Thursday, July 12, 2012

CCIE Written: Core Ethernet Switching Components


VLAN
* Used to separate ports into different broadcast domains
* Hosts in same VLAN share the same broadcast domain
* Switches create a separate CAM (Content Addressable Memory) table per VLAN
* Traffic inside the VLAN is layer 2 switched
* Traffic to outside or between VLANs must be layer 3 routed
* VLAN Trunks carry traffic for multiple VLANs between switches on uplinks

VLAN Numbering
* VLAN membership defined by number
* 12-bit field (0-4095)
                - 0 and 4095 are reserved per the 802.1Q standard
* Normal VLANs 1-1005
                - 1 → Default Ethernet VLAN
                - 1002/1004 → Default FDDI VLANs
                - 1003/1005 → Default Token Ring VLANs
* Extended VLANs 1006-4094
* Extended-range VLANs are assigned in VTP transparent mode and are mostly used with Private VLANs
* Extended-range VLANs are not advertised by VTP version 1 or 2; VTP version 3 on newer platforms can advertise them

VLAN Trunks
* Trunk links are used to transport traffic for multiple VLANs between devices
* Traffic sent over a trunk link receives special trunking encapsulation
                - Normal Ethernet header does not have field for VLAN number
                - ISL or 802.1Q headers are added to include this information
* Both ISL and 802.1Q accomplish the same goal of encoding VLAN number in frame header to separate traffic
* The key differences are
                - ISL:
                          + Cisco proprietary
                          + 30-byte encapsulation for all frames (26-byte header and 4-byte trailer FCS)
                          + Does not modify the original frame
                - 802.1Q:
                          + IEEE standard
                          + 4-byte tag inserted in every frame except those of the "native VLAN"
                          + Modifies the original frame, so a new FCS has to be generated

IOS Switch Port modes
* Access
* Trunk
* Dynamic Desirable
* Dynamic Auto
* Tunnel (802.1q)

Dynamic Trunking Protocol
* Dynamic switch ports automatically choose whether to run in access or trunking mode
* Run DTP to negotiate whether the link becomes an ISL trunk, an 802.1Q trunk or an access port
* DTP prefers ISL: it negotiates ISL first, then 802.1Q, then access
* Configure as switchport mode dynamic [auto | desirable]
* Disable with switchport nonegotiate or switchport mode access
* Port modes and how they negotiate:
                - On: Forces the port to become a trunk
                - Off: Forces the port to become a non-trunk
                - Desirable: Actively tries to convert the link to a trunk when the other side is On, Auto or Desirable
                - Auto: Trunks if the other side is Desirable or On
                - Nonegotiate: Turns off DTP


Negotiation outcome by the mode on each end of the link (X = link comes up as a trunk, - = no trunk, * = no negotiation, see note):

                On      Off     Des     Auto    Nonego
On              X       -       X       X       *
Off             -       -       -       -       *
Des             X       -       X       X       *
Auto            X       -       X       -       *
Nonego          *       *       *       *       *

- On with Off is a mismatch: the On side trunks, the Off side does not.
- Nonego with nonego depends on the switchport mode, since DTP is off and nothing is negotiated. Both sides must be On.
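As an added example that is not part of the original notes, the IOS configuration below contrasts a default dynamic port with a hardened access port and a hardened 802.1Q trunk; the interface names, VLAN numbers and native VLAN are assumed.

```cisco
! Weak (default behaviour): the port negotiates with whatever is plugged in,
! so a device speaking DTP can bring the link up as a trunk and see every VLAN
interface GigabitEthernet0/1
 switchport mode dynamic desirable

! Hardened access port: fixed mode, DTP frames no longer sent.
! Note: IOS rejects "switchport nonegotiate" while the port is still in a
! dynamic mode, so set the mode first.
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate

! Hardened trunk: encapsulation fixed to 802.1Q (the encapsulation command is
! needed on platforms that also support ISL), DTP off, unused native VLAN,
! and an explicit allowed list instead of all VLANs (assumed values)
interface GigabitEthernet0/24
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20
 switchport nonegotiate

! Verify the operational mode and that "Negotiation of Trunking: Off"
show interfaces GigabitEthernet0/1 switchport
show interfaces GigabitEthernet0/24 switchport
show interfaces trunk
```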

VLAN Trunking Protocol
* VTP solves the VLAN administration problem: it simply makes sure the switches agree on the VLAN number assignments
* Cisco proprietary
* Used to dynamically
                - Advertise the addition, removal and modification of VLAN properties such as numbers and names
                - Negotiate trunk allowed lists by using VTP pruning
* Does not affect actual VLAN assignments
                - Ports still need to be assigned manually with switchport access vlan [vlan]

How VTP Works
* VTP domain
                - To exchange information, switches must belong to the same domain
* VTP Mode
                - Controls who can advertise new/modified information
                - Modes are Server, Client and Transparent
* VTP Revision Number
                - Sequence number to ensure consistent databases
                - Higher revision number indicates newer database

VTP Domains
* VTP domain name controls which devices can exchange VTP advertisements
* VTP domain does not define broadcast domain
                - Hosts in switches in different VTP domains that share the same VLAN numbers are still in the same broadcast domain
* Configured as vtp domain [name]
* Defaults to null value
                - Switch inherits VTP domain name of first advertisement it received

VTP Server Mode
* Default mode
* Allows addition, deletion and modification of VLAN information
* Changes on a server overwrite the rest of the domain, assuming it has the highest revision number
* Configure as vtp mode server

VTP Client Mode
* Does not allow addition, deletion or modification of VLAN information
* Listens for advertisements originated by a server, installs them and passes them on
* Configure as vtp mode client

VTP Transparent Mode
* Keeps a separate VTP database from the rest of the domain
* Does not originate advertisements
* “Transparently” passes received advertisements through without installing them
* Needed for some applications like Private VLANs
* Configure as vtp mode transparent

VTP Security
* VTP is susceptible to attacks or misconfiguration in which VLANs are deleted
                - Access ports in a VLAN that does not exist cannot forward traffic
* MD5 authentication protects against the attack
                - vtp password [password]
* Does not protect against misconfiguration
                - Hence the recommendation to use VTP transparent mode

VTP Pruning
* Broadcast and unknown unicast/multicast frames are flooded everywhere in the broadcast domain
                - Includes trunk links
* Editing the allowed list limits this flooding, but with large administrative overhead
* VTP pruning automates this procedure
                - Switches advertise which VLANs they need
                - All other VLANs are pruned (removed) from the trunk link
* Does not work for transparent mode
* Configure VTP pruning on any one server and it propagates to the whole VTP domain
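As an added example that is not part of the original notes, the configuration below shows the default VTP settings that the "VTP Security" section warns about beside the transparent-mode hardening it recommends, and uses transparent mode to create an extended-range VLAN as described under "VLAN Numbering"; the domain name, password and VLAN number are assumed.

```cisco
! Weak (factory defaults): server mode with a null domain name. The switch
! inherits the first domain name it hears and installs any database that
! carries a higher revision number than its own.
vtp mode server

! Hardened: transparent mode keeps a local VLAN database and only passes
! advertisements through; the password adds MD5 authentication to the
! advertisements that are forwarded. Switching to transparent mode also
! resets the local configuration revision to 0. (assumed values)
vtp domain CORP
vtp password EXAMPLE-PASSWORD
vtp mode transparent

! Extended-range VLAN, possible because the switch is now transparent
vlan 2000
 name PVLAN-SERVERS

! Verify the mode, domain, revision number and that the password is set
show vtp status
show vtp password
show vlan id 2000
```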
