Chapter 11 Switching and Virtual LANs


differences and similarities between bridges and switches that you need to keep in mind:

- Bridges are software based, whereas switches are hardware based because they use ASIC chips to help make filtering decisions.
- A switch can be viewed as a multiport bridge.
- There can be only one spanning-tree instance per bridge, whereas switches can have many. (I'm going to tell you all about spanning trees in a bit.)
- Switches have a higher number of ports than most bridges.
- Both bridges and switches forward layer 2 broadcasts.
- Bridges and switches learn MAC addresses by examining the source address of each frame received.
- Both bridges and switches make forwarding decisions based on layer 2 addresses.

Here's a list of some of the cool features VLAN Trunking Protocol (VTP) has to offer:

- Consistent VLAN configuration across all switches in the network
- Accurate tracking and monitoring of VLANs
- Dynamic reporting of added VLANs to all switches in the VTP domain
- Adding VLANs using plug-and-play

Layer 2 switching provides the following benefits:

- Hardware-based bridging (ASIC)
- Wire speed
- Low latency
- Low cost

downside of Redundant links?

- If no loop avoidance schemes are put in place, the switches will flood broadcasts endlessly throughout the internetwork. This is sometimes referred to as a broadcast storm.

You should know these requirements for VTP to communicate VLAN information between switches:

- The VTP management domain name of both switches must be set the same.
- One of the switches has to be configured as a VTP server.
- Set a VTP password if used.
- No router is necessary and a router is not a requirement.

Let me give you a step-by-step example of how a forward/filter table becomes populated:

1. Host A sends a frame to Host B. Host A's MAC address is 0000.8c01.000A, and Host B's MAC address is 0000.8c01.000B.
2. The switch receives the frame on the E0/0 interface and places the source address in the MAC address table, associating it with the port it came in on.
3. Because the destination address is not in the MAC database, the frame is forwarded (flooded) out of all interfaces—except the source port.
4. Host B receives the frame and responds to Host A. The switch receives this frame on interface E0/1 and places the source hardware address in the MAC database, associating it with the port it came in on.
5. Host A and Host B can now make a point-to-point connection, and only the two devices will receive the frames. Hosts C and D will not see the frames, nor are their MAC addresses found in the database, because they haven't yet sent a frame to the switch.

Oh, by the way, it's important to know that if Host A and Host B don't communicate to the switch again within a certain amount of time, the switch will flush their entries from the database to keep it as current as possible.

Spanning Tree Port States: Blocking

A blocked port won't forward frames; it just listens to BPDUs and will drop all other frames. The purpose of the blocking state is to prevent the use of looped paths. All ports are in a blocking state by default when the switch is powered up.

Spanning Tree Port States: Disabled

A port in the disabled state (administratively) does not participate in the frame forwarding or STP. A port in the disabled state is virtually nonoperational.

There are three distinct functions of layer 2 switching—you need to know these! They are as follows:

- Address learning
- Forward/filter decisions
- Loop avoidance

The ports on a bridge or switch running STP can transition through five different states:

- Blocking
- Listening
- Learning
- Forwarding
- Disabled

How do we break up broadcast domains in a pure switched internetwork?

By creating a virtual local area network (VLAN), that's how!

Switches break up _______________ domains and routers break up _____________ domains.
A. broadcast, broadcast
B. collision, collision
C. collision, broadcast
D. broadcast, collision

C. Collision and Broadcast

STP Convergence

Convergence is what happens when all the ports on bridges and switches have transitioned to either forwarding or blocking modes. During this phase, no data will be forwarded until the convergence event is complete. Plus, before data can begin being forwarded again, all devices must be updated. Yes—you read that right: When STP is converging, all host data stops transmitting!
- Convergence is truly important because it ensures that all devices are in either the forwarding mode or the blocking mode.

QoS methods focus on one of five problems that can affect data as it traverses network cable:

- Delay
- Dropped packets
- Error
- Jitter
- Out-of-order delivery

The 802.1w port states map to the 802.1D port states as follows:

- Disabled = discarding
- Blocking = discarding
- Listening = discarding
- Learning = learning
- Forwarding = forwarding

ARP Inspection

Dynamic ARP inspection (DAI) is a feature that, when configured, uses the DHCP snooping database of IP address-to-MAC address mappings to verify the MAC address mappings of each frame going through the switch. In this way, any frames with incorrect or altered mappings are dropped by the switch, thus breaking any attacks depending on these bogus mappings. Because it uses the DHCP snooping database, the configuration of DHCP snooping is a prerequisite to enabling DAI.
- Helps mitigate man-in-the-middle and ARP cache poisoning attacks.

Thrashing the MAC Table

This is the term used to describe a switch becoming so caught up in updating MAC filters during a broadcast storm that it fails to forward packets.

VTP Modes of Operation: Client

In client mode, switches receive information from VTP servers, but they also receive and forward updates, so in this way they behave like VTP servers. The difference is that they can't create, change, or delete VLANs. Plus, none of the ports on a client switch can be added to a new VLAN before the VTP server notifies the client switch of the new VLAN and the VLAN exists in the client's VLAN database. Also good to know is that VLAN information sent from a VTP server isn't stored in NVRAM, which is important because it means that if the switch is reset or reloaded, the VLAN information will be deleted. Here's a hint: If you want a switch to become a server, first make it a client so it receives all the correct VLAN information, then change it to a server—so much easier!

what can you tell about figure 11.17?

It shows how the different links are used in a switched network. All hosts connected to the switches can communicate to all ports in their VLAN because of the trunk link between them. Remember, if we used an access link between the switches, this would allow only one VLAN to communicate between switches. As you can see, these hosts are using access links to connect to the switch, so they're communicating in one VLAN only. That means that without a router, no host can communicate outside its own VLAN, but the hosts can send data over trunked links to hosts on another switch configured in their same VLAN.

how does Port Tagging/IEEE 802.1Q work?

It works like this: You first designate each port that's going to be a trunk with 802.1Q encapsulation. The other ports must be assigned a specific VLAN ID in order for them to communicate. VLAN 1 is the default native VLAN, and when 802.1Q is used, all traffic for a native VLAN is untagged. The ports that populate the same trunk create a group with this native VLAN, and each port gets tagged with an identification number reflecting that membership. Again, the default is VLAN 1. The native VLAN allows the trunks to accept information that was received without any VLAN identification or frame tag.

management VLAN interface

It's a routed interface found on every switch, and it's referred to as interface VLAN 1. It's good to know that this management interface can be changed, and all manufacturers recommend changing it to a different management interface for security purposes.

Address Learning

Layer 2 switches and bridges are capable of this; that is, they remember the source hardware address of each frame received on an interface and enter this information into a MAC database known as a forward/filter table.

static VLANs

Most of the time, VLANs are created by a system administrator who proceeds to assign switch ports to each one.
- Most secure
- Easy to set up and supervise

Types of Switch Port Protection

- Port Security
- DHCP Snooping
- ARP Inspection
- Flood Guard
- BPDU Guard
- Root Guard
- Port Bonding
- Device Hardening

This next command tells the switch to use the AAA server if someone is trying to access the console of the switch:

S1(config)#aaa authentication login console

configure switches and routers to store their usernames and passwords remotely for ease of configuration using an AAA server. Doing this allows you to change the passwords at one device without having to telnet into each device separately to change passwords. To get this done, use the following command:

S1(config)#aaa authentication login default
- This tells the switch to use AAA when Telnet or SSH is used for in-band management.

STP is a layer....protocol

STP is a layer 2 protocol that is used to maintain a loop-free switched network.

Spanning Tree Protocol (STP)

STP's main task is to stop network loops from occurring on your layer 2 network (bridges or switches). It achieves this feat by vigilantly monitoring the network to find all links and making sure that no loops occur by shutting down any redundant ones. STP uses the Spanning Tree Algorithm (STA) to first create a topology database and then search out and destroy redundant links. With STP running, frames will be forwarded only on the premium, STP-picked links. Switches transmit Bridge Protocol Data Units (BPDUs) out all ports so that all links between switches can be found.

VTP Modes of Operation

Server, Client, and Transparent

Do We Really Need to Put an IP Address on a Switch? Since the switches are providing layer 2 services, why do we need an IP address?

Switches have all ports enabled and ready to rock. Take the switch out of the box, plug it in, and the switch starts learning MAC addresses in the CAM.
- Because you still need an IP address for in-band management, which is used with your virtual terminals, that's why. Telnet, SSH, SNMP, and so on all require IP addresses to communicate with the switch, in-band, through the network.

VTP Modes of Operation: Transparent

Switches in transparent mode don't participate in the VTP domain or share its VLAN database, but they'll still forward VTP advertisements through any configured trunk links. An admin on a transparent switch can create, modify, and delete VLANs because they keep their own database—one they keep secret from the other switches. Despite being kept in NVRAM memory, the VLAN database in transparent mode is actually only locally significant. The whole purpose of transparent mode is to allow remote switches to receive the VLAN database from a VTP-server-configured switch through a switch that is not participating in the same VLAN assignments.

Spanning Tree Port States: Listening

The port listens to BPDUs to make sure no loops occur on the network before passing data frames. A port in listening state prepares to forward data frames without populating the MAC address table.

Spanning Tree Port States: Forwarding

The port sends and receives all data frames on the bridged port. If the port is still a designated or root port at the end of the learning state, it enters the forwarding state.

Let's take a look at the output of a show mac address-table command as seen from a Cisco Catalyst switch (the MAC address table works pretty much exactly the same on all brands of switches):

Switch#sh mac address-table
Vlan    Mac Address       Type      Ports
----    --------------    -------   -----
1       0005.dccb.d74b    DYNAMIC   Fa0/1
1       000a.f467.9e80    DYNAMIC   Fa0/3
1       000a.f467.9e8b    DYNAMIC   Fa0/4
1       000a.f467.9e8c    DYNAMIC   Fa0/3
1       0010.7b7f.c2b0    DYNAMIC   Fa0/3
1       0030.80dc.460b    DYNAMIC   Fa0/3
1       0030.9492.a5dd    DYNAMIC   Fa0/1
1       00d0.58ad.05f4    DYNAMIC   Fa0/1

Now suppose the preceding switch received a frame with the following MAC addresses:

Source MAC: 0005.dccb.d74b
Destination MAC: 000a.f467.9e8c

How will the switch handle this frame?

The right answer is that the destination MAC address will be found in the MAC address table and the frame will be forwarded out Fa0/3 only. Remember that if the destination MAC address is not found in the forward/filter table, it will forward the frame out all ports of the switch looking for the destination device.

Spanning Tree Port States: Learning

The switch port listens to BPDUs and learns all the paths in the switched network. A port in learning state populates the MAC address table but doesn't forward data frames. Forward delay is the time it takes to transition a port from listening to learning mode. It's set to 15 seconds by default.

frame filtering

The switch will not transmit the frame out any interface except the destination interface. Not transmitting the frame preserves bandwidth on the other network segments

VTP Modes of Operation: Server

This is the default mode for all Catalyst switches. You need at least one server in your VTP domain to propagate VLAN information throughout that domain. Also important is that the switch must be in server mode for you to be able to create, add, and delete VLANs in a VTP domain. VLAN information has to be changed in server mode, and any change made to VLANs on a switch in server mode will be advertised to the entire VTP domain. In VTP server mode, VLAN configurations are saved in NVRAM on the switch.

distributed switch

This provides connectivity between virtual servers that are located on different hosts, as shown in Figure 11.10.

Static access ports are either manually assigned to a

VLAN or assigned through a RADIUS server for use with IEEE 802.1X. It's easy to set an incorrect VLAN assignment on a port, so using a RADIUS server can help in your configurations.

how does address learning work when a switches forward/filter table is empty?

When a device transmits and an interface receives a frame, the switch places the frame's source address in the MAC forward/filter table, which allows it to remember the interface on which the sending device is located. The switch then has no choice but to flood the network with this frame out of every port except the source port because it has no idea where the destination device is actually located. If a device answers this flooded frame and sends a frame back, then the switch will take the source address from that frame and place that MAC address in its database as well, thereby associating the newly discovered address with the interface that received the frame. Because the switch now has both of the relevant MAC addresses in its filtering table, the two devices can make a point-to-point connection. The switch doesn't need to flood the frame as it did the first time because now the frames can and will be forwarded only between the two devices recorded in the table.

Forward/Filter Decisions

When a frame arrives at a switch interface, the destination hardware address is compared to the forward/filter MAC database and the switch makes a forward/filter decision. In other words, if the destination hardware address is known (listed in the database), the frame is only sent out the specified exit interface.

BPDU Guard

When a switch that is unknown to you and not under your control is connected to one of your switches, it can play havoc with your STP topology and may even allow the rogue switch to become the root bridge! As you know, when a switch starts receiving STP BPDUs from a new switch, the information in the BPDU (specifically the switch priority) is used to determine if the switch might be a new root bridge (causing a new election) or if the STP topology should be changed. To prevent this from occurring, a feature called BPDU Guard can be implemented. This feature should be enabled on all switch ports that do not connect to known switches. Since most connections between switches and from the switch to a router are trunk ports, then it is typically enabled on all access ports or ports that connect to end devices.

Flat network structure

With this configuration, every broadcast packet transmitted is seen by every device on the network regardless of whether the device needs to receive that data or not.

before you can get VTP to manage your VLANs across the network, you have to create...

a VTP server. All servers that need to share VLAN information must use the same domain name, and a switch can be in only one domain at a time. So basically, this means that a switch can share VTP domain information with other switches only if they're configured into the same VTP domain. You can use a VTP domain if you have more than one switch connected in a network, but if you've got all your switches in only one VLAN, you just don't need to use VTP. Do keep in mind that VTP information is sent between switches only via a trunk port.

Explain figure 11.8 and 11.9

a device can receive multiple copies of the same frame because that frame can arrive from different segments at the same time. Figure 11.9 demonstrates how a whole bunch of frames can arrive from multiple segments simultaneously. The server in the figure sends a unicast frame to another device connected to Segment 1. Because it's a unicast frame, Switch A receives and forwards the frame, and Switch B provides the same service—it forwards the unicast. This is bad because it means that the destination device on Segment 1 receives that unicast frame twice, causing additional overhead on the network.

Flood Guard

a feature that can be implemented to prevent this attack (flood attacks). It uses two mechanisms to accomplish this: unknown unicast flood blocking (UUFB) and unknown unicast flood rate-limiting (UUFRL). The UUFB feature blocks unknown unicast and multicast traffic flooding at a specific port, only permitting egress traffic with MAC addresses that are known to exist on the port. The UUFRL feature applies a rate limit globally to unknown unicast traffic on all VLANs. When these two features are combined, flooding attacks can be prevented in switches that support the features.

So what handy little device do you think we need to enable the hosts in Figure 11.16 to communicate to a host or hosts on a different VLAN?

a router!

There are two different types of links in a switched environment:

access ports and trunk ports.

By default, routers allow broadcasts to occur only within the originating network, whereas switches forward broadcasts to

all segments

Voice Access Ports

allow you to add a second VLAN to an access port on a switch port for your voice traffic.
- It's still just an access port that can be configured for both data and voice VLANs. This allows you to connect both a phone and a PC device to one switch port but still have each device in a separate VLAN. If you are configuring voice VLANs, you'll want to configure quality of service (QoS) on the switch ports to provide a higher precedence to voice traffic over data traffic to improve sound quality.

Flood Attack

an attack where some malicious individual floods the switch with unknown MAC addresses. Since switches record all MAC addresses of received frames, the switch will continue to update its MAC table with these MAC addresses until it pushes all legitimate MAC addresses out of the limited space provided for the MAC table in memory. Once this occurs, all traffic received by the switch will be unknown to the switch and it will flood this traffic out of all ports, basically turning the switch into a hub. Now the attacker can connect a sniffer to his port and receive all traffic rather than only the traffic destined for that port as would normally be the case. This attack is shown in Figure 11.21.

VLAN Trunking Protocol (VTP)

are to manage all configured VLANs across a switched internetwork and to maintain consistency throughout that network. VTP allows you to add, delete, and rename VLANs—and information about those actions is then propagated to all other switches in the VTP domain.

dynamic VLAN

assign all the host devices' hardware addresses into a database so your switches can be configured to assign VLANs dynamically anytime you plug a host into a switch.

In Figure 11.7, you can see Host A sending a data frame to Host D. What will the switch do when it receives the frame from Host A?

because Host A's MAC address is not in the forward/filter table, the switch will add the source address and port to the MAC address table and then forward the frame to Host D, you're halfway there. If you also came back with, "If Host D's MAC address was not in the forward/filter table, the switch would have flooded the frame out of all ports except for port Fa0/3," then congratulations—you nailed it!

Access Ports

belongs to and carries the traffic of only one VLAN. Anything arriving on an access port is simply assumed to belong to the VLAN assigned to the port. Any device attached to an access link is unaware of a VLAN membership—the device just assumes it's part of the same broadcast domain, but it doesn't have the big picture, so it doesn't understand the physical network topology at all.

Switch ports are usually in either the

blocking or forwarding state

each VLAN is considered a

broadcast domain.

Trunk Ports

carry multiple VLANs at a time.
Benefits: you get to make a single port part of a whole bunch of different VLANs at the same time. This is a great feature because you can actually set ports up to have a server in two separate broadcast domains simultaneously so your users won't have to cross a layer 3 device (router) to log in and access it.
- Information from multiple VLANs can be carried across trunk links, but by default, if the links between your switches aren't trunked, only information from the configured VLAN will be switched across that link.

One of the unique features of these virtual switches is the ability of the switches to span multiple physical hosts. When this is done, the switch is called a

distributed switch

If a switch determines that a blocked port should now be the designated, or root, port, say because of a topology change, the port will respond by

going into listening mode and checking all the BPDUs it receives to ensure that it won't create a loop once the port goes back into forwarding mode.

Rapid Spanning Tree Protocol (RSTP)

instead of taking 50 seconds to converge, the switched network can converge in about 5 seconds, or maybe even less. RSTP was not designed to be a "brand-new" protocol but more of an evolution of the 802.1D standard, with faster convergence time when a topology change occurs. Backward compatibility was a must when 802.1w was created.

trunk link

is a 100 Mbps or 1000 Mbps point-to-point link between two switches, between a switch and router, or even between a switch and server, and it carries the traffic of multiple VLANs—from 1 to 4,094 VLANs at a time.

Virtual LANs (VLANs)

is a logical grouping of network users and resources connected to administratively defined ports on a switch. When you create VLANs, you gain the ability to create smaller broadcast domains within a layer 2 switched internetwork by assigning the various ports on the switch to different subnetworks. A VLAN is treated like its own subnet or broadcast domain, meaning that frames broadcasted onto the network are only switched between the ports logically grouped within the same VLAN.

blocking ports

is a strategy for preventing network loops. Once a switch determines the best path to the root bridge, all other redundant ports will be in blocking mode. Blocked ports can still receive BPDUs—they just don't send out any frames.

DHCP Snooping

is a switch feature that can help to prevent your devices from communicating with illegitimate DHCP servers. When enabled, DHCP snooping allows responses to client requests from only DHCP servers located on trusted switch ports (which you define). When only the ports where company DHCP servers are located are configured to be trusted, rogue DHCP servers will be unable to respond to client requests. The protection doesn't stop there, however. The switch will also, over time, develop an IP address-to-MAC address table called the bindings table, derived from "snooping" on DHCP traffic to and from the legitimate DHCP server. The bindings table is also used with ARP inspection, which makes the configuration of DHCP snooping a prerequisite of ARP inspection.

Inter-Switch Link (ISL)

is a way of explicitly tagging VLAN information onto an Ethernet frame. This tagging information allows VLANs to be multiplexed over a trunk link through an external encapsulation method (ISL), which allows the switch to identify the VLAN membership of a frame over the trunked link. By running ISL, you can interconnect multiple switches and still maintain VLAN information as traffic travels between switches on trunk links. ISL functions at layer 2 by encapsulating a data frame with a new header and cyclic redundancy check (CRC).

Forwarding Port

is one that has been determined to have the lowest (best) cost to the root bridge. But when and if the network experiences a topology change because of a failed link or when someone adds a new switch into the mix, you'll find the ports on a switch in the listening and learning states.

VLAN Identification Methods

is what switches use to keep track of all those frames as they're traversing a switch fabric. All of our hosts connect together via a switch fabric in our switched network topology. It's how switches identify which frames belong to which VLANs, and there's more than one trunking method: ISL and 802.1Q.

Because the typical spanning-tree topology's time to convergence from blocking to forwarding on a switch port is 50 seconds...

it can create time-out problems on your servers or hosts—like when you reboot them. To address this hitch, you can disable spanning tree on individual ports.

benefit you gain by having a layer 2 switched network is that...

it creates an individual collision domain segment for each device plugged into each port on the switch.

A switch port can belong to only one VLAN if

it is an access port or all VLANs if it is a trunk port

Switches populate the MAC address table in

learning and forwarding modes only.

You can manually configure a port as an access or trunk port, or you can

let the Dynamic Trunking Protocol (DTP) operate on a per-port basis to set the switch port mode. DTP does this by negotiating with the port on the other end of the link.

Each host attached to a particular physical network has to match that...

network's logical network number in order to be able to communicate on the internetwork.

What makes layer 2 switching so efficient is that

no modification to the data packet takes place. The device reads only the frame encapsulating the packet, which makes the switching process considerably faster and less error prone than routing processes.

flat network

one broadcast domain

VLAN is considered a broadcast domain, it's got to also have its

own subnet number (refer again to Figure 11.16). And if you're also using IPv6, then each VLAN must also be assigned its own IPv6 network number. So you don't get confused, just keep thinking of VLANs as separate subnets or networks.

One way to test the loop avoidance operations of your switch network is to

plug one end of a cable into one port and the other end of the same cable into another port. If loop avoidance is not operational, this should cause a big broadcast storm!

Quality of service (QoS) allows administrators to

predict, monitor, and control bandwidth use to ensure it is available to programs and apps that need it.

Switches create

private, dedicated collision domains and provide independent bandwidth on each port, unlike hubs. Figure 11.4 shows five hosts connected to a switch—all running 100 Mbps full duplex to the server.

Quality of service (QoS)

refers to the way the resources are controlled so that the quality of services is maintained. It's basically the ability to provide a different priority for one or more types of traffic over other levels; priority is applied to different applications, data flows, or users so that they can be guaranteed a certain performance level.

To provide inter-VLAN communication (communication between VLANs), you need to use a

router or a layer 3 switch.

To verify the spanning-tree type running on your Cisco switch, use the following command:

sh spanning-tree

Since the type output shows Spanning tree enabled protocol ieee, we know we are running the 802.1D protocol. If the output shows RSTP, then you know your switch is running the 802.1w protocol.

what do you do with unused ports in a switch?

since all ports are enabled by default, you need to shut down unused ports or assign them to an unused VLAN. Configuring a switch out-of-band means you're not going through the network to configure the device; you're actually using a port, such as a console port, to configure the switch instead. Most of the time, you'll use the console port upon starting up the switch. After that, all the management will be completed in-band.

let's say MAC addresses have been entered into a centralized VLAN management application and you hook up a new host. If you attach it to an unassigned switch port,

the VLAN management database can look up the hardware address and both assign and configure the switch port into the correct VLAN. Needless to say, this makes management and configuration much easier because if a user moves, the switch will simply assign them to the correct VLAN automatically. But here again, there's a catch—initially, you've got to do a lot more work setting up the database. It can be very worthwhile, though! And here's some more good news: You can use the VLAN Management Policy Server (VMPS) service to set up a database of MAC addresses to be used for the dynamic addressing of your VLANs. The VMPS database automatically maps MAC addresses to VLANs.

remember that each host also has to have the correct IP address information. For instance, you must configure each host in VLAN 2 into the 172.16.20.0/24 network for it to become a member of that VLAN. It's also a good idea to keep in mind that if you plug a host into a switch, you have to verify the VLAN membership of that port. If the membership is different than what's needed for that host...

the host won't be able to gain access to the network services that it needs, such as a workgroup server.

QoS can ensure that applications with a required bit rate receive

the necessary bandwidth to work properly. Clearly, on networks with excess bandwidth, this is not a factor, but the more limited your bandwidth is, the more important a concept like this becomes.

Suppose you plug a host into a switch port and users are unable to access any server resources. The two typical reasons this happens are that

the port is configured in the wrong VLAN membership or STP has shut down the port because STP thought there was possibly a loop.

Layer 2 switches and bridges are faster than routers because

they don't take up time looking at the Network layer header information. Instead, they look at the frame's hardware addresses before deciding to forward, flood, or drop the frame.

Redundant links between switches can be a wise thing to implement because

they help prevent complete network failures in the event that one link stops working.

Switches are definitely pretty busy devices. As frames are switched throughout the network,

they've got to be able to keep track of all the different port types plus understand what to do with them depending on the hardware address. And remember—frames are handled differently according to the type of link they're traversing.

application-specific integrated circuits (ASICs)

to create and manage a filter table for switches

The basic purpose of ISL and 802.1Q frame-tagging methods is

to provide inter-switch VLAN communication. Remember that any ISL or 802.1Q frame tagging is removed if a frame is forwarded out an access link—tagging is used internally and across trunk links only!

According to Cisco, what is VLAN 1 used for?

use it for administrative purposes only. You can't delete or change the name of VLAN 1, and by default, all ports on a switch are members of VLAN 1 until you actually do change them.

Port Tagging/IEEE 802.1Q

works by inserting a field into the frame to identify the VLAN. This is one of the aspects of 802.1Q that makes it your only option if you want to trunk between a Cisco switched link and another brand of switch. In a mixed environment, you've just got to use 802.1Q for the trunk to work!
- To meet the exam objectives, it's really the 12-bit VLAN ID that matters, so keep your focus on it. This field identifies the VLAN and can be 2^12 minus 2 for the 0 and 4,095 reserved VLANs, which means an 802.1Q tagged frame can carry information for 4,094 VLANs.

VTP transparent mode

you can configure switches to forward VTP information through trunk ports but not to accept information updates or update their VTP databases. If you've got sneaky users adding switches to your VTP domain behind your back, you can include passwords. Switches detect any added VLANs within a VTP advertisement and then prepare to send information on their trunk ports with the newly defined VLAN in tow.

Port Security

you can limit the number of MAC addresses that can be assigned dynamically to a port, set static MAC addresses, and—here's my favorite part—set penalties for users who abuse your policy! Personally, I like to have the port shut down when the security policy is violated. Making abusers bring me a memo from their boss explaining why they violated the security policy brings with it a certain poetic justice, which is nice. And I'll also require something like that before I'll enable their port again.

By creating your physical switch design in a hierarchical manner, as shown in Figure 11.12

you can make your core switch the STP root. This makes everyone happy because it makes STP convergence happen fast.

One of the nastiest things that can happen is having multiple loops propagating throughout a network. This means

you end up with loops occurring within other loops, and if a broadcast storm happened at the same time, the network wouldn't be able to perform frame switching at all—it's toast!

all users can see all devices. And you can't stop devices from broadcasting, plus you can't stop users from trying to respond to broadcasts. This means

your security options are dismally limited to placing passwords on your servers and other devices.
