chapter 3/sem 2
change a port's VLAN membership (command)
"no switchport access vlan" in interface configuration mode (returns the port to VLAN 1; the VLAN itself remains in vlan.dat)
delete a VLAN (command)
"no vlan ___" in config t. Ports that were assigned to the deleted VLAN stay assigned to it and become inactive until they are moved to another VLAN.
commands to see ports assigned to vlan
"show vlan brief"
switchport mode trunk
Puts the interface into permanent trunking mode and negotiates to convert the neighboring link into a trunk link.
Voice VLANs
The entire network has to be designed to support VoIP. Example: the student computer PC5 is attached to a Cisco IP phone, and the phone is attached to switch S3. PC5 is in VLAN 20, which is used for student data.
switchport access vlan command
forces the creation of a VLAN if it does not already exist on the switch
VLANs segment the network based on?
function, project team, or application, without regard to physical location; each VLAN is a separate logical network
a router's primary role?
to move information between networks, not to provide network access to end devices
To enable trunking from a Cisco switch to a device that does not support DTP, use what commands?
switchport mode trunk and switchport nonegotiate interface configuration mode commands.
VoIP traffic requires:
-Assured bandwidth to ensure voice quality -Transmission priority over other types of network traffic -Ability to be routed around congested areas on the network -Delay of less than 150 ms across the network
commands for resetting trunk links
1) config t 2) interface ___ 3) no switchport trunk allowed vlan 4) no switchport trunk native vlan 5) end
Catalyst 2960 and 3560 Series switches support over how many vlans?
4000
vlan.dat
VLAN configurations are stored in the VLAN database file vlan.dat, which is kept in the flash memory of the switch
types of VLANs
Data, default, native and management; some are defined by the class of traffic they carry, others by the function they serve
Hierarchical network addressing means that?
IP network numbers are applied to network segments or VLANs in an orderly fashion that takes the network as a whole into consideration
Each VLAN in a switched network corresponds to a?
IP network; therefore, VLAN design must take into consideration the implementation of a hierarchical network-addressing scheme.
switchport mode dynamic auto
Makes the interface able to convert the link to a trunk link. The interface becomes a trunk interface if the neighboring interface is set to trunk or desirable mode. -The default switchport mode for all Ethernet interfaces is dynamic auto.
switchport mode dynamic desirable
Makes the interface actively attempt to convert the link to a trunk link. The interface becomes a trunk interface if the neighboring interface is set to trunk, desirable, or auto mode.
vlan trunk
OSI Layer 2 link between two switches that carries traffic for all VLANs (unless the allowed VLAN list is restricted manually or dynamically) -To enable trunk links, configure the ports on either end of the physical link with parallel sets of commands
switchport nonegotiate
Prevents the interface from generating DTP frames. You can use this command only when the interface switchport mode is access or trunk. You must manually configure the neighboring interface as a trunk interface to establish a trunk link.
switchport mode access
Puts the interface (access port) into permanent nontrunking mode and negotiates to convert the link into a nontrunk link
a series of VLAN IDs can be entered separated by commas, or a range of VLAN IDs separated by hyphens using what command?
S1(config)# vlan 100,102,105-107
tagging
The standard Ethernet frame header does not contain information about the VLAN to which the frame belongs; thus, when Ethernet frames are placed on a trunk, information about the VLANs to which they belong must be added.
show interfaces trunk command
To display the status of the trunk, the native VLAN used on that trunk link, and verify trunk establishment
normal range vlans
Used in small- and medium-sized business and enterprise networks. Identified by a VLAN ID between 1 and 1005.
If the native VLAN has not been reconfigured, the PVID value is set to
VLAN1
resetting the trunk to default state
When reset to the default state, the trunk allows all VLANs and uses VLAN 1 as the native VLAN.
a switch port can belong to what?
a VLAN, and unicast, broadcast, and multicast packets are forwarded and flooded only to end stations within the VLAN where the packets are sourced
Cisco Discovery Protocol (CDP) packets
An access port connected to a Cisco IP phone sends CDP packets that instruct the phone to send voice traffic to the switch in one of three ways, depending on the type of traffic: in a voice VLAN tagged with a Layer 2 class of service (CoS) priority value; in an access VLAN tagged with a Layer 2 CoS priority value; or in an access VLAN untagged (no Layer 2 CoS priority value).
default vlan
after initial bootup of a switch, all ports become part of the default VLAN. On Cisco switches the default VLAN is VLAN 1, so every port can communicate with every other port on the switch. Layer 2 control traffic (CDP, spanning tree) is always associated with VLAN 1.
vlan leaking
an access port might accept frames from VLANs different from the VLAN to which it is assigned
management VLAN
any VLAN configured to access the management capabilities of a switch. By default this is VLAN 1; assign an IP address and mask to its SVI. VLAN 1 is not a good choice for the management VLAN.
Trunk ports
are the links between switches that support the transmission of traffic associated with more than one VLAN
after creating a vlan what is the next step?
assign ports to the VLAN
native vlan
assigned to an 802.1Q trunk port; carries the untagged traffic on the trunk (traffic that does not belong to any tagged VLAN) alongside the tagged traffic of multiple VLANs; defined by IEEE 802.1Q; configure it as an unused VLAN
data vlan
carries user-generated traffic; also referred to as a user VLAN; separates the network into groups of users or devices
show mac address-table does what?
shows which MAC addresses were learned on a particular port of the switch and in which VLAN
switchport mode access command
command is optional, but strongly recommended as a security best practice. With this command, the interface changes to permanent access mode.
VLAN trunk does not belong to a specific VLAN; rather, it is a?
conduit for multiple VLANs between switches and routers. A trunk could also be used between a network device and server or other device that is equipped with an appropriate 802.1Q-capable NIC. By default, on a Cisco Catalyst switch, all VLANs are supported on a trunk port.
Dynamic Trunking Protocol (DTP) negotiation and switchport mode trunk
A port in switchport mode trunk becomes a trunk even if the interface connecting to it does not agree to the change; DTP negotiation only decides the outcome for dynamic auto and dynamic desirable ports, which become trunks only when the neighbor agrees.
virtual local area network (VLAN)
created on a Layer 2 switch; reduces the size of broadcast domains; modern networks have begun to use them in MANs and WANs as well
delete entire vlan.dat. file command?
delete flash:vlan.dat privileged EXEC mode command
VLAN hopping
enables traffic from one VLAN to be seen by another VLAN
PVLAN Edge: Private VLAN (PVLAN) Edge feature, also known as protected ports,
ensures that there is no exchange of unicast, broadcast, or multicast traffic between protected ports on the same switch; enable it with the switchport protected command in interface configuration mode. The feature is local to one switch: protected ports on different switches can still reach each other.
show interfaces trunk command
Check whether the local and peer native VLANs match; if the native VLAN does not match on both sides, VLAN leaking occurs. Also check whether a trunk has actually been established between the switches. Statically configure trunk links whenever possible.
The VLAN Trunking Protocol (VTP)
helps manage VLAN configurations between switches; VTP versions 1 and 2 can only learn and store normal range VLANs
Double-Tagging Attack
This type of attack takes advantage of the way the hardware on most switches operates: most switches perform only one level of 802.1Q de-encapsulation, which allows an attacker to embed a hidden inner 802.1Q tag inside the frame. The outer tag must match the trunk's native VLAN so that the first switch strips it and forwards the frame untagged, exposing the inner tag to the next switch; this is why the native VLAN should be an unused VLAN.
benefits of vlans
improved security, reduced cost, better performance, smaller broadcast domains, IT efficiency, and management efficiency
802.1Q header
includes a 4-byte tag inserted within the original Ethernet frame header, specifying the VLAN to which the frame belongs
most common error in VLANs?
incorrectly configured IP addresses or subnet masks; hosts that are not in the same subnet (same network and mask) cannot communicate
each VLAN must correspond to a unique?
IP subnet (IP network)
Devices from other vendors that support tagged frames on the native VLAN include?
IP phones, servers, routers, and non-Cisco switches
Switch spoofing
is a type of VLAN hopping attack that takes advantage of an incorrectly configured trunk port: the attacker configures a system to spoof itself as a switch, which requires being able to emulate 802.1Q and DTP messages. By tricking a switch into thinking that another switch is attempting to form a trunk, the attacker gains access to all the VLANs allowed on the trunk port. Mitigation: put user ports in switchport mode access and use switchport nonegotiate on trunks so DTP is never negotiated.
Common Problems with Trunks
native VLAN mismatches, trunk mode mismatches, and mismatched allowed-VLAN lists on trunks
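The three trunk problems above, plus the native VLAN and show interfaces trunk checks further up, are the kind of thing worth auditing from CLI output rather than by eye. The following is an added example (not from the course material or any Cisco tool): it parses two captures of show interfaces trunk, one from each end of the cabling, and reports per link whether the native VLANs match, whether either end is VLAN 1, whether the trunk was DTP-negotiated (auto/desirable) instead of static, and whether the trunk allows all VLANs. The two captures are constructed to match the IOS column layout, not taken from real devices, and the assumed link pairing (which port is cabled to which) is passed in by the caller.

```python
import re

# Constructed sample output in the layout of IOS "show interfaces trunk" (not from a real device).
S1_SHOW_TRUNK = """\
Port        Mode             Encapsulation  Status        Native vlan
Gi0/1       on               802.1q         trunking      99
Gi0/2       auto             n-802.1q       trunking      1

Port        Vlans allowed on trunk
Gi0/1       10,20,99
Gi0/2       1-4094
"""

S2_SHOW_TRUNK = """\
Port        Mode             Encapsulation  Status        Native vlan
Gi0/1       on               802.1q         trunking      1
Gi0/2       desirable        802.1q         trunking      1

Port        Vlans allowed on trunk
Gi0/1       10,20,99
Gi0/2       1-4094
"""

STATUS_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")
ALLOWED_RE = re.compile(r"^(\S+)\s+([\d,\-]+)\s*$")


def expand_vlan_list(spec):
    """'10,20,99' or '1-4094' -> set of VLAN IDs (the same syntax as the vlan command)."""
    vids = set()
    for part in spec.split(","):
        if "-" in part:
            lo, hi = map(int, part.split("-"))
            vids.update(range(lo, hi + 1))
        else:
            vids.add(int(part))
    return vids


def parse_show_trunk(text):
    """Return {port: {mode, encap, status, native, allowed}} from show interfaces trunk output.
    Only the status block and the 'Vlans allowed on trunk' block are read; the later
    'allowed and active' and 'forwarding state' blocks are skipped."""
    ports, section = {}, None
    for line in text.splitlines():
        if line.startswith("Port"):                 # a column header starts each block
            if "Native vlan" in line:
                section = "status"
            elif "Vlans allowed on trunk" in line:
                section = "allowed"
            else:
                section = None
            continue
        if not line.strip():
            continue
        if section == "status" and (m := STATUS_RE.match(line)):
            port, mode, encap, status, native = m.groups()
            ports[port] = {"mode": mode, "encap": encap, "status": status,
                           "native": int(native), "allowed": None}
        elif section == "allowed" and (m := ALLOWED_RE.match(line)) and m.group(1) in ports:
            ports[m.group(1)]["allowed"] = expand_vlan_list(m.group(2))
    return ports


def audit_link(local, remote):
    """Findings for one trunk link, given the parsed entry for each end of the cable."""
    findings = []
    if local["native"] != remote["native"]:
        findings.append(f"native VLAN mismatch: {local['native']} vs {remote['native']} (VLAN leaking)")
    if local["native"] == 1 or remote["native"] == 1:
        findings.append("native VLAN is 1; use an unused VLAN instead")
    for side, p in (("local", local), ("remote", remote)):
        if p["mode"] in ("auto", "desirable"):
            findings.append(f"{side} trunk is DTP-negotiated ({p['mode']}); "
                            "use switchport mode trunk + switchport nonegotiate")
        if p["allowed"] is not None and len(p["allowed"]) == 4094:
            findings.append(f"{side} end allows all VLANs; prune with switchport trunk allowed vlan")
    return findings


def audit_trunks(local_text, remote_text, links):
    """links: [(local_port, remote_port), ...] describing which ports are cabled together
    (an assumption supplied by the operator; the CLI output alone does not say)."""
    local, remote = parse_show_trunk(local_text), parse_show_trunk(remote_text)
    return {f"{lp}<->{rp}": audit_link(local[lp], remote[rp]) for lp, rp in links}


if __name__ == "__main__":
    for link, findings in audit_trunks(S1_SHOW_TRUNK, S2_SHOW_TRUNK,
                                       [("Gi0/1", "Gi0/1"), ("Gi0/2", "Gi0/2")]).items():
        print(link, findings or ["ok"])
```

Running it against the two constructed captures flags the Gi0/1 link for a native VLAN mismatch (99 on S1, 1 on S2) and the Gi0/2 link for being DTP-negotiated on both ends, using VLAN 1 as native and allowing all 4094 VLANs.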
An access port that is used to connect a Cisco IP phone can be configured to use two separate VLANs:
one VLAN for voice traffic and another VLAN for data traffic from a device attached to the phone. The link between the switch and the IP phone acts as a trunk to carry both voice VLAN traffic and data VLAN traffic.
Dynamic Trunking Protocol (DTP)
operates on a point-to-point basis only, between network devices; Cisco proprietary protocol; trunk negotiation only works when the neighbor switch is configured in a trunk mode that supports DTP
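The switchport mode entries above (trunk, access, dynamic auto, dynamic desirable, nonegotiate) together define when DTP lets a link come up as a trunk, and the switch spoofing entry is just that negotiation run against an attacker. The following is an added example, not course or Cisco code: a small model of the negotiation outcome for any pair of port settings. The rules are an assumption derived from the mode descriptions on this page (a trunk port trunks unconditionally, desirable asks, auto only answers, access never trunks, nonegotiate suppresses DTP frames); names like Port and negotiate are this example's own.

```python
from dataclasses import dataclass

MODES = ("access", "trunk", "dynamic auto", "dynamic desirable")


@dataclass(frozen=True)
class Port:
    """One end of a link: its switchport mode and whether switchport nonegotiate is set."""
    mode: str
    nonegotiate: bool = False

    def __post_init__(self):
        if self.mode not in MODES:
            raise ValueError(f"unknown switchport mode: {self.mode}")
        if self.nonegotiate and self.mode.startswith("dynamic"):
            # IOS only accepts switchport nonegotiate on access or trunk ports
            raise ValueError("switchport nonegotiate requires mode access or trunk")

    def becomes_trunk(self, peer: "Port") -> bool:
        """Does this end come up as a trunk, given what it hears from the peer?"""
        if self.mode == "trunk":
            return True                                   # trunks whatever the peer does
        if self.mode == "access":
            return False                                  # never trunks
        if peer.nonegotiate or peer.mode == "access":
            return False                                  # no DTP offer arrives from the peer
        if self.mode == "dynamic desirable":
            return True                                   # actively asks; trunk/desirable/auto peers agree
        return peer.mode in ("trunk", "dynamic desirable")  # dynamic auto: only trunks when asked


def negotiate(a: Port, b: Port) -> str:
    """Outcome of the link: 'trunk', 'access', or 'mismatch' (the two ends disagree,
    which is the trunk mode mismatch problem: one side trunks, the other does not)."""
    ta, tb = a.becomes_trunk(b), b.becomes_trunk(a)
    if ta and tb:
        return "trunk"
    if not ta and not tb:
        return "access"
    return "mismatch"


def attacker_can_trunk(victim_port: Port) -> bool:
    """Switch spoofing: an attacker emulating DTP behaves like a dynamic desirable peer.
    True when the victim port would hand that peer a trunk (and with it every allowed VLAN)."""
    return victim_port.becomes_trunk(Port("dynamic desirable"))


if __name__ == "__main__":
    for a, b in [(Port("dynamic auto"), Port("dynamic auto")),
                 (Port("dynamic desirable"), Port("dynamic auto")),
                 (Port("trunk", nonegotiate=True), Port("dynamic desirable")),
                 (Port("trunk", nonegotiate=True), Port("trunk", nonegotiate=True))]:
        print(a, b, "->", negotiate(a, b))
    print("default (dynamic auto) port exposed to switch spoofing:", attacker_can_trunk(Port("dynamic auto")))
```

The model reproduces the two points the page makes: the factory default (dynamic auto) is safe only until a desirable peer, or an attacker imitating one, shows up, and a trunk set to nonegotiate forms a trunk only when the other end is also statically configured as a trunk.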
show vlan brief command
displays each VLAN with its name and status and the ports assigned to it
VLAN trunk
point-to-point link between network devices that carries more than one VLAN; extends VLANs across an entire network; allows all VLAN traffic to propagate between switches so that devices in the same VLAN can communicate without a router
access layer switch
provides access into a LAN
Tagged traffic
refers to traffic that has a 4-byte tag inserted within the original Ethernet frame header, specifying the VLAN to which the frame belongs.
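The 4-byte tag described here and under the 802.1Q header entry is what the double-tagging attack abuses, so it helps to see both at byte level. The following is an added example, not course or Cisco code: a builder and parser for stacked 802.1Q tags, and a deliberately simplified model of two switches joined by a trunk (the assumption being that each switch pops exactly one tag per hop, that an access port accepts a frame tagged with its own VLAN, and that the native VLAN travels untagged unless tagging of the native VLAN is switched on). The MAC addresses and payload are constructed; the function names are this example's own.

```python
import struct

TPID_8021Q = 0x8100  # tag protocol identifier that marks a 4-byte 802.1Q tag


def build_frame(dst, src, vids, ethertype=0x0800, payload=b""):
    """Ethernet frame with zero or more stacked 802.1Q tags, outermost first.
    Each tag is TPID 0x8100 followed by the TCI (PCP 3 bits, DEI 1 bit, VID 12 bits)."""
    hdr = dst + src
    for vid in vids:
        hdr += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)  # PCP=0, DEI=0
    return hdr + struct.pack("!H", ethertype) + payload


def parse_tags(frame):
    """Walk every stacked tag after the MAC addresses; return the VIDs (outermost first)
    and the frame with all tags removed."""
    vids, off = [], 12
    while struct.unpack("!H", frame[off:off + 2])[0] == TPID_8021Q:
        tci = struct.unpack("!H", frame[off + 2:off + 4])[0]
        vids.append(tci & 0x0FFF)
        off += 4
    return vids, frame[:12] + frame[off:]


def pop_outer_tag(frame):
    """One level of 802.1Q de-encapsulation, which is all most switch hardware does."""
    return frame[:12] + frame[16:]


def push_tag(frame, vid):
    return frame[:12] + struct.pack("!HH", TPID_8021Q, vid) + frame[12:]


def access_ingress(frame, access_vlan):
    """Access port: accepts untagged frames, or a frame whose outer tag equals the port's own
    VLAN (the VLAN leaking behaviour); pops that single tag. Returns (vlan, frame) or None."""
    vids, _ = parse_tags(frame)
    if vids and vids[0] != access_vlan:
        return None  # dropped
    return access_vlan, (pop_outer_tag(frame) if vids else frame)


def trunk_egress(vlan, frame, native_vlan, tag_native=False):
    """Put a frame on an 802.1Q trunk: the native VLAN goes untagged unless the switch
    is configured to tag it; every other VLAN gets a tag."""
    if vlan == native_vlan and not tag_native:
        return frame
    return push_tag(frame, vlan)


def trunk_ingress(frame, native_vlan):
    """Receive from a trunk: classify by the outer tag, or by the PVID (native VLAN) if untagged."""
    vids, _ = parse_tags(frame)
    if vids:
        return vids[0], pop_outer_tag(frame)
    return native_vlan, frame


def double_tag_attack(attacker_vlan, native_vlan, target_vlan, tag_native=False):
    """Attacker on an access port in attacker_vlan sends outer tag = attacker_vlan and a hidden
    inner tag = target_vlan. Returns the VLAN the second switch finally delivers the frame into."""
    frame = build_frame(b"\xff" * 6, bytes.fromhex("02aabbccddee"),  # constructed addresses
                        [attacker_vlan, target_vlan], payload=b"constructed payload")
    accepted = access_ingress(frame, attacker_vlan)
    if accepted is None:
        return None
    vlan, frame = accepted
    on_wire = trunk_egress(vlan, frame, native_vlan, tag_native)
    final_vlan, _ = trunk_ingress(on_wire, native_vlan)
    return final_vlan


if __name__ == "__main__":
    print("native VLAN 1, attacker in VLAN 1, target 20  ->", double_tag_attack(1, 1, 20))
    print("native VLAN 999 (unused), attacker in VLAN 1   ->", double_tag_attack(1, 999, 20))
    print("native VLAN 1 but tagged on the trunk          ->", double_tag_attack(1, 1, 20, tag_native=True))
```

With the native VLAN equal to the attacker's access VLAN the first switch strips the outer tag and sends the frame untagged, the second switch reads the exposed inner tag and delivers into VLAN 20. Moving the native VLAN to an unused ID, or tagging the native VLAN on the trunk, keeps the outer tag on the wire and the frame stays in the attacker's own VLAN.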
VLANS provide?
segmentation and organizational flexibility; a group of devices within a LAN communicates as if attached to the same wire; based on logical connections, not physical ones
to support VoIP a ___ is required
separate voice vlan
To determine the current DTP mode, issue what command?
show dtp interface interface-id
verifying trunk config
show interfaces interface-id switchport command (for example show interfaces f0/1 switchport)
verify vlan info command?
show vlan ____, show vlan brief, show vlan summary
VLAN creates a logical broadcast domain that can?
span multiple physical LAN segments
VLANs enable the implementation of access and security policies according to ?
specific groupings of users. Each switch port can be assigned to only one VLAN (with the exception of a port connected to an IP phone or to another switch)
Use the Cisco IOS switchport trunk allowed vlan vlan-list command to ?
specify the list of VLANs to be allowed on the trunk link.
To configure a switch port on one end of a trunk link command?
switchport mode trunk -With this command, the interface changes to permanent trunking mode
All untagged traffic coming in or out of the 802.1Q port is forwarded based on
the PVID value. For example, if VLAN 99 is configured as the native VLAN, the PVID is 99 and all untagged traffic is forwarded to VLAN 99.
When VLANs are implemented on a switch, the transmission of unicast, multicast, and broadcast traffic from a host in a particular VLAN are restricted to?
the devices that are in that VLAN
interface range command
to simultaneously configure multiple interfaces
an access port can only belong to one what at a time?
VLAN (except for a port connected to an IP phone, which also carries a voice VLAN)
default native VLAN
VLAN 1
Extended Range VLANs
Used by service providers to extend their infrastructure to a greater number of customers; some global enterprises are also large enough to need extended range VLAN IDs. Identified by a VLAN ID between 1006 and 4094; saved in the running config, not in vlan.dat; VTP (versions 1 and 2) does not learn extended range VLANs.