CCIE R&S Advanced Technologies Class v4.5 - Ethernet Overview, Layer 2 Switchports, Trunking, ISL, 802.1q, DTP

Transcript

1	Introduction	0h 43m
2	Using the Cisco Documentation	0h 52m
3	Ethernet Overview, Layer 2 Switchports, Trunking, ISL, 802.1q, DTP	0h 47m
4	VTP, VTP Authentication, VTP Pruning	1h 02m
5	VTP Prune Eligible List, VTP Transparent, VTP Troubleshooting, Trunk Allowed List, Extended VLANs	0h 48m
6	VLAN and VTP Review	0h 19m
7	SVIs, Native Routed Interfaces, Router-on-a-Stick	0h 46m
8	Layer 2 EtherChannel, EtherChannel Load Balancing, Layer 3 EtherChannel	0h 57m
9	802.1q Tunneling, Layer 2 Protocol Tunneling, EtherChannel over 802.1q Tunneling	1h 03m
10	STP Root Bridge Election, STP Root Port Election, STP Designated Port Election, STP Priority, STP Cost, STP Port-Priority	1h 06m
11	STP Review	0h 12m
12	STP Timers, STP PortFast	0h 34m
13	STP UplinkFast	0h 11m
14	STP BackboneFast	0h 12m
15	STP BPDU Filter	0h 13m
16	STP BPDU Guard	0h 11m
17	STP Root Guard	0h 11m
18	STP Loop Guard, Unidirectional Link Detection (UDLD)	0h 11m
19	Multiple Spanning-Tree Protocol (MST)	0h 40m
20	Rapid Spanning-Tree Protocol (RSTP), Rapid-PVST	0h 18m
21	MST with Multiple Regions	0h 33m
22	Flex Links	0h 16m
23	Frame Relay	0h 39m
24	Frame Relay Configuration Part 1	0h 34m
25	Frame Relay Configuration Part 2	0h 41m
26	Frame Relay Switching	0h 27m
27	Back-to-Back Frame Relay	0h 08m
28	Frame-Relay End-to-End Keepalives	0h 18m
29	PPP, PPP PAP Authentication, PPP CHAP Authentication	0h 59m
30	PPPoFR, PPPoE	0h 40m
31	Transparent Bridging, IRB	0h 32m
32	Fallback Bridging	0h 14m
33	IP Routing Overview, Switching Paths, Static Routing	0h 42m
34	Static Routing Examples	0h 25m
35	IP Default-Gateway, IP Default-Network	0h 14m
36	On-Demand Routing (ODR)	0h 07m
37	Floating Static Routes	0h 10m
38	Backup Interface	0h 29m
39	Enhanced Object Tracking, IP SLA, Reliable Static Routing	0h 21m
40	Policy Routing	0h 43m
41	GRE Tunneling, GRE Recursive Routing Errors	0h 27m
42	Reliable Backup Interface with GRE	0h 25m
43	RIP Overview, RIP Versions, RIP Auto-Summary	0h 48m
44	RIP Split-Horizon, RIP Timers	0h 22m
45	RIP Broadcast Updates, IP Directed Broadcast, IP Broadcast-Address, Smurf Attacks, Fraggle Attacks	0h 16m
46	RIP Unicast Updates	0h 03m
47	RIP Offset-List	0h 18m
48	RIP Authentication	0h 11m
49	RIP Summarization	0h 10m
50	Prefix-Lists, RIP Distribute-List Filtering, RIP Administrative Distance Filtering	0h 48m
51	RIP Default Routing, RIP Conditional Default Routing	0h 18m
52	RIP Triggered, RIP Validate Update Source,	0h 12m
53	EIGRP Overview	0h 29m
54	EIGRP Auto-Summary	0h 07m
55	EIGRP Split-Horizon	0h 11m
56	EIGRP Update Types, EIGRP Neighbor, EIGRP Passive-Interface	0h 24m
57	EIGRP Hello-Interval, EIGRP Hold-Time	0h 05m
58	EIGRP Authentication	0h 11m
59	EIGRP Time Based Authentication	0h 25m
60	EIGRP Path Selection, EIGRP Metric Weights, EIGRP Traffic Engineering	0h 47m
61	EIGRP Unequal Cost Load Balancing, EIGRP Variance	0h 19m
62	EIGRP QUERY, EIGRP Summarization, EIGRP Leak-Map	0h 28m
63	EIGRP Stub Router Advertisement	0h 22m
64	EIGRP Default Routing	0h 13m
65	EIGRP Route Filtering	0h 11m
66	EIGRP Router-ID	0h 07m
67	Miscellaneous EIGRP Features	0h 02m
68	OSPF Overview	0h 27m
69	Establishing OSPF Adjacencies, Understanding the OSPF Database	0h 43m
70	OSPF Network Type Broadcast, OSPF DR/BDR Election, OSPF over NBMA, OSPF Network Type Non-Broadcast and Point-to-Multipoint	0h 56m
71	OSPF Network Type Point-to-Point, OSPF Network Type Mismatch	0h 13m
72	OSPF Network Type Point-to-Multipoint Non-Broadcast, OSPF Per Neighbor Cost	0h 17m
73	OSPF Network Type Loopback	0h 02m
74	OSPF Path Selection	0h 27m
75	OSPF Convergence Timers	0h 09m
76	OSPF Authentication	0h 12m
77	OSPF Summarization	0h 32m
78	OSPF Stub Areas, OSPF Totally Stubby Areas, OSPF NSSAs, OSPF Totally NSSAs	0h 40m
79	Controlling OSPF NSSA Redistribution	0h 02m
80	OSPF Type 7 to 5 Translator Election, OSPF LSA Type 3 Filter, OSPF Forwarding Address Suppression	0h 24m
81	Route Redistribution Overview	0h 36m
82	Route Redistribution Configuration & Verification, Connected Redistribution	0h 22m
83	OSPF External Path Selection, TCL PING Scripting	0h 33m
84	Routing Loops Overview, EIGRP Route Loop Prevention	0h 55m
85	Metric Based Routing Loops, Route Tagging	0h 46m
86	Administrative Distance Based Routing Loops, Debug IP Routing, IP Route Profile	0h 58m
87	BGP Overview, BGP Peering Types	0h 51m
88	Establishing BGP Peerings, EBGP Multihop, BGP Neighbor Disable Connected Check, BGP TTL Security	0h 49m
89	BGP 4-Byte ASNs	0h 20m
90	BGP Local AS, BGP Peer Groups	0h 30m
91	BGP Next-Hop Self, BGP Next-Hop Processing	0h 30m
92	BGP Route Reflectors	0h 37m
93	Large Scale BGP Route Reflectors with Clusters	0h 34m
94	BGP Confederation	0h 37m
95	BGP NLRI Advertisements, BGP Network Statement, BGP Redistribution	0h 43m
96	BGP Aggregation, BGP Aggregation & Summary-Only, BGP Aggregation & Unsuppress-Map	0h 46m
97	BGP Origin, BGP Aggregation & AS-Set, BGP Aggregation & Advertise-Map	0h 22m
98	BGP Conditional Route Injection	0h 21m
99	BGP Bestpath Selection, BGP Multipath, BGP Weight	0h 53m
100	BGP Local Preference, BGP Local Preference and Communities, BGP AS-Path Prepending,	0h 30m
101	BGP MED, BGP MED Missing As Worst, BGP Deterministic MED	0h 17m
102	BGP Communites, BGP Regular Expressions	0h 43m
103	BGP Filtering, BGP Convergence Timers, BGP Default Routing, Miscellaneous BGP Features	0h 24m
104	MPLS Overview, MPLS Label Distribution Protocol (LDP)	1h 05m
105	MPLS Tunnels, MPLS Penultimate Hop Popping (PHP)	0h 40m
106	MPLS Layer 3 VPNs Overview, VRF Lite	0h 36m
107	MPLS Layer 3 VPNs and VPNv4 BGP	1h 08m
108	MPLS Layer 3 VPN Verification & Troubleshooting	0h 49m
109	MPLS Layer 3 VPN OSPF PE-CE Routing Overview	0h 06m
110	MPLS Layer 3 VPN OSPF PE-CE Routing Path Selection & Sham-Links	2h 01m
111	MPLS Layer 3 VPN OSPF PE-CE Routing Loop Prevention & Down-Bit, OSPF Capability VRF-Lite	0h 40m
112	IPv6 Overview, IPv6 ICMPv6 ND, IPv6 over NBMA	0h 44m
113	IPv6 Routing Overview, IPv6 Static Routing	0h 28m
114	IPv6 RIPng	0h 20m
115	IPv6 EIGRPv6	0h 09m
116	IPv6 OSPFv3	0h 31m
117	MP-BGP for IPv6	0h 26m
118	IPv6 Tunneling	1h 13m
119	Multicast Overview, IGMP	0h 34m
120	PIM Overview	0h 18m
121	PIM Dense Mode	1h 03m
122	PIM Sparse Mode	0h 30m
123	PIM Sparse Mode Configuration	0h 36m
124	PIM Sparse Mode RPF & RP Troubleshooting	0h 27m
125	Auto-RP, Multicast over GRE Tunnels	0h 53m
126	Bootstrap Router (BSR), Bidirectional PIM, Source Specific Multicast (SSM)	0h 40m
127	MSDP, Anycast RP	0h 27m
128	IPv6 Multicast Routing	0h 24m
129	QoS Overview, IntServ QoS, DiffServ QoS, IP Precedence, DSCP, MQC, HQF	0h 41m
130	MQC Classification	0h 44m
131	FIFO, FQ, WFQ, CBWFQ, HQF	0h 50m
132	LLQ	0h 23m
133	WRED	0h 31m
134	Traffic Shaping, Traffic Policing	0h 40m
135	Frame Relay Traffic Shaping (FRTS)	0h 33m
136	RSVP	0h 07m
137	Catalyst 3560 QoS	1h 00m
138	IOS Security Overview, Access Lists (ACLs)	0h 58m
139	Time Based ACLs, Dynamic ACLs	0h 33m
140	Reflexive ACLs	0h 21m
141	TCP Intercept, Content Based Access Control (CBAC)	0h 34m
142	Zone Based Policy Firewall (ZBPF)	1h 09m
143	AAA, Local Authentication, Local Authorization, Role Based CLI Access	0h 43m
144	Port Security, Static CAM Entries, Storm Control, 802.1X Authentication, PACLs, RACLs, VLAN Access Maps (VACLs)	0h 48m
145	DHCP Snooping, Dynamic ARP Inspection (DAI), IP Source Guard	0h 12m
146	Protected Ports, Private VLANs	0h 25m
147	IP Services Overview, HSRP	1h 10m
148	VRRP, GLBP	0h 28m
149	NAT	0h 42m
150	DHCP, DNS	0h 30m
151	NetFlow	0h 09m
152	WCCP, Miscellaneous IP Services	0h 06m
153	System Management Overview, NTP, NTP Authentication	0h 24m
154	SNMP, RMON	0h 38m
155	Syslog, Telnet, SSH, Banners	0h 21m
156	EEM Scripting, Miscellaneous System Management	0h 26m
Total Duration		81h 02m

Slides - Diagrams

Slides - Introduction

Slides - Ethernet Switching

Slides - Advanced Ethernet Switching

Slides - Frame Relay

Slides - PPP

Slides - Transport Bridging

Slides - Redistribution

Slides - IOS Security

Slides - Layer 2 Security

Slides - IP Services

Slides - System Management

0:00:13	In our next section here we're going to talk about Ethernet switching
0:00:17	and specifically the core topics that are related to Ethernet
0:00:20	within the scope of the routing and switching exam.
0:00:24	Now one of the keys to passing the exam
0:00:26	is to have a good strategy about the particular order
0:00:28	that you are going to configure sections in
0:00:31	so that the network is built in a logical fashion.
0:00:34	So for example, it doesn't make sense to do BGP peering
0:00:37	before you check that your Ethernet VLANs are assigned
0:00:40	or that your frame relay PVCs are configured correctly.
0:00:43	Now within a particular technology domain
0:00:45	like Ethernet or IGP routing
0:00:47	we can also separate the topics into core networking tasks
0:00:52	versus the peripheral tasks or things that are just on the side.
0:00:56	Now the core tasks
0:00:57	are the ones that we need to configure 100 percent correctly
0:01:01	in order to proceed out of this section.
0:01:03	So in the case of Ethernet,
0:01:05	this is anything that is related to us getting basic Layer 2 connectivity.
0:01:09	So if Layer 2 connectivity is not there
0:01:11	then anything Layer 3 or above, like OSPF or Multicast, BGP,
0:01:17	that stuff is simply not going to work.
0:01:19	Now the peripheral tasks are basically anything that we can skip over
0:01:24	without having an immediate impact on anything that is Layer 3 or above.
0:01:30	An example of the core tasks
0:01:31	would be anything related to trunking, VLANs, or VTP.
0:01:36	So this is our basic intra and inter switch communication
0:01:41	Then potentially Etherchannel between the switches
0:01:46	and 802 dot1q tunneling
0:01:48	if it is located somewhere in the core of the network topology.
0:01:53	So with these five topic domains, once we're done with configuring all of these,
0:01:57	we should have basic direct connectivity
0:02:00	between on any of the devices in the network.
0:02:04	So, of course, until we can figure out our routing protocols
0:02:07	IGP, BGP, and beyond,
0:02:10	we won't have full reachability in the network
0:02:12	but at least routers on VLAN 10
0:02:15	should have reachability to routers on VLAN 10.
0:02:18	And routers on VLAN 20 likewise should have reachability to routers on VLAN 20.
0:02:23	So these are the first topics that we need to focus on
0:02:27	to make sure that we understand how to do all the configuration for these
0:02:31	the verification, and then if there is a problem in something,
0:02:34	what's some of the troubleshooting steps that we can go through
0:02:37	in order to try to resolve any issues.
0:02:39	Now the peripheral topics,
0:02:41	is basically going to be anything else that the catalyst IOS supports.
0:02:45	Any type of spanning tree manipulation,
0:02:47	whether this is in regular per VLAN spanning tree
0:02:50	or multiple and rapid spanning tree or any of the spanning tree features,
0:02:55	like uplink fast, backbone fast, root guard, loop guard,
0:02:59	that's stuff we technically don't need to configure
0:03:02	in order to get basic Layer 2 reachability.
0:03:06	Now, of course, spanning tree should be on by default
0:03:11	but it's just that we don't need to change any of the spanning tree options
0:03:13	in order to get our basic connectivity working.
0:03:17	The same would be true of any Layer 2 security or Layer 2 QoS.
0:03:21	Those topics we will cover separately when we get to security
0:03:25	and when we get to Quality of Service.
0:03:27	So we're not going to be talking about either of those this week.
0:03:31	But as you could probably guess, you wouldn't need to configure
0:03:36	let's say, traffic policing in order to get connectivity between two hosts on the same VLAN.
0:03:45	Now this may be necessary in order to get credit for a particular section in the exam
0:03:50	so to get the points for the individual tasks
0:03:52	but at least we can move on to the Layer 3 configurations
0:03:56	without needing to do all of the QoS security and feature type stuff.
0:04:02	This is not to say that we are going to skip over these topics
0:04:06	when the final configuration is done
0:04:09	just that we can choose what the order that we want to approach this in the exam is.
0:04:13	Ideally I would want to approach the exam
0:04:16	where I am building the core of the network first
0:04:20	which is the trunking, the VLANs, EtherChannel, etc.
0:04:24	make sure that everything has connectivity
0:04:26	before I were to configure a VLAN access list or port security.
0:04:31	Because these type of topics
0:04:34	we know that we don't need port security for something to work
0:04:37	or we don't need a VLAN access list for something to work
0:04:41	but these topics could break the connectivity.
0:04:49	So it doesn't make sense to configure a VLAN access list
0:04:52	without already doing the basic Layer 2 configuration and making sure that works.
0:04:58	So we'll see as we go through these technologies we're always going to approach them
0:05:02	in a logical manner for how the network should be built from a design point of view.
0:05:09	So it doesn't make sense to implement the actual application
0:05:14	let's say like a media server before we check if the cables are plugged in.
0:05:19	So we'll see a lot of the topics as we progress through the class.
0:05:22	They're going to follow roughly how the OSI model works
0:05:26	that we'll start with Layer 2, work up to Layer 3,
0:05:28	and then the applications beyond that.
0:05:31	So this means then that our first step for switching
0:05:34	is to do whatever is necessary to get us basic connectivity
0:05:38	between the routers and the other devices on the same segments.
0:05:43	So this means we need to know
0:05:44	what are the Layer 2 statuses of the interfaces,
0:05:46	what are the Layer 3 statuses of the interfaces.
0:05:50	For Layer 2 links we basically have four different options.
0:05:55	We could run access ports, trunk ports, dot1q tunnels,
0:05:59	or use dynamic interfaces.
0:06:02	Where the difference between them is that an access port is one single VLAN.
0:06:07	Trunking is going to be multiple VLANs, so for inter switch communication.
0:06:12	A tunnel port, which is also sometimes called Q & Q or an 802.1 Q tunnel.
0:06:18	This will be for a transparent Layer 2 VPN
0:06:22	which we'll take a look at a little bit later today.
0:06:26	Lastly we have the dynamic switchports.
0:06:27	Those are going to be using dynamic trunking protocol or DTP
0:06:32	to automatically figure out which of these first three
0:06:37	switchport types should we be running as.
0:06:41	So dynamic ports will automatically figure out
0:06:43	should this link be an access port or should this be a trunk port.
0:06:47	Now the other two types, the Layer 3 ports,
0:06:50	the SVIs, the switch virtual interfaces,
0:06:53	and the native rooted interfaces
0:06:55	we'll take a look at that after we go through the basic Layer 2 connectivity.
0:06:59	So for access port configurations, pretty straight forward.
0:07:02	Let's take a look at the command line here.
0:07:06	If we were to go to one of the switches
0:07:10	and at the link level if we say switchport mode is access,
0:07:17	and the switchport access VLAN, let's say VLAN 10 for example,
0:07:22	Okay, the switch by default, since it is running in VTP server mode,
0:07:28	and also if we look at the running configuration here,
0:07:31	I basically don't have any other options other than just the host name.
0:07:36	So everything is essentially default on the switch
0:07:39	other than what I just changed here on the Ethernet.
0:07:43	So this link is not configured as an access port.
0:07:46	It's running VLAN 10 as its VLAN assignment.
0:07:51	If we were to look at the show interface FastEthernet 1 switchport
0:07:56	This is going to show us all the possible Layer 2 attributes of the interface.
0:08:02	First and foremost it says that switchport is enabled.
0:08:05	Okay, this means that the link is running in Layer 2 mode.
0:08:10	The administrative mode is static access.
0:08:14	This is what we have configured.
0:08:16	The operational mode right now is down
0:08:19	because either the link is not plugged in
0:08:22	or on the other end it's in the shutdown mode.
0:08:26	So if this links specifically on switch one's port FastEthernet 0/1
0:08:31	this is going to connect to router one's FA 0/0.
0:08:38	So let's take a look at router one here.
0:08:43	And show IP interface brief.
0:08:47	Right now this link is shut down.
0:08:49	So let's just go to FA 0/0, we'll say no shut,
0:08:53	and we should see the status get updated on the switch. Okay, which it is.
0:08:59	So now if we look at the show interface switchport again
0:09:03	It says now both the administrative mode and the operation mode are static access.
0:09:10	Now the case where you would see these two as different
0:09:14	is if the link is down like we saw in the previous case
0:09:19	or the administrative mode is dynamic.
0:09:28	So if the administrative mode is dynamic, either auto or dynamic desirable,
0:09:33	the operational mode, this is going to show us what the result of that negotiation is.
0:09:40	So if the link negotiated as a trunk
0:09:42	the operational mode would be trunk.
0:09:44	If the link negotiates as access it's going to be access.
0:09:49	We can also see here that the negotiation of trunking is off.
0:09:53	This is referring to DTP, the dynamic trunking protocol.
0:09:58	The reason this is off here
0:10:00	is because I manually set the mode to be static access.
0:10:06	So if we were to look at another port
0:10:09	let's say on the connection to router 3,
0:10:12	so on router 3's Ethernet,
0:10:17	we'll say likewise no shutdown.
0:10:25	This will be switch one's port FastEthernet 0/3.
0:10:29	If we look at the show run interface, FA 0/3,
0:10:33	we could see that everything is default.
0:10:36	If we look at the show interface, FastEthernet 3 switchport,
0:10:42	it says for this particular platform the administrative mode is dynamic auto by default.
0:10:49	This means that the negotiation of trunking is on
0:10:53	but we're not actually initiating this negotiation.
0:10:58	So if we were to do a low level debug and look at the DTP control packets that are on the interface
0:11:05	We would not be sending them out
0:11:07	we would be passively listening for them to come in.
0:11:12	In this particular case,
0:11:14	the device on the other end of the link, which is router three,
0:11:17	did not initiate negotiation through DTP
0:11:20	so then we fall back to access mode.
0:11:25	The key point being here for this particular platform and version,
0:11:29	the default interface mode is dynamic auto.
0:11:33	So this means that a trunk will be formed
0:11:37	only in the case that someone on the other side
0:11:40	is running DTP in desirable mode
0:11:45	which means that DTP does initiate the negotiation out the link
0:11:50	to try to get the other interface to become a trunk.
0:11:55	Now since the administrative mode, which again is the configured mode,
0:12:00	is dynamic auto, this means that the trunking encapsulation would be negotiated.
0:12:07	So with DTP it will attempt to negotiate dot1q first,
0:12:12	or excuse me, it will try to negotiate ISL first.
0:12:14	If ISL trunking negotiation fails then it will fall back to dot1q.
0:12:19	If that fails then it's going to go to access mode
0:12:24	which is what we had in this case.
0:12:27	But the key point being, for these default configurations, negotiation of trunking is on.
0:12:33	Again, when we looked at the
0:12:39	show interface FastEthernet one switchport
0:12:43	negotiating of trunking was off.
0:12:46	This is only because I manually configured the link as static access.
0:12:53	So whether you want to do this
0:12:56	statically set the mode, it really depends what the ultimate goal is.
0:12:59	Within the scope of the lab exam
0:13:01	unless the question specifically tells you to do one or the other,
0:13:05	it really doesn't matter as long as you end up in the correct result.
0:13:10	Where most likely the correct result is that you want routers on VLAN 10
0:13:14	to have reachability to routers on VLAN 10
0:13:17	and likewise VLAN 20 should reach VLAN 20.
0:13:20	We really only care about what the mode of the interface is
0:13:23	if there's something specific in the question that is leading us to use one versus the other.
0:13:29	Now within a real design, the reason we may want to run this dynamic mode would be for what?
0:13:39	Why would you want to run DTP in production on these interfaces?
0:13:43	One case would be to make it easier to deploy your IP telephony.
0:13:49	So your Cisco phones, when you plug them into the access layer,
0:13:54	those are also going to run DTP.
0:13:56	So the phone and the switch will automatically negotiate a trunk
0:14:00	which consists of the access VLAN for the data
0:14:03	and the voice VLAN for the actual voice traffic, for the phone call.
0:14:08	But most of the time you would know in your own network design
0:14:13	what links should be trunks and what links would not be trunks.
0:14:18	So unless you have some very specific application like telephony
0:14:21	or maybe your wireless access points are moving around a lot
0:14:25	you should really know which are going to be the trunk links and which are not.
0:14:29	We'll see when we get to the security portion of Layer 2
0:14:33	this is a possible vulnerability to leave the interface in desirable mode
0:14:39	because a malicious host can negotiate a trunk with a switch,
0:14:45	do a spanning tree attack to announce itself as the root bridge,
0:14:50	where the end result is a Layer 2 man in the middle attack
0:14:54	where essentially the end host can sniff any of the Layer 2 traffic
0:14:58	on all of the segments in the network.
0:15:02	So ideally if we know that this particular interface is going to the end hosts
0:15:06	we would just want to set the mode to be static access.
0:15:11	This would mean that if the end host
0:15:14	sent an ISL frame or a dot1q tagged frame, the switch is just going to throw those away.
0:15:21	So anything on an access port that has a trunk encapsulation, the switch will not accept it.
0:15:26	But if the link is in dynamic mode
0:15:29	the switch could negotiate through DTP
0:15:34	that trunking will occur and then also what the encapsulation is
0:15:37	either ISL or dot1q.
0:15:39	Now for the trunking we know we have two different encapsulations, we have ISL and dot1q.
0:15:44	Functionally there's not really a big difference between them.
0:15:47	The overall idea is we just want to
0:15:51	to carry what is the VLAN assignment in the particular packet.
0:15:54	So when the switch is sending packets out a trunk link
0:15:58	It's going to use the ISL encapsulation or the dot1q header
0:16:02	to tell the switch on the remote end what particular VLAN is that frame supposed to belong to.
0:16:08	Really the only functional difference is dot1q's notion of the native VLAN
0:16:15	which essentially is untagged traffic as the packets are sent over the interface.
0:16:23	So if the switch's native VLAN on the trunk is VLAN 10
0:16:27	every VLAN besides 10
0:16:30	would receive a dot1q tag in the frame.
0:16:34	When we receive frames that have no tag value
0:16:37	we would assume they are part of the native VLAN.
0:16:40	Then likewise when we have a frame that is in the native VLAN we are going to send outbound
0:16:46	the switch does not modify the frame - it doesn't add a dot1q tag.
0:16:51	Now there are some specific cases where you would need to use this.
0:16:56	Some intrusion prevention or intrusion detection or some firewall devices
0:17:02	sometimes don't understand the tag values
0:17:07	so in certain cases you may want to send untagged frames to them.
0:17:10	Okay, or likewise the reverse could also be true where some devices don't understand untagged frames
0:17:17	where you would need to tell dot1q that I do want to tag all frames.
0:17:22	So we can do this configuration wise if we look at any of the switches in global config.
0:17:29	If we go to, let's say, switch one here and the command would be... not dot one x
0:17:38	it would be VLAN dot1q tag native.
0:17:44	So this is a global command that will apply to all trunk links.
0:17:48	This essentially means that for any dot1q trunk you now have
0:17:53	even if traffic is being sent out in the native VLAN it will include a dot1q tag value with it.
0:18:03	So you're essentially making dot1q behave like ISL
0:18:07	because ISL automatically encapsulates all VLANs.
0:18:11	So even if it's VLAN 1, it gets a header and a trailer for ISL.
0:18:16	But with dot1q if we were to look at the show interface trunk
0:18:23	we see that some of these interfaces automatically negotiated as trunking by default.
0:18:29	The first one is FastEthernet 0/16.
0:18:33	If we look at the show interface FA 0/16 switchport
0:18:38	we see that the native VLAN by default is one.
0:18:45	So this means that any traffic the switch sends out that link
0:18:49	in VLAN 1, is not going to receive a dot1q tag.
0:18:52	Then likewise if anything is received inbound and it does not already have a tag
0:18:58	we would assume that the VLAN assignment should be 1.
0:19:05	Now really the only case that this going to matter
0:19:08	is if for some reason the switches don't agree on what the VLAN tag is
0:19:17	or excuse me, don't agree on what the native VLAN is.
0:19:19	So if two switches are trunking dot1q
0:19:22	and one of them says the native VLAN is 10 and the other says the native VLAN is 20
0:19:28	if we were to look at an example case of this,
0:19:31	let's say that we have switch one and switch two
0:19:40	who are connected. Switch one is connected to hosts A and B.
0:19:44	Switch two is connected to hosts C and D.
0:19:48	Then we have a dot1q trunk between them.
0:19:54	So our goal here is to get traffic from host A which is in VLAN 10
0:19:59	to host C which is also in VLAN 10.
0:20:04	Then host B, which we'll say is in VLAN 20,
0:20:11	we want this to get to host D that is in VLAN 20 as well.
0:20:17	Now normally since the native VLAN is one
0:20:20	both the VLAN 10 and the VLAN 20 traffic will be tagged as it is sent over the link.
0:20:26	The potential design issue is that if switch one says that my native VLAN
0:20:33	is 10 and switch two says that the native VLAN is 20
0:20:41	what would happen is that when a frame is received from A
0:20:46	and is encapsulated onto the trunk link
0:20:49	since the native VLAN is 10 this frame would be sent untagged.
0:20:56	When switch two receives this inbound
0:20:59	it says my native VLAN is 20
0:21:02	the tag does not have a... or the frame does not have a tag
0:21:06	so I'm going to assume it's part of VLAN 20.
0:21:09	So essentially the end result is that traffic leaks between the two different broadcast domains.
0:21:15	Host A can send traffic to host D
0:21:18	and host C can send traffic to host B.
0:21:21	But that's not what we want because we're trying to define two separate broadcast domains as VLAN 10 and 20.
0:21:28	We'll also see later there are some potential issues when we deal with 802 dot1q tunneling
0:21:36	that if the customer switch and the provider switch do not agree on what the native VLAN is supposed to be
0:21:43	the customer's traffic can leak into the provider network which is generally bad.
0:21:47	So configuration wise, if we look at the
0:21:51	the switches here. Let's say we got to then interface FastEthernet 16
0:21:55	and say switchport, trunk, native VLAN, we could see we can change the value if we want to.
0:22:06	So it is VLAN one by default.
0:22:08	Really there's no reason why you would want to change this
0:22:11	within the scope of the exam unless there's a particular question that is asking you to do that.
0:22:15	So again our only main differences here
0:22:18	are that... well actually there's two differences.
0:22:20	ISL is Cisco proprietary where dot1q is an open standard.
0:22:24	ISL tags all of the traffic, or more specifically encapsulates the traffic
0:22:29	because there's both a header and a trailer.
0:22:32	Where dot1q is tagging the frame because it is modifying the previous frame.
0:22:38	ISL takes the previous frame unmodified and puts a new encapsulation on top of it.
0:22:44	Dot1q is a little bit more lightweight because it doesn't have to do that entire encapsulation.
0:22:52	So you'll see even in a lot of new platforms that Cisco is putting out, ISL is no longer supported
0:22:58	because implementation wise there's no advantage to use ISL versus dot1q.
0:23:03	It used to be way back that ISL only supported certain types of spanning tree,
0:23:09	like per VLAN spanning tree for the one instance per VLAN
0:23:13	where dot1q didn't support that.
0:23:16	Then Cisco came out with the per VLAN spanning tree plus
0:23:20	which was a way to encode the per VLAN spanning tree into the dot1q tag.
0:23:27	But now dot1q natively supports that so there's really no advantage of running ISL versus dot1q.
0:23:34	Okay, you would actually prefer the latter because the encapsulation is less overhead.
0:23:43	So again our, verification wise if we look at show interface trunk
0:23:48	we saw that on switch one here that if we do show interface trunk
0:23:53	this tells us that a couple of these links were automatically negotiated as trunks.
0:23:58	We can tell that because the mode is auto.
0:24:01	It says the encapsulation is n-isl
0:24:04	which means that ISL was automatically negotiated.
0:24:09	The status is currently trunking.
0:24:11	The native VLAN is one.
0:24:12	In this particular case this value does not matter because we're not running dot1q.
0:24:19	So ISL doesn't care about what the native VLAN is.
0:24:23	So now let's talk about the dynamic trunking protocol
0:24:27	and what are some of the different options that we can use here in DTP
0:24:32	in order to form a trunk link.
0:24:35	So again, the key about this protocol,
0:24:39	DTP, is that we're using it to automatically negotiate what our trunk links are supposed to be.
0:24:45	There's two modes of configuration we can run in
0:24:49	desirable mode and auto mode.
0:24:51	Desirable mode means that we will send DTP frames out
0:24:56	and we will attempt to initiate the trunking.
0:24:59	Whereas the auto mode simply listens for DTP to come in.
0:25:04	It's not going to initiate the negotiation.
0:25:08	So the result of this would be is that if both switches are in auto mode
0:25:12	they would not automatically form a trunk.
0:25:15	As long as least one of them is in desirable mode and DTP is on then a trunk should be formed.
0:25:25	There's actually two ways we can do this configuration wise
0:25:28	which is to say that the switchport mode is either dynamic desirable or dynamic trunk
0:25:34	where the second implementation here is a little bit less known.
0:25:40	So you would assume that since the mode is trunk
0:25:44	you're saying that the link has to be a trunk.
0:25:48	You're technically saying that on the other side it could be automatically negotiated.
0:25:55	So let's look at an example of this between two of the switches.
0:26:00	Now if we look at our switching topology
0:26:04	physically again there's four switches and each of them have three links that are going to the other switches
0:26:12	so switch one and two
0:26:18	they have three different interfaces that are going between them
0:26:21	specifically these are port numbers FastEthernet 13, 14, and 15.
0:26:29	Okay, it's the same values on both sides.
0:26:31	Again for our physical topology
0:26:33	if you take a look at the rack rental page
0:26:36	you can see the PDF that specifies what the physical connections are.
0:26:42	Now on switch one and switch two, both of these are 3560s.
0:26:48	The 3560 will have all of its ports in the dynamic auto state by default.
0:26:59	This again means that they are listening for trunking negotiation
0:27:03	but they're not initiating it actively outbound.
0:27:06	So if we were to look at switch one
0:27:10	and let's say show cdp neighbors
0:27:14	we see that we have the connections to switch two
0:27:17	which are on ports 13, 14, and 15.
0:27:21	But if we show interface FastEthernet 13 trunk
0:27:26	it says that the status is not trunking.
0:27:33	This would mean either two things.
0:27:35	We can see here that our mode is auto.
0:27:38	This means that DTP is on and we are listening for the negotiation to come in.
0:27:44	Since the link is not trunking
0:27:47	this should then mean that the other side either has DTP disabled,
0:27:53	so maybe the other side is an access port,
0:27:56	or they are also running DTP in auto mode
0:28:02	which is actually the case we have here because the 3560s default to auto mode.
0:28:07	If I were to look at switch two and say show interface FastEthernet 13 switchport
0:28:14	we can see that the administrative mode, which is what we have configured, is dynamic auto.
0:28:21	But the end result of the negotiation was that we are an access port
0:28:26	because neither of the switches are initiating the negotiation.
0:28:33	So let's look at what are the variations that we can do here in order to get the trunk to actually form.
0:28:42	Okay, one would be to go to one of the switches and change the mode so that it does initiate DTP negotiation.
0:28:50	If say switchport mode dynamic desirable
0:28:59	the line protocol goes down.
0:29:02	When it comes back up we should see that DTP is now negotiated.
0:29:06	If we look at the do show interface trunk
0:29:10	we could see now FastEthernet 13 is trunking.
0:29:14	Our mode is currently desirable.
0:29:17	We have negotiated ISL encapsulation.
0:29:22	This third column here means that neither of the switches, or at least on this side,
0:29:28	have specified what the encapsulation is for the trunk.
0:29:34	So it means that they have not specified manually to use ISL or dot1q.
0:29:39	If I were to go to the other side, let's say on switch one,
0:29:43	and it changed the encapsulation on the link if we say switchport trunk encapsulation is dot1q
0:29:51	our switchport mode is still auto
0:29:55	but now we're specifying what the encapsulation has to be.
0:29:59	If we look at the show interface trunk the result of this should be that the link is trunking
0:30:06	but we have statically specified that dot1q is the encapsulation.
0:30:12	On the other side on switch two
0:30:16	if we look at the same output again
0:30:18	show interface trunk
0:30:20	they have now negotiated dot1q.
0:30:25	So what this is showing us here essentially that ISL is preferred for the negotiation
0:30:30	then it will fall back to dot1q second.
0:30:36	So here are variations where on switch one we were auto
0:30:44	on switch two we were dynamic desirable.
0:30:54	Okay, again, this was on port 13.
0:30:57	Now let's take a look at port number 14
0:31:01	and let's set this one statically to be a trunk.
0:31:04	So on switch two let's go to interface, FastEthernet, 0/14.
0:31:10	We'll say the switchport mode is trunk.
0:31:12	Okay, the switch is going to complain now.
0:31:14	It says an interface whose trunk encapsulation is auto cannot be configured to trunk mode.
0:31:20	Which basically means that if we are statically setting this link in trunking mode
0:31:24	you have to also tell the switch which encapsulation it's supposed to use.
0:31:30	So we need to specify first what is the switchport trunk encapsulation,
0:31:34	either dot1q or ISL. Okay, the default is the last one negotiated.
0:31:39	So let's say here statically we will use dot1q.
0:31:43	Now we can set the mode to be trunk.
0:31:48	The common confusion with this config
0:31:50	if we were to look at switch four's running config on the link
0:31:56	you would assume here that dynamic trunking protocol is off
0:32:00	because we manually specified the link as a trunk.
0:32:05	If I look on the other side on switch one and show run interface FastEthernet 14,
0:32:13	we could see there's no config there.
0:32:15	Okay, this means that the port is going to be in dynamic auto state.
0:32:20	If we look at show interface trunk
0:32:25	port 14 is trunking and it has negotiated dot1q.
0:32:32	The reason why is if we go to switch two
0:32:35	and look at the show interface FastEthernet 14 switchport
0:32:41	we can see that even though we manually said that this a trunk running dot1q
0:32:48	DTP is still on. So essentially this means that if we have the mode
0:32:55	the switchport mode dynamic desirable or switchport mode trunk
0:33:00	both of those run DTP and they will initiate the negotiation.
0:33:05	If we are switchport mode dynamic auto
0:33:08	we will listen for DTP negotiation but we will not start it.
0:33:15	The final result of this would mean that if we want to do the trunking negotiation, we'll say that we have device one and two,
0:33:25	we could have auto and desirable
0:33:33	we could have desirable and desirable
0:33:37	we could have auto and on, which is switchport mode trunk,
0:33:44	we could have on and on or we could have on and desirable.
0:33:49	Essentially we could have any variation except auto and auto.
0:34:00	Okay, this one is not going to work because neither of them are initiating the negotiation.
0:34:05	And we could see that if we were to look at the low level debug for DTP
0:34:09	we would see that the negotiation packets don't go out.
0:34:13	They're only going to be coming inbound.
0:34:17	Now if DTP were to be disabled
0:34:20	then a port in either auto mode or desirable mode would not be able to form a trunk link.
0:34:28	So there's a difference between the mode being on
0:34:32	and the mode being on plus DTP being off.
0:34:38	The way that we would configure this one is how?
0:34:41	This is with the switchport no negotiate command.
0:34:45	So typically there's no reason to use this option
0:34:51	if the mode of the port is access
0:34:54	or if it's a tunnel. So if it's a dot1q tunnel, DTP is automatically going to be disabled.
0:34:59	But if we say switchport mode trunk plus switchport no negotiate
0:35:05	it means that trunking is enabled but DTP is off.
0:35:11	Now the case where you would want to do this
0:35:14	is for Layer 2 high availability.
0:35:18	So let's say you have some very sensitive - some very latency sensitive application,
0:35:23	maybe voice over IP or some media application.
0:35:26	When the switches start their trunking negotiation
0:35:30	DTP is going to take some finite time in order to do the negotiation
0:35:36	regardless of how minuscule it is.
0:35:37	Maybe it's, I don't know, 10 or 20 milliseconds.
0:35:41	But if your high availability environment is to the point where you are counting on the per millisecond basis
0:35:49	then DTP would add unnecessary Layer 2 convergence time.
0:35:55	So if we were to say switchport mode trunk plus switchport no negotiate
0:36:00	on both sides, the trunk is going to form but it's not going to have to wait for DTP to run.
0:36:11	So let's look at a case for that configuration.
0:36:15	We'll say that this will be on ports 15, between switch one and switch two.
0:36:27	So both of these will say switchport mode trunk
0:36:32	and then switchport no negotiate.
0:36:36	So on switch two let's go to interface or config t first
0:36:41	Interface FastEthernet 15, switchport no negotiate,
0:36:47	okay, and it says we cannot turn DTP off if the mode is desirable.
0:36:52	It doesn't make sense because dynamic says use DTP.
0:36:57	So I would need to say switchport mode trunk
0:37:01	which then again implies that I have to know the encapsulation.
0:37:04	So let's say that the switchport trunk encapsulation is ISL.
0:37:10	So some of these configurations, as we can see, they are dependent on the order of operations.
0:37:16	Especially when we get into EtherChannel later this afternoon,
0:37:19	it's very highly susceptible to errors in the order of the commands that are entered.
0:37:26	So in this case we need to say switchport trunk encapsulation.
0:37:29	I'll set the mode then turn negotiation off.
0:37:37	So if I do show run interface FastEthernet 15
0:37:43	this is what I'm going to say exactly on the other side..
0:37:47	Only disadvantage of this configuration is now if I say show interface trunk
0:37:56	this link is in the trunking state.
0:38:00	The mode is on, the encapsulation is ISL but DTP has been disabled.
0:38:07	I can tell this by looking at the show interface FastEthernet 15 switchport.
0:38:14	It says here, what?
0:38:18	Negotiating of trunking is off.
0:38:22	So the potential issue that I now have is that switch two has forced its port to go into trunking mode.
0:38:31	Switch one though, we haven't modified it's config so if we look at show run interface FastEthernet 15,
0:38:38	this has the default options.
0:38:41	This link is running in dynamic auto mode which means that DTP is on.
0:38:46	No DTP frames came in
0:38:49	which means that if we look at the show interface FA0/15 trunk
0:39:01	here it says the status is trunking.
0:39:06	Let's try this. Let me shut the link down and then bring it back up.
0:39:10	What we should see is that switch one says this is not trunking
0:39:16	but the other side says that it is trunking.
0:39:23	And if this does show trunking, what it means is that they fixed this design problem in this version.
0:39:31	So if we show interface trunk, now it's not trunking.
0:39:34	So we are not listening for DTP negotiation to come in but the packets are not arriving.
0:39:41	The reason why is that on the other side we disabled this with no negotiate.
0:39:49	What's going to be the end result of this configuration now?
0:39:53	It means that switch two is sending trunk encapsulated frames including spanning tree to switch one.
0:40:02	Switch one is receiving them in and saying this link is not a trunk.
0:40:08	What's going to happen when switch one receives the ISL frames on the non trunking interface?
0:40:14	It's going to drop them.
0:40:16	So now there's an issue where the trunk looks like it's up on this side,
0:40:21	on switch two, we see that from the show interface trunk but in reality it's not working.
0:40:26	This is what DTP was designed to prevent.
0:40:30	So by doing the dynamic negotiation you assume that both ends of the link have to agree
0:40:35	on whether the trunk is up or down.
0:40:38	But by forcing it this way, what I did with the switchport no negotiate,
0:40:43	we're left open to the potential for some sort of Layer 2 loop
0:40:49	where one device thinks that the link is trunking, the other one doesn't
0:40:53	which means that we could have a failure in the spanning tree calculation.
0:41:00	So from switch two's perspective, it thinks that it is supposed to forward frames out that link.
0:41:04	Switch one gets them and discards them but switch two doesn't know about it.
0:41:10	So if you are going to disable DTP, you need to make sure to do it on both sides.
0:41:16	So now if we look at the result and say show interface trunk,
0:41:20	both of these devices should agree that the link is trunking.
0:41:25	An additional way that we can verify this
0:41:29	We saw that show interface switchport tells us whether dynamic trunking is on or off,
0:41:34	what the administrative mode, which is the configured mode, and then what the operational mode is, which is the result.
0:41:41	So show interface trunk, it's not really going to tell us 100% of the time whether the link is actually working or not.
0:41:47	In reality what is a better verification
0:41:50	is to look at what is the result of spanning tree on the interface.
0:41:55	If we show spanning tree on both sides
0:41:58	and the switches agree on a per VLAN or per instance basis who the root bridge is
0:42:06	then it means that bidirectional communication has been established on that link.
0:42:10	For example in this particular design,
0:42:14	what I'm going to do is essentially disable every interface on switch one
0:42:21	with the exception of this port 15.
0:42:25	So switch two, it's already dynamically formed trunk links with switch three and switch four
0:42:30	because these ones are in desirable mode
0:42:35	where switch two is in auto.
0:42:38	Okay, the reason why is that these other two platforms, switch three and switch four, these are 3550s.
0:42:45	So there's a change in some of the versions.
0:42:48	Some platforms run dynamic desirable by default; some of them run dynamic auto.
0:42:53	You don't really to memorize that just if you look at the output of the show interface switchport
0:42:58	you can tell what are all the default options on the interface.
0:43:08	So I'm going to go to switch one and basically just shut down every other interface.
0:43:12	So on switch one, let's say interface range FastEthernet 13 to 14,
0:43:20	and 16 to 21.
0:43:26	Shut those down.
0:43:28	The end result
0:43:30	should be that when we look at the show interface trunk
0:43:35	the only trunk port that's left is port 15.
0:43:39	Again, this is the one that we manually configured
0:43:42	as having DTP off so it's a static trunk link.
0:43:47	If I now look at the show spanning tree
0:43:50	for a particular VLAN instance - let's just say VLAN one,
0:43:56	switch one says that my bridge ID is this.
0:44:03	Okay, there's my priority value at 32769.
0:44:06	My address is 0019 etc.
0:44:10	The root bridge for this VLAN
0:44:14	has this priority and this particular address.
0:44:18	Now since the address doesn't match mine it means I'm not the root bridge.
0:44:23	My report is FastEthernet 15.
0:44:27	Okay, again, that's the link that is going over to switch two.
0:44:32	If switch two agrees on what the root bridge assignment is
0:44:37	then we could assume that bidirection communication has been established over the trunk.
0:44:43	So let's look at switch two and now say show spanning tree for VLAN one.
0:44:53	What I want to look at is these two values in the field.
0:44:57	So if this matches between switch one and two,
0:45:01	and it does, you can see I'm changing between the two tabs,
0:45:05	it means that the trunk is working.
0:45:10	What I could also do is go to switch one.
0:45:13	Let's say we tell the other switches that switch one is root.
0:45:16	Spanning tree, VLAN one, my priority is zero.
0:45:21	So I have the best priority in the spanning tree domain.
0:45:25	Okay? Zero is best.
0:45:28	If I look at switch one now and show spanning tree for VLAN one, I'm the root.
0:45:36	If switch two now says that this priority value with this address is the root bridge
0:45:45	we're not guaranteed that the trunk is working.
0:45:51	So the key point behind this
0:45:54	is that you may not need to verify all the individual steps along the way
0:46:00	if you can verify what the final result is.
0:46:03	The final result in this case is that the link is trunking - it's running that particular instance of spanning tree.
0:46:09	If we were to look at the show spanning tree interface FastEthernet 15
0:46:14	this would also tell us what are the other instances that are running.
0:46:18	So let's say, for example, that we create VLANs two through ten
0:46:24	on both of these switches.
0:46:27	So VLANS two through ten.
0:46:35	Then on switch one we say show spanning tree interface FastEthernet 15.
0:46:42	Eventually all of these VLANs should go into the forwarding state
0:46:46	and the root bridge election should be identical for all nine of them.
0:46:53	The reason why is that no one has modified any of the priority values for VLANs two through ten.
0:47:00	So whoever is the root bridge for VLAN two, it's going to be the root bridge for VLANS three through ten.
0:47:06	If we show spanning tree VLAN two, I'm the root.
0:47:12	If switch two agrees on this, show spanning tree VLAN two,
0:47:18	so zero zero one nine fifty-five F8
0:47:22	that's the MAC address of switch two, or excuse me, of switch one,
0:47:28	So now we're guaranteeing that the trunk is actually functional.

Now Viewing

CCIE R&S Advanced Technologies Class v4.5
Title:	CCIE R&S Advanced Technologies Class v4.5
Duration:	81h 02m
The CCIE Routing & Switching Advanced Technologies Class is the first step in understanding CCIE level technologies and is a companion to the Advanced Technologies Lab Workbook. Each technology you need to know for the CCIE Routing & Switching lab will be described in detail using an instructor led hands on demonstration. The class consists of over 80 hours of in depth explanations and examples.
Get instant access to our entire library!
	Sign Up
Download this Course
$299.00	Add to Cart

Ethernet Overview, Layer 2 Switchports, Trunk...

Create Bookmark