CCIE Routing & Switching Advanced Technologies Class - VTP Prune Eligible List, VTP Transparent, VTP Troubleshooting, Trunk Allowed List, Extended VLANs

Transcript

1	Introduction	0h 43m
2	Using the Cisco Documentation	0h 52m
3	Ethernet Overview, Layer 2 Switchports, Trunking, ISL, 802.1q, DTP	0h 47m
4	VTP, VTP Authentication, VTP Pruning	1h 02m
5	VTP Prune Eligible List, VTP Transparent, VTP Troubleshooting, Trunk Allowed List, Extended VLANs	0h 48m
6	VLAN and VTP Review	0h 19m
7	SVIs, Native Routed Interfaces, Router-on-a-Stick	0h 46m
8	Layer 2 EtherChannel, EtherChannel Load Balancing, Layer 3 EtherChannel	0h 57m
9	802.1q Tunneling, Layer 2 Protocol Tunneling, EtherChannel over 802.1q Tunneling	1h 03m
10	STP Root Bridge Election, STP Root Port Election, STP Designated Port Election, STP Priority, STP Cost, STP Port-Priority	1h 46m
11	STP Review	0h 12m
12	STP Timers, STP PortFast	0h 34m
13	STP UplinkFast	0h 11m
14	STP BackboneFast	0h 12m
15	STP BPDU Filter	0h 13m
16	STP BPDU Guard	0h 11m
17	STP Root Guard	0h 11m
18	STP Loop Guard, Unidirectional Link Detection (UDLD)	0h 11m
19	Multiple Spanning-Tree Protocol (MST)	0h 40m
20	Rapid Spanning-Tree Protocol (RSTP), Rapid-PVST	0h 18m
21	MST with Multiple Regions	0h 33m
22	Flex Links	0h 16m
23	Frame Relay	0h 39m
24	Frame Relay Configuration Part 1	0h 34m
25	Frame Relay Configuration Part 2	0h 41m
26	Frame Relay Switching	0h 27m
27	Back-to-Back Frame Relay	0h 08m
28	Frame-Relay End-to-End Keepalives	0h 18m
29	PPP, PPP PAP Authentication, PPP CHAP Authentication	0h 59m
30	PPPoFR, PPPoE	0h 40m
31	Transparent Bridging, IRB	0h 32m
32	Fallback Bridging	0h 14m
33	IP Routing Overview, Switching Paths, Static Routing	0h 42m
34	Static Routing Examples	0h 25m
35	IP Default-Gateway, IP Default-Network	0h 14m
36	On-Demand Routing (ODR)	0h 07m
37	Floating Static Routes	0h 10m
38	Backup Interface	0h 29m
39	Enhanced Object Tracking, IP SLA, Reliable Static Routing	0h 21m
40	Policy Routing	0h 43m
41	GRE Tunneling, GRE Recursive Routing Errors	0h 27m
42	Reliable Backup Interface with GRE	0h 25m
43	RIP Overview, RIP Versions, RIP Auto-Summary	0h 48m
44	RIP Split-Horizon, RIP Timers	0h 22m
45	RIP Broadcast Updates, IP Directed Broadcast, IP Broadcast-Address, Smurf Attacks, Fraggle Attacks	0h 16m
46	RIP Unicast Updates	0h 03m
47	RIP Offset-List	0h 18m
48	RIP Authentication	0h 11m
49	RIP Summarization	0h 10m
50	Prefix-Lists, RIP Distribute-List Filtering, RIP Administrative Distance Filtering	0h 48m
51	RIP Default Routing, RIP Conditional Default Routing	0h 18m
52	RIP Triggered, RIP Validate Update Source,	0h 12m
53	EIGRP Overview	0h 29m
54	EIGRP Auto-Summary	0h 07m
55	EIGRP Split-Horizon	0h 11m
56	EIGRP Update Types, EIGRP Neighbor, EIGRP Passive-Interface	0h 24m
57	EIGRP Hello-Interval, EIGRP Hold-Time	0h 05m
58	EIGRP Authentication	0h 11m
59	EIGRP Time Based Authentication	0h 25m
60	EIGRP Path Selection, EIGRP Metric Weights, EIGRP Traffic Engineering	0h 47m
61	EIGRP Unequal Cost Load Balancing, EIGRP Variance	0h 19m
62	EIGRP QUERY, EIGRP Summarization, EIGRP Leak-Map	0h 28m
63	EIGRP Stub Router Advertisement	0h 22m
64	EIGRP Default Routing	0h 13m
65	EIGRP Route Filtering	0h 11m
66	EIGRP Router-ID	0h 07m
67	Miscellaneous EIGRP Features	0h 02m
68	OSPF Overview	0h 27m
69	Establishing OSPF Adjacencies, Understanding the OSPF Database	0h 43m
70	OSPF Network Type Broadcast, OSPF DR/BDR Election, OSPF over NBMA, OSPF Network Type Non-Broadcast and Point-to-Multipoint	0h 56m
71	OSPF Network Type Point-to-Point, OSPF Network Type Mismatch	0h 13m
72	OSPF Network Type Point-to-Multipoint Non-Broadcast, OSPF Per Neighbor Cost	0h 17m
73	OSPF Network Type Loopback	0h 02m
74	OSPF Path Selection	0h 27m
75	OSPF Convergence Timers	0h 09m
76	OSPF Authentication	0h 12m
77	OSPF Summarization	0h 32m
78	OSPF Stub Areas, OSPF Totally Stubby Areas, OSPF NSSAs, OSPF Totally NSSAs	0h 40m
79	Controlling OSPF NSSA Redistribution	0h 02m
80	OSPF Type 7 to 5 Translator Election, OSPF LSA Type 3 Filter, OSPF Forwarding Address Suppression	0h 24m
81	Route Redistribution Overview	0h 36m
82	Route Redistribution Configuration & Verification, Connected Redistribution	0h 22m
83	OSPF External Path Selection, TCL PING Scripting	0h 33m
84	Routing Loops Overview, EIGRP Route Loop Prevention	0h 55m
85	Metric Based Routing Loops, Route Tagging	0h 46m
86	Administrative Distance Based Routing Loops, Debug IP Routing, IP Route Profile	0h 58m
87	BGP Overview, BGP Peering Types	0h 51m
88	Establishing BGP Peerings, EBGP Multihop, BGP Neighbor Disable Connected Check, BGP TTL Security	0h 49m
89	BGP 4-Byte ASNs	0h 20m
90	BGP Local AS, BGP Peer Groups	0h 30m
91	BGP Next-Hop Self, BGP Next-Hop Processing	0h 30m
92	BGP Route Reflectors	0h 37m
93	Large Scale BGP Route Reflectors with Clusters	0h 34m
94	BGP Confederation	0h 37m
95	BGP NLRI Advertisements, BGP Network Statement, BGP Redistribution	0h 43m
96	BGP Aggregation, BGP Aggregation & Summary-Only, BGP Aggregation & Unsuppress-Map	0h 46m
97	BGP Origin, BGP Aggregation & AS-Set, BGP Aggregation & Advertise-Map	0h 22m
98	BGP Conditional Route Injection	0h 21m
99	BGP Bestpath Selection, BGP Multipath, BGP Weight	0h 53m
100	BGP Local Preference, BGP Local Preference and Communities, BGP AS-Path Prepending,	0h 30m
101	BGP MED, BGP MED Missing As Worst, BGP Deterministic MED	0h 34m
102	BGP Communites, BGP Regular Expressions	0h 43m
103	BGP Filtering, BGP Convergence Timers, BGP Default Routing, Miscellaneous BGP Features	0h 24m
104	MPLS Overview, MPLS Label Distribution Protocol (LDP)	1h 05m
105	MPLS Tunnels, MPLS Penultimate Hop Popping (PHP)	0h 40m
106	MPLS Layer 3 VPNs Overview, VRF Lite	0h 36m
107	MPLS Layer 3 VPNs and VPNv4 BGP	1h 08m
108	MPLS Layer 3 VPN Verification & Troubleshooting	0h 49m
109	MPLS Layer 3 VPN OSPF PE-CE Routing Overview	0h 06m
110	MPLS Layer 3 VPN OSPF PE-CE Routing Path Selection & Sham-Links	2h 01m
111	MPLS Layer 3 VPN OSPF PE-CE Routing Loop Prevention & Down-Bit, OSPF Capability VRF-Lite	0h 40m
112	IPv6 Overview, IPv6 ICMPv6 ND, IPv6 over NBMA	0h 44m
113	IPv6 Routing Overview, IPv6 Static Routing	0h 28m
114	IPv6 RIPng	0h 20m
115	IPv6 EIGRPv6	0h 09m
116	IPv6 OSPFv3	0h 31m
117	MP-BGP for IPv6	0h 26m
118	IPv6 Tunneling	1h 13m
119	Multicast Overview, IGMP	0h 34m
120	PIM Overview	0h 18m
121	PIM Dense Mode	1h 03m
122	PIM Sparse Mode	0h 30m
123	PIM Sparse Mode Configuration	0h 36m
124	PIM Sparse Mode RPF & RP Troubleshooting	0h 27m
125	Auto-RP, Multicast over GRE Tunnels	0h 53m
126	Bootstrap Router (BSR), Bidirectional PIM, Source Specific Multicast (SSM)	0h 40m
127	MSDP, Anycast RP	0h 27m
128	IPv6 Multicast Routing	0h 24m
129	QoS Overview, IntServ QoS, DiffServ QoS, IP Precedence, DSCP, MQC, HQF	0h 41m
130	MQC Classification	0h 44m
131	FIFO, FQ, WFQ, CBWFQ, HQF	0h 50m
132	LLQ	0h 23m
133	WRED	0h 31m
134	Traffic Shaping, Traffic Policing	0h 40m
135	Frame Relay Traffic Shaping (FRTS)	0h 33m
136	RSVP	0h 07m
137	Catalyst 3560 QoS	1h 00m
138	IOS Security Overview, Access Lists (ACLs)	0h 58m
139	Time Based ACLs, Dynamic ACLs	0h 33m
140	Reflexive ACLs	0h 21m
141	TCP Intercept, Content Based Access Control (CBAC)	0h 34m
142	Zone Based Policy Firewall (ZBPF)	1h 09m
143	AAA, Local Authentication, Local Authorization, Role Based CLI Access	0h 43m
144	Port Security, Static CAM Entries, Storm Control, 802.1X Authentication, PACLs, RACLs, VLAN Access Maps (VACLs)	0h 48m
145	DHCP Snooping, Dynamic ARP Inspection (DAI), IP Source Guard	0h 12m
146	Protected Ports, Private VLANs	0h 25m
147	IP Services Overview, HSRP	1h 10m
148	VRRP, GLBP	0h 28m
149	NAT	0h 42m
150	DHCP, DNS	0h 30m
151	NetFlow	0h 09m
152	WCCP, Miscellaneous IP Services	0h 06m
153	System Management Overview, NTP, NTP Authentication	0h 24m
154	SNMP, RMON	0h 38m
155	Syslog, Telnet, SSH, Banners	0h 21m
156	EEM Scripting, Miscellaneous System Management	0h 26m
Total Duration		81h 59m

Slides - Diagrams

Slides - Introduction

Slides - Ethernet Switching

Slides - Advanced Ethernet Switching

Slides - Frame Relay

Slides - PPP

Slides - Transport Bridging

Slides - Redistribution

Slides - IOS Security

Slides - Layer 2 Security

Slides - IP Services

Slides - System Management

0:00:12	So continuing our discussion of VTP pruning here
0:00:15	we saw that between the four switches when we had the
0:00:19	the trunk links configured in serial
0:00:22	and switch three had
0:00:27	VLAN twenty assigned,
0:00:30	switch one had VLAN 10,
0:00:33	switch two had VLAN twenty,
0:00:38	and switch four had VLAN ten, that the end result
0:00:40	was that from switch three
0:00:43	VLAN twenty would be forwarded to switch one
0:00:45	switch one would send it to switch two
0:00:47	but switch two would not forward this down to switch four.
0:00:51	The reason why is that switch four doesn't have any ports assigned in VLAN twenty
0:00:55	so it's not optimal to forward those frames out this particular port.
0:01:00	Likewise on the other way back
0:01:03	VLAN ten is not forwarded on switch one out towards switch three.
0:01:09	The advantage of doing this with pruning
0:01:11	is that's it's dynamic in the case that new VLANs are added
0:01:15	or new VLAN assignments are created at a later point.
0:01:20	Now the next option that we can set with VTP pruning
0:01:24	is what particular VLANs are allowed to be pruned or what is known as prune eligible.
0:01:32	By default all standard VLANs, which are 2 to 1001,
0:01:37	are in the prune eligible list.
0:01:39	So this means that pruning messages can be sent for them and pruning message can be received for them.
0:01:47	Now it's an important point to note here that when you compare the pruning list
0:01:52	versus the trunk allowed list
0:01:55	they actually accomplish the exact opposite things.
0:02:00	Where the prune eligible list
0:02:02	says that if a VLAN is not in the list
0:02:06	it must be forwarded.
0:02:10	Where the trunking allowed list
0:02:13	says that if a VLAN is not in the allowed list it cannot be forwarded.
0:02:19	The pruning list, since it includes everything by default,
0:02:22	it means that any VLAN can be removed
0:02:25	with the exception of the default VLAN one.
0:02:28	So VLAN one cannot be removed when you're doing VTP pruning.
0:02:31	Could be removed if you manually tried to do this with the trunking allowed list.
0:02:37	Now when we look at either the show interface switchport or the show interface
0:02:41	pruning, or excuse me, the show interface
0:02:47	I believe actually just show interface switchport is going to show the list.
0:02:52	If we look at on switch one, let's say show interface FastEthernet thirteen switchport,
0:03:01	where the pruning list is
0:03:05	down here. So notice the first one here it says the
0:03:11	the trunking
0:03:13	VLANs enabled, this is the
0:03:15	the trunk allowed list
0:03:18	where the second one is the pruned eligible list.
0:03:22	So since all standard VLANs are in this, 2 to 1001,
0:03:26	it means that we can remove these off of the trunk links
0:03:29	if we don't have anyone that's actually forwarding that traffic.
0:03:33	So let's say for example
0:03:35	that we had a bunch of new VLANs on one of the servers. So let's say on switch one
0:03:41	we add VLANs 50, 60,
0:03:45	70, 80, 90,100.
0:03:51	Okay, then on switch four
0:03:54	I'm going to assign
0:03:56	one of these. Let's say show interface status
0:04:03	and I'll do this on
0:04:07	let's say FastEthernet six. So switchport access VLAN sixty.
0:04:14	Okay, FastEthernet six on switch four
0:04:17	connects to router six's FA zero slash one so I need to bring that up.
0:04:25	Once this VLAN is assigned and it goes into the spanning tree forwarding state
0:04:30	if I were to look at any switch that is in the transit path for that VLAN
0:04:35	and look at the show interface trunk
0:04:39	I should see now that in
0:04:46	this direction
0:04:50	VLAN sixty
0:04:53	needs to be forwarded
0:04:55	because switch four's requesting it of two.
0:04:57	Two is telling one that it is in the transit path and likewise one is telling switch three that it is in the transit path.
0:05:04	The other ones though, 70, 80, 90, 100, those are not going to be forwarded on any of the links
0:05:09	because no one actually has those assigned.
0:05:12	So on switch one let's look at show interface trunk.
0:05:14	We can see now VLAN sixty is updated there.
0:05:17	So the pruning is automatically accounting for new VLANs that are assigned.
0:05:22	Now if I were to remove from the prune eligible list
0:05:28	on switch two
0:05:31	towards switch one
0:05:34	I'm going to remove
0:05:37	seventy.
0:05:40	What should be the effect here
0:05:43	if on switch two we say that on this particular interface seventy cannot be pruned?
0:05:51	Does it mean that we are going to send seventy or we are going to receive seventy?
0:05:57	So let's take a look at it. Let's go to switch two
0:06:00	and on port thirteen
0:06:03	we'll say the switchport
0:06:05	trunk pruning
0:06:10	the pre VLANs I'm going to remove VLAN seventy.
0:06:16	So these operators
0:06:17	add, accept, none remove, or just the VLAN numbers
0:06:21	they all essentially accomplish the same thing
0:06:24	just depends on what numbers you're trying to add or remove.
0:06:27	So if there's only one VLAN that you want prune eligible
0:06:32	I could say that
0:06:36	or excuse me, one VLAN that you do not want prune eligible, I could say all of them except this.
0:06:41	I could set it to none and then add one back.
0:06:45	The final result is always going to be seen in the running config
0:06:49	what particular values are allowed.
0:06:52	So by me saying remove seventy it's the same as saying
0:06:55	two to sixty-nine and seventy-one to one thousand one.
0:06:59	So if we look at the show interface trunk
0:07:03	we can see seventy is now not pruned
0:07:07	on FastEthernet thirteen.
0:07:08	So it means that seventy must be forwarded out that link.
0:07:12	Likewise if we look at switch one
0:07:16	it means that seventy must be received in the link from switch two's perspective.
0:07:21	So in both directions seventy cannot be pruned.
0:07:26	If switch one
0:07:28	was told by switch two that seventy must be included
0:07:33	then this should also imply
0:07:35	that on switch three
0:07:39	that seventy now needs to be included down here.
0:07:43	So switch one is basically saying I'm in the transit path for seventy.
0:07:47	You need to add that to your trunking list as the frames go out.
0:07:54	So removing a VLAN from the prune eligible list
0:07:58	is going to affect both directions.
0:08:01	So switch two it means that we're sending it out and we're receiving it in.
0:08:05	Then on switch one it means that we're telling switch three I must receive that VLAN.
0:08:11	Okay, if we look at switch one again and look at the show interface trunk
0:08:15	I'm not forwarding seventy
0:08:18	in this direction.
0:08:21	I'm only forwarding seventy over to switch two.
0:08:27	So you could see even with just four switches the topology can get kind of confusing
0:08:31	what trunk links are actually forwarding which VLANs.
0:08:35	This is why pruning is
0:08:37	really the preferred solution to do the
0:08:41	the management of what VLANs are on the trunks because it's going to do it automatically.
0:08:46	Okay, we can do it manually and we'll see next there are some particular reasons
0:08:50	why you must do it manually
0:08:53	in an individual design.
0:08:55	So any other questions up to this point
0:08:58	about the
0:09:00	VTP pruning?
0:09:06	There's a question - can a manual allowed override what is pruned?
0:09:12	It would actually be the opposite of that so
0:09:17	making it not allowed
0:09:21	would force it to not be pruned.
0:09:25	Okay? Which is kind of confusing because the logic is backwards of it.
0:09:29	So again, I'm saying on switch two here
0:09:32	that
0:09:36	VLAN seventy cannot be pruned
0:09:40	which in turn means that I must receive the traffic for it.
0:09:45	So removing it from the prune eligible list means that it has to be forwarded.
0:09:49	Whereas with the trunk allowed list, if you remove it from the trunk list it means it will not be forwarded.
0:09:59	So now we have a couple problems
0:10:02	when we're dealing with VTP pruning.
0:10:04	Okay, first and foremost what happens if not all of the devices in the network support pruning?
0:10:11	This could definitely be a problem because CTP is Cisco proprietary.
0:10:15	So it means that if you have other vendor's switches that are in the transit path for your Cisco VTP,
0:10:21	there's going to be some problems with the advertisements of the VLANs.
0:10:26	So usually if you have a mixed vendor environment you cannot run VTP to begin with.
0:10:30	On the Cisco switches you would just put everyone in transparent mode
0:10:34	and then manually make sure that the VLAN numbers match.
0:10:38	Okay, realistically in today's networks, you're Layer 2 network
0:10:42	really shouldn't be that big to begin with.
0:10:46	So you should have Layer 3 segmentation or even routing down to the access layer
0:10:51	in which case you wouldn't even need to worry about the VLANs.
0:10:55	But assuming you did have a large Layer 2 network then the VLAN management could potentially be an issue.
0:11:02	So one issue is that it's not going to be supported on the other switches
0:11:06	but what happens when you send
0:11:09	the pruning requests out
0:11:13	and you do not get a reply back in?
0:11:18	Now one way that we could simulate this
0:11:22	is to do trunking to one of the routers.
0:11:26	So let's say on
0:11:32	and let me draw out the assignments again here. So switch three has
0:11:36	twenty. Switch one has ten.
0:11:40	Switch two has twenty
0:11:43	but it also removed seventy from the allowed list
0:11:48	and switch four has ten and sixty.
0:11:55	So now let's say on switch three
0:11:59	we have some trunk link that is going to a device that doesn't run VTP.
0:12:04	I'm going to simulate this here by doing router on a stick. We'll say this goes to router three
0:12:10	and that this is going to be a trunk.
0:12:13	Another common case for this in a real design
0:12:17	would be if you're trunking to a server.
0:12:20	So maybe you have some VMware machine that you're running a soft switch on
0:12:25	and from the Layer 2 switches you need to forward multiple VLANs down to it.
0:12:30	No if VMware doesn't support VTP
0:12:34	then there's going to be a problem if you are trying to do VTP pruning.
0:12:39	So if it doesn't support VTP it's not going to affect just the advertisement of the VLANs.
0:12:43	This is only specific to when we are running VTP and pruning at the same time.
0:12:48	So let's go over to switch three
0:12:52	and technically on switch three, or excuse me, router three
0:12:57	technically router three we don't even need to do anything
0:13:01	because router three is not part of the trunking negotiation so let's just assume that router three is configured with
0:13:06	sub-interfaces for trunking.
0:13:08	What I am going to do though on the switch side
0:13:12	is that here
0:13:16	oh, that's the VLAN twenty, actually let me do this on
0:13:21	let's see, do show run interface FA zero five, yeah, let me do this on five.
0:13:28	So instead of router three that's five.
0:13:30	Okay, this is still a trunk.
0:13:32	This is FA zero slash five on switch three.
0:13:36	So on switch three we'll go to interface FA zero five
0:13:40	say switchport trunk encapsulation is dot1q, the switchport mode is trunk.
0:13:46	Since this is a trunk link
0:13:48	we should be running VTP on it.
0:13:51	If we look at the show interface FastEthernet five pruning
0:13:56	and compare this to the show interface FastEthernet
0:13:59	or show actually spanning tree
0:14:04	interface FA zero slash five
0:14:10	this link, this link must be shut down.
0:14:25	So we see all the VLANs are in listening state.
0:14:32	If we look at the pruning right now we are not
0:14:42	pruning anything to them. Okay? We have to actually wait until spanning tree starts forwarding.
0:14:46	So we now progress to the learning state.
0:14:52	And now we're at forwarding. Okay, so let's look at the show interface pruning.
0:14:57	It says VLAN traffic requested of the neighbor.
0:15:01	This means that switch three
0:15:04	is telling router five
0:15:07	if you were to support pruning
0:15:09	I need VLANs
0:15:12	one, ten, twenty,
0:15:15	forty, sixty, and seventy.
0:15:19	Because switch three either has these numbers assigned or it is somewhere in the transit path for them.
0:15:26	Okay, that's what I sent the request out for.
0:15:31	But if we look at the top output it says VLAN pruned
0:15:35	for lack of request by the neighbor.
0:15:39	This would be what router five is not asking for inbound.
0:15:47	And in this case it is nothing.
0:15:49	Okay? It is not asking for nothing.
0:15:51	So again it's a double negative here with the pruning.
0:15:55	So what do you think is going to be the result here if switch three sends the pruning request out to five
0:16:02	but since five doesn't run VTP, no response can be sent.
0:16:08	What's the final result of the VLANs then?
0:16:16	Switch three is now going to tell switch one
0:16:22	I essentially need everything.
0:16:25	So all the way up to one hundred.
0:16:28	Because switch three cannot guarantee
0:16:30	that router five does not need VLAN eighty or that it doesn't need VLAN ninety
0:16:35	because the request went out, it received no response back in,
0:16:39	so there's no way to tell router five does not need those numbers.
0:16:43	The end result of this, if we were to look at
0:16:46	let's say switch two, and we'll look at this port nineteen.
0:16:52	On switch two if we show
0:16:57	interface trunk and we look at nineteen
0:17:03	or actually, excuse me, it's the other way around.
0:17:05	It would be for the forwarding that way.
0:17:09	So it's going to be in this direction.
0:17:13	Switch two now says everything has to go that way.
0:17:19	Then likewise switch four is going to say everything has to go toward switch two.
0:17:24	So we show interface trunk
0:17:26	we see everything has to go to switch two.
0:17:33	Therefore the problem with this
0:17:35	is that if you are running VTP pruning
0:17:38	and you have any trunk link in the network, doesn't matter where it is,
0:17:42	that on the other end the device does not support VTP pruning
0:17:47	if means it's going to automatically undo anything that pruning tried to fix.
0:17:52	At least in a uni-directional fashion
0:17:54	because remember the trunk allowed lists
0:17:58	they're independent of each other on each side.
0:18:00	So what I'm forwarding to you doesn't necessarily have to be the same as what you are forwarding back to me.
0:18:10	So how could we fix this now? We know the problem is that five is not running VTP.
0:18:14	There's no way that we can change that. It's particular IOS is not going to support that.
0:18:19	So how can we tell switch three
0:18:23	that router five doesn't need those VLANs?
0:18:25	Let's assume that router five only needed VLAN fifty.
0:18:32	Okay, it didn't need the other ones which are eighty and ninety and one hundred.
0:18:36	We want to say router five really only needs VLAN fifty.
0:18:44	So what we'll do
0:18:46	is edit the allowed list
0:18:49	on switch three's link over to router five.
0:18:54	So if we say on FastEthernet five the switchport trunk allowed list
0:19:00	is going to
0:19:02	have just VLAN
0:19:04	what did I say there? Just VLAN fifty.
0:19:12	So now if we look at the pruning
0:19:17	now all of the other VLANs can be pruned.
0:19:29	If we look at the result of this on switch four
0:19:34	see previously it was forwarding all of the VLANs to switch two.
0:19:39	Once spanning tree is converged
0:19:42	we should see that these are going to change, that we would not need
0:19:47	at least eighty, ninety, and one hundred
0:19:54	and there we can see it.
0:19:56	So likewise, sixty was removed because no one had sixty assigned.
0:20:05	Now technically you would always want to do this anyways. If you had some sort of
0:20:11	server that you were trunking to
0:20:13	you would only want to send it the particular VLANs that it needed to encapsulate.
0:20:18	So if we know that router five, maybe it needs just fifty and one hundred,
0:20:22	there's no reason that we would send the other VLANs to it
0:20:26	because it means it's going to receive a lot of broadcasts
0:20:29	and unknown unicasts or multicasts
0:20:33	that are not included in any segment that it wants.
0:20:37	So router five would receive those frames inbound and then just drop them
0:20:41	because it didn't have a tag value associated with it.
0:20:48	Okay, I see a couple of people have their hands raised here.
0:20:51	If you have questions just feel free and go ahead and ask them.
0:20:53	You don't need to raise your hand before you ask anything.
0:21:01	So again, the key with this example is that with pruning
0:21:06	if some device in the network does not support pruning and you are trunking to them
0:21:10	it's basically going to undo all of your previous
0:21:16	optimization. Okay? So that's the first problem - if devices don't support pruning then it's going to undo it.
0:21:25	Okay, next, what if devices don't agree on the VTP revision number?
0:21:36	I'm not sure why I would have put that there. That would be just the
0:21:41	if the network is not converged.
0:21:47	What if devices don't agree on the VTP revision number?
0:21:51	Oh, okay. Now I remember where I was going with this.
0:21:53	That's not actually a pruning problem. That's just a VTP problem.
0:21:57	One of the other issues you could run into with VTP
0:22:01	is that if you have someone that is not
0:22:06	that does not have the accurate copy of the database
0:22:10	but for some reason has a higher revision number
0:22:13	it can essentially poison
0:22:16	the legitimate database.
0:22:19	So let's say for example that
0:22:23	switch four
0:22:33	that switch four is supposed to be just a client.
0:22:40	So switch four is a client.
0:22:44	Switch three is the server.
0:22:47	And the revision number
0:22:49	is let's say it's just one.
0:22:51	Okay, so there's only been one update to the database.
0:22:55	At this point, everyone should agree that the revision number is one.
0:23:03	Switch four says the same thing, revision number is one.
0:23:06	Now if switch four is disconnected from the network
0:23:10	and for some reason the revision number increments,
0:23:13	let's say someone changes it from client to server
0:23:16	the revision number goes to two
0:23:19	then changes them back to client
0:23:23	even though this device is not a server
0:23:26	it will generate the updates out this way with a revision number of two
0:23:31	and essentially overwrite the database of anyone else in the network.
0:23:36	So this is not a pruning problem. This is just inherent to VTP.
0:23:39	Whoever has the highest revision number
0:23:41	is always assumed to have the current copy of the database.
0:23:46	So that means that if you're not doing authentication
0:23:49	that anybody can just override the whole entire topology.
0:23:54	So it's a very easy attack to implement on
0:23:58	a network that is running VTP
0:24:00	that if you see they don't run authentication
0:24:03	you just send a blank update with a higher revision number and it basically deletes all of the VLANs that any of the switches have.
0:24:12	There's a question - even if the domain is different? Not if the domain is different.
0:24:17	But remember the update contains the domain anyways.
0:24:21	So if I'm an end host that's trying to attack the network
0:24:25	when I receive the VTP packets from the switch
0:24:30	I'm already going to know what the revision number, or what their domain name is
0:24:36	and what their revision number is.
0:24:38	So if I create a packet that has the same domain and a higher revision number
0:24:43	the potentially I can override whatever information they have.
0:24:47	So really the solution for this is just to run transparent mode everywhere
0:24:53	and then you wouldn't have this threat of someone overriding the database.
0:24:56	Okay, the problem with that though, if you run transparent mode everywhere
0:25:00	it means that you cannot run VTP pruning.
0:25:04	So pruning is only going to be supported if no one is in transparent mode anywhere in the network.
0:25:12	Okay, and we'll look at a design case here now where if you were to insert someone that is transparent mode
0:25:19	you can break the topology and it's a very difficult problem to troubleshoot.
0:25:33	So let's look back at our
0:25:38	topology here. Let's now assume that switch three is going to be there server,
0:25:48	that switch two and four are clients,
0:25:55	and switch one is in transparent mode.
0:26:01	Okay, we'll do a couple of examples talking about just transparent mode in general and then
0:26:05	the final one will be the pruning before we move on to other topics.
0:26:10	So first and foremost, let's go to the switches and set their new roles.
0:26:15	So switch one is going to be transparent. Let's say VTP transparent or VTP mode transparent.
0:26:25	Switch three is the server. Two and four are going to be the clients so VTP mode client
0:26:32	and on switch four VTP mode client.
0:26:39	If we look at the transparent switch which is switch one and look at the show VTP status
0:26:46	we can tell that it's transparent because the revision number is zero and it says that the operating mode is transparent.
0:26:53	This should now mean that if an update occurs anywhere else in the database
0:26:59	that it is not going to affect switch ones VLAN information.
0:27:07	So if I were to go to the server
0:27:09	which in this case is switch three
0:27:13	and create VLAN 999
0:27:17	ideally if the network is configured properly
0:27:21	this new 999 update should go from switch three to the transparent switch.
0:27:28	Switch one should forward it on without modifying it
0:27:33	and switch two and four should install this.
0:27:39	So we want to make sure can the transparent mode switch actually just forward the frames through
0:27:44	without dropping them or modifying them.
0:27:48	We created the VLAN 999. We know switch ones not going to receive this if we show
0:27:56	show VLAN brief include 999.
0:28:00	Okay, switch ones definitely not going to have that because it is in transparent mode but ideally switch two
0:28:07	and switch four will, which they do.
0:28:11	So this means the transparent switch is doing what it is supposed to.
0:28:13	It's receiving the updates, not installing them, but it continues to forward them on.
0:28:21	This then assumes that switch one is in the same VTP domain.
0:28:27	If I were to change the domain, if I say the domain is XYZ,
0:28:38	then create a new VLAN,
0:28:44	on switch three, let's say VLAN 998,
0:28:50	and we could see additionally we now get a log message from DTP.
0:28:54	It says we're unable to perform trunking negotiation because of a VTP domain mismatch.
0:29:01	This means dynamic trunking protocol is going to try to prevent this problem before it occurs.
0:29:06	If you want to include transparent switches in the network they should share the same domain name with everybody else.
0:29:14	If they don't, then we could run into some weird problems which we'll see next.
0:29:22	Now I could get rid of this error message by disabling DTP.
0:29:28	If I ran every link as a static trunk that's going to solve the log but it's still not going to solve the underlying problem
0:29:34	that when switch one receives and update that has a different domain than itself
0:29:41	it's going to drop this. Its not going to pass it on.
0:29:46	So the main idea of the transparent switch is that it will pass it on
0:29:50	but not install it locally. The key being that's actually only going to happen if
0:29:59	if the domain name is matched.
0:30:02	Okay, so on switch one let's change the domain back to the one that does match.
0:30:08	VTP domain ABC.
0:30:12	Now if you look at the documentation for this
0:30:18	let's go to the 3560 configuration guide, then to configuring VTP.
0:30:26	And let's look at the VTP versions.
0:30:38	It says in VTP version two, it supports these features that are not in version one.
0:30:44	Okay, first and foremost there's token ring support for the token ring VLANs which would be
0:30:50	the 1002 and actually it could be any number that we are creating
0:30:56	which in this case is legacy so we don't need to worry about the token ring support.
0:31:01	The one that is really important, it says
0:31:08	in VTP version one a transparent switch inspects the messages for the domain name and version
0:31:12	and forwards a message only if the version and domain name match.
0:31:16	Because version two supports only one domain. It forwards VTP messages
0:31:21	in transparent mode without inspecting the version and domain name.
0:31:27	So ideally this means that it doesn't care about the domain name mismatch.
0:31:32	It's supposed to allow the updates to go on regardless.
0:31:39	As far I've seen on these platforms either this is misdocumented or it's a bug.
0:31:45	So if you actually set up the switch that's in the transit path, switch one in this case,
0:31:52	if we set it to be VTP version two and in a different domain
0:31:58	it's still not going to pass the updates on between the interfaces.
0:32:03	So the only case where this particular version will pass the updates on the transparent switch is if the domain name does match.
0:32:14	Okay, now let's look at the case where we are running VTP pruning.
0:32:21	And let's look at what are the particular VLANs
0:32:25	that we have assigned again. Okay, we're going to make this a little bit
0:32:32	less complicated. I'm going to delete some of the other VLANs that we
0:32:36	that we do not need. So let's look at
0:32:41	the show VLAN brief.
0:32:51	Switch one has
0:32:56	VLAN ten assigned.
0:33:00	Okay, switch one has ten.
0:33:03	Switch four also has ten, switch two has twenty, switch three has twenty.
0:33:10	I'm just going to delete all the other ones for simplicity so we only have two VLAN numbers that we are dealing with.
0:33:16	So on the server which is switch three
0:33:20	I'll say no VLAN 2 to 1001, which is everything.
0:33:28	Then I'll recreate VLANs ten and twenty.
0:33:32	So those are the only two that I want. On the transparent switch I'll do the same thing.
0:33:36	So it will simplify the topology.
0:33:47	On switch three also I am going to turn VTP pruning off.
0:33:54	So at this point once the network converges, so once spanning tree is done,
0:33:59	I should be able to go to router one and ping router four
0:34:07	and router two should be able to ping router three.
0:34:13	So these are the devices again in VLAN ten and twenty respectively.
0:34:23	So VLAN twenty is working and VLAN ten is working.
0:34:25	Okay, so everything is good. Now let's turn on VTP pruning.
0:34:36	Let's look at the result of the show interfaces pruning.
0:34:44	And let me...actually let me shut down that link
0:34:49	that goes to router five or I'll just default it. We'll say default interface FastEthernet five.
0:35:24	Okay, on switch three now
0:35:26	it says traffic requested of the neighbor is one and twenty.
0:35:34	This is what switch three is telling switch one that I need.
0:35:39	So this means in this direction, outbound on switch one, we should have one and twenty forwarding.
0:35:48	On switch three
0:35:51	it should ideally be forwarding one, ten, and twenty
0:35:56	because the twenty traffic needs to go from here to here
0:36:06	and VLAN ten technically doesn't need to go there
0:36:11	because it doesn't have any host assigned. But let's look at what are all the results of the trunk links on all of the switches then we'll
0:36:19	write out here what are the particular numbers that it's forwarding.
0:36:22	So let's start on switch one and say show interface trunk.
0:36:30	So I want to see what are the VLANs in the spanning tree forwarding state and not pruned.
0:36:43	So let's start on switch one. Okay, switch one says I have
0:36:53	one, ten, and twenty
0:36:56	on both of these links.
0:37:00	So we have one,
0:37:04	one, ten, and twenty.
0:37:07	One, ten, and twenty.
0:37:12	Switch two says on port thirteen I have one and twenty.
0:37:18	On port nineteen I have one and ten.
0:37:26	Switch three says I have one, ten, and twenty.
0:37:32	Switch four says I have one and twenty.
0:37:39	Again, let's look at what should the transit path be for these two different VLANs.
0:37:47	VLAN twenty traffic needs to go from switch three to switch one,
0:37:52	from switch one to switch two. VLAN ten traffic needs to go from switch one
0:37:59	to switch two and then to switch four.
0:38:03	What's the potential problem we now have in this topology?
0:38:08	When we look at these forwarding lists for the trunks?
0:38:12	So these numbers in blue, this is what the switches said they're going to forward out these interfaces.
0:38:17	Let's look at the connectivity between the routers again now.
0:38:23	For some reason one and four have lost connectivity
0:38:28	but two and three have not.
0:38:31	So if we look at the diagram again
0:38:35	switch four is not forwarding VLAN ten
0:38:39	which it does need to because based on that purple outline there
0:38:45	traffic from those two hosts is going to be going out switch four's link to switch two
0:38:50	and then be returning back in there.
0:38:54	So this is actually a very odd problem to troubleshoot
0:38:58	because when we look at, if we go to switch four,
0:39:02	and look at the
0:39:04	show spanning tree for VLAN ten
0:39:09	it actually shows that VLAN ten is forwarding on FastEthernet zero slash sixteen.
0:39:16	Only if you were to look at the show interface trunk output
0:39:20	and be careful enough to realize that there is a discrepancy
0:39:25	between what spanning tree says is forwarding
0:39:29	and what spanning tree plus pruning says is forwarding.
0:39:35	Because remember this last field, it's actually two things. It's saying did spanning tree
0:39:40	say it was okay and did VTP pruning say it was okay?
0:39:47	In this case spanning tree says it's fine but VTP pruning says it's not.
0:39:52	And the reason why is a real odd design case
0:39:56	that is due to the transparent switch. On switch three to start,
0:40:01	it knows that it has VLAN twenty assigned.
0:40:08	Switch three to switch one is going to say add VLAN twenty
0:40:13	and then remove anything else.
0:40:19	When switch one receives this message, this VTP pruning message,
0:40:22	what is it going to do with it?
0:40:24	It's not going to process it locally because remember it's in transparent mode.
0:40:29	So when it receives this in, it's actually going to forward the message on to switch two.
0:40:35	So the message that switch three originated actually arrives on switch two's port
0:40:41	saying that I want you to add a twenty and then remove anything else.
0:40:47	Switch two then also tells switch four
0:40:49	I am not in the transit path for VLAN ten so add VLAN twenty and remove anything else
0:40:57	which means that this traffic is then going to fail, the VLAN ten traffic.
0:41:02	The key point being here that the transparent switch
0:41:06	is not able to tell anyone else that it actually needs VLAN ten
0:41:11	because it cannot exchange the VTP updates.
0:41:15	So again really the only way to troubleshoot this would be to
0:41:19	to look at the show interface trunk and see that there's the discrepancy between what
0:41:24	spanning tree says is supposed to go versus what pruning says is supposed to go.
0:41:29	And we can see this again when we look at the
0:41:31	show interface FastEthernet sixteen pruning
0:41:36	and compare this to show spanning tree interface FastEthernet sixteen.
0:41:40	Spanning tree says that we are supposed to send
0:41:44	one, ten, and twenty.
0:41:48	Pruning says we're only supposed to send one and ten,
0:41:58	no, that's not right. Traffic requested of the neighbor.
0:42:02	It would actually be, it's the top field not the bottom one there.
0:42:06	So it's that out of these three VLANs
0:42:09	ten was pruned, so ten is being deleted.
0:42:16	If we compare that to the
0:42:20	show interface FA zero sixteen trunk
0:42:30	to the show spanning tree we could see that ten is not listed there.
0:42:35	So ten is supposed to be forwarding for spanning tree but not for VTP.
0:42:40	So it's excluded. So one way we could fix this here
0:42:44	then is just not to run pruning. So any time there is a case where you have
0:42:49	transparent switches in the transit path for any VLAN
0:42:53	then you will not be able to do pruning.
0:42:56	Okay? Or technically you can but you could end up in a weird case like we saw there
0:43:00	where you lose reachability between some of the VLANs.
0:43:04	And it actually gets even harder to troubleshoot if you do packet analysis
0:43:08	because if we look at the allowed lists
0:43:12	on the interface and look what's listed in blue there, it means that
0:43:17	the outbound traffic flow
0:43:20	and we can see this on the routers here and when I saw this problem for the very first time
0:43:25	it took forever to figure out that this was the problem. If we go to router one,
0:43:31	who is on switch one, and is trying to send packets to router four,
0:43:36	what we would actually see is that traffic is uni-directional,
0:43:41	that from one it can get to four
0:43:45	but four's response never gets back to one.
0:43:49	So if we go to router one
0:43:54	and let's keep sending these pings
0:43:58	then I go to router four and look at the debug IP packet detail
0:44:05	we see that the packets are coming from one to us
0:44:11	then we try to reply
0:44:15	it says route packet from the local CPU, the source is 14004.
0:44:20	The destination is 14001, which is router one.
0:44:23	So we actually are receiving the packet and replying
0:44:27	but it gets dropped in the layer two transit path.
0:44:33	So one way we could also figure this out
0:44:36	if we look at the show ARP
0:44:41	I want to know what's going on with these two MAC addresses
0:44:45	in the CAM table of VLAN ten.
0:44:49	So if I went to switch four and said show MAC address table dynamic VLAN ten.
0:44:58	Switch four knows about
0:45:03	zero zero DBC oh one 3400, which is router one,
0:45:10	and then the
0:45:14	the 5D, that's router four, so let's look at this on the other switches.
0:45:23	Switch one doesn't know about it. So switch one does not know the MAC address of router four
0:45:28	nor should switch two here.
0:45:34	What was this? This says 9 A 5 D is four's MAC address. So it's not on the CAM table there.
0:45:40	So like I mentioned before,
0:45:42	this output here, the show MAC address table,
0:45:45	this is what ultimately controls whether the frames are going be forwarded or not.
0:45:49	Whether the MAC address can be inserted into the table.
0:45:52	So spanning tree, the VTP, the other control plane protocols,
0:45:57	they're basically just filtering down
0:46:00	what type of MAC address is going to be installed
0:46:02	then they forward this so this information over to the A6
0:46:06	then it's up to them to actually switch the traffic.
0:46:09	But really, really hard to trouble shoot here because like you can see
0:46:12	four receives the packets and replies.
0:46:15	If we look at router one, we can see that the packets are not
0:46:19	going the full transit path. So let's try disabling pruning now, no VTP pruning.
0:46:32	And now as soon as we do that, now the packets are successful.
0:46:36	So our other option here would be to do the
0:46:39	the pruning manually. We saw this with an example as
0:46:43	router three, or excuse me, switch three,
0:46:48	as switch three was forwarding
0:46:51	packets out to router five where this was configured as a trunk link.
0:46:54	The reason again you would want to do this
0:46:57	which is to set the allowed list
0:47:01	is that if pruning is on
0:47:07	then any trunk that does not run pruning is going to reverse the effects of it.
0:47:13	And regardless, even if you're not running pruning, you would want to optimize the Layer 2 flow
0:47:17	so that your servers are not receiving packets they don't actually need.
0:47:22	Especially if there's a lot of broadcast traffic or a lot of unknown frames
0:47:26	then that can definitely be a performance degradation at the switches
0:47:30	and at the end host's nic card.
0:47:33	The extended
0:47:35	VLAN range that is beyond 1006
0:47:40	this is one other application that requires that we run VTP in transparent mode.
0:47:46	Okay, there is an exception on the newest platforms. There's a version three for VTP
0:47:51	that supports the advertisements of these, which are 1006 to 4094,
0:47:56	but in most of the access layer switches
0:48:00	VTP v3 is not yet supported.
0:48:04	So if you want to use this extended range that means you cannot be a server, you cannot be client,
0:48:10	which then would eliminate your ability to run pruning
0:48:14	and also to do VTP authentication.
0:48:18	So VTP authentication cannot be used if you are using transparent mode.
0:48:23	Which it really doesn't matter in the end because
0:48:26	VTP does not define the broadcast domains.
0:48:29	As long as the VLANs match on a hop by hop basis,
0:48:33	that's what controls whether the traffic can be forwarded
0:48:37	between two hosts in the same VLAN.

Now Viewing

CCIE Routing & Switching Advanced Technologies Class
Title:	CCIE Routing & Switching Advanced Technologies Class
Duration:	81h 59m
The CCIE Routing & Switching Advanced Technologies Class is the first step in understanding CCIE level technologies and is a companion to the Advanced Technologies Lab Workbook. Each technology you need to know for the CCIE Routing & Switching lab will be described in detail using an instructor led hands on demonstration. The class consists of over 80 hours of in depth explanations and examples.
Get instant access to our entire library!
$159/month	Add to Cart
Download this Course
$299.00	Add to Cart

VTP Prune Eligible List, VTP Transparent, VTP...

Create Bookmark