CCIE Routing & Switching Advanced Technologies Class - VTP, VTP Authentication, VTP Pruning

Transcript

1	Introduction	0h 43m
2	Using the Cisco Documentation	0h 52m
3	Ethernet Overview, Layer 2 Switchports, Trunking, ISL, 802.1q, DTP	0h 47m
4	VTP, VTP Authentication, VTP Pruning	1h 02m
5	VTP Prune Eligible List, VTP Transparent, VTP Troubleshooting, Trunk Allowed List, Extended VLANs	0h 48m
6	VLAN and VTP Review	0h 19m
7	SVIs, Native Routed Interfaces, Router-on-a-Stick	0h 46m
8	Layer 2 EtherChannel, EtherChannel Load Balancing, Layer 3 EtherChannel	0h 57m
9	802.1q Tunneling, Layer 2 Protocol Tunneling, EtherChannel over 802.1q Tunneling	1h 03m
10	STP Root Bridge Election, STP Root Port Election, STP Designated Port Election, STP Priority, STP Cost, STP Port-Priority	1h 46m
11	STP Review	0h 12m
12	STP Timers, STP PortFast	0h 34m
13	STP UplinkFast	0h 11m
14	STP BackboneFast	0h 12m
15	STP BPDU Filter	0h 13m
16	STP BPDU Guard	0h 11m
17	STP Root Guard	0h 11m
18	STP Loop Guard, Unidirectional Link Detection (UDLD)	0h 11m
19	Multiple Spanning-Tree Protocol (MST)	0h 40m
20	Rapid Spanning-Tree Protocol (RSTP), Rapid-PVST	0h 18m
21	MST with Multiple Regions	0h 33m
22	Flex Links	0h 16m
23	Frame Relay	0h 39m
24	Frame Relay Configuration Part 1	0h 34m
25	Frame Relay Configuration Part 2	0h 41m
26	Frame Relay Switching	0h 27m
27	Back-to-Back Frame Relay	0h 08m
28	Frame-Relay End-to-End Keepalives	0h 18m
29	PPP, PPP PAP Authentication, PPP CHAP Authentication	0h 59m
30	PPPoFR, PPPoE	0h 40m
31	Transparent Bridging, IRB	0h 32m
32	Fallback Bridging	0h 14m
33	IP Routing Overview, Switching Paths, Static Routing	0h 42m
34	Static Routing Examples	0h 25m
35	IP Default-Gateway, IP Default-Network	0h 14m
36	On-Demand Routing (ODR)	0h 07m
37	Floating Static Routes	0h 10m
38	Backup Interface	0h 29m
39	Enhanced Object Tracking, IP SLA, Reliable Static Routing	0h 21m
40	Policy Routing	0h 43m
41	GRE Tunneling, GRE Recursive Routing Errors	0h 27m
42	Reliable Backup Interface with GRE	0h 25m
43	RIP Overview, RIP Versions, RIP Auto-Summary	0h 48m
44	RIP Split-Horizon, RIP Timers	0h 22m
45	RIP Broadcast Updates, IP Directed Broadcast, IP Broadcast-Address, Smurf Attacks, Fraggle Attacks	0h 16m
46	RIP Unicast Updates	0h 03m
47	RIP Offset-List	0h 18m
48	RIP Authentication	0h 11m
49	RIP Summarization	0h 10m
50	Prefix-Lists, RIP Distribute-List Filtering, RIP Administrative Distance Filtering	0h 48m
51	RIP Default Routing, RIP Conditional Default Routing	0h 18m
52	RIP Triggered, RIP Validate Update Source,	0h 12m
53	EIGRP Overview	0h 29m
54	EIGRP Auto-Summary	0h 07m
55	EIGRP Split-Horizon	0h 11m
56	EIGRP Update Types, EIGRP Neighbor, EIGRP Passive-Interface	0h 24m
57	EIGRP Hello-Interval, EIGRP Hold-Time	0h 05m
58	EIGRP Authentication	0h 11m
59	EIGRP Time Based Authentication	0h 25m
60	EIGRP Path Selection, EIGRP Metric Weights, EIGRP Traffic Engineering	0h 47m
61	EIGRP Unequal Cost Load Balancing, EIGRP Variance	0h 19m
62	EIGRP QUERY, EIGRP Summarization, EIGRP Leak-Map	0h 28m
63	EIGRP Stub Router Advertisement	0h 22m
64	EIGRP Default Routing	0h 13m
65	EIGRP Route Filtering	0h 11m
66	EIGRP Router-ID	0h 07m
67	Miscellaneous EIGRP Features	0h 02m
68	OSPF Overview	0h 27m
69	Establishing OSPF Adjacencies, Understanding the OSPF Database	0h 43m
70	OSPF Network Type Broadcast, OSPF DR/BDR Election, OSPF over NBMA, OSPF Network Type Non-Broadcast and Point-to-Multipoint	0h 56m
71	OSPF Network Type Point-to-Point, OSPF Network Type Mismatch	0h 13m
72	OSPF Network Type Point-to-Multipoint Non-Broadcast, OSPF Per Neighbor Cost	0h 17m
73	OSPF Network Type Loopback	0h 02m
74	OSPF Path Selection	0h 27m
75	OSPF Convergence Timers	0h 09m
76	OSPF Authentication	0h 12m
77	OSPF Summarization	0h 32m
78	OSPF Stub Areas, OSPF Totally Stubby Areas, OSPF NSSAs, OSPF Totally NSSAs	0h 40m
79	Controlling OSPF NSSA Redistribution	0h 02m
80	OSPF Type 7 to 5 Translator Election, OSPF LSA Type 3 Filter, OSPF Forwarding Address Suppression	0h 24m
81	Route Redistribution Overview	0h 36m
82	Route Redistribution Configuration & Verification, Connected Redistribution	0h 22m
83	OSPF External Path Selection, TCL PING Scripting	0h 33m
84	Routing Loops Overview, EIGRP Route Loop Prevention	0h 55m
85	Metric Based Routing Loops, Route Tagging	0h 46m
86	Administrative Distance Based Routing Loops, Debug IP Routing, IP Route Profile	0h 58m
87	BGP Overview, BGP Peering Types	0h 51m
88	Establishing BGP Peerings, EBGP Multihop, BGP Neighbor Disable Connected Check, BGP TTL Security	0h 49m
89	BGP 4-Byte ASNs	0h 20m
90	BGP Local AS, BGP Peer Groups	0h 30m
91	BGP Next-Hop Self, BGP Next-Hop Processing	0h 30m
92	BGP Route Reflectors	0h 37m
93	Large Scale BGP Route Reflectors with Clusters	0h 34m
94	BGP Confederation	0h 37m
95	BGP NLRI Advertisements, BGP Network Statement, BGP Redistribution	0h 43m
96	BGP Aggregation, BGP Aggregation & Summary-Only, BGP Aggregation & Unsuppress-Map	0h 46m
97	BGP Origin, BGP Aggregation & AS-Set, BGP Aggregation & Advertise-Map	0h 22m
98	BGP Conditional Route Injection	0h 21m
99	BGP Bestpath Selection, BGP Multipath, BGP Weight	0h 53m
100	BGP Local Preference, BGP Local Preference and Communities, BGP AS-Path Prepending,	0h 30m
101	BGP MED, BGP MED Missing As Worst, BGP Deterministic MED	0h 34m
102	BGP Communites, BGP Regular Expressions	0h 43m
103	BGP Filtering, BGP Convergence Timers, BGP Default Routing, Miscellaneous BGP Features	0h 24m
104	MPLS Overview, MPLS Label Distribution Protocol (LDP)	1h 05m
105	MPLS Tunnels, MPLS Penultimate Hop Popping (PHP)	0h 40m
106	MPLS Layer 3 VPNs Overview, VRF Lite	0h 36m
107	MPLS Layer 3 VPNs and VPNv4 BGP	1h 08m
108	MPLS Layer 3 VPN Verification & Troubleshooting	0h 49m
109	MPLS Layer 3 VPN OSPF PE-CE Routing Overview	0h 06m
110	MPLS Layer 3 VPN OSPF PE-CE Routing Path Selection & Sham-Links	2h 01m
111	MPLS Layer 3 VPN OSPF PE-CE Routing Loop Prevention & Down-Bit, OSPF Capability VRF-Lite	0h 40m
112	IPv6 Overview, IPv6 ICMPv6 ND, IPv6 over NBMA	0h 44m
113	IPv6 Routing Overview, IPv6 Static Routing	0h 28m
114	IPv6 RIPng	0h 20m
115	IPv6 EIGRPv6	0h 09m
116	IPv6 OSPFv3	0h 31m
117	MP-BGP for IPv6	0h 26m
118	IPv6 Tunneling	1h 13m
119	Multicast Overview, IGMP	0h 34m
120	PIM Overview	0h 18m
121	PIM Dense Mode	1h 03m
122	PIM Sparse Mode	0h 30m
123	PIM Sparse Mode Configuration	0h 36m
124	PIM Sparse Mode RPF & RP Troubleshooting	0h 27m
125	Auto-RP, Multicast over GRE Tunnels	0h 53m
126	Bootstrap Router (BSR), Bidirectional PIM, Source Specific Multicast (SSM)	0h 40m
127	MSDP, Anycast RP	0h 27m
128	IPv6 Multicast Routing	0h 24m
129	QoS Overview, IntServ QoS, DiffServ QoS, IP Precedence, DSCP, MQC, HQF	0h 41m
130	MQC Classification	0h 44m
131	FIFO, FQ, WFQ, CBWFQ, HQF	0h 50m
132	LLQ	0h 23m
133	WRED	0h 31m
134	Traffic Shaping, Traffic Policing	0h 40m
135	Frame Relay Traffic Shaping (FRTS)	0h 33m
136	RSVP	0h 07m
137	Catalyst 3560 QoS	1h 00m
138	IOS Security Overview, Access Lists (ACLs)	0h 58m
139	Time Based ACLs, Dynamic ACLs	0h 33m
140	Reflexive ACLs	0h 21m
141	TCP Intercept, Content Based Access Control (CBAC)	0h 34m
142	Zone Based Policy Firewall (ZBPF)	1h 09m
143	AAA, Local Authentication, Local Authorization, Role Based CLI Access	0h 43m
144	Port Security, Static CAM Entries, Storm Control, 802.1X Authentication, PACLs, RACLs, VLAN Access Maps (VACLs)	0h 48m
145	DHCP Snooping, Dynamic ARP Inspection (DAI), IP Source Guard	0h 12m
146	Protected Ports, Private VLANs	0h 25m
147	IP Services Overview, HSRP	1h 10m
148	VRRP, GLBP	0h 28m
149	NAT	0h 42m
150	DHCP, DNS	0h 30m
151	NetFlow	0h 09m
152	WCCP, Miscellaneous IP Services	0h 06m
153	System Management Overview, NTP, NTP Authentication	0h 24m
154	SNMP, RMON	0h 38m
155	Syslog, Telnet, SSH, Banners	0h 21m
156	EEM Scripting, Miscellaneous System Management	0h 26m
Total Duration		81h 59m

Slides - Diagrams

Slides - Introduction

Slides - Ethernet Switching

Slides - Advanced Ethernet Switching

Slides - Frame Relay

Slides - PPP

Slides - Transport Bridging

Slides - Redistribution

Slides - IOS Security

Slides - Layer 2 Security

Slides - IP Services

Slides - System Management

0:00:13	In our next section here we're going to talk about VLAN trunking protocol or VTP
0:00:18	and some of the lesser known caveats about problems you could run into with VTP
0:00:25	when we're using this to advertise VLANs between multiple switches.
0:00:29	So as we know,
0:00:31	the purpose of VTP is that we can centralize the administration for the VLAN attributes.
0:00:38	Attributes meaning things like the VLAN numbers, the VLAN names,
0:00:42	and other options that we can set onto them like r span for example.
0:00:46	One key point to remember though
0:00:48	is that VTP does not actually define the broadcast domain in the network.
0:00:55	It is the VLAN and spanning tree itself
0:00:58	that determines where the traffic is going to be forwarded.
0:01:01	Okay, actually technically it is the cam table
0:01:04	that determines where traffic is forwarded
0:01:06	because that's ultimately where the MAC addresses are stored.
0:01:12	Now the reason I mentioned this though is that you can run into a design
0:01:17	where you have two VLANs that are in the same broadcast domain
0:01:22	but the switches are in different VTP domains.
0:01:25	So as long as the VLAN numbers match between two switches
0:01:30	and the VLAN is being trunked between the switches
0:01:33	then it's going to be the same broadcast domain so you can have hosts in the same subnet that are able to reach each other.
0:01:40	We will see that if you do have
0:01:43	different VTP domains
0:01:46	the switch will try to prevent this automatically
0:01:50	by trying to disable any trunk links that have been negotiated with DTP.
0:01:56	So when we look at the actual configuration, if we combine dynamically
0:02:01	negotiated trunk interfaces plus VTP in different domains, the two of those are not going to work together.
0:02:08	But technically as it shows here, VTP is technically not a requirement of Ethernet networks.
0:02:15	So as long as the VLAN numbers match between the switches
0:02:18	that's what defines the broadcast domain.
0:02:20	VTP is going to be use just for the administration.
0:02:24	Now in real designs the vast majority of the time VTP is not used
0:02:29	because there's some underlying problems in the design
0:02:32	that we can simply avoid by not using it in the first place.
0:02:36	So it's good for administration but it's really not worth the price that you have to pay
0:02:41	when you look at the potential problems that it could cause.
0:02:45	So configuration wise, we can do this two different ways
0:02:48	in the VLAN database or in global configuration.
0:02:51	Some particular platforms only support using the VLAN database
0:02:56	like if you're using a much older catalyst switch
0:02:58	or you're using a particular Ethernet module
0:03:03	the Ethernet switching modules that plug into the routers
0:03:06	some of those only allow you to do the VLAN database configuration.
0:03:11	But either way, however you create the VLANs and apply the attributes
0:03:15	doesn't really matter - it's going to have the same effect.
0:03:18	If we were to look at the command line here
0:03:21	Let's say that we go to switch one and we go into the VLAN database
0:03:30	and we create VLAN 10, VLAN 20, VLAN 30, VLAN 40,
0:03:36	et cetera; once we exit out of here we could see it says that an apply was completed.
0:03:42	If we show VLAN brief or show VLAN, we could see VLAN numbers 10, 20, 30, and 40 are there.
0:03:50	So in reality is doesn't matter how you create them.
0:03:53	With the VLAN database you have to do them one at a time.
0:03:56	If we were to do that in global config we could just say VLAN 50 comma 60 comma 70 through 79.
0:04:05	So it's a little bit easier to create all the VLAN numbers at once.
0:04:10	Either case it's going to put these locally into the database.
0:04:14	Now at this point we don't have any other configuration on switch one
0:04:19	other than all of the defaults on the interfaces and the VLANs that we created.
0:04:24	So if we look at the show VTP status
0:04:30	by default VTP is on but the domain name is null.
0:04:37	So you can see it doesn't show anything here.
0:04:40	So what this means is that if the switch receives a VTP packet in on a trunk link
0:04:47	which ever one adheres first it's automatically going to inherit that name.
0:04:52	So if I were to go to some other switch that is trunking to switch one
0:04:57	Let's first let's look at the show interface trunk.
0:05:02	Let's say port number 21
0:05:05	which goes over to switch four.
0:05:07	If we look at the show CDP neighbors include zero slash 21,
0:05:12	our local zero slash 21
0:05:15	is going over to switch four's FastEthernet zero slash 15.
0:05:18	So if I were to go to switch four
0:05:20	and say that my VTP domain is ABC
0:05:28	and we look at the result of this on switch one if we show VTP status
0:05:35	we could see now we inherited that domain name.
0:05:40	So this to begin with is kind of a disadvantage of VTP.
0:05:45	It makes it very easy to deploy but it's not very secure
0:05:50	in the case that as soon as you plug in a switch to the network it's going to join the VTP domain
0:05:55	and it's going to learn about all of the VLANs.
0:05:58	So there's nothing preventing by default
0:06:01	switch one now deleting all of the VLANs that were in the database or
0:06:07	now using this as some sort of reconnaissance attack
0:06:10	because now I know what are the different VLAN numbers
0:06:14	so I know if I want to do maybe some sort of Layer 2 man in the middle attack
0:06:18	I know what particular VLAN numbers I need to do this against.
0:06:24	Now since all of the devices by default
0:06:27	are VTP servers
0:06:29	it means that any of them can make modifications to the database.
0:06:34	Once we make these modifications
0:06:36	we should see the configuration revision number change
0:06:41	which is essentially the sequence number for the database.
0:06:45	So if VTP is converged
0:06:48	everyone should agree on what this configuration revision number is.
0:06:52	So right now it shows zero
0:06:55	which for the case of a VTP server, this is not correct.
0:06:59	And we can see it says that there's an MD5 digest checksum mismatch
0:07:03	on the trunks between 19, 20, and 21.
0:07:08	So it actually means that there's some problem with the authentication between the neighbors.
0:07:17	Now this output might seem kind of odd here
0:07:21	because we didn't actually configure a password on any of the switches.
0:07:27	So does anybody know why without configuring the password
0:07:30	why would the switches say that there's a mismatch in
0:07:34	the MD5 checksum?
0:07:40	So let's look at switch four
0:07:43	and show VTP status
0:07:46	and I'm going to do this on all of the
0:07:50	switches. Let's go to four, to three, and to two.
0:08:02	So we can see they all joined the domain, they joined ABC
0:08:07	but it says that these updates coming in, these are the ones that are coming from switch four,
0:08:14	it basically says these are not valid because there's a mismatch in the checksum.
0:08:18	Okay, we can see this also because the revision number is zero.
0:08:22	The reason why this is happening
0:08:25	is that even though a password is not sent
0:08:28	VTP technically does authentication on everything by default.
0:08:33	So it's similar in the logic of how OSPF authentication works.
0:08:38	Even if you don't configure OSPF configuration it is on.
0:08:43	If you don't configure it you're doing what type of authentication?
0:08:48	You're doing null authentication.
0:08:51	Okay, null authentication or no authentication.
0:08:53	So if two of the neighbors both use null authentication which is authentication type zero
0:08:58	then they can form an adjacency.
0:09:01	If one of them has type one which is clear text authentication, one of them has type zero which is null, they would not form the adjacency.
0:09:08	Same type of logic here with VTP.
0:09:10	Even though I didn't configure the password
0:09:13	which means that the password is null
0:09:15	so if I look at switch four and say
0:09:19	show VTP password
0:09:22	it says password is not configured.
0:09:24	I'm taking the revision number and with the null password
0:09:29	coming up with a hash for that.
0:09:33	So the revision number is basically used as a seed for the MD5 output
0:09:38	and if we look at what this result is, zero by A4, zero by 1C, etc.,
0:09:44	this does not match what is on the other switches.
0:09:48	So since they all have different digest numbers
0:09:52	then they're not going to accept the updates from each other.
0:09:55	So it basically has to do with an order of operations problem
0:09:59	of how I configured the VLANs versus assigning the domain name.
0:10:03	So what I'm going to do here now is go to...
0:10:07	Actually, before I do that, let's look at the other devices, let's say switch four,
0:10:13	and show VLAN brief
0:10:16	notice that the VLANs I created on switch one
0:10:19	they're not being learned by this switch.
0:10:22	And they should not be learned by any of the switches.
0:10:31	So if we show VLAN brief on switch two
0:10:35	switch two has some of the VLANs but not all of them. It doesn't have 20, 30, 40, etc.
0:10:39	So we can clearly tell there's some mismatch in the database
0:10:43	and it has to do with the fact that I configured the VLANs on one switch
0:10:48	then started the VTP process on another one that didn't have the VLANs.
0:10:53	We now basically end up in an order of operations problem.
0:10:57	So what I should be able to do is go to switch one
0:11:00	and force an update for VTP by adding a VLAN or by removing a VLAN.
0:11:09	So the add and remove, if I now look at the show VTP status,
0:11:16	now the revision number is two because I made two separate changes.
0:11:21	So every time a VLAN is added, a VLAN is removed, any attribute is changed,
0:11:26	that counts as a new sequence number or basically the revision number.
0:11:31	So if we look at the other switches now and show VTP, show VTP status,
0:11:38	now they agree that the revision number is two
0:11:41	and if we show VLAN brief
0:11:45	we now see that the other switches are learning the VLANs from switch one.
0:11:53	So it's not really a big problem here. The only thing we need to do is just force an update.
0:11:58	Another thing that would do this would be to shut the trunk links down and then bring them back up.
0:12:03	But the easier way as you can see with the config,
0:12:05	would just be to create a VLAN and then remove it.
0:12:09	This is going to cause a triggered update in the VTP network.
0:12:13	So at this point everyone agrees on what the domain name is.
0:12:16	So no matter where we create a VLAN or remove a VLAN it's going to be propagated to everyone.
0:12:22	The reason why is that everyone is in server mode by default.
0:12:28	Client mode means that we can receive the updates from the server but we can't actually make any changes.
0:12:35	So on a client you would not be able to create or delete a VLAN.
0:12:39	Whereas the last option in transparent mode
0:12:43	basically means that you're not participating in VTP with the other devices.
0:12:47	So when you receive an update in it would not update the local VLAN database
0:12:53	but you could potentially send it out your other trunk links
0:12:56	in order to forward it on to other switches.
0:12:59	Okay, we'll come back to transparent mode in a little bit.
0:13:01	There are some caveats with this where certain designs will not work
0:13:06	if you use transparent mode switches in the network.
0:13:11	So usually in most real designs you would have everyone run in transparent mode
0:13:18	or agree on what the client and server relationships are.
0:13:21	So if everyone is in transparent mode it's effectively the same as having VTP off.
0:13:26	So you won't ever worry about someone updating your database incorrectly.
0:13:31	So now let's look at let's say switch two
0:13:34	and we'll put this into client mode so in global config we'll say VTP mode is client.
0:13:42	So if we now tried to create a VLAN, let's say VLAN 123,
0:13:46	or no VLAN two
0:13:49	we could see it says we can't do that because we're in client mode.
0:13:51	So only in server or transparent mode can we make modifications to the database.
0:13:58	Which is fine, we don't really care where the VLANs are created as long as they propagate to everywhere in the network.
0:14:06	But one potential problem that we could have here
0:14:09	is essentially a parser error where the parser is the interpreter for the IOS
0:14:18	where the parser should have an error message
0:14:21	in the case that you are in VTP client mode and you go to an access port
0:14:29	and assign a VLAN, let's say switchport mode access and switchport access VLAN let's say 200.
0:14:38	There ideally should be a check in the parser that says VLAN 200 does not exist
0:14:46	and doing this assignment is not going to accomplish anything.
0:14:49	Because now if we were to look at the show run interface FastEthernet two
0:14:56	versus the show VLAN brief
0:15:02	we can see at the interface level it did take the VLAN 200 configuration
0:15:07	but here in the show VLAN brief output we don't actually have VLAN 200 there.
0:15:13	So it goes from 79 up to 1002, which is one of the default VLANs.
0:15:19	Now if we don't have VLAN 200 in there
0:15:25	what also is going to be true about VLAN 200? Or actually what is not going to be true about VLAN 200?
0:15:36	It means that we won't have a spanning tree instance for VLAN 200.
0:15:42	So the switches run per VLAN spanning tree by default
0:15:46	which means that each VLAN needs its own instance of spanning tree
0:15:50	so there's a separate bridge election, there's a separate report and designate a port election on a per VLAN basis.
0:15:57	But since VLAN 200 does not exist, since the VTP server did not create it,
0:16:02	it means that even though it was applied at the interface level
0:16:08	and if we look at show interface status
0:16:12	or do show interface status, we can see that VLAN 200 was assigned there.
0:16:19	Okay, not connected here basically means that switch, or not switch two, router two
0:16:25	has it's port shut down. So let me...
0:16:30	Let's bring that up here.
0:16:41	So the switch says port FastEthernet two is up.
0:16:45	When we look at the show interface status
0:16:48	everything looks fine from this output.
0:16:50	So it says FA zero slash two
0:16:53	has the connected status which is what we want to see.
0:16:57	VLAN 200 was assigned and the duplex and speed were automatically negotiated.
0:17:04	Okay, which is good. What it doesn't tell us though is that if we look at the
0:17:14	show spanning tree for VLAN 200
0:17:18	we can't actually forward traffic for that particular VLAN.
0:17:25	So now whenever the switch receives traffic in on a port
0:17:30	that is assigned to VLAN 200 as an access port or as a tagged frame that comes in on a trunk interface
0:17:39	it's going to be dropped.
0:17:41	The reason why is that if we look at the show MAC address table
0:17:46	or a space MAC address table dynamic for VLAN 200
0:17:51	there's no MAC addresses in the CAM table.
0:17:54	So when this switch receives a frame it basically doesn't know what to do with it.
0:17:59	So if I were to assign this to router four's port as well, let's say switchport access VLAN 200,
0:18:07	where essentially the topology here
0:18:10	is going to look like this where router two
0:18:15	is on port FastEthernet zero slash two
0:18:19	and router four is on FA zero slash four.
0:18:23	So let's put these two routers in the same VLAN. Let's say that they're... not the same VLAN the same subnet.
0:18:28	Let's say they're ten zero zero zero slash twenty-four.
0:18:32	Okay, router two will be dot two; router four will be dot four.
0:18:36	So we're just trying to get basic connectivity within the single switch.
0:18:42	So on router four
0:18:45	on FastEthernet zero zero, our address will be ten zero zero four slash twenty four.
0:18:54	On router two
0:18:58	will be ten zero zero two slash twenty four.
0:19:04	So ideally if the Layer 2 switch network is working,
0:19:08	I should be able to ping from router two over to router four.
0:19:14	Okay, I know at this point it's not going to work because I didn't actually assign...
0:19:18	Or actually I did assign the port.
0:19:21	Okay, so I assigned the port. If we show
0:19:25	Let's say show VLAN, or not show VLAN 200, show
0:19:31	let's say show just VLAN; show VLAN brief.
0:19:42	So again we can see that 200 doesn't exist here; it's not listed.
0:19:46	But if we show interface status
0:19:51	both of those ports are assigned to 200.
0:19:57	Router two's unable to send packets over to router four.
0:20:00	On switch two, if we look at the CAM table again, the show MAC address table output,
0:20:05	these MACs of router two and router four, they're not able to be installed.
0:20:12	So ultimately in a Layer 2 switch network
0:20:16	if you have some sort of forwarding problem that you're trying to troubleshoot
0:20:20	the final say is done by the MAC address table.
0:20:23	So if the MAC address table is not in the...or excuse me, if the MAC address is not in the table
0:20:30	traffic is not going to be forwarded towards that destination.
0:20:33	So spanning tree
0:20:35	does prevent the loops of the packets
0:20:39	but the way it does that is by disabling MAC address learning
0:20:44	on interfaces that are not in the forwarding state.
0:20:48	So we'll see tomorrow when we get into more details with spanning tree
0:20:51	technically a port that is blocking does or can at least receive packets in.
0:20:57	So regular unicast packets, not like just a broadcast ARP or something like that.
0:21:02	It can receive normal packets in
0:21:05	but it's not going to do anything with them because there's no MAC addresses in the CAM table.
0:21:09	And that's basically the problem we have here.
0:21:12	So two and four, they don't have connectivity because we cannot put MAC addresses in the table.
0:21:18	In order to allow this we need to first now create the VLAN
0:21:24	which then in turn creates the spanning tree instance.
0:21:29	So if we show spanning tree for VLAN 200
0:21:34	now an instance exists.
0:21:37	If we look at the MAC address table
0:21:39	we're now learning the MACs of router two and four.
0:21:44	So only once those can be inserted into the CAM table will we actually get connectivity between the devices.
0:21:52	So we were previously in the listening phase of spanning tree.
0:21:58	We can see now we get past for, uh, learning and go onto forwarding now there's connectivity between the two devices.
0:22:04	But the key point here being that if the device is in VTP client mode
0:22:09	you could accidentally assign a VLAN to an interface
0:22:13	where the VLAN doesn't exist.
0:22:15	Ideally the parser of the switch would have some check that says you configured VLAN 200
0:22:20	as an access assignment but you didn't actually create it first.
0:22:24	The problem is it does not do that.
0:22:26	If you were to do the same operation either on a VTP server
0:22:31	or someone in transparent mode
0:22:34	it will automatically fix this for you.
0:22:37	So if I were to go to switch one
0:22:40	and go to any port here
0:22:43	I'll say switchport access VLAN 555
0:22:48	the parser automatically creates the VLAN for me.
0:22:52	Because it says 555 wasn't in the VLAN database so I'm just going to add it automatically.
0:22:58	So on the client it should say something like access VLAN does not exist
0:23:03	then I'm in VTP client mode so I can't create it so it would be some sort of informational log message for you.
0:23:10	The end result you would be able to eventually figure this out though because without the VLAN
0:23:15	we can see there's no connectivity.
0:23:19	But potentially we could waste a bunch of time
0:23:21	troubleshooting some higher layer problem, Layer 3 or above,
0:23:25	when really it's just that the Layer 2 VLAN doesn't exist
0:23:28	which means that there's a problem in the CAM table.
0:23:31	Okay, next let's look at VTP authentication here.
0:23:36	Talked a little bit about it before where by default
0:23:38	you technically are running authentication but it is null.
0:23:43	So when we look at the switches, let's say switch one here,
0:23:48	and show VTP password
0:23:51	I don't have a password configured.
0:23:53	If I show VTP status
0:23:56	and let's say show VTP status and just include
0:24:01	the MD5 digest.
0:24:04	So I want to look at this on all of the switches, so switch one, two, three, and four.
0:24:13	Now if we look at the differences between the four
0:24:17	notice that the digest is the same on all of them.
0:24:22	So even though there is no password configured
0:24:25	the MD5 authentication result is the same.
0:24:29	The reason why is that they are all agreeing on what the configuration revision number is.
0:24:35	So this is used as a salt for the MD5 hash
0:24:39	since they all agree on what the revision number is
0:24:42	they're taking a null string salting it with number four in this case
0:24:46	then the MD5 output is what we see here.
0:24:52	So it's kind of an odd problem even though the password doesn't exist
0:24:55	you can end up in an authentication failure like we saw before.
0:25:00	Now for the actual authentication the configuration is really straight forward. We just say VTP password
0:25:05	let's say Cisco, so whatever we want to configure.
0:25:08	This is going to be MD5 by default.
0:25:12	If we look at the show VTP status
0:25:15	we'll see now the MD5 digest changed from what it was before
0:25:21	and the other switches are not going to agree on this.
0:25:25	So if we look at the show VTP status, the other switches did not change.
0:25:30	If I now make an update, let's say VLAN 333, once I send this update out
0:25:39	the other switches are not going to accept it.
0:25:44	Okay so now it says there's an MD5 digest checksum mismatch on a receipt of an equal revision summary on the trunk.
0:25:54	So it's basically saying that we should have the same copy of the database
0:26:00	because we're in the same domain and we have the same revision number
0:26:03	but for some reason authentication is still failing.
0:26:07	So if you see this log message come up, basically it means that your passwords are wrong.
0:26:12	So I would then need to go to all the switches and just simply say VTP password and then whatever it is.
0:26:19	So now on switch three when we look at the show VTP status
0:26:26	I should see...actually I'll have to make another update here.
0:26:31	On switch one, let's say VLAN 334,
0:26:37	then show VTP status
0:26:40	I want to know what is my current revision number
0:26:44	and what is my MD5 hash.
0:26:46	So notice that it changed from before so let's say show VTP status
0:26:51	include revision or MD5.
0:26:59	So with the revision number is six.
0:27:02	MD5 digest is zero by zero A, etc.
0:27:05	If I make another update, let's say VLAN 335,
0:27:10	this should increment my revision number to seven
0:27:13	but then also I have a new hash.
0:27:16	So we could see based on that the MD5 is salted with the revision.
0:27:20	When I look at this on switch three
0:27:24	ideally we should agree on this, which we do.
0:27:30	So both the revision and the has match on switch one and switch three
0:27:35	which means that the authentication was successful.
0:27:38	If I look at any of the other devices they will not have this matching
0:27:41	because they don't have the same password configed.
0:27:47	So the implementation of the password is fairly straightforward.
0:27:50	Actually for any of this VTP stuff, there's not really that many commands that go along with it.
0:27:55	The problem is you can run into these weird order of operations problems
0:27:59	where you have identical configurations on the switches that should be working
0:28:03	but they don't because you configured it in the wrong order.
0:28:08	Worst case scenario you could reboot the switches and then it would load the process in the correct order
0:28:15	but also like I showed, if you just delete the VLANs and then...
0:28:18	or add a VLAN or remove a VLAN, then it's going to cause a triggered update.
0:28:23	Our next topic we have in VTP is how pruning works
0:28:28	which is going to be used to
0:28:30	reduce the amount of unnecessary traffic that's forwarded though the Layer 2 domain.
0:28:34	So typically by default when a switch receives a broadcast frame
0:28:41	it will be replicated out every port that is in that VLAN except the one that it came in on.
0:28:48	Now for any unicast or multicast packet that comes in
0:28:52	and the switch does not know the destination MAC address
0:28:57	these two types of frames the unknowns,
0:28:59	these are going to be treated the same as the broadcasts.
0:29:04	So this is essentially how the switch learns the MAC addresses
0:29:07	by flooding the packets everywhere
0:29:10	and then ideally waiting for a reply to come back from that particular destination.
0:29:17	So if the switch floods on ARP request out every port
0:29:21	it's going to listen back in for the ARP replay
0:29:24	to look at the port the frame came in and what the source MAC address was.
0:29:29	So were building the cam table by the port and source MAC address association.
0:29:35	The problem with this though is that if the Layer 2 network is really big
0:29:40	we get a lot of unnecessary flooding
0:29:43	of unknown unicasts or broadcasts that we don't need.
0:29:49	So let's say for example that our switching topology
0:29:57	looks like this where we have trunk links from switch three to switch one,
0:30:02	switch one to switch two, and switch two to switch four.
0:30:07	If I now have a host on switch three, let's say this is A,
0:30:12	and host B and C.
0:30:15	Okay, all three of these guys, they're all in VLAN 100.
0:30:19	When A first comes on to the network
0:30:22	it needs to know what are the MAC addresses of B and C before it can actually send them packets.
0:30:28	So A is going to send out the ARP request.
0:30:34	Switch three receives this and says this ARP request has a broadcast destination.
0:30:39	It's going to all F's
0:30:43	and four more, F F F F.
0:30:47	Destination MAC addresses all F switches the Layer 2 broadcasts
0:30:51	so I'm now going to look at the spanning tree forwarding table
0:30:55	to figure out which local ports have VLAN 100 in the forwarding state.
0:31:00	So either root ports or at designated ports.
0:31:04	Switch three says that these four interfaces, they're all running VLAN 100 so I'm going to flood the frame out to switch one
0:31:11	and then flood it out to B and C.
0:31:14	It's not going to be flooded back to A because that's where the packet originally came from in the first place.
0:31:22	The problem now though is that when switch one receives it
0:31:25	likewise this will be flooded to switch two
0:31:28	switch two floods it to switch four
0:31:30	and then switch four floods it beyond
0:31:33	to whatever other trunk links are there.
0:31:37	So ideally we would not have switch three flooding the broadcast up to switch one
0:31:44	because we know based on the physical topology
0:31:47	there's no hosts that are actually in VLAN 100 on those switches.
0:31:53	Essentially there's two different ways that we could...well, actually three different ways that we could do this.
0:31:58	Okay, one of the easiest ways
0:32:00	would be between the switches
0:32:03	to not run these as Layer 2 links to begin with.
0:32:06	So if this is a Layer 3 routed interface
0:32:09	we're segmenting the broadcast domains to begin with.
0:32:13	So if these were all Layer 3 links
0:32:16	we would then rely on some sort of IGP routing protocol in order to get the connectivity.
0:32:21	But assuming that we're running Layer 2
0:32:25	there's two ways that we could try to optimize these traffic flows.
0:32:30	One way would be on switch three
0:32:32	to say essentially on this trunk link
0:32:35	I don't want to forward VLAN 100.
0:32:38	So we could do this by editing what's known as the allowed list
0:32:44	on the trunk port.
0:32:46	So we could move VLAN 100 for that interface
0:32:49	so then even if someone came into the network later in VLAN 100
0:32:55	switch three is not going to be able to forward that traffic.
0:32:58	So it's a manual filter for the VLAN on the interface.
0:33:03	The problem with this though as you can imagine it's very...
0:33:08	there's a lot of administrative overhead to do it.
0:33:11	So you would have to have a very detailed graph of your Layer 2 network
0:33:15	and know where every particular VLAN is if you wanted to do this VLAN pruning manually.
0:33:22	The other option here would be that we use VTP
0:33:25	which already knows what the VLAN numbers are between the switches
0:33:30	and have them communicate what VLANs I have assigned
0:33:34	or which VLANs that I am in the transit path for.
0:33:39	So now if we hit a case
0:33:41	where switch three has VLAN 100
0:33:45	and switch two also has VLAN 100.
0:33:49	If VTP pruning was on
0:33:53	the result of this is that 100 would forward between switch one and three.
0:33:58	It would forward between switch one and switch two but it would not forward between switch two and switch four.
0:34:05	Essentially what happens is that switch two asks switch four
0:34:09	what are the VLANs you have assigned or you are in the transit path for.
0:34:14	Switch four replies and says not 100
0:34:18	so switch two is going to remove this from the forwarding state on the trunk link.
0:34:24	So it's essentially the same as editing the allowed list on the trunk
0:34:28	but we can do this automatically.
0:34:31	So in order to do this we're assuming in the first place that we are running VTP.
0:34:36	It's only supported when you're running either in client mode or server mode.
0:34:40	So if there's transparent switches in the network there's going to be some issues that you could run into.
0:34:48	The configuration of it is very straightforward. On any of the servers we just say VTP pruning
0:34:53	and it should be automatically advertised to all of the other clients and all of the other servers in the network.
0:35:04	Okay, so let's build the trunks based on this topology that I
0:35:11	drew out here.
0:35:14	So we're going to have switch three trunking to switch one.
0:35:21	So on switch three let's look at the
0:35:25	show interface trunks
0:35:27	and we'll say this is port 13. Okay? That link's already running as a trunk link because it was in dynamic desirable mode.
0:35:34	So the only thing I need to do is basically disable the other ones.
0:35:38	So let's say interface range
0:35:41	FastEthernet 14 to 21 shutdown.
0:35:49	So let's label these. This is going to be on switch three, that's 13
0:35:55	and 13 on switch three is going to mean...let's see, 13, 14, 15, 16.
0:36:03	This is going to be 16 on switch one.
0:36:08	Then we'll say 13 and 13
0:36:12	and 16 and this would be 16 too.
0:36:22	So let's look at
0:36:24	switch one now.
0:36:28	And we show interface trunk
0:36:30	so I want links 13 and 16 to be the only trunks running.
0:36:35	Sixteen is running but 13 is not so I'll go to 13
0:36:41	and say switchport mode is dynamic desirable.
0:36:45	So assuming that whatever is on the other end of the link
0:36:48	as long as they didn't disable DTP
0:36:50	or they're not in access mode
0:36:53	then this should automatically become a trunk link.
0:36:56	Okay, then I'm going to go to the other links which are
0:37:00	16 to 21 and shut those down.
0:37:11	Okay, on switch two likewise I want 13 and 16 so let's say show interface trunk.
0:37:19	So 19 to...actually no, that's not
0:37:24	that's not 16. This would be...
0:37:32	That would be 19. 19 goes to 16.
0:37:42	So I want to disable 20 to 21
0:37:47	and when you're doing these exercises with the Layer 2 switches
0:37:50	you need to make sure that you have some sort of diagram like this that shows the logical Layer 2 network
0:37:56	because otherwise if there's additional trunk links that have formed automatically
0:38:01	it's going to skew your results of whatever feature that you're trying to test.
0:38:05	So always draw out the Layer 2 topology so you know how the packets should be forwarded.
0:38:12	Okay, then last thing on switch four, let's look at
0:38:15	show interface trunk
0:38:21	and we have 16. Okay, so 16 on switch four is going to...it should be 19 on switch two.
0:38:32	Then 13 on switch two goes to 13 on switch one.
0:38:38	And switch one should also have 16, which I probably accidentally shut down.
0:38:51	Okay, so 13 and 16 and then on switch three lastly it should be
0:38:59	just 13. Okay, so now the Layer 2 trunks are built end to end.
0:39:04	We have everyone in VTP server mode
0:39:08	with the exception of switch two so if we show VTP status
0:39:13	let's make sure that first everyone is converged.
0:39:18	So if we compare all of the show VTP status outputs
0:39:23	what would I want to be looking for to see if everyone agrees on the topology?
0:39:36	Now I could look at what are the number of VLANs.
0:39:42	So if everyone else has 31 VLANs I could probably safely assume that
0:39:48	the network is converged. The only problem with this
0:39:52	is that if I have 31 VLANs and someone has another different 31 VLANs
0:39:58	then this value is not really going to show us that.
0:40:02	So what I really want to look at here is just the revision number.
0:40:05	If everyone has the same configuration revision then the network should be converged.
0:40:11	So right here on switch four it's number four.
0:40:15	Switch three has seven, switch two has four,
0:40:19	and switch one has seven.
0:40:21	So we can tell at this point the network is not converged.
0:40:24	The reason why is that I configured the passwords before not on everyone. So let me add those.
0:40:32	Actually I'm not going to add the passwords, I'm going to remove the passwords.
0:40:36	And I'll explain why in a couple of minutes I'm doing that but let's for right now let's just say no VTP password.
0:40:48	So on switch one and three no VTP password.
0:40:55	Then for simplicity
0:40:57	on switch three let's clear out the database, let's say no VLAN 2-1001.
0:41:03	So that's going to delete all of the numbers that were there previously.
0:41:08	I'm going to create just VLAN 10. Actually let's say 10, 20, 30, and 40.
0:41:16	So if VTP is working now switch three created these four VLANs
0:41:27	which were 10, 20, 30, and 40. If VTP is working
0:41:34	the final result would be that the update goes around this way, all the way down to switch four.
0:41:41	So if I can look at switch four and see those VLANs, 10, 20, 30, and 40 being learned in the VLAN database
0:41:48	then I can assume all the trunk links are working and that VTP is working end to end.
0:41:55	So on switch four let's look at the show VLAN brief.
0:42:02	Okay, which I do, so I have 10, 20, 30, 40. At this point we can assume that VTP is working.
0:42:09	Next let's do some actual assignments of the ports.
0:42:14	So on switch two I have a link that goes to router two
0:42:19	that's going to be port FastEthernet zero slash two.
0:42:23	On switch three I have a link that goes to router three
0:42:29	that will be FA zero slash three.
0:42:32	On router three's interface this is FA zero slash one.
0:42:37	On router two that is FA zero slash zero.
0:42:43	Then on switch one
0:42:46	I have router one.
0:42:50	Okay, router one's FA zero zero
0:42:52	is going to go to switch one's FA zero one.
0:42:58	And on switch four I have router four.
0:43:02	So router four is FA zero zero is going to go to FA zero four.
0:43:08	So I want two different VLAN assignments here. Let's say that
0:43:11	between routers one and four this is going to be VLAN 10.
0:43:18	Then between routers two and three this will be VLAN 20.
0:43:28	So first let's create the subnets between the neighbors.
0:43:33	So let's say for simplicity we'll say that these are 14 0 0 0 and 23 0 0 0.
0:43:42	So the subnets between one and four and two and three respectively.
0:43:47	So let's go to the routers.
0:43:54	On router one
0:44:00	this will be fourteen zero zero one
0:44:13	no shutdown
0:44:18	then on router four
0:44:23	this will be fourteen zero zero four.
0:44:30	Router two
0:44:35	Oh, did I use the right link there? I think I used the wrong one. Actually that should be
0:44:39	on router four that should be FA zero slash one.
0:44:47	And so I need to change that on four.
0:44:53	Let's say default interface FA zero zero. Interface FA zero one
0:44:59	has the address fourteen zero zero four.
0:45:06	Okay, then router two is twenty-three zero zero two.
0:45:13	And router three is twenty-three zero zero three.
0:45:25	Okay, so now I have the addressing on the routers.
0:45:28	They're not running any routing protocols so they're essentially just end hosts.
0:45:32	At this point they should only be able to reach devices in their own
0:45:36	VLAN or in their own subnet.
0:45:39	Okay, next on the switches I need to do the actual assignments.
0:45:42	So on switch one on port one switchport access VLAN ten.
0:45:48	Okay, nothing real complicated here. On switch two,
0:45:52	switchport access VLAN 20.
0:45:57	Switch three is also switchport access VLAN 20.
0:46:03	Then on switch four, switchport access VLAN, VLAN 10.
0:46:19	So let's see here now after spanning tree converges
0:46:24	router one should be able to ping four
0:46:27	and two should be able to ping three.
0:46:32	If we look at the spanning tree, let's say we look at switch one for example,
0:46:37	if I say show spanning tree VLAN 10
0:46:43	I want to make sure that the correct ports are forwarding so this is the
0:46:48	the access port that goes down to router one
0:46:51	is in the forwarding state
0:46:53	and then the two different trunk links
0:46:56	that are going to switch two and switch three respectively here.
0:47:16	So switch one was correct for VLAN 10. Let's make sure switch four is doing that as well. So show spanning tree VLAN 10.
0:47:27	And port four is not forwarding.
0:47:32	So this output here by looking at the spanning tree table
0:47:37	this is a good indication of whether packets can actually be forwarded out the link or frames to be more specific.
0:47:44	So here this should be listening FastEthernet zero slash four
0:47:47	which is connecting to router four.
0:47:49	So now we need to look at this in more detail. Why is VLAN 10 not forwarding on the link?
0:47:56	Okay, now let's look at the show interface status. I want to know is VLAN 10 actually assigned.
0:48:03	So show interface status. VLAN 10 is assigned
0:48:10	but it says that the interface is not connected.
0:48:18	So most likely on router four this link is probably just in the shutdown state.
0:48:24	So let's look at router four and show IP interface brief and it is shut down.
0:48:40	So as you can see the method that I'm using for troubleshooting
0:48:44	I'm not looking at the higher layer protocols first.
0:48:48	Like I'm not checking if there's an access list or some sort of routing problem.
0:48:52	You always want to make sure that the basic Layer 1 and Layer 2 status is working
0:48:56	before you complicate the issue
0:48:58	by looking at higher level configurations.
0:49:02	So I've seen lots of candidates in the past
0:49:05	that are going through troubleshooting.
0:49:07	Let's say a BGP peering is not working.
0:49:10	They'll spend half an hour trying to troubleshoot the BGP peering
0:49:14	when finally the problem ends up being there's something wrong in the frame relay map statement.
0:49:19	So the key is you want to make sure that your
0:49:22	your troubleshooting process that you're choosing the right layer
0:49:26	and then to move either up or down
0:49:29	the stack depending on what your results are.
0:49:32	So in my case the ping was not working so I know that the problem has to be Layer 3 or below.
0:49:38	So instead of checking all of the Layer 3 options I'm probably better off just checking Layer 1 and Layer 2 first.
0:49:44	Because there's less things that I could...or less variables to eliminate there
0:49:47	than all the potential Layer 3 problems.
0:49:52	So now router one should be able to reach four, which it can, and two can reach three.
0:49:59	So at this point we have full connectivity between the
0:50:03	between the hosts. So three can send traffic to two. One can send traffic to four. No problems.
0:50:10	Now let's look at what is the current state of the trunk links
0:50:16	as it compares to the
0:50:21	spanning tree. So I want to know what particular VLANs are actually forwarding on the links.
0:50:27	So let's start with this on switch three. I want to know for this port, FastEthernet zero slash thirteen,
0:50:33	what is currently forwarding there.
0:50:39	So on switch three let's look at the show interface trunk.
0:50:46	Okay, this shows me
0:50:48	four different pieces of information I want.
0:50:51	First and foremost the trunking is working.
0:50:56	It says status is trunking.
0:50:59	The encapsulation is ISL. This was negotiated from DTP.
0:51:03	Next it tells me
0:51:05	is there some sort of administrative filter
0:51:09	on what VLANs are allowed to forward out this interface.
0:51:14	So this doesn't control inbound traffic. There's no way on the switch to say what VLANs you will receive inbound.
0:51:20	So this allowed link for the trunk is for forwarding traffic out.
0:51:25	Next it says out of these possible VLANs, out of the 4094 VLANs,
0:51:31	which ones are actually active.
0:51:33	So essentially this means which VLANs are created.
0:51:37	So these five VLANs are created. We have default VLAN one
0:51:41	and then 10, 20, 30, and 40 which I configured on the VTP server.
0:51:49	Out of these five VLANs
0:51:52	which ones fall into these two different checks?
0:51:56	We need to be in the spanning tree forwarding state
0:51:59	and we need to be not pruned by VTP.
0:52:04	In this case spanning tree is running for all five of them
0:52:08	and VTP pruning is not on.
0:52:11	This output here is ultimately what is going to be forwarding over the interface.
0:52:17	If we were to look at the
0:52:20	show spanning tree interface FastEthernet zero slash thirteen,
0:52:25	this is going to show us the same output.
0:52:27	So VLANs 1, 10, 20, 30, 40 that's what's actually forwarding out the interface.
0:52:33	If I were to look at the CAM table
0:52:36	and say show MAC address table interface FastEthernet thirteen
0:52:41	we would see that MAC addresses can only exist
0:52:45	in those five VLANs so 1, 10, 20, 30, 40.
0:52:53	Now based on this particular topology
0:52:56	this is not really the most efficient design
0:53:00	because I'm forwarding a bunch of VLANs
0:53:03	so 10, 20, 30, 40 that the other switches don't really need.
0:53:10	So switch one
0:53:11	it doesn't have anybody in 30 or 40.
0:53:15	Neither do switch two or switch four.
0:53:19	So when I receive a frame
0:53:21	in those VLANs and it is either a broadcast
0:53:24	or an unknown unicast or unknown multicast
0:53:29	those three type of frames will be forwarded out this trunk link and then go everywhere in the Layer 2 network.
0:53:38	So again, three different ways we could fix this.
0:53:41	First would be just to run Layer 3 routing.
0:53:44	So that's going to cut off the broadcast domain.
0:53:48	We could manually edit the trunks or we could run VTP pruning.
0:53:56	Now if we were to enable VTP pruning here
0:54:00	what should be the results of the forwarding states of the trunks?
0:54:06	So if I go to all four of the switches and say show interface trunk
0:54:11	on a switch by switch basis what numbers should I see in the output of
0:54:16	VLANs in the spanning tree forwarding state and not pruned?
0:54:24	Well really it's going to depend on what VLANs do the other switches have locally assigned
0:54:30	or what are they in the transit path for.
0:54:34	Now switch one we know that it has VLAN ten.
0:54:38	So this means switch one is going to say to switch two
0:54:43	and to switch three, do not prune
0:54:49	ten.
0:54:52	But switch one doesn't have 20, 30, or 40.
0:54:56	So it can say to switch two
0:55:00	prune 20, 30, and 40
0:55:03	until the point that switch three says to switch one do not prune
0:55:10	twenty.
0:55:13	This tells switch one that even though I don't have twenty assigned
0:55:18	I am in the transit path for this.
0:55:20	So this means that on the request over to switch two it cannot include twenty in the pruning list.
0:55:27	So if we look at the final result of this, what we should see
0:55:30	is that switch three should be forwarding.
0:55:41	Switch three is going to forward one, ten, and twenty.
0:55:46	Switch one is going to forward one and twenty
0:55:50	out that way.
0:55:52	Out to the right it's going to forward one, ten, and twenty.
0:55:57	Switch two should forward one, ten, and twenty.
0:56:01	And then switch four should forward
0:56:05	no, switch two to switch four is going to be one and ten.
0:56:09	And switch four
0:56:16	is going to be one
0:56:25	one and ten. So let's look at the...
0:56:32	Let's look at the result of this. So on the switches
0:56:35	there's only one change that we need to make, just in global config say VTP pruning.
0:56:42	A couple of different things we can do to verify this.
0:56:46	We could show interface trunk, which what we saw before it lists what's
0:56:51	what's allowed, what is created, and then what is actually forwarding
0:56:56	or we could look at the show interface pruning.
0:56:59	So this second output here
0:57:02	or actually the third command there
0:57:05	this is going to be the most accurate way to check it
0:57:08	because it shows not only what we are sending
0:57:12	but what the neighbor is requesting.
0:57:15	And the output of the command, it gets a little bit confusing to read the way that they format it
0:57:21	but if we look at now
0:57:24	switch one
0:57:27	let's say show
0:57:32	let's just show interface trunk
0:57:34	Okay, we can see there was a change in what was forwarding.
0:57:38	Okay, so now it's not everything. It's just a subset of this.
0:57:41	And also let's look at the show interfaces pruning.
0:57:48	So switch one says there's two different fields here.
0:57:51	The first is VLANs prune for lack of request by neighbor.
0:57:55	This means outbound
0:57:58	I am not sending thirty and forty out this particular port.
0:58:08	Likewise on port sixteen, I am not sending ten, thirty, or forty.
0:58:17	On switch one towards the bottom here
0:58:20	this is what I am expecting in.
0:58:24	So I told the neighbor that is on port thirteen these are the VLANs that I need.
0:58:32	So one, ten, and twenty for both of these interfaces. If we look at the result of this on the other end of the link,
0:58:39	so if we go to switch three and say show interface trunk,
0:58:45	actually let's look at this everywhere.
0:59:01	And let's compare this to what I
0:59:04	drew in the diagram here. So switch one on port thirteen is sending one, ten, and twenty
0:59:10	which is
0:59:14	what we thought it would. Okay, then it's sending one and twenty out to switch three.
0:59:21	Switch three should be sending one, ten, and twenty; which it is.
0:59:27	Switch two should be sending likewise one, ten, and twenty
0:59:31	out to switch one
0:59:34	but it's not sending twenty this direction because switch four doesn't have it.
0:59:40	Switch four does need to send twenty in the opposite direction
0:59:44	so twenty should be there also because switch two has that assigned.
0:59:48	So you actually end up in kind of a strange case here where the trunks are unidirectional for certain VLANs.
0:59:56	Whereas when we look at the link between switch one and switch three
1:00:01	on switch three, ten is going outbound
1:00:05	but ten is not coming inbound.
1:00:11	The end result of this is going to be a more efficient
1:00:14	traffic flow when we're looking at either the broadcasts or the unknown frames
1:00:19	and the ease of administration is that all of this happens automatically.
1:00:23	So we don't need to worry about what VLANs the route or the switches have assigned or what they're in the transit path for
1:00:30	or if later down the road a new VLAN assignment happens. So if we were to go to
1:00:38	let's say switch one
1:00:42	and on switch one's port FastEthernet
1:00:46	five, we'll say switchport access VLAN forty.
1:00:53	And this is attached to router five here.
1:00:59	If we look at now the show
1:01:04	show spanning tree VLAN forty
1:01:11	the port going down to the end host, the access port right now is in the listening state.
1:01:16	Once this goes to learning and then to forwarding,
1:01:20	if we look at the show interfaces pruning
1:01:24	this output should change so we should see that VLANs
1:01:29	VLAN traffic requested of the neighbor
1:01:33	number forty should be added in here
1:01:36	because now we have forty assigned or we are in the transit path for forty.
1:01:41	Okay, which in this case we just have forty assigned which is here.
1:01:45	So we need to tell the other routers or the other switches you need to update your trunk links in order to actually forward me this traffic back
1:01:55	which it did so now forty's included.

Now Viewing

CCIE Routing & Switching Advanced Technologies Class
Title:	CCIE Routing & Switching Advanced Technologies Class
Duration:	81h 59m
The CCIE Routing & Switching Advanced Technologies Class is the first step in understanding CCIE level technologies and is a companion to the Advanced Technologies Lab Workbook. Each technology you need to know for the CCIE Routing & Switching lab will be described in detail using an instructor led hands on demonstration. The class consists of over 80 hours of in depth explanations and examples.
Get instant access to our entire library!
$159/month	Add to Cart
Download this Course
$299.00	Add to Cart

VTP, VTP Authentication, VTP Pruning

Create Bookmark