CCNA 3 CHAPTER 4: VLAN Trunking Protocol (VTP)

VLAN Trunking Protocol allows a network manager to configure one Switch so that it propagates the VLAN configuration to the other Switches in the network.

One Switch is configured as Server; it is in charge of propagating those changes to the other Switches, which are configured in Client mode (more on that later).

Benefits of VTP:

  • VLAN configuration is consistent across the network.
  • Accurate VLAN information.
  • Dynamic reporting of added VLANs across the network.
  • Dynamic trunk configuration when VLANs are added to the network.

VTP Components:

  • Domain: Consists of one or more interconnected Switches that share VLAN configuration information using advertisements; a Router or a Layer 3 Switch defines the boundary of a domain. All Switches in a domain have the same domain name.

        One of the benefits of having multiple domains is that VTP domains limit the extent to which a configuration change propagates in the network; if an error occurs, only a part of the network is affected.

  • Modes: A Switch can be configured in one of three modes: Server, Client or Transparent.
  • Server: The designated Switch that advertises the VTP information to the other Switches; it can create, delete and modify the VLANs in the domain. It stores the VLAN information in NVRAM. By default all Switches are set to Server mode.
  • Client: Cannot create, change or delete VLANs; it stores the VLAN information only while the Switch is powered on.
  • Transparent: These Switches forward the advertisements sent by the Server Switch but do not process them; they do not participate in VTP. They can create, rename and delete VLANs, but VLANs created on these Switches are local to that Switch only.

        This mode setting is saved in NVRAM, which means that when the Switch reboots it does not default back to Server mode.

  • Pruning: Increases available bandwidth by restricting flooded traffic to those trunk links that the traffic must use to reach the destination devices.

Default VTP Configuration:

  • VTP Version = 1
  • VTP Domain Name = null
  • VTP Mode = Server
  • Configuration Revision = 0
  • VLANs = 1

VTP Version: VTP has three versions: 1, 2 and 3. All Switches in a domain must have the same version.

VTP Configuration Revision Number: It is used so that a Switch knows whether the information it receives in a VTP advertisement is newer than the one it currently has stored. The revision number plays an important role in enabling VTP to distribute and synchronize VTP domain and VLAN configuration information.

VTP Advertisements

Summary Advertisements

The summary advertisement contains the VTP domain name, the current revision number, and other VTP configuration details.

Summary advertisements are sent:

  • Every 5 minutes by a VTP server or client to inform neighboring VTP-enabled switches of the current VTP configuration revision number for its VTP domain
  • Immediately after a configuration change has been made

Subset Advertisements

A subset advertisement contains VLAN information. Changes that trigger the subset advertisement include:

  • Creating or deleting a VLAN
  • Suspending or activating a VLAN
  • Changing the name of a VLAN
  • Changing the MTU of a VLAN

It may take multiple subset advertisements to fully update the VLAN information.

Request Advertisements

When a request advertisement is sent to a VTP server in the same VTP domain, the VTP server responds by sending a summary advertisement and then a subset advertisement.

Request advertisements are sent if:

  • The VTP domain name has been changed
  • The switch receives a summary advertisement with a higher configuration revision number than its own
  • A subset advertisement message is missed for some reason
  • The switch has been reset
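As an added example that is not part of these notes, here is a small Python model of the summary / request / subset exchange described above, showing how the configuration revision number (together with the domain name) decides whether a switch adopts advertised VLAN information. Switch names, the domain name and the VLAN values are constructed.

```python
# Added example (not from the CCNA notes): a minimal model of how a VTP
# switch decides whether to accept advertised VLAN information.
# Switch names, domain name, VLAN numbers and revisions are constructed.
from dataclasses import dataclass, field


@dataclass
class VtpSwitch:
    name: str
    domain: str
    mode: str                       # "server", "client" or "transparent"
    revision: int = 0               # default configuration revision
    vlans: dict = field(default_factory=lambda: {1: "default"})

    def summary_advertisement(self) -> dict:
        """Summary advertisement: domain name plus current revision number."""
        return {"domain": self.domain, "revision": self.revision}

    def subset_advertisement(self) -> dict:
        """Subset advertisement: the VLAN database itself."""
        return {"domain": self.domain, "revision": self.revision,
                "vlans": dict(self.vlans)}

    def receive_summary(self, summary: dict) -> bool:
        """True if this switch must send a request advertisement, i.e. the
        summary is for its own domain and carries a higher revision."""
        if self.mode == "transparent":
            return False            # forwards advertisements, does not use them
        if summary["domain"] != self.domain:
            return False            # another domain: ignored
        return summary["revision"] > self.revision

    def receive_subset(self, subset: dict) -> bool:
        """Adopt the advertised VLAN database only if it is newer."""
        if not self.receive_summary(subset):
            return False
        self.vlans = dict(subset["vlans"])
        self.revision = subset["revision"]
        return True


def server_change(server: VtpSwitch, vlan_id: int, name: str) -> None:
    """A server creates or renames a VLAN: the revision number increments."""
    server.vlans[vlan_id] = name
    server.revision += 1


def synchronise(sender: VtpSwitch, receiver: VtpSwitch) -> bool:
    """One VTP exchange: summary -> (request) -> subset. True if receiver updated."""
    if not receiver.receive_summary(sender.summary_advertisement()):
        return False
    # The receiver sends a request advertisement; the sender answers with a subset.
    return receiver.receive_subset(sender.subset_advertisement())
```

Because only the domain name and the revision number are compared, a previously used switch that joins the domain with a revision number higher than the server's is treated as the newer source; check its revision with show vtp status before connecting it.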

Here are the Packet Tracer files I worked with in this chapter:

CCNA3 CHAPTER 3: VLANs

A VLAN allows for multiple IP networks and subnets to exist on the same switched network.

Benefits of using VLANs:

  • Security: Different kinds of users are separated on the network; for example, guests are separated from the rest of the network.
  • Better performance: As the network is divided into different VLANs there is less unnecessary traffic on the network, which increases performance.
  • Improved IT staff efficiency: The network is easier to manage, because similar users are grouped together.

Switch ports

When a VLAN is configured, a numeric ID and optionally a name are assigned to it. Switch ports are associated with particular VLANs; a port can be configured with a membership or mode that specifies the kind of traffic it will carry and the VLAN it belongs to.

The types of VLAN membership a port can be configured with are:

  • Static VLAN: The VLAN is manually assigned to the port.
  • Dynamic VLAN: Dynamic port VLAN membership is configured using a special server called a VLAN Membership Policy Server (VMPS). With the VMPS, you assign switch ports to VLANs dynamically, based on the source MAC address of the device connected to the port. The benefit comes when you move a host from a port on one switch in the network to a port on another switch in the network: the switch dynamically assigns the new port to the proper VLAN for that host.
  • Voice VLAN: A special VLAN used to carry voice and data packets, with voice packets given priority over data packets.

What is a Trunk?

A trunk is a point-to-point link that carries the traffic of more than one VLAN; trunks allow you to extend VLANs across the entire network. It is worth mentioning that a trunk does not belong to a specific VLAN; it is just the medium between Switches and Routers.

Trunks also allow you to use a single cable to carry the VLANs instead of a dedicated cable for each VLAN.

Trunking Modes

There are two trunking protocols:

  • Inter-Switch Link (ISL): A legacy trunking protocol, meaning it is only found in legacy systems; it is still listed as an option in the Switch software configuration guide, but it is not in use.

         On an ISL trunk port, all received packets are expected to be encapsulated with an ISL header, and all transmitted packets are sent with an ISL header. Non-tagged frames received on an ISL trunk port are dropped. As I said earlier, ISL is not recommended, and a number of Cisco Switches do not even support it.

  • IEEE 802.1Q: Supports both tagged and untagged traffic. A trunk port is assigned a default PVID (port VLAN ID), and all untagged traffic travels on the port's default PVID; untagged traffic and tagged traffic with a null VLAN ID are assumed to belong to the port's default PVID.
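The PVID rule for 802.1Q just described, as an added Python example that is not part of these notes: the parser reads the 802.1Q tag from a raw Ethernet frame and places untagged frames, and tagged frames with a null (0) VLAN ID, in the port's PVID. The sample frames use constructed documentation MAC addresses and an assumed PVID.

```python
# Added example (not from the CCNA notes): classify frames arriving on an
# 802.1Q trunk port. Frames and PVID values are constructed samples.
import struct
from typing import Optional

TPID_8021Q = 0x8100   # EtherType value that announces an 802.1Q tag


def classify_frame(frame: bytes, pvid: int) -> dict:
    """Decide which VLAN a frame received on an 802.1Q trunk port belongs to.

    Untagged frames, and tagged frames whose VID field is 0 (a null VLAN ID,
    i.e. a priority-only tag), are placed in the port's default PVID.
    """
    if len(frame) < 14:
        raise ValueError("runt frame: shorter than an Ethernet header")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != TPID_8021Q:
        # No tag present: the frame travels on the PVID.
        return {"tagged": False, "vid": pvid, "pcp": 0, "ethertype": ethertype}
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, inner_type = struct.unpack("!HH", frame[14:18])
    pcp = tci >> 13          # 3-bit priority code point
    vid = tci & 0x0FFF       # 12-bit VLAN identifier
    if vid == 0:             # null VLAN ID: the tag carries priority only
        vid = pvid
    return {"tagged": True, "vid": vid, "pcp": pcp, "ethertype": inner_type}


def build_frame(vid: Optional[int], pcp: int = 0, ethertype: int = 0x0800) -> bytes:
    """Construct a sample frame (documentation MAC addresses, zeroed payload)."""
    header = bytes.fromhex("ffffffffffff") + bytes.fromhex("00005e0053aa")
    if vid is None:                       # untagged frame
        return header + struct.pack("!H", ethertype) + bytes(46)
    tci = (pcp << 13) | (vid & 0x0FFF)
    return header + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + bytes(46)
```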

Dynamic Trunking Protocol (DTP)

DTP is a Cisco proprietary protocol used to manage trunk negotiation, but only if the switch ports are configured in a mode that supports DTP. It supports both ISL and 802.1Q trunks.

Switches do not need DTP to do trunking and some Cisco Switches and Routers do not support it.

A Switch port supports a number of trunking modes; they define how the port negotiates the trunk link to be established with the port on the other Switch.

The Trunking modes are:

  • On (Default): The Switch port periodically sends DTP frames to the remote port; the local Switch port advertises to the remote port that it is dynamically changing to a trunking state, and it remains in that state regardless of the responses it gets.
  • Dynamic Auto: The Switch port periodically sends DTP frames to the remote port; the local Switch port tells the remote port that it is able to trunk but does not request to be in a trunking state. After the negotiation the local port changes to a trunking state only if the remote port is set to "On" or "Dynamic desirable".

         If both ports are set to "Auto" they do not negotiate a trunking state and remain in access mode.

  • Dynamic Desirable: DTP frames are sent periodically to the remote port. The local Switch port advertises to the remote port that it is able to trunk and asks the remote port to change to trunking; if the remote port is configured to "on", "dynamic desirable" or "auto" it will change to trunking mode. If it has been configured to "nonegotiate" or "DTP off" the port will remain in its current state and no changes will be made.
  • Turn off DTP / nonegotiate: In this mode the local port does not send DTP frames to the remote port. The local port is then considered to be in an unconditional trunking state. This feature is useful when a trunk is configured with a Switch that is not Cisco's.

Here is a short video on basic trunk configuration:

Packet tracer files:

CCNA3 CHAPTER 2: Basic Switch Concepts and Configuration

This chapter touches on concepts learned in the previous modules and brings new information about malicious threats to Switches and how to protect against them.

There are three ways in which communication can occur on a Switch:

  • Unicast: When a message is sent directly from one host to another. Some protocols that use unicast are HTTP, FTP and Telnet.
  • Broadcast: When a message is sent from one host to all hosts.
  • Multicast: When a message is sent from one host to a specific set of hosts.

There are two types of duplex settings used for communications:

Half-duplex

  • Communication can only go one way at a time, sending or receiving
  • Higher potential for collisions
  • Hub connectivity

Full-duplex

  • Communication can go in both directions at the same time
  • Attached to dedicated switched port
  • Collision free
  • Requires full-duplex support on both ends

The main reasons for network congestion are:

  • As computers get more and more powerful they can put data onto the network at higher rates, and they can also process more data at higher rates.
  • As the network grows so does network traffic
  • Software applications demand more network bandwidth

Security Attacks

Basic switch security is not enough to stop malicious attacks; some of these attacks are:

  • MAC Address Flooding: The attacker floods the switch with fake or bogus MAC addresses until the Switch's MAC address table is full; the Switch then basically acts as a hub and begins to flood all packets out every port, because it cannot find the destination MAC address in the table, and those flooded packets then reach the attacker.
  • Spoofing Attacks: The intruder spoofs the responses that would normally be sent by a valid DHCP server; the spoofing device responds to the clients' requests, offers an IP address to the host computer and sets itself as the default gateway, receiving in that way all packets sent from that station. This kind of attack is also called a man-in-the-middle attack.
  • DHCP Starvation Attack: The intruder continually requests IP addresses from the DHCP server until all leasable IP addresses are allocated, preventing real clients from connecting to the network.

Types of Telnet attacks

  • Brute force password attacks: The first phase of a brute force password attack starts with the attacker using a list of common passwords and a program designed to try to establish a Telnet session using each word in the dictionary list. In the second phase of a brute force attack, the attacker uses a program that creates sequential character combinations in an attempt to "guess" the password. Given enough time, a brute force password attack can crack almost all passwords used.
  • DoS attacks: The attacker exploits a flaw in the Telnet server software running on the switch that renders the Telnet service unavailable. This sort of attack is mostly a nuisance because it prevents an administrator from performing switch management functions.

How to protect the system against brute force password attacks

  • Change the password frequently
  • Use strong passwords
  • Limit who can communicate with the vty lines

Here are some of the Packet Tracer files I completed while studying this chapter:


Cisco Certified Network Associate (CCNA) Module 3 Chapter 1

If CCNA module 2 was all about routers and routing protocols, CCNA module 3, or CCNA3 for short, is all about Switches and integrating wireless devices into the LAN.

I will write a little summary of the chapters and then upload the Packet Tracer assignments; sometimes we meet problems, for example an assignment that cannot be completed 100%, and looking at what other people did and comparing it to yours can help in finding what went wrong or why your PT assignment is not completed.

Chapter 1 LAN Design

The hierarchical model

It involves dividing the network into 3 layers:

Access: This is the layer where end devices connect to the network; because of this, Switches at this layer need to support port security, VLANs, Fast or Gigabit Ethernet, PoE and link aggregation.

  • Port security is the first line of defense against unwanted access to the network; it lets the switch limit how many, or which specific, devices can connect to the network through a port.
  • PoE (Power over Ethernet) is used to power devices such as IP phones or cameras without the need to run a power cord, or when the physical location of the device makes it difficult to run a power cord to that place.
  • Link aggregation allows the switch to use multiple ports as if they were one, adding up their capacity.
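The MAC address flooding attack from Chapter 2 and the port security countermeasure listed here, as one added Python example that is not part of these notes: a small model of a switch MAC address table that floods unknown destinations once the table is full, and the same table with a per-port MAC limit that puts the offending port into err-disabled instead. Port names, table capacity and MAC addresses are constructed sample values.

```python
# Added example (not from the CCNA notes): a model of a switch MAC address
# table, first without and then with a port-security limit. The port names,
# table capacity and MAC addresses are constructed sample values.
class MacTable:
    def __init__(self, ports, capacity, max_per_port=None):
        self.ports = list(ports)
        self.capacity = capacity            # entries the MAC table can hold
        self.max_per_port = max_per_port    # port-security limit, None = off
        self.table = {}                     # learned MAC -> port
        self.err_disabled = set()           # ports shut down after a violation

    def learned_on(self, port):
        """Number of MAC addresses currently learned on a port."""
        return sum(1 for p in self.table.values() if p == port)

    def receive(self, in_port, src_mac, dst_mac):
        """Learn src_mac, then return the set of ports the frame is sent out."""
        if in_port in self.err_disabled:
            return set()
        if self.max_per_port is not None and src_mac not in self.table:
            if self.learned_on(in_port) >= self.max_per_port:
                # Port security violation (shutdown mode): no more learning,
                # no forwarding, the port goes err-disabled.
                self.err_disabled.add(in_port)
                return set()
        if src_mac in self.table or len(self.table) < self.capacity:
            self.table[src_mac] = in_port   # learn, or refresh an entry
        if dst_mac in self.table:
            return {self.table[dst_mac]}    # known unicast: one port only
        # Unknown destination, including hosts that could not be learned
        # because the table was filled up: flood out every other port.
        return set(self.ports) - {in_port}
```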

Distribution: This layer aggregates the data received from the devices at the access layer and transmits it to the core layer. The distribution layer controls the network traffic flow and performs routing functions between VLANs.

  • ACL, or Access Control List, allows the switch to deny certain types of traffic and permit others; ACLs also allow you to control which network devices can communicate on the network.
  • It is worth mentioning that ACL processing is a CPU-intensive task, because the Switch needs to inspect every packet and check whether it matches one of the ACL rules defined on the switch.
  • Layer 3 support is required at this layer because of the advanced security policies that can be applied to network traffic.

Core: The backbone of the network; its function is critical, therefore the core layer has to be highly available and redundant. This redundancy is achieved with redundant links and redundant components, such as hot-swappable fans and power supplies, so there is no downtime during maintenance.

Here are the Packet Tracer assignments for Chapter 1: