So we've got the concepts, we understand what VLANs are as well
as some scenarios where we might use them. Now, let's talk about how to configure them.
In no particular order, we're going through configuring trunking, the VLAN trunking protocol,
which is not actually a trunking protocol, and we'll look at configuring VLANs.
There are two different scenarios I want to show you.
This first one is kind of the simpler one, which is a single switch configuration of VLANs,
and then I want to expand on it. I want to kind of naturally grow as we move
into a multi-switch scenario and that's where we're going
to get into the trunking and VTP and all that. But starting off simple, on a single switch,
all we need to do is create the VLANs and assign the devices.
Now I want to make sure of this: it's so easy when you get into Cisco to get lost in the commands,
but then when you kind of come out of it, you're like, "Okay,
so I've got the commands," and you kind of miss it. You're like, "Okay, what did I use those for
again?" You know, it's like the concept and the commands
get disconnected. So what we're doing here is creating VLANs
to separate devices. It could be we've got sales and marketing
over here. It could be that we have a server farm over
here and we've got our normal users over here. I mean there's all kinds of different scenarios.
Let me give you just one. I thought of this as a great common example
of where VLANs can be used to actually save a lot of money.
So, and I'll also put some disclaimers on this at the end.
But a common way to setup your internet connection is to put two routers on the outside
of your network that connects to the service provider.
So, let's say your service provider, let's just give it a name, is AT&T up here
and so we have redundant routers. So that way if one goes down, we have a backup
over the other so you've got this redundant router setup
and those redundant routers connect to a switch. And then that switch connects to yet another
layer called the firewall. So I'll put router, router, firewall, firewall
on here. So think of this as like the second layer
of protection. These guys catch the big attacks that come
in but they're really routers. They're not meant to do too much security
but these guys are really the screeners. They're the ones that are like, okay if you
don't belong here, you're not getting in, that's the firewall.
And then we come back here to our internal switches or core switches.
And oftentimes, depending on the kind of internet connection,
we'll even have some switches on the outside like AT&T would plug into these switches.
And what that allows us to do is actually, I mean, if we were to look
at all the physical cabling, we would have-- let me add a different color here,
we'd have redundant connections like this. So that way, if any one switch went down,
if any one router went down, no matter what, we always had kind of a way that we can get
there, right? So you kind of-- that's the scenario.
Now the problem with-- I shouldn't say problem but challenge
that some companies experience is Cisco switches are not cheap.
And when you look at buying this, you're like okay 1, 2, 3, 4, 5, I mean, it's kind of like,
1000, 2000, 3000, 4000 I mean, you just start adding up the thousands of dollars
that this kind of design works on. But one of the ways that you can use VLANs
and again, I'll disclaimer this but this is-- I've done this a lot to where you actually
have one switch-- no, we'll just say two switches here for the
redundancy. And I say, "Okay, these ports 1 through 4
are in VLAN 10, ports, let's do, 5 through 8 are in VLAN 20."
And VLAN 10 will be-- we'll call it the outside, VLAN 20 will be what we call the DMZ VLAN,
and then we'll have a VLAN 30. I'm just making sure I got enough ports here.
VLAN 30, which-- that's 9 through, we'll just say 24 if it's a 24-port switch.
VLAN 30, which is our inside. So what you could do is actually have-- now
the diagram is the same. We've got kind of the outside routers connected
to switches which connect to the-- you know AT&T network, right?
And then coming in here to what we would technically call the DMZ,
demilitarized zone, that goes between the routers and the firewalls, and the firewalls connecting
to the switches on the inside of the network. Well, that-- still the same logical diagram
that connects everything together, you got all the redundant ports and all that
kind of stuff. But what happens is I'm actually taking like
these guys if I were to look at the physical connection.
Essentially, let's just say this is Fast Ethernet 0/0,
Fast Ethernet 0/0 on router 1 and router 2, right?
So I would have AT&T coming in to ports 1 and 2, router 1 going in here, router 2 going
in here on their Fast Ethernet 0/0 port and then we
get into the DMZ. We go, "Okay, well right here, I'm plugging
in router 1 on, let's just say this is Fast Ethernet 0/1
or something like that." You see what I'm doing here, so Fast Ethernet
0/1. I don't think I gave myself enough ports but
you kind of get the idea, router 2 Fast Ethernet 0/1 goes right here
and then we have our firewalls, firewall 1 and firewall 2, that plug-in right here.
And then inside of here, this is where our inside interface is.
You know, that would be this side right here, our inside interface, or rather.
So what we're doing is we're taking one switch and we're actually using it
to function as three separate switches. Now, we've got two for redundancy in case
something goes down but we save thousands of dollars by doing
that. Now, let me add the disclaimer to that.
If you have a security auditor come into your network, well,
it depends how much they know about networking. Some security auditors will be like, "No way
dude, you've got the outside world plugging into the same switch as the DMZ as the inside.
No way, that is going to be a security violation. You can't do that because it's scary because
you have all of these things plugged into the same switch."
Well, typically those are the security auditors that maybe don't know that much about VLANs.
Not saying all of them don't but some don't. And they've read in a book somewhere that
you shouldn't do that and I would say in a purest model, I would agree.
You know, if you've got thousands to spend and you can drop switches everywhere,
then sure, I would much rather do that. But a lot of times, networks don't.
Security auditors that know a lot about VLANs will look at this and they'll say,
I am not the most comfortable with it but let me look at your config.
Let me make sure that you've set your VLANs up the right way.
And if you have, they'll be like okay then you're good.
Yeah, I mean it's false. Now, I'm not going to tell you which security
auditor you're going to get if they ever do audit your network.
But I will say that's one of the things that you can use VLANs for.
I mean that's just, you know, I should have put that on the practical examples
but that's a tough one, that's a mind bender if you haven't really seen it before,
the words like, how did that work? So just keep the practical in mind, practical
examples as we start this configuration. So it doesn't just become a series of commands
that you are typing. Okay, so let's go into the configuration.
I'm going to bring up my switch, sitting here in user mode,
let's get into privileged mode, enable. And let's first off get our bearings, like
what's going on in this switch. I'm going to do a show VLAN.
Well, actually before I even do that, I'll do my favorite command, show IP interface
brief. So I type that in, I see okay, this is the
switch we've been using the entire time. VLAN1 is given the IP address 10.1.1.10.
Okay, good, good, got that. We've got the only port that is currently
operational, looks like Fast Ethernet 0/8-- I've got one more, Fast Ethernet 0/18.
But I'm also looking down, I got a laptop that I just plugged in there to Fast Ethernet
0/24. So, two ports that are up in this environment.
Now, let me add one more show command to your library.
I'm going to type in the command show VLAN. Now, some people will-- if you look at documentation,
a lot of times you'll see people type it all the time, show VLAN brief.
That's fine. I mean it's-- let me show you the difference.
So I do a show VLAN and it shows you kind of, you know, all the VLANs that exist,
so you've got these extraneous VLANs down here and then if you have remote span VLAN,
we're not even going to get in that. I mean just kind of a little more information.
If I do a show VLAN brief, you can see it kind of cuts off.
I mean it's not that big a deal but it cuts off these extraneous VLANs or this extra information
down at the bottom giving you kind of a little more detailed about information
about what those VLANs are all about. Really, all we care about I will say is the
output of show VLAN brief, so whatever, you know, whatever command you like to use.
So what we see from this output is that we have currently on the switch one VLAN.
And all of the ports are a member of that. Now, you might be saying, "Well, no Jeremy,
it's five VLANs because I see 1002, 3, 4." These are actually-- you can see that this
status is active. This one is active and unsupported.
The only reason that they're there is because somebody created the VLAN standard
many moons ago, I mean FDDI network, this was kind of one of the original fiber
optic networks, I mean token ring networks. It's like hello, we're back in years beyond,
you know, at that point. These were common place when VLANs were first
envisioned and created. And so the standard said, "You got to have
these VLANs for those things." So Cisco being like, "Well, we got to follow
the standard." You've got these VLANs that are on just about
every switch that really aren't used at all. So right now, we have one real VLAN we'll
say that exist and all the ports are a member of it.
So how do you set up more? First off, move to the global configuration
mode. Now, VLANs affect the switch as a whole.
So we do it from here. We type in VLAN followed by and I'll put the
question mark, and we type in what VLAN number we would like
to create. So I will say VLAN 50, how about we start
there, VLAN 50. Now, it takes me into a VLAN configuration
mode, not that much I can do from here. I mean I'll say there's one main thing that
I do and that is going to be changing the name of the VLAN.
You can see it right there in the list, asking name.
It's always good to name them because let me show you.
If I do a show VLAN-- you have to actually exit out to apply the VLAN configuration.
But you can see that it names it. The name of this is VLAN 0050.
Not too descriptive when you're trying to figure out what exactly that VLAN is.
So go back in there and I'll type in name and let's just do sales.
Any time I type names in Cisco, I like doing it in all capitals
because when I'm doing a show run, it stands out to me more.
I'm like, look, right there. That something I type in.
Or like when I do an interface description, if I go under an interface,
I do interface Fast Ethernet 0/1, I say description and I'll put on my caps lock key,
UPLINK TO AT&T ROUTER or something like that. That way when I do a show run interface, you
know, I see all the output. Immediately, I kept my eyes just kind of draw
to that. I'm like okay, that's what the description
is. So I now have my first VLAN.
Let me do a show VLAN brief and I've got VLAN 50 is sales, we've named it and it's that
easy. I mean we can go in there.
We can type in VLAN 100. Name, servers.
Now, I'm jumping VLAN by the 50's. That's not normal.
Usually people will say, okay, VLAN 10, VLAN 11, 12, 13.
But you can create any VLAN number you'd like between 1 and 4,096,
so I can do that show VLAN brief. I now see two VLANs are created.
Now I've created them but they're not doing anything.
They're just there. They're in the running config.
I actually have to assign ports to them before they are active.
You can see step 3 up there on the screen. Now, right now let me get resituated here.
I'll do a show IP interface brief. Right now, I have port Fast Ethernet 0/17.
This guy right here. Oh wait, no 18, 18 is connected to my PC,
the one that I'm sitting in front of right now.
Now this PC happens to have on that interface the IP address 10.1.1.100.
And what I want to show-- my mouse is just jumping all over.
I think Cisco is all typing. I'm going to type in ping 10.1.1.10-T.
-T says just keep on pinging. Ping till the cows come home.
That's not the output I'd like to see. Okay, there we go.
The first thing sometimes just dies. So, we're pinging away and by the way, if
you highlight something, it stops so just hit the enter key.
So it's just pinging along, life is good. Because this guy, why, this guy, Fast Ethernet
0/18 is in VLAN 1 and I want to really emphasize this point.
Remember, when I say my ports are all in VLAN 1, I'm talking about a layer 2 concept.
They're like within this switch. This is kind of a-- layer 2 has nothing to
do with IP addresses or anything like that. But when I go into my switch and I type in
interface VLAN 1, now I'm configuring a layer 3 interface for
that VLAN. So in a nutshell, when you assign a port to
VLAN 1, it's going to be able to reach this interface
VLAN 1. That's how it's created.
Let me show that to you 'cause that, I know that can be one of those concepts.
It's like what, say that again. So when I see VLAN 1 right here, this is the
management interface of the switch and it's reachable by anybody in VLAN 1.
Now, let me show you this. I can also type in VLAN 1.
Now, what's the difference? I type in VLAN 1, that's moving into the configuration
mode for this one, layer 2 VLAN. Come back here, exit out.
Interface VLAN 1, I'm in the-- notice, one mode is a VLAN mode.
That's kind of the layer 2, that's where I can name VLANs and name VLANs.
I mean that's about the only thing that you do from there.
But interface VLAN 1 is where I'm into the layer 3 interface.
I always draw it like this when I'm drawing a switch, the little kind of sheep stuff.
That's where I go in and say, "Okay, the IP address on that VLAN interface is 10.1.1.10."
So any computer that's in VLAN 1 will be able to reach that.
Now, let me prove that to you. I'm going to go into the switch and I've got
this ping continually going. We can't really see too much movement other
than that little two milliseconds moving beyond because it's all really fast.
So I'm going to exit out here and I'm going to go into interface Fast Ethernet 0/18.
Let's just put a description on there and we'll say this JEREMY'S PC.
And now, I'm going to-- I'm going to actually put that port into VLAN 50.
Here's how I do it. switchport access vlan 50, enter.
I've now moved that port out of VLAN 1 and into VLAN 50 and I am totally flabbergasted
that this ping is continuing on right on that way.
Let me make sure that was indeed the right port.
And I got this guy coming in. Oh, that's not my PC.
Sorry, Fast Ethernet 0/18 up arrow, description, JEREMY'S LAPTOP.
Okay, let's [inaudible] EXIT. Interface Fast Ethernet 0/24, there we go.
Description, JEREMY'S PC. That's the right port.
Okay. Now, let's keep that ping going. We've got 2-millisecond you can see it up
there. I'm going to hit the up arrow and I'm going
to throw this one into VLAN 50 as well. Now, you notice my little 2 milliseconds,
it stopped moving. Why? Because I just moved my port into a different
VLAN. And, it's saying, "Hey, you're down."
You know, that this-- we can no longer connect to that.
Notice right here, VLAN 1 just went down as well.
Wow. That-- that's actually a really valuable concept to see but let me exit it out
and explain a little bit more before we get there.
I'm going to do a show VLAN brief, okay? And I can see now that both 18 and 24 have
moved over to VLAN 50. Now, you remember?
Wait, hang on. Let me grab my pen.
You remember that I have the management interface on here, VLAN 1.
Well, I just have a PC on 24 and a laptop on 18.
Here's my little laptop. And I just moved those guys into VLAN 50.
So what this switch is saying is okay, you're speaking on a totally different fabric,
a totally different layer 2 network. Then my management interface is on, you can't
reach it. Now here's the interesting thing.
This little status message right there is very interesting.
Let me do a show IP interface brief-- show IP interface brief.
And I noticed that VLAN 1, look at the status. Look at the status.
It says VLAN 1 has this IP address, it's up as in physically,
if I can say that about a logical interface. It's kind of there like it supposed to be
up like it's ready to run but the protocol, meaning layer 2, its communication is actually
down. Why is that?
Well there is a rule that Cisco has for VLAN interfaces.
They say if you have a VLAN interface but there's no active ports in that VLAN,
this interface will turn itself off. It will go down because it's kind of like,
well, I've got a VLAN 1 interface but there's no one here in VLAN 1.
I'm looking on at this vast terrain and I see nothing.
So, there's no point for me to even waste resources by running this VLAN 1 interface
because there's nothing out there to use it. There's nobody there.
Now let me show you this. I'm going to take a cable.
I'm going to move my laptop from port 18 to port-- I'm guessing that's 20?
Switch is upside down. So, I took it out of 18, right?
And I plugged it in to 20. So, I see Fast Ethernet 20, just got changed
up but wait, wait, hold it, hold it, watch it, it's coming, please.
It will get there, hang on. Wait, 'cause VLAN 20, let me add explanation
while this Cisco switch is thinking, show VLAN brief.
V-- Fast Ethernet 0/20 is in VLAN 1 and what's going to happen is as soon
as this Cisco switch gets off its rear and starts doing--
there it go-- get-- starts doing something. It's going to be like, "Oh, hey.
My VLAN 1 interface should go up and thank you Cisco switch
for bailing me out right there [inaudible]." Maybe-- maybe this is broken.
So, VLAN 1 has now gone up because it says, "Now, I've got an active interface.
Something is in the VLAN 1 network. So, now I can respond to that again."
Now, let me show you something else. Now this-- this is going to be-- this is a
bit-- a bit beyond. You know, my keyboard is just doing some funny
things, hang on. Hang on one second.
Wow, I actually had to exit the whole terminal programs.
Something odd happened. So I'm going to go in and do a show IP interface
brief again. So I see VLAN 1 is active and I want to show
you something. This is actually a little bit beyond but I
think you guys will catch it. Watch this.
I'm going to go in and I'm going to-- well, first off, remember we did, I do a show
VLAN brief, right? We created VLAN 50.
How did we do that? VLAN 50. How is it?
In it-- it's created. We named it then and that-- so that-- remember
VLAN 50 is the layer 2 VLAN. Here we go.
I'm going to type in interface VLAN 50. I've created a new interface that something
in VLAN 50 is able to access. Now, let me write something on the board here.
You remember, VLANs are a network. So, I'm going to-- I'm going to write a bold
statement on the board right now. VLANs equals an IP SUBNET equals a BROADCAST
DOMAIN. As in those are one in the same all across
the board. Like when you create a new VLAN, you have
to create a new IP subnet. We're going to talk about subnetting later.
But just think of it like a new network. Like if VLAN 1 is 10.1.1.0/24, which it is
right now, then VLAN 50 can't be 10.1.1.0. It's a different network.
So, I would have to come up with maybe 10.1.50.0. That would be a different network.
Oh, I missed my dot there. Because remember, /24 is a subnet mask of
255.255.255.0, trying to squeeze it in. So, that would mean that these first three
octets represent the network. So, that's a totally different network, right?
10.1.50. So we have to create for VLAN 50 a new network equals the broadcast domains.
That means the VLANs on 50 stay on VLAN 50. VLANs on 1 stay on 1.
So-- so when I come back here, I can go into VLAN 50 which--
let me do a show IP-- not show VLAN brief. Show IP interface brief and we now see this
fancy new interface that has appeared. It's virtual.
We just created it out of the blue. Call VLAN 50 but it doesn't have an IP address
yet. I have to give it one.
So, I'm going to go in there and I'm in interface VLAN 50 right now.
Do IP address 10.1.50.-- nah, let's stay consistent, 10, 255.255.255.0, bam.
I've added that in. And now, we have this IP address on this VLAN
50 interface. So, now-- now my computer is broken because
the problem is it's still in the old network. We do an ipconfig and my computer is still
in 10.1.1, but I've moved it to VLAN 50. So this-- this is that VLAN 1 network.
This is not the VLAN 50 network. You follow?
You follow what I'm doing here? So I'm going to go in, bust out Control Panel.
Well, network status and check task, go to the adaptor setting
at my Apple USB Ethernet adaptor. I'm not going to change it.
I'm going to put him on the 10.1.50 network. So now, he's 10.1.50.100.
Close this guy down. Let's hit the up arrow, make sure everything
is good. Going up, 10.1.50.100.
So question, can I ping 10.1.50.10? And so you we're like, "Yes!"
Some of you like, "Maybe." Some, no, so there's-- I feel the mix of answers.
"Yes, I will be." 10.1.50.10, come on, get me that-- get me
passed that first little request time out. Oh, there we go.
Because now, it's saying you are now in this zone, right?
Essentially, I've created this little separation to where I've got this guy, which is my laptop
and VLAN 1, this guy-- I need a-- I got to have a new color of that, right?
This guy is in my PC, at my desktop which is in VLAN 50.
And I have two of those little routing interfaces, VLAN 1?
IP address 10.1.1.10 and VLAN 50, 10.1.1.50. Can I tell you something?
In that single switch demonstration where all I did was create couple VLANS,
created a VLAN interface, right? I've actually shown you-- I'm going to expand
on this later. I've actually shown you how to setup a layer
3 switch. Seriously, that's a CCNP concept right there.
That's like beyond, beyond, beyond. That what we've just done right there is setup
a layer 3 switch because this is a 3550. It actually has--
you can't see that, but it's a 3550. It actually has routing capabilities within it.
And what I can do, okay now-- forgive me if I'm going beyond and you're like I'm not hanging
with you, that's fine, fast forward, please. But for those that are, hang with me, I'm
going to point this guy. I can actually point this is guy which is
10.1.50.100. You know this is the zero network.
I can't point him to that as his default gateway. So, this computer is like, okay, where do
I go to get off my 10.1.50 network? How do I get there?
I'm going to look at my default gateway which is pointed to this guy who has routing capabilities
and this guy can now actually start routing him to other VLANs.
Maybe this guy has a connection to the internet. I mean, there's all kinds of possibilities.
Can you tell I'm kind of psyched about this? So VLANs on a single switch, I-- you know,
I probably did within the first two minutes of this demonstration but just to show how
it was working to create those VLAN interfaces there, that
actually created a layer 3 switch for us. But we'll save the complete configuration
of that till later. I'm doing that because I totally have one
of those feelings right now that somebody is watching and they're like, "Dude,
can't you just show me how to configure a VLAN
without going ballistic on me and busting out layer 3 switches?"
Yup, yup, yup, I totally, totally get that. So here's what I want to do.
I want to take now-- take us now into a multiple switch configuration and I want
to do it all over again with multiple switches kind of from scratch so we can see--
you can see the base level and just build upon, I think this will be really good.
The reason why is because, first off, we've got CBT Switch
that we've been configuring all this time. I'm going to rename that guy.
He's going to become CBTSWITCH1. And then down here, we've got our new friend
which doesn't have a name at all right now because he has no configuration.
So, I'm going to do-- I'm going to call him CBTSWITCH2 and I think this is going
to be really good because he has no configuration. It will give us a chance to do a flyby review
of essentially the base configuration of the switch
and then add the VLANs on top of it all in one place.
So, I just plugged in CBTSWITCH2. It's powering up.
Let's-- meanwhile, let's go into CBTSwitch which will now become hostname CBTSwitch1.
And I'm going to do-- let's do-- I'm going to do a few commands here.
I'm going to do no VLAN 50. No VLAN 100.
I mean I'm blowing away everything that we just did.
Okay, so I've eliminated those VLANs. Let's see what else we got.
Let's do a VTP mode transparent. I'll explain what I'm doing in just a moment.
VTP mode transparent, VTP domain and let's just call it NULL for now.
Okay, ignore-- ignore the pieces that I've put in place there.
Okay. So, I've now got this switch which-- let me do a show VLAN-- is now back to the way
it was. We just have VLAN 1 right there.
We've got our interfaces. We've got Fast Ethernet.
Notice one thing. Where is Fast Ethernet 0/18?
Missing. Where's Fast Ethernet 0/20? Missing. Because they, if I look at the switch,
they are amber, they are broken. Because if I do a show run interface Fast
Ethernet 0/-- let's go 24. Notice, this guy is still assigned to VLAN
50 and I just blew VLAN 50 away. That's a symptom I showed you last nugget
of what VTP can do by eliminating all of your-- all of your VLANs.
So-- we'll fix that but for now, let's jump over to our new friend CBTSwitch2, moving
my console cable. Okay, good.
So this guy is brand new, just moved my console cable over to him.
So, let's do a flyby base configuration. I think this would be a great test.
So, first off, privileged mode, global config. Hostname, CBTSwitch2.
Now, let's go under the console port, line console zero.
Let's do a password, cisco. Require logins to the port.
Let's also add in there, logging synchronous. So that those console messages don't interrupt
what I'm typing. And I'll also do a no exec-timeout to keep
it from kicking me off when I'm sitting here for five minutes.
Not something good to do in production 'cause you want to keep that port secure.
And I will do enable secret, protect our privileged mode by doing enable secret cisco.
So now I'm requiring the password of cisco to get in there.
Let's see what else. Let's put a log on banner.
Logon-- or rather, banner motd, and we'll do-- let's just do ampersand.
Ampersand and we'll say asterisk, asterisks, asterisk, Welcome!
Just like it. Don't login, asterisk, asterisk.
I don't think that will stand up in court but nonetheless, we'll add it in there asterisk,
asterisk, asterisk and we'll put an ampersand there so it knows I'm done.
Hit the enter key. I've got my logon banner configured, okay.
Okay, we've got to do-- we've got VLAN 1 port right there,
which I'll do interface VLAN 1 and power that guy on.
Let's do a no shutdown. And do-- give it the IP address 10.1.1.11
because I don't want to conflict with the other switch, 255.255.255.0.
Now, something-- something-- just going along with what we just saw
in the single switch config, if I do that show IP interface brief, you notice it's
staying down. Now why is that?
Because this switch has no active ports. Now, I do have these guys connected.
This guy is connected on Fast Ethernet 0/1 on both sides.
But if you remember, I shut down the interfaces I wasn't using.
The first, I think, was like 12 interfaces. I shut them down on that switch in one of
the nuggets, and it's actually the best practice
to keep them shut down while you do all this configuration 'cause some
of the commands we're going to type in are going to make that interface go up and down,
and up and down, and up and down. So, we've got to shut down so that's good.
So, we've got enable secret. We've got everything-- everything should be
good. That's a good base configuration.
Actually, we forgot the most important command, save.
So now, we've got our config-- or well, official-- officially supported Cisco command,
copy, run, start, and now we are saved. Okay, so with that in place, we can now get
in-- again, we were going from scratch starting
off with VTP. Now-- right now, I'm going to do a show VTP
status on the switch. That's-- when we're dealing with VTP, that's
probably the command that you want to know. Show VTP status.
We can see that out of the box, this guy is a server.
That's running VTP version 1, which is fine. Version 2, by the way, adds support for token
ring. So, if you're running to the new feature set,
that's the [inaudible] you're going to get in version 2.
Here are some other minor things but nothing big.
Oh, this is something worth knowing. VTP, so if you run VTP, how many-- we'll first.
How many VLAN numbers total are supported. Anyone remember?
You? Yes? 4096 total VLAN numbers. Well, if you use VTP, you're going to be limited
to an initial set of-- I think-- it's somewhere-- it's-- well, let me show
you this. We do a show VLAN brief.
You will be limited to up to 1002. Essentially, VTP does not support VLAN numbers
higher than 1005, which in these guys, you can't use it all.
So, 1001 and below are-- would be what you are able to use.
So, that is another limitation of VTP. Now, if you convert over to transparent mode
which you remember disables VTP then you're good.
But let's start off. Okay, so we're going to do-- try to think.
Should we-- we should-- why do we do this. I'm going to jump back over to CBTSwitch1
and let's start our configuration over there. I'm going to do a show VTP status on that
side. We're currently-- I just kind of reset everything.
I set VTP operating mode transparent, which disabled VTP, and set the domain to NULL.
The reason I did that is I wanted to make sure I zeroed out the configuration revision.
So, that we are not-- you know, get-- getting this strange configuration revisions
where something just suddenly starts replicating. We don't know what happen and all that.
I also want to mention that when you bring up a Cisco switch,
I don't think you'll see this documented. Like when we look at CBTSwitch2, CBTSwitch2,
you notice that VTP domain name is nothing. That is what Cisco officially calls NULL.
Now, I typed in-- I typed in NULL as the domain name but that's the actual name.
Cisco officially calls a blank domain name a NULL and this is kind of--
I don't want to say dangerous but something to be aware of.
When you pull a Cisco switch out that has no configuration for VTP like this guy,
the very first VTP advertisement that he receives, he will accept
and automatically join that domain. So, what that means is somebody can bring
in a brand. If you're not careful and somebody can negotiate
a trunk port with you, which we're going to stop
that in just a second, negotiate a trunk port with you.
And they bring in a brand new switch with no configuration, VTP will say, "Hey,
we're part of the domain name," let's just call it CBTNuggets as our domain name.
So I'm part of the CBTNuggets domain name and it replicates.
Now, if the switch has no domain name, it will automatically join whatever the first
domain name is that it hears. So, [inaudible]-- it'll say, "Okay, well great.
I'll be part of the CBTNuggets domain." And I will automatically download, if I could
spell. I can automatically download all of the VLANs
that you have and put them on my switch. Hello. Yikes.
Cisco did it that way so that you could pull new switches out of the box
and kind of have them plug and play. You just plug them in and poof, they negotiate,
they get the VLANs, they get all of that kind of stuff.
But if this is a malicious person with their switch in a cubicle,
that means they can also now add VLANs, delete VLANs, modify VLANs, do everything,
and it replicates back up here and pretty much destroys your network.
Not good. So, the key that we want to prevent is this.
This-- by the way, in VLAN security, absolutely, the number one key for all VLAN security--
I would say, if you want the most important security aspect of VLANs, this is it.
Make sure you hard code your trunk ports, hard code.
And you disable that dynamic mode, that forsaken dynamic mode, that is on a Cisco switch.
Remember this when we do a show-- let's do a show run interface Fast Ethernet
0/-- let's just do 5. Every port out of the box on a Cisco switch is switchport
mode dynamic desirable and now we can start getting an understanding
saying dynamic. Meaning I can be an access port which connects
to PCs or I can be a trunk port but I really desire to be a trunk.
No, you don't. I'm going in to interface range, Fast Ethernet
0/1 through 24. Every port that's on this switch and I'm doing
switch port mode access, done. Get that dynamic desirable mode out of there.
That is a huge security vulnerability because anybody can negotiate a trunk.
Anybody could join your VTP domain. It's not good.
So, then I go back and start configuring the trunk ports one by one.
So let me back up. So first off, configure the VTP domain or VTP
name and mode. Here's how you do it.
VTP domain and then whatever the name is. When-- I came up with CBTNuggets.
Key point to be aware of, this is case sensitive. So, if I use capital CBTN, I have to do that
on the other side, otherwise they won't replicate. So, I've-- I've changed my domain name over
and I'm going to type in VTP mode and we'll put server.
Now that's the default, I just kind of back it out to transparent and back to server so
I can-- I kind of reset the configuration revision.
Now, step 2, I'm going to configure my trunk ports.
My trunk is on interface Fast Ethernet 0/1. Remember, that is what is connected right
here to the other side. So, I'm going to go into-- I'm on CBTSwitch1.
I'm going to do switchport-- well the actual command is switchport mode trunk.
Remember this? These are the-- I would say the three major
modes: access, dynamic, trunk. We always want to use either access or trunk.
Don't even worry about this one. That's away down the road.
Access and trunk are the two that we use. Now, I'm going to get an error when I do this
because this is an older switch-- oh, wait a sec 'cause I did the command previously.
So, there's actually-- let me go under an interface I haven't played with before.
I'll do interface 0/2 and do switchport mode trunk and this was the error that I expected.
An interface whose trunk encapsulation is auto cannot be configured as trunk mode.
When I-- when I was just playing around before I started this recording,
I went in and tested a few commands to make sure that that they worked right.
One of them, let me go back under interface Fast Ethernet 0/1,
is the command switchport trunk encapsulation and I get to pick.
Now, newer switches do not support that command at all because
they have completely eliminated this protocol from the mix.
Remember, that was the proprietary Cisco trunking protocol
from way back in yesteryear that is gone. We now only use dot1q.
So, older switches will support both. Newer switches probably will not even see
this trunk encapsulation. So you can on newer switches, just type in
switchport mode trunk and you're on the way. So, I've got CBTSwitch1, I've got the VTP
domain name and mode. I've got the trunk port.
Now, let's add some VLANs back into the mix. So, I'm going to go exit out of here.
Let's do-- let's do VLAN 50 'cause I blew them away, right?
VLAN 50 and we'll do name SALES, exit out, VLAN 100 and we'll do name SERVERS, right?
It's what I did before. And the reason I'm recreating them now is
because now I'm in VTP server mode. And when I type in a show VTP status, look
at what's happening. Every VLAN I'm creating is incrementing my
configuration revision. Remember how this-- from the last nugget how
these guys stay in sync? These guys like, "Hey, I'm Rev-- I'm Rev 2."
This guy is going to say, "Well, I'm REV 0," when he comes up.
So, you beat me and I'll replace my VLAN database with your VLAN database.
So, that-- that's what I'm doing as I'm bringing those up.
Now, it's saying, okay, VLAN 50-- interface VLAN 50 changed
up because it was some active ports in there and that's good.
So, we're starting to see our switch come back to life.
Let's do a show VLAN brief. And you see those ports that are assigned
there now showing up again. Those were the ports that are assigned that
were umber a moment ago because I deleted all the VLANs out of the
show. So, we've got now-- okay, VLANs are configured.
We've named the VLANs and on this switch anyway, we've assigned the ports to VLAN.
All right, so now, hang on before we do all this, I'm going to click over to this switch,
CBTSwitch2 and do a show VTP status. He is still zeroed out and has no domain name
because remember, I have this port shut down. I do a show IP interface brief and I have
the link down between CBTSwitch1 and CBTSwitch2. So, let's see what happens when I bring it
up. Click back over, CBTSwitch1, show IP interface
brief. I can see Fast Ethernet 0/1 is indeed shutdown.
No shutdown. All right, we're bringing that port up and
as I mentioned, it's best to keep it shut down when you're doing this configuration
'cause configuring the trunk port, you're entering switchport mode trunk, switchport
trunk encapsulation at it and all of that stuff actually causes the
port to go up and down, up and down. And if you've got a monitoring system, it will
start going nuts on you, saying, "Oh, your interfaces are going down."
So, I'm going to back out. I'm going to do that command now that I haven't
talked about but we're going to use a lot, show cdp neighbors, which shows you what directly
connected Cisco devices you have and I'm now seeing.
CBTSwitch1 sees CBTSwitch2 out its local interface Fast Ethernet 0/1.
So, I'm like, okay, it's online, it's good. So now, let's hop back over.
We'll actually and I mean, I have to bend over anymore and-- oops.
Get my console port. I'm going to try and ping.
Let's do a show IP interface brief. Let's see if I can ping him on the other side.
Remember we gave him the IP address 10.1.1.11 and there we go.
We've got success. When you do pings, exclamation points are
good things, dots are drops. So, we drop the first one and continue down
from there. So now, I can actually type in telnet, this
is from CBTSwitch1, 10.1.1.11. Oh, my goodness.
Did I forget that from the base configuration? That's horrible.
See that's what happens when you do a base configuration.
Well no, no. Actually, I did this on purpose to demonstrate
a point. Remember where I told you way back in the
beginning, I said, if you don't set a port-- a password on your VTY ports then you're going
to get the message password required but none set and that's because I'm going--
I've jumped back over there. I'm going to do a show run begin with line--
begin with line and I'll on here, there's my VTY lines.
They're requiring a login. I did it on the console port.
I forgot to do it on the VTY. They're requiring a login but I didn't set
a password. Now, see, I just fully-- I completely did
that on purpose to demonstrate-- yeah, all right.
Whatever, you get it. So, I'm going to type in password cisco.
We've now assigned that. And you know that I've started, of course
I want to do it now. I'm going to jump back over the CBTSwitch1
and let's telnet over 10.1.1. There we go.
Now, it's asking for password. Cisco enable cisco.
Good. Now, I'm on CBTSwitch2. So now, I can do a show VTP status.
Let's see what's going on over here. Check it out.
Previously, this guy was nothing, right? Previously, let's scroll back.
I didn't do anything to this guy. You know, behind the scene.
I'm live with you the whole time. Previously, we did a show VTP status, right?
He was blanked out. There was nothing there.
We went back over to-- so we did show IP interface brief,
showed that the interface is down. We went back over to switch1.
Did the configuration and/or actually just powered up that port.
That's all we did. And then all of a sudden, poof, this guy has
now this domain. That's what I was telling you.
It will accept the very first domain name that it hears about and accept all the VLANs.
So, let's verify. Let's do a show VLAN brief and I can see that
VTP has done its job. VLAN 50, VLAN 100 are now over there and this
guy is a server as well, remember? Show VTP status, I can see he's a server as
well. So, we can even test to go in the other--
we can test to go in the other way. So, I'm going to go into global config.
Watch this. I'll create VLAN 150.
Let's name it the TECH department. Control Z. So now-- now I've got this and
if VTP is working right, right? I just went to the switch 2 and it's now a
config rev 3, show VTP or show VLAN brief. I see the TECH group over there.
Let's exit out from this telnet session and back over on switch 1
and I'll do a show VLAN over here. Seeing it?
VTP is doing its job. It's replicating the VLANs between each other.
Now, all I would have to do is add whatever ports I wanted to, to those specific VLANS.
All right, last thing I wanted to show you before we wrap up is-- remember we are saying--
I said you can only create up to VLAN-- what I said, like a two thou-- 1002 if you're
running VTP. Let me first off prove that to you.
Let me go in and let's do VLAN-- let's do VLAN 2000.
No, no, initially, hang on, you're like, "Whoa, buddy, you're wrong."
No, no. Initially, it looks like you can create that.
You can even name it. I'm like name broken.
You can name it, you can do whatever you want but watch what happens.
I'm going to exit back out. Denied. It's like, sorry, you cannot-- you
can't-- you can't create that VLAN 2000 see, huh?
So VLAN 2000 can be created. You're in VTP server mode or essentially,
you're using VTP, this isn't allowed. Now, I can go in there and I can say VTP mode
transparent. Cisco's recommendation is to use that which
turns off VTP. Now, the other guy is running it server.
He's doing his server thing. That's fine.
We can now be transparent. Now, I can go in and create VLAN 2000, name
NOT_BROKEN. Exit back out.
And now, we're applying just fine. Show VLAN brief.
But notice, this-- this is not-- there it is right there.
NOT_BROKEN VLAN, this is not going to replicate to the other side because VTP is not disabled.
So-- someone-- someone asked me once. They go-- it's a good strategy.
Maybe you're-- you're first setting up a network. It's a good strategy to use VTP, you know,
replicate all the VLANs and then go around and turn it all off.
Yeah, I could see that. I could totally agree with that if that's
something you'd like to do. I will say.
Once you get away from VTP though, for me, when I set up a new network,
I just manually go at everything. I go on every switch and mainly create only
the VLANs that belong there because VTP will replicate all VLANs everywhere.
So, it's a little-- little messier. So, let me do a show VLAN brief.
Just to prove VLAN 2000 does not show up on switch2.
So, we'll wrap up by putting Cisco's best practice on here.
VTP mode, transparent. And now, we have completely disabled VTP.
But in summary, we have now configured VLANs. We've set up VTP, we've set up trunking, and
we now have a VLAN capable environment. We have been too much beyond that with them.
But that's at least-- we'll call it the base configuration of all VLANs.
And I hope this has been informative for you and I'd like to thank you for viewing.
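Added example, not part of the CBT Nuggets video: a small Python audit over constructed "show interfaces switchport" and "show vtp status" output that flags the two conditions the transcript warns about, ports still in dynamic trunk negotiation and a switch sitting in VTP server mode with a NULL domain name. The sample output, the interface names and the function names are assumptions.

```python
# Constructed sample of "show interfaces switchport" output (not from the video):
# Fa0/1 is a hard-coded trunk, Fa0/2 is still at the factory default
# (dynamic desirable, negotiation on), Fa0/3 is a hard-coded access port.
SHOW_SWITCHPORT = """\
Name: Fa0/1
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Negotiation of Trunking: Off

Name: Fa0/2
Switchport: Enabled
Administrative Mode: dynamic desirable
Operational Mode: down
Negotiation of Trunking: On

Name: Fa0/3
Switchport: Enabled
Administrative Mode: static access
Operational Mode: static access
Negotiation of Trunking: Off
"""

# Constructed sample of "show vtp status" from a switch still at defaults.
SHOW_VTP = """\
VTP Version                     : 2
Configuration Revision          : 0
VTP Operating Mode              : Server
VTP Domain Name                 :
"""

def parse_switchport(text):
    """Return {interface: {field: value}} from 'show interfaces switchport' text."""
    ports, current = {}, None
    for line in text.splitlines():
        if line.startswith("Name: "):
            current = line[6:].strip()
            ports[current] = {}
        elif current and ": " in line:
            key, value = line.split(": ", 1)
            ports[current][key.strip()] = value.strip()
    return ports

def dynamic_ports(text):
    """Interfaces never hard-coded to access or trunk, or still willing to negotiate."""
    return sorted(name for name, f in parse_switchport(text).items()
                  if f.get("Administrative Mode", "").startswith("dynamic")
                  or f.get("Negotiation of Trunking") == "On")

def vtp_findings(text):
    """Flag a blank (NULL) domain name and any operating mode other than transparent."""
    fields = dict((k.strip(), v.strip()) for k, v in
                  (line.split(":", 1) for line in text.splitlines() if ":" in line))
    findings = []
    if fields.get("VTP Domain Name", "") == "":
        findings.append("domain name is NULL: switch will join the first domain it hears")
    if fields.get("VTP Operating Mode", "").lower() != "transparent":
        findings.append("VTP mode is %s, not transparent" % fields.get("VTP Operating Mode"))
    return findings
```

Feed the functions the real command output captured from a switch; an empty list from both is the state the video ends on (every port hard-coded, VTP transparent).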