Compare commits


2 Commits

| Author | SHA1 | Message | Date |
| --- | --- | --- | --- |
| shango-wk | c5fa59b6e0 | add DTP VLAN and Subnetting | 2026-05-13 17:26:51 +02:00 |
| shango-wk | 2566897246 | add VLAN (part1) draft | 2026-05-09 23:50:57 +02:00 |
5 changed files with 578 additions and 0 deletions


@@ -25,3 +25,7 @@ tags:
[[Subnetting (Part 1)]] [[Subnetting (Part 1)]]
[[Subnetting (Part 2)]] [[Subnetting (Part 2)]]
[[Subnetting (Part 3 - VLSM)]] [[Subnetting (Part 3 - VLSM)]]
[[VLAN (Part 1)]]
[[VLAN (Part 2)]]
[[VLAN (Part 3)]]
[[DTP - VTP]]
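Review bot: the new index links may not resolve as written: `[[VLAN (Part 1)]]`, `[[VLAN (Part 2)]]` and `[[DTP - VTP]]` omit the `16. `, `17. ` and `19. ` prefixes that those notes use in their frontmatter `id` (and in their file names), while only `18. VLAN (Part 3).md` declares a matching `aliases` entry (`- VLAN (Part 3)`). Either add the same alias to the other three notes or link to the prefixed ids, and confirm the links render before merging.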

16. VLAN (Part 1).md (new normal file, 85 lines added)

@@ -0,0 +1,85 @@
---
id: 16. VLAN (Part 1)
aliases: []
tags: []
---
# VLAN (Part 1)
## What is a [[LAN]]?
Previously i said that a LAN is a group of devices (PCs, servers, routers, switches) in a single
location (home office, etc.)
A more specific definition: A LAN is a single [[broadcast domain]], including all devices in that
broadcast domain.
## Broadcast domains
A broadcast domain is the group of devices which will receive a broadcast frame (destination [[MAC]]
FFFF.FFFF.FFFF) sent by any one of the members.
Perfomance: lots of unnecessary broadcast traffic can reduce network performance
Security : Even within the same office you want to limit who has access to what. You can apply
security policies on a [[router]]/[[firewall]]
Because this is one LAN, PCs can reach each other directly, without traffic passing through the router
So even if you configure security policies, they won't have any effect.
Although we separated the three departments into three subnets ([[OSI|Layer 3]]), they are still in
the same broadcast domain ([[OSI|Layer 2]])
## What is a [[VLAN]]
A [[switch]] will not forward traffic between VLANs, including broadcast/unknown unicast traffic
- VLANs are configured on switches on a **per-interface** basis.
- logically separate end hosts at Layer 2.
The switch does not perform inter-Vlan routing. It must send the traffic through the router
### VLAN configuration
to display all the VLAN's available you can do the command
```Cisco
SW1#show vlan brief
```
By default all interfaces are set to VLAN 1
But VLANs1, 10002-1005 exist by default and *cannot be deleted*
to assign interfaces to a VLAN
```Cisco
SW1(config)#interface range g1/0 - 3
SW1(config)#switchport mode access
SW1(config)#switchport access vlan 10
% Access VLAN does not exist. Creating vlan 10
```
An access port is a switchport which belongs to asingle VLAN, and usually connects to end hosts
like PCs
Switchports which carry multiple VLANs are called 'trunk ports' (More information on trunks in
the next lesson)
You can change the name of the VLAN with the command :
```Cisco
SW1(config)#vlan 10
SW1(config-vlan)#name ENGINEERING
```
This Commang creates a VLAN.
(In this case it was already automatically created when we assigned the interfaces)
## Review
- What is a (LAN)?
- Broadcast domains
- What is a Vlan
- What is the purpose of VLANs?
- How to configure VLANs on Cisco switches
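Review bot: the default-VLAN line `But VLANs1, 10002-1005 exist by default and *cannot be deleted*` has a typo that changes the meaning: the built-in VLANs are 1 and 1002-1005, and `10002` falls outside the 1-4094 range the next note defines. In the access-port snippet the prompt stays at `SW1(config)#` after `interface range g1/0 - 3`; IOS switches to `SW1(config-if-range)#`, so `switchport mode access` and `switchport access vlan 10` should be shown under that prompt. Minor spelling: `Perfomance`, `asingle`, `Commang`.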

17. VLAN (Part 2).md (new normal file, 199 lines added)

@@ -0,0 +1,199 @@
---
id: 17. VLAN (Part 2)
aliases: []
tags: []
---
# VLAN (Part 2)
## Trunk ports
In a small network with few [[VLAN]]s it is possible to use separate interface for each VLAN
when connecting switches to switches, and switches to routers.
However, when the number of VLANs increases, this is not viable. it will result in wasted interfaces,
and often routers won't have enough interfaces for each VLAN.
You can use trunk ports to carry traffic from multiple VLANs over a single interface.
Switches wil 'tag' all frames that they send over a trunk link.
This allows the receiving switch to know which VLAN the frame belong to.
Trunk ports = 'tagged' ports
Access ports = 'untagged' ports
### VLAN Tagging
- There are two main trunking protocols: [[ISL]] (Inter-Switch Link) and [[IEEE 802.1Q]] (dot1q)
- ISL is an old Cisco proprietary protocol created before the industry standard IEEE 802.1Q
- IEEE 802.1Q is an industry standard protocol created by the [[IEEE]] (Institure of Electrical and
Electronics Engineers)
- You will probably NEVER use ISL in the real world. Even modern Cisco equipment doesn't support it
For the CCNA you only need to learn 802.1Q
#### inside Ethernet Header
Preamble | SFF | Destination | Source | 802.1Q | Type
The 802.1Q tag is inserted between the Source and Type/Length fields of the Ethernet frame.
The tag is 4 bytes (32 bits) in length.
The tag consists of two main fields:
- Tag Protocol Identifier [[TPID]]
- Tag Control Information [[TCI]]
The TCI consists of three sub-fields.
802.1Q tag Format
+-----------------------------------+
|16 bits | 3 | 1 |12 bits |
| | bits | bit | |
| TPID | TCI |
| | PCP | DEI | VID |
+-----------------------------------+
##### TPID ( Tag Protocol Identifier)
- 16 bits (2bytes) in length
- Always set to a alue of 0x8100. This indicate that the frame is 802.1Q-tagged.
##### PCP (Priority code point)
- 3 bits in length
- Used for Class of Service (CoS), which prioritizes iimportant traffic in congested network
##### DEI ( Drop Eligible Indicator)
- 1 bit in length
- Used to indicate frames that can be dropped if the network is congested.
##### VID (VLAN ID)
- 12 bits in lenght
- Indentifies the VLAN the frame elongs to.
- 12 bits in length = 4096 total VLANs (2^12), range of 0 - 4095
- VLANs 0 and 4095 are reserved and can't be used
- Therefore the actula range of VLANs is 1-4094
- Cisco's proprietary ISL also has a VLAN range of 1 - 4094
more info https://en.wikipedia.org/wiki/IEEE_802.1Q
## VLAN Ranges
- The range of VLANs (1-4094) is divided into two sections:
Normal VLANs: 1-1005
Extended VLANs : 1006-4094
- Some older devices cannot use the extended VLAN range, however it's safe to expect that modern
switches will support the extended VLAN range.
## Native VLAN
- 802.1Q has a feature called the **native VLAN**.
ISL does not have this feature
- The native VLAN is VLAN 1 by default on all trunk ports, however this can be manually configured
on each trunk port.
- The switch does not ad an 802.1Q tag to frames in the native VLAN.
- When a switch receives an untagged frame on a trunk port, it assumes the frame belongs to
the native VLAN.
**It's very important that the native VLAN matches!**
## Trunk Configuration
```Cisco
SW1(config)#interface g0/0
SW1(config-if)#switchport mode trunk
command rejected
```
Many modern switches do not support Cisco;s ISL at all. They only support 802.1Q (dot1q)
However, switches that do support both (like the one I'm using in this example) have a trunk
encapsulation of Auto by default
To manually configure the interface as a trunk port, you must first set the encapsulation to
802.1Q or ISL. On switches that only support 802.1Q this is not necessary
```Cisco
SW1(config)#interface g0/0
SW1(config-if)#switchport trunk encapsulation dot1q
SW1(config-if)#switchport mode trunk
```
To see the configurations about the trunk
```Cisco
SW1#show interfaces trunk
Port Mode encapsulation Status Native vlan
Gi0/0 on 802.1q trunking 1
```
```Cisco
## for security reason you must not allow every vlan on the trunk
SW1(config-if)#switchport trunk allowed vlan 10,30
### for adding VLAN
SW1(config-if)#switchport trunk allowed vlan add 20
## For removing Vlan in the trunk use this command
SW1(config-if)#switchport trunk allowed vlan remove 20
### The all option is to allowed all vlan
SW1(config-if)#switchport trunk allowed vlan all
## The except command if for all vlan except a range or a specific vlan
SW1(config-if)#switchport trunk allowed except 1-5,10
## The none disable every VLAN
SW1(config-if)#switchport trunk allowed none
```
For security purposes, it is best to change the native VLAN to an unused VLAN.
(network security will be explained more-in depth later in the course)
**Make sure the native VLAN matches on between switches**
The command to change the native VLAN is :
```Cisco
SW1(config-if)#switchport trunk native vlan 1001
```
note : the show vlan brief command shows the access prots assigned to each VLAN, not
the trunk ports that allow each VLAN.
Use the **show interfaces trunk** command instead to confirm trunk ports.
## ROAS (Router on a stick)
For three VLAN in the same interface
```Cisco
R1(config)#interface g0/0
R1(config-if)#no shutdown
R1(config-if)#interface g0/0.10
R1(config-if)#encapsulation dot1q 10
R1(config-subif)#ip address 192.168.1.62 255.255.255.192
R1(config-if)#encapsulation dot1q 20
R1(config-subif)#ip address 192.168.1.62 255.255.255.192
R1(config-if)#encapsulation dot1q 30
R1(config-subif)#ip address 192.168.1.62 255.255.255.192
```
The subinterface number does not have to match the VLAN number.
Howerver it is highly recommended that they do match, to make it easier to understand
- ROAS is used to route beween multiple VLANs using a single interface on the router and switch.
- The switch interface is configured as a regular trunk.
- The router interface is configured using subinterfaces.
- You configure the VLAN tag and IP address on each subinterface.
- The router will behave as if frames arriving with a certain VLAN tag have arrived on the
subinterface configured with that VLAN tag.
- The router will tag frames sent out of each subinterface with the VLAN tag configured on the
subinterface.
## Review
- What is a trunk port ?
- What is the purpose of trunk ports?
- 802.1Q Encapsulation
- How to configure trunk ports
- 'Router on a Stick'(ROAS)
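Review bot: the snippet under `## ROAS (Router on a stick)` would be rejected by IOS as written: `encapsulation dot1q 20` and `encapsulation dot1q 30` are issued without first entering `interface g0/0.20` / `interface g0/0.30`, and all three subinterfaces get the same address `192.168.1.62 255.255.255.192`, which overlaps. Each VLAN needs its own subnet; the SVI example in `18. VLAN (Part 3).md` already uses .62, .126 and .190 for VLANs 10, 20 and 30, so the ROAS block should match it. In the allowed-VLAN block two commands are missing the `vlan` keyword: `switchport trunk allowed except 1-5,10` should read `switchport trunk allowed vlan except 1-5,10`, and `switchport trunk allowed none` should read `switchport trunk allowed vlan none`. In the frame layout `Preamble | SFF | Destination | ...` the field after the preamble is the SFD (Start Frame Delimiter).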

18. VLAN (Part 3).md (new normal file, 90 lines added)

@@ -0,0 +1,90 @@
---
id: 1778493954-IJHJ
aliases:
- VLAN (Part 3)
tags: []
---
# VLAN (Part 3)
## Native VLAN on a router (ROAS)
There 2 methods for configuring the native VLAN on a router:
1.
```Cisco
R1(config)# int g0/0.10
R1(config-subif)#encapsulaton dot1q *vlan-id* native
```
2.
Configure the [[IP address]] for the native VLAN on the router's physical interface
(the command is not necessary)
```Cisco
R1(config)# int g0/0.10
R1(config-subif)#ip address 192.168.1.62 255.255.255.192
```
## Layer 3 (Multilayer) switches
- A multilayer switch is capable of both switching and routing.
- It is 'Layer 3 aware'
- You can assign IP addresses to its interfaces, like a router.
- You can create virtual interfaces for each VLAN, and assign IP addresses to those interfaces.
- You can configure routes on it, just like a router.
- it can be used for inter-VLAN routing
### Inter-VLAN routing via SVI
- SVIs (Switch Virtual Interfaces) are the virtual interfaces you can assign IP addresses to
in a multilayer switch.
- Configure each PC to use the SVI (Not the router) as their gateway address.
- To send traffic to different subnets/VLANs, the PCs will send traffic to the switch,
and the switch will route the traffic
the command to enable Layer 3 routing on the switch is
```Cisco
SW2(config)#ip routing
## this configure the interface as a 'routed port'
## (Layer 3 port, not Layer 2 /switchport)
SW2(config)#interface g0/1
SW2(config-if)#no switchport
## then you can configure an IP address on the interface like a regular router interface
SW2(config-if)#ip address 192.168.1.193 255.255.255.252
## then you can configure the default route
SW2(config-if)#ip route 0.0.0.0 0.0.0.0 192.168.1.194
```
To configure SVI you can assign ip address to each vlan
```Cisco
SW2(config)#interface vlan10
SW2(config-if)#ip address 192.168.1.62 255.255.255.192
SW2(config-if)#no shutdown
SW2(config)#interface vlan20
SW2(config-if)#ip address 192.168.1.126 255.255.255.192
SW2(config-if)#no shutdown
SW2(config)#interface vlan30
SW2(config-if)#ip address 192.168.1.190 255.255.255.192
SW2(config-if)#no shutdown
```
1. The Vlan must exist on the switch
2. The swithc must have at least one access port in the VLAN in an up/up state, AND/OR
one trunk port that allows the VLAN that is in an up/up state
3. The VLAN must not be shutdown (you can use the shutdown command to disable a VLAN)
4. The SVI must not be shutdown (SVIs are disabled by default)
## Review
- Native VLAN on a router
- Wireshark analysis
- Layer 3 Switching/multilayer Switching
**next lesson**
- DTP (Dynamic Trunking Protocol)
- VTP (VLAN trunking Protocol)
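Review bot: method 2 under `## Native VLAN on a router (ROAS)` contradicts its own description: the text says the native VLAN's IP address goes on the router's physical interface, but the snippet enters `int g0/0.10`, a subinterface. It should be `R1(config)#interface g0/0` followed by the `ip address` line, and the parenthetical `(the command is not necessary)` should name which command it means. In method 1, `encapsulaton` should read `encapsulation`. In the routed-port block, `ip route 0.0.0.0 0.0.0.0 192.168.1.194` is a global configuration command, so the prompt should be `SW2(config)#`, not `SW2(config-if)#`. The review list cites `Wireshark analysis`, but the note contains no Wireshark material; add that section or drop the bullet. Spelling: `swithc`.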

19. DTP - VTP.md (new normal file, 200 lines added)

@@ -0,0 +1,200 @@
---
id: 19. DTP - VTP
aliases: []
tags: []
---
# DTP - VTP
Note: DTP and VTP were removed from the CCNA exam topics list for the new exam (200-301).
However, it's important to know their function, and you may still get questions about them
on the exam even though they are not on the topics list
## DTP Dynamic Trunking Protocol
DTP is a [[Cisco]] proprietary protocol that allows Cisco switches to dynamically determine
their interface status (access or trunk) without manual configuration
DTP is enabled by default on all Cisco switch interfaces.
So far, we have been manually configuring switchports using these command :
- switchport mode access
- switchport mode trunk
For security purposes, manual configuration is recommended. DTP should be disabled on all switchports
### CLI
```Cisco
SW2(config-if)#switchport mode ?
## we will focus on the dynamic option
SW2(config-if)#switchport mode dynamic ?
## we have to mode auto or desirable
```
A switchport in dynamic desirable mode will actively try to form a trunk with other Cisco switches,
it will form a trunk if connected to another switchport in the following modes:
1. switchport mode trunk
1. switchport mode dynamic desirable
1. switchport mode dynamic auto
to verify you can
```Cisco
SW1# show interfaces g0/0 switchport
Name: Gi0/0
Switchport: Enabled
Administrative Mode: Dynamic desirable
Operational Mode: trunk
```
### Static access
Static access means an access port that belongs to a single VLAN that doesnt change (unless
you configure a different VLAN).
There are also 'dynamic access' ports, in which a server automatically assings the VLAN depending
on the [[MAC]] address on the connected device.
(This is out of the scope of the CCNA)
| Administrative mode | Trunk | Dynamic desirable | Access | Dynamic Auto |
| ------------- | -------------- | -------------- |------------ |------------ |
| Trunk | Trunk | Trunk | x | Trunk|
| Dynamic Desirable | Trunk | Trunk | Access | Trunk|
| Access | x | Access | Access | Access |
| Dynamic Auto | Trunk | Trunk | Access | Access |
DTP will not form a trunk with a router, PC, etc.
The switchport will be in access mode
On *older* switches, **swithport mode dynamic desirable** is the default administrative mode.
On *newer* switches, **swithport mode dynamic auto** is the default administrative mode.
You can disable DTP negotiation on the interface with this command:
- switchport nonegotiate
Configuring an access port with **switchport mode access** also disables DTP negotiation on
an interface
It is recommended that you disable DTP on all switchports and manually confugre them as access or
trunk ports.
### Encapsulation
[[Switches]] that support both [[802.1Q]] and ISL trunk encapsulations can use DTP to negotiate
The encasulation they will use.
This negotiation is enabled by default, as the default trunk encapsulation mode is :
**switchport trunk encapsulation negotiate**
*ISL is favored over 802.1Q, so if both switches support ISL, it will be selected*
DTP frames are sent in VLAN1 when using ISL or in the [[native VLAN]] whe using 802.1Q
(the default native VLAN is VLAN1, however)
## VTP VLAN Trunking Protocol
VTP allows you to configure VLANs on a central VTP server switch, and other switches (VTP client)
will synchronize their VLAN database to the server.
It is designed for large networks with many VLANs, so that you don't have to configure each VLAN
on every switch
It is rarely used, and it is recommended that you do not use it.
There are three VTP versions: 1, 2, and 3.
There are three VTP modes: server, client, and transparent.
*Cisco switches operate in VTP server mode by default*
### VTP Servers
Can add/modify/delete VLANs
Store the VLAN database in non-volatile RAM (NVRAM)
Will increase the revision number every time a VLAN database on trunk interfaces, and
The VTP clients will synchronize their VLAN database to it
VTP servers also function as VTP client
Therefore, A VTP server will synchronize to anothre VTP server with a higher revision number
### VTP clients
Cannot add/modify/delete VLANs
Do not store the VLAN database in NVRAM (in VTPv3 they do)
Will synchronize their VLAN database to the server with the highest revision number in their VTP domain
Will advertise their VLAN database, and forward VTP advertisements to other client over their trunk
ports.
### How it's work
to see all the VTP type
```Cisco
SW1#Show VTP status
```
VTPvv1/v2 do not support the extended VLAN range (1006-4094) only BTPv3 supports them
to set a domain name
```Cisco
SW1#vtp domain cisco
```
now on switch 1 can do
```Cisco
SW1#vlan 10
SW1#name engineering
```
switch 2 will have the same vtp domain and vlan configured
pass along to switch 3 and 4
If a switch with no VTP domain (domain NULL) receives a VTP advertisement with a VTP domain name,
it will automatically join that VTP domain
If a switch receives a VTP advertisement in the same VTP domain with a higher revision number
it will update its VLAN database to match
### **ONE DANGER OF VTP**
If you connect an old switch with a higher revision number to your network ( and the VTP domain
matches), all switches in the domain will sync their VLAN database to that switch
### VTP transparent mode
Does not participate in the VTP domain (does not sync its VLAN database).
Maintains its own VLAN database in NVRAM. it can add/modify/delete VLANs, byt they won't be
advertised to other switches.
Will forward VTP advertisements that are in the same domain as it.
NOTE : Changing the VTP domain to an unused domain will reset the revision number to 0
Changing the VTP mode to transparent will also reset the revision number to 0
### VTP version
You can change the VTP version with this command
```Cisco
SW1(config)#vtp version 2
```
VTP V2 is not much different than VTP V1. The major difference is that VTP V2 introduces support
for Token RIng VLANs. if you use Token Ring VLANs, you must enable VTP V2. Otherwise there is
no reason to use VTP V2
For the V3 it's Beyond the scope of the CCNA
# Review
note: Recommended that you disable this protocol for security purposes.
DTP (dynamic trunking Protocol)
a protocol that allows Cisco switches to form trunk connections with other cisco switch without
manual configuration
VTP (VLAN Trunking Protocol)
Allow to configure VLAN on switches that operate as central VTP servers, which then advertise
Their VLAN database,and VTP client switches sync their database to it
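Review bot: the walkthrough under `### How it's work` shows global configuration commands at the privileged EXEC prompt: `vtp domain cisco`, `vlan 10` and `name engineering` are entered in configuration mode (`SW1(config)#vtp domain cisco`, `SW1(config)#vlan 10`, `SW1(config-vlan)#name engineering`), as the later `SW1(config)#vtp version 2` block correctly shows. Under `### VTP Servers` the sentence `Will increase the revision number every time a VLAN database on trunk interfaces, and` is cut off; it should state what triggers the increment (a VLAN add/modify/delete) and that the database is advertised on trunk interfaces. The comment `## we have to mode auto or desirable` inside the CLI block is unclear and should say the two options are `auto` and `desirable`. Spelling: `VTPvv1/v2`, `BTPv3`, `swithport` (twice), `confugre`, `encasulation`, `anothre`, `byt`, `assings`.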