Welcome to the beginning of this CCNA training series. In this series we're going to take the fundamentals that you already know and build on them to make you even more awesome. If you don't have the fundamentals yet, don't worry, we have a series on that as well. Section one of this series is going to start by looking at layer 2 technologies, starting right here in this video, which focuses on switching, VLANs, and trunking. I hope you enjoy it.

The basic function of switches is to connect devices to the network. Of course they can do far more, but every other feature they have is there to support connecting devices. Switches primarily work at layer 2. When we think about layer 2 we think about things like MAC addresses, Ethernet frames, and VLANs. A lot of modern switches support some layer 3 functions; that means IP addressing, routing, and that sort of thing. For this section of the series we're going to focus our attention on layer 2.

We commonly use Ethernet protocols in our networks.
Each Ethernet frame has a source MAC address and a destination MAC address. Ethernet, and layer 2 in general, is used to deliver frames from one hop to the next. This means that with each hop the source and destination MAC will be updated. The source will be the device that's sending, and the destination will be the next hop along the path. This process is called frame rewrite. Switches don't count as hops in this sense. That is, they don't update the source and destination MAC addresses of each frame that passes through them.

So what are switches for? Connectivity! All devices need to be connected to each other in some way, but we can't literally connect every device to every other device. Imagine how many cables we would need. Instead, the switch uses a process called frame switching. Instead of connecting devices directly to each other, devices connect to switches. As you can see, this is so much simpler. When a frame arrives at a switch, the switch decides which link, or interface, to send the frame out of. This makes sure that the frame gets to the correct destination.

The next question is: how does a switch know which link to send the frame on? It does this by learning the MAC addresses of connected devices and the interfaces they are connected to. These details are stored in the MAC address table. When a frame arrives at a switch port, the switch takes a look at the destination MAC address. Remember that this is in the Ethernet header. It looks for this MAC address in the MAC address table. Here it finds the port that the MAC address belongs to. It then forwards the frame out of this port.

We should ask ourselves: what happens if the MAC address we're looking for is not in the MAC table? This means that the switch hasn't learned about this MAC yet. In this case it will flood the frame out of all other ports. That means a lot of devices will get that frame. Most will ignore it, as it's not meant for them. The correct device will send its reply, which the switch will see. The switch can then learn which interface this device is connected to, and add the entry to the MAC address table for next time.

Do you want to see what a real MAC address table looks like? From the CLI we can use the command 'show mac address table'. Here we can see all the MAC addresses that the switch knows about and the port that should be used to reach them. Entries don't stay in here forever though. Once an entry is learned, a timer starts. If more traffic involving that MAC address is seen, then the timer resets. But if the timer expires, the entry is removed from the table. This is one way the switch keeps the table fresh. For example, we might have a laptop that we disconnect from one port and then connect to another port. If the MAC address table didn't clean up after itself, traffic might get sent out the wrong interface.

If you're planning on taking the CCNA exam, we have a few extra resources to get you ready. These include study notes, quizzes, flashcards, transcripts, and the command line summaries. Check the video description to get a link to each of these resources. Usually quiz explanations are for members of the site; however, I've made all the quizzes in this video available to everyone so you can see if you like them.

We've had a quick review of switching in a simple network. But as networks grow and become more complex, we usually need to divide them up into logical parts. We do this by configuring a VLAN. VLANs create one or more logical networks on a physical switch. It's kind of like dividing a switch into a few smaller switches. Some ports can be part of one VLAN, other ports can be in a different VLAN.
And they can both be kept separate from each other. There are a few reasons we might want to do this. The obvious one is to separate some traffic from some other traffic. This could be for security, or perhaps we have multiple customers that we need to keep separated. We might use VLANs to group certain traffic together. For example, we would create a VLAN just for voice traffic, that is, phone calls. This makes it easier to give this traffic a higher priority than other traffic. Or we could group devices into VLANs. It's quite common to put servers in one VLAN, printers in another, and PCs in yet another VLAN. This is often done so you can put a firewall between these VLANs and apply security policies between them. We'll take a look at security policies more in a later section of this series.

Think about broadcast domains. As we know, broadcasts are limited to the local network. Each VLAN is considered to be a different network, so creating VLANs creates smaller broadcast domains. There are many different reasons we might want to use VLANs. Don't worry too much about listing them all out. As you're getting experience you'll start to appreciate their value and when to use them. For now we're just going to focus on how they work and how they're configured in the switch's CLI.

We're going to create three VLANs with IDs 10, 20, and 30. This is as simple as typing 'vlan' and the VLAN ID. We can optionally give each one a name. I recommend this, as it makes it easier to see what each VLAN is for later on. If you're not yet familiar with Cisco's command line interface, I have a video on that to help you get started. See the description for a link.

We can have up to 4094 VLANs on a switch. Of course it would be rare to need that many; we only need three for now, which are for workstations, servers, and printers. When we're done, we can check out the VLANs that we've created with 'show vlan brief'. You can see the three VLANs that were created, and a few others. For example, Cisco reserves four VLANs for special use; we can't move or change these. It's interesting to know that historically Cisco broke the VLAN range into two smaller ranges: VLANs 1 to 1001 were known as the normal range, while VLANs 1006 to 4094 were called the extended range. Keep in mind that this is just a Cisco thing, and other vendors don't do this. The other VLAN that we didn't create is VLAN 1, which is the default VLAN. Until we make any changes, all ports are members of this VLAN.
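The switching process covered earlier (learn the source MAC, look up the destination, flood when it is unknown, age out stale entries) and the point just made that each VLAN is its own network can be put together in a small simulation. This is an added example, not code from the video or from Network Direction. The port names, MAC addresses and timings are constructed sample values; the 300 second aging time is the Cisco default for dynamic entries. The table is keyed by VLAN and MAC, the same shape a real MAC address table has, so a flood only reaches ports in the same VLAN:

```python
"""Added example: a VLAN-aware MAC address table, the way a layer 2 switch keeps one.

All ports here are access ports, so the VLAN of a frame is the VLAN of the port it
arrived on. Port names, MACs and timings are constructed sample values.
"""
from dataclasses import dataclass, field

AGING_SECONDS = 300           # Cisco default aging time for dynamic entries
BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Frame:
    src: str   # source MAC; rewritten at each layer 3 hop, never by the switch
    dst: str   # destination MAC


@dataclass
class Switch:
    port_vlan: dict                               # port name -> access VLAN id
    table: dict = field(default_factory=dict)     # (vlan, mac) -> (port, last_seen)

    def ports_in_vlan(self, vlan):
        return sorted(p for p, v in self.port_vlan.items() if v == vlan)

    def age(self, now):
        """Remove entries whose timer has expired (traffic resets the timer in receive())."""
        for key in [k for k, (_, seen) in self.table.items() if now - seen > AGING_SECONDS]:
            del self.table[key]

    def receive(self, in_port, frame, now):
        """Return the list of ports the frame is sent out of."""
        vlan = self.port_vlan[in_port]
        self.age(now)
        # Learn: the source MAC lives behind in_port (this also covers a device that moved ports).
        self.table[(vlan, frame.src)] = (in_port, now)
        entry = self.table.get((vlan, frame.dst))
        if frame.dst == BROADCAST or entry is None:
            # Unknown unicast or broadcast: flood to every other port in the same VLAN only.
            return [p for p in self.ports_in_vlan(vlan) if p != in_port]
        # Known destination: refresh its timer and forward out of that single port.
        self.table[(vlan, frame.dst)] = (entry[0], now)
        return [entry[0]]

    def show_mac_table(self):
        """Rows in the shape the switch's MAC address table shows: (vlan, mac, port)."""
        return sorted((vlan, mac, port) for (vlan, mac), (port, _) in self.table.items())


PC_A, PC_B, PRINTER = "aa:aa:aa:00:00:01", "aa:aa:aa:00:00:02", "bb:bb:bb:00:00:03"


def demo():
    sw = Switch(port_vlan={"Gi0/1": 10, "Gi0/2": 10, "Gi0/5": 10, "Gi0/3": 20, "Gi0/4": 20})
    steps = {}
    # 1. PC_A sends to PC_B, which the switch has never seen: flooded within VLAN 10 only.
    steps["unknown"] = sw.receive("Gi0/1", Frame(PC_A, PC_B), now=0)
    # 2. PC_B replies; PC_A was learned in step 1, so the frame goes out one port.
    steps["reply"] = sw.receive("Gi0/2", Frame(PC_B, PC_A), now=1)
    # 3. Same destination MAC but from a VLAN 20 port: a different broadcast domain, so flood VLAN 20.
    steps["other_vlan"] = sw.receive("Gi0/3", Frame(PRINTER, PC_A), now=2)
    # 4. PC_A is unplugged and moved to Gi0/5: its next frame relearns the entry on the new port.
    steps["moved"] = sw.receive("Gi0/5", Frame(PC_A, PC_B), now=3)
    steps["table_after_move"] = sw.show_mac_table()
    # 5. Minutes of silence later every timer has expired, so PC_B is unknown again.
    steps["aged"] = sw.receive("Gi0/1", Frame(PC_A, PC_B), now=400)
    steps["table_after_aging"] = sw.show_mac_table()
    return steps


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:18} {result}")
```

Step 4 is the laptop case from the video: the stale entry is simply overwritten by the next frame the device sends, and step 5 shows what aging does when the device goes quiet instead.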
We'll talk a bit more about this one later. So, I hope this is all making sense so far. Here are two more questions to help you think about it and to challenge your understanding.

What if you have a lot of switches? Let's say you manage the network for a university campus, which might have 500 switches. Wouldn't it be nice if we didn't have to configure VLANs on each one? Years ago Cisco created a technology called VTP, or Virtual Trunking Protocol. This is no longer in the exam, but you might see it in the real world, so I'm going to give you a brief overview. VTP would allow us to configure VLANs on a single switch and then have this configuration automatically pushed out to all the other switches. This means that we wouldn't need to go and configure each switch manually.

So, to make this work, switches are configured in one of three modes. They can be server, they can be client, or they can be transparent. Servers are configured with a list of VLANs. One or more server switches send this list in VTP messages, which go out to all the switches in the VTP domain. The VTP domain name is also included in these messages. Client switches receive these messages and will pass them on to other clients. In addition, they automatically configure each VLAN they see in this list, as long as they are part of the same VTP domain. Of course, the result is that you only configure the VLAN on the server switch, not on all switches. Be warned though: the VLAN list overwrites whatever is already configured, so if you make a mistake on the server you may cause a problem across all switches in your network. Transparent switches will see these VTP messages, but they'll only pass them on. They don't configure any VLANs themselves. In the case of these switches, they will still need manual VLAN configuration.

Over time a lot of people found that VTP was, quite frankly, more trouble than it's worth. As we said, a single mistake can bring down your entire network. Plus there are better ways to configure your switches from one location, which we'll talk about in another section of this video series. So my personal recommendation is that you set your switches to transparent mode. This will ignore any VTP messages that are seen, and your VLANs won't be overwritten. If you run the command 'show vtp status' you can see what mode your switch is in. In this case you can see that the switch is a VTP server. So to change it, I'm going to jump into configuration mode and type in 'vtp mode transparent'.

There is a danger with putting a switch that has been previously configured into a live network. Can you think of what that danger might be, and how we may avoid it?

We need to add interfaces to VLANs, and when we do we have two options: we can configure access ports or trunk ports.
Access ports are the interfaces that regular devices connect to. That includes workstations, printers, phones, and other devices like that. Trunk ports are most commonly used when we're connecting one switch to another switch; however, there are other cases where we might connect servers to trunk ports too.

Let's start by configuring an access port. Under the interface we set the switchport mode to access. We then configure the VLAN ID that we want this port to belong to. So now when we connect a device, all traffic entering or exiting this interface is part of that VLAN. To check which interfaces belong to which VLANs, enter the command 'show vlan brief'. Here we can see that the interface Gigabit 0/1 belongs to VLAN 10, which is the workstations VLAN.

We usually think of an access port as belonging to only one VLAN; however, there is an exception. This is when we have a phone and a workstation connected to the same port. Usually the physical phone will connect to the switch and the workstation will connect to a port on the back of the phone. In a case like this we would configure a VLAN for voice traffic. In this example we'll make it VLAN 40 and we'll give it the name voice. Then we'll enter interface gig 0/1 and configure it with an additional voice VLAN using the 'switchport voice vlan' command. When we run 'show vlan brief' again we can see that the voice VLAN has been created, but it isn't showing up on that interface. I picked an interface that was down, unfortunately, so it's not showing here. So to check this one we can run 'show interfaces gi 0/1 switchport'. Here we can confirm that the voice VLAN is also configured on this port.

OK, let's go back to trunk ports. As I said earlier, these are commonly used when connecting two switches together. They're also used a lot when connecting to servers, as most servers now have virtual switches inside them, and virtual servers are connected to those virtual switches. We look at virtual servers and virtual switches a bit later in another section. Trunk ports are capable of carrying more than one VLAN at a time. They do this by adding a VLAN ID to each frame. There are two possible ways of doing this. The old way uses a protocol called ISL. This is out of date, so we're not going to look at that any further. The right way to do it these days is with an encapsulation standard called 802.1Q. This takes the Ethernet header in the frame and adds in a small tag. This tag simply contains the VLAN ID. So if a switch needs to forward a frame from one switch to another, it will add this tag, and then the receiving switch will know which VLAN that frame belongs to. This process is often called 'tagging', and you can probably see why. In fact, while Cisco refers to it as a trunk port, many other vendors will call it a tagged port.

It's really simple to configure a trunk port. Under the interface we first need to select the type of encapsulation. This comes back to those two methods I spoke of earlier, ISL or 802.1Q. You'll notice the third option, 'negotiate'. We'll talk about that soon. As I said, 802.1Q is the option we want to use now. Next we simply set the switchport mode to trunk. We can get a bit of information with the 'show interface trunk' command. Here we can see the encapsulation type as well as the VLANs that are allowed on this trunk link. By default all VLANs are allowed, as long as they have been defined on the switch. We can limit our trunk to certain VLANs if we want to. This is called VLAN pruning, because we're pruning off the VLANs that we don't want to allow.
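To make the tagging and pruning just described concrete, here is an added example; it is not code from the video or from Network Direction. It builds and parses Ethernet frames carrying an 802.1Q tag, then models one trunk port with an allowed-VLAN list. It goes a little beyond this passage by also handling frames that arrive with no tag at all using the trunk's native VLAN, which the video explains further on. The MAC addresses, VLAN numbers and trunk settings are constructed sample values; the frame layout (TPID 0x8100 followed by a 16-bit TCI whose low 12 bits are the VLAN ID and whose top 3 bits are a priority field) is the real 802.1Q one:

```python
"""Added example: 802.1Q tagging, trunk pruning and the native VLAN.

The frame layout is the real 802.1Q one; the trunk settings, MACs and VLAN
numbers are constructed sample values, not taken from the video.
"""
import struct

TPID_8021Q = 0x8100          # EtherType value that announces a VLAN tag follows


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_frame(dst, src, ethertype, payload, vlan=None, pcp=0):
    """Ethernet II frame; with vlan set, a 4-byte 802.1Q tag is inserted after the MACs."""
    hdr = mac_bytes(dst) + mac_bytes(src)
    if vlan is not None:
        if not 1 <= vlan <= 4094:
            raise ValueError("VLAN ID must be 1..4094")
        tci = (pcp << 13) | vlan             # PCP (3 bits) | DEI (1 bit, 0) | VID (12 bits)
        hdr += struct.pack("!HH", TPID_8021Q, tci)
    return hdr + struct.pack("!H", ethertype) + payload


def parse_frame(raw):
    """Split a frame into its fields; 'vlan' is None when there is no tag."""
    dst, src = raw[:6], raw[6:12]
    (ethertype,) = struct.unpack("!H", raw[12:14])
    vlan = pcp = None
    body = raw[14:]
    if ethertype == TPID_8021Q:
        (tci,) = struct.unpack("!H", raw[14:16])
        vlan, pcp = tci & 0x0FFF, tci >> 13
        (ethertype,) = struct.unpack("!H", raw[16:18])
        body = raw[18:]
    return {"dst": mac_str(dst), "src": mac_str(src), "vlan": vlan, "pcp": pcp,
            "ethertype": ethertype, "payload": body}


class TrunkPort:
    """One 802.1Q trunk with an allowed-VLAN list (pruning) and a native VLAN."""

    def __init__(self, allowed, native=1):
        self.allowed = set(allowed)
        self.native = native

    def ingress(self, raw):
        """Classify an arriving frame: (vlan, fields), or None if that VLAN is pruned."""
        fields = parse_frame(raw)
        vlan = fields["vlan"] if fields["vlan"] is not None else self.native
        if vlan not in self.allowed:
            return None
        return vlan, fields

    def egress(self, vlan, untagged_raw):
        """Send a frame from 'vlan' out of the trunk: tagged, or untagged if it is the native VLAN."""
        if vlan not in self.allowed:
            return None
        if vlan == self.native:
            return untagged_raw
        f = parse_frame(untagged_raw)
        return build_frame(f["dst"], f["src"], f["ethertype"], f["payload"], vlan=vlan)


PC = "aa:aa:aa:00:00:01"
SERVER = "cc:cc:cc:00:00:10"
IPV4 = 0x0800


def demo():
    plain = build_frame(SERVER, PC, IPV4, b"constructed payload")      # untagged, 14-byte header
    trunk = TrunkPort(allowed={10, 20, 30}, native=1)                    # native left at the default
    results = {}
    # A frame from a VLAN 20 access port leaves the trunk with a tag: 4 bytes longer.
    tagged = trunk.egress(20, plain)
    results["tag_added"] = len(tagged) - len(plain)
    results["tagged_vlan"] = parse_frame(tagged)["vlan"]
    # The far end reads the tag and places the frame in VLAN 20.
    results["ingress_tagged"] = trunk.ingress(tagged)[0]
    # VLAN 40 is not on the allowed list, so the trunk prunes it.
    results["pruned"] = trunk.ingress(build_frame(SERVER, PC, IPV4, b"x", vlan=40))
    # Untagged traffic is assumed to be the native VLAN (1); 1 is not allowed here, so it is dropped.
    results["untagged_native_not_allowed"] = trunk.ingress(plain)
    # With the native VLAN changed to 10, the same untagged frame lands in VLAN 10,
    # and VLAN 10 traffic is sent out untagged.
    trunk.native = 10
    results["untagged_native_10"] = trunk.ingress(plain)[0]
    results["native_sent_untagged"] = trunk.egress(10, plain) == plain
    # A voice frame can carry its priority in the tag's PCP bits.
    voice = build_frame(SERVER, PC, IPV4, b"rtp", vlan=40, pcp=5)
    results["voice_pcp"] = parse_frame(voice)["pcp"]
    return results
```

The two native-VLAN cases in `demo()` are the ones that catch people out: untagged frames are silently dropped when the native VLAN is missing from the allowed list, and traffic for the native VLAN leaves the trunk with no tag at all, which is why both ends must agree on it.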
Personally, I always set an allowed list of VLANs as a matter of best practice, rather than leaving them all on. Now let's go back to that interface, and then we'll use the 'switchport trunk allowed' command to provide this list of allowed VLANs. I would like to issue a strong warning here. When we use this command we will overwrite the existing list of VLANs that are allowed on this trunk interface with the list that we provide. Many people, including myself, have made this mistake and caused the network to go down. If we look at this interface again, we can now see that we've got an updated list of VLANs that are allowed.

On occasion, some traffic will arrive at a trunk port with no VLAN tag. As you can imagine, we call this untagged traffic. There are a few cases where we might see this: for example, if a workstation is connected to a trunk port rather than an access port, or when a cheap and nasty switch that doesn't understand VLANs is connected to a good switch. There's even some traffic that switches send to each other that's untagged. So you might be thinking: the receiving switch needs the tag to know which VLAN the traffic belongs to, so what happens when there is no tag? That's a good question, and one that has confused many people, but it's not as tricky as it sounds. On the trunk port there is a special VLAN called the native VLAN. By default, VLAN 1 is the native VLAN. When untagged traffic arrives at a trunk port, it is assumed to be part of this native VLAN. So by default any untagged traffic will be part of VLAN 1.

We can change the native VLAN to another VLAN if we want to. We just configure the interface with the 'switchport trunk native vlan' command, and give it a new VLAN ID. Notice that we're getting a few syslog messages reporting a native VLAN mismatch? This is because CDP, that is Cisco Discovery Protocol, has detected that the switch on the other end of the link still has VLAN 1 as its native VLAN. It's important that native VLANs match at both ends of the link. You'll even notice that spanning tree has blocked the link. We'll talk about that in two videos' time. If you need to verify the native VLAN on an interface, use the 'show interfaces switchport' command. When we do this we can see that the trunking native mode VLAN is set to 10.

You can probably work out how to tell if an interface is a trunk by using the MAC table alone. Can you see how it's done?

Cisco provides an automatic option for configuring trunk links called Dynamic Trunking Protocol, or DTP. This is a Cisco-only option which is turned on by default. Earlier we used the command 'switchport mode trunk'. This manually configures a trunk link. As long as this is configured on both ends of the link, the link will be a trunk. But rather than manual configuration, we can configure the link as dynamic. There are two types of dynamic configuration, called 'auto' and 'desirable'. The results depend on what we configure at each end of this link.
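Those results can be written down as one function, and the same idea turns into a quick check of a running configuration for ports that DTP could still negotiate into a trunk. This is an added example, not code from the video or from Network Direction. The outcome table is the standard Cisco DTP behaviour for 'trunk', 'dynamic desirable', 'dynamic auto' and 'access', plus a static trunk with negotiation disabled; the configuration text it audits is a constructed sample written for this example, not the lab's configuration. The findings it raises are the ones the video's recommendations point at: ports left dynamic, trunks with no allowed list, and a native VLAN left at the default that still needs to match the far end.

```python
"""Added example: what DTP makes of each pair of port modes, and a config audit built on it.

The outcome table is the standard Cisco DTP behaviour; the configuration text is a
constructed sample written for this example, not the lab's configuration.
"""
import re

STATIC_TRUNK = {"trunk", "trunk nonegotiate"}
DYNAMIC = {"dynamic auto", "dynamic desirable"}


def dtp_outcome(local, remote):
    """Return 'trunk', 'access' or 'mismatch' for one link given each end's switchport mode."""
    ends = {local, remote}
    if ends & STATIC_TRUNK and "access" in ends:
        return "mismatch"            # one side sends tagged frames, the other does not expect them
    if "trunk nonegotiate" in ends and ends & DYNAMIC:
        return "mismatch"            # no DTP frames are sent, so the dynamic side never becomes a trunk
    if ends & STATIC_TRUNK:
        return "trunk"               # a static trunk with trunk, desirable or auto on the other end
    if "access" in ends:
        return "access"              # an access port never negotiates
    if "dynamic desirable" in ends:
        return "trunk"               # desirable actively asks; desirable or auto on the far end agrees
    return "access"                  # auto + auto: both are willing, neither asks


SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 10
!
interface GigabitEthernet0/2
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30
 switchport trunk native vlan 999
!
interface GigabitEthernet0/3
 switchport mode dynamic desirable
!
interface GigabitEthernet0/4
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet0/5
 description uplink with no mode set
!
"""


def parse_interfaces(config):
    """Map interface name -> list of its indented configuration lines."""
    blocks, current = {}, None
    for line in config.splitlines():
        m = re.match(r"interface (\S+)", line)
        if m:
            current = m.group(1)
            blocks[current] = []
        elif current and line.startswith(" "):
            blocks[current].append(line.strip())
        else:
            current = None               # '!' or any other top-level line ends the block
    return blocks


def audit(config):
    """Flag ports DTP can still negotiate, and trunks missing the settings the video recommends."""
    findings = {}
    for name, lines in parse_interfaces(config).items():
        notes = []
        mode = next((ln[len("switchport mode "):] for ln in lines if ln.startswith("switchport mode ")), None)
        if mode is None:
            notes.append("no explicit switchport mode: DTP is on by default, so the port may negotiate a trunk")
        elif mode in DYNAMIC:
            notes.append(f"switchport mode {mode}: DTP may turn this port into a trunk")
        elif mode == "trunk":
            if not any(ln.startswith("switchport trunk allowed vlan") for ln in lines):
                notes.append("trunk allows every VLAN defined on the switch (no allowed list)")
            if not any(ln.startswith("switchport trunk native vlan") for ln in lines):
                notes.append("native VLAN is the default (1): confirm it matches the far end")
        findings[name] = notes
    return findings


if __name__ == "__main__":
    print(dtp_outcome("dynamic desirable", "dynamic auto"))
    for port, notes in audit(SAMPLE_CONFIG).items():
        print(port, notes or "ok")
```

`dtp_outcome("dynamic desirable", "dynamic auto")` reproduces the lab in the video (the link becomes a trunk), while `audit()` is the kind of check you would run over a saved configuration before plugging a switch into a network you share with someone else.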
First let's think about the desirable option. If this is configured, the switch actively tries to make this link a trunk link. This will succeed if the other end is also configured as desirable, auto, or trunk. Let's see the configuration for this. We have two switches connected to each other. We first enter interface configuration mode, then we configure 'switchport mode dynamic desirable'. Although you can't see it here, the switch on the other side of the link is configured as dynamic auto. If we run 'show interfaces trunk' we can see that the mode is set to desirable. In the status column we can see that this link has successfully become a trunk link.

When the auto option is configured, we're telling the switch that we're happy if this interface becomes a trunk, but don't actively try to make it so. That means that if the other end tries to configure the trunk link, this interface will agree and the interface will become a trunk port. So you see that the particular combination of settings will determine whether the link becomes a trunk or remains an access port. One recommendation I can share is to avoid configuring one side manually as a trunk and the other side manually as an access port.

We can dig up a bit more information with 'show dtp interface'. It's not particularly exciting, but it may prove useful if you're troubleshooting. DTP sends messages between the two switches to convert a link to a trunk. If we want, we can disable this entirely by configuring the interface with 'switchport trunk nonegotiate'. This is something you might consider doing if you're connecting a Cisco switch to another vendor's switch, or you're connecting a switch that you manage to a switch that somebody else manages. Personally, I don't like to use DTP in practice; I always manually configure my trunk ports. I find it has a lower chance of security problems, like configuring a trunk link where there isn't supposed to be one. It's really up to your preference though.

There are two more quiz questions for you to think about. Perhaps think about question 9 in particular, which involves adding more VLANs to a trunk link without breaking the ones that are already there.

There's another way that you can test your skills. Most of the videos in this series will have a lab accompanying them on networkdirection.net. I've built them using the Cisco CML lab software, but you can use another product if you want. Your options include GNS3, EVE-NG, and Packet Tracer. In this particular lab you have a customer who wants this network built. You need to configure the four switches to meet their requirements. Once that's done, you can try out some troubleshooting. These labs are usually reserved as a bonus for Patreon supporters, but this one's available for everyone so you can see if you like it.

Please continue to the next video, where we will look at interfaces. This includes connecting interfaces, MTU and frame size, and troubleshooting interface status. Hope to see you there.