
Introduction

The VLANs and trunks module provides you with the instructions and Cisco hardware to develop
your hands-on skills in configuring VLANs, trunks and VTP on Cisco switches. This module
includes the following exercises:

1) Configuring VLANs

2) Configuring Trunk Links

3) Configuring VTP

4) Securing Trunk Links

Lab Diagram
During your session you will have access to the following lab configuration. Depending on the
exercises you may or may not use all of the devices, but they are shown here in the layout to get an
overall understanding of the topology of the lab.

[Lab diagram: figure not reproduced. Devices shown: the Internet reached through ISP1 (172.14.0.3/24) and ISP2 (172.14.0.4/24); NYEDGE1 and NYEDGE2 (Cisco 2911 routers, interfaces Gi0/0, Gi0/1, Ser0/0/0, Ser0/0/1); a Frame-Relay WAN to LDNWAN1 and NWRKWAN1 (Cisco 2911 routers) and NYWAN1, with the 172.16.16.0/24 network drawn between NYWAN1 and the core switches; NYCORE1 and NYCORE2 (Cisco 3750v2-24PS switches) joined by a link labelled Fas1/0/22 at both ends, with an IP Phone attached to NYCORE2; NYACCESS1 (Cisco 2960-24 switch, ports Fas0/23 and Fas0/24 drawn towards the core); and PLABCSCO01, the Cisco Tools Server (192.168.16.10/24), whose lab NIC attaches to Fas0/1.]

Connecting to your lab
In this module you will be working on the following equipment to carry out the steps defined in each
exercise.

NYCORE1
NYCORE2
NYACCESS1
PLABCSCO01

Each exercise will detail which terminal you are required to work on to carry out the steps.

During the boot up process an activity indicator will be displayed in the device name tab:

Black - Powered Off


Orange - Working on your request
Green - Ready to access

If the remote terminal is not displayed automatically in the main window (or popup), click the
Connect icon located in the toolbar to start your session.

Copyright Notice
This document and its content is copyright of Practice-IT - Practice-IT 2014. All rights reserved.
Any redistribution or reproduction of part or all of the contents in any form is prohibited other than
the following:

1) You may print or download to a local hard disk extracts for your personal and non-commercial use
only.

2) You may copy the content to individual third parties for their personal use, but only if you
acknowledge the website as the source of the material. You may not, except with our express
written permission, distribute or commercially exploit the content. Nor may you transmit it or store
it in any other website or other form of electronic retrieval system.
Exercise 1 Configuring VLANs
In this exercise you will learn how to configure VLANs, name them and assign switch ports to be
members of the specified VLANs on a Cisco switch. Please refer to your course material or use your
preferred search engine to gain an understanding of these tasks.

Configuring VLANs
Configuring VLANs on Cisco switches is a straightforward task; however, if you are working on a large
switched network then caution should always be used when creating, and especially when removing,
VLANs.

In this exercise we'll create a number of VLANs and configure interface settings so that interfaces
become members of those VLANs.

Creating a VLAN
First ensure that NYCORE1, NYCORE2 and NYACCESS1 are powered on, then power on the Cisco
Tools Server in the lab. We'll use these switches to build our VLANs, and the Cisco Tools Server will
be used for testing VLAN membership.

Step 1
To create a VLAN, connect to NYCORE1 in the lab and use the following configuration commands.

These commands give each VLAN ID a name that represents a business unit within an
organisation. You need to be in global configuration mode to create a VLAN. The commands below
create a number of VLANs: the first command specifies the VLAN ID and the second command
assigns the VLAN a name.

vlan 5
name Management
vlan 10
name InformationTech
vlan 20
name Marketing
vlan 30
name Research
vlan 40
name HumanResources

This creates five VLANs with IDs 5, 10, 20, 30 and 40. You will notice that in the output
below I have used exit sometimes and not others. You do not have to type exit once you have
configured a VLAN's settings; you can simply jump from one VLAN configuration to another by
typing vlan followed by the ID.

NYCORE1#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

NYCORE1(config)#vlan 5

NYCORE1(config-vlan)#name Management

NYCORE1(config-vlan)#exit

NYCORE1(config)#vlan 10

NYCORE1(config-vlan)#name InformationTech

NYCORE1(config-vlan)#vlan 20

NYCORE1(config-vlan)#name Marketing

NYCORE1(config-vlan)#exit

NYCORE1(config)#vlan 30

NYCORE1(config-vlan)#name Research

NYCORE1(config-vlan)#vlan 40

NYCORE1(config-vlan)#name HumanResources

NYCORE1(config-vlan)#exit

NYCORE1(config)#

Step 2
To confirm that we have configured these VLANs we can use the command:

show vlan

The output on NYCORE1:

NYCORE1#show vlan

VLAN Name Status Ports

---- -------------------------------- --------- -------------------------------

1 default active Fa1/0/1, Fa1/0/2, Fa1/0/3

Fa1/0/4, Fa1/0/5, Fa1/0/6

Fa1/0/7, Fa1/0/8, Fa1/0/9

Fa1/0/10, Fa1/0/11, Fa1/0/12

Fa1/0/13, Fa1/0/14, Fa1/0/15


Fa1/0/16, Fa1/0/17, Fa1/0/18

Fa1/0/19, Fa1/0/20, Fa1/0/21

Fa1/0/23, Fa1/0/24, Gi1/0/1

Gi1/0/2

5 Management active

10 InformationTech active

20 Marketing active

30 Research active

40 HumanResources active

1002 fddi-default act/unsup

1003 token-ring-default act/unsup

1004 fddinet-default act/unsup

1005 trnet-default act/unsup

You will notice that we have the default VLAN 1, plus some additional default VLANs (1002 to 1005)
at the end of the list.

You will also notice in the output that all the interfaces are members of VLAN 1 by default.

Step 3
Create an interface for VLAN5 (management) on NYCORE1 and assign it an IP address as follows:

interface vlan 5
ip address 192.168.16.5 255.255.255.0
no shutdown

NYCORE1#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

NYCORE1(config)#interface vlan 5

*Mar 1 00:06:36.705: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan5, changed state to up

NYCORE1(config-if)#ip address 192.168.16.5 255.255.255.0

NYCORE1(config-if)#no shutdown
Step 4
Next we will configure some interfaces to be members of a VLAN. For this example we are going to
make interfaces 8 through 16 members of the InformationTech VLAN; use the range command you
learnt in the previous module to achieve this:

interface range fastethernet 1/0/8-16
switchport mode access
switchport access vlan 10

The script for NYCORE1:

NYCORE1#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

NYCORE1(config)#interface range fastEthernet 1/0/8-16

NYCORE1(config-if-range)#switchport mode access

NYCORE1(config-if-range)#switchport access vlan 10

Notice that we use the VLAN id, not the name to make an interface a member of a VLAN.

Step 5
To view the new settings, issue the show vlan command:

NYCORE1#show vlan

VLAN Name Status Ports

---- -------------------------------- --------- -------------------------------

1 default active Fa1/0/1, Fa1/0/2, Fa1/0/3

Fa1/0/4, Fa1/0/5, Fa1/0/6

Fa1/0/7, Fa1/0/17, Fa1/0/18

Fa1/0/19, Fa1/0/20, Fa1/0/21

Fa1/0/23, Fa1/0/24, Gi1/0/1

Gi1/0/2

5 Management active

10 InformationTech active Fa1/0/8, Fa1/0/9, Fa1/0/10

Fa1/0/11, Fa1/0/12, Fa1/0/13

Fa1/0/14, Fa1/0/15, Fa1/0/16

20 Marketing active
30 Research active

40 HumanResources active
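As an added example (not part of the original lab material), the following Python parses the show vlan output above into a port-to-VLAN map. The part worth seeing is the handling of the wrapped Ports column, which continues on indented lines, and the cut before the second (Type/SAID/MTU) table, whose rows would otherwise look like more VLANs. It also lists the ports still in VLAN 1, which is the membership every port starts with. The sample output is a constructed copy of the Step 5 output; the function names are this example's own.

```python
import re

# Constructed sample mirroring the NYCORE1 "show vlan" output from Step 5 above.
# The Ports column wraps onto indented continuation lines, which is what a naive
# one-line-per-VLAN parser gets wrong.
SAMPLE_SHOW_VLAN = """\
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa1/0/1, Fa1/0/2, Fa1/0/3
                                                Fa1/0/4, Fa1/0/5, Fa1/0/6
                                                Fa1/0/7, Fa1/0/17, Fa1/0/18
                                                Fa1/0/19, Fa1/0/20, Fa1/0/21
                                                Fa1/0/23, Fa1/0/24, Gi1/0/1
                                                Gi1/0/2
5    Management                       active
10   InformationTech                  active    Fa1/0/8, Fa1/0/9, Fa1/0/10
                                                Fa1/0/11, Fa1/0/12, Fa1/0/13
                                                Fa1/0/14, Fa1/0/15, Fa1/0/16
20   Marketing                        active
30   Research                         active
40   HumanResources                   active
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1    enet  100001     1500  -      -      -        -    -        0      0
"""

_ROW = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s*(.*)$")  # id  name  status  [ports]
_CONT = re.compile(r"^\s+(\S.*)$")                    # wrapped part of the Ports column


def _split_ports(text):
    return [p.strip() for p in text.split(",") if p.strip()]


def parse_show_vlan(output):
    """Return {vlan_id: {"name", "status", "ports": [...]}} from "show vlan".

    Only the first table is read; the Type/SAID/MTU table that follows would
    otherwise be mis-read as more VLAN rows, so it is cut off first.
    """
    table = output.split("\nVLAN Type", 1)[0]
    vlans, current = {}, None
    for line in table.splitlines():
        m = _ROW.match(line)
        if m:
            current = int(m.group(1))
            vlans[current] = {"name": m.group(2), "status": m.group(3),
                              "ports": _split_ports(m.group(4))}
            continue
        m = _CONT.match(line)
        if m and current is not None:
            vlans[current]["ports"].extend(_split_ports(m.group(1)))
    return vlans


def port_to_vlan(vlans):
    """Invert the table: {"Fa1/0/8": 10, ...} for every listed access port."""
    return {port: vid for vid, v in vlans.items() for port in v["ports"]}


def ports_in_default_vlan(vlans):
    """Ports still in VLAN 1, i.e. never assigned to a VLAN (see the note in Step 2)."""
    return list(vlans.get(1, {"ports": []})["ports"])


if __name__ == "__main__":
    table = parse_show_vlan(SAMPLE_SHOW_VLAN)
    for vid, v in sorted(table.items()):
        print(f"{vid:5} {v['name']:20} {v['status']:10} {len(v['ports'])} port(s)")
    print("still in VLAN 1:", ", ".join(ports_in_default_vlan(table)))
```

Trunk ports are not listed in this table at all (Fa1/0/22 and Fa1/0/24 disappear from it once they trunk in Exercise 2), so the port-to-VLAN map covers access ports only; the show interfaces trunk output covers the rest.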

Step 6
The PLABCSCO01 server has an IP address of 192.168.16.10. Next we'll see that we are unable
to communicate with this server from a device in another VLAN. Remember that to get from one VLAN
to another, you must go through a layer 3 device.

Recall that you configured an IP address of 192.168.16.5 on the VLAN 5 interface on the NYCORE1
switch at the start of this exercise. Do you remember which VLAN interfaces are members of by
default? The server and switch have IP addresses in the same subnet, but can they communicate?
Are they in the same VLAN, and can you get from one VLAN to another?

NYCORE1#ping 192.168.16.10

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.16.10, timeout is 2 seconds:

.....

Success rate is 0 percent (0/5)

As we would have predicted, it appears that our ICMP packets are either not reaching the server, or
the replies are not getting back from the server (or both).

An ARP request would have been sent out to resolve the IP address to a MAC address, but it would
have remained incomplete, so no data would have gone anywhere:

NYCORE1#show arp

Protocol Address Age (min) Hardware Addr Type Interface

Internet 192.168.16.10 0 Incomplete ARPA

Internet 192.168.16.5 - 0024.514b.0841 ARPA Vlan5

We will resolve this problem later once we have built our network.

Viewing VLAN information


To view the VLAN information so far we have used the show vlan command. Next we'll use some
additional commands to view information about our VLANs.

The show vlan id command shows more focused information on a single VLAN. This is handy for
checking which interfaces on the switch are members of the VLAN, whether any SPAN sessions are
attached to it, its name, and so on:
NYCORE1#show vlan id 10

VLAN Name Status Ports

---- -------------------------------- --------- -------------------------------

10 InformationTech active Fa1/0/8, Fa1/0/9, Fa1/0/10

Fa1/0/11, Fa1/0/12, Fa1/0/13

Fa1/0/14, Fa1/0/15, Fa1/0/16

Fa1/0/22

VLAN Type SAID MTU Parent RingNo BridgeNo Stp BrdgMode Trans1 Trans2

---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------

10 enet 100010 1500 - - - - - 0 0

Remote SPAN VLAN

----------------

Disabled

Primary Secondary Type Ports

------- --------- ----------------- ------------------------------------------

A fantastic command that displays some in-depth information is the show interfaces switchport
command:

show interfaces fastethernet 1/0/1 switchport

Output on NYCORE1:

NYCORE1#show interfaces fastEthernet 1/0/1 switchport

Name: Fa1/0/1

Switchport: Enabled

Administrative Mode: dynamic auto

Operational Mode: down

Administrative Trunking Encapsulation: negotiate

Negotiation of Trunking: On

Access Mode VLAN: 1 (default)

Trunking Native Mode VLAN: 1 (default)

Administrative Native VLAN tagging: enabled

Voice VLAN: none


Administrative private-vlan host-association: none

Administrative private-vlan mapping: none

Administrative private-vlan trunk native VLAN: none

Administrative private-vlan trunk Native VLAN tagging: enabled

Administrative private-vlan trunk encapsulation: dot1q

Administrative private-vlan trunk normal VLANs: none

Administrative private-vlan trunk associations: none

Administrative private-vlan trunk mappings: none

Operational private-vlan: none

Trunking VLANs Enabled: ALL

Pruning VLANs Enabled: 2-1001

Capture Mode Disabled

Capture VLANs Allowed: ALL

Protected: false

Unknown unicast blocked: disabled

Unknown multicast blocked: disabled

Appliance trust: none

This shows a wealth of information on the interface: VLAN membership, access lists, native VLAN,
voice VLAN and much more.

The next command that shows some detailed information is the show dtp interface command.
It can be useful to see whether the port is participating in STP, which mode the interface is in,
when it last came up, when it last went down, and so on.

View the output from the following two commands; observe the differences between a trunk link
and an access port:

show dtp interface fastethernet 1/0/16

The output on NYCORE1:

NYCORE1#show dtp interface fastEthernet 1/0/16

DTP information for FastEthernet1/0/16:

TOS/TAS/TNS: ACCESS/OFF/ACCESS

TOT/TAT/TNT: NATIVE/NEGOTIATE/NATIVE
Neighbor address 1: 000000000000

Neighbor address 2: 000000000000

Hello timer expiration (sec/state): never/STOPPED

Access timer expiration (sec/state): never/STOPPED

Negotiation timer expiration (sec/state): never/STOPPED

Multidrop timer expiration (sec/state): never/STOPPED

FSM state: S1:OFF

# times multi & trunk 0

Enabled: no

In STP: no

Statistics

----------

0 packets received (0 good)

0 packets dropped

0 nonegotiate, 0 bad version, 0 domain mismatches,

0 bad TLVs, 0 bad TAS, 0 bad TAT, 0 bad TOT, 0 other

0 packets output (0 good)

0 native, 0 software encap isl, 0 isl hardware native

0 output errors

0 trunk timeouts

1 link ups, last link up on Mon Mar 01 1993, 00:01:47

1 link downs, last link down on Mon Mar 01 1993, 00:08:20


show dtp interface fastethernet 1/0/24

The output on NYCORE1:

NYCORE1#show dtp interface fastEthernet 1/0/24

DTP information for FastEthernet1/0/24:

TOS/TAS/TNS: ACCESS/OFF/ACCESS

TOT/TAT/TNT: NATIVE/NEGOTIATE/NATIVE

Neighbor address 1: 000000000000

Neighbor address 2: 000000000000

Hello timer expiration (sec/state): never/STOPPED

Access timer expiration (sec/state): never/STOPPED

Negotiation timer expiration (sec/state): never/STOPPED

Multidrop timer expiration (sec/state): never/STOPPED

FSM state: S1:OFF

# times multi & trunk 0

Enabled: no

In STP: no

Statistics

----------

1 packets received (0 good)

1 packets dropped

0 nonegotiate, 0 bad version, 0 domain mismatches,

0 bad TLVs, 0 bad TAS, 0 bad TAT, 0 bad TOT, 1 other

0 packets output (0 good)

0 native, 0 software encap isl, 0 isl hardware native

0 output errors

0 trunk timeouts

1 link ups, last link up on Mon Mar 01 1993, 00:01:49

1 link downs, last link down on Mon Mar 01 1993, 00:02:07

Extending this configuration


Continue to the next exercise to configure trunks and see the VLANs configured here come to life.
Exercise 2 Configuring Trunk Links
In this exercise you will learn how to configure trunk links. Use your course information or use your
preferred search engine to gain an understanding of these tasks.

Configuring trunk links between switches


In this exercise we are going to configure trunk links between our 3 switches. If you have not
continued on from the previous exercise then you will need to complete that exercise first before
continuing this one.

Trunk links, as you will have learnt, enable a number of VLANs to traverse a single link. In the previous
exercise we configured a single interface to be a member of a VLAN. Imagine if you had to connect
to another switch with just a single VLAN per link; what if you had 100 VLANs on a switch? This is
where trunk links come into play.

Almost every switch I have ever configured always has more than one VLAN on it. At a minimum you
normally have two, one for the devices attached to the switch and a separate one for the
management of the switch itself (normally not on VLAN 1). Then of course you want all this to be
redundant so you set up a second link and have all the VLANs coming out of that interface too.

Let's configure a trunk link between NYCORE1 and NYCORE2. These two switches have two
FastEthernet connections between them, and we'll trunk the VLANs previously configured on
NYCORE1 down one of these interfaces.

Step 1
Connect to NYCORE2 in the lab and confirm that there is no VLAN configuration:

NYCORE2#sho vlan

VLAN Name Status Ports

---- -------------------------------- --------- -------------------------------

1 default active Fa1/0/1, Fa1/0/2, Fa1/0/3

Fa1/0/4, Fa1/0/5, Fa1/0/6

Fa1/0/7, Fa1/0/8, Fa1/0/9

Fa1/0/10, Fa1/0/11, Fa1/0/12

Fa1/0/13, Fa1/0/14, Fa1/0/15

Fa1/0/16, Fa1/0/17, Fa1/0/18

Fa1/0/19, Fa1/0/20, Fa1/0/21

Fa1/0/23, Fa1/0/24, Gi1/0/1

Gi1/0/2

1002 fddi-default act/unsup


1003 token-ring-default act/unsup

1004 fddinet-default act/unsup

1005 trnet-default act/unsup

VLAN Type SAID MTU Parent RingNo BridgeNo Stp BrdgMode Trans1 Trans2

---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------

1 enet 100001 1500 - - - - - 0 0

1002 fddi 101002 1500 - - - - - 0 0

1003 tr 101003 1500 - - - - - 0 0

1004 fdnet 101004 1500 - - - ieee - 0 0

As we can see from the output of the show vlan command, there is no VLAN configuration
other than the defaults.

We need to put a base configuration on NYCORE2, including the VLANs that we created on
NYCORE1:

vlan 5
name Management
vlan 10
name InformationTech
vlan 20
name Marketing
vlan 30
name Research
vlan 40
name HumanResources

Script from NYCORE2:

NYCORE2#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

NYCORE2(config)#vlan 5

NYCORE2(config-vlan)#name Management

NYCORE2(config-vlan)#vlan 10

NYCORE2(config-vlan)#name InformationTech
NYCORE2(config-vlan)#vlan 20

NYCORE2(config-vlan)#name Marketing

NYCORE2(config-vlan)#vlan 30

NYCORE2(config-vlan)#name Research

NYCORE2(config-vlan)#vlan 40

NYCORE2(config-vlan)#name JumanResources

NYCORE2(config-vlan)#name HumanResources

NYCORE2(config-vlan)#exit

NYCORE2(config)#

Step 2
Next we will configure a trunk link. For this example we will configure a trunk on interface
FastEthernet 1/0/24 on both switches. We should configure the trunk link at both ends, which means
configuring both NYCORE1 and NYCORE2 with the following commands:

interface fastethernet 1/0/24
switchport trunk encapsulation dot1q
switchport trunk allowed vlan all
switchport mode trunk

Note: There is no requirement for the command switchport trunk allowed vlan all.

NYCORE1#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

NYCORE1(config)#interface fastethernet 1/0/24

NYCORE1(config-if)#switchport trunk encapsulation dot1q

NYCORE1(config-if)#switchport trunk allowed vlan all

NYCORE1(config-if)#switchport mode trunk

Repeat this process on NYCORE2.

NYCORE2#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

NYCORE2(config)#interface fastEthernet 1/0/24

NYCORE2(config-if)#switchport trunk encapsulation dot1q

NYCORE2(config-if)#switchport trunk allowed vlan all


NYCORE2(config-if)#switchport mode trunk

To confirm the trunk is operational use the following commands:

show interfaces trunk

The output from this command on NYCORE2:

NYCORE2#show interfaces trunk

Port Mode Encapsulation Status Native vlan

Fa1/0/22 auto n-802.1q trunking 1

Fa1/0/24 on 802.1q trunking 1

Port Vlans allowed on trunk

Fa1/0/22 1-4094

Fa1/0/24 1-4094

Port Vlans allowed and active in management domain

Fa1/0/22 1,5,10,20,30,40

Fa1/0/24 1,5,10,20,30,40

Port Vlans in spanning tree forwarding state and not pruned

Fa1/0/22 1,5,10,20,30,40

Fa1/0/24 1,5,10,20,30,40

show interfaces fastethernet 1/0/24 trunk

The output from this command on NYCORE2:

NYCORE2#show interfaces fastEthernet 1/0/24 trunk

Port Mode Encapsulation Status Native vlan

Fa1/0/24 on 802.1q trunking 1

Port Vlans allowed on trunk

Fa1/0/24 1-4094

Port Vlans allowed and active in management domain

Fa1/0/24 1,5,10,20,30,40

Port Vlans in spanning tree forwarding state and not pruned


Fa1/0/24 1,5,10,20,30,40

show interfaces status

The output from this command on NYCORE2 (most of the output has been omitted):

NYCORE2#show interfaces status

Port Name Status Vlan Duplex Speed Type

Fa1/0/24 connected trunk a-full a-100 10/100BaseTX

Notice that the VLANs allowed on the trunk is essentially all VLANs, and that the "allowed and
active" list includes all the VLANs present on the switch. Also note the native VLAN: if the trunk fails,
this is the VLAN that will be active. As an extra point, which VLAN do you think you should set
this to?

Proving the trunk


Next we want to prove that our trunk link works. Recall in exercise 1 that we configured an IP
address on NYCORE1 and were unable to communicate with the PLABCSCO01 server? Let's
add an IP address to NYCORE2 to confirm that our trunk and VLAN work.

Step 1
Configure interface VLAN 5 on NYCORE2 with an IP address of 192.168.16.6/24. Please note that
layer 3 switching is covered in a separate module.

interface vlan 5
ip address 192.168.16.6 255.255.255.0
no shutdown

NYCORE2#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

NYCORE2(config)#interface vlan 5

NYCORE2(config-if)#ip address 192.168.16.6 255.255.255.0

NYCORE2(config-if)#no shutdown

Step 2
Now let's see if we can communicate with NYCORE1 at 192.168.16.5:

ping 192.168.16.5
Output from NYCORE2:

NYCORE2#ping 192.168.16.5

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.16.5, timeout is 2 seconds:

.!!!!

Success rate is 80 percent (4/5), round-trip min/avg/max = 1/2/8 ms

Our trunk link works!

Restricting VLANs on a trunk


There are a number of ways to ensure a trunk link only carries the traffic that you want it to.

You may want to do this for a number of reasons. Personally, I prefer to nail down the VLANs that
are allowed on trunks, as this stops admins from simply adding users to VLANs that shouldn't really
be on that switch. Later you will see that VTP allows you to add VLANs all over your switched
network with ease, and this is when things can rapidly get out of hand unless you keep a tight
leash on them.

To remove a VLAN from a trunk you can use the following commands:

switchport trunk allowed vlan remove 10

switchport trunk allowed vlan all except 10

Both of these examples remove VLAN 10 from the trunk link:

NYCORE2#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

NYCORE2(config)#interface fas

NYCORE2(config)#interface fastEthernet 1/0/24

NYCORE2(config-if)#switchport trunk allowed vlan remove 10

Confirm using the show interface trunk command:

NYCORE2#show interfaces trunk

Port Mode Encapsulation Status Native vlan

Fa1/0/22 auto n-802.1q trunking 1

Fa1/0/24 on 802.1q trunking 1

Port Vlans allowed on trunk


Fa1/0/22 1-4094

Fa1/0/24 1-9,11-4094

Port Vlans allowed and active in management domain

Fa1/0/22 1,5,10,20,30,40

Fa1/0/24 1,5,20,30,40

Port Vlans in spanning tree forwarding state and not pruned

Fa1/0/22 1,5,10,20,30,40

Fa1/0/24 1,5,20,30,40

A VLAN only has to be removed at one end for the setting to take effect (however, this is NOT
recommended, as packets from the removed VLAN will still traverse the link only to be dropped at
the other end, a waste of valuable bandwidth!). Observe the output from the same command on
NYCORE1.
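Two points made in this exercise can be checked from show interfaces trunk output rather than by eye: the one just above (a VLAN removed at one end only still crosses the link to be dropped) and the earlier observation that a fresh trunk allows 1-4094 with the native VLAN left at 1. The Python below is an added example, not code from the lab: it expands IOS's compact VLAN lists such as 1-9,11-4094 into sets, parses the four sections of the output from each switch, and compares both ends of Fa1/0/24. The NYCORE2 sample is a constructed copy of the output above; the NYCORE1 sample is derived from it by putting VLAN 10 back, which is what the unchanged end looks like. Function names are this example's own.

```python
# Constructed samples mirroring the "show interfaces trunk" outputs above: NYCORE2
# after "switchport trunk allowed vlan remove 10" on Fa1/0/24, and NYCORE1, where
# nothing was removed (derived from the NYCORE2 text by restoring VLAN 10).
NYCORE2_TRUNK = """\
Port        Mode         Encapsulation  Status        Native vlan
Fa1/0/22    auto         n-802.1q       trunking      1
Fa1/0/24    on           802.1q         trunking      1

Port        Vlans allowed on trunk
Fa1/0/22    1-4094
Fa1/0/24    1-9,11-4094

Port        Vlans allowed and active in management domain
Fa1/0/22    1,5,10,20,30,40
Fa1/0/24    1,5,20,30,40

Port        Vlans in spanning tree forwarding state and not pruned
Fa1/0/22    1,5,10,20,30,40
Fa1/0/24    1,5,20,30,40
"""
NYCORE1_TRUNK = (NYCORE2_TRUNK.replace("1-9,11-4094", "1-4094")
                              .replace("1,5,20,30,40", "1,5,10,20,30,40"))

ALL_VLANS = frozenset(range(1, 4095))


def expand_vlan_list(spec):
    """Turn IOS's compact form ('1-9,11-4094', '1,5,20', 'none') into a set of ids."""
    vlans = set()
    if spec.strip().lower() == "none":
        return vlans
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def parse_show_trunk(output):
    """Return {port: {mode, encapsulation, status, native, allowed, active, forwarding}}."""
    trunks, section = {}, None
    for line in output.splitlines():
        if not line.strip():
            continue
        if line.startswith("Port"):          # each header line names the section that follows
            if "Mode" in line:
                section = "status"
            elif "allowed and active" in line:
                section = "active"
            elif "allowed on trunk" in line:
                section = "allowed"
            elif "forwarding" in line:
                section = "forwarding"
            continue
        fields = line.split()
        entry = trunks.setdefault(fields[0], {})
        if section == "status":
            entry.update(mode=fields[1], encapsulation=fields[2],
                         status=fields[3], native=int(fields[4]))
        elif section is not None:
            entry[section] = expand_vlan_list(fields[1])
    return trunks


def audit_trunk(port, entry):
    """Single-switch hygiene checks drawn from the points made in this exercise."""
    findings = []
    if entry["allowed"] == ALL_VLANS:
        findings.append(f"{port}: all 1-4094 VLANs allowed on the trunk")
    if entry["native"] == 1:
        findings.append(f"{port}: native VLAN left at the default of 1")
    return findings


def compare_trunk_ends(local, remote):
    """One link as seen from both switches: VLANs allowed at one end only cross the
    link just to be dropped at the other, and the native VLANs must agree."""
    return {
        "allowed_only_here": local["allowed"] - remote["allowed"],
        "allowed_only_there": remote["allowed"] - local["allowed"],
        "native_mismatch": local["native"] != remote["native"],
    }


if __name__ == "__main__":
    ny1, ny2 = parse_show_trunk(NYCORE1_TRUNK), parse_show_trunk(NYCORE2_TRUNK)
    for port in ny2:
        print(*audit_trunk(port, ny2[port]), sep="\n")
    print("Fa1/0/24 from NYCORE2's side:", compare_trunk_ends(ny2["Fa1/0/24"], ny1["Fa1/0/24"]))
```

Run against the outputs on both switches after the remove command, the comparison reports VLAN 10 as allowed only on the NYCORE1 end, which is exactly the asymmetry the paragraph above warns about.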

Adding VLANs to a trunk is very similar:

switchport trunk allowed vlan add 10

switchport trunk allowed vlan all

The script from NYCORE2:

NYCORE2#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

NYCORE2(config)#interface fastEthernet 1/0/24

NYCORE2(config-if)#switchport trunk allowed vlan add 10

Confirm that the VLAN has been added using the show interfaces trunk command.

Changing the trunking mode


Earlier the trunk was hard set when we used the command switchport mode trunk; this setting
can be seen using the show interfaces fastethernet 1/0/24 switchport command:

NYCORE1#show interfaces fastEthernet 1/0/24 switchport

Name: Fa1/0/24

Switchport: Enabled

Administrative Mode: trunk


Operational Mode: trunk

Administrative Trunking Encapsulation: dot1q

Operational Trunking Encapsulation: dot1q

Negotiation of Trunking: On

Access Mode VLAN: 1 (default)

Trunking Native Mode VLAN: 1 (default)

However, if you want to set the configuration so that a trunk link is desirable or even off you can use
the following commands:

switchport mode dynamic desirable

switchport mode dynamic auto

The following configures the interface trunking mode as desirable on NYCORE1:

NYCORE1#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

NYCORE1(config)#interface fastEthernet 1/0/24

NYCORE1(config-if)#switchport mode dynamic desirable

You can view the change in trunk state using the show interfaces fastethernet 1/0/24 switchport
command:

NYCORE1#show interfaces fastEthernet 1/0/24 switchport

Name: Fa1/0/24

Switchport: Enabled

Administrative Mode: dynamic desirable

The show interfaces status command also shows the operational state of an interface:

NYCORE1#show interfaces status

Port Name Status Vlan Duplex Speed Type

Fa1/0/1 notconnect 1 auto auto 10/100BaseTX

Fa1/0/2 connected 1 a-full a-100 10/100BaseTX

Fa1/0/3 notconnect 1 auto auto 10/100BaseTX

Fa1/0/4 notconnect 1 auto auto 10/100BaseTX

Fa1/0/5 notconnect 1 auto auto 10/100BaseTX


Fa1/0/6 notconnect 1 auto auto 10/100BaseTX

Fa1/0/7 notconnect 1 auto auto 10/100BaseTX

Fa1/0/8 notconnect 10 auto auto 10/100BaseTX

Fa1/0/9 notconnect 10 auto auto 10/100BaseTX

Fa1/0/10 notconnect 10 auto auto 10/100BaseTX

Fa1/0/11 notconnect 10 auto auto 10/100BaseTX

Fa1/0/12 notconnect 10 auto auto 10/100BaseTX

Fa1/0/13 notconnect 10 auto auto 10/100BaseTX

Fa1/0/14 notconnect 10 auto auto 10/100BaseTX

Fa1/0/15 notconnect 10 auto auto 10/100BaseTX

Fa1/0/16 connected 10 a-full a-100 10/100BaseTX

Fa1/0/17 notconnect 1 auto auto 10/100BaseTX

Fa1/0/18 notconnect 1 auto auto 10/100BaseTX

Fa1/0/19 notconnect 1 auto auto 10/100BaseTX

Fa1/0/20 notconnect 1 auto auto 10/100BaseTX

Fa1/0/21 notconnect 1 auto auto 10/100BaseTX

Fa1/0/22 connected trunk a-full a-100 10/100BaseTX

Fa1/0/23 connected 1 a-full a-100 10/100BaseTX

Fa1/0/24 connected trunk a-full a-100 10/100BaseTX

As you can see in the output, the Fa1/0/24 interface is set to a trunk (you will also notice a number
of other interfaces are also in a trunked state; do you know why?).

Also view the output from the show dtp interface fastethernet 1/0/24 command:

NYCORE1#show dtp interface fastEthernet 1/0/24

DTP information for FastEthernet1/0/24:

TOS/TAS/TNS: TRUNK/DESIRABLE/TRUNK

TOT/TAT/TNT: 802.1Q/802.1Q/802.1Q
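The question of why other interfaces are trunking is easier to answer when Administrative Mode and Negotiation of Trunking are read for every port at once rather than one show command at a time. The Python below is an added example (not code from the lab): it splits a multi-port show interfaces switchport listing into per-port records and flags ports whose trunk state is decided by DTP negotiation, plus hard-set ports that still send DTP frames. The Fa1/0/1 and Fa1/0/24 blocks are copied from the outputs in this module; the Fa1/0/16 block is constructed to show what an access port from Exercise 1 looks like. Function names are this example's own.

```python
# Constructed sample stitched from the "show interfaces ... switchport" outputs on
# NYCORE1 in this module: Fa1/0/1 untouched (dynamic auto), Fa1/0/24 after
# "switchport mode dynamic desirable", plus a Fa1/0/16 block written here to show
# an access port (not taken from the page).
SAMPLE_SWITCHPORT = """\
Name: Fa1/0/1
Switchport: Enabled
Administrative Mode: dynamic auto
Operational Mode: down
Administrative Trunking Encapsulation: negotiate
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)

Name: Fa1/0/16
Switchport: Enabled
Administrative Mode: static access
Operational Mode: static access
Administrative Trunking Encapsulation: negotiate
Negotiation of Trunking: Off
Access Mode VLAN: 10 (InformationTech)
Trunking Native Mode VLAN: 1 (default)

Name: Fa1/0/24
Switchport: Enabled
Administrative Mode: dynamic desirable
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
"""


def parse_switchport(output):
    """Split the listing into one {field: value} dict per 'Name:' block."""
    ports, current = {}, None
    for line in output.splitlines():
        key, sep, value = line.partition(":")
        if not sep:                       # blank line or separator, nothing to keep
            continue
        key, value = key.strip(), value.strip()
        if key == "Name":
            current = ports.setdefault(value, {})
        elif current is not None:
            current[key] = value
    return ports


def vlan_number(field):
    """'10 (InformationTech)' -> 10; '1 (default)' -> 1."""
    return int(field.split()[0])


def trunk_decision(entry):
    """Who decides whether this port trunks: the configuration, or DTP at link-up."""
    admin = entry["Administrative Mode"]
    if admin.startswith("dynamic"):
        return "negotiated"
    return "trunk" if admin == "trunk" else "access"


def audit_switchports(ports):
    """Ports whose trunk state is negotiable, and fixed ports that still talk DTP."""
    findings = []
    for name, entry in ports.items():
        if trunk_decision(entry) == "negotiated":
            findings.append(f"{name}: {entry['Administrative Mode']}, trunk state is left "
                            f"to DTP (operational mode {entry['Operational Mode']})")
        elif entry.get("Negotiation of Trunking") == "On":
            findings.append(f"{name}: mode is fixed but DTP frames are still sent")
    return findings


if __name__ == "__main__":
    ports = parse_switchport(SAMPLE_SWITCHPORT)
    for name, entry in ports.items():
        print(name, trunk_decision(entry), "access VLAN", vlan_number(entry["Access Mode VLAN"]))
    print(*audit_switchports(ports), sep="\n")
```

A port left at dynamic auto, as Fa1/0/1 is by default here, will form a trunk as soon as the device on the other end asks for one; switchport mode access takes the port out of that negotiation (Negotiation of Trunking reads Off for Fa1/0/16), and on a port hard set with switchport mode trunk the command switchport nonegotiate stops the DTP frames that are otherwise still sent.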

Broken trunks and native VLANs


So we have a working trunk link, but what happens if it breaks for some reason? The native VLAN is
the fall-back VLAN that will be used in the event that a trunk link fails. Ultimately you would want
management of your switch in this scenario so that you can fix the underlying problem; therefore,
whichever VLAN your switch uses for management, it's this VLAN that (I would recommend) you
use for your native VLAN.

Step 1
On NYCORE2 we configured an address on VLAN 5. Let's set VLAN 5 as the native VLAN (this should
be set at both ends, otherwise CDP picks up on the problem and continually warns you; although this is
not a major issue, it's not good practice).

Use the following command on Fastethernet 1/0/24 on both NYCORE1 and NYCORE2 switches:

switchport trunk native vlan 5

NYCORE2#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

NYCORE2(config)#interface fastEthernet 1/0/24

NYCORE2(config-if)#switchport trunk native vlan 5

Notice the CDP error on NYCORE2 (you will need to leave the configuration off of NYCORE2 for a
minute for the error to occur):

*Mar 1 00:42:01.791: %SPANTREE-2-RECV_PVID_ERR: Received BPDU with inconsistent peer vlan id 1 on FastEthernet1/0/24 VLAN5.

*Mar 1 00:42:01.791: %SPANTREE-2-BLOCK_PVID_PEER: Blocking FastEthernet1/0/24 on VLAN0001. Inconsistent peer vlan.

*Mar 1 00:42:01.791: %SPANTREE-2-BLOCK_PVID_LOCAL: Blocking FastEthernet1/0/24 on VLAN0005. Inconsistent local vlan.

*Mar 1 00:42:23.115: %CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on FastEthernet1/0/24 (5), with NYCORE1.practice-labs.com FastEthernet1/0/24 (1).

Then we add the configuration to NYCORE1:

NYCORE1#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

NYCORE1(config)#interface fastEthernet 1/0/24

NYCORE1(config-if)#switchport trunk native vlan 5

Once configured you will notice the log message generated:

*Mar 1 00:43:57.638: %SPANTREE-2-UNBLOCK_CONSIST_PORT: Unblocking FastEthernet1/0/24 on VLAN0005. Port consistency restored.

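The messages printed during this step are what a syslog collector should key on, since a native VLAN mismatch can persist silently if nobody is watching the console. As an added example (not part of the lab), the Python below parses IOS syslog lines of this shape into facility, severity and mnemonic, pulls the local and peer native VLANs out of the %CDP-4-NATIVE_VLAN_MISMATCH message, and keeps track of which VLANs spanning tree has blocked on the port and not yet unblocked. The sample lines are the ones printed by NYCORE2 and NYCORE1 above, joined back onto single lines; function names are this example's own.

```python
import re

# Constructed sample: the messages NYCORE2 and then NYCORE1 printed above while the
# native VLANs on Fa1/0/24 disagreed, joined back onto single lines.
SAMPLE_LOG = """\
*Mar  1 00:42:01.791: %SPANTREE-2-RECV_PVID_ERR: Received BPDU with inconsistent peer vlan id 1 on FastEthernet1/0/24 VLAN5.
*Mar  1 00:42:01.791: %SPANTREE-2-BLOCK_PVID_PEER: Blocking FastEthernet1/0/24 on VLAN0001. Inconsistent peer vlan.
*Mar  1 00:42:01.791: %SPANTREE-2-BLOCK_PVID_LOCAL: Blocking FastEthernet1/0/24 on VLAN0005. Inconsistent local vlan.
*Mar  1 00:42:23.115: %CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on FastEthernet1/0/24 (5), with NYCORE1.practice-labs.com FastEthernet1/0/24 (1).
*Mar  1 00:43:57.638: %SPANTREE-2-UNBLOCK_CONSIST_PORT: Unblocking FastEthernet1/0/24 on VLAN0005. Port consistency restored.
"""

# IOS syslog shape: [*]timestamp: %FACILITY-SEVERITY-MNEMONIC: message
_SYSLOG = re.compile(r"^\*?(?P<ts>\w{3}\s+\d+\s+[\d:.]+):\s+%(?P<facility>[A-Z0-9_]+)"
                     r"-(?P<sev>\d)-(?P<mnemonic>[A-Z0-9_]+):\s+(?P<msg>.*)$")
_MISMATCH = re.compile(r"Native VLAN mismatch discovered on (\S+) \((\d+)\), "
                       r"with (\S+) (\S+) \((\d+)\)")
_BLOCK = re.compile(r"^(Blocking|Unblocking) (\S+) on VLAN(\d+)\.")


def parse_syslog(text):
    """One dict per recognised line; lines that do not fit the shape are skipped."""
    events = []
    for line in text.splitlines():
        m = _SYSLOG.match(line)
        if m:
            ev = m.groupdict()
            ev["sev"] = int(ev["sev"])
            events.append(ev)
    return events


def native_vlan_mismatches(events):
    """Local and peer port plus native VLAN from every CDP mismatch message."""
    found = []
    for ev in events:
        if ev["mnemonic"] != "NATIVE_VLAN_MISMATCH":
            continue
        m = _MISMATCH.search(ev["msg"])
        if m:
            found.append({"local_port": m.group(1), "local_native": int(m.group(2)),
                          "peer": m.group(3), "peer_port": m.group(4),
                          "peer_native": int(m.group(5))})
    return found


def still_blocked(events):
    """Per port, VLANs that spanning tree blocked for a PVID inconsistency and has
    not unblocked within the captured lines."""
    blocked = {}
    for ev in events:
        if ev["facility"] != "SPANTREE":
            continue
        m = _BLOCK.match(ev["msg"])
        if not m:
            continue
        action, port, vlan = m.group(1), m.group(2), int(m.group(3))
        vlans = blocked.setdefault(port, set())
        if action == "Blocking":
            vlans.add(vlan)
        else:
            vlans.discard(vlan)
    return {port: vlans for port, vlans in blocked.items() if vlans}


if __name__ == "__main__":
    events = parse_syslog(SAMPLE_LOG)
    for mm in native_vlan_mismatches(events):
        print(f"{mm['local_port']} native {mm['local_native']} vs "
              f"{mm['peer']} {mm['peer_port']} native {mm['peer_native']}")
    print("blocked VLANs per port after these lines:", still_blocked(events))
```

Within the lines captured here only VLAN 5 is reported as unblocked, so the tracker still lists VLAN 1 as blocked on Fa1/0/24; the check is only as complete as the log it is fed, which is the point of collecting every line rather than the one you happened to see on the console.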
Continue to the next exercise leaving your lab switches in their current state.
Exercise 3 Configuring VTP
In this exercise you will learn how to configure VTP (VLAN Trunking Protocol) and use it to take away
the burden of configuring VLANs on every switch in your environment. Please refer to your course
material or use your preferred search engine to gain an understanding of these tasks.

Creating a VTP server


The first step in configuring VTP is to set up our server (or servers). As we have already configured
VLANs on NYCORE1 and NYCORE2 we can configure these as servers, and use NYACCESS1 as a
client to see the benefits of VTP.

Note: This exercise assumes you are continuing on from exercise 1 and 2 in this module, if you are
not you will need to make the configuration changes to the lab that are outlined in the previous
exercises.

Step 1
On NYCORE1, check to see which VTP operating mode the switch is running in by using the following
command:

show vtp status

The output from this command on NYCORE1:

NYCORE1#show vtp status

VTP Version capable : 1 to 3

VTP version running : 1

VTP Domain Name :

VTP Pruning Mode : Disabled

VTP Traps Generation : Disabled

Device ID : 0024.514b.0800

Configuration last modified by 0.0.0.0 at 3-1-93 00:03:27

Local updater ID is 192.168.16.5 on interface Vl5 (lowest numbered VLAN interface found)

Feature VLAN:

--------------

VTP Operating Mode : Server

Maximum VLANs supported locally : 1005

Number of existing VLANs : 10

Configuration Revision : 5
MD5 digest : 0x46 0x05 0x29 0x2B 0x51 0x01 0xD6 0xB7

0x36 0x4E 0x87 0xC9 0x4D 0xE7 0x3A 0xAA

Use the same command on NYCORE2 and you will notice that both switches are already VTP servers. As
there is no domain name, the switches won't exchange any information. Also note, which is very
important, the configuration revision displayed in this output (in my output the revision
number is 5).

You can also see that the VTP version running is version 1. In the next step we'll change this to
version 2.
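The domain name, operating mode and configuration revision the text calls out can be pulled from show vtp status and compared across switches before anything is changed. The Python below is an added example (not code from the lab): it parses that output, including the MD5 digest that wraps onto a second line, and reports for a set of switches whether they share a domain and digest and which one holds the highest revision. In a VTP domain the advertisement with the higher revision replaces lower ones on switches whose domain and password match, which is why the text flags that number. The NYCORE1 sample is a copy of the Step 1 output above; the second switch's output is constructed by editing it, and the function names are this example's own.

```python
import re

# The "show vtp status" output NYCORE1 printed in Step 1 above, kept here as a
# constructed sample string (note the MD5 digest wraps onto a second line).
NYCORE1_VTP = """\
VTP Version capable             : 1 to 3
VTP version running             : 1
VTP Domain Name                 :
VTP Pruning Mode                : Disabled
VTP Traps Generation            : Disabled
Device ID                       : 0024.514b.0800
Configuration last modified by 0.0.0.0 at 3-1-93 00:03:27
Local updater ID is 192.168.16.5 on interface Vl5 (lowest numbered VLAN interface found)

Feature VLAN:
--------------
VTP Operating Mode                : Server
Maximum VLANs supported locally   : 1005
Number of existing VLANs          : 10
Configuration Revision            : 5
MD5 digest                        : 0x46 0x05 0x29 0x2B 0x51 0x01 0xD6 0xB7
                                    0x36 0x4E 0x87 0xC9 0x4D 0xE7 0x3A 0xAA
"""

# Constructed second switch: already in the practicelabs domain, two revisions
# ahead of NYCORE1, with a made-up digest.
OTHER_VTP = re.sub(r"(Domain Name\s*:).*", r"\1 practicelabs", NYCORE1_VTP)
OTHER_VTP = re.sub(r"(Configuration Revision\s*:).*", r"\1 7", OTHER_VTP)
OTHER_VTP = OTHER_VTP.replace("0x46 0x05", "0xAA 0xBB")

_FIELD = re.compile(r"^([A-Za-z][A-Za-z0-9 ]*?)\s*:\s*(.*)$")
_MODIFIED = re.compile(r"^Configuration last modified by (\S+) at (.+)$")
_KEYS = {"vtp domain name": "domain", "vtp version running": "version",
         "vtp operating mode": "mode", "configuration revision": "revision",
         "number of existing vlans": "vlan_count", "device id": "device_id",
         "md5 digest": "md5"}


def parse_vtp_status(output):
    """Pick the fields this exercise cares about out of "show vtp status"."""
    st = {"md5": [], "domain": ""}
    for line in output.splitlines():
        m = _MODIFIED.match(line)           # has colons in the time, so handle it first
        if m:
            st["last_modified_by"], st["last_modified_at"] = m.groups()
            continue
        if line.startswith(" ") and "0x" in line:   # wrapped second line of the digest
            st["md5"].extend(line.split())
            continue
        m = _FIELD.match(line)
        if not m:
            continue
        key = _KEYS.get(m.group(1).strip().lower())
        value = m.group(2).strip()
        if key is None:
            continue
        if key in ("version", "revision", "vlan_count"):
            st[key] = int(value)
        elif key == "md5":
            st[key] = value.split()
        elif key == "mode":
            st[key] = value.lower()
        else:
            st[key] = value
    return st


def vtp_findings(hostname, st):
    """Per-switch observations matching the points made in the text."""
    findings = []
    if not st["domain"]:
        findings.append(f"{hostname}: no VTP domain name, so it exchanges nothing with neighbours")
    if st["mode"] == "server":
        findings.append(f"{hostname}: server at revision {st['revision']}; in a matching "
                        "domain a higher revision replaces lower ones")
    return findings


def compare_vtp(statuses):
    """statuses: {hostname: parsed status}. Cross-switch view of domain, digest and revision."""
    by_rev = sorted(statuses.items(), key=lambda kv: kv[1]["revision"])
    return {
        "domains": {st["domain"] for st in statuses.values()},
        "digests_agree": len({tuple(st["md5"]) for st in statuses.values()}) == 1,
        "highest_revision": (by_rev[-1][0], by_rev[-1][1]["revision"]),
        "revision_spread": by_rev[-1][1]["revision"] - by_rev[0][1]["revision"],
    }


if __name__ == "__main__":
    statuses = {"NYCORE1": parse_vtp_status(NYCORE1_VTP), "NYCORE2": parse_vtp_status(OTHER_VTP)}
    for host, st in statuses.items():
        print(*vtp_findings(host, st), sep="\n")
    print(compare_vtp(statuses))
```

Matching digests across the switches mean they hold the same VLAN database; a differing digest together with a higher revision on one switch is the condition to look at before that switch is connected to the rest of the domain.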

Step 2
Next we'll change the domain name and set up a password so that we exchange information only
with authenticated peers.

Repeat these commands in global configuration mode on both NYCORE1 and NYCORE2:

vtp domain practicelabs
vtp version 2
vtp password labs123

Script on NYCORE1:

NYCORE1#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

NYCORE1(config)#vtp domain practicelabs

Changing VTP domain name from NULL to practicelabs

*Mar 1 00:49:03.008: %SW_VLAN-6-VTP_DOMAIN_NAME_CHG: VTP domain name changed to practicelabs.

NYCORE1(config)#vtp version 2

NYCORE1(config)#vtp password labs123

Setting device VTP password to labs123

You will notice that when you configure the second switch, some of the commands report
that the domain and version have already been set!

NYCORE2#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

NYCORE2(config)#vtp domain practicelabs


Domain name already set to practicelabs.

NYCORE2(config)#vtp version 2

VTP version is already in V2.

NYCORE2(config)#vtp password labs123

Setting device VTP password to labs123

Step 3
Next we will test VTP functionality by creating a new VLAN on NYCORE1 and seeing whether this VLAN
information gets propagated to NYCORE2. First verify the VLAN database by using the show vlan
command:

NYCORE1#show vlan

VLAN Name Status Ports

---- -------------------------------- --------- -------------------------------

1 default active Fa1/0/1, Fa1/0/2, Fa1/0/3

Fa1/0/4, Fa1/0/5, Fa1/0/6

Fa1/0/7, Fa1/0/17, Fa1/0/18

Fa1/0/19, Fa1/0/20, Fa1/0/21

Fa1/0/23, Gi1/0/1, Gi1/0/2

5 Management active

10 InformationTech active Fa1/0/8, Fa1/0/9, Fa1/0/10

Fa1/0/11, Fa1/0/12, Fa1/0/13

Fa1/0/14, Fa1/0/15, Fa1/0/16

20 Marketing active

30 Research active

40 HumanResources active

We can see that VLANs 5, 10, 20, 30 and 40 are present. Create VLAN id 50 with a name of Finance:

vlan 50
name Finance

Script output on NYCORE1:

NYCORE1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.

NYCORE1(config)#vlan 50

NYCORE1(config-vlan)#name Finance

NYCORE1(config-vlan)#exit

Now observe the VLAN database on NYCORE2:

NYCORE2#show vlan

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa1/0/1, Fa1/0/2, Fa1/0/3
                                                Fa1/0/4, Fa1/0/5, Fa1/0/6
                                                Fa1/0/7, Fa1/0/8, Fa1/0/9
                                                Fa1/0/10, Fa1/0/11, Fa1/0/12
                                                Fa1/0/13, Fa1/0/14, Fa1/0/15
                                                Fa1/0/16, Fa1/0/17, Fa1/0/18
                                                Fa1/0/19, Fa1/0/20, Fa1/0/21
                                                Fa1/0/23, Gi1/0/1, Gi1/0/2
5    Management                       active
10   InformationTech                  active
20   Marketing                        active
30   Research                         active
40   HumanResources                   active
50   Finance                          active

We can see that our VLAN 50 is now present!

Step 4
Next we'll add NYACCESS1 to the mix, but this time we'll make NYACCESS1 a VTP client:

vtp mode client

vtp domain practicelabs

vtp password labs123


Script output from NYACCESS1:

NYACCESS1#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

NYACCESS1(config)#vtp mode client

Setting device to VTP CLIENT mode.

NYACCESS1(config)#vtp domain practicelabs

Domain name already set to practicelabs.

NYACCESS1(config)#vtp password labs123

Setting device VLAN database password to labs123

Step 5
You will find that the trunk links between all the switches have been dynamically created, which is
the default behaviour. Use the commands you learnt in the previous exercise to confirm this.

If you have completed everything correctly you should have a VLAN database on NYACCESS1 as
follows:

NYACCESS1#show vlan

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                Fa0/9, Fa0/10, Fa0/11, Fa0/12
                                                Fa0/13, Fa0/14, Fa0/15, Fa0/16
                                                Fa0/17, Fa0/18, Fa0/19, Fa0/20
                                                Fa0/21, Fa0/22
5    Management                       active
10   InformationTech                  active
20   Marketing                        active
30   Research                         active
40   HumanResources                   active
50   Finance                          active

VTP Counters
Next we'll look at the VTP counters. These are useful for troubleshooting, to see whether
advertisements are occurring or not. On NYACCESS1, use the command:

show vtp counters

Output from NYACCESS1:

NYACCESS1#show vtp counters

VTP statistics:
Summary advertisements received    : 12
Subset advertisements received     : 10
Request advertisements received    : 0
Summary advertisements transmitted : 8
Subset advertisements transmitted  : 6
Request advertisements transmitted : 5
Number of config revision errors   : 0
Number of config digest errors     : 4
Number of V1 summary errors        : 0

VTP pruning statistics:

Trunk            Join Transmitted Join Received    Summary advts received from
                                                   non-pruning-capable device
---------------- ---------------- ---------------- ---------------------------
Fa0/23              1                1                0
Fa0/24              1                0                0

Now create a new VLAN on NYCORE2 (to prove that it is also a VTP server), using VLAN id 60 with a
name of Sales, and take note of the new counters on NYACCESS1:

NYACCESS1#show vtp counters

VTP statistics:
Summary advertisements received    : 14
Subset advertisements received     : 12
Request advertisements received    : 0
Summary advertisements transmitted : 10
Subset advertisements transmitted  : 8
Request advertisements transmitted : 5
Number of config revision errors   : 0
Number of config digest errors     : 4
Number of V1 summary errors        : 0

VTP pruning statistics:

Trunk            Join Transmitted Join Received    Summary advts received from
                                                   non-pruning-capable device
---------------- ---------------- ---------------- ---------------------------
Fa0/23              1                1                0
Fa0/24              1                0                0
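The two counter snapshots above can be compared programmatically. The following Python is an added example, not part of the original lab: it parses show vtp counters output and reports whether advertisements are propagating and whether the config digest errors (the symptom of a VTP password mismatch) are still growing. The sample text is transcribed from the two outputs above.

```python
import re
# Two "show vtp counters" snapshots from NYACCESS1, transcribed from the lab
# output above: before and after VLAN 60 was created on NYCORE2.
BEFORE_VLAN60 = """\
Summary advertisements received    : 12
Subset advertisements received     : 10
Request advertisements received    : 0
Summary advertisements transmitted : 8
Subset advertisements transmitted  : 6
Request advertisements transmitted : 5
Number of config revision errors   : 0
Number of config digest errors     : 4
Number of V1 summary errors        : 0
"""
AFTER_VLAN60 = """\
Summary advertisements received    : 14
Subset advertisements received     : 12
Request advertisements received    : 0
Summary advertisements transmitted : 10
Subset advertisements transmitted  : 8
Request advertisements transmitted : 5
Number of config revision errors   : 0
Number of config digest errors     : 4
Number of V1 summary errors        : 0
"""

COUNTER_RE = re.compile(r"^([A-Za-z0-9 ]+?)[ \t]*:[ \t]*(\d+)[ \t]*$", re.M)

def parse_vtp_counters(text):
    """Return {counter name: value} for every 'name : number' line."""
    return {name: int(value) for name, value in COUNTER_RE.findall(text)}

def counter_deltas(before, after):
    """Counters that changed between two snapshots, with the amount of change."""
    a, b = parse_vtp_counters(before), parse_vtp_counters(after)
    return {k: b[k] - a[k] for k in a if k in b and b[k] != a[k]}

def vtp_health(before, after):
    """propagating: summary + subset advertisements arrived after the change,
    so the server's update (VLAN 60) reached this client. digest errors: a
    received advertisement's MD5 digest did not verify, which is what a VTP
    password mismatch looks like; here the count stays at 4, i.e. not ongoing."""
    d = counter_deltas(before, after)
    return {
        "propagating": d.get("Summary advertisements received", 0) > 0
        and d.get("Subset advertisements received", 0) > 0,
        "digest_errors_growing": d.get("Number of config digest errors", 0) > 0,
        "deltas": d,
    }
```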

VTP Pruning
Finally we'll cover VTP pruning, which limits the VLANs carried on trunk links by working out which
VLANs are actually required on each switch.

NYACCESS1, for example, shows that all the VLANs are allowed on its trunks and are all in the
spanning-tree forwarding state:

NYACCESS1#show interfaces trunk

Port        Mode         Encapsulation  Status        Native vlan
Fa0/23      desirable    802.1q         trunking      1
Fa0/24      desirable    802.1q         trunking      1

Port        Vlans allowed on trunk
Fa0/23      1-4094
Fa0/24      1-4094

Port        Vlans allowed and active in management domain
Fa0/23      1,5,10,20,30,40,50,60
Fa0/24      1,5,10,20,30,40,50,60

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/23      1,5,10,20,30,40,50,60
Fa0/24      1,5,10,20,30,40,50,60

However, this switch's ports are all in VLAN 1, so it doesn't really need all those other VLANs on
the trunk.

VTP pruning helps us in this situation. To enable pruning use the following global configuration
command on one of the VTP Servers:

vtp pruning

Script on NYCORE2:

NYCORE2#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

NYCORE2(config)#vtp pruning

Pruning switched on

Now look at the output from the command show interface trunk on NYACCESS1:

NYACCESS1#show interfaces trunk

Port        Mode         Encapsulation  Status        Native vlan
Fa0/23      desirable    802.1q         trunking      1
Fa0/24      desirable    802.1q         trunking      1

Port        Vlans allowed on trunk
Fa0/23      1-4094
Fa0/24      1-4094

Port        Vlans allowed and active in management domain
Fa0/23      1,5,10,20,30,40,50,60
Fa0/24      1,5,10,20,30,40,50,60

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/23      1,5
Fa0/24      1,5,10

Now restrict the VLANs on the trunk to only allow VLANs 1, 5 and 10 using the following commands
on interfaces FastEthernet 0/23 and 0/24 of NYACCESS1:

switchport trunk allowed vlan none

switchport trunk allowed vlan add 1,5,10


Script on NYACCESS1:

NYACCESS1#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

NYACCESS1(config)#interface range fastEthernet 0/23 - 24

NYACCESS1(config-if-range)#switchport trunk allowed vlan none

NYACCESS1(config-if-range)#switchport trunk allowed vlan add 1,5,10

Look again at the output from the show interface trunk command:

NYACCESS1#show interfaces trunk

Port        Mode         Encapsulation  Status        Native vlan
Fa0/23      desirable    802.1q         trunking      1
Fa0/24      desirable    802.1q         trunking      1

Port        Vlans allowed on trunk
Fa0/23      1,5,10
Fa0/24      1,5,10

Port        Vlans allowed and active in management domain
Fa0/23      1,5,10
Fa0/24      1,5,10

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/23      1,5
Fa0/24      1,5,10
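To audit what each trunk actually carries, the following added Python (not part of the lab) parses show interfaces trunk output, computes which VLANs VTP pruning has removed from each trunk, and flags trunks that still allow 1-4094 or that carry their own native VLAN. The sample input is transcribed from the NYACCESS1 output after pruning was enabled.

```python
# "show interfaces trunk" from NYACCESS1 after pruning, transcribed from the lab output above.
SHOW_TRUNK = """\
Port        Mode         Encapsulation  Status        Native vlan
Fa0/23      desirable    802.1q         trunking      1
Fa0/24      desirable    802.1q         trunking      1

Port        Vlans allowed on trunk
Fa0/23      1-4094
Fa0/24      1-4094

Port        Vlans allowed and active in management domain
Fa0/23      1,5,10,20,30,40,50,60
Fa0/24      1,5,10,20,30,40,50,60

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/23      1,5
Fa0/24      1,5,10
"""
SECTIONS = {"Vlans allowed on trunk": "allowed",          # header text -> key
            "Vlans allowed and active": "active",
            "Vlans in spanning tree": "forwarding"}

def expand_vlans(spec):
    """'1,5,10-12' -> {1, 5, 10, 11, 12}; 'none' -> empty set."""
    vlans = set()
    for part in spec.split(","):
        if part.strip().lower() in ("", "none"):
            continue
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def parse_show_trunk(text):
    """{port: {'native': int, 'allowed': set, 'active': set, 'forwarding': set}}"""
    ports, section = {}, None
    for fields in (l.split() for l in text.splitlines() if l.strip()):
        if fields[0] == "Port":   # every 'Port ...' header line opens a new section
            section = next((v for k, v in SECTIONS.items() if k in " ".join(fields)), "header")
        elif section == "header":
            ports.setdefault(fields[0], {})["native"] = int(fields[-1])
        else:
            ports.setdefault(fields[0], {})[section] = expand_vlans(fields[1])
    return ports

def audit_trunks(text):
    """Per trunk: VLANs VTP pruned off it, whether it still permits every VLAN
    (1-4094) and whether its native VLAN is itself carried on the trunk."""
    return {port: {"pruned": sorted(p["active"] - p["forwarding"]),
                   "allows_all_vlans": p["allowed"] >= set(range(1, 4095)),
                   "native_carried": p["native"] in p["allowed"]}
            for port, p in parse_show_trunk(text).items()}
```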

Confirming your configuration using the PLABCSCO01 Server

Finally in this exercise we will configure the server to be a member of VLAN 5, then connect to the
server and try to ping the NYCOREx switches. This will confirm that our trunking and VLANs are still
operational.

Step 1
First configure the server's connection to the network to be in VLAN 5. To locate the server we can
use some commands we have previously learnt.

Confirm the MAC address of the Lab_nic on the server:

In my example the MAC address is 00-50-56-A3-6F-F2.

Locate this MAC address on the network (replace the relevant address with your results from the
server):

show mac address-table | inc 6ff2

show cdp neighbors fas 1/0/22

Output from these commands on NYCORE1:

NYCORE1#show mac address-table | inc 6ff2
   1    0050.56a3.6ff2    DYNAMIC     Fa1/0/22
NYCORE1#
NYCORE1#show cdp neighbors fas 1/0/22
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone,
                  D - Remote, C - CVTA, M - Two-port Mac Relay

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
NYACCESS1        Fas 1/0/22        134              S I   WS-C2950- Fas 0/24

We can see that the server is connected to NYACCESS1.

Step 2
Confirm where the server's connection is located on NYACCESS1:

NYACCESS1#show mac address-table | inc 6ff2

1 0050.56a3.6ff2 DYNAMIC Fa0/1

Step 3
Change the interface where the server is connected to be in VLAN 5:

interface fas 0/1

switchport access vlan 5

Script from NYACCESS1:

NYACCESS1#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

NYACCESS1(config)#interface fastEthernet 0/1

NYACCESS1(config-if)#switchport access vlan 5

Step 4
Finally confirm using a ping on the server that you can reach NYCORE1 and NYCORE2:

Leave the devices powered on and in their current states and continue to the next exercise.

Exercise 4 Securing Trunk Links
In this exercise you will learn how to secure trunk links from a number of attacks, namely switch
spoofing and VLAN hopping.

Switch spoofing
Switch spoofing can occur if a switch port has been left in its default configuration. A rogue device
(a PC, for example) attempts it by sending DTP (Dynamic Trunking Protocol) packets to the switch
interface. By default a switchport will attempt to negotiate a trunk (as you have seen already). PCs
don't normally send these packets, but if a PC did, it could potentially negotiate a trunk link
(servers often have trunk links, especially in today's networks due to the rapid rise of VMware).

Notice the default mode on an interface:

NYCORE2#show interfaces fastEthernet 1/0/18 switchport

Name: Fa1/0/18

Switchport: Enabled

Administrative Mode: dynamic auto

Operational Mode: down

Administrative Trunking Encapsulation: negotiate

Negotiation of Trunking: On

If the real trunk between the switch this PC is connected to and the next switch in the chain also has
the default configuration, then the switch will pass ALL VLANs down the trunk, which would give the
attacker access to ALL the VLANs on your network (although there may be other mitigating factors
that would prevent this).

Resolution
The fix for this problem is to change the default configuration of your switch interfaces. It is a very
simple fix; you can simply use the commands:

interface mod/port

switchport access vlan y

switchport mode access

For example, you can try these commands on NYCORE1:

interface range fastethernet 1/0/17 - 20

switchport access vlan 999

switchport mode access

Script on NYCORE1:

NYCORE1#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

NYCORE1(config)#interface range fastEthernet 1/0/17 - 20

NYCORE1(config-if-range)#switchport access vlan 999

% Access VLAN does not exist. Creating vlan 999

NYCORE1(config-if-range)#sw

NYCORE1(config-if-range)#switchport mode access

This stops any of these interfaces from negotiating a trunk and places them in an unused VLAN, 999
(unused in our lab; in your production environment VLAN 999 may be in use, so be careful!). Notice
that the command created VLAN 999.

Viewing the switchport configuration:

NYCORE1#show int fas 1/0/17 switchport

Name: Fa1/0/17

Switchport: Enabled

Administrative Mode: static access

Operational Mode: down

Administrative Trunking Encapsulation: negotiate

Negotiation of Trunking: Off

Access Mode VLAN: 999 (VLAN0999)
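A defender's check for this condition: the added Python below (not the lab's own code) parses show interfaces switchport output for many ports at once and flags every port that is still willing to negotiate a trunk, or that was put in access mode but left in VLAN 1. The sample combines Fa1/0/17 after the fix with Fa1/0/18 at its defaults; Fa1/0/18's Access Mode VLAN line is constructed, the rest is transcribed from the outputs above.

```python
# "show interfaces switchport" output for two NYCORE1 ports, constructed from the
# lab output above: Fa1/0/17 after the fix, Fa1/0/18 still at factory defaults.
SHOW_SWITCHPORT = """\
Name: Fa1/0/17
Switchport: Enabled
Administrative Mode: static access
Operational Mode: down
Administrative Trunking Encapsulation: negotiate
Negotiation of Trunking: Off
Access Mode VLAN: 999 (VLAN0999)

Name: Fa1/0/18
Switchport: Enabled
Administrative Mode: dynamic auto
Operational Mode: down
Administrative Trunking Encapsulation: negotiate
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
"""

def parse_switchports(text):
    """One {field: value} dict per port; each 'Name:' line starts a new port."""
    ports = []
    for line in text.splitlines():
        field, sep, value = line.partition(":")
        if field == "Name":
            ports.append({})
        if sep and ports:
            ports[-1][field.strip()] = value.strip()
    return ports

def dtp_exposure(port):
    """None if the port is hardened, otherwise why it could still become a trunk."""
    mode = port.get("Administrative Mode", "")
    if port.get("Negotiation of Trunking") == "On" or mode.startswith("dynamic"):
        return (f"{port['Name']}: DTP negotiation on, mode '{mode}' "
                "(fix: switchport access vlan <unused>, switchport mode access)")
    if mode == "static access" and port.get("Access Mode VLAN", "").startswith("1 "):
        return f"{port['Name']}: access mode but still in VLAN 1"
    return None

def audit_switchports(text):
    """{port name: finding or 'ok'} for every port in the output."""
    return {p["Name"]: dtp_exposure(p) or "ok" for p in parse_switchports(text)}
```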

VLAN Hopping
Consider a scenario where you have two switches, NYCORE1 and NYCORE2. There is a trunk link
between the two switches with a native VLAN configured as VLAN 100. The attacker is also on VLAN
100 as you have decided that you want your PCs to be able to communicate in the event the trunk
link fails.

The attacker crafts a frame that carries a double VLAN tag: VLAN 100 as the outer tag and, for
example, VLAN 200 as the inner tag. He sends the frame, which is received by NYCORE1 on VLAN 100.
NYCORE1 forwards the frame across the trunk link; because the outer tag matches the native VLAN it
is stripped, leaving only the VLAN 200 tag. When NYCORE2 receives the frame it inspects the tag it
has, which is now just VLAN 200, removes that tag and forwards the frame into VLAN 200. At this
point the attacker has successfully managed to get a frame from VLAN 100 on to VLAN 200 without
needing a router or layer 3 device!

Resolution
Contrary to my previous statement about having a native VLAN of the management address, the fix
for this attack is to set the native VLAN on a trunk to a VLAN id that is not in use; 999, for
example, may be a good id (or 911 if you are in the US!).

You must then also remove this VLAN from the trunk.

For example:

vlan 999

name HOPAVOID

switchport trunk native vlan 999

switchport trunk allowed vlan remove 999

Feel free to try these commands on NYCORE1/2.
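To see why the native VLAN choice matters, here is a tag-level model of the scenario above (an added example, not IOS code or part of the lab): a frame is a list of 802.1Q VLAN ids, outermost first, and the same double-tagged frame is run through the trunk once with native VLAN 100 and once with native VLAN 999 removed from the allowed list.

```python
# Tag-level model of the double-tag scenario above: a frame is a list of 802.1Q
# VLAN ids, outermost first (payload ignored). Added illustration, not IOS code.
ALL_VLANS = set(range(1, 4095))

def access_ingress(tags, access_vlan):
    """Arrival on an access port: untagged frames join access_vlan; a frame
    already tagged with access_vlan is accepted as-is (what double tagging
    relies on); any other tag is dropped (None)."""
    if not tags:
        return [access_vlan]
    return list(tags) if tags[0] == access_vlan else None

def trunk_egress(tags, native_vlan, allowed):
    """Leaving NYCORE1 on the trunk: VLANs not allowed are dropped; the native
    VLAN goes out untagged (outer tag popped, exposing an inner tag if any)."""
    if tags[0] not in allowed:
        return None
    return tags[1:] if tags[0] == native_vlan else list(tags)

def trunk_ingress(tags, native_vlan):
    """Arrival on NYCORE2's trunk: untagged means native VLAN, otherwise the
    outer tag names the VLAN and is removed."""
    return (native_vlan, []) if not tags else (tags[0], tags[1:])

def deliver(frame_tags, access_vlan, native_vlan, allowed=ALL_VLANS):
    """VLAN the frame is switched into on NYCORE2, or None if dropped."""
    tags = access_ingress(frame_tags, access_vlan)
    if tags is not None:
        tags = trunk_egress(tags, native_vlan, allowed)
    if tags is None:
        return None
    return trunk_ingress(tags, native_vlan)[0]

# The lab scenario: attacker in VLAN 100, trunk native VLAN 100.
HOPPED = deliver([100, 200], access_vlan=100, native_vlan=100)        # -> 200
# After the fix: native VLAN 999, removed from the allowed list.
CONTAINED = deliver([100, 200], access_vlan=100, native_vlan=999,
                    allowed=ALL_VLANS - {999})                        # -> 100
```

Running the same frame with native VLAN 999 still allowed on the trunk shows why the page says to remove it as well: a port in VLAN 999 could otherwise still hop.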


Summary
In this module you achieved the following activities:

You configured a number of VLANs on your switches.
You configured a trunk link between the two CORE switches and changed the mode to desirable.
You configured VTP to help propagate VLAN information in your network.
You configured the VTP version and password, and saw that once you configured VTP on one
switch, the other switches also took on this configuration.
You saw how devices can't access other VLANs (the server, for example, communicating from
VLAN 1 to VLAN 5). You then learnt how an attack could bypass this.
You learnt about VLAN hopping and switch spoofing.

Also Try
Using your lab infrastructure you can attempt the following topics at your own pace; these are
additional tasks that build on what you have learnt in this module:

Configure the trunk between the two CORE switches to use ISL instead of 802.1Q encapsulation.
Can you change this on NYACCESS1?
Can you create a VLAN on NYACCESS1?
Change NYACCESS1 to transparent mode and try and create a VLAN (switch it back to a client
after).
