Cisco Training 200-125 CCNA v3.0. Day 14 VTP, Pruning and Native VLAN

Today we will continue our discussion of VLANs and cover the VTP protocol, as well as the concepts of VTP Pruning and Native VLAN. We already talked about VTP in one of the previous videos, and the first thing that should come to mind when you hear about VTP is that it is not a trunking protocol, despite being called "VLAN Trunking Protocol".


As you know, there are two popular trunking protocols: the proprietary Cisco ISL protocol, which is no longer used today, and the 802.1Q protocol, which network devices from various manufacturers use to encapsulate trunk traffic. This protocol is also used on Cisco switches. We have already said that VTP is a VLAN synchronization protocol, that is, it is designed to synchronize the VLAN database across all switches in the network.


We mentioned the different VTP modes: server, client and transparent. If a device is in server mode, you can make changes on it, adding or removing VLANs. Client mode does not allow you to change the VLAN database locally; you configure the VLAN database on the VTP server, and it is replicated to all VTP clients. A switch in transparent mode does not apply the changes to its own VLAN database, but simply passes them through to the next device in client mode. This mode is similar to disabling VTP on a specific device, turning it into a mere transporter of VLAN change information.

Let's return to the Packet Tracer program and to the network topology discussed in the previous lesson. We configured the VLAN10 network for the sales department and the VLAN20 network for the marketing department, combining them with three switches.


Switches SW0 and SW1 communicate over VLAN20, and SW0 and SW2 communicate over VLAN10, because we added VLAN10 to the VLAN database of the SW1 switch in between.
In order to consider the operation of the VTP protocol, let's use one of the switches as a VTP server, let it be SW0. If you remember, by default, all switches work in VTP server mode. Let's go to the switch command line terminal and enter the show vtp status command. You see the current version of the VTP protocol - 2 and the configuration revision number 4. If you remember, every time a change is made to the VTP database, the revision number increases by one.


The maximum number of supported VLANs is 255. This number depends on the brand of a particular Cisco switch, since different switches can support a different number of VLANs. The number of existing VLANs is 7, in a minute we will look at what these networks are. VTP control mode is server, no domain name is set, VTP Pruning mode is disabled, we will come back to this later. The VTP V2 and VTP Traps Generation modes are also disabled. You don't need to know about the last two modes to take the 200-125 CCNA exam, so you don't have to worry about them.

Let's take a look at the VLAN database using the show vlan command. As we saw in the previous video, we have 4 unsupported networks: 1002, 1003, 1004 and 1005.


It also lists the 2 networks we created, VLAN10 and 20, and the default network, VLAN1. Now let's move on to another switch and enter the same command to view the VTP status. You can see that the revision number of this switch is 3, it is in VTP server mode, and all other information is similar to the first switch. When I issue the show VLAN command, I see that we made 2 changes in the settings, one less than the SW0 switch, which is why the revision number of SW1 is 3. We made 3 changes to the default settings of the first switch, so its revision number increased to 4.


Now let's look at the status of SW2. The revision number here is 1, which is weird. We must have a second revision because there was 1 change to the settings. Let's look at the VLAN database.


We made one change, creating VLAN10, and I don't know why this information hasn't been updated. Perhaps this happened because we do not have a real network, but a software network simulator, which may have bugs. When you get the chance to work with real devices during your practice at Cisco, it will help you more than the Packet Tracer simulator. Another useful tool in the absence of real devices would be GNS3, or the Cisco Graphical Network Simulator. This is an emulator that runs the real operating system of a device, such as a router. There is a difference between a simulator and an emulator: the former is a program that looks like a real router, but is not. The emulator creates only the device itself in software, but runs the real software on it. But if you don't have the ability to work with real Cisco IOS software, Packet Tracer is your best bet.

So, we need to configure SW0 as a VTP server. For this I enter global configuration mode and type the vtp version 2 command. As I said, we can set the protocol version we need, 1 or 2; in this case we need version 2. Next, with the vtp mode command, we set the VTP mode of the switch: server, client, or transparent. In this case we need server mode, and after entering the vtp mode server command, the system displays a message that the device is already in server mode. Next, we must configure the VTP domain, for which we use the vtp domain nwking.org command. Why is this needed? If there is another device on the network with a higher revision number, all other devices with a lower revision number start to replicate the VLAN database from that device. However, this only happens when the devices have the same domain name. For example, if you work at nwking.org, you specify this domain; if at Cisco, then the cisco.com domain, and so on. The domain name of your company's devices allows you to distinguish them from devices of another company or any other external devices on the network. When you give a device a company domain name, you make it part of that company's network.

The next thing to do is to set the VTP password. It is needed so that a hacker, having a device with a large revision number, could not copy his VTP settings to your switch. I enter the cisco password using the vtp password cisco command. After that, replication of VTP data between switches will be possible only if the passwords match. If an incorrect password is used, the VLAN database will not be updated.

Let's try to create some more VLANs. To do this, I use the config t command, create a network with the number 200 with the vlan 200 command, give it the name TEST and save the changes with the exit command. Then I create another vlan 500 and call it TEST1. If you now enter the show vlan command, then in the table of virtual networks of the switch you can see these two new networks to which no ports are assigned.


Let's move on to SW1 and look at its VTP status. We see that nothing has changed here except the domain name; the number of VLANs remains 7. We do not see the networks we created, because the VTP password does not match. Let's set the VTP password on this switch by entering the conf t, vtp pass and vtp password cisco commands in sequence. The system reports that the device's VLAN database now uses the password cisco. Let's look at the VTP status again to see if the information has been replicated. As you can see, the number of existing VLANs has automatically increased to 9.

If you look at the VLAN database of this switch, you can see that the VLAN200 and VLAN500 networks we created automatically appeared in it.

The same must be done with the last switch SW2. Let's enter the show vlan command - you can see that no changes have occurred in it. Likewise, there is no change in the status of the VTP. In order for this switch to update the information, you must also set up a password, that is, enter the same commands as for SW1. After that, the number of VLANs in the SW2 status will increase to 9.

That's what the VTP protocol is for. This is a great feature that automatically updates the information on all client devices in the network after changes are made on the server device. You do not need to manually edit the VLAN database of every switch; replication happens automatically. If you have 200 network devices, your changes will be applied on all 200 devices at the same time. Just in case, we need to make sure that SW2 is also a VTP client, so let's go into its configuration with the config t command and enter the vtp mode client command.

Thus, in our network, only the first switch is in VTP Server mode, the other two operate in VTP Client mode. If I now enter the SW2 settings and enter the vlan 1000 command, I will receive a message: "VTP VLAN configuration is not allowed when the device is in client mode." Thus, I cannot make any changes to the VLAN database if the switch is in VTP client mode. If I want to make any changes, I need to go to the switch server.

I go into the settings of the SW0 terminal and enter the vlan 999, name IMRAN and exit commands. This new network appeared in the VLAN database of this switch, and if I now go to the SW2 switch client database, I will see that the same information has appeared here, that is, replication has occurred.

As I said, VTP is a great piece of software, but if used incorrectly, this protocol can disrupt an entire network. Therefore, you need to be very careful with the company network if the domain name and VTP password are not set. In this case, all a hacker needs is to plug the cable of his switch into a network socket on the wall, connect to any office switch using the DTP protocol, and then, over the trunk that was created, push his information to all switches using VTP. In this way the hacker can remove all important VLANs, taking advantage of the fact that the revision number of his device is higher than the revision number of the rest of the switches. The company's switches will automatically replace everything in their VLAN database with the information replicated from the malicious switch, and your entire network will collapse.

This is because computers are connected by network cable to a specific switch port that is assigned to VLAN10 or VLAN20. If these networks are removed from the switch's VLAN database, the switch automatically disables any port belonging to the now non-existent network. A company network typically fails in precisely this way: the switches simply disable the ports associated with the VLANs that were removed by the latest update.

In order to prevent such a problem from occurring, you need to set a VTP domain name and password, or use the Cisco Port Security feature, which allows you to control the MAC addresses of switch ports, introducing various restrictions on their use. For example, if someone else tries to change the MAC address, the port will be immediately disabled. Very soon we will get to know this feature of Cisco switches closely, but for now it is enough for you to know that Port Security allows you to make sure that the VTP is protected from an intruder.

Let's summarize what a VTP setting is. This is the choice of the protocol version - 1 or 2, the assignment of the VTP mode - server, client or transparent. As I said, the latter mode does not update the VLAN database of the device itself, but simply transmits all changes to neighboring devices. The following are the commands for assigning a domain name and password: vtp domain <domain name> and vtp password <password>.
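As an added audit example (my code, not part of the course or any Cisco tool), the following Python script parses `show vtp status` output from several switches and flags the conditions this lesson warns about: a switch with no domain set or a different domain, a server other than the designated one, and a device in the same domain whose configuration revision is higher than the server's, so that its database would overwrite everyone else's. The sample outputs are constructed to resemble the fields the lesson reads; SW3 is a hypothetical extra switch.

```python
import re

# Constructed sample `show vtp status` output for four switches. It is modelled
# on the fields the lesson reads (version, revision, mode, domain, pruning) and
# is not captured from the lesson's Packet Tracer topology; "SW3" is hypothetical.
SAMPLE_STATUS = {
    "SW0": "VTP Version : 2\nConfiguration Revision : 4\n"
           "VTP Operating Mode : Server\nVTP Domain Name : nwking.org\n"
           "VTP Pruning Mode : Disabled\n",
    "SW1": "VTP Version : 2\nConfiguration Revision : 4\n"
           "VTP Operating Mode : Client\nVTP Domain Name : nwking.org\n"
           "VTP Pruning Mode : Disabled\n",
    "SW2": "VTP Version : 2\nConfiguration Revision : 1\n"
           "VTP Operating Mode : Client\nVTP Domain Name : \n"
           "VTP Pruning Mode : Disabled\n",
    "SW3": "VTP Version : 2\nConfiguration Revision : 12\n"
           "VTP Operating Mode : Server\nVTP Domain Name : nwking.org\n"
           "VTP Pruning Mode : Disabled\n",
}

FIELD_RE = re.compile(r"^\s*(.+?)\s*:\s*(.*?)\s*$")


def parse_vtp_status(text):
    """Turn `show vtp status` text into the handful of fields we audit."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    return {
        "version": int(fields.get("VTP Version", "0")),
        "revision": int(fields.get("Configuration Revision", "0")),
        "mode": fields.get("VTP Operating Mode", "").lower(),
        "domain": fields.get("VTP Domain Name", ""),
    }


def audit_vtp(outputs, designated_server, expected_domain):
    """Flag the conditions the lesson warns about; returns (switch, finding) pairs."""
    status = {name: parse_vtp_status(text) for name, text in outputs.items()}
    server_rev = status[designated_server]["revision"]
    findings = []
    for name, s in sorted(status.items()):
        if s["domain"] == "":
            findings.append((name, "no VTP domain set"))
        elif s["domain"] != expected_domain:
            findings.append((name, f"domain {s['domain']!r} differs from {expected_domain!r}"))
        if s["mode"] == "server" and name != designated_server:
            findings.append((name, "server mode on a non-designated switch"))
        # Only a device in the same domain can overwrite the database, and only
        # with a higher revision number; transparent switches never do.
        if (s["domain"] == expected_domain and s["mode"] != "transparent"
                and s["revision"] > server_rev):
            findings.append((name, f"revision {s['revision']} > server's {server_rev}: "
                                   "its VLAN database would overwrite the domain"))
    return findings
```

Run `audit_vtp(SAMPLE_STATUS, "SW0", "nwking.org")` to see SW2 flagged for the missing domain and SW3 flagged twice, while SW0 and SW1 pass.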


Now let's talk about the VTP Pruning settings. If you look at the network topology, you can see that all three switches have the same VLAN database, which means that VLAN10 and VLAN20 are part of all 3 switches. Technically, the SW2 switch does not need VLAN20, because it does not have ports related to this network. However, regardless of this, all traffic directed from the Laptop0 computer via the VLAN20 network gets to the switch SW1 and from it goes through the trunk to the SW2 ports. Your main task as a network specialist is to ensure that as little unnecessary data is transmitted over the network as possible. You must ensure the transfer of the necessary data, but how to limit the transfer of information that is not needed by this device?

You must make sure that traffic destined for VLAN20 devices will not enter the SW2 ports through the trunk when it is not required. That is, Laptop0 traffic must reach SW1 and then to computers on the VLAN20 network, but must not go beyond the right trunk port of SW1. This can be achieved using VTP Pruning.

To do this, we need to go to the SW0 VTP server, because, as I said, VTP settings can only be made on the server, enter global configuration mode and type the vtp pruning command. Since Packet Tracer is just a simulation program, this command does not appear in its command-line help. When I type vtp pruning and hit Enter, the system reports that VTP pruning is not available.

Using the show vtp status command, we will see that the VTP Pruning mode is in the disabled state, so we need to make it available by moving it to the enable position. Having done this, we will activate the VTP Pruning mode on all three switches of our network within the network domain.
Let me remind you what VTP Pruning is. When we enable this mode, the SW0 switch server tells the SW2 switch that only VLAN10 is configured on its ports. After that, switch SW2 tells switch SW1 that it does not need any traffic other than traffic destined for VLAN10. Now, thanks to VTP Pruning, the SW1 switch has the information that it does not need to send VLAN20 traffic over the SW1-SW2 trunk.

For you as a network administrator, this is very convenient. You don't need to manually enter commands as the switch is smart enough to send exactly what the specific network device needs. If tomorrow you place another division of the marketing department in a neighboring building and connect its VLAN20 network to switch SW2, this switch will immediately inform switch SW1 that it now has VLAN10 and VLAN20 networks, and asks to transfer traffic to it for both networks. This information is constantly updated on all devices, making communication more efficient.


There is another way to control which traffic crosses the trunk: a command that allows traffic only for the specified VLANs. I go into the SW1 switch settings, where I'm interested in the Fa0/4 port, and enter the int fa0/4 and switchport trunk allowed vlan 10 commands. Since I already know that SW2 only has VLAN10, I can tell switch SW1 to let its trunk port carry traffic for this network only by using the allowed vlan command. Thus, I have programmed the Fa0/4 trunk port to transmit traffic only for VLAN10. This means that this port will no longer pass traffic from VLAN1, VLAN20, or any network other than the specified one.

You may ask which is better to use, VTP Pruning or the allowed vlan command. The answer is subjective, because in some cases it makes sense to use the first method, and in others the second. As a network administrator, you must choose the best solution for yourself. In some cases, programming the port to pass traffic of a specific VLAN can be good, and in some cases it can be bad. In the case of our network, using the allowed vlan command may be justified if we are not going to change the network topology. But if someone later wants to add a group of devices using VLAN20 to SW2, it is more appropriate to use VTP Pruning.


So, setting up VTP Pruning comes down to the following commands. The vtp pruning command enables the automatic mode. If instead you want to restrict a trunk port to traffic from a specific VLAN manually, select the port with the interface <#> command, put it in trunk mode with switchport mode trunk, and allow traffic for the specific network with the switchport trunk allowed vlan command.

There are 5 parameters that can be used with the last command. all means that traffic for all VLANs is allowed, none means traffic for all VLANs is denied. With the add parameter you can add traffic for one more network. For example, we allow VLAN10 traffic, and with add 20 we can also let VLAN20 traffic through. The remove parameter lets you remove one of the networks; for example, after remove 20 only VLAN10 traffic will remain.

Now consider the native VLAN. We have already said that native VLAN is a virtual network for passing untagged traffic through a specific trunk port.


I go into the settings of a specific port, as indicated by the SW(config-if)# prompt, and use the switchport trunk native vlan <network number> command, for example with VLAN10. Now all VLAN10 traffic will go through the trunk untagged.

Let's return to the logical network topology in the Packet Tracer window. If I use the switchport trunk native vlan 20 command on the Fa0/4 switch port, then all VLAN20 traffic will go over the Fa0/4 - SW2 trunk untagged. When the SW2 switch receives this traffic, it will think: "this is untagged traffic, which means I should direct it to the native VLAN." For this switch, the native VLAN is VLAN1. Networks 1 and 20 are not connected in any way, but since the native VLAN mechanism is used, we end up directing VLAN20 traffic into a completely different network. This traffic is not encapsulated, so the native VLANs on both sides must still match.

Let's look at this with an example. I will go into the SW1 settings and use the switchport trunk native vlan 10 command. Now any VLAN10 traffic will come out of the trunk port untagged. When it reaches the trunk port SW2, the switch will understand that it should direct it to VLAN1. As a result of this decision, traffic will not be able to reach computers PC2, 3 and 4, since they are connected to the access ports of the switch intended for VLAN10.

Technically, this will cause the system to report that the native VLAN of port Fa0/4, which is part of VLAN10, does not match the port Fa0/1, which is part of VLAN1. This means that the specified ports will not be able to work in trunk mode due to a native VLAN mismatch.
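To make the last three sections concrete, here is an added Python model (my code, not Packet Tracer output or anything from the course or Cisco) of the SW1 Fa0/4 trunk to SW2: the allowed vlan keywords from the pruning section, and the egress/ingress handling of the native VLAN, including the mismatch just described, where SW1 sends VLAN10 untagged and SW2 files it under its own native VLAN1. VLAN ids are plain integers and the frame representation is an assumption of the model.

```python
# Constructed model of one 802.1Q trunk link (SW1 Fa0/4 -> SW2), added for this
# lesson; it is not Packet Tracer output or Cisco code. A frame on the wire is
# represented as (kind, tag) with kind in {"tagged", "untagged", "dropped"}.
ALL_VLANS = frozenset(range(1, 4095))


def allowed_vlan(current, keyword, vlans=()):
    """One `switchport trunk allowed vlan <keyword> [list]` operation applied to
    the trunk's current allowed set: all, none, add <list>, remove <list>."""
    vlans = frozenset(vlans)
    if keyword == "all":
        return ALL_VLANS
    if keyword == "none":
        return frozenset()
    if keyword == "add":
        return current | vlans
    if keyword == "remove":
        return current - vlans
    raise ValueError("unknown keyword: " + keyword)


def egress(vlan, allowed, native):
    """A frame of `vlan` leaving the trunk: filtered by the allowed list, sent
    untagged if it belongs to the native VLAN, otherwise carrying an 802.1Q tag."""
    if vlan not in allowed:
        return ("dropped", None)
    if vlan == native:
        return ("untagged", None)
    return ("tagged", vlan)


def ingress(frame, native):
    """The far end puts untagged frames into *its* native VLAN, whatever VLAN the
    sender meant; tagged frames keep the VLAN from their tag."""
    kind, tag = frame
    if kind == "dropped":
        return None
    return native if kind == "untagged" else tag


def deliver(vlan, allowed, tx_native, rx_native):
    """VLAN a frame lands in on the receiving switch, or None if it never arrives."""
    return ingress(egress(vlan, allowed, tx_native), rx_native)


def native_mismatch(tx_native, rx_native):
    """The condition the switches report on this link, as the lesson describes."""
    return tx_native != rx_native


if __name__ == "__main__":
    # The lesson's scenario: SW1 native VLAN 10, SW2 still native VLAN 1.
    print(deliver(10, ALL_VLANS, tx_native=10, rx_native=1))  # 1: VLAN10 lands in VLAN1
    # Matching native VLANs carry VLAN10 correctly.
    print(deliver(10, ALL_VLANS, tx_native=1, rx_native=1))   # 10
    # Fa0/4 allowed list restricted to VLAN10 stops VLAN20 crossing the trunk.
    only10 = allowed_vlan(allowed_vlan(ALL_VLANS, "none"), "add", [10])
    print(deliver(20, only10, tx_native=1, rx_native=1))      # None
```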


Source: habr.com
