Ether Channels can be created as Layer 2 or Layer3. The obvious difference between the 2 is that a Layer 3 link will have a IP address associated and hence traffic can be routed between the 2 switches. A layer 2 ether channel will not have IP addresses attached and all traffic will be switched between the 2 devices.

There is a misconception about how the ‘load balancing’ works over a ether channel, so firstly lets clear that up.

An ether channel allows us to group multiple interfaces together so they act as one. This means that if I have 5 x 1 Gigabit Ethernet interfaces that I bind together I will in theory have a 5 Gigabit Ethernet interface. This is partly true but let’s dig deeper into how the switch will send traffic over the new link.

By Default, most Cisco switches are configured with a load balancing option of ‘source to destination IP’, what this means is that when the first session is created between machine A and machine B their traffic will use the same physical interface from the ether channel bundle. The packets will not be load balanced between all the ports. However when machine C sends traffic to machine D they would use a different physical interface compared to machine A and B. What we can derive from this, is that the load-balancing is session orientated and each session will be limited to 1 physical interface. So although the total throughput of data between the 2 switches is 5 Gigabit, the maximum throughput between 2 machines is the total of 1 physical interface of the ether channel.

The load-balancing technique can be changed from its default using the port-channel load-balance command, as seen below.

port-channel load-balance {src-mac | dst-mac | src-dst-mac | src-ip | dst-ip | src-dst-ip | src-port | dst-port | src-dst-port}

NOTE: not all switches support all options of load-balancing!

So now that we have seen the concept of Ether Channels and how their load-balancing works, here is the configuration for configuring a Layer 2 Ether Channel.

AOIP.ORG-Switch(config)# interface range f0/4 – 5

The interface range command allow me to configure multiple interfaces at the same time, in this case FastEthernet 0/4 and 0/5

AOIP.ORG-Switch(config-if-range)# channel-group 1 mode desirable

This associates the interfaces to a new logical interface and tells the interface to actively negotiate a trunk.

AOIP.ORG-Switch(config-if-range)# no shut

AOIP.ORG-Switch(config-if-range)# exit

AOIP.ORG-Switch(config)# exit

In order to configure a Layer 2 Ether Channel, the following configuration can be used.

AOIP.ORG-Switch(config)# interface port-channel 10

This enters the logical interface used for the Ether Channel, I have given it a ‘name’ of 10

AOIP.ORG-Switch(config-if)# no switchport

Forces the port to act as a routed port and not a switchport

AOIP.ORG-Switch(config-if)# ip address 10.0.100.1 255.255.255.0

Assigns the IP address to the interface

AOIP.ORG-Switch(config-if)# no shut

AOIP.ORG-Switch(config-if)# exit

AOIP.ORG-Switch(config)# interface range f0/4 -5

Same as above, I’m configuring 2 interfaces to belong to the Ether Channel

AOIP.ORG-Switch(config-if-range)# no switchport

Forcing the physical ports in Routed ports

AOIP.ORG-Switch(config-if-range)# no ip address

Removing any IP addresses that may be configured on the physical interfaces. They may not have an IP address as it will be associated to the logical interface (port-channel 10)

AOIP.ORG-Switch(config-if-range)# channel-group 10 mode desirable

Binds the physical interfaces to the logical interface

AOIP.ORG-Switch(config-if-range)# no shut

AOIP.ORG-Switch(config-if-range)# exit

AOIP.ORG-Switch(config)# exit

Related posts:

1. ISDN and Multilink with load-threshold
2. Inter-VLAN Routing (Router on a Stick)
3. Configuring a Trunk port on a Cisco Switch

As an example, I have 2 VLANS, VLAN 10 and VLAN 20 which have subnets 10.0.10.0/24 and 10.0.20.0/24 respectively. In order to have traffic from one subnet communicate with the other routing would have to take place. Furthermore the switch I have used in the example below is a layer 2 switch so there is no routing functionality available so I am forced to use a router.

This leaves me with 2 options.

1/ Plug my router into my switch with 2 cables. Configure 1 port on the router to be in subnet 10.0.10.0/24 and in VLAN 10, and configure a second port to be in subnet 10.0.20.0/24 and associate that port to VLAN 20.

This is not a major issue, and this is something that could easily be configured, however it will require a router with 2 interfaces free for me to use. What if I had more than 2 VLAN’s? What if I had 200 VLAN’s (Not an uncommon scenario)? Not only would this mean I need a router with 200 interfaces, but it would also mean that my switch would need 200 interfaces. So far this is not looking like a very scalable solution.

2/ I can plug my router in my switch with a single cable. Configure Sub-interfaces on the router and associate each sub-interface to each VLAN. This is FAR more scalable and would allow me to configure more than 2 VLAN’s on a single interface

NOTE: A sub-interface is a logical separation of the physical interface. Each sub-interface can be configured as if it were a physical port on the device.

As you can see from the above, option 2 is the only logical solution for scalability and ease. There is however one small problem with using this option. In order to have multiple VLAN’s been sent over a single cable/port the port needs to be configured as a Trunk port. In my example I have already configured the switch and made FastEthernet 0/23 a trunk port using dot1q as my encapsulation protocol. (Port f0/23 on the switch is plugged into the router’s port f0/1)

Here is the breakdown of the configuration needed to configure a Router on a stick.

AOIP.ORG# ping 10.0.10.2

Confirming that ping does not work to the interface VLAN 10 on my switch which has IP address 10.0.10.2

AOIP.ORG# ping 10.0.20.2

Confirming that ping does not work to the interface VLAN 20 on my switch which has IP address 10.0.20.2

AOIP.ORG(config)# interface fastethernet 0/1.10

This enters the interface FastEthernet 0/1 and creates a sub-interface named ‘10’. NOTE: It is a wise idea to name your sub-interface the same as the VLAN number you are going to allocate it to for help with troubleshooting.

AOIP.ORG(config-subif)# encapsulation dot1q 10

Configures the sub-interface to be encapsulated with dot1q, and allocates this sub-interface to VLAN 10

AOIP.ORG(config-subif)# ip address 10.0.10.1 255.255.255.0

Associate an IP address to the sub-interface

AOIP.ORG(config-subif)# exit

AOIP.ORG(config)# interface fastethernet 0/1.20

This enters the interface FastEthernet 0/1 and creates a sub-interface named ‘20’. NOTE: It is a wise idea to name your sub-interface the same as the VLAN number you are going to allocate it to for help with troubleshooting.

AOIP.ORG(config-subif)# encapsulation dot1q 20

Configures the sub-interface to be encapsulated with dot1q, and allocates this sub-interface to VLAN 20

AOIP.ORG(config-subif)# ip address 10.0.20.1 255.255.255.0

Associate an IP address to the sub-interface

AOIP.ORG(config-subif)# exit

AOIP.ORG(config)# exit

AOIP.ORG# ping 10.0.10.2

Confirm that ping now works, you will notice the first ping failed, but this is purely a ARP delay that caused this

AOIP.ORG# ping 10.0.20.2

Confirm that ping now works, you will notice the first ping failed, but this is purely a ARP delay that caused this

In order to complete the design and installation of the above, all computers that are in VLAN 10 would need to have their Default-gateway configured as 10.0.10.1 and machines in VLAN 20 would need their Default-gateway configured as 10.0.20.1.

When a machine from VLAN 10 tries to communicate with a machine in VLAN 20 the following will take place

1/ Packet enters the switch

2/ The Switch will send the packet via the TRUNK port on VLAN 10 to the router.

3/  The router will receive the packet on sub-interface f0/1.10 tagged as VLAN 10

4/ The router will remove the TAG on the packet and do a lookup in the routing table

5/ The router will encapsulate the packet with a TAG for VLAN 20

6/ The router will send the packet via the TRUNK to the switch on VLAN 20 through sub-interface f0/1.20

7/ The switch will receive the packet on the trunk port on VLAN 20

8/ The switch will send the packet to the destination computer.

Below is the live demo.

Related posts:

1. Configuring a Trunk port on a Cisco Switch
2. VTP (VLAN Trunking Protocol)
3. Configuring an Access port on a Cisco switch

1/ VLAN information will only be sent on trunk ports

2/ Only the VLAN identity is replicated, NOT which ports are configured to use that VLAN!

3/ Maintains database consistency through a common administrative domain. Switches that are not in the same VTP domain WILL NOT replicate!

4/ VTP advertisement are sent as multicast frames

5/ VTP advertisements are sent every 5 minutes or when there is a change.

So based on the above, when I create a new VLAN on a switch, that VLAN will be replicated to all other switches that are in the same VTP domain as the switch I made the change. This allows me to create a VLAN once and have the rest of the network learn about the creation via replication. Once the VLAN information has been replicated, then the switches will be able to allocate ports to the VLAN. At no time will a switch inform other switches about which ports are in which VLANS. VTP purely replicates the existence of the VLAN.

Further to the above, a switch can be configured to be in one of 3 modes of VTP (Server, Client, Transparent)

Server Mode

-          Creates VLAN’s

-          Modifies VLAN’s
-          Deletes VLAN’s

-          Sends and forwards the advertisements about the VLAN’s

-          Synchronizes changes with other switches

-          Saves the information to NVRAM (non volatile RAM)

Client Mode

-          Cannot create, change or delete VLAN’s

-          Forwards advertisements that it has received

-          Synchronizes changes with other switches

-          Does NOT save information to NVRAM, so when it’s rebooted it has to relearn the information

Transparent Mode

-          Creates LOCAL VLAN’s only (This information will not be sent or advertised to any other devices)

-          Modifies LOCAL VLAN’s only

-          Deletes LOCAL VLAN’s only

-          Sends and forwards advertisements that it has received from other devices

-          Does NOT synchronize

-          Saves its OWN configuration to NVRAM

Further to the above it’s important to understand that Transparent mode VTP is usually used in DMZ’s where the information should not be replicated or shared to any other devices on the network. Anything configured on a switch in Transparent mode, remains local to the device. It will not replicate the information with any other devices, and it will not learn any information from other devices.

In most cases, you would have a Server were changes to the VLAN’s would be done, and those changes would be replicated to all other switches in your network which would be running in client mode.

IMPORTANT NOTE: NEVER plug a new switch into a network unless you have configured it as CLIENT MODE!!!. If the new device was configured as a server and it happened to have a higher revision number (Synchronisation number) than the REAL server, the entire database will be overwritten and all VLAN configuration will be lost! This could cause the ENTIRE network to crash. This happens frequently when you have a test network, and you decide to use one of the test switches in the live network.

VTP pruning increases the available bandwidth by reducing unnecessary flooding traffic. This takes form in the following way…

If I have 6 switches in my network, and only 4 of them have any ports configured for VLAN 10, then only 4 switches would need to receive traffic destined for VLAN 10. The other 2 switches would learn about VLAN 10 through VTP and identify that they do not have any ports configured for that VLAN. They will then send a message (prune message) to all other switches asking them not to forward traffic destined for VLAN 10 to them as it will not be useful. If at any point these 2 switches DID have a port configured for VLAN 10, they would un prune themselves. Based on this, traffic destined for VLAN 10 would only be sent to switches that had ports configured to belong to VLAN 10. Please note, VTP does NOT send the port information to other switches, if a switch receives a prune message it would know not to forward traffic to that device for that particular VLAN, it does NOT know what the port configuration is of the neighbour switch.

In order to increase the security of the VTP information, as password can be set. Only devices that share the same password will be able to exchange information with each other. The password checking between devices is done through the use of MD5 hashing, so the password is never sent over the wire.

Additionally, there are currently 2 versions of VTP, VTP version 2 supports the same functions and features as version 1, but also includes the following

-          Token Ring Support

-          Unrecognized Type-Length-Values (TLV)

-          Version-Dependent Transparent mode

-          Consistency Checks

Below is the configuration breakdown used in the live demo.

AOIP.ORG_Switch# conf t

AOIP.ORG_Switch(config)# vtp mode server

Set the mode to Server

AOIP.ORG_Switch(config)# vtp domain AOIP

Defines the Domain name (it is CaSeSeNsItIvE)

AOIP.ORG_Switch(config)# vtp password aoip

Sets the password

AOIP.ORG_Switch(config)# vtp pruning

Turns on VTP pruning

AOIP.ORG_Switch(config)# vtp version 2

Changes to version to version 2 support

AOIP.ORG_Switch(config)#exit

AOIP.ORG_Switch# show vtp status

Shows the current configuration of VTP as well as the replication revision number as seen in the below diagram.

Below is the Live Demo.

Related posts:

1. Configuring a Trunk port on a Cisco Switch
2. Inter-VLAN Routing (Router on a Stick)
3. Configuring an Access port on a Cisco switch

Duplex defines how traffic will be sent and can be related to a 2-way radio vs. A telephone.

With a 2-way radio, more so when there are more than 2 people on the same radio frequency, only 1 person may speak at the same time. If 2 people were to push the PTT (push to talk) button at the same time, they would hear a squelch. Both people would hear the squelch, release the PTT button and try again at a random time interval. Hopefully only 1 person would press the button this time and would be able to speak on the radio frequency, of course if both people pressed the button at the same time again, they would have to repeat the procedure until they managed to be the only person communicating.

In terms of Duplex, a 2-way radio would be the same as ‘Half-Duplex’ were only 1 person may communicate at the same time, if computers tried to talk at the same time, they would have a ‘collision’. Like the people, the 2 computers notice the collision and wait a random time frame before transmitting the packet again.

Full duplex on the other hand is like a telephone. Both parties in a telephone call can talk at the same time. Granted most humans cannot hear and talk at the same time on the phone, but the telephone is able to transmit both flows of traffic from both sides of the telephone line at the same time. If 2 computers wished to send data to each other, and full duplex was available, they would be able to transmit and receive at the same time.

NOTE: A hub can ONLY run at half-duplex. It is not possible for a hub to run at full duplex. A Switch however can be configured for either.

AOIP.ORG_Switch# show interface f0/7

In the live demo below you will notice I have highlighted the current status of the interface (Auto-duplex, Auto-speed)

AOIP.ORG_Switch# conf t

AOIP.ORG_Switch(config)# interface fastethernet 0/7

Enter the interface you wish to configure

AOIP.ORG_Switch(config-if)# duplex full

Set the Duplex to Full, Half or Auto. Auto doesn’t always end up with the best result, so forcing the duplex to the correct value to recommended

AOIP.ORG_Switch(config-if)# speed 100

Set the speed of the interface. Depending on the interface will depend on the possible options. Ethernet can only be set at 10Mbps, FastEthernet can be set at either 10Mbps or 100Mbps, and GigabitEthernet can be set to 10/100/1000 mbps

AOIP.ORG_Switch(config-if)# no shut

Activate the interface

AOIP.ORG_Switch(config-if)# do show interface f0/7

Confirm the new setting have taken effect.

Related posts:

1. Configuring an IP address and Default-Gateway on a Cisco Switch
2. Port Security on a Cisco Switch
3. Configuring a Trunk port on a Cisco Switch

In previous years, an office would have a physical switch or hub in each office, and offices were structured around the job function. In other words, all sales people would be in the same office and would all be connected to the same switch or hub. This allowed for physical association of devices in our networks. In today’s networks people are often spread across multiple offices but we still want to have them separated from a logical point of view.

One reason we want to separate machines logically is to implement access controls. If I don’t want to allow sales people to share and copy files with the marketing people then I would need to implement an ACL (Access Control List) that would deny the traffic. This is easy to achieve if the sales and marketing people are in separate subnets and logically separated from each other. VLAN’s give us this exact option. If you computer has been plugged into a port that is configured in VLAN 10, you are only able to communicate with people in VLAN 10. In order for you to communicate with a different VLAN you traffic MUST go through a router (multi-layer switches have built in routers) and hence the router would be able to run Access lists to allow or deny the traffic.

Another reason for separating the traffic is to isolate broadcasts. Routers do not forward broadcast messages, so any broadcasts that take place on VLAN 10 would remain in VLAN 10.

Another important thing to remember about VLAN’S is:

A VLAN is equal to a Subnet. This means that if I have 2 VLANS, I have at least 2 subnets. I can have more than 1 subnet in a single VLAN, but I cannot have 1 subnet in multiple VLANS.

Below is the configuration to configure a VLAN. To see how to configure a port to belong to a VLAN see the article Configuring an Access port on a Cisco switch

AOIP.ORG# conf t

AOIP.ORG(config)# vlan 2

This creates VLAN 2

AOIP.ORG(config-vlan)# name sales

In order to make your life easier to troubleshoot, naming the VLAN is a good idea. In this case ‘sales’ is the name of our vlan

AOIP.ORG(config-vlan)#exit

AOIP.ORG(config-vlan)# vlan 3

This creates VLAN 2

AOIP.ORG(config-vlan)# name marketing

Naming VLAN 3 – marketing

AOIP.ORG(config-vlan)# exit

AOIP.ORG(config)# exit

AOIP.ORG# show vlan

You will now be able to see which VLAN’s have been created on your device and which ports have been allocated to them.

Related posts:

1. Inter-VLAN Routing (Router on a Stick)
2. VTP (VLAN Trunking Protocol)
3. Configuring a Trunk port on a Cisco Switch

In this tutorial I’m going to explain how to use this command, and different options available using it.

Below is the breakdown of the commands I used in the live demo, and an explanation of each.

AOIP.ORG_Switch# terminal monitor

Since I was connected to my switch via telnet, and I knew there were going to be messages from the switch, I needed to configure Terminal Monitor so I would have these messages sent to my telnet session. By default when connected to a Cisco device via telnet or ssh, no messages will be displayed to your terminal.

AOIP.ORG_Switch(config)# interface fa0/6

Enter the interface that I wish to configure the port security on

AOIP.ORG_Switch(config-if)# switchport mode access

In order for port security to be used, the port MUST be an access port, this command defines that

AOIP.ORG_Switch(config-if)# switchport port-security

This enables the port security feature, and allows me to define the commands below.

AOIP.ORG_Switch(config-if)# switchport port-security maximum 1

I have chosen to only allow 1 mac-address to be learned on this port. At any point if more than 1 mac address was to be discovered, the violation action I define will come into effect.

AOIP.ORG_Switch(config-if)# switchport port-security mac-address aaaa.bbbb.cccc

I have further secured the switch port by defining what mac address is allowed to be learned on this port. If a machine is plugged into this port that does NOT have this mac-address, the violation action will take effect.

AOIP.ORG_Switch(config-if)# switchport port-security violation shutdown

I have 3 choices when defining the violation action

                1/ protect – The switch will drop packets until the violation has been removed

                2/ restrict – This is the same as protect, however it also causes the Security/Violation counter to increment

                3/ shutdown – This will put the interface into a error-disabled state and send an SNMP trap notification

I have chosen the more harsh of the options, and the port will be shut if any of my conditions (more than 1 mac address is learned on the port, and if that one mac address is not aaaa.bbbb.cccc)

AOIP.ORG_Switch(config-if)# exit

AOIP.ORG_Switch(config)# exit

AOIP.ORG_Switch# show port-security interface f 0/6

The first time I ran this command in the live demo, you will notice the configuration on the port that I had just made, however there are no violations recorded. Shortly afterwards, I plugged a device into port f0/6 that DID NOT have the mac address aaaa.bbbb.cccc which caused a violation. You will notice I received error messages on screen (thanks to term mon), and when I run the show port-security command again, you will notice the violation count has incremented.

Additional commands I could have used are.

AOIP.ORG_Switch(config-if)# switchport port-security aging time 5

If you have configured the switch to allow 5 mac addresses to be learned dynamically, those addresses will be kept in the database until the aging time has expired. This command will set the aging time to 5 minutes, which overrides my switches default value of 20 minutes.

AOIP.ORG_Switch(config-if)# no switchport port-security aging

This will DISABLE the aging time.

In order to activate a port that has been put into ‘error-disabled’ state. Shut the port, and no shut it afterwards. If the violation has not been removed, the port will revert back to error-disabled.

Related posts:

1. Configuring a Trunk port on a Cisco Switch
2. Configuring an Access port on a Cisco switch
3. Configuring an IP address and Default-Gateway on a Cisco Switch

A Trunk port is a port that has been configured to send and receive traffic from ANY and ALL VLANS.

In order to send traffic over a trunk port, the original information about the VLAN needs to be maintained. Since multiple VLANS will be sent over a single cable / port, the next switch or router would not be able to identify which VLAN it needs to belong to without some type of identification process.

There are currently 2 supported methods on Cisco switches and routers for maintaining the VLAN information over a trunk.

1/ 802.1Q – Otherwise known as ‘dot1q’

2/ ISL – Inter-Switch Link (Cisco proprietary protocol)

Below is the minimum configuration required for configuring a trunk port. Please note, the same would need to be done on the switch on the other end of the cable as well.

AOIP.ORG_Switch# conf t

AOIP.ORG_Switch(config)# interface g 0/1

Enter the interface mode

AOIP.ORG_Switch(config-if)# switchport trunk encapsulation dot1q

Define the trunking protocol as dot1q or isl

AOIP.ORG_Switch(config-if)# switchport mode trunk

Force the mode of the port to be a trunk port

AOIP.ORG_Switch(config-if)# no shut

Activate the interface

Related posts:

1. Configuring an Access port on a Cisco switch
2. Port Security on a Cisco Switch
3. Inter-VLAN Routing (Router on a Stick)

If you are certain that you will not be causing loops on your network by plugging certain types of devices into your switch, you can force the switch to go live immediately, rather than waiting the 50 second default value.

Firstly, the command we will use to allow this is “spanning-tree portfast”, which can only be configured on a port that is NOT acting as a trunk. So before configuring portfast we need to insure our port is configured as an access port.

When configuring a port as an access port you also want to define which VLAN (Virtual LAN) the port belongs to.

Here is the breakdown of the configuration required.

AOIP.ORG_Switch# conf t

AOIP.ORG_Switch(config)# interface fastethernet 0/10

Enter the interface you wish to configure

AOIP.ORG_Switch(config-if)# switchport mode access

Configure the port as an access port

AOIP.ORG_Switch(config-if)# switchport access vlan 10

Define the access port to belong to vlan 10

AOIP.ORG_Switch(config-if)# spanning-tree portfast

This configures portfast and will allow the port to go live immediately when something is plugged in.

Related posts:

1. Configuring a Trunk port on a Cisco Switch
2. Configuring an IP address and Default-Gateway on a Cisco Switch
3. Port Security on a Cisco Switch

On a router we configure the IP address on the physical interface, however on a switch the physical interfaces are running at Layer 2 and hence don’t have IP addresses configured on them.

Even though a switch does not need an IP address to be able to switch packets, in order for you to connect to the switch via telnet or SSH you need to have a management IP address configured. Similarly, if you are connecting to the switch from a different subnet, the switch will require a default-gateway in order to have the packets routed back to you.

Since the IP address is not bound to any physical interface on the switch, we need to bind it to a logical interface. On a switch the logical interface is known as a ‘vlan interface’ (VLAN – Virtual LAN). This is similar to a loopback interface found on a Cisco router.

Here is the breakdown of the commands used in the live demo below.

AOIP.ORG_Switch# conf t

AOIP.ORG_Switch(config)# interface vlan 1

This enters the logical interface ‘vlan 1’. Vlan 1 is the native vlan and used for management purposes.

AOIP.ORG_Switch(config-if)# ip address 192.168.1.11 255.255.255.0

Assigns the ip address 192.168.1.11 to the interface

AOIP.ORG_Switch(config-if)# no shut

Activates the interface

AOIP.ORG_Switch(config-if)# exit

AOIP.ORG_Switch(config)# ip default-gateway 192.168.1.1

Defines a default-gateway for this switch.

Related posts:

1. Configuring a Trunk port on a Cisco Switch
2. Configuring an Access port on a Cisco switch
3. Port Security on a Cisco Switch

In order for us to have any type of sniffing function (IPS, IDS, Wireshark etc), we must configure the switch to send traffic to the port you have plugged your sniffer into.

In the live demo below I have configured my switch to send any and all traffic going to, or coming from FastEthernet ports 0/1 – 0/ 10 to my sniffer which is plugged in on FastEthernet 0/15.

Here is the breakdown of the commands

AOIP.ORG_Switch# conf t

AOIP.ORG_Switch(config)# monitor session 1 source interface fastethernet 0/1 – 10 both

This defines the source ports, and the direction of traffic I want to monitor. The session number ‘1’ must be referenced in my next statement

AOIP.ORG_Switch(config)# monitor session 1 destination interface fastethernet 0/15

This defines the destination port I wish to have a copy of the traffic sent to, and links this to the session number used to define the source ports.

Related posts:

1. Configuring a Trunk port on a Cisco Switch
2. Port Security on a Cisco Switch
3. Configuring an Access port on a Cisco switch