1.3.b STP root bridge selection
1.4 Configure, verify, and troubleshoot STP-related optional features
1.4.a PortFast
1.4.b BPDU guard
1.5 Configure, verify, and troubleshoot (Layer 2/Layer 3) EtherChannel
1.5.a Static
1.5.b PAGP
1.5.c LACP
1.7 Describe common access layer threat mitigation techniques
1.7.c Nondefault native VLAN
2.0 Routing Technologies
2.1 Configure, verify, and troubleshoot Inter-VLAN routing
2.1.a Router on a stick
2.1.b SVI
Long ago, a company called Digital Equipment Corporation (DEC) created the original version of Spanning Tree Protocol (STP). The IEEE later created its own version of STP called 802.1d. Cisco has moved toward another industry standard in its newer switches called 802.1w. We'll explore both the old and new versions of STP in this chapter, but first, I'll define some important STP basics.
Routing protocols like RIP, EIGRP, and OSPF have processes for preventing loops from occurring at the Network layer, but if you have redundant physical links between your switches, these protocols won't do a thing to stop loops from occurring at the Data Link layer. That's exactly why STP was developed – to put an end to loop issues in a layer 2 switched network. It's also why we'll be thoroughly exploring the key features of this vital protocol as well as how it works within a switched network in this chapter.
After covering STP in detail, we'll move on to explore EtherChannel.
To find up-to-the-minute updates for this chapter, please see www.lammle.com/ccna or the book's web page at www.sybex.com/go/ccna.
VLAN Review
As you may remember from ICND1, configuring VLANs is actually pretty easy. It's just that figuring out which users you want in each VLAN is not, and doing that can eat up a lot of your time! But once you've decided on the number of VLANs you want to create and established which users you want to belong to each one, it's time to bring your first VLAN into the world.
To configure VLANs on a Cisco Catalyst switch, use the global config vlan command. In the following example, I'm going to demonstrate how to configure VLANs on the S1 switch by creating three VLANs for three different departments – again, remember that VLAN 1 is the native and management VLAN by default:
In this output, you can see that you can create VLANs from 1 to 4094. But this is only mostly true. As I said, VLANs can really only be created up to 1001, and you can't use, change, rename, or delete VLANs 1 or 1002 through 1005 because they're reserved. VLANs numbered above 1005 are called extended VLANs and won't be saved in the database unless your switch is set to what is called VLAN Trunking Protocol (VTP) transparent mode. You won't see these VLAN numbers used too often in production. Here's an example of me attempting to create VLAN 4000 on my S1 switch while it is set to VTP server mode (the default VTP mode, which we'll talk about shortly):
After you create the VLANs that you want, you can use the show vlan command to check them out. But notice that, by default, all ports on the switch are in VLAN 1. To change the VLAN associated with a port, you need to go to each interface and specifically tell it which VLAN to be a part of.
Remember that a created VLAN is unused until it is assigned to a switch port or ports and that all ports are always assigned in VLAN 1 unless set otherwise.
Once the VLANs are created, verify your configuration with the show vlan command (sh vlan for short):
If you want to see which ports are assigned to a particular VLAN (for example, VLAN 200), you can obviously use the show vlan command as shown above, or you can use the show vlan id 200 command to list only the ports assigned to VLAN 200.
This may seem repetitive, but it's important, and I want you to remember it: You can't change, delete, or rename VLAN 1 because it's the default VLAN and you just can't change that – period. It's also the native VLAN of all switches by default, and Cisco recommends that you use it as your management VLAN. If you're worried about security issues, then change the native VLAN! Basically, any ports that aren't specifically assigned to a different VLAN will be sent down to the native VLAN – VLAN 1.
In the preceding S1 output, you can see that ports Fa0/1 through Fa0/14, Fa0/19 through Fa0/23, and the Gi0/1 and Gi0/2 uplinks are all in VLAN 1. But where are ports 15 through 18? First, understand that the show vlan command only displays access ports, so now that you know what you're looking at with the show vlan command, where do you think ports Fa0/15 through Fa0/18 are? That's right! They are trunked ports. Cisco switches run a proprietary protocol called Dynamic Trunk Protocol (DTP), and if there is a compatible switch connected, they will start trunking automatically, which is precisely where my four ports are. You have to use the show interfaces trunk command to see your trunked ports, like this:
This output reveals that VLANs 1 to 4094 are allowed across the trunk by default. Another helpful command, which is also part of the Cisco exam objectives, is the show interfaces interface switchport command (with interface replaced by the port you want to inspect):
The highlighted output shows us the administrative mode of dynamic desirable, that the port is a trunk port, and that DTP was used to negotiate the frame-tagging method of ISL. It also predictably shows that the native VLAN is the default of 1.
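The two defaults this trunk output exposes, native VLAN 1 and all VLANs 1-4094 allowed, are exactly what the earlier advice to change the native VLAN is about. As an added example (not from the book or from Cisco), here is a small Python audit that parses the two tables of show interfaces trunk and flags trunks still carrying either default; the sample output it runs on is constructed to look like IOS output, not captured from S1.

```python
# Constructed sample of "show interfaces trunk" output (shaped like the tables IOS
# prints, not captured from a real switch); used as input for the audit below.
SAMPLE_SHOW_INTERFACES_TRUNK = """\
Port        Mode         Encapsulation  Status        Native vlan
Fa0/15      desirable    n-isl          trunking      1
Fa0/16      desirable    n-isl          trunking      1
Fa0/17      desirable    n-isl          trunking      999
Fa0/18      desirable    n-isl          trunking      1

Port        Vlans allowed on trunk
Fa0/15      1-4094
Fa0/16      1-4094
Fa0/17      10,20,30,999
Fa0/18      1-4094
"""

def parse_show_interfaces_trunk(text):
    """Return {port: {"native": int, "allowed": str}} from the native-VLAN and allowed-VLAN tables."""
    trunks, section = {}, None
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if fields[0] == "Port":  # a table header tells us which table follows
            section = "native" if "Native" in line else "allowed" if "allowed on trunk" in line else None
            continue
        if section is None:  # other tables (active / not pruned VLANs) are ignored here
            continue
        entry = trunks.setdefault(fields[0], {})
        if section == "native":
            entry["native"] = int(fields[-1])
        else:
            entry["allowed"] = fields[1]
    return trunks

def audit_trunks(trunks, default_native=1):
    """Flag trunks still on the default native VLAN or allowing every VLAN (1-4094)."""
    findings = []
    for port in sorted(trunks):
        info = trunks[port]
        if info.get("native") == default_native:
            findings.append((port, "native VLAN is the default; move it to a nondefault native VLAN"))
        if info.get("allowed") == "1-4094":
            findings.append((port, "all VLANs allowed on trunk; restrict to the VLANs this link carries"))
    return findings

if __name__ == "__main__":
    for port, issue in audit_trunks(parse_show_interfaces_trunk(SAMPLE_SHOW_INTERFACES_TRUNK)):
        print(f"{port}: {issue}")
```

In the constructed sample only Fa0/17 passes both checks; the other three trunks each produce two findings.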
Now that we can see the VLANs created, we can assign switch ports to specific ones. Each port can be part of only one VLAN, with the exception of voice access ports. Using trunking, you can make a port available to traffic from all VLANs. I'll cover that next.
Assigning Switch Ports to VLANs
You configure a port to belong to a VLAN by assigning a membership mode that specifies the kind of traffic the port carries plus the number of VLANs it can belong to. You can also configure each port on a switch to be in a specific VLAN (access port) by using the interface switchport command. You can even configure multiple ports at the same time with the interface range command.
In the next example, I'll configure interface Fa0/3 to VLAN 3. This is the connection from the S3 switch to the host device:
Well now, what do we have here? There's some new stuff showing up in our output now. We can see various commands – some that I've