Friday, January 20, 2017

Investigating the MAC Address Table and SDM Templates

                  A really common troubleshooting approach we use when we have a device like an End user PC that cannot get to some destination out on the network “is to follow the path as we following the path during our troubleshooting, the first step along that path is often a wiring clauses Switch to which that End devices connected, what we might want to do is go to that Switch and Verify that the clients mac-address has been learned on the appropriate port on that Switch, let see how to we can take a look at context of Switch Mac-address table, we can do a
Ø  Sw1#show mac address-table

Notice that, we got several Static entries and few dynamic entries and Static entries could be an entry that we made ourselves
Ø  We could of Statically
Ø  We could of manually said, this Mac-Address of this Port
                     However, you notice that all of these ports say CPU these Mac-Addresses associated with the Switches Processor, it looks like we have not statically entered any Mac-Addresses mapping but we have Dynamically learned a few.
                       Different Switches have different capacities to store Mac-Addresses maybe this is because we have just a really really large network with thousands of Mac-Addresses but it could be because of Security issue sometime, an Attacker would send just a flood of frames into a Switch with each of those frames claiming to be from a different Mac-Address and that can fairly quickly fill up Switches Mac Address-Table.
                      If that Table fills to capacity, what happens when we add a new device to the Switch there is no room to learned the Mac-Address of that new Device, so what happens when a frame comes in destined for that device?
                       Well since the Switch has not learned of which port that Mac-Address lives, to make sure gets to the right place, the Switch is going to flood that frame another words, it’s gonna send a copy of that frame out of all other Switchport’s other than the port on which the frame was received and that might allow the attacker to start capturing they could start sniffing the packets coming of the different port, we can prevent that attack by Port Security which is the topic we talked about back in the CCNP Switch Course.
                              If the Mac Address-Table is filling up not because of an Attack because we just have a large network we got lots of Switches that are interconnected, to help prevent that Mac-Address Table from filing to capacity what we could do is make sure that if we have not heard from one of those Devices with one of those Mac-Addresses for a certain period of time, we can age them out we can remove them from the Mac Address-Table, we can simply relearn the Mac-Address, no need keeping Mac-Addresses for Hours and Days or Weeks possibly, what we can do is Time out Mac-Address entry again if don’t heard from that Mac-Address for a while, here is a command we can issue to see how quickly aging out those entries
Ø  Sw1#show mac address-table aging-time

                      On looks like, this Cisco 3750 Series Switch the aging time is 300 Seconds or 5 Minutes, i am aging out Mac-Address entries every 5 Minutes if i am not heard from those Mac-Addresses within the last 5 minutes and Well Layer 2 Switch makes a forwarding decision based on Mac-Mddresses, many our Switches are Multilayer Switches they can make forwarding decision based on other criteria such as Destination IP Addresses, such as Quality of Service Access Control Entries or Qos ACE’s, we might have Security ACE’s, Security Access Control Entries which make up Security ACL an Access Control List, and many of our Switches have a TCAM or Ternary Content Addressable Memory
                       That can help us Switch make a forwarding decision based on criteria like that very very rapidly the TCAM can help us Switch very efficiently make a forwarding decision because it combines Quality of Service Entries, Security Access Control Lists and IPv4 Route information into an area of memory that can be queried when the Switch wants to make a forwarding decision and notice i said IP Version 4, there is a way for the TCAM to support IPv6 Routing but it might not be enabled by default on your Cisco Catalyst Switch, it’s not enabled by default on Cisco Catalyst 3750 Series Switch but depending on what we want our Switch to,
Ø  We want to do IPv4 and IPv6 Routing?
Ø  Do we want to keep track lots of Route?
Ø  Do we want to support multiple Routed interfaces?
Ø  Or would we rather it just learned lots of lots Mac-Addresses
                      With that finite amount of resources in our TCAM and we can reallocate there resources depending on what we want to Switch to do, where it’s going to be playing a role of our network but a great news is we got some flexibility and how we allocate these resources we can apply a SDM Templates
                        SDM that stands for Switch Database Management and this templates can tell the TCAM how to allocate its resources for example, let’s say we had a Switch that needed to keep track of lots of Vlan or lots of Mac-Addresses but it didn’t need to do much if any routing or we would probably want the TCAM configure differently than a Switch, we might have at the distribution Layer or the Core Layer we might need to keep track of lots of IP Routes
To see what SDM Templets were running right now we can give this command
Sw1#show sdm prefer
                      And right now, it says we are running Desktop Default that’s the SDM templates we are running and that’s the default on this Switch and notice
Ø  It supports 8 Routed interfaces
Ø  It supports the 1024 Vlans
Ø  And its support certain number of Qos Entries
Ø  A certain number of Security Access Control Entries
Ø  A certain number of IPv4 Unicast Routes
                      Notice this output doesn’t say anything about IPv6 but there is a way i am gonna demonstrated for you to support IPv6 routing on this Cisco Catalyst Switch, infect let’s look at command that lets us select the SDM Templates to use.
Ø  Sw1(config)#sdm prefer ?
We have got 5 options here
Ø  Access: - The Access SDM Templates might be appropriate for an Access Layer Switch where we know about lots of Vlan’s but we are not doing much Routing
Ø  Default: - What we have by default and it gives us mixture of support for some Routing and the ability to know about several Vlans
Ø  Dual IPv4 and IPv6: - is going to add IPv6 Routing support and this is the SDM Templates we going to applying just a movement
Ø  Routing: - A Routing might appropriate for a distribution Layer Switch or Core Layer Switch where we need to keep track of multiple Routes but keep in mind if you just say Routing by itself that only giving you IPv4 support, you are not routing IPv6 traffic.
Ø  Vlan: - If we have a lot of Vlans and those Vlan contain lots of devices, we might need to go with this Templates in order to store all of the Mac-Address
                              Now let’s say that we got a Trouble Ticket that’s indicating this Multi-Layer Switch is unable to Route IPv6 traffic, we might begin by saying what’s is the SDM Templates applied right now and does it gives IPv6 support let’s go to global Configuration mode
Ø  Sw1(config)#sdm prefer dual-ipv4-and-ipv6 default
Now when i do this it doesn’t take effect immediately, let me prove that
Ø  Sw#show sdm prefer
You will see it still in desktop default if i try to configure IPv6 unicast-routing, it will not let me check this out
Ø  Sw1(config)#ipv6 unicast-routing
                        It doesn’t even know about the IPv6 command because this change that i have made doesn’t take effect until we reload, it says next reload the templates is gonna be installed, lets reload the Switch.
All right Switch has been rebooted, let’s see what our SDM Templates is now
Ø  Sw1#show sdm prefer
                  This time it says “desktop ipv4 and IPv6 default”, now we see references IPv6 and this output, let’s see we can now enable IPv6 Routing
Ø  Sw1(config)#ipv6 unicast-routing
                      We now have IPv6 Routing support by changing the SDM templates and that’s one of most common reason would change the SDM Templates another reason, we might change this Templates is we running out of specific resource and we want to reallocate the TCAM resources to see the current usage of the TCAM resources, we can give this command
Ø  Sw1#show platform tcam utilization
                  Notice that, we have columns for the maximum number of values that TCAM can accommodate for things like IPv4 Qos ACE’s, IPv4 Security ACE’s for example it looks like i can support a maximum of 768 Qos Access Control Entries and i am currently using 260 of those 768 available entries, if the number in the used columns are approaching the maximum values that might be a concern to us.
                    One of things that i would encourage you to do first before just changing the SDM Templates is to see if it can more efficient in your Configuration for example, if you running out of entries for IPv4 Unicast Indirectly Connected Routes instead of changing the SDM Templates with if you did Route Summarization that can cut down the number of Route Entries you had, think about ways optimize the current Configuration before changing the SDM template.

                     If You Like the Post. Don’t forget 
            to “Subscribe/Share/Comment”. Thank You.

Read More

Sunday, January 15, 2017

Voice Vlan Configuration

                           Now the we talked about the theory of Voice Vlans, let’s take a look at how to configure them and remember that, there are 3 approaches we can do a Single Vlan Access Port that was the least Desirable but in some cases, we said we might need to do a Single Vlan Access Port for both an IPPhone and attached PC, where sending traffic into the same Vlan
                          The second option was a Multi-Vlan Access Port that a special type of Access Port where Cisco says “you can have two Vlans on a single Access Port if and if one of those Vlans is to decleared to be a Voice Vlan” and our third option was to create a Trunk Port and we know that, Trunk Ports can carry traffic for lots of Vlans infect, that could be a challenge for Security reason for Quality of Service reason, we probably don’t want that trunk between the Phone and the Wiring Switch carrying traffic for all of our Vlans, really we wanna carrying traffic for couple of Vlans, the Voice Vlan of course to get the Phone and if we do have an attached PC, we want to be carrying traffic for the Native Vlan remember that, the Native Vlan is the Vlan on a DOT1Q trunk that does not have those 4 extra Tag Bytes we call it an Untagged Vlan that’s the Vlan of PC attached to our IPPhone, first let’s see how to setup a Single Vlan Access Port and we gonna be using this topology on Picture
                     Notice we have got Laptop running a software based IP Phone and it’s plugging into interface fast Ethernet 1/0/10 on Switch SW1, how would we set up a Single Vlan Access Port, let’s go into a global Configuration mode and
Ø  Sw1(config)#interface fastetherent 1/0/10
Ø  Sw1(config-if)#switchport mode access
Ø  Sw1(config-if)#switchport access vlan 300
                             But we said that with a Single Vlan Access Port if maybe we had third party IP Phone that was Plugin to this type of Port and that Third Party Phone did not support the concept of Voice Vlan having a Phone to send traffic to one Vlan and attached PC sending traffic to different Vlan, we said that even though we could not get the Vlan separation, there was still a way if the Phone or the software PC supported it to give Priority marking to that Voice traffic, it was a DOT1P marking, it’s very simple to set that up, we simply say
Ø  Sw1(config-if)#switchport voice vlan dot1p
                        We are saying if any traffic comes in with a DOT1P tag, that traffic is part of our Vlan Voice Vlan and the Priority marking can be embedded inside of those Tag Bytes, let’s setup another port fastetherent 1/0/11, let’s set it up as a Multi-Vlan Access Port, we go into an interface
Ø  Sw1(config)#interface fastetherent 1/0/11
Ø  Sw1(config-if)#switchport mode access
Now we can specify the two different Vlan’s that can be on that Port, that Data Vlan another words the Access Vlan and the Voice Vlan
Ø  Sw1(config-if)#switchport access vlan 300
Ø  Sw1(config-if)#switchport voice vlan 400
                        How does the Phone know that it’s the Voice Vlan, if we using Multi-Vlan Access Port Configuration CDP specifically CDPv2 is going to tell the attached Phonehere is your Voice Vlan you belong to Vlan 400” now when that Phone boots up and it does a DHCP Request out on the network to get it’s IP Address and other information but the way the Phone knows how to make a DHCP Request thanks to CDP Version 2 we said, if we are not running CDP though if we running LLDP-Med, this was not an option for instead we need to have a trunk Connection between our Switch and IP Phone, let’s see how to set that up using
Ø  Sw1(config)#interface fastetherent 1/0/12
Ø  Sw1(config-if)#switchport trunk encapsulation dot1q
Ø  Sw1(config-if)#switchport mode trunk
                         Now the we said this Port is a trunk we need to define what the Native Vlan remember, the Native Vlan that’s the Vlan in to which PC would belong, if we had a PC plugged into that IP Phone and we can specify that Vlan which is going to be Vlan 300 in our Case for the Data Vlan, we can specify that with a command
Ø  Sw1(config-if)#switchport trunk native vlan 300
Now let’s specify the Voice Vlan
Ø  Sw1(config-if)#switchport voice vlan 400
                      And this Configuration by itself would work however, we now have a trunk between this Cisco Catalyst Switch and the IP Phone and that trunk by default is gonna be carrying traffic for all of the Vlan we probably don’t want that let’s do Prun off the unneeded Vlan, remember our discussion of Vlan Pruning on Trunks
Ø  Sw1(config-if)#switchport trunk allowed 300,400
                            We have now configured 3 different Ports to connect out IP Phones and if we want to verify the configuration one of those ports, let’s do fastetherent 1/0/11 of an example
Ø  Sw1#show interfaces fastethernet 1/0/11 switchport
                            This is gonna give us information such as what kind of port is this, we can see this is an Access Vlan or the Data Vlan of 300 that’s not going to have any Tags on it, and we got a Vlan of 400 that’s the Voice Vlan it will be tagged, the Voice frames have 4 extra Bytes added.

                    If You Like the Post. Don’t forget 
            to “Subscribe/Share/Comment”. Thank You.
Read More

Wednesday, January 11, 2017

Voice Vlan Theory

                 Well we are on the topic of Vlans and Trunks, i wanna tell you about the Special type of Vlan, it’s a Voice Vlan let’s imagine that we have a situation like we have depicted on Picture
                      Maybe we replacing Traditional IP Telephony PBX Phones with IP Phones, these IP Phones they are Ethernet devices they plug into that RJ45 Connector in the wall but if a particular office and Cubical only had one Ethernet Connection to start with and we had a PC, we have a Laptop plugged into that Connection and now suddenly we adding a Phone that means we have to put Switch in this office to accommodate another Ethernet Port.
                     Well the great news is many of our Cisco IP Phones have a Port on the back labeled PC Port and it allows us to sort of Daisy chain, the PC into the Phone then go into the Wall, the Phone itself is acting as a little Switch its technically 3 Ports Switch
Ø  One Ports goes to the Wall Jack
Ø  One Port goes to the internal workings Phone itself and
Ø  This other Port can connect to this PC
                             We don’t have to run additional cabling we don’t have to add an another Switch into that office, the Phone will handle that for us, and notice what’s happening here the PC that attached to the Phone gets to be in a different Vlan, here on i am saying that the Laptop is in Vlan 300 Data Vlan and the Phone is in Vlan 400 a Voice Vlan, and that’s gonna give us some benefits it’s gonna give us performance benefits for one thing by having Vlan’s Separation if we had a big Broadcast Storm on the Data Vlan that’s not going to negatively impact the Voice Vlan and it could also help out from a Security prospective somebody not gonna able to attach a network sniffer to the network and start sniffing Voice packets that’s the idea behind a Voice Vlan we have a Separate Subnet for Voice traffic, and there are different ways of we can set up.
                 This Port into which the Phone is connecting into the Switch it could be a Single Vlan Access Port, in which case the PC and the Phone would be a member of the Same Vlan and that’s the least Desirable of this option by the way.
                    Another option is it can be connected into a Special type of Access Port in Multi-Vlan access Port or it can connect into a Trunk Port, we know the Trunk can carry traffic for Multiple Vlan’s, and that Trunk between the Phone and Switch could carry traffic for the Voice Vlan and the Data Vlan let’s take a look at these one at a time beginning with the Single Vlan Access Port.
                With the Single Vlan Access Port that Port into which that Phone is connected, it is an Access Port and like most Access Ports are it is configured for only 1 Vlan meaning that the Phone and the PC are the member of the same Vlan it doesn’t seem like this giving us much more benefits does it, when would we use such a thing?
                Well maybe we were using a non-Cisco IP Phone that doesn’t support the concept of Voice Vlan or maybe we have a Software based Client on our Laptop on or PC, maybe its Zebra Client maybe its Cisco IP Communicator but if it’s the same device that’s acting as a Data Device and the Voice device then we might need to use a Single Vlan access Port however, even though we doing that we still can get some Quality of Service benefits from this Configuration.
                         Remember when we were talking about an 802.1Q Trunk, we mentioned that except for the Native Vlan the other Vlans had 4 Bytes added to their frame and inside of 4 Bytes we had 3 bits called the Priority bits and those 3 bits could be used to indicate the Priority of our frame and with 3 bits to work with that gave us 8 Possible values of Priority because 23=8 but Cisco says do not use values of 6 and 7 those are reserved for Network use, we can only use values for Production traffic and the range of 0-5, and that’s the value to which Voice frames should be set they should have a marking a COS a Class of Service marking of 5 on a DOT1Q trunk and the great news is Cisco IP Phone do that for us by default, and we enable DOT1P on our Switch even though we have a single Vlan, it can still accept frames that come in that have 4 extra Bytes and this is not a Trunk but if we enable the Port for DOT1P
                  It will accept the frame that looks similar to a Trunk frames and i say similar because it still going to have 4 extra Bytes added inside of the 4 Bytes, there are 3 Bits that are gonna be used to mark the Priority marking but we called this a DOT1P marking.
What’s the difference between DOT1P marking and regular COS marking that we would have on a DOT1Q Trunk?
                    Well a DOT1Q trunk uses 12 bits in those 4 Bytes to indicate a Vlan ID, DOT1P does not do that DOT1P is not tagging a frame it belonging to a particular Vlan, infect if you were take a look at these bits representing the Vlan Field, they would all be the set to 0, that’s the big difference between a DOT1P marking and a COS marking which is part of DOT1Q Trunk and we see on few movement how to configure that Switchport to accept DOT1P marking
                 Another option we have is to configure the Switchport as a Multi-Vlan Access Port, Cisco gives an exception here, Cisco says we can have a couple of Vlans appearing on an Access Port if and only, if we say that one of those Vlans is a Voice Vlan, what a great solution this way we can go to this Port and plug in a Laptop and it’s gonna just fine like an Access Port because it is an Access Port but if we have a Phone plugged in maybe we got a PC plugged into that Phone, the Phone will automatically learn that it belong to the Voice Vlan and the PC is belong the a Data Vlan how does this work?
                 Like we said this truly is an Access Port, we set the Switchport Mode to Access Port however, it can support two Vlans if we say one of those Vlans is an Access Vlan or Data Vlan and the other Vlan is the Voice Vlan, the way Phone learns which Vlan is the Voice Vlan is thanks to CDP a Cisco Discovery Protocol, the Switch is going to send a CDP message by the way it has to be CDP Version 2 this doesn’t work with CDP Version 1 but the Switch is gonna send a CDP Version 2 message to the Phone to say “here is your Voice Vlan and now when the Phone sends out a DHCP Request to get it’s IP Address and Subnet Mask and it’s Default Gateway and IP Address of TFTP Server that it needs, when it does that it not gonna be able to do that as a member of appropriate Vlan, it’s gonna be asking for an IP Address belonging to in this case Vlan 400
                  Remember we talk earlier about CDP the Cisco Discovery Protocol vs LLDP the Link Layer Discovery Protocol, this approach of having a Multi-Vlan Access Port this does not work with LLDP-Med, Link Layer Discovery Layer Protocol-Media Endpoint Discovery
                      If we relying on LLDP, instead of CDP we can only run one or other on your Switch then the Phone is not automatically learn it’s Vlan assignments gonna be able to, if we have a situation like that if we using LLDP-Med we should probably make that Port a Trunk Port and we talk about that in just a movement if we are using CDP this is great way to go and we do a Packet Capture on frame Flowing between that Phone and that Switch, it would look like a DOT1Q trunk frame, infect i were to use a Packet Capturing say “can you tell me, is this frame going into a Multi-Vlan Access Port or it’s going into a Trunk Port” you would not able to tell me difference because it is identical to a Trunk frame that we would find on a DOT1Q Trunk.
                   It specifically frame coming from the Phone are going to be tagged, they are going to have those 4 extra Bytes and those 4 extra Bytes do contain a Vlan Tag in this Case Vlan 400 we gonna have 3 bits on those Bytes they gonna marked the COS Class of Service Priority marking for Phones traffic and Phone automatically sets those to a COS of 5 and remember on DOT1Q Trunk we have 1 Vlan that we say it’s Untagged Vlan, well the Data Vlan in this case is gonna be untagged Vlan the PC’s frame is going into the Switch they do not have these extra 4 Bytes, those are 2 options for connecting an IP Phone to our Cisco Catalyst Switch, let’s take a look at another option.
                 And that other option is to use a Trunk Port and in this case the Port is a Trunk Port that’s gonna be a DOT1Q Trunk Port and we know that, the Trunk can carry traffic for Multiple Vlans and if we already using LLDP-Med or we using CDP this is gonna be compatible because we are not using that Special exception Cisco gives us for a Multi-Vlan Access Port and the frames truly are DOT1Q Trunk frames they look identical frames but here we do technically have a Trunk the switchport itself is configured in a Trunk Mode but that in self brings up bit a challenge because think about for movement by default traffic for what Vlan’s flow over a Trunk?
                    And the answer is all of our Vlans that means
Ø  That depending on how you have your Phone setup
Ø  You could have in some cases depending on your Phone Model
Ø  Depending on your Configuration
                 But in some cases, you could have the attached PC, attached Laptop runs some sort of Packet Capture utility and capture traffic not just for Data Vlan but for all the Vlans appearing on that Trunk you could see unknow uncast frames, broadcast and multicast frames from a security prospective that’s not good therefore Cisco strongly advises though as to Prun off any unneeded Vlans from that Trunk
Those are the 3 option for connecting and IP Phone into the Switch, that the look at the Theory of Voice Vlans.

 In our next session, we wanna see how to Configure Voice Vlan

                     If You Like the Post. Don’t forget 
            to “Subscribe/Share/Comment”. Thank You.
Read More

Friday, January 6, 2017

VTP Configuration

Now the we talked about the theory of VTP, let’s see how to set it up in this topology

                We already created a Trunk links between Sw1 and Sw2 and also between Sw1 and Sw3, now let’s configure VTP on all of the switches such that, if we were to add a Vlan let’s say the Switch Sw1, that newly created Vlan would be advertised over these Trunk links and that newly created Vlan would be learned by the other Switches in this example, let’s say that Sw1 and Sw2 are gonna be in a Server Mode and Sw3 is gonna be a Client Mode, let’s begin our Configuration on Switch Sw1, first let’s set Sw1 to Server Mode and maybe it already be in a Server mode let’s just confirm that and by being in Server Mode we gonna be able to make changes to our local Vlan Database, let’s go to Global Configuration mode an say
Ø  Sw1(config)#vtp mode server
Next let’s set the VTP Domain name, this is the Case-sensitive Domain name.
Ø  Sw1(config)#vtp domain VTPDEMO
And also, set the Password, we can do that by
Ø  Sw1(config)#vtp password S3cret
                    It might also be a good idea to turn on VTP Pruning remember what that does, it’s says if the far end Switch doesn’t have any ports belonging to a particular Vlan, there is no need to send traffic for that Vlan over the Trunk, however if we make a change to that far end Switch, maybe we do assign a port to that Vlan, VTP is gonna recognize dynamically and start sending traffic for that Vlan over the Trunk, that Vlan is no longer gonna be Pruned, it truly simple to set this up, we just say
Ø  Sw1(config)#vtp pruning
                  And let’s also hard code the Version of VTP that we want to run, although we have Versions of 1, 2 and 3 available many of our new higher end Switches, we might have some Switches on network that only support Versions 1 and 2
                Well the good news is Version 3 is backwards compatible with Version 2 but personally i like to keep things consistent and i am just gonna configure these Switches for VTP Version 2, we can do that by
Ø  Sw1(config)#vtp version 2

Let’s take a look at the VTP configuration that we now have on Switch Sw1, to do that we gonna give the command.
Ø  Sw1#show vtp status
                       This is the main command we use when we dealing Verification and Troubleshooting of VTP, it show that this Switch is capable of running VTP Versions 1 or 2 or 3 but
Ø  Currently the Version that were running is Version 2
Ø  Our Domain name is a VTPDEMO
Ø  Pruning is currently enabled
Ø   Notice that we have a Hash Digest for the password we configured it’s an MD5 Hash rather than the Plain text password, that’s probably good thing
Ø   we can also see our Current Configuration Revision Number it’s 1
Ø   And the number of Existing Vlans we have right now 7

Now let’s perform an identical configuration on Switch Sw2
Let’s go to Switch Sw2
Ø  Sw2(config)#vtp mode Server
Ø  Sw2(config)#vtp domain VTPDEMO
Ø  Sw2(config)#vtp password S3cret
Ø  Sw2(config)#vtp pruning
Will make sure that our Version is Version 2
Ø  Sw2(config)#vtp version 2

                    Let’s go our Switch Sw3 now and do a nearly identical Configuration but the difference is let’s make Switch Sw3 a Client Mode Switch, we going to go to Global Configuration Mode and let’s set the VTP mode to Client
Ø  Sw3(config)#vtp mode client
Ø  Sw3(config)#vtp domain VTPDEMO
Ø  Sw3(config)vtp password S3cret
                     Let’s go back to Switch Sw1 and create a new Vlan and see that i newly created Vlan gets advertised over to Switches Sw2 and Sw3, let’s go to Global Configuration Mode and say
Ø  Sw1(config)#vlan 300
Ø  Sw1(config-vlan)#name VTP_TEST
Ø  Sw1(config-vlan)#exit
Now take a look at our local Vlan database
Ø  Sw1#show vlan brief
                       And we can see that we have Vlan’s 100, 200 and 300 that we created, no surprise that Vlan 300 is showing up because we created on this Switch
Let’s also see for our Configuration Revision Number got incremented when we did that.
Ø  Sw1#show vtp status
                    And just a movement ago our Configuration Revision number was 1, now it’s 2 we added a Vlan and that incremented the Configuration Revision Number by 1, let’s make sure that the Switches Sw2 and Sw3 know about the this newly created Vlan 300 (VTP_TEST)
Let’s go over Switch Sw2 and do a
Ø  Sw2#show vlan brief
Yes, indeed it have learned about Vlan 300 and if we do a
Ø  Sw2#show vtp status
                         We should see a matching Configuration Revision Number of 2, we should see something very similar on Sw3, let’s do a
Ø  Sw3#show vlan brief
And we do see the newly created Vlan of 300 and if we do
Ø  Sw3#show vtp status
                        We have now confirmed that thanks to VTP, we are able to create a Vlan on One Switch and have that Vlan propagated to the other Switches and now let’s think about that Configuration Revision Number, let’s say that i disconnected Switch Sw2 from this topology when Switch Sw2 disconnected, i added some Vlans, deleting some Vlans and i modified some Vlans maybe, each time i made a change the Configuration Revision Number One up it got incremented by One, for every change i made, now what would happened if i reintroduced that Switch into the topology
Ø  it’s has matching Domain Name
Ø  it’s got matching Password which means that it’s higher Configuration Revision number would make its Vlan Database to most believable Vlan database all of the Switches in the topology
                         And in the Vlan Databases are Switches Sw1 and Sw3 they would be wiped out and replaced with this newly learned Vlan information from Switch Sw2, we might do that accidently however, we might have a malicious user who did such a thing intentionally which is the big reason that we want to have a Password assign to our VTP Domain, the moral of the story is we need to be an extremely conscious when we introducing the Switch into our topology, the safest thing to do is to set the Configuration Revision Number for Switch that you about to add to a topology, to set that Configuration Revision number to 0 however, there is a lot of confusion about how that works and i wanted to demonstrated for you.
                 Now what i am going to do is disconnecting the Switch Sw2 from Sw1, i am gonna disconnect that Trunk connection and i am gonna make some changes on it, so did it has the higher Configuration Revision Number, after i disconnected Switch Sw2, i made some changes to its Vlan Database notice that if i do a
Ø  Sw2#show vtp status
It’s Configuration Revision Number of 7 and if i take a look my Vlan database, let’s do that a
Ø  Sw2#show vlan brief
                    You will see that i didn’t have any longer a Vlan 100,200,300 but i have got couple of new Vlans that i just been adding or been playing with this on my desk let say, that’s what the Vlan Database currently looks like for Switch Sw2 but it’s disconnected so we good if i go back to Switch Sw1 and do a
Ø  Sw1#show vtp status
                You can see that it’s Configuration Revision Number is a 2, it’s much lower than the what we have on a Sw2 and if i take a look at the Vlan Database, we do a
Ø  Sw1#show vlan brief
                          We have the Vlans that we had a few movement ago, 100, 200 and 300 and let’s say that after experimenting with Switch Sw2 and trying a few things maybe upgrading the Cisco iOS on a Switch, i am ready to reintroduce this Switch Sw2 into my topology.
                        Let’s say that i know about VTP and i know that with this higher Configuration Revision Number of 7, i would blow away the existing Vlan Databases on my Switches, here is common misconception many people think, to prevent that happening i just set the Switch to Client mode and please make sure that i am saying this is a misconception setting this to Client Mode is not a solution, i am about to prove that to you but some people would mistakenly say
Ø  Sw2(config)#vtp mode client
What harm could client do, well we set the mode to a Client but if we take a look at VTP status using
Ø  Sw2#show vtp status
                       That didn’t reset my configuration Revision Number but i am client what harm could it do, let’s reconnect Switch Sw2 back into the Network. I have now reconnected Switch Sw2 to the network, let’s go over to Switch Sw1 and see if anything changed on Switch Sw1.
Ø  Sw1#show vlan brief
                    Oh no! what happened Switch Sw1 had its Vlan Database blown away, we are now missing Vlans 100 and 200 and 300, now we have these 200 Odd Vlans that we didn’t want, Vlans 400 and 500, what happened was we introduce Switch Sw2 on the network, it had a matching Domain Name, it had a matching Password and it had a higher Configuration Revision number and it wiped out the Vlan Databases on Switch Sw1 and SW3, let’s confirm that on Sw3
Ø  Sw3#show vlan brief
                         Same problem here, we have done some serious damage and i don’t want you to do that accidently in a production network, so the question is how do we fix this?
How do we safely add a Switch into the topology, well we would like to have the Configuration Revision Number set to a 0, i am gonna go over and disconnect Switch Sw2 again, and with it disconnected, i am going to repair our Vlan Databases on Switch Sw1 and Sw3, let’s go to Switch Sw1 and let’s delete Vlan 400 and 500
Ø  Sw1(config)#no vlan 400
Ø  Sw1(config)#no vlan 500
Let’s put back the Vlan we originally had, we had
Ø  Sw1(config)#vlan 100
Ø  Sw1(config-vlan)#name ACCT
Ø  Sw1(config-vlan)#exit

Ø  Sw1(config)#vlan 200
Ø  Sw1(config-vlan)#name SALES
Ø  Sw1(config-vlan)#exit

Ø  Sw1(config)#vlan 300
Ø  Sw1(config-vlan)#name VTP_TEST
Ø  Sw1(config-vlan)#exit
Ø  Sw1#show vlan brief
                    That looks better, has this been advertised over to Switch Sw3, it should have been let just confirm that, let do a
Sw3#show vlan brief 
                      Things are looking happy here as well, now back to Switch Sw2, Switch Sw2 is now been disconnected from Sw1, before introducing the Switch into the network, let’s make Configuration Revision Number 0. How do we do that, setting it to Client mode didn’t help because a Client Mode Switch can originate and did originate VTP advertisements, how do we set this to 0?
We toggle on and off Transparent Mode here what I mean, let’s go to Global Configuration Mode in Sw2
Ø  Sw2#vtp mode transparent
And in transparent mode, let’s take a look at our VTP status.
Ø  Sw2#show vtp status
               Our Configuration Revision Number is 0, interestingly is, and now i can put it back to something else, i could set it back to Server if i wanted to
Ø  Sw2#vtp mode server
                      If we look at our VTP status the Configuration Revision Number remains at 0, until we start making changes to Vlan Database then it would go up by 1 but now a Server Mode Switch and my Configuration Revision Number is 0, it’s now safe to add this back into the network.
                Some people like to take this step beyond this, beyond just setting the Configuration Revision Number to a 0 some people like to also wipe out the Vlan Database on a Switch before they added to the network, if you did wanna do that remember that Vlan Database is stored in a separate file in our Flash it’s called vlan.dat
We can just delete that, if we want, we could say
Ø  Sw2#delete flash:vlan.dat
                   After pressing the Enter it’s gonna be safe to reconnect Switch Sw2 to the network and it’s safe not because we delete the vlan.dat file it’s safe because my Configuration Revision number is 0 let’s reconnect it
                  Switch Sw2 is now been reconnected to the network and we introduced it to safely because we had Configuration Revision number of 0 on that Switch let’s see what its current VTP status is
Ø  Sw2#show vtp status
                 Look at this its Configuration Revision Number went from a 0 up to 12, it now knows about the Vlans in our topology we can prove that with a
Ø  Sw2#show vlan brief
                  It knows about Vlan 100,200 and 300, it no longer knows about 400 and 500 we introduced the Switch with the Configuration Revision Number of 0 and as a result we learned from a Switch Sw1 what the Vlan Database should look like for this topology.
That’s the look at how to Configure VTP and how we could safely add a Switch into an existing Switch topology

Join me on next session about Voice Vlan Theory

                     If You Like the Post. Don’t forget 
            to “Subscribe/Share/Comment”. Thank You.
Read More