Table of contents
- 0. CCNA Exam Questions
- 4. Features in CISCO switches
3rd Lesson - CCNA Fast Track (May 20, 2025). We left off at page 43.
0. CCNA Exam Questions
- How many default VLANs are in a normal switch?
Ans: 5 (VLAN 1, VLAN 1002, VLAN 1003, VLAN 1004, VLAN 1005); these cannot be deleted.
- What should one do when there are unused ports? (2 steps)
Ans: Those ports should be shut down and assigned to an unused VLAN (we can create an unused VLAN for this purpose). Otherwise they are a cybersecurity risk.
During the CCNA practical exam, please verify after you configure!!
- MC will ask about native VLAN mismatch; how do we tackle this issue?
Ans: 2 answers, both work. Either merge (configure the left and right native VLANs as the same VLAN) or let spanning tree block both VLANs on the link together!
- Need to learn to check trunk links!
Ans: using
```
switchport trunk encapsulation dot1q
switchport mode trunk
switchport trunk native vlan 1
```
- InterVLAN will be tested as MC! Q: Why do we need InterVLAN when we have VLAN 1 and VLAN 2?
Ans: Because we keep the 3 benefits of VLANs while still allowing VLAN 1 and VLAN 2 to communicate via L3 InterVLAN routing!
- DTP (Dynamic Trunking Protocol) will be tested in MC: likely the DTP switchport modes.
- The exam will cover a lab on EtherChannel: bundling >= 2 links into one big logical channel.
- CDP will be tested: what device information is visible in CDP?
- Ans: Native VLAN, Device ID, Capability (Router/Switch), Port ID, IP Address, Platform (model), IOS version…
4. Features in CISCO switches
4.3 Default VLAN
- Showing the default VLANs with
sh vlan
```
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi0/0, Gi0/1, Gi0/2, Gi0/3
                                                Gi1/0, Gi1/1, Gi1/2, Gi1/3
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup
. . .
```
- The 8 ports are all under VLAN 1.
- The only usable VLAN is VLAN1 for now.
- VLAN has 2 different ranges:
- VLAN 1-1005 = Normal Range
- VLAN 1006-4094 = Extended Range
4.3.2 VLAN Configuration
- Practice 1: Create VLAN 2 and assign g0/2 to VLAN 2!
- Step 1: Create VLAN 2 on Switch 1 via
vlan 2
which takes you to VLAN configuration mode; then change the name with
name Accounting
```
en
config t
vlan 2
name Accounting
end
```
- Step 2: Assign switch port g0/2 to VLAN 2 via
int g0/2
which enters interface config mode; then modify the switch port setting and assign it to VLAN 2 with
switchport access vlan 2
```
en
config t
int g0/2
switchport access vlan 2
end
```
- Step 3: Verify with
sh vlan
```
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi0/0, Gi0/1, Gi0/3, Gi1/0
                                                Gi1/1, Gi1/2, Gi1/3
2    Accounting                       active    Gi0/2    <============ NICEEEE
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup
. . .
```
! Done !
- Practice 2: Configuring multiple switch ports?
- Ans: do these 2 things
- Step 1: select the ports with
int range g0/1-3
or
int range g0/1, g0/3
These two expressions both work.
- Step 2:
switchport access vlan 2
4.3.3 VLAN Trunk!! (VERY IMPORTANT!)
- Important:
- A VLAN trunk can handle and forward the frames of all VLANs, i.e. all VLAN traffic, through one single connection.
- If VLAN trunks didn’t exist, every new VLAN would need a new switch port (and cable) between switches; the number of cables would become unmanageable in the long run. Hence, use VLAN trunks!
- Trunk ports add VLAN information (a VLAN tag) to the forwarded data frame.
When do we use a tag? Ans: the data frames of all non-native VLANs are tagged!
- Two trunk protocols:
- IEEE: 802.1Q (dot1q)
- ISL: Inter-Switch Link (Cisco proprietary)
- Native VLAN: the default is VLAN 1. However, the native VLAN can be set by specifying a VLAN ID during trunk port configuration.
- Adding VLAN information to data frames is done under this protocol: IEEE 802.1Q or 802.1q encapsulation (dot1q)
- Please note! You MUST configure the same native VLAN on the trunk ports on both sides of the connection!!! Otherwise: Native VLAN Mismatch!!!
- Refer to this diagram for a VLAN example
- Native VLAN mismatch:
- You’ll see this in the log:
```
Switch1# %CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on GigabitEthernet1/2 (8), with Switch2 GigabitEthernet1/2 (99).
```
- Diagram of the VLAN mismatch
- Meaning VLAN 7 and VLAN 88 are clashing since they’re both configured as the native VLAN in their own respective trunks!
- Practice 3: Configure a VLAN trunk (IEEE 802.1q) between Switch 1 and Switch 2 on g1/2. The native VLAN is the default, VLAN 1. Also verify the VLAN status on Switch 1.
- Configure switch 1:
```
en
config t
int g1/2
switchport trunk encapsulation dot1q
switchport mode trunk
switchport trunk native vlan 1
end
```
switchport trunk encapsulation dot1q
: sets the encapsulation, i.e. the trunk port uses dot1q
switchport mode trunk
: configures the port as a trunk port
switchport trunk native vlan 1
: sets the native VLAN to VLAN 1 (optional command, since the default is VLAN 1)
- Configure switch 2:
```
en
config t
int g1/2
switchport trunk encapsulation dot1q
switchport mode trunk
end
```
- Verify switch 1:
show int trunk
(= shows info on all trunk ports)
- The trunk encapsulation of the trunk shows 802.1q
- The native VLAN of the trunk is VLAN 1
- VLANs 1-4094 can be sent over the trunk (the Cisco default allows all VLANs 1-4094) (the VLAN ID is a 12-bit field, so values go up to 4095)
```
Port        Mode         Encapsulation  Status        Native vlan
Gi1/2       on           802.1q         trunking      1

Port        Vlans allowed on trunk
Gi1/2       1-4094
. . .
```
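As an added example (not code from the course notes), the following Python check compares both switches' show interfaces trunk output for a native VLAN mismatch and parses the CDP syslog line quoted above; the two sample outputs and the cabling map between the switches are constructed for the example.

```python
import re

# Added example, not from the course notes: compare both switches' `show interfaces trunk`
# output for a native VLAN mismatch and parse the CDP syslog line quoted above.
# The two sample outputs and the cabling map between the switches are constructed.
SWITCH1_TRUNK = """\
Port        Mode         Encapsulation  Status        Native vlan
Gi1/2       on           802.1q         trunking      1
Gi1/3       on           802.1q         trunking      8

Port        Vlans allowed on trunk
Gi1/2       1-4094
Gi1/3       1-4094
"""
SWITCH2_TRUNK = """\
Port        Mode         Encapsulation  Status        Native vlan
Gi1/2       on           802.1q         trunking      1
Gi1/3       on           802.1q         trunking      99
"""
LINKS = {"Gi1/2": "Gi1/2", "Gi1/3": "Gi1/3"}  # Switch1 port -> Switch2 port it is cabled to
MISMATCH_LOG = ("%CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on "
                "GigabitEthernet1/2 (8), with Switch2 GigabitEthernet1/2 (99).")

# A row of the first table: Port Mode Encapsulation Status Native-vlan (the header ends in
# "vlan" and the "Vlans allowed" table has two columns, so neither matches this pattern)
TRUNK_ROW = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")
LOG_RE = re.compile(r"NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on (\S+) \((\d+)\), "
                    r"with (\S+) (\S+) \((\d+)\)")


def parse_trunks(show_output):
    """Map each trunk port to its encapsulation, status and native VLAN."""
    trunks = {}
    for line in show_output.splitlines():
        m = TRUNK_ROW.match(line)
        if m:
            port, _mode, encap, status, native = m.groups()
            trunks[port] = {"encap": encap, "status": status, "native": int(native)}
    return trunks


def native_vlan_mismatches(local, remote, links):
    """(local_port, local_native, remote_port, remote_native) for each cabled pair that disagrees."""
    findings = []
    for lport, rport in links.items():
        if lport in local and rport in remote and local[lport]["native"] != remote[rport]["native"]:
            findings.append((lport, local[lport]["native"], rport, remote[rport]["native"]))
    return findings


def parse_mismatch_log(line):
    """Local interface/native VLAN and peer device/interface/native VLAN from the syslog line."""
    m = LOG_RE.search(line)
    if not m:
        return None
    local_if, local_vlan, peer, peer_if, peer_vlan = m.groups()
    return {"local_if": local_if, "local_vlan": int(local_vlan),
            "peer": peer, "peer_if": peer_if, "peer_vlan": int(peer_vlan)}


if __name__ == "__main__":
    s1, s2 = parse_trunks(SWITCH1_TRUNK), parse_trunks(SWITCH2_TRUNK)
    for lp, ln, rp, rn in native_vlan_mismatches(s1, s2, LINKS):
        print(f"native VLAN mismatch: Switch1 {lp} (native {ln}) <-> Switch2 {rp} (native {rn})")
    print(parse_mismatch_log(MISMATCH_LOG))
```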
- Practice 4: Configure multiple native VLANs for multiple
- Command:
switchport trunk allowed vlan
to define all allowed VLANs on the trunk link.
```
en
config t
int g1/2
switchport trunk encapsulation dot1q
switchport mode trunk
switchport trunk allowed vlan 1,3-4
int g1/3
switchport trunk encapsulation dot1q
switchport mode trunk
switchport trunk allowed vlan 2
end
```
- Verify the switchport!
show interfaces g1/2 switchport
```
Name: Gi1/2
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Admin...: ...
Operational Trunking Encapsulation: dot1q
. . .
```
- Verify the VLANs!
show vlan brief
(shows only the top part with the VLAN descriptions) as opposed to
show vlan
- Notice! Gi1/2 (or g1/2) is removed from the port list since a trunk port BELONGS TO ALL VLANs (not just one single VLAN)
```
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi0/0, Gi0/1, Gi0/3, Gi1/0
                                                Gi1/1, Gi1/3
2    Accounting                       active    Gi0/2
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup
. .
```
4.3.5 IMPORTANT: InterVLAN Routing
- At L2, different VLANs cannot communicate, but with L3 / IP routing it’s possible; we call this method InterVLAN routing!
- This is how InterVLAN works:
4.3.6 Other VLAN and Trunk related features
4.3.6.1 Important: DTP concepts
- DTP = Dynamic Trunking Protocol (Cisco proprietary)
- DTP allows negotiation (via DTP messages) between 2 switches and decides whether a trunk link should be formed!
- There are 4 different DTP switchport modes:
- switchport mode trunk
= permanently performing trunking (Compatible modes: ALL but access)
- switchport mode dynamic desirable
= actively requesting trunking (Compatible modes: ALL but access)
- switchport mode dynamic auto
= willing to passively perform trunking (Compatible modes: ALL but access and dynamic auto)
- switchport mode access
= permanently NOT performing trunking (Compatible modes: None)
- Verify the trunk mode with
show interface trunk
- If both switch port modes are access, there are a few possibilities other than just no trunk being formed…
- other issues…
- To solve it: set up the native VLAN to resolve this issue! (out of syllabus)
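As an added example (not code from the course notes), the DTP compatibility table above expressed as a Python function, together with a helper that reads the administrative mode out of show interfaces <if> switchport output; the two sample outputs are constructed and show the classic failure case, both sides in dynamic auto.

```python
# Added example, not from the course notes: the DTP compatibility table above as code,
# plus a helper that reads the administrative mode out of `show interfaces <if> switchport`.
# The sample outputs below are constructed.
DTP_MODES = ("trunk", "dynamic desirable", "dynamic auto", "access")

SWITCH1_G1_2 = """\
Name: Gi1/2
Switchport: Enabled
Administrative Mode: dynamic auto
Operational Mode: static access
Administrative Trunking Encapsulation: dot1q
"""
SWITCH2_G1_2 = """\
Name: Gi1/2
Switchport: Enabled
Administrative Mode: dynamic auto
Operational Mode: static access
Administrative Trunking Encapsulation: dot1q
"""


def admin_mode(show_switchport_output):
    """Return the value of the 'Administrative Mode:' line, or None if it is absent."""
    for line in show_switchport_output.splitlines():
        if line.startswith("Administrative Mode:"):
            return line.split(":", 1)[1].strip()
    return None


def forms_trunk(mode_a, mode_b):
    """Does a trunk form between two directly connected ports in these DTP modes?
    From the table above: access is compatible with nothing; dynamic auto only waits,
    so two dynamic auto ports never trunk; trunk and dynamic desirable both initiate."""
    for mode in (mode_a, mode_b):
        if mode not in DTP_MODES:
            raise ValueError(f"unknown DTP mode: {mode!r}")
    if "access" in (mode_a, mode_b):
        return False
    if mode_a == "dynamic auto" and mode_b == "dynamic auto":
        return False
    return True


def explain(mode_a, mode_b):
    """Human-readable verdict for a pair of modes, naming the failure cases."""
    if forms_trunk(mode_a, mode_b):
        return "trunk forms"
    if mode_a == "dynamic auto" and mode_b == "dynamic auto":
        return "no trunk: both sides are dynamic auto, so neither sends a DTP request"
    return "no trunk: an access port never trunks"


def compatibility_matrix():
    """All 16 combinations, matching the 'Compatible modes' column of the notes."""
    return {(a, b): forms_trunk(a, b) for a in DTP_MODES for b in DTP_MODES}


if __name__ == "__main__":
    a, b = admin_mode(SWITCH1_G1_2), admin_mode(SWITCH2_G1_2)
    print(f"Switch1 {a!r} <-> Switch2 {b!r}: {explain(a, b)}")
    for (x, y), ok in sorted(compatibility_matrix().items()):
        print(f"{x:18} {y:18} {'trunk' if ok else '-'}")
```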
4.3.6.2 Important: VTP concepts
- Important concepts:
- A trunk link must be set up before VTP can be used.
- VTP MUST be propagated via trunk links within the same domain (set the same domain with
vtp domain SysDomain
)
- VTP can propagate VLAN info (VLAN ID, VLAN name) automatically via trunk links to all switches as long as they are in the same domain
- VTP guarantees that the same VLANs are set across all switches in the network (passwords must be the same too)
- 3 modes of VTP:
- Server Mode: Will attempt to affect other switches by taking charge of sending VTP messages
- Configuring Server Mode:
vtp mode server
```
en
config t
vtp domain SysDomain
vtp mode server
vtp password ccna
vlan 2
name Accounting
end
```
- Client Mode: Passes on VTP messages but cannot initiate removal/adding of VLANs
- Configuring Client Mode:
vtp mode client
```
en
config t
vtp domain SysDomain
vtp mode client
vtp password ccna
exit
```
- Transparent Mode: Can remove/add VLANs but doesn’t join in the fun; it only passes on VTP messages
- Configuring Transparent Mode:
vtp mode transparent
```
en
config t
vtp domain SysDomain
vtp mode transparent
vtp password ccna
end
```
- Note: If we want to set another switch to server mode… we don’t have to create another VLAN like
vlan 2
4.4 EtherChannel
4.4.1 Overview
- EtherChannel = aggregating >= 2 Ethernet connections into 1 (i.e. 4 * 1 Gb = 4 Gb)
- To ensure stability of the group, the individual physical links work best at the same speed + same duplex mode
- Layer 2 (trunk / VLAN & cannot set an IP) vs Layer 3 (can set an IP, mainly for routing)
4.4.2 Configuring L2 EtherChannel (Lab)
- Topology of the design of the EtherChannel configuration
- Step 1: Switch on the left = Switch 1: reset the ports to default status
```
en
config t
default interface g1/2
default interface g1/3
end
```
- Clean up / reset switch ports to default with
default interface g1/2
- Step 2: Bundle the 2 switch ports
int <switch ports>
then
channel-group 1 mode active
```
en
config t
int range g1/2-3
channel-group 1 mode active    <-------- the 2 ports will send LACP messages requesting to form an EtherChannel
end
```
Note:
active
here means LACP is active, allowing the 2 switches to negotiate whether an EtherChannel should be constructed. LACP is the IEEE 802.3ad protocol, so it’s also available on non-Cisco devices.
- There are 2 LACP modes:
active
and
passive
active
: an LACP packet is sent by the port requesting to form an EtherChannel
passive
: the port accepts the EtherChannel request when it receives an LACP request. An LACP confirmation packet is sent ONLY IF the other side sends an LACP request packet. Don’t think too hard… just "LACP messages" is okay
- Out of syllabus: Cisco proprietary protocol (PAgP)
- ……….. later ….. (on page 54)
- Step 3: Don’t forget to configure the other switch!! This switch will take the
passive
mode for its ports
```
en
config t
default interface g1/2
default interface g1/3
int range g1/2-3
channel-group 1 mode passive
end
```
- Step 4: Sanity check and verify!!
- In the left switch: use
show etherchannel summary
This command shows an easy-to-read output with all the port-channel interfaces, the negotiation protocol, the number of member ports, and their status.
- You should see a summary like this:
```
Flags:  D - down        ...
        S - layer 2     P - bundled in port channel
        M - not in use, minimum links not met
        m - not in use, port not aggregated due to minimum links not met

Number of channel-groups in use: 1
Number of aggregators:           1

Group  Port-channel  Protocol    Ports
------+-------------+-----------+------------------------------------------------
1      Po1(SU)         LACP      Gi1/2(P)    Gi1/3(P)
```
- If you see
(SD)
then it’s down; if you see
(SU)
then it’s up.
- Step 5: Check the LACP passive and active modes
- Verify in switch 1:
show lacp neighbor
(SP)
means the neighbor is configured in LACP passive mode.
- result:
```
Flags:  S - Device is requesting slow LACPDUs
        F - Device is requesting fast LACPDUs
        A - Device is in Active Mode       P - Device is in Passive Mode

Channel Group 1 neighbors

Partners information:
                  LACP Port                        Admin  Oper   Port    Port
Port      Flags   Priority  Dev ID          Age    key    Key    Number  State
Gi 1/2    SP      32768     5001.0004.8000  12s    0x0    0x1    0x103   0x3C
Gi 1/3    SP      32768     5001.0004.8000  12s    0x0    0x1    0x103   0x3C
```
- Verify in switch 2:
show lacp neighbor
(SA)
means the neighbor is configured in LACP active mode.
- result:
```
Flags:  S - Device is requesting slow LACPDUs
        F - Device is requesting fast LACPDUs
        A - Device is in Active Mode       P - Device is in Passive Mode

Channel Group 1 neighbors

Partners information:
                  LACP Port                        Admin  Oper   Port    Port
Port      Flags   Priority  Dev ID          Age    key    Key    Number  State
Gi 1/2    SA      32768     5001.0005.8000  19s    0x0    0x1    0x103   0x3C
Gi 1/3    SA      32768     5001.0005.8000  19s    0x0    0x1    0x103   0x3C
```
- Step 6: Check the new EtherChannel with the command
sh int po1
Note: both the port-channel and the line protocol need to be up together!!
```
Port-channel1 is up, line protocol is up (connected)
  Hardware is EtherChannel, address is .... omitted the rest ...
```
- The EtherChannel is formed, hence the logical interface Po1 is “up” here.
- Step 7: Further verify the EtherChannel with spanning tree using
sh spanning-tree
```
VLAN0001
  Spanning tree enabled protocol rstp
  Root ID    Priority    32769      (Default for VLAN is 32768)
             Address     5001.0004.0000
             This bridge is the root     (sometimes this gets covered up in the exam)
             Hello Time  ...

  Bridge ID  Priority    32769
             Address     5001.0004.0000
             Hello Time  ...

Interface
--------------------
Gi0/0
Gi0/1
Gi0/2
Gi0/3
Gi1/0
Gi1/1
. . .
Po1
```
- Note these findings:
- g1/2 and g1/3 are no longer shown (since they are bundled by the EtherChannel)
- A single interface called Po1 is shown (has 1+1 Gb = a total of 2 Gb of speed)
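As an added example (not code from the course notes), a Python parser for the show etherchannel summary and show lacp neighbor outputs used in Steps 4 and 5 above, which flags a channel that is not up and a port pair where both ends are LACP passive (so nobody sends the request); the sample outputs are constructed for the example.

```python
import re

# Added example, not from the course notes: parse `show etherchannel summary` and
# `show lacp neighbor` (Steps 4 and 5 above) and flag a channel that is not up or whose
# ends cannot negotiate. The sample outputs are constructed for this example.
ETHERCHANNEL_SUMMARY = """\
Flags:  D - down        P - bundled in port-channel
        S - Layer2      U - in use

Number of channel-groups in use: 1
Number of aggregators:           1

Group  Port-channel  Protocol    Ports
------+-------------+-----------+------------------------------------------------
1      Po1(SD)         LACP      Gi1/2(I)    Gi1/3(I)
"""
# `show lacp neighbor` on each switch lists the partner's flags: A = active, P = passive.
SWITCH1_LACP = """\
Port      Flags   Priority  Dev ID          Age   key    Key    Number  State
Gi1/2     SP      32768     5001.0004.8000  12s   0x0    0x1    0x103   0x3C
Gi1/3     SP      32768     5001.0004.8000  12s   0x0    0x1    0x103   0x3C
"""
SWITCH2_LACP = """\
Port      Flags   Priority  Dev ID          Age   key    Key    Number  State
Gi1/2     SP      32768     5001.0005.8000  19s   0x0    0x1    0x103   0x3C
Gi1/3     SP      32768     5001.0005.8000  19s   0x0    0x1    0x103   0x3C
"""

GROUP_ROW = re.compile(r"^(\d+)\s+(Po\d+)\(([A-Za-z]+)\)\s+(\S+)\s+(.*)$")
MEMBER = re.compile(r"(\S+?)\(([A-Za-z]+)\)")
LACP_ROW = re.compile(r"^(\S+)\s+([SFAP]+)\s+\d+\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})")


def parse_etherchannel_summary(text):
    """Map each Port-channel to its flags, protocol and {member port: flag}."""
    groups = {}
    for line in text.splitlines():
        m = GROUP_ROW.match(line)
        if m:
            _grp, po, flags, proto, ports = m.groups()
            groups[po] = {"flags": flags, "protocol": proto, "members": dict(MEMBER.findall(ports))}
    return groups


def partner_modes(lacp_neighbor_text):
    """Map local port -> partner's LACP mode ('active'/'passive') from `show lacp neighbor`."""
    modes = {}
    for line in lacp_neighbor_text.splitlines():
        m = LACP_ROW.match(line)
        if m:
            port, flags, _dev_id = m.groups()
            modes[port] = "active" if "A" in flags else "passive"
    return modes


def etherchannel_problems(summary, sw1_lacp, sw2_lacp):
    """Channel not in use (no 'U' flag), members not bundled ('P'), and port pairs where
    both partners are passive, so no LACP request is ever sent."""
    problems = []
    for po, info in summary.items():
        if "U" not in info["flags"]:
            problems.append(f"{po} is not in use (flags {info['flags']})")
        for port, flag in info["members"].items():
            if flag != "P":
                problems.append(f"{po}: {port} not bundled (flag {flag})")
    for port in sorted(set(sw1_lacp) & set(sw2_lacp)):
        if sw1_lacp[port] == "passive" and sw2_lacp[port] == "passive":
            problems.append(f"{port}: both ends passive, nobody requests the channel")
    return problems


if __name__ == "__main__":
    summary = parse_etherchannel_summary(ETHERCHANNEL_SUMMARY)
    print("\n".join(etherchannel_problems(summary, partner_modes(SWITCH1_LACP), partner_modes(SWITCH2_LACP))))
```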
4.4.x Configuring EtherChannel as a trunk link (assuming the EtherChannel is already formed) (Lab)
- Step 1: Do everything all at once… for Switch1
- Configure a new VLAN, called VLAN 2
- Enter the new EtherChannel interface Po1 (Port-channel 1)
- Encapsulate as an 802.1Q (dot1q) trunk port
- Enable trunk mode
- Assign the trunk to VLAN 2 (VLAN 2 as the native VLAN)
```
en
config t
vlan 2
name Accounting
exit
int Po1
switchport trunk encapsulation dot1q
switchport mode trunk
switchport trunk native vlan 2
end
```
- Step 2: Repeat the same setup for Switch2
```
en
config t
vlan 2
name Accounting
exit
int Po1
switchport trunk encapsulation dot1q
switchport mode trunk
switchport trunk native vlan 2
end
```
- Step 3: Please verify with
sh int trunk
- If you see this, Port-channel 1 has native VLAN 2 and is successfully configured as an IEEE 802.1Q trunk link
```
Port        Mode         Encapsulation  Status        Native vlan
Po1         on           802.1q         trunking      2

Port        Vlans allowed on trunk
Po1         1-4094
. . .
```
4.4.3 Configuring L3 EtherChannel
- Idea: L3 EtherChannel = L2 EtherChannel + IP address [Syll 1.1.b]
- Step 1: Configure Switch 1
```
config t
hostname Switch1
int range g1/2-3
channel-group 1 mode active
exit
int po1
no switchport
ip address 172.16.0.1 255.255.0.0
end
```
no switchport
: configures the port as an L3 port / routed port. (The IP 172.16.0.1 can be …)
- Step 2: Configure Switch 2 (same commands, with its own hostname and the second address of the subnet)
```
config t
hostname Switch2
int range g1/2-3
channel-group 1 mode active
exit
int po1
no switchport
ip address 172.16.0.2 255.255.0.0
end
```
- Step 3: Verify that Switch 1 can ping 172.16.0.2, and check with
show etherchannel summary
```
Flags:  D - down        P - bundled in port-channel
        I - stand-alone s - suspended
        H - Hot-standby (LACP only)
        R - Layer3      S - Layer2
        U - in use      N - not in use; no aggregation
        f - failed to allocate aggregator

        M - not in use, minimum links not met
        m - not in use, port not aggregated due to minimum links not met
        u - unsuitable for bundling
        w - waiting to be aggregated
        d - default port

        A - formed by Auto LAG

Number of channel-groups in use: 1
Number of aggregators:           1

Group  Port-channel  Protocol    Ports
------+-------------+-----------+------------------------------------------------
1      Po1(SU)         LACP      Gi1/2(P)    Gi1/3(P)
```
4.4.z New Skills
erase startup-config
= resets the switch without saving the config
reload
–> no
= not saving the config
- if it fails to reload:
```
int range g1/2-3
shut
no shut
```
4.5 Port Security [Syll pt. 5.7]
- Port security can block hosts / MAC addresses that are accessing the LAN
- Why do we need port security? Ans: an attacker can gain access with a hub
- Lab 1: Topology for port security with a router & switch, switchport mode
access
- Step 1: Set up Router 1 (note: the port is int g0/0). Recall that the router port is off by default.
```
en
config t
int g0/0
no shutdown
end
```
- Step 2: Set up Switch 1 (note: the port is int g1/1).
```
config t
int g1/1
switchport mode access
```
switchport mode access
= sets the DTP switchport mode to “access”. Setting it to “access” or “trunk” is required to enable port security later
- Step 3: Set up port security on switch 1 (still in interface config mode for g1/1)
```
switchport port-security maximum 1
switchport port-security mac-address 0000.1111.1111
switchport port-security violation shutdown
switchport port-security
end
```
switchport port-security maximum 1
= sets the maximum number of MAC addresses to 1 (the default is already 1)
switchport port-security mac-address 0000.1111.1111
= the allowed MAC address
switchport port-security violation shutdown
= sets the violation action. Currently it’s “shutdown”
- There are a total of 3 different violation actions:
shutdown
= “error-disable”: the port is err-disabled, logs are displayed, and the violation counter increases.
restrict
= violating frames are dropped, logs are displayed, and the violation counter increases.
protect
= violating frames are dropped, NO logs are displayed, and the violation counter does NOT increase.
switchport port-security
= starts up port security
- Step 4: Let’s check Switch 1 and verify that the router’s MAC address is blocked. Need to wait a bit.
```
*Mar 1 16:20:18.376: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 50001.0001.0000 on port GigabitEthernet1/1.
. . .
*Mar 1 16:20:18.376: %LINK-3-UPDOWN: Interface GigabitEthernet1/1, changed state to down.
```
- Recap: we allowed
0000.1111.1111
to be white-listed in Switch1, but Router1 is sending
50001.0001.0000
as seen in the log! Hence the frame is dropped and the port is shut down!
- Step 5: Verify that the port is down due to port security with 3 different commands
show int g1/1
/
show port-security
/
show port-security interface g1/1
Nice, now we can verify g1/1 is down
- Method 1:
show int g1/1
```
GigabitEthernet1/1 is down, line protocol is down (err-disabled)
```
- Method 2:
show port-security
```
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
      Gi1/1              1            1                  1         Shutdown
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 0
Max Addresses limit in System (excluding one mac per port) : 4096
```
Notice: SecurityViolation has now increased to 1
- Method 3:
show port-security interface g1/1
```
Port Security              : Enabled
Port Status                : Secure-shutdown
Violation Mode             : Shutdown
Aging Time                 : 0 mins    <--- means no aging is configured; with an aging time set, the protected/configured MAC address (0000.1111.1111) is deleted after the aging time
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 1         <---- there is one address that is protected, but it never shows up here
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 50001.0001.000:1    <------ this is our attacker
Security Violation Count   : 1
```
Note: if aging time = 10 mins, the SOLE MAC address will only be protected for 10 mins
- Step 6: Clean up, reset all the ports to default status!
- Idea: clear all the port security configs!
```
config t
default interface g1/1    <--- resetting port g1/1
int g1/1
shutdown                  <--- remember to shut and no shut due to err-disable from port security. The port is re-enabled this way.
no shutdown
end
show port-security interface g1/1
```
- The report now looks like this:
```
Port      Name               Status       Vlan       Duplex  Speed Type
Gi1/1                        connected    1          a-full   auto RJ45
```
- Lab 2: Topology for port security with a router & switch, port-security violation mode
protect
- Step 1: Do not hard-code the MAC address, and set the violation mode to
protect
```
config t
int g1/1
switchport mode access
switchport port-security maximum 1
switchport port-security mac-address sticky    <---- the MAC address is not hard coded ~ any MAC address that comes this way is entered into the port config automatically
switchport port-security violation protect
switchport port-security
end
```
- Step 2: Verify that Router1’s MAC address has been picked up by port security successfully, with
sh run int g1/1
```
Building configuration...

Current configuration : 253 bytes
!
interface GigabitEthernet1/1
 switchport mode access
 switchport port-security violation protect
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 5001.0001.0000
 switchport port-security
 negotiation auto
end
```
- Step 3: Verify the port security for the sticky MAC address
sh port-security interface g1/1
- Violation mode is “protect”
```
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Protect
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 1
Last Source Address:Vlan   : 50001.0001.000:1
Security Violation Count   : 0
```
Notes: unknown MAC addresses will be dropped and the security violation count will not increase
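As an added example (not code from the course notes), a Python parser for the show port-security interface output of Lab 1 and Lab 2 above and for the PSECURE_VIOLATION syslog line, turning them into findings a defender would act on (err-disabled port, silent drops in protect mode, no aging); the sample outputs are constructed to mirror the two labs and the MAC address is made up.

```python
import re

# Added example, not from the course notes: turn `show port-security interface <if>` output
# (Lab 1 and Lab 2 above) and the PSECURE_VIOLATION syslog line into findings. The sample
# outputs are constructed to mirror the two labs and the MAC address is made up.
LAB1_SHUTDOWN = """\
Port Security              : Enabled
Port Status                : Secure-shutdown
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 1
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 5001.0001.0000:1
Security Violation Count   : 1
"""
LAB2_PROTECT = """\
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Protect
Aging Time                 : 0 mins
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 1
Last Source Address:Vlan   : 5001.0001.0000:1
Security Violation Count   : 0
"""
VIOLATION_LOG = ("*Mar 1 16:20:18.376: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation "
                 "occurred, caused by MAC address 5001.0001.0000 on port GigabitEthernet1/1.")

FIELD = re.compile(r"^(.+?)\s+:\s+(.*)$")  # key and value are separated by a padded colon
VIOLATION_RE = re.compile(r"PSECURE_VIOLATION: .*caused by MAC address (\S+) on port (\S+)\.")


def parse_port_security(text):
    """Key/value fields of the output; 'Last Source Address:Vlan' keeps its inner colon."""
    fields = {}
    for line in text.splitlines():
        m = FIELD.match(line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields


def assess(fields):
    """What the output means for the port, following the violation-action notes above."""
    mode = fields.get("Violation Mode", "")
    last_mac, _, vlan = fields.get("Last Source Address:Vlan", "").rpartition(":")
    return {
        "err_disabled": fields.get("Port Status") == "Secure-shutdown",
        "violations": int(fields.get("Security Violation Count", "0")),
        "logs_violations": mode in ("Shutdown", "Restrict"),
        # protect drops silently: no log and no counter, so the last source MAC is the only clue
        "silent_drop": mode == "Protect",
        "no_aging": fields.get("Aging Time") == "0 mins",
        "sticky": int(fields.get("Sticky MAC Addresses", "0")),
        "last_mac": last_mac,
        "last_vlan": int(vlan) if vlan.isdigit() else None,
    }


def parse_violation_log(line):
    """(offending MAC, port) from a PSECURE_VIOLATION syslog line, or None for other lines."""
    m = VIOLATION_RE.search(line)
    return (m.group(1), m.group(2)) if m else None
```

Calling assess(parse_port_security(LAB1_SHUTDOWN)) reports the err-disabled port with one logged violation; the Lab 2 output instead reports silent_drop with a zero counter, which is why the protect mode needs the last source address to be checked by hand.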
4.6 CDP & LLDP
- CDP = Cisco proprietary L2 (Data Link Layer) protocol
- LLDP = non-Cisco link layer discovery protocol
4.6.1 CDP = Cisco proprietary L2 Data Link Layer protocol (Cisco Discovery Protocol)
- Some devices don’t support CDP, even Cisco products (including the ASA (Adaptive Security Appliance) and firewall products)
- But MOST devices support CDP
- Use of CDP: allows the user to check neighboring device information! (i.e. Native VLAN (enable the trunk link pls) + Device ID, Capability, Port ID,  IP Address…)
- Note: CDP is on by default
- Note: CDP sends new messages / refreshes every 60 secs
Lab 1: CDP topology from the router’s perspective
- Device information list:
- Device ID: name of the device (e.g. Router1)
- Local Interface: Switch g1/1 is the connection to Router1
- Holdtime: remaining seconds before the entry is cleared. The hold time is 180 s (an entry lives 120-180 s) (CDP messages refresh every 60 s)
- If the holdtime is 0, the record is cleared
- Capability: the device is a Router (R); Source Route Bridge (B) = Broadband Router
- Port ID: Router 1 (yourself) is using g0/0 to Switch1 (the neighbor)
- Step 1: Change the router name and turn the port on
```
config t
hostname Router1
int g0/0
no shut        <-------- recall the router port is off by default~
end
```
- Step 2: Check neighbors with CDP capability with
sh cdp neighbors g1/1
```
Capability codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone,
                  D - Remote, C - CVTA, M - Two-port Mac relay

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
Router           Gig 1/1           134             R B              Gig 0/0
                 <Local Interface: This is the neighbor>             <PortID: This is Yourself>

Total cdp entries displayed : 1
```
- Step 3 will be discussed in lesson 4; there’s another way to check neighbors using CDP
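As an added example (not code from the course notes), a Python parser for the fixed-width show cdp neighbors table from Step 2, which slices each row at the header's column offsets, expands the capability codes, and works out how long ago a neighbor last advertised from the holdtime countdown described above; the sample output is constructed and the platform strings are made-up placeholders.

```python
# Added example, not from the course notes: parse the fixed-width `show cdp neighbors`
# table (Step 2 above) by the header's column positions, expand the capability codes, and
# work out how long ago the neighbor last advertised. The sample output is constructed and
# the platform strings are made-up placeholders.
CDP_OUTPUT = """\
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone,
                  D - Remote, C - CVTA, M - Two-port Mac Relay

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
Switch1          Gig 0/0           134        S I         MODEL-X   Gig 1/1
Router2          Gig 0/1           177        R B         MODEL-Y   Gig 0/0

Total cdp entries displayed : 2
"""

CAPABILITY_CODES = {"R": "Router", "T": "Trans Bridge", "B": "Source Route Bridge",
                    "S": "Switch", "H": "Host", "I": "IGMP", "r": "Repeater",
                    "P": "Phone", "D": "Remote", "C": "CVTA", "M": "Two-port Mac Relay"}
COLUMNS = ("Device ID", "Local Intrfce", "Holdtme", "Capability", "Platform", "Port ID")
DEFAULT_HOLDTIME = 180  # seconds, as in the notes; each advertisement resets the countdown


def parse_cdp_neighbors(text):
    """Slice each neighbor row at the offsets of the column headers (the table is fixed-width)."""
    lines = text.splitlines()
    hdr = next(i for i, line in enumerate(lines) if line.startswith("Device ID"))
    starts = [lines[hdr].index(col) for col in COLUMNS]
    bounds = list(zip(starts, starts[1:] + [None]))
    entries = []
    for line in lines[hdr + 1:]:
        if not line.strip() or line.startswith("Total cdp entries"):
            continue
        fields = dict(zip(COLUMNS, (line[a:b].strip() for a, b in bounds)))
        fields["Holdtme"] = int(fields["Holdtme"])
        fields["Capability"] = [CAPABILITY_CODES.get(c, c) for c in fields["Capability"].split()]
        entries.append(fields)
    return entries


def seconds_since_advertisement(holdtme, holdtime=DEFAULT_HOLDTIME):
    """The holdtime counts down from its configured value, so holdtime - Holdtme is the age."""
    return holdtime - holdtme


def neighbors_by_capability(entries, capability):
    """Device IDs of the neighbors that advertise the given capability name."""
    return [e["Device ID"] for e in entries if capability in e["Capability"]]


if __name__ == "__main__":
    for e in parse_cdp_neighbors(CDP_OUTPUT):
        print(f'{e["Device ID"]}: local {e["Local Intrfce"]} -> neighbor {e["Port ID"]}, '
              f'{", ".join(e["Capability"])}, last seen {seconds_since_advertisement(e["Holdtme"])}s ago')
```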