Sunday, April 4, 2010


To fully incorporate a switched network, I will have to make some modifications to the network topology. In this case, I'll also make some changes to the naming conventions and put in some addressing as well so it would be easier to follow. The topology now looks like this:

We'll now work to bring the switch ports into trunking mode and turn on VTP. First, we'll configure this on S1:
in ran f0/11 , f0/12     (interface range f0/11 , f0/12)
sw t e d                 (switchport trunk encapsulation dot1q)
sw m t                   (switchport mode trunk)

And then configure this on S2 and S3:
in f0/1                  (interface f0/1)
sw t e d                 (switchport trunk encapsulation dot1q)
sw m t                   (switchport mode trunk)

sw t e d (switchport trunk encapsulation dot1q) may not work on some switches, because models that support only 802.1Q have no option to use ISL and therefore do not offer the encapsulation command at all; on those switches go straight to sw m t.

The default mode on a port is "switchport mode dynamic desirable". Dynamic desirable means that the port actively tries to negotiate itself into a trunk through DTP. A non-switch device plugged in (one that does not speak DTP) will leave the port operating as an access port.

Dynamic desirable allows an attacker to convert the switch port into a trunk port, essentially giving them access to all VLANs. Even a non-savvy attacker can plug any switch into the port to turn it into a trunk.

Best security practice is to hard-code all non-trunk ports as access ports. Then shut down all ports that are not in use.
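The following is an added example, not configuration from the original post: it shows the weak default described above next to a hardened version for S1, including the "nonegotiate" step that actually switches DTP off on a port. The port numbering (a 24-port switch with f0/1-10 for users, f0/11-12 as the trunks from the topology, f0/13-24 unused) and the user VLAN 10 are assumptions. On some models the factory default is "dynamic auto" rather than "dynamic desirable"; such a port still answers DTP from the far end, so the fix is the same.

```cisco
! Added example, not from the original post. Port numbers and VLAN 10 are assumed.
!
! --- Weak: the default the post describes, DTP left on ---
! interface FastEthernet0/5
!  switchport mode dynamic desirable
! Anything sending DTP "desirable" or "auto" on this port gets a trunk.
!
! --- Hardened ---
! 1) User-facing ports: fix them as access ports, then stop DTP on them.
!    "switchport nonegotiate" is rejected while the port is in a dynamic mode,
!    so the mode must be set first.
configure terminal
interface range FastEthernet0/1 - 10
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 no shutdown
!
! 2) The real trunks: hard-code them too, so nothing depends on negotiation.
!    Drop the encapsulation line on 802.1Q-only switches that do not accept it.
interface range FastEthernet0/11 - 12
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
!
! 3) Everything not in use: make it an access port and disable it.
interface range FastEthernet0/13 - 24
 switchport mode access
 shutdown
end
!
! Verify. A hard-coded access port now reports, among other lines:
!   Administrative Mode: static access
!   Operational Mode: static access
!   Negotiation of Trunking: Off
! The condition to look for during an audit is a port whose Administrative Mode
! is still "dynamic desirable" (or "dynamic auto") while its Operational Mode is
! "trunk": that port was negotiated into a trunk, not configured as one.
show interfaces FastEthernet0/1 switchport
show interfaces trunk
```

The "show interfaces trunk" listing at the end should contain only f0/11 and f0/12; any extra entry is a port that negotiated its way in and needs the access-port treatment above.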

To view the current VTP configuration, use:
show vtp stat            (show vtp status)

By default, the configuration revision number starts at 0 and increases by one every time the VLAN database is changed; "show vtp status" reports the current value. A switch allows VLAN numbers from 1 to 4094 when you're on a VTP server. The extended-range VLANs are allowed only when VTP mode is set to transparent.

To see the current existing VLANs, use:
show vlan
show vlan-s              (show vlan-switch, the equivalent on a router with a switch module)

For a switch to be industry-standard compliant, it needs four other VLANs, 1002 to 1005. These exist by default and do not affect the switch in any other way.

The three most common things to set for VTP are:
1) Domain Name
2) Password
3) Mode

Now back on S1, configure the VTP domain:
vlan dat                 (vlan database, entered from privileged EXEC mode)
vtp domain syraxius.ath.cx

Once the domain name is set on this switch, all other switches in the NULL domain will automatically join syraxius.ath.cx. A brand new switch plugged into an existing trunk port will automatically join the domain as well.

If you've set a password, you'll have to manually set it on all other switches. To set a password, go back into "vlan dat" and type:
vtp password cisco

To change the VTP mode, use (still in vlan database mode):
vtp client
or, from global configuration mode:
vtp mode client
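As an added example (not configuration from the original post), here are the same three VTP settings entered from global configuration mode, which is what current IOS prefers over the older "vlan database" mode used above, followed by the checks and the revision-number precaution a practitioner would want before connecting any switch that has been used elsewhere. The domain name and password are the post's; the roles (S1 as server, S2 and S3 as clients) are assumptions.

```cisco
! Added example, not from the original post. Roles (S1 server, S2/S3 clients) are assumed.
!
! On S1 (server):
configure terminal
 vtp domain syraxius.ath.cx
 vtp password cisco
 vtp mode server
end
!
! On S2 and S3 (clients). The domain name propagates over the trunks, the
! password never does: it must be typed on every switch. With a mismatch the
! client logs an MD5 digest mismatch and ignores the server's advertisements.
configure terminal
 vtp domain syraxius.ath.cx
 vtp password cisco
 vtp mode client
end
!
! Check before trusting the result:
show vtp status
! look at "VTP Operating Mode" and "Configuration Revision"
show vtp password
! confirms the password is actually set on this switch
!
! Precaution before plugging a pre-owned switch into the domain (server OR client):
! the switch carrying the highest Configuration Revision number wins, and its
! VLAN table overwrites everyone else's. Reset the newcomer's revision to 0
! first, for example by passing it through transparent mode:
configure terminal
 vtp mode transparent
 vtp mode client
end
show vtp status
! Configuration Revision should now read 0
```

Changing the domain name also resets the revision number to 0, so a switch that still sits in the NULL domain is safe to connect; the transparent-mode round trip is for a switch that already belongs to a domain.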

To see an interface's switchport status, use:
sh int f0/1 sw           (show interfaces f0/1 switchport)

You will see Administrative Mode and Operational Mode. The Administrative Mode is what the administrator configured on the port (it can be "dynamic"); the Operational Mode is the mode the switch port is currently in, i.e. the outcome of any negotiation.

To see all trunked interfaces, use:
show int trunk           (show interfaces trunk)
