Looking over some things before I go write the BCMSN exam this is something I wanted to waffle on about again because the reason for both aren’t so clear to me and why to use what when.
So short and sweet an Access Control List (ACL) is something that comes from the CCNA course and is something one can use to manage and control traffic that passes through a switch (mind passes through and doesn’t originate on) either in an inbound or outbound direction. Cisco Catalyst Switches filter traffic through the use of a TCAM (mentioned on this post). The reason for VLAN Access Control List (VACL) is that only traffic that passes between VLANs can be filtered using ACLs.
So this means logicaly that traffic that stays in the same VLAN doesn’t necessarily have a direction (inbound or outbound) in relation to the interface and also isn’t crossing any interface boundries. There is also the fact that the packets may also be non-IP, non-IPX, or completely bridged. VACLs are mechanisms that can directly affect packets inside a VLAN. VACLs are configured using access-maps
elete the vlan.dat file
BCMSN VTP Lab 4
VTP
This post I am going to deviate from how I have done things. In the previous posts I wrote out the entire configurations, in this post all I need is a working configuration. Use the initial config and work from here that has trunk links and setup VTP.
Run the following config on the DSW switches (both of them)
DSW1(config)#interface range fastethernet 0/1 - 4DSW1(config-if-range)#no switchport trunk allowed vlan 1,100
DSW1(config)#interface range fastethernet 0/11 - 12
DSW1(config-if-range)#no switchport trunk allowed vlan 1,100
And this config on the ASW switches (both of them)
ASW1(config)#interface range fastethernet 0/1 - 4ASW1(config-if-range)#no switchport trunk allowed vlan 1,100
This is because the top commands restrict the vlans to only allow vlan 1 and vlan 100 on the trunk. By default a trunk link will allow all vlans but one can restrict what vlans are allowed over a trunk through the use of the above commands (slipped it in there didn’t I).
Some comment on VTP is that it is a very funny animal to work with (even if it is dead useful. If you do it wrong you lose all VLANs in the VLAN database because of how an update happens from server to client. This makes VTP a very dangerous beast because in large networks there may be 100s of VLANs (you can double that number if you run voice and use separate vlans for each voice end-point) and if you add a new switch to VTP that’s configured wrong…. POOF…..like magic all VLANs gone
To begin a VTP configuration see below and notice how I start with the mode command, this is just something I do because I like knowing it starts in the right mode, its paranoia more than anything and getting it wrong enough that makes me do this. You may do it in another way (at your own risk).
Its an idea to go over the table I have on this page regarding the VTP Modes so that you understand why you use a certain mode at a certain times. If you need to for example add a switch to a network where the switch must NEVER participate in VTP for example you use transparent
Step 1.1: Configure VTP
Enter Global Configuration ModeASW1#configure terminal
Set the VTP Mode
ASW1(config)#vtp mode transparent
Set the VTP Version 1/2 and 3 (higher level switch platforms)
ASW1(config)#vtp version 2
Set the password and domain to prevent unauthorized joining to the VTP domain
ASW1(config)#vtp password cisco
ASW1(config)#vtp domain ciscolabnet
Exit Global Configuration Mode
ASW1(config)#exit
Step 1.2: Add VLANs
Enter VLAN Database ModeASW1#vlan database
Create a VLAN and assign it a name
ASW1(vlan)#vlan 100 name Marketing
VLAN 100 added:
Name: Marketing
Create another VLAN and assign it a name
ASW1(vlan)#vlan 150 name Sales
VLAN 150 added:
Name: Sales
APPLY your config (it will do this anyway on the next step but just make sure it applies changes)
ASW1(vlan)#apply
Exit VLAN Database Mode
ASW1(vlan)#exit
APPLY completed.
Exiting.......
Repeat the above steps exactly on ASW2. The VTP process is now running on both ASW switches. To check that this is the case:
ASW2#show vtp statusThe DSWs I am going to make clients to the ASWs (bottom-up)
Step 2: Configure VTP on the DSW switches
Enter Global Configuration ModeDSW1#configure terminal
Set the VTP Mode
DSW1(config)#vtp mode client
Set the VTP Version 1/2 and 3 (higher level switch platforms)
DSW1(config)#vtp version 2
Set the password and domain to prevent unauthorized joining to the VTP domain
DSW1(config)#vtp password cisco
DSW1(config)#vtp domain cisco
Exit Global Configuration Mode
DSW1(config)#exit
Step 3: Change the VTP Mode on the ASW switches
Do the same config on DSW2 making sure you configure the mode as client. After this is done go back to the ASWs and change them to servers:
ASW1#configure terminalASW1(config)#vtp mode server
ASW2#configure terminalASW2(config)#vtp mode server
After you have done this go to all the switches and try the following command
ASW2#show vlanYou should see the Sales and Marketing VLANS propogated on all the switches.
Notes and Notices:
This is a part of my personal BCMSN notes and research to assist myself in learning and understanding the concepts and theory for the BCMSN exam. I learn by making notes reading and writing things down and wish to file them where I can’t lose them. These notes are not to be seen, judged or mistaken for replacements to Cisco recognized and authorized training which I personally support and attend and suggest you undertake if you are going for the BCMSN Certification.