setsockopt()

11/08/2009

VLANs and Private VLANs

VLANs

A VLAN is a group of switch ports administratively configured to share the same broadcast domain. L2 switches cannot forward packets between VLANs; for inter-VLAN traffic, an L3 switch, also known as a Multilayer Switch (MLS), or a router is necessary.

VLAN membership can be granted to devices using Static VLAN configuration (port based) or Dynamic VLAN configuration (based on the device’s MAC address).

Dynamic VLAN configuration requires the use of CiscoWorks and a VLAN Membership Policy Server (VMPS). The VMPS stores the client MAC address database, which switches query to establish VLAN membership.

Because they tend to make troubleshooting rather awkward, Dynamic VLANs should be used only if extremely necessary. Besides, Dynamic VLANs considerably increase the administrative overhead.

The rest of this post deals with Static VLAN configuration only.

Configuring VLANs on Cisco switches is pretty simple. Only two steps are needed:

  1. create the VLAN(s)
  2. associate the correct ports to each VLAN (at this point the VLAN is considered to be “operational”)

On Cisco switches, VLAN creation can be done using either VLAN Database Mode or Configuration mode.
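The two steps above as an IOS session, added here as an example and not taken from the original post; VLAN 10, the name ENGINEERING and the interface FastEthernet0/1 are assumed values. It creates the VLAN in each of the two modes, assigns a port statically and then checks the result.

```cisco
! Added example; VLAN 10, the name ENGINEERING and Fa0/1 are assumed values.
!
! Step 1, option A: create the VLAN in VLAN Database Mode (from privileged EXEC).
! Changes made in this mode are applied when the mode is left with "exit".
Switch# vlan database
Switch(vlan)# vlan 10 name ENGINEERING
Switch(vlan)# exit
!
! Step 1, option B: create the same VLAN in Configuration mode.
Switch# configure terminal
Switch(config)# vlan 10
Switch(config-vlan)# name ENGINEERING
Switch(config-vlan)# exit
!
! Step 2: make the port a static access port and place it in VLAN 10.
Switch(config)# interface FastEthernet0/1
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 10
Switch(config-if)# end
!
! Check: VLAN 10 should be listed as active with Fa0/1 among its ports.
Switch# show vlan brief
```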


05/08/2009

…and then, after a long, long time…

Filed under: CCIE,Life — getaddrinfo() @ 14:18

… I’m back!

Well, a lot of things have happened in the last months. The most important are:

  1. I earned my CCNP! Now I’m a Cisco Certified Network Professional (sounds good, huh?)
  2. I’ve started studying to obtain my CCIE. Tough challenge, but I’m going for it!
  3. There’s a huge probability that I’ll get a new job in the next weeks (well, actually, if everything stays as is, I’m going to work in the same place, though employed by a different company)
  4. Starting this post, this blog will be written in English only

First of all, the great news is that I earned my CCNP on July 17. It was a really great feeling to receive an e-mail from Cisco’s Certification Team congratulating me on this. I had the impression that the ONT exam was the least difficult of all, maybe because I really enjoyed studying its topics.

Also, I began studying for the CCIE written exam this week. I was planning to earn my CCSA and CCSE first, but I don’t feel like working in the Security area anymore. I’ve been working on firewalls, IPSs, IDSs, ALGs and all kinds of security devices for the last five years.

Honestly, I never had a crush on IT security like the one I have on (inter)networking. Everything was just happening and I was kind of “conducted” to act in this area. I’ve no complaints: security jobs have paid all my bills. Also, I’ve learned a lot of stuff that has been helping me in all other IT areas.

However, I felt like it was time to move on. It was time to do what I really love to do. It was time to pursue my dreams and to pay the price for that.

I’m completely aware of the magnitude of the challenge. I’m sure that it’s gonna be difficult and it’s very likely that somewhere, sometime(s) during my journey I’ll ask myself: “is it worth it?”.

I know the answer. But I must prove it BY myself. I must prove it TO myself.

Now, at the beginning of my journey, I’ve got a lot of doubts and just one absolute certainty: anyone can do it, so can I.

OK, to give our simple, miserable lives a bit of real thrill, one issue that has been particularly worrying me and my co-workers is the probability that our employer loses its contract and, consequently, has to fire some of us. Our employer is (well… was) one of the three biggest Brazilian outsourcing companies. Unfortunately, the company has been headed wrongly in the last 2 years. They have continuously lost several important contracts. And guess what? One of them is ours!

The only thing we can do now is wait. It’s very likely that the new company will hire some of us due to our years of experience with the client’s network infrastructure.

Last, but not least, starting with this one I’ll add new posts only in English. That’s the way I found to practice my English skills. I’d like to apologize for the many grammar, spelling or other errors that you guys might notice. I promise I’ll try to improve my writing skills with every post.

Feel free to correct any of my sentences. I believe the only way one can reach full knowledge on a given subject is by *making* mistakes, *knowing* his/her mistakes and *correcting* these mistakes.

Fortunately, I’ve got Ingvar Kamprad in my favor:

“Only those who are asleep make no mistakes”

Cya.

21/01/2009

Krupp – Kritical Audio (original mix)

Filed under: Music — getaddrinfo() @ 10:13

20/01/2009

Advanced topics of the 802.1D protocol (STP)

Filed under: CCNP — getaddrinfo() @ 15:45

The main goal of the 802.1D protocol (Spanning Tree Protocol) is to prevent loops from forming in a LAN.

The results of a loop appearing in your local network can range from the blackout of a subnet to the total unavailability of the LAN and of the services it provides, both internal and external.

It is worth noting that 802.1D by itself is not the best choice when it comes to convergence speed, because it depends on several timers. For example, the convergence time after a direct topology change is detected is approximately 30 seconds (2 ForwardDelay timers), and in the case of an indirect topology change, 52 seconds (MaxAge + 2 ForwardDelay + 1 Hello). Depending on the company’s business requirements, 30 seconds of unavailability is an eternity.

In production environments 802.1w, RSTP (Rapid Spanning Tree Protocol), is used. But that is a subject for a future post.

Aiming to improve 802.1D, Cisco added some features to its IOS that improve the scalability, resilience and loop detection of Spanning Tree.


18/12/2008

Building a simple lab for the BCMSN

Filed under: CCNP — getaddrinfo() @ 11:35

Anyone who used Dynagen/Dynamips for the BSCI knows how much this tool helps in properly understanding the exam topics, especially the practical questions.

The high level of emulation gives an experience identical to accessing a “real” Cisco router. It is possible to build virtually any topology. The limit is the amount of memory and the processing power of the machine where Dynagen is running.

What many people don’t know is that Dynagen can also be used for the switching exam, the BCMSN. To do this, just enable the NM-16ESW module with the appropriate IOS, in this case the image c3725-adventerprisek9-mz.124-15.T5.bin (to find it, search on 4shared). This way, instead of a virtual router, you get a virtual L3 switch.

The listing of the .net file follows:


autostart = false
ghostios = True
[localhost]


[[3725]]
image = /usr/local/dynagen/images/c3725-adventerprisek9-mz.124-15.T5.bin
ram = 256


[[ROUTER SW1]]
model = 3725
console = 2010
slot1 = NM-16ESW


[[ROUTER SW2]]
model = 3725
console = 2011
slot1 = NM-16ESW


[[ROUTER SW3]]
model = 3725
console = 2012
slot1 = NM-16ESW

Since this is a simple example, for learning purposes, no links were made between the switches. In other words: there is no connectivity between the virtual switches. Feel free to use the example above and change it according to your needs.

The virtual switch will support all the commands needed to understand the content of the switching part of the 642-812 exam: configuration of VLANs, HSRP, VTP, Trunks, EtherChannel, Spanning-Tree, L3 Switching, etc.
