Untitled Document

The document outlines the configuration and verification of VLANs, access and trunk ports, and interswitch connectivity in a network environment. It explains the roles and states of ports in Rapid PVST+ Spanning Tree Protocol, along with the various Cisco wireless architectures and access point modes. Key concepts include VLAN management, Layer 2 discovery protocols, EtherChannel configuration, and the importance of PortFast for network performance.

2.0 Network Access

2.1 Configure and verify VLANs (normal range) spanning multiple switches
VLAN stands for virtual local area network, also referred to as a logical network. A VLAN logically divides
one physical network into several virtual networks, which splits up broadcast traffic. Because VLANs are
based on logical rather than physical connections, they reduce broadcast traffic and make administration
quicker.

VLANs can also improve overall network performance, because they group together devices that
communicate with each other frequently.

A virtual LAN (VLAN) is a concept in which devices are divided logically at Layer 2 (the data link layer).
Generally, Layer 3 devices divide broadcast domains, but switches can also divide a broadcast domain
using VLANs.

A broadcast domain is a network segment in which a broadcast sent by one device is received by every
other device in that domain. Broadcasts stay within the switched segment because routers do not forward
broadcast packets. To forward packets between different VLANs (from one VLAN to another) or broadcast
domains, inter-VLAN routing is needed. VLANs therefore create several small sub-networks that are
comparatively easy to manage.

VLAN ranges:

VLAN 0 and 4095: Reserved VLANs that cannot be seen or used.

VLAN 1: The default VLAN of the switch. By default, all switch ports are in VLAN 1. This VLAN cannot be
deleted or edited, but it can be used.

VLAN 2-1001: The normal VLAN range. These VLANs can be created, edited and deleted.

VLAN 1002-1005: Cisco defaults for FDDI and Token Ring. These VLANs cannot be deleted.

VLAN 1006-4094: The extended VLAN range.

Access and Trunk Ports

Switch ports are Layer 2 interfaces that are used to carry Layer 2 traffic. A single access switch port carries
the traffic of a single VLAN. Frames are handled differently according to the type of link they are traversing.

Note: All switch ports are assigned to VLAN 1 by default (VLAN 1 cannot be modified or deleted).

There are two types of ports in a switched environment:

Access Ports

These switch ports belong to, and carry the traffic of, only one VLAN. By default, an access port carries
the traffic of VLAN 1 (the default VLAN). Switch ports assigned as access ports belong to a single
broadcast domain. Any traffic arriving on an access port is treated as belonging to the VLAN assigned to
that port.

Advantages:

Access ports are used to connect end devices, such as PCs, printers, and servers, to the switch. These
ports are simple to configure and provide a direct connection to the network.

Access ports are typically configured to carry traffic for a single VLAN, which provides a layer of security
by segregating traffic between different VLANs.

Access ports are less complex than trunk ports, which makes them easier to configure and troubleshoot.

Disadvantages:

Access ports can only carry traffic for a single VLAN, which can limit network flexibility and scalability. If a
device needs to communicate with devices on another VLAN, it must go through a router or Layer 3
switch.

Access ports are susceptible to VLAN hopping attacks, where an attacker can gain access to another
VLAN by exploiting weaknesses in the network.

Trunk Ports

These switch ports belong to, and carry the traffic of, more than one VLAN. This is a great advantage: a
single switch port can carry the traffic of a whole group of VLANs. Trunks are most useful when traffic must
be exchanged between switches that have more than one VLAN configured. To identify which VLAN a
frame belongs to, a VLAN identification method (802.1Q or ISL) is used. Carrying traffic between VLANs
also requires inter-VLAN routing; in a router-on-a-stick configuration the link between the router and the
switch is configured as a trunk, because it has to carry the traffic of more than one VLAN (this is not
needed when inter-VLAN routing is done by a Layer 3 switch).

Note: Trunk links can carry the traffic of different VLANs across them, but by default, if the links between
switches are not trunks, only traffic from the configured access VLAN will be exchanged.

2.1.a Access ports (data and voice)

Voice and data access ports are needed when an end host is connected through a VoIP phone. Such ports
are known as Multi-VLAN Access Ports (MVAP). They allow both the PC and the phone to communicate
over a single switch port, which would otherwise require two ports.

2.1.b Default VLAN


The default VLAN is a pre-configured VLAN on a network switch that is used for untagged or unassigned
network traffic. It is typically VLAN 1 and is used to carry traffic from devices that are not assigned to a
specific VLAN.

In a switched network, all switch ports are assigned to a VLAN by default, typically VLAN 1. If a device is
connected to a switch port that is assigned to VLAN 1, the device will be part of the default VLAN and its
traffic will be sent over that VLAN.

It is generally recommended to avoid using the default VLAN for security reasons, as all untagged traffic
on a switch port is part of the default VLAN. Instead, you should create and assign specific VLANs for
your network devices to ensure a more secure and efficient network.

To change the default VLAN, you need to create a new VLAN and assign it to the switch ports as needed.
You can also change the VLAN assignment for a specific port using the "switchport access vlan [vlan-id]"
command.

2.2 Configure and verify interswitch connectivity

Trunk ports, 802.1Q, and Native VLAN

Trunk ports, 802.1Q, and the Native VLAN are important concepts in CCNA that are related to the
configuration of VLANs in a network.

1. Trunk ports: Trunk ports are switch ports that are used to carry traffic for multiple VLANs. A trunk port
allows traffic from multiple VLANs to pass through a single physical link, providing inter-VLAN
connectivity. Trunk ports are typically used to connect switches together and allow for the exchange of
VLAN information between switches.

2. 802.1Q: 802.1Q is a networking standard that defines a method for inserting VLAN information into
Ethernet frames. It is used to identify which VLAN a frame belongs to and is essential for inter-VLAN
communication. 802.1Q uses a 4-byte tag in the Ethernet frame to carry the VLAN information, making it
possible for switches to identify and forward traffic for specific VLANs.

3. Native VLAN: The Native VLAN is a VLAN that is associated with a trunk port and is used to carry
untagged traffic. This means that traffic that is not assigned to a specific VLAN will be sent over the
Native VLAN. By default, the Native VLAN is typically VLAN 1, but it can be changed to another VLAN if
desired.
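As an added example (not from the original notes), the following Python builds and decodes the 4-byte 802.1Q tag described above, placing untagged and priority-tagged (VID 0) frames into the native VLAN the way a trunk port does. The MAC addresses, payloads and the native VLAN value are constructed assumptions.

```python
import struct

TPID_8021Q = 0x8100   # EtherType that announces an 802.1Q tag (0x88A8 is the 802.1ad S-tag)
NATIVE_VLAN = 1       # assumption: the trunk's native VLAN is left at the default, VLAN 1


def parse_frame(frame: bytes, native_vlan: int = NATIVE_VLAN) -> dict:
    """Decode the optional 802.1Q tag of an Ethernet frame as a trunk port would.

    Returns the MACs, the VLAN the frame is placed in, PCP/DEI, the inner EtherType
    and the payload. Untagged frames are assigned to the native VLAN.
    """
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    offset, vid, pcp, dei, tagged = 14, native_vlan, 0, 0, False
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        # Tag Control Information: 3-bit PCP, 1-bit DEI, 12-bit VID, then the real EtherType
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        pcp, dei, vid = tci >> 13, (tci >> 12) & 1, tci & 0x0FFF
        tagged, offset = True, 18
        if vid == 0:            # priority-tagged frame: carries no VLAN, so treat as native
            vid = native_vlan
        elif vid == 4095:       # reserved VID that must never appear on the wire
            raise ValueError("reserved VID 4095")
    return {
        "dst": dst.hex(":"), "src": src.hex(":"), "tagged": tagged,
        "vlan": vid, "pcp": pcp, "dei": dei,
        "ethertype": ethertype, "payload": frame[offset:],
    }


def build_frame(dst, src, ethertype, payload, vid=None, pcp=0, dei=0) -> bytes:
    """Build a frame, inserting the 4-byte 802.1Q tag after the source MAC when vid is given."""
    header = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    if vid is not None:
        tci = (pcp << 13) | (dei << 12) | (vid & 0x0FFF)
        header += struct.pack("!HH", TPID_8021Q, tci)
    return header + struct.pack("!H", ethertype) + payload


# Constructed sample frames (not captured traffic): one tagged for VLAN 20, one untagged.
TAGGED = build_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55", 0x0806, b"ARP...", vid=20, pcp=5)
UNTAGGED = build_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:66", 0x0800, b"IP...")

if __name__ == "__main__":
    for f in (TAGGED, UNTAGGED):
        print(parse_frame(f))
```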

2.3 Configure and verify Layer 2 discovery protocols (Cisco Discovery Protocol
and LLDP)

Layer 2 discovery protocols, such as Cisco Discovery Protocol (CDP) and Link Layer Discovery Protocol
(LLDP), allow network devices to learn about directly connected equipment, such as switches, routers,
and other devices. Here's how to configure and verify these protocols:

1. Configure CDP:

Enter global configuration mode using the "configure terminal" command.


Enable CDP globally using the "cdp run" command.

Verify the CDP status using the "show cdp" command.

2. Configure LLDP:

Enter global configuration mode using the "configure terminal" command.

Enable LLDP globally using the "lldp run" command.

Verify the LLDP status using the "show lldp" command.

To verify the information learned by these protocols, use the following commands:

1. CDP:

Use the "show cdp neighbors" command to display information about directly connected CDP-enabled
devices, including device type, IOS version, and local and remote interfaces.

2. LLDP:

Use the "show lldp neighbors" command to display information about directly connected LLDP-enabled
devices, including device type, IOS version, and local and remote interfaces.

Note: CDP is a proprietary protocol developed by Cisco, while LLDP is an industry-standard protocol.
LLDP can be used to discover information about devices from different vendors, while CDP is limited to
discovering information about Cisco devices only.

2.4 Configure and verify (Layer 2/Layer 3) EtherChannel (LACP)

EtherChannel is a technology that allows you to bundle multiple physical Ethernet links into a single
logical link, providing increased bandwidth and redundancy. There are two EtherChannel negotiation
protocols: Link Aggregation Control Protocol (LACP) and Port Aggregation Protocol (PAgP). Here's how
to configure and verify LACP EtherChannel:

1. Configure LACP EtherChannel:

Enter interface configuration mode for the desired ports using the "interface [port]" command.

Configure the port as a trunk using the "switchport mode trunk" command.

Enable LACP EtherChannel using the "channel-group [group-number] mode active" command.

Verify the EtherChannel configuration using the "show interfaces [port-channel-number] channel"
command.

2. Verify LACP EtherChannel:


Use the "show interfaces [port-channel-number] status" command to display information about the
EtherChannel, including the current state of the bundle, the number of active links, and the speed and
duplex settings.

Use the "show interfaces [port-channel-number] etherchannel" command to display information about the
LACP configuration, including the LACP status, the number of active and passive links, and the current
LACP rate.

Note: To use LACP EtherChannel, both ends of the link must be configured with LACP and the switch
must support LACP. Additionally, the same EtherChannel configuration must be applied to both switches,
including the channel group number, the allowed VLANs, and the mode (active or passive).

2.5 Interpret basic operations of Rapid PVST+ Spanning Tree Protocol

Rapid PVST+ is Cisco’s proprietary implementation of the Rapid Spanning Tree Protocol (RSTP) that
runs a separate instance of RSTP for each VLAN. It enhances the original STP (Spanning Tree
Protocol) by providing faster convergence and improved efficiency.

2.5.a Root port, root bridge (primary/secondary), and other port names

1. Root Bridge

●​ The Root Bridge is the central reference point in the spanning tree topology.
●​ It is elected based on the lowest Bridge ID (BID), which combines:
○​ Bridge Priority (default = 32768)
○​ MAC Address (used as a tiebreaker)
●​ All other switches calculate the best path to the Root Bridge.

Root Bridge Election Example:

Switch(config)# spanning-tree vlan 10 root primary
Switch(config)# spanning-tree vlan 10 root secondary

●​ Primary Root Bridge: Chosen with the lowest BID.
●​ Secondary Root Bridge: Acts as backup in case the primary fails.

2. Root Port (RP)

●​ The Root Port is the port on a non-root switch that has the best path (lowest cost) to the Root
Bridge.
●​ Each non-root switch will have one Root Port.

Example:

Switch(config)# interface GigabitEthernet0/1
Switch(config-if)# spanning-tree port-priority 64

●​ Lower priority values increase the chance of becoming the Root Port.

3. Designated Port (DP)

●​ The Designated Port is the port on a network segment that offers the best path to the Root
Bridge.
●​ Each network segment has one Designated Port.

4. Alternate Port

●​ An Alternate Port is a backup for the Root Port. It moves to Forwarding mode if the Root Port
fails.

5. Backup Port

●​ A Backup Port is a redundant port on a shared segment that backs up a Designated Port.

Summary Table of Port Roles

Port Role        Function                                   State
---------------  -----------------------------------------  ----------------------
Root Port        Best path to Root Bridge                   Forwarding
Designated Port  Best path to Root Bridge on a segment      Forwarding
Alternate Port   Backup for Root Port                       Discarding (Blocking)
Backup Port      Backup for Designated Port (rarely used)   Discarding (Blocking)
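To make the election and port-role rules above concrete, here is an added Python example (not part of the original notes) that computes the Root Bridge, each switch's root path cost and the Root/Designated/Alternate role of every port for a constructed three-switch triangle; the switch names, MAC addresses and link costs are assumptions.

```python
import heapq

# Bridge ID = (priority, MAC address); the lowest tuple wins. Cisco adds the VLAN number to
# the priority (extended system ID), so "spanning-tree vlan 10 root primary" shows 24586.
# Constructed topology (not from the notes): three switches in a triangle, every link 1 Gbps
# (RSTP long path cost 20000), so ties must be broken by BID and port ID.
BRIDGES = {
    "SW1": (24576, "0000.0000.0001"),   # lowered priority -> becomes Root Bridge
    "SW2": (32768, "0000.0000.0002"),
    "SW3": (32768, "0000.0000.0003"),
}
LINKS = [  # (switch_a, port_a, switch_b, port_b, path cost)
    ("SW1", "Gi0/1", "SW2", "Gi0/1", 20000),
    ("SW1", "Gi0/2", "SW3", "Gi0/1", 20000),
    ("SW2", "Gi0/2", "SW3", "Gi0/2", 20000),
]


def stp_roles(bridges, links):
    """Return (root bridge, root path cost per switch, role per (switch, port))."""
    root = min(bridges, key=bridges.get)           # lowest Bridge ID wins the election
    adj = {name: [] for name in bridges}
    for a, pa, b, pb, cost in links:               # (neighbor, local port, remote port, cost)
        adj[a].append((b, pa, pb, cost))
        adj[b].append((a, pb, pa, cost))
    # Root path cost (RPC): cheapest cumulative cost from each switch to the root (Dijkstra).
    rpc = {name: float("inf") for name in bridges}
    rpc[root] = 0
    heap = [(0, root)]
    while heap:
        dist, name = heapq.heappop(heap)
        if dist > rpc[name]:
            continue
        for nb, _, _, cost in adj[name]:
            if dist + cost < rpc[nb]:
                rpc[nb] = dist + cost
                heapq.heappush(heap, (rpc[nb], nb))
    roles = {}
    # Root Port: the single port per non-root switch with the best path to the root.
    # Tie-break order: lowest cost, then sender BID, then sender port ID, then local port ID.
    for name in bridges:
        if name == root:
            continue
        _, local, _, _ = min(
            adj[name], key=lambda e: (rpc[e[0]] + e[3], bridges[e[0]], e[2], e[1]))
        roles[(name, local)] = "Root"
    # Designated Port: on each segment, the end advertising the lower RPC (then lower BID).
    # The other end is the Root Port if chosen above, otherwise an Alternate (discarding).
    for a, pa, b, pb, cost in links:
        if (rpc[a], bridges[a], pa) < (rpc[b], bridges[b], pb):
            des, other = (a, pa), (b, pb)
        else:
            des, other = (b, pb), (a, pa)
        roles[des] = "Designated"
        roles.setdefault(other, "Alternate")
    return root, rpc, roles


if __name__ == "__main__":
    root, rpc, roles = stp_roles(BRIDGES, LINKS)
    print("root bridge:", root)
    for (sw, port), role in sorted(roles.items()):
        print(f"{sw} {port}: {role} (root path cost {rpc[sw]})")
```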

2.5.b Port states (forwarding/blocking)

In Rapid PVST+, ports follow specific states during convergence to prevent network loops.

Port States in Rapid PVST+:

State                  Description
---------------------  ---------------------------------------------------------------------------
Discarding (Blocking)  Port does not forward data frames. Only listens for BPDUs. Prevents loops.
Learning               Port builds its MAC address table but does not forward data frames yet.
Forwarding             Port is fully operational and forwards data frames.
Disabled               Port is administratively shut down or has failed.

Key Features of RSTP Port Transitions

●​ Fast Convergence: Rapid PVST+ achieves faster convergence by skipping the lengthy
Listening and Learning stages found in classic STP.

2.5.c PortFast

PortFast is a feature that immediately transitions a port to the Forwarding state, bypassing the normal
STP stages. It is used on access ports connected to end devices (like PCs, printers, etc.) to improve
network performance.

Why Use PortFast?

●​ Reduces connectivity delay when end devices power on.
●​ Prevents unnecessary STP calculations for ports that don’t form network loops.

PortFast Configuration:

1.​ Enable PortFast on access ports:

Switch(config)# interface FastEthernet0/2

Switch(config-if)# spanning-tree portfast

2.​ Enable PortFast globally for all access ports:

Switch(config)# spanning-tree portfast default

Important Note:

●​ PortFast should only be enabled on edge ports connected to end devices.
●​ Enabling PortFast on trunk ports or switch-to-switch links can cause network loops.

2.6 Describe Cisco Wireless Architectures and AP modes

Cisco Wireless Architectures and Access Point (AP) Modes

Cisco offers various wireless architectures and AP modes to ensure efficient wireless network
deployment, management, and scalability. Understanding these is crucial for designing a robust wireless
network.

1. Cisco Wireless Architectures


Cisco wireless solutions typically use one of the following architectures:

1.1. Autonomous (Standalone) Architecture

●​ Each AP operates independently with its own configuration.
●​ Configuration, management, and updates must be performed individually on each AP.
●​ Suitable for small-scale networks with minimal APs.

Key Features:

●​ No controller required
●​ Each AP handles its own security, mobility, and traffic management
●​ Limited scalability

Example Use Case: Small office environments or branch offices with a few APs.

1.2. Centralized (Controller-Based) Architecture

●​ Utilizes a Wireless LAN Controller (WLC) to manage multiple lightweight APs (known as
Lightweight Access Points - LAPs).
●​ APs forward all client traffic and management data to the WLC.
●​ Suitable for medium to large-scale networks.

Key Features:

●​ Centralized management and configuration
●​ Enhanced security features like rogue AP detection
●​ Seamless client roaming between APs

Example Use Case: Large enterprises, universities, or hospitals.

1.3. Cloud-Based Architecture (Meraki)

●​ Cisco Meraki APs are managed via the Meraki Cloud Dashboard.
●​ Offers zero-touch provisioning, making deployment simple and fast.
●​ Suitable for distributed environments with multiple locations.

Key Features:

●​ Centralized cloud-based control with no on-premises controller
●​ Automatic firmware updates and monitoring
●​ Scalable with minimal physical infrastructure

Example Use Case: Retail chains, branch offices, and remote locations.

1.4. Embedded Wireless Controller (EWC) Architecture

●​ A Cisco Catalyst AP acts as both an AP and a controller, eliminating the need for a dedicated
WLC.
●​ Offers similar functionality as a traditional controller but is embedded within the AP itself.
●​ Suitable for small to medium-sized networks.

Key Features:

●​ Combines AP and controller functionality
●​ Cost-effective solution for smaller deployments
●​ Provides local management without reliance on external controllers

Example Use Case: Small businesses or branch offices with limited APs.

2. Cisco AP Modes

Cisco APs operate in various modes depending on the network architecture and deployment
requirements.

2.1. Local Mode (Default Mode)

●​ Standard mode for lightweight APs in a controller-based architecture.
●​ The AP handles client data forwarding while forwarding control and management data to the
controller.

Key Features:

●​ Ideal for environments requiring centralized control
●​ Ensures seamless client roaming and mobility

2.2. FlexConnect Mode (Formerly H-REAP)

●​ Designed for remote or branch offices.
●​ APs operate independently if the WLC connection is lost.

Key Features:

●​ Data is locally switched, reducing bandwidth usage on WAN links
●​ Allows APs to continue operating even if the WLC goes offline

Example Use Case: Remote branch offices with limited WAN connectivity.

2.3. Monitor Mode

●​ AP functions solely as a dedicated sensor for wireless monitoring.
●​ Does not serve client devices.

Key Features:

●​ Detects rogue APs, interference sources, and security threats
●​ Ideal for wireless intrusion prevention systems (WIPS)

2.4. Sniffer Mode

●​ The AP captures 802.11 traffic and forwards it to a protocol analyzer like Wireshark for detailed
analysis.

Key Features:

●​ Useful for troubleshooting wireless issues
●​ Provides in-depth packet analysis for performance and security

2.5. Rogue Detector Mode

●​ AP monitors the wired network for rogue devices by checking MAC addresses and DHCP
requests.

Key Features:

●​ Identifies unauthorized APs or wireless clients
●​ Enhances wireless security by preventing rogue access

2.6. Bridge Mode (Mesh Mode)

●​ APs operate as wireless bridges, creating point-to-point or point-to-multipoint connections.

Key Features:

●​ Extends network connectivity to areas without Ethernet cabling
●​ Ideal for outdoor deployments, warehouses, or campus environments

2.7. SE-Connect Mode (Spectrum Expert Mode)

●​ AP acts as a dedicated spectrum analyzer to detect and analyze RF interference.

Key Features:

●​ Identifies sources of interference like microwaves, Bluetooth devices, etc.
●​ Useful for troubleshooting persistent wireless performance issues

3. Summary of AP Modes

Mode            Purpose                                        Primary Use Case
--------------  ---------------------------------------------  -----------------------------------------
Local Mode      Standard mode for central WLC control          Large campuses and enterprise networks
FlexConnect     Enables local data switching during WLC loss   Branch offices with limited WAN bandwidth
Monitor Mode    Dedicated monitoring of RF environment         Security threat detection and analysis
Sniffer Mode    Captures wireless traffic for analysis         Wireless troubleshooting and diagnostics
Rogue Detector  Identifies rogue APs on the wired network      Enhanced network security
Bridge Mode     Establishes point-to-point wireless links      Outdoor and remote site connectivity
SE-Connect      Analyzes RF spectrum for interference          RF troubleshooting and optimization

