Switch Security and Port Management Guide

The document outlines a training session on implementing Ethernet LAN, focusing on switch security and port security features. It covers topics such as secure remote access using SSH, methods to restrict unauthorized access, and configuring port security to mitigate MAC address table attacks. Additionally, it includes practical activities for configuring these security features on network devices.

Uploaded by

gadafa
Copyright
© All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
0% found this document useful (0 votes)
8 views68 pages

Switch Security and Port Management Guide

The document outlines a training session on implementing Ethernet LAN, focusing on switch security and port security features. It covers topics such as secure remote access using SSH, methods to restrict unauthorized access, and configuring port security to mitigate MAC address table attacks. Additionally, it includes practical activities for configuring these security features on network devices.

Uploaded by

gadafa
Copyright
© All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd

CAPACITY BUILDING ON Hardware and Network Servicing (HNS)
TRAINING FOR TVT TRAINERS
Day-2, August
© 2019, 2021 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 1
UNIT 2 Implementing Ethernet LAN

Part II: Outline (cont.)

Session 2: Switch Security: Management and Implementation
Session 3: VLAN and VLAN Trunking
Session 4: WLAN

INNOVATIVE PEDAGOGY AND DIGITAL INTEGRATION, AUGUST 2024


UNIT 2 Implementing Ethernet LAN: Switch Security

Discussion Questions
• What methods are available to restrict unauthorized access to switch management?
• How can you limit access to a port using MAC addresses?
• In which scenarios would it be useful to enable sticky MAC addresses?
UNIT 2 Implementing Ethernet LAN: Switch Security
Secure Remote Access
SSH Operation
• Secure Shell (SSH) is a protocol that provides a secure (encrypted) command-line based connection to a remote device.
• SSH is commonly used in UNIX-based systems.
• Cisco IOS also supports SSH.
• A version of the IOS software including cryptographic (encrypted) features and capabilities is required in order to enable SSH on Catalyst 2960 switches.
• Because of its strong encryption features, SSH should replace Telnet for management connections.
• SSH uses TCP port 22 by default. Telnet uses TCP port 23.
UNIT 2 Implementing Ethernet LAN: Switch Security
Secure Remote Access
SSH Operation (figure)

UNIT 2 Implementing Ethernet LAN: Switch Security
Secure Remote Access
Configuring SSH (figure)

UNIT 2 Implementing Ethernet LAN: Switch Security
Secure Remote Access
Verifying SSH (figure)
UNIT 2 Implementing Ethernet LAN: Switch Security
Implement Port Security
Secure Unused Ports
Layer 2 attacks are some of the easiest for hackers to deploy but these threats can also
be mitigated with some common Layer 2 solutions.
• All switch ports (interfaces) should be secured before the switch is deployed for
production use. How a port is secured depends on its function.
• A simple method that many administrators use to help secure the network from
unauthorized access is to disable all unused ports on a switch. Navigate to each
unused port and issue the Cisco IOS shutdown command. If a port must be
reactivated at a later time, it can be enabled with the no shutdown command.
• To configure a range of ports, use the interface range command.

Switch(config)# interface range type module/first-number – last-number

UNIT 2 Implementing Ethernet LAN: Switch Security
Implement Port Security
Mitigate MAC Address Table Attacks
The simplest and most effective method to prevent MAC address table overflow
attacks is to enable port security.
• Port security limits the number of valid MAC addresses allowed on a port. It
allows an administrator to manually configure MAC addresses for a port or
to permit the switch to dynamically learn a limited number of MAC
addresses. When a port configured with port security receives a frame, the
source MAC address of the frame is compared to the list of secure source
MAC addresses that were manually configured or dynamically learned on
the port.
• By limiting the number of permitted MAC addresses on a port to one, port
security can be used to control unauthorized access to the network.
UNIT 2 Implementing Ethernet LAN: Switch Security
Implement Port Security
Enable Port Security
• Port security is enabled with the switchport port-security interface configuration
command.
• Notice in the example, the switchport port-security command was rejected. This is
because port security can only be configured on manually configured access ports or
manually configured trunk ports.
• By default, Layer 2 switch ports are set to dynamic auto (trunking on). Therefore, in the
example, the port is configured with the switchport mode access interface configuration
command.

UNIT 2 Implementing Ethernet LAN: Switch Security
Implement Port Security
Enable Port Security (Cont.)
• Use the show port-security interface command
to display the current port security settings for
FastEthernet 0/1.
• Notice how port security is enabled, the violation
mode is shutdown, and how the maximum
number of MAC addresses is 1.
• If a device is connected to the port, the switch will
automatically add the device’s MAC address as a
secure MAC. In this example, no device is
connected to the port.

Note: If an active port is configured with the switchport port-security command and more than one device is connected to that port, the port will transition to the error-disabled state.
UNIT 2 Implementing Ethernet LAN: Switch Security
Implement Port Security
Enable Port Security (Cont.)
• After port security is enabled, other port security specifics can be configured, as shown
in the example.
UNIT 2 Implementing Ethernet LAN: Switch Security
Implement Port Security
Limit and Learn MAC Addresses
• To set the maximum number of MAC addresses allowed on a port, use the following
command:
Switch(config-if)# switchport port-security maximum value

• The default port security value is 1.


• The maximum number of secure MAC addresses that can be configured depends on the switch and the IOS.
• In this example, the maximum is 8192.

UNIT 2 Implementing Ethernet LAN: Switch Security
Implement Port Security
Limit and Learn MAC Addresses (Cont.)
The switch can be configured to learn about MAC addresses on a secure port in one of
three ways:
1. Manually Configured: The administrator manually configures one or more static MAC addresses by using the following command for each secure MAC address on the port:
Switch(config-if)# switchport port-security mac-address mac-address

2. Dynamically Learned: When the switchport port-security command is entered, the current source MAC for the device connected to the port is automatically secured but is not added to the running configuration. If the switch is rebooted, the port will have to re-learn the device’s MAC address.

3. Dynamically Learned – Sticky: The administrator can enable the switch to dynamically learn the MAC addresses and “stick” them to the running configuration by using the following command:
Switch(config-if)# switchport port-security mac-address sticky
Saving the running configuration will commit the dynamically learned MAC addresses to NVRAM.
UNIT 2 Implementing Ethernet LAN: Switch Security
Implement Port Security
Limit and Learn MAC Addresses (Cont.)
The example demonstrates a complete
port security configuration for
FastEthernet 0/1.
• The administrator specifies a
maximum of 4 MAC addresses,
manually configures one secure MAC
address, and then configures the port
to dynamically learn additional secure
MAC addresses up to the 4 secure
MAC address maximum.
• Use the show port-security interface and the show port-security address commands to verify the configuration.
UNIT 2 Implementing Ethernet LAN: Switch Security
Implement Port Security
Port Security Aging
Port security aging can be used to set the aging time for static and dynamic secure
addresses on a port and two types of aging are supported per port:
• Absolute - The secure addresses on the port are deleted after the specified aging time.
• Inactivity - The secure addresses on the port are deleted if they are inactive for a specified time.

Use aging to remove secure MAC addresses on a secure port without manually deleting
the existing secure MAC addresses.
• Aging of statically configured secure addresses can be enabled or disabled on a per-port basis.

Use the switchport port-security aging command to enable or disable static aging for
the secure port, or to set the aging time or type.
Switch(config-if)# switchport port-security aging {static | time time | type {absolute | inactivity}}

UNIT 2 Implementing Ethernet LAN: Switch Security
Implement Port Security
Port Security Aging (Cont.)
The example shows an administrator configuring the aging type to inactivity with an aging time of 10 minutes.

The show port-security interface command confirms the changes.
UNIT 2 Implementing Ethernet LAN: Switch Security
Implement Port Security
Port Security Violation Modes
If the MAC address of a device attached to a port differs from the list of secure addresses,
then a port violation occurs and the port enters the error-disabled state.
• To set the port security violation mode, use the following command:
Switch(config-if)# switchport port-security violation {shutdown | restrict | protect}

The following table shows how a switch reacts based on the configured violation mode.

Mode | Description
shutdown (default) | The port transitions to the error-disabled state immediately, turns off the port LED, and sends a syslog message. It increments the violation counter. When a secure port is in the error-disabled state, an administrator must re-enable it by entering the shutdown and no shutdown commands.
restrict | The port drops packets with unknown source addresses until you remove a sufficient number of secure MAC addresses to drop below the maximum value or increase the maximum value. This mode causes the Security Violation counter to increment and generates a syslog message.
protect | This is the least secure of the security violation modes. The port drops packets with unknown MAC source addresses until you remove a sufficient number of secure MAC addresses to drop below the maximum value or increase the maximum value. No syslog message is sent.
UNIT 2 Implementing Ethernet LAN: Switch Security
Implement Port Security
Port Security Violation Modes (Cont.)
The example shows an administrator changing the security violation mode to “Restrict”.
The output of the show port-security interface command confirms that the change has been made.
UNIT 2 Implementing Ethernet LAN: Switch Security
Implement Port Security
Ports in error-disabled State
When a port is shutdown and placed in the error-disabled state, no traffic is sent or
received on that port.
A series of port security related messages display on the console, as shown in the
following example.

Note: The port protocol and link status are changed to down and the port LED is turned off.

UNIT 2 Implementing Ethernet LAN: Switch Security
Implement Port Security
Ports in error-disabled State (Cont.)
• In the example, the show interface command
identifies the port status as err-disabled. The
output of the show port-security
interface command now shows the port status
as secure-shutdown. The Security Violation
counter increments by 1.
• The administrator should determine what caused the security violation. If an unauthorized
device is connected to a secure port, the security threat is eliminated before the port is
re-enabled.
• To re-enable the port, first use
the shutdown command, then, use the no
shutdown command.
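The behaviour described in the last few slides (a maximum count of secure MACs, static, dynamic and sticky learning, the three violation modes, and recovery from err-disabled) can be modelled in a few lines. This is an added example, not Cisco code: the class, method names and MAC addresses are constructed for illustration; the IOS commands quoted in the comments are the ones the slides show.

```python
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    """One access port with switchport port-security enabled (hypothetical model)."""
    name: str = "Fa0/1"
    maximum: int = 1               # switchport port-security maximum <value>
    violation: str = "shutdown"    # switchport port-security violation {shutdown|restrict|protect}
    sticky: bool = False           # switchport port-security mac-address sticky
    static: set = field(default_factory=set)    # switchport port-security mac-address <mac>
    learned: set = field(default_factory=set)   # dynamically learned secure MACs
    status: str = "secure-up"      # secure-up, or secure-shutdown once err-disabled
    violations: int = 0            # the Security Violation counter
    syslog: list = field(default_factory=list)  # messages the port would log

    def secure_addresses(self) -> set:
        return self.static | self.learned

    def add_static(self, mac: str) -> None:
        """Manually configure a secure MAC; rejected once the maximum is reached."""
        if len(self.secure_addresses()) >= self.maximum:
            raise ValueError("maximum secure addresses already reached")
        self.static.add(mac.lower())

    def receive(self, src_mac: str) -> str:
        """Process one inbound frame; returns 'forward', 'drop' or 'err-disabled'."""
        mac = src_mac.lower()
        if self.status == "secure-shutdown":
            return "err-disabled"                  # no traffic is sent or received
        if mac in self.secure_addresses():
            return "forward"
        if len(self.secure_addresses()) < self.maximum:
            self.learned.add(mac)                  # dynamic learning, up to the maximum
            return "forward"
        # Unknown source MAC while the table is full: a security violation.
        if self.violation == "shutdown":
            self.violations += 1
            self.status = "secure-shutdown"
            self.syslog.append(f"psecure-violation on {self.name} by {mac}: err-disabled")
            return "err-disabled"
        if self.violation == "restrict":
            self.violations += 1
            self.syslog.append(f"security violation on {self.name} by {mac}: frame dropped")
            return "drop"
        return "drop"                              # protect: dropped silently, no counter, no syslog

    def reenable(self) -> None:
        """Operator recovery after err-disable: shutdown, then no shutdown."""
        self.status = "secure-up"
        if not self.sticky:
            self.learned.clear()                   # plain dynamic entries are lost when the port goes down

    def reload(self, config_saved: bool) -> None:
        """Switch reboot: only sticky addresses committed to NVRAM survive."""
        self.status = "secure-up"
        self.violations = 0
        if not (self.sticky and config_saved):
            self.learned.clear()

    def running_config(self) -> list:
        """The interface lines show running-config would contain."""
        lines = ["switchport mode access", "switchport port-security"]
        if self.maximum != 1:
            lines.append(f"switchport port-security maximum {self.maximum}")
        if self.violation != "shutdown":
            lines.append(f"switchport port-security violation {self.violation}")
        if self.sticky:
            lines.append("switchport port-security mac-address sticky")
            lines += [f"switchport port-security mac-address sticky {m}" for m in sorted(self.learned)]
        lines += [f"switchport port-security mac-address {m}" for m in sorted(self.static)]
        return lines


def violation_demo(mode: str) -> dict:
    """Constructed scenario: max 2 secure MACs, then a third device shows up on the port."""
    port = SecurePort(maximum=2, violation=mode, sticky=True)
    port.add_static("0001.0002.0003")              # constructed MAC, manually secured
    learn = port.receive("0001.0002.0004")         # second MAC: learned (sticky)
    third = port.receive("0001.0002.0005")         # third MAC: violation
    known = port.receive("0001.0002.0004")         # a known MAC after the violation
    return {"learn": learn, "violation": third, "known_after": known,
            "status": port.status, "count": port.violations,
            "syslog": len(port.syslog), "config": port.running_config()}


if __name__ == "__main__":
    for mode in ("shutdown", "restrict", "protect"):
        print(mode, violation_demo(mode))
```

Running the three modes side by side shows why protect is the least secure: the extra device is dropped but nothing is counted or logged, so nobody is told that an unexpected MAC appeared on the port.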
UNIT 2 Implementing Ethernet LAN: Switch Security
Implement Port Security
Verify Port Security
After configuring port security on a switch, check each interface to verify that the port
security is set correctly, and check to ensure that the static MAC addresses have been
configured correctly.

To display port security settings for the switch, use the show port-security command.
• The example indicates that all 24
interfaces are configured with
the switchport port-security command
because the maximum allowed is 1 and
the violation mode is shutdown.
• No devices are connected, therefore, the
CurrentAddr (Count) is 0 for each
interface.
UNIT 2 Implementing Ethernet LAN: Switch Security
Implement Port Security
Verify Port Security (Cont.)
Use the show port-security interface command to view details for a specific interface, as shown previously and in this example.
UNIT 2 Implementing Ethernet LAN: Switch Security
Implement Port Security
Verify Port Security (Cont.)
To verify that MAC addresses are “sticking” to the configuration, use the show run command as shown in the example for FastEthernet 0/19.
UNIT 2 Implementing Ethernet LAN: Switch Security
Implement Port Security
Verify Port Security (Cont.)
To display all secure MAC addresses that are manually configured or dynamically learned on all switch interfaces, use the show port-security address command as shown in the example.
UNIT 2 Implementing Ethernet LAN: Activities

Activities/task: Configuring Switch Security Features

1. Refer to the following network topology and addressing table, and complete the exercises listed under Part 1 to Part 4.
UNIT 2 Implementing Ethernet LAN: Activities
Activities
Part 1: Set Up the Topology and Initialize Devices
Part 2: Configure Basic Device Settings and Verify Connectivity
Part 3: Configure and Verify SSH Access on S1
• Configure SSH access.
• Modify SSH parameters.
• Verify the SSH configuration.
Part 4: Configure and Verify Security Features on S1
• Configure and verify general security features.
• Configure and verify port security.
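Parts 3 and 4 above ask you to verify SSH access and the port security settings. As an added example (not part of the training material and not a Cisco tool), the script below audits a saved running-config for the three things the preceding slides recommend: management lines that accept only SSH, unused ports shut down, and port security on every access port, plus a warning for ports left in the default dynamic auto mode, where the switchport port-security command is rejected. The config text, host name and interface names are constructed for this example; the keywords it matches (line vty, transport input, interface, switchport mode, switchport port-security, shutdown) are standard IOS syntax.

```python
# Constructed running-config excerpt (hostname and interfaces are made up).
SAMPLE_RUNNING_CONFIG = """\
hostname S1
!
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security mac-address sticky
!
interface FastEthernet0/2
 switchport mode access
!
interface FastEthernet0/3
 shutdown
!
interface FastEthernet0/4
 description PC-4
!
interface FastEthernet0/24
 switchport mode trunk
!
line vty 0 4
 transport input telnet ssh
 login local
!
line vty 5 15
 transport input ssh
 login local
!
"""


def parse_blocks(config: str) -> list:
    """Split an IOS config into (header, [indented sub-lines]) blocks; '!' ends a block."""
    blocks = []
    header, body = None, []
    for raw in config.splitlines():
        if raw.startswith(" ") and header is not None:
            body.append(raw.strip())          # indented line belongs to the open block
            continue
        if header is not None:
            blocks.append((header, body))
        line = raw.strip()
        header, body = (None, []) if line in ("", "!") else (line, [])
    if header is not None:
        blocks.append((header, body))
    return blocks


def audit(config: str) -> list:
    """Return (object, finding) pairs; an empty list means every check passed."""
    findings = []
    for header, body in parse_blocks(config):
        if header.startswith("interface "):
            name = header.split(" ", 1)[1]
            if "shutdown" in body:
                continue                      # unused port disabled, as the slides advise
            mode = next((line.split()[-1] for line in body
                         if line.startswith("switchport mode ")), None)
            if mode is None:
                findings.append((name, "active port left in default dynamic auto mode; "
                                       "port security cannot be enabled on it"))
            elif mode == "access" and "switchport port-security" not in body:
                findings.append((name, "access port without switchport port-security"))
        elif header.startswith("line vty"):
            transports = [line.split()[2:] for line in body
                          if line.startswith("transport input ")]
            if not transports:
                findings.append((header, "no explicit 'transport input ssh'"))
            elif any(set(t) != {"ssh"} for t in transports):
                findings.append((header, "management access allows "
                                 f"{' '.join(transports[0])}; should be ssh only"))
    return findings


if __name__ == "__main__":
    for obj, problem in audit(SAMPLE_RUNNING_CONFIG):
        print(f"{obj}: {problem}")
```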

UNIT 2 Implementing Ethernet LAN:VLAN

Discussion Questions
• What is a management VLAN, and why is it important?
• Can devices in different VLANs communicate directly? Why or why not?
• How do VLANs enhance security by isolating traffic?
• What protocol is used to maintain VLAN information across multiple switches?
UNIT 2 Implementing Ethernet LAN:VLAN

Virtual LANs
VLAN Definitions
VLANs are logical connections with other similar devices.
Placing devices into various VLANs has the following characteristics:
• Provides segmentation of the various groups of devices on the same switches
• Provides organization that is more manageable
• Broadcasts, multicasts and unicasts are isolated in the individual VLAN
• Each VLAN will have its own unique range of IP addressing
• Smaller broadcast domains
UNIT 2 Implementing Ethernet LAN:VLAN

Overview of VLANs
Benefits of a VLAN Design

Benefits of using VLANs are as follows:

Benefit | Description
Smaller Broadcast Domains | Dividing the LAN reduces the number of broadcast domains
Improved Security | Only users in the same VLAN can communicate together
Improved IT Efficiency | VLANs can group devices with similar requirements, e.g. faculty vs. students
Reduced Cost | One switch can support multiple groups or VLANs
Better Performance | Small broadcast domains reduce traffic, improving bandwidth
Simpler Management | Similar groups will need similar applications and other network resources
UNIT 2 Implementing Ethernet LAN:VLAN
Overview of VLANs
Types of VLANs
Default VLAN
VLAN 1 is the following:
• The default VLAN
• The default Native VLAN
• The default Management VLAN
• Cannot be deleted or renamed
Note: While VLAN 1 cannot be deleted, Cisco recommends assigning these default roles to other VLANs.
UNIT 2 Implementing Ethernet LAN:VLAN
Overview of VLANs
Types of VLANs (Cont.)
Data VLAN
• Dedicated to user-generated traffic (email and web traffic).

• VLAN 1 is the default data VLAN because all interfaces are assigned to this VLAN.

Native VLAN
• This is used for trunk links only.

• All frames are tagged on an 802.1Q trunk link except for those on the native VLAN.

Management VLAN
• This is used for SSH/Telnet VTY traffic and should not be carried with end user traffic.

• Typically, the VLAN that is the SVI for the Layer 2 switch.
UNIT 2 Implementing Ethernet LAN:VLAN

Overview of VLANs
Types of VLANs (Cont.)
Voice VLAN
• A separate VLAN is required because voice traffic requires:
  • Assured bandwidth
  • High QoS priority
  • Ability to avoid congestion
  • Delay less than 150 ms from source to destination
• The entire network must be designed to support voice.
UNIT 2 Implementing Ethernet LAN:VLAN

VLANs in a Multi-Switched Environment
Defining VLAN Trunks
A trunk is a point-to-point link between two network devices.
Cisco trunk functions:
• Allow more than one VLAN
• Extend the VLAN across the entire network
• By default, supports all VLANs
• Supports 802.1Q trunking
UNIT 2 Implementing Ethernet LAN:VLAN
VLANs in a Multi-Switched Environment
Networks without VLANs
Without VLANs, all devices connected to the switches will receive all unicast, multicast, and
broadcast traffic.

UNIT 2 Implementing Ethernet LAN:VLAN
VLANs in a Multi-Switched Environment
Networks with VLANs
With VLANs, unicast, multicast, and broadcast traffic is confined to a VLAN. Without a Layer
3 device to connect the VLANs, devices in different VLANs cannot communicate.

UNIT 2 Implementing Ethernet LAN:VLAN
VLANs in a Multi-Switched Environment
Native VLANs and 802.1Q Tagging
802.1Q trunk basics:
• Tagging is typically done on all VLANs.
• The use of a native VLAN was designed for legacy use, like the hub in the example.
• Unless changed, VLAN 1 is the native VLAN.
• Both ends of a trunk link must be configured with the same native VLAN.
• Each trunk is configured separately, so it is possible to have different native VLANs on separate trunks.
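The slide above states that both ends of a trunk must use the same native VLAN. The following added example (not from the slides or from Cisco) builds and parses 802.1Q tagged frames and models one end of a trunk, so you can see what actually happens to an untagged frame when the two ends disagree. MAC addresses, VLAN numbers and the payload are constructed; the tag layout (TPID 0x8100 followed by a 16-bit TCI whose low 12 bits are the VLAN ID) is the standard one.

```python
import struct

TPID_8021Q = 0x8100        # EtherType value that announces an 802.1Q tag


def mac_bytes(mac: str) -> bytes:
    """'0001.0002.0003' (Cisco notation) or 'aa:bb:...' -> 6 raw bytes."""
    return bytes.fromhex(mac.replace(".", "").replace(":", ""))


def build_frame(dst: str, src: str, ethertype: int, payload: bytes) -> bytes:
    """Plain (untagged) Ethernet frame: dst MAC, src MAC, EtherType, payload."""
    return mac_bytes(dst) + mac_bytes(src) + struct.pack("!H", ethertype) + payload


def add_tag(frame: bytes, vlan_id: int, pcp: int = 0) -> bytes:
    """Insert the 4-byte 802.1Q tag (TPID + TCI) right after the source MAC."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID out of range")
    tci = ((pcp & 0x7) << 13) | (vlan_id & 0x0FFF)
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def read_tag(frame: bytes):
    """Return (vlan_id, untagged_frame); vlan_id is None if the frame carries no tag."""
    (etype,) = struct.unpack("!H", frame[12:14])
    if etype != TPID_8021Q:
        return None, frame
    (tci,) = struct.unpack("!H", frame[14:16])
    return tci & 0x0FFF, frame[:12] + frame[16:]


class TrunkPort:
    """One end of an 802.1Q trunk (switchport mode trunk); hypothetical model."""

    def __init__(self, native_vlan: int = 1, allowed=None):
        self.native = native_vlan                   # switchport trunk native vlan <id>
        self.allowed = set(allowed) if allowed else None   # None = all VLANs (the default)

    def egress(self, vlan_id: int, frame: bytes):
        """Frame leaving the trunk: native VLAN goes untagged, everything else tagged."""
        if self.allowed is not None and vlan_id not in self.allowed:
            return None                             # VLAN not allowed on this trunk
        return frame if vlan_id == self.native else add_tag(frame, vlan_id)

    def ingress(self, wire_frame: bytes):
        """Frame arriving on the trunk: an untagged frame is placed in the native VLAN."""
        vlan_id, frame = read_tag(wire_frame)
        if vlan_id is None:
            vlan_id = self.native
        if self.allowed is not None and vlan_id not in self.allowed:
            return None
        return vlan_id, frame


def trunk_walk(vlan_id: int, s1_native: int, s2_native: int):
    """Send one constructed frame from VLAN vlan_id on S1 to S2; return the VLAN S2 files it in."""
    frame = build_frame("0001.0002.0003", "0001.0002.0004", 0x0800, b"constructed-payload")
    allowed = [1, 10, 20, 30, 99]                   # the allowed list used later in the slides
    s1 = TrunkPort(native_vlan=s1_native, allowed=allowed)
    s2 = TrunkPort(native_vlan=s2_native, allowed=allowed)
    on_wire = s1.egress(vlan_id, frame)
    if on_wire is None:
        return None
    received = s2.ingress(on_wire)
    return None if received is None else received[0]


if __name__ == "__main__":
    print("matching native 99:", trunk_walk(99, 99, 99))
    print("S1 native 99, S2 native 1:", trunk_walk(99, 99, 1))
```

With the natives mismatched, the frame sent in VLAN 99 arrives untagged and S2 files it in VLAN 1, so the two switches silently disagree about which VLAN the traffic belongs to; checking the native VLAN on both ends of every trunk (sh int fa0/1 switchport) is the verification step.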
UNIT 2 Implementing Ethernet LAN:VLAN

VLAN Configuration
VLAN Ranges on Catalyst Switches
Catalyst switches 2960 and 3650 support over 4000 VLANs.

Normal Range VLAN 1 – 1005 | Extended Range VLAN 1006 - 4095
Used in small to medium sized businesses | Used by service providers
1002 – 1005 are reserved for legacy VLANs | Are in running-config
1, 1002 – 1005 are auto created and cannot be deleted | Supports fewer VLAN features
Stored in the [Link] file in flash | Requires VTP configurations
VTP can synchronize between switches |
UNIT 2 Implementing Ethernet LAN:VLAN

VLAN Configuration
VLAN Creation Commands
VLAN details are stored in the [Link] file. You create VLANs in the global configuration mode.

Task | IOS Command
Enter global configuration mode. | Switch# configure terminal
Create a VLAN with a valid ID number. | Switch(config)# vlan vlan-id
Specify a unique name to identify the VLAN. | Switch(config-vlan)# name vlan-name
Return to the privileged EXEC mode. | Switch(config-vlan)# end
UNIT 2 Implementing Ethernet LAN:VLAN

VLAN Configuration
VLAN Creation Example
• If the Student PC is going to be in VLAN 20, we will create the VLAN first and then name it.
• If you do not name it, the Cisco IOS will give it a default name of vlan and the four digit number of the VLAN, e.g. vlan0020 for VLAN 20.

Prompt | Command
S1# | configure terminal
S1(config)# | vlan 20
S1(config-vlan)# | name student
S1(config-vlan)# | end
UNIT 2 Implementing Ethernet LAN:VLAN

VLAN Configuration
VLAN Port Assignment Commands
Once the VLAN is created, we can then assign it to the correct interfaces.

Task Command
Enter global configuration mode. Switch# configure terminal

Enter interface configuration mode. Switch(config)# interface interface-id

Set the port to access mode. Switch(config-if)# switchport mode access

Assign the port to a VLAN. Switch(config-if)# switchport access vlan vlan-id

Return to the privileged EXEC mode. Switch(config-if)# end

UNIT 2 Implementing Ethernet LAN:VLAN

VLAN Configuration
VLAN Port Assignment Example
We can assign the VLAN to the port interface.
• Once the device is assigned the VLAN, then the end device will need the IP address information for that VLAN.
• Here, Student PC receives [Link].

Prompt | Command
S1# | configure terminal
S1(config)# | interface fa0/18
S1(config-if)# | switchport mode access
S1(config-if)# | switchport access vlan 20
S1(config-if)# | end
UNIT 2 Implementing Ethernet LAN:VLAN

VLAN Configuration
Data and Voice VLANs
An access port may only be assigned to one data VLAN. However, it may also be assigned to one Voice VLAN for when a phone and an end device are off of the same switchport.
UNIT 2 Implementing Ethernet LAN:VLAN
VLAN Configuration
Data and Voice VLAN Example
• We will want to create and name both Voice and Data VLANs.
• In addition to assigning the data VLAN, we will also assign the Voice VLAN and turn on QoS for the voice traffic to the interface.
• The newer Catalyst switch will automatically create the VLAN, if it does not already exist, when it is assigned to an interface.
Note: QoS is beyond the scope of this course. Here we do show the use of the mls qos trust [cos | device cisco-phone | dscp | ip-precedence] command.
UNIT 2 Implementing Ethernet LAN:VLAN
VLAN Configuration
Verify VLAN Information
Use the show vlan command. The complete syntax is:
show vlan [brief | id vlan-id | name vlan-name | summary]

Task | Command Option
Display VLAN name, status, and its ports, one VLAN per line. | brief
Display information about the identified VLAN ID number. | id vlan-id
Display information about the identified VLAN name. The vlan-name is an ASCII string from 1 to 32 characters. | name vlan-name
Display VLAN summary information. | summary
UNIT 2 Implementing Ethernet LAN:VLAN

VLAN Configuration
Change VLAN Port Membership
There are a number of ways to change VLAN
membership:
• re-enter switchport access vlan vlan-id
command
• use the no switchport access vlan to
place interface back in VLAN 1
Use the show vlan brief or the show
interface fa0/18 switchport commands to
verify the correct VLAN association.

UNIT 2 Implementing Ethernet LAN:VLAN

VLAN Configuration
Delete VLANs
Delete VLANs with the no vlan vlan-id command.
Caution: Before deleting a VLAN, reassign all member ports to a different VLAN.
• Delete all VLANs with the delete flash:[Link] or delete [Link] commands.

• Reload the switch when deleting all VLANs.

Note: To restore to factory default – unplug all data cables, erase the startup-configuration
and delete the [Link] file, then reload the device.

UNIT 2 Implementing Ethernet LAN:VLAN
VLAN Trunks
Trunk Configuration Commands
Configure and verify VLAN trunks. Trunks are layer 2 and carry traffic for all VLANs.

Task | IOS Command
Enter global configuration mode. | Switch# configure terminal
Enter interface configuration mode. | Switch(config)# interface interface-id
Set the port to permanent trunking mode. | Switch(config-if)# switchport mode trunk
Set the native VLAN to something other than VLAN 1. | Switch(config-if)# switchport trunk native vlan vlan-id
Specify the list of VLANs to be allowed on the trunk link. | Switch(config-if)# switchport trunk allowed vlan vlan-list
Return to the privileged EXEC mode. | Switch(config-if)# end
UNIT 2 Implementing Ethernet LAN:VLAN
VLAN Trunks
Trunk Configuration Example
The subnets associated with each VLAN are:
• VLAN 10 - Faculty/Staff - [Link]/24
• VLAN 20 - Students - [Link]/24
• VLAN 30 - Guests - [Link]/24
• VLAN 99 - Native - [Link]/24

The F0/1 port on S1 is configured as a trunk port.
Note: This assumes a 2960 switch using 802.1q tagging. Layer 3 switches require the encapsulation to be configured before the trunk mode.

Prompt | Command
S1(config)# | interface fa0/1
S1(config-if)# | switchport mode trunk
S1(config-if)# | switchport trunk native vlan 99
S1(config-if)# | switchport trunk allowed vlan 10,20,30,99
S1(config-if)# | end
UNIT 2 Implementing Ethernet LAN:VLAN

VLAN Trunks
Verify Trunk Configuration
Set the trunk mode and native VLAN.
Notice in the sh int fa0/1 switchport command output that the port:
• Is set to trunk administratively
• Is set as trunk operationally (functioning)
• Encapsulation is dot1q
• Native VLAN set to VLAN 99
• All VLANs created on the switch will pass traffic on this trunk
UNIT 2 Implementing Ethernet LAN:VLAN
VLAN Trunks
Reset the Trunk to the Default State
• Reset the default trunk settings with
the no command.
• All VLANs allowed to pass traffic
• Native VLAN = VLAN 1
• Verify the default settings with a
sh int fa0/1 switchport command.

UNIT 2 Implementing Ethernet LAN:VLAN
VLAN Trunks
Reset the Trunk to the Default State (Cont.)
Reset the trunk to an access mode with the switchport mode access command:
• Is set to an access interface administratively
• Is set as an access interface operationally (functioning)
UNIT 2 Implementing Ethernet LAN: Activities

Activities/task: Configuring VLANs and Trunking

Refer to the following network topology and addressing table, and configure VLANs and trunking.

Activities

Part 1: Build the Network and Configure Basic Device Settings
Part 2: Create VLANs and Assign Switch Ports
Part 3: Maintain VLAN Port Assignments and the VLAN Database
Part 4: Configure an 802.1Q Trunk between the Switches
Part 5: Delete the VLAN Database
UNIT 2 Implementing Ethernet LAN: Wireless LANs

Discussion Questions
• What is the difference between a wireless access point (AP) and a wireless router?
• What are the different IEEE 802.11 standards (e.g., 802.11a/b/g/n/ac/ax)?
• How can you prevent unauthorized users from connecting to your WLAN?
UNIT 2 Implementing Ethernet LAN: Wireless LANs

WLAN Components
Benefits of Wireless
• Increased flexibility
• Increased productivity
• Reduced costs
• Ability to grow and adapt to changing requirements
UNIT 2 Implementing Ethernet LAN: Wireless LANs
Components of WLANs
Wireless NICs
Wireless deployment requires:
• End devices with wireless NICs
• Infrastructure device, such as a wireless router or wireless AP
UNIT 2 Implementing Ethernet LAN: Wireless LANs
Components of WLANs
Wireless Home Router
A home user typically interconnects wireless devices using a small, integrated wireless router.
These serve as:
• access point
• Ethernet switch
• router
UNIT 2 Implementing Ethernet LAN: Wireless LANs
Components of WLANs
Business Wireless Solutions (figure)

UNIT 2 Implementing Ethernet LAN: Wireless LANs
Components of WLANs
Wireless Access Points (figure)

UNIT 2 Implementing Ethernet LAN: Wireless LANs
Wireless Operation
Wireless Clients and Access Point Association (figure)
UNIT 2 Implementing Ethernet LAN: Wireless LANs
Wireless Operation
Association Parameters
• SSID – Unique identifier that wireless clients use to distinguish between multiple wireless networks in the same vicinity.
• Password – Required from the wireless client to authenticate to the AP. Sometimes called the security key.
• Network mode – Refers to the 802.11a/b/g/n/ac/ad WLAN standards. APs and wireless routers can operate in a mixed mode; i.e., they can simultaneously use multiple standards.
• Security mode – Refers to the security parameter settings, such as WEP, WPA, or WPA2.
• Channel settings – Refers to the frequency bands used to transmit wireless data. Wireless routers and APs can choose the channel setting, or it can be manually set.
UNIT 2 Implementing Ethernet LAN: Wireless LANs
Configure a Wireless Router
Configuring a Wireless Router
An Implementation Plan consists of the following steps:

Step 1. Start the WLAN implementation process with a single AP and a single wireless client, without enabling wireless security.
Step 2. Verify that the client has received a DHCP IP address and can ping the local, wired default router, and then browse to the external Internet.
Step 3. Configure wireless security using WPA2/WPA Mixed Personal. Never use WEP unless no other options exist.
Step 4. Back up the configuration.
UNIT 2 Implementing Ethernet LAN: Wireless LANs
Configure a Wireless Router
Set Up and Install the Linksys EA6500 (figure)

UNIT 2 Implementing Ethernet LAN: Wireless LANs
Configure a Wireless Router
Configuring a Linksys Smart Wi-Fi Homepage (figure)
UNIT 2 Implementing Ethernet LAN: Wireless LANs
Configure a Wireless Router
Backing Up a Configuration
To back up the configuration with the Linksys EA6500 wireless router, perform the
following steps:
Step 1. Log in to the Smart Wi-Fi Home page. Click the Troubleshooting icon to
display the Troubleshooting Status window.
Step 2. Click the Diagnostic tab to open the Diagnostic Troubleshooting window.
Step 3. Under the Router configuration title, click Backup and save the file to an
appropriate folder.

UNIT 2 Implementing Ethernet LAN: Wireless LANs
Configuring Wireless Clients
Connecting Wireless Clients
• After the AP or wireless router has been configured, the wireless NIC on the client must be altered to allow it to connect to the WLAN.
• The user should verify that the client has successfully connected to the correct wireless network, because there may be many WLANs available with which to connect.