Cisco CCIE Security 350-701 Topic: L2-Security Advanced Part 1
December 16, 2022

1. MAC Flooding Attack – Port Security

Now, in this video, I’ll introduce you to one type of attack that can occur in the LAN. We call it the “MAC flooding” attack. We’ll try to figure out how MAC flooding works, and then we’ll look at the solution, which is port security, and at how port security prevents the attack. So, first, let’s define a MAC flooding attack. A MAC flooding attack is a method in which an attacker sends frames with a very large number of bogus source MAC addresses so that the switch’s MAC table fills up with them. Let’s try to understand how it generally works. Take an example: I have a switch in the LAN, all of the users are connected to it, and there is also an attacker sitting here.

So, let’s say the attacker is in the LAN and is also one of my internal users, okay? Now, if you remember from the basic switching concepts, switches are more intelligent than hubs because they maintain a table, called the CAM table or MAC address table, that records which MAC address has been seen on which port. When the switch boots, the table is empty. For every frame it receives, the switch records the source MAC address against the port the frame arrived on. It then looks up the destination MAC address: if there is an entry, it forwards the frame out of that single port as a unicast; if there is no entry, it floods the frame out of every other port in the VLAN. So if a user connected here (MAC address AA) tries to communicate with 192.168.1.4 over there (MAC address, let’s say, AD), the first frame is flooded, and once AD has been learned the following frames are unicast. That is the default behaviour of every switch.

So the switch forwards a frame based on whatever is in the MAC table. Now, what an attacker sitting in the LAN can do is flood the switch with countless bogus source MAC addresses. This can be done with basic tools; macof from the dsniff suite is the classic example. Let’s say the attacker is on port 10, and every frame he sends carries a different source MAC address: XX, XY, XZ and so on. Whenever the switch receives a frame with a source MAC address that is not yet in the MAC table, it adds an entry for it. The attacker sends thousands of them, so the MAC table fills with bogus addresses, and once the table is full, the switch cannot learn any new addresses at all.

Now the valid users suffer. Dynamic entries age out after a period of inactivity (300 seconds by default), and because the attacker keeps the table full, the addresses of legitimate hosts cannot be relearned once they have aged out. In this scenario, if valid user 1 (MAC address AA) wants to communicate with user 4 (MAC address AD), the frame reaches the switch, the switch looks in the CAM table, finds no entry for the destination MAC address, and floods the frame to the whole network. Every time a valid user wants to communicate with any other user in the LAN, the traffic is flooded. This is what we call the MAC table overflow attack or MAC flooding attack: the attacker fills the CAM table with bogus addresses, the valid users never get entries, and their traffic is handled by flooding. A switch normally forwards as unicast, but now it behaves like a hub, where every frame from a valid user is sent out of all ports automatically, including the attacker’s port, so the attacker can capture traffic that was never meant for him.

Here’s a summary of the MAC flooding attacker’s strategy: flood the CAM table with a huge number of bogus source MAC addresses so that the valid hosts cannot keep entries in the MAC table. In simple terms, there are no entries for the valid MAC addresses, so whenever a valid user talks to another valid user in the LAN, normal traffic floods out of all the ports because there are no CAM entries for the valid users. Now, how do we overcome this MAC flooding attack? We enable a feature on the switch known as port security. With port security, we restrict a particular port and limit the number of MAC addresses it is allowed to learn. Let’s say I limit the port to a maximum of three MAC addresses. If a frame arrives with source MAC address AA, that may be a valid user, and it is accepted. If another frame arrives with MAC address AB, it is accepted too.

A frame with MAC address AC is accepted as well, because the maximum we defined is three. So a maximum of three MAC addresses can be learned on that particular port, and the number can be changed as per our requirement; here we use three. When the switch sees a fourth source MAC address on the port, that is a violation, and with the default violation action the switch puts the port into the error-disabled (err-disabled) state, which behaves much like a shutdown. Nothing on that port can access any resources any more, because the default violation rule is to shut the port down. This is what port security does: it limits the number of MAC addresses that can be learned on a specific port.

If anything violates that rule, that is, if the port learns more than the specified number of MAC addresses, by default the port is simply disabled. Now, to configure port security, we can see the commands here. If you want to implement port security on port number one, or on a range of ports, go to the interface or use an interface range, for example FastEthernet0/1 - 10. The port must be a static access port or a trunk port. Port security does not work if the port is in dynamic desirable or dynamic auto mode (DTP negotiation), and on most switches that is the default, dynamic auto in particular, so the switchport port-security command is rejected until we set the mode explicitly. As a result, we must first ensure that the port in question is an access port or a trunk port. Okay? Then we can define the maximum number of MAC addresses.

Like in my example, I define a maximum of three MAC addresses that can be learned on this particular port. The switchport port-security command enables the feature on that specific port, and the switchport port-security maximum command defines the maximum number of MAC addresses that can be learned on it (the default maximum is one). The last command, switchport port-security violation, is optional, not compulsory: it defines what happens when the limit is exceeded. With a maximum of three, learning a fourth MAC address is the violation. If we don’t configure it, the default is shutdown, which puts the port into the err-disabled state, more or less a shutdown state. A port in that state does not come back by itself: you have to go to the specific interface and issue shutdown followed by no shutdown. Okay? That is the only way to bring the interface back up, unless error-disable recovery is configured.

In fact, you can also use the errdisable recovery options so the switch re-enables the port automatically after a timer, but we generally go with the manual shutdown and no shutdown. Now, there are two other violation options, “protect” and “restrict,” and there is a difference between them and shutdown. When we say shutdown, the switch simply puts the port into the err-disabled state, and that is the default violation rule whenever you implement port security. In some cases we don’t want to put the port into the err-disabled state, we don’t want a shutdown, and then we can use the “restrict” or “protect” option instead. The distinction between them is as follows. In protect mode, let’s say I set the maximum MAC addresses to three.

So whenever the port learns a fourth MAC address, which is a violation of the rule, it does not go into the disabled state. The port stays up, but the switch ignores the MAC addresses beyond the limit: it does not add them to the MAC table and silently drops the frames from the fourth MAC address. From that point on, that host cannot communicate with the LAN resources, while the three valid MAC addresses that were learned first can still access everything. So if a user sends traffic from one of the three learned MAC addresses, it is forwarded, but the fourth or fifth MAC address, whatever is seen beyond those three, cannot access the resources. Now, restrict is very much like protect. The one thing restrict does in addition is generate a log message.

In restrict mode the switch generates a syslog message (and an SNMP trap, if configured) when a violation happens, sends it to any external syslog server you have configured, shows it on the console if console logging is enabled, and increments the security violation counter for the port. Protect mode records nothing. So there is a major difference between protect and restrict. With shutdown, the port is simply err-disabled; with protect and restrict, this is not the case: the interface stays up and the valid MAC addresses can still access the resources. But in protect mode there is no logging at all, whereas in restrict mode the switch logs the violation and counts it. That is the only difference between these two options. Depending on the requirement, we can go with any one of these options, but if you don’t define the violation rule, the default is shutdown.
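The following is the complete port-security configuration for the scenario above, written out as an added example; it is not from the video. The interface names, the maximum of three, the choice of which ports get which violation action and the recovery interval are assumptions for this lab.

```cisco
! Added example, not from the original video.
! Interface names, the maximum of 3 and the 300 s recovery interval are lab assumptions.
configure terminal
!
! Optional: let the switch recover err-disabled ports by itself instead of
! requiring a manual shutdown / no shutdown. 300 s is also the default interval.
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
! Ports Fa0/1-10: default action, a 4th source MAC puts the port in err-disabled.
interface range FastEthernet0/1 - 10
 ! Port security is rejected on dynamic auto / dynamic desirable ports,
 ! so fix the mode first (access or trunk).
 switchport mode access
 ! Enable the feature; the default maximum is 1, so raise it explicitly.
 switchport port-security
 switchport port-security maximum 3
 ! shutdown is the default; shown for clarity.
 switchport port-security violation shutdown
exit
!
! Port Fa0/11: restrict. Frames from the 4th MAC are dropped, the port stays up,
! a syslog/SNMP message is produced and the violation counter increments.
interface FastEthernet0/11
 switchport mode access
 switchport port-security
 switchport port-security maximum 3
 switchport port-security violation restrict
exit
!
! Port Fa0/12: protect. Same drop behaviour as restrict, but completely silent:
! no log message and no violation counter.
interface FastEthernet0/12
 switchport mode access
 switchport port-security
 switchport port-security maximum 3
 switchport port-security violation protect
end
!
! Verification
show port-security
show port-security interface FastEthernet0/1
show errdisable recovery
!
! Manual recovery of an err-disabled port (needed when errdisable recovery is not configured)
configure terminal
interface FastEthernet0/1
 shutdown
 no shutdown
end
```

Protect mode is the one to avoid in a monitored network: the attack is stopped on that port, but nothing tells you it happened. Restrict gives the same protection plus a log line and a counter you can alert on, and shutdown is the right default where an unexpected extra MAC address should never be tolerated on an access port.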

2. MAC Spoofing Attack – Port Security

In this video, we’ll talk about what a MAC address spoofing attack is, how it generally happens, and how the port security feature can be used to prevent this kind of attack. Normally, when a user sends a frame, it carries his own source MAC address; in a MAC spoofing attack, the attacker sends frames with a false source MAC address, which can be used to set up a man-in-the-middle attack. So let’s take an example. In my scenario, I have user A, who has MAC address A, and another user, B. These two users are communicating with each other. Whenever they send frames, the switch updates its MAC table: user A is connected on port number one and user B on port number two, so we get entries for MAC address A on port one and MAC address B on port two.

Now there’s an attacker in the LAN, connected on port number ten, and he is going to provide incorrect information. In this scenario the normal communication goes from A to B, with source MAC address A and destination MAC address B. The attacker’s real MAC address is X, but he pretends to be B by sending frames with source MAC address B. The switch learns the source address as usual and updates the MAC table: the entry for B moves from port number two to port number ten. So the traffic that was supposed to go directly from port one to port two is now delivered to the attacker, who can read it and then forward it on to the real B, pretending to be A. Spoofing B towards A and A towards B in turn, the attacker places himself between the two hosts. One caveat: as soon as the real B sends a frame, the switch learns B back on port two, so the entry flaps between the two ports and the attacker has to keep sending spoofed frames to stay in the path.

So the traffic that is supposed to flow directly between users A and B no longer does; it goes to the attacker, who then relays it to B. We call this a man-in-the-middle attack: the attacker can see and extract all the communication between the two devices. This is known as a “MAC spoofing attack” or “MAC address spoofing attack,” in which an attacker provides false MAC address information and pretends to be someone else in the network. He can find the valid MAC addresses with a packet capture tool and then impersonate one of them. Now, how can we overcome this kind of attack? Again with port security, the same feature we discussed previously. In port security, I can bind MAC addresses to specific ports.

We bind a MAC address to a port number. So let’s take an example with the correct entries for ports 1 to 3. If traffic is received on a port from the MAC address that is bound to that port, the switch accepts it. But take port number 4, where the bound MAC address is, in my scenario, BB.BB.BB. If that port receives a frame from any other MAC address that is not part of the binding, the switch simply drops that traffic. So on top of the maximum count, port security lets us bind MAC addresses to specific port numbers: the port only accepts traffic from the MAC addresses bound to it. In this way we prevent the MAC spoofing attack, because a frame with an unauthorised source MAC address that is not part of the binding is simply dropped, and a secure MAC address that is bound to one secure port and then shows up on another secure port counts as a violation as well. For this to work, the ports of the hosts you want to protect must all be secured. To make this possible, we use the same port security configuration we discussed.

Let’s say we define a maximum of two MAC addresses. We can then do manual (static) binding: on port number one, I define that only the MAC addresses AA and AB should be learned. I set the maximum to two, so two different MAC addresses are allowed on port number one, and if the port sees any other MAC address, let’s say XY, the switch does not accept the traffic and applies the violation rule; with the default, shutdown, it simply disables the port. Alternatively, we can use dynamic binding with the “sticky” option, which does the binding automatically. So let’s say I define the maximum MAC addresses as two again.

By default, there are no secure entries on port number one. Plain dynamic MAC table entries age out and are lost on a reload, but with sticky learning, the first MAC address the port sees, say AB, is converted into a static secure entry and written into the running configuration as if I had typed it; the next one, AC, is bound to port number one the same way. So every time a new MAC address is learned on that port, it is automatically bound to port number one, up to the maximum of two, and a third MAC address triggers the default violation. We don’t need to type switchport port-security mac-address followed by each address by hand; if we did it manually we would need to know the MAC addresses and enter AB and AC on two separate lines. Instead, sticky does the binding automatically (remember to save the configuration, otherwise the sticky entries are lost on reload). So port security prevents the MAC address spoofing attack, where an attacker spoofs another host’s MAC address, by pinning the MAC addresses to their ports.
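Both binding methods from this section, static and sticky, side by side as an added example (not the video’s own configuration). The MAC addresses and interface names are made up for illustration.

```cisco
! Added example, not from the original video.
! MAC addresses and interface names below are illustrative assumptions.
configure terminal
!
! Option A: static binding. Only these two MACs are ever accepted on Fa0/1;
! a frame from any other source MAC (or one of these MACs showing up on
! another secure port) is a violation.
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security mac-address 0000.1111.aaaa
 switchport port-security mac-address 0000.1111.aabb
 switchport port-security violation shutdown
exit
!
! Option B: sticky learning. The first two source MACs seen on Fa0/2 are
! converted to static secure entries and written into the running config.
interface FastEthernet0/2
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security mac-address sticky
 switchport port-security violation shutdown
end
!
! After two hosts have sent traffic through Fa0/2, "show running-config"
! shows the learned bindings as ordinary config lines, e.g. (illustrative):
!   switchport port-security mac-address sticky 0000.2222.aaaa
!   switchport port-security mac-address sticky 0000.2222.aabb
show port-security address
show mac address-table interface FastEthernet0/2
!
! Sticky entries survive a reload only if the configuration is saved.
copy running-config startup-config
!
! When a host on Fa0/2 is replaced, forget the old sticky bindings so the
! new host's MAC can be learned instead of triggering a violation.
clear port-security sticky interface FastEthernet0/2
```

Sticky only binds what it sees first. Enable it on a port while an attacker (or an unmanaged mini-switch) is already attached and the wrong MAC address gets pinned, so turn it on with the legitimate host connected and check show port-security address before trusting the bindings.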

3. Port Security – Configuration

Now in this video, we’ll verify the port security feature. We’ll configure a switch with port security, connect multiple devices to it, and verify the behaviour in the lab. So first, let me give a basic idea of what we are going to do. My topology is the one shown in the diagram: I have my switch, port number one connects to a computer with IP address 192.168.1.1, and port number two connects to 192.168.1.2. We are going to limit port number one with port security to two MAC addresses.

With a maximum of two, port one will learn the MAC address of PC1 first. Later on, I’ll disconnect PC1 and connect another PC, 192.168.1.3, to the same port, so the two MAC addresses learned are those of PC1 and PC3. I’ll leave the violation rule at the default, shutdown. So the MAC addresses of PC1 and PC3 are learned, and if the port learns a third MAC address, it simply goes into the error-disabled state. That is what we are going to verify. The first thing I’m going to do is go to the switch command line and configure the port security options.

If you remember the port security commands we saw previously, the first command we need is switchport mode access. Remember, port security can be enabled only on static ports, which means the port has to be either an access port or a trunk port; the switchport port-security command is rejected if the port is in dynamic desirable or dynamic auto mode. Then we enable port security, set the maximum MAC addresses to two, and use the sticky option so that whatever MAC addresses are learned on that particular port are bound automatically as static secure entries. So let’s go to the switch and configure the same. I go to interface FastEthernet0/1, configure it as an access port, enable switchport port-security, and then define the maximum number of MAC addresses that can be learned on this particular port.

I define it as two; we could use one, three or whatever number we need, but in my scenario it is two. Then switchport port-security mac-address: we can either define a MAC address manually, or, as I do here, use the “sticky” option, which does automatic binding of whatever MAC address is learned on that specific port. I don’t define the violation rule, because the default violation rule is shutdown anyway. So let’s verify the configuration with show running-config; you can see the configuration there. If you look at the MAC address table with show mac address-table, the table is empty by default. If it is not empty, we can clear the learned entries with clear mac address-table dynamic. Next I’ll generate traffic from PC1 to PC2 for verification. From the 192.168.1.1 PC I ping 192.168.1.2, and you can see that I can generate traffic; the ping succeeds. Let me generate it one more time and verify the MAC table with show mac address-table. You can see PC1’s MAC address on port number one and PC2’s MAC address on port two, learned dynamically. PC1’s entry on port one shows as STATIC, because the sticky option automatically bound that MAC address to the port. And if you check show port-security, you can see the maximum count we defined, two, and that for the time being only one MAC address has been learned.

So what I’m going to do now is remove the connection from port number one and connect another device, PC3, to port number one. One thing I suggest is to enable spanning-tree portfast on the access port whenever you do this kind of test: it bypasses the listening and learning stages and makes the port available for forwarding immediately, otherwise it generally takes some time. Now, if I generate some traffic by pinging from 192.168.1.3 to 192.168.1.2, you can see that I can still communicate. In this scenario I removed PC1 from port number one and connected PC3 instead. If I check the switch with show port-security, I can see the maximum count is two and the currently learned MAC addresses are now two; in the MAC table you can see both entries bound as static, because two different MAC addresses have been learned on the port.

Now if port one learns a third MAC address, because the maximum we defined is two, the switch either ignores the frames or puts the port into the err-disabled state, depending on the violation mode. Let’s try to connect a fourth computer, 192.168.1.4. We connected PC1, then PC3; now I disconnect PC3 and connect PC4 to the same port number one. Now, if you look at show ip interface brief, you can see the interface has changed to down. Furthermore, in show port-security you can see the security violation count is one, meaning a violation has happened once, and the current security action for this port when it violates the rule is shutdown. The port is not administratively shut down; rather, it is in a state close to shutdown, which we call the “error-disabled state.”

You can also use a command called show interfaces status. This command doesn’t work in Packet Tracer here, but on a real switch it shows the status of interface FastEthernet0/1 as err-disabled, and the reason is the security violation. Now what I’ll do is remove PC4 and connect one of the two valid hosts back to this port. You can see the port stays down, even though it is connected to a valid host. The reason is that once a port is err-disabled, we must issue shutdown and then no shutdown to bring it back up. You can see the port coming up again now. If I ping from PC1 to PC2, I can communicate. Similarly, if I disconnect PC1 and reconnect PC3, we can still communicate, because these are the two MAC entries bound to port number one. Traffic from these two MAC addresses is forwarded; traffic from any other MAC address is not.

The port is simply put into the disabled state whenever any device other than these two is connected, because of the dynamic bindings created by the sticky option. Next, let’s go to the interface and change the violation action to protect instead of the default shutdown. In protect mode the switch does not disable the port. In show mac address-table I can already see the two entries bound automatically on port number one. If a third entry were discovered in shutdown mode, the port would go into the err-disabled state; in protect mode the port should stay up and the switch should simply not learn the extra MAC address. Let’s connect PC4 again. If I generate traffic by pinging 192.168.1.2 from PC4, the port is still up, but PC4 is not able to communicate, even if you wait for some time. In show port-security you can see the violation mode is now protect; note that in protect mode the violation counter does not increment, because protect is silent. If you verify with show ip interface brief, the interface is still up.

And if you verify show mac address-table, I can see the two bound entries. A third MAC address is simply not learned, and traffic from any device other than the two bound ones is ignored, so that user cannot communicate if he connects to this port. If I connect one of the two bound PCs back to this port, we can still communicate; let me remove the connection and connect the other one, and it communicates too. So the difference between protect and shutdown is this: in both modes, traffic from the bound MAC addresses is forwarded, but in shutdown mode a third device puts the port into the err-disabled state, whereas in protect mode the port is not shut down and the traffic from the third MAC address is simply dropped. In a similar manner we can switch to restrict mode. Restrict does everything protect does, and the only thing it does extra is log the violation: it generates a syslog message to external servers or the console and increments the violation counter.
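What the verification and recovery steps of this lab look like on an IOS switch, as an added example (not output from the video). The output is constructed for the Fa0/1 / 192.168.1.x topology to show the fields worth reading; MAC addresses and counters are illustrative.

```cisco
! Added example, not from the original video. Output below is constructed
! for illustration; addresses and counters on your switch will differ.
!
! 1. State of the secured port right after PC4 triggered the violation
Switch# show port-security interface FastEthernet0/1
Port Security              : Enabled
Port Status                : Secure-shutdown
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 2
Total MAC Addresses        : 2
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 2
Last Source Address:Vlan   : 0000.4444.aabb:1
Security Violation Count   : 1
! "Secure-shutdown" = err-disabled. "Last Source Address" is the MAC that
! caused it, which is the first thing to chase during an investigation.
!
! 2. Which ports are err-disabled and why (not available in Packet Tracer)
Switch# show interfaces status err-disabled
Port      Name               Status       Reason               Err-disabled Vlans
Fa0/1                        err-disabled psecure-violation
!
! 3. Bring the port back (or wait for errdisable recovery if it is configured)
Switch# configure terminal
Switch(config)# interface FastEthernet0/1
Switch(config-if)# shutdown
Switch(config-if)# no shutdown
!
! 4. Change the action to protect and repeat the PC4 test
Switch(config-if)# switchport port-security violation protect
Switch(config-if)# end
Switch# show port-security interface FastEthernet0/1
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Protect
Maximum MAC Addresses      : 2
Total MAC Addresses        : 2
Sticky MAC Addresses       : 2
Security Violation Count   : 0
! Port stays Secure-up, PC4's frames are dropped, and the counter stays at 0:
! protect gives no evidence that anything happened.
!
! 5. With "violation restrict" instead, the port also stays up and drops the
! frames, but the counter increments and a message like this is logged:
! %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0000.4444.aabb on port FastEthernet0/1.
```

For detection work, forward those PSECURE_VIOLATION messages to your syslog collector; a burst of them on one port is the signature of the MAC flooding attack from the first section, and a single one on a port with sticky bindings usually means either an unauthorised device or a legitimately replaced host whose sticky entry was never cleared.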

4. Spanning Tree Port Fast

Port fast. In this video, we’ll see a feature, a Cisco proprietary enhancement to the spanning tree, to accelerate access port convergence. If you just go back to the basic spanning tree behavior, let’s take an example: I have a switch that is connecting to some of the access ports. Now, whenever I provide a connection on this particular port, by default the port goes through the listening and learning stages. Now, this listening and learning stage is a default behaviour because every port goes through a sparing tree verification where it takes about 30 seconds before it actually transitions into a forwarding state. So once it confirms that there’s no possibility of loops or BPU messages on this particular port, it’s going to put the port into a forwarding state, but after 30 seconds. Now, because of this default behaviour of the spanning tree, let’s take an example of some services that might get affected. Let’s take an example.

I have some DHCP server here, and probably whenever you power on the PC here, it’s connected to a port, and whenever you power on this PC, it’s going to send some broadcast request requesting a DHCP server to assign the IP address. But the switch is not going to forward those particular messages for another 30 seconds. So that means you have a 30-second downtime by default on each and every access port. And because of that downtime, there might be cases where some of the services, like DSCP service requests, may not reach the DSCP servers, and that is something we really don’t want.

Now let’s verify the default behavior. I’m going to connect this PC to port number one, and if I go to the command line and verify the default behaviour of the spanning tree here, you can see the port number one that I connected to if I just show spanning tree .The end host is going through some listening state, and after some time, you’ll see the port go into the learning stage before it actually transitions into forwarding. I see the port number is now up to date. Now it turns green. Now the port transitions into forwarding. That is the default behavior. Now we actually don’t want this behavior. What we can do now is make some changes to the default spanning tree behaviour so that we can disable spanning tree on these specific access ports. So in fact, we are not disabling spanning trees. We can say we are going to enable the podcast feature, which will allow the particular access points to transition into forwarding immediately without listening or learning, bypassing the listening and learning stages. So that means once you enable Port Fast, this particular port will not go through the listening and learning stages.

So there are no more listening and learning stages, and that transitions immediately into doing. So when you enable portfast, it means automatically that you are disabling the span entry on that particular port, and you need to be very careful because if you do this on the port that is connecting to a switch, a hub, or any other device where there is a possibility of loops, So, keep in mind that you should not enable the port fast on the ports that connect to the switcheson hubs because this can cause temporary loops. So portfast has to be enabled on the port that is connecting to a single end station, and if you enable portfast on a port that is connecting to another networking device, it can cause temporary loops. As a result, we must ensure that the ports on the links connecting to switches are not enabled. So once you enable portfast, the administrator is going to ensure that these ports are not connecting to any networking devices or the switch or a hub, and we’re saying that these are connecting to the end devices and there’s no possibility of loops. Now, this way, we can save the 30 seconds of initial downtime for access ports.

Now, to enable PortFast on the access ports, we can either go to a specific interface, or use an interface range command if we want to enable it on multiple ports, and give the “spanning-tree portfast” command at the interface level. Or we can enable it globally with the command “spanning-tree portfast default.” If you enable PortFast globally in global configuration mode, every access port is automatically enabled with PortFast. Trunk links will not be configured as PortFast ports, but every access port will automatically become a PortFast port. So either we define a specific interface, or we make every access port a PortFast port. Let’s go to the command line for verification. I’m on switch one, and I’m going to configure an interface range covering ports 1 to 10. I’m assuming that the first ten ports are going to be connected to my end devices, and then I give the command “spanning-tree portfast.” Once you enable it, you can see a warning message saying that PortFast should be enabled only on ports that connect to a single host.

And if any of these ports is connected to hubs, concentrators, switches or other networking devices, it can create temporary loops. It’s just a warning message. Then it says that PortFast has been configured on these ten interfaces, because of the range command we used, and that PortFast will only take effect when the interfaces are in non-trunking mode. Right now these ports are not in trunking mode. Now, for verification, I connect some end devices on port numbers two, three, and four, and I check with “show spanning-tree.” I can now see ports 2, 3, and 4 immediately transitioning into the forwarding state without listening or learning. So this is how we can optimize access ports. PortFast is a Cisco proprietary feature for speeding up convergence on access ports, and it can be enabled either in interface-specific mode or in global configuration mode. Depending on the configuration requirements, you can use either of these configurations, and both have the same effect on the switch.
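The PortFast procedure above, written out as a complete Cisco IOS session. This is an added example, not the lecture’s own lab output; it assumes a switch named SW1 whose FastEthernet0/1 through 0/10 connect only to end hosts, and it uses the classic “spanning-tree portfast” syntax (some newer IOS releases spell it “spanning-tree portfast edge”). The BPDU Guard line is not part of the lecture; it is the usual safeguard for exactly the failure mode described above, err-disabling a PortFast port the moment a BPDU (that is, another switch) shows up on it.

```cisco
! Added example (not from the lecture). Assumes Cisco IOS, switch "SW1",
! and that FastEthernet0/1 - 0/10 face single end stations only.
SW1# configure terminal
! Option A: per-interface, using a range so all ten access ports get it at once
SW1(config)# interface range fastethernet0/1 - 10
SW1(config-if-range)# switchport mode access
SW1(config-if-range)# spanning-tree portfast
! Not covered in the lecture: if a BPDU ever arrives on one of these ports,
! err-disable it instead of forming a temporary loop.
SW1(config-if-range)# spanning-tree bpduguard enable
SW1(config-if-range)# exit
! Option B: globally, which applies PortFast to every non-trunking port
SW1(config)# spanning-tree portfast default
SW1(config)# end
! Verification: the access ports should show FWD with no LIS/LRN phase,
! and the summary shows whether PortFast default is enabled globally.
SW1# show spanning-tree interface fastethernet0/2
SW1# show spanning-tree summary
```

Either option alone is enough; applying both is harmless but redundant. The important check is the one the lecture’s warning message points at: confirm with “show cdp neighbors” or the physical cabling that none of the ten ports actually lead to another switch or hub before PortFast is turned on.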

5. Native VLAN

Now in this video, we’ll talk about the concept of the “native VLAN”: what a native VLAN is, what best practices we need to follow for the native VLAN, and some of the configuration and verification commands. The native VLAN works like this: if a switch receives a frame on a trunk without any tag, it assumes that the frame belongs to the native VLAN. For instance, I’m connected to a hub here, and then I have some links between switches one and two.

Now, by default, between the switches we run something called 802.1Q or ISL trunking. Let’s say there is traffic coming from VLAN 10; before the switch sends it over the trunk link, it adds a tag, which is the frame-tagging process. This method ensures that the receiving switch understands which frame belongs to which VLAN, allowing it to forward the traffic only out of the ports that belong to that VLAN.

But there are some cases where you may receive a frame without a tag, for example from a hub, because hubs don’t understand tagging or the concept of VLANs. When the switch receives a frame without a tag on a trunk, it assumes that the frame belongs to the native VLAN and simply forwards it out of the ports that belong to the native VLAN, which by default is VLAN 1. That’s the default behavior. Now, the best practice for the native VLAN is that, in most cases, it’s recommended to create a dedicated VLAN to serve as the native VLAN, one that is not otherwise in use.

That’s what is recommended: change the native VLAN from the default to some other VLAN that is not in use and that has no ports associated with it. By default, VLAN 1 is the native VLAN, and it’s not recommended to keep VLAN 1 as the native VLAN. So you should use a VLAN that is not in use and has nothing associated with it. The reason is that there is a kind of attack, the VLAN hopping attack, where a user can try to gain access to other VLANs by taking advantage of the untagged native VLAN; we really don’t want that, so if any such attack comes, the traffic should land in that unused VLAN and get dropped there. That’s what is generally recommended when it comes to the native VLAN.

As previously stated, the native VLAN defaults to VLAN 1, but we can change it, for example to VLAN 999. In that case, we just need to add the command “switchport trunk native vlan 999” on the trunk interface. One thing we need to ensure is that, on Cisco switches, the native VLAN must match on both sides of the trunk. That’s mandatory. If there is a native VLAN mismatch, you will most likely see a console message on the screen that says something like “native VLAN mismatch.”

Now, for verification, we can use the command “show interfaces trunk.” By default, if you don’t change the native VLAN, you will see the default of 1, but here, as we have changed it, you will see VLAN 999. You can also use the command “show interfaces f0/20 switchport,” and you can see the same information there. Now, coming back to the lab verification, I have some switches added here. What I’ll do is connect the two switches, switch one and switch two, then configure some trunks and native VLANs, and attempt to communicate between these two hosts. By default they’ll communicate, but once we create a native VLAN mismatch on that link, they will probably not communicate. That’s what we will verify in this lab.

So I’ll go to the switch one console screen. If you look here on switch one, you’ll see that I have a connection from switch one to switch two on port number 20. The first thing I’m going to do is configure the link between switch one and switch two as a trunk: “switchport trunk encapsulation dot1q” and then “switchport mode trunk.” Then I do the same thing on switch two: interface f0/20, then “switchport trunk encapsulation dot1q,” and then “switchport mode trunk.” Now, to verify the trunk link, we can use the command “show interfaces trunk,” and as you can see, the native VLAN is the default of 1. So, now that we’ve done that, we’re going to verify the communication between these two computers. If I go to one of the PCs here and check the IP configuration, I’m on 192.168.1.1.

And if I try to ping 192.168.1.2, you can see the reply is coming, because the packet goes to switch one, which sends it over the trunk to switch two, and it works fine. These hosts can be in any VLAN: VLAN 10, VLAN 20, or whatever the VLAN is. Now what I’m going to do is create one new VLAN, VLAN 999, and make this VLAN my native VLAN; I don’t have any ports associated with it. So let’s create the VLAN on both switches, or you can configure VTP to synchronise the VLAN information. Then on switch one and switch two I’m going to say “switchport trunk native vlan 999” to change the native VLAN to 999.

Now the native VLAN has been changed, but I only changed it on switch 1, not on switch 2, so I should be seeing some messages. On switch two, you can see that it received a BPDU with an inconsistent native VLAN, a native VLAN mismatch, and if you look at “show spanning-tree,” you can see the port go into an inconsistent state; the main reason is a VLAN mismatch, which is actually a native VLAN mismatch here. If I verify with “show interfaces trunk” on switch one, the link towards switch two has a native VLAN of 999 on switch one while switch two still has a native VLAN of 1. In “show spanning-tree” I can see the port in a blocking state; it is an inconsistent state. Whenever the switch realises that there is a native VLAN mismatch, it puts the port into an inconsistent state and does not forward traffic on it.

That is one confirmation. Even if I try to ping, there won’t be any communication between them. To fix this, you need to have a common native VLAN on both sides. So what I’m going to do on switch two is go to interface f0/20 and change the native VLAN to 999 with “switchport trunk native vlan 999.” Once I change this, I should see the interface come up. If I look at “show spanning-tree,” the port should go through the listening and learning stages, which is typical spanning tree behavior, and once it comes up, I should see communication starting between the devices again. So that’s how we can verify the native VLAN, and we need to keep it in mind when we are doing troubleshooting in the CCIE exam: if two hosts in the same VLAN aren’t pinging each other, one of the reasons could be a native VLAN mismatch, and we can verify with the command “show interfaces trunk.”
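The native VLAN lab above, in its corrected end state, as one complete Cisco IOS configuration for both switches. This is an added example and not the lecture’s own console session; it assumes two switches named SW1 and SW2 joined on FastEthernet0/20, hosts in some data VLAN such as VLAN 10, and the VLAN name NATIVE-UNUSED, which is a label chosen here for clarity. The point it shows beyond the lecture text is the full checklist: the unused VLAN exists on both sides, the native VLAN is set identically on both trunk ends, and no access port is ever placed in it.

```cisco
! Added example (not from the lecture). Assumes Cisco IOS switches SW1 and SW2
! connected on FastEthernet0/20; VLAN 999 is created only to serve as the
! native VLAN and must never be assigned to an access port.
! --- SW1 ---
SW1# configure terminal
SW1(config)# vlan 999
SW1(config-vlan)# name NATIVE-UNUSED
SW1(config-vlan)# exit
SW1(config)# interface fastethernet0/20
SW1(config-if)# switchport trunk encapsulation dot1q
SW1(config-if)# switchport mode trunk
SW1(config-if)# switchport trunk native vlan 999
SW1(config-if)# end
! --- SW2: the native VLAN must be identical on this end, otherwise the port
! --- goes into the inconsistent/blocking state seen in the lab ---
SW2# configure terminal
SW2(config)# vlan 999
SW2(config-vlan)# name NATIVE-UNUSED
SW2(config-vlan)# exit
SW2(config)# interface fastethernet0/20
SW2(config-if)# switchport trunk encapsulation dot1q
SW2(config-if)# switchport mode trunk
SW2(config-if)# switchport trunk native vlan 999
SW2(config-if)# end
! Verification (run on each switch):
! "Native vlan" column should read 999 on both ends of the trunk
SW1# show interfaces trunk
! "Trunking Native Mode VLAN: 999 (NATIVE-UNUSED)" on the trunk port
SW1# show interfaces fastethernet0/20 switchport
! The trunk port should be FWD, not in a type-inconsistent/blocking state
SW1# show spanning-tree
! VLAN 999 should list no ports at all
SW1# show vlan brief
```

If VTP is in use, creating VLAN 999 on the VTP server is enough and the second “vlan 999” block can be omitted, but the “switchport trunk native vlan 999” line is per-interface and still has to be applied on both switches; VTP does not propagate it.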
