Network Access

From Practice Tests Info
Revision as of 20:51, 12 June 2024 by Vijay (created content)

Network Access (20%)

  • Configures and verifies VLANs (Virtual Local Area Networks)
  • Understands and applies concepts of trunking and inter-switch communication (ISL and VTP)
  • Configures and verifies DHCP (Dynamic Host Configuration Protocol)
  • Troubleshoots common switching issues

Configures and verifies VLANs (Virtual Local Area Networks)

Configuring and verifying VLANs is a core skill tested in the CCNA exam. Here's a breakdown of the process:

Creating a VLAN:

  1. Access Switch Mode: The first step is to ensure your switch is in privileged mode (enable mode) for configuration.
  2. VLAN Database Mode (Optional): Some Cisco switches offer a VLAN database mode specifically for VLAN configuration. You can enter this mode using the vlan command.
  3. Create VLAN: Use the vlan <vlan-id> command to create a new VLAN. Here, <vlan-id> is a number between 1 and 4094 (except for some reserved VLANs).
  4. Name the VLAN (Optional): You can assign a descriptive name to the VLAN using the name <name> command within VLAN configuration mode.

Assigning Switch Ports to a VLAN:

  1. Interface Configuration Mode: Use the interface range <interface-range> command to enter interface configuration mode for a specific range of switch ports. You can also use interface <interface-number> for a single port.
  2. Switch Port Mode: By default, switch ports operate in access mode, where they allow traffic only for a single VLAN. Use the switchport mode access command to ensure the port is in access mode.
  3. Assign VLAN: Use the switchport access vlan <vlan-id> command to assign the desired VLAN ID to the switch port. This will restrict traffic on that port to the specified VLAN.

Verifying VLAN Configuration:

  1. Show Commands: Use Cisco IOS commands to verify your VLAN configuration:
    • show vlan brief: This displays a summary of all VLANs, including their ID, name (if assigned), and status.
    • show interfaces switchport: This displays information about switch ports, including the assigned VLAN for access ports.

Additional Considerations:

  • Trunk Ports: If you need to carry multiple VLANs across a single switch link, you'll need to configure trunk ports. Trunk ports operate in a special mode that allows them to handle traffic for multiple VLANs.
  • VLAN Management: You can further manage VLANs by:
    • Restricting traffic flow between VLANs using Access Control Lists (ACLs).
    • Implementing VLAN hopping techniques to allow controlled communication between VLANs.

Here are some resources that can help you practice VLAN configuration:

  • Cisco Packet Tracer: https://www.netacad.com/courses/packet-tracer (Free network simulation tool)
  • Online Tutorials and Labs: Many websites offer tutorials and labs on configuring VLANs on Cisco switches.

By understanding these steps and practicing configuration in a simulated environment, you can gain the skills necessary to configure and verify VLANs for the CCNA exam.

Configuring and Verifying VLANs Spanning Multiple Switches (Normal Range)

This process involves creating VLANs, assigning ports to those VLANs on multiple switches, and optionally, enabling communication between VLANs. Here's a breakdown of the steps for access ports, default VLAN, and inter-VLAN connectivity:

a. Access Ports (Data and Voice):

  1. Create VLANs:
    • Access each switch and enter privileged mode (enable mode).
    • Optionally, enter VLAN database mode (vlan) on some Cisco switches.
    • Create VLANs for data and voice traffic using the vlan <vlan-id> command (e.g., vlan 10 for data, vlan 20 for voice). Use VLAN IDs within the normal range (1-1023).
    • (Optional) Assign descriptive names to the VLANs using the name <name> command within VLAN configuration mode.
  2. Assign Ports to VLANs:
    • On each switch, enter interface configuration mode for the ports you want to use for data and voice traffic using interface range <interface-range> or interface <interface-number>.
    • Ensure the ports are in access mode using switchport mode access.
    • Assign the appropriate VLAN to each port using switchport access vlan <vlan-id> (e.g., switchport access vlan 10 for a data port, switchport access vlan 20 for a voice port).

b. Default VLAN:

The default VLAN (usually VLAN 1) typically carries untagged traffic. You can leave it as is or use it for untagged management access on all switch ports if needed. Avoid assigning user data or voice traffic to the default VLAN for security reasons.

c. Inter-VLAN Connectivity (Optional):

By default, VLANs are isolated, meaning devices in one VLAN cannot communicate with devices in another VLAN. To enable communication between VLANs, you have two main options:

  1. Routing: Configure a router with interfaces on each VLAN. The router will act as a Layer 3 device, routing packets between VLANs based on their IP addresses.
  2. Layer 2 Trunking Protocol (L2TP) (Optional):
    • Configure trunk ports on switches that need to connect VLANs. Trunk ports carry traffic for multiple VLANs encapsulated with VLAN tags.
    • On each switch, configure the trunk ports using interface range <interface-range> or interface <interface-number>.
    • Set the switchport mode to trunk using switchport mode trunk.
    • Define the allowed VLANs on the trunk port using switchport trunk allowed vlan <vlan-id list> (e.g., switchport trunk allowed vlan 10,20; the list is comma-separated with no spaces).

Verification:

  • Use the following commands on each switch to verify your configuration:
    • show vlan brief: Shows a summary of VLANs.
    • show interfaces switchport: Shows switch port information, including the assigned VLAN for access ports.
    • (For trunking) show interface trunk: Displays information about trunk ports.
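As an added example (not part of the original page), the VLAN, access-port and trunk steps of this section and of the single-switch section above, applied on one of two Catalyst switches: VLAN 10 carries data, VLAN 20 carries voice, and the uplink is a trunk limited to those two VLANs. Interface numbers, VLAN IDs and the hostname are assumptions; SW2 receives the same configuration.

```cisco
! SW1 (SW2 is configured identically)
SW1# configure terminal
SW1(config)# vlan 10
SW1(config-vlan)# name DATA
SW1(config-vlan)# vlan 20
SW1(config-vlan)# name VOICE
SW1(config-vlan)# exit
!
! User ports: the PC lands in the access VLAN; an IP phone in front of it
! tags its own frames with the voice VLAN, so one access port serves both
SW1(config)# interface range GigabitEthernet1/0/1 - 8
SW1(config-if-range)# switchport mode access
SW1(config-if-range)# switchport access vlan 10
SW1(config-if-range)# switchport voice vlan 20
SW1(config-if-range)# exit
!
! Uplink to SW2: allow only the VLANs that exist on both switches.
! On platforms that still support ISL (3560/3750 class) add
! "switchport trunk encapsulation dot1q" before "switchport mode trunk".
SW1(config)# interface GigabitEthernet1/0/24
SW1(config-if)# switchport mode trunk
SW1(config-if)# switchport trunk allowed vlan 10,20
SW1(config-if)# end
!
! Verification (constructed output). Trunk ports are not listed in the
! Ports column of "show vlan brief", so Gi1/0/24 is expected to be absent;
! ports with a voice VLAN appear under both VLANs.
SW1# show vlan brief
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi1/0/9, Gi1/0/10, Gi1/0/11, Gi1/0/12
10   DATA                             active    Gi1/0/1, Gi1/0/2, Gi1/0/3, Gi1/0/4
                                                Gi1/0/5, Gi1/0/6, Gi1/0/7, Gi1/0/8
20   VOICE                            active    Gi1/0/1, Gi1/0/2, Gi1/0/3, Gi1/0/4
                                                Gi1/0/5, Gi1/0/6, Gi1/0/7, Gi1/0/8
SW1# show interfaces GigabitEthernet1/0/1 switchport
Name: Gi1/0/1
Switchport: Enabled
Administrative Mode: static access
Operational Mode: static access
...
Access Mode VLAN: 10 (DATA)
...
Voice VLAN: 20 (VOICE)
```

If "Operational Mode" reads "down" the link is not up, and if "Access Mode VLAN" names a VLAN that does not exist in "show vlan brief" the port will not pass traffic until the VLAN is created.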

Additional Notes:

  • Use a consistent naming convention for VLANs and switch ports for easier management.
  • Document your VLAN configuration for future reference.
  • Security considerations: While using separate VLANs improves security by isolating traffic, it's still recommended to implement additional security measures like Access Control Lists (ACLs) to control traffic flow within and between VLANs.

By following these steps and practicing in a simulated environment, you can develop the skills required to configure and verify VLANs spanning multiple switches for the CCNA exam.

Configuring and Verifying Interswitch Connectivity

In this scenario, you'll establish communication between switches using trunk ports, following the 802.1Q standard for VLAN tagging, and potentially configuring a native VLAN for untagged traffic.

a. Trunk Ports:

  1. Identify Switch Ports: Determine the switch ports you'll use to connect the switches together. These ports will be configured as trunk ports.
  2. Interface Configuration Mode: On each switch, enter interface configuration mode for the designated ports using interface range <interface-range> or interface <interface-number>.
  3. Switchport Mode: Set the switchport mode to trunk using the switchport mode trunk command. This enables the port to handle traffic for multiple VLANs.

b. 802.1Q:

802.1Q is a standard that defines how VLAN information is encapsulated within Ethernet frames. When enabled on trunk ports, 802.1Q adds a VLAN tag to each frame, identifying the VLAN it belongs to. This allows multiple VLANs to share a single physical link between switches.

c. Native VLAN (Optional):

A native VLAN is an optional configuration on trunk ports. It defines the VLAN that will be assigned to untagged traffic received on the trunk port. By default, some switches may have a pre-configured native VLAN (often VLAN 1).

Configuration Considerations:

  • Allowed VLANs: You can optionally specify the allowed VLANs on a trunk port using switchport trunk allowed vlan <vlan-id list> (e.g., switchport trunk allowed vlan 10,20). This restricts the trunk port to only carry traffic for the listed VLANs.
  • Trunking Protocol (Optional): In some scenarios, you might need to configure a trunking protocol (like VTP) to advertise and synchronize VLAN information across multiple switches. However, for basic interswitch connectivity, this may not be necessary.

Verification:

  • Use the following commands on each switch to verify your configuration:
    • show interface trunk: Displays information about trunk ports, including the allowed VLANs and trunking mode.
    • Use VLAN verification commands (like show vlan brief) to ensure your VLANs are configured correctly on both switches.

Additional Notes:

  • Ensure both switches are configured for trunking on the designated ports.
  • Verify that the allowed VLANs on the trunk ports match the VLANs you want to pass between switches.
  • Consider using a native VLAN only if you have untagged traffic that needs to be carried on the trunk port. Otherwise, it's generally recommended to leave it untagged for flexibility.
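An added example (not from the original page) of the trunk, 802.1Q and native-VLAN points above. Untagged frames arriving on a trunk are placed in the native VLAN, so the native VLAN is moved to a VLAN that no access port uses, trunk negotiation (DTP) is switched off, and the trunk is then verified; VLAN 999, the hostnames and the interface number are assumptions, and SW2 mirrors the same settings.

```cisco
! Both ends of the link must agree on the native VLAN; SW2 mirrors this
SW1(config)# vlan 999
SW1(config-vlan)# name NATIVE-UNUSED
SW1(config-vlan)# exit
SW1(config)# interface GigabitEthernet1/0/24
SW1(config-if)# switchport mode trunk
SW1(config-if)# switchport trunk native vlan 999
SW1(config-if)# switchport trunk allowed vlan 10,20
! stop the port from negotiating trunking with whatever is plugged in
SW1(config-if)# switchport nonegotiate
SW1(config-if)# end
! Where the platform supports it, the global command "vlan dot1q tag native"
! tags native-VLAN frames as well, so nothing on the trunk travels untagged.
!
! Verification (constructed output): compare Mode, Encapsulation,
! Native vlan and the allowed list on BOTH switches
SW1# show interfaces trunk
Port        Mode             Encapsulation  Status        Native vlan
Gi1/0/24    on               802.1q         trunking      999

Port        Vlans allowed on trunk
Gi1/0/24    10,20

Port        Vlans allowed and active in management domain
Gi1/0/24    10,20

Port        Vlans in spanning tree forwarding state and not pruned
Gi1/0/24    10,20
!
! If the two ends disagree on the native VLAN, CDP reports it within about
! a minute. Treat this log line as a misconfiguration to fix, not to ignore:
! %CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on
!   GigabitEthernet1/0/24 (999), with SW2 GigabitEthernet1/0/24 (1).
```

A VLAN missing from the "allowed and active" list is either not created on this switch or is shut down; a VLAN missing from the last list is blocked by spanning tree on this trunk.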

By following these steps and practicing in a simulated environment, you can gain the skills to configure and verify interswitch connectivity using trunk ports and 802.1Q for the CCNA exam.

Configuring and Verifying Layer 2 Discovery Protocols (CDP and LLDP)

Layer 2 discovery protocols like Cisco Discovery Protocol (CDP) and Link Layer Discovery Protocol (LLDP) help network devices discover their neighbors on the same Layer 2 segment. Here's a breakdown of how to configure and verify them:

a Cisco Discovery Protocol (CDP):

Configuration (Optional):

  • By default, CDP is enabled on most Cisco devices on broadcast interfaces.
  • To verify the default state, use the show cdp running command.
  • (Optional) To disable CDP on an interface, use the no cdp enable command in interface configuration mode.
  • (Optional) To adjust timers or other CDP parameters, use the following commands in global configuration mode:
    • cdp timer <hold-time> <reload-time> (adjusts advertisement timers)
    • cdp advertise <type> (controls what information is advertised)

Verification:

  • Use the show cdp neighbors command to see a list of neighboring devices discovered by CDP, including their device type, IP address, and port information.

b Link Layer Discovery Protocol (LLDP):

Configuration:

  • LLDP is typically disabled by default on Cisco devices.
  • To enable LLDP globally, use the lldp run command in global configuration mode.
  • To enable LLDP on specific interfaces, use the lldp transmit and lldp receive commands in interface configuration mode.

Verification:

  • Use the show lldp neighbors command to see a list of neighboring devices discovered by LLDP, including similar information to CDP output.

General Considerations:

  • Both CDP and LLDP use multicast packets to advertise information. Ensure multicast forwarding is enabled on your switches for these protocols to function properly.
  • CDP is a Cisco proprietary protocol, while LLDP is a vendor-neutral standard. LLDP might provide more limited information about some non-Cisco devices compared to CDP.
  • You can choose to enable only one protocol (CDP or LLDP) or both depending on your needs.
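As an added example (not part of the original page) of the CDP and LLDP steps above: CDP stays on the infrastructure uplink, is turned off on plain user ports, LLDP is enabled for non-Cisco neighbours, and both neighbour tables are read. Hostnames and interface numbers are assumptions; ports Gi1/0/9-16 are assumed to carry no Cisco phones or APs, which rely on CDP or LLDP-MED to learn their voice VLAN and power needs and therefore keep it enabled.

```cisco
! Every CDP advertisement tells the attached device this switch's platform,
! software version and management address, so send it only where a
! trusted device (another switch, a phone, an AP) needs it.
SW1(config)# cdp run
SW1(config)# interface range GigabitEthernet1/0/9 - 16
SW1(config-if-range)# no cdp enable
SW1(config-if-range)# exit
! LLDP is off by default on Cisco switches; enable it globally
SW1(config)# lldp run
SW1(config)# end
!
! Verification (constructed output). "show cdp neighbors detail" adds the
! neighbour's IP address and software version to the same table.
SW1# show cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone,
                  D - Remote, C - CVTA, M - Two-port Mac Relay

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
SW2              Gig 1/0/24        154             S I     WS-C2960X Gig 1/0/24

Total cdp entries displayed : 1
SW1# show lldp neighbors
Capability codes:
    (R) Router, (B) Bridge, (T) Telephone, (C) DOCSIS Cable Device
    (W) WLAN Access Point, (P) Repeater, (S) Station, (O) Other

Device ID           Local Intf     Hold-time  Capability      Port ID
SW2                 Gi1/0/24       120        B               Gi1/0/24

Total entries displayed: 1
! A neighbour that appears on a port where none is expected (a user port
! reporting a Switch capability, for instance) is worth investigating.
```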

Additional Resources:

  • Cisco Documentation: https://learningnetwork.cisco.com/s/article/cisco-discovery-protocol-cdp-x
  • LLDP Information: https://www.ieee802.org/3/frame_study/0409/blatherwick_1_0409.pdf

By understanding these steps and practicing configuration in a simulated environment, you can develop the skills required to configure and verify Layer 2 discovery protocols for the CCNA exam.

Configuring and Verifying EtherChannel (LACP)

EtherChannel allows you to group multiple physical ports into a single logical link, increasing bandwidth, redundancy, and fault tolerance. You can configure EtherChannel using Link Aggregation Control Protocol (LACP) for dynamic negotiation or statically. Here's a breakdown for both Layer 2 and Layer 3 EtherChannel configurations:

LACP Configuration (Layer 2 or Layer 3):

1. Enable LACP Globally:

  • Enter global configuration mode (config terminal).
  • Use the lacp enable command to enable LACP globally on the switch.

2. Configure Channel Group:

  • Enter interface configuration mode for the first port in the EtherChannel group (interface range <port-range>).
  • Use the channel-group <group-number> command to assign the port to a specific EtherChannel group. Here, <group-number> is a value between 1 and 64.
  • Repeat the above steps for all ports you want to include in the EtherChannel group.

3. Configure LACP Mode (Optional):

  • By default, the channel mode is set to active, which means the port will attempt to negotiate an LACP bundle.
  • You can optionally configure individual ports within the group to be passive using the channel-group <group-number> mode passive command within interface configuration mode for that specific port. In passive mode, the port will only participate in LACP negotiation if initiated by the peer device.

4. (Optional) Verify LACP:

  • Use the show interfaces channel-group <group-number> command to view information about the EtherChannel group, including member ports, negotiation status, and bundle status.

Layer 2 vs. Layer 3 EtherChannel:

  • Layer 2: In Layer 2 EtherChannel, all ports in the bundle must belong to the same VLAN. This is suitable for situations where you want to increase bandwidth for a single VLAN segment.
  • Layer 3: In Layer 3 EtherChannel, member ports can belong to different VLANs. This offers more flexibility for inter-VLAN routing or traffic aggregation across different Layer 3 networks. However, Layer 3 EtherChannel requires additional configuration on your routing devices.

Additional Considerations:

  • Ensure all member ports in the EtherChannel group are of the same speed and duplex mode.
  • Verify that the switch platform supports the desired number of EtherChannel groups.
  • LACP negotiation must be successful between the switch and the device connected to the EtherChannel for the bundle to form.

Static EtherChannel Configuration (Optional):

While LACP is the preferred method for automatic negotiation, you can configure a static EtherChannel. This involves setting the channel mode to on for all member ports and doesn't require LACP negotiation. However, static EtherChannel offers less flexibility and fault tolerance compared to LACP.

Verification:

  • Use the show interfaces channel-group <group-number> command to view information about the EtherChannel group, including its operational status and member ports.
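An added example (not from the original page) of the LACP steps above on one switch: two uplinks are bundled into Port-channel 1 as a Layer 2 trunk, the bundle is verified with show etherchannel summary, and the comments explain which LACP mode combinations form a bundle. Hostnames, interface numbers and VLAN IDs are assumptions; SW2 uses the same commands on its two member ports.

```cisco
! Member ports must match each other: speed, duplex, switchport mode,
! allowed VLANs. Configure the members first, then the bundle interface.
SW1(config)# interface range GigabitEthernet1/0/23 - 24
SW1(config-if-range)# switchport mode trunk
SW1(config-if-range)# switchport trunk allowed vlan 10,20
SW1(config-if-range)# channel-group 1 mode active
Creating a port-channel interface Port-channel 1
SW1(config-if-range)# exit
! The logical interface; settings applied here are pushed to the members
SW1(config)# interface Port-channel1
SW1(config-if)# switchport mode trunk
SW1(config-if)# switchport trunk allowed vlan 10,20
SW1(config-if)# end
!
! LACP mode pairs: active+active and active+passive form a bundle;
! passive+passive never does, because neither side starts the exchange.
! A static bundle ("channel-group 1 mode on") skips LACP and must be "on"
! at both ends, with no protection against a miscabled member.
!
! Verification (constructed, abridged output): SU = Layer 2 and in use,
! P = member bundled in the port-channel
SW1# show etherchannel summary
Flags:  D - down        P - bundled in port-channel
        I - stand-alone s - suspended
        H - Hot-standby (LACP only)
        R - Layer3      S - Layer2
        U - in use      f - failed to allocate aggregator

Number of channel-groups in use: 1
Number of aggregators:           1

Group  Port-channel  Protocol    Ports
------+-------------+-----------+-----------------------------------------------
1      Po1(SU)         LACP      Gi1/0/23(P)  Gi1/0/24(P)
! A member flagged (I) or (s) means LACP did not negotiate: check the mode
! on the far end and that the member settings match on both switches.
```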

By following these steps and consulting your switch's specific documentation, you can configure and verify EtherChannel (LACP) for both Layer 2 and Layer 3 scenarios. Remember to practice in a simulated environment to solidify your configuration skills.

Rapid PVST+ Spanning Tree Protocol Operations

Rapid PVST+ is a Cisco implementation of the Spanning Tree Protocol (STP) that helps prevent bridging loops in Ethernet networks. Here's a breakdown of its key operations and components:

a. Port Roles and Bridges:

  • Root Bridge: This is the central switch in the spanning tree topology, responsible for calculating the loop-free path. It's elected based on the Bridge ID (combination of MAC address and priority). The switch with the lowest Bridge ID becomes the root bridge.
  • Secondary/Alternate Root Bridge: In some configurations, a secondary root bridge might be designated for redundancy purposes. However, ideally, there should only be one active root bridge.
  • Root Port: This is the port on a switch that connects directly to the root bridge. It's the designated forwarding port for traffic towards the root bridge.
  • Designated Port: A switch port that connects to another switch and is chosen as the best path towards the root bridge within its segment. Only one designated port exists per segment to avoid loops.
  • Non-Designated Port: Any switch port that is not a root port or designated port. These ports are initially blocked to prevent loops but can transition to forwarding state if necessary.

b. Port States (Forwarding/Blocking):

  • Forwarding: In this state, the port can send and receive data traffic. This is the desired state for designated ports and the root port.
  • Blocking: In this state, the port is shut down and cannot send or receive data traffic. This is typically the initial state for non-designated ports to prevent loops. A blocked port can eventually transition to listening or learning states before becoming forwarding if needed.

c. PortFast:

PortFast is a Cisco feature that allows certain types of ports, like those connected to end devices (PCs, printers), to transition directly to the forwarding state upon link-up. This avoids the normal listening and learning stages, speeding up the port's ability to forward traffic. However, PortFast should be used with caution as it can introduce loops if accidentally enabled on ports that might connect to another switch.

Here's a table summarizing the key points:

Term                    Description
----------------------  ----------------------------------------------------------------------------------
Root Bridge             Switch with the lowest Bridge ID, responsible for the spanning tree topology.
Secondary Root Bridge   Optional redundant root bridge.
Root Port               Port that connects directly to the root bridge and forwards traffic towards it.
Designated Port         Best path towards the root bridge within a switch segment.
Non-Designated Port     Any port that is not a root port or designated port (initially blocked).
Forwarding State        Port can send and receive data traffic.
Blocking State          Port is shut down and cannot send or receive data traffic.
PortFast                Feature that speeds up a port's transition to forwarding state.

By understanding these concepts, you can interpret the basic operations of Rapid PVST+ and how it manages spanning tree convergence in a network.
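As an added example (not part of the original page) tying the port roles, port states and PortFast points above to a switch: the root bridge is chosen deliberately by lowering its priority, PortFast is paired with BPDU Guard on host ports so a switch plugged into one is shut down rather than allowed to form a loop, and the roles and states are read from show spanning-tree. Hostnames, interface numbers, VLAN IDs and MAC addresses are assumptions.

```cisco
! Core switch: make it the root for VLANs 10 and 20 instead of letting the
! lowest MAC address win. "root primary" lowers the priority to 24576 when
! the current root is at the default 32768.
CORE(config)# spanning-tree mode rapid-pvst
CORE(config)# spanning-tree vlan 10,20 root primary
CORE(config)# end
!
! Access switch: PortFast only on host ports, and BPDU Guard with it, so a
! port that ever receives a BPDU (a switch was connected) is err-disabled
SW1(config)# spanning-tree mode rapid-pvst
SW1(config)# interface range GigabitEthernet1/0/1 - 8
SW1(config-if-range)# spanning-tree portfast
SW1(config-if-range)# spanning-tree bpduguard enable
SW1(config-if-range)# end
!
! Verification (constructed output). Role/Sts map to the terms above:
! Root/FWD = root port (towards CORE), Desg/FWD = designated port,
! Altn/BLK = the non-designated port blocked to break the loop.
! Priority 24586 = 24576 + VLAN 10 (the VLAN ID is part of the priority).
SW1# show spanning-tree vlan 10
VLAN0010
  Spanning tree enabled protocol rstp
  Root ID    Priority    24586
             Address     0011.2233.4455
             Cost        4
             Port        24 (GigabitEthernet1/0/24)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32778  (priority 32768 sys-id-ext 10)
             Address     aabb.cc00.0200
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300 sec

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi1/0/1             Desg FWD 4         128.1    P2p Edge
Gi1/0/23            Altn BLK 4         128.23   P2p
Gi1/0/24            Root FWD 4         128.24   P2p
!
! What BPDU Guard logs when a switch is attached to a PortFast port;
! the port stays err-disabled until it is shut/no shut or errdisable
! recovery is configured:
! %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port GigabitEthernet1/0/3
!   with BPDU Guard enabled. Disabling port.
! %PM-4-ERR_DISABLE: bpduguard error detected on Gi1/0/3, putting Gi1/0/3
!   in err-disable state
```

"P2p Edge" in the Type column confirms PortFast took effect on that port; a host port without it shows plain "P2p" and goes through the learning stage on every link-up.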

Cisco Wireless Architectures and AP modes

Cisco offers various wireless network architectures and access point (AP) modes to cater to different network requirements and scales. Here's a breakdown of the most common ones:

1. Cisco Wireless Architectures:

These architectures define the overall network design for managing and controlling your wireless access points. There are three main architectures:

  • Autonomous AP Architecture: This is a simple and self-contained solution. Each access point has its own configuration and operates independently. They are suitable for small networks or locations with limited wireless needs. Management is done directly on each AP through a web interface or CLI.
  • Cloud-Based AP Architecture: This architecture utilizes a cloud-based management platform to control and configure access points. Cisco Meraki is a popular example. APs connect to the cloud for configuration, updates, and monitoring. This offers centralized management and scalability for geographically dispersed networks.
  • Split-MAC AP Architecture: This architecture combines elements of autonomous and controller-based approaches. Access points have some intelligence for basic functionality but rely on a lightweight controller for centralized management and policy enforcement. This offers a balance between scalability and centralized control.

2. Cisco AP Modes:

These modes define how access points operate within the chosen architecture:

  • Autonomous Mode: This mode is used in the Autonomous AP architecture. APs function independently and require individual configuration.
  • Lightweight Access Point (LWAP) Mode: This mode is used with a central controller in architectures like Split-MAC. LWAPs rely on the controller for configuration, policy enforcement, and software updates. They offer reduced processing load on the APs themselves.
  • FlexConnect Mode: This mode provides flexibility within a controller-based architecture. An AP can operate in either Lightweight (LWAP) mode, connecting to a controller, or in autonomous mode, functioning independently. This allows for centralized management while enabling local failover capabilities.
  • Bridge Mode: This mode allows access points to connect two separate wireless networks, essentially acting as a bridge. This can be useful for extending wireless coverage across non-contiguous areas.

Choosing the Right Architecture and Mode:

The ideal choice depends on factors like network size, complexity, desired management level, and budget.

  • Small Networks: Autonomous APs might be sufficient for very small deployments.
  • Scalability and Centralized Management: Cloud-based or controller-based architectures are better suited for larger networks requiring centralized control.
  • Flexibility: FlexConnect mode offers a balance between centralized management and local failover.

By understanding these architectures and AP modes, you can design and implement an efficient and scalable wireless network solution using Cisco products.

Physical Connections in a Cisco WLAN

A Cisco Wireless Local Area Network (WLAN) relies on several physical components working together to provide wireless connectivity. Here's a breakdown of the key components and their connections:

1. Access Points (APs):

  • Function: These are the physical devices that broadcast the wireless signal and handle communication between wireless clients (laptops, phones) and the wired network.
  • Connection: APs connect to the wired network using standard Ethernet cables. The specific port type (access or trunk) depends on the network configuration.

2. Wireless LAN Controllers (WLCs):

  • Function: These are central devices that manage and control multiple access points. They handle tasks like configuration, security, and client association.
  • Connection: WLCs connect to the wired network using Ethernet cables. They typically require multiple ports depending on the number of APs managed and network traffic.

3. Access Ports:

  • Function: These are standard switch ports configured to allow traffic only for a single VLAN (Virtual Local Area Network). They are typically used for connecting APs to the wired network.
  • Connection: An Ethernet cable connects the access port on a switch to the Ethernet port on the access point.

4. Trunk Ports:

  • Function: These are switch ports configured to carry traffic for multiple VLANs. They are sometimes used for connecting WLCs, especially when managing APs on different VLANs.
  • Connection: An Ethernet cable connects the trunk port on a switch to the Ethernet port on the WLC.

5. Link Aggregation Group (LAG):

  • Function: LAG is a technology that bundles multiple physical ports together to create a single logical link. This can increase bandwidth and redundancy for critical connections, like the one between a WLC and a switch.
  • Connection: Multiple Ethernet cables connect the switch ports that are configured as part of the LAG to the corresponding Ethernet ports on the WLC.

Here's a table summarizing the connections:

Component                       Connection Type            Purpose
------------------------------  -------------------------  --------------------------------------------------------------------------------------
Access Point (AP)               Ethernet cable             Connects AP to wired network (usually to access port on switch).
Wireless LAN Controller (WLC)   Ethernet cable             Connects WLC to wired network (may use access or trunk port depending on configuration).
Access Port                     Ethernet cable             Connects switch to AP, allowing traffic for a single VLAN.
Trunk Port                      Ethernet cable             Connects switch to WLC, allowing traffic for multiple VLANs (optional).
Link Aggregation Group (LAG)    Multiple Ethernet cables   Bundles multiple physical ports for increased bandwidth and redundancy (WLC to switch connection).

Additional Notes:

  • The specific cabling and port configuration will depend on your network design and desired functionality.
  • Security measures like port security and VLAN configuration are crucial for protecting your wireless network.
  • Cisco provides various tools and documentation to assist with configuring and managing WLAN components.

Cisco AP and WLC Management Access Connections

Cisco access points (APs) and Wireless LAN Controllers (WLCs) offer various methods for establishing management access connections. Here's a breakdown of the most common options:

Connection Methods:

  • Telnet: Insecure remote access that transmits data in plain text. Not recommended due to security vulnerabilities.
  • SSH (Secure Shell): Secure remote access protocol that encrypts data transmission, providing a more secure alternative to Telnet. This is the preferred method for remote management.
  • HTTP (Hypertext Transfer Protocol): Standard web protocol used for basic management tasks like viewing configuration or status. However, it's not recommended for making configuration changes due to lack of encryption.
  • HTTPS (Hypertext Transfer Protocol Secure): Secure version of HTTP that encrypts data transmission for secure web management. This is the preferred method for web-based configuration.
  • Console: Direct physical connection to the device using a console cable. This is typically used for initial configuration or troubleshooting when remote access is unavailable.
  • TACACS+ (Terminal Access Controller Access Control System Plus) / RADIUS (Remote Authentication Dial-In User Service): These are authentication protocols that provide centralized user access control and authorization for managing network devices. They offer features like role-based access control and auditing.

Applicability:

  • APs: Management access methods available on an AP typically depend on the model and firmware version. Lower-end models might only offer console and Telnet access, while higher-end models might support SSH, HTTPS, and TACACS+.
  • WLCs: WLCs generally support all the mentioned connection methods.

Choosing the Right Method:

  • Security: Prioritize secure methods like SSH and HTTPS whenever possible. Avoid Telnet due to its inherent security risks.
  • Convenience: Remote access methods like SSH and HTTPS offer more flexibility compared to the physical console connection.
  • Centralized Management: TACACS+ or RADIUS can be beneficial for managing multiple devices with role-based access control.

Additional Notes:

  • By default, some management interfaces (like HTTP) might be disabled for security reasons. You may need to enable them on the device itself through the console or a secure method.
  • Strong passwords and access control policies are crucial for protecting your WLCs and APs from unauthorized access.
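An added example (not from the original page) of the preferred management access methods above on an IOS/IOS-XE device such as a Catalyst switch or a 9800-series WLC: SSH version 2 replaces Telnet on the vty lines, HTTPS replaces HTTP, logins are centralised on a TACACS+ server with the local account as fallback, and the result is verified. The hostname, domain, username, server address and the values in angle brackets are placeholders.

```cisco
! SSH needs a hostname, a domain name and an RSA key pair before it runs
WLC(config)# hostname WLC
WLC(config)# ip domain-name example.lab
WLC(config)# crypto key generate rsa modulus 2048
WLC(config)# ip ssh version 2
! local fallback account (placeholder password)
WLC(config)# username admin privilege 15 secret <strong-password>
!
! Centralised authentication and authorization: TACACS+ first, local user
! only when the server is unreachable
WLC(config)# aaa new-model
WLC(config)# tacacs server TACACS1
WLC(config-server-tacacs)# address ipv4 192.0.2.10
WLC(config-server-tacacs)# key <shared-secret>
WLC(config-server-tacacs)# exit
WLC(config)# aaa authentication login default group tacacs+ local
WLC(config)# aaa authorization exec default group tacacs+ local
!
! Remote CLI: "transport input ssh" is the line that actually removes Telnet;
! with aaa new-model the vty lines use the default login method list
WLC(config)# line vty 0 4
WLC(config-line)# transport input ssh
WLC(config-line)# exec-timeout 10 0
WLC(config-line)# exit
!
! Web UI: HTTPS only, authenticated through AAA
WLC(config)# no ip http server
WLC(config)# ip http secure-server
WLC(config)# ip http authentication aaa
WLC(config)# end
!
! Verification (constructed output)
WLC# show ip ssh
SSH Enabled - version 2.0
...
WLC# show running-config | section line vty
line vty 0 4
 exec-timeout 10 0
 transport input ssh
WLC# show running-config | include ip http
no ip http server
ip http authentication aaa
ip http secure-server
```

"SSH Disabled" in show ip ssh means the RSA key pair was not generated; "version 1.99" means both versions are still accepted and ip ssh version 2 has not been applied.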

By understanding these management access connections and their security implications, you can choose the most appropriate method for securely managing your Cisco WLAN infrastructure.

Interpreting Wireless LAN GUI Configuration for Client Connectivity

The Cisco WLAN GUI provides various options for configuring wireless network settings that affect client connectivity. Here's a breakdown of some key configuration areas:

1. WLAN Creation:

  • SSID (Service Set Identifier): This is the name of your wireless network that clients will see and connect to. It should be clear and easily identifiable for users.
  • Broadcast SSID: This option determines whether the SSID is advertised by the access point. Disabling broadcast can improve security by making the network hidden, but clients will need to know the SSID manually to connect.
  • VLAN: Specify the VLAN to which wireless clients will be assigned upon association. This helps segregate traffic and enhance network security.

2. Security Settings:

  • Authentication: This defines the method used to verify a client's identity before granting access. Common options include:
    • Open: No authentication (not recommended due to security risks).
    • WPA/WPA2 Personal: Uses a pre-shared key (PSK) for shared authentication.
    • WPA/WPA2 Enterprise: Uses an external authentication server (RADIUS) for more robust security.
  • Encryption: This defines the level of data encryption used to protect wireless traffic. WPA/WPA2 with AES encryption is the recommended standard for secure wireless networks.

3. QoS Profiles (Quality of Service):

  • QoS allows you to prioritize traffic based on different categories (voice, video, data) to ensure smoother performance for critical applications.
  • You can configure parameters like traffic prioritization, bandwidth allocation, and packet queuing to manage network resources efficiently.

4. Advanced Settings:

  • Radio Settings: Configure parameters like transmit power, channel selection, and band (2.4 GHz or 5 GHz) to optimize wireless signal coverage and performance.
  • Client Isolation: This option can be enabled to prevent wireless clients from communicating directly with each other, improving security by limiting lateral movement within the network.
  • Fast Roaming: This feature allows clients to seamlessly switch between access points while maintaining their connection, enhancing user experience.

Understanding the interrelationships between these settings is crucial for configuring a secure and functional wireless network. Here are some additional tips for interpreting the GUI:

  • Look for tooltips or help menus within the GUI for detailed information about specific settings.
  • Cisco documentation provides detailed explanations of various WLAN configuration options.
  • Consider best practices for wireless security when configuring authentication and encryption.

By familiarizing yourself with these configuration options and their impact on client connectivity, you can effectively manage your Cisco WLAN through the GUI.

