VLAN Trunking Protocol (VTP) Version 3

In this Nugget, let’s make sure we are up to speed on the basics of VTP version 3 for a variety of Cisco Certifications, including foremost on my mind, the CCIE Security Written.

VTP v3 does everything that your older versions 1 and 2 can do, plus a lot more. Here is a summary of those additional features:

  • Enhanced authentication—in VTP version 3, you can configure the authentication password to be hidden using the hidden keyword of the vtp password command. When the password is hidden, it does not appear in plain text in the configuration; instead, the secret derived from the password is saved in hexadecimal format in the running configuration.
  • The extended range VLANs and private VLAN features are fully supported!
  • VTP v3 supports the synchronization of remote-SPAN VLANs.
  • VTP v3 finally supports propagation of the MST database. This is handled as a separate database from the VLAN database.
  • VTP v3 server status is split into primary and secondary servers. Only the primary server can change the VLAN database, so you take on the primary role only when you need to make changes. By default, your switches come up as secondary servers.
  • For a VTP v3 domain to communicate across a version 1 or 2 domain, that older domain must be configured in transparent mode.
  • VTP v3 can be turned on and off globally or on a per-trunk basis.

Here is a look at a sample configuration:

! Global configuration: join the domain and enable version 3
vtp domain MYDOMAIN
vtp version 3
! Privileged EXEC: take over as primary server for the VLAN database
! (the default keyword is vlan; the switch asks you to confirm)
vtp primary
! Global configuration: VLAN changes are only accepted on the primary server
vlan 100
!
! Enable VTP v3 for the MST database, which is separate from the VLAN database
vtp mode server mst
exit
! Privileged EXEC: take over as primary server for the MST database as well
vtp primary mst
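The two features in the list above that matter most from a security standpoint are the hidden password and the per-trunk on/off switch. Here is an added example, not from the original post, showing both together with the show commands used to verify them. The domain name MYDOMAIN comes from the configuration above; the password and the interface names are constructed for illustration.

```cisco
! Added example (not from the original post). Assumes domain MYDOMAIN from
! above; the password and interface names are constructed for illustration.
configure terminal
vtp domain MYDOMAIN
vtp version 3
! Store only the secret derived from the password: the running-config will
! show "vtp password <hex> secret" instead of the plain-text string.
vtp password Lab-Secret-1 hidden
! Trunk toward a switch that should take part in VTP (VTP is on by default)
interface GigabitEthernet1/0/1
 switchport mode trunk
 vtp
! Trunk toward a neighbor that must not send or receive VTP: turn it off here
interface GigabitEthernet1/0/2
 switchport mode trunk
 no vtp
end
! Verification
show vtp status          ! version 3, domain name, primary server ID
show vtp password        ! confirms a password is set without printing the text
show vtp interface       ! VTP enabled or disabled per interface
show running-config | include vtp password
```

One thing to remember once the password is hidden: the switch prompts you for it when you run vtp primary, so keep the plain-text value somewhere safe outside the configuration.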

IPv4 Access Lists in the CCIE Lab Exam

I am getting ready for my Nugget on the above subject and I wanted to provide some thoughts and notes here on the blog on this important subject.

I am currently training for a half-marathon. Yes, and thanks for putting up with all of my RunKeeper Tweets on the subject. 🙂 With the training, there are certain metrics you need to hit in order to really determine whether you can finish on race day. It is the same way with the CCIE. One metric is ACLs: if you do not have them mastered, you are in big trouble on race day. Think about it: you use them for traffic filtering, and then for traffic identification across a whole host of features on the devices, such as QoS and network management; the list goes on and on.

The traffic filtering part gets really scary. Drop in an ACL that does not account for the other traffic required in your lab scenario and you can easily break enough to fail. And when you are building the lists, you must really take your time to ensure that you are meeting the task's specific directions. Are you matching EXACTLY the traffic they want, in the correct direction?

Here is a list of tips and things to think about for this important topic. These are in no particular order:

  • Read very carefully when you need to build an ACL traffic filter. Often you will be asked to block something extremely specific, for example echo-replies. If you block too generally, say both echo-requests and echo-replies, you fail the task.
  • Drawing out the scenario on your scratch paper will often help you see what specifically to match and in what direction.
  • You certainly would want to avoid this in production, but in the lab it is fine to end your ACLs with deny ip any any log-input. This lets you see exactly what you broke in your lab with your ACL!
  • Remember that an outbound ACL will not impact traffic generated by the local router itself.
  • access-group is used for traffic filtering on your interfaces, while access-class is used on your VTY lines. Remember that the access-class out command controls where someone can Telnet out to from your router AFTER they have already Telnetted into it.
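To tie the tips above together, here is an added worked example on IOS; it is an illustration written for this post and not part of the original tips. The lab task, the subnets, the interface name and the list of "other traffic the scenario needs" are all constructed for the example.

```cisco
! Added example (not from the original post). Task, subnets, interface and the
! list of other required traffic are constructed for illustration.
!
! Constructed task: on Gi0/1 inbound, block ONLY ICMP echo-replies sourced from
! 10.1.1.0/24. Echo-requests and everything else must keep working.
configure terminal
ip access-list extended FILTER-GI0-1-IN
 remark Match exactly what the task asks for: replies, not requests
 deny   icmp 10.1.1.0 0.0.0.255 any echo-reply
 remark Other traffic the rest of the scenario depends on (constructed list)
 permit icmp any any
 permit ospf any any
 permit tcp any any eq 23
 permit tcp any eq 23 any
 permit udp any any eq 161
 remark Lab-only: replaces the implicit deny so every drop shows up in syslog
 deny   ip any any log-input
!
interface GigabitEthernet0/1
 ip access-group FILTER-GI0-1-IN in
!
! VTY control: access-class in decides who may Telnet INTO this router,
! access-class out decides where a logged-in user may Telnet OUT to.
ip access-list standard MGMT-IN
 permit 192.168.100.0 0.0.0.255
 deny   any log
ip access-list standard MGMT-OUT
 permit host 10.0.0.5
!
line vty 0 4
 access-class MGMT-IN in
 access-class MGMT-OUT out
end
!
! Verification
show ip access-lists FILTER-GI0-1-IN    ! per-line hit counters
show ip interface GigabitEthernet0/1    ! which ACL is applied and in which direction
show logging | include IPACCESSLOG      ! log-input entries: source, interface, MAC
```

Two of the tips are visible directly in the output. The hit counter on the deny ip any any log-input line, together with the %SEC-6-IPACCESSLOG messages, tells you exactly which traffic you forgot to permit. And if you had applied the list outbound on Gi0/1 instead, pings sourced by this router itself would still leave unfiltered, because an outbound ACL does not touch locally generated traffic.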