[00:00:08] So in this example, let's assume A is sending a frame to D. So the source address at layer two will be A and the destination address will be D. A will send the frame to switch one. Switch one will then copy that frame to all ports, based once again on the switch architecture. The central ASIC will check the destination in the CAM table, and let's assume for the moment that D is not in switch one's CAM table or MAC address table. So the frame will attempt to go out of port 0/2, but because the internal tag color is red for that frame and this is a green port, the frame is not permitted out of 0/2. However, on this port, because it's a trunk link, and let's assume for the moment that all VLANs are allowed across this trunk, that frame will be sent out of port 0/3 to switch two. However, just before the frame is sent out, it needs to be tagged with the VLAN number. So in this case the VLAN identifier would be red. Now, as mentioned, in switches VLANs are identified by numbers, but to keep these examples simple we're going to use colors. So this would in actual fact be a number from 0 to 4096. That frame is then sent across the trunk to switch two, which then receives the frame. Once again, the frame is processed internally.
[00:01:31] Now this switch reads the VLAN identifier in the 802.1Q header and sees that it belongs to the red VLAN; that is tagged internally within the switch. The frame is sent to all ports, 0/2 as well as 0/1. And let's assume once again that the MAC address table of switch two does not contain the MAC address of D. So when the frame is attempting to go out of port 0/1, it is denied because the color of the frame is red and this interface is in the green VLAN. So the frame is dropped. However, out of this interface the frame is permitted because the port is in the red VLAN and the frame is tagged with the red VLAN. All tagging is stripped out of this port, so it's sent as a normal Ethernet frame to PC D. Once again, the PCs are oblivious to the fact that they have been put into VLANs. They just see standard Ethernet. So a standard frame with a source address of A and a destination address of D is transmitted out of port 0/2 and processed by the PC.

[00:02:36] 802.1Q trunks have a special VLAN known as the native VLAN. Native VLANs are untagged when a port on the switch is set up as a trunk. For instance, this interface on switch one and switch two: that interface can receive and transmit tagged frames. Frames belonging to the native VLAN do not carry VLAN tags when sent over this trunk.
[00:03:01] By the same token, if an untagged frame were received on this trunk port, that frame would automatically be associated with the native VLAN for that port. Now, specific management traffic will go across the native VLAN. So for instance spanning tree BPDUs will use the native VLAN, and so will Dynamic Trunking Protocol. Dynamic Trunking Protocol is a way that switches negotiate to set up a trunk between themselves automatically, and I'll show you an example of that in a moment.

[00:03:31] Certain management traffic always uses VLAN one. If you have left VLAN one as the native VLAN, traffic like CDP, VTP, PAgP and UDLD will be transmitted across the native VLAN untagged. If, however, the native VLAN is changed to something other than VLAN one, these protocols will then be tagged in that specific VLAN. CDP was explained in the ICND1 portion of this course. It allows us to view directly connected devices. VLAN Trunking Protocol we're going to discuss in the next few slides. It is a way to dynamically update other switches with changes made on a single switch in a VTP domain. PAgP, or Port Aggregation Protocol, is a protocol used for the automatic creation of EtherChannels, and UDLD, or Unidirectional Link Detection, is used to monitor the physical configuration of cables between devices and detect unidirectional links.
[00:04:31] This allows us to detect incorrectly cabled links. The important thing to take note of here is that on trunk links there is a special VLAN known as the native VLAN, where traffic is sent untagged. If left at the default of VLAN one, a lot of management traffic will be sent across that native VLAN. It's important that the native VLAN on both sides of the trunk be the same. If they are not set the same, the switches will notify you by telling you that there's a native VLAN mismatch. The issue that arises if the native VLANs are not the same is that traffic from one VLAN on this switch will automatically be associated with, and end up in, a different VLAN on another switch. And obviously the whole concept of VLANs is to separate traffic into a specific VLAN, in other words a separate broadcast domain or separate subnet. Traffic from one VLAN should not end up in another VLAN because of a native VLAN misconfiguration.

[00:05:28] Now, this is something you will probably not see in networks today. In theory, with a native VLAN, a switch like switch one could send tagged frames to switch two and untagged frames to this MacBook. So by using the native VLAN, this MacBook or a PC would still be able to communicate with the network even though it doesn't understand tagged frames. 802.1Q frames, or tagged frames, are useful for communicating VLAN information between networking devices like switches. This end device wouldn't necessarily understand 802.1Q frames, but could still communicate with the network by using the native VLAN. However, that's not common today.

[00:06:07] What is more typical today is a scenario like this, where you have a PC connected to an IP phone connected to a Cisco switch. Now, a Cisco IP phone has a built-in three-way switch. One port is connected back to the network infrastructure, so our Cisco switch; a second port allows the PC to connect to the infrastructure through the phone; and a third port allows for voice traffic from the handset to be prioritized over data when sent to the network infrastructure. So the phone has a built-in three-way switch, always prioritizing voice over data.

[00:06:46] The thing to take note of here, though, is that the phone can be configured in a separate VLAN to the PC, so the phone could be in the red VLAN and the PC could be in the green VLAN. There are a lot of advantages to doing it this way. Firstly, from a security point of view, this PC will not be able to sniff voice traffic and therefore listen in on the voice conversation. Now, there are a lot of caveats relating to Cisco phones, and different models are set up in different ways, but in theory the concept is that the phone is in a separate VLAN to the PC and therefore the PC is not able to see the voice traffic. There are applications like Cain & Abel, which is a very powerful hacking tool, that allow you to sniff the network, capture the voice traffic, and then replay that traffic as a WAV file on your local PC so you can replay the voice conversation. But if the phone is in a separate VLAN, security is enhanced because the PC is not able to see the voice traffic. From a quality of service point of view, this is also a lot better, because it's easier to prioritize the voice traffic over the data traffic if it's in a separate VLAN. Setting up your network this way also has the advantage of easier IP address management, because you can assign a separate subnet to your phones versus your PCs and thus scale your IP addressing.

[00:08:07] So what happens is the switch is configured with what's called a voice VLAN and a native VLAN. The voice VLAN is tagged, so tagged frames get sent to the phone, and the phone with its built-in three-way switch is able to read the 802.1Q frames. Untagged frames are sent on what's called the native VLAN or data VLAN. That information is sent to the phone and the phone just switches that to the PC.
[00:08:34] So the PC receives the untagged or native VLAN frames and the phone receives the tagged or voice VLAN frames. No configuration of the phone is necessary to enable this. You literally type a few commands on the switch, telling the switch what the voice VLAN is and what the data VLAN is, and this happens automatically, because when the phones boot up they query the switch through CDP to find out which VLAN they belong to. So the switch updates the phone's configuration through the use of CDP. So this is a very common implementation of native VLANs in the real world today.

[00:09:12] So just to sum up how ports are assigned to VLANs. Firstly, they can be statically assigned by an administrator: so you as an administrator go on to an interface and statically put that port into a VLAN. The second option is to create what are called dynamic VLANs using a VLAN Membership Policy Server. Dynamic VLANs allow for a port's VLAN to be dynamically updated based on the MAC address of the device attached to that port. So in a boardroom, for example, when a director plugs in a laptop, based on the MAC address of that laptop that port is dynamically assigned to the director's VLAN. When a manager plugs his laptop into that same port the next day, for example, that VLAN is automatically updated to the manager's VLAN.
[00:09:58] So based on the source MAC address of frames received on the port, the port is automatically assigned to different VLANs. And lastly, we have voice VLANs, which are used specifically for IP phones.

[00:10:11] VTP, or VLAN Trunking Protocol, is a Cisco proprietary layer two protocol which allows for the propagation of VLAN information from one switch to another. Rather than telnetting to multiple switches, you can create, delete or rename VLANs on one switch and have that information automatically propagated to other switches across trunk links. Notice the name: VLAN Trunking Protocol. This information can only be propagated across trunk links. Now VTP can save you a lot of time, but as a lot of Cisco engineers will tell you, VTP can cause you a lot of headaches. Switches can have the entire VLAN configuration wiped out if a new switch is added to the network without following a proper procedure. So a lot of Cisco engineers will not enable VTP in modern environments because of the inherent risks associated with this protocol.

[00:11:07] VTP messages are sent to the following MAC address, which is a well-known multicast address for flooding of the CDP and VTP protocols. There are three types of messages in VTP: you have summary advertisements, subset advertisements and advertisement requests, and I'll explain each of these in more detail in the upcoming slides. But please be aware that there are three message types.

[00:11:32] When setting up VTP, devices will by default belong to the null domain. For VTP to work, you need to configure and put the devices into a specific VTP domain. Only devices within the same VTP domain will be updated with VLAN information. A switch can only be configured in a single VTP domain at any given time. By default, Cisco switches are in the null domain, or no management domain, until they receive an advertisement for a domain over a trunk link or until you manually configure a management domain. So in this example, let's assume that these devices have been put into the VTP domain with the name of Cisco. Remember, please: VTP is a layer two protocol and requires trunk links for communication. So VTP will not traverse a router.

[00:12:25] An important concept to understand in VTP is the concept of a revision number. Every time a change is made to the VLAN database, the revision number in VTP will increment by one. So let's assume that all devices in this topology have a revision number of one. You as an administrator add a VLAN, let's say VLAN three, to this switch.
[00:12:48] The revision number will then increment from revision number one to revision number two. That information will then be advertised to all other switches in the VTP domain so that they can synchronize their databases to the latest revision number, which is revision number two. So the switch at the top will send what is called a VTP summary advertisement to all other switches, informing them that a change has been made. Remember, this is sent using a multicast address, so all of these devices will see that message. They will then request the latest information using an advertisement request, and the switch at the top will send them detailed information about the change using a subset advertisement. The net result is that the revision numbers in all of these switches will increment to the same revision number as the switch where the change was made. So VLAN three will appear in all the databases of these switches and the revision number will be set to revision number two. The whole concept with VTP is that you can make changes on an individual device. As those changes are made, all other switches are informed of the change and they will synchronize their databases to the latest revision number, so that they end up having the same VLANs in their VLAN databases.
[00:14:06] That means that you as the administrator only need to make changes on one switch rather than five switches in this topology. Please note: ports are put into individual VLANs by, for example, an administrator. VTP does not put ports into individual VLANs; it just updates the VLAN database so that the switches know which VLANs exist. You as an administrator still need to put those ports into the relevant VLANs. So this is just a VLAN database update mechanism so that switches know the VLANs that exist in the topology.

[00:14:40] So let's look at the VTP messages in more detail. The first type of VTP message is a summary advertisement. This is sent every 5 minutes or whenever there's a change. So whenever an administrator makes a change on a switch, by for instance adding a VLAN, a summary advertisement will be sent out on the well-known multicast address to all other switches in the domain. So this is used to inform other switches of the current VTP domain and the current configuration revision number. So as an example, on switch one the administrator adds another VLAN, let's say VLAN four. The revision number will be incremented. So if the revision number was three, it would now be incremented to four.
[00:15:23] This switch will send a summary advertisement to all neighboring switches, informing them of the current VTP domain and the new configuration revision number. Switches that receive that summary advertisement will then send back an advertisement request asking for detailed information of the changes that have been made. There are three situations when advertisement requests are used: firstly, when a switch has been reset; or when the VTP domain name has been changed; or when the switch has received a VTP summary advertisement with a higher configuration revision number than its own. So because switch two received a summary advertisement from switch one indicating a higher revision number (in other words, the revision number on switch one is revision number four and the revision number on switch two is revision number three), switch two will now request information from switch one so that it can update its database with the latest VLAN information. That detailed information is sent from switch one to switch two using what's called a subset advertisement. This contains a list of VLAN information, and if there are several VLANs, more than one subset advertisement may be required to update and synchronize the databases of other switches. So essentially what this is, is detailed information of the changes that have been made.
[00:16:47] The summary advertisement just informs the switch, in summary format, of the latest revision number and VTP domain. If the local switch sees that it's out of date, it will request detailed information so that it can synchronize its database, and that information will be provided using a subset advertisement. The switches are now able to synchronize their local databases to the database of the switch with the latest information.

[00:17:14] Now there are three modes in VTP. The default mode is server. A VTP switch in server mode can create VLANs, modify VLANs and delete VLANs. It also sends and forwards advertisements: so if it received an advertisement from another switch, it would forward that on, and if you made changes on the local switch, it would send summary advertisements. It would also synchronize its local database to the latest revision number, and it also saves the VLAN configuration information locally. So this is the device where you're going to make your changes. Multiple switches can be configured as VTP servers, but you need to be really careful with this. The second mode is VTP client. A VTP client cannot create, change or delete VLANs. It is also able to send and forward advertisements, so it can send any VLANs currently listed in its database to other VTP switches.
[00:18:12] It can also forward advertisements received from other switches. Thirdly, it would also synchronize its database to the latest configuration revision number.

[00:18:23] This is a major potential issue with VTP and has burnt many Cisco engineers in the past. A lot of Cisco engineers will not use VTP because of this issue. So here's a sample topology. Notice we have a VTP server, and let's assume that all of these switches at the top are configured as VTP clients. The host machines are in the red VLAN or green VLAN, and currently the revision number for the domain is revision number two. So the latest configuration revision number is two, the VTP domain is Cisco, and the VLANs that have been configured on the switches are VLANs red and green. Please note once again that the switches have a VLAN database; that is what VTP updates. The individual ports on the switches need to manually be put in the correct VLANs. Now someone plugs another switch into the topology from, for instance, a lab environment. The reason why this is dangerous is that in a lab environment VLANs may have been added and removed, and thus the revision number may be a lot higher than the production network. So let's assume for the moment that the revision number is 50.
[00:19:35] This switch only has the blue VLAN configured on it, so the green and red VLANs do not exist in the VLAN database. A lot of people make the mistake of assuming that as long as the switch is configured as a VTP client, it will not cause any problems on the network. So an administrator plugs in the switch and configures this port as a trunk. Please note once again that VTP advertisements are only sent across trunk ports, so let's assume that throughout the network all of these links are configured as trunks. As soon as that happens, this client is added to the VTP domain. What's really scary is that this client can be automatically updated with the VTP information: in other words, if it's configured with a null domain, it can automatically join the current VTP domain of Cisco. And as soon as that happens, the devices will synchronize their databases to the latest configuration revision number, which in this case is 50. So on all switches in the live domain, the revision number is changed to 50, because all of the switches, including the VTP server, will synchronize automatically to the VTP client. The current VLANs, red and green, are automatically removed from the VLAN database, and the only VLAN that will now be available in the VLAN databases of all of these switches is VLAN blue.
[00:20:58] Now all of the ports on all the switches that have manually been put into the green or red VLAN are error-disabled. The issue here is that a port belongs to the red VLAN, but the red VLAN does not exist in the database, so the port is automatically disabled. That means that no traffic can be sent or received on this port, and the same thing happens on all other switches. Essentially what happens is that the entire network is brought down by the introduction of a single switch. That's extremely worrying, to say the least, that the introduction of a single switch can bring down an entire enterprise network. The only way to fix this is to physically connect to the VTP server and then manually add the VLANs that have been deleted.
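The 802.1Q walk-through at the start of the lecture (A sending to D across the trunk between switch one and switch two, the tag added on egress to the trunk and stripped on egress to the access port) and the native VLAN mismatch warning that follows it, as an added worked example. This is example code written for this page, not code from the course or from Cisco. The VLAN numbers 10 and 20 standing in for red and green, the MAC addresses, the port names 0/1 to 0/3 and the two-switch topology are all constructed assumptions; PCP and DEI bits in the tag are left at zero.

```python
"""802.1Q tag handling and a two-switch forwarding walk-through (added example, not lecture code)."""
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

TPID_8021Q = 0x8100
RED, GREEN = 10, 20          # constructed VLAN numbers standing in for the lecture's colours


@dataclass
class Frame:
    dst: bytes                # 6-byte destination MAC
    src: bytes                # 6-byte source MAC
    vid: Optional[int]        # 802.1Q VLAN ID, or None for an untagged frame
    payload: bytes            # EtherType + data, left opaque here


def mac(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))


def encode(f: Frame) -> bytes:
    """Wire format: dst, src, then a 4-byte tag (TPID 0x8100 + TCI) only when a VID is set."""
    if f.vid is None:
        return f.dst + f.src + f.payload
    if not 0 <= f.vid <= 0xFFF:
        raise ValueError("VID is a 12-bit field")
    tci = f.vid & 0x0FFF      # PCP (3 bits) and DEI (1 bit) left at 0
    return f.dst + f.src + struct.pack("!HH", TPID_8021Q, tci) + f.payload


def decode(raw: bytes) -> Frame:
    dst, src = raw[:6], raw[6:12]
    if struct.unpack("!H", raw[12:14])[0] == TPID_8021Q:
        (tci,) = struct.unpack("!H", raw[14:16])
        return Frame(dst, src, tci & 0x0FFF, raw[16:])
    return Frame(dst, src, None, raw[12:])


class Switch:
    def __init__(self, name: str, access: Dict[str, int], trunks: Dict[str, int]):
        self.name = name
        self.access = access          # port -> access VLAN
        self.trunks = trunks          # port -> native VLAN of that trunk
        self.mac_table: Dict[bytes, Tuple[str, int]] = {}   # MAC -> (port, vlan)

    def receive(self, port: str, raw: bytes) -> List[Tuple[str, bytes]]:
        """Classify, learn, and return [(egress_port, wire_bytes)] the way the lecture walks it."""
        f = decode(raw)
        if port in self.access:
            vlan = self.access[port]                   # access port: VLAN is the port's own
        else:
            vlan = f.vid if f.vid is not None else self.trunks[port]   # untagged on a trunk -> native
        self.mac_table[f.src] = (port, vlan)
        known = self.mac_table.get(f.dst)
        # Known destination in the same VLAN: forward to one port; otherwise flood (CAM miss)
        candidates = [known[0]] if known and known[1] == vlan else list(self.access) + list(self.trunks)
        out = []
        for p in candidates:
            if p == port:
                continue
            if p in self.access:
                if self.access[p] == vlan:             # colour must match; tag stripped on egress
                    out.append((p, encode(Frame(f.dst, f.src, None, f.payload))))
            else:
                vid = None if vlan == self.trunks[p] else vlan   # native VLAN leaves untagged
                out.append((p, encode(Frame(f.dst, f.src, vid, f.payload))))
        return out


def deliver(sw1: Switch, sw2: Switch, link: Tuple[str, str], first_port: str, raw: bytes):
    """Inject raw into sw1 on first_port; follow the trunk link (sw1 port, sw2 port) into sw2.
    Returns {(switch, port): vlan the receiving switch put the frame in} for every access port reached."""
    seen = {}
    for p, wire in sw1.receive(first_port, raw):
        if p == link[0]:
            for q, _ in sw2.receive(link[1], wire):
                if q in sw2.access:
                    seen[(sw2.name, q)] = sw2.access[q]
        elif p in sw1.access:
            seen[(sw1.name, p)] = sw1.access[p]
    return seen


def walk(native_sw1: int, native_sw2: int):
    """A (red, SW1 0/1) sends to D (red, SW2 0/2) while D is unknown, so both switches flood."""
    sw1 = Switch("SW1", {"0/1": RED, "0/2": GREEN}, {"0/3": native_sw1})
    sw2 = Switch("SW2", {"0/1": GREEN, "0/2": RED}, {"0/3": native_sw2})
    a, d = mac("00:00:00:00:00:0a"), mac("00:00:00:00:00:0d")   # constructed MACs
    raw = encode(Frame(d, a, None, b"\x08\x00hello"))           # A sends a plain, untagged frame
    return deliver(sw1, sw2, ("0/3", "0/3"), "0/1", raw)


if __name__ == "__main__":
    print("matching native VLANs:  ", walk(GREEN, GREEN))
    print("mismatched native VLANs:", walk(RED, GREEN))
```

With matching native VLANs the red frame is tagged on SW1's trunk, stays red on SW2, is blocked at the green port 0/1 and delivered untagged on the red port 0/2. With SW1's native VLAN set to red and SW2's to green, the same frame leaves SW1 untagged, SW2 classifies it into its own native VLAN (green), and it lands on the green port 0/1: the cross-VLAN leak the lecture warns about, which is why the native VLAN mismatch message a switch logs deserves attention.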
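The VTP revision-number synchronisation described in the lecture (summary advertisement, advertisement request, subset advertisement) and the lab-switch scenario at the end of it, as an added simulation written for this page rather than taken from the course or from Cisco. It goes beyond the lecture in one respect: it also models the two standard safeguards, resetting the new switch's revision by changing its VTP domain name and placing it in VTP transparent mode. Both are Cisco behaviours assumed here, not described in the lecture. The switch names, port assignments and VLAN names are constructed.

```python
"""VTP revision synchronisation, the lab-switch wipe from the lecture, and two safeguards.
Added example modelled on the lecture's description; not Cisco code."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class VtpSwitch:
    name: str
    mode: str                                   # "server", "client" or "transparent"
    domain: Optional[str] = None                # None models the null (no management) domain
    revision: int = 0                           # configuration revision number
    vlans: Set[str] = field(default_factory=set)
    ports: Dict[str, str] = field(default_factory=dict)   # port -> VLAN the admin assigned
    err_disabled: Set[str] = field(default_factory=set)

    def add_vlan(self, vlan: str) -> None:
        """Only servers (and transparent switches, locally) may change the VLAN database."""
        if self.mode == "client":
            raise PermissionError(f"{self.name}: VTP clients cannot create, change or delete VLANs")
        self.vlans.add(vlan)
        if self.mode == "server":
            self.revision += 1                  # every database change increments the revision

    def set_domain(self, name: str) -> None:
        """Assumed Cisco behaviour: changing the VTP domain name resets the revision to 0."""
        self.domain = name
        self.revision = 0

    def summary_advertisement(self) -> dict:
        return {"domain": self.domain, "revision": self.revision}

    def subset_advertisement(self) -> Set[str]:
        return set(self.vlans)

    def on_summary(self, adv: dict, sender: "VtpSwitch") -> bool:
        """Apply a received summary advertisement; return True if local state changed."""
        if self.mode == "transparent" or adv["domain"] is None:
            return False
        changed = False
        if self.domain is None:                 # null-domain switch joins the advertised domain
            self.domain, changed = adv["domain"], True
        if adv["domain"] != self.domain or adv["revision"] <= self.revision:
            return changed
        # Higher revision seen: advertisement request -> subset advertisement -> overwrite database
        self.vlans = sender.subset_advertisement()
        self.revision = adv["revision"]
        # Ports assigned to a VLAN that no longer exists in the database go err-disabled
        self.err_disabled = {p for p, v in self.ports.items() if v not in self.vlans}
        return True


def synchronize(switches: List[VtpSwitch]) -> None:
    """Repeat the multicast summary exchange over the trunked domain until nothing changes."""
    changed = True
    while changed:
        changed = False
        for s in switches:
            if s.mode == "transparent":
                continue                        # transparent switches forward but never originate
            for r in switches:
                if r is not s and r.on_summary(s.summary_advertisement(), s):
                    changed = True


def lab_switch_scenario(lab_mode: str = "client", reset_revision: bool = False) -> Dict[str, tuple]:
    """Production domain 'Cisco' at revision 2 (red, green) plus a lab switch at revision 50 (blue)."""
    prod = [VtpSwitch("SRV", "server", "Cisco", 2, {"red", "green"}, {"0/1": "red"})]
    prod += [VtpSwitch(f"C{i}", "client", "Cisco", 2, {"red", "green"},
                       {"0/1": "red", "0/2": "green"}) for i in (1, 2, 3)]
    lab = VtpSwitch("LAB", lab_mode, None, 50, {"blue"})   # null domain, so it auto-joins
    if reset_revision:
        lab.set_domain("scratch")               # change the name, then change it back: revision -> 0
        lab.set_domain("Cisco")
    fleet = prod + [lab]
    synchronize(fleet)
    return {s.name: (s.revision, sorted(s.vlans), sorted(s.err_disabled)) for s in fleet}


if __name__ == "__main__":
    print("client at revision 50 plugged in:", lab_switch_scenario())
    print("revision reset before plugging in:", lab_switch_scenario(reset_revision=True))
    print("lab switch in transparent mode:  ", lab_switch_scenario(lab_mode="transparent"))
```

The default run reproduces the lecture: every switch, the server included, jumps to revision 50, keeps only blue, and every port in red or green is err-disabled. The two other runs are the checks worth building into an insertion procedure: a revision of 0 on the incoming switch means it synchronises to the domain instead of overwriting it, and a transparent-mode switch neither applies nor originates advertisements, so the domain is untouched either way.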