Would you like to inspect the original subtitles? These are the user uploaded subtitles that are being translated: 1 00:00:08,940 --> 00:00:14,220 Send this example let's assume A is sending a frame to D. 2 00:00:14,440 --> 00:00:17,260 So the source address that led to will be a. 3 00:00:17,380 --> 00:00:19,370 And the destination address will be D. 4 00:00:19,600 --> 00:00:27,010 I will send the frame to switch one which one will then copy that frame to all ports based once again 5 00:00:27,010 --> 00:00:28,380 on the switch architecture. 6 00:00:28,510 --> 00:00:34,480 The central async will check the destination in the camp table and let's assume for the moment that 7 00:00:34,480 --> 00:00:37,990 does not answer which ones can table or MAC Address table. 8 00:00:38,230 --> 00:00:44,050 So the frame will attempt to go out of this port to 0 2 but because the internal tagged color is red 9 00:00:44,050 --> 00:00:44,880 for that frame. 10 00:00:44,920 --> 00:00:46,590 And this is a Greenport. 11 00:00:46,720 --> 00:00:49,280 The frame is not permitted out of 0 2. 12 00:00:49,600 --> 00:00:52,040 However on this port because it's a trunk link. 13 00:00:52,210 --> 00:00:57,400 And let's assume for the moment that all the lands are allowed across this trunk that frame will be 14 00:00:57,400 --> 00:01:04,220 sent out of port 0 3 to switch to however just before the frame is sent out. 15 00:01:04,220 --> 00:01:06,760 It needs to be tagged with the villain number. 16 00:01:07,100 --> 00:01:10,080 So in this case the villain identifier would be red. 17 00:01:10,130 --> 00:01:15,750 Now as mentioned in switches villans identified by numbers but to keep these examples simple we are 18 00:01:15,760 --> 00:01:17,310 going to use colors. 19 00:01:17,330 --> 00:01:24,470 So this would in actual fact be a number from 0 to 4000 and 96 bedframe is then sent across the trunk 20 00:01:24,830 --> 00:01:32,120 to switch to who then receives the frame once again the frame is processed internally. 21 00:01:32,120 --> 00:01:37,430 Now this switch reads the villain identify an edited or one Q header and sees that it belongs to the 22 00:01:37,430 --> 00:01:44,540 red Villon that is tagged internally within the switch the frame is sent to Allport 0 2 as well as 0 23 00:01:44,540 --> 00:01:45,160 1. 24 00:01:45,260 --> 00:01:50,630 And let's assume once again that the MAC address table is switched to does not contain the MAC address 25 00:01:50,630 --> 00:01:51,570 of D. 26 00:01:51,650 --> 00:01:58,040 So when the frame is attempting to go to port 0 1 it is denied because the color of the frame is red 27 00:01:58,430 --> 00:02:00,760 and this interface is in the green Villon. 28 00:02:00,920 --> 00:02:02,710 So the frame is dropped. 29 00:02:02,730 --> 00:02:08,840 However out of this interface the frame is permitted because the port is in the red villain and the 30 00:02:08,840 --> 00:02:14,920 frame is tagged with the red villaine all tagging is stripped out of this port. 31 00:02:14,960 --> 00:02:19,340 So it's same as a normal Ethernet frame to PCD. 32 00:02:19,340 --> 00:02:24,080 Once again the PCs are oblivious to the fact that they have been put into villains. 33 00:02:24,110 --> 00:02:26,660 They just see stented Ethernet. 34 00:02:26,660 --> 00:02:32,420 So a standard frame where the source address of a destination address a D is transmitted out of port 35 00:02:32,420 --> 00:02:40,450 0 to and processed by the PC edited in one key trunked have a spatial villain known as the native villaine 36 00:02:41,050 --> 00:02:46,270 native villans are untagged when a port on the switch is set up as a trunk. 37 00:02:46,630 --> 00:02:53,800 For instance this interface on switch one and switch to that interface can receive and transmit tagged 38 00:02:53,800 --> 00:03:01,450 frames frames belonging to the native villaine do not carry violent tags when sent over this trunk by 39 00:03:01,450 --> 00:03:07,480 the same token if an untagged frame were received on the trunk port that frame would automatically be 40 00:03:07,480 --> 00:03:11,030 associated with the native land for the sport. 41 00:03:11,050 --> 00:03:15,030 Now specific management traffic will go across the native land. 42 00:03:15,220 --> 00:03:22,090 So for instance spanning tree BPT use will use the native Villon and so will dynamic trunking critical 43 00:03:22,930 --> 00:03:28,450 dynamic trunking protocol is a way that switches negotiate to set up a trunk between themselves automatically 44 00:03:28,900 --> 00:03:31,010 and I'll show you an example of that in a moment. 45 00:03:32,130 --> 00:03:38,370 Certain management traffic always uses villaine one if you have left the line one as the native LAN 46 00:03:38,760 --> 00:03:45,480 traffic like CPV DP AGP and you DL D will be transmitted across the native land. 47 00:03:45,540 --> 00:03:52,650 Untagged if I ever The native land is changed to something other than land one these protocols will 48 00:03:52,650 --> 00:03:59,280 then be tagged in that specific villaine CTP was explained in the ICD 1 portion of this course. 49 00:03:59,340 --> 00:04:05,190 It allows us to view directly connected devices and trunking protocol we are going to discuss in the 50 00:04:05,190 --> 00:04:06,550 next few slides. 51 00:04:06,600 --> 00:04:13,350 It is a way to dynamically update other switches with changes made on a single switch in a VTB domain 52 00:04:13,960 --> 00:04:21,330 AGP or port aggregation protocol is a protocol used for the automatic creation of ether channels and 53 00:04:21,330 --> 00:04:28,380 you DLT or you need directional linked detection is used to monitor the physical configuration of cables 54 00:04:28,380 --> 00:04:32,120 between devices and detect unique directional links. 55 00:04:32,130 --> 00:04:35,330 This allows us to detect incorrectly cabled links. 56 00:04:35,340 --> 00:04:40,380 The important thing to take note of here is that trunk links there is a special villain known as the 57 00:04:40,380 --> 00:04:46,770 native land where traffic is sent untagged if left at the default of Villa and one a lot of management 58 00:04:46,770 --> 00:04:49,880 traffic will be sent across that native land. 59 00:04:49,890 --> 00:04:56,460 Its important that the native land on both sides of the trunk be the same if they not set the same. 60 00:04:56,460 --> 00:05:00,620 The searchers will notify you by telling you that theres a native villaine mismatch. 61 00:05:01,080 --> 00:05:06,990 The issue that arises if the native lands are not the same is that traffic from one villain on the switch 62 00:05:07,170 --> 00:05:11,750 will automatically be associated and end up in a different than on another switch. 63 00:05:11,760 --> 00:05:17,400 And obviously the whole concept of feline's is to separate traffic into a specific Thielen. 64 00:05:17,430 --> 00:05:23,100 In other words a separate broadcast domain or separate subnet traffic from one VLAN should not end up 65 00:05:23,160 --> 00:05:28,320 in another villaine because of a native villaine misconfiguration. 66 00:05:28,340 --> 00:05:31,360 Now this is something you probably not see in networks today. 67 00:05:31,580 --> 00:05:38,510 In theory with a native villaine a switch like switch one could say tagged frame's to switch to and 68 00:05:38,600 --> 00:05:40,680 untagged frames to this MacBook. 69 00:05:40,820 --> 00:05:47,030 So by using the native Villon this MacBook or a PC would still be able to communicate with the network 70 00:05:47,330 --> 00:05:53,360 even though it doesn't understand tagged frames edited or one keyframes or tagged frames are used for 71 00:05:53,360 --> 00:05:58,040 communicating via information between networking devices like switches. 72 00:05:58,040 --> 00:06:03,410 This device wouldn't necessarily understand edited or one keyframes but could still communicate with 73 00:06:03,410 --> 00:06:05,840 the network by using the native villaine. 74 00:06:06,110 --> 00:06:07,800 However that's not common today. 75 00:06:07,970 --> 00:06:16,130 What is more typical Today is a scenario like this where you have a PC connected to an IP phone connected 76 00:06:16,130 --> 00:06:17,770 to a Cisco switch. 77 00:06:17,780 --> 00:06:25,010 Now Cisco IP phone has a built in three way switch one port is connected back to the network infrastructure. 78 00:06:25,130 --> 00:06:32,030 So a Cisco switch a second port allows the PC to connect to the infrastructure through the phone and 79 00:06:32,030 --> 00:06:38,600 a third port allows for voice traffic from the handset to be prioritized over data when sent to the 80 00:06:38,600 --> 00:06:40,000 network infrastructure. 81 00:06:40,340 --> 00:06:46,970 So the phone has a built in three way switch always proud rising voice over data. 82 00:06:47,020 --> 00:06:52,510 The thing to take note of here though is that the phone can be configured in a separate Villon to the 83 00:06:52,510 --> 00:06:53,380 PC. 84 00:06:53,380 --> 00:06:57,900 So the phone could be in the red violin and the PC could be in the green line. 85 00:06:58,030 --> 00:07:00,610 There are a lot of advantages to doing it this way. 86 00:07:00,850 --> 00:07:07,270 So usually from a security point of view this PC will not be able to sniff voice traffic and therefore 87 00:07:07,330 --> 00:07:09,760 listening on the voice conversation. 88 00:07:09,760 --> 00:07:14,600 Now there are a lot of caveats relating to Cisco phones and different models are set up different ways 89 00:07:14,830 --> 00:07:21,160 but in theory the concept is that the phone is in a separate violent to the PC and therefore the PC 90 00:07:21,160 --> 00:07:24,090 is not able to see the voice traffic. 91 00:07:24,100 --> 00:07:29,740 There are applications like Cain and Abel which is a very powerful hacking tool that allow you to sniff 92 00:07:29,740 --> 00:07:36,820 the network capture the voice traffic and then replay that traffic as a file on your local PC so you 93 00:07:36,820 --> 00:07:39,000 can replay the voice conversation. 94 00:07:39,340 --> 00:07:44,950 But if the phone is in a separate Villon security is enhanced because the PC is not able to see the 95 00:07:44,950 --> 00:07:47,920 voice traffic from a quality of service point of view. 96 00:07:47,920 --> 00:07:53,130 This is also a lot better because its easier to prioritize the voice traffic over the data traffic. 97 00:07:53,290 --> 00:07:59,530 If its in a separate VM setting up your network this way also has the advantages of easier IP address 98 00:07:59,530 --> 00:08:03,680 management because you can assign a separate subnet to your phones. 99 00:08:03,690 --> 00:08:07,380 This is your PCs and thus scale your IP addressing. 100 00:08:07,420 --> 00:08:13,030 So what happens is the switch is configured with what's called a voice Freelon and a native villaine 101 00:08:13,420 --> 00:08:19,780 the voice feel is tagged so tagged frames get sent to the phone and the phone with its boltin threeway 102 00:08:19,840 --> 00:08:26,650 switch is able to read the edited or one keyframes untagged frames are saved on what's called the native 103 00:08:26,660 --> 00:08:28,960 illum or data line. 104 00:08:29,110 --> 00:08:34,730 That information is sent to the phone and the phone just switches that to the PC. 105 00:08:34,840 --> 00:08:41,440 So the PC receives the untagged on native land frames and the phone receives that tagged or voice file 106 00:08:41,440 --> 00:08:46,040 and frames no configuration and the phone is necessary to enable this. 107 00:08:46,150 --> 00:08:51,280 You literally typed a few commands on the switch telling the switch what the voice the land is and what 108 00:08:51,280 --> 00:08:52,550 the DTV Bil'in is. 109 00:08:52,750 --> 00:08:59,020 And this happens automatically because when the phone's boot up they query the switch through CGP to 110 00:08:59,020 --> 00:09:01,010 find out which feel they belong to. 111 00:09:01,270 --> 00:09:06,530 So the switch up dates the phone's configuration through the use of CTP. 112 00:09:06,850 --> 00:09:11,580 So this is a very common implementation of native lands in the real world today. 113 00:09:12,530 --> 00:09:18,410 So just to sum up how ports are assigned to villans seriously they can be statically assigned by an 114 00:09:18,410 --> 00:09:19,490 administrator. 115 00:09:19,520 --> 00:09:25,460 So to use an administrator go into an interface and steadily put that port into a villain. 116 00:09:25,460 --> 00:09:30,980 The second option is to create what are called Dynamic villains using a villain membership policy server 117 00:09:31,700 --> 00:09:39,170 dynamic villans allow for a ports deal and to be done emic updated based on the Mac address of the device 118 00:09:39,170 --> 00:09:40,600 attached to that port. 119 00:09:40,910 --> 00:09:46,400 So in a boardroom for example when a director plugs in a laptop based on the Mac address of that laptop 120 00:09:46,490 --> 00:09:52,640 that port is dynamically assigned to the directors the plan when a manager plugs his laptop into that 121 00:09:52,640 --> 00:09:59,020 same port the next day for example that Villon is automatically updated to the managers Villon. 122 00:09:59,030 --> 00:10:04,400 So based on the source Mac address of frame's received in the port the port is automatically assigned 123 00:10:04,580 --> 00:10:12,400 to different lands and last year we have voice villans which are used specifically for IP phones BTP 124 00:10:12,490 --> 00:10:19,720 or villaine trunking protocol is a Cisco proprietary layer to protocol which allows for the Propagation 125 00:10:19,720 --> 00:10:25,980 of the information from one switch to another rather than telnetting to multiple switches. 126 00:10:26,080 --> 00:10:32,710 You can Karaite delete or rename the lands on one switch and have that information automatically propagated 127 00:10:33,100 --> 00:10:35,610 to other switches across trunk links. 128 00:10:35,620 --> 00:10:38,750 Notice the name villaine trunking protocol. 129 00:10:38,770 --> 00:10:42,820 This information can only be propagated across trunk links. 130 00:10:42,820 --> 00:10:48,820 Now ETP can save you a lot of time that has a lot of Sisk engineers will tell the BTP can cause you 131 00:10:48,850 --> 00:10:50,190 a lot of headaches. 132 00:10:50,200 --> 00:10:55,960 Switches can have the entire villaine configuration wiped out if a new switch is added to the network 133 00:10:56,200 --> 00:10:58,320 without following a proper procedure. 134 00:10:58,570 --> 00:11:04,540 So a lot of Cisco engineers will not enable VCP in modern environments because of the inherent risks 135 00:11:04,540 --> 00:11:06,340 associated with this protocol. 136 00:11:07,440 --> 00:11:13,650 GTP messages are sent to the following Mac address which is a well-known multicast address for flooding 137 00:11:13,770 --> 00:11:16,950 of the CTP and DTP protocols. 138 00:11:16,950 --> 00:11:19,400 There are three types of messages in DTP. 139 00:11:19,410 --> 00:11:25,950 You have some free advertisement subset advertisements and advertisement requests and I'll explain each 140 00:11:25,950 --> 00:11:28,790 of these in more detail in the upcoming slides. 141 00:11:28,890 --> 00:11:35,380 But please be aware that there are three message typed when setting up DP devices will by default belong 142 00:11:35,380 --> 00:11:38,560 to the null domain VDB to work. 143 00:11:38,560 --> 00:11:45,490 You need to configure and put the devices into a specific VTB domain only devices within the same DTP 144 00:11:45,490 --> 00:11:49,460 domain will be updated with the line information. 145 00:11:49,480 --> 00:11:56,920 A switch can only be configured in a single VTB domain at any given time by default Cisco switches are 146 00:11:56,920 --> 00:12:04,450 in the nold domain or no management domain until they receive an advertisement for a domain over trunked 147 00:12:04,450 --> 00:12:04,980 link. 148 00:12:05,080 --> 00:12:08,350 Or until you manually configure a management domain. 149 00:12:08,580 --> 00:12:14,830 So in this example let's assume that these devices have been put into the VTB domain with the name of 150 00:12:14,830 --> 00:12:15,750 Cecka. 151 00:12:16,030 --> 00:12:22,300 Remember these VCP is a layer to protocol and requires trunked links for communication. 152 00:12:22,540 --> 00:12:29,860 So VDB will not traverse Harada an important concept to understand NVP is the concept of a revision 153 00:12:29,860 --> 00:12:30,490 number. 154 00:12:31,380 --> 00:12:38,260 Every time it changes made to the villain database the revision number in BTP will increment by 1. 155 00:12:38,460 --> 00:12:45,410 So let's assume that all devices in this apology have a revision number of 1 yours in a ministry to 156 00:12:45,600 --> 00:12:51,720 a villain let's say we three to the switch it's revision number will then increment from a vision number 157 00:12:51,720 --> 00:12:59,320 1 to revision number 2 that information will then be advertised to all other switches in the VTB domain 158 00:12:59,650 --> 00:13:05,410 so that they can synchronize their databases to the latest revision number which is revision number 159 00:13:05,410 --> 00:13:06,440 2. 160 00:13:06,550 --> 00:13:11,680 So the switch at the top will send what is called a GTP summary advertisement to all of the switches 161 00:13:11,710 --> 00:13:14,860 informing them that a change has been made. 162 00:13:14,860 --> 00:13:17,610 Remember this is sent using a multicast address. 163 00:13:17,740 --> 00:13:21,070 So all of these devices will see that message. 164 00:13:21,070 --> 00:13:26,440 They will then request the latest information using an advertisement request and the switch at the top 165 00:13:26,620 --> 00:13:31,800 will send them detailed information about the change using a subset advertisement. 166 00:13:31,810 --> 00:13:37,150 The net result is that the revision numbers and all of these switches will increment to the same revision 167 00:13:37,150 --> 00:13:40,740 number as a switch where the change was made. 168 00:13:40,780 --> 00:13:46,210 So Viola and three will appear in all the databases of the switches and the revision number will be 169 00:13:46,210 --> 00:13:48,100 set to revision number two. 170 00:13:48,250 --> 00:13:54,430 The whole concept with VTB is that you can make changes on an individual device as those changes are 171 00:13:54,430 --> 00:13:55,190 made. 172 00:13:55,300 --> 00:14:00,700 All other switches are informed of the change and they will synchronize their databases to the latest 173 00:14:00,700 --> 00:14:06,130 revision number so that they end up having the same B plans and maybe Lenn databases. 174 00:14:06,130 --> 00:14:11,680 That means that you as the administrator only to make changes on one switch rather than five switches 175 00:14:11,680 --> 00:14:18,300 in the apology please note ports are put into individual villans by for example an administrator. 176 00:14:18,610 --> 00:14:25,300 The DP does not put ports into individual villans it just updates the database so that the switches 177 00:14:25,300 --> 00:14:31,770 know which villains exist use an administrator still need to put those ports into the relevant villans. 178 00:14:31,990 --> 00:14:38,230 So this is just a villain database update mechanism so that switches know the villains that exist in 179 00:14:38,230 --> 00:14:40,810 the typology. 180 00:14:40,820 --> 00:14:43,500 So let's look at the VDB messages in more detail. 181 00:14:43,520 --> 00:14:46,760 The first stop of VDB message is a summary advertisement. 182 00:14:46,760 --> 00:14:51,620 This is sent every five minutes or whenever there's a change. 183 00:14:51,620 --> 00:14:58,340 So whenever an administrator makes a change on a switch by for instance adding a Villon a summary advertisement 184 00:14:58,340 --> 00:15:03,590 will be sent out on the well-known multicast address to all of the switches in the domain. 185 00:15:03,590 --> 00:15:10,190 So this is used to inform other switches of the current VCP domain and the current configuration revision 186 00:15:10,190 --> 00:15:10,910 number. 187 00:15:11,210 --> 00:15:17,510 So as an example on switch one the administrator adds another villain let's say villain for the revision 188 00:15:17,510 --> 00:15:19,150 number will be incremented. 189 00:15:19,150 --> 00:15:23,160 So if the revision number was three it would not be incremented to 4. 190 00:15:23,660 --> 00:15:29,660 This switch will say in a summary advertisement to all neighboring switches informing them of the current 191 00:15:29,660 --> 00:15:36,740 VTB domain and the new configuration revision number switches that receive that summary advertisement 192 00:15:37,060 --> 00:15:43,310 will then send back a summary request asking for detailed information of the changes that have been 193 00:15:43,310 --> 00:15:44,160 made. 194 00:15:44,180 --> 00:15:50,240 There are three situations when some requests are used Firstly when a switch has been reset or when 195 00:15:50,240 --> 00:15:57,250 the VTB domain name is being changed or when the switch has received a VTB summary advertisement with 196 00:15:57,250 --> 00:16:00,500 a higher configuration revision number than its own. 197 00:16:00,500 --> 00:16:07,370 So because switch to received the summary advertisement from one indicating a high revision number. 198 00:16:07,490 --> 00:16:12,170 In other words the revision number and which one is revision before and the revision number on switch 199 00:16:12,170 --> 00:16:20,090 2 is revision number 3 switch 2 will now request information from switch 1 so that it can update its 200 00:16:20,090 --> 00:16:26,750 database with the latest the information that detailed information is sent from which one to switch 201 00:16:26,750 --> 00:16:28,520 to using what's called a subset. 202 00:16:28,550 --> 00:16:29,780 Advertisement. 203 00:16:29,780 --> 00:16:36,890 This contains a list of the information and if they are several villans more than one subset advertisement 204 00:16:36,890 --> 00:16:42,280 may be required to update and synchronize the databases of other switches. 205 00:16:42,290 --> 00:16:47,370 So essentially what this is is detailed information of the changes that have been made. 206 00:16:47,540 --> 00:16:52,910 The summary advertisement just informs the switch in summary format of the latest revision number and 207 00:16:52,910 --> 00:16:54,290 BTP domain. 208 00:16:54,500 --> 00:17:00,860 If the local switch sees that it's out of date it will request detailed information so that it can synchronize 209 00:17:00,860 --> 00:17:06,500 its database and that information will be provided using a subset advertisement. 210 00:17:06,530 --> 00:17:12,290 The switch is now able to synchronize the local databases to the database of the switch with the latest 211 00:17:12,290 --> 00:17:13,140 information. 212 00:17:14,310 --> 00:17:16,910 Now there are three modes in BTP. 213 00:17:17,100 --> 00:17:25,500 The default mode is server a VTB switch in server mode can create villans modify villains and delete 214 00:17:25,500 --> 00:17:26,370 villans. 215 00:17:26,400 --> 00:17:29,650 It also sends and forwards advertisements. 216 00:17:29,790 --> 00:17:34,040 So if it received an advertisement from another switch it would forward that on. 217 00:17:34,290 --> 00:17:39,070 If you made changes on the local switch it would send some real advertisements. 218 00:17:39,090 --> 00:17:43,340 It would also synchronize its local database to the latest revision number. 219 00:17:43,650 --> 00:17:47,460 And it also saves the villain configuration information locally. 220 00:17:47,460 --> 00:17:52,500 So this is the device where you're going to make your changes multiple switches can be configured as 221 00:17:52,500 --> 00:17:56,530 VTB servers but you need to be really careful with this. 222 00:17:56,580 --> 00:18:03,780 The second mode is VTB client a VTB client can not create change or delete villans. 223 00:18:04,020 --> 00:18:10,050 It is also able to send forward advertisements so it can say in any violence currently listed in its 224 00:18:10,050 --> 00:18:17,310 database to other VTB switches it can also forward advertisement receive from other switches. 225 00:18:17,310 --> 00:18:23,760 Thirdly it would also synchronize its database to the latest configuration revision number this is a 226 00:18:23,760 --> 00:18:29,970 major potential issue with GTP and has burned to many Cisco engineers in the past. 227 00:18:29,970 --> 00:18:33,670 A lot of Cisco engineers will not use VTB because of this issue. 228 00:18:33,930 --> 00:18:36,020 So he has a sample typology. 229 00:18:36,240 --> 00:18:41,850 Now we have a VTB server and it's a scene that all of the switches at the top are configured as VTB 230 00:18:41,850 --> 00:18:48,600 clients the host machines are in the raid Villano green Bil'in and currently the revision number for 231 00:18:48,660 --> 00:18:50,320 the domain is the revision number. 232 00:18:51,790 --> 00:18:57,200 So the latest configuration revision number is to the VTB domain. 233 00:18:57,220 --> 00:19:03,580 Is Cisco and the villains that have been configured on the switches are villains red and green. 234 00:19:03,580 --> 00:19:06,880 Please note once again that the switches have a villain database. 235 00:19:06,880 --> 00:19:13,030 That is what VTB updates the individual ports and the switches need to manually be put in the correct 236 00:19:13,030 --> 00:19:14,460 the. 237 00:19:14,500 --> 00:19:21,000 Now someone plugs a nother switch into the topology from for instance a lab environment. 238 00:19:21,400 --> 00:19:27,270 The reason why this is dangerous is that in a lab environment the lens may have been added and removed 239 00:19:27,610 --> 00:19:32,200 and thus the revision number may be a lot higher than the production network. 240 00:19:32,200 --> 00:19:38,020 So let's assume for the moment that the revision number is 50 this switch only has the blue villaine 241 00:19:38,020 --> 00:19:39,430 configured on it. 242 00:19:39,430 --> 00:19:44,140 So the green and red villans do not exist in the villain database. 243 00:19:44,140 --> 00:19:49,750 A lot of people make the mistake of assuming that as long as the switches configured as a VTB client 244 00:19:50,260 --> 00:19:53,290 it will not cause any problems on the network. 245 00:19:53,290 --> 00:19:58,210 So an administrator plugged in the switch and configures this port as a trunk. 246 00:19:58,510 --> 00:20:02,610 Please note once again that ETP advertisement only sent across trunk ports. 247 00:20:02,710 --> 00:20:08,880 So let's assume that throughout the network all of these links are configured as trunk's as soon as 248 00:20:08,880 --> 00:20:11,380 this client is added to the VCP domain. 249 00:20:11,520 --> 00:20:17,980 And what's really scary is that this client can be automatically updated with the VCP information. 250 00:20:18,030 --> 00:20:23,130 In other words if it's configured with a nold domain it can automatically join the current VCP domain 251 00:20:23,130 --> 00:20:23,920 of Cisco. 252 00:20:24,180 --> 00:20:29,490 And as soon as that happens the devices will synchronize their databases to the latest configuration 253 00:20:29,490 --> 00:20:35,160 revision number which in this case is 50 sun all switches in the live domain. 254 00:20:35,160 --> 00:20:41,730 The revision number is changed to 50 because all of the switches including the VTB server will synchronize 255 00:20:41,760 --> 00:20:49,080 automatically to the VTB client the current villans red and green are automatically removed from the 256 00:20:49,080 --> 00:20:55,230 violent database and the only villain that will now be available in the violent databases of all of 257 00:20:55,230 --> 00:20:58,800 these switches is violently. 258 00:20:58,800 --> 00:21:05,960 Now all of the ports on all the switches that have manually been put into the green or red Villon or 259 00:21:06,090 --> 00:21:07,650 heire disabled. 260 00:21:07,650 --> 00:21:14,810 The issue here is that a port belongs to the red Villon but the red Villon does not exist in the database. 261 00:21:14,910 --> 00:21:17,510 So the port is automatically disabled. 262 00:21:17,790 --> 00:21:23,500 That means that no traffic can be sent or received on the sport and the same thing happens on all other 263 00:21:23,520 --> 00:21:24,720 switches. 264 00:21:24,750 --> 00:21:30,030 Essentially what happens is that the entire network is brought down by the introduction of the single 265 00:21:30,030 --> 00:21:31,200 switch. 266 00:21:31,200 --> 00:21:37,350 That's extremely worrying to say the least that the introduction of a single switch can bring down an 267 00:21:37,350 --> 00:21:39,690 entire enterprise network. 268 00:21:39,810 --> 00:21:46,830 The only way to fix this is to physically connect to the VTB server and then manually add the villans 269 00:21:46,920 --> 00:21:49,200 that have been deleted. 30286