Network Access


  1. Configuring Access Ports for Data:
    • On Switch:
      Switch> enable
      Switch#configure terminal
      Switch(config)# interface [interface-id]
      Switch(config-if)# switchport mode access
      Switch(config-if)# switchport access vlan [VLAN-ID]
  2. Configuring Access Ports for Voice:
    • To configure a Voice VLAN, after setting up your data VLAN:
      Switch(config-if)# switchport voice vlan [VLAN-ID]

  • All switch ports are members of the default VLAN, which is VLAN 1. It is essential to note that the default VLAN should not be used for regular network traffic for security reasons.
  • While you cannot delete VLAN 1, it’s recommended to change the native VLAN and not use VLAN 1 for data traffic.

InterVLAN routing allows devices in different VLANs to communicate with each other. Here’s how it’s set up:

  1. Using a Layer 3 Switch:
    • Create the VLANs:
      Switch# configure terminal
      Switch(config)# vlan [VLAN-ID]
      Switch(config-vlan)# name [VLAN-NAME]
      Switch(config-vlan)# exit
    • Configure an SVI (Switched Virtual Interface) for each VLAN:
      interface vlan [VLAN-ID]
      Switch(config-if)# ip address [IP-ADDRESS] [SUBNET-MASK]
      Switch(config-if)# no shutdown
  2. Using a Router-On-A-Stick:
    • The router interface connected to the switch is divided into sub-interfaces, one for each VLAN. Each sub-interface is configured with an IP address from the VLAN’s subnet.
    • On the router:
      Router# configure terminal
      Router(config)# interface [INTERFACE-ID].[VLAN-ID]
      Router(config-subif)# encapsulation dot1Q [VLAN-ID]
      Router(config-subif)# ip address [IP-ADDRESS] [SUBNET-MASK]
    • Ensure that the trunk port on the switch allows the necessary VLANs.

Additional Notes:

  • When VLANs span multiple switches, ensure that trunk ports are configured between the switches to allow multiple VLANs to pass between switches.
  • Ensure that VLAN IDs and configurations are consistent across switches.
  • Always verify configurations using commands such as show vlan or show interfaces trunk.


A trunk port is used to carry multiple VLANs between switches. To configure a trunk port:

  1. Access the switch via the terminal and enter privileged EXEC mode.
  2. Access the specific interface you intend to configure as a trunk.
    Switch# configure terminal
    Switch(config)# interface [interface-id]
  3. Set the mode of the interface to trunk:
    Switch(config-if)# switchport mode trunk

802.1Q is the IEEE standard for tagging frames on a trunk. It allows for VLAN identification, enabling multiple VLANs to share the same physical link.

  • To specify that the trunk will use 802.1Q tagging:
    Switch(config-if)# switchport trunk encapsulation dot1q
  • By default, all VLANs are allowed on a trunk. However, you can specify which VLANs are allowed:
    Switch(config-if)# switchport trunk allowed vlan [vlan-list]

The Native VLAN is the VLAN that corresponds to untagged traffic on a trunk. By default, this is VLAN 1, but you can (and often should, for security reasons) change it.

  • To set a Native VLAN different from the default:
    Switch(config-if)# switchport trunk native vlan [VLAN-ID]
  • Note: It’s crucial that the native VLAN is consistent on both ends of a trunk link. Mismatched native VLANs can lead to VLAN hopping attacks.


After configuring interswitch connectivity, always verify your configurations:

  1. Trunk Information: Use show interfaces [interface-id] switchport to see trunking status, the Native VLAN, and the allowed VLANs on the trunk.
  2. VLANs on Trunk: Use show interfaces trunk to view which VLANs are active on which trunk ports.
  3. 802.1Q: The encapsulation type can be seen in the output of the show interfaces [interface-id] switchport command.

Remember, in real-world scenarios, you may also need to consider other settings and factors, such as DTP (Dynamic Trunking Protocol), VTP (VLAN Trunking Protocol), or STP (Spanning Tree Protocol) configurations, to ensure smooth interswitch operations.


Layer 2 discovery protocols, such as Cisco Discovery Protocol (CDP) and Link Layer Discovery Protocol (LLDP), are essential tools for network administrators to gain insights into neighboring devices directly connected to a router or switch. They facilitate easier management, mapping, and troubleshooting of networks.

Let’s delve into the configuration and verification of both protocols:

Cisco Discovery Protocol (CDP):

CDP is a proprietary protocol developed by Cisco.

  1. Enable CDP Globally:
    Switch# configure terminal
    Switch(config)# cdp run
  2. Enable CDP on an Interface:
    Switch(config)# interface [interface-id]
    Switch(config-if)# cdp enable
  3. Disable CDP on an Interface:
    Switch(config-if)# no cdp enable
  4. Verify CDP Information:
    • To view details about neighboring devices:
      Switch# show cdp neighbors
    • To view detailed information about a specific neighbor:
      Switch# show cdp neighbors [interface-id] detail

Link Layer Discovery Protocol (LLDP):

LLDP is a vendor-neutral discovery protocol standardized by IEEE.

  1. Enable LLDP Globally:
    Switch# configure terminal
    Switch(config)# lldp run
  2. Enable LLDP on an Interface:
    Switch(config)# interface [interface-id]
    Switch(config-if)# lldp transmit
    Switch(config-if)# lldp receive
  3. Disable LLDP on an Interface:
    Switch(config-if)# no lldp transmit
    Switch(config-if)# no lldp receive
  4. Verify LLDP Information:
    • To view details about neighboring devices:
      Switch# show lldp neighbors
    • For detailed information about a specific neighbor:
      Switch# show lldp neighbors [interface-id] detail

Additional Points:

  • Ensure that CDP or LLDP is supported and enabled on both devices for them to discover each other.
  • These protocols operate only on directly connected devices.
  • They can provide details like device ID, IP address, port ID, platform, and capabilities, making them valuable tools for network documentation and troubleshooting.

Remember to be cautious with discovery protocols, especially in environments where security is a concern. Malicious users could exploit the information from these protocols. Consider disabling them on interfaces that don’t require them or on edge ports facing untrusted networks.


EtherChannel is a port link aggregation technology that allows the grouping of several physical Ethernet links to create a single logical Ethernet link for the purpose of providing fault-tolerance and high-speed links between switches, routers, and servers. Two main protocols manage EtherChannel links: Port Aggregation Protocol (PAgP) which is Cisco-proprietary, and Link Aggregation Control Protocol (LACP) which is an IEEE standard (802.3ad).

  1. Create the EtherChannel:
    Switch# configure terminal
    Switch(config)# interface port-channel [channel-number]
  2. Configure the physical interfaces for EtherChannel:
    Switch(config)# interface range [interface-range]
    Switch(config-if-range)# channel-group [channel-number] mode active
    • active means the interface is using LACP to negotiate the EtherChannel.
  3. Assign VLANs (if necessary):
    Switch(config-if-range)# switchport mode access
    Switch(config-if-range)# switchport access vlan [vlan-number

  1. Create the EtherChannel:
    Switch# configure terminal
    Switch(config)# interface port-channel [channel-number]
  2. Configure the physical interfaces for EtherChannel:
    Switch(config)# interface range [interface-range]
    Switch(config-if-range)# channel-group [channel-number] mode active
  3. Assign an IP address:
    Switch(config)# interface port-channel [channel-number]
    Switch(config-if)# ip address [ip-address] [subnet-mask]


  1. Verify EtherChannel status:
    Switch# show etherchannel summary
  2. Verify LACP:
    Switch# show etherchannel port details
  3. For Layer 3 EtherChannel:
    Switch# show ip interface brief
    • This command should display the port-channel interface with its assigned IP address.

Additional Points:

  • The member ports of an EtherChannel must have the same configuration (speed, duplex mode, native VLAN, allowed VLAN list, etc.).
  • Ensure you use the active keyword for devices that support LACP and that you want to actively negotiate an EtherChannel. If the other side is expected to initiate the EtherChannel negotiation, use the passive keyword.
  • Remember, EtherChannel balances the traffic load across the links based on the source and destination MAC addresses, IP addresses, or port numbers.

EtherChannel, when set up correctly, enhances the network’s bandwidth capacity and provides link redundancy, ensuring network reliability and efficiency.


Spanning Tree Protocol (STP) is essential in preventing loops in Ethernet networks. Rapid PVST+ (Per-VLAN Spanning Tree Plus) is a Cisco enhancement of STP that provides a separate 802.1w Rapid Spanning Tree instance for each VLAN

  • Root Bridge: It’s the central reference point in the STP network. All other switches determine their path to the root bridge to avoid loops.
    • Primary Root Bridge: In a network, this is the main root bridge. In PVST+, you can manually define this bridge using the priority value.
    • Secondary Root Bridge: Acts as a backup to the primary root bridge.
  • Root Port (RP): It’s the port on a switch with the lowest path cost to the root bridge. Each non-root switch should have one root port.
  • Designated Port (DP): For every network segment, there’s one designated port. It’s the switch port with the lowest path cost to that segment.
  • Blocked Port: A port that is prevented from participating in frame forwarding to avoid loops.

With Rapid STP (RSTP, which Rapid PVST+ is based on), there are fewer port states compared to the traditional 802.1D STP:

  • Forwarding: The port is actively forwarding frames.
  • Learning: The port is populating its MAC address table but not yet forwarding frames.
  • Blocking: The port is in standby mode, not forwarding frames to prevent loops. However, it listens for STP messages to determine if it should transition to another state.
  • Disabled: The port is administratively shut down.

In traditional STP, you’d also encounter states like “Listening” and “Broken,” but with RSTP, the process is streamlined for faster convergence.

PortFast is a Cisco optimization to make the STP process more efficient.

  • Purpose: PortFast allows a switch port to immediately transition to the forwarding state upon linkup. This bypasses the traditional listening and learning states.
  • Use Cases: It’s typically used for ports connecting to end devices like computers or servers. Since these devices don’t participate in STP, waiting through the listening/learning states is unnecessary.
  • Benefits:
    • Fast Start: End devices can start sending/receiving data almost immediately upon being connected.
    • DHCP Improvements: Devices that need to obtain an IP address via DHCP can do so faster since they don’t wait for the STP stages.
  • Caution: PortFast should ONLY be enabled on ports connected to end devices. If a switch or hub is connected to a PortFast-enabled port, loops could occur.

In summary, Rapid PVST+ is a Cisco enhancement to ensure fast reconvergence and loop prevention on a per-VLAN basis. Understanding its basic operations, states, and optimizations like PortFast is crucial for network stability and performance.


  1. Autonomous or Standalone Architecture:
    • Each AP operates independently of others.
    • Configuration is done individually on each AP.
    • Suitable for small networks where centralized control isn’t crucial.
  2. Controller-based or Centralized Architecture:
    • Uses Wireless LAN Controllers (WLC) to manage multiple APs.
    • Provides a central point for configuration, management, and policy enforcement.
    • Suitable for medium to large enterprises.
  3. FlexConnect (previously known as Hybrid Remote Edge Access Point or H-REAP):
    • APs can switch client data traffic locally and perform client authentication locally when their connection to the controller is lost.
    • Useful for branch or remote offices that might have WAN connectivity issues.
  4. Cloud-based (Meraki):
    • Management of APs is done through a cloud interface.
    • Simplifies global deployments and offers scalability.
    • Suitable for organizations with multiple sites and those preferring a cloud-managed solution.
  5. Converged Access:
    • Integrates wireless and wired networks on a single platform.
    • Uses Cisco’s Unified Access Data Plane (UADP) application-specific integrated circuit (ASIC).
  6. Mobility Express:
    • Lightweight solution where one of the APs takes the role of the wireless controller.
    • Suitable for small to medium-sized deployments.

AP Modes:

  1. Autonomous or Standalone Mode:
    • AP works independently without a controller.
    • All configurations are local to the AP.
  2. Local Mode (Controller-based):
    • Default mode for APs in a controller-based setup.
    • All client traffic tunnels through the WLC.
  3. FlexConnect Mode:
    • APs can switch client data traffic locally, even if they lose connectivity with the WLC.
    • APs can also authenticate clients locally.
  4. Monitor Mode:
    • AP doesn’t serve clients.
    • Focuses on monitoring the full spectrum for rogue devices, interference, and other potential issues.
  5. Sniffer Mode:
    • Captures and forwards all the packets on a particular channel to a remote machine for analysis.
  6. Rogue Detector Mode:
    • Detects rogue APs.
    • Doesn’t handle data traffic for clients.
  7. Bridge Mode:
    • Primarily used for building-to-building connectivity.
  8. SE-Connect Mode:
    • Used for Spectrum Analysis, offering insights into interference and air quality.

Understanding these architectures and modes helps in choosing the right solution based on the scalability, manageability, and functionality required for a specific deployment scenario.


Access Points are devices that provide wireless connectivity to the network. They connect wireless devices to the wired LAN.

  • Connection to Switch: APs are typically connected to switch access ports. The specific VLAN assigned to that access port is often the native VLAN for the AP’s management traffic.
  • Power: Many APs receive power through Power over Ethernet (PoE) from the switch they’re connected to, eliminating the need for a separate power source.

WLCs manage multiple APs and handle functions like system-wide wireless configurations, RF management, load balancing, and mobility.

  • Connection to Switch: The WLC is usually connected to a switch’s trunk port because it needs to manage traffic from multiple VLANs (each potentially corresponding to a different SSID from the APs).
  • Redundancy: For increased reliability and bandwidth, WLCs can use multiple connections to a switch or even multiple switches. This setup is typically achieved using Link Aggregation (LAG).

  • Access Ports: These ports are part of only one VLAN, and they typically connect devices like computers, printers, or APs to a single VLAN on the switch.
  • Trunk Ports: Trunk ports can carry multiple VLANs. They are used to interconnect switches or to connect devices that handle multiple VLANs, like WLCs. These ports use tagging, typically 802.1Q, to differentiate traffic from different VLANs.

Link Aggregation, or LAG, combines multiple physical connections into a single logical connection, increasing redundancy and bandwidth.

  • Use with WLCs: When a WLC uses LAG, all of its ports are aggregated into a single logical link to the switch or switches. This LAG connection usually connects to a switch’s trunk ports, as the WLC manages traffic from multiple VLANs.
  • Protocol: LAG often uses the Link Aggregation Control Protocol (LACP) to negotiate automatic bundling of links. However, in the context of Cisco WLC, LAG doesn’t use LACP or PAgP, and the configuration needs to be done manually on both the WLC and the switch.

When setting up or troubleshooting WLANs, having a clear understanding of these physical infrastructure connections helps ensure optimal performance, scalability, and reliability of the wireless network.

Describe AP and WLC management access connections (Telnet, SSH, HTTP,HTTPS, console, and TACACS+/RADIUS)

  • Description: A protocol used for remote access to devices, including APs and WLCs.
  • Security: Not secure; transmits data, including login credentials, in plaintext.
  • Usage: Generally replaced by SSH due to its security vulnerabilities, but it’s available on many devices for legacy reasons.

  • Description: A cryptographic network protocol used for securely accessing network devices remotely.
  • Security: Encrypts the session to keep it confidential.
  • Usage: Preferred over Telnet for secure remote access.

  • Description: A protocol used to access the web-based management interface of devices.
  • Security: Not secure; data transmitted is not encrypted.
  • Usage: For accessing the GUI (Graphical User Interface) of WLCs and some advanced APs.

  • Description: A secure version of HTTP, used for accessing the web-based management interface of devices.
  • Security: Encrypts the session using SSL/TLS to ensure data confidentiality and integrity.
  • Usage: Preferred over HTTP for secure web access to device management interfaces.

  • Description: A physical management interface, usually accessed using a console cable that connects directly to the device.
  • Security: Physical access required, providing a level of security; however, additional configurations can further secure console access.
  • Usage: Essential for initial device configurations, troubleshooting, and scenarios where remote access methods are unavailable.

  • Description: A remote authentication protocol used to communicate with an authentication server.
  • Security: Encrypts the entire body of the packet but leaves a standard TACACS+ header. Separates the functions of authentication, authorization, and accounting for flexibility.
  • Usage: Often used in larger enterprises for centralized authentication and policy enforcement.

  • Description: Another remote authentication protocol used to communicate with an authentication server.
  • Security: Encrypts only the password in the access-request packet from the client to the server. Combines authentication and authorization.
  • Usage: Widely used for network access authentication, including in wireless networks.

When setting up and managing APs and WLCs, it’s essential to use the most secure management access methods available and suitable for the given context. This ensures that network resources remain secure and that unauthorized users can’t make potentially harmful changes.

Configure the components of a wireless LAN access for client connectivity using GUI only such as WLAN creation, security settings, QoS profiles, and advanced WLAN settings

  1. Login to the WLC GUI:
    • Open a web browser and enter the IP address of the WLC.
    • Use your credentials to log in.
  2. WLAN Creation:
    • Navigate to WLANs > Create New and click ‘Go’.
    • Provide a profile name and SSID (Service Set Identifier). SSID is the network name that clients will see.
    • Click Apply to save the settings.
  3. Security Settings:
    • Under the WLAN settings, navigate to the Security tab.
    • Choose the Layer 2 security option, which could be None, WPA/WPA2, etc.
      • If selecting WPA2, specify the encryption type (e.g., AES) and enter the passphrase.
    • For enterprise environments, under the AAA Servers section, you might need to define RADIUS servers for authentication.
  4. QoS Profiles:
    • Go to the QoS tab.
    • Choose the desired QoS profile from the dropdown list. For instance, select ‘Platinum’ for voice applications.
    • Ensure other QoS settings like WMM (Wi-Fi Multimedia) are appropriately set based on the WLAN’s intended use.
  5. Advanced WLAN Settings:
    • Navigate to the Advanced tab under WLAN settings.
    • Here, you can configure a variety of advanced settings such as:
      • DHCP Address Assignment: If you want the WLC to control DHCP address assignment.
      • Session Timeout: Duration before a client must re-authenticate.
      • Load Balancing: To balance client distribution among APs.
      • Broadcast/Multicast Settings: Control how these types of frames are handled.
      • Client Limits: Limit the number of clients per AP.
      • And many more based on the specific requirements of your deployment.
  6. Save & Enable the WLAN:
    • After making all the configurations, ensure you save them.
    • Navigate back to the WLAN list, locate your newly created WLAN, and enable it.
  7. Testing:
    • Use a wireless client (e.g., a smartphone or laptop) to locate the SSID and try connecting using the appropriate security credentials.
    • Verify connectivity and access to network resources.

Remember, while this process provides a general guideline, the actual steps, names of tabs, or available options might vary depending on the specific model and software version of the WLC. Always refer to the documentation relevant to your specific device/version when configuring it.