DESIGN BY FATHIN NAUFAL
NETWORK ENGINEER
Switching Cisco
CISCO PACKET TRACER
INTRODUCTION
What Is Cisco Switch
Core Switch: the primary backbone of a large network. This device
serves as a very high-speed traffic aggregation center that connects
various network segments or distribution switches. Its main focus is on
maximum reliability and speed, so the core switch must be able to
forward data packets as quickly as possible without performing
complex processing such as intensive packet filtering or policy
enforcement. A failure at this layer would be catastrophic for the entire
network; therefore, core switches typically have redundant
components and are designed for high availability.
Distribution Switch: acts as an intelligent bridge between the access
layer (users) and the core layer (backbone). Its function is to gather
traffic from all access switches and apply network policies before
forwarding it to the core. This is where processes such as inter-VLAN
routing, packet filtering using Access Control Lists (ACLs), and traffic
prioritization (Quality of Service/QoS) occur. The distribution switch
effectively separates local traffic from traffic that needs to cross the
backbone, thereby increasing network efficiency and security.
Access Switch: the layer closest to the end-user. This device is
responsible for connecting devices such as computers, laptops,
printers, and IP phones to the network. Its primary function is to
provide network connectivity to individual ports and control network
access at a basic level. It is at this layer that features like port security,
segmentation through VLANs, and simple loop prevention are
implemented to manage and secure connections.
INSTALL CISCO
PACKET TRACER
How To Install Cisco Packet Tracer
Please access the following link: [Link]
downloads?courseLang=en-US. If the link is inaccessible, please download
it via Nesaba Media using this link instead:
[Link]
Click Skills For All.
Log in to NetAcad with Google.
CORE SWITCH
What Is Core Switch
A core switch is a high-speed central switch that serves as the main backbone
of a network. This device becomes the central meeting point for all data traffic
from various network segments, ensuring data can travel from one part of the
network to another as quickly and reliably as possible.
Characteristics of a Core Switch
Very High Speed: Its primary focus is on speed (throughput) and low
latency. This device uses the fastest available port technologies (e.g.,
40Gbps or 100Gbps) to forward data packets without delay.
High Reliability and Availability: Because the entire network depends
on it, a core switch must always be operational. It is typically equipped
with redundant components such as dual power supplies and dual
cooling systems. A failure at this layer would paralyze the entire
network.
Aggregation Center: It does not connect directly to end-user devices
like computers or printers. Instead, it connects distribution switches
from various buildings, floors, or departments.
Focus on Fast Routing (Layer 3): Modern core switches are
sophisticated Layer 3 devices. Their job is to efficiently route traffic
between large network segments using dynamic routing protocols like
OSPF or EIGRP. They are not burdened with complex tasks like firewalls or
Access Control Lists (ACLs) that could slow down their performance.
DISTRIBUTION
SWITCH
What Is Distribution Switch
A distribution switch is a network device that acts as an intelligent bridge
between the access layer (users) and the core layer of a network. Its primary
task is to aggregate traffic from multiple access switches, apply network policies,
and efficiently route data to the correct destination.
Characteristics of a Distribution Switch
Traffic Aggregation: It gathers connections from many access
switches into a single point before forwarding them to the core switch.
Policy Enforcement: This is its primary task. It is where security rules
and access controls are applied. For example, using Access Control
Lists (ACLs) to filter traffic or implementing Quality of Service (QoS) to
prioritize voice data.
Inter-VLAN Routing: When a user in the Staff VLAN needs to
communicate with a server in the Server VLAN, the distribution switch is
what performs the routing between those VLANs.
Redundant Gateway for Users: It provides an always-on default
gateway for users. With protocols like HSRP (Hot Standby Router
Protocol), if one distribution switch fails, its counterpart will immediately
take over without disrupting user connections.
Boundary between Layer 2 and Layer 3: This layer is the point where
the Layer 2 network (based on MAC addresses) from the access layer
meets the Layer 3 network (based on IP addresses) from the core layer.
ACCESS SWITCH
What Is Access Switch
An access switch is a network device that serves as a direct connection point for
end-user devices—such as computers, printers, laptops, and IP phones—to the
network.
Characteristics of an Access Switch
Connectivity Provider: Its most fundamental task is to provide physical
ports (Ethernet connections) for user devices to connect to the network.
Network Segmentation (VLAN): It places users into different Virtual
Local Area Networks (VLANs). For example, separating traffic from the
Finance department (VLAN 10) from the Guest department (VLAN 20) to
improve security and management.
Port-Level Security (Port Security): It applies basic security policies
directly at the port level. The Port Security feature can be used to limit
the number of devices that can connect to a single port or to lock a
port so it can only be used by a device with a specific MAC address.
Power over Ethernet (PoE): Many modern access switches provide PoE,
which allows the switch to deliver electrical power over the Ethernet
cable to power devices like IP phones, security cameras, or wireless
access points without needing a separate power adapter.
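As an added example (not part of the original deck), the access-layer controls listed above written out as Catalyst IOS configuration: access mode, VLAN assignment, port security limiting each port to one learned MAC, and basic loop protection on user ports. Interface ranges, VLAN IDs, VLAN names and the "restrict" violation choice are assumptions for this example.

```cisco
! Added example, not from the original deck. Access-port hardening on a
! Catalyst access switch; ranges, VLAN IDs and names are assumed.
configure terminal
 interface range FastEthernet0/1 - 12
  description Finance user ports
  switchport mode access
  switchport access vlan 10
  ! Port security: at most one MAC on this port, learned and kept ("sticky")
  switchport port-security
  switchport port-security maximum 1
  switchport port-security mac-address sticky
  ! restrict = drop frames from any extra MAC, count it and log it, but keep the
  ! port up (the default action, shutdown, err-disables the whole port)
  switchport port-security violation restrict
  ! Simple loop prevention for end-user ports
  spanning-tree portfast
  spanning-tree bpduguard enable
 !
 interface range FastEthernet0/13 - 20
  description Guest user ports
  switchport mode access
  switchport access vlan 20
  switchport port-security
  switchport port-security maximum 1
  switchport port-security mac-address sticky
  switchport port-security violation restrict
  spanning-tree portfast
  spanning-tree bpduguard enable
 !
 ! Unused ports: park them in an unused VLAN and shut them down
 vlan 999
  name PARKING
 interface range FastEthernet0/21 - 24
  switchport mode access
  switchport access vlan 999
  shutdown
end
! Verification: violation counters per port and the learned (sticky) MACs
show port-security
show port-security interface FastEthernet0/1
show port-security address
```

The violation counter shown by `show port-security` is the thing to watch: a port whose "SecurityViolation" count keeps climbing has a second device (or a hub) behind it, which is exactly the condition port security is meant to surface.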
POE
What Is PoE in a Switch
PoE (Power over Ethernet) is a technology that allows Ethernet network cables to transmit both data and electrical power simultaneously over the same cable. PoE turns your network cable into a "2-in-1" cable, eliminating the need for separate power adapters and outlets near connected devices. This is very useful for installing devices in locations that are difficult to reach with a power source, such as CCTV cameras on ceilings or Wi-Fi access points on walls.
PoE Switch to PoE Device (Ideal Scenario)
This is the most common and simplest implementation.
A PoE Network Switch (like many Cisco Catalyst models) has the capability to provide
power directly from its Ethernet ports.
You only need one Ethernet cable to connect and power a PoE Device (such as an IP Phone
or a CCTV camera).
Non-PoE Switch with a PoE Injector
This scenario is used when your switch does not support PoE, but you want to power a PoE
device.
The data cable from the Non-PoE Switch is connected to a PoE Injector.
The injector, which is plugged into an electrical outlet (AC), will "inject" power into the
network cable.
The output from the injector is a single cable that now contains both data and power,
ready to be connected to the PoE Device.
PoE Switch with a PoE Splitter
This scenario is used when you have a PoE source, but your destination device does not
support PoE.
The cable from the PoE Network Switch, containing both data and power, is connected to a
PoE Splitter.
The splitter will "separate" the signal back into two outputs: one Ethernet data cable and a
separate power cable.
These two cables are then connected to the Non-PoE Device (a regular device).
Non-PoE to Non-PoE Scenario (Using PoE Infrastructure)
This scenario combines an injector and a splitter. It demonstrates how you can transmit
power over an Ethernet cable for a long distance to power a non-PoE device from a non-PoE
switch source.
PORT FLAPPING,
INTERFACE ERROR & LOG
What Is Port Flapping In Switch
Bad Cable
Cause: The Ethernet cable being used is physically damaged. This could be because the
cable is severely bent, stepped on, broken internally, or pins on the RJ-45 connector are
broken or missing. Solution: Swap the suspect cable with another cable that is confirmed
to be working properly (a known good cable).
Loose Connections
Cause: The cable connector is not plugged in tightly or is not fully inserted into the port.
Even if it appears to be connected, the connection may not be perfect. Solution: Unplug
the cable from the port, then plug it back in firmly to ensure the connection is completely
secure.
Patch Panels
Cause: The patch panel used to connect cables may be damaged or have a poor
connection. Solution: Try connecting the device directly to the switch, bypassing the
patch panel. If the problem disappears, then the patch panel is the cause.
Bad or Wrong SFP
Cause: This is specific to fiber optic connections. The SFP (transceiver) module being
used may be faulty, incompatible with the switch, or not the correct type. Solution:
Replace the suspect SFP module with another SFP that is confirmed to be working and
compatible.
Bad Port or Module Port
Cause: The fault is not with the cable or SFP, but with the physical port on the switch itself.
Solution: Move the cable to another port on the switch that is known to be working. If the
new port functions normally, the original port is likely faulty.
Bad or Old Endpoint Device
Cause: The problem lies with the device connected to the switch, such as a faulty or old
network interface card (NIC) in a computer, an IP phone, or a speaker. Solution: Replace
the endpoint device (PC, phone, etc.) with another device that is known to be working to
see if the problem is resolved.
Device Sleep Mode
Cause: A device like a laptop or PC enters sleep mode to save power. When entering and
exiting this mode, its network card will turn off and on, which will appear as a port flap in
the switch's logs. Solution: This is a "normal" or expected flap. Check the timestamp in the
logs. If the flap occurs periodically or intermittently (rather than flickering rapidly), it is
likely caused by the device's power-saving settings.
Solution: Port Flapping, Interface Errors & Logs
Identifying Port Flaps
When analyzing system logs, you must pay attention to the timestamp of each port flap
event. This is important because it allows you to compare simultaneous events on that
specific port and validate whether the link flap (the port going up/down) is normal or not. For
example, if a flap occurs periodically every few hours, it might be caused by the sleep setting
on a connected device and is not necessarily a serious network issue.
Interface Show Commands
Explanation of Interface Error Counters
CRC (Cyclic Redundancy Check): A high number of CRC errors is usually caused by data
collisions but can also indicate a physical issue such as a bad cable, SFP, port, or NIC, or a
duplex mismatch.
Input Errors: This is the total of various types of errors occurring on incoming data packets,
such as runts (packets that are too small), giants (packets that are too large), CRC, frame,
overrun, and others.
Output Errors: This error occurs when a data packet is being sent out, usually because the
port's output queue size is too small or there is oversubscription (too much data being sent
to the port simultaneously).
Total output drops: Packets are discarded as they are being sent out, generally due to
interface oversubscription, which is when too much data traffic (for example, from several
1Gbps links) tries to exit through a single 10Gbps link at the same time, causing the port's
buffer to become full.
Unknown protocol drops: Packets are discarded because the switch does not recognize
the protocol being used. For example, if two switches are connected and you disable the
CDP protocol on one switch port, the CDP packets received on that port will be considered
an unknown protocol and will be dropped.
show platform pm interface-flaps {interface {interface-number}}
show idprom interface {interface-number}
The show idprom interface {interface-number} command on a Cisco device is used to display identity information stored in the IDPROM, which is a memory chip on a physical module like an SFP. This information includes important details such as the module type, vendor name, and serial number, which are very useful for hardware verification and asset management. If you add the detail keyword, the command will also display the raw hexadecimal data from the chip for advanced troubleshooting purposes, helping to ensure the module is correctly recognized by the system.
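As an added example (not from the original deck), the switch-side setup that makes the timestamp analysis described above possible, followed by the show commands for the error counters explained in this section. The interface names, the buffer size and the syslog collector address 192.0.2.10 are assumptions.

```cisco
! Added example, not from the original deck. Make link up/down events
! correlatable by timestamp, then read the counters described in the text.
configure terminal
 ! Stamp every log message with date, time and milliseconds and keep a local
 ! buffer, so a flap on one port can be compared with other events at that moment
 service timestamps log datetime msec localtime show-timezone
 logging buffered 64000 informational
 ! Optional: copy the messages to a central syslog collector (address assumed)
 logging host 192.0.2.10
 ! Make sure link and trunk state changes on the port are logged at all
 interface FastEthernet0/1
  logging event link-status
  logging event trunk-status
end
!
! Only the up/down messages for one port, with their timestamps: a flap every
! few hours points at a sleeping endpoint, a rapid flicker at cabling/SFP/port
show logging | include UPDOWN.*FastEthernet0/1
!
! Error counters: CRC, input/output errors, output drops, unknown protocol drops
show interfaces FastEthernet0/1 | include errors|CRC|drops|duplex
!
! Reset the counters, wait a few minutes and read them again: a counter that is
! still increasing is a live fault, not history
clear counters FastEthernet0/1
show interfaces FastEthernet0/1 | include errors|CRC|drops
!
! Transceiver identity (vendor, type, serial) and the raw IDPROM contents
show idprom interface GigabitEthernet0/1
show idprom interface GigabitEthernet0/1 detail
```

The `| include` filter takes an IOS regular expression, so `errors|CRC|drops|duplex` keeps only the counter lines and the duplex line; a duplex mismatch is one of the CRC causes named above, which is why it is worth reading in the same pass.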
MAC ADDRESS
What Is a MAC Address
MAC (Media Access Control) Address is a unique physical address assigned to
every piece of network hardware (like a LAN or Wi-Fi card) as a permanent
identifier. This address consists of 12 hexadecimal characters divided into two
main parts.
Organizationally Unique Identifier (OUI) is the first part of the MAC
address, which in this example is [Link] (the orange boxes). This is a
unique code assigned to identify the manufacturer or company that
made the hardware. For example, companies like Cisco, Intel, or Apple
have their own distinct OUIs. So, by looking at this part, you can tell who
produced the network device.
Network Interface Controller (NIC) Specific part is the second half,
which in this example is [Link] (the blue boxes). This portion is
specific to each device. It's a unique serial number assigned by the
manufacturer for every network card they produce. The combination of
the OUI and this unique number ensures that every device in the world
has a different MAC address and that no two are the same.
Simply put, a MAC address can be compared to a product's serial number:
the first half tells you who made it (OUI), and the second half is the unique
number of that product.
Example MAC Address (Topology: 3 PCs, 1 Switch)
Figure: Checking the MAC address on the switch; checking the MAC address on the PC.
Conclusion
Device Identity: PC1, with the IP address [Link], is connected to port Fa0/2 on the switch. Through the ipconfig command, it is known that PC1 has a unique physical or MAC address of 0090.2B30.E880.
Switch Learning Process: When PC1 sends data, the switch automatically "learns" that MAC address and records which port the data came from.
Intelligent Switch Table: The result is visible in the show mac-address-table command, where the switch has created a mapping that shows the MAC address 0090.2B30.E880 is connected to port Fa0/2. This allows the switch to send data efficiently.
ARP TABLE ON PC
Example ARP Table on a PC
An ARP (Address Resolution Protocol) table is a table used in computer networking
to map an IP (Internet Protocol) address to a MAC (Media Access Control)
address. It is a temporary table or list in a device's memory that serves as a
"notebook" to store the mapping between an IP Address (Layer 3) and a MAC
Address (Layer 2). Its function is to improve efficiency so that a device does not
need to repeatedly ask for this information every time it wants to send a packet.
Explanation of the ARP Table's Role in Packet Transmission:
Need to Send a Packet: Suppose PC1 ([Link]) wants to send data to PC2
([Link]). Before sending, PC1 will first check its own ARP Table to find the
MAC address for the IP address [Link].
ARP Request (If Data is Not in the Table): Because PC1 does not yet know the
MAC address, it performs the process seen in the "In Layers" section. PC1 sends
an ARP Request to the entire network (destination broadcast [Link]),
which essentially asks, "Who owns the IP address [Link]?"
ARP Reply: The "Out Layers" section shows PC2 answering the question. PC2
sends an ARP Reply directly to PC1, which contains the message, "I own the IP
[Link], and my MAC address is 0010.1146.3B67."
Updating the ARP Table: After receiving this reply, PC1 will update its ARP Table
by adding a new entry: IP [Link] -> MAC 0010.1146.3B67.
When PC1 wants to send the next packet to PC2, it will not repeat the process
above. Instead, it will directly look at its ARP Table to find the corresponding MAC
address.
ARP TABLE ON SWITCH
ARP Table on a Switch
Learning Process from the Source
Incoming Packet: In the "In Layers" section, the switch receives a frame (a Layer 2 data packet) on port FastEthernet0/2.
Reading the Source Address: The first thing the switch does is look at the Source MAC Address, which is 0090.2B30.E880.
Updating the Table: The switch then updates its MAC Address Table with the information: "The device with MAC 0090.2B30.E880 is connected to port Fa0/2." This is a very important "learning" process.
Forwarding Process to the Destination
Reading the Destination Address: The switch looks at the Destination MAC Address, 0010.1146.3B67.
Searching the Table: The switch searches its MAC Address Table to answer the question: "On which port is the device with MAC 0010.1146.3B67 located?"
Flooding Decision: In this scenario, the switch does not find the destination MAC address in its table. Because it doesn't know where to send it, the switch takes the only logical action: flooding.
Outgoing Packet: As seen in the "Out Layers" section, the switch forwards the frame to all active ports (FastEthernet0/1 and FastEthernet0/3), except for the port it came from (Fa0/2).
This flooding action ensures that the frame will eventually reach its destination device (PC2). When PC2 later sends a reply, the switch will learn PC2's MAC address and the port it is connected to. After that, future communications will be sent directly to the correct port without needing to be flooded again.
BROADCAST DOMAIN
What Is Broadcast Domain
A broadcast domain is an area within a computer network where a broadcast
message sent by one device can be received by all other devices in that same
area. In other words, it defines the boundary that a broadcast message can
reach.
Explanation
Broadcast Area (Blue Box): All devices (computers, tablets, phones)
connected to the switch are inside one blue area. This area is a single
broadcast domain. This means if the PC in the top left corner sends a
broadcast message, all other devices connected to that switch will receive
and process that message.
Role of the Switch: A switch functions to forward traffic within a single
broadcast domain. It does not stop broadcast messages; instead, it forwards
them to all connected ports (except the one it came from). This is why all
devices connected to one switch (or multiple interconnected switches) are in
the same broadcast domain.
Role of the Router: A router acts as a wall or boundary for the broadcast
domain. As seen in the picture, the router is outside the blue area. Its job is to
stop broadcast messages from leaving the local network and spreading to
other networks (like the internet). Each interface on a router connects to a
different broadcast domain.
Example Broadcast Domain
Broadcast Domain on Switch
Conclusion
The switch handles broadcast traffic within the same broadcast domain as
follows: PC1 (IP [Link]) sends an ARP Request packet to find the physical
(MAC) address of PC2 (IP [Link]), which arrives at the switch via port
Fa0/2 with the destination address [Link] (the broadcast address).
True to its nature, the switch then performs flooding, which is to forward or
copy the broadcast packet to all other active ports within the same network
(except for the port it came from), to ensure the message reaches all
devices, including the intended destination, PC2.
REMOTE SSH
What Is Remote SSH
Remote SSH, or Secure Shell, is a network protocol that allows users to securely connect to
and interact with a computer or server remotely. With SSH, users can execute commands,
transfer files, and manage servers without needing to be at the server's physical location.
SSH Configuration
Add a username and password.
Change the hostname and domain name.
Generate the RSA key and choose its size in bits.
Logging in to the switch over SSH as a user
In the SSH client, enter the switch's IP address and the username.
We'll enter the password we just created, which is "password1". Then, we'll
enter privileged mode by inputting the password we made earlier, which is
"cisco".
VLAN
What Is VLAN
VLAN (Virtual Local Area Network) is a technology that allows you to logically divide a
single physical switch into multiple, separate virtual switches. Its purpose is to group
devices into different networks, even though they are physically connected to the
same switch.
One Physical Switch: You have a single physical switch on the left that is
connected to all the computers.
Separate Virtual Networks: Although connected to one switch, the devices have
been divided into three different groups (VLANs), with each VLAN being a separate
Broadcast Domain.
The main function of a VLAN is to create a separate Broadcast Domain for each group.
This means:
A broadcast message sent by a computer in VLAN 10 (Accounting) will only be
received by other computers in VLAN 10. Computers in VLAN 20 and 30 will not
receive the message.
The same applies to VLAN 20 and VLAN 30. They are isolated from each other.
This turns one switch into independent virtual switches. Computers from different
departments cannot communicate directly with each other, even though they are
plugged into the same physical device. To connect these three VLANs, you would need
a router (or a Layer 3 switch).
VLAN Configuration
To create or change a VLAN and its name on a switch. The VLAN ID ranges from 1 (the default VLAN) up to 4094.
Set the interface to access mode, then assign it to a VLAN ID, either one interface at a time or using an interface range.
Viewing the configured VLANs.
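As an added example (not from the original deck), the three steps above as IOS commands: creating and naming VLANs, assigning single ports, consecutive ranges and a non-consecutive range to them, and viewing the result. VLAN names and port numbers are assumptions.

```cisco
! Added example, not from the original deck. VLAN creation and port assignment;
! VLAN names and interface numbers are assumed.
configure terminal
 ! Create the VLANs and give them names (IDs 2-1001 are normal-range VLANs)
 vlan 10
  name Accounting
 vlan 20
  name Marketing
 vlan 30
  name IT
 exit
 ! A single port
 interface FastEthernet0/1
  switchport mode access
  switchport access vlan 10
 ! A consecutive range (note the spaces around the dash)
 interface range FastEthernet0/2 - 4
  switchport mode access
  switchport access vlan 20
 ! A non-consecutive range: members separated by " , " with spaces
 interface range FastEthernet0/5 , FastEthernet0/7 - 8
  switchport mode access
  switchport access vlan 30
end
! Which VLANs exist and which ports are in each
show vlan brief
! Administrative/operational mode and access VLAN of one port
show interfaces FastEthernet0/1 switchport
```

If a port is assigned to a VLAN ID that does not exist yet, IOS creates that VLAN on the fly with a default name; creating and naming them first, as above, keeps `show vlan brief` readable.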
TRUNK
What Is Trunk
On a switch, a trunk is a port designed to carry traffic from multiple VLANs (Virtual
LANs) simultaneously. Unlike an access port, which only handles a single VLAN, a trunk
port uses VLAN tagging to differentiate and direct traffic from various VLANs over a
single physical link.
The Function and Need for a Trunk
Network Condition: You have two switches. Each switch has devices belonging to
VLAN 10 (Accounting) and VLAN 20 (Marketing).
Problem: How can PC1 in VLAN 10 (on Switch1) communicate with PC6 in VLAN 10 (on
the second switch) if there is only one cable connecting the two switches?
Solution (Trunk): The answer is to configure the connection between the switches
(the dashed line on port Fa0/5) as a trunk link.
How Does a Trunk Work?
When a port is set up as a trunk, it uses a mechanism called VLAN Tagging (commonly
using the 802.1Q protocol).
When data from PC1 (VLAN 10) is about to be sent across the trunk link, Switch1
adds a digital "label" or tag to the data, indicating, "This data belongs to VLAN 10."
The tagged data is then sent through the cable to the destination switch.
When the destination switch receives the data, it reads the tag. Since the tag is
"VLAN 10," the switch knows that this data should only be forwarded to other ports
that are members of VLAN 10.
The same process occurs for data from VLAN 20, where the switch will assign it a "VLAN
20" tag.
TRUNK CONFIGURATION
Trunk Configuration
Configure the interfaces on Switch 1 and Switch 2 in trunk mode.
The allowed VLAN list on a trunk is used to permit (and thereby secure) only the specific VLANs you are targeting. We use this feature when there are two VLANs that need to be secured and permitted. Using the allowed VLAN list, we can specify that only VLAN 10 and VLAN 20, which we have already configured, are permitted.
Adding VLAN 30 to the allowed trunk list with the add keyword.
Removing VLAN 10 from the allowed trunk list with the remove keyword.
Assigning a non-consecutive interface range to VLAN 10.
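As an added example (not from the original deck), the trunk between Switch1 and Switch2 on Fa0/5 (the port named in the Trunk section) with the allowed-VLAN list set, extended with add, and pruned with remove. The commands assume a Catalyst 2960-style switch that only supports 802.1Q; run them on both switches.

```cisco
! Added example, not from the original deck. Trunk with an explicit allowed-VLAN
! list; Fa0/5 follows the text, the rest is assumed. Repeat on both switches.
configure terminal
 interface FastEthernet0/5
  description Trunk to Switch2
  switchport mode trunk
  ! Start restrictive: only the VLANs that must cross this link
  switchport trunk allowed vlan 10,20
 end
! "Vlans allowed on trunk" should read 10,20
show interfaces trunk
!
! Later: add VLAN 30. Without the "add" keyword the whole list is REPLACED
! by 30, which silently cuts VLANs 10 and 20 off the link.
configure terminal
 interface FastEthernet0/5
  switchport trunk allowed vlan add 30
 end
!
! Remove VLAN 10 from the list; VLANs 20 and 30 stay
configure terminal
 interface FastEthernet0/5
  switchport trunk allowed vlan remove 10
 end
show interfaces trunk
show interfaces FastEthernet0/5 switchport | include Trunking VLANs
```

The allowed list is checked per trunk end, so a VLAN must appear on both switches' lists to pass; `show interfaces trunk` on each side shows both the configured list and the "active in management domain" list that actually applies.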
TRUNK IN MLS
What Is Trunk MLS
On a Multilayer Switch (MLS), a Trunk is a special link or connection that functions to
carry data traffic from many VLANs simultaneously over a single physical cable, using
the 802.1q standard protocol.
Basic Function of a Trunk
The topology diagram shows three switches, each with devices in VLAN 10
(Accounting) and VLAN 20 (Marketing). For a PC in VLAN 10 on the first switch to
communicate with another PC in VLAN 10 on the third switch, the connection between
the switches (for example, on port Fa0/5) must be configured as a Trunk. This trunk
acts as a "highway" that carries traffic from all VLANs (10, 20, 30, etc.) simultaneously
on a single link.
Trunk Configuration: 802.1q (MLS Method) vs. ISL
This highlights the difference between two trunking protocols:
ISL (Inter-Switch Link): An older, Cisco-proprietary protocol.
802.1q (Dot1q): The modern protocol that is an industry standard (open standard).
The 802.1q method is referred to as the "MLS method" or "open standard." This is the
best practice, as it ensures your switch can connect with devices from other vendors.
As shown, the configuration is:
switchport trunk encapsulation dot1q (Sets the protocol)
switchport mode trunk (Enables trunk mode)
Special Role of a Multilayer Switch (MLS)
Although its trunking function is the same, the advantage of an MLS (Layer 3 Switch) is
its ability to perform Inter-VLAN Routing internally. This means that in addition to
forwarding VLAN traffic over a trunk, an MLS can also act as a router, allowing a device
in VLAN 10 to communicate with a device in VLAN 20 without needing an external
router.
CONFIGURATION MLS
TRUNK
Trunk Configuration on an MLS
If there are three switches carrying the VLANs, we trunk them using the MLS method.
For other switches, the trunk configuration between Cisco devices can use the default, ISL. For an open-standard trunk configuration, we use 802.1q.
To change the trunk configuration to the open-standard (MLS) method, use switchport trunk encapsulation dot1q.
Here are the three switches that have been configured with ISL and MLS (802.1q) trunks.
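As an added example (not from the original deck), the MLS-side trunk configuration described above on a multilayer switch such as a Catalyst 3560 in Packet Tracer, where the encapsulation has to be fixed to dot1q before trunk mode is accepted. Fa0/5 follows the text; the second uplink and the neighbor names are assumptions.

```cisco
! Added example, not from the original deck. Open-standard (802.1Q) trunks on a
! multilayer switch; Fa0/5 follows the text, Fa0/6 and the neighbors are assumed.
configure terminal
 interface FastEthernet0/5
  description Trunk to Switch2
  ! On a 3560 the default encapsulation is "negotiate"; "switchport mode trunk"
  ! is rejected until the encapsulation is set explicitly
  switchport trunk encapsulation dot1q
  switchport mode trunk
 !
 interface FastEthernet0/6
  description Trunk to Switch3
  switchport trunk encapsulation dot1q
  switchport mode trunk
end
! The Encapsulation column should read 802.1q (not isl, not n-802.1q) on both ports
show interfaces trunk
! Administrative vs operational encapsulation for one port
show interfaces FastEthernet0/5 switchport | include Encapsulation
```

An "n-802.1q" or "n-isl" value in `show interfaces trunk` means the encapsulation was negotiated rather than configured; setting it explicitly on both ends, as above, removes that dependency on what the neighbor happens to prefer.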
DYNAMIC TRUNKING
PROTOCOL (DTP)
What Is Dynamic Trunking Protocol
Dynamic Trunking Protocol (DTP) is a Cisco-proprietary protocol that negotiates whether a link between switches should automatically become a trunk link. DTP allows two directly connected switches to "talk" to each other and decide whether the connection between them should become a trunk link (to carry many VLANs) or an access link (for only one VLAN) without manual configuration on both sides.
DTP Modes
Access: This mode permanently forces the port to be an access link. A port in this mode will never become a trunk, even if its neighboring switch wants it to.
Trunk: This mode permanently forces the port to be a trunk link. The port will always try to form a trunk with the neighboring switch.
Dynamic Auto: This is the passive mode. The port will become a trunk if and only if its neighboring port actively asks for it (is in trunk or dynamic desirable mode). Otherwise, it becomes an access port. This is the default mode on many Cisco switches.
Dynamic Desirable: This is the active mode. The port will actively try to get its neighboring port to form a trunk link.
Interactions Between Modes
Desirable + Desirable/Trunk/Auto = TRUNK: A port set to Dynamic Desirable will successfully form a trunk with a neighboring port whose mode is Desirable, Trunk, or Auto.
Auto + Desirable/Trunk = TRUNK: A Dynamic Auto port is passive, so it will only become a trunk if its neighbor actively asks for it (Desirable or Trunk).
Auto + Auto = ACCESS: An important combination to remember. Because both ports are passive and only wait for a request, neither takes the initiative. As a result, the link becomes an access link, not a trunk.
Access + Anything = ACCESS: If one side is manually set to Access mode, the link will always be access. The Trunk + Access combination results in limited connectivity because the two sides do not match.
Configure Dynamic Trunking Protocol
For show int fa0/5: the administrative mode is the mode we configure, and the operational mode is the resulting mode.
Inviting the neighboring switch to trunk.
DTP configuration result: from dynamic desirable to trunk mode.
Description:
Dynamic auto: waiting (switch 1 cannot form a trunk to the other switch while both sides wait).
Dynamic desirable: forced to become a trunk (the switches can connect to each other).
Changing both switches to dynamic auto will make the link static access.
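As an added example (not from the original deck), the negotiation described above reproduced step by step on Switch1's Fa0/5, with the administrative and operational modes checked after each change, followed by the end state a practitioner would normally leave a link in: the role fixed statically and DTP frames turned off with switchport nonegotiate. Switch names and Fa0/5 follow the text; the user-port range is assumed.

```cisco
! Added example, not from the original deck. Watching DTP negotiate, then
! switching negotiation off. Names follow the text, everything else is assumed.
!
! Step 1: both ends at the default (dynamic auto). Neither side asks, so the
! port stays access. Expected: "Administrative Mode: dynamic auto" and
! "Operational Mode: static access"
Switch1(config)# interface FastEthernet0/5
Switch1(config-if)# switchport mode dynamic auto
Switch1(config-if)# end
Switch1# show interfaces FastEthernet0/5 switchport | include Mode
!
! Step 2: this end becomes desirable. It invites Switch2 (still auto) and the
! link comes up as a trunk. Expected: "Administrative Mode: dynamic desirable"
! and "Operational Mode: trunk"
Switch1(config)# interface FastEthernet0/5
Switch1(config-if)# switchport mode dynamic desirable
Switch1(config-if)# end
Switch1# show interfaces FastEthernet0/5 switchport | include Mode
Switch1# show dtp interface FastEthernet0/5
!
! Step 3 (recommended end state): decide the role statically on BOTH switches
! and stop sending DTP frames, so the trunk/access decision no longer depends
! on whatever is plugged into the other end. On a multilayer switch add
! "switchport trunk encapsulation dot1q" before "switchport mode trunk".
Switch1(config)# interface FastEthernet0/5
Switch1(config-if)# switchport mode trunk
Switch1(config-if)# switchport nonegotiate
!
! User-facing ports: fixed access role, DTP off as well
Switch1(config)# interface range FastEthernet0/1 - 4
Switch1(config-if-range)# switchport mode access
Switch1(config-if-range)# switchport nonegotiate
Switch1(config-if-range)# end
! "Negotiation of Trunking: Off" confirms DTP is disabled on the port
Switch1# show interfaces FastEthernet0/1 switchport | include Negotiation
```

The practical reason for step 3 is that the default (dynamic auto) lets a port's role be decided by its neighbor; a port that must never carry VLAN tags should say so itself rather than rely on the other end not asking.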
TAGGED/UNTAGGED
What Is Tagged and Untagged
In a VLAN network, untagged traffic is normal network data from a user device (such
as a PC) that has no VLAN information attached to it; the switch knows which VLAN this
data belongs to based on the configuration of the access port it is connected to.
However, when data from different VLANs must traverse a single link (such as a trunk
link between switches), the switch adds a digital label, or 'tag', to the data. This labeled
traffic is called tagged, with each tag containing a VLAN ID (e.g., "VLAN 10" or "VLAN 20")
to ensure the receiving switch knows exactly which VLAN to forward the data to,
preventing traffic from different VLANs from getting mixed up on the cable.
Tagged dot1q header. The packets that pass through the trunk are tagged packets; the tag on a trunk identifies the target VLAN. The TCI field carries the VLAN number in hexadecimal in the outbound frame. Here we are targeting VLAN 10.
NATIVE VLAN
What Is Native VLAN
Native VLAN is a special VLAN configured on an 802.1Q trunk link whose data traffic is
treated uniquely and untagged. As shown in the figure, when data from other VLANs
(VLAN1, VLAN2, VLAN3) traverses the trunk, it is tagged for identification. Conversely,
data belonging to the Native VLAN is sent over the same trunk link in its original format
without labels.
Changing the native VLAN on the trunk: the native VLAN has been changed to 20. Returning the native VLAN to the default: on int 0/7 the port has returned to native VLAN 1, the default VLAN.
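As an added example (not from the original deck), the native-VLAN change and rollback described above on interface 0/7 (assumed to be FastEthernet0/7 on a 2960-style switch), with the verification commands and the mismatch message to expect if only one end is changed. The unused VLAN 99 in the last step is an assumption for this example.

```cisco
! Added example, not from the original deck. Native VLAN on a trunk: change,
! verify, roll back. Interface 0/7 follows the text (assumed FastEthernet0/7).
configure terminal
 interface FastEthernet0/7
  switchport mode trunk
  ! Untagged frames on this trunk now belong to VLAN 20
  switchport trunk native vlan 20
 end
! "Native vlan" column should show 20. If the neighbor still uses 1 the switch
! logs %CDP-4-NATIVE_VLAN_MISMATCH, so change both ends of the link together.
show interfaces trunk
show interfaces FastEthernet0/7 switchport | include Native
!
! Back to the default (native VLAN 1)
configure terminal
 interface FastEthernet0/7
  no switchport trunk native vlan
 end
show interfaces FastEthernet0/7 switchport | include Native
!
! Common hardening choice (VLAN 99 assumed): a dedicated VLAN with no access
! ports in it as the native VLAN on every trunk, so untagged trunk traffic
! never lands in a user VLAN
configure terminal
 vlan 99
  name NATIVE-UNUSED
 interface FastEthernet0/7
  switchport trunk native vlan 99
 end
show interfaces trunk
```

The mismatch message is worth treating as an alarm rather than noise: two trunk ends with different native VLANs silently join those two VLANs together, because each end strips the tag for its own native VLAN and the other end re-reads the untagged frame as belonging to a different one.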
CONFIGURE
IP VLAN ON ROUTER
Adding an IP Address to a VLAN
VLAN Configuration on a Router
Enter the VLAN sub-interface fa0/0.10.
Define the sub-interface for VLAN 10 with its IP address and subnet mask.
Use a trunk on the router by connecting the router's outgoing interface to the switch, namely on fa0/8.
SETTING DHCP SERVER ON
ROUTER TO SWITCH
Set IP, subnet mask, default gateway and DNS using
DHCP Server
Configure VLAN 1 (default) for all end users: IP addresses, subnet masks, default gateways and DNS servers.
Configure VLAN 20 and 30 for all end users: IP addresses, subnet masks, default gateways and DNS servers.
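As an added example (not from the original deck) covering both the router sub-interface section and this DHCP section, the router-on-a-stick configuration with one 802.1Q sub-interface and one DHCP pool per VLAN, plus the switch port towards the router as a trunk. Router interface Fa0/0, sub-interface fa0/0.10 and switch port Fa0/8 follow the text; the addresses, VLAN names, exclusion ranges and DNS server address are assumptions. The deck's VLAN 1 pool is built the same way (its sub-interface would use encapsulation dot1q 1 native).

```cisco
! Added example, not from the original deck. Router-on-a-stick plus DHCP
! server on the router. Fa0/0, fa0/0.10 and Fa0/8 follow the text; addresses,
! names and the DNS server 192.168.10.5 are assumed.
!
! --- Router ---
configure terminal
 interface FastEthernet0/0
  no ip address
  no shutdown
 ! One sub-interface per VLAN; the ID in "encapsulation dot1q" must equal the tag
 interface FastEthernet0/0.10
  encapsulation dot1q 10
  ip address 192.168.10.1 255.255.255.0
 interface FastEthernet0/0.20
  encapsulation dot1q 20
  ip address 192.168.20.1 255.255.255.0
 interface FastEthernet0/0.30
  encapsulation dot1q 30
  ip address 192.168.30.1 255.255.255.0
 !
 ! Keep the gateway and a few addresses for static hosts out of every pool
 ip dhcp excluded-address 192.168.10.1 192.168.10.10
 ip dhcp excluded-address 192.168.20.1 192.168.20.10
 ip dhcp excluded-address 192.168.30.1 192.168.30.10
 ! One pool per VLAN; the router chooses the pool whose network matches the
 ! sub-interface the DHCP request arrived on
 ip dhcp pool VLAN10
  network 192.168.10.0 255.255.255.0
  default-router 192.168.10.1
  dns-server 192.168.10.5
 ip dhcp pool VLAN20
  network 192.168.20.0 255.255.255.0
  default-router 192.168.20.1
  dns-server 192.168.10.5
 ip dhcp pool VLAN30
  network 192.168.30.0 255.255.255.0
  default-router 192.168.30.1
  dns-server 192.168.10.5
end
! Sub-interfaces up, and the leases handed out so far
show ip interface brief
show ip dhcp binding
!
! --- Switch: Fa0/8 towards the router must carry all three VLANs ---
configure terminal
 interface FastEthernet0/8
  description Uplink to router (router-on-a-stick)
  switchport mode trunk
  switchport trunk allowed vlan 10,20,30
end
show interfaces trunk
```

If a PC in VLAN 20 gets no lease, check three things in order: Fa0/8 is operationally a trunk and allows VLAN 20, the router's fa0/0.20 is up with the matching dot1q ID, and `show ip dhcp binding` shows whether the router ever answered; the pool network must contain the sub-interface address or the router will not use it.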
SWITCH VIRTUAL
INTERFACE
What Is a Switch Virtual Interface
Switch Virtual Interface (SVI) is a virtual or logical interface created within a
Multilayer Switch (Layer 3 Switch). This SVI has no physical form but functionally acts
as a gateway for all devices within a VLAN. Simply put, imagine a company with many
departments (VLANs). Each department needs a "representative" to communicate
with other departments. The SVI acts as this virtual representative for each VLAN inside
the switch.
Two Separate Networks: You have two isolated networks:
VLAN 10: Contains Workstations on the [Link]/24 network.
VLAN 20: Contains Servers on the [Link]/24 network.
SVI as a Gateway
To allow these two VLANs to communicate, the Layer 3 Switch creates two virtual
"gateways" inside it:
SVI 10: This is the virtual interface for VLAN 10. The switch is assigned the IP address
[Link] on this SVI. This address becomes the Default Gateway (GW) for all
workstations in VLAN 10.
SVI 20: This is the virtual interface for VLAN 20, with the IP address [Link]. This
address becomes the Default Gateway (GW) for all servers in VLAN 20.
Main Function: Inter-VLAN Routing
The primary function of an SVI is to enable Inter-VLAN Routing directly within the
switch, without needing an external router.
If a workstation in VLAN 10 wants to send data to a server in VLAN 20, the process is
as follows:
The workstation sends the data to its default gateway, which is SVI 10 ([Link]).
The Layer 3 Switch receives this data, sees its destination is on the VLAN 20 network,
and internally routes it to SVI 20 ([Link]).
The switch forwards the data to the destination server in VLAN 20.
SWITCH VIRTUAL
INTERFACE
Example Configuration SVI
Configuring a switch virtual interface (SVI) on a multilayer switch
Configure the VLAN 1 IP address and subnet mask directly; encapsulation is not needed to configure an SVI on the switch.
Description: assign the VLAN IP address on the switch using the SVI method, verify it with do show ip int brief, and bring VLAN 1 up with no shutdown.
SWITCH VIRTUAL
INTERFACE
SETTINGS SWITCH L2 TO L3
Description: multilayer switch, switch virtual interface.
By default the multilayer switch operates at layer 2. If show ip route is run while it is still at layer 2, the only information shown is "ICMP redirect cache is empty". To set up a switch virtual interface on the multilayer switch we change it to layer 3, so that inter-VLAN traffic can be routed by the multilayer switch.
Change from layer 2 to layer 3
Description: the layer 3 output now appears.
SWITCH VIRTUAL
INTERFACE
DHCP SERVER WITH SVI
Change the IP address, default gateway and DNS using DHCP so
that they are filled in automatically.
VIRTUAL TRUNK
PROTOCOL (VTP)
What Is Virtual Trunk Protocol
Note: We will prepare a topology that is already in trunk mode to perform VTP.
Server: A switch in this mode can create, delete, and modify VLANs across the
entire VTP domain. All changes made on this switch will be propagated to all
other switches in the same domain.
Transparent: A switch in this mode does not participate directly in VLAN
management via VTP. It does not apply VLAN information received from
other switches, but it does forward those VTP advertisements on to other switches.
Any VLANs created on this switch are local and are not propagated to other switches.
Client: A switch in this mode only receives and applies VLAN information
received from a switch in server mode. It cannot create, delete, or modify VLANs.
VIRTUAL TRUNK
PROTOCOL (VTP)
Example VTP
Configure VLAN On Router
Configure DHCP On Router
PORT SECURITY
Practice Port Security
Description: For example, we will register an end user interface connected
to a switch using port security. Next, our PC1 will act as a device connected to the
switch that has not been registered. The hacker will try to access that
interface.
We set the port to access mode, then enable switchport port-security.
PORT SECURITY
Practice Using Port Security
Copy the end user's MAC address.
We set the port to access mode, then enable switchport port-security.
Description: We will configure port security for the MAC address, setting the
maximum number of allowed end users to 1 on a single interface. We will also define
the violation action that will occur on the interface if an end user with an unregistered
MAC address attempts to connect. If anyone tries to break in, the port will be shut
down.
PORT SECURITY
Testing Port Security
A hacker breaks into the server room and connects to the interface.
We see the interface is immediately shut down:
fa0/1 down
PORT SECURITY
Testing Port Security
We reconnect the server to the interface using the cable the hacker just used.
We see the interface to the server is still down.
SOLUTION! We issue shutdown on the interface to reset port security toward the server, and after that no shutdown to bring it back up.
MAC ADDRESS STICKY
What Is MAC Address Sticky
MAC Address Sticky is a switch security feature that automatically learns and locks
the MAC address of the first device connected to a port. This feature dynamically
converts the learned MAC address into a secure entry within the configuration, so if
another device attempts to connect, the port will immediately block it according to
the established security policy.
We will try to connect port fa0/2 with
port security using MAC address sticky
(to learn the address automatically).
First, we'll enable port security. Then,
we'll activate MAC address sticky. We
will send a packet so that the sticky
MAC address is read and learned.
Finally, we will set the maximum
number of addresses and configure
the violation action to shutdown.
PORT SECURITY
Port Security Violation Modes
Protect: If an unknown device attempts to connect, packets from that device will be
dropped. No notification is generated, the violation is not logged, and the security
violation count is not incremented. The hacker's access on that interface is still
blocked, but the port remains active and is not shut down.
Restrict: If an unknown device attempts to connect, packets from that device will be
dropped, and this violation will be logged. However, the port remains active and can
be used by legitimate devices.
Shutdown: If a violation occurs, the port will be immediately shut down, so that no
devices can connect until the port is manually re-enabled.
PORT SECURITY
Practice violation protect
Protect : We will put switchport fa0/3 into access mode, then configure port
security, and apply MAC address sticky. We will set the maximum to 1 end
user and set the violation mode to protect.
Protect: The output, after sending a
packet, will show the learned MAC
address. The violation count will be
empty and will not be incremented.
Protect : When the hacker keeps trying to
get in, the interface remains up, but the
packets they send are dropped. Even
when connected and attempting to reach
a server, the port will not shut down.
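As an added example, not code from the slides, the following Python model replays the port-security behaviour described above: static and sticky secure addresses, maximum 1, the protect, restrict and shutdown violation modes, and the shutdown / no shutdown recovery. The MAC addresses and the syslog-style message texts are constructed for this example.

```python
from dataclasses import dataclass, field


@dataclass
class SecuredPort:
    """Model of one access port with switchport port-security (constructed example)."""
    name: str
    maximum: int = 1                    # switchport port-security maximum N
    violation: str = "shutdown"         # protect | restrict | shutdown
    sticky: bool = False                # mac-address sticky: learned entries go to config
    secure_macs: set = field(default_factory=set)    # static + learned secure addresses
    running_config: list = field(default_factory=list)
    violation_count: int = 0
    err_disabled: bool = False
    log: list = field(default_factory=list)

    def __post_init__(self):
        if self.violation not in ("protect", "restrict", "shutdown"):
            raise ValueError("violation mode must be protect, restrict or shutdown")
        for mac in self.secure_macs:    # statically registered addresses
            self.running_config.append(f"switchport port-security mac-address {mac}")

    def receive(self, src_mac: str) -> str:
        """Handle a frame from src_mac; returns forward, drop or err-disabled."""
        if self.err_disabled:
            return "err-disabled"       # nothing passes until the port is reset
        if src_mac in self.secure_macs:
            return "forward"
        if len(self.secure_macs) < self.maximum:
            self.secure_macs.add(src_mac)   # dynamically learned secure address
            if self.sticky:                 # sticky also writes it into the config
                self.running_config.append(
                    f"switchport port-security mac-address sticky {src_mac}")
            return "forward"
        return self._violation(src_mac)

    def _violation(self, src_mac: str) -> str:
        if self.violation == "protect":     # silent drop, counter untouched
            return "drop"
        self.violation_count += 1           # restrict and shutdown both count and log
        self.log.append(f"PSECURE_VIOLATION: unauthorized {src_mac} on {self.name}")
        if self.violation == "restrict":
            return "drop"                   # port stays up for legitimate devices
        self.err_disabled = True            # shutdown: the port goes down
        self.log.append(f"ERR_DISABLE: psecure-violation on {self.name}")
        return "err-disabled"

    def recover(self) -> None:
        """Operator runs shutdown and then no shutdown on the interface."""
        self.err_disabled = False


def demo() -> dict:
    """Replay the slides' scenarios; returns the outcome of each step."""
    fa1 = SecuredPort("Fa0/1", secure_macs={"0001.0000.0001"})   # registered server
    fa2 = SecuredPort("Fa0/2", sticky=True)                        # learns the first device
    fa3 = SecuredPort("Fa0/3", sticky=True, violation="protect")
    r = {"fa1_hacker": fa1.receive("00de.ad00.0001"),             # unregistered device
         "fa1_server_after": fa1.receive("0001.0000.0001")}        # still down
    fa1.recover()
    r["fa1_server_recovered"] = fa1.receive("0001.0000.0001")
    r["fa2_first"] = fa2.receive("0001.0000.0002")
    r["fa2_second"] = fa2.receive("00de.ad00.0002")
    r["fa2_count"] = fa2.violation_count
    r["fa3_first"] = fa3.receive("0001.0000.0003")
    r["fa3_hacker"] = fa3.receive("00de.ad00.0003")
    r["fa3_count"] = fa3.violation_count
    return r


if __name__ == "__main__":
    for step, outcome in demo().items():
        print(f"{step:22} {outcome}")
```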
SPANNING TREE
PROTOCOL (STP)
What Is Spanning Tree Protocol (STP)
STP : STP in this topology ensures that only one of the two paths between
Switch1 and Switch2 is used in order to avoid a loop. The other path remains
ready for use if the primary path experiences a problem. This keeps the
network stable and free from disruptions that could be caused by a loop.
Fa0/2: We shut the interface down and then bring it back up with no shutdown.
STP: In the following three-switch topology we will calculate which interface is blocked by STP.
SPANNING TREE
PROTOCOL (STP)
Blocking Spanning Tree Protocol (STP)
Description: We will calculate and determine the appropriate blocking. We
determine the Root Bridge, Designated Port, Root Port (Non-Root Bridge),
and Alternate Port. When determining RB, DP, RP, and AP, we look at the
MAC address, Bridge ID, or Priority (32768).
Case
Switch A has the smallest MAC address (AAA), so it becomes the Root Bridge, and its ports Fa0/1 and Fa0/2 are automatically Designated Ports (forwarding).
Switch B has the next smallest MAC address (BBB), so it wins the Designated Port on its shared segment, and its interface toward the root is the Root Port (forwarding).
Switch C has the largest MAC address (CCC), so its losing port becomes the Alternate Port (blocked).
SPANNING TREE
PROTOCOL (STP)
Practice Blocking Spanning Tree Protocol (STP)
Switch A
Switch B
Switch C
Description: On SWA, SWB and SWC we note the MAC address. In determining
RB, DP, RP and AP we look at the MAC address, Bridge ID or Priority (32768).
Case
Root Bridge: Switch B, as it has the lowest Bridge ID (MAC starting with 0009).
Designated Ports: Fa0/1 and Fa0/2 on Switch B (both are forwarding).
Root Ports: Fa0/1 on Switch C and Fa0/1 on Switch A (forwarding), as these
ports have the lowest cost path to the Root Bridge.
Designated Port: Fa0/2 on Switch C (forwarding), because its Bridge ID is
lower (MAC starting with 0060), winning the election for the segment
between Switch A and Switch C.
Alternate Port: Fa0/2 on Switch A (blocked).
Final Result : The calculation is
complete, and it has been
confirmed that the Alternate
Port is the correct interface to
be blocked.
SPANNING TREE
PROTOCOL (STP)
Verification Spanning Tree Protocol
Description: Here we can see the root bridge is on switch B.
On Switch B, its Spanning Tree
instance is connected to VLAN 1.
We only have VLAN 1.
Root ID: Provides information about the Root Bridge, including its priority and
MAC address.
Bridge ID: Provides information about the local switch (the one you are
currently on). Its priority is calculated by taking the base priority (default
32768) and adding the VLAN ID number. This is known as the System ID
Extension.
Example for VLAN 1: The calculation is 32768 + 1, resulting in a priority of 32769.
Example for VLAN 30: The calculation would be 32768 + 30, resulting in a
priority of 32799.
MAC address: This is the base MAC address of the local switch.
Note: Here, the role for all interfaces is Designated Port. This is because
Switch B is the Root Bridge, so all of its ports are in a forwarding state
(not blocked).
SPANNING TREE
PROTOCOL (STP)
Determining Cost in Spanning Tree Protocol
Cost: On Switch A, the cost represents the cheapest route to Switch B (the Root
Bridge). The cost is derived from the bandwidth of the interface.
Cost : As we can see here, the lowest
cost path is from Switch B to Switch A.
Cost : If the interface cable is
unplugged, the route changes, and the
new cost becomes 19 + 19, which is 38
SPANNING TREE
PROTOCOL (STP)
Manipulating Bandwidth
Change Bandwidth: If the interface cable is unplugged, the route changes, and
the new cost becomes 19 + 19, which is 38
Change Bandwidth
In this case, we have changed the
bandwidth on interface Fa0/1 on the link
from Switch B to A, from 100Mbps to
10Mbps.
As a result, on the link from Switch A
to B, the cost changes from 19 to 100.
We can see that the Alternate Port
now switches to the path with the
higher cost of 100.
PER VLAN SPANNING
TREE PROTOCOL (PVSTP)
What Is Per Vlan Spanning Tree Protocol (PVSTP)
Per-VLAN Spanning Tree Protocol (PVST+) is a Cisco proprietary enhancement to the
Spanning Tree Protocol (STP) that allows a network to run a separate STP instance for each
individual VLAN.
The Problem with Traditional STP (Single Root Bridge)
Shows the problem that PVST+ solves. In traditional STP, only one switch is elected as the Root
Bridge for all VLANs in the network.
Scenario: SW1 is elected as the Root Bridge for both VLAN 10 and VLAN 20.
Result: To prevent loops, STP will block one link. In this case, the link between SW2 and SW3
(port Fa0/16) is blocked for all traffic.
Weakness: This is inefficient. The link between SW2 and SW3 is completely unused (idle),
even though it could be utilized for traffic from another VLAN. This is a waste of bandwidth.
The Solution with PVST+: Different Root Bridges for Each VLAN
PVST+ allows you to configure a different Root Bridge for each VLAN, thereby creating a
different logical topology for each one.
As shown in the last images:
For VLAN 10: You configure SW1 as the Root Bridge. STP then calculates the best path and
blocks the redundant port only for VLAN 10. In this example, port Fa0/16 on SW3 is blocked.
For VLAN 20: You configure SW2 as the Root Bridge. STP calculates the paths again, but this
time from SW2's perspective. As a result, a different port is blocked only for VLAN 20 (in this
example, port Fa0/17 on SW1).
Main Advantage: Load Balancing
By separating the STP topology for each VLAN, PVST+ enables load balancing of traffic across
the network.
Traffic for VLAN 10 will flow through the SW1-SW2 and SW1-SW3 links.
Traffic for VLAN 20 will flow through the SW2-SW1 and SW2-SW3 links.
As a result, no link is completely idle. All physical links are used to forward traffic, which makes
the utilization of the network infrastructure far more efficient compared to traditional STP.
PER VLAN SPANNING
TREE PROTOCOL (PVSTP)
Configuration PVSTP
Switch Mode Trunk: Connect to Trunk
Switch Mode Trunk: Create VLAN on Switch
Show Spanning-tree : After we have
created the VLANs and connected the
interfaces in trunk mode, we can see
information related to the Spanning Tree.
Each VLAN has its own separate
Spanning Tree information
PER VLAN SPANNING
TREE PROTOCOL (PVSTP)
Manipulation Root Bridge PVSTP
Description : Here we can see that
there are three switches connected
by trunk links using PVSTP. Within this
setup, there are three VLANs: VLAN 1, 2,
and 3. VLAN 1 will connect PCs 3 and 5
(Pink), and VLAN 2 will connect PCs 4
and 6 (Blue).
Simulation : Here we will create a
simulation where traffic for VLAN 2 will
go through Switch C, and Switch C will
become the Root Bridge for that VLAN.
Meanwhile, traffic for VLAN 1 will go
through the original Root Bridge.
Spanning VLAN 2: We will configure
Spanning Tree using the priority
method, setting the value to 20480.
Remember, the lower the priority, the
more likely it is to win the election and
have its ports go up. As a result, ports
Fa0/1 and Fa0/2 on this switch will
become Designated Ports (DP).
Spanning VLAN 2 SWB: On Switch B,
for VLAN 2, its Fa0/2 port is the root
port.
Blocking Vlan 2 : Switch A Fa0/1
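The election and cost calculations on the STP blocking, bandwidth-manipulation and PVST+ root-bridge slides above can be checked with the following added Python model, which is neither Packet Tracer output nor code from the original. The MAC addresses and the A-B port numbers are constructed assumptions; the B-C and C-A ports and the VLAN 2 priority 20480 on Switch C follow the slides.

```python
from dataclasses import dataclass, field

# IEEE 802.1D short path costs for the link speeds used on these slides
COST_BY_MBPS = {10: 100, 100: 19, 1000: 4}


@dataclass
class Switch:
    name: str
    mac: str                                      # base MAC, e.g. "0009.0000.000b"
    priority: dict = field(default_factory=dict)  # per-VLAN priority; default 32768

    def bridge_id(self, vlan: int) -> tuple:
        """PVST+ Bridge ID: (priority + VLAN system-ID extension, MAC); lower wins."""
        return (self.priority.get(vlan, 32768) + vlan, int(self.mac.replace(".", ""), 16))


@dataclass
class Link:
    a: str
    a_port: str
    b: str
    b_port: str
    mbps: int = 100

    def cost(self) -> int:
        return COST_BY_MBPS[self.mbps]

    def ends(self):   # both ends of the segment as (switch, its port, neighbour)
        return ((self.a, self.a_port, self.b), (self.b, self.b_port, self.a))


def root_path_costs(names, links, root):
    """Cheapest total path cost from every switch to the root (Dijkstra)."""
    cost = {n: float("inf") for n in names}
    cost[root] = 0
    todo = set(names)
    while todo:
        u = min(todo, key=cost.get)
        todo.remove(u)
        for link in links:
            for x, _, y in link.ends():
                if x == u and cost[u] + link.cost() < cost[y]:
                    cost[y] = cost[u] + link.cost()
    return cost


def port_roles(switches, links, vlan):
    """Run one STP instance (PVST+: one per VLAN); returns (root, {(switch, port): role})."""
    by_name = {s.name: s for s in switches}
    root = min(switches, key=lambda s: s.bridge_id(vlan)).name
    cost = root_path_costs(by_name, links, root)
    roles = {}
    # Root Port: on each non-root switch, the port with the cheapest path to the root
    # (tie-break: lowest neighbour Bridge ID, then port name)
    for s in switches:
        if s.name == root:
            continue
        best = None
        for link in links:
            for x, port, y in link.ends():
                if x == s.name:
                    cand = (cost[y] + link.cost(), by_name[y].bridge_id(vlan), port)
                    best = cand if best is None or cand < best else best
        roles[(s.name, best[2])] = "root"
    # Designated Port: per segment, the end with the lower (root path cost, Bridge ID).
    # The far end is either that switch's Root Port or an Alternate (blocked) port.
    for link in links:
        (a, ap, _), (b, bp, _) = link.ends()
        a_wins = (cost[a], by_name[a].bridge_id(vlan)) < (cost[b], by_name[b].bridge_id(vlan))
        dp, dp_port, other, other_port = (a, ap, b, bp) if a_wins else (b, bp, a, ap)
        roles[(dp, dp_port)] = "designated"
        roles.setdefault((other, other_port), "alternate")
    return root, roles


def blocked_ports(switches, links, vlan):
    """The Alternate ports STP blocks for this VLAN, as sorted (switch, port) pairs."""
    _, roles = port_roles(switches, links, vlan)
    return sorted(p for p, role in roles.items() if role == "alternate")


# Constructed topology for the slides: B has the lowest MAC (0009...), C the next
# (0060...), A the highest. B-C and C-A ports follow the slides; the A-B ports are assumed.
SWITCHES = [
    Switch("A", "00d0.0000.000a"),
    Switch("B", "0009.0000.000b"),
    Switch("C", "0060.0000.000c", {2: 20480}),   # spanning-tree vlan 2 priority 20480
]
LINKS = [
    Link("A", "Fa0/1", "B", "Fa0/1"),
    Link("B", "Fa0/2", "C", "Fa0/1"),
    Link("C", "Fa0/2", "A", "Fa0/2"),
]

if __name__ == "__main__":
    for vlan in (1, 2):
        print(f"VLAN {vlan}:", port_roles(SWITCHES, LINKS, vlan))
    slow = [Link("A", "Fa0/1", "B", "Fa0/1", mbps=10)] + LINKS[1:]   # A-B link at 10 Mbps
    print("VLAN 1 blocked after A-B drops to 10 Mbps:", blocked_ports(SWITCHES, slow, 1))
```

For VLAN 1 the model reproduces the slides (root B, Switch A Fa0/2 alternate), and for VLAN 2 it moves the root to Switch C and blocks Switch A Fa0/1.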
PER VLAN SPANNING
TREE PROTOCOL (PVSTP)
Simulation PVSTP
Fa0/4: On port Fa0/4, we will
configure access mode for VLAN 2.
This port will connect PC 6 and PC 4.
VLAN 1 Test: From PC 3 (VLAN 1), we will perform a test by sending a packet to PC 5. The packet travels via Switch B to Switch A. The return packet from PC 5 is then sent back through Switch A to Switch B, and finally returns to PC 3, resulting in a successful test.
VLAN 2 Test: From PC 4 to PC 6, here is what we will see. The packet from PC 4 will go to Switch B. It will then be broadcast, but it gets blocked on port Fa0/1 of Switch A. According to the PVSTP topology, the path is from Switch B to Switch C (via Fa0/2) and then to Switch A (via Fa0/2).
Testing: What happens if we remove one of the interfaces? Traffic for both VLAN 1 and VLAN 2 will now also pass through Switch C, and there will be no other significant impact.
Explanation: If the primary one goes down, it will automatically switch over to the other connected switch.
PRACTICE STP SWITCH
Simulation STP 2 Switch
Spanning Tree Protocol
Root Bridge: We look at the switches
and find which one has the smallest
MAC Address. In this case, it's the one
starting with 000a (Switch 1).
Designated Port: In the topology, since
Switch 1 is the Root Bridge, the
interfaces connected to it, which are
Fa0/1 and Fa0/2, become Designated
Ports.
Root Port: In this topology, we look for
the port that is closest to the Root
Bridge. The one that wins by being
closer to the Root Bridge is Fa0/1 on
Switch 2.
Alternate Port: And finally, the port that
loses the election will become the
Alternate Port.
Simulation STP 3 Switch
Explanation: In this case, we can see
that the costs are different. We can see
that the path from SW B to SW A has a
cost of 19, while the path from SWB to
SW C to SW A has a cost of 19 + 19 + 19
= 57.
PRACTICE STP SWITCH
Manipulate 2 STP Switches (change fa0/1 on switch 1 to blocking)
Case : Here, we will change Switch 2
to become the Root Bridge. This will, in
turn, move the blocked port to Fa0/1
on Switch 1.
Primary : On Switch 2, we will configure
it as the Spanning Tree root primary for
VLAN 1. This will cause it to become the
Root Bridge.
Priority: Here we can see its priority has
changed to 24576. (This bridge is the
root)
Switch 2 : Looking at the do show
spanning-tree output, we can see that
for this VLAN, its ports (Fa0/1-3) are all
Designated Ports and are in a
forwarding (Up) state.
Switch 1 & 2: we change the bandwidth on Fa0/1.
Bandwidth: As seen in this case, because we want to force port Fa0/1 on Switch 1 into a blocking state, we are going to change its bandwidth (which modifies the STP cost).
Switch 1 Fa0/1
STATUS PORT STP
STP Port States
Stages When a Cable is Connected
When we connect a cable, there are status stages:
Listening: In this stage, Spanning Tree receives information to
determine if there is a loop. If a loop is detected, it will prepare to block
the port (15 seconds).
Learning: It learns the Spanning Tree topology and the MAC addresses
on the link (15 seconds).
Forwarding: The final stage where the port is Up and operational.
SPANNING TREE
PORTFAST
Spanning Tree Portfast
(skip listening and learning on int connected to User)
Case: In this scenario, we will see that port
Fa0/3 (connected to a PC) does not need
to go through the Spanning Tree listening
and learning states. This is because the
Spanning Tree protocol is only necessary
for switch-to-switch connections.
Fa0/3 Switch 1: We can see that when you
unplug and replug an interface cable
connected to an end device (PC), it goes
through the Listening and Learning states.
Essentially, it takes a very long time to
reach the Forwarding state, up to 15 + 15 =
30 seconds.
Note: PortFast should only be used on
switchport interfaces that connect to
clients and must never be used on
interfaces that connect to another switch.
PortFast has been configured on interface
Fa0/3. This PortFast feature will function in
non-trunking mode. In conclusion, PortFast
allows the port to go directly into the
forwarding state without any delay.
LOOP GUARD
What Is Loop Guard
Loop Guard is a Spanning Tree Protocol (STP)
security feature that prevents loops caused by a
unidirectional link failure or other issues that cause
a port that should be blocked to stop receiving BPDU
messages. Normally, a blocked port will transition to
forwarding mode if it no longer receives BPDUs,
which risks creating a loop. With Loop Guard active,
if the port stops receiving BPDUs, it will not transition
to forwarding but will instead be placed into a loop-
inconsistent state, where the port remains safely
blocked to prevent a loop until BPDUs are received
normally again.
Switch 1 & 2 & 3 (All)
Switch 1: On Switch 1 g0/2 we enable bpdufilter on the port facing the root port.
Switch 2: On Switch 1 we check the inconsistent ports.
BPDU Filter is a Spanning Tree Protocol (STP) feature that completely stops the sending and
processing of BPDU messages on a switch port. When enabled, the port stops participating in STP and
ignores all incoming BPDUs, which is very dangerous because the switch will be unable to detect a
potential loop. Unlike BPDU Guard, which shuts down a port upon receiving a BPDU as a security
measure, BPDU Filter simply ignores them, which can lead to a broadcast storm if another switch is
connected to that port.
LOOP GUARD
Loop Guard Explanation
Switch 1 & 2 & 3 (All)
Switch 1: On Switch 1 g0/2 we enable bpdufilter on the port facing the root port.
Switch 2: On Switch 1 we check the inconsistent ports.
Explanation of Loop Guard
Loop Guard is a recommended security feature to prevent loops that occur if a port that should be
blocked suddenly stops receiving BPDU messages (for example, due to a unidirectional link failure).
Function: Prevents a blocked port from improperly transitioning to the forwarding state.
Global Configuration: The spanning-tree loopguard default command is enabled on all three
switches. This is a best practice that automatically applies Loop Guard to all point-to-point (switch-
to-switch) links.
Result (Logs & Verification):
[Link] %SPANTREE-2-LOOPGUARD_BLOCK log shows that Loop Guard has worked correctly. It
detected a problem on port GigabitEthernet0/1 (likely it stopped receiving BPDUs) and
immediately blocked the port to prevent a potential loop.
[Link] show spanning-tree inconsistentports command confirms this status, displaying port Gi0/1 in
a Loop Inconsistent state.
Explanation of BPDU Filter
BPDU Filter is a very different and potentially dangerous feature if not used correctly. Its function is to
completely stop a port's participation in STP.
Function: Stops the sending and processing of all BPDU messages on a port.
Configuration on SW1 (Port Gi0/2): The spanning-tree bpdufilter enable command is activated on
interface g0/2. This forces the port to ignore all incoming BPDUs and stop sending outgoing BPDUs.
Risk: This action is very dangerous on a switch-to-switch link. By enabling BPDU Filter here, SW1
becomes "blind" to the STP topology from SW3's direction through port g0/2. If other links fail, this
could easily cause a severe network loop because the switch can no longer detect the redundant
path through that port.
Important Warning: Configuring spanning-tree portfast on port g0/2, which is a trunk link between
switches, is a configuration mistake. PortFast should only be enabled on access ports connected to end-
user devices (like PCs), not to other switches.
BPDU GUARD
What Is BPDU Guard
In a network, only switches exchange BPDU messages to
manage the Spanning Tree Protocol (STP). Ports connected to users (like PCs) are
often set to PortFast mode for a faster connection. A problem arises if a PC is
unplugged and replaced with an unauthorized switch, as this new switch will send
BPDUs to the PortFast-enabled port. This can disrupt the entire STP topology,
potentially creating a loop or causing network instability.
switchport mode access: Sets all ports to serve only a single VLAN,
dedicated for devices like PCs.
spanning-tree portfast: Activates the port instantly when a PC
connects, without having to wait for the slow STP process (30-50
seconds).
spanning-tree bpduguard enable: As a security feature, this
command will automatically shut down the port if it detects another
(unauthorized) switch is connected, thereby protecting the network
from potential loops or disruptions.
Switch 2 (We do the same thing on all switches)
ROOT GUARD
What Is Root Guard
Root Guard helps prevent loops indirectly by maintaining the stability of
the Spanning Tree Protocol (STP) topology. STP prevents loops by electing
one stable Root Bridge as its center and blocking redundant paths. The
Root Guard feature ensures the Root Bridge's position can never be taken
over by another unauthorized switch. By keeping the STP topology
consistent and predictable, Root Guard prevents incorrect recalculations
that could unblock a blocked port and create a loop, thereby acting as a
guardian for STP.
Switch 1
Switch 2
Switch 1 (Forced Root)
Root Guard prevents attempts to take over the Root Bridge position.
Protection (on SW1): The spanning-tree guard root command is enabled on
port Fa0/1 of SW1 to protect it from connecting to another switch that is
attempting to become the Root Bridge.
"Attacker" (on SW2): The spanning-tree vlan 1 priority 4096 command is used
to force SW2 to become the new Root Bridge by giving it a very low priority value, which wins the election.
Result: When SW2 attempts to become the root, Root Guard on SW1 detects
this threat and immediately blocks port Fa0/1 by placing it in a root-
inconsistent state, thereby successfully maintaining SW1 as the legitimate
Root Bridge.
ETHERCHANNEL
What Is EtherChannel
Explanation: Let's say we need 300Mbps of bandwidth on a switch, and we have three interface cables available, but each cable provides only 100Mbps. Normally, the switch would only connect using a single interface cable, while the other two would be blocked by STP or serve as backup links. The purpose of EtherChannel is to combine these three physical cables into a single virtual cable. If all three are active, the bandwidth becomes 300Mbps.
Types of Etherchannel
LACP (Link Aggregation Control Protocol): An open standard protocol (IEEE
802.3ad) that combines multiple physical links into a single logical path to
increase bandwidth and provide redundancy. It is flexible for use with devices
from various vendors. (For all vendors) (Layer 2)
PAgP (Port Aggregation Protocol): A Cisco proprietary protocol that functions
similarly to LACP but only works on Cisco devices. It is used to manage and
bundle physical links. (Cisco only) (Layer 2)
Layer 3 EtherChannel: An EtherChannel that operates at Layer 3 (the network
layer). It is used to bundle links that can perform routing between networks or
VLANs, not just switching. (For Multilayer switches only) (Layer 3)
NOTE: Network engineers today more commonly use LACP (Link Aggregation Control
Protocol) for several key reasons:
Open Standard: LACP is an open standard protocol (IEEE 802.3ad), which makes it
compatible with devices from various vendors. This provides flexibility in multi-
vendor environments where network devices from different manufacturers are
used together.
Flexibility: LACP allows for the automatic bundling of multiple physical links into a
single logical path, with the ability to dynamically add or remove links as needed
without disrupting network traffic.
Redundancy and Reliability: LACP automatically determines which links are active
and which are on standby, so if one link fails, traffic is automatically redirected to
another active link. This increases network reliability.
Ease of Management: LACP simplifies link aggregation management by providing
an automatic mechanism to manage and optimize bandwidth usage, thereby
reducing the engineer's workload in monitoring and configuring the network.
ETHERCHANNEL
Configuration Etherchannel LACP (For All Devices)
Etherchannel LACP (Layer2)
Configuration Trunk!
LACP (Link Aggregation Control Protocol): An open standard protocol (IEEE 802.3ad) that combines multiple physical links into a single logical path to increase bandwidth and provide redundancy. It is flexible for use with devices from various vendors.
Configuration Etherchannel LACP
Steps
Switch 0
1. First, we will configure trunk mode for the links that connect the switches.
2. Next, we will create a channel group. There are 6 channel groups available (1-6), meaning we can create up to 6 EtherChannels. The channel group for each inter-switch link must be different. For example, if the link from SW0 to SW1 is Group 1, then the link from SW1 to SW2 must be a group other than 1.
3. Set the channel group mode to Active or Passive
Explanation of LACP Modes
LACP Active: one of the two switches must be active
LACP Passive: Waiting (Not Active)
Switch 1
Active to Active: Success
Passive to Passive: Failed
Active to Passive: Success
Result!
Note: The point is that the connected ones must be the
same! For example, if switch 0 is in group 1, then the
connected switch 1 must also use group 1. And for the
connected port when switch 0 is active, then the
connected switch can be active or passive. For other
ether connectors, the group must be different!
Conclusion: The results of the EtherChannel are:
Po1: Port Channel, and 1 is Group 1
SU: S (Layer 2) and U (In Use) are used
Protocol: LACP
P: In Port Channel
The total speed of all three cables is 300 Mbps.
ETHERCHANNEL
Configuration Etherchannel PAGP (CISCO ONLY)
Etherchannel PAGP (Layer2)
Configuration Trunk!
PAgP (Port Aggregation Protocol)
is a Cisco-proprietary protocol used to
automate the aggregation of Ethernet links to
form an EtherChannel. EtherChannel itself is a
technology that combines multiple physical
links into a single logical link to increase
bandwidth and provide redundancy
Configuration Etherchannel PAGP
Steps
Switch 1
We'll first create a trunk mode to connect the switches.
We'll create a channel group. Channel groups 1-6 are available here, so we can create up to six EtherChannel groups. Each inter-switch link must use a different group! For example, if SW0-SW1 is Group 1, then SW1-SW2 must be in a different group than Group 1.
Channel group mode: auto/desirable
Multi layer switch
Explanation of PAgP Modes
Auto: Waiting
Desirable: Invite
Desirable to Auto: Success
Auto to Auto: Failed
Desirable to Desirable: Success
Note: In multilayer switches we must encapsulate first!
Result!
Note: The point is that the connected ends must be the same! For example, if switch 1 is in group 2, then the connected multilayer switch must also use group 2. And for the connected port, when switch 1 is desirable, the connected switch can be desirable or auto. For other EtherChannel links, the groups must be different!
Conclusion:
Po2: Port Channel, and 2 is Group 2
SU: S (Layer 2) and U (In Use) are used.
Protocol: PAgP
P: In Port Channel
All three cables have a total capacity of 300Mbps.
ETHERCHANNEL
Configuration Etherchannel Layer 3
No Trunk! Config IP Address!
Layer 3 EtherChannel: An EtherChannel
that operates at layer 3 (network). Used
to combine links that can perform
routing between networks or between
VLANs, not just switching.
Configuration Etherchannel PAGP
Multilayer switch1 Step by Step
no switchport: We disable the switch interface
so we can configure the IP address.
channel-group 1 mode on: Here, the group number can be 1-48; configure it on all connected multilayer switches. Note: do not use the same group configuration on every link in the topology.
int po1: Interface port 1
Configure IP Address
Layer 3 Etherchannel Mode
Explanation
On: Active mode for configuring IP addresses
on a multilayer switch.
Result! Note: Etherchannel layer 3 can only be used on
multilayer switches. In this Etherchannel, we
configure it using the IP address on the switch.
Conclusion: The results of the EtherChannel are:
Po2: Port Channel, and 2 is Group 2
RU: R (Layer 3) and U (In Use) are used
Protocol: - (None)
P: In Port Channel
The total speed of all three cables is 300Mbps.
SNMP
What Is SNMP Cisco
SNMP (Simple Network Management
Protocol) is a standard protocol used
to manage and monitor network
devices such as switches, routers, and
servers from a central location. Simply
put, imagine you're a building manager
(network) with many rooms (devices).
SNMP is an intercom system that allows you to check the status of each room—such
as temperature (CPU load), electricity usage (traffic bandwidth), or whether the door
is locked (port status)—without having to visit each room individually.
How SNMP Works
SNMP works on a simple manager-agent model to gather information. There are three
main components involved:
SNMP Manager: This is centralized software (often called a Network Management
Station or NMS) used by an administrator to monitor the network. The manager
sends requests to get data.
SNMP Agent: This is software that runs inside each managed network device (like
a switch). The agent's task is to collect data about the device and respond to
requests from the Manager.
Management Information Base (MIB): This is a structured database within the
agent that contains all the information and statistics about the device, such as
CPU usage, the amount of traffic per port, and operational status. Each piece of
information has a unique identifier called an Object Identifier (OID).
The SNMP Process
Get-Request: The SNMP Manager sends a "Get" request to an agent on a switch to
ask for specific information (for example, "How much data has passed through
port Fa0/1?").
Get-Response: The SNMP Agent on the switch checks its MIB, retrieves the
requested data, and sends it back to the Manager.
Trap: If an important event or anomaly occurs on the switch (for example, one of
its ports goes down), the agent can proactively send a warning message called a
"Trap" to the Manager without having to be asked.
SNMP
Configuration SNMP Cisco
SNMP Configuration
The middle section shows the configuration commands entered on three devices, named data1, data2 and data3 in the screenshot.
The purpose of this configuration is to enable the SNMP agent on each device and set a shared secret called the community string. Two access levels are configured:
snmp-server community public ro
public: the community string, which acts as the password. In the lab screenshots the author used TRUMP as the read-only string, so substitute it for public here; a manager must present this string to read from the device.
ro (read-only): the access level. A manager presenting the read-only string can view data (port status, traffic counters) but cannot change any configuration.
snmp-server community private rw
private: the second community string. It is not more secure than the first; it grants more privilege (the lab used OBAMA for it).
rw (read-write): a manager presenting this string can both read and modify the device (for example rename it, as done later). This is as powerful as an administrator login and must be protected accordingly.
Important: public and private are the factory-default strings that every scanner tries first; never keep them. The commands above use SNMPv1 or SNMPv2c, which are considered insecure because the community string is sent in plain text, so anyone who captures a single packet can reuse it. Where possible use SNMPv3 with authentication and privacy (authPriv). If v2c must stay, use long random strings and append an access list to the snmp-server community command so that only the management station's address is accepted.
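What "sent in plain text" means on the wire, as an added example that is not from the original page: the Python below hand-encodes SNMPv2c messages for sysName.0 (a Get, and the Set used later to rename the device) in their BER structure, then parses them the way a sniffer on the path would. The community strings, request-ids and value are constructed; nothing is transmitted. Any host that sees one read-write request can reuse the string for its own Set, which is why the rw string must be treated like an enable password and why SNMPv3 authPriv, or at minimum an access list on the community, is needed.

```python
"""SNMPv1/v2c on the wire: the community string travels as a cleartext OCTET STRING.

Added example, not from the original page. Hand-rolled BER encoder/decoder for the
SNMP message layout; all strings and ids below are constructed values.
"""

VERSION_V2C = 1                    # SNMPv1 encodes version 0, SNMPv2c encodes 1
GET_REQUEST, GET_RESPONSE, SET_REQUEST = 0xA0, 0xA2, 0xA3   # context-specific PDU tags
SYS_NAME = "1.3.6.1.2.1.1.5.0"     # SNMPv2-MIB::sysName.0, the device name changed in the lab
PDU_NAMES = {GET_REQUEST: "GetRequest", GET_RESPONSE: "GetResponse", SET_REQUEST: "SetRequest"}


def _length(n: int) -> bytes:
    """BER length: one byte below 128, otherwise 0x80|count followed by count bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + _length(len(content)) + content


def enc_int(v: int) -> bytes:
    size = max(1, (v.bit_length() + 8) // 8)          # minimal two's-complement size
    return tlv(0x02, v.to_bytes(size, "big", signed=True))


def enc_str(s: str) -> bytes:
    return tlv(0x04, s.encode())


def enc_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])         # first two arcs share one byte
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:                                    # base-128, high bit = continuation
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return tlv(0x06, bytes(out))


def build_message(pdu_type: int, community: str, request_id: int, oid: str, value=None) -> bytes:
    """SEQUENCE { version, community, PDU { request-id, error-status, error-index, varbinds } }."""
    val = enc_str(value) if value is not None else b"\x05\x00"     # NULL value for a Get
    varbind = tlv(0x30, enc_oid(oid) + val)
    pdu = tlv(pdu_type, enc_int(request_id) + enc_int(0) + enc_int(0) + tlv(0x30, varbind))
    return tlv(0x30, enc_int(VERSION_V2C) + enc_str(community) + pdu)


def _read_tlv(buf: bytes, pos: int):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                 # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(content: bytes) -> list:
    pos, items = 0, []
    while pos < len(content):
        tag, val, pos = _read_tlv(content, pos)
        items.append((tag, val))
    return items


def dec_oid(content: bytes) -> str:
    arcs, acc = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def sniff(raw: bytes) -> dict:
    """Everything a passive observer of the UDP/161 datagram learns, no key material needed."""
    tag, body, _ = _read_tlv(raw, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    (_, version), (_, community), (pdu_tag, pdu) = _children(body)
    (_, req_id), _, _, (_, varbind_list) = _children(pdu)
    [(_, varbind)] = _children(varbind_list)
    (_, oid), (val_tag, val) = _children(varbind)
    return {
        "version": int.from_bytes(version, "big", signed=True),
        "community": community.decode(),              # the 'password', readable by anyone
        "pdu": PDU_NAMES.get(pdu_tag, hex(pdu_tag)),
        "request_id": int.from_bytes(req_id, "big", signed=True),
        "oid": dec_oid(oid),
        "value": val.decode() if val_tag == 0x04 else None,
    }


if __name__ == "__main__":
    get = build_message(GET_REQUEST, "public", 0x1234, SYS_NAME)
    rename = build_message(SET_REQUEST, "private", 0x1235, SYS_NAME, "IT Services")
    for msg in (get, rename):
        print(msg.hex(), "->", sniff(msg))
```

The printed hex of the Get is the exact byte string a capture tool would show for such a request; the community is the bytes immediately after the version integer. SNMPv3 replaces this field with a security-parameters structure and, in authPriv mode, encrypts the PDU, which is the property v1/v2c cannot provide.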
Log Messages (Configuration Results) The final section shows the log message that appears after the configuration command is entered.
SNMP-5-WARMSTART: SNMP agent on host data1 is undergoing a warm start
This message confirms that the SNMP agent on the device has been enabled or restarted after a configuration change. host data1 is the name of the device on which the command was executed, and the -5- is the syslog severity (notification), a normal but significant event. The appearance of this message indicates that the configuration was accepted.
SNMP
Log in to SNMP
In the PC's MIB Browser, enter the device's IP address in the Address field, open Advanced, and enter TRUMP as the read community and OBAMA as the write community.
SNMP menu
SNMP
Example: we will change the device's name through SNMP.
Change the name to "IT Services". This is an SNMP Set on the sysName object and succeeds only because the read-write community (OBAMA) was presented; the read-only string could not do it.
NTP (NETWORK
TIME PROTOCOL)
What Is NTP Server
NTP (Network Time Protocol) server provides an accurate time synchronization
service for all devices within a computer network, such as servers, routers, switches,
and computers. Simply put, imagine an NTP Server as the "master clock" or central
time source for the entire network. Its job is to ensure that every device on the network
has the exact same time, down to the millisecond, so that all time-dependent
activities can run in a coordinated and accurate manner.
Main Functions of an NTP Server
Time Synchronization: Ensures all devices on the network have a uniform and
accurate time.
Log Accuracy: in troubleshooting and security auditing it is crucial that the timestamps on log files from different devices agree. Otherwise it becomes very difficult to reconstruct the correct sequence of events across devices.
Authentication and Security: many security protocols (Kerberos, TLS certificate validity periods, token expiry) depend on synchronized time to reject expired or replayed credentials. Because the time source is trusted this much, the NTP server itself should be a controlled host; a device that accepts time from any source can be fed a wrong time, and its logs then mis-date or mis-order events.
Task Automation: scheduled tasks and automated scripts across systems require a consistent time reference to run correctly.
SYSLOG
What Is Syslog
Syslog is a standard protocol, not specific to Cisco, that network devices use to send log messages or event notifications to a central server called a syslog server, by default over UDP port 514 with no authentication or encryption in transit. Simply put, imagine each network device (router, switch) having a "logbook" in which it records all important events; syslog is how that logbook is copied to one place.
Main Functions of Syslog
Centralized Monitoring: Gathers log messages from tens or hundreds of devices onto a
single server, making it easier for administrators to monitor the health of the entire
network.
Problem Analysis (Troubleshooting): When a problem occurs, the collected logs
become a very valuable source of information for tracking the cause and sequence of
events.
Early Warning (Alerting): The syslog server can be configured to send notifications (for
example, via email) to administrators if it receives a log message with a certain severity
level.
Security Auditing and Compliance: Logs provide an important audit trail, showing who
logged into a device, when, and what configuration changes were made.
Severity Levels
Level 0 (Emergency): The most critical. Indicates the system is completely unusable.
Example: System is unusable.
Level 1 (Alert): Requires immediate action from an administrator. Example: Immediate
action is needed.
Level 2 (Critical): A critical condition, such as a major hardware or software failure.
Example: Critical condition.
Level 3 (Error): An error condition that may not be as critical as level 2 but still indicates
a problem. Example: Error condition.
Level 4 (Warning): A warning condition that could become a problem if not addressed.
Example: Warning condition.
Level 5 (Notification): A notification message for a normal but significant event, such as
a port coming up or going down. Example: Normal but significant condition.
Level 6 (Informational): A regular, informative message. Example: Normal information
message.
Level 7 (Debugging): The least critical. Contains highly detailed debugging messages,
usually only enabled during intensive troubleshooting processes. Example: Debugging
message.
SYSLOG
Configure Syslog Server
On the server, open the Services tab, select SYSLOG and set the service to On.
Then select NTP and set it to On as well, so the devices can take both their time and their log destination from this server.
SYSLOG
Configuration Router For Syslog
Explanation
The ntp server [Link] command tells the router to synchronize its clock to the NTP server at that address.
The service timestamps log datetime msec command enables timestamps on log messages with millisecond resolution; with the localtime and show-timezone keywords added, the timestamp is expressed in the configured time zone and carries its name. Without this command the messages carry no time at all, which defeats the purpose of collecting them centrally.
The show ntp status command verifies synchronization: its output begins with "Clock is synchronized" once the router has locked onto the server, and show ntp associations lists the configured servers and their state.
The show clock command displays the router's current time; an asterisk in front of the time means the clock is not authoritative.
SYSLOG
Configuration Switch For Syslog
Configuring logging to the syslog server
The logging host [Link] command (the shorter form logging [Link] does the same) tells the device to send its log messages to the syslog server at that address. By default messages of severity informational (6) and more severe are forwarded; logging trap followed by a level name changes that cut-off. Because plain syslog travels over UDP port 514 without authentication, keep the server on the management network and restrict which hosts can reach it.
SYSLOG
Results Syslog Server
Notes:
The example log data from the syslog server above includes the time, the hostname or IP address of the sender, and the log message itself, whose -5- field is the severity (notification).
With a syslog server, storing and reading logs is much easier.
For example, the messages above tell us that the interface on SW1 (Gi0/0) that connects directly to RT (Gi0/0) changed from up to down, first the interface (LINK) and then its line protocol (LINEPROTO). From that we can infer that RT, or the link to it, went down, and the timestamps let us order this against what RT itself logged.
How To Read Syslog Status
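As an added example, not from the original page, the Python below reads IOS-format messages the way the syslog server displays them: it decodes the %FACILITY-SEVERITY-MNEMONIC header, maps the severity to the level names above, and flags two things a practitioner checks first, a severity at or below a threshold and a timestamp prefixed with * or . (the device's clock was never set, or is set but not NTP-synchronized, so its events cannot be ordered against other devices). It also pairs the LINK and LINEPROTO messages per interface, as in the SW1 Gi0/0 reading above. The log lines are constructed sample input, not captured from the lab.

```python
"""Triage Cisco IOS syslog lines: severity, clock trust and interface state.

Added example, not from the original page. The lines below are constructed in the
format an IOS device emits with 'service timestamps log datetime msec'; they were
not captured from the lab.
"""
import re
from typing import Optional

SEVERITY = {0: "emergency", 1: "alert", 2: "critical", 3: "error",
            4: "warning", 5: "notification", 6: "informational", 7: "debugging"}

SYSLOG_RE = re.compile(r"""
    ^(?:(?P<seq>\d+):\s+)?                 # present with 'service sequence-numbers'
    (?P<clock>[*.])?                       # '*' clock never set, '.' set but not NTP-synchronized
    (?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s\d{2}:\d{2}:\d{2}(?:\.\d{3})?)?:?\s*
    %(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s
    (?P<text>.*)$""", re.VERBOSE)

IFACE_RE = re.compile(r"Interface (\S+), changed state to (.+)$")

LOG_LINES = [  # constructed sample input
    "*Mar  1 00:00:31.022: %LINK-3-UPDOWN: Interface GigabitEthernet0/0, changed state to down",
    "*Mar  1 00:00:32.026: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0, changed state to down",
    ".Oct  5 10:15:42.118: %SYS-5-CONFIG_I: Configured from console by console",
    "Oct  5 10:16:01.500: %SNMP-5-WARMSTART: SNMP agent on host SW1 is undergoing a warm start",
    "Oct  5 10:17:09.004: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 192.0.2.10] [localport: 22]",
    "Oct  5 10:17:15.310: %LINK-5-CHANGED: Interface GigabitEthernet0/1, changed state to administratively down",
]


def parse(line: str) -> Optional[dict]:
    """Split one IOS message into fields; None if the line is not in IOS format."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    sev = int(m["severity"])
    if m["ts"] is None:
        clock = "no timestamp"             # 'service timestamps' not enabled on the device
    else:
        clock = {"*": "not set", ".": "not ntp synchronized", None: "synchronized"}[m["clock"]]
    return {"seq": m["seq"], "timestamp": m["ts"], "clock": clock,
            "facility": m["facility"], "severity": sev, "level": SEVERITY[sev],
            "mnemonic": m["mnemonic"], "text": m["text"]}


def triage(lines, threshold: int = 4) -> list:
    """Events worth a ticket: severity <= threshold (0-4, warning and worse, stricter than
    the IOS default of forwarding informational) or a timestamp that cannot be trusted
    when correlating with other devices."""
    flagged = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        reasons = []
        if ev["severity"] <= threshold:
            reasons.append(f"severity {ev['severity']} ({ev['level']})")
        if ev["clock"] != "synchronized":
            reasons.append(f"clock {ev['clock']}: cross-device ordering unreliable")
        if reasons:
            flagged.append((ev["mnemonic"], reasons))
    return flagged


def interface_transitions(lines) -> dict:
    """Latest LINK / LINEPROTO state per interface, the pair read off the server in the text."""
    state = {}
    for line in lines:
        ev = parse(line)
        if ev and ev["facility"] in ("LINK", "LINEPROTO"):
            m = IFACE_RE.search(ev["text"])
            if m:
                state.setdefault(m[1], {})[ev["facility"]] = m[2]
    return state


if __name__ == "__main__":
    for mnemonic, reasons in triage(LOG_LINES):
        print(mnemonic, "->", "; ".join(reasons))
    print(interface_transitions(LOG_LINES))
```

Feed it the lines exported from the syslog server; a device whose every message is flagged for its clock is one where ntp server was not configured or never synchronized, and its timestamps should not be used as evidence of order.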