1 Cabrillo College CCNP – Multilayer Switching Introduction to VLANs Introduction to VLANs Rick Graziani, Instructor March 27, 2001.

1

Cabrillo College

CCNP – Multilayer Switching CCNP – Multilayer Switching

Introduction to VLANsIntroduction to VLANsRick Graziani, Instructor

March 27, 2001March 27, 2001

2

VLANs

Switched networks that are logically segmented on an organizational basis by functions, project teams, or applications rather than on a physical or geographical basis

3

VLANs

Can be thought of as a broadcast domain that exists within a defined set of switches

Provide the segmentation services traditionally provided by routers

Offer scalability, security, and improved network management

Routers in VLAN topologies provide broadcast filtering, security, address summarization, and traffic flow management.

4

VLANs

What are the issues if these were only separate subnets and not vlans? To solve this problem, normally the router would only be attached to one subnet and the hosts on physically separate subnets, in order to divide the broadcast domains.

5

VLANs

6

VLANs are secure Whenever a station transmits in a shared

network such as a legacy half-duplex 10BaseT system, all stations attached to the segment receive a copy of the frame, even if they are not the intended recipients.

Anyone with such a network sniffer can capture passwords, sensitive e-mail, and any other traffic on the shared network.

7

VLANs are secure - Switches

Switches allow for microsegmentation– Each user that connects directly to a switch

port is on his or her own segment.• If every device has its own segment

(switchport) then only the sender and receiver will “see” unicast traffic, unless the switch has to flood the unicast traffic for that vlan.

• More in a moment!

VLANs contain broadcast traffic– Only users on the same VLAN will see

broadcasts

8

Side Note - Transparent Bridging Transparent bridging (normal switching

process) is defined in IEEE 802.1d describing the five bridging processes of:– learning– flooding filtering– forwarding– aging

These will be discussed further in STP

9

Transparent Bridge Process - Jeff DoyleReceive Packet

Learn source address or refresh aging timer

Is the destination a broadcast, multicast or unknown unicast?

Are the source and destination on the same interface?

Forward unicast to correct port

Flood Packet

Filter Packet

Yes

Yes

No

No

10

Transparent Bridging Switches will flood unicast traffic out all ports if it does

not have the destination MAC address in its source address table.

This can be especially true for large flat networks where switches cannot contain all of the MAC addresses.– MAC address table can be 1,024 (or less) and more

than 16,000 addresses depending upon vendor and model

Addresses will also age out of the source address table which means the frames will be flooded. This traffic may include confidential information including passwords.– Cisco and Bay default is 5 minutes (common)– Why so small? Dynamic and current.

11

Changing and viewing the aging timer Set-basedSwitch_1> (enable) set cam agingtime vlan

agingtime_in_msec

Switch_1> (enable) show cam agingtime

VLAN 1 aging time = 300 sec

VLAN 2 aging time = 300 sec

IOS-basedSwitch(config)# mac-address-table aging-time seconds [vlan vlan]

Switch# show mac-address-table aging-time

300

12

Show Mac-Address-Table (Source Address Table)

Set-basedConsole> (enable) show cam dynamic

* = Static Entry. + = Permanent Entry. # = System Entry. R = Router Entry. X = Port Security Entry

VLAN Dest MAC/Route Des [CoS] Destination Ports…

---- ------------------ ----- -------------------

1 00-a0-c9-66-86-94 2/6 [ALL]

Total Matching CAM Entries Displayed = 1

13

Show Mac-Address-Table (Source Address Table)

IOS-basedSwitch#show mac-address-table dynamic

Non-static Address Table:

Destination Address Address Type VLAN ... Port

------------------- ------------ ---- ...------

00a0.c966.8694 Dynamic 1 FastEthernet0/5

14

VLANs contain broadcast, multicast (later) and unknown unicast traffic to the specific VLAN

VLANs are secure - Switches

15

VLANs control broadcasts

16

VLANs control broadcasts Broadcast traffic is a necessary evil

– Routing protocols and network services typically rely on broadcasts

– Multimedia applications may also use broadcast frames/packets

Each VLAN is its own broadcast domain– Traffic of any kind cannot leave a VLAN without L3

services (a router)– Administrators can control the size of a broadcast

domain by defining the size of the VLAN

17

VLANs improve BW utilization

Bandwidth is shared in legacy Ethernet; a switch improves BW utilization by eliminating collisions (microsegmentation).

VLANs further improve BW utilization by confining broadcasts and other traffic

Switches only flood ports that belong to the source port’s VLAN.

18

VLANs decrease latency

If switches and VLANs were used here instead of routers, Accounting users would experience less latency.

19

When NOT to VLAN

20

Types of VLANs When scaling VLANs in the switch block,

there are two basic methods of defining the VLAN boundaries:– End-to-end VLANs (no longer

recommended by Cisco due to management and STP concerns)

– Local VLANs

21

Types of VLANs Remember: a one-to-one correspondence

between VLANs and IP subnets is strongly recommended!– Typically, this results in VLANs of 254

hosts or less. (Depending upon the subnetting scheme used.)

22

End-to-End VLANs Users are grouped into VLANs independent

of physical location and dependent on group or job function.

All users in a VLAN should have the same 80/20 traffic flow patterns.

As a user moves around the campus, VLAN membership for that user should not change.

Each VLAN has a common set of security requirements for all members.

23

End-to-End VLANs

24

Local VLANs As many corporate networks have moved to

centralize their resources, end-to-end VLANs became more difficult to maintain.

Users are required to use many different resources, many of which are no longer in their VLAN.

Because of this shift in placement and usage of resources, VLANs are now more frequently being created around geographic boundaries rather than commonality boundaries.

25

Local VLANs Can span a geographic location as large as

an entire building or as small a one switch 20/80 rule in effect with 80 percent of the

traffic remote to the user and 20 percent of the traffic local to the user

A user must cross a L3 device in order to reach 80 percent of the resources– However, this design allows the network to

provide for a deterministic, consistent method of accessing resources.

26

VLAN Types

The two common approaches to assigning VLAN membership are:– Static VLANs– Dynamic VLANs

27

Static VLANs Also referred to as port-based membership VLAN assignments are created by assigning

ports to a VLAN As a device enters the network, the device

automatically assumes the VLAN of the port. – If the user changes ports and needs access to the

same VLAN, the network administrator must manually make a port-to-VLAN assignment for the new connection.

28

Static VLANs

29

Static VLANs The port is assigned to a specific VLAN

independent of the user or system attached to the port.

The port cannot send or receive from devices in another VLAN without the intervention of a L3 device.– The device that is attached to the port likely has

no understanding that a VLAN exists. – The device simply knows that it is a member of a

subnet. (ip address and subnet mask)

30

Static VLANs Switch is responsible for identifying that the

information came from a specific VLAN and for ensuring that the information gets to all other members of the VLAN.– The switch is further responsible for

ensuring that ports in a different VLAN do not receive the information.

31

Static VLANs This approach is quite simple, fast, and easy

to manage in that there are no complex lookup tables required for VLAN segmentation.

If port-to-VLAN association is done with an application-specific integrated circuit (ASIC), the performance is very good.

An ASIC allows the port-to-VLAN mapping to be done at the hardware level.

32

Configuring Static VLANs

IOS-Based SwitchSwitch# vlan database

Switch(vlan)# vlan vlan-num name vlan-name

Switch(config)#interface fastethernet 0

Switch(config-if)# switchport access vlan vlan-num

33

Configuring Static VLANs

Set-Based SwitchSwitch(enable) set vlan vlan-num [name name]

Switch(enable) set vlan vlan-num mod/num_list

Switch(enable) set vlan 10 2/19-24

34

Dynamic VLANs Created through the use of software

packages such as CiscoWorks 2000 Allow for membership based on the MAC

address of the device As a device enters the network, the device

queries a database for VLAN membership

35

Dynamic VLANs

36

Dynamic VLANs With a VLAN Management Policy Server

(VMPS), you can assign switch ports to VLANs dynamically, based on the source MAC address of the device connected to the port.

When you move a host from a port on one switch in the network to a port on another switch in the network, the switch assigns the new port to the proper VLAN for that host dynamically.

37

Dynamic VLANs When you enable VMPS, a MAC address-to-

VLAN mapping database downloads from a Trivial File Transfer Protocol (TFTP) server and VMPS begins to accept client requests. – If you reset or power cycle the Catalyst

5000, 4000, 900, 3500, or 6000 Series Switch, the VMPS database downloads from the TFTP server automatically and VMPS is reenabled.

38

Dynamic VLANs

VMPS opens a UDP socket to communicate and listen to client Catalyst requests.

When the VMPS server receives a valid request from a client Catalyst, it searches its database for a MAC address-to-VLAN mapping.

39

Access and Trunk Links

40

Access Links An access link is a link on the switch that is a

member of only one VLAN. This VLAN is referred to as the native VLAN

of the port. – Any device that is attached to the port is

completely unaware that a VLAN exists.

41

Trunk Links A trunk link is capable of supporting multiple

VLANs. Trunk links are typically used to connect

switches to other switches or routers. Switches support trunk links on both Fast

Ethernet and Gigabit Ethernet ports.

42

Access and Trunk Links

43

Trunk Links

Without trunking

With trunking

44

Trunking

A trunk is a point-to-point link that supports several VLANs

A trunk is to saves ports when creating a link between two devices implementing VLANs

Trunking covered in more detail in next section

45

Trunk Links A trunk link does not belong to a specific

VLAN. – Acts as a conduit for VLANs between

switches and routers. The trunk link can be configured to transport

all VLANs or to transport a limited number of VLANs.

A trunk link may, however, have a native VLAN. – The native VLAN of the trunk is the VLAN

that the trunk uses if the trunk link fails for any reason.

46

Trunk Links In Ethernet, the switch has two methods of

identifying the VLAN that a frame belongs to:– ISL – InterSwitch Link

• (Cisco proprietary)– IEEE 802.1Q (standards-based)

• aka, dot1q

47

VLAN Identification ISL - This protocol is a Cisco proprietary

encapsulation protocol for interconnecting multiple switches; it is supported in switches as well as routers.

Even though it’s Cisco proprietary, ISL is not natively supported by the Catalyst 4000.– The L3 blade does give the Cat4000s

router two ISL-capable ports (Gig 1 and Gig 2).

48

VLAN Identification

IEEE 802.1Q - This protocol is an IEEE standard method for identifying VLANs by inserting a VLAN identifier into the frame header.

This process is referred to as frame tagging. – Note: In practice, both ISL and dot1q are

called frame tagging

49

VLAN Identification 802.10 - This standard is a Cisco proprietary

method of transporting VLAN information inside the standard 802.10 frame (FDDI).– The VLAN information is written to the

security association identifier (SAID) portion of the 802.10 frame.

– This method is typically used to transport VLANs across FDDI backbones.

50

VLAN Identification

LAN Emulation (LANE) - LANE is an ATM Forum standard that can be used for transporting VLANs over Asynchronous Transfer Mode (ATM) networks.

51

VLAN IdentificationBoth 802.1Q and ISL do “Explicit tagging.” 802.1Q uses an “internal tagging process” that modifies the existing Ethernet frame with the VLAN ID. This allows 802.1Q frames to work on both access and trunk links as it appears to be a standard Ethernet frame. ISL uses external tagging process, where the original frame is not altered but it is encapsulated with a new 26-byte ISL header (tag). This means that only ISL aware devices can interpret this frame.

52

ISL (Frame Encapsulation)

Ethernet Frame1500 bytes plus 18 byte header

(1518 bytes)

Standard NIC cards and networking devices don’t understand this giant frame. A Cisco switch must remove this encapsulation before sending the frame out on an access link.

53

ISL An Ethernet frame is encapsulated with a

header that transports VLAN IDs It adds overhead to the packet as a 26-byte

header containing a 10-bit VLAN ID. In addition, a 4-byte cyclic redundancy check

(CRC) is appended to the end of each frame.– This CRC is in addition to any frame

checking that the Ethernet frame requires.

54

ISL - Selected fields DA - Destination Address

The DA field of the ISL packet is a 40 bit destination address. This address is a multicast address and is currently set to be: 0x01_00_0C_00_00. The first 40 bits of the DA field signal the receiver that the packet is in ISL format.

TYPE - Frame Type

The TYPE field indicates the type of frame that is encapsulated and could be used in the future to indicate alternative encapsulations. The following TYPE codes have been defined:

Code Meaning 0000 Ethernet 0001 Token-Ring 0010 FDDI 0011 ATM

55

ISL - Selected fields SA - Source Address

The SA field is the source address field of the ISL packet. It should be set to the 802.3 MAC address of the switch port transmitting the frame. It is a 48-bit value. The receiving device may ignore the SA field of the frame.

VLAN - Virtual LAN ID

The VLAN field is the virtual LAN ID of the packet. It is a 15-bit value that is used to distinguish frames on different VLANs. This field is often referred to as the "color" of the packet

BPDU - BPDU and CDP Indicator

The BPDU bit is set for all bridge protocol data units that are encapsulated by the ISL packet. The BPDUs are used by the spanning tree algorithm to determine information about the

topology of the network.

56

ISL - Selected fields ENCAP FRAME - Encapsulated Frame

The ENCAP FRAME is the encapsulated frame, including its own CRC value, completely unmodified. The internal frame must have a CRC value that is valid once the ISL encapsulation fields are removed. The length of this field can be from 1 to 24575 bytes long to accommodate Ethernet, Token Ring, and FDDI frames. A receiving switch may strip off the ISL encapsulation fields and use this ENCAP FRAME as the frame is received, associating the appropriate VLAN and other values with the received frame as indicated above for switching purposes.

CRC - Frame Checksum

The CRC is a standard 32-bit CRC value calculated on the entire encapsulated frame from the DA field to the ENCAP FRAME field. The receiving MAC will check this CRC and can discard packets that do not have a valid CRC on them. Note that this CRC is in addition to the one at the end of the ENCAP FRAME field.

57

2-byte TPID

2-byte TCI

802.1q

SA and DA MACs

SA and DA MACs

802.1q Tag

Type/Length Field

Data (max 1500 bytes)

CRCNewCRC

NIC cards and networking devices can understand this “baby giant” frame (1522 bytes). However, a Cisco switch must remove this encapsulation before sending the frame out on an access link.

Tag Protocol Identifier

Tag Control Info (includes VLAN ID)

58

802.1q

Significantly less overhead than the ISL As opposed to the 30 bytes added by ISL,

802.1Q inserts only an additional 4 bytes into the Ethernet frame

59

802.1q A 4-byte tag header containing a tag protocol

identifier (TPID) and tag control information (TCI) with the following elements:

60

802.1q TPIDA 2-byte TPID with a fixed value of 0x8100. This value

indicates that the frame carries the 802.1Q/802.1p tag information.

TCIA TCI containing the following elements:

- Three-bit user priority (8 priority levels, 0 thru 7)- One-bit canonical format (CFI indicator), 0 =

canonical, 1 = noncanonical, to signal bit order in the encapsulated frame (www.faqs.org/rfcs/rfc2469.html - “A Caution On the Canonical Ordering of Link-Layer Addresses”)

- Twelve-bit VLAN identifier (VID)-Uniquely identifies the VLAN to which the frame belongs, defining 4,096 VLANs, with 0 and 4095 reserved.

61

Trunk Links - once again...

Without trunking

With trunking

62

Trunking Before attempting to configure a VLAN trunk

on a port, you should to determine what encapsulation the port can support.

Set-based switches:

switch> (enable) show port capabilities – Note: the Catalyst 4000 does not support ISL

(except the router blade) IOS-based switches:switch(config-if)# switchport trunk encapsulation ?– (only way I know)

63

Next week...

More Trunking next week, along with VTP (VLAN Trunking Protocol)

Next few slides, review of vlan commands

64

Creating VLANs - access portsIOS-BasedSwitch(config)# interface fastethernet mod/num

Switch(config-if)# switchport access vlan vlan-num

Remove

Switch(config-if)# no switchport access vlan vlan-num

Set-BasedSwitch> (enable) set vlan vlan-num mod/num_list

Remove

Switch> (enable) clear vlan vlan-num When you clear a VLAN, all ports assigned to that

VLAN become inactive and can be reactivated using set vlan vlan-num state active or by assigning the ports to another vlan.

65

Naming a VLANIOS-BasedSwitch# vlan database (not in global config!)

Switch(vlan)# vlan vlan-num name vlan-name

Set-BasedSwitch> (enable) set vlan vlan-num name vlan-name

66

Viewing VLAN informationIOS-BasedSwitch# show vlan

Switch# show vlan brief

Set-BasedSwitch> (enable) show vlan

Switch> (enable) show interface

67

IOS-based

CIS-2900-ServerFarm>show vlan

VLAN Name Status Ports

---- -------------------------------- --------- -----------------

1 default active

2 VLAN0002 active

3 VLAN0003 active

4 VLAN0004 active

5 VLAN0005 active

10 VLAN0010 active

50 SeverFarm active Fa0/1, Fa0/2, Fa0/3, Fa0/4,

Fa0/5, Fa0/6, Fa0/7, Fa0/8,

<output omitted)

Fa0/21, Fa0/22

1002 fddi-default active

<text omitted>

VLAN Type SAID MTU Parent RingNo BridgeNo Stp BrdgMode Trans1 Trans2

---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------

1 enet 100001 1500 - - - - - 0 0

<Text omitted>

68

IOS-based

CIS-2900-ServerFarm>show vlan brief

VLAN Name Status Ports

---- -------------------------------- --------- -----------------

1 default active

2 VLAN0002 active

3 VLAN0003 active

4 VLAN0004 active

5 VLAN0005 active

10 VLAN0010 active

50 SeverFarm active Fa0/1, Fa0/2, Fa0/3, Fa0/4,

Fa0/5, Fa0/6, Fa0/7, Fa0/8,

<output omitted)

Fa0/21, Fa0/22

1002 fddi-default active

1003 token-ring-default active

1004 fddinet-default active

1005 trnet-default active

69

Set-basedCIS-4003-MainSwitch> show vlan

VLAN Name Status IfIndex Mod/Ports

---- -------------------------------- --------- ------- --------------

1 default active 4 2/1-12

2 VLAN0002 active 9 2/13-36

3 VLAN0003 active 10 2/37-40

4 VLAN0004 active 11 2/41-44

5 VLAN0005 active 60

10 VLAN0010 active 68

50 SeverFarm active 62 2/47

1002 fddi-default active 5

1003 token-ring-default active 8

1004 fddinet-default active 6

1005 trnet-default active 7

VLAN Type SAID MTU Parent RingNo BrdgNo Stp BrdgMode Trans1 Trans2

---- ----- ---------- ----- ------ ------ ------ ---- -------- ------ ------

1 enet 100001 1500 - - - - - 0 0

2 enet 100002 1500 - - - - - 0 0

3 enet 100003 1500 - - - - - 0 0

4 enet 100004 1500 - - - - - 0 0

70

IOS-basedSwitch# show running-config

!

interface FastEthernet0/1

switchport access vlan 50

!

interface FastEthernet0/2

switchport access vlan 50

!

interface FastEthernet0/3

switchport access vlan 50

!

interface FastEthernet0/4

switchport access vlan 50

71

Set-basedSwitch>(enable)show config

#vtp

set vtp domain CIS-classrooms

set vlan 1 name default type ethernet mtu 1500 said 100001 state active

set vlan 50 name SeverFarm type ethernet mtu 1500 said 100050 state active

…

#module 2 : 48-port 10/100BaseTx Ethernet

set vlan 2 2/13-36

set vlan 3 2/37-40

set vlan 4 2/41-44

set vlan 10 2/48

set vlan 50 2/47

72

Trunking continued (Part II) A trunk is a point-to-point link between:

– Two switches– A switch and a router

Trunks carry traffic of multiple VLANs Cisco supports one or both of these

Trunking protocols:– IEEE 802.1Q (dot1q)– ISL (Cisco proprietary)

73

Trunking Cisco offers DTP and DISL which negotiates

trunking between two ends of a link and the compatible trunking protocol (DTP).– Dynamic Trunking Protocol (DTP) manages trunk

negotiation on a Catalyst Supervisor engine software release 4.2 and later

• Supports both 802.1Q and ISL– Dynamic Inter-Switch Link (DISL) was used prior

to release 4.2.• Used only with ISL.

Set-based switches only (as far as I know)

74

DTP and DISL Cisco also adapted its Dynamic ISL (DISL)

protocol and turned it into Dynamic Trunking Protocol (DTP).

DISL can negotiate ISL trunking on a link between two devices; DTP can, in addition, negotiate the type of trunking encapsulation (802.1q or ISL) that will be used as well.

This is an interesting feature as some Cisco devices support only ISL or 802.1q, whereas some are able to run both.

75

When configuring a port for trunking, two parameters can be set: the trunking mode and the encapsulation type (if DTP is supported on that

port). • The trunking mode defines how the port will

negotiate the set up of a trunk with its peer port.

• The encapsulation type allows the user to specify whether 802.1q or ISL should be used when setting up the trunk. Of course, the parameter is only relevant if the module you are using is able to use both.

DTP Modes

76

Configuring Trunking Fast Ethernet and Gigabit Ethernet

trunking modes:– On– Off– Desirable– Auto Nonegotiate

Switch(enable) set trunk mod/port

[on | off |desirable | auto | nonegotiate]

[isl | dot1q | dot10 | lane | negotiate]

vlan range

77

Trunking Mode

DTP frames

sent Description

Final state (local port)

on YES,

periodic

The local port advertises the remote it is going to the trunking state.

Trunking, unconditionally.

auto YES,

periodic

The local port advertises the remote it is able to trunk but does not request to go to the trunking state.

The port will end up in trunking state only if the remote wants to, that is, the remote mode is on or desirable.

desirable YES,

periodic

The local port advertises the remote it is able to trunk and ask to go to the trunking state.

If the port detects that the remote is able to trunk (remote in on, desirable or auto mode), it will end up in trunking state, else will stay non-trunking.

nonegotiate NO

Local port goes to unconditionally trunking, with no DTP notification to the remote.

Trunking, unconditionally.

off YES

Disable trunking on the port. DTP frames are only sent out when the port is transitioning to non-trunking.

Non trunking, unconditionally.

78

Configuring Trunking

On This mode puts the port into permanent

trunking. The port becomes a trunk port even if the

neighboring port does not agree to the change.

The on state does not allow for the negotiation of an encapsulation type. – You must, therefore, specify the

encapsulation in the configuration

79

Off This mode puts the port into permanent

nontrunking mode and negotiates to convert the link into a nontrunk link.

The port becomes a nontrunk port even if the neighboring port does not agree to the change.

Configuring Trunking

80

Desirable This mode makes the port actively attempt to

convert the link to a trunk link. The port becomes a trunk port if the neighboring port is set to on, desirable, or auto mode.

Configuring Trunking

81

Auto This mode makes the port willing to convert the

link to a trunk link. The port becomes a trunk port if the neighboring

port is set to on or desirable mode. This is the default mode for Fast and Gigabit

Ethernet ports. – if the default setting is left on both sides of the

trunk link, the link will not become a trunk– Do not want both sides to be set to Auto

Configuring Trunking

82

Nonegotiate This mode puts the port into permanent

trunking mode but prevents the port from generating Dynamic Trunking Protocol (DTP) frames. – You must configure the neighboring port

manually as a trunk port to establish a trunk link.

Configuring Trunking

83

Encapsulation TypeEncapsulation

type Description

ISL Sets the port encapsulation to ISL.

dot1q Sets the port encapsulation to 802.1q.

negotiate

This encapsulation is only available in auto or desirable trunking modes.

If the remote has a negotiate encapsulation type, the trunk will eventually be set up with ISL.

If the remote is configured for ISL or 802.1q or only able to do ISL or 802.1q, then the trunking encapsulation used will be the one of the remote port.

Switch(enable) set trunk mod/port

[on | off |desirable | auto | nonegotiate]

[isl | dot1q | dot10 | lane | negotiate]

vlan range

84

For trunking to be autonegotiated on Fast Ethernet or Gigabit Ethernet ports, the ports must be in the same VTP domain.

However, you can use “on” or “nonegotiate” mode to force a port to become a trunk, even if it is in a different domain.

Configuring Trunking

85

Configuring TrunkingIOS-Based SwitchSwitch(config)# interface fastethernet 0

Switch(config-if)# switchport mode [access | multi | trunk]

Switch(config-if)# switchport trunk encapsulation {isl|dot1q}

Switch(config-if)# switchport trunk allowed vlan remove vlan-list

Switch(config-if)# switchport trunk allowed vlan add vlan-list

By default, all VLANS, 1-1005 transported automatically

86

Configuring Trunking

Set-Based SwitchSwitch(enable) set trunk mod/port [on | off |desirable |

auto | nonegotiate] [isl | dot1q | dot10 | lane | negotiate] vlan range

Switch(enable) clear trunk mod/port vlan-range

By default, all VLANS, 1-1005 transported automatically

87

88

IOS 1924 Switchinterface FastEthernet0/22

switchport access vlan 50

!

interface FastEthernet0/23

port group 1 distribution destination

switchport mode trunk

switchport trunk encapsulation dot1q

!

interface FastEthernet0/24

port group 1 distribution destination

switchport mode trunk

switchport trunk encapsulation dot1q

!

89

Catalyst 4003

set trunk 2/45 on dot1q 1-1005 (to 4003)

set trunk 2/46 on dot1q 1-1005 (to 4003)

set trunk 2/48 on dot1q 1-1005 (to Rtr)

By default, all VLANS, 1-1005 transported automatically

90

Routerinterface FastEthernet0/1.1

encapsulation dot1Q 1

ip address 172.30.1.1 255.255.255.0

ip access-group 100 in

ip helper-address 172.30.50.50

no ip directed-broadcast

!

interface FastEthernet0/1.2

encapsulation dot1Q 2

ip address 172.30.2.1 255.255.255.0

ip access-group 102 in

ip helper-address 172.30.50.255

ip helper-address 172.30.50.10

no ip directed-broadcast

91

VLAN Trunking Protocol

VTP maintains VLAN configuration consistency across the entire network.

VTP is a messaging protocol that uses Layer 2 trunk frames to manage the addition, deletion, and renaming of VLANs on a network-wide basis.

Further, VTP allows you to make centralized changes that are communicated to all other switches in the network.

92

VTP Create VLANs on the VTP Server Those VLANs get sent to other client

switches On the client switches, you can now

assign ports to those vlans. Cannot create vlans on the client

switches like you could previously before configuring the switch to be a VTP client.

93

VTP Benefits

94

VTP All switches in the same management domain

share their VLAN information with each other, and a switch can participate in only one VTP management domain.

Switches in different domains do not share VTP information.

Using VTP, switches advertise: – Management domain – Configuration revision number – Known VLANs and their specific parameters

95

VTP Switches can be configured not to accept

VTP information. These switches will forward VTP information

on trunk ports in order to ensure that other switches receive the update, but the switches will not modify their database, nor will the switches send out an update indicating a change in VLAN status. – This is referred to as transparent mode.

96

VTP By default, management domains are

set to a nonsecure mode, meaning that the switches interact without using a password.

Adding a password automatically sets the management domain to secure mode. – A password must be configured on every

switch in the management domain to use secure mode.

97

VTP

The VTP database contains a revision number.

Each time a change is made, the switch increments the revision number

98

VTP A higher configuration revision number

indicates that the VLAN information that is being sent is more current then the stored copy.

Any time a switch receives an update that has a higher configuration revision number, the switch will overwrite the stored information with the new information being sent in the VTP update.

99

VTP Modes

Switches can operate in any one of the following three VTP modes: – Server– Client– Transparent

100

VTP Modes Server - If you configure the switch for server

mode, you can create, modify, and delete VLANs, and specify other configuration parameters (such as VTP version and VTP pruning) for the entire VTP domain.

VTP servers:– advertise their VLAN configuration to other switches

in the same VTP domain– synchronize the VLAN configuration with other

switches based on advertisements received over trunk links.

– Recommended you have at least 2 VTP servers in case one goes down

This is the default mode on the switch.

101

VTP Modes

Client - VTP clients behave the same way as VTP servers. However, you cannot create, change, or delete VLANs on a VTP client.

102

VTP Modes

Transparent - VTP transparent switches do not participate in VTP.

A VTP transparent switch does not advertise its VLAN configuration, and does not synchronize its VLAN configuration based on received advertisements.– However, in VTP Version 2, transparent switches

do forward VTP advertisements that the switches receive out their trunk ports.

103

Configuring VTP

104

Configuring VTPIOS-Based SwitchSwitch# vlan database

Switch(vlan)# vtp domain domain-name

Switch(vlan)# vtp {server | client | transparent}

Optional:

Switch(vlan)# vtp password password

Switch(vlan)# vtp v2-mode (version2)

Example:

ALSwitch# vlan database

ALSwitch(vlan)# vtp domain corp

ALSwitch(vlan)# vtp client

105

Configuring VTPSet-Based SwitchSwitch(enable) set vtp [domain domain-name] [mode {server

| client | transparent}[password password]

Switch(enable) set vtp v2 enable (version 2)

Example:

DLSwitch(enable) set vtp domain corp

DLSwitch(enable) set vtp mode server

106

VTP Pruning

VTP pruning enhances network bandwidth use by reducing unnecessary flooding of traffic, such as broadcast, multicast, unknown, and flooded unicast packets.

VTP pruning increases available bandwidth by restricting flooded traffic to those trunk links that the traffic must use to access the appropriate network devices.

By default, VTP pruning is disabled.

107

VTP Pruning

108

VTP Pruning Enabling VTP pruning on a VTP server

enables pruning for the entire management domain.

VTP pruning takes effect several seconds after you enable it.

By default, VLANs 2 through 1000 are pruning eligible. – VLAN 1 is always pruning ineligible, so traffic from

VLAN 1 cannot be pruned.– You have the option to make specific VLANs

pruning eligible or pruning ineligible on the device.

109

Configuring VTP Pruning

IOS-Based SwitchSwitch# vlan database

Switch(vlan)# vtp pruning

Remove VLANs from being pruned:

Switch(config-if)# switchport trunk pruning vlan remove vlan-list

By default, all Vlans pruned in management domain

110

Configuring VTP Pruning

Set-Based SwitchSwitch(enable) set vtp pruning enable

Optional:

Switch(enable) set vtp pruneeligible vlan-range

Switch(enable) clear vtp pruning vlan-range

By default, all Vlans pruned in management domain.