Cabrillo College
CCNP – Multilayer Switching
Introduction to VLANs
Rick Graziani, Instructor
March 27, 2001
VLANs
Switched networks that are logically segmented on an organizational basis by functions, project teams, or applications rather than on a physical or geographical basis
VLANs
Can be thought of as a broadcast domain that exists within a defined set of switches
Provide the segmentation services traditionally provided by routers
Offer scalability, security, and improved network management
Routers in VLAN topologies provide broadcast filtering, security, address summarization, and traffic flow management.
VLANs
What are the issues if these were only separate subnets and not VLANs? Without VLANs, a router interface would have to be attached to each subnet, and the hosts of each subnet would sit on physically separate segments, in order to divide the broadcast domains.
VLANs
VLANs are secure
Whenever a station transmits in a shared network such as a legacy half-duplex 10BaseT system, all stations attached to the segment receive a copy of the frame, even if they are not the intended recipients.
Anyone with a network sniffer can capture passwords, sensitive e-mail, and any other traffic on the shared network.
VLANs are secure - Switches
Switches allow for microsegmentation
– Each user that connects directly to a switch port is on his or her own segment.
• If every device has its own segment (switchport) then only the sender and receiver will “see” unicast traffic, unless the switch has to flood the unicast traffic for that VLAN.
• More in a moment!
VLANs contain broadcast traffic
– Only users on the same VLAN will see broadcasts
Side Note - Transparent Bridging
Transparent bridging (normal switching process) is defined in IEEE 802.1D, which describes the five bridging processes of:
– learning
– flooding
– filtering
– forwarding
– aging
These will be discussed further in STP
Transparent Bridge Process - Jeff Doyle
Receive packet
Learn source address or refresh aging timer
Is the destination a broadcast, multicast or unknown unicast?
   Yes: flood packet
   No: Are the source and destination on the same interface?
      Yes: filter packet
      No: forward unicast to correct port
Transparent Bridging
Switches will flood unicast traffic out all ports in the VLAN if the destination MAC address is not in the source address table.
This can be especially true for large flat networks where switches cannot hold all of the MAC addresses.
– MAC address table capacity ranges from 1,024 (or less) to more than 16,000 addresses depending upon vendor and model
– Addresses that cannot be learned because the table is full are flooded exactly like unknown destinations; a station on the VLAN that fills the table deliberately gets the same flooding, which is one reason to limit the number of addresses learned per port (port security).
Addresses will also age out of the source address table, which means frames to them will be flooded again until the address is relearned. This traffic may include confidential information including passwords.
– Cisco and Bay default is 5 minutes (common)
– Why so small? Dynamic and current.
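The bridging decision flow and the flooding and aging behaviour described above, as an added example that is not code from the original slides: a small Python model of a learning bridge with a per-VLAN, bounded, aging source-address table. The port names, MAC addresses, table size and traffic are constructed for illustration; the 300-second aging default is the one the slides quote.

```python
"""Learning bridge with per-VLAN flooding, filtering, forwarding and aging.

Added example, not code from the original slides. The switch model, port
names, MAC addresses, table size and traffic below are constructed.
"""
import time

BROADCAST = "ff:ff:ff:ff:ff:ff"


def is_group_address(mac: str) -> bool:
    # Low-order bit of the first octet set = multicast/broadcast destination.
    return int(mac.split(":")[0], 16) & 0x01 == 1


class Switch:
    """Transparent bridge (802.1D) with a bounded, aging source-address table."""

    def __init__(self, port_vlans, aging_time=300.0, table_size=1024):
        self.port_vlans = port_vlans      # port -> access VLAN (static assignment)
        self.aging_time = aging_time      # seconds; 300 is the default the slides quote
        self.table_size = table_size      # CAM capacity, vendor and model dependent
        self.cam = {}                     # (vlan, mac) -> (port, last_seen)

    def _age(self, now):
        # Aging: entries not refreshed within aging_time are dropped, so the next
        # frame to that address is flooded again until it is relearned.
        for key in [k for k, (_, seen) in self.cam.items() if now - seen > self.aging_time]:
            del self.cam[key]

    def _learn(self, vlan, mac, port, now):
        # Learning: record or refresh the source; a full table cannot take new addresses.
        key = (vlan, mac)
        if key in self.cam or len(self.cam) < self.table_size:
            self.cam[key] = (port, now)

    def receive(self, in_port, src, dst, now=None):
        """Return the sorted list of egress ports for one frame."""
        now = time.time() if now is None else now
        self._age(now)
        vlan = self.port_vlans[in_port]
        self._learn(vlan, src, in_port, now)
        same_vlan = sorted(p for p, v in self.port_vlans.items() if v == vlan and p != in_port)
        if is_group_address(dst) or (vlan, dst) not in self.cam:
            return same_vlan              # Flooding: broadcast, multicast, unknown unicast
        out_port, _ = self.cam[(vlan, dst)]
        if out_port == in_port:
            return []                     # Filtering: destination is on the ingress segment
        return [out_port]                 # Forwarding: known unicast to exactly one port


def demo():
    """Run the scenarios from the slides and return what each frame reached."""
    ports = {"fa0/1": 10, "fa0/2": 10, "fa0/3": 10, "fa0/4": 20}
    a, b, c = "00:a0:c9:66:86:94", "00:a0:c9:11:22:33", "00:a0:c9:44:55:66"
    sw = Switch(ports, aging_time=300)
    r = {}
    r["unknown_unicast"] = sw.receive("fa0/1", a, b, now=0)      # B unknown: flooded within VLAN 10
    r["reply_known"] = sw.receive("fa0/2", b, a, now=1)          # A was learned: one port only
    r["known_after_learn"] = sw.receive("fa0/1", a, b, now=2)    # B now known: fa0/3 sees nothing
    r["aged_out"] = sw.receive("fa0/1", a, b, now=400)           # B aged out (>300 s): flooded again
    r["broadcast_vlan20"] = sw.receive("fa0/4", c, BROADCAST, now=401)  # stays inside VLAN 20
    # A table too small for the stations on the VLAN has the same effect as aging:
    # the unlearned station's traffic is flooded to every port in its VLAN.
    small = Switch(ports, table_size=2)
    small.receive("fa0/1", a, b, now=0)
    small.receive("fa0/2", b, a, now=0)
    small.receive("fa0/3", c, a, now=0)                          # C cannot be learned, table full
    r["table_full"] = small.receive("fa0/1", a, c, now=1)        # C unknown: flooded
    return r


if __name__ == "__main__":
    for name, egress in demo().items():
        print("%-18s -> %s" % (name, egress))
```

The point to take from the run is that the only frames a third port ever sees are the flooded ones: unknown unicast, aged-out unicast, unlearned-because-full unicast, and broadcasts, and all of them stay inside the source port's VLAN.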
Changing and viewing the aging timer
Set-based
Switch_1> (enable) set cam agingtime vlan agingtime_in_sec
Switch_1> (enable) show cam agingtime
VLAN 1 aging time = 300 sec
VLAN 2 aging time = 300 sec
IOS-based
Switch(config)# mac-address-table aging-time seconds [vlan vlan]
Switch# show mac-address-table aging-time
300
Show Mac-Address-Table (Source Address Table)
Set-based
Console> (enable) show cam dynamic
* = Static Entry. + = Permanent Entry. # = System Entry. R = Router Entry. X = Port Security Entry
VLAN Dest MAC/Route Des [CoS] Destination Ports…
---- ------------------ ----- -------------------
1 00-a0-c9-66-86-94 2/6 [ALL]
Total Matching CAM Entries Displayed = 1
Show Mac-Address-Table (Source Address Table)
IOS-based
Switch#show mac-address-table dynamic
Non-static Address Table:
Destination Address Address Type VLAN ... Port
------------------- ------------ ---- ...------
00a0.c966.8694 Dynamic 1 FastEthernet0/5
VLANs are secure - Switches
VLANs contain broadcast, multicast (later) and unknown unicast traffic to the specific VLAN
VLANs control broadcasts
Broadcast traffic is a necessary evil
– Routing protocols and network services typically rely on broadcasts
– Multimedia applications may also use broadcast frames/packets
Each VLAN is its own broadcast domain
– Traffic of any kind cannot leave a VLAN without L3 services (a router)
– Administrators can control the size of a broadcast domain by defining the size of the VLAN
VLANs improve BW utilization
Bandwidth is shared in legacy Ethernet; a switch improves BW utilization by eliminating collisions (microsegmentation).
VLANs further improve BW utilization by confining broadcasts and other traffic
Switches only flood ports that belong to the source port’s VLAN.
VLANs decrease latency
If switches and VLANs were used here instead of routers, Accounting users would experience less latency.
When NOT to VLAN
Types of VLANs
When scaling VLANs in the switch block, there are two basic methods of defining the VLAN boundaries:
– End-to-end VLANs (no longer recommended by Cisco due to management and STP concerns)
– Local VLANs
Types of VLANs
Remember: a one-to-one correspondence between VLANs and IP subnets is strongly recommended!
– Typically, this results in VLANs of 254 hosts or less. (Depending upon the subnetting scheme used.)
End-to-End VLANs
Users are grouped into VLANs independent of physical location and dependent on group or job function.
All users in a VLAN should have the same 80/20 traffic flow patterns.
As a user moves around the campus, VLAN membership for that user should not change.
Each VLAN has a common set of security requirements for all members.
End-to-End VLANs
Local VLANs
As many corporate networks have moved to centralize their resources, end-to-end VLANs became more difficult to maintain.
Users are required to use many different resources, many of which are no longer in their VLAN.
Because of this shift in placement and usage of resources, VLANs are now more frequently being created around geographic boundaries rather than commonality boundaries.
Local VLANs
Can span a geographic location as large as an entire building or as small as one switch
20/80 rule in effect, with 80 percent of the traffic remote to the user and 20 percent of the traffic local to the user
A user must cross a L3 device in order to reach 80 percent of the resources
– However, this design allows the network to provide a deterministic, consistent method of accessing resources.
VLAN Types
The two common approaches to assigning VLAN membership are:
– Static VLANs
– Dynamic VLANs
Static VLANs
Also referred to as port-based membership
VLAN assignments are created by assigning ports to a VLAN
As a device enters the network, the device automatically assumes the VLAN of the port.
– If the user changes ports and needs access to the same VLAN, the network administrator must manually make a port-to-VLAN assignment for the new connection.
Static VLANs
The port is assigned to a specific VLAN independent of the user or system attached to the port.
The port cannot send or receive from devices in another VLAN without the intervention of a L3 device.
– The device that is attached to the port likely has no understanding that a VLAN exists.
– The device simply knows that it is a member of a subnet. (IP address and subnet mask)
Static VLANs
The switch is responsible for identifying that the information came from a specific VLAN and for ensuring that the information gets to all other members of the VLAN.
– The switch is further responsible for ensuring that ports in a different VLAN do not receive the information.
Static VLANs
This approach is quite simple, fast, and easy to manage in that there are no complex lookup tables required for VLAN segmentation.
If port-to-VLAN association is done with an application-specific integrated circuit (ASIC), the performance is very good.
An ASIC allows the port-to-VLAN mapping to be done at the hardware level.
Configuring Static VLANs
IOS-Based Switch
Switch# vlan database
Switch(vlan)# vlan vlan-num name vlan-name
Switch(config)# interface fastethernet mod/num
Switch(config-if)# switchport access vlan vlan-num
Configuring Static VLANs
Set-Based Switch
Switch(enable) set vlan vlan-num [name name]
Switch(enable) set vlan vlan-num mod/num_list
Switch(enable) set vlan 10 2/19-24
Dynamic VLANs
Created through the use of software packages such as CiscoWorks 2000
Allow for membership based on the MAC address of the device
As a device enters the network, the switch queries a database for the VLAN membership of that device
Dynamic VLANs
With a VLAN Management Policy Server (VMPS), you can assign switch ports to VLANs dynamically, based on the source MAC address of the device connected to the port.
When you move a host from a port on one switch in the network to a port on another switch in the network, the switch assigns the new port to the proper VLAN for that host dynamically.
– Membership keyed on a source MAC address is only as trustworthy as that address, which the attached host chooses; it is a convenience, not an authentication of the host.
Dynamic VLANs
When you enable VMPS, a MAC address-to-VLAN mapping database downloads from a Trivial File Transfer Protocol (TFTP) server and VMPS begins to accept client requests.
– If you reset or power cycle the Catalyst 5000, 4000, 2900, 3500, or 6000 Series Switch, the VMPS database downloads from the TFTP server automatically and VMPS is reenabled.
Dynamic VLANs
VMPS opens a UDP socket to communicate and listen to client Catalyst requests.
When the VMPS server receives a valid request from a client Catalyst, it searches its database for a MAC address-to-VLAN mapping.
Access and Trunk Links
Access Links
An access link is a link on the switch that is a member of only one VLAN.
This VLAN is referred to as the native VLAN of the port.
– Any device that is attached to the port is completely unaware that a VLAN exists.
Trunk Links
A trunk link is capable of supporting multiple VLANs.
Trunk links are typically used to connect switches to other switches or routers.
Switches support trunk links on both Fast Ethernet and Gigabit Ethernet ports.
Access and Trunk Links
Trunk Links
(figure: without trunking, one link per VLAN; with trunking, one link carrying all VLANs)
Trunking
A trunk is a point-to-point link that supports several VLANs
A trunk saves ports when creating a link between two devices implementing VLANs
Trunking covered in more detail in next section
Trunk Links
A trunk link does not belong to a specific VLAN.
– Acts as a conduit for VLANs between switches and routers.
The trunk link can be configured to transport all VLANs or to transport a limited number of VLANs.
A trunk link may, however, have a native VLAN.
– The native VLAN of the trunk is the VLAN the port falls back to if trunk negotiation fails for any reason; on an 802.1Q trunk it is also the VLAN whose frames cross the link untagged, so it must be the same at both ends of the link.
Trunk Links
In Ethernet, the switch has two methods of identifying the VLAN that a frame belongs to:
– ISL – InterSwitch Link
• (Cisco proprietary)
– IEEE 802.1Q (standards-based)
• aka, dot1q
VLAN Identification
ISL - This protocol is a Cisco proprietary encapsulation protocol for interconnecting multiple switches; it is supported in switches as well as routers.
Even though it’s Cisco proprietary, ISL is not natively supported by the Catalyst 4000.
– The L3 blade does give the Cat4000’s router two ISL-capable ports (Gig 1 and Gig 2).
VLAN Identification
IEEE 802.1Q - This protocol is an IEEE standard method for identifying VLANs by inserting a VLAN identifier into the frame header.
This process is referred to as frame tagging.
– Note: In practice, both ISL and dot1q are called frame tagging
VLAN Identification
802.10 - IEEE 802.10 is an IEEE standard (Secure Data Exchange); Cisco’s use of it to transport VLAN information inside the standard 802.10 frame (FDDI) is proprietary.
– The VLAN information is written to the security association identifier (SAID) portion of the 802.10 frame.
– This method is typically used to transport VLANs across FDDI backbones.
VLAN Identification
LAN Emulation (LANE) - LANE is an ATM Forum standard that can be used for transporting VLANs over Asynchronous Transfer Mode (ATM) networks.
VLAN Identification
Both 802.1Q and ISL do “explicit tagging.”
802.1Q uses an “internal tagging process” that modifies the existing Ethernet frame with the VLAN ID. This allows 802.1Q frames to work on both access and trunk links as it appears to be a standard Ethernet frame.
ISL uses an external tagging process, where the original frame is not altered but is encapsulated with a new 26-byte ISL header (tag). This means that only ISL aware devices can interpret this frame.
ISL (Frame Encapsulation)
(figure: a standard Ethernet frame, 1500 bytes of data plus 18 bytes of header and CRC (1518 bytes), wrapped in the ISL header and trailing ISL CRC)
Standard NIC cards and networking devices don’t understand this giant frame. A Cisco switch must remove this encapsulation before sending the frame out on an access link.
ISL
An Ethernet frame is encapsulated with a header that transports VLAN IDs
It adds overhead to the packet as a 26-byte header containing a 10-bit VLAN ID.
In addition, a 4-byte cyclic redundancy check (CRC) is appended to the end of each frame.
– This CRC is in addition to any frame checking that the Ethernet frame requires.
ISL - Selected fields
DA - Destination Address
The DA field of the ISL packet is a 40 bit destination address. This address is a multicast address and is currently set to be: 0x01_00_0C_00_00. The first 40 bits of the DA field signal the receiver that the packet is in ISL format.
TYPE - Frame Type
The TYPE field indicates the type of frame that is encapsulated and could be used in the future to indicate alternative encapsulations. The following TYPE codes have been defined:
Code  Meaning
0000  Ethernet
0001  Token-Ring
0010  FDDI
0011  ATM
ISL - Selected fields
SA - Source Address
The SA field is the source address field of the ISL packet. It should be set to the 802.3 MAC address of the switch port transmitting the frame. It is a 48-bit value. The receiving device may ignore the SA field of the frame.
VLAN - Virtual LAN ID
The VLAN field is the virtual LAN ID of the packet. It is a 15-bit field that is used to distinguish frames on different VLANs; only the low-order 10 bits are used, which is the 10-bit VLAN ID (1024 VLANs) mentioned earlier. This field is often referred to as the "color" of the packet.
BPDU - BPDU and CDP Indicator
The BPDU bit is set for all bridge protocol data units that are encapsulated by the ISL packet. The BPDUs are used by the spanning tree algorithm to determine information about the topology of the network.
ISL - Selected fields
ENCAP FRAME - Encapsulated Frame
The ENCAP FRAME is the encapsulated frame, including its own CRC value, completely unmodified. The internal frame must have a CRC value that is valid once the ISL encapsulation fields are removed. The length of this field can be from 1 to 24575 bytes long to accommodate Ethernet, Token Ring, and FDDI frames. A receiving switch may strip off the ISL encapsulation fields and use this ENCAP FRAME as the frame is received, associating the appropriate VLAN and other values with the received frame as indicated above for switching purposes.
CRC - Frame Checksum
The CRC is a standard 32-bit CRC value calculated on the entire encapsulated frame from the DA field to the ENCAP FRAME field. The receiving MAC will check this CRC and can discard packets that do not have a valid CRC on them. Note that this CRC is in addition to the one at the end of the ENCAP FRAME field.
802.1q
(figure: untagged frame = SA and DA MACs | Type/Length Field | Data (max 1500 bytes) | CRC; tagged frame = SA and DA MACs | 802.1q Tag (2-byte TPID, Tag Protocol Identifier, and 2-byte TCI, Tag Control Info, which includes the VLAN ID) | Type/Length Field | Data (max 1500 bytes) | new CRC)
NIC cards and networking devices can understand this “baby giant” frame (1522 bytes). However, a Cisco switch must remove this encapsulation before sending the frame out on an access link.
802.1q
Significantly less overhead than ISL
As opposed to the 30 bytes added by ISL, 802.1Q inserts only an additional 4 bytes into the Ethernet frame
802.1q
A 4-byte tag header containing a tag protocol identifier (TPID) and tag control information (TCI) with the following elements:
802.1q
TPID
A 2-byte TPID with a fixed value of 0x8100. This value indicates that the frame carries the 802.1Q/802.1p tag information.
TCI
A TCI containing the following elements:
- Three-bit user priority (8 priority levels, 0 thru 7)
- One-bit canonical format indicator (CFI), 0 = canonical, 1 = noncanonical, to signal bit order in the encapsulated frame (www.faqs.org/rfcs/rfc2469.html - “A Caution On the Canonical Ordering of Link-Layer Addresses”)
- Twelve-bit VLAN identifier (VID) - uniquely identifies the VLAN to which the frame belongs, defining 4,096 values, with 0 and 4095 reserved.
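The two tagging schemes just described, ISL (the selected fields above: DA 0x01000C0000, TYPE, SA, the 15-bit VLAN field carrying a 10-bit ID, the BPDU bit, the trailing CRC) and the 4-byte 802.1Q tag (TPID 0x8100, 3-bit priority, CFI, 12-bit VID), as one added example that is not code from the original slides. It builds a maximum-size Ethernet frame, tags it both ways, parses the result back and reports the overhead each method adds. The MAC addresses and payload are constructed; the ISL header fields the slides do not list (USER, LEN, the 0xAAAA03 SNAP bytes, HSA, INDEX, RES) are laid out as I recall Cisco's ISL description and are assumptions here, as is the little-endian byte order used for the CRC.

```python
"""Build and parse 802.1Q-tagged and ISL-encapsulated Ethernet frames.

Added example, not code from the original slides. 802.1Q field layout and the
ISL fields the slides describe follow the text; the remaining ISL header
fields (USER, LEN, SNAP 0xAAAA03, HSA, INDEX, RES) follow Cisco's published
ISL layout as recalled here and are assumptions. Addresses and payload are constructed.
"""
import struct
import zlib

TPID_8021Q = 0x8100
ISL_DA = bytes.fromhex("01000c0000")   # 40-bit multicast DA that marks a frame as ISL
ISL_TYPE_ETHERNET = 0x0                # TYPE codes: 0 Ethernet, 1 Token Ring, 2 FDDI, 3 ATM


def mac(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", "").replace("-", ""))


def fcs(frame: bytes) -> bytes:
    # Ethernet FCS is IEEE CRC-32 (same algorithm as zlib.crc32); byte order assumed LSB first.
    return struct.pack("<I", zlib.crc32(frame) & 0xFFFFFFFF)


def ethernet_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    body = dst + src + struct.pack("!H", ethertype) + payload
    return body + fcs(body)


# ---------- 802.1Q: internal tagging, 4 bytes inserted after the source MAC ----------
def dot1q_tag(frame: bytes, vid: int, priority: int = 0, cfi: int = 0) -> bytes:
    if not 1 <= vid <= 4094:
        raise ValueError("VID 0 and 4095 are reserved")
    tci = (priority & 0x7) << 13 | (cfi & 0x1) << 12 | vid
    body = frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:-4]
    return body + fcs(body)             # the FCS must be recomputed over the modified frame


def dot1q_parse(frame: bytes) -> dict:
    tpid, tci = struct.unpack("!HH", frame[12:16])
    if tpid != TPID_8021Q:
        raise ValueError("not an 802.1Q tagged frame")
    if fcs(frame[:-4]) != frame[-4:]:
        raise ValueError("bad FCS")
    untagged_body = frame[:12] + frame[16:-4]
    return {"priority": tci >> 13, "cfi": (tci >> 12) & 1, "vid": tci & 0x0FFF,
            "untagged": untagged_body + fcs(untagged_body)}


# ---------- ISL: external tagging, 26-byte header + untouched frame + 4-byte CRC ----------
def isl_encapsulate(frame: bytes, vid: int, src_port_mac: bytes, bpdu: bool = False) -> bytes:
    if not 0 <= vid < 1024:
        raise ValueError("ISL carries a 10-bit VLAN ID inside the 15-bit VLAN field")
    # LEN = total ISL packet length minus the 18 bytes of DA, TYPE/USER, SA, LEN and CRC (assumed).
    length = 26 + len(frame) + 4 - 18
    header = (ISL_DA                                      # DA, 5 bytes
              + bytes([ISL_TYPE_ETHERNET << 4 | 0x0])     # TYPE (4 bits) + USER (4 bits)
              + src_port_mac                              # SA, 6 bytes
              + struct.pack("!H", length)                 # LEN
              + bytes.fromhex("aaaa03")                   # SNAP LLC (assumed)
              + src_port_mac[:3]                          # HSA: high 3 bytes of SA (assumed)
              + struct.pack("!H", vid << 1 | int(bpdu))   # VLAN (15 bits) + BPDU bit
              + struct.pack("!HH", 0, 0))                 # INDEX, RES (assumed, unused here)
    assert len(header) == 26
    body = header + frame
    return body + fcs(body)


def isl_decapsulate(pkt: bytes) -> dict:
    if pkt[:5] != ISL_DA:
        raise ValueError("not ISL")
    if fcs(pkt[:-4]) != pkt[-4:]:
        raise ValueError("bad ISL CRC")
    vlan_field = struct.unpack("!H", pkt[20:22])[0]
    return {"type": pkt[5] >> 4, "vid": vlan_field >> 1, "bpdu": bool(vlan_field & 1),
            "frame": pkt[26:-4]}        # the inner frame, with its own FCS still intact


def overhead_demo() -> dict:
    """Tag one maximum-size frame both ways and compare sizes and round trips."""
    a, b, port = mac("00-a0-c9-66-86-94"), mac("00:a0:c9:11:22:33"), mac("00:10:7b:00:00:01")
    frame = ethernet_frame(b, a, 0x0800, bytes(1500))    # 1518-byte frame, as on the slides
    tagged = dot1q_tag(frame, 50, priority=5)
    isl = isl_encapsulate(frame, 50, port)
    q, i = dot1q_parse(tagged), isl_decapsulate(isl)
    return {"plain": len(frame), "dot1q": len(tagged), "isl": len(isl),
            "dot1q_vid": q["vid"], "dot1q_priority": q["priority"], "isl_vid": i["vid"],
            "isl_inner_intact": i["frame"] == frame, "dot1q_restored": q["untagged"] == frame}


if __name__ == "__main__":
    print(overhead_demo())
```

Note the two different failure points: an 802.1Q frame with a corrupted tag still looks like Ethernet to every station, so the receiver must check the recomputed FCS, whereas an ISL frame fails earlier on the multicast DA and is simply undecodable by anything that does not speak ISL.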
Trunk Links - once again...
(figure: without trunking, one link per VLAN; with trunking, one link carrying all VLANs)
Trunking
Before attempting to configure a VLAN trunk on a port, you should determine what encapsulation the port can support.
Set-based switches:
switch> (enable) show port capabilities
– Note: the Catalyst 4000 does not support ISL (except the router blade)
IOS-based switches:
switch(config-if)# switchport trunk encapsulation ?
– (only way I know)
Next week...
More Trunking next week, along with VTP (VLAN Trunking Protocol)
Next few slides, review of VLAN commands
Creating VLANs - access ports
IOS-Based
Switch(config)# interface fastethernet mod/num
Switch(config-if)# switchport access vlan vlan-num
Remove
Switch(config-if)# no switchport access vlan vlan-num
Set-Based
Switch> (enable) set vlan vlan-num mod/num_list
Remove
Switch> (enable) clear vlan vlan-num
When you clear a VLAN, all ports assigned to that VLAN become inactive and can be reactivated using set vlan vlan-num state active or by assigning the ports to another VLAN.
Naming a VLAN
IOS-Based
Switch# vlan database (not in global config!)
Switch(vlan)# vlan vlan-num name vlan-name
Set-Based
Switch> (enable) set vlan vlan-num name vlan-name
Viewing VLAN information
IOS-Based
Switch# show vlan
Switch# show vlan brief
Set-Based
Switch> (enable) show vlan
Switch> (enable) show interface
IOS-based
CIS-2900-ServerFarm>show vlan
VLAN Name Status Ports
---- -------------------------------- --------- -----------------
1 default active
2 VLAN0002 active
3 VLAN0003 active
4 VLAN0004 active
5 VLAN0005 active
10 VLAN0010 active
50 SeverFarm active Fa0/1, Fa0/2, Fa0/3, Fa0/4,
Fa0/5, Fa0/6, Fa0/7, Fa0/8,
<output omitted>
Fa0/21, Fa0/22
1002 fddi-default active
<text omitted>
VLAN Type SAID MTU Parent RingNo BridgeNo Stp BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1 enet 100001 1500 - - - - - 0 0
<Text omitted>
IOS-based
CIS-2900-ServerFarm>show vlan brief
VLAN Name Status Ports
---- -------------------------------- --------- -----------------
1 default active
2 VLAN0002 active
3 VLAN0003 active
4 VLAN0004 active
5 VLAN0005 active
10 VLAN0010 active
50 SeverFarm active Fa0/1, Fa0/2, Fa0/3, Fa0/4,
Fa0/5, Fa0/6, Fa0/7, Fa0/8,
<output omitted>
Fa0/21, Fa0/22
1002 fddi-default active
1003 token-ring-default active
1004 fddinet-default active
1005 trnet-default active
Set-based
CIS-4003-MainSwitch> show vlan
VLAN Name Status IfIndex Mod/Ports
---- -------------------------------- --------- ------- --------------
1 default active 4 2/1-12
2 VLAN0002 active 9 2/13-36
3 VLAN0003 active 10 2/37-40
4 VLAN0004 active 11 2/41-44
5 VLAN0005 active 60
10 VLAN0010 active 68
50 SeverFarm active 62 2/47
1002 fddi-default active 5
1003 token-ring-default active 8
1004 fddinet-default active 6
1005 trnet-default active 7
VLAN Type SAID MTU Parent RingNo BrdgNo Stp BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ ------ ---- -------- ------ ------
1 enet 100001 1500 - - - - - 0 0
2 enet 100002 1500 - - - - - 0 0
3 enet 100003 1500 - - - - - 0 0
4 enet 100004 1500 - - - - - 0 0
IOS-based
Switch# show running-config
!
interface FastEthernet0/1
switchport access vlan 50
!
interface FastEthernet0/2
switchport access vlan 50
!
interface FastEthernet0/3
switchport access vlan 50
!
interface FastEthernet0/4
switchport access vlan 50
Set-based
Switch>(enable)show config
#vtp
set vtp domain CIS-classrooms
set vlan 1 name default type ethernet mtu 1500 said 100001 state active
set vlan 50 name SeverFarm type ethernet mtu 1500 said 100050 state active
…
#module 2 : 48-port 10/100BaseTx Ethernet
set vlan 2 2/13-36
set vlan 3 2/37-40
set vlan 4 2/41-44
set vlan 10 2/48
set vlan 50 2/47
Trunking continued (Part II)
A trunk is a point-to-point link between:
– Two switches
– A switch and a router
Trunks carry traffic of multiple VLANs
Cisco supports one or both of these trunking protocols:
– IEEE 802.1Q (dot1q)
– ISL (Cisco proprietary)
Trunking
Cisco offers DTP and DISL, which negotiate trunking between the two ends of a link; DTP also negotiates a compatible trunking encapsulation.
– Dynamic Trunking Protocol (DTP) manages trunk negotiation on a Catalyst Supervisor engine software release 4.2 and later
• Supports both 802.1Q and ISL
– Dynamic Inter-Switch Link (DISL) was used prior to release 4.2.
• Used only with ISL.
Set-based switches only (as far as I know)
DTP and DISL
Cisco also adapted its Dynamic ISL (DISL) protocol and turned it into Dynamic Trunking Protocol (DTP).
DISL can negotiate ISL trunking on a link between two devices; DTP can, in addition, negotiate the type of trunking encapsulation (802.1q or ISL) that will be used as well.
This is an interesting feature as some Cisco devices support only ISL or 802.1q, whereas some are able to run both.
DTP Modes
When configuring a port for trunking, two parameters can be set: the trunking mode and the encapsulation type (if DTP is supported on that port).
• The trunking mode defines how the port will negotiate the setup of a trunk with its peer port.
• The encapsulation type allows the user to specify whether 802.1q or ISL should be used when setting up the trunk. Of course, the parameter is only relevant if the module you are using is able to use both.
Configuring Trunking
Fast Ethernet and Gigabit Ethernet trunking modes:
– On
– Off
– Desirable
– Auto
– Nonegotiate
Switch(enable) set trunk mod/port [on | off | desirable | auto | nonegotiate] [isl | dot1q | dot10 | lane | negotiate] vlan range
Trunking Mode (DTP frames sent / description / final state of the local port)
on – DTP frames sent: yes, periodic. The local port advertises to the remote that it is going to the trunking state. Final state: trunking, unconditionally.
auto – DTP frames sent: yes, periodic. The local port advertises to the remote that it is able to trunk but does not request to go to the trunking state. Final state: the port will end up in the trunking state only if the remote wants to, that is, the remote mode is on or desirable.
desirable – DTP frames sent: yes, periodic. The local port advertises to the remote that it is able to trunk and asks to go to the trunking state. Final state: if the port detects that the remote is able to trunk (remote in on, desirable or auto mode), it will end up in the trunking state, else it will stay non-trunking.
nonegotiate – DTP frames sent: no. The local port goes to trunking unconditionally, with no DTP notification to the remote. Final state: trunking, unconditionally.
off – DTP frames sent: yes. Trunking is disabled on the port; DTP frames are only sent out when the port is transitioning to non-trunking. Final state: non-trunking, unconditionally.
Configuring Trunking
On
This mode puts the port into permanent trunking.
The port becomes a trunk port even if the neighboring port does not agree to the change.
The on state does not allow for the negotiation of an encapsulation type.
– You must, therefore, specify the encapsulation in the configuration
Configuring Trunking
Off
This mode puts the port into permanent nontrunking mode and negotiates to convert the link into a nontrunk link.
The port becomes a nontrunk port even if the neighboring port does not agree to the change.
Configuring Trunking
Desirable
This mode makes the port actively attempt to convert the link to a trunk link. The port becomes a trunk port if the neighboring port is set to on, desirable, or auto mode.
Configuring Trunking
Auto
This mode makes the port willing to convert the link to a trunk link.
The port becomes a trunk port if the neighboring port is set to on or desirable mode.
This is the default mode for Fast and Gigabit Ethernet ports.
– If the default setting is left on both sides of the trunk link, the link will not become a trunk
– Do not want both sides to be set to Auto
– Because an auto port will trunk with whatever sends it desirable DTP frames, ports meant to stay access ports should be set to off rather than left at the default
Configuring Trunking
Nonegotiate
This mode puts the port into permanent trunking mode but prevents the port from generating Dynamic Trunking Protocol (DTP) frames.
– You must configure the neighboring port manually as a trunk port to establish a trunk link.
Encapsulation Type
isl – Sets the port encapsulation to ISL.
dot1q – Sets the port encapsulation to 802.1q.
negotiate – This encapsulation is only available in auto or desirable trunking modes. If the remote also has the negotiate encapsulation type, the trunk will eventually be set up with ISL. If the remote is configured for ISL or 802.1q, or is only able to do ISL or 802.1q, then the trunking encapsulation used will be the one of the remote port.
Switch(enable) set trunk mod/port [on | off | desirable | auto | nonegotiate] [isl | dot1q | dot10 | lane | negotiate] vlan range
Configuring Trunking
For trunking to be autonegotiated on Fast Ethernet or Gigabit Ethernet ports, the ports must be in the same VTP domain.
However, you can use “on” or “nonegotiate” mode to force a port to become a trunk, even if it is in a different domain.
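The trunking-mode table, the encapsulation table and the same-VTP-domain rule above, as an added example that is not code from the original slides: a Python function that works out whether each end of a link ends up trunking and with which encapsulation, so mismatched pairs (one side trunking, the other not) can be spotted before they are configured. The Port class, its field names and the capability tuple are constructed for the example; the outcomes encode the slides' tables.

```python
"""DTP trunk negotiation outcome for a pair of ports, per the mode and encapsulation tables.

Added example, not code from the original slides. Port fields and the
'capable' tuple are constructed; mode and encapsulation names follow set trunk.
"""
from dataclasses import dataclass


@dataclass
class Port:
    mode: str                          # on | off | desirable | auto | nonegotiate
    encap: str = "negotiate"           # isl | dot1q | negotiate
    vtp_domain: str = "corp"
    capable: tuple = ("isl", "dot1q")  # encapsulations the module can run


def local_trunks(local: Port, remote: Port) -> bool:
    """Does the local port end up trunking, given what the remote port is doing?"""
    if local.mode == "on":
        if local.encap == "negotiate":
            raise ValueError("on mode does not negotiate encapsulation; specify isl or dot1q")
        return True                                  # trunking, unconditionally
    if local.mode == "nonegotiate":
        return True                                  # trunking, but sends no DTP frames
    if local.mode == "off":
        return False                                 # non-trunking, unconditionally
    # desirable and auto depend on hearing DTP from the remote: nonegotiate sends none,
    # off announces non-trunking, and DTP is only honoured inside the same VTP domain.
    heard = remote.mode in ("on", "desirable", "auto") and local.vtp_domain == remote.vtp_domain
    if not heard:
        return False
    if local.mode == "desirable":
        return remote.mode in ("on", "desirable", "auto")
    if local.mode == "auto":
        return remote.mode in ("on", "desirable")    # auto/auto: nobody asks, so no trunk
    raise ValueError("unknown mode %r" % local.mode)


def negotiated_encap(local: Port, remote: Port) -> str:
    """Encapsulation used once both sides trunk: an explicit setting wins, both negotiate -> ISL."""
    explicit = [p.encap for p in (local, remote) if p.encap != "negotiate"]
    if len(explicit) == 2 and explicit[0] != explicit[1]:
        raise ValueError("encapsulation mismatch: %s vs %s" % tuple(explicit))
    if explicit:
        return explicit[0]
    common = set(local.capable) & set(remote.capable)
    return "isl" if "isl" in common else "dot1q"


def link_state(local: Port, remote: Port) -> dict:
    """Evaluate both ends and flag the one-sided trunks that silently break a link."""
    l, r = local_trunks(local, remote), local_trunks(remote, local)
    state = {"local_trunk": l, "remote_trunk": r, "consistent": l == r}
    if l and r:
        state["encap"] = negotiated_encap(local, remote)
    return state


if __name__ == "__main__":
    print("auto/auto       ", link_state(Port("auto"), Port("auto")))
    print("desirable/auto  ", link_state(Port("desirable"), Port("auto")))
    print("nonegotiate/auto", link_state(Port("nonegotiate", "dot1q"), Port("auto")))
```

The nonegotiate/auto case is the one worth remembering: the local side trunks and tags, the remote side stays an access port, and nothing in DTP tells either of them. The desirable/auto case is why the slides say not to leave access ports at the auto default.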
Configuring Trunking
IOS-Based Switch
Switch(config)# interface fastethernet mod/num
Switch(config-if)# switchport mode [access | multi | trunk]
Switch(config-if)# switchport trunk encapsulation {isl|dot1q}
Switch(config-if)# switchport trunk allowed vlan remove vlan-list
Switch(config-if)# switchport trunk allowed vlan add vlan-list
By default, all VLANs, 1-1005, are transported automatically; remove the VLANs a trunk has no reason to carry.
Configuring Trunking
Set-Based Switch
Switch(enable) set trunk mod/port [on | off | desirable | auto | nonegotiate] [isl | dot1q | dot10 | lane | negotiate] vlan range
Switch(enable) clear trunk mod/port vlan-range
By default, all VLANs, 1-1005, are transported automatically
IOS 1924 Switch
interface FastEthernet0/22
switchport access vlan 50
!
interface FastEthernet0/23
port group 1 distribution destination
switchport mode trunk
switchport trunk encapsulation dot1q
!
interface FastEthernet0/24
port group 1 distribution destination
switchport mode trunk
switchport trunk encapsulation dot1q
!
89
Catalyst 4003
set trunk 2/45 on dot1q 1-1005 (to 4003)
set trunk 2/46 on dot1q 1-1005 (to 4003)
set trunk 2/48 on dot1q 1-1005 (to Rtr)
By default, all VLANS, 1-1005 transported automatically
90
Routerinterface FastEthernet0/1.1
encapsulation dot1Q 1
ip address 172.30.1.1 255.255.255.0
ip access-group 100 in
ip helper-address 172.30.50.50
no ip directed-broadcast
!
interface FastEthernet0/1.2
encapsulation dot1Q 2
ip address 172.30.2.1 255.255.255.0
ip access-group 102 in
ip helper-address 172.30.50.255
ip helper-address 172.30.50.10
no ip directed-broadcast
91
VLAN Trunking Protocol
VTP maintains VLAN configuration consistency across the entire network.
VTP is a messaging protocol that uses Layer 2 trunk frames to manage the addition, deletion, and renaming of VLANs on a network-wide basis.
Further, VTP allows you to make centralized changes that are communicated to all other switches in the network.
92
VTP Create VLANs on the VTP Server Those VLANs get sent to other client
switches On the client switches, you can now
assign ports to those vlans. Cannot create vlans on the client
switches like you could previously before configuring the switch to be a VTP client.
93
VTP Benefits
94
VTP All switches in the same management domain
share their VLAN information with each other, and a switch can participate in only one VTP management domain.
Switches in different domains do not share VTP information.
Using VTP, switches advertise: – Management domain – Configuration revision number – Known VLANs and their specific parameters
95
VTP Switches can be configured not to accept
VTP information. These switches will forward VTP information
on trunk ports in order to ensure that other switches receive the update, but the switches will not modify their database, nor will the switches send out an update indicating a change in VLAN status. – This is referred to as transparent mode.
96
VTP By default, management domains are
set to a nonsecure mode, meaning that the switches interact without using a password.
Adding a password automatically sets the management domain to secure mode. – A password must be configured on every
switch in the management domain to use secure mode.
97
VTP
The VTP database contains a revision number.
Each time a change is made, the switch increments the revision number
98
VTP A higher configuration revision number
indicates that the VLAN information that is being sent is more current then the stored copy.
Any time a switch receives an update that has a higher configuration revision number, the switch will overwrite the stored information with the new information being sent in the VTP update.
99
VTP Modes
Switches can operate in any one of the following three VTP modes: – Server– Client– Transparent
100
VTP Modes Server - If you configure the switch for server
mode, you can create, modify, and delete VLANs, and specify other configuration parameters (such as VTP version and VTP pruning) for the entire VTP domain.
VTP servers:– advertise their VLAN configuration to other switches
in the same VTP domain– synchronize the VLAN configuration with other
switches based on advertisements received over trunk links.
– Recommended you have at least 2 VTP servers in case one goes down
This is the default mode on the switch.
101
VTP Modes
Client - VTP clients behave the same way as VTP servers. However, you cannot create, change, or delete VLANs on a VTP client.
102
VTP Modes
Transparent - VTP transparent switches do not participate in VTP.
A VTP transparent switch does not advertise its VLAN configuration, and does not synchronize its VLAN configuration based on received advertisements.– However, in VTP Version 2, transparent switches
do forward VTP advertisements that the switches receive out their trunk ports.
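The VTP behaviour described above (one management domain, the secure-mode password, the configuration revision number deciding which VLAN database wins, and the three modes), as an added example that is not code from the original slides. It is a Python model of server, client and transparent switches exchanging advertisements, and it reproduces the failure mode that matters in practice: a switch with a higher revision number wipes the VLANs of every client that accepts it. The switch names, VLAN names and passwords are constructed; the digest (an MD5 over domain, password, revision and VLAN list) is a simplification of what real VTP hashes and is an assumption of this example.

```python
"""VTP server/client/transparent handling of a summary advertisement.

Added example, not code from the original slides. The digest is a simplified
stand-in for VTP's MD5 (assumption); switch names, VLANs and passwords are constructed.
"""
import hashlib
from dataclasses import dataclass, field


def vtp_digest(domain: str, password: str, revision: int, vlans: dict) -> str:
    # Assumed simplification: real VTP hashes the whole advertisement with the password.
    data = "%s|%s|%d|%s" % (domain, password, revision, sorted(vlans.items()))
    return hashlib.md5(data.encode()).hexdigest()


@dataclass
class VtpSwitch:
    name: str
    mode: str                                  # server | client | transparent
    domain: str
    password: str = ""                         # empty = nonsecure mode
    revision: int = 0
    vlans: dict = field(default_factory=lambda: {1: "default"})
    forwarded: list = field(default_factory=list)

    def advertisement(self) -> dict:
        return {"domain": self.domain, "revision": self.revision, "vlans": dict(self.vlans),
                "digest": vtp_digest(self.domain, self.password, self.revision, self.vlans)}

    def configure_vlan(self, vid: int, name: str) -> None:
        if self.mode == "client":
            raise PermissionError("VLANs cannot be created on a VTP client")
        self.vlans[vid] = name
        if self.mode == "server":
            self.revision += 1                 # every change on a server bumps the revision

    def receive(self, adv: dict) -> str:
        """Process one advertisement heard on a trunk; return what the switch did with it."""
        if adv["domain"] != self.domain:
            return "ignored: other domain"
        if self.mode == "transparent":
            self.forwarded.append(adv)         # VTP v2 transparent: forward, never modify
            return "forwarded"
        if adv["digest"] != vtp_digest(self.domain, self.password, adv["revision"], adv["vlans"]):
            return "ignored: digest mismatch (password)"
        if adv["revision"] <= self.revision:
            return "ignored: revision %d not newer" % adv["revision"]
        self.vlans, self.revision = dict(adv["vlans"]), adv["revision"]   # higher revision wins
        return "overwritten"


def demo() -> dict:
    server = VtpSwitch("DLSwitch", "server", "corp", password="s3cret")
    client = VtpSwitch("ALSwitch", "client", "corp", password="s3cret")
    transparent = VtpSwitch("LabSwitch", "transparent", "corp", password="s3cret")
    for vid, name in ((2, "VLAN0002"), (10, "VLAN0010"), (50, "ServerFarm")):
        server.configure_vlan(vid, name)
    r = {"client_sync": client.receive(server.advertisement()), "client_vlans": sorted(client.vlans)}
    r["transparent"] = transparent.receive(server.advertisement())
    r["transparent_vlans"] = sorted(transparent.vlans)
    # A switch that was a server somewhere else, re-pointed at this domain with the right
    # password and a higher revision: its nearly empty database wins and wipes the client.
    rogue = VtpSwitch("OldLab", "server", "corp", password="s3cret", revision=99)
    r["rogue_wins"] = client.receive(rogue.advertisement())
    r["client_after"] = sorted(client.vlans)
    # The same switch with the wrong password is ignored: this is what secure mode buys.
    rogue_bad = VtpSwitch("OldLab", "server", "corp", password="guess", revision=100)
    r["wrong_password"] = client.receive(rogue_bad.advertisement())
    return r


if __name__ == "__main__":
    for k, v in demo().items():
        print("%-18s %s" % (k, v))
```

Nothing in the revision check distinguishes a legitimate server from the stray lab switch; only the domain name and the password do, which is why the slides' advice to use secure mode is not optional in a production domain.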
103
Configuring VTP
104
Configuring VTPIOS-Based SwitchSwitch# vlan database
Switch(vlan)# vtp domain domain-name
Switch(vlan)# vtp {server | client | transparent}
Optional:
Switch(vlan)# vtp password password
Switch(vlan)# vtp v2-mode (version2)
Example:
ALSwitch# vlan database
ALSwitch(vlan)# vtp domain corp
ALSwitch(vlan)# vtp client
105
Configuring VTPSet-Based SwitchSwitch(enable) set vtp [domain domain-name] [mode {server
| client | transparent}[password password]
Switch(enable) set vtp v2 enable (version 2)
Example:
DLSwitch(enable) set vtp domain corp
DLSwitch(enable) set vtp mode server
106
VTP Pruning
VTP pruning enhances network bandwidth use by reducing unnecessary flooding of traffic, such as broadcast, multicast, unknown, and flooded unicast packets.
VTP pruning increases available bandwidth by restricting flooded traffic to those trunk links that the traffic must use to access the appropriate network devices.
By default, VTP pruning is disabled.
107
VTP Pruning
108
VTP Pruning Enabling VTP pruning on a VTP server
enables pruning for the entire management domain.
VTP pruning takes effect several seconds after you enable it.
By default, VLANs 2 through 1000 are pruning eligible. – VLAN 1 is always pruning ineligible, so traffic from
VLAN 1 cannot be pruned.– You have the option to make specific VLANs
pruning eligible or pruning ineligible on the device.
109
Configuring VTP Pruning
IOS-Based SwitchSwitch# vlan database
Switch(vlan)# vtp pruning
Remove VLANs from being pruned:
Switch(config-if)# switchport trunk pruning vlan remove vlan-list
By default, all Vlans pruned in management domain
110
Configuring VTP Pruning
Set-Based SwitchSwitch(enable) set vtp pruning enable
Optional:
Switch(enable) set vtp pruneeligible vlan-range
Switch(enable) clear vtp pruning vlan-range
By default, all Vlans pruned in management domain.