VLANs, Trunking, VTP, Port Aggregation - Part 2
CIS 187 Multilayer Switched Networks, CCNP SWITCH
Rick Graziani, Spring 2011
Oct 22, 2014
Storing VLAN information
Storage of VLAN information is model dependent. Cisco: “The memory location name where the vlan.dat file is stored varies from device to device. Refer to the respective product documentation before you issue the copy command.”
VLAN information for 29xx and 35xx switches is automatically stored in the vlan.dat file in flash:
• VTP information: Domain Name, Configuration Revision Number
• VLAN information (configured or via VTP): VLAN Number, VLAN Name
DLS1(config)# vtp domain West
DLS1(config)# vlan 10
DLS1(config-vlan)# name WestSales
DLS1(config-vlan)# vlan 11
DLS1(config-vlan)# name WestEng
(Diagram: this information is written to vlan.dat.)
Storing VLAN information
Interface commands are stored in running-config and will need to be saved to startup-config in NVRAM.
DLS1(config)# inter fa 0/1
DLS1(config-if)# switchport mode access
DLS1(config-if)# switchport access vlan 10
DLS1(config-if)# end
DLS1# copy running-config startup-config
(Diagram: VLAN and VTP data in vlan.dat; interface commands in running-config, saved to startup-config.)
Storing VLAN information - No longer recommended
DLS1# vlan database
% Warning: It is recommended to configure VLAN from config mode,
as VLAN database mode is being deprecated. Please consult user
documentation for configuring VTP/VLAN in config mode.
DLS1(vlan)# exit
APPLY completed.
Exiting....
DLS1#
Note: The vlan database command is no longer recommended by Cisco. One less thing we need to remember!
VLAN Trunking Protocol
VLAN Trunking Protocol (VTP)
• Cisco-proprietary protocol.
• Automates the propagation of VLAN information between switches via trunk links.
• Minimizes misconfigurations and configuration inconsistencies.
• VTP domains define sets of interconnected switches sharing the same VTP configuration.
VTP Modes
Mode         Description
Client       • Cannot create, change, or delete VLANs on the command-line interface (CLI).
             • Forwards advertisements to other switches.
             • Synchronizes VLAN configuration with the latest information received from other switches in the management domain.
             • Does not save VLAN configuration in nonvolatile RAM (NVRAM).
Server       • Can create, modify, and delete VLANs.
             • Sends and forwards advertisements to other switches.
             • Synchronizes VLAN configuration with the latest information received from other switches in the management domain.
             • Saves VLAN configuration in NVRAM.
Transparent  • Can create, modify, and delete VLANs only on the local switch.
             • Forwards VTP advertisements received from other switches in the same management domain.
             • Does not synchronize its VLAN configuration with information received from other switches in the management domain.
             • Saves VLAN configuration in NVRAM.
VTP Versions
Three VTP versions: V1, V2, V3. Versions are not interoperable.
V2 supports token ring VLANs but V1 does not.
VTP version 3
Not part of CCNP SWITCH. Only available on CatOS, not IOS: “With 12.2(33)SXI VTP version 3 will be supported by IOS, closing the feature gap in this area compared to CAT OS. VTP version 3 will be available within all IOS feature sets.”
Features: Supports ISL VLAN range from 1 to 1001. Supports 802.1Q VLAN range up to 4095. Can transfer information regarding Private VLAN (PVLAN) structures.
http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps708/solution_guide_c78_508010.html
VTP Messages
VTP Message Types
Summary Advertisements Subset Advertisements Advertisement Requests
VTP Summary Advertisements
By default, Catalyst switches issue summary advertisements in 5-minute increments.
Informs adjacent switches of:
• VTP domain name
• Configuration revision number
When the switch receives a summary advertisement packet, the switch compares the VTP domain name to its own VTP domain name.
• If the name is different, the switch ignores the packet.
• If the name is the same, the switch then compares the configuration revision to its own revision.
• If its own configuration revision is higher or equal, the packet is ignored.
• If it is lower, an advertisement request is sent.
VTP Subset Advertisements
When you add, delete, or change a VLAN:
• The VTP server where the changes are made increments the configuration revision and issues a summary advertisement.
• One or more subset advertisements follow the summary advertisement.
• Each contains a list of VLAN information.
VTP Advertisement Requests
A switch issues a VTP advertisement request in these situations:
• The switch has been reset.
• The VTP domain name has been changed.
• The switch has received a VTP summary advertisement with a higher configuration revision than its own.
Upon receipt of an advertisement request, a VTP device sends a summary advertisement. One or more subset advertisements follow the summary advertisement.
VTP Messages
VTP Summary advertisements
• By default, sent every five minutes.
• Inform adjacent switches of the current VTP domain name and the configuration revision number.
• The receiving switch compares the VTP domain name to its own VTP domain name. If the name is different, the switch simply ignores the packet.
• If the name is the same, the switch then compares the configuration revision to its own revision. If its own configuration revision is higher or equal, the packet is ignored. Otherwise, it is lower and a VTP Advertisement Request is sent.
(Diagram: a switch with VTP Domain = Cisco, VTP Mode = Server, Config Rev = 2, VLANs = 1, 2, 3 sends a Summary to a switch with VTP Domain = Cisco, VTP Mode = Server, Config Rev = 0, VLANs = 1. Same or Different? Same. Own Config Rev higher or equal than sender’s? No, it is lower. A Subset follows the Summary.)
NOTE: Whenever you add, delete, or change (name) a VLAN on a VTP server, it increments the configuration revision number and a summary advertisement is sent.
VTP Messages
VTP Subset advertisements
• Sent in response to a VTP Advertisement Request.
• Also sent whenever there is a change to VLAN information on a VTP server: first the server sends a VTP Summary Advertisement, then the server sends a VTP Subset Advertisement.
• One or several subset advertisements follow the summary advertisement.
• A subset advertisement contains a list of VLAN information.
(Diagram: two switches, both VTP Domain = Cisco, VTP Mode = Server, Config Rev = 0, VLANs = 1; after VLANs 2 and 3 are added on the server, the Summary carries Config Rev 2 and the Subset carries VLANs 2, 3.)
(Diagram: Switches A, B and C, each VTP Domain = null, VTP Mode = Server, Config Rev = 0, VLANs = 1. No trunks configured.)
Let’s take a look at VTP Messages and Server, Client and Transparent Switches.
By default all switches are VTP Servers.
(Diagram: three switches, one Server, one Transparent and one Client, all VTP Domain = null, Config Rev = 0, VLANs = 1.)
Switch B is now a Client. Switch C is now Transparent.
• VLAN servers maintain a list of all VLANs in NVRAM.
• A client cannot add, delete or rename VLANs.
• A client does not store VLAN information in NVRAM.
• If a client reboots it loses its VLAN information and relies on a VTP server to restore the information.
(Diagram: the same three switches, Server, Transparent and Client, all VTP Domain = null, Config Rev = 0, VLANs = 1.)
Transparent mode switches must have their VLANs configured manually.
• They do not participate in VTP or advertise their VLANs.
• Ideal for switches with VLANs which should be local to that switch.
(Diagram: Switch A (Server) is now VTP Domain = Cisco, Config Rev = 2, VLANs = 1, 2, 3; the Transparent and Client switches are still VTP Domain = null, Config Rev = 0, VLANs = 1.)
VTP server: Domain Name configured as Cisco. VLANs 2 and 3 added. Config Rev increased to 2 (one for each VLAN added).
(Diagram: Switch A VTP Domain = Cisco, VTP Mode = Server, Config Rev = 2, VLANs = 1, 2, 3; Switch B (Client) and Switch C (Transparent) both VTP Domain = null, Config Rev = 0, VLANs = 1. After the exchange Switch B has Domain = Cisco, Config Rev = 2, VLANs = 1, 2, 3.)
VTP works only over trunk links.
• Switch A (Server) sends a summary advertisement over trunk links on VLAN 1. Includes Domain and Revision Number. Multicast 01-00-0C-CC-CC-CC.
• Switch B updates its Domain. Because of the higher revision number in the Summary, B replies with an Advertisement Request.
• Switch A sends a VTP Subset advertisement. Switch B updates its VLAN configuration revision number and VLANs. (May be preceded by another Summary advertisement.)
(Diagram: Switch A VTP Domain = Cisco, VTP Mode = Server, Config Rev = 2, VLANs = 1, 2, 3; Switch B VTP Domain = Cisco, VTP Mode = Client, Config Rev = 2, VLANs = 1, 2, 3; Switch C VTP Mode = Transparent, Config Rev = 0, configured with Domain = Cisco and VLANs 1, 2, 3, 4, 5, 6.)
VTP advertisements sent to the Transparent switch. (Shown together)
• Switch C does not make any changes based on these advertisements.
• Now, let’s say Switch C is configured with: Domain name Cisco, VLANs 2, 3, 4, 5, 6.
• Even though in the same domain, Switch C does not advertise these VLANs to other switches.
• The Configuration Revision number remains at 0 even when the VLAN configuration is changed.
• A Transparent switch relays the VTP messages it receives to other switches if it is in the same domain or in a null domain (let’s take a look…).
(Diagram: Switch A VTP Domain = Cisco, VTP Mode = Server, Config Rev = 2, VLANs = 1, 2, 3; Switch B VTP Domain = Cisco, VTP Mode = Client, Config Rev = 2, VLANs = 1, 2, 3; Switch C VTP Domain = Cisco, VTP Mode = Transparent, Config Rev = 0, VLANs = 1, 2, 3, 4, 5, 6, which relays VTP advertisements with no changes to its Rev or VLANs; Switch D VTP Domain = null, VTP Mode = Client, Config Rev = 0, VLANs = 1, which ends up with Domain = Cisco, Config Rev = 2, VLANs = 1, 2, 3.)
VTP Client Switch D added to the network.
• Switch A (Server) sends a summary advertisement over trunk links on VLAN 1.
• Switch D updates its Domain and replies with an Advertisement Request.
• Switch A sends a VTP Subset advertisement.
• Switch D updates its VLAN configuration revision number and VLANs.
Understanding and Troubleshooting Common VTP Issues
(Diagram: Switch A VTP Domain = West, VTP Mode = Server, Config Rev = 3, VLANs = 1, 10, 11, 12; Switch B VTP Domain = West, VTP Mode = Server, Config Rev = 3, VLANs = 1, 20, 21, 22. Each says: “We both have the same Config Rev number so no changes.” After VLAN 30 is added on Switch A, both show Config Rev = 4 and VLANs = 1, 10, 11, 12, 30.)
Both switches are VTP Servers and in the same Domain, but with different VLAN information. Let’s see what happens when trunking is enabled between the switches…
• When two switches with the same Domain Name and the same Configuration Revision Number exchange VTP information: No change.
• If Switch A adds a new VLAN, VLAN 30, its Config Rev is increased by 1. Switch A will send VTP information to Switch B, which will synchronize its VLAN information with Switch A, losing its current “local” VLANs.
Example: Using DLS1 (Switch A) and DLS2 (Switch B)
DLS1(config)# inter range fa 0/1 - 24
DLS1(config-if-range)# switchport mode dynamic auto
DLS2(config)# inter range fa 0/1 - 24
DLS2(config-if-range)# switchport mode dynamic auto
DLS1# show inter trunk
DLS1#
Note: Because the Pod2 2690’s and 3560’s are incorrectly defaulting to dynamic desirable they will trunk by default, which we do not want in this example. This was also done on ALS1 and ALS2 to prevent any trunking.
When DLS1 gets a higher Config Rev Number…
DLS1# show vlan
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/1, Fa0/2, Fa0/3, Fa0/4
Fa0/5, Fa0/6, Fa0/9, Fa0/13
Fa0/14, Fa0/15, Fa0/16, Fa0/17
Fa0/18, Fa0/19, Fa0/20, Fa0/21
Fa0/22, Fa0/23, Fa0/24, Gi0/1
Gi0/2
1002 fddi-default active
1003 token-ring-default active
1004 fddinet-default active
1005 trnet-default active
Default VLANs
When DLS1 gets a higher Config Rev Number…
DLS1#show vtp status
VTP Version : 2
Configuration Revision : 0
Maximum VLANs supported locally : 1005
Number of existing VLANs : 5
VTP Operating Mode : Server
VTP Domain Name :
VTP Pruning Mode : Disabled
VTP V2 Mode : Disabled
VTP Traps Generation : Disabled
MD5 digest : 0x57 0xCD 0x40 0x65 0x63 0x59 0x47 0xBD
Configuration last modified by 0.0.0.0 at 0-0-00 00:00:00
Local updater ID is 0.0.0.0 (no valid interface found)
DLS1#
Default VTP information:
• Configuration Revision Number = 0. Increased by 1 whenever a VLAN is added or deleted.
• VTP Mode = Server
• VTP Domain Name = <blank> (null)
When DLS1 gets a higher Config Rev Number…
DLS2# show vlan
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/1, Fa0/2, Fa0/3, Fa0/4
<output omitted>
Gi0/1, Gi0/2
1002 fddi-default active
1003 token-ring-default active
1004 fddinet-default active
1005 trnet-default active
DLS2# show vtp status
VTP Version : 2
Configuration Revision : 0
Maximum VLANs supported locally : 1005
Number of existing VLANs : 5
VTP Operating Mode : Server
VTP Domain Name :
<output omitted>
Same on DLS2.
When DLS1 gets a higher Config Rev Number…
DLS1(config)# vtp domain West
DLS1(config)# vlan 10
DLS1(config-vlan)# name WestSales
DLS1(config-vlan)# vlan 11
DLS1(config-vlan)# name WestEng
DLS1(config-vlan)# vlan 12
DLS1(config-vlan)# name WestAdmin
DLS1# show vtp status
VTP Version : 2
Configuration Revision : 3
Maximum VLANs supported locally : 1005
Number of existing VLANs : 8
VTP Operating Mode : Server
VTP Domain Name : West
<output omitted>
Add the VTP Domain Name and configure VLANs. Configuration Revision changed to 3 (one for each VLAN). Remember, no trunking (yet).
When DLS1 gets a higher Config Rev Number…
DLS1# show vlan
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/1, Fa0/2, Fa0/3, Fa0/4
<output omitted>
Gi0/1, Gi0/2
10 WestSales active
11 WestEng active
12 WestAdmin active
Verified.
When DLS1 gets a higher Config Rev Number…
DLS2(config)# vtp domain West
DLS2(config)# vlan 20
DLS2(config-vlan)# name WestAcct
DLS2(config-vlan)# vlan 21
DLS2(config-vlan)# WestMngt
DLS2(config-vlan)# name WestMngt
DLS2(config-vlan)# vlan 22
DLS2(config-vlan)# name WestManuf
DLS2# show vtp status
VTP Version : 2
Configuration Revision : 3
Maximum VLANs supported locally : 1005
Number of existing VLANs : 8
VTP Operating Mode : Server
VTP Domain Name : West
<output omitted>
Now on DLS2: add the VTP Domain Name and configure different VLANs. Configuration Revision changed to 3. Still no trunking.
When DLS1 gets a higher Config Rev Number…
DLS2# show vlan
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/1, Fa0/2, Fa0/3, Fa0/4
<output omitted>
Gi0/1, Gi0/2
20 WestAcct active
21 WestMngt active
22 WestManuf active
Verified.
When DLS1 gets a higher Config Rev Number…
DLS1(config)# inter range fa 0/11 - 12
DLS1(config-if-range)# switchport trunk encap dot1q
DLS1(config-if-range)# switchport mode trunk
DLS1# show inter trunk
Port        Mode         Encapsulation  Status        Native vlan
Fa0/11      on           802.1q         trunking      1
Fa0/12      on           802.1q         trunking      1
Trunking configured between DLS1 and DLS2. VTP messages can now be sent, but there are no changes because the Configuration Revision numbers are the same.
When DLS1 gets a higher Config Rev Number…
DLS1# show vtp status
VTP Version : 2
Configuration Revision : 3
Maximum VLANs supported locally : 1005
Number of existing VLANs : 8
VTP Operating Mode : Server
VTP Domain Name : West
<output omitted>
DLS2# show vtp status
VTP Version : 2
Configuration Revision : 3
Maximum VLANs supported locally : 1005
Number of existing VLANs : 8
VTP Operating Mode : Server
VTP Domain Name : West
<output omitted>
Configuration Revision still 3. Number of existing VLANs (known by each switch) still 8.
When DLS1 gets a higher Config Rev Number…
DLS1# show vlan
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/1, Fa0/2, Fa0/3, Fa0/4
<output omitted>
Fa0/23, Fa0/24, Gi0/1, Gi0/2
10 WestSales active
11 WestEng active
12 WestAdmin active
DLS2# show vlan
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/1, Fa0/2, Fa0/3, Fa0/4
<output omitted>
Fa0/23, Fa0/24, Gi0/1, Gi0/2
20 WestAcct active
21 WestMngt active
22 WestManuf active
Verify that there are no DLS2 VLANs on DLS1. Verify that there are no DLS1 VLANs on DLS2.
When DLS1 gets a higher Config Rev Number…
DLS1(config)# vlan 30
DLS1(config-vlan)# name Guest
DLS1# show vtp status
VTP Version : 2
Configuration Revision : 4
Maximum VLANs supported locally : 1005
Number of existing VLANs : 9
VTP Operating Mode : Server
VTP Domain Name : West
<output omitted>
VLAN 30 added on DLS1. Configuration Revision increased by 1 to 4. DLS1 now has the higher Configuration Revision number between the
two servers (the highest in the Domain).
When DLS1 gets a higher Config Rev Number…
DLS1# show vlan
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/1, Fa0/2, Fa0/3, Fa0/4
<output omitted>
Fa0/23, Fa0/24, Gi0/1, Gi0/2
10 WestSales active
11 WestEng active
12 WestAdmin active
30 Guest active
Verified.
When DLS1 gets a higher Config Rev Number…
DLS2# show vtp status
VTP Version : 2
Configuration Revision : 4
Maximum VLANs supported locally : 1005
Number of existing VLANs : 9
VTP Operating Mode : Server
VTP Domain Name : West
<output omitted>
DLS2 receives VTP update from DLS1 with higher Configuration Revision Number.
DLS2 synchronizes its VLAN database with DLS1’s information including Configuration Revision Number and VLAN information.
When DLS1 gets a higher Config Rev Number…
Previous VLANs:
DLS2# show vlan
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/1, Fa0/2, Fa0/3, Fa0/4
<output omitted>
Fa0/23, Fa0/24, Gi0/1, Gi0/2
20 WestAcct active
21 WestMngt active
22 WestManuf active
Current VLANs sync’d with DLS1:
DLS2# show vlan
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/1, Fa0/2, Fa0/3, Fa0/4
<output omitted>
Fa0/23, Fa0/24, Gi0/1, Gi0/2
10 WestSales active
11 WestEng active
12 WestAdmin active
30 Guest active
DLS2 lost its previous VLANs 20, 21, and 22. DLS2’s VLAN database was overwritten with DLS1’s information. Good news: both Servers are now in sync (identical), so any further change will mean the VLAN information is the same on both.
When DLS1 gets a higher Config Rev Number…
DLS2(config)# vlan 20
DLS2(config-vlan)# name WestAcct
DLS2(config-vlan)# vlan 21
DLS2(config-vlan)# name WestMngt
DLS2(config-vlan)# vlan 22
DLS2(config-vlan)# name WestManuf
DLS2# show vtp status
VTP Version : 2
Configuration Revision : 7
Maximum VLANs supported locally : 1005
Number of existing VLANs : 12
VTP Operating Mode : Server
VTP Domain Name : West
To correct this we need to add the VLANs back to DLS2. DLS2 will send a VTP update to DLS1 so the VLAN information will be the same.
When DLS1 gets a higher Config Rev Number…
DLS2# show vlan
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/1, Fa0/2, Fa0/3, Fa0/4
<output omitted>
Fa0/23, Fa0/24, Gi0/1, Gi0/2
10 WestSales active
11 WestEng active
12 WestAdmin active
20 WestAcct active
21 WestMngt active
22 WestManuf active
30 Guest active
Verified.
When DLS1 gets a higher Config Rev Number…
DLS1# show vtp status
VTP Version : 2
Configuration Revision : 7
Maximum VLANs supported locally : 1005
Number of existing VLANs : 12
VTP Operating Mode : Server
VTP Domain Name : West
<output omitted>
DLS1# show vlan
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/1, Fa0/2, Fa0/3, Fa0/4
<output omitted>
Fa0/23, Fa0/24, Gi0/1, Gi0/2
10 WestSales active
11 WestEng active
12 WestAdmin active
20 WestAcct active
21 WestMngt active
22 WestManuf active
30 Guest active
DLS1 receives VTP update and updates VLAN information including Configuration Revision number.
Domain is still in sync.
What happens when a Client/Server enters with a higher Configuration Revision number?
• Both switches are in the same domain.
• Switch C can be Client OR Server.
• Switch C has the higher Configuration Revision number.
• Even if Switch C is a Client, when it enters the VTP domain it will overwrite DLS1’s VLAN information because it has the higher Configuration Revision number.
(Diagram: Switch C VTP Domain = West, VTP Mode = Client (or Server), Config Rev = 13, VLANs = 1, 20, 21, 22, 30; DLS1 VTP Domain = West, VTP Mode = Server, Config Rev = 10, VLANs = 1, 10, 11, 12, 20, 21, 22, 30. DLS1’s Config Rev becomes 13.)
Client/Server enters with Higher Revision
DLS1(config)# inter fa 0/1
DLS1(config-if)# switchport mode access
DLS1(config-if)# switchport access vlan 10
DLS1(config-if)# exit
DLS1(config)# inter fa 0/2
DLS1(config-if)# switchport mode access
DLS1(config-if)# switchport access vlan 11
DLS1# show vlan
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/3, Fa0/4, Fa0/5, Fa0/6
<output omitted>
Gi0/1, Gi0/2
10 WestSales active Fa0/1
11 WestEng active Fa0/2
12 WestAdmin active
20 WestAcct active
21 WestMngt active
22 WestManuf active
30 Guest active
Assign VLANs to interfaces. (no specific reason)
Client/Server enters with Higher Revision
DLS1(config)# inter range fa 0/11 - 12
DLS1(config-if-range)# shutdown
Shut down the interfaces so we can modify DLS2 (Switch B). We will add the trunk back to simulate a switch being entered into the network.
Client/Server enters with Higher Revision
DLS1# show vtp status
VTP Version : 2
Configuration Revision : 10
Maximum VLANs supported locally : 1005
Number of existing VLANs : 12
VTP Operating Mode : Server
VTP Domain Name : West
<output omitted>
DLS2# show vtp status
VTP Version : 2
Configuration Revision : 10
Maximum VLANs supported locally : 1005
Number of existing VLANs : 12
VTP Operating Mode : Server
VTP Domain Name : West
Right now both switches have the same Configuration Revision number; let’s change that.
Note: The Configuration Revision numbers are not necessarily the same as in the previous example because this was done in a different session.
Client/Server enters with Higher Revision
DLS2#show vlan
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/1, Fa0/2, Fa0/3, Fa0/4
<output omitted>
Gi0/1, Gi0/2
10 WestSales active
11 WestEng active
12 WestAdmin active
20 WestAcct active
21 WestMngt active
22 WestManuf active
30 Guest active
We are going to remove these three VLANs on DLS2 so it has different VLANs and a higher Configuration Revision Number.
Remember, DLS1 has the same VLAN information and also has Fa0/1 in VLAN 10 and Fa0/2 in VLAN 11.
Client/Server enters with Higher Revision
DLS2(config)# no vlan 10
DLS2(config)# no vlan 11
DLS2(config)# no vlan 12
DLS2(config)# vtp mode client
Setting device to VTP CLIENT mode.
DLS2# show vtp status
VTP Version : 2
Configuration Revision : 13
Maximum VLANs supported locally : 1005
Number of existing VLANs : 9
VTP Operating Mode : Client
VTP Domain Name : West
<output omitted>
Three VLANs deleted. VTP mode changed to Client. Configuration Revision updated from 10 to 13.
Client/Server enters with Higher Revision
DLS2# show vlan
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/1, Fa0/2, Fa0/3, Fa0/4
<output omitted>
Gi0/1, Gi0/2
20 WestAcct active
21 WestMngt active
22 WestManuf active
30 Guest active
Verify VLANs 10, 11, and 12 were deleted.
Client/Server enters with Higher Revision
DLS1# show vtp status
VTP Version : 2
Configuration Revision : 10
Maximum VLANs supported locally : 1005
Number of existing VLANs : 12
VTP Operating Mode : Server
VTP Domain Name : West
<output omitted>
DLS1 has a lower Configuration Revision number 10. DLS2’s Configuration Revision number is 13.
DLS1(config)# inter range fa 0/11 - 12
DLS1(config-if-range)# no shutdown
DLS1# show vtp status
VTP Version : 2
Configuration Revision : 13
Maximum VLANs supported locally : 1005
Number of existing VLANs : 9
VTP Operating Mode : Server
VTP Domain Name : West
<output omitted>
DLS2# show vtp status
VTP Version : 2
Configuration Revision : 13
Maximum VLANs supported locally : 1005
Number of existing VLANs : 9
VTP Operating Mode : Client
VTP Domain Name : West
<output omitted>
DLS2 (Switch B) is brought online (no shutdown on DLS1).
DLS2 (Client) has higher Configuration Revision number 13.
DLS1 (Switch A) with lower revision number (10) updates its VLAN information to be in sync with DLS2 including its Configuration Revision number to 13.
VTP Revision Number
Previous VLANs:
DLS1# show vlan
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/3, Fa0/4, Fa0/5, Fa0/6
<output omitted>
Gi0/1, Gi0/2
10 WestSales active Fa0/1
11 WestEng active Fa0/2
12 WestAdmin active
20 WestAcct active
21 WestMngt active
22 WestManuf active
30 Guest active
Current VLANs sync’d with DLS2:
DLS1# show vlan
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/3, Fa0/4, Fa0/5, Fa0/6
<output omitted>
Gi0/1, Gi0/2
20 WestAcct active
21 WestMngt active
22 WestManuf active
30 Guest active
Missing VLANs 10, 11, and 12.
Fix it
DLS1(config)# vlan 10
DLS1(config-vlan)# name WestSales
DLS1(config-vlan)# vlan 11
DLS1(config-vlan)# name WestEng
DLS1(config-vlan)# vlan 12
DLS1(config-vlan)# name WestAdmin
DLS1# show vlan
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/3, Fa0/4, Fa0/5, Fa0/6
<output omitted>
Gi0/1, Gi0/2
10 WestSales active Fa0/1
11 WestEng active Fa0/2
12 WestAdmin active
20 WestAcct active
21 WestMngt active
22 WestManuf active
30 Guest active
To fix it we must reconfigure the VLANs on DLS1. Interfaces Fa0/1 and Fa0/2 are brought from inactive back to active.
DLS2# show vlan
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/1, Fa0/2, Fa0/3, Fa0/4
<output omitted>
Fa0/23, Fa0/24, Gi0/1, Gi0/2
10 WestSales active
11 WestEng active
12 WestAdmin active
20 WestAcct active
21 WestMngt active
22 WestManuf active
30 Guest active
DLS2(config)# no vlan 10
VTP VLAN configuration not allowed when device is in CLIENT mode.
DLS2(config)#
DLS2 gets VLANS 10, 11, 12 in VTP update from DLS1. DLS2 is a Client and can no longer delete (or add) VLANs.
DLS1# show vtp status
VTP Version : 2
Configuration Revision : 16
Maximum VLANs supported locally : 1005
Number of existing VLANs : 12
VTP Operating Mode : Server
VTP Domain Name : West
DLS2# show vtp status
VTP Version : 2
Configuration Revision : 16
Maximum VLANs supported locally : 1005
Number of existing VLANs : 12
VTP Operating Mode : Client
VTP Domain Name : West
Still in sync!
(Diagram: DLS2 VTP Domain = West, VTP Mode = Client (or Server), Config Rev = 16, VLANs = 1, 10, 11, 12, 20, 21, 22, 30; DLS1 VTP Domain = West, VTP Mode = Server, Config Rev = 16, VLANs = 1, 10, 11, 12, 20, 21, 22, 30.)
How to make sure a switch has a Lower Config Rev: VTP Mode
Setting a switch to Transparent mode resets the configuration revision to 0. Then set it back to Client or Server.
(Diagram: DLS2 VTP Domain = West, VTP Mode = Client, Config Rev = 16, VLANs = 1 is set to Transparent (Config Rev = 0) and then back to Client. DLS1 VTP Domain = West, VTP Mode = Server, Config Rev = 10, VLANs = 1, 10, 11, 12, 20, 21, 22, 30 is unchanged, and DLS2 synchronizes to Config Rev = 10 and VLANs = 1, 10, 11, 12, 20, 21, 22, 30.)
DLS2(config)# vtp mode ?
  client       Set the device to client mode.
  server       Set the device to server mode.
  transparent  Set the device to transparent mode.
DLS2(config)#
Not all VTP Messages shown.
How to make sure a switch has a Lower Config Rev: VTP Domain
Changing the Domain Name on a switch resets the configuration revision to 0. Then set it back to the correct Domain Name.
(Diagram: DLS2 VTP Domain =  West, VTP Mode = Client, Config Rev = 16, VLANs = 1 is changed to domain East (Config Rev = 0) and then back to West. DLS1 VTP Domain = West, VTP Mode = Server, Config Rev = 16, VLANs = 1, 10, 11, 12, 20, 21, 22, 30 is unchanged, and DLS2 synchronizes to Config Rev = 16 and VLANs = 1, 10, 11, 12, 20, 21, 22, 30.)
DLS2(config)# vtp domain West
Changing VTP domain name from East to West
Not all VTP Messages shown.
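The VTP behaviour the slides walk through (summary advertisement processing, the Server/Client/Transparent differences, a higher revision overwriting the whole domain, and the two ways of resetting a revision to 0 before a switch joins) as a runnable model. This is an added example, not code from the slides or from Cisco: the Switch class, its method names, the switch names and the VLAN lists are all constructed, the subset advertisement is modelled by simply copying the sender's VLAN table, and the trunk topology is assumed to be loop-free.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Switch:
    """One VTP v1/v2 participant. Switch names and VLAN lists used below are constructed."""
    name: str
    mode: str = "server"                         # server | client | transparent
    domain: Optional[str] = None                 # None models the null domain
    revision: int = 0
    vlans: dict = field(default_factory=lambda: {1: "default"})
    trunks: list = field(default_factory=list)   # neighbouring Switch objects (loop-free topology)

    # Configuration commands, named after the IOS commands they model.
    def vtp_domain(self, name):
        if name != self.domain:                  # a new name resets the revision ("VTP Domain" fix)
            self.domain, self.revision = name, 0

    def vtp_mode(self, mode):
        if mode == "transparent":                # going through transparent resets it ("VTP Mode" fix)
            self.revision = 0
        self.mode = mode

    def vlan(self, vid, name=None):
        """'vlan <id>' + 'name <name>', or 'no vlan <id>' when name is None."""
        if self.mode == "client":
            raise PermissionError("VTP VLAN configuration not allowed when device is in CLIENT mode.")
        if name is None:
            self.vlans.pop(vid, None)
        else:
            self.vlans[vid] = name
        if self.mode == "server":                # transparent stays at 0 and advertises nothing
            self.revision += 1
            self.send_summary()

    def trunk_to(self, other):                   # bring up a trunk; both ends advertise
        self.trunks.append(other)
        other.trunks.append(self)
        self.send_summary()
        other.send_summary()

    # VTP messages: the summary carries domain and revision; the subset is modelled by copying vlans.
    def send_summary(self, exclude=None):
        for nbr in self.trunks:
            if nbr is not exclude:
                nbr.receive_summary(self, via=self)

    def receive_summary(self, origin, via):
        if self.mode == "transparent":           # never synchronises (relaying is left out here)
            return
        if self.domain is None:                  # null domain adopts the first name it hears
            self.domain = origin.domain
        if self.domain != origin.domain:         # different domain: ignore
            return
        if self.revision >= origin.revision:     # own revision higher or equal: ignore
            return
        self.vlans = dict(origin.vlans)          # lower: advertisement request, then install the subset
        self.revision = origin.revision
        self.send_summary(exclude=via)           # forward on the remaining trunks


def scenario_two_servers():
    """Equal revisions leave both servers alone; one added VLAN then overwrites DLS2."""
    a, b = Switch("DLS1", domain="West"), Switch("DLS2", domain="West")
    for vid, nm in ((10, "WestSales"), (11, "WestEng"), (12, "WestAdmin")):
        a.vlan(vid, nm)
    for vid, nm in ((20, "WestAcct"), (21, "WestMngt"), (22, "WestManuf")):
        b.vlan(vid, nm)
    a.trunk_to(b)                                # rev 3 on both: no change
    before = (b.revision, sorted(b.vlans))
    a.vlan(30, "Guest")                          # rev 4 > 3: DLS2's VLANs 20-22 are gone
    return before, (b.revision, sorted(b.vlans))


def scenario_client_with_higher_revision():
    """A client with the higher revision overwrites the server and cannot add VLANs back."""
    db = {1: "default", 10: "WestSales", 20: "WestAcct", 30: "Guest"}
    a = Switch("DLS1", domain="West", revision=10, vlans=dict(db))
    b = Switch("DLS2", domain="West", revision=10, vlans=dict(db))
    b.vlan(10)                                   # trunk is shut, so rev 10 -> 11 is not advertised
    b.vtp_mode("client")
    a.trunk_to(b)                                # trunk comes back up
    try:
        b.vlan(10, "WestSales")
        blocked = False
    except PermissionError:
        blocked = True
    return a.revision, sorted(a.vlans), blocked


def scenario_reset_before_joining(use_domain_change=False):
    """Bounce through transparent, or rename the domain, so the newcomer starts at revision 0."""
    a = Switch("DLS1", domain="West", revision=10, vlans={1: "default", 10: "WestSales"})
    b = Switch("DLS2", mode="client", domain="West", revision=16)
    if use_domain_change:
        b.vtp_domain("East")
        b.vtp_domain("West")
    else:
        b.vtp_mode("transparent")
        b.vtp_mode("client")
    a.trunk_to(b)
    return b.revision, sorted(b.vlans), a.revision
```

The three scenario functions follow the slides in order: two servers at the same revision stay untouched until one of them changes a VLAN, a client with a higher revision wins against the server and then cannot repair the damage, and a newcomer reset to revision 0 adopts the domain's database instead of replacing it.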
VTP Pruning
VTP Pruning
Prevents flooded traffic from propagating to switches that do not have members in specific VLANs.
VTP pruning uses VLAN advertisements to determine when a trunk connection is flooding traffic needlessly.
VTP Pruning
How would VLANs affect the ARP broadcast? Host C and Host D would not receive the ARP Request. But the broadcast would be transmitted across all trunk links.
If VTP pruning is enabled, ALS1 would not send broadcasts for VLAN 120 to DLS1 or DLS2 (dashed lines).
VTP pruning increases the available bandwidth by restricting flooded traffic to those trunk links that the traffic must use to access the appropriate network devices.
(Diagram: ALS1 trunks to DLS1 and DLS2, both marked “No access ports on VLAN 120”; the VLAN 120 broadcast toward them is pruned, shown with an X.)
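The pruning decision above, computed for a small constructed topology. This is an added example and not code from the slides or from Cisco; the switch names, links and access VLAN memberships are made up, the topology is assumed to be a loop-free tree, and the rule applied is the one the slide states: a trunk keeps flooding a VLAN only toward a side that has a member of that VLAN. VLAN 1 and 1002-1005 are treated as never pruned, which is how Cisco switches behave.

```python
PRUNE_INELIGIBLE = {1, 1002, 1003, 1004, 1005}   # never pruned by VTP pruning


def reachable_beyond(topology, start, blocked_link):
    """Switches reachable from `start` without crossing `blocked_link` (a {a, b} set); tree assumed."""
    seen, stack = set(), [start]
    while stack:
        node = stack.pop()
        if node in seen:
            continue
        seen.add(node)
        for nbr in topology[node]:
            if {node, nbr} != blocked_link:
                stack.append(nbr)
    return seen


def flooded_vlans(topology, access_vlans, switch, neighbour):
    """VLANs that `switch` still floods toward `neighbour` with pruning on: whatever a switch
    on the far side of that trunk has joined, plus the VLANs pruning never touches."""
    far_side = reachable_beyond(topology, neighbour, {switch, neighbour})
    joined = set().union(*(access_vlans.get(s, set()) for s in far_side))
    return joined | PRUNE_INELIGIBLE


def pruned_vlans(topology, access_vlans, switch, neighbour):
    """VLANs that `switch` stops flooding toward `neighbour` once pruning is enabled."""
    everything = set().union(*access_vlans.values())
    return everything - flooded_vlans(topology, access_vlans, switch, neighbour)


def prune_table(topology, access_vlans):
    """One entry per trunk direction, the way 'show interfaces trunk' on each switch would report it."""
    return {(sw, nbr): sorted(pruned_vlans(topology, access_vlans, sw, nbr))
            for sw in topology for nbr in topology[sw]}


# Constructed lab: ALS1 - DLS1 - DLS2 - ALS2 in a line; only ALS1 has hosts in VLAN 120.
TOPOLOGY = {"ALS1": ["DLS1"], "DLS1": ["ALS1", "DLS2"], "DLS2": ["DLS1", "ALS2"], "ALS2": ["DLS2"]}
ACCESS_VLANS = {"ALS1": {1, 10, 120}, "DLS1": {10}, "DLS2": set(), "ALS2": {10, 20}}

if __name__ == "__main__":
    for (sw, nbr), pruned in prune_table(TOPOLOGY, ACCESS_VLANS).items():
        print(f"{sw} -> {nbr}: pruned {pruned}")
```

With this input ALS1 prunes VLAN 120 toward DLS1 because nothing beyond that trunk has an access port in it, exactly the case on the slide, while VLAN 10 is never pruned anywhere because every segment has a member.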
VTP Pruning is disabled by default
DLS1# show vtp status
VTP Version : 2
Configuration Revision : 2
Maximum VLANs supported locally : 1005
Number of existing VLANs : 9
VTP Operating Mode : Server
VTP Domain Name : Cabrillo
VTP Pruning Mode : Disabled
VTP V2 Mode : Disabled
VTP Traps Generation : Disabled
MD5 digest : 0xAB 0x0C 0xEB 0xDE 0x6A 0x89 0x0C 0xAD
Configuration last modified by 10.1.1.101 at 3-1-93 00:17:55
Local updater ID is 10.1.1.101 on interface Vl1 (lowest numbered VLAN interface found)
DLS1#
It is easy to configure
DLS1(config)# vtp pruning
DLS1(config)# end
DLS1# show vtp status
VTP Version : 2
Configuration Revision : 2
Maximum VLANs supported locally : 1005
Number of existing VLANs : 9
VTP Operating Mode : Server
VTP Domain Name : Cabrillo
VTP Pruning Mode : Enabled
VTP V2 Mode : Disabled
VTP Traps Generation : Disabled
MD5 digest : 0xAB 0x0C 0xEB 0xDE 0x6A 0x89 0x0C 0xAD
Configuration last modified by 10.1.1.101 at 3-1-93 00:17:55
Local updater ID is 10.1.1.101 on interface Vl1 (lowest numbered VLAN interface found)
DLS1#
Enable VTP pruning on all switches.
VTP Authentication
• VTP domains can be secured by using the VTP password feature. Passwords and domain name must be the same; otherwise, a switch will not become a member of the VTP domain.
• Cisco switches use MD5 to encode passwords in 16-byte words.
• Propagated inside VTP summary advertisements.
• Case-sensitive and can be 8 to 64 characters in length.
• VTP authentication is a recommended practice. Default: No VTP password.
Switch(config)# vtp password password_string
VTP Troubleshooting
• Check that switches are interconnected by active trunk links.
• Check that the trunking protocol matches on opposite ends of a trunk link.
• Check the VTP domain name (case-sensitive) and password.
• Check the VTP mode of the switches.
• Check the VTP versions of the switches.
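The troubleshooting checklist above, applied automatically to the 'show vtp status' output that appears throughout these slides. This is an added example, not a Cisco tool and not code from the slides: the two sample outputs are constructed in the same format as the ones shown earlier (a factory-default switch and a synchronized client), the field names are read straight from that format, and the finding codes are made up for this example. The password itself is not visible in 'show vtp status', so that check is left to the operator.

```python
import re

# Constructed sample: a factory-default switch, as on the "Default VTP information" slide.
DEFAULT_STATUS = """\
VTP Version : 2
Configuration Revision : 0
Maximum VLANs supported locally : 1005
Number of existing VLANs : 5
VTP Operating Mode : Server
VTP Domain Name :
VTP Pruning Mode : Disabled
VTP V2 Mode : Disabled
VTP Traps Generation : Disabled
MD5 digest : 0x57 0xCD 0x40 0x65 0x63 0x59 0x47 0xBD
Configuration last modified by 0.0.0.0 at 0-0-00 00:00:00
Local updater ID is 0.0.0.0 (no valid interface found)
"""

# Constructed sample: a client that is a member of domain West with pruning enabled.
MEMBER_STATUS = """\
VTP Version : 2
Configuration Revision : 16
Maximum VLANs supported locally : 1005
Number of existing VLANs : 12
VTP Operating Mode : Client
VTP Domain Name : West
VTP Pruning Mode : Enabled
VTP V2 Mode : Disabled
"""

# "Key : value" lines only; the timestamp line has no " :" and is skipped on purpose.
FIELD = re.compile(r"^(?P<key>.+?)\s+:\s*(?P<val>.*)$")


def parse_vtp_status(text):
    """Return the 'Key : value' fields of one 'show vtp status' output as a dict."""
    fields = {}
    for line in text.splitlines():
        m = FIELD.match(line.strip())
        if m:
            fields[m.group("key")] = m.group("val").strip()
    return fields


def audit(status_by_switch):
    """Apply the checklist across several switches; returns (switch, finding) pairs.
    '*' marks an inconsistency between switches rather than a single switch's setting."""
    parsed = {name: parse_vtp_status(text) for name, text in status_by_switch.items()}
    findings = []
    for name, f in parsed.items():
        if not f.get("VTP Domain Name"):
            findings.append((name, "null-domain"))        # will adopt the first name it hears
        if f.get("VTP Pruning Mode") == "Disabled":
            findings.append((name, "pruning-disabled"))   # slides: enable pruning on all switches
    for key, code in (("VTP Domain Name", "domain-mismatch"),
                      ("VTP V2 Mode", "v2-mode-mismatch"),
                      ("Configuration Revision", "revision-mismatch")):
        if len({f.get(key) for f in parsed.values()}) > 1:
            findings.append(("*", code))
    return findings


def highest_revision(status_by_switch):
    """The switch whose database would win a synchronization. Compare a switch's
    revision against the domain's before trunking it in."""
    revs = {name: int(parse_vtp_status(text).get("Configuration Revision", "0"))
            for name, text in status_by_switch.items()}
    winner = max(revs, key=revs.get)
    return winner, revs[winner]


if __name__ == "__main__":
    for finding in audit({"DLS1": DEFAULT_STATUS, "DLS2": MEMBER_STATUS}):
        print(finding)
    print("highest revision:", highest_revision({"DLS1": DEFAULT_STATUS, "DLS2": MEMBER_STATUS}))
```

Feeding it the outputs of every switch in a domain before a change turns the checklist into one comparison; the highest_revision result is the number to look at before a spare or lab switch is trunked into a production domain.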
Default, Native and Management VLANs
FLAN: Predecessor to the VLAN
Extended VLANs
• VLANs are typically from VLAN 1 through VLAN 1005. The IEEE 802.1Q standard provides for support of up to 4096 VLANs.
• VLANs 0 and 4095 are reserved by the IEEE 802.1Q standard and you cannot create, delete, or modify them (not displayed).
• Beginning with Cisco IOS Release 12.4(15)T, you can configure VLAN IDs in the range from 1006 to 4094 on specified routers. There are some configuration restrictions; for example, they may only be configurable on VTP Transparent and Client switches. For more information:
http://www.cisco.com/en/US/docs/ios/12_4t/12_4t15/ht_xvlan.html
(Diagram: Normal VLANs 1 - 1005; Extended VLANs 1006 – 4095.)
Native VLAN
By default all traffic is carried across VLAN 1. VLAN 1 is:
• The default VLAN (all user traffic).
• The Native VLAN: no trunking encapsulation even if configured as a trunk.
• The VLAN for CDP, VTP, PAgP (Port Aggregation Protocol), LACP (Link Aggregation Control Protocol), and DTP.
A topic that causes considerable confusion is the native VLAN.
(Diagram: VLAN 1 is the Native VLAN, un-tagged (if trunking there is no 802.1Q or ISL encapsulation); carries CDP, VTP, PAgP, LACP, DTP; the Default VLAN.)
Native VLAN
The IEEE committee that defined 802.1Q decided to support a native VLAN for backwards compatibility:
• Allows 802.1Q capable ports to talk to old 802.3 ports directly by sending and receiving untagged traffic.
• Loss of identification also means a loss of classification.
You should avoid using VLAN 1 (or whatever your Native VLAN is) for data traffic, so it can be classified for QoS. We will see examples later with IP Telephony.
Note: We have not yet discussed routing between these VLANs. (But we will!)
Common VLAN configuration
Best Practices
Native VLAN
Can be modified to be a VLAN other than VLAN 1.
Must be the same on both ends, both switches.
Should not be used for the user VLAN or the Management VLAN.
Control traffic (CDP, VTP, PAgP, DTP) is still transmitted over VLAN 1. If the Native VLAN is other than VLAN 1 then control traffic is sent tagged.
It is fine to leave VLAN 1 as the Native VLAN, but it should only carry control traffic and not user or management traffic.
Note: A router uses subinterfaces for trunking and the native VLAN is configured using the native option. (Discussed later)
Best Practices
Management VLAN
The Management VLAN is the VLAN used to reach (ping, telnet) devices.
Switch(config)# hostname DLS2
DLS2(config)# interface vlan 99
DLS2(config-if)# ip address 10.0.99.1 255.255.255.0
Best Practices
Garbage VLAN
This is the VLAN you can assign to all switch ports until they are assigned to a user or management VLAN.
A way of isolating or managing all non-business traffic.
You may wish to limit this VLAN to access ports and not include this VLAN across trunk links.
DLS2(config)# interface range fa 0/1 - 24
DLS2(config-if)# switchport mode access
DLS2(config-if)# switchport access vlan 222
Best Practices
Limiting VLANs on a trunk
You can manually configure which VLANs should be allowed on a trunk.
If you remove VLAN 1 from a trunk port, the interface continues to send and receive management traffic (CDP, PAgP, LACP, DTP and VTP) in VLAN 1.
Sometimes done to reduce the risk of VLAN 1 STP loops or storms, usually due to misconfiguration. (CCIE stuff)
DLS2(config)# interface fa 0/11
DLS2(config-if)# switchport trunk allowed vlan 1,10-99
DLS2(config-if)# switchport trunk allowed vlan remove 20
Best Practices
Looking at a complete configuration for a trunk link
DLS2(config)# interface fa 0/11
DLS2(config-if)# switchport trunk encapsulation dot1q
DLS2(config-if)# switchport mode trunk
DLS2(config-if)# switchport trunk native vlan 2
DLS2(config-if)# switchport trunk allowed vlan 1,10-99
DLS2(config-if)# switchport trunk allowed vlan remove 20
Private VLAN
Private VLANs
Private VLANs (pVLAN) provide isolation between ports within the same VLAN.
pVLANs require VTP switches to be in transparent mode. pVLANs can go across trunks.
(Figure: Community VLAN A ports, Community VLAN B ports, Isolated VLAN C ports and Promiscuous ports on a VTP Transparent switch)
Private VLANs
pVLANs:
Provide security
Reduce the number of IP subnets
Service providers use pVLANs to deploy hosting services and network access where all devices reside in the same subnet but only communicate with a default gateway, servers or another network.
(Figure: hosts in the same subnet but different pVLANs, reached through promiscuous ports)
Private VLANs
pVLANs consist of two supporting VLANs:
Primary VLAN: the high-level VLAN. Can have many secondary VLANs. Secondary VLANs belong to the same subnet as the Primary VLAN.
Secondary VLAN: child to a Primary. End devices belong to a secondary VLAN.
(Figure: secondary VLANs under one primary VLAN, with promiscuous ports)
Private VLANs
Two types of secondary VLANs:
Community VLANs: these ports communicate with other ports in the same community and with promiscuous ports.
Isolated VLANs: these ports can only communicate with promiscuous ports.
(Figure: community VLANs, isolated VLANs, promiscuous ports)
Community VLAN ports communicate with other ports in the same community and with promiscuous ports. What devices can Community VLAN A PCs communicate with? What devices can Community VLAN B PCs communicate with?
Isolated VLAN ports can only communicate with promiscuous ports. What devices can Isolated VLAN C PCs communicate with?
(Figure: Community VLAN A ports, Community VLAN B ports, Isolated VLAN C ports, Promiscuous ports)
Private VLANs
Configuring pVLANs: Creating the pVLANs
Switch(config)# vlan 100
Switch(config-vlan)# private-vlan primary
Switch(config)# vlan 200
Switch(config-vlan)# private-vlan community
Switch(config)# vlan 201
Switch(config-vlan)# private-vlan community
Switch(config)# vlan 300
Switch(config-vlan)# private-vlan isolated
Switch(config)# vlan 100
Switch(config-vlan)# private-vlan association 200,201,300
Switch(config)# interface vlan 100
Switch(config-if)# private-vlan mapping add 200,201,300
Configure the Primary VLAN.
Configure the Secondary VLANs (two community, one isolated).
Associate the secondary VLANs to the primary VLAN.
Map the secondary VLANs to the Layer 3 VLAN interface of the primary VLAN to allow Layer 3 switching (later).
(Figure: secondary VLANs and the primary VLAN)
Private VLANs
(Figure: the configuration above applied to the diagram; VLAN 100 is the primary, VLAN 200 the Community A ports, VLAN 201 the Community B ports, VLAN 300 the Isolated C ports, plus the Promiscuous ports)
Configuring pVLANs: Port Association
Switch(config)# interface range fa 0/1 - 5
Switch(config-if)# switchport mode private-vlan promiscuous
Switch(config-if)# exit
Switch(config)# interface range fa 0/10 - 12
Switch(config-if)# switchport mode private-vlan host
Switch(config-if)# switchport private-vlan host-association 100 200
Switch(config-if)# exit
Switch(config)# interface range fa 0/15 - 18
Switch(config-if)# switchport mode private-vlan host
Switch(config-if)# switchport private-vlan host-association 100 201
Switch(config-if)# exit
Switch(config)# interface range fa 0/20 - 25
Switch(config-if)# switchport mode private-vlan host
Switch(config-if)# switchport private-vlan host-association 100 300
Switch(config-if)# exit
Configure access ports for promiscuous mode.
Configure access ports for community pVLANs.
Configure access ports for isolated pVLANs.
(Figure: the host-association arguments are Primary then Secondary)
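Added example (not from the slides or from Cisco): a small Python model of the private-VLAN forwarding rules, loaded with the pVLAN and port-association configuration above, that answers the earlier questions about which devices Community A, Community B and Isolated C PCs can reach. The port table and its names are constructed for this example.

```python
"""
Constructed model of private-VLAN forwarding, populated with the slide
configuration: primary VLAN 100; community VLANs 200 and 201; isolated
VLAN 300; promiscuous ports Fa0/1-5; host ports Fa0/10-12 (200),
Fa0/15-18 (201) and Fa0/20-25 (300).
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

PRIMARY_VLAN = 100
# Secondary VLAN -> type, as created with "private-vlan community|isolated"
SECONDARY: Dict[int, str] = {200: "community", 201: "community", 300: "isolated"}
# "private-vlan association 200,201,300" on the primary VLAN
ASSOCIATED = frozenset(SECONDARY)


@dataclass(frozen=True)
class Port:
    name: str
    mode: str                  # "promiscuous" or "host"
    secondary: Optional[int]   # host-association secondary VLAN; None when promiscuous


def host_ports(first: int, last: int, secondary: int) -> List[Port]:
    """switchport mode private-vlan host + host-association PRIMARY secondary."""
    if secondary not in ASSOCIATED:
        raise ValueError(f"VLAN {secondary} is not associated with primary {PRIMARY_VLAN}")
    return [Port(f"Fa0/{n}", "host", secondary) for n in range(first, last + 1)]


def promiscuous_ports(first: int, last: int) -> List[Port]:
    """switchport mode private-vlan promiscuous."""
    return [Port(f"Fa0/{n}", "promiscuous", None) for n in range(first, last + 1)]


# Constructed port table mirroring the slide's interface ranges.
PORTS: List[Port] = (
    promiscuous_ports(1, 5)      # e.g. the default gateway / shared servers
    + host_ports(10, 12, 200)    # Community VLAN A
    + host_ports(15, 18, 201)    # Community VLAN B
    + host_ports(20, 25, 300)    # Isolated VLAN C
)


def can_forward(src: Port, dst: Port) -> bool:
    """True if a frame received on src may be forwarded out dst under pVLAN rules."""
    if src is dst:
        return False
    # A promiscuous port can reach, and be reached from, every port in the primary VLAN.
    if "promiscuous" in (src.mode, dst.mode):
        return True
    # Two host ports only talk when they share the same *community* secondary VLAN;
    # isolated hosts never reach each other, even inside the same isolated VLAN.
    same_secondary = src.secondary == dst.secondary
    return same_secondary and SECONDARY[src.secondary] == "community"


def reachable_from(port_name: str) -> List[str]:
    """Names of all ports a device on port_name can communicate with."""
    src = next(p for p in PORTS if p.name == port_name)
    return [p.name for p in PORTS if can_forward(src, p)]


if __name__ == "__main__":
    for name in ("Fa0/10", "Fa0/15", "Fa0/20", "Fa0/1"):
        print(f"{name:7} -> {', '.join(reachable_from(name))}")
```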
Configuring pVLANs - Review
(Review slide: repeats the pVLAN creation, association, mapping and port-association configuration from the previous two slides, labelled with primary VLAN 100 and secondary VLANs 200, 201 and 300)
Port Aggregation (EtherChannel)
CIS 187 Multilayer Switched Networks
CCNP SWITCH
Rick Graziani
Spring 2010
Configuring Link Aggregation with Etherchannel
Spanning Tree and EtherChannel
Spanning Tree only allows a single link between switches to prevent bridging loops.
Cisco's EtherChannel technology allows for the scaling of link bandwidth by aggregating or bundling parallel links. The bundle is treated as a single, logical link, which can be an access or a trunk link. This allows you to expand the link's capacity without having to purchase new hardware (modules, devices).
(Figure: EtherChannel bundle)
EtherChannel
EtherChannel allows for two to eight links.
Fast Ethernet (FE): Fast EtherChannel, up to 1600 Mbps
Gigabit Ethernet (GE): Gigabit EtherChannel, up to 16 Gbps
10-Gigabit Ethernet (10GE): 10 Gigabit EtherChannel, up to 160 Gbps
This does not mean the total bandwidth of the bundle equals the sum of the links. The load is not always distributed evenly (coming).
EtherChannel
The Cisco Catalyst family of switches supports two types of link aggregation:
Port Aggregation Protocol (PAgP) - Cisco proprietary. Default when a port channel is created (coming).
Link Aggregation Control Protocol (LACP) - Industry standard, 802.3ad-based protocol.
EtherChannel provides redundancy. If one link fails, traffic is automatically moved to an active link. Transparent to the end user. LACP (coming) also allows for standby links.
The key is consistency for all links in the bundle:
Media: same media type and speed, same duplex.
VLANs: all ports within the bundle must be configured with the same VLAN (if access), or the same trunking encapsulation and mode (if trunk). The mode on opposite switches does not have to be the same as long as it still forms a trunk. The same Native VLAN. Pass the same set of VLANs.
(Figure: both links Fast Ethernet, full duplex, dot1q auto, native = VLAN 2, VLANs 1 thru 100)
Distribution of Traffic and Load Balancing
Load is not balanced equally across links. EtherChannel uses a hashing algorithm.
If a single input is used (such as the Source IP address), the hash will only look at the bits associated with this input. (coming)
If two inputs are used (such as the Source IP address and Destination IP address), the hash will perform an exclusive OR (XOR) operation on both inputs. (coming!)
Both of these compute a binary number that selects a link number in the bundle to carry the frame. (coming!!!)
Load Balancing
Let's take a brief look at how this works. We will focus on the 2, 4 and 8 link possibilities as these are easier to understand and the only options that provide more ideal load balancing.
A 2 link EtherChannel bundle requires a 1-bit index using an XOR. If the index is 0, link 0 is selected; if the index is 1, link 1 is selected.
A 4 link EtherChannel bundle requires a 2-bit index using an XOR. 4 possible links: 00, 01, 10, 11
An 8 link EtherChannel bundle requires a 3-bit index using an XOR. 8 possible links: 000, 001, 010, 011, 100, 101, 110, 111
Boolean Operations - XOR
XOR (Exclusive OR) operation: 0 = FALSE, 1 = TRUE
If both bits have the same value (both 0, both 1), the XOR will result in a 0. Otherwise, if they differ (one is a 0 and the other a 1), the result will be 1.
One and ONLY one input value can be TRUE for the output to be TRUE.
Rick is going to surf the Hook XOR Liquor Stores at noon. I cannot surf BOTH spots. If I did this would not be TRUE.
(Figure: TRUE XOR TRUE = FALSE)
Boolean Operations – XOR Gate
XOR operation: 0 = FALSE, 1 = TRUE. Only one input value is TRUE for the output to be TRUE.
Truth Table
Inputs   Output
0 0      0
0 1      1
1 0      1
1 1      0
Load Balancing
Example: 2 Link EtherChannel. Packet sent from 172.16.1.1 to 10.10.10.46. The chosen hash uses the Source IP and Destination IP address.
At most there can only be 8 links in a bundle, so only the 3 rightmost (least-significant) bits of the addresses will ever need to be indexed or examined. 3 bits give us 8 choices (8 links max in a bundle).
172.16.1.1 => last octet 00000001
10.10.10.46 => last octet 00101110
In our example we have 2 links in the EtherChannel (1 bit index): the XOR is performed only on the rightmost bit. 1 XOR 0 = 1, so Link 1 is used.
Load Balancing
Example: 2 Link EtherChannel. Our hash used the Source IP and Destination IP address.
The XOR on the rightmost bit of our Source IP and Destination IP address could result in Link 0 or Link 1 being used. It depends on the last bit of each address!
172.16.1.1 => 00000001
10.10.10.46 => 00101110
If the XOR of the two bits results in 0, then link 0 is used. If the XOR of the two bits results in 1, then link 1 is used.
Load Balancing
Example: 4 Link EtherChannel. Packet sent from 172.16.1.1 to 10.10.10.46. Our hash used the Source IP and Destination IP address.
172.16.1.1 => 00000001
10.10.10.46 => 00101110
If there are 4 links in the EtherChannel (2 bit index): the XOR is performed only on the 2 rightmost bits, 01 XOR 10. Each bit is computed separately: 1 XOR 0 = 1 and 0 XOR 1 = 1, so 01 XOR 10 = 11.
Link 3 (11 in binary) is used.
Load Balancing
Example: 8 Link EtherChannel. Packet sent from 172.16.1.1 to 10.10.10.46. Our hash used the Source IP and Destination IP address.
172.16.1.1 => 00000001
10.10.10.46 => 00101110
If there are 8 links in the EtherChannel (3 bit index): the XOR is performed only on the 3 rightmost bits, 001 XOR 110. Each bit is computed separately: 1 XOR 0 = 1, 0 XOR 1 = 1 and 0 XOR 1 = 1, so 001 XOR 110 = 111.
Link 7 (111 in binary) is used.
For more information
For information about load balancing with a number of links other than 2, 4 or 8: Understanding EtherChannel Load Balancing and Redundancy on Catalyst Switches
http://www.cisco.com/en/US/tech/tk389/tk213/technologies_tech_note09186a0080094714.shtml
Configuring EtherChannel
Configuring EtherChannel Load Balancing
Switch(config)# port-channel load-balance method
The load balancing method is configured in global configuration mode.
Load Balancing
Switch(config)# port-channel load-balance ?
  dst-ip       Dst IP Addr
  dst-mac      Dst Mac Addr
  src-dst-ip   Src XOR Dst IP Addr
  src-dst-mac  Src XOR Dst Mac Addr
  src-ip       Src IP Addr
  src-mac      Src Mac Addr
Hash operation per method: dst-ip, dst-mac, src-ip and src-mac use the bits of that single address; src-dst-ip and src-dst-mac XOR the two addresses. src-mac is the default.
6500 and 4500 switches also allow the hash input to be based on: dst-port (destination port), src-dst-port (source and destination ports).
Defaults for 29xx and 35xx (this may vary so check documentation): Layer 2 switching (switched port) is src-mac (coming); Layer 3 switching (routed port) is src-dst-ip (coming).
For non-IP traffic the switch will distribute frames based on MAC addresses.
Multicasts and broadcasts sent over one link in the EtherChannel are not sent back over other links in the EtherChannel.
Load Balancing
Switch(config)# port-channel load-balance src-dst-ip
Normally, the default Source IP and Destination IP addresses will result in a fair statistical distribution of frames.
This is because of the random nature of multiple Source and Destination IP addresses.
However, if a single server's destination IP address is receiving most of the traffic, this may cause one link to be overused in a two link EtherChannel, two links in a four link EtherChannel, or four links in an eight link EtherChannel.
Use only Source IP address or include MAC addresses to create a more balanced load across the bundle.
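Added example (not from the slides or from Cisco IOS): Python that reproduces the XOR link-selection arithmetic walked through in the 2-, 4- and 8-link examples above, then tallies how a set of flows lands on the links under the dst-ip, src-ip and src-dst-ip methods, to show the single-busy-server effect just described. The flow list is constructed for this example and only the 2/4/8-link cases are modelled, as in the slides.

```python
"""
Constructed model of the EtherChannel link-selection hash described in
the slides.  Only the rightmost 1, 2 or 3 bits of each address are used,
matching a 2-, 4- or 8-link bundle; two-input methods XOR those bits.
"""
import ipaddress
from collections import Counter
from typing import Dict, Iterable, Tuple


def index_bits(n_links: int) -> int:
    """2 links -> 1 bit, 4 links -> 2 bits, 8 links -> 3 bits (slide cases only)."""
    if n_links not in (2, 4, 8):
        raise ValueError("only 2, 4 and 8 link bundles are modelled here")
    return n_links.bit_length() - 1


def low_bits(addr: str, bits: int) -> int:
    """The `bits` least-significant bits of an IPv4/IPv6 address."""
    return int(ipaddress.ip_address(addr)) & ((1 << bits) - 1)


def select_link(src_ip: str, dst_ip: str, n_links: int, method: str = "src-dst-ip") -> int:
    """Link index (0..n_links-1) chosen for a packet under the given load-balance method."""
    bits = index_bits(n_links)
    s, d = low_bits(src_ip, bits), low_bits(dst_ip, bits)
    table = {"src-ip": s, "dst-ip": d, "src-dst-ip": s ^ d}
    if method not in table:
        raise ValueError(f"unsupported method {method!r}")
    return table[method]


def hash_trace(src_ip: str, dst_ip: str, n_links: int) -> str:
    """Bit-by-bit rendering like the slides, e.g. '001 XOR 110 = 111 -> link 7'."""
    bits = index_bits(n_links)
    s, d = low_bits(src_ip, bits), low_bits(dst_ip, bits)
    return f"{s:0{bits}b} XOR {d:0{bits}b} = {s ^ d:0{bits}b} -> link {s ^ d}"


def distribution(flows: Iterable[Tuple[str, str]], n_links: int, method: str) -> Dict[int, int]:
    """How many of the given (src, dst) flows land on each link, including empty links."""
    counts = Counter(select_link(s, d, n_links, method) for s, d in flows)
    return {link: counts.get(link, 0) for link in range(n_links)}


# Constructed: eight clients all talking to one busy server (10.10.10.46).
BUSY_SERVER_FLOWS = [(f"172.16.1.{h}", "10.10.10.46") for h in range(1, 9)]

if __name__ == "__main__":
    for n in (2, 4, 8):
        print(f"{n}-link bundle: {hash_trace('172.16.1.1', '10.10.10.46', n)}")
    # dst-ip piles every flow onto one link; src-ip or src-dst-ip spreads them.
    for m in ("dst-ip", "src-ip", "src-dst-ip"):
        print(f"{m:10} over 2 links: {distribution(BUSY_SERVER_FLOWS, 2, m)}")
```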
EtherChannel Protocols
The Cisco Catalyst family of switches supports both:
Port Aggregation Protocol (PAgP) - Cisco proprietary. Default when a port channel is created (coming).
Link Aggregation Control Protocol (LACP) - Industry standard, 802.3ad-based protocol.
Not many differences. When a Cisco switch is connected to a non-Cisco switch use LACP. Must be the same on both ends!
(Figure: PAgP pairs with PAgP, LACP pairs with LACP)
EtherChannel Protocols
DLS1(config)# interface range fa 0/1 - 4
DLS1(config-if-range)# channel-protocol ?
  lacp  Prepare interface for LACP protocol
  pagp  Prepare interface for PAgP protocol
DLS1(config-if-range)# channel-protocol pagp
PAgP requires identical static VLANs or trunking encapsulation with the same allowed VLANs.
If the VLAN, speed or duplex on a port in the bundle is changed, PAgP automatically reconfigures the rest of the ports in that bundle.
(Figure: Fa0/1 through Fa0/4 bundled)
EtherChannel Protocols
DLS1(config-if-range)# channel-group number mode {active | on | {auto [non-silent]} | {desirable [non-silent]} | passive}
Channel-group number: 1 - 64. Does not need to be the same on both switches, but it is recommended that it usually is.
(Figure: Fa0/1 through Fa0/4 in one channel group)
No PAgP or LACP negotiation
DLS1(config)# interface range fa 0/1 - 4
DLS1(config-if-range)# channel-protocol pagp
DLS1(config-if-range)# channel-group 1 mode ?
  active     Enable LACP unconditionally
  auto       Enable PAgP only if a PAgP device is detected
  desirable  Enable PAgP unconditionally
  on         Enable Etherchannel only
  passive    Enable LACP only if a LACP device is detected
on - Forces the port to channel without PAgP negotiation. Both ends must be on. All ports channeling.
You can use channel-group # mode on when the connecting device does not support PAgP and you need to set up the channel unconditionally.
(Figure: on to on forms an EtherChannel)
PAgP modes
An interface in desirable mode can form an EtherChannel with another interface that is in desirable or auto mode. Desirable (Active) - Actively asks to form a channel.
(Figure: desirable to desirable and desirable to auto both form an EtherChannel)
PAgP modes
An interface in auto mode can form an EtherChannel with another interface in desirable mode. Auto (default, passive) - Waits to be asked to form a channel.
An interface in auto mode cannot form an EtherChannel with another interface that is also in auto mode because neither interface starts PAgP negotiation.
(Figure: auto to desirable forms an EtherChannel)
PAgP Silent FYI
DLS1(config-if-range)# channel-group 1 mode auto ?
  non-silent  Start negotiation only after data packets received
By default PAgP uses the silent submode for desirable and auto. If you expect a switch to be on the other end you should use non-silent.
"Use the non-silent keyword when you connect to a device that transmits bridge protocol data units (BPDUs) or other traffic."
"Use the silent keyword when you connect to a silent partner (which is a device that does not generate BPDUs or other traffic)."
Either will work between switches. For more information on when to use silent or non-silent:
http://www.cisco.com/en/US/tech/tk389/tk213/technologies_configuration_example09186a0080094953.shtml
LACP modes
DLS1(config)# interface range fa 0/1 - 4
DLS1(config-if-range)# channel-protocol lacp
DLS1(config-if-range)# channel-group 1 mode ?
  active     Enable LACP unconditionally
  auto       Enable PAgP only if a PAgP device is detected
  desirable  Enable PAgP unconditionally
  on         Enable Etherchannel only
  passive    Enable LACP only if a LACP device is detected
An interface in the active mode can form an EtherChannel with another interface that is in the active or passive mode.
(Figure: active to active and active to passive both form an EtherChannel)
LACP modes
An interface in the passive mode can form an EtherChannel with another interface that is in the active mode.
An interface in the passive mode cannot form an EtherChannel with another interface that is also in the passive mode because neither interface starts LACP negotiation.
(Figure: passive to active forms an EtherChannel)
Forming EtherChannels
EtherChannel without negotiation: on - on
PAgP Negotiated EtherChannel: desirable - desirable, desirable - auto
LACP Negotiated EtherChannel: active - active, active - passive
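Added example (not from the slides or from Cisco): a Python checker that applies both conditions the slides give for a bundle to come up, the mode pairings summarised above and the per-link consistency rules (same speed, duplex, VLAN, encapsulation, native VLAN and allowed VLANs) from the earlier consistency slide. The MemberPort class, its attribute names and the sample ports are constructed for this example.

```python
"""
Constructed checker for EtherChannel formation: channel-group modes on the
two ends must negotiate (on/on, PAgP desirable with desirable or auto, LACP
active with active or passive) and every member port must match in media,
duplex and VLAN configuration.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

PAGP_MODES = {"desirable", "auto"}
LACP_MODES = {"active", "passive"}
ALL_MODES = PAGP_MODES | LACP_MODES | {"on"}


def negotiation_result(local: str, remote: str) -> Optional[str]:
    """Return 'on', 'PAgP' or 'LACP' if the two modes form an EtherChannel, else None."""
    modes = {local, remote}
    if not modes <= ALL_MODES:
        raise ValueError(f"unknown channel-group mode in {modes}")
    if modes == {"on"}:
        return "on"                      # forced, no negotiation; both ends must be on
    if modes <= PAGP_MODES and "desirable" in modes:
        return "PAgP"                    # auto/auto never starts negotiation
    if modes <= LACP_MODES and "active" in modes:
        return "LACP"                    # passive/passive never starts negotiation
    return None                          # on vs negotiated, or PAgP mixed with LACP


@dataclass(frozen=True)
class MemberPort:
    name: str
    speed_mbps: int
    duplex: str                          # "full" or "half"
    switchport_mode: str                 # "access" or "trunk"
    access_vlan: Optional[int] = None
    encapsulation: Optional[str] = None  # "dot1q" or "isl" for trunks
    native_vlan: Optional[int] = None
    allowed_vlans: FrozenSet[int] = frozenset()


def consistency_errors(ports: List[MemberPort]) -> List[str]:
    """Attributes on which a member differs from the first port in the bundle."""
    if not 2 <= len(ports) <= 8:
        return [f"bundle must have 2 to 8 links, got {len(ports)}"]
    ref = ports[0]
    checked = ["speed_mbps", "duplex", "switchport_mode"]
    # Access members must agree on the VLAN; trunk members on encapsulation,
    # native VLAN and the set of allowed VLANs.
    checked += (["access_vlan"] if ref.switchport_mode == "access"
                else ["encapsulation", "native_vlan", "allowed_vlans"])
    errors = []
    for p in ports[1:]:
        for attr in checked:
            if getattr(p, attr) != getattr(ref, attr):
                errors.append(f"{p.name}: {attr} differs from {ref.name}")
    return errors


def bundle_forms(local_mode: str, remote_mode: str, local_ports: List[MemberPort]) -> bool:
    """True only when the modes negotiate and the local members are consistent."""
    return (negotiation_result(local_mode, remote_mode) is not None
            and not consistency_errors(local_ports))


def trunk_port(name: str, native: int = 2) -> MemberPort:
    """Constructed member matching the slide figure: FE, full duplex, dot1q, VLANs 1-100."""
    return MemberPort(name, 100, "full", "trunk", None, "dot1q", native, frozenset(range(1, 101)))


if __name__ == "__main__":
    good = [trunk_port("Fa0/11"), trunk_port("Fa0/12")]
    bad = [trunk_port("Fa0/11"), trunk_port("Fa0/12", native=1)]
    print(negotiation_result("desirable", "auto"), bundle_forms("desirable", "auto", good))
    print(negotiation_result("auto", "auto"), consistency_errors(bad))
```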
Configuring PAgP
DLS1(config)# port-channel load-balance dst-ip
DLS1(config)# interface range fa 0/11 - 12
DLS1(config-if-range)# switchport trunk encapsulation dot1q
DLS1(config-if-range)# switchport mode trunk
DLS1(config-if-range)# channel-protocol pagp
DLS1(config-if-range)# channel-group 1 mode desirable
Notice: Load balancing does not have to match, but usually it does. DTP on DLS2 is dynamic auto (the result is a trunk with DLS1). PAgP is configured on both ends.
DLS2(config)# port-channel load-balance src-dst-ip
DLS2(config)# interface range fa 0/11 - 12
DLS2(config-if-range)# switchport trunk encapsulation dot1q
DLS2(config-if-range)# channel-protocol pagp
DLS2(config-if-range)# channel-group 1 mode auto
Verifying
DLS1# show run
!
port-channel load-balance dst-ip
!
interface Port-channel1
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface FastEthernet0/1
! ...
interface FastEthernet0/11
 switchport trunk encapsulation dot1q
 switchport mode trunk
 channel-group 1 mode desirable
!
interface FastEthernet0/12
 switchport trunk encapsulation dot1q
 switchport mode trunk
 channel-group 1 mode desirable
DLS2# show run
!
port-channel load-balance src-dst-ip
!
interface Port-channel1
 switchport trunk encapsulation dot1q
!
!
interface FastEthernet0/1
! ...
interface FastEthernet0/11
 switchport trunk encapsulation dot1q
 channel-group 1 mode auto
!
!
interface FastEthernet0/12
 switchport trunk encapsulation dot1q
 channel-group 1 mode auto
We will discuss the significance of the Port-channel interface with MLS.
Verifying
DLS1# show etherchannel protocol
Group: 1
----------
Protocol: PAgP
DLS1# show etherchannel load-balance
EtherChannel Load-Balancing Operational State (dst-ip):
Non-IP: Destination MAC address
IPv4: Destination IP address
IPv6: Destination IP address
DLS1# show etherchannel summary
Flags:  D - down        P - in port-channel
        I - stand-alone s - suspended
        H - Hot-standby (LACP only)
        R - Layer3      S - Layer2
        U - in use      f - failed to allocate aggregator
        u - unsuitable for bundling
        w - waiting to be aggregated
        d - default port
Number of channel-groups in use: 1
Number of aggregators: 1
Group Port-channel Protocol Ports
------+-------------+-----------+-------------------------------
1 Po1(SU) PAgP Fa0/11(P) Fa0/12(P)
DLS1# show etherchannel port
Group: 1
----------
Port: Fa0/11
------------
Port state    = Up Mstr In-Bndl
Channel group = 1           Mode = Desirable-Sl     Gcchange = 0
Port-channel  = Po1         GC   = 0x00010001       Pseudo port-channel = Po1
Port index    = 0           Load = 0x00             Protocol = PAgP
Flags:  S - Device is sending Slow hello.  C - Device is in Consistent state.
<output omitted>
Timers: H - Hello timer is running.        Q - Quit timer is running.
<output omitted>
Local information:
                                Hello    Partner  PAgP     Learning  Group
Port      Flags State   Timers  Interval Count   Priority   Method  Ifindex
Fa0/11    SC
Partner's information:
          Partner              Partner          Partner         Partner Group
Port      Name                 Device ID        Port       Age  Flags   Cap.
Fa0/11    DLS2                 001b.8fc8.0080
Age of the port in the current state: 00d:00h:35m:29s
Port: Fa0/12
------------
...
Can help determine if the load balancing is being distributed equally across the links
Configuring LACP
DLS1(config)# port-channel load-balance dst-ip
DLS1(config)# lacp system-priority 11111
DLS1(config)# interface range fa 0/11 - 12
DLS1(config-if-range)# switchport trunk encapsulation dot1q
DLS1(config-if-range)# switchport mode trunk
DLS1(config-if-range)# channel-protocol lacp
DLS1(config-if-range)# channel-group 1 mode active
DLS1(config-if-range)# lacp port-priority 99
DLS1(config)# interface range fa 0/13 - 14
DLS1(config-if-range)# switchport trunk encapsulation dot1q
DLS1(config-if-range)# switchport mode trunk
DLS1(config-if-range)# channel-protocol lacp
DLS1(config-if-range)# channel-group 1 mode active
Port Priority - (Optional for LACP) LACP uses the port priority to decide which ports should be put in standby mode. Not typically used (more with hardware limitations). Ports with a lower priority value are active, the rest are standby. (Default is 32768)
System Priority - (Optional for LACP) Valid values are 1 through 65535. Higher numbers have lower priority. (Default is 32768; the switch MAC is the tiebreaker.) Recommended only when some ports are in standby.
Fa0/13-14 have a higher port-priority value, so these will become the standby links should something happen to any of the active links.
Default port-priority = 32768
Configuring LACP: DLS1 and DLS2
DLS2(config)# port-channel load-balance src-dst-ip
DLS2(config)# interface range fa 0/11 - 12
DLS2(config-if-range)# switchport trunk encapsulation dot1q
DLS2(config-if-range)# channel-protocol lacp
DLS2(config-if-range)# channel-group 1 mode passive
DLS2(config)# interface range fa 0/13 - 14
DLS2(config-if-range)# switchport trunk encapsulation dot1q
DLS2(config-if-range)# switchport mode trunk
DLS2(config-if-range)# channel-protocol lacp
DLS2(config-if-range)# channel-group 1 mode active
DLS1(config)# port-channel load-balance dst-ip
DLS1(config)# lacp system-priority 11111
DLS1(config)# interface range fa 0/11 - 12
DLS1(config-if-range)# switchport trunk encapsulation dot1q
DLS1(config-if-range)# switchport mode trunk
DLS1(config-if-range)# channel-protocol lacp
DLS1(config-if-range)# channel-group 1 mode active
DLS1(config-if-range)# lacp port-priority 99
DLS1(config)# interface range fa 0/13 - 14
DLS1(config-if-range)# switchport trunk encapsulation dot1q
DLS1(config-if-range)# switchport mode trunk
DLS1(config-if-range)# channel-protocol lacp
DLS1(config-if-range)# channel-group 1 mode active
Verifying (only showing DLS1)
DLS1# show run
!
port-channel load-balance dst-ip
!
interface Port-channel1
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface FastEthernet0/11
 switchport trunk encapsulation dot1q
 switchport mode trunk
 lacp port-priority 99
 channel-group 1 mode active
!
interface FastEthernet0/12
 switchport trunk encapsulation dot1q
 switchport mode trunk
 lacp port-priority 99
 channel-group 1 mode active
!
interface FastEthernet0/13
 switchport trunk encapsulation dot1q
 switchport mode trunk
 channel-group 1 mode active
!
interface FastEthernet0/14
 switchport trunk encapsulation dot1q
 switchport mode trunk
 channel-group 1 mode active
Verifying
DLS1# show etherchannel protocol
Group: 1
----------
Protocol: LACP
DLS1# show etherchannel load-balance
EtherChannel Load-Balancing Operational State (dst-ip):
Non-IP: Destination MAC address
IPv4: Destination IP address
IPv6: Destination IP address
Verifying
DLS1# show etherchannel summary
Flags:  D - down        P - in port-channel
        I - stand-alone s - suspended
        H - Hot-standby (LACP only)
        R - Layer3      S - Layer2
        U - in use      f - failed to allocate aggregator
        u - unsuitable for bundling
        w - waiting to be aggregated
        d - default port
Number of channel-groups in use: 1
Number of aggregators: 1
Group Port-channel Protocol Ports
------+-------------+-----------+-----------------------------------------
1 Po1(SU) LACP Fa0/11(P) Fa0/12(P) Fa0/13(H) Fa0/14(H)
DLS1#
Odds and Ends (FYI)
Trunk ports send and receive PAgP and LACP protocol data units (PDUs) on the lowest numbered VLAN.
Spanning tree sends packets over the first interface in the EtherChannel.
For more information on Configuring EtherChannel:
http://www.cisco.com/en/US/docs/switches/lan/catalyst3550/software/release/12.1_13_ea1/configuration/guide/swethchl.html
Troubleshooting Trunk Links
Ensure that the Layer 2 interface mode configured on both ends of the link is valid.
The trunk mode should be trunk or desirable for at least one side of the trunk.
Ensure that the trunk encapsulation type configured on both ends of the link is valid and compatible.
On IEEE 802.1Q trunks, make sure the native VLAN is the same on both ends of the trunk.
When using DTP, ensure that both ends of the link are in the same VTP domain.
Chapter 2 Summary
A VLAN is a logical grouping of switch ports independent of physical location. Local VLANs are now recommended over end-to-end VLAN implementations.
A trunk is a Layer 2 point-to-point link between networking devices carrying the traffic of multiple VLANs.
ISL and 802.1Q are the two trunking protocols that can connect two switches.
VTP is used to distribute and synchronize information about VLANs configured throughout a switched network.
VTP pruning helps to stop flooding of unnecessary traffic on trunk links.
Device communication within the same VLAN can be fine-tuned using pVLANs. A pVLAN is associated to a primary VLAN, and then mapped to one or several ports. A primary VLAN can map to one isolated and several community VLANs. pVLANs can span across several switches using regular 802.1q trunks or pVLAN trunks.
Use EtherChannel by aggregating individual, similar links between switches. EtherChannel can be dynamically configured between switches using either the Cisco-proprietary PAgP or the IEEE 802.3ad LACP. EtherChannel load balances traffic over all the links in the bundle. The method that is chosen directly impacts the efficiency of this load-balancing mechanism.
Best Practices for VLAN Design
One to three VLANs per access module, and limit those VLANs to a couple of access switches and the distribution switches.
Avoid using VLAN 1 as the "blackhole" for all unused ports. Use a dedicated VLAN separate from VLAN 1 to assign all the unused ports.
Separate the voice VLANs, data VLANs, the management VLAN, the native VLAN, blackhole VLANs, and the default VLAN (VLAN 1).
Avoid VTP when using local VLANs; use manually allowed VLANs on trunks.
For trunk ports, turn off Dynamic Trunking Protocol (DTP) and configure trunking.
Use IEEE 802.1Q rather than ISL because it has better support for QoS and is a standard protocol.
Manually configure access ports that are not specifically intended for a trunk link.
Prevent all data traffic from VLAN 1; only permit control protocols to run on VLAN 1 (DTP, VTP, STP BPDUs, PAgP, LACP, CDP, etc.).
Avoid using Telnet because of security risks; enable SSH support on management VLANs.