Introduction to VLANs

advertisement
Cabrillo College
CCNP – Multilayer Switching
Introduction to VLANs
Rick Graziani, Instructor
March 27, 2001
1
VLANs

Switched networks that are logically
segmented on an organizational basis
by functions, project teams, or
applications rather than on a physical or
geographical basis
2
VLANs




Can be thought of as a broadcast domain that
exists within a defined set of switches
Provide the segmentation services
traditionally provided by routers
Offer scalability, security, and improved
network management
Routers in VLAN topologies provide
broadcast filtering, security, address
summarization, and traffic flow management.
3
VLANs
What are the issues if these were only separate subnets and not
vlans? To solve this problem, normally the router would only be
attached to one subnet and the hosts on physically separate
subnets, in order to divide the broadcast domains.
4
VLANs
5
VLANs are secure


Whenever a station transmits in a shared
network such as a legacy half-duplex
10BaseT system, all stations attached to the
segment receive a copy of the frame, even if
they are not the intended recipients.
Anyone with such a network sniffer can
capture passwords, sensitive e-mail, and any
other traffic on the shared network.
6
VLANs are secure - Switches

Switches allow for microsegmentation
– Each user that connects directly to a switch
port is on his or her own segment.
• If every device has its own segment
(switchport) then only the sender and receiver
will “see” unicast traffic, unless the switch has
to flood the unicast traffic for that vlan.
• More in a moment!

VLANs contain broadcast traffic
– Only users on the same VLAN will see
broadcasts
7
Side Note - Transparent Bridging

Transparent bridging (normal switching
process) is defined in IEEE 802.1d describing
the five bridging processes of:
–
–
–
–

learning
flooding filtering
forwarding
aging
These will be discussed further in STP
8
Transparent Bridge Process - Jeff Doyle
Receive Packet
Learn source address or refresh aging timer
Is the destination a broadcast, multicast or unknown unicast?
No
Yes
Flood Packet
Are the source and destination on the same interface?
No
Yes
Filter Packet
Forward unicast to correct port
9
Transparent Bridging



Switches will flood unicast traffic out all ports if it does
not have the destination MAC address in its source
address table.
This can be especially true for large flat networks
where switches cannot contain all of the MAC
addresses.
– MAC address table can be 1,024 (or less) and
more than 16,000 addresses depending upon
vendor and model
Addresses will also age out of the source address
table which means the frames will be flooded. This
traffic may include confidential information including
passwords.
– Cisco and Bay default is 5 minutes (common)
– Why so small? Dynamic and current.
10
Changing and viewing the aging timer

Set-based
Switch_1> (enable) set cam agingtime vlan
agingtime_in_msec
Switch_1> (enable) show cam agingtime
VLAN 1 aging time = 300 sec
VLAN 2 aging time = 300 sec

IOS-based
Switch(config)# mac-address-table agingtime seconds [vlan vlan]
Switch# show mac-address-table aging-time
300
11
Show Mac-Address-Table
(Source Address Table)

Set-based
Console> (enable) show cam dynamic
* = Static Entry. + = Permanent Entry. # = System
Entry. R = Router Entry. X = Port Security Entry
VLAN Dest MAC/Route Des
[CoS] Destination Ports…
---- ---------------------- ------------------1
00-a0-c9-66-86-94
2/6 [ALL]
Total Matching CAM Entries Displayed = 1
12
Show Mac-Address-Table
(Source Address Table)

IOS-based
Switch#show mac-address-table dynamic
Non-static Address Table:
Destination Address Address Type VLAN
------------------- ------------ ---00a0.c966.8694
Dynamic
1
... Port
...-----FastEthernet0/5
13
VLANs are secure - Switches

VLANs contain broadcast, multicast
(later) and unknown unicast traffic to the
specific VLAN
14
VLANs control broadcasts
15
VLANs control broadcasts

Broadcast traffic is a necessary evil
– Routing protocols and network services typically
rely on broadcasts
– Multimedia applications may also use broadcast
frames/packets

Each VLAN is its own broadcast domain
– Traffic of any kind cannot leave a VLAN without L3
services (a router)
– Administrators can control the size of a broadcast
domain by defining the size of the VLAN
16
VLANs improve BW utilization



Bandwidth is shared in legacy Ethernet; a
switch improves BW utilization by eliminating
collisions (microsegmentation).
VLANs further improve BW utilization by
confining broadcasts and other traffic
Switches only flood ports that belong to the
source port’s VLAN.
17
VLANs decrease latency
If switches and VLANs were used here instead of
routers, Accounting users would experience less
latency.
18
When NOT to VLAN
19
Types of VLANs

When scaling VLANs in the switch block,
there are two basic methods of defining the
VLAN boundaries:
– End-to-end VLANs (no longer
recommended by Cisco due to
management and STP concerns)
– Local VLANs
20
Types of VLANs

Remember: a one-to-one correspondence
between VLANs and IP subnets is strongly
recommended!
– Typically, this results in VLANs of 254
hosts or less. (Depending upon the
subnetting scheme used.)
21
End-to-End VLANs




Users are grouped into VLANs independent
of physical location and dependent on group
or job function.
All users in a VLAN should have the same
80/20 traffic flow patterns.
As a user moves around the campus, VLAN
membership for that user should not change.
Each VLAN has a common set of security
requirements for all members.
22
End-to-End VLANs
23
Local VLANs



As many corporate networks have moved to
centralize their resources, end-to-end VLANs
became more difficult to maintain.
Users are required to use many different
resources, many of which are no longer in
their VLAN.
Because of this shift in placement and usage
of resources, VLANs are now more frequently
being created around geographic boundaries
rather than commonality boundaries.
24
Local VLANs



Can span a geographic location as large as
an entire building or as small a one switch
20/80 rule in effect with 80 percent of the
traffic remote to the user and 20 percent of
the traffic local to the user
A user must cross a L3 device in order to
reach 80 percent of the resources
– However, this design allows the network to
provide for a deterministic, consistent
method of accessing resources.
25
VLAN Types

The two common approaches to assigning
VLAN membership are:
– Static VLANs
– Dynamic VLANs
26
Static VLANs



Also referred to as port-based membership
VLAN assignments are created by assigning
ports to a VLAN
As a device enters the network, the device
automatically assumes the VLAN of the port.
– If the user changes ports and needs access to the
same VLAN, the network administrator must
manually make a port-to-VLAN assignment for the
new connection.
27
Static VLANs
28
Static VLANs


The port is assigned to a specific VLAN
independent of the user or system attached
to the port.
The port cannot send or receive from devices
in another VLAN without the intervention of a
L3 device.
– The device that is attached to the port likely has
no understanding that a VLAN exists.
– The device simply knows that it is a member of a
subnet. (ip address and subnet mask)
29
Static VLANs

Switch is responsible for identifying that the
information came from a specific VLAN and
for ensuring that the information gets to all
other members of the VLAN.
– The switch is further responsible for
ensuring that ports in a different VLAN do
not receive the information.
30
Static VLANs



This approach is quite simple, fast, and easy
to manage in that there are no complex
lookup tables required for VLAN
segmentation.
If port-to-VLAN association is done with an
application-specific integrated circuit (ASIC),
the performance is very good.
An ASIC allows the port-to-VLAN mapping to
be done at the hardware level.
31
Configuring Static VLANs
IOS-Based Switch
Switch# vlan database
Switch(vlan)# vlan vlan-num name vlan-name
Switch(config)#interface fastethernet 0
Switch(config-if)# switchport access vlan
vlan-num
32
Configuring Static VLANs
Set-Based Switch
Switch(enable) set vlan vlan-num [name name]
Switch(enable) set vlan vlan-num
mod/num_list
Switch(enable) set vlan 10 2/19-24
33
Dynamic VLANs



Created through the use of software
packages such as CiscoWorks 2000
Allow for membership based on the MAC
address of the device
As a device enters the network, the device
queries a database for VLAN membership
34
Dynamic VLANs
35
Dynamic VLANs


With a VLAN Management Policy Server
(VMPS), you can assign switch ports to
VLANs dynamically, based on the source
MAC address of the device connected to the
port.
When you move a host from a port on one
switch in the network to a port on another
switch in the network, the switch assigns the
new port to the proper VLAN for that host
dynamically.
36
Dynamic VLANs

When you enable VMPS, a MAC address-toVLAN mapping database downloads from a
Trivial File Transfer Protocol (TFTP) server
and VMPS begins to accept client requests.
– If you reset or power cycle the Catalyst
5000, 4000, 900, 3500, or 6000 Series
Switch, the VMPS database downloads
from the TFTP server automatically and
VMPS is reenabled.
37
Dynamic VLANs


VMPS opens a UDP socket to communicate
and listen to client Catalyst requests.
When the VMPS server receives a valid
request from a client Catalyst, it searches its
database for a MAC address-to-VLAN
mapping.
38
Access and Trunk Links
39
Access Links


An access link is a link on the switch that is a
member of only one VLAN.
This VLAN is referred to as the native VLAN
of the port.
– Any device that is attached to the port is
completely unaware that a VLAN exists.
40
Trunk Links



A trunk link is capable of supporting multiple
VLANs.
Trunk links are typically used to connect
switches to other switches or routers.
Switches support trunk links on both Fast
Ethernet and Gigabit Ethernet ports.
41
Access and Trunk Links
42
Trunk Links
Without trunking
With trunking
43
Trunking



A trunk is a point-to-point link that supports
several VLANs
A trunk is to saves ports when creating a link
between two devices implementing VLANs
Trunking covered in more detail in next
section
44
Trunk Links



A trunk link does not belong to a specific
VLAN.
– Acts as a conduit for VLANs between
switches and routers.
The trunk link can be configured to transport
all VLANs or to transport a limited number of
VLANs.
A trunk link may, however, have a native
VLAN.
– The native VLAN of the trunk is the VLAN
that the trunk uses if the trunk link fails for
any reason.
45
Trunk Links

In Ethernet, the switch has two methods of
identifying the VLAN that a frame belongs to:
– ISL – InterSwitch Link
• (Cisco proprietary)
– IEEE 802.1Q (standards-based)
• aka, dot1q
46
VLAN Identification


ISL - This protocol is a Cisco proprietary
encapsulation protocol for interconnecting
multiple switches; it is supported in switches
as well as routers.
Even though it’s Cisco proprietary, ISL is not
natively supported by the Catalyst 4000.
– The L3 blade does give the Cat4000s
router two ISL-capable ports (Gig 1 and
Gig 2).
47
VLAN Identification


IEEE 802.1Q - This protocol is an IEEE
standard method for identifying VLANs by
inserting a VLAN identifier into the frame
header.
This process is referred to as frame tagging.
– Note: In practice, both ISL and dot1q are
called frame tagging
48
VLAN Identification

802.10 - This standard is a Cisco proprietary
method of transporting VLAN information
inside the standard 802.10 frame (FDDI).
– The VLAN information is written to the
security association identifier (SAID)
portion of the 802.10 frame.
– This method is typically used to transport
VLANs across FDDI backbones.
49
VLAN Identification

LAN Emulation (LANE) - LANE is an ATM
Forum standard that can be used for
transporting VLANs over Asynchronous
Transfer Mode (ATM) networks.
50
VLAN Identification
Both 802.1Q and ISL do “Explicit tagging.” 802.1Q uses an
“internal tagging process” that modifies the existing Ethernet
frame with the VLAN ID. This allows 802.1Q frames to work on
both access and trunk links as it appears to be a standard
Ethernet frame. ISL uses external tagging process, where the
original frame is not altered but it is encapsulated with a new 26byte ISL header (tag). This means that only ISL aware devices
can interpret this frame.
51
ISL (Frame Encapsulation)
Ethernet Frame
1500 bytes plus 18 byte header
(1518 bytes)
Standard NIC cards and networking devices don’t understand
this giant frame. A Cisco switch must remove this
encapsulation before sending the frame out on an access link.
52
ISL



An Ethernet frame is encapsulated with a
header that transports VLAN IDs
It adds overhead to the packet as a 26-byte
header containing a 10-bit VLAN ID.
In addition, a 4-byte cyclic redundancy check
(CRC) is appended to the end of each frame.
– This CRC is in addition to any frame
checking that the Ethernet frame requires.
53
ISL - Selected fields

DA - Destination Address
The DA field of the ISL packet is a 40 bit destination address. This
address is a multicast address and is currently set to be:
0x01_00_0C_00_00. The first 40 bits of the DA field signal the
receiver that the packet is in ISL format.

TYPE - Frame Type
The TYPE field indicates the type of frame that is encapsulated and
could be used in the future to indicate alternative
encapsulations. The following TYPE codes have been defined:
Code Meaning
0000 Ethernet
0001 Token-Ring
0010 FDDI
0011 ATM
54
ISL - Selected fields

SA - Source Address
The SA field is the source address field of the ISL packet. It should
be set to the 802.3 MAC address of the switch port transmitting
the frame. It is a 48-bit value. The receiving device may ignore
the SA field of the frame.

VLAN - Virtual LAN ID
The VLAN field is the virtual LAN ID of the packet. It is a 15-bit
value that is used to distinguish frames on different VLANs. This
field is often referred to as the "color" of the packet

BPDU - BPDU and CDP Indicator
The BPDU bit is set for all bridge protocol data units that are
encapsulated by the ISL packet. The BPDUs are used by the
spanning tree algorithm to determine information about the
topology of the network.
55
ISL - Selected fields

ENCAP FRAME - Encapsulated Frame
The ENCAP FRAME is the encapsulated frame, including its own
CRC value, completely unmodified. The internal frame must have
a CRC value that is valid once the ISL encapsulation fields are
removed. The length of this field can be from 1 to 24575 bytes
long to accommodate Ethernet, Token Ring, and FDDI frames. A
receiving switch may strip off the ISL encapsulation fields and use
this ENCAP FRAME as the frame is received, associating the
appropriate VLAN and other values with the received frame as
indicated above for switching purposes.

CRC - Frame Checksum
The CRC is a standard 32-bit CRC value calculated on the entire
encapsulated frame from the DA field to the ENCAP FRAME field.
The receiving MAC will check this CRC and can discard packets
that do not have a valid CRC on them. Note that this CRC is in
addition to the one at the end of the ENCAP FRAME field.
56
802.1q
NIC cards and networking devices can understand this “baby
giant” frame (1522 bytes). However, a Cisco switch must
remove this encapsulation before sending the frame out on an
access link.
SA and DASA and
802.1q
DA
MACs
MACsTag
Type/Length
Field
Data (max 1500
bytes)
2-byte TPID
Tag Protocol Identifier
2-byte TCI
Tag Control Info (includes
VLAN ID)
CRC
New
CRC
57
802.1q


Significantly less overhead than the ISL
As opposed to the 30 bytes added by ISL,
802.1Q inserts only an additional 4 bytes into
the Ethernet frame
58
802.1q

A 4-byte tag header containing a tag protocol
identifier (TPID) and tag control information
(TCI) with the following elements:
59
802.1q
TPID
A 2-byte TPID with a fixed value of 0x8100. This value
indicates that the frame carries the 802.1Q/802.1p
tag information.
 TCI
A TCI containing the following elements:
- Three-bit user priority (8 priority levels, 0 thru 7)
- One-bit canonical format (CFI indicator), 0 =
canonical, 1 = noncanonical, to signal bit order in
the encapsulated frame
(www.faqs.org/rfcs/rfc2469.html - “A Caution On
the Canonical Ordering of Link-Layer Addresses”)
- Twelve-bit VLAN identifier (VID)-Uniquely identifies
the VLAN to which the frame belongs, defining
4,096 VLANs, with 0 and 4095 reserved.

60
Trunk Links - once again...
Without trunking
With trunking
61
Trunking


Before attempting to configure a VLAN trunk
on a port, you should to determine what
encapsulation the port can support.
Set-based switches:
switch> (enable) show port capabilities
– Note: the Catalyst 4000 does not support ISL
(except the router blade)

IOS-based switches:
switch(config-if)# switchport trunk
encapsulation ?
– (only way I know)
62
Next week...


More Trunking next week, along with
VTP (VLAN Trunking Protocol)
Next few slides, review of vlan
commands
63
Creating VLANs - access ports
IOS-Based
Switch(config)# interface fastethernet mod/num
Switch(config-if)# switchport access vlan vlan-num
Remove
Switch(config-if)# no switchport access vlan vlan-num
Set-Based
Switch> (enable) set vlan vlan-num mod/num_list
Remove
Switch> (enable) clear vlan vlan-num
 When you clear a VLAN, all ports assigned to that
VLAN become inactive and can be reactivated using
set vlan vlan-num state active or by assigning the
64
ports to another vlan.
Naming a VLAN
IOS-Based
Switch# vlan database (not in global config!)
Switch(vlan)# vlan vlan-num name vlan-name
Set-Based
Switch> (enable) set vlan vlan-num name vlan-name
65
Viewing VLAN information
IOS-Based
Switch# show vlan
Switch# show vlan brief
Set-Based
Switch> (enable) show vlan
Switch> (enable) show interface
66

IOS-based
CIS-2900-ServerFarm>show vlan
VLAN Name
---- -------------------------------1
default
2
VLAN0002
3
VLAN0003
4
VLAN0004
5
VLAN0005
10
VLAN0010
50
SeverFarm
1002 fddi-default
<text omitted>
Status
Ports
--------- ----------------active
active
active
active
active
active
active
Fa0/1, Fa0/2, Fa0/3, Fa0/4,
Fa0/5, Fa0/6, Fa0/7, Fa0/8,
<output omitted)
Fa0/21, Fa0/22
active
VLAN Type SAID
MTU
Parent RingNo BridgeNo Stp BrdgMode Trans1
Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ----1
enet 100001
1500 0
0
<Text omitted>
67

IOS-based
CIS-2900-ServerFarm>show vlan brief
VLAN Name
---- -------------------------------1
default
2
VLAN0002
3
VLAN0003
4
VLAN0004
5
VLAN0005
10
VLAN0010
50
SeverFarm
1002
1003
1004
1005
fddi-default
token-ring-default
fddinet-default
trnet-default
Status
Ports
--------- ----------------active
active
active
active
active
active
active
Fa0/1, Fa0/2, Fa0/3, Fa0/4,
Fa0/5, Fa0/6, Fa0/7, Fa0/8,
<output omitted)
Fa0/21, Fa0/22
active
active
active
active
68

Set-based
CIS-4003-MainSwitch> show vlan
VLAN Name
---- -------------------------------1
default
2
VLAN0002
3
VLAN0003
4
VLAN0004
5
VLAN0005
10
VLAN0010
50
SeverFarm
1002 fddi-default
1003 token-ring-default
1004 fddinet-default
1005 trnet-default
VLAN
---1
2
3
4
Type
----enet
enet
enet
enet
SAID
---------100001
100002
100003
100004
MTU
----1500
1500
1500
1500
Parent
------
RingNo
------
Status
IfIndex Mod/Ports
--------- ------- -------------active
4
2/1-12
active
9
2/13-36
active
10
2/37-40
active
11
2/41-44
active
60
active
68
active
62
2/47
active
5
active
8
active
6
active
7
BrdgNo
------
Stp
----
BrdgMode
--------
Trans1
-----0
0
0
0
Trans2
-----0
0
0
0
69
 IOS-based
Switch# show running-config
!
interface FastEthernet0/1
switchport access vlan 50
!
interface FastEthernet0/2
switchport access vlan 50
!
interface FastEthernet0/3
switchport access vlan 50
!
interface FastEthernet0/4
switchport access vlan 50
70

Set-based
Switch>(enable)show config
#vtp
set vtp domain CIS-classrooms
set vlan 1 name default type ethernet mtu 1500
said 100001 state active
set vlan 50 name SeverFarm type ethernet mtu 1500
said 100050 state active
…
#module 2 : 48-port 10/100BaseTx Ethernet
set vlan 2
2/13-36
set vlan 3
2/37-40
set vlan 4
2/41-44
set vlan 10
2/48
set vlan 50
2/47
71
Trunking continued (Part II)

A trunk is a point-to-point link between:
– Two switches
– A switch and a router


Trunks carry traffic of multiple VLANs
Cisco supports one or both of these
Trunking protocols:
– IEEE 802.1Q (dot1q)
– ISL (Cisco proprietary)
72
Trunking

Cisco offers DTP and DISL which negotiates
trunking between two ends of a link and the
compatible trunking protocol (DTP).
– Dynamic Trunking Protocol (DTP) manages trunk
negotiation on a Catalyst Supervisor engine
software release 4.2 and later
• Supports both 802.1Q and ISL
– Dynamic Inter-Switch Link (DISL) was used prior
to release 4.2.
• Used only with ISL.

Set-based switches only (as far as I know)
73
DTP and DISL

Cisco also adapted its Dynamic ISL (DISL)
protocol and turned it into Dynamic Trunking
Protocol (DTP).

DISL can negotiate ISL trunking on a link
between two devices; DTP can, in addition,
negotiate the type of trunking encapsulation
(802.1q or ISL) that will be used as well.

This is an interesting feature as some Cisco
devices support only ISL or 802.1q, whereas
some are able to run both.
74
DTP Modes

When configuring a port for trunking, two parameters
can be set: the trunking mode and the
encapsulation type (if DTP is supported on that
port).
• The trunking mode defines how the port will
negotiate the set up of a trunk with its peer port.
• The encapsulation type allows the user to
specify whether 802.1q or ISL should be used
when setting up the trunk. Of course, the
parameter is only relevant if the module you are
using is able to use both.
75
Configuring Trunking

Fast Ethernet and Gigabit Ethernet
trunking modes:
– On
– Off
– Desirable
– Auto Nonegotiate
Switch(enable) set trunk mod/port
[on | off |desirable | auto | nonegotiate]
[isl | dot1q | dot10 | lane | negotiate]
vlan range
76
Trunking
Mode
DTP
frames
sent
Description
Final state (local port)
on
The local port advertises the
YES,
remote it is going to the
periodic
trunking state.
Trunking, unconditionally.
auto
The local port advertises the
YES, remote it is able to trunk but
periodic does not request to go to the
trunking state.
The port will end up in trunking
state only if the remote wants to,
that is, the remote mode is on or
desirable.
desirable
nonegotiate
off
If the port detects that the remote
The local port advertises the
is able to trunk (remote in on,
YES,
remote it is able to trunk and desirable or auto mode), it will
periodic
ask to go to the trunking state. end up in trunking state, else will
stay non-trunking.
NO
YES
Local port goes to
unconditionally trunking, with
Trunking, unconditionally.
no DTP notification to the
remote.
Disable trunking on the port.
DTP frames are only sent out
when the port is transitioning
to non-trunking.
Non trunking, unconditionally.
77
Configuring Trunking
On
 This mode puts the port into permanent
trunking.
 The port becomes a trunk port even if the
neighboring port does not agree to the
change.
 The on state does not allow for the
negotiation of an encapsulation type.
– You must, therefore, specify the
encapsulation in the configuration
78
Configuring Trunking
Off
 This mode puts the port into permanent
nontrunking mode and negotiates to convert
the link into a nontrunk link.
 The port becomes a nontrunk port even if the
neighboring port does not agree to the
change.
79
Configuring Trunking
Desirable
 This mode makes the port actively attempt to
convert the link to a trunk link. The port
becomes a trunk port if the neighboring port
is set to on, desirable, or auto mode.
80
Configuring Trunking
Auto
 This mode makes the port willing to convert
the link to a trunk link.
 The port becomes a trunk port if the
neighboring port is set to on or desirable
mode.
 This is the default mode for Fast and Gigabit
Ethernet ports.
– if the default setting is left on both sides of
the trunk link, the link will not become a
trunk
– Do not want both sides to be set to Auto 81
Configuring Trunking
Nonegotiate
 This mode puts the port into permanent
trunking mode but prevents the port from
generating Dynamic Trunking Protocol (DTP)
frames.
– You must configure the neighboring port
manually as a trunk port to establish a
trunk link.
82
Encapsulation Type
Encapsulation
type
ISL
dot1q
Description
Sets the port encapsulation to ISL.
Sets the port encapsulation to 802.1q.
This encapsulation is only available in auto or desirable trunking
modes.

negotiate
If the remote has a negotiate encapsulation type, the trunk will
eventually be set up with ISL.
 If the remote is configured for ISL or 802.1q or only able to do
ISL or 802.1q, then the trunking encapsulation used will be the
one of the remote port.
Switch(enable) set trunk mod/port
[on | off |desirable | auto | nonegotiate]
[isl | dot1q | dot10 | lane | negotiate]
vlan range
83
Configuring Trunking


For trunking to be autonegotiated on Fast
Ethernet or Gigabit Ethernet ports, the ports
must be in the same VTP domain.
However, you can use “on” or “nonegotiate”
mode to force a port to become a trunk, even
if it is in a different domain.
84
Configuring Trunking
IOS-Based Switch
Switch(config)# interface fastethernet 0
Switch(config-if)# switchport mode [access | multi | trunk]
Switch(config-if)# switchport trunk encapsulation {isl|dot1q}
Switch(config-if)# switchport trunk allowed vlan remove vlan-list
Switch(config-if)# switchport trunk allowed vlan add vlan-list

By default, all VLANS, 1-1005 transported automatically
85
Configuring Trunking
Set-Based Switch
Switch(enable) set trunk mod/port [on | off |desirable |
auto | nonegotiate]
[isl | dot1q | dot10 | lane |
negotiate] vlan range
Switch(enable) clear trunk mod/port vlan-range

By default, all VLANS, 1-1005 transported automatically
86
87
IOS 1924 Switch
interface FastEthernet0/22
switchport access vlan 50
!
interface FastEthernet0/23
port group 1 distribution destination
switchport mode trunk
switchport trunk encapsulation dot1q
!
interface FastEthernet0/24
port group 1 distribution destination
switchport mode trunk
switchport trunk encapsulation dot1q
!
88
Catalyst 4003
set trunk 2/45 on dot1q 1-1005
set trunk 2/46 on dot1q 1-1005
set trunk 2/48 on dot1q 1-1005

(to 4003)
(to 4003)
(to Rtr)
By default, all VLANS, 1-1005 transported
automatically
89
Router
interface FastEthernet0/1.1
encapsulation dot1Q 1
ip address 172.30.1.1 255.255.255.0
ip access-group 100 in
ip helper-address 172.30.50.50
no ip directed-broadcast
!
interface FastEthernet0/1.2
encapsulation dot1Q 2
ip address 172.30.2.1 255.255.255.0
ip access-group 102 in
ip helper-address 172.30.50.255
ip helper-address 172.30.50.10
no ip directed-broadcast
90
VLAN Trunking Protocol



VTP maintains VLAN configuration
consistency across the entire network.
VTP is a messaging protocol that uses Layer
2 trunk frames to manage the addition,
deletion, and renaming of VLANs on a
network-wide basis.
Further, VTP allows you to make centralized
changes that are communicated to all other
switches in the network.
91
VTP




Create VLANs on the VTP Server
Those VLANs get sent to other client
switches
On the client switches, you can now
assign ports to those vlans.
Cannot create vlans on the client
switches like you could previously
before configuring the switch to be a
VTP client.
92
VTP Benefits
93
VTP



All switches in the same management
domain share their VLAN information with
each other, and a switch can participate in
only one VTP management domain.
Switches in different domains do not share
VTP information.
Using VTP, switches advertise:
– Management domain
– Configuration revision number
– Known VLANs and their specific parameters
94
VTP


Switches can be configured not to accept
VTP information.
These switches will forward VTP information
on trunk ports in order to ensure that other
switches receive the update, but the switches
will not modify their database, nor will the
switches send out an update indicating a
change in VLAN status.
– This is referred to as transparent mode.
95
VTP


By default, management domains are
set to a nonsecure mode, meaning that
the switches interact without using a
password.
Adding a password automatically sets
the management domain to secure
mode.
– A password must be configured on every
switch in the management domain to use
secure mode.
96
VTP


The VTP database contains a revision
number.
Each time a change is made, the switch
increments the revision number
97
VTP


A higher configuration revision number
indicates that the VLAN information that is
being sent is more current then the stored
copy.
Any time a switch receives an update that has
a higher configuration revision number, the
switch will overwrite the stored information
with the new information being sent in the
VTP update.
98
VTP Modes

Switches can operate in any one of the
following three VTP modes:
– Server
– Client
– Transparent
99
VTP Modes


Server - If you configure the switch for server
mode, you can create, modify, and delete
VLANs, and specify other configuration
parameters (such as VTP version and VTP
pruning) for the entire VTP domain.
VTP servers:
– advertise their VLAN configuration to other
switches in the same VTP domain
– synchronize the VLAN configuration with other
switches based on advertisements received over
trunk links.
– Recommended you have at least 2 VTP servers in
case one goes down

This is the default mode on the switch.
100
VTP Modes

Client - VTP clients behave the same
way as VTP servers. However, you
cannot create, change, or delete VLANs
on a VTP client.
101
VTP Modes


Transparent - VTP transparent switches do
not participate in VTP.
A VTP transparent switch does not advertise
its VLAN configuration, and does not
synchronize its VLAN configuration based on
received advertisements.
– However, in VTP Version 2, transparent switches
do forward VTP advertisements that the switches
receive out their trunk ports.
102
Configuring VTP
103
Configuring VTP
IOS-Based Switch
Switch# vlan database
Switch(vlan)# vtp domain domain-name
Switch(vlan)# vtp {server | client | transparent}
Optional:
Switch(vlan)# vtp password password
Switch(vlan)# vtp v2-mode (version2)
Example:
ALSwitch# vlan database
ALSwitch(vlan)# vtp domain corp
ALSwitch(vlan)# vtp client
104
Configuring VTP
Set-Based Switch
Switch(enable) set vtp [domain domain-name] [mode {server
| client | transparent}[password password]
Switch(enable) set vtp v2 enable (version 2)
Example:
DLSwitch(enable) set vtp domain corp
DLSwitch(enable) set vtp mode server
105
VTP Pruning



VTP pruning enhances network bandwidth
use by reducing unnecessary flooding of
traffic, such as broadcast, multicast,
unknown, and flooded unicast packets.
VTP pruning increases available bandwidth
by restricting flooded traffic to those trunk
links that the traffic must use to access the
appropriate network devices.
By default, VTP pruning is disabled.
106
VTP Pruning
107
VTP Pruning



Enabling VTP pruning on a VTP server
enables pruning for the entire management
domain.
VTP pruning takes effect several seconds
after you enable it.
By default, VLANs 2 through 1000 are
pruning eligible.
– VLAN 1 is always pruning ineligible, so traffic from
VLAN 1 cannot be pruned.
– You have the option to make specific VLANs
pruning eligible or pruning ineligible on the device.
108
Configuring VTP Pruning
IOS-Based Switch
Switch# vlan database
Switch(vlan)# vtp pruning
Remove VLANs from being pruned:
Switch(config-if)# switchport trunk pruning vlan
remove vlan-list

By default, all Vlans pruned in management domain
109
Configuring VTP Pruning
Set-Based Switch
Switch(enable) set vtp pruning enable
Optional:
Switch(enable) set vtp pruneeligible vlan-range
Switch(enable) clear vtp pruning vlan-range

By default, all Vlans pruned in management domain.
110
Download