Cabrillo College

About This Presentation

Title:

Cabrillo College

Description:

Cabrillo College CCNP Multilayer Switching Introduction to VLANs Rick Graziani, Instructor March 27, 2001 VLANs Switched networks that are logically segmented on ... – PowerPoint PPT presentation

Number of Views:450

Avg rating:3.0/5.0

Slides: 111

Provided by: RickG168

Category:

more less

Transcript and Presenter's Notes

Title: Cabrillo College

1
Cabrillo College

CCNP Multilayer Switching
Introduction to VLANs
Rick Graziani, Instructor
March 27, 2001

2
VLANs

Switched networks that are logically segmented on
an organizational basis by functions, project
teams, or applications rather than on a physical
or geographical basis

3
VLANs

Can be thought of as a broadcast domain that
exists within a defined set of switches
Provide the segmentation services traditionally
provided by routers
Offer scalability, security, and improved network
management
Routers in VLAN topologies provide broadcast
filtering, security, address summarization, and
traffic flow management.

4
VLANs
What are the issues if these were only separate
subnets and not vlans? To solve this problem,
normally the router would only be attached to one
subnet and the hosts on physically separate
subnets, in order to divide the broadcast domains.
5
VLANs
6
VLANs are secure

Whenever a station transmits in a shared network
such as a legacy half-duplex 10BaseT system, all
stations attached to the segment receive a copy
of the frame, even if they are not the intended
recipients.
Anyone with such a network sniffer can capture
passwords, sensitive e-mail, and any other
traffic on the shared network.

7
VLANs are secure - Switches

Switches allow for microsegmentation
Each user that connects directly to a switch port
is on his or her own segment.
If every device has its own segment (switchport)
then only the sender and receiver will see
unicast traffic, unless the switch has to flood
the unicast traffic for that vlan.
More in a moment!
VLANs contain broadcast traffic
Only users on the same VLAN will see broadcasts

8
Side Note - Transparent Bridging

Transparent bridging (normal switching process)
is defined in IEEE 802.1d describing the five
bridging processes of
learning
flooding filtering
forwarding
aging
These will be discussed further in STP

9
Transparent Bridge Process - Jeff Doyle
Receive Packet
Learn source address or refresh aging timer
Is the destination a broadcast, multicast or
unknown unicast?
Yes
Flood Packet
No
Are the source and destination on the same
interface?
Filter Packet
Yes
No
Forward unicast to correct port
10
Transparent Bridging

Switches will flood unicast traffic out all ports
if it does not have the destination MAC address
in its source address table.
This can be especially true for large flat
networks where switches cannot contain all of the
MAC addresses.
MAC address table can be 1,024 (or less) and more
than 16,000 addresses depending upon vendor and
model
Addresses will also age out of the source address
table which means the frames will be flooded.
This traffic may include confidential information
including passwords.
Cisco and Bay default is 5 minutes (common)
Why so small? Dynamic and current.

11
Changing and viewing the aging timer

Set-based
Switch_1gt (enable) set cam agingtime vlan
agingtime_in_msec
Switch_1gt (enable) show cam agingtime
VLAN 1 aging time 300 sec
VLAN 2 aging time 300 sec
IOS-based
Switch(config) mac-address-table aging-time
seconds vlan vlan
Switch show mac-address-table aging-time
300

12
Show Mac-Address-Table (Source Address Table)

Set-based
Consolegt (enable) show cam dynamic
Static Entry. Permanent Entry. System
Entry. R Router Entry. X Port Security Entry
VLAN Dest MAC/Route Des CoS Destination
Ports
---- ------------------ -----
-------------------
1 00-a0-c9-66-86-94 2/6 ALL
Total Matching CAM Entries Displayed 1

13
Show Mac-Address-Table (Source Address Table)

IOS-based
Switchshow mac-address-table dynamic
Non-static Address Table
Destination Address Address Type VLAN ... Port
------------------- ------------ ----
...------
00a0.c966.8694 Dynamic 1
FastEthernet0/5

14
VLANs are secure - Switches

VLANs contain broadcast, multicast (later) and
unknown unicast traffic to the specific VLAN

15
VLANs control broadcasts
16
VLANs control broadcasts

Broadcast traffic is a necessary evil
Routing protocols and network services typically
rely on broadcasts
Multimedia applications may also use broadcast
frames/packets
Each VLAN is its own broadcast domain
Traffic of any kind cannot leave a VLAN without
L3 services (a router)
Administrators can control the size of a
broadcast domain by defining the size of the VLAN

17
VLANs improve BW utilization

Bandwidth is shared in legacy Ethernet a switch
improves BW utilization by eliminating collisions
(microsegmentation).
VLANs further improve BW utilization by confining
broadcasts and other traffic
Switches only flood ports that belong to the
source ports VLAN.

18
VLANs decrease latency
If switches and VLANs were used here instead of
routers, Accounting users would experience less
latency.
19
When NOT to VLAN
20
Types of VLANs

When scaling VLANs in the switch block, there are
two basic methods of defining the VLAN
boundaries
End-to-end VLANs (no longer recommended by Cisco
due to management and STP concerns)
Local VLANs

21
Types of VLANs

Remember a one-to-one correspondence between
VLANs and IP subnets is strongly recommended!
Typically, this results in VLANs of 254 hosts or
less. (Depending upon the subnetting scheme
used.)

22
End-to-End VLANs

Users are grouped into VLANs independent of
physical location and dependent on group or job
function.
All users in a VLAN should have the same 80/20
traffic flow patterns.
As a user moves around the campus, VLAN
membership for that user should not change.
Each VLAN has a common set of security
requirements for all members.

23
End-to-End VLANs
24
Local VLANs

As many corporate networks have moved to
centralize their resources, end-to-end VLANs
became more difficult to maintain.
Users are required to use many different
resources, many of which are no longer in their
VLAN.
Because of this shift in placement and usage of
resources, VLANs are now more frequently being
created around geographic boundaries rather than
commonality boundaries.

25
Local VLANs

Can span a geographic location as large as an
entire building or as small a one switch
20/80 rule in effect with 80 percent of the
traffic remote to the user and 20 percent of the
traffic local to the user
A user must cross a L3 device in order to reach
80 percent of the resources
However, this design allows the network to
provide for a deterministic, consistent method of
accessing resources.

26
VLAN Types

The two common approaches to assigning VLAN
membership are
Static VLANs
Dynamic VLANs

27
Static VLANs

Also referred to as port-based membership
VLAN assignments are created by assigning ports
to a VLAN
As a device enters the network, the device
automatically assumes the VLAN of the port.
If the user changes ports and needs access to the
same VLAN, the network administrator must
manually make a port-to-VLAN assignment for the
new connection.

28
Static VLANs
29
Static VLANs

The port is assigned to a specific VLAN
independent of the user or system attached to the
port.
The port cannot send or receive from devices in
another VLAN without the intervention of a L3
device.
The device that is attached to the port likely
has no understanding that a VLAN exists.
The device simply knows that it is a member of a
subnet. (ip address and subnet mask)

30
Static VLANs

Switch is responsible for identifying that the
information came from a specific VLAN and for
ensuring that the information gets to all other
members of the VLAN.
The switch is further responsible for ensuring
that ports in a different VLAN do not receive the
information.

31
Static VLANs

This approach is quite simple, fast, and easy to
manage in that there are no complex lookup tables
required for VLAN segmentation.
If port-to-VLAN association is done with an
application-specific integrated circuit (ASIC),
the performance is very good.
An ASIC allows the port-to-VLAN mapping to be
done at the hardware level.

32
Configuring Static VLANs

IOS-Based Switch
Switch vlan database
Switch(vlan) vlan vlan-num name vlan-name
Switch(config)interface fastethernet 0
Switch(config-if) switchport access vlan vlan-num

33
Configuring Static VLANs

Set-Based Switch
Switch(enable) set vlan vlan-num name name
Switch(enable) set vlan vlan-num mod/num_list
Switch(enable) set vlan 10 2/19-24

34
Dynamic VLANs

Created through the use of software packages such
as CiscoWorks 2000
Allow for membership based on the MAC address of
the device
As a device enters the network, the device
queries a database for VLAN membership

35
Dynamic VLANs
36
Dynamic VLANs

With a VLAN Management Policy Server (VMPS), you
can assign switch ports to VLANs dynamically,
based on the source MAC address of the device
connected to the port.
When you move a host from a port on one switch in
the network to a port on another switch in the
network, the switch assigns the new port to the
proper VLAN for that host dynamically.

37
Dynamic VLANs

When you enable VMPS, a MAC address-to-VLAN
mapping database downloads from a Trivial File
Transfer Protocol (TFTP) server and VMPS begins
to accept client requests.
If you reset or power cycle the Catalyst 5000,
4000, 900, 3500, or 6000 Series Switch, the VMPS
database downloads from the TFTP server
automatically and VMPS is reenabled.

38
Dynamic VLANs

VMPS opens a UDP socket to communicate and listen
to client Catalyst requests.
When the VMPS server receives a valid request
from a client Catalyst, it searches its database
for a MAC address-to-VLAN mapping.

39
Access and Trunk Links
40
Access Links

An access link is a link on the switch that is a
member of only one VLAN.
This VLAN is referred to as the native VLAN of
the port.
Any device that is attached to the port is
completely unaware that a VLAN exists.

41
Trunk Links

A trunk link is capable of supporting multiple
VLANs.
Trunk links are typically used to connect
switches to other switches or routers.
Switches support trunk links on both Fast
Ethernet and Gigabit Ethernet ports.

42
Access and Trunk Links
43
Trunk Links
Without trunking
With trunking
44
Trunking

A trunk is a point-to-point link that supports
several VLANs
A trunk is to saves ports when creating a link
between two devices implementing VLANs
Trunking covered in more detail in next section

45
Trunk Links

A trunk link does not belong to a specific VLAN.
Acts as a conduit for VLANs between switches and
routers.
The trunk link can be configured to transport all
VLANs or to transport a limited number of VLANs.
A trunk link may, however, have a native VLAN.
The native VLAN of the trunk is the VLAN that the
trunk uses if the trunk link fails for any reason.

46
Trunk Links

In Ethernet, the switch has two methods of
identifying the VLAN that a frame belongs to
ISL InterSwitch Link
(Cisco proprietary)
IEEE 802.1Q (standards-based)
aka, dot1q

47
VLAN Identification

ISL - This protocol is a Cisco proprietary
encapsulation protocol for interconnecting
multiple switches it is supported in switches as
well as routers.
Even though its Cisco proprietary, ISL is not
natively supported by the Catalyst 4000.
The L3 blade does give the Cat4000s router two
ISL-capable ports (Gig 1 and Gig 2).

48
VLAN Identification

IEEE 802.1Q - This protocol is an IEEE standard
method for identifying VLANs by inserting a VLAN
identifier into the frame header.
This process is referred to as frame tagging.
Note In practice, both ISL and dot1q are called
frame tagging

49
VLAN Identification

802.10 - This standard is a Cisco proprietary
method of transporting VLAN information inside
the standard 802.10 frame (FDDI).
The VLAN information is written to the security
association identifier (SAID) portion of the
802.10 frame.
This method is typically used to transport VLANs
across FDDI backbones.

50
VLAN Identification

LAN Emulation (LANE) - LANE is an ATM Forum
standard that can be used for transporting VLANs
over Asynchronous Transfer Mode (ATM) networks.

51
VLAN Identification
Both 802.1Q and ISL do Explicit tagging.
802.1Q uses an internal tagging process that
modifies the existing Ethernet frame with the
VLAN ID. This allows 802.1Q frames to work on
both access and trunk links as it appears to be a
standard Ethernet frame. ISL uses external
tagging process, where the original frame is not
altered but it is encapsulated with a new 26-byte
ISL header (tag). This means that only ISL aware
devices can interpret this frame.
52
ISL (Frame Encapsulation)
Ethernet Frame1500 bytes plus 18 byte header
(1518 bytes)
53
ISL

An Ethernet frame is encapsulated with a header
that transports VLAN IDs
It adds overhead to the packet as a 26-byte
header containing a 10-bit VLAN ID.
In addition, a 4-byte cyclic redundancy check
(CRC) is appended to the end of each frame.
This CRC is in addition to any frame checking
that the Ethernet frame requires.

54
ISL - Selected fields

DA - Destination Address
The DA field of the ISL packet is a 40 bit
destination address. This address is a multicast
address and is currently set to be
0x01_00_0C_00_00. The first 40 bits of the DA
field signal the receiver that the packet is in
ISL format.
TYPE - Frame Type
The TYPE field indicates the type of frame that
is encapsulated and could be used in the future
to indicate alternative encapsulations. The
following TYPE codes have been defined
Code Meaning
0000 Ethernet
0001 Token-Ring
0010 FDDI
0011 ATM

55
ISL - Selected fields

SA - Source Address
The SA field is the source address field of the
ISL packet. It should be set to the 802.3 MAC
address of the switch port transmitting the
frame. It is a 48-bit value. The receiving device
may ignore the SA field of the frame.
VLAN - Virtual LAN ID
The VLAN field is the virtual LAN ID of the
packet. It is a 15-bit value that is used to
distinguish frames on different VLANs. This field
is often referred to as the "color" of the packet
BPDU - BPDU and CDP Indicator
The BPDU bit is set for all bridge protocol data
units that are encapsulated by the ISL packet.
The BPDUs are used by the spanning tree algorithm
to determine information about the topology of
the network.

56
ISL - Selected fields

ENCAP FRAME - Encapsulated Frame
The ENCAP FRAME is the encapsulated frame,
including its own CRC value, completely
unmodified. The internal frame must have a CRC
value that is valid once the ISL encapsulation
fields are removed. The length of this field can
be from 1 to 24575 bytes long to accommodate
Ethernet, Token Ring, and FDDI frames. A
receiving switch may strip off the ISL
encapsulation fields and use this ENCAP FRAME as
the frame is received, associating the
appropriate VLAN and other values with the
received frame as indicated above for switching
purposes.
CRC - Frame Checksum
The CRC is a standard 32-bit CRC value calculated
on the entire encapsulated frame from the DA
field to the ENCAP FRAME field. The receiving MAC
will check this CRC and can discard packets that
do not have a valid CRC on them. Note that this
CRC is in addition to the one at the end of the
ENCAP FRAME field.

57
802.1q
NIC cards and networking devices can understand
this baby giant frame (1522 bytes). However, a
Cisco switch must remove this encapsulation
before sending the frame out on an access link.
SA and DA MACs
SA and DA MACs
802.1q Tag
Type/Length Field
Data (max 1500 bytes)
CRC
NewCRC
Tag Protocol Identifier Tag Control Info
(includes VLAN ID)
58
802.1q

Significantly less overhead than the ISL
As opposed to the 30 bytes added by ISL, 802.1Q
inserts only an additional 4 bytes into the
Ethernet frame

59
802.1q

A 4-byte tag header containing a tag protocol
identifier (TPID) and tag control information
(TCI) with the following elements

60
802.1q

TPID
A 2-byte TPID with a fixed value of 0x8100. This
value indicates that the frame carries the
802.1Q/802.1p tag information.
TCI
A TCI containing the following elements
- Three-bit user priority (8 priority levels, 0
thru 7)
- One-bit canonical format (CFI indicator), 0
canonical, 1 noncanonical, to signal bit order
in the encapsulated frame (www.faqs.org/rfcs/rfc24
69.html - A Caution On the Canonical Ordering of
Link-Layer Addresses)
- Twelve-bit VLAN identifier (VID)-Uniquely
identifies the VLAN to which the frame belongs,
defining 4,096 VLANs, with 0 and 4095 reserved.

61
Trunk Links - once again...
Without trunking
With trunking
62
Trunking

Before attempting to configure a VLAN trunk on a
port, you should to determine what encapsulation
the port can support.
Set-based switches
switchgt (enable) show port capabilities
Note the Catalyst 4000 does not support ISL
(except the router blade)
IOS-based switches
switch(config-if) switchport trunk encapsulation
?
(only way I know)

63
Next week...

More Trunking next week, along with VTP (VLAN
Trunking Protocol)
Next few slides, review of vlan commands

64
Creating VLANs - access ports

IOS-Based
Switch(config) interface fastethernet mod/num
Switch(config-if) switchport access vlan
vlan-num
Remove
Switch(config-if) no switchport access vlan
vlan-num

Set-Based
Switchgt (enable) set vlan vlan-num mod/num_list
Remove
Switchgt (enable) clear vlan vlan-num
When you clear a VLAN, all ports assigned to that
VLAN become inactive and can be reactivated using
set vlan vlan-num state active or by assigning
the ports to another vlan.

65
Naming a VLAN

IOS-Based
Switch vlan database (not in global config!)
Switch(vlan) vlan vlan-num name vlan-name

Set-Based Switchgt (enable) set vlan vlan-num name
vlan-name
66
Viewing VLAN information

IOS-Based
Switch show vlan
Switch show vlan brief

Set-Based Switchgt (enable) show vlan Switchgt
(enable) show interface
67

IOS-based
CIS-2900-ServerFarmgtshow vlan
VLAN Name Status
Ports
---- -------------------------------- ---------
-----------------
1 default active
2 VLAN0002 active
3 VLAN0003 active
4 VLAN0004 active
5 VLAN0005 active
10 VLAN0010 active
50 SeverFarm active
Fa0/1, Fa0/2, Fa0/3, Fa0/4,
Fa0/5, Fa0/6, Fa0/7, Fa0/8,
ltoutput omitted)
Fa0/21, Fa0/22
1002 fddi-default active
lttext omittedgt
VLAN Type SAID MTU Parent RingNo
BridgeNo Stp BrdgMode Trans1 Trans2

IOS-based
CIS-2900-ServerFarmgtshow vlan brief
VLAN Name Status
Ports
---- -------------------------------- ---------
-----------------
1 default active
2 VLAN0002 active
3 VLAN0003 active
4 VLAN0004 active
5 VLAN0005 active
10 VLAN0010 active
50 SeverFarm active
Fa0/1, Fa0/2, Fa0/3, Fa0/4,
Fa0/5, Fa0/6, Fa0/7, Fa0/8,
ltoutput omitted)
Fa0/21, Fa0/22
1002 fddi-default active
1003 token-ring-default active
1004 fddinet-default active
1005 trnet-default active

Set-based
CIS-4003-MainSwitchgt show vlan
VLAN Name Status
IfIndex Mod/Ports
---- -------------------------------- ---------
------- --------------
1 default active 4
2/1-12
2 VLAN0002 active 9
2/13-36
3 VLAN0003 active
10 2/37-40
4 VLAN0004 active
11 2/41-44
5 VLAN0005 active
60
10 VLAN0010 active
68
50 SeverFarm active
62 2/47
1002 fddi-default active 5
1003 token-ring-default active 8
1004 fddinet-default active 6
1005 trnet-default active 7
VLAN Type SAID MTU Parent RingNo BrdgNo
Stp BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ ------
---- -------- ------ ------
1 enet 100001 1500 - - -
- - 0 0

IOS-based
Switch show running-config
!
interface FastEthernet0/1
switchport access vlan 50
!
interface FastEthernet0/2
switchport access vlan 50
!
interface FastEthernet0/3
switchport access vlan 50
!
interface FastEthernet0/4
switchport access vlan 50

Set-based
Switchgt(enable)show config
vtp
set vtp domain CIS-classrooms
set vlan 1 name default type ethernet mtu 1500
said 100001 state active
set vlan 50 name SeverFarm type ethernet mtu 1500
said 100050 state active
module 2 48-port 10/100BaseTx Ethernet
set vlan 2 2/13-36
set vlan 3 2/37-40
set vlan 4 2/41-44
set vlan 10 2/48
set vlan 50 2/47

72
Trunking continued (Part II)

A trunk is a point-to-point link between
Two switches
A switch and a router
Trunks carry traffic of multiple VLANs
Cisco supports one or both of these Trunking
protocols
IEEE 802.1Q (dot1q)
ISL (Cisco proprietary)

73
Trunking

Cisco offers DTP and DISL which negotiates
trunking between two ends of a link and the
compatible trunking protocol (DTP).
Dynamic Trunking Protocol (DTP) manages trunk
negotiation on a Catalyst Supervisor engine
software release 4.2 and later
Supports both 802.1Q and ISL
Dynamic Inter-Switch Link (DISL) was used prior
to release 4.2.
Used only with ISL.
Set-based switches only (as far as I know)

74
DTP and DISL

Cisco also adapted its Dynamic ISL (DISL)
protocol and turned it into Dynamic Trunking
Protocol (DTP).
DISL can negotiate ISL trunking on a link between
two devices DTP can, in addition, negotiate the
type of trunking encapsulation (802.1q or ISL)
that will be used as well.
This is an interesting feature as some Cisco
devices support only ISL or 802.1q, whereas some
are able to run both.

75
DTP Modes

When configuring a port for trunking, two
parameters can be set the trunking mode and the
encapsulation type (if DTP is supported on that
port).
The trunking mode defines how the port will
negotiate the set up of a trunk with its peer
port.
The encapsulation type allows the user to specify
whether 802.1q or ISL should be used when setting
up the trunk. Of course, the parameter is only
relevant if the module you are using is able to
use both.

76
Configuring Trunking

Fast Ethernet and Gigabit Ethernet trunking
modes
On
Off
Desirable
Auto Nonegotiate
Switch(enable) set trunk mod/port
on off desirable auto nonegotiate
isl dot1q dot10 lane negotiate
vlan range

77
(No Transcript)
78
Configuring Trunking

On
This mode puts the port into permanent trunking.
The port becomes a trunk port even if the
neighboring port does not agree to the change.
The on state does not allow for the negotiation
of an encapsulation type.
You must, therefore, specify the encapsulation in
the configuration

79
Configuring Trunking

Off
This mode puts the port into permanent
nontrunking mode and negotiates to convert the
link into a nontrunk link.
The port becomes a nontrunk port even if the
neighboring port does not agree to the change.

80
Configuring Trunking

Desirable
This mode makes the port actively attempt to
convert the link to a trunk link. The port
becomes a trunk port if the neighboring port is
set to on, desirable, or auto mode.

81
Configuring Trunking

Auto
This mode makes the port willing to convert the
link to a trunk link.
The port becomes a trunk port if the neighboring
port is set to on or desirable mode.
This is the default mode for Fast and Gigabit
Ethernet ports.
if the default setting is left on both sides of
the trunk link, the link will not become a trunk
Do not want both sides to be set to Auto

82
Configuring Trunking

Nonegotiate
This mode puts the port into permanent trunking
mode but prevents the port from generating
Dynamic Trunking Protocol (DTP) frames.
You must configure the neighboring port manually
as a trunk port to establish a trunk link.

83
Encapsulation Type

Switch(enable) set trunk mod/port
on off desirable auto
nonegotiate
isl dot1q dot10 lane
negotiate
vlan range

84
Configuring Trunking

For trunking to be autonegotiated on Fast
Ethernet or Gigabit Ethernet ports, the ports
must be in the same VTP domain.
However, you can use on or nonegotiate mode
to force a port to become a trunk, even if it is
in a different domain.

85
Configuring Trunking

IOS-Based Switch
Switch(config) interface fastethernet 0
Switch(config-if) switchport mode access
multi trunk
Switch(config-if) switchport trunk encapsulation
isldot1q
Switch(config-if) switchport trunk allowed vlan
remove vlan-list
Switch(config-if) switchport trunk allowed vlan
add vlan-list
By default, all VLANS, 1-1005 transported
automatically

86
Configuring Trunking

Set-Based Switch
Switch(enable) set trunk mod/port on off
desirable auto nonegotiate isl dot1q
dot10 lane negotiate vlan range
Switch(enable) clear trunk mod/port vlan-range
By default, all VLANS, 1-1005 transported
automatically

87
(No Transcript)
88
IOS 1924 Switch

interface FastEthernet0/22
switchport access vlan 50
!
interface FastEthernet0/23
port group 1 distribution destination
switchport mode trunk
switchport trunk encapsulation dot1q
!
interface FastEthernet0/24
port group 1 distribution destination
switchport mode trunk
switchport trunk encapsulation dot1q
!

89
Catalyst 4003

set trunk 2/45 on dot1q 1-1005 (to 4003)
set trunk 2/46 on dot1q 1-1005 (to 4003)
set trunk 2/48 on dot1q 1-1005 (to Rtr)
By default, all VLANS, 1-1005 transported
automatically

90
Router

interface FastEthernet0/1.1
encapsulation dot1Q 1
ip address 172.30.1.1 255.255.255.0
ip access-group 100 in
ip helper-address 172.30.50.50
no ip directed-broadcast
!
interface FastEthernet0/1.2
encapsulation dot1Q 2
ip address 172.30.2.1 255.255.255.0
ip access-group 102 in
ip helper-address 172.30.50.255
ip helper-address 172.30.50.10
no ip directed-broadcast

91
VLAN Trunking Protocol

VTP maintains VLAN configuration consistency
across the entire network.
VTP is a messaging protocol that uses Layer 2
trunk frames to manage the addition, deletion,
and renaming of VLANs on a network-wide basis.
Further, VTP allows you to make centralized
changes that are communicated to all other
switches in the network.

92
VTP

Create VLANs on the VTP Server
Those VLANs get sent to other client switches
On the client switches, you can now assign ports
to those vlans.
Cannot create vlans on the client switches like
you could previously before configuring the
switch to be a VTP client.

93
VTP Benefits
94
VTP

All switches in the same management domain share
their VLAN information with each other, and a
switch can participate in only one VTP management
domain.
Switches in different domains do not share VTP
information.
Using VTP, switches advertise
Management domain
Configuration revision number
Known VLANs and their specific parameters

95
VTP

Switches can be configured not to accept VTP
information.
These switches will forward VTP information on
trunk ports in order to ensure that other
switches receive the update, but the switches
will not modify their database, nor will the
switches send out an update indicating a change
in VLAN status.
This is referred to as transparent mode.

96
VTP

By default, management domains are set to a
nonsecure mode, meaning that the switches
interact without using a password.
Adding a password automatically sets the
management domain to secure mode.
A password must be configured on every switch in
the management domain to use secure mode.

97
VTP

The VTP database contains a revision number.
Each time a change is made, the switch increments
the revision number

98
VTP

A higher configuration revision number indicates
that the VLAN information that is being sent is
more current then the stored copy.
Any time a switch receives an update that has a
higher configuration revision number, the switch
will overwrite the stored information with the
new information being sent in the VTP update.

99
VTP Modes

Switches can operate in any one of the following
three VTP modes
Server
Client
Transparent

100
VTP Modes

Server - If you configure the switch for server
mode, you can create, modify, and delete VLANs,
and specify other configuration parameters (such
as VTP version and VTP pruning) for the entire
VTP domain.
VTP servers
advertise their VLAN configuration to other
switches in the same VTP domain
synchronize the VLAN configuration with other
switches based on advertisements received over
trunk links.
Recommended you have at least 2 VTP servers in
case one goes down
This is the default mode on the switch.

101
VTP Modes

Client - VTP clients behave the same way as VTP
servers. However, you cannot create, change, or
delete VLANs on a VTP client.

102
VTP Modes

Transparent - VTP transparent switches do not
participate in VTP.
A VTP transparent switch does not advertise its
VLAN configuration, and does not synchronize its
VLAN configuration based on received
advertisements.
However, in VTP Version 2, transparent switches
do forward VTP advertisements that the switches
receive out their trunk ports.

103
Configuring VTP
104
Configuring VTP

IOS-Based Switch
Switch vlan database
Switch(vlan) vtp domain domain-name
Switch(vlan) vtp server client transparent
Optional
Switch(vlan) vtp password password
Switch(vlan) vtp v2-mode (version2)
Example
ALSwitch vlan database
ALSwitch(vlan) vtp domain corp
ALSwitch(vlan) vtp client

105
Configuring VTP

Set-Based Switch
Switch(enable) set vtp domain domain-name mode
server client transparentpassword
password
Switch(enable) set vtp v2 enable (version 2)
Example
DLSwitch(enable) set vtp domain corp
DLSwitch(enable) set vtp mode server

106
VTP Pruning

VTP pruning enhances network bandwidth use by
reducing unnecessary flooding of traffic, such as
broadcast, multicast, unknown, and flooded
unicast packets.
VTP pruning increases available bandwidth by
restricting flooded traffic to those trunk links
that the traffic must use to access the
appropriate network devices.
By default, VTP pruning is disabled.

107
VTP Pruning
108
VTP Pruning

Enabling VTP pruning on a VTP server enables
pruning for the entire management domain.
VTP pruning takes effect several seconds after
you enable it.
By default, VLANs 2 through 1000 are pruning
eligible.
VLAN 1 is always pruning ineligible, so traffic
from VLAN 1 cannot be pruned.
You have the option to make specific VLANs
pruning eligible or pruning ineligible on the
device.

109
Configuring VTP Pruning