Cabrillo College - PowerPoint PPT Presentation

1 / 110
About This Presentation
Title:

Cabrillo College

Description:

Cabrillo College CCNP Multilayer Switching Introduction to VLANs Rick Graziani, Instructor March 27, 2001 VLANs Switched networks that are logically segmented on ... – PowerPoint PPT presentation

Number of Views:452
Avg rating:3.0/5.0
Slides: 111
Provided by: RickG168
Category:
Tags: cabrillo | college | fddi

less

Transcript and Presenter's Notes

Title: Cabrillo College


1
Cabrillo College
  • CCNP Multilayer Switching
  • Introduction to VLANs
  • Rick Graziani, Instructor
  • March 27, 2001

2
VLANs
  • Switched networks that are logically segmented on
    an organizational basis by functions, project
    teams, or applications rather than on a physical
    or geographical basis

3
VLANs
  • Can be thought of as a broadcast domain that
    exists within a defined set of switches
  • Provide the segmentation services traditionally
    provided by routers
  • Offer scalability, security, and improved network
    management
  • Routers in VLAN topologies provide broadcast
    filtering, security, address summarization, and
    traffic flow management.

4
VLANs
What are the issues if these were only separate
subnets and not vlans? To solve this problem,
normally the router would only be attached to one
subnet and the hosts on physically separate
subnets, in order to divide the broadcast domains.
5
VLANs
6
VLANs are secure
  • Whenever a station transmits in a shared network
    such as a legacy half-duplex 10BaseT system, all
    stations attached to the segment receive a copy
    of the frame, even if they are not the intended
    recipients.
  • Anyone with such a network sniffer can capture
    passwords, sensitive e-mail, and any other
    traffic on the shared network.

7
VLANs are secure - Switches
  • Switches allow for microsegmentation
  • Each user that connects directly to a switch port
    is on his or her own segment.
  • If every device has its own segment (switchport)
    then only the sender and receiver will see
    unicast traffic, unless the switch has to flood
    the unicast traffic for that vlan.
  • More in a moment!
  • VLANs contain broadcast traffic
  • Only users on the same VLAN will see broadcasts

8
Side Note - Transparent Bridging
  • Transparent bridging (normal switching process)
    is defined in IEEE 802.1d describing the five
    bridging processes of
  • learning
  • flooding filtering
  • forwarding
  • aging
  • These will be discussed further in STP

9
Transparent Bridge Process - Jeff Doyle
Receive Packet
Learn source address or refresh aging timer
Is the destination a broadcast, multicast or
unknown unicast?
Yes
Flood Packet
No
Are the source and destination on the same
interface?
Filter Packet
Yes
No
Forward unicast to correct port
10
Transparent Bridging
  • Switches will flood unicast traffic out all ports
    if it does not have the destination MAC address
    in its source address table.
  • This can be especially true for large flat
    networks where switches cannot contain all of the
    MAC addresses.
  • MAC address table can be 1,024 (or less) and more
    than 16,000 addresses depending upon vendor and
    model
  • Addresses will also age out of the source address
    table which means the frames will be flooded.
    This traffic may include confidential information
    including passwords.
  • Cisco and Bay default is 5 minutes (common)
  • Why so small? Dynamic and current.

11
Changing and viewing the aging timer
  • Set-based
  • Switch_1gt (enable) set cam agingtime vlan
    agingtime_in_msec
  • Switch_1gt (enable) show cam agingtime
  • VLAN 1 aging time 300 sec
  • VLAN 2 aging time 300 sec
  • IOS-based
  • Switch(config) mac-address-table aging-time
    seconds vlan vlan
  • Switch show mac-address-table aging-time
  • 300

12
Show Mac-Address-Table (Source Address Table)
  • Set-based
  • Consolegt (enable) show cam dynamic
  • Static Entry. Permanent Entry. System
    Entry. R Router Entry. X Port Security Entry
  • VLAN Dest MAC/Route Des CoS Destination
    Ports
  • ---- ------------------ -----
    -------------------
  • 1 00-a0-c9-66-86-94 2/6 ALL
  • Total Matching CAM Entries Displayed 1

13
Show Mac-Address-Table (Source Address Table)
  • IOS-based
  • Switchshow mac-address-table dynamic
  • Non-static Address Table
  • Destination Address Address Type VLAN ... Port
  • ------------------- ------------ ----
    ...------
  • 00a0.c966.8694 Dynamic 1
    FastEthernet0/5

14
VLANs are secure - Switches
  • VLANs contain broadcast, multicast (later) and
    unknown unicast traffic to the specific VLAN

15
VLANs control broadcasts
16
VLANs control broadcasts
  • Broadcast traffic is a necessary evil
  • Routing protocols and network services typically
    rely on broadcasts
  • Multimedia applications may also use broadcast
    frames/packets
  • Each VLAN is its own broadcast domain
  • Traffic of any kind cannot leave a VLAN without
    L3 services (a router)
  • Administrators can control the size of a
    broadcast domain by defining the size of the VLAN

17
VLANs improve BW utilization
  • Bandwidth is shared in legacy Ethernet a switch
    improves BW utilization by eliminating collisions
    (microsegmentation).
  • VLANs further improve BW utilization by confining
    broadcasts and other traffic
  • Switches only flood ports that belong to the
    source ports VLAN.

18
VLANs decrease latency
If switches and VLANs were used here instead of
routers, Accounting users would experience less
latency.
19
When NOT to VLAN
20
Types of VLANs
  • When scaling VLANs in the switch block, there are
    two basic methods of defining the VLAN
    boundaries
  • End-to-end VLANs (no longer recommended by Cisco
    due to management and STP concerns)
  • Local VLANs

21
Types of VLANs
  • Remember a one-to-one correspondence between
    VLANs and IP subnets is strongly recommended!
  • Typically, this results in VLANs of 254 hosts or
    less. (Depending upon the subnetting scheme
    used.)

22
End-to-End VLANs
  • Users are grouped into VLANs independent of
    physical location and dependent on group or job
    function.
  • All users in a VLAN should have the same 80/20
    traffic flow patterns.
  • As a user moves around the campus, VLAN
    membership for that user should not change.
  • Each VLAN has a common set of security
    requirements for all members.

23
End-to-End VLANs
24
Local VLANs
  • As many corporate networks have moved to
    centralize their resources, end-to-end VLANs
    became more difficult to maintain.
  • Users are required to use many different
    resources, many of which are no longer in their
    VLAN.
  • Because of this shift in placement and usage of
    resources, VLANs are now more frequently being
    created around geographic boundaries rather than
    commonality boundaries.

25
Local VLANs
  • Can span a geographic location as large as an
    entire building or as small a one switch
  • 20/80 rule in effect with 80 percent of the
    traffic remote to the user and 20 percent of the
    traffic local to the user
  • A user must cross a L3 device in order to reach
    80 percent of the resources
  • However, this design allows the network to
    provide for a deterministic, consistent method of
    accessing resources.

26
VLAN Types
  • The two common approaches to assigning VLAN
    membership are
  • Static VLANs
  • Dynamic VLANs

27
Static VLANs
  • Also referred to as port-based membership
  • VLAN assignments are created by assigning ports
    to a VLAN
  • As a device enters the network, the device
    automatically assumes the VLAN of the port.
  • If the user changes ports and needs access to the
    same VLAN, the network administrator must
    manually make a port-to-VLAN assignment for the
    new connection.

28
Static VLANs
29
Static VLANs
  • The port is assigned to a specific VLAN
    independent of the user or system attached to the
    port.
  • The port cannot send or receive from devices in
    another VLAN without the intervention of a L3
    device.
  • The device that is attached to the port likely
    has no understanding that a VLAN exists.
  • The device simply knows that it is a member of a
    subnet. (ip address and subnet mask)

30
Static VLANs
  • Switch is responsible for identifying that the
    information came from a specific VLAN and for
    ensuring that the information gets to all other
    members of the VLAN.
  • The switch is further responsible for ensuring
    that ports in a different VLAN do not receive the
    information.

31
Static VLANs
  • This approach is quite simple, fast, and easy to
    manage in that there are no complex lookup tables
    required for VLAN segmentation.
  • If port-to-VLAN association is done with an
    application-specific integrated circuit (ASIC),
    the performance is very good.
  • An ASIC allows the port-to-VLAN mapping to be
    done at the hardware level.

32
Configuring Static VLANs
  • IOS-Based Switch
  • Switch vlan database
  • Switch(vlan) vlan vlan-num name vlan-name
  • Switch(config)interface fastethernet 0
  • Switch(config-if) switchport access vlan vlan-num

33
Configuring Static VLANs
  • Set-Based Switch
  • Switch(enable) set vlan vlan-num name name
  • Switch(enable) set vlan vlan-num mod/num_list
  • Switch(enable) set vlan 10 2/19-24

34
Dynamic VLANs
  • Created through the use of software packages such
    as CiscoWorks 2000
  • Allow for membership based on the MAC address of
    the device
  • As a device enters the network, the device
    queries a database for VLAN membership

35
Dynamic VLANs
36
Dynamic VLANs
  • With a VLAN Management Policy Server (VMPS), you
    can assign switch ports to VLANs dynamically,
    based on the source MAC address of the device
    connected to the port.
  • When you move a host from a port on one switch in
    the network to a port on another switch in the
    network, the switch assigns the new port to the
    proper VLAN for that host dynamically.

37
Dynamic VLANs
  • When you enable VMPS, a MAC address-to-VLAN
    mapping database downloads from a Trivial File
    Transfer Protocol (TFTP) server and VMPS begins
    to accept client requests.
  • If you reset or power cycle the Catalyst 5000,
    4000, 900, 3500, or 6000 Series Switch, the VMPS
    database downloads from the TFTP server
    automatically and VMPS is reenabled.

38
Dynamic VLANs
  • VMPS opens a UDP socket to communicate and listen
    to client Catalyst requests.
  • When the VMPS server receives a valid request
    from a client Catalyst, it searches its database
    for a MAC address-to-VLAN mapping.

39
Access and Trunk Links
40
Access Links
  • An access link is a link on the switch that is a
    member of only one VLAN.
  • This VLAN is referred to as the native VLAN of
    the port.
  • Any device that is attached to the port is
    completely unaware that a VLAN exists.

41
Trunk Links
  • A trunk link is capable of supporting multiple
    VLANs.
  • Trunk links are typically used to connect
    switches to other switches or routers.
  • Switches support trunk links on both Fast
    Ethernet and Gigabit Ethernet ports.

42
Access and Trunk Links
43
Trunk Links
Without trunking
With trunking
44
Trunking
  • A trunk is a point-to-point link that supports
    several VLANs
  • A trunk is to saves ports when creating a link
    between two devices implementing VLANs
  • Trunking covered in more detail in next section

45
Trunk Links
  • A trunk link does not belong to a specific VLAN.
  • Acts as a conduit for VLANs between switches and
    routers.
  • The trunk link can be configured to transport all
    VLANs or to transport a limited number of VLANs.
  • A trunk link may, however, have a native VLAN.
  • The native VLAN of the trunk is the VLAN that the
    trunk uses if the trunk link fails for any reason.

46
Trunk Links
  • In Ethernet, the switch has two methods of
    identifying the VLAN that a frame belongs to
  • ISL InterSwitch Link
  • (Cisco proprietary)
  • IEEE 802.1Q (standards-based)
  • aka, dot1q

47
VLAN Identification
  • ISL - This protocol is a Cisco proprietary
    encapsulation protocol for interconnecting
    multiple switches it is supported in switches as
    well as routers.
  • Even though its Cisco proprietary, ISL is not
    natively supported by the Catalyst 4000.
  • The L3 blade does give the Cat4000s router two
    ISL-capable ports (Gig 1 and Gig 2).

48
VLAN Identification
  • IEEE 802.1Q - This protocol is an IEEE standard
    method for identifying VLANs by inserting a VLAN
    identifier into the frame header.
  • This process is referred to as frame tagging.
  • Note In practice, both ISL and dot1q are called
    frame tagging

49
VLAN Identification
  • 802.10 - This standard is a Cisco proprietary
    method of transporting VLAN information inside
    the standard 802.10 frame (FDDI).
  • The VLAN information is written to the security
    association identifier (SAID) portion of the
    802.10 frame.
  • This method is typically used to transport VLANs
    across FDDI backbones.

50
VLAN Identification
  • LAN Emulation (LANE) - LANE is an ATM Forum
    standard that can be used for transporting VLANs
    over Asynchronous Transfer Mode (ATM) networks.

51
VLAN Identification
Both 802.1Q and ISL do Explicit tagging.
802.1Q uses an internal tagging process that
modifies the existing Ethernet frame with the
VLAN ID. This allows 802.1Q frames to work on
both access and trunk links as it appears to be a
standard Ethernet frame. ISL uses external
tagging process, where the original frame is not
altered but it is encapsulated with a new 26-byte
ISL header (tag). This means that only ISL aware
devices can interpret this frame.
52
ISL (Frame Encapsulation)
Ethernet Frame1500 bytes plus 18 byte header
(1518 bytes)
53
ISL
  • An Ethernet frame is encapsulated with a header
    that transports VLAN IDs
  • It adds overhead to the packet as a 26-byte
    header containing a 10-bit VLAN ID.
  • In addition, a 4-byte cyclic redundancy check
    (CRC) is appended to the end of each frame.
  • This CRC is in addition to any frame checking
    that the Ethernet frame requires.

54
ISL - Selected fields
  • DA - Destination Address
  • The DA field of the ISL packet is a 40 bit
    destination address. This address is a multicast
    address and is currently set to be
    0x01_00_0C_00_00. The first 40 bits of the DA
    field signal the receiver that the packet is in
    ISL format.
  • TYPE - Frame Type
  • The TYPE field indicates the type of frame that
    is encapsulated and could be used in the future
    to indicate alternative encapsulations. The
    following TYPE codes have been defined
  • Code Meaning
  • 0000 Ethernet
  • 0001 Token-Ring
  • 0010 FDDI
  • 0011 ATM

55
ISL - Selected fields
  • SA - Source Address
  • The SA field is the source address field of the
    ISL packet. It should be set to the 802.3 MAC
    address of the switch port transmitting the
    frame. It is a 48-bit value. The receiving device
    may ignore the SA field of the frame.
  • VLAN - Virtual LAN ID
  • The VLAN field is the virtual LAN ID of the
    packet. It is a 15-bit value that is used to
    distinguish frames on different VLANs. This field
    is often referred to as the "color" of the packet
  • BPDU - BPDU and CDP Indicator
  • The BPDU bit is set for all bridge protocol data
    units that are encapsulated by the ISL packet.
    The BPDUs are used by the spanning tree algorithm
    to determine information about the topology of
    the network.

56
ISL - Selected fields
  • ENCAP FRAME - Encapsulated Frame
  • The ENCAP FRAME is the encapsulated frame,
    including its own CRC value, completely
    unmodified. The internal frame must have a CRC
    value that is valid once the ISL encapsulation
    fields are removed. The length of this field can
    be from 1 to 24575 bytes long to accommodate
    Ethernet, Token Ring, and FDDI frames. A
    receiving switch may strip off the ISL
    encapsulation fields and use this ENCAP FRAME as
    the frame is received, associating the
    appropriate VLAN and other values with the
    received frame as indicated above for switching
    purposes.
  • CRC - Frame Checksum
  • The CRC is a standard 32-bit CRC value calculated
    on the entire encapsulated frame from the DA
    field to the ENCAP FRAME field. The receiving MAC
    will check this CRC and can discard packets that
    do not have a valid CRC on them. Note that this
    CRC is in addition to the one at the end of the
    ENCAP FRAME field.

57
802.1q
NIC cards and networking devices can understand
this baby giant frame (1522 bytes). However, a
Cisco switch must remove this encapsulation
before sending the frame out on an access link.
SA and DA MACs
SA and DA MACs
802.1q Tag
Type/Length Field
Data (max 1500 bytes)
CRC
NewCRC
Tag Protocol Identifier Tag Control Info
(includes VLAN ID)
58
802.1q
  • Significantly less overhead than the ISL
  • As opposed to the 30 bytes added by ISL, 802.1Q
    inserts only an additional 4 bytes into the
    Ethernet frame

59
802.1q
  • A 4-byte tag header containing a tag protocol
    identifier (TPID) and tag control information
    (TCI) with the following elements

60
802.1q
  • TPID
  • A 2-byte TPID with a fixed value of 0x8100. This
    value indicates that the frame carries the
    802.1Q/802.1p tag information.
  • TCI
  • A TCI containing the following elements
  • - Three-bit user priority (8 priority levels, 0
    thru 7)
  • - One-bit canonical format (CFI indicator), 0
    canonical, 1 noncanonical, to signal bit order
    in the encapsulated frame (www.faqs.org/rfcs/rfc24
    69.html - A Caution On the Canonical Ordering of
    Link-Layer Addresses)
  • - Twelve-bit VLAN identifier (VID)-Uniquely
    identifies the VLAN to which the frame belongs,
    defining 4,096 VLANs, with 0 and 4095 reserved.

61
Trunk Links - once again...
Without trunking
With trunking
62
Trunking
  • Before attempting to configure a VLAN trunk on a
    port, you should to determine what encapsulation
    the port can support.
  • Set-based switches
  • switchgt (enable) show port capabilities
  • Note the Catalyst 4000 does not support ISL
    (except the router blade)
  • IOS-based switches
  • switch(config-if) switchport trunk encapsulation
    ?
  • (only way I know)

63
Next week...
  • More Trunking next week, along with VTP (VLAN
    Trunking Protocol)
  • Next few slides, review of vlan commands

64
Creating VLANs - access ports
  • IOS-Based
  • Switch(config) interface fastethernet mod/num
  • Switch(config-if) switchport access vlan
    vlan-num
  • Remove
  • Switch(config-if) no switchport access vlan
    vlan-num
  • Set-Based
  • Switchgt (enable) set vlan vlan-num mod/num_list
  • Remove
  • Switchgt (enable) clear vlan vlan-num
  • When you clear a VLAN, all ports assigned to that
    VLAN become inactive and can be reactivated using
    set vlan vlan-num state active or by assigning
    the ports to another vlan.

65
Naming a VLAN
  • IOS-Based
  • Switch vlan database (not in global config!)
  • Switch(vlan) vlan vlan-num name vlan-name

Set-Based Switchgt (enable) set vlan vlan-num name
vlan-name
66
Viewing VLAN information
  • IOS-Based
  • Switch show vlan
  • Switch show vlan brief

Set-Based Switchgt (enable) show vlan Switchgt
(enable) show interface
67
  • IOS-based
  • CIS-2900-ServerFarmgtshow vlan
  • VLAN Name Status
    Ports
  • ---- -------------------------------- ---------
    -----------------
  • 1 default active
  • 2 VLAN0002 active
  • 3 VLAN0003 active
  • 4 VLAN0004 active
  • 5 VLAN0005 active
  • 10 VLAN0010 active
  • 50 SeverFarm active
    Fa0/1, Fa0/2, Fa0/3, Fa0/4,

  • Fa0/5, Fa0/6, Fa0/7, Fa0/8,

  • ltoutput omitted)

  • Fa0/21, Fa0/22
  • 1002 fddi-default active
  • lttext omittedgt
  • VLAN Type SAID MTU Parent RingNo
    BridgeNo Stp BrdgMode Trans1 Trans2

68
  • IOS-based
  • CIS-2900-ServerFarmgtshow vlan brief
  • VLAN Name Status
    Ports
  • ---- -------------------------------- ---------
    -----------------
  • 1 default active
  • 2 VLAN0002 active
  • 3 VLAN0003 active
  • 4 VLAN0004 active
  • 5 VLAN0005 active
  • 10 VLAN0010 active
  • 50 SeverFarm active
    Fa0/1, Fa0/2, Fa0/3, Fa0/4,

  • Fa0/5, Fa0/6, Fa0/7, Fa0/8,

  • ltoutput omitted)

  • Fa0/21, Fa0/22
  • 1002 fddi-default active
  • 1003 token-ring-default active
  • 1004 fddinet-default active
  • 1005 trnet-default active

69
  • Set-based
  • CIS-4003-MainSwitchgt show vlan
  • VLAN Name Status
    IfIndex Mod/Ports
  • ---- -------------------------------- ---------
    ------- --------------
  • 1 default active 4
    2/1-12
  • 2 VLAN0002 active 9
    2/13-36
  • 3 VLAN0003 active
    10 2/37-40
  • 4 VLAN0004 active
    11 2/41-44
  • 5 VLAN0005 active
    60
  • 10 VLAN0010 active
    68
  • 50 SeverFarm active
    62 2/47
  • 1002 fddi-default active 5
  • 1003 token-ring-default active 8
  • 1004 fddinet-default active 6
  • 1005 trnet-default active 7
  • VLAN Type SAID MTU Parent RingNo BrdgNo
    Stp BrdgMode Trans1 Trans2
  • ---- ----- ---------- ----- ------ ------ ------
    ---- -------- ------ ------
  • 1 enet 100001 1500 - - -
    - - 0 0

70
  • IOS-based
  • Switch show running-config
  • !
  • interface FastEthernet0/1
  • switchport access vlan 50
  • !
  • interface FastEthernet0/2
  • switchport access vlan 50
  • !
  • interface FastEthernet0/3
  • switchport access vlan 50
  • !
  • interface FastEthernet0/4
  • switchport access vlan 50

71
  • Set-based
  • Switchgt(enable)show config
  • vtp
  • set vtp domain CIS-classrooms
  • set vlan 1 name default type ethernet mtu 1500
    said 100001 state active
  • set vlan 50 name SeverFarm type ethernet mtu 1500
    said 100050 state active
  • module 2 48-port 10/100BaseTx Ethernet
  • set vlan 2 2/13-36
  • set vlan 3 2/37-40
  • set vlan 4 2/41-44
  • set vlan 10 2/48
  • set vlan 50 2/47

72
Trunking continued (Part II)
  • A trunk is a point-to-point link between
  • Two switches
  • A switch and a router
  • Trunks carry traffic of multiple VLANs
  • Cisco supports one or both of these Trunking
    protocols
  • IEEE 802.1Q (dot1q)
  • ISL (Cisco proprietary)

73
Trunking
  • Cisco offers DTP and DISL which negotiates
    trunking between two ends of a link and the
    compatible trunking protocol (DTP).
  • Dynamic Trunking Protocol (DTP) manages trunk
    negotiation on a Catalyst Supervisor engine
    software release 4.2 and later
  • Supports both 802.1Q and ISL
  • Dynamic Inter-Switch Link (DISL) was used prior
    to release 4.2.
  • Used only with ISL.
  • Set-based switches only (as far as I know)

74
DTP and DISL
  • Cisco also adapted its Dynamic ISL (DISL)
    protocol and turned it into Dynamic Trunking
    Protocol (DTP).
  • DISL can negotiate ISL trunking on a link between
    two devices DTP can, in addition, negotiate the
    type of trunking encapsulation (802.1q or ISL)
    that will be used as well.
  • This is an interesting feature as some Cisco
    devices support only ISL or 802.1q, whereas some
    are able to run both.

75
DTP Modes
  • When configuring a port for trunking, two
    parameters can be set the trunking mode and the
    encapsulation type (if DTP is supported on that
    port).
  • The trunking mode defines how the port will
    negotiate the set up of a trunk with its peer
    port.
  • The encapsulation type allows the user to specify
    whether 802.1q or ISL should be used when setting
    up the trunk. Of course, the parameter is only
    relevant if the module you are using is able to
    use both.

76
Configuring Trunking
  • Fast Ethernet and Gigabit Ethernet trunking
    modes
  • On
  • Off
  • Desirable
  • Auto Nonegotiate
  • Switch(enable) set trunk mod/port
  • on off desirable auto nonegotiate
  • isl dot1q dot10 lane negotiate
  • vlan range

77
(No Transcript)
78
Configuring Trunking
  • On
  • This mode puts the port into permanent trunking.
  • The port becomes a trunk port even if the
    neighboring port does not agree to the change.
  • The on state does not allow for the negotiation
    of an encapsulation type.
  • You must, therefore, specify the encapsulation in
    the configuration

79
Configuring Trunking
  • Off
  • This mode puts the port into permanent
    nontrunking mode and negotiates to convert the
    link into a nontrunk link.
  • The port becomes a nontrunk port even if the
    neighboring port does not agree to the change.

80
Configuring Trunking
  • Desirable
  • This mode makes the port actively attempt to
    convert the link to a trunk link. The port
    becomes a trunk port if the neighboring port is
    set to on, desirable, or auto mode.

81
Configuring Trunking
  • Auto
  • This mode makes the port willing to convert the
    link to a trunk link.
  • The port becomes a trunk port if the neighboring
    port is set to on or desirable mode.
  • This is the default mode for Fast and Gigabit
    Ethernet ports.
  • if the default setting is left on both sides of
    the trunk link, the link will not become a trunk
  • Do not want both sides to be set to Auto

82
Configuring Trunking
  • Nonegotiate
  • This mode puts the port into permanent trunking
    mode but prevents the port from generating
    Dynamic Trunking Protocol (DTP) frames.
  • You must configure the neighboring port manually
    as a trunk port to establish a trunk link.

83
Encapsulation Type
  • Switch(enable) set trunk mod/port
  • on off desirable auto
    nonegotiate
  • isl dot1q dot10 lane
    negotiate
  • vlan range

84
Configuring Trunking
  • For trunking to be autonegotiated on Fast
    Ethernet or Gigabit Ethernet ports, the ports
    must be in the same VTP domain.
  • However, you can use on or nonegotiate mode
    to force a port to become a trunk, even if it is
    in a different domain.

85
Configuring Trunking
  • IOS-Based Switch
  • Switch(config) interface fastethernet 0
  • Switch(config-if) switchport mode access
    multi trunk
  • Switch(config-if) switchport trunk encapsulation
    isldot1q
  • Switch(config-if) switchport trunk allowed vlan
    remove vlan-list
  • Switch(config-if) switchport trunk allowed vlan
    add vlan-list
  • By default, all VLANS, 1-1005 transported
    automatically

86
Configuring Trunking
  • Set-Based Switch
  • Switch(enable) set trunk mod/port on off
    desirable auto nonegotiate isl dot1q
    dot10 lane negotiate vlan range
  • Switch(enable) clear trunk mod/port vlan-range
  • By default, all VLANS, 1-1005 transported
    automatically

87
(No Transcript)
88
IOS 1924 Switch
  • interface FastEthernet0/22
  • switchport access vlan 50
  • !
  • interface FastEthernet0/23
  • port group 1 distribution destination
  • switchport mode trunk
  • switchport trunk encapsulation dot1q
  • !
  • interface FastEthernet0/24
  • port group 1 distribution destination
  • switchport mode trunk
  • switchport trunk encapsulation dot1q
  • !

89
Catalyst 4003
  • set trunk 2/45 on dot1q 1-1005 (to 4003)
  • set trunk 2/46 on dot1q 1-1005 (to 4003)
  • set trunk 2/48 on dot1q 1-1005 (to Rtr)
  • By default, all VLANS, 1-1005 transported
    automatically

90
Router
  • interface FastEthernet0/1.1
  • encapsulation dot1Q 1
  • ip address 172.30.1.1 255.255.255.0
  • ip access-group 100 in
  • ip helper-address 172.30.50.50
  • no ip directed-broadcast
  • !
  • interface FastEthernet0/1.2
  • encapsulation dot1Q 2
  • ip address 172.30.2.1 255.255.255.0
  • ip access-group 102 in
  • ip helper-address 172.30.50.255
  • ip helper-address 172.30.50.10
  • no ip directed-broadcast

91
VLAN Trunking Protocol
  • VTP maintains VLAN configuration consistency
    across the entire network.
  • VTP is a messaging protocol that uses Layer 2
    trunk frames to manage the addition, deletion,
    and renaming of VLANs on a network-wide basis.
  • Further, VTP allows you to make centralized
    changes that are communicated to all other
    switches in the network.

92
VTP
  • Create VLANs on the VTP Server
  • Those VLANs get sent to other client switches
  • On the client switches, you can now assign ports
    to those vlans.
  • Cannot create vlans on the client switches like
    you could previously before configuring the
    switch to be a VTP client.

93
VTP Benefits
94
VTP
  • All switches in the same management domain share
    their VLAN information with each other, and a
    switch can participate in only one VTP management
    domain.
  • Switches in different domains do not share VTP
    information.
  • Using VTP, switches advertise
  • Management domain
  • Configuration revision number
  • Known VLANs and their specific parameters

95
VTP
  • Switches can be configured not to accept VTP
    information.
  • These switches will forward VTP information on
    trunk ports in order to ensure that other
    switches receive the update, but the switches
    will not modify their database, nor will the
    switches send out an update indicating a change
    in VLAN status.
  • This is referred to as transparent mode.

96
VTP
  • By default, management domains are set to a
    nonsecure mode, meaning that the switches
    interact without using a password.
  • Adding a password automatically sets the
    management domain to secure mode.
  • A password must be configured on every switch in
    the management domain to use secure mode.

97
VTP
  • The VTP database contains a revision number.
  • Each time a change is made, the switch increments
    the revision number

98
VTP
  • A higher configuration revision number indicates
    that the VLAN information that is being sent is
    more current then the stored copy.
  • Any time a switch receives an update that has a
    higher configuration revision number, the switch
    will overwrite the stored information with the
    new information being sent in the VTP update.

99
VTP Modes
  • Switches can operate in any one of the following
    three VTP modes
  • Server
  • Client
  • Transparent

100
VTP Modes
  • Server - If you configure the switch for server
    mode, you can create, modify, and delete VLANs,
    and specify other configuration parameters (such
    as VTP version and VTP pruning) for the entire
    VTP domain.
  • VTP servers
  • advertise their VLAN configuration to other
    switches in the same VTP domain
  • synchronize the VLAN configuration with other
    switches based on advertisements received over
    trunk links.
  • Recommended you have at least 2 VTP servers in
    case one goes down
  • This is the default mode on the switch.

101
VTP Modes
  • Client - VTP clients behave the same way as VTP
    servers. However, you cannot create, change, or
    delete VLANs on a VTP client.

102
VTP Modes
  • Transparent - VTP transparent switches do not
    participate in VTP.
  • A VTP transparent switch does not advertise its
    VLAN configuration, and does not synchronize its
    VLAN configuration based on received
    advertisements.
  • However, in VTP Version 2, transparent switches
    do forward VTP advertisements that the switches
    receive out their trunk ports.

103
Configuring VTP
104
Configuring VTP
  • IOS-Based Switch
  • Switch vlan database
  • Switch(vlan) vtp domain domain-name
  • Switch(vlan) vtp server client transparent
  • Optional
  • Switch(vlan) vtp password password
  • Switch(vlan) vtp v2-mode (version2)
  • Example
  • ALSwitch vlan database
  • ALSwitch(vlan) vtp domain corp
  • ALSwitch(vlan) vtp client

105
Configuring VTP
  • Set-Based Switch
  • Switch(enable) set vtp domain domain-name mode
    server client transparentpassword
    password
  • Switch(enable) set vtp v2 enable (version 2)
  • Example
  • DLSwitch(enable) set vtp domain corp
  • DLSwitch(enable) set vtp mode server

106
VTP Pruning
  • VTP pruning enhances network bandwidth use by
    reducing unnecessary flooding of traffic, such as
    broadcast, multicast, unknown, and flooded
    unicast packets.
  • VTP pruning increases available bandwidth by
    restricting flooded traffic to those trunk links
    that the traffic must use to access the
    appropriate network devices.
  • By default, VTP pruning is disabled.

107
VTP Pruning
108
VTP Pruning
  • Enabling VTP pruning on a VTP server enables
    pruning for the entire management domain.
  • VTP pruning takes effect several seconds after
    you enable it.
  • By default, VLANs 2 through 1000 are pruning
    eligible.
  • VLAN 1 is always pruning ineligible, so traffic
    from VLAN 1 cannot be pruned.
  • You have the option to make specific VLANs
    pruning eligible or pruning ineligible on the
    device.

109
Configuring VTP Pruning
  • IOS-Based Switch
  • Switch vlan database
  • Switch(vlan) vtp pruning
  • Remove VLANs from being pruned
  • Switch(config-if) switchport trunk pruning vlan
    remove vlan-list
  • By default, all Vlans pruned in management domain

110
Configuring VTP Pruning
  • Set-Based Switch
  • Switch(enable) set vtp pruning enable
  • Optional
  • Switch(enable) set vtp pruneeligible vlan-range
  • Switch(enable) clear vtp pruning vlan-range
  • By default, all Vlans pruned in management
    domain.
Write a Comment
User Comments (0)
About PowerShow.com