Building Cisco Multilayer Switched Networks (BCMSN) Instructor Name MR.SIDDIQ AHMED CCIE # 17864
Implementing VLANs
A VLAN = A Broadcast Domain = Logical Network (Subnet)

VLAN Overview
Layer 2 connectivity
Logical organizational flexibility
Single broadcast domain
Management
Basic security (traffic separation at Layer 2; it holds only as long as access ports and trunks are configured correctly)

Emphasize: A VLAN is a broadcast domain.
Note: In order to have inter-VLAN communications, a router (or another Layer 3 device) is required.
VLANs Establish Broadcast Domains
VLANs plus routing limit broadcasts to the domain of origin.

Purpose: VLANs create broadcast domains that can greatly reduce unnecessary traffic.
Emphasize: VLANs can create multiple broadcast domains.
Transition: Let's take a look at an example of a network that has implemented VLANs to complete our review.
Local VLANs
Local VLANs generally reside in the wiring closet.

Purpose: This page discusses the characteristics of local VLANs.
Emphasize: Local VLANs are sometimes referred to as geographic VLANs. They are assigned based on a physical location such as a wiring closet, wing, or building of a corporation. They allow a deterministic approach to Layer 3 routing, Spanning Tree Protocol behavior, and so on, and they make the management process much easier. Local VLANs fit the newer campus model rule of 20/80: 20% of your traffic stays local and 80% of your traffic is remote (crosses the Layer 3 boundary).
Transition: Now that you have finished discussing the types of VLANs, what are the configuration options for VLANs?
Static VLANs
All users attached to the same switch port must be in the same VLAN. The administrator assigns the VLAN to the port, so whatever device is plugged into that port lands in that VLAN.

Purpose: Provide the student with the basic information.
Emphasize: Slide contents.
VLAN Membership Modes
VLAN membership can either be static or dynamic.

Note: Once a port has been assigned to a VLAN, it cannot send or receive traffic from devices in another VLAN without the intervention of a Layer 3 device such as a router. Dynamic membership is assigned by a VLAN Membership Policy Server (VMPS) from the source MAC address seen on the port; because a host can change its MAC address, this is a convenience, not an access control. The 1900 cannot be configured as the VMPS. A CiscoWorks 2000 or CWSI management station or a Catalyst 5000 switch can be configured as the VMPS. In the future, dynamic VLANs may also offer membership based on other criteria such as protocol or application. Dynamic VLANs are covered in the Managing Cisco Switched Internetworks class.
Configuring VLANs in Global Mode
Switch#configure terminal
Switch(config)#vlan 3
Switch(config-vlan)#name Vlan3
Switch(config-vlan)#exit
Switch(config)#end
Configuring VLANs in VLAN Database Mode
Switch#vlan database
Switch(vlan)#vlan 3
VLAN 3 added:
    Name: VLAN0003
Switch(vlan)#exit
APPLY completed.
Exiting....
Assigning Access Ports to a VLAN
Switch(config)#interface gigabitethernet 1/1
    Enters interface configuration mode
Switch(config-if)#switchport mode access
    Configures the interface as an access port (the port will not negotiate into a trunk)
Switch(config-if)#switchport access vlan 3
    Assigns the access port to a VLAN
Verifying the VLAN Configuration
Switch#show vlan [id | name] [vlan_num | vlan_name]

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/5, Fa0/7
                                                Fa0/8, Fa0/9, Fa0/11, Fa0/12
                                                Gi0/1, Gi0/2
2    VLAN0002                         active
51   VLAN0051                         active
52   VLAN0052                         active
…

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1    enet  100001     1500  -      -      -        -    -        1002   1003
2    enet  100002     1500  -      -      -        -    -        0      0
51   enet  100051     1500  -      -      -        -    -        0      0
52   enet  100052     1500  -      -      -        -    -        0      0
Verifying the VLAN Port Configuration
Switch#show running-config interface {fastethernet | gigabitethernet} slot/port
    Displays the running configuration of the interface
Switch#show interfaces [{fastethernet | gigabitethernet} slot/port] switchport
    Displays the switch port configuration of the interface
Switch#show mac-address-table interface interface-id [vlan vlan-id] [ | {begin | exclude | include} expression]
    Displays the MAC address table information for the specified interface in the specified VLAN
Implementing VLAN Trunks
Trunk Link Physical Implementation
VLAN Trunking
Switch Ports and Trunk Ports

Command                   Port type     Function
switchport mode access    Access port   Sets the switch port to unconditionally be an access port
switchport mode trunk     Trunk port    Sets the switch port to unconditionally become a trunk port
switchport mode dynamic   Dynamic port  Sets the switch port to dynamically negotiate its status (access or trunk)
Switch Port DTP Modes

Mode               Function
access             Unconditionally sets a switch port to access mode, regardless of other DTP functions
trunk              Sets the switch port to unconditional trunking mode and negotiates to become a trunk link, regardless of the neighbor interface mode
nonegotiate        Specifies that DTP negotiation packets are not sent on the Layer 2 interface (valid only together with access or trunk mode)
dynamic desirable  Sets the switch port to actively send and respond to DTP negotiation frames. Default for Ethernet on the older Catalyst platforms; newer platforms default to dynamic auto
dynamic auto       Sets the switch port to respond to but not to actively send DTP negotiation frames

Note: A port left in either dynamic mode forms a trunk with any neighbor that negotiates, including an attached host that sends DTP frames itself, and a trunk carries every allowed VLAN. Hard-set ports facing end stations to access mode, and use nonegotiate on configured trunks.
ISL Encapsulation
Performed with ASIC
Not intrusive to client stations; the client does not see the header
Effective between switches, and between routers and switches

Note: The 1900 only supports ISL trunking. ISL is Cisco proprietary; 802.1Q is an IEEE standard. Other trunk types: LANE (VLANs over ATM) and 802.10 (FDDI trunk).
ISL and Layer 2 Encapsulation
802.1Q Frame
802.1Q and Layer 2 Encapsulation
802.1Q Native VLANs
VLAN Ranges

VLAN Range  Range     Usage
0, 4095     Reserved  For system use only
1           Normal    Cisco default
2-1001      Normal    For Ethernet VLANs
1002-1005   Normal    Cisco defaults for FDDI and Token Ring
1006-4094   Extended  For Ethernet VLANs only

Note: The 12-bit VLAN ID field of the 802.1Q tag is what limits the space to 0-4095. With VTP version 1 or 2, extended-range VLANs can only be created on a switch in VTP transparent mode and are not advertised by VTP.
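The 802.1Q frame, native VLAN and VLAN range slides above, worked as an added Python example; this is not part of the course material. It encodes and parses the 4-byte tag (TPID 0x8100, then 3-bit PCP, 1-bit DEI and 12-bit VID), assigns an ingress VLAN the way a trunk does (the outer tag's VID, or the native VLAN when the frame is untagged) and shows that native-VLAN traffic leaves a trunk untagged. The MAC addresses, VLAN numbers and payloads are constructed. The last trace, where a switch strips an outer tag that names the port's own VLAN, is an assumption about platform behaviour used only to show why an untagged native VLAN exposes whatever tag sits beneath it; it is the reason the native VLAN should be an otherwise unused VLAN.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag


def vlan_tag(vid, pcp=0, dei=0):
    """One 4-byte 802.1Q tag: 16-bit TPID, then TCI = 3-bit PCP, 1-bit DEI, 12-bit VID."""
    if not 0 <= vid <= 4095:
        raise ValueError("VID must fit in 12 bits")
    tci = ((pcp & 0x7) << 13) | ((dei & 0x1) << 12) | vid
    return struct.pack("!HH", TPID_8021Q, tci)


def build_frame(dst, src, ethertype, payload, vids=()):
    """Ethernet II frame with zero or more stacked 802.1Q tags, outermost first."""
    tags = b"".join(vlan_tag(v) for v in vids)
    return dst + src + tags + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Addresses, the list of tags (outermost first), EtherType and payload."""
    dst, src = frame[:6], frame[6:12]
    off, tags = 12, []
    while struct.unpack_from("!H", frame, off)[0] == TPID_8021Q:
        tci = struct.unpack_from("!H", frame, off + 2)[0]
        tags.append({"pcp": tci >> 13, "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF})
        off += 4
    ethertype = struct.unpack_from("!H", frame, off)[0]
    return {"dst": dst, "src": src, "tags": tags, "ethertype": ethertype, "payload": frame[off + 2:]}


def strip_outer_tag(frame):
    """Remove the outermost tag, as a switch does on ingress; untagged frames pass through unchanged."""
    if struct.unpack_from("!H", frame, 12)[0] != TPID_8021Q:
        return frame
    return frame[:12] + frame[16:]


def ingress_vlan(frame, native_vlan):
    """VLAN a trunk assigns to an arriving frame: the outer tag's VID, or the native VLAN if untagged."""
    tags = parse_frame(frame)["tags"]
    return tags[0]["vid"] if tags else native_vlan


def egress_on_trunk(inner_frame, vlan, native_vlan):
    """Frame as it leaves a trunk: tagged with `vlan`, except that native-VLAN traffic is sent untagged."""
    if vlan == native_vlan:
        return inner_frame
    return inner_frame[:12] + vlan_tag(vlan) + inner_frame[12:]


def trace_example():
    """Constructed traces over a trunk whose native VLAN is 1."""
    dst, src = bytes.fromhex("ffffffffffff"), bytes.fromhex("0200c0ffee01")  # constructed addresses
    plain = build_frame(dst, src, 0x0806, b"\x00" * 28)  # untagged frame, ARP-sized payload
    on_wire_20 = egress_on_trunk(plain, vlan=20, native_vlan=1)  # VLAN 20 crosses tagged
    on_wire_1 = egress_on_trunk(plain, vlan=1, native_vlan=1)    # native VLAN crosses untagged
    # Frame carrying two tags, outer one for the native VLAN. Assumed: the ingress switch strips
    # the outer tag matching the port's VLAN, then forwards in VLAN 1, which the trunk sends untagged.
    double = build_frame(dst, src, 0x0806, b"\x00" * 28, vids=(1, 20))
    after_trunk = egress_on_trunk(strip_outer_tag(double), vlan=1, native_vlan=1)
    return {
        "vlan20_keeps_tag": ingress_vlan(on_wire_20, native_vlan=1),
        "native_goes_untagged": parse_frame(on_wire_1)["tags"] == [],
        "inner_tag_seen_by_next_switch": ingress_vlan(after_trunk, native_vlan=1),
    }
```

`trace_example()` returns 20 for the tagged VLAN 20 frame, True for the native-VLAN frame leaving without a tag, and 20 again for the double-tagged frame, which the next switch along the trunk now classifies by its inner tag.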
Configuring ISL Trunking
Switch(config)#interface fastethernet 2/1
    Enters interface configuration mode
Switch(config-if)#switchport trunk encapsulation isl
    Selects the encapsulation
Switch(config-if)#switchport mode trunk
    Configures the interface as a Layer 2 trunk
Verifying ISL Trunking
Switch#show running-config interface {fastethernet | gigabitethernet} slot/port
Switch#show interfaces [fastethernet | gigabitethernet] slot/port [switchport | trunk]

Switch#show interfaces fastethernet 2/1 trunk

Port      Mode         Encapsulation  Status        Native VLAN
Fa2/1     desirable    isl            trunking      1

Port      VLANs allowed on trunk
Fa2/1     1-1005

Port      VLANs allowed and active in management domain
Fa2/1     1-2,1002-1005

Port      VLANs in spanning tree forwarding state and not pruned
Configuring 802.1Q Trunking
Switch(config)#interface fastethernet 5/8
Switch(config-if)#shutdown
Switch(config-if)#switchport trunk encapsulation dot1q
Switch(config-if)#switchport trunk allowed vlan 1,15,11,1002-1005
Switch(config-if)#switchport mode trunk
Switch(config-if)#switchport nonegotiate
Switch(config-if)#no shutdown

Note: switchport trunk allowed vlan limits the trunk to the VLANs listed, and switchport nonegotiate stops the port from sending DTP frames, so the trunk's state is fixed by configuration rather than negotiated with whatever is on the other end.
Verifying 802.1Q Trunking
Switch#show running-config interface {fastethernet | gigabitethernet} slot/port
Switch#show interfaces [fastethernet | gigabitethernet] slot/port [switchport | trunk]

Switch#show interfaces gigabitEthernet 0/1 switchport
Name: Gi0/1
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
. . .

Note: Negotiation of Trunking: On means DTP is still running on this trunk; after switchport nonegotiate the line reads Off. Trunking VLANs Enabled: ALL and a native VLAN of 1 are the defaults, not a deliberate choice.
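An added Python check, not from the course, that reads show interfaces switchport output in the layout shown above for several ports and flags what the DTP mode and 802.1Q trunking slides warn about: ports left in a dynamic mode, trunks still negotiating (no switchport nonegotiate), native VLAN left at 1, and trunks allowing all VLANs. The sample output is constructed to follow the real command's layout; the interface names, modes and VLAN names in it are invented.

```python
import re

# Constructed sample in the layout of `show interfaces switchport`; not captured from a real device.
SAMPLE_OUTPUT = """\
Name: Gi0/1
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Trunking VLANs Enabled: ALL

Name: Fa0/5
Switchport: Enabled
Administrative Mode: dynamic desirable
Operational Mode: trunk
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: isl
Negotiation of Trunking: On
Access Mode VLAN: 10 (Users)
Trunking Native Mode VLAN: 1 (default)
Trunking VLANs Enabled: ALL

Name: Fa0/7
Switchport: Enabled
Administrative Mode: static access
Operational Mode: static access
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: native
Negotiation of Trunking: Off
Access Mode VLAN: 10 (Users)
Trunking Native Mode VLAN: 1 (default)
Trunking VLANs Enabled: ALL

Name: Gi0/2
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: Off
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 999 (unused-native)
Trunking VLANs Enabled: 10,20,30
"""


def parse_switchport(text):
    """One dict of 'Field: value' pairs per interface; blocks are separated by a blank line."""
    ports = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
        if "Name" in fields:
            ports.append(fields)
    return ports


def vlan_number(value):
    """'1 (default)' -> 1; the parenthesised VLAN name is ignored."""
    return int(value.split()[0])


def audit_port(p):
    """Findings for one port, each with the command that fixes it."""
    findings = []
    admin = p.get("Administrative Mode", "")
    is_trunk = p.get("Operational Mode") == "trunk"
    if admin.startswith("dynamic"):
        findings.append("DTP-negotiable mode '%s': set 'switchport mode access' or 'switchport mode trunk'" % admin)
    if is_trunk and p.get("Negotiation of Trunking") == "On":
        findings.append("trunk still runs DTP: add 'switchport nonegotiate'")
    if is_trunk and vlan_number(p.get("Trunking Native Mode VLAN", "1")) == 1:
        findings.append("native VLAN is 1: move it to an unused VLAN with 'switchport trunk native vlan'")
    if is_trunk and p.get("Trunking VLANs Enabled") == "ALL":
        findings.append("all VLANs allowed: restrict with 'switchport trunk allowed vlan'")
    return findings


def audit(text):
    """Map of interface name to its findings; an empty list means the port passed."""
    return {p["Name"]: audit_port(p) for p in parse_switchport(text)}


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_OUTPUT).items():
        print(name, "OK" if not findings else "")
        for f in findings:
            print("   ", f)
```

On the constructed sample, Fa0/7 (hard-set access port, DTP off) and Gi0/2 (nonegotiate trunk, unused native VLAN, explicit allowed list) pass; Gi0/1 is flagged three times for the defaults still in place, and Fa0/5, a user-facing port that negotiated itself into an ISL trunk, is flagged four times.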
Implementing VLAN Trunk Protocol
VTP Protocol Features
Advertises VLAN configuration information
Maintains VLAN configuration consistency throughout a common administrative domain
Sends advertisements on trunk ports only

Notes: VTP is a Cisco proprietary feature. VTP is a Layer 2 messaging protocol that maintains VLAN configuration consistency by managing the addition, deletion, and renaming of VLANs on a network-wide basis. VTP minimizes misconfigurations and configuration inconsistencies that can cause several problems, such as duplicate VLAN names, incorrect VLAN-type specifications, and security violations.

A VTP domain (also called a VLAN management domain) is one switch or several interconnected switches sharing the same VTP domain name. A switch is configured to be in only one VTP domain. You make global VLAN configuration changes for the domain by using the Cisco IOS command-line interface (CLI), Cisco Visual Switch Manager Software, or Simple Network Management Protocol (SNMP).

By default, a 1900 switch is in the no-management-domain state until it receives an advertisement for a domain over a trunk link or you configure a management domain. The default VTP mode is server mode, but VLANs are not propagated over the network until a management domain name is specified or learned. If the switch receives a VTP advertisement over a trunk link, it inherits the management domain name and configuration revision number. The switch then ignores advertisements with a different management domain name or an earlier configuration revision number.

When you make a change to the VLAN configuration on a VTP server, the change is propagated to all switches in the VTP domain. VTP advertisements are transmitted out all trunk connections, including Inter-Switch Link (ISL), IEEE 802.1Q, IEEE 802.10, and ATM LAN Emulation (LANE).
If you configure a switch in VTP transparent mode, you can create and modify VLANs, but the changes are not transmitted to other switches in the domain; they affect only that switch.
VTP Operation
VTP advertisements are sent as multicast frames.
VTP servers and clients are synchronized to the latest revision number.
VTP advertisements are sent every 5 minutes or when there is a change.

Emphasize: The latest revision number is what the switches synchronize to, whichever switch it came from.
VTP Modes

Server
  Creates, modifies, and deletes VLANs
  Sends and forwards advertisements
  Synchronizes VLAN configurations
  Saves configuration in NVRAM

Client
  Cannot create, change, or delete VLANs
  Forwards advertisements
  Synchronizes VLAN configurations
  Does not save in NVRAM

Transparent
  Creates, modifies, and deletes VLANs locally only
  Forwards advertisements
  Does not synchronize VLAN configurations
  Saves configuration in NVRAM

Emphasize: Default VTP mode on the Catalyst switches is server. Be careful when adding new switches into an existing network. This is covered in more detail later.
VTP Pruning
Increases available bandwidth by reducing unnecessary flooded traffic
Example: Station A sends a broadcast, and the broadcast is flooded only toward switches that have ports assigned to the red VLAN.

Emphasize: VTP pruning provides optimized flooding. Without VTP pruning, station A's broadcast is flooded to all switches whether they have a port in the red VLAN or not.
Note: VLAN 1 cannot be pruned; STP, CDP, and VTP updates are sent on VLAN 1. All switches in the switched network must support pruning or pruning will be disabled. Each trunk port maintains a state variable per VLAN indicating whether the switch has any port assigned to that VLAN.
VTP Configuration Guidelines
Configure the following:
  VTP domain name
  VTP mode (server mode is the default)
  VTP pruning
  VTP password
  VTP trap
Use caution when adding a new switch into an existing domain. Add a new switch in client mode so that it cannot originate VLAN changes, and check its configuration revision first: a switch in the same domain with a higher revision number overwrites the domain's VLAN database even in client mode, so reset its revision (change the domain name, or set transparent mode and back) before trunking it in.

Notes: All switches in a VTP domain must run the same VTP version. The password entered with a domain name should be the same for all switches in the domain. If you configure a VTP password, the management domain will not function properly if you do not assign the management domain password to each switch in the domain.

A VTP version 2-capable switch can operate in the same VTP domain as a switch running VTP version 1, provided version 2 is disabled on the version 2-capable switch (version 2 is disabled by default). Do not enable VTP version 2 on a switch unless all of the switches in the same VTP domain are version 2-capable. When you enable version 2 on a switch, all of the version 2-capable switches in the domain must have version 2 enabled. If there is a version 1-only switch, it will not exchange VTP information with switches with version 2 enabled. If there are Token Ring networks in your environment, you must enable VTP version 2 for Token Ring VLAN switching to function properly.

Enabling or disabling VTP pruning on a VTP server enables or disables VTP pruning for the entire management domain.

In the lab, all the switches are set to VTP transparent mode.
Configuring a VTP Server
Switch(config)#vtp server
    Configures VTP server mode
Switch(config)#vtp domain domain-name
    Specifies a domain name
Switch(config)#vtp password password
    Sets a VTP password
Switch(config)#vtp pruning
    Enables VTP pruning in the domain

Note: The mode and domain-name commands shown can also be combined into one command: vtp domain switchlab transparent
Note: On most Cisco IOS releases the global configuration form is vtp mode server; vtp server is the VLAN database mode (Switch(vlan)#) form of the same command.
Note: The password is folded into the MD5 digest that every advertisement carries. Without one, any device that can reach a trunk and send VTP frames with the right domain name and a higher revision number can rewrite the VLAN database of the whole domain.
Configuring a VTP Server
Switch#configure terminal
Switch(config)#vtp server
Setting device to VTP SERVER mode.
Switch(config)#vtp domain Lab_Network
Setting VTP domain name to Lab_Network
Switch(config)#end
Verifying the VTP Configuration
Switch#show vtp status
VTP Version                     : 2
Configuration Revision          : 247
Maximum VLANs supported locally : 1005
Number of existing VLANs        : 33
VTP Operating Mode              : Client
VTP Domain Name                 : Lab_Network
VTP Pruning Mode                : Enabled
VTP V2 Mode                     : Disabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0x45 0x52 0xB6 0xFD 0x63 0xC8 0x49 0x80
Configuration last modified by 0.0.0.0 at 8-12-99 15:04:49
Switch#

Note: Configuration Revision is the value to compare before connecting a switch to the domain, and the MD5 digest should be identical on every switch in the domain; a differing digest means that switch is not in sync.
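An added Python check, not part of the course, for the caution about adding a switch to an existing VTP domain: it parses show vtp status captures in the layout above, one per existing switch and one for the candidate, and reports when the candidate's configuration revision would win over the domain's, when its domain name would make it deaf to advertisements, or when it would join as a second server. The captures, hostnames, revision numbers and digests are constructed.

```python
# Constructed `show vtp status` captures in the layout of the real command; not from real devices.
EXISTING_SWITCHES = {
    "core-1": """\
VTP Version                     : 2
Configuration Revision          : 247
Maximum VLANs supported locally : 1005
Number of existing VLANs        : 33
VTP Operating Mode              : Server
VTP Domain Name                 : Lab_Network
VTP Pruning Mode                : Enabled
VTP V2 Mode                     : Disabled
MD5 digest                      : 0x45 0x52 0xB6 0xFD 0x63 0xC8 0x49 0x80
""",
    "access-1": """\
VTP Version                     : 2
Configuration Revision          : 247
Maximum VLANs supported locally : 1005
Number of existing VLANs        : 33
VTP Operating Mode              : Client
VTP Domain Name                 : Lab_Network
VTP Pruning Mode                : Enabled
VTP V2 Mode                     : Disabled
MD5 digest                      : 0x45 0x52 0xB6 0xFD 0x63 0xC8 0x49 0x80
""",
}

# Candidate 1: a switch moved from another closet, client mode, same domain name, higher revision.
STALE_CLIENT = """\
VTP Version                     : 2
Configuration Revision          : 312
Maximum VLANs supported locally : 1005
Number of existing VLANs        : 5
VTP Operating Mode              : Client
VTP Domain Name                 : Lab_Network
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Disabled
MD5 digest                      : 0x1A 0x2B 0x3C 0x4D 0x5E 0x6F 0x70 0x81
"""

# Candidate 2: the same switch after `vtp mode transparent`; its database stays local.
TRANSPARENT = STALE_CLIENT.replace("Client", "Transparent")

# Candidate 3: factory default, server mode, revision 0, no domain name yet.
FACTORY = """\
VTP Version                     : 2
Configuration Revision          : 0
Maximum VLANs supported locally : 1005
Number of existing VLANs        : 5
VTP Operating Mode              : Server
VTP Domain Name                 :
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Disabled
MD5 digest                      : 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
"""


def parse_vtp_status(text):
    """Pull the fields the safety check needs out of one capture."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return {
        "revision": int(fields["Configuration Revision"]),
        "mode": fields["VTP Operating Mode"].lower(),
        "domain": fields["VTP Domain Name"],
        "digest": fields["MD5 digest"],
    }


def check_new_switch(candidate_text, existing_texts):
    """Reasons the candidate must not be trunked into the domain as it stands (empty list = go ahead)."""
    existing = [parse_vtp_status(t) for t in existing_texts.values()]
    new = parse_vtp_status(candidate_text)
    domain = existing[0]["domain"]
    current = max(s["revision"] for s in existing)
    findings = []
    if len({s["digest"] for s in existing}) > 1:
        findings.append("existing switches disagree on the MD5 digest: the domain is already out of sync")
    if new["mode"] == "transparent":
        return findings  # keeps its own database and never overwrites the domain's
    if new["domain"] == domain and new["revision"] > current:
        findings.append(
            "revision %d > domain revision %d: its VLAN database would replace the domain's "
            "(client mode does not prevent this); reset the revision by changing the domain name "
            "or by setting transparent mode and back" % (new["revision"], current))
    elif new["domain"] not in ("", domain):
        findings.append("domain name %r differs from %r: VTP advertisements would be ignored"
                        % (new["domain"], domain))
    if new["mode"] == "server":
        findings.append("server mode: bring a new switch in as a client")
    return findings
```

On the constructed captures the stale client is blocked for its revision of 312 against the domain's 247, the transparent copy of the same switch passes, and the factory-default switch is flagged only for arriving in server mode (it has no domain name yet, so it will inherit the domain's name and revision rather than impose its own).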
Tomorrow's Topics : Spanning Tree Protocol (STP) Rapid Spanning Tree Protocol (RSTP) Multiple Spanning Tree Protocol (MSTP)