Published by Maude Conley. Modified over 6 years ago.
1
CIS 82 Routing and Switching Essentials Chapter 6 VLANs
CIS 82 Routing Protocols and Concepts Rick Graziani Cabrillo College Spring 2018
2
Chapter 6: Objectives
Explain the purpose of VLANs in a switched network.
Analyze how a switch forwards frames based on VLAN configuration in a multi-switched environment.
Configure a switch port to be assigned to a VLAN based on requirements.
Configure a trunk port on a LAN switch.
Configure Dynamic Trunk Protocol (DTP).
Troubleshoot VLAN and trunk configurations in a switched network.
Configure security features to mitigate attacks in a VLAN-segmented environment.
Explain security best practices for a VLAN-segmented environment.
3
VLAN Segmentation
4
It’s all about the IP Address
Rick (Santa Cruz, Ca) to Emmalia (Santa Cruz, Ca): "Emmalia, you are in my neighborhood, so I can take the letter to you myself!"
Rick (Santa Cruz, Ca) to Lucia (Capitola, Ca): "Lucia, I see by your address that you are somewhere else, so I have to take your letter to the Post Office."
Even if two houses are on the same street, you only know the address, so you must take the letter to the local post office.
5
Understanding IP communications
Topology: A (MAC aa.aa) and B (MAC bb.bb), both on the same /24 subnet.
Frame from A to B: Destination Address bb.bb, Source Address aa.aa, Type IP, DA, FCS.
Devices can only communicate directly with other devices on the same subnet.
A knows that it is on the /24 subnet (AND operation with its IP address and subnet mask). (Same subnet = same subnet mask.)
A knows that B ( ) is on its same subnet (AND operation with B's IP address and A's subnet mask).
SAME subnet: A can reach B directly without going through a router.
6
Understanding IP communications
Topology: A (MAC aa.aa) on one /24 subnet, C (MAC cc.cc) on a different /24 subnet.
Frame fields: Destination Address, Source Address, Type IP, DA, FCS.
Devices can only communicate directly with other devices on the same subnet.
A knows that it is on the /24 subnet (AND operation with its IP address and subnet mask). (Same subnet = same subnet mask.)
A knows that C ( ) is on a different subnet (AND operation with C's IP address and A's subnet mask). Can't get there directly!
DIFFERENT subnets: A can NOT reach C directly. It must go through a router.
7
The router will take care of it from there.
Topology: A (MAC aa.aa) on one /24 subnet; router interfaces MAC 11.11 (A's subnet) and MAC 22.22 (C's subnet); C (MAC cc.cc) on the other /24 subnet.
Frame from A to the router: Destination Address 11.11, Source Address aa.aa, Type IP, DA, FCS.
Frame from the router to C: Destination Address cc.cc, Source Address 22.22, Type IP, DA, FCS.
A sends packets for devices in a DIFFERENT subnet directly to a router that is on the same subnet as A. The router will take care of it from there.
DIFFERENT subnets: A can NOT reach C directly. It must go through a router.
8
Understanding IP communications
Hosts A, B and C. Devices can only communicate directly with other devices on the same subnet. Otherwise, they must go through a router that is on their same subnet.
9
Definition: VLAN “A VLAN is a virtual LAN that logically segments switched networks based on functions, project teams, or applications of the organization regardless of the physical location or connections to the network.”
10
ALWAYS DO THE FOLLOWING TO CLEAR A SWITCH!!
S1# delete vlan.dat
Delete filename [vlan.dat]?
Delete flash:/vlan.dat? [confirm]
S1# erase startup-config
Erasing the nvram filesystem will remove all configuration files! Continue? [confirm]
[OK]
Erase of nvram: complete
%SYS-7-NV_BLOCK_INIT: Initialized the geometry of nvram
S1# reload
Proceed with reload? [confirm]
11
Default VLAN Assignment
Default: All ports in the same VLAN (subnet)
Switch# show vlan
VLAN Name    Status  Ports
1    default active  Fa0/1, Fa0/2, Fa0/3, Fa0/4
                     Fa0/5, Fa0/6, Fa0/7, Fa0/8
                     Fa0/9, Fa0/10, Fa0/11, Fa0/12
                     Fa0/13, Fa0/14, Fa0/15, Fa0/16
                     Fa0/17, Fa0/18, Fa0/19, Fa0/20
                     Fa0/21, Fa0/22, Fa0/23, Fa0/24
                     Gig0/1, Gig0/2
<output omitted>
12
Default VLAN Assignment
Default: All ports in the same VLAN. Hosts A, B, C and D; A sends an ARP Request broadcast.
Hosts can communicate with each other because they are on the same IP subnet and their switch ports are on the same VLAN (subnet).
Can A, B, C and D ping each other?
If A did an ARP request for B, who would see this Ethernet broadcast?
13
VLAN Definitions
A VLAN is a logical partition of a Layer 2 network.
Multiple partitions can be created, allowing multiple VLANs to co-exist.
Each VLAN is a broadcast domain, usually with its own IP network.
VLANs are mutually isolated and packets can only pass between them via a router.
The partitioning of the Layer 2 network takes place inside a Layer 2 device, usually a switch.
The hosts grouped within a VLAN are unaware of the VLAN's existence.
14
With a single VLAN ("no VLANs")
Hosts A (MAC aa.aa), B (MAC bb.bb), C (MAC cc.cc) and D (MAC dd.dd) on one switch.
You can do this, but devices can only communicate with each other if they are on the same IP subnet... unless you have a ROUTER (coming).
Who can A ping? B ping? C ping? D ping?
15
A single VLAN (“no VLANs”) means no segmentation
Hosts A (MAC aa.aa), B (MAC bb.bb), C (MAC cc.cc) and D (MAC dd.dd); an ARP Request broadcast reaches every port: wasted bandwidth.
Who can A ping? B ping? C ping? D ping?
If A did an ARP request for B, who would see this Ethernet broadcast?
If C did an ARP request for D, who would see this Ethernet broadcast?
Remember: ARP requests are only sent when the source IP address and the destination IP address are on the SAME SUBNET.
16
A single VLAN (“no VLANs”) means no segmentation
Hosts A, B, C and D; ARP Request broadcast.
Who can A ping? B ping? C ping? D ping?
If A did an ARP request for B, who would see this Ethernet broadcast?
If C did an ARP request for D, who would see this Ethernet broadcast?
Remember: ARP requests are only sent when the source IP address and the destination IP address are on the SAME SUBNET.
17
VLANs and IP Addresses/Masks
VLANs are configured on the switch port.
IP addresses and subnet masks are configured on the devices that connect to the switch ports.
The VLAN on the switch port must match the IP network address of the device.
18
VLANs are configured on the switch port
Ports for A (MAC aa.aa) and B (MAC bb.bb) configured for VLAN 10; ports for C (MAC cc.cc) and D (MAC dd.dd) configured for VLAN 20.
VLANs are configured on the switch port.
IP addresses and subnet masks are configured on the devices that connect to the switch ports.
The VLAN on the switch port must match the IP network address of the device.
19
BEFORE (DEFAULT CONFIGURATION)
Default: All ports in the same VLAN (subnet)
Switch# show vlan
VLAN Name    Status  Ports
1    default active  Fa0/1, Fa0/2, Fa0/3, Fa0/4
                     Fa0/5, Fa0/6, Fa0/7, Fa0/8
                     Fa0/9, Fa0/10, Fa0/11, Fa0/12
                     Fa0/13, Fa0/14, Fa0/15, Fa0/16
                     Fa0/17, Fa0/18, Fa0/19, Fa0/20
                     Fa0/21, Fa0/22, Fa0/23, Fa0/24
                     Gig0/1, Gig0/2
20
AFTER CONFIGURATION
Hosts A, B, C, D; A is 192.168.10.10 255.255.255.0, B is 192.168.10.11.
Switch# show vlan
VLAN Name Status  Ports
          active  Fa0/1, Fa0/2, Fa0/3, Fa0/4
                  Fa0/5, Fa0/6, Fa0/7, Fa0/8
                  Fa0/9, Fa0/10, Fa0/11, Fa0/12, Gig0/1
          active  Fa0/13, Fa0/14, Fa0/15, Fa0/16
                  Fa0/17, Fa0/18, Fa0/19, Fa0/20
                  Fa0/21, Fa0/22, Fa0/23, Fa0/24, Gig0/2
21
VLANs give proper segmentation – Like having separate switches
VLANs do not have to be configured contiguously on the switch.
Hosts A, B, C and D; the ARP Request broadcasts from A and from C each stay within their own VLAN.
VLANs segment a switch into different VLANs or subnets. Think of it like having separate switches.
Who can A ping? B ping? C ping? D ping?
If A did an ARP request for B, who would see this Ethernet broadcast?
If C did an ARP request for D, who would see this Ethernet broadcast?
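The "Who can A ping?" and "Who sees the ARP broadcast?" questions on the last few slides come down to two checks: the subnet AND test and the port-to-VLAN assignment. The model below is an added example, not part of the slides; host names and ports are constructed, A and B use the addresses from the "after configuration" slide, and C and D are given constructed 192.168.20.x addresses.

```python
# Added example (not from the slides): a small model of one switch that answers the
# "Who can A ping?" and "Who sees the ARP broadcast?" questions.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Host:
    name: str
    ip: str        # IPv4 address configured on the host
    mask_len: int  # prefix length of the host's subnet mask, e.g. 24 for 255.255.255.0
    port: str      # switch port the host is plugged into, e.g. "Fa0/2"


def same_subnet(a: Host, b: Host) -> bool:
    """The AND test from the slides: A ANDs its own mask with its IP and with B's IP.
    Equal results mean A considers B to be on its subnet."""
    mask = (0xFFFFFFFF << (32 - a.mask_len)) & 0xFFFFFFFF
    a_net = int(ipaddress.IPv4Address(a.ip)) & mask
    b_net = int(ipaddress.IPv4Address(b.ip)) & mask
    return a_net == b_net


class Switch:
    """Port-to-VLAN assignments; any port not explicitly configured is in VLAN 1."""

    def __init__(self, port_vlans=None):
        self.port_vlans = dict(port_vlans or {})

    def vlan_of(self, port: str) -> int:
        return self.port_vlans.get(port, 1)

    def arp_receivers(self, sender: Host, hosts) -> list:
        """An ARP request is a Layer 2 broadcast: it reaches every port in the sender's
        VLAN, whatever IP subnet those hosts happen to use."""
        vlan = self.vlan_of(sender.port)
        return sorted(h.name for h in hosts if h != sender and self.vlan_of(h.port) == vlan)

    def can_ping_directly(self, a: Host, b: Host) -> bool:
        """Without a router, two hosts can talk only if they share a subnet AND a VLAN."""
        return same_subnet(a, b) and self.vlan_of(a.port) == self.vlan_of(b.port)


# Constructed hosts (C and D addresses are assumed, matching the slides' second subnet).
HOSTS = [
    Host("A", "192.168.10.10", 24, "Fa0/2"),
    Host("B", "192.168.10.11", 24, "Fa0/3"),
    Host("C", "192.168.20.12", 24, "Fa0/14"),
    Host("D", "192.168.20.13", 24, "Fa0/15"),
]

# Default switch: every port in VLAN 1.
DEFAULT_SWITCH = Switch()

# After configuration: Fa0/1-10 in VLAN 10 (HR), Fa0/13-22 in VLAN 20 (SALES).
SEGMENTED_SWITCH = Switch(
    {**{f"Fa0/{n}": 10 for n in range(1, 11)}, **{f"Fa0/{n}": 20 for n in range(13, 23)}}
)


def reachability(switch: Switch, hosts=HOSTS) -> dict:
    """For each host: who receives its ARP broadcast and who it can ping without a router."""
    return {
        h.name: {
            "sees_arp": switch.arp_receivers(h, hosts),
            "pings": sorted(o.name for o in hosts if o != h and switch.can_ping_directly(h, o)),
        }
        for h in hosts
    }


if __name__ == "__main__":
    for label, sw in (("default (one VLAN)", DEFAULT_SWITCH), ("segmented", SEGMENTED_SWITCH)):
        print(label, reachability(sw))
```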
22
Router and subnets/VLANs
Hosts A (MAC aa.aa), B (MAC bb.bb), C (MAC cc.cc) and D (MAC dd.dd). A router is required to connect (route) between subnets/VLANs.
23
Router interfaces MAC 11.11 and MAC 22.22; hosts A (MAC aa.aa), B (MAC bb.bb), C (MAC cc.cc), D (MAC dd.dd). PCA> ping
A router is required to connect (route) between subnets/VLANs.
In this example, a single router with two IP addresses, one on each subnet, is connected to the switch. Each of the router's interfaces is connected to a switch port in the VLAN that matches its IP subnet. (Just like the host computers!)
24
A does an ARP Request for 192.168.10.1 (Default gateway).
Router interfaces MAC 11.11 and MAC 22.22; hosts A (MAC aa.aa), B (MAC bb.bb), C (MAC cc.cc), D (MAC dd.dd). PCA> ping
A's ARP Cache: <-> 11.11
A does an ARP Request for (Default gateway). A gets the ARP Reply and adds the MAC and IP to its ARP cache.
25
A sends Ethernet frame to default gateway, the router
Router interfaces MAC 11.11 and MAC 22.22; hosts A (MAC aa.aa), B (MAC bb.bb), C (MAC cc.cc), D (MAC dd.dd). PCA> ping
Frame: Destination Address 11.11, Source Address aa.aa, Type IP (ICMP), DA, FCS.
A sends the Ethernet frame to its default gateway, the router.
26
Router does an ARP Request for 192.168.20.12 (Destination IP).
Router's ARP Cache: <-> cc.cc
Router interfaces MAC 11.11 and MAC 22.22; hosts A (MAC aa.aa), B (MAC bb.bb), C (MAC cc.cc), D (MAC dd.dd). PCA> ping
The router does an ARP Request for (Destination IP). The router gets the ARP Reply and adds the MAC and IP to its ARP cache.
27
Router sends Ethernet frame to final destination, PC-C
Router interfaces MAC 11.11 and MAC 22.22; hosts A (MAC aa.aa), B (MAC bb.bb), C (MAC cc.cc), D (MAC dd.dd). PCA> ping
Frame: Destination Address cc.cc, Source Address 22.22, Type IP (ICMP), DA, FCS.
The router sends the Ethernet frame to the final destination, PC-C.
28
Router interfaces MAC 11.11 and MAC 22.22; hosts A (MAC aa.aa), B (MAC bb.bb), C (MAC cc.cc), D (MAC dd.dd). PCA> ping .!!!!
Reply from C to the router: Destination Address 22.22, Source Address cc.cc, Type IP (ICMP), DA, FCS.
Reply from the router to A: Destination Address aa.aa, Source Address 11.11, Type IP (ICMP), DA, FCS.
29
Benefits of VLANs
Security: Improved by isolating user access to sensitive data and applications.
Cost reduction: Reduces the need for expensive network upgrades and makes more efficient use of existing bandwidth and uplinks.
Smaller broadcast domains: Divides a network into smaller logical networks, resulting in lower susceptibility to broadcast storms.
Better performance: Divides the flat Layer 2 network into multiple broadcast domains, reducing unnecessary traffic on the network and boosting performance.
Improved IT staff efficiency: Makes the network easier to manage.
Notes: User productivity and network adaptability are key drivers for business growth and success. Implementing VLAN technology enables a network to more flexibly support business goals. The primary benefits of using VLANs are as follows:
Security - Groups that have sensitive data are separated from the rest of the network, decreasing the chances of confidential information breaches. Faculty computers are on VLAN 10 and completely separated from student and guest data traffic.
Cost reduction -
Broadcast storm mitigation - Dividing a network into VLANs reduces the number of devices that may participate in a broadcast storm. As discussed in the "Configure a Switch" chapter, LAN segmentation prevents a broadcast storm from propagating to the whole network. In the figure you can see that although there are six computers on this network, there are only three broadcast domains: Faculty, Student, and Guest.
Improved IT staff efficiency - VLANs make it easier to manage the network because users with similar network requirements share the same VLAN. When you provision a new switch, all the policies and procedures already configured for the particular VLAN are implemented when the ports are assigned. It is also easy for the IT staff to identify the function of a VLAN by giving it an appropriate name. In the figure, for easy identification VLAN 20 has been named "Student", VLAN 10 could be named "Faculty", and VLAN 30 "Guest."
Simpler project or application management - VLANs aggregate users and network devices to support business or geographic requirements. Having separate functions makes managing a project or working with a specialized application easier, for example, an e-learning development platform for faculty. It is also easier to determine the scope of the effects of upgrading network services.
30
How many VLANs can you configure on a switch?
It depends on the switch, its capabilities, and what you require.
31
Default VLAN Assignment
Switch# show vlan
VLAN Name               Status    Ports
1    default            active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                  Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                  Fa0/9, Fa0/10, Fa0/11, Fa0/12
                                  Fa0/13, Fa0/14, Fa0/15, Fa0/16
                                  Fa0/17, Fa0/18, Fa0/19, Fa0/20
                                  Fa0/21, Fa0/22, Fa0/23, Fa0/24
                                  Gig0/1, Gig0/2
1002 fddi-default       act/unsup
1003 token-ring-default act/unsup
1004 fddinet-default    act/unsup
1005 trnet-default      act/unsup
VLAN Type  SAID MTU Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
1    enet
1002 fddi
1003 tr
1004 fdnet                               ieee
1005 trnet                               ibm
Switch#
32
Normal Range VLANs
Switch# show vlan
VLAN Name               Status    Ports
1    default            active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                  Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                  Fa0/9, Fa0/10, Fa0/11, Fa0/12
                                  Fa0/13, Fa0/14, Fa0/15, Fa0/16
                                  Fa0/17, Fa0/18, Fa0/19, Fa0/20
                                  Fa0/21, Fa0/22, Fa0/23, Fa0/24
                                  Gig0/1, Gig0/2
1002 fddi-default       act/unsup
1003 token-ring-default act/unsup
1004 fddinet-default    act/unsup
1005 trnet-default      act/unsup
Used in small- and medium-sized business and enterprise networks.
VLAN Range: 1 - 1005
Reserved VLANs: VLANs 1, 1002 - 1005 (1002 - 1005 are reserved for Token Ring and FDDI; VLAN 1 can't be deleted)
Configurations stored in vlan.dat in flash memory.
Note: VLAN Trunking Protocol (VTP) can manage normal range VLANs.
33
Extended Range VLANs (more on VTP in Chapter 4)
Used in Service Provider networks (great number of customers) or large, global enterprises.
VLAN Range:
Support fewer VLAN features than normal range VLANs.
Saved in the running configuration file.
34
It can support up to 255 normal range and extended range VLANs.
35
Types of VLANs
Default VLAN (VLAN 1 by default)
Native VLAN (VLAN 1 by default): Used for untagged traffic (later)
User VLANs: Each IP subnet is a separate VLAN
Management VLAN: VLAN used to connect to infrastructure devices such as switches
Voice VLAN: VLAN used to connect IP phones
Guest VLAN: To connect guests and others who do not have access to internal resources, perhaps Internet access only
Garbage VLAN: For unused ports not yet configured for a specific VLAN
36
User VLAN examples (VLAN = Subnet)
Business VLANs: IT VLAN, HR VLAN, Sales VLAN
College: Student VLAN, Faculty VLAN, Guest VLAN
37
Default VLAN: VLAN 1 is both the Default VLAN and the Native VLAN.
Native VLAN traffic is untagged (if trunking, there is no 802.1Q or ISL encapsulation): CDP, VTP, PAgP, LACP, DTP, BPDUs.
By default all traffic is carried across VLAN 1. By default all ports are on VLAN 1.
VLAN 1 is:
The default VLAN (all user traffic).
The native VLAN: no trunking encapsulation even if the port is configured as a trunk (coming).
All Layer 2 control traffic (e.g., DTP, VTP, STP BPDUs, PAgP, LACP, CDP, etc.) is associated with VLAN 1.
38
Default VLAN 1
S1# show vlan
VLAN Name    Status  Ports
1    default active  Fa0/1, Fa0/2, Fa0/3, Fa0/4
                     Fa0/5, Fa0/6, Fa0/7, Fa0/8
                     Fa0/9, Fa0/10, Fa0/11, Fa0/12
                     Fa0/13, Fa0/14, Fa0/15, Fa0/16
                     Fa0/17, Fa0/18, Fa0/19, Fa0/20
                     Fa0/21, Fa0/22, Fa0/23, Fa0/24
                     Gi0/1, Gi0/2
VLAN 1 cannot be deleted.
Security best practice: avoid using VLAN 1 for anything other than the control traffic that must be on VLAN 1. In other words, create additional VLANs.
39
User or Data VLANs
Hosts A (MAC aa.aa) and B (MAC bb.bb) in the HR Department VLAN; C (MAC cc.cc) and D (MAC dd.dd) in the Sales Department VLAN.
These are the VLANs used for the different user VLANs/subnets, i.e. for user data traffic.
What about the ports not in the Red or Blue VLAN? They are still in VLAN 1 (the default VLAN). We will change them to the Voice (VoIP) VLAN later.
40
Creating Static User VLANs
S1# configure terminal
S1(config)# vlan 10
S1(config-vlan)# name HR                        ! VLAN name is optional
S1(config-vlan)# exit
S1(config)# interface fastethernet 0/2
S1(config-if)# switchport mode access           ! Single host attached, not another switch (trunk)... later
S1(config-if)# switchport access vlan 10        ! VLAN 10 assigned to the port
S1(config-if)# end
S1#
Ports on a switch are manually assigned (CLI) to a VLAN. If you assign an interface to a VLAN that does not exist, the new VLAN is created for you.
Note: Dynamic VLANs can be configured using a special server called a VLAN Membership Policy Server (VMPS). Beyond the scope of this course.
41
Configuring a Range of Ports
S1(config)# interface range fastethernet 0/1 - 10
S1(config-if-range)# switchport mode access
S1(config-if-range)# switchport access vlan 10
S1(config-if-range)# exit
S1(config)# interface gigabitethernet 0/1
S1(config-if)# switchport mode access
S1(config-if)# switchport access vlan 10
S1(config-if)# end
S1#
42
Configuring a Range of Ports
S1(config)# vlan 20
S1(config-vlan)# name SALES
S1(config-vlan)# exit
S1(config)# interface range fastethernet 0/
S1(config-if-range)# switchport mode access
S1(config-if-range)# switchport access vlan 20
S1(config-if-range)# exit
S1(config)# interface gigabitethernet 0/2
S1(config-if)# switchport mode access
S1(config-if)# switchport access vlan 20
S1(config-if)# end
S1#
43
Configuring a Range of Ports
S1# show vlan
VLAN Name    Status  Ports
1    default active  Fa0/11, Fa0/12, Fa0/23, Fa0/24
10   HR      active  Fa0/1, Fa0/2, Fa0/3, Fa0/4
                     Fa0/5, Fa0/6, Fa0/7, Fa0/8
                     Fa0/9, Fa0/10, Gi0/1
20   SALES   active  Fa0/13, Fa0/14, Fa0/15, Fa0/16
                     Fa0/17, Fa0/18, Fa0/19, Fa0/20
                     Fa0/21, Fa0/22, Gi0/2
44
Verifying VLAN Port Parameters
S1# show interface fa 0/1 switchport
Name: Fa0/1
Switchport: Enabled
Administrative Mode: static access
Operational Mode: down
Administrative Trunking Encapsulation: dot1q
Negotiation of Trunking: Off
Access Mode VLAN: 10 (HR)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
<some output omitted>
S1#
45
Verifying VLAN Port Parameters
S1# show interface fa 0/11 switchport
Name: Fa0/11
Switchport: Enabled
Administrative Mode: dynamic auto
Operational Mode: down
Administrative Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
46
Verifying VLANs
S1# show vlan brief
VLAN Name               Status    Ports
1    default            active    Fa0/11, Fa0/12, Fa0/23, Fa0/24
10   HR                 active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                  Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                  Fa0/9, Fa0/10, Gi0/1
20   SALES              active    Fa0/13, Fa0/14, Fa0/15, Fa0/16
                                  Fa0/17, Fa0/18, Fa0/19, Fa0/20
                                  Fa0/21, Fa0/22, Gi0/2
1002 fddi-default       act/unsup
1003 token-ring-default act/unsup
1004 fddinet-default    act/unsup
1005 trnet-default      act/unsup
S1#
47
Verifying VLANs
S1# show vlan id 10
VLAN Name  Status  Ports
10   HR    active  Fa0/1, Fa0/2, Fa0/3, Fa0/4
                   Fa0/5, Fa0/6, Fa0/7, Fa0/8
                   Fa0/9, Fa0/10, Gi0/1
<output omitted>
S1# show vlan name SALES
20   SALES active  Fa0/13, Fa0/14, Fa0/15, Fa0/16
                   Fa0/17, Fa0/18, Fa0/19, Fa0/20
                   Fa0/21, Fa0/22, Gi0/2
S1#
48
Verifying VLANs
S1(config)# vlan 444
S1(config-vlan)# end
S1# show vlan
VLAN Name    Status  Ports
1    default active  Fa0/11, Fa0/12, Fa0/23, Fa0/24
10   HR      active  Fa0/1, Fa0/2, Fa0/3, Fa0/4
                     Fa0/5, Fa0/6, Fa0/7, Fa0/8
                     Fa0/9, Fa0/10, Gi0/1
20   SALES   active  Fa0/13, Fa0/14, Fa0/15, Fa0/16
                     Fa0/17, Fa0/18, Fa0/19, Fa0/20
                     Fa0/21, Fa0/22, Gi0/2
444  VLAN    active
<output omitted>
S1# conf t
S1(config)# no vlan 444
S1(config)# end
S1# show vlan id 444
VLAN id 444 not found in current VLAN database
S1#
49
Management VLAN 1 (SSH to the switch over VLAN 1)
S1(config)# inter vlan 1
S1(config-if)# description Management VLAN
S1(config-if)# ip address
S1(config-if)# no shutdown
A switch can be managed via HTTP, Telnet, SSH, or SNMP.
A management VLAN is used to manage the infrastructure devices, including switches, routers, APs, etc.
Security best practice is to change the management VLAN to a VLAN other than VLAN 1. We will discuss this later, because we will need to route to the management VLAN.
50
Native VLAN A native VLAN is assigned to an IEEE 802.1Q trunk port (later). Incoming traffic can be tagged (VLAN) or untagged traffic. Native VLANs are set out in the IEEE 802.1Q specification to maintain backward compatibility with untagged traffic. Security best practice is to change the native VLAN to a VLAN other than VLAN 1. We will come back to this later…
51
Voice VLAN
VoIP traffic requires:
Assured bandwidth to ensure voice quality.
Transmission priority over other types of network traffic.
Ability to be routed around congested areas on the network.
Delay of less than 150 milliseconds (ms) across the network.
Security best practice is that voice traffic must be placed in a separate VLAN.
52
Power over Ethernet
A Cisco IP Phone, like other devices, requires power to operate. Power can come from one of two sources:
An external AC adapter
Power over Ethernet (DC) using the network data cable
53
External Adapters
External adapters are also known as wall warts.
Disadvantage for IP phones: if the power fails, the IP phone fails. Unlike the old days.
54
Power over Ethernet
Inline power or Power over Ethernet (PoE)
Advantages of PoE:
Power where power may not be easily found.
Managed.
Monitored.
Offered only to selected devices.
55
switchport voice vlan vvid (Recommended option)
Voice: tagged as vvid over a special 802.1Q trunk, with CoS in the 802.1p bits. Data: untagged, on the native VLAN.
Switch(config)# interface type mod/num
Switch(config-if)# switchport voice vlan vlan-id
Instructs the Cisco IP phone to forward all voice traffic through the specified VLAN. By default, the Cisco IP phone forwards the voice traffic with an 802.1Q priority of 5.
Creates a special 802.1Q trunk (a so-called trunk; later).
Negotiated by DTP and CDP (provisioning of the vvid).
CoS (Class of Service) in the 802.1p bits (later).
The vvid puts voice packets on the voice VLAN (the configured voice VLAN) and data packets on the native VLAN (VLAN 1 by default unless modified on the switch).
You can configure the data VLAN to be a VLAN other than the native or voice VLAN (coming).
56
Configuring Voice VLAN Operation
Voice: tagged as voice VLAN 100 over the 802.1Q trunk, CoS in the 802.1p bits. Data: tagged as VLAN 20 (instead of untagged on the native VLAN). Recommended option.
Switch(config)# interface FastEthernet0/24
Switch(config-if)# switchport voice vlan 100
Switch(config-if)# switchport access vlan 20
Portfast is automatically enabled with a voice VLAN.
Switch# show run interface FastEthernet0/24
 switchport voice vlan 100
 switchport access vlan 20
 spanning-tree portfast
More to come!
57
VLAN Trunks
VLAN 1: Default VLAN, control traffic (STP, DTP, VTP, CDP, ...)
VLAN 10: User VLAN, HR - /24
VLAN 20: User VLAN, Sales - /24
VLAN 100: Voice VLAN, VoIP - /24
VLAN 155: Management VLAN, Guests - /24
VLAN 199: Garbage/Guest VLAN, Garbage - /24
VLAN 200: Native VLAN, untagged traffic
A trunk is a point-to-point link that carries more than one VLAN. It extends VLANs across multiple switches.
Cisco supports the 802.1Q standard. Some older switches support legacy Cisco ISL.
58
Host A to host Z across a trunk: the TAG is added by the switch before the frame goes over the trunk link. The TAG is removed by the switch at the other end of the trunk link.
59
802.1Q tag fields:
Tag Protocol ID (TPID): for Ethernet it is 0x8100.
Priority: used for QoS (802.1p standard); specifies how to expedite transmission of Layer 2 frames.
Canonical Format Identifier (CFI): enables Token Ring frames to be carried across Ethernet links.
VLAN ID (VID): VLAN identification number that supports up to 4096 VLAN IDs.
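The tag layout above and the add-tag/remove-tag behaviour on the previous slide, written out as bytes. This is an added example, not code from the slides; the sample Ethernet frame is constructed.

```python
# Added example (not from the slides): building, parsing and stripping the 802.1Q tag the
# ingress switch inserts before a frame crosses a trunk and the egress switch removes.
import struct

TPID_8021Q = 0x8100  # Tag Protocol Identifier for 802.1Q on Ethernet


def build_tag(vid: int, priority: int = 0, cfi: int = 0) -> bytes:
    """Pack the 4-byte tag: TPID (16 bits), then TCI = PCP (3 bits) | CFI (1 bit) | VID (12 bits)."""
    if not 0 <= vid <= 4095:
        raise ValueError("VID is a 12-bit field")
    if not 0 <= priority <= 7:
        raise ValueError("802.1p priority is a 3-bit field")
    tci = (priority << 13) | ((cfi & 1) << 12) | vid
    return struct.pack("!HH", TPID_8021Q, tci)


def parse_tag(frame: bytes):
    """Return (priority, cfi, vid) if the frame is 802.1Q tagged, else None."""
    if len(frame) < 16:
        return None
    tpid, tci = struct.unpack("!HH", frame[12:16])
    if tpid != TPID_8021Q:
        return None
    return (tci >> 13) & 0x7, (tci >> 12) & 0x1, tci & 0xFFF


def tag_frame(frame: bytes, vid: int, priority: int = 0) -> bytes:
    """What the switch does before forwarding out a trunk: insert the tag between the
    source MAC (bytes 6-11) and the original EtherType."""
    if parse_tag(frame) is not None:
        raise ValueError("frame is already tagged")
    return frame[:12] + build_tag(vid, priority) + frame[12:]


def untag_frame(frame: bytes) -> bytes:
    """What the switch at the far end does before delivering to an access port: strip the tag."""
    if parse_tag(frame) is None:
        return frame
    return frame[:12] + frame[16:]


def vlan_on_trunk_ingress(frame: bytes, native_vlan: int) -> int:
    """A trunk assigns untagged frames to its native VLAN; tagged frames go to their VID."""
    tag = parse_tag(frame)
    return native_vlan if tag is None else tag[2]


# Constructed untagged frame: dst aa:aa:aa:aa:aa:aa, src bb:bb:bb:bb:bb:bb,
# EtherType 0x0800 (IPv4), dummy 46-byte payload.
SAMPLE_FRAME = (bytes.fromhex("aaaaaaaaaaaa") + bytes.fromhex("bbbbbbbbbbbb")
                + b"\x08\x00" + b"\x45" * 46)


if __name__ == "__main__":
    tagged = tag_frame(SAMPLE_FRAME, vid=10)
    print(tagged[12:16].hex(), parse_tag(tagged))          # 8100000a (0, 0, 10)
    voice = tag_frame(SAMPLE_FRAME, vid=100, priority=5)  # IP phone default priority
    print(parse_tag(voice))                               # (5, 0, 100)
    print(untag_frame(tagged) == SAMPLE_FRAME)            # True
```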
60
Native VLAN
The native VLAN is for devices that do not support tagging.
All trunks must have a native VLAN.
The native VLAN must be the same on both ends (both switches).
It can be modified to be a VLAN other than VLAN 1.
It should not be used for a user VLAN or the management VLAN.
Control traffic (CDP, VTP, PAgP, DTP) is still transmitted over VLAN 1. If the native VLAN is other than VLAN 1, then control traffic on VLAN 1 is sent tagged.
It is fine to leave VLAN 1 as the native VLAN, but it should only carry control traffic and not user or management traffic.
61
Inter-switching links: Default and Trunking
Default: all ports on both switches are in VLAN 1, and the inter-switch link carries only VLAN 1.
Trunking: a VLAN trunk between the switches carries VLANs 1, 10, 20, 100, 155, 200.
62
Configuring VLAN Trunks
Topology: S1 Fa0/1 <-> Fa0/1 S2; VLANs 10, 20 on each switch.
S1# show vlan brief
VLAN Name    Status  Ports
1    default active  Fa0/11, Fa0/12, Fa0/23, Fa0/24
10   HR      active  Fa0/1, Fa0/2, Fa0/3, Fa0/4
                     Fa0/5, Fa0/6, Fa0/7, Fa0/8
                     Fa0/9, Fa0/10, Gi0/1
20   SALES   active  Fa0/13, Fa0/14, Fa0/15, Fa0/16
                     Fa0/17, Fa0/18, Fa0/19, Fa0/20
                     Fa0/21, Fa0/22, Gi0/2
S2# show vlan brief
VLAN Name    Status  Ports
1    default active  Fa0/21, Fa0/22, Fa0/23, Fa0/24
                     Gi0/1, Gi0/2
10   VLAN    active  Fa0/1, Fa0/2, Fa0/3, Fa0/4
                     Fa0/5, Fa0/6, Fa0/7, Fa0/8
                     Fa0/9, Fa0/10
20   VLAN    active  Fa0/11, Fa0/12, Fa0/13, Fa0/14
                     Fa0/15, Fa0/16, Fa0/17, Fa0/18
                     Fa0/19, Fa0/20
63
Configuring VLAN Trunks
Topology: S1 Fa0/1 <-> Fa0/1 S2; VLANs 10, 20 on each switch.
S1(config)# inter fa 0/1
S1(config-if)# no switchport access vlan 10
S1(config-if)# switchport trunk encapsulation dot1q    ! Only needed on switches that also support ISL
S1(config-if)# switchport mode trunk
S1(config-if)#
S2(config)# inter fa 0/1
S2(config-if)# no switchport access vlan 10
S2(config-if)# switchport mode trunk
S2(config-if)#
Minimum configuration.
64
Configuring VLAN Trunks
Topology: S1 Fa0/1 <-> Fa0/1 S2; VLANs 10, 20 on each switch.
S1# show vlan
VLAN Name    Status  Ports
1    default active  Fa0/11, Fa0/12, Fa0/23, Fa0/24
10   HR      active  Fa0/2, Fa0/3, Fa0/4, Fa0/5
                     Fa0/6, Fa0/7, Fa0/8, Fa0/9
                     Fa0/10, Gi0/1
20   SALES   active  Fa0/13, Fa0/14, Fa0/15, Fa0/16
                     Fa0/17, Fa0/18, Fa0/19, Fa0/20
                     Fa0/21, Fa0/22, Gi0/2
No trunking information here. Fa0/1 is no longer included in VLAN 10.
65
Configuring VLAN Trunks
Topology: S1 Fa0/1 <-> Fa0/1 S2; VLANs 10, 20 on each switch.
S1# show interfaces trunk
Port   Mode   Encapsulation   Status     Native vlan
Fa0/   on     q               trunking
Port   Vlans allowed on trunk
Fa0/
Port   Vlans allowed and active in management domain
Fa0/   ,10,20
Port   Vlans in spanning tree forwarding state and not pruned
Fa0/   none
S1#
66
Configuring VLAN Trunks
Topology: S1 Fa0/1 <-> Fa0/1 S2; VLANs 10, 20 on each switch.
S2# show interfaces trunk
Port   Mode   Encapsulation   Status     Native vlan
Fa0/   on     q               trunking
Port   Vlans allowed on trunk
Fa0/
Port   Vlans allowed and active in management domain
Fa0/   ,10,20
Port   Vlans in spanning tree forwarding state and not pruned
S2#
67
Configuring the Native VLAN
Topology: S1 Fa0/1 <-> Fa0/1 S2; VLANs 10, 20 on each switch.
S1(config)# inter fa 0/1
S1(config-if)# switchport trunk native vlan 200
*Mar 1 01:59:34.927: %CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on FastEthernet0/1 (200), with S2 FastEthernet0/1 (1)
S1(config-if)#
On S2:
*Mar 1 02:00:39.267: %CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on FastEthernet0/1 (1), with S1 FastEthernet0/1 (200).
S2(config)# inter fa 0/1
S2(config-if)# switchport trunk native vlan 200
S2(config-if)#
VLAN 200 (the native VLAN) does not need to be created on either switch, but it must match on both ends of the trunk!
Control data (CDP, STP, etc.) is still sent across VLAN 1 but is now tagged.
68
Configuring the Native VLAN
Topology: S1 Fa0/1 <-> Fa0/1 S2; VLANs 10, 20 on each switch.
S1# show interfaces trunk
Port   Mode   Encapsulation   Status     Native vlan
Fa0/   on     q               trunking
Port   Vlans allowed on trunk
Fa0/
S2# show interfaces trunk
Port   Mode   Encapsulation   Status     Native vlan
Fa0/   on     q               trunking
Port   Vlans allowed on trunk
Fa0/
Happy native VLANs now! How about limiting which VLANs are allowed on the trunk?
69
Configuring Allowed VLANs
Topology: S1 Fa0/1 <-> Fa0/1 S2.
S1(config)# inter fa 0/1
S1(config-if)# switchport trunk allowed vlan 10,20,200
S2(config)# inter fa 0/1
S2(config-if)# switchport trunk allowed vlan 10,20,200
No space between VLANs.
If the native VLAN (200) is not on the list, it is not a problem: the trunk will simply not allow any data traffic for the native VLAN.
70
Configuring Allowed VLANs
Topology: S1 Fa0/1 <-> Fa0/1 S2.
S1# show interfaces trunk
Port   Mode   Encapsulation   Status     Native vlan
Fa0/   on     q               trunking
Port   Vlans allowed on trunk
Fa0/   ,20,200
S2# show interfaces trunk
Port   Mode   Encapsulation   Status     Native vlan
Fa0/   on     q               trunking
Port   Vlans allowed on trunk
Fa0/   ,20,200
71
What’s in the running-config?
Topology: S1 Fa0/1 <-> Fa0/1 S2; VLANs 10, 20 on each switch.
interface FastEthernet0/1                        ! Trunk link
 switchport trunk native vlan 200
 switchport trunk allowed vlan 10,20,200
 switchport mode trunk
!
interface FastEthernet0/2                        ! VLAN 10 access port
 switchport access vlan 10
 switchport mode access
!
interface FastEthernet0/3
<continued>
72
What’s in the running-config?
Topology: S1 Fa0/1 <-> Fa0/1 S2; VLANs 10, 20 on each switch.
!
interface FastEthernet0/11                       ! No configuration: default VLAN 1
!
interface FastEthernet0/12                       ! (Should be in the garbage, temporary VLAN if the port is not in use)
!
interface FastEthernet0/13                       ! VLAN 20 access port
 switchport access vlan 20
 switchport mode access
!
interface FastEthernet0/14
!
interface FastEthernet0/15
73
What’s in the running-config?
Topology: S1 Fa0/1 <-> Fa0/1 S2; VLANs 10, 20 on each switch.
!
interface Vlan1                                  ! SVI (Switched Virtual Interface): Management VLAN
 no ip address                                   ! No current IP address
 shutdown                                        ! Still in VLAN 1
74
Configuring Management VLAN
Topology: S1 Fa0/1 <-> Fa0/1 S2; VLANs 10, 20 on each switch; management VLAN 155, /24 on each switch.
S1(config)# interface vlan 155
S1(config-if)# ip address
S1(config-if)# no shutdown
S1(config-if)# exit
S1(config)# vlan 155
S1(config-vlan)# name MANAGEMENT
S1(config-vlan)#
S2(config)# interface vlan 155
S2(config-if)# ip add
S2(config-if)# no shutdown
S2(config-if)# exit
S2(config)# vlan 155
S2(config-vlan)# name MANAGMENT
S2(config-vlan)# end
S2# ping
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to , timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
???
75
Configuring Management VLAN
Topology: S1 Fa0/1 <-> Fa0/1 S2; VLANs 10, 20 on each switch; management VLAN 155, /24 on each switch.
S1(config)# inter fa 0/1
S1(config-if)# switchport trunk allowed vlan 10,20,200,155
S1(config)# inter fa 0/1
S1(config-if)# switchport trunk allowed vlan 10,20,200,155
S1(config-if)# end
S2# ping
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to , timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/9 ms
S2#
76
Verifying VLANs Once More
Topology: S1 Fa0/1 <-> Fa0/1 S2; VLANs 10, 20 on each switch; management VLAN 155, /24 on each switch.
S1# show vlan
VLAN Name       Status  Ports
1    default    active  Fa0/11, Fa0/12, Fa0/23, Fa0/24
10   HR         active  Fa0/2, Fa0/3, Fa0/4, Fa0/5
                        Fa0/6, Fa0/7, Fa0/8, Fa0/9
                        Fa0/10, Gi0/1
20   SALES      active  Fa0/13, Fa0/14, Fa0/15, Fa0/16
                        Fa0/17, Fa0/18, Fa0/19, Fa0/20
                        Fa0/21, Fa0/22, Gi0/2
     MANAGEMENT active
77
Verifying VLANs Once More
Topology: S1 Fa0/1 <-> Fa0/1 S2; VLANs 10, 20 on each switch; management VLAN 155, /24 on each switch.
S1# show interfaces trunk
Port   Mode   Encapsulation   Status     Native vlan
Fa0/   on     q               trunking
Port   Vlans allowed on trunk
Fa0/   ,20,155,200
S1# show interface vlan 155
Vlan155 is up, line protocol is up
  Hardware is EtherSVI, address is 189c.5dff.fac1 (bia 189c.5dff.fac1)
  Internet address is /24
  MTU 1500 bytes, BW Kbit, DLY 10 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive not supported
<output omitted>
78
Verifying VLANs Once More
Topology: S1 Fa0/1 <-> Fa0/1 S2; VLANs 10, 20 on each switch; management VLAN 155, /24 on each switch.
S1# show interface fa0/1 switchport
Name: Fa0/1
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 200 (Inactive)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
<output omitted>
Trunking VLANs Enabled: 10,20,155,200
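Two of the problems walked through on the trunk slides (the CDP native VLAN mismatch after changing only S1, and the management VLAN ping that failed until VLAN 155 was added to the allowed list) can be caught by comparing "show interfaces trunk" from both ends. The parser and checks below are an added example, not code from the slides; the sample outputs are constructed to match the slides' topology.

```python
# Added example (not from the slides): parse "show interfaces trunk" from both ends of a
# trunk and report a native VLAN mismatch and required VLANs missing from the allowed list.


def expand_vlans(spec: str) -> set:
    """'10,20,200' -> {10, 20, 200}; '1-4094' -> every VLAN in the range."""
    vlans = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = part.split("-", 1)
            vlans.update(range(int(lo), int(hi) + 1))
        else:
            vlans.add(int(part))
    return vlans


def parse_show_trunk(text: str) -> dict:
    """Return {port: {"mode", "encap", "status", "native", "allowed"}} from the command output."""
    ports, section = {}, None
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if fields[0] == "Port":            # a table header: decide which table follows
            if "Native" in line:
                section = "status"
            elif "allowed on trunk" in line:
                section = "allowed"
            else:
                section = None             # the two remaining tables are not needed here
            continue
        if section == "status" and len(fields) == 5:
            ports.setdefault(fields[0], {}).update(
                mode=fields[1], encap=fields[2], status=fields[3], native=int(fields[4]))
        elif section == "allowed" and len(fields) == 2:
            ports.setdefault(fields[0], {})["allowed"] = expand_vlans(fields[1])
    return ports


def check_trunk(local: dict, remote: dict, required_vlans) -> list:
    """Findings for one trunk, given the parsed entry for each end."""
    findings = []
    if local["native"] != remote["native"]:
        findings.append(f"native VLAN mismatch: {local['native']} vs {remote['native']}")
    for side, entry in (("local", local), ("remote", remote)):
        missing = sorted(set(required_vlans) - entry["allowed"])
        if missing:
            findings.append(f"{side}: required VLANs not allowed on trunk: {missing}")
    if local["allowed"] != remote["allowed"]:
        findings.append("allowed VLAN lists differ between the two ends")
    return findings


# Constructed: S1 already has native VLAN 200 and a restricted allowed list,
# S2 is still at its defaults (native VLAN 1, all VLANs allowed).
S1_BEFORE = """\
Port        Mode         Encapsulation  Status        Native vlan
Fa0/1       on           802.1q         trunking      200

Port        Vlans allowed on trunk
Fa0/1       10,20,200

Port        Vlans allowed and active in management domain
Fa0/1       10,20

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/1       none
"""

S2_BEFORE = """\
Port        Mode         Encapsulation  Status        Native vlan
Fa0/1       on           802.1q         trunking      1

Port        Vlans allowed on trunk
Fa0/1       1-4094
"""

# Constructed: both ends after the fixes on the slides (native 200, VLAN 155 allowed).
FIXED = """\
Port        Mode         Encapsulation  Status        Native vlan
Fa0/1       on           802.1q         trunking      200

Port        Vlans allowed on trunk
Fa0/1       10,20,155,200
"""


def audit(s1_text: str, s2_text: str, required_vlans=(10, 20, 155)) -> list:
    """Compare the Fa0/1 trunk as seen from S1 and S2."""
    s1, s2 = parse_show_trunk(s1_text), parse_show_trunk(s2_text)
    return check_trunk(s1["Fa0/1"], s2["Fa0/1"], required_vlans)


if __name__ == "__main__":
    print(audit(S1_BEFORE, S2_BEFORE))
    print(audit(FIXED, FIXED))   # []
```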
79
Dynamic Trunk Protocol
80
Switch Ethernet Port Type
Topology: S1 Fa0/1 <-> Fa0/1 S2; VLANs 10, 20 on each switch.
Switch Ethernet ports can be set to:
Access port: non-trunking port used to connect to end devices.
Trunking: trunking port used to carry VLAN information to another switch.
By default, Layer 2 switch ports want to trunk.
81
Access Port
S1(config-if)# switchport mode access
Forces the link into access mode. It will never become a trunk! Use it to connect a host, server, printer, ...
82
Dynamic Trunking Protocol - DTP
By default, Catalyst 2960 and Catalyst 3560 Series switches have Dynamic Trunking Protocol (DTP) enabled.
DTP is a Cisco proprietary protocol that negotiates trunking parameters between switches.
It operates on a point-to-point basis only, between network devices.
It is designed to make interconnecting switches with VLANs easier.
DTP is only available on Cisco switches and is not supported by other vendors.
83
Four DTP Trunking Modes
S1(config-if)# switchport mode ?
  access   Set trunking mode to ACCESS unconditionally
  dynamic  Set trunking mode to dynamically negotiate access or trunk mode
  trunk    Set trunking mode to TRUNK unconditionally
S1(config-if)# switchport mode dynamic ?
  auto       Set trunking mode dynamic negotiation parameter to AUTO
  desirable  Set trunking mode dynamic negotiation parameter to DESIRABLE
S1(config-if)# switchport mode dynamic
On: locked into TRUNK mode. switchport mode trunk
Dynamic Desirable (default mode on Catalyst 2950 / 3550): switchport mode dynamic desirable
Dynamic Auto (default mode on Catalyst 2960 / 3560): switchport mode dynamic auto
Disabled: Nonegotiate. Turns off DTP. switchport nonegotiate
84
Non-trunking by default
S2# show interfaces fastethernet 0/21 switchport Name: Fa0/21 Switchport: Enabled Administrative Mode: dynamic auto Operational Mode: static access Administrative Trunking Encapsulation: dot1q Operational Trunking Encapsulation: native Negotiation of Trunking: On Access Mode VLAN: 1 (default) Trunking Native Mode VLAN: 1 (default) Administrative Mode shows how the port was configured; Operational Mode shows how the port is actually operating. VLANs 10, 20 VLANs 10, 20 Fa0/1 Fa0/1 S1 S2 Dynamic auto Dynamic auto Ports on the 2960 and 3560 are set to dynamic auto by default. The link does not trunk if both sides are left at dynamic auto: neither side asks, so both interfaces stay in access mode (non-trunking), even though Negotiation of Trunking is still On and either side would trunk the moment a neighbor in trunk or desirable mode is connected.
85
Dynamic Trunking Protocol (DTP)
Dynamic Trunking Protocol (DTP) Access - Puts the interface into permanent non-trunking mode and negotiates to convert the link into a non-trunk link. The interface becomes a non-trunk interface even if the neighboring interface does not agree to the change. Trunk - Puts the interface into permanent trunking mode and negotiates to convert the link into a trunk link. The interface becomes a trunk interface even if the neighboring interface does not agree to the change. Nonegotiate - Puts the interface into permanent trunking mode but prevents the interface from generating DTP frames. You must configure the neighboring interface manually as a trunk interface to establish a trunk link. Use this mode when connecting to a device that does not support DTP. Dynamic desirable - Makes the interface actively attempt to convert the link to a trunk link. The interface becomes a trunk interface if the neighboring interface is set to trunk, desirable, or auto mode. Dynamic auto - Makes the interface willing to convert the link to a trunk link. The interface becomes a trunk interface if the neighboring interface is set to trunk or desirable mode. This is the default mode on Catalyst 2960 and 3560 Ethernet interfaces. All recent Cisco Catalyst switches, except for the Catalyst 2900XL and 3500XL, use a Cisco proprietary point-to-point protocol called Dynamic Trunking Protocol (DTP) to negotiate the trunking state. DTP negotiates the operational mode of directly connected switch ports and selects a trunking encapsulation. Negotiation can avoid mismatches during initial configuration, but once the design is stable the trunks should be set to trunk mode (with nonegotiate where the neighbor is known) and every other port to access mode, so that DTP cannot be used to bring up a trunk that was never intended. The default interface trunking mode is dynamic auto.
86
Trunk Modes Must be Compatible
87
DTP Mode: On S1(config-if) # switchport mode trunk
Forces the link into permanent trunking (even if the neighbor doesn't agree). Enables DTP and exchanges DTP frames. Will trunk if remote is configured with: On switchport mode trunk Desirable switchport mode dynamic desirable Dynamic Auto switchport mode dynamic auto Non-negotiate switchport mode trunk + switchport nonegotiate (the remote is a permanent trunk that simply ignores our DTP frames; both sides are trunks) Will not trunk if remote is configured with: Access switchport mode access (our side still operates as a trunk while the remote is an access port: a mismatch, not a working trunk)
88
DTP Dynamic Desirable S1(config-if) # switchport mode dynamic desirable Causes the port to proactively attempt to become a trunk. Enables DTP and exchanges DTP frames. Will trunk if remote is configured with: On switchport mode trunk Desirable switchport mode dynamic desirable Dynamic Auto switchport mode dynamic auto Will not trunk if remote is configured with: Non-negotiate switchport nonegotiate Access switchport mode access
89
DTP Dynamic Auto S1(config-if) # switchport mode dynamic auto
Causes the port to passively be willing to convert to trunking. Enables DTP and exchanges DTP frames. Will trunk if remote is configured with: On switchport mode trunk Desirable switchport mode dynamic desirable Will not trunk if remote is configured with: Dynamic Auto switchport mode dynamic auto Non-negotiate switchport nonegotiate Access switchport mode access
90
DTP Disabled S1(config-if) # switchport nonegotiate
Used together with switchport mode trunk, forces the port to permanently trunk. Disables DTP: the port neither sends nor answers DTP frames. Use to trunk with a different vendor's switch, or whenever the neighbor is itself hard-coded as a trunk. The nonegotiate command is only accepted on a port already in trunk or access mode, not on a port in either dynamic mode.
91
#1 - “Trunk ” or “No Trunk”
#1 - “Trunk ” or “No Trunk” S1(config)# interface fa0/1 S1(config-if)# switchport mode trunk F0/1 F0/1 S1 S2 S2(config)# interface fa0/1 S2(config-if)# switchport mode trunk Will the ports trunk automatically?
92
#2 - “Trunk ” or “No Trunk”
#2 - “Trunk ” or “No Trunk” S1(config)# interface fa0/1 S1(config-if)# switchport mode trunk F0/1 F0/1 S1 S2 S2(config)# interface fa0/1 S2(config-if)# switchport mode dynamic desirable Will the ports trunk automatically?
93
#3 - “Trunk ” or “No Trunk”
#3 - “Trunk ” or “No Trunk” S1(config)# interface fa0/1 S1(config-if)# switchport mode trunk F0/1 F0/1 S1 S2 S2(config)# interface fa0/1 S2(config-if)# switchport mode dynamic auto Will the ports trunk automatically?
94
#4 - “Trunk ” or “No Trunk”
#4 - “Trunk ” or “No Trunk” S1(config)# interface fa0/1 S1(config-if)# switchport mode trunk F0/1 F0/1 S1 S2 S2(config)# interface fa0/1 S2(config-if)# switchport nonegotiate Will the ports trunk automatically? Yes. Both ports are permanent trunks (nonegotiate applies to a port already in trunk mode, as on the DTP Disabled slide). S1 keeps sending DTP frames and S2 ignores them, but neither side depends on the answer, so the link carries tagged VLAN traffic.
95
#5 - “Trunk ” or “No Trunk”
#5 - “Trunk ” or “No Trunk” S1(config)# interface fa0/1 S1(config-if)# switchport mode dynamic desirable F0/1 F0/1 S1 S2 S2(config)# interface fa0/1 S2(config-if)# switchport mode trunk Will the ports trunk automatically?
96
#6 - “Trunk ” or “No Trunk”
#6 - “Trunk ” or “No Trunk” S1(config)# interface fa0/1 S1(config-if)# switchport mode dynamic desirable F0/1 F0/1 S1 S2 S2(config)# interface fa0/1 S2(config-if)# switchport mode dynamic desirable Will the ports trunk automatically?
97
#7 - “Trunk ” or “No Trunk”
#7 - “Trunk ” or “No Trunk” S1(config)# interface fa0/1 S1(config-if)# switchport mode dynamic desirable F0/1 F0/1 S1 S2 S2(config)# interface fa0/1 S2(config-if)# switchport mode dynamic auto Will the ports trunk automatically?
98
#8 - “Trunk ” or “No Trunk”
X #8 - “Trunk ” or “No Trunk” S1(config)# interface fa0/1 S1(config-if)# switchport mode dynamic desirable F0/1 F0/1 F0/1 S1 S2 S2(config)# interface fa0/1 S2(config-if)# switchport nonegotiate Will the ports trunk automatically?
99
#9 - “Trunk ” or “No Trunk”
#9 - “Trunk ” or “No Trunk” S1(config)# interface fa0/1 S1(config-if)# switchport mode dynamic auto F0/1 F0/1 S1 S2 S2(config)# interface fa0/1 S2(config-if)# switchport mode trunk Will the ports trunk automatically?
100
#10 - “Trunk ” or “No Trunk”
#10 - “Trunk ” or “No Trunk” S1(config)# interface fa0/1 S1(config-if)# switchport mode dynamic auto F0/1 F0/1 S1 S2 S2(config)# interface fa0/1 S2(config-if)# switchport mode dynamic desirable Will the ports trunk automatically?
101
#11 - “Trunk ” or “No Trunk”
X #11 - “Trunk ” or “No Trunk” S1(config)# interface fa0/1 S1(config-if)# switchport mode dynamic auto F0/1 F0/1 F0/1 S1 S2 S2(config)# interface fa0/1 S2(config-if)# switchport mode dynamic auto Will the ports trunk automatically?
102
#12 - “Trunk ” or “No Trunk”
X #12 - “Trunk ” or “No Trunk” S1(config)# interface fa0/1 S1(config-if)# switchport mode dynamic auto F0/1 F0/1 F0/1 S1 S2 S2(config)# interface fa0/1 S2(config-if)# switchport nonegotiate Will the ports trunk automatically?
103
#13 - “Trunk ” or “No Trunk”
#13 - “Trunk ” or “No Trunk” S1(config)# interface fa0/1 S1(config-if)# switchport nonegotiate F0/1 F0/1 S1 S2 S2(config)# interface fa0/1 S2(config-if)# switchport mode trunk Will the ports trunk automatically? Yes. This is case #4 with the sides swapped: S1 is a permanent trunk that sends no DTP, S2 is a permanent trunk that sends DTP nobody answers, and both operate as trunks.
104
#14 - “Trunk ” or “No Trunk”
X #14 - “Trunk ” or “No Trunk” S1(config)# interface fa0/1 S1(config-if)# switchport nonegotiate F0/1 F0/1 F0/1 S1 S2 S2(config)# interface fa0/1 S2(config-if)# switchport mode dynamic desirable Will the ports trunk automatically?
105
#15 - “Trunk ” or “No Trunk”
X #15 - “Trunk ” or “No Trunk” S1(config)# interface fa0/1 S1(config-if)# switchport nonegotiate F0/1 F0/1 F0/1 S1 S2 S2(config)# interface fa0/1 S2(config-if)# switchport mode dynamic auto Will the ports trunk automatically?
106
#16 - “Trunk ” or “No Trunk”
#16 - “Trunk ” or “No Trunk” S1(config)# interface fa0/1 S1(config-if)# switchport nonegotiate F0/1 F0/1 S1 S2 S2(config)# interface fa0/1 S2(config-if)# switchport nonegotiate Will the ports trunk automatically?
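The sixteen cases above can be worked out from a few rules about how each end of the link behaves. The simulator below is an added example (not code from the original slides) that encodes those rules and also reproduces the "Non-trunking by default" case: each port computes its own operational state from its administrative mode and the DTP frames it hears, and the link trunks only when both ends agree. "trunk nonegotiate" stands for switchport mode trunk plus switchport nonegotiate, the form in which nonegotiate is actually accepted; the verdict "mismatch" (one trunk, one access port) is a broken link, not a trunk.

```python
"""DTP negotiation simulator.

Added example, not part of the original slides. Each end of the link decides
its own operational state from its administrative mode and from the DTP
frames it hears; the link carries tagged VLAN traffic only when both ends
end up trunking. 'trunk nonegotiate' models 'switchport mode trunk' plus
'switchport nonegotiate', since nonegotiate is only accepted on a port that
is already hard-coded as trunk or access.
"""
from itertools import product

TRUNK = "trunk"                    # switchport mode trunk
DESIRABLE = "dynamic desirable"    # switchport mode dynamic desirable
AUTO = "dynamic auto"              # switchport mode dynamic auto (2960/3560 default)
ACCESS = "access"                  # switchport mode access
NONEGOTIATE = "trunk nonegotiate"  # switchport mode trunk + switchport nonegotiate
MODES = (TRUNK, DESIRABLE, AUTO, NONEGOTIATE, ACCESS)


def sends_dtp(mode):
    """Only trunk, desirable and auto ports generate DTP frames."""
    return mode in (TRUNK, DESIRABLE, AUTO)


def operational(local, remote):
    """Operational state ('trunk' or 'access') of the local port."""
    if local in (TRUNK, NONEGOTIATE):
        return "trunk"            # permanent trunk, regardless of the neighbor
    if local == ACCESS:
        return "access"           # permanent non-trunk, regardless of the neighbor
    if not sends_dtp(remote):
        return "access"           # a dynamic port that hears no DTP stays access
    if local == DESIRABLE:
        return "trunk"            # actively asks; any DTP-speaking neighbor agrees
    if local == AUTO:
        return "trunk" if remote != AUTO else "access"   # auto + auto never trunks
    raise ValueError(f"unknown mode {local!r}")


def negotiate(s1, s2):
    """Return (S1 state, S2 state, verdict) for one link."""
    a, b = operational(s1, s2), operational(s2, s1)
    if a == b == "trunk":
        verdict = "trunk"
    elif a == b == "access":
        verdict = "no trunk"
    else:
        verdict = "mismatch"      # one side trunks, the other does not: broken link
    return a, b, verdict


def matrix():
    """All mode pairs, keyed (S1 mode, S2 mode) -> verdict."""
    return {(s1, s2): negotiate(s1, s2)[2] for s1, s2 in product(MODES, MODES)}


if __name__ == "__main__":
    for (s1, s2), verdict in matrix().items():
        print(f"{s1:<18} {s2:<18} {verdict}")
```

Running it prints the full 5x5 matrix; the only pair of dynamic ports that never trunks is auto/auto, and every pairing of a nonegotiate port with a dynamic port is a mismatch because the dynamic side never hears a DTP frame.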
107
Verifying DTP Trunk Links
S1# show dtp interface f0/1 DTP information for FastEthernet0/1: TOS/TAS/TNS: TRUNK/ON/TRUNK TOT/TAT/TNT: Q/802.1Q/802.1Q Neighbor address 1: CD996D23F81 Neighbor address 2: Hello timer expiration (sec/state): /RUNNING Access timer expiration (sec/state): never/STOPPED Negotiation timer expiration (sec/state): never/STOPPED Multidrop timer expiration (sec/state): never/STOPPED FSM state: S6:TRUNK # times multi & trunk Enabled: yes In STP: no <output omitted>
108
To clear a switch, always do the following:
S1# delete vlan.dat Delete filename [vlan.dat]? Delete flash:/vlan.dat? [confirm] S1# erase startup-config Erasing the nvram filesystem will remove all configuration files! Continue? [confirm] [OK] Erase of nvram: complete %SYS-7-NV_BLOCK_INIT: Initialized the geometry of nvram S1# reload Proceed with reload? [confirm]
109
Troubleshooting VLANs
110
Troubleshooting VLANs and Trunks IP Addressing Issues with VLAN
It is a common practice to associate a VLAN with an IP network. Because different IP networks only communicate through a router, all devices within a VLAN must be part of the same IP network to communicate. The figure shows that PC1 cannot communicate with the server because it has a wrong IP address configured. IP Addressing Issues with VLAN
111
Troubleshooting VLANs and Trunks Missing VLANs
If all the IP addresses mismatches have been solved, but the device still cannot connect, check if the VLAN exists in the switch. Missing VLANs
112
Troubleshooting VLANs and Trunks Introduction to Troubleshooting Trunks
113
Troubleshooting VLANs and Trunks Common Problems with Trunks
Trunking issues are usually associated with incorrect configurations. The most common type of trunk configuration errors are: Native VLAN mismatches Trunk mode mismatches Allowed VLANs on trunks If a trunk problem is detected, the best practice guidelines recommend to troubleshoot in the order shown above. Common Problems With Trunks
114
Troubleshooting VLANs and Trunks Trunk Mode Mismatches
If a port on a trunk link is configured with a trunk mode that is incompatible with the neighboring trunk port, a trunk link fails to form between the two switches. Use the show interfaces trunk command to check the status of the trunk ports on the switches. To fix the problem, configure the interfaces with proper trunk modes. Trunk Mode Mismatches
115
Troubleshooting VLANs and Trunks Incorrect VLAN List
VLANs must be allowed in the trunk before their frames can be transmitted across the link. Use the switchport trunk allowed vlan command to specify which VLANs are allowed in a trunk link. Use the show interfaces trunk command to ensure the correct VLANs are permitted in a trunk. Incorrect VLAN List
116
Troubleshooting VLAN Security
117
Attacks on VLANs Switch Spoofing Attack
To prevent a basic switch spoofing attack, turn off trunking on all ports except the ones that specifically require trunking: switchport mode access on every end-device port (the port then reports Negotiation of Trunking: Off and will not answer a host pretending to be a switch), and switchport mode trunk plus switchport nonegotiate on the real trunks so that DTP is not in use there either.
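One way to check that rule across a whole switch is to parse show interfaces switchport and compare every port against the intended design. The script below is an added example, not part of the original slides: SAMPLE is constructed output in the format shown earlier in this deck (not captured from a real switch), the set of intended trunk ports and the chosen native VLAN are inputs you supply, and the remediation lines it emits are the access / trunk / nonegotiate / native vlan commands already covered above.

```python
"""Audit of 'show interfaces switchport' output for DTP exposure.

Added example, not from the original slides. SAMPLE is constructed output in
the format the slides show; it is not captured from a real switch. The audit
assumes the operator supplies the set of ports that are meant to be trunks
and the native VLAN chosen for them.
"""
import re

SAMPLE = """\
Name: Fa0/1
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)

Name: Fa0/2
Switchport: Enabled
Administrative Mode: dynamic auto
Operational Mode: static access
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)

Name: Fa0/3
Switchport: Enabled
Administrative Mode: static access
Operational Mode: static access
Negotiation of Trunking: Off
Access Mode VLAN: 10
Trunking Native Mode VLAN: 99
"""

FIELD = re.compile(
    r"^(Administrative Mode|Operational Mode|Negotiation of Trunking|"
    r"Access Mode VLAN|Trunking Native Mode VLAN): (.+)$", re.M)


def parse_switchport(text):
    """Map interface name -> {field: value} from multi-port output."""
    ports = {}
    for block in re.split(r"(?m)^Name: ", text)[1:]:
        name, _, body = block.partition("\n")
        ports[name.strip()] = {k: v.strip() for k, v in FIELD.findall(body)}
    return ports


def audit(text, intended_trunks, native_vlan):
    """Return interface -> (list of findings, list of remediation CLI lines)."""
    report = {}
    for name, p in parse_switchport(text).items():
        issues, fix = [], []
        mode = p.get("Administrative Mode", "")
        dtp_on = p.get("Negotiation of Trunking") == "On"
        native = p.get("Trunking Native Mode VLAN", "?").split()[0]  # "1 (default)" -> "1"
        if name in intended_trunks:
            if mode != "trunk":
                issues.append(f"trunk port is in '{mode}' mode, not hard-coded trunk")
                fix.append(" switchport mode trunk")
            if dtp_on:
                issues.append("DTP frames are still sent on a trunk that should be static")
                fix.append(" switchport nonegotiate")
            if native != str(native_vlan):
                issues.append(f"native VLAN is {native}, expected {native_vlan}")
                fix.append(f" switchport trunk native vlan {native_vlan}")
        else:
            if mode != "static access":
                issues.append(f"non-trunk port is in '{mode}' mode; a neighbor can negotiate a trunk")
                fix.append(" switchport mode access")
            elif dtp_on:
                issues.append("access port still reports DTP negotiation on")
                fix.append(" switchport mode access")
        report[name] = (issues, [f"interface {name}"] + fix if issues else [])
    return report


if __name__ == "__main__":
    for name, (issues, fix) in audit(SAMPLE, {"Fa0/1"}, 99).items():
        print(name, "OK" if not issues else "")
        for issue in issues:
            print("  -", issue)
        for line in fix:
            print("   ", line)
```

On the constructed sample only Fa0/3 passes: Fa0/1 is a trunk that still speaks DTP and uses native VLAN 1, and Fa0/2 is a default dynamic auto port that any neighbor in desirable or trunk mode could turn into a trunk.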
118
Attacks on VLANs Double-Tagging Attack
The best approach to mitigating double-tagging attacks is to ensure that the native VLAN of the trunk ports is different from the VLAN of any user ports: pick an otherwise unused VLAN for it (switchport trunk native vlan, as with the NATIVE VLAN 2 created later in this deck) and, where the platform supports it, tag native-VLAN frames on trunks as well (vlan dot1q tag native) so that no frame ever crosses a trunk untagged.
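The reason the native VLAN matters is visible when the frame is followed hop by hop. The walk-through below is an added example, not code from the original slides; it builds the attacker's double-tagged frame as bytes and applies two switch behaviours that are stated here as assumptions: an access port accepts a tagged frame only when the tag carries the port's own access VLAN (and strips it), and a trunk sends native-VLAN frames untagged and treats untagged arrivals as native. MAC addresses and payload are constructed.

```python
"""Double-tagging (VLAN hopping) walk-through with constructed frames.

Added example, not from the original slides. Two switch behaviours are
modelled as assumptions: (1) an access port accepts a tagged frame only when
the tag carries the port's own access VLAN, and strips it; (2) a trunk sends
native-VLAN frames untagged and classifies untagged arrivals as native.
"""
import struct

ETH_P_8021Q = 0x8100
ETH_P_IPV4 = 0x0800
BROADCAST = b"\xff" * 6
ATTACKER_MAC = bytes.fromhex("0200aaaaaaaa")   # constructed, locally administered


def build_frame(dst, src, vids, payload):
    """Ethernet frame with the given 802.1Q VLAN IDs, outermost first."""
    frame = dst + src
    for vid in vids:
        frame += struct.pack("!HH", ETH_P_8021Q, vid & 0x0FFF)   # PCP/DEI = 0
    return frame + struct.pack("!H", ETH_P_IPV4) + payload


def pop_tag(frame):
    """Return (vid, frame without its outermost tag), or (None, frame) if untagged."""
    if struct.unpack("!H", frame[12:14])[0] != ETH_P_8021Q:
        return None, frame
    vid = struct.unpack("!H", frame[14:16])[0] & 0x0FFF
    return vid, frame[:12] + frame[16:]


def push_tag(frame, vid):
    """Insert one 802.1Q tag directly after the MAC addresses."""
    return frame[:12] + struct.pack("!HH", ETH_P_8021Q, vid) + frame[12:]


def switch1(frame, access_vlan, trunk_native):
    """Attacker's frame enters an access port and leaves on the trunk (or is dropped)."""
    vid, inner = pop_tag(frame)
    if vid is not None and vid != access_vlan:
        return None                        # assumption (1): foreign tag on an access port
    if access_vlan == trunk_native:
        return inner                       # native leaves untagged: inner tag is now outermost
    return push_tag(inner, access_vlan)    # otherwise the trunk carries the real VLAN tag


def switch2(frame, trunk_native):
    """Frame arrives on the far trunk; classify by the outer tag (untagged = native)."""
    vid, inner = pop_tag(frame)
    return (trunk_native if vid is None else vid), inner


def hop(attacker_vlan, victim_vlan, trunk_native, outer_tag=None):
    """VLAN the far switch delivers the crafted frame to, or None if dropped."""
    outer = attacker_vlan if outer_tag is None else outer_tag   # attacker's guess of native
    crafted = build_frame(BROADCAST, ATTACKER_MAC, [outer, victim_vlan], b"constructed")
    on_wire = switch1(crafted, attacker_vlan, trunk_native)
    if on_wire is None:
        return None
    return switch2(on_wire, trunk_native)[0]


if __name__ == "__main__":
    print("native VLAN = attacker's access VLAN 1:", hop(1, 20, 1))    # lands in VLAN 20
    print("native VLAN moved to unused VLAN 999 :", hop(1, 20, 999))  # stays in VLAN 1
```

With the trunk's native VLAN equal to the attacker's access VLAN the first switch strips the outer tag and forwards the frame untagged, so the second switch reads the inner tag and delivers the frame into the victim VLAN. Moving the native VLAN to an unused number makes the first switch re-tag the frame with the attacker's own VLAN; the inner tag is still in the frame but is never examined.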
119
Attacks on VLANs PVLAN Edge
The Private VLAN (PVLAN) Edge feature, also known as protected ports, ensures that there is no exchange of unicast, broadcast, or multicast traffic between protected ports on the same switch. Protected ports are a per-switch feature: two protected ports on different switches can still reach each other, and a protected port can always reach an unprotected port, such as the uplink toward the default gateway.
120
What is Inter-VLAN routing?
Layer 2 switches cannot forward traffic between VLANs without the assistance of a router. Inter-VLAN routing is a process for forwarding network traffic from one VLAN to another, using a router. What is Inter-VLAN routing? Legacy Inter-VLAN Routing Router-on-Stick Switch SVI Switch Routed Ports
121
Legacy Inter-VLAN Routing
122
Legacy Inter-VLAN Routing
Routers used to route between VLANs. Each VLAN was connected to a different physical router interface. Packets would arrive on the router through one interface, be routed, and leave through another. Router interfaces connected to VLANs have IP addresses from that specific VLAN. Large networks with a large number of VLANs required many router interfaces.
123
Legacy Inter-VLAN Routing
Legacy Inter-VLAN Routing A B C D GW GW GW GW Router is required to connect (route) between subnets/VLANs
124
S1(config)# interface f0/11 S1(config-if)# switchport access vlan 10
S1(config)# vlan 10 S1(config-vlan)# exit S1(config)# vlan 30 S1(config-vlan)# exit S1(config)# interface f0/11 S1(config-if)# switchport access vlan 10 S1(config-if)# exit S1(config)# interface f0/4 S1(config)# interface f0/6 S1(config-if)# switchport access vlan 30 S1(config-if)# interface f0/5 S1(config-if)# switchport access vlan 30 Configure Legacy Inter-VLAN Routing: Switch Configuration
125
R1(config)# interface g0/0
R1(config-if)# ip address R1(config-if)# no shutdown R1(config-if)# interface g0/1 R1(config-if)# ip address Configure Legacy Inter-VLAN Routing: Router Configuration
126
<output omitted>
R1# show ip route Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP <output omitted> /16 is variably subnetted, 4 subnets, 2 masks C /24 is directly connected, GigabitEthernet0/0 L /32 is directly connected, GigabitEthernet0/0 C /24 is directly connected, GigabitEthernet0/1 L /32 is directly connected, GigabitEthernet0/1 Configure Legacy Inter-VLAN Routing: Router Routing Table
127
5.1.2.2 Configure Legacy Inter-VLAN Routing: Switch Configuration
128
Router-on-a-Stick
129
Router-on-a-Stick 172.17.10.1 172.17.30.1 VLAN 10 PC 2 172.17.10.30
The router-on-a-stick approach uses a different path to route between VLANs. One of the router’s physical interfaces is configured as a 802.1Q trunk port so it can understand VLAN tags. Logical subinterfaces are created; one subinterface per VLAN. Each subinterface is configured with an IP address from the VLAN it represents. VLAN members (hosts) are configured to use the subinterface address as a default gateway. Only one of the router’s physical interface is used.
130
S1(config)# vlan 10 S1(config-vlan)# vlan 30 S1(config-vlan)# exit S1(config)# interface f0/11 S1(config-if)# switchport access vlan 10 S1(config-if)# exit S1(config)# interface f0/6 S1(config-if)# switchport access vlan 30 S1(config-if)# interface f0/5 S1(config-if)# switchport mode trunk S1(config-if)#
131
R1(config)# interface g0/0.10
R1(config-subif)# encapsulation dot1q 10 R1(config-subif)# ip address R1(config-subif)# exit R1(config)# interface g0/0.30 R1(config-subif)# encapsulation dot1q 30 R1(config-subif)# ip address R1(config)# interface g0/0 R1(config-if)# no shutdown
132
R1# show vlans <output omitted> Virtual LAN ID: 10 (IEEE 802.1Q Encapsulation) vLAN Trunk Interface: GigabitEthernet0/0.10 Protocols Configured: Address: Received: Transmitted: IP Virtual LAN ID: 30 (IEEE 802.1Q Encapsulation) vLAN Trunk Interface: GigabitEthernet0/0.30 IP
133
R1# show ip route Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B – BGP <output omitted> /16 is variably subnetted, 4 subnets, 2 masks C /24 is directly connected, GigabitEthernet0/0.10 L /32 is directly connected, GigabitEthernet0/0.10 C /24 is directly connected, GigabitEthernet0/0.30 L /32 is directly connected, GigabitEthernet0/0.30
134
Problem #1 S1(config)# interface fa0/4
VLAN 10 S1(config)# interface fa0/4 S1(config-if)# switchport access vlan 10
135
Problem #2 S1(config)# interface fa0/5
Trunk S1(config)# interface fa0/5 S1(config-if)# switchport mode trunk
136
Problem #3 S1(config)# interface fa0/5
Trunk VLAN 10 S1(config)# interface fa0/5 S1(config-if)# switchport access vlan 10
137
Problem #4 R1(config)# interface g0/0
/24 R1(config)# interface g0/0 R1(config-if)# ip address
138
Problem #5 /24
139
Problem #6 /24
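The IP addressing issue on the troubleshooting slide and Problems #1 to #6 are all mismatches between three tables: which VLAN a port belongs to, which subnet and gateway address the VLAN's Layer 3 interface has, and what each host is configured with. The checker below is an added example (not from the original slides) that cross-checks those tables; the port-to-VLAN map and the gateway addresses follow the router-on-a-stick topology above (172.17.10.1 and 172.17.30.1), while the host entries are constructed, including the deliberately broken PC3, PC4 and PC5.

```python
"""VLAN / subnet / gateway consistency check.

Added example, not part of the original slides. PORT_VLAN and GATEWAYS
follow the router-on-a-stick slides; HOSTS is constructed test data with
three deliberately broken entries.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class Host:
    name: str
    port: str      # switch port the host is plugged into
    ip: str        # "addr/prefix" or "addr/dotted-mask"
    gateway: str   # configured default gateway


PORT_VLAN = {"Fa0/11": 10, "Fa0/6": 30, "Fa0/7": 40}          # Fa0/4 left unassigned on purpose
GATEWAYS = {10: "172.17.10.1/24", 30: "172.17.30.1/24"}       # VLAN 40 has no gateway interface
HOSTS = [
    Host("PC1", "Fa0/11", "172.17.10.21/255.255.255.0", "172.17.10.1"),  # correct
    Host("PC2", "Fa0/6", "172.17.30.23/24", "172.17.30.1"),              # correct
    Host("PC3", "Fa0/4", "172.17.10.30/24", "172.17.10.1"),              # port has no VLAN
    Host("PC4", "Fa0/6", "172.17.10.30/24", "172.17.10.1"),              # VLAN 30 port, VLAN 10 address
    Host("PC5", "Fa0/7", "172.17.40.5/24", "172.17.40.1"),               # VLAN with no gateway
]


def check(port_vlan, gateways, hosts):
    """Return a list of human-readable problems; empty means consistent."""
    problems = []
    gw_ifaces = {vlan: ipaddress.ip_interface(addr) for vlan, addr in gateways.items()}
    for h in hosts:
        vlan = port_vlan.get(h.port)
        if vlan is None:
            problems.append(f"{h.name}: port {h.port} has no VLAN assignment")
            continue
        gw = gw_ifaces.get(vlan)
        if gw is None:
            problems.append(f"{h.name}: VLAN {vlan} has no Layer 3 gateway interface")
            continue
        addr = ipaddress.ip_interface(h.ip)
        if addr.network != gw.network:             # same AND-with-mask test the hosts do
            problems.append(f"{h.name}: {addr} is not in VLAN {vlan}'s subnet {gw.network}")
        if ipaddress.ip_address(h.gateway) != gw.ip:
            problems.append(f"{h.name}: default gateway {h.gateway} is not VLAN {vlan}'s gateway {gw.ip}")
    return problems


if __name__ == "__main__":
    for line in check(PORT_VLAN, GATEWAYS, HOSTS):
        print(line)
```

The subnet comparison is the same AND-with-the-mask test the hosts themselves perform; a host whose address does not fall in its VLAN's subnet will ARP for a gateway that is never on its segment, which is exactly the symptom on the troubleshooting slide.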
140
Multi-layer Switches and Inter-VLAN Routing – EXTRA (CIS 83)
141
Routers vs Multilayer Switches
Routers and multilayer switches both perform routing (connecting networks). Routers may have different types of interfaces (Ethernet, serial, ATM, etc.) while multilayer switches will only have Ethernet interfaces. While routers can be used to segment LAN devices, their major use is as WAN devices. Each device has its own advantages. Routers are: The backbone devices of large intranets and of the Internet They operate at Layer 3 (network layer) of the OSI model They make decisions based on network addresses (IPv4, IPv6).
142
Switched Network Design
Core – Route/switch packets quickly between distribution multilayer switches. Distribution – Route between VLANs/subnets, apply ACLs. Access – Provide access to end devices and enforce port security.
143
Multilayer Switch Inter-VLAN Routing
Multilayer switches can perform Layer 2 and Layer 3 functions, replacing the need for dedicated routers. Multilayer switches support dynamic routing and inter-VLAN routing. A switch virtual interface (SVI) exists for VLAN 1 by default. On a multilayer switch, a logical (layer 3) interface can be configured for any VLAN. With a multilayer switch, traffic is routed internal to the switch device. This routing process is a suitable and scalable solution.
144
Configure Router On A Stick: 802.1Q Trunk Link
interface GigabitEthernet 0/0 no shutdown ! Does not show in config ! interface GigabitEthernet 0/0.2 description VLAN 2 encapsulation dot1Q 2 native ip address interface GigabitEthernet 0/0.10 description VLAN 10 encapsulation dot1Q 10 ip address interface GigabitEthernet 0/0.20 description VLAN 20 encapsulation dot1Q 20 ip address interface GigabitEthernet 0/0.30 description VLAN 30 encapsulation dot1Q 30 ip address interface GigabitEthernet 0/0.40 description VLAN 40 encapsulation dot1Q 40 ip address /24 /24 interface GigabitEthernet 1/1 switchport mode trunk Purpose: This figure shows the configuration of the router on a stick. Emphasize: Highlight the two different interconnecting networks, and Router on a stick is very simple to implement.
145
Routed Ports versus Switched Virtual Interfaces
Routed Ports – Just like a router, the port has an IP address/mask that makes it a member of that subnet. SVI – The switch is a member of that IP subnet/VLAN. All switch ports that are a member of that VLAN can communicate with the switch
146
Multilayer Switch Interfaces
Layer 2: Access or Trunk Ports Physical Interface Logical Interface (SVI) Performs both Layer 2 switching and interVLAN routing. Layer 2 Interface: Access or Trunk ports Layer 3 Interface: Has an IP address assigned to it. The Default Gateway for any hosts connected to that interface or VLAN. Physical interface Same as a router Aka “Routed Port” Example: interface gigabit 0/1 Logical Interface Represents an entire VLAN Switched Virtual Interface (SVI) Example: interface vlan 10
147
SVI VLAN 10 SVI VLAN 20 A B C D GW GW GW GW Layer 3 functionality can also be enabled for an entire VLAN. The IP address is assigned to the logical interface – the VLAN. This is needed when routing is required between VLANs. SVI (Switched Virtual Interface) No physical connection VLANs must be created before the SVI can be used. The IP address of the VLAN interface is the default gateway of the workstations in that VLAN.
148
SVI VLAN 10 SVI VLAN 20 A B C D GW GW GW GW <VLANs have been created or will be created when configured on the interface> S1(config)# interface range fastethernet 0/1 - 12 S1(config-if-range)# switchport mode access S1(config-if-range)# switchport access vlan 10 S1(config-if-range)# exit S1(config)# interface range fastethernet 0/ S1(config-if-range)# switchport access vlan 20 S1(config-if-range)# end
149
SVI VLAN 10 SVI VLAN 20 A B C D GW GW GW GW DLS1(config)# inter vlan 10 DLS1(config-if)# description Engineering VLAN DLS1(config-if)# ip address DLS1(config-if)# no shutdown DLS1(config)# inter vlan 20 DLS1(config-if)# description IT VLAN DLS1(config-if)# ip address
150
Alternative Configuration
SVI VLAN 10 SVI VLAN 20 A B C D GW GW GW GW Alternative Configuration
151
A B C D Distribution Layer Switch Trunk Access Layer Switch
SVI VLAN 10 SVI VLAN 20 Distribution Layer Switch Trunk Access Layer Switch A B C D GW GW GW GW DLS1(config)# inter gig 0/2 DLS1(config-if)# switchport mode trunk ALS1(config)# inter fa 0/9 ALS1(config-if)# switchport mode trunk
152
Multilayer Switch Interfaces
Layer 2: Access or Trunk Ports Physical Interface (L3) Logical Interface (SVI – L3) DLS1# show interface gig 0/2 switchport Name: Gig0/2 Switchport: Enabled <output omitted> Layer 2 or Layer 3 Interface? Is it a “switch” port? Default on most Catalyst switches: Layer 2 Default on Catalyst 6500: Layer 3 Verify mode: Switch# show interface type mod/num switchport Switchport: Think Layer 2 Enabled: Layer 2 Disabled: Layer 3
153
Multilayer Switch Interfaces
Is it a “switch” port? DLS1(config)# interface gig 0/2 DLS1(config-if)# no switchport DLS1(config-if)# end DLS1# show interface gig 0/2 switchport Name: Gig0/2 Switchport: Disabled <output omitted> DLS1# config t DLS1(config-if)# switchport Switchport: Enabled Converts interface to Layer 3 Layer 3 Converts interface to Layer 2 Layer 2 If in Layer 3 mode switchport interface command puts the port into Layer 2 mode.
154
SVI Interfaces - Logical Interfaces
Switch(config)# vlan vlan-number Switch(config-vlan)# name vlan-name SwitchA(config)# interface vlan vlan-number SwitchA(config-if)# ip address ip-address mask SwitchA(config-if)# no shutdown The Catalyst multilayer switches support three different types of Layer 3 interfaces: Routed port— A pure Layer 3 interface similar to a routed port on a Cisco IOS router. Switch virtual interface (SVI)— A virtual VLAN interface for inter-VLAN routing. In other words, SVIs are the virtual routed VLAN interfaces. Bridge virtual interface (BVI)— A Layer 3 virtual bridging interface. (Not discussed) Layer 3 functionality can also be enabled for an entire VLAN. The IP address is assigned to the logical interface – the VLAN. This is needed when routing is required between VLANs. SVI (Switched Virtual Interface) No physical connection VLANs must be created before the SVI can be used. The IP address of the VLAN interface is the default gateway of the workstations in that VLAN.
155
Creating VLANs DLS1: Create and name the user VLANs: 10, 11, 20 and 21. DLS1: Create and name a Management VLAN (used to telnet into switches) DLS1: Create and name a NATIVE VLAN other than VLAN 1 (default) DLS1: Create and name a Garbage VLAN (assigned to all unused ports.) All ports that are not used (trunks and access) will be assigned as an access port to this VLAN. DLS1 vlan 2 name NATIVE vlan 10 name Engineering vlan 11 name IT vlan 20 name Sales vlan 21 name Administration vlan 99 name ManagementVLAN vlan 222 name GarbageVLAN
156
Default Gateway (SVI) Configure DLS1 to be the default gateway for VLANs 10 and 11. All hosts on these VLANs will use these addresses as their default gateway addresses. DLS1(config)# inter vlan 99 DLS1(config-if)# description Management VLAN DLS1(config-if)# ip address DLS1(config-if)# no shutdown DLS1(config)# inter vlan 10 DLS1(config-if)# description Engineering VLAN DLS1(config-if)# ip address DLS1(config)# inter vlan 11 DLS1(config-if)# description IT VLAN DLS1(config-if)# ip address
157
Default Gateway (SVI) Configure DLS2 to be the default gateway for VLANs 20 and 21. All hosts on these VLANs will use these addresses as their default gateway addresses. DLS2(config)# inter vlan 20 DLS2(config-if)# description Sales VLAN DLS2(config-if)# ip address DLS2(config-if)# no shut DLS2(config)# inter vlan 21 DLS2(config-if)# description Administration VLAN DLS2(config-if)# ip address
158
Default Gateway (SVI) Statically or Dynamically assigned
159
Layer 3 Port Configuration – Physical Interfaces
DLS1(config)# interface gig 0/1 DLS1(config-if)# no switchport DLS1(config-if)# ip address DLS2(config)# interface gig 0/1 DLS2(config-if)# no switchport DLS2(config-if)# ip address Physical switch ports can operate as Layer 3 interfaces using the interface command: Switch(config)# interface type mod/num Switch(config-if)# no switchport Switch(config-if)# ip address ip-address mask
160
G0/0 /24 G0/0 /24 /24 DF
161
interface vlan 10 /24 interface vlan 11 /24 interface vlan 20 /24 interface vlan 21 /24 Trunk =
162
Management VLAN (SVI) Each device in the network is configured to be a member of the management VLAN. On each switch: Switch(config)# inter vlan 98 Switch(config-if)# description Management VLAN Switch(config-if)# ip address x Switch(config-if)# no shutdown Switch(config-if)# exit On the Layer 2 switches (no ip routing), point the default gateway at the management-VLAN SVI address of one of the multilayer switches (DLS1 or DLS2) so the switch can be managed from other VLANs: Switch(config)# ip default-gateway
163
Management VLAN (SVI) Each device in the network is configured to be a member of the management VLAN. On each switch: Switch(config)# inter vlan 99 Switch(config-if)# description Management VLAN Switch(config-if)# ip address x Switch(config-if)# no shutdown Switch(config-if)# exit On the Layer 2 switches (no ip routing), point the default gateway at the management-VLAN SVI address of one of the multilayer switches (DLS1 or DLS2) so the switch can be managed from other VLANs: Switch(config)# ip default-gateway
164
interface vlan 98 172.16.98.1/24 On each switch
DLS1(config)# inter vlan 98 DLS1(config-if)# ip address DLS1(config-if)# no shutdown ALS10(config)# inter vlan 98 ALS10(config-if)# ip address ALS10(config-if)# no shutdown ALS10(config)# ip default-gateway
165
interface vlan 98 /24 interface vlan 99 /24
166
Switched Network Design
Core – Route/switch packets quickly between distribution multilayer switches. Distribution – Route between VLANs/subnets, apply ACLs. Access – Provide access to end devices and enforce port security. L3 = Routed ports, over IP, separate subnets L2 = SVI, VLANs over trunks OR individual VLANs
167
Verifying Verify IP addresses DLS1#show ip inter brief
Interface IP-Address OK? Method Status Protocol FastEthernet0/ YES manual up up GigabitEthernet0/ YES manual up up Vlan YES manual up up Vlan YES manual up up
168
InterVLAN Routing External Router No VLANs External Router VLANs
Router on a stick VLANs or No VLANs VLANs 1, 2, 3 Trunk VLAN 1 VLAN 2 Multilayer Switch VLAN 3 Trunk Multilayer Switch
169
SDM
170
Cisco Switch Database Manager (SDM)
A Catalyst 2960 switch can function as a Layer 3 device and route between VLANs and a limited number of static routes. The Cisco Switch Database Manager (SDM) provides multiple templates for the 2960 switch. The templates can be enabled to support specific roles depending on how the switch is used in the network. For example, the sdm lanbase-routing template can be enabled to allow the switch to route between VLANs and to support static routing.
171
Switch Database Manager Template
The show sdm prefer command displays the template that is currently active; here it is the default template, which does not support static routing. If IPv6 addressing has been enabled, the template will be dual-ipv4-and-ipv6 default. S1# show sdm prefer The current template is "default" template. The selected template optimizes the resources in the switch to support this level of features for 0 routed interfaces and 255 VLANs. number of unicast mac addresses: K number of IPv4 IGMP groups: K number of IPv4/MAC qos aces: k number of IPv4/MAC security aces: k
172
SDM Template sdm prefer to change the template
Switch must be reloaded for the new template to take effect. SDM Template S1# configure terminal Enter configuration commands, one per line. End with CNTL/Z. S1(config)# sdm prefer ? default Default bias dual-ipv4-and-ipv6 Support both IPv4 and IPv6 lanbase-routing Supports both IPv4 and IPv6 Static Routing qos QoS bias S1(config)# sdm prefer lanbase-routing Changes to the running SDM preferences have been stored, but cannot take effect until the next reload. Use 'show sdm prefer' to see what SDM preference is currently active. Switch(config)# do reload System configuration has been modified. Save? [yes/no]: yes Building configuration... [OK] Proceed with reload? [confirm] *Mar 20 00:10:24.557: %SYS-5-RELOAD: Reload requested by console. Reload Reason: Reload command. Media Description: Lab: Configuring Basic DHCPv4 on a Switch (from Switching, Chapter 7, Lab B) Reference: Switch and Router Output.docx
173
2960 Static Route Support lanbase-routing template is active on S1.
With this template, static routing is supported for up to 750 static routes. Switch# show sdm prefer The current template is "lanbase-routing" template. The selected template optimizes the resources in the switch to support this level of features for 0 routed interfaces and 255 VLANs. number of unicast mac addresses: K number of IPv4 IGMP groups + multicast routes: K number of IPv4 unicast routes: K number of directly-connected IPv4 hosts: K number of indirect IPv4 routes: number of IPv6 multicast groups: k number of directly-connected IPv6 addresses: K number of indirect IPv6 unicast routes: number of IPv4 policy based routing aces: number of IPv4/MAC qos aces: k number of IPv4/MAC security aces: k number of IPv6 policy based routing aces: number of IPv6 qos aces: k number of IPv6 security aces: Media Description: Lab: Configuring Basic DHCPv4 on a Switch (from Switching, Chapter 7, Lab B) Reference: Switch and Router Output.docx
174
Enabling IPv4 Routing Functionality on a 2960
Interface F0/6 on S1 is assigned to VLAN 2. The SVIs for VLANs 1 and 2 are also configured with IP addresses /24 and /24, respectively. IP routing is enabled with the ip routing global configuration mode command. Enabling IPv4 Routing Functionality on a 2960 S1(config)# interface f0/6 S1(config-if)# switchport access vlan 2 S1(config-if)# interface vlan 1 S1(config-if)# ip address S1(config-if)# interface vlan 2 S1(config-if)# ip address S1(config-if)# no shutdown Mar 20 01:00:25.021: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan2, changed state to up S1(config)# ip routing S1(config)# do show ip route Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2 E1 - OSPF external type 1, E2 - OSPF external type 2 i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2 ia - IS-IS inter area, * - candidate default, U - per-user static route o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP + - replicated route, % - next hop override Gateway of last resort is not set /24 is variably subnetted, 2 subnets, 2 masks C /24 is directly connected, Vlan1 L /32 is directly connected, Vlan1 /24 is variably subnetted, 2 subnets, 2 masks C /24 is directly connected, Vlan2 L /32 is directly connected, Vlan2
175
Router Participating in
Routing with a Switch R1 has two IPv4 networks configured: Interface G0/1 has IP address /24 loopback interface Lo0 has IP address /27 R1# show ip route Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2 E1 - OSPF external type 1, E2 - OSPF external type 2 i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2 ia - IS-IS inter area, * - candidate default, U - per-user static route o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP + - replicated route, % - next hop override Gateway of last resort is not set /24 is variably subnetted, 2 subnets, 2 masks C /24 is directly connected, GigabitEthernet0/1 L /32 is directly connected, GigabitEthernet0/1 /24 is variably subnetted, 2 subnets, 2 masks C /27 is directly connected, Loopback0 L /32 is directly connected, Loopback0 Media Description: Lab: Configuring Basic DHCPv4 on a Switch (from Switching, Chapter 7, Lab B) Reference: Switch and Router Output.docx
176
Configuring a Static Route on a 2960
A default route is configured on S1 S1(config)# ip route S1(config)# do show ip route Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2 E1 - OSPF external type 1, E2 - OSPF external type 2 i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2 ia - IS-IS inter area, * - candidate default, U - per-user static route o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP + - replicated route, % - next hop override Gateway of last resort is to network S* /0 [1/0] via /24 is variably subnetted, 2 subnets, 2 masks C /24 is directly connected, Vlan1 L /32 is directly connected, Vlan1 /24 is variably subnetted, 2 subnets, 2 masks C /24 is directly connected, Vlan2 L /32 is directly connected, Vlan2
177
Final Routing Table on Router
A static route to the remote network /24 (VLAN 2) is configured on R1 R1(config)# ip route g0/1 R1(config)# do show ip route Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2 E1 - OSPF external type 1, E2 - OSPF external type 2 i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2 ia - IS-IS inter area, * - candidate default, U - per-user static route o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP + - replicated route, % - next hop override Gateway of last resort is not set /24 is variably subnetted, 2 subnets, 2 masks C /24 is directly connected, GigabitEthernet0/1 L /32 is directly connected, GigabitEthernet0/1 S /24 is directly connected, GigabitEthernet0/1 /24 is variably subnetted, 2 subnets, 2 masks C /27 is directly connected, Loopback0 L /32 is directly connected, Loopback0
178
Host Connectivity /27 PC-A is configured with IP address /24 in VLAN 2. PC-B is configured with IP address /24 in VLAN 1. PC-B is able to ping both PC-A and the loopback interface on R1. /24 VLAN 2 /24 VLAN 1