Tuesday, June 30, 2009

CCNP Module 2.5

2.5 Correcting Common VLAN Configuration Errors


2.5.1 Describing Issues with 802.1Q Native VLANs


The figure shows a frequent configuration error. The native VLAN configured on each end of an 802.1Q trunk must be the same. Remember that a switch receiving an untagged frame assigns it to the native VLAN of the trunk. If one end is configured for native VLAN 1 and the other for native VLAN 2, a frame sent in VLAN 1 on one side is received in VLAN 2 on the other. VLANs 1 and 2 have effectively been merged. There is no reason this should ever be required, and connectivity issues will occur in the network.

Cisco switches use Cisco Discovery Protocol (CDP) to warn of a native VLAN mismatch.

In the figure, the PCs connected to the hub are sending untagged frames. Because the frames are untagged, they become part of VLAN 1 on the left-hand switch and part of VLAN 2 on the right-hand switch.

The figure describes the mitigation of 802.1Q native VLAN issues.



2.5.2 Resolving Issues with 802.1Q Native VLANs


Consider the following issues when you are configuring a native VLAN on an 802.1Q trunk link:

  • The native VLAN interface configurations must match at both ends of the link or the trunk may not form.

  • By default, the native VLAN is VLAN 1. For security reasons, the native VLAN on a trunk should be set to a specific VID that is not used for normal operations elsewhere on the network.

Switch(config-if)#switchport trunk native vlan vlan-id
  • If there is a native VLAN mismatch on an 802.1Q link, CDP (if used and functioning) issues a “native VLAN mismatch” error.

  • On select versions of Cisco IOS software, CDP may not be transmitted or automatically turns off if VLAN1 is disabled on the trunk.

  • If there is a native VLAN mismatch on either side of an 802.1Q link, Layer 2 loops may occur because VLAN 1 STP BPDUs are sent to the IEEE STP MAC address (0180.c200.0000) untagged.

  • When troubleshooting VLANs, note that a link can have one native VLAN association when in access mode, and another native VLAN association when in trunk mode.

2.5.3 Describing Trunk Link Problems


The trunking mode, the trunk encapsulation type, the VTP domain, and the hardware capabilities of two connected ports determine whether an operational trunk link is formed and which type it becomes.

Consider that with the default switchport mode set to dynamic auto and with DTP enabled, if another switch is connected and is set to switchport mode trunk, the switch automatically converts the link to a trunk. This could have security implications, because it might start accepting traffic destined for any VLAN. Therefore, a malicious user could start communicating with other VLANs through that compromised port.

Following is an explanation of the three examples illustrated in the figure.

Example A

If both ends of the link are set to switchport mode auto, the link does not become a trunk, and the ports remain as access ports.

Switch1#show interface fa0/1 switchport
Name: Fa0/1
Switchport: Enabled
Administrative Mode: dynamic auto
Operational Mode: static access
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: native
Negotiation of Trunking: On

Example B

If one end of the link is set to switchport mode dynamic desirable and the other end of the link is set to switchport mode access, both ports remain as access ports.

Switch1#show interface fa0/1 switchport
Name: Fa0/1
Switchport: Enabled
Administrative Mode: dynamic desirable
Operational Mode: static access
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: native
Negotiation of Trunking: On

Switch2#show interfaces g1/0/1 switchport
Name: Gi1/0/1
Switchport: Enabled
Administrative Mode: static access
Operational Mode: static access
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: native
Negotiation of Trunking: Off

Example C

If one end of the link is set to switchport mode trunk and switchport nonegotiate and the other end of the link is set to switchport mode auto, a mismatch occurs, because the left-hand switch is not sending any DTP frames. The port that is set to switchport mode auto on the right-hand switch defaults to being an access port.

Switch1#show int fa0/1 switchport
Name: Fa0/1
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: Off

Switch2#show interfaces g1/0/1 switchport
Name: Gi1/0/1
Switchport: Enabled
Administrative Mode: dynamic auto
Operational Mode: static access
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: native
Negotiation of Trunking: On

2.5.4 Resolving Trunk Link Problems



Trunk negotiation is managed by the Dynamic Trunking Protocol (DTP), which is a point-to-point protocol. When using DTP to configure trunks, ensure that both ends of the link are in the same VTP domain.

Because DTP is a Cisco proprietary protocol, some internetworking devices do not support DTP frames, which could cause misconfigurations. To avoid this potential problem, you should turn off DTP for interfaces that are connected to devices that do not support DTP.

Use the following commands to configure ports in the appropriate mode:

  • If you do not intend to trunk across the links, use the switchport mode access interface configuration command to disable trunking.

  • To enable trunking to a device that does not support DTP, use the switchport mode trunk and switchport nonegotiate interface configuration commands to cause the interface to become a trunk but to not generate DTP frames.

  • Use the switchport trunk encapsulation isl or switchport trunk encapsulation dot1q interface configuration command to select the encapsulation type on the trunk port.

Regardless of whether a device supports DTP, general best practice is to configure trunks statically by configuring the interface to trunk and nonegotiate.
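A check for the trunk outcomes in Examples A to C and the static configuration advised above, as an added example (not code from the page or from Cisco): it encodes the standard Catalyst DTP behaviour, parses the page's own `show interface switchport` output, and flags the Example C fault where one end trunks while the other stays an access port.

```python
"""Predict DTP trunk negotiation and check it against 'show ... switchport'.

Added example, not code from the page or from Cisco. It encodes the standard
Catalyst DTP behaviour behind Examples A-C: trunk and dynamic desirable ports
originate DTP frames, dynamic auto only answers them, and access ports or
ports with 'switchport nonegotiate' never send any. The sample output below
is the page's Example B and Example C, trimmed to the fields that matter.
"""

ACTIVE = {"trunk", "dynamic desirable"}          # modes that originate DTP


def operational_mode(local: str, remote: str, remote_nonegotiate: bool = False) -> str:
    """Operational mode of the local port given both administrative modes."""
    if local == "access":
        return "static access"
    if local == "trunk":
        return "trunk"                           # static, regardless of peer
    # A static trunk with 'switchport nonegotiate' sends no DTP frames, so a
    # dynamic peer never learns that it should trunk (Example C).
    remote_sends_dtp = remote in ACTIVE and not remote_nonegotiate
    if local == "dynamic desirable":             # solicits; trunks if anyone answers
        return "trunk" if remote_sends_dtp or remote == "dynamic auto" else "static access"
    if local == "dynamic auto":                  # never solicits; peer must ask
        return "trunk" if remote_sends_dtp else "static access"
    raise ValueError(f"unknown administrative mode: {local!r}")


def parse_switchport(output: str) -> dict:
    """Extract the fields we need from 'show interface ... switchport' text."""
    fields = {}
    for line in output.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    admin = fields["Administrative Mode"]
    return {
        "admin": "access" if admin == "static access" else admin,
        "oper": fields["Operational Mode"],
        # 'Negotiation of Trunking: Off' means no DTP frames leave this port
        "nonegotiate": fields["Negotiation of Trunking"] == "Off",
    }


def check_link(side_a: str, side_b: str) -> dict:
    """Compare predicted with observed modes on both ends and flag problems."""
    a, b = parse_switchport(side_a), parse_switchport(side_b)
    predicted = (operational_mode(a["admin"], b["admin"], b["nonegotiate"]),
                 operational_mode(b["admin"], a["admin"], a["nonegotiate"]))
    observed = (a["oper"], b["oper"])
    return {
        "predicted": predicted,
        "observed": observed,
        "model_matches_output": predicted == observed,
        # one end trunking while the other stays access: the Example C fault
        "ends_disagree": observed[0] != observed[1],
        # 2.5.3: a dynamic port will trunk with whatever device asks it to
        "dynamic_ports": [n for n, s in (("A", a), ("B", b))
                          if s["admin"].startswith("dynamic")],
    }


def static_config(intended: str) -> list:
    """2.5.4: configure the port statically instead of relying on DTP."""
    if intended == "trunk":
        return ["switchport trunk encapsulation dot1q",
                "switchport mode trunk", "switchport nonegotiate"]
    return ["switchport mode access"]


# Example B from the page: desirable on Switch1, static access on Switch2
EXAMPLE_B_SW1 = """Switch1#show interface fa0/1 switchport
Administrative Mode: dynamic desirable
Operational Mode: static access
Negotiation of Trunking: On"""
EXAMPLE_B_SW2 = """Switch2#show interfaces g1/0/1 switchport
Administrative Mode: static access
Operational Mode: static access
Negotiation of Trunking: Off"""

# Example C from the page: trunk + nonegotiate on Switch1, auto on Switch2
EXAMPLE_C_SW1 = """Switch1#show int fa0/1 switchport
Administrative Mode: trunk
Operational Mode: trunk
Negotiation of Trunking: Off"""
EXAMPLE_C_SW2 = """Switch2#show interfaces g1/0/1 switchport
Administrative Mode: dynamic auto
Operational Mode: static access
Negotiation of Trunking: On"""

if __name__ == "__main__":
    for label, pair in (("B", (EXAMPLE_B_SW1, EXAMPLE_B_SW2)),
                        ("C", (EXAMPLE_C_SW1, EXAMPLE_C_SW2))):
        print(f"Example {label}:", check_link(*pair))
```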



2.5.5 Common Problems with VTP Configuration

Some unexpected results can occur after VTP configuration.

The configuration revision number is used when determining if a switch should keep its existing VLAN database or overwrite it with the VTP update sent by another switch in the same domain with the same password. Therefore, when a switch is added to a network, it is important that it does not inject spurious information into the domain.

Following is an example of a VTP client overwriting a VTP server when correct procedures were not followed.

The VTP server, Switch1, is currently at configuration revision 1 and knows of six VLANs.

Switch1#show vtp status
VTP Version : 2
Configuration Revision : 1
Maximum VLANs supported locally : 1005
Number of existing VLANs : 6
VTP Operating Mode : Server
VTP Domain Name : building1
VTP Pruning Mode : Disabled
VTP V2 Mode : Disabled
VTP Traps Generation : Disabled
MD5 digest : 0x0B 0xED 0x6C 0xE2 0x16 0xE9 0x3D 0x3C
Configuration last modified by 172.16.1.111 at 3-1-93 00:29:26
Local updater ID is 172.16.1.111 on interface Vl1 (lowest numbered VLAN interface found)

The new switch, Switch2, has not yet been connected to the network. It is a VTP client with a configuration revision of 2 and knows of seven VLANs.

Switch2#show vtp status
VTP Version : 2
Configuration Revision : 2
Maximum VLANs supported locally : 250
Number of existing VLANs : 7
VTP Operating Mode : Client
VTP Domain Name : building1
VTP Pruning Mode : Disabled
VTP V2 Mode : Disabled
VTP Traps Generation : Disabled
MD5 digest : 0x7C 0x2A 0x2B 0xF1 0x2C 0x90 0x5D 0xB2
Configuration last modified by 172.16.1.11 at 3-1-93 00:34:17

The link between Switch1 and Switch2 is now connected and the VTP client overwrites the VTP server because of the higher configuration revision number.

Switch1#
00:43:47: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/1, changed state to up

Switch1#show vtp status
VTP Version : 2
Configuration Revision : 2
Maximum VLANs supported locally : 1005
Number of existing VLANs : 7
VTP Operating Mode : Server
VTP Domain Name : building1
VTP Pruning Mode : Disabled
VTP V2 Mode : Disabled
VTP Traps Generation : Disabled
MD5 digest : 0x7C 0x2A 0x2B 0xF1 0x2C 0x90 0x5D 0xB2
Configuration last modified by 172.16.1.11 at 3-1-93 00:34:17
Local updater ID is 172.16.1.111 on interface Vl1 (lowest numbered VLAN interface found)

To prevent a VTP domain from being overwritten, always add a new switch either in VTP transparent mode or as a VTP client with a revision number that is lower than the revision number in the existing VTP domain.



2.5.6 Best Practice for VTP Configuration

Following is a list of general best practices with regard to configuring VTP in the enterprise composite network model:

  • Plan boundaries for the VTP domain. Not all switches in the network need information on all VLANs in the network. In the enterprise composite model, the VTP domain should be restricted to redundant distribution switches and the access switches that they serve.

  • Have only one or two switches specifically configured as VTP servers and the remainder as clients.

  • Configure a password so that no switch can join the VTP domain with a domain name only (which can be derived dynamically).

  • Manually configure the VTP domain name on all switches that are installed in the network so that the mode can be specified and the default server mode on all switches can be overwritten.

  • When you are setting up a new domain, configure VTP client switches first so that they participate passively. Then configure servers to update client devices.

  • In an existing domain, if you are performing VTP cleanup, configure passwords on servers first. Clients may need to maintain current VLAN information until the server contains a complete VLAN database. After the VLAN database on the server is verified as complete, client passwords can be configured to be the same as the servers. Clients will then accept updates from the server.



2.6 VLAN Lab Exercises

2.6.1 Lab 2-0 Clearing a Switch

Lab Activity

Lab Exercise: Lab 2-0a Clearing a Switch

The purpose of this lab is to clear a switch and prepare it for a new lab.


Lab Activity

Lab Exercise: Lab 2-0b Clearing a Switch Connected to a Larger Network

The purpose of this lab is to clear a switch that is connected to other switches and prepare it for a new lab.


Note:

It is required that the student study the commands covered in the module using the labs and the Command Reference. Not all required commands are covered in sufficient detail in the text alone. Successful completion of this course requires a thorough knowledge of command syntax and application.
The Command Reference can be found on the Cisco.com website at the following URL:
http://www.cisco.com/en/US/products/ps6441/prod_command_reference_list.html





2.6.2 Lab 2-1 Catalyst 2960 and 3560 Series Static VLANS, VLAN Trunking, and VTP Domain and Modes

Lab Activity

Lab Exercise: Lab 2-1 Catalyst 2960 and 3560 Series Static VLANS, VLAN Trunking, and VTP Domain and Modes

Set up a VTP domain, create and maintain VLANs, and use Inter-Switch Link (ISL) and 802.1Q trunking on Cisco Catalyst 2960 and 3560 series Ethernet switches using command-line interface (CLI) mode.

Summary


This module examined the function of VLANs and how they are implemented in a switched campus network. Depending on its configuration as an access or trunk port, each switch port can be associated with one or many VLANs. The ISL and 802.1Q protocols are used to establish trunk links carrying traffic for multiple VLANs. Trunk links between switches can also carry VTP information, which allows VLAN names and descriptions contained in a VLAN database to be shared between switches.

CCNP Module 2.4

2.4 Propagating VLAN Configurations with VLAN Trunking Protocol

2.4.1 Explaining VTP Domains



In an enterprise network with many interconnected switches, maintaining a consistent list of VLANs across those switches can be administratively cumbersome and potentially error prone. The VLAN Trunking Protocol (VTP) is designed to automate this administrative task.

Switches that share common VLAN information are organized into logical groups called VTP management domains. The VLAN information within a VTP domain is propagated through trunk links and is updated via the VTP, allowing all switches within a particular domain to maintain identical VLAN databases.

Only “global” VLAN information regarding VLAN number, name, and description is exchanged. Information on how ports are assigned to VLANs on a given switch is kept local to the switch and is not part of a VTP advertisement.

These are the attributes of a VTP Domain:

  • A switch may be in only one VTP domain.

  • A VTP domain may be as small as only one switch.

  • VTP updates are exchanged only with other switches in the same domain.

  • The way VLAN information is exchanged between switches in the same domain depends upon the VTP mode of the switch.

  • By default, a Catalyst switch is in the no-management-domain state until it receives an advertisement for a domain over a trunk link, or until a management domain is configured.


2.4.2 Describing VTP


VTP is a Layer 2 messaging protocol that maintains VLAN configuration consistency by managing the additions, deletions, and name changes of VLANs on all switches in a VTP domain. Switches sharing a single VTP domain exchange VTP updates to distribute and synchronize VLAN information.

VTP runs over trunk links, allowing interconnected switches to distribute and synchronize a single list of configured VLANs. This process reduces the manual configuration required at each switch; VLANs can be created on one switch and then propagated to others.



VTP has the following attributes:

  • It is a Cisco proprietary protocol.

  • Advertises VLANs 1 through 1005 only.

  • Updates are exchanged only across trunk links.

  • Each switch operates in a given VTP mode that determines how updates are sent from and received by that switch.



Currently, Catalyst switches run VTP versions 1, 2, and 3. Version 2 is the most common, although within version 2, the default operating mode of the switch is version 1.



Version 2 provides these features:

  • Support for Token Ring switches

  • Consistency checks on new VTP and VLAN configuration parameters

  • Propagation of VTP updates that have an unrecognized type, length, or value

  • Forwarding of VTP updates from transparent mode switches without checking the version number

VTP version 3 is now available on some switches that use the Cisco Catalyst operating system. When enabled, VTP version 3 provides these enhancements to previous VTP versions:

  • Support for extended VLANs

  • Support for the creation and advertising of private VLANs

  • Support for VLAN instances and MST mapping propagation instances

  • Improved server authentication

  • Protection from the wrong database accidentally being inserted into a VTP domain

  • Interaction with VTP versions 1 and 2

  • Ability to be configured on a per-port basis

CAUTION:

VTP versions 1 and 2 are not interoperable on switches in the same VTP domain. Every switch in the VTP domain must use the same VTP version. Do not enable VTP version 2 unless every switch in the VTP domain supports version 2.

There are some guidelines to using VTP within the Campus Infrastructure module:

  • The VTP domain is restricted to building switch blocks.

  • VTP keeps VLAN information consistent between the Building Distribution layer and Building Access layer switches.

  • VLAN configuration errors or failures are confined to the distribution and access layer switch blocks.

  • Knowledge of all VLANs does not need to exist on all switches within the Campus Infrastructure module. Use of VTP is optional, and in high-availability environments it is best practice to set all switches to ignore VTP updates.

CAUTION:

VLANs deleted on one switch may be deleted on all switches in the VTP domain, and thus all ports are removed from that VLAN. Delete VLANs with caution on a switch participating in a VTP domain with other switches.


2.4.3 VTP Modes


VTP can be configured on each switch to operate in one of three modes: server, client, or transparent.


The default mode is server. The mode determines if VLANs can be created on the switch and how the switch participates in sending and receiving VTP advertisements. The number of VLANs that can be configured on a switch varies by mode.

The figure describes the features of the VTP client, server, and transparent modes.

CAUTION:

Before adding a VTP client or server to a VTP domain, always verify that its VTP configuration revision number is lower than the configuration revision number of the other switches in the VTP domain. Switches in a VTP domain always use the VLAN configuration of the switch with the highest VTP configuration revision number. If you add a switch in server or client mode that has a revision number that is higher than the revision number in the VTP domain, it can erase all VLAN information from the VTP server and VTP domain. To reset the VTP revision number on the switch that is being added, either modify the VTP domain name or set the VTP mode to transparent.


2.4.4 Describing VTP Pruning


VTP pruning uses VLAN advertisements to determine when a trunk connection is flooding traffic needlessly.

By default, a trunk connection carries traffic for all VLANs in the VTP management domain. Commonly, some switches in an enterprise network do not have local ports configured in each VLAN. In the figure, only switches 1 and 4 support ports statically configured in the red VLAN.

VTP pruning increases available bandwidth by restricting flooded traffic to those trunk links that the traffic must use to access the appropriate network devices. VLAN1 is always ineligible for pruning; traffic from VLAN1 cannot be pruned.

The figure shows a switched network without VTP pruning enabled on the left. Port 1 on switch 1 and port 2 on switch 4 are assigned to the red VLAN. A broadcast is sent from the host connected to switch 1. Switch 1 floods the broadcast, and every network device in the network receives it, even though switches 3, 5, and 6 have no ports in the red VLAN. With VTP pruning enabled, the broadcast traffic from station A is not forwarded to switches 3, 5, and 6 because traffic for the red VLAN has been pruned on the links indicated on switches 2 and 4.

Note:
You can implement VTP pruning only on VTP servers, not on clients. Consider VTP pruning support to minimize traffic on trunk links.
Note:
A switch runs an instance of spanning tree for each VLAN that it is aware of, even if no ports are active or if VTP pruning is enabled. VTP pruning prevents unnecessary flooded traffic but does not eliminate the switch knowledge of pruned VLANs.

2.4.5 Describing VTP Operation



Switches within a VTP management domain synchronize their VLAN databases by sending and receiving VTP advertisements over trunk links. VTP advertisements are flooded throughout a management domain by switches running in specific modes of operation. Advertisements are sent every 5 minutes or whenever there is a change in VLAN configuration. VTP advertisements are transmitted over VLAN1, using a Layer 2 multicast frame. VLAN advertisements are not propagated from a switch until a management domain name is specified or learned.

The figure shows the general order of VLAN synchronization over VTP.

One of the most critical components of VTP is the configuration revision number. When initially configured, the VTP configuration revision number is set to 0. Each time a VTP server modifies its VLAN information, it increments the VTP configuration revision number by one. It then sends out a VTP advertisement referencing the new configuration revision number. If the configuration revision number being advertised is higher than the number stored on other switches in the VTP domain, they overwrite their VLAN configurations with the new information.

CAUTION:

Because of the overwrite process, if all VLANs on a VTP server are deleted, the VTP server sends an advertisement with a higher revision number. The receiving devices in the VTP domain accept the advertisement and delete those VLANs as well.

Three types of VTP advertisements are exchanged between switches:

  • Summary advertisements: An update sent by VTP servers every 300 seconds or when a VLAN database change occurs. Among other things, this advertisement lists the management domain, VTP version, domain name, configuration revision number, time stamp, and number of subset advertisements. If the advertisement results from a VLAN database change, one or more subset advertisements will follow.

  • Subset advertisements: An update that follows a summary advertisement resulting from a change in the VLAN database. A subset advertisement cites the specific change that was made to a specific VLAN entry in the VLAN database. One subset advertisement is sent for each VID that encountered a change.

  • Advertisement requests from clients: An update sent by a switch requesting information to update its VLAN database. If a client hears a VTP summary advertisement with a configuration revision number higher than its own, the switch may send an advertisement request. A switch operating in VTP server mode then responds with summary and subset advertisements.

Note:
VTP advertisements are associated with VLAN database information only, not with VLAN information configured on specific switch ports. Likewise, on a receiving switch, the receipt of new VLAN information does not change the VLAN associations of trunk or access ports on that switch.

2.4.6 Describing VTP Configuration Commands



The vtp configuration command is used to configure VTP characteristics for a switch. All switches in the same VTP domain share the same VTP domain name and password, if one is configured. It is a good idea to set the VTP mode to “client” if switches are being added to an existing switched network.

The show vtp commands are used to verify the current VTP parameter values.



The figure describes the commands that are used to configure VTP.


2.4.7 Configuring a VTP Management Domain



Default VTP configuration values depend on the switch model and the software version. The default values for the Catalyst 2900, 4000, and 6000 series switches are as follows:

  • VTP domain name: None

  • VTP mode: Server

  • VTP password: None

  • VTP trap: Disabled (Simple Network Management Protocol [SNMP] traps communicating VTP status)

The VTP domain name can be specified or learned from VTP updates received from other switches. By default, the domain name is not set.

A password can be set for the VTP management domain. The password must be the same for all switches in the domain in order for the VLAN database to be synchronized among switches.



The steps for configuring VTP vary per design and switch mode, but the general steps for configuring a switch are as follows:



Step 1 Establish a design specifying which switches are server, client, or transparent, and what the boundaries are for the VTP domain.


Step 2 Verify the current VLAN information on any switch that will be configured as server.


Step 3 Specify the VTP password (optional).


Step 4 Specify the version number, if other than the default.


Step 5 Specify the VTP domain name (case-sensitive).


Step 6 Configure the VTP mode.


Step 7 Verify the configuration.


Step 8 Verify that updates are being sent from or received by the switch as intended.

The figure describes the commands used to configure a switch to become part of a VTP domain. Follow these steps from privileged EXEC mode.



Use the show vtp status command to verify the VTP configuration.

When initially configuring switches in a VTP domain, pay close attention to the configuration revision number. Check to see that it increments only when changes are made at intended VTP servers.

In the figure, “Configuration last modified by 10.1.1.1” specifies the IP address of the switch that last updated the VLAN database of this switch.

Note:
In this example, VTP version 2 is available (as shown by the “VTP Version” line of the output), but not enabled (as shown by the “VTP V2 Mode”).

Use the show vtp counters command to display statistics about VTP operation.

Output from this command verifies if VTP updates are being sent and received by the switch, and it records the number of updates that have been seen.



2.4.8 Adding New Switches to an Existing VTP Domain

The configuration revision number is used when determining if a switch should keep its existing VLAN database or overwrite it with the VTP update sent by another switch in the same domain with the same password. Therefore, when a switch is added to a network, it is important that it does not inject spurious information into the domain.


CAUTION:

This overwrite occurs whether the switch is a VTP client or server. A VTP client can erase VLAN information on a VTP server. One indication that information has been erased is when many of the ports in the network go into inactive state because the ports are now assigned to a nonexistent VLAN. An example of a VTP client overwriting a VTP server will be shown later.



The figure describes the procedure for adding a new switch to a network. For VLAN stability, it is critical to add a switch in this manner.
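The overwrite shown in 2.5.5 and the procedure described here, as an added simulation (not code from the page or from Cisco): it models the revision-number rule, the domain and password check, and the two resets named in the 2.4.3 caution (change the domain name or move to transparent mode). VLAN names, the password, and the stand-in MD5 comparison are constructed assumptions, not Cisco's exact computation.

```python
"""Simulate the VTP revision-number overwrite from 2.5.5 and how to avoid it.

Added example; it is not Cisco's code and not code from the page. It models
only what the text states: a switch in server or client mode replaces its
VLAN database when an advertisement from the same domain with the same
password carries a higher configuration revision; a transparent switch never
does; and changing the domain name or moving to transparent mode resets the
revision to 0. The MD5 comparison stands in for the password check (an
assumption about how the digest is used, not Cisco's exact computation).
"""
import hashlib
from dataclasses import dataclass, field

# VLANs every Catalyst switch knows before any are created
DEFAULT_VLANS = {1: "default", 1002: "fddi-default", 1003: "token-ring-default",
                 1004: "fddinet-default", 1005: "trnet-default"}


@dataclass
class VtpSwitch:
    name: str
    mode: str                       # "server", "client" or "transparent"
    domain: str = ""
    password: str = ""
    revision: int = 0
    vlans: dict = field(default_factory=lambda: dict(DEFAULT_VLANS))

    def digest(self) -> str:
        """Domain + password hash carried in advertisements (assumed form)."""
        return hashlib.md5(f"{self.domain}:{self.password}".encode()).hexdigest()

    def add_vlan(self, vid: int, name: str) -> None:
        """Create a VLAN; servers bump the revision, clients are refused."""
        if self.mode == "client":
            raise PermissionError(f"{self.name}: VTP clients cannot create VLANs")
        self.vlans[vid] = name
        if self.mode == "server":
            self.revision += 1

    def set_mode(self, mode: str) -> None:
        """2.4.3: moving to transparent resets the revision number to 0."""
        if mode == "transparent":
            self.revision = 0
        self.mode = mode

    def set_domain(self, domain: str) -> None:
        """2.4.3: changing the domain name also resets the revision to 0."""
        if domain != self.domain:
            self.revision = 0
        self.domain = domain

    def summary_advertisement(self) -> dict:
        return {"domain": self.domain, "digest": self.digest(),
                "revision": self.revision, "vlans": dict(self.vlans)}

    def receive(self, adv: dict) -> bool:
        """Apply an advertisement; return True if the local database was replaced."""
        if self.mode == "transparent":          # keeps its own database
            return False
        if adv["domain"] != self.domain or adv["digest"] != self.digest():
            return False                        # wrong domain or password
        if adv["revision"] <= self.revision:
            return False                        # nothing newer here
        self.vlans, self.revision = dict(adv["vlans"]), adv["revision"]
        return True


def connect(a: VtpSwitch, b: VtpSwitch) -> dict:
    """Bring up the trunk: each side processes the other's summary advertisement."""
    adv_a, adv_b = a.summary_advertisement(), b.summary_advertisement()
    return {a.name: a.receive(adv_b), b.name: b.receive(adv_a)}


def scenario(mitigation: str = "none", password2: str = "s3cret") -> dict:
    """Reproduce 2.5.5: server at revision 1 / 6 VLANs meets client at 2 / 7."""
    sw1 = VtpSwitch("Switch1", "server", "building1", "s3cret")
    sw1.add_vlan(10, "users")                   # revision 1, 6 VLANs
    sw2 = VtpSwitch("Switch2", "server", "building1", password2)
    sw2.add_vlan(20, "lab")                     # stale VLANs from its old life
    sw2.add_vlan(30, "old")                     # revision 2, 7 VLANs
    sw2.set_mode("client")                      # server->client keeps the revision
    if mitigation == "transparent":
        sw2.set_mode("transparent")             # revision back to 0
    elif mitigation == "rename-domain":         # rename and restore the domain
        sw2.set_domain("scratch")
        sw2.set_domain("building1")
    changed = connect(sw1, sw2)
    return {"Switch1": (sw1.revision, len(sw1.vlans)),
            "Switch2": (sw2.revision, len(sw2.vlans)), "overwritten": changed}


if __name__ == "__main__":
    for m in ("none", "transparent", "rename-domain"):
        print(f"{m:14}", scenario(m))
```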

CCNP Module 2.2: Implementing VLANs

2.2 Implementing VLANs


2.2.1 VLAN Configuration Modes



VLANs are created in either global configuration or VLAN database mode on most Cisco IOS software-based switches. Global configuration mode is the preferred way of creating and managing VLANs because the user interface is familiar. When a VLAN is created or deleted, the change occurs as soon as the user presses the Enter key on the VLAN configuration line. The commands in this courseware delineate VLAN creation and management using global configuration mode, as shown in the figure.


Note:
Global configuration mode can be used to configure VLANs in the range 1 to 1005 and must be used to configure extended-range VLANs (1006 to 4094). The VLAN Trunking Protocol (VTP) configuration revision number is incremented each time a VLAN is created or changed.

Alternatively, VLANs can be created and managed using VLAN database mode.

VLAN database mode is session-oriented. When you add, delete, or modify VLAN parameters, the changes are not applied until you enter the apply or exit command. You can also exit VLAN database mode and not apply the changes by entering the abort command.

To access this mode, the vlan database command is executed from privileged EXEC mode. From this mode, you can add, delete, and modify configurations for VLANs in the range 1 to 1005.

Note:
This mode has been deprecated and will be removed in some future release. The move to the global VLAN configuration mode is consistent with a more traditional Cisco router IOS-type approach.


2.2.2 Explaining VLAN Access Ports



When an end system is connected to a switch port, it needs to be associated with a VLAN, in accordance with the network design. To associate a device with a VLAN, the switch port to which the device connects is assigned to a single data VLAN and thus becomes an access port. A switch port can become an access port through static or dynamic configuration.

On most switches, VLAN membership results from execution of a specific switchport configuration command. In a local VLAN strategy, the switch port is associated with the same VLAN as the other devices on that same switch or switch cluster.

Attributes and characteristics of access ports:

  • An access port is associated with a single VLAN.

  • The VLAN to which the access port is assigned must exist in the VLAN database of the switch; otherwise, the port will be associated with an inactive VLAN that does not forward frames.

  • Because an access switch port is part of a VLAN or broadcast domain, the port receives broadcasts, multicasts, unicast floods, and so forth that are sent to all ports in the VLAN.

  • The end device typically has an IP address in a subnet that is common to all other devices on the same access VLAN.

Dynamic Access Port Association

Switch ports can be dynamically associated with a given VLAN based upon the MAC address of the device connecting on that port. This requires that the switch query a VLAN Membership Policy Server (VMPS) to determine which VLAN to associate with a switch port when a specific source MAC address is seen on the switch port.

This might be beneficial with a set of workstations that rove throughout the enterprise. Regardless of what switch or switch port the workstation is connected to, that switch port becomes an access port on a single, specific VLAN. Some security situations may require dynamic VLAN associations. Dynamic VLANs require additional equipment and are not consistent with the ECNM, so they are not discussed in this course.



2.2.3 Describing VLAN Implementation Commands



The figure describes the primary commands used to implement VLANs and to verify their configuration in the Cisco Catalyst switch IOS interface.



2.2.4 Implementing a VLAN

To create or configure a VLAN and associate switch ports, follow these steps:


Step 1 Create the VLAN.



Before assigning a switch port to a specific VLAN, the VLAN may need to be created. The following example shows the syntax for creating a VLAN using the Cisco IOS interface.

To create a VLAN or enter VLAN configuration mode, use the vlan command:

Switch(config)#vlan vlan_id

Step 2 Verify the VLAN configuration.



Execute the show vlan command from privileged EXEC mode. It displays information about a particular VLAN. The fields in the show vlan command output are described in the table.



Step 3 Associate switch ports with the VLAN.

Switch ports that are to function at Layer 2 and carry traffic for a single VLAN are configured as access switch ports and are assigned an access VLAN.

To configure a Layer 2 switch port as an access port:

Switch(config-if)#switchport mode access

To assign the access port to a specific VLAN:

Switch(config-if)#switchport access vlan vlan_id

Step 4 Verify the switch port configuration.

The following commands are useful for verifying that a switch port is configured as intended:

show interface type slot/port switchport
show running-config interface type slot/port
show vlan
Switch# show running-config interface fastethernet 5/6
Building configuration...
!
Current configuration :33 bytes
interface FastEthernet 5/6
switchport access vlan 200
switchport mode access
end

Step 5 Test VLAN connectivity.

  • Ensure that the connected device has a correctly configured IP address and a subnet mask that places it on the same network as the default gateway.

  • Ping the default gateway.

  • If the ping to the default gateway is successful, the VLAN configuration and the IP address configuration have been verified.

Step 6 Implement switch and VLAN security measures.

When implementing VLANs, you should consider a few measures to secure the VLAN and the switch itself. The security policy of the organization will likely have more detailed recommendations, but these can provide a foundation.

  • Create a “parking-lot” VLAN with a VLAN ID (VID) other than VLAN1, and place all unused switch ports in this VLAN. This VLAN may provide the user with some minimal network connectivity. (Check on the security policy of your organization before implementing.)

  • Disable unused switch ports, depending on the security policy of the organization.


2.3.1 Explaining VLAN Trunks


Multiple VLANs are supported between switches through VLAN trunks. A trunk is a Layer 2 link between switches that are running a specialized trunking protocol. Trunks carry the traffic of multiple VLANs over physical links (multiplexing) and enable the extension of a single Layer 2 VLAN between switches.


When frames from more than one VLAN traverse the same trunk link, the trunking protocol must mark each frame to identify its VLAN as the frame is placed onto the trunk link. The receiving switch then knows the frame’s VLAN of origin and can process the frame accordingly.



On the receiving switch, the VID is removed when the frame is forwarded onto an access link associated with its VLAN.

A special protocol is required to establish a trunk link between two devices. A trunk link may exist between these devices:

  • Two switches

  • A switch and a router

  • A switch and a trunk-capable NIC in a node such as a server

If a single physical link carries traffic for multiple VLANs, each frame must be “marked” with a VID so that it is differentiated from frames coming from other VLANs. This marking or frame identification is accomplished through a trunking protocol. Frame identification uniquely assigns an ID, referred to as a VID, to each frame. Each receiving switch examines this VID to determine the destination VLAN of the frame.

VIDs are only associated with frames traversing a trunk link. When a frame enters or exits the switch on an access link, no VID is present. The ASIC on the switch port assigns the VID to a frame as it is placed on a trunk link, and also strips off the VID if the frame exits an access switch port.

Trunk links should be managed so that they carry only traffic for intended VLANs. This practice keeps unwanted VLAN data traffic from traversing links unnecessarily. Trunk links are used between the access and distribution layers of the campus switch block. These are the trunk protocols used to carry multiple VLANs over a single link:

  • Inter-Switch Link (ISL): Cisco ISL

  • 802.1Q: IEEE standard trunking protocol


Depending on the trunking protocol, data frames sent across a trunk link are either encapsulated or tagged. The purpose of encapsulating or tagging frames is to provide the receiving switch with a VID to identify the VLAN from which the frame originated. The trunking protocol ISL, a Cisco proprietary protocol, encapsulates frames, while IEEE 802.1Q inserts a tag into the original Layer 2 data frame.



2.3.2 Describing ISL Trunking


ISL is a Cisco proprietary protocol option for configuring Layer 2 trunk links. It is the original standard for trunking between switches and predates IEEE trunking standards. ISL takes original Layer 2 frames and encapsulates them with a new ISL header and trailer.



Because an entirely new header and trailer are added around the original frame, ISL offers some features not found in 802.1Q, an alternative trunking protocol.

The following are some features of the ISL protocol:

  • Supports multiple Layer 2 protocols (Ethernet, Token Ring, FDDI, and ATM).

  • Supports PVST.

  • Does not use a native VLAN, so it encapsulates every frame.

  • Encapsulation process leaves original frames unmodified.

ISL Encapsulation Process

When a switch port is configured as an ISL trunk port, the entire original Layer 2 frame, including the header and FCS trailer, is encapsulated before it traverses the trunk link. Encapsulation places an additional header in the front and a trailer at the end of the original Layer 2 frame. The ISL header contains the VID of the VLAN where the frame originated. At the receiving end, the VID is read, the header and trailer are removed, and the original frame is forwarded like any regular Layer 2 frame on that VLAN.

Only ISL trunk ports can properly receive ISL encapsulated frames. A non-ISL port receiving an ISL frame may consider the frame size to be invalid or may not recognize the fields in the header. The frame is usually dropped and counted as a transmission error when received by a non-ISL port.



ISL Header

The ISL header contains various fields with values that define attributes of the original Layer 2 data within the encapsulated frame. This information is used for forwarding, media identification, and VLAN identification.



The population of the fields within the ISL header varies, based on the type of VLAN and the media of the link. The ASIC on an Ethernet port encapsulates the frames with a 26-byte ISL header and a 4-byte FCS. This 30-byte ISL encapsulation overhead is consistent among the Layer 2 protocols supported on Cisco Catalyst switches, but the overall size of the frame varies and is limited by the maximum transmission unit (MTU) of the original Layer 2 protocol.

The ISL Ethernet frame header contains these information fields:

  • DA (destination address): 40-bit destination address. This is a multicast address and is set at 0x01-00-0C-00-00 or 0x03-00-0C-00-00. The first 40 bits of the DA field signal to the receiver that the packet is in ISL format.

  • Type: 4-bit descriptor of the encapsulated frame types: Ethernet (0000), Token Ring (0001), FDDI (0010), and ATM (0011).

  • User: 4-bit descriptor used as the Type field extension or to define Ethernet priorities. It is a binary value from 0, the lowest priority, to 3, the highest priority. The default User field value is 0000. For Ethernet frames, the User field bits 0 and 1 indicate the priority of the packet as it passes through the switch.

  • SA (source address): 48-bit source MAC address of the transmitting Cisco Catalyst switch port.

  • LEN (length): 16-bit frame-length descriptor minus DA, Type, User, SA, LEN, and CRC.

  • AAAA03: Standard Subnetwork Access Protocol (SNAP) 802.2 logical link control (LLC) header.

  • HS (high bits of source address): First 3 bytes of the SA (manufacturer or unique organizational ID).

  • VID: 15-bit VID. Only the lower 10 bits are used for 1024 VLANs.

  • BPDU (bridge protocol data unit): 1-bit descriptor identifying whether the frame is a spanning tree BPDU. It also identifies if the encapsulated frame is a Cisco Discovery Protocol (CDP) or VLAN Trunk Protocol (VTP) frame and indicates if the frame should be sent to the control plane of the switch.

  • INDX (index): 16 bits to indicate the port index of the source of the packet as it exits the switch. It is used for diagnostic purposes only and may be set to any value by other devices. It is a 16-bit value and is ignored in received packets.

  • RES: 16 bits reserved for Token Ring and FDDI frames.

  • Encapsulated Ethernet Frame: Encapsulated data packet, including its own CRC value, completely unmodified. The internal frame must have a CRC value that is valid when the ISL encapsulation fields are removed. A receiving switch may strip off the ISL encapsulation fields and use this ENCAP FRAME field as the frame is received (associating the appropriate VLAN and other values with the received frame as indicated for switching purposes).

ISL Trailer

The trailer portion of the ISL encapsulation is an FCS that carries a CRC value calculated on the original frame plus the ISL header as the ISL frame was placed onto the trunk link. The receiving ISL port recalculates this value. If the CRC values do not match, the frame is discarded. If the values match, the switch discards the FCS as a part of removing the ISL encapsulation so that the original frame can be processed. The ISL trailer consists of the 4-byte FCS field: This sequence contains a 32-bit CRC value, which is created by the sending MAC and is recalculated by the receiving MAC to check for damaged frames. The FCS is generated over the DA, SA, LEN, Type, and Data fields. When an ISL header is attached, a new FCS is calculated for the entire ISL packet and added to the end of the frame.
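As an added example that is not part of the course text, the following Python builds and strips the 26-byte ISL header and 4-byte trailer using the field widths listed above. The sample frame, the source MAC and the use of zlib's CRC-32 for the FCS are assumptions for illustration.

```python
import struct
import zlib

ISL_DA = 0x01000C0000          # 40-bit multicast DA that marks a frame as ISL
ISL_TYPE_ETHERNET = 0b0000     # Type nibble: the encapsulated frame is Ethernet
ISL_HEADER_LEN = 26            # header size on an Ethernet port
ISL_FCS_LEN = 4                # trailer: CRC over header + original frame


def isl_encapsulate(frame: bytes, vid: int, src_mac: bytes, user: int = 0,
                    bpdu: bool = False, index: int = 0) -> bytes:
    """Wrap an unmodified Ethernet frame (including its own FCS) in ISL."""
    if not 0 <= vid < 1024:    # only the low 10 bits of the 15-bit VID are used
        raise ValueError("ISL VID must be 0..1023")
    # DA (40 bits) + Type (4 bits) + User (4 bits) share the first 6 bytes
    header = ((ISL_DA << 8) | (ISL_TYPE_ETHERNET << 4) | (user & 0xF)).to_bytes(6, "big")
    header += src_mac                                    # SA: 48-bit source MAC
    # LEN: everything after the LEN field except the trailing CRC, i.e.
    # AAAA03 (3) + HSA (3) + VID/BPDU (2) + INDX (2) + RES (2) + frame
    header += struct.pack("!H", 12 + len(frame))
    header += b"\xAA\xAA\x03"                            # SNAP / 802.2 LLC header
    header += src_mac[:3]                                # HSA: OUI of the SA
    header += struct.pack("!H", (vid << 1) | int(bpdu))  # 15-bit VID + 1-bit BPDU
    header += struct.pack("!H", index)                   # INDX: diagnostic only
    header += b"\x00\x00"                                # RES: Token Ring / FDDI only
    assert len(header) == ISL_HEADER_LEN
    body = header + frame
    return body + struct.pack("!I", zlib.crc32(body))    # new FCS over the whole ISL frame


def isl_decapsulate(isl_frame: bytes) -> tuple:
    """Verify the outer FCS, read the VID and return (vid, original_frame)."""
    body, fcs = isl_frame[:-ISL_FCS_LEN], isl_frame[-ISL_FCS_LEN:]
    if struct.unpack("!I", fcs)[0] != zlib.crc32(body):
        raise ValueError("ISL FCS mismatch: frame discarded")
    if int.from_bytes(body[:5], "big") != ISL_DA:
        raise ValueError("not an ISL frame")             # a non-ISL port would drop it
    vid_bpdu = struct.unpack("!H", body[20:22])[0]
    return vid_bpdu >> 1, body[ISL_HEADER_LEN:]          # inner frame is untouched


def sample_frame() -> bytes:
    """Constructed 64-byte Ethernet frame: header, 46-byte payload, its own FCS."""
    body = bytes.fromhex("ffffffffffff" "0200000000aa" "0800") + bytes(46)
    return body + struct.pack("!I", zlib.crc32(body))
```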



2.3.3 Describing 802.1Q Trunking


Like ISL, 802.1Q is a protocol that allows a single physical link to carry traffic for multiple VLANs. It is the IEEE standard VLAN trunking protocol. Rather than encapsulating the original Layer 2 frame in its entirety, 802.1Q inserts a tag into the original Ethernet header, then recalculates and updates the FCS in the original frame and transmits the frame over the trunk link.



The 802.1Q protocol, often referred to as “dot-1Q,” offers the clear benefit of being the first IEEE standards-based trunking protocol for Ethernet. It allows multiple VLANs to traverse infrastructure equipment where cross vendor links exist.

The 802.1Q protocol has the following features:

  • Support for Ethernet and Token Ring

  • Support for 4096 VLANs

  • Support for Common Spanning Tree (CST), Multiple Spanning Tree Protocol (MSTP), and Rapid Spanning Tree Protocol (RSTP)

  • Point-to-multipoint topology support

  • Support for untagged traffic over the trunk link via native VLAN

  • Extended QoS support

  • Growing standard for IP telephony links

To identify a frame with a given VLAN, the 802.1Q protocol adds a tag, or a field, to the standard Layer 2 Ethernet data frame. The components of this tag are shown in Figure . Because inserting the tag alters the original frame, the switch must recalculate and alter the FCS value for the original frame before sending it out the 802.1Q trunk port. In contrast, ISL does not modify the original frame at all.

The new 802.1Q Tag field has the following components:

  • EtherType: Uses EtherType 0x8100 to indicate this is an 802.1Q frame.

  • PRI: 3 bits; carries priority information for the frame.

  • Token Ring Encapsulation Flag: Indicates the canonical interpretation of the frame if it is passed from Ethernet to Token Ring. This value is always set to zero for Ethernet switches.

  • VID: VLAN association of the frame. By default, all normal and extended-range VLANs are supported.



If a non-802.1Q-enabled device or an access port receives an 802.1Q frame, the tag data is ignored, and the packet is switched at Layer 2 as a standard Ethernet frame. This allows for the placement of Layer 2 intermediate devices, such as other switches or bridges, along the 802.1Q trunk path. To process an 802.1Q tagged frame, a device must allow an MTU of 1522 or higher.

Note:
An Ethernet frame that has a larger MTU than expected (1518 by default for Ethernet) but no larger than 1600 bytes registers as a Layer 2 error frame called a “baby giant.” For ISL, the original frame plus ISL encapsulation can generate a frame as large as 1548 bytes, and 1522 bytes for an 802.1Q tagged frame.



2.3.4 Explaining 802.1Q Native VLANs



When configuring an 802.1Q trunk, a matching native VLAN must be defined on each end of the trunk link. A trunk link is inherently associated with tagging each frame with a VID. The purpose of the native VLAN is to allow frames not tagged with a VID to traverse the trunk link. An 802.1Q native VLAN is defined as one of the following:

  • VLAN that a port is associated with when not in trunking operational mode

  • VLAN that is associated with untagged frames that are received on a switch port

  • VLAN to which Layer 2 frames are forwarded if received untagged on an 802.1Q trunk port

Compare this to ISL, in which no frame may be transported on the trunk link without encapsulation, and any unencapsulated frames received on a trunk port are immediately dropped.

Each physical port has a parameter called a port VID (PVID). Every 802.1Q port is assigned a PVID value equal to the native VID. When a port receives a tagged frame that is to traverse the trunk link, the tag is respected. For all untagged frames, the PVID is considered the tag. This allows the frames to traverse devices that may be unable to read VLAN tag information.



Native VLANs have the following attributes:

  • A trunk port supports only one active native VLAN per operational mode. The modes are access and trunk.

  • By default, on Cisco Catalyst switches, all switch ports and native VLANs for 802.1Q are assigned to VLAN1.

  • The 802.1Q trunk ports connected to each other via physical or logical segments must all have the same native VLAN configured to operate correctly.

  • If the native VLAN is misconfigured for trunk ports on the same trunk link, Layer 2 loops can occur due to diverting STP BPDUs from their correct VLAN.
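As an added example that is not part of the course text, the following Python serves both 2.3.3 and 2.3.4: it inserts and parses the 802.1Q tag with the FCS recalculation described above, applies the PVID rule to untagged frames, and shows how a native VLAN mismatch merges two VLANs. The sample frames, VLAN numbers and the use of zlib's CRC-32 for the FCS are assumptions for illustration.

```python
import struct
import zlib

DOT1Q_ETHERTYPE = 0x8100      # marks a tagged frame
ETH_MAX_UNTAGGED = 1518       # header + 1500-byte payload + FCS
ETH_MAX_TAGGED = 1522         # the 4-byte tag pushes a full frame past 1518


def fcs(data: bytes) -> bytes:
    return struct.pack("!I", zlib.crc32(data))


def sample_frame(payload_len: int = 46) -> bytes:
    """Constructed untagged frame: broadcast DA, locally administered SA, IPv4 type."""
    body = bytes.fromhex("ffffffffffff" "0200000000aa" "0800") + bytes(payload_len)
    return body + fcs(body)


def dot1q_tag(frame: bytes, vid: int, pri: int = 0) -> bytes:
    """Insert the tag after the SA and recompute the FCS (ISL would not touch it)."""
    if not 0 < vid < 4095:
        raise ValueError("802.1Q VID must be 1..4094")
    tci = ((pri & 0x7) << 13) | vid   # PRI (3 bits) | CFI (1 bit, 0 on Ethernet) | VID (12 bits)
    body = frame[:12] + struct.pack("!HH", DOT1Q_ETHERTYPE, tci) + frame[12:-4]
    return body + fcs(body)


def is_baby_giant(frame: bytes) -> bool:
    """Bigger than a standard Ethernet frame but no larger than 1600 bytes."""
    return ETH_MAX_UNTAGGED < len(frame) <= 1600


def classify(frame: bytes, port_mode: str, pvid: int, mtu: int = ETH_MAX_TAGGED):
    """Return (vlan, frame) as a port with the given PVID (native VLAN) would."""
    if len(frame) > mtu:
        raise ValueError("frame exceeds port MTU")
    if port_mode == "access" or struct.unpack("!H", frame[12:14])[0] != DOT1Q_ETHERTYPE:
        # untagged on a trunk, or any frame on an access port: the PVID is the tag
        return pvid, frame
    vid = struct.unpack("!H", frame[14:16])[0] & 0x0FFF
    body = frame[:12] + frame[16:-4]          # strip the tag, restore the original FCS
    return vid, body + fcs(body)


def trunk_transit(frame: bytes, vid: int, tx_native: int, rx_native: int) -> int:
    """VLAN the far end assigns to a frame sent in `vid` across an 802.1Q trunk.
    Frames of the sender's native VLAN cross untagged; the receiver maps untagged
    frames to its own native VLAN, so a mismatch silently merges two VLANs."""
    on_wire = frame if vid == tx_native else dot1q_tag(frame, vid)
    return classify(on_wire, "trunk", rx_native)[0]
```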



2.3.5 Explaining VLAN Ranges



Each VLAN on the network must have a unique VID. The valid range of user-configurable ISL VLANs is 1 to 1024. The valid range of VLANs specified in the IEEE 802.1Q standard is 1 to 4094.

Figure describes VLAN ranges and their use.

As a best practice, assign extended VLANs starting with 4094 and work downward, because some switches use extended-range VIDs for internal use starting at the low end of the extended range. Refer to "Configuring Extended-Range VLANs" in the software configuration guide associated with your switch platform and software release.



2.3.6 Describing Trunking Configuration Commands

Commands for configuring a trunk vary depending on your switch’s operating system. The commands in Figure are for a Cisco IOS software-based switch.



Figure describes commands for configuring a trunk on a switch that is running Cisco IOS software. A trunk link can be configured statically or dynamically.

Trunk links should be configured statically whenever possible. However, Cisco Catalyst switch ports run Dynamic Trunking Protocol (DTP), which can automatically negotiate a trunk link. This Cisco proprietary protocol can determine an operational trunking mode and protocol on a switch port when it is connected to another device that is also capable of dynamic trunk negotiation.

DTP mode can be configured to turn the protocol off or to instruct it to negotiate a trunk link only under certain conditions, as described in Figure .



The default DTP mode is Cisco IOS and platform dependent. To determine the current DTP mode, use the show dtp interface command. Note that this command is not available on Catalyst 2950 and 3550 switches, but is available on Catalyst 2960 and 3560 switches.

Note:
General best practice is to set the interface to trunk and nonegotiate when a trunk link is required. DTP should be turned off on links where trunking is not intended.

2.3.7 Configuring Trunking


Switch ports are configured for trunking using Cisco IOS commands. To configure a switch port as an 802.1Q or an ISL trunking port, follow these steps on each trunk interface.



Step 1 Enter interface configuration mode.

Step 2 Shut down the interface to prevent the possibility of premature autoconfiguration.

Step 3 Select the trunking encapsulation. Note that some switches support only ISL or 802.1Q. In particular, the Catalyst 2950 and 2960 support only 802.1Q.

Step 4 Configure the interface as a Layer 2 trunk.

Step 5 Configure the trunking native VLAN number for 802.1Q links. This number must match at both ends of an 802.1Q trunk.

Step 6 Configure the allowable VLANs for this trunk. This is necessary if VLANs are restricted to certain trunk links. This is best practice with the Enterprise Composite Network Model and leads to the correct operation of VLAN interfaces.

Step 7 Use the no shutdown command on the interface to activate the trunking process.

Step 8 Verify the trunk configuration using show commands.

Figure shows how to configure interface Fast Ethernet 5/8 as an 802.1Q trunk. Frames from VLANs 1, 5, 11, and 1002 to 1005 will be allowed to traverse the trunk link. The switchport mode for the interface is trunk (on), and no DTP messages will be sent on the interface.

Note:
For security reasons, the native VLAN has been configured to be an “unused” VLAN. This will be discussed in more detail later.

Figure describes the commands used to configure a switch port as an 802.1Q trunk link.


CAUTION:

Ensure that the native VLAN for an 802.1Q trunk is the same on both ends of the trunk link. If there is a native VLAN mismatch, traffic is not transmitted correctly on the trunk.



Use show commands to display port information, switch port information, or trunking information.



The output in Figure shows that DTP has negotiated with the other switch to enable 802.1Q trunking. Also note that the native VLAN has been configured to be VLAN99. It is best practice that the native VLAN is not left as the default of VLAN1 and should be an “unused” VLAN. This will be discussed in more detail later.



In Figure , interface Fast Ethernet 2/1 has been configured as a trunk link for ISL that is permanently on. DTP negotiation is not allowed. The trunk link will carry VLAN traffic for VLANs 1 through 5 and 1002 through 1005. VLANs 2 through 5 are configured on various access ports on the switch, and the trunk links need to carry the frames for these VLANs in addition to the frames for the system VLANs 1 and 1002-1005.



Note:
It is best practice to shut down an interface while configuring trunking attributes so that premature autonegotiation cannot occur.

When configuring the Layer 2 trunk to not use DTP, the following syntax is used so that the trunk mode is set to “on” and no DTP messages are sent on the interface:

  • Enter the shutdown command in the interface mode.

  • Enter the switchport trunk encapsulation command.

  • Enter the switchport mode trunk command.

  • Enter the switchport nonegotiate command.

  • Enter the no shutdown command.

Use show commands to display port information, switch port information, or trunking information.
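As an added example that is not part of the course text, the following Python audits interface stanzas from show running-config output against the practices in this section: static trunks with DTP turned off, a native VLAN moved off VLAN 1, and a restricted allowed-VLAN list. The sample configuration, interface names and VLAN numbers are constructed; the commands themselves are standard Cisco IOS syntax.

```python
import re

# Constructed sample of `show running-config` interface stanzas.
SAMPLE_CONFIG = """\
interface FastEthernet5/6
 switchport access vlan 200
 switchport mode access
!
interface FastEthernet5/7
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface FastEthernet5/8
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 99
 switchport trunk allowed vlan 1,5,11,1002-1005
 switchport mode trunk
 switchport nonegotiate
!
interface FastEthernet5/9
 description no switchport mode configured, DTP default applies
!
"""


def parse_interfaces(config: str) -> dict:
    """Map each interface name to its indented command lines."""
    stanzas, current = {}, None
    for line in config.splitlines():
        m = re.match(r"interface (\S+)", line)
        if m:
            current = m.group(1)
            stanzas[current] = []
        elif current and line.startswith(" "):
            stanzas[current].append(line.strip())
        else:
            current = None          # "!" or any unindented line ends the stanza
    return stanzas


def audit_trunks(config: str) -> dict:
    """Return findings per interface; an empty list means nothing to flag."""
    findings = {}
    for name, cmds in parse_interfaces(config).items():
        issues = []
        mode = next((c.split()[2] for c in cmds if c.startswith("switchport mode ")), None)
        native = next((c.split()[-1] for c in cmds
                       if c.startswith("switchport trunk native vlan ")), "1")
        if mode is None:
            issues.append("no switchport mode: DTP default may negotiate a trunk")
        elif mode == "dynamic":
            issues.append("DTP negotiation enabled: set mode access or trunk explicitly")
        elif mode == "trunk":
            if "switchport nonegotiate" not in cmds:
                issues.append("DTP still running on a static trunk: add switchport nonegotiate")
            if native == "1":
                issues.append("native VLAN left at default VLAN 1")
            if not any(c.startswith("switchport trunk allowed vlan ") for c in cmds):
                issues.append("all VLANs allowed on trunk: restrict to intended VLANs")
        findings[name] = issues
    return findings
```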