Tuesday, June 30, 2009

CCNP Module 2.2 - Implementing VLANs

2.2 Implementing VLANs


2.2.1 VLAN Configuration Modes



VLANs are created in either global configuration mode or VLAN database mode on most Cisco IOS software-based switches. Global configuration mode is the preferred way of creating and managing VLANs because the user interface is familiar. When a VLAN is created or deleted, the change takes effect as soon as the user presses Enter on the VLAN configuration line. The commands in this courseware delineate VLAN creation and management using global configuration mode, as shown in the figure.


Note:
Global configuration mode can be used to configure VLANs in the range 1 to 1005 and must be used to configure extended-range VLANs (1006 to 4094). The VLAN Trunking Protocol (VTP) configuration revision number is incremented each time a VLAN is created or changed.

Alternatively, VLANs can be created and managed using VLAN database mode.

VLAN database mode is session-oriented. When you add, delete, or modify VLAN parameters, the changes are not applied until you enter the apply or exit command. You can also exit VLAN database mode and not apply the changes by entering the abort command.

To access this mode, the vlan database command is executed from privileged EXEC mode. From this mode, you can add, delete, and modify configurations for VLANs in the range 1 to 1005.

Note:
This mode has been deprecated and will be removed in a future release. The move to global VLAN configuration mode is consistent with the more traditional Cisco IOS router-style approach.


2.2.2 Explaining VLAN Access Ports



When an end system is connected to a switch port, it needs to be associated with a VLAN, in accordance with the network design. To associate a device with a VLAN, the switch port to which the device connects is assigned to a single data VLAN and thus becomes an access port. A switch port can become an access port through static or dynamic configuration.

On most switches, VLAN membership results from execution of a specific switchport configuration command. In a local VLAN strategy, the switch port is associated with the same VLAN as the other devices on that same switch or switch cluster.

Attributes and characteristics of access ports:

  • An access port is associated with a single VLAN.

  • The VLAN to which the access port is assigned must exist in the VLAN database of the switch; otherwise, the port will be associated with an inactive VLAN that does not forward frames.

  • Because an access switch port is part of a VLAN or broadcast domain, the port receives broadcasts, multicasts, unicast floods, and so forth that are sent to all ports in the VLAN.

  • The end device typically has an IP address in a subnet that is common to all other devices on the same access VLAN.

Dynamic Access Port Association

Switch ports can be dynamically associated with a given VLAN based upon the MAC address of the device connecting on that port. This requires that the switch query a VLAN Membership Policy Server (VMPS) to determine which VLAN to associate with a switch port when a specific source MAC address is seen on the switch port.

This might be beneficial with a set of workstations that rove throughout the enterprise. Regardless of what switch or switch port the workstation is connected to, that switch port becomes an access port on a single, specific VLAN. Some security situations may require dynamic VLAN associations. Dynamic VLANs require additional equipment and are not consistent with the ECNM, so they are not discussed in this course.



2.2.3 Describing VLAN Implementation Commands



The figure describes the primary commands used to implement VLANs and to verify their configuration in the Cisco Catalyst switch IOS interface.



2.2.4 Implementing a VLAN

To create or configure a VLAN and associate switch ports, follow these steps:


Step 1 Create the VLAN.



Before assigning a switch port to a specific VLAN, the VLAN may need to be created. The following example shows the syntax for creating a VLAN using the Cisco IOS interface.

To create a VLAN or enter VLAN configuration mode, use the vlan command:

Switch(config)#vlan vlan_id

Step 2 Verify the VLAN configuration.



Execute the show vlan command from privileged EXEC mode. It lists every VLAN in the VLAN database together with its status and member ports; show vlan id vlan_id restricts the output to a single VLAN. The fields in the show vlan command output are described in the table.



Step 3 Associate switch ports with the VLAN.

Switch ports that are to function at Layer 2 and carry traffic for a single VLAN are configured as access switch ports and are assigned an access VLAN.

To configure a Layer 2 switch port as an access port:

Switch(config-if)#switchport mode access

To assign the access port to a specific VLAN:

Switch(config-if)#switchport access vlan vlan_id

Step 4 Verify the switch port configuration.

The following commands are useful for verifying that a switch port is configured as intended:

show interfaces type slot/port switchport
show running-config interface type slot/port
show vlan

For example:

Switch# show running-config interface fastethernet 5/6
Building configuration...
!
Current configuration :33 bytes
interface FastEthernet 5/6
switchport access vlan 200
switchport mode access
end

Step 5 Test VLAN connectivity.

  • Ensure that the connected device has a correctly configured IP address and a subnet mask that places it on the same network as the default gateway.

  • Ping the default gateway.

  • If the ping to the default gateway is successful, the VLAN configuration and the IP address configuration have been verified.

Step 6 Implement switch and VLAN security measures.

When implementing VLANs, you should consider a few measures to secure the VLAN and the switch itself. The security policy of the organization will likely have more detailed recommendations, but these provide a foundation.

  • Create a “parking-lot” VLAN with a VLAN ID (VID) other than VLAN 1, and place all unused switch ports in this VLAN. Do not give this VLAN a Layer 3 interface or a route out of it, so that a device plugged into an unused port receives at most the minimal connectivity your policy allows. (Check the security policy of your organization before implementing.)

  • Disable unused switch ports with the shutdown command, depending on the security policy of the organization.

  • Configure each port that connects an end system as a static access port (switchport mode access) and turn DTP off on it (switchport nonegotiate), so that a device on the port cannot negotiate it into a trunk.


2.3.1 Explaining VLAN Trunks


Multiple VLANs are supported between switches through VLAN trunks. A trunk is a Layer 2 link between switches that are running a specialized trunking protocol. Trunks carry the traffic of multiple VLANs over physical links (multiplexing) and enable the extension of a single Layer 2 VLAN between switches.


As frames traverse a trunk link, the trunking protocol marks each frame to identify its associated VLAN as the frame is placed onto the trunk link. The receiving switch then knows the frame’s VLAN of origin and can process the frame accordingly.



On the receiving switch, the VID is removed when the frame is forwarded onto an access link associated with its VLAN.

A special protocol is required to establish a trunk link between two devices. A trunk link may exist between these devices:

  • Two switches

  • A switch and a router

  • A switch and a trunk-capable NIC in a node such as a server

If a single physical link carries traffic for multiple VLANs, each frame must be “marked” with a VID so that it is differentiated from frames coming from other VLANs. This marking or frame identification is accomplished through a trunking protocol. Frame identification uniquely assigns an ID, referred to as a VID, to each frame. Each receiving switch examines this VID to determine the destination VLAN of the frame.

VIDs are only associated with frames traversing a trunk link. When a frame enters or exits the switch on an access link, no VID is present. The ASIC on the switch port assigns the VID to a frame as it is placed on a trunk link, and also strips off the VID if the frame exits an access switch port.

Trunk links should be managed so that they carry only traffic for intended VLANs. This practice keeps unwanted VLAN data traffic from traversing links unnecessarily. Trunk links are used between the access and distribution layers of the campus switch block. These are the trunk protocols used to carry multiple VLANs over a single link :

  • Inter-Switch Link (ISL): Cisco ISL

  • 802.1Q: IEEE standard trunking protocol


Depending on the trunking protocol, data frames sent across a trunk link are either encapsulated or tagged. The purpose of encapsulating or tagging frames is to provide the receiving switch with a VID to identify the VLAN from which the frame originated. The trunking protocol ISL, a Cisco proprietary protocol, encapsulates frames, while IEEE 802.1Q inserts a tag into the original Layer 2 data frame.



2.3.2 Describing ISL Trunking


ISL is a Cisco proprietary protocol option for configuring Layer 2 trunk links. It is Cisco’s original trunking method between switches and predates the IEEE trunking standard. ISL takes original Layer 2 frames and encapsulates them with a new ISL header and trailer.



Because an entirely new header is appended to the original frame, the header offers some features not found in 802.1Q, an alternative trunking protocol.

The following are some features of the ISL protocol:

  • Supports multiple Layer 2 protocols (Ethernet, Token Ring, FDDI, and ATM).

  • Supports PVST.

  • Does not use a native VLAN, so it encapsulates every frame.

  • Encapsulation process leaves original frames unmodified.

ISL Encapsulation Process

When a switch port is configured as an ISL trunk port, the entire original Layer 2 frame, including the header and FCS trailer, is encapsulated before it traverses the trunk link. Encapsulation places an additional header in the front and a trailer at the end of the original Layer 2 frame. The ISL header contains the VID of the VLAN where the frame originated. At the receiving end, the VID is read, the header and trailer are removed, and the original frame is forwarded like any regular Layer 2 frame on that VLAN.

Only ISL trunk ports can properly receive ISL encapsulated frames. A non-ISL port receiving an ISL frame may consider the frame size to be invalid or may not recognize the fields in the header. The frame is usually dropped and counted as a transmission error when received by a non-ISL port.



ISL Header

The ISL header contains various fields with values that define attributes of the original Layer 2 data within the

encapsulated frame. This information is used for forwarding, media identification, and VLAN identification.



The population of the fields within the ISL header varies, based on the type of VLAN and the media of the link. The ASIC on an Ethernet port encapsulates the frames with a 26-byte ISL header and a 4-byte FCS. This 30-byte ISL encapsulation overhead is consistent among the Layer 2 protocols supported on Cisco Catalyst switches, but the overall size of the frame varies and is limited by the maximum transmission unit (MTU) of the original Layer 2 protocol.

The ISL Ethernet frame header contains these information fields:

  • DA (destination address): 40-bit destination address. This is a multicast address and is set to 0x01-00-0C-00-00 or 0x03-00-0C-00-00. The first 40 bits of the DA field signal to the receiver that the packet is in ISL format.

  • Type: 4-bit descriptor of the encapsulated frame types: Ethernet (0000), Token Ring (0001), FDDI (0010), and ATM (0011).

  • User: 4-bit descriptor used as the Type field extension or to define Ethernet priorities. It is a binary value from 0, the lowest priority, to 3, the highest priority. The default User field value is 0000. For Ethernet frames, the User field bits 0 and 1 indicate the priority of the packet as it passes through the switch.

  • SA (source address): 48-bit source MAC address of the transmitting Cisco Catalyst switch port.

  • LEN (length): 16-bit length of the ISL packet, excluding the DA, Type, User, SA, LEN, and FCS fields (that is, the total length minus 18 bytes).

  • AAAA03: Standard Subnetwork Access Protocol (SNAP) 802.2 logical link control (LLC) header.

  • HS (high bits of source address): First 3 bytes of the SA (manufacturer or unique organizational ID).

  • VID: 15-bit VID field. Only the lower 10 bits are used, giving 1024 VLANs.

  • BPDU (bridge protocol data unit): 1-bit descriptor identifying whether the frame is a spanning tree BPDU. It also identifies if the encapsulated frame is a Cisco Discovery Protocol (CDP) or VLAN Trunk Protocol (VTP) frame and indicates if the frame should be sent to the control plane of the switch.

  • INDX (index): 16-bit port index of the source of the packet as it exits the switch. It is used for diagnostic purposes only, may be set to any value by other devices, and is ignored in received packets.

  • RES: 16 bits reserved for Token Ring and FDDI frames.

  • Encapsulated Ethernet Frame: Encapsulated data packet, including its own CRC value, completely unmodified. The internal frame must have a CRC value that is valid when the ISL encapsulation fields are removed. A receiving switch may strip off the ISL encapsulation fields and use this ENCAP FRAME field as the frame is received (associating the appropriate VLAN and other values with the received frame as indicated for switching purposes).

ISL Trailer

The trailer portion of the ISL encapsulation is an FCS that carries a CRC value calculated on the original frame plus the ISL header as the ISL frame was placed onto the trunk link. The receiving ISL port recalculates this value. If the CRC values do not match, the frame is discarded. If the values match, the switch discards the FCS as a part of removing the ISL encapsulation so that the original frame can be processed. The ISL trailer consists of the 4-byte FCS field: This sequence contains a 32-bit CRC value, which is created by the sending MAC and is recalculated by the receiving MAC to check for damaged frames. The FCS is generated over the DA, SA, LEN, Type, and Data fields. When an ISL header is attached, a new FCS is calculated for the entire ISL packet and added to the end of the frame.
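The encapsulation and decapsulation described in this section, written out as an added Python example (it is not code from the course page). The MAC addresses, payload and VLAN number are constructed sample values; the header layout follows the field list above, with the Type and User nibbles packed into one byte and the 15-bit VID and BPDU bit packed into one 16-bit word. The example also shows the 30-byte overhead that turns a 1518-byte frame into a 1548-byte one, and what a port that does not speak ISL makes of it.

```python
import struct
import zlib

# Added example, not from the course page: build and decode ISL-encapsulated
# Ethernet frames with the header layout described above. All addresses and
# payloads below are constructed sample values.
ISL_DA = bytes.fromhex("01000c0000")    # 40-bit ISL multicast DA (0x01-00-0C-00-00)
ISL_HEADER_LEN = 26
ISL_OVERHEAD = ISL_HEADER_LEN + 4       # header plus the trailing 4-byte ISL FCS


def fcs(data: bytes) -> bytes:
    """Ethernet FCS: CRC-32 over the frame, transmitted least-significant byte first."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def ethernet_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    """Untagged Ethernet II frame including its own FCS."""
    body = dst + src + struct.pack("!H", ethertype) + payload
    return body + fcs(body)


def isl_encapsulate(frame: bytes, vid: int, port_mac: bytes,
                    bpdu: bool = False, index: int = 0) -> bytes:
    """Wrap an entire Ethernet frame (its FCS included) in a 26-byte ISL header and 4-byte trailer."""
    if not 0 <= vid < 1024:
        raise ValueError("ISL uses only the lower 10 VID bits (0-1023)")
    # LEN: total packet length excluding DA, Type/User, SA, LEN and FCS (18 bytes).
    length = ISL_OVERHEAD + len(frame) - 18
    header = (
        ISL_DA
        + bytes([0x00])                              # Type=0000 (Ethernet), User=0000
        + port_mac                                   # SA: 48-bit MAC of the transmitting port
        + struct.pack("!H", length)                  # LEN
        + bytes.fromhex("AAAA03")                    # SNAP LLC header
        + port_mac[:3]                               # HSA: OUI of the source address
        + struct.pack("!H", (vid << 1) | int(bpdu))  # 15-bit VID + 1-bit BPDU flag
        + struct.pack("!H", index)                   # INDX: diagnostic only
        + struct.pack("!H", 0)                       # RES: reserved (Token Ring/FDDI)
    )
    assert len(header) == ISL_HEADER_LEN
    return header + frame + fcs(header + frame)


def isl_decapsulate(packet: bytes) -> dict:
    """Receiving ISL port: check the outer FCS, read the VID, strip the encapsulation."""
    if packet[:5] != ISL_DA:
        raise ValueError("not an ISL frame: DA lacks the ISL signature")
    if fcs(packet[:-4]) != packet[-4:]:
        raise ValueError("ISL FCS mismatch: frame discarded")
    vid_bpdu, index, _reserved = struct.unpack("!HHH", packet[20:26])
    inner = packet[26:-4]
    if fcs(inner[:-4]) != inner[-4:]:
        raise ValueError("inner FCS invalid: original frame was modified in transit")
    return {
        "type": packet[5] >> 4,
        "user": packet[5] & 0x0F,
        "sa": packet[6:12],
        "len": struct.unpack("!H", packet[12:14])[0],
        "vid": vid_bpdu >> 1,
        "bpdu": bool(vid_bpdu & 1),
        "index": index,
        "frame": inner,
    }


def non_isl_port_verdict(packet: bytes, mtu: int = 1518) -> str:
    """What a port that does not speak ISL makes of the same bytes: usually an oversize error."""
    if len(packet) > mtu:
        return "dropped: %d bytes exceeds the %d-byte Ethernet maximum" % (len(packet), mtu)
    return "unrecognized header fields; frame likely dropped"


if __name__ == "__main__":
    original = ethernet_frame(b"\xff" * 6, bytes.fromhex("0242ac110002"), 0x0800, b"\x00" * 1500)
    isl = isl_encapsulate(original, vid=200, port_mac=bytes.fromhex("001b2f000001"))
    print(len(original), "->", len(isl), "bytes on the trunk")   # 1518 -> 1548
    print(isl_decapsulate(isl)["vid"], non_isl_port_verdict(isl))
```

The inner frame is carried untouched, so a receiver can verify the original FCS after stripping the encapsulation; any change to the bytes in transit fails the outer CRC first and the packet is discarded, which is the behaviour the trailer description above calls for.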



2.3.3 Describing 802.1Q Trunking


Like ISL, 802.1Q is a protocol that allows a single physical link to carry traffic for multiple VLANs. It is the IEEE standard VLAN trunking protocol. Rather than encapsulating the original Layer 2 frame in its entirety, 802.1Q inserts a tag into the original Ethernet header, then recalculates and updates the FCS in the original frame and transmits the frame over the trunk link.



The 802.1Q protocol, often referred to as “dot-1Q,” offers the clear benefit of being the first IEEE standards-based trunking protocol for Ethernet. It allows multiple VLANs to traverse infrastructure equipment where cross vendor links exist.

The 802.1Q protocol has the following features:

  • Support for Ethernet and Token Ring

  • Support for 4094 usable VLANs (the VID field is 12 bits; values 0 and 4095 are reserved)

  • Support for Common Spanning Tree (CST), Multiple Spanning Tree Protocol (MSTP), and Rapid Spanning Tree Protocol (RSTP)

  • Point-to-multipoint topology support

  • Support for untagged traffic over the trunk link via native VLAN

  • Extended QoS support

  • Growing standard for IP telephony links

To identify a frame with a given VLAN, the 802.1Q protocol adds a tag, or a field, to the standard Layer 2 Ethernet data frame. The components of this tag are shown in Figure . Because inserting the tag alters the original frame, the switch must recalculate and alter the FCS value for the original frame before sending it out the 802.1Q trunk port. In contrast, ISL does not modify the original frame at all.

The 802.1Q tag field has the following components:

  • TPID (EtherType): 16 bits; the value 0x8100 indicates that this is an 802.1Q-tagged frame.

  • PRI: 3 bits; carries priority information for the frame.

  • Token Ring Encapsulation Flag (CFI): 1 bit; indicates the canonical interpretation of the frame if it is passed from Ethernet to Token Ring. This value is always set to zero for Ethernet switches.

  • VID: 12 bits; VLAN association of the frame. By default, all normal and extended-range VLANs are supported.



If a non-802.1Q-enabled device or an access port receives an 802.1Q frame, the tag data is ignored, and the packet is switched at Layer 2 as a standard Ethernet frame. This allows for the placement of Layer 2 intermediate devices, such as other switches or bridges, along the 802.1Q trunk path. To process an 802.1Q tagged frame, a device must allow an MTU of 1522 or higher.

Note:
A frame larger than the expected Ethernet maximum (1518 bytes by default) but no larger than 1600 bytes registers as a Layer 2 error frame called a “baby giant.” For ISL, the original frame plus ISL encapsulation can be as large as 1548 bytes; an 802.1Q tagged frame can be as large as 1522 bytes.



2.3.4 Explaining 802.1Q Native VLANs



When configuring an 802.1Q trunk, a matching native VLAN must be defined on each end of the trunk link. A trunk link is inherently associated with tagging each frame with a VID. The purpose of the native VLAN is to allow frames not tagged with a VID to traverse the trunk link. An 802.1Q native VLAN is defined as one of the following:

  • VLAN that a port is associated with when not in trunking operational mode

  • VLAN that is associated with untagged frames that are received on a switch port

  • VLAN to which Layer 2 frames are forwarded if received untagged on an 802.1Q trunk port

Compare this to ISL, in which no frame may be transported on the trunk link without encapsulation, and any unencapsulated frames received on a trunk port are immediately dropped.

Each physical port has a parameter called a port VID (PVID). Every 802.1Q port is assigned a PVID value equal to the native VID. When a port receives a tagged frame that is to traverse the trunk link, the tag is respected. For all untagged frames, the PVID is considered the tag. This allows the frames to traverse devices that may be unable to read VLAN tag information.



Native VLANs have the following attributes:

  • A trunk port supports only one active native VLAN per operational mode (access or trunk).

  • By default, on Cisco Catalyst switches, all switch ports and native VLANs for 802.1Q are assigned to VLAN1.

  • The 802.1Q trunk ports connected to each other via physical or logical segments must all have the same native VLAN configured to operate correctly.

  • If the native VLAN is mismatched between the two ends of a trunk link, untagged frames from one side are placed into the other side’s native VLAN, so traffic leaks between the two VLANs, and Layer 2 loops can occur because STP BPDUs are diverted from their correct VLAN.
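The tag insertion of 2.3.3 and the native VLAN (PVID) handling of 2.3.4, as one added Python example that is not code from the course page. It inserts and strips the 4-byte tag with the FCS recalculated each time, classifies frames arriving on a trunk (tag respected, untagged frames assigned the PVID), and then runs a frame across a trunk whose two ends disagree on the native VLAN to show where the receiving switch puts it. Addresses, payloads and VLAN numbers are constructed sample values.

```python
import struct
import zlib

# Added example, not from the course page: insert, parse and strip 802.1Q tags and
# show how the native VLAN (PVID) classifies untagged frames on a trunk.
# Addresses, payloads and VLAN numbers below are constructed sample values.
TPID_8021Q = 0x8100


def fcs(data: bytes) -> bytes:
    """Ethernet FCS: CRC-32 over the frame, transmitted least-significant byte first."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def ethernet_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    """Untagged Ethernet II frame including its own FCS."""
    body = dst + src + struct.pack("!H", ethertype) + payload
    return body + fcs(body)


def dot1q_tag(frame: bytes, vid: int, pri: int = 0, cfi: int = 0) -> bytes:
    """Insert the 4-byte tag (TPID + PRI/CFI/VID) after the SA and recompute the FCS.
    Unlike ISL, this modifies the original frame, so its old FCS is no longer valid."""
    if not 1 <= vid <= 4094:
        raise ValueError("VID must be 1-4094 (0 and 4095 are reserved)")
    body = frame[:-4]                                    # drop the original FCS
    tci = (pri << 13) | (cfi << 12) | vid                # 3 + 1 + 12 bits
    tagged = body[:12] + struct.pack("!HH", TPID_8021Q, tci) + body[12:]
    return tagged + fcs(tagged)


def parse_tag(frame: bytes):
    """Return (pri, cfi, vid) for a tagged frame, None for an untagged one; rejects a bad FCS."""
    if fcs(frame[:-4]) != frame[-4:]:
        raise ValueError("FCS mismatch: frame discarded")
    if struct.unpack("!H", frame[12:14])[0] != TPID_8021Q:
        return None
    tci = struct.unpack("!H", frame[14:16])[0]
    return tci >> 13, (tci >> 12) & 1, tci & 0x0FFF


def untag(frame: bytes) -> bytes:
    """Strip the tag and recompute the FCS (what happens when a frame exits an access port)."""
    body = frame[:12] + frame[16:-4]
    return body + fcs(body)


def trunk_egress(frame: bytes, vid: int, native_vid: int) -> bytes:
    """Sending side: native-VLAN frames leave untagged, every other VLAN is tagged."""
    return frame if vid == native_vid else dot1q_tag(frame, vid)


def trunk_ingress(frame: bytes, pvid: int):
    """Receiving side: a tag is respected; an untagged frame is assigned the port's PVID."""
    tag = parse_tag(frame)
    if tag is None:
        return pvid, frame
    return tag[2], untag(frame)


def vlan_seen_by_peer(vid: int, native_a: int, native_b: int) -> int:
    """Send a frame from VLAN `vid` over a trunk whose ends use native_a and native_b and
    return the VLAN the receiving switch assigns it. With a mismatch, native traffic
    silently lands in the peer's native VLAN; tagged VLANs are unaffected."""
    frame = ethernet_frame(b"\xff" * 6, bytes.fromhex("0242ac110003"), 0x0806, b"\x00" * 46)
    vid_at_b, _ = trunk_ingress(trunk_egress(frame, vid, native_a), native_b)
    return vid_at_b


if __name__ == "__main__":
    full = ethernet_frame(b"\xff" * 6, bytes.fromhex("0242ac110003"), 0x0800, b"\x00" * 1500)
    print(len(full), "->", len(dot1q_tag(full, 5)), "bytes: a 1522-byte baby giant")
    print("matching native VLANs:", vlan_seen_by_peer(10, 10, 10))    # 10
    print("mismatched native VLANs:", vlan_seen_by_peer(10, 10, 20))  # 20
```

The mismatch case is the one to remember: nothing on the wire marks a native-VLAN frame, so the receiving end can only trust its own PVID, which is why both ends must be configured identically and why the native VLAN should be one that carries no user traffic.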



2.3.5 Explaining VLAN Ranges



Each VLAN on the network must have a unique VID. The valid range of user-configurable ISL VLANs is 1 to 1024. The valid range of VLANs specified in the IEEE 802.1Q standard is 1 to 4094.

Figure describes VLAN ranges and their use.

As a best practice, assign extended VLANs starting with 4094 and work downward, because some switches use extended-range VIDs for internal use starting at the low end of the extended range. Refer to "Configuring Extended-Range VLANs" in the software configuration guide associated with your switch platform and software release.



2.3.6 Describing Trunking Configuration Commands

Commands for configuring a trunk vary depending on your switch’s operating system. The commands in Figure are for a Cisco IOS software-based switch.



Figure describes commands for configuring a trunk on a switch that is running Cisco IOS software. A trunk link can be configured statically or dynamically.

Trunk links should be configured statically whenever possible. However, Cisco Catalyst switch ports run Dynamic Trunking Protocol (DTP), which can automatically negotiate a trunk link. This Cisco proprietary protocol can determine an operational trunking mode and protocol on a switch port when it is connected to another device that is also capable of dynamic trunk negotiation.

DTP mode can be configured to turn the protocol off or to instruct it to negotiate a trunk link only under certain conditions, as described in Figure .



The default DTP mode is Cisco IOS and platform dependent. To determine the current DTP mode, use the show dtp interface command. Note that this command is not available on Catalyst 2950 and 3550 switches, but is available on Catalyst 2960 and 3560 switches.

Note:
General best practice is to set the interface to trunk and nonegotiate (switchport mode trunk, switchport nonegotiate) when a trunk link is required. On links where trunking is not intended, turn DTP off by making the port a static access port (switchport mode access, switchport nonegotiate); otherwise a connected device that speaks DTP could negotiate the port into a trunk. The show interfaces type slot/port switchport output reports the result as “Negotiation of Trunking: Off”.

2.3.7 Configuring Trunking


Switch ports are configured for trunking using Cisco IOS commands. To configure a switch port as an 802.1Q or an ISL trunking port, follow these steps on each trunk interface.



Step 1 Enter interface configuration mode.

Step 2 Shut down the interface to prevent the possibility of premature autoconfiguration.

Step 3 Select the trunking encapsulation. Note that some switches support only ISL or 802.1Q. In particular, the Catalyst 2950 and 2960 support only 802.1Q.

Step 4 Configure the interface as a Layer 2 trunk.

Step 5 Configure the trunking native VLAN number for 802.1Q links. This number must match at both ends of an 802.1Q trunk.

Step 6 Configure the allowable VLANs for this trunk. This is necessary if VLANs are restricted to certain trunk links. This is best practice with the Enterprise Composite Network Model and leads to the correct operation of VLAN interfaces.

Step 7 Use the no shutdown command on the interface to activate the trunking process.

Step 8 Verify the trunk configuration using show commands.

Figure shows how to configure interface Fast Ethernet 5/8 as an 802.1Q trunk. Frames from VLANs 1, 5, 11, and 1002 to 1005 will be allowed to traverse the trunk link. The switchport mode for the interface is trunk (on), and no DTP messages will be sent on the interface.

Note:
For security reasons, the native VLAN has been configured to be an “unused” VLAN. This will be discussed in more detail later.

Figure describes the commands used to configure a switch port as an 802.1Q trunk link.


CAUTION:

Ensure that the native VLAN for an 802.1Q trunk is the same on both ends of the trunk link. If there is a native VLAN mismatch, traffic is not transmitted correctly on the trunk.



Use show commands to display port information, switch port information, or trunking information.



The output in Figure shows that DTP has negotiated with the other switch to enable 802.1Q trunking. Also note that the native VLAN has been configured to be VLAN99. It is best practice that the native VLAN is not left as the default of VLAN1 and should be an “unused” VLAN. This will be discussed in more detail later.



In Figure , interface Fast Ethernet 2/1 has been configured as a trunk link for ISL that is permanently on. DTP negotiation is not allowed. The trunk link will carry VLAN traffic for VLANs 1 through 5 and 1002 through 1005. VLANs 2 through 5 are configured on various access ports on the switch, and the trunk links need to carry the frames for these VLANs in addition to the frames for the system VLANs 1 and 1002-1005.



Note:
It is best practice to shut down an interface while configuring trunking attributes so that premature autonegotiation cannot occur.

When configuring the Layer 2 trunk to not use DTP, the following sequence sets the trunk mode to “on” and stops DTP messages on the interface:

  • Enter the shutdown command in interface configuration mode.

  • Enter the switchport trunk encapsulation dot1q (or isl) command on platforms that support both encapsulations.

  • Enter the switchport mode trunk command.

  • Enter the switchport nonegotiate command.

  • Enter the no shutdown command.

Then verify with show interfaces trunk and show interfaces type slot/port switchport; the switchport output should report the operational mode as trunk and “Negotiation of Trunking: Off”.
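A way to check a switch configuration against the practices in this section and in Step 4 and Step 6 of 2.2.4 (static access ports in an existing, non-default VLAN with DTP off; trunks with DTP off, a non-default and unused native VLAN, and a restricted allowed-VLAN list; unused ports shut down), as an added Python example that is not code from the course page. It parses interface stanzas from running-config text and VLAN IDs from show vlan brief output; the sample text is constructed, modelled on the page’s FastEthernet 5/6 and 5/8 examples, and the interface names and VLAN numbers are assumptions.

```python
import re
from collections import defaultdict

# Added example, not from the course page: audit running-config against the access-port,
# trunk and DTP practices described above. The config and show vlan brief text are
# constructed samples modelled on the page's Fa5/6 and Fa5/8 examples.
RUNNING_CONFIG = """\
interface FastEthernet5/6
 switchport access vlan 200
 switchport mode access
!
interface FastEthernet5/7
 switchport access vlan 300
 switchport mode access
 switchport nonegotiate
!
interface FastEthernet5/8
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 99
 switchport trunk allowed vlan 1,5,11,1002-1005
 switchport mode trunk
 switchport nonegotiate
!
interface FastEthernet5/9
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface FastEthernet5/10
!
interface FastEthernet5/11
 switchport access vlan 999
 switchport mode access
 shutdown
!
"""

SHOW_VLAN_BRIEF = """\
VLAN Name                             Status    Ports
---- -------------------------------- --------- -----------------
1    default                          active    Fa5/10
5    engineering                      active
11   finance                          active
99   trunk-native                     active
200  servers                          active    Fa5/6
999  parking-lot                      active    Fa5/11
"""

def parse_interfaces(config):
    """Map each 'interface ...' stanza to the list of commands under it."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None          # "!" or any other top-level line ends the stanza
    return interfaces

def parse_vlan_brief(text):
    """VLAN IDs present in the VLAN database (first column of show vlan brief)."""
    return {int(m.group(1)) for m in (re.match(r"(\d+)\s", l) for l in text.splitlines()) if m}

def argument(cmds, prefix):
    """Text following `prefix` in the first matching command, or None if absent."""
    for c in cmds:
        if c.startswith(prefix + " "):
            return c[len(prefix) + 1:].strip()
    return None

def audit(config, vlan_brief):
    """Return {interface: [finding, ...]} for every active port that deviates from the practices."""
    vlans, interfaces = parse_vlan_brief(vlan_brief), parse_interfaces(config)
    findings, native_vlans, access_vlans = defaultdict(list), {}, {}
    for name, cmds in interfaces.items():
        if "shutdown" in cmds:
            continue                                    # disabled port: nothing to check
        dtp_off = "switchport nonegotiate" in cmds
        if "switchport mode access" in cmds:
            vid = int(argument(cmds, "switchport access vlan") or 1)   # default access VLAN is 1
            access_vlans[name] = vid
            if vid == 1:
                findings[name].append("access port left in VLAN 1")
            if vid not in vlans:
                findings[name].append("access VLAN %d not in VLAN database: port is inactive and forwards nothing" % vid)
            if not dtp_off:
                findings[name].append("DTP still enabled on access port: add switchport nonegotiate")
        elif "switchport mode trunk" in cmds:
            native = int(argument(cmds, "switchport trunk native vlan") or 1)
            native_vlans[name] = native
            if native == 1:
                findings[name].append("trunk native VLAN left at default VLAN 1")
            if argument(cmds, "switchport trunk allowed vlan") is None:
                findings[name].append("trunk carries all VLANs: restrict with switchport trunk allowed vlan")
            if not dtp_off:
                findings[name].append("trunk still negotiates DTP: add switchport nonegotiate")
        else:
            findings[name].append("no static switchport mode: DTP can negotiate a trunk here; shut the port or put it in the parking-lot VLAN")
    for name, native in native_vlans.items():           # the native VLAN should be an unused VLAN
        if native in access_vlans.values():
            findings[name].append("native VLAN %d is also used as an access VLAN" % native)
    return dict(findings)
```

Run audit(RUNNING_CONFIG, SHOW_VLAN_BRIEF) and the hardened ports (FastEthernet5/8, and the shut-down FastEthernet5/11) produce no findings, while FastEthernet5/6 is flagged for DTP, FastEthernet5/7 for an access VLAN missing from the VLAN database, FastEthernet5/9 for a native VLAN of 1, an unrestricted VLAN list and DTP, and FastEthernet5/10 for having no static mode at all. The same parser runs unchanged over real show running-config and show vlan brief output captured from a switch.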
