Tuesday, June 30, 2009

CCNP - Module 2.5

2.5 Correcting Common VLAN Configuration Errors


2.5.1 Describing Issues with 802.1Q Native VLANs


Figure shows a frequent configuration error. The native VLAN configured on each end of an 802.1Q trunk must be the same. Remember that a switch receiving an untagged frame assigns it to the native VLAN of the trunk. If one end is configured for native VLAN 1 and the other for native VLAN 2, a frame sent in VLAN 1 on one side is received in VLAN 2 on the other; VLANs 1 and 2 have effectively been merged across the trunk. There is no reason this should ever be desired, and connectivity issues will occur in the network.

Cisco switches use Cisco Discovery Protocol (CDP) to warn of a native VLAN mismatch.

In Figure , the PCs connected to the hub are sending untagged frames. Because the frames are untagged, they become part of VLAN 1 on the left-hand switch and part of VLAN 2 on the right-hand switch.

Figure describes the mitigation of 802.1Q native VLAN issues.



2.5.2 Resolving Issues with 802.1Q Native VLANs


Consider the following issues when you are configuring a native VLAN on an 802.1Q trunk link:

  • The native VLAN interface configurations must match at both ends of the link or the trunk may not form.

  • By default, the native VLAN is VLAN1. For the purpose of security, the native VLAN on a trunk should be set to a specific VID that is not used for normal operations elsewhere on the network.

Switch(config-if)#switchport trunk native vlan vlan-id
  • If there is a native VLAN mismatch on an 802.1Q link, CDP (if used and functioning) issues a “native VLAN mismatch” error.

  • On select versions of Cisco IOS software, CDP may not be transmitted or automatically turns off if VLAN1 is disabled on the trunk.

  • If there is a native VLAN mismatch on either side of an 802.1Q link, Layer 2 loops may occur because VLAN 1 STP BPDUs are sent to the IEEE STP MAC address (0180.c200.0000) untagged.

  • When troubleshooting VLANs, note that a link can have one native VLAN association when in access mode, and another native VLAN association when in trunk mode.
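The merge described above can be reproduced with a small model of how an 802.1Q trunk tags and untags frames; this is an added example, not part of the CCNP text, and the function names and the constructed VLAN lists are its own assumptions. The audit function applies the checks from this section (matching ends, a dedicated native VID that is neither VLAN 1 nor a user VLAN).

```python
# Constructed model of 802.1Q native VLAN handling (added example, not from the text).
from typing import List, Optional


def egress_tag(frame_vlan: int, native_vlan: int) -> Optional[int]:
    """Frames leaving a trunk in the native VLAN go untagged; all others carry their VID."""
    return None if frame_vlan == native_vlan else frame_vlan


def ingress_vlan(tag: Optional[int], native_vlan: int) -> int:
    """An arriving untagged frame is assigned to the receiving trunk's native VLAN."""
    return native_vlan if tag is None else tag


def end_to_end(frame_vlan: int, native_a: int, native_b: int) -> int:
    """VLAN in which a frame sent in frame_vlan by switch A is received on switch B."""
    return ingress_vlan(egress_tag(frame_vlan, native_a), native_b)


def audit_native_vlan(native_a: int, native_b: int, user_vlans: List[int]) -> List[str]:
    """Findings for a trunk whose ends use native_a and native_b.

    user_vlans lists the VIDs that carry normal traffic elsewhere in the network.
    """
    findings = []
    if native_a != native_b:
        findings.append(f"native VLAN mismatch: {native_a} vs {native_b} "
                        f"(untagged VLAN {native_a} frames from A land in VLAN {native_b} on B)")
    for end, native in (("A", native_a), ("B", native_b)):
        if native == 1:
            findings.append(f"end {end}: native VLAN is the default VLAN 1")
        if native in user_vlans:
            findings.append(f"end {end}: native VLAN {native} is also used for user traffic")
    return findings


if __name__ == "__main__":
    # Constructed scenario from the figure: left switch native 1, right switch native 2.
    print(end_to_end(1, 1, 2))                    # VLAN 1 on A arrives in VLAN 2 on B
    print(end_to_end(2, 2, 1))                    # and VLAN 2 on B arrives in VLAN 1 on A
    print(audit_native_vlan(1, 2, [1, 2, 10]))   # mismatch plus VLAN 1 / user-VLAN findings
    print(audit_native_vlan(999, 999, [1, 2, 10]))  # dedicated native VID on both ends: clean
```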

2.5.3 Describing Trunk Link Problems


The trunking mode, the trunk encapsulation type, the VTP domain, and the hardware capabilities of two connected ports determine whether an operational trunk link is formed and which type it becomes.

Consider that with the default switchport mode set to dynamic auto and with DTP enabled, if another switch is connected and is set to switchport mode trunk, the switch automatically converts the link to a trunk. This could have security implications, because it might start accepting traffic destined for any VLAN. Therefore, a malicious user could start communicating with other VLANs through that compromised port.

Following is an explanation of the three examples illustrated in Figure .

Example A

If both ends of the link are set to switchport mode auto, the link does not become a trunk, and the ports remain as access ports.

Switch1#show interface fa0/1 switchport
Name: Fa0/1
Switchport: Enabled
Administrative Mode: dynamic auto
Operational Mode: static access
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: native
Negotiation of Trunking: On

Example B

If one end of the link is set to switchport mode dynamic desirable and the other end of the link is set to switchport mode access, both ports remain as access ports.

Switch1#show interface fa0/1 switchport
Name: Fa0/1
Switchport: Enabled
Administrative Mode: dynamic desirable
Operational Mode: static access
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: native
Negotiation of Trunking: On

Switch2#show interfaces g1/0/1 switchport
Name: Gi1/0/1
Switchport: Enabled
Administrative Mode: static access
Operational Mode: static access
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: native
Negotiation of Trunking: Off

Example C

If one end of the link is set to switchport mode trunk and switchport nonegotiate and the other end of the link is set to switchport mode auto, a mismatch occurs, because the left-hand switch is not sending any DTP frames. The port that is set to switchport mode auto on the right-hand switch defaults to being an access port.

Switch1#show int fa0/1 switchport
Name: Fa0/1
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: Off

Switch2#show interfaces g1/0/1 switchport
Name: Gi1/0/1
Switchport: Enabled
Administrative Mode: dynamic auto
Operational Mode: static access
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: native
Negotiation of Trunking: On

2.5.4 Resolving Trunk Link Problems



Trunk negotiation is managed by the Dynamic Trunking Protocol (DTP), which is a point-to-point protocol. When using DTP to configure trunks, ensure that both ends of the link are in the same VTP domain.

Because DTP is a Cisco proprietary protocol, some internetworking devices do not support DTP frames, which could cause misconfigurations. To avoid this potential problem, you should turn off DTP for interfaces that are connected to devices that do not support DTP.

Use the following commands to configure ports in the appropriate mode:

  • If you do not intend to trunk across the links, use the switchport mode access interface configuration command to disable trunking.

  • To enable trunking to a device that does not support DTP, use the switchport mode trunk and switchport nonegotiate interface configuration commands to cause the interface to become a trunk but to not generate DTP frames.

  • Use the switchport trunk encapsulation isl or switchport trunk encapsulation dot1q interface configuration command to select the encapsulation type on the trunk port.

Regardless of whether a device supports DTP, general best practice is to configure trunks statically by configuring the interface to trunk and nonegotiate.
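The three examples in 2.5.3 are instances of one DTP negotiation rule, and the static configuration recommended here removes the dynamic-auto exposure noted in 2.5.3. The model below reproduces all three outcomes and the hardened result; it is an added example, not CCNP or Cisco code, and the Port class, its field names and the vtp_domain check (both ends must share a VTP domain for DTP, per 2.5.4) are this model's own assumptions.

```python
# Constructed model of DTP trunk negotiation (added example, not from the text).
from dataclasses import dataclass
from typing import Tuple


@dataclass
class Port:
    mode: str                   # "access", "trunk", "dynamic auto" or "dynamic desirable"
    nonegotiate: bool = False   # switchport nonegotiate: this port sends no DTP frames
    vtp_domain: str = "building1"

    @property
    def sends_dtp(self) -> bool:
        # Access ports and nonegotiate ports are silent; everything else advertises.
        return self.mode != "access" and not self.nonegotiate


def operational_mode(local: Port, peer: Port) -> str:
    """Operational mode the local port settles on, given what it hears from the peer."""
    if local.mode in ("access", "trunk"):
        return local.mode                    # static modes ignore DTP (Example C: trunk side)
    # Dynamic modes only trunk when the peer actually sends DTP in the same VTP domain.
    if not peer.sends_dtp or peer.vtp_domain != local.vtp_domain:
        return "access"                      # Example B (peer access), Example C (peer nonegotiate)
    if local.mode == "dynamic desirable":
        return "trunk" if peer.mode in ("trunk", "dynamic desirable", "dynamic auto") else "access"
    # dynamic auto never initiates, so auto + auto stays access (Example A).
    return "trunk" if peer.mode in ("trunk", "dynamic desirable") else "access"


def negotiate(a: Port, b: Port) -> Tuple[str, str]:
    """Operational modes of both ends of one link."""
    return operational_mode(a, b), operational_mode(b, a)


def hardened(p: Port, intended_trunk: bool) -> Port:
    """Static configuration from 2.5.4: trunk + nonegotiate, or plain access."""
    if intended_trunk:
        return Port("trunk", nonegotiate=True, vtp_domain=p.vtp_domain)
    return Port("access", vtp_domain=p.vtp_domain)


if __name__ == "__main__":
    print(negotiate(Port("dynamic auto"), Port("dynamic auto")))            # Example A
    print(negotiate(Port("dynamic desirable"), Port("access")))             # Example B
    print(negotiate(Port("trunk", nonegotiate=True), Port("dynamic auto")))  # Example C
    # Default dynamic auto port facing a device that announces trunk: becomes a trunk.
    print(negotiate(Port("dynamic auto"), Port("trunk")))
    # Same port configured statically as access: stays access whatever the peer sends.
    print(negotiate(hardened(Port("dynamic auto"), False), Port("trunk")))
```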



2.5.5 Common Problems with VTP Configuration

Some unexpected results can occur after VTP configuration and .

The configuration revision number is used when determining if a switch should keep its existing VLAN database or overwrite it with the VTP update sent by another switch in the same domain with the same password. Therefore, when a switch is added to a network, it is important that it does not inject spurious information into the domain.

Following is an example of a VTP client overwriting a VTP server when correct procedures were not followed.

The VTP server, Switch1, is currently at configuration revision 1 and knows of six VLANs.

Switch1#show vtp status
VTP Version : 2
Configuration Revision : 1
Maximum VLANs supported locally : 1005
Number of existing VLANs : 6
VTP Operating Mode : Server
VTP Domain Name : building1
VTP Pruning Mode : Disabled
VTP V2 Mode : Disabled
VTP Traps Generation : Disabled
MD5 digest : 0x0B 0xED 0x6C 0xE2 0x16 0xE9 0x3D 0x3C
Configuration last modified by 172.16.1.111 at 3-1-93 00:29:26
Local updater ID is 172.16.1.111 on interface Vl1 (lowest numbered VLAN interface found)

The new switch, Switch2, has not yet been connected to the network. It is a VTP client with a configuration revision of 2 and knows of seven VLANs.

Switch2#show vtp status
VTP Version : 2
Configuration Revision : 2
Maximum VLANs supported locally : 250
Number of existing VLANs : 7
VTP Operating Mode : Client
VTP Domain Name : building1
VTP Pruning Mode : Disabled
VTP V2 Mode : Disabled
VTP Traps Generation : Disabled
MD5 digest : 0x7C 0x2A 0x2B 0xF1 0x2C 0x90 0x5D 0xB2
Configuration last modified by 172.16.1.11 at 3-1-93 00:34:17

The link between Switch1 and Switch2 is now connected and the VTP client overwrites the VTP server because of the higher configuration revision number.

Switch1#
00:43:47: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/1, changed state to up

Switch1#show vtp status
VTP Version : 2
Configuration Revision : 2
Maximum VLANs supported locally : 1005
Number of existing VLANs : 7
VTP Operating Mode : Server
VTP Domain Name : building1
VTP Pruning Mode : Disabled
VTP V2 Mode : Disabled
VTP Traps Generation : Disabled
MD5 digest : 0x7C 0x2A 0x2B 0xF1 0x2C 0x90 0x5D 0xB2
Configuration last modified by 172.16.1.11 at 3-1-93 00:34:17
Local updater ID is 172.16.1.111 on interface Vl1 (lowest numbered VLAN interface found)

To prevent a VTP domain from being overwritten, always add a new switch either in VTP transparent mode or as a VTP client with a revision number that is lower than the revision number in the existing VTP domain.
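The revision-number rule and both mitigations can be checked with the small model below; it is an added example, not CCNP or Cisco code, and the class and field names, the password comparison standing in for the MD5 digest, and the VLAN lists (constructed to match the six and seven VLAN counts shown) are this model's own assumptions.

```python
# Constructed model of VTP database replacement (added example, not from the text).
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class VtpSwitch:
    name: str
    mode: str            # "server", "client" or "transparent"
    domain: str
    password: str        # stands in for the MD5 digest shown in "show vtp status"
    revision: int
    vlans: List[int] = field(default_factory=list)

    def advertises(self) -> bool:
        # Transparent switches relay VTP but never originate their own database.
        return self.mode in ("server", "client")

    def receive(self, adv: "VtpSwitch") -> bool:
        """Process a summary advertisement; True if the local VLAN database was replaced.

        Only the same domain and password are accepted, and only a strictly higher
        revision wins. Whether the sender is a client or a server is irrelevant.
        """
        if self.mode == "transparent" or not adv.advertises():
            return False
        if adv.domain != self.domain or adv.password != self.password:
            return False
        if adv.revision <= self.revision:
            return False
        self.revision, self.vlans = adv.revision, list(adv.vlans)
        return True


def connect(a: VtpSwitch, b: VtpSwitch) -> List[str]:
    """Bring up the trunk between a and b; return the names whose database was overwritten."""
    overwritten = []
    if a.receive(b):
        overwritten.append(a.name)
    if b.receive(a):
        overwritten.append(b.name)
    return overwritten


def page_scenario(new_mode: str = "client", new_revision: int = 2) -> Dict[str, object]:
    """Rebuild the 2.5.5 scenario: server at revision 1 with six VLANs meets a new switch."""
    switch1 = VtpSwitch("Switch1", "server", "building1", "secret", 1,
                        [1, 10, 1002, 1003, 1004, 1005])           # six VLANs (constructed)
    switch2 = VtpSwitch("Switch2", new_mode, "building1", "secret", new_revision,
                        [1, 10, 20, 1002, 1003, 1004, 1005])       # seven VLANs (constructed)
    return {"overwritten": connect(switch1, switch2),
            "switch1": (switch1.revision, len(switch1.vlans)),
            "switch2": (switch2.revision, len(switch2.vlans))}
```

page_scenario() reproduces the client overwriting the server; page_scenario("transparent") and page_scenario("client", 0) show the two fixes from the paragraph above, with the server keeping revision 1 and six VLANs in both cases.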



2.5.6 Best Practice for VTP Configuration

Following is a list of general best practices with regard to configuring VTP in the enterprise composite network model:

  • Plan boundaries for the VTP domain. Not all switches in the network need information on all VLANs in the network. In the enterprise composite model, the VTP domain should be restricted to redundant distribution switches and the access switches that they serve.

  • Have only one or two switches specifically configured as VTP servers and the remainder as clients.

  • Configure a password so that no switch can join the VTP domain with a domain name only (which can be derived dynamically).

  • Manually configure the VTP domain name on all switches that are installed in the network so that the mode can be specified and the default server mode on all switches can be overwritten.

  • When you are setting up a new domain, configure VTP client switches first so that they participate passively. Then configure servers to update client devices.

  • In an existing domain, if you are performing VTP cleanup, configure passwords on servers first. Clients may need to maintain current VLAN information until the server contains a complete VLAN database. After the VLAN database on the server is verified as complete, client passwords can be configured to be the same as the servers. Clients will then accept updates from the server.



2.6 VLAN Lab Exercises

2.6.1 Lab 2-0 Clearing a Switch

Lab Activity

Lab Exercise: Lab 2-0a Clearing a Switch

The purpose of this lab is to clear a switch and prepare it for a new lab.


Lab Activity

Lab Exercise: Lab 2-0b Clearing a Switch Connected to a Larger Network

The purpose of this lab is to clear a switch that is connected to other switches and prepare it for a new lab.


Note:

It is required that the student study the commands covered in the module using the labs and the Command Reference. Not all required commands are covered in sufficient detail in the text alone. Successful completion of this course requires a thorough knowledge of command syntax and application.
The Command Reference can be found on the Cisco.com website at the following URL:
http://www.cisco.com/en/US/products/ps6441/prod_command_reference_list.html





2.6.2 Lab 2-1 Catalyst 2960 and 3560 Series Static VLANS, VLAN Trunking, and VTP Domain and Modes

Lab Activity

Lab Exercise: Lab 2-1 Catalyst 2960 and 3560 Series Static VLANS, VLAN Trunking, and VTP Domain and Modes

Set up a VTP domain, create and maintain VLANs, and use Inter-Switch Link (ISL) and 802.1Q trunking on Cisco Catalyst 2960 and 3560 series Ethernet switches using command-line interface (CLI) mode.

Summary


This module examined the function of VLANs and how they are implemented in a switched campus network. Depending on its configuration as an access or trunk port, each switch port can be associated with one or many VLANs. The ISL and 802.1Q protocols are used to establish trunk links carrying traffic for multiple VLANs. Trunk links between switches can also carry VTP information, which allows VLAN names and descriptions contained in a VLAN database to be shared between switches.
