A virtual LAN, commonly known as a VLAN, is a group of hosts with a common set of requirements that communicate as if they were attached to the same broadcast domain (all nodes can reach each other by a message to all recipients simultaneously at OSI Layer 2), regardless of their physical location.
The following are requirements necessary for two computers to exist on the same VLAN and switch.
1. Both computers must be assigned and IP address from the same subnetwork.
2. Both computers must be connected to a port on a switch that is a member of the same VLAN.
• Cost reduction
• Higher performance
• Broadcast storm mitigation
• Improved IT staff efficiency
• Simpler project or application management
• Should be used in small, medium, and enterprise size businesses
• VLAN IDs between 1 -1005
• IDs 1002-1005 are reserved for Token Ring and FDDI
• IDs 1 and 1002-1005 are automatically created and cannot be removed
• vlan.dat is where VLAN configurations are stored
• VTP – VLAN Trunking Protocol helps manage VLANs between switches
- Move the management VLAN to something other than default (which is VLAN 1),
- shutdown all unused ports in the catalyst switch.
Extended VLAN Rules
• For customer who need more VLANs can use 1006-4094
• Fewer VLAN features supported
• VTP does not support extended
• Saved in running config
At most you can have 255 configured VLANs. Cisco Catalyst switches can now piggyback up to 9 switches that will mimic one switch. Since you can purchase up to 48 ports on a switch you would then have a virtual switch of 48*9 = 432 ports available.
Types of VLANs
- Default – all switches come with VLAN 1 setup as the default VLAN.
At the initial boot up of the switch, ALL switch ports are acces ports (untagged) and become a member of the default VLAN, which makes them all part of the same broadcast domain. This allows any network device connected to any of the switch port to communicate with other devices on other switch ports.
Both CDP and STP use this VLAN to communicate and all ports are assigned to this VLAN initially. Best practice says to move all ports to another VLAN therefore creating a new default VLAN. You cannot change or delete VLAN 1 and it will always be used by CDP and STP, but you can associate all the ports to a new default VLAN,
- Data – also known as user VLAN (carry only user-generated traffic),
- Native – is assigned to an 802.1Q trunk port. This is used to pass multiple VLANs and untagged data to other switches. 802.1Q supports Legacy networks that do not have VLAN tagged traffic. You should not assign VLAN 1 as your native VLAN.
- Management – is your VLAN that you add your intermediary network devices to. This allows for easy and secure management. Again you should not use VLAN 1 as your VLAN of choice.
- Voice – it is very important to separate data VLANs from Voice VLANs.
Voice requires the following:
a. assured bandwidth to guarantee quality
b. transmission priority over other traffic
c. ability to be routed around congested areas of the network
d. delay of less than 150ms across the network
Tagged frame on native VLAN:
- dropped by the switch
- devices should not tag control traffic destined for the native VLAN
Untagged frame on native VLAN:
- have their PVID (VLAN ID) changed to value of the configured native VLAN
- remains untagged
- are forwarded to the configured native VLAN (the default native VLAN is VLAN 1)
To modify default native VLAN
sw1(config-if)# switchport trunk native vlan 5Now all traffic belonging to VLAN 5 will be transmitted untagged through the trunk interface, and all incoming untagged traffic to the trunk interface will be marked as belonging VLAN 5 (by default is VLAN 1).
Cisco IP Phone
The Cisco IP Phone is a switch with 3 10/100 ports.
Port 1 connects to the switch or other VoIP device.
Port 2 is an internal interface that carries IP phone traffic.
Port 3 (access port) connects to PC or other device.
Port 2 tags the IP phone data as voice, while Port 3 leaves PC data untagged. The port connected to the IP Phone when tagged as voice acts as a trunk for both types of data coming from the phone.
Network Traffic Types
- IP Telephony Traffic
a. Signaling – used to setup, maintain progress, and bring down calls
b. Voice – the actual voice data packets
- Network Management and Control Traffic (CDP, SNMP,…)
- IP Multicast (Cisco IP / TV Broadcasts)
- Normal Data – files, storage, print services, email, database access, shared applications
- Scavenger Class – P2P apps, gaming apps, and entertainment video apps
Cisco switchports are layer 2 physical connections. You must assign them to a VLAN.
Ports support the following type of VLANs.
- Static VLAN – manual configuration and VLAN assignment
- Dynamic VLAN – not widely used and will not be used in this course. It uses a VLAN Membership Policy Server to associate MAC addresses with a VLAN. If a user moves to another port it automatically associates the new port with the VMPS VLAN configuration.
- Voice VLAN – a port is configured to be voice port so that you can connect an IP phone to it. First you need to configure a VLAN for voice and a VLAN for data. When the phone is first plugged into the configured voice switchport the switch sends CDP information to the phone telling it what the voice VLAN and data VLAN are so that it can appropriately tag the data. Your network must be configured to prioritize voice traffic.
The following are commands used to ensure successful voice traffic.
Priority: mls qos trust cos
Switchport VLAN access voice: switchport voice vlan 150
Switchport VLAN access data: switchport access vlan 20
When a switch receives a broadcast from a specific VLAN it will only forward it out ports that are a member of the same VLAN.
Switch Virtual Interface needs to be setup on all switches that will be remotely managed.
This allows and IP address to be assigned to a virtual interface. The SVI is assigned the default LAN, which should be your management LAN and not VLAN 1.
Layer 3 switches allow routing to occur between VLANs, something that a router usually is responsible for. The routing occurs at the SVI.
A trunk is a point-to-point link between two network devices that carries more than one VLAN. Cisco supports IEEE 802.1Q as its trunking method. A trunk is not a member of
802.1Q is an encapsulation method that encapsulates a frame on a switch when it is about to travel over a trunk line. Switches are layer 2 devices that only deal with MAC addresses and no VLAN information at the trunk port a frame has information encapsulated around it and removed when it arrives on the other end of the trunk.
A legacy protocol from Cisco is ISL, this should no longer be used as a trunking protocol.
You should only use 802.1Q.
Dynamic Trunking Protocol (DTP) is a Cisco proprietary protocol for negotiating trunking on a link between two devices and for negotiating the type of trunking encapsulation (802.1Q) to be used.
Some Cisco switches and routers do not support DTP and DTP is not required for trunking. If two Cisco devices are configured for DTP and one device has a port configured as a trunk line then the other end will dynamically configure itself to be a trunk port also. DTP supports both ISL and 802.1Q but is not supported on non-Cisco devices.
Trunking Modes (in conjunction with DTP)
- Trunk – local switchport set as trunk switchport mode trunk, periodically this port sends out DTP messages and possibly receives DTP messages from remote device. No matter what the message received is it is unconditionally in a trunk state.
- Dynamic Auto (default) – switchport mode dynamic auto, periodically this port sends out DTP messages advertising it’s state as auto. If the remote port is set as trunk or desirable then local port becomes trunk, else it’s not a trunk (including when both are set to auto).
- Dynamic Desirable – switchport mode dynamic desirable, periodically this port sends out DTP messages. If the remote port is set as on, auto, or desirable then the ports will become a trunk.
- Turn Off DTP – switchport nonegotiate, shuts off DTP and port is set as unconditional trunk, this should be used when connecting to non-Cisco switches.
switch(config)# interface fa 0/1TIP: The default mode is dependent on the platform. For the 2960, the default mode is dynamic auto.
! Makes the interface actively attempt to convert the link to a trunk link
switch(config-if)# switchport mode dynamic desirable
switch(config-if)# switchport mode dynamic auto
! Disables DTP (stop generating DTP frames)
switch(config-if)# switchport nonegotiate
! Puts the interface into permanent trunking mode and negotiates to convert the link into a trunk link.
switch(config-if)# switchport mode trunkshow dtp interface
TIP: On a 2960 switch, the default for all ports is to be an access port. However, with the default DTP mode being dynamic auto, an access port can be converted into a trunk port if that port receives DTP information from the other side of the link if that side is set to trunk or desirable. It is therefore recommended to hard-code all access ports as access ports with the switchport mode access command.
This way, DTP information will not inadvertently change an access port to a trunk port. Any port set with the switchport mode access command ignores any DTP requests to convert the link.
access Set access mode characteristics of the interface
block Disable forwarding of unknown uni/multi cast addresses
host Set port host
mode Set trunking mode of the interface
nonegotiate Device will not engage in negotiation protocol on this interface
port-security Security related command
priority Set appliance 802.1p priority
private-vlan Set the private VLAN configuration
trunk Set trunking characteristics of the interface
voice Voice appliance attributes
SW-4500(config-if)#switchport mode ?
access Set trunking mode to ACCESS unconditionally
dot1q-tunnel set trunking mode to TUNNEL unconditionally
dynamic Set trunking mode to dynamically negotiate access or trunk mode
private-vlan Set the mode to private-vlan host or promiscuous
trunk Set trunking mode to TRUNK unconditionally
Add a VLAN
config tUseful Commands
show vlanAssign a Port to a VLAN
show vlan brief
show vlan name student
show vlan 20
switch# show vlan brief
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/6, Fa0/7, Fa0/8, Fa0/9,
Fa0/10, Fa0/11, Fa0/12, Fa0/13,
Fa0/14, Fa0/15, Fa0/16, Fa0/17,
Fa0/18, Fa0/19, Fa0/20, Fa0/21,
Fa0/22, Fa0/23, Fa0/24
2 test active Fa0/1, Fa0/2
10 VLAN0010 active Fa0/4, Fa0/5
15 VLAN0015 active Fa0/3
config tDeleting Entire VLAN Database
switchport mode access
switchport access vlan 20
delete flash:vlan.datConfigure a Port to be a Trunk
switchport mode trunk
The following are problems that arise with VLANs.
• Native VLAN mismatches (security risk)
• Trunk mode mismatches (causes loss of network connectivity)
• VLANs and IP subnets
• Allowed VLANs on trunks (causes unexpected traffic or no traffic to be sent over the trunk)
# show interfaces trunk
Port Mode Encapsulation Status Native vlan
Gi4/5 on 802.1q trunking 1
Gi6/3 on 802.1q trunking 1
Po60 on 802.1q trunking 1
Port Vlans allowed on trunk
# show interfaces gi 4/5 trunk
Port Mode Encapsulation Status Native vlan
Gi4/5 on 802.1q trunking 1
Port Vlans allowed on trunk
Port Vlans allowed and active in management domain
Port Vlans in spanning tree forwarding state and not pruned
# show interfaces gi 4/5 switchport
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk private VLANs: none
Operational private-vlan: none
Trunking VLANs Enabled: 199
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL
Unknown unicast blocked: disabled
Unknown multicast blocked: disabled
Appliance trust: none
# sh dtp interface gi 4/5
DTP information for GigabitEthernet4/5:
Neighbor address 1: 000000000000
Neighbor address 2: 000000000000
Hello timer expiration (sec/state): 16/RUNNING
Access timer expiration (sec/state): never/STOPPED
Negotiation timer expiration (sec/state): never/STOPPED
Multidrop timer expiration (sec/state): never/STOPPED
FSM state: S6:TRUNK
# times multi & trunk 0
In STP: no
0 packets received (0 good)
0 packets dropped
0 nonegotiate, 0 bad version, 0 domain mismatches,
0 bad TLVs, 0 bad TAS, 0 bad TAT, 0 bad TOT, 0 other
1508851 packets output (1508851 good)
1508851 native, 0 software encap isl, 0 isl hardware native
0 output errors
0 trunk timeouts
7 link ups, last link up on Fri Oct 19 2012, 16:11:51
52 link downs, last link down on Fri Oct 19 2012, 16:11:41
Adding a VLAN to a trunk line
config tor reconfigure entire list
int fa0/1 (trunk port)
switchport access trunk allowed vlan add
switchport trunk allowed vlan 10,20,99