Ex3 Chapter 3 - VLANs, DTP

VLAN is a logically separate IP subnetwork.  This allows multiple networks to exist on a switch and provide security that they are not able to communicate with each other. 
A virtual LAN, commonly known as a VLAN, is a group of hosts with a common set of requirements that communicate as if they were attached to the same broadcast domain (all nodes can reach each other by  a message to all recipients simultaneously at OSI Layer 2), regardless of their physical location.

The following are requirements necessary for two computers to exist on the same VLAN and switch.
1.  Both computers must be assigned and IP address from the same subnetwork.
2.  Both computers must be connected to a port on a switch that is a member of the same VLAN.

VLAN Benefits
•  Security
•  Cost reduction
•  Higher performance
•  Broadcast storm mitigation
•  Improved IT staff efficiency
•  Simpler project or application management

VLAN Rules
•  Should be used in small, medium, and enterprise size businesses
•  VLAN IDs between 1 -1005
•  IDs 1002-1005 are reserved for Token Ring and FDDI
•  IDs 1 and 1002-1005 are automatically created and cannot be removed
•  vlan.dat is where VLAN configurations are stored
•  VTP – VLAN Trunking Protocol helps manage VLANs between switches

- Move the management VLAN to something other than default (which is VLAN 1),
- shutdown all unused ports in the catalyst switch.
Extended VLAN Rules

•  For customer who need more VLANs can use 1006-4094
•  Fewer VLAN features supported
•  VTP does not support extended
•  Saved in running config

At most you can have 255 configured VLANs.  Cisco Catalyst switches can now piggyback up to 9 switches that will mimic one switch.  Since you can purchase up to 48 ports on a switch you would then have a virtual switch of 48*9 = 432 ports available.

Types of VLANs
  1. Default – all switches come with VLAN 1 setup as the default VLAN.
    At the initial boot up of the switch, ALL switch ports are acces ports (untagged) and become a member of the default VLAN, which makes them all part of the same broadcast domain. This allows any network device connected to any of the switch port to communicate with other devices on other switch ports.
    Both CDP and STP use this VLAN to communicate and all ports are assigned to this VLAN initially.  Best practice says to move all ports to another VLAN therefore creating a new default VLAN.  You cannot change or delete VLAN 1 and it will always be used by CDP and STP, but you can associate all the ports to a new default VLAN,
  2. Data – also known as user VLAN (carry only user-generated traffic),
  3. Native – is assigned to an 802.1Q trunk port.  This is used to pass multiple VLANs and untagged data to other switches.  802.1Q supports Legacy networks that do not have VLAN tagged traffic.  You should not assign VLAN 1 as your native VLAN.
  4. Management – is your VLAN that you add your intermediary network devices to.  This allows for easy and secure management.  Again you should not use VLAN 1 as your VLAN of choice. 
  5. Voice – it is very important to separate data VLANs from Voice VLANs.
    Voice requires the following:
    a.  assured bandwidth to guarantee quality
    b.  transmission priority over other traffic
    c.  ability to be routed around congested areas of the network
    d.  delay of less than 150ms across the network
Native VLANs and  802.1q Trunking

Tagged frame on native VLAN:
   - dropped by the switch
   - devices should not tag control traffic destined for the native VLAN
Untagged frame on native VLAN:
   - have their PVID (VLAN ID) changed to value of the configured native VLAN
   - remains untagged
   - are forwarded to the configured native VLAN (the default native VLAN is VLAN 1)

To modify default native VLAN
sw1(config-if)# switchport trunk native vlan 5
Now all traffic belonging to VLAN 5 will be transmitted untagged through the trunk interface, and all incoming untagged traffic to the trunk interface will be marked as belonging VLAN 5 (by default is VLAN 1).

Trunks are connections between the switches that allow the switches to exchange information for all VLANS. 
By default, a trunk port (or tagged - switch port type 1) belongs to all VLANs,
as opposed to an access port (or untagged - switch port type 2), which can only belong to a single VLAN.
If the switch supports both ISL and 802.1Q VLAN encapsulation, the trunks must specify which method is being used.

Cisco IP Phone
The Cisco IP Phone is a switch with 3 10/100 ports.

Port 1 connects to the switch or other VoIP device.
Port 2 is an internal interface that carries IP phone traffic.
Port 3 (access port) connects to PC or other device.

Port 2 tags the IP phone data as voice, while Port 3 leaves PC data untagged.  The port connected to the IP Phone when tagged as voice acts as a trunk for both types of data coming from the phone.

Network Traffic Types
  1. IP Telephony Traffic
    a.  Signaling – used to setup, maintain progress, and bring down calls
    b.  Voice – the actual voice data packets
  2. Network Management and Control Traffic (CDP, SNMP,…) 
  3. IP Multicast (Cisco IP / TV Broadcasts) 
  4. Normal Data – files, storage, print services, email, database access, shared applications
  5. Scavenger Class – P2P apps, gaming apps, and entertainment video apps
Cisco switchports are layer 2 physical connections.  You must assign them to a VLAN. 
Ports support the following type of VLANs.
  • Static VLAN – manual configuration and VLAN assignment
  • Dynamic VLAN – not widely used and will not be used in this course.  It uses a VLAN Membership Policy Server to associate MAC addresses with a VLAN.  If a user moves to another port it automatically associates the new port with the VMPS VLAN configuration.
  • Voice VLAN – a port is configured to be voice port so that you can connect an IP phone to it.  First you need to configure a VLAN for voice and a VLAN for data.  When the phone is first plugged into the configured voice switchport the switch sends CDP information to the phone telling it what the voice VLAN and data VLAN are so that it can appropriately tag the data.  Your network must be configured to prioritize voice traffic.

The following are commands used to ensure successful voice traffic.
Priority: mls qos trust cos
Switchport VLAN access voice: switchport voice vlan 150
Switchport VLAN access data: switchport access vlan 20

Broadcast Domains
When a switch receives a broadcast from a specific VLAN it will only forward it out ports that are a member of the same VLAN.

Switch Virtual Interface needs to be setup on all switches that will be remotely managed. 
This allows and IP address to be assigned to a virtual interface.  The SVI is assigned the default LAN, which should be your management LAN and not VLAN 1.

Layer 3 switches allow routing to occur between VLANs, something that a router usually is responsible for.  The routing occurs at the SVI.

VLAN Trunk
A trunk is a point-to-point link between two network devices that carries more than one VLAN.  Cisco supports IEEE 802.1Q as its trunking method.  A trunk is not a member of

802.1Q is an encapsulation method that encapsulates a frame on a switch when it is about to travel over a trunk line.  Switches are layer 2 devices that only deal with MAC addresses and no VLAN information at the trunk port a frame has information encapsulated around it and removed when it arrives on the other end of the trunk.

A legacy protocol from Cisco is ISL, this should no longer be used as a trunking protocol. 
You should only use 802.1Q.

Dynamic Trunking Protocol (DTP) is a Cisco proprietary protocol for negotiating trunking on a link between two devices and for negotiating the type of trunking encapsulation (802.1Q) to be used.

Some Cisco switches and routers do not support DTP and DTP is not required for trunking.  If two Cisco devices are configured for DTP and one device has a port configured as a trunk line then the other end will dynamically configure itself to be a trunk port also.  DTP supports both ISL and 802.1Q but is not supported on non-Cisco devices.
Trunking Modes (in conjunction with DTP)
  1. Trunk – local switchport set as trunk switchport mode trunk, periodically this port sends out DTP messages and possibly receives DTP messages from remote device.  No matter what the message received is it is unconditionally in a trunk state.
  2. Dynamic Auto (default) – switchport mode dynamic auto, periodically this port sends out DTP messages advertising it’s state as auto.  If the remote port is set as trunk or desirable then local port becomes trunk, else it’s not a trunk (including when both are set to auto). 
  3. Dynamic Desirable – switchport mode dynamic desirable, periodically this port sends out DTP messages.  If the remote port is set as on, auto, or desirable then the ports will become a trunk.
  4. Turn Off DTP – switchport nonegotiate, shuts off DTP and port is set as unconditional trunk, this should be used when connecting to non-Cisco switches. 
Configure DTP
switch(config)# interface fa 0/1
! Makes the interface actively attempt to convert the link to a trunk link
switch(config-if)# switchport mode dynamic desirable

switch(config-if)# switchport mode dynamic auto

! Disables DTP (stop generating DTP frames)
switch(config-if)# switchport

! Puts the interface into permanent trunking mode and negotiates to convert the link into a trunk link.
switch(config-if)# switchport mode
show dtp interface
TIP: The default mode is dependent on the platform. For the 2960, the default mode is dynamic auto.
TIP: On a 2960 switch, the default for all ports is to be an access port. However, with the default DTP mode being dynamic auto, an access port can be converted into a trunk port if that port receives DTP information from the other side of the link if that side is set to trunk or desirable. It is therefore recommended to hard-code all access ports as access ports with the switchport mode access command.

This way, DTP information will not inadvertently change an access port to a trunk port. Any port set with the switchport mode access command ignores any DTP requests to convert the link. 

Switchport Options
SW-4500(config-if)#switchport ?   
  access         Set access mode characteristics of the interface
  block          Disable forwarding of unknown uni/multi cast addresses
  host           Set port host
  mode           Set trunking mode of the interface
  nonegotiate    Device will not engage in negotiation protocol on this interface
  port-security  Security related command
  priority       Set appliance 802.1p priority
  private-vlan   Set the private VLAN configuration
  trunk          Set trunking characteristics of the interface
  voice          Voice appliance attributes

SW-4500(config-if)#switchport mode ?
  access        Set trunking mode to ACCESS unconditionally
  dot1q-tunnel  set trunking mode to TUNNEL unconditionally
  dynamic       Set trunking mode to dynamically negotiate access or trunk mode
  private-vlan  Set the mode to private-vlan host or promiscuous
  trunk         Set trunking mode to TRUNK unconditionally

Configuring VLANs

Add a VLAN
config t
 vlan vlan_id
  name optional_name
Useful Commands
show vlan
show vlan brief
show vlan name student
show vlan 20

switch# show vlan brief
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                                 active    Fa0/6, Fa0/7, Fa0/8, Fa0/9,
                                                              Fa0/10, Fa0/11, Fa0/12, Fa0/13,
                                                              Fa0/14, Fa0/15, Fa0/16, Fa0/17, 
                                                               Fa0/18, Fa0/19, Fa0/20, Fa0/21,
                                                               Fa0/22, Fa0/23, Fa0/24
2    test                                       active    Fa0/1, Fa0/2
10   VLAN0010                         active    Fa0/4, Fa0/5
15   VLAN0015                         active    Fa0/3
Assign a Port to a VLAN
config t
 int fa0/1
  switchport mode access
  switchport access vlan 20
Deleting Entire VLAN Database
delete flash:vlan.dat
Configure a Port to be a Trunk
config t
 int fa0/1
  switchport mode trunk

The following are problems that arise with VLANs.
•  Native VLAN mismatches (security risk)
•  Trunk mode mismatches (causes loss of network connectivity)
•  VLANs and IP subnets
•  Allowed VLANs on trunks  (causes  unexpected traffic or no traffic to be sent over the trunk)

# show interfaces trunk
Port        Mode         Encapsulation  Status        Native vlan
Gi4/5       on           802.1q         trunking      1
Gi6/3       on           802.1q         trunking      1
Po60        on           802.1q         trunking      1

Port        Vlans allowed on trunk
Gi4/5       199
Gi6/3       69,199,768
# show interfaces gi 4/5 trunk
Port        Mode         Encapsulation  Status        Native vlan
Gi4/5       on           802.1q         trunking      1

Port        Vlans allowed on trunk
Gi4/5       199
Port        Vlans allowed and active in management domain
Gi4/5       199
Port        Vlans in spanning tree forwarding state and not pruned
Gi4/5       199
show interfaces gi 4/5 switchport 
Name: Gi4/5
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk private VLANs: none
Operational private-vlan: none
Trunking VLANs Enabled: 199
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL

Unknown unicast blocked: disabled
Unknown multicast blocked: disabled
Appliance trust: none

sh  dtp interface gi 4/5 
DTP information for GigabitEthernet4/5:
  TOS/TAS/TNS:                              TRUNK/ON/TRUNK
  TOT/TAT/TNT:                              802.1Q/802.1Q/802.1Q
  Neighbor address 1:                       000000000000
  Neighbor address 2:                       000000000000
  Hello timer expiration (sec/state):       16/RUNNING
  Access timer expiration (sec/state):      never/STOPPED
  Negotiation timer expiration (sec/state): never/STOPPED
  Multidrop timer expiration (sec/state):   never/STOPPED
  FSM state:                                S6:TRUNK
  # times multi & trunk                     0
  Enabled:                                  yes
  In STP:                                   no

  0 packets received (0 good)
  0 packets dropped
      0 nonegotiate, 0 bad version, 0 domain mismatches,
      0 bad TLVs, 0 bad TAS, 0 bad TAT, 0 bad TOT, 0 other
  1508851 packets output (1508851 good)
      1508851 native, 0 software encap isl, 0 isl hardware native
  0 output errors
  0 trunk timeouts
  7 link ups, last link up on Fri Oct 19 2012, 16:11:51
  52 link downs, last link down on Fri Oct 19 2012, 16:11:41

Adding a VLAN to a trunk line
config t
 int fa0/1 (trunk port)
   switchport access trunk allowed vlan add
or reconfigure entire list
config t
 int fa0/1
  switchport trunk allowed vlan 10,20,99

No comments :

Post a Comment