CCNP SWITCH Implementing VLAN Trunk

Cisco certification training. Instructor: ASHOK TAMBE. Contact us: 9930157345. Training for CCNA, CCNP, CCNA SECURITY, CCIP, MPLS, BGP, IPV6, NETWORK+, SECURITY+. Copyright © 2013 NETworkingWANschool. CCNP SWITCH 300-113. https://www.facebook.com/Networkingwanschool

Upload: chetan666123

Post on 20-Feb-2016


Implementing Trunking in Cisco Campus Network

Trunks carry the traffic for multiple VLANs across a single physical link (multiplexing). Trunking is used to extend Layer 2 operations across an entire network, such as end-to-end VLANs, as shown in the figure.

The host in VLAN 2 can communicate with the host in VLAN 2 in the other switch over the single trunk link, the same as a host in VLAN 1 can communicate with a host in another switch in VLAN 1.

• Definition of a VLAN Trunk

–A trunk is a point-to-point link between one or more Ethernet switch interfaces and another networking device, such as a router or a switch.

–Ethernet trunks carry the traffic of multiple VLANs over a single link.

–A VLAN trunk allows you to extend the VLANs across an entire network.

–Cisco supports IEEE 802.1Q for coordinating trunks on Fast Ethernet and Gigabit Ethernet interfaces (for Cisco and non-Cisco devices).

–Inter-Switch Link (ISL) (Cisco proprietary)

• A VLAN trunk does not belong to a specific VLAN; rather, it is a conduit for VLANs between switches and routers.

What Problem Does a Trunk Solve?

• In figure 1, you see the standard topology used in this chapter, except that instead of the VLAN trunk that you are used to seeing between switches S1 and S2, there is a separate link for each subnet.

–There are four separate links connecting switches S1 and S2, leaving three fewer ports to allocate to end-user devices.

–Each time a new subnetwork is considered, a new link is needed for each switch in the network.

• In figure 2, the network topology shows a VLAN trunk connecting switches S1 and S2 with a single physical link.

Trunking protocol

To allow a switch port that connects two switches to carry more than one VLAN, it must be configured as a trunk.

If frames from a single VLAN traverse a trunk link, a trunking protocol must mark the frame to identify its associated VLAN as the frame is placed onto the trunk link.

The receiving switch then knows the frame’s VLAN origin and can process the frame accordingly.

On the receiving switch, the VLAN ID (VID) is removed when the frame is forwarded onto an access link associated with its VLAN.

A Trunk in Action

1) In the figure, PC1 on VLAN 10 and PC3 on VLAN 30 send broadcast frames to switch S2.

2) Switch S2 tags these frames with the appropriate VLAN ID and then forwards the frames over the trunk to switch S1.

3) Switch S1 reads the VLAN ID on the frames and broadcasts them to each port configured to support VLAN 10 and VLAN 30.

4) Switch S3 receives these frames and strips off the VLAN IDs and forwards them as untagged frames to PC4 on VLAN 10 and PC6 on VLAN 30.

Trunking protocol

Cisco switches support the following two trunking protocols:

• Inter-Switch Link (ISL): A Cisco proprietary trunking encapsulation

• IEEE 802.1Q: An industry-standard trunking method

Because the ISL protocol is obsolete, this course focuses only on 802.1Q.

Today only 802.1Q is used. However, legacy networks may still use ISL, and it is useful to learn about each type of trunk port. An 802.1Q trunk port supports simultaneous tagged and untagged traffic. An 802.1Q trunk port is assigned a default PVID (port VLAN ID), and all untagged traffic travels on the port default PVID.

All untagged traffic and tagged traffic with a null VLAN ID are assumed to belong to the port default PVID.

A packet with a VLAN ID equal to the outgoing port default PVID is sent untagged. All other traffic is sent with a VLAN tag.

802.1Q will NOT perform any operations on frames that are forwarded out access ports.

802.1Q Frame Tagging

• Significantly less overhead than ISL.

• As opposed to the 30 bytes added by ISL, 802.1Q inserts only an additional 4 bytes into the Ethernet frame.

• The 802.1Q tag is inserted by the switch before sending across the trunk.

• The switch removes the 802.1Q tag before sending it out a non-trunk link.

The 802.1Q Ethernet frame header contains the following fields:

• Dest: Destination MAC address (6 bytes)

• Src: Source MAC address (6 bytes)

• Tag: Inserted 802.1Q tag (4 bytes, detailed here):

– EtherType (TPID): Set to 0x8100 to specify that the 802.1Q tag follows.

– PRI: 3-bit 802.1p priority field.

– CFI: Canonical Format Identifier; is always set to 0 for Ethernet switches and to 1 for Token Ring-type networks.

– VLAN ID: 12-bit VLAN field. Of the 4096 possible VLAN IDs, the maximum number of possible VLAN configurations is 4094. A VLAN ID of 0 indicates priority frames, and value 4095 (FFF) is reserved. CFI, PRI, and VLAN ID are represented as Tag Control Information (TCI) fields.

• Len/Etype: 2-byte field specifying length (802.3) or type (Ethernet II).

• Data: Data itself.

• FCS: Frame check sequence (4 bytes).
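The tag layout above, as an added Python example (not part of the original slides): it parses the 4-byte 802.1Q tag out of an Ethernet frame and applies the PVID rules from the Trunking protocol slide on receive and transmit. The function names and the sample frame are constructed for illustration; dropping frames whose VLAN is outside the trunk's allowed list is an assumption of this example.

```python
import struct
from typing import Optional

TPID_8021Q = 0x8100  # EtherType value announcing that an 802.1Q tag follows

# Constructed sample: untagged broadcast IPv4 frame (no FCS), documentation MAC as source.
SAMPLE_UNTAGGED = (bytes.fromhex("ffffffffffff") + bytes.fromhex("00005e005301")
                   + struct.pack("!H", 0x0800) + bytes(46))


def parse_frame(frame: bytes) -> dict:
    """Split a frame into Dest, Src, optional 802.1Q tag, Len/Etype and Data."""
    if len(frame) < 14:
        raise ValueError("shorter than an Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    (etype,) = struct.unpack("!H", frame[12:14])
    if etype != TPID_8021Q:
        return {"dst": dst, "src": src, "tag": None, "etype": etype, "data": frame[14:]}
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, inner = struct.unpack("!HH", frame[14:18])
    # TCI = PRI (3 bits) | CFI (1 bit) | VLAN ID (12 bits)
    tag = {"pri": tci >> 13, "cfi": (tci >> 12) & 1, "vid": tci & 0x0FFF}
    return {"dst": dst, "src": src, "tag": tag, "etype": inner, "data": frame[18:]}


def insert_tag(frame: bytes, vid: int, pri: int = 0) -> bytes:
    """Insert the 4-byte tag between Src and Len/Etype of an untagged frame."""
    if not (0 <= vid <= 0xFFF and 0 <= pri <= 7):
        raise ValueError("VID is 12 bits, PRI is 3 bits")
    if parse_frame(frame)["tag"] is not None:
        raise ValueError("frame is already tagged")
    return frame[:12] + struct.pack("!HH", TPID_8021Q, (pri << 13) | vid) + frame[12:]


def egress_frame(frame: bytes, vlan: int, pvid: int, pri: int = 0) -> bytes:
    """Frame as sent on a trunk: untagged if vlan equals the port PVID, tagged otherwise."""
    if not 1 <= vlan <= 4094:
        raise ValueError("usable VLAN IDs are 1-4094")
    return frame if vlan == pvid else insert_tag(frame, vlan, pri)


def ingress_vlan(frame: bytes, pvid: int, allowed: set) -> Optional[int]:
    """VLAN a trunk port assigns a received frame to, or None if it is dropped."""
    tag = parse_frame(frame)["tag"]
    if tag is None or tag["vid"] == 0:
        vlan = pvid            # untagged or null-VID (priority) frame: port default PVID
    elif tag["vid"] == 0xFFF:
        return None            # 4095 is reserved
    else:
        vlan = tag["vid"]
    # Assumption of this example: VLANs outside the allowed list are not accepted.
    return vlan if vlan in allowed else None


if __name__ == "__main__":
    allowed = {1, 3, 5, 8, 99}                      # constructed allowed list
    tagged = egress_frame(SAMPLE_UNTAGGED, vlan=5, pvid=99, pri=3)
    print(len(SAMPLE_UNTAGGED), "->", len(tagged), parse_frame(tagged)["tag"])
    print("untagged frame lands in VLAN", ingress_vlan(SAMPLE_UNTAGGED, 99, allowed))
```

A frame that arrives untagged is placed in whatever VLAN the receiving port uses as its PVID, which is why both ends of a trunk need the same native VLAN.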

IEEE 802.1Q uses an internal tagging mechanism that modifies the original frame, recalculates the CRC value for the entire frame with the tag, and inserts the new CRC value in a new FCS.

ISL, in comparison, wraps the original frame and adds a second FCS that is built only on the header information but does not modify the original frame FCS.

IEEE 802.1p redefined the three most significant bits in the 802.1Q tag to allow for prioritization of the Layer 2 frame.

If a non-802.1Q-enabled device or an access port receives an 802.1Q frame, the tag data is ignored and the packet is switched at Layer 2 as a standard Ethernet frame. This allows for the placement of Layer 2 intermediate devices, such as unmanaged switches or bridges, along the 802.1Q trunk path.

To process an 802.1Q tagged frame, a device must enable a maximum transmission unit (MTU) of 1522 or higher.

Baby giants are frames that are larger than the standard MTU of 1500 bytes but less than 2000 bytes. Because ISL and 802.1Q tagged frames increase the MTU beyond 1500 bytes, switches consider both frames as baby giants. ISL-encapsulated packets over Ethernet have an MTU of 1548 bytes, whereas 802.1Q has an MTU of 1522 bytes.

[Figure: Ethernet frame size before tagging & after tagging]

Understanding Native VLAN in 802.1Q Trunking

802.1Q trunks define a native VLAN for frames that are not tagged by default. Switches transmit any Layer 2 frames from a native VLAN on the trunk port untagged, as shown in the figure. The receiving switch forwards all untagged packets to its native VLAN.

The native VLAN is the default VLAN configuration of the port. When the port is not trunking, the access VLAN configuration defines the native VLAN.

In the case of Cisco switches, the default native VLAN is VLAN 1, and you can configure any other VLAN as the native VLAN.

In an ISL trunk port, all received packets are expected to be encapsulated with an ISL header, and all transmitted packets are sent with an ISL header.

Native (non-tagged) frames received from an ISL trunk port are dropped.

ISL is no longer a recommended trunk port mode, and it is not supported on a number of Cisco switches.

It is important that the 802.1Q trunk port between two devices have the same native VLAN configuration on both sides of the link. If there is a native VLAN mismatch on an 802.1Q link, CDP (if used and functioning) issues a Native VLAN Mismatch error.

On select versions of Cisco IOS Software, CDP might not be transmitted or will be automatically turned off if VLAN1 is disabled on the trunk.

In addition, if there is a native VLAN mismatch on either side of an 802.1Q link, Layer 2 loops might occur because VLAN1 STP bridge protocol data units (BPDU) are sent to the IEEE STP MAC address (0180.c200.0000) untagged.

Trunking operation

• Trunking protocols were developed to effectively manage the transfer of frames from different VLANs on a single physical link.

• The trunking protocols establish agreement for the distribution of frames to the associated ports at both ends of the trunk.

• Trunk links may carry traffic for all VLANs or only specific VLANs.

• VLAN tagging information is added by the switch before it is sent across the trunk and removed by the switch before it is sent down a non-trunk link.


VLANs and trunking

• It is important to understand that a trunk link does not belong to a specific VLAN.

• The responsibility of a trunk link is to act as a conduit for VLANs between switches and routers (or switches and switches).

[Figure labels: Trunk Link; Non-Trunk Links]

• Trunks can be configured statically or via DTP.

• DTP provides the ability to negotiate the trunking method.

Configuring Trunking

• These commands will be explained in the following slides.

Note: On switches that support both 802.1Q and ISL, the switchport trunk encapsulation command must be done BEFORE the switchport mode trunk command.

Switch(config-if)#switchport trunk encapsulation [dot1q|isl]

• This command configures VLAN tagging on an interface if the switch supports multiple trunking protocols.

• The two options are:

– dot1q – IEEE 802.1Q

– isl – ISL

• The tagging must be the same on both ends.

• If SwitchA can only be an 802.1Q trunk and SwitchB can only be an ISL trunk, these two switches will not be able to form a trunk.

SwitchA(config-if)#switchport mode trunk
SwitchB(config-if)#switchport mode trunk

[Figure: SwitchA (802.1Q only) and SwitchB (ISL only): No Trunk]

• If SwitchA can only be an 802.1Q trunk and SwitchB can be either an ISL or 802.1Q trunk, configure SwitchB to be 802.1Q.

• On switches that support both 802.1Q and ISL, the switchport trunk encapsulation command must be done BEFORE the switchport mode trunk command.

SwitchA(config-if)#switchport mode trunk
SwitchB(config-if)#switchport trunk encapsulation dot1q
SwitchB(config-if)#switchport mode trunk

[Figure: SwitchA (802.1Q only) and SwitchB (both ISL and 802.1Q): Trunk]

Understanding DTP

Dynamic Trunking Protocol (DTP) is a Cisco proprietary protocol. Switches from other vendors do not support DTP.

–DTP is automatically enabled on a switch port when certain trunking modes are configured on the switch port.

–DTP manages trunk negotiation only if the port on the other switch is configured in a trunk mode that supports DTP. DTP supports both ISL and 802.1Q trunks.

–Older Cisco switches and routers do not support DTP.

• Ethernet trunk interfaces support several different trunking modes.

– Access

– Dynamic desirable (default mode on Catalyst 2950 and 3550)

– Dynamic auto

– Trunk

– Non-negotiate

– dot1q-tunnel (Not an option on the Catalyst 2950.)

• Using these different trunking modes, an interface can be set to trunking or nontrunking or even able to negotiate trunking with the neighboring interface.

• To automatically negotiate trunking, the interfaces must be in the same VTP domain. (VTP is discussed in the next section.)

• Trunk negotiation is managed by the Dynamic Trunking Protocol (DTP), which is a Cisco proprietary point-to-point protocol.

• These various modes are configured using the switchport mode interface command.

• We have already discussed the two “non-dynamic” options:

Switch(config-if)#switchport mode access
Switch(config-if)#switchport mode trunk

• These options set the interface to non-trunking (access) or trunking (trunk).

• All of these DTP modes and their various combinations can be somewhat confusing.

• Looking at some of the basic combinations can help clarify this.

• By default, Ethernet interfaces on most Cisco switches are set to dynamic desirable mode. (Catalyst 2950 and 3550 switches.)

• Desirable mode will create a trunk link if the neighboring interface is set to desirable, trunk, or auto mode.

• Because both interfaces by default are in desirable mode, this means a link between two Cisco switches will automatically become a trunk link unless configured otherwise.

Default: dynamic desirable

• By default, all ports are configured as switchport mode dynamic desirable, which means that if the port is connected to another switch with a port configured with the same default mode (or desirable or auto), this link will become a trunking link.

This link will become a trunking link unless one of the ports is configured as an access link, i.e., switchport mode access.

• This figure shows the various DTP trunking modes and the results of the different combinations.

• Selecting the right combination on the two ends of the link is important, as some combinations should not be used as they will have “unexpected results”.

• One combination that could result in traffic being blocked from crossing the link is if one interface is in access mode and the neighboring interface is in trunk mode.
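The mode combinations described above, as an added Python example (not part of the original slides): it derives the result of each pairing from how each mode behaves, and lists the modes whose trunk or access state is set by the neighbor. The constant and function names are hypothetical; "trunk + nonegotiate" models switchport mode trunk together with switchport nonegotiate.

```python
from itertools import product

ACCESS = "access"
TRUNK = "trunk"
TRUNK_NONEG = "trunk + nonegotiate"
DESIRABLE = "dynamic desirable"
AUTO = "dynamic auto"
MODES = (ACCESS, TRUNK, TRUNK_NONEG, DESIRABLE, AUTO)


def requests_trunk(mode: str) -> bool:
    """True if the port actively asks its neighbor, via DTP, to form a trunk."""
    return mode in (TRUNK, DESIRABLE)   # nonegotiate sends no DTP; auto only answers


def operational(local: str, peer: str) -> str:
    """Operational state ('trunk' or 'access') the local port ends up in."""
    if local == ACCESS:
        return "access"
    if local in (TRUNK, TRUNK_NONEG):
        return "trunk"                  # static: trunks regardless of the neighbor
    # Dynamic port: trunks when the neighbor asks, or when it asks itself and
    # the neighbor is willing to answer (dynamic auto).
    if requests_trunk(peer) or (local == DESIRABLE and peer == AUTO):
        return "trunk"
    return "access"


def link_result(a: str, b: str) -> str:
    """'trunk', 'access', or 'mismatch' when the two ends disagree."""
    state_a, state_b = operational(a, b), operational(b, a)
    return state_a if state_a == state_b else "mismatch"


def neighbor_decides(mode: str) -> bool:
    """True if the port's trunk/access state depends on what is plugged into it."""
    return len({operational(mode, peer) for peer in MODES}) > 1


def matrix() -> dict:
    """Result for every ordered pair of modes."""
    return {(a, b): link_result(a, b) for a, b in product(MODES, repeat=2)}


if __name__ == "__main__":
    for (a, b), result in matrix().items():
        print(f"{a:20} <-> {b:20} {result}")
    print("state set by neighbor:", [m for m in MODES if neighbor_decides(m)])
```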

Because of the vulnerability associated with DTP, always turn off DTP negotiation using the switchport nonegotiate command, and statically configure the trunk using the switchport mode trunk command.

Describing Trunking Configuration Commands (cont.)

The default DTP mode is Cisco IOS and platform dependent. To determine the current DTP mode, use the show dtp interface command.

–Note that this command is not available on Catalyst 2950 and 3550 switches, but is available on Catalyst 2960 and 3560 switches.

–General best practice is to set the interface to trunk and nonegotiate when a trunk link is required. DTP should be turned off on links where trunking is not intended.


Configure an 802.1Q Trunk

• To configure a trunk on a switch port, use the switchport mode trunk command.

–When you enter trunk mode, the interface changes to permanent trunking mode, and the port enters into a DTP negotiation to convert the link into a trunk link even if the interface connecting to it does not agree to the change.

• The Cisco IOS command syntax (switchport trunk native) to specify a native VLAN other than VLAN 1 is shown in the figure.

–In the example, you configure VLAN 99 as the native VLAN.

• The command syntax (switchport trunk allowed vlan & switchport trunk allowed vlan add) used to allow a list of VLANs on the trunk is shown.

–On this trunk port, allow VLANs 1,5,3,8,99

• The example configures port F0/11 on switch S1 as the trunk port. It reconfigures the native VLAN as VLAN 99 and adds 1,5,3,8,99 as allowed VLANs on port F0/11.

Switch(config)#interface fastethernet 0/11
Switch(config-if)#shutdown
Switch(config-if)#switchport trunk encapsulation dot1q
Switch(config-if)#switchport trunk allowed vlan 1,5,3,8,99
Switch(config-if)#switchport mode trunk
Switch(config-if)#switchport trunk native vlan 99
Switch(config-if)#switchport nonegotiate
Switch(config-if)#no shutdown

Verifying the 802.1Q Configuration

Switch#show running-config interface {fastethernet | gigabitethernet} slot/port

Switch#show interfaces [fastethernet | gigabitethernet] slot/port [ switchport | trunk ]

Switch#show interfaces fastEthernet 0/11 switchport
Name: fa5/8
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: Off
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 99 (trunk_only)
Trunking VLANs Enabled: 1,5,3,8,99
Pruning VLANs Enabled: 2-1001
. . .

Switch#show running-config interface fastethernet 0/11
Building configuration...
Current configuration:
!
interface FastEthernet0/11
 switchport mode dynamic desirable
 switchport trunk encapsulation dot1q

Switch#show interfaces fastethernet 0/11 trunk
Port      Mode         Encapsulation  Status        Native vlan
Fa0/11    desirable    802.1q         trunking      99

Port      Vlans allowed on trunk
Fa0/11    1,5,3,8,99

Port      Vlans allowed and active in management domain
Fa0/11    1,5,3,8,99

Port      Vlans in spanning tree forwarding state and not pruned
Fa0/11    1,5,3,8,99

Common Problems with Trunks

• The most common problems:

–Native VLAN mismatches - Trunk ports are configured with different native VLANs.

• For example, one port has defined VLAN 99 as the native VLAN and the other trunk port has defined VLAN 100 as the native VLAN.

• This configuration error generates console notifications, causes control and management traffic to be misdirected and, as you have learned, poses a security risk.

–Trunk mode mismatches - One trunk port is configured with trunk mode "off" and the other with trunk mode "on".

• This configuration error causes the trunk link to stop working.

–Allowed VLANs on trunks - The list of allowed VLANs on a trunk has not been updated with the current VLAN trunking requirements.

• In this situation, unexpected traffic or no traffic is being sent over the trunk.

1. Native VLAN Mismatches

• You are a network administrator and you get a call that the person using computer PC4 cannot connect to the internal web server, WEB/TFTP server in the figure. You learn that a new technician was recently configuring switch S3. The topology diagram seems correct, so why is there a problem?

• As soon as you connect to switch S3, the error message shown in the top highlighted area in the figure appears in your console window.

–You take a look at the interface using the show interfaces f0/3 switchport command. You notice that the native VLAN has been set to VLAN 100 and it is inactive.

–You need to reconfigure the native VLAN on the Fast Ethernet F0/3 trunk port to be VLAN 99.

• The screen output for the computer PC4 shows that connectivity has been restored to the WEB/TFTP server found at IP address 172.17.10.30.

2. Trunk Mode Mismatches

• In this scenario, the same problem arises: the person using computer PC4 cannot connect to the internal web server. Why is there a problem?

• The first thing you do is check the status of the trunk ports on switch S1 using the show interfaces trunk command.

–It reveals in the figure that there is not a trunk on interface F0/3 on switch S1.

–You examine the F0/3 interface to learn that the switch port is in dynamic auto mode for S1 and S3.

• You need to reconfigure the trunk mode of the Fast Ethernet F0/3 ports on switches S1 and S3.

–The top right output from switch S3 shows the commands used to reconfigure the port and the results of the show interfaces trunk command, revealing that interface F0/3 has been reconfigured as a trunk.

• The output from computer PC4 indicates that PC4 has regained connectivity to the WEB/TFTP server found at IP address 172.17.10.30.

3. Incorrect VLAN List

• In the figure, VLAN 20 (Student) and computer PC5 have been added to the network.

–The documentation has been updated to show that the VLANs allowed on the trunk are 10, 20, and 99.

• In this scenario, the person using computer PC5 cannot connect to the student e-mail server shown in the figure.

• Check the trunk ports on switch S1 using the show interfaces trunk command.

–The command reveals that the interface F0/3 on switch S3 is correctly configured to allow VLANs 10, 20, and 99.

–An examination of the F0/3 interface on switch S1 reveals that interfaces F0/1 and F0/3 only allow VLANs 10 and 99.

• You need to reconfigure the F0/1 and the F0/3 ports on switch S1 using the switchport trunk allowed vlan 10,20,99 command.

–The show interfaces trunk command is an excellent tool for revealing common trunking problems.

• The bottom figure indicates that PC5 has regained connectivity to the student e-mail server found at IP address 172.17.20.10.
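The three trunk problems above can be caught by comparing the two ends of a link before anyone loses connectivity. The following Python example is added here and is not part of the original slides: it parses the trunk settings out of running-config text and reports mode, DTP, native VLAN and allowed-list findings. The config fragments are constructed (they combine the S1/S3 F0/3 faults from the scenarios), and the function names and finding codes are hypothetical.

```python
import re

ALL_VLANS = set(range(1, 4095))

# Constructed running-config fragments for the two ends of one link (S1 F0/3 <-> S3 F0/3).
S1_CONFIG = """\
interface FastEthernet0/3
 switchport mode dynamic auto
 switchport trunk native vlan 99
 switchport trunk allowed vlan 10,99
"""
S3_CONFIG = """\
interface FastEthernet0/3
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 100
 switchport trunk allowed vlan 10,20
 switchport trunk allowed vlan add 99
"""


def parse_vlans(spec: str) -> set:
    """'1,5,99,1002-1005' -> {1, 5, 99, 1002, 1003, 1004, 1005}"""
    vlans = set()
    for part in spec.split(","):
        low, _, high = part.strip().partition("-")
        vlans.update(range(int(low), int(high or low) + 1))
    return vlans


def parse_interfaces(config: str) -> dict:
    """Map interface name -> trunk settings; unset values keep the defaults."""
    ports, cur = {}, None
    for line in (raw.strip() for raw in config.splitlines()):
        if m := re.match(r"interface (\S+)$", line):
            # Defaults: native VLAN 1, all VLANs allowed, mode left to the platform.
            cur = ports[m.group(1)] = {"mode": "platform default", "nonegotiate": False,
                                       "native": 1, "allowed": set(ALL_VLANS)}
        elif cur is None:
            continue
        elif m := re.match(r"switchport mode (.+)$", line):
            cur["mode"] = m.group(1)
        elif line == "switchport nonegotiate":
            cur["nonegotiate"] = True
        elif m := re.match(r"switchport trunk native vlan (\d+)$", line):
            cur["native"] = int(m.group(1))
        elif m := re.match(r"switchport trunk allowed vlan (add )?([\d,-]+)$", line):
            new = parse_vlans(m.group(2))
            cur["allowed"] = cur["allowed"] | new if m.group(1) else new
    return ports


def audit_link(name_a: str, a: dict, name_b: str, b: dict) -> list:
    """Return (code, detail) findings for one trunk link."""
    findings = []
    for name, port in ((name_a, a), (name_b, b)):
        if port["mode"] != "trunk":
            findings.append(("not-static-trunk", f"{name}: mode is '{port['mode']}'"))
        elif not port["nonegotiate"]:
            findings.append(("dtp-enabled", f"{name}: no 'switchport nonegotiate'"))
    if a["native"] != b["native"]:
        findings.append(("native-vlan-mismatch",
                         f"{name_a} native {a['native']}, {name_b} native {b['native']}"))
    if a["allowed"] != b["allowed"]:
        diff = sorted(a["allowed"] ^ b["allowed"])
        findings.append(("allowed-vlan-mismatch", f"allowed on one end only: {diff}"))
    return findings


def audit_sample() -> list:
    s1 = parse_interfaces(S1_CONFIG)["FastEthernet0/3"]
    s3 = parse_interfaces(S3_CONFIG)["FastEthernet0/3"]
    return audit_link("S1 Fa0/3", s1, "S3 Fa0/3", s3)


if __name__ == "__main__":
    for code, detail in audit_sample():
        print(f"{code}: {detail}")
```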

4. VLAN and IP Subnets

• As you have learned, each VLAN must correspond to a unique IP subnet. If two devices in the same VLAN have different subnet addresses, they cannot communicate.

• In this scenario, the person using computer PC1 cannot connect to the student web server shown in the figure.

• In the figure, a check of the IP configuration settings of PC1 reveals the most common error in configuring VLANs:

–an incorrectly configured IP subnet.

–The PC1 computer is configured with an IP address of 172.172.10.21, but it should have been configured with 172.17.10.21.

• The bottom screen capture reveals that PC1 has regained connectivity to the WEB/TFTP server found at IP address 172.17.10.30.

SWITCH Lab: Trunking

Objective

Assign the PCs to their own virtual LAN (VLAN), and learn how to provide connectivity between devices across a switched LAN using trunking. For this lab, your network design will include two PC workstations, P1PC1 and P2PC2, and four switches, P1ASW1, P1DSW1, P2ASW2, and P2DSW2. P1ASW1 and P2ASW2 are Access layer switches. P1DSW1 and P2DSW2 are Distribution layer switches. The Access and Distribution layers are two of the three layers in the Cisco three-layer hierarchical network model, which also includes the Core layer.

Lab Topology


Lab Tasks

Task 1: Establish 802.1Q Trunking

Enable 802.1Q trunking between the DSW and ASW switches and between the two DSW switches.

The console password has been set to cisco for all devices in this lab.

1. On each ASW, assign to VLAN 1 all the ports that connect to the DSWs.

2. On each DSW, assign to VLAN 1 all the ports that connect to the ASWs.

3. On each DSW, assign to VLAN 1 all the ports that connect to the other DSW.

4. On each ASW, turn on trunking for each port that connects to the DSWs. The ASWs are 2900 series switches, which use 802.1Q trunking by default.

5. On each DSW, turn on trunking for each port that connects to the ASWs. The DSWs are 3500 series switches; configure these switches to use 802.1Q trunking.

6. On each DSW, enable trunking for each port that connects to its neighboring DSW. Use 802.1Q trunking.

7. Issue the show interfaces interface-id switchport command to verify the trunk configuration.

8. Configure all trunk ports to carry only VLANs 1, 99, and 1002–1005.

9. Issue the show interfaces interface-id switchport command to verify that VLANs 1, 99, and 1002–1005 are allowed on all trunk ports.
