VLAN VTP CCNA
VLAN (Virtual LAN)
VLANs can be PCs, departments, project teams, or applications, perhaps spread across multiple LAN segments, that are not constrained by their physical location and can communicate as if they were on a common LAN.
By default, switches break up collision domains and routers break up broadcast domains. VLANs break up broadcast domains in a pure switched internetwork.
Each VLAN is a broadcast domain, so it must have its own subnet number.
You can assign each switch port to a VLAN. Ports in a VLAN share broadcast traffic. Ports that do not belong to that VLAN do not share the broadcast traffic.
Why not just subnet my network?
A common question is why not just subnet the network instead of using VLANs? Each VLAN should be in its own subnet. The benefit a VLAN provides over a subnetted network is that devices in different physical locations, not connected back to the same router, can be on the same network. The limitation of subnetting a network with a router is that all devices on that subnet must be connected to the same switch, and that switch must be connected to a port on the router.
VLAN Advantages
VLANs define broadcast domains without the constraint of physical location. For example, instead of making all of the users on the third floor part of the same broadcast domain, you use VLANs to make all of the users in the HR department part of the same broadcast domain. The benefits of doing this are many. Firstly, these users might be spread throughout different floors of a building, so a VLAN would allow you to make all of these users part of the same broadcast domain. To that end, this can also be viewed as a security feature: since all HR users are part of the same broadcast domain, you could later use policies such as access lists to control which areas of the network these users have access to, or which users have access to the HR broadcast domain. Furthermore, if the HR department's server were placed on the same VLAN, HR users would be able to access their server without the need for traffic to cross routers, which is not efficient and may potentially impact other parts of the network.
Types of VLAN Membership
VLAN Membership by Port Group (Static VLANs)
VLANs are defined on a switch on a port-by-port basis. We might make ports 1-6 part of VLAN 1 and ports 7-12 part of VLAN 2. A VLAN isn't limited to a single switch. Trunk links are used to interconnect switches, so a VLAN might have 3 ports on one switch and 7 ports on another.
Assigning VLANs purely by port group does not allow multiple VLANs on the same segment (or switch port). The disadvantage of defining VLANs by port is that you must reconfigure VLAN membership when a user moves from one port to another.
Question
Which approach to assigning VLAN membership maximizes forwarding performance?
A. membership by MAC address
B. membership by logical address
C. membership by protocol
D. membership by port
E. membership by operating system
Answer D
membership by port
Membership by MAC Address (Dynamic VLANs)
VLANs configured by using MAC addresses can recognize when a station has been moved to another port on a switch. VLAN management software can then automatically reconfigure that station into its appropriate VLAN without the need to change the station's MAC or IP address.
The drawback of MAC address-based VLAN solutions is the requirement that large numbers of users must initially be configured to be in at least one VLAN. Fortunately, the VMPS (VLAN Management Policy Server) can be used to set up a database that maps MAC addresses to VLANs, which can then assign VLANs to MACs dynamically.
Question
Which piece of information is used by a VLAN Management Policy Server to dynamically assign a port to a VLAN?
A. Source IP address
B. Source hostname
C. Source MAC address
D. Source port
Answer C
The source MAC address of the sending station is used to assign a port to a specific VLAN.
A is incorrect because the source IP address is irrelevant to the server. B is incorrect, as the hostname of the source device is not used to assign VLANs. D is incorrect because the source port of the traffic is not a consideration when assigning VLANs.
Layer 3–Based VLANs
VLANs based on layer 3 information take into account the subnet address for TCP/IP networks in determining VLAN membership; no route calculation is undertaken, and RIP or OSPF protocols are not employed. Therefore, from the point of view of a switch employing layer 3-based VLANs, connectivity within any given VLAN is still seen as a flat, bridged topology; however, routing is still necessary to provide connectivity between distinct VLANs. There are several advantages to defining VLANs at layer 3. First, it enables partitioning by protocol type. This may be an attractive option for network managers who are dedicated to a service- or application-based VLAN strategy. Second, users can physically move their workstations without having to reconfigure each workstation's network address, a benefit primarily for TCP/IP users. Third, defining VLANs at layer 3 can eliminate the need for frame tagging in order to communicate VLAN membership between switches, reducing transport overhead. One of the disadvantages of defining VLANs at layer 3 (vs. MAC- or port-based VLANs) can be performance. Inspecting layer 3 addresses in packets is more time consuming than looking at MAC addresses in frames.
Inter-VLAN Communication
A VLAN is simply a special type of broadcast domain; it is defined on a switch port basis rather than on traditional physical boundaries. Recall that when a host in one broadcast domain wishes to communicate with another, a router must be involved. This holds true for VLANs.
A Layer 3 switch is generally a Layer 2 switching device that also includes the ability to act as a router. If a switch includes Layer 3 capabilities, it can be configured to route traffic between VLANs defined in the switch, without the need for packets to ever leave the switch. However, if a switch only includes Layer 2 functionality, an external router must be configured to route traffic between the VLANs. In some cases, it's entirely possible that a packet will leave switch port 1, be forwarded to an external router, and then be routed right back to port 2 on the originating switch. For this reason, many companies have decided to implement Layer 3 switches strategically throughout their network.
Extending VLANs Between Switches
Access links/ports
Access links carry traffic for only a single VLAN. Switches remove any VLAN information from a frame before it's forwarded out an access link, so access link devices cannot communicate outside their VLAN unless the packet goes through a router.
Below we have connected a link between two switches; each of these ports is a member of VLAN 1 on its switch. By default, without any additional configuration, these ports will act as a trunk link, but will only pass traffic for VLAN 1. While an access link does the job for a single-VLAN environment, multiple access links would be required if you wanted traffic from multiple VLANs to be passed between switches.
Having multiple access links between the same pair of switches would be a big waste. Obviously, traffic for multiple VLANs needs to be transferred across a single trunk link.
Trunk Links
Trunk links are required to pass VLAN information between switches. A trunk port is by default a member of all the VLANs that exist on the switch and carries traffic for all those VLANs between the switches. To distinguish between the traffic flows, a trunk port must tag the frames with the VLAN information as they pass between the switches. Trunking is a function that must be enabled on both sides of a link.
If two switches are connected together, both switch ports must be configured for trunking and they must both be configured with the same tagging mechanism (ISL or 802.1Q, referred to as "dot1q").
There are two trunking protocols that enable VLAN tagging on Cisco switches: ISL and 802.1Q (dot1q).
For traffic from multiple VLANs to traverse a link connecting two switches, we need to configure VLAN tagging on the ports that supply the link.
So we should choose either Inter-Switch Link (ISL) or 802.1Q. ISL is a Cisco-proprietary VLAN tagging method; 802.1Q is an open standard.
When interconnecting two Cisco switches, ISL is usually the best choice, but if you need to interconnect switches of different types (a Cisco switch and an Avaya switch, for example), use 802.1Q.
Configuring Trunk Links on a Switch
Switch(config-if)#switchport mode trunk
Switch(config-if)#switchport trunk encapsulation dot1q
OR
Switch(config-if)#switchport mode trunk
Switch(config-if)#switchport trunk encapsulation isl
Show interface trunk displays which ports are trunk ports and which trunk encapsulation is used.
To check the status of a trunk, use the show interface trunk command.
This output shows that ports fast 0/11 and 0/12 are trunking and are in the default mode of dynamic desirable, they're running IEEE 802.1Q encapsulation, and all VLANs are allowed to send traffic across the trunk.
Question
Which commands, when used together, would create an 802.1Q link? (Select two)
A. Switch(vlan)#mode trunk
B. Switch(config)#switchport access mode trunk
C. Switch(config-if)#switchport mode trunk
D. Switch(config-if)#switchport trunk encapsulation dot1q
E. Switch(config)#switchport access mode 1
F. Switch(vlan)#trunk encapsulation dot1q
Answer C, D
First set the switchport mode to trunk and then configure the encapsulation. Note there is a clue in the question: to create a trunk on an interface you have to be in interface configuration mode.
InterSwitch Link (ISL)
ISL will only function on ports with a speed of 100 Mbps or greater; we cannot use ISL with a 10 Mbps port. The ports on both ends of the link need to be configured for ISL.
ISL tags a frame as it leaves a switch with VLAN information. ISL VLAN info is added to a frame only if the frame is forwarded out of a trunk link.
The ISL encapsulation is removed if the frame is forwarded out an access link.
IEEE 802.1Q inserts a field into the frame to identify the VLAN. One of the issues with VLAN tagging is that by adding information to an Ethernet frame, the size of the frame can grow beyond the Ethernet maximum of 1518 bytes, to 1522 bytes. Because of this, all non-ISL ports will see frames larger than 1518 bytes as giants and, as such, invalid. This is why a port needs to be configured for ISL in order for it to understand this different frame format.
To route traffic between VLANs in a non-ISL environment we need to connect the router to a port on each VLAN.
A better strategy here would be to configure ISL tagging on one of the router's Fast Ethernet interfaces, and then configure ISL on the connected switch port. This configuration, also known as a "router on a stick", would allow the router to process the traffic of multiple VLANs, and route traffic between them.
A router-on-a-stick is a network configuration that uses a single router interface as a gateway for more than one network segment. You literally take a single Ethernet interface, put it on multiple VLANs, and set up the IP address.
Here’s how it works: The router is plugged into a port on a switch that is configured as a trunk that carries all the important VLANs. The router is configured with Ethernet sub-interfaces one for each VLAN.
The router will be connected to a switch via a FastEthernet port (or higher). The router port cannot be a regular Ethernet port, since the router port will need the ability to send and receive data at the same time.
The configuration of the interface is where things get interesting. Here is the VLAN information for our three VLANs that will use router-on-a-stick to communicate:
VLAN 10: 10.10.10.0 /24
VLAN 20: 20.20.20.0 /24
VLAN 30: 30.30.30.0 /24
The port on the switch connected to the router's FastEthernet port must be in trunking mode; here we'll choose ISL (Cisco-proprietary) as the trunking protocol.
The FE port on the router will not have an IP address. The use of router-on-a-stick mandates the use of logical subinterfaces. One subinterface must be given an IP address in VLAN 10, one in VLAN 20 and the other will have an IP address in VLAN 30.
The Router config for inter-VLAN communication.
(config)#interface fastethernet 3/1
(config-if)#no ip address
(config-if)#interface FastEthernet 3/1.10
(config-subif)#ip address 10.10.10.1 255.255.255.0
(config-subif)#encapsulation isl 10
(config-subif)#interface FastEthernet 3/1.20
(config-subif)#ip address 20.20.20.1 255.255.255.0
(config-subif)#encapsulation isl 20
(config-subif)#interface FastEthernet 3/1.30
(config-subif)#ip address 30.30.30.1 255.255.255.0
(config-subif)#encapsulation isl 30
And that's it! Your hosts in VLAN 10, 20 and 30 should now be able to communicate.
Question
If I have VLAN 3 and VLAN 4 configured on a Cisco switch, and I would like to have PCs on VLAN 3 communicate with PCs on VLAN 4, which of the following will allow this inter-VLAN communication to take place?
A. It takes place through any Cisco router.
B. It takes place through a Cisco router that can run ISL.
C. It takes place through a router, but this disables all the router's security and filtering functionality for the VLANs.
D. For nonroutable protocols (e.g., NetBEUI) the router provides communications between VLAN domains.
E. Inter-VLAN communication is not possible because each VLAN is a separate broadcast domain.
Answer B
Explanation
In a switched environment, packets are switched only between ports designated to be within the same "broadcast domain". VLANs perform network partitioning and traffic separation at Layer 2. So, inter-VLAN communication cannot occur without a Layer 3 device such as a router, because network layer (Layer 3) devices are responsible for communicating between multiple broadcast domains. Note that, at Layer 2, an interface uses ISL to communicate with a switch.
Incorrect Answers
A. The router requires ISL.
C. The router does not change the security settings.
D. The router will not route a nonroutable protocol into the VLAN.
E. Without a router, inter-VLAN communication is impossible.
dot1q Example
It is recommended that the subinterface number is the same as the VLAN number.
Router(config)#interface fastethernet port-number.subinterface-number
The port-number identifies the physical interface; the subinterface-number identifies the virtual interface.
Define the VLAN encapsulation:
Router(config-subif)#encapsulation dot1q vlan-number
The vlan-number identifies the VLAN for which the subinterface will carry traffic.
Assign an IP address to the subinterface:
Router(config-subif)#ip address ip-address subnet-mask
Inter-VLAN Routing
If we plugged devices into each VLAN port, they could only talk to other devices in the same VLAN. We need to enable inter-VLAN communication.
Using a router, to support ISL or 802.1Q on a Fast Ethernet interface we divide the interface into subinterfaces, one per VLAN. We set the subinterface to trunk with the encapsulation command.
Router#config t
Router(config)#int f0/0.1
Router(config-subif)#encapsulation dot1Q ?
<1-4094> VLAN ID
The subinterface number is only locally significant, so it doesn't matter which numbers are used, but it's best to use the same subinterface number as the VLAN number.
Inter-VLAN Routing on an External Router ISL Trunk Link
ISL VLAN info is added to a frame only if the frame is forwarded out of a trunk link. The ISL encapsulation is removed from the frame if the frame is forwarded out an access link.
Configuration on the Router
The major interface of a router using ISL cannot have an IP address.
(config)#interface fastethernet 0/0
(config-if)#no ip address
(config-if)#interface fastethernet 0/0.10
(config-subif)#encapsulation isl 10
(config-subif)#ip address 10.10.1.1 255.255.255.0
(config-subif)#interface fastethernet 0/0.20
(config-subif)#encapsulation isl 20
(config-subif)#ip address 10.20.1.1 255.255.255.0
Configuration on the Switch
Switch(config)#interface fastethernet 0/0
Switch(config-if)#switchport trunk encapsulation isl
Switch(config-if)#switchport mode trunk
Inter-VLAN Routing on an External Router 802.1Q Trunk Link
Configuration on the Router
The trunk's major interface can have an IP address; if it doesn't, still bring it up with the no shutdown command.
Rtr(config)#interface fastethernet 0/0
Rtr(config-if)#no shutdown
Rtr(config)#interface fastethernet 0/0.1
Rtr(config-subif)#description VLAN 1
Rtr(config-subif)#encapsulation dot1q native
Rtr(config-subif)#ip address 10.1.1.1 255.255.255.0
Rtr(config)#interface fastethernet 0/0.10
Rtr(config-subif)#description VLAN 10
Rtr(config-subif)#encapsulation dot1q 10
Rtr(config-subif)#ip address 10.10.1.1 255.255.255.0
Rtr(config)#interface fastethernet 0/0.20
Rtr(config-subif)#description VLAN 20
Rtr(config-subif)#encapsulation dot1q 20
Rtr(config-subif)#ip address 10.20.1.1 255.255.255.0
The encapsulation dot1q [vlan-id] command enables 802.1Q on a Cisco router. The native VLAN in 802.1Q does not carry a tag. With dot1q the trunk's major interface can have an IP address. Remember that the major interface of a router using ISL cannot have an IP address.
Configuration on the Switch
Switch(config)#interface fastethernet 0/0
Switch(config-if)#switchport trunk encapsulation dot1q
Switch(config-if)#switchport mode trunk
Example
VLAN Memberships
Manual / Static
With manual VLAN configuration, the initial setup and all subsequent moves/changes are controlled by the network administrator. This enables a high degree of control and is the most secure. However, in larger enterprise networks, manual configuration is not practical and defeats one of the primary benefits of VLANs: elimination of the time taken to administer moves and changes, although moving users manually with VLANs may be easier than moving users across router subnets.
Automatic / Dynamic
A dynamic VLAN determines host assignment automatically using the VLAN management application. The administrator can enter all the MAC addresses into the VMPS database and configure the switch to assign VLANs dynamically whenever a host is plugged into the switch. Cisco admins can use the VLAN Management Policy Server (VMPS) service to set up a database of MAC addresses that is used for dynamic assignment of VLANs; a VMPS database maps MAC addresses to VLANs.
Question
When a switch port is used as a VLAN trunk, which of the following trunk modes are valid?
A. Blocking
B. Auto
C. Desirable
D. On
E. Transparent
F. Learning
Answer B, C, D
A trunk port can be configured in 5 modes: on, off, desirable, auto or nonegotiate.
switchport
You only use the switchport command on switches, not routers. It can put a port into trunk mode, into a certain VLAN, or even set port security.
Its most common use is to configure an interface to connect to an access device (e.g., workstation, server, printer, etc.):
Switch(config-if)#switchport mode access
You can also use this command to put a port in a certain VLAN:
Switch(config-if)#switchport access vlan 101
To change the trunking protocol:
Switch(config-if)#switchport trunk encapsulation isl
Creating VLANs on the Switch
S1#config t
S1(config)#vlan 2
S1(config-vlan)#name Sales
S1(config-vlan)#vlan 3
S1(config-vlan)#name Marketing
S1(config-vlan)#vlan 4
S1(config-vlan)#name accounting
S1(config-vlan)#^Z
After you have created VLANs, verify them with the show vlan command.
show vlan
S1#show vlan
Remember that a VLAN isn't used until it is assigned to a switch port, and all ports are in the default VLAN 1 unless set otherwise. Here all ports are in VLAN 1. Ports 1 and 2 aren't showing up? This is because they are trunk ports!
Trunk ports don’t show up in the VLAN database. You have to use the show interface trunk command to see trunked ports.
S3750-1#show interface trunk
Port        Mode       Encapsulation  Status    Native vlan
Fa1/0/13    desirable  n-isl          trunking  1
Fa1/0/14    desirable  n-isl          trunking  1
Fa1/0/15    desirable  n-isl          trunking  1
Assigning Switch Ports to VLANs on a Switch
We configure a port to belong to a VLAN by assigning a membership mode that specifies the traffic the port carries.
Let's say we wanted to create VLANs 5 and 10. We want to put ports 2 and 3 in VLAN 5 (Marketing) and ports 4 and 5 in VLAN 10 (Human Resources). On a Cisco 2950 switch, here's how.
We need to create the new VLANs and put each port in the proper VLAN.
CAT1#config t
Enter configuration commands, one per line. End with CNTL/Z.
CAT1(config)#vlan 5
CAT1(config-vlan)#name marketing
CAT1(config-vlan)#exit
CAT1(config)#vlan 10
CAT1(config-vlan)#name humanresources
CAT1(config-vlan)#exit
CAT1(config)#interface FastEthernet 0/2
CAT1(config-if)#switchport mode access
CAT1(config-if)#switchport access vlan 5
CAT1(config-if)#exit
CAT1(config)#interface FastEthernet 0/3
CAT1(config-if)#switchport mode access
CAT1(config-if)#switchport access vlan 5
CAT1(config-if)#exit
CAT1(config)#interface FastEthernet 0/4
CAT1(config-if)#switchport mode access
CAT1(config-if)#switchport access vlan 10
CAT1(config-if)#exit
CAT1(config)#interface FastEthernet 0/5
CAT1(config-if)#switchport mode access
CAT1(config-if)#switchport access vlan 10
CAT1(config-if)#exit
CAT1(config)#
At this point, only ports 2 and 3 should be able to communicate with each other and ports 4 & 5 should be able to communicate. That is because each of these is in its own VLAN. For the device on port 2 to communicate with the device on port 4, you would have to configure a trunk port to a router so that it can strip off the VLAN information, route the packet, and add back the VLAN information.
Question
When a new trunk link is configured on an IOS-based switch, which VLANs are allowed over the link?
A. By default all defined VLANs are allowed on the trunk.
B. Each single VLAN or VLAN range must be specified with the switchport mode cmd.
C. Each single VLAN or VLAN range must be specified with the vtp domain cmd.
D. Each single VLAN or VLAN range must be specified with the vlan database cmd.
Answer A
By default all VLANs are allowed over a trunk at all times. This is true for every Cisco IOS switch.
Assigning a range of access ports to VLAN
Configuring Trunk Ports
Switch#config t
Switch(config)#int f0/12
Switch(config-if)#switchport mode trunk
Switch(config-if)#^Z
Switch#
switchport mode trunk
Puts the interface into permanent trunking mode and converts the neighbouring link into a trunk link. The interface becomes a trunk interface even if the neighboring interface isn’t a trunk interface.
switchport mode access
To disable trunking on an interface, use the switchport mode access command:
Switch#config t
Switch(config)#int f0/12
Switch(config-if)#switchport mode access
Switch(config-if)#^Z
Switch#
We can verify our configuration with the show running-config command.
Switch#show running-config
!
interface FastEthernet0/2
 switchport access vlan 2
 no ip address
!
interface FastEthernet0/3
 switchport access vlan 3
 no ip address
!
interface FastEthernet0/4
 switchport access vlan 4
 no ip address
!
interface FastEthernet0/12
 switchport mode trunk
 no ip address
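Reading that output by eye works for four ports; for a whole switch it helps to parse the running-config and compare it with the intended layout, so an unplanned trunk or a port left in the default VLAN 1 is reported. The following Python is an added example, not code from the notes: the sample config is the excerpt above with one assumed "switchport trunk allowed vlan remove 4-8" line added to the trunk so the allowed-list handling is exercised.

```python
import re
from dataclasses import dataclass, field

ALL_VLANS = frozenset(range(1, 4095))  # IOS default: a trunk carries every VLAN (1-4094)

# Constructed sample: the show running-config excerpt from the notes, plus an assumed
# "switchport trunk allowed vlan remove 4-8" line on the trunk port.
SAMPLE_RUNNING_CONFIG = """\
!
interface FastEthernet0/2
 switchport access vlan 2
 no ip address
!
interface FastEthernet0/3
 switchport access vlan 3
 no ip address
!
interface FastEthernet0/4
 switchport access vlan 4
 no ip address
!
interface FastEthernet0/12
 switchport mode trunk
 switchport trunk allowed vlan remove 4-8
 no ip address
"""

@dataclass
class PortConfig:
    name: str
    mode: str = "access"            # default when no "switchport mode" line is present
    access_vlan: int = 1            # IOS default: an access port starts in VLAN 1
    allowed_vlans: set = field(default_factory=lambda: set(ALL_VLANS))

def expand_vlan_list(spec):
    """Expand an IOS VLAN list such as '1-3,10' into a set of VLAN IDs."""
    vlans = set()
    for part in spec.split(","):
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-"))
            vlans.update(range(lo, hi + 1))
        else:
            vlans.add(int(part))
    return vlans

def parse_running_config(text):
    """Map each interface stanza to its switchport mode, access VLAN and allowed-VLAN set."""
    ports, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"^interface (\S+)$", line)
        if m:
            current = PortConfig(name=m.group(1))
            ports[current.name] = current
            continue
        if current is None or not line.startswith("switchport "):
            continue
        words = line.split()
        if words[1] == "mode":
            current.mode = words[2]
        elif words[1:3] == ["access", "vlan"]:
            current.access_vlan = int(words[3])
        elif words[1:4] == ["trunk", "allowed", "vlan"]:
            action = words[4]
            if action == "all":
                current.allowed_vlans = set(ALL_VLANS)
            elif action == "remove":
                current.allowed_vlans -= expand_vlan_list(words[5])
            elif action == "add":
                current.allowed_vlans |= expand_vlan_list(words[5])
            else:                    # an explicit list replaces the allowed set
                current.allowed_vlans = expand_vlan_list(action)
    return ports

def audit(ports, planned_access, planned_trunks):
    """List deviations from the intended layout: wrong access VLAN, a port with no plan
    entry (typically still in VLAN 1), or a trunk where none was planned and vice versa."""
    findings = []
    for name, port in ports.items():
        if port.mode == "trunk":
            if name not in planned_trunks:
                findings.append(f"{name}: trunking but not a planned trunk port")
        elif name not in planned_access:
            findings.append(f"{name}: not in the plan, still in VLAN {port.access_vlan}")
        elif port.access_vlan != planned_access[name]:
            findings.append(f"{name}: in VLAN {port.access_vlan}, plan says VLAN {planned_access[name]}")
    for name in planned_trunks:
        if name not in ports or ports[name].mode != "trunk":
            findings.append(f"{name}: planned trunk port is not trunking")
    return findings
```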
Trunking with the 3560 Switch
The 3560 can run both the ISL and 802.1Q trunking encapsulations.
Core#conf t
Core(config-if)#switchport trunk encapsulation dot1q
Core(config-if)#switchport mode trunk
Core#conf t
Core(config-if)#switchport trunk encapsulation isl
Core(config-if)#switchport mode trunk
Removing VLANs from a Trunk
We can remove VLANs from the allowed list to prevent traffic from certain VLANs from traversing a trunk link.
S1#config t
S1(config)#int f0/1
S1(config-if)#switchport trunk allowed vlan remove 4
To remove a range of VLANs:
S1(config-if)#switchport trunk allowed vlan remove 4-8
To set the trunk back to the default (all VLANs allowed):
S1(config-if)#switchport trunk allowed vlan all
One more example: port trunking is the process by which ports are designated as uplink ports to carry traffic from multiple VLANs across the same physical cable. In the following example, we enable trunking on interface E0/1 to carry traffic from VLANs 1 through 99 only.
Router#configure terminal
Router(config)#interface E0/1
Router(config-if)#switchport access vlan 100
Router(config-if)#switchport trunk encapsulation dot1q
Router(config-if)#switchport trunk allowed vlan 1-99
Router(config-if)#switchport mode trunk
Router(config-if)#^Z
This configuration will carry traffic for VLANs 1-99 across E0/1. Setting the trunk encapsulation type is only available on switches that support multiple encapsulation types. Ensure that spanning tree is on in order to prevent loops.
Another Example
This router has 3 VLANs, each with 2 hosts. The router is connected to the switch using subinterfaces; the switch port connecting to the router is the trunk port, and the other switch ports, connecting to the clients and the hub, are access ports.
The configuration on the Switch is
Given the logical networks
VLAN 1 192.168.10.16/28
VLAN 2 192.168.10.32/28
VLAN 3 192.168.10.48/28
Example
What are the router and switch configurations, based on the IP addresses that one host in each VLAN has been given?
Switch configuration
Router configuration: since the hosts don't list a subnet mask, the number of hosts in each VLAN will give us the block size. VLAN1 has 85 hosts and VLAN2 has 115 hosts.
Calculating the subnet mask:
max number of hosts = 115
2^7 - 2 = 126, 2^6 - 2 = 62
therefore 7 bits are needed for hosts; 32 - 7 = 25 bits for the network address, or a /25 mask
11111111.11111111.11111111.10000000 = 255.255.255.128
Subnets will be 0 and 128. The 0 subnet is VLAN1, host range 1-126; the 128 subnet is VLAN2, host range 129-254.
So the router configuration will be:
We used the first address in the host range for VLAN1 and the last address in the range for VLAN2, but any address in the range would work.
To set the ip address of the switch
Example
Here are two VLANs. By looking at the router configuration, what are the IP address, mask, and default gateway of Host A? Use the last IP address in the range for Host A's address.
Answer
Both subnets are using a /28 or 255.255.255.240 mask; this is a block size of 16 (256 - 240 = 16). The router's address for VLAN1 is in subnet 128. The next subnet is 144, so the broadcast address of VLAN1 is 143 and the valid host range is 129-142.
So the host address would be
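Both calculations above, the /25 mask from the 115-host requirement and the /28 host range behind a router address in subnet 128, carried through in Python with the standard library's ipaddress module. This is an added example, not part of the notes; the base network 192.168.1.0/24 and the gateway address 192.168.1.129/28 are assumed, because the figures that hold them are not on the page.

```python
import ipaddress

def host_bits_for(hosts_needed):
    """Smallest number of host bits n with 2^n - 2 >= hosts_needed
    (network and broadcast addresses excluded, as in the 2^n - 2 rule above)."""
    n = 2  # one host bit gives 2^1 - 2 = 0 usable addresses, so start at two
    while (2 ** n) - 2 < hosts_needed:
        n += 1
    return n

def mask_for_hosts(hosts_needed):
    """Return (prefix_length, dotted_mask, binary_mask) for a subnet that fits hosts_needed hosts."""
    prefix = 32 - host_bits_for(hosts_needed)
    mask = ipaddress.ip_network(f"0.0.0.0/{prefix}").netmask
    binary = ".".join(f"{octet:08b}" for octet in mask.packed)
    return prefix, str(mask), binary

def subnet_plan(base_network, hosts_per_vlan):
    """Carve base_network into equal subnets large enough for the biggest VLAN and hand
    them out in order; returns one dict per VLAN with its usable range and broadcast."""
    prefix = 32 - host_bits_for(max(hosts_per_vlan.values()))
    base = ipaddress.ip_network(base_network)   # assumed base, e.g. "192.168.1.0/24"
    plan = {}
    for vlan, sub in zip(hosts_per_vlan, base.subnets(new_prefix=prefix)):
        hosts = list(sub.hosts())
        plan[vlan] = {
            "network": str(sub.network_address),
            "mask": str(sub.netmask),
            "first_host": str(hosts[0]),
            "last_host": str(hosts[-1]),
            "broadcast": str(sub.broadcast_address),
        }
    return plan

def host_from_gateway(gateway_with_prefix):
    """From a router subinterface address such as '192.168.1.129/28' (assumed) derive the
    block size, subnet, broadcast and usable range, and give a host the last usable address."""
    iface = ipaddress.ip_interface(gateway_with_prefix)
    net = iface.network
    hosts = list(net.hosts())
    return {
        "block_size": net.num_addresses,   # equals 256 - last mask octet for /24 and longer
        "subnet": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "first_host": str(hosts[0]),
        "last_host": str(hosts[-1]),
        "host_a": {"ip": str(hosts[-1]), "mask": str(net.netmask), "gateway": str(iface.ip)},
    }
```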
VLAN Trunking Protocol VTP
VTP allows switches to advertise VLAN information and create a consistent view of the switched network across all switches in the same VTP domain. When a VLAN is created on a VTP server switch, all other VTP devices in the domain are notified of that VLAN's existence. VTP servers will know about every VLAN, even VLANs that have no members on that switch.
VTP is a Layer 2 messaging protocol that maintains VLAN configuration consistency by managing the addition, deletion, and renaming of VLANs on a network-wide basis. VTP minimizes inconsistencies such as duplicate VLAN names, incorrect VLAN-type specifications, and security violations.
Switches have 3 VTP modes
Server – add, modify, delete VLANs
Client – process VLAN changes and forward VTP messages
Transparent – forward VTP messages only
Switch VTP Modes
VTP Server
Maintains the VLAN database. VLANs can be created, deleted and edited on the server for the entire VTP domain.
VTP servers advertise their VLAN configuration to other switches in the same VTP domain and synchronize their VLAN configuration with other switches based on advertisements received over trunk links. VTP server is the default mode for all Catalyst switches.
You need at least one server in your VTP domain to propagate VLAN information throughout the domain. VTP traffic is sent over the management VLAN (VLAN 1), so all VLAN trunks must be configured to pass VLAN 1.
VLAN information is stored in NVRAM (flash). VTP servers keep VLAN configuration information upon reboot.
VTP Client Mode
Maintains the database but does not store the information in NVRAM and doesn't retain VLAN information upon reboot; clients obtain this information from a VTP server.
In client mode, switches receive information from VTP servers; they send and receive updates, but VLANs cannot be created, deleted or edited on clients.
VTP Transparent Mode
VTP transparent switches do not participate in the VTP domain. Switches in transparent mode ignore VTP messages but will forward VTP advertisements that they receive out their trunk ports to other switches.
VLANs can be created, deleted and edited, but they are local to the switch only; transparent switches keep their own database, which is not advertised to the other switches in the VTP domain. Local VLAN information is stored in NVRAM.
                 Server           Transparent      Client
VLAN database    Saved in NVRAM   Saved in NVRAM   Not saved
For switches running VTP to successfully exchange VLAN information, three things have to happen.
1. The VTP domain name must match. This is case-sensitive. "CISCO" and "cisco" are two different domains.
2. To distribute information about a newly-created VLAN, the switch upon which that VLAN is created must be in Server mode.
3. Before you create VLANs, you must decide whether to use VTP in your network. With VTP, you can make configuration changes centrally on a single switch and have those changes automatically communicated to all the other switches in the network.
Benefits of VTP
Consistent VLAN configuration across all switches in the network.
VLAN trunking over mixed networks, such as Ethernet to ATM LANE or even FDDI.
Accurate tracking and monitoring of VLANs.
Dynamic reporting of added VLANs.
Understanding VTP Pruning
VTP pruning enhances network bandwidth use by reducing unnecessary flooded traffic, such as broadcast, multicast, unknown, and flooded unicast packets. VTP pruning increases available bandwidth by restricting flooded traffic to those trunk links that the traffic must use to access the appropriate network devices.
Below is a switched network without VTP pruning enabled. Port 1 on Switch 1 and port 2 on Switch 4 are assigned to the Red VLAN. A broadcast is sent from the host connected to Switch 1. Switch 1 floods the broadcast and every switch in the network receives it, even though Switches 3, 5, and 6 have no ports in the Red VLAN.
Flooding Traffic without VTP Pruning
The same switched network with VTP pruning enabled.
Enabling VTP pruning on a VTP server enables pruning for the entire management domain. By default, VLANs 2 through 1000 are pruning-eligible. VTP pruning does not prune traffic from VLAN 1.
To make a VLAN pruning ineligible, enter the clear vtp pruneeligible command. To make a VLAN pruning eligible again, enter the set vtp pruneeligible command.
The broadcast traffic from Switch 1 is not forwarded to Switches 3, 5, and 6 because traffic for the Red VLAN has been pruned on the links indicated (port 5 on Switch 2 and port 4 on Switch 4).
VTP Advertisements
VTP Configuration Revision Numbers
Most VLAN Trunking Protocol (VTP) deployments are going to have two or more VTP servers, so when one VTP server sends a summary advertisement, how does the receiving VTP server know if that ad has the latest information?
Every VTP summary advertisement carries a configuration revision number, which a switch increments by one when it updates its own VTP database. That same number is placed into the outgoing VTP summary advertisement. If the receiving switch's own VTP configuration revision number is lower than that of the incoming advertisement, the incoming advertisement's information is considered to be more recent and is accepted.
If the incoming advertisement's revision number is lower than that of the receiving switch, the incoming advertisement is considered out-of-date and is therefore ignored.
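The revision rule above, together with the domain-name and mode rules from the earlier sections, as an added Python simulation (not code from the notes). The topology is constructed: domain "London" with a server S1, clients S2 and S4, a transparent switch S3 in the middle, and S5 whose domain name differs only in case. Equal revision numbers are treated as "no change", which the notes do not spell out, so that is an assumption.

```python
from dataclasses import dataclass, field

@dataclass
class VtpAdvertisement:
    domain: str
    revision: int
    vlans: dict          # VLAN id -> name: the advertising switch's VLAN database

@dataclass
class Switch:
    name: str
    domain: str
    mode: str = "server"                       # "server", "client" or "transparent"
    revision: int = 0
    vlans: dict = field(default_factory=lambda: {1: "default"})
    trunks: list = field(default_factory=list)  # neighbouring Switch objects over trunk links
    log: list = field(default_factory=list)

    def create_vlan(self, vlan_id, name):
        """Local change: a server bumps its revision and advertises, a transparent switch
        keeps the VLAN local, and a client refuses (VLANs cannot be created on clients)."""
        if self.mode == "client":
            raise PermissionError(f"{self.name}: VLANs cannot be created on a VTP client")
        self.vlans[vlan_id] = name
        if self.mode == "server":
            self.revision += 1
            self.advertise()

    def advertise(self, sender=None):
        adv = VtpAdvertisement(self.domain, self.revision, dict(self.vlans))
        for peer in self.trunks:
            if peer is not sender:
                peer.receive(adv, sender=self)

    def receive(self, adv, sender):
        # Rule 1: the domain name must match exactly (case-sensitive).
        if adv.domain != self.domain:
            self.log.append(f"ignored: domain {adv.domain!r} != {self.domain!r}")
            return
        if self.mode == "transparent":
            # Transparent switches do not apply the update but relay it out their other trunks.
            self.log.append(f"forwarded revision {adv.revision}")
            for peer in self.trunks:
                if peer is not sender:
                    peer.receive(adv, sender=self)
            return
        if adv.revision > self.revision:
            # Higher revision wins: the whole VLAN database is replaced.
            self.vlans = dict(adv.vlans)
            self.revision = adv.revision
            self.log.append(f"accepted revision {adv.revision}")
            self.advertise(sender=sender)      # pass the newer database on
        else:
            # Lower revision is out-of-date; equal revision treated as no change (assumed).
            self.log.append(f"ignored revision {adv.revision} (own {self.revision})")

def link(a, b):
    """Constructed trunk link between two switches."""
    a.trunks.append(b)
    b.trunks.append(a)

def demo():
    """Constructed domain: S1 (server) - S2 (client) - S3 (transparent) - S4 (client),
    plus S5 hanging off S1 with the domain name in the wrong case."""
    s1 = Switch("S1", "London", "server")
    s2 = Switch("S2", "London", "client")
    s3 = Switch("S3", "London", "transparent")
    s4 = Switch("S4", "London", "client")
    s5 = Switch("S5", "london", "client")
    link(s1, s2)
    link(s2, s3)
    link(s3, s4)
    link(s1, s5)
    s1.create_vlan(10, "Sales")   # propagates: S2 accepts, S3 forwards, S4 accepts, S5 ignores
    s3.create_vlan(99, "Local")   # transparent: local only, no revision change, not advertised
    return s1, s2, s3, s4, s5
```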
Configuring Inter-Switch Communication, VTP
VTP (VLAN Trunk Protocol) manages all configured VLANs across a switched network.
All Cisco switches are configured to be VTP servers by default!
To configure VTP, first configure the domain name and then the other VTP information.
The core principle of VTP is that interconnected switches are configured to belong to the same VTP domain (sometimes referred to as a VLAN management domain). The VTP domain is a logical group of switches that will share VLAN information.
Each switch can only belong to a single VTP domain. The switches in a VTP domain must be adjacent, and the links connecting the switches must be configured for trunk mode.
When a switch is configured as a VTP server, you must define a VTP domain before you can create VLANs.
Configuring the Domain
Use the vtp global configuration mode command. In the following example I set the switch to a VTP server, the VTP domain to Cisco2 and the VTP password to cantona.
1900(config)#vtp ?
client    VTP client
domain    Set VTP domain name
password  Set VTP password
pruning   VTP pruning
server    VTP server
1900(config)#vtp server
1900(config)#vtp domain Cisco2
1900(config)#vtp password cantona
Show vtp status
After we configure the VTP information we can verify it with the show vtp status command.
VTP can be configured in global or VLAN configuration mode.
VLAN configuration mode is accessed by entering the vlan database privileged EXEC command.
Configuration on the 2950 switch
Switch(config)#vtp mode ?
client       Set the device to client mode
server       Set the device to server mode
transparent  Set the device to transparent mode
Switch(config)#vtp mode server
Device mode already VTP SERVER
Switch(config)#vtp domain London
Changing the VTP domain name from NULL to London
Switch(config)#
Verifying
SwitchA#show vtp status
VTP Version                     : 2
Configuration Revision          : 1
Maximum VLANs supported locally : 64
Number of existing VLANs        : 7
VTP Domain Name                 : London
VTP Pruning Mode                : Disabled
Another Example
Setting the S1 switch to VTP server, the VTP domain to Lammle and the VTP password to Todd.
Note that all switches are set to VTP server mode by default; also, the show vtp status output shows that the maximum number of VLANs supported locally is only 255.
Let's add the Core and S2 switches to the Lammle VTP domain. Remember that the VTP domain name is case sensitive.
VTP Pruning
Consider two switches that are trunking to each other, each with ports in ten VLANs. Of all those VLANs, the switches have only two in common.
The switches both have ports in VLANs 10 and 11, but have no other common VLANs. By default, broadcast and multicast traffic destined for any VLAN will cross the trunk, resulting in a lot of unnecessary traffic crossing the link.
This default behaviour can be stopped by enabling VTP pruning. With VTP pruning enabled on these switches, a VLAN’s broadcasts will be sent across the trunk only when there are ports belonging to that particular VLAN on the opposite switch. Broadcasts for VLANs 10 and 11 will go across the trunk, but not for the other VLANs.
You would think that VTP pruning is on by default, but it's not.
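To make the pruning rule concrete, here is an added Python model (not Cisco code and not from the original notes) that computes, for each direction of a trunk, which VLANs a switch can stop flooding onto it. It assumes a loop-free topology and uses a constructed six-switch layout loosely following the figure described earlier, with the Red VLAN numbered 20 and a second VLAN numbered 30.

```python
# Added model of VTP pruning on a tree of trunked switches (illustration, not Cisco code).
from typing import Dict, FrozenSet, Set, Tuple

Link = Tuple[str, str]          # one trunk, named by the two switches it joins


def switches_beyond(link: Link, trunks: Set[Link], start: str) -> Set[str]:
    """Switches reachable from `start` without crossing `link` (loop-free topology)."""
    seen, stack = {start}, [start]
    while stack:
        node = stack.pop()
        for a, b in trunks:
            if {a, b} == set(link) or node not in (a, b):
                continue                           # skip the link under test
            nxt = b if node == a else a
            if nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    return seen


def pruned_vlans(link: Link, trunks: Set[Link], members: Dict[str, Set[int]],
                 ineligible: FrozenSet[int] = frozenset({1})) -> Dict[str, Set[int]]:
    """VLANs each end of `link` may stop flooding onto it.

    A VLAN is pruned in one direction when no switch on the far side of the
    trunk has a port in it. VLAN 1 and pruning-ineligible VLANs are never pruned."""
    active = set().union(*members.values())        # VLANs in use in the domain
    result: Dict[str, Set[int]] = {}
    for near, far in (link, link[::-1]):
        needed = set().union(*(members[s] for s in switches_beyond(link, trunks, far)))
        result[near] = {v for v in active if v not in needed and v not in ineligible}
    return result


def pruning_demo() -> Dict[str, Set[int]]:
    """Constructed topology loosely following the figure: Red = VLAN 20, Blue = VLAN 30."""
    trunks = {("S1", "S2"), ("S2", "S3"), ("S2", "S4"), ("S4", "S5"), ("S5", "S6")}
    members = {"S1": {1, 20}, "S2": {1}, "S3": {1, 30},
               "S4": {1, 20}, "S5": {1, 30}, "S6": {1, 30}}
    return {"S2->S3": pruned_vlans(("S2", "S3"), trunks, members)["S2"],
            "S4->S5": pruned_vlans(("S4", "S5"), trunks, members)["S4"],
            "S2->S4": pruned_vlans(("S2", "S4"), trunks, members)["S2"]}
```

Red (VLAN 20) floods are pruned on the links towards S3 and towards S5/S6, but not on S2->S4, because S4 still has Red ports.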
vtp pruning
To turn it on, run vtp pruning and verify with show vtp status.
SW1(config)#vtp pruning
Pruning switched on
SW1#show vtp status
VTP Version                     : 2
Configuration Revision          : 3
Maximum VLANs supported locally : 64
Number of existing VLANs        : 7
VTP Operating Mode              : Server
VTP Domain Name                 : CCNA
VTP Pruning Mode                : Enabled
When VTP pruning is enabled on a server, it is enabled for the entire domain.
show interface trunk
You can check the result on each trunk by using the show interface trunk command.
Enabling Pruning
S1#config t
S1(config)#int f0/1
S1(config-if)#switchport trunk pruning vlan 3-4
Troubleshooting VTP
Switches A and B aren't sharing VLAN information. Both are in VTP server mode, but that's not the problem: all switches can be servers and still share VLAN information. The problem is that they are in two different VTP domains, so they will never share the same VTP information.
Another Problem
We are trying to create a new VLAN on Switch C and we are receiving an error!
The reason is that the switch is in VTP client mode. VTP clients cannot create, delete or change VLANs; they only keep the VTP database in RAM, which isn't saved to NVRAM.
Another problem
Here Switch B isn't receiving VLAN information from Switch A.
Switch B isn't receiving VLAN information from Switch A because Switch B has a higher configuration revision number, so it treats Switch A's advertisements as out of date.
To resolve this, change the domain name on Switch B to something else and then back to Globalnet; this resets the revision number to zero.
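An added Python model (not Cisco code and not part of the original notes) of the revision-number rule from the Configuration Revision Numbers section and of the domain-name reset described just above. The VLAN numbers and the revision values are constructed, an advertisement with an equal revision is treated as not newer, and the scenario shows why a switch carrying a stale database with a higher revision must have its revision reset before it can take the domain's current VLAN list.

```python
# Added model of the VTP revision-number rule (illustration, not Cisco code).
from dataclasses import dataclass, field

@dataclass
class VtpSwitch:
    domain: str
    mode: str = "server"           # server | client | transparent
    revision: int = 0
    vlans: set = field(default_factory=lambda: {1})

    def add_vlan(self, vlan_id: int) -> bool:
        """Local edit: only a server may change VLANs; each edit bumps the revision."""
        if self.mode != "server":
            return False           # clients keep the database in RAM only
        self.vlans.add(vlan_id)
        self.revision += 1
        return True

    def set_domain(self, new_domain: str) -> None:
        """Changing the VTP domain name resets the configuration revision to 0."""
        if new_domain != self.domain:
            self.domain, self.revision = new_domain, 0

    def advertise(self) -> dict:
        """Summary advertisement: domain, revision and the VLAN database."""
        return {"domain": self.domain, "revision": self.revision,
                "vlans": set(self.vlans)}

    def receive(self, ad: dict) -> str:
        """Acceptance rule: only a higher revision from the same domain is applied."""
        if ad["domain"] != self.domain:
            return "ignored: different domain"
        if self.mode == "transparent":
            return "forwarded only"   # transparent switches relay, never apply
        if ad["revision"] <= self.revision:
            return "ignored: not newer"
        self.vlans, self.revision = set(ad["vlans"]), ad["revision"]
        return "accepted"

def revision_demo() -> dict:
    """Constructed scenario: Switch B holds a stale database with a higher revision."""
    a = VtpSwitch("Globalnet", revision=5, vlans={1, 10, 20, 30})
    b = VtpSwitch("Globalnet", revision=12, vlans={1, 99})
    before = b.receive(a.advertise())         # B ignores A: revision 5 < 12
    a2 = VtpSwitch("Globalnet", revision=5, vlans=set(a.vlans))
    a2.receive(b.advertise())                 # A would adopt B's stale database
    b.set_domain("temp"); b.set_domain("Globalnet")   # the fix above: revision -> 0
    after = b.receive(a.advertise())
    return {"before": before, "a_after_stale_ad": sorted(a2.vlans),
            "after_reset": after, "b_vlans": sorted(b.vlans), "b_rev": b.revision}
```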
Question
How many VTP domains can a switch be configured in?
A. 1
B. 64
C. 255
D. Unlimited
Answer A
A switch can be in only a single VTP domain.
Question
Which of the following statements is true when VTP is configured on a switched network that incorporates VLANs?
A. VTP is only compatible with the 802.1Q standard.
B. VTP adds to the complexity of managing a switched network.
C. All VTP hello packets are routed through VLAN 1 interfaces.
D. Changes made to the network can be communicated to all switches dynamically.
Answer D
Question
You are an administrator and a junior tells you he was unable to add VLAN 50 to a Catalyst switch in the network.
You enter the show vtp status command.
What commands must be issued on this switch to add VLAN 50 to the database? (Choose two.)
A. (config-if)#switchport access vlan 50
B. (vlan)#vtp server
C. (config)#config-revision 20
D. (config)#vlan 50 name Tech
E. (vlan)#vlan 50
F. (vlan)#switchport trunk vlan 50
Answer B, E
Explanation
VTP operates in server, client and transparent modes. VTP servers can create, modify and delete VLANs for the VTP domain; these changes are propagated to the VTP clients and servers in the domain (answer B puts the switch into server mode). E creates VLAN 50.
Question
The switch that generated this output has 24 ports. Why are some ports missing from VLAN?
A. The missing ports are in VLAN 86
B. The missing ports are administratively disabled
C. The missing ports are not participating in spanning tree
D. The missing ports are configured as trunk ports
E. The missing ports have a status problem such as a speed or duplex mismatch
Answer D
The show vlan command displays the VLAN information and ports in all VLANs. This command displays only the ports in access mode. The missing ports must be configured as trunks.
Hands on Lab http://www.chinaitlab.com/labto/6500/10.htm
Step 1 Name the VTP domain KNet.
Catalyst> (enable) set vtp domain KNet
VTP domain KNet modified
Step 2 Set the password for the VTP domain using todd
Catalyst> (enable) set vtp password todd
Generating MD5 secret for the password…
VTP domain KNet modified
Step 3 Set the switch to server mode
Catalyst> (enable) set vtp mode server
VTP domain KNet modified
Step 4 Create and name VLAN 10 as Accounting then place module 3 port 1 in VLAN 10
Catalyst> (enable) set vlan 10 name Accounting
Vlan 10 configuration successful
Catalyst> (enable) set vlan 10 3/1
VLAN 10 modified
VLAN 1 modified
VLAN  Mod/Ports
----  ---------------
10    3/1
      15/1
Step 5 Create and name VLAN 20 as Marketing then place module 3 port 2 in VLAN 20
Catalyst> (enable) set vlan 20 name Marketing
Vlan 20 configuration successful
Catalyst> (enable) set vlan 20 3/2
VLAN 20 modified
VLAN 1 modified
VLAN  Mod/Ports
----  ---------------
20    3/2
      15/1
Step 6 Enter the privileged mode then enter the global configuration mode.
RouterA>enable
RouterA#
RouterA#configure terminal
Enter configuration commands, one per line. End with CNTRL/Z.
RouterA(config)#
Step 7 Enter the interface configuration mode for VLAN 10, then configure this interface with an IP address of 10.0.10.1 255.255.255.0 and activate the interface.
RouterA#configure terminal
Enter configuration commands, one per line. End with CNTRL/Z.
RouterA(config)#interface vlan 10
RouterA(config-if)#ip address 10.0.10.1 255.255.255.0
RouterA(config-if)#no shutdown
Step 8 Enter the interface configuration mode for VLAN 20, then configure this interface with an IP address of 10.0.20.1 255.255.255.0 and activate the interface.
RouterA#configure terminal
Enter configuration commands, one per line. End with CNTRL/Z.
RouterA(config)#interface vlan 20
RouterA(config-if)#ip address 10.0.20.1 255.255.255.0
RouterA(config-if)#no shutdown
Step 9 Enter the global configuration mode then enable RIP routing
RouterA#configure terminal
Enter configuration commands, one per line. End with CNTRL/Z.
RouterA(config)#router rip
RouterA(config-router)#
Step 10 Assign network 10.0.0.0 to the RIP process, then exit router configuration mode.
RouterA#configure terminal
Enter configuration commands, one per line. End with CNTRL/Z.
RouterA(config)#router rip
RouterA(config-router)#network 10.0.0.0
RouterA(config-router)#end
Step 11 View the other RIP routes within this network
show ip route
Gateway of last resort is 11.1.1.15 to network 0.0.0.0
C    127.0.0.0/8 is directly connected
C    10.0.10.0/24 is directly connected, VLAN10
C    10.0.20.0/24 is directly connected, VLAN20
Telephony, Voice VLANs
The Cisco IP phone inserts an 802.1p priority field in the 802.1Q tag. You can configure the switch to either trust or override the traffic priority assigned by an IP phone.
A Cisco IP phone has three ports: one connects to the Cisco switch, one to a PC and one is internal to the phone.
We configure access ports on a switch connected to an IP phone to use one VLAN for voice traffic and another VLAN for data traffic from the PC attached to the phone.
Access ports on the switch send Cisco Discovery Protocol (CDP) packets that tell the IP phone to send voice traffic in one of three ways:
To the voice VLAN, tagged with a layer 2 CoS priority value
To the access VLAN, tagged with a layer 2 CoS priority value
To the access VLAN, untagged (no CoS priority value)
Access ports also send CDP packets that tell the IP phone to configure the phone's own access port (the PC port) to be in trusted or untrusted mode:
Trusted mode: all traffic received on the IP phone access port passes through unchanged.
Untrusted mode: all traffic in 802.1Q or 802.1p frames received on the IP phone access port receives a layer 2 CoS value (the default is 0).
The Voice VLAN
The voice VLAN is disabled by default. To enable it, use the interface command switchport voice vlan followed by the voice VLAN ID. To return the port to its default setting, use the no switchport voice vlan command.
mls qos trust cos classifies incoming traffic by using the CoS value; untagged packets use the port's default CoS value.
Notice how we added two VLANs to the same access port; this is only possible when one is the data VLAN and the other the voice VLAN.
Using the CNA (Cisco Network Assistant) to Configure VLANs and Inter-VLAN Routing
Connect to the 2960 switch S1, which already has 3 VLANs; we are going to add a voice VLAN. Click Configure > Switching > VLANs.
This screen shows the status of our ports. Ports 1 and 2 are trunked dynamically: since they are set to dynamic auto by default, they automatically become trunk links with the Core switch. Port 3 is a member of VLAN 3, the VLAN access port.
Highlight port 1 > Click Modify. This enables you to configure the port with different administrative modes and encapsulations, set the VLANs allowed on the trunk port and set VTP pruning.
The Configure VLANs tab on the VLANs screen
From here we can see the configured VLANs and are able to modify, add and delete them (remember this is only done on a VTP server). Click Create.
The Create VLAN box appears.
We clicked Create and added a new VLAN named Todd. OK.
To create a voice VLAN, click Voice VLAN under Configure.
We highlighted port 4, where my phone is connected, clicked Modify, created a new voice VLAN (Voice VLAN 10) and clicked OK.
Now to configure inter-VLAN routing using the 3560 switch.
Connect to the Core 3560 switch. Under Configure click Routing > Enable/Disable, then select Enable IP Routing; it will automatically add the configured default gateway. OK.
Now click Inter-VLAN Routing Wizard and Next.
Click Next again.
Choose the VLANs you want to provide inter-VLAN communication between, add new subnets and subnet masks for each separate VLAN and click Next.
Ensure the default route of the switch is correct; here it is the default gateway. Next.
Sit back and watch the router auto-configure itself!
There’s a separate logical interface for each VLAN. Finish with Next and the configuration is uploaded to the running-config.
#show running-config
All our hosts/phones should now be able to communicate freely between VLANs.
Using Smartport with the 2960
Configuring the phone the easy way using the CNA: connect to the 2960 and click Smartports > highlight the port the phone is plugged into (here it's port 4) > right-click and choose IP Phone+Desktop > choose the access VLAN (VLAN 3) which the PC is using and the Voice VLAN 10 > OK.
Now we can connect both a PC and a phone to the same port and they will run in separate VLANs (3 and 10).