
Chapter 2: Implementing VLANs in Campus Networks

CCNP SWITCH: Implementing IP Switching

SWITCH v6 Chapter 2 © 2007-2010, Cisco Systems, Inc. All rights reserved. Cisco Public


Chapter 2 Objectives
- Design and plan VLANs, trunks, and addressing to meet business requirements, technical requirements, and constraints.
- Configure VLANs and VLAN trunks in the campus network to support business and technical requirements.
- Configure VTP in the campus network to support business and technical requirements.
- Describe private VLANs and configure private VLANs in the campus network to support business and technical requirements.
- Configure and verify an EtherChannel in a Layer 2 topology that contains bridging loops.


Virtual Local Area Network (VLAN)
- A VLAN is a logical group of end devices.
- Broadcasts are contained within VLANs.
- Modern design has 1 VLAN = 1 IP subnet.
- Trunks connect switches so as to transport multiple VLANs.
- Layer 3 devices interconnect VLANs.


End-to-End VLANs
- Each VLAN is distributed geographically throughout the network.
- Users are grouped into each VLAN regardless of their physical location.
- As a user moves throughout a campus, the VLAN membership for that user remains the same, theoretically easing network management.
- Switches are configured for VTP server or client mode.

Local VLANs
- Create local VLANs with physical boundaries in mind rather than the job functions of the users.
- Traffic from a local VLAN is routed at the distribution and core levels.
- Switches are configured in VTP transparent mode.
- Local VLANs exist between the access and distribution layers.
- One to three VLANs per access layer switch are recommended.
- Spanning tree is used only to prevent inadvertent loops in the wiring closet.

VLANs in Enterprise Campus Design
- VLANs used at the access layer should extend no further than their associated distribution switch.
- Traffic is routed from the local VLAN as it is passed from the distribution layer into the core.
- Blocks can contain one to three VLANs each.
- STP is limited to access and distribution switches.
- DHCP is used to assign IP addresses to users.

Best Practices for VLAN Design
- One to three VLANs per access module; limit those VLANs to a couple of access switches and the distribution switches.
- Avoid using VLAN 1 as the "blackhole" for all unused ports. Use a dedicated VLAN, separate from VLAN 1, to assign all the unused ports.
- Separate the voice VLANs, data VLANs, the management VLAN, the native VLAN, blackhole VLANs, and the default VLAN (VLAN 1).
- Prevent all data traffic from VLAN 1; only permit control protocols to run on VLAN 1 (DTP, VTP, STP BPDUs, PAgP, LACP, CDP, etc.).
- Avoid using Telnet because of security risks; enable SSH support on management VLANs.
- Avoid VTP when using local VLANs.
- For trunk ports, turn off Dynamic Trunking Protocol (DTP) and configure trunking manually. Use IEEE 802.1Q rather than ISL because it has better support for QoS and is a standard protocol. Use manually allowed VLANs on trunks.
- Manually configure as access ports all ports that are not specifically intended for a trunk link.

VLAN Support on Catalyst Switches

Catalyst Switch          | Max VLANs | VLAN ID Range
2940                     | 4         | 1-1005
2950/2955                | 250       | 1-4094
2960                     | 255       | 1-4094
2970/3550/3560/3750      | 1055      | 1-4094
2848G/2980G/4000/4500    | 4094      | 1-4094
6500                     | 4094      | 1-4094

VLAN Ranges on Catalyst Switches

VLAN Range  | Range    | Usage                                                                                                  | Propagated via VTP?
0, 4095     | Reserved | For system use only. You cannot see or use these.                                                      | n/a
1           | Normal   | Cisco default. You can use this VLAN, but you cannot delete it.                                        | Yes
2-1001      | Normal   | For Ethernet VLANs. You can create, use, and delete these.                                             | Yes
1002-1005   | Normal   | Cisco defaults for FDDI and Token Ring. You cannot delete these.                                       | Yes
1006-1024   | Reserved | For system use only. You cannot see or use these.                                                      | n/a
1025-4094   | Extended | For Ethernet VLANs only. Not supported in VTP v1 or v2; requires VTP transparent mode for configuration. | VTP v3 only

Clearing Switches

Switch# delete vlan.dat
Delete filename [vlan.dat]?
Delete flash:vlan.dat? [confirm]
Switch#
Switch# erase startup-config
Erasing the nvram filesystem will remove all configuration files! Continue? [confirm]
[OK]
Erase of nvram: complete
Switch#

Configure Hostname and VLAN 1
- Configure the hostname.
- Configure VLAN 1. Default: the management VLAN is VLAN 1.
- Configure the DLS1, DLS2, ALS1 and ALS2 switches on Packet Tracer (hostname and VLAN 1).

Switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)# hostname DLS1
DLS1(config)# interface vlan 1
DLS1(config-if)# ip address 10.1.1.101 255.255.255.0
DLS1(config-if)# no shutdown
DLS1(config-if)# end
DLS1#

Configuration: Create a VLAN
- To create a new VLAN in global configuration mode:
  Switch(config)# vlan vlan-id
- vlan-id is 2-1001 or 1025-4094.

Configuration: Name a VLAN
- To name a VLAN in VLAN configuration mode:
  Switch(config-vlan)# name vlan-name
- vlan-name is a descriptor for the VLAN. Naming a VLAN is optional.

Example: Creating and Naming a VLAN
- Enter global configuration mode: Switch# configure terminal
- Create a new VLAN with a particular ID number: Switch(config)# vlan vlan-id
- (Optional.) Name the VLAN: Switch(config-vlan)# name vlan-name

Switch# configure terminal
Switch(config)# vlan 5
Switch(config-vlan)# name Engineering
Switch(config-vlan)# exit

Configuration: Disable Trunk Negotiation on a Port
- To disable trunk negotiation on a switch port:
  Switch(config-if)# switchport mode access
- An access port does not need to negotiate trunk formation. This command also stops the port from sending or answering DTP frames, so a device attached to it cannot negotiate a trunk.
- This command is optional but is recommended for security purposes.

Configuration: Macro for Access Port
- To configure an optional macro for switch access ports:
  Switch(config-if)# switchport host
- This command optimizes a Layer 2 port for a host connection.
- This macro sets the port mode to access, enables spanning-tree portfast, and disables EtherChannel.

Configuration: Assign Port to VLAN
- To assign a port to a VLAN in interface configuration mode:
  Switch(config-if)# switchport access vlan vlan-id
- vlan-id is a previously created VLAN.

Example: Assigning a Port to a VLAN
- Enter interface configuration mode: Switch(config)# interface interface-id
- Configure a description for the device(s) connected to the port: Switch(config-if)# description string
- Configure the access port macro: Switch(config-if)# switchport host
- Assign the port to a VLAN: Switch(config-if)# switchport access vlan vlan-id
- Enable the interface: Switch(config-if)# no shutdown
- Return to privileged EXEC mode: Switch(config-if)# end

Switch(config)# interface FastEthernet 5/6
Switch(config-if)# description PC A
Switch(config-if)# switchport host
switchport mode will be set to access
spanning-tree portfast will be enabled
channel group will be disabled
Switch(config-if)# switchport access vlan 200
Switch(config-if)# no shutdown
Switch(config-if)# end

Verification: VLAN Configuration
- The show vlan command and its derivatives are the most useful commands for displaying information related to VLANs. The following two forms have the same output.

Switch# show vlan id 3

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
3    VLAN0003                         active    Fa0/1

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
3    enet  100003     1500  -      -      -        -    -        0      0

Switch# show vlan name VLAN0003

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
3    VLAN0003                         active    Fa0/1

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
3    enet  100003     1500  -      -      -        -    -        0      0

Verification: Interface Configuration
- The show running-config command has an interface keyword option to allow for interface-specific output.

Switch# show running-config interface FastEthernet 5/6
Building configuration...
Current configuration :33 bytes
!
interface FastEthernet 5/6
 switchport access vlan 200
 switchport mode access
 switchport host
end

Verification: Switch Port Configuration
- One of the most useful commands for showing VLAN configuration information specific to a switch port is the show interfaces interface_id switchport command.

Switch# show interfaces f0/18 switchport
Name: Fa0/18
Switchport: Enabled
Administrative Mode: static access
Operational Mode: down
Administrative Trunking Encapsulation: dot1q
Negotiation of Trunking: Off
Access Mode VLAN: 20 (VLAN0020)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: 150 (VLAN0150)
<output omitted>
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL

Verification: MAC Address Information
- You can view MAC address information specific to an interface and an associated VLAN.

Switch# show mac-address-table interface GigabitEthernet 0/1 vlan 1
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    0008.2199.2bc1    DYNAMIC     Gi0/1
Total Mac Addresses for this criterion: 1

Implementing Trunking in a Campus Network

VLAN Trunking
- Trunks carry the traffic for multiple VLANs across a single physical link (multiplexing).
- Trunking is used to extend Layer 2 operations across an entire network.
- The host on the left in VLAN 2 can communicate with the host on the right in VLAN 2 via the trunk link; the hosts in VLAN 1 can communicate simultaneously over the same trunk link.

VLAN Trunking with Inter-Switch Link (ISL)
- ISL is a Cisco-proprietary trunking protocol.
- ISL encapsulates Ethernet frames, adding 30 bytes of overhead.
- ISL is supported on non-access-layer Cisco switches.
- ISL is nearly obsolete.

VLAN Trunking with IEEE 802.1Q
- IEEE 802.1Q is a widely supported industry-standard protocol.
- 802.1Q has smaller frame overhead than ISL: the 802.1Q overhead is 4 bytes.
- 802.1Q has the 802.1p field for QoS support.

Native VLAN with IEEE 802.1Q
- The 802.1Q standard specifies how the switch should handle untagged frames sent or received on an 802.1Q trunk port.
- An 802.1Q trunk port is assigned a default PVID, which is associated with all untagged traffic on the port. All traffic with a null VLAN ID is assumed to belong to the port default PVID. A packet with a VLAN ID equal to the outgoing port default PVID is sent untagged. All other traffic is sent with a VLAN tag.
- Proactively configuring both ends of an 802.1Q trunk link with a native VLAN distinct from all other VLANs is recommended.
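The PVID rules above, worked through in code. This is an added example and not part of the Cisco course material: a small Python model (the names TrunkPort, build_frame, parse_frame and forward are assumed for the example) that builds and parses 802.1Q frames, applies the trunk-port tagging rules, and then shows what happens when the two ends of a trunk disagree on the native VLAN. A frame the sender places in its native VLAN leaves untagged and is classified into the receiver's native VLAN, which is the cross-VLAN leak that the "native VLAN distinct from all other VLANs" recommendation avoids.

```python
import struct

TPID_8021Q = 0x8100      # 802.1Q tag protocol identifier
ETHERTYPE_IPV4 = 0x0800


def build_frame(dst, src, ethertype, payload, vlan_id=None, priority=0):
    """Build an Ethernet frame; insert the 4-byte 802.1Q tag when vlan_id is given."""
    header = dst + src
    if vlan_id is not None:
        tci = (priority << 13) | (vlan_id & 0x0FFF)   # 802.1p PCP in the top 3 bits, VID in the low 12
        header += struct.pack("!HHH", TPID_8021Q, tci, ethertype)
    else:
        header += struct.pack("!H", ethertype)
    return header + payload


def parse_frame(frame):
    """Return (dst, src, vlan_id or None, priority or None, ethertype, payload)."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != TPID_8021Q:
        return dst, src, None, None, ethertype, frame[14:]
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, inner_type = struct.unpack("!HH", frame[14:18])
    return dst, src, tci & 0x0FFF, tci >> 13, inner_type, frame[18:]


class TrunkPort:
    """An 802.1Q trunk port with a native VLAN (PVID) and an allowed-VLAN list."""

    def __init__(self, name, native_vlan=1, allowed=None):
        self.name = name
        self.native_vlan = native_vlan
        self.allowed = set(allowed) if allowed is not None else None   # None means ALL

    def is_allowed(self, vlan_id):
        return self.allowed is None or vlan_id in self.allowed

    def egress(self, vlan_id, dst, src, ethertype, payload):
        """Send a frame that belongs to vlan_id: untagged if it is the PVID, tagged otherwise."""
        if not self.is_allowed(vlan_id):
            return None                                   # pruned from this trunk
        tag = None if vlan_id == self.native_vlan else vlan_id
        return build_frame(dst, src, ethertype, payload, vlan_id=tag)

    def ingress(self, frame):
        """Classify a received frame: untagged frames (or a null VID) land in the PVID."""
        _, _, vid, _, _, _ = parse_frame(frame)
        vlan_id = self.native_vlan if vid in (None, 0) else vid
        return vlan_id if self.is_allowed(vlan_id) else None


def forward(sender, receiver, vlan_id, dst=b"\xff" * 6, src=b"\x00\x11\x22\x33\x44\x55",
            ethertype=ETHERTYPE_IPV4, payload=b"\x00" * 46):
    """VLAN the receiving switch assigns to a frame the sender puts on the trunk in vlan_id."""
    wire = sender.egress(vlan_id, dst, src, ethertype, payload)
    return None if wire is None else receiver.ingress(wire)


def native_vlan_mismatch_demo():
    """Ends agree: VLAN IDs survive the trunk. Ends disagree: the sender's native VLAN leaks
    into the receiver's native VLAN. Constructed topology, not from the course figures."""
    a, b = TrunkPort("SwA Gi0/1", native_vlan=999), TrunkPort("SwB Gi0/1", native_vlan=999)
    same = (forward(a, b, 20), forward(a, b, 999))
    c, d = TrunkPort("SwC Gi0/1", native_vlan=10), TrunkPort("SwD Gi0/1", native_vlan=1)
    leaked = forward(c, d, 10)        # sent untagged by C, classified into VLAN 1 by D
    return same, leaked


if __name__ == "__main__":
    print(native_vlan_mismatch_demo())    # ((20, 999), 1)
```

The ingress rule treats a tag with VID 0 (a priority-only tag) the same as an untagged frame, which is what 802.1Q prescribes; the tagged-frame path does not special-case a tag equal to the PVID, matching the default IOS behaviour of accepting such frames on the native VLAN.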

Dynamic Trunking Protocol (DTP)
- Access: Puts the interface into permanent non-trunking mode and negotiates to convert the link into a non-trunk link. The interface becomes a non-trunk interface even if the neighboring interface does not agree to the change.
- Trunk: Puts the interface into permanent trunking mode and negotiates to convert the link into a trunk link. The interface becomes a trunk interface even if the neighboring interface does not agree to the change.
- Nonegotiate: Puts the interface into permanent trunking mode but prevents the interface from generating DTP frames. You must configure the neighboring interface manually as a trunk interface to establish a trunk link. Use this mode when connecting to a device that does not support DTP.
- Dynamic desirable: Makes the interface actively attempt to convert the link to a trunk link. The interface becomes a trunk interface if the neighboring interface is set to trunk, desirable, or auto mode.
- Dynamic auto: Makes the interface willing to convert the link to a trunk link. The interface becomes a trunk interface if the neighboring interface is set to trunk or desirable mode. This is the default mode for all Ethernet interfaces in Cisco IOS.

Design with VLAN Trunks
- Trunks interconnect access layer switches.
- Trunks connect access layer switches to distribution layer switches.
- Layer 3 links interconnect core and distribution layer switches.
- Access layer switches are configured in a spanning-tree, loop-free, V-shaped topology.
- If one distribution link fails, HSRP or VRRP provide an alternative default gateway.
- Recommended: turn off DTP and manually prune VLANs on trunks.

Configuring an Interface for Trunking
- Select the encapsulation type:
  Switch(config-if)# switchport trunk encapsulation {isl | dot1q | negotiate}
- Configure the interface as a Layer 2 trunk:
  Switch(config-if)# switchport mode {dynamic {auto | desirable} | trunk}
- Specify the native VLAN:
  Switch(config-if)# switchport trunk native vlan vlan-id
- Configure the allowable VLANs for this trunk:
  Switch(config-if)# switchport trunk allowed vlan {add | except | all | remove} vlan-id[,vlan-id[,vlan-id[...]]]

Switch(config)# interface FastEthernet 5/8
Switch(config-if)# switchport trunk encapsulation dot1q
Switch(config-if)# switchport mode trunk
Switch(config-if)# switchport nonegotiate
Switch(config-if)# switchport trunk allowed vlan 1-100        (optional)
Switch(config-if)# no shutdown
Switch(config-if)# end
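A check for the trunking best practices from this and the earlier best-practices slide (DTP left on, all VLANs allowed, native VLAN 1, hosts or unused ports left in VLAN 1, ISL encapsulation), written as an added example rather than anything from the course: a Python auditor over an IOS running-config excerpt. The sample config is constructed for the example, the finding names are my own, and the assumed default of dynamic auto when no switchport mode line is present follows the DTP slide. dtp_outcome() also evaluates the DTP mode pairs described on that slide.

```python
import re

# Administrative mode assumed when an interface has no "switchport mode" line:
# dynamic auto, the default the DTP slide describes (assumption for this audit).
DEFAULT_MODE = "dynamic auto"


def parse_interfaces(running_config):
    """Split an IOS running-config into {interface_name: [indented config lines]}."""
    interfaces, current = {}, None
    for raw in running_config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None          # "!" or a global command ends the stanza
    return interfaces


def audit_interface(lines):
    """Return the sorted list of trunking best-practice findings for one interface stanza."""
    mode, encap, native, allowed = DEFAULT_MODE, "negotiate", 1, None
    access_vlan, nonegotiate = 1, False
    for line in lines:
        if (m := re.fullmatch(r"switchport mode (dynamic (?:auto|desirable)|trunk|access)", line)):
            mode = m.group(1)
        elif (m := re.fullmatch(r"switchport trunk encapsulation (\w+)", line)):
            encap = m.group(1)
        elif (m := re.fullmatch(r"switchport trunk native vlan (\d+)", line)):
            native = int(m.group(1))
        elif (m := re.fullmatch(r"switchport trunk allowed vlan (.+)", line)):
            allowed = m.group(1)
        elif (m := re.fullmatch(r"switchport access vlan (\d+)", line)):
            access_vlan = int(m.group(1))
        elif line == "switchport nonegotiate":
            nonegotiate = True

    findings = []
    if mode.startswith("dynamic"):
        findings.append("dtp-negotiation")          # port trunks if the peer asks (or is desirable)
    if mode == "trunk" and not nonegotiate:
        findings.append("trunk-dtp-on")             # static trunk that still sends DTP frames
    if mode != "access":                            # settings that apply once the port trunks
        if allowed is None or allowed == "all":
            findings.append("trunk-allowed-all")    # no manual pruning of VLANs on the trunk
        if native == 1:
            findings.append("trunk-native-vlan-1")  # native VLAN shared with the default VLAN
        if encap == "isl":
            findings.append("isl-encapsulation")
    if mode != "trunk" and access_vlan == 1:
        findings.append("access-vlan-1")            # host or unused port left in VLAN 1
    return sorted(findings)


def audit(running_config):
    return {name: audit_interface(lines) for name, lines in parse_interfaces(running_config).items()}


def dtp_outcome(mode_a, mode_b):
    """Whether a link whose two ends use these DTP modes ends up trunking, per the DTP slide."""
    modes = {mode_a, mode_b}
    if "access" in modes:
        return "access"
    if "nonegotiate" in modes:                      # no DTP frames: the peer must be a static trunk too
        return "trunk" if modes <= {"trunk", "nonegotiate"} else "mismatch"
    if "trunk" in modes or "dynamic desirable" in modes:
        return "trunk"
    return "access"                                 # dynamic auto on both sides never trunks


# Constructed sample running-config for the audit (not taken from any real device).
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 description PC A
 switchport access vlan 200
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/2
 description unused, left at defaults
 shutdown
!
interface FastEthernet0/24
 switchport trunk encapsulation dot1q
 switchport mode dynamic desirable
!
interface GigabitEthernet0/1
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,30
 switchport mode trunk
 switchport nonegotiate
!
"""

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_CONFIG).items():
        print(f"{name}: {', '.join(findings) or 'ok'}")
```

Run against the sample, only GigabitEthernet0/1 (static trunk, nonegotiate, pruned VLAN list, native VLAN 999) and FastEthernet0/1 (access port in VLAN 200) come back clean; the dynamic desirable uplink and the untouched port both collect DTP and VLAN 1 findings. The "mismatch" result from dtp_outcome() is the one-sided trunk that the troubleshooting slide later warns about.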

Verifying Trunk Configuration

Switch# show running-config interface f5/8
Building configuration...
Current configuration:
!
interface FastEthernet5/8
 switchport mode dynamic desirable
 switchport trunk encapsulation dot1q
end

Switch# show interfaces f5/8 switchport
Name: Fa5/8
Switchport: Enabled
Administrative Mode: dynamic desirable
Operational Mode: trunk
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: Enabled
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001

Switch# show interfaces f5/8 trunk
Port      Mode         Encapsulation  Status        Native vlan
Fa5/8     desirable    n-802.1q       trunking      1

Port      Vlans allowed on trunk
Fa5/8     1-1005

Troubleshooting Trunk Links
- Ensure that the Layer 2 interface mode configured on both ends of the link is valid. The trunk mode should be trunk or desirable for at least one side of the trunk.
- Ensure that the trunk encapsulation type configured on both ends of the link is valid and compatible.
- On IEEE 802.1Q trunks, make sure the native VLAN is the same on both ends of the trunk.
- When using DTP, ensure that both ends of the link are in the same VTP domain.

VLAN Trunking Protocol

VLAN Trunking Protocol (VTP)
- VTP is a Cisco-proprietary protocol that automates the propagation of VLAN information between switches via trunk links. This minimizes misconfigurations and configuration inconsistencies.
- VTP domains define sets of interconnected switches sharing the same VTP configuration.
- Three types of VTP messages are sent via Layer 2 multicast on VLAN 1.
- VTP does not configure switch ports for VLAN membership.

VTP Modes

Server
- Can create, modify, and delete VLANs.
- Sends and forwards advertisements to other switches.
- Synchronizes VLAN configuration with the latest information received from other switches in the management domain.
- Saves VLAN configuration in NVRAM.

Client
- Cannot create, change, or delete VLANs on the command-line interface (CLI).
- Forwards advertisements to other switches.
- Synchronizes VLAN configuration with the latest information received from other switches in the management domain.
- Does not save VLAN configuration in nonvolatile RAM (NVRAM).

Transparent
- Can create, modify, and delete VLANs only on the local switch.
- Forwards VTP advertisements received from other switches in the same management domain.
- Does not synchronize its VLAN configuration with information received from other switches in the management domain.
- Saves VLAN configuration in NVRAM.

VTP Operation

VTP Pruning
- VTP pruning prevents flooded traffic from propagating to switches that do not have members in specific VLANs.
- VTP pruning uses VLAN advertisements to determine when a trunk connection is flooding traffic needlessly.
- Switches 1 and 4 in the figure support ports statically configured in the Red VLAN. The broadcast traffic from Station A is not forwarded to Switches 3, 5, and 6 because traffic for the Red VLAN has been pruned on the links indicated on Switches 2 and 4.

VTP Versions
- Three VTP versions: V1, V2, V3.
- Versions are not interoperable (e.g., V2 supports Token Ring VLANs but V1 does not).
- V1 transparent switches inspect VTP messages for the domain name and version and forward a message only if the version and domain name match. V2 transparent switches forward VTP messages in transparent mode without checking versions.
- V2 performs VLAN consistency checks (VLAN names and values) only when you enter new information through the CLI or via SNMP. V2 does not perform checks when new information is obtained from a VTP message or when information is read from NVRAM. If the MD5 hash on a received VTP message is correct, V2 accepts the VTP message information.
- Unrecognized Type-Length-Value (TLV) configuration changes are propagated by V2 servers and clients, and these unrecognized TLVs can be stored in NVRAM.

VTP Message Types
- Summary Advertisements
- Subset Advertisements
- Advertisement Requests

VTP Summary Advertisements
- By default, Catalyst switches issue summary advertisements in 5-minute increments. Summary advertisements inform adjacent switches of the current VTP domain name and the configuration revision number.
- When the switch receives a summary advertisement packet, the switch compares the VTP domain name to its own VTP domain name. If the name is different, the packet is ignored. If the name is the same, the switch then compares the configuration revision to its own revision. If its own configuration revision is higher or equal, the switch ignores the packet. If it is lower, an advertisement request is sent.

VTP Subset Advertisements
- When you add, delete, or change a VLAN, the VTP server where the changes are made increments the configuration revision and issues a summary advertisement. One or several subset advertisements follow the summary advertisement.
- A subset advertisement contains a list of VLAN information. If there are several VLANs, more than one subset advertisement can be required to advertise all the VLANs.


VTP Advertisement Requests
- A switch issues a VTP advertisement request in these situations:
  - The switch has been reset.
  - The VTP domain name has been changed.
  - The switch has received a VTP summary advertisement with a higher configuration revision than its own.
- Upon receipt of an advertisement request, a VTP device sends a summary advertisement.
- One or more subset advertisements follow the summary advertisement.

VTP Authentication
- VTP domains can be secured by using the VTP password feature. The use of VTP authentication is a recommended practice.
- By default, a Catalyst switch does not have a VTP password. The switch does not automatically set the password parameter, unlike other parameters that are set automatically when a VTP advertisement is received.
- It is important to make sure that all the switches in the VTP domain have the same password and domain name; otherwise, a switch will not become a member of the VTP domain.
- In VTP, passwords are case-sensitive and can be 8 to 64 characters in length. Cisco switches use MD5 to encode the password into a 16-byte value; it is this MD5 digest, not the password itself, that propagates inside VTP summary advertisements.
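The summary-advertisement rules (domain name, then revision, then digest) and the password check, as an added Python model that is not part of the course material. The digest construction is a simplified assumption made for the example (MD5 over the 16-byte MD5 of the password, the domain, the revision and the VLAN list); the real VTP digest layout is Cisco-defined and is not reproduced here. The switch names and VLANs are constructed, and the subset advertisement that follows a summary is passed to receive() together with it.

```python
import hashlib
from dataclasses import dataclass, field


def vtp_secret(password):
    """VTP keeps the password as a 16-byte MD5 value rather than in clear text."""
    return hashlib.md5(password.encode()).digest()


def vtp_digest(password, domain, revision, vlans):
    """Digest carried in a summary advertisement. Simplified model (assumption): MD5 over the
    16-byte secret, the domain name, the revision and the advertised VLAN list."""
    h = hashlib.md5()
    h.update(vtp_secret(password))
    h.update(domain.encode())
    h.update(revision.to_bytes(4, "big"))
    for vid in sorted(vlans):
        h.update(f"{vid}:{vlans[vid]};".encode())
    return h.digest()


@dataclass
class SummaryAdvertisement:
    domain: str
    revision: int
    digest: bytes


@dataclass
class VtpSwitch:
    name: str
    mode: str                      # "server", "client" or "transparent"
    domain: str
    password: str
    revision: int = 0
    vlans: dict = field(default_factory=dict)

    def modify_vlans(self, changes):
        """CLI change: clients cannot; servers bump the revision so neighbours resync."""
        if self.mode == "client":
            raise PermissionError("VTP clients cannot create, change or delete VLANs")
        self.vlans.update(changes)
        if self.mode == "server":
            self.revision += 1

    def advertise(self):
        """Summary advertisement plus the subset data that follows it."""
        adv = SummaryAdvertisement(
            self.domain, self.revision,
            vtp_digest(self.password, self.domain, self.revision, self.vlans))
        return adv, dict(self.vlans)

    def receive(self, adv, subset_vlans):
        """Apply the summary-advertisement rules from the slides; return what happened."""
        if self.mode == "transparent":
            return "forwarded"                        # relayed, never applied locally
        if adv.domain != self.domain:
            return "ignored-domain"
        if adv.revision <= self.revision:
            return "ignored-revision"                 # own revision is higher or equal
        expected = vtp_digest(self.password, adv.domain, adv.revision, subset_vlans)
        if adv.digest != expected:
            return "digest-error"                     # wrong password: a "config digest error"
        # Lower revision and valid digest: request and apply the subset advertisements.
        self.vlans = dict(subset_vlans)
        self.revision = adv.revision
        return "synced"


def demo():
    """Server change propagates to a client; a repeat is ignored; a higher-revision
    advertisement from a switch with a different password is rejected."""
    server = VtpSwitch("DLS1", "server", "Modular_Form", "genus", revision=247,
                       vlans={1: "default", 10: "DATA", 20: "VOICE"})
    client = VtpSwitch("ALS1", "client", "Modular_Form", "genus", revision=247,
                       vlans=dict(server.vlans))
    server.modify_vlans({30: "PRINTERS"})              # revision becomes 248
    adv, subset = server.advertise()
    first = client.receive(adv, subset)                 # synced
    second = client.receive(adv, subset)                # ignored-revision
    stray = VtpSwitch("lab-sw", "server", "Modular_Form", "wrong", revision=999,
                      vlans={1: "default"})
    bad_adv, bad_subset = stray.advertise()
    third = client.receive(bad_adv, bad_subset)         # digest-error: client keeps its VLANs
    return first, second, third, client.revision, sorted(client.vlans)


if __name__ == "__main__":
    print(demo())
```

The last step of demo() is why the password matters: without the digest check, the revision comparison alone would let the higher-numbered advertisement replace the client's VLAN database.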

Configuring VTP
- Step 1. Enter global configuration mode: Switch# configure terminal
- Step 2. Configure the VTP mode as server: Switch(config)# vtp mode server
- Step 3. Configure the domain name: Switch(config)# vtp domain domain_name
- Step 4. (Optional.) Enable VTP version 2: Switch(config)# vtp version 2
- Step 5. (Optional.) Specify a VTP password: Switch(config)# vtp password password_string
- Step 6. (Optional.) Enable VTP pruning in the management domain: Switch(config)# vtp pruning

VTP Configuration Example
- This example creates a VTP server with domain name Modular_Form, password genus, and pruning enabled.

Switch# configure terminal
Switch(config)# vtp mode server
Setting device to VTP SERVER mode.
Switch(config)# vtp domain Modular_Form
Switch(config)# vtp password genus
Switch(config)# vtp pruning
Switch(config)# end

Verifying VTP Configuration (1)
- The most useful command for verifying VTP configuration is the show vtp status command. The output displayed includes the VTP version, the VTP configuration revision number, the number of VLANs supported locally, the VTP operating mode, the VTP domain name, and the VTP pruning mode.

Switch# show vtp status
VTP Version                     : 2
Configuration Revision          : 247
Maximum VLANs supported locally : 1005
Number of existing VLANs        : 33
VTP Operating Mode              : Server
VTP Domain Name                 : Modular_Form
VTP Pruning Mode                : Enabled
VTP V2 Mode                     : Disabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0x45 0x52 0xB6 0xFD 0x63 0xC8 0x49 0x80
Configuration last modified by 0.0.0.0 at 8-12-99 15:04:4

Verifying VTP Configuration (2)
- Use the show vtp counters command to display statistics about VTP operation. If there are any problems regarding the VTP operation, this command helps look for VTP message type updates.

Switch# show vtp counters
VTP statistics:
Summary advertisements received    : 7
Subset advertisements received     : 5
Request advertisements received    : 0
Summary advertisements transmitted : 997
Subset advertisements transmitted  : 13
Request advertisements transmitted : 3
Number of config revision errors   : 0
Number of config digest errors     : 0
Number of V1 summary errors        : 0

VTP pruning statistics:

Trunk            Join Transmitted Join Received    Summary advts received from
                                                   non-pruning-capable device
---------------- ---------------- ---------------- ---------------------------
Fa5/8            43071            42766            5

VTP Troubleshooting
- Check that switches are interconnected by active trunk links.
- Check that the trunking protocol matches on opposite ends of a trunk link.
- Check the VTP mode of the switches.
- Check the VTP versions of the switches.
- Check the VTP domain name (case-sensitive) and password.

Private VLANs

Motivation for Private VLANs
- Service providers often have devices from multiple clients, in addition to their own servers, in a single Demilitarized Zone (DMZ) segment or VLAN. As security issues abound, it becomes more important to provide traffic isolation between devices, even though they might exist on the same Layer 3 segment and VLAN.
- Most Cisco IOS-based switches implement private VLANs to keep some switch ports shared and some switch ports isolated, even though all ports remain in the same VLAN.

pVLAN Port Types
- Isolated
- Promiscuous
- Community

pVLAN Structure: Supporting VLANs
- Primary Private VLAN
- Secondary Private VLAN
- Community Private VLAN
- Isolated Private VLAN

Configuring pVLANs: Steps
- Step 1. Set VTP mode to transparent.
- Step 2. Create the secondary pVLANs.
- Step 3. Create the primary pVLAN.
- Step 4. Associate the secondary pVLAN with the primary pVLAN. Only one isolated pVLAN can be mapped to a primary pVLAN, but more than one community pVLAN can be mapped to a primary pVLAN.
- Step 5. Configure an interface as an isolated or community port.
- Step 6. Associate the isolated port or community port with the primary-secondary pVLAN pair.
- Step 7. Configure an interface as a promiscuous port.
- Step 8. Map the promiscuous port to the primary-secondary pVLAN pair.

Configuring pVLANs: Commands

Switch(config)# vlan pvlan-id
Switch(config-vlan)# private-vlan {community | isolated | primary}
Switch(config-vlan)# exit
Switch(config)# vlan primary-vlan-id
Switch(config-vlan)# private-vlan association {secondary-vlan-list | add secondary-vlan-list | remove secondary-vlan-list}
Switch(config)# interface vlan primary-vlan-id
Switch(config-if)# private-vlan mapping {secondary-vlan-list | add secondary-vlan-list | remove secondary-vlan-list}
Switch(config)# interface type slot/port
Switch(config-if)# switchport
Switch(config-if)# switchport mode private-vlan {host | promiscuous}
Switch(config-if)# switchport private-vlan host-association primary-vlan-id secondary-vlan-id
Switch(config-if)# switchport private-vlan mapping primary-vlan-id {secondary-vlan-list | add secondary-vlan-list | remove secondary-vlan-list}

Verifying pVLAN Configuration
- The two most useful commands for this purpose are show interfaces switchport and show vlan private-vlan.

Switch# show vlan private-vlan

Primary Secondary Type              Interfaces
------- --------- ----------------- -----------------
100     200       community
100     300       isolated

Switch# show interfaces FastEthernet 5/2 switchport
Name: Fa5/2
Switchport: Enabled
Administrative Mode: private-vlan host
Operational Mode: down
Administrative Trunking Encapsulation: negotiate
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Administrative private-vlan host-association: 100 (VLAN0200) 300 (VLAN0300)
Administrative private-vlan mapping: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled

pVLAN Scenario 1: Single Switch
- A corporate DMZ contains two DNS servers, one web server and one SMTP server. All servers and their connecting router are in the same subnet.
- The DNS servers are redundant copies, so they need to communicate with each other to update their entries, and with the Internet.
- The web server and the SMTP server need to communicate with the Internet, but for security purposes the SMTP server should not be reachable from the web or the DNS servers. The web server needs to be accessible from the Internet but not from the SMTP server.

pVLAN Configuration for Scenario 1

Switch(config)# vtp mode transparent
Switch(config)# vlan 201
Switch(config-vlan)# private-vlan isolated
Switch(config-vlan)# vlan 202
Switch(config-vlan)# private-vlan community
Switch(config-vlan)# vlan 100
Switch(config-vlan)# private-vlan primary
Switch(config-vlan)# private-vlan association 201,202
Switch(config-vlan)# interface fastethernet 0/24
Switch(config-if)# switchport mode private-vlan promiscuous
Switch(config-if)# switchport private-vlan mapping 100 201,202
Switch(config-if)# interface range fastethernet 0/1 - 2
Switch(config-if-range)# switchport mode private-vlan host
Switch(config-if-range)# switchport private-vlan host-association 100 202
Switch(config-if-range)# interface range fastethernet 0/3 - 4
Switch(config-if-range)# switchport mode private-vlan host
Switch(config-if-range)# switchport private-vlan host-association 100 201
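The forwarding rules implied by the three port types, applied to Scenario 1, as an added Python example that is not from the course: a PrivateVlan class (a name assumed for the example) that enforces the isolated, community and promiscuous rules and the one-isolated-VLAN-per-primary constraint from the configuration steps, then prints a reachability matrix over the DMZ ports as configured above (DNS servers on Fa0/1-2 in community 202, web and SMTP on Fa0/3-4 in isolated 201, router on the promiscuous port Fa0/24, all in primary VLAN 100).

```python
class PrivateVlan:
    """Forwarding rules for one primary private VLAN and its secondary VLANs."""

    def __init__(self, primary):
        self.primary = primary
        self.secondary = {}          # secondary VLAN id -> "isolated" | "community"
        self.ports = {}              # port name -> (mode, secondary VLAN id or None)

    def add_secondary(self, vlan_id, kind):
        """vlan <id> / private-vlan {isolated | community}, then association to the primary."""
        if kind not in ("isolated", "community"):
            raise ValueError(f"unknown secondary VLAN type {kind!r}")
        if kind == "isolated" and "isolated" in self.secondary.values():
            raise ValueError("only one isolated VLAN can be associated with a primary VLAN")
        self.secondary[vlan_id] = kind

    def add_host_port(self, name, secondary_vlan):
        """switchport mode private-vlan host + host-association primary secondary."""
        if secondary_vlan not in self.secondary:
            raise ValueError(f"VLAN {secondary_vlan} is not associated with primary {self.primary}")
        self.ports[name] = ("host", secondary_vlan)

    def add_promiscuous_port(self, name):
        """switchport mode private-vlan promiscuous + mapping primary secondary-list."""
        self.ports[name] = ("promiscuous", None)

    def can_forward(self, src, dst):
        """Can a frame entering on port src be delivered out of port dst?"""
        if src == dst:
            return False
        s_mode, s_vlan = self.ports[src]
        d_mode, d_vlan = self.ports[dst]
        if "promiscuous" in (s_mode, d_mode):
            return True                                   # promiscuous ports talk to everything
        if "isolated" in (self.secondary[s_vlan], self.secondary[d_vlan]):
            return False                                  # isolated hosts reach only promiscuous ports
        return s_vlan == d_vlan                           # community hosts: same community only

    def reachability(self):
        """{src: sorted list of ports that src can reach}."""
        return {src: sorted(dst for dst in self.ports if self.can_forward(src, dst))
                for src in self.ports}


def scenario_one():
    """Scenario 1 from the slides: two DNS servers (community 202), web and SMTP
    (isolated 201), router on the promiscuous port, all inside primary VLAN 100."""
    pv = PrivateVlan(100)
    pv.add_secondary(201, "isolated")
    pv.add_secondary(202, "community")
    pv.add_host_port("Fa0/1 dns1", 202)
    pv.add_host_port("Fa0/2 dns2", 202)
    pv.add_host_port("Fa0/3 web", 201)
    pv.add_host_port("Fa0/4 smtp", 201)
    pv.add_promiscuous_port("Fa0/24 router")
    return pv


if __name__ == "__main__":
    for src, dsts in scenario_one().reachability().items():
        print(f"{src:14} -> {', '.join(dsts) or '(nothing)'}")
```

The matrix confirms the scenario's requirements: the DNS servers reach each other and the router, the web and SMTP servers reach only the router, and nothing other than the router reaches the SMTP server. Note that the isolation is a Layer 2 property of the switch; the promiscuous router can still route between hosts if it is configured to, so the same policy must also be enforced on it.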

pVLAN Scenario 2: Multiple Switches
- A trunk port carries the primary VLAN and secondary VLANs to a neighboring switch just like any other VLAN.
- A feature of pVLANs across multiple switches is that traffic from an isolated port in one switch does not reach an isolated port on another switch.
- Configure pVLANs on all switches on the path, which includes devices that have no pVLAN ports, to maintain the security of your pVLAN configuration, and avoid using other VLANs configured as pVLANs.
- As shown in the figure, the switches SWA and SWB have the same pVLANs on two different switches and are connected through the trunk link.

pVLAN Configuration for Scenario 2
 To configure a Layer 2 interface as a Private VLAN trunk port, use the interface command:
Switch(config-if)# switchport private-vlan association trunk primary_vlan_ID secondary_vlan_ID
 If the port is set to promiscuous, use the mapping command:
Switch(config-if)# switchport private-vlan mapping primary_vlan_ID secondary_vlan_list
 Once the trunk is configured, allow VLANs with the command:
Switch(config-if)# switchport private-vlan trunk allowed vlan vlan_list
 Configure the native VLAN with the following command:
Switch(config-if)# switchport private-vlan trunk native vlan vlan_id
 Example: a secondary pVLAN trunk on Fa5/2 that carries primary VLAN 3 with secondary VLANs 301 and 302, plus normal VLAN 10 as native VLAN. A secondary (isolated) pVLAN trunk is the port type used to carry isolated-VLAN traffic toward a device that does not itself support pVLANs; a promiscuous pVLAN trunk is used toward the upstream side, for example a router.
Switch(config)# interface fastethernet 5/2
Switch(config-if)# switchport mode private-vlan trunk secondary
Switch(config-if)# switchport private-vlan trunk native vlan 10
Switch(config-if)# switchport private-vlan trunk allowed vlan 10,3,301,302
Switch(config-if)# switchport private-vlan association trunk 3 301
Switch(config-if)# switchport private-vlan association trunk 3 302

pVLAN Verification for Scenario 2
 The fields to check are Operational Mode (the trunk actually came up as a private-vlan trunk), the private-vlan trunk native VLAN and encapsulation, and the private-vlan trunk associations line: only the primary/secondary pairs listed there are carried.
Switch# show interfaces fastethernet 5/2 switchport
Name: Fa5/2
Switchport: Enabled
Administrative Mode: private-vlan trunk secondary
Operational Mode: private-vlan trunk secondary
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: 10
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk associations: 3 (VLAN0003) 301 (VLAN0301)
Administrative private-vlan trunk mappings: none
Operational private-vlan: none
Operational Normal VLANs: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001

pVLAN Edge (Protected Port) Feature
 The PVLAN edge (protected port) feature has only local significance to the switch (unlike pVLANs), and there is no isolation provided between two protected ports located on different switches.
 A protected port does not forward any traffic (unicast, multicast or broadcast) to any other port that is also a protected port on the same switch. Traffic between a protected port and an unprotected port is forwarded normally.
 Traffic cannot be forwarded between protected ports at L2; all traffic passing between protected ports must be forwarded through an L3 device.
Switch(config-if)# switchport protected
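The forwarding rules from Scenario 1, Scenario 2 and the protected-port slide, encoded as a small Layer 2 model so the DMZ requirements can be checked mechanically. This is an added example, not Cisco code and not from the original slides; it does not talk to a switch. Switch names, port numbers and host roles are constructed for the example, and the model assumes every secondary VLAN of a primary is mapped to its promiscuous port, as in the Scenario 1 configuration.

```python
"""Layer 2 forwarding model for private VLANs and protected ports (added example)."""
from dataclasses import dataclass
from typing import Dict, Optional

PROMISCUOUS, ISOLATED, COMMUNITY, PROTECTED, NORMAL = (
    "promiscuous", "isolated", "community", "protected", "normal")


@dataclass(frozen=True)
class Port:
    switch: str               # pVLAN rules span switches; protected-port rules do not
    name: str                 # e.g. "Fa0/3" (constructed)
    role: str                 # one of the role constants above
    primary: int              # primary VLAN, or the ordinary VLAN for normal/protected ports
    secondary: Optional[int] = None  # secondary VLAN of an isolated or community host port


def can_forward(src: Port, dst: Port) -> bool:
    """True if a frame entering on src may be forwarded at Layer 2 out of dst."""
    if src == dst or src.primary != dst.primary:
        return False
    roles = {src.role, dst.role}
    if PROMISCUOUS in roles:
        # A promiscuous port exchanges traffic with every port of the secondary VLANs
        # mapped to its primary (assumption: all secondaries are mapped, as in Scenario 1).
        return True
    if ISOLATED in roles:
        # An isolated port reaches only promiscuous ports, whichever switch the peer is on.
        return False
    if src.role == COMMUNITY and dst.role == COMMUNITY:
        # Community members reach each other, including across a trunk to another switch.
        return src.secondary == dst.secondary
    if src.role == PROTECTED and dst.role == PROTECTED:
        # switchport protected has local significance only: two protected ports are
        # isolated on the same switch but not when they sit on different switches.
        return src.switch != dst.switch
    return True  # ordinary access ports in the same VLAN, or protected <-> unprotected


def scenario1() -> Dict[str, bool]:
    """Check the Scenario 1 DMZ requirements against the slide's configuration."""
    sw = "Switch"
    dns1 = Port(sw, "Fa0/1", COMMUNITY, 100, 202)
    dns2 = Port(sw, "Fa0/2", COMMUNITY, 100, 202)
    web = Port(sw, "Fa0/3", ISOLATED, 100, 201)
    smtp = Port(sw, "Fa0/4", ISOLATED, 100, 201)
    router = Port(sw, "Fa0/24", PROMISCUOUS, 100)
    return {
        "dns servers sync with each other": can_forward(dns1, dns2) and can_forward(dns2, dns1),
        "every server reaches the router": all(can_forward(p, router) for p in (dns1, dns2, web, smtp)),
        "smtp unreachable from web": not can_forward(web, smtp),
        "smtp unreachable from dns": not any(can_forward(d, smtp) for d in (dns1, dns2)),
        "web unreachable from smtp": not can_forward(smtp, web),
    }


def scenario2_and_protected() -> Dict[str, bool]:
    """Isolation across a trunk (Scenario 2) versus the local-only protected port."""
    iso_a = Port("SWA", "Fa0/3", ISOLATED, 100, 201)
    iso_b = Port("SWB", "Fa0/3", ISOLATED, 100, 201)
    com_a = Port("SWA", "Fa0/1", COMMUNITY, 100, 202)
    com_b = Port("SWB", "Fa0/1", COMMUNITY, 100, 202)
    # Protected ports in an ordinary VLAN 50 on the same two switches (constructed).
    prot_a1 = Port("SWA", "Fa0/10", PROTECTED, 50)
    prot_a2 = Port("SWA", "Fa0/11", PROTECTED, 50)
    prot_b = Port("SWB", "Fa0/10", PROTECTED, 50)
    return {
        "isolated ports isolated across switches": not can_forward(iso_a, iso_b),
        "community spans switches": can_forward(com_a, com_b),
        "protected ports isolated on one switch": not can_forward(prot_a1, prot_a2),
        "protected ports NOT isolated across switches": can_forward(prot_a1, prot_b),
    }


if __name__ == "__main__":
    for name, ok in {**scenario1(), **scenario2_and_protected()}.items():
        print(f"{'PASS' if ok else 'FAIL'}  {name}")
```

The last two checks are the practical difference between the two features: an attacker who can reach a second switch's protected port is not stopped by switchport protected, whereas an isolated pVLAN port stays isolated as long as every switch on the path has the pVLAN configured.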

Configuring Link Aggregation with Etherchannel

EtherChannel Technology
 Up to 8 physical links can be bundled into a single logical EtherChannel link.
 EtherChannels can be L2 or L3 interfaces.
 Usually EtherChannel is used for trunk links.
 Configuration applied to the port-channel interface affects all physical interfaces assigned to the port channel. Member ports must still match in speed, duplex, switchport mode and allowed VLANs; a port that does not match is suspended from the bundle.
 Load balancing takes place between the physical links in an EtherChannel.

EtherChannel Management Protocols
 Port Aggregation Protocol (PAgP) is a Cisco-proprietary protocol that aids in the automatic creation of Fast EtherChannel links.
‡ When an EtherChannel link is configured using PAgP, PAgP packets are sent between Fast EtherChannel-capable ports to negotiate the forming of a channel.
‡ When PAgP identifies matched Ethernet links, it groups the links into an EtherChannel. Spanning tree adds the EtherChannel as a single bridge port.
 Link Aggregation Control Protocol (LACP) is part of an IEEE specification (802.3ad, since moved to IEEE 802.1AX) that also enables several physical ports to be bundled together to form an EtherChannel.
‡ LACP enables a switch to negotiate an automatic bundle by sending LACP packets to the peer.
‡ It performs a similar function as PAgP with Cisco EtherChannel.
‡ Because LACP is an IEEE standard, you can use it to facilitate EtherChannels in mixed-switch environments. In a Cisco environment, both protocols are supported, but PAgP and LACP do not interoperate with each other: both ends of a link must run the same protocol.

PAgP Modes
 Auto: Places an interface in a passive negotiating state in which the interface responds to the PAgP packets that it receives but does not initiate PAgP negotiation (default).
 Desirable: Places an interface in an active negotiating state in which the interface initiates negotiations with other interfaces by sending PAgP packets.
 On: Forces the interface to channel without PAgP. Interfaces configured in the "on" mode do not exchange PAgP packets.
 Non-silent: If a switch is connected to a partner that is PAgP-capable, configure the switch interface for non-silent operation. The non-silent keyword is always used with the auto or desirable mode. If you do not specify non-silent with the auto or desirable mode, silent is assumed. The silent setting is for connections to file servers or packet analyzers; this setting enables PAgP to operate, to attach the interface to a channel group, and to use the interface for transmission.

LACP Modes
 Passive: Places a port in a passive negotiating state. In this state, the port responds to the LACP packets that it receives but does not initiate LACP packet negotiation (default).
 Active: Places a port in an active negotiating state. In this state, the port initiates negotiations with other ports by sending LACP packets.
 On: Forces the interface to the channel without PAgP or LACP.

Configuring EtherChannel
 Step 1. Specify the interfaces that will compose the EtherChannel group. Using the range command enables you to select several interfaces and configure them all together. A good practice is to start by shutting down these interfaces, so that an incomplete configuration does not start to create activity on the link:
Switch(config)# interface range interface_type [interface_range]
 Step 2. Specify the channeling protocol to be used. This command is not applicable to all Catalyst platforms. You can also specify the channeling protocol at Step 3:
Switch(config-if-range)# channel-protocol {pagp | lacp}
 Step 3. Create the port-channel interface, if necessary, and assign the specified interfaces to it:
Switch(config-if-range)# channel-group number mode {active | on | {auto [non-silent]} | {desirable [non-silent]} | passive}
 Step 4. Specify the port-channel interface. When in the interface configuration mode, you can configure additional parameters. The physical interfaces will inherit these parameters. When this configuration is complete, you can reenable the physical ports in the EtherChannel bundle:
Switch(config)# interface port-channel number
Switch(config-if)# interface parameters

Example: EtherChannel Configuration
Switch(config)# interface fastethernet 0/23
Switch(config-if)# channel-group 2 mode active
Switch(config)# interface fastethernet 0/24
Switch(config-if)# channel-group 2 mode active
Switch(config)# interface port-channel 2
Switch(config-if)# switchport mode trunk
Switch(config-if)# switchport trunk native vlan 99
Switch(config-if)# switchport trunk allowed vlan 2,3,99
Remote switch configuration
RSwitch(config)# interface fastethernet 0/23
RSwitch(config-if)# channel-group 5 mode active
RSwitch(config)# interface fastethernet 0/24
RSwitch(config-if)# channel-group 5 mode active
RSwitch(config)# interface port-channel 5
RSwitch(config-if)# switchport mode trunk
RSwitch(config-if)# switchport trunk native vlan 99
 The channel-group number is locally significant (2 on one side, 5 on the other), but the modes must be compatible: active pairs with active or passive, desirable with desirable or auto, and on only with on. An on port sends no PAgP or LACP packets, so pairing it with a negotiating mode leaves one side bundled and the other side with individual ports, which can cause packet loss or spanning-tree loops.
 The trunk parameters (mode, native VLAN, allowed VLANs) must also match on both port-channel interfaces, otherwise member ports are suspended from the bundle.
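A pre-change review of the two configurations above, as an added example (not Cisco code and not from the original slides): it parses the channel-group lines from running-config text for both switches, pairs the interfaces according to a cabling list, and applies the PAgP/LACP mode rules from the mode tables to each link. The configuration snippets and the cabling list are constructed from the slide's example; a second remote configuration using mode on is constructed to show the mismatch case.

```python
"""Review EtherChannel mode compatibility across two switches (added example)."""
import re
from typing import Dict, List, Set, Tuple

PAGP_MODES = {"auto", "desirable"}
LACP_MODES = {"active", "passive"}
INITIATING = {"desirable", "active"}   # the end that sends negotiation packets first


def protocol_of(mode: str) -> str:
    """Which protocol a channel-group mode implies ("none" for static on)."""
    mode = mode.lower()
    if mode in PAGP_MODES:
        return "PAgP"
    if mode in LACP_MODES:
        return "LACP"
    if mode == "on":
        return "none"
    raise ValueError(f"unknown channel-group mode: {mode}")


def channel_forms(local_mode: str, remote_mode: str) -> bool:
    """True if the two ends negotiate (or statically form) one bundle."""
    a, b = local_mode.lower(), remote_mode.lower()
    if protocol_of(a) != protocol_of(b):
        return False          # PAgP vs LACP, or negotiation vs static on: never bundles
    if a == "on":
        return True           # static on both ends
    return a in INITIATING or b in INITIATING   # auto/auto and passive/passive never start


def channel_modes(running_config: str) -> Dict[str, Tuple[int, str]]:
    """Map each interface to (channel-group number, mode) found in running-config text."""
    modes: Dict[str, Tuple[int, str]] = {}
    current = None
    for line in running_config.splitlines():
        m = re.match(r"^interface\s+(\S+)", line)
        if m:
            current = m.group(1)
            continue
        m = re.match(r"^\s*channel-group\s+(\d+)\s+mode\s+(\S+)", line)
        if m and current:
            modes[current] = (int(m.group(1)), m.group(2).lower())
    return modes


def review_bundle(local_cfg: str, remote_cfg: str,
                  cabling: List[Tuple[str, str]]) -> List[str]:
    """Report links whose ends will not bundle, and local groups split across remote groups."""
    local, remote = channel_modes(local_cfg), channel_modes(remote_cfg)
    findings: List[str] = []
    remote_groups: Dict[int, Set[int]] = {}
    for l_if, r_if in cabling:
        if l_if not in local or r_if not in remote:
            findings.append(f"{l_if}<->{r_if}: channel-group missing on one end")
            continue
        (l_grp, l_mode), (r_grp, r_mode) = local[l_if], remote[r_if]
        remote_groups.setdefault(l_grp, set()).add(r_grp)
        if not channel_forms(l_mode, r_mode):
            findings.append(f"{l_if}({l_mode})<->{r_if}({r_mode}): modes do not bundle")
    for grp, r_grps in remote_groups.items():
        if len(r_grps) > 1:   # one bundle here, two bundles there: a loop waiting to happen
            findings.append(f"local group {grp} is split across remote groups {sorted(r_grps)}")
    return findings


# Constructed from the slide's example: local side active/active.
LOCAL_CFG = """\
interface FastEthernet0/23
 channel-group 2 mode active
interface FastEthernet0/24
 channel-group 2 mode active
"""
# Constructed: a compatible remote side (passive) and an incompatible one (on).
REMOTE_CFG_OK = LOCAL_CFG.replace("channel-group 2 mode active", "channel-group 5 mode passive")
REMOTE_CFG_ON = LOCAL_CFG.replace("channel-group 2 mode active", "channel-group 5 mode on")
CABLING = [("FastEthernet0/23", "FastEthernet0/23"), ("FastEthernet0/24", "FastEthernet0/24")]

if __name__ == "__main__":
    print("compatible :", review_bundle(LOCAL_CFG, REMOTE_CFG_OK, CABLING) or "no findings")
    print("mismatched :", review_bundle(LOCAL_CFG, REMOTE_CFG_ON, CABLING))
```

The split-group check matters as much as the mode check: if two member links of one local port-channel land in different remote port-channels, the remote switch sees two distinct bridge ports toward the same neighbour, and spanning tree is the only thing left preventing a loop.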

Verifying EtherChannel (1)
 You can use several commands to verify an EtherChannel configuration. On any physical interface member of an EtherChannel bundle, the show interfaces interface_id etherchannel command provides information on the role of the interface in the EtherChannel.
 Interface FastEthernet 0/24 below is configured in EtherChannel group 1.
 The protocol for this EtherChannel is LACP.
 Read the Port state line carefully: Not-in-Bndl and Port-channel = null mean the port belongs to channel group 1 but has not (yet) joined the bundle, for example because LACP negotiation with the peer has not completed. A healthy member shows Port-channel = Po1 and a state without Not-in-Bndl.
Switch# show interfaces fa0/24 etherchannel
Port state = Up Sngl-port-Bndl Mstr Not-in-Bndl
Channel group = 1 Mode = Active Gcchange = -
Port-channel = null GC = - Pseudo port-channel = Po1
Port index = 0 Load = 0x00 Protocol = LACP

Verifying EtherChannel (2)
 The show etherchannel number port-channel command can be used to display information about a specific port-channel.
 Below, the port-channel consists of two physical ports, Fa0/23 and Fa0/24.
 It uses LACP in active mode.
 It is properly connected to another switch with a compatible configuration. This is why the port-channel is said to be in use (Ag-Inuse).
Switch# show etherchannel 1 port-channel
Port-channels in the group:
---------------------------
Port-channel: Po7 (Primary Aggregator)
Age of the Port-channel = 195d:03h:10m:44s
Logical slot/port = 0/1 Number of ports = 2
Port state = Port-channel Ag-Inuse
Protocol = LACP
Ports in the Port-channel:
Index Load Port EC state No of bits
------+------+--------+--------------+-----------
0 55 fa0/23 Active 4
1 45 fa0/24 Active 4

Verifying EtherChannel (3)
 When several port-channel interfaces are configured on the same device, the show etherchannel summary command is useful for displaying one-line information per port-channel.
 As shown below, the switch has three EtherChannels configured: Groups 2 and 7 use LACP and Group 9 uses PAgP. All three groups are Layer 2 EtherChannels and are all in use (SU next to the port-channel number). Each EtherChannel has the member interfaces listed, each with its own flag; anything other than (P) on a member, or a port-channel without U, needs attention.
Switch# show etherchannel summary
Flags: D - down P - bundled in port-channel
       I - stand-alone s - suspended
       H - Hot-standby (LACP only)
       R - Layer3 S - Layer2
       U - in use f - failed to allocate aggregator
       M - not in use, minimum links not met
       u - unsuitable for bundling
       w - waiting to be aggregated
       d - default port
Number of channel-groups in use: 2
Number of aggregators: 2
Group Port-channel Protocol Ports
------+-------------+-----------+-------------------------------------------
2 Po2(SU) LACP g0/49(P) g0/50(P) g0/51(P) g0/52(P)
7 Po7(SU) LACP g0/47(P) g0/48(P)
9 Po9(SU) PAgP g0/8(P) g0/9(P)

Verifying EtherChannel (4)
 The show running-config interface interface_id command displays the sections of your configuration relevant to EtherChannel. The interface argument can be physical or logical.
Switch# show running-config interface g0/48
Building configuration...
Current configuration : 154 bytes
interface GigabitEthernet0/48
 switchport access vlan 41
 switchport trunk encapsulation dot1q
 switchport mode trunk
 channel-group 7 mode active
Switch# show running-config interface port-channel 7
Building configuration...
Current configuration : 92 bytes
interface Port-channel7
 switchport trunk encapsulation dot1q
 switchport mode trunk
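The show etherchannel summary output on the previous slide is the one operators scan most often, and the thing worth automating is the audit: every port-channel should be in use and every member should be bundled. The parser below is an added example, not Cisco code and not from the slides. Its sample input is the slide's own three-group output plus one constructed line for an unhealthy static bundle (Po11), so the audit has something to flag; the flag letters follow the legend printed by the command.

```python
"""Parse and audit 'show etherchannel summary' output (added example)."""
import re
from typing import List, NamedTuple


class Member(NamedTuple):
    port: str
    flag: str          # P bundled, I stand-alone, s suspended, D down, H hot-standby, ...


class ChannelGroup(NamedTuple):
    group: int
    name: str          # e.g. Po2
    flags: str         # e.g. SU (Layer2, in use)
    protocol: str      # LACP, PAgP, or "-" for a static 'on' bundle
    members: List[Member]


GROUP_RE = re.compile(r"^\s*(\d+)\s+(Po\d+)\(([A-Za-z]+)\)\s+(\S+)\s*(.*)$")
MEMBER_RE = re.compile(r"(\S+?)\(([A-Za-z]+)\)")


def parse_summary(text: str) -> List[ChannelGroup]:
    """Return one ChannelGroup per table row; header and legend lines are skipped."""
    groups: List[ChannelGroup] = []
    for line in text.splitlines():
        m = GROUP_RE.match(line)
        if not m:
            continue
        members = [Member(port, flag) for port, flag in MEMBER_RE.findall(m.group(5))]
        groups.append(ChannelGroup(int(m.group(1)), m.group(2), m.group(3), m.group(4), members))
    return groups


def audit(groups: List[ChannelGroup]) -> List[str]:
    """Flag anything that is not a negotiated, in-use channel with all members bundled."""
    findings: List[str] = []
    for g in groups:
        if "U" not in g.flags:
            findings.append(f"{g.name}: not in use (flags {g.flags})")
        if g.protocol == "-":
            findings.append(f"{g.name}: static 'on' bundle, no PAgP/LACP check against miscabling")
        for m in g.members:
            if m.flag != "P":
                findings.append(f"{g.name}: member {m.port} has flag {m.flag}, not bundled")
    return findings


# Sample input: the slide's output (groups 2, 7, 9) plus a constructed unhealthy group 11.
SAMPLE = """\
Number of channel-groups in use: 2
Number of aggregators: 2
Group  Port-channel  Protocol    Ports
------+-------------+-----------+-----------------------------------------------
2      Po2(SU)         LACP      g0/49(P)    g0/50(P)    g0/51(P)    g0/52(P)
7      Po7(SU)         LACP      g0/47(P)    g0/48(P)
9      Po9(SU)         PAgP      g0/8(P)     g0/9(P)
11     Po11(SD)          -       g0/1(D)     g0/2(I)
"""

if __name__ == "__main__":
    for finding in audit(parse_summary(SAMPLE)):
        print(finding)
```

Run it against the output of a whole switch and the findings list is empty on a healthy device; a member stuck at (I) or (s) after a change is the usual sign that the two ends disagree on mode, speed or trunk parameters.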

Inc. Cisco Systems.EtherChannel Load Balancing Chapter 2 © 2007 ± 2010. All rights reserved. Cisco Public 74 .

EtherChannel Load Balancing Example
 Here the EtherChannel load-balancing mechanism is configured to use source and destination IP address pairs, whereas the non-IP load-balancing mechanism uses source and destination MAC address pairs.
 This rule is applied to IPv4 and IPv6 traffic.
 It was observed that with source-destination IP load balancing, the balancing ends up more like 70-30 on the links! The hash selects a link per flow, not per byte, so the split depends on how the addresses in your traffic mix fall into the hash; it never looks at link utilization.
Switch(config)# port-channel load-balance src-dst-ip
Switch(config)# exit
Switch# show etherchannel load-balance
EtherChannel Load-Balancing Configuration:
        src-dst-ip
EtherChannel Load-Balancing Addresses Used Per-Protocol:
Non-IP: Source XOR Destination MAC address
  IPv4: Source XOR Destination IP address
  IPv6: Source XOR Destination IP address
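A simulation of why the choice of load-balancing method matters, as an added example that is not Cisco code and not from the slides. Real Catalyst hardware uses a platform-specific hash; this model follows the slide's description (source XOR destination of the MAC or IP address) and assumes that the low-order bits of that XOR pick the member link. The flows are constructed: hosts behind router A talking to a server behind router B across one EtherChannel, the classic case where MAC-based balancing collapses onto a single link because every frame carries the same router MAC pair.

```python
"""EtherChannel link selection under src-dst-mac vs src-dst-ip hashing (added example)."""
from collections import Counter
from ipaddress import ip_address
from typing import Dict, List, NamedTuple


class Flow(NamedTuple):
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str


def _mac_int(mac: str) -> int:
    """Accept Cisco dotted (0200.0000.0001) or colon notation."""
    return int(mac.replace(":", "").replace(".", "").replace("-", ""), 16)


def select_link(flow: Flow, method: str, links: int) -> int:
    """Member-link index the hash selects for this flow (model, not the real ASIC hash)."""
    if links < 1 or links & (links - 1):
        raise ValueError("model assumes a power-of-two number of member links")
    if method == "src-dst-mac":
        h = _mac_int(flow.src_mac) ^ _mac_int(flow.dst_mac)
    elif method == "src-dst-ip":
        h = int(ip_address(flow.src_ip)) ^ int(ip_address(flow.dst_ip))
    elif method == "src-ip":
        h = int(ip_address(flow.src_ip))
    else:
        raise ValueError(f"unsupported load-balance method: {method}")
    return h & (links - 1)   # assumption: low-order bits of the XOR choose the link


def distribution(flows: List[Flow], method: str, links: int = 2) -> Dict[int, int]:
    """Number of flows landing on each member link."""
    return dict(Counter(select_link(f, method, links) for f in flows))


# Constructed flows: router A (0200.0000.0001) forwards traffic from hosts 10.1.1.1-8
# toward server 10.2.2.10 behind router B (0200.0000.0002) over the EtherChannel.
ROUTER_A, ROUTER_B = "0200.0000.0001", "0200.0000.0002"
FLOWS = [Flow(ROUTER_A, ROUTER_B, f"10.1.1.{i}", "10.2.2.10") for i in range(1, 9)]

if __name__ == "__main__":
    for method in ("src-dst-mac", "src-dst-ip"):
        print(f"{method:12s} 2 links: {distribution(FLOWS, method)}   "
              f"4 links: {distribution(FLOWS, method, 4)}")
```

With src-dst-mac every one of the eight flows hashes to the same link, so one member carries all the router-to-router traffic while the other idles; src-dst-ip spreads the same flows evenly. Feed the function your own address plan to see whether the 70-30 split observed on the slide is what your addresses would produce.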

Chapter 2 Summary
 A VLAN is a logical grouping of switch ports independent of physical location. Local VLANs are now recommended over end-to-end VLAN implementations.
 A trunk is a Layer 2 point-to-point link between networking devices that carries the traffic of multiple VLANs.
 ISL and 802.1Q are the two trunking protocols that can connect two switches.
 VTP is used to distribute and synchronize information about VLANs configured throughout a switched network.
 VTP pruning helps to stop flooding of unnecessary traffic on trunk links.
 Device communication within the same VLAN can be fine-tuned using pVLANs. A pVLAN is associated to a primary VLAN, and then mapped to one or several ports. A primary VLAN can map to one isolated and several community VLANs. pVLANs can span across several switches using regular 802.1Q trunks or pVLAN trunks.
 Use EtherChannel by aggregating individual, similar links between switches. EtherChannel can be dynamically configured between switches using either the Cisco-proprietary PAgP or the IEEE 802.3ad LACP. EtherChannel load balances traffic over all the links in the bundle. The method that is chosen directly impacts the efficiency of this load-balancing mechanism.

Chapter 2 Labs
 Lab 2-1 Static VLANs, VLAN Trunking, and VTP Domains
 Lab 2-2 Configuring EtherChannel

Resources
 Catalyst 3560 Switch Command Reference
www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_52_se/command/reference/3560cr.html
