
Chapter 2: Implementing VLANs in Campus Networks

CCNP SWITCH: Implementing IP Switching

SWITCH v6 Chapter 2 © 2007 - 2010, Cisco Systems, Inc. All rights reserved. Cisco Public

Chapter 2 Objectives
• Design and plan VLANs, trunks, and addressing to meet business requirements, technical requirements, and constraints.
• Configure VLANs and VLAN trunks in the campus network to support business and technical requirements.
• Configure VTP in the campus network to support business and technical requirements.
• Describe private VLANs and configure private VLANs in the campus network to support business and technical requirements.
• Configure and verify an EtherChannel in a Layer 2 topology that contains bridging loops.

Virtual Local Area Network (VLAN)
• A VLAN is a logical group of end devices.
• Broadcasts are contained within VLANs.
• Modern design has 1 VLAN = 1 IP subnet.
• Trunks connect switches so as to transport multiple VLANs.
• Layer 3 devices interconnect VLANs.

End-to-End VLANs
• Each VLAN is distributed geographically throughout the network.
• Users are grouped into each VLAN regardless of the physical location.
• As a user moves throughout a campus, the VLAN membership for that user remains the same, theoretically easing network management.
• Switches are configured for VTP server or client mode.

Local VLANs
• Create local VLANs with physical boundaries in mind rather than job functions of the users.
• Local VLANs exist between the access and distribution layers.
• Traffic from a local VLAN is routed at the distribution and core levels.
• One to three VLANs per access layer switch recommended.
• Spanning tree is used only to prevent inadvertent loops in the wiring closet.
• Switches are configured in VTP transparent mode.

VLANs in Enterprise Campus Design
• VLANs used at the access layer should extend no further than their associated distribution switch.
• Traffic is routed from the local VLAN as it is passed from the distribution layer into the core.
• STP is limited to access and distribution switches.
• Blocks can contain one to three VLANs each.
• DHCP is used to assign IP addresses to users.

Best Practices for VLAN Design
• One to three VLANs per access module and limit those VLANs to a couple of access switches and the distribution switches.
• Avoid using VLAN 1 as the "blackhole" for all unused ports. Use a dedicated VLAN separate from VLAN 1 to assign all the unused ports.
• Separate the voice VLANs, data VLANs, the management VLAN, the native VLAN, blackhole VLANs, and the default VLAN (VLAN 1).
• Prevent all data traffic from VLAN 1; only permit control protocols to run on VLAN 1 (DTP, VTP, STP BPDUs, PAgP, LACP, CDP, etc.).
• Avoid using Telnet because of security risks; enable SSH support on management VLANs.
• Avoid VTP when using local VLANs.
• For trunk ports, turn off Dynamic Trunking Protocol (DTP) and configure trunking. Use IEEE 802.1Q rather than ISL because it has better support for QoS and is a standard protocol.
• Manually configure access ports that are not specifically intended for a trunk link.
• Use manually allowed VLANs on trunks.

VLAN Support on Catalyst Switches

Catalyst Switch              Max VLANs   VLAN ID Range
2940                         4           1 - 1005
2950/2955                    250         1 - 4094
2960                         255         1 - 4094
2970/3550/3560/3750          1055        1 - 4094
2848G/2980G/4000/4500        4094        1 - 4094
6500                         4094        1 - 4094

VLAN Ranges on Catalyst Switches

VLAN Range    Range      Usage                                                                                                  Propagated via VTP?
0, 4095       Reserved   For system use only. You cannot see or use these.                                                      n/a
1             Normal     Cisco default. You can use this VLAN, but you cannot delete it.                                        Yes
2 - 1001      Normal     For Ethernet VLANs. You can create, use, and delete these.                                             Yes
1002 - 1005   Normal     Cisco defaults for FDDI and Token Ring. You cannot delete these.                                       Yes
1006 - 1024   Reserved   For system use only. You cannot see or use these.                                                      n/a
1025 - 4094   Reserved   For Ethernet VLANs only. Not supported in VTP v1 or v2. Requires VTP transparent mode for configuration. VTP v3 only.

Clearing switches

Switch# delete vlan.dat
Delete filename [vlan.dat]?
Delete flash:vlan.dat? [confirm]
Switch#
Switch# erase startup-config
Erasing the nvram filesystem will remove all configuration files! Continue? [confirm]
[OK]
Erase of nvram: complete
Switch#

Configure Hostname and VLAN 1
• Configure hostname
• Configure VLAN 1
• Default: Management VLAN is VLAN 1
• Configure DLS1, DLS2, ALS1 and ALS2 switches on Packet Tracer: hostname and VLAN 1

Switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)# hostname DLS1
DLS1(config)# interface vlan 1
DLS1(config-if)# ip address 10.1.1.101 255.255.255.0
DLS1(config-if)# no shutdown
DLS1(config-if)# end
DLS1#

Configuration: Create a VLAN
• To create a new VLAN in global configuration mode:
  Switch(config)# vlan vlan-id
• vlan-id is 2-1001 or 1025-4094.

Configuration: Name a VLAN
• To name a VLAN in VLAN configuration mode:
  Switch(config-vlan)# name vlan-name
• vlan-name is a descriptor for the VLAN.
• Naming a VLAN is optional.

Example: Creating and Naming a VLAN
• Enter global configuration mode:
  Switch# configure terminal
• Create a new VLAN with a particular ID number:
  Switch(config)# vlan vlan-id
• (Optional.) Name the VLAN:
  Switch(config-vlan)# name vlan-name

Switch# configure terminal
Switch(config)# vlan 5
Switch(config-vlan)# name Engineering
Switch(config-vlan)# exit

Configuration: Disable Trunk Negotiation on a Port
• To disable trunk negotiation on a switch port:
  Switch(config-if)# switchport mode access
• An access port does not need to negotiate trunk formation.
• This command is optional but is recommended for security purposes.

Configuration: Macro for Access Port
• To configure an optional macro for switch access ports:
  Switch(config-if)# switchport host
• This command optimizes a Layer 2 port for a host connection.
• This macro sets the port mode to access, enables spanning-tree portfast, and disables EtherChannel.

Configuration: Assign Port to VLAN
• To assign a port to a VLAN in interface configuration mode:
  Switch(config-if)# switchport access vlan vlan-id
• vlan-id is a previously created VLAN.

Example: Assigning a Port to a VLAN
• Enter interface configuration mode:
  Switch(config)# interface interface-id
• Configure access port macro:
  Switch(config-if)# switchport host
• Assign port to VLAN:
  Switch(config-if)# switchport access vlan vlan-id
• Enable the interface:
  Switch(config-if)# no shutdown
• Configure a description for the device(s) connected to the port:
  Switch(config-if)# description string
• Return to Privileged EXEC mode:
  Switch(config-if)# end

Switch(config)# interface FastEthernet 5/6
Switch(config-if)# description PC A
Switch(config-if)# switchport host
switchport mode will be set to access
spanning-tree portfast will be enabled
channel group will be disabled
Switch(config-if)# switchport access vlan 200
Switch(config-if)# no shutdown
Switch(config-if)# end

Verification: VLAN Configuration
• The show vlan command and its derivatives are the most useful commands for displaying information related to VLANs. The following two forms have the same output.

Switch# show vlan id 3

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
3    VLAN0003                         active    Fa0/1

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
3    enet  100003     1500                                       0      0

Switch# show vlan name VLAN0003

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
3    VLAN0003                         active    Fa0/1

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
3    enet  100003     1500                                       0      0

Verification: Interface Configuration
• The show running-config command has an interface keyword option to allow for interface-specific output.

Switch# show running-config interface FastEthernet 5/6
Building configuration...
!
Current configuration :33 bytes
interface FastEthernet 5/6
 switchport access vlan 200
 switchport mode access
 switchport host
end

Verification: Switch Port Configuration
• One of the most useful commands for showing VLAN configuration information specific to a switch port is the show interfaces interface_id switchport command.

Switch# show interfaces f0/18 switchport
Name: Fa0/18
Switchport: Enabled
Administrative Mode: static access
Operational Mode: down
Administrative Trunking Encapsulation: dot1q
Negotiation of Trunking: Off
Access Mode VLAN: 20 (VLAN0020)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: 150 (VLAN0150)
<output omitted>
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL

Verification: MAC Address Information
• You can view MAC address information specific to an interface and an associated VLAN.

Switch# show mac-address-table interface GigabitEthernet 0/1 vlan 1
          Mac Address Table
------------------------------------------
Vlan    Mac Address       Type       Ports
----    -----------       --------   -----
   1    0008.2199.2bc1    DYNAMIC    Gi0/1
Total Mac Addresses for this criterion: 1

Implementing Trunking in a Campus Network

VLAN Trunking
• Trunks carry the traffic for multiple VLANs across a single physical link (multiplexing).
• Trunking is used to extend Layer 2 operations across an entire network.
• The host on the left in VLAN 2 can communicate with the host on the right in VLAN 2 via the trunk link. Over the same trunk link, the hosts on VLAN 1 can communicate simultaneously.

VLAN Trunking with Inter-Switch Link (ISL)
• ISL is a Cisco-proprietary trunking protocol.
• ISL encapsulates Ethernet frames, adding 30 bytes of overhead.
• ISL is supported on non-access-layer Cisco switches.
• ISL is nearly obsolete.

VLAN Trunking with IEEE 802.1Q
• IEEE 802.1Q is a widely supported industry-standard protocol.
• 802.1Q has smaller frame overhead than ISL. 802.1Q overhead is 4 bytes.
• 802.1Q has the 802.1p field for QoS support.

Native VLAN with IEEE 802.1Q
• The 802.1Q standard specifies how the switch should handle untagged frames sent or received on an 802.1Q trunk port.
• An 802.1Q trunk port is assigned a default PVID, which is associated with all untagged traffic on the port. All traffic with a null VLAN ID is assumed to belong to the port default PVID. A packet with a VLAN ID equal to the outgoing port default PVID is sent untagged. All other traffic is sent with a VLAN tag.
• Proactively configuring both ends of an 802.1Q trunk link with a native VLAN distinct from all other VLANs is recommended.
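As an added illustration (not from the Cisco slides), the Python below builds and parses the 4-byte 802.1Q tag and applies the PVID rules just described: a frame whose VLAN equals the PVID leaves untagged, every other VLAN leaves tagged, and untagged arrivals are placed in the receiver's PVID. The MAC addresses and payload are constructed sample values; the last function shows why mismatched native VLANs on the two ends of a trunk put a frame into the wrong VLAN.

```python
import struct

TPID_8021Q = 0x8100      # Tag Protocol Identifier that marks a tagged frame
ETHERTYPE_IPV4 = 0x0800


def build_frame(dst, src, ethertype, payload, vlan_id=None, pcp=0):
    """Assemble an Ethernet II frame; with vlan_id set, insert the 4-byte 802.1Q
    tag (TPID + TCI) between the source MAC and the EtherType."""
    header = dst + src
    if vlan_id is not None:
        tci = (pcp << 13) | (vlan_id & 0x0FFF)   # 3-bit 802.1p priority, 12-bit VID
        header += struct.pack("!HH", TPID_8021Q, tci)
    return header + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Split a frame into (dst, src, vlan_id or None, pcp, ethertype, payload)."""
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype == TPID_8021Q:
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        return dst, src, tci & 0x0FFF, tci >> 13, ethertype, frame[18:]
    return dst, src, None, 0, ethertype, frame[14:]


def trunk_egress(untagged_frame, vlan_id, pvid):
    """Egress rule: a frame whose VLAN equals the port PVID leaves untagged;
    every other VLAN leaves with a tag."""
    dst, src, _, _, ethertype, payload = parse_frame(untagged_frame)
    if vlan_id == pvid:
        return untagged_frame
    return build_frame(dst, src, ethertype, payload, vlan_id=vlan_id)


def trunk_ingress(frame, pvid):
    """Ingress rule: untagged frames (and priority-tagged frames with VID 0) are
    assigned to the PVID; tagged frames keep their VID.
    Returns (vlan, frame with any tag removed)."""
    dst, src, vid, _, ethertype, payload = parse_frame(frame)
    vlan = pvid if vid in (None, 0) else vid
    return vlan, build_frame(dst, src, ethertype, payload)


def crosses_native_mismatch(vlan_id, pvid_a, pvid_b):
    """True when a frame in vlan_id sent by a trunk with PVID pvid_a is placed into
    a different VLAN by the far end with PVID pvid_b. This is why the native VLAN
    must be the same on both ends of an 802.1Q trunk."""
    # Constructed sample frame: broadcast destination, documentation-range source MAC.
    frame = build_frame(b"\xff" * 6, b"\x00\x00\x5e\x00\x53\x01",
                        ETHERTYPE_IPV4, b"constructed payload")
    on_wire = trunk_egress(frame, vlan_id, pvid_a)
    far_vlan, _ = trunk_ingress(on_wire, pvid_b)
    return far_vlan != vlan_id
```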

Dynamic Trunking Protocol (DTP)
• Access - Puts the interface into permanent non-trunking mode and negotiates to convert the link into a non-trunk link. The interface becomes a non-trunk interface even if the neighboring interface does not agree to the change.
• Trunk - Puts the interface into permanent trunking mode and negotiates to convert the link into a trunk link. The interface becomes a trunk interface even if the neighboring interface does not agree to the change.
• Nonegotiate - Puts the interface into permanent trunking mode but prevents the interface from generating DTP frames. You must configure the neighboring interface manually as a trunk interface to establish a trunk link. Use this mode when connecting to a device that does not support DTP.
• Dynamic desirable - Makes the interface actively attempt to convert the link to a trunk link. The interface becomes a trunk interface if the neighboring interface is set to trunk, desirable, or auto mode.
• Dynamic auto - Makes the interface willing to convert the link to a trunk link. The interface becomes a trunk interface if the neighboring interface is set to trunk or desirable mode. This is the default mode for all Ethernet interfaces in Cisco IOS.

Design with VLAN Trunks
• Trunks interconnect access layer switches.
• Trunks connect access layer switches to distribution layer switches.
• Layer 3 links interconnect core and distribution layer switches.
• Access layer switches are configured in a spanning-tree, loop-free, V-shaped topology.
• If one distribution link fails, HSRP or VRRP provide an alternative default gateway.
• Recommended: turn off DTP and manually prune VLANs on trunks.

Configuring an Interface for Trunking
• Select the encapsulation type:
  Switch(config-if)# switchport trunk encapsulation {isl | dot1q | negotiate}
• Configure the interface as a Layer 2 trunk:
  Switch(config-if)# switchport mode {dynamic {auto | desirable} | trunk}
• Specify the native VLAN:
  Switch(config-if)# switchport trunk native vlan vlan-id
• Configure the allowable VLANs for this trunk:
  Switch(config-if)# switchport trunk allowed vlan {add | except | all | remove} vlan-id[,vlan-id[,vlan-id[...]]]

Switch(config)# interface FastEthernet 5/8
Switch(config-if)# switchport trunk encapsulation dot1q     (optional)
Switch(config-if)# switchport mode trunk
Switch(config-if)# switchport nonegotiate
Switch(config-if)# switchport trunk allowed vlan 1-100
Switch(config-if)# no shutdown
Switch(config-if)# end

Verifying Trunk Configuration

Switch# show running-config interface f5/8
Building configuration...
Current configuration:
!
interface FastEthernet5/8
 switchport mode dynamic desirable
 switchport trunk encapsulation dot1q
end

Switch# show interfaces f5/8 switchport
Name: Fa5/8
Switchport: Enabled
Administrative Mode: dynamic desirable
Operational Mode: trunk
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: Enabled
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001

Switch# show interfaces f5/8 trunk
Port      Mode         Encapsulation  Status        Native vlan
Fa5/8     desirable    n-802.1q       trunking      1

Port      Vlans allowed on trunk
Fa5/8     1-1005

Troubleshooting Trunk Links
• Ensure that the Layer 2 interface mode configured on both ends of the link is valid. The trunk mode should be trunk or desirable for at least one side of the trunk.
• Ensure that the trunk encapsulation type configured on both ends of the link is valid and compatible.
• On IEEE 802.1Q trunks, make sure the native VLAN is the same on both ends of the trunk.
• When using DTP, ensure that both ends of the link are in the same VTP domain.
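An added example, not part of the Cisco slides: a small Python audit that reads a running-config (the sample below is constructed) and reports ports that violate the VLAN best practices and DTP guidance from the earlier slides, namely ports left in a dynamic DTP mode, trunks without switchport nonegotiate, native VLAN 1, all VLANs allowed on a trunk, and non-trunk ports left in VLAN 1. The defaults assumed for missing lines are the IOS defaults named on those slides.

```python
import re
from typing import Dict, List

# Constructed sample running-config (not taken from the slides): a correctly
# configured access port, a bare port, a hardened trunk and a trunk left at defaults.
SAMPLE_CONFIG = """\
!
interface FastEthernet0/1
 description PC A
 switchport access vlan 200
 switchport mode access
!
interface FastEthernet0/2
 description unused
!
interface GigabitEthernet0/1
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,30
 switchport mode trunk
 switchport nonegotiate
!
interface GigabitEthernet0/2
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
"""


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Group the indented lines under each 'interface ...' stanza."""
    interfaces: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            interfaces[current] = []
        elif current is not None and raw.startswith(" "):
            interfaces[current].append(raw.strip())
        else:
            current = None          # '!' or any other top-level line ends the stanza
    return interfaces


def audit_interface(lines: List[str]) -> List[str]:
    """Best-practice findings for one port, starting from the IOS defaults."""
    mode = None                     # no 'switchport mode' line: a dynamic DTP mode applies
    native_vlan = 1                 # default native VLAN
    allowed = "ALL"                 # default: every VLAN allowed on the trunk
    access_vlan = 1                 # default access VLAN
    nonegotiate = False
    for line in lines:
        m = re.fullmatch(r"switchport mode (\S+).*", line)
        if m:
            mode = m.group(1)
        m = re.fullmatch(r"switchport trunk native vlan (\d+)", line)
        if m:
            native_vlan = int(m.group(1))
        m = re.fullmatch(r"switchport trunk allowed vlan (.+)", line)
        if m:
            allowed = m.group(1)
        m = re.fullmatch(r"switchport access vlan (\d+)", line)
        if m:
            access_vlan = int(m.group(1))
        if line == "switchport nonegotiate":
            nonegotiate = True
        if line == "switchport host":
            mode = "access"         # the macro sets mode access (plus portfast, no channel)
    findings = []
    if mode is None or mode.startswith("dynamic"):
        findings.append("DTP can negotiate a trunk: set 'switchport mode access' or 'trunk' explicitly")
    if mode == "trunk":
        if not nonegotiate:
            findings.append("trunk still emits DTP frames: add 'switchport nonegotiate'")
        if native_vlan == 1:
            findings.append("native VLAN is 1: use a dedicated, otherwise unused native VLAN")
        if allowed == "ALL":
            findings.append("all VLANs allowed: prune with 'switchport trunk allowed vlan'")
    elif access_vlan == 1:
        findings.append("port sits in VLAN 1: move user and unused ports to a dedicated VLAN")
    return findings


def audit_config(config: str) -> Dict[str, List[str]]:
    """Map each interface name to its findings (an empty list means clean)."""
    return {name: audit_interface(lines) for name, lines in parse_interfaces(config).items()}
```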

VLAN Trunking Protocol

VLAN Trunking Protocol (VTP)
• VTP is a Cisco-proprietary protocol that automates the propagation of VLAN information between switches via trunk links. This minimizes misconfigurations and configuration inconsistencies.
• VTP domains define sets of interconnected switches sharing the same VTP configuration.
• Three types of VTP messages are sent via Layer 2 multicast on VLAN 1.
• VTP does not configure switch ports for VLAN membership.

VTP Modes

Mode         Description
Client       ‡ Cannot create, change, or delete VLANs on command-line interface (CLI).
             ‡ Forwards advertisements to other switches.
             ‡ Synchronizes VLAN configuration with latest information received from other switches in the management domain.
             ‡ Does not save VLAN configuration in nonvolatile RAM (NVRAM).
Server       ‡ Can create, modify, and delete VLANs.
             ‡ Sends and forwards advertisements to other switches.
             ‡ Synchronizes VLAN configuration with latest information received from other switches in the management domain.
             ‡ Saves VLAN configuration in NVRAM.
Transparent  ‡ Can create, modify, and delete VLANs only on the local switch.
             ‡ Forwards VTP advertisements received from other switches in the same management domain.
             ‡ Does not synchronize its VLAN configuration with information received from other switches in the management domain.
             ‡ Saves VLAN configuration in NVRAM.

VTP Operation

VTP Pruning
• VTP pruning prevents flooded traffic from propagating to switches that do not have members in specific VLANs.
• VTP pruning uses VLAN advertisements to determine when a trunk connection is flooding traffic needlessly.
• Switches 1 and 4 in the figure support ports statically configured in the Red VLAN. The broadcast traffic from Station A is not forwarded to Switches 3, 5, and 6 because traffic for the Red VLAN has been pruned on the links indicated on Switches 2 and 4.

VTP Versions
• Three VTP versions: V1, V2, V3.
• Versions are not interoperable (e.g., V2 supports token ring VLANs but V1 does not).
• Unrecognized Type-Length-Value (TLV) configuration changes are propagated by V2 servers and clients and these unrecognized TLVs can be stored in NVRAM.
• V1 transparent switches inspect VTP messages for the domain name and version and forward a message only if the version and domain name match. V2 transparent switches forward VTP messages in transparent mode without checking versions.
• V2 performs VLAN consistency checks (VLAN names and values) only when you enter new information through the CLI or via SNMP. V2 does not perform checks when new information is obtained from a VTP message or when information is read from NVRAM. If the MD5 hash on a received VTP message is correct, V2 accepts the VTP message information.

VTP Message Types
• Summary Advertisements
• Subset Advertisements
• Advertisement Requests

VTP Summary Advertisements
• By default, Catalyst switches issue summary advertisements in 5-minute increments. Summary advertisements inform adjacent switches of the current VTP domain name and the configuration revision number.
• When the switch receives a summary advertisement packet, the switch compares the VTP domain name to its own VTP domain name. If the name is different, the switch ignores the packet. If the name is the same, the switch then compares the configuration revision to its own revision. If its own configuration revision is higher or equal, the packet is ignored. If it is lower, an advertisement request is sent.

VTP Subset Advertisements
• When you add, delete, or change a VLAN, the VTP server where the changes are made increments the configuration revision and issues a summary advertisement. One or several subset advertisements follow the summary advertisement.
• A subset advertisement contains a list of VLAN information. If there are several VLANs, more than one subset advertisement can be required to advertise all the VLANs.

VTP Advertisement Requests
• A switch issues a VTP advertisement request in these situations:
  ‡ The switch has been reset.
  ‡ The VTP domain name has been changed.
  ‡ The switch has received a VTP summary advertisement with a higher configuration revision than its own.
• Upon receipt of an advertisement request, a VTP device sends a summary advertisement.
• One or more subset advertisements follow the summary advertisement.

VTP Authentication
• VTP domains can be secured by using the VTP password feature. It is important to make sure that all the switches in the VTP domain have the same password and domain name; otherwise, a switch will not become a member of the VTP domain.
• Cisco switches use MD5 to encode passwords in 16-byte words. These passwords propagate inside VTP summary advertisements.
• In VTP, passwords are case-sensitive and can be 8 to 64 characters in length. The use of VTP authentication is a recommended practice.
• By default, a Catalyst switch does not have a VTP password. The switch does not automatically set the password parameter, unlike other parameters that are set automatically when a VTP advertisement is received.
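As an added example (not from the Cisco slides), this Python model walks through the summary advertisement handling from the VTP Summary Advertisements slide together with the password check above: the domain name is compared first, then the configuration revision, then an advertisement request goes out, and the subset advertisement that answers it is accepted only when the MD5 digest recomputed with the local password matches. The digest layout, the class names and the decision strings are simplifications and assumptions of this example, not the real VTP wire format; the domain and password values come from the configuration example on the following slides.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Dict


@dataclass
class SummaryAdvertisement:
    domain: str
    revision: int
    digest: bytes            # 16-byte MD5 carried in the summary advertisement


@dataclass
class VtpSwitch:
    domain: str
    password: str
    revision: int = 0
    vlans: Dict[int, str] = field(default_factory=lambda: {1: "default"})

    def _digest(self, domain: str, revision: int, vlans: Dict[int, str]) -> bytes:
        # Simplified stand-in for the VTP MD5 digest: hash the password together with
        # the domain, revision and VLAN database. The real on-the-wire layout differs.
        h = hashlib.md5()
        h.update(self.password.encode())
        h.update(domain.encode())
        h.update(revision.to_bytes(4, "big"))
        for vid in sorted(vlans):
            h.update(f"{vid}:{vlans[vid]};".encode())
        return h.digest()

    def add_vlan(self, vid: int, name: str) -> None:
        """Server-side change: the revision is bumped and a summary advertisement follows."""
        self.vlans[vid] = name
        self.revision += 1

    def summary(self) -> SummaryAdvertisement:
        return SummaryAdvertisement(self.domain, self.revision,
                                    self._digest(self.domain, self.revision, self.vlans))

    def receive_summary(self, adv: SummaryAdvertisement) -> str:
        """The slide's decision sequence for an incoming summary advertisement."""
        if adv.domain != self.domain:
            return "ignored: domain mismatch"
        if adv.revision <= self.revision:
            return "ignored: revision not higher"
        return "advertisement request sent"

    def receive_subset(self, adv: SummaryAdvertisement, vlans: Dict[int, str]) -> str:
        """Subset advertisement answering the request: the VLAN list is taken over
        only if the digest recomputed with the local password matches the one
        that arrived in the summary advertisement."""
        if self._digest(adv.domain, adv.revision, vlans) != adv.digest:
            return "rejected: config digest error"
        self.vlans = dict(vlans)
        self.revision = adv.revision
        return "synchronized"
```

A mismatching password therefore surfaces as a digest error on the receiving switch, which is what the "Number of config digest errors" counter in show vtp counters reports.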

Configuring VTP
• Step 1. Enter global configuration mode:
  Switch# configure terminal
• Step 2. Configure the VTP mode as server:
  Switch(config)# vtp mode server
• Step 3. Configure the domain name:
  Switch(config)# vtp domain domain_name
• Step 4. (Optional.) Enable VTP version 2:
  Switch(config)# vtp version 2
• Step 5. (Optional.) Specify a VTP password:
  Switch(config)# vtp password password_string
• Step 6. (Optional.) Enable VTP pruning in the management domain:
  Switch(config)# vtp pruning

VTP Configuration Example
• This example creates a VTP server with domain name Modular_Form, password genus, and pruning enabled.

Switch# configure terminal
Switch(config)# vtp mode server
Setting device to VTP SERVER mode.
Switch(config)# vtp domain Modular_Form
Switch(config)# vtp password genus
Switch(config)# vtp pruning
Switch(config)# end

Verifying VTP Configuration (1)
• The most useful command for verifying VTP configuration is the show vtp status command. The output displayed includes the VTP version, the VTP configuration revision number, the number of VLANs supported locally, the VTP operating mode, the VTP domain name, and the VTP pruning mode.

Switch# show vtp status
VTP Version                     : 2
Configuration Revision          : 247
Maximum VLANs supported locally : 1005
Number of existing VLANs        : 33
VTP Operating Mode              : Server
VTP Domain Name                 : Modular_Form
VTP Pruning Mode                : Enabled
VTP V2 Mode                     : Disabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0x45 0x52 0xB6 0xFD 0x63 0xC8 0x49 0x80
Configuration last modified by 0.0.0.0 at 8-12-99 15:04:4

Verifying VTP Configuration (2)
• Use the show vtp counters command to display statistics about VTP operation. If there are any problems regarding the VTP operation, this command helps look for VTP message type updates.

Switch# show vtp counters
VTP statistics:
Summary advertisements received    : 7
Subset advertisements received     : 5
Request advertisements received    : 0
Summary advertisements transmitted : 997
Subset advertisements transmitted  : 13
Request advertisements transmitted : 3
Number of config revision errors   : 0
Number of config digest errors     : 0
Number of V1 summary errors        : 0

VTP pruning statistics:

Trunk    Join Transmitted  Join Received  Summary advts received from non-pruning-capable device
-------  ----------------  -------------  ------------------------------------------------------
Fa5/8    43071             42766          5

VTP Troubleshooting
• Check that switches are interconnected by active trunk links.
• Check the VTP mode of the switches.
• Check VTP domain name (case-sensitive) and password.
• Check that the trunking protocol matches on opposite ends of a trunk link.
• Check the VTP versions of the switches.

Private VLANs

Motivation for Private VLANs
• Service providers often have devices from multiple clients, in addition to their own servers, in a single Demilitarized Zone (DMZ) segment or VLAN. As security issues abound, it becomes more important to provide traffic isolation between devices, even though they might exist on the same Layer 3 segment and VLAN.
• Most Cisco IOS-based switches implement private VLANs to keep some switch ports shared and some switch ports isolated, even though all ports remain in the same VLAN.

pVLAN Port Types
• Isolated
• Promiscuous
• Community

pVLAN Structure
Supporting VLANs:
• Primary Private VLAN
• Secondary Private VLAN
• Community Private VLAN
• Isolated Private VLAN

Configuring pVLANs - Steps
• Step 1. Set VTP mode to transparent.
• Step 2. Create the secondary pVLANs.
• Step 3. Create the primary pVLAN.
• Step 4. Associate the secondary pVLAN with the primary pVLAN.
  ‡ Only one isolated pVLAN can be mapped to a primary pVLAN, but more than one community pVLAN can be mapped to a primary pVLAN.
• Step 5. Configure an interface as an isolated or community port.
• Step 6. Associate the isolated port or community port with the primary-secondary pVLAN pair.
• Step 7. Configure an interface as a promiscuous port.
• Step 8. Map the promiscuous port to the primary-secondary pVLAN pair.

Configuring pVLANs - Commands

Switch(config)# vlan pvlan-id
Switch(config-vlan)# private-vlan {community | isolated | primary}
Switch(config-vlan)# exit
Switch(config)# vlan primary-vlan-id
Switch(config-vlan)# private-vlan association {secondary-vlan-list | add secondary-vlan-list | remove secondary-vlan-list}
Switch(config-vlan)# interface vlan primary-vlan-id
Switch(config-if)# private-vlan mapping {secondary-vlan-list | add secondary-vlan-list | remove secondary-vlan-list}
Switch(config-if)# interface type slot/port
Switch(config-if)# switchport
Switch(config-if)# switchport mode private-vlan {host | promiscuous}
Switch(config-if)# switchport private-vlan host-association primary-vlan-id secondary-vlan-id
Switch(config-if)# switchport private-vlan mapping primary-vlan-id {secondary-vlan-list | add secondary-vlan-list | remove secondary-vlan-list}

Verifying pVLAN Configuration
• The two most useful commands for this purpose are show interface switchport and show vlan private-vlan.

Switch# show vlan private-vlan
Primary Secondary Type              Interfaces
------- --------- ----------------- -----------------
100     200       community
100     300       isolated

Switch# show interfaces FastEthernet 5/2 switchport
Name: Fa5/2
Switchport: Enabled
Administrative Mode: private-vlan host
Operational Mode: down
Administrative Trunking Encapsulation: negotiate
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Administrative private-vlan host-association: 100 (VLAN0200) 300 (VLAN0300)
Administrative private-vlan mapping: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled

pVLAN Scenario 1: Single Switch
• A corporate DMZ contains two DNS servers, one web server and one SMTP server. All servers and their connecting router are in the same subnet.
• DNS servers are redundant copies, so they need to communicate with each other to update their entries. In addition to that, they also need to communicate with the Internet.
• The Web Server and the SMTP server need to communicate with the Internet, but for security purposes, the SMTP server should not be reachable from the Web or the DNS servers. The web server needs to be accessible from the Internet but not from the SMTP server.

pVLAN Configuration for Scenario 1

Switch(config)# vtp transparent
Switch(config)# vlan 201
Switch(config-vlan)# private-vlan isolated
Switch(config)# vlan 202
Switch(config-vlan)# private-vlan community
Switch(config-vlan)# vlan 100
Switch(config-vlan)# private-vlan primary
Switch(config-vlan)# private-vlan association 201,202
Switch(config-vlan)# interface fastethernet 0/24
Switch(config-if)# switchport mode private-vlan promiscuous
Switch(config-if)# switchport private-vlan mapping 100 201,202
Switch(config-if)# interface range fastethernet 0/1 - 2
Switch(config-if)# switchport mode private-vlan host
Switch(config-if)# switchport private-vlan host-association 100 202
Switch(config-if)# interface range fastethernet 0/3 - 4
Switch(config-if)# switchport mode private-vlan host
Switch(config-if)# switchport private-vlan host-association 100 201
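As an added example (not from the Cisco slides), the Python below models the private VLAN forwarding rules (isolated, community and promiscuous ports, plus the secondary-VLAN mapping on the promiscuous port) and checks that the Scenario 1 configuration above yields exactly the reachability the DMZ requirements call for. The server and port names are constructed labels for Fa0/1-4 and Fa0/24; the reachability function works for any port set, not only this scenario.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Set, Tuple


class PortType(Enum):
    ISOLATED = "isolated"        # talks only to promiscuous ports
    COMMUNITY = "community"      # talks to its own community and to promiscuous ports
    PROMISCUOUS = "promiscuous"  # talks to every secondary VLAN mapped to it


@dataclass
class PvlanPort:
    name: str
    kind: PortType
    primary: int
    secondary: Optional[int] = None                 # host ports: their isolated/community VLAN
    mapped: Set[int] = field(default_factory=set)   # promiscuous ports: mapped secondary VLANs


def can_forward(src: PvlanPort, dst: PvlanPort) -> bool:
    """Private VLAN forwarding rules between two ports of one switch."""
    if src is dst or src.primary != dst.primary:
        return False
    if src.kind is PortType.PROMISCUOUS and dst.kind is PortType.PROMISCUOUS:
        return True
    if src.kind is PortType.PROMISCUOUS:
        return dst.secondary in src.mapped           # only mapped secondaries are reachable
    if dst.kind is PortType.PROMISCUOUS:
        return src.secondary in dst.mapped
    # both are host ports: only members of the same community may talk to each other
    return (src.kind is PortType.COMMUNITY and dst.kind is PortType.COMMUNITY
            and src.secondary == dst.secondary)


def reachability(ports: List[PvlanPort]) -> Dict[Tuple[str, str], bool]:
    """Full directed reachability matrix keyed by (source name, destination name)."""
    return {(a.name, b.name): can_forward(a, b) for a in ports for b in ports if a is not b}


# Scenario 1 from the slides: DNS servers on Fa0/1-2 in community 202, web and SMTP
# on Fa0/3-4 in isolated 201, the router on promiscuous Fa0/24 mapped to 201 and 202.
SCENARIO_1 = [
    PvlanPort("dns1", PortType.COMMUNITY, 100, 202),
    PvlanPort("dns2", PortType.COMMUNITY, 100, 202),
    PvlanPort("web", PortType.ISOLATED, 100, 201),
    PvlanPort("smtp", PortType.ISOLATED, 100, 201),
    PvlanPort("router", PortType.PROMISCUOUS, 100, mapped={201, 202}),
]


def check_scenario_1() -> bool:
    """True when the model satisfies the DMZ requirements stated on the scenario slide."""
    r = reachability(SCENARIO_1)
    required = [("dns1", "dns2"), ("dns2", "dns1"), ("dns1", "router"),
                ("web", "router"), ("smtp", "router"), ("router", "web")]
    forbidden = [("web", "smtp"), ("smtp", "web"), ("web", "dns1"),
                 ("dns1", "smtp"), ("smtp", "dns2")]
    return all(r[p] for p in required) and not any(r[p] for p in forbidden)
```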

pVLAN Scenario 2: Multiple Switches
• A trunk port carries the primary VLAN and secondary VLANs to a neighboring switch just like any other VLAN.
• A feature of pVLANs across multiple switches is that traffic from an isolated port in one switch does not reach an isolated port on another switch.
• Configure pVLANs on all switches on the path, which includes devices that have no pVLAN ports, to maintain the security of your pVLAN configuration, and avoid using other VLANs configured as pVLANs.
• As shown in the figure, the switches SWA and SWB have the same pVLANs on two different switches and are connected through the trunk link.

pVLAN Configuration for Scenario 2
 To configure a Layer 2 interface as a private VLAN trunk port, use the interface command:
   Switch(config-if)# switchport private-vlan association trunk primary_vlan_ID secondary_vlan_ID
 If the port is set to promiscuous, use the mapping command:
   Switch(config-if)# switchport private-vlan mapping primary_vlan_ID secondary_vlan_list
 Once the trunk is configured, allow VLANs with the command:
   Switch(config-if)# switchport private-vlan trunk allowed vlan vlan_list
 Configure the native VLAN with the following command:
   Switch(config-if)# switchport private-vlan trunk native vlan vlan_id

Switch(config)# interface fastethernet 5/2
Switch(config-if)# switchport mode private-vlan trunk secondary
Switch(config-if)# switchport private-vlan trunk native vlan 10
Switch(config-if)# switchport private-vlan trunk allowed vlan 10,3,301-302
Switch(config-if)# switchport private-vlan association trunk 3 301
Switch(config-if)# switchport private-vlan association trunk 3 302

pVLAN Verification for Scenario 2
Switch# show interfaces fastethernet 5/2 switchport
Name: Fa5/2
Switchport: Enabled
Administrative Mode: private-vlan trunk secondary
Operational Mode: private-vlan trunk secondary
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: 10
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk associations: 3 (VLAN0003) 301 (VLAN0301)
Administrative private-vlan trunk mappings: none
Operational private-vlan: none
Operational Normal VLANs: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001

pVLAN Edge (Protected Port) Feature
 The PVLAN edge (protected port) feature has only local significance to the switch (unlike pVLANs), and there is no isolation provided between two protected ports located on different switches.
 A protected port does not forward any traffic to any other port that is also a protected port on the same switch.
 Traffic cannot be forwarded between protected ports at L2; all traffic passing between protected ports must be forwarded through an L3 device.
Switch(config-if)# switchport protected

Configuring Link Aggregation with EtherChannel

EtherChannel Technology
 Up to 8 physical links can be bundled into a single logical EtherChannel link.
 EtherChannels can be L2 or L3 interfaces.
 Usually EtherChannel is used for trunk links.
 Configuration applied to the port channel interface affects all physical interfaces assigned to the port channel.
 Load balancing takes place between the physical links in an EtherChannel.

EtherChannel Management Protocols
 Port Aggregation Protocol (PAgP) is a Cisco-proprietary protocol that aids in the automatic creation of Fast EtherChannel links.
   • When an EtherChannel link is configured using PAgP, PAgP packets are sent between Fast EtherChannel-capable ports to negotiate the forming of a channel.
   • When PAgP identifies matched Ethernet links, it groups the links into an EtherChannel. Spanning tree adds the EtherChannel as a single bridge port.
 Link Aggregation Control Protocol (LACP) is part of an IEEE specification (802.3ad) that also enables several physical ports to be bundled together to form an EtherChannel.
   • LACP enables a switch to negotiate an automatic bundle by sending LACP packets to the peer.
   • It performs a similar function as PAgP with Cisco EtherChannel.
   • Because LACP is an IEEE standard, you can use it to facilitate EtherChannels in mixed-switch environments. In a Cisco environment, both protocols are supported.

PAgP Modes

Mode        Purpose
Auto        Places an interface in a passive negotiating state in which the interface responds to the PAgP packets that it receives but does not initiate PAgP negotiation (default).
Desirable   Places an interface in an active negotiating state in which the interface initiates negotiations with other interfaces by sending PAgP packets.
On          Forces the interface to channel without PAgP. Interfaces configured in the "on" mode do not exchange PAgP packets.
Non-silent  If a switch is connected to a partner that is PAgP-capable, configure the switch interface for non-silent operation. The non-silent keyword is always used with the auto or desirable mode. If you do not specify non-silent with the auto or desirable mode, silent is assumed. The silent setting is for connections to file servers or packet analyzers; this setting enables PAgP to operate, to attach the interface to a channel group, and to use the interface for transmission.

LACP Modes

Mode        Purpose
Passive     Places a port in a passive negotiating state. In this state, the port responds to the LACP packets that it receives but does not initiate LACP packet negotiation (default).
Active      Places a port in an active negotiating state. In this state, the port initiates negotiations with other ports by sending LACP packets.
On          Forces the interface to the channel without PAgP or LACP.

Configuring EtherChannel
 Step 1. Specify the interfaces that will compose the EtherChannel group. Using the range command enables you to select several interfaces and configure them all together. A good practice is to start by shutting down these interfaces, so that an incomplete configuration will not start to create activity on the link:
   Switch(config)# interface range interface_type [interface_range]
 Step 2. Specify the channeling protocol to be used. This command is not applicable to all Catalyst platforms. You can also specify the channeling protocol at Step 3:
   Switch(config-if-range)# channel-protocol {pagp | lacp}
 Step 3. Create the port-channel interface, if necessary, and assign the specified interfaces to it:
   Switch(config-if-range)# channel-group number mode {active | on | {auto [non-silent]} | {desirable [non-silent]} | passive}
 Step 4. Specify the port-channel interface. When in the interface configuration mode, you can configure additional parameters. The physical interfaces will inherit these parameters. When this configuration is complete, you can reenable the physical ports in the EtherChannel bundle:
   Switch(config)# interface port-channel number
   Switch(config-if)# interface parameters

Example: EtherChannel Configuration
Switch(config)# interface fastethernet 0/23
Switch(config-if)# channel-group 2 mode active
Switch(config-if)# interface fastethernet 0/24
Switch(config-if)# channel-group 2 mode active
Switch(config-if)# interface port-channel 2
Switch(config-if)# switchport mode trunk
Switch(config-if)# switchport trunk native vlan 99
Switch(config-if)# switchport trunk allowed vlan 2,3,99

Remote switch configuration
! Both ends must negotiate LACP (active/active or active/passive);
! a port in "on" mode sends no LACP packets and will not bundle with an active peer.
RSwitch(config)# interface fastethernet 0/23
RSwitch(config-if)# channel-group 5 mode active
RSwitch(config-if)# interface fastethernet 0/24
RSwitch(config-if)# channel-group 5 mode active
RSwitch(config-if)# interface port-channel 5
RSwitch(config-if)# switchport mode trunk
RSwitch(config-if)# switchport trunk native vlan 99
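The mode rules from the PAgP and LACP tables above and the configuration steps, as an added example that is not part of the course material: a Python check that decides whether the channel-group modes on the two ends of an EtherChannel will negotiate a bundle, and that pulls those modes out of running-config excerpts. The config excerpts are constructed (the remote side deliberately uses "on" against an LACP active peer, to show the pairing an audit should catch); the function names are assumptions.

```python
"""Added example (not from the course): check whether the channel-group modes
configured on the two ends of an EtherChannel will actually negotiate a bundle,
using the PAgP and LACP mode rules from the tables above."""
import re

PAGP_MODES = {"auto", "desirable"}
LACP_MODES = {"active", "passive"}


def protocol_of(mode):
    """Map a channel-group mode keyword to the protocol it speaks (None for 'on')."""
    if mode in PAGP_MODES:
        return "PAgP"
    if mode in LACP_MODES:
        return "LACP"
    if mode == "on":
        return None
    raise ValueError(f"unknown channel-group mode: {mode}")


def bundle_forms(local_mode, remote_mode):
    """Return (forms, reason) for one pair of member-port modes."""
    lp, rp = protocol_of(local_mode), protocol_of(remote_mode)
    if lp is None and rp is None:
        return True, "on/on: channel forced on both ends without negotiation"
    if lp is None or rp is None:
        return False, "'on' sends no PAgP/LACP packets, so the negotiating end never bundles"
    if lp != rp:
        return False, f"protocol mismatch: {lp} vs {rp}"
    if lp == "PAgP":
        if "desirable" in (local_mode, remote_mode):
            return True, "PAgP: a desirable end initiates negotiation"
        return False, "PAgP: auto/auto, neither end initiates"
    if "active" in (local_mode, remote_mode):
        return True, "LACP: an active end initiates negotiation"
    return False, "LACP: passive/passive, neither end initiates"


CHANNEL_GROUP_RE = re.compile(r"channel-group\s+(\d+)\s+mode\s+(\S+)")


def member_modes(config_text):
    """Collect the set of modes used by each channel-group in a config excerpt."""
    groups = {}
    for m in CHANNEL_GROUP_RE.finditer(config_text):
        groups.setdefault(int(m.group(1)), set()).add(m.group(2))
    return groups


def audit_pair(local_cfg, local_group, remote_cfg, remote_group):
    """Audit one EtherChannel spanning two switches. Returns (forms, reasons)."""
    reasons = []
    local_modes = member_modes(local_cfg).get(local_group, set())
    remote_modes = member_modes(remote_cfg).get(remote_group, set())
    if len(local_modes) != 1 or len(remote_modes) != 1:
        reasons.append("members of a channel-group must all use the same mode")
        return False, reasons
    forms, why = bundle_forms(next(iter(local_modes)), next(iter(remote_modes)))
    reasons.append(why)
    return forms, reasons


# Constructed config excerpts (not from the course): the local side uses LACP
# active; the remote side uses 'on', the pairing a reviewer should flag.
LOCAL_CFG = """
interface FastEthernet0/23
 channel-group 2 mode active
interface FastEthernet0/24
 channel-group 2 mode active
"""
REMOTE_CFG_ON = """
interface FastEthernet0/23
 channel-group 5 mode on
interface FastEthernet0/24
 channel-group 5 mode on
"""
REMOTE_CFG_FIXED = REMOTE_CFG_ON.replace("mode on", "mode active")

if __name__ == "__main__":
    print(audit_pair(LOCAL_CFG, 2, REMOTE_CFG_ON, 5))
    print(audit_pair(LOCAL_CFG, 2, REMOTE_CFG_FIXED, 5))
```

Group numbers are only locally significant, which is why the audit takes a separate group number for each end; what has to agree is the protocol and at least one initiating mode.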

Verifying EtherChannel (1)
 You can use several commands to verify an EtherChannel configuration. On any physical interface member of an EtherChannel bundle, the show interfaces interface_id etherchannel command provides information on the role of the interface in the EtherChannel.
 Interface FastEthernet 0/24 below is part of EtherChannel bundle 1.
 The protocol for this EtherChannel is LACP.
Switch# show interfaces fa0/24 etherchannel
Port state    = Up Sngl-port-Bndl Mstr Not-in-Bndl
Channel group = 1        Mode = Active     Gcchange =
Port-channel  = null     GC =              Pseudo port-channel = Po1
Port index    = 0        Load = 0x00       Protocol = LACP

Verifying EtherChannel (2)
 The show etherchannel number port-channel command can be used to display information about a specific port-channel.
 Below, Port-channel 1 consists of two physical ports, Fa0/23 and Fa0/24.
 It uses LACP in active mode.
 It is properly connected to another switch with a compatible configuration. This is why the port-channel is said to be in use.
Switch# show etherchannel 1 port-channel
Port-channels in the group:
---------------------------
Port-channel: Po7 (Primary Aggregator)
Age of the Port-channel = 195d:03h:10m:44s
Logical slot/port = 0/1          Number of ports = 2
Port state = Port-channel Ag-Inuse
Protocol = LACP
Ports in the Port-channel:
Index   Load   Port     EC state        No of bits
------+------+--------+--------------+-----------
  0     55     fa0/23   Active          4
  1     45     fa0/24   Active          4

Verifying EtherChannel (3)
 When several port-channel interfaces are configured on the same device, the show etherchannel summary command is useful for displaying one-line information per port-channel.
 As shown below, the switch has three EtherChannels configured: Groups 2 and 7 use LACP and Group 9 uses PAgP. All three groups are Layer 2 EtherChannels and are all in use (SU next to the port-channel number). Each EtherChannel has the member interfaces listed.
Switch# show etherchannel summary
Flags:  D - down        P - bundled in port-channel
        I - stand-alone s - suspended
        H - Hot-standby (LACP only)
        R - Layer3      S - Layer2
        U - in use      f - failed to allocate aggregator
        M - not in use, minimum links not met
        u - unsuitable for bundling
        w - waiting to be aggregated
        d - default port
Number of channel-groups in use: 2
Number of aggregators:           2
Group  Port-channel  Protocol    Ports
------+-------------+-----------+-------------------------------------------
2      Po2(SU)         LACP      g0/49(P)    g0/50(P)    g0/51(P)    g0/52(P)
7      Po7(SU)         LACP      g0/47(P)    g0/48(P)
9      Po9(SU)         PAgP      g0/8(P)     g0/9(P)
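Reading this output by eye does not scale across many switches, so here is an added example that is not part of the course material: a Python parser for show etherchannel summary that extracts each group, its flags, protocol and member ports, and an audit that flags any bundle that is not in use or any member that is not bundled. The sample output is constructed, adapted from the one above with group 9 altered to show a failed negotiation (the (SD), (I) and (s) flags there are not from the course slide); function names are assumptions.

```python
"""Added example (not from the course): parse the output of
`show etherchannel summary` and flag bundles that are not fully operational."""
import re

# Constructed sample, adapted from the output shown above; group 9 is altered
# to show a bundle whose members failed to negotiate (assumption, not page data).
SAMPLE_SUMMARY = """\
Switch# show etherchannel summary
Flags:  D - down        P - bundled in port-channel
        I - stand-alone s - suspended
        H - Hot-standby (LACP only)
        R - Layer3      S - Layer2
        U - in use      f - failed to allocate aggregator
        M - not in use, minimum links not met
        u - unsuitable for bundling
        w - waiting to be aggregated
        d - default port

Number of channel-groups in use: 3
Number of aggregators:           3

Group  Port-channel  Protocol    Ports
------+-------------+-----------+-----------------------------------------------
2      Po2(SU)         LACP      g0/49(P)    g0/50(P)    g0/51(P)    g0/52(P)
7      Po7(SU)         LACP      g0/47(P)    g0/48(P)
9      Po9(SD)         PAgP      g0/8(I)     g0/9(s)
"""

# One table row: group number, Po name, flags in parentheses, protocol, then ports.
ROW_RE = re.compile(r"^(\d+)\s+(Po\d+)\(([A-Za-z]+)\)\s+(\S+)\s*(.*)$")
PORT_RE = re.compile(r"(\S+?)\(([A-Za-z]+)\)")


def parse_summary(text):
    """Return one dict per port-channel row: group, port_channel, flags,
    protocol and a list of (port, flag) tuples for the members."""
    groups = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue  # flag legend, counters, separators
        groups.append({
            "group": int(m.group(1)),
            "port_channel": m.group(2),
            "flags": m.group(3),
            "protocol": m.group(4),
            "ports": PORT_RE.findall(m.group(5)),
        })
    return groups


def layer_of(flags):
    """2 for a Layer 2 bundle (S), 3 for a Layer 3 bundle (R), None otherwise."""
    return 2 if "S" in flags else 3 if "R" in flags else None


def audit_bundles(groups):
    """Return (port_channel, problem) findings for anything not healthy:
    the aggregator must be in use (U) and every member bundled (P)."""
    findings = []
    for g in groups:
        if "U" not in g["flags"]:
            findings.append((g["port_channel"],
                             f"port-channel not in use (flags {g['flags']})"))
        bad = [(p, f) for p, f in g["ports"] if f != "P"]
        if bad:
            findings.append((g["port_channel"], "members not bundled: "
                             + ", ".join(f"{p}({f})" for p, f in bad)))
    return findings


if __name__ == "__main__":
    parsed = parse_summary(SAMPLE_SUMMARY)
    for g in parsed:
        print(g["port_channel"], g["protocol"], "L%s" % layer_of(g["flags"]),
              [p for p, _ in g["ports"]])
    for po, problem in audit_bundles(parsed):
        print("FINDING", po, problem)
```

A member in stand-alone (I) state is the symptom to watch for: its switch still forwards on that link as an ordinary port, so an unbundled member alongside a bundled one is a Layer 2 loop risk and worth alerting on, not just logging.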

Verifying EtherChannel (4)
 The show running-config interface interface_id command displays sections of your configuration relevant to EtherChannel. The interface argument can be physical or logical.
Switch# show running-config interface g0/48
Building configuration...
Current configuration : 154 bytes
interface GigabitEthernet0/48
 switchport access vlan 41
 switchport trunk encapsulation dot1q
 switchport mode trunk
 channel-group 7 mode active
Switch# show running-config interface port-channel 7
Building configuration...
Current configuration : 92 bytes
interface Port-channel7
 switchport trunk encapsulation dot1q
 switchport mode trunk

EtherChannel Load Balancing

EtherChannel Load Balancing Example
 Here the EtherChannel load-balancing mechanism is configured to use source and destination IP address pairs.
 This rule is applied to IPv4 and IPv6 traffic, whereas the non-IP load-balancing mechanism uses source and destination MAC address pairs.
 It was observed that with source-destination IP load balancing, the balancing ends up more like 70-30 on the links!
Switch(config)# port-channel load-balance src-dst-ip
Switch(config)# exit
Switch# show etherchannel load-balance
EtherChannel Load-Balancing Configuration:
        src-dst-ip
EtherChannel Load-Balancing Addresses Used Per-Protocol:
Non-IP: Source XOR Destination MAC address
  IPv4: Source XOR Destination IP address
  IPv6: Source XOR Destination IP address
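Why the split can land at 70-30 rather than 50-50, as an added example that is not part of the course material: a simplified Python model of the XOR hash. The model assumes eight hash buckets taken from the low bits of the XOR result and dealt round-robin to the member links; real Catalyst hardware differs in detail, but the consequence is the same. The ten flows are constructed: seven clients with even host addresses and three with odd, all talking to one server.

```python
"""Added example (not from the course): a simplified model of the EtherChannel
load-balancing hash, to show why src-dst-ip balancing can land at 70/30."""
import ipaddress
from collections import Counter

# Assumption: flows hash into 8 buckets (the low 3 bits of the XOR result),
# and buckets are dealt to member links round-robin. Real Catalyst hardware
# differs in detail, but the effects shown here are the same.
HASH_BUCKETS = 8


def hash_bucket(src, dst, method="src-dst-ip"):
    """Bucket for one flow under a load-balance method ('src-ip', 'dst-ip',
    'src-dst-ip'). Works for IPv4 and IPv6 because both become integers first."""
    s, d = int(ipaddress.ip_address(src)), int(ipaddress.ip_address(dst))
    value = {"src-ip": s, "dst-ip": d, "src-dst-ip": s ^ d}[method]
    return value % HASH_BUCKETS


def link_for_bucket(bucket, n_links):
    """2 links get 4 buckets each and 4 links get 2 each, but 3 links get
    3/3/2: odd link counts are uneven before any traffic is considered."""
    return bucket % n_links


def distribute(flows, n_links, method="src-dst-ip"):
    """Count how many of the given (src, dst) flows land on each member link."""
    counts = Counter(link_for_bucket(hash_bucket(s, d, method), n_links)
                     for s, d in flows)
    return {link: counts.get(link, 0) for link in range(n_links)}


# Constructed traffic: ten clients talking to one server. Seven clients happen
# to have even host addresses and three odd; with 2 links the low bit decides.
FLOWS = [(f"10.1.2.{x}", "10.1.1.10") for x in (2, 3, 4, 5, 6, 7, 8, 10, 12, 14)]

if __name__ == "__main__":
    for method in ("src-dst-ip", "src-ip", "dst-ip"):
        print(f"2 links, {method}: {distribute(FLOWS, 2, method)}")
    print(f"3 links, src-dst-ip: {distribute(FLOWS, 3)}")
```

The hash decides per flow, not per byte, so balance depends on how addresses happen to fall into buckets: here src-dst-ip gives 7/3, and dst-ip puts every flow for the single server on one link, which is the classic server-facing failure mode. Picking the method whose inputs actually vary across the traffic mix matters more than the link count.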

Chapter 2 Summary
 A VLAN is a logical grouping of switch ports independent of physical location. Local VLANs are now recommended over end-to-end VLAN implementations.
 A trunk is a Layer 2 point-to-point link between networking devices that carries the traffic of multiple VLANs. ISL and 802.1Q are the two trunking protocols that can connect two switches.
 VTP is used to distribute and synchronize information about VLANs configured throughout a switched network. VTP pruning helps to stop flooding of unnecessary traffic on trunk links.
 Device communication within the same VLAN can be fine-tuned using pVLANs. A pVLAN is associated to a primary VLAN, and then mapped to one or several ports. A primary VLAN can map to one isolated and several community VLANs. pVLANs can span across several switches using regular 802.1Q trunks or pVLAN trunks.
 Use EtherChannel by aggregating individual, similar links between switches. EtherChannel can be dynamically configured between switches using either the Cisco-proprietary PAgP or the IEEE 802.3ad LACP. EtherChannel load balances traffic over all the links in the bundle. The method that is chosen directly impacts the efficiency of this load-balancing mechanism.

Chapter 2 Labs
 Lab 2-1 Static VLANs, VLAN Trunking, and VTP Domains
 Lab 2-2 Configuring EtherChannel

Resources
 Catalyst 3560 Switch Command Reference
   www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_52_se/command/reference/3560cr.html
