Two membership methods exist on Cisco Catalyst switches:
- Static VLAN configuration
- Dynamic VLAN assignment
Static VLANs
Static VLANs offer port-based membership, in which switch ports are assigned to specific VLANs.
End-user devices become members in a VLAN based on the physical switch port to which they are connected.
Switch ports are assigned to VLANs by the manual intervention of the network administrator, hence the static nature.
Note: By default, all switch ports are assigned to VLAN 1, are set to be a VLAN type of Ethernet, and have a maximum transmission unit (MTU) size of 1500 bytes.
First, the VLAN must be created on the switch, if it does not already exist.
Then, the VLAN must be assigned to specific switch ports. VLANs always are referenced by a VLAN number, which can range from 1 to 1005.
VLANs 1 and 1002 through 1005 automatically are created and are set aside for special uses.
Catalyst IOS switches also can support extended-range VLANs, in which the VLAN number can be 1 to 4094, for compatibility with the IEEE 802.1Q standard.
The extended range is enabled only when the switch is configured for VTP transparent mode with the vtp mode transparent global configuration command.
To configure static VLANs, begin by defining the VLAN with the following command in global configuration mode:
Switch(config)# vlan vlan-num
Switch(config-vlan)# name vlan-name
To delete a VLAN from the switch configuration, you can use the no vlan vlan-num command.
Next, you should assign one or more switch ports to the VLAN. Use the following configuration commands:
Switch(config)# interface type module/number
Switch(config-if)# switchport
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan vlan-num
Note: The initial switchport command configures the port for Layer 2 operation. By default, every Catalyst IOS switch port is ready for Layer 3 operation.
Using our topology, let's start by configuring AS1. First, we should look at the default VLAN configuration:
AS1#show vlan-switch
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active
1002 fddi-default active
1003 token-ring-default active
1004 fddinet-default active
1005 trnet-default active
VLAN Type SAID MTU Parent RingNo BridgeNo Stp BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1 enet 100001 1500 - - - - - 1002 1003
1002 fddi 101002 1500 - - - - - 1 1003
1003 tr 101003 1500 1005 0 - - srb 1 1002
1004 fdnet 101004 1500 - - 1 ibm - 0 0
1005 trnet 101005 1500 - - 1 ibm - 0 0
Note: Due to some limitations of GNS3 and the NM-16ESW EtherSwitch cards, the usual "show vlan" command is not available. Instead, we will use "show vlan-switch".
Other limitations are listed at: http://www.gns3.net/documentation/gns3/switching-simulation-in-gns3/
Only vlan database mode is available on these cards (not the newer global configuration mode shown in the syntax above).
Note: Extended documentation about features and configuration guides of the NM-16ESW EtherSwitch cards can be found at: http://www.cisco.com/en/US/docs/ios/lanswitch/configuration/guide/lsw_enet_switch_net_external_docbase_0900e4b18090920b_4container_external_docbase_0900e4b18096f791.html#wp1047027
So, to create VLANs, we will use the vlan database mode:
AS1#vlan database
AS1(vlan)#vlan ?
<1-1005> ISL VLAN index
AS1(vlan)#vlan 2 ?
are Maximum number of All Route Explorer hops for this VLAN
backupcrf Backup CRF mode of the VLAN
bridge Bridging characteristics of the VLAN
media Media type of the VLAN
mtu VLAN Maximum Transmission Unit
name Ascii name of the VLAN
parent ID number of the Parent VLAN of FDDI or Token Ring type VLANs
ring Ring number of FDDI or Token Ring type VLANs
said IEEE 802.10 SAID
state Operational state of the VLAN
ste Maximum number of Spanning Tree Explorer hops for this VLAN
stp Spanning tree characteristics of the VLAN
tb-vlan1 ID number of the first translational VLAN for this VLAN (or zero if none)
tb-vlan2 ID number of the second translational VLAN for this VLAN (or zero if none)
<cr>
AS1(vlan)#vlan 2 name VL002
VLAN 2 added:
Name: VL002
AS1(vlan)#vlan 3 name VL003
VLAN 3 added:
Name: VL003
AS1(vlan)#vlan 4 name VL004
VLAN 4 added:
Name: VL004
AS1(vlan)#exit
APPLY completed.
Exiting....
The results:
AS1#show vlan-switch brief
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active
2 VL002 active
3 VL003 active
4 VL004 active
1002 fddi-default active
1003 token-ring-default active
1004 fddinet-default active
1005 trnet-default active
Now, let's assign some ports to the newly created VLANs.
AS1#show ip interface brief
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 unassigned YES NVRAM administratively down down
FastEthernet0/1 unassigned YES NVRAM administratively down down
FastEthernet1/0 unassigned YES unset up down
FastEthernet1/1 unassigned YES unset up down
FastEthernet1/2 unassigned YES unset up up
FastEthernet1/3 unassigned YES unset up down
FastEthernet1/4 unassigned YES unset up up
FastEthernet1/5 unassigned YES unset up up
FastEthernet1/6 unassigned YES unset up down
FastEthernet1/7 unassigned YES unset up down
FastEthernet1/8 unassigned YES unset up down
FastEthernet1/9 unassigned YES unset up down
FastEthernet1/10 unassigned YES unset up down
FastEthernet1/11 unassigned YES unset up down
FastEthernet1/12 unassigned YES unset up down
FastEthernet1/13 unassigned YES unset up down
FastEthernet1/14 unassigned YES unset up down
FastEthernet1/15 unassigned YES unset up up
Vlan1 unassigned YES NVRAM up up
AS1(config)#interface fastEthernet 1/2
AS1(config-if)#switchport
AS1(config-if)#switchport mode access
AS1(config-if)#switchport access vlan 2
AS1(config)#interface range fastEthernet 1/3 - 9
AS1(config-if-range)#switchport
AS1(config-if-range)#switchport mode access
AS1(config-if-range)#switchport access vlan 3
AS1(config)#define interface-range PORTS-10-15 fastEthernet 1/10 - 15
AS1(config)#interface range macro PORTS-10-15
AS1(config-if-range)#switchport
AS1(config-if-range)#switchport mode access
AS1(config-if-range)#switchport access vlan 4
Checking the configuration:
AS1#show vlan-switch brief
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa1/0, Fa1/1
2 VL002 active Fa1/2
3 VL003 active Fa1/3, Fa1/4, Fa1/5, Fa1/6
Fa1/7, Fa1/8, Fa1/9
4 VL004 active Fa1/10, Fa1/11, Fa1/12, Fa1/13
Fa1/14, Fa1/15
1002 fddi-default active
1003 token-ring-default active
1004 fddinet-default active
1005 trnet-default active
Dynamic VLANs
Dynamic VLANs provide membership based on the MAC address of an end-user device.
When a device is connected to a switch port, the switch must, in effect, query a database to establish VLAN membership.
A network administrator also must assign the user’s MAC address to a VLAN in the database of a VLAN Membership Policy Server (VMPS).
Note: Dynamic VLANs are not covered in the CCNP SWITCH exam.
VLANs can be scaled in the switch block by using two basic methods:
A. End-to-end VLANs
End-to-end VLANs, also called campus-wide VLANs, span the entire switch fabric of a network. They are positioned to support maximum flexibility and mobility of end devices.
They follow the 80/20 rule: 80 percent of user traffic stays within the local workgroup, whereas 20 percent is destined for a remote resource.
B. Local VLANs
Because most enterprise networks have moved toward the 20/80 rule (where server and intranet/Internet resources are centralized), end-to-end VLANs have become cumbersome and difficult to maintain.
VLAN Trunks
A trunk link can transport more than one VLAN through a single switch port.
Trunk links are most beneficial when switches are connected to other switches or switches are connected to routers. A trunk link is not assigned to a specific VLAN.
Frame identification, or tagging, assigns a unique user-defined ID to each frame transported on a trunk link.
VLAN identification can be performed using two methods, each using a different frame identifier mechanism:
- Inter-Switch Link (ISL) protocol
- IEEE 802.1Q protocol
Inter-Switch Link Protocol
When a frame is destined out a trunk link to another switch or router, ISL adds a 26-byte header and a 4-byte trailer to the frame.
The source VLAN is identified with a 15-bit VLAN ID field in the header.
The trailer contains a cyclic redundancy check (CRC) value to ensure the data integrity of the new encapsulated frame.
Note: ISL has been discontinued on Cisco switches.
IEEE 802.1Q Protocol
Instead of encapsulating each frame with a VLAN ID header and trailer, 802.1Q embeds its tagging information within the Layer 2 frame, by inserting a 4-byte tag just after the source Address field.
The last 12 bits are used as a VLAN identifier (VID) to indicate the source VLAN for the frame.
802.1Q also introduces the concept of a native VLAN on a trunk. Frames belonging to this VLAN are not encapsulated with any tagging information.
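As an added illustration, not code from the original post, the following Python builds and parses the 4-byte 802.1Q tag described above (TPID 0x8100 followed by a 16-bit TCI whose low 12 bits are the VID), and maps untagged frames to a native VLAN supplied by the caller. The MAC addresses and payloads are made up.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag


def build_frame(dst, src, ethertype, payload, vid=None, pcp=0, dei=0):
    """Build an Ethernet frame; if vid is given, insert a 4-byte 802.1Q tag.

    The tag (TPID 0x8100 + 16-bit TCI) goes right after the source MAC,
    as the text describes; the original EtherType then follows the tag.
    """
    if len(dst) != 6 or len(src) != 6:
        raise ValueError("MAC addresses must be 6 bytes")
    header = dst + src
    if vid is not None:
        if not 0 <= vid <= 4094:  # 4095 is reserved by 802.1Q
            raise ValueError("VID must be 0..4094")
        tci = ((pcp & 0x7) << 13) | ((dei & 0x1) << 12) | (vid & 0xFFF)
        header += struct.pack("!HH", TPID_8021Q, tci)
    return header + struct.pack("!H", ethertype) + payload


def classify_trunk_frame(frame, native_vlan=1):
    """Return (vid, tagged, ethertype) for a frame received on an 802.1Q trunk.

    Untagged frames belong to the native VLAN. A tag with VID 0 is a
    priority-only tag and carries no VLAN, so it is also mapped to the
    native VLAN. Otherwise the low 12 bits of the TCI give the source VLAN.
    """
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != TPID_8021Q:
        return native_vlan, False, ethertype
    if len(frame) < 18:
        raise ValueError("802.1Q tag is truncated")
    tci, inner_type = struct.unpack("!HH", frame[14:18])
    vid = tci & 0xFFF
    if vid == 0:
        return native_vlan, True, inner_type
    return vid, True, inner_type


# Constructed sample frames: made-up MAC addresses and dummy 4-byte payloads
DST = bytes.fromhex("ffffffffffff")
SRC = bytes.fromhex("02aabbccddee")
TAGGED_VLAN3 = build_frame(DST, SRC, 0x0800, b"\x00" * 4, vid=3, pcp=5)
UNTAGGED = build_frame(DST, SRC, 0x0806, b"\x00" * 4)
```

With native VLAN 2, as configured on the AS1/DS1 trunk later in the post, the tagged sample classifies as VLAN 3 and the untagged sample as VLAN 2.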
Dynamic Trunking Protocol (DTP)
Trunks can be configured either manually or automatically (DTP).
Cisco has implemented a proprietary, point-to-point protocol called Dynamic Trunking Protocol (DTP) that negotiates a common trunking mode between two switches.
Note: By default, all switch ports in Layer 2 mode are nontrunking and operate as access links.
Note: By default, an 802.1Q trunk uses VLAN 1 as the native VLAN.
Note: By default, a switch transports all active VLANs (1 to 4094) over a trunk link.
Use the following commands to create a VLAN trunk link:
Switch(config)# interface type mod/port
Switch(config-if)# switchport
Switch(config-if)# switchport trunk encapsulation {isl | dot1q | negotiate}
Switch(config-if)# switchport trunk native vlan vlan-id
Switch(config-if)# switchport trunk allowed vlan {vlan-list | all | {add | except | remove} vlan-list}
Switch(config-if)# switchport mode {trunk | dynamic {desirable | auto}}
In the switchport mode command, you can set the trunking mode to any of the following:
- trunk: This setting places the port in permanent trunking mode. DTP is still operational, so if the far-end switch port is configured to trunk, dynamic desirable, or dynamic auto mode, trunking will be negotiated successfully.
- dynamic desirable (the default): The port actively attempts to convert the link into trunking mode. If the far-end switch port is configured to trunk, dynamic desirable, or dynamic auto mode, trunking is negotiated successfully.
- dynamic auto: The port can be converted into a trunk link, but only if the far-end switch actively requests it.
Note: If you decide to configure both ends of a trunk link as a fixed trunk, you can disable DTP completely by using the switchport nonegotiate command.
Trunking status verification command: show interfaces fastEthernet 1/0 trunk
In our topology, let's use AS1 and DS1 for establishing a trunk link between them.
We already have VLANs 2, 3 and 4 configured on AS1, so let's do the same on DS1.
DS1(vlan)#vlan 2 name VL002
VLAN 2 added:
Name: VL002
DS1(vlan)#vlan 3 name VL003
VLAN 3 added:
Name: VL003
DS1(vlan)#vlan 4 name VL004
VLAN 4 added:
Name: VL004
DS1(vlan)#exit
APPLY completed.
Exiting....
The link between AS1 and DS1 is made through the Fa1/2 interface at both ends.
Now, let's create an 802.1q trunk with VLAN 2 as native and set all VLANs except VLAN 4 as allowed on this trunk.
The trunking mode should not be any type of dynamic mode and neither end should attempt any DTP negotiation.
AS1(config)#interface fastEthernet 1/2
AS1(config-if)#switchport
AS1(config-if)#switchport trunk encapsulation dot1q
AS1(config-if)#switchport trunk native vlan 2
AS1(config-if)#switchport trunk allowed vlan except 4
AS1(config-if)#switchport mode trunk (only trunk mode is supported in GNS3)
AS1(config-if)#
*Mar 1 01:15:11.911: %DTP-5-TRUNKPORTON: Port Fa1/2 has become dot1q trunk
AS1(config-if)#switchport nonegotiate (this command is not supported in GNS3)
DS1(config)#interface fastEthernet 1/2
DS1(config-if)#switchport
DS1(config-if)#switchport trunk encapsulation dot1q
DS1(config-if)#switchport trunk native vlan 2
DS1(config-if)#switchport trunk allowed vlan except 4
DS1(config-if)#switchport mode trunk
DS1(config-if)#
*Mar 1 01:18:07.699: %DTP-5-TRUNKPORTON: Port Fa1/2 has become dot1q trunk
DS1(config-if)#switchport nonegotiate
Verifying the config on AS1 (same on DS1):
AS1#show interfaces fastEthernet 1/2 trunk
Port Mode Encapsulation Status Native vlan
Fa1/2 on 802.1q trunking 2
Port Vlans allowed on trunk
Fa1/2 1-3,5-1005
Port Vlans allowed and active in management domain
Fa1/2 1-3
Port Vlans in spanning tree forwarding state and not pruned
Fa1/2 1-3
AS1#show interfaces fastEthernet 1/2 switchport
Name: Fa1/2
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: Disabled
Access Mode VLAN: 0 ((Inactive))
Trunking Native Mode VLAN: 2 (VL002)
Trunking VLANs Enabled: 1-3,5-1005
Trunking VLANs Active: 1-3
Priority for untagged frames: 0
Override vlan tag priority: FALSE
Voice VLAN: none
Appliance trust: none
For a trunk, these parameters must agree on both ends before the trunk can operate correctly:
- Trunking mode (unconditional trunking, negotiated, or non-negotiated).
- Trunk encapsulation (ISL, IEEE 802.1Q, or negotiated through DTP).
- Native VLAN. You can bring up a trunk with different native VLANs on each end; however, both switches will log error messages about the mismatch.
- Allowed VLANs.
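An added example, not part of the original post, that models the keywords of the switchport trunk allowed vlan command and reproduces the "1-3,5-1005" and "1-3" lists that show interfaces trunk printed above. It assumes the 1-1005 VLAN range this platform displays; the active VLAN set used in the check is constructed.

```python
import re

# Assumption: the NM-16ESW shows 1-1005 as its allowed range; with extended-range VLANs it would be 1-4094.
VLAN_MIN, VLAN_MAX = 1, 1005


def parse_vlan_list(text):
    """Turn "1-3,5-1005" style text into a set of VLAN IDs."""
    vlans = set()
    for part in text.split(","):
        m = re.fullmatch(r"\s*(\d+)(?:-(\d+))?\s*", part)
        if not m:
            raise ValueError(f"bad VLAN list element: {part!r}")
        lo, hi = int(m.group(1)), int(m.group(2) or m.group(1))
        if not VLAN_MIN <= lo <= hi <= VLAN_MAX:
            raise ValueError(f"VLAN range {lo}-{hi} outside {VLAN_MIN}-{VLAN_MAX}")
        vlans.update(range(lo, hi + 1))
    return vlans


def format_vlan_list(vlans):
    """Render a set of VLAN IDs the way "show interfaces trunk" does (1-3,5-1005)."""
    ids = sorted(vlans)
    if not ids:
        return "none"
    ranges, start, prev = [], ids[0], ids[0]
    for v in ids[1:]:
        if v != prev + 1:  # gap: close the current run
            ranges.append((start, prev))
            start = v
        prev = v
    ranges.append((start, prev))
    return ",".join(str(a) if a == b else f"{a}-{b}" for a, b in ranges)


def allowed_vlan(current, keyword, vlan_list=""):
    """Apply one form of 'switchport trunk allowed vlan {vlan-list|all|except|add|remove}'."""
    everything = set(range(VLAN_MIN, VLAN_MAX + 1))
    arg = parse_vlan_list(vlan_list) if vlan_list else set()
    if keyword == "all":
        return everything
    if keyword == "list":  # a bare vlan-list replaces the whole allowed set
        return arg
    if keyword == "except":  # everything except the listed VLANs
        return everything - arg
    if keyword == "add":
        return current | arg
    if keyword == "remove":
        return current - arg
    raise ValueError(f"unknown keyword {keyword!r}")
```

The "Vlans allowed and active" line of the show output is simply the allowed set intersected with the VLANs active on the switch, which for AS1 is {1, 2, 3, 4} minus the excluded VLAN 4.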
Note: If you encounter the following error when modifying the vlan database, you can erase the flash to resolve the issue:
AS1#vlan database
AS1(vlan)#no vlan 2
Deleting VLAN 2...
AS1(vlan)#no vlan 3
Deleting VLAN 3...
AS1(vlan)#no vlan 4
Deleting VLAN 4...
AS1(vlan)#exit
% not enough space on flash to store vlan database. trying squeeze...First create squeeze log by erasing the entire device
% error squeezing flash - (Missing or corrupted log)
Error on database apply 40: NV storage failure
Use 'abort' command to exit
AS1(vlan)#abort
Aborting....
AS1#erase flash:
Erasing the flash filesystem will remove all files! Continue? [confirm]
Erasing device... eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee ...erased
Erase of flash: complete
AS1#vlan database
AS1(vlan)#no vlan 2
Deleting VLAN 2...
AS1(vlan)#no vlan 3
Deleting VLAN 3...
AS1(vlan)#no vlan 4
Deleting VLAN 4...
AS1(vlan)#exit
APPLY completed.
Exiting....
Note: Although we reload the switches whenever we want new default configs, the VLAN and VTP information is still present.
The reason is that this VLAN and VTP information is actually kept in the VLAN.DAT file in Flash memory, and the contents of Flash are kept on a reload. The file has to be deleted manually.
More info at: http://www.mcmcse.com/cisco/guides/vlandat.shtml