82063703-En-Switch-v6-Ch02 - Chapter 2: Implementing VLANs in Campus Networks (CCNP SWITCH: Implementing IP Switching, SWITCH v6, Chapter 2; Cisco, 2007-2010)

Slide 1: Chapter 2: Implementing VLANs in Campus Networks
CCNP SWITCH: Implementing IP Switching, SWITCH v6, Chapter 2
© 2007-2010, Cisco Systems, Inc. All rights reserved. Cisco Public

Slide 2: Chapter 2 Objectives
- Design and plan VLANs, trunks, and addressing to meet business requirements, technical requirements, and constraints.
- Configure VLANs and VLAN trunks in the campus network to support business and technical requirements.
- Configure VTP in the campus network to support business and technical requirements.
- Describe private VLANs and configure private VLANs in the campus network to support business and technical requirements.
- Configure and verify an EtherChannel in a Layer 2 topology that contains bridging loops.

Slide 3: Virtual Local Area Network (VLAN)
- A VLAN is a logical group of end devices.
- Broadcasts are contained within VLANs.
- Modern design has 1 VLAN = 1 IP subnet.
- Trunks connect switches so as to transport multiple VLANs.
- Layer 3 devices interconnect VLANs.

Slide 4: End-to-End VLANs
- Each VLAN is distributed geographically throughout the network.
- Users are grouped into each VLAN regardless of the physical location, theoretically easing network management.
- As a user moves throughout a campus, the VLAN membership for that user remains the same.
- Switches are configured for VTP server or client mode.

Slide 5: Local VLANs
- Create local VLANs with physical boundaries in mind rather than job functions of the users.
- Local VLANs exist between the access and distribution layers.
- Traffic from a local VLAN is routed at the distribution and core levels.
- Switches are configured in VTP transparent mode.
- Spanning tree is used only to prevent inadvertent loops in the wiring closet.
- One to three VLANs per access layer switch recommended.

Slide 6: VLANs in Enterprise Campus Design
- VLANs used at the access layer should extend no further than their associated distribution switch.
- Traffic is routed from the local VLAN as it is passed from the distribution layer into the core.
- Blocks can contain one to three VLANs each.
- STP is limited to access and distribution switches.
- DHCP is used to assign IP addresses to users.

Slide 7: Best Practices for VLAN Design
- One to three VLANs per access module, and limit those VLANs to a couple of access switches and the distribution switches.
- Avoid using VLAN 1 as the "blackhole" for all unused ports. Use a dedicated VLAN separate from VLAN 1 to assign all the unused ports.
- Separate the voice VLANs, data VLANs, the management VLAN, the native VLAN, blackhole VLANs, and the default VLAN (VLAN 1).
- Avoid VTP when using local VLANs; use manually allowed VLANs on trunks.
- For trunk ports, turn off Dynamic Trunking Protocol (DTP) and configure trunking. Use IEEE 802.1Q rather than ISL because it has better support for QoS and is a standard protocol.
- Manually configure access ports that are not specifically intended for a trunk link.
- Prevent all data traffic from VLAN 1; only permit control protocols to run on VLAN 1 (DTP, VTP, STP BPDUs, PAgP, LACP, CDP, etc.).
- Avoid using Telnet because of security risks; enable SSH support on management VLANs.

Slide 8: VLAN Support on Catalyst Switches

    Catalyst Switch            Max VLANs   VLAN ID Range
    2940                       4           1 - 1005
    2950/2955                  250         1 - 4094
    2960                       255         1 - 4094
    2970/3550/3560/3750        1055        1 - 4094
    2848G/2980G/4000/4500      4094        1 - 4094
    6500                       4094        1 - 4094
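The best-practice bullets above are checkable against a switch's running configuration. The following script is an added example (not Cisco's code and not part of the slide deck): it parses an IOS-style configuration into blocks and flags trunks that still run DTP or keep native VLAN 1, trunks that carry VLAN 1, access ports left in VLAN 1, ports in the default negotiating mode, and vty lines that still accept Telnet. The sample configuration is constructed for the demonstration; the allowed-VLAN check assumes the consolidated `switchport trunk allowed vlan 10,20,150` form that a running configuration shows.

```python
"""Audit an IOS-style switch configuration against the VLAN design best practices
on the slide above: DTP off on trunks, a dedicated native VLAN, VLAN 1 pruned from
trunks, no access ports left in VLAN 1, and SSH instead of Telnet on the vty lines.

Added example, not Cisco's code; the sample configuration is constructed."""

SAMPLE_CONFIG = """\
hostname DLS1
!
vlan 999
 name BLACKHOLE
!
interface GigabitEthernet1/0/1
 description uplink to ALS1
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,150
 switchport mode trunk
 switchport nonegotiate
!
interface GigabitEthernet1/0/2
 description uplink to ALS2
 switchport trunk encapsulation dot1q
 switchport mode dynamic desirable
!
interface FastEthernet0/1
 description PC A
 switchport mode access
 switchport access vlan 1
!
interface FastEthernet0/2
 description unused port parked in the blackhole VLAN
 switchport mode access
 switchport access vlan 999
 shutdown
!
line vty 0 4
 transport input telnet ssh
!
"""


def parse_blocks(config):
    """Map each top-level config line to the indented sub-commands beneath it."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith(" "):
            if current is not None:
                blocks[current].append(line.strip())
        elif line.strip() and line != "!":
            current = line.strip()
            blocks[current] = []
        else:
            current = None
    return blocks


def expand_vlan_list(spec):
    """Expand an IOS VLAN list such as '1-100,150' into a set of VLAN IDs."""
    vlans = set()
    for part in spec.split(","):
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-"))
            vlans.update(range(lo, hi + 1))
        elif part.strip():
            vlans.add(int(part))
    return vlans


def last_word(cmds, prefix, default=None):
    """Last word of the first sub-command starting with prefix, else default."""
    return next((c.split()[-1] for c in cmds if c.startswith(prefix)), default)


def audit_interface(name, cmds):
    """Findings for one switch port, following the best-practices bullets."""
    findings = []
    mode_cmd = next((c for c in cmds if c.startswith("switchport mode ")), "")
    mode = mode_cmd.split()[2] if mode_cmd else None  # None: IOS default is dynamic auto
    if mode == "trunk":
        if "switchport nonegotiate" not in cmds:
            findings.append(f"{name}: trunk still sends DTP frames; add 'switchport nonegotiate'")
        if last_word(cmds, "switchport trunk native vlan ", "1") == "1":
            findings.append(f"{name}: native VLAN is 1; use a dedicated native VLAN")
        allowed = last_word(cmds, "switchport trunk allowed vlan ", "all")
        if allowed == "all" or 1 in expand_vlan_list(allowed):
            findings.append(f"{name}: VLAN 1 is carried on the trunk; prune it so only control protocols use VLAN 1")
    elif mode == "access":
        if last_word(cmds, "switchport access vlan ", "1") == "1":
            findings.append(f"{name}: access port in VLAN 1; move it to a data VLAN or the blackhole VLAN")
    else:
        findings.append(f"{name}: port negotiates trunking through DTP; set 'switchport mode access' or 'switchport mode trunk'")
    return findings


def audit_config(config):
    """All findings for the configuration, in configuration order."""
    findings = []
    for header, cmds in parse_blocks(config).items():
        if header.startswith("interface "):
            findings += audit_interface(header.split(None, 1)[1], cmds)
        elif header.startswith("line vty"):
            for c in cmds:
                if c.startswith("transport input") and "telnet" in c.split():
                    findings.append(f"{header}: Telnet permitted ('{c}'); use 'transport input ssh'")
    return findings


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print(finding)
```

On the constructed configuration the first uplink passes, the second uplink is reported for negotiating through DTP, FastEthernet0/1 for sitting in VLAN 1, and the vty block for permitting Telnet.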
Slide 9: VLAN Ranges on Catalyst Switches

    VLAN Range   Range      Usage                                                  Propagated via VTP?
    0, 4095      Reserved   For system use only. You cannot see or use these.      n/a
    1            Normal     Cisco default. You can use this VLAN, but you          Yes
                            cannot delete it.
    2-1001       Normal     For Ethernet VLANs. You can create, use, and delete    Yes
                            these.
    1002-1005    Normal     Cisco defaults for FDDI and Token Ring. You cannot     Yes
                            delete these.
    1006-1024    Reserved   For system use only. You cannot see or use these.      n/a
    1025-4094    Reserved   For Ethernet VLANs only. VTP v3 only. Not supported
                            in VTP v1 or v2. Requires VTP transparent mode for
                            configuration.

Slide 10: Clearing switches

    Switch# delete vlan.dat
    Delete filename [vlan.dat]?
    Delete flash:vlan.dat? [confirm]
    Switch#
    Switch# erase startup-config
    Erasing the nvram filesystem will remove all configuration files! Continue? [confirm]
    [OK]
    Erase of nvram: complete
    Switch#

Slide 11: Configure Hostname and VLAN 1

    Switch# configure terminal
    Enter configuration commands, one per line.  End with CNTL/Z.
    Switch(config)# hostname DLS1
    DLS1(config)# interface vlan 1
    DLS1(config-if)# ip address 10.1.1.101 255.255.255.0
    DLS1(config-if)# no shutdown
    DLS1(config-if)# end
    DLS1#

- Configure hostname.
- Configure VLAN 1.
- Default: the management VLAN is VLAN 1.
- Configure the DLS1, DLS2, ALS1 and ALS2 switches in Packet Tracer:
  - Hostname
  - VLAN 1

Slide 12: Configuration: Create a VLAN
- To create a new VLAN in global configuration mode:
    Switch(config)# vlan vlan-id
- vlan-id is 2-1001 or 1025-4094.

Slide 13: Configuration: Name a VLAN
- To name a VLAN in VLAN configuration mode:
    Switch(config-vlan)# name vlan-name
- vlan-name is a descriptor for the VLAN.
- Naming a VLAN is optional.
Slide 14: Example: Creating and Naming a VLAN
- Enter global configuration mode:
    Switch# configure terminal
- Create a new VLAN with a particular ID number:
    Switch(config)# vlan vlan-id
- (Optional.) Name the VLAN:
    Switch(config-vlan)# name vlan-name

    Switch# configure terminal
    Switch(config)# vlan 5
    Switch(config-vlan)# name Engineering
    Switch(config-vlan)# exit

Slide 15: Configuration: Disable Trunk Negotiation on a Port
- To disable trunk negotiation on a switch port:
    Switch(config-if)# switchport mode access
- This command is optional but is recommended for security purposes. An access port does not need to negotiate trunk formation.

Slide 16: Configuration: Macro for Access Port
- To configure an optional macro for switch access ports:
    Switch(config-if)# switchport host
- This command optimizes a Layer 2 port for a host connection.
- This macro sets the port mode to access, enables spanning-tree portfast, and disables EtherChannel.

Slide 17: Configuration: Assign Port to VLAN
- To assign a port to a VLAN in interface configuration mode:
    Switch(config-if)# switchport access vlan vlan-id
- vlan-id is a previously created VLAN.
Slide 18: Example: Assigning a Port to a VLAN
- Enter interface configuration mode:
    Switch(config)# interface interface-id
- Configure a description for the device(s) connected to the port:
    Switch(config-if)# description string
- Configure the access port macro:
    Switch(config-if)# switchport host
- Assign the port to a VLAN:
    Switch(config-if)# switchport access vlan vlan-id
- Enable the interface:
    Switch(config-if)# no shutdown
- Return to privileged EXEC mode:
    Switch(config-if)# end

    Switch(config)# interface FastEthernet 5/6
    Switch(config-if)# description PC A
    Switch(config-if)# switchport host
    switchport mode will be set to access
    spanning-tree portfast will be enabled
    channel group will be disabled
    Switch(config-if)# switchport access vlan 200
    Switch(config-if)# no shutdown
    Switch(config-if)# end

Slide 19: Verification: VLAN Configuration
- The show vlan command and its derivatives are the most useful commands for displaying information related to VLANs. The following two forms have the same output.

    Switch# show vlan id 3

    VLAN Name                             Status    Ports
    ---- -------------------------------- --------- ------------------------------
    3    VLAN0003                         active    Fa0/1

    VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
    ---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
    3    enet  100003     1500  -      -      -        -    -        0      0

    Switch# show vlan name VLAN0003

    VLAN Name                             Status    Ports
    ---- -------------------------------- --------- --------------------
    3    VLAN0003                         active    Fa0/1

    VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
    ---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
    3    enet  100003     1500  -      -      -        -    -        0      0

Slide 20: Verification: Interface Configuration
- The show running-config command has an interface keyword option to allow for interface-specific output.
    Switch# show running-config interface FastEthernet 5/6
    Building configuration...

    ! Current configuration :33 bytes
    interface FastEthernet 5/6
     switchport access vlan 200
     switchport mode access
     switchport host
    end

Slide 21: Verification: Switch Port Configuration
- One of the most useful commands for showing VLAN configuration information specific to a switch port is the show interfaces interface_id switchport command.

    Switch# show interfaces f0/18 switchport
    Name: Fa0/18
    Switchport: Enabled
    Administrative Mode: static access
    Operational Mode: down
    Administrative Trunking Encapsulation: dot1q
    Negotiation of Trunking: Off
    Access Mode VLAN: 20 (VLAN0020)
    Trunking Native Mode VLAN: 1 (default)
    Administrative Native VLAN tagging: enabled
    Voice VLAN: 150 (VLAN0150)
    <output omitted>
    Operational private-vlan: none
    Trunking VLANs Enabled: ALL
    Pruning VLANs Enabled: 2-1001
    Capture Mode Disabled
    Capture VLANs Allowed: ALL

Slide 22: Verification: MAC Address Information
- You can view MAC address information specific to an interface and an associated VLAN.

    Switch# show mac-address-table interface GigabitEthernet 0/1 vlan 1
              Mac Address Table
    ------------------------------------------
    Vlan    Mac Address       Type        Ports
    ----    -----------       --------    -----
       1    0008.2199.2bc1    DYNAMIC     Gi0/1
    Total Mac Addresses for this criterion: 1

Slide 23: Implementing Trunking in a Campus Network

Slide 24: VLAN Trunking
- Trunks carry the traffic for multiple VLANs across a single physical link (multiplexing). Trunking is used to extend Layer 2 operations across an entire network.
- The host on the left in VLAN 2 can communicate with the host on the right in VLAN 2 via the trunk link; over the same trunk link, the hosts in VLAN 1 can communicate simultaneously.

Slide 25: VLAN Trunking with Inter-Switch Link (ISL)
- ISL is a Cisco-proprietary trunking protocol.
- ISL is nearly obsolete.
- ISL encapsulates Ethernet frames, adding 30 bytes of overhead.
- ISL is supported on non-access-layer Cisco switches.

Slide 26: VLAN Trunking with IEEE 802.1Q
- 802.1Q is a widely supported industry-standard protocol.
- IEEE 802.1Q has smaller frame overhead than ISL. 802.1Q overhead is 4 bytes.
- 802.1Q has the 802.1p field for QoS support.

Slide 27: Native VLAN with IEEE 802.1Q
- The 802.1Q standard specifies how the switch should handle untagged frames sent or received on an 802.1Q trunk port.
- An 802.1Q trunk port is assigned a default PVID, which is associated with all untagged traffic on the port. All traffic with a null VLAN ID is assumed to belong to the port's default PVID. A packet with a VLAN ID equal to the outgoing port's default PVID is sent untagged. All other traffic is sent with a VLAN tag.
- Proactively configuring both ends of an 802.1Q trunk link with a native VLAN distinct from all other VLANs is recommended.

Slide 28: Dynamic Trunking Protocol (DTP)
- Access - Puts the interface into permanent non-trunking mode and negotiates to convert the link into a non-trunk link. The interface becomes a non-trunk interface even if the neighboring interface does not agree to the change.
- Trunk - Puts the interface into permanent trunking mode and negotiates to convert the link into a trunk link.
  The interface becomes a trunk interface even if the neighboring interface does not agree to the change.
- Nonegotiate - Puts the interface into permanent trunking mode but prevents the interface from generating DTP frames. You must configure the neighboring interface manually as a trunk interface to establish a trunk link. Use this mode when connecting to a device that does not support DTP.
- Dynamic desirable - Makes the interface actively attempt to convert the link to a trunk link. The interface becomes a trunk interface if the neighboring interface is set to trunk, desirable, or auto mode.
- Dynamic auto - Makes the interface willing to convert the link to a trunk link. The interface becomes a trunk interface if the neighboring interface is set to trunk or desirable mode. This is the default mode for all Ethernet interfaces in Cisco IOS.

Slide 29: Design with VLAN Trunks
- Trunks interconnect access layer switches.
- Trunks connect access layer switches to distribution layer switches.
- Layer 3 links interconnect core and distribution layer switches.
- Access layer switches are configured in a spanning-tree, loop-free, V-shaped topology. If one distribution link fails, HSRP or VRRP provides an alternative default gateway.
- Recommended: turn off DTP and manually prune VLANs on trunks.
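The native VLAN rules on the "Native VLAN with IEEE 802.1Q" slide (untagged and null-VID frames belong to the PVID; a frame leaving on the PVID goes out untagged; everything else is tagged) are small enough to implement end to end. The script below is an added example, not Cisco's code or part of the slide deck: it parses and builds 802.1Q tags, classifies ingress frames on a trunk port, and relays a frame across a trunk whose two ends may have different native VLANs, which shows concretely why both ends must agree. The MAC addresses, payload and VLAN numbers are constructed placeholders.

```python
"""802.1Q tag handling on a trunk port, following the native VLAN (PVID) rules on
the 'Native VLAN with IEEE 802.1Q' slide: untagged frames and frames with a null
VLAN ID (VID 0, priority-tagged) are assigned to the port's PVID; a frame leaving
on the port's PVID goes out untagged; everything else carries a 4-byte tag.

Added example, not Cisco's code. Frames are constructed byte strings; the MAC
addresses and the IPv4-looking payload are placeholders."""
import struct

TPID_8021Q = 0x8100                    # Tag Protocol Identifier of an 802.1Q tag
DST = bytes.fromhex("ffffffffffff")    # constructed broadcast destination
SRC = bytes.fromhex("0008219922bc")    # constructed source MAC
PAYLOAD = b"\x45" + b"\x00" * 45       # constructed minimal payload


def parse_frame(frame):
    """Split an Ethernet frame into (dst, src, tci, ethertype, payload).

    tci is None when the frame carries no 802.1Q tag."""
    dst, src = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == TPID_8021Q:
        tci, inner = struct.unpack("!HH", frame[14:18])
        return dst, src, tci, inner, frame[18:]
    return dst, src, None, ethertype, frame[14:]


def split_tci(tci):
    """Decode the 16-bit Tag Control Information into (pcp, dei, vid):
    3-bit 802.1p priority, 1-bit drop-eligible flag, 12-bit VLAN ID."""
    return (tci >> 13) & 0x7, (tci >> 12) & 0x1, tci & 0xFFF


def classify_ingress(frame, pvid):
    """VLAN a frame is assigned to when received on a trunk port with PVID pvid."""
    _, _, tci, _, _ = parse_frame(frame)
    if tci is None:
        return pvid                       # untagged -> native VLAN
    _, _, vid = split_tci(tci)
    return pvid if vid == 0 else vid      # null VID -> native VLAN, else the tag's VID


def build_egress(vlan, pvid, pcp=0, dst=DST, src=SRC, ethertype=0x0800, payload=PAYLOAD):
    """Frame bytes as transmitted by a trunk port: untagged on the PVID, tagged otherwise."""
    if vlan == pvid:
        return dst + src + struct.pack("!H", ethertype) + payload
    tci = ((pcp & 0x7) << 13) | (vlan & 0xFFF)
    return dst + src + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload


def relay(vlan, sender_pvid, receiver_pvid):
    """VLAN a frame lands in after crossing a trunk whose two ends may have
    different native VLANs. Matching PVIDs preserve the VLAN; a mismatch moves
    native-VLAN traffic into the far side's PVID, which is why the troubleshooting
    checklist requires the native VLAN to match on both ends."""
    wire = build_egress(vlan, sender_pvid)
    return classify_ingress(wire, receiver_pvid)


if __name__ == "__main__":
    tagged = build_egress(10, 99, pcp=5)
    print(len(tagged) - len(build_egress(99, 99)), "bytes of 802.1Q overhead")
    print("VLAN 10 across matching native VLANs ->", relay(10, 99, 99))
    print("native VLAN 99 across mismatched ends ->", relay(99, 99, 1))
```

The 4-byte difference between the tagged and untagged frame is the 802.1Q overhead quoted on the slide; the last line of the demo is the native VLAN mismatch case, where a frame that left switch A in VLAN 99 is accepted by switch B as VLAN 1.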
Slide 30: Configuring an Interface for Trunking
- Select the encapsulation type:
    Switch(config-if)# switchport trunk encapsulation {isl | dot1q | negotiate}
- Configure the interface as a Layer 2 trunk:
    Switch(config-if)# switchport mode {dynamic {auto | desirable} | trunk}
- Specify the native VLAN:
    Switch(config-if)# switchport trunk native vlan vlan-id
- Configure the allowable VLANs for this trunk:
    Switch(config-if)# switchport trunk allowed vlan {add | except | all | remove} vlan-id[,vlan-id[,vlan-id[,...]]]

    Switch(config)# interface FastEthernet 5/8
    Switch(config-if)# switchport trunk encapsulation dot1q
    Switch(config-if)# switchport mode trunk
    Switch(config-if)# switchport nonegotiate              (optional)
    Switch(config-if)# switchport trunk allowed vlan 1-100
    Switch(config-if)# no shutdown
    Switch(config-if)# end

Slide 31: Verifying Trunk Configuration

    Switch# show running-config interface f5/8
    Building configuration...
    Current configuration:
    !
    interface FastEthernet5/8
     switchport mode dynamic desirable
     switchport trunk encapsulation dot1q
    end

    Switch# show interfaces f5/8 switchport
    Name: Fa5/8
    Switchport: Enabled
    Administrative Mode: dynamic desirable
    Operational Mode: trunk
    Administrative Trunking Encapsulation: negotiate
    Operational Trunking Encapsulation: dot1q
    Negotiation of Trunking: Enabled
    Access Mode VLAN: 1 (default)
    Trunking Native Mode VLAN: 1 (default)
    Trunking VLANs Enabled: ALL
    Pruning VLANs Enabled: 2-1001

    Switch# show interfaces f5/8 trunk
    Port      Mode         Encapsulation  Status        Native vlan
    Fa5/8     desirable    n-802.1q       trunking      1

    Port      Vlans allowed on trunk
    Fa5/8     1-1005

Slide 32: Troubleshooting Trunk Links
- Ensure that the Layer 2 interface mode configured on both ends of the link is valid. The trunk mode should be trunk or desirable for at least one side of the trunk.
- Ensure that the trunk encapsulation type configured on both ends of the link is valid and compatible.
- On IEEE 802.1Q trunks, make sure the native VLAN is the same on both ends of the trunk.
- When using DTP, ensure that both ends of the link are in the same VTP domain.

Slide 33: VLAN Trunking Protocol

Slide 34: VLAN Trunking Protocol (VTP)
- VTP is a Cisco-proprietary protocol that automates the propagation of VLAN information between switches via trunk links. This minimizes misconfigurations and configuration inconsistencies.
- VTP does not configure switch ports for VLAN membership.
- Three types of VTP messages are sent via Layer 2 multicast on VLAN 1.
- VTP domains define sets of interconnected switches sharing the same VTP configuration.

Slide 35: VTP Modes

Client
- Cannot create, change, or delete VLANs on the command-line interface (CLI).
- Forwards advertisements to other switches.
- Synchronizes VLAN configuration with the latest information received from other switches in the management domain.
- Does not save VLAN configuration in nonvolatile RAM (NVRAM).

Server
- Can create, modify, and delete VLANs.
- Sends and forwards advertisements to other switches.
- Synchronizes VLAN configuration with the latest information received from other switches in the management domain.
- Saves VLAN configuration in NVRAM.

Transparent
- Can create, modify, and delete VLANs only on the local switch.
- Forwards VTP advertisements received from other switches in the same management domain.
- Does not synchronize its VLAN configuration with information received from other switches in the management domain.
- Saves VLAN configuration in NVRAM.
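The trunk troubleshooting checklist (valid mode pairing, compatible encapsulation, matching native VLAN) can be automated from the `show interfaces ... switchport` output of both ends of a link. The script below is an added example, not Cisco's tooling or part of the slide deck: it parses the field/value output, derives each end's effective mode (IOS shows `switchport nonegotiate` as mode trunk with "Negotiation of Trunking: Off"), applies the mode-pairing rules from the DTP slide, resolves the encapsulation, compares native VLANs, and also flags DTP left enabled as the design slides recommend. `END_A` mirrors the Fa5/8 output on the verification slide; `END_B` is a constructed, hypothetical far end.

```python
"""Run the trunk troubleshooting checklist over both ends of a link, using the
'show interfaces ... switchport' output of each end: a mode pairing that actually
forms a trunk (DTP slide), compatible encapsulation, a matching native VLAN, and
DTP turned off as the design slides recommend.

Added example, not Cisco's tooling. Both outputs are constructed: END_A mirrors the
Fa5/8 example on the verification slide, END_B is a hypothetical far end."""

END_A = """\
Name: Fa5/8
Switchport: Enabled
Administrative Mode: dynamic desirable
Operational Mode: trunk
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: Enabled
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Trunking VLANs Enabled: ALL
"""

END_B = """\
Name: Gi0/1
Switchport: Enabled
Administrative Mode: dynamic auto
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: Enabled
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 99 (NATIVE_UNUSED)
Trunking VLANs Enabled: ALL
"""

# Administrative mode pairs that form a trunk, taken from the DTP slide. Any pair
# with 'static access' fails, as does auto/auto; a nonegotiate port sends no DTP
# frames, so it only trunks with a far end that is itself hard-set to trunk.
TRUNK_PAIRS = {
    ("trunk", "trunk"), ("trunk", "dynamic desirable"), ("trunk", "dynamic auto"),
    ("trunk", "nonegotiate"), ("nonegotiate", "nonegotiate"),
    ("dynamic desirable", "dynamic desirable"), ("dynamic desirable", "dynamic auto"),
}


def parse_switchport(text):
    """Turn 'Field: value' lines into a dict."""
    fields = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            fields[key.strip()] = value.strip()
    return fields


def effective_mode(fields):
    """IOS shows nonegotiate as mode trunk with 'Negotiation of Trunking: Off'."""
    mode = fields["Administrative Mode"]
    if mode == "trunk" and fields.get("Negotiation of Trunking", "").lower() == "off":
        return "nonegotiate"
    return mode


def forms_trunk(mode_a, mode_b):
    """Whether the two administrative modes produce a trunk on both ends."""
    return (mode_a, mode_b) in TRUNK_PAIRS or (mode_b, mode_a) in TRUNK_PAIRS


def resolve_encapsulation(enc_a, enc_b):
    """Encapsulation both ends settle on, or None if they cannot agree;
    'negotiate' adopts whatever the far end is set to."""
    if enc_a == enc_b:
        return enc_a
    if enc_a == "negotiate":
        return enc_b
    if enc_b == "negotiate":
        return enc_a
    return None


def native_vlan(fields):
    """Numeric native VLAN from a value such as '1 (default)'."""
    return int(fields["Trunking Native Mode VLAN"].split()[0])


def check_link(text_a, text_b):
    """Findings for one link in checklist order; an empty list means it passes."""
    a, b = parse_switchport(text_a), parse_switchport(text_b)
    mode_a, mode_b = effective_mode(a), effective_mode(b)
    findings = []
    if not forms_trunk(mode_a, mode_b):
        findings.append(f"no trunk forms: {a['Name']} is '{mode_a}', {b['Name']} is '{mode_b}'")
    enc_a = a["Administrative Trunking Encapsulation"]
    enc_b = b["Administrative Trunking Encapsulation"]
    if resolve_encapsulation(enc_a, enc_b) is None:
        findings.append(f"encapsulation mismatch: {enc_a} vs {enc_b}")
    if native_vlan(a) != native_vlan(b):
        findings.append(f"native VLAN mismatch: {native_vlan(a)} vs {native_vlan(b)}")
    for end in (a, b):
        if end.get("Negotiation of Trunking", "").lower() != "off":
            findings.append(f"{end['Name']}: DTP still enabled; hard-set the mode and use 'switchport nonegotiate'")
    return findings


if __name__ == "__main__":
    for finding in check_link(END_A, END_B) or ["link passes the checklist"]:
        print(finding)
```

For the constructed pair, desirable/auto does form a trunk and negotiate/dot1q resolves to dot1q, so the report consists of the native VLAN mismatch (1 versus 99) plus one DTP warning per end.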
Slide 36: VTP Operation
(Figure only.)

Slide 37: VTP Pruning
- VTP pruning prevents flooded traffic from propagating to switches that do not have members in specific VLANs.
- VTP pruning uses VLAN advertisements to determine when a trunk connection is flooding traffic needlessly. Switches 1 and 4 in the figure support ports statically configured in the Red VLAN.
- The broadcast traffic from Station A is not forwarded to Switches 3, 5, and 6 because traffic for the Red VLAN has been pruned on the links indicated on Switches 2 and 4.

Slide 38: VTP Versions
- Three VTP versions: V1, V2, V3.
- Versions are not interoperable (e.g., V2 supports Token Ring VLANs but V1 does not).
- Unrecognized Type-Length-Value (TLV) configuration changes are propagated by V2 servers and clients, and these unrecognized TLVs can be stored in NVRAM.
- V1 transparent switches inspect VTP messages for the domain name and version and forward a message only if the version and domain name match. V2 transparent switches forward VTP messages in transparent mode without checking versions.
- V2 performs VLAN consistency checks (VLAN names and values) only when you enter new information through the CLI or via SNMP. V2 does not perform checks when new information is obtained from a VTP message or when information is read from NVRAM. If the MD5 hash on a received VTP message is correct, V2 accepts the VTP message information.
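The pruning behaviour on the VTP Pruning slide can be reproduced with a small flooding simulation. The script below is an added example, not Cisco's code or part of the slide deck: for a tree of trunk links it withholds a VLAN from any link behind which no switch has a port in that VLAN, then floods a broadcast from Station A's switch and reports which switches receive it. The slide's figure is not on the page, so the link layout is an assumption built to match the slide's description (Red VLAN members on switches 1 and 4, pruning on switches 2 and 4); the eligibility range 2-1001 comes from the "Pruning VLANs Enabled" line in the switchport output shown earlier.

```python
"""Simulate VTP pruning on a tree of trunks, reproducing the behaviour described
on the VTP Pruning slide: flooded traffic for a VLAN is withheld from any trunk
behind which no switch has a port in that VLAN. Only VLANs 2-1001 are pruning
eligible (the 'Pruning VLANs Enabled: 2-1001' line in the switchport output).

Added example, not Cisco's code. The topology is constructed to match the slide's
description; the exact figure is not on the page, so the link layout is an assumption."""
from collections import defaultdict

PRUNE_ELIGIBLE = range(2, 1002)

# Constructed topology: each pair is one trunk link between two switch numbers.
TRUNKS = [(1, 2), (2, 3), (2, 4), (4, 5), (4, 6)]
RED_VLAN, BLUE_VLAN = 100, 200
# Constructed membership: switches with a port statically configured in each VLAN.
MEMBERS = {RED_VLAN: {1, 4}, BLUE_VLAN: {3, 6}}


def build_adjacency(trunks):
    """Undirected adjacency map of the trunk topology."""
    adj = defaultdict(set)
    for a, b in trunks:
        adj[a].add(b)
        adj[b].add(a)
    return adj


def side_has_member(adj, node, came_from, members):
    """True if node, or any switch reachable from it without crossing back over
    the link to came_from, has a port in the VLAN."""
    if node in members:
        return True
    return any(side_has_member(adj, nxt, node, members)
               for nxt in adj[node] if nxt != came_from)


def pruned_links(trunks, vlan, members):
    """Directed (from, to) trunk links on which flooded traffic for vlan is pruned:
    the switch at 'from' withholds the VLAN because nothing beyond 'to' needs it."""
    if vlan not in PRUNE_ELIGIBLE:
        return set()
    adj = build_adjacency(trunks)
    pruned = set()
    for a, b in trunks:
        for src, dst in ((a, b), (b, a)):
            if not side_has_member(adj, dst, src, members):
                pruned.add((src, dst))
    return pruned


def flood_reach(trunks, vlan, members, source):
    """Switches that receive a broadcast sent by a station on 'source' in vlan."""
    adj = build_adjacency(trunks)
    pruned = pruned_links(trunks, vlan, members)
    seen, stack = {source}, [source]
    while stack:
        here = stack.pop()
        for nxt in adj[here]:
            if nxt not in seen and (here, nxt) not in pruned:
                seen.add(nxt)
                stack.append(nxt)
    return seen


if __name__ == "__main__":
    red = MEMBERS[RED_VLAN]
    print("Red VLAN pruned on links:", sorted(pruned_links(TRUNKS, RED_VLAN, red)))
    print("Station A broadcast (switch 1, Red) reaches:", sorted(flood_reach(TRUNKS, RED_VLAN, red, 1)))
    print("Same broadcast in VLAN 1 (not pruning eligible) reaches:", sorted(flood_reach(TRUNKS, 1, set(), 1)))
```

With this topology the Red VLAN is pruned on the links from switch 2 to 3 and from switch 4 to 5 and 6, so Station A's broadcast reaches only switches 1, 2 and 4, as the slide describes; the same broadcast in VLAN 1 reaches every switch because VLAN 1 is outside the pruning-eligible range.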