Professional Documents
Culture Documents
CCCCNNPA Semester3
Semes t eBrC 3M S N
Module 2
VLANs and VTP
www.hanoictt.com
Overview
www.hanoictt.com
HANOICTT NETWORKING ACADEMY
CCNA
P SSeem
meesstteerr13 - B C M S N
VLAN Basics
VLAN Basics
Cisco recommends the use of local or geographic VLANs that segment the network based on
www.hanoictt.com
IP subnets. In Figure , each wiring closet switch is on its own VLAN or subnet and traffic
between each switch is routed by the router.
A VLAN can be thought of as a broadcast domain that exists within a defined set of switches.
Ports on a switch can be grouped into VLANs in order to limit unicast, multicast, and broadcast
traffic flooding. Flooded traffic originating from a particular VLAN is only flooded out ports
belonging to that VLAN, including trunk ports.
HANOICTT NETWORKING ACADEMY
CCNA
P SSeem
meesstteerr13 - B C M S N
VLAN Basics
Any switch port can belong to a VLAN. Unicast, broadcast, and multicast packets are
forwarded and flooded only to stations in the same VLAN.
Each VLAN is a logical network, and packets destined for stations that do not belong to
the same VLAN must be forwarded through a router or routing device. Each VLAN can
also run a separate instance of the Spanning-Tree Protocol (STP). The technology that
allows Cisco switches to support an independent implementation of STP for each VLAN
is called Per-VLAN spanning tree (PVST).
Virtual LANs are essentially Layer 2 constructs, and IP subnets are Layer 3 constructs.
In a campus LAN employing VLANs, a one-to-one relationship often exists between
VLANs and IP subnets.
www.hanoictt.com
In fact, these problems are not constrained to a single LAN segment. These problems
can occur in multisegment environments interconnected with routers.
www.hanoictt.com
If the accounting department resides on two isolated segments, then packets from one
segment must cross the engineering network in order to reach the other accounting
segment. When they cross the engineering segment, it is possible for that information
to be intercepted and misused.
When VLANs are implemented with switched network devices, another level of
www.hanoictt.com
protection is added to the network. Switches bridge traffic within a VLAN. When a
station transmits, the frame goes to the intended destination. As long as it is a known
unicast frame, the switch does not distribute the frame to all users in the VLAN.
HANOICTT NETWORKING ACADEMY
CCNA
P SSeem
meesstteerr13 - B C M S N
VLANs form broadcast domains. Broadcasts and multicasts are not propagated
between VLANs unless the intermediary network devices are specifically configured to
do so.
Each interface on a switch behaves like a port on a legacy bridge. Bridges filter traffic
for the source segment. If a frame needs to cross the bridge, the bridge forwards the
frame to the correct interface. If the bridge or switch does not know the destination
port, it floods the frame to all ports in the broadcast domain (VLAN) except the source
port.
By assigning ports on a switch to different VLANs, it is possible to limit the number of
switch ports out which flooded data gets sent.
www.hanoictt.com
HANOICTT NETWORKING ACADEMY
CCNA
P SSeem
meesstteerr13 - B C M S N
VLAN Security
To safeguard the Accounting departments data, filters in the routers attached to the
engineering segment can include ACLs allowing the accounting traffic to pass through
www.hanoictt.com
Frames for non-IP protocols can be filtered based on their MAC addresses, using
Ethernet ACEs.
Router ACLs
Router ACLs are applied to Switched Virtual Interfaces (SVIs), which are Layer 3
VLAN interfaces. Router ACLs are also applied to physical Layer 3 interfaces and to
www.hanoictt.com
VLAN ACLs
VLAN maps can filter all traffic received by the switch. VLAN maps are applied to all
packets that are routed into or out of a VLAN or are bridged within a VLAN. VLAN
maps are used strictly for security packet filtering. Unlike router ACLs, VLAN maps are
not defined by direction (input or output).
VLAN maps can be configured to match Layer 3 addresses for IP traffic. All non-IP
protocols are filtered through MAC addresses and Ethertype using MAC VLAN maps.
www.hanoictt.com
IP traffic is not access controlled by MAC VLAN maps. VLAN maps can only be
enforced on packets going through the switch. They cannot be enforced on traffic
between hosts on a hub or on another switch connected to the switch on which the
VLAN map is applied.
Standard ACL
Extended ACL
Switch#show access-list
Extended IP access list 106 permit ip any 172.20.128.64 0.0.0.31
Switch#configure terminal
Switch(config)#interface gigabitethernet0/3
Switch(config-if)#ip access-group 106 in
The show fm command will display feature manager information for the
interface or the VLAN. It is also used to determine what label was used in the
hardware for the interface or VLAN configuration.
The show fm label command will display which of the configured ACL
features fit into hardware.
VLAN boundaries
VLANs are classified as local (geographic) or end-to-end (campus-wide).
Alternatively, VLANs are classified as either port-based (static) or dynamic.
www.hanoictt.com
End-to-end VLANs
Backbone links in a switched LAN
should be faster than access level
links.
VLANs can exist either as end-to-end networks (campus-wide) or they can exist
inside of a limited geographic (local) boundaries. An end-to-end VLAN network
comprises the following characteristics:
Users are grouped into VLANs independent of physical location and dependent
www.hanoictt.com
Local VLANs
Note: If an access layer
switch only has users that
belong to a single VLAN, it is
not necessary to configure
those interfaces for the
specific VLAN.
However, some network
administrators assign these
interfaces to their proper
VLAN in case the switch has
other VLANs configured on it
in the future.
With the Campus-wide VLAN model, users that are in the same department
would be in the same VLAN regardless of the location of the VLAN in the
network.
In the Local VLAN model, users in the same department are only in the same
www.hanoictt.com
VLAN if their access layer switches are connected to the same distribution layer
switch.
If the access layer switch is connected to a different distribution layer switch, the
users are assigned a different VLAN ID, and subnet address, regardless of the
users' department.
The network administrator typically performs the VLAN assignment. The port
configuration is static and cannot be automatically changed to another VLAN
without manual reconfiguration.
After a port has been assigned to a VLAN, the port cannot send to or receive
from devices in another VLAN without the intervention of a Layer 3 device.
This approach is quite simple, fast, and easy to manage in that there are no
complex lookup tables required for VLAN segmentation. If port-to-VLAN
association is done with an application-specific integrated circuit (ASIC), the
performance is very good. An ASIC allows the port-to-VLAN mapping to be done
at the hardware level.
www.hanoictt.com
Dynamic VLANs
Dynamic VLANs are created through the use of software packages such as
CiscoWorks 2000. With a VLAN Management Policy Server (VMPS), an
administrator can assign switch ports to VLANs dynamically based on information
such as the source MAC address of the device connected to the port or the
username used to log onto that device. As a device enters the network, the device
queries a database for VLAN membership.
www.hanoictt.com
HANOICTT NETWORKING ACADEMY
CCNA
P SSeem
meesstteerr13 - B C M S N
Dynamic VLANs
When VMPS is enabled, a MAC address-to-VLAN mapping database
downloads from a Trivial File Transfer Protocol (TFTP) server and VMPS
begins to accept client requests. If the switch is power cycled or reset, the
VMPS database downloads from the TFTP server automatically and VMPS is
reenabled.
When the VMPS server receives a valid request from a client, it searches its
database
for a MAC address-to-VLAN mapping.
If a VLAN in the database does not match the current VLAN on the port and
active hosts are on the port, VMPS sends an access-denied or a port-shutdown
response based on the secure mode of the VMPS.
Deleting VLANs
Caution: When a VLAN is deleted, any ports assigned to that VLAN become
inactive. They remain associated with the deleted VLAN until they are
assigned to a new VLAN. Use caution when deleting VLANs. It is possible to
cause a major loss of connectivity by accidentally eliminating a VLAN that
still has active users on it
www.hanoictt.com
HANOICTT NETWORKING ACADEMY
CCNA
P SSeem
meesstteerr13 - B C M S N
VMPS operation
With VLAN Membership Policy Server (VMPS), switch ports can be assigned to
VLANs dynamically, based on the source MAC address or user ID of the device
connected to the port.
When VMPS is enabled, a MAC address-to-VLAN mapping database downloads
from a Trivial File Transfer Protocol (TFTP) server to the VMPS server (a Catalyst
switch). The VMPS server then begins accepting client requests.
The VMPS client communicates with a VMPS server through the VLAN Query
www.hanoictt.com
Protocol (VQP). When the VMPS receives a VQP request from a client switch, it
searches its database for a MAC-address-to-VLAN mapping.
The server response is based on this mapping and whether or not the server is in
secure mode. Secure mode determines whether the server shuts down the port when
a VLAN is not allowed on it or just denies the port access to the VLAN.
While this is rarely done, a VMPS database file can be created from scratch using
these rules:
Begin the configuration file with the word "VMPS", to prevent other types of
configuration files from incorrectly being read by the VMPS server.
Define the VMPS domain.
Define the security mode as either open (the default) or secure mode.
Define a fallback VLAN. (optional)
Define the MAC address-to-VLAN name mappings.
Define port groups to which VMPS will be applied, using groups, individual ports,
or the all-ports keyword.
Define VLAN groups to which VLAN port policies will be applied.
Define VLAN port policies to associate ports with a restricted VLAN.
www.hanoictt.com
HANOICTT NETWORKING ACADEMY
CCNA
P SSeem
meesstteerr13 - B C M S N
To create a VMPS database, first determine the MAC addresses of the hosts
that will be assigned to VLANs dynamically and determine the VMPS mode
Then map out the port-groups, VLAN-groups, port-policies, and fallback
VLAN. Next, create an ASCII text file that contains the MAC address-to-
www.hanoictt.com
VLAN mappings and policies. Lastly, move the ASCII text file to a TFTP
server so it can be downloaded to the switch that will act as the VMPS
server.
Use the show vmps command to verify the VMPS server entry. This command did
not become available on some IOS-based switch platforms until IOS Release 12.1(6).
Static switch ports run in either the access or trunk mode. In the access mode, the
port belongs to one and only one VLAN. An access port is a switch port that connects
to an end-user device or a server;
www.hanoictt.com
A trunk link differs from an access link in that it is capable of supporting multiple
VLANs. The VLANs are multiplexed over the link with a trunking protocol. Trunks can
extend VLANs across an entire network. A trunk link can be configured to transport all
VLANs or a restricted set of VLANs. Catalyst switches support trunk links on Fast
Ethernet, Gigabit Ethernet, and 10Gigabit Ethernet ports.
By default, the switchport mode trunk command will trunk all VLANs.
www.hanoictt.com
In 802.1Q trunking, all VLAN packets are tagged on the trunk link to indicate the
VLAN to which they belong. Frames belonging to the Native VLAN are sent
untagged on the trunk link. The Native VLAN contains ports not assigned to other
VLANs that by default belong to VLAN 1. VLAN 1 is the Native VLAN by default, but
VLANs other than VLAN 1 may be designated as the Native VLAN.
By default, a Cisco IOS-based switch trunk port sends to and receives traffic from all
VLANs in the VLAN database. All VLANs, 1 to 1005, are allowed on each trunk, but
some of those VLANs can be removed from the list of allowed VLANs, preventing
traffic from those VLANs from passing over the trunk.
HANOICTT NETWORKING ACADEMY
CCNA
P SSeem
meesstteerr13 - B C M S N
Trunk mode
If both switches are set to trunk mode, then the link is a trunking link. By default, all
VLANs will be transmitted across this trunk.
SwitchA(config)#inter fa 0/1
SwitchA(config-if)#switchport mode trunk
SwitchB(config)#inter fa 0/1
www.hanoictt.com
Note: Switches such as the Catalyst 3550 that are capable of either 802.1Q or ISL
trunking encapsulation, the switchport trunk encapsulation [dot1q | isl |
negotiate] interface command must be used prior to the switchport mode trunk
command.
HANOICTT NETWORKING ACADEMY
CCNA
P SSeem
meesstteerr13 - B C M S N
DTP combinations
www.hanoictt.com
Verifying DTP
The show interface
switchport command can
be used to verify DTP
information and status:
Administrative Mode
Operational Mode
Administrative Trunking
Encapsulation
Negotiation of Trunking
standard 802.10 frame (FDDI). The VLAN information is written to the Security
Association Identifier (SAID) portion of the 802.10 frame. This method is typically
used to transport VLANs across FDDI backbones.
LAN Emulation (LANE) is an ATM Forum standard that can be used for
transporting VLANs over Asynchronous Transfer Mode (ATM) networks.
Inter-Switch Link
Inter-Switch Link
www.hanoictt.com
IEEE 802.1Q uses an internal tagging process that does modify the Ethernet frame. This
internal tagging process is what allows IEEE 802.1Q tagging to work on both access and
trunk links, because the frame appears to be a standard Ethernet frame. As opposed to the
30 bytes added by ISL, 802.1Q inserts only an additional 4 bytes into the Ethernet frame.
The IEEE 802.1Q header contains the following:
A 4-byte tag header containing a tag protocol identifier (TPID) and tag control
information (TCI)
www.hanoictt.com
A 2-byte TPID with a fixed value of 0x8100 that indicates that the frame carries the
802.1Q/802.1p tag information.
A TCI containing the following elements:
Three-bit user priority
One-bit canonical format indicator (CFI)
Twelve-bit VLAN identifier (VID)-Uniquely identifies the VLAN to which the frame belongs
HANOICTT NETWORKING ACADEMY
CCNA
P SSeem
meesstteerr13 - B C M S N
FDDI interfaces that support 802.10 make selective forwarding decisions within
a network domain based on a VLAN identifier. This VLAN identifier is the user-
configurable 4-byte IEEE 802.10 Security Association Identifier (SAID). The
SAID identifies traffic as belonging to a particular VLAN.
www.hanoictt.com
LAN emulation
ATM LAN Emulation (LANE) is a
standard defined by the ATM Forum that
gives two stations attached via ATM the
same capabilities they normally would
have with legacy LANs, such as Ethernet
and Token Ring.
As the name suggests, the function of
the LANE protocol is to emulate a LAN
on top of an ATM network. Specifically,
the LANE protocol defines mechanisms
for emulating either an IEEE 802.3
Ethernet or an 802.5 Token Ring LAN.
It is important to note that LANE does not attempt to emulate the access method of the
specific LAN concerned (that is, carrier sense multiple access collision detect [CSMA/CD]
for Ethernet or token passing for IEEE 802.5).
www.hanoictt.com
Management domain
Configuration revision number
Known VLANs and their specific parameters
VTP operation
A VTP domain is made up of one or more interconnected devices that share the same
VTP domain name. A switch can be configured to be in one VTP domain only. Global
VLAN information is propagated across the network by way of connected switch trunk
ports.
When transmitting VTP messages to other switches in the network, the VTP message
is encapsulated in a trunking protocol frame such as ISL or IEEE 802.1Q. The VTP
header varies, depending upon the type of VTP message, but generally, four items are
found in all VTP messages:
VTP protocol version Either Version 1 or 2
www.hanoictt.com
VTP operation
In order to use VTP, VTP domain name must be assigned to each switch. VTP domain
names are case sensitive. VTP information remains in the VLAN management domain.
The following are conditions for a VTP domain:
www.hanoictt.com
Each Catalyst switch in a domain must have the same VTP domain name, whether
learned or configured.
The Catalyst switches must be adjacent, meaning that all switches in the VTP domain
form a contiguous tree in which every switch is connected to every other switch in the
domain via the tree.
Trunking must be enabled between all Catalyst switches.
VTP modes
Server
By default, a Catalyst switch is in the VTP server mode and in the no management
domain state until the switch receives an advertisement for a domain over a trunk link
or a VLAN management domain is configured.
A critical parameter governing VTP function is the VTP configuration revision number.
This 32-bit number indicates the particular revision of a VTP configuration. A
configuration revision number starts at 0 and increments by 1 with each modification
until it reaches 4294927295, at which point it recycles back to 0 and starts incrementing
again.
Client
www.hanoictt.com
The VTP client maintains a full list of all VLANs within the VTP domain, but it does not
store the information in NVRAM.
Transparent
VTP transparent switches do not participate in VTP. A VTP transparent switch does not
advertise its VLAN configuration, and does not synchronize its VLAN configuration
based on received advertisements.
HANOICTT NETWORKING ACADEMY
CCNA
P SSeem
meesstteerr13 - B C M S N
Delete the VLAN database, erase the startup configuration, and power cycle the switch.
This will avoid potential problems resulting from residual VLAN configurations or adding a
switch with a higher VTP configuration revision number that could result in the propagation
of incorrect VLAN information.
From the privileged mode, issue the delete vlan.dat and erase startup-config
commands, then power cycle the switch.
It is also highly recommended that you use secure mode in your VTP domain. Assigning a
password to the domain will accomplish this.
This will prevent unauthorized switches from participating in the VTP domain.
www.hanoictt.com
From the privileged mode or VLAN configuration mode, use the vtp password password
command.
VTP advertisements
Periodic VTP advertisements
are sent out each trunk port
with the multicast destination
MAC address 01-00-0C-CC-
CC-CC. VTP advertisements
contain the following
configuration information:
9VLAN IDs (ISL and 802.1Q)
9Emulated LAN names (ATM
LANE)
9802.10 SAID values (FDDI)
9VTP domain name
9VTP configuration revision
number
9VLAN configuration,
www.hanoictt.com
VTP advertisements
VTP packets can be encapsulated into an ISL frame. The VTP headers format varies,
depending on the type of VTP message. However, all packets contain the following fields
in the header:
VTP protocol version: 1 or 2
VTP message type
Management domain length
Management domain name
Two different versions of VTP can run in the management domain, VTP Version 1 and
VTP Version 2. The two versions are not interoperable in the same VTP domain.
The major difference between the two versions is version 2 introduces support for
Token Ring VLANs.
If all switches in a VTP domain can run VTP Version 2, version 2 only needs to be
enabled on one VTP server switch.
The version number is propagated to the other VTP Version 2-capable switches in the
VTP domain. Version 2 should not be enabled unless every switch in the VTP domain
supports version 2.
Some general guidelines for choosing the VTP mode of a switch are as follows:
1. If this is the first switch in the management domain and additional switches will be
added, set the mode to server.
2. If there are any other switches in the management domain, set the switch mode to
client to prevent the new switch from accidentally propagating the incorrect information
to your existing network.
3. If a new switch needs to be set up as a VTP server, change the mode of the switch
to server after it has learned the correct VLAN information from the network while in
client mode.
4. If the switch is not going to share VLAN information with any other switch on the
network, set the switch to transparent mode.
To set the correct mode of a Cisco IOS- To set the correct mode of a Cisco IOS-
based switch in global configuration mode based switch in VLAN configuration mode
www.hanoictt.com
The default behavior of a switch is to propagate broadcast and unknown packets across the
network.
www.hanoictt.com
VTP pruning increases bandwidth efficiency by reducing unnecessary flooding of traffic, such
as broadcast, multicast, unknown, and flooded unicast packets. VTP pruning increases available
bandwidth by restricting flooded traffic to those trunk links that the traffic must use to access the
appropriate network devices. By default, VTP pruning is disabled.
In a switched network that does not have VTP pruning enabled, broadcasts will be sent to
switches that do not need to receive them.
Enabling VTP pruning on a VTP server enables pruning for the entire management domain.
VTP pruning takes effect several seconds after it is enabled. By default, VLANs 2 through 1000 or
2 through 1001 are pruning eligible, depending upon the platform. VTP pruning does not prune
www.hanoictt.com
traffic from VLANs that are pruning ineligible. VLAN 1 is always pruning ineligible and VLAN 1
cannot be removed from a trunk.
However, the VLAN 1 disable on trunk feature available on Catalyst 4000, 5000, and 6000
family switches enables the pruning of user traffic, but not protocol traffic such as CDP and VTP,
for VLAN 1 from a trunk. Use the vtp pruning command to make VLANs pruning eligible on a
Cisco IOS-based switch.
HANOICTT NETWORKING ACADEMY
CCNA
P SSeem
meesstteerr13 - B C M S N
VTP pruning.
Summary
Concepts covered in this chapter include:
VLANs solve many of the issues found in Layer 2 environments.
These issues include broadcast control, isolation of problem
components in the network, security, and load balancing through the
use of a Layer 3 protocol between VLANs.
VLAN identification allows different VLANs to be carried on the
same physical link, called a trunk link. Four major trunking
technologies exist: ISL, IEEE 802.1Q, IEEE 802.10, and ATM LANE.
ISL encapsulates Ethernet frames, and IEEE 802.1Q embeds a tag in
the Ethernet header.
The VLAN Trunking Protocol (VTP) provides support for dynamic
reporting of the addition, deletion, and renaming of VLANs across the
switch fabric.
VTP pruning permits the dynamic pruning of unnecessary VLAN
traffic within the management domain.
www.hanoictt.com
HANOICTT NETWORKING ACADEMY
CCNA
P SSeem
meesstteerr13 - B C M S N
www.hanoictt.com