Icnd210s02 Vlan&trunks STP


Implementing VLANs and Trunks
Medium-Sized Switched Network Construction

Issues in a Poorly Designed Network

• Unbounded failure domains
• Large broadcast domains
• Large amount of unknown MAC unicast traffic
• Unbounded multicast traffic
• Management and support challenges
• Possible security vulnerabilities

VLAN = Broadcast Domain = Logical Network (Subnet)

VLAN Overview

• Segmentation
• Flexibility
• Security

Designing VLANs for an Organization

• VLAN design must take into consideration the implementation of a hierarchical network addressing scheme.
• The benefits of hierarchical addressing are:
  – Ease of management and troubleshooting
  – Minimization of errors
  – Reduced number of routing table entries

Guidelines for Applying IP Address Space

• Allocate one IP subnet per VLAN.
• Allocate IP address spaces in contiguous blocks.

Network Traffic Types

Traffic types to consider when designating VLANs:
• Network management
• IP telephony
• IP Multicast
• Normal data
• Scavenger class

Advantages of Voice VLANs

• Phones segmented in separate logical networks
• Provides network segmentation and control
• Allows administrators to create and enforce QoS
• Lets administrators add and enforce security policies

VLAN Operation
VLAN Membership Modes
802.1Q Trunking
802.1Q Frame
Understanding Native VLANs
Cisco’s VTP Features
VTP Modes

Server mode:
• Create VLANs
• Modify VLANs
• Delete VLANs
• Sends and forwards advertisements
• Synchronizes

Client mode:
• Cannot create, change, or delete VLANs
• Sends and forwards advertisements
• Synchronizes

Transparent mode:
• Create local VLANs only
• Modify local VLANs only
• Delete local VLANs only
• Forwards advertisements
• Does not synchronize

VTP Operation

• VTP advertisements are sent as multicast frames.
• VTP servers and clients are synchronized to the latest revision number.
• VTP advertisements are sent every 5 minutes or when there is a change.

VTP Pruning
Configuring VLANs and Trunks

1. Configure and verify VTP.
2. Configure and verify 802.1Q trunks.
3. Create or modify a VLAN on the VTP server switch.
4. Assign switch ports to a VLAN and verify.
5. Execute adds, moves, and changes.
6. Save the VLAN configuration.

VTP Configuration Guidelines

• VTP defaults for the Cisco Catalyst switch:
  – VTP domain name: None
  – VTP mode: Server mode
  – VTP pruning: Enabled or disabled (model specific)
  – VTP password: Null
  – VTP version: Version 1
• A new switch can automatically become part of a domain once it receives an advertisement from a server.
• A VTP client can overwrite a VTP server database if the client has a higher revision number.
• A domain name cannot be removed after it is assigned; it can only be reassigned.

Creating a VTP Domain

SwitchX# configure terminal
SwitchX(config)# vtp mode [ server | client | transparent ]
SwitchX(config)# vtp domain domain-name
SwitchX(config)# vtp password password
SwitchX(config)# vtp pruning
SwitchX(config)# end

VTP Configuration and Verification Example

SwitchX(config)# vtp domain ICND
Changing VTP domain name to ICND
SwitchX(config)# vtp mode transparent
Setting device to VTP TRANSPARENT mode.
SwitchX(config)# end

SwitchX# show vtp status
VTP Version : 2
Configuration Revision : 0
Maximum VLANs supported locally : 64
Number of existing VLANs : 17
VTP Operating Mode : Transparent
VTP Domain Name : ICND
VTP Pruning Mode : Disabled
VTP V2 Mode : Disabled
VTP Traps Generation : Disabled
MD5 digest : 0x7D 0x6E 0x5E 0x3D 0xAF 0xA0 0x2F 0xAA
Configuration last modified by 10.1.1.4 at 3-3-93 20:08:05
SwitchX#

802.1Q Trunking Issues

• Make sure that the native VLAN for an 802.1Q trunk is the same on both ends of the trunk link.
• Note that native VLAN frames are untagged.
• A trunk port cannot be a secure port.
• All 802.1Q trunking ports in an EtherChannel group must have the same configuration.

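The two native-VLAN points above, worked through in code: an added example (not part of the course deck) that tags and untags 802.1Q frames and shows where an untagged native-VLAN frame ends up when the two ends of a trunk disagree. The sample frame, the helper names and the VLAN numbers are all constructed for the example.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag

# Constructed sample frame: broadcast dst, made-up src, IPv4 EtherType, short payload.
SAMPLE_FRAME = (bytes.fromhex("ffffffffffff") + bytes.fromhex("0200aa000001")
                + struct.pack("!H", 0x0800) + b"payload")


def tag_frame(frame: bytes, vlan_id: int, pcp: int = 0) -> bytes:
    """Insert an 802.1Q tag (TPID + TCI) after the two MAC addresses."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be in 1..4094")
    tci = ((pcp & 0x7) << 13) | (vlan_id & 0xFFF)   # PCP(3) DEI(1)=0 VID(12)
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def parse_frame(frame: bytes):
    """Return (vlan_id or None, ethertype, payload); None means the frame is untagged."""
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype == TPID_8021Q:
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        return tci & 0xFFF, ethertype, frame[18:]
    return None, ethertype, frame[14:]


def send_on_trunk(frame: bytes, vlan_id: int, native_vlan: int) -> bytes:
    """Transmit side: frames of the native VLAN leave untagged, all others are tagged."""
    return frame if vlan_id == native_vlan else tag_frame(frame, vlan_id)


def receive_on_trunk(frame: bytes, native_vlan: int) -> int:
    """Receive side: a tagged frame goes to its VID; an untagged frame is assigned
    to this end's native VLAN, whatever VLAN the sender had it in."""
    vid, _ethertype, _payload = parse_frame(frame)
    return native_vlan if vid is None else vid


def vlan_after_trunk(vlan_id: int, native_a: int, native_b: int) -> int:
    """VLAN in which a frame from VLAN vlan_id on side A is placed on side B."""
    return receive_on_trunk(send_on_trunk(SAMPLE_FRAME, vlan_id, native_a), native_b)
```

With matching native VLANs every frame lands where it was sent; with native VLAN 1 on one end and 99 on the other, untagged traffic from VLAN 1 is delivered into VLAN 99, which is the mismatch the first bullet warns about.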
Configuring 802.1Q Trunking

SwitchX(config-if)#
switchport mode {access | dynamic {auto | desirable} | trunk}
• Configures the trunking characteristics of the port

SwitchX(config-if)#
switchport mode trunk
• Configures the port as a VLAN trunk

Verifying a Trunk

SwitchX# show interfaces interface [switchport | trunk]

SwitchX# show interfaces fa0/11 switchport
Name: Fa0/11
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: down
Administrative Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
. . .

SwitchX# show interfaces fa0/11 trunk
Port      Mode       Encapsulation  Status    Native vlan
Fa0/11    desirable  802.1q         trunking  1

Port      Vlans allowed on trunk
Fa0/11    1-4094

Port      Vlans allowed and active in management domain
Fa0/11    1-13

VLAN Creation Guidelines

• The maximum number of VLANs is switch-dependent.
• Most Cisco Catalyst desktop switches support 128 separate spanning-tree instances, one per VLAN.
• VLAN 1 is the factory default Ethernet VLAN.
• Cisco Discovery Protocol and VTP advertisements are sent on VLAN 1.
• The Cisco Catalyst switch IP address is in the management VLAN (VLAN 1 by default).
• If using VTP, the switch must be in VTP server or transparent mode to add or delete VLANs.

Adding a VLAN

SwitchX# configure terminal
SwitchX(config)# vlan 2
SwitchX(config-vlan)# name switchlab99

Verifying a VLAN

SwitchX# show vlan [brief | id vlan-id | name vlan-name]

SwitchX# show vlan id 2
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
2    switchlab99                      active    Fa0/2, Fa0/12

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
2    enet  100002     1500  -      -      -        -    -        0      0
. . .
SwitchX#

Assigning Switch Ports to a VLAN

SwitchX(config-if)#
switchport access [vlan vlan# | dynamic]

SwitchX# configure terminal
SwitchX(config)# interface range fastethernet 0/2 - 4
SwitchX(config-if-range)# switchport access vlan 2

SwitchX# show vlan
VLAN Name                             Status    Ports
---- -------------------------------- --------- ----------------------
1    default                          active    Fa0/1
2    switchlab99                      active    Fa0/2, Fa0/3, Fa0/4

Verifying VLAN Membership

SwitchX# show vlan brief
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1
2    switchlab99                      active    Fa0/2, Fa0/3, Fa0/4
3    vlan3                            active
4    vlan4                            active
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup

Verifying VLAN Membership (Cont.)

SwitchX#
show interfaces interface switchport

SwitchX# show interfaces fa0/2 switchport
Name: Fa0/2
Switchport: Enabled
Administrative Mode: dynamic auto
Operational Mode: static access
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: native
Negotiation of Trunking: On
Access Mode VLAN: 2 (switchlab99)
Trunking Native Mode VLAN: 1 (default)
--- output omitted ----

Executing Adds, Moves, and Changes for VLANs

• When using VTP, the switch must be in VTP server or transparent mode to add, change, or delete VLANs.
• When you make VLAN changes from a switch in VTP server mode, the change is propagated to other switches in the VTP domain.
• Changing VLANs typically implies changing IP networks.
• After a port is reassigned to a new VLAN, that port is automatically removed from its previous VLAN.
• When you delete a VLAN, any ports in that VLAN that are not moved to an active VLAN will be unable to communicate with other stations.

Summary

• A poorly designed network has increased support costs, reduced service availability, and limited support for new applications and solutions.
• VLANs provide segmentation and organizational flexibility.
• Ethernet trunks carry the traffic of multiple VLANs over a single link and allow you to extend VLANs across an entire network.
• VTP is a Layer 2 messaging protocol that maintains VLAN configuration consistency.

Improving Performance and Spanning Tree
Medium-Sized Switched Network Construction

Interconnection Technologies

Technology           Use
Fast Ethernet        Connects end-user devices to the access layer switch
Gigabit Ethernet     Connects access switch to distribution switch and high use servers to switches
10-Gigabit Ethernet  Provides high-speed switch to switch links, backbones
EtherChannel         Provides high-speed switch to switch links, backbones with redundancy

Determining Equipment and Cabling Needs

Each link provides adequate bandwidth for the total aggregate traffic over that link.

Advantages of EtherChannel (Link Aggregation)

• Logical aggregation of similar links between switches
• Load-shares across links
• Viewed as one logical port to STP
• Redundancy

STP (Spanning Tree Protocol, 802.1D)

Radia Perlman

Redundant Topology

• Redundant topology eliminates single points of failure.
• Redundant topology causes broadcast storms, multiple frame copies, and MAC address table instability problems.

Broadcast Frames

• Station D sends a broadcast frame.
• Broadcast frames are flooded to all ports except the originating port.

Broadcast Storms

• Host X sends a broadcast.
• Switches continue to propagate broadcast traffic over and over.

Multiple Frame Copies

• Host X sends a unicast frame to router Y.
• The MAC address of router Y has not been learned by either switch.
• Router Y will receive two copies of the same frame.

MAC Database Instability

• Host X sends a unicast frame to router Y.
• The MAC address of router Y has not been learned by either switch.
• Switches A and B learn the MAC address of host X on port 1.
• The frame to router Y is flooded.
• Switches A and B incorrectly learn the MAC address of host X on port 2.

Loop Resolution with STP

• Provides a loop-free redundant network topology by placing certain ports in the blocking state
• Published in the IEEE 802.1D specification
• Enhanced with the Cisco PVST+ implementation

Spanning-Tree Operation

• One root bridge per broadcast domain.
• One root port per nonroot bridge.
• One designated port per segment.
• Nondesignated ports are unused.

STP Root Bridge Selection

• BPDU (default = sent every 2 seconds)
• Root bridge = bridge with the lowest bridge ID
• Bridge ID = Bridge Priority + MAC Address

Spanning-Tree Port States

Spanning tree transits each port through several different states:

Describing PortFast

PortFast is configured on access ports, not trunk ports.

Configuring and Verifying PortFast

SwitchX(config-if)#
spanning-tree portfast
• Configures PortFast on an interface

OR

SwitchX(config)#
spanning-tree portfast default
• Enables PortFast on all non-trunking interfaces

SwitchX#
show running-config interface interface
• Verifies that PortFast has been configured on an interface

Spanning-Tree Operation Example
Spanning-Tree Path Cost

Link Speed   Cost (Revised IEEE Specification)   Cost (Previous IEEE Specification)
10 Gb/s      2                                   1
1 Gb/s       4                                   1
100 Mb/s     19                                  10
10 Mb/s      100                                 100

Spanning-Tree Recalculation
Per VLAN Spanning Tree Plus (PVST+)
PVST+ Extended Bridge ID

Bridge ID without the extended system ID

Extended bridge ID with system ID

System ID = VLAN

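The root bridge selection rule (lowest bridge ID, priority first and MAC as tie-breaker), the PVST+ extended system ID (priority + VLAN) and the revised path-cost table from the slides, put together in an added example that is not part of the course deck. The candidate switches, their MACs and the link speeds are constructed; the 24576 + VLAN 30 = 24606 case matches the show spanning-tree output later in the deck.

```python
# Constructed candidate bridges for one VLAN: name -> (configured priority, MAC).
CANDIDATES = {
    "SwitchA": (32768, "00d0.047b.2800"),   # default priority
    "SwitchB": (24576, "0012.3456.7890"),
    "SwitchC": (24576, "0000.0c12.3456"),   # same priority as B, lower MAC
}

# Revised IEEE cost per link speed in Mb/s (the deck's path-cost table).
STP_COST = {10_000: 2, 1_000: 4, 100: 19, 10: 100}


def bridge_id(priority: int, vlan: int, mac: str) -> tuple:
    """PVST+ extended bridge ID as a comparable tuple: (priority + VLAN system ID, MAC).
    Configured priorities are only valid in increments of 4096, as the deck notes."""
    if priority % 4096 or not 0 <= priority <= 61440:
        raise ValueError("priority must be a multiple of 4096 between 0 and 61440")
    if not 1 <= vlan <= 4094:
        raise ValueError("VLAN must be in 1..4094")
    mac_int = int(mac.replace(".", "").replace(":", ""), 16)
    return (priority + vlan, mac_int)


def elect_root(candidates: dict, vlan: int) -> str:
    """Root bridge for this VLAN = the candidate with the lowest extended bridge ID."""
    return min(candidates,
               key=lambda name: bridge_id(candidates[name][0], vlan, candidates[name][1]))


def root_path_cost(link_speeds_mbps) -> int:
    """Cumulative cost from a bridge to the root, summed over the links on the path."""
    return sum(STP_COST[speed] for speed in link_speeds_mbps)


def choose_root_port(paths: dict) -> str:
    """paths: port name -> list of link speeds (Mb/s) along that port's path to the root.
    The port with the lowest root path cost becomes the root port; equal costs are
    not broken here (the first lowest in dict order is returned)."""
    return min(paths, key=lambda port: root_path_cost(paths[port]))
```

Because the VLAN number is added into the priority field, the same switch has a different bridge ID in every VLAN, which is what lets a PVST+ design give VLAN 1 and VLAN 2 different root bridges.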
Rapid Spanning Tree Protocol
Default Spanning-Tree Configuration

• Cisco Catalyst switches support three types of STPs:
  – PVST+
  – PVRST+
  – MSTP
• The default STP for Cisco Catalyst switches is PVST+:
  – A separate STP instance for each VLAN
  – One root bridge for all VLANs
  – No load sharing

PVRST+ Configuration Guidelines

1. Enable PVRST+.
2. Designate and configure a switch to be the root bridge.
3. Designate and configure a switch to be the secondary root bridge.
4. Verify the configuration.

PVRST+ Implementation Commands

SwitchX(config)#
spanning-tree mode rapid-pvst
• Configures PVRST+

SwitchX#
show spanning-tree vlan vlan# [detail]
• Verifies the spanning-tree configuration

SwitchX#
debug spanning-tree pvst+
• Displays PVST+ event debug messages

Verifying PVRST+

SwitchX# show spanning-tree vlan 30
VLAN0030
  Spanning tree enabled protocol rstp
  Root ID    Priority    24606
             Address     00d0.047b.2800
             This bridge is the root
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
  Bridge ID  Priority    24606  (priority 24576 sys-id-ext 30)
             Address     00d0.047b.2800
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 300
Interface  Role Sts Cost  Prio.Nbr Type
---------- ---- --- ----- -------- ----
Gi1/1      Desg FWD 4     128.1    P2p
Gi1/2      Desg FWD 4     128.2    P2p
Gi5/1      Desg FWD 4     128.257  P2p

The spanning-tree mode is set to PVRST.

Configuring the Root and Secondary Bridges
Configuring the Root and Secondary Bridges: SwitchA

SwitchA(config)#
spanning-tree vlan 1 root primary
• This command forces this switch to be the root for VLAN 1.

SwitchA(config)#
spanning-tree vlan 2 root secondary
• This command configures this switch to be the secondary root for VLAN 2.

OR

SwitchA(config)#
spanning-tree vlan x priority priority
• This command statically configures the priority (increments of 4096).

Configuring the Root and Secondary Bridges: SwitchB

SwitchB(config)#
spanning-tree vlan 2 root primary
• This command forces the switch to be the root for VLAN 2.

SwitchB(config)#
spanning-tree vlan 1 root secondary
• This command configures the switch to be the secondary root for VLAN 1.

OR

SwitchB(config)#
spanning-tree vlan # priority priority
• This command statically configures the priority (increments of 4096).

Summary

• A redundant switched topology includes multihomed switches and EtherChannel.
• A redundant switched topology causes looping issues such as broadcast storms.
• The 802.1D STP establishes a loop-free network.
• The original STP has been enhanced by PVST+ and RSTP.

Routing Between VLANs
Medium-Sized Switched Network Construction
VLAN-to-VLAN Overview

• Network layer devices combine multiple broadcast domains.

Dividing a Physical Interface into Subinterfaces

• Physical interfaces can be divided into multiple subinterfaces.

Routing Between VLANs with 802.1Q Trunks and native VLAN

interface fastethernet 0/0
 ip address 10.1.1.1 255.255.255.0
interface fastethernet 0/0.2
 encapsulation dot1q 2
 ip address 10.2.2.1 255.255.255.0

Summary

• Inter-VLAN routing using a router on a stick utilizes an external router to pass traffic between VLANs.
• A router on a stick is configured with a subinterface for each VLAN and 802.1Q trunk encapsulation.

Securing the Expanded Network
Medium-Sized Switched Network Construction
Overview of Switch Security
Recommended Practices: New Switch Equipment

• Consider or establish organizational security policies.
• Secure switch devices:
  – Secure switch access.
  – Secure switch protocols.
  – Mitigate compromises through switches.

Recommended Practices: Switch Security

• Secure switch access:
  – Set system passwords.
  – Secure physical access to the console.
  – Secure access via Telnet.
  – Use SSH when possible.
  – Disable HTTP.
  – Configure system warning banners.
  – Disable unneeded services.
  – Use syslog if available.

Recommended Practices: Switch Security (Cont.)

• Secure switch protocols:
  – Trim Cisco Discovery Protocol and use only as needed.
  – Secure spanning tree.
• Mitigate compromises through a switch:
  – Take precautions for trunk links.
  – Minimize physical port access.
  – Establish standard access-port configuration for both unused and used ports.

Port Security

Port security restricts port access by MAC address.

802.1X Port-Based Authentication

Network access through the switch requires authentication.

Visual Objective 2-1: Configuring Expanded Switched Networks

Subnet    VLAN  Devices
10.1.1.0  1     Core Switches, CoreRouter, SwitchX
10.2.2.0  2     CoreRouter, RouterA
10.3.3.0  3     CoreRouter, RouterB
10.4.4.0  4     CoreRouter, RouterC
10.5.5.0  5     CoreRouter, RouterD
10.6.6.0  6     CoreRouter, RouterE
10.7.7.0  7     CoreRouter, RouterF
10.8.8.0  8     CoreRouter, RouterG
10.9.9.0  9     CoreRouter, RouterH

Summary

• Follow recommended practices for securing your switched topology by using passwords, deactivating unused ports, configuring authentication, and using port security.
• To secure a switch device, you must secure access to the switch and the protocols that the switch uses.

Troubleshooting Switched Networks
Medium-Sized Switched Network Construction
Switches Troubleshooting

General troubleshooting suggestions:
• Become familiar with normal switch operation.
• Have an accurate physical and logical map of the network.
• Have a plan.
• Do not assume a component is working without verifying it first.

Troubleshooting Port Connectivity
Troubleshooting VLANs and Trunks
Troubleshooting VTP
Troubleshooting VTP (Cont.)

Verify these settings if Catalyst switches do not exchange VTP information:
• All ports that interconnect switches are configured as trunks.
• VLANs are active in all server switches.
• There is at least one VTP server switch.
• The VTP domain name, and password, if assigned, match on all switches (case-sensitive).
• The switches all run the same version of VTP.
• Verify the domain name and VTP version on transparent switches.
• Be aware that extended-range VLANs do not propagate for VTPv1 and VTPv2.

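The VTP checks in this list that can be read straight from show vtp status (at least one server, case-sensitive domain name, same VTP version), plus the earlier guideline that a client with a higher configuration revision can overwrite the server database, as an added consistency check that is not part of the course deck. The three show vtp status excerpts are constructed for the example; the field names are the ones shown in the deck's own show vtp status output.

```python
# Constructed 'show vtp status' excerpts from three switches (not output from the deck).
SHOW_VTP_STATUS = {
    "SwitchX": "VTP Version : 2\nConfiguration Revision : 12\n"
               "VTP Operating Mode : Server\nVTP Domain Name : ICND\n",
    "SwitchY": "VTP Version : 2\nConfiguration Revision : 12\n"
               "VTP Operating Mode : Client\nVTP Domain Name : ICND\n",
    "SwitchZ": "VTP Version : 2\nConfiguration Revision : 57\n"
               "VTP Operating Mode : Client\nVTP Domain Name : icnd\n",
}


def parse_vtp_status(text: str) -> dict:
    """Turn the 'Key : Value' lines of show vtp status into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def check_vtp_domain(outputs: dict) -> list:
    """Apply the slide's VTP checks to collected outputs (switch name -> text).
    Returns a list of findings; an empty list means the settings are consistent."""
    status = {name: parse_vtp_status(text) for name, text in outputs.items()}
    modes = {name: s["VTP Operating Mode"].lower() for name, s in status.items()}
    findings = []
    domains = {s["VTP Domain Name"] for s in status.values()}  # compared case-sensitively
    if len(domains) > 1:
        findings.append("VTP domain name mismatch: " + ", ".join(sorted(domains)))
    versions = {s["VTP Version"] for s in status.values()}
    if len(versions) > 1:
        findings.append("VTP version mismatch: " + ", ".join(sorted(versions)))
    server_revs = [int(s["Configuration Revision"])
                   for name, s in status.items() if modes[name] == "server"]
    if not server_revs:
        findings.append("no VTP server switch in the domain")
        return findings
    # A client whose revision is higher than the server's can overwrite the server database.
    server_rev = max(server_revs)
    for name, s in status.items():
        rev = int(s["Configuration Revision"])
        if modes[name] == "client" and rev > server_rev:
            findings.append(f"{name}: client revision {rev} is higher than the server's "
                            f"{server_rev}; it can overwrite the server VLAN database")
    return findings
```

Run over the sample, the check reports the lower-case domain name on SwitchZ and its revision 57 against the server's 12; a switch like that should have its revision reset (for example by changing its domain name) before it is connected to the production domain.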
Troubleshooting Spanning Tree
Visual Objective 2-2: Troubleshooting Switched Networks

WG  Switch     Router fa0/0
A   10.1.1.10  10.2.2.12
B   10.1.1.20  10.3.3.12
C   10.1.1.30  10.4.4.12
D   10.1.1.40  10.5.5.12
E   10.1.1.50  10.6.6.12
F   10.1.1.60  10.7.7.12
G   10.1.1.70  10.8.8.12
H   10.1.1.80  10.9.9.12

Summary

• Effective switched-network troubleshooting begins by understanding what makes a network function correctly.
• Hardware issues and port configuration errors can cause port connectivity issues.
• Native VLAN mismatches and trunk mode mismatches can prevent a trunk link from being established.
• Understanding how VTP works is the best defense when troubleshooting VTP problems.
• One of the primary objectives when dealing with an STP failure is to break the loop and restore connectivity as soon as possible.

Module Summary

• When expanding a company network, VLANs, VTP, and trunking provide a switched network infrastructure with segmentation, flexibility, and security.
• The STP and its successor RSTP resolve bridging loops that are an inherent part of redundant switched networks.
• One way to do inter-VLAN routing is to configure a “router on a stick” using subinterfaces and 802.1Q trunking.
• Troubleshooting a switched network requires knowing the characteristics of the underlying protocols, such as VTP, PVRST+, and 802.1Q.
