RETIRED! Exam
VLANs: VLANs are typically configured on switch ports. Note, however, that a router is required to switch traffic between VLANs. A switch identifies the VLAN associated with a given frame and forwards the frame to the associated ports. Separate VLANs for voice and data traffic improve the privacy and reliability of voice communication. Inter-Switch Link (ISL) is one of the VLAN trunking protocols used for switched VLAN networks. It uses frame tagging to identify the VLAN: ISL encapsulates the original Ethernet frame, and a VLAN ID is inserted into the ISL header. The switch can be configured to provide two separate VLANs, one each for VoIP traffic and data traffic.
By implementing VLANs:
1. The effective broadcast traffic decreases, since broadcast traffic is not forwarded from one VLAN to another.
2. Security can be improved by implementing a router (a Layer 3 device) to route packets between VLANs.
Use the "show vlan" or "show vlan vlan#" command to see the configuration details of VLANs. The command "sh vlan" displays the configuration information for all VLANs, whereas the command "sh vlan vlan#" shows only the configuration information pertaining to that VLAN. For example, to see the configuration information for VLAN 2, you give the command "sh vlan 2".
The following are the advantages of LAN segmentation using VLANs:
1. Segmentation of broadcast domains using VLANs results in more bandwidth per user.
2. Security is provided by isolating users corresponding to different VLANs. Users belonging to one VLAN will not receive frames meant for some other VLAN.
3. LAN segmentation using VLANs can be done based on job function rather than physical location, if required.
VLAN Trunking Protocols: Inter-Switch Link (ISL) and 802.1Q are the two VLAN trunking protocols that Cisco supports on Fast Ethernet. LANE is associated with ATM and 802.10 with FDDI. Also, it is important to note that ISL, 802.1Q, and 802.10 all use frame tagging to identify VLANs.
Feature | ISL | 802.1Q
---|---|---
Supported VLANs | Normal and extended range | Normal and extended range
Protocol defined by | Cisco | IEEE
Encapsulates original frame or inserts tag | Encapsulates | Inserts tag
Native VLAN support | No | Yes
Inter-Switch Link (ISL) is a Cisco proprietary protocol that maintains VLAN information in Ethernet frames by encapsulating the whole Ethernet frame. In the case of ISL, the tag is external to the Ethernet frame, which is the same as encapsulating the Ethernet frame. ISL adds a 26-byte header (containing a 15-bit VLAN identifier) and a 4-byte CRC trailer to the frame. ISL is supported only on Cisco switches, and even some newer Cisco switches no longer support it. ISL cannot be used to connect a Cisco switch to a switch from another vendor such as HP, and its use is being deprecated even by Cisco in favour of IEEE 802.1Q, which is the more popular choice among trunking protocols.
IEEE 802.1Q is a standard developed by the Institute of Electrical and Electronics Engineers (IEEE) to carry traffic belonging to multiple VLANs across a trunk. In contrast to ISL, 802.1Q does not encapsulate the original frame. Instead, it inserts a 32-bit field between the source MAC address and the EtherType/Length field of the original frame. This 32-bit field carries the information used to identify the VLAN the Ethernet frame belongs to.
The extra VLAN header used by both ISL and 802.1Q carries a VLAN identifier (VLAN ID) field that identifies the VLAN the frame belongs to. The VLAN ID is a 12-bit field, so its hexadecimal range is 0x000 to 0xFFF. The values 0x000 and 0xFFF are reserved; all other values in the range can be used as VLAN identifiers, allowing up to 4,094 VLANs. See the figure below to understand how the IEEE 802.1Q tag is inserted into a regular Ethernet frame.
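As an added example (not from the original page), the following Python code builds and decodes the 802.1Q tag described above: it inserts the 4-byte tag after the source MAC, treats 0x000 and 0xFFF as reserved, and applies a switch-side check that rejects frames whose tag is unusable or not on the trunk's allowed list. The TPID value 0x8100 and the PCP/DEI/VID layout of the tag come from the IEEE standard, not from the page; the sample frame and its MAC addresses are constructed here.

```python
import struct

# EtherType value that marks an 802.1Q tag (from the IEEE standard, not from the page).
TPID_8021Q = 0x8100
VID_MIN, VID_MAX = 0x001, 0xFFE  # 0x000 and 0xFFF are reserved, as the text states


def is_usable_vid(vlan_id: int) -> bool:
    """True for the 4,094 VLAN IDs a frame may legitimately carry."""
    return VID_MIN <= vlan_id <= VID_MAX


def tag_frame(frame: bytes, vlan_id: int, priority: int = 0) -> bytes:
    """Insert a 4-byte 802.1Q tag after the source MAC (byte offset 12) of an untagged frame."""
    if len(frame) < 14:
        raise ValueError("frame is shorter than a 14-byte Ethernet header")
    if not is_usable_vid(vlan_id):
        raise ValueError(f"VLAN ID 0x{vlan_id:03X} is reserved or outside the 12-bit range")
    if not 0 <= priority <= 7:
        raise ValueError("priority code point is a 3-bit field")
    # Tag Control Information: PCP (3 bits) | DEI (1 bit, left at 0) | VID (12 bits)
    tci = (priority << 13) | vlan_id
    tag = struct.pack("!HH", TPID_8021Q, tci)
    return frame[:12] + tag + frame[12:]


def parse_frame(frame: bytes) -> dict:
    """Decode dst/src MAC, VLAN ID (None when untagged), EtherType and payload."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src = frame[:6].hex(":"), frame[6:12].hex(":")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    vlan_id, offset = None, 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci = struct.unpack("!H", frame[14:16])[0]
        vlan_id = tci & 0x0FFF  # the VID is the low 12 bits of the TCI
        ethertype = struct.unpack("!H", frame[16:18])[0]
        offset = 18
    return {"dst": dst, "src": src, "vlan_id": vlan_id,
            "ethertype": ethertype, "payload": frame[offset:]}


def accept_on_trunk(frame: bytes, allowed_vlans: set) -> bool:
    """Switch-side check: accept a tagged frame only if its VID is usable and allowed on this trunk."""
    info = parse_frame(frame)
    vid = info["vlan_id"]
    return vid is not None and is_usable_vid(vid) and vid in allowed_vlans


# Constructed sample: a broadcast ARP frame (EtherType 0x0806) from a made-up source MAC.
SAMPLE_UNTAGGED = (bytes.fromhex("ffffffffffff") + bytes.fromhex("001122334455")
                   + struct.pack("!H", 0x0806) + b"\x00" * 28)

if __name__ == "__main__":
    tagged = tag_frame(SAMPLE_UNTAGGED, 2)
    print(parse_frame(tagged))
```

Tagging grows the frame by exactly four bytes and leaves the destination and source MAC in place, which is why an untagged parser that only reads bytes 12 and 13 would see 0x8100 instead of the real EtherType; the parser above steps over the tag before reading it.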
VLAN port assignments can be configured in either of two ways:
Static VLANs: The administrator statically configures the VLAN port assignment. VLAN memberships on the switch ports are assigned on a port-by-port basis.
Dynamic VLANs: A VMPS (VLAN Management Policy Server) can dynamically assign ports to VLANs. The MAC address of the node is used to determine the VLAN assignment. A separate server or a Catalyst 5000 can function as the VMPS. When a frame arrives on a dynamic port, the switch queries the VMPS for the VLAN assignment based on the source MAC address of the arriving frame.
Carrying traffic for different VLANs between switches requires a trunk link.
For the VLAN database to be exchanged between two switches:
1. The VTP domain name should be the same,
2. The VTP password must be the same,
3. Trunk links should be configured between the switches (switchport mode trunk), and
4. At least one switch should be configured as a server and the other switches as servers or clients to learn the VLAN database. Server mode is the default on Cisco Catalyst switches.
5. All switches throughout the VTP domain must run the same VTP version.
6. A Cisco Catalyst switch can belong to only one domain at any given time.
7. VTP messages not intended for the local domain (the one configured on the Cisco switch) are ignored.
VLAN Trunk Protocol (VTP) is a Layer 2 protocol that maintains VLAN configurations throughout a common administrative domain. Configurations are made on a VTP server and are propagated across trunk links to all switches in the VTP domain. VTP thus automates the VLAN configuration of switches across the network. Every VTP advertisement carries a configuration revision number. Each time a VTP server updates its VLAN information, it increments the configuration revision number by one. VTP clients use the revision number to decide whether to apply a VLAN configuration update.
VTP is a Layer 2 messaging protocol. It carries configuration information throughout a single domain. VTP operates in one of three modes:
1. Server mode: VTP servers can create, modify, or delete VLANs and other configuration parameters for the specified VTP domain.
2. Client mode: A VTP client can't create, change, or delete VLANs.
3. Transparent mode: Transparent mode is used when a switch is not required to participate in VTP but only to pass VTP information on to other switches. Transparent switches act neither as servers nor as clients.
Configurations made on a single switch, called the VTP server, are propagated across the switch fabric under a single domain's control. Other switches, configured as VTP clients, learn the configuration information from the server. Cisco switches such as the Catalyst 1900, when acting as VTP servers, save the VLAN configuration information in non-volatile memory (NVRAM), whereas clients keep the information only in the running configuration.
There are two VTP versions, VTP version 1 and VTP version 2. These versions are not interoperable. Version 1 is the default. All Cisco switches in a given management domain should be configured for either version 1 or version 2.
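The following Python model, added here as an example rather than taken from the page or from any Cisco implementation, ties together the exchange conditions listed above (matching domain, password and version over a trunk) with the three VTP modes and the revision number: a server bumps the revision on every change, a client applies an advertisement only when every condition holds and the revision is newer, and a transparent switch never applies one. The switch names, domain names and password are constructed; comparing the password string directly is a simplification (the real protocol carries a digest).

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

SERVER, CLIENT, TRANSPARENT = "server", "client", "transparent"


@dataclass
class Switch:
    name: str
    domain: Optional[str] = None        # page default: no domain name set
    password: Optional[str] = None      # page default: no password
    version: int = 1                    # page default: VTP version 1
    mode: str = SERVER                  # page default: server mode
    revision: int = 0
    vlans: Dict[int, str] = field(default_factory=lambda: {1: "default"})
    trunks: Set[str] = field(default_factory=set)  # names of trunk-connected neighbours


@dataclass(frozen=True)
class Advertisement:
    domain: str
    password: Optional[str]   # simplification: real VTP carries an MD5 digest, not the password
    version: int
    revision: int
    vlans: Tuple[Tuple[int, str], ...]


def server_change(sw: Switch, vlan_id: int, name: str) -> Advertisement:
    """Only a server may change the database; each change increments the revision by one."""
    if sw.mode != SERVER:
        raise PermissionError(f"{sw.name} is in {sw.mode} mode and cannot change VLANs")
    if sw.domain is None:
        raise ValueError("a domain name must be set before VLANs are advertised")
    sw.vlans[vlan_id] = name
    sw.revision += 1
    return Advertisement(sw.domain, sw.password, sw.version, sw.revision,
                         tuple(sorted(sw.vlans.items())))


def receive(sw: Switch, adv: Advertisement, neighbour: str) -> Tuple[bool, str]:
    """Apply the page's exchange conditions in order; returns (applied, reason)."""
    if neighbour not in sw.trunks:
        return False, "no trunk link to sender"
    if sw.mode == TRANSPARENT:
        return False, "transparent mode: relayed to other trunks, not applied locally"
    if sw.domain is None:
        sw.domain = adv.domain   # an unset domain name is learned across the trunk
    if adv.domain != sw.domain:
        return False, "domain mismatch: advertisement ignored"
    if adv.password != sw.password:
        return False, "password mismatch"
    if adv.version != sw.version:
        return False, "VTP version mismatch"
    if adv.revision <= sw.revision:
        return False, f"revision {adv.revision} not newer than local {sw.revision}"
    sw.vlans = dict(adv.vlans)
    sw.revision = adv.revision
    return True, f"applied revision {adv.revision}"


def build_lab():
    """Constructed topology: server A trunked to client B, transparent T and client C (other domain)."""
    a = Switch("A", domain="newyork", password="s3cret", trunks={"B", "T", "C"})
    b = Switch("B", domain="newyork", password="s3cret", mode=CLIENT, trunks={"A"})
    t = Switch("T", domain="newyork", password="s3cret", mode=TRANSPARENT, trunks={"A"})
    c = Switch("C", domain="boston", password="s3cret", mode=CLIENT, trunks={"A"})
    return a, b, t, c


if __name__ == "__main__":
    a, b, t, c = build_lab()
    adv = server_change(a, 7, "voice")
    for sw in (b, t, c):
        print(sw.name, receive(sw, adv, "A"))
```

The revision comparison is the last check, and it is the one that matters operationally: any switch that clears the domain, password and version checks and carries a higher revision than the current server will have its database accepted, so a defender verifies the revision of a switch before trunking it into an existing domain.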
Some of the advantages of VTP version 2 are as below:
1. Token Ring support: Supports Token Ring LAN switching and VLANs. If Token Ring is used, this is the version required.
2. Version number auto-propagation: If all switches are capable of running version 2, only one switch needs to have version 2 enabled; the version number is automatically propagated to the others.
The default VTP configuration parameters for the Catalyst switch are as follows:
1. VTP domain name: None
2. VTP mode: Server
3. VTP password: None
4. VTP pruning: Disabled
5. VTP trap: Disabled
The VTP domain name can be specified manually or learned across a configured trunk line from a server with a domain name configured. By default, the domain name is not set.
If you configure a VTP password, VTP does not function properly unless you assign the same password to each switch in the domain. VTP traps are disabled by default. If you enable this feature, an SNMP message is generated every time a new VTP message is sent.
To associate a switch with a management VLAN, you need to assign an IP address to the switch. The subnet portion of the switch IP address must match the subnet number of the management VLAN. Note that switches maintain an IP stack, which lets us manage them both locally and remotely via Telnet.
VTP pruning is a technique that enhances the available network bandwidth by reducing broadcast, multicast, and flooded unicast traffic. Such frames are not forwarded to network devices that have no ports associated with the VLAN in question. When VTP pruning is enabled, a switch forwards flooded traffic across a link to another switch only if that switch has ports associated with that VLAN. For example, Switch A sends flooded frames belonging to, say, VLAN 7 to Switch B only if Switch B has ports associated with VLAN 7.
VTP pruning need only be enabled on VTP servers; all clients in the VTP domain then enable VTP pruning automatically. By default, VLANs 2 to 1001 are pruning-eligible, but VLAN 1 can't be pruned because it is an administrative VLAN. Both VTP versions 1 and 2 support pruning.
The domain name set on a switch can be found by viewing the VTP configuration of the switch: use the "show vtp status" command to check the domain name.
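Added example (not the page's own code): a small Python model of the pruning rule above, run over a constructed four-switch tree. It generalises the Switch A / Switch B case slightly, in that a flood crosses a trunk link whenever any switch beyond that link has ports in the VLAN, and it enforces the eligibility range stated in the text (VLANs 2 to 1001 can be pruned; VLAN 1 never is). The topology, switch names and port memberships are made up for the example.

```python
from typing import Dict, List, Set, Tuple

PRUNE_ELIGIBLE = range(2, 1002)   # page: VLANs 2 to 1001 are eligible; VLAN 1 never is

# Constructed lab: a tree of four switches joined by trunk links, and the VLANs
# that have access ports on each switch (all values made up for the example).
LAB_LINKS: Dict[str, List[str]] = {
    "A": ["B", "D"],
    "B": ["A", "C"],
    "C": ["B"],
    "D": ["A"],
}
LAB_PORTS: Dict[str, Set[int]] = {
    "A": {1, 7},
    "B": {1},
    "C": {1, 7},
    "D": {1, 3},
}


def subtree_needs(node: str, parent, vlan: int, links, ports) -> bool:
    """True if `node`, or any switch beyond it (away from `parent`), has ports in `vlan`."""
    if vlan in ports.get(node, set()):
        return True
    return any(subtree_needs(n, node, vlan, links, ports)
               for n in links[node] if n != parent)


def flooded_links(source: str, vlan: int, links, ports, pruning: bool) -> Set[Tuple[str, str]]:
    """Trunk links that a broadcast, multicast or unknown-unicast frame in `vlan` crosses
    when it originates at `source`. Without pruning, or for a VLAN outside the eligible
    range, the flood crosses every trunk; with pruning it only crosses links that lead to
    a switch that actually has ports in the VLAN."""
    used: Set[Tuple[str, str]] = set()

    def walk(node: str, parent) -> None:
        for n in links[node]:
            if n == parent:
                continue
            if (not pruning or vlan not in PRUNE_ELIGIBLE
                    or subtree_needs(n, node, vlan, links, ports)):
                used.add(tuple(sorted((node, n))))
                walk(n, node)

    walk(source, None)
    return used


if __name__ == "__main__":
    for vlan in (1, 3, 7):
        print(vlan, sorted(flooded_links("A", vlan, LAB_LINKS, LAB_PORTS, pruning=True)))
```

In the lab, a VLAN 7 flood from A crosses A-B only because C, behind B, has VLAN 7 ports, while the A-D link stays quiet; a VLAN 1 flood still reaches every switch because VLAN 1 is never pruned.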
The command syntax for assigning a management domain for a switch is:
Switch#vtp domain <domain-name>
For example, if the domain name is newyork, the command is:
Switch#vtp domain newyork
To verify any configuration change, the "show vtp status" privileged EXEC command can be used. Among other things, this command displays the VTP domain name, the VTP password if any, the VTP pruning mode (enabled or disabled) and the IP address of the device that last modified the configuration.
You need to create a domain when configuring the first switch in a switched network. For subsequent switches, you only need to join the existing domain. A password is required if the domain needs to be secured by one. The command allows you either to create a new domain (when the first switch is being configured) or to join an existing domain (when one or more switches have already been assigned a domain).
The following is sample output from the "show vtp status" command.
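As an added example (not from the page), here is a Python audit that parses "show vtp status" output collected from several switches and reports the inconsistencies the checklist above warns about: differing domain names, differing running VTP versions, differing configuration revisions and more than one "last modified by" address. The three outputs are constructed here in the layout of classic IOS (the "VTP V2 Mode" line is read as the running version, which is an assumption about that layout); the revision numbers, switch names and 192.0.2.x addresses are made up.

```python
import re
from typing import Dict, List

# Constructed "show vtp status" output for three switches, laid out like classic IOS
# (every value is made up for the example; 192.0.2.x are documentation addresses).
SAMPLE_STATUS: Dict[str, str] = {
    "sw1": """\
VTP Version                     : 2
Configuration Revision          : 12
Maximum VLANs supported locally : 255
Number of existing VLANs        : 9
VTP Operating Mode              : Server
VTP Domain Name                 : newyork
VTP Pruning Mode                : Enabled
VTP V2 Mode                     : Disabled
VTP Traps Generation            : Disabled
Configuration last modified by 192.0.2.10 at 3-1-93 00:01:23
""",
    "sw2": """\
VTP Version                     : 2
Configuration Revision          : 12
Maximum VLANs supported locally : 255
Number of existing VLANs        : 9
VTP Operating Mode              : Client
VTP Domain Name                 : newyork
VTP Pruning Mode                : Enabled
VTP V2 Mode                     : Disabled
VTP Traps Generation            : Disabled
Configuration last modified by 192.0.2.10 at 3-1-93 00:01:23
""",
    "sw3": """\
VTP Version                     : 2
Configuration Revision          : 40
Maximum VLANs supported locally : 255
Number of existing VLANs        : 5
VTP Operating Mode              : Server
VTP Domain Name                 : newyork
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Enabled
VTP Traps Generation            : Disabled
Configuration last modified by 192.0.2.99 at 3-1-93 00:09:41
""",
}


def parse_vtp_status(text: str) -> Dict[str, str]:
    """Turn the 'Key : Value' lines and the 'last modified' line into a dict."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        m = re.match(r"Configuration last modified by (\S+) at (.+)", line)
        if m:
            fields["Last modified by"] = m.group(1)
            fields["Last modified at"] = m.group(2).strip()
        elif ":" in line:
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
    return fields


def running_version(fields: Dict[str, str]) -> int:
    """Assumption about the layout: 'VTP V2 Mode : Enabled' means version 2 is running."""
    return 2 if fields.get("VTP V2 Mode") == "Enabled" else 1


def audit_vtp(statuses: Dict[str, str]) -> List[str]:
    """Report the cross-switch inconsistencies the page's VTP checklist calls out."""
    parsed = {name: parse_vtp_status(text) for name, text in statuses.items()}
    findings: List[str] = []
    domains = {p["VTP Domain Name"] for p in parsed.values()}
    if len(domains) > 1:
        findings.append(f"VTP Domain Name differs: {sorted(domains)}")
    versions = {n: running_version(p) for n, p in parsed.items()}
    if len(set(versions.values())) > 1:
        findings.append(f"running VTP version differs: {versions}")
    revisions = {n: int(p["Configuration Revision"]) for n, p in parsed.items()}
    if len(set(revisions.values())) > 1:
        findings.append(f"Configuration Revision differs: {revisions}")
    modifiers = {p["Last modified by"] for p in parsed.values()}
    if len(modifiers) > 1:
        findings.append(f"more than one last-modifier address: {sorted(modifiers)}")
    return findings


if __name__ == "__main__":
    for finding in audit_vtp(SAMPLE_STATUS):
        print(finding)
```

In the constructed data, sw3 is a server running a different VTP version with a far higher revision and a different last-modifier address than the rest of the domain; those are exactly the fields to compare before allowing such a switch a trunk into the domain.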