2. VirtualLANs (VLANs) and VTP Page 2
rajasekar
Collision vs Broadcast
Collision: A collision occurs when two devices send a packet at the same time on a shared network segment. The packets collide and both devices must send the packets again, which reduces network efficiency.
e.g. HUB (each port on a hub is in the same collision domain): when host A is trying to reach host C and, at the same time, host D is also trying to reach host C, the hub receives both frames. The hub has no idea where to send the frames, so it sends them out all of its ports, and at this stage the collision is detected.
Broadcast: Broadcast is a type of communication where the sending device sends a single copy of data and that copy is delivered to every device in the network segment. Broadcast is a required type of communication and we cannot avoid broadcasts. E.g. ARP, DHCP.
When host A sends a packet to host C and the switch receives it for the first time, the switch sends it out all of its ports; once it has learned the MAC address, it will no longer send it out all of the ports.
VLAN (Virtual Local Area Network)
A switch can be logically segmented into separate broadcast domains using Virtual LANs. On Cisco switches, all interfaces belong to VLAN 1 by default, and VLAN 1 should be dedicated to system traffic such as CDP, STP, VTP, and DTP.
Each VLAN represents a unique broadcast domain:
• Traffic between devices within the same VLAN is switched.
• Traffic between devices in different VLANs requires a Layer-3 device to communicate.
Broadcasts from one VLAN will not be forwarded to another VLAN. The logical separation provided by VLANs is not a Layer-3 function. VLAN tags are inserted into the Layer-2 header.
Hosts A and B are in the same broadcast domain, as are E and F. When I try to ping from host A to host E it will not ping, because the switch segments its ports into different broadcast domains. Thus, a Layer-3 device is required for those hosts to communicate.
Advantages of VLANs
Broadcast Control – eliminates unnecessary broadcast traffic, improving network performance and scalability.
Security – logically separates users and departments, allowing administrators to implement access-lists to control traffic between VLANs.
Improved manageability – VLANs provide an easy, flexible, less costly way to modify logical groups in changing environments.
VLAN membership
VLAN membership is of two types:
Static
Dynamic
Static: In a static VLAN, the network administrator creates a VLAN and then assigns switch ports to the VLAN. Static VLANs are also called port-based VLANs.
The association with the VLAN does not change until the administrator changes the port assignment. End-user devices become members of the VLAN based on the physical switch port to which they are connected.
Dynamic: In a dynamic VLAN, the switch automatically assigns the port to a VLAN using information from the user device (MAC address, IP address, etc.). When a device is connected to a switch port, the switch queries a database to establish VLAN membership. A network administrator must configure the VLAN database of a VLAN Membership Policy Server (VMPS).
Dynamic VLANs support instant movability of end devices. When we move a device from a port on one switch to a port on another switch, the dynamic VLANs will automatically configure the membership of the VLAN.
Static VLAN assignment is far more common than dynamic, and will be the focus of this guide.
VLAN Port Types
Two types of ports:
• Access ports
• Trunk ports
Access link: An access link is part of only one VLAN, and normally access links are for end devices. Any device attached to an access link is unaware of its VLAN membership.
Trunk link: A trunk link can carry traffic for multiple VLANs, and normally a trunk link is used to connect switches to other switches or to routers. Frames on a trunk link are tagged to identify the VLAN that each frame belongs to.
VLAN frames
Frame tagging is used to identify the VLAN that a frame belongs to in a network with multiple VLANs. The VLAN ID is placed on the frame when it reaches a switch from an access port, which is a member of a VLAN. That frame can then be forwarded out the trunk link port. Each switch can see what VLAN the frame belongs to and can forward the frame to the corresponding VLAN access ports or to another VLAN trunk port.
VLAN frames (continued)
If Host A sends a frame to Host B, no frame tagging will occur:
• The frame never leaves Switch A.
• The frame stays within its own VLAN.
If Host A sends a frame to Host C, which is in a separate VLAN:
• The frame again never leaves the switch.
• Because Host C is in a different VLAN, the frame must be routed.
If Host A sends a frame to Host D, which is on a separate switch:
• The frame is sent out the trunk port to Switch B.
• The frame must be tagged as it is sent out the trunk port. The frame is tagged with its VLAN ID - VLAN 10 in this example.
• When Switch B receives the frame, it will only forward it out ports belonging to VLAN 10.
Frame Tagging Protocols
Cisco switches support two frame tagging protocols:
• Inter-Switch Link (ISL)
• IEEE 802.1Q
Inter-Switch Link (ISL) is a Cisco proprietary protocol, available and supported on Cisco products only.
ISL is primarily used for Ethernet media (Fast Ethernet or Gigabit Ethernet). Cisco has also included provisions to carry Token Ring, FDDI, and ATM.
ISL encapsulates the entire Ethernet frame (Fast Ethernet or Gigabit Ethernet) with a 26-byte header and a 4-byte frame check sequence (FCS), for a total of 30 bytes of overhead. The ISL frame format is shown below.
• DA (Destination Address): The destination address uses the multicast MAC address 01-00-0C-00-00-00. The first 40 bits of the DA field signal the receiver that the packet is in ISL format.
• Type: The type of frame encapsulated: Ethernet (0000), Token Ring (0001), FDDI (0010), and ATM (0011).
• User: The USER field consists of a 4-bit code. The USER bits are used to extend the meaning of the TYPE field. The default USER field value is "0000". For Ethernet frames, the USER field bits "0" and "1" indicate the priority of the packet as it passes through the switch.
• SA (Source Address): Source address of the switch transmitting the ISL frame.
• Len: The length of the packet.
• SNAP: Subnetwork Access Protocol (SNAP) and Logical Link Control (LLC). The SNAP field is a 24-bit constant value of "AAAA03".
• HSA (High Bits of Source Address): The HSA field is a 24-bit value which represents the upper 3 bytes (the manufacturer ID portion) of the SA field.
• VLAN (Destination VLAN ID): Indicates the VLAN ID of the packet. The VLAN ID is a 15-bit value that is used to distinguish frames on different VLANs. The VLAN ID is also known as the "color" of the frame.
• BPDU: Indicates whether the encapsulated frame is a BPDU, CDP or VTP frame.
• Index: The port index of the source of the packet.
• Res: Reserved field for additional information, for instance the Token Ring or FDDI Frame Check Sequence field. For Ethernet, this field should be zero.
• Encapsulated Ethernet Frame: The actual Ethernet frame.
• ISL CRC: Four-byte check on the ISL packet to ensure it is not corrupted.
Cisco switches are specifically engineered to support these giant ISL-tagged frames. Note that this is a key reason why ISL is Cisco-proprietary.
ISL supports a maximum of 1000 VLANs on a trunk port. ISL is also almost entirely deprecated - most modern Cisco switches no longer support it.
802.1Q trunks
802.1Q trunks support tagged and untagged Ethernet frames. An untagged Ethernet frame is a standard, unaltered Ethernet frame. Untagged Ethernet frames are usually used for native VLAN communication.
If a switch receives untagged Ethernet frames on a trunk port, they are considered part of the native VLAN, and frames from an access port in the native VLAN are not tagged when exiting the switch via a trunk port.
In a tagged 802.1Q Ethernet frame, a 4-byte field is inserted between the original Ethernet frame's Source Address field and the Type or Length field. The FCS is recomputed after the 4-byte tag is inserted. The following figure shows an 802.1Q tagged Ethernet frame.
• TPID (Tag Protocol Identifier, 16 bits): The TPID is global and always has the value 0x8100 to signify an 802.1Q tag.
• Priority (3 bits): The Priority field is used by 802.1Q to implement Layer 2 quality of service (QoS).
• CFI (Canonical Format Identifier, 1 bit): The CFI bit is used for compatibility purposes between Ethernet and Token Ring.
• VLAN ID (12 bits): The VID field is used to distinguish between VLANs on the link.
802.1Q supports a maximum of 4096 VLANs on a trunk port.
Recall that ISL encapsulates a frame with an additional header and trailer. In contrast, 802.1Q embeds a 4-byte VLAN tag directly into the Layer-2 frame header. Because the Layer-2 header is modified, 802.1Q must recalculate the frame's CRC value.
802.1Q Tunneling (Q-in-Q)
802.1Q tunneling enables service providers to use a single VLAN to support customers who have multiple VLANs, while preserving customer VLAN IDs and keeping traffic in different customer VLANs segregated.
When you configure tunneling, you assign a tunnel port to a VLAN that you dedicate to tunneling, which then becomes a tunnel VLAN.
To keep customer traffic segregated, each customer requires a separate tunnel VLAN, but that one tunnel VLAN supports all of the customer's VLANs.
The customer switches are trunk connected, but with 802.1Q tunneling, the service provider switches only use one service provider VLAN to carry all the customer VLANs, instead of directly carrying all the customer VLANs.
Note: Tunnel traffic carries a second 802.1Q tag only when it is on a trunk link between service-provider network devices, with the outer tag containing the service-provider-assigned VLAN ID and the inner tag containing the customer-assigned VLAN IDs.
In this example, customer switches A, B and C have a range of VLANs (100-400); when this range of VLANs enters the PROVIDER switch, the outer interface carries a single VLAN (3349), called the outer VLAN.
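The following Python example, added here and not part of the original notes, shows the 4-byte 802.1Q tag being inserted after the Source Address, the FCS being recomputed, and the TPID/Priority/CFI/VID fields being read back. It then pushes the second, outer tag described in the Q-in-Q section, using a customer VLAN of 100 and the outer VLAN 3349 from the example above, and pops it again on the way out of the provider network. The 0x88A8 outer TPID comes from IEEE 802.1ad and is an assumption (Cisco switches may use 0x8100 for the outer tag as well); the frame contents are constructed.

```python
import struct
import zlib

TPID_8021Q = 0x8100      # TPID value given in the notes above
TPID_8021AD = 0x88A8     # outer-tag TPID from IEEE 802.1ad; an assumption, not from the notes
TAG_TPIDS = {TPID_8021Q, TPID_8021AD}

# Constructed sample: untagged frame with dst, src, EtherType IPv4 and 46 bytes of padding (no FCS yet).
SAMPLE_UNTAGGED = (bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
                   + struct.pack("!H", 0x0800) + bytes(46))


def ethernet_fcs(frame_no_fcs):
    """Ethernet FCS: CRC-32 of the frame, transmitted least-significant byte first."""
    return struct.pack("<I", zlib.crc32(frame_no_fcs) & 0xFFFFFFFF)


def with_fcs(frame_no_fcs):
    return frame_no_fcs + ethernet_fcs(frame_no_fcs)


def push_tag(frame, vid, pcp=0, cfi=0, tpid=TPID_8021Q):
    """Insert a 4-byte tag after the Source Address (byte 12) and recompute the FCS.
    `frame` carries an FCS; the returned frame does too."""
    if not 0 <= vid <= 4095:
        raise ValueError("VLAN ID is a 12-bit field")
    body = frame[:-4]
    tci = ((pcp & 0x7) << 13) | ((cfi & 0x1) << 12) | vid    # Priority | CFI | VID
    tagged = body[:12] + struct.pack("!HH", tpid, tci) + body[12:]
    return with_fcs(tagged)


def parse_tags(frame):
    """Return (tags from outer to inner, payload EtherType, fcs_ok); an untagged frame gives []."""
    body, fcs = frame[:-4], frame[-4:]
    fcs_ok = ethernet_fcs(body) == fcs
    tags, off = [], 12
    while len(body) >= off + 4:
        tpid, tci = struct.unpack("!HH", body[off:off + 4])
        if tpid not in TAG_TPIDS:
            break
        tags.append({"tpid": tpid, "pcp": tci >> 13, "cfi": (tci >> 12) & 1, "vid": tci & 0xFFF})
        off += 4
    if len(body) < off + 2:
        raise ValueError("truncated frame")
    ethertype = struct.unpack("!H", body[off:off + 2])[0]
    return tags, ethertype, fcs_ok


def pop_tag(frame):
    """Remove the outermost tag (what a switch does before forwarding out an access port)."""
    tags, _, _ = parse_tags(frame)
    if not tags:
        raise ValueError("frame is untagged")
    body = frame[:-4]
    return with_fcs(body[:12] + body[16:])


def vids(frame):
    """Convenience: just the VLAN IDs, outer first."""
    return [t["vid"] for t in parse_tags(frame)[0]]


if __name__ == "__main__":
    customer = push_tag(with_fcs(SAMPLE_UNTAGGED), 100)          # customer trunk: inner tag
    provider = push_tag(customer, 3349, tpid=TPID_8021AD)      # provider trunk: outer tag added
    print("provider core sees VIDs (outer -> inner):", vids(provider))
    print("customer side after the outer tag is popped:", vids(pop_tag(provider)))
```

Because the FCS is recomputed by `push_tag`, the tagged frame still validates, which is why a switch must recalculate the CRC whenever it edits the Layer-2 header; a frame whose FCS no longer matches is reported with `fcs_ok` false.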
Native VLAN
Normally a switch port configured as a trunk port sends and receives IEEE 802.1Q VLAN-tagged Ethernet frames.
If a switch receives untagged Ethernet frames on its trunk port, they are forwarded to the VLAN that is configured on the switch as the native VLAN. Both sides of the trunk link must be configured to be in the same native VLAN.
Native VLANs are only supported on 802.1Q trunk ports. ISL does not support untagged frames, and will always tag frames from all VLANs.
DTP (Dynamic Trunking Protocol)
DTP is a Cisco proprietary trunking protocol used for negotiating trunking on a link between two Cisco switches. DTP can also be used for negotiating the encapsulation type, either 802.1Q or Cisco ISL.
DTP has two modes to dynamically decide whether a port becomes a trunk:
• Desirable – the port will actively attempt to form a trunk with the remote switch. This is the default setting.
• Auto – the port will passively wait for the remote switch to initiate the trunk.
Trunk ports send out DTP frames every 30 seconds to indicate their configured mode.
A trunk will form in the following configurations:
Trunk - Trunk
Trunk - dynamic desirable
Trunk - dynamic auto
dynamic desirable - dynamic desirable
dynamic desirable - dynamic auto
A trunk will never form if the two sides of the link are both set to dynamic auto, as both ports are waiting for the other to initialize the trunk.
It is best practice to manually configure trunk ports, to avoid DTP negotiation errors. DTP is also vulnerable to VLAN spoofing attacks.
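As an added example (not from the original notes), the Python below encodes the trunk-formation table above and audits a constructed running-config excerpt for ports that still take part in DTP negotiation, which is the practical check behind the advice to configure port modes manually. The interface names and configuration lines are hypothetical; the default mode of dynamic desirable is the one the notes state and differs between switch platforms.

```python
import re

# Default DTP mode per the notes above (dynamic desirable); this varies by platform.
DEFAULT_DTP_MODE = "dynamic desirable"

# Mode pairs on which a trunk forms, straight from the table in the notes.
TRUNK_PAIRS = {
    frozenset({"trunk"}),
    frozenset({"trunk", "dynamic desirable"}),
    frozenset({"trunk", "dynamic auto"}),
    frozenset({"dynamic desirable"}),
    frozenset({"dynamic desirable", "dynamic auto"}),
}

# Constructed running-config excerpt from a hypothetical switch, used as sample input.
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
!
interface FastEthernet0/2
 switchport access vlan 20
!
interface FastEthernet0/3
 switchport mode dynamic auto
!
interface FastEthernet0/4
 switchport mode trunk
 switchport trunk allowed vlan 10,20
!
interface GigabitEthernet0/1
 switchport mode trunk
 switchport nonegotiate
!
"""


def trunk_forms(mode_a, mode_b):
    """True if two port modes ('trunk', 'access', 'dynamic auto', 'dynamic desirable') yield a trunk."""
    return frozenset({mode_a, mode_b}) in TRUNK_PAIRS


def parse_interfaces(config_text):
    """Map each interface name to its indented configuration lines."""
    interfaces, current = {}, None
    for line in config_text.splitlines():
        m = re.match(r"^interface (\S+)", line)
        if m:
            current = m.group(1)
            interfaces[current] = []
        elif current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None   # '!' or any other top-level line ends the stanza
    return interfaces


def effective_mode(lines):
    """Explicit 'switchport mode', or the DTP default when none is configured."""
    for line in lines:
        m = re.fullmatch(r"switchport mode (access|trunk|dynamic (?:auto|desirable))", line)
        if m:
            return m.group(1)
    return DEFAULT_DTP_MODE


def audit_dtp(config_text):
    """Return (interface, finding) pairs for ports whose trunk state is still negotiated."""
    findings = []
    for name, lines in parse_interfaces(config_text).items():
        mode = effective_mode(lines)
        if mode.startswith("dynamic"):
            how = "explicitly set" if any(l.startswith("switchport mode") for l in lines) else "left at default"
            findings.append((name, f"DTP negotiation {how} ({mode}); set switchport mode access or trunk"))
        elif mode == "trunk" and "switchport nonegotiate" not in lines:
            findings.append((name, "static trunk still sends DTP frames; add switchport nonegotiate"))
    return findings


if __name__ == "__main__":
    print("desirable <-> auto forms a trunk:", trunk_forms("dynamic desirable", "dynamic auto"))
    print("auto <-> auto forms a trunk:", trunk_forms("dynamic auto", "dynamic auto"))
    for iface, finding in audit_dtp(SAMPLE_CONFIG):
        print(f"{iface}: {finding}")
```

On the sample config the audit flags FastEthernet0/2 (no mode configured, so the DTP default applies), FastEthernet0/3 (dynamic auto) and FastEthernet0/4 (static trunk without `switchport nonegotiate`); the access port and the trunk with `nonegotiate` pass.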
VLAN configuration
By default, all interfaces belong to VLAN 1. To assign an interface to a different VLAN, that VLAN must first be created.
To view all created VLANs, and the interfaces assigned to each VLAN:
Switch# show vlan
The standard range of VLAN numbers is 1 – 1005, with VLANs 1002-1005 reserved for legacy Token Ring and FDDI purposes.
The extended range of VLAN numbers is 1006-4094.
Configuration options for VLAN IDs 1006 through 4094 are limited to MTU, RSPAN VLAN, private VLAN, and UNI-ENI VLAN.
The list of VLANs is stored in a database file named vlan.dat. The vlan.dat file is usually stored in flash, though on some switch models it is stored in NVRAM.
Extended-range VLANs are not saved in the VLAN database.
Configure VLAN
All interfaces belong to VLAN 1 by default. To change the VLAN on an interface, the VLAN must first be created. Giving the VLAN a name is optional.
Switch(config)# vlan 10
Switch(config-vlan)# name cisco
The first command creates the VLAN and enters VLAN configuration mode. The second command is used to configure the name of the VLAN.
To remove a VLAN:
Switch(config)# no vlan 10
Configure VLAN (continued)
Configure access mode
The mode tells whether the port is ACCESS or TRUNK; in the above image, FastEthernet 0/1 is configured as an access port.
Configure trunk mode
To explicitly allow a subset of VLANs on a trunk port:
Switch(config)# interface f0/4
Switch(config-if)# switchport trunk allowed vlan 10,20,21-25
To remove a VLAN from the allowed list:
Switch(config)# interface f0/4
Switch(config-if)# switchport trunk allowed vlan remove 20
To add a specific VLAN back into the allowed list:
Switch(config)# interface f0/4
Switch(config-if)# switchport trunk allowed vlan add 20
To allow all VLANs except for a specific range:
Switch(config-if)# switchport trunk allowed vlan except 21-25
To configure the DTP mode on an interface:
Switch(config)# interface f0/4
Switch(config-if)# switchport mode dynamic desirable
Switch(config-if)# switchport mode dynamic auto
To allow all VLANs again:
Switch(config)# interface f0/4
Switch(config-if)# switchport trunk allowed vlan all
To set the native VLAN on a trunk:
Switch(config)# interface f0/4
Switch(config-if)# switchport mode trunk
Switch(config-if)# switchport trunk native vlan 20
Show commands:
show vlan
show interfaces fa0/1 trunk
show interfaces trunk
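Added example, not from the original notes: Python that models the allowed-VLAN list arithmetic behind the commands above (plain list, add, remove, except, all) and renders the result in IOS range syntax, so the effect of a sequence of commands on a trunk can be predicted before it is applied. The `none` keyword is a real IOS option not shown above; the command sequence replayed in `SAMPLE_COMMANDS` is a constructed sample built from the notes' commands.

```python
import re

VLAN_MIN, VLAN_MAX = 1, 4094
ALL_VLANS = frozenset(range(VLAN_MIN, VLAN_MAX + 1))

# Constructed sample: the command sequence from the notes above, applied to one trunk interface.
SAMPLE_COMMANDS = [
    "switchport trunk allowed vlan 10,20,21-25",
    "switchport trunk allowed vlan remove 20",
    "switchport trunk allowed vlan add 20",
]


def parse_vlan_list(spec):
    """Parse IOS VLAN-list syntax such as '10,20,21-25' into a set of VLAN IDs."""
    vlans = set()
    for part in spec.replace(" ", "").split(","):
        if not part:
            continue
        lo, _, hi = part.partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not VLAN_MIN <= lo <= hi <= VLAN_MAX:
            raise ValueError(f"invalid VLAN range: {part}")
        vlans.update(range(lo, hi + 1))
    return vlans


def apply_allowed_vlan(current, args):
    """Apply the argument of one 'switchport trunk allowed vlan ...' command to the allowed set."""
    keyword, _, rest = args.strip().partition(" ")
    if keyword == "all":
        return set(ALL_VLANS)
    if keyword == "none":                       # real IOS keyword, not shown in the notes
        return set()
    if keyword == "add":
        return current | parse_vlan_list(rest)
    if keyword == "remove":
        return current - parse_vlan_list(rest)
    if keyword == "except":
        return set(ALL_VLANS) - parse_vlan_list(rest)
    return parse_vlan_list(args)                # a plain list replaces the whole allowed set


def format_vlan_list(vlans):
    """Render a set of IDs back into compact IOS range syntax, e.g. {10,21..25} -> '10,21-25'."""
    ids, out, i = sorted(vlans), [], 0
    while i < len(ids):
        j = i
        while j + 1 < len(ids) and ids[j + 1] == ids[j] + 1:
            j += 1
        out.append(str(ids[i]) if i == j else f"{ids[i]}-{ids[j]}")
        i = j + 1
    return ",".join(out)


def run_commands(commands, allowed=None):
    """Replay allowed-VLAN commands in order; a fresh trunk starts with all VLANs allowed."""
    allowed = set(ALL_VLANS) if allowed is None else set(allowed)
    for cmd in commands:
        m = re.fullmatch(r"switchport trunk allowed vlan (.+)", cmd.strip())
        if m:
            allowed = apply_allowed_vlan(allowed, m.group(1))
    return allowed


if __name__ == "__main__":
    result = run_commands(SAMPLE_COMMANDS)
    print("allowed after the notes' command sequence:", format_vlan_list(result))
    print("after 'except 21-25':", format_vlan_list(apply_allowed_vlan(result, "except 21-25")))
```

Note that `except` and `all` start again from the full range rather than from the current list, while `add` and `remove` edit the current list; replaying a config this way is a cheap way to confirm that a trunk carries only the VLANs it is meant to.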
VTP (VLAN Trunking Protocol)
VLAN Trunking Protocol reduces administration in a switched network. When you configure a new VLAN on one VTP server, the VLAN is distributed through all switches in the domain.
This reduces the need to configure the same VLAN everywhere. VTP is a Cisco-proprietary protocol that is available on most of the Cisco Catalyst series products.
VTP requires that all participating switches join a VTP domain. Switches must belong to the same domain to share VLAN information.
VTP version
There are three versions:
VTP version 1: It supports the standard 1 – 1005 VLAN range. VTP version 1 is also the default on Catalyst switches.
VTP version 2: It supports
Token Ring support
VLAN consistency checks
Domain-independent transparent passthrough
VTP version 3: It supports
The extended 1006-4094 VLAN range.
Support for private VLANs.
Improved VTP authentication.
Ability to enable VTP on a per-port basis.
VTPv1 and v2 are not compatible.
VTP version 3 was supported on only limited Cisco switch platforms.
VTP Modes:
A switch using VTP must operate in one of three modes:
• Server
• Client
• Transparent
Server: In VTP server mode, you can create, modify, and delete VLANs and specify other configuration parameters, such as VTP version and VTP pruning, for the entire VTP domain. VTP servers advertise their VLAN configuration to other switches in the same VTP domain and synchronize their VLAN configuration with other switches based on advertisements received over trunk links.
Client: VTP clients behave the same way as VTP servers, but you cannot create, change, or delete VLANs on a VTP client.
Transparent: A VTP transparent switch maintains its own local VLAN database, and does not directly participate in the VTP domain. A transparent switch will never accept VLAN database information from another switch, even a server. Also, a transparent switch will never advertise its local VLAN database to another switch.
VTP message types:
Summary advertisements
Subset advertisements
Advertisement requests
Summary advertisements: Both VTP servers and clients send out a summary advertisement every 300 seconds. It contains the following data:
VTP domain
VTP version
Domain name
Configuration revision number
Time stamp
MD5 digest
A subset advertisement contains the following information:
VTP version
Domain name
Configuration revision number
VLAN IDs for each VLAN in the database
VLAN-specific information, such as the VLAN name and MTU
Advertisement requests
A switch sends a VTP advertisement request in these situations:
The switch has been reset.
The VTP domain name has been changed.
The switch has received a VTP summary advertisement with a higher configuration revision than its own.
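The following Python example (added here, not part of the original notes) packs and parses a VTP summary advertisement carrying the fields listed above, then applies the advertisement-request rule: a received summary is acted on only when it comes from the switch's own domain and carries a higher configuration revision than the local one. The 72-byte field layout and the message code values are taken from Cisco's published VTP packet format rather than from the notes; the domain name, updater address, timestamp and digest values are constructed.

```python
import struct

# VTP message codes (Cisco's VTP packet format; an assumption beyond the notes).
VTP_SUMMARY_ADVERT, VTP_SUBSET_ADVERT, VTP_ADVERT_REQUEST = 0x01, 0x02, 0x03

# Summary advertisement layout: version, code, followers, domain-name length,
# domain name (32 bytes, zero padded), configuration revision, updater identity (IPv4),
# update timestamp (12 ASCII bytes), MD5 digest (16 bytes).
SUMMARY_FMT = "!BBBB32sI4s12s16s"
SUMMARY_LEN = struct.calcsize(SUMMARY_FMT)    # 72 bytes

# Constructed sample values (no real switch behind them).
SAMPLE_DOMAIN = "MYDOMAIN"
SAMPLE_DIGEST = bytes(range(16))


def build_summary_advert(version, domain, revision, updater_ip, timestamp, md5_digest, followers=0):
    """Pack a summary advertisement; `followers` is the number of subset adverts that follow."""
    name = domain.encode("ascii")
    if len(name) > 32 or len(md5_digest) != 16 or len(timestamp) != 12:
        raise ValueError("field size out of range")
    ip = bytes(int(octet) for octet in updater_ip.split("."))
    return struct.pack(SUMMARY_FMT, version, VTP_SUMMARY_ADVERT, followers, len(name),
                       name.ljust(32, b"\x00"), revision, ip, timestamp.encode("ascii"), md5_digest)


def parse_summary_advert(data):
    """Unpack a summary advertisement into a dict; reject other message types or short input."""
    if len(data) < SUMMARY_LEN:
        raise ValueError("truncated VTP summary advertisement")
    ver, code, followers, dlen, name, rev, ip, ts, digest = struct.unpack(SUMMARY_FMT, data[:SUMMARY_LEN])
    if code != VTP_SUMMARY_ADVERT:
        raise ValueError(f"not a summary advertisement (code {code})")
    return {
        "version": ver,
        "followers": followers,
        "domain": name[:dlen].decode("ascii"),
        "revision": rev,
        "updater": ".".join(str(b) for b in ip),
        "timestamp": ts.decode("ascii"),
        "md5": digest.hex(),
    }


def summary_action(local_domain, local_revision, summary):
    """Decide how a server or client reacts to a received summary, per the rules in the notes."""
    if summary["domain"] != local_domain:
        return "ignore: different VTP domain"
    if summary["revision"] <= local_revision:
        return "ignore: revision not higher than local"
    return "send advertisement request: higher revision, resynchronize VLAN database"


if __name__ == "__main__":
    advert = build_summary_advert(2, SAMPLE_DOMAIN, 7, "10.0.0.1", "250101120000", SAMPLE_DIGEST)
    parsed = parse_summary_advert(advert)
    print(f"{len(advert)}-byte summary from {parsed['updater']}: domain={parsed['domain']} "
          f"rev={parsed['revision']} md5={parsed['md5']}")
    for local_rev in (3, 7):
        print(f"local revision {local_rev}: {summary_action(SAMPLE_DOMAIN, local_rev, parsed)}")
```

The revision comparison is the whole of VTP's synchronization logic, which is why the notes stress that the domain name and password must match on every switch: a summary from a different domain is ignored outright, while one from the same domain with a higher revision causes the receiver to request and adopt the advertised database.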
VTP Pruning:
VLAN Trunking Protocol (VTP) is used to communicate VLAN information between switches in the same VTP domain. VTP pruning is a feature in Cisco switches which stops VLAN update information traffic from being sent down trunk links if the updates are not needed.
In normal operation a switch needs to flood broadcast frames, multicast frames, or unicast frames where the destination MAC address is unknown to all its ports.
If the neighbouring switch doesn't have any active ports in the source VLAN, this broadcast is unnecessary, and excessive unwanted traffic may create problems on the network.
VTP pruning helps in increasing the available bandwidth by reducing unnecessary flooded traffic.
Broadcast frames, multicast frames, or unicast frames where the destination MAC address is unknown are forwarded over a trunk link only if the switch on the receiving end of the trunk link has ports in the source VLAN.
Configuring VTP
By default, a switch is in VTP server mode. To change the VTP domain:
Switch(config)# vtp domain MYDOMAIN
Note that the domain name is case sensitive.
To configure the VTP mode:
Switch(config)# vtp mode server
Switch(config)# vtp mode client
Switch(config)# vtp mode transparent
The VTP domain can be secured using a password:
Switch(config)# vtp password P@SSWORD!
The password is also case sensitive. All switches participating in the VTP domain must be configured with the same password. The password is hashed into a 16-byte MD5 digest.
VTP pruning is disabled by default on IOS switches. VTP pruning must be enabled on a server, and will be applied globally to the entire VTP domain:
Switch(config)# vtp pruning
Both VLAN 1 and the system VLANs 1002-1005 are never eligible for pruning.
To manually specify which VLANs are pruning eligible on a trunk: