VLAN technologies
1.1.c i Access ports
Access Ports can be configured in two ways:
- Static: The VLAN ID is assigned statically to the port.
- Dynamic: The VLAN ID is assigned based on e.g. the MAC address or the 802.1X identity of the connected host. A policy server (like Cisco ISE via RADIUS, or the legacy VMPS for MAC-based assignment) is needed for this.
“Access Ports” CLI configuration commands:
## Configuring an interface for access mode and set its VLAN ID
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan <vlan-id>
“Access Ports” CLI show commands:
## Showing all VLANs and their associated ports in detail
Switch# show vlan
## Showing all VLANs and their associated ports in brief
Switch# show vlan brief
## Showing a specific VLAN and its associated ports
Switch# show vlan id <vlan-id>
1.1.c ii Trunk ports (802.1Q)
General information on “Trunk ports (802.1Q)":
- A trunk port is a single port which transports the data of several VLANs.
- By default, a trunk allows all VLANs to pass
- The native VLAN of a trunk is 1 by default (must match on both sides)
- 802.1q is an industry standard protocol by the IEEE
- 802.1q is also called dot1q
- 802.1q adds no overhead to native VLAN packets
- 802.1q has a total overhead of 4 bytes for all non-native VLAN packets because it adds a 4 byte header (tag)
- 802.1q adds the tag to the ethernet header after the SA (source address)
The 802.1q tag consists of the following fields:
- Type (TPID): 16 bits. Fixed value 0x8100, identifies the frame as 802.1q tagged.
- Priority (PCP): 3 bits. Used for traffic prioritization (also known as the CoS field, 802.1p).
- Flag (CFI): 1 bit. State of the MAC address format (1 = noncanonical, 0 = canonical); redefined as DEI (Drop Eligible Indicator) in 802.1Q-2011.
- VLAN ID (VID): 12 bits. The ID of the corresponding VLAN. 0 means "priority-tagged, no VLAN" (used by the dot1p voice VLAN setting), 4095 is reserved.
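Added example (not from the original notes): the tag layout above, built and parsed as bytes, plus a simplified model of Catalyst access/trunk port handling that shows why an untagged native VLAN lets a double-tagged frame hop into another VLAN and why an unused or tagged native VLAN stops it. All frames are constructed inline; the access-port rule (frames tagged with the port's own VLAN are accepted) and the trunk rules are assumptions of the model, not output of any switch.

```python
"""Added example (not from the original notes): build and parse 802.1Q
tagged Ethernet frames and model how a trunk's native-VLAN handling lets a
double-tagged frame hop VLANs, and how an unused or tagged native VLAN
blocks it. Frames are constructed inline; the switch behaviour is a
simplified model of Catalyst access/trunk port processing."""
import struct

TPID_8021Q = 0x8100   # "Type" field that marks an 802.1Q tagged frame


def build_frame(dst, src, ethertype, payload, vids=(), pcp=0):
    """Ethernet frame with one 4-byte 802.1Q tag per VID (outermost first),
    inserted directly after the source address."""
    hdr = bytes(dst) + bytes(src)
    for vid in vids:
        if not 0 <= vid <= 4095:
            raise ValueError(f"VID out of range: {vid}")
        tci = (pcp << 13) | vid          # PCP (3 bits) | CFI (1 bit, left 0) | VID (12 bits)
        hdr += struct.pack("!HH", TPID_8021Q, tci)
    return hdr + struct.pack("!H", ethertype) + bytes(payload)


def parse_frame(frame):
    """Addresses, list of tags (outermost first) and EtherType of a frame.
    An untagged frame, which is how native-VLAN traffic looks on a trunk,
    yields an empty tag list."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    offset, tags = 12, []
    while len(frame) >= offset + 4 and struct.unpack_from("!H", frame, offset)[0] == TPID_8021Q:
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        tags.append({"pcp": tci >> 13, "cfi": (tci >> 12) & 1, "vid": tci & 0x0FFF})
        offset += 4
    if len(frame) < offset + 2:
        raise ValueError("frame ends inside the tag stack")
    (ethertype,) = struct.unpack_from("!H", frame, offset)
    return {"dst": frame[:6], "src": frame[6:12], "tags": tags,
            "ethertype": ethertype, "payload": frame[offset + 2:]}


def access_ingress(frame, access_vid):
    """Model of an access port: untagged frames get the access VLAN; a frame
    already tagged with the port's own VLAN is accepted as-is (this is what a
    double-tagging attacker relies on); other tags are dropped (None)."""
    p = parse_frame(frame)
    if not p["tags"]:
        return frame[:12] + struct.pack("!HH", TPID_8021Q, access_vid) + frame[12:]
    return frame if p["tags"][0]["vid"] == access_vid else None


def trunk_egress(frame, native_vid, tag_native=False):
    """Model of a trunk sending a frame: the outer tag of the native VLAN is
    stripped unless 'vlan dot1q tag native' is in effect; any inner tag stays."""
    p = parse_frame(frame)
    if p["tags"] and p["tags"][0]["vid"] == native_vid and not tag_native:
        return frame[:12] + frame[16:]   # remove the 4-byte outer tag
    return frame


def trunk_ingress_vlan(frame, native_vid):
    """VLAN the receiving trunk assigns: outer tag if present, else native."""
    p = parse_frame(frame)
    return p["tags"][0]["vid"] if p["tags"] else native_vid


def hop_result(access_vid, native_vid, target_vid, tag_native=False):
    """VLAN in which the far switch places a double-tagged frame
    [access_vid][target_vid] sent by a host on an access port in access_vid
    across a trunk with native VLAN native_vid. None if the access port drops it."""
    attacker = build_frame(b"\xff" * 6, b"\x02\x00\x00\x00\x00\x01", 0x0800,
                           b"\x00" * 20, vids=(access_vid, target_vid))
    f = access_ingress(attacker, access_vid)
    if f is None:
        return None
    f = trunk_egress(f, native_vid, tag_native)
    return trunk_ingress_vlan(f, native_vid)


if __name__ == "__main__":
    print("native 1, attacker in VLAN 1   ->", hop_result(1, 1, 20))             # 20: hop succeeds
    print("native 999, attacker in VLAN 1 ->", hop_result(1, 999, 20))           # 1: blocked
    print("native 1 tagged                ->", hop_result(1, 1, 20, tag_native=True))  # 1: blocked
```

The three calls at the bottom are the whole argument for the native VLAN advice further down: the hop only works when the attacker's access VLAN equals the trunk's untagged native VLAN, so either moving the native VLAN to an unused ID or tagging it closes the path.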
“Trunk ports (802.1Q)” CLI configuration commands:
## Configuring an interface for trunk mode
## Important: The encapsulation command is only needed on older platforms where ISL is still configurable!
Switch(config-if)# switchport trunk encapsulation dot1q
Switch(config-if)# switchport mode trunk
“Trunk ports (802.1Q)” CLI show commands:
## Showing all trunk interfaces including detailed information
Switch# show interfaces trunk
1.1.c DTP (not on blueprint)
General information on “DTP”:
- Dynamic Trunking Protocol
- Cisco proprietary protocol
- Point-to-Point protocol
- Native VLAN is used for exchanging DTP frames
- The default mode depends on the switch model
- If the switch sends a DTP frame and doesn’t receive anything back, it goes into access mode
- Important: Setting the switchport to access mode disables DTP, setting it to trunk doesn’t! A static trunk keeps sending DTP frames until "switchport nonegotiate" is added.
“DTP” timers default values:
- Message time: 30 seconds
- Timeout: 300 seconds
“DTP” modes:
- Dynamic Desirable: Actively trunking (tries to establish a trunk)
- Dynamic Auto: Passively trunking (only establishes a trunk if other side does the active initiating)
- Nonegotiate: Disables DTP frames on the port (only valid together with a static access or trunk mode)
“DTP” port configuration combination results (local mode in the rows, remote mode in the columns):
| | Dynamic Desirable | Dynamic Auto | Trunk | Access |
|---|---|---|---|---|
| Dynamic Desirable | Trunk | Trunk | Trunk | Access |
| Dynamic Auto | Trunk | Access | Trunk | Access |
| Trunk | Trunk | Trunk | Trunk | Limited connectivity |
| Access | Access | Access | Limited connectivity | Access |
“DTP” CLI configuration commands:
## Configuring DTP on an interface for active trunking (dynamic desirable)
Switch(config-if)# switchport mode dynamic desirable
## Configuring DTP on an interface for passive trunking (dynamic auto)
Switch(config-if)# switchport mode dynamic auto
## Configuring an interface for static trunk mode
Switch(config-if)# switchport mode trunk
## Configuring an interface for static access mode
Switch(config-if)# switchport mode access
## Disable DTP on an interface completely
Switch(config-if)# switchport nonegotiate
1.1.c iii Native VLAN
General Information on “Native VLAN”:
- The native VLAN is 1 by default
- Normally every VLAN on a trunk line is tagged except for the native VLAN which transports untagged traffic
- It’s best practice to change the native VLAN on a trunk from 1 to something else
- The native VLAN is mainly used to carry control traffic like CDP, VTP, DTP, …
- Even if the native VLAN is changed, control traffic still uses VLAN 1 (except for DTP, which “follows” the native VLAN)
- Pruning the native VLAN or VLAN 1 of a trunk is possible and doesn’t affect control traffic
- Important: The native VLAN can and should be tagged for security reasons (VLAN hopping by double tagging)! Native VLAN tagging is a global setting and must be enabled on both ends of a trunk: a switch with it enabled drops untagged frames received on the trunk, so a one-sided change breaks native VLAN traffic.
“Native VLAN” CLI configuration commands:
## Modifying the native VLAN of a trunk interface
Switch(config-if)# switchport trunk native vlan <vlan-id>
## Configuring tagging for the native VLAN
Switch(config)# vlan dot1q tag native
1.1.c iv Manual VLAN pruning
General information on “Manual VLAN pruning”:
- By default, all existing VLANs are allowed to traverse on a trunk port
- This behavior can be modified by removing (“pruning”) specific VLANs
- There are two ways of pruning:
- Manual pruning: Works in every VTP mode and is the only option when VTP is not used or the switch is in transparent mode
- VTP pruning: Used when VTP is used in server/client mode
“Manual VLAN pruning” CLI configuration commands:
## Allowing only specific VLANs on a trunk interface
Switch(config-if)# switchport trunk allowed vlan <vlan-ids>
## Adding VLANs to the list of allowed VLANs on a trunk interface
Switch(config-if)# switchport trunk allowed vlan add <vlan-ids>
## Removing VLANs from the list of allowed VLANs on a trunk interface
Switch(config-if)# switchport trunk allowed vlan remove <vlan-ids>
## Allowing all VLANs except specific ones on a trunk interface
Switch(config-if)# switchport trunk allowed vlan except <vlan-ids>
## Allowing all VLANs on a trunk interface
Switch(config-if)# switchport trunk allowed vlan all
## Allowing no VLANs on a trunk interface
Switch(config-if)# switchport trunk allowed vlan none
“Manual VLAN pruning” CLI show commands:
## Showing all trunk interfaces including detailed information
Switch# show interfaces trunk
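Added example (not from the original notes): an audit over "show interfaces switchport" output that flags the conditions the DTP, native VLAN and pruning notes above warn about: ports still negotiating trunks (DTP on, dynamic modes), trunks with native VLAN 1 or with all VLANs allowed, and access ports left in VLAN 1. The sample output is constructed for this example and trimmed to the fields the audit reads; the finding codes and the per-port layout assumed by the parser are this example's own.

```python
"""Added example (not from the original notes): audit 'show interfaces
switchport' output for DTP left enabled, dynamic trunking modes, native
VLAN 1, trunks allowing all VLANs and access ports in VLAN 1.
SAMPLE is constructed for the example and trimmed to the fields used."""

SAMPLE = """\
Name: Gi1/0/1
Switchport: Enabled
Administrative Mode: dynamic auto
Operational Mode: static access
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Voice VLAN: none
Trunking VLANs Enabled: ALL

Name: Gi1/0/2
Switchport: Enabled
Administrative Mode: static access
Operational Mode: static access
Negotiation of Trunking: Off
Access Mode VLAN: 10 (10-data)
Trunking Native Mode VLAN: 1 (default)
Voice VLAN: 20 (20-voice)
Trunking VLANs Enabled: ALL

Name: Gi1/0/23
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 999 (unused-native)
Voice VLAN: none
Trunking VLANs Enabled: 10,20-30

Name: Gi1/0/24
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Negotiation of Trunking: Off
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Voice VLAN: none
Trunking VLANs Enabled: ALL
"""


def parse_switchport(text):
    """Map interface name -> {field: value}; each block starts with 'Name:'."""
    ports, current = {}, None
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "Name":
            current = ports.setdefault(value, {})
        elif current is not None:
            current[key] = value
    return ports


def parse_vlan_list(spec):
    """Expand '10,20-30' into a set of VIDs; 'ALL' -> None, 'NONE' -> empty set."""
    spec = spec.strip().upper()
    if spec == "ALL":
        return None
    if spec == "NONE":
        return set()
    vids = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        lo, hi = int(lo), int(hi or lo)
        vids.update(range(lo, hi + 1))
    return vids


def vlan_id(field):
    """'10 (10-data)' -> 10"""
    return int(field.split()[0])


def audit(ports):
    """Return (interface, code, remediation) for every weak setting found."""
    findings = []
    for name, p in ports.items():
        mode, oper = p.get("Administrative Mode", ""), p.get("Operational Mode", "")
        if p.get("Negotiation of Trunking") == "On":
            findings.append((name, "DTP-ON", "switchport nonegotiate (trunk) or switchport mode access"))
        if mode.startswith("dynamic"):
            findings.append((name, "DYNAMIC-MODE", "set a static switchport mode"))
        if oper == "trunk":
            if vlan_id(p.get("Trunking Native Mode VLAN", "1")) == 1:
                findings.append((name, "NATIVE-VLAN-1", "switchport trunk native vlan <unused-id>"))
            allowed = parse_vlan_list(p.get("Trunking VLANs Enabled", "ALL"))
            if allowed is None:
                findings.append((name, "ALL-VLANS-ALLOWED", "switchport trunk allowed vlan <needed-ids>"))
            elif 1 in allowed:
                findings.append((name, "VLAN1-ALLOWED", "switchport trunk allowed vlan remove 1"))
        elif oper == "static access" and vlan_id(p.get("Access Mode VLAN", "1")) == 1:
            findings.append((name, "ACCESS-VLAN-1", "switchport access vlan <non-default-id>"))
    return findings


if __name__ == "__main__":
    for iface, code, fix in audit(parse_switchport(SAMPLE)):
        print(f"{iface:10} {code:18} -> {fix}")
```

Gi1/0/2 is the only clean port in the sample: static access in a non-default VLAN with DTP off. Gi1/0/23 shows the trap from the DTP notes, a static trunk that still answers DTP because "switchport nonegotiate" is missing.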
1.1.c v VLAN database
Normal Range (1 - 1001):
- Stored in the vlan.dat file (resides in flash memory)
- When VTP mode is set to transparent, also stored in the startup/running configuration
Extended Range (1006 - 4094):
- Stored in the running/startup configuration with VTPv1/v2 (VTPv3 stores them in vlan.dat as well)
1.1.c vi Normal range and extended range VLANs
VLAN ranges:
- VLAN 1 - 1001: Normal range
- VLAN 1002 - 1005: Reserved for legacy technologies (FDDI and Token Ring defaults: fddi-default, token-ring-default, fddinet-default, trnet-default)
- VLAN 1006 - 4094: Extended range
VLAN states:
- Active:
- Locally and globally significant, propagated through VTP
- Traffic will be forwarded
- Suspended:
- Locally and globally significant, propagated through VTP
- No traffic will be forwarded
- Shutdown:
- Locally significant, not propagated through VTP
- No traffic will be forwarded
Cisco best practice:
- One subnet per VLAN
- VLAN shouldn’t reach beyond distribution layer in a three-tier architecture
“Normal range and extended range VLANs” CLI configuration commands:
## Configuring a new VLAN
Switch(config)# vlan <vlan-id>
Switch(config-vlan)# name <vlan-name>
## Activating/Suspending a VLAN
Switch(config)# vlan <vlan-id>
Switch(config-vlan)# state [active | suspend]
## Shutting down a VLAN
Switch(config)# vlan <vlan-id>
Switch(config-vlan)# shutdown
“Normal range and extended range VLANs” CLI show commands:
## Showing all VLANs and their associated ports in detail
Switch# show vlan
## Showing all VLANs and their associated ports in brief
Switch# show vlan brief
## Showing a specific VLAN and its associated ports
Switch# show vlan id <vlan-id>
1.1.c vii Voice VLAN
Benefits of using a dedicated “voice VLAN”:
- Voice traffic is separated from the data traffic
- The voice VLAN is dedicated to carry voice traffic only
- Voice frames are sent tagged with the VVID and a CoS value of 5 (802.1p), so they can be prioritized over data traffic, which results in much reduced delay and jitter
- When a voice and a data VLAN are used, the access port acts like a trunk port carrying exactly two VLANs: data untagged, voice tagged with the VVID (the PC behind the phone stays in the data VLAN)
“Voice VLAN” configuration types:
- default (Voice VLAN): A dedicated VLAN will be used for voice traffic
- dot1p: VLAN 0 (priority-tagged, no VLAN) will be used for voice traffic, which the phone marks with CoS 5 (802.1p); the switch treats it as access VLAN traffic
- untagged: The phone sends voice traffic untagged, so it lands in the port's access (data) VLAN without a priority marking
- none: The switch doesn't instruct the phone; the phone uses its own voice VLAN configuration (this is the default state of a port)
“Voice VLAN” configuration specialties:
- PortFast is automatically enabled on a voice VLAN port
- PortFast doesn’t get automatically reverted when removing the voice VLAN from the port
“Voice VLAN default” CLI configuration/show commands:
## Configuring a dedicated Voice VLAN on a port
Switch(config-if)# switchport voice vlan <vlan-id>
## Showing output of a dedicated Voice VLAN port (example uses Voice VLAN 20)
Switch# show interface <if> switchport
[...]
Access Mode VLAN: 10 (10-data)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: 20 (20-voice)
[...]
“Voice VLAN dot1p” CLI configuration/show commands:
## Configuring dot1p Voice VLAN on a port
Switch(config-if)# switchport voice vlan dot1p
## Showing output of a dot1p Voice VLAN port
Switch# show interface <if> switchport
[...]
Access Mode VLAN: 10 (10-data)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: dot1p
[...]
“Voice VLAN untagged” CLI configuration/show commands:
## Configuring an untagged Voice VLAN on a port
Switch(config-if)# switchport voice vlan untagged
## Showing output of an untagged Voice VLAN port
Switch# show interface <if> switchport
[...]
Access Mode VLAN: 10 (10-data)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: untagged
[...]
1.1.c Internal VLAN (not on blueprint)
General Information on “Internal VLAN”:
- When creating a routed (L3) interface on a switch, a VLAN is dedicated to that port
- The switch uses a VLAN from the extended range (1006 - 4094)
- The default internal VLAN usage is ascending
“Internal VLAN” CLI configuration commands:
## Modifying the internal VLAN allocation policy
Switch(config)# vlan internal allocation policy [ascending | descending]
“Internal VLAN” CLI show commands:
## Showing the internal VLANs currently allocated (e.g. by routed ports) and what uses them
Switch# show vlan internal usage
1.1.c viii VTP
VLAN Trunking Protocol
Reasons to use “VTP”:
- Automatic propagation/configuration of VLANs across all switches within a VTP domain
- This results in much more efficient VLAN administration (less time, less misconfigurations, …)
Default settings for “VTP”:
- VTP Version: 1
- VTP Domain: null (not set)
- VTP Password: null (not set)
- VTP Mode: Server
- VTP Pruning: Off (switch dependent)
“VTP” Modes:
- Server: Create, modify and delete VLANs
- Client: Unable to modify anything VLAN-related, receives advertisements from server, can relay VTP advertisements
- Transparent: Not participating in the VTP domain, VLANs managed locally, can forward VTP advertisements from servers (v1 inspects VTP domain name, v2/v3 doesn’t inspect VTP domain name)
- Off (v3 only): Completely disables VTP on the switch
Reset “VTP” revision:
- The revision number resides in NVRAM (vlan.dat) and is still the same after a reboot
- Solution 1: Change VTP domain to nonexistent one and the back to original one
- Solution 2: Change VTP mode from server to transparent and back to server
“VTP” message types:
- Each message type is a multicast frame
- Advertisements from servers with higher revision number always overwrites all data on clients (if in the same VTP domain)
- 4 types of messages:
- Summary advertisement:
- Sent every 5 minutes
- Generated by servers and clients
- Contains all general information like VTP domain name, revision number, ID of last updater, timestamp of last update and an MD5 hash of the VLAN database; the VTP password (if configured) is mixed into that hash, it is not sent in clear
- Subset advertisement:
- Follows the summary advertisement after a configuration change
- Can be one or several messages depending of the VLAN database size
- Contains the VTP domain name, revision number and all VLAN database information
- Advertisement request:
- Sent out by VTP clients to request lacking information
- Upon receiving, the VTP server responds with a summary advertisement and one or more subset advertisements
- Join:
- Sent every 6 seconds
- Generated by servers and clients
- Generated only when VTP pruning is enabled
- Contain a bit field for each VLAN that indicates if it’s used (joined) or not (pruned)
“VTP” configuration considerations:
- Settings like VTP version, domain and password must match in order to participate in the VTP process
- A switch whose VTP domain is NULL (empty) adopts the first domain name it receives over a trunk; once set, the domain must be changed manually on every switch
- Each switch sends out 1 VTP advertisement after boot up (even VTP clients)
- VTP advertisements are multicast and only sent out over properly established trunk links
- VTP domains are case-sensitive
- The VLAN configuration is not shown in the running-config when the VTP mode is server or client (it lives in vlan.dat)
“VTP” and VLAN ranges:
- VTPv1 and VTPv2 only support the extended VLAN range when the switch is in transparent mode
“VTP” version feature overview:
| | Version 1 | Version 2 | Version 3 |
|---|---|---|---|
| VLAN Range | Normal | Normal | Normal + Extended |
| Private VLAN Support | No | No | Yes |
| Modes | Server, Client, Transparent | Server, Client, Transparent | Server, Client, Transparent, Off |
| Additional features | - | Token Ring VLAN support; unrecognized TLVs are propagated; transparent mode forwards advertisements regardless of domain name | Primary/secondary servers; hidden and secret password; MST database propagation; extended-range VLANs in vlan.dat |
“VTP” problem (“superior-revision-wipeout-issue”):
- Problem: When a new switch joins the VTP domain (same domain name and, if set, same password) in server or client mode with a higher configuration revision number than the other switches, its VLAN database overwrites the whole VTP domain. This happens because each switch (servers and clients) sends out one (1) VTP advertisement after boot up, and every switch with a lower revision accepts it.
- Solution: VTP version 3 doesn't have this issue because only the one primary server in the VTP domain can make VLAN changes, and a switch that joins or reloads is not a primary server until it is explicitly promoted.
“VTP” v3:
- VTP Domain must be set first
- VTP version must be set after
- Switch in server mode can always be promoted to primary server, client cannot
- Secret password: with the “secret” keyword the 32 hexadecimal characters of the password hash are entered directly instead of the clear-text password
- Only primary server can make changes (resolves the “superior-revision-wipeout-issue” from VTPv2)
- Primary server status is revoked after a reload
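Added example (not from the original notes): the VTP summary advertisement from the message-type notes, packed and parsed in its v1/v2 layout (version, code, followers, domain length, 32-byte domain, revision, updater, timestamp, MD5 digest), and a switch model that applies the acceptance rule behind the superior-revision wipeout and the VTPv3 primary-server check. The digest function is a stand-in that only reproduces the property "password or database mismatch changes the hash"; it is not Cisco's digest computation. Switch names, addresses, VLANs and the passwords are constructed for the scenario, and VTPv3 is modeled with the same packet layout plus a primary-server ID, which is a simplification.

```python
"""Added example (not from the original notes): pack/parse a VTP summary
advertisement (v1/v2 72-byte layout) and model the revision-number
acceptance rule that lets a stray higher-revision switch wipe a domain,
plus the VTPv3 primary-server check that stops it.
toy_digest() is a stand-in, not Cisco's MD5 digest computation."""
import hashlib
import socket
import struct

# version, code, followers, domain length, domain, revision, updater, timestamp, MD5
SUMMARY_FMT = "!BBBB32sI4s12s16s"
SUMMARY_LEN = struct.calcsize(SUMMARY_FMT)   # 72 bytes
CODE_SUMMARY = 0x01


def toy_digest(password, vlans):
    """Stand-in digest over the password and the VLAN list: a wrong password
    or a different database yields a different value, which is all the
    acceptance rule below needs."""
    body = (password or "").encode() + ",".join(str(v) for v in sorted(vlans)).encode()
    return hashlib.md5(body).digest()


def build_summary(version, domain, revision, digest, updater="10.0.0.1", followers=0):
    """Summary advertisement; `followers` is the number of subset advertisements that follow."""
    dom = domain.encode()
    if len(dom) > 32:
        raise ValueError("VTP domain name is limited to 32 bytes")
    return struct.pack(SUMMARY_FMT, version, CODE_SUMMARY, followers, len(dom),
                       dom.ljust(32, b"\0"), revision, socket.inet_aton(updater),
                       b"000000000000", digest)


def parse_summary(pkt):
    if len(pkt) < SUMMARY_LEN:
        raise ValueError("short VTP packet")
    ver, code, followers, dlen, dom, rev, upd, ts, digest = struct.unpack(SUMMARY_FMT, pkt[:SUMMARY_LEN])
    if code != CODE_SUMMARY:
        raise ValueError(f"not a summary advertisement: code {code}")
    return {"version": ver, "followers": followers, "domain": dom[:dlen].decode(),
            "revision": rev, "updater": socket.inet_ntoa(upd),
            "timestamp": ts.decode(), "digest": digest}


class VtpSwitch:
    """Just enough state to decide whether an advertised database is accepted."""

    def __init__(self, domain, mode, version=2, password=None, revision=0, vlans=(), primary_id=None):
        self.domain, self.mode, self.version, self.password = domain, mode, version, password
        self.revision, self.vlans = revision, set(vlans)
        self.primary_id = primary_id   # VTPv3 only: the updater allowed to change VLANs

    def receive_summary(self, pkt, advertised_vlans):
        """Acceptance rule for a summary advertisement whose subset advertisements
        carry `advertised_vlans`. Returns the rejection reason or 'ACCEPTED'
        after the local database has been overwritten."""
        adv = parse_summary(pkt)
        if self.mode in ("transparent", "off"):
            return "IGNORED-MODE"           # forwarded at most, never applied
        if adv["domain"] != self.domain:
            return "DOMAIN-MISMATCH"
        if adv["version"] != self.version:
            return "VERSION-MISMATCH"
        if adv["digest"] != toy_digest(self.password, advertised_vlans):
            return "DIGEST-MISMATCH"        # wrong password or damaged database
        if self.version == 3 and adv["updater"] != self.primary_id:
            return "NOT-PRIMARY"            # v3: only the primary server may change VLANs
        if adv["revision"] <= self.revision:
            return "STALE-REVISION"
        self.revision, self.vlans = adv["revision"], set(advertised_vlans)
        return "ACCEPTED"


def wipeout_scenario():
    """Constructed v2 domain: a stray switch with the right domain/password but a
    stale database and revision 42 joins. Returns per-switch verdict and VLANs."""
    prod = {name: VtpSwitch("CORP", mode, version=2, password="s3cret", revision=5, vlans={1, 10, 20, 30})
            for name, mode in (("core", "server"), ("access", "client"), ("lab", "transparent"))}
    stray = {1, 99}
    pkt = build_summary(2, "CORP", 42, toy_digest("s3cret", stray), updater="10.0.0.99")
    verdicts = {name: sw.receive_summary(pkt, stray) for name, sw in prod.items()}
    return verdicts, {name: sw.vlans for name, sw in prod.items()}


def v3_scenario():
    """Same stray switch against a VTPv3 server whose primary is 10.0.0.1,
    followed by a legitimate change from the primary."""
    core = VtpSwitch("CORP", "server", version=3, password="s3cret", revision=5,
                     vlans={1, 10, 20, 30}, primary_id="10.0.0.1")
    stray, legit = {1, 99}, {1, 10, 20, 30, 40}
    rogue = build_summary(3, "CORP", 42, toy_digest("s3cret", stray), updater="10.0.0.99")
    good = build_summary(3, "CORP", 6, toy_digest("s3cret", legit), updater="10.0.0.1")
    return core.receive_summary(rogue, stray), core.receive_summary(good, legit)


if __name__ == "__main__":
    print(wipeout_scenario())   # server and client both accept revision 42, transparent ignores it
    print(v3_scenario())        # ('NOT-PRIMARY', 'ACCEPTED')
```

The point the scenario makes is that the server is not safer than the client: both accept the higher revision, so only transparent mode, a password the stray switch lacks, or VTPv3's primary-server rule keeps the database intact.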
“VTP” pruning:
- With VTP pruning a trunk line only allows those VLANs effectively used by the target switch
- Example: Switch 1 has VLAN 10, 20 and 30 configured. Switch 2 only has Access Ports in VLAN 20. The result is VLAN 10 and 30 will be pruned (removed) from the trunk line but not from the VLAN database of the switch itself.
- The advantages are decreased bandwidth and decreased broadcast domain size
- Pruning doesn’t work for the extended range (1006-4094)
- Important: The native VLAN can’t be pruned by VTP (but manually)! VLAN 1 and VLANs 1002 - 1005 are also never pruned; only VLANs 2 - 1001 are pruning-eligible
“VTP” CLI configuration commands:
## =================
## VTP CONFIGURATION
## =================
## Configuring the VTP mode
Switch(config)# vtp mode <vtp-mode>
## Configuring the VTP domain
Switch(config)# vtp domain <vtp-domain>
## Configuring the VTP password
Switch(config)# vtp password <vtp-password>
## Configuring the VTP version
Switch(config)# vtp version <vtp-version>
## Disabling/Enabling VTP pruning
Switch(config)# [no] vtp pruning
## ===========================
## VTP CONFIGURATION (V3 ONLY)
## ===========================
## Configuring the VTP password (hidden mode)
Switch(config)# vtp password <vtp-password> hidden
## Configuring the VTP password (secret mode)
Switch(config)# vtp password <vtp-password> secret
## ===========
## VTP PRUNING
## ===========
## Only allowing specific VLANs to-be-pruned on a trunk interface
Switch(config-if)# switchport trunk pruning vlan <vlan-ids>
## Adding VLANs to the list of to-be-pruned VLANs on a trunk interface
Switch(config-if)# switchport trunk pruning vlan add <vlan-ids>
## Removing VLANs from the list of to-be-pruned VLANs on a trunk interface
Switch(config-if)# switchport trunk pruning vlan remove <vlan-ids>
## Allowing all VLANs except specific ones to-be-pruned on a trunk interface
Switch(config-if)# switchport trunk pruning vlan except <vlan-ids>
## Allowing no VLANs to-be-pruned on a trunk interface
Switch(config-if)# switchport trunk pruning vlan none
“VTP” CLI show and privileged EXEC commands:
## Showing configured VTP parameters
Switch# show vtp status
## ==========
## VTPv3 only
## ==========
## Making this device the primary VTP server for VLANs
Switch# vtp primary
## Making this device the primary VTP server for VLANs (same outcome as command above)
Switch# vtp primary vlan
## Making this device the primary VTP server for MST
Switch# vtp primary mst