Deepdive into VLANs and Trunking

Here, for my own reference, are my VLAN study notes. A VLAN is a layer 2 broadcast domain, and the technology is ultra powerful.

VLANS

End to End

VLANs that span the enterprise, geographically dispersed. For example, a Student VLAN at each end of the campus that traverses multiple switches. VTP mode should be set to client or ~shudder~ server.

Local

Significant to the local switch and generally confined to a wiring closet. Layer 2 switching is performed at the access layer, with routing performed at the distribution and core layers. Take one switch in a room of 20 users who are all in Marketing: VLAN 20 – Marketing is better placed as a local VLAN on this switch than on every switch in the enterprise.

VTP mode should be set to transparent to allow the VLAN to stay local.

Saves on unnecessary traffic through the distribution and core layers!

Considerations

  • Grouping users on a common sub-network, i.e. Staff, Students, Servers, Marketing. Different VLANs help reduce broadcast traffic.
  • Security is a fantastic reason for VLANs. I may not want the students accessing Marketing’s information.
  • A Voice VLAN could be given a different QoS policy from the Students VLAN.
  • If most of the traffic is destined for devices in the same VLAN, there is a reduced impact on routing/inter-VLAN routing.
  • If you use end-to-end VLANs, note that broadcast traffic will traverse trunks, EVEN if there are no switch-ports assigned to that VLAN on that switch!
  • Local VLANs have a smaller failure domain than end-to-end. Imagine a VTP mishap on end-to-end.

Healthy VLAN Design Practice

  • Local VLAN designs should have 1-3 VLANs per switch.
  • Blackhole VLANs should be anything but VLAN 1.
  • Avoid VTP with local VLANs.
  • Only permit control protocols on VLAN 1.
  • SSH support on management VLANs. Block telnet!

Simple VLAN configuration

switch(config)# vlan 10
switch(config-vlan)# name Management
switch(config-vlan)# exit

switch(config)# interface vlan 10
switch(config-if)# ip address 192.168.10.10 255.255.255.0
switch(config-if)# no shutdown

The first part of the configuration defines the VLAN in the VLAN database and gives it a name to identify it. We then enter the switched virtual interface (SVI) for the VLAN and assign a management IP address. Finally, no shutdown brings up the VLAN 10 interface.

switch(config)# interface gi0/1
switch(config-if)# switchport mode access
switch(config-if)# switchport access vlan 10

We select the interface we want to associate with the VLAN, change the mode to access to allow an end-user device, and set the switchport to reside in VLAN 10.

Detailed port information comes from issuing the following command. The output is invaluable in my opinion. What situation do you feel will yield the most value?

switch#show int gi1/0/8 switchport
Name: Gi1/0/8
Switchport: Enabled
Administrative Mode: static access
Operational Mode: static access
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: native
Negotiation of Trunking: Off
Access Mode VLAN: 10 (Management)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk private VLANs: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL

Protected: false
Unknown unicast blocked: disabled
Unknown multicast blocked: disabled
Appliance trust: none

This verification lets us confirm which VLAN the switch-port is accessing and includes information such as the native VLAN and port settings. Fantastic command.

Trunks and Trunking

What is a trunk?

Trunks carry multiple VLANs across a single physical link by using a trunking encapsulation protocol. When a frame from a VLAN needs to traverse a trunk link, the encapsulation protocol tags the frame with its VLAN ID (VID). The destination switch strips the tag and forwards the frame to the access port!

The two encapsulation protocols are ISL and 802.1q. ISL is Cisco proprietary and 802.1q is the IEEE standard. ISL is almost obsolete. The important thing to know about it is how it encapsulates the normal Ethernet frame: ISL adds a 26-byte header and a 4-byte Frame Check Sequence, even though a standard Ethernet frame already has an FCS field.

802.1q is widely supported. I use it. You use it. I think my cat might. 802.1q has a smaller frame overhead and is therefore more efficient: 4 bytes vs 30 bytes per frame. That can add up fast. There is also support for the 802.1p field for QoS. Handy in this day and age.

802.1q Frame Deep Dive

  • Dest: Destination MAC (6 bytes)
  • Src: Source MAC (6 bytes)
  • Tag: the 4 bytes 802.1q shivs in, made up of the next four fields
  • Ethertype (TPID): set to 0x8100, specifies that a tag follows (2 bytes)
  • PRI: 3-bit 802.1p QoS priority field
  • CFI: 0 = Ethernet, 1 = Token Ring (1 bit)
  • VLAN ID: 12-bit VLAN field. 4096 values minus the 2 reserved ones gives the total usable VLANs. A VID of 0 indicates a priority-tagged frame; 4095 (0xFFF) is reserved.
  • Len/Etype: specifies length or type (2 bytes)
  • Data: contents
  • FCS: Frame Check Sequence (4 bytes)

The Tag field (shown in red in the original) is the only information 802.1q shivs into a normal Ethernet frame. Rather small if you compare it to ISL. 802.1q leverages the existing FCS, whereas ISL adds its own.
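To make the field layout concrete, here is an added Python example (not from the original notes) that builds and parses an 802.1q tagged frame, reporting the TPID, PRI, CFI and VID and handling the untagged, priority-tagged (VID 0) and reserved (VID 4095) cases described above. The MAC addresses and payload are constructed sample values.

```python
import struct

TPID_8021Q = 0x8100   # EtherType value that says "a 4-byte 802.1q tag follows"
DOT1Q_OVERHEAD = 4    # bytes the tag adds; ISL adds 26 + 4 = 30 (see the notes above)

def build_tagged_frame(dst, src, vid, pri=0, cfi=0, ethertype=0x0800, payload=b""):
    """Build a tagged frame: Dest | Src | TPID | TCI(PRI,CFI,VID) | Len/Etype | Data.
    The FCS is left off because the NIC computes it over the tagged frame."""
    if not 0 <= vid <= 4095:
        raise ValueError("VID is a 12-bit field")
    tci = ((pri & 0x7) << 13) | ((cfi & 0x1) << 12) | vid
    return dst + src + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload

def parse_frame(frame):
    """Describe an Ethernet frame, handling untagged, priority-tagged (VID 0),
    reserved (VID 4095) and normal tagged frames."""
    if len(frame) < 14:
        raise ValueError("runt: not even a 14-byte Ethernet header")
    info = {"dst": frame[:6].hex(":"), "src": frame[6:12].hex(":"), "tagged": False}
    etype = struct.unpack("!H", frame[12:14])[0]
    if etype != TPID_8021Q:
        # No tag: a trunk would forward this frame into its native VLAN.
        info.update(vid=None, ethertype=etype, payload=frame[14:])
        return info
    if len(frame) < 18:
        raise ValueError("truncated 802.1q tag")
    tci, inner = struct.unpack("!HH", frame[14:18])
    vid = tci & 0x0FFF
    info.update(tagged=True, pri=tci >> 13, cfi=(tci >> 12) & 1, vid=vid,
                ethertype=inner, payload=frame[18:])
    if vid == 0:
        info["note"] = "priority-tagged: carries 802.1p PRI only, no VLAN membership"
    elif vid == 4095:
        info["note"] = "VID 4095 (0xFFF) is reserved"
    return info

if __name__ == "__main__":
    # Constructed sample: broadcast from a made-up MAC, tagged into VLAN 10 with PRI 5
    f = build_tagged_frame(b"\xff" * 6, bytes.fromhex("0011223344aa"), vid=10, pri=5, payload=b"hi")
    print(f.hex(), parse_frame(f))
```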
What is the Native VLAN and why do I need to know what it is?

A switch forwards all untagged frames received on a trunk to its native VLAN. The native VLAN at each end must match; if there is a mismatch, CDP will display a native VLAN mismatch error.

Trunk Configs

switch(config)# interface gi0/24
switch(config-if)# switchport trunk encapsulation dot1q
switch(config-if)# switchport mode trunk
switch(config-if)# switchport trunk native vlan 2

switch(config-if)# switchport trunk allowed vlan all
                 ----or----
switch(config-if)# switchport trunk allowed vlan 1,10,20

Here we have an example trunk config. Look at how similar it is to the access port. There are quite a few features, but if you have read this far you will notice some things we spoke about. Under the interface we set the encapsulation to dot1q, the port mode to trunk, and change the native VLAN to 2 (remember to do it at the other end!).

The last two lines are what is known as VLAN pruning. We are specifying which VLANs we would like to traverse our trunks. The first command allows all VLANs across this trunk. The second allows only 1, 10 and 20. You could issue the allowed all command and then remove unwanted VLANs, or add exceptions, with the remove and add keywords.
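As an added example (not from the original notes), this Python model replays a sequence of allowed-VLAN commands and shows why a bare list, all, none and except replace the allowed list while add and remove only edit it; it also parses and regenerates the 1,5,10-12 range notation that show interfaces trunk prints. The command semantics are modelled on IOS behaviour as I understand it and are an assumption, not output from a switch.

```python
import re

ALL_VLANS = frozenset(range(1, 4095))   # "1-4094", as show interfaces trunk prints it

def parse_vlan_list(text):
    """Parse IOS VLAN list notation such as '1,5,10-12,20' into a set of ints."""
    vlans = set()
    for part in text.replace(" ", "").split(","):
        if part:
            lo, _, hi = part.partition("-")
            lo, hi = int(lo), int(hi or lo)
            if not 1 <= lo <= hi <= 4094:
                raise ValueError(f"bad VLAN range: {part}")
            vlans.update(range(lo, hi + 1))
    return vlans

def format_vlan_list(vlans):
    """Collapse a set back into the 'a-b,c' notation seen in show interfaces trunk."""
    vs, out, i = sorted(vlans), [], 0
    while i < len(vs):
        j = i
        while j + 1 < len(vs) and vs[j + 1] == vs[j] + 1:
            j += 1
        out.append(str(vs[i]) if i == j else f"{vs[i]}-{vs[j]}")
        i = j + 1
    return ",".join(out)

CMD = re.compile(r"\s*(?:switchport trunk )?allowed vlan\s+(\S+)(?:\s+(\S+))?\s*$")

def apply_allowed_vlan_commands(commands, allowed=ALL_VLANS):
    """Replay allowed-vlan lines; assumed IOS semantics: list/all/none/except replace, add/remove edit."""
    allowed = set(allowed)                    # a fresh trunk starts with every VLAN allowed
    for cmd in commands:
        m = CMD.match(cmd)
        if not m:
            raise ValueError(f"not an allowed-vlan command: {cmd!r}")
        kw, arg = m.group(1), m.group(2)
        if kw == "all":
            allowed = set(ALL_VLANS)
        elif kw == "none":
            allowed = set()
        elif kw == "add":
            allowed |= parse_vlan_list(arg)
        elif kw == "remove":
            allowed -= parse_vlan_list(arg)
        elif kw == "except":
            allowed = set(ALL_VLANS) - parse_vlan_list(arg)
        else:                                 # bare list: replaces whatever was allowed
            allowed = parse_vlan_list(kw)
    return allowed
```

Note that allowed vlan all followed by allowed vlan add 1,10,20 still leaves every VLAN on the trunk, which is why the second command in the config above uses a bare list.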

Confirm trunk status and information
Verification! The CCNP certification loves this word. You should too.
switch#show int gi1/0/2 trunk

Port        Mode         Encapsulation  Status        Native vlan
Gi1/0/2     on           802.1q         trunk-inbndl  2
                                      (Po1)

Port        Vlans allowed on trunk
Gi1/0/2     1-4094

Port        Vlans allowed and active in management domain
Gi1/0/2     1,5,10-12,20,24-25,30,40,50,60,100-101,140,148-149,172,200

Port        Vlans in spanning tree forwarding state and not pruned
Gi1/0/2     1,5,10-12,20,24-25,30,40,50,60,100-101,140,148-149,172,200

Here is the trunk information and the vlan’s which are allowed onto the trunk. Encapsulation is listed here.
switch#show int gi1/0/2 switchport
Name: Gi1/0/2
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk (member of bundle Po1)
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: Off
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 2 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk private VLANs: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL

Protected: false
Unknown unicast blocked: disabled
Unknown multicast blocked: disabled
Appliance trust: none

Again, like the access port, all the juicy information about the switchport with regard to layer 2 switching is kept here. Notice the trunking encapsulation is set to 802.1q (dot1q) and the administrative mode is set to trunk.
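The two switchport outputs above are worth checking automatically. As an added example (not from the original notes), this Python audit parses show interfaces switchport output and applies the design practices listed earlier (native VLAN and access VLAN not 1, trunks pruned rather than left at ALL), plus a check that trunk negotiation is Off as both outputs show; the sample outputs are constructed from only the lines the audit reads.

```python
def parse_switchport(output):
    """Turn 'show interfaces <if> switchport' output into a dict of field -> value."""
    fields = {}
    for line in output.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip():          # lines like 'Capture Mode Disabled' have no colon
            fields[key.strip()] = value.strip()
    return fields

def vlan_number(value):
    """'10 (Management)' -> 10, 'none' -> None."""
    head = value.split()[0] if value else ""
    return int(head) if head.isdigit() else None

def audit_switchport(output):
    """Check one port against the design rules in these notes; returns a list of findings."""
    f = parse_switchport(output)
    findings = []
    mode = f.get("Operational Mode", "")
    if f.get("Negotiation of Trunking", "").lower() != "off":
        findings.append("trunk negotiation (DTP) is not Off: pin the mode to access or trunk")
    if mode.startswith("trunk"):
        if vlan_number(f.get("Trunking Native Mode VLAN", "")) == 1:
            findings.append("native VLAN is 1: untagged frames land in VLAN 1")
        if f.get("Trunking VLANs Enabled", "").upper() == "ALL":
            findings.append("all VLANs allowed: prune the trunk to the VLANs it needs")
    elif mode.startswith("static access"):
        if vlan_number(f.get("Access Mode VLAN", "")) == 1:
            findings.append("access port in VLAN 1: keep users off the control-protocol VLAN")
    return findings

# Constructed samples modelled on the two outputs above (only the lines the audit reads)
TRUNK_SAMPLE = """\
Name: Gi1/0/2
Operational Mode: trunk (member of bundle Po1)
Negotiation of Trunking: Off
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 2 (default)
Trunking VLANs Enabled: ALL
"""
ACCESS_SAMPLE = """\
Operational Mode: static access
Negotiation of Trunking: Off
Access Mode VLAN: 10 (Management)
Trunking Native Mode VLAN: 1 (default)
"""

if __name__ == "__main__":
    for name, sample in (("Gi1/0/2", TRUNK_SAMPLE), ("Gi1/0/8", ACCESS_SAMPLE)):
        print(name, audit_switchport(sample) or ["clean"])
```

The access sample passes even though its native VLAN is 1, because the native VLAN only matters once a port is trunking.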

Happy Days!
