Here, for my own reference, are my VLAN study notes. A VLAN is a layer 2 broadcast domain, and the technology is ultra powerful.
End to End
VLANs that span the enterprise, geographically dispersed. For example, a Student VLAN that exists at each end of the campus and traverses multiple switches. VTP modes should be set to client or ~shudder~ server.
Local
Significant to the local switch only. Generally confined to a wiring closet. Layer 2 switching is performed at the access layer, with routing performed at the distribution and core layers. Take one switch in a room with 20 users who are all in Marketing: VLAN 20 (Marketing) is better placed as a local VLAN on this switch than on every switch in the enterprise.
VTP mode should be set to transparent so the VLAN stays local.
Saves on unessential traffic through the distribution and core layers!
- Grouping users on a common sub-network, i.e. Staff, Students, Servers, Marketing. Separate VLANs help reduce broadcast traffic.
- Security is a fantastic reason for VLANs. I may not want the students accessing Marketing’s information.
- A Voice VLAN could be given a different QoS policy as opposed to the students.
- If most of the traffic is destined for devices in the same VLAN then there is a reduced load on routing/inter-VLAN routing.
- If you use end-to-end VLANs, note that broadcast traffic will traverse trunks, EVEN if there are no switch-ports assigned to that VLAN on that switch!
- Local VLANs have a smaller failure domain than end-to-end. Imagine a VTP mishap on end-to-end.
- A local VLAN design should have 1-3 VLANs per switch.
- The blackhole VLAN should be anything but VLAN 1.
- Avoid VTP with local VLANs.
- Only permit control protocols on VLAN 1.
- SSH support on management VLANs. Block telnet!
    switch(config)# vlan 10
    switch(config-vlan)# name Management
    switch(config-vlan)# exit
    switch(config)# interface vlan 10
    switch(config-if)# ip address 192.168.10.10 255.255.255.0
    switch(config-if)# no shutdown
The first part of the configuration defines the VLAN in the VLAN database and sets a name to identify it. We then enter the switched virtual interface (SVI) for the VLAN and assign a management IP address. Finally, no shutdown brings up the VLAN 10 interface.
    switch(config)# interface gi0/1
    switch(config-if)# switchport mode access
    switch(config-if)# switchport access vlan 10
We select the interface we want to associate with the VLAN, change the mode to access for an end-user device, and set the switchport to reside in VLAN 10.
Detailed port information can come from issuing the following commands. The output is invaluable in my opinion. What situation do you feel will yield the most value?
    switch#show int gi1/0/8 switchport
    Name: Gi1/0/8
    Switchport: Enabled
    Administrative Mode: static access
    Operational Mode: static access
    Administrative Trunking Encapsulation: negotiate
    Operational Trunking Encapsulation: native
    Negotiation of Trunking: Off
    Access Mode VLAN: 10 (Management)
    Trunking Native Mode VLAN: 1 (default)
    Administrative Native VLAN tagging: enabled
    Voice VLAN: none
    Administrative private-vlan host-association: none
    Administrative private-vlan mapping: none
    Administrative private-vlan trunk native VLAN: none
    Administrative private-vlan trunk Native VLAN tagging: enabled
    Administrative private-vlan trunk encapsulation: dot1q
    Administrative private-vlan trunk normal VLANs: none
    Administrative private-vlan trunk private VLANs: none
    Operational private-vlan: none
    Trunking VLANs Enabled: ALL
    Pruning VLANs Enabled: 2-1001
    Capture Mode Disabled
    Capture VLANs Allowed: ALL
    Protected: false
    Unknown unicast blocked: disabled
    Unknown multicast blocked: disabled
    Appliance trust: none
This verification confirms which VLAN the switchport is in and includes information such as the native VLAN and port settings. Fantastic command.
Trunks and Trunking
What is a trunk?
Trunks carry multiple VLANs across a single physical link by using a trunking encapsulation protocol. When a frame from a VLAN needs to traverse a trunk link, the encapsulation protocol tags the frame with its VLAN ID (VID). The destination switch strips the tag and forwards the frame out the access port!
The two encapsulation protocols are ISL and 802.1q. ISL is Cisco proprietary and 802.1q is the IEEE standard. ISL is almost obsolete. The important thing to know about it is how it encapsulates the normal Ethernet frame: ISL adds a 26 byte header and a 4 byte Frame Check Sequence, even though a standard Ethernet frame already has an FCS field.
802.1q is widely supported. I use it. You use it. I think my cat might. 802.1q has a smaller frame overhead and therefore is more efficient. 4 bytes vs 30 bytes per frame. That can add up fast. There is also support for 802.1p fields for QoS. Handy in this day and age.
802.1q Frame Deep Dive
- Dest: Destination Mac (6 bytes)
- Src: Source Mac (6 bytes)
- Tag: 802.1q Shivs this in (4 bytes)
- TPID (Ethertype): set to 0x8100, which signals that a tag follows
- PRI: 3-bit 802.1p QoS priority field
- CFI: 0 = Ethernet, 1 = Token Ring
- VLAN ID: 12-bit VLAN field, giving 4096 - 2 usable VLANs. A VID of 0 indicates a priority-tagged frame; 4095 (0xFFF) is reserved.
- Len/Etype: Specifies length or type (2 bytes)
- Data: Contents
- FCS: Frame Check Sequence (4 bytes)
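As an added illustration of the tag layout above (example code written for these notes, not taken from any vendor or from the original post), the Python below builds Ethernet frames with and without a 4-byte 802.1q tag and parses them back, splitting the TCI into PRI, CFI and VID and flagging the two special VIDs. The sample frames, MAC addresses and payload bytes are constructed for the example; the FCS is omitted since the NIC appends it.

```python
import struct

TPID_8021Q = 0x8100          # TPID value that announces an 802.1Q tag
VID_PRIORITY_TAGGED = 0      # VID 0: frame carries only a priority, no VLAN
VID_RESERVED = 0xFFF         # VID 4095: reserved by the standard


def build_frame(dst, src, ethertype, payload, vid=None, pcp=0, cfi=0):
    """Build an Ethernet frame; insert a 4-byte 802.1Q tag when vid is given.
    The FCS is not included (the NIC generates it, not software here)."""
    header = dst + src
    if vid is not None:
        tci = (pcp & 0x7) << 13 | (cfi & 0x1) << 12 | (vid & 0xFFF)
        header += struct.pack("!HH", TPID_8021Q, tci)
    return header + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Decode an Ethernet frame, pulling apart the 802.1Q tag if one is present.
    Returns a dict; raises ValueError on truncated input."""
    if len(frame) < 14:
        raise ValueError("frame shorter than a minimal Ethernet header")
    info = {
        "dst": frame[0:6].hex(":"),
        "src": frame[6:12].hex(":"),
        "tagged": False, "pcp": None, "cfi": None, "vid": None,
        "vid_meaning": "untagged",
    }
    offset = 12
    (first_type,) = struct.unpack("!H", frame[12:14])
    if first_type == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("tagged frame truncated before the inner Ethertype")
        (tci,) = struct.unpack("!H", frame[14:16])
        # TCI layout: 3 bits PRI, 1 bit CFI, 12 bits VID
        info.update(tagged=True, pcp=tci >> 13, cfi=(tci >> 12) & 0x1, vid=tci & 0xFFF)
        if info["vid"] == VID_PRIORITY_TAGGED:
            info["vid_meaning"] = "priority-tagged (no VLAN)"
        elif info["vid"] == VID_RESERVED:
            info["vid_meaning"] = "reserved"
        else:
            info["vid_meaning"] = "vlan"
        offset = 16
    (info["ethertype"],) = struct.unpack("!H", frame[offset:offset + 2])
    info["payload"] = frame[offset + 2:]
    return info


# Constructed sample: broadcast ARP request tagged for VLAN 10 with PRI 5.
SAMPLE_TAGGED = build_frame(
    dst=b"\xff" * 6, src=bytes.fromhex("001122334455"),
    ethertype=0x0806, payload=b"\x00\x01\x08\x00\x06\x04\x00\x01",
    vid=10, pcp=5,
)
# Constructed sample: the same ARP Ethertype with no tag at all.
SAMPLE_UNTAGGED = build_frame(b"\xff" * 6, bytes.fromhex("001122334455"), 0x0806, b"\x00\x01")

if __name__ == "__main__":
    for f in (SAMPLE_TAGGED, SAMPLE_UNTAGGED):
        print(parse_frame(f))
```

Feeding it a frame cut short inside the tag raises rather than returning a half-decoded result, which is the behaviour you want from anything that sits in front of a VLAN policy decision.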
    switch(config)# interface gi0/24
    switch(config-if)# switchport trunk encapsulation dot1q
    switch(config-if)# switchport mode trunk
    switch(config-if)# switchport trunk native vlan 2
    switch(config-if)# switchport trunk allowed vlan all
    ----or----
    switch(config-if)# switchport trunk allowed vlan 1,10,20
Here we have an example trunk config. Look at how similar it is to the access port. There are quite a few features, but if you have read this far you will notice some things we spoke about. Under the interface we set the encapsulation to dot1q, the port mode to trunk, and change the native VLAN to 2 (remember to do it at the other end!).
The last two lines are what is known as manual VLAN pruning (restricting the allowed list, as distinct from VTP pruning). We are specifying which VLANs we would like to traverse our trunks. The first command allows all VLANs across this trunk. The second command allows only 1, 10 and 20. You could issue the allowed all command and then remove unwanted VLANs or add exceptions.
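To make the allowed-list behaviour concrete, here is an added Python model (mine, not Cisco code and not from the original post) of how the argument forms of switchport trunk allowed vlan (all, none, a list, add, remove, except) change the allowed set, starting from the default of all VLANs. The IOS list syntax it parses ("1,5,10-12") is the same one the show output uses; the command sequences replayed at the bottom are constructed for the example.

```python
VLAN_MIN, VLAN_MAX = 1, 4094   # 0 and 4095 are not configurable (see the tag deep dive)


def expand_vlan_list(spec):
    """Turn IOS VLAN-list syntax ('1,5,10-12') into a set of ints.
    'all' and 'none' are accepted as well, as the CLI does."""
    spec = spec.strip().lower()
    if spec == "all":
        return set(range(VLAN_MIN, VLAN_MAX + 1))
    if spec in ("none", ""):
        return set()
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        lo = int(lo)
        hi = int(hi) if hi else lo
        if not (VLAN_MIN <= lo <= hi <= VLAN_MAX):
            raise ValueError(f"bad VLAN range: {part!r}")
        vlans.update(range(lo, hi + 1))
    return vlans


def format_vlan_list(vlans):
    """Inverse of expand_vlan_list: collapse to 'a,b-c' as 'show int trunk' prints it."""
    nums = sorted(vlans)
    chunks, i = [], 0
    while i < len(nums):
        j = i
        while j + 1 < len(nums) and nums[j + 1] == nums[j] + 1:
            j += 1
        chunks.append(str(nums[i]) if i == j else f"{nums[i]}-{nums[j]}")
        i = j + 1
    return ",".join(chunks)


def apply_allowed_vlan(current, argument):
    """Apply the argument of one 'switchport trunk allowed vlan ...' command
    to the current allowed set and return the new set.
    Forms: all | none | <list> | add <list> | remove <list> | except <list>."""
    verb, _, rest = argument.strip().partition(" ")
    verb = verb.lower()
    if verb == "add":
        return current | expand_vlan_list(rest)
    if verb == "remove":
        return current - expand_vlan_list(rest)
    if verb == "except":
        return expand_vlan_list("all") - expand_vlan_list(rest)
    return expand_vlan_list(argument)       # all, none, or a plain list replaces the set


def walk_commands(commands):
    """Replay a sequence of allowed-vlan arguments from the default (all)."""
    allowed = expand_vlan_list("all")
    for arg in commands:
        allowed = apply_allowed_vlan(allowed, arg)
    return allowed


if __name__ == "__main__":
    # Constructed walk-through of the command forms discussed above.
    for args in (["all"], ["1,10,20"], ["1,10,20", "add 30"], ["all", "remove 1"], ["except 1"]):
        print(args, "->", format_vlan_list(walk_commands(args)))
```

The replay makes one trap visible: "add" on a trunk that still allows everything changes nothing, so a list you intend to be restrictive has to be issued as a plain list (or as "except"), which is why the config above does not use "add" for the 1,10,20 case.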
Confirm trunk status and information
    switch#show int gi1/0/2 trunk

    Port        Mode         Encapsulation  Status        Native vlan
    Gi1/0/2     on           802.1q         trunk-inbndl  2 (Po1)

    Port        Vlans allowed on trunk
    Gi1/0/2     1-4094

    Port        Vlans allowed and active in management domain
    Gi1/0/2     1,5,10-12,20,24-25,30,40,50,60,100-101,140,148-149,172,200

    Port        Vlans in spanning tree forwarding state and not pruned
    Gi1/0/2     1,5,10-12,20,24-25,30,40,50,60,100-101,140,148-149,172,200
Here is the trunk information and the VLANs which are allowed onto the trunk. The encapsulation is listed here too.
    switch#show int gi1/0/2 switchport
    Name: Gi1/0/2
    Switchport: Enabled
    Administrative Mode: trunk
    Operational Mode: trunk (member of bundle Po1)
    Administrative Trunking Encapsulation: dot1q
    Operational Trunking Encapsulation: dot1q
    Negotiation of Trunking: Off
    Access Mode VLAN: 1 (default)
    Trunking Native Mode VLAN: 2 (default)
    Administrative Native VLAN tagging: enabled
    Voice VLAN: none
    Administrative private-vlan host-association: none
    Administrative private-vlan mapping: none
    Administrative private-vlan trunk native VLAN: none
    Administrative private-vlan trunk Native VLAN tagging: enabled
    Administrative private-vlan trunk encapsulation: dot1q
    Administrative private-vlan trunk normal VLANs: none
    Administrative private-vlan trunk private VLANs: none
    Operational private-vlan: none
    Trunking VLANs Enabled: ALL
    Pruning VLANs Enabled: 2-1001
    Capture Mode Disabled
    Capture VLANs Allowed: ALL
    Protected: false
    Unknown unicast blocked: disabled
    Unknown multicast blocked: disabled
    Appliance trust: none
Again, like the access port, all the juicy information about the switchport in regards to layer 2 switching is kept here. Notice the trunking encapsulation is set to dot1q (802.1q) and the administrative mode is set to trunk.
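Since both switchport outputs above (the access port and the trunk) are well suited to scripted checks, here is an added Python example (not from these notes and not Cisco code) that parses show interfaces switchport text into fields and audits it against the points made in these notes: DTP negotiation off, an administrative mode pinned to access or trunk rather than dynamic, trunk native VLAN not 1, access ports not left in VLAN 1, and trunks not allowing every VLAN. The three sample outputs are constructed and abridged; the switchport nonegotiate command it mentions is a real IOS command that does not appear in these notes.

```python
import re


def parse_switchport(output):
    """Turn 'show interfaces <if> switchport' text into a {field: value} dict.
    Lines are 'Field: value'; the few flag lines without a colon are skipped."""
    fields = {}
    for line in output.splitlines():
        key, sep, value = line.strip().partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def vlan_id(value):
    """'10 (Management)' -> 10, 'none' -> None."""
    m = re.match(r"\d+", value or "")
    return int(m.group()) if m else None


def audit_switchport(fields):
    """Return a list of findings against the hardening points from the notes."""
    findings = []
    name = fields.get("Name", "?")
    admin = fields.get("Administrative Mode", "").lower()
    oper = fields.get("Operational Mode", "").lower()
    if fields.get("Negotiation of Trunking", "").lower() != "off":
        findings.append(f"{name}: DTP negotiation is on (consider 'switchport nonegotiate')")
    if admin.startswith("dynamic"):
        findings.append(f"{name}: administrative mode '{admin}' lets DTP decide; pin it to access or trunk")
    if "trunk" in oper:
        if vlan_id(fields.get("Trunking Native Mode VLAN")) == 1:
            findings.append(f"{name}: trunk native VLAN is 1; move it to an otherwise unused VLAN")
        if fields.get("Trunking VLANs Enabled", "").upper() == "ALL":
            findings.append(f"{name}: every VLAN is allowed on the trunk; prune with 'switchport trunk allowed vlan'")
    elif "access" in oper:
        if vlan_id(fields.get("Access Mode VLAN")) == 1:
            findings.append(f"{name}: access port sits in VLAN 1")
    return findings


# Constructed, abridged outputs: the first two mirror the ports shown in these notes.
ACCESS_PORT = """\
Name: Gi1/0/8
Switchport: Enabled
Administrative Mode: static access
Operational Mode: static access
Negotiation of Trunking: Off
Access Mode VLAN: 10 (Management)
Trunking Native Mode VLAN: 1 (default)
Trunking VLANs Enabled: ALL
Capture Mode Disabled
"""

TRUNK_PORT = """\
Name: Gi1/0/2
Administrative Mode: trunk
Operational Mode: trunk (member of bundle Po1)
Administrative Trunking Encapsulation: dot1q
Negotiation of Trunking: Off
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 2 (default)
Trunking VLANs Enabled: ALL
"""

# Constructed example of a port left at defaults that has negotiated itself into a trunk.
WEAK_PORT = """\
Name: Gi1/0/9
Administrative Mode: dynamic auto
Operational Mode: trunk
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Trunking VLANs Enabled: ALL
"""

if __name__ == "__main__":
    for sample in (ACCESS_PORT, TRUNK_PORT, WEAK_PORT):
        for finding in audit_switchport(parse_switchport(sample)) or ["clean"]:
            print(finding)
```

The audit keys the trunk and access checks on the operational mode, so a port that was never configured as a trunk but negotiated into one still gets the native VLAN and allowed-list checks; the administrative mode is reported separately as the root cause.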