cis187 switch 2 vlans part2

8/12/2019 Cis187 Switch 2 Vlans Part2

1/129

VLANs, Trunking, VTP, Port Aggregation

Part 2

CIS 187 Multilayer Switched Networks

CCNP SWITCH

Rick GrazianiSpring 2011


2/129

2

Storing VLAN information

Storage of VLAN information is model dependent.

Cisco: The memory location name where the vlan.dat file is stored varies

from device to device. Refer to the respective product documentation

before you issue the copy command.

VLAN information for 29xx and 35xx switches is automatically stored in

vlan.dat file in flash.

VTP information: Domain Name, Configuration Revision Number

VLAN information (configured or via VTP): VLAN Number, VLAN Name

DLS1(config)# vtp domain West

DLS1(config)# vlan 10DLS1(config-vlan)# name WestSales

DLS1(config-vlan)# vlan 11

DLS1(config-vlan)# name WestEng

vlan.dat


3/129

3

Storing VLAN information

Interface commands are stored in running-config and will need to

be saved to startup-config in NVRAM

DLS1(config)# inter fa 0/1

DLS1(config-if)#switchport mode accessDLS1(config-if)# switchport access vlan 10

DLS1(config-if)# copy running-config startup-config

vlan.dat

running-

config

startup-

config


4/129

4

Storing VLAN information - No longer recommended

DLS1# vlan database

% Warning: It is recommended to configure VLAN from config mode,as VLAN database mode is being deprecated. Please consult user

documentation for configuring VTP/VLAN in config mode.

DLS1(vlan)# exit

APPLY completed.

Exiting....

DLS1#

Note: The vlan databasecommand is no longer recommended by

Cisco.

One less thing we need to remember!


5/129

VLAN TrunkingProtocol


6/129

VLAN Trunking Protocol (VTP)

Cisco-proprietary protocol

Automates the propagation of VLAN information between switches via

trunk links. Minimizes misconfigurations and configuration inconsistencies.

VTP domainsdefine sets of interconnected switches sharing the same

VTP configuration.


7/129

VTP ModesMode Description

Client Cannot create, change, or delete VLANs on command-line interface(CLI).

Forwards advertisements to other switches.

Synchronizes VLAN configuration with latest information received from

other switches in the management domain.

Does not save VLAN configuration in nonvolatile RAM (NVRAM).

Server Can create, modify, and delete VLANs.

Sends and forwards advertisements to other switches.

Synchronizes VLAN configuration with latest information received from

other switches in the management domain.

Saves VLAN configuration in NVRAM.

Transparent Can create, modify, and delete VLANs only on the local switch.

Forwards VTP advertisements received from other switches in the same

management domain.

Does not synchronize its VLAN configuration with information received

from other switches in the management domain.

Saves VLAN configuration in NVRAM.


8/129

VTP Versions

ThreeVTP versions: V1, V2, V3.

Versions are not interoperable

V2 supports token ring VLANs but V1 does not


9/129

9

VTP version 3

Not part of CCNP SWITCH

Only available on CatOS no IOS

With 12.2(33)SXI VTP version 3 will be supported by IOS, closingthe feature gap in this area compared to CAT OS. VTP version 3 will

be available within all IOS feature sets.

Features:

Supports ISL VLAN range from 1 to 1001,

Supports 802.1Q VLAN range up to 4095. Can transfer information regarding Private VLAN (PVLAN)

structures.

http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps708/

solution_guide_c78_508010.html
http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps708/solution_guide_c78_508010.htmlhttp://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps708/solution_guide_c78_508010.htmlhttp://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps708/solution_guide_c78_508010.htmlhttp://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps708/solution_guide_c78_508010.html


10/129

VTP Messages


11/129

VTP Message Types

Summary Advertisements Subset Advertisements

Advertisement Requests


12/129

VTP Summary Advertisements

By default, Catalyst switches issue summary advertisements in 5-minuteincrements.

Informs adjacent switches of:

VTP domain name

Configuration revision number

When the switch receives a summary advertisement packet, the switchcompares the VTP domain name to its own VTP domain name.

If the name is different, the switch ignores the packet.

If the name is the same, the switch then compares the configurationrevision to its own revision.

If its own configuration revision is higher or equal, the packet is ignored.

If it is lower, an advertisement request is sent.


13/129

VTP Subset Advertisements

When you add, delete, or change a VLAN:

The VTP server where the changes are made increments the configuration

revision and issues a summary advertisement.

One or more subset advertisements follow the summary advertisement.

Contains a list of VLAN information.


14/129

VTP Advertisement Requests

A switch issues a VTP advertisement request in these situations: The switch has been reset.

The VTP domain name has been changed.

The switch has received a VTP summary advertisement with a

higher configuration revision than its own.

Upon receipt of an advertisement request, a VTP device sends a

summary advertisement.

One or more subset advertisements follow the summary

advertisement.

NOTE Wh dd d l t


15/129

15

VTP Messages

VTP Summary advertisements

By default, sent every five-minutes.

Inform adjacent switches of the current VTP domain nameand the configurationrevision number.

Receiving switch compares the VTP domain nameto its own VTP domain name.

If the name is different, the switch simply ignores the packet.

Same or Different?

If the name is the same, the switch then compares the configuration revisiontoits own revision.

If its own configuration revision is higher or equal, the packet is ignored.

Own Config Rev higher or equal than senders?

Otherwise, it is lower and a VTPAdvertisement Requestis sent.

VTP Domain = Cisco

VTP Mode = Server

Config Rev = 0VLANs = 1

VTP Domain = Cisco

VTP Mode = Server

Config Rev = 2VLANs = 1, 2, 3

Same

No, it is lower

NOTE: Whenever you add, delete, orchange (name) a VLAN on a VTP server,it increments the configuration revisionnumber and a summary advertisement issent.

Summary

Subset


16/129

16

VTP Messages

VTP Subset advertisements

Sent in response to a VTP Advertisement Request

Also, sent whenever there is a change to VLAN information on a VTPserver.

First the server sends a VTP Summary Advertisement

Then the server sends a VTP Subset Advertisement

One or several subset advertisements follow the summaryadvertisement.

A subset advertisement contains a list of VLAN information.

VTP Domain = Cisco

VTP Mode = Server


VTP Domain = Cisco

VTP Mode = Server


22, 3

Summary

Subset

22, 3


17/129

17

VTP Domain = null

VTP Mode = Server

Config Rev = 0

VLANs = 1

VTP Domain = null

VTP Mode = Server

Config Rev = 0

VLANs = 1

VTP Domain = null

VTP Mode = Server

Config Rev = 0

VLANs = 1

No Trunks

Configured Lets take a look at VTPMessages and Server, Client and

Transparent Switches.

By default all switches are VTP

Servers.


18/129

18

VTP Domain = null

VTP Mode = Server

Config Rev = 0

VLANs = 1

VTP Domain = null

VTP Mode = Transparent

Config Rev = 0

VLANs = 1

VTP Domain = null

VTP Mode = Client

Config Rev = 0

VLANs = 1

Switch B is now a Client Switch C is now Transparent

VLAN servers maintain a list of all

VLANs in NVRAM.

Client cannot add, delete or

rename VLANs.

Client does not store VLAN

information in NVRAM.

If a client reboots it loses VLAN

information and relying on a VTP

server to restore the information.


19/129

19

VTP Domain = null

VTP Mode = Server

Config Rev = 0

VLANs = 1

VTP Domain = null


Config Rev = 0

VLANs = 1

VTP Domain = null

VTP Mode = Client

Config Rev = 0

VLANs = 1

Transparent mode switches musthave their VLANs configured

manually.

Does not participate in VTP or

advertise their VLANs.

Ideal for switches with VLANswhich should be local to that

switch.


20/129

20

VTP Domain = null

VTP Mode = Server

Config Rev = 0

VLANs = 1

VTP Domain = null


Config Rev = 0

VLANs = 1

VTP Domain = null

VTP Mode = Client

Config Rev = 0

VLANs = 1

VTP server: Domain Name configured as

Cisco

VLANs 2 and 3 added

Config Rev increased to 2

(one for each VLAN added)

Cisco

2, 3

2


21/129

21

VTP Domain = null


Config Rev = 0

VLANs = 1

VTP Domain = null

VTP Mode = Client

Config Rev = 0

VLANs = 1

VTP works only over trunk links.

Switch A (Server) sends summary

advertisementover trunk links on VLAN 1

Includes Domain and Revision Number

Multicast 01-00-0C-CC-CC-CC

Switch B updates its Domain

Because of the higher revision number in

the Summary, B replies with Advertisement

Request Switch A sends a VTP Subset advertisement

Switch B updates its VLAN configuration

revision number and VLANs. (May be

preceeded by another Summary

advertisement.)

VTP Domain = Cisco

VTP Mode = Server

Config Rev = 2

VLANs = 1, 2, 3

Cisco

1,2, 32


22/129

22

VTP Domain = null


Config Rev = 0

VLANs = 1

VTP Domain = Cisco

VTP Mode = Client

Config Rev = 2

VLANs = 1, 2, 3

VTP advertisements sent to Transparent switch.

(Shown together)

Switch C does not make any changes based on

these advertisements.

Now, lets say Switch C is configured with:

Domain name Cisco

VLANs 2, 3, 4, 5, 6

Even though in same domain, Switch C does

not advertise these VLANs to other switches. The Configuration Revision number remains at

0 even when VLAN configuration is changed.

Transparent switches will relay VTP messages

it receives to other switches if it is in the same

domain or in a null domain (let take a look).

VTP Domain = Cisco

VTP Mode = Server

Config Rev = 2

VLANs = 1, 2, 3

Cisco

1,2, 3, 4, 5, 6


23/129


24/129

Understanding and

Troubleshooting Common VTP

Issues


25/129

25

VTP Domain = West

VTP Mode = Server

Config Rev = 3

VLANs = 1, 20, 21, 22

VTP Domain = WestVTP Mode = Server

Config Rev = 3

VLANs = 1, 10, 11, 12

Both switches are VTP Servers and in the same Domain, but different VLAN

information. Lets see what happens when trunking is enabled between the

switches

We both have the same

Config Rev number so no

changes

We both have the same

Config Rev number so no

changes

, 30

When two switches with same Domain Name and same Configuration

Revision Numbers exchange VTP information:

No change

If Switch A adds a new VLAN, VLAN 30, Config Rev is increased by 1.

Switch A will send VTP information to Switch B who will synchronize itsVLAN information with Switch A, losing current local VLANs

4 4

10, 11, 12, 30


26/129

26

Example: Using DLS1 (Switch A) and DLS2 (Switch B)

DLS1(config)# inter range fa 0/1 - 24

DLS1(config-if-range)# switchport mode dynamic auto


DLS2(config-if-range)# switchport mode dynamic auto

DLS1# show inter trunk

DLS1#

Note: Because Pod2 2690s and 3560s are incorrectly defaulting to dynamic

desirable they will trunk by default, which we do not want in this example.

This was also done on ALS1 and ALS2 to prevent any trunking.


27/129

27

When DLS1 gets a higher Config Rev Number

DLS1# show vlan

VLAN Name Status Ports

---- -------------------------------- --------- -------------------------------

1 default active Fa0/1, Fa0/2, Fa0/3, Fa0/4

Fa0/5, Fa0/6, Fa0/9, Fa0/13

Fa0/14, Fa0/15, Fa0/16, Fa0/17

Fa0/18, Fa0/19, Fa0/20, Fa0/21Fa0/22, Fa0/23, Fa0/24, Gi0/1

Gi0/2

1002 fddi-default active

1003 token-ring-default active

1004 fddinet-default active

1005 trnet-default active

Default VLANs


28/129

28


DLS1#show vtp status

VTP Version : 2

Configuration Revision : 0

Maximum VLANs supported locally : 1005

Number of existing VLANs : 5

VTP Operating Mode : Server

VTP Domain Name :

VTP Pruning Mode : DisabledVTP V2 Mode : Disabled

VTP Traps Generation : Disabled

MD5 digest : 0x57 0xCD 0x40 0x65 0x63 0x59 0x47 0xBD

Configuration last modified by 0.0.0.0 at 0-0-00 00:00:00

Local updater ID is 0.0.0.0 (no valid interface found)

DLS1#

Default VTP information:

Configuration Revision Number = 0

Increased by 1 whenever VLAN is added or deleted

VTP Mode = Server

VTP Domain Name = (null)


29/129

29

When DLS1 gets a higher Config Rev NumberDLS2# show vlan

VLAN Name Status Ports---- -------------------------------- --------- -------------------------------


Gi0/1, Gi0/2

1002 fddi-default active

1003 token-ring-default active1004 fddinet-default active

1005 trnet-default active

DLS2# show vtp status

VTP Version : 2





VTP Domain Name :

Same on DLS2.


30/129

30



DLS1(config)# vlan 10DLS1(config-vlan)# name WestSales


DLS1(config-vlan)# name WestEng


DLS1(config-vlan)# name WestAdmin

DLS1# show vtp statusVTP Version : 2





VTP Domain Name : West

Add VTP Domain Name and configure VLANs

Configuration Revision changed to 3 (one for each VLAN)

Remember, no trunking (yet)


31/129

31


DLS1# show vlan


---- -------------------------------- --------- -------------------------------


Gi0/1, Gi0/2

10 WestSales active11 WestEng active

12 WestAdmin active

Verified.


32/129

32



DLS2(config)# vlan 20DLS2(config-vlan)# name WestAcct


DLS2(config-vlan)#WestMngt

DLS2(config-vlan)# name WestMngt


DLS2(config-vlan)# name WestManuf







Now on DLS2: Add VTP Domain Name and configure different VLANs

Configuration Revision changed to 3

Still no trunking


33/129

33


DLS2# show vlan


---- -------------------------------- --------- -------------------------------


Gi0/1, Gi0/2

20 WestAcct active

21 WestMngt active

22 WestManuf active

Verified.


34/129

34



DLS1(config-if-range)# switchport trunk encap dot1q

DLS1(config-if-range)# switchport mode trunk

DLS1# show inter trunk

Port Mode Encapsulation Status Native vlan

Fa0/11 on 802.1q trunking 1Fa0/12 on 802.1q trunking 1

Trunking configured between DLS1 and DLS2.

VTP messages can now be sent but no changes because

Configuration Revision numbers are the same.


35/129

35



VTP Version : 2







VTP Version : 2






Configuration Revision still 3

Number of existing VLANs (known by each switch) still 8


36/129

36

When DLS1 gets a higher Config Rev NumberDLS1# show vlan


---- -------------------------------- --------- -------------------------------


Fa0/23, Fa0/24, Gi0/1, Gi0/2

10 WestSales active

11 WestEng active

12 WestAdmin active

DLS2# show vlan


---- -------------------------------- --------- -------------------------------


Fa0/23, Fa0/24, Gi0/1, Gi0/2

20 WestAcct active

21 WestMngt active

22 WestManuf active

Verify that there are no DLS2 VLANs on DLS1.

Verify that there are no DLS1 VLANs on DLS2.


37/129

37


DLS1(config)# vlan 30

DLS1(config-vlan)# name Guest


VTP Version : 2



Number of existing VLANs : 9VTP Operating Mode : Server


VLAN 30 added on DLS1.

Configuration Revision increased by 1 to 4.

DLS1 now has the higher Configuration Revision number between thetwo servers the hi hest in the Domain .


38/129

38


DLS1# show vlan


---- -------------------------------- --------- -------------------------------


Fa0/23, Fa0/24, Gi0/1, Gi0/2

10 WestSales active

11 WestEng active

12 WestAdmin active

30 Guest active

Verified.


39/129

39



VTP Version : 2Configuration Revision : 4





DLS2 receives VTP update from DLS1 with higher Configuration

Revision Number.

DLS2 synchronizes its VLAN database with DLS1s informationincluding Configuration Revision Number and VLAN information.


40/129

40


DLS2# show vlan

VLAN Name Status Ports---- -------------------------------- --------- -------------------------------


Fa0/23, Fa0/24, Gi0/1, Gi0/2

20 WestAcct active

21 WestMngt active

22 WestManuf active

DLS2# show vlan


---- -------------------------------- --------- -------------------------------


Fa0/23, Fa0/24, Gi0/1, Gi0/2


12 WestAdmin active

30 Guest active

DLS2 lost previous VLANs 20, 21, and 22.

DLS2s VLAN database overwritten with DLS1s information.

Good news: Both Servers both in sync (identical) so any changes will mean the VLAN

Previous VLANS

Current VLANS

syncd with DLS1


41/129

41


DLS2(config)# vlan 20

DLS2(config-vlan)# name WestAcctDLS2(config-vlan)# vlan 21

DLS2(config-vlan)# name WestMngt


DLS2(config-vlan)# name WestManuf







To correct this we need to add the VLANs back to DLS2.

DLS2 will send VTP update to DLS1 so VLAN information will be the

same.


42/129

42


DLS2# show vlan


---- -------------------------------- --------- -------------------------------


Fa0/23, Fa0/24, Gi0/1, Gi0/2


12 WestAdmin active

20 WestAcct active

21 WestMngt active

22 WestManuf active

30 Guest active

Verified.


43/129

43

When DLS1 gets a higher Config Rev NumberDLS1# show vtp status

VTP Version : 2

Configuration Revision : 7Maximum VLANs supported locally : 1005




DLS1# show vlan


---- -------------------------------- --------- -------------------------------


Fa0/23, Fa0/24, Gi0/1, Gi0/2

10 WestSales active

11 WestEng active

12 WestAdmin active

20 WestAcct active

21 WestMngt active

22 WestManuf active

30 Guest active

DLS1 receives VTP update

and updates VLAN

information including

Configuration Revision

number.

Domain is still in sync.


44/129

44

What happens when Client/Server enters with

higher Configuration Revision number?

Both switches are in the same domain.

Switch C can be Client OR Server

Switch C has Higher Configuration Revision number

Even if Switch C is a Clientwhen enters VTP domain it will overwrite

DLS1s VLAN information because it has higher Configuration Revision

number.

VTP Domain = West

VTP Mode = Client(or Server)

Config Rev = 13

VLANs = 1, 20, 21, 22, 30

VTP Domain = West

VTP Mode = Server

Config Rev = 10

VLANs = 1, 10, 11, 12, 20, 21, 22, 30

13


45/129

45

Client/Server enters with Higher Revision


DLS1(config-if)# switchport mode access

DLS1(config-if)# switchport access vlan 10DLS1(config-if)# exit


DLS1(config-if)# switchport mode access

DLS1(config-if)# switchport access vlan 11

DLS1# show vlan


---- -------------------------------- --------- -------------------------------


Gi0/1, Gi0/2

10 WestSales active Fa0/1

11 WestEng active Fa0/2

12 WestAdmin active

20 WestAcct active

21 WestMngt active

22 WestManuf active

30 Guest active

Assign VLANs to interfaces. (no specific reason)


46/129

46

DLS1(config)# inter range fa 0/11 -12

DLS1(config-if-range)# shutdown

Shutdown interface so we can modify DLS2 (Switch B)

We will adding the trunk back to simulate a switch being entered intothe network.



47/129

47



VTP Version : 2






DLS2#show vtp status

VTP Version : 2




VTP Operating Mode : ServerVTP Domain Name : West

Right now both switches have same Configuration Revision number,

lets change that.

Note: Configuration Revision numbers not necessarily the same asrevious exam le due to this was done in a different session.


48/129

48


DLS2#show vlan


---- -------------------------------- --------- -------------------------------


Gi0/1, Gi0/2


12 WestAdmin active

20 WestAcct active

21 WestMngt active

22 WestManuf active

30 Guest active

We are going to remove these three VLANs on DLS2 so it has different

VLANs and a higher Configuration Revision Number.

Remember, DLS1 has same VLAN information and also has:

Fa0/1 in VLAN 10

Fa0/2 in VLAN 11


49/129

49


DLS2(config)# no vlan 10



DLS2(config)# vtp mode client

Setting device to VTP CLIENT mode.





VTP Operating Mode : Client


Three VLANs deleted.

Change VTP mode to Client

Configuration Revision updated from 10 to 13


50/129

50


DLS2# show vlan


---- -------------------------------- --------- -------------------------------


Gi0/1, Gi0/2

20 WestAcct active

21 WestMngt active22 WestManuf active

30 Guest active

Verify VLANs 10, 11, and 12 were deleted.


51/129

51



VTP Version : 2




VTP Operating Mode : ServerVTP Domain Name : West

DLS1 has a lower Configuration Revision number 10.

DLS2s Configuration Revision number is 13.


52/129

52

DLS1(config)# inter range fa 0/11 -12

DLS1(config-if-range)# no shutdown


VTP Version : 2












DLS2 (Switch B) is

brought online (no

shutdown on DLS1).

DLS2 (Client) has

higher Configuration

Revision number 13.

DLS1 (Switch A)

with lower revision

number (10) updates

its VLAN information

to be in sync with

DLS2 including its

Configuration

Revision number to

13.


53/129

53

VTP Revision NumberDLS1# show vlan


---- -------------------------------- --------- -------------------------------


Gi0/1, Gi0/2



12 WestAdmin active

20 WestAcct active

21 WestMngt active22 WestManuf active

30 Guest active

DLS1# show vlan


---- -------------------------------- --------- -------------------------------


Gi0/1, Gi0/2

20 WestAcct active

21 WestMngt active

22 WestManuf active

30 Guest active

Missing VLANs 10, 11, and 12.

Previous VLANS

Current VLANS

syncd with DLS2


54/129

54

Fix itDLS1(config)# vlan 10

DLS1(config-vlan)# name WestSales

DLS1(config-vlan)# vlan 11DLS1(config-vlan)# name WestEng


DLS1(config-vlan)# name WestAdmin

DLS1# show vlan


---- -------------------------------- --------- -------------------------------


Gi0/1, Gi0/2



12 WestAdmin active

20 WestAcct active

21 WestMngt active

22 WestManuf active

30 Guest active

To fix it must reconfigure VLANs on DLS1.

Interfaces Fa0/1 and Fa0/2 brought from inactive to active


55/129

55

DLS2# show vlan


---- -------------------------------- --------- -------------------------------


Fa0/23, Fa0/24, Gi0/1, Gi0/2

10 WestSales active

11 WestEng active

12 WestAdmin active

20 WestAcct active

21 WestMngt active

22 WestManuf active

30 Guest active


VTP VLAN configuration not allowed when device is in CLIENT mode.

DLS2(config)#

DLS2 gets VLANS 10, 11, 12 in VTP update from DLS1.

DLS2 is a Client and can no longer delete (or add) VLANs.

VTP Domain = West

VTP Mode = Client (or Server)

VTP Domain = West

VTP Mode = Server


56/129

56


VTP Version : 2


Maximum VLANs supported locally : 1005Number of existing VLANs : 12




VTP Version : 2






Still in sync!

VTP Mode = Client(or Server)

Config Rev = 16

VLANs = 1, 10, 11, 12, 20, 21, 22, 30

VTP Mode = Server

Config Rev = 16

VLANs = 1, 10, 11, 12, 20, 21, 22, 30


57/129

57

How to make sure switch has Lower Config Rev: VTP Mode

Setting a switch to Transparent mode reset the configuration to 0.

Then set it back to Client or Server.

VTP Domain = West

VTP Mode = Client

Config Rev = 16

VLANs = 1

VTP Domain = West

VTP Mode = Server

Config Rev = 10

VLANs = 1, 10, 11, 12, 20, 21, 22, 30

0

TransparentClient

1, 10, 11, 12, 20, 21, 22, 3010

DLS2(config)# vtp mode ?client Set the device to client mode.

server Set the device to server mode.

transparent Set the device to transparent mode.

DLS2(config)#

Not all VTP Messages shown


58/129

58

How to make sure switch has Lower Config Rev: VTP Domain

Changing the Domain Name on a switch will reset the configuration to 0.

Then set it back to the correct Domain Name.

VTP Domain = West

VTP Mode = Client

Config Rev = 16

VLANs = 1

VTP Domain = West

VTP Mode = Server

Config Rev = 16

VLANs = 1, 10, 11, 12, 20, 21, 22, 30

0

EastWest

1, 10, 11, 12, 20, 21, 22, 3016


Changing VTP domain name from East to West

Not all VTP Messages shown


59/129

VTP Pruning


60/129

VTP Pruning

Prevents flooded traffic from propagating to switches that do not have

members in specific VLANs.

VTP pruning uses VLAN advertisements to determine when a trunk connectionis flooding traffic needlessly.


61/129

61

VTP Pruning

How would VLANs affect the ARP broadcast?

Host C and Host D would not receive the ARP Request.

But broadcast would be transmitted across all trunk links.

If VTP pruning is enabled, ALS1 would not send broadcasts for VLAN 120 to

DLS1 or DLS2 (dashed lines).

VTP pruning increases the available bandwidth by restricting flooded traffic to

those trunk links that traffic must use to access the appropriate network devices.

XX

No access ports

on VLAN 120

No access ports

on VLAN 120


62/129

62

VTP Pruning is disabled by default


VTP Version : 2Configuration Revision : 2




VTP Domain Name : Cabrillo

VTP Pruning Mode : Disabled

VTP V2 Mode : DisabledVTP Traps Generation : Disabled

MD5 digest : 0xAB 0x0C 0xEB 0xDE 0x6A 0x890x0C 0xAD


Local updater ID is 10.1.1.101 on interface Vl1 (lowest numberedVLAN interface found)

DLS1#


63/129

63

It is easy to configure

DLS1(config)# vtp pruning

DLS1(config)# end


VTP Version : 2




VTP Operating Mode : ServerVTP Domain Name : Cabrillo

VTP Pruning Mode : Enabled

VTP V2 Mode : Disabled

VTP Traps Generation : Disabled

MD5 digest : 0xAB 0x0C 0xEB 0xDE 0x6A 0x890x0C 0xAD


Local updater ID is 10.1.1.101 on interface Vl1 (lowest numberedVLAN interface found)

DLS1#

Enable VTP pruning on all switches.


64/129

VTP Authentication

VTP domains can be secured by using the VTP password feature.

Passwords and domain name must be the same otherwise, a switch

will not become a member of the VTP domain.

Cisco switches use MD5 to encode passwords in 16-byte words.

Propagated inside VTP summary advertisements.

Case-sensitive and can be 8 to 64 characters in length.

VTP authentication is a recommended practice.

Default: No VTP password

Switch(config)# vtp passwordpassword_string


65/129

VTP Troubleshooting

Check that switches are interconnected by active trunk links.

Check that the trunking protocol matches on opposite ends of atrunk link.

Check VTP domain name (case-sensitive) and password.

Check the VTP mode of the switches.

Check the VTP versions of the switches.


66/129

Default, Native and

Management VLANs

FLAN:

Predecessor to

the VLAN


67/129


68/129

68

Native VLAN

By default all traffic is carried across VLAN 1.

VLAN 1 is: The default VLAN(all user traffic)

Native VLAN: No trunking encapsulation even if configured as a trunk.

VLAN for CDP, VTP, PAgP (Port Aggregation Protocol), LACP(Link

Aggregation Control Protocol), and DTP

A topic that causes considerable confusion is the native VLAN.

VLAN 1

Native VLAN

Un-tagged (If trunking there is no802.1Q or ISL encapsulation)

CDP, VTP, PAgP, LACP, DTP

Default VLAN


69/129

69

Native VLAN

The IEEE committee that defined 802.1Q decided to support a

native VLAN for backwards compatibility:

Allows 802.1Q capable ports to talk to old 802.3 ports directly by

sending and receiving untagged traffic.

Loss of identification also means a loss of classification.

You should avoid using VLAN 1 (or whatever your Native

VLAN is) for data traffic, so it can be classified for QoS.

We will see examples later with IP Telephony.

Note: We have not yet

discussed routing

between these VLANS.

(But we will!)

Common VLAN

configuration


70/129

70

Best Practices

Native VLAN

Can be modified to be a VLAN other than VLAN 1.

Must be the same on both ends, both switches.

Should not be used for user VLAN or Management VLAN. Control traffic (CDP, VTP, PAgP, DTP) still transmitted over VLAN 1.

If Native VLAN is other than VLAN 1 then control traffic is sent tagged.

It is fine to leave VLAN 1 as the Native VLAN but should only carry controltraffic and not user or management traffic.

Note: Router uses subinterfaces for trunking and the native VLAN isconfigured using the native option. (Discussed later)


71/129

71

Best Practices

Management VLAN

The Management VLAN is the VLAN used to reach (ping, telnet)devices.

Switch(config)#hostname DLS2

DLS2(config)#interface vlan 99

DLS2(config-if)#ip address 10.0.99.1 255.255.255.0


72/129

72

Best Practices

Garbage VLAN

This is the VLAN you can assign to all switch ports until it is assigned toa user or management VLAN.

A way of isolating or managing all non-business traffic.

You may wish to limit this VLAN as an access port and not include this

VLAN across trunk links.

DLS2(config)#interface range fa 0/1 - 24

DLS2(config-if)#switchport mode access

DLS2(config-if)# switchport access vlan 222

B t P ti


73/129

73

Best Practices

Limiting VLANs on a trunk

You can manually configure which VLANs should be allowed on a trunk.

If you remove VLAN 1 from a trunk port, the interface continues to send

and receive management traffic, CDP, PAgP, LACP, DTP and VTP in

VLAN 1.

Sometimes done to reduce the risk of VLAN 1 STP loops or storms

usually due to misconfiguration. (CCIE stuff)

DLS2(config)#interface fa 0/11

DLS2(config-if)#switchport trunk allowed vlan 1, 10-99

DLS2(config-if)#switchport trunk allowed vlan remove 20

B t P ti


74/129

74

Best Practices

Looking at a complete configuration for a trunk link

DLS2(config)#interface fa 0/11

DLS2(config-if)#switchport trunk encapsulation dot1q

DLS2(config-if)#switchport mode trunk

DLS2(config-if)#switchport trunk native vlan 2

DLS2(config-if)#switchport trunk allowed vlan 1, 10-99

DLS2(config-if)#switchport trunk allowed vlan remove 20


75/129

Private VLAN

P i t VLAN


76/129

76

Private VLANs

Private VLANs (pVLAN) provide isolation between ports within the same

VLAN.

pVLANs require VTP switches to be in transparent mode.

pVLANs can go across trunks.

Community

VLAN A Ports

Community

VLAN B Ports

Isolated VLAN

C Ports

Promiscuous Ports

VTP Transparent

P i t VLAN


77/129

77

Private VLANs

pVlans:

Provide security

Reduce the number of IP subnets

Service providers use pVLANs to deploy hosting services and network

access where all devices reside in the same subnet but only

communicate to a default gateway, servers or another network.

Same subnet but

different pVLANs

Promiscuous Ports

P i t VLAN


78/129

78

Private VLANs

pVlans consist of two supporting VLANs:

Primary VLAN

High-level VLAN

Can have many secondary VLANs

Secondary VLANs belong to same subnet as Primary VLAN

Secondary VLAN

Child to a Primary

End devices belong to a secondary VLAN

Secondary VLANs

Primary VLANs Promiscuous Ports

P i t VLAN


79/129

79

Private VLANs

Two types of secondary VLANs

Community VLANs

These ports communicate with other ports in the same

community and promiscuous ports

Isolated VLANs

These ports can only communicate with promiscuous ports.

Community VLANs

Isolated

VLANs

Promiscuous Ports

Private VLANs


80/129

80

Community VLANs ports communicate with other ports in the same community

and promiscuous ports.

What devices can Community VLAN APCs communicate with?

What devices can Community VLAN BPCs communicate with?

Isolated VLANs ports can only communicate with promiscuous ports.

What devices can Isolated VLAN CPCs communicate with?

Community

VLAN A Ports

Community

VLAN B Ports

Isolated VLAN

C Ports

Promiscuous Ports

Private VLANs

Configuring pVLANs: Creating the pVLANs


81/129

81

Configuring pVLANs: Creating the pVLANs

Switch(config)# vlan 100

Switch(config-vlan)#private-vlan primarySwitch(config)# vlan 200

Switch(config-vlan)#private-vlan community




Switch(config-vlan)#private-vlan isolated


Switch(config-vlan)#private-vlan association 200,201,300

Switch(config)# interface vlan 100

Switch(config-if)#private-vlan mapping add 200,201,300

Configure Primary VLAN

Configure Secondary VLANs (two community, one isolated)

Associate secondary VLANs to primary VLAN

Map secondary VLANs to Layer 3 VLAN interface of primary VLAN to

allow Layer 3 switching (later).

Secondary

VLANs

Primary VLANs

Private VLANs


82/129

82

CommunityVLAN A Ports

Community

VLAN B Ports

Isolated VLANC Ports

Promiscuous Ports

Private VLANs


Switch(config-vlan)#private-vlan primary











VLAN 100

VLAN 200VLAN 201

VLAN 300

Configuring pVLANs: Port


83/129

83

g g p

AssociationSwitch(config)# interface range fa 0/1 5

Switch(config-if)# switchport mode private-vlan promiscuous

Switch(config-if)# exit

Switch(config)# interface range fa 0/10 12

Switch(config-if)# switchport mode private-vlan host

Switch(config-if)# switchport private-vlan host-association 100 200



Switch(config-if)# switchport mode private-vlan hostSwitch(config-if)# switchport private-vlan host-association 100 201






Configure access ports for promiscuous mode.

Configure access ports for community pVLANs.

Configure access ports for isolated pVLANs.

Primary Secondary

Configuring


84/129

84


Switch(config-vlan)#private-vlan primary



Switch(config)# vlan 201Switch(config-vlan)#private-vlan community







Configuring

pVLANs - Review


85/129

85

Switch(config)# interface range fa 0/15

Switch(config-if)# switchport mode private-vlan promiscuous






Switch(config)# interface range fa 0/1518








Primary Secondary

VLAN 200

VLAN 201

VLAN 300


86/129

Port Aggregation (EtherChannel)


CCNP SWITCH

Rick Graziani

Spring 2010


87/129

Configuring Link

Aggregation withEtherchannel

Spanning Tree and EtherChannel


88/129

88

Spanning Tree and EtherChannel

Spanning Tree only allows a single link between switches to prevent

bridging loops.

Ciscos EtherChannel technology allows for the scaling of link

bandwidth by aggregating or bundling parallel links. Treated as a single, logical link.

Access or Trunk link

Allows you to expand the links capacity without having to

purchase new hardware (modules, devices).

Etherchannel Bundle

EtherChannel


89/129

89

EtherChannel

EtherChannel allows for two to eight links.

Fast Ethernet (FE) Fast EtherChannel Up to 1600 Mbps

Gigabit Ethernet (GE) Gigabit EtherChannel Up to 16 Gbps

10-Gigabit Ethernet (10GE) 10 Gigabit EtherChannel Up to 160

Gbps

This does not mean the total bandwidth of the bundle equals the sum of

the links.

The load is not always distributed evenly (coming).

EtherChannel


90/129

90

EtherChannel

The Cisco Catalyst family of switches supports two types of link

aggregation:

Port Aggregation Protocol (PAgP) - Cisco proprietary

Default when port channel is created (coming)

Link Aggregation Control Protocol (LACP) - Industry standard802.3ad-based protocol

EtherChannel provides redundancy.

If one link fails traffic is automatically moved to an active link.

Transparent to end user.

LACP (coming) also allows for standby links (coming).


91/129

Distribution of Traffic and Load Balancing


92/129

92

Distribution of Traffic and Load Balancing

Load is not balanced equally across links. EtherChannel uses a hashing algorithm.

Single input is used (such as Source IP address), the hash will

only look at the bits associated with this input. (coming)

Two inputs are used (such as Source IP address and

Destination IP address), the hash will perform an exclusive OR(XOR) operation on both inputs. (coming!)

Both of these will compute a binary number that selects a link

number in the bundle to carry the frame. (coming!!!)

Load Balancing


93/129

93

Load Balancing

Lets take a brief look at how this works.

We will focus on the 2, 4 and 8 link possibilities as this is easier to

understand and the only options that provide more ideal load balancing.

A 2 linkEtherChannel bundle requires a 1-bit index using an XOR.

If the index is 0, link 0 is selected

If the index is 1, link 1 is selected

A 4 linkEtherChannel bundle requires a 2-bit indexusing an XOR.

4 possible links: 00, 01, 10, 11

An 8 linkEtherChannel bundle requires a 3-bit indexusing an XOR.

8 possible links: 000, 001, 010, 011, 100, 101, 110, 111

Boolean Operations - XOR


94/129

94

Boolean Operations XOR

XOR (Exclusive OR) operation

0 = FALSE 1 = TRUE

If both bits have the same value (both 0, both 1), the XOR will result in a 0

Otherwise, if they differ (one is a 0 and the other a 1) the result will be 1.

One and ONLY one input value can be TRUE for output to be TRUE

Rick is going to surf the Hook XOR Liquor Stores at noon

I cannot surf BOTH spots. If I did this would not be TRUE.

XOR = TRUETRUE False


95/129

Load Balancing


96/129

96

Load Balancing

Example: 2 LinkEtherChannel.

Packet sent from 172.16.1.1 to 10.10.10.16 The chosen hashuses Source IPand Destination IPaddress

At most there can only be 8 links in bundle, so only the last 3rightmost bits(least-significant) of the addresses will ever need tobe indexed or examined.

3 bits will give us 8 choices (8 links max in a bundle)

172.16.1.1=> 00000001 10.10.10.46=> 00101110

In our example we have 2 linksin the EtherChannel (1 bit index):

The XOR is performed only on the rightmost bit1 XOR0

1 XOR 0= 1

Link 1is used

0

1

Load Balancing


97/129

97

Load Balancing

Example: 2 LinkEtherChannel.

Our hashused the Source IPand Destination IPaddress The XOR on the rightmost bit of ourSource IPand Destination IP

address could result in Link 0 or Link 1 being used.

Depends on the last bit of each address!

172.16.1.1=> 00000001 10.10.10.46=> 00101110

If XOR of the two bits result in 0, then link 0 is used.

If XOR of the two bits result in 1, then link 1 is used.

0

1

Load Balancing


98/129

98

Load Balancing

Example: 4 Link EtherChannel

Packet sent from 172.16.1.1 to 10.10.10.16 Our hashused the Source IPand Destination IPaddress

172.16.1.1=> 00000001 10.10.10.46=> 00101110

If there are 4 linksin the EtherChannel (2 bit index):

The XOR is performed only on 2 rightmost bits01 XOR10

Each bit is computed separately 01 XOR 10= 11

1 XOR 0= 1

0 XOR 1= 1

Link 3(112) is used

0

3

Load Balancing


99/129

99

Load Balancing

Example: 8 Link EtherChannel

Packet sent from 172.16.1.1 to 10.10.10.16

Our hashused the Source IPand Destination IPaddress 172.16.1.1=> 00000001 10.10.10.46=> 00101110

If there are 8 linksin the EtherChannel (3 bit index):

The XOR is performed only on the 3 rightmost bits001 XOR110

Each bit is computed separately

001 XOR 110= 111

1 XOR 0= 1

0 XOR 1= 1

0 XOR 1= 1

Link 7(1112

) is used

0

7

For more information


100/129

100

For more information

For information about load balancing the number of links other than

2, 4 or 8:

Understanding EtherChannel Load Balancing and

Redundancy on Catalyst Switches http://www.cisco.com/en/US/tech/tk389/tk213/technologies_tech

_note09186a0080094714.shtml
http://www.cisco.com/en/US/tech/tk389/tk213/technologies_tech_note09186a0080094714.shtmlhttp://www.cisco.com/en/US/tech/tk389/tk213/technologies_tech_note09186a0080094714.shtmlhttp://www.cisco.com/en/US/tech/tk389/tk213/technologies_tech_note09186a0080094714.shtmlhttp://www.cisco.com/en/US/tech/tk389/tk213/technologies_tech_note09186a0080094714.shtml


101/129

Configuring EtherChannel

Configuring EtherChannel Load Balancing


102/129

102

Configuring EtherChannel Load Balancing

Switch(config)#port-channel load-balancemethod

The load balancing method is configured in global configuration

mode.

Load Balancing


103/129

103

Load BalancingSwitch(config)#port-channel load-balance ?

dst-ip Dst IP Addr bits

dst-mac Dst Mac Addr bits

src-dst-ip Src XOR Dst IP Addr XOR

src-dst-mac Src XOR Dst Mac Addr XOR

src-ip Src IP Addr bits

src-mac Src Mac Addr bits

6500 and 4500 switches also allow hash input to be based on:

dst-port (destination port)

src-dst-port(source and destination ports)

Dafaults for 29xx and 35xx (this may vary so check documentation)

Layer 2 switching (switched port) is src-mac (coming)

Layer 3 switching (routed port) is src-dst-ip (coming)

For non-IP trafficthe switch will distribute frames based on MAC

addresses.

Multicasts and broadcastssent over one link in the EtherChannel are not

sent back over other links in the EtherChannel.

Hash

Operat ion

default

Load Balancing

Switch(config)#port-channel load-balance ?dst-ip Dst IP Addr bits

dst-mac Dst Mac Addr bits

src-dst-ip Src XOR Dst IP Addr XOR


104/129

104

oad a a c g

Switch(config)#port-channel load-balance src-dst-ip

Normally, the default Source IP and Destination IP addresses will result in a

fair statistical distribution of frames.

This is because of the random nature of multiple Source and Destination IP

addresses.

However, if a single servers destination IP addressis receiving most of

the traffic this may cause one link to be overused in a two linkEtherChannel.

Two links in a four link EtherChannel

Four links in an eight link EtherChannel.

Use only Source IP addressorinclude MAC addressesto create a more

balanced load across the bundle.

src-dst-mac Src XOR Dst Mac Addr XOR

src-ip Src IP Addr bits

src-mac Src Mac Addr bits

EtherChannel Protocols


105/129

105

The Cisco Catalyst family of switches supports both:

Port Aggregation Protocol (PAgP) - Cisco proprietary

Default when port channel is created (coming)

Link Aggregation Control Protocol (LACP) - Industry standard

802.3ad-based protocol

Not many differences. When a Cisco switch is connected to a non-Cisco switch use LACP.

Must be the same on both ends!

PAgP PAgPLACP LACP

EtherChannel Protocols


106/129

106

DLS1(config)# interface range fa 0/1 - 4

DLS1(config-if-range)# channel-protocol ?

lacp Prepare interface for LACP protocol

pagp Prepare interface for PAgP protocol

DLS1(config-if-range)# channel-protocol pagp

PAgP requres identical static VLANs or trunking encapsulation with

same allowed VLANs.

If the VLAN, speed or duplex on a port in the bundle is changed

PAgP automatically reconfigures the rest of the ports in that bundle.

Fa0/1

Fa0/4


107/129

No PAgP or LACP negotiation


108/129

108

g g



DLS1(config-if-range)# channel-group 1 mode ?

active Enable LACP unconditionally

auto Enable PAgP only if a PAgP device is detected

desirable Enable PAgP unconditionally

on Enable Etherchannel only

passive Enable LACP only if a LACP device is detected

onForces port to channel without PAgP negotiation.

Both ends must be on.

All ports channeling

You can use channel-group # mode onwhen the connecting device does

not support PAgP and you need to set up the channel unconditionally.

on on

EtherChannel


109/129

PAgP modes


110/129

110

g









An interface in automode can form an EtherChannel with another interfacein desirablemode.

Auto(default, passive) - Waits to be asked to form a channel.

An interface in automode cannotform an EtherChannel with another

interface that is also in automode because neither interface starts PAgP

negotiation.

auto

EtherChannel

desirable


111/129

LACP modes


112/129

112


DLS1(config-if-range)# channel-protocol lacp







An interface in the activemode can form an EtherChannel with anotherinterface that is in the activeor passivemode.

active

active

EtherChannel

passive

LACP modes


113/129

113









An interface in the passivemode can form an EtherChannel with anotherinterface that is in the activemode.

An interface in the passivemode cannotform an EtherChannel with

another interface that is also in the passivemode because neither interface

starts LACP negotiation.

passive

EtherChannel

active

Forming EtherChannels


114/129

114

EtherChannel

on on

PAgP Negotiated EtherChannel

desirable desirable

auto

LACP Negotiated EtherChannel

active active

passive

Configuring PAgP


115/129

115

DLS1(config)#port-channel load-balance dst-ip


DLS1(config-if-range)# switchport trunk encapsulation dot1q



DLS1(config-if-range)# channel-group 1 mode desirable

Notice: Load balancing does not have to match but usually it does.

DTP on DLS2 is dyanmic auto (result is trunk with DLS1)

PAgP configured on both ends

DLS2(config)#port-channel load-balance src-dst-ip

DLS2(config)# interface range fa 0/11 - 12DLS2(config-if-range)# switchport trunk encapsulation dot1q


DLS2(config-if-range)# channel-group 1 mode auto

VerifyingWe will discuss the significance of the Port-channel

interface with MLS.


116/129

116

DLS1#show run

!

port-channel load-balance dst-ip

!

interface Port-channel1

switchport trunk encapsulation dot1q

switchport mode trunk

!

interface FastEthernet0/1

! ...




channel-group 1 mode desirable

!

interface FastEthernet0/12switchport trunk encapsulation dot1q


channel-group 1 mode desirable

DLS2#show run

!

port-channel load-balance src-dst-ip

!



!

!


! ...



channel-group 1 mode auto

!

!

interface FastEthernet0/12switchport trunk encapsulation dot1q

channel-group 1 mode auto

Verifying


117/129

117

DLS1# show etherchannel protocol

Group: 1----------

Protocol: PAgP

DLS1# show etherchannel load-balance

EtherChannel Load-Balancing Operational State (dst-ip):

Non-IP: Destination MAC address

IPv4: Destination IP address


DLS1# DLS1(config)#port-channel load-balance dst-ipDLS1(config)# interface range fa 0/11 - 12



DLS1# show etherchannel summary

Flags: D - down P - in port-channel


118/129

118

g p

I - stand-alone s - suspended

H - Hot-standby (LACP only)

R - Layer3 S - Layer2

U - in use f - failed to allocate aggregator

u - unsuitable for bundling

w - waiting to be aggregated

d - default port

Number of channel-groups in use: 1

Number of aggregators: 1

Group Port-channel Protocol Ports

------+-------------+-----------+-------------------------------

1 Po1(SU) PAgP Fa0/11(P) Fa0/12(P)




DLS1# show etherchannel port

Group: 1



DLS1( fi if )# h l t l


119/129

119

----------

Port: Fa0/11

------------

Port state = Up Mstr In-Bndl

Channel group = 1 Mode = Desirable-Sl Gcchange = 0

Port-channel = Po1 GC = 0x00010001 Pseudo port-channel = Po1

Port index = 0 Load = 0x00 Protocol = PAgP

Flags: S - Device is sending Slow hello. C - Device is in Consistent state.

Timers: H - Hello timer is running. Q - Quit timer is running.

Local information:

Hello Partner PAgP Learning Group

Port Flags State Timers Interval Count Priority Method Ifindex

Fa0/11 SC

Partner's information:

Partner Partner Partner Partner GroupPort Name Device ID Port Age Flags Cap.

Fa0/11 DLS2 001b.8fc8.0080

Age of the port in the current state: 00d:00h:35m:29s

Port: Fa0/12

------------

...



Can help determine if the load balancing is being

distributed equally across the links

Configuring LACP


120/129

120


DLS1(config)# lacp system-priority 11111


DLS1(config-if-range)# switchport trunk encapsulation dot1qDLS1(config-if-range)# switchport mode trunk


DLS1(config-if-range)# channel-group 1 mode active

DLS1(config-if-range)# lacp port-priority 99





Port Priority - (Optional for LACP)

LACP uses the port priority to decide which ports should be put in standby mode.

Not typically used (more with hardware limitation).

Ports with lower priority are active, rest are standby. (Default is 32,768)

System Priority - (Optional for LACP)

Valid values are 1 through 65535.

Higher numbers have lower priority. (Default is 32768, switch MAC is tiebreaker)

Recommended only when some ports are in standby.

Fa0/13-14 has a

higher port priority

so these will

become the

standby links

should something

happen to any of

the active links.Default port-priority = 32,768

Configuring LACP: DLS1 and DLS2


121/129

121

DLS2(config)#port-channel load-balance src-dst-ip


DLS2(config-if-range)# switchport trunk encapsulation dot1qDLS2(config-if-range)# channel-protocol lacp

DLS2(config-if-range)# channel-group 1 mode passive







DLS1(config)# lacp system-priority 11111












Verifying (only showing DLS1)


122/129

122

DLS1#show run

!

port-channel load-balance dst-ip

!




!




lacp port-priority 99

channel-group 1 mode active

!


switchport trunk encapsulation dot1qswitchport mode trunk

lacp port-priority 99


!





!





Verifying


123/129

123

DLS1# show etherchannel protocol

Group: 1----------

Protocol: LACP

DLS1# show etherchannel load-balance

EtherChannel Load-Balancing Operational State (dst-ip):

Non-IP: Destination MAC address








Verifying


124/129

124

DLS1# show etherchannel summary

Flags: D - down P - in port-channel

I - stand-alone s - suspended

H - Hot-standby (LACP only)

R - Layer3 S - Layer2

U - in use f - failed to allocate aggregator

u - unsuitable for bundling

w - waiting to be aggregated

d - default port

Number of channel-groups in use: 1

Number of aggregators: 1

Group Port-channel Protocol Ports

------+-------------+-----------+-----------------------------------------1 Po1(SU) LACP Fa0/11(P) Fa0/12(P) Fa0/13(H)

Fa0/14(H)

DLS1#

Odds and Ends (FYI)


125/129

125

Trunk ports send and receive PAgP and LACP protocol data units

(PDUs) on the lowest numbered VLAN.

Spanning tree sends packets over the first interface in the

EtherChannel.

For more information on Configuring EtherChannel

http://www.cisco.com/en/US/docs/switches/lan/catalyst3550/soft

ware/release/12.1_13_ea1/configuration/guide/swethchl.html

Troubleshooting Trunk Links
http://www.cisco.com/en/US/docs/switches/lan/catalyst3550/software/release/12.1_13_ea1/configuration/guide/swethchl.htmlhttp://www.cisco.com/en/US/docs/switches/lan/catalyst3550/software/release/12.1_13_ea1/configuration/guide/swethchl.htmlhttp://www.cisco.com/en/US/docs/switches/lan/catalyst3550/software/release/12.1_13_ea1/configuration/guide/swethchl.htmlhttp://www.cisco.com/en/US/docs/switches/lan/catalyst3550/software/release/12.1_13_ea1/configuration/guide/swethchl.html


126/129

Ensure that the Layer 2 interface mode configured on both ends ofthe link is valid.

The trunk mode should be trunkor desirablefor at least one side of

the trunk.

Ensure that the trunk encapsulation type configured on both ends of

the link is valid and compatible. On IEEE 802.1Q trunks, make sure the native VLAN is the same on

both ends of the trunk.

When using DTP, ensure that both ends of the link are in the same

VTP domain.

Chapter 2 Summary


127/129

A VLAN is a logical grouping of switch ports independent of physical location. Local

VLANs are now recommended over end-to-end VLAN implementations.

A trunk is a Layer 2 point-to-point link between networking devices carry the traffic of

multiple VLANs.

ISL and 802.1Q are the two trunking protocols that can connect two switches.

VTP is used to distribute and synchronize information about VLANs configured

throughout a switched network.

VTP pruning helps to stop flooding of unnecessary traffic on trunk links.

Device communication within the same VLAN can be fine-tuned using pVLANs. A

pVLAN is associated to a primary VLAN, and then mapped to one or several ports. A

primary VLAN can map to one isolated and several community VLANs. pVLANs can

span across several switches using regular 802.1q trunks or pVLAN trunks.

Use EtherChannel by aggregating individual, similar links between switches.

EtherChannel can be dynamically configured between switches using either the Cisco-

proprietary PAgP or the IEEE 802.3ad LACP. EtherChannel load balances traffic over all

the links in the bundle. The method that is chosen directly impacts the efficiency of this

load-balancing mechanism.

Best Practices for VLAN Design


128/129

One to three VLANs per access module and limit those VLANs to a couple

of access switches and the distribution switches.

Avoid using VLAN 1 as the "blackhole" for all unused ports. Use a dedicatedVLAN separate from VLAN 1 to assign all the unused ports.

Separate the voice VLANs, data VLANs, the management VLAN, the native

VLAN, blackhole VLANs, and the default VLAN (VLAN 1).

Avoid VTP when using local VLANs; use manually allowed VLANs on

trunks. For trunk ports, turn off Dynamic Trunking Protocol (DTP) and configure

trunking. Use IEEE 802.1Q rather than ISL because it has better support for

QoS and is a standard protocol.

Manually configure access ports that are not specifically intended for a trunk

link.

Prevent all data traffic from VLAN 1; only permit control protocols to run on

VLAN 1 (DTP, VTP, STP BPDUs, PAgP, LACP, CDP, etc.).

Avoid using Telnet because of security risks; enable SSH support on

management VLANs.


129/129

VLANs, Trunking, VTP, Port Aggregation

Part 2


CCNP SWITCH

Rick Graziani

Spring 2011

cis187 switch 2 vlans part2

Documents