What is a VLAN

Upload: sarzaminkhan

Post on 03-Jun-2018


8/12/2019 WHAT IS A VLAN (1/54)

Copyright: Muhammad Shakir Hussain (ADE-PTCL)

VLANS

WHAT IS A VLAN

    A Virtual LAN (VLAN) has two important concepts:

    Logical segmentation of a switched network

    One broadcast domain

A VLAN is a switched network that is logically segmented by function, project team, or application, without regard to the physical location of users. For example, several end stations might be grouped as a department such as Engineering or Accounting, having the same attributes as a LAN even though they are not all on the same physical LAN segment.

To accomplish this logical grouping, a VLAN-capable switching device must be used. Each switch port can be assigned to a VLAN. Ports in a VLAN share broadcast traffic and belong to the same broadcast domain. Broadcast traffic in one VLAN is not transmitted outside that VLAN. This segmentation improves the overall performance of the network.

The following figure shows an example of VLANs segmented into logically defined networks.

VLANs provide the following benefits:

Reduced administration costs associated with moves, adds, and changes

Controlled broadcast activity and better network security

Leveraging existing investments

Flexible and scalable segmentation

Companies continuously reorganize as they try to improve productivity. These moves, adds, and changes are one of the greatest expenses in managing a network. VLANs provide an effective mechanism to control these changes and reduce much of the cost of hub and router reconfiguration. If a group of VLAN users move but remain in the same VLAN connected to a switch port, their network addresses do not change. Router configuration is left intact; a simple move for a user from one location to another does not create any configuration changes in the router if the user stays in the same VLAN.

Similar to routers, VLANs offer an effective mechanism for setting up firewalls in a switch fabric, protecting the network against broadcast problems that are potentially dangerous, and maintaining all the performance benefits of switching. You can create these firewalls by assigning switch ports or users to specific VLAN groups, in single switches and across multiple connected switches, which will increase security easily and inexpensively by segmenting the network into distinct broadcast groups. Broadcast traffic in one VLAN is not transmitted outside that VLAN. This type of configuration substantially reduces overall broadcast traffic, frees bandwidth for real user traffic, and lowers the overall vulnerability of the network to broadcast storms.

Note what kind of boundary this is: a VLAN separates Layer 2 broadcast domains. Hosts in different VLANs can still reach each other through whatever router or Layer 3 switch connects those VLANs, so the access policy between VLANs lives in that device's filters, not in the VLAN assignment itself.

You can leverage existing hub investments by assigning each hub segment connected to a switch port to a VLAN. All the stations that share a hub segment are assigned to the same VLAN. If an individual station must be reassigned to another VLAN, the station is relocated to the appropriate corresponding hub module. The interconnected switch fabric handles communication between the switching ports and automatically determines the appropriate receiving segments.

You can also assign VLANs based on the application type and the amount of application broadcasts. You can place users sharing a broadcast-intensive application in the same VLAN group and distribute the application across the

    VLAN OPERATION

In this section you will learn about the following topics:

VLAN components

Types of VLANs

Inter-VLAN communication

VLAN standardization

Switches: the Core of VLANs

Switches are a primary component of VLAN communication. They perform critical VLAN functions by acting as the entry point for end-station devices into the switched fabric, facilitating communication across the organization, and providing the intelligence to group users, ports, or logical addresses into common communities of interest. Each switch has the intelligence to make filtering and forwarding decisions frame by frame, based on VLAN metrics defined by network managers, and to communicate this information to other switches and routers within the network.

The criteria used to define the logical grouping of nodes into a VLAN are based on a technique known as frame tagging. There are two types of frame tagging: implicit and explicit. Implicit tagging enables a packet to belong to a VLAN based on the Media Access Control (MAC) address, the protocol, the receiving port of a switch, or another parameter by which nodes can be logically grouped. Explicit tagging requires the addition of a field to a frame or packet header that serves to classify the VLAN association of the frame. Frame tagging functions at Layer 2 and requires little processing or administrative overhead. Neither form of tag is authenticated: the switch trusts the port a frame arrived on and the bytes in its header, which is why trunk ports and the handling of tagged frames on user-facing ports need deliberate configuration.

    Routers

For inter-VLAN communication, you must use routers that extend VLAN communications between workgroups. Routers provide policy-based control, broadcast management, and route processing and distribution. They also provide the communication between VLANs and VLAN access to shared resources such as servers and hosts. Routers connect to other parts of the network that are either logically segmented into subnets or require access to remote sites across wide-area links. To consolidate the overall number of physical router ports required for communication between VLANs, routers use high-speed backbone connections over Fast Ethernet, Fiber Distributed Data Interface (FDDI), or Asynchronous Transfer Mode (ATM) for higher throughput between switches and routers.

Interoperability with Previously Installed LAN Systems

VLANs provide system compatibility with previously installed systems such as shared hubs and stackable devices. Although many of these devices are being replaced with newer switching technologies, previously installed concentrators still perform useful functions. With VLANs, you can configure devices such as shared hubs as a part of the VLAN architecture and can share traffic and network resources that directly attach to switching ports with VLAN designations.

Transport Protocols that Carry VLAN Traffic Across Shared LAN and ATM Backbones

The VLAN transport enables information exchange between interconnected switches and routers residing on the corporate backbone. Transport capabilities remove physical boundaries, increase the flexibility of a VLAN solution, and provide mechanisms for interoperability between backbone system components. The backbone acts as the aggregation point for large volumes of traffic. It also carries end-user VLAN information and identification between switches, routers, and directly attached servers. Within the backbone, high-bandwidth, high-capacity links carry the traffic throughout the enterprise. Three high-bandwidth options include Fast Ethernet, Fiber/Copper Distributed Data Interface (FDDI/CDDI), and ATM.

VLAN Management

Network management solutions offer centralized control, configuration, and traffic management functions.

Each VLAN is of a particular type and has its own maximum transmission unit (MTU) size. Two types of VLANs are defined: Ethernet and Token Ring.

Token Ring switch or module.


    CREATING VLAN

The common VLAN configuration options implemented today are as follows:

By port group

By MAC address

By network layer information

By IP multicast groups

By port group: VLAN membership is defined by assigning a specific VLAN to a port or a group of ports. Still the most common way of defining VLAN membership, this type does not allow multiple VLANs to be assigned to the same switch port or group of ports. The main disadvantage of defining VLANs by port is that the network manager must reconfigure VLAN membership when a user moves from one port to another.

By MAC address: VLANs are defined based on the source MAC address of the hosts connected to the switch port. VLANs based on MAC addresses enable users to move to a different physical location on the network and have their workstation automatically retain its VLAN membership, because MAC-layer addresses are burned into the workstation's network interface card (NIC). In practice the source MAC is whatever the host chooses to send, so a MAC-based policy places a station in a VLAN on the strength of an unauthenticated and easily changed field.

By network layer information: VLANs are defined based on information contained in the network layer header of the packet, such as the protocol type or the network layer address. A major advantage of defining a VLAN based on Layer 3 information is that it enables partitioning by protocol type. Also, there is no need to reconfigure each workstation's network address when a user moves to a new location.

By IP multicast groups: VLAN membership is defined based on IP multicast groups. All workstations that join an IP multicast group are members of the same VLAN. The fundamental concept of VLANs as broadcast domains still applies here. The main advantage of multicast-group-based VLANs is the high degree of flexibility due to the dynamic nature of the VLANs, because workstations can join different multicast groups at different times.
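Frame tagging (above, under "Switches: the Core of VLANs") and the port-based and MAC-based membership options just described are easier to see in code. The Python model below is an added example, not code from this document or from any Cisco product: it builds a toy VLAN-aware switch with access ports and a trunk port, a port-to-VLAN table, an optional MAC-based override, and flooding that stays inside one VLAN. Port names, MAC addresses, and frames are constructed. The document's own trunk encapsulations are ISL and IEEE 802.10; the trunk here uses an IEEE 802.1Q tag only because that is the standard explicit tag format, and the decision to drop tagged frames that arrive on an access port is this model's choice, not a statement about Catalyst behaviour.

```python
"""Toy VLAN-aware switch: port-based and MAC-based membership, 802.1Q tags
on trunk ports, and broadcast flooding confined to one VLAN. Constructed
example; port names and MACs are made up, and this is not Catalyst code."""
import struct
from dataclasses import dataclass, field

ETHERTYPE_8021Q = 0x8100
BROADCAST = b"\xff" * 6


@dataclass
class Port:
    name: str
    mode: str                                  # "access" or "trunk"
    vlan: int = 1                              # access VLAN; unused on trunks
    allowed: set = field(default_factory=set)  # VLANs carried on a trunk


def parse_frame(raw: bytes):
    """Return (dst, src, vid, rest); vid is None for an untagged frame.
    The VID is the low 12 bits of the tag control information (TCI)."""
    dst, src, etype = struct.unpack("!6s6sH", raw[:14])
    if etype == ETHERTYPE_8021Q:
        (tci,) = struct.unpack("!H", raw[14:16])
        return dst, src, tci & 0x0FFF, raw[16:]
    return dst, src, None, raw[12:]


def add_tag(raw: bytes, vid: int) -> bytes:
    """Insert an 802.1Q tag (PCP 0, DEI 0) after the source MAC."""
    return raw[:12] + struct.pack("!HH", ETHERTYPE_8021Q, vid & 0x0FFF) + raw[12:]


def strip_tag(raw: bytes) -> bytes:
    return raw[:12] + raw[16:]


def frame(dst: bytes, src: bytes, payload: bytes = b"\x00" * 46) -> bytes:
    """Untagged IPv4 Ethernet frame with a constructed payload."""
    return dst + src + struct.pack("!H", 0x0800) + payload


class VlanSwitch:
    def __init__(self, ports, mac_vlans=None):
        self.ports = {p.name: p for p in ports}
        self.mac_vlans = mac_vlans or {}   # source MAC -> VLAN (MAC-based membership)
        self.fdb = {}                      # (vlan, mac) -> port that last sourced it

    def classify(self, port: Port, src: bytes, vid):
        """Ingress VLAN decision. Trunks trust the tag; access ports use the
        port's VLAN unless a MAC-based policy overrides it. The policy keys
        on the unauthenticated source MAC, so any station that sends with
        that address inherits the membership."""
        if port.mode == "trunk":
            return vid if vid in port.allowed else None
        if vid is not None:
            return None                    # this toy drops tagged frames on access ports
        return self.mac_vlans.get(src, port.vlan)

    def forward(self, in_port: str, raw: bytes) -> dict:
        """Return {egress port: frame}. Known unicast goes to one port,
        anything else floods, but only to members of the frame's VLAN."""
        dst, src, vid, _ = parse_frame(raw)
        vlan = self.classify(self.ports[in_port], src, vid)
        if vlan is None:
            return {}
        self.fdb[(vlan, src)] = in_port
        untagged = raw if vid is None else strip_tag(raw)
        targets = [self.fdb[(vlan, dst)]] if (vlan, dst) in self.fdb else list(self.ports)
        out = {}
        for name in targets:
            p = self.ports[name]
            if name == in_port:
                continue
            if p.mode == "access" and p.vlan == vlan:
                out[name] = untagged
            elif p.mode == "trunk" and vlan in p.allowed:
                out[name] = add_tag(untagged, vlan)
        return out


MAC_A, MAC_B, MAC_C = (bytes.fromhex("02000000000%d" % i) for i in (1, 2, 3))  # constructed


def demo() -> dict:
    sw = VlanSwitch([Port("fa0/1", "access", vlan=10), Port("fa0/2", "access", vlan=10),
                     Port("fa0/3", "access", vlan=20), Port("fa0/24", "trunk", allowed={10, 20})],
                    mac_vlans={MAC_C: 10})
    return {
        # broadcast from VLAN 10 reaches the other VLAN 10 port and the trunk (tagged 10)
        "bcast_vlan10": sw.forward("fa0/1", frame(BROADCAST, MAC_A)),
        # tagged 20 from the trunk reaches only the VLAN 20 access port, untagged
        "tagged20_from_trunk": sw.forward("fa0/24", add_tag(frame(BROADCAST, MAC_B), 20)),
        # VLAN 30 is not allowed on the trunk, so the frame is dropped
        "tagged30_from_trunk": sw.forward("fa0/24", add_tag(frame(BROADCAST, MAC_B), 30)),
        # MAC_C is policy-assigned to VLAN 10 although it is plugged into a VLAN 20 port
        "mac_based": sw.forward("fa0/3", frame(BROADCAST, MAC_C)),
        # reverse direction: a reply to MAC_A from the trunk is unicast to fa0/1 only
        "known_unicast": sw.forward("fa0/24", add_tag(frame(MAC_A, MAC_B), 10)),
    }
```

The "mac_based" case is the one to dwell on: the station on fa0/3 lands in VLAN 10 purely because of the address it sent, which is exactly why a MAC-based policy should be treated as a convenience for moves, not as an access control.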

Cisco Catalyst 5000 VLAN Architecture


The Cisco Catalyst 5


    ISL

The Inter-Switch Link, or ISL, is a Cisco-proprietary protocol used to interconnect two VLAN-capable Fast Ethernet switches using the Ethernet MAC and Ethernet media while maintaining VLAN information as traffic goes between switches. The ISL protocol is essentially a packet-tagging protocol that contains a standard Ethernet frame and the VLAN information associated with that frame. Some additional information is also present in the frame. An ISL trunk is like a continuation of the switching backplane.

Although the ISL link was originally designed to connect Fast Ethernet devices together using full duplex


IEEE 802.10

IEEE 8

protocols should have similar performance characteristics as in a traditional bridged environment. In ATM LANE environments, the ATM switch handles traffic that belongs to the same emulated LAN (ELAN), and routers handle inter-ELAN traffic.

You will learn more about LANE in module 15, "Configuring ATM LANE."

You learned about the Spanning-Tree Protocol in an earlier module. Cisco VLAN architecture uses one instance of spanning tree for each VLAN. With the release of the Catalyst 5

The Catalyst 5

MANAGING VLAN SWITCHES

SNMP

An SNMP-managed network consists of the following major components:

SNMP-managed devices

SNMP agents

Network management systems (NMSs)

Managed devices are hardware devices such as computers, repeaters, switches, routers, and terminal servers that are connected to networks.

Agents are software modules that reside in SNMP-managed devices. They collect and store management information such as the number of error packets received by a network element.

Network management stations, sometimes called consoles, execute management applications that monitor and control managed network devices. Physically, NMSs are usually engineering-workstation-class computers with fast CPUs, memory, and abundant disk space. At least one NMS must be present in each managed environment.

Because SNMP is a distributed-management protocol, a system can operate exclusively as an NMS or an agent, or it can perform the functions of both.

A managed object is a characteristic of something that can be managed. For example, a list of currently active TCP sessions in a particular host computer is a managed object. Managed objects differ from variables, which are particular object instances.

SNMP-managed devices are monitored and controlled using the following operations:

Read operation (get): The read command is used by an NMS to monitor the managed device by examining the different variables maintained by the managed devices.

Write operation (set): The write command is used by the NMS to control the managed device by changing the values of variables stored in them.

Trap operation: The trap command is used by the managed devices to asynchronously report events to the NMS.

Traversal operations are used by the NMS to determine the variables supported by a managed device and to sequentially gather information in variable tables, such as a routing table.

Protocol Operations

The protocol operations of SNMP involve the issuance of requests by the NMS and the return of responses by the managed devices.

The following five protocol operations are supported by SNMP:

Get: The Get operation is used by the NMS to retrieve the value of one or more object instances from an agent. If the responding agent cannot provide values for all the object instances in a list, it does not provide any values.

GetNext: The GetNext operation is used by the NMS to retrieve the value of the next object instance in a table or list within an agent.

Set: The Set operation is used by the NMS to set the values of object instances within an agent. In SNMPv1 and SNMPv2c the only credential is the community string, which travels in cleartext in every message, so a community that permits Set is equivalent to a device password and should be treated as one.

Trap: The Trap operation is used by agents to asynchronously inform the NMS of a significant event, such as power failures, excess temperatures, and so on.

GetResponse: The GetResponse operation is used to send responses from the agent to the NMS.

The GetBulkRequest operation was added in SNMPv2 to reduce the number of protocol exchanges required to retrieve a large amount of information within the given constraints on message size.
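The operations above, worked through on a constructed MIB. The Python below is an added example, not code from this document or from any SNMP implementation: it models an agent and a manager-side walk with no ASN.1 encoding and no UDP, so that the OID ordering behind GetNext, the all-or-nothing Get rule quoted above, GetBulk's non-repeater/max-repetitions split, and the read-versus-write community check stand out. The community strings ("public"/"private"), interface names and values are invented; the object identifiers themselves are the standard MIB-II sysDescr, sysName and ifTable columns.

```python
"""Toy SNMP agent plus manager-side traversal, showing Get, GetNext, Set,
Trap and SNMPv2 GetBulk semantics over a constructed MIB. No ASN.1 or UDP:
the point is the OID ordering and the all-or-nothing / community rules."""


def oid(text: str) -> tuple:
    """'.1.3.6.1.2.1.1.5.0' -> (1, 3, 6, 1, 2, 1, 1, 5, 0). Tuples compare
    lexicographically, which is exactly the MIB-tree order GetNext walks."""
    return tuple(int(x) for x in text.strip(".").split("."))


# Constructed MIB instance: system group and a two-interface ifTable.
SAMPLE_MIB = {
    oid("1.3.6.1.2.1.1.1.0"): "Catalyst-style demo agent",   # sysDescr.0
    oid("1.3.6.1.2.1.1.5.0"): "sw-floor2",                  # sysName.0
    oid("1.3.6.1.2.1.2.2.1.2.1"): "Fa0/1",                  # ifDescr.1
    oid("1.3.6.1.2.1.2.2.1.2.2"): "Fa0/2",                  # ifDescr.2
    oid("1.3.6.1.2.1.2.2.1.7.1"): 1,                        # ifAdminStatus.1 (up)
    oid("1.3.6.1.2.1.2.2.1.7.2"): 1,                        # ifAdminStatus.2 (up)
    oid("1.3.6.1.2.1.2.2.1.8.1"): 1,                        # ifOperStatus.1 (up)
    oid("1.3.6.1.2.1.2.2.1.8.2"): 2,                        # ifOperStatus.2 (down)
}


class Agent:
    def __init__(self, mib, read_community, write_community):
        self.mib = dict(mib)
        self.read, self.write = read_community, write_community
        self.traps = []                  # notifications the agent would send to the NMS

    def _auth(self, community, write=False):
        # v1/v2c: the community string is the whole credential and travels in
        # cleartext; the write community is therefore a device password.
        return community == (self.write if write else self.read)

    def get(self, community, oids):
        if not self._auth(community):
            return "authorizationError", []
        if any(o not in self.mib for o in oids):
            return "noSuchName", []      # v1 rule from the text: all or nothing
        return "noError", [(o, self.mib[o]) for o in oids]

    def get_next(self, community, start):
        """Smallest OID strictly greater than `start` in tree order."""
        if not self._auth(community):
            return "authorizationError", None
        for cand in sorted(self.mib):
            if cand > start:
                return "noError", (cand, self.mib[cand])
        return "endOfMibView", None

    def get_bulk(self, community, oids, non_repeaters, max_repetitions):
        """SNMPv2 GetBulk: one GetNext for each non-repeater, then up to
        max_repetitions successive GetNexts for every remaining variable."""
        if not self._auth(community):
            return "authorizationError", []
        out = []
        for o in oids[:non_repeaters]:
            _, vb = self.get_next(community, o)
            out.append(vb or (o, "endOfMibView"))
        cursors = list(oids[non_repeaters:])
        for _ in range(max_repetitions):
            for i, o in enumerate(cursors):
                _, vb = self.get_next(community, o)
                out.append(vb or (o, "endOfMibView"))
                if vb:
                    cursors[i] = vb[0]
        return "noError", out

    def set(self, community, target, value):
        if not self._auth(community, write=True):
            return "authorizationError"
        if target not in self.mib:
            return "noSuchName"
        self.mib[target] = value
        self.traps.append(("configChange", target, value))  # agent-initiated notification
        return "noError"


def walk(agent, community, subtree):
    """Manager-side traversal: repeat GetNext until the returned OID leaves
    the requested subtree (or the agent reports endOfMibView)."""
    rows, cursor = [], subtree
    while True:
        status, vb = agent.get_next(community, cursor)
        if status != "noError" or vb[0][:len(subtree)] != subtree:
            return rows
        rows.append(vb)
        cursor = vb[0]


def demo() -> dict:
    agent = Agent(SAMPLE_MIB, read_community="public", write_community="private")
    results = {
        "ifdescr_walk": walk(agent, "public", oid("1.3.6.1.2.1.2.2.1.2")),
        "get_partial_miss": agent.get("public", [oid("1.3.6.1.2.1.1.5.0"), oid("1.3.6.1.2.1.1.9.0")]),
        "bulk": agent.get_bulk("public", [oid("1.3.6.1.2.1.1.1"), oid("1.3.6.1.2.1.2.2.1.2")], 1, 2),
        "set_with_read_community": agent.set("public", oid("1.3.6.1.2.1.2.2.1.7.2"), 2),
        "set_with_write_community": agent.set("private", oid("1.3.6.1.2.1.2.2.1.7.2"), 2),
    }
    results["traps"] = list(agent.traps)
    results["admin_status_2"] = agent.get("public", [oid("1.3.6.1.2.1.2.2.1.7.2")])
    return results
```

The walk stops as soon as GetNext returns an OID outside the requested column, which is the whole trick behind "snmpwalk"; GetBulk does the same work in one round trip per max_repetitions rather than one per row.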

REMOTE MONITORING

The Remote Monitoring (RMON) standard provides a powerful distributed management architecture for performing traffic analysis, troubleshooting, trend reporting, and proactive network management.

In traditional shared-media internetworks, an RMON probe is generally attached to each segment, thus providing visibility into all network activity. However, today's high-performance switched internetworks require new RMON instrumentation solutions due to the dramatically increased number of segments and new technologies such as virtual LANs (VLANs) and Fast Ethernet Inter-Switch Links (ISLs).

The RMON standards can be deployed as a distributed architecture where agents (either embedded or in standalone probes) communicate with a central station (NMS or the management console) via SNMP.

The RMON standard (RFC 1757) organizes monitoring functions into nine groups to support Ethernet topologies and adds a tenth group in RFC 1513 for parameters unique to Token Ring. Fast Ethernet link monitoring is provided in the framework of the RFC 1757 standard, and Fiber Distributed Data Interface (FDDI) ring monitoring is provided in the framework of both RFCs 1757 and 1513.

RMON supports information in nine RMON groups of monitoring elements, each providing a specific set of data to meet common network monitoring requirements, as listed below. Vendors do not have to support all the groups within the MIB. Also, some RMON groups require the support of other RMON groups to function properly.

RMON Group / Function / Elements

Statistics
  Function: Contains statistics for each monitored interface on a device.
  Elements: Packets dropped and sent, broadcast and multicast packets, cyclic redundancy check (CRC) errors, runts, giants, fragments, jabbers, collisions, and counters for various packet sizes.

History
  Function: Stores periodic statistical samples for a network.
  Elements: Sample period, number of samples, and items sampled.

Alarm
  Function: Takes statistical samples from variables and generates an alarm event if the preconfigured thresholds are exceeded.
  Elements: Alarm table, alarm type, interval, and start and stop thresholds. Requires the implementation of the Events group.

Host
  Function: Contains statistics associated with the hosts discovered in the network.
  Elements: Host address; packets and bytes transmitted and received; broadcast, multicast, and error packets.

HostTopN
  Function: Prepares tables describing hosts that top a list ordered by one of their statistics. The sample rate-based statistics are collected over an interval specified by the NMS.
  Elements: Statistics, hosts, sample start and stop periods, rate base, and duration.

Matrix
  Function: Collects statistics for each conversation between sets of two addresses.
  Elements: Source and destination address pairs, and packets, bytes, and errors for each pair.

Filters
  Function: Matches packets by filter equation; the matched packets form a data stream that might be captured or might generate events.
  Elements: Bit-filter type, filter expression, and conditional expression to other filters.

Packet Capture
  Function: Enables packets to be captured after they flow through a channel.
  Elements: Buffer size for captured packets, full status, and number of captured packets.

Events
  Function: Controls the generation and notification of events from this device.
  Elements: Event type, description, last time event sent.
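The Alarm group's "start and stop thresholds" are the part of the table above that practitioners most often get wrong, because an alarm that fires on every sample above the threshold floods the NMS during the very storm it is meant to report. The Python below is an added example, not code from this document or from any RMON agent: it implements the alarmTable semantics of RFC 1757 (absolute or delta sampling, the startup alarm, and the rule that after a rising alarm no further rising alarm is sent until the value has dropped to the falling threshold, and vice versa) and drives it with an invented broadcast-packet counter sampled every 30 seconds, which is how a broadcast storm on one port is caught. The thresholds and counter readings are constructed.

```python
"""RMON alarm-group semantics (alarmTable, RFC 1757 / RFC 2819): sample a
variable at a fixed interval, compare the absolute or delta value against
rising and falling thresholds, and apply the hysteresis rule so that one
crossing produces one event. Constructed example with a made-up counter."""

COUNTER32 = 1 << 32


class RmonAlarm:
    def __init__(self, rising, falling, sample_type="delta", startup="risingOrFalling"):
        if rising <= falling:
            raise ValueError("alarmRisingThreshold must exceed alarmFallingThreshold")
        self.rising, self.falling = rising, falling
        self.sample_type = sample_type              # "absolute" or "delta"
        self.last_raw = None                        # previous counter reading (delta mode)
        self.last_value = None                      # last value that was compared
        # alarmStartupAlarm decides which alarm may fire on the first comparison.
        self.rising_armed = startup in ("rising", "risingOrFalling")
        self.falling_armed = startup in ("falling", "risingOrFalling")
        self.events = []

    def sample(self, raw, t):
        """Feed one reading taken at time t; return the event name or None."""
        if self.sample_type == "delta":
            if self.last_raw is None:               # first reading only sets the baseline
                self.last_raw = raw
                return None
            value = (raw - self.last_raw) % COUNTER32   # Counter32 wrap-safe delta
            self.last_raw = raw
        else:
            value = raw
        self.last_value = value
        event = None
        if value >= self.rising and self.rising_armed:
            event = "risingAlarm"
        elif value <= self.falling and self.falling_armed:
            event = "fallingAlarm"
        # Hysteresis: after a rising crossing no further rising alarm until the
        # value comes back down to the falling threshold, and vice versa.
        if value >= self.rising:
            self.rising_armed, self.falling_armed = False, True
        elif value <= self.falling:
            self.rising_armed, self.falling_armed = True, False
        if event:
            self.events.append((t, event, value))
        return event


def demo() -> list:
    """Broadcast-packet counter on one port sampled every 30 s: a burst, a
    sustained burst (no second alarm), a quiet period, then a new burst.
    Returns the (time, event, sampled value) tuples the agent would report."""
    alarm = RmonAlarm(rising=5000, falling=1000, sample_type="delta", startup="rising")
    readings = [(0, 0), (30, 100), (60, 6000), (90, 13000), (120, 13500), (150, 20000)]
    for t, counter in readings:
        alarm.sample(counter, t)
    return alarm.events
```

With delta sampling the compared value is packets per interval, so the 30-second sample period is part of the threshold's meaning: the same 5000-packet rising threshold is a different alarm at a 5-second interval.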

The RMON alarms, statistics, history, and host/conversation groups are now usable for proactive monitoring and for maintaining network availability based on Media Access Control (MAC) layer traffic. The RMON2 MIB is an extension of RMON and adds support for an additional nine groups. RMON2 enables network administrators to continue their deployment of standards-based monitoring solutions to support mission-critical server-based applications.

The following is a list of groups added in RMON2:

Protocol directory (protocolDir)

Protocol distribution (protocolDist)

Address map (addressMap)

Network-layer host (nlHost)

Network-layer matrix (nlMatrix)

Application-layer host (alHost)

Application-layer matrix (alMatrix)

User history collection (usrHistory)

Probe configuration (probeConfig)

To continuously monitor traffic conditions in a switched network, it is important to populate the RMON Statistics, History, Alarms, and Events groups (called mini-RMON) on a per-port basis. With these four key groups implemented in the embedded agent, continuous real-time and historical traffic statistics are available. The high-speed links between switches are the new backbones of switched internetworks. Continuous monitoring of these links is essential for managing network traffic flows and effectively troubleshooting problems.

VLAN Monitoring

In a switched internetwork environment, users and computing resources are entities within VLANs. To troubleshoot problems in this environment, diagnostic tools must often look beyond a single port or switch and provide aggregation and analysis of network traffic by VLAN. Therefore, it is necessary to instrument critical ISLs and identify traffic by VLAN, switch, and port in order to aggregate and analyze traffic effectively.

The RMON2 specification drives RMON standards beyond the MAC layer to the network and application layers. With RMON2-based agents and probes, all RMON groups map into all the major network-layer protocols, such as IP, Internetwork Packet Exchange (IPX), DECnet, AppleTalk, Banyan VINES, and Open System Interconnection (OSI), giving a complete end-to-end view of network traffic. This setup enables administrators to analyze and troubleshoot networked applications such as web traffic, NetWare, Notes, email, database access, Network File System (NFS), and others.

You can use a network analyzer or an RMON probe, such as a Sniffer Network Analyzer, to monitor the activity in any network. When connecting a network analyzer or RMON probe to a shared-media hub, you see most of the traffic on the network.

In a switched network, however, packets are forwarded only to the specified ports. This setup limits the ability of an analyzer to capturing broadcasts, multicasts, or packets with unresolved hardware addresses. So it is important to place the analyzer or RMON probe in a strategic location, such as between a file server or router and a LAN switch.

You can install a shared-media hub between a switch and a file server to provide an access point for a network analyzer. This setup allows you to determine if the data connection between a user and the file server is working properly. You can further improve your monitoring capability with a matrix switch to capture data on multiple connections

CISCO'S NETWORK MANAGEMENT STRATEGY

To maintain the level of visibility familiar to customers in traditional shared-media networks, Cisco has developed the following strategy for monitoring switched Fast Ethernet internetworks:

Embed RMON agent technology into workgroup and backbone switches to gain visibility into the activity on each switch port or segment.

Provide Switched Port Analyzer (SPAN) functionality on Cisco switches.

Connect Cisco SwitchProbe devices or any existing network analyzer to the SPAN port on a switch.

Use these standalone probes with network management software to monitor critical Fast Ethernet links.

Catalyst 5


When you install CWSI on an NMS workstation, it discovers your network based on the configured domain name and displays a map of your network in the CWSI Map window. The network discovery is done through the Cisco Discovery Protocol (CDP).

The network map displays the physical state of your network, including Cisco switches, routers, and links. VlanDirector software displays the VLANs in your network, including VLAN Trunk Protocol (VTP) domains and the current spanning-tree configuration. It also serves as a launch point for CWSI applications and allows you to display reports about your network status.

    CiscoView

CiscoView is a network device management software application utilizing a graphical user interface (GUI) that provides dynamic status, statistics, and comprehensive configuration information for Cisco switched internetworking products (switches, routers, concentrators, and adapters).

CiscoView graphically displays a physical view of Cisco devices. Additionally, this network management tool provides monitoring functions and offers basic troubleshooting. Using CiscoView, users can easily understand the tremendous volume of management data available for internetworking devices. CiscoView organizes this information into graphical device representations presented in a clear, consistent format.

CiscoView can be integrated with several of the leading SNMP-based network management platforms, providing a cohesive view of your network. Alternatively, it can be run on UNIX workstations as a fully functional independent management application. It is also included within CiscoWorks.

VlanDirector Software

VlanDirector is a GUI-based application that helps to define communities of interest and the VLANs across all Cisco switching platforms. The VlanDirector application also automatically constructs the LAN topology using information gathered from the switches running CDP, thereby facilitating the association of switch connections in the corporate network.

You can create virtual LANs by first defining a workgroup, such as Marketing, and then using the GUI representation of switches to drag the appropriate ports into the VLAN. VlanDirector can then automatically, or with the guidance of the network administrator, configure the switched trunks that interconnect the VLANs. In this manner, VLAN interconnection is completely transparent to the network administrator, as are the actual LAN or Asynchronous Transfer Mode (ATM) technologies being used to interconnect the VLANs.

The trunking functions of the VlanDirector software also support simple rule-based options so that trunking recommendations or decisions can be based on available bandwidth, redundancy options, or shorter switched paths.

TrafficDirector Software

The TrafficDirector application delivers data-link statistics and alarms, traffic flow analysis, and history tracking tools so that you can collect trend analysis of traffic flow patterns in your switched network. Coupling these functions with the host traffic flow features in the TrafficDirector application allows you to determine which systems are using more bandwidth than others and to track information flow. This ability helps you to make sensible decisions when considering whether to deliver switched bandwidth to specific systems or whether the system must be migrated to a higher-performance LAN or switched technology.

TrafficDirector software also supports packet capture and decoding capabilities that allow you to collect network data for troubleshooting purposes. The console applications support multiple filtering and decoding mechanisms that allow you to view network traffic as you would on a popular network analyzer.

Post-capture filters help you sift through the many captured packets to find the specific data you need. These filtering schemes can also be used to perform an unattended capture of network traffic from the switch. The console allows you to define a capture trigger that starts packet capturing on the network, making it easier and more convenient to set "traps" for potential network problems.

AtmDirector Software

The AtmDirector application gives users the ability to discover the ATM topology and map the devices within the topology map; perform an end-to-end path trace analysis across virtual circuits; check on the configuration of LAN Emulation (LANE), including the synchronization of databases across redundant LANE Configuration Servers (LECSs); and graphically configure Private Network-Network Interface (PNNI) settings on a per-device basis.

AtmDirector software allows the discovery of an ATM network that consists of Cisco LightStream 1

The AtmDirector application displays all discovered devices on a topology map, interacts with all discovered devices via pull-down menus or, for quick navigation, via icons, and monitors the status of discovered devices.

AtmDirector software allows you to set up soft permanent virtual channel (SPVC) connections and soft permanent virtual path (SPVP) connections, display ATM VLAN topology and configuration information, identify problems, and monitor performance. You can also use AtmDirector software to display PNNI topology information, configure PNNI nodes, monitor link status, and invoke the CiscoView application for each device on the topology map.

UserTracking

The UserTracking application enables you to access and modify information about end-user nodes in the CWSI and VLAN Membership Policy Server (VMPS) databases in a network. With UserTracking, you can query the CWSI database using up to two search criteria, including username, IP address, and MAC address. UserTracking allows you to display the results of queries in a table in which you can customize, modify, add, and delete port mappings and update the VMPS servers.

You can also use UserTracking to manage the scheduling of network information acquisition. VMPS is a server process that supports dynamic ports. Dynamic ports enable end-user nodes to remain on the same VLAN after being moved and plugged into another physical port without manual port reconfiguration.

Previously, you learned about the Cisco Discovery Protocol (CDP). CDP is media- and protocol-independent and runs on all Cisco-manufactured equipment, including routers, bridges, access and communication servers, and switches.

With CDP, network management applications can retrieve the device type and SNMP agent address of neighboring devices by sending SNMP queries to neighboring devices. CDP allows Cisco network management applications to dynamically discover Cisco devices that are neighbors of already-known devices, in particular neighbors running lower-layer transparent protocols.

CDP runs on all media that support the Subnetwork Access Protocol (SNAP), including LAN and Frame Relay. CDP runs over the data link layer only, not the network layer. Therefore, two systems that support different network-layer protocols can learn about each other. Cached CDP information is available to network management applications. Cisco devices never forward a CDP packet. When new information is received, old information is discarded. CDP advertisements carry no authentication and are sent in the clear, so any station on a port where CDP is enabled receives the switch's device name, platform, software version, management address and native VLAN; the usual practice is to leave it enabled only on links between infrastructure devices.
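What a listener on a user-facing port actually receives is easiest to see by decoding a CDP frame. The Python below is an added example, not Cisco code and not from this document: it builds one CDPv2 advertisement from the public wire format (802.3 length field, LLC/SNAP with OUI 00:00:0c and PID 0x2000, then version, TTL, checksum and type/length/value fields) and parses it back, checking the on-wire lengths before trusting them. The device name "cat5k-floor2", port "3/1", platform string, management address 10.0.0.5 and native VLAN are constructed, and `review` is this example's own policy check, not a Cisco feature.

```python
"""Parser for Cisco Discovery Protocol (CDP) advertisements, exercised on a
constructed frame. Not Cisco code: the layout (802.3 length, LLC/SNAP with
OUI 00:00:0c and PID 0x2000, then version/TTL/checksum and TLVs) is the
public wire format; the device name, port and address below are made up."""
import ipaddress
import struct

CDP_MULTICAST = bytes.fromhex("01000ccccccc")
LLC_SNAP_CDP = bytes.fromhex("aaaa03" "00000c" "2000")
TLV_STRING = {0x0001: "device_id", 0x0003: "port_id", 0x0005: "software",
              0x0006: "platform", 0x0009: "vtp_domain"}
CAPABILITIES = {0x01: "Router", 0x02: "TB-Bridge", 0x04: "SR-Bridge",
                0x08: "Switch", 0x10: "Host", 0x20: "IGMP", 0x40: "Repeater"}


def checksum(data: bytes) -> int:
    """Internet ones-complement checksum. (Cisco folds an odd trailing byte
    differently from the plain algorithm; the constructed frame here has an
    even length, so the two agree.)"""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def tlv(kind: int, value: bytes) -> bytes:
    return struct.pack("!HH", kind, 4 + len(value)) + value   # length includes the 4-byte header


def build_cdp(device_id, port_id, platform, native_vlan, mgmt_ip,
              capabilities=0x08, ttl=180, src_mac=bytes(6)) -> bytes:
    """Constructed CDPv2 advertisement with one IPv4 management address."""
    ip = ipaddress.IPv4Address(mgmt_ip).packed
    # Address entry: count(4), then proto type 1 (NLPID), proto len 1, proto 0xCC (IP), addr len, addr
    addresses = struct.pack("!I", 1) + struct.pack("!BBBH", 1, 1, 0xCC, 4) + ip
    body = (tlv(0x0001, device_id.encode()) + tlv(0x0002, addresses)
            + tlv(0x0003, port_id.encode()) + tlv(0x0004, struct.pack("!I", capabilities))
            + tlv(0x0006, platform.encode()) + tlv(0x000A, struct.pack("!H", native_vlan)))
    cksum = checksum(struct.pack("!BBH", 2, ttl, 0) + body)
    payload = LLC_SNAP_CDP + struct.pack("!BBH", 2, ttl, cksum) + body
    return CDP_MULTICAST + src_mac + struct.pack("!H", len(payload)) + payload


def parse_addresses(value: bytes) -> list:
    (count,) = struct.unpack("!I", value[:4])
    pos, out = 4, []
    for _ in range(count):
        ptype, plen = struct.unpack("!BB", value[pos:pos + 2])
        proto = value[pos + 2:pos + 2 + plen]
        (alen,) = struct.unpack("!H", value[pos + 2 + plen:pos + 4 + plen])
        addr = value[pos + 4 + plen:pos + 4 + plen + alen]
        pos += 4 + plen + alen
        out.append(str(ipaddress.IPv4Address(addr)) if (ptype, proto, alen) == (1, b"\xcc", 4) else addr.hex())
    return out


def parse_cdp(frame: bytes) -> dict:
    """Decode one CDP frame into a dict; raises ValueError on bad framing or lengths."""
    dst, src, length = struct.unpack("!6s6sH", frame[:14])
    if dst != CDP_MULTICAST or frame[14:22] != LLC_SNAP_CDP:
        raise ValueError("not a CDP frame")
    cdp = frame[22:14 + length]
    version, ttl, _ = struct.unpack("!BBH", cdp[:4])
    info = {"version": version, "ttl": ttl, "source_mac": src.hex(":"),
            "checksum_ok": checksum(cdp) == 0}
    pos = 4
    while pos + 4 <= len(cdp):
        kind, ln = struct.unpack("!HH", cdp[pos:pos + 4])
        if ln < 4 or pos + ln > len(cdp):
            raise ValueError("malformed TLV at offset %d" % pos)   # never trust on-wire lengths
        value = cdp[pos + 4:pos + ln]
        if kind in TLV_STRING:
            info[TLV_STRING[kind]] = value.decode("ascii", "replace")
        elif kind == 0x0002:
            info["addresses"] = parse_addresses(value)
        elif kind == 0x0004:
            bits = struct.unpack("!I", value)[0]
            info["capabilities"] = [n for b, n in CAPABILITIES.items() if bits & b]
        elif kind == 0x000A:
            info["native_vlan"] = struct.unpack("!H", value)[0]
        else:
            info["tlv_0x%04x" % kind] = value.hex()
        pos += ln
    return info


def review(info: dict, local_native_vlan: int) -> list:
    """What a listener on a user-facing port learns, plus the classic mismatch check."""
    findings = []
    if "native_vlan" in info and info["native_vlan"] != local_native_vlan:
        findings.append("native VLAN mismatch: neighbor %d, local %d" % (info["native_vlan"], local_native_vlan))
    if info.get("addresses"):
        findings.append("management address disclosed: " + ", ".join(info["addresses"]))
    if set(info.get("capabilities", [])) & {"Switch", "Router"}:
        findings.append("infrastructure device (%s) advertising on this port" % ", ".join(info["capabilities"]))
    return findings


SAMPLE_FRAME = build_cdp("cat5k-floor2", "3/1", "WS-C5000", 1, "10.0.0.5")  # constructed
```

The native VLAN comparison is the same check a switch performs when it logs a native VLAN mismatch on a trunk; an attacker reads the same TLV to learn which VLAN an untagged frame on that port will land in.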

The Switched Port Analyzer (SPAN) is an embedded management feature supported on the Catalyst 5

duplex Fast Ethernet SwitchProbe. VLAN trunk links can be tapped for access to data streams in both directions at line rate for a comprehensive view of all ISL VLAN traffic.

You can monitor a single port or VLAN using a dedicated analyzer such as a Network General Sniffer or an RMON probe such as a Cisco SwitchProbe device. The TrafficDirector management application can access Cisco SwitchProbe devices and the Catalyst 5

MANAGING CISCO 5000 CATALYST SWITCHES

    You can manage the Catalyst 5000 series switches using in-band or out-of-band management.

You can use the following methods for in-band management of the Catalyst switch:

Console port on the Supervisor Engine module

Network connection (Telnet or SNMP) to the switch

Although it is not commonly done, it is possible to use the console port to set up in-band management by way of Telnet or SNMP. It is far more common, however, to make a network connection using a line module.

You can use the following methods for out-of-band management of the Catalyst switch:

Serial port

Serial Line Internet Protocol (SLIP) (Telnet or SNMP)

The console port on the Catalyst 5000 series switches provides for serial management by using a direct terminal connection for out-of-band management, as shown in the following diagram.

The console port on the Supervisor Engine I and II modules is an EIA/TIA-232, data communications equipment (DCE), DB-25 receptacle. Both data set ready (DSR) and data carrier detect (DCD) are active when the system is running. The Request To Send (RTS) signal tracks the state of the Clear To Send (CTS) input. The console port does not support modem control or hardware flow control.

To use the serial interface, connect a terminal that supports a fixed format of 9600 baud, 8 data bits, 1 stop bit, and no parity to the serial port by means of a straight-through EIA/TIA-232 cable. EIA/TIA-232 was known as recommended standard RS-232 before its acceptance as a standard by the Electronics Industry Association (EIA) and Telecommunications Industries Association (TIA).

To connect to the console port on the Supervisor Engine III module, you must use a cable with an RJ-45 connector. In addition to the RJ-45-to-RJ-45 cable, you will need either an RJ-45-to-DB-9 or RJ-45-to-DB-25 female data terminal equipment (DTE) adapter.

Connecting a terminal to the console port of the Catalyst 5000 gives you access to the command line interface (CLI) of the switch. You can use the CLI to configure the Catalyst switches before connecting other network devices. Backplane utilization information for the Catalyst 5000 series switch is available from the CLI with Release 2. Prior to Release 2, backplane utilization information was available only via SNMP or by physical examination of the utilization meter on the front panel of the Network Management Processor (NMP).

You can manage the Catalyst 5000 series switches using the CLI through a terminal attached to the console port on the Supervisor Engine or by attaching a modem and using SLIP.

The Catalyst 5000 series switches support out-of-band management through the use of a modem attached to the console port. This out-of-band connection works in conjunction with SLIP. SLIP is a version of IP that runs over serial links, enabling IP communications over the administrative interface.

You can use the out-of-band connection to:

Establish a Telnet session that provides access to the Catalyst 5000


ESTABLISHING COMMUNICATION WITH A SWITCH

To communicate with a switch and configure the switch parameters, you must connect a data terminal or a PC running a terminal emulation program to the console port located on the Supervisor Engine module.

The console port is an asynchronous serial port, and any devices connected to this port must be capable of asynchronous transmission. Asynchronous devices are the most common type of serial device. For example, most modems are asynchronous devices.

The console port is the local out-of-band console terminal connection to the switch. The console port enables you to use the CLI to perform the following functions:

Configure the switch and monitor network statistics and errors

Configure SNMP agent parameters

Download software updates to the switch

Distribute software images in Flash memory to other devices remotely using network ports

The Supervisor Engine module console port is a data communications equipment (DCE) receptacle. When connecting a terminal to the Supervisor Engine III console port, connect the terminal using a thin flat RJ-45-to-RJ-45 cable and an RJ-45-to-DB-9 or RJ-45-to-DB-25 adapter. When connecting a terminal to the Supervisor Engine I and II console port, use a straight-through cable with a male DB-25 data terminal equipment (DTE) connector on the network end to connect to a DTE device. When connecting a serial device, consider the cable as an extension of the switch for an external connection; therefore, use a null-modem cable to connect the switch to a remote DCE device such as a modem or data service unit (DSU).

Before connecting the console port, check the documentation for your terminal to determine its baud rate and other settings. The baud rate of the terminal must match the default baud rate (9600 baud) of the console port. Use the following settings on the terminal and then turn on power to the console terminal:


Power-up diagnostics are performed by each line module. The time required to complete the test depends on the line module type. System Diagnostics (sysdiag) takes several minutes to complete, based on the total number of ports in the chassis.

During the power-up sequence, the following tests are performed:

Port loopback on all ports is checked.

Data paths and interfaces between line modules are checked.

Backplane is checked.

EARL/SAINT options are verified.

Some LEDs may go on and remain on, or go out and go on again for a short time. Other LEDs, such as the link LED, will stay on during the entire boot process. If an interface is already configured, the LEDs may stay on as they detect traffic on the line. Wait until the system boot is complete before attempting to verify the switching module LED indications.


    At the end of the system boot process, you are instructed to enter a password with the following prompt.

Enter Password:
At the Password prompt, press Return.
Sending RARP request with address <switch MAC address>
Sending bootp request with address <switch MAC address>
(Both lines are repeated several times)
Console>

There are two modes of operation, both password protected: normal and privileged. You can use normal-mode commands for everyday system monitoring. You must use privileged commands for system configuration and basic troubleshooting.

After the boot sequence has finished, if you don't see any prompt, you may want to press the Return or Enter key two or more times.


Before you start connecting devices to the ports of a LAN switch, you must configure some basic parameters of the switch, such as giving the switch an IP address. To help you understand the purpose of configuring these parameters and give you some practice in actually configuring them, in the next section you will use CIMSE to practice some of the basic switch configuration tasks.

CONFIGURATION OF SYSTEM PARAMETERS

The following configuration and troubleshooting tasks are normally completed on a Catalyst 5000 series switch to configure the system parameters:

Configuring system information

Configuring system time, prompt, and password

Configuring the sc0 interface and default gateway

Configuring SNMP parameters, including community strings and traps

Configuring RMON

Using show commands for initial system troubleshooting

You will use CIMSE to complete the Configuration Labs at the end of this tutorial. As the skills and knowledge you learn in this tutorial are critical to a successful completion of the Configuration Lab, please complete this tutorial before you start the simulator.

The Catalyst 5000 series switch supports the following three command options:

set: To configure or modify the system configuration

show: To view the current system configuration or statistics

clear: To clear or allow the overwriting of certain configuration settings

Though the Catalyst 5000 series switch supports a complete set of switch commands, in the interest of providing a methodical learning experience, the simulator supports only a specified set of these commands in each Configuration Lab.

The system information includes the contact name and, possibly, the phone number for the system, the location of the switch, and the name of the switch. This information is important, especially if there are switches at multiple locations that are managed by many people.

The system time must be set correctly, especially if the switch is connected to other switches and routers in the network. The correct time of network failures, error messages, or traps may help with a quick diagnosis of the cause of the problems. If the network has multiple switches, you can configure each switch with a meaningful prompt to help identify the switch you are configuring or troubleshooting.

You already learned that there are two levels of passwords on the Catalyst 5000 series switch. It is important to secure access to the switches in a network. Ensure the security of the network by assigning proper passwords and writing them down in a safe place for your reference.

The set interface command is used to assign the IP network address, subnet mask, and broadcast address for the Catalyst interfaces. The same set interface command is used to assign the SLIP and destination addresses for the SLIP interfaces. It can also be used to administratively bring the interfaces up or down. There are two configurable network interfaces on a Catalyst 5000 series switch: in-band (sc0) and Serial Line Internet Protocol (SLIP) (sl0).

After you assign an IP address to sc0, the Catalyst 5000 becomes accessible through Ethernet and FDDI interfaces. The sc0 interface is up by default. You only need to use the set interface sc0 up command after you administratively bring the interface down.

In the Configuration Lab, you will configure the sc0 interface type when assigning the Catalyst 5000 series switch IP address.

If there is a need to configure the SLIP interface, you can use this interface type when configuring a SLIP connection on the switch. The SLIP connection (sl0) and the console port connection (sc0) cannot use the console port at the same time. Use 0 for local, and 1 for remote. The default configuration routes the local network through the sc0 interface with metric 0 as soon as sc0 is configured.

You will also use the set ip route command to configure a default IP gateway. A default IP gateway routes IP packets that have unresolved destination IP addresses. Setting the default gateway IP address tells the switch how to connect to a device not on the local network.

You can define up to three default IP gateways with Catalyst 5000 series switch software Release 4.1. Defining multiple default IP gateways provides redundancy. If the primary default IP gateway fails, the Catalyst 5000 series switch uses the secondary default IP gateways in the order in which they were configured.

SNMP, an application-layer protocol, facilitates the exchange of Management Information Bases (MIBs) between network devices. SNMP community strings authenticate access to the MIB and function as embedded passwords. The SNMP community strings (passwords) are used for transmission of SNMP data between devices and are accessible to the network management station. For an SNMP message to be processed, the community string must match one of the following three community-string modes configured in the switch:

Read-only: This mode gives read access to all objects in the MIB except the community strings, but does not allow write access.

Read-write: This mode gives read and write access to all objects in the MIB but does not allow access to the community strings.

Read-write all: This mode gives read and write access to all objects in the MIB, including the community strings.


Configure the SNMP community strings on the switch to be managed using an SNMP network management workstation. The switch sends a trap to the receiver (such as an SNMP manager or workstation) under various conditions, such as when a port or module goes up or down, when temperature limitations are exceeded, when authentication failures occur, or when power supply errors occur.

The set snmp trap command enters the IP address of the receiving station into the trap receiver table, which can hold up to ten addresses.


Though the following information is not included in the Configuration Lab, you may find it useful in managing or troubleshooting the switch.

Switch Does Not Boot

On initial power-on, if the switch fails to boot up, check the following:

Check the switch hardware and make sure that the Supervisor Engine is seated properly.

If any of the power-on diagnostics failed, write down the information.

Password Recovery

If the password for a Catalyst 5000 series switch is lost or forgotten, you will be able to access the switch by restarting it and pressing the Enter key during the first 30 seconds of the restart process.

To recover a lost password on the Catalyst 5000, use the following steps:

1. Make sure that you are connected to the console port of the switch.

2. Reboot the switch and immediately start pressing the Enter key until you get a prompt.

3. Enter the enable command and press the Enter key.

4. When the switch prompts for a password, just press the Enter key.

5. Now enter the set password or set enablepass command, depending on which password you need to recover.

6. At the password prompt, press the Enter key for the old password, and when prompted for a new password, enter the new password and then confirm the new password.

BOOTP Configuration

The IP address for a switch can be set using the BOOTP protocol. You can configure a BOOTP server with the Media Access Control (MAC) and IP addresses of the switch. Use the configure network command to download a configuration file from the network and execute each command in that file. The following example shows how to download the configuration file called system5.cfg from the 192.122.174.42 host:


Console> (enable) configure 192.122.174.42 system5.cfg

You can use the download command to copy a software image from a specified host to the Flash memory of a designated module. Use the upload command to copy a software image from a designated module to a specified host. The Catalyst 5000 switch supports two ways to download and upload new code:

TFTP network connections through any network port

Kermit serial transfer through the console port

Only the first method applies to the ATM module. The download command downloads code to the Flash memory. Catalyst 5000


CONFIGURING LAN SWITCH PORTS

Before connecting network devices to a LAN switch, you must configure the parameters for the ports on a LAN switch, including the port speed, port priority, port transmission mode, and other port parameters.

The transmission speed of the standard Ethernet ports is 10 Mbps. However, the Fast Ethernet modules support a speed of 100 Mbps. Depending on the type of modules, some Fast Ethernet modules operate at both the 10- and 100-Mbps speeds. Switching modules supporting speeds up to 1000 Mbps are also being introduced into the marketplace now.

As you learned earlier, Ethernet ports could be designed to operate either in half- or full-duplex mod. Remember that when switch ports are configured to operate in full-duplex mode on dedicated links or between switches, the bandwidth supported by that link is doubled.

The Catalyst 5000 series switch Ethernet and Fast Ethernet switching modules share the following features:

Port-to-port wire-speed packet transfer

Media-rate performance across the 1.2-Gbps backplane

Half- or full-duplex operation on dedicated switch ports

Dedicated application-specific integrated circuit (ASIC) on each port with embedded Remote Monitoring (RMON) and standard Ethernet Management Information Base (MIB)

192K buffers on each interface to accommodate "bursty" traffic

Connectivity from switched Ethernet and Fast Ethernet to Fiber Distributed Data Interface (FDDI) and Asynchronous Transfer Mode (ATM) backbones

Hot-swappable capability

For additional information on all commands discussed in this module, refer to the Catalyst 5000 Series Command Reference publication.

An Ethernet port on the Catalyst 5000 series switch can connect to a single workstation or server, or to a hub through which workstations or servers connect to the network. Ports on a typical Ethernet hub are all connected to a common backplane within the hub, and the bandwidth of the network is shared by all devices attached to the hub.

If two stations establish a session that uses a significant level of bandwidth, the network performance of all other stations attached to the hub is degraded. To reduce degradation, the Catalyst 5000 series switch treats each port as an individual segment, and when stations on different ports need to communicate, it switches frames from one port to the other at wire speed. Switching ensures that each session receives the full 10-Mbps bandwidth.


In this module, you will learn to configure the following port parameters on the Fast EtherChannel switching module on the Catalyst 5000

Use the set port name command to set the port name for the Catalyst 5000 series switch modules.

Configuring Port Priority Level

You can configure the priority level of each port to be normal or high. The priority level determines a port's priority to access the switching bus. Use the set port level command to set the port priority for the Catalyst 5000 series switch modules.

The default port priority for Ethernet switching modules is normal.

Setting the Port Speed

You can configure the port speed for 10/100BaseTX ports on the 10/100-Mbps Fast Ethernet switching module,

desired.


Usage: set spantree portfast <mod_num/port_num> <enable|disable>

Console> (enable) set spantree portfast 1/2 enable

Caution: Spantree port fast start should only be enabled on ports connected to a single host. Connecting hubs, concentrators, switches, bridges, etc. to a fast start port can cause temporary spanning tree loops. Use with caution.

Spantree port 1/2 fast start enabled.

Configuration of Port Security Feature

Media Access Control (MAC) address security allows the Catalyst 5000 series switch to block input to an Ethernet or Fast Ethernet port when the MAC address of a station attempting to access the port is different from the configured MAC address.

Secure port filtering does not apply to trunk ports, where the source addresses change frequently.

The set port security command allows you to set the MAC address of a specified port as the given address. If the MAC address is not given, the address is learned. After the address is learned, it remains unchanged until the system relearns it when you reenter the command. The MAC address is stored in nonvolatile random-access memory (NVRAM) and maintained even after a reset.

Configuration Example

Console> set port security 3/1 enable

Port 3/1 port security enabled with the learned mac address.

Console> set port security 3/1 enable 01-02-03-04-05-06

Port 3/1 port security enabled with 01-02-03-04-05-06 as the secure mac address.
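The two forms of set port security shown in the example above, modelled as an added example (my own Python, not CatOS code); the SecurePort class, the port names and the 00-aa-bb-cc-dd-xx station addresses are constructed for the demonstration.

```python
import re


def normalize_mac(mac):
    """Accept 01-02-03-04-05-06, 01:02:03:04:05:06 or 0102.0304.0506 and
    return the 12 lowercase hex digits, so notation does not affect matching."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError("not a 48-bit MAC address: %r" % mac)
    return digits


class SecurePort:
    """Hypothetical model of 'set port security <mod/port> enable [mac]' on a
    Catalyst 5000 access port: the secure address is either given on the
    command line or learned from the first frame, and it is kept (as NVRAM
    would keep it) until the command is entered again."""

    def __init__(self, name, trunk=False):
        self.name = name
        self.trunk = trunk
        self.enabled = False
        self.secure_mac = None

    def set_port_security(self, mac=None):
        if self.trunk:
            # Secure port filtering does not apply to trunk ports, where
            # source addresses change constantly.
            raise ValueError("port security is not supported on trunk port %s" % self.name)
        self.enabled = True
        self.secure_mac = normalize_mac(mac) if mac else None   # None: learn from next frame
        if self.secure_mac:
            return "Port %s port security enabled with %s as the secure mac address." % (self.name, mac)
        return "Port %s port security enabled with the learned mac address." % self.name

    def receive(self, src_mac):
        """Return True if a frame from src_mac is accepted on this port, False if blocked."""
        src = normalize_mac(src_mac)
        if not self.enabled:
            return True
        if self.secure_mac is None:
            self.secure_mac = src          # first station seen becomes the secure address
            return True
        return src == self.secure_mac


def demo():
    """Exercise the learned and the explicitly given forms on constructed frames."""
    learned = SecurePort("3/1")
    learned.set_port_security()
    results = [learned.receive("00-aa-bb-cc-dd-01"),   # learned, accepted
               learned.receive("00-aa-bb-cc-dd-02"),   # a different station, blocked
               learned.receive("00-aa-bb-cc-dd-01")]   # original station still accepted
    fixed = SecurePort("3/2")
    fixed.set_port_security("01-02-03-04-05-06")
    results += [fixed.receive("0102.0304.0506"),        # same address, other notation, accepted
                fixed.receive("01-02-03-04-05-07")]     # blocked
    # Re-entering the command with no address makes the port learn the next station again.
    learned.set_port_security()
    results.append(learned.receive("00-aa-bb-cc-dd-02"))
    return results


if __name__ == "__main__":
    print(demo())   # [True, False, True, True, False, True]
```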


The set spantree uplinkfast command, when enabled, affects all VLANs on a Catalyst 5000 series switch. You cannot configure the UplinkFast feature on an individual VLAN.

The following example shows how to enable and verify the Fast Uplink Switchover feature with a station-update rate of 40 packets per 100 milliseconds:

Console> (enable) set spantree uplinkfast enable rate 40
VLANs 1-1000 bridge priority set to 49152.
The port cost and portvlancost of all ports increased by 3000.
Station update rate set to 40 packets/100ms.
uplinkfast turned on for bridge.

Use the set spantree portvlancost command to assign a lower cost to a set of VLANs on a port. If you do not specify the VLANs, the command acts on the VLANs specified in prior instances of this command. If you do not specify a cost, the portvlancost value is set to one less than the current portcost value for the port.

When UplinkFast is enabled, the bridge priority of all VLANs is set to 49152, and the path cost of all ports and VLAN trunks is increased by 3000. When UplinkFast is disabled, the bridge priorities of all VLANs and path costs of all ports are set to default values.

Configuration of SPAN Port (Port Monitoring)

Previously, you learned about the importance of using RMON probes for troubleshooting and managing switched networks. You can connect a network analyzer or an RMON probe, such as Cisco's SwitchProbe, to a port on the Catalyst 5000 series switch to mirror traffic from another port or a VLAN to this port. This port is known as the Switched Port Analyzer (SPAN) port.

TROUBLESHOOTING TIPS

You can use the following commands for troubleshooting some of the problems you may encounter when configuring the port parameters:

show module

show port

show port channel

show mac

The show module command displays the module type, model, serial number, status, module MAC address, and hardware, firmware, and software version numbers. If the status is not "ok", you know there is a problem with the module. Verify that the version of hardware, firmware, and software used by the module supports the feature you want to configure in the switch.

The show port command displays a wealth of information about the port, including name, VLAN, status, priority level, transmission type, and speed of the port. The display also includes all the port errors, including alignment, frame check sequence (FCS), transmit, and receive errors.

The show port channel command is useful in troubleshooting the Fast EtherChannel modules. The command displays the status (connected or not connected), channel mode (on, off, auto, desirable), and the channeling status indicating whether it is an EtherChannel link or not. The display also shows information about the port and device the channel is connected to.

The show mac command is useful in troubleshooting the MAC counters. The command displays important counters associated with the port.

The Configuration Labs build on the configuration completed in the previous exercises; therefore, you should complete the tutorials in the order presented.


    *+, VLAN ,+R-.

VLANs allow ports on the same or different switches to be grouped so that traffic is confined to members of that group only. This feature restricts broadcast, unicast, and multicast traffic flooding to ports included only in a certain VLAN. You can set up VLANs for an entire management domain from a single Catalyst 5000 series switch.

The VLANs on a Catalyst 5000


VTP transparent: A switch configured in the VTP transparent mode does not participate in VTP; however, it will pass on the VTP advertisements. A VLAN defined on the switch is only local to the switch and is stored in NVRAM.

VTP servers and clients transmit information through trunks to other attached switches and receive updates from those trunks. Using VTP servers, the global VLAN information can be modified through the VTP Management Information Base (MIB) or the CLI.

The advertisement frames are sent to a multicast address so that they can be received by all neighboring devices, but they are not forwarded by normal bridging procedures. All switches in the same management domain learn about any new VLANs configured in the transmitting switch.

Using periodic advertisements, VTP tracks configuration changes and communicates them to other switches in the network. The configuration is updated and propagated to the other switches by a higher VTP-advertisement revision number. The switch ignores VTP advertisements with a lower revision number.
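The domain, mode and revision-number rules above, worked through as an added example (my own Python, not the project's code); the switch names, domain names and VLAN tables are constructed, and treating an advertisement with an equal revision as already known is an assumption.

```python
from dataclasses import dataclass, field


@dataclass
class VtpAdvertisement:
    domain: str
    revision: int
    vlans: dict        # VLAN number -> VLAN name carried in the advertisement


@dataclass
class VtpSwitch:
    """Hypothetical model of one switch's VTP behaviour as the text describes it."""
    name: str
    domain: str
    mode: str          # "server", "client" or "transparent"
    revision: int = 0
    vlans: dict = field(default_factory=lambda: {1: "default"})
    relayed: list = field(default_factory=list)   # advertisements passed on out trunks

    def receive(self, adv):
        """Apply one advertisement received on a trunk and report what happened."""
        if adv.domain != self.domain:
            return "ignored: domain %r is not our domain" % adv.domain
        if self.mode == "transparent":
            self.relayed.append(adv)      # forwarded unchanged; local VLAN table untouched
            return "relayed: transparent mode does not participate in VTP"
        if adv.revision <= self.revision:
            # Only a higher revision updates the table; an equal one is treated as
            # already known (assumption for the equal case, which the text does not cover).
            return "ignored: revision %d is not higher than %d" % (adv.revision, self.revision)
        # Any server in the domain with a higher revision replaces this table, which is
        # why domain membership and revision numbers are worth monitoring on every switch.
        self.vlans = dict(adv.vlans)
        self.revision = adv.revision
        self.relayed.append(adv)
        return "applied: VLAN table replaced at revision %d" % adv.revision


def demo():
    """Constructed scenario: a client, a transparent switch, a current and a stale server."""
    client = VtpSwitch("sw-client", "CORP", "client", revision=3,
                       vlans={1: "default", 10: "sales"})
    transparent = VtpSwitch("sw-edge", "CORP", "transparent",
                            vlans={1: "default", 99: "local-only"})
    current = VtpAdvertisement("CORP", 5, {1: "default", 10: "sales", 20: "eng"})
    stale = VtpAdvertisement("CORP", 2, {1: "default"})
    foreign = VtpAdvertisement("LAB", 50, {1: "default", 40: "lab"})
    log = [client.receive(current), client.receive(stale), client.receive(foreign),
           transparent.receive(current)]
    return log, client.vlans, client.revision, transparent.vlans, len(transparent.relayed)


if __name__ == "__main__":
    for line in demo()[0]:
        print(line)
```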


The VTP pruning feature detects when a switch does not need the traffic for a particular VLAN and restricts flooded traffic to only those trunk links that the traffic must use to access the appropriate network devices. VTP pruning enhances network bandwidth use by reducing unnecessary flooded traffic, which includes broadcast, multicast, unknown, and flooded unicast packets.

Configuring VTP Pruning

By default, VTP pruning is disabled in a management domain. The pruning enable option of the set vtp command enables pruning in the entire management domain. Make sure that all devices in the management domain support VTP pruning before enabling it. VTP pruning, even if enabled, does not take effect on a VLAN that is not pruning-eligible. By default, VLAN 1 is not pruning-eligible, while VLANs 2 through 1000 are pruning-eligible.

To enable pruning eligibility, the set vtp pruneeligible command is used.

Console> set vtp pruneeligible 120,150

Vlans 4-5,9-99,120,150,201-1000 eligible for pruning on this device.

This command specifies VLANs 120 and 150 as eligible for pruning. It also displays all pruning-eligible VLANs.

To disable pruning eligibility, the clear vtp pruneeligible command is used.

Console> clear vtp pruneeligible 2,3,6-8,100-200

Vlans 1-3,6-8,100-200 will not be pruned on this device.

Pruning eligibility resides on the local device only.

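The set vtp pruneeligible and clear vtp pruneeligible behaviour above, reproduced by an added example (my own Python, not CatOS code) that keeps the per-switch eligibility table and parses and prints VLAN lists in the switch's range form; the PruneEligibility class and its method names are hypothetical.

```python
MAX_VLAN = 1000   # the VLAN range the tutorial works with (VLANs 1 through 1000)


def parse_vlan_list(text):
    """Parse a CatOS VLAN list such as "2,3,6-8,100-200" into a set of VLAN numbers."""
    vlans = set()
    for part in text.split(","):
        part = part.strip()
        if not part:
            continue
        lo, _, hi = part.partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not (1 <= lo <= hi <= MAX_VLAN):
            raise ValueError("bad VLAN range: %r" % part)
        vlans.update(range(lo, hi + 1))
    return vlans


def format_vlan_list(vlans):
    """Collapse a set of VLAN numbers into the "a-b,c" form the switch prints."""
    nums, out, i = sorted(vlans), [], 0
    while i < len(nums):
        j = i
        while j + 1 < len(nums) and nums[j + 1] == nums[j] + 1:
            j += 1                       # extend the run while numbers are consecutive
        out.append(str(nums[i]) if i == j else "%d-%d" % (nums[i], nums[j]))
        i = j + 1
    return ",".join(out)


class PruneEligibility:
    """Hypothetical per-switch pruning-eligibility table.
    Default: VLAN 1 is not pruning-eligible, VLANs 2 through 1000 are."""

    def __init__(self):
        self.eligible = set(range(2, MAX_VLAN + 1))

    def set_vtp_pruneeligible(self, text):
        self.eligible |= parse_vlan_list(text)
        return "Vlans %s eligible for pruning on this device." % format_vlan_list(self.eligible)

    def clear_vtp_pruneeligible(self, text):
        self.eligible -= parse_vlan_list(text)
        ineligible = set(range(1, MAX_VLAN + 1)) - self.eligible
        return "Vlans %s will not be pruned on this device." % format_vlan_list(ineligible)


if __name__ == "__main__":
    table = PruneEligibility()
    print(table.set_vtp_pruneeligible("120,150"))
    print(table.clear_vtp_pruneeligible("2,3,6-8,100-200"))
```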
DYNAMIC VLAN MEMBERSHIP

You can configure the VLAN membership for a port to be static or dynamic. Dynamic ports are assigned to a VLAN based on the source Media Access Control (MAC) address of the hosts connected to that port. One advantage of dynamic ports is that you can move a device from a port on one switch to a port on another switch in the network without changing the VLAN assignment.

To configure dynamic port VLAN membership, the following tasks have to be completed:

Configure the VLAN Membership Policy Server (VMPS)

Configure dynamic ports on clients

The VMPS has a database of MAC-address-to-VLAN mappings necessary for setting up dynamic ports.

After you enable VMPS by entering the set vmps state enable command, the configuration information is downloaded from a Trivial File Transfer Protocol (TFTP) server. After the VMPS successfully downloads the ASCII configuration file, it parses the file, builds a database, and begins to accept requests from clients.


The VMPS opens a User Datagram Protocol (UDP) socket to communicate with clients and listen to client requests. As shown in the following figure, upon receiving a valid request from a client, the VMPS searches its database for a MAC-address-to-VLAN mapping.

If the assigned VLAN is restricted to a group of ports, the VMPS verifies the requesting port against this group. If the VLAN is legal on this port, the VLAN name is passed in the response. If the VLAN is illegal on that port and the VMPS is not in secure mode, it sends an access-denied response. If the VMPS is in secure mode, it sends a port-shutdown response.

If the VLAN from the table does not match the current VLAN on the port and there are active hosts on the port, the VMPS sends an access-denied or a port-shutdown response based on the secure mode of the VMPS.

You can configure a fallback VLAN name into the VMPS. If the requested MAC address is not in the table, the VMPS sends the fallback VLAN name in response. If you do not configure a fallback VLAN and the MAC address does not exist in the table, the VMPS sends an access-denied response. If the VMPS is in secure mode, it sends a port-shutdown response.

Upon subsequent resets of the Catalyst 5000 series switches, the configuration information is downloaded automatically from a TFTP server, and the VMPS is enabled.

Dynamic ports work in conjunction with the VMPS. You must configure the VMPS before configuring dynamic ports. The VMPS must be active and accessible to the Catalyst 5000 series switch.

On the current Catalyst 5000 series switch hardware platform, a dynamic nontrunking port can belong to only one VLAN at a time. Upon link-up, a dynamic port is isolated from its static VLAN. The source MAC address from the first packet of a new host on the dynamic port is sent to the VMPS, which provides the VLAN number to which this port must be assigned.

Multiple hosts (MAC addresses) can be active on a dynamic port, provided they are all in the same VLAN.


You must define the VMPS domain in the file. It corresponds to the VTP domain name of the switch. The mode defines the VMPS to be either in open or secure mode. The fallback VLAN is assigned to the MAC addresses not defined in the database.

"MAC addresses" define the MAC address and the corresponding VLAN table. The keyword --NONE-- specifies that the MAC address should be denied connectivity. A port is identified by the IP address of the switch and the module/port number of the port in the form modnum/portnum.

"Port group" defines a logical group of ports. The keyword all-ports specifies all the ports in the specified switch.

"VLAN group" defines a logical group of VLANs. These logical groups define the VLAN port policies in the next section.

"VLAN port policies" define the ports associated with a restricted VLAN. You can configure a restricted VLAN by defining the set of dynamic ports on which it can exist.

The VMPS parser is a line-based parser. Start each entry in the file on a new line. Ranges are not allowed for the port numbers.

A sample VMPS configuration file is shown below:

!vmps domain <domain-name>
! The VMPS domain must be defined.
!vmps mode { open | secure }
! The default mode is open.
!vmps fallback <vlan-name>
!vmps no-domain-req { allow | deny }
!
! The default value is allow.
vmps domain WBU
vmps mode open
vmps fallback default
vmps no-domain-req deny
!
!
!MAC Addresses
!
vmps-mac-addrs
!
! address <addr> vlan-name <vlan_name>
!
address 0012.2233.4455 vlan-name hardware
address 0000.6509.a080 vlan-name hardware
address aabb.ccdd.eeff vlan-name Green
address 1223.5678.9abc vlan-name ExecStaff
address fedc.ba98.7654 vlan-name --NONE--
address fedc.ba23.1245 vlan-name Purple
!
!Port Groups
!
!vmps-port-group <group-name>
! device <device-id> { port <port-name> | all-ports }
!
vmps-port-group WiringCloset1
 device 198.92.30.32 port 3/2
 device 172.20.26.11 port 2/8
vmps-port-group "Executive Row"
 device 198.4.254.222 port 1/2
 device 198.4.254.222 port 1/3
 device 198.4.254.223 all-ports
!
!
!VLAN groups
!
!vmps-vlan-group <group-name>
! vlan-name <vlan-name>
!
vmps-vlan-group Engineering
 vlan-name hardware
 vlan-name software
!
!
!VLAN port Policies
!
!vmps-port-policies { vlan-name <vlan_name> | vlan-group <group-name> }
! { port-group <group-name> | device <device-id> port <port-name> }
!
vmps-port-policies vlan-group Engineering
 port-group WiringCloset1
vmps-port-policies vlan-name Green
 device 198.92.30.32 port 3/8
vmps-port-policies vlan-name Purple
 device 198.4.254.22 port 1/2
 port-group "Executive Row"
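The file format above and the request handling described in the previous section (open versus secure mode, fallback VLAN, --NONE--, restricted VLANs and active hosts), as one added example (my own Python, not Cisco's VMPS code); the Vmps class is hypothetical, SAMPLE_VMPS_CONFIG is a constructed subset of the sample file, and refusing a request from a different domain is an assumption.

```python
import shlex

# Constructed sample in the VMPS file format described above (a subset of the page's sample file).
SAMPLE_VMPS_CONFIG = """\
vmps domain WBU
vmps mode secure
vmps fallback default
vmps no-domain-req deny
!
vmps-mac-addrs
address 0012.2233.4455 vlan-name hardware
address aabb.ccdd.eeff vlan-name Green
address fedc.ba98.7654 vlan-name --NONE--
!
vmps-port-group WiringCloset1
 device 198.92.30.32 port 3/2
 device 172.20.26.11 port 2/8
vmps-port-group "Executive Row"
 device 198.4.254.223 all-ports
!
vmps-vlan-group Engineering
 vlan-name hardware
 vlan-name software
!
vmps-port-policies vlan-group Engineering
 port-group WiringCloset1
vmps-port-policies vlan-name Green
 device 198.92.30.32 port 3/8
 port-group "Executive Row"
"""


class Vmps:
    """Hypothetical VMPS written for this tutorial: parses the line-based file and
    answers client requests with the responses the text describes."""

    def __init__(self, text):
        self.domain, self.mode, self.fallback, self.no_domain_req = None, "open", None, "allow"
        self.mac_to_vlan, self.port_groups, self.vlan_groups = {}, {}, {}
        self.restricted = {}          # VLAN name -> set of (device, port) where it may exist
        self._parse(text)

    def _parse(self, text):
        targets = []                  # the sets that the current section's entries go into
        for raw in text.splitlines():
            line = raw.split("!", 1)[0].strip()       # "!" starts a comment; one entry per line
            if not line:
                continue
            tok = shlex.split(line)                   # quotes allow names such as "Executive Row"
            if tok[0] == "vmps" and tok[1] in ("domain", "mode", "fallback", "no-domain-req"):
                setattr(self, tok[1].replace("-", "_"), tok[2])
            elif tok[0] == "vmps-mac-addrs":
                targets = []
            elif tok[0] == "address":                 # address <mac> vlan-name <vlan>
                self.mac_to_vlan[tok[1].lower()] = tok[3]
            elif tok[0] == "vmps-port-group":
                targets = [self.port_groups.setdefault(tok[1], set())]
            elif tok[0] == "vmps-vlan-group":
                targets = [self.vlan_groups.setdefault(tok[1], set())]
            elif tok[0] == "vmps-port-policies":      # vlan-name <v> | vlan-group <g>
                names = [tok[2]] if tok[1] == "vlan-name" else sorted(self.vlan_groups[tok[2]])
                targets = [self.restricted.setdefault(n, set()) for n in names]
            elif tok[0] == "device":                  # device <ip> port <mod/port> | all-ports
                entry = (tok[1], tok[3] if tok[2] == "port" else "all-ports")
                for s in targets:
                    s.add(entry)
            elif tok[0] == "port-group":
                for s in targets:
                    s |= self.port_groups[tok[1]]
            elif tok[0] == "vlan-name":
                for s in targets:
                    s.add(tok[1])
            else:
                raise ValueError("unrecognised VMPS entry: %r" % raw)

    def _deny(self):
        # Secure mode answers an illegal request with port-shutdown, open mode with access-denied.
        return "port-shutdown" if self.mode == "secure" else "access-denied"

    def lookup(self, device, port, mac, domain=None, current_vlan=None, active_hosts=False):
        """Answer one client request: 'vlan <name>', 'access-denied' or 'port-shutdown'."""
        if domain is None and self.no_domain_req == "deny":
            return self._deny()
        if domain is not None and domain != self.domain:   # assumption: foreign domain refused
            return self._deny()
        vlan = self.mac_to_vlan.get(mac.lower(), self.fallback)   # fallback for unknown MACs
        if vlan is None or vlan == "--NONE--":                      # no fallback, or explicit deny
            return self._deny()
        allowed = self.restricted.get(vlan)
        if allowed is not None and not ({(device, port), (device, "all-ports")} & allowed):
            return self._deny()                       # VLAN is restricted and port is not in the group
        if current_vlan is not None and active_hosts and vlan != current_vlan:
            return self._deny()                       # would move active hosts to another VLAN
        return "vlan " + vlan
```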

STP PARAMETERS

The interval at which BPDUs are sent is determined by the set spantree hello command, which is set to 2 seconds by default. If a Catalyst 5000 switch does not receive a BPDU in the time period defined by the set spantree maxage command (20 seconds by default), then the blocked port transitions to listening state, then learning state, and finally to forwarding state. As it transitions, the Catalyst 5000 switch waits for the time period specified by the set spantree fwddelay command (15 seconds by default) in each of these intermediate states. Therefore, a blocked spanning-tree port moves into the forwarding state if it does not receive BPDUs from its neighbor within approximately 50 seconds.

The show spantree <vlan> command displays the Spanning-Tree Protocol information for the VLAN specified.

Since each VLAN has its own spanning tree, these spanning-tree parameters are configurable for each VLAN. However, unless you have a specific need to change the Spanning Tree Protocol parameters, use of the default settings for the above parameters is recommended.

The spantree root, portvlanpri, and portvlancost parameters are discussed in a later tutorial.

    LAN SWITCH TRUNKS

    A trunk is a point-to-point connection that carries traffic for multiple virtual LANs (VLANs) between two LAN switches or between a LAN switch and a router. If two LAN switches are connected using regular Ethernet ports (10- or 100-Mbps), the link will allow the devices connected to the switches to communicate only if both devices are in the same VLAN. However, if the same link is configured as a trunk, it will be able to carry traffic for multiple VLANs.

    The following different types of trunks are used in network environments:

    Cisco's ISL trunks

    IEEE 802.10 trunks

    Using ISL or VLAN trunks, you can connect switches to each other and to routers using high-speed interfaces. The Catalyst 5000 series switches can multiplex up to 1000 VLANs between switches and routers by using ISL on Fast Ethernet, LANE on ATM, or 802.10 on Fiber Distributed Data Interface (FDDI). You can use any combination of these trunk technologies to form enterprise-wide VLANs and choose between low-cost copper and long-distance fiber connections for your trunks.

    The following diagram shows how two Catalyst switches connected with ISL trunks carry traffic for multiple VLANs:

    The Dynamic ISL (DISL) protocol dynamically configures trunk ports between ISL-capable Catalyst switches; it synchronizes two interconnected Fast Ethernet interfaces into becoming ISL trunks and minimizes VLAN trunk configuration procedures because only one end of a link must be configured as a trunk or nontrunk.

    Using spanning-tree port-VLAN priorities, you can load share VLAN traffic over parallel trunk ports so that traffic from some VLANs travels over one trunk, while traffic from other VLANs travels over the other trunk. This configuration allows traffic to be carried over both trunks simultaneously rather than keeping one trunk in blocking mode, reducing the total traffic carried over each trunk while still maintaining a fault-tolerant configuration.

    The following figure shows a parallel trunk configuration between two Catalyst 5000 series switches, using the Fast Ethernet uplink ports on the Supervisor Engine.

    By default, the port-VLAN priorities for both trunks are equal (a value of 32). Therefore, the Spanning-Tree Protocol blocks port 1/2 (Trunk 2) for each VLAN on Switch 1 (top) to prevent forwarding loops. Trunk 2 is not used to forward traffic unless Trunk 1 fails.

    Configuration of VLAN-Traffic Load Sharing

    The following section shows how to configure the Catalyst 5000 series switches so that traffic from multiple VLANs is load balanced over the parallel trunks.

    To configure load sharing of VLAN traffic, you can divide the configured VLANs into two groups. You might want traffic from half of the VLANs to go over one trunk link and half over the other, or if one VLAN has heavier traffic than the others, you can have traffic from that VLAN go over one trunk and traffic from the other VLANs go over the other trunk link.


    The top Catalyst 5500 switch in the figure is connected to the bottom Catalyst switch (Switch 2) via its Supervisor Engine Fast Ethernet ports. You decide that you want VLANs 3 and 4 to use Trunk 1 in the figure as their primary link and you want VLANs 9 and 10 to use Trunk 2 as their primary link.

    To effect this configuration, on Trunk 1, raise the priority of VLANs 3 and 4 from the default of 32 to a lower number, say, 16. Do this by entering the following command on both switches:

    Console> (enable) set spantree portvlanpri 1/1 16 3-4
    Port 1/1 vlans 1-2,5-1005 using portpri 32
    Port 1/1 vlans 3-4 using portpri 16

    Next, on Trunk 2, raise the priority of VLANs 9 and 10 from the default of 32 to 16. Do this by entering the following command on both switches:

    Console> (enable) set spantree portvlanpri 1/2 16 9-10
    Port 1/2 vlans 1-8,11-1005 using portpri 32
    Port 1/2 vlans 9-10 using portpri 16

    The configuration needs to be performed on the switch closest to the spanning-tree root bridge. Because spanning-tree topologies change without warning, it is best to configure both switches with the same configuration, just to be safe.

    Now, VLAN traffic from VLANs 3 and 4 will normally travel on the link shown on the left. VLAN traffic from VLANs 9 and 10 will normally travel on the link shown on the right. Should either link fail, the traffic that normally travels on that link will travel on the other link instead.
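An added Python model (not part of the original tutorial and not Cisco's code) of the two commands above: it reproduces the grouped "Port ... vlans ... using portpri ..." lines and applies the selection rule the text relies on, lowest port-VLAN priority forwards and a tie goes to the lower-numbered port, so that the trunk carrying each VLAN, and the failover when one trunk goes down, can be checked. The tie-break rule and the 1-1005 VLAN range are assumptions of this model; it is not a full spanning-tree implementation.

```python
from collections import defaultdict

VLAN_RANGE = range(1, 1006)   # normal-range VLANs 1-1005, as in the show output above
DEFAULT_PORTPRI = 32          # default port-VLAN priority stated in the text

def parse_vlan_list(spec):
    """'3-4' or '1-2,5-1005' (CatOS notation) -> set of VLAN ids."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def format_vlan_list(vlans):
    """Inverse of parse_vlan_list: collapse ids into the compact 'a-b,c-d' form."""
    ids, out = sorted(vlans), []
    start = prev = ids[0]
    for v in ids[1:]:
        if v != prev + 1:
            out.append(f"{start}-{prev}" if start != prev else str(start))
            start = v
        prev = v
    out.append(f"{start}-{prev}" if start != prev else str(start))
    return ",".join(out)

class Trunk:
    def __init__(self, port):
        self.port, self.up = port, True
        self.pri = {v: DEFAULT_PORTPRI for v in VLAN_RANGE}

    def set_portvlanpri(self, priority, vlan_spec):
        """Model of 'set spantree portvlanpri <port> <pri> <vlans>'; returns the lines CatOS prints."""
        for v in parse_vlan_list(vlan_spec):
            self.pri[v] = priority
        by_pri = defaultdict(set)
        for v, p in self.pri.items():
            by_pri[p].add(v)
        return [f"Port {self.port} vlans {format_vlan_list(vs)} using portpri {p}"
                for p, vs in sorted(by_pri.items(), reverse=True)]

    def port_key(self):
        return tuple(int(x) for x in self.port.split("/"))

def forwarding_trunk(trunks, vlan):
    """Parallel trunk that stays forwarding for a VLAN: lowest port-VLAN priority wins,
    ties go to the lower port number (hence Trunk 2 is blocked for every VLAN by default).
    Returns None if no trunk is up. Simplified tie-break model, not a full STP implementation."""
    live = [t for t in trunks if t.up]
    return min(live, key=lambda t: (t.pri[vlan], t.port_key())).port if live else None
```

With both trunks configured as in the text, VLANs 3 and 4 forward on 1/1, VLANs 9 and 10 on 1/2, every other VLAN stays on 1/1, and taking 1/1 down moves all of its VLANs to 1/2.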

    CONFIGURATION OF ISL TRUNKS

    Any Fast Ethernet port can be configured as a trunk.

    You can configure any Fast Ethernet port on a Catalyst 5000 series switch to be a trunk port. Trunks carry the traffic of multiple VLANs and allow you to extend VLANs from one Catalyst switch to another.

    set trunk mod_num/port_num [on | off | desirable | auto | nonegotiate] [vlans]

    on: Set the trunk to on to make the port a trunk port and off to make the port a nontrunk port. The on option places the port into a permanent ISL trunking mode. When a port is configured to be a trunk, the range of allowed VLANs on the trunk is 1 to 1005.

    …secondary root switch to handle traffic for some specified VLANs. This scenario allows you to load balance the VLAN traffic on trunks that connect these switches.

    The following network diagram shows the configuration changes that you will make in the Configuration Lab:

    The Catalyst 1 switch is the root for handling traffic for VLANs …, …, and 9 between the Catalyst 5500 and the Catalyst 3200 and 2820 switches. The Catalyst 1 switch is also the secondary root switch for handling traffic from VLANs 8 and 10. The reverse is true for the Catalyst 2 switch. If the Catalyst 1 switch fails for some reason, the Catalyst 2 switch will handle the VLAN traffic for which the Catalyst 2 switch is the secondary.

    To modify the VLAN traffic that could be carried by a trunk, you can use the set trunk mod_num/port_num vlan_range command.

    Configuring Root and Secondary Root Switches

    The set spantree root command reduces the bridge priority (the value associated with the switch) from the default 32,768 to a significantly lower value, allowing the switch to become the root switch. The set spantree root command is used to set the primary or secondary root for specific VLANs or for all VLANs of the switch.

    Use the set spantree root secondary command to configure a switch as the secondary root switch. The command reduces the bridge priority to 16,384, making it the probable candidate to become the root switch if the primary root switch fails. You can run this command on more than one switch to create multiple backup switches in case the primary root switch fails.

    In this module, you will learn to configure one of the Catalyst switches as the root for certain VLANs and as the secondary for certain other VLANs using the set spantree root [secondary] [vlan_list] command.

    The show spantree command is used to display the spanning-tree information for a VLAN.

    CONFIGURING ROUTE SWITCH MODULE (RSM IN CAT5000)

    In a previous module, you learned about the operation and benefits of Virtual LANs (VLANs). In this module, you will learn about the operation of the route switch module (RSM) on a Catalyst 5000 series switch and how to configure the RSM for inter-VLAN IP routing. You will also learn about the Hot Standby Router Protocol (HSRP), which provides fault tolerance and enhanced routing performance for IP networks.

    In the Configuration Lab, you will use the Cisco Interactive Mentor simulation environment (CIM-SE) to configure an Inter-Switch Link (ISL) trunk between the Catalyst 5500 switch and a Cisco 4500 router for inter-VLAN IP routing. Then you will disconnect the ISL trunk between the Catalyst switch and the Cisco 4500 router and configure the RSM for inter-VLAN communication and for HSRP.

    Upon completion of the module, you will be able to:

    Describe the purpose and use of the RSM.

    Describe the operation of an RSM.

    Establish a session to the RSM from the switch console.

    Configure the RSM for inter-VLAN IP routing.

    Configure HSRP on the RSM.

    In a previous module, you learned about the operation and benefits of Virtual LANs (VLANs). By definition, VLANs perform traffic separation within a shared network environment.

    From the perspective of the Catalyst 5000 series switch, the RSM appears as a module with a single trunked port and one Media Access Control (MAC) address.

    The RSM works only with the Supervisor Engine II or III on a Catalyst switch. The following software versions are recommended for the operation of the RSM module on a Catalyst switch:

    Catalyst …

    Interface number that the routing code uses for routing

    Each VLAN that the RSM is routing appears as a separate virtual interface. Therefore, the configuration file of the RSM has an interface description for each VLAN. The most common configuration is one subnet per VLAN interface; in other words, the subnet address is the primary IP address for the interface. Secondary addressing can be used on a VLAN interface as on any other router interface.

    The MAC addresses available to the RSM are assigned as follows:

    VLAN … CHANNEL …

    HSRP allows two or more HSRP-configured routers to use the MAC address and IP network address of a virtual router. The virtual router does not physically exist; instead, it represents the common target for routers that are configured to provide backup to each other. Each actual router is configured with the MAC address and the IP network address of the virtual router. One of these devices is selected by the protocol to be the active router. The active router receives and routes packets destined for the group's MAC address.

    HSRP detects when the designated active router fails, at which point a selected standby router assumes control of the hot-standby group's MAC and IP addresses. A new standby router is also selected at that time.

    Devices that are running HSRP send and receive multicast User Datagram Protocol (UDP)-based hello packets to detect router failure and to designate active and standby routers.

    Enable a routing protocol for IP and associate networks with the routing protocol.

    Configure HSRP for fault-tolerant routing. (This step is optional.)

    The virtual routing interface has no external attributes, such as media type or speed. It is always displayed as a virtual Ethernet interface, regardless of the media type of the ports in the VLAN on the switch associated with that routing interface.

    show ip route

    show interface

    show running-config

    show standby