# Virtual LANs and VLAN Trunking

Using VLAN Database Mode to Create VLANs

Only normal-range VLANs (1-1005) can be configured and stored in a flash file called vlan.dat.

Switch# vlan database
Switch(vlan)# vlan 10 name ccie
Switch(vlan)# show current ! proposed or difference
Switch(vlan)# show proposed
Switch(vlan)# apply ! reset or abort

Private VLANs

A private VLAN has a primary VLAN and one or more secondary VLANs.
The ports in the primary VLAN are promiscuous.
Secondary VLANs are community VLANs or isolated VLANs.

VLAN Trunking Protocol

VTP advertises the VLAN ID, VLAN name and VLAN media type (Ethernet, FDDI, Token Ring).

VTP Modes: Server (default mode), Client, Transparent and off (only in CatOS).

| Function | Server | Client | Transparent |
|---|---|---|---|
| Originates VTP advertisements | yes | yes | no |
| Processes received advertisements to update its VLAN configuration | yes | yes | no |
| Forwards received VTP advertisements | yes | yes | yes |
| Saves VLAN configuration in NVRAM or vlan.dat | yes | yes | yes |
| Can create, modify or delete VLANs using configuration commands | yes | no | yes |

VTP Process

A VTP server needs a VTP domain name before it starts sending VTP updates.
A VTP client without a VTP domain name assumes the domain carried in the first VTP update it receives.
VTP configuration is stored in vlan.dat (flash memory).

VTP updates are propagated across trunk ports.

If MD5 authentication is configured, each VTP advertisement carries a validation hash (MD5 digest) of the VTP update.

VTP Configuration

Server and client switches must run the same VTP version.
Transparent switches running version 2 forward both version 1 (the default) and version 2 VTP updates.

Pruning (disabled by default) prevents unnecessary flooding across trunks on a per-VLAN basis. When pruning is enabled on a VTP server, it is enabled for the entire VTP domain. VLANs 1, 1002-1005 and 1006-4094 (extended-range) are pruning-ineligible.

Normal-Range and Extended-Range VLANs

Normal-range VLANs (1-1005) can be configured in VLAN database mode, with the details stored in vlan.dat (flash memory).
Extended-range VLANs (1006-4096) cannot be configured in VLAN database mode, stored in vlan.dat, or advertised via VTP. To configure them, the switch must be in VTP transparent mode.

Storing VLAN configuration

Normal-range VLANs can be configured from VLAN database mode or from configuration mode (server and transparent).
Extended-range VLANs can only be configured from configuration mode (transparent).
VTP and normal-range VLAN configuration is stored in vlan.dat (server and transparent) and in NVRAM (transparent). If the VTP mode or domain name in the vlan.dat file and the startup-config file differ, the switch uses only the vlan.dat file for its VLAN configuration.
Extended-range VLAN configuration is stored only in NVRAM (transparent).

ISL and 802.1Q Concepts

Both ISL and 802.1Q support normal-range and extended-range VLANs.
ISL is a Cisco-proprietary protocol; 802.1Q is an IEEE standard.
ISL encapsulates the original frame; 802.1Q inserts a tag into it.
ISL has no concept of a native VLAN; 802.1Q does.

ISL adds a new 26-byte header and a 4-byte trailer (a new CRC).
The header carries the source MAC address of the trunking device and a multicast destination address (0100.0C00.0000 or 0300.0C00.0000).

802.1Q inserts a 4-byte tag (EtherType plus tag control information) immediately after the source address and recalculates the FCS.
In an 802.1Q tag, the first 2 bytes are the registered EtherType 0x8100 and the last 2 bytes carry the priority and the VLAN-ID.
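As an added example (not code from these notes), the Python below builds and parses 802.1Q-tagged frames as just described: it locates the 0x8100 EtherType after the source address, splits the tag control bytes into the 3-bit priority, the DEI/CFI bit and the 12-bit VLAN-ID, and recomputes the FCS. It goes one step beyond the text by walking stacked tags, so a Q-in-Q frame (covered later in these notes) is reported with both tags, provider tag first. The 0x88A8 service-tag EtherType, the MAC addresses and the sample payload are assumptions and constructed values, not taken from the notes.

```python
import struct
import zlib

# EtherTypes that mark a VLAN tag. 0x8100 is the 802.1Q value from the text;
# 0x88A8 (the IEEE 802.1ad service tag) is assumed here so that Q-in-Q frames
# built with a standard S-tag are recognised as well as a second 0x8100.
TAG_ETHERTYPES = {0x8100: "802.1Q", 0x88A8: "802.1ad"}


def build_frame(dst, src, tags, ethertype, payload):
    """Build an Ethernet frame without FCS. tags is a list of
    (tpid, pcp, dei, vid) tuples, outermost tag first."""
    frame = bytearray(dst + src)
    for tpid, pcp, dei, vid in tags:
        # tag control information: 3-bit priority, 1-bit DEI/CFI, 12-bit VLAN-ID
        tci = (pcp << 13) | (dei << 12) | (vid & 0x0FFF)
        frame += struct.pack("!HH", tpid, tci)
    frame += struct.pack("!H", ethertype) + payload
    return bytes(frame)


def append_fcs(frame):
    """Append the Ethernet FCS (CRC-32, least-significant byte first)."""
    return frame + struct.pack("<I", zlib.crc32(frame))


def fcs_ok(frame_with_fcs):
    """True if the trailing 4 bytes are the correct CRC-32 of the frame body."""
    body, fcs = frame_with_fcs[:-4], frame_with_fcs[-4:]
    return struct.unpack("<I", fcs)[0] == zlib.crc32(body)


def parse_frame(frame):
    """Parse a frame (without FCS) into MACs, the tag stack and the payload.

    The tag stack is walked from the outermost tag inward, so a Q-in-Q frame
    yields two entries with the provider tag first."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an untagged Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    offset, tags = 12, []
    while True:
        if len(frame) < offset + 2:
            raise ValueError("frame truncated at EtherType")
        ethertype = struct.unpack("!H", frame[offset:offset + 2])[0]
        if ethertype not in TAG_ETHERTYPES:
            break                      # real payload EtherType reached
        if len(frame) < offset + 4:
            raise ValueError("frame truncated inside a VLAN tag")
        tci = struct.unpack("!H", frame[offset + 2:offset + 4])[0]
        tags.append({
            "tpid": ethertype,
            "pcp": tci >> 13,          # priority
            "dei": (tci >> 12) & 1,    # drop eligible / CFI bit
            "vid": tci & 0x0FFF,       # VLAN-ID
        })
        offset += 4
    return {
        "dst": dst.hex(":"), "src": src.hex(":"),
        "tags": tags, "ethertype": ethertype, "payload": frame[offset + 2:],
    }


def classify(frame):
    """Label the tag depth: 'untagged', '802.1Q' or 'Q-in-Q (n tags)'."""
    n = len(parse_frame(frame)["tags"])
    if n == 0:
        return "untagged"
    if n == 1:
        return "802.1Q"
    return "Q-in-Q (%d tags)" % n


if __name__ == "__main__":
    # Constructed sample: customer VLAN 20 carried inside provider VLAN 10.
    dst, src = bytes.fromhex("01000c000000"), bytes.fromhex("0011223344aa")
    f = build_frame(dst, src, [(0x8100, 0, 0, 10), (0x8100, 5, 0, 20)], 0x0800, b"payload")
    print(classify(f), [t["vid"] for t in parse_frame(f)["tags"]])
```

A capture tool fed with classify() can report frames whose tag depth does not match the port role, for instance a double-tagged frame seen on a plain access port, which is a useful sanity check when verifying that tunnel and trunk ports are where the design says they are.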

ISL and 802.1Q Configuration

Switches default to DTP dynamic desirable mode.
If both switches support both types of trunking, they negotiate to use ISL.

Allowed, Active and Pruned VLANs

Allowed VLANs are those permitted with the switchport trunk allowed vlan command.
Allowed and active VLANs are the allowed VLANs that are also configured on the switch.
Active and pruned VLANs are the active VLANs with any VTP-pruned VLANs removed.

Trunk Configuration Compatibility

trunk = switchport mode trunk; switchport nonegotiate (DTP off)
trunk+DTP = switchport mode trunk (DTP on)
desirable = switchport mode dynamic desirable
auto = switchport mode dynamic auto
access = switchport mode access; switchport nonegotiate (DTP off)
access+DTP = switchport mode access (DTP on)

| | trunk | trunk+DTP | desirable | auto | access | access+DTP |
|---|---|---|---|---|---|---|
| trunk | trunk | trunk | fail | fail | fail | fail |
| trunk+DTP | trunk | trunk | trunk | trunk | fail | fail |
| desirable | fail | trunk | trunk | trunk | access | access |
| auto | fail | trunk | trunk | access | access | access |
| access | fail | fail | access | access | access | access |
| access+DTP | fail | fail | access | access | access | access |

isl = switchport trunk encapsulation isl
dot1q = switchport trunk encapsulation dot1q
negotiate = switchport trunk encapsulation negotiate

| | isl | dot1q | negotiate |
|---|---|---|---|
| isl | isl | fail | isl |
| dot1q | fail | dot1q | dot1q |
| negotiate | isl | dot1q | isl->dot1q |
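An added example (not part of these notes) that turns the two matrices above into rules and then audits a running-config excerpt: dtp_outcome() reproduces every cell of the mode matrix, encap_outcome() the encapsulation matrix, and ports_running_dtp() lists the ports on which a peer can still influence the trunk/access decision, which is what you check when confirming that ports facing hosts and routers (which do not speak DTP) have been pinned with switchport nonegotiate. Labels follow the matrix: "+DTP" means DTP still running, a plain trunk/access label means switchport nonegotiate. SAMPLE_CONFIG, its interface names, descriptions and VLAN numbers are constructed; a port without a switchport mode line is assumed to sit at the dynamic desirable default stated earlier in these notes.

```python
import re

STATIC = ("trunk", "access")


def split_label(label):
    """Map a matrix label to (mode, dtp_running). '+DTP' marks a trunk or
    access port that still sends DTP; a plain 'trunk'/'access' label is the
    port configured with 'switchport nonegotiate'; dynamic modes always run DTP."""
    if label.endswith("+DTP"):
        return label[:-4], True
    if label in ("desirable", "auto"):
        return label, True
    return label, False


def dtp_outcome(a, b):
    """Operational result ('trunk', 'access' or 'fail') of two port
    configurations, reproducing each cell of the compatibility matrix."""
    (ma, da), (mb, db) = split_label(a), split_label(b)
    if ma in STATIC and mb in STATIC:
        return ma if ma == mb else "fail"          # two static ports must agree
    if ma in STATIC or mb in STATIC:
        ms, ds = (ma, da) if ma in STATIC else (mb, db)
        if ms == "access":
            return "access"                        # a dynamic peer never trunks to an access port
        return "trunk" if ds else "fail"           # a nonegotiate trunk gives the dynamic peer nothing to hear
    return "access" if ma == mb == "auto" else "trunk"   # auto/auto: neither side initiates


def encap_outcome(a, b):
    """Result of the encapsulation matrix: 'isl', 'dot1q' or 'fail'."""
    if a == b == "negotiate":
        return "isl"              # matrix cell isl->dot1q: ISL is chosen when both support it
    if "negotiate" in (a, b):
        return b if a == "negotiate" else a
    return a if a == b else "fail"


def port_modes(config):
    """Parse the 'interface ...' blocks of a running-config and return a
    matrix label per port. A port with no 'switchport mode' line gets the
    dynamic desirable default (assumption, per the notes' default-mode note)."""
    blocks, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"^interface (\S+)$", line)
        if m:
            current = m.group(1)
            blocks[current] = []
        elif line == "!":
            current = None
        elif current and line:
            blocks[current].append(line)
    modes = {}
    for iface, lines in blocks.items():
        mode, nonegotiate = "desirable", False
        for line in lines:
            if line == "switchport mode trunk":
                mode = "trunk"
            elif line == "switchport mode access":
                mode = "access"
            elif line == "switchport mode dynamic desirable":
                mode = "desirable"
            elif line == "switchport mode dynamic auto":
                mode = "auto"
            elif line == "switchport nonegotiate":
                nonegotiate = True
        if mode in STATIC and not nonegotiate:
            mode += "+DTP"
        modes[iface] = mode
    return modes


def ports_running_dtp(config):
    """Ports whose peer can still influence the trunk/access decision."""
    return sorted(i for i, lbl in port_modes(config).items() if split_label(lbl)[1])


# Constructed running-config excerpt (not from the notes).
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 description to_core
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
!
interface FastEthernet0/2
 description user_port
 switchport mode access
 switchport access vlan 10
!
interface FastEthernet0/3
 description printer
 switchport access vlan 20
!
interface FastEthernet0/4
 switchport mode dynamic desirable
!
"""

if __name__ == "__main__":
    print(port_modes(SAMPLE_CONFIG))
    print("ports still running DTP:", ports_running_dtp(SAMPLE_CONFIG))
```

Only FastEthernet0/1 in the sample is fully pinned; the access port, the port left at its default and the dynamic desirable port all still exchange DTP, so the audit lists the three of them.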

Configuring Trunking on Routers

Routers and hosts do not support DTP.

ISL configuration:

Router(config)# interface fa0/1.1
Router(config-if)# ip address 10.1.1.1 255.255.255.0
Router(config-if)# encapsulation isl 11
Router(config)# interface fa0/1.2
Router(config-if)# ip address 10.1.2.1 255.255.255.0
Router(config-if)# encapsulation isl 12

802.1Q configuration:

Router(config)# interface fa0/2
Router(config-if)# description native_vlan_1
Router(config-if)# ip address 10.2.0.1 255.255.255.0
Router(config)# interface fa0/2.1
Router(config-if)# ip address 10.2.1.1 255.255.255.0
Router(config-if)# encapsulation dot1q 21 ! [native]
Router(config)# interface fa0/2.2
Router(config-if)# ip address 10.2.2.1 255.255.255.0
Router(config-if)# encapsulation dot1q 22

802.1Q-in-Q Tunneling

SwitchSP1(config)# interface fa0/1
SwitchSP1(config-if)# description to_SwitchCustomer1
SwitchSP1(config-if)# switchport access vlan 10
SwitchSP1(config-if)# switchport mode dot1q-tunnel
SwitchSP1(config-if)# no l2protocol-tunnel cdp ! enables cdp, stp and vtp
SwitchSP1(config)# interface fa0/2
SwitchSP1(config-if)# description to_SwitchCustomer2
SwitchSP1(config-if)# switchport access vlan 20
SwitchSP1(config-if)# switchport mode dot1q-tunnel
SwitchSP1(config-if)# no l2protocol-tunnel cdp ! enables cdp, stp and vtp
SwitchSP1(config)# interface fa0/3
SwitchSP1(config-if)# description to_SwitchSP2
SwitchSP1(config-if)# switchport mode trunk
SwitchSP1(config-if)# switchport trunk encapsulation dot1q

SwitchSP2(config)# interface fa0/1
SwitchSP2(config-if)# description to_SwitchCustomer1
SwitchSP2(config-if)# switchport access vlan 10
SwitchSP2(config-if)# switchport mode dot1q-tunnel
SwitchSP2(config-if)# no l2protocol-tunnel cdp ! enables cdp, stp and vtp
SwitchSP2(config)# interface fa0/2
SwitchSP2(config-if)# description to_SwitchCustomer2
SwitchSP2(config-if)# switchport access vlan 20
SwitchSP2(config-if)# switchport mode dot1q-tunnel
SwitchSP2(config-if)# no l2protocol-tunnel cdp ! enables cdp, stp and vtp
SwitchSP2(config)# interface fa0/3
SwitchSP2(config-if)# description to_SwitchSP1
SwitchSP2(config-if)# switchport mode trunk
SwitchSP2(config-if)# switchport trunk encapsulation dot1q

Configuring PPPoE

ISP(config)# ip local pool MyPool 10.0.0.2 10.0.0.254
ISP(config)# bba-group pppoe MyGroup
ISP(config-bba-group)# virtual-template 1
ISP(config-bba-group)# sessions per-mac limit 2
ISP(config)# interface virtual-template 1
ISP(config-if)# ip address 10.0.0.1 255.255.255.0
ISP(config-if)# peer default ip address pool MyPool
ISP(config-if)# ppp authentication chap callin
ISP(config)# interface f0/0
ISP(config-if)# no ip address
ISP(config-if)# pppoe enable group MyGroup
ISP(config-if)# no shutdown
ISP(config)# username CPE password MyPassword

CPE(config)# interface dialer1
CPE(config-if)# dialer pool 1
CPE(config-if)# dialer-group 1
CPE(config-if)# encapsulation ppp
CPE(config-if)# ip address negotiated
CPE(config-if)# ppp chap password MyPassword
CPE(config-if)# mtu 1492
CPE(config)# interface f0/0
CPE(config-if)# no ip address
CPE(config-if)# pppoe enable
CPE(config-if)# pppoe-client dial-pool-number 1
CPE(config-if)# no shutdown
CPE(config)# dialer-list 1 protocol ip permit
