
VLANs, VTP, and VLAN Trunking

The second new Newsletter article discusses VLANs, VTP, and VLAN Trunking. Originally developed as a security technique for isolating groups of users on the same wire, VLANs have many more applications than first thought. They will be found doing useful things in most networks. VTP is a Cisco-proprietary mechanism that reduces the operational workload of making changes to VLANs. Though CCNA candidates need to know the basics of these techniques, most of the information is designed to help candidates working towards higher level certifications.

Contents:
  VLANs, VTP, and VLAN Trunking
  VLANs and Cisco Models
  VTP
  VTP Version
  VTP Pruning
  Configuring VLAN Membership
  VTP Configuration
  If you want VTP to work...
  Global Configuration Mode
  VTP Configuration in VLAN Configuration Mode

VLANs, VTP, and VLAN Trunking


Originally developed as a security technique for isolating groups of users on the same wire, Virtual Local Area Networks (VLANs) have many more applications than first thought. VLANs will be found doing useful things in most networks. In his Ethernet Switching II tutorial, Dan Farkas has a great way to remember the role of anything virtual:

"With terms like "virtual LANs" being flung around, it's important to keep our definitions straight.

  If you can see something and it's there, then it's real.
  If you can't see something but it's there, then it's transparent.
  If you can see something but it's not there, then it's virtual.
  If you can't see something and it's not there, then it's missing!

So a virtual LAN is a LAN that looks like it's there but really isn't. A VLAN is a virtual wire, a virtual hub that spans across multiple switches. VLANs are broadcast domains. There is a one-to-one correspondence between VLANs and IP subnets. In fact, in my classes I let my students use the terms VLAN, subnet, and broadcast domain interchangeably."

VLANs and Cisco Models


VLANs themselves are what you see individually at edge LAN switch ports, to which hosts connect. In general, when you interconnect more than one modern switch, the ports interconnecting them run a trunking protocol. Trunking protocols allow traffic from different VLANs to share a physical link. A single non-trunked switch still can contain VLANs, with different ports assigned to different VLANs. Getting a frame from an edge port onto a trunk involves tagging it with a VLAN identifier, so that the switch at the far end of the trunk knows which VLAN the frame belongs to; the tag is removed again before the frame is delivered out of an access port.

VLANs are not the panacea for almost every problem, as once believed. At one time, there was truth to the axiom "switch [i.e., bridge at layer 2] when you can, route when you must." With current technology, there isn't a significant amount of performance difference between L2 and L3 decision making. L3 switches are routers, and distinguishing between them sometimes is no more than a matter of sales emphasis.

Dan observes a point that you will run across in discussions of Cisco models, including the Enterprise Composite Network Model, the SAFE model and the hierarchical design model:

"Now with these hierarchical layers we can build blocks that we will use to build the rest of our network. Most of our end users will be in what we call switch blocks. The switch blocks define users into different VLANs and subnets based on whatever our network policy is. A policy could be based on departments. Or it could be based on project groups within a company. Or it could be set up to keep people named Howard isolated from the rest of the network. The switch blocks contain both access layer and distribution layer devices. The VLANs in a switch block will not leave that block, but will be routed to the core block. The core block only has a core layer and connects the distribution layers of different blocks.

Other types of blocks include server blocks (where server farms would be), WAN blocks (that connect to the Internet or private WAN links), remote access blocks (where an access server might be used as an access layer device to allow for dial-in users) and PSTN blocks (if you are using Voice over technologies). Each block has its own VLANs and IP subnets, and maybe its own policy. VLANs should not cross block boundaries."

Realistically, you do tend to see certain differences in the way functions are packaged into commercial products. Products marketed as L3 switches tend to have lower per-port cost and higher per-port density for Ethernet ports than "routers". Routers tend to have better per-port economics for WAN data ports, and often have more processing power for such non-forwarding tasks as quality of service enforcement.

Table 21. Port Membership Modes defined for IOS VLAN switching

Static access
  VLAN relationships: Configured manually to belong to only one VLAN.
  VTP requirements: Not required. For VTP to work for this switch there must be at least one trunk port on the local switch connected to a trunk port on another switch.

802.1Q trunk
  VLAN relationships: By default, trunk ports carry every VLAN, including the extended-range VLANs. You may restrict the VLANs that can traverse the trunk by defining them in the allowed VLAN list. This is typically described as an advanced performance tuning method, but it is also the only thing that keeps a VLAN off a link where it has no business being, so it is worth doing on every trunk.
  VTP requirements: Cisco recommends but does not require VTP on trunk ports. VTP simplifies configuration, especially of a complex switched network, but does consume bandwidth and switch processing. It can be used for trunk performance tuning by adjusting the VTP pruning-eligible list.

Dynamic access
  VLAN relationships: Ports are assigned dynamically to a single normal-range VLAN, based on the source MAC address of the first frame received. You must have a VLAN Membership Policy Server (VMPS) to do this assignment, a function that does not run on the 2950. If the switch has trunk ports, its dynamic access ports can only connect to end stations, not other switches.
  VTP requirements: VTP is required, both on the switch with the dynamic access port and on the VMPS.

Voice VLAN
  VLAN relationships: The port connects to a Cisco IP phone, which presents a data VLAN and an auxiliary voice VLAN to the switch port.
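The port membership modes in Table 21 as they look in an IOS configuration. This is an added example, not configuration from the original article; the interface numbers, VLAN IDs and VLAN names are assumptions chosen for illustration, and the target is a Catalyst 2950, which supports only 802.1Q trunking.

```cisco
! Added example (not from the original article): port membership modes from
! Table 21 on a Catalyst 2950. Interface numbers, VLAN IDs and names are
! assumptions chosen for illustration.
!
! VLANs must exist before ports are assigned to them. On a VTP server or
! transparent switch they are created locally; a client learns them via VTP.
vlan 10
 name DATA
vlan 20
 name VOICE
vlan 99
 name NATIVE-UNUSED
!
! Static access: the port belongs to exactly one VLAN, set by hand.
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
!
! Voice VLAN: the phone tags its own traffic with VLAN 20; the PC plugged
! into the back of the phone stays untagged in the access VLAN 10.
interface FastEthernet0/2
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
!
! 802.1Q trunk to another switch. The 2950 only speaks 802.1Q, so there is
! no "switchport trunk encapsulation dot1q" line here (a 3550/3560 needs it
! before "switchport mode trunk"). By default the trunk carries every VLAN;
! the allowed list limits it to what this link actually needs, and the
! native (untagged) VLAN is moved to an otherwise unused VLAN so that no
! user VLAN travels the trunk untagged.
interface FastEthernet0/24
 switchport mode trunk
 switchport trunk allowed vlan 10,20
 switchport trunk native vlan 99
!
! Dynamic access would be "switchport access vlan dynamic" plus a reachable
! VMPS. The 2950 cannot act as the VMPS, so that mode is not shown.
!
! Verification:
!   show interfaces trunk
!   show interfaces FastEthernet0/24 switchport
!   show vlan brief
end
```

The allowed list and the native VLAN are set on purpose: a trunk left at its defaults carries every VLAN the switch knows about, tagged, plus VLAN 1 untagged, which is rarely what the design in the text above (VLANs confined to their block) intends.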

VTP
VLAN Trunking Protocol (VTP) is a Cisco-proprietary mechanism that reduces the operational workload of making changes to VLANs. VTP travels over trunks, so any participating switch must have at least one trunk port. VTP can improve overall performance by preventing the propagation of VLAN traffic to switches with no port in the VLAN, reducing trunk bandwidth and switch processing. It can also prevent certain configuration errors and inconsistencies. The way in which you configure VLANs, assuming you have more than one switch interconnected by trunks, will depend on whether or not VTP will be part of your network, so the decision to use it has to come early in the design process. We will consider the factors that go into that decision now, but defer the details of VTP configuration until after we go through basic VLAN configuration.

Table 22. Default VTP Database Information
  VTP domain name: Null.
  VTP mode: Server.
  VTP version 2 enable state: Version 2 is disabled.
  VTP password: None.
  VTP pruning: Disabled.

Since a non-null domain name, if nothing else, is needed for VTP operation, you will have to do at least some configuration to make it work.

Table 23. VTP Switch Modes

server
  The default mode for VTP-enabled switches. This lets you configure and reconfigure on one switch and have the information propagate to all other switches in the domain. If changes are made on more than one server, the servers dynamically synchronize as long as the options are compatible. Synchronization is decided by the configuration revision number: the database with the highest revision number wins. A switch brought in from another network with the same domain name and password and a higher revision number will therefore overwrite the VLAN database of every switch in the domain, so reset its revision number (putting it in transparent mode, or changing its domain name, does this) before connecting a trunk. Configurations are saved in NVRAM. Be aware that server mode requires more NVRAM and RAM than other modes.

client
  Clients do not let you make changes, although they will propagate changes to other VTP switches. They do not save the learned configuration in NVRAM. Remember that you must have at least one server in a domain, or nothing can be configured.

transparent
  VTP transparent mode causes a switch to pass VTP messages, but not be affected by them. You still can create, delete and modify VLANs in this mode, but the information configured on the switch will not propagate via VTP. VTP mode and domain information is saved in NVRAM. Transparent mode is the only mode you can use to create extended-range VLANs.

When VTP is running, it propagates the information in Table 24.

Table 24. Information in VTP Messages

Global
  VTP domain name
  VTP configuration revision number
  Update identity and update timestamp
  MD5 digest
  VLAN configuration, including maximum transmission unit (MTU) size for each VLAN
  Frame format

Per-VLAN
  VLAN ID
  Name
  Type
  State
  Type-specific information

VTP Version
There are three versions of VTP. VTP Version 3 is very new and will be available only in the latest IOS versions. Remember that, although the default mode is server, VTP does nothing until the switch has a domain name. Once VTP is operating, it runs as Version 1 unless you explicitly configure Version 2, and every switch in the domain must be capable of Version 2 before you do so.

Which version should you use? See Table 25 for the additional features supported by Version 2. Version 1 is adequate for most systems that do not contain Token Ring. Many of the Version 2 features impose tighter management control on VTP, which could very well help avoid problems if you are merging VTP systems. Only Versions 1 and 2 are listed in the CCNA blueprint.

Table 25. VTP Version 2 Functionality differences with Version 1

Token Ring
  Token Ring Bridge Relay Function (TrBRF) and Token Ring Concentrator Relay Function (TrCRF) VLANs are supported.

Unrecognized Type-Length-Value (TLV)
  In V2, a server propagates TLVs even when it does not understand them, and saves them in NVRAM when the switch is in VTP server mode. This could be useful if not all devices are at the same version or release level.

Version-Dependent Transparent Mode
  Normal behavior for a V1 transparent switch is to forward messages only if they match its own domain name and version. Because VTPv2 supports only one domain, a V2 transparent switch forwards messages without this check.

Consistency Checks
  VTPv1 does more consistency checking on received messages, which adds overhead. As long as the MD5 digest on a message is correct, VTPv2 accepts and forwards it. VTPv2 consistency-checks only new configuration information added through the configuration editor, Cluster Management Software or SNMP.

VTPv3 introduces more features beyond the scope of this article, but perhaps the most important enhancement is that its database covers the full range of VLAN identifiers, extended-range VLANs included.

VTP Pruning
VTP pruning is an important function for reducing flooded traffic on trunks, often more than offsetting the overhead induced by VTP itself. You avoid consuming trunk bandwidth and switch processing for broadcast, multicast and unknown-unicast frames that the receiving switch would only discard, because it has no port in that VLAN. Pruning recognizes whether a downstream switch actually has an active port in a VLAN, and floods that VLAN's traffic down a trunk only when it is relevant to the switch at the other end. The term "spanning tree" is especially apropos, because this function prunes branches of the tree that don't need to receive any sap from the trunk of the tree -- I mean, any frames from the conceptual all-VLAN trunk. As opposed to garden pruning where you amputate the branches, VTP pruning can reattach branches when the relevant switches do include ports in the previously pruned VLANs. This feature is off by default in both VTPv1 and VTPv2. When it is enabled, only VLANs in the pruning-eligible list can be pruned. The contents of this list depend on the software image and any manual configuration. With the Standard image and default behavior, VLANs 2-1001 are pruning-eligible. VLAN 1 and the range 1002-1005 can never be eligible for pruning. The extended range (IDs above 1005) can be pruned only when running EMI software in all switches in the domain.

Figure 16. Example of VLAN Pruning's Benefit

VTP does consume RAM and sometimes NVRAM. Pruning also is not intended to affect switches in VTP transparent mode. If any of your switches are in VTP transparent mode, you have to make adjustments to avoid incompatibilities. One such adjustment is turning off VTP pruning (i.e., just pruning, not all of VTP) for the entire switched system. Alternatively, you can make sure that the transparent switches do not see pruning, by adjusting the pruning-eligible list of the directly connected non-transparent switches. You adjust the list such that no VLAN on the trunk to the transparent switch can be pruned by the switch at the other end of that trunk. On this trunk, you must not make any VLAN present eligible for pruning. As long as the trunks that lead to transparent switches are not pruned, it is perfectly acceptable to prune on the trunks upstream of them.

Figure 17. VLAN Pruning upstream of a transparent switch The command for VTP pruning is:
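The arrangement of Figure 17 in IOS configuration: pruning enabled for the domain, and the trunk that faces the transparent switch exempted. This is an added example, not configuration from the original article; hostnames, interface numbers and VLAN IDs are assumptions chosen for illustration.

```cisco
! Added example (not from the original article): VTP pruning in a domain
! that contains a transparent switch, as in Figure 17. Hostnames, interface
! numbers and VLAN IDs are assumptions chosen for illustration.
!
! --- SW-CORE, a VTP server: one command enables pruning for the whole
! domain; servers and clients learn it via VTP. Only VLANs in a trunk's
! pruning-eligible list (default 2-1001) can ever be pruned; VLAN 1 and
! 1002-1005 never are.
hostname SW-CORE
vtp domain CORP-LAB
vtp mode server
vtp pruning
!
! --- SW-DIST, a VTP client with two trunks: Fa0/23 down to SW-LAB, which
! runs in transparent mode, and Fa0/24 up to SW-CORE.
hostname SW-DIST
vtp domain CORP-LAB
vtp mode client
!
! Trunk towards the transparent switch: empty the pruning-eligible list so
! that no VLAN carried on this link is ever pruned. A transparent switch
! sends no pruning joins, so pruning here would silently cut it off from
! flooded traffic in VLANs it really uses.
interface FastEthernet0/23
 switchport mode trunk
 switchport trunk allowed vlan 1,10,20
 switchport trunk pruning vlan none
!
! Upstream trunk: default eligibility, pruned normally. Because VLANs 10
! and 20 cannot be pruned on Fa0/23, SW-DIST needs them and keeps receiving
! them from SW-CORE; any other VLAN allowed here that nothing below SW-DIST
! uses is pruned on this link.
interface FastEthernet0/24
 switchport mode trunk
!
! --- SW-LAB keeps its own VLAN definitions and ignores pruning entirely.
hostname SW-LAB
vtp mode transparent
!
! Verification on SW-DIST:
!   show interfaces trunk
!     (the last block lists the VLANs that are forwarding and not pruned)
!   show interfaces FastEthernet0/23 switchport
!     (shows the pruning-eligible list for that trunk)
```

The exemption is per trunk, not per switch: SW-DIST's upstream trunk is still pruned, which is exactly the "prune upstream of the transparent switch" arrangement the text describes.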

Configuring VLAN Membership


First, you need to know how many, and which VLAN numbers, can run on a given switch and software image. While the release notes for a given release are definitive, Table 26 gives the basic rules for the 2950 switch, which is the fairly simple switch that is the knowledge target for the CCNA. SMI software generally supports only a small number of VLANs in the "normal range" of VLAN identifiers. Formally, this range is 1 to 1005, but certain identifiers have special significance. If you use the EMI image, you can support the extended range of VLANs 1006-4094, but VTP cannot learn about these in Version 1 or 2. Using the extended range, in practice, means that you will have to run the switch in VTP transparent mode, greatly limiting the functionality available through VTP, unless you use VTPv3. VTPv3 is not in the current CCNA blueprint.

Table 26. VLAN identifiers with special significance
  1: Management (and default) VLAN. Should always be available to a switch.
  1002-1005: Reserved for (obsolescent) Token Ring and FDDI VLANs.
  1006-4094: Extended range, not stored in the VTP database.
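The consequence of Table 26 in practice: a normal-range VLAN goes into the VTP database, an extended-range VLAN can only be created once the switch is in VTP transparent mode, and the switch cannot go back to server mode while one exists. This is an added example, not configuration from the original article; VLAN IDs and names are assumptions, and a 2950 with the EMI image and an IOS from 12.1(9)EA1 onward is assumed.

```cisco
! Added example (not from the original article): normal-range versus
! extended-range VLANs on a 2950 (EMI image, IOS 12.1(9)EA1 or later).
! VLAN IDs and names are assumptions chosen for illustration.
!
! Normal range (2-1001 usable for Ethernet): created in server mode, stored
! in the VTP database and advertised to the rest of the domain.
Switch# configure terminal
Switch(config)# vtp mode server
Switch(config)# vlan 100
Switch(config-vlan)# name ENGINEERING
Switch(config-vlan)# exit
!
! Extended range (1006-4094): refused while the switch is a VTP server,
! because VTPv1/v2 cannot carry these VLANs. The switch reports an error
! when you leave config-vlan mode and does not create the VLAN.
Switch(config)# vlan 2000
Switch(config-vlan)# name LAB-ISOLATED
Switch(config-vlan)# exit
!
! In transparent mode the same commands succeed. The VLAN is saved in the
! local configuration, not in the VTP database, and is never advertised,
! so every switch that must carry it needs the same definition by hand.
Switch(config)# vtp mode transparent
Switch(config)# vlan 2000
Switch(config-vlan)# name LAB-ISOLATED
Switch(config-vlan)# exit
!
! Returning to server mode is refused while VLAN 2000 exists; delete the
! VLAN first if this switch must become a server again.
Switch(config)# no vlan 2000
Switch(config)# vtp mode server
Switch(config)# end
!
! Verification:
Switch# show vlan brief
Switch# show vtp status
```

Note the operational trade-off the text describes: the moment you need VLAN 2000 on this switch, every other switch that carries it also leaves VTP synchronization, so the extended range is best reserved for VLANs that stay inside one block.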

VTP Configuration
Like most IOS functions, you configure VTP through the configuration editor. You have two choices in the way you configure VTP. You can configure it in global configuration mode, where you set parameters in the VTP database. You can also configure it in VLAN configuration mode, which is more fine-grained. Remember that the stored configuration and the VTP database are not always the same; the VTP database can contain dynamically learned information. Specifying a new filename simply renames the place where dynamic information will be stored. The vlan level changes single VLANs, while the vtp level applies to all standard-range VLANs. As opposed to most other configuration editor changes, the commands do not take effect immediately, but only after you complete the module and commit the changes (Table 27).

Table 27. VTP Configuration Module Commands
  abort: Exits the mode without applying the changes and without resetting. The existing database remains valid.
  apply: Applies the database changes, increments the database revision number, and propagates the information. The switch remains in VLAN configuration mode so you can configure a different VLAN. You can't use this command if the switch is in client mode.
  exit: Applies the database changes, increments the database revision number, and propagates the information. The switch returns to privileged EXEC mode, from which VLAN configuration mode was entered.
  no: Negates a command or sets its defaults.
  reset: Abandons the proposed changes and resets the proposed database to the database currently in effect; the switch stays in VLAN configuration mode.

Be aware of some startup behavior that may result from configuration mismatches (Table 28).

Table 28. VTP Special Behavior on Startup

Condition: The switch is in transparent mode, and the VLAN database and the VTP domain name in the VLAN database match those defined in the startup configuration file.
  Result: The VTP and VLAN configurations in the startup configuration file are used, but other information stored in the database is ignored. The VLAN database revision number remains unchanged in the VLAN database.

Condition: The VTP mode or domain name in the startup configuration does not match the VLAN database.
  Result: The domain name, the VTP mode and the configuration of the standard-range VLANs are taken from the VLAN database.

Certain parameters always need to be set globally. The first step is to define the domain name, which can be 1 to 32 characters long. Every client or server in the same domain must have the same domain name. Switches in VTP transparent mode do not need the domain name, because (in Version 2) they pass messages without checking it; a Version 1 transparent switch forwards only messages whose domain name and version match its own. Some VTP parameters, such as the password, whether to enable Version 2, and whether to use pruning, are optional, but still can be set with global commands.

If you want VTP to work...

While domain names are mandatory, VTP passwords are optional strings, 8 to 64 characters long. If you configure a VTP password, it must be the same in all switches of a domain. A switch without the right password will not accept VTP advertisements, or learn the domain name, until the correct password is configured into it. The password itself is never sent; it is folded into the MD5 digest listed in Table 24, so it authenticates advertisements within the domain but does not encrypt them. A switch whose domain name is still null adopts the first domain name it hears on a trunk, so set the domain name and password before you cable the trunks.

Never configure a domain without at least one VTP server. If all the switches are in client mode, there is no way to change the configuration.

Global Configuration Mode


If you want to use VTP transparent mode, you must use global configuration mode. Global configuration is the only way to establish the domain name, database file and switch mode if the switch is in transparent mode.

If you do a copy of the running configuration to the startup configuration followed by a reload, the restarted switch behaves as defined in Table 28. Note that there are some variations based on IOS version, principally whether the switch software image is IOS 12.1(9)EA1 or a later version. If your configuration was stored with an earlier IOS, there may be different behavior. See the appropriate release notes. For the actual configuration,

If you can, it's generally most flexible to have all your switches in server mode. The nice thing is that if a switch is configured as a server, you can make changes on it and have them propagate through the domain. One reason you cannot is if extended-range VLANs are in the switch configuration -- you can't change to server when the switch is running extended VLANs. Another reason you may not be able to make every switch a server is that server mode requires more RAM and NVRAM. To set server mode, enter global configuration mode and configure:
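The global-configuration-mode parameters from the preceding sections (domain name, password, mode, version and pruning) for a three-switch domain with one server, one client and one transparent switch. This is an added example, not configuration from the original article; the hostnames, the domain name, the password value and the choice of Version 2 are assumptions chosen for illustration.

```cisco
! Added example (not from the original article): global-configuration-mode
! VTP setup for a three-switch domain. Hostnames, domain name, password and
! the choice of Version 2 are assumptions chosen for illustration.
! (Comments are on their own lines on purpose: IOS treats "!" only at the
! start of a line, so trailing text would become part of the password.)
!
! --- SW1: the single VTP server. All VLAN changes are made here.
hostname SW1
! 1-32 characters, identical on every client and server in the domain.
vtp domain CORP-LAB
! 8-64 characters, identical on every switch; mixed into the MD5 digest.
vtp password 8charsMin-Sec
vtp mode server
! Every switch in the domain must support Version 2 before this is set.
vtp version 2
! Pruning is a domain-wide property; enabling it on the server is enough.
vtp pruning
!
! --- SW2: a client. It learns VLANs from SW1 over a trunk and refuses
! local VLAN changes. Domain and password must match SW1 exactly.
hostname SW2
vtp domain CORP-LAB
vtp password 8charsMin-Sec
vtp mode client
!
! --- SW3: transparent. It forwards advertisements but keeps its own
! locally configured VLANs. Entering transparent mode also resets the
! configuration revision number to 0, which is the safe way to bring a
! switch that was previously used elsewhere into an existing domain
! before changing it to client or server.
hostname SW3
vtp mode transparent
vtp domain CORP-LAB
!
! Verification on each switch:
!   show vtp status     (mode, domain, Configuration Revision, V2 Mode,
!                        Pruning Mode)
!   show vtp password   (the password is not shown by "show vtp status")
!   show vlan brief     (SW2 should list SW1's VLANs once their trunk is up)
```

Before trunking SW2 to SW1, compare the Configuration Revision shown by show vtp status on both: the higher one wins, and it is SW2's database that should be at zero.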

VTP Configuration in VLAN Configuration Mode


To configure parameters for individual VLANs, use VLAN configuration mode. Global commands such as the domain would normally have been set already, at the global level. Many options of this command are not relevant at the CCNA level. They tend to be associated with non-Ethernet use, or with operation in a mixed environment containing Ethernet and other media such as Token Ring. See the Command Reference for all options. The relevant command is:
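The same parameters set from VLAN configuration mode, which is entered with vlan database from privileged EXEC rather than from configure terminal, together with the commit commands of Table 27. This is an added example, not configuration from the original article; the domain name, password, VLAN IDs and names are assumptions chosen for illustration.

```cisco
! Added example (not from the original article): VTP and per-VLAN settings
! from VLAN configuration mode ("vlan database"). Domain name, password,
! VLAN IDs and names are assumptions chosen for illustration.
!
Switch# vlan database
! Global VTP parameters are available here as well as in global config.
Switch(vlan)# vtp domain CORP-LAB
Switch(vlan)# vtp server
Switch(vlan)# vtp password 8charsMin-Sec
Switch(vlan)# vtp v2-mode
Switch(vlan)# vtp pruning
!
! Per-VLAN settings. Nothing below takes effect until "apply" or "exit"
! commits the proposed database; "show differences" lists what is pending.
Switch(vlan)# vlan 10 name DATA
Switch(vlan)# vlan 20 name VOICE mtu 1500 state active
Switch(vlan)# show differences
!
! "apply" commits, increments the revision number and advertises the
! change, but stays in the mode (it is refused on a VTP client).
Switch(vlan)# apply
!
! A change you think better of: "reset" throws the proposal away and
! reloads the current database, staying in the mode.
Switch(vlan)# vlan 30 name MISTAKE
Switch(vlan)# reset
Switch(vlan)# show differences
!
! "exit" applies whatever is still proposed and returns to privileged EXEC,
! so clear unwanted proposals with "reset" (or leave with "abort") first.
Switch(vlan)# exit
Switch# show vtp status
Switch# show vlan brief
```

The behavioural difference from global configuration mode is the commit step: in global mode a vlan command takes effect when you leave config-vlan mode, whereas here the revision number only moves on apply or exit, which is why abort and reset exist.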

http://www.certificationzone.com/cisco/newsletter/SL/nla_11-30-04_newage.html
