
VLAN (Virtual LAN)

A VLAN is a logical grouping of hosts (PCs, departments, project teams, or applications), possibly spread across multiple LAN segments, that is not constrained by physical location. Members of a VLAN communicate as if they were on a common LAN.

By default, switches break up collision domains and routers break up broadcast domains. VLANs break up broadcast domains in a purely switched internetwork.

Each VLAN is a broadcast domain, so it must have its own IP subnet.

You can assign each switch port to a VLAN. Ports in a VLAN share broadcast traffic. Ports
that do not belong to that VLAN do not share the broadcast traffic.

Why not just subnet my network?


A common question is why not just subnet the network instead of using VLANs? Each VLAN should be in its own subnet. The benefit a VLAN provides over a plainly subnetted network is that devices in different physical locations, which do not connect back to the same router port, can be in the same subnet. Subnetting with a router alone ties a subnet to one physical segment: all devices in that subnet must hang off the same switch (or switches bridged together), and that segment must connect to one port on the router.

VLAN Advantages
VLANs define broadcast domains without the constraint of physical location. For example, instead of making all of the users on the third floor part of the same broadcast domain, you use VLANs to make all of the users in the HR department part of the same broadcast domain. The benefits of doing this are many. Firstly, these users might be spread throughout different floors of a building, and a VLAN lets you make all of them part of the same broadcast domain. This can also be viewed as a security feature: since all HR users are part of the same broadcast domain, you can later use policies such as access lists on the router between VLANs to control which areas of the network these users can reach, or which users can reach the HR broadcast domain. Furthermore, if the HR department's server is placed on the same VLAN, HR users can reach their server without the traffic crossing a router, which is less efficient and may affect other parts of the network.
Types of VLAN Membership

VLAN Membership by Port Group (Static VLANs)


VLANs are defined on a switch on a port-by-port basis. We might make ports 1-6 part of VLAN 1 and ports 7-12 part of VLAN 2. A VLAN isn't limited to a single switch: trunk links are used to interconnect switches, so a VLAN might have 3 ports on one switch and 7 ports on another.

Assigning VLANs purely by port group does not allow multiple VLANs on the same segment
(or switch port). The disadvantage of defining VLANs by port is that you must reconfigure
VLAN membership when a user moves from one port to another.

Question
Which approach to assigning VLAN membership maximizes forwarding performance?
A. membership by MAC address
B. membership by logical address
C. membership by protocol
D. membership by port
E. membership by operating system

Answer D

membership by port

Membership by MAC Address (Dynamic VLANs)

VLANs configured by MAC address can recognize when a station has been moved to another port on a switch. VLAN management software can then automatically reconfigure that station into its appropriate VLAN without any change to the station's MAC or IP address.

The drawback of MAC address-based VLAN solutions is the requirement that large numbers of users must initially be configured into at least one VLAN. Fortunately the VLAN Management Policy Server (VMPS) can be used to set up a database mapping MAC addresses to VLANs, from which ports are then assigned to VLANs dynamically.

Question
Which piece of information is used by a VLAN Management Policy Server to dynamically
assign a port to a VLAN?

A. Source IP address
B. Source hostname
C. Source MAC address
D. Source port

Answer C

The source MAC address of the sending station is used to assign a port to a specific VLAN.

A is incorrect because the source IP address is irrelevant to the server.


B is incorrect, as the hostname of the source device is not used to assign VLANs.
D is incorrect because the source port of the traffic is not a consideration when assigning
VLANs.

Layer 3–Based VLANs

VLANs based on layer 3 information use the subnet address (for TCP/IP networks) to determine VLAN membership. No route calculation is undertaken and no routing protocols such as RIP or OSPF are involved. From the point of view of a switch employing layer 3-based VLANs, connectivity within any given VLAN is therefore still a flat, bridged topology; routing is still necessary to provide connectivity between distinct VLANs. There are
several advantages to defining VLANs at layer 3. First, it enables partitioning by protocol type.
This may be an attractive option for network managers who are dedicated to a service- or
application-based VLAN strategy. Second, users can physically move their workstations
without having to reconfigure each workstation’s network address—a benefit primarily for
TCP/IP users. Third, defining VLANs at layer 3 can eliminate the need for frame tagging in
order to communicate VLAN membership between switches, reducing transport overhead.
One of the disadvantages of defining VLANs at layer 3 (vs. MAC- or port-based VLANs) can
be performance. Inspecting layer 3 addresses in packets is more time consuming than
looking at MAC addresses in frames.

Inter-VLAN Communication

A VLAN is simply a special type of broadcast domain, defined on a switch-port basis rather than by traditional physical boundaries. Recall that when a host in one broadcast domain wishes to communicate with a host in another, a router must be involved. This holds true for VLANs.

A Layer 3 switch is generally a Layer 2 switching device that also includes the ability to act as
a router. If a switch includes Layer 3 capabilities it can be configured to route traffic between
VLANs defined in the switch, without the need for packets to ever leave the switch. However,
if a switch only includes Layer 2 functionality, an external router must be configured to route
traffic between the VLANs. In some cases, it's entirely possible that a packet will leave switch
port 1, be forwarded to an external router, and then be routed right back to port 2 on the
originating switch. For this reason, many companies have decided to implement Layer 3
switches strategically throughout their network.

Extending VLANs Between Switches


Access links/ports

Access links carry traffic for a single VLAN only. The switch removes any VLAN tag from a frame before forwarding it out an access link, so a device on an access link cannot communicate outside its VLAN unless the packet goes through a router.

Below we have connected a link between two switches, with the port at each end a member of VLAN 1. Without any additional configuration this link carries only VLAN 1 traffic. While an access link does the job in a single-VLAN environment, one access link per VLAN would be needed to pass traffic for multiple VLANs between the switches.

Running multiple access links between the same pair of switches would be a big waste. Instead, traffic for multiple VLANs should cross a single trunk link.

Trunk Links

Trunk links are required to pass VLAN information between switches. A trunk port is by default a member of all the VLANs that exist on the switch and carries traffic for all of those VLANs between the switches. To distinguish between the traffic flows, the trunk port tags each frame with its VLAN ID as it passes between the switches. Trunking must be enabled on both ends of the link.

If two switches are connected together, both switch ports must be configured for trunking, and both must use the same tagging mechanism. Two trunking protocols enable VLAN tagging on Cisco switches:

ISL and IEEE 802.1Q (referred to as "dot1q").

For traffic from multiple VLANs to traverse a link connecting two switches we need to
configure VLAN tagging on the ports that supply the link.

So we should choose either InterSwitch Link (ISL) or 802.1q.


ISL is a Cisco proprietary VLAN tagging method,
802.1q is an open standard.

When interconnecting two Cisco switches either will work (several examples in these notes use ISL), but if you need to interconnect switches of different types (a Cisco switch and an Avaya switch, for example) use 802.1Q. Note that ISL is a legacy Cisco-only format: newer Catalyst platforms support only 802.1Q, so in practice 802.1Q is the usual choice.

Configuring Trunk Links on a Switch

On a switch that supports both encapsulations, choose the encapsulation first and then turn on trunking:

Switch(config-if)#switchport trunk encapsulation dot1q
Switch(config-if)#switchport mode trunk

OR

Switch(config-if)#switchport trunk encapsulation isl
Switch(config-if)#switchport mode trunk

The encapsulation command must come first: while the encapsulation is still at its default of negotiate, the switch rejects switchport mode trunk.

To check the status of a trunk, use the show interface trunk command. It displays which ports are trunk ports, their trunk mode, the encapsulation in use, and the VLANs allowed on the trunk.

In the output for this command, ports Fa0/11 and Fa0/12 are shown as trunking in the default mode of dynamic desirable, running IEEE 802.1Q encapsulation, with all VLANs allowed to send traffic across the trunk.
Question
When a switch port is used as a VLAN trunk, which of the following trunk modes are valid?

A. Blocking
B. Auto
C. Desirable
D. On
E. Transparent
F. Learning

Answer B, C, D
A trunk port can be configured in one of five modes: on, off, desirable, auto or nonegotiate. Blocking and learning are spanning-tree port states, and transparent is a VTP mode, not a trunk mode.

Question
Which commands when used together would create an 802.1Q link? (Select two)

A. Switch(vlan)#mode trunk
B. Switch(config)#switchport access mode trunk
C. Switch(config-if)#switchport mode trunk
D. Switch(config-if)#switchport trunk encapsulation dot1q
E. Switch(config)#switchport access mode 1
F. Switch(vlan)#trunk encapsulation dot1q

Answer C, D

Both commands are entered in interface configuration mode, which is the clue in the question: to create a trunk on an interface you have to be at the (config-if)# prompt. On a switch that supports both ISL and 802.1Q, set the encapsulation to dot1q first and then set the mode to trunk.

InterSwitch Link (ISL)

ISL only functions on ports with a speed of 100 Mbps or greater; it cannot be used on a 10 Mbps port. The ports on both ends of the link need to be configured for ISL.

Essentially, what ISL does is tag a frame as it leaves a switch with information about the VLAN that the frame belongs to. ISL VLAN information is added to a frame only if the frame is forwarded out of a trunk link, and the ISL encapsulation is removed if the frame is forwarded out an access link. ISL wraps the original frame in a 26-byte header and a 4-byte trailer CRC, so a full-size frame grows to 1548 bytes.

IEEE 802.1Q instead inserts a 4-byte tag field into the frame, between the source MAC address and the type/length field, to identify the VLAN. One of the issues with either form of VLAN tagging is that by adding information to an Ethernet frame, the size of the frame can move beyond the Ethernet maximum of 1518 bytes: to 1522 bytes for 802.1Q (so-called "baby giants"), or more for ISL. Because of this, a port that is not configured for the tagging method in use sees these frames as giants and drops them as invalid. This is why both ends of a link must be configured for the same encapsulation in order to understand the tagged frame format.
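As an added illustration of the tagging described above (example code written for these notes, not taken from the page's source material), the following Python builds a full-size Ethernet frame, inserts an 802.1Q tag the way a trunk port does on egress, parses the tag back out, strips it as an access port would, and checks the frame length against the 1518/1522-byte limits. The MAC addresses and payload are constructed sample data, and the FCS is a zero placeholder rather than a computed CRC.

```python
import struct

TPID_8021Q = 0x8100          # EtherType value that announces an 802.1Q tag
ETH_MAX_UNTAGGED = 1518      # classic Ethernet maximum: 14-byte header + 1500 payload + 4 FCS
ETH_MAX_TAGGED = 1522        # 1518 plus the 4-byte 802.1Q tag (a "baby giant")


def build_frame(dst, src, ethertype, payload):
    """Untagged Ethernet II frame. The 4-byte FCS is a zero placeholder (constructed)."""
    fcs = b"\x00\x00\x00\x00"
    return dst + src + struct.pack("!H", ethertype) + payload + fcs


def tag_frame(frame, vlan_id, priority=0, native_vlan=None):
    """Insert an 802.1Q tag after the source MAC, as a trunk port does on egress.
    A frame belonging to the trunk's native VLAN leaves untagged."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be 1-4094")
    if vlan_id == native_vlan:
        return frame
    tci = ((priority & 0x7) << 13) | (vlan_id & 0xFFF)   # PCP(3 bits) | DEI(1)=0 | VID(12)
    tag = struct.pack("!HH", TPID_8021Q, tci)
    return frame[:12] + tag + frame[12:]


def parse_vlan(frame):
    """Return (vlan_id, priority, inner_ethertype), or (None, None, ethertype) if untagged."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != TPID_8021Q:
        return None, None, ethertype
    tci = struct.unpack("!H", frame[14:16])[0]
    inner = struct.unpack("!H", frame[16:18])[0]
    return tci & 0xFFF, tci >> 13, inner


def untag_frame(frame):
    """Strip the tag, as a switch does before forwarding out an access port."""
    vid, _, _ = parse_vlan(frame)
    if vid is None:
        return frame
    return frame[:12] + frame[16:]


def is_giant(frame, port_tag_aware):
    """A port not configured for tagging treats anything over 1518 bytes as a giant."""
    limit = ETH_MAX_TAGGED if port_tag_aware else ETH_MAX_UNTAGGED
    return len(frame) > limit


def demo():
    """Round-trip a full-size frame through tagging and untagging (constructed data)."""
    dst = bytes.fromhex("ffffffffffff")
    src = bytes.fromhex("005056aabbcc")
    payload = b"\x00" * 1500                                 # maximum IP payload
    untagged = build_frame(dst, src, 0x0800, payload)        # 1518 bytes
    tagged = tag_frame(untagged, vlan_id=10, priority=5)     # 1522 bytes
    return {
        "untagged_len": len(untagged),
        "tagged_len": len(tagged),
        "parsed": parse_vlan(tagged),
        "giant_on_untagged_port": is_giant(tagged, port_tag_aware=False),
        "giant_on_trunk_port": is_giant(tagged, port_tag_aware=True),
        "roundtrip_ok": untag_frame(tagged) == untagged,
        "native_stays_untagged": tag_frame(untagged, 1, native_vlan=1) == untagged,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The native-VLAN branch in tag_frame is the point to keep in mind when reading the 802.1Q router examples later in these notes: frames in the native VLAN cross the trunk with no tag at all, so both ends must agree on which VLAN that is.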

To route traffic between VLANs without trunking, we would need to connect the router to a separate port in each VLAN.

A better strategy is to configure ISL (or 802.1Q) tagging on one of the router's Fast Ethernet interfaces, and configure the same encapsulation on the connected switch port. This configuration, also known as "router on a stick", allows the router to receive the traffic of multiple VLANs over one link and route between them.
A router-on-a-stick is a network configuration that uses a single router interface as a
gateway for more than one network segment. You literally take a single Ethernet interface,
put it on multiple VLANs, and set up the IP address.

Here’s how it works: The router is plugged into a port on a switch that is configured as a trunk
that carries all the important VLANs. The router is configured with Ethernet sub-interfaces one
for each VLAN.

The router is connected to the switch via a FastEthernet port (or faster). A plain 10 Mbps Ethernet port is not suitable here: ISL is not supported on 10 Mbps ports, and the single interface has to carry the traffic of every VLAN in both directions.

The configuration of the interface is where things get interesting. Here is the VLAN information for the three VLANs that will communicate through the router-on-a-stick:

VLAN 10: 10.10.10.0 /24


VLAN 20: 20.20.20.0 /24
VLAN 30: 30.30.30.0 /24

The port on the switch connected to the router's FastEthernet port must be in trunking mode,
here we’ll choose the trunking protocol as ISL (Cisco-proprietary).

The FE port on the router will not have an IP address. The use of router-on-a-stick mandates
the use of logical subinterfaces. One subinterface must be given an IP address in VLAN 10,
one in VLAN 20 and the other will have an IP address in VLAN 30.
The Router config for inter-VLAN communication.

(config)#interface fastethernet 3/1
(config-if)#no ip address

(config-if)#interface fastethernet 3/1.10
(config-subif)#encapsulation isl 10
(config-subif)#ip address 10.10.10.1 255.255.255.0

(config-subif)#interface fastethernet 3/1.20
(config-subif)#encapsulation isl 20
(config-subif)#ip address 20.20.20.1 255.255.255.0

(config-subif)#interface fastethernet 3/1.30
(config-subif)#encapsulation isl 30
(config-subif)#ip address 30.30.30.1 255.255.255.0

Set the encapsulation on each subinterface before its IP address: IOS only accepts an IP address on a LAN subinterface once that subinterface has been assigned to a VLAN.

And that's it! Your hosts in VLAN 10, 20 and 30 should now be able to communicate.

Question
If I have VLAN 3, and VLAN 4 configured on a Cisco Switch, and I would like to have pcs on
VLAN 3 communicate with pcs on VLAN 4. Which of the following will allow this inter-VLAN
communication to take place?

A. It takes place through any Cisco router.


B. It takes place through a Cisco router that can run ISL.
C. It takes place through a router, but this disables all the router's Security and filtering
functionality for the VLANs.
D. For nonroutable protocols, (e.g., NetBEUI) the router provides communications between
VLAN domains.
E. Inter-VLAN communications is not possible because each VLAN is a separate broadcast
domain.

Answer B

Explanation
In a switched environment, frames are switched only between ports designated to be within the same "broadcast domain". VLANs perform network partitioning and traffic separation at Layer 2, so inter-VLAN communication cannot occur without a Layer 3 device such as a router, because network layer (Layer 3) devices are responsible for communicating between multiple broadcast domains. Note that, at Layer 2, the router interface uses ISL (or 802.1Q) to communicate with the switch.

Incorrect Answers
A. The router requires ISL.
C. The router does not change the security settings.
D. The router will not route a nonroutable protocol into the VLAN.
E. Without a router inter-VLAN communication is impossible.
dot1q Example

It is recommended that the sub-interface value is the same as the VLAN.

Rtr(config)#interface fastethernet 0/1.1
Rtr(config-subif)#description VLAN 1
Rtr(config-subif)#encapsulation dot1q 1
Rtr(config-subif)#ip address 10.1.0.1 255.255.0.0

Rtr(config)#interface fastethernet 0/1.10
Rtr(config-subif)#description Management VLAN 10
Rtr(config-subif)#encapsulation dot1q 10
Rtr(config-subif)#ip address 10.10.0.1 255.255.0.0

Rtr(config)#interface fastethernet 0/1.20
Rtr(config-subif)#description VLAN 20
Rtr(config-subif)#encapsulation dot1q 20
Rtr(config-subif)#ip address 10.20.0.1 255.255.0.0

Because VLAN 1 is the native (untagged) VLAN on a Cisco 802.1Q trunk by default, the subinterface for VLAN 1 would normally be configured with encapsulation dot1q 1 native, as in the 802.1Q external-router example later in these notes; otherwise the router expects tagged VLAN 1 frames that the switch never sends.

Switch(config)#interface fastethernet 0/0


Switch(config-if)#switchport trunk encapsulation dot1q
Switch(config-if)#switchport mode trunk

Router(config)#interface fastethernet port-number.subinterface-number

The port-number identifies the physical interface; the subinterface-number identifies the virtual interface.

Define the VLAN encapsulation.

Router(config-subif)#encapsulation dot1q vlan-number

The vlan-number identifies the VLAN for which the subinterface will carry traffic.

Assign an IP address to the subinterface.

Router(config-subif)#ip address ip-address subnet-mask
Inter-VLAN Routing
If we plugged devices into each VLAN port they can only talk to other devices in the same
VLAN. We need to enable inter-VLAN communication.

Using a router that supports ISL or 802.1Q on a Fast Ethernet interface, we create one subinterface per VLAN and bind each subinterface to its VLAN with the encapsulation command.

Router#config t
Router(config)#int f0/0.1
Router(config-subif)#encapsulation dot1Q ?

<1-4094 > VLAN ID

The subinterface number is only locally significant so it doesn’t matter which numbers are
used but its best to use the same subinterface number as VLAN number.
Inter-VLAN Routing on an External Router ISL Trunk Link


Configuration on the Router


The major interface of a router using ISL cannot have an ip address.

(config)#interface fastethernet 0/0


(config-if)#no ip address

(config-if)#interface fastethernet 0/0.10


(config-subif)#encapsulation isl 10
(config-subif)#ip address 10.10.1.1 255.255.255.0

(config-if)#interface fastethernet 0/0.20


(config-subif)#encapsulation isl 20
(config-subif)#ip address 10.20.1.1 255.255.255.0

Configuration on the Switch


Switch(config)#interface fastethernet 0/0
Switch(config-if)#switchport trunk encapsulation isl
Switch(config-if)#switchport mode trunk
Inter-VLAN Routing on an External Router 802.1Q Trunk Link

Configuration on the Router

With 802.1Q the trunk's major (physical) interface can carry an IP address; if it has none, bring it up anyway with the no shutdown command.

Rtr(config)#interface fastethernet 0/0


Rtr(config-if)#no shutdown

Rtr(config)#interface fastethernet 0/0.1


Rtr(config-subif)#description VLAN 1
Rtr(config-subif)#encapsulation dot1q 1 native
Rtr(config-subif)#ip address 10.1.1.1 255.255.255.0

Rtr(config)#interface fastethernet 0/0.10


Rtr(config-subif)#description VLAN 10
Rtr(config-subif)#encapsulation dot1q 10
Rtr(config-subif)#ip address 10.10.1.1 255.255.255.0

Rtr(config)#interface fastethernet 0/0.20


Rtr(config-subif)#description VLAN 20
Rtr(config-subif)#encapsulation dot1q 20
Rtr(config-subif)#ip address 10.20.1.1 255.255.255.0

The encapsulation dot1q vlan-id command enables 802.1Q on a Cisco router subinterface.

In 802.1Q the native VLAN (VLAN 1 by default) is carried without a tag, which is why the subinterface for VLAN 1 above is marked native. With dot1q the trunk's major interface can have an IP address. Remember that the major interface of a router using ISL cannot have an IP address.

Configuration on the Switch


Switch(config)#interface fastethernet 0/0
Switch(config-if)#switchport trunk encapsulation dot1q
Switch(config-if)#switchport mode trunk
Example

VLAN Memberships

Manual / Static

With manual VLAN configuration, the initial setup and all subsequent moves/changes are
controlled by the network administrator. This enables a high degree of control and is the most
secure. However, in larger enterprise networks, manual configuration is not practical and
defeats one of the primary benefits of VLANs: elimination of the time taken to administer
moves and changes, although moving users manually with VLANs may be easier than
moving users across router subnets.

Automatic / Dynamic

A dynamic VLAN determines host assignment automatically using a VLAN management application. Cisco admins can use the VLAN Management Policy Server (VMPS) service to set up a database that maps MAC addresses to VLANs. The administrator enters all the MAC addresses into the VMPS database with their VLAN assignments and configures the switch to assign VLANs dynamically whenever a host is plugged into the switch.
switchport
You only use the switchport command on switches—not routers. It can put a port into trunk
mode, into a certain VLAN, or even to set port security.

Its most common use is to configure an interface to connect to an access device (e.g.,
workstation, server, printer, etc.) e.g.
Switch(config-if)#switchport mode access

You can also use this command to put a port in a certain VLAN
Switch(config-if)#switchport access vlan 101

To change trunking protocol


Switch(config-if)#switchport trunk encapsulation isl
Configuring VLAN’s

After you have created VLANs verify them with a show vlan command

show vlan

S1#show vlan

Remember that a VLAN is not in use until it is assigned to a switch port, and all ports are in the default VLAN 1 unless set otherwise. Here all ports are in VLAN 1. Ports 1 and 2 aren't showing up? That is because they are trunk ports.

Trunk ports don't show up in the show vlan output, because they belong to no single VLAN.

Use the show interface trunk command to see trunked ports.

S3750-1#show interface trunk

Port        Mode       Encapsulation  Status    Native vlan
Fa1/0/13    desirable  n-isl          trunking  1
Fa1/0/14    desirable  n-isl          trunking  1
Fa1/0/15    desirable  n-isl          trunking  1

The n- prefix on the encapsulation means it was negotiated with the neighbor (via DTP) rather than configured statically.
Assigning Switch Ports to VLANs on a Switch
We configure a port to belong to a VLAN by assigning it a membership mode that specifies the traffic the port carries.

Let's say we want to create VLANs 5 and 10, put ports 2 and 3 in VLAN 5 (Marketing) and ports 4 and 5 in VLAN 10 (Human Resources). On a Cisco 2950 switch, here's how.

We need to create the new VLANs and then put each port in the proper VLAN.

CAT1#config t
Enter configuration commands, one per line. End with CNTL/Z.
CAT1(config)#vlan 5
CAT1(config-vlan)#name marketing
CAT1(config-vlan)#exit
CAT1(config)#vlan 10
CAT1(config-vlan)#name humanresources
CAT1(config-vlan)#exit
CAT1(config)#interface FastEthernet 0/2
CAT1(config-if)#switchport mode access
CAT1(config-if)#switchport access vlan 5
CAT1(config-if)#exit
CAT1(config)#interface FastEthernet 0/3
CAT1(config-if)#switchport mode access
CAT1(config-if)#switchport access vlan 5
CAT1(config-if)#exit
CAT1(config)#interface FastEthernet 0/4
CAT1(config-if)#switchport mode access
CAT1(config-if)#switchport access vlan 10
CAT1(config-if)#exit
CAT1(config)#interface FastEthernet 0/5
CAT1(config-if)#switchport mode access
CAT1(config-if)#switchport access vlan 10
CAT1(config-if)#exit
CAT1(config)#

At this point ports 2 and 3 should be able to communicate with each other, and ports 4 and 5 with each other, but not across the two pairs, because each pair is in its own VLAN. For the device on port 2 to communicate with the device on port 4, you would need a trunk to a router (or a Layer 3 switch) that strips off the VLAN tag, routes the packet, and re-tags it for the destination VLAN.

Question
When a new trunk link is configured on an IOS based switch, which VLANs are allowed over
the link?

A. By default all defined VLANs are allowed on the trunk.


B. Each single VLAN or VLAN range must be specified with the switchport mode cmd.
C. Each single VLAN or VLAN range must be specified with the vtp domain cmd.
D. Each single VLAN or VLAN range must be specified with the vlan database cmd.

Answer A

By default all VLANs are allowed over a trunk at all times. This is true for every Cisco IOS
switch.
Assigning a range of access ports to VLAN
Configuring Trunk Ports

Switch#config t
Switch(config)#int f0/12
Switch(config-if)#switchport mode trunk
Switch(config-if)#^Z
Switch#

switchport mode trunk

Puts the interface into permanent trunking mode and negotiates (via DTP) to convert the neighboring link into a trunk link. The interface becomes a trunk interface even if the neighboring interface does not agree to trunk.

switchport mode access

To disable trunking on an interface use the switchport mode access command


Switch#config t
Switch(config)#int f0/12
Switch(config-if)#switchport mode access
Switch(config-if)#^Z
Switch#

We can verify our configuration with the show running-config command.


Switch#show running-config
!
interface FastEthernet0/2
switchport access vlan 2
no ip address
!
interface FastEthernet0/3
switchport access vlan 3
no ip address
!
interface FastEthernet0/4
switchport access vlan 4
no ip address
!
interface FastEthernet0/12
switchport mode trunk
no ip address
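An added example, not from the original notes: a small Python audit that reads a running-config like the one above and reports how the switch will treat each port. It assumes, as the notes do, that a port with no switchport mode or access vlan command is an access port in VLAN 1 (on a switch whose ports default to dynamic trunk negotiation that assumption would need adjusting). The configuration text embedded in the block is constructed for the example.

```python
import re

# Constructed sample, modelled on the show running-config listing above
SAMPLE_RUNNING_CONFIG = """\
!
interface FastEthernet0/1
 description uplink to CAT2
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1-99
 switchport mode trunk
!
interface FastEthernet0/2
 switchport access vlan 2
 no ip address
!
interface FastEthernet0/3
 switchport access vlan 3
!
interface FastEthernet0/4
 switchport mode access
!
interface FastEthernet0/12
 switchport mode trunk
!
"""


def parse_interfaces(config_text):
    """Split a running-config into {interface name: [its configuration lines]}."""
    blocks, current = {}, None
    for line in config_text.splitlines():
        match = re.match(r"^interface (\S+)", line)
        if match:
            current = match.group(1)
            blocks[current] = []
        elif line.startswith("!"):
            current = None                       # end of the interface block
        elif current is not None and line.strip():
            blocks[current].append(line.strip())
    return blocks


def classify_port(lines):
    """Describe a port's VLAN membership the way the switch will treat it.
    Assumption (as in the notes): no mode/vlan command means access port in VLAN 1."""
    mode, access_vlan, encapsulation, allowed = "access", 1, None, "all"
    for line in lines:
        if line == "switchport mode trunk":
            mode = "trunk"
        elif line == "switchport mode access":
            mode = "access"
        elif line.startswith("switchport access vlan "):
            access_vlan = int(line.split()[-1])
        elif line.startswith("switchport trunk encapsulation "):
            encapsulation = line.split()[-1]
        elif line.startswith("switchport trunk allowed vlan "):
            allowed = line.split("switchport trunk allowed vlan ", 1)[1]
    if mode == "trunk":
        return {"mode": "trunk", "encapsulation": encapsulation or "unspecified", "allowed": allowed}
    return {"mode": "access", "vlan": access_vlan}


def audit(config_text):
    """Return (per-port classification, findings) for a running-config."""
    ports = {name: classify_port(lines)
             for name, lines in parse_interfaces(config_text).items()}
    findings = []
    for name, info in ports.items():
        if info["mode"] == "access" and info["vlan"] == 1:
            findings.append(f"{name}: access port left in default VLAN 1")
        if info["mode"] == "trunk" and info["allowed"] == "all":
            findings.append(f"{name}: trunk carries all VLANs (no allowed-vlan list)")
    return ports, findings


if __name__ == "__main__":
    ports, findings = audit(SAMPLE_RUNNING_CONFIG)
    for name, info in ports.items():
        print(name, info)
    for finding in findings:
        print("FINDING:", finding)
```

The two findings it raises are the ones these notes keep returning to: a port silently left in VLAN 1, and a trunk that carries every VLAN because no allowed list was ever set.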

Trunking with the 3560 Switch

The 3560 can run both the ISL and 802.1Q trunking encapsulations, so on the chosen interface the encapsulation is selected first and then the port is set to trunk:

Core#conf t
Core(config-if)#switchport trunk encapsulation dot1q
Core(config-if)#switchport mode trunk

Core#conf t
Core(config-if)#switchport trunk encapsulation isl
Core(config-if)#switchport mode trunk

Removing VLANs from a Trunk


We can remove VLANs from the allowed list to prevent traffic from certain VLANs from
traversing a trunked link

S1#config t
S1(config)#int f0/1
S1(config-if)#switchport trunk allowed vlan remove 4

To remove a range of VLANs


S1(config-if)#switchport trunk allowed vlan remove 4-8

To set the trunk back to default


S1(config-if)#switchport trunk allowed vlan all
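To make the allowed-list arithmetic concrete, here is added example code (not part of the original notes) that replays a sequence of switchport trunk allowed vlan arguments against the default of all VLANs and renders the result in the same range notation IOS prints. It handles the all and remove forms used above as well as add, except and none, which the command also accepts; the command sequences in the block are constructed.

```python
ALL_VLANS = frozenset(range(1, 4095))          # 802.1Q allows VLAN IDs 1-4094


def parse_vlan_list(text):
    """'1-99,200,300-305' -> set of VLAN IDs, validating the 1-4094 range."""
    vlans = set()
    for part in text.split(","):
        part = part.strip()
        if "-" in part:
            low, high = (int(x) for x in part.split("-", 1))
        else:
            low = high = int(part)
        if not 1 <= low <= high <= 4094:
            raise ValueError(f"bad VLAN range: {part!r}")
        vlans.update(range(low, high + 1))
    return vlans


def apply_allowed_vlan(current, argument):
    """Apply one 'switchport trunk allowed vlan <argument>' to the current allowed set."""
    keyword, _, rest = argument.strip().partition(" ")
    if keyword == "all":
        return set(ALL_VLANS)
    if keyword == "none":
        return set()
    if keyword == "add":
        return current | parse_vlan_list(rest)
    if keyword == "remove":
        return current - parse_vlan_list(rest)
    if keyword == "except":
        return set(ALL_VLANS) - parse_vlan_list(rest)
    return parse_vlan_list(argument)            # a bare list replaces the whole set


def compress(vlans):
    """Render a set back into the '1-3,5,7-9' notation that show interface trunk prints."""
    ids = sorted(vlans)
    pieces, i = [], 0
    while i < len(ids):
        j = i
        while j + 1 < len(ids) and ids[j + 1] == ids[j] + 1:
            j += 1
        pieces.append(str(ids[i]) if i == j else f"{ids[i]}-{ids[j]}")
        i = j + 1
    return ",".join(pieces)


def replay(arguments):
    """Replay a sequence of allowed-vlan arguments, starting from the default of all VLANs."""
    allowed = set(ALL_VLANS)
    for argument in arguments:
        allowed = apply_allowed_vlan(allowed, argument)
    return allowed


if __name__ == "__main__":
    # Constructed sequences mirroring the commands in the text
    for sequence in (["remove 4"], ["remove 4-8"], ["remove 4-8", "all"], ["1-99"]):
        print(sequence, "->", compress(replay(sequence)))
```

Note that a bare list (as in the 1-99 example that follows) replaces the whole allowed set, whereas add and remove edit it in place; confusing the two is an easy way to open a trunk to more VLANs than intended.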
One more example: port trunking is the process by which ports are designated as uplink ports to carry traffic from multiple VLANs across the same physical cable. In the following example we enable trunking on E0/1 and restrict it to carrying VLANs 1 through 99 (the switchport commands apply to a switch port, even though the hostname here is Router).

Router# configure terminal
Router(config)#interface E0/1
Router(config-if)#switchport access vlan 100
Router(config-if)#switchport trunk encapsulation dot1q
Router(config-if)#switchport trunk allowed vlan 1-99
Router(config-if)#switchport mode trunk
Router(config-if)#^Z

This configuration carries traffic for VLANs 1-99 across E0/1. The switchport access vlan 100 line has no effect while the port is trunking; it would only apply if the port were later returned to access mode. Setting the trunk encapsulation type is only possible on switches that support more than one encapsulation. Make sure spanning tree is enabled so that the trunk cannot create a loop.

Another Example
This router serves 3 VLANs, each with 2 hosts. The router is connected to the switch through subinterfaces; the switch port connecting to the router is the trunk port, and the other switch ports, connecting to the clients and the hub, are access ports.

The configuration on the Switch is

Given the logical networks

VLAN 1 192.168.10.16/28
VLAN 2 192.168.10.32/28
VLAN 3 192.168.10.48/28
Example

What are the router and switch configurations, based on the IP address that one host in each VLAN has been given?

Switch configuration

Router configuration

Since the hosts don't list a subnet mask, the number of hosts in each VLAN gives us the block size: VLAN1 has 85 hosts and VLAN2 has 115 hosts.

Calculating the subnet mask:

max number of hosts = 115

2^7 - 2 = 126, 2^6 - 2 = 62

therefore 7 host bits are needed (6 would leave room for only 62 hosts)

32 - 7 = 25 bits for the network address, or a /25 mask

11111111.11111111.11111111.10000000
255.255.255.128

The subnets will be 0 and 128:

the 0 subnet (VLAN1) has host range 1-126,
the 128 subnet (VLAN2) has host range 129-254

So the router configuration will be as shown. We used the first address in the host range for VLAN1 and the last address in the range for VLAN2, but any address in each range would work as the router's subinterface address (and therefore as the hosts' default gateway).

To set the ip address of the switch


Example
Here are two VLANs. By looking at the router configuration, what are the IP address, mask, and default gateway of Host A? Use the last IP address in the range for Host A's address.

Answer

Both subnets are using a /28 or 255.255.255.240 mask; this is a block size of 16 (256 - 240 = 16).
The router's address for VLAN1 is in the 128 subnet. The next subnet is 144, so the broadcast address of VLAN1 is 143 and the valid host range is 129 - 142.

So Host A takes host address 142 (the last in the range), mask 255.255.255.240, and the router's VLAN1 subinterface address as its default gateway.
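The block-size arithmetic from the two examples above (85/115 hosts, and the /28 whose router address sits in the 128 subnet), carried out with Python's ipaddress module. This is an added example, not part of the original notes. Because neither example states its network address, 192.168.1.0/24 and a router address of 192.168.10.129/28 are assumed here purely for illustration.

```python
import ipaddress


def mask_for_hosts(host_count):
    """Smallest prefix length whose subnet leaves room for host_count usable addresses
    (2^host_bits - 2, as in the worked example)."""
    host_bits = 1
    while (2 ** host_bits) - 2 < host_count:
        host_bits += 1
    return 32 - host_bits


def plan_vlans(base_network, vlan_hosts):
    """Carve equal-size subnets for {vlan name: host count} out of base_network.
    Every VLAN gets the prefix sized for the largest VLAN, as the worked example does."""
    prefix = mask_for_hosts(max(vlan_hosts.values()))
    subnets = ipaddress.ip_network(base_network).subnets(new_prefix=prefix)
    plan = {}
    for name, subnet in zip(vlan_hosts, subnets):
        hosts = list(subnet.hosts())
        plan[name] = {
            "network": str(subnet),
            "mask": str(subnet.netmask),
            "block_size": subnet.num_addresses,
            "first_host": str(hosts[0]),          # a natural router address
            "last_host": str(hosts[-1]),
            "broadcast": str(subnet.broadcast_address),
        }
    return plan


def host_from_gateway(gateway_with_prefix):
    """From the router's subinterface address (e.g. '192.168.10.129/28') derive the mask,
    block size, broadcast and host range, as the second example asks."""
    iface = ipaddress.ip_interface(gateway_with_prefix)
    net = iface.network
    hosts = list(net.hosts())
    return {
        "mask": str(net.netmask),
        "block_size": net.num_addresses,
        "first_host": str(hosts[0]),
        "last_host": str(hosts[-1]),              # "use the last address" for Host A
        "broadcast": str(net.broadcast_address),
        "default_gateway": str(iface.ip),
    }


if __name__ == "__main__":
    # Assumed base network; the notes do not state one
    for name, info in plan_vlans("192.168.1.0/24", {"VLAN1": 85, "VLAN2": 115}).items():
        print(name, info)
    # Assumed router address for the /28 example
    print(host_from_gateway("192.168.10.129/28"))
```

plan_vlans sizes every subnet for the largest VLAN, which is what the worked example does; a real address plan would usually give VLAN1 the smaller /25-or-tighter block it actually needs.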


VLAN Trunking Protocol VTP

VTP allows switches to advertise VLAN information and create a consistent view of the switched network across all switches in the same VTP domain. When a VLAN is created on a VTP server, all other VTP devices in the domain are notified of that VLAN's existence. VTP servers and clients know about every VLAN in the domain, even VLANs that have no member ports on that switch.

VTP is a Layer 2 messaging protocol that maintains VLAN configuration consistency by


managing the addition, deletion, and renaming of VLANs on a network-wide basis. VTP
minimizes inconsistencies such as duplicate VLAN names, incorrect VLAN-type
specifications, and security violations.

Switches have 3 VTP modes

Server – add, modify, delete VLANs

Client – process VLAN changes and forward VTP messages

Transparent – forward VTP messages only

Switch VTP Modes

VTP Server
Maintains the VLAN database. VLANs can be created, deleted and edited on the server for
the entire VTP domain

VTP servers advertise their VLAN configuration to other switches in the same VTP domain
and synchronize their VLAN configuration with other switches based on advertisements
received over trunk links. VTP server is the default mode for all Catalyst Switches.

You need at least one server in your VTP domain to propagate VLAN information throughout the domain. VTP advertisements are sent over VLAN 1 (the management VLAN), so all VLAN trunks must be configured to pass VLAN 1.

VLAN information is stored in flash (the vlan.dat file), so VTP servers keep their VLAN configuration across a reboot.

VTP Client Mode


Maintains the VLAN database but does not store it in NVRAM, so it does not retain VLAN information across a reboot; it obtains the information again from a VTP server.

Switches in client mode receive information from VTP servers and send and receive updates, but VLANs cannot be created, deleted or edited on a client.
Transparent
VTP transparent switches do not participate in the VTP domain.
The VTP switches in transparent mode ignore VTP messages but will forward VTP
advertisements that they receive out their trunk ports to other switches.

VLANs can be created, deleted and edited, but are local to the switch only they keep their
own database and are not advertised to the other switches in the VTP domain.
Local VLAN information is stored in NVRAM.

Mode          VLAN database across a reboot
Server        Saved in NVRAM
Transparent   Saved in NVRAM (local VLANs only)
Client        Not saved

For switches running VTP to exchange VLAN information successfully, three things have to be true.

1. The VTP domain name must match. This is case-sensitive: "CISCO" and "cisco" are two different domains.

2. If a VTP password is configured, it must match on every switch in the domain.

3. To distribute information about a newly-created VLAN, the switch on which that VLAN is created must be in server mode.

Before you create VLANs, decide whether to use VTP in your network. With VTP, you can make configuration changes centrally on a single switch and have those changes automatically communicated to all the other switches in the domain.

Benefits of VTP

Consistent VLAN configuration across all switches in the network.


LAN trunking over mixed networks, such as Ethernet to ATM LANE or even FDDI.
Accurate tracking and monitoring of VLANs
Dynamic reporting of added VLANs

Understanding VTP Pruning

VTP pruning enhances network bandwidth use by reducing unnecessary flooded traffic, such
as broadcast, multicast, unknown, and flooded unicast packets. VTP pruning increases
available bandwidth by restricting flooded traffic to those trunk links that the traffic must use to
access the appropriate network devices.

Below is a switched network without VTP pruning enabled. Port 1 on Switch 1 and port 2 on
Switch 4 are assigned to the Red VLAN. A broadcast is sent from the host connected to
Switch 1. Switch 1 floods the broadcast and every switch in the network receives it, even
though Switches 3, 5, and 6 have no ports in the Red VLAN.
Flooding Traffic without VTP Pruning

The same switched network with VTP pruning enabled.

Enabling VTP pruning on a VTP server enables pruning for the entire management domain. By default, VLANs 2 through 1000 are pruning-eligible. VTP pruning never prunes VLAN 1.

To make a VLAN pruning-ineligible, enter the clear vtp pruneeligible command; to make it eligible again, enter set vtp pruneeligible. (These are CatOS commands; on IOS switches the equivalent is the switchport trunk pruning vlan interface command.)

The broadcast traffic from Switch 1 is not forwarded to Switches 3, 5, and 6 because traffic for
the Red VLAN has been pruned on the links indicated (port 5 on Switch 2 and port 4 on
Switch 4).
VTP Advertisements

VTP Configuration Revision Numbers

Most VTP deployments have two or more VTP servers, so when one VTP server sends a summary advertisement, how does the receiving switch know whether that advertisement has the latest information?

Every VTP summary advertisement carries a configuration revision number. A server increments its revision number by one each time it updates its own VLAN database, and places that number in its outgoing summary advertisement. If the receiving switch's own configuration revision number is lower than that of the incoming advertisement, the incoming information is considered more recent and is accepted, replacing the local VLAN database. If the incoming advertisement's revision number is lower than (or equal to) the receiving switch's, the advertisement is considered out of date and is ignored.
Configuring Inter-Switch Communication, VTP

VTP - VLAN Trunk Protocol manages all configured VLANS across a switched network.

All Cisco switches are configured to be VTP servers by default!

To configure VTP first configure the domain name and then VTP information.

The core principle of VTP is that interconnected switches are configured to belong to the
same VTP domain (sometimes referred to as a VLAN management domain). The VTP
domain is a logical group of switches that will share VLAN information. Each switch can only
belong to a single VTP domain. The switches in a VTP domain must be adjacent, and the
links connecting the switches must be configured for trunk mode.

When a switch is configured as a VTP server, you must define a VTP domain before you can
create VLANs.

Configuring the Domain

Use the vtp global configuration mode command. In the following example I set the VTP mode
of the switch to server, the VTP domain to Cisco2 and the VTP password to cantona.

1900(config)#vtp ?
client VTP client
domain Set VTP domain name
password Set VTP password
pruning VTP pruning
server VTP server
1900(config)#vtp server
1900(config)#vtp domain Cisco2
1900(config)#vtp password cantona
Show vtp status
After we configure the VTP information we can verify it with the show vtp status command.

VTP can be configured in global or VLAN configuration mode.

VLAN configuration mode is accessed by entering the vlan database privileged EXEC command.

Configuration on the 2950 switch


Switch(config)#vtp mode ?
client set the device to client mode
server set the device to server mode
transparent set the device to transparent mode

Switch(config)#vtp mode server
Device mode already VTP SERVER

Switch(config)#vtp domain London
Changing the VTP domain name from NULL to London
Switch(config)#

Verifying

SwitchA#show vtp status


VTP version 2
Configuration Revision 1
Maximum VLANs supported locally 64
Number of existing VLANs 7
VTP Domain Name London
VTP Pruning Mode Disabled
Another Example

Here the S1 switch is set to VTP server, the VTP domain to Lammle and the VTP password to Todd.

Note that all switches are in VTP server mode by default, and that the show vtp status output
on this switch shows the maximum number of VLANs supported locally is only 255.

Let's add the Core and S2 switches to the Lammle VTP domain. Remember that the VTP domain
name is case sensitive.
VTP Pruning

Consider two switches are trunking, and each has ports in ten VLANs. Of all those VLANs,
the switches only have two in common.

The switches both have ports in VLANs 10 and 11, but have no other common VLANs. By
default, broadcast and multicast traffic destined for any VLAN will cross the trunk, resulting in
a lot of unnecessary traffic crossing the link.

This default behaviour can be stopped by enabling VTP pruning. With VTP pruning enabled
on these switches, a VLAN’s broadcasts will be sent across the trunk only when there are
ports belonging to that particular VLAN on the opposite switch. Broadcasts for VLANs 10 and
11 will go across the trunk, but not for the other VLANs.

You would think that VTP pruning is on by default, but it's not.

vtp pruning

To turn it on, run vtp pruning and verify with show vtp status.

SW1(config)#vtp pruning
Pruning switched on

SW1#show vtp status


VTP Version : 2
Configuration Revision : 3
Maximum VLANs supported locally : 64
Number of existing VLANs : 7
VTP Operating Mode : Server
VTP Domain Name : CCNA
VTP Pruning Mode : Enabled
When VTP pruning is enabled on a server it is enabled for the entire domain. The show interface
trunk command shows, per trunk, which VLANs are forwarding and which have been pruned.

show interface trunk

Enabling Pruning

S1#config t
S1(config)#int f0/1
S1(config-if)#switchport trunk pruning vlan 3-4

This interface command sets which VLANs are prune-eligible on that trunk (here VLANs 3 and
4); pruning itself is switched on for the whole domain with vtp pruning.
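To make the pruning behaviour described in this section concrete, here is a small added model (not from the original notes or from Cisco) of which VLANs' flooded traffic crosses a trunk, with and without pruning, honouring the two rules above: VLAN 1 is never pruned and only prune-eligible VLANs (2-1000 by default, or the list set with switchport trunk pruning vlan) can be pruned. The switch VLAN sets used in the test are constructed sample data.

```python
# Added example: toy model of VTP pruning on one trunk link.
# Rules modelled (from the notes above): pruning is off by default; with it on, a
# VLAN's broadcast/multicast/unknown-unicast floods cross the trunk only if the far
# switch has ports in that VLAN; VLAN 1 is never pruned; only prune-eligible VLANs
# (2-1000 unless narrowed with `switchport trunk pruning vlan`) may be pruned.

DEFAULT_PRUNE_ELIGIBLE = frozenset(range(2, 1001))


def parse_vlan_list(spec: str) -> set:
    """Parse an IOS-style VLAN list such as '3-4,10,20-22' into a set of VLAN IDs."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def flooded_over_trunk(local_vlans, remote_active_vlans, pruning_enabled=False,
                       prune_eligible=DEFAULT_PRUNE_ELIGIBLE) -> set:
    """Return the VLANs whose flooded traffic the local switch sends across the trunk.

    local_vlans:         VLANs the local switch has active ports in.
    remote_active_vlans: VLANs the neighbour has advertised as having active ports.
    prune_eligible:      VLANs that pruning is allowed to remove from the trunk.
    """
    local_vlans = set(local_vlans)
    if not pruning_enabled:
        return local_vlans                    # default behaviour: every VLAN's floods cross
    kept = set()
    for vlan in local_vlans:
        if vlan == 1 or vlan not in prune_eligible:
            kept.add(vlan)                    # VLAN 1 and ineligible VLANs are never pruned
        elif vlan in remote_active_vlans:
            kept.add(vlan)                    # neighbour really has ports in this VLAN
    return kept
```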

Troubleshooting VTP
Switches A and B aren't sharing VLAN information. Both are in VTP server mode, but that isn't
the problem: all switches can be servers and still share VLAN information. The problem is that
they are in two different VTP domains, so they will never share VTP information.

Another Problem

We are trying to create a new VLAN on Switch C and we are receiving an error!

This is because Switch C is in VTP client mode. VTP clients cannot create, delete, add or
change VLANs; they only keep the VTP database in RAM, which isn't saved to NVRAM.
Another problem

Here Switch B isn't receiving VLAN information from Switch A, because Switch B has a higher
revision number.

To resolve this, change the domain name on Switch B to something else and then back to
Globalnet; this resets the revision number to zero.
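The revision-number rule from the VTP Configuration Revision Numbers section and the troubleshooting case just above (a switch with a higher revision ignoring its neighbour, fixed by renaming the domain and back) are modelled in this added Python example, which is not from the original notes or from Cisco. The switch names, domain names and VLAN tables are constructed; the real MD5 digest over the VLAN database is reduced to a comparison of per-password MD5 secrets.

```python
# Added example: toy model of how a switch handles a VTP summary advertisement.
import hashlib
from dataclasses import dataclass, field


@dataclass
class VtpSwitch:
    """One switch's VTP state; only the pieces needed for the revision rule."""
    name: str
    domain: str
    password: str = ""
    mode: str = "server"                      # server | client | transparent
    revision: int = 0
    vlans: dict = field(default_factory=lambda: {1: "default"})

    def secret(self) -> str:
        # Simplified stand-in for the "Generating MD5 secret for the password" step:
        # an advertisement from a switch with a different password is not accepted.
        return hashlib.md5(self.password.encode()).hexdigest()

    def change_vlans(self, vlans: dict) -> None:
        """A server edits its database and bumps its revision by one."""
        if self.mode != "server":
            raise PermissionError(f"{self.name}: {self.mode} mode cannot modify VLANs")
        self.vlans = dict(vlans)
        self.revision += 1

    def summary_advertisement(self) -> dict:
        return {"domain": self.domain, "secret": self.secret(),
                "revision": self.revision, "vlans": dict(self.vlans)}

    def receive(self, ad: dict) -> str:
        """Apply the acceptance rule and report the outcome."""
        if self.mode == "transparent":
            return "forwarded"                # relays the ad but does not apply it
        if ad["domain"] != self.domain:       # domain names are case sensitive
            return "ignored: different domain"
        if ad["secret"] != self.secret():
            return "ignored: password mismatch"
        if ad["revision"] <= self.revision:   # equal revision carries nothing newer
            return "ignored: out of date"
        self.vlans, self.revision = dict(ad["vlans"]), ad["revision"]
        return "accepted"

    def rename_domain(self, new_domain: str) -> None:
        """Changing the domain name resets the revision to 0 (the fix used above)."""
        self.domain, self.revision = new_domain, 0
```

Because any same-domain server with a higher revision overwrites the others, checking a switch's revision (or renaming its domain to zero it) before connecting it to a production domain is the mitigation this model illustrates.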

Question
How many VTP domains can a switch be configured in?

A. 1
B. 64
C. 255
D. Unlimited

Answer A
A switch can be in only a single VTP domain.

Question
Which of the following statements is true when VTP is configured on a switched network that
incorporates VLANs?

A. VTP is only compatible with the 802.1Q standard.
B. VTP adds to the complexity of managing a switched network.
C. All VTP hello packets are routed through VLAN 1 interfaces.
D. Changes made to the network can be communicated to all switches dynamically.

Answer D
Hands on Lab http://www.chinaitlab.com/labto/6500/10.htm

Catalyst> enable
Step 1 Name the VTP domain KNet.

Catalyst> (enable) set vtp domain KNet


VTP domain KNet modified

Step 2 Set the password for the VTP domain using todd

Catalyst> (enable) set vtp password todd


Generating MD5 secret for the password…
VTP domain KNet modified

Step 3 Set the switch to server mode

Catalyst> (enable) set vtp mode server


VTP domain KNet modified

Step 4 Create and name VLAN 10 as Accounting then place module 3 port 1 in VLAN 10

Catalyst> (enable) set vlan 10 name Accounting


Vlan 10 configuration successful
Catalyst> (enable) set vlan 10 3/1
VLAN 10 modified
VLAN 1 modified
VLAN Mod/Ports
---- ---------------
10 3/1
15/1

Step 5 Create and name VLAN 20 as Marketing then place module 3 port 2 in VLAN 20

Catalyst> (enable) set vlan 20 name Marketing


Vlan 20 configuration successful
Catalyst> (enable) set vlan 20 3/2
VLAN 20 modified
VLAN 1 modified
VLAN Mod/Ports
---- ---------------
20 3/2
15/1
Step 6 Enter the privileged mode then enter the global configuration mode.

RouterA>enable
RouterA#

RouterA#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
RouterA(config)#

Step 7 Enter the interface configuration mode for VLAN 10, then configure this interface with
an IP address of 10.0.10.1 255.255.255.0 and activate it.

RouterA#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
RouterA(config)#interface vlan 10
RouterA(config-if)#ip address 10.0.10.1 255.255.255.0
RouterA(config-if)#no shutdown

Step 8 Enter the interface configuration mode for VLAN 20, then configure this interface with
an IP address of 10.0.20.1 255.255.255.0 and activate it.

RouterA#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
RouterA(config)#interface vlan 20
RouterA(config-if)#ip address 10.0.20.1 255.255.255.0
RouterA(config-if)#no shutdown

Step 9 Enter the global configuration mode, then enable RIP routing.

RouterA#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
RouterA(config)#router rip
RouterA(config-router)#

Step 10 Assign a network (10.0.0.0) to the RIP process, then exit router configuration mode.

RouterA#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
RouterA(config)#router rip
RouterA(config-router)#network 10.0.0.0
RouterA(config-router)#end

Step 11 View the other RIP routes within this network

RouterA#show ip route

Gateway of last resort is 11.1.1.15 to network 0.0.0.0

C 127.0.0.0/8 is directly connected
C 10.0.10.0/24 is directly connected, VLAN10
C 10.0.20.0/24 is directly connected, VLAN20
Telephony, Voice VLANs
The Cisco IP phone inserts an 802.1p priority field in the 802.1Q tag. You can configure the
switch to either trust or override the traffic priority assigned by an IP phone.

A Cisco phone has three ports: one connects to the Cisco switch, one to a PC and one is
internal to the phone.

We configure access ports on a switch connected to an IP phone to use one VLAN for voice
traffic and another VLAN for data traffic from the PC attached to the phone.

Access ports on the switch send Cisco Discovery Protocol (CDP) packets that tell the IP phone
to send voice traffic in one of three ways:

To the voice VLAN, tagged with a layer 2 CoS priority value
To the access VLAN, tagged with a layer 2 CoS priority value
To the access VLAN, untagged (no CoS priority value)

Access ports also send CDP packets that tell the IP phone to configure the phone's access port
to be in trusted or untrusted mode:

Trusted mode: all traffic received on the IP phone access port passes through unchanged.
Untrusted mode: all traffic in 802.1Q or 802.1p frames received on the IP phone access port
receives a layer 2 CoS value (default 0).

The Voice VLAN

The voice VLAN is disabled by default. To enable it use the interface command switchport
voice vlan; to return the port to its default setting use the no switchport voice vlan
command.

mls qos trust cos classifies incoming traffic by using the CoS value; untagged packets use
the port's default CoS value.

Notice how we added two access VLANs to the same port. We can only do this if one is a data
VLAN and the other a voice VLAN.
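The 802.1p priority field that the phone places in the 802.1Q tag, and the trusted/untrusted handling of that CoS value described in this section, are shown in this added Python example (not from the original notes or from Cisco). It builds and parses the 2-byte Tag Control Information field (3-bit priority, 1-bit DEI, 12-bit VLAN ID) and models what CoS a trusting versus a non-trusting port assigns; the CoS value 5 and VLAN numbers 3 and 10 in the test are constructed sample values.

```python
# Added example: 802.1Q tag with its 802.1p priority (CoS) field, plus CoS trust handling.
import struct
from typing import Optional

TPID_8021Q = 0x8100          # EtherType announcing that an 802.1Q tag follows


def build_tci(cos: int, vlan_id: int, dei: int = 0) -> bytes:
    """Return the 2-byte Tag Control Information: 3-bit CoS, 1-bit DEI, 12-bit VLAN ID."""
    if not (0 <= cos <= 7 and 0 <= vlan_id <= 4095 and dei in (0, 1)):
        raise ValueError("CoS must be 0-7, VLAN ID 0-4095, DEI 0 or 1")
    return struct.pack("!H", (cos << 13) | (dei << 12) | vlan_id)


def parse_tci(tci: bytes) -> dict:
    """Split a TCI back into its CoS (802.1p priority), DEI and VLAN ID fields."""
    (raw,) = struct.unpack("!H", tci)
    return {"cos": raw >> 13, "dei": (raw >> 12) & 1, "vlan": raw & 0x0FFF}


def insert_tag(frame: bytes, cos: int, vlan_id: int) -> bytes:
    """Insert TPID + TCI after the 12 bytes of destination and source MAC addresses."""
    if len(frame) < 14:
        raise ValueError("frame too short to carry an Ethernet header")
    return frame[:12] + struct.pack("!H", TPID_8021Q) + build_tci(cos, vlan_id) + frame[12:]


def ingress_cos(tci: Optional[bytes], trust_cos: bool, port_default_cos: int = 0) -> int:
    """CoS a device assigns to a frame it receives on a port.

    trust_cos=True models a switch port under 'mls qos trust cos' (or the phone's
    PC port in trusted mode): a tagged CoS is kept, an untagged frame gets the port
    default. trust_cos=False models the untrusted case: the frame is re-marked to
    the port default (0 unless configured), whatever CoS it arrived with.
    """
    if not trust_cos or tci is None:
        return port_default_cos
    return parse_tci(tci)["cos"]
```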
Using the CNA (Cisco Network Assistant) to Configure VLANs and Inter-VLAN Routing

Connect to the 2960 switch S1, which already has three VLANs; we are going to add a voice
VLAN.
Click Configure > Switching > VLANs

This screen shows the status of our ports. Ports 1 and 2 are trunked dynamically: since they're
set to dynamic auto by default, they automatically become trunk links with the Core switch.
Port 3 is a member of VLAN 3, the VLAN access port.

Highlight port 1 > Click Modify. This enables you to configure the port with different
administrative modes, encapsulations plus set the VLANs allowed on the trunk port and set
VTP pruning.
The Configure VLANs tab on the VLANs screen

From here we can see the configured VLANs and are able to modify, add and delete them
(remember this is only done on a VTP server). Click Create.

The Create VLAN box appears.


We clicked Create and added a new VLAN named Todd. Ok.

To create a voice VLAN, click Voice VLAN under Configure.

We highlighted port 4 where my phone is connected and clicked Modify and created a new
voice VLAN (Voice VLAN 10) and clicked OK.
Now to configure inter-VLAN routing using the 3560 switch.

Connect to the Core 3560 switch. Under Configure click Routing > Enable/Disable then select
Enable IP Routing and it will automatically add the configured default gateway. Ok.
Now click Inter-VLAN Routing Wizard and Next.

Click Next again.


Choose the VLANs you want to provide inter-VLAN communication between, add new subnets
and subnet masks for each separate VLAN, and click Next.

Ensure the default route of the switch is correct; here it is the default gateway. Next.
Sit back and watch the router auto-configure itself!

There’s a separate logical interface for each VLAN. Finish with Next and the configuration is
uploaded to the running-config.

#show running-config

All our hosts/phones should now be able to communicate freely between VLANs.
Using Smartport with the 2960

Configuring the phone the easy way using the CNA:
Connect to the 2960 and click Smartports >
Highlight the port the phone is plugged into (here it's port 4) >
Right click and choose IP Phone+Desktop >
Choose the access VLAN (VLAN 3) which the PC is using and the Voice VLAN 10 >
Ok.

Now we can connect both a pc and a phone to the same port and they will run in separate
VLANs (3 & 10)
