
VLAN and VTP

Ref: http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960/software/release/12-2_58_se/configuration/guide/2960scg/swvlan.html

What is a VLAN?
A VLAN is a switched network that is logically segmented by function, project team, or
application, without regard to the physical locations of the users. VLANs have the same
attributes as physical LANs, but you can group end stations even if they are not physically
located on the same LAN segment. Any switch port can belong to a VLAN, and unicast,
broadcast, and multicast packets are forwarded and flooded only to end stations in the VLAN.
Each VLAN is considered a logical network, and packets destined for stations that do not
belong to the VLAN must be forwarded through a router.
VLANs are often associated with IP subnetworks. For example, all the end stations in a
particular IP subnet belong to the same VLAN. Interface VLAN membership on the switch is
assigned manually on an interface-by-interface basis. When you assign switch interfaces to
VLANs by using this method, it is known as interface-based, or static, VLAN membership.
Ref: [Cisco.com]

Why use VLAN?

In the exhibit above, two hosts (Sales Person and Manager) are connected to the same
switch. In this scenario, two hosts with different roles (or belonging to different
departments) are physically connected to the same device/network, which allows access
between the hosts.
There are a few security implications, listed below, that should be addressed to ensure
separation of duties and/or isolation of risk.
1. Virus/Worm infection
2. Data Theft / Hacking
3. Broadcast Traffic

Lecturer: Simon Htike South Metro TAFE 2016


Email: Simon.Htike@smtafe.wa.edu.au Page 1 of 8
Possible solutions
1. Create physical isolation: connect all hosts in each department to a separate
switch. This solution is expensive, since not all the switch ports will be utilised and
the spare ports cannot be used by other departments.
2. Create VLANs: connect all hosts in each department by assigning their switch ports
to a different VLAN group. This creates virtual confinement without having to
acquire additional physical switches, and the ports on a switch are better utilised.

Configuring a normal-range VLAN


You configure VLANs with the vlan global configuration command by entering a VLAN ID. Enter a
new VLAN ID to create a VLAN, or enter an existing VLAN ID to modify that VLAN.
Normal-range VLANs are identified with a number between 1 and 1001. VLAN numbers 1002
through 1005 are reserved.
VLAN configuration for VLANs 1 to 1005 is always saved in the VLAN database. If the VTP
mode is transparent, VTP and VLAN configuration are also saved in the switch running
configuration file.
Ref: [Cisco.com]

Network Topology (Scenario 1 of 3)

Getting Started
Before you begin, ensure the following:
1. All hosts are connected to the switch ports as shown.
2. The Layer 3 protocol on each host is configured, e.g. a usable IP address in the same
network is assigned on each host. You may use any private IP address.
3. Verify the network connectivity, e.g. ping from one host to another host.

Switch Configuration - Create a new VLAN

Assign switch ports to a VLAN


You can configure multiple switch ports at once by using the [interface range] command. A static-
access port (set via the switchport mode access command) can belong to one VLAN and is
manually assigned to that VLAN (via the switchport access vlan command).

Or you can configure a single interface using just the [interface] command.

Verify VLAN configuration
Use the [show vlan] or [show vlan brief] command in privileged mode to verify.
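The complete Scenario 1 procedure (create the VLANs, assign ports with both [interface range] and [interface], then verify) as one IOS session. This is an added example and not a reproduction of the handout's own screenshots; the VLAN IDs (10 and 20), VLAN names, port ranges and the hostname S1 are assumed values for this lab.

```cisco
! Added example (not from the handout). VLAN IDs, names, port ranges
! and hostname are assumed values chosen for this lab.
S1# configure terminal
! Entering a new VLAN ID creates the VLAN; an existing ID modifies it
S1(config)# vlan 10
S1(config-vlan)# name Sales
S1(config-vlan)# exit
S1(config)# vlan 20
S1(config-vlan)# name Management
S1(config-vlan)# exit
!
! Several ports at once with "interface range" (Sales hosts)
S1(config)# interface range fastethernet0/1 - 5
S1(config-if-range)# switchport mode access
S1(config-if-range)# switchport access vlan 10
S1(config-if-range)# exit
!
! A single port with "interface" (Manager host)
S1(config)# interface fastethernet0/6
S1(config-if)# switchport mode access
S1(config-if)# switchport access vlan 20
S1(config-if)# end
!
! Verify in privileged mode: each VLAN should list its ports,
! and every port not assigned above should still show under VLAN 1
S1# show vlan brief
S1# copy running-config startup-config
```

Check the output of show vlan brief for two things: the ports you assigned appear under VLAN 10 and 20 only, and any port left in the default VLAN 1 is one you intended to leave there. Ports that are not in use are better moved to an unused VLAN and shut down, so a host plugged into a spare port does not land in the same VLAN as the Manager or Sales hosts by accident.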

Network Topology (Scenario 2 of 3)

In this scenario, we have several VLANs across multiple switches. By default, all switch
ports belong to the default VLAN 1. Hence the switch port G0/1 on the S1 and S2 switches is part
of VLAN 1. For the hosts within the [Sales] VLAN on [S1] to be reachable from [S2], the ports
connecting the two switches must be set to [Trunk] ports.
Trunk Port
A trunk port is a member of all VLANs by default, but membership can be limited by
configuring the allowed-VLAN list.
Identical VLANs on all switches
All switches must maintain the same VLAN database containing identical VLANs. If a
new VLAN is created on any of the switches, you will have to replicate/repeat the same
procedure on all other switches. In a large network environment, VTP (VLAN Trunking
Protocol) is used to sync VLANs across multiple switches.

Configuring Trunk port


To allow propagation of multiple VLANs across different switches, use the [switchport mode
trunk] interface configuration command. There are two network protocol standards used
for VLAN data encapsulation.

Verify Trunk Ports
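Configuring and verifying the S1-S2 trunk from Scenario 2 as one IOS session. This is an added example, not the handout's own configuration; it assumes the inter-switch link is G0/1 on both switches and that the VLAN IDs 10 and 20 from Scenario 1 are the ones that need to cross the trunk. The same commands are repeated on S2.

```cisco
! Added example (not from the handout). Port G0/1 and VLAN IDs 10/20
! are assumed values; apply the same configuration on S2.
S1# configure terminal
S1(config)# interface gigabitethernet0/1
! The two encapsulation standards are IEEE 802.1Q and Cisco ISL.
! On platforms that support both (e.g. the 3560) the encapsulation
! must be selected before trunk mode:
!   switchport trunk encapsulation dot1q
! The 2960 supports 802.1Q only and does not accept that command.
S1(config-if)# switchport mode trunk
! Trunks carry all VLANs by default; limit the trunk to the VLANs
! that actually need to cross it (VLAN 1 kept for this lab)
S1(config-if)# switchport trunk allowed vlan 1,10,20
S1(config-if)# end
!
! Verify: mode, encapsulation, and the allowed / active VLAN lists
S1# show interfaces trunk
S1# show interfaces gigabitethernet0/1 switchport
```

In show interfaces trunk, confirm the port reports mode "on", the expected encapsulation, and that the "Vlans allowed on trunk" line matches the list above on both ends; a VLAN that is allowed on one side but pruned on the other silently drops traffic. Note that the allowed list is a manual filter: any VLAN added later (including VLANs distributed by VTP in Scenario 3) must be added to the list on both switches before its hosts can communicate across the trunk.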

Network Topology (Scenario 3 of 3)

In this scenario, VTP is used to distribute the same VLANs to all the switches. The DIST1 switch will
be used as the [VTP Server] switch to distribute new VLANs to the other switches, which are configured
as [VTP Client].

About VTP
Ref: http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3560/software/release/12-2_52_se/configuration/guide/3560scg/swvtp.html

VTP is a Layer 2 messaging protocol that maintains VLAN configuration consistency by
managing the addition, deletion, and renaming of VLANs on a network-wide basis. VTP
minimizes misconfigurations and configuration inconsistencies that can cause several
problems, such as duplicate VLAN names, incorrect VLAN-type specifications, and security
violations.

Before you create VLANs, you must decide whether to use VTP in your network. Using VTP,
you can make configuration changes centrally on one or more switches and have those
changes automatically communicated to all the other switches in the network. Without VTP,
you cannot send information about VLANs to other switches.

VTP is designed to work in an environment where updates are made on a single switch and
are sent through VTP to other switches in the domain. It does not work well in a situation
where multiple updates to the VLAN database occur simultaneously on switches in the same
domain, which would result in an inconsistency in the VLAN database.

You can configure a switch to operate in any one of these VTP modes:

Server: In VTP server mode, you can create, modify, and delete VLANs and specify
other configuration parameters, such as VTP version and VTP pruning, for the entire
VTP domain. VTP servers advertise their VLAN configuration to other switches in
the same VTP domain and synchronize their VLAN configuration with other switches
based on advertisements received over trunk links. VTP server is the default mode.

Client: VTP clients behave the same way as VTP servers, but you cannot create,
change, or delete VLANs on a VTP client.
Transparent: VTP transparent switches do not participate in VTP. A VTP transparent
switch does not advertise its VLAN configuration and does not synchronize its VLAN
configuration based on received advertisements, but transparent switches do forward
VTP advertisements that they receive out their trunk ports in VTP Version 2.

Getting Started
Before you begin, ensure the following:
1. All switch ports connecting the switches to each other are configured as [Trunk] ports.
2. No new VLANs have been created, as this will be done later, i.e. don't create any VLAN on
any of the switches.

Configuring VTP Client switch


By default, all the switches operate as a VTP Server. In this scenario, the DIST1 switch is the
only switch operating as [VTP Server]. All other switches should be configured as [VTP
Client] to sync VLAN updates from the [VTP Server] switch.
To configure this, the switch must belong to the same domain (set via the vtp domain command)
and use the same password (set via the vtp password command) to authenticate.

Repeat this procedure on all switches except the [DIST1] switch. The DIST1 switch will be used for
distribution of VLANs to all [VTP Client] switches.

Configuring VTP Server switch


To configure this, the switch must belong to the same domain (set via the vtp domain command)
and use the same password (set via the vtp password command) to authenticate.

Verify VTP configuration
Verify your entries in the VTP Operating Mode and the VTP Domain Name fields of the display.

Create VLANs
Now you may create the required VLANs on the [VTP-Server] switch. Then run show vlan on the other
switches to confirm the VLANs have been propagated.
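The whole of Scenario 3 (VTP client, VTP server, verification, and creating the VLANs once on the server) as one IOS session. This is an added example and not the handout's own configuration; the hostname ACC1, the domain name LAB, the password value and the VLAN IDs 10 and 20 are assumed values for this lab.

```cisco
! Added example (not from the handout). Hostnames, domain name,
! password and VLAN IDs are assumed values; use your own secret.
!
! --- on every switch except DIST1 ---
ACC1# configure terminal
ACC1(config)# vtp domain LAB
ACC1(config)# vtp password Lab-VTP-Secret
ACC1(config)# vtp mode client
ACC1(config)# end
! Check the "VTP Operating Mode" and "VTP Domain Name" fields
ACC1# show vtp status
!
! --- on DIST1 only ---
DIST1# configure terminal
DIST1(config)# vtp domain LAB
DIST1(config)# vtp password Lab-VTP-Secret
DIST1(config)# vtp mode server
DIST1(config)# end
DIST1# show vtp status
!
! Create the VLANs once, on the server; VTP advertises them over
! the trunks configured in Scenario 2
DIST1# configure terminal
DIST1(config)# vlan 10
DIST1(config-vlan)# name Sales
DIST1(config-vlan)# exit
DIST1(config)# vlan 20
DIST1(config-vlan)# name Management
DIST1(config-vlan)# exit
DIST1(config)# end
!
! Back on a client: the VLANs appear without being typed in, and the
! "Configuration Revision" should now match DIST1's
ACC1# show vlan brief
ACC1# show vtp status
```

Two checks are worth making in show vtp status beyond the two fields the handout names. First, "MD5 digest" should be identical on the server and every client; a mismatch means the domain name or password differs and the client will silently ignore the advertisements. Second, "Configuration Revision" should increase on DIST1 with each VLAN change and be mirrored on the clients. The revision number is also why the handout insists on configuring VTP before any VLANs: a switch joining the domain with a higher revision number than the server overwrites the domain's VLAN database, even in client mode, so any switch being added to the lab later should be reset (for example by putting it in transparent mode or changing its domain name) so its revision returns to zero.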

