Cis187 Switch 2 Vlans Part2
8/12/2019 Cis187 Switch 2 Vlans Part2
1/129
VLANs, Trunking, VTP, Port Aggregation
Part 2
CIS 187 Multilayer Switched Networks
CCNP SWITCH
Rick Graziani, Spring 2011
Storing VLAN information
Storage of VLAN information is model dependent.
Cisco: The memory location name where the vlan.dat file is stored varies
from device to device. Refer to the respective product documentation
before you issue the copy command.
VLAN information for 29xx and 35xx switches is automatically stored in
vlan.dat file in flash.
VTP information: Domain Name, Configuration Revision Number
VLAN information (configured or via VTP): VLAN Number, VLAN Name
DLS1(config)# vtp domain West
DLS1(config)# vlan 10
DLS1(config-vlan)# name WestSales
DLS1(config-vlan)# vlan 11
DLS1(config-vlan)# name WestEng
(Stored in vlan.dat)
Storing VLAN information
Interface commands are stored in running-config and will need to
be saved to startup-config in NVRAM.
DLS1(config)# inter fa 0/1
DLS1(config-if)# switchport mode access
DLS1(config-if)# switchport access vlan 10
DLS1(config-if)# end
DLS1# copy running-config startup-config
(VTP and VLAN information: vlan.dat. Interface commands: running-config, saved to startup-config.)
Storing VLAN information - No longer recommended
DLS1# vlan database
% Warning: It is recommended to configure VLAN from config mode,
as VLAN database mode is being deprecated. Please consult user
documentation for configuring VTP/VLAN in config mode.
DLS1(vlan)# exit
APPLY completed.
Exiting....
DLS1#
Note: The vlan database command is no longer recommended by Cisco.
One less thing we need to remember!
VLAN Trunking Protocol
VLAN Trunking Protocol (VTP)
Cisco-proprietary protocol
Automates the propagation of VLAN information between switches via
trunk links. Minimizes misconfigurations and configuration inconsistencies.
VTP domains define sets of interconnected switches sharing the same
VTP configuration.
VTP Modes
Mode: Client
Cannot create, change, or delete VLANs on the command-line interface (CLI).
Forwards advertisements to other switches.
Synchronizes VLAN configuration with latest information received from
other switches in the management domain.
Does not save VLAN configuration in nonvolatile RAM (NVRAM).
Mode: Server
Can create, modify, and delete VLANs.
Sends and forwards advertisements to other switches.
Synchronizes VLAN configuration with latest information received from
other switches in the management domain.
Saves VLAN configuration in NVRAM.
Mode: Transparent
Can create, modify, and delete VLANs only on the local switch.
Forwards VTP advertisements received from other switches in the same
management domain.
Does not synchronize its VLAN configuration with information received
from other switches in the management domain.
Saves VLAN configuration in NVRAM.
VTP Versions
Three VTP versions: V1, V2, V3.
Versions are not interoperable.
V2 supports token ring VLANs but V1 does not.
VTP version 3
Not part of CCNP SWITCH.
Only available on CatOS, not IOS.
With 12.2(33)SXI VTP version 3 will be supported by IOS, closing the feature gap in this area compared to CatOS. VTP version 3 will be available within all IOS feature sets.
Features:
Supports ISL VLAN range from 1 to 1001.
Supports 802.1Q VLAN range up to 4095.
Can transfer information regarding Private VLAN (PVLAN) structures.
http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps708/solution_guide_c78_508010.html
VTP Messages
VTP Message Types
Summary Advertisements
Subset Advertisements
Advertisement Requests
VTP Summary Advertisements
By default, Catalyst switches issue summary advertisements in 5-minute increments.
Informs adjacent switches of:
VTP domain name
Configuration revision number
When the switch receives a summary advertisement packet, the switch compares the VTP domain name to its own VTP domain name.
If the name is different, the switch ignores the packet.
If the name is the same, the switch then compares the configuration revision to its own revision.
If its own configuration revision is higher or equal, the packet is ignored.
If it is lower, an advertisement request is sent.
VTP Subset Advertisements
When you add, delete, or change a VLAN:
The VTP server where the changes are made increments the configuration
revision and issues a summary advertisement.
One or more subset advertisements follow the summary advertisement.
Contains a list of VLAN information.
VTP Advertisement Requests
A switch issues a VTP advertisement request in these situations:
The switch has been reset.
The VTP domain name has been changed.
The switch has received a VTP summary advertisement with a
higher configuration revision than its own.
Upon receipt of an advertisement request, a VTP device sends a
summary advertisement.
One or more subset advertisements follow the summary
advertisement.
VTP Messages
VTP Summary advertisements
By default, sent every five minutes.
Inform adjacent switches of the current VTP domain name and the configuration revision number.
Receiving switch compares the VTP domain name to its own VTP domain name.
If the name is different, the switch simply ignores the packet.
If the name is the same, the switch then compares the configuration revision to its own revision.
If its own configuration revision is higher or equal, the packet is ignored.
Otherwise, it is lower and a VTP Advertisement Request is sent.
Figure: the sending switch is VTP Domain = Cisco, VTP Mode = Server, Config Rev = 2, VLANs = 1, 2, 3; the receiving switch is VTP Domain = Cisco, VTP Mode = Server, Config Rev = 0, VLANs = 1.
Domain name same or different? Same.
Own Config Rev higher or equal to the sender's? No, it is lower, so an Advertisement Request is sent and the sender replies with a Summary advertisement followed by a Subset advertisement.
NOTE: Whenever you add, delete, or change (name) a VLAN on a VTP server, it increments the configuration revision number and a summary advertisement is sent.
VTP Messages
VTP Subset advertisements
Sent in response to a VTP Advertisement Request.
Also sent whenever there is a change to VLAN information on a VTP server.
First the server sends a VTP Summary Advertisement.
Then the server sends a VTP Subset Advertisement.
One or several subset advertisements follow the summary advertisement.
A subset advertisement contains a list of VLAN information.
Figure: two switches, both VTP Domain = Cisco, VTP Mode = Server, Config Rev = 0, VLANs = 1. VLANs 2 and 3 are added on one server (Config Rev becomes 2); it sends a Summary advertisement, then a Subset advertisement listing VLANs 2 and 3.
Let's take a look at VTP Messages and Server, Client and Transparent Switches.
By default all switches are VTP Servers.
Figure (no trunks configured yet), Switches A, B and C: VTP Domain = null, VTP Mode = Server, Config Rev = 0, VLANs = 1.
Switch B is now a Client. Switch C is now Transparent.
Switch A: VTP Domain = null, VTP Mode = Server, Config Rev = 0, VLANs = 1
Switch B: VTP Domain = null, VTP Mode = Client, Config Rev = 0, VLANs = 1
Switch C: VTP Domain = null, VTP Mode = Transparent, Config Rev = 0, VLANs = 1
VLAN servers maintain a list of all VLANs in NVRAM.
Client cannot add, delete or rename VLANs.
Client does not store VLAN information in NVRAM.
If a client reboots it loses VLAN information and relies on a VTP server to restore the information.
Transparent mode switches must have their VLANs configured manually.
They do not participate in VTP or advertise their VLANs.
Ideal for switches with VLANs which should be local to that switch.
VTP server (Switch A): Domain Name configured as Cisco, VLANs 2 and 3 added, Config Rev increased to 2 (one for each VLAN added).
Switch A: VTP Domain = Cisco, VTP Mode = Server, Config Rev = 2, VLANs = 1, 2, 3
Switch B: VTP Domain = null, VTP Mode = Client, Config Rev = 0, VLANs = 1
Switch C: VTP Domain = null, VTP Mode = Transparent, Config Rev = 0, VLANs = 1
VTP works only over trunk links.
Switch A (Server) sends a summary advertisement over trunk links on VLAN 1.
Includes Domain and Revision Number.
Multicast 01-00-0C-CC-CC-CC.
Switch B updates its Domain.
Because of the higher revision number in the Summary, B replies with an Advertisement Request.
Switch A sends a VTP Subset advertisement.
Switch B updates its VLAN configuration revision number and VLANs. (May be preceded by another Summary advertisement.)
Switch A: VTP Domain = Cisco, VTP Mode = Server, Config Rev = 2, VLANs = 1, 2, 3
Switch B: VTP Domain = Cisco, VTP Mode = Client, Config Rev = 2, VLANs = 1, 2, 3 (updated from null, 0, 1)
Switch C: VTP Domain = null, VTP Mode = Transparent, Config Rev = 0, VLANs = 1
VTP advertisements sent to the Transparent switch (shown together).
Switch C does not make any changes based on these advertisements.
Now, let's say Switch C is configured with Domain name Cisco and VLANs 2, 3, 4, 5, 6.
Even though in the same domain, Switch C does not advertise these VLANs to other switches. The Configuration Revision number remains at 0 even when VLAN configuration is changed.
Transparent switches relay VTP messages they receive to other switches if they are in the same domain or in a null domain (let's take a look).
Switch A: VTP Domain = Cisco, VTP Mode = Server, Config Rev = 2, VLANs = 1, 2, 3
Switch B: VTP Domain = Cisco, VTP Mode = Client, Config Rev = 2, VLANs = 1, 2, 3
Switch C: VTP Domain = Cisco, VTP Mode = Transparent, Config Rev = 0, VLANs = 1, 2, 3, 4, 5, 6
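The message handling walked through on the Switch A/B/C slides above, as an added example written for this page (not code from the slides or from Cisco): a small Python model of server, client and transparent switches exchanging summary advertisements, showing the domain and revision comparison, the relay-only behaviour of a transparent switch, and how a lower revision gets overwritten. The class and function names are my own; switch names, domains and VLAN numbers follow the figures.

```python
from typing import List, Optional, Set, Tuple

Summary = Tuple[Optional[str], int, frozenset]   # (domain, revision, VLAN set)


class VtpSwitch:
    """One switch in a VTP domain. Trunks are direct references; the model
    assumes a loop-free trunk topology so relayed advertisements cannot cycle."""

    def __init__(self, name: str, mode: str = "server") -> None:
        self.name = name
        self.mode = mode                      # "server", "client" or "transparent"
        self.domain: Optional[str] = None     # None is the null domain
        self.revision = 0
        self.vlans: Set[int] = {1}            # VLAN 1 always exists
        self.trunks: List["VtpSwitch"] = []
        self.log: List[str] = []

    def _note(self, text: str) -> str:
        self.log.append(f"{self.name}: {text}")
        return text

    def set_domain(self, domain: str) -> None:
        """Changing the domain name resets the configuration revision to 0."""
        self.domain = domain
        self.revision = 0

    def set_mode(self, mode: str) -> None:
        """Moving to transparent mode resets the configuration revision to 0."""
        self.mode = mode
        if mode == "transparent":
            self.revision = 0

    def add_vlan(self, vid: int) -> bool:
        """Servers and transparent switches accept VLAN changes; only a server
        increments the revision and advertises. A client refuses."""
        if self.mode == "client":
            self._note("VTP VLAN configuration not allowed when device is in CLIENT mode.")
            return False
        self.vlans.add(vid)
        if self.mode == "server":
            self.revision += 1
            self.advertise()
        return True

    def advertise(self, summary: Optional[Summary] = None,
                  via: Optional["VtpSwitch"] = None) -> None:
        """Send (or relay) a summary advertisement over every trunk except the one
        it arrived on. The subset advertisement is folded into the same message."""
        if summary is None:
            summary = (self.domain, self.revision, frozenset(self.vlans))
        for peer in self.trunks:
            if peer is not via:
                peer.receive_summary(summary, self)

    def receive_summary(self, summary: Summary, sender: "VtpSwitch") -> str:
        domain, revision, vlans = summary
        if self.mode == "transparent":
            # Never synchronizes; relays only within its own or the null domain.
            if self.domain in (None, domain):
                self.advertise(summary, via=sender)
                return self._note("relayed, no change")
            return self._note("dropped: different domain")
        if self.domain is None and domain is not None:
            self.domain = domain              # a null-domain switch adopts the first domain it hears
        if domain != self.domain:
            return self._note("ignored: different domain")
        if self.revision >= revision:
            return self._note("ignored: own revision higher or equal")
        # Lower revision: an advertisement request goes back and the subset
        # advertisement overwrites the local database, server or client alike.
        self.vlans = set(vlans)
        self.revision = revision
        self.advertise(summary, via=sender)   # servers and clients forward onward
        return self._note(f"synchronized to revision {revision}, VLANs {sorted(vlans)}")


def trunk(x: VtpSwitch, y: VtpSwitch) -> None:
    x.trunks.append(y)
    y.trunks.append(x)


def walkthrough() -> Tuple[VtpSwitch, VtpSwitch, VtpSwitch]:
    """Switches A (server), B (client) and C (transparent), as in the figures."""
    a, b, c = VtpSwitch("A"), VtpSwitch("B", "client"), VtpSwitch("C", "transparent")
    trunk(a, b)
    trunk(a, c)
    a.set_domain("Cisco")
    a.add_vlan(2)
    a.add_vlan(3)                  # B now has revision 2 and VLANs 1, 2, 3; C is untouched
    c.set_domain("Cisco")
    for vid in (2, 3, 4, 5, 6):    # local only: C advertises nothing, revision stays 0
        c.add_vlan(vid)
    return a, b, c


def overwrite_scenario() -> Tuple[VtpSwitch, VtpSwitch, Set[int]]:
    """Two servers, same domain, same revision, different VLANs; A then adds VLAN 30."""
    a, b = VtpSwitch("A"), VtpSwitch("B")
    for sw, vids in ((a, (10, 11, 12)), (b, (20, 21, 22))):
        sw.set_domain("West")
        for vid in vids:
            sw.add_vlan(vid)
    trunk(a, b)
    a.advertise()                  # equal revisions (3 == 3): B ignores the summary
    before = set(b.vlans)
    a.add_vlan(30)                 # revision 4 > 3: B synchronizes and loses 20, 21, 22
    return a, b, before
```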
Understanding and Troubleshooting Common VTP Issues
Switch A: VTP Domain = West, VTP Mode = Server, Config Rev = 3, VLANs = 1, 10, 11, 12
Switch B: VTP Domain = West, VTP Mode = Server, Config Rev = 3, VLANs = 1, 20, 21, 22
Both switches are VTP Servers and in the same Domain, but have different VLAN information. Let's see what happens when trunking is enabled between the switches.
Each switch: "We both have the same Config Rev number so no changes."
When two switches with the same Domain Name and the same Configuration Revision Number exchange VTP information: No change.
If Switch A adds a new VLAN, VLAN 30, Config Rev is increased by 1 (to 4).
Switch A will send VTP information to Switch B, which will synchronize its VLAN information with Switch A, losing its current local VLANs: Switch B ends up with Config Rev 4 and VLANs 10, 11, 12, 30.
Example: Using DLS1 (Switch A) and DLS2 (Switch B)
DLS1(config)# inter range fa 0/1 - 24
DLS1(config-if-range)# switchport mode dynamic auto
DLS2(config)# inter range fa 0/1 - 24
DLS2(config-if-range)# switchport mode dynamic auto
DLS1# show inter trunk
DLS1#
Note: Because Pod2 2690s and 3560s are incorrectly defaulting to dynamic desirable, they will trunk by default, which we do not want in this example.
This was also done on ALS1 and ALS2 to prevent any trunking.
When DLS1 gets a higher Config Rev Number
DLS1# show vlan
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/1, Fa0/2, Fa0/3, Fa0/4
Fa0/5, Fa0/6, Fa0/9, Fa0/13
Fa0/14, Fa0/15, Fa0/16, Fa0/17
Fa0/18, Fa0/19, Fa0/20, Fa0/21
Fa0/22, Fa0/23, Fa0/24, Gi0/1
Gi0/2
1002 fddi-default active
1003 token-ring-default active
1004 fddinet-default active
1005 trnet-default active
Default VLANs
When DLS1 gets a higher Config Rev Number
DLS1#show vtp status
VTP Version : 2
Configuration Revision : 0
Maximum VLANs supported locally : 1005
Number of existing VLANs : 5
VTP Operating Mode : Server
VTP Domain Name :
VTP Pruning Mode : Disabled
VTP V2 Mode : Disabled
VTP Traps Generation : Disabled
MD5 digest : 0x57 0xCD 0x40 0x65 0x63 0x59 0x47 0xBD
Configuration last modified by 0.0.0.0 at 0-0-00 00:00:00
Local updater ID is 0.0.0.0 (no valid interface found)
DLS1#
Default VTP information:
Configuration Revision Number = 0
Increased by 1 whenever VLAN is added or deleted
VTP Mode = Server
VTP Domain Name = (null)
When DLS1 gets a higher Config Rev Number
DLS2# show vlan
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/1, Fa0/2, Fa0/3, Fa0/4
Gi0/1, Gi0/2
1002 fddi-default active
1003 token-ring-default active
1004 fddinet-default active
1005 trnet-default active
DLS2# show vtp status
VTP Version : 2
Configuration Revision : 0
Maximum VLANs supported locally : 1005
Number of existing VLANs : 5
VTP Operating Mode : Server
VTP Domain Name :
Same on DLS2.
When DLS1 gets a higher Config Rev Number
DLS1(config)# vtp domain West
DLS1(config)# vlan 10
DLS1(config-vlan)# name WestSales
DLS1(config-vlan)# vlan 11
DLS1(config-vlan)# name WestEng
DLS1(config-vlan)# vlan 12
DLS1(config-vlan)# name WestAdmin
DLS1# show vtp status
VTP Version : 2
Configuration Revision : 3
Maximum VLANs supported locally : 1005
Number of existing VLANs : 8
VTP Operating Mode : Server
VTP Domain Name : West
Add VTP Domain Name and configure VLANs
Configuration Revision changed to 3 (one for each VLAN)
Remember, no trunking (yet)
When DLS1 gets a higher Config Rev Number
DLS1# show vlan
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/1, Fa0/2, Fa0/3, Fa0/4
Gi0/1, Gi0/2
10 WestSales active
11 WestEng active
12 WestAdmin active
Verified.
When DLS1 gets a higher Config Rev Number
DLS2(config)# vtp domain West
DLS2(config)# vlan 20
DLS2(config-vlan)# name WestAcct
DLS2(config-vlan)# vlan 21
DLS2(config-vlan)# name WestMngt
DLS2(config-vlan)# vlan 22
DLS2(config-vlan)# name WestManuf
DLS2# show vtp status
VTP Version : 2
Configuration Revision : 3
Maximum VLANs supported locally : 1005
Number of existing VLANs : 8
VTP Operating Mode : Server
VTP Domain Name : West
Now on DLS2: Add VTP Domain Name and configure different VLANs
Configuration Revision changed to 3
Still no trunking
When DLS1 gets a higher Config Rev Number
DLS2# show vlan
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/1, Fa0/2, Fa0/3, Fa0/4
Gi0/1, Gi0/2
20 WestAcct active
21 WestMngt active
22 WestManuf active
Verified.
When DLS1 gets a higher Config Rev Number
DLS1(config)# inter range fa 0/11 - 12
DLS1(config-if-range)# switchport trunk encap dot1q
DLS1(config-if-range)# switchport mode trunk
DLS1# show inter trunk
Port Mode Encapsulation Status Native vlan
Fa0/11 on 802.1q trunking 1
Fa0/12 on 802.1q trunking 1
Trunking configured between DLS1 and DLS2.
VTP messages can now be sent but no changes because
Configuration Revision numbers are the same.
When DLS1 gets a higher Config Rev Number
DLS1# show vtp status
VTP Version : 2
Configuration Revision : 3
Maximum VLANs supported locally : 1005
Number of existing VLANs : 8
VTP Operating Mode : Server
VTP Domain Name : West
DLS2# show vtp status
VTP Version : 2
Configuration Revision : 3
Maximum VLANs supported locally : 1005
Number of existing VLANs : 8
VTP Operating Mode : Server
VTP Domain Name : West
Configuration Revision still 3
Number of existing VLANs (known by each switch) still 8
When DLS1 gets a higher Config Rev Number
DLS1# show vlan
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/1, Fa0/2, Fa0/3, Fa0/4
Fa0/23, Fa0/24, Gi0/1, Gi0/2
10 WestSales active
11 WestEng active
12 WestAdmin active
DLS2# show vlan
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/1, Fa0/2, Fa0/3, Fa0/4
Fa0/23, Fa0/24, Gi0/1, Gi0/2
20 WestAcct active
21 WestMngt active
22 WestManuf active
Verify that there are no DLS2 VLANs on DLS1.
Verify that there are no DLS1 VLANs on DLS2.
When DLS1 gets a higher Config Rev Number
DLS1(config)# vlan 30
DLS1(config-vlan)# name Guest
DLS1# show vtp status
VTP Version : 2
Configuration Revision : 4
Maximum VLANs supported locally : 1005
Number of existing VLANs : 9
VTP Operating Mode : Server
VTP Domain Name : West
VLAN 30 added on DLS1.
Configuration Revision increased by 1 to 4.
DLS1 now has the higher Configuration Revision number between the two servers (the highest in the Domain).
When DLS1 gets a higher Config Rev Number
DLS1# show vlan
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/1, Fa0/2, Fa0/3, Fa0/4
Fa0/23, Fa0/24, Gi0/1, Gi0/2
10 WestSales active
11 WestEng active
12 WestAdmin active
30 Guest active
Verified.
When DLS1 gets a higher Config Rev Number
DLS2# show vtp status
VTP Version : 2
Configuration Revision : 4
Maximum VLANs supported locally : 1005
Number of existing VLANs : 9
VTP Operating Mode : Server
VTP Domain Name : West
DLS2 receives the VTP update from DLS1 with the higher Configuration Revision Number.
DLS2 synchronizes its VLAN database with DLS1's information, including the Configuration Revision Number and VLAN information.
When DLS1 gets a higher Config Rev Number
Previous VLANs on DLS2:
DLS2# show vlan
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/1, Fa0/2, Fa0/3, Fa0/4
Fa0/23, Fa0/24, Gi0/1, Gi0/2
20 WestAcct active
21 WestMngt active
22 WestManuf active
Current VLANs on DLS2 (synced with DLS1):
DLS2# show vlan
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/1, Fa0/2, Fa0/3, Fa0/4
Fa0/23, Fa0/24, Gi0/1, Gi0/2
10 WestSales active
11 WestEng active
12 WestAdmin active
30 Guest active
DLS2 lost previous VLANs 20, 21, and 22.
DLS2's VLAN database was overwritten with DLS1's information.
Good news: both servers are now in sync (identical), so any changes will mean the VLAN
When DLS1 gets a higher Config Rev Number
DLS2(config)# vlan 20
DLS2(config-vlan)# name WestAcct
DLS2(config-vlan)# vlan 21
DLS2(config-vlan)# name WestMngt
DLS2(config-vlan)# vlan 22
DLS2(config-vlan)# name WestManuf
DLS2# show vtp status
VTP Version : 2
Configuration Revision : 7
Maximum VLANs supported locally : 1005
Number of existing VLANs : 12
VTP Operating Mode : Server
VTP Domain Name : West
To correct this we need to add the VLANs back to DLS2.
DLS2 will send VTP update to DLS1 so VLAN information will be the
same.
When DLS1 gets a higher Config Rev Number
DLS2# show vlan
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/1, Fa0/2, Fa0/3, Fa0/4
Fa0/23, Fa0/24, Gi0/1, Gi0/2
10 WestSales active
11 WestEng active
12 WestAdmin active
20 WestAcct active
21 WestMngt active
22 WestManuf active
30 Guest active
Verified.
When DLS1 gets a higher Config Rev Number
DLS1# show vtp status
VTP Version : 2
Configuration Revision : 7
Maximum VLANs supported locally : 1005
Number of existing VLANs : 12
VTP Operating Mode : Server
VTP Domain Name : West
DLS1# show vlan
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/1, Fa0/2, Fa0/3, Fa0/4
Fa0/23, Fa0/24, Gi0/1, Gi0/2
10 WestSales active
11 WestEng active
12 WestAdmin active
20 WestAcct active
21 WestMngt active
22 WestManuf active
30 Guest active
DLS1 receives the VTP update and updates its VLAN information, including the Configuration Revision number.
Domain is still in sync.
What happens when a Client/Server enters with a higher Configuration Revision number?
Both switches are in the same domain.
Switch C can be Client OR Server.
Switch C has the higher Configuration Revision number.
Even if Switch C is a Client, when it enters the VTP domain it will overwrite DLS1's VLAN information because it has the higher Configuration Revision number.
Switch C: VTP Domain = West, VTP Mode = Client (or Server), Config Rev = 13, VLANs = 1, 20, 21, 22, 30
DLS1: VTP Domain = West, VTP Mode = Server, Config Rev = 10, VLANs = 1, 10, 11, 12, 20, 21, 22, 30
Client/Server enters with Higher Revision
DLS1(config)# inter fa 0/1
DLS1(config-if)# switchport mode access
DLS1(config-if)# switchport access vlan 10
DLS1(config-if)# exit
DLS1(config)# inter fa 0/2
DLS1(config-if)# switchport mode access
DLS1(config-if)# switchport access vlan 11
DLS1# show vlan
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/3, Fa0/4, Fa0/5, Fa0/6
Gi0/1, Gi0/2
10 WestSales active Fa0/1
11 WestEng active Fa0/2
12 WestAdmin active
20 WestAcct active
21 WestMngt active
22 WestManuf active
30 Guest active
Assign VLANs to interfaces. (no specific reason)
Client/Server enters with Higher Revision
DLS1(config)# inter range fa 0/11 -12
DLS1(config-if-range)# shutdown
Shut down the interfaces so we can modify DLS2 (Switch B).
We will be adding the trunk back to simulate a switch being entered into the network.
Client/Server enters with Higher Revision
DLS1# show vtp status
VTP Version : 2
Configuration Revision : 10
Maximum VLANs supported locally : 1005
Number of existing VLANs : 12
VTP Operating Mode : Server
VTP Domain Name : West
DLS2#show vtp status
VTP Version : 2
Configuration Revision : 10
Maximum VLANs supported locally : 1005
Number of existing VLANs : 12
VTP Operating Mode : Server
VTP Domain Name : West
Right now both switches have the same Configuration Revision number; let's change that.
Note: Configuration Revision numbers are not necessarily the same as in the previous example because this was done in a different session.
Client/Server enters with Higher Revision
DLS2#show vlan
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/1, Fa0/2, Fa0/3, Fa0/4
Gi0/1, Gi0/2
10 WestSales active
11 WestEng active
12 WestAdmin active
20 WestAcct active
21 WestMngt active
22 WestManuf active
30 Guest active
We are going to remove these three VLANs on DLS2 so it has different
VLANs and a higher Configuration Revision Number.
Remember, DLS1 has same VLAN information and also has:
Fa0/1 in VLAN 10
Fa0/2 in VLAN 11
Client/Server enters with Higher Revision
DLS2(config)# no vlan 10
DLS2(config)# no vlan 11
DLS2(config)# no vlan 12
DLS2(config)# vtp mode client
Setting device to VTP CLIENT mode.
DLS2# show vtp status
VTP Version : 2
Configuration Revision : 13
Maximum VLANs supported locally : 1005
Number of existing VLANs : 9
VTP Operating Mode : Client
VTP Domain Name : West
Three VLANs deleted.
Change VTP mode to Client
Configuration Revision updated from 10 to 13
Client/Server enters with Higher Revision
DLS2# show vlan
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/1, Fa0/2, Fa0/3, Fa0/4
Gi0/1, Gi0/2
20 WestAcct active
21 WestMngt active
22 WestManuf active
30 Guest active
Verify VLANs 10, 11, and 12 were deleted.
Client/Server enters with Higher Revision
DLS1# show vtp status
VTP Version : 2
Configuration Revision : 10
Maximum VLANs supported locally : 1005
Number of existing VLANs : 12
VTP Operating Mode : Server
VTP Domain Name : West
DLS1 has the lower Configuration Revision number, 10.
DLS2's Configuration Revision number is 13.
DLS1(config)# inter range fa 0/11 -12
DLS1(config-if-range)# no shutdown
DLS1# show vtp status
VTP Version : 2
Configuration Revision : 13
Maximum VLANs supported locally : 1005
Number of existing VLANs : 9
VTP Operating Mode : Server
VTP Domain Name : West
DLS2# show vtp status
VTP Version : 2
Configuration Revision : 13
Maximum VLANs supported locally : 1005
Number of existing VLANs : 9
VTP Operating Mode : Client
VTP Domain Name : West
DLS2 (Switch B) is brought online (no shutdown on DLS1).
DLS2 (Client) has the higher Configuration Revision number, 13.
DLS1 (Switch A), with the lower revision number (10), updates its VLAN information to be in sync with DLS2, including its Configuration Revision number, which becomes 13.
VTP Revision Number
Previous VLANs on DLS1:
DLS1# show vlan
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/3, Fa0/4, Fa0/5, Fa0/6
Gi0/1, Gi0/2
10 WestSales active Fa0/1
11 WestEng active Fa0/2
12 WestAdmin active
20 WestAcct active
21 WestMngt active
22 WestManuf active
30 Guest active
Current VLANs on DLS1 (synced with DLS2):
DLS1# show vlan
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/3, Fa0/4, Fa0/5, Fa0/6
Gi0/1, Gi0/2
20 WestAcct active
21 WestMngt active
22 WestManuf active
30 Guest active
Missing VLANs 10, 11, and 12.
Fix it
DLS1(config)# vlan 10
DLS1(config-vlan)# name WestSales
DLS1(config-vlan)# vlan 11
DLS1(config-vlan)# name WestEng
DLS1(config-vlan)# vlan 12
DLS1(config-vlan)# name WestAdmin
DLS1# show vlan
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/3, Fa0/4, Fa0/5, Fa0/6
Gi0/1, Gi0/2
10 WestSales active Fa0/1
11 WestEng active Fa0/2
12 WestAdmin active
20 WestAcct active
21 WestMngt active
22 WestManuf active
30 Guest active
To fix it, we must reconfigure the VLANs on DLS1.
Interfaces Fa0/1 and Fa0/2 are brought from inactive to active.
DLS2# show vlan
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/1, Fa0/2, Fa0/3, Fa0/4
Fa0/23, Fa0/24, Gi0/1, Gi0/2
10 WestSales active
11 WestEng active
12 WestAdmin active
20 WestAcct active
21 WestMngt active
22 WestManuf active
30 Guest active
DLS2(config)# no vlan 10
VTP VLAN configuration not allowed when device is in CLIENT mode.
DLS2(config)#
DLS2 gets VLANs 10, 11, 12 in the VTP update from DLS1.
DLS2 is a Client and can no longer delete (or add) VLANs.
DLS1# show vtp status
VTP Version : 2
Configuration Revision : 16
Maximum VLANs supported locally : 1005
Number of existing VLANs : 12
VTP Operating Mode : Server
VTP Domain Name : West
DLS2# show vtp status
VTP Version : 2
Configuration Revision : 16
Maximum VLANs supported locally : 1005
Number of existing VLANs : 12
VTP Operating Mode : Client
VTP Domain Name : West
Still in sync!
DLS2: VTP Mode = Client (or Server), Config Rev = 16, VLANs = 1, 10, 11, 12, 20, 21, 22, 30
DLS1: VTP Mode = Server, Config Rev = 16, VLANs = 1, 10, 11, 12, 20, 21, 22, 30
How to make sure a switch has a Lower Config Rev: VTP Mode
Setting a switch to Transparent mode resets the configuration revision to 0.
Then set it back to Client or Server.
Figure: the switch being added (DLS2) is VTP Domain = West, VTP Mode = Client, Config Rev = 16, VLANs = 1. Changing its mode to Transparent resets Config Rev to 0; it is then set back to Client. The existing server is VTP Domain = West, VTP Mode = Server, Config Rev = 10, VLANs = 1, 10, 11, 12, 20, 21, 22, 30; once trunked, DLS2 synchronizes to Config Rev 10 and VLANs 1, 10, 11, 12, 20, 21, 22, 30.
DLS2(config)# vtp mode ?
client Set the device to client mode.
server Set the device to server mode.
transparent Set the device to transparent mode.
DLS2(config)#
Not all VTP Messages shown.
How to make sure a switch has a Lower Config Rev: VTP Domain
Changing the Domain Name on a switch resets the configuration revision to 0.
Then set it back to the correct Domain Name.
Figure: the switch being added (DLS2) is VTP Domain = West, VTP Mode = Client, Config Rev = 16, VLANs = 1. Changing its domain to East resets Config Rev to 0; it is then changed back to West. The existing server is VTP Domain = West, VTP Mode = Server, Config Rev = 16, VLANs = 1, 10, 11, 12, 20, 21, 22, 30; once trunked, DLS2 synchronizes to Config Rev 16 and VLANs 1, 10, 11, 12, 20, 21, 22, 30.
DLS2(config)# vtp domain West
Changing VTP domain name from East to West
Not all VTP Messages shown.
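A defender's pre-trunk check for the overwrite shown in the two labs above, added here as an example (not code from the slides or from Cisco): it parses captured "show vtp status" and "show vlan" text, reports which switch would overwrite the others once a trunk comes up and which VLANs each would lose, and checks that a switch being added arrives with revision 0 as the VTP Mode and VTP Domain slides above recommend. The captured outputs are constructed from the DLS1/DLS2 values the lab shows (revision 10 server versus revision 13 client); function names are my own.

```python
import re
from typing import Dict, List

# Constructed captures, values taken from the lab's DLS1/DLS2 output.
SHOW_VTP_STATUS = {
    "DLS1": """VTP Version                     : 2
Configuration Revision          : 10
VTP Operating Mode              : Server
VTP Domain Name                 : West
""",
    "DLS2": """VTP Version                     : 2
Configuration Revision          : 13
VTP Operating Mode              : Client
VTP Domain Name                 : West
""",
}
SHOW_VLAN = {
    "DLS1": """VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/3, Fa0/4, Fa0/5, Fa0/6
                                                Gi0/1, Gi0/2
10   WestSales                        active    Fa0/1
11   WestEng                          active    Fa0/2
12   WestAdmin                        active
20   WestAcct                         active
21   WestMngt                         active
22   WestManuf                        active
30   Guest                            active
1002 fddi-default                     act/unsup
""",
    "DLS2": """VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
20   WestAcct                         active
21   WestMngt                         active
22   WestManuf                        active
30   Guest                            active
1002 fddi-default                     act/unsup
""",
}
VLAN_ROW = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)")   # id, name, status at line start


def parse_vtp_status(text: str) -> dict:
    """Pull domain, mode and revision out of 'show vtp status'."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return {
        "domain": fields.get("VTP Domain Name", ""),
        "mode": fields.get("VTP Operating Mode", "").lower(),
        "revision": int(fields.get("Configuration Revision", "0")),
    }


def parse_show_vlan(text: str) -> Dict[int, str]:
    """Map VLAN id -> name from 'show vlan'. Port continuation lines are
    indented and skipped; the reserved 1002-1005 VLANs are dropped."""
    vlans: Dict[int, str] = {}
    for line in text.splitlines():
        m = VLAN_ROW.match(line)
        if m and int(m.group(1)) < 1002:
            vlans[int(m.group(1))] = m.group(2)
    return vlans


def overwrite_risk(status: Dict[str, dict], vlans: Dict[str, Dict[int, str]]) -> Dict[str, dict]:
    """Per domain the highest revision wins; every other switch with a lower
    revision, server or client alike, is overwritten and loses the VLANs the
    winner does not carry. Transparent switches never synchronize."""
    by_domain: Dict[str, List[str]] = {}
    for name, st in status.items():
        if st["mode"] != "transparent":
            by_domain.setdefault(st["domain"], []).append(name)
    report: Dict[str, dict] = {}
    for names in by_domain.values():
        winner = max(names, key=lambda n: status[n]["revision"])
        for name in names:
            if status[name]["revision"] < status[winner]["revision"]:
                lost = sorted(set(vlans[name]) - set(vlans[winner]))
                report[name] = {"overwritten_by": winner, "lost_vlans": lost}
    return report


def safe_to_join(status: dict) -> bool:
    """A switch added to an existing domain should arrive with revision 0
    (reset via transparent mode or a domain-name change) so it cannot win."""
    return status["revision"] == 0


def assess(show_vtp=SHOW_VTP_STATUS, show_vlan=SHOW_VLAN) -> Dict[str, dict]:
    status = {name: parse_vtp_status(t) for name, t in show_vtp.items()}
    vlans = {name: parse_show_vlan(t) for name, t in show_vlan.items()}
    return overwrite_risk(status, vlans)
```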
VTP Pruning
VTP Pruning
Prevents flooded traffic from propagating to switches that do not have
members in specific VLANs.
VTP pruning uses VLAN advertisements to determine when a trunk connection is flooding traffic needlessly.
VTP Pruning
How would VLANs affect the ARP broadcast?
Host C and Host D would not receive the ARP Request.
But the broadcast would be transmitted across all trunk links.
If VTP pruning is enabled, ALS1 would not send broadcasts for VLAN 120 to DLS1 or DLS2 (dashed lines), since neither has access ports on VLAN 120.
VTP pruning increases the available bandwidth by restricting flooded traffic to those trunk links that traffic must use to access the appropriate network devices.
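An added example (not from the slides) of the pruning decision the figure illustrates: given which switches have active ports in each VLAN, it computes which VLANs are pruned from each trunk and which switches a VLAN 120 broadcast from 

ALS1 reaches with and without pruning. The topology (ALS1 trunked to DLS1 and DLS2, DLS1 trunked to DLS2) and the per-switch access VLANs are constructed; the computation keeps a VLAN on a trunk if any switch reachable beyond it has ports in that VLAN, a conservative answer that does not model which redundant link STP blocks.

```python
from typing import Dict, Set

# Constructed topology: which switches are trunked together, and the VLANs
# that have active access ports on each switch (Hosts A/B, C and D).
TRUNKS: Dict[str, Set[str]] = {
    "ALS1": {"DLS1", "DLS2"},
    "DLS1": {"ALS1", "DLS2"},
    "DLS2": {"ALS1", "DLS1"},
}
ACCESS_VLANS: Dict[str, Set[int]] = {
    "ALS1": {120},   # Hosts A and B
    "DLS1": {10},    # Host C; no access ports on VLAN 120
    "DLS2": {10},    # Host D; no access ports on VLAN 120
}
PRUNING_ELIGIBLE = range(2, 1002)   # VLAN 1 and 1002-1005 are never pruned


def needed_beyond(src: str, dst: str, trunks=TRUNKS, access=ACCESS_VLANS) -> Set[int]:
    """VLANs with active ports on dst or on any switch reachable beyond dst
    without coming back through src: what dst asks src to keep sending."""
    seen, stack = {src, dst}, [dst]
    needed = set(access.get(dst, ()))
    while stack:
        node = stack.pop()
        for peer in trunks[node]:
            if peer not in seen:
                seen.add(peer)
                stack.append(peer)
                needed |= set(access.get(peer, ()))
    return needed


def pruned(src: str, dst: str, trunks=TRUNKS, access=ACCESS_VLANS) -> Set[int]:
    """VLANs pruned from the src -> dst trunk: every pruning-eligible VLAN in
    the domain that nobody beyond dst needs."""
    domain_vlans = set().union(*access.values())
    eligible = {v for v in domain_vlans if v in PRUNING_ELIGIBLE}
    return eligible - needed_beyond(src, dst, trunks, access)


def flood_reach(src: str, vlan: int, pruning: bool,
                trunks=TRUNKS, access=ACCESS_VLANS) -> Set[str]:
    """Switches that receive a broadcast (e.g. an ARP request) originated on
    src in `vlan`, crossing only trunks the VLAN is not pruned from."""
    seen, stack = {src}, [src]
    while stack:
        node = stack.pop()
        for peer in trunks[node]:
            if peer in seen or (pruning and vlan in pruned(node, peer, trunks, access)):
                continue
            seen.add(peer)
            stack.append(peer)
    return seen - {src}
```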
VTP Pruning is disabled by default
DLS1# show vtp status
VTP Version : 2
Configuration Revision : 2
Maximum VLANs supported locally : 1005
Number of existing VLANs : 9
VTP Operating Mode : Server
VTP Domain Name : Cabrillo
VTP Pruning Mode : Disabled
VTP V2 Mode : Disabled
VTP Traps Generation : Disabled
MD5 digest : 0xAB 0x0C 0xEB 0xDE 0x6A 0x89 0x0C 0xAD
Configuration last modified by 10.1.1.101 at 3-1-93 00:17:55
Local updater ID is 10.1.1.101 on interface Vl1 (lowest numbered VLAN interface found)
DLS1#
It is easy to configure
DLS1(config)# vtp pruning
DLS1(config)# end
DLS1# show vtp status
VTP Version : 2
Configuration Revision : 2
Maximum VLANs supported locally : 1005
Number of existing VLANs : 9
VTP Operating Mode : Server
VTP Domain Name : Cabrillo
VTP Pruning Mode : Enabled
VTP V2 Mode : Disabled
VTP Traps Generation : Disabled
MD5 digest : 0xAB 0x0C 0xEB 0xDE 0x6A 0x89 0x0C 0xAD
Configuration last modified by 10.1.1.101 at 3-1-93 00:17:55
Local updater ID is 10.1.1.101 on interface Vl1 (lowest numbered VLAN interface found)
DLS1#
Enable VTP pruning on all switches.
-
VTP Authentication
VTP domains can be secured by using the VTP password feature.
Passwords and domain name must be the same; otherwise, a switch will not become a member of the VTP domain.
Cisco switches use MD5 to hash the password into a 16-byte digest.
The digest is propagated inside VTP summary advertisements.
Case-sensitive and can be 8 to 64 characters in length.
VTP authentication is a recommended practice.
Default: No VTP password
Switch(config)# vtp password password_string
-
VTP Troubleshooting
Check that switches are interconnected by active trunk links.
Check that the trunking protocol matches on opposite ends of a trunk link.
Check VTP domain name (case-sensitive) and password.
Check the VTP mode of the switches.
Check the VTP versions of the switches.
-
Default, Native and Management VLANs
FLAN: Predecessor to the VLAN
-
Native VLAN
By default all traffic is carried across VLAN 1.
VLAN 1 is:
The default VLAN (all user traffic)
The native VLAN: no trunking encapsulation even if configured as a trunk.
The VLAN for CDP, VTP, PAgP (Port Aggregation Protocol), LACP (Link Aggregation Control Protocol), and DTP
A topic that causes considerable confusion is the native VLAN.
(Figure: VLAN 1 is the native VLAN, sent untagged (if trunking, there is no 802.1Q or ISL encapsulation), carries CDP, VTP, PAgP, LACP and DTP, and is the default VLAN.)
-
Native VLAN
The IEEE committee that defined 802.1Q decided to support a native VLAN for backwards compatibility:
Allows 802.1Q capable ports to talk to old 802.3 ports directly by sending and receiving untagged traffic.
Loss of identification also means a loss of classification.
You should avoid using VLAN 1 (or whatever your native VLAN is) for data traffic, so it can be classified for QoS.
We will see examples later with IP Telephony.
(Figure: a common VLAN configuration. Note: we have not yet discussed routing between these VLANs, but we will!)
-
Best Practices
Native VLAN
Can be modified to be a VLAN other than VLAN 1.
Must be the same on both ends, both switches.
Should not be used for the user VLAN or the Management VLAN.
Control traffic (CDP, VTP, PAgP, DTP) is still transmitted over VLAN 1.
If the native VLAN is other than VLAN 1, then control traffic is sent tagged.
It is fine to leave VLAN 1 as the native VLAN, but it should only carry control traffic and not user or management traffic.
Note: A router uses subinterfaces for trunking, and the native VLAN is configured using the native option. (Discussed later)
-
Best Practices
Management VLAN
The Management VLAN is the VLAN used to reach (ping, telnet) devices.
Switch(config)#hostname DLS2
DLS2(config)#interface vlan 99
DLS2(config-if)#ip address 10.0.99.1 255.255.255.0
-
Best Practices
Garbage VLAN
This is the VLAN you can assign to all switch ports until they are assigned to a user or management VLAN.
A way of isolating or managing all non-business traffic.
You may wish to limit this VLAN to access ports and not include this VLAN across trunk links.
DLS2(config)#interface range fa 0/1 - 24
DLS2(config-if)#switchport mode access
DLS2(config-if)# switchport access vlan 222
-
Best Practices
Limiting VLANs on a trunk
You can manually configure which VLANs should be allowed on a trunk.
If you remove VLAN 1 from a trunk port, the interface continues to send
and receive management traffic, CDP, PAgP, LACP, DTP and VTP in
VLAN 1.
Sometimes done to reduce the risk of VLAN 1 STP loops or storms, usually due to misconfiguration. (CCIE stuff)
DLS2(config)#interface fa 0/11
DLS2(config-if)#switchport trunk allowed vlan 1, 10-99
DLS2(config-if)#switchport trunk allowed vlan remove 20
-
Best Practices
Looking at a complete configuration for a trunk link
DLS2(config)#interface fa 0/11
DLS2(config-if)#switchport trunk encapsulation dot1q
DLS2(config-if)#switchport mode trunk
DLS2(config-if)#switchport trunk native vlan 2
DLS2(config-if)#switchport trunk allowed vlan 1, 10-99
DLS2(config-if)#switchport trunk allowed vlan remove 20
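The trunk configuration above is a good input for a configuration check of the kind the troubleshooting slides later in this deck call for: the native VLAN must match on both ends and the allowed-VLAN lists should agree. The Python below is an added example, not course or Cisco code. It folds the DLS2 Fa0/11 commands from the slide into an effective native VLAN and allowed set, compares them with a far end (the far end's lines are constructed; they are not on the slide), and also flags a native VLAN that the interface's own allowed list excludes, as is the case with native VLAN 2 and the allowed list 1,10-99 shown above, since that VLAN's untagged frames are then not carried on the trunk. The `add`, `remove`, `except`, `all` and `none` keywords handled are the ones IOS accepts for `switchport trunk allowed vlan`.

```python
import re

ALL_VLANS = frozenset(range(1, 4095))  # 802.1Q VLAN IDs 1-4094


def parse_vlan_list(spec):
    """Expand an IOS VLAN list such as '1, 10-99' or '1,10-99,200' into a set."""
    vlans = set()
    for part in re.split(r"[,\s]+", spec.strip()):
        if not part:
            continue
        if "-" in part:
            lo, hi = part.split("-", 1)
            vlans.update(range(int(lo), int(hi) + 1))
        else:
            vlans.add(int(part))
    return vlans


def apply_allowed_vlan(current, args):
    """Apply the argument of one `switchport trunk allowed vlan ...` command
    to the current allowed set; a bare VLAN list replaces the set."""
    keyword, _, rest = args.strip().partition(" ")
    keyword = keyword.lower()
    if keyword == "all":
        return set(ALL_VLANS)
    if keyword == "none":
        return set()
    if keyword == "add":
        return current | parse_vlan_list(rest)
    if keyword == "remove":
        return current - parse_vlan_list(rest)
    if keyword == "except":
        return set(ALL_VLANS) - parse_vlan_list(rest)
    return parse_vlan_list(args)


def trunk_end(commands):
    """Fold the `switchport trunk ...` lines of one interface into its
    effective native VLAN and allowed set (defaults: native 1, all allowed)."""
    end = {"native": 1, "allowed": set(ALL_VLANS)}
    for line in commands:
        line = line.strip()
        m = re.fullmatch(r"switchport trunk native vlan (\d+)", line)
        if m:
            end["native"] = int(m.group(1))
            continue
        m = re.fullmatch(r"switchport trunk allowed vlan (.+)", line)
        if m:
            end["allowed"] = apply_allowed_vlan(end["allowed"], m.group(1))
    return end


def check_trunk(a, b):
    """Report native VLAN mismatches, allowed lists that do not agree, and a
    native VLAN that an end's own allowed list excludes."""
    problems = []
    if a["native"] != b["native"]:
        problems.append(f"native VLAN mismatch: {a['native']} vs {b['native']}")
    only_a, only_b = a["allowed"] - b["allowed"], b["allowed"] - a["allowed"]
    if only_a or only_b:
        problems.append(f"allowed VLANs differ: only A {sorted(only_a)}, only B {sorted(only_b)}")
    for label, end in (("A", a), ("B", b)):
        if end["native"] not in end["allowed"]:
            problems.append(f"end {label}: native VLAN {end['native']} is not in its allowed list")
    return problems


# DLS2 Fa0/11 as configured on the slide.
DLS2_FA0_11 = [
    "switchport trunk encapsulation dot1q",
    "switchport mode trunk",
    "switchport trunk native vlan 2",
    "switchport trunk allowed vlan 1, 10-99",
    "switchport trunk allowed vlan remove 20",
]
# Constructed far end (not from the slide): same allowed list, default native VLAN 1.
PEER = [
    "switchport trunk encapsulation dot1q",
    "switchport mode trunk",
    "switchport trunk allowed vlan 1,10-99",
    "switchport trunk allowed vlan remove 20",
]

if __name__ == "__main__":
    for problem in check_trunk(trunk_end(DLS2_FA0_11), trunk_end(PEER)):
        print(problem)
```

Run against the slide's DLS2 end and the constructed peer, the check reports the native VLAN mismatch (2 versus 1) and that VLAN 2 is missing from DLS2's own allowed list; the allowed sets themselves agree (VLAN 1 plus 10-99 without 20, 90 VLANs).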
-
Private VLAN
-
Private VLANs
Private VLANs (pVLAN) provide isolation between ports within the same VLAN.
pVLANs require VTP switches to be in transparent mode.
pVLANs can go across trunks.
(Figure: Community VLAN A ports, Community VLAN B ports, Isolated VLAN C ports and promiscuous ports on a switch in VTP transparent mode.)
-
Private VLANs
pVLANs:
Provide security
Reduce the number of IP subnets
Service providers use pVLANs to deploy hosting services and network access where all devices reside in the same subnet but only communicate to a default gateway, servers or another network.
(Figure: hosts in the same subnet but different pVLANs, reaching the gateway through promiscuous ports.)
-
Private VLANs
pVLANs consist of two supporting VLAN types:
Primary VLAN
High-level VLAN
Can have many secondary VLANs
Secondary VLANs belong to the same subnet as the primary VLAN
Secondary VLAN
Child to a primary
End devices belong to a secondary VLAN
(Figure: secondary VLANs nested under the primary VLAN, with promiscuous ports on the primary.)
-
Private VLANs
Two types of secondary VLANs
Community VLANs
These ports communicate with other ports in the same community and promiscuous ports
Isolated VLANs
These ports can only communicate with promiscuous ports.
(Figure: community VLANs, isolated VLANs and promiscuous ports.)
Private VLANs
-
Community VLAN ports communicate with other ports in the same community and promiscuous ports.
What devices can Community VLAN A PCs communicate with?
What devices can Community VLAN B PCs communicate with?
Isolated VLAN ports can only communicate with promiscuous ports.
What devices can Isolated VLAN C PCs communicate with?
(Figure: Community VLAN A ports, Community VLAN B ports, Isolated VLAN C ports and promiscuous ports.)
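The three questions above reduce to one rule set, which the following Python encodes and then applies to the port layout used in the configuration slides that follow (Fa0/1-5 promiscuous, Fa0/10-12 community 200, Fa0/15-18 community 201, Fa0/20-25 isolated 300, all under primary VLAN 100). It is an added example, not code from the course; the port objects are constructed from those slides, and it models Layer 2 reachability only.

```python
from dataclasses import dataclass
from typing import Optional

PROMISCUOUS, COMMUNITY, ISOLATED = "promiscuous", "community", "isolated"


@dataclass(frozen=True)
class PvlanPort:
    name: str
    mode: str                        # promiscuous, community or isolated
    primary: int                     # primary VLAN (100 on the slides)
    secondary: Optional[int] = None  # secondary VLAN for host ports


def can_communicate(a: PvlanPort, b: PvlanPort) -> bool:
    """Layer 2 reachability between two ports of a private VLAN."""
    if a.primary != b.primary:
        return False                       # different private VLANs
    if PROMISCUOUS in (a.mode, b.mode):
        return True                        # promiscuous ports talk to every port
    if a.mode == COMMUNITY and b.mode == COMMUNITY:
        return a.secondary == b.secondary  # same community only
    return False                           # isolated ports, or different communities


def reachable(port, ports):
    """Names of the other ports `port` can exchange frames with."""
    return sorted(p.name for p in ports if p is not port and can_communicate(port, p))


def build_ports():
    """Ports as associated on the configuration slides: primary 100,
    community 200 and 201, isolated 300."""
    ports = [PvlanPort(f"Fa0/{n}", PROMISCUOUS, 100) for n in range(1, 6)]
    ports += [PvlanPort(f"Fa0/{n}", COMMUNITY, 100, 200) for n in range(10, 13)]
    ports += [PvlanPort(f"Fa0/{n}", COMMUNITY, 100, 201) for n in range(15, 19)]
    ports += [PvlanPort(f"Fa0/{n}", ISOLATED, 100, 300) for n in range(20, 26)]
    return ports


if __name__ == "__main__":
    ports = build_ports()
    by_name = {p.name: p for p in ports}
    for name in ("Fa0/10", "Fa0/15", "Fa0/20"):   # community A, community B, isolated C
        print(name, "->", reachable(by_name[name], ports))
```

The output answers the slide: a community A PC reaches the other community A ports and the promiscuous ports, a community B PC likewise within community B, and an isolated C PC reaches only the promiscuous ports, not even another isolated port. Because every host still shares one subnet, the isolation holds only at Layer 2; a default gateway on a promiscuous port can route between secondary VLANs unless an ACL on that gateway interface prevents it, which is the usual complement to a pVLAN deployment.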
Configuring pVLANs: Creating the pVLANs
-
Configuring pVLANs: Creating the pVLANs
Switch(config)# vlan 100
Switch(config-vlan)# private-vlan primary
Switch(config)# vlan 200
Switch(config-vlan)# private-vlan community
Switch(config)# vlan 201
Switch(config-vlan)# private-vlan community
Switch(config)# vlan 300
Switch(config-vlan)# private-vlan isolated
Switch(config)# vlan 100
Switch(config-vlan)# private-vlan association 200,201,300
Switch(config)# interface vlan 100
Switch(config-if)# private-vlan mapping add 200,201,300
Configure Primary VLAN
Configure Secondary VLANs (two community, one isolated)
Associate secondary VLANs to primary VLAN
Map secondary VLANs to the Layer 3 VLAN interface of the primary VLAN to allow Layer 3 switching (later).
(Figure: the secondary VLANs nested under the primary VLAN.)
Private VLANs
-
(Figure: the pVLAN topology, with Community VLAN A ports in VLAN 200, Community VLAN B ports in VLAN 201, Isolated VLAN C ports in VLAN 300 and promiscuous ports, all under primary VLAN 100. The configuration shown is the same as on the previous slide.)
Configuring pVLANs: Port
-
Configuring pVLANs: Port Association
Switch(config)# interface range fa 0/1 - 5
Switch(config-if)# switchport mode private-vlan promiscuous
Switch(config-if)# exit
Switch(config)# interface range fa 0/10 - 12
Switch(config-if)# switchport mode private-vlan host
Switch(config-if)# switchport private-vlan host-association 100 200
Switch(config-if)# exit
Switch(config)# interface range fa 0/15 - 18
Switch(config-if)# switchport mode private-vlan host
Switch(config-if)# switchport private-vlan host-association 100 201
Switch(config-if)# exit
Switch(config)# interface range fa 0/20 - 25
Switch(config-if)# switchport mode private-vlan host
Switch(config-if)# switchport private-vlan host-association 100 300
Switch(config-if)# exit
Configure access ports for promiscuous mode.
Configure access ports for community pVLANs.
Configure access ports for isolated pVLANs.
(In host-association 100 200, the first number is the primary VLAN and the second the secondary VLAN.)
Configuring
-
Switch(config)# vlan 100
Switch(config-vlan)# private-vlan primary
Switch(config)# vlan 200
Switch(config-vlan)# private-vlan community
Switch(config)# vlan 201
Switch(config-vlan)# private-vlan community
Switch(config)# vlan 300
Switch(config-vlan)# private-vlan isolated
Switch(config)# vlan 100
Switch(config-vlan)# private-vlan association 200,201,300
Switch(config)# interface vlan 100
Switch(config-if)# private-vlan mapping add 200,201,300
Configuring
pVLANs - Review
-
Switch(config)# interface range fa 0/1 - 5
Switch(config-if)# switchport mode private-vlan promiscuous
Switch(config-if)# exit
Switch(config)# interface range fa 0/10 - 12
Switch(config-if)# switchport mode private-vlan host
Switch(config-if)# switchport private-vlan host-association 100 200
Switch(config-if)# exit
Switch(config)# interface range fa 0/15 - 18
Switch(config-if)# switchport mode private-vlan host
Switch(config-if)# switchport private-vlan host-association 100 201
Switch(config-if)# exit
Switch(config)# interface range fa 0/20 - 25
Switch(config-if)# switchport mode private-vlan host
Switch(config-if)# switchport private-vlan host-association 100 300
Switch(config-if)# exit
(In host-association, the first number is the primary VLAN, 100, and the second the secondary VLAN: 200, 201 or 300.)
-
Port Aggregation (EtherChannel)
CIS 187 Multilayer Switched Networks
CCNP SWITCH
Rick Graziani
Spring 2010
-
Configuring Link Aggregation with EtherChannel
Spanning Tree and EtherChannel
-
Spanning Tree and EtherChannel
Spanning Tree only allows a single link between switches to prevent bridging loops.
Cisco's EtherChannel technology allows for the scaling of link bandwidth by aggregating or bundling parallel links. The bundle is treated as a single, logical link.
Access or trunk link
Allows you to expand the link's capacity without having to purchase new hardware (modules, devices).
(Figure: an EtherChannel bundle between two switches.)
EtherChannel
-
EtherChannel
EtherChannel allows for two to eight links.
Fast Ethernet (FE): Fast EtherChannel, up to 1600 Mbps
Gigabit Ethernet (GE): Gigabit EtherChannel, up to 16 Gbps
10-Gigabit Ethernet (10GE): 10 Gigabit EtherChannel, up to 160 Gbps
This does not mean the total bandwidth of the bundle equals the sum of the links.
The load is not always distributed evenly (coming).
EtherChannel
-
EtherChannel
The Cisco Catalyst family of switches supports two types of link aggregation:
Port Aggregation Protocol (PAgP) - Cisco proprietary
Default when port channel is created (coming)
Link Aggregation Control Protocol (LACP) - Industry standard 802.3ad-based protocol
EtherChannel provides redundancy.
If one link fails, traffic is automatically moved to an active link.
Transparent to end user.
LACP (coming) also allows for standby links (coming).
-
Distribution of Traffic and Load Balancing
-
Distribution of Traffic and Load Balancing
Load is not balanced equally across links. EtherChannel uses a hashing algorithm.
If a single input is used (such as Source IP address), the hash will only look at the bits associated with this input. (coming)
If two inputs are used (such as Source IP address and Destination IP address), the hash will perform an exclusive OR (XOR) operation on both inputs. (coming!)
Both of these will compute a binary number that selects a link number in the bundle to carry the frame. (coming!!!)
Load Balancing
-
Load Balancing
Let's take a brief look at how this works.
We will focus on the 2, 4 and 8 link possibilities, as these are easier to understand and the only options that provide more ideal load balancing.
A 2 link EtherChannel bundle requires a 1-bit index using an XOR.
If the index is 0, link 0 is selected
If the index is 1, link 1 is selected
A 4 link EtherChannel bundle requires a 2-bit index using an XOR.
4 possible links: 00, 01, 10, 11
An 8 link EtherChannel bundle requires a 3-bit index using an XOR.
8 possible links: 000, 001, 010, 011, 100, 101, 110, 111
Boolean Operations - XOR
-
Boolean Operations XOR
XOR (Exclusive OR) operation
0 = FALSE, 1 = TRUE
If both bits have the same value (both 0, both 1), the XOR will result in a 0.
Otherwise, if they differ (one is a 0 and the other a 1), the result will be 1.
One and ONLY one input value can be TRUE for the output to be TRUE.
Rick is going to surf the Hook XOR Liquor Stores at noon.
I cannot surf BOTH spots. If I did, this would not be TRUE.
(Figure: TRUE XOR TRUE = FALSE)
-
Load Balancing
-
Load Balancing
Example: 2 Link EtherChannel.
Packet sent from 172.16.1.1 to 10.10.10.16. The chosen hash uses Source IP and Destination IP address.
At most there can only be 8 links in a bundle, so only the last 3 rightmost bits (least-significant) of the addresses will ever need to be indexed or examined.
3 bits will give us 8 choices (8 links max in a bundle)
172.16.1.1 => 00000001    10.10.10.46 => 00101110
In our example we have 2 links in the EtherChannel (1 bit index):
The XOR is performed only on the rightmost bit: 1 XOR 0
1 XOR 0 = 1
Link 1 is used
(Figure: links 0 and 1 of the bundle.)
Load Balancing
-
Load Balancing
Example: 2 Link EtherChannel.
Our hash used the Source IP and Destination IP address. The XOR on the rightmost bit of our Source IP and Destination IP address could result in Link 0 or Link 1 being used.
Depends on the last bit of each address!
172.16.1.1 => 00000001    10.10.10.46 => 00101110
If the XOR of the two bits results in 0, then link 0 is used.
If the XOR of the two bits results in 1, then link 1 is used.
(Figure: links 0 and 1 of the bundle.)
Load Balancing
-
Load Balancing
Example: 4 Link EtherChannel
Packet sent from 172.16.1.1 to 10.10.10.16. Our hash used the Source IP and Destination IP address.
172.16.1.1 => 00000001    10.10.10.46 => 00101110
If there are 4 links in the EtherChannel (2 bit index):
The XOR is performed only on the 2 rightmost bits: 01 XOR 10
Each bit is computed separately: 01 XOR 10 = 11
1 XOR 0 = 1
0 XOR 1 = 1
Link 3 (11 in binary) is used
(Figure: links 0 to 3 of the bundle.)
Load Balancing
-
Load Balancing
Example: 8 Link EtherChannel
Packet sent from 172.16.1.1 to 10.10.10.16
Our hash used the Source IP and Destination IP address.
172.16.1.1 => 00000001    10.10.10.46 => 00101110
If there are 8 links in the EtherChannel (3 bit index):
The XOR is performed only on the 3 rightmost bits: 001 XOR 110
Each bit is computed separately
001 XOR 110 = 111
1 XOR 0 = 1
0 XOR 1 = 1
0 XOR 1 = 1
Link 7 (111 in binary) is used
(Figure: links 0 to 7 of the bundle.)
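The three worked examples above (2, 4 and 8 links) follow one rule: take the low-order 1, 2 or 3 bits of each hash input and XOR them. The Python below is an added example, not course or Cisco code, that implements the link selection exactly as these slides model it and then extends it to the single-input methods (src-ip, dst-ip) and to counting how a set of flows spreads across a bundle, which is the question raised later under Configuring EtherChannel Load Balancing. It uses 10.10.10.46 because that is the address the slides' binary expansion (00101110) corresponds to; the eight client flows used for the distribution count are constructed sample data, and real switch hardware may hash differently from this model.

```python
import ipaddress
from collections import Counter


def index_bits(n_links):
    """2, 4 and 8 links need a 1-, 2- and 3-bit index respectively."""
    if n_links not in (2, 4, 8):
        raise ValueError("only 2, 4 or 8 link bundles are modelled here")
    return n_links.bit_length() - 1


def low_bits(value, nbits):
    return value & ((1 << nbits) - 1)


def select_link(n_links, src_ip=None, dst_ip=None):
    """Link index chosen for a frame. With both addresses (src-dst-ip) the
    low-order bits of the two addresses are XORed; with one address
    (src-ip or dst-ip) that address's own low-order bits are the index."""
    nbits = index_bits(n_links)
    addrs = [int(ipaddress.ip_address(a)) for a in (src_ip, dst_ip) if a is not None]
    if not addrs:
        raise ValueError("at least one address is required")
    index = 0
    for a in addrs:
        index ^= low_bits(a, nbits)
    return index


def distribution(flows, n_links, method):
    """Count how many (src, dst) flows land on each link for a load-balance method."""
    counts = Counter()
    for src, dst in flows:
        if method == "src-dst-ip":
            link = select_link(n_links, src, dst)
        elif method == "src-ip":
            link = select_link(n_links, src_ip=src)
        elif method == "dst-ip":
            link = select_link(n_links, dst_ip=dst)
        else:
            raise ValueError(f"unknown method {method}")
        counts[link] += 1
    return dict(counts)


# Constructed sample flows: eight clients all sending to the slide's 10.10.10.46.
FLOWS = [(f"10.1.1.{i}", "10.10.10.46") for i in range(1, 9)]

if __name__ == "__main__":
    for n in (2, 4, 8):
        link = select_link(n, "172.16.1.1", "10.10.10.46")
        print(f"{n} links: 172.16.1.1 -> 10.10.10.46 uses link {link}")
    print("dst-ip    :", distribution(FLOWS, 8, "dst-ip"))
    print("src-dst-ip:", distribution(FLOWS, 8, "src-dst-ip"))
```

The three `select_link` calls reproduce the slides (link 1, link 3, link 7). The distribution count shows why a hash input that does not vary is a poor choice: with dst-ip and a single busy server every one of the eight flows lands on the same link, whereas a method that includes the varying source address spreads them over all eight.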
For more information
-
For more information
For information about load balancing with a number of links other than 2, 4 or 8:
Understanding EtherChannel Load Balancing and Redundancy on Catalyst Switches
http://www.cisco.com/en/US/tech/tk389/tk213/technologies_tech_note09186a0080094714.shtml
-
Configuring EtherChannel
Configuring EtherChannel Load Balancing
-
Configuring EtherChannel Load Balancing
Switch(config)# port-channel load-balance method
The load balancing method is configured in global configuration mode.
Load Balancing
-
Load Balancing
Switch(config)# port-channel load-balance ?
Method        Description            Hash operation
dst-ip        Dst IP Addr            bits
dst-mac       Dst Mac Addr           bits
src-dst-ip    Src XOR Dst IP Addr    XOR
src-dst-mac   Src XOR Dst Mac Addr   XOR
src-ip        Src IP Addr            bits
src-mac       Src Mac Addr           bits (default)
6500 and 4500 switches also allow hash input to be based on:
dst-port (destination port)
src-dst-port (source and destination ports)
Defaults for 29xx and 35xx (this may vary, so check documentation):
Layer 2 switching (switched port) is src-mac (coming)
Layer 3 switching (routed port) is src-dst-ip (coming)
For non-IP traffic the switch will distribute frames based on MAC addresses.
Multicasts and broadcasts sent over one link in the EtherChannel are not sent back over other links in the EtherChannel.
-
Load Balancing
Switch(config)# port-channel load-balance src-dst-ip
Normally, the default Source IP and Destination IP addresses will result in a fair statistical distribution of frames.
This is because of the random nature of multiple Source and Destination IP addresses.
However, if a single server's destination IP address is receiving most of the traffic, this may cause one link to be overused in a two link EtherChannel.
Or two links in a four link EtherChannel.
Or four links in an eight link EtherChannel.
Use only Source IP address, or include MAC addresses, to create a more balanced load across the bundle.
EtherChannel Protocols
-
The Cisco Catalyst family of switches supports both:
Port Aggregation Protocol (PAgP) - Cisco proprietary
Default when port channel is created (coming)
Link Aggregation Control Protocol (LACP) - Industry standard 802.3ad-based protocol
Not many differences. When a Cisco switch is connected to a non-Cisco switch, use LACP.
Must be the same on both ends!
(Figure: PAgP pairs with PAgP, LACP with LACP.)
EtherChannel Protocols
-
DLS1(config)# interface range fa 0/1 - 4
DLS1(config-if-range)# channel-protocol ?
lacp Prepare interface for LACP protocol
pagp Prepare interface for PAgP protocol
DLS1(config-if-range)# channel-protocol pagp
PAgP requires identical static VLANs, or trunking encapsulation with the same allowed VLANs.
If the VLAN, speed or duplex on a port in the bundle is changed, PAgP automatically reconfigures the rest of the ports in that bundle.
(Figure: Fa0/1 to Fa0/4 bundled.)
-
No PAgP or LACP negotiation
-
No PAgP or LACP negotiation
DLS1(config)# interface range fa 0/1 - 4
DLS1(config-if-range)# channel-protocol pagp
DLS1(config-if-range)# channel-group 1 mode ?
  active     Enable LACP unconditionally
  auto       Enable PAgP only if a PAgP device is detected
  desirable  Enable PAgP unconditionally
  on         Enable Etherchannel only
  passive    Enable LACP only if a LACP device is detected
on: Forces the port to channel without PAgP negotiation.
Both ends must be on.
All ports channeling
You can use channel-group # mode on when the connecting device does not support PAgP and you need to set up the channel unconditionally.
(Figure: EtherChannel formed with mode on at both ends.)
-
PAgP modes
-
PAgP modes
DLS1(config)# interface range fa 0/1 - 4
DLS1(config-if-range)# channel-protocol pagp
DLS1(config-if-range)# channel-group 1 mode ?
  active     Enable LACP unconditionally
  auto       Enable PAgP only if a PAgP device is detected
  desirable  Enable PAgP unconditionally
  on         Enable Etherchannel only
  passive    Enable LACP only if a LACP device is detected
An interface in auto mode can form an EtherChannel with another interface in desirable mode.
Auto (default, passive) - Waits to be asked to form a channel.
An interface in auto mode cannot form an EtherChannel with another interface that is also in auto mode, because neither interface starts PAgP negotiation.
(Figure: EtherChannel formed between an auto end and a desirable end.)
-
LACP modes
-
DLS1(config)# interface range fa 0/1 - 4
DLS1(config-if-range)# channel-protocol lacp
DLS1(config-if-range)# channel-group 1 mode ?
active Enable LACP unconditionally
auto Enable PAgP only if a PAgP device is detected
desirable Enable PAgP unconditionally
on Enable Etherchannel only
passive Enable LACP only if a LACP device is detected
An interface in the active mode can form an EtherChannel with another interface that is in the active or passive mode.
(Figure: EtherChannel formed between active and active, or between active and passive.)
LACP modes
-
DLS1(config)# interface range fa 0/1 - 4
DLS1(config-if-range)# channel-protocol lacp
DLS1(config-if-range)# channel-group 1 mode ?
active Enable LACP unconditionally
auto Enable PAgP only if a PAgP device is detected
desirable Enable PAgP unconditionally
on Enable Etherchannel only
passive Enable LACP only if a LACP device is detected
An interface in the passive mode can form an EtherChannel with another interface that is in the active mode.
An interface in the passive mode cannot form an EtherChannel with another interface that is also in the passive mode, because neither interface starts LACP negotiation.
(Figure: EtherChannel formed between a passive end and an active end.)
Forming EtherChannels
-
EtherChannel (no negotiation): on with on
PAgP negotiated EtherChannel: desirable with desirable, or desirable with auto
LACP negotiated EtherChannel: active with active, or active with passive
Configuring PAgP
-
DLS1(config)#port-channel load-balance dst-ip
DLS1(config)# interface range fa 0/11 - 12
DLS1(config-if-range)# switchport trunk encapsulation dot1q
DLS1(config-if-range)# switchport mode trunk
DLS1(config-if-range)# channel-protocol pagp
DLS1(config-if-range)# channel-group 1 mode desirable
Notice: Load balancing does not have to match, but usually it does.
DTP on DLS2 is dynamic auto (the result is a trunk with DLS1).
PAgP configured on both ends
DLS2(config)# port-channel load-balance src-dst-ip
DLS2(config)# interface range fa 0/11 - 12
DLS2(config-if-range)# switchport trunk encapsulation dot1q
DLS2(config-if-range)# channel-protocol pagp
DLS2(config-if-range)# channel-group 1 mode auto
We will discuss the significance of the Port-channel interface with MLS.
Verifying
-
DLS1#show run
!
port-channel load-balance dst-ip
!
interface Port-channel1
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface FastEthernet0/1
! ...
interface FastEthernet0/11
switchport trunk encapsulation dot1q
switchport mode trunk
channel-group 1 mode desirable
!
interface FastEthernet0/12
switchport trunk encapsulation dot1q
switchport mode trunk
channel-group 1 mode desirable
DLS2#show run
!
port-channel load-balance src-dst-ip
!
interface Port-channel1
switchport trunk encapsulation dot1q
!
!
interface FastEthernet0/1
! ...
interface FastEthernet0/11
switchport trunk encapsulation dot1q
channel-group 1 mode auto
!
!
interface FastEthernet0/12
switchport trunk encapsulation dot1q
channel-group 1 mode auto
Verifying
-
DLS1# show etherchannel protocol
Group: 1
----------
Protocol: PAgP
DLS1# show etherchannel load-balance
EtherChannel Load-Balancing Operational State (dst-ip):
Non-IP: Destination MAC address
IPv4: Destination IP address
IPv6: Destination IP address
DLS1#
DLS1# show etherchannel summary
Flags: D - down P - in port-channel
I - stand-alone s - suspended
H - Hot-standby (LACP only)
R - Layer3 S - Layer2
U - in use f - failed to allocate aggregator
u - unsuitable for bundling
w - waiting to be aggregated
d - default port
Number of channel-groups in use: 1
Number of aggregators: 1
Group Port-channel Protocol Ports
------+-------------+-----------+-------------------------------
1 Po1(SU) PAgP Fa0/11(P) Fa0/12(P)
DLS1# show etherchannel port
Group: 1
-
----------
Port: Fa0/11
------------
Port state = Up Mstr In-Bndl
Channel group = 1 Mode = Desirable-Sl Gcchange = 0
Port-channel = Po1 GC = 0x00010001 Pseudo port-channel = Po1
Port index = 0 Load = 0x00 Protocol = PAgP
Flags: S - Device is sending Slow hello. C - Device is in Consistent state.
Timers: H - Hello timer is running. Q - Quit timer is running.
Local information:
Hello Partner PAgP Learning Group
Port Flags State Timers Interval Count Priority Method Ifindex
Fa0/11 SC
Partner's information:
       Partner  Partner        Partner  Partner Group
Port   Name     Device ID      Port     Age     Flags  Cap.
Fa0/11 DLS2 001b.8fc8.0080
Age of the port in the current state: 00d:00h:35m:29s
Port: Fa0/12
------------
...
Can help determine if the load balancing is being distributed equally across the links.
Configuring LACP
-
DLS1(config)# port-channel load-balance dst-ip
DLS1(config)# lacp system-priority 11111
DLS1(config)# interface range fa 0/11 - 12
DLS1(config-if-range)# switchport trunk encapsulation dot1q
DLS1(config-if-range)# switchport mode trunk
DLS1(config-if-range)# channel-protocol lacp
DLS1(config-if-range)# channel-group 1 mode active
DLS1(config-if-range)# lacp port-priority 99
DLS1(config)# interface range fa 0/13 - 14
DLS1(config-if-range)# switchport trunk encapsulation dot1q
DLS1(config-if-range)# switchport mode trunk
DLS1(config-if-range)# channel-protocol lacp
DLS1(config-if-range)# channel-group 1 mode active
Port Priority - (Optional for LACP)
LACP uses the port priority to decide which ports should be put in standby mode.
Not typically used (more with hardware limitation).
Ports with lower priority values are active; the rest are standby. (Default is 32,768)
System Priority - (Optional for LACP)
Valid values are 1 through 65535.
Higher numbers have lower priority. (Default is 32768; the switch MAC is the tiebreaker)
Recommended only when some ports are in standby.
Fa0/13-14 keep the default port priority of 32,768, a higher value than the 99 on Fa0/11-12, so these will become the standby links should something happen to any of the active links.
Configuring LACP: DLS1 and DLS2
-
DLS2(config)# port-channel load-balance src-dst-ip
DLS2(config)# interface range fa 0/11 - 12
DLS2(config-if-range)# switchport trunk encapsulation dot1q
DLS2(config-if-range)# channel-protocol lacp
DLS2(config-if-range)# channel-group 1 mode passive
DLS2(config)# interface range fa 0/13 - 14
DLS2(config-if-range)# switchport trunk encapsulation dot1q
DLS2(config-if-range)# switchport mode trunk
DLS2(config-if-range)# channel-protocol lacp
DLS2(config-if-range)# channel-group 1 mode active
DLS1(config)# port-channel load-balance dst-ip
DLS1(config)# lacp system-priority 11111
DLS1(config)# interface range fa 0/11 - 12
DLS1(config-if-range)# switchport trunk encapsulation dot1q
DLS1(config-if-range)# switchport mode trunk
DLS1(config-if-range)# channel-protocol lacp
DLS1(config-if-range)# channel-group 1 mode active
DLS1(config-if-range)# lacp port-priority 99
DLS1(config)# interface range fa 0/13 - 14
DLS1(config-if-range)# switchport trunk encapsulation dot1q
DLS1(config-if-range)# switchport mode trunk
DLS1(config-if-range)# channel-protocol lacp
DLS1(config-if-range)# channel-group 1 mode active
Verifying (only showing DLS1)
-
DLS1#show run
!
port-channel load-balance dst-ip
!
interface Port-channel1
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface FastEthernet0/11
switchport trunk encapsulation dot1q
switchport mode trunk
lacp port-priority 99
channel-group 1 mode active
!
interface FastEthernet0/12
switchport trunk encapsulation dot1q
switchport mode trunk
lacp port-priority 99
channel-group 1 mode active
!
interface FastEthernet0/13
switchport trunk encapsulation dot1q
switchport mode trunk
channel-group 1 mode active
!
interface FastEthernet0/14
switchport trunk encapsulation dot1q
switchport mode trunk
channel-group 1 mode active
Verifying
-
DLS1# show etherchannel protocol
Group: 1
----------
Protocol: LACP
DLS1# show etherchannel load-balance
EtherChannel Load-Balancing Operational State (dst-ip):
Non-IP: Destination MAC address
IPv4: Destination IP address
IPv6: Destination IP address
DLS1#
Verifying
-
DLS1# show etherchannel summary
Flags: D - down P - in port-channel
I - stand-alone s - suspended
H - Hot-standby (LACP only)
R - Layer3 S - Layer2
U - in use f - failed to allocate aggregator
u - unsuitable for bundling
w - waiting to be aggregated
d - default port
Number of channel-groups in use: 1
Number of aggregators: 1
Group  Port-channel  Protocol    Ports
------+-------------+-----------+-----------------------------------------
1      Po1(SU)       LACP        Fa0/11(P) Fa0/12(P) Fa0/13(H) Fa0/14(H)
DLS1#
Odds and Ends (FYI)
-
Trunk ports send and receive PAgP and LACP protocol data units
(PDUs) on the lowest numbered VLAN.
Spanning tree sends packets over the first interface in the
EtherChannel.
For more information on Configuring EtherChannel:
http://www.cisco.com/en/US/docs/switches/lan/catalyst3550/software/release/12.1_13_ea1/configuration/guide/swethchl.html
Troubleshooting Trunk Links
-
Ensure that the Layer 2 interface mode configured on both ends of the link is valid.
The trunk mode should be trunk or desirable for at least one side of the trunk.
Ensure that the trunk encapsulation type configured on both ends of the link is valid and compatible.
On IEEE 802.1Q trunks, make sure the native VLAN is the same on both ends of the trunk.
When using DTP, ensure that both ends of the link are in the same VTP domain.
Chapter 2 Summary
A VLAN is a logical grouping of switch ports independent of physical location. Local
VLANs are now recommended over end-to-end VLAN implementations.
A trunk is a Layer 2 point-to-point link between networking devices that carries the traffic of
multiple VLANs.
ISL and 802.1Q are the two trunking protocols that can connect two switches.
VTP is used to distribute and synchronize information about VLANs configured
throughout a switched network.
VTP pruning helps to stop flooding of unnecessary traffic on trunk links.
Device communication within the same VLAN can be fine-tuned using pVLANs. A
pVLAN is associated to a primary VLAN, and then mapped to one or several ports. A
primary VLAN can map to one isolated and several community VLANs. pVLANs can
span across several switches using regular 802.1q trunks or pVLAN trunks.
Use EtherChannel by aggregating individual, similar links between switches.
EtherChannel can be dynamically configured between switches using either the Cisco-
proprietary PAgP or the IEEE 802.3ad LACP. EtherChannel load balances traffic over all
the links in the bundle. The method that is chosen directly impacts the efficiency of this
load-balancing mechanism.
Best Practices for VLAN Design
Use one to three VLANs per access module, and limit those VLANs to a couple of access switches and the distribution switches.
Avoid using VLAN 1 as the "blackhole" for all unused ports. Use a dedicated VLAN, separate from VLAN 1, to assign all the unused ports.
Separate the voice VLANs, data VLANs, the management VLAN, the native VLAN, blackhole VLANs, and the default VLAN (VLAN 1).
Avoid VTP when using local VLANs; use manually allowed VLANs on trunks.
For trunk ports, turn off Dynamic Trunking Protocol (DTP) and configure trunking statically.
Use IEEE 802.1Q rather than ISL because it has better support for QoS and is a standard protocol.
Manually configure access ports that are not specifically intended for a trunk link.
Keep all data traffic off VLAN 1; only permit control protocols to run on VLAN 1 (DTP, VTP, STP BPDUs, PAgP, LACP, CDP, etc.).
Avoid using Telnet because of security risks; enable SSH support on management VLANs.
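Several of these practices can be verified from the running configuration alone. The following is an added example, not code from the slides or a Cisco tool: a Python audit that parses an IOS running-config excerpt and flags trunks that still run DTP, trunks with native VLAN 1 or no allowed-VLAN list, ISL trunks, ports left in dynamic mode or with no explicit mode, any non-trunk port sitting in VLAN 1 (which is where unused ports end up by default), and vty lines that still accept Telnet. The configuration, host name and interface names in `CONFIG` are constructed for the example; only the command syntax is IOS.

```python
# Constructed running-config excerpt (not from the slides): two well-configured
# ports, two sloppy ones, and a vty line that still allows Telnet.
CONFIG = """\
hostname DLS1
!
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
!
interface FastEthernet0/2
 switchport mode dynamic desirable
!
interface FastEthernet0/3
 description unused
 shutdown
!
interface FastEthernet0/11
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,11,20
 switchport mode trunk
 switchport nonegotiate
!
interface FastEthernet0/12
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
line vty 0 4
 transport input telnet ssh
!
"""


def parse_blocks(text):
    """Split an IOS config into (header, [indented sub-commands]) blocks."""
    blocks = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def _value(lines, prefix, default):
    """Last word of the first sub-command starting with prefix, else default."""
    for l in lines:
        if l.startswith(prefix):
            return l.rsplit(" ", 1)[1]
    return default


def audit_interface(name, lines):
    """Findings for one switch port, against the VLAN design best practices."""
    f = []
    mode = next((l[len("switchport mode "):] for l in lines
                 if l.startswith("switchport mode ")), None)
    if mode == "trunk":
        if "switchport nonegotiate" not in lines:
            f.append(f"{name}: DTP still on; add switchport nonegotiate")
        if "switchport trunk encapsulation isl" in lines:
            f.append(f"{name}: ISL trunk; use switchport trunk encapsulation dot1q")
        if _value(lines, "switchport trunk native vlan ", "1") == "1":
            f.append(f"{name}: native VLAN is 1; use a dedicated, otherwise unused VLAN")
        if not any(l.startswith("switchport trunk allowed vlan ") for l in lines):
            f.append(f"{name}: all VLANs allowed; restrict with switchport trunk allowed vlan")
    else:
        if mode is None:
            f.append(f"{name}: no switchport mode (defaults to dynamic); set switchport mode access")
        elif mode != "access":
            f.append(f"{name}: mode '{mode}'; non-trunk ports should be switchport mode access")
        if _value(lines, "switchport access vlan ", "1") == "1":
            f.append(f"{name}: in VLAN 1; move to a data VLAN, or a blackhole VLAN if unused")
    return f


def audit_vty(name, lines):
    """Flag vty lines that accept Telnet (explicitly, or via 'transport input all')."""
    for l in lines:
        if l.startswith("transport input ") and ("telnet" in l or l.endswith(" all")):
            return [f"{name}: '{l}'; use transport input ssh"]
    return []


def audit(text):
    """Run every check over a running-config and return the findings in config order."""
    findings = []
    for header, lines in parse_blocks(text):
        if header.startswith("interface "):
            findings += audit_interface(header.split(" ", 1)[1], lines)
        elif header.startswith("line vty"):
            findings += audit_vty(header, lines)
    return findings


if __name__ == "__main__":
    for finding in audit(CONFIG):
        print(finding)
```

On the sample config Fa0/1 and Fa0/11 pass, Fa0/2 and Fa0/3 are flagged for dynamic or missing mode and for sitting in VLAN 1, Fa0/12 is flagged three times (DTP on, native VLAN 1, no allowed list), and the vty line is flagged for Telnet. A trunk that explicitly says `switchport trunk allowed vlan all` passes the allowed-list check; tightening that is a one-line change if your policy forbids it.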
VLANs, Trunking, VTP, Port Aggregation
Part 2
CIS 187 Multilayer Switched Networks
CCNP SWITCH
Rick Graziani
Spring 2011