vlan and vtp


Upload: raj-sekar

Post on 15-Apr-2017


Page 1: Vlan and vtp

Virtual LANs (VLANs) and VTP Page 1

Virtual LAN (VLAN) & VTP

VLAN:
• Collision vs Broadcast
• VLAN
• Advantages of VLAN
• VLAN membership
• VLAN port types
• VLAN frames
• Frame tagging protocols
• 802.1Q tunnelling
• Native VLAN
• DTP
• VLAN configuration

VTP:
• VTP versions
• VTP modes
• VTP advertisement
• VTP message types
• VTP pruning
• VTP configuration

rajasekar

Page 2: Vlan and vtp


Collision vs Broadcast

Collision: A collision occurs when two devices send a packet at the same time on a shared network segment. The packets collide and both devices must send them again, which reduces network efficiency. Example: a hub (every port on a hub is in the same collision domain).

When host A is trying to reach host C and at the same time host D is also trying to reach host C, the hub receives both frames. Because the hub has no idea where to send them, it sends them out all ports, and at this stage a collision is detected.

Broadcast: Broadcast is a type of communication where the sending device sends a single copy of the data and that copy is delivered to every device in the network segment. Broadcasts are a required type of communication and cannot be avoided. Examples: ARP, DHCP.


Page 3: Vlan and vtp


When host A sends a packet to host C and the switch receives it for the first time, the switch sends it out all ports; once it has learned the MAC address, it no longer sends the frame out all ports.

VLAN: (Virtual Local Area Network) A switch can be logically segmented into separate broadcast domains, using Virtual LANs. On Cisco switches, all interfaces belong to VLAN 1 by default, and should be dedicated for system traffic such as CDP, STP, VTP, and DTP.

Each VLAN represents a unique broadcast domain:
• Traffic between devices within the same VLAN is switched.
• Traffic between devices in different VLANs requires a Layer-3 device to communicate.

Broadcasts from one VLAN will not be forwarded to another VLAN. The logical separation provided by VLANs is not a Layer-3 function. VLAN tags are inserted into the Layer-2 header.


Page 4: Vlan and vtp


Hosts A and B are in the same broadcast domain, and so are E and F. When I try to ping from host A to host E, the ping fails, because the switch segments its ports into different broadcast domains. Thus, a Layer-3 device is required for those hosts to communicate.

Advantages of VLAN

• Broadcast Control – eliminates unnecessary broadcast traffic, improving network performance and scalability.

• Security – logically separates users and departments, allowing administrators to implement access-lists to control traffic between VLANs.

• Improved manageability – VLANs provide an easy, flexible, less costly way to modify logical groups in changing environments.

VLAN membership

VLAN membership is of two types:
• Static
• Dynamic

Page 5: Vlan and vtp

Static:  In a static VLAN, the network administrator creates a VLAN and then assigns switch ports to the VLAN. Static VLANs are also called port-based VLANs. The association with the VLAN does not change until the administrator changes the port assignment. End-user devices become the members of VLAN based on the physical switch port to which they are connected.

Dynamic: In a dynamic VLAN, the switch automatically assigns the port to a VLAN using information from the user device (such as its MAC or IP address). When a device is connected to a switch port, the switch queries a database to establish VLAN membership. A network administrator must configure the VLAN database of a VLAN Membership Policy Server (VMPS).

Dynamic VLANs support instant mobility of end devices. When we move a device from a port on one switch to a port on another switch, the dynamic VLAN configuration automatically follows it.

Static VLAN assignment is far more common than dynamic, and will be the focus of this guide.

VLAN Port Types

Two types of ports:
• Access ports
• Trunk ports

Access link:  An access link is a part of only one VLAN, and normally access links are for end devices. Any device attached to an access link is unaware of a VLAN membership.

Trunk link: A trunk link can carry the traffic of multiple VLANs, and normally a trunk link is used to connect switches to other switches or to routers.

Page 6: Vlan and vtp

VLAN frames

Frame tagging is used to identify the VLAN that a frame belongs to in a network with multiple VLANs. The VLAN ID is placed on the frame when it reaches a switch from an access port that is a member of a VLAN.

That frame can then be forwarded out the trunk link port. Each switch can see what VLAN the frame belongs to and can forward the frame to corresponding VLAN access ports or to another VLAN trunk port.

VLAN frames (continued)


Page 7: Vlan and vtp


If Host A sends a frame to Host B, no frame tagging will occur:
• The frame never leaves Switch A.
• The frame stays within its own VLAN.

If Host A sends a frame to Host C, which is in a separate VLAN:
• The frame again never leaves the switch.
• Because Host C is in a different VLAN, the frame must be routed.

If Host A sends a frame to Host D, which is on a separate switch:
• The frame is sent out the trunk port to Switch B.
• The frame must be tagged as it is sent out the trunk port. The frame is tagged with its VLAN ID - VLAN 10 in this example.
• When Switch B receives the frame, it will only forward it out ports belonging to VLAN 10.


Page 8: Vlan and vtp


Frame Tagging Protocols

Cisco switches support two frame tagging protocols:
• Inter-Switch Link (ISL)
• IEEE 802.1Q

Inter-Switch Link (ISL) is a Cisco proprietary protocol and is available and supported on Cisco products only.

Inter-Switch Link (ISL) protocol primarily is used for Ethernet media (Fast Ethernet or Gigabit Ethernet). Cisco has also included provisions to carry Token Ring, FDDI, and ATM.

Inter-Switch Link (ISL) protocol encapsulates the entire Ethernet frame (Fast Ethernet or Gigabit Ethernet) with a 26-byte header and a 4-byte frame check sequence (FCS) for a total of 30 bytes of overhead. Inter-Switch Link (ISL) frame format is shown below.

• DA (Destination Address): The destination address uses the multicast MAC address 01-00-0C-00-00-00. The first 40 bits of the DA field signal the receiver that the packet is in Inter-Switch Link (ISL) format.


Page 9: Vlan and vtp


• Type: The type of frame encapsulated: Ethernet (0000), Token Ring (0001), FDDI (0010), and ATM (0011).

• User: The USER field consists of a 4-bit code. The USER bits are used to extend the meaning of the TYPE field. The default USER field value is "0000". For Ethernet frames, the USER field bits "0" and "1" indicate the priority of the packet as it passes through the switch.

• SA (Source Address): Source address of the switch transmitting the Inter-Switch Link (ISL) frame.

• Len: The length of the packet.

• SNAP: Subnetwork Access Protocol (SNAP) and Logical Link Control (LLC). The SNAP field is a 24-bit constant with the value AAAA03.

• HSA (High Bits of Source Address): The HSA field is a 24-bit value which represents the upper 3 bytes (the manufacturer ID portion) of the SA field.

• VLAN (Destination VLAN ID): Indicates VLAN ID of the packet. VLAN ID is a 15-bit value that is used to distinguish frames on different VLANs. VLAN ID is also known as the "color" of the frame.

• BPDU: Indicates whether the encapsulated frame is a BPDU, CDP or VTP frame.

• Index: The port index of the source of the packet.

• Res: Reserved field for additional information, for instance, Token Ring or FDDI Frame Check Sequence field. For Ethernet, this field should be zero.

• Encapsulated Ethernet Frame: The actual Ethernet frame.

• ISL CRC: Four-byte check on the ISL packet to ensure it is not corrupted.

Cisco switches are specifically engineered to support these giant ISL-tagged frames. Note that this is a key reason why ISL is Cisco-proprietary.


Page 10: Vlan and vtp


ISL supports a maximum of 1000 VLANs on a trunk port. ISL is also almost entirely deprecated - most modern Cisco switches no longer support it.

802.1Q trunks

802.1Q trunks support tagged and untagged Ethernet frames. An untagged Ethernet frame is a standard unaltered Ethernet frame. Untagged Ethernet frames are usually used for native VLAN communication.

If a switch receives untagged Ethernet frames on a trunk port, they are considered part of the native VLAN, and frames from an access port in the native VLAN are not tagged when exiting the switch via a trunk port with that native VLAN.

In a tagged 802.1Q Ethernet frame, a 4-byte field is inserted between the original Ethernet frame's Source Address field and the Type or Length field. The FCS is recomputed after the 4-byte tag is inserted. The following figure shows an 802.1Q tagged Ethernet frame.

• TPID (Tag Protocol Identifier, 16 bits): The TPID always has the value 0x8100 to signify an 802.1Q tag.


Page 11: Vlan and vtp


• Priority (3 bits): The Priority field is used by 802.1Q to implement Layer 2 quality of service (QoS).

• CFI (Canonical Format Identifier, 1 bit): The CFI (Canonical Format Identifier) bit is used for compatibility purposes between Ethernet and Token Ring.

• VLAN ID (12 bits): The VID field is used to distinguish between VLANs on the link.

802.1Q supports a maximum of 4096 VLANs on a trunk port.

Recall that ISL encapsulates a frame with an additional header and trailer. In contrast, 802.1Q embeds a 4-byte VLAN tag directly into the Layer-2 frame header. Because the Layer-2 header is modified, 802.1Q must recalculate the frame’s CRC value.

802.1Q Tunneling (Q-in-Q)

802.1Q tunneling enables service providers to use a single VLAN to support customers who have multiple VLANs, while preserving customer VLAN IDs and keeping traffic in different customer VLANs segregated. When you configure tunneling, you assign a tunnel port to a VLAN that you dedicate to tunneling, which then becomes a tunnel VLAN. To keep customer traffic segregated, each customer requires a separate tunnel VLAN, but that one tunnel VLAN supports all of the customer's VLANs.


Page 12: Vlan and vtp


The customer switches are trunk connected, but with 802.1Q tunneling the service provider switches use only one service-provider VLAN to carry all the customer VLANs, instead of directly carrying all the customer VLANs.

Note: Tunnel traffic carries a second 802.1Q tag only when it is on a trunk link between service-provider network devices, with the outer tag containing the service-provider-assigned VLAN ID and the inner tag containing the customer-assigned VLAN IDs.

In this example the customer switches A, B and C use the VLAN range 100-400; when these VLANs enter the provider switch, the outer interface carries a single VLAN (3349), called the outer VLAN.

Page 13: Vlan and vtp
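As an added worked example (not part of the original slides), the Python below builds the 4-byte tag described under 802.1Q trunks, inserts it after the Source Address field, parses stacked tags, and recomputes the FCS. The frame bytes are constructed sample data; the Q-in-Q step follows the page's description of a second 802.1Q tag and uses 0x8100 for the outer tag as well, and the VLAN numbers 10 and 3349 are the ones used in the page's examples.

```python
import struct
import zlib

TPID_8021Q = 0x8100          # TPID value the page gives for an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800      # EtherType of the constructed sample payload


def build_tag(vid, priority=0, cfi=0):
    """Return the 4-byte tag: TPID (16 bits) + Priority (3) + CFI (1) + VID (12)."""
    if not 0 <= vid <= 4095:
        raise ValueError("VID must fit in 12 bits")
    if not 0 <= priority <= 7:
        raise ValueError("priority must fit in 3 bits")
    tci = (priority << 13) | ((cfi & 1) << 12) | vid
    return struct.pack("!HH", TPID_8021Q, tci)


def tag_frame(frame, vid, priority=0):
    """Insert a tag between the Source Address and the Type/Length field.

    Calling this on an already-tagged frame adds an outer tag, which is how
    Q-in-Q stacks the provider VLAN on top of the customer VLAN.
    """
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    return frame[:12] + build_tag(vid, priority) + frame[12:]


def parse_tags(frame):
    """Return (tags, ethertype, payload); tags is outer-first [(prio, cfi, vid), ...]."""
    tags = []
    offset = 12
    while True:
        (tpid,) = struct.unpack_from("!H", frame, offset)
        if tpid != TPID_8021Q:
            return tags, tpid, frame[offset + 2:]
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        tags.append(((tci >> 13) & 0x7, (tci >> 12) & 0x1, tci & 0x0FFF))
        offset += 4


def compute_fcs(frame):
    """Ethernet FCS: CRC-32 over the frame, transmitted least significant byte first."""
    return struct.pack("<I", zlib.crc32(frame) & 0xFFFFFFFF)


# Constructed sample frame: dst MAC, src MAC, EtherType, short payload (not a capture).
UNTAGGED = (bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
            + struct.pack("!H", ETHERTYPE_IPV4) + b"payload-bytes")


def demo():
    """Walk the page's example: customer VLAN 10 carried inside provider VLAN 3349."""
    customer = tag_frame(UNTAGGED, 10, priority=5)   # access port adds the customer tag
    provider = tag_frame(customer, 3349)              # tunnel port adds the outer tag
    return {
        "untagged": parse_tags(UNTAGGED),
        "customer": parse_tags(customer),
        "provider": parse_tags(provider),
        "fcs_changed": compute_fcs(UNTAGGED) != compute_fcs(customer),
        "overhead": len(provider) - len(UNTAGGED),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The parser reads tags outer-first, so a provider-side device sees VLAN 3349 before the customer's VLAN 10; a switch that only strips one tag hands the customer VLAN ID through untouched, which is exactly the preservation the page describes.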

Native VLAN

Normally a switch port configured as a trunk port sends and receives IEEE 802.1Q VLAN-tagged Ethernet frames.

If a switch receives untagged Ethernet frames on its Trunk port, they are forwarded to the VLAN that is configured on the Switch as native VLAN. Both sides of the trunk link must be configured to be in same native VLAN.

Native VLANs are only supported on 802.1Q trunk ports. ISL does not support untagged frames and always tags frames from all VLANs.

DTP (Dynamic Trunking Protocol)

It is a Cisco proprietary trunking protocol used for negotiating trunking on a link between two Cisco Switches. Dynamic Trunking Protocol (DTP) can also be used for negotiating the encapsulation type of either 802.1q or Cisco ISL.

DTP has two modes to dynamically decide whether a port becomes a trunk:

• Desirable – the port will actively attempt to form a trunk with the remote switch. This is the default setting.


Page 14: Vlan and vtp


• Auto – the port will passively wait for the remote switch to initiate the trunk.

Trunk ports send out DTP frames every 30 seconds to indicate their configured mode.

A Trunk will form in the following configurations:

• Trunk - Trunk
• Trunk - Dynamic desirable
• Trunk - Dynamic auto
• Dynamic desirable - Dynamic desirable
• Dynamic desirable - Dynamic auto

A trunk will never form if the two sides of the trunk are set to dynamic auto, as both ports are waiting for the other to initialize the trunk.

It is best practice to manually configure trunk ports, to avoid DTP negotiation errors. DTP is also vulnerable to VLAN spoofing attacks.
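The following Python is an added example, not from the original slides: it encodes the trunk-formation table above as a function and audits a running-config excerpt for interfaces still left to negotiate, which is the check behind the best practice just stated. The config text and interface names are constructed for the example, and the rule that an interface with no explicit mode is treated as dynamic desirable follows the page's statement that desirable is the default.

```python
import re

TRUNK, DESIRABLE, AUTO = "trunk", "dynamic desirable", "dynamic auto"
DTP_MODES = (TRUNK, DESIRABLE, AUTO)


def trunk_forms(local, remote):
    """Apply the page's table: a trunk forms unless both ends sit in dynamic auto."""
    for mode in (local, remote):
        if mode not in DTP_MODES:
            raise ValueError(f"mode not covered by the page's table: {mode!r}")
    return not (local == AUTO and remote == AUTO)


# Constructed running-config excerpt (invented for this example).
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
!
interface FastEthernet0/2
 switchport mode dynamic desirable
!
interface FastEthernet0/3
 switchport access vlan 20
!
interface FastEthernet0/4
 switchport mode trunk
 switchport trunk allowed vlan 10,20,21-25
!
"""

MODE_RE = re.compile(r"^switchport mode (trunk|access|dynamic desirable|dynamic auto)$")


def parse_interfaces(config):
    """Map each interface name to the list of commands configured under it."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None            # '!' or anything else ends the interface block
    return interfaces


def effective_mode(commands):
    """Explicit 'switchport mode' if present; otherwise the page's default, dynamic desirable."""
    for cmd in commands:
        match = MODE_RE.match(cmd)
        if match:
            return match.group(1)
    return DESIRABLE


def negotiating_ports(config):
    """Interfaces that still rely on DTP negotiation and should be hardcoded."""
    return sorted(name for name, cmds in parse_interfaces(config).items()
                  if effective_mode(cmds) in (DESIRABLE, AUTO))


if __name__ == "__main__":
    print("auto-auto forms a trunk:", trunk_forms(AUTO, AUTO))
    print("ports still negotiating:", negotiating_ports(SAMPLE_CONFIG))
```

FastEthernet0/3 is the interesting case: it has an access VLAN assigned but no explicit mode, so under the page's default it still negotiates, and the audit lists it next to the interface that was deliberately set to dynamic desirable.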

VLAN configuration

By default, all interfaces belong to VLAN 1. To assign an interface to a different VLAN, that VLAN must first be created. To view all created VLANs and the interfaces assigned to each VLAN:

Switch# show vlan


Page 15: Vlan and vtp


The standard range of VLAN numbers is 1 – 1005, with VLANs 1002-1005 reserved for legacy Token Ring and FDDI purposes.

The extended range of VLAN number is 1006-4094.

Configuration options for VLAN IDs 1006 through 4094 are limited to MTU, RSPAN VLAN, private VLAN, and UNI-ENI VLAN.

The list of VLANs is stored in a database file named vlan.dat. The vlan.dat file is usually stored in flash, though on some switch models it is stored in NVRAM. Extended-range VLANs are not saved in the VLAN database.

Configure VLAN

All interfaces belong to VLAN 1 by default. To change the VLAN of an interface, the VLAN must first be created. Giving the VLAN a name is optional.


Page 16: Vlan and vtp


Switch(config)# vlan 10

Switch(config-vlan)# name cisco

The first command creates the VLAN and enters VLAN configuration mode. The second command configures the name of the VLAN.

To remove VLAN:

Switch(config)# no vlan 10

Configure VLAN (continued)

Configure Access mode


Page 17: Vlan and vtp


The mode tells whether the port is ACCESS or TRUNK; in the above image, FastEthernet 0/1 is configured as an access port.

Configure Trunk mode

To explicitly allow a subset of VLANs on a trunk port:


Page 18: Vlan and vtp


Switch(config)# interface f0/4
Switch(config-if)# switchport trunk allowed vlan 10,20,21-25

To remove a VLAN from the allowed list:

Switch(config)# interface f0/4
Switch(config-if)# switchport trunk allowed vlan remove 20

To add a specific VLAN back into the allowed list:

Switch(config)# interface f0/4
Switch(config-if)# switchport trunk allowed vlan add 20

To allow all VLANs except for a specific range:

Switch(config-if)# switchport trunk allowed vlan except 21-25

To configure the DTP mode on an interface:

Switch(config)# interface f0/4
Switch(config-if)# switchport mode dynamic desirable
Switch(config-if)# switchport mode dynamic auto

To allow all VLANs again:

Switch(config)# interface f0/4
Switch(config-if)# switchport trunk allowed vlan all

To configure the native VLAN on a trunk:

Switch(config)# interface F0/4
Switch(config-if)# switchport mode trunk
Switch(config-if)# switchport trunk native vlan 20
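As an added example (not code from the original slides), this Python models the allowed-VLAN set of one trunk port and replays the command sequence above, collapsing the result back into the range notation that show output uses. The helper names (parse_vlan_list, format_vlan_list, TrunkAllowedList) are this example's own; the keywords add, remove, except and all are the ones shown on the page.

```python
ALL_VLANS = frozenset(range(1, 4095))       # 1-4094: standard plus extended range


def parse_vlan_list(spec):
    """Expand an IOS VLAN list such as '10,20,21-25' into a set of VLAN IDs."""
    vlans = set()
    for part in spec.replace(" ", "").split(","):
        if not part:
            continue
        lo, _, hi = part.partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not (1 <= lo <= hi <= 4094):
            raise ValueError(f"bad VLAN range: {part}")
        vlans.update(range(lo, hi + 1))
    return vlans


def format_vlan_list(vlans):
    """Collapse a set of IDs back into '10,20-25' form, the way show output does."""
    ids = sorted(vlans)
    parts, i = [], 0
    while i < len(ids):
        j = i
        while j + 1 < len(ids) and ids[j + 1] == ids[j] + 1:
            j += 1                          # extend the run of consecutive IDs
        parts.append(str(ids[i]) if i == j else f"{ids[i]}-{ids[j]}")
        i = j + 1
    return ",".join(parts)


class TrunkAllowedList:
    """Tracks the allowed-VLAN set of one trunk port through successive commands."""

    def __init__(self):
        self.vlans = set(ALL_VLANS)         # default: every VLAN is allowed on the trunk

    def apply(self, argument):
        """Apply the text after 'switchport trunk allowed vlan' and return self."""
        keyword, _, rest = argument.strip().partition(" ")
        if keyword == "all":
            self.vlans = set(ALL_VLANS)
        elif keyword == "add":
            self.vlans |= parse_vlan_list(rest)
        elif keyword == "remove":
            self.vlans -= parse_vlan_list(rest)
        elif keyword == "except":
            self.vlans = set(ALL_VLANS) - parse_vlan_list(rest)
        else:                               # a plain list replaces the whole set
            self.vlans = parse_vlan_list(argument)
        return self

    def summary(self):
        return format_vlan_list(self.vlans)


def replay_page_sequence():
    """Return the allowed list after each command from the page, in order."""
    trunk = TrunkAllowedList()
    steps = ["10,20,21-25", "remove 20", "add 20", "except 21-25", "all"]
    return [(step, len(trunk.apply(step).vlans)) for step in steps]


if __name__ == "__main__":
    for step, count in replay_page_sequence():
        print(f"{step:15} -> {count} VLANs allowed")
```

The replay makes the difference between a plain list and the except keyword visible: the first replaces the set with 7 VLANs, while except starts again from all 4094 and subtracts the range, so any earlier pruning of the list is lost.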


Page 19: Vlan and vtp


Show commands:

show vlan
show interfaces fa0/1 trunk
show interfaces trunk

VTP (VLAN Trunking Protocol)

VLAN Trunk Protocol reduces administration in a switched network. When you configure a new VLAN on one VTP server, the VLAN is distributed to all switches in the domain. This reduces the need to configure the same VLAN everywhere. VTP is a Cisco-proprietary protocol that is available on most of the Cisco Catalyst series products. VTP requires that all participating switches join a VTP domain. Switches must belong to the same domain to share VLAN information.

VTP versions

There are three VTP versions.

VTP version 1: Supports the standard 1 – 1005 VLAN range. VTP version 1 is also the default on Catalyst switches.

VTP version 2: Adds Token Ring support, VLAN consistency checks, and domain-independent transparent pass-through.

VTP version 3: Adds the extended 1006-4094 VLAN range, support for private VLANs, improved VTP authentication, and the ability to enable VTP on a per-port basis.

Page 20: Vlan and vtp

VTPv1 and v2 are not compatible. VTP version 3 was supported on only a limited number of Cisco switch platforms.

VTP modes

A switch using VTP must operate in one of three modes:
• Server
• Client
• Transparent

Server: In VTP server mode, you can create, modify, and delete VLANs and specify other configuration parameters, such as VTP version and VTP pruning, for the entire VTP domain. VTP servers advertise their VLAN configuration to other switches in the same VTP domain and synchronize their VLAN configuration with other switches based on advertisements received over trunk links.

Client: VTP clients behave the same way as VTP servers, but you cannot create, change, or delete VLANs on a VTP client.

Transparent: A VTP transparent switch maintains its own local VLAN database and does not directly participate in the VTP domain. A transparent switch will never accept VLAN database information from another switch, even a server.


Page 21: Vlan and vtp


Also, a transparent switch will never advertise its local VLAN database to another switch.

VTP message types:
• Summary advertisements
• Subset advertisements
• Advertisement requests

Summary advertisements

Both VTP servers and clients send out a summary advertisement every 300 seconds. It contains the following data:
• VTP version
• VTP domain name
• Configuration revision number
• Time stamp
• MD5 digest

Subset advertisements

A subset advertisement contains the following information:
• VTP version
• Domain name
• Configuration revision number
• VLAN IDs for each VLAN in the database
• VLAN-specific information, such as the VLAN name and MTU

Advertisement requests

A switch sends a VTP advertisement request in these situations:
• The switch has been reset.
• The VTP domain name has been changed.
• The switch has received a VTP summary advertisement with a higher configuration revision than its own.
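An added example, not from the original slides, that models how a server, a client and a transparent switch react to the summary and subset advertisements just described: a higher revision in a summary triggers a request, the subset that answers it is accepted only when the receiver's own password produces the same digest, and a transparent switch ignores both. The switch names, VLAN names and the exact bytes fed to the MD5 digest are assumptions made for the example; the page states only that the password is hashed into a 16-byte MD5 digest and that servers and clients synchronize from advertisements.

```python
import hashlib


class VtpSwitch:
    """Minimal model of one switch's VTP state (constructed for illustration)."""

    def __init__(self, name, mode, domain, password=""):
        if mode not in ("server", "client", "transparent"):
            raise ValueError("VTP mode must be server, client or transparent")
        self.name, self.mode, self.domain, self.password = name, mode, domain, password
        self.revision = 0
        self.vlans = {1: "default"}        # every switch starts with VLAN 1
        self.pending_digest = None         # digest from the last summary that needs a subset

    def digest(self, revision=None, vlans=None):
        """Stand-in for the summary's MD5 digest: MD5 over password, domain and database.

        Real VTP hashes the password into a 16-byte MD5 digest; the exact input
        layout used here is an assumption for the example, not taken from the page.
        """
        revision = self.revision if revision is None else revision
        vlans = self.vlans if vlans is None else vlans
        material = f"{self.password}|{self.domain}|{revision}|{sorted(vlans.items())}"
        return hashlib.md5(material.encode()).hexdigest()

    def create_vlan(self, vid, name):
        if self.mode == "client":
            raise PermissionError("VLANs cannot be created on a VTP client")
        self.vlans[vid] = name
        if self.mode == "server":
            self.revision += 1             # each server-side change bumps the revision
        # transparent: local database only, and nothing is advertised

    def summary_advertisement(self):
        if self.mode == "transparent":
            return None                    # transparent switches never advertise
        return {"domain": self.domain, "revision": self.revision, "digest": self.digest()}

    def subset_advertisement(self):
        if self.mode == "transparent":
            return None
        return {"domain": self.domain, "revision": self.revision, "vlans": dict(self.vlans)}

    def receive_summary(self, summary):
        """Return what the switch does with a summary advertisement."""
        if self.mode == "transparent" or summary is None:
            return "ignore"                # never accepts another switch's database
        if summary["domain"] != self.domain:
            return "ignore"                # different VTP domain
        if summary["revision"] > self.revision:
            self.pending_digest = summary["digest"]
            return "request"               # higher revision: send an advertisement request
        return "up-to-date"

    def receive_subset(self, subset):
        """Install the database from a subset advertisement if it checks out."""
        if self.mode == "transparent" or subset is None or subset["domain"] != self.domain:
            return "ignore"
        if subset["revision"] <= self.revision:
            return "up-to-date"
        if self.digest(subset["revision"], subset["vlans"]) != self.pending_digest:
            return "rejected"              # recomputed with our password: mismatch
        self.vlans, self.revision = dict(subset["vlans"]), subset["revision"]
        return "synced"


def demo():
    """One server advertises two new VLANs to three differently configured switches."""
    server = VtpSwitch("S1", "server", "MYDOMAIN", "P@SSWORD!")
    client = VtpSwitch("C1", "client", "MYDOMAIN", "P@SSWORD!")
    wrong = VtpSwitch("C2", "client", "MYDOMAIN", "wrong-password")
    transparent = VtpSwitch("T1", "transparent", "MYDOMAIN", "P@SSWORD!")
    server.create_vlan(10, "cisco")
    server.create_vlan(20, "sales")
    summary, subset = server.summary_advertisement(), server.subset_advertisement()
    results = {}
    for sw in (client, wrong, transparent):
        results[sw.name] = (sw.receive_summary(summary), sw.receive_subset(subset))
    results["client_vlans"] = sorted(client.vlans)
    results["client_revision"] = client.revision
    results["repeat"] = client.receive_summary(summary)   # same revision again
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The client with the wrong password still answers the summary with a request, because the revision comparison happens before any authentication; only the subset is refused. That is why the page insists every switch in the domain carries the same password.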


Page 22: Vlan and vtp


VTP Pruning

VLAN Trunking Protocol (VTP) is used to communicate VLAN information between switches in the same VTP domain. VTP pruning is a feature of Cisco switches that stops traffic for a VLAN from being sent down trunk links where it is not needed.

In normal operation a switch needs to flood broadcast frames, multicast frames, or unicast frames where the destination MAC address is unknown to all its ports.

If the neighbouring switch doesn’t have any active ports in the source VLAN, this broadcast is unnecessary and excessive unwanted traffic may create problems on the network.

VLAN Trunking Protocol (VTP) pruning helps in increasing the available bandwidth by reducing unnecessary flooded traffic.

Broadcast frames, multicast frames, or unicast frames where the destination MAC address is unknown are forwarded over a trunk link only if the switch on the receiving end of the trunk link has ports in the source VLAN.
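As an added example (not code from the original slides), the following Python applies the pruning rules above to decide which trunks a broadcast, multicast or unknown-unicast frame is flooded over. The trunk names, the VLANs each neighbour has active ports in, and the per-trunk pruning-eligible sets are constructed inputs; the page states that VLAN 1 and VLANs 1002-1005 are never pruned and that eligibility can be set per trunk, but the command for that is not on the page.

```python
NEVER_PRUNED = {1, 1002, 1003, 1004, 1005}     # VLAN 1 and the system VLANs are never eligible


def flood_out_trunks(vlan, trunks, pruning_enabled=True):
    """Return the trunks a flooded frame in `vlan` is forwarded over.

    `trunks` maps trunk name -> {"active": VLANs the neighbour has active ports in,
                                 "eligible": VLANs that are pruning-eligible on that trunk}.
    """
    if not 1 <= vlan <= 4094:
        raise ValueError("VLAN ID out of range")
    out = []
    for name, info in trunks.items():
        if not pruning_enabled or vlan in NEVER_PRUNED or vlan not in info["eligible"]:
            out.append(name)          # pruning cannot apply here: always flood
        elif vlan in info["active"]:
            out.append(name)          # neighbour has ports in the VLAN: flood
        # otherwise the VLAN is pruned from this trunk and the frame is not sent
    return out


# Constructed topology: three trunks leaving this switch (not from the page).
TRUNKS = {
    "Gi0/1": {"active": {10, 20}, "eligible": set(range(2, 1002))},
    "Gi0/2": {"active": {20},     "eligible": set(range(2, 1002))},
    "Gi0/3": {"active": {20},     "eligible": {20}},   # admin limited eligibility to VLAN 20
}


def demo():
    """Flooding decisions for a few VLANs over the constructed trunks."""
    return {
        "vlan10": flood_out_trunks(10, TRUNKS),
        "vlan20": flood_out_trunks(20, TRUNKS),
        "vlan1": flood_out_trunks(1, TRUNKS),
        "vlan30_no_neighbour": flood_out_trunks(30, TRUNKS),
        "vlan10_pruning_off": flood_out_trunks(10, TRUNKS, pruning_enabled=False),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

VLAN 30 has no active ports behind any trunk, yet it is still flooded over Gi0/3, because that trunk's eligible list excludes it: limiting eligibility on a trunk re-enables flooding for the excluded VLANs rather than suppressing it.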

Configuring VTP

By default, a switch is in VTP server mode. To change the VTP domain:

Switch(config)# vtp domain MYDOMAIN

Note that the domain name is case sensitive. To configure the VTP mode:

Switch(config)# vtp mode server
Switch(config)# vtp mode client
Switch(config)# vtp mode transparent

The VTP domain can be secured using a password:

Switch(config)# vtp password P@SSWORD!

The password is also case sensitive. All switches participating in the VTP domain must be configured with the same password. The password is hashed into a 16-byte MD5 digest.

Page 23: Vlan and vtp

VTP pruning is disabled by default on IOS switches. VTP pruning must be enabled on a server, and will be applied globally to the entire VTP domain:

Switch(config)# vtp pruning

Both VLAN 1 and the system VLANs 1002-1005 are never eligible for pruning. To manually specify which VLANs are pruning eligible on a trunk:
