Route My World!

The following topics will be covered in this post:

• VLAN
• VLAN Trunking

VLAN

• Virtual LAN (VLAN) is a swiched network of hosts or end devices with a common set of requirements without regard to the physical locations of the users.
• VLANs have the same attributes as physical LANs but end devices can be grouped on the same LAN segment regardless of location.
• VLANs segment the network into its own separate Layer 2 broadcast domain.
  • Switches filter broadcast packets from all ports or devices that don’t belong to the same VLAN.
• VLANs are slightly different from a physical subnet:
  • A physical subnet consists of devices on a physical cable segment.
  • A logical subnet consists of devices that communicate with each other regardless of physical location – VLANs.

End-to-End and Local VLANs

• End-to-end VLANs
  • Also called campus-wide VLANs.
  • Span throughout the entire switch fabric of a network.
  • They may span several wiring closests or even buildings.
  • End-to-end VLANs group users according to common requirements.
  • In this design the 80/20 rule is utilized – that is, 80% of traffic stays within the local workgroup, whereas 20% is destined to remote resources (which is typically routed).
  • Beacuse all VLANs must be available at each access-layer switch, VLAN trunking must be used to carry all VLANs between the access- and distribution-layer switches.
• Local VLANs 
  • Local to a specific domain, such as Building Access switches and their respective Building Distribution submodule.
  • Range in size from a single switch in a wiring closet to an entire building.
  • Design moves toward an 20/80 rule where 20% of traffic is local and 80% is destined to a remote resource across the core layer.
  • Results in traffic crossing a Layer 3 router or multilayer switch to reach network resources – but still allows the network to provide secure and consistent method of data delivery.
  • Typically used in the Building Access submodule.
  • A typical VLAN organization configures the minimum number of VLANs on a single access switch within a wiring closet, rather than having VLANs from multiple departments configured on the same switch.
  • The goal of local VLANs is not to extend the VLANs beyond the Building Distribution submodule.
  • Local VLANs provide users with the same level of performance regardless of their location because Layer 3 devices also switch and route at wire rate due to hardware-switching.

End-to-end VLANs are not recommended in an enterprise network, unless there is a good reason. In an end-to-end VLAN, broadcast traffic is carried over from one end of the network to the other, creating the possibility for a broadcast storm or Layer 2 bridging loop to spread across the whole extent of a VLAN. This can exhaust the bandwidth of distribution- and core-layer links, as well as switch CPU resources. Now the storm or loop has disrupted users on the end-to-end VLAN, in addition to users on other VLANs that might be crossing the core. When such a problem occurs, troubleshooting becomes more difficult. In other words, the risks of end-to-end VLANs outweigh the convenience and benefits.

Static and Dynamic VLANs

• Static VLANs
  • Constitutes switch ports that are manually assigned to a particular VLAN.
  • End devices become members of a particular VLAN base on what port on the switch they are plugged into.
  • They can be configured via a VLAN-management application or the command line.
  • Each port receives a Port VLAN ID (PVID) that associates it with a VLAN number.
  • Works well where adds, moves, and changes are rare.
  • The port-to-VLAN membership is normally handled in hardware (ASICs) where it provides good performance because all port mappings are done at the hardware level, with no complex table lookups needed.
• Dynamic VLANs
  • Provide membership base on the MAC address of an end device.
  • Configuration is accomplished by using a VLAN membership Policy Server (VMPS).
    • VMPS contains a database that maps MAC addresses to VLAN assignments. 
    • The switch assigns a VLAN to a host based on information in the MAC address-to-VLAN mapping on the VMPS.
  • It is dynamic because when a host moves from one switch to another in the network, the switch will dynamically assign that particular host to the right VLAN.
  • A dynamic port belongs to only one VLAN at a time. Multiple hosts maybe on the same port but they must all belong to the same VLAN.

VLAN Ranges

Configuration

There are two methods to configure a VLAN:

1. Global configuration mode – relatively newer method that allows configuration of extended VLAN ranges.
2. VLAN database configuration mode – supports only the configuration of VLANs in normal range (1 – 1005).

Create VLAN in global configuration mode:

Switch#configure terminal
Switch(config)#vlan 100
Switch(config-vlan)#name Accounting

Create VLAN in database configuration mode:

Switch#vlan database
Switch(vlan)#vlan 100
VLAN 100 added:
     Name: VLAN0100
Switch(vlan)#vlan 100 name Accounting
Swtich(vlan)#exit
APPLY completed.
Exiting….

• Cisco recommends using global configuration mode to define VLANs.
• The VLAN database command mode is session oriented. When you add, delete, or modify VLAN parameters, the switch does not appy the changes until you exit the session by entering apply or exit command. Using the abort command will not apply the changes made to the VTP database.
  • The gloabl configuration command has been deemed an obsolete method.

Delete a VLAN

Switch#config t
Switch(config)#no vlan 100
Switch(config)#end

•  After a VLAN is deleted, the ports that belong to tha VLAN becomes inactive until it is assigned to another VLAN. Ports in inactive state do not forward traffic.

Assign a port to a VLAN

Switch#config t
Switch(config)#interface fa1/0
Switch(config-if)#description Host A
Switch(config-if)#switchport
Switch(config-if)#switchport host
switchport mode will be set to access
spanning-tree portfast will be enabled
channel group will be disabled
Switch(config-if)#switchport mode access
Switch(config-if)#switchport access vlan 100
Switch(config-if)#no shut
Switch(config-if)#end

•  The switchport command with no keywords configures interfaces as Layer 2 interfaces on Layer 3 switches.
• The switchport host command effectively configures a port for a host device.
  • This feature is a macro for enabling Spanning Tree PortFast and disabling EtherChanneling of a per-port basis.
• The switchport mode access command specifies the port as an access port. 
• The switchport access vlan command places a port in a particular VLAN.

VLAN Verification

• sh vlan id 
  • Displays information about a VLAN identified by VLAN number.

• sh vlan name
  • Displays information about a VLAN by name in Cisco IOS.

• sh running-config interface
  • Displays the current configuration of a particular interface.

• sh interface switchport
  • Shows detailed information about a specific swithcport

VLAN Trunking

• An access switchport can only support one VLAN. However, multiple IP subnets can exist on that single VLAN.
  • For example, a shared hub connected to one switch port with hosts plugged into the hub – one with IP 192.168.1.1/24 and the other with 192.168.2.1/24.
• A trunk port however, supports more than one VLAN on a single switch port.
  • Trunk ports carry traffic for multiple VLANs across a single physical link.
  • It can be used to connect to another switch (to extend Layer 2 operations across an entire network, such as end-to-end VLANs) or connect a switch to a router (for example, router-on-a-stick)
  • A trunk link is not assigned to a specific VLAN. Rather, one or many VLANs can be transported on a single trunk link.
• Cisco supports trunking on Fast Ethernet and Gigabit Ethernet links, as well as aggregated Fast and Gigabit Etherchannel links.

Trunking Protocols

• In order for a switch to distinguish between traffic belonging to different traffic, there are two trunking protocols that are used to identify or tag the frames.
  • Inter-switch Link (ISL)
  • IEEE 802.1Q
• When a VLAN frame is transmitted over a trunk link, a unique identifier is placed in the frame header. A switch that receives the frame examines the identifier to determine which VLAN it belongs.
  • the identifier is removed by the receving switch.
  • If the frames traverses another trunk link, the forwarding swich adds back the VLAN identifier into the frame header.

Inter-switch Link Protocol (ISL)

• Cisco-proprietary.
• High-end routers and appliances support ISL.
  • Later Cisco Catalyst switches no longer support ISL.
• Non-ISL devices receiving an ISL-encapsulated frame may consider them transmission errors if the header plus data frame exceeds the MTU size
• Devices that do not support ISL simply drops the frame.

• The ISL frame has a header that is 26 bytes and an additional 4 bytes for the ISL FCS header. 30 bytes is added to the original frame.
• Notice in the diagram that it contains two header fields.
  • The original header field stays the same from its original frame. The second is generated by the ISL trunk port.
• The ISL encapsulation leaves the original frame un-modified.
• The source VLAN is identified with a 15-bit VLAN ID field in the header (see image above).
• Although primarily used for Ethernet media, ISL can be used to carry Token Ring, FDDI, and ATM frames over Ethernet ISL by using the 3-bit Type field in the ISL header.
• Because tagging information is added at the beginning and end of each frame, ISL is sometimes referred to as double tagging.

IEEE 802.1Q Protocol

• As opposed to ISL, this method of frame identification is standardized.
• Instead of encapsulating the frame with a header and trailer, 802.1Q inserts the tagging information inside the frame and modifies several fields. For this reason, it is typically called single tagging or internal tagging.

• 802.1Q inserts a 4-byte tag just right after the source field. The fields in the tag are as follows:
  • Tag Protocol Identifier (TPID) - 2-byte field that has value of 0×8100.
  • Tag Control Information (TCI) – the other 2-bytes. Broken down as:
    • PRI – a 3-bit priority field used to implement class-of-service (CoS) functions in the accompanying 802.1Q/802.1p prioritization standard.
    • Canonical Format Indicator (CFI) – 1-bit field that indicates the frame format (0 for Ethernet and 1 for Token-ring). Also known as canonical format, or little-endian or big-endian format.
    • VLAN ID – 12-bit VLAN field.
• 802.1Q uses an internal tagging mechanism that modifies the original frame (note the “X” on the original FCS field), recalculates the CRC value for the entire frame with the tag, and inserts the new CRC vlaue in a new FCS.
  • In comparison, ISL encapsulates the entire frame and adds a second FCS and does not modify the original frame FCS.

Baby Giants

• Note that both ISL and 802.1Q taggin methods add to the lenthg of an Ethernet frame.
  • ISL adds 30 bytes to each frame for a total of 1548 bytes on each ethernet frame.
  • 802.1Q adds 4 bytes for a total of 1522 bytes per frame.
• Because Ethernet frames cannot exceed 1518 bytes, the additional VLAN tagging information can cause the frame to become too large.
  • Frames that are larger than 1500 bytes (but smaller than 2000 bytes) are called baby giants.
• Switches usually report these frames as Ethernet errors or oversize frames.
• To properly handle and forward baby giants, Catalyst switches use proprietary hardware with the ISL encapsulation method. In the case of 802.1Q encapsulation, switches can comply with the IEEE 802.3ac standard, which extends the maximum frame length to 1522 bytes.

Native VLAN

• 802.1Q trunks define a native VLAN for frames that are not tagged by default.
• Switches transmit any Layer 2 frames from a native VLAN on the trunk port untagged.
• The receiving switch forwards all untagged packets to its native VLAN.
• The native VLAN is the default VLAN configuration of the port.
• When the port is not trunking, the access VLAN configuration defines the native VLAN.
• In the case of Cisco switches, the default VLAN is VLAN 1 and is configurable.
• Two devices that are trunking has to have the same native VLAN configuration on both sides of the link.
  • Misconfiguration may cause Layer 2 loops or blackholes.
  • CPD issues a “VLAN mismatch” console error message if native VLANs don’t match.
• Tagged or not, a switch will forward Layer 2 frames received on an 802.1Q trunk port.
  • ISL drops unencapsulated frames. All frames, including native VLAN are encapsulated.

Dynamic Trunking Protocol (DTP)

• Cisco-proprietary point-to-point protocol that negotiates a common trunking mode between two switches.
• DTP negotiates the operational mode of directly connected switch ports to a trunk port and selects an appropriate trunking protocol.
• DTP should be disabled if a switch has a trunk link connected to a non-trunking router or firewall interface because those devices cannot participate in DTP negotiation.
  • A trunk link can be negotiated between two switches only if both switches belong to the same VLAN Trunking Protocol (VTP) management domain or if one or both switches have not defined their VTP domain (that is, the NULL domain).
  • If the two switches are in different VTP domains and trunking is desired between them, you must set the trunk links to on mode or nonegotiate mode. This setting forces the trunk to be established.

 VLAN Trunk Configuration

Switch(config)# interface type mod/port
Switch(config-if)# switchport

• The switchport command puts the port in Layer 2 mode.

Switch(config-if)# switchport trunk encapsulation {isl | dot1q | negotiate}

• The switchport trunk encapsulation command configures the type of enccapsulation for the port:
  • isl – VLANs are tagged by encapsulating each frame with the Cisco ISL protocol.
  • dot1q – VLANs are tagged in each frame using the IEEE 802.1Q standard protocol. The native VLAN is sent normally and is untagged.
  • negotiate – The default configuration, negotiates the encapsulation to select either ISL or 802.1Q, whichever both ends of the trunk support. If both ends support both types, ISL is used.

Switch(config-if)# switchport trunk native vlan vlan-id

• The swichport trunk native vlan command is used to define the untagged or native VLAN as vlan-id (1 to 4094).
• By default, 802.1Q trunks use VLAN 1 as the native VLAN.
• ISL trunks has no effect on this command because ISL does not support untagged VLANs.

Switch(config-if)# switchport trunk allowed vlan {vlan-list | all | {add | except | remove} vlan-list}

• The switchport trunk allowed vlan command defines which VLANs can be trunked over the link.
• By default a switch transports all active VLANs (1 to 4094) over a trunk link.
• There are times that trunk links should not carry all VLANs. Because trunk links are also part of the VLAN, it and broadcast traffic are forwarded to every switch port on the VLAN. If the VLAN does not exist past the far end of the trunk link, there is no reason to propagate broadcast accross the trunk.
• The following are some parameters:
  • vlan-list – An explicit list of VLAN numbers, separated by commas or dashes.
  • all – All active VLANs (from 1 to 4094) will be allowed
  • add vlan-list – A list of VLAN numbers will be added to the already configured list; this is a shortcut to keep from typing a long list of numbers.
  • except vlan-list – All VLANs (1 to 4094) will be allowed, except for the VLAN numbers listed; this is a shortcut to keep from typing a long list of numbers.
  • remove vlan-list – A list of VLAN numbers will be removed from the already configured list; this is a shortcut to keep from typing a long list of numbers.

Switch(config-if)# switchport mode {trunk | dynamic {desirable | auto}}

• The switchport mode command sets the trunking mode to any of the following:
  • trunk – Sets the port in permanent trunking mode.
  • dynamic desirable (default setting) – The port attemtps to actively convert the link to trunking mode. It “asks” the other end of the trunk link to bring up a trunk. If the far-end switch prot is configured as trunk, dynamic desirable, or dynamic auto mode, trunking is negotiated successfully.
  • dynamic auto – The port turns into a trunk link only if the far-end of the switch actively requests it. If both ends are dynamic auto, the trunk does not form. If the other end of the switch is trunking mode or dynamic desirable mode, trunking is negotiated.

Example: Configure a Port for ISL Trunking

Switch#conf t
Switch(config)#interface FastEthernet 0/48
Switch(config-if)#switchport
Switch(config-if)#switchport trunk encapsulation isl
Switch(config-if)#switchport mode trunk

Example: Configure a Port for 802.1Q Trunking

Switch#conf t
Switch(config)#interface FastEthernet 0/48
Switch(config-if)#switchport trunk encapsulation dot1q
Switch(config-if)#switchport mode dynamic desirable
Switch(config-if)#switchport trunk allowed vlan 1 – 100
Switch(config-if)#no shut

Verification Commands

• sh running-config interface fa0/48
  • Displays port information for trunking.
• sh int fa 0/48 switchport
  • Displays switchport information for trunking
• sh int fa 0/48 trunk
  • Displays trunk information for a particular port

References:

1. Catalyst 3550 Multilayer Switch Software Configuration Guide, 12.1(9)EA1 – Creating and Maintaining VLANs
2. Inter-Switch Link and IEEE 802.1Q Frame Format – Cisco Systems, Inc.

This entry is not an authoritative guide. These are merely notes and rehash of the primary text materials and resources that I use. For a thorough guide of the BCMSN course, consider purchasing Building Cisco Multilayer Switched Networks (BCMSN) (Authorized Self-Study Guide) (4th Edition) by Richard Froom, Balaji Sivasubramanian, and Erum Frahim and CCNP BCMSN Official Exam Certification Guide (4th Edition) by Dave Hucaby ; as well as following the links on the reference section of this entry.