Foundation Topics
Virtual LANs
In an Ethernet LAN, a set of devices that receive a broadcast sent by any one of the devices in the same set is called a broadcast domain. On switches that have no concept of virtual LANs (VLAN), a switch simply forwards all broadcasts out all interfaces, except the interface on which it received the frame. As a result, all the interfaces on an individual switch are in the same broadcast domain. Also, if the switch connects to other switches and hubs, the interfaces on those switches and hubs are also in the same broadcast domain.
A VLAN is simply an administratively defined subset of switch ports that are in the same broadcast domain. Ports can be grouped into different VLANs on a single switch, and on multiple interconnected switches as well. By creating multiple VLANs, the switches create multiple broadcast domains. By doing so, a broadcast sent by a device in one VLAN is forwarded to the other devices in that same VLAN; however, the broadcast is not forwarded to devices in the other VLANs.
With VLANs and IP, best practices dictate a one-to-one relationship between VLANs and IP subnets. Simply put, the devices in a single VLAN are typically also in the same single IP subnet. Alternately, it is possible to put multiple subnets in one VLAN, and use secondary IP addresses on routers to route between the VLANs and subnets. Also, although not typically done, you can design a network to use one subnet on multiple VLANs, and use routers with proxy ARP enabled to forward traffic between hosts in those VLANs. (Private VLANs might be considered to consist of one subnet over multiple VLANs as well, as covered later in this chapter.) Ultimately, the CCIE written exams tend to focus more on the best use of technologies, so this book will assume that one subnet sits on one VLAN, unless otherwise stated.
Layer 2 switches forward frames between devices in the same VLAN, but they do not forward frames between two devices in different VLANs. To forward data between two VLANs, a multilayer switch (MLS) or router is needed. Chapter 6, "IP Forwarding (Routing)," covers the details of MLS.
VLAN Configuration
Configuring VLANs in a network of Cisco switches requires just a few simple steps:
- Step 1 Create the VLAN itself.
- Step 2 Associate the correct ports with that VLAN.
The challenge relates to how some background tasks differ depending on how the Cisco VLAN Trunking Protocol (VTP) is configured, and whether normal-range or extended-range VLANs are being used.
Using VLAN Database Mode to Create VLANs
To begin, consider Example 2-1, which shows some of the basic mechanics of VLAN creation in VLAN database configuration mode. VLAN database configuration mode allows the creation of VLANs, basic administrative settings for each VLAN, and verification of VTP configuration information. Only normal-range (VLANs 1–1005) VLANs can be configured in this mode, and the VLAN configuration is stored in a Flash file called vlan.dat.
Example 2-1 demonstrates VLAN database configuration mode, showing the configuration on Switch3 from Figure 2-1. The example shows VLANs 21 and 22 being created.
Figure 2-1 Simple Access and Distribution
Example 2-1. VLAN Creation in VLAN Database Mode–Switch3
! Below, note that FA 0/12 and FA0/24 missing from the list, because they
have! dynamically become trunks, supporting multiple VLANs.
Switch3# show vlan brief
VLAN Name Status Ports ---- -------------------------------- --------- ------------------------------- 1 default active Fa0/1, Fa0/2, Fa0/3, Fa0/4 Fa0/5, Fa0/6, Fa0/7, Fa0/8 Fa0/9, Fa0/10,Fa0/11, Fa0/13
Fa0/14, Fa0/15, Fa0/16, Fa0/17 Fa0/18, Fa0/19, Fa0/20, Fa0/21 Fa0/22,Fa0/23
! Below, "unsup" means that this 2950 switch does not support FDDI and TR
1002 fddi-default act/unsup
1003 token-ring-default act/unsup 1004 fddinet-default act/unsup 1005 trnet-default act/unsup! Below, vlan database moves user to VLAN database configuration mode.
! The vlan 21 command defines the VLAN, as seen in the next command output
! (show current), VLAN 21 is not in the "current" VLAN list.
Switch3# vlan database
Switch3(vlan)# vlan 21VLAN 21 added:
Name: VLAN0021
! The show current command lists the VLANs available to the IOS when the switch
! is in VTP Server mode. The command lists the VLANs in numeric order, with
! VLAN 21 missing.
Switch3(vlan)# show currentVLAN ISL Id: 1
Name: default Media Type: Ethernet VLAN 802.10 Id: 100001 State: Operational MTU: 1500 Backup CRF Mode: Disabled Remote SPAN VLAN: NoVLAN ISL Id: 1002
Name: fddi-default Media Type: FDDI VLAN 802.10 Id: 101002 State: Operational MTU: 1500 Backup CRF Mode: Disabled Remote SPAN VLAN: No! Lines omitted for brevity
! Next, note that show proposed lists VLAN 21. The vlan 21 command
! creates the definition, but it must be "applied" before it is "current".
Switch3(vlan)# show proposed VLAN ISL Id: 1 Name: default Media Type: Ethernet VLAN 802.10 Id: 100001 State: Operational MTU: 1500 Backup CRF Mode: Disabled Remote SPAN VLAN: NoVLAN ISL Id: 21
Name: VLAN0021 Media Type: Ethernet VLAN 802.10 Id: 100021 State: Operational MTU: 1500 Backup CRF Mode: Disabled Remote SPAN VLAN: No! Lines omitted for brevity
! Next, you could apply to complete the addition of VLAN 21,
! abort to not make the changes and exit VLAN database mode, or
! reset to not make the changes but stay in VLAN database mode.
Switch3(vlan)# ? VLAN database editing buffer manipulation commands:abort Exit mode without applying the changes
apply Apply current changes and bump revision number
exit Apply changes, bump revision number, and exit mode no Negate a command or set its defaultsreset Abandon current changes and reread current database
show Show database information vlan Add, delete, or modify values associated with a single VLAN vtp Perform VTP administrative functions.! The apply command was used, making the addition of VLAN 21 complete.
Switch3(vlan)# applyAPPLY completed.
! A show current now would list VLAN 21.
Switch3(vlan)# vlan 22 name ccie-vlan-22
VLAN 22 added:
Name: ccie-vlan-22
! Above and below, some variations on commands are shown, along with the
! creation of VLAN 22, with name ccie-vlan-22.
! Below, the vlan 22 option is used on show current and show proposed
! detailing the fact that the apply has not been done yet.
Switch3(vlan)# show current 22
VLAN 22 does not exist in current database
Switch3(vlan)# show proposed 22
VLAN ISL Id: 22
! Lines omitted for brevity
! Finally, the user exits VLAN database mode using CTRL-Z, which does
! not inherently apply the change. CTRL-Z actually executes an abort.
Switch3(vlan)# ^Z
Using Configuration Mode to Put Interfaces into VLANs
To make a VLAN operational, the VLAN must be created, and then switch ports must be assigned to the VLAN. Example 2-2 shows how to associate the interfaces with the correct VLANs, once again on Switch3.
Example 2-2. Assigning Interfaces to VLANs–Switch3
! First, the switchport access command assigns the VLAN numbers to the
! respective interfaces.
Switch3# config t Enter configuration commands, one per line. End with CNTL/Z. Switch3(config)# int fa 0/3Switch3(config-if)# switchport access vlan 22
Switch3(config-if)# int fa 0/7Switch3(config-if)# switchport access vlan 21
Switch3(config-if)# ^Z! Below, show vlan brief lists these same two interfaces as now being in
! VLANs 21 and 22, respectively.
Switch3# show vlan brief
VLAN Name Status Ports ---- -------------------------------- --------- ------------------------------- 1 default active Fa0/1, Fa0/2, Fa0/4, Fa0/5 Fa0/6, Fa0/8, Fa0/9, Fa0/10 Fa0/11, Fa0/13, Fa0/14, Fa0/15 Fa0/16, Fa0/17, Fa0/18, Fa0/19 Fa0/20, Fa0/21, Fa0/22, Fa0/2321
VLAN0021 active Fa0/722
ccie-vlan-22 active Fa0/3 ! Lines omitted for brevity! While the VLAN configuration is not shown in the running-config at this point,
! the switchport access command that assigns the VLAN for the interface is in the
! configuration, as seen with the show run int fa 0/3 command.
Switch3# show run int fa 0/3
interface FastEthernet0/3switchport access vlan 22
Using Configuration Mode to Create VLANs
At this point, the two new VLANs (21 and 22) have been created on Switch3, and the two interfaces are now in the correct VLANs. However, Cisco IOS switches support a different way to create VLANs, using configuration mode, as shown in Example 2-3.
Example 2-3. Creating VLANs in Configuration Mode–Switch3
! First, VLAN 31 did not exist when the switchport access vlan 31 command was
! issued. As a result, the switch both created the VLAN and put interface fa0/8
! into that VLAN. Then, the vlan 32 global command was used to create a
! VLAN from configuration mode, and the name subcommand was used to assign a
! non-default name.
Switch3# conf t Enter configuration commands, one per line. End with CNTL/Z. Switch3(config)# int fa 0/8Switch3(config-if)# switchport access vlan 31
% Access VLAN does not exist. Creating vlan 31
Switch3(config-if)# exit Switch3(config)# vlan 32 Switch3(config-vlan)# name ccie-vlan-32 Switch3(config-vlan)# ^ZSwitch3# show vlan brief
VLAN Name Status Ports ---- -------------------------------- --------- ------------------------------- 1 default active Fa0/1, Fa0/2, Fa0/4, Fa0/5 Fa0/6, Fa0/9, Fa0/10, Fa0/11 Fa0/13, Fa0/14, Fa0/15, Fa0/16 Fa0/17, Fa0/18, Fa0/19, Fa0/20 Fa0/21, Fa0/22, Fa0/23 21 VLAN0021 active Fa0/7 22 ccie-vlan-22 active Fa0/331 VLAN0031 active Fa0/8
32 ccie-vlan-32 active
! Portions omitted for brevity
Example 2-3 shows how the switchport access vlan subcommand creates the VLAN, as needed, and assigns the interface to that VLAN. Note that in Example 2-3, the show vlan brief output lists fa0/8 as being in VLAN 31. Because no ports have been assigned to VLAN 32 as of yet, the final line in Example 2-3 simply does not list any interfaces.
The VLAN creation process is simple but laborious in a large network. If many VLANs exist, and they exist on multiple switches, instead of manually configuring the VLANs on each switch, you can use VTP to distribute the VLAN configuration of a VLAN to the rest of the switches. VTP will be discussed after a brief discussion of private VLANs.
Private VLANs
Engineers may design VLANs with many goals in mind. In many cases today, devices end up in the same VLAN just based on the physical locations of the wiring drops. Security is another motivating factor in VLAN design: devices in different VLANs do not overhear each other's broadcasts. Additionally, the separation of hosts into different VLANs and subnets requires an intervening router or multilayer switch between the subnets, and these types of devices typically provide more robust security features.
Regardless of the design motivations behind grouping devices into VLANs, good design practices typically call for the use of a single IP subnet per VLAN. In some cases, however, the need to increase security by separating devices into many small VLANs conflicts with the design goal of conserving the use of the available IP subnets. The Cisco private VLAN feature addresses this issue. Private VLANs allow a switch to separate ports as if they were on different VLANs, while consuming only a single subnet.
A common place to implement private VLANs is in the multitenant offerings of a service provider (SP). The SP can install a single router and a single switch. Then, the SP attaches devices from multiple customers to the switch. Private VLANs then allow the SP to use only a single subnet for the whole building, separating different customers' switch ports so that they cannot communicate directly, while supporting all customers with a single router and switch.
Conceptually, a private VLAN includes the following general characterizations of how ports communicate:
- Ports that need to communicate with all devices
- Ports that need to communicate with each other, and with shared devices, typically routers
- Ports that need to communicate only with shared devices
To support each category of allowed communications, a single private VLAN features a primary VLAN and one or more secondary VLANs. The ports in the primary VLAN are promiscuous in that they can send and receive frames with any other port, including ports assigned to secondary VLANs. Commonly accessed devices, such as routers and servers, are placed into the primary VLAN. Other ports, such as customer ports in the SP multitenant model, attach to one of the secondary VLANs.
Secondary VLANs are either community VLANs or isolated VLANs. The engineer picks the type based on whether the device is part of a set of ports that should be allowed to send frames back and forth (community VLAN ports), or whether the device port should not be allowed to talk to any other ports besides those on the primary VLAN (isolated VLAN). Table 2-2 summarizes the behavior of private VLAN communications between ports.
Table 2-2. Private VLAN Communications Between Ports
Description of Who Can Talk to Whom |
Primary VLAN Ports |
Community VLAN Ports1 |
Isolated VLAN Ports1 |
Talk to ports in primary VLAN (promiscuous ports) |
Yes |
Yes |
Yes |
Talk to ports in the same secondary VLAN (host ports) |
N/A2 |
Yes |
No |
Talks to ports in another secondary VLAN |
N/A2 |
No |
No |
VLAN Trunking Protocol
VTP advertises VLAN configuration information to neighboring switches so that the VLAN configuration can be made on one switch, with all the other switches in the network learning the VLAN information dynamically. VTP advertises the VLAN ID, VLAN name, and VLAN type for each VLAN. However, VTP does not advertise any information about which ports (interfaces) should be in each VLAN, so the configuration to associate a switch interface with a particular VLAN (using the switchport access vlan command) must still be configured on each individual switch. Also, the existence of the VLAN IDs used for private VLANs is advertised, but the rest of the detailed private VLAN configuration is not advertised by VTP.
Each Cisco switch uses one of three VTP modes, as outlined in Table 2-3.
Table 2-3. VTP Modes and Features*
Function |
Server Mode |
Client Mode |
Transparent Mode |
Originates VTP advertisements |
Yes |
Yes |
No |
Processes received advertisements to update its VLAN configuration |
Yes |
Yes |
No |
Forwards received VTP advertisements |
Yes |
Yes |
Yes |
Saves VLAN configuration in NVRAM or vlan.dat |
Yes |
Yes |
Yes |
Can create, modify, or delete VLANs using configuration commands |
Yes |
No |
Yes |
VTP Process and Revision Numbers
The VTP update process begins when a switch administrator, from a VTP server switch, adds, deletes, or updates the configuration for a VLAN. When the new configuration occurs, the VTP server increments the old VTP revision number by 1, and advertises the entire VLAN configuration database along with the new revision number.
The VTP revision number concept allows switches to know when VLAN database changes have occurred. Upon receiving a VTP update, if the revision number in a received VTP update is larger than a switch's current revision number, it believes that there is a new version of the VLAN database. Figure 2-2 shows an example in which the old VTP revision number was 3, the server adds a new VLAN, incrementing the revision number to 4, and then propagates the VTP database to the other switches.
Figure 2-2 VTP Revision Number Basic Operation
Cisco switches default to use VTP server mode, but they do not start sending VTP updates until the switch has been configured with a VTP domain name. At that point, the server begins to send its VTP updates, with a different database and revision number each time its VLAN configuration changes. However, the VTP clients in Figure 2-2 actually do not have to have the VTP domain name configured. If not configured, the client will assume it should use the VTP domain name in the first received VTP update. However, the client does need one small bit of configuration, namely, the VTP mode, as configured with the vtp mode global configuration command.
VTP clients and servers alike will accept VTP updates from other VTP server switches. When using VTP, for better availability, a switched network using VTP needs at least two VTP server switches. Under normal operations, a VLAN change could be made on one server switch, and the other VTP server (plus all the clients) would learn about the changes to the VLAN database. Once learned, both VTP servers and clients store the VLAN configuration in their respective vlan.dat files in flash memory; they do not store the VLAN configuration in NVRAM.
With multiple VTP servers installed in a LAN, it is possible to accidentally overwrite the VTP configuration in the network. If trunks fail and then changes are made on more than one VTP server, the VTP configuration databases could differ, with different configuration revision numbers. When the formerly-separated parts of the LAN reconnect using trunks, the VTP database with a higher revision number is propagated throughout the VTP domain, replacing some switches' VTP databases. Note also that because VTP clients can actually originate VTP updates, under the right circumstances, a VTP client can update the VTP database on another VTP client or server. See http://www.ciscopress.com/1587201968 and look for downloads, to download a document that describes how a client could update the VLAN database on another VTP client or server. In summary, for a newly-connected VTP server or client to change another switch's VTP database, the following must be true:
- The new link connecting the new switch is trunking.
- The new switch has the same VTP domain name as the other switches.
- The new switch's revision number is larger than that of the existing switches.
- The new switch must have the same password, if configured on the existing switches.
The revision number and VTP domain name can be easily seen with a Sniffer trace; to prevent DoS attacks with VTP, set VTP passwords, which are encoded as message digests (MD5) in the VTP updates. Also, some installations simply use VTP transparent mode on all switches, which prevents switches from ever listening to other switch VTP updates and erroneously deleting their VLAN configuration databases.
VTP Configuration
VTP sends updates out all active trunk interfaces (ISL or 802.1Q). However, with all default settings from Cisco, switches are in server mode, with no VTP domain name configured, and they do not send any VTP updates. Before any switches can learn VLAN information from another switch, at least one switch must have a bare-minimum VTP server configuration—specifically, a domain name.
Example 2-4 shows Switch3 configuring a VTP domain name to become a VTP server and advertise the VLANs it has configured. The example also lists several key VTP show commands. (Note that the example begins with VLANs 21 and 22 configured on Switch3, and all default settings for VTP on all four switches.)
Example 2-4. VTP Configuration and show Command Example
! First, Switch3 is configured with a VTP domain ID of CCIE-domain.
Switch3# conf t Enter configuration commands, one per line. End with CNTL/Z.Switch3(config)# vtp domain CCIE-domain
Changing VTP domain name from NULL to CCIE-domain Switch3(config)# ^Z! Next, on Switch1, the VTP status shows the same revision as Switch3, and it
! learned the VTP domain name CCIE-domain. Note that Switch1 has no VTP-related
! configuration, so it is a VTP server; it learned the VTP domain name from.
! Switch3.
Switch1# sh vtp status
VTP Version : 2Configuration Revision : 2
Maximum VLANs supported locally : 1005 Number of existing VLANs : 7VTP Operating Mode : Server
VTP Domain Name : CCIE-domain
VTP Pruning Mode : Disabled VTP V2 Mode : Disabled VTP Traps Generation : Disabled MD5 digest : 0x0E 0x07 0x9D 0x9A 0x27 0x10 0x6C 0x0BConfiguration last modified by 10.1.1.3 at 3-1-93 00:02:55
Local updater ID is 10.1.1.1 on interface Vl1 (lowest numbered VLAN interface found)! The show vlan brief command lists the VLANs learned from Switch3.
Switch1# show vlan brief
VLAN Name Status Ports ---- -------------------------------- --------- ------------------------------- 1 default active Fa0/1, Fa0/2, Fa0/3, Fa0/4 Fa0/5, Fa0/6, Fa0/7, Fa0/10 Fa0/11, Fa0/13, Fa0/14, Fa0/15 Fa0/16, Fa0/17, Fa0/18, Fa0/19 Fa0/20, Fa0/21, Fa0/22, Fa0/23 Gi0/221 VLAN0021 active
22 ccie-vlan-22 active
1002 fddi-default active 1003 token-ring-default active 1004 fddinet-default active 1005 trnet-default active
Example 2-4 shows examples of a few VTP configuration options. Table 2-4 provides a complete list, along with explanations.
Table 2-4. VTP Configuration Options
Option |
Meaning |
domain |
Sends domain name in VTP updates. Received VTP update is ignored if it does not match a switch's domain name. One VTP domain name per switch is allowed. |
password |
Used to generate an MD5 hash that is included in VTP updates. Received VTP updates are ignored if the passwords on the sending and receiving switch do not match. |
mode |
Sets server, client, or transparent mode on the switch. |
Option |
Meaning |
version |
Sets version 1 or 2. Servers and clients must match version to exchange VLAN configuration data. Transparent mode switches at version 2 forward version 1 or version 2 VTP updates. |
pruning |
Enables VTP pruning, which prevents flooding on a per-VLAN basis to switches that do not have any ports configured as members of that VLAN. |
interface |
Specifies the interface whose IP address is used to identify this switch in VTP updates. |
Normal-Range and Extended-Range VLANs
Some VLAN numbers are considered to be normal, whereas some others are considered to be extended. Normal-range VLANs are VLANs 1–1005, and can be advertised via VTP versions 1 and 2. These VLANs can be configured in VLAN database mode, with the details being stored in the vlan.dat file in Flash.
Extended-range VLANs range from 1006–4094, inclusive. However, these additional VLANs cannot be configured in VLAN database mode, nor stored in the vlan.dat file, nor advertised via VTP. In fact, to configure them, the switch must be in VTP transparent mode. (Also, you should take care to avoid using VLANs 1006–1024 for compatibility with CatOS-based switches.)
Both ISL and 802.1Q support extended-range VLANs today. Originally, ISL began life only supporting normal-range VLANs, using only 10 of the 15 bits reserved in the ISL header to identify the VLAN ID. The later-defined 802.1Q used a 12-bit VLAN ID field, thereby allowing support of the extended range. Following that, Cisco changed ISL to use 12 of its reserved 15 bits in the VLAN ID field, thereby supporting the extended range.
Table 2-5 summarizes VLAN numbers and provides some additional notes.
Table 2-5. Valid VLAN Numbers, Normal and Extended
VLAN Number |
Normal or Extended? |
Can Be Advertised and Pruned by VTP Versions 1 and 2? |
Comments |
0 |
Reserved |
— |
Not available for use |
1 |
Normal |
No |
On Cisco switches, the default VLAN for all access ports; cannot be deleted or changed |
2–1001 |
Normal |
Yes |
|
1002–1005 |
Normal |
No |
Defined specifically for use with FDDI and TR translational bridging |
1006–4094 |
Extended |
No |
Storing VLAN Configuration
Catalyst IOS stores VLAN and VTP configuration in one of two places—either in a Flash file called vlan.dat or in the running configuration. (Remember that the term "Catalyst IOS" refers to a switch that uses IOS, not the Catalyst OS, which is often called CatOS.) IOS chooses the storage location in part based on the VTP mode, and in part based on whether the VLANs are normal-range VLANs or extended-range VLANs. Table 2-6 describes what happens based on what configuration mode is used to configure the VLANs, the VTP mode, and the VLAN range. (Note that VTP clients also store the VLAN configuration in vlan.dat, and they do not understand extended range VLANs.)
Table 2-6. VLAN Configuration and Storage
Function |
When in VTP Server Mode |
When in VTP Transparent Mode |
Normal-range VLANs can be configured from |
Both VLAN database and configuration modes |
Both VLAN database and configuration modes |
Extended-range VLANs can be configured from |
Nowhere—cannot be configured |
Configuration mode only |
VTP and normal-range VLAN configuration commands are stored in |
vlan.dat in Flash |
Both vlan.dat in Flash and running configuration1 |
Extended-range VLAN configuration commands stored in |
Nowhere—extended range not allowed in VTP server mode |
Running configuration only |
Of particular interest for those of you stronger with CatOS configuration skills is that when you erase the startup-config file, and reload the Cisco IOS switch, you do not actually erase the normal-range VLAN and VTP configuration information. To erase the VLAN and VTP configuration, you must use the delete flash:vlan.dat exec command. Also note that if multiple switches are in VTP server mode, if you delete vlan.dat on one switch and then reload it, as soon as the switch comes back up and brings up a trunk, it learns the old VLAN database via a VTP update from the other VTP server.
VLAN Trunking: ISL and 802.1Q
VLAN trunking allows switches, routers, and even PCs with the appropriate NICs to send traffic for multiple VLANs across a single link. In order to know to which VLAN a frame belongs, the sending switch, router, or PC adds a header to the original Ethernet frame, with that header having a field in which to place the VLAN ID of the associated VLAN. This section describes the protocol details for the two trunking protocols, followed by the details of how to configure trunking.
ISL and 802.1Q Concepts
If two devices are to perform trunking, they must agree to use either ISL or 802.1Q, because there are several differences between the two, as summarized in Table 2-7.
Table 2-7. Comparing ISL and 802.1Q
Feature |
ISL |
802.1Q |
VLANs supported |
Normal and extended range1 |
Normal and extended range |
Protocol defined by |
Cisco |
IEEE |
Encapsulates original frame or inserts tag |
Encapsulates |
Inserts tag |
Supports native VLAN |
No |
Yes |
ISL and 802.1Q differ in how they add a header to the Ethernet frame before sending it over a trunk. ISL adds a new 26-byte header, plus a new trailer (to allow for the new FCS value), encapsulating the original frame. This encapsulating header uses the source address (listed as SA in Figure 2-3) of the device doing the trunking, instead of the source MAC of the original frame. ISL uses a multicast destination address (listed as DA in Figure 2-3) of either 0100.0C00.0000 or 0300.0C00.0000.
802.1Q inserts a 4-byte header, called a tag, into the original frame (right after the Source Address field). The original frame's addresses are left intact. Normally, an Ethernet controller would expect to find either an Ethernet Type field or 802.3 Length field right after the Source Address field. With an 802.1Q tag, the first 2 bytes after the Address fields holds a registered Ethernet type value of 0x8100, which implies that the frame includes an 802.1Q header. Because 802.1Q does not actually encapsulate the original frame, it is often called frame tagging. Figure 2-3 shows the contents of the headers used by both ISL and 802.1Q.
Figure 2-3 ISL and 802.1Q Frame Marking Methods
Finally, the last row from Table 2-7 refers to the native VLAN. 802.1Q does not tag frames sent inside the native VLAN. The native VLAN feature allows a switch to attempt to use 802.1Q trunking on an interface, but if the other device does not support trunking, the traffic for that one native VLAN can still be sent over the link. By default, the native VLAN is VLAN 1.
ISL and 802.1Q Configuration
Cisco switches use the Dynamic Trunk Protocol (DTP) to dynamically learn whether the device on the other end of the cable wants to perform trunking and, if so, which trunking protocol to use. DTP learns whether to trunk based on the DTP mode defined for an interface. Cisco switches default to use the DTP desirable mode, which means that the switch initiates sending DTP messages, hoping that the device on the other end of the segment replies with another DTP message. If a reply is received, DTP can detect whether both switches can trunk and, if so, which type of trunking to use. If both switches support both types of trunking, they choose to use ISL. (An upcoming section, "Trunk Configuration Compatibility," covers the different DTP modes and how they work.)
With the DTP mode set to desirable, switches can simply be connected, and they should dynamically form a trunk. You can, however, configure trunking details and verify the results with show commands. Table 2-8 lists some of the key Catalyst IOS commands related to trunking.
Table 2-8. VLAN Trunking–Related Commands
Command |
Function |
switchport | no switchport |
Toggle defining whether to treat the interface as a switch interface (switchport) or as a router interface (no switchport) |
switchport mode |
Sets DTP negotiation parameters |
switchport trunk |
Sets trunking parameters if the interface is trunking |
switchport access |
Sets nontrunking-related parameters if the interface is not trunking |
show interface trunk |
Summary of trunk-related information |
show interface type number trunk |
Lists trunking details for a particular interface |
show interface type number switchport |
Lists nontrunking details for a particular interface |
Figure 2-4 lists several details regarding Switch1's trunking configuration and status, as shown in Example 2-5. R1 is not configured to trunk, so Switch1 will fail to negotiate trunking. Switch2 is a Catalyst 3550, which supports both ISL and 802.1Q, so they will negotiate trunking and use ISL. Switch3 and Switch4 are Catalyst 2950s, which support only 802.1Q; as a result, Switch1 negotiates trunking, but picks 802.1Q as the trunking protocol.
Figure 2-4 Trunking Configuration Reference for Example 2-5
Example 2-5. Trunking Configuration and show Command Example–Switch1
! The administrative mode of dynamic desirable (trunking) and negotiate (trunking
! encapsulation) means that Switch1 attempted to negotiate to trunk, but the
! operational mode of static access means that trunking negotiation failed.
! The reference to "operational trunking encapsulation" of native means that
! no tagging occurs.
Switch1# show int fa 0/1 switchport
Name: Fa0/1 Switchport:Enabled
Administrative Mode:dynamic desirable
Operational Mode:static access
Administrative Trunking Encapsulation:negotiate
Operational Trunking Encapsulation:native
Negotiation of Trunking: On Access Mode VLAN: 1 (default) Trunking Native Mode VLAN: 1 (default) Administrative private-vlan host-association: none Administrative private-vlan mapping: none Operational private-vlan: none Trunking VLANs Enabled: ALL Pruning VLANs Enabled: 2-1001 Protected: false Unknown unicast blocked: disabled Unknown multicast blocked: disabled Voice VLAN: none (Inactive) Appliance trust: none! Next, the show int gig 0/1 trunk command shows the configured mode
! (desirable), and the current status (N-ISL), meaning negotiated ISL. Note
! that the trunk supports the extended VLAN range as well.
Switch1# show int gig 0/1 trunk
Port Mode Encapsulation Status Native vlan
Gi0/1 desirable n-isl trunking 1
Port Vlans allowed on trunk Gi0/11-4094
Port Vlans allowed and active in management domain Gi0/1 1,21-22 Port Vlans in spanning tree forwarding state and not pruned Gi0/1 1,21-22! Next, Switch1 lists all three trunks - the segments connecting to the other
! three switches - along with the type of encapsulation.
Switch1# show int trunk
Port Mode Encapsulation Status Native vlanFa0/12
desirable n-802.1q trunking 1Fa0/24
desirable n-802.1q trunking 1Gi0/1
desirable n-isl trunking 1 Port Vlansallowed
on trunk Fa0/12 1-4094 Fa0/24 1-4094 Gi0/1 1-4094 Port Vlansallowed and active
in management domain Fa0/12 1,21-22 Fa0/24 1,21-22 Gi0/1 1,21-22 Port Vlans inspanning tree forwarding state and not pruned
Fa0/12 1,21-22 Fa0/24 1,21-22 Gi0/1 1,21-22
Allowed, Active, and Pruned VLANs
Although a trunk can support VLANs 1–4094, several mechanisms reduce the actual number of VLANs whose traffic flows over the trunk. First, VLANs can be administratively forbidden from existing over the trunk using the switchport trunk allowed interface subcommand. Also, any allowed VLANs must be configured on the switch before they are considered active on the trunk. Finally, VTP can prune VLANs from the trunk, with the switch simply ceasing to forward frames from that VLAN over the trunk.
The show interface trunk command lists the VLANs that fall into each category, as shown in the last command in Example 2-5. The categories are summarized as follows:
- Allowed VLANs—Each trunk allows all VLANs by default. However, VLANs can be removed or added to the list of allowed VLANs by using the switchport trunk allowed command.
- Allowed and active—To be active, a VLAN must be in the allowed list for the trunk (based on trunk configuration), and the VLAN must exist in the VLAN configuration on the switch. With PVST+, an STP instance is actively running on this trunk for the VLANs in this list.
- Active and not pruned—This list is a subset of the "allowed and active" list, with any VTP-pruned VLANs removed.
Trunk Configuration Compatibility
In most production networks, switch trunks are configured using the same standard throughout the network. For instance, rather than allow DTP to negotiate trunking, many engineers configure trunk interfaces to always trunk (switchport mode trunk) and disable DTP on ports that should not trunk. IOS includes several commands that impact whether a particular segment becomes a trunk. Because many enterprises use a typical standard, it is easy to forget the nuances of how the related commands work. This section covers those small details.
Two IOS configuration commands impact if and when two switches form a trunk. The switchport mode and switchport nonegotiate interface subcommands define whether DTP even attempts to negotiate a trunk, and what rules it uses when the attempt is made. Additionally, the settings on the switch ports on either side of the segment dictate whether a trunk forms or not.
Table 2-9 summarizes the trunk configuration options. The first column suggests the configuration on one switch, with the last column listing the configuration options on the other switch that would result in a working trunk between the two switches.
Table 2-9. Trunking Configuration Options That Lead to a Working Trunk
Configuration Command on One Side1 |
Short Name |
Meaning |
To Trunk, Other Side Must Be |
switchport mode trunk |
Trunk |
Always trunks on this end; sends DTP to help other side choose to trunk |
On, desirable, auto |
switchport mode trunk; switchport nonegotiate |
Nonegotiate |
Always trunks on this end; does not send DTP messages (good when other switch is a non-Cisco switch) |
On |
switchport mode dynamic desirable |
Desirable |
Sends DTP messages, and trunks if negotiation succeeds |
On, desirable, auto |
switchport mode dynamic auto |
Auto |
Replies to DTP messages, and trunks if negotiation succeeds |
On, desirable |
switchport mode access |
Access |
Never trunks; sends DTP to help other side reach same conclusion |
(Never trunks) |
switchport mode access; switchport nonegotiate |
Access (with nonegotiate) |
Never trunks; does not send DTP messages |
(Never trunks) |
Configuring Trunking on Routers
VLAN trunking can be used on routers and hosts as well as on switches. However, routers do not support DTP, so you must manually configure them to support trunking. Additionally, you must manually configure a switch on the other end of the segment to trunk, because the router does not participate in DTP.
The majority of router trunking configurations use subinterfaces, with each subinterface being associated with one VLAN. The subinterface number does not have to match the VLAN ID; rather, the encapsulation command sits under each subinterface, with the associated VLAN ID being part of the encapsulation command. Also, because good design calls for one IP subnet per VLAN, if the router wants to forward IP packets between the VLANs, the router needs to have an IP address associated with each trunking subinterface.
You can configure 802.1Q native VLANs under a subinterface or under the physical interface on a router. If configured under a subinterface, you use the encapsulation dot1q vlan-id
native subcommand, with the inclusion of the native keyword meaning that frames exiting this subinterface should not be tagged. As with other router trunking configurations, the associated IP address would be configured on that same subinterface. Alternately, if not configured on a subinterface, the router assumes that the native VLAN is associated with the physical interface. In this case, the encapsulation command is not needed under the physical interface; the associated IP address, however, would need to be configured under the physical interface.
Example 2-6 shows an example configuration for Router1 in Figure 2-1, both for ISL and 802.1Q. In this case, Router1 needs to forward packets between the subnets on VLANs 21 and 22. The first part of the example shows ISL configuration, with no native VLANs, and therefore only a subinterface being used for each VLAN. The second part of the example shows an alternative 802.1Q configuration, using the option of placing the native VLAN (VLAN 21) configuration on the physical interface.
Example 2-6. Trunking Configuration on Router1
! Note the subinterface on the fa 0/0 interface, with the encapsulation
! command noting the type of trunking, as well as the VLAN number. The
! subinterface does not have to be the VLAN ID. Also note the IP addresses for
! each interface, allowing Router1 to route between VLANs.
interface fastethernet 0/0.1 ip address 10.1.21.1 255.255.255.0 encapsulation isl 21 ! interface fastethernet 0/0.2 ip address 10.1.22.1 255.255.255.0 encapsulation isl 22! Next, an alternative 802.1Q configuration is shown. Note that this 802.1Q configuration
! places the IP address
! for VLAN 21 on the physical interface; the router simply associates the
! physical interface with the native VLAN. Alternatively, a subinterface could be
! used, with the encapsulation dot1q 21 native command specifying that the router
! should treat this VLAN as the native VLAN.
interface fastethernet 0/0
ip address 10.1.21.1 255.255.255.0
! interface fastethernet 0/0.2 ip address 10.1.22.1 255.255.255.0encapsulation dot1q 22
Note also that the router does not have an explicitly defined allowed VLAN list. However, the allowed VLAN list is implied based on the configured VLANs. For instance, in this example, Router1 allows VLAN 1 (because it cannot be deleted), VLAN 21, and VLAN 22. A show interface trunk command on Switch1 would show only 1, 21, and 22 as the allowed VLANs on FA0/1.
802.1Q-in-Q Tunneling
Traditionally, VLANs have not extended beyond the WAN boundary. VLANs in one campus extend to a WAN edge router, but VLAN protocols are not used on the WAN.
Today, several emerging alternatives exist for the passage of VLAN traffic across a WAN, including 802.1Q-in-Q, Ethernet over MPLS (EoMPLS), and VLAN MPLS (VMPLS). While these topics are more applicable to the CCIE Service Provider certification, you should at least know the concept of 802.1 Q-in-Q tunneling.
Also known as Q-in-Q or Layer 2 protocol tunneling, 802.1Q-in-Q allows an SP to preserve 802.1Q VLAN tags across a WAN service. By doing so, VLANs actually span multiple geographically dispersed sites. Figure 2-5 shows the basic idea.
Figure 2-5 Q-in-Q: Basic Operation
The ingress SP switch takes the 802.1Q frame, and then tags each frame entering the interface with an additional 802.1Q header. In this case, all of Customer1's frames are tagged as VLAN 5 as they pass over the WAN; Customer2's frames are tagged with VLAN 6. After removing the tag at egress, the customer switch sees the original 802.1Q frame, and can interpret the VLAN ID correctly. The receiving SP switch (SP-SW2 in this case) can keep the various customers' traffic separate based on the additional VLAN tags.
Using Q-in-Q, an SP can offer VLAN services, even when the customers use overlapping VLAN IDs. Customers get more flexibility for network design options, particularly with metro Ethernet services. Plus, CDP and VTP traffic passes transparently over the Q-in-Q service.
Configuring PPPoE
Although it might seem out of place in this chapter on VLANs and VLAN trunking, Point-to-Point Protocol over Ethernet (PPPoE) fits best here because it's an Ethernet encapsulation protocol. PPPoE is widely used for digital subscriber line (DSL) Internet access because the public telephone network uses ATM for its transport protocol; therefore, Ethernet frames must be encapsulated in a protocol supported over both Ethernet and ATM. PPP is the natural choice. The PPP Client feature permits a Cisco IOS router, rather than an endpoint host, to serve as the client in a network. This permits multiple hosts to connect over a single PPPoE connection.
In a DSL environment, PPP interface IP addresses are derived from an upstream DHCP server using IP Configuration Protocol (IPCP). Therefore, IP address negotiation must be enabled on the router's dialer interface. This is done using the ip address negotiated command in the dialer interface configuration.
Because of the 8-byte PPP header, the MTU for PPPoE is usually set to 1492 bytes so that the entire encapsulated frame fits within the 1500-byte Ethernet frame. A maximum transmission unit (MTU) mismatch prevents a PPPoE connection from coming up. Checking the MTU setting is a good first step when troubleshooting PPPoE connections.
Those familiar with ISDN BRI configuration will recognize the dialer interface configuration and related commands in Example 2-7. The key difference between ISDN BRI configuration and PPPoE is the pppoe-client dial-pool-number command.
Configuring an Ethernet edge router for PPPoE Client mode is the focus of this section. This task requires configuring the Ethernet interface (physical or subinterface) and a corresponding dialer interface. The information in this section applies to Cisco IOS Release 12.2(13)T and later, and 12.3 and 12.4 releases.
Figure 2-6 shows the topology. Example 2-7 shows the configuration steps. The first step is to configure the outside Ethernet interface as a PPPoE client and assign it a dialer interface number. The second step is to configure the corresponding dialer interface. Additional steps, including Network Address Translation (NAT) configuration, are also shown.
Figure 2-6 PPPoE Topology for Example 2-7
Example 2-7. Configuring PPPoE on EdgeRouter
EdgeRouter# conf t EdgeRouter(config)# interface fa0/1 EdgeRouter(config-if)# ip address 192.168.100.1 255.255.255.0 EdgeRouter(config-if)# ip nat inside EdgeRouter(config)# interface fa0/1 EdgeRouter(config-if)# pppoe-client dial-pool-number 1 EdgeRouter(config-if)# exit EdgeRouter(config)# interface dialer1 EdgeRouter(config-if)# mtu 1492 EdgeRouter(config-if)# encapsulation ppp EdgeRouter(config-if)# ip address negotiated EdgeRouter(config-if)# ppp authentication chap !The remaining CHAP commands have been omitted for brevity. EdgeRouter(config-if)# ip nat outside EdgeRouter(config-if)# dialer pool 1 EdgeRouter(config-if)# dialer-group 1 EdgeRouter(config-if)# exit EdgeRouter(config)# dialer-list 1 protocol ip permit EdgeRouter(config)# ip nat inside source list 1 interface dialier1 overload EdgeRouter(config)# access-list 1 permit 192.168.100.0 0.0.0.255 EdgeRouter(config)# ip route 0.0.0.0 0.0.0.0 dialer1
You can verify PPPoE connectivity using the command show pppoe session. Cisco IOS includes debug functionality for PPPoE through the debug pppoe [data | errors | events | packets] command.