Chapter 8: Implementing Ethernet Virtual LANs
Most common reasons for choosing to create smaller broadcast domains (VLANs):
1. To reduce CPU overhead on each device, improving host performance, by reducing the number of devices that receive each broadcast frame
2. To reduce security risks by reducing the number of hosts that receive copies of frames that the switches flood (broadcasts, multicasts, and unknown unicasts)
3. To improve security for hosts through the application of different security policies per VLAN
4. To create more flexible designs that group users by department, or by groups that work together, instead of by physical location
5. To solve problems more quickly, because the failure domain for many problems is the same set of devices as those in the same broadcast domain
6. To reduce the workload for the Spanning Tree Protocol (STP) by limiting a VLAN to a single access switch
VTP
A Cisco-proprietary messaging protocol used between Cisco switches to communicate configuration information about the existence of VLANs, including the VLAN ID and VLAN name.
Access interface
A LAN network design term that refers to a switch interface connected to end-user devices, configured so that it does not use VLAN trunking.
Static access interface
A LAN network design term, synonymous with the term access interface, but emphasizing that the port is assigned to one VLAN as a result of static configuration rather than through some dynamic process.
Layer 3 switch
A LAN switch that can also perform Layer 3 routing functions. The name comes from the fact that this device makes forwarding decisions based on logic from multiple OSI layers (Layers 2 and 3).
Voice VLAN
A VLAN defined for use by IP Phones, with the Cisco switch notifying the phone about the voice VLAN ID so that the phone can use 802.1Q frames to support traffic for the phone and the attached PC (which uses a data VLAN).
Data VLAN
A VLAN used by typical data devices connected to an Ethernet, like PCs and servers. Used in comparison to a voice VLAN.
7. In a switch that disables VTP, an engineer configures the commands vlan 30 and shutdown vlan 30. Which answers should be true about this switch? (Choose two answers.)
a. The show vlan brief command should list VLAN 30.
b. The show running-config command should list VLAN 30.
c. The switch should forward frames that arrive in access ports in VLAN 30.
d. The switch should forward frames that arrive in trunk ports tagged with VLAN 30.
A and B. On switches that do not use VTP (by using VTP modes off or transparent), the switch lists all VLAN configuration in the configuration file (making one answer correct). Also, the show vlan brief command lists all defined VLANs, regardless of VTP mode and regardless of shutdown state. As a result, the two answers that mention commands are correct. The two incorrect answers are incorrect because VLAN 30 has been shut down, which means the switch will not forward frames in that VLAN, regardless of whether they arrive on access or trunk ports.
5. A switch has just arrived from Cisco. The switch has never been configured with any VLANs, but VTP has been disabled. An engineer configures the vlan 22 and name Hannahs-VLAN commands and then exits configuration mode. Which of the following are true? (Choose two answers.)
a. VLAN 22 is listed in the output of the show vlan brief command.
b. VLAN 22 is listed in the output of the show running-config command.
c. VLAN 22 is not created by this process.
d. VLAN 22 does not exist in that switch until at least one interface is assigned to that VLAN.
A and B. The configured VTP setting of VTP transparent mode means that the switch can configure VLANs, so the VLAN is configured. In addition, the VLAN configuration details, including the VLAN name, show up as part of the running-config file.
4. Imagine that you are told that switch 1 is configured with the dynamic auto parameter for trunking on its Fa0/5 interface, which is connected to switch 2. You have to configure switch 2. Which of the following settings for trunking could allow trunking to work? (Choose two answers.)
a. on
b. dynamic auto
c. dynamic desirable
d. access
e. None of the other answers are correct.
A and C. The dynamic auto setting means that the switch can negotiate trunking, but it can only respond to negotiation messages, and it cannot initiate the negotiation process. So, the other switch must be configured to trunk or to initiate the negotiation process (based on being configured with the dynamic desirable option).
VLAN
A group of devices, connected to one or more switches, with the devices grouped into a single broadcast domain through switch configuration. VLANs allow switch administrators to separate the devices connected to the switches into separate VLANs without requiring separate physical switches, gaining design advantages of separating the traffic without the expense of buying additional hardware.
Default VLAN
A reference to the default setting of 1 (meaning VLAN ID 1) on the switchport access vlan vlan-id interface subcommand on Cisco switches, meaning that by default, a port will be assigned to VLAN 1 if acting as an access port.
Trunk interface
A switch interface configured so that it operates using VLAN trunking (either 802.1Q or ISL).
6. Which of the following commands identify switch interfaces as being trunking interfaces: interfaces that currently operate as VLAN trunks? (Choose two answers.)
a. show interfaces
b. show interfaces switchport
c. show interfaces trunk
d. show trunks
B and C. The show interfaces switchport command lists both the administrative and operational status of each port. When a switch considers a port to be trunking, this command lists an operational trunking state of "trunk." The show interfaces trunk command lists a set of interfaces—the interfaces that are currently operating as trunks. So, both of these commands identify interfaces that are operational trunks.
3. Switch SW1 sends a frame to switch SW2 using 802.1Q trunking. Which of the answers describes how SW1 changes or adds to the Ethernet frame before forwarding the frame to SW2?
a. Inserts a 4-byte header and does change the MAC addresses
b. Inserts a 4-byte header and does not change the MAC addresses
c. Encapsulates the original frame behind an entirely new Ethernet header
d. None of the other answers are correct
B. 802.1Q defines a 4-byte header, inserted after the original frame's destination and source MAC address fields. The insertion of this header does not change the original frame's source or destination address. The header itself holds a 12-bit VLAN ID field, which identifies the VLAN associated with the frame.
1. In a LAN, which of the following terms best equates to the term VLAN?
a. Collision domain
b. Broadcast domain
c. Subnet
d. Single switch
e. Trunk
B. A VLAN is a set of devices in the same Layer 2 broadcast domain. A subnet often includes the exact same set of devices, but it is a Layer 3 concept. A collision domain refers to a set of Ethernet devices, but with different rules than VLAN rules for determining which devices are in the same collision domain.
8. The show interfaces g0/1 trunk command provides three lists of VLAN IDs. Which items would limit the VLANs that appear in the first of the three lists of VLANs?
a. A shutdown vlan 30 global command
b. A switchport trunk allowed vlan interface subcommand
c. An STP choice to block on G0/1
d. A no vlan 30 global command
B. The first list of VLAN IDs includes all VLANs (1-4094) except those overtly removed per the details in any switchport trunk allowed vlan interface subcommands on the trunk interface. If no such commands are configured, the first list in the output will include 1-4094. The two incorrect answers that mention VLAN 30 both list conditions that change the second of the three lists of VLANs in the command output, while STP's choice to block an interface would impact the third list.
A LAN includes all devices on the same ___.
Broadcast domain
2. Imagine a switch with three configured VLANs. How many IP subnets are required, assuming that all hosts in all VLANs want to use TCP/IP?
a. 0
b. 1
c. 2
d. 3
e. You cannot tell from the information provided.
D. Although a subnet and a VLAN are not equivalent concepts, the devices in one VLAN are typically in the same IP subnet and vice versa.
show vlan [vlan]
Displays VLAN information
vlan vlan-id
Global config command that both creates the VLAN and puts the CLI into VLAN configuration mode
vtp mode {server | client | transparent | off}
Global config command that defines the VTP mode
[no] shutdown vlan vlan-id
Global config command that has the same effect as the [no] shutdown VLAN mode subcommands
Trunk
In campus LANs, an Ethernet segment over which the devices add a VLAN header that identifies the VLAN in which the frame exists.
switchport mode {access | dynamic {auto | desirable} | trunk}
Interface subcommand that configures the trunking administrative mode on the interface
switchport trunk allowed vlan {add | all | except | remove} vlan-list
Interface subcommand that defines the list of allowed VLANs
switchport trunk native vlan vlan-id
Interface subcommand that defines the native VLAN for a trunk port
switchport voice vlan vlan-id
Interface subcommand that defines the voice VLAN on a port, meaning that the switch uses 802.1Q tagging for frames in this VLAN
switchport trunk encapsulation {dot1q | isl | negotiate}
Interface subcommand that defines which type of trunking to use, assuming that trunking is configured or negotiated
switchport nonegotiate
Interface subcommand that disables the negotiation of VLAN trunking
switchport access vlan vlan-id
Interface subcommand that statically configures the interface into that one VLAN
show vtp status
Lists VTP configuration and status information
show interfaces interface-id trunk
Lists information about all operational trunks (but no other interfaces), including the list of VLANs that can be forwarded over the trunk
show interfaces interface-id switchport
Lists information about any interface regarding administrative settings and operational state
show vlan [brief | id vlan-id | name vlan-name | summary]
Lists information about the VLAN
VTP transparent mode
One of three VTP operational modes. Switches in transparent mode can configure VLANs, but they do not tell other switches about the changes, and they do not learn about VLAN changes from other switches.
Troubleshooting steps for VLANs and trunks
Step 1. Confirm that all VLANs are both defined and active.
Step 2. Check the allowed VLAN lists on both ends of each trunk to ensure that all VLANs intended to be used are included.
Step 3. Check for incorrect trunk configuration settings that result in one switch operating as a trunk, with the neighboring switch not operating as a trunk.
Step 4. Check the native VLAN settings on both ends of the trunk to ensure the settings match.
Steps to configure a VLAN
Step 1. To configure a new VLAN, follow these steps:
a. From configuration mode, use the vlan vlan-id command in global configuration mode to create the VLAN and to move the user into VLAN configuration mode.
b. (Optional) Use the name name command in VLAN configuration mode to list a name for the VLAN. If not configured, the VLAN name is VLANZZZZ, where ZZZZ is the four-digit decimal VLAN ID.
Step 2. For each access interface, follow these steps:
a. Use the interface type number command in global configuration mode to move into interface configuration mode for each desired interface.
b. Use the switchport access vlan id-number command in interface configuration mode to specify the VLAN number associated with that interface.
c. (Optional) Use the switchport mode access command in interface configuration mode to make this port always operate in access mode (that is, to not trunk).
Steps to configure a voice VLAN
Step 1. Use the vlan vlan-id command in global configuration mode to create the data and voice VLANs if they do not already exist on the switch.
Step 2. Configure the data VLAN like an access VLAN, as usual:
a. Use the interface type number command in global configuration mode to move into interface configuration mode.
b. Use the switchport access vlan id-number command in interface configuration mode to define the data VLAN.
c. Use the switchport mode access command in interface configuration mode to make this port always operate in access mode (that is, to not trunk).
Step 3. Use the switchport voice vlan id-number command in interface configuration mode to set the voice VLAN ID.
802.1Q
The IEEE standardized protocol for VLAN trunking, which also includes RSTP details.
Trunking administrative mode
The configured trunking setting on a Cisco switch interface, as configured with the switchport mode command.
Trunking operational mode
The current behavior of a Cisco switch interface for VLAN trunking.
Native VLAN
The one VLAN ID on any 802.1Q VLAN trunk for which the trunk forwards frames without an 802.1Q header.
[no] shutdown
VLAN mode subcommand that enables (no shutdown) or disables (shutdown) the VLAN
name vlan-name
VLAN subcommand that names the VLAN
Switch SW1 sends a frame to switch SW2 using 802.1Q trunking. Which of the answers describes how SW1 changes or adds to the Ethernet frame before forwarding the frame to SW2?
a. Inserts a 4-byte header and does not change the MAC addresses
b. None of the other answers are correct
c. Inserts a 4-byte header and does change the MAC addresses
d. Encapsulates the original frame behind an entirely new Ethernet header
a. 802.1Q defines a 4-byte header, inserted after the original frame's destination and source MAC address fields. The insertion of this header does not change the original frame's source or destination address. The header itself holds a 12-bit VLAN ID field, which identifies the VLAN associated with the frame.
Interface fa0/1 begins with all default interface configuration. Which answers list a single interface subcommand that would cause the switch to no longer attempt to dynamically form a trunk with a neighboring switch?
a. The switchport mode access subcommand.
b. The switchport nonegotiate subcommand.
c. The switchport mode trunk subcommand.
d. The vlan 10 access subcommand.
Select 2 answers
a., b. A switch port stops attempting to use Dynamic Trunking Protocol (DTP) to negotiate trunking in two cases (matching the two correct answers). The configuration can disable DTP using the switchport nonegotiate subcommand. Additionally, setting the administrative trunking mode to access, using the switchport mode access subcommand, also disables DTP. One incorrect answer lists the command switchport mode trunk. This command statically enables trunking, but it leaves DTP enabled to allow negotiation with the neighboring switch. One incorrect answer lists an invalid command: vlan 10 access.
Two switches are connected using a crossover cable. Using the combinations of configurations for the switchport mode mode interface subcommand (one on each end of the crossover cable on each switch), which of the following are accurate?
a. dynamic desirable and dynamic auto will end up in a trunk being formed.
b. dynamic auto and dynamic auto will end up in a dynamic trunk being negotiated.
c. access and trunk would end up in a negotiated trunk.
d. trunk and dynamic auto will end up in a trunk being formed.
Select 2 answers
a., b. Because the desirable side will request the trunk, and the auto side will agree, dynamic desirable and dynamic auto will end up in a trunk being formed. Trunk and dynamic auto will end up in a trunk being formed. When configured as a trunk, DTP is still enabled and will request a trunk to the other side, which is configured as auto and will agree to the trunk. If one side is configured as a trunk and the other is configured as an access port, a trunk will not be negotiated on both sides, and there will be limited connectivity. If both sides are dynamic auto, a trunk will not be negotiated. If both switches are configured as access ports for a specific VLAN, that VLAN will be supported on that link.
Which of the following are characteristics of 802.1Q?
a. Supported by IP Phones
b. Supported by 2960 switches
c. Cisco proprietary
d. Does not encapsulate a normal Ethernet frame before forwarding, but instead inserts a header after the destination and source MAC addresses
e. Uses the concept of a native VLAN
f. Encapsulates a normal Ethernet frame before forwarding it over a trunk
Select 4 answers
a., b., d., e. This question examines the characteristics of 802.1Q, and also uses facts about the older proprietary ISL in the distractor answers. 802.1Q does:
- Add a header before sending a frame over a trunk. When adding a header, it adds the header between the original frame's source address and type fields (whereas ISL encapsulates the original frame).
- Use a concept of a native VLAN, in which frames are not tagged, that is, no additional 802.1Q header is inserted (whereas ISL has no equivalent idea).
- Is defined by the IEEE 802.1 committee (while ISL is Cisco proprietary).
- Is supported by Cisco IP phones and Cisco 2960 switches (and many other switches today), while most Cisco switches no longer support ISL.
Imagine that you are told that switch 1 is configured with the dynamic auto parameter for trunking on its Fa0/5 interface, which is connected to switch 2. You have to configure switch 2. Which of the following settings for trunking could allow trunking to work? (Choose two answers.)
a. trunk
b. None of the other answers are correct.
c. dynamic desirable
d. access
e. dynamic auto
Select 2 answers
a., c. The dynamic auto setting means that the switch can negotiate trunking, but it can only respond to negotiation messages, and it cannot initiate the negotiation process. So, the other switch must be configured to trunk or to initiate the negotiation process (based on being configured with the dynamic desirable option).
In a switch that disables VTP, an engineer configures the commands vlan 30 and shutdown vlan 30. Which answers should be true about this switch? (Choose two answers.)
a. The show running-config command should list VLAN 30.
b. The switch should forward frames that arrive in trunk ports tagged with VLAN 30.
c. The show vlan brief command should list VLAN 30.
d. The switch should forward frames that arrive in access ports in VLAN 30.
Select 2 answers
a., c. On switches that do not use VTP (by using VTP modes off or transparent), the switch lists all VLAN configuration in the configuration file (making one answer correct). Also, the show vlan brief command lists all defined VLANs, regardless of VTP mode and regardless of shutdown state. As a result, the two answers that mention commands are correct. The two incorrect answers are incorrect because VLAN 30 has been shut down, which means the switch will not forward frames in that VLAN, regardless of whether they arrive on access or trunk ports.
In a LAN, which of the following terms best equates to the term VLAN?
a. Subnet
b. Single switch
c. Broadcast domain
d. Collision domain
e. Trunk
b. A VLAN is a set of devices in the same Layer 2 broadcast domain. A subnet often includes the exact same set of devices, but it is a Layer 3 concept. A collision domain refers to a set of Ethernet devices, but with different rules than VLAN rules for determining which devices are in the same collision domain.
One of the key differences between ISL and 802.1Q is the concept of a native VLAN. Which of the following is true about the native VLAN and its use in ISL and 802.1Q?
a. 802.1Q tags frames for the native VLAN as if they were in reserved VLAN 999
b. 802.1Q does not tag (add) a trunking header to frames if they are a part of the native VLAN
c. ISL does not encapsulate frames if they are a part of the native VLAN
d. ISL encapsulates frames for the native VLAN as if they were in reserved VLAN 999
b. ISL does not use a concept of a native VLAN at all. With 802.1Q, frames in the native VLAN (VLAN 1 by default) are not tagged with an 802.1Q header at all. So, when a switch receives a frame in a port that is trunking, and that frame has no 802.1Q header, the receiving switch assumes the frame is part of that trunk's native VLAN.
A switch has just arrived from Cisco. The switch has never been configured with any VLANs, but VTP has been disabled. An engineer configures the vlan 22 and name Hannahs-VLAN commands and then exits configuration mode. Which of the following are true? (Choose two answers.)
a. VLAN 22 does not exist in that switch until at least one interface is assigned to that VLAN.
b. VLAN 22 is listed in the output of the show running-config command.
c. VLAN 22 is not created by this process.
d. VLAN 22 is listed in the output of the show vlan brief command.
Select 2 answers
b., d. The configured VTP setting of VTP transparent mode means that the switch can configure VLANs, so the VLAN is configured. In addition, the VLAN configuration details, including the VLAN name, show up as part of the running-config file.
Imagine a switch with three configured VLANs. How many IP subnets are required, assuming that all hosts in all VLANs want to use TCP/IP?
a. You cannot tell from the information provided.
b. 0
c. 3
d. 2
e. 1
c. Although a subnet and a VLAN are not equivalent concepts, the devices in one VLAN are typically in the same IP subnet and vice versa.
The show interfaces g0/1 trunk command provides three lists of VLAN IDs. Which items would limit the VLANs that appear in the first of the three lists of VLANs?
a. A shutdown vlan 30 global command
b. A no vlan 30 global command
c. An STP choice to block on G0/1
d. A switchport trunk allowed vlan interface subcommand
c. The first list of VLAN IDs includes all VLANs (1-4094) except those overtly removed per the details in any switchport trunk allowed vlan interface subcommands on the trunk interface. If no such commands are configured, the first list in the output will include 1-4094. The two incorrect answers that mention VLAN 30 both list conditions that change the second of the three lists of VLANs in the command output, while STP's choice to block an interface would impact the third list.
Which command administratively disables trunking on a 2960XR switch interface, such that the switch cannot use a trunking protocol on the interface? Assume that all commands shown in the answers are used in interface configuration mode.
a. The no switchport trunk command
b. The switchport trunk disable command
c. The switchport mode access command
d. The no switchport mode trunk command
e. The switchport access vlan x command
f. The switchport mode off command
c. The switchport mode access command tells the switch not to attempt to dynamically form a trunk and not to use trunking on the interface. One incorrect answer mentions the no switchport mode trunk command, which tells the switch to revert to the default setting for trunk negotiation. The default on most Cisco Catalyst access switches, including those in the various 2960 series, is switchport mode dynamic auto, which tells the switch to react to any received negotiation messages. So the switch port would negotiate trunking if the neighboring switch requested it. Another incorrect answer lists the switchport access vlan x command. This command defines the VLAN to statically assign to the port if it acts as an access port, but the command does not prevent the switch from attempting to negotiate trunking on the port. The remaining incorrect answers show commands that do not exist in Cisco switches.
Which of the following commands identify switch interfaces as being trunking interfaces: interfaces that currently operate as VLAN trunks? (Choose two answers.)
a. show trunks
b. show interfaces
c. show interfaces trunk
d. show interfaces switchport
Select 2 answers
c., d. The show interfaces switchport command lists both the administrative and operational status of each port. When a switch considers a port to be trunking, this command lists an operational trunking state of "trunk." The show interfaces trunk command lists a set of interfaces: the interfaces that are currently operating as trunks. So, both of these commands identify interfaces that are operational trunks.
Which types of Layer 2 frames will be forwarded to all other ports in the same VLAN as the port where the frame was received?
a. IPv4 frames
b. IPv6 frames
c. Broadcast frames
d. Unicast frames whose destination MAC address is not currently in the MAC address table
e. Unicast frames whose destination MAC address is currently in the MAC address table
Select 2 answers
c., d. When a switch receives a frame destined for a unicast Layer 2 address, and the switch doesn't have that unicast address in its MAC address table (it doesn't know which port the address is connected to), the switch will err on the side of caution and forward the frame to all other ports in the same VLAN, based on the VLAN that the incoming frame belonged to. Broadcast frames will get the same treatment as the unknown unicast frame and be sent to all other ports in the same VLAN. Unicast frames whose destination is in the switch's MAC address table will be forwarded only to the port within the same VLAN where that destination address is connected to the switch. IPv4 and IPv6 refer to Layer 3 IP addresses and are not involved with the switch's Layer 2 forwarding logic.
Which Cisco IOS command can be used to display which VLANs are supported over a specific configured switch trunk?
a. show interfaces switchport trunk
b. show trunk
c. show switchport trunk
d. show interfaces trunk
d. Both the show interfaces trunk and the show interfaces interface switchport commands can be used to display the VLANs that are allowed over a trunk.
Two Cisco 2960 switches begin with default configuration and are then connected with a cable. Which answers describe the method with the least number of steps that results in the two switches using 802.1Q trunking?
a. Connect any Fast Ethernet port on one switch to any Fast Ethernet port on the other switch by using a crossover cable.
b. Connect any Fast Ethernet port on one switch to the same number Fast Ethernet port on the other switch (for example, fa0/1 and fa0/1) by using a crossover cable.
c. Cisco 2960 switches do not support 802.1Q trunking, so none of these steps is required.
d. Connect the switches using a crossover cable on two Fast Ethernet ports, and then configure trunking on both switches by using the switchport mode trunk interface subcommand.
e. Connect the switches using a crossover cable on two Fast Ethernet ports, and then configure trunking on just one of the two switches using the switchport mode trunk interface subcommand.
e. By default, two Cisco 2960 switches that have a crossover cable connected will not automatically form an 802.1Q trunk because of the default trunking setting of dynamic auto. To create a trunk, one of the two switches can be configured to trunk (switchport mode trunk) or to initiate the negotiation of trunking (switchport mode dynamic desirable).
What is true about the command switchport nonegotiate?
a. This is on by default.
b. It is used on a router to prevent VLAN hopping.
c. Using this command prevents a switchport from being a trunk port.
d. This will cause DTP packets to be sent, preventing a trunk from being negotiated.
e. If connected to a switch that uses dynamic desirable, the neighboring switch will not trunk.
e. Cisco Catalyst switches use a default setting of no switchport nonegotiate, which enables DTP. The switchport nonegotiate interface subcommand disables DTP. Note that routers do not use this command. The question essentially asks what happens when DTP is disabled on a switch port. If connected to a switch that uses dynamic desirable or dynamic auto, the neighboring switch will not trunk, because those settings require the use of DTP. However, even with DTP disabled due to a switchport nonegotiate command, both switches on a link can trunk. For example, if both switches use the switchport mode trunk command, they will trunk, regardless of whether DTP is enabled or disabled.