CCNA2 LS CH3


DTP offers four switch port modes

Access, trunk, dynamic auto, and dynamic desirable.

VLAN leaking.

An access port might accept frames from VLANs different from the VLAN to which it is assigned.

Deleting VLANs

Before deleting a VLAN, be sure to first reassign all member ports to a different VLAN. Any ports that are not moved to an active VLAN are unable to communicate with other hosts after the VLAN is deleted and until they are assigned to an active VLAN.

Cost reduction

Cost savings result from reduced need for expensive network upgrades and more efficient use of existing bandwidth and uplinks.

Negotiated Interface Modes

Ethernet interfaces on Catalyst 2960 and Catalyst 3560 Series switches support different trunking modes with the help of DTP:

- switchport mode access
- switchport mode dynamic auto
- switchport mode dynamic desirable
- switchport mode trunk
- switchport nonegotiate

Configure trunk links statically whenever possible. The default DTP mode is dependent on the Cisco IOS Software version and on the platform. To determine the current DTP mode, issue the show dtp interface command.

Controlling Broadcast Domains with VLANs

Faculty devices are assigned to VLAN 10 and student devices are assigned to VLAN 20. When a broadcast frame is sent from the faculty computer, PC1, to switch S2, the switch forwards that broadcast frame only to those switch ports configured to support VLAN 10. When VLANs are implemented on a switch, the transmission of unicast, multicast, and broadcast traffic from a host in a particular VLAN is restricted to the devices that are in that VLAN.

Caveat Catalyst switch

For a Catalyst switch, the erase startup-config command must accompany the delete vlan.dat command prior to reload to restore the switch to its factory default condition.

Types of VLANs

There are a number of distinct types of VLANs used in modern networks. Some VLAN types are defined by traffic classes. Other types of VLANs are defined by the specific function that they serve:

- Default VLAN
- Data VLAN
- Native VLAN
- Management VLAN

There are several types of VLANs:

- Default VLAN
- Management VLAN
- Native VLAN
- User/Data VLANs
- Black Hole VLAN
- Voice VLAN

Extended Range VLANs

- Enable service providers to extend their infrastructure to a greater number of customers.
- Some global enterprises could be large enough to need extended range VLAN IDs.
- Are identified by a VLAN ID between 1006 and 4094.
- Configurations are not written to the vlan.dat file.
- Support fewer VLAN features than normal range VLANs.
- Are, by default, saved in the running configuration file.
- VTP does not learn extended range VLANs.

Benefits of VLANs

- Improved Security
- Reduced Cost
- Better Performance
- Smaller Broadcast Domains
- IT Efficiency
- Management Efficiency

Normal Range VLANs

- Used in small- and medium-sized business and enterprise networks.
- Identified by a VLAN ID between 1 and 1005. IDs 1002 through 1005 are reserved for Token Ring and FDDI VLANs.
- IDs 1 and 1002 to 1005 are automatically created and cannot be removed.
- Configurations are stored within a VLAN database file, called vlan.dat. The vlan.dat file is located in the flash memory of the switch.
- The VLAN Trunking Protocol (VTP), which helps manage VLAN configurations between switches, can only learn and store normal range VLANs.

A double-tagging VLAN hopping attack follows three steps:

1. The attacker sends a double-tagged 802.1Q frame to the switch. The outer header has the VLAN tag of the attacker, which is the same as the native VLAN of the trunk port. The assumption is that the switch processes the frame received from the attacker as if it were on a trunk port or a port with a voice VLAN (a switch should not receive a tagged Ethernet frame on an access port). For the purposes of this example, assume that the native VLAN is VLAN 10. The inner tag is the victim VLAN; in this case, VLAN 20.
2. The frame arrives on the switch, which looks at the first 4-byte 802.1Q tag. The switch sees that the frame is destined for VLAN 10, which is the native VLAN. The switch forwards the packet out on all VLAN 10 ports after stripping the VLAN 10 tag. On the trunk port, the VLAN 10 tag is stripped, and the packet is not retagged because it is part of the native VLAN. At this point, the VLAN 20 tag is still intact and has not been inspected by the first switch.
3. The second switch looks only at the inner 802.1Q tag that the attacker sent and sees that the frame is destined for VLAN 20, the target VLAN. The second switch sends the frame on to the victim port or floods it, depending on whether there is an existing MAC address table entry for the victim host.

Data VLAN

A data VLAN is a VLAN that is configured to carry user-generated traffic. A VLAN carrying voice or management traffic would not be a data VLAN. It is common practice to separate voice and management traffic from data traffic. A data VLAN is sometimes referred to as a user VLAN. Data VLANs are used to separate the network into groups of users or devices.

Trunking caveat

A link between switches S1 and S2 becomes a trunk because the F0/1 ports on switches S1 and S2 are configured to ignore all DTP advertisements, and to come up in and stay in trunk port mode. The F0/3 ports on switches S1 and S3 are set to dynamic auto, so the negotiation results in the access mode state. This creates an inactive trunk link. When configuring a port to be in trunk mode, use the switchport mode trunk command. There is no ambiguity about which state the trunk is in; it is always on. With this configuration, it is easy to remember which state the trunk ports are in; if the port is supposed to be a trunk, the mode is set to trunk. **A general best practice is to set the interface to trunk and nonegotiate when a trunk link is required. On links where trunking is not intended, DTP should be turned off.**

Management VLAN

A management VLAN is any VLAN configured to access the management capabilities of a switch. VLAN 1 is the management VLAN by default. To create the management VLAN, the switch virtual interface (SVI) of that VLAN is assigned an IP address and subnet mask, allowing the switch to be managed via HTTP, Telnet, SSH, or SNMP. Because the out-of-the-box configuration of a Cisco switch has VLAN 1 as the default VLAN, VLAN 1 would be a bad choice for the management VLAN.

Native VLAN

A native VLAN is assigned to an 802.1Q trunk port. Tagged traffic refers to traffic that has a 4-byte tag inserted within the original Ethernet frame header, specifying the VLAN to which the frame belongs. The 802.1Q trunk port places untagged traffic on the native VLAN, which by default is VLAN 1. It is a best practice to configure the native VLAN as an unused VLAN, distinct from VLAN 1 and other VLANs.

Voice VLANs

A separate VLAN is needed to support Voice over IP (VoIP). VoIP traffic requires:

- Assured bandwidth to ensure voice quality.
- Transmission priority over other types of network traffic.
- Ability to be routed around congested areas on the network.
- Delay of less than 150 ms across the network.

To meet these requirements, the entire network has to be designed to support VoIP. The details of how to configure a network to support VoIP are beyond the scope of this course, but it is useful to summarize how a voice VLAN works between a switch, a Cisco IP phone, and a computer.

VLAN Trunks

A trunk is a point-to-point link between two network devices that carries more than one VLAN. A VLAN trunk extends VLANs across an entire network. Cisco supports IEEE 802.1Q for coordinating trunks on Fast Ethernet, Gigabit Ethernet, and 10-Gigabit Ethernet interfaces. VLAN trunks allow all VLAN traffic to propagate between switches, so that devices which are in the same VLAN, but connected to different switches, can communicate without the intervention of a router. A VLAN trunk does not belong to a specific VLAN; rather, it is a conduit for multiple VLANs between switches and routers. A trunk could also be used between a network device and server or other device that is equipped with an appropriate 802.1Q-capable NIC. By default, on a Cisco Catalyst switch, all VLANs are supported on a trunk port. A VLAN trunk is an OSI Layer 2 link between two switches that carries traffic for all VLANs (unless the allowed VLAN list is restricted manually or dynamically). To enable trunk links, configure the ports on either end of the physical link with parallel sets of commands.

Switch spoofing

A type of VLAN hopping attack that works by taking advantage of an incorrectly configured trunk port. By default, trunk ports have access to all VLANs and pass traffic for multiple VLANs across the same physical link, generally between switches.

Verifying VLAN Information

After a VLAN is configured, VLAN configurations can be validated using Cisco IOS show commands. Figure 1 displays the show vlan and show interfaces command options. In the example in Figure 2, the show vlan name student command produces output that is not easily interpreted. The preferable option is to use the show vlan brief command. The show vlan summary command displays the count of all configured VLANs. The output in Figure 2 shows seven VLANs. The show interfaces vlan vlan-id command displays details that are beyond the scope of this course. The important information appears on the second line in Figure 3, indicating that VLAN 20 is up. Use the Syntax Checker in Figure 4 to display the VLAN and switch port information, and verify VLAN assignments and m

Assigning Ports to VLANs

After creating a VLAN, the next step is to assign ports to the VLAN. An access port can belong to only one VLAN at a time; one exception to this rule is that of a port connected to an IP phone, in which case, there are two VLANs associated with the port: one for voice and one for data. The switchport mode access command is optional, but strongly recommended as a security best practice. With this command, the interface changes to permanent access mode.

Default VLAN

All switch ports become a part of the default VLAN after the initial boot up of a switch loading the default configuration. Switch ports that participate in the default VLAN are part of the same broadcast domain. This allows any device connected to any switch port to communicate with other devices on other switch ports.

Introduction to DTP

An interface can be set to trunking or nontrunking, or to negotiate trunking with the neighbor interface. Trunk negotiation is managed by the Dynamic Trunking Protocol (DTP), which operates on a point-to-point basis only, between network devices. DTP is a Cisco proprietary protocol that is automatically enabled on Catalyst 2960 and Catalyst 3560 Series switches. Switches from other vendors do not support DTP. DTP manages trunk negotiation only if the port on the neighbor switch is configured in a trunk mode that supports DTP. Some internetworking devices might forward DTP frames improperly, which can cause misconfigurations. To avoid this, turn off DTP on interfaces on a Cisco switch connected to devices that do not support DTP.

Double-Tagging Attack

Another type of VLAN attack is a double-tagging (or double-encapsulated) VLAN hopping attack. This type of attack takes advantage of the way that hardware on most switches operates. Most switches perform only one level of 802.1Q de-encapsulation, which allows an attacker to embed a hidden 802.1Q tag inside the frame. This tag allows the frame to be forwarded to a VLAN that the original 802.1Q tag did not specify. An important characteristic of the double-encapsulated VLAN hopping attack is that it works even if trunk ports are disabled, because a host typically sends a frame on a segment that is not a trunk link. **The best approach to mitigating double-tagging attacks is to ensure that the native VLAN of the trunk ports is different from the VLAN of any user ports. In fact, it is considered a security best practice to use a fixed VLAN that is distinct from all user VLANs in the switched network as the native VLAN for all 802.1Q trunks.**

Trunk ports

Are the links between switches that support the transmission of traffic associated with more than one VLAN. An 802.1Q trunk port supports traffic coming from many VLANs (tagged traffic), as well as traffic that does not come from a VLAN (untagged traffic).

VLAN mismatch

CDP displays a notification of a native VLAN mismatch on a trunk link with this message: *Mar 1 06:45:26.232: %CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on FastEthernet0/1 (2), with S2 FastEthernet0/1 (99). Connectivity issues occur in the network if a native VLAN mismatch exists. Data traffic for VLANs, other than the two native VLANs configured, successfully propagates across the trunk link, but data associated with either of the native VLANs does not successfully propagate across the trunk link. As shown in Figure 2, native VLAN mismatch issues do not keep the trunk from forming. To solve the native VLAN mismatch, configure the native VLAN to be the same VLAN on both sides of the link.

#no switchport access vlan

This interface configuration command is entered to clear the VLAN assignment of the interface. A port can easily have its VLAN membership changed. It is not necessary to first remove a port from a VLAN to change its VLAN membership. When an access port has its VLAN membership reassigned to another existing VLAN, the new VLAN membership simply replaces the previous VLAN membership. In Figure 4, port F0/11 is assigned to VLAN 20.

virtual local area network (VLAN)

Created on a Layer 2 switch to reduce the size of broadcast domains, similar to a Layer 3 device. VLANs are commonly incorporated into network design making it easier for a network to support the goals of an organization. While VLANs are primarily used within switched local area networks, modern implementations of VLANs allow them to span MANs and WANs.

- VLANs provide segmentation and organizational flexibility.
- A group of devices within a VLAN communicate as if they were attached to the same wire.
- VLANs are based on logical connections, instead of physical connections.
- VLANs allow an administrator to segment networks based on factors such as function, project team, or application, without regard for the physical location of the user or device.
- VLANs improve network performance by separating large broadcast domains into smaller ones.
- If a device in one VLAN sends a broadcast Ethernet frame, all devices in the VLAN receive the frame, but devices in other VLANs do not.
- VLANs enable the implementation of access and security policies according to specific groupings of users.

Each switch port can be assigned to only one VLAN (with the exception of a port connected to an IP phone or to another switch).

VLAN Ranges on Catalyst Switches

Different Cisco Catalyst switches support various numbers of VLANs. The number of supported VLANs is large enough to accommodate the needs of most organizations. Normal range VLANs on these switches are numbered 1 to 1,005 and extended range VLANs are numbered 1,006 to 4,094.

Shrink broadcast domains

Dividing a network into VLANs reduces the number of devices in the broadcast domain.

Better performance

Dividing flat Layer 2 networks into multiple logical workgroups (broadcast domains) reduces unnecessary traffic on the network and boosts performance.

VLAN design

Each VLAN in a switched network corresponds to an IP network; therefore, VLAN design must take into consideration the implementation of a hierarchical network-addressing scheme.

IP Addressing Issues with VLAN

Each VLAN must correspond to a unique IP subnet. If two devices in the same VLAN have different subnet addresses, they cannot communicate. This is a common problem, and it is easy to solve by identifying the incorrect configuration and changing the subnet address to the correct one. A check of the IP configuration settings of PC1 shown in Figure 2 reveals the most common error in configuring VLANs: an incorrectly configured IP address.

VLAN hopping

Enables traffic from one VLAN to be seen by another VLAN.

Verifying Trunk Configuration

Figure 1 displays the configuration of switch port F0/1 on switch S1. The configuration is verified with the show interfaces interface-ID switchport command. The top highlighted area shows that port F0/1 has its administrative mode set to trunk. The port is in trunking mode. The next highlighted area verifies that the native VLAN is VLAN 99. Further down in the output, the bottom highlighted area shows that all VLANs are enabled on the trunk. Use the Syntax Checker in Figure 2 to configure a trunk supporting all VLANs on interface F0/1, with native VLAN 99. Verify the trunk configuration with the show interfaces f0/1 switchport command.

Resetting the Trunk to Default State

Figure 1 shows the commands to remove the allowed VLANs and reset the native VLAN of the trunk. When reset to the default state, the trunk allows all VLANs and uses VLAN 1 as the native VLAN. Figure 2 shows the commands used to reset all trunking characteristics of a trunking interface to the default settings. The show interfaces f0/1 switchport command reveals that the trunk has been reconfigured to a default state. In Figure 3, the sample output shows the commands used to remove the trunk feature from the F0/1 switch port on switch S1. The show interfaces f0/1 switchport command reveals that the F0/1 interface is now in static access mode.

Incorrect VLAN List

For traffic from a VLAN to be transmitted across a trunk, it must be allowed on the trunk. To do so, use the switchport trunk allowed vlan vlan-id command. Check the trunk ports on the switch using the show interfaces trunk command. Examine the interface and check it against the configuration. Reconfigure using the switchport trunk allowed vlan command. The show interfaces trunk command is an excellent tool for revealing common trunking problems.

Security

Groups that have sensitive data are separated from the rest of the network, decreasing the chances of confidential information breaches.

Missing VLANs

If there is still no connection between devices in a VLAN, but IP addressing issues have been ruled out, you have to troubleshoot:

Step 1. Use the show vlan command to check whether the port belongs to the expected VLAN. If the port is assigned to the wrong VLAN, use the switchport access vlan command to correct the VLAN membership. Use the show mac address-table command to check which addresses were learned on a particular port of the switch and to which VLAN that port is assigned.

Step 2. If the VLAN to which the port is assigned is deleted, the port becomes inactive. Use the show vlan or show interfaces switchport command.

To display the MAC address table, use the show mac-address-table command. The example in Figure 2 shows MAC addresses that were learned on the F0/1 interface. It can be seen that MAC address 000c.296a.a21c was learned on interface F0/1 in VLAN 10. If this number is not the expected VLAN number, change the port VLAN membership using the switchport access vlan command.

Each port in a switch belongs to a VLAN. If the VLAN to which the port belongs is deleted, the port becomes inactive. All ports belonging to the VLAN that was deleted are unable to communicate with the rest of the network. Use the show interface f0/1 switchport command to check whether the port is inactive. If the port is inactive, it is not functional until the missing VLAN is created using the vlan vlan_id command.

VLAN Design Guidelines

It is a security best practice to configure all the ports on all switches to be associated with VLANs other than VLAN 1. This is usually done by configuring all unused ports to a black hole VLAN that is not used for anything on the network. All used ports are associated with VLANs distinct from VLAN 1 and distinct from the black hole VLAN. It is also a good practice to shut down unused switch ports to prevent unauthorized access.

A good security practice is to separate management and user data traffic. The management VLAN, which is VLAN 1 by default, should be changed to a separate, distinct VLAN. To communicate remotely with a Cisco switch for management purposes, the switch must have an IP address configured on the management VLAN. Users in other VLANs would not be able to establish remote access sessions to the switch unless they were routed into the management VLAN, providing an additional layer of security. Also, the switch should be configured to accept only encrypted SSH sessions for remote management.

A recommended security practice is to change the native VLAN to a different VLAN than VLAN 1. The native VLAN should also be distinct from all user VLANs. Ensure that the native VLAN for an 802.1Q trunk is the same on both ends of the trunk link.

DTP: A general guideline is to disable autonegotiation. As a port security best practice, do not use the dynamic auto or dynamic desirable switch port modes.

It is good practice to use separate VLANs for IP telephony and data traffic.

Improved IT staff efficiency

VLANs make it easier to manage the network because users with similar network requirements share the same VLAN. When a new switch is provisioned, all the policies and procedures already configured for the particular VLAN are implemented when the ports are assigned. It is also easy for the IT staff to identify the function of a VLAN by giving it an appropriate name.

switchport mode dynamic auto

Makes the interface able to convert the link to a trunk link. The interface becomes a trunk interface if the neighboring interface is set to trunk or desirable mode. The default switchport mode for all Ethernet interfaces is dynamic auto.

switchport mode dynamic desirable

Makes the interface actively attempt to convert the link to a trunk link. The interface becomes a trunk interface if the neighboring interface is set to trunk, desirable, or auto mode. This is the default switchport mode on older switches, such as the Catalyst 2950 and 3550 Series switches.

Send voice traffic to the switch

On the switch, the access port is configured to send Cisco Discovery Protocol (CDP) packets that instruct an attached IP phone to send voice traffic to the switch in one of three ways, depending on the type of traffic:

- In a voice VLAN tagged with a Layer 2 class of service (CoS) priority value.
- In an access VLAN tagged with a Layer 2 CoS priority value.
- In an access VLAN, untagged (no Layer 2 CoS priority value).

Trunk mode mismatches

One trunk port is configured in a mode that is not compatible for trunking on the corresponding peer port. This configuration error causes the trunk link to stop working.

switchport nonegotiate

Prevents the interface from generating DTP frames. You can use this command only when the interface switchport mode is access or trunk. You must manually configure the neighboring interface as a trunk interface to establish a trunk link.

switchport mode access

Puts the interface (access port) into permanent nontrunking mode and negotiates to convert the link into a nontrunk link. The interface becomes a nontrunk interface, regardless of whether the neighboring interface is a trunk interface.

switchport mode trunk

Puts the interface into permanent trunking mode and negotiates to convert the neighboring link into a trunk link. The interface becomes a trunk interface even if the neighboring interface is not a trunk interface.

Voice VLAN Tagging

Recall that to support VoIP, a separate voice VLAN is required. An access port that is used to connect a Cisco IP phone can be configured to use two separate VLANs: one VLAN for voice traffic and another VLAN for data traffic from a device attached to the phone. The link between the switch and the IP phone acts as a trunk to carry both voice VLAN traffic and data VLAN traffic.

Native VLANs and 802.1Q Tagging - Tagged Frames on the Native VLAN

Some devices that support trunking add a VLAN tag to native VLAN traffic. Control traffic sent on the native VLAN should not be tagged. If an 802.1Q trunk port receives a tagged frame with the VLAN ID the same as the native VLAN, it drops the frame. Consequently, when configuring a switch port on a Cisco switch, configure devices so that they do not send tagged frames on the native VLAN. Devices from other vendors that support tagged frames on the native VLAN include IP phones, servers, routers, and non-Cisco switches.

Predict DTP behaviour

TR = Trunk, AC = Access, DA = Dynamic Auto, DD = Dynamic Desirable

- DA<>TR = TRUNK
- DA<>DA = ACCESS
- DD<>DD = TRUNK
- DD<>TR = TRUNK
- DD<>DA = TRUNK

Integrated three-port 10/100 switch

The Cisco IP Phone contains an integrated three-port 10/100 switch. The ports provide dedicated connections to these devices:

- Port 1 connects to the switch or other VoIP device.
- Port 2 is an internal 10/100 interface that carries the IP phone traffic.
- Port 3 (access port) connects to a PC or other device.

VLAN Tag Field Details

The VLAN tag field consists of a Type field, a Priority field, a Canonical Format Identifier field, and a VLAN ID field:

- Type - A 2-byte value called the tag protocol ID (TPID) value. For Ethernet, it is set to hexadecimal 0x8100.
- User priority - A 3-bit value that supports level of service implementation.
- Canonical Format Identifier (CFI) - A 1-bit identifier that enables Token Ring frames to be carried across Ethernet links.
- VLAN ID (VID) - A 12-bit VLAN identification number that supports up to 4096 VLAN IDs.

After the switch inserts the Type and tag control information fields, it recalculates the FCS values and inserts the new FCS into the frame.

switch spoofing attack

The attacker takes advantage of the fact that the default configuration of the switch port is dynamic auto. The network attacker configures a system to spoof itself as a switch. This spoofing requires that the network attacker be capable of emulating 802.1Q and DTP messages. By tricking a switch into thinking that another switch is attempting to form a trunk, an attacker can gain access to all the VLANs allowed on the trunk port.

VLAN 1

The default VLAN for Cisco switches is VLAN 1. In the figure, the show vlan brief command was issued on a switch running the default configuration. Notice that all ports are assigned to VLAN 1 by default.

Allowed VLANs on trunks

The list of allowed VLANs on a trunk has not been updated with the current VLAN trunking requirements. In this situation, unexpected traffic or no traffic is being sent over the trunk.

Dynamic Trunking Protocol (DTP)

The port enters into a Dynamic Trunking Protocol (DTP) negotiation to convert the link into a trunk link even if the interface connecting to it does not agree to the change. DTP is described in the next topic. In this course, the switchport mode trunk command is the only method implemented for trunk configuration.

Tagging Ethernet Frames for VLAN Identification

The standard Ethernet frame header does not contain information about the VLAN to which the frame belongs; thus, when Ethernet frames are placed on a trunk, information about the VLANs to which they belong must be added. This process, called tagging, is accomplished by using the IEEE 802.1Q header, specified in the IEEE 802.1Q standard. The 802.1Q header includes a 4-byte tag inserted within the original Ethernet frame header, specifying the VLAN to which the frame belongs. When the switch receives a frame on a port configured in access mode and assigned a VLAN, the switch inserts a VLAN tag in the frame header, recalculates the FCS, and sends the tagged frame out of a trunk port.

#switchport access vlan

The switchport access vlan command forces the creation of a VLAN if it does not already exist on the switch.

Switch Spoofing Attack

There are a number of different types of VLAN attacks in modern switched networks. The VLAN architecture simplifies network maintenance and improves performance, but it also opens the door to abuse. It is important to understand the general methodology behind these attacks and the primary approaches to mitigate them. **The best way to prevent a basic switch spoofing attack is to turn off trunking on all ports, except the ones that specifically require trunking. On the required trunking ports, disable DTP, and manually enable trunking.**

Changing VLAN Port Membership

There are a number of ways to change VLAN port membership. Figure 1 shows the syntax for changing a switch port to VLAN 1 membership with the no switchport access vlan interface configuration mode command.

Configuring IEEE 802.1Q Trunk Links

To configure a switch port on one end of a trunk link, use the switchport mode trunk command. With this command, the interface changes to permanent trunking mode.

Introduction to Troubleshooting Trunks

To troubleshoot issues when a trunk is not forming or when VLAN leaking is occurring, proceed as follows:

Step 1. Use the show interfaces trunk command to check whether the local and peer native VLANs match. If the native VLAN does not match on both sides, VLAN leaking occurs.

Step 2. Use the show interfaces trunk command to check whether a trunk has been established between switches. Statically configure trunk links whenever possible. Cisco Catalyst switch ports use DTP by default and attempt to negotiate a trunk link.

To display the status of the trunk, the native VLAN used on that trunk link, and verify trunk establishment, use the show interfaces trunk command. The example in Figure 2 shows that the native VLAN on one side of the trunk link was changed to VLAN 2. If one end of the trunk is configured as native VLAN 99 and the other end is configured as native VLAN 2, a frame sent from VLAN 99 on one side is received on VLAN 2 on the other side. VLAN 99 leaks into the VLAN 2 segment.

Native VLAN mismatches

Trunk ports are configured with different native VLANs. This configuration error generates console notifications, and can cause inter-VLAN routing issues, among other problems. This poses a security risk.

Common Problems with Trunks

Trunking issues are usually associated with incorrect configurations. When configuring VLANs and trunks on a switched infrastructure, the following types of configuration errors are the most common:

- Native VLAN mismatches
- Trunk mode mismatches
- Allowed VLANs on trunks

If an issue with a trunk is discovered and if the cause is unknown, start troubleshooting by examining the trunks for a native VLAN mismatch. If that is not the cause, check for trunk mode mismatches, and finally check for the allowed VLAN list on the trunk. The next two pages examine how to fix the common problems with trunks.

#switchport trunk allowed vlan vlan-list

Use the Cisco IOS switchport trunk allowed vlan vlan-list command to specify the list of VLANs to be allowed on the trunk link.

#interface range

Use the interface range command to simultaneously configure multiple interfaces.

#show vlan brief

Use the show vlan brief command to display the contents of the vlan.dat file.

Simpler project and application management

VLANs aggregate users and network devices to support business or geographic requirements. Having separate functions makes managing a project or working with a specialized application easier; an example of such an application is an e-learning development platform for faculty.

Native VLANs and 802.1Q Tagging - Untagged Frames on the Native VLAN

When a Cisco switch trunk port receives untagged frames (which are unusual in a well-designed network), it forwards those frames to the native VLAN. If there are no devices associated with the native VLAN (which is not unusual) and there are no other trunk ports (which is not unusual), then the frame is dropped. When configuring an 802.1Q trunk port, a default Port VLAN ID (PVID) is assigned the value of the native VLAN ID. All untagged traffic coming in or out of the 802.1Q port is forwarded based on the PVID value. For example, if VLAN 99 is configured as the native VLAN, the PVID is 99 and all untagged traffic is forwarded to VLAN 99. If the native VLAN has not been reconfigured, the PVID value is set to VLAN 1.

Trunk Mode Mismatches

When a port on a trunk link is configured with a trunk mode that is incompatible with the neighboring trunk port, a trunk link fails to form between the two switches. Examine the modes on both ends of the trunk. To resolve the issue, reconfigure the trunk mode. After the configuration change, the output of the show interfaces command indicates that the port on the switch is now in trunking mode.

Port VLAN ID (PVID)

When configuring an 802.1Q trunk port, a default Port VLAN ID (PVID) is assigned the value of the native VLAN ID.

Creating a VLAN

When configuring normal range VLANs, the configuration details are stored in flash memory on the switch in a file called vlan.dat. In global configuration mode, use the vlan vlan-id command to add a VLAN to a switch, and the name vlan-name command to give it a name. Naming each VLAN is considered a best practice in switch configuration. In addition to entering a single VLAN ID, a series of VLAN IDs can be entered separated by commas, or a range of VLAN IDs separated by hyphens using the vlan vlan-id command. For example, use the following command to create VLANs 100, 102, 105, 106, and 107:

PVLAN Edge

Also known as protected ports, the PVLAN Edge feature ensures that there is no exchange of unicast, broadcast, or multicast traffic between these ports on the switch. The PVLAN Edge feature has the following characteristics:

- A protected port does not forward any traffic (unicast, multicast, or broadcast) to any other port that is also a protected port, except for control traffic. Data traffic cannot be forwarded between protected ports at Layer 2.
- Forwarding behavior between a protected port and a nonprotected port proceeds as usual.
- Protected ports must be manually configured.

To configure the PVLAN Edge feature, enter the switchport protected command in interface configuration mode. To disable a protected port, use the no switchport protected interface configuration mode command. To verify the configuration of the PVLAN Edge feature, use the show interfaces interface-id switchport privileged EXEC mode command.

#no vlan vlan-id

This global configuration mode command is used to remove the VLAN with the given ID from the switch.

Hierarchical network addressing

means that IP network numbers are applied to network segments or VLANs in an orderly fashion that takes the network as a whole into consideration. Blocks of contiguous network addresses are reserved for and configured on devices in a specific area of the network.

To enable trunking from a Cisco switch to a device that does not support DTP

use the switchport mode trunk and switchport nonegotiate interface configuration mode commands. This causes the interface to become a trunk, but not generate DTP frames.

