Chapter 11. Implementing Ethernet Virtual LANs
A LAN Design, with Data in VLAN 10 and Phones in VLAN 11
SW1# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
SW1(config)# vlan 10
SW1(config-vlan)# vlan 11
SW1(config-vlan)# interface range FastEthernet0/1 - 4
SW1(config-if)# switchport mode access
SW1(config-if)# switchport access vlan 10
SW1(config-if)# switchport voice vlan 11
SW1(config-if)# ^Z
SW1#

The following list details the configuration steps for easier review and study:

Step 1. Use the vlan vlan-id command in global configuration mode to create the data and voice VLANs if they do not already exist on the switch.
Step 2. Configure the data VLAN like an access VLAN, as usual:
  A. Use the interface type number command in global configuration mode to move into interface configuration mode.
  B. Use the switchport access vlan id-number command in interface configuration mode to define the data VLAN.
  C. Use the switchport mode access command in interface configuration mode to make this port always operate in access mode (that is, to not trunk).
Step 3. Use the switchport voice vlan id-number command in interface configuration mode to set the voice VLAN ID.
Creating VLANs and Assigning Access VLANs to an Interface
Step 1. To configure a new VLAN, follow these steps:
  A. From configuration mode, use the vlan vlan-id command in global configuration mode to create the VLAN and to move the user into VLAN configuration mode.
  B. (Optional) Use the name name command in VLAN configuration mode to list a name for the VLAN. If not configured, the VLAN name is VLANZZZZ, where ZZZZ is the four-digit decimal VLAN ID.
Step 2. For each access interface (each interface that does not trunk, but instead belongs to a single VLAN), follow these steps:
  A. Use the interface type number command in global configuration mode to move into interface configuration mode for each desired interface.
  B. Use the switchport access vlan id-number command in interface configuration mode to specify the VLAN number associated with that interface.
  C. (Optional) Use the switchport mode access command in interface configuration mode to make this port always operate in access mode (that is, to not trunk).

SW1# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
SW1(config)# vlan 2
SW1(config-vlan)# name Freds-vlan
SW1(config-vlan)# exit
SW1(config)# interface range fastethernet 0/13 - 14
SW1(config-if)# switchport access vlan 2
SW1(config-if)# switchport mode access
SW1(config-if)# end
IMPORTANT!!!!!!!!!!!!!!!!
The default administrative (trunking) mode on a switch port is dynamic auto. With the ports on each end left at dynamic auto (THE DEFAULT!), neither port will begin the negotiation process and the link will not trunk. You must change one of the ports to use "switchport mode trunk" or "switchport mode dynamic desirable". Running the "show interfaces trunk" command while both trunk switchports still use the default configuration will not list any output.
VLAN trunking
VLAN trunking causes the switches to use a process called VLAN tagging, by which the sending switch adds another header to the frame before sending it over the trunk. This extra trunking header includes a VLAN identifier (VLAN ID) field so that the sending switch can associate the frame with a particular VLAN ID, and the receiving switch can then know in what VLAN each frame belongs.
VLAN Tagging Concepts
VLAN trunking creates one link between switches that supports as many VLANs as you need. As a VLAN trunk, the switches treat the link as if it were a part of all the VLANs.
VLAN Trunking Protocol (VTP)
VTP is a Cisco proprietary tool on Cisco switches that advertises each VLAN configured in one switch (with the vlan number command) so that all the other switches in the campus learn about that VLAN. All examples in this book use switches that have either been set to use VTP transparent mode (with the vtp mode transparent global command) or to disable it (with the vtp mode off global command). Check the VTP status with the show vtp status command. If your switch uses VTP server or client mode, you will find:

1. The server switches can configure VLANs in the standard range only (1-1005).
2. The client switches cannot configure VLANs.
3. Both servers and clients may be learning new VLANs from other switches, and seeing their VLANs deleted by other switches, because of VTP.
4. The show running-config command does not list any vlan commands.
Trunking configuration between two Cisco switches can be very simple if you just statically configure trunking
Add one interface subcommand for the switch interface on each side of the link (switchport mode trunk), and you create a VLAN trunk that supports all the VLANs known to each switch.
Cisco switches break the range of VLAN IDs (1-4094) into two ranges
The normal range and the extended range. All switches can use normal-range VLANs with values from 1 to 1005. Only some switches can use extended-range VLANs with VLAN IDs from 1006 to 4094.
For a Cisco switch to forward frames in a particular VLAN:
the switch must be configured to believe that the VLAN exists. In addition, the switch must have nontrunking interfaces (called access interfaces) assigned to the VLAN, and/or trunks that support the VLAN.
Name the two commands and what to look for in their output to verify voice vlan configuration:
1. show interfaces type number switchport

SW1# show interfaces FastEthernet 0/4 switchport
Name: Fa0/4
Switchport: Enabled
Administrative Mode: static access
Operational Mode: static access
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: native
Negotiation of Trunking: Off
Access Mode VLAN: 10 (VLAN0010)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: 11 (VLAN0011)    ◀️ the voice VLAN ID is the only new fact in this output
! The rest of the output is omitted for brevity

2. show interfaces type number trunk

SW1# show interfaces trunk

SW1# show interfaces F0/4 trunk

Port        Mode         Encapsulation  Status        Native vlan
Fa0/4       off          802.1q         not-trunking  1

Port        Vlans allowed on trunk
Fa0/4       10-11    ◀️ both the data (10) and voice (11) VLANs are listed

Port        Vlans allowed and active in management domain
Fa0/4       10-11
several options for dynamically negotiating various trunking settings
1. The type of trunking: IEEE 802.1Q, ISL, or negotiate which one to use. Switches that support both types of trunking use the switchport trunk encapsulation {dot1q | isl | negotiate} interface subcommand to either configure the type or allow DTP to negotiate the type.
2. The administrative mode: whether to always trunk, always not trunk, or negotiate. The administrative mode refers to the configuration setting for whether trunking should be used. Each interface also has an operational mode, which refers to what is currently happening on the interface and might have been chosen by DTP's negotiation with the other device. Cisco switches use the switchport mode interface subcommand to define the administrative trunking mode.

Trunking Administrative Mode Options with the switchport mode Command
native VLAN
802.1Q also defines one special VLAN ID on each trunk as the native VLAN (defaulting to use VLAN 1). By definition, 802.1Q simply does not add an 802.1Q header to frames in the native VLAN. When the switch on the other side of the trunk receives a frame that does not have an 802.1Q header, the receiving switch knows that the frame is part of the native VLAN. Note that because of this behavior, both switches must agree on which VLAN is the native VLAN.
The 802.1Q and ISL VLAN Trunking Protocols
802.1Q inserts an extra 4-byte 802.1Q VLAN header into the original frame's Ethernet header. As for the fields in the 802.1Q header, only the 12-bit VLAN ID field inside the 802.1Q header matters for topics discussed in this book. This 12-bit field supports a theoretical maximum of 4096 VLANs, but in practice it supports a maximum of 4094. (Both 802.1Q and ISL use 12 bits to tag the VLAN ID, with two reserved values [0 and 4095].)
Expected Trunking Operational Mode Based on the Configured Administrative Modes
Cisco recommends disabling trunk negotiation on most ports for better security. The majority of switch ports on most switches will be used to connect to users. As a matter of habit, you can disable DTP negotiations altogether using the switchport nonegotiate interface subcommand.
Summary: IP Telephony Ports on Switches
Configure these ports like a normal access port to begin:
1. Configure it as a static access port and assign it an access VLAN.
2. Add one more command to define the voice VLAN (switchport voice vlan vlan-id).
3. Look for the mention of the voice VLAN ID, but no other new facts, in the output of the show interfaces type number switchport command.
4. Look for both the voice and data (access) VLAN IDs in the output of the show interfaces type number trunk command.
5. Do not expect to see the port listed in the list of operational trunks as listed by the show interfaces trunk command.
Cisco best practices for IP telephony design tell us to put the phones in one VLAN, and the PCs in a different VLAN. To make that happen, the switch port acts a little like an access link (for the PC's traffic), and a little like a trunk (for the phone's traffic). The configuration defines two VLANs on that port, as follows:
Data VLAN: Same idea and configuration as the access VLAN on an access port, but defined as the VLAN on that link for forwarding the traffic for the device connected to the phone on the desk (typically the user's PC).
Voice VLAN: The VLAN defined on the link for forwarding the phone's traffic. Traffic in this VLAN is typically tagged with an 802.1Q header.