Lessons-2_Implementing VLAN Technologies in a Campus Network

Chapter 3 focuses on implementing VLAN technologies in campus networks, covering VLAN segmentation, implementation, security, and troubleshooting. It explains the purpose of VLANs, how to configure switches for VLANs and trunking, and best practices for security in VLAN environments. Additionally, it discusses the VLAN Trunking Protocol (VTP) and its modes for managing VLAN configurations across multiple switches.

Uploaded by

Hoàng Fan

Chapter 3: Implementing VLAN Technologies in a Campus Network

Switched Networks

Presentation_ID © 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential 1
Chapter 3
3.1 VLAN Segmentation
3.2 VLAN Implementation
3.3 VLAN Security and Design
3.4 Summary

Chapter 3: Objectives
• Explain the purpose of VLANs in a switched network.
• Analyze how a switch forwards frames based on VLAN configuration in a multi-switched environment.
• Configure a switch port to be assigned to a VLAN based on requirements.
• Configure a trunk port on a LAN switch.
• Configure Dynamic Trunking Protocol (DTP).
• Troubleshoot VLAN and trunk configurations in a switched network.
• Configure security features to mitigate attacks in a VLAN-segmented environment.
• Explain security best practices for a VLAN-segmented environment.
3.1 VLAN Segmentation

Overview of VLANs
VLAN Definitions
• A VLAN is a logical partition of a Layer 2 network.
• Multiple partitions can be created, allowing multiple VLANs to co-exist.
• Each VLAN is a broadcast domain, usually with its own IP network.
• VLANs are mutually isolated; packets can only pass between them via a router.
• The partitioning of the Layer 2 network takes place inside a Layer 2 device, usually a switch.
• The hosts grouped within a VLAN are unaware of the VLAN’s existence.
Virtual Local Area Network (VLAN)

• A VLAN is a logical group of end devices.
• Broadcasts are contained within VLANs.
• Modern design has 1 VLAN = 1 IP subnet.
• Trunks connect switches so as to transport multiple VLANs.
• Layer 3 devices interconnect VLANs.
End-to-End VLANs

• Each VLAN is distributed geographically throughout the network.
• Users are grouped into each VLAN regardless of their physical location, which theoretically eases network management.
• As a user moves throughout a campus, the VLAN membership for that user remains the same.
• Switches are configured for VTP server or client mode.
Local VLANs

• Create local VLANs with physical boundaries in mind rather than the job functions of the users.
• Local VLANs exist between the access and distribution layers.
• Traffic from a local VLAN is routed at the distribution and core levels.
• Switches are configured in VTP transparent mode.
• One to three VLANs per access layer switch is recommended.
VLAN Support on Catalyst Switches

Catalyst Switch             | Max VLANs | VLAN ID Range
2940                        | 4         | 1 - 1005
2950/2955                   | 250       | 1 - 4094
2960                        | 255       | 1 - 4094
2970/3550/3560/3750         | 1055      | 1 - 4094
2848G/2980G/4000/4500       | 4094      | 1 - 4094
6500                        | 4094      | 1 - 4094
VLAN Ranges on Catalyst Switches

VLAN Range   | Range    | Usage                                                            | Propagated via VTP?
0, 4095      | Reserved | For system use only. You cannot see or use these.                | n/a
1            | Normal   | Cisco default. You can use this VLAN, but you cannot delete it.  | Yes
2 - 1001     | Normal   | For Ethernet VLANs. You can create, use, and delete these.       | Yes
1002 - 1005  | Normal   | Cisco defaults for FDDI and Token Ring. You cannot delete these. | Yes
1006 - 1024  | Reserved | For system use only. You cannot see or use these.                | n/a
1025 - 4094  | Reserved | For Ethernet VLANs only.                                         | VTP v3 only. Not supported in VTP v1 or v2. Requires VTP transparent mode for configuration.
Overview of VLANs
Types of VLANs (cont.)

VLANs in a Multi-Switched Environment
VLAN Trunks
• A VLAN trunk carries more than one VLAN.
• A VLAN trunk is usually established between switches so that same-VLAN devices can communicate, even if they are physically connected to different switches.
• A VLAN trunk is not associated with any particular VLAN; neither are the trunk ports used to establish the trunk link.
• Cisco IOS supports IEEE 802.1Q, a popular VLAN trunk protocol.
VLAN Trunking
• Trunks carry the traffic for multiple VLANs across a single physical link (multiplexing).
• Trunking extends Layer 2 operations across an entire network.
VLAN Trunking with Inter-Switch Link (ISL)

• ISL is a Cisco-proprietary trunking protocol.
• ISL is nearly obsolete.
• ISL encapsulates Ethernet frames, adding 30 bytes of overhead.
• ISL is supported on non-access-layer Cisco switches.
VLAN Trunking with IEEE 802.1Q

• 802.1Q is a widely supported industry-standard protocol.
• Smaller frame overhead than ISL: the 802.1Q tag adds 4 bytes.
• Has the 802.1p field for QoS support.
VLANs in a Multi-Switched Environment
Native VLANs and 802.1Q Tagging
• Frames that belong to the native VLAN are not tagged.
• Frames received untagged remain untagged and are placed in the native VLAN when forwarded.
• If there are no ports associated with the native VLAN and no other trunk links, an untagged frame is dropped.
• On Cisco switches, the native VLAN is VLAN 1 by default.
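The tagging and native-VLAN rules on the 802.1Q slides, worked through in code. This is an added example, not part of the Cisco deck: it builds Ethernet frames with and without the 4-byte 802.1Q tag (TPID 0x8100 followed by the PCP/DEI/VID tag control field), classifies a frame arriving on a trunk (tag VID, or the native VLAN when untagged) and re-emits it on a trunk (dropped if not allowed, untagged if it is the native VLAN, tagged otherwise). The MAC addresses and payload are constructed; the last lines of the demo show why a native VLAN mismatch matters: a frame sent untagged as VLAN 1 is classified as VLAN 99 by a neighbour whose trunk uses native VLAN 99.

```python
"""802.1Q tagging and native-VLAN classification on a trunk (added example, not Cisco's code)."""
import struct
from typing import Optional, Set

TPID_8021Q = 0x8100      # EtherType value that announces a VLAN tag follows
ETHERTYPE_IPV4 = 0x0800
TAG_LEN = 4              # the 802.1Q overhead quoted on the slides


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes,
                vid: Optional[int] = None, pcp: int = 0, dei: int = 0) -> bytes:
    """Ethernet II frame; when vid is given, a 4-byte tag (TPID + TCI) is inserted after the source MAC."""
    if len(dst) != 6 or len(src) != 6:
        raise ValueError("MAC addresses must be 6 bytes")
    header = dst + src
    if vid is not None:
        if not 0 <= vid <= 4095:
            raise ValueError("VID is a 12-bit field")
        tci = ((pcp & 0x7) << 13) | ((dei & 0x1) << 12) | vid   # PCP (802.1p) | DEI | VID
        header += struct.pack("!HH", TPID_8021Q, tci)
    return header + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes) -> dict:
    """Split a frame into its fields; 'vid' is None when the frame carries no tag."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    dst, src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    vid = pcp = dei = None
    offset = 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        pcp, dei, vid = tci >> 13, (tci >> 12) & 1, tci & 0x0FFF
        offset = 18
    return {"dst": dst, "src": src, "vid": vid, "pcp": pcp, "dei": dei,
            "ethertype": ethertype, "payload": frame[offset:]}


def ingress_vlan(frame: bytes, native_vlan: int) -> int:
    """VLAN a frame is placed in on arrival at a trunk port: the tag's VID, or the native VLAN if untagged."""
    vid = parse_frame(frame)["vid"]
    return native_vlan if vid is None else vid


def egress_on_trunk(frame: bytes, vlan: int, native_vlan: int, allowed: Set[int]) -> Optional[bytes]:
    """Re-emit a frame of the given VLAN on a trunk: None if the VLAN is not allowed,
    untagged if it is the trunk's native VLAN, tagged with its VID otherwise."""
    if vlan not in allowed:
        return None
    f = parse_frame(frame)
    return build_frame(f["dst"], f["src"], f["ethertype"], f["payload"],
                       vid=None if vlan == native_vlan else vlan,
                       pcp=f["pcp"] or 0, dei=f["dei"] or 0)


if __name__ == "__main__":
    # Constructed sample addresses and payload.
    dst, src = bytes.fromhex("ffffffffffff"), bytes.fromhex("0200deadbeef")
    plain = build_frame(dst, src, ETHERTYPE_IPV4, b"hello")
    tagged = build_frame(dst, src, ETHERTYPE_IPV4, b"hello", vid=10, pcp=5)
    print("802.1Q tag overhead:", len(tagged) - len(plain), "bytes")
    # Native VLAN mismatch: VLAN 1 leaves this switch untagged (native 1) and is
    # classified as VLAN 99 on a neighbour whose trunk has native VLAN 99.
    out = egress_on_trunk(plain, vlan=1, native_vlan=1, allowed={1, 10, 20})
    print("neighbour places the frame in VLAN", ingress_vlan(out, native_vlan=99))
```

The mismatch case is the reason the troubleshooting slides put native VLAN mismatches first: frames leak between VLANs silently, with no error on either switch.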
3.2 VLAN Implementations

VLAN Assignment
VLAN Ranges on Catalyst Switches
• Cisco Catalyst 2960 and 3560 Series switches support over 4,000 VLANs.
• VLANs are split into two categories:
  • Normal range VLANs
    • VLAN numbers from 1 to 1,005
    • Configurations stored in the vlan.dat file (in flash memory)
    • VTP can only learn and store normal range VLANs
  • Extended range VLANs
    • VLAN numbers from 1,006 to 4,096
    • Configurations stored in the running configuration (NVRAM)
    • VTP does not learn extended range VLANs
VLAN Assignment
Creating a VLAN

VLAN Assignment
Assigning Ports to VLANs

VLAN Assignment
Assigning Ports to VLANs (cont.)

VLAN Assignment
Changing VLAN Port Membership

VLAN Assignment
Changing VLAN Port Membership (cont.)

VLAN Assignment
Deleting VLANs

VLAN Assignment
Verifying VLAN Information

VLAN Assignment
Verifying VLAN Information (cont.)

VLAN Assignment
Configuring IEEE 802.1Q Trunk Links

VLAN Assignment
Resetting the Trunk to Default State

VLAN Assignment
Resetting the Trunk to Default State (cont.)

VLAN Assignment
Verifying Trunk Configuration
Dynamic Trunking Protocol
Introduction to DTP
• Switch ports can be manually configured to form trunks.
• Switch ports can also be configured to negotiate and establish a trunk link with a connected peer.
• The Dynamic Trunking Protocol (DTP) manages trunk negotiation.
• DTP is a Cisco-proprietary protocol and is enabled by default on Cisco Catalyst 2960 and 3560 switches.
• If the port on the neighbor switch is configured in a trunk mode that supports DTP, DTP manages the negotiation.
• The default DTP configuration for Cisco Catalyst 2960 and 3560 switches is dynamic auto.
Dynamic Trunking Protocol
Negotiated Interface Modes
• Cisco Catalyst 2960 and 3560 switches support the following trunk modes:
  • switchport mode dynamic auto
  • switchport mode dynamic desirable
  • switchport mode trunk
  • switchport nonegotiate
Troubleshooting VLANs and Trunks
IP Addressing Issues with VLANs
• It is common practice to associate a VLAN with an IP network.
• Because different IP networks only communicate through a router, all devices within a VLAN must be part of the same IP network to communicate.
• The figure shows that PC1 cannot communicate with the server because PC1 has a wrong IP address configured.
Troubleshooting VLANs and Trunks
Missing VLANs
• If all IP address mismatches have been resolved but the device still cannot connect, check whether the VLAN exists on the switch.
Troubleshooting VLANs and Trunks
Introduction to Troubleshooting Trunks

Troubleshooting VLANs and Trunks
Common Problems with Trunks
• Trunking issues are usually associated with incorrect configurations.
• The most common types of trunk configuration errors are:
  1. Native VLAN mismatches
  2. Trunk mode mismatches
  3. Allowed VLANs on trunks
• If a trunk problem is detected, best-practice guidelines recommend troubleshooting in the order shown above.
Troubleshooting VLANs and Trunks
Trunk Mode Mismatches
• If a port on a trunk link is configured with a trunk mode that is incompatible with the neighboring trunk port, a trunk link fails to form between the two switches.
• Use the show interfaces trunk command to check the status of the trunk ports on the switches.
• To fix the problem, configure the interfaces with the proper trunk modes.
Troubleshooting VLANs and Trunks
Incorrect VLAN List
• VLANs must be allowed on the trunk before their frames can be transmitted across the link.
• Use the switchport trunk allowed vlan command to specify which VLANs are allowed on a trunk link.
• Use the show interfaces trunk command to ensure the correct VLANs are permitted on a trunk.
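The three trunk checks from the "Common Problems with Trunks" slide, plus the DTP mode pairings from the "Negotiated Interface Modes" slide, as one added example (not code from the Cisco deck). `trunk_forms` decides whether a trunk comes up for a pair of port modes; `parse_show_interfaces_trunk` pulls the status and "Vlans allowed on trunk" tables out of `show interfaces trunk` output; `check_trunk` compares the two ends of a link in the recommended order (native VLAN, trunk mode, allowed list). The switch names DLS1/ALS1 and the two command outputs are constructed for the example, not captured from real switches; in the parser "nonegotiate" stands for `switchport mode trunk` combined with `switchport nonegotiate`.

```python
"""Trunk troubleshooting checks in the slides' recommended order (added example, not Cisco's code)."""
from typing import Dict, List, Set


def trunk_forms(local: str, remote: str) -> bool:
    """True when an operational trunk forms on both ends for the given switchport modes.
    Modes: 'access', 'trunk', 'dynamic auto', 'dynamic desirable', 'nonegotiate' (trunk + no DTP)."""
    static_trunk = {"trunk", "nonegotiate"}
    if "access" in (local, remote):
        return False                       # an access port never trunks
    if local in static_trunk and remote in static_trunk:
        return True
    if "nonegotiate" in (local, remote):
        return False                       # the dynamic neighbour hears no DTP and stays an access port
    if "trunk" in (local, remote):
        return True                        # dynamic auto/desirable answer a trunk request
    if "dynamic desirable" in (local, remote):
        return True                        # desirable actively initiates negotiation
    return False                           # dynamic auto + dynamic auto: nobody initiates


def expand_vlan_list(spec: str) -> Set[int]:
    """'1-99,200' -> {1, ..., 99, 200}; the keyword 'none' yields an empty set."""
    vlans: Set[int] = set()
    if spec.lower() == "none":
        return vlans
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def parse_show_interfaces_trunk(text: str) -> Dict[str, dict]:
    """Extract the per-port status table and the 'Vlans allowed on trunk' table from the output."""
    ports: Dict[str, dict] = {}
    section = None
    for line in text.splitlines():
        if line.startswith("Port"):        # each table starts with a 'Port ...' header line
            if "Native vlan" in line:
                section = "status"
            elif "allowed on trunk" in line:
                section = "allowed"
            else:
                section = None             # the remaining tables are not needed for these checks
            continue
        fields = line.split()
        if not fields or section is None:
            continue
        if section == "status" and len(fields) == 5:
            ports.setdefault(fields[0], {}).update(
                mode=fields[1], encapsulation=fields[2], status=fields[3], native=int(fields[4]))
        elif section == "allowed" and len(fields) == 2:
            ports.setdefault(fields[0], {})["allowed"] = expand_vlan_list(fields[1])
    return ports


def check_trunk(local: dict, remote: dict) -> List[str]:
    """Report mismatches between the two ends of a link, in the slides' troubleshooting order."""
    problems: List[str] = []
    if local["native"] != remote["native"]:
        problems.append(f"native VLAN mismatch: {local['native']} vs {remote['native']}")
    if local["status"] != "trunking" or remote["status"] != "trunking":
        problems.append(f"trunk mode mismatch: {local['status']} vs {remote['status']}")
    if local["allowed"] != remote["allowed"]:
        only_one_side = sorted(local["allowed"] ^ remote["allowed"])
        problems.append(f"allowed VLAN lists differ for VLANs {only_one_side}")
    return problems


# Constructed sample output for the two ends of one link (not captured from real switches).
DLS1_OUTPUT = """\
Port        Mode             Encapsulation  Status        Native vlan
Fa0/1       on               802.1q         trunking      1

Port        Vlans allowed on trunk
Fa0/1       1-99,200
"""
ALS1_OUTPUT = """\
Port        Mode             Encapsulation  Status        Native vlan
Fa0/1       on               802.1q         trunking      99

Port        Vlans allowed on trunk
Fa0/1       1-99
"""


def diagnose_sample() -> List[str]:
    """Run the checks over the constructed outputs: native VLAN 1 vs 99, VLAN 200 allowed on one side only."""
    local = parse_show_interfaces_trunk(DLS1_OUTPUT)["Fa0/1"]
    remote = parse_show_interfaces_trunk(ALS1_OUTPUT)["Fa0/1"]
    return check_trunk(local, remote)


if __name__ == "__main__":
    for problem in diagnose_sample():
        print(problem)
```

Running the same comparison on real output from both switches gives an ordered worklist; the native VLAN finding is listed first because, unlike a mode mismatch, it does not stop the link from coming up and so is easy to miss.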
3.3 VTP (VLAN Trunking Protocol)

VTP (VLAN Trunking Protocol)

• Configuring VLANs without VTP.

VTP (VLAN Trunking Protocol)

• VLAN Trunking Protocol (VTP) reduces administration in a switched network.
• VLAN information can be configured on a VTP server and is then distributed to all switches in the domain, so there is no need to configure each switch individually.
• VTP is Cisco-proprietary.
• http://www.cisco.com/warp/public/473/vtp_flash/

[Figure: VTP Message]

VTP (VLAN Trunking Protocol) Modes

• Server
  • Can create, modify, and delete VLANs.
  • Configures the VTP version and VTP pruning (next week).
  • Advertises its VLAN configuration to other switches in the same VTP domain; VTP advertisements are sent and received over trunk links.
  • Default mode.
• Client
  • Behaves the same way as a VTP server, but you cannot create, change, or delete VLANs on a VTP client.
• Transparent
  • Does not participate in VTP.
  • Does not advertise its VLAN configuration.
  • Does not synchronize its VLAN configuration based on received advertisements.
  • Does forward VTP advertisements it receives out its trunk ports in VTP version 2.
• Off (CatOS switches only)
  • Behaves the same as VTP transparent mode, except that VTP advertisements are not forwarded.

DLS1(config)# vtp mode ?
  client       Set the device to client mode.
  server       Set the device to server mode.
  transparent  Set the device to transparent mode.
DLS1(config)#

VTP – Verifying the VTP Mode

DLS1# show vtp status
VTP Version : 2
Configuration Revision : 0
Maximum VLANs supported locally : 1005
Number of existing VLANs : 5
VTP Operating Mode : Server
VTP Domain Name :
VTP Pruning Mode : Disabled
VTP V2 Mode : Disabled
VTP Traps Generation : Disabled
MD5 digest : 0x57 0xCD 0x40 0x65 0x63 0x59 0x47 0xBD
Configuration last modified by 0.0.0.0 at 0-0-00 00:00:00
Local updater ID is 10.1.1.101 on interface Vl1 (lowest numbered VLAN interface found)
DLS1#

Configure the VTP domain name on DLS1

DLS1(config)# vtp domain SWLAB
Changing VTP domain name from NULL to SWLAB

• The domain name is case sensitive.
• Will the other switches receive the domain name in a VTP update?
• We will see in a moment.
• Hint: Switches transmit VTP messages only over 802.1Q and ISL trunks.
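A toy model of the behaviour described on the VTP modes slide and the domain-name slide, added here as an example; it is not Cisco's code and not a VTP implementation. It models only what the slides state: a server increments the configuration revision (the counter `show vtp status` displays) and advertises; servers and clients in the same domain apply an advertisement, a transparent switch forwards it without applying it, "off" does neither, and advertisements travel only over trunk links. The rule that a higher revision replaces the local VLAN database is the model's assumption about how "synchronize based on received advertisements" is resolved. All switch names other than DLS1 (ALS1, ALS2, ALS3, TRN, LAB9) and the topology are constructed.

```python
"""Toy model of VTP advertisement handling per mode (added example, not Cisco's code)."""
from collections import deque
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Set

DEFAULT_VLANS = {1, 1002, 1003, 1004, 1005}   # the five VLANs 'show vtp status' reports on a fresh switch


@dataclass
class Switch:
    name: str
    mode: str                  # "server", "client", "transparent" or "off"
    domain: str = ""           # empty string stands for the NULL domain
    revision: int = 0
    vlans: Set[int] = field(default_factory=lambda: set(DEFAULT_VLANS))


@dataclass(frozen=True)
class Advertisement:
    domain: str
    revision: int
    vlans: FrozenSet[int]


class Fabric:
    """Switches plus the trunk links between them. Access links are not recorded at all,
    because (per the slides) VTP messages are sent only over 802.1Q and ISL trunks."""

    def __init__(self) -> None:
        self.switches: Dict[str, Switch] = {}
        self.trunks: Dict[str, Set[str]] = {}
        self.log: List[str] = []

    def add(self, sw: Switch) -> None:
        self.switches[sw.name] = sw
        self.trunks.setdefault(sw.name, set())

    def trunk(self, a: str, b: str) -> None:
        self.trunks[a].add(b)
        self.trunks[b].add(a)

    def create_vlan(self, name: str, vlan: int) -> Optional[Advertisement]:
        """Add a VLAN on one switch; a server bumps its revision and advertises the result."""
        sw = self.switches[name]
        if sw.mode == "client":
            raise PermissionError(f"{name}: VLANs cannot be created on a VTP client")
        sw.vlans.add(vlan)
        if sw.mode != "server":
            return None                      # transparent/off: local change only, nothing advertised
        sw.revision += 1
        adv = Advertisement(sw.domain, sw.revision, frozenset(sw.vlans))
        self._flood(name, adv)
        return adv

    def _receive(self, sw: Switch, adv: Advertisement) -> bool:
        """Apply an advertisement according to the switch's mode; return whether it is relayed."""
        if sw.mode == "off":
            return False                     # neither applies nor forwards
        if sw.mode == "transparent":
            return True                      # forwards (VTP v2) but keeps its own VLAN database
        if adv.domain != sw.domain:
            self.log.append(f"{sw.name}: ignored advertisement for domain {adv.domain!r}")
            return False
        if adv.revision > sw.revision:       # assumption: a higher revision replaces the local database
            self.log.append(f"{sw.name}: revision {sw.revision} -> {adv.revision}")
            sw.revision, sw.vlans = adv.revision, set(adv.vlans)
        return True

    def _flood(self, origin: str, adv: Advertisement) -> None:
        """Propagate breadth-first over trunk links only, stopping where a switch does not relay."""
        seen, queue = {origin}, deque([origin])
        while queue:
            here = queue.popleft()
            for nbr in self.trunks[here]:
                if nbr not in seen:
                    seen.add(nbr)
                    if self._receive(self.switches[nbr], adv):
                        queue.append(nbr)


def build_lab() -> Fabric:
    """DLS1 (server) trunked to ALS1 (client) and to TRN (transparent), which trunks on to ALS2 (client).
    ALS3 (client) reaches DLS1 only over an access link, so it has no trunk entry."""
    fab = Fabric()
    for name, mode in [("DLS1", "server"), ("ALS1", "client"), ("TRN", "transparent"),
                       ("ALS2", "client"), ("ALS3", "client")]:
        fab.add(Switch(name, mode, domain="SWLAB"))
    fab.trunk("DLS1", "ALS1")
    fab.trunk("DLS1", "TRN")
    fab.trunk("TRN", "ALS2")
    return fab


def run_lab() -> Dict[str, Dict[str, Set[int]]]:
    """Stage 1: DLS1 creates VLAN 10. Stage 2: a switch with a stale, higher revision is trunked in."""
    fab = build_lab()
    fab.create_vlan("DLS1", 10)
    after_create = {n: set(s.vlans) for n, s in fab.switches.items()}
    # LAB9 is a server in the same domain whose revision counter is already higher (e.g. a
    # switch reused from another lab). Its next change overwrites DLS1 and every client:
    # VLAN 10 disappears everywhere except on the transparent switch, which never applied it.
    fab.add(Switch("LAB9", "server", domain="SWLAB", revision=7))
    fab.trunk("LAB9", "ALS1")
    fab.create_vlan("LAB9", 20)
    after_stale = {n: set(s.vlans) for n, s in fab.switches.items()}
    return {"after_create": after_create, "after_stale": after_stale}


if __name__ == "__main__":
    for stage, state in run_lab().items():
        print(stage)
        for name, vlans in state.items():
            print(f"  {name:5} {sorted(vlans)}")
```

Stage 1 shows the propagation question from the domain-name slide: ALS1 and ALS2 learn VLAN 10 (ALS2 only because TRN forwards), ALS3 learns nothing because it has no trunk. Stage 2 is why the "Local VLANs" slide recommends VTP transparent mode: the revision counter, not the administrator, decides which VLAN database the domain ends up with.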
