How to verify and configure VLANs & trunking
A VLAN (virtual LAN) is a group of devices, possibly spread across several physical LAN segments, that are configured to communicate as if they were attached to the same wire. Because VLAN membership is based on logical rather than physical connections, VLANs are highly flexible. A VLAN defines a broadcast domain at layer 2: the set of all devices that receive a broadcast frame sent by any device in that set.
Configure and Verify VLAN:
Configuring VLAN in Database Mode
When the switch is in VTP server or VTP transparent mode, you can configure VLANs either in VLAN database mode (entered with the privileged EXEC command vlan database on older releases) or in config-vlan mode (entered with the global configuration command vlan <vlan-id>); config-vlan mode is the recommended method on current software. In both cases a normal-range VLAN is stored in the vlan.dat file in flash, not in the running-config or startup-config. To display the VLAN configuration, use show vlan or show running-config vlan [vlan-id]. VLAN IDs range from 1 to 4094, but VLAN database mode supports only the normal range (1 to 1005, of which 2 to 1001 are user-configurable); extended-range VLANs (1006 to 4094) must be created in config-vlan mode. To create a VLAN, enter the vlan command with an unused ID. To verify a specific VLAN, enter show vlan id <vlan-id>. To modify an existing VLAN, enter the vlan command with its ID and change the parameters you need.
An access port carries traffic to and from only the VLAN assigned to it. Unlike a trunk port, an access port does not add an identifying tag to frames, because the intended VLAN is already assigned to the port. Usually an access port has a single VLAN configured on the interface and carries traffic for that VLAN only. If no VLAN is configured on an access port, the interface carries traffic for the default VLAN, which is usually VLAN 1. An Ethernet interface can be configured as either an access port or a trunk port, but it cannot function as both at the same time. Access ports are the most common type of port on a VLAN switch: network hosts connect to the switch's access ports to gain access to the local network.
For best results, configure ports that connect to end stations as host ports (switchport host). Setting a port as a host port automatically places it in access mode, enables spanning-tree PortFast and disables channel grouping. Only ports that connect to end stations should be host ports; if you try to configure a port that belongs to a port channel as a host port, you receive an error message. If an access port receives a frame whose 802.1Q tag carries a VLAN other than the access VLAN, the port drops the frame without learning its source MAC address. If the access VLAN is assigned to a private VLAN, all access ports in that access VLAN also receive the broadcast traffic for the primary VLAN of that private VLAN.
You can change an access port's VLAN membership by assigning it a new access VLAN. Create the VLAN before you assign it to an access port: if you change the access VLAN to a VLAN that does not exist yet, the behaviour depends on the platform (Cisco NX-OS shuts the access port down; Catalyst IOS creates the VLAN automatically when the switch is in VTP server or transparent mode), so check the VLAN exists rather than relying on either behaviour.
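As an added example (not part of the original page), the following Cisco IOS session creates a normal-range VLAN in config-vlan mode, assigns an access port to it as a host port, and verifies the result. The hostname SW1, interface GigabitEthernet1/0/5, VLAN 10 and the name USERS are assumptions, and the output shown is abbreviated and constructed for illustration.

```text
! Server or transparent mode is required before VLANs can be created.
SW1# show vtp status | include Operating Mode
VTP Operating Mode              : Server

SW1# configure terminal
SW1(config)# vlan 10
SW1(config-vlan)# name USERS
SW1(config-vlan)# state active
SW1(config-vlan)# exit
! Normal-range VLAN 10 is now written to flash:vlan.dat, not to running-config.

SW1(config)# interface GigabitEthernet1/0/5
SW1(config-if)# switchport host
switchport mode will be set to access
spanning-tree portfast will be enabled
channel group will be disabled
SW1(config-if)# switchport access vlan 10
SW1(config-if)# no shutdown
SW1(config-if)# end

! Verify the VLAN exists and which ports belong to it.
SW1# show vlan id 10
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
10   USERS                            active    Gi1/0/5

! Verify the port is a static access port in VLAN 10. Frames leave this
! port untagged; a frame arriving with a dot1q tag for any other VLAN is
! dropped without its source MAC being learned.
SW1# show interfaces GigabitEthernet1/0/5 switchport
Name: Gi1/0/5
Switchport: Enabled
Administrative Mode: static access
Operational Mode: static access
Access Mode VLAN: 10 (USERS)
Trunking Native Mode VLAN: 1 (default)
(output abbreviated)

! The interface-level commands live in running-config; save them.
SW1# copy running-config startup-config
```

If show vlan id 10 reports the VLAN as "act/lshut" or the port as missing, the VLAN was not created (or not created in this VTP mode) before the port was assigned.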
A trunk is a point-to-point link between two Ethernet switches, or between a switch and another network device such as a router. Fast Ethernet and Gigabit Ethernet trunks carry the traffic of multiple VLANs over a single link, so you can extend VLANs across the entire network.
There are two trunking encapsulations for Ethernet interfaces:
- ISL (Inter-Switch Link), a Cisco-proprietary encapsulation that wraps the whole frame
- IEEE 802.1Q, the standard encapsulation, which inserts a tag into the frame header
VTP (VLAN Trunking Protocol) is designed to ensure that every switch in a VTP domain knows about all the VLANs. However, a VTP domain can also carry unwanted traffic: broadcasts, multicasts and unknown-unicast frames in a VLAN are flooded over every trunk in the domain, so every switch receives every broadcast even where few or no users are connected to that VLAN. VTP pruning was designed to eliminate this unnecessary traffic.
VTPv1 and VTPv2 features:
- Transparent mode - In VTPv1, a switch in transparent mode inspects VTP packets for the domain name and version and forwards a packet only if both match. In VTPv2, a transparent-mode switch forwards VTP packets without checking the version or the domain name, so VTPv1 packets can be relayed through an intermediate VTPv2 transparent switch. This allows multiple domains to be supported across a transparent domain.
- Consistency checks - VTPv2 performs consistency checks on VLAN and VTP parameters (such as VLAN names and numbers) only when they are entered through the CLI, SNMP or the web-based Cluster Management Suite, which prevents invalid values from being propagated to the other switches in the domain. Consistency checks are not performed on VTP messages received on trunk links, or on VLAN database and configuration data read from NVRAM: if the MD5 digest on a received VTP message is correct, its contents are accepted without consistency checks.
- Unrecognized type-length-value (TLV) support - A VTPv2 server or client propagates VTP advertisements that contain TLVs it cannot parse instead of dropping them, and stores the unrecognized TLVs in vlan.dat when it is in VTP server mode. This is useful when not all devices run the same software release.
VTPv1 and VTPv2 are otherwise very similar; there is usually no reason to enable VTPv2 unless Token Ring VLANs exist in the campus network.
VTPv3 offers the following features over the previous VTP versions:
- Support for extended-range VLANs (1006 to 4094). Once extended VLANs exist in a VTPv3 database, the switch cannot be reverted to VTPv1 or VTPv2.
- A basis for advertising more detailed VLAN configuration than VTPv1 and VTPv2 carry.
- Better password security, through the hidden and secret keyword options, so the plaintext VTP password no longer appears in the configuration.
- Protection against unintended automatic database synchronization when a new switch is introduced: in VTPv3 only one device, the primary server, is allowed to update the VLAN database on the other switches.
- The ability to propagate databases other than the VLAN database, such as the MST mapping table.
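As an added example (not part of the original page), the following Cisco IOS configuration sets up VTPv3 with a hidden password and a single primary server, keeps a second switch as a secondary server, and takes a third switch out of VTP entirely. The hostnames, the domain name CAMPUS, the password and all output are assumptions constructed for illustration; note that vtp primary is a privileged EXEC command, not a configuration command.

```text
! --- SW1: the only switch allowed to change the VLAN database ---
SW1(config)# vtp domain CAMPUS
SW1(config)# vtp version 3
SW1(config)# vtp mode server
SW1(config)# vtp password S3cr3t-VTP hidden
! 'hidden' stores only the password hash in the configuration; 'secret'
! lets you enter a pre-computed hash instead of the plaintext.
SW1(config)# end
SW1# vtp primary vlan
This system is becoming primary server for feature vlan
No conflicting VTP3 devices found.
Do you want to continue? [confirm]
! Only the primary server for the vlan feature may modify the VLAN
! database; every other server in the domain is a secondary server and
! its local changes are rejected until it is promoted the same way.

! --- SW2: secondary server (same domain, version and password) ---
SW2(config)# vtp domain CAMPUS
SW2(config)# vtp version 3
SW2(config)# vtp mode server
SW2(config)# vtp password S3cr3t-VTP hidden

! --- SW3: must not take part in VTP at all ---
! VTPv3 adds 'off'; with v1/v2 use 'vtp mode transparent' instead.
SW3(config)# vtp mode off

! --- Verify on SW1 ---
SW1# show vtp status
VTP Version capable             : 1 to 3
VTP version running             : 3
VTP Domain Name                 : CAMPUS
VTP Pruning Mode                : Disabled
Feature VLAN:
--------------
VTP Operating Mode                : Primary Server
Number of existing VLANs          : 7
Primary ID                        : 0011.2233.4455
Primary Description               : SW1
(output abbreviated)

! With 'hidden' the password is shown only as a hash, never in the clear.
SW1# show vtp password
! Lists the other VTPv3 devices in the domain and their revision numbers.
SW1# show vtp devices
```

Before adding any switch to the domain, check show vtp status on it: a switch that is already in VTPv3 primary-server mode for the same domain would conflict with SW1, and with VTPv1 or VTPv2 a higher configuration revision number on the new switch would overwrite the domain's VLAN database, which is exactly what the VTPv3 primary-server model prevents.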
Normal VLAN configuration:
Normal-range VLANs are 1 to 1005. If the switch is in VTP server or VTP transparent mode, you can add, modify or remove configurations for VLANs 2 to 1001 in the VLAN database. VLANs 1 and 1002 to 1005 are created automatically and cannot be removed.
With VTP versions 1 and 2, the switch must be in VTP transparent mode to create extended-range VLANs (1006 to 4094). If the switch is not in transparent mode, extended-range VLAN creation fails.
You can set the following parameters when you create a new normal-range VLAN or modify an existing VLAN in the VLAN database:
- VLAN ID
- VLAN name
- VLAN state (active or suspended)
- MTU for the VLAN
- Security Association Identifier (SAID)
- Parent VLAN number (for TrCRF VLANs)
- Ring number (for FDDI and TrCRF VLANs)
- VLAN type (Ethernet, Token Ring, TrCRF or TrBRF)
These parameters make up a VLAN's entry in the VLAN database.
With VTP versions 1 and 2, the switch must be in VTP transparent mode to create extended-range VLANs (1006 to 4094); with VTPv3, extended-range VLANs can be created in server or transparent mode. Extended-range VLANs let service providers scale their infrastructure to a larger number of customers. Extended-range VLAN IDs are accepted by any switchport command that takes a VLAN ID.
With VTP versions 1 and 2, extended-range VLAN configuration is not stored in the VLAN database. Because the switch is in VTP transparent mode, it is saved in the running configuration instead, so you must copy it to the startup configuration (copy running-config startup-config in privileged EXEC) to preserve it across a reload. With VTPv3, extended-range VLANs are saved in the VLAN database.
Extended-range VLANs use IDs 1006 to 4094. You create or delete them with the CLI in config-vlan submode. Every extended-range VLAN is created with the VLAN type that is the default for the device (Ethernet). The configurable parameters are limited to the MTU size, RSPAN and private VLAN; all other parameters use their default values.
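As an added example (not part of the original page), this Cisco IOS session creates an extended-range VLAN on a switch running VTP version 2, which therefore has to be in transparent mode, and shows where the VLAN ends up. The hostname SW1, interface GigabitEthernet1/0/7, VLAN 2000 and the name SP-CUSTOMER-A are assumptions; the output is abbreviated and constructed for illustration.

```text
! Check the VTP version and mode first: with v1/v2 in server or client
! mode the "vlan 2000" command is rejected with an error.
SW1# show vtp status
VTP Version capable             : 1 to 3
VTP version running             : 2
VTP Operating Mode              : Transparent
(output abbreviated)

SW1# configure terminal
SW1(config)# vlan 2000
SW1(config-vlan)# name SP-CUSTOMER-A
! MTU, RSPAN and private-VLAN settings are the only tunable parameters
! on an extended-range VLAN; everything else keeps its default.
SW1(config-vlan)# mtu 1500
SW1(config-vlan)# exit
SW1(config)# interface GigabitEthernet1/0/7
SW1(config-if)# switchport host
SW1(config-if)# switchport access vlan 2000
SW1(config-if)# end

! With VTP v1/v2 the extended VLAN lives in running-config, not vlan.dat ...
SW1# show running-config | include ^vlan 2000
vlan 2000
! ... so it survives a reload only after saving.
SW1# copy running-config startup-config
SW1# show vlan id 2000
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
2000 SP-CUSTOMER-A                    active    Gi1/0/7
```

On a switch running VTPv3 the same vlan 2000 block can be entered in server mode, and the VLAN is then stored in vlan.dat and propagated by the primary server rather than kept in running-config.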
To carry traffic for multiple VLANs over a trunk port, the device uses 802.1Q encapsulation. Rather than wrapping the whole frame (as ISL does), 802.1Q inserts a 4-byte tag into the Ethernet frame header. The tag carries the VLAN ID of the VLAN the frame belongs to. This lets frames from multiple VLANs pass through the same port while keeping the VLANs separated, and lets a trunk carry a VLAN's traffic end to end across the network.
Native 802.1Q VLANs
The vlan dot1q tag native global configuration command was introduced to add security for traffic passing through 802.1Q trunk ports. With it enabled, the switch tags native VLAN frames on all 802.1Q trunks, and it drops untagged frames received on an 802.1Q trunk port instead of accepting them into the native VLAN.
Without this feature, tagged frames received on an 802.1Q trunk port are accepted as long as their VLAN is in the trunk's allowed list, and untagged frames are assigned the port's native VLAN ID before further processing. Only frames whose VLAN tag is within the allowed range for that dot1q port are accepted. On egress, if a frame's VLAN matches the port's native VLAN, the tag is stripped and the frame is sent untagged.
When a switch port is configured as a trunk, it tags frames with the appropriate VLAN number. By default, frames of VLAN 1 belong to the native VLAN and cross the trunk untagged. The IEEE 802.1Q committee kept the native VLAN for backward compatibility: it lets 802.1Q ports exchange untagged traffic directly with older 802.3 devices that do not understand tags. In other cases it is a disadvantage, because frames in the native VLAN lose their tag and with it their VLAN classification and identification, so the feature should be avoided where possible. There are very few situations where a native VLAN is really needed. Best practice is to change the native VLAN from VLAN 1 to an otherwise unused VLAN, and to use the same native VLAN at both ends of the trunk.
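As an added example (not part of the original page) for the trunking and native-VLAN sections above, the following Cisco IOS configuration shows the weak default trunk beside a hardened one: fixed 802.1Q encapsulation, DTP negotiation disabled, an unused native VLAN, an explicit allowed list, and native VLAN tagging enabled globally. The hostnames SW1 and SW2, interface GigabitEthernet1/0/24 and VLANs 10, 20 and 999 are assumptions; the output is abbreviated and constructed for illustration.

```text
! --- Weak default: what you get from "switchport mode trunk" alone ---
! native VLAN 1 untagged, all VLANs 1-4094 allowed, DTP still negotiating.

! --- Hardened trunk ---
SW1(config)# vlan 999
SW1(config-vlan)# name NATIVE-UNUSED
SW1(config-vlan)# exit
SW1(config)# interface GigabitEthernet1/0/24
SW1(config-if)# description Trunk to SW2 Gi1/0/24
! Only needed (and only accepted) on platforms that also support ISL.
SW1(config-if)# switchport trunk encapsulation dot1q
SW1(config-if)# switchport mode trunk
! Disable DTP so the port never negotiates its trunk state with the peer.
SW1(config-if)# switchport nonegotiate
! Native VLAN that has no hosts; must match on the SW2 side as well.
SW1(config-if)# switchport trunk native vlan 999
! Explicit allowed list instead of the default "all".
SW1(config-if)# switchport trunk allowed vlan 10,20
SW1(config-if)# exit
! Global: native-VLAN frames are sent tagged on every dot1q trunk and
! untagged frames arriving on a trunk are dropped.
SW1(config)# vlan dot1q tag native
SW1(config)# end

! --- Verify ---
SW1# show interfaces trunk
Port        Mode             Encapsulation  Status        Native vlan
Gi1/0/24    on               802.1q         trunking      999

Port        Vlans allowed on trunk
Gi1/0/24    10,20
(output abbreviated)

SW1# show interfaces GigabitEthernet1/0/24 switchport
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Negotiation of Trunking: Off
Trunking Native Mode VLAN: 999 (NATIVE-UNUSED)
Administrative Native VLAN tagging: enabled
(output abbreviated)

SW1# show vlan dot1q tag native
dot1q native vlan tagging is enabled globally
```

Apply the same interface settings on SW2's end of the link; a native VLAN mismatch between the two ends is reported by CDP as a "Native VLAN mismatch" syslog message and leaves untagged traffic crossing between two different VLANs.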
Excessive, unwanted traffic is one of the major problems of a layer 2 architecture. Manual pruning is configured on switches to stop a VLAN's flooded traffic from reaching switches that have no hosts in that VLAN. Although pruning removes some unnecessary traffic from the network, it does not necessarily simplify the spanning-tree topology. By default a trunk port allows all VLANs to pass.
VTP pruning is a global setting that affects every switch in the VTP domain, so it only needs to be enabled on one switch (a VTP server). By default all VLANs are prune-eligible, except VLAN 1 and the reserved VLANs 1002 to 1005, which are never pruned. To exclude specific VLANs from pruning, use clear vtp pruneeligible on CatOS or switchport trunk pruning vlan remove on an IOS trunk interface. Manual pruning requires configuring the trunk itself to filter specific VLANs. With VTP pruning, trunks dynamically add and remove VLANs based on the VTP join messages they receive. Manual pruning is usually configured on trunks that lead to no hosts in the filtered VLAN. Pruning also affects the spanning-tree topology.
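As an added example (not part of the original page), the following Cisco IOS session enables VTP pruning for the domain, excludes one VLAN from pruning on a trunk, manually prunes another VLAN from the same trunk's allowed list, and shows how to read the result. The hostname SW1, interface GigabitEthernet1/0/23 and VLANs 20 and 30 are assumptions; the output is abbreviated and constructed for illustration.

```text
! VTP pruning is enabled once, on a VTP server, and propagates to the
! whole domain. Switches in transparent (or off) mode do not take part.
SW1(config)# vtp pruning
SW1(config)# exit
SW1# show vtp status | include Pruning
VTP Pruning Mode                : Enabled

SW1# configure terminal
SW1(config)# interface GigabitEthernet1/0/23
! VLAN 20 must always be flooded over this trunk (for example a device
! behind it that never sends a VTP join), so take it out of the
! prune-eligible list. IOS equivalent of CatOS "clear vtp pruneeligible".
SW1(config-if)# switchport trunk pruning vlan remove 20
! Manual pruning: no host in VLAN 30 sits beyond this trunk, so drop it
! from the allowed list entirely rather than waiting for VTP to prune it.
SW1(config-if)# switchport trunk allowed vlan remove 30
SW1(config-if)# end

! Which VLANs are still prune-eligible on the trunk, and which are joined.
SW1# show interfaces GigabitEthernet1/0/23 pruning
Port        Vlans pruned for lack of request by neighbor
Gi1/0/23    40,50

Port        Vlan traffic requested of neighbor
Gi1/0/23    10,20

! The last block of "show interfaces trunk" is the effective set: allowed,
! forwarding in spanning tree, and not pruned.
SW1# show interfaces trunk
Port        Vlans allowed on trunk
Gi1/0/23    1-29,31-4094

Port        Vlans allowed and active in management domain
Gi1/0/23    1,10,20,40,50

Port        Vlans in spanning tree forwarding state and not pruned
Gi1/0/23    1,10,20
(output abbreviated)
```

VLAN 30 never appears on this trunk because it was removed from the allowed list (manual pruning), while VLANs 40 and 50 remain allowed but are pruned dynamically until a neighbour sends a VTP join for them; VLAN 20 stays forwarding regardless because it is no longer prune-eligible.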