Jaycee's Study Notes

May 9, 2009

VLAN Trunks

Filed under: IOS — Jaycee @ 4:16 pm

A. Connecting VLAN Trunks With ISL

The main purpose of a trunk is to save physical interfaces: one link carries traffic for many VLANs instead of one link per VLAN.

While trunks carry traffic for many different VLANs, they keep the VLANs separate by tagging each frame with the identification number of the VLAN it belongs to.

Because of the VLAN tagging scheme, Layer 2 frames cannot pass from one VLAN to another, so without a router there is no way to interconnect the VLANs.

Router on a stick (or one-armed router): a router is connected to a trunk so it can route between the different VLANs. The router sends packets back out of the same physical interface it received them on, just on a different subinterface (a different VLAN tag).

interface FastEthernet0/0
 no ip address
 speed 100
 full-duplex
! one subinterface per VLAN; the number after "isl" is the VLAN ID
interface FastEthernet0/0.1
 encapsulation isl 1
 ip address 172.25.1.5 255.255.255.0
! the subinterface number (.3) does not have to match the VLAN ID (574)
interface FastEthernet0/0.3
 encapsulation isl 574
 ip address 10.22.1.2 255.255.255.0

1. ISL is Cisco Proprietary.

2. No special configuration is necessary on the physical interface.

3. You need to create one subinterface on this physical interface for each different VLAN.

4. Each VLAN represents a different Layer 3 network, so you need to give each of the subinterfaces IP addresses from the corresponding IP subnets.

5. ISL supports VLAN ID numbers 1 – 1000.

B. Connecting VLAN Trunks With 802.1Q

interface FastEthernet1/0
 no ip address
 speed 100
 full-duplex
! "native" marks the VLAN whose frames are sent and received untagged
interface FastEthernet1/0.1
 encapsulation dot1q 1 native
 ip address 172.25.1.47 255.255.255.0
! every other VLAN is tagged with its ID (548 here)
interface FastEthernet1/0.3
 encapsulation dot1q 548
 ip address 10.21.1.1 255.255.255.0

1. 802.1Q is an IEEE open standard.

2. The native VLAN is the VLAN whose frames the interface sends and receives untagged, and it must match the native VLAN configured on the switch port at the other end of the trunk.

3. The native VLAN is the only VLAN whose frames do not carry an 802.1Q VLAN tag in their Layer 2 frame header.

4. There can be only one native VLAN per trunk at a time. It is NOT safe to assume that VLAN 1 will always be the native VLAN, even though the default native VLAN on many switches is VLAN 1. A native VLAN mismatch between the two ends silently puts untagged frames into a different VLAN on each side, so check show interfaces trunk on both ends (CDP also logs %CDP-4-NATIVE_VLAN_MISMATCH when it sees one).

5. 802.1Q has a 12-bit VLAN ID field (0–4095); IDs 0 and 4095 are reserved, so the usable VLAN IDs are 1–4094.

May 7, 2009

VLAN Trunking Protocol

Filed under: IOS — Jaycee @ 2:48 am

VTP allows VLAN configurations to be managed on a single switch. The changes are propagated to every switch in the VTP domain.

1. A switch can only be in one VTP domain.

2. VTP domain is null by default.

3. Switches with mismatched VTP domains will not negotiate trunk protocols.

4. Changes are made on VTP servers and propagated to VTP clients and to any other VTP servers in the domain. A VTP transparent switch receives and forwards VTP updates but does not update its own configuration. VLANs cannot be configured locally on a switch in client mode.

5. Some switches default to VTP server, while others default to VTP transparent.

6. VTP updates are called summary advertisements and contain the configuration revision number. They are followed by subset advertisements, which contain the specific VLAN information.

7. When a switch receives a VTP update:

a. compare the VTP domain name

b. compare revision number

(1) If the revision number is lower than or equal to its own revision number, the update is ignored.

(2) If the update has a higher revision number, the switch sends an advertisement request.
=> The response: another summary advertisement, followed by subset advertisement.

8. When a switch's VTP domain is null and it receives a VTP advertisement over a trunk link, it inherits the VTP domain and VLAN configuration from the switch on the other end of the trunk. This happens only over manually configured trunks, because DTP negotiation cannot take place unless a VTP domain is configured.
*On some switches, such as the Cisco 6500, the null domain will be overwritten if a VTP advertisement is received over a trunk link, and the switch will inherit the VTP domain from the advertisement.

VTP pruning prevents traffic originating from a particular VLAN from being sent to switches on which that VLAN is not active.

1. Without pruning, excess traffic is sent across trunks needlessly.

On a busy VLAN, broadcasts can amount to a significant percentage of the traffic, and they are flooded over the entire network, taking up valuable bandwidth on the inter-switch trunks even towards switches that have no ports in that VLAN.

2. Pruning is not designed to work with switches in VTP transparent mode.

3. VTP pruning must be enabled or disabled throughout the entire VTP domain. Failure to configure VTP pruning properly can result in instability in the network.

Dangers of VTP:

1. In smaller networks that are very stable, VTP should NOT be used.

2. E-commerce websites should not use VTP.

3. In larger, more dynamic environments where VTP is of use, proper procedures must be followed to ensure that unintended problems do not occur.

4. Connecting rogue switches to a production network should not be allowed without a change-control procedure being followed. The specific hazard is the configuration revision number: a switch in the same VTP domain whose revision is higher than the domain's has its VLAN database accepted by every server and client (item 7 above), wiping any VLAN that is not in it, and this happens whether the newcomer is a server or a client. Before connecting a previously used switch, reset its revision to 0 (set vtp mode transparent and back, or change the VTP domain name), and use a VTP password so that a switch without it cannot inject updates.
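The update-processing rules in items 7 and 8 and the revision-number hazard under "Dangers of VTP", modelled in Python as an added example (this is not code from the original notes). Switch names, the LAB domain, the VLANs, the password and the revision numbers are constructed sample data, and the digest is a simplification of VTP's MD5 authentication.

```python
"""VTP summary-advertisement processing and the stale-revision takeover.

Added example, not from the original notes. Domain, VLANs, password and
revision numbers are constructed; the digest stands in for VTP's MD5.
"""
from dataclasses import dataclass, field
import hashlib


@dataclass
class Advertisement:
    domain: str
    revision: int
    vlans: dict        # vid -> name, the content of the subset advertisement
    digest: str        # authenticates the advertisement, as the VTP password does


@dataclass
class Switch:
    name: str
    domain: str = ""          # "" models the null domain
    mode: str = "server"      # server | client | transparent
    revision: int = 0
    password: str = ""
    vlans: dict = field(default_factory=lambda: {1: "default"})
    log: list = field(default_factory=list)

    def _digest(self, revision: int) -> str:
        # Simplification: real VTP hashes the whole advertisement with the password.
        return hashlib.md5(f"{self.password}:{revision}".encode()).hexdigest()

    def advertise(self) -> Advertisement:
        return Advertisement(self.domain, self.revision, dict(self.vlans), self._digest(self.revision))

    def add_vlan(self, vid: int, name: str) -> None:
        if self.mode == "client":
            raise PermissionError(f"{self.name}: VLANs cannot be created in client mode")
        self.vlans[vid] = name
        if self.mode == "server":       # transparent switches never bump the revision
            self.revision += 1

    def receive(self, adv: Advertisement, manual_trunk: bool = True) -> bool:
        """Process a summary advertisement; return True if the VLAN database changed."""
        if self.domain == "" and manual_trunk:               # item 8: null domain inherits
            self.domain = adv.domain
            self.log.append(f"{self.name}: inherited domain {adv.domain}")
        if adv.domain != self.domain:                        # item 7a
            self.log.append(f"{self.name}: ignored (domain mismatch)")
            return False
        if self.mode == "transparent":                       # forwarded, never applied
            self.log.append(f"{self.name}: forwarded, not applied (transparent)")
            return False
        if adv.digest != self._digest(adv.revision):         # vtp password check
            self.log.append(f"{self.name}: ignored (password mismatch)")
            return False
        if adv.revision <= self.revision:                    # item 7b(1)
            self.log.append(f"{self.name}: ignored (revision {adv.revision} <= {self.revision})")
            return False
        self.vlans = dict(adv.vlans)                         # item 7b(2): higher revision wins
        self.revision = adv.revision
        self.log.append(f"{self.name}: applied revision {adv.revision}")
        return True


def build_domain():
    """A server with three VLANs (revision 3) and one client synced to it."""
    core = Switch("core", domain="LAB", password="cisco")
    for vid, name in [(10, "users"), (20, "servers"), (30, "voice")]:
        core.add_vlan(vid, name)
    access = Switch("access", domain="LAB", mode="client", password="cisco")
    access.receive(core.advertise())
    return core, access


def rogue_scenario(reset_first: bool = False) -> dict:
    """A lab switch (client mode, stale revision 50) is trunked into production."""
    core, access = build_domain()
    rogue = Switch("rogue", domain="LAB", mode="client", password="cisco",
                   revision=50, vlans={1: "default", 99: "lab"})
    if reset_first:
        # Change-control step: transparent mode (or a new domain name) zeroes the
        # revision, so whatever the switch sends is ignored as stale.
        rogue.mode, rogue.revision = "transparent", 0
    core.receive(rogue.advertise())
    access.receive(core.advertise())      # the server re-advertises whatever it now holds
    return {"revision": core.revision, "core": sorted(core.vlans), "access": sorted(access.vlans)}


if __name__ == "__main__":
    print("without reset:", rogue_scenario())
    print("with reset:   ", rogue_scenario(reset_first=True))
```

Note that the takeover needs neither server mode nor a console on the rogue: the same domain name, the same password (or none) and a higher revision are enough, which is why the notes insist on change control before any switch touches a production trunk.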

Configuring VTP:

1. VTP domain:

IOS(config)#vtp domain LAB

2. VTP mode:

IOS(config)#vtp mode transparent

3. VTP Password:

IOS(config)#vtp password cisco

4. VTP Pruning:

a. Enable VTP pruning:

IOS(config)#vtp pruning
Pruning switched on

IOS#sh int f0/15 switchport

Name: Fa0/15
Switchport: Enabled
Administrative Mode: trunk
Pruning VLANs Enabled: 2-1001

b. Only VLAN 100 should be eligible for pruning:

IOS(config-if)#switchport trunk pruning vlan 100

IOS#sh int f0/15 swi

Name: Fa0/15
Switchport: Enabled
Administrative Mode: trunk
Pruning VLANs Enabled: 100

April 5, 2009

SVI

Filed under: IOS, VLAN — Jaycee @ 7:23 pm

1. Layer 2 switchport modes:

a. Access – one VLAN
b. Trunk – multiple VLANs
c. Tunnel (dot1q-tunnel) – 802.1Q tunneling, a transparent Layer 2 VPN
d. Dynamic (3560 default: dynamic auto, 3550 default: dynamic desirable) – DTP negotiation

*3560 and 3550 are both Layer 3 switches (they support ip routing)

2. Layer 3 Ports:

a. Switched Virtual Interface (SVI) => vlan interfaces
b. Native routed interfaces => Fast Ethernet interfaces

3. Example:

3550# sh run int f0/1
interface FastEthernet0/1
switchport mode dynamic desirable
no ip address
end

3550# sh int f0/1 switchport
Name: Fa0/1
Administrative Mode: dynamic desirable
Switchport: Enabled <= running Layer 2
Operational Mode: trunk
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: isl
Negotiation of Trunking: On

3550# sh cdp nei
Device ID        Local Intrfce     Holdtme    Capability  Platform     Port ID
3550             Fas 0/1           172        S I         WS-C3550-2   Fas 0/1

3560# sh int f0/5 switchport
Name: Fa0/5
Switchport: Enabled
Administrative Mode: dynamic auto
Operational Mode: static access <= the other side didn't initiate a trunk, so the port fell back to access mode
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: native
Negotiation of Trunking: On <= via DTP

4. Layer 2 Trunking

a. ISL – Cisco proprietary, all traffic tagged with ISL
b. 802.1Q – open standard, "native" VLAN sent untagged => the native VLAN has to match on every switch and router sharing a trunk
c. DTP – Dynamic Trunking Protocol

*The goal of creating VLANs is to separate broadcast domains.

5. Example:

3560# sh int trunk
Port        Mode         Encapsulation  Status        Native vlan
Fa0/5       desirable    n-isl          trunking      1
Fa0/6       auto         n-isl          trunking      1

Port        Vlans allowed on trunk
Fa0/1       1-4094
Fa0/5       1-4094 <= no VLAN filtering by default
Fa0/6       1-4094

Port        Vlans allowed and active in management domain
Fa0/5       1
Fa0/6       1

Port        Vlans allowed and active in management domain
Fa0/1       1

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/1       1 <= forwarding state
Fa0/5       none <= blocking state
Fa0/6       none <= blocking state

3560(config)#int f0/5
3560(config-if)#switchport trunk encapsulation dot1q

3560# sh int trunk | in 802.1q
Fa0/4       auto         n-802.1q       trunking      1
Fa0/5       desirable    n-802.1q       trunking      1

*VLAN 1 cannot be deleted from the VLAN database. It can be removed from a trunk's allowed list with switchport trunk allowed vlan remove 1 (which stops user data for VLAN 1 on that trunk), but control protocols such as CDP, VTP and DTP are still sent over the trunk on VLAN 1.

6. You can tag the native VLAN (VLAN 1 here) if other devices do not support untagged traffic. Tagging it also removes the one case where a trunk strips a tag, which is what the double-tagging VLAN-hopping trick relies on. The command is global and applies to all 802.1Q trunks on the switch:

SW1(config)# vlan dot1q tag native

January 9, 2009

Trunking

Filed under: IOS, VLAN, VTP — Jaycee @ 5:53 pm

1. A trunk — an interface or link that can carry frames for multiple VLANs at once.
=> switches are connected at layer 2 using trunks.

2. How Trunks Work

(1) IP packets have no concept of VLANs, and neither does TCP, UDP, ICMP, or any other protocol above Layer 2.
(2) A VLAN is a Layer 2 concept, so any mention of a VLAN happens at the data-link layer.
(3) The protocols for trunking:

a. ISL — Cisco's Inter-Switch Link
b. 802.1Q — IEEE standard

(4) To accomplish the tagging of frames sent over a trunk, both sides must agree on a protocol.
=> You may configure ISL and 802.1Q trunks on the same switch and in the same network, but the two ends of any one trunk must use the same protocol.

(5) Cisco 2950 and 4000 only support 802.1Q.
(6) To determine whether a switch can use a specific trunking protocol:

a. IOS-Switch# show interface capabilities
b. Catos-Switch# show port capabilities

(7) ISL differs from 802.1Q:

a. ISL is a Cisco proprietary protocol; 802.1Q is an IEEE standard.
b. ISL encapsulates Ethernet frames within an ISL frame; 802.1Q alters existing frames to include VLAN tags.
c. ISL is only capable of supporting 1,000 VLANs; 802.1Q has a 12-bit VLAN ID field (4,096 values), of which 4,094 (IDs 1–4094) are usable.

3. ISL

(1) If an Ethernet frame has been created at the maximum size of 1,518 bytes, ISL adds a 26-byte header and a new 4-byte FCS (30 bytes in total), for a total frame size of 1,548 bytes.
(2) These frames may be counted as "giant" frame errors by equipment that does not understand ISL. Cisco equipment has no problem accepting them.

4. 802.1Q

(1) 802.1Q inserts a 4-byte tag field into the existing header, between the Source Address and Type/Length fields.
(2) The FCS (Frame Check Sequence) of the frame is recomputed to reflect the change.
(3) The maximum size for an 802.1Q frame is 1,522 bytes.
(4) It may result in "baby giant" frame errors. The frames are still supported on Cisco devices.
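The 802.1Q frame format described here, together with the native-VLAN behaviour from points 2–4 of section B in the VLAN Trunks post above, modelled in pure Python as an added example (this is not code from the original notes). It builds tagged frames, shows the 1,518 to 1,522 byte growth, strips the native VLAN's tag on trunk egress the way a switch does, and runs the double-tagged case. The MAC addresses, payloads and VLAN numbers are constructed; nothing is sent on a network.

```python
"""802.1Q tagging and native-VLAN handling, modelled in pure Python.

Added example, not code from the original notes. Addresses, payloads and
VLAN numbers are constructed; no packets are sent.
"""
import struct

TPID = 0x8100            # 802.1Q Tag Protocol Identifier
ETHERTYPE_IPV4 = 0x0800
TAG_LEN = 4              # TPID (2 bytes) + TCI (2 bytes)
FCS_LEN = 4


def tag(vid: int, pcp: int = 0) -> bytes:
    """One 802.1Q tag: TPID, then TCI = 3-bit PCP | 1-bit DEI | 12-bit VID."""
    if not 0 <= vid <= 4095:
        raise ValueError("VID must fit in 12 bits")
    return struct.pack("!HH", TPID, (pcp << 13) | vid)


def build_frame(dst: bytes, src: bytes, payload: bytes, vids=(), ethertype: int = ETHERTYPE_IPV4) -> bytes:
    """dst | src | [tags, outermost first] | ethertype | payload, without FCS."""
    return dst + src + b"".join(tag(v) for v in vids) + struct.pack("!H", ethertype) + payload


def wire_size(frame: bytes) -> int:
    """Size on the wire once the FCS is appended (1518 untagged, 1522 with one tag)."""
    return len(frame) + FCS_LEN


def parse_frame(frame: bytes):
    """Return (VIDs outermost first, ethertype, payload) for a possibly tagged frame."""
    off, vids = 12, []                      # tags sit right after the source MAC
    while off + TAG_LEN <= len(frame) and struct.unpack("!H", frame[off:off + 2])[0] == TPID:
        tci = struct.unpack("!H", frame[off + 2:off + 4])[0]
        vids.append(tci & 0x0FFF)
        off += TAG_LEN
    ethertype = struct.unpack("!H", frame[off:off + 2])[0]
    return vids, ethertype, frame[off + 2:]


def trunk_egress(frame: bytes, native_vlan: int, tag_native: bool = False) -> bytes:
    """What a switch puts on an 802.1Q trunk.

    Frames in the native VLAN go out untagged (outer tag stripped) unless the
    switch has 'vlan dot1q tag native' configured; every other VLAN keeps its tag.
    """
    vids, _, _ = parse_frame(frame)
    if vids and vids[0] == native_vlan and not tag_native:
        return frame[:12] + frame[12 + TAG_LEN:]     # drop only the outer tag
    return frame


def trunk_ingress_vlan(frame: bytes, native_vlan: int) -> int:
    """VLAN the receiving switch assigns: the outer tag if present, else its native VLAN."""
    vids, _, _ = parse_frame(frame)
    return vids[0] if vids else native_vlan


def double_tag_result(access_vlan: int, target_vlan: int, native_vlan: int, tag_native: bool = False) -> int:
    """VLAN in which the far switch delivers a double-tagged frame.

    A host on an access port in access_vlan sends a frame tagged
    [access_vlan, target_vlan]. The first switch forwards it over the trunk in
    access_vlan; if that is the trunk's native VLAN the outer tag is stripped,
    the inner tag becomes the outer one, and the far switch delivers the frame
    in target_vlan. Any other native VLAN, or a tagged native VLAN, keeps the
    frame in access_vlan.
    """
    frame = build_frame(b"\xff" * 6, bytes.fromhex("020000000001"), b"\x00" * 46,
                        vids=(access_vlan, target_vlan))     # constructed sample frame
    on_wire = trunk_egress(frame, native_vlan, tag_native)
    return trunk_ingress_vlan(on_wire, native_vlan)


if __name__ == "__main__":
    plain = build_frame(b"\xff" * 6, b"\x02" * 6, b"\x00" * 1500)
    tagged = build_frame(b"\xff" * 6, b"\x02" * 6, b"\x00" * 1500, vids=(548,))
    print("untagged:", wire_size(plain), "tagged:", wire_size(tagged))
    print("native 1, untagged native:", double_tag_result(1, 20, native_vlan=1))
    print("native 999:", double_tag_result(1, 20, native_vlan=999))
    print("native 1, tagged native:", double_tag_result(1, 20, native_vlan=1, tag_native=True))
```

double_tag_result is the reason the native VLAN on a trunk should be an otherwise unused VLAN rather than the default VLAN 1, and, where the far end tolerates it, tagged with vlan dot1q tag native: both choices keep the outer tag on the wire, so the inner tag is never exposed.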

5. Which Protocol to Use

(1) The Catalyst 4000 only supports 802.1Q.
(2) The 10-Gb blade available for the Catalyst 6509 only supports 802.1Q.
(3) The Catalyst 6509 switch supports both 802.1Q and ISL.
(4) System Requirements to Implement Trunking
(5) The trunking protocol is local to each individual trunk: two trunks on the same switch may use different protocols, but both ends of one trunk must use the same one.

6. Trunk Negotiation — DTP (Dynamic Trunking Protocol)

(1) includes the VTP domain name in the process
=> both switches must have the same VTP domain name

(2) DTP (Dynamic Trunking Protocol)

a. determines which trunking protocols are supported on each side
b. establishes a trunk if possible
c. switchport nonegotiate disables DTP on a port; the port must first be set to a static mode (switchport mode access or switchport mode trunk), because the dynamic modes depend on DTP

(3) Possible switch port modes related to trunking:

switchport mode

a. mode access — the port will never be a trunk
b. mode trunk — the port will be a trunk regardless of any other settings
c. mode dynamic desirable — the port will attempt to convert the link to a trunk
d. mode dynamic auto — the port will become a trunk if the other side is configured as trunk or dynamic desirable. It will not attempt to convert a link to a trunk. This is the default on many switches (3560, 2960), but the 3550 defaults to dynamic desirable, so check show interfaces switchport rather than assuming.

i. dynamic — means the port may become a trunk
ii. desirable — indicates the port will initiate negotiations and try to make the link a trunk
iii. auto — indicates the port will listen for DTP but will not actively attempt to become a trunk

Either dynamic mode lets whatever is plugged into the port negotiate a trunk and receive every VLAN allowed on it, so host-facing ports should be switchport mode access with switchport nonegotiate, and uplinks switchport mode trunk with switchport nonegotiate.

(4) Switchport Mode

7. Configuring Trunks on IOS switch:

(1) Configuring a trunk determine:

a. what port will be a trunk
b. what protocol the trunk will run
c. whether and how the port will negotiate
d. what VLANs are allowed on the trunk link

(2) On an IOS switch capable of both ISL and 802.1Q, you must specify a trunk encapsulation before you can configure a port as a trunk (switchport mode trunk is rejected while the encapsulation is still "negotiate"):

3550-IOS(config-if)# switchport trunk encapsulation dot1q
3550-IOS(config-if)# switchport mode trunk

(3) Remove trunking for the interface, the command to do so is switchport mode access.

(4) By default all VLANs on a switch are included in a trunk.
(5) Broadcasts from all allowed VLANs will be sent on every trunk port, excluding unneeded VLANs can save a lot of bandwidth on the trunk link.
(6) Specify which VLANs are able to traverse a trunk with the switchport trunk allowed command.
(7) More options for switchport trunk allowed vlan:

3550-IOS(config-if)# switchport trunk allowed vlan ?
  WORD    VLAN IDs of the allowed VLANs when this port is in trunking mode
  add     add VLANs to the current list
  all     all VLANs
  except  all VLANs except the following
  none    no VLANs
  remove  remove VLANs from the current list

(8) Allow only one VLAN (VLAN 100) on a trunk:

3550-IOS(config-if)# switchport trunk allowed vlan 100

(9) Show trunk ports (from privileged EXEC mode, or prefix the command with do in configuration mode):

3550-IOS# sho int trunk

(10) Allow all VLANs except VLAN 100:

3550-IOS(config-if)# switchport trunk allowed vlan except 100

(11) Remove VLANs 200 and 300 from the current list (a comma-separated list, switchport trunk allowed vlan remove 200,300, does the same in one command):

3550-IOS(config-if)# switchport trunk allowed vlan remove 200
3550-IOS(config-if)# switchport trunk allowed vlan remove 300
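The DTP modes in item 6 and the trunk settings chosen in item 7 (whether the port negotiates, which VLANs are allowed, which VLAN is native), checked from show interfaces switchport output. This is an added example, not code from the original notes: SAMPLE is constructed output for three hypothetical ports in the format shown in the SVI post above, and the finding codes and the REMEDIATION table are this example's own.

```python
"""Audit 'show interfaces switchport' text for trunk-negotiation risks.

Added example, not from the original notes. SAMPLE is constructed output for
three hypothetical ports; the finding codes are this script's own.
"""
import re

SAMPLE = """\
Name: Fa0/1
Switchport: Enabled
Administrative Mode: dynamic desirable
Operational Mode: trunk
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001

Name: Fa0/5
Switchport: Enabled
Administrative Mode: dynamic auto
Operational Mode: static access
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: native
Negotiation of Trunking: On
Access Mode VLAN: 10 (users)
Trunking Native Mode VLAN: 1 (default)
Trunking VLANs Enabled: ALL

Name: Gi0/1
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: Off
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 999 (unused-native)
Trunking VLANs Enabled: 10,20,30
"""

FIELD = re.compile(r"^([A-Za-z ]+): (.*)$")


def parse_switchport(text: str) -> dict:
    """Return {port_name: {field: value}}; a 'Name:' line starts a new port."""
    ports, current = {}, None
    for line in text.splitlines():
        m = FIELD.match(line.strip())
        if not m:
            continue
        key, value = m.group(1), m.group(2)
        if key == "Name":
            current = ports.setdefault(value, {})
        elif current is not None:
            current[key] = value
    return ports


def audit_port(fields: dict) -> list:
    """Finding codes for one port, always in the same order."""
    findings = []
    admin = fields.get("Administrative Mode", "")
    is_trunk = fields.get("Operational Mode", "") == "trunk"
    # A port that still speaks DTP (dynamic auto/desirable, or negotiation
    # left on) can be talked into becoming a trunk by whatever is attached.
    if admin.startswith("dynamic") or fields.get("Negotiation of Trunking", "") == "On":
        findings.append("DTP_ENABLED")
    if is_trunk:
        native = fields.get("Trunking Native Mode VLAN", "").split(" ")[0]
        if native == "1":
            findings.append("NATIVE_VLAN_1")
        if fields.get("Trunking VLANs Enabled", "").upper() == "ALL":
            findings.append("ALL_VLANS_ALLOWED")
    return findings


def audit(text: str) -> dict:
    """{port_name: [finding codes]} for a whole 'show interfaces switchport'."""
    return {port: audit_port(f) for port, f in parse_switchport(text).items()}


REMEDIATION = {
    "DTP_ENABLED": "switchport mode access (or trunk, as intended) + switchport nonegotiate",
    "NATIVE_VLAN_1": "switchport trunk native vlan <unused id>; consider vlan dot1q tag native",
    "ALL_VLANS_ALLOWED": "switchport trunk allowed vlan <only the VLANs this trunk needs>",
}

if __name__ == "__main__":
    for port, findings in audit(SAMPLE).items():
        for code in findings:
            print(f"{port}: {code}: {REMEDIATION[code]}")
```

Feed it the real output of show interfaces switchport instead of SAMPLE; Gi0/1 shows what a clean uplink looks like in this format (static trunk, negotiation off, an unused native VLAN, an explicit allowed list).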

