VLAN

Virtual Local Area Network (VLAN) divides large physical LAN into smaller logical segments, thus reducing the broadcast domain. VLAN is statically assigned to switch ports or dynamically to users and MAC addresses. There are two types of VLANs:

• End-to-end VLANs - members reside on different switches. Membership is governed by policies, not physical location.
• Local VLAN - members likely reside on the same switch. Membership is dictated by a physical location; for example, the same floor in a building.

Creating VLANs is easy:

 config# vlan <number>
 config# vlan <name> <-- optional command

Statically assigning VLAN to a port:

 config-if# switchport mode access
 config-if# switchport access vlan <number>

Verify the config:

1. show vlan
2. show running-config interface <if-number>
3. show mac address-table interface <if-number> vlan <vlan-number>
4. show interfaces <if-number> switchport

VLAN Trunking

A trunk is a link that carries traffic for more than one VLAN. They typically connect the switches. There are two kinds of trunks:

• Inter-Switch Link (ISL) - Cisco proprietary protocol independent, can identify CDP and BPDU frames.
• 802.1q - IEEE standard, tags the frames, supports Ethernet and Token Ring.

Cisco makes VLAN usages transparent to end-users by attaching a VLAN tag to a packet arriving to a switchport and removing it when sending the packet out. If the outgoing interface is a trunk, then the packet is encapsulated in either ISL or 802.1q and the receiving switch strips off the encapsulation and tags the packet internally. It removes the tag before sending it to end user.

When an ISL packet arrives on a non-trunking port, it is dropped. ISL does not support untagged frames, thus native VLAN has no meaning for ISL. When a 802.1q packet arrives on a non-trunking port, it is processed as a regular Ethernet packet, the tag field is ignored. Doing this, Cisco switches insist that there should be no reason to send tagged frames on a non-trunking ports!

A port can be configured as a trunk statically or dynamically.

DTP

Dynamic Trunking Protocol (DTP) defines 5 modes for a port:

• Access - end user port
• Trunk - the port negotiate trunking with the other port
• Non-negotiate - the port is a trunk but it does not do negotiation
• Dynamic desirable - Actively negotiate a trunk with the other end and becomes a trunk if the other side is configured to be either trunk, dynamic desirable or auto
• Dynamic auto - passively waits to be negotiated by the other switch, which should be configured as either dynamic desirable or trunk

DTP negotiates the encapsulation protocol (isl or dot1q) and whether the port will become a trunk or not.

For security and interoperability, it is best to configure the trunk port statically as 802.1q, change the native VLAN to the one that is not assigned to users and disable DTP:

 config-if# switchport trunk encapsulation dot1q
 config-if# switchport trunk native vlan <number>
 config-if# switchport trunk allowed vlan <numbers> <-- if not used, all VLANs are allowed over the trunk!
 config-if# switchport mode trunk
 config-if# switchport nonnegotiate
 # show running-config
 # show interfaces <if-number> trunk

Packets in the native VLAN sent over the trunk, does not have a tag.

Access ports should be set to host - that would disable Etherchannel negotiation, enables !PortFast and sets the mode to access. BPDUGuard ideally should also be enabled on the access ports!

 config-if# switchport mode host
 config-if# spanning-tree bpduguard enable

VTP

VLAN Trunking Protocol (VTP) is Cisco proprietary. It synchronizes VLAN databases in a VTP domain. All switches within the domain must have the same VTP domain name configured. VTP uses configuration revision numbers and VTP advertisements, which are sent every 5 minutes or whenever there is a change in a VLAN database (VLAN is created, deleted or renamed). If the configuration revision number is higher than local, the database is updated and new database if forwarded to other members. If it is the same, the ad is ignored. If it is lower, then the switch replies with updated database. VTP only works over the trunk links!

There are 3 VTP roles:

• Server - the default. It can create, delete and rename VLANs.
• Client - cannot make VLAN changes.
• Transparent - It can create, delete and rename its local VLANs. It does not originate ads or synchonize its database with any other switch. However, it forward the ads out its trunk links.

There are two non-compatible versions of VTP: 1 and 2.

 config# vtp server | client | transparent
 config# vtp version 1 | 2
 config# vtp domain <name>
 config# vtp password <password>
 # show vtp status

Special care must be taken when adding a new switch to the existing VTP domain: its VTP configuration revision number must be reset to 0; otherwise, it may overwrite the valid database with its own!

 config# vtp transparent
 config# delete flash:vlan.dat
 config# vtp client
 config# vtp domain <faked-name>
 # reload
 <configure the switch for VTP as usual>