3 VLANs

3.0 Chapter Introduction

3.0.1 Chapter Introduction

Page 1:
Network performance can be a factor in an organization's productivity and its reputation for delivering as promised. One of the contributing technologies to excellent network performance is the separation of large broadcast domains into smaller ones with VLANs. Smaller broadcast domains limit the number of devices participating in broadcasts and allow devices to be separated into functional groupings, such as database services for an accounting department and high-speed data transfer for an engineering department. In this chapter, you will learn how to configure, manage, and troubleshoot VLANs and trunks.


3.0.1 - Chapter Introduction
The diagram depicts the chapter objectives.
- Explain the role of VLANs in a network.
- Explain the role of trunking VLANs in a network.
- Configure VLANs on the switches in a network topology.
- Troubleshoot the common software or hardware configuration problems associated with VLANs on switches in a network topology.


3.1 Introducing VLANs

3.1.1 Introducing VLANs

Page 1:
Before VLANs

To appreciate why VLANs are being widely used today, consider a small community college with student dorms and the faculty offices all in one building. The figure shows the student computers in one LAN and the faculty computers in another LAN. This works fine because each department is physically together, so it is easy to provide them with their network resources.

Click the Many Buildings button in the figure.

A year later, the college has grown and now has three buildings. In the figure, the original network is the same, but student and faculty computers are spread out across three buildings. The student dorms remain on the fifth floor and the faculty offices remain on the third floor. However, now the IT department wants to ensure that student computers all share the same security features and bandwidth controls. How can the network accommodate the shared needs of the geographically separated departments? Do you create a large LAN and wire each department together? How easy would it be to make changes to that network? It would be great to group the people with the resources they use regardless of their geographic location, and it would make it easier to manage their specific security and bandwidth needs.


3.1.1 - Introducing VLANs
The diagram depicts the construction of LANs before the availability of VLANs. Examples of single-building and multi-building LANs are provided.

One Building
One standalone building contains two LANs, one for the students and one for the faculty, connected by a router. Three student PCs, Student 1, Student 2, and Student 3, are connected to switch S2. S2 is connected to an interface on router R1. Three faculty PCs, Faculty 1, Faculty 2, and Faculty 3, are connected to switch S3. S3 is connected to an interface on router R1. The three student PCs are labeled Fifth Floor Student Dorms LAN 1. The three faculty PCs are labeled Third Floor Faculty Offices LAN 2. Each LAN is confined to a separate switch.

Multiple Buildings
Three buildings are in a campus environment, Building 1, Building 2, and Building 3. Each building has the same LAN design and device connections as in the One Building description. The student PCs in each building are labeled Fifth Floor Student Dorms LAN 1. The faculty PCs are labeled Third Floor Faculty Offices LAN 2.


Page 2:
VLAN Overview

The solution for the community college is to use a networking technology called a virtual LAN (VLAN). A VLAN allows a network administrator to create groups of logically networked devices that act as if they are on their own independent network, even if they share a common infrastructure with other VLANs. When you configure a VLAN, you can name it to describe the primary role of the users for that VLAN. As another example, all of the student computers in a school can be configured in the "Student" VLAN. Using VLANs, you can logically segment switched networks based on functions, departments, or project teams. You can also use a VLAN to geographically structure your network to support the growing reliance of companies on home-based workers. In the figure, one VLAN is created for students and another for faculty. These VLANs allow the network administrator to implement access and security policies to particular groups of users. For example, the faculty, but not the students, can be allowed access to e-learning management servers for developing online course materials.

Click the Details button in the figure.

VLAN Details

A VLAN is a logically separate IP subnetwork. VLANs allow multiple IP networks and subnets to exist on the same switched network. The figure shows a network with three computers. For computers to communicate on the same VLAN, each must have an IP address and a subnet mask that is consistent for that VLAN. The switch has to be configured with the VLAN, and each port in the VLAN must be assigned to the VLAN. A switch port with a single VLAN configured on it is called an access port. Remember, just because two computers are physically connected to the same switch does not mean that they can communicate. Devices on two separate networks and subnets must communicate via a router (Layer 3), whether or not VLANs are used. You do not need VLANs to have multiple networks and subnets on a switched network, but there are definite advantages to using VLANs.


3.1.1 - Introducing VLANs
The diagram depicts an overview and gives details of what a VLAN is.

Overview
One standalone building contains two VLANs, one for the students and one for the faculty.
- A VLAN is an independent LAN network.
- A VLAN allows student and faculty PCs to be separated although they share the same infrastructure.
- A VLAN can be named for easier identification.

Details
Three PCs, PC1, PC2, and PC3, are connected to switch S2. PC1, with IP address 172.17.30.21, is connected to switch port F0/11. PC2, with IP address 172.17.30.22, is connected to switch port F0/18, and PC3, with IP address 172.17.30.23, is connected to switch port F0/6.

All PCs have IP addresses in the subnet defined for VLAN 30. VLAN 30 addresses consist of 172.17.30.0 /24. All switch ports are in VLAN 30.
- A VLAN equals a subnet (in modern switched LANs).
- On the switch:
  - Configure the VLAN.
  - Assign the port to the VLAN.
- On the PC, assign an IP address in the VLAN subnet.


Page 3:
Benefits of a VLAN

User productivity and network adaptability are key drivers for business growth and success. Implementing VLAN technology enables a network to more flexibly support business goals. The primary benefits of using VLANs are as follows:

  • Security - Groups that have sensitive data are separated from the rest of the network, decreasing the chances of confidential information breaches. Faculty computers are on VLAN 10 and completely separated from student and guest data traffic.
  • Cost reduction - Cost savings result from less need for expensive network upgrades and more efficient use of existing bandwidth and uplinks.
  • Higher performance - Dividing flat Layer 2 networks into multiple logical workgroups (broadcast domains) reduces unnecessary traffic on the network and boosts performance.
  • Broadcast storm mitigation - Dividing a network into VLANs reduces the number of devices that may participate in a broadcast storm. As discussed in the "Configure a Switch" chapter, LAN segmentation prevents a broadcast storm from propagating to the whole network. In the figure you can see that although there are six computers on this network, there are only three broadcast domains: Faculty, Student, and Guest.
  • Improved IT staff efficiency - VLANs make it easier to manage the network because users with similar network requirements share the same VLAN. When you provision a new switch, all the policies and procedures already configured for the particular VLAN are implemented when the ports are assigned. It is also easy for the IT staff to identify the function of a VLAN by giving it an appropriate name. In the figure, for easy identification VLAN 20 has been named "Student", VLAN 10 could be named "Faculty", and VLAN 30 "Guest."
  • Simpler project or application management - VLANs aggregate users and network devices to support business or geographic requirements. Having separate functions makes managing a project or working with a specialized application easier, for example, an e-learning development platform for faculty. It is also easier to determine the scope of the effects of upgrading network services.


3.1.1 - Introducing VLANs
The diagram depicts a multi-switch environment (three switches) with three VLANs spread across the three switches.

Network Topology:
There are three switches, S1, S2, and S3. Switch S2 port F0/1 is connected to S1 port F0/1 using a crossover cable. Switch S3 port F0/3 is connected to S1 port F0/3 using a crossover cable. Router R1 interface F0/1 is connected to switch S1 port F0/5 using a straight-through cable.

There are six PCs in total. PC1, PC2, and PC3 connect to switch S2 using ports F0/11, F0/18, and F0/6, respectively, with straight-through cables. PC4, PC5, and PC6 are connected to switch S3 using ports F0/11, F0/18, and F0/6, respectively, with straight-through cables.

PC1:
Faculty VLAN 10.
172.17.10.21 /24.

PC4:
Faculty VLAN 10.
172.17.10.24 /24.

PC2:
Student VLAN 20.
172.17.20.22 /24.

PC5:
Student VLAN 20.
172.17.20.25 /24.

PC3:
Guest VLAN 30.
172.17.30.23 /24.

PC6:
Guest VLAN 30.
172.17.30.26 /24.

Benefits of VLANs include:
- Security.
- Cost reduction.
- Higher performance.
- Broadcast storm mitigation.
- Improved IT staff efficiency.
- Simpler project and application management.


Page 4:
VLAN ID Ranges

Access VLANs are divided into either a normal range or an extended range.

Normal Range VLANs

  • Used in small- and medium-sized business and enterprise networks.
  • Identified by a VLAN ID between 1 and 1005.
  • IDs 1002 through 1005 are reserved for Token Ring and FDDI VLANs.
  • IDs 1 and 1002 to 1005 are automatically created and cannot be removed. You will learn more about VLAN 1 later in this chapter.
  • Configurations are stored within a VLAN database file, called vlan.dat. The vlan.dat file is located in the flash memory of the switch.
  • The VLAN trunking protocol (VTP), which helps manage VLAN configurations between switches, can only learn normal range VLANs and stores them in the VLAN database file.

Extended Range VLANs

  • Enable service providers to extend their infrastructure to a greater number of customers. Some global enterprises could be large enough to need extended range VLAN IDs.
  • Are identified by a VLAN ID between 1006 and 4094.
  • Support fewer VLAN features than normal range VLANs.
  • Are saved in the running configuration file.
  • VTP does not learn extended range VLANs.

255 VLANs Configurable

One Cisco Catalyst 2960 switch can support up to 255 normal range and extended range VLANs, although the number configured affects the performance of the switch hardware. Because an enterprise network may need a switch with a lot of ports, Cisco has developed enterprise-level switches that can be joined or stacked together to create a single switching unit consisting of nine separate switches. Each separate switch can have 48 ports, which totals 432 ports on a single switching unit. In this case, the 255 VLAN limit per single switch could be a constraint for some enterprise customers.
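Both the "a VLAN equals a subnet" rule from the VLAN Details page and the ID ranges above can be checked mechanically before a design is pushed to the switches. The following Python script is an added example written for this page; it is not course material or Cisco software. The VLAN plan and host inventory are constructed from the figures in this section, and PC0 deliberately reuses the 172.17.40.21 address that a later figure shows under VLAN 99, which does not lie in the 172.17.99.0/24 management subnet the same chapter assigns to that VLAN; the check flags exactly that kind of mismatch.

```python
"""Check a VLAN plan against the ID-range rules and the "VLAN equals subnet"
rule from this section. Added example for this page, not course material."""
import ipaddress

# Constructed VLAN plan modelled on the figures in this section: ID -> (name, subnet)
VLANS = {
    10: ("Faculty", "172.17.10.0/24"),
    20: ("Student", "172.17.20.0/24"),
    30: ("Guest", "172.17.30.0/24"),
    99: ("Management", "172.17.99.0/24"),
}

# Constructed host inventory: host -> (access VLAN of its switch port, IP/prefix).
# PC0 reuses the 172.17.40.21 address one figure shows under VLAN 99; that
# address is outside the 172.17.99.0/24 subnet, so it should be reported.
HOSTS = {
    "PC1": (10, "172.17.10.21/24"),
    "PC4": (10, "172.17.10.24/24"),
    "PC2": (20, "172.17.20.22/24"),
    "PC5": (20, "172.17.20.25/24"),
    "PC3": (30, "172.17.30.23/24"),
    "PC0": (99, "172.17.40.21/24"),
}


def classify_vlan_id(vid):
    """Classify a VLAN ID according to the ranges described on this page."""
    if not 1 <= vid <= 4094:
        return "invalid"
    if vid == 1:
        return "default"    # created automatically; cannot be renamed or removed
    if 1002 <= vid <= 1005:
        return "reserved"   # Token Ring / FDDI; created automatically, cannot be removed
    if vid <= 1005:
        return "normal"     # stored in vlan.dat, learned by VTP
    return "extended"       # stored in the running configuration, not learned by VTP


def check_plan(vlans, hosts, max_vlans=255):
    """Return a list of findings; an empty list means the plan is consistent."""
    findings = []
    for vid, (name, subnet) in vlans.items():
        kind = classify_vlan_id(vid)
        if kind in ("invalid", "reserved"):
            findings.append(f"VLAN {vid} ({name}): {kind} ID, cannot be used for user traffic")
        elif kind == "default":
            findings.append(f"VLAN {vid} ({name}): VLAN 1 cannot be renamed; pick another ID")
    if len(vlans) > max_vlans:
        findings.append(f"{len(vlans)} VLANs exceed the {max_vlans}-VLAN limit of one switch")
    for host, (vid, addr) in hosts.items():
        if vid not in vlans:
            findings.append(f"{host}: assigned to undefined VLAN {vid}")
            continue
        name, subnet = vlans[vid]
        # Hosts in a VLAN must carry an address and mask that place them in its subnet.
        if ipaddress.ip_interface(addr).network != ipaddress.ip_network(subnet):
            findings.append(f"{host}: {addr} is outside VLAN {vid} ({name}) subnet {subnet}")
    return findings


if __name__ == "__main__":
    for line in check_plan(VLANS, HOSTS) or ["plan is consistent"]:
        print(line)
```

Running the script reports only PC0; the other five hosts and all four VLAN IDs pass. The 255-VLAN figure is the Catalyst 2960 limit quoted above and is a parameter, since other platforms differ.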


3.1.1 - Introducing VLANs
The diagram depicts VLAN characteristics.
- VLAN ID
  - Normal-range IDs
    - 1 to 1005.
    - 1002 to 1005 reserved for Token Ring and FDDI VLANs.
    - 1 and 1002 to 1005 are automatically created and cannot be removed.
    - Stored in the vlan.dat file in flash memory.
  - Extended-range IDs
    - 1006 to 4094.
    - Designed for service providers.
    - Have fewer options than normal range VLANs.
    - Stored in the running configuration file.
A Cisco Catalyst 2960 switch supports 255 normal and extended range VLANs.


3.1.2 Types of VLANs

Page 1:
Today there is essentially one way of implementing VLANs: port-based VLANs. A port-based VLAN is associated with a switch port configured as an access port, and the VLAN assigned to that port is called its access VLAN.

However, a number of terms are used for VLANs in a network. Some terms define the type of network traffic a VLAN carries, and others define a specific function a VLAN performs. The following describes common VLAN terminology:

Roll over the Data VLAN button in the figure.

Data VLAN

A data VLAN is a VLAN that is configured to carry only user-generated traffic. A VLAN could carry voice-based traffic or traffic used to manage the switch, but this traffic would not be part of a data VLAN. It is common practice to separate voice and management traffic from data traffic. The importance of separating user data from switch management control data and voice traffic is reflected in the special term for VLANs that carry only user data: a "data VLAN". A data VLAN is sometimes referred to as a user VLAN.

Roll over the Default VLAN button in the figure.

Default VLAN

All switch ports become members of the default VLAN after the initial boot up of the switch. Having all the switch ports participate in the default VLAN makes them all part of the same broadcast domain. This allows any device connected to any switch port to communicate with other devices on other switch ports. The default VLAN for Cisco switches is VLAN 1. VLAN 1 has all the features of any VLAN, except that you cannot rename it and you cannot delete it. By default, Layer 2 control traffic, such as CDP and spanning tree protocol traffic, is associated with VLAN 1. In the figure, VLAN 1 traffic is forwarded over the VLAN trunks connecting the S1, S2, and S3 switches. It is a security best practice to change the default VLAN to a VLAN other than VLAN 1; this entails configuring all the ports on the switch to be associated with a default VLAN other than VLAN 1. VLAN trunks support the transmission of traffic from more than one VLAN. Although VLAN trunks are mentioned throughout this section, they are explained in the next section on VLAN trunking.

Note: Some network administrators use the term "default VLAN" to mean a VLAN other than VLAN 1 defined by the network administrator as the VLAN that all ports are assigned to when they are not in use. In this case, the only role that VLAN 1 plays is that of handling Layer 2 control traffic for the network.

Roll over the Native VLAN button in the figure.

Native VLAN

A native VLAN is assigned to an 802.1Q trunk port. An 802.1Q trunk port supports traffic coming from many VLANs (tagged traffic) as well as traffic that does not come from a VLAN (untagged traffic). The 802.1Q trunk port places untagged traffic on the native VLAN. In the figure, the native VLAN is VLAN 99. Untagged traffic is generated by a computer attached to a switch port that is configured with the native VLAN. Native VLANs are set out in the IEEE 802.1Q specification to maintain backward compatibility with untagged traffic common to legacy LAN scenarios. For our purposes, a native VLAN serves as a common identifier on opposing ends of a trunk link. It is a best practice to use a VLAN other than VLAN 1 as the native VLAN.

Roll over the Management VLAN button in the figure.

Management VLAN

A management VLAN is any VLAN you configure to access the management capabilities of a switch. VLAN 1 would serve as the management VLAN if you did not proactively define a unique VLAN to serve as the management VLAN. You assign the management VLAN an IP address and subnet mask. A switch can be managed via HTTP, Telnet, SSH, or SNMP. Since the out-of-the-box configuration of a Cisco switch has VLAN 1 as the default VLAN, you see that VLAN 1 would be a bad choice as the management VLAN; you wouldn't want an arbitrary user connecting to a switch to default to the management VLAN. Recall that you configured the management VLAN as VLAN 99 in the Basic Switch Concepts and Configuration chapter.

On the next page we will explore the one remaining VLAN type: voice VLANs.


3.1.2 - Types of VLANs
The diagram depicts four types of VLANs: data, default, native, and management.

Network Topology:
There are three switches, S1, S2, and S3. Switch S2 port F0/1 is connected to S1 port F0/1 using a crossover cable. Switch S3 port F0/3 is connected to S1 port F0/3 using a crossover cable. Router R1 interface F0/1 is connected to switch S1 port F0/5 using a straight-through cable.

There are five PCs in total. PC0 connects to switch S1 using port F0/4. PC2 and PC3 connect to switch S2 using ports F0/18 and F0/6, respectively. PC5 and PC6 are connected to switch S3 using ports F0/18 and F0/6, respectively.

PC0:
Management PC
VLAN 99
172.17.99.10 /24

PC2:
Student VLAN 20
172.17.20.22 /24

PC5:
Student VLAN 20
172.17.20.25 /24

PC3:
Guest VLAN 30
172.17.30.23 /24

PC6:
Guest VLAN 30
172.17.30.26 /24

Switches S1, S2, and S3:
F0/1 and F0/3 are 802.1Q trunk interfaces with native VLAN 99 (172.17.99.0 /24).

Data VLAN:
Cables are highlighted from PC2 and PC3 to switch S2, and from PC5 and PC6 to switch S3.

Default VLAN:
The ports interconnecting switches S1, S2, and S3 are highlighted. These include switch S1 ports F0/1 and F0/3, switch S2 port F0/1, and switch S3 port F0/3.

Native VLAN:
Cables are highlighted between switches S1 and S2, between S3 and S1, and between S1 and router R1.

Management VLAN:
Cables are highlighted between switches S1 and S2 and between S3 and S1. The cable between switch S1 and PC0 is also highlighted.


Page 2:
Voice VLANs

It is easy to appreciate why a separate VLAN is needed to support Voice over IP (VoIP). Imagine you are receiving an emergency call and suddenly the quality of the transmission degrades so much you cannot understand what the caller is saying. VoIP traffic requires:

  • Assured bandwidth to ensure voice quality
  • Transmission priority over other types of network traffic
  • Ability to be routed around congested areas on the network
  • Delay of less than 150 milliseconds (ms) across the network

To meet these requirements, the entire network has to be designed to support VoIP. The details of how to configure a network to support VoIP are beyond the scope of the course, but it is useful to summarize how a voice VLAN works between a switch, a Cisco IP phone, and a computer.

In the figure, VLAN 150 is designed to carry voice traffic. The student computer PC5 is attached to the Cisco IP phone, and the phone is attached to switch S3. PC5 is in VLAN 20, which is used for student data. The F0/18 port on S3 is configured to be in voice mode so that it will tell the phone to tag voice frames with VLAN 150. Data frames coming through the Cisco IP phone from PC5 are left untagged. Data destined for PC5 coming from port F0/18 is tagged with VLAN 20 on the way to the phone, which strips the VLAN tag before the data is forwarded to PC5. Tagging refers to the addition of bytes to a field in the data frame which is used by the switch to identify which VLAN the data frame should be sent to. You will learn later about how data frames are tagged.

Click the Details button in the figure.

A Cisco Phone is a Switch

The Cisco IP Phone contains an integrated three-port 10/100 switch as shown in the figure. The ports provide dedicated connections to these devices:

  • Port 1 connects to the switch or other voice-over-IP (VoIP) device.
  • Port 2 is an internal 10/100 interface that carries the IP phone traffic.
  • Port 3 (access port) connects to a PC or other device.

The figure shows one way to connect an IP Phone.

The voice VLAN feature enables switch ports to carry IP voice traffic from an IP phone. When the switch is connected to an IP Phone, the switch sends messages that instruct the attached IP phone to send voice traffic tagged with the voice VLAN ID 150. The traffic from the PC attached to the IP Phone passes through the IP phone untagged. When the switch port has been configured with a voice VLAN, the link between the switch and the IP phone acts as a trunk to carry both the tagged voice traffic and untagged data traffic.

Note: Communication between the switch and IP phone is facilitated by the CDP protocol. This protocol is discussed in greater detail in the CCNA Exploration: Routing Protocols and Concepts course.

Click the Sample Configuration button in the figure.

Sample Configuration

The figure shows sample output. A discussion of the Cisco IOS commands is beyond the scope of this course, but you can see that the highlighted areas in the sample output show the F0/18 interface configured with a VLAN for data (VLAN 20) and a VLAN for voice (VLAN 150).
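The native VLAN description in the previous page and the voice VLAN behaviour above both come down to one question a switch answers for every received frame: is there an 802.1Q tag, and if so, which VLAN ID does it carry? The Python below is an added example for this page, not course material or Cisco code. It parses the 802.1Q header from raw Ethernet bytes and then applies the two port models described in this section: a trunk that places untagged frames on its native VLAN 99, and the voice-mode access port S3 F0/18 that places untagged PC data on VLAN 20 and accepts voice frames the phone tags with VLAN 150. The port dictionaries, the build_frame helper and the constructed MAC address are the example's own assumptions.

```python
"""Classify received Ethernet frames into VLANs the way an 802.1Q trunk port
and a voice-enabled access port do. Added example for this page, not course
material; the port models below are constructed from the section's figures."""
import struct

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag

# Constructed port models: an 802.1Q trunk with native VLAN 99 (as on S1 F0/1),
# and the voice-mode access port S3 F0/18 with data VLAN 20 and voice VLAN 150.
TRUNK_S1_F0_1 = {"mode": "trunk", "native": 99, "allowed": {10, 20, 30, 99, 150}}
VOICE_S3_F0_18 = {"mode": "access", "access": 20, "voice": 150}


def parse_frame(frame):
    """Return (src_mac, vid, pcp, ethertype) from raw Ethernet bytes.
    vid and pcp are None when the frame carries no usable 802.1Q tag."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    src = frame[6:12]
    etype = struct.unpack("!H", frame[12:14])[0]
    if etype != TPID_8021Q:
        return src.hex(":"), None, None, etype
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q header")
    tci, inner = struct.unpack("!HH", frame[14:18])
    pcp, vid = tci >> 13, tci & 0x0FFF       # 3-bit priority, 12-bit VLAN ID
    # VID 0 is a "priority-tagged" frame: it carries a CoS value but names no
    # VLAN, so the switch treats it like untagged traffic.
    return src.hex(":"), (vid or None), pcp, inner


def assign_vlan(port, frame):
    """Return the VLAN a frame belongs to on this port, or None if it is dropped."""
    _, vid, _, _ = parse_frame(frame)
    if port["mode"] == "trunk":
        if vid is None:
            return port["native"]            # untagged traffic lands on the native VLAN
        return vid if vid in port["allowed"] else None
    if vid is None:
        return port["access"]                # PC data arriving through the phone is untagged
    if vid == port.get("voice"):
        return vid                           # the phone tags voice frames with the voice VLAN
    return None                              # any other tag is not accepted on an access port


def build_frame(src, vid=None, pcp=0, etype=0x0800, payload=b"\x00" * 46):
    """Build a minimal broadcast Ethernet frame, tagged when vid is given (test helper)."""
    header = b"\xff" * 6 + src
    if vid is not None:
        header += struct.pack("!HHH", TPID_8021Q, (pcp << 13) | vid, etype)
    else:
        header += struct.pack("!H", etype)
    return header + payload


if __name__ == "__main__":
    mac = bytes.fromhex("0011223344aa")      # constructed source MAC
    print("untagged on trunk ->", assign_vlan(TRUNK_S1_F0_1, build_frame(mac)))
    print("voice tag on phone port ->", assign_vlan(VOICE_S3_F0_18, build_frame(mac, vid=150, pcp=5)))
```

Two details are worth noticing in the code: a priority-tagged frame (VID 0) is not a VLAN assignment and falls back to the native or access VLAN, and a tag for any VLAN other than the voice VLAN is refused on an access port, which is what keeps a PC behind the phone from injecting itself into another VLAN by tagging its own frames.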


3.1.2 - Types of VLANs
The diagram depicts an overview of voice VLANs including details and a sample configuration with multiple images.

Network Topology:
Router R1, switch S1, and switch S3 are connected. Switch S1 port F0/3 is connected to S3 port F0/3 using a crossover cable. Router R1 interface F0/1 is connected to switch S1 port F0/5 using a straight-through cable.

A single PC, PC5, connects to an IP phone, which then connects to switch S3 port F0/18 using straight-through cables.

IP Phones in the Network:
Switch S3 port is configured to support voice traffic:
- Port sends CDP frames to provide information used by the IP phone.
- Port forwards frames associated with VLAN 150.

Switch S1 is configured to support voice traffic:
- Uses VLAN 150 for the voice VLAN.
- Prioritizes voice traffic.

The Details:
Uses the same basic network topology but expands the Cisco IP phone 7960 to show external and internal port connections. A Cisco IP phone contains an integrated three-port 10/100 switch.

The S2 switch, IP phone, and PC connections are as follows:

Switch S2 port F0/18 (connection to IP phone port P1).
Switch port configured to support voice traffic:
- Instructs phone to tag voice frames with VLAN 150.
- Prioritizes voice frames.
- Forwards data frames on VLAN 20.

IP phone port P1 (external connection to switch S2).
Configured to send untagged data traffic.

IP phone port P2 (internal connection to phone ASIC).
Configured to tag voice traffic frames with VLAN 150.

IP phone port P3 (external access port connection to PC5).
Configured to send untagged data traffic.

Sample Configuration:
Shown is sample output from the show interfaces FA0/18 switchport command. The highlighted areas in the sample output are:

Name: FA0/18
Access Mode VLAN: 20 (VLAN0020)
Voice VLAN: 150 (VLAN0150)

These show the F0/18 interface configured with a VLAN for data (VLAN 20) and a VLAN for voice (VLAN 150).


Page 3:
Network Traffic Types

In CCNA Exploration: Network Fundamentals, you learned about the different kinds of traffic a LAN handles. Because a VLAN has all the characteristics of a LAN, a VLAN must accommodate the same network traffic as a LAN.

Network Management and Control Traffic

Many different types of network management and control traffic can be present on the network, such as Cisco Discovery Protocol (CDP) updates, Simple Network Management Protocol (SNMP) traffic, and Remote Monitoring (RMON) traffic.

Roll over the Network Management button in the figure.

IP Telephony

The types of IP telephony traffic are signaling traffic and voice traffic. Signaling traffic is responsible for call setup, progress, and teardown, and traverses the network end to end. The other type of telephony traffic consists of data packets of the actual voice conversation. As you just learned, in a network configured with VLANs, it is strongly recommended to assign a VLAN other than VLAN 1 as the management VLAN. Data traffic should be associated with a data VLAN (other than VLAN 1), and voice traffic is associated with a voice VLAN.

Roll over the IP Telephony button in the figure.

IP Multicast

IP multicast traffic is sent from a particular source address to a multicast group that is identified by a single IP and MAC destination-group address pair. Examples of applications that generate this type of traffic are Cisco IP/TV broadcasts. Multicast traffic can produce a large amount of data streaming across the network. When the network must support multicast traffic, VLANs should be configured to ensure multicast traffic only goes to those user devices that use the service provided, such as remote video or audio applications. Routers must be configured to ensure that multicast traffic is forwarded to the network areas where it is requested.

Roll over the IP Multicast button in the figure.

Normal Data

Normal data traffic is related to file creation and storage, print services, e-mail, database access, and other shared network applications that are common to business uses. VLANs are a natural solution for this type of traffic because you can segment users by their functions or geographic area to more easily manage their specific needs.

Roll over the Normal Data button in the figure.

Scavenger Class

The Scavenger class is intended to provide less-than-best-effort service to certain applications. Applications assigned to this class have little or no contribution to the organizational objectives of the enterprise and are typically entertainment oriented in nature. These include peer-to-peer media-sharing applications (KaZaa, Morpheus, Grokster, Napster, iMesh, and so on), gaming applications (Doom, Quake, Unreal Tournament, and so on), and any entertainment video applications.


3.1.2 - Types of VLANs
The diagram depicts four network traffic types: network management, IP telephony, IP multicast, and normal data.

Network Topology:
There are three switches, S1, S2, and S3. Switch S2 port F0/1 is connected to S1 port F0/1 using a crossover cable. Switch S3 port F0/3 is connected to S1 port F0/3 using a crossover cable. Router R1 interface F0/1 is connected to switch S1 port F0/5 using a straight-through cable. A relational database and a Web/TFTP server are connected to R1 using crossover cables.

There are seven PCs in total. PC0 connects to switch S1 using port F0/18. PC1 and PC3 connect directly to switch S2 using ports F0/11 and F0/6, respectively. PC2 connects to an IP phone, which connects to switch S2 port F0/18.

PC4 and PC6 connect directly to switch S3 using ports F0/11 and F0/6, respectively. PC5 connects to an IP phone, which connects to switch S3 using port F0/18.

Relational Database:
VLAN 50
172.17.50.253 /24

Web/TFTP Server:
VLAN 50
172.17.50.254 /24

PC0:
Management VLAN 99
172.17.40.21 /24

PC1:
Faculty VLAN 10
172.17.10.21 /24

PC4:
Faculty VLAN 10
172.17.10.24 /24

PC2:
Student VLAN 20
172.17.20.22 /24
Voice VLAN 150

PC5:
Student VLAN 20
172.17.20.25 /24
Voice VLAN 150

PC3:
Guest VLAN 30
172.17.30.23 /24

PC6:
Guest VLAN 30
172.17.30.26 /24

Network Management:
Cables are highlighted between PC0 and switch S1, and from S1 to S2, S1 to S3, and S1 to R1.

IP Telephony:
The cables are highlighted from switch S1 to S2, S1 to S3, and S1 to R1. Switch S2 port F0/18 and switch S3 port F0/18, each of which connects to an IP phone, are also highlighted.

IP Multicast:
Cables are highlighted from switch S2 to PC1 and PC2. Cables are highlighted from S1 to S2, S1 to S3, and S1 to R1. The cable from R1 to the Web/TFTP server is highlighted, as well as the cables from switch S3 to PC4 and PC5.

Normal Data:
Cables are highlighted between all devices, except between PC0 and switch S1.


3.1.3 Switch Port Membership Modes

Page 1:
Switch Ports

Switch ports are Layer 2-only interfaces associated with a physical port. Switch ports are used for managing the physical interface and associated Layer 2 protocols. They do not handle routing or bridging. Switch ports belong to one or more VLANs.

VLAN Switch Port Modes

When you configure a VLAN, you must assign it a numeric ID, and you can optionally give it a name. The purpose of VLAN implementations is to judiciously associate ports with particular VLANs. You configure the port to forward a frame to a specific VLAN. As mentioned previously, you can configure a port in voice mode to support voice and data traffic coming from a Cisco IP phone. You can configure a port to belong to a VLAN by assigning a membership mode that specifies the kind of traffic the port carries and the VLANs to which it can belong. A port can be configured to support these VLAN types:

  • Static VLAN - Ports on a switch are manually assigned to a VLAN. Static VLANs are configured using the Cisco CLI. This can also be accomplished with GUI management applications, such as the Cisco Network Assistant. However, a convenient feature of the CLI is that if you assign an interface to a VLAN that does not exist, the new VLAN is created for you. To see a sample static-VLAN configuration, click the Static Mode Example button in the figure. When you are done, click the Port Modes button in the figure. This configuration will not be examined in detail now. You will see this configuration later in the chapter.
  • Dynamic VLAN - This mode is not widely used in production networks and is not explored in this course. However, it is useful to know what a dynamic VLAN is. A dynamic port VLAN membership is configured using a special server called a VLAN Membership Policy Server (VMPS). With the VMPS, you assign switch ports to VLANs dynamically, based on the source MAC address of the device connected to the port. The benefit is that when you move a host from a port on one switch in the network to a port on another switch in the network, the switch dynamically assigns the new port to the proper VLAN for that host.
  • Voice VLAN - A port is configured to be in voice mode so that it can support an IP phone attached to it. Before you configure a voice VLAN on the port, you need to first configure a VLAN for voice and a VLAN for data. In the figure, VLAN 150 is the voice VLAN, and VLAN 20 is the data VLAN. It is assumed that the network has been configured to ensure that voice traffic can be transmitted with a priority status over the network. When a phone is first plugged into a switch port that is in voice mode, the switch port sends messages to the phone providing the phone with the appropriate voice VLAN ID and configuration. The IP phone tags the voice frames with the voice VLAN ID and forwards all voice traffic through the voice VLAN.

To examine parts of a voice mode configuration, click the Voice Mode Example button in the figure:

  • The configuration command mls qos trust cos ensures that voice traffic is identified as priority traffic. Remember that the entire network must be set up to prioritize voice traffic. You cannot just configure the port with this command.
  • The switchport voice vlan 150 command identifies VLAN 150 as the voice VLAN. You can see this verified in the bottom screen capture: Voice VLAN: 150 (VLAN0150).
  • The switchport access vlan 20 command configures VLAN 20 as the access mode (data) VLAN. You can see this verified in the bottom screen capture: Access Mode VLAN: 20 (VLAN0020).

For more details about configuring a voice VLAN, visit this Cisco.com site: http://www.cisco.com/en/US/docs/switches/lan/catalyst2975/software/release/12.2_46_ex/configuration/guide/swvoip.html.


3.1.3 - Switch Port Membership Modes
The diagram depicts three VLAN switch port membership modes: static, dynamic, and voice. Static mode and voice mode configuration examples are provided.

Port Modes:
- Static VLAN: A PC is attached to port F0/18 on the switch, which is in VLAN 20.
- Dynamic VLAN: A PC and a VLAN Membership Policy Server (VMPS) are connected to the switch through ports F0/18 and F0/2, respectively. The VMPS assigns the PC's port to VLAN 10 based on the MAC address of the PC.
- Voice VLAN: A PC is connected to an IP phone, and the IP phone is connected to port F0/18 on the switch. The IP phone is in VLAN 150, and the PC is in VLAN 20.

Static Mode Example:
S3#configure terminal
S3(config)#interface fastEthernet 0/18
S3(config-if)#switchport mode access
S3(config-if)#switchport access vlan 20
S3(config-if)#end

Voice Mode Example:
S3#config terminal
S3(config)#interface fastEthernet 0/18
S3(config-if)#mls qos trust cos
S3(config-if)#switchport voice vlan 150
S3(config-if)#switchport mode access
S3(config-if)#switchport access vlan 20
S3(config-if)#end

The show interfaces FA0/18 switchport command shows highlighted output for Voice VLAN: 150 (VLAN0150) and Access Mode VLAN: 20 (VLAN0020).


3.1.4 Controlling Broadcast Domains with VLANs

Page 1:
Network Without VLANS

In normal operation, when a switch receives a broadcast frame on one of its ports, it forwards the frame out all other ports on the switch. In the figure, the entire network is configured in the same subnet, 172.17.40.0/24. As a result, when the faculty computer, PC1, sends out a broadcast frame, switch S2 sends that broadcast frame out all of its ports. Eventually the entire network receives it; the network is one broadcast domain.

Click the Network broadcasts with VLAN segmentation button in the figure.

Network with VLANs

In the figure, the network has been segmented into two VLANs: Faculty as VLAN 10 and Student as VLAN 20. When the broadcast frame is sent from the faculty computer, PC1, to switch S2, the switch forwards that broadcast frame only to those switch ports configured to support VLAN 10.

In the figure, the ports that make up the connection between switches S2 and S1 (ports F0/1) and between S1 and S3 (ports F0/3) have been configured to support all the VLANs in the network. This connection is called a trunk. You will learn more about trunks later in this chapter.

When S1 receives the broadcast frame on port F0/1, S1 forwards that broadcast frame out the only port configured to support VLAN 10, port F0/3. When S3 receives the broadcast frame on port F0/3, it forwards that broadcast frame out the only port configured to support VLAN 10, port F0/11. The broadcast frame arrives at the only other computer in the network configured on VLAN 10, faculty computer PC4.

When VLANs are implemented on a switch, unicast, multicast, and broadcast traffic from a host on a particular VLAN is constrained to the devices on that VLAN. Traffic only crosses from one VLAN to another through a Layer 3 device, as the next page describes.


3.1.4 - Controlling Broadcast Domains with VLANs
The animation depicts controlling network broadcast domains with VLAN segmentation. The action of broadcast frames with and without VLAN segmentation is demonstrated.

Animation One: Network Broadcasts with No VLAN Segmentation.
Network Topology:
There are three switches, S1, S2, and S3. Switch S2 port F0/1 is connected to S1 port F0/1 using a crossover cable. Switch S3 port F0/3 is connected to S1 port F0/3 using a crossover cable.

There are six PCs in total. PC1, PC2, and PC3 connect to switch S2 using ports F0/11, F0/18 and F0/6, respectively, using straight-through cables. PC4, PC5, and PC6 are connected to switch S3 using ports F0/11, F0/18, and F0/6, respectively, using straight-through cables.

PC1:
Faculty VLAN
172.17.40.21 /24

PC4:
Faculty VLAN
172.17.40.24 /24

PC2:
Student VLAN
172.17.40.22 /24

PC5:
Student VLAN
172.17.40.25 /24

PC3:
Guest VLAN
172.17.40.23 /24

PC6:
Guest VLAN
172.17.40.26 /24

The animation shows a broadcast coming from PC1 to switch S2. Switch S2 sends the broadcast to the other PCs on S2 as well as to switch S1, which passes it on to switch S3. Switch S3 sends the broadcast to all PCs connected to it.

Animation Two: Network Broadcasts with VLAN Segmentation.
Network Topology:
There are three switches, S1, S2, and S3. Switch S2 port F0/1 is connected to S1 port F0/1 using a crossover cable. Switch S3 port F0/3 is connected to S1 port F0/3 using a crossover cable.

There are four PCs in total. PC1 and PC2 connect to switch S2 using ports F0/11 and F0/18, respectively, using straight-through cables. PC4 and PC5 are connected to switch S3 using ports F0/11 and F0/18, respectively, using straight-through cables.

PC1:
Faculty VLAN 10
172.17.10.21 /24

PC4:
Faculty VLAN 10
172.17.10.24 /24

PC2:
Student VLAN 20
172.17.20.22 /24

PC5:
Student VLAN 20
172.17.20.25 /24

An arrow points to the links between S1 and S2 and to the links between S1 and S3 with the text: VLAN trunks configured to support VLANs 10 and 20.

The animation shows a broadcast coming from PC1 in VLAN 10 to switch S2, and then to S1 and S3. The broadcast is only sent to other PCs (in this case PC4) in VLAN 10. PCs in VLAN 20 (PC2 and PC5) do not see the broadcast.


Page 2:
Controlling Broadcast Domains with Switches and Routers

Breaking up a big broadcast domain into several smaller ones reduces broadcast traffic and improves network performance. Breaking up domains into VLANs also allows for better information confidentiality within an organization, because a host only sees the traffic of its own VLAN. Breaking up broadcast domains can be performed either with VLANs (on switches) or with routers. A router is needed any time devices on different Layer 3 networks need to communicate, regardless of whether VLANs are used.

Click the Intra-VLAN Communication button and click the Play button to start the animation.

Intra-VLAN Communication

In the figure, PC1, wants to communicate with another device, PC4. PC1 and PC4 are both in VLAN 10. Communicating with a device in the same VLAN is called intra-VLAN communication. The following describes how this process is accomplished:

Step 1. PC1 in VLAN 10 sends its ARP request frame (broadcast) to switch S2. Switches S2 and S1 send the ARP request frame out all ports on VLAN 10. Switch S3 sends the ARP request out port F0/11 to PC4 on VLAN 10.

Step 2. The switches in the network forward the ARP reply frame (unicast) to PC1. PC1 receives the reply which contains the MAC address of PC4.

Step 3. PC1 now has the destination MAC address of PC4 and uses this to create a unicast frame with PC4's MAC address as the destination. Switches S2, S1 and S3 deliver the frame to PC4.

Click the Inter-VLAN Communication button and click the Play button to start the animation.

Inter-VLAN Communication

In the figure, PC1 in VLAN 10 wants to communicate with PC5 in VLAN 20. Communicating with a device in another VLAN is called inter-VLAN communication.

Note: There are two connections from switch S1 to the router: one to carry transmissions on VLAN 10, and the other to carry transmissions on VLAN 20 to the router interface.

The following describes how this process is accomplished:

Step 1. PC1 in VLAN 10 wants to communicate with PC5 in VLAN 20. PC1 sends an ARP request frame for the MAC address of the default gateway R1.

Step 2. The router R1 replies with an ARP reply frame from its interface configured on VLAN 10 (F0/1).

Switches S1 and S2 forward the ARP reply frame back to PC1. The ARP reply contains the MAC address of the default gateway.

Step 3. PC1 then creates an Ethernet frame addressed to the MAC address of the default gateway. The frame is sent from switch S2 to S1, and S1 forwards it out port F0/5 to R1.

Step 4. The router R1 sends an ARP request frame on VLAN 20 to determine the MAC address of PC5. Switches S1, S2, and S3 broadcast the ARP request frame out ports configured for VLAN 20. PC5 on VLAN 20 receives the ARP request frame from router R1.

Step 5. PC5 on VLAN 20 sends an ARP reply frame to switch S3. Switches S3 and S1 forward the ARP reply frame to router R1 with the destination MAC address of interface F0/2 on router R1.

Step 6. Router R1 sends the frame received from PC1 through S1 and S3 to PC5 (on VLAN 20).


3.1.4 - Controlling Broadcast Domains with VLANs
The diagram depicts controlling broadcast domains with switches and routers. Intra-VLAN communication and inter-VLAN communication are demonstrated.

Network Topology:
There are three switches, S1, S2, and S3. Switch S2 port F0/1 is connected to S1 port F0/1 using a crossover cable. Switch S3 port F0/3 is connected to S1 port F0/3 using a crossover cable. Switch S1 port F0/5 is connected to router R1 interface F0/1. Switch S1 port F0/6 is connected to router R1 interface F0/2, both using straight-through cables.

There are four PCs in total. PC1 and PC2 connect to switch S2 using ports F0/11 and F0/18, respectively, using straight-through cables. PC4 and PC5 are connected to switch S3 using ports F0/11 and F0/18, respectively, using straight-through cables.

Router R1 Gateways
Port F0/1 - 172.17.10.1 (VLAN 10)
Port F0/2 - 172.17.20.1 (VLAN 20)

PC1:
Faculty VLAN 10
172.17.10.21

PC4:
Faculty VLAN 10
172.17.10.24

PC2:
Student VLAN 20
172.17.20.22

PC5:
Student VLAN 20
172.17.20.25

Animation One: Intra-VLAN (within a VLAN) Communication

An arrow points to the link between S1 and S2 and to the link between S1 and S3, with the text: VLAN trunks configured to support VLANs 10 and 20.

Scenario: PC1 in VLAN 10 wants to communicate with PC4 in VLAN 10. The animation shows:
Step One. A broadcast ARP request passes from PC1 in VLAN 10 to switch S2, and then to S1 and S3. The broadcast is sent to all other PCs in VLAN 10.
Step Two. PC4 receives the ARP request and sends an ARP reply back to PC1 with its MAC address.
Step Three. A unicast frame with data is sent from PC1 in VLAN 10 to switch S2, then to S1 and S3, and finally to PC4.

Animation Two: Inter-VLAN (between VLANs) Communication

Network Topology:
Same as Animation 1.

Scenario: PC1 in VLAN 10 wants to communicate with PC5 in VLAN 20. The animation shows:

Step One. PC1 sends an ARP request frame for the MAC address of the default gateway R1 via switches S2 and S1.

Step Two. The router R1 sends an ARP reply frame from its interface configured on VLAN 10.

Step Three. PC1 then sends a unicast frame with the MAC address of the default gateway to R1. The frame is sent from switch S2 to S1.

Step Four. The router R1 sends an ARP request frame on VLAN 20 to determine the MAC address of PC5. Switches S1, S2, and S3 broadcast the ARP request frame out ports configured for VLAN 20. PC5 on VLAN 20 receives the ARP request frame from router R1.

Step Five. PC5 on VLAN 20 sends an ARP reply frame to switch S3. Switches S3 and S1 forward the ARP reply frame to router R1 with the destination MAC address of interface F0/2 on router R1.

Step Six. Router R1 sends the frame received from PC1 through S1 and S3 to PC5 (on VLAN 20).


Page 3:
Controlling Broadcast Domains with VLANs and Layer 3 Forwarding

In the last chapter, you learned about some of the differences between Layer 2 and Layer 3 switches. The figure shows the Catalyst 3750G-24PS switch, one of many Cisco switches that supports Layer 3 routing. The icon that represents a Layer 3 switch is shown. A discussion of Layer 3 switching is beyond the scope of this course, but a brief description of the switch virtual interface (SVI) technology that allows a Layer 3 switch to route transmissions between VLANs is helpful.

SVI

An SVI is a logical Layer 3 interface associated with a specific VLAN. You need to configure an SVI for a VLAN if you want to route between VLANs or to provide IP host connectivity to the switch. By default, an SVI exists for the default VLAN (VLAN 1) to permit remote switch administration.

Click the Layer 3 Forwarding Example button in the figure to see an animation that presents a simplified representation of how a Layer 3 switch controls broadcast domains.

Layer 3 Forwarding

A Layer 3 switch has the ability to route transmissions between VLANs. The procedure is the same as described for the inter-VLAN communication using a separate router, except that the SVIs act as the router interfaces for routing the data between VLANs. The animation describes this process.

In the animation, PC1 wants to communicate with PC5. The following steps outline the communication through the Layer 3 switch S1:

Step 1. PC1 sends an ARP request broadcast on VLAN10. S2 forwards the ARP request out all ports configured for VLAN 10.

Step 2. Switch S1 forwards the ARP request out all ports configured for VLAN 10, including the SVI for VLAN 10. Switch S3 forwards the ARP request out all ports configured for VLAN 10.

Step 3. The SVI for VLAN 10 in switch S1 is the default gateway that PC1 asked for, and S1 also has a directly connected route to VLAN 20 through its VLAN 20 SVI. The SVI for VLAN 10 sends an ARP reply back to PC1 with its own MAC address.

Step 4. PC1 sends data, destined for PC5, as a unicast frame through switch S2 to the SVI for VLAN 10 in switch S1.

Step 5. The SVI for VLAN 20 sends an ARP request broadcast out all switch ports configured for VLAN 20. Switch S3 sends that ARP request broadcast out all switch ports configured for VLAN 20.

Step 6. PC5 on VLAN 20 sends an ARP reply. Switch S3 sends that ARP reply to S1. Switch S1 forwards the ARP reply to the SVI for VLAN 20.

Step 7. The SVI for VLAN 20 forwards the data, sent from PC1, in a unicast frame to PC5 using the destination address it learned from the ARP reply in step 6.


3.1.4 - Controlling Broadcast Domains with VLANs
The diagram depicts controlling broadcast domains with VLANs and Layer 3 forwarding.

Image description: The photograph shows a front view of a Catalyst Layer 3 switch. An equal sign associates it with an icon of a Layer 3 switch.

Animation description: Layer 3 Forwarding Example
Network Topology:
There are two Layer 2 switches (S2 and S3) and one Layer 3 switch (S1). Switch S2 port F0/1 is connected to S1 port F0/1 using a crossover cable. Switch S3 port F0/3 is connected to S1 port F0/3 using a crossover cable.

There are four PCs total. PC1 and PC2 connect to switch S2 through ports F0/11 and F0/18, respectively, using straight-through cables. PC4 and PC5 are connected to switch S3 through ports F0/11 and F0/18, respectively, using straight-through cables.

Switch S1 Switch Virtual Interfaces (SVIs):
SVI for VLAN 10
SVI for VLAN 20

PC1:
Faculty VLAN 10
172.17.10.21

PC4:
Faculty VLAN 10
172.17.10.24

PC2:
Student VLAN 20
172.17.20.22

PC5:
Student VLAN 20
172.17.20.25

An arrow points to the links between S2 and S1 and between S3 and S1 with the text: VLAN trunks configured to support VLANs 10 and 20.

Scenario: PC1 in VLAN 10 wants to communicate with PC5 in VLAN 20.

Step One. PC1 sends an ARP request broadcast on VLAN 10. S2 forwards the ARP request out all ports configured for VLAN 10.

Step Two. Switch S1 forwards the ARP request out all ports configured for VLAN 10, including the SVI for VLAN 10. Switch S3 forwards the ARP request out all ports configured for VLAN 10.

Step Three. The SVI for VLAN 10 in switch S1 is PC1's default gateway, and S1 has a directly connected route to VLAN 20 through its VLAN 20 SVI. The SVI for VLAN 10 sends an ARP reply back to PC1 with its own MAC address.

Step Four. PC1 sends data destined for PC5 as a unicast frame through switch S2 to the SVI for VLAN 10 in switch S1.

Step Five. The SVI for VLAN 20 sends an ARP request broadcast out all switch ports configured for VLAN 20. Switch S3 sends that ARP request broadcast out all switch ports configured for VLAN 20.

Step Six. PC5 on VLAN 20 sends an ARP reply. Switch S3 sends that ARP reply to S1. Switch S1 forwards the ARP reply to the SVI for VLAN 20.

Step Seven. The SVI for VLAN 20 forwards the data sent from PC1 in a unicast frame to PC5 using the destination address it learned from the ARP reply in step 6.


Page 4:
This activity opens in simulation mode and with completion at 100%. The purpose of the activity is to observe how broadcast traffic is forwarded by the switches when VLANs are configured and when VLANs are not configured. Detailed instructions are provided within the activity as well as in the PDF link below.

Activity Instructions (PDF)

Click the Packet Tracer icon for more details.


3.1.4 - Controlling Broadcast Domains with VLANs
Link to Packet Tracer Exploration: Investigating a VLAN Implementation


3.2 VLAN Trunking

3.2.1 VLAN Trunks

Page 1:
What is a Trunk?

It is hard to describe VLANs without mentioning VLAN trunks. You learned about controlling network broadcasts with VLAN segmentation, and you saw how VLAN trunks carried a VLAN's traffic between the switches where its members are attached. In the figure, the links between switches S1 and S2, and S1 and S3, are configured to transmit traffic coming from VLANs 10, 20, 30, and 99. This network simply could not function without VLAN trunks. You will find that most networks that you encounter are configured with VLAN trunks. This section brings together the knowledge you already have on VLAN trunking and provides the details you need to be able to configure VLAN trunking in a network.

Definition of a VLAN Trunk

A trunk is a point-to-point link between two network devices that carries more than one VLAN. A VLAN trunk allows you to extend the VLANs across an entire network. Cisco supports IEEE 802.1Q for coordinating trunks on Fast Ethernet and Gigabit Ethernet interfaces. You will learn about 802.1Q later in this section.

A VLAN trunk does not belong to a specific VLAN, rather it is a conduit for VLANs between switches and routers.


3.2.1 - VLAN Trunks
The diagram depicts the concept of a VLAN trunk link.

Network Topology:
There are three switches, S1, S2, and S3. Switch S2 port F0/1 is connected to S1 port F0/1 using a crossover cable. Switch S3 port F0/3 is connected to S1 port F0/3 using a crossover cable.

There are six PCs in total. PC1, PC2, and PC3 connect to switch S2 through ports F0/11, F0/18 and F0/6, respectively, using straight-through cables. PC4, PC5, and PC6 are connected to switch S3 through ports F0/11, F0/18 and F0/6, respectively, using straight-through cables.

VLAN definitions:
VLAN 10 Faculty/Staff - 172.17.10.0 /24
VLAN 20 Students - 172.17.20.0 /24
VLAN 30 Guest - 172.17.30.0 /24
VLAN 99 Management and Native - 172.17.99.0 /24

Ports:
F0/1 to F0/5 are 802.1Q trunk interfaces with native VLAN 99
F0/11 to F0/17 are in VLAN 10
F0/18 to F0/24 are in VLAN 20
F0/6 to F0/10 are in VLAN 30

PC1:
Faculty VLAN 10
172.17.10.21

PC4:
Faculty VLAN 10
172.17.10.24

PC2:
Student VLAN 20
172.17.20.22

PC5:
Student VLAN 20
172.17.20.25

PC3:
Guest VLAN 30
172.17.30.23

PC6:
Guest VLAN 30
172.17.30.26

An arrow points to the links between S1 and S2 and between S1 and S3 with the text: VLAN trunks configured to support VLANs 10, 20, and 30 and VLAN 99.


Page 2:
What Problem Does a Trunk Solve?

In the figure, you see the standard topology used in this chapter, except instead of the VLAN trunk that you are used to seeing between switches S1 and S2, there is a separate link for each subnet. There are four separate links connecting switches S1 and S2, leaving three fewer ports to allocate to end-user devices. Each time a new subnetwork is considered, a new link is needed for each switch in the network.

Click the With VLAN Trunks button in the figure.

In the figure, the network topology shows a VLAN trunk connecting switches S1 and S2 with a single physical link. This is the way a network should be configured.


3.2.1 - VLAN Trunks
The diagram depicts using a VLAN trunk link to consolidate and reduce the number of switch ports used.

Without VLAN Trunks:
There are two switches, S1 and S2. S2 is connected to S1 using four crossover cables and four ports on each switch.

There are three PCs, PC1, PC2, and PC3, which are connected to switch S2 using straight-through cables.

VLAN definitions:
Faculty - 172.17.10.0 /24
Students - 172.17.20.0 /24
Guest - 172.17.30.0 /24
Management and Native - 172.17.99.0 /24

PC1:
Faculty VLAN 10
172.17.10.21

PC2:
Student VLAN 20
172.17.20.22

PC3:
Guest VLAN 30
172.17.30.23

An oval surrounds the four links between the switches with the text:
Four switch ports, one for each subnetwork.

With VLAN Trunks:
The diagram is the same as the previous one, but the four separate interconnecting switch links are merged into one trunk link.

VLAN definitions:
VLAN 10-Faculty - 172.17.10.0 /24
VLAN 20-Students - 172.17.20.0 /24
VLAN 30-Guest - 172.17.30.0 /24
VLAN 99-Management and Native - 172.17.99.0 /24

PC1:
Faculty VLAN 10
172.17.10.21

PC2:
Student VLAN 20
172.17.20.22

PC3:
Guest VLAN 30
172.17.30.23

An oval surrounds the single link between the switches with the text:
One switch port and four VLANs: 10, 20, 30, and 99 subnetworks.


Page 3:
802.1Q Frame Tagging

Remember that switches are Layer 2 devices. They use only the Ethernet frame header to decide where to forward a frame. A standard Ethernet header has no field that says which VLAN the frame belongs to. Consequently, when Ethernet frames are placed on a trunk they need additional information about the VLAN they belong to. This is accomplished by using the 802.1Q encapsulation header, which inserts a tag into the original Ethernet frame specifying the VLAN to which the frame belongs.

Frame tagging has been mentioned a number of times. The first time was in reference to the voice mode configuration on a switch port. There you learned that once configured, a Cisco phone (which includes a small switch) tags voice frames with a VLAN ID. You also learned that VLAN IDs can be in a normal range, 1-1005, and an extended range, 1006-4094. How do VLAN IDs get inserted into a frame?

VLAN Frame Tagging Overview

Before exploring the details of an 802.1Q frame, it is helpful to understand what a switch does when it forwards a frame out a trunk link. When the switch receives a frame on a port configured in access mode with a static VLAN, the switch takes apart the frame and inserts a VLAN tag, recalculates the FCS and sends the tagged frame out a trunk port.

Note: An animation of the trunking operation is presented later in this section.

VLAN Tag Field Details

Inserting a VLAN tag adds two fields to the frame, an EtherType (TPID) field and a tag control information field, and requires the FCS field to be recalculated.

EtherType field

Set to the hexadecimal value 0x8100. This value is called the tag protocol ID (TPID) value. It occupies the position of the original EtherType/Length field, so a switch receiving the frame knows to look for the tag control information field next; the original EtherType/Length field follows the tag.

Tag control information field

The tag control information field is 2 bytes and contains:

  • 3 bits of user priority - Used by the 802.1p standard, which specifies how to provide expedited transmission of Layer 2 frames. A description of the IEEE 802.1p is beyond the scope of this course; however, you learned a little about it earlier in the discussion on voice VLANs.
  • 1 bit of Canonical Format Identifier (CFI) - Enables Token Ring frames to be carried across Ethernet links easily.
  • 12 bits of VLAN ID (VID) - VLAN identification numbers. Twelve bits give 4096 values, but 0 (a priority-only tag with no VLAN) and 4095 are reserved, leaving VLAN IDs 1 through 4094.

FCS field

After the switch inserts the EtherType and tag control information fields, it recalculates the FCS value and replaces the original one. The tagged frame is 4 bytes longer than the original untagged frame.


3.2.1 - VLAN Trunks
The diagram depicts an Ethernet frame and the use of VLAN tagging. An Ethernet frame is shown listing the following fields as they are processed. The VLAN tag control information is expanded and highlighted.

Destination MAC address (6 bytes).
Source MAC address (6 bytes).
EtherType (2 bytes, set to the hexadecimal value of 0x8100).
Tag control information (2 bytes) containing:
- 3 bits of user priority.
- 1 bit of Canonical Format Identifier (CFI).
- 12 bits of VLAN ID (VID).
Type/Length (2 bytes, the original EtherType field of the untagged frame).
Data (variable).
Pad (variable, present only when needed to reach the minimum frame size).
FCS (4 bytes, recalculated after the VLAN tag information is added).


Page 4:
Native VLANs and 802.1Q Trunking

Now that you know more about how a switch tags a frame with the correct VLAN, it is time to explore how the native VLAN supports the switch in handling tagged and untagged frames that arrive on an 802.1Q trunk port.

Tagged Frames on the Native VLAN

Some devices that support trunking tag native VLAN traffic as a default behavior. Control traffic sent on the native VLAN should be untagged. If an 802.1Q trunk port receives a tagged frame on the native VLAN, it drops the frame. Consequently, when configuring a switch port on a Cisco switch, you need to identify these devices and configure them so that they do not send tagged frames on the native VLAN. Devices from other vendors that support tagged frames on the native VLAN include IP phones, servers, routers, and non-Cisco switches.

Untagged Frames on the Native VLAN

When a Cisco switch trunk port receives untagged frames it forwards those frames to the native VLAN. As you may recall, the default native VLAN is VLAN 1. When you configure an 802.1Q trunk port, a default Port VLAN ID (PVID) is assigned the value of the native VLAN ID. All untagged traffic coming in or out of the 802.1Q port is forwarded based on the PVID value. For example, if VLAN 99 is configured as the native VLAN, the PVID is 99 and all untagged traffic is forward to VLAN 99. If the native VLAN has not been reconfigured, the PVID value is set to VLAN 1.

Click the Native VLAN Configuration Example button in the figure.

In this example, VLAN 99 will be configured as the native VLAN on port F0/1 on switch S1. This example shows how to reconfigure the native VLAN from its default setting of VLAN 1.

Starting in privileged EXEC mode, the figure describes how to configure the native VLAN on port F0/1 on switch S1 as an IEEE 802.1Q trunk with native VLAN 99.

Click the Native VLAN Verification button in the figure.

Using the show interfaces interface-id switchport command, you can quickly verify that you have correctly reconfigured the native VLAN from VLAN 1 to VLAN 99. The highlighted output in the screen capture indicates that the configuration was successful.


3.2.1 - VLAN Trunks
The diagram depicts the behavior of switches, native VLANs and 802.1Q trunking with tagged and untagged frames. Examples of native VLAN configuration and verification are provided.

Tagged and Untagged Frames:
Tagged frames on the native VLAN:
- Dropped by the switch
- Devices should not tag control traffic destined for the native VLAN
Untagged frames on the native VLAN:
- Have their PVID changed to the value of the configured native VLAN
- Remain untagged
- Are forwarded on the configured native VLAN

Native VLAN Configuration Example:

Enter global configuration mode on switch S1.
Command: S1#configure terminal

Enter interface configuration mode.
Command: S1(config)#interface F0/1

Define the F0/1 interface as an IEEE 802.1Q trunk.
Command: S1(config-if)#switchport mode trunk

Configure VLAN 99 to be the native VLAN.
Command: S1(config-if)#switchport trunk native vlan 99

Return to privileged EXEC mode.
Command: S1(config-if)#end

Native VLAN Verification:
The output from the show interfaces f0/1 switchport command has the following lines highlighted:

Administrative Trunking Encapsulation: dot1q
Access Mode VLAN: 50
Trunking Native Mode VLAN: 99 (VLAN0099)
Administrative Native VLAN tagging: enabled
Administrative Private VLAN trunk encapsulation: dot1q
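The tag insertion described under 802.1Q Frame Tagging and the native VLAN ingress rules described on this page, worked through as an added Python example that is not part of the original course material or of any Cisco software. The frame contents and MAC addresses are constructed; the FCS is computed as a standard CRC-32 over the frame; the function names (tag_frame, classify_trunk_ingress and so on) are the example's own.

```python
"""Added example (not code from the original page): build, parse and strip
802.1Q tags on raw Ethernet frames, and apply the ingress rules the page
gives for a Cisco 802.1Q trunk port (untagged -> native VLAN / PVID,
tagged with the native VID -> dropped). Frame contents are constructed."""
import struct
import zlib

TPID = 0x8100          # tag protocol ID that sits where the EtherType was


def fcs(body):
    """Ethernet FCS: CRC-32 of everything before it, little-endian on the wire."""
    return struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)


def build_untagged(dst, src, ethertype, payload):
    """Constructed sample frame: header + payload padded to 46 bytes + FCS."""
    macs = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    body = macs + struct.pack(">H", ethertype) + payload.ljust(46, b"\x00")
    return body + fcs(body)


def tag_frame(frame, vid, pcp=0, cfi=0):
    """What a switch does when an access-port frame leaves on a trunk: insert
    TPID + TCI after the source MAC and recompute the FCS. VID 0 and 4095 are
    reserved, so only 1-4094 are accepted."""
    if not 1 <= vid <= 4094:
        raise ValueError("VLAN ID must be 1-4094")
    body, old_fcs = frame[:-4], frame[-4:]
    if old_fcs != fcs(body):
        raise ValueError("input frame fails its FCS check")
    tci = (pcp & 0x7) << 13 | (cfi & 0x1) << 12 | vid
    tagged = body[:12] + struct.pack(">HH", TPID, tci) + body[12:]
    return tagged + fcs(tagged)


def parse_tag(frame):
    """Return (vid, pcp, cfi) for a tagged frame, or None if it is untagged."""
    if struct.unpack(">H", frame[12:14])[0] != TPID:
        return None
    tci = struct.unpack(">H", frame[14:16])[0]
    return tci & 0x0FFF, tci >> 13, (tci >> 12) & 1


def untag_frame(frame):
    """What an access port does on egress: remove the 4-byte tag, recompute FCS."""
    if parse_tag(frame) is None:
        return frame
    body = frame[:12] + frame[16:-4]
    return body + fcs(body)


def classify_trunk_ingress(frame, native_vid):
    """VLAN a Cisco trunk port assigns to an arriving frame, or None if dropped.

    Untagged frames and priority-tagged frames (VID 0) belong to the PVID,
    i.e. the native VLAN; a frame tagged with the native VID is dropped
    (the default behaviour the page describes for Cisco switches)."""
    tag = parse_tag(frame)
    if tag is None or tag[0] == 0:
        return native_vid
    vid = tag[0]
    return None if vid == native_vid else vid


if __name__ == "__main__":
    arp = build_untagged("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55", 0x0806, b"constructed ARP")
    on_trunk = tag_frame(arp, 10, pcp=5)
    print(len(arp), "->", len(on_trunk), "bytes;", parse_tag(on_trunk))
    print("untagged on trunk ->", classify_trunk_ingress(arp, 99))
    print("tagged 99 on trunk ->", classify_trunk_ingress(tag_frame(arp, 99), 99))
```

The last call shows the behaviour that matters when another vendor's device tags its native VLAN: a Cisco trunk with native VLAN 99 silently drops a frame carrying VID 99, which is why the page tells you to stop such devices tagging the native VLAN.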


3.2.2 Trunking Operation

Page 1:
A Trunk in Action

You have learned how a switch handles untagged traffic on a trunk link. You now know that frames traversing a trunk are tagged with the VLAN ID of the access port the frame arrived on. In the figure, PC1 on VLAN 10 and PC3 on VLAN 30 send broadcast frames to switch S2. Switch S2 tags these frames with the appropriate VLAN ID and then forwards the frames over the trunk to switch S1. Switch S1 reads the VLAN ID on the frames and broadcasts them to each port configured to support VLAN 10 and VLAN 30. Switch S3 receives these frames and strips off the VLAN IDs and forwards them as untagged frames to PC4 on VLAN 10 and PC6 on VLAN 30.

Click Play on the animation toolbar in the figure.


3.2.2 - Trunking Operation
The animation depicts the VLAN trunking operation.

Network Topology:
There are three switches, S1, S2, and S3. Switch S2 port F0/1 is connected to S1 port F0/1 using a crossover cable. Switch S3 port F0/3 is connected to S1 port F0/3 using a crossover cable.

There are six PCs in total. PC1, PC2, and PC3 connect to switch S2 through ports F0/11, F0/18 and F0/6, respectively, using straight-through cables. PC4, PC5, and PC6 are connected to switch S3 through ports F0/11, F0/18, and F0/6, respectively, using straight-through cables.

An arrow points to the links between S1 and S2 and between S1 and S3 with the text: VLAN trunks configured to support VLANs 10, 20, and 30.

PC1:
Faculty VLAN 10
172.17.10.21

PC4:
Faculty VLAN 10
172.17.10.24

PC2:
Student VLAN 20
172.17.20.22

PC5:
Student VLAN 20
172.17.20.25

PC3:
Guest VLAN 30
172.17.30.23

PC6:
Guest VLAN 30
172.17.30.26

Step One: PC1 and PC3 scenario text:
PC1 sends out a broadcast on VLAN 10.
PC3 sends out a broadcast on VLAN 30.

Step Two: Switch S2 tags each frame with the correct VLAN ID.
Tagged Frame (from PC1): VID=10.
Tagged Frame (from PC3): VID=30.

Step Three: The S2 and S1 switches send the tagged frames out all ports configured for VLANs 10 and 30.

Step Four: S3 receives the tagged frames, strips the tags from the frames, and forwards the untagged frames out the correct ports: port F0/11 for VLAN 10 to PC4, and port F0/6 for VLAN 30 to PC6.
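The broadcast containment of section 3.1.4 and the tag-and-strip behaviour of this animation, as an added example that is not the page's or Cisco's code: a Python model of three VLAN-aware switches wired like S1, S2 and S3 in the figures. MAC addresses and the frame dictionaries are constructed for the model, and the class and function names are the example's own. It goes a little beyond the animation by also learning the MAC table per VLAN and carrying the unicast reply back to the sender.

```python
"""Added example (not code from the original page): a small model of
VLAN-aware switches joined by 802.1Q trunks, wired like the S1/S2/S3
topology in the figures. A broadcast is flooded only to ports in the
sender's VLAN, trunks carry the VLAN tag (native VLAN excepted), and the
MAC table is learned per VLAN. MAC addresses are constructed."""

BROADCAST = "ff:ff:ff:ff:ff:ff"


class Host:
    def __init__(self, name, mac, vlan):
        self.name, self.mac, self.vlan = name, mac, vlan
        self.uplink = None              # (switch, port), set by build_topology
        self.received = []

    def receive(self, frame, _port):
        self.received.append(frame)     # hosts only ever see untagged frames


class Switch:
    """ports: port -> (kind, vlan, allowed). 'access' ports carry one VLAN
    untagged; 'trunk' ports tag every VLAN except their native VLAN."""

    def __init__(self, name):
        self.name, self.ports, self.links, self.mac_table = name, {}, {}, {}

    def access(self, port, vlan):
        self.ports[port] = ("access", vlan, {vlan})

    def trunk(self, port, native, allowed):
        self.ports[port] = ("trunk", native, set(allowed) | {native})

    def receive(self, frame, in_port):
        kind, pvid, _ = self.ports[in_port]
        vid = frame.get("vid")
        if kind == "trunk" and vid == pvid:
            return                      # tagged with the native VLAN: dropped
        vlan = vid if (kind == "trunk" and vid is not None) else pvid
        self.mac_table[(vlan, frame["src"])] = in_port       # learn per VLAN
        known = self.mac_table.get((vlan, frame["dst"]))
        if known == in_port:
            return                      # destination is behind the ingress port
        targets = [known] if known else [p for p in self.ports if p != in_port]
        for port in targets:
            out_kind, out_pvid, allowed = self.ports[port]
            if vlan not in allowed:
                continue                # this port does not carry the VLAN
            egress = {k: v for k, v in frame.items() if k != "vid"}
            if out_kind == "trunk" and vlan != out_pvid:
                egress["vid"] = vlan    # tag on the trunk; native stays untagged
            neighbor, neighbor_port = self.links[port]
            neighbor.receive(egress, neighbor_port)


def build_topology():
    s1, s2, s3 = Switch("S1"), Switch("S2"), Switch("S3")
    hosts = {n: Host(n, m, v) for n, m, v in (
        ("PC1", "00:00:00:00:00:01", 10), ("PC2", "00:00:00:00:00:02", 20),
        ("PC4", "00:00:00:00:00:04", 10), ("PC5", "00:00:00:00:00:05", 20))}
    for sw, port in ((s2, "F0/1"), (s3, "F0/3")):       # 802.1Q trunks to S1
        for a, b in ((sw, s1), (s1, sw)):
            a.trunk(port, native=99, allowed={10, 20})
            a.links[port] = (b, port)
    for sw, names in ((s2, ("PC1", "PC2")), (s3, ("PC4", "PC5"))):
        for port, name in zip(("F0/11", "F0/18"), names):
            sw.access(port, hosts[name].vlan)
            sw.links[port] = (hosts[name], None)
            hosts[name].uplink = (sw, port)
    return {"S1": s1, "S2": s2, "S3": s3}, hosts


def simulate(sender="PC1", replier="PC4"):
    """Broadcast from `sender`, then a unicast reply from `replier`; return
    who saw each frame and the per-VLAN MAC table S1 learned on the way."""
    switches, hosts = build_topology()
    src, rep = hosts[sender], hosts[replier]
    sw, port = src.uplink
    sw.receive({"dst": BROADCAST, "src": src.mac, "kind": "ARP request"}, port)
    saw_broadcast = sorted(h.name for h in hosts.values() if h.received)
    sw, port = rep.uplink
    sw.receive({"dst": src.mac, "src": rep.mac, "kind": "ARP reply"}, port)
    saw_reply = sorted(h.name for h in hosts.values()
                       if any(f["kind"] == "ARP reply" for f in h.received))
    return saw_broadcast, saw_reply, dict(switches["S1"].mac_table)


if __name__ == "__main__":
    print(simulate())              # (['PC4'], ['PC1'], {...S1 table...})
```

Run it and only PC4 sees PC1's broadcast, PC2 and PC5 on VLAN 20 never do, and S1's table ends up keyed by (VLAN, MAC), which is why the same MAC address could sit in two VLANs without confusing the switch.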


3.2.3 Trunking Modes

Page 1:
You have learned how 802.1Q trunking works on Cisco switch ports. Now it is time to examine the 802.1Q trunk port mode configuration options. First we need to discuss a Cisco legacy trunking protocol called inter-switch link (ISL), because you will see this option in the switch software configuration guides.

IEEE, Not ISL

Although a Cisco switch can be configured to support two types of trunk ports, IEEE 802.1Q and ISL, today only 802.1Q is used. However, legacy networks may still use ISL, and it is useful to learn about each type of trunk port.

  • An IEEE 802.1Q trunk port supports simultaneous tagged and untagged traffic. An 802.1Q trunk port is assigned a default PVID, and all untagged traffic travels on the port default PVID. All untagged traffic and tagged traffic with a null VLAN ID are assumed to belong to the port default PVID. A packet with a VLAN ID equal to the outgoing port default PVID is sent untagged. All other traffic is sent with a VLAN tag.
  • In an ISL trunk port, all received packets are expected to be encapsulated with an ISL header, and all transmitted packets are sent with an ISL header. Native (non-tagged) frames received from an ISL trunk port are dropped. ISL is no longer a recommended trunk port mode, and it is not supported on a number of Cisco switches.

DTP

Dynamic Trunking Protocol (DTP) is a Cisco proprietary protocol. Switches from other vendors do not support DTP. DTP is automatically enabled on a switch port when certain trunking modes are configured on the switch port.

DTP manages trunk negotiation only if the port on the other switch is configured in a trunk mode that supports DTP. DTP supports both ISL and 802.1Q trunks. This course focuses on the 802.1Q implementation of DTP. A detailed discussion on DTP is beyond the scope of this course; however, you will enable it in the labs and activities associated with the chapter. Switches do not need DTP to do trunking, and some Cisco switches and routers do not support DTP. To learn about DTP support on Cisco switches, visit: http://www.cisco.com/en/US/tech/tk389/tk689/technologies_tech_note09186a008017f86a.shtml.

Trunking Modes

A switch port on a Cisco switch supports a number of trunking modes. The trunking mode defines how the port negotiates using DTP to set up a trunk link with its peer port. The following provides a brief description of the available trunking modes and how DTP is implemented in each.

On

The switch port is placed in the trunking state unconditionally with the command switchport mode trunk. Note that this is not the factory default for the port mode: Catalyst 2960 ports default to dynamic auto, and older models such as the 2950 default to dynamic desirable, so a port you rely on as a trunk should be set explicitly. The port still periodically sends DTP frames, called advertisements, to the remote port, announcing that it is changing to a trunking state so that a dynamic peer can follow. Regardless of what DTP information the remote port sends in response, the local port changes to, and stays in, the trunking state. It is considered to be in an unconditional (always on) trunking state.

Dynamic auto

The switch port periodically sends DTP frames to the remote port. The command used is switchport mode dynamic auto. The local switch port advertises to the remote switch port that it is able to trunk but does not request to go to the trunking state. After a DTP negotiation, the local port ends up in trunking state only if the remote port trunk mode has been configured to be on or desirable. If both ports on the switches are set to auto, they do not negotiate to be in a trunking state. They negotiate to be in the access (non-trunk) mode state.

Dynamic desirable

DTP frames are sent periodically to the remote port. The command used is switchport mode dynamic desirable. The local switch port advertises to the remote switch port that it is able to trunk and asks the remote switch port to go to the trunking state. If the local port detects that the remote has been configured in on, desirable, or auto mode, the local port ends up in trunking state. If the remote switch port has DTP turned off (switchport nonegotiate), no DTP frames are received and the local switch port remains a nontrunking port.

Turn off DTP

You can turn off DTP on a port so that it does not send DTP frames to the remote port. Use the command switchport nonegotiate; it is accepted only on a port whose mode is set to trunk or access, not on a port in a dynamic mode. Combined with switchport mode trunk, the local port is in an unconditional trunking state and does no negotiation at all. Use this feature when you need to configure a trunk with a switch from another vendor, and, as a matter of hardening, on ports that face end hosts (switchport mode access together with switchport nonegotiate) so that a device plugged into the port cannot use DTP to bring it up as a trunk.

A Trunk Mode Example

In the figure, the F0/1 ports on switches S1 and S2 are configured with trunk mode on. The F0/3 ports on switches S1 and S3 are configured to be in auto trunk mode. When the switch configurations are completed and the switches are fully configured, which link will be a trunk?

Click the Which link will be configured as a trunk? button in the figure.

The link between switches S1 and S2 becomes a trunk because the F0/1 ports on switches S1 and S2 are configured to trunk regardless of any DTP advertisements they receive, so they come up and stay in trunk port mode. The F0/3 ports on switches S1 and S3 are set to auto, so neither side asks the other to trunk, and they negotiate to be in the default state, the access (non-trunk) mode state. This results in an inactive trunk link. When you configure a trunk port to be in trunk port mode, there is no ambiguity about which state the trunk is in: it is always on. It is also easy to remember which state the trunk ports are in: if the port is supposed to be a trunk, trunk mode is on.

Note: The default switchport mode for an interface on a Catalyst 2950 switch is dynamic desirable, but the default switchport mode for an interface on a Catalyst 2960 switch is dynamic auto. If S1 and S3 were Catalyst 2950 switches with interface F0/3 in default switchport mode, the link between S1 and S3 would become an active trunk.

Click the DTP Modes button in the figure to review the mode interactions.

For information on which Cisco switches support 802.1Q, ISL, and DTP, visit: http://www.cisco.com/en/US/tech/tk389/tk689/technologies_tech_note09186a008017f86a.shtml#topic1.

For information on how to support ISL on legacy networks, visit: http://www.cisco.com/en/US/tech/tk389/tk689/tsd_technology_support_troubleshooting_technotes_list.html.


3.2.3 - Trunking Modes
The diagram depicts Dynamic Trunking Protocol (DTP) mode interactions, including initial port configuration, determining which link to configure as a trunk, and DTP modes.

Initial Port Configuration:
Network Topology:
There are three switches, S1, S2, and S3. Switch S2 port F0/1 is connected to S1 port F0/1 using a crossover cable. Switch S3 port F0/3 is connected to S1 port F0/3 using a crossover cable.

Switch S1 port F0/1 is configured with the command switchport mode trunk.

Switch S2 port F0/1 is configured with the command switchport mode trunk.

Switch S1 port F0/3 is configured with the command switchport mode dynamic auto.

Switch S3 port F0/3 is configured with the command switchport mode dynamic auto.

Determining which link is configured as a trunk:
Switch S1 links to S2. This link is a trunk.
Configuring both ports with switchport mode trunk effectively forces them to stay in trunk mode.

Switch S1 links to S3. This link is not a trunk.
Configuring both ports with switchport mode dynamic auto results in an inactive trunk link.

DTP Mode and Switch Port Mode Interactions Table:
Note: The table assumes that DTP is enabled at both ends. The command show dtp interface interface-id is used to determine the current settings of a port.

S1 Port F0/1 set to   S2 Port F0/1 set to   S1 to S2 DTP Link mode
Dynamic Auto          Dynamic Auto          Access
Dynamic Auto          Dynamic Desirable     Trunk
Dynamic Auto          Trunk                 Trunk
Dynamic Auto          Access                Access
Dynamic Desirable     Dynamic Auto          Trunk
Dynamic Desirable     Dynamic Desirable     Trunk
Dynamic Desirable     Trunk                 Trunk
Dynamic Desirable     Access                Access
Trunk                 Dynamic Auto          Trunk
Trunk                 Dynamic Desirable     Trunk
Trunk                 Trunk                 Trunk
Trunk                 Access                Not recommended
Access                Dynamic Auto          Access
Access                Dynamic Desirable     Access
Access                Trunk                 Not recommended
Access                Access                Access
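The negotiation rules in the table above, implemented as an added example that is not code from the Cisco curriculum: a short Python script that parses the interface stanzas of running-config snippets (constructed here to match the figure: S1 and S2 joined on F0/1 in trunk mode, S1 and S3 joined on F0/3 in dynamic auto), works out what each end of a link settles on under DTP, reproduces the 16-row table, and lists ports that still leave trunking negotiable. The config text, the Port class, the function names and the wording of the findings are this example's own assumptions.

```python
"""DTP trunk negotiation modelled from running-config interface stanzas.

Added example, not code from the Cisco curriculum. The config snippets are
constructed to match the figure (S1-S2 on F0/1, S1-S3 on F0/3).
"""
import re
from dataclasses import dataclass
from itertools import product


@dataclass
class Port:
    mode: str = "dynamic auto"   # Catalyst 2960 default, per the chapter's note
    nonegotiate: bool = False    # switchport nonegotiate: no DTP frames are sent


def parse_interfaces(config: str) -> dict:
    """Return {interface-name: Port} from an IOS running-config snippet."""
    ports, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"interface\s+(\S+)$", line)
        if m:
            current = m.group(1)
            ports[current] = Port()
        elif line == "!":
            current = None           # end of the interface stanza
        elif current and line.startswith("switchport mode "):
            ports[current].mode = line[len("switchport mode "):]
        elif current and line == "switchport nonegotiate":
            ports[current].nonegotiate = True
    return ports


def operational_mode(local: Port, peer: Port) -> str:
    """Mode the local port ends up in ('trunk' or 'access') given its peer."""
    if local.mode in ("trunk", "access"):
        return local.mode            # static modes ignore what the peer says
    if peer.nonegotiate:
        return "access"              # no DTP frames heard: stays non-trunking
    if peer.mode in ("trunk", "dynamic desirable"):
        return "trunk"               # peer announces or requests trunking
    if peer.mode == "dynamic auto":
        # auto only answers a request; desirable makes one, auto does not
        return "trunk" if local.mode == "dynamic desirable" else "access"
    return "access"                  # peer is an access port


def link_result(a: Port, b: Port) -> str:
    """'trunk', 'access', or 'mismatch' when only one end trunks."""
    ma, mb = operational_mode(a, b), operational_mode(b, a)
    return ma if ma == mb else "mismatch"


def negotiation_table() -> dict:
    """Reproduce the chapter's mode interaction table with DTP on at both ends."""
    modes = ("dynamic auto", "dynamic desirable", "trunk", "access")
    return {(x, y): link_result(Port(x), Port(y)) for x, y in product(modes, repeat=2)}


def dtp_findings(name: str, p: Port) -> list:
    """Hardening findings for one port (the wording is this example's own)."""
    out = []
    if p.mode.startswith("dynamic"):
        out.append(f"{name}: {p.mode} lets the connected device negotiate a trunk")
    if not p.nonegotiate:
        out.append(f"{name}: DTP frames still sent; add switchport nonegotiate")
    return out


# Constructed running-config excerpts matching the figure.
S1_CONFIG = """\
interface FastEthernet0/1
 switchport mode trunk
!
interface FastEthernet0/3
 switchport mode dynamic auto
!
interface FastEthernet0/18
 switchport mode access
 switchport access vlan 20
 switchport nonegotiate
!
"""
S2_CONFIG = "interface FastEthernet0/1\n switchport mode trunk\n!\n"
S3_CONFIG = "interface FastEthernet0/3\n switchport mode dynamic auto\n!\n"

S1, S2, S3 = (parse_interfaces(c) for c in (S1_CONFIG, S2_CONFIG, S3_CONFIG))

if __name__ == "__main__":
    print("S1-S2:", link_result(S1["FastEthernet0/1"], S2["FastEthernet0/1"]))
    print("S1-S3:", link_result(S1["FastEthernet0/3"], S3["FastEthernet0/3"]))
    for name, port in S1.items():
        for finding in dtp_findings(name, port):
            print(finding)
```

Run as a script it reports the S1-S2 link as a trunk and the S1-S3 link as access, exactly as the figure does, and flags S1 F0/3 twice (dynamic mode, DTP still on) while F0/18, an access port with nonegotiate, produces no finding. The "mismatch" result is the table's "Not recommended" row, and it also appears when a trunk port with nonegotiate faces a dynamic port, since the dynamic side never hears a DTP frame.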


Page 2:
Trunks carry the traffic of multiple VLANs through a single link, making them a vital part of communicating between switches with VLANs. This activity focuses on viewing switch configuration, trunk configuration, and VLAN tagging information. Detailed instructions are provided within the activity as well as in the PDF link below.

Activity Instructions (PDF)

Click the Packet Tracer icon for more details.


3.2.3 - Trunking Modes
Link to Packet Tracer Exploration: Investigating VLAN Trunks


3.3 Configure VLANs and Trunks

3.3.1 Configuring VLANs and Trunks Overview

Page 1:
In this chapter, you have already seen examples of the commands used to configure VLANs and VLAN trunks. In this section, you will learn the key Cisco IOS commands needed to create, delete, and verify VLANs and VLAN trunks. Often these commands have many optional parameters that extend the capabilities of the VLAN and VLAN trunk technology. These optional commands are not presented; however, references are provided if you want to research these options. The focus of this section is to provide you with the necessary skills and knowledge to configure VLANs and VLAN trunks with their key features.

In this section, you are shown the configuration and verification syntax for one side of a VLAN or trunk. In the labs and activities, you will configure both sides and verify that the link (VLAN or VLAN trunk) is configured correctly.

Note: If you want to keep the newly configured running configuration, you must save it to the startup configuration.


3.3.1 - Configuring VLANs and Trunks Overview
The diagram depicts overview text for configuring VLANs and Trunks.

Use the following steps to configure and verify VLANs and trunks on a switched network:
1. Create the VLANs.
2. Assign switch ports to VLANs statically.
3. Verify VLAN configuration.
4. Enable trunking on the inter-switch connections.
5. Verify trunk configuration.


3.3.2 Configure a VLAN

Page 1:
Add a VLAN

In this topic, you will learn how to create a static VLAN on a Cisco Catalyst switch using VLAN global configuration mode. There are two different modes for configuring VLANs on a Cisco Catalyst switch, database configuration mode and global configuration mode. Although the Cisco documentation mentions VLAN database configuration mode, it is being phased out in favor of VLAN global configuration mode.

You will configure VLANs with IDs in the normal range. Recall there are two ranges of VLAN IDs. The normal range includes IDs 1 to 1001, and extended range consists of IDs 1006 to 4094. VLAN 1 and 1002 to 1005 are reserved ID numbers. When you configure normal range VLANs, the configuration details are stored automatically in flash memory on the switch in a file called vlan.dat. Because you often configure other aspects of a Cisco switch at the same time, it is good practice to save running configuration changes to the startup configuration.

Click the Command Syntax button in the figure.

The figure reviews the Cisco IOS commands used to add a VLAN to a switch.

Click the Example button in the figure.

The figure shows how the student VLAN, VLAN 20, is configured on switch S1. In the topology example, the student computer, PC2, is not in a VLAN yet, but it has an IP address of 172.17.20.22.

Click the Verification button in figure.

The figure shows an example of using the show vlan brief command to display the contents of the vlan.dat file. The student VLAN, VLAN 20, is highlighted in the screen capture. The default VLAN IDs 1 and 1002 to 1005 are shown in the screen output.

Note: In addition to entering a single VLAN ID, you can enter a series of VLAN IDs separated by commas, or a range of VLAN IDs separated by hyphens using the vlan vlan-id command, for example: switch(config)#vlan 100,102,105-107.


3.3.2 - Configure a VLAN
The diagram depicts the Cisco IOS CLI commands and their functions for adding a VLAN. An example and verification are also provided.

Command syntax:
Switch from privileged EXEC mode to global configuration mode.
Command: S1#configure terminal

Create a VLAN where vlan-id is the VLAN number that is to be created. Switch to VLAN configuration mode for VLAN vlan-id.
Command: S1(config)#vlan vlan-id

(Optional) Specify a unique VLAN name to identify the VLAN.
If no name is entered, the VLAN number, with padded zeros, is appended to the word VLAN, for example, VLAN0020.
Command: S1(config-vlan)#name vlan-name

Return to privileged EXEC mode. You must end your configuration session for the configuration to be saved in the vlan.dat file and for the configuration to take effect.
Command: S1(config-vlan)#end

Example:
PC2 is connected to switch S1, and S1 is connected to S2. Switch S1 is configured with VLAN 20 and named student. The configuration commands to configure S1 are as follows:

S1#configure terminal
S1(config)#vlan 20
S1(config-vlan)#name student
S1(config-vlan)#end

Verification:
The output from the show vlan brief command shows the following.
VLAN: 20
Name: student
Status: active
Ports: Currently no ports in this VLAN


Page 2:
Assign a Switch Port

After you have created a VLAN, assign one or more ports to the VLAN. When you manually assign a switch port to a VLAN, it is known as a static access port. A static access port can belong to only one VLAN at a time.

Click the Command Syntax button in the figure to review the Cisco IOS commands used to assign a static access port to VLAN.

Click the Example button in the figure to see how the student VLAN, VLAN 20, is statically assigned to port F0/18 on switch S1. Port F0/18 has been assigned to VLAN 20 so the student computer, PC2, is in VLAN 20. When VLAN 20 is configured on other switches, the network administrator knows to configure the other student computers to be in the same subnet as PC2: 172.17.20.0 /24.

Click the Verification button in the figure to confirm that the show vlan brief command displays the contents of the vlan.dat file. The student VLAN, VLAN 20, is highlighted in the screen capture.


3.3.2 - Configure a VLAN
The diagram depicts the Cisco IOS CLI commands and their functions for assigning a switch port. An example and verification are also provided.

Command syntax:
Enter global configuration mode.
Command: S1#configure terminal

Enter the interface to assign the VLAN.
Command: S1(config)#interface interface-id

Define the VLAN membership mode for the port.
Command: S1(config-if)#switchport mode access

Assign the port to a VLAN.
Command: S1(config-if)#switchport access vlan vlan-id

Return to privileged EXEC mode.
Command: S1(config-if)#end

Example:
PC2 is connected to switch S1, and S1 is connected to S2. Switch S1 is configured so that port F0/18 is in VLAN 20. The configuration commands to configure S1 are as follows:

S1#configure terminal
S1(config)#interface F0/18
S1(config-if)#switchport mode access
S1(config-if)#switchport access vlan 20
S1(config-if)#end

Verification:
The output from the show vlan brief command shows the following.
VLAN: 20
Name: student
Status: active
Ports: Fa0/18


3.3.3 Managing VLANs

Page 1:
Verify VLANs and Port Memberships

After you configure the VLAN, you can validate the VLAN configurations using Cisco IOS show commands.

Click the Command Syntax button in the figure.

The command syntax for the various Cisco IOS show commands should be well known. You have used the show vlan brief command already. Examples of these commands can be seen by clicking the buttons in the figure.

Click the Show VLAN button in the figure.

In this example, you can see that the show vlan name student command does not produce very readable output. The preference here is to use the show vlan brief command. The show vlan summary command displays the count of all configured VLANs. The output shows six VLANs: 1, 1002-1005, and the student VLAN, VLAN 20.

Click the Interfaces VLAN button in the figure.

This command displays a lot of detail that is beyond the scope of this chapter. The key information appears on the second line of the screen capture, indicating that VLAN 20 is up.

Click the Interfaces Switchport button in the figure.

This command displays information that is useful to you. You can determine that the port F0/18 is assigned to VLAN 20 and that the native VLAN is VLAN 1. You have used this command to review the configuration of a voice VLAN.

For details on the show vlan command output fields, visit: http://www.cisco.com/en/US/docs/ios/lanswitch/command/reference/lsw_s2.html#wp1011412.

For details on the show interfaces command output fields, visit: http://www.cisco.com/en/US/docs/ios/12_0/interface/command/reference/irshowin.html#wp1017387.


3.3.3 - Managing VLANs
The diagram depicts the Cisco IOS CLI commands and their functions to verify VLANs and port memberships. Output examples are provided for the show vlan, show interfaces vlan, and show interfaces switchport commands.

Command syntax:
show vlan [brief | id vlan-id | name vlan-name | summary]

Display one line for each VLAN with the VLAN name, status, and its ports.
Command option: brief

Display information about a single VLAN identified by the VLAN ID number.
For vlan-id, the range is 1 to 4094.
Command option: id vlan-id

Display information about a single VLAN identified by name. The VLAN name is an ASCII string from 1 to 32 characters.
Command option: name vlan-name

Display VLAN summary information.
Command option: summary

Command syntax:
show interfaces [interface-id | vlan vlan-id] | switchport

Display valid interfaces, including type, module, port number, and port channels. The channel range is 1 to 6.
Command option: interface-id

Display VLAN identification. The range is 1 to 4094.
Command option: vlan vlan-id

Display the administrative and operational status of a switching port, including port blocking and port protection settings.
Command option: switchport

show vlan command options examples:
Output from the show vlan name student command shows the following:
VLAN: 20
Name: student
Status: active
Ports: Fa0/18

Output from the show vlan summary command shows the following:
Number of existing VLANs: 6
Number of existing VTP VLANs: 6
Number of existing extended VLANs: 0

show interfaces command options examples:
Output from the show interfaces vlan 20 command shows (highlighted): Vlan20 is up

Output from the show interfaces Fa0/18 switchport command shows (highlighted): Access Mode VLAN: 20 (student)


Page 2:
Manage Port Memberships

There are a number of ways to manage VLANs and VLAN port memberships. The figure shows the syntax for the no switchport access vlan command.

Click the Remove VLAN button in the figure.

Reassign a Port to VLAN 1

To reassign a port to VLAN 1, you can use the no switchport access vlan command in interface configuration mode. Examine the output in the show vlan brief command that immediately follows. Notice how VLAN 20 is still active. It has only been removed from interface F0/18. In the show interfaces f0/18 switchport command, you can see that the access VLAN for interface F0/18 has been reset to VLAN 1.

Click the Reassign VLAN button in the figure.

Reassign the VLAN to Another Port

A static access port can belong to only one VLAN. With Cisco IOS software, you do not need to first remove a port from its VLAN to change its VLAN membership. When you assign a static access port to a different existing VLAN, the port is automatically removed from the VLAN it was in before. In the example, port F0/11 is reassigned to VLAN 20.


3.3.3 - Managing VLANs
The diagram depicts the Cisco IOS CLI commands and their functions for managing port memberships. This includes command syntax for removing and reassigning ports and VLANs.

Removing a port from a VLAN:
Enter global configuration mode.
Command: S1#configure terminal

Enter interface configuration mode for the interface to be configured.
Command: S1(config)#interface interface-id

Remove the VLAN assignment on that switch port interface and revert it to the default VLAN membership of VLAN 1.
Command: S1(config-if)#no switchport access vlan

Return to privileged EXEC mode.
Command: S1(config-if)#end

Output from the show vlan brief command confirms that F0/18 has been removed from VLAN 20.

VLAN: 20
Name: student
Status: active
Ports: Currently no ports in this VLAN

Output from the show interfaces Fa0/18 switchport command confirms that F0/18 is now in default VLAN 1 (highlighted):
Access Mode VLAN: 1 (default)

Reassigning a port to a VLAN:
S1(config)#interface F0/11
S1(config-if)#switchport mode access
S1(config-if)#switchport access vlan 20

Output from the show vlan brief command confirms that F0/11 is now in VLAN 20.

VLAN: 20
Name: student
Status: active
Ports: Fa0/11


Page 3:
Delete VLANs

The figure provides an example of using the global configuration command no vlan vlan-id to remove VLAN 20 from the system. The show vlan brief command verifies that VLAN 20 is no longer in the vlan.dat file.

Alternatively, the entire vlan.dat file can be deleted using the command delete flash:vlan.dat from privileged EXEC mode. After the switch is reloaded, the previously configured VLANs are no longer present. This effectively returns the switch to its factory default VLAN configuration. Note that vlan.dat is separate from the startup configuration: the switchport access vlan commands on the interfaces survive the deletion, so those ports stay assigned to VLANs that no longer exist until you reconfigure them.

Note: Before deleting a VLAN, be sure to first reassign all member ports to a different VLAN. Any ports that are not moved to an active VLAN are unable to communicate with other stations after you delete the VLAN.
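The precaution in the note above, turned into a check, as an added example that is not code from the Cisco curriculum: it parses the access-port stanzas of a running-config and the port column of show vlan brief (both constructed here to resemble the S1 examples, with VLAN 20 already removed by no vlan 20 while F0/18 still carries switchport access vlan 20), lists the ports that have to be moved before a given VLAN is deleted, and finds ports whose configured access VLAN no longer exists in vlan.dat. The function names, the interface-name abbreviation table and the sample text are this example's own.

```python
"""Find access ports stranded by a VLAN deletion.

Added example, not code from the Cisco curriculum. The config and the
show vlan brief output are constructed: VLAN 20 has already been removed
with 'no vlan 20' while Fa0/18 still carries 'switchport access vlan 20'.
"""
import re

# running-config interface name prefix -> prefix used by show vlan brief (assumed table)
ABBREV = {"FastEthernet": "Fa", "GigabitEthernet": "Gi"}


def short_name(interface: str) -> str:
    """'FastEthernet0/18' -> 'Fa0/18' so both outputs name ports the same way."""
    for long, short in ABBREV.items():
        if interface.startswith(long):
            return short + interface[len(long):]
    return interface


def access_vlans(config: str) -> dict:
    """{short port name: configured access VLAN} for every port with the command set."""
    result, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"interface\s+(\S+)$", line)
        if m:
            current = short_name(m.group(1))
        elif line == "!":
            current = None                      # end of the interface stanza
        elif current and line.startswith("switchport access vlan "):
            result[current] = int(line.rsplit(" ", 1)[1])
    return result


def vlan_database(show_vlan_brief: str) -> dict:
    """{vlan id: {'name', 'status', 'ports'}} parsed from show vlan brief output."""
    vlans, current = {}, None
    for line in show_vlan_brief.splitlines():
        m = re.match(r"(\d+)\s+(\S+)\s+(\S+)\s*(.*)$", line)
        if m:                                   # a VLAN row: id, name, status, first ports
            current = int(m.group(1))
            vlans[current] = {"name": m.group(2), "status": m.group(3), "ports": []}
            port_text = m.group(4)
        elif current is not None and line.startswith(" "):
            port_text = line                    # continuation of the port column
        else:
            continue                            # header and separator lines
        vlans[current]["ports"] += [p.strip() for p in port_text.split(",") if p.strip()]
    return vlans


def ports_to_move_before_delete(vlan_id: int, config: str, show_vlan_brief: str) -> list:
    """Ports that must be reassigned before 'no vlan <vlan_id>' is issued."""
    listed = vlan_database(show_vlan_brief).get(vlan_id, {}).get("ports", [])
    configured = [p for p, v in access_vlans(config).items() if v == vlan_id]
    return sorted(set(listed) | set(configured))


def orphaned_ports(config: str, show_vlan_brief: str) -> dict:
    """{port: access VLAN} where that VLAN is not active in vlan.dat; such ports cannot communicate."""
    active = {v for v, d in vlan_database(show_vlan_brief).items() if d["status"] == "active"}
    return {p: v for p, v in access_vlans(config).items() if v not in active}


# Constructed running-config excerpt for S1.
S1_CONFIG = """\
interface FastEthernet0/1
 switchport mode trunk
!
interface FastEthernet0/11
 switchport mode access
 switchport access vlan 10
!
interface FastEthernet0/18
 switchport mode access
 switchport access vlan 20
!
"""

# Constructed show vlan brief output after 'no vlan 20': VLAN 20 is gone and Fa0/18 is listed nowhere.
SHOW_VLAN_BRIEF = """\
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/2, Fa0/3, Fa0/4, Fa0/5
                                                Fa0/6, Fa0/7
10   faculty                          active    Fa0/11
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup
"""

if __name__ == "__main__":
    print("move before 'no vlan 10':", ports_to_move_before_delete(10, S1_CONFIG, SHOW_VLAN_BRIEF))
    print("orphaned ports:", orphaned_ports(S1_CONFIG, SHOW_VLAN_BRIEF))
```

Trunk ports such as Fa0/1 never appear in the show vlan brief port column, so the check works from the access VLAN assignments in the configuration and uses show vlan brief only to learn which VLANs actually exist and are active; that is why Fa0/18, still configured for the deleted VLAN 20, is reported as orphaned even though no VLAN row lists it.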


3.3.3 - Managing VLANs
The diagram depicts the output from the show vlan brief command after using the no vlan 20 command. No VLANs, other than the defaults, are defined, and all switch ports reside in the default VLAN 1.


3.3.4 Configure a Trunk

Page 1:
Configure an 802.1Q Trunk

To configure a trunk on a switch port, use the switchport mode trunk command. When you enter trunk mode, the interface changes to permanent trunking mode, and the port enters into a DTP negotiation to convert the link into a trunk link even if the interface connecting to it does not agree to the change. In this course, you will configure a trunk using only the switchport mode trunk command. The Cisco IOS command syntax to specify a native VLAN other than VLAN 1 is shown in the figure. In the example, you configure VLAN 99 as the native VLAN.

Click the Topology button in the figure.

You are familiar with this topology. The VLANs 10, 20, and 30 will support the Faculty, Student, and Guest computers, PC1, PC2, and PC3. The F0/1 port on switch S1 will be configured as a trunk port and will forward traffic for VLANs 10, 20, and 30. VLAN 99 will be configured as the native VLAN.

Click the Example button in the figure.

The example configures port F0/1 on switch S1 as the trunk port. It reconfigures the native VLAN as VLAN 99.

A discussion of DTP and the details of how each switchport mode option works is beyond the scope of the course. For details on all of the parameters associated with the switchport mode interface command, visit: http://www.cisco.com/en/US/docs/switches/lan/catalyst2960/software/release/12.2_37_se/command/reference/cli3.html#wp1948171.


3.3.4 - Configure a Trunk
The diagram depicts the Cisco IOS CLI commands and their functions for configuring an 802.1Q trunk. The topology and a configuration example are provided.

Command syntax:
Enter global configuration mode.
Command: S1#configure terminal

Enter interface configuration mode for the interface to be configured.
Command: S1(config)#interface interface-id

Force the link connecting the switches to be a trunk link.
Command: S1(config-if)#switchport mode trunk

Specify another VLAN as the native VLAN for untagged IEEE 802.1Q trunks.
Command: S1(config-if)#switchport trunk native vlan vlan-id

Return to privileged EXEC mode.
Command: S1(config-if)#end

Topology:
Switch S1 is connected to switch S2 with a single trunk link.

There are three PCs, PC1, PC2, and PC3, connecting to switch S2 using straight-through cables.

VLAN Definitions:
VLAN 10 - Faculty/Staff - 172.17.10.0 /24
VLAN 20 - Students - 172.17.20.0 /24
VLAN 30 - Guest (Default) - 172.17.30.0 /24
VLAN 99 - Management and Native - 172.17.99.0 /24

The F0/1 port on switches S1 and S2 will be configured as a trunk port and will forward traffic for VLANs 10, 20, and 30. VLAN 99 will be configured as the native VLAN.

PC1:
Faculty VLAN 10
172.17.10.21

PC2:
Student VLAN 20
172.17.20.22

PC3:
Guest VLAN 30
172.17.30.23

Example:
S1#config terminal
S1(config)#interface F0/1
S1(config-if)#switchport mode trunk
S1(config-if)#switchport trunk native vlan 99
S1(config-if)#end


Page 2:
Verify Trunk Configuration

The figure displays the configuration of switch port F0/1 on switch S1. The command used is the show interfaces interface-ID switchport command.

The first highlighted area shows that port F0/1 has its administrative mode set to trunk: the port is in trunking mode. The next highlighted area verifies that the native VLAN is VLAN 99, the management VLAN. At the bottom of the output, the last highlighted area shows that the enabled trunking VLANs are VLANs 10, 20, and 30. Restricting the list this way requires the switchport trunk allowed vlan command; the example on the previous page did not issue it, and without it the Trunking VLANs Enabled field reads ALL, meaning every VLAN defined on the switch, VLAN 99 included, is carried across the trunk.


3.3.4 - Configure a Trunk
The diagram depicts the output from the show interfaces F0/1 switchport command used to verify trunk configuration. Highlighted lines in the output include:
Administrative Mode: trunk
Trunking Native Mode VLAN: 99 (management)
Administrative Native VLAN tagging: enabled
Pruning VLANs Enabled: 2-1001


Page 3:
Managing a Trunk Configuration

In the figure, the commands to reset the allowed VLANs and the native VLAN of the trunk to their default state are shown. The command to reset the switch port to an access port, which in effect deletes the trunk, is also shown.

Click the Reset Example button in the figure.

In the figure, the commands used to reset all trunking characteristics of a trunking interface to the default settings are highlighted in the sample output. The show interfaces f0/1 switchport command reveals that the trunk has been reconfigured to a default state.

Click the Remove Example button in the figure.

In the figure, the sample output shows the commands used to remove the trunk feature from the F0/1 switch port on switch S1. The show interfaces f0/1 switchport command reveals that the F0/1 interface is now in static access mode.


3.3.4 - Configure a Trunk
The diagram depicts the Cisco IOS CLI commands and their functions for managing a trunk configuration. It includes command syntax and reset and removal examples.

Command syntax:
Use this command in interface configuration mode to reset the allowed VLAN list on the trunk interface to its default of all VLANs.
Command: S1(config-if)#no switchport trunk allowed vlan

Reset the native VLAN back to VLAN 1.
Command: S1(config-if)#no switchport trunk native vlan

Reset the trunk port interface back to a static access mode port.
Command: S1(config-if)#switchport mode access

Reset Example:
S1(config-if)#no switchport trunk allowed vlan
S1(config-if)#no switchport trunk native vlan

Output from the show interfaces F0/1 switchport command shows that the trunk has been reconfigured to a default state:

Trunking Native Mode VLAN: 1 (default)
Trunking VLANs Enabled: ALL

Remove Example:
S1(config-if)#switchport mode access
Output from the show interfaces F0/1 switchport command shows that the F0/1 interface is now in static access mode:

Administrative Mode: static access


Page 4:
VLANs are helpful in the administration of logical groups, allowing members of a group to be easily moved, changed, or added. This activity focuses on creating and naming VLANs, assigning access ports to specific VLANs, changing the native VLAN, and configuring trunk links. Detailed instructions are provided within the activity as well as in the PDF link below.

Activity Instructions (PDF)

Click the Packet Tracer icon for more details.


3.3.4 - Configure a Trunk
Link to Packet Tracer Exploration: Configuring VLANs and Trunks


3.4 Troubleshooting VLANs and Trunks

3.4.1 Common Problems with Trunks

Page 1:
Common Problems with Trunks

In this topic, you learn about common VLAN and trunking issues, which usually are associated with incorrect configurations. When you are configuring VLANs and trunks on a switched infrastructure, these types of configuration errors are most common in the following order:

  • Native VLAN mismatches - Trunk ports are configured with different native VLANs, for example, if one port has defined VLAN 99 as the native VLAN and the other trunk port has defined VLAN 100 as the native VLAN. This configuration error generates console notifications, causes control and management traffic to be misdirected and, as you have learned, poses a security risk.
  • Trunk mode mismatches - One trunk port is configured with trunk mode "off" and the other with trunk mode "on". This configuration error causes the trunk link to stop working.
  • VLANs and IP Subnets - End user devices configured with incorrect IP addresses will not have network connectivity. Each VLAN is a logically separate IP subnetwork. Devices within the VLAN must be configured with the correct IP settings.
  • Allowed VLANs on trunks - The list of allowed VLANs on a trunk has not been updated with the current VLAN trunking requirements. In this situation, unexpected traffic or no traffic is being sent over the trunk.

If you have discovered an issue with a VLAN or trunk and do not know what the problem is, start your troubleshooting by examining the trunks for a native VLAN mismatch and then work down the list. The rest of this topic examines how to fix the common problems with trunks. The next topic presents how to identify and solve incorrectly configured VLAN and IP subnets.
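A check for the first, second and fourth problems in the list above, written as an added example that is not code from the Cisco curriculum: it parses the show interfaces switchport output from each end of a link, using the field names the figures on the following pages show (Administrative Mode, Operational Mode, Trunking Native Mode VLAN, Trunking VLANs Enabled), and reports native VLAN mismatches first, then trunk mode problems, then allowed-list differences, in the troubleshooting order the text recommends. The two output samples are constructed to match the S1-S3 native VLAN mismatch scenario on the next page; the function names, the switch labels and the message wording are this example's own.

```python
"""Trunk consistency check over 'show interfaces switchport' output.

Added example, not code from the Cisco curriculum. The sample output is
constructed to match the S1-S3 native VLAN mismatch scenario.
"""
import re

# show interfaces switchport field -> key in the parsed dict
FIELDS = {
    "Name": "name",
    "Administrative Mode": "admin_mode",
    "Operational Mode": "oper_mode",
    "Trunking Native Mode VLAN": "native",
    "Trunking VLANs Enabled": "allowed",
}


def expand_vlan_list(spec: str):
    """'10,99' -> {10, 99}; '2-5,7' -> {2, 3, 4, 5, 7}; 'ALL' -> None (every VLAN)."""
    if spec.strip().upper() == "ALL":
        return None
    vlans = set()
    for part in spec.split(","):
        part = part.strip()
        if part:
            lo, _, hi = part.partition("-")
            vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def parse_switchport(output: str, switch: str) -> dict:
    """Trunk-relevant fields of one port's show interfaces switchport output."""
    info = {}
    for line in output.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() in FIELDS:
            info[FIELDS[key.strip()]] = value.strip()
    info["name"] = f"{switch} {info.get('name', '?')}"
    # "99 (management)" or "100 (Inactive)"; Inactive means the VLAN is not in vlan.dat
    m = re.match(r"(\d+)\s*\((.*)\)", info.get("native", ""))
    info["native_id"] = int(m.group(1)) if m else None
    info["native_inactive"] = bool(m) and m.group(2).lower() == "inactive"
    info["allowed_set"] = expand_vlan_list(info.get("allowed", "ALL"))
    return info


def check_trunk(a: dict, b: dict, required=()) -> list:
    """Problems on the link a-b, in the order the chapter says to check them."""
    problems = []
    # 1. native VLAN: both ends must agree, and the VLAN must exist on each switch
    if a["native_id"] != b["native_id"]:
        problems.append(f"native VLAN mismatch: {a['name']} {a['native_id']} vs {b['name']} {b['native_id']}")
    for p in (a, b):
        if p["native_inactive"]:
            problems.append(f"{p['name']}: native VLAN {p['native_id']} is not defined on this switch")
    # 2. trunk mode: no trunk formed (e.g. dynamic auto at both ends) or only one end trunks
    trunking = [p["oper_mode"] == "trunk" for p in (a, b)]
    if not any(trunking):
        problems.append(f"no trunk formed: {a['name']} is {a['admin_mode']}, {b['name']} is {b['admin_mode']}")
    elif not all(trunking):
        down = b if trunking[0] else a
        problems.append(f"trunk mode mismatch: {down['name']} is not trunking ({down['admin_mode']})")
    # 3. allowed VLANs: a VLAN carried by one end only is dropped at the other
    if a["allowed_set"] != b["allowed_set"]:
        problems.append(f"allowed VLAN lists differ: {a['allowed']} vs {b['allowed']}")
    for p in (a, b):
        if p["allowed_set"] is not None:
            missing = sorted(set(required) - p["allowed_set"])
            if missing:
                problems.append(f"{p['name']}: VLANs {missing} must cross this trunk but are not allowed")
    return problems


# Constructed output for S1 F0/3; the S3 side differs only in its native VLAN line.
S1_F0_3 = """\
Name: Fa0/3
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 99 (management)
Administrative Native VLAN tagging: enabled
Trunking VLANs Enabled: 10,99
Pruning VLANs Enabled: 2-1001
"""
S3_F0_3_BROKEN = S1_F0_3.replace("99 (management)", "100 (Inactive)")

if __name__ == "__main__":
    s1, s3 = parse_switchport(S1_F0_3, "S1"), parse_switchport(S3_F0_3_BROKEN, "S3")
    for problem in check_trunk(s1, s3, required={10, 99}):
        print(problem)
```

Run against the broken S3 output the check prints the native VLAN mismatch (99 against 100) and the fact that VLAN 100 does not exist on S3, the two things the console message and the "(Inactive)" marker on the next page tell the technician; after switchport trunk native vlan 99 on S3 the same check returns nothing. Passing required={10, 20, 99} shows the allowed-list problem class as well, since VLAN 20 is not on either end's list.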


3.4.1 - Common Problems with Trunks
The diagram depicts an overview of common problems with VLANs and trunks.
Problem One: Native VLAN mismatches.
Result: Poses a security risk and creates unintended results.
Example: One port is defined as VLAN 99, and the other is defined as VLAN 100.

Problem Two: Trunk mode mismatches.
Result: Causes loss of network connectivity.
Example: One port is configured as trunk mode off, and the other is configured as trunk mode on.

Problem Three: VLANs and IP subnets
Result: Causes loss of network connectivity.
Example: User computers may have been configured with the incorrect IP addresses.

Problem Four: Allowed VLANs on trunks
Result: Causes unexpected traffic or no traffic being sent over the trunk.
Example: The list of allowed VLANs does not support the current VLAN trunking requirements.


Page 2:
Native VLAN Mismatches

You are a network administrator and you get a call that the person using computer PC4 cannot connect to the internal web server, WEB/TFTP server in the figure. You learn that a new technician was recently configuring switch S3. The topology diagram seems correct, so why is there a problem? You decide to check the configuration on S3.

Click the Configurations button in the figure.

As soon as you connect to switch S3, the error message shown in the top highlighted area in the figure appears in your console window. You take a look at the interface using the show interfaces f0/3 switchport command. You notice that the native VLAN, the second highlighted area in the figure, has been set to VLAN 100 and it is inactive. As you scan further down the output, you see that the allowed VLANs are 10 and 99, shown in the bottom highlighted area.

Click the Solution button in the figure.

You need to reconfigure the native VLAN on the Fast Ethernet F0/3 trunk port to be VLAN 99. In the figure, the top highlighted area shows the command to configure the native VLAN to be VLAN 99. The next two highlighted areas confirm that the Fast Ethernet F0/3 trunk port has the native VLAN reset to VLAN 99.

The screen output for the computer PC4 shows that connectivity has been restored to the WEB/TFTP server found at IP address 172.17.10.30.


3.4.1 - Common Problems with Trunks
The diagram depicts a scenario where there is a native VLAN mismatch problem. Configurations and a solution are provided.

Network Topology:
There are two switches, S1 and S3. Switch S1 port F0/2 is connected to a Web/TFTP server. Switch S3 port F0/3 is connected to S1 port F0/3 using a crossover cable. Switch S3 port F0/11 is connected to PC4.

Web/TFTP Server:
VLAN 10
172.17.10.30

PC4:
Faculty VLAN 10
172.17.10.24

S1: VLAN 99, IP address 172.17.99.1
S3: VLAN 99, IP address 172.17.99.3
S1 to S3 Trunk Link - Allowed VLANs on the trunk are 10 and 99. The native VLAN is 99.

Scenario:
Computer PC4 cannot connect to the internal web server, Web/TFTP.

Configurations:
S3#
%CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on FastEthernet0/3 (100), with S1 FastEthernet0/3 (99).

Output from the show interfaces F0/3 switchport command shows:
Trunking Native Mode VLAN: 100 (Inactive)
Trunking VLANs Enabled: 10,99

Solution:
Commands issued on S3:
S3#config terminal
S3(config)#interface F0/3
S3(config-if)#switchport trunk native vlan 99
S3(config-if)#end

Output from the show interfaces F0/3 switchport command shows:
Name: Fa0/3
Switchport: Enabled
Administrative Mode: trunk
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 99 (management)
Trunking VLANs Enabled: 10,99

PC4 can now access the Web/TFTP server as indicated by the results of the ping command.


Page 3:
Trunk Mode Mismatches

In this course, you have learned that trunk links are configured statically with the switchport mode trunk command. You have learned that the trunk ports use DTP advertisements to negotiate the state of the link with the remote port. When a port on a trunk link is configured with a trunk mode that is incompatible with the other trunk port, a trunk link fails to form between the two switches.

In this scenario, the same problem arises: the person using computer PC4 cannot connect to the internal web server. Again, the topology diagram has been maintained and shows a correct configuration. Why is there a problem?

Click the Configurations button in the figure.

The first thing you do is check the status of the trunk ports on switch S1 using the show interfaces trunk command. It reveals in the figure that there is no trunk on interface F0/3 on switch S1. You examine the F0/3 interface to learn that the switch port is in dynamic auto mode, the first highlighted area in the top figure. An examination of the trunks on switch S3 reveals that there are no active trunk ports. Further checking reveals that the F0/3 interface is also in dynamic auto mode, the first highlighted area in the bottom figure. Now you know why the trunk is down: two ports in dynamic auto mode both wait for the other side to initiate, so DTP never negotiates a trunk.

Click the Solution button in the figure.

You need to reconfigure the trunk mode of the Fast Ethernet F0/3 ports on switches S1 and S3. In the top left figure, the highlighted area shows that the port is now in trunking mode. The top right output from switch S3 shows the commands used to reconfigure the port and the results of the show interfaces trunk command, revealing that interface F0/3 has been reconfigured as a trunk. The output from computer PC4 indicates that PC4 has regained connectivity to the WEB/TFTP server found at IP address 172.17.10.30.


3.4.1 - Common Problems with Trunks
The diagram depicts a scenario where there is a trunk mode mismatch problem. Configurations and a solution are provided.

Network Topology:
There are three switches, S1, S2, and S3. Switch S1 port F0/2 is connected to a Web/TFTP server. Switch S1 port F0/1 is connected to S2 port F0/1 using a crossover cable. Switch S1 port F0/3 is connected to S3 port F0/3 using a crossover cable. Switch S3 port F0/11 is connected to PC4.

Web/TFTP Server:
VLAN 10
172.17.10.30

PC4:
Faculty VLAN 10
172.17.10.24

Switch S1:
Port F0/3
Trunk Mode: On

Switch S3:
Port F0/3
Trunk Mode: On

The link from S1 to S2 and the link from S1 to S3 serve as trunk links. The allowed VLANs on the trunks are 10 and 99. The native VLAN is 99.

Scenario:
Computer PC4 cannot connect to the internal web server, Web/TFTP.

Configurations:
S1 output from the show interfaces trunk command shows that there is no trunk on F0/3:
S1 output from the show interfaces F0/3 switchport command shows:
Administrative Mode: dynamic auto

S3 output from the show interfaces trunk command shows that there are no active trunk ports.
S3 output from the show interfaces F0/3 switchport command shows:
Administrative Mode: dynamic auto

Solution:
Commands issued on S1:
S1#config terminal
S1(config)#interface F0/3
S1(config-if)#switchport mode trunk
S1(config-if)#end

S1 output from the show interfaces F0/3 switchport command shows that F0/3 administrative mode is now trunk.

Commands issued on S3:
S3#config terminal
S3(config)#interface F0/3
S3(config-if)#switchport mode trunk
S3(config-if)#end

S3 output from the show interfaces F0/3 switchport command shows that F0/3 administrative mode is now trunk.

S3 output from the show interfaces trunk command shows that F0/3 mode is on, encapsulation is 802.1Q, status is trunking, and the native VLAN is 99.

PC4 can now access the Web/TFTP server as indicated by the results of the ping command.


Page 4:
Incorrect VLAN List

You have learned that for traffic from a VLAN to be transmitted across a trunk, the VLAN has to be allowed on the trunk. The command used to do this is the switchport trunk allowed vlan add vlan-id command. In the figure, VLAN 20 (Student) and computer PC5 have been added to the network. The documentation has been updated to show that the VLANs allowed on the trunk are 10, 20, and 99.

In this scenario, the person using computer PC5 cannot connect to the student e-mail server shown in the figure.

Click the Configurations button in the figure.

Check the trunk ports using the show interfaces trunk command. On switch S3 the command reveals that interface F0/3 is correctly configured to allow VLANs 10, 20, and 99. On switch S1, however, the same command reveals that interfaces F0/1 and F0/3 only allow VLANs 10 and 99. It seems someone updated the documentation but forgot to reconfigure the ports on the S1 switch.

Click the Solution button in the figure.

You need to reconfigure the F0/1 and the F0/3 ports on switch S1 using the switchport trunk allowed vlan 10,20,99 command. The top screen output in the figure shows that VLANs 10, 20, and 99 are now added to the F0/1 and F0/3 ports on switch S1. The show interfaces trunk command is an excellent tool for revealing common trunking problems. The bottom figure indicates that PC5 has regained connectivity to the student e-mail server found at IP address 172.17.20.10.


3.4.1 - Common Problems with Trunks
The diagram depicts a scenario where there is an incorrect VLAN list problem. Configurations and a solution are provided.

Network Topology:
There are three switches, S1, S2, and S3. Switch S1 port F0/2 is connected to a Web/TFTP server. Switch S1 port F0/4 is connected to a Student E-mail server. Switch S1 port F0/1 is connected to S2 port F0/1 using a crossover cable. Switch S1 port F0/3 is connected to S3 port F0/3 using a crossover cable. Switch S3 port F0/11 is connected to PC4. Switch S3 port F0/18 is connected to PC5.

Web/TFTP Server:
VLAN 10
172.17.10.30

Student E-mail Server:
VLAN 20
172.17.20.10

PC4:
Faculty VLAN 10
172.17.10.24

PC5:
Student VLAN 20
172.17.20.25

S1 to S2 and S1 to S3 are trunk links. The allowed VLANs on the trunks are 10, 20, and 99. The native VLAN is 99.

Scenario:
Computer PC5 cannot connect to the Student E-mail Server.

Configurations:
S3 output from the show interfaces trunk command shows that interface F0/3 is correctly configured to allow VLANs 10, 20, and 99.

S1 output from the show interfaces trunk command shows that interface F0/3 only allows VLANs 10 and 99.

Solution:
Commands issued on S1:
S1#config terminal
S1(config)#interface F0/3
S1(config-if)#switchport trunk allowed vlan 10,20,99
S1(config-if)#end

S1 output from the show interfaces F0/3 switchport command shows that F0/3 administrative mode is now trunk.

S1 output from the show interfaces trunk command shows that ports F0/1 and F0/3 allow VLANs 10, 20, and 99 on the trunk.

PC5 can now access the Student E-mail server as indicated by the results of the ping command.


3.4.2 A Common Problem with VLAN Configurations

Page 1:
VLAN and IP Subnets

As you have learned, each VLAN must correspond to a unique IP subnet. If two devices in the same VLAN have different subnet addresses, they cannot communicate. This type of incorrect configuration is a common problem, and it is easy to solve by identifying the offending device and changing the subnet address to the correct one.

In this scenario, the person using computer PC1 cannot connect to the WEB/TFTP server shown in the figure.

Click the Configurations button in the figure.

In the figure, a check of the IP configuration settings of PC1 reveals the most common error in configuring VLANs: an incorrectly configured IP address. The PC1 computer is configured with an IP address of 172.172.10.21, but it should have been configured with 172.17.10.21.

Click the Solution button in the figure.

The screen capture of the PC1 Fast Ethernet configuration dialog box shows the updated IP address of 172.17.10.21. The bottom screen capture reveals that PC1 has regained connectivity to the WEB/TFTP server found at IP address 172.17.10.30.


3.4.2 - A Common Problem with VLAN Configurations
The diagram depicts a scenario where there is a VLAN and IP subnet configuration problem. Configurations and a solution are provided.

Network Topology:
There are three switches, S1, S2, and S3. Switch S1 port F0/2 is connected to a Web/TFTP server. Switch S1 port F0/1 is connected to S2 port F0/1 using a crossover cable. Switch S1 port F0/3 is connected to S3 port F0/3 using a crossover cable. Switch S2 port F0/11 is connected to PC1. Switch S3 port F0/11 is connected to PC4.

Web/TFTP Server:
VLAN 10
172.17.10.30

PC1:
Faculty VLAN 10
172.172.10.21

PC4:
Faculty VLAN 10
172.17.10.24

The links between S1 and S2 and between S1 and S3 are trunk links. The allowed VLANs on the trunks are 10 and 99. The native VLAN is 99.

Scenario:
Computer PC1 cannot connect to the internal Web/TFTP server.

Configurations:
PC1 output from the ipconfig command shows an IP address of 172.172.10.21, but it should have been configured with 172.17.10.21.

Solution:
Screenshot of the Packet Tracer PC1 configuration to correct the IP address.

PC1 can now access the Web/TFTP server as indicated by the results of the ping command.
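The four checks walked through in 3.4.1 and 3.4.2 (native VLAN mismatch, trunk mode mismatch, incorrect allowed-VLAN list, and a host addressed outside its VLAN's subnet) can be automated over the text of show interfaces switchport. The script below is an added example, not part of the Cisco curriculum; the two switchport outputs are constructed to mirror the S1/S3 scenarios above, and the VLAN 10 subnet 172.17.10.0/24 is assumed from the addresses the chapter uses.

```python
"""Audit a trunk link for the three trunk problems walked through above
(native VLAN mismatch, trunk mode mismatch, incorrect allowed-VLAN list)
and the VLAN/IP subnet problem, from 'show interfaces switchport' text."""
import ipaddress
import re

# Constructed sample output for both ends of the S1-S3 trunk, modelled on the
# fields the chapter quotes (not captured from a real switch).
S1_FA0_3 = """\
Name: Fa0/3
Administrative Mode: dynamic auto
Trunking Native Mode VLAN: 99 (management)
Trunking VLANs Enabled: 10,99
"""
S3_FA0_3 = """\
Name: Fa0/3
Administrative Mode: trunk
Trunking Native Mode VLAN: 100 (Inactive)
Trunking VLANs Enabled: 10,20,99
"""

def parse_vlan_list(text):
    """Expand '10,20,99' or '1-5,99' into a set; 'ALL' is the IOS default."""
    if text.strip().upper() == "ALL":
        return set(range(1, 4095))
    vlans = set()
    for part in text.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = part.split("-", 1)
            vlans.update(range(int(lo), int(hi) + 1))
        elif part.isdigit():
            vlans.add(int(part))
    return vlans

def parse_switchport(output):
    """Pull the admin mode, native VLAN and allowed list out of the output."""
    fields = {}
    for line in output.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    native = re.match(r"\d+", fields.get("Trunking Native Mode VLAN", ""))
    return {
        "mode": fields.get("Administrative Mode", "").lower(),
        "native": int(native.group()) if native else None,
        "allowed": parse_vlan_list(fields.get("Trunking VLANs Enabled", "")),
    }

def trunk_forms(mode_a, mode_b):
    """DTP outcome: a trunk needs one end set to trunk or dynamic desirable
    and neither end set to access; dynamic auto on both ends never trunks."""
    if any(m.endswith("access") for m in (mode_a, mode_b)):
        return False
    return "trunk" in (mode_a, mode_b) or "dynamic desirable" in (mode_a, mode_b)

def audit_trunk(local, remote, required_vlans):
    """Return human-readable problems found between the two ends of a trunk."""
    problems = []
    if local["native"] != remote["native"]:
        problems.append(f"native VLAN mismatch: {local['native']} vs {remote['native']}")
    if not trunk_forms(local["mode"], remote["mode"]):
        problems.append(f"trunk mode mismatch: {local['mode']} / {remote['mode']}")
    for name, end in (("local", local), ("remote", remote)):
        missing = sorted(set(required_vlans) - end["allowed"])
        if missing:
            problems.append(f"{name} end does not allow VLAN(s) {missing}")
    return problems

def host_in_vlan_subnet(host_ip, vlan_subnet):
    """3.4.2 check: a host addressed outside its VLAN's subnet cannot reach
    peers even though the Layer 2 path is fine."""
    return ipaddress.ip_address(host_ip) in ipaddress.ip_network(vlan_subnet)

if __name__ == "__main__":
    s1, s3 = parse_switchport(S1_FA0_3), parse_switchport(S3_FA0_3)
    for problem in audit_trunk(s1, s3, required_vlans=[10, 20, 99]):
        print("TRUNK:", problem)
    # PC1 from 3.4.2: 172.172.10.21 is not in VLAN 10's assumed 172.17.10.0/24
    print("PC1 in subnet:", host_in_vlan_subnet("172.172.10.21", "172.17.10.0/24"))
```

The same parser also flags the dynamic auto/dynamic auto case from page 3, since trunk_forms returns False for it.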


Page 2:
In this activity, you will troubleshoot connectivity problems between PCs on the same VLAN. The activity is complete when you achieve 100% and the PCs can ping the other PCs on the same VLAN. Any solution you implement must conform to the topology diagram. Detailed instructions are provided within the activity as well as in the PDF link below.

Activity Instructions (PDF)

Click the Packet Tracer icon for more details.


3.4.2 - A Common Problem with VLAN Configurations
Link to Packet Tracer Exploration: Troubleshooting a VLAN Implementation.


3.5 Chapter Labs

3.5.1 Basic VLAN Configuration

Page 1:
In a network it is essential to be able to limit the effects of network broadcasts. One way to do this is to break up a large physical network into a number of smaller logical or virtual networks. This is one of the goals of VLANs. This lab will teach you the basics of configuring VLANs.


3.5.1 - Basic VLAN Configuration
Link to Hands-on Lab: Basic VLAN Configuration


Page 2:
This activity is a variation of Lab 3.5.1. Packet Tracer may not support all the tasks specified in the hands-on lab. This activity should not be considered equivalent to completing the hands-on lab. Packet Tracer is not a substitute for a hands-on lab experience with real equipment. Detailed instructions are provided within the activity as well as in the PDF link below.

Activity Instructions (PDF)

Click the Packet Tracer icon for more details.


3.5.1 - Basic VLAN Configuration
Link to Packet Tracer Exploration: Basic VLAN Configuration


3.5.2 Challenge VLAN Configuration

Page 1:
Having set up VLANs once in the Basic lab, this lab will verify how much you learned. Attempt to do as much of the lab as possible without referring back to the Basic lab. Once you have completed as much of the lab as possible on your own, check your work with the answer key that your instructor will provide.


3.5.2 - Challenge VLAN Configuration
Link to Hands-on Lab: Challenge VLAN Configuration


Page 2:
This activity is a variation of Lab 3.5.2. Packet Tracer may not support all the tasks specified in the hands-on lab. This activity should not be considered equivalent to completing the hands-on lab. Packet Tracer is not a substitute for a hands-on lab experience with real equipment. Detailed instructions are provided within the activity as well as in the PDF link below.

Activity Instructions (PDF)

Click the Packet Tracer icon for more details.


3.5.2 - Challenge VLAN Configuration
Link to Packet Tracer Exploration: Challenge VLAN Configuration


3.5.3 Troubleshooting VLAN Configurations

Page 1:
In this lab, you will practice troubleshooting a misconfigured VLAN environment. Load or have your instructor load the configurations below into your lab gear. Your objective is to locate and correct any and all errors in the configurations and establish end-to-end connectivity. Your final configuration should match the topology diagram and addressing table.


3.5.3 - Troubleshooting VLAN Configurations
Link to Hands-on Lab: Troubleshooting VLAN Configurations


Page 2:
In this activity, you will practice troubleshooting a misconfigured VLAN environment. The initial network has errors. Your objective is to locate and correct any and all errors in the configurations and establish end-to-end connectivity. Your final configuration should match the topology diagram and addressing table. Detailed instructions are provided within the activity as well as in the PDF link below.

Activity Instructions (PDF)

Click the Packet Tracer icon for more details.


3.5.3 - Troubleshooting VLAN Configurations
Link to Packet Tracer Exploration: Troubleshooting VLAN Configurations


3.6 Chapter Summary

3.6.1 Chapter Summary

Page 1:
In this chapter, we introduced VLANs. VLANs are used to segment broadcast domains in a switched LAN. This improves the performance and manageability of LANs. VLANs provide network administrators with flexible control over traffic associated with devices in the LAN.

There are several types of VLANs: a default VLAN, a management VLAN, native VLANs, user/data VLANs, and voice VLANs.

VLAN trunks facilitate inter-switch communication with multiple VLANs. IEEE 802.1Q frame tagging enables differentiation between Ethernet frames associated with distinct VLANs as they traverse common trunk links.

We discussed the configuration, verification, and troubleshooting of VLANs and trunks using the Cisco IOS CLI.


3.6.1 - Summary and Review
In this chapter, you have learned:
- VLANs separate broadcast domains on switches.
- VLANs improve network performance, management, and security.
- VLANs can be used for data, voice, network protocol, and network management traffic.
- There are 3 different membership modes: static, dynamic, and voice VLAN mode.
- Routers or Layer 3 switches are required for inter-VLAN communication.
- Trunks allow multiple VLANs to traverse a single link to simplify intra-VLAN communication across multiple switches.
- IEEE 802.1Q is the standard trunking protocol.
- 802.1Q uses a process of frame tagging to keep VLAN traffic separate as it traverses the trunk link.
- 802.1Q does not tag native VLAN traffic, which can result in problems when trunking is misconfigured.


Page 2:


3.6.1 - Summary and Review
This is a review and is not a quiz. Questions and answers are provided.
Question 1. Which of the following best describes the mapping between VLANs and IP subnets in a modern switched network?

A. One IP subnet to many VLANs.
B. One VLAN to many IP subnets.
C. Two IP subnets to one VLAN.
D. Two VLANs to one IP subnet.
E. One IP subnet to one VLAN.
F. Varies with the model of Cisco Catalyst switch.

Answer: E

Question 2. Refer to the following diagram description to answer the question:

Exhibit diagram description:
Network Topology:
Switches S1 and S2 are connected by a trunk link using a crossover cable. Switch S2 has three computers, PC1, PC2, and PC3, connected to it. The link from S1 to S2 is a trunk link with one switch port, and five VLANs, 1, 10, 20, 30, and 99.

PC1: Faculty
VLAN 10
172.17.10.21

PC2: Student
VLAN 20
172.17.20.22

PC3: Guest
VLAN 30
172.17.30.23

The dashed line indicates a trunk line. S1 and S2 are members of VLAN 99. Which two of the following are true? (Choose two.)

A. All PCs can successfully ping each other.
B. No PC can successfully ping another PC.
C. Switch S1 can successfully ping switch S2.
D. All the PCs can successfully ping switch S1.
E. All the PCs can successfully ping switch S2.

Answer: B, C

Question 3. Which of the following is normally performed at the switch (config-vlan)# prompt?

A. Adding VLANs.
B. Deleting VLANs.
C. Assigning ports to VLANs.
D. Naming VLANs.
E. Assigning the native VLAN.

Answer: D

Question 4. Refer to the following diagram description to answer the question:

Exhibit diagram description:
There are three switches, S1, S2, and S3. Switch S1 port F0/2 is connected to a Web/TFTP server. Switch S1 port F0/1 is connected to S2 port F0/1 using a crossover cable. Switch S1 port F0/3 is connected to S3 port F0/3 using a crossover cable. Switch S2 port F0/11 is connected to PC1. Switch S3 port F0/11 is connected to PC4.

Web/TFTP Server:
VLAN 10
172.17.10.30

PC1:
Faculty VLAN 10
172.17.10.21

PC4:
Faculty VLAN 10
172.17.10.24

The link from S1 to S2 and the link from S1 to S3 are trunk links. The allowed VLANs on the trunks are 10 and 99. The native VLAN is 99.

Scenario:
Computer PC1 cannot connect to the internal web server, Web/TFTP.
What are some of the possible causes of the lack of connectivity?
A. Native VLAN mismatch on the trunk between switches S1 and S2.
B. Trunk mode mismatch between switches S1 and S2.
C. Misconfigured set of allowed VLANs on the trunk between switches S1 and S2.
D. Misconfigured IP addresses associated with VLAN 10.
E. A link is down along the path between PC1 and the Web/TFTP server.

Answer: A, B, C, D, E.


Page 3:
In this activity, you will connect and completely configure the Chapter 3 topology, including adding and connecting devices, and configuring security and VLANs. Detailed instructions are provided within the activity as well as in the PDF link below.

Activity Instructions (PDF)

Click the Packet Tracer icon for more details.


3.6.1 - Summary and Review
Link to Packet Tracer Exploration: Packet Tracer Skills Integration Challenge


3.7 Chapter Quiz

3.7.1 Chapter Quiz

Page 1:


3.7.1 - Chapter Quiz
1. Switch 1 and switch 2 are both configured with ports in the Marketing, Sales, Production, and Admin VLANs. Each VLAN contains 12 users. How many different subnetworks are needed to address the VLANs?
A. 1
B. 2
C. 4
D. 8
E. 12
F. 24

2. What mechanism is used to achieve the separation between different VLANs as they cross a trunk link?
A. VLAN tagging using the 802.1Q protocol
B. VLAN tagging using the 802.1p protocol
C. VLAN multiplexing
D. VLAN set as native VLAN

3. What are two options to consider when configuring a trunk between two switches? (Choose two.)
A. The switchport nonnegotiate command must be configured for trunks that use DTP.
B. Port security cannot be configured on the trunk interfaces.
C. The native VLAN must be the same on both ends of the trunk.
D. Different encapsulation types can be configured on both ends of the trunk link.
E. Trunk ports can only be configured on the Gigabit Ethernet ports.

4. A 12-port switch has been configured to support three VLANs named Sales, Marketing, and Finance. Each VLAN spans four ports on the switch. The network administrator has deleted the Marketing VLAN from the switch. Which two statements describe the status of the ports associated with this VLAN? (Choose two.)
A. The ports are inactive.
B. The ports are administratively disabled.
C. The ports become trunks to carry data from all remaining VLANs.
D. The ports remain part of the Marketing VLAN until reassigned to another VLAN.
E. The ports are released from the Marketing VLAN and automatically reassigned to VLAN 1.

5. Which three statements are true about hosts configured in the same VLAN? (Choose three.)
A. Hosts in the same VLAN must be on the same IP subnet.
B. Hosts in different VLANs can communicate with the aid of only the Layer 2 switch.
C. Hosts in the same VLAN share the same broadcast domain.
D. Hosts in the same VLAN share the same collision domain.
E. Hosts in the same VLAN comply with the same security policy.
F. Hosts in the same VLAN must be on the same physical segment.

6. Refer to the following diagram description to answer the question:
Two switches, S1 and S2, are connected together. Each switch has two VLANs defined. On switch S1, VLAN 1 and VLAN 2 are defined. On switch S2, VLAN 2 and VLAN 3 are defined. Host A on S1 is in VLAN 1. Host B on S1 is in VLAN 2. Host C on S2 is in VLAN 2. Host D on S2 is in VLAN 3.

Host C is unable to transfer data because it does not have the MAC address of the destination host. If Host C sends out an ARP request, which of the other hosts will see this message?
A. Host A
B. Host B
C. Hosts A and B
D. Hosts A and D
E. Hosts B and D
F. Hosts A, B, and D

7. Match the characteristics listed to the type of VLAN, static or dynamic.
Characteristics:
A. Each port is associated with a specific VLAN.
B. Manual configuration of port assignments required.
C. Ports work out their own configuration.
D. Less administrative overhead when users are moved.
E. Requires administrator interaction when users move.
F. Configuration based on database.

VLAN Type:
1. Static VLAN
2. Dynamic VLAN

8. Match the VLAN-related option to the appropriate category.
Options:
A. 1 to 1005
B. 1006 to 4094
C. Not learned by VTP
D. Default management VLAN
E. All ports are a member by default
F. Contains reserved VLANs for Token Ring and FDDI

Categories:
1. Normal range VLAN
2. Extended range VLAN
3. VLAN 1

9. Refer to the following diagram description to answer the question:
Two switches, S1 and S2, are connected together using a trunk link between S1 F0/1 and S2 F0/2. Each switch has two VLANs defined, VLAN 10 and VLAN 20. Host B and two unlabelled hosts on S1 are in VLAN 10. Host A and one unlabelled host on S1 are also in VLAN 10. There is an unlabelled host in VLAN 20 on each switch.

Brand new switches with empty CAM tables are interconnected via a trunk link. All hosts on both switches are configured with the VLAN memberships described above. How is a frame sent from Host A forwarded to Host B?
A. Switch S1 floods the message from Host A to all hosts attached to S1.
B. Switch S1 floods the message from Host A to all hosts attached to both switches.
C. Switch S1 tags the frame with VLAN ID 10 and floods the frame to all hosts on switch S2.
D. Switch S1 tags the frame with VLAN ID 10 and floods the frame to all hosts on switch S2 that are members of VLAN 10.

10. Refer to the following configuration commands issued on Switch_A to answer the question:

Switch_A#config terminal
Switch_A(config)#vlan 10
Switch_A(config-vlan)#name Accounting
Switch_A(config-vlan)#exit
Switch_A(config)#vlan 20
Switch_A(config-vlan)#name Marketing
Switch_A(config-vlan)#exit
Switch_A(config)#interface fastethernet 0/4
Switch_A(config-if)#switchport mode access
Switch_A(config-if)#switchport access vlan 10
Switch_A(config-if)#interface fastethernet 0/5
Switch_A(config-if)#switchport mode access
Switch_A(config-if)#switchport access vlan 20
Switch_A(config-if)#interface fastethernet 0/6
Switch_A(config-if)#switchport mode access
Switch_A(config-if)#switchport access vlan 10

Host1 is connected to port F0/4 with an IP address of 192.168.1.22 /28. Host2 is connected to port F0/5 with an IP address of 192.168.1.33 /28. Host3 is connected to port F0/6 with an IP address of 192.168.1.30 /28.
Select the three statements that describe the success of pinging from one host to another. (Choose three.)
A. Host1 can ping Host2.
B. Host1 cannot ping Host2.
C. Host1 can ping Host3.
D. Host1 cannot ping Host3.
E. Host2 can ping Host3.
F. Host2 cannot ping Host3.

11. Match the command to the associated description. (Not all options are used.)
Commands:
A. show vlan id
B. show vlan
C. show vlan brief
D. show interface F0/1 switchport
E. show interface F0/1

Descriptions:
1. Displays detailed information about all VLANs on the switch.
2. Displays VLAN information about a specific port.
3. Displays information about a specific VLAN.

12. Match the command to the associated description.
Commands:
A. switchport mode trunk
B. switchport mode dynamic desirable
C. switchport nonnegotiate
D. switchport mode access

Descriptions:
1. Configures the port to negotiate a trunk.
2. Configures the trunk to not send DTP packets.
3. Configures the port as a permanent 802.1Q trunk.
4. Disables trunk mode.

13. Match the term to the associated description.
Terms:
A. Native VLAN mismatch
B. Trunk mode mismatch
C. Incorrect VLAN list
D. VLAN subnet conflict

Descriptions:
1. Both switches are configured to dynamic auto and will not negotiate a link.
2. Not all the VLANs needed are allowed to traverse a trunk.
3. Two VLANs are sharing the same address space.
4. The VLAN configured for untagged frames is not the same on two switches connected by a trunk.

14. Match the VLAN port membership statement to the correct option.

Statements:
A. Access port attached to a PC, configured to use one VLAN for voice traffic and another VLAN for data traffic.
B. Port on a switch that maintains its assigned VLAN configuration until it is changed manually.
C. Port on a switch using VMPS that associates a port to a VLAN based on the destination MAC address.
D. Port on a switch that can change the manually assigned VLAN configuration dynamically.
E. Access port attached to an IP phone, configured to use one VLAN for voice traffic and another VLAN for data traffic.
F. Port on a switch using VMPS that associates a port to a VLAN based on the source MAC address.

Options:
1. Static VLAN port membership
2. Dynamic VLAN port membership
3. Voice VLAN port membership


