VLANs (Virtual LANs) and Trunking

Exam Topics:

Describe the operation of the Spanning Tree Protocol and its benefits.

Describe the benefits of Virtual LANs (VLANs).


Topic Notes :

VLANs and Trunking

A Virtual LAN is a broadcast domain created by one or more switches. Instead of all ports on a switch (or group of switches) being part of the same broadcast domain, an administrator creates VLANs through the configuration of the switch or switch fabric. If VLANs were not used, breaking a network into three broadcast domains would require 3 separate physical switches. With VLANs, a single switch does the same job at lower cost and with easier administration of the switch or switch fabric.

By creating separate broadcast domains, you also create separate layer 3 groupings, as each VLAN is its own subnet. When implementing VLANs, each VLAN on a switch will need a port configured to reach a router, so that traffic can travel between VLANs. If you use 1 router, it will need an Ethernet port for each VLAN it connects (unless trunking is used, which we shall see in a moment). With the exception of multilayer switching (which is not part of the CCNA exam), a switch will never forward a frame received on a port in one VLAN out a port configured for a different VLAN. The default router for a VLAN is the router's Ethernet port for that VLAN. So, if VLAN 2 is physically connected to interface e0 on the router, interface e0 is the default router for VLAN 2. For example, a host in VLAN 2 sending to a host in VLAN 3 sends an IP packet encapsulated in an Ethernet frame whose destination MAC address is that of the default router (the connected router interface). The router then forwards the packet out the interface connected to VLAN 3.

VLAN 1 is the administrative VLAN. Using only VLAN 1 is the same as not using VLANs at all. It is the default and cannot be changed. If you plan on implementing VLANs in a network, do not configure any ports on your switch to use VLAN 1 except administrative ports that do not need to be placed in a separate broadcast domain.

Since a VLAN is a logical configuration, physically moving a device does not require re-cabling in order for the device to remain part of its original VLAN. Only the VLAN assignment of the port within the switch needs to be changed.

Switches keep a separate address table for each VLAN. When a frame is received by the switch, it consults the address table of the VLAN the ingress port is configured for. It checks whether the frame comes from a known MAC address for that VLAN; if the source is a new or unknown MAC address, it adds that device's MAC address to the address table for that VLAN. The switch then checks whether the destination address exists in that same table. If it does, the frame is sent out the port associated with the destination device (layer 2 handling). If the destination MAC address is not in the VLAN's address table, the frame is forwarded out the switch port connected to the router interface for that VLAN, for layer 3 handling.
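
The per-VLAN table behaviour just described, as an added example that is not part of the original notes. The port names, MAC addresses and VLAN numbers are constructed; the fallback to the router port for an unknown destination follows the notes' model (a real switch floods an unknown unicast within the VLAN, but it likewise never crosses into another VLAN).

```python
# Added example (not from the original notes): a switch keeping one MAC address
# table per VLAN, with the forwarding decision described above. Port names, MAC
# addresses and VLAN numbers are constructed for the example.
from collections import defaultdict


class VlanSwitch:
    def __init__(self, port_vlan, router_ports):
        # port_vlan: port name -> VLAN number the port is configured for
        # router_ports: VLAN number -> port that leads to that VLAN's router interface
        self.port_vlan = port_vlan
        self.router_ports = router_ports
        self.tables = defaultdict(dict)  # VLAN number -> {MAC: port}

    def handle_frame(self, in_port, src_mac, dst_mac):
        """Return ("layer2", port) or ("layer3", router_port) for one frame."""
        vlan = self.port_vlan[in_port]
        table = self.tables[vlan]
        # Learn the source only in the table of the ingress port's VLAN.
        table[src_mac] = in_port
        if dst_mac in table:
            # Known destination in this VLAN: plain layer 2 switching.
            return ("layer2", table[dst_mac])
        # Not in this VLAN's table: hand the frame to the router port for this
        # VLAN, as the notes describe. A real switch floods an unknown unicast to
        # every port of the VLAN instead; either way it never crosses VLANs.
        return ("layer3", self.router_ports[vlan])


def demo():
    """Walk four frames through the switch; return the switch and the decisions."""
    sw = VlanSwitch(
        port_vlan={"e0/2": 2, "e0/3": 2, "e0/4": 2, "e0/5": 3, "e0/6": 3,
                   "e0/7": 2, "e0/8": 3},        # e0/7 and e0/8 face the router
        router_ports={2: "e0/7", 3: "e0/8"},
    )
    decisions = []
    # Host AA on e0/2 (VLAN 2) sends to BB before BB has been learned.
    decisions.append(sw.handle_frame("e0/2", "AA", "BB"))
    # BB on e0/3 replies: both hosts are now in the VLAN 2 table.
    decisions.append(sw.handle_frame("e0/3", "BB", "AA"))
    decisions.append(sw.handle_frame("e0/2", "AA", "BB"))
    # CC on e0/5 (VLAN 3) sends to AA. AA lives only in the VLAN 2 table, so the
    # frame goes to VLAN 3's router port, never straight to e0/2.
    decisions.append(sw.handle_frame("e0/5", "CC", "AA"))
    return sw, decisions


if __name__ == "__main__":
    switch, result = demo()
    for d in result:
        print(d)
    print("AA known in VLAN 3 table:", "AA" in switch.tables[3])
```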

When a switch fabric is created from one or more connected switches, the switches can share VLANs using VLAN tagging. VLAN tagging is also known as trunking. Cisco equipment offers two options for trunking over Ethernet. One is ISL (Inter-Switch Link), which requires that both connected switches be Cisco equipment: ISL is a Cisco proprietary trunking protocol, so switches from other manufacturers do not include it in their software and cannot use it. For switch fabrics that mix switches from multiple vendors, IEEE 802.1Q is the trunking option to use. ISL headers encapsulate the LAN frame, lengthening it; IEEE 802.1Q instead modifies the Ethernet header information, maintaining a standard frame length. Both IEEE 802.1Q and ISL add the VLAN ID to a frame, just in different ways. Without the added VLAN ID, the frame would be dropped before being forwarded to the destination switch. Remember, frames sent directly between switches must belong to the same VLAN. If they are destined for a different VLAN, they must travel through the router first.

Table VLAN 1.1: An Encapsulated ISL Frame

ISL frame (modified Ethernet frame):

ISL header (26 bytes):
  DA
  Type
  User
  SA
  LEN
  AAAA03
  HSA
  VLAN
  BPDU
  INDEX
  RES
Encapsulated Ethernet frame
CRC (4 bytes)
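
The two tagging formats side by side, as an added example that is not part of the original notes: ISL wraps the whole frame in a 26-byte header plus a 4-byte CRC, while 802.1Q inserts a 4-byte tag into the existing header. The ISL field widths used here are those of the Cisco ISL header (they sum to the 26 bytes in Table VLAN 1.1); the MAC addresses and payload are constructed.

```python
# Added example (not from the original notes): building and parsing the two
# Cisco tagging formats described above. Field widths follow the ISL header in
# Table VLAN 1.1; MAC addresses and payload are constructed.
import struct
import zlib

ISL_DA = bytes.fromhex("01000c0000")    # 40-bit ISL destination address
ISL_SNAP = bytes.fromhex("aaaa03")      # the AAAA03 field


def plain_frame(dst, src, ethertype, payload):
    """Untagged Ethernet frame: DA, SA, Type, payload, FCS."""
    body = dst + src + struct.pack("!H", ethertype) + payload
    return body + struct.pack("!I", zlib.crc32(body))


def dot1q_tag(frame, vlan_id, priority=0):
    """IEEE 802.1Q: insert a 4-byte tag after the SA and recompute the FCS.
    The tag sits inside the existing header; nothing wraps the frame."""
    tci = (priority << 13) | (vlan_id & 0x0FFF)     # PCP(3) DEI(1) VID(12)
    body = frame[:12] + struct.pack("!HH", 0x8100, tci) + frame[12:-4]
    return body + struct.pack("!I", zlib.crc32(body))


def isl_encapsulate(frame, vlan_id, switch_mac, bpdu=False):
    """ISL: 26-byte header + the untouched original frame + 4-byte ISL CRC."""
    type_user = 0x00                                # TYPE=0 (Ethernet), USER=0
    isl_len = len(frame) + 12                       # bytes after LEN, before CRC
    vlan_bpdu = (vlan_id << 1) | int(bpdu)          # VLAN(15) BPDU(1)
    header = (ISL_DA + bytes([type_user]) + switch_mac      # DA, Type/User, SA
              + struct.pack("!H", isl_len) + ISL_SNAP       # LEN, AAAA03
              + switch_mac[:3]                              # HSA (OUI of SA)
              + struct.pack("!HHH", vlan_bpdu, 0, 0))       # VLAN/BPDU, INDEX, RES
    assert len(header) == 26
    body = header + frame
    return body + struct.pack("!I", zlib.crc32(body))


def vlan_of(frame):
    """Return (encapsulation, vlan_id, length of the carried Ethernet frame)."""
    if frame[:5] == ISL_DA:
        vlan_bpdu = struct.unpack("!H", frame[20:22])[0]
        return ("isl", vlan_bpdu >> 1, len(frame) - 30)
    if frame[12:14] == b"\x81\x00":
        tci = struct.unpack("!H", frame[14:16])[0]
        return ("802.1q", tci & 0x0FFF, len(frame) - 4)
    return ("untagged", None, len(frame))


if __name__ == "__main__":
    host_a = bytes.fromhex("0000aa000001")
    host_b = bytes.fromhex("0000bb000002")
    switch = bytes.fromhex("0000cc000003")
    f = plain_frame(host_b, host_a, 0x0800, b"\x00" * 46)   # 64-byte frame
    for tagged in (f, dot1q_tag(f, 3), isl_encapsulate(f, 3, switch)):
        print(len(tagged), vlan_of(tagged))
```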

You can configure multiple VLANs on a switch to use the same interface on a router by using trunking. This reduces the number of ports used on the switch and the number of interfaces required on the router (which is good, because router interfaces can be very expensive). Frames sent between VLANs over a trunked router interface are tagged in the same manner as frames sent between switches. This lets the router know which VLAN the frame came from. The router interface receives the tagged frame with the originating VLAN ID from the switch, and then sends the frame back out with the destination VLAN ID through the same interface and back into the switch. The administrator makes this work by breaking the router interface into subinterfaces and using an encapsulation command to tell each subinterface to use ISL (or IEEE 802.1Q) trunking.

Example VLAN 1.1: Router commands for ISL encapsulation on a 4-VLAN trunk

interface fastethernet 0.1
ip address 172.16.1.1 255.255.255.0
encapsulation isl 2
!
interface fastethernet 0.2
ip address 172.16.2.1 255.255.255.0
encapsulation isl 3
!
interface fastethernet 0.3
ip address 172.16.3.1 255.255.255.0
encapsulation isl 4
!
interface fastethernet 0.4
ip address 172.16.4.1 255.255.255.0
encapsulation isl 5

What you see in Example VLAN 1.1 is the configuration of 4 subinterfaces on the router's Fast Ethernet interface. Each is assigned an IP address within its respective VLAN subnet, as each subinterface is considered part of its attached VLAN. The encapsulation command attaches the VLAN number to the subinterface. The IP address and VLAN number of each subinterface must match the IP subnet and VLAN number on the switch. This allows 1 physical interface on the router and a single physical interface on the switch, reducing monetary cost, but also reducing bandwidth, as the single connection now carries traffic for multiple VLANs, where a non-trunked scheme would dedicate each connection to the traffic of a single VLAN.

Cisco uses 4 different trunking/tagging protocols, dependent upon the type of physical interface in use. ISL trunking/tagging is used on Fast Ethernet interfaces, as is 802.1Q. 802.10 is the protocol for tagging/trunking on an FDDI (fiber optic) interface, and LAN Emulation (LANE) is used for ATM interfaces. Trunking cannot be used on interfaces slower than 100 Mbps (such as a 10 Mbps Ethernet link).

Virtual Trunking Protocol (VTP)

VTP should not be confused with trunking: it manages and coordinates VLAN information across a multi-switch fabric, allowing all switches within the fabric to maintain consistent information about the VLANs they share. VTP allows an administrator to make changes to a VLAN on one switch, and then VTP notifies the other switches of the change. If a VLAN exists on multiple switches, VTP takes the change made on 1 switch and updates the related VLAN information on all the other switches that use that same VLAN. Otherwise, an administrator would have to update the configuration on each switch by hand, which could lead to errors in configuration or consistency.

Changes to VLANs cannot be made on just any switch. They must be made on the switch (or switches) identified as the VTP server. These changes are then sent out via VTP across all trunks to the other switches (running in either client or transparent mode, covered a bit further on) within the same VTP group (VTP domain). VTP is a scalability solution for switch management: the addition, removal or change of VLANs or switches within the VTP domain can all be handled from a single source, reducing cost. A VTP domain is declared by assigning all switches the same VTP domain name. Switches are normally grouped into a VTP domain based upon the VLANs they share; you would not normally find switches that share no VLANs with the other switches in the same VTP domain.

VTP advertisements are sent out automatically every 5 minutes, or whenever a change to a VLAN is made. VTP advertisements include a revision number, VLAN IDs (names and numbers), and which switch ports are assigned to which VLANs. The VTP configuration revision number determines when a switch updates its VLAN information from a VTP advertisement. To reduce overhead, a switch only updates its internal VLAN information if the advertised configuration revision number is greater than its own. The number is incremented by 1 whenever a change is made on the VTP server(s). If no change has been entered since the last revision number was created, client switches, seeing the same revision number they already hold, ignore the VTP advertisement. If the number is higher, they update their own VLAN information accordingly.

VTP clients do not store VLAN configurations in NVRAM. That is the job of the VTP server, which saves the information in what is called Catalyst NVRAM. VTP clients simply listen for changes made at the VTP servers and adjust accordingly. A VTP client cannot have its configuration changed locally, nor can it initiate any changes in the VTP domain.

VTP transparent switches are used to isolate switches within a VTP domain from VTP advertisements, while still allowing those switches to pass VTP advertisements on to other switches within the domain. Transparent mode does not issue any VLAN advertisements of its own. A switch running in VTP transparent mode can make local changes to its internal VLAN configuration, but these changes are not propagated throughout the domain. Transparent switches ignore changes to the VLAN segments they host as advertised by the VTP server, but also will not tell the VTP server anything about the changes that have occurred internally. For example, if you have 10 switches in a VTP domain, each sharing VLANs, but one of the switches is controlled by a different administrator or department than the other 9, that switch can go transparent. It can still share VLANs with the other 9 switches, and it will still pass on VTP advertisements from the server, but its internal configuration can be altered, and those alterations will neither change nor be changed by the advertisements of the VTP server.
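
The server, client and transparent behaviour from the last three paragraphs, including the revision-number rule, as an added example that is not part of the original notes. The switch names Denver_SW1, Denver_SW2 and Denver_SW3, the chain they form and the VLANs are constructed.

```python
# Added example (not from the original notes): how server, client and
# transparent switches treat VTP advertisements and local VLAN changes, using
# the revision-number rule from the notes. Switch names, VLANs and the chain
# Denver_SW1 -> Denver_SW2 -> Denver_SW3 are constructed.


class VtpSwitch:
    def __init__(self, name, mode, domain, vlans=None):
        assert mode in ("server", "client", "transparent")
        self.name, self.mode, self.domain = name, mode, domain
        self.vlans = dict(vlans or {1: "default"})  # VLAN number -> name
        self.revision = 0
        self.downstream = []                        # switches on our other trunks

    def local_change(self, vlan_id, name):
        """Add or rename a VLAN on this switch; returns the advertisement sent, if any."""
        if self.mode == "client":
            raise PermissionError(f"{self.name}: VTP client cannot change VLANs locally")
        self.vlans[vlan_id] = name
        if self.mode == "transparent":
            return None                             # local only, never advertised
        self.revision += 1                          # server: bump and advertise
        adv = {"domain": self.domain, "revision": self.revision, "vlans": dict(self.vlans)}
        self.send(adv)
        return adv

    def send(self, adv):
        for sw in self.downstream:
            sw.receive(adv)

    def receive(self, adv):
        """Apply the notes' rules to one advertisement and return what was done."""
        if adv["domain"] != self.domain:
            return "ignored: other VTP domain"
        if self.mode == "transparent":
            self.send(adv)                          # relay untouched, do not apply
            return "relayed, not applied"
        if adv["revision"] <= self.revision:
            return "ignored: revision not higher than own"
        self.vlans = dict(adv["vlans"])             # higher revision: take the update
        self.revision = adv["revision"]
        self.send(adv)
        return "updated"


def demo():
    """Server -> transparent -> client chain; returns the three switches."""
    server = VtpSwitch("Denver_SW1", "server", "Denver_Dev")
    relay = VtpSwitch("Denver_SW2", "transparent", "Denver_Dev")
    client = VtpSwitch("Denver_SW3", "client", "Denver_Dev")
    server.downstream = [relay]
    relay.downstream = [client]
    relay.local_change(9, "LOCAL_ONLY")             # stays on the transparent switch
    server.local_change(2, "VLAN2")
    server.local_change(3, "VLAN3")
    return server, relay, client


if __name__ == "__main__":
    for sw in demo():
        print(sw.name, sw.mode, sw.revision, sw.vlans)
```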

VTP pruning is a method of conserving ISL trunk bandwidth by restricting VLAN traffic within the VTP domain to only those trunks that need to carry it. Not all switches in a VTP domain have ports configured for the same VLANs as every other switch. VTP pruning lets VTP send VLAN traffic only across the ISL trunks that lead to switches using those VLANs. For example, if you have a 5-switch VTP domain, and only 3 of those switches use VLAN 3, then the ISL trunks for the two switches that don't use VLAN 3 will not see traffic for VLAN 3. The ISL trunks for those switches will only carry traffic for the VLANs they share with other switches. This affects broadcast traffic, as well as unknown destination unicasts.
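
The pruning outcome for the 5-switch example above, computed over a constructed topology, as an added example that is not part of the original notes. It generalises the rule slightly: a VLAN's flooded traffic crosses a trunk only when switches on both sides of that trunk have ports in the VLAN, and VLAN 1 is never pruned.

```python
# Added example (not from the original notes): which VLANs must cross each ISL
# trunk once VTP pruning is in effect. A VLAN's broadcast/unknown-unicast traffic
# crosses a trunk only when switches on both sides of it have ports in that VLAN;
# VLAN 1 is never pruned. The five-switch topology below is constructed.
from collections import defaultdict


def vlans_on_side(adj, port_vlans, start, blocked):
    """Union of VLANs with ports on every switch reachable from `start`
    without crossing into `blocked` (the far end of the trunk being examined)."""
    seen, stack, vlans = {blocked, start}, [start], set()
    while stack:
        sw = stack.pop()
        vlans |= port_vlans.get(sw, set())
        for nbr in adj[sw]:
            if nbr not in seen:
                seen.add(nbr)
                stack.append(nbr)
    return vlans


def pruned_vlans(trunks, port_vlans):
    """Map each trunk (a, b) to the set of VLANs still carried across it.
    Assumes a loop-free (spanning tree) topology, as the constructed trunks are."""
    adj = defaultdict(set)
    for a, b in trunks:
        adj[a].add(b)
        adj[b].add(a)
    carried = {}
    for a, b in trunks:
        side_a = vlans_on_side(adj, port_vlans, a, b)
        side_b = vlans_on_side(adj, port_vlans, b, a)
        carried[(a, b)] = (side_a & side_b) | {1}
    return carried


# Constructed topology: SW2 is the hub; only SW1, SW2 and SW3 use VLAN 3.
TRUNKS = [("SW1", "SW2"), ("SW2", "SW3"), ("SW2", "SW4"), ("SW4", "SW5")]
PORT_VLANS = {"SW1": {2, 3}, "SW2": {3}, "SW3": {2, 3}, "SW4": {2}, "SW5": {2}}

if __name__ == "__main__":
    for trunk, vlans in pruned_vlans(TRUNKS, PORT_VLANS).items():
        print(trunk, sorted(vlans))
```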

Configuring VLANS & Trunking
The CCNA Exam assumes the use of a 1900 switch. The configurations listed here are those used on the Cisco 1900.

Cisco equipment has STP (Spanning Tree Protocol) and VTP on by default. It can be connected with redundant links and configurations without ever having to configure these two protocols. However, once you decide to break up your network into different VLANs, you will need to take VTP and STP into account, as decisions on their implementation can affect which configurations are allowed and functional within your network.

Some key points:

The number of VLANs you can use depends on the switch. The Cisco 1900 supports 64 VLANs, with a separate Spanning Tree per VLAN.
VLAN 1 is the factory default (administrative) VLAN.
CDP and VTP advertisements travel across VLAN 1.
The IP address of the Cisco 1900 switch is in the VLAN 1 broadcast domain (therefore, all devices using VLAN 1 must be on the same subnet/network).
VTP server mode is the default mode for a Cisco switch.
When only a single switch is being used, VTP should be set to transparent mode. There is no advantage to using VTP in a single-switch environment.

Single Switch Configuration

Configuring VLANs on a single switch (the name Denver_SW1 is the hostname for the switch; it will differ based upon the individual administrator's configuration. Likewise, the VTP domain name used here, Denver_Dev, is the personal preference of the administrator.)

Denver_SW1(config)# vtp transparent domain Denver_Dev
Denver_SW1(config)# vlan 2 name VLAN2
Denver_SW1(config)# vlan 3 name VLAN3
Denver_SW1(config)# interface e 0/2
Denver_SW1(config-if)# vlan-membership static 2
Denver_SW1(config-if)# interface e 0/3
Denver_SW1(config-if)# vlan-membership static 2
Denver_SW1(config-if)# interface e 0/4
Denver_SW1(config-if)# vlan-membership static 2
Denver_SW1(config-if)# interface e 0/5
Denver_SW1(config-if)# vlan-membership static 3
Denver_SW1(config-if)# interface e 0/6
Denver_SW1(config-if)# vlan-membership static 3

This configures the Denver_SW1 switch to run in transparent VTP mode and activates VLANs 2 and 3. It then sets switch ports 2, 3 and 4 for VLAN 2, and ports 5 and 6 for VLAN 3. VLAN 1 is already configured by default and cannot be renamed.

After you configure a switch for VLANS, you should manually confirm the creation and configuration of each VLAN by using the show vlan command.

Denver_SW1# show vlan 2

VLAN    Name                    Status       Ports
--------------------------------------------------------------
2      VLAN 2                  Enabled      2-4
--------------------------------------------------------------

VLAN   Type              SAID    MTU   Parent   RingNo BridgeNo STP  Trans1 Trans2
--------------------------------------------------------------------------------
2      Ethernet         100003 1500      0        1        1    Unkn     0     0
--------------------------------------------------------------------------------

Some things to keep in mind: Ethernet is the default TYPE, SAID is used for FDDI trunks, the default MTU for Ethernet VLANs is 1500, and the Cisco 1900 only supports the STP 802.1D protocol. The other protocols are only used for Token Ring or FDDI VLANs.

Multi Switch Configuration

You configure multiple switches to share VLANs by setting up trunks, the LAN segments that connect the switches. A trunk must be Fast Ethernet (100 Mbps) or faster. The Cisco 1900 uses fa0/26 and fa0/27 as its Fast Ethernet ports. You configure this using the trunk command, which has 5 options:

on - configures the port to permanent ISL mode and tells the connected device to convert the link to trunk mode.
off - disables port trunking and tells the connected device to do the same.
desirable - if the connected device is in on, auto or desirable mode, the port will activate trunking on its own. It will not do so for off or negotiate modes.
auto - the port will trunk if the connected device is in on or desirable mode.
negotiate - configures the port to permanent ISL trunk mode; no negotiation takes place with the connected device.

This configuration example uses 2 switches with 3 VLANs.

Sample for VTP Server Switch:

Denver_SW1(config)# vtp server domain Denver_Dev
Denver_SW1(config)# vlan 2 name VLAN2
Denver_SW1(config)# vlan 3 name VLAN3
Denver_SW1(config)# interface e 0/2
Denver_SW1(config-if)# vlan-membership static 2
Denver_SW1(config-if)# interface e 0/3
Denver_SW1(config-if)# vlan-membership static 2
Denver_SW1(config-if)# interface e 0/4
Denver_SW1(config-if)# vlan-membership static 2
Denver_SW1(config-if)# interface e 0/5
Denver_SW1(config-if)# vlan-membership static 3
Denver_SW1(config-if)# interface e 0/6
Denver_SW1(config-if)# vlan-membership static 3

Denver_SW1(config-if)# exit
Denver_SW1(config)# interface fa0/26
Denver_SW1(config-if)# trunk on
Denver_SW1(config-if)# vlan-membership static 1
Denver_SW1(config-if)# vlan-membership static 2
Denver_SW1(config-if)# vlan-membership static 3
Denver_SW1(config-if)# interface fa0/27
Denver_SW1(config-if)# vlan-membership static 1
Denver_SW1(config-if)# vlan-membership static 2
Denver_SW1(config-if)# vlan-membership static 3

Sample for VTP Client Switch:

Denver_SW1(config)# vtp client
Denver_SW1(config)# interface e 0/2
Denver_SW1(config-if)# vlan-membership static 3
Denver_SW1(config-if)# interface e 0/3
Denver_SW1(config-if)# vlan-membership static 3
Denver_SW1(config-if)# interface e 0/4
Denver_SW1(config-if)# vlan-membership static 3
Denver_SW1(config-if)# interface e 0/5
Denver_SW1(config-if)# vlan-membership static 3
Denver_SW1(config-if)# interface e 0/6
Denver_SW1(config-if)# vlan-membership static 3

Denver_SW1(config-if)# exit
Denver_SW1(config)# interface fa0/26
Denver_SW1(config-if)# trunk on
Denver_SW1(config-if)# vlan-membership static 1
Denver_SW1(config-if)# vlan-membership static 3
Denver_SW1(config-if)# interface fa0/27
Denver_SW1(config-if)# vlan-membership static 1
Denver_SW1(config-if)# vlan-membership static 3

Notice that the client only shares VLANs 1 and 3 with the server switch. VTP pruning will remove any VLAN 2 traffic from the ISL link; only VLAN 1 and VLAN 3 traffic will traverse it. VLAN 1 is already pre-configured on all ports, and each switch's IP address is part of VLAN 1. So, on the client switch, you only need to configure VLAN 3. You do not need to name the domain or the VLANs on the client switch, as VTP will inform it of these items in the first VTP advertisement. Statically configuring the trunk ports (fa0/26 and fa0/27) with VLAN membership information makes the switch treat these ports as part of the respective VLANs they are configured for.

The command to confirm the VTP configuration is show vtp.
The command to confirm the trunk configuration is show trunk [ a | b ], where a = fa0/26 and b = fa0/27.
The show vlan-membership command lists each port and the VLAN it is a member of.
The show spantree command displays information about STP on that switch. The CCNA Exam does not include questions on the tuning of STP.

 

SRL 10/4/2002

Key Terms

access link

A link used with switches that is part of only one Virtual LAN (VLAN). Trunk links carry information from multiple VLANs.

broadcast domain

A group of devices that receive broadcast frames originating from any device within the group. Because routers do not forward broadcast frames, broadcast domains are generally bounded by routers.

collision domain

The network area in Ethernet over which frames that have collided will spread. Collisions are propagated by hubs and repeaters, but not by LAN switches, routers, or bridges.

dynamic VLAN

An administrator creates an entry in a special server with the hardware addresses of all devices on the internetwork. The server then assigns VLANs to devices dynamically.

flat network

Network that is one large collision domain and one large broadcast domain

ISL (Inter-Switch Link) routing

Inter-Switch Link routing is a Cisco proprietary method of frame tagging in a switched internetwork. Frame tagging is a way to identify the VLAN membership of a frame as it traverses a switched internetwork.

static VLAN

Static VLANs are manually configured port-by-port. This is the method typically used in production networks.

switch fabric

Term used to identify a layer-2 switched internetwork with many switches.

trunk link

Link used between switches and from some servers to the switches. Trunk links carry information about many VLANs. Access links connect host devices to a switch and carry only the traffic of the VLAN the device is a member of.

Virtual LAN (VLAN)

A group of devices on one or more logically segmented LANs (configured by the use of management software), enabling devices to communicate as if attached to the same physical medium, when they are actually located on numerous different LAN segments. VLANs are based on logical instead of physical connections and thus are tremendously flexible.

Virtual LAN Trunking Protocol (VTP)

VTP is used to update switches in a switch fabric about VLANs configured on a VTP server. VTP devices can be a VTP server, client, or transparent device. Servers update clients. Transparent devices are local only and do not share information with VTP clients. VTP sends VLAN information down trunked links only.

VLAN tagging

VLAN tagging uses frame tagging to have a sending switch add VLAN information to a frame that is part of the same VLAN but located on a different switch before sending that frame on to the destination switch. The destination switch then looks up the VLAN information in the frame header to resolve the destination address of the frame, finding the destination device through the VLAN address table.

 

Related Commands

delete vtp
Resets all VTP parameters to defaults and resets the configuration revision number to 1

vtp [ server | transparent | client ] [ domain domain-name ] [ trap { enable | disable } ] [ password password ] [ pruning { enable | disable } ]
Defines all VTP parameters

vtp trunk pruning disable vlan-list
Disables pruning for specified VLANs on a particular trunk interface (interface subcommand)

show vtp
Displays VTP status

trunk [ on | off | desirable | auto | negotiate ]
Configures a trunk interface

show trunk { A | B | port-channel } [ allowed-vlans | prune-eligible | joined-vlans | joining-vlans ]
Displays trunk status

vlan vlan-number [ name vlan-name ] [ state { operational | suspended } ]
Defines a VLAN and its name

show vlan [ vlan ]
Displays VLAN information

vlan-membership { static vlan | dynamic }
Assigns a port to a VLAN

show vlan-membership
Displays VLAN membership

show spantree [ bridge-group | vlan ]
Displays spanning tree information for a VLAN