vlanCisco Networks Routers Switches Tim Hogan

Web Hosting by Netfirms | Free Domain Names by Netfirms

VLAN - Virtual Lan

Protocols and Versions
Timers
Switched VS Routed
Trunk Encapsulations
VTP Configs
Router to Switch Config
Switch VLAN Config
Port-Ether-Channel
Spanning tree Priority
VTP Sniffer trace
Performance issues with asymmetric routing and backup segments
Performance issues with STP changes
Link to IOS Switch commands

A virtual LAN (VLAN) is a group of hosts or network devices that form a single bridging domain.

VLANs are formed to group related users (logically), regardless of the physical connections of their hosts to the network.

Know as frame-tagging or label switching.
Sets a BROADCAST DOMAIN
Works at the Layer 2 level.
All devices in the same vlan must reside on the same IP network.
IEEE's 802.1Q Virtual LANs Standard.
Each VLAN establishes its own spanning tree 802.1d table.
VLANs are differentiated by assigning each VLAN a "color" (or VLAN ID)
Native VLAN frames are carried over the trunk "UNTAGGED"

Reasons
Broadcast control - Just as switches physically isolate collision domains for attached hosts and only forward traffic out a particular port, VLANs provide logical collision domains that confine broadcast and multicast traffic to the bridging domain.

Security - If you do not include a router in a VLAN, no users outside of that VLAN can communicate with the users in the VLAN and vice versa. This extreme level of security can be highly desirable for certain projects and applications. Packets must move up a layer and route.

Performance -You can assign users that require high performance networking to their own VLANs. Segmenting bandwidth and improving thruput.

Network management - Software on the switch allows you to assign users to VLANs and later reassign them to another VLAN. Recabling to change connectivity is no longer necessary in the switched LAN environment because network management tools allow you to reconfigure the LAN logically in seconds.

When a LAN switch first starts up and as the devices that are connected to it request services from other devices, the switch builds a table that associates the MAC address of each local device with the port number through which that device is reachable.
Caching the MAC address and delivering subsequent packets only to that port A switch can also handle multiple simultaneous conversations.
Whenever a device connected to the LAN switch sends a packet to an address that is not in the LAN switch's table (for example, to a device that is beyond the LAN switch), or whenever the device sends a broadcast or multicast packet, the LAN switch sends the packet out all ports (except for the port from which the packet originated) - a technique known as unicast flooding.

Protocols

The Spanning Tree Protocol (STP) provides network link redundancy so that a Layer 2 switched network can recover from failures without intervention in a timely manner. The STP is defined in the IEEE 802.1D standard.
The IEEE 802.1Q standard specifies how VLANs are to be trunked between switches. It also specifies only a single instance of STP that encompasses all VLANs. Known as the Common Spanning Tree (CST).

Spanning-Tree 802.1D - Sends Bridge Protocol Data Units:

Two Types of BPDU Packets:

Configuration
Topology change notification (TCN) - these get acknowledged

Common Spanning Tree
The IEEE 802.1Q standard specifies how VLANs are to be trunked between switches.

CST 802.1Q specifies only a SINGLE instance of STP that encompasses all VLANs.
All CST BPDUs are transmitted over trunk links using the native VLAN with untagged frames.

IEEE 802.10 MAN - defines a method for secure bridging of data across a shared metropolitan area network
(MAN) Switched or Routed backbone.

Spanning-Tree Interoperability and Backward Compatibility

Lists the interoperability and compatibility among the supported spanning-tree modes in a network.

**PVST+, MSTP, and Rapid-PVST+ Interoperability**
	PVST+ (IEEE) (P2P)	MSTP	Rapid PVST+
PVST+ (default)	Yes	Yes (with restrictions)	Yes (reverts to PVST+)
MSTP	Yes (with restrictions)	Yes	Yes (reverts to PVST+)
Rapid PVST+	Yes (reverts to PVST+)	Yes (reverts to PVST+)	Yes

In a mixed MSTP and PVST+ network, the common spanning-tree (CST) root must be inside the MST backbone, and a PVST+ switch cannot connect to multiple MST regions.

When a network contains switches running rapid PVST+ and switches running PVST+, we recommend that the rapid-PVST+ switches and PVST+ switches be configured for different spanning-tree instances. In the rapid-PVST+ spanning-tree instances, the root switch must be a rapid-PVST+ switch. In the PVST+ instances, the root switch must be a PVST+ switch. The PVST+ switches should be at the edge of the network.

STP - 802.1D

One spanning tree instance

CST -Common Spanning Tree

802.1Q
One spanning tree instance
Multiple Links (Only One forwards)
Standards based

PVST Per-VLAN Spanning Tree

One instance per vlan
Cisco Proprietary - Requires ISL
Problems with CST

PVST+

Solves Interoperability Problems (uses ISL or 802.1q)
IEEE version
Default now in code

RPVST+

Rapid PVST - Enhanced PVST
RSTP - Faster Convergence 802.1W
Removes link between ports role and state
RSTP Synchronization - Proposal and agreement

MST - Multiple Spanning Tree Protocol 802.1S

Reduces STP regions, takes multiple VLANS creates on instance of STP
Sets up regions of control (Name, Revision and Instance map)
IST - Internal # = 0

Timers:

Hello timer Controls how often the switch broadcasts hello messages to other switches.
Forward-delay timer Controls how long each of the listening and learning states last before the interface begins
forwarding.
Maximum-age timer Controls the amount of time the switch stores protocol information received on an interface. This gets reset when a TCN takes place. On a trunk all VLANs change (Default from 300 seconds to Forward delay 15)

Timing Summary

Max Age - A port stays in blocking for 20s.
Forward Delay - A port stays in listening for 15s, and then learning for another 15s. 2 x 15 = 30 seconds
Time for a backup link to move from blocking to forwarding after a failure is 20+15+15s = 50s.

Switched Versus Routed

Switched . Routed .

Advantage Disadvantage Advantage Disadvantage

Propagates color
information across
entire network. Backbone is running bridging. No bridging in backbone. Color information is not propagated across backbone and must be configured manually.

Allows greater
scalability by
extending bridge
domains. Broadcast traffic
increases drastically on
the backbone. Easy to integrate into existing internetwork. If subnets are split, a bridged path has to be set up between switches.

. . Can run native protocols in the backbone. .

Trunking Encapsulations:

DOT1Q ISL

Proprietary NO YES (default Cisco to Cisco)

TAG YES except Native VLAN YES

Encapsulation NO (Adds 4 bit tag + 18 CRC) 1522 YES (Entire Frame) 30 bytes (26 Header + 4 Trailer)

CRC Recalculated YES YES - But its in the FCS (trailer)

Supported VLANS 4096 1024

Inter-Switch Link
ISL is a CISCO proprietary protocol for interconnecting multiple switches and maintaining VLAN information as traffic goes between switches. This technology is similar to IEEE 802.10 in that it is a method of multiplexing bridge groups over a high speed backbone.

With ISL, an Ethernet frame is encapsulated with a header that maintains VLAN IDs between switches. A 30-byte header is prepended to the Ethernet frame, and it contains a two-byte VLAN ID. This is applied only on trunks LEAVING the switch, known as tagging.

802.1Q Industry standard for Trunking

Does not add external encapsulation instead Adds 4 byte tag inside the frame
Supports Multi vendor
Frame size becomes 1522 bytes: 1500 MTU + 4 TAG + 18 CRC
Works with 802.3 standard of 1518 bytes untagged

Dynamic Trunk Protocol

Will send DTP packets out every 30 seconds

Access Sets switch to permanent NON-Trunking mode

Trunk Set and negotiate to become trunk

Nonegotiate Will be a trunk but will not send DTP

Dynamic Auto Will respond to DTP, but not send

Dynamic Desirable Will send and respond to DTP

Antispoof Method - Hard code non trunks as access ports: switchport mode access

LANE
LAN Emulation (LANE) is a service that provides interoperability between ATM-based workstations and devices connected to existing legacy LAN technology.
LANE uses MAC encapsulation (OSI Layer 2) because this approach supports the largest number of existing OSI Layer 3 protocols. The end result is that all devices attached to an emulated LAN appear to be on one bridged segment. In this way, AppleTalk, IPX, and other protocols should have similar performance characteristics as in a traditional bridged environment. In ATM LANE environments, the ATM switch handles traffic that belongs to the same emulated LAN (ELAN), and routers handle routing

VTP VLAN Trunking Protocol

Cisco's VTP provides a means to distribute and synchronize identifying information about VLANs configured throughout a bridged network.
Configurations made to a single VTP SERVER device are propagated across trunks to all connected devices in the network.

Benefits of The Cisco's Virtual Trunk Protocol (VTP).

Integration of ISL, 802.10, 802.Q and ATM LAN based VLANs
Auto intelligence within the switches for configuring VLANs
Configuration consistency across the network
An auto mapping scheme for going across mixed media backbones
Accurate tracking and monitoring of VLANs
Dynamic reporting of added VLANs across the network
Plug-and-play setup and configuration when adding new VLANs
Default mode is SERVER

VTP Modes

Mode Domain Comments

Client YES Only Listens - Can't Create / Modify

Server YES Complete Control

Transparent NO Complete control (High VLAN #) Will Relay if in domain

IOS OS Comments

sw(config)#vtp mode ?
client Set the device to client mode.
server Set the device to server mode.
transparent Set the device to transparent mode set vtp mode ?
client VTP client mode
off VTP off
server VTP server mode
transparent VTP transparent mode Default is SERVER

(config)#vtp domain test set vtp domain test Default is NULL

(config)#vtp password XXX set vtp passwd XXX Default is none | Must match | can be authenticated

VTP Pruning

Disabled by default
Configured on VTP Server
VLAN 1 is left alone (Management)

Cisco's extended VTP provides means whereby areas of the network containing no members of a VLAN are identified. This identification is propagated through the network and used to avoid transmitting frames of that VLAN along trunks into those areas. Limiting such transmissions on a VLAN basis is termed VLAN pruning. In a large network with many VLANs, this is an important network optimization which lightens the load on many of the networks trouncing connections.

Commands:

set vtp pruning enable

vtp pruning

Configuration Example - Router to Switch

Defined as a point to point link
Router - Uses Sub Interface plan.
Each VLAN is assigned a unique IP network.
Main Interface has NO IP Address.

Command - encapsulation isl X
X = VLAN ID in switches

!
interface FastEthernet1/0
no ip address
full-duplex
! SUB INTERFACE
interface FastEthernet1/0.1
ip address 207.115.62.1 255.255.255.0
ip access-group 130 in
no ip redirects
encapsulation isl 1
! SUB INTERFACE
interface FastEthernet1/0.2
ip address 192.168.240.1 255.255.255.0
ip access-group 140 in
no ip redirects
encapsulation isl 100
! SUB INTERFACE
interface FastEthernet1/0.3
ip address 192.168.241.1 255.255.255.0
ip access-group 140 in
no ip redirects
encapsulation isl 101
!

Switch - Connects VIA trunks
Under VTP Section - Must be common domain
Use Set VTP, Set VLAN, Set TRUNK commands

set vtp [domain domain_name] [mode {client | server | transparent}] [passwd passwd] [pruning
{enable | disable}] [v2 {enable | disable}]

Command - set vtp domain (PRODIGY) mode (SERVER)
Command - set vlan # name XYZ state ACTIVE
Command - set trunk X/Y on
Command - set vlan # x/y
Command on 2900 - under interface - switchport access vlan x
Command on 1900 - under interface - vlan-membership static x

#vtp Set up DOMAIN
set vtp domain PRODIGY    [Establish Common environment]
set vtp mode server     [Server = Send Changes, Client = Listen for Changes, Transparent = Idle Config]
set vtp passwd P0lCAT   [protects Domain]
set vtp v2 disable
set vtp pruning disable
set vtp pruneeligible 2-1000
clear vtp pruneeligible 1001-1005
# Match to Router ISL numbers
set vlan 1 name default type ethernet mtu 1500 said 100001 state active    [set vlan 1 name default state active]
set vlan 100 name private type ethernet mtu 1500 said 100100 state active
set vlan 101 name cs-mail type ethernet mtu 1500 said 100101 state active

# Turn Trunk ON !!!
set trunk 1/1 on 1-1000

~~~~~~~~~~~~~~~~~~~~~~~~
NOTE :

to change / clear the VTP password - VTP passwd 0 - (zero).
to clear a VLAN - CLEAR VLAN X - (X = vlan #).

Fast EtherChannel

FastEther Channel or Port Groups
Fast Ether Channel is a trunking technology based on grouping together multiple full duplex GIG / Fast Ethernets to provide fault-tolerant high-speed links between switches, routers, and servers. EtherChannels can be composed of at least two and up to eight (Switch dependent) industry-standard links to provide load sharing of traffic..

Fast EtherChannel does not require the use of 802.1D Spanning-Tree Protocol (STP) to maintain topology state within the channel. Rather it uses a peer-to- peer control protocol that provides autoconfiguration and sub-second convergence times for parallel links, yet allows higher-level protocols such as STP, or existing routing protocols, to maintain topology. The channel ports look like one bundle, it allows a Forward / Forward condition on STP. The MAC address is used to handle a "balance" of traffic.

Set up of Channels or Groups / Bundles to aggregate ports.

Can be used -

Router (7500 = channel-group x) to Switch (Cats)
Switch to Switch (Cat5k = set port channel 3/1-2 on | Cat29K / 35K = port group x distribution )
Switch to Server (Server = EtherChannel functionality is provided through a LAN driver)

Configuration: varies by switch type and IOS.

Set up of Channels or Groups / Bundles to aggregate ports. Ports can be on different cards and not contiguos.
Distribution can be controlled by "MAC or IP" and "Source or Destination".

Channel Commands: varies by switch type and IOS.

Cat5K / 6K
show port channel - Base configuration.
show port channel info - Full display, shows remote connections.
show port channel statistics - Look for errors.
show spantree - Base conditions.

Cat29K / 35K
show etherchannel summary - Base configuration.
show spanning-tree summary - Base conditions.

Channel Connections

There are four user-configurable channel modes: on, off, auto, and desirable.
PAgP packets are exchanged only between ports in auto and desirable mode.
Ports configured in on or off mode do not exchange PAgP packets.
6K trunk channels use mode desirable silent -
Example set port chan 7/1-8/2 mode desirable silent

Channel Modes

Mode	Description
on	Forces the port to channel without negotiation. PAgP packets are not exchanged. The port is channeling regardless of how the peer port is configured. If the peer port is in on mode, a channel is formed. In any other mode, the peer port is placed in the errdisable state due to a channel misconfiguration.
off	Prevents the port from channeling. PAgP packets are not exchanged. The port is not channeling regardless of how the peer port is configured. No channel is formed.
auto	Places a port into a passive negotiating state, in which the port responds to PAgP packets it receives but does not initiate PAgP packet negotiation. A channel is formed only with another port group in desirable mode. (Default)
desirable	Places a port into an active negotiating state, in which the port initiates negotiations with other ports by sending PAgP packets. A channel is formed with another port group in either desirable or auto mode.

Key in display outputs is if you see "Members" listed individually:

With LACP: Member 0 : GigabitEthernet3/0/0 , Full-duplex, 1000Mb/s Member 1 : GigabitEthernet7/1/0

With PAPG: Members in this channel: Gi7/1 Gi7/2 Gi8/1 Gi8/2

passive	LACP mode that places a port into a passive negotiating state, in which the port responds to LACP packets it receives but does not initiate LACP negotiation. (Default)
active	LACP mode that places a port into an active negotiating state, in which the port initiates negotiations with other ports by sending LACP packets.

Link Aggregation Control Protocol (LACP)

channel-group number mode {active | passive}

channel-protocol lacp
LACP system priority defined (1 to 65,535; default 32,768) used to determine boss of negotiation.

Example:
Router(config-if)# channel-group 1 mode active

Assigns the interface to the previously configured port channel group.

•Number—Valid range is 1 to 64.
•Active: Places a port into an active negotiating state, in which the port initiates negotiations with other ports by sending LACP packets.
•Passive: Places a port into a passive negotiating state, in which the port responds to LACP packets it receives but does not initiate LACP negotiation.

Passive mode cannot form an EtherChannel with another port that is also in passive mode.

Performance issues with asymmetric routing and backup segments

A common problem with backup segments causing performance problems by flooding data. Asymmetric routing issues do not break connectivity. However, asymmetric routing can cause excessive unicast flooding and MLS entries that are missing. Also by default if there is no entry in the cam table; the packet gets forward to every port in the vlan on all switches. Sometimes all ports.

Router default is 4 hours | Switch default is 5 minutes

Three configuration changes that can remedy this situation

Adjust the MAC aging time on the respective switches to 14,400 seconds (4 hours default) or longer.
Change the ARP timeout on the routers to 5 minutes (300 seconds default).
Change the MAC aging time and ARP timeout to the same timeout value.

Medium / Large Sites The preferable method is to change the MAC aging time to 14,400 seconds.

The only caveat is when you have a too large number of CAM entries.

Otherwise drop the IOS

int vlan24
arp timeout 300

To change cam timer on switch:

Do this on the Core switches
You can do this to just one vlan - (in this case vlan 24)
(OS) set cam agingtime 24 14400
(IOS) mac-address-table aging-time 14400 vlan 24

Verify Change:

IOS	OS
3K-SW#sho mac-address-table aging-time Vlan Aging Time ---- ---------- 24 14400 3K-SW#	6K sho cam agingtime 24 VLAN 24 aging time = 14400 sec 6K

When the ARP is sent out, the cam table will be updated on the appropriate port since the response has to get back to this MSFC. This essentially synchronizes the tables because that cam timer gets reset to 0 or relearned at that time

-- but this only happens every 4 hours by default.

Troubleshooting performance issues with spanning tree:

Look for LAST TOPOLOGY CHANGE
If all VLANS keep reverting back - usually under 5 Minutes - LOOK for TRUNKS bouncing.
Trace back by MAC and forwarder port - leads back to ROOT Switches:

IOS
sho spanning-tree detail active VLAN0001 is executing the ieee compatible Spanning Tree protocol Bridge Identifier has priority 32768, sysid 1, address 0013.802b.d200 Configured hello time 2, max age 20, forward delay 15 We are the root of the spanning tree Topology change flag not set, detected flag not set Number of topology changes 1 last change occurred 4w1d ago from FastEthernet1/0/45 Times: hold 1, topology change 35, notification 2 hello 2, max age 20, forward delay 15 Timers: hello 0, topology change 0, notification 0, aging 300	#sho spanning-tree vlan 1 det VLAN0001 is executing the ieee compatible Spanning Tree protocol Bridge Identifier has priority 28672, sysid 100, address 0011.bc35.cd00 Configured hello time 2, max age 20, forward delay 15 Current root has priority 24676, address 0011.bcd1.6ac0 Root port is 1665 (Port-channel1), cost of root path is 3 Topology change flag not set, detected flag not set Number of topology changes 11739 last change occurred 1w6d ago from Port-channel25 Times: hold 1, topology change 35, notification 2 hello 2, max age 20, forward delay 15 Timers: hello 0, topology change 0, notification 0, aging 300

OS
sho spantree sta 2/2 67
spanningtree type ieee
spanningtree multicast address 01-80-c2-00-00-00
bridge priority 49152
bridge mac address 00-0b-fc-3f-63-82
bridge hello time 2 sec
bridge forward delay 15(15) sec
topology change initiator: 1/1
last topology change occured: Sun Apr 15 2007, 05:44:36
topology change FALSE
topology change time 35
topology change detected FALSE
topology change count 27
topology change last recvd. from 00-00-00-00-00-00

Switched	.	Routed	.
Advantage	Disadvantage	Advantage	Disadvantage
Propagates color information across entire network.	Backbone is running bridging.	No bridging in backbone.	Color information is not propagated across backbone and must be configured manually.
Allows greater scalability by extending bridge domains.	Broadcast traffic increases drastically on the backbone.	Easy to integrate into existing internetwork.	If subnets are split, a bridged path has to be set up between switches.
.	.	Can run native protocols in the backbone.	.

	DOT1Q	ISL
Proprietary	NO	YES (default Cisco to Cisco)
TAG	YES except Native VLAN	YES
Encapsulation	NO (Adds 4 bit tag + 18 CRC) 1522	YES (Entire Frame) 30 bytes (26 Header + 4 Trailer)
CRC Recalculated	YES	YES - But its in the FCS (trailer)
Supported VLANS	4096	1024

Access	Sets switch to permanent NON-Trunking mode
Trunk	Set and negotiate to become trunk
Nonegotiate	Will be a trunk but will not send DTP
Dynamic Auto	Will respond to DTP, but not send
Dynamic Desirable	Will send and respond to DTP

Mode	Domain	Comments
Client	YES	Only Listens - Can't Create / Modify
Server	YES	Complete Control
Transparent	NO	Complete control (High VLAN #) Will Relay if in domain

IOS	OS	Comments
sw(config)#vtp mode ? client Set the device to client mode. server Set the device to server mode. transparent Set the device to transparent mode	set vtp mode ? client VTP client mode off VTP off server VTP server mode transparent VTP transparent mode	Default is SERVER
(config)#vtp domain test	set vtp domain test	Default is NULL
(config)#vtp password XXX	set vtp passwd XXX	Default is none \| Must match \| can be authenticated