Frame Tagging
As you now know, you can set up your VLANs to span more than one connected switch. You can see that going on in Figure 11.6, which depicts hosts from two VLANs spread across two switches. This flexible, power-packed capability is probably the main advantage to implementing VLANs, and we can do this with up to a thousand VLANs and thousands upon thousands of hosts!
All this can get kind of complicated—even for a switch—so there needs to
be a way for each one to keep track of all the users and frames as they
travel the switch fabric and VLANs. When I say, “switch fabric,” I’m just
referring to a group of switches that share the same VLAN information.
And this just happens to be where frame tagging enters the scene. This
frame identification method uniquely assigns a user-defined VLAN ID to
each frame.
Here’s how it works: Once within the switch fabric, each switch that the
frame reaches must first identify the VLAN ID from the frame tag. It then
finds out what to do with the frame by looking at the information in
what’s known as the filter table. If the frame reaches a switch that has
another trunked link, the frame will be forwarded out of the trunk-link
port.
Once the frame reaches an exit that’s determined by the forward/filter
table to be an access link matching the frame’s VLAN ID, the switch will
remove the VLAN identifier. This is so the destination device can receive
the frames without being required to understand their VLAN
identification information.
Another great thing about trunk ports is that they’ll support tagged and
untagged traffic simultaneously if you’re using 802.1q trunking, which we
will talk about next. The trunk port is assigned a default port VLAN ID
(PVID) for a VLAN upon which all untagged traffic will travel. This VLAN
is also called the native VLAN and is always VLAN 1 by default, but it can
be changed to any VLAN number.
Similarly, any untagged or tagged traffic with a NULL (unassigned)
VLAN ID is assumed to belong to the VLAN with the port default PVID.
Again, this would be VLAN 1 by default. A packet with a VLAN ID equal
to the outgoing port native VLAN is sent untagged and can communicate
to only hosts or devices in that same VLAN. All other VLAN traffic has to
be sent with a VLAN tag to communicate within a particular VLAN that
corresponds with that tag.
VLAN Identification Methods
VLAN identification is what switches use to keep track of all those frames
as they’re traversing a switch fabric. It’s how switches identify which
frames belong to which VLANs, and there’s more than one trunking
method.
Inter-Switch Link (ISL)
Inter-Switch Link (ISL) is a way of explicitly tagging VLAN information
onto an Ethernet frame. This tagging information allows VLANs to be
multiplexed over a trunk link through an external encapsulation method.
This allows the switch to identify the VLAN membership of a frame
received over the trunked link.
By running ISL, you can interconnect multiple switches and still maintain
VLAN information as traffic travels between switches on trunk links. ISL
functions at layer 2 by encapsulating a data frame with a new header and
by performing a new cyclic redundancy check (CRC).
Of note is that ISL is proprietary to Cisco switches and is pretty versatile
as well. ISL can be used on a switch port, router interfaces, and server
interface cards to trunk a server.
Although some Cisco switches still support ISL frame tagging, Cisco is
moving toward using only 802.1q.
IEEE 802.1q
Created by the IEEE as a standard method of frame tagging, IEEE 802.1q
actually inserts a field into the frame to identify the VLAN. If you’re
trunking between a Cisco switched link and a different brand of switch,
you’ve got to use 802.1q for the trunk to work.
Unlike ISL, which encapsulates the frame with control information, 802.1q inserts an 802.1q field along with tag control information, as shown in Figure 11.7.
FIGURE 11.7 IEEE 802.1q encapsulation with and without the 802.1q tag
For the Cisco exam objectives, it’s only the 12-bit VLAN ID that matters.
This field identifies the VLAN and can be 2 to the 12th, minus 2 for the 0
and 4,095 reserved VLANs, which means an 802.1q tagged frame can
carry information for 4,094 VLANs.
It works like this: You first designate each port that’s going to be a trunk
with 802.1q encapsulation. The other ports must be assigned a specific
VLAN ID in order for them to communicate. VLAN 1 is the default native
VLAN, and when using 802.1q, all traffic for a native VLAN is untagged.
The ports that populate the same trunk create a group with this native
VLAN and each port gets tagged with an identification number reflecting
that. Again the default is VLAN 1. The native VLAN allows the trunks to
accept information that was received without any VLAN identification or
frame tag.
Most 2960 model switches only support the IEEE 802.1q trunking
protocol, but the 3560 will support both the ISL and IEEE methods,
which you’ll see later in this chapter.
The basic purpose of ISL and 802.1q frame-tagging methods
is to provide inter-switch VLAN communication. Remember that any
ISL or 802.1q frame tagging is removed if a frame is forwarded out an
access link—tagging is used internally and across trunk links only!
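As an added illustration (not from the book), the following Python builds and parses Ethernet frames carrying the 4-byte 802.1q tag described above, applies the native-VLAN (PVID) rule to untagged and VID-0 frames arriving on a trunk, and strips the tag when a frame exits an access port or travels the trunk's native VLAN. The MAC addresses, payloads and VLAN numbers are constructed sample values.

```python
"""Added example: 802.1q tag handling on trunk ingress/egress (not book code)."""
import struct

TPID_8021Q = 0x8100   # EtherType value that announces an 802.1q tag follows


def build_frame(dst, src, ethertype, payload, vid=None, pcp=0):
    """Ethernet II frame; if vid is given, a 4-byte 802.1q tag (TPID + TCI)
    is inserted between the source MAC and the EtherType. TCI layout:
    PCP (3 bits) | DEI (1 bit, left 0) | VID (12 bits)."""
    frame = dst + src
    if vid is not None:
        if not 0 <= vid <= 4094:   # 4095 is reserved and never put on the wire
            raise ValueError(f"invalid VLAN ID {vid}")
        tci = ((pcp & 0x7) << 13) | (vid & 0x0FFF)
        frame += struct.pack("!HH", TPID_8021Q, tci)
    return frame + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Return (vid or None, pcp, ethertype, payload); vid None = untagged."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != TPID_8021Q:
        return None, 0, ethertype, frame[14:]
    tci, inner_type = struct.unpack("!HH", frame[14:18])
    return tci & 0x0FFF, tci >> 13, inner_type, frame[18:]


def classify_ingress(frame, pvid=1):
    """VLAN a trunk port assigns to an arriving frame: untagged frames and
    frames carrying VID 0 (priority tag only) fall into the native VLAN."""
    vid = parse_frame(frame)[0]
    return pvid if vid in (None, 0) else vid


def egress(frame, vlan, port_kind, native_vlan=1):
    """Frame as it leaves a port. Access ports and the trunk's native VLAN
    send it untagged; every other VLAN on a trunk goes out tagged."""
    _, pcp, ethertype, payload = parse_frame(frame)
    dst, src = frame[:6], frame[6:12]
    if port_kind == "access" or vlan == native_vlan:
        return build_frame(dst, src, ethertype, payload)
    return build_frame(dst, src, ethertype, payload, vid=vlan, pcp=pcp)


if __name__ == "__main__":
    # Constructed sample addresses and payload, not captured traffic.
    dst, src = bytes.fromhex("ffffffffffff"), bytes.fromhex("001122334455")
    tagged = build_frame(dst, src, 0x0800, b"ip-payload", vid=3, pcp=5)
    print("ingress VLAN of tagged frame:", classify_ingress(tagged))
    print("ingress VLAN of untagged frame:",
          classify_ingress(build_frame(dst, src, 0x0800, b"x")))
    print("tag stripped on access egress:",
          parse_frame(egress(tagged, 3, "access"))[0] is None)
```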
Routing between VLANs
Hosts in a VLAN live in their own broadcast domain and can
communicate freely. VLANs create network partitioning and traffic
separation at layer 2 of the OSI, and as I said when I told you why we still
need routers, if you want hosts or any other IP-addressable device to
communicate between VLANs, you must have a layer 3 device to provide
routing.
For this, you can use a router that has an interface for each VLAN or a
router that supports ISL or 802.1q routing. The least expensive router
that supports ISL or 802.1q routing is the 2600 series router. You’d have
to buy that from a used-equipment reseller because they are end-of-life,
or EOL. I’d recommend at least a 2800 as a bare minimum, but even that
only supports 802.1q; Cisco is really moving away from ISL, so you
probably should only be using 802.1q anyway. Some 2800s may support
both ISL and 802.1q; I’ve just never seen it supported.
Anyway, as shown in Figure 11.8, if you had two or three VLANs, you could get by with a router equipped with two or three FastEthernet connections. And 10Base-T is okay for home study purposes, and I mean only for your studies, but for anything else I’d highly recommend Gigabit interfaces for real power under the hood!
What we see in Figure 11.8 is that each router interface is plugged into an access link. This means that each of the routers’ interface IP addresses would then become the default gateway address for each host in each respective VLAN.
FIGURE 11.8 Router connecting three VLANs together for inter-VLAN communication, one router interface for each VLAN
If you have more VLANs available than router interfaces, you can
configure trunking on one FastEthernet interface or buy a layer 3 switch,
like the old and now cheap 3560 or a higher-end switch like a 3850. You
could even opt for a 6800 if you’ve got money to burn!
Instead of using a router interface for each VLAN, you can use one FastEthernet interface and run ISL or 802.1q trunking. Figure 11.9 shows how a FastEthernet interface on a router will look when configured with ISL or 802.1q trunking. This allows all VLANs to communicate through one interface. Cisco calls this a router on a stick (ROAS).
FIGURE 11.9 Router on a stick: single router interface connecting all three VLANs together for inter-VLAN communication
I really want to point out that this creates a potential bottleneck, as well
as a single point of failure, so your host/VLAN count is limited. To how
many? Well, that depends on your traffic level. To really make things
right, you’d be better off using a higher-end switch and routing on the
backplane. But if you just happen to have a router sitting around,
configuring this method is free, right?
Figure 11.10 shows how we would create a router on a stick using a router’s physical interface by creating logical interfaces—one for each VLAN.
FIGURE 11.10 A router creates logical interfaces.
Here we see one physical interface divided into multiple subinterfaces,
with one subnet assigned per VLAN, each subinterface being the default
gateway address for each VLAN/subnet. An encapsulation identifier must
be assigned to each subinterface to define the VLAN ID of that
subinterface. In the next section where I’ll configure VLANs and inter-VLAN
routing, I’ll configure our switched network with a router on a stick
and demonstrate this configuration for you.
But wait, there’s still one more way to go about routing! Instead of using
an external router interface for each VLAN, or an external router on a
stick, we can configure logical interfaces on the backplane of the layer 3
switch; this is called inter-VLAN routing (IVR), and it’s configured with a
switched virtual interface (SVI).
Figure 11.11 shows how hosts see these virtual interfaces.
FIGURE 11.11 With IVR, routing runs on the backplane of the switch, and it appears to the hosts that a router is present.
In Figure 11.11, it appears there’s a router present, but there is no physical
router present as there was when we used router on a stick. The IVR
process takes little effort and is easy to implement, which makes it very
cool! Plus, it’s a lot more efficient for inter-VLAN routing than an
external router is. To implement IVR on a multilayer switch, we just need
to create logical interfaces in the switch configuration for each VLAN.
We’ll configure this method in a minute, but first let’s take our existing
switched network from Chapter 10, “Layer 2 Switching,” and add some
VLANs, then configure VLAN memberships and trunk links between our
switches.
Configuring VLANs
Now this may come as a surprise to you, but configuring VLANs is
actually pretty easy. It’s just that figuring out which users you want in
each VLAN is not, and doing that can eat up a lot of your time! But once
you’ve decided on the number of VLANs you want to create and
established which users you want belonging to each one, it’s time to bring
your first VLAN into the world.
To configure VLANs on a Cisco Catalyst switch, use the global config vlan command. In the following example, I’m going to demonstrate how to configure VLANs on the S1 switch by creating three VLANs for three different departments—again, remember that VLAN 1 is the native and management VLAN by default:
S1(config)#vlan ?
  WORD        ISL VLAN IDs 1-4094
  access-map  Create vlan access-map or enter vlan access-map command mode
  dot1q       dot1q parameters
  filter      Apply a VLAN Map
  group       Create a vlan group
  internal    internal VLAN
S1(config)#vlan 2
S1(config-vlan)#name Sales
S1(config-vlan)#vlan 3
S1(config-vlan)#name Marketing
S1(config-vlan)#vlan 4
S1(config-vlan)#name Accounting
S1(config-vlan)#vlan 5
S1(config-vlan)#name Voice
S1(config-vlan)#^Z
S1#
In this output, you can see that you can create VLANs from 1 to 4094. But
this is only mostly true. As I said, VLANs can really only be created up to
1001, and you can’t use, change, rename, or delete VLANs 1 or 1002
through 1005 because they’re reserved. The VLAN numbers above 1005
are called extended VLANs and won’t be saved in the database unless
your switch is set to what is called VLAN Trunking Protocol (VTP)
transparent mode. You won’t see these VLAN numbers used too often in
production. Here’s an example of me attempting to set my S1 switch to
VLAN 4000 when my switch is set to VTP server mode (the default VTP
mode):
S1#config t
S1(config)#vlan 4000
S1(config-vlan)#^Z
% Failed to create VLANs 4000
Extended VLAN(s) not allowed in current VTP mode.
%Failed to commit extended VLAN(s) changes.
After you create the VLANs that you want, you can use the show vlan command to check them out. But notice that, by default, all ports on the switch are in VLAN 1. To change the VLAN associated with a port, you need to go to each interface and specifically tell it which VLAN to be a part of.
Remember that a created VLAN is unused until it is assigned
to a switch port or ports and that all ports are always assigned in
VLAN 1 unless set otherwise.
Once the VLANs are created, verify your configuration with the show vlan command (sh vlan for short):
S1#sh vlan
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                Fa0/9, Fa0/10, Fa0/11, Fa0/12
                                                Fa0/13, Fa0/14, Fa0/19, Fa0/20
                                                Fa0/21, Fa0/22, Fa0/23, Gi0/1
                                                Gi0/2
2    Sales                            active
3    Marketing                        active
4    Accounting                       active
5    Voice                            active
[output cut]
This may seem repetitive, but it’s important, and I want you to remember
it: You can’t change, delete, or rename VLAN 1 because it’s the default
VLAN and you just can’t change that—period. It’s also the native VLAN of
all switches by default, and Cisco recommends that you use it as your
management VLAN. If you’re worried about security issues, then change
it! Basically, any ports that aren’t specifically assigned to a different
VLAN will be sent down to the native VLAN—VLAN 1.
In the preceding S1 output, you can see that ports Fa0/1 through Fa0/14, Fa0/19 through 23, and Gi0/1 and Gi0/2 uplinks are all in VLAN 1. But where are ports 15 through 18? First, understand that the command show vlan only displays access ports, so now that you know what you’re looking at with the show vlan command, where do you think ports Fa15–18 are? That’s right! They are trunked ports. Cisco switches run a proprietary protocol called Dynamic Trunk Protocol (DTP), and if there is a compatible switch connected, they will start trunking automatically, which is precisely where my four ports are. You have to use the show interfaces trunk command to see your trunked ports like this:
S1#show interfaces trunk
Port        Mode         Encapsulation  Status        Native vlan
Fa0/15      desirable    n-isl          trunking      1
Fa0/16      desirable    n-isl          trunking      1
Fa0/17      desirable    n-isl          trunking      1
Fa0/18      desirable    n-isl          trunking      1

Port        Vlans allowed on trunk
Fa0/15      1-4094
Fa0/16      1-4094
Fa0/17      1-4094
Fa0/18      1-4094
[output cut]
This output reveals that the VLANs from 1 to 4094 are allowed across the trunk by default. Another helpful command, which is also part of the Cisco exam objectives, is the show interfaces interface switchport command:
S1#sh interfaces fastEthernet 0/15 switchport
Name: Fa0/15
Switchport: Enabled
Administrative Mode: dynamic desirable
Operational Mode: trunk
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: isl
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
[output cut]
This output shows us the administrative mode of dynamic desirable, that the port is a trunk port, and that DTP was used to negotiate the frame-tagging method of ISL. It also predictably shows that the native VLAN is the default of 1.
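As an added defender-side check (not from the book, and not a Cisco tool), this Python parses the two tables printed by show interfaces trunk and flags trunks that still carry the negotiated defaults just described: a DTP-negotiated mode (desirable or auto) with an n- encapsulation, native VLAN 1, and the full 1-4094 allowed range. The sample output is constructed to mirror the S1 output above, with Fa0/17 hardened for contrast.

```python
"""Added example: audit `show interfaces trunk` for negotiated/default settings
(not book code). The SAMPLE text is constructed, not captured from a switch."""

SAMPLE = """\
Port        Mode         Encapsulation  Status        Native vlan
Fa0/15      desirable    n-isl          trunking      1
Fa0/16      desirable    n-isl          trunking      1
Fa0/17      on           802.1q         trunking      99
Fa0/18      auto         n-802.1q       trunking      1

Port        Vlans allowed on trunk
Fa0/15      1-4094
Fa0/16      1-4094
Fa0/17      2-5,99
Fa0/18      1-4094
"""


def parse_show_interfaces_trunk(text):
    """Return {port: {mode, encapsulation, status, native, allowed}}.
    The command prints two tables, both keyed by port name; the header
    row of each table starts with the word Port."""
    trunks, section = {}, None
    for line in text.splitlines():
        cols = line.split()
        if not cols:
            continue
        if cols[0] == "Port":
            section = "allowed" if "allowed" in line else "summary"
            continue
        if section == "summary" and len(cols) == 5:
            trunks[cols[0]] = dict(mode=cols[1], encapsulation=cols[2],
                                   status=cols[3], native=int(cols[4]))
        elif section == "allowed" and len(cols) == 2 and cols[0] in trunks:
            trunks[cols[0]]["allowed"] = cols[1]
    return trunks


def audit_trunks(trunks):
    """Return {port: [findings]} for trunks that still show settings the
    switch negotiated or defaulted to rather than ones set by hand."""
    findings = {}
    for port, t in trunks.items():
        notes = []
        if t["mode"] in ("desirable", "auto"):
            notes.append(f"trunk negotiated by DTP (mode {t['mode']})")
        if t["encapsulation"].startswith("n-"):
            notes.append(f"encapsulation negotiated ({t['encapsulation']})")
        if t["native"] == 1:
            notes.append("native VLAN is still the default VLAN 1")
        if t.get("allowed") == "1-4094":
            notes.append("all VLANs 1-4094 allowed on trunk")
        if notes:
            findings[port] = notes
    return findings


if __name__ == "__main__":
    for port, notes in audit_trunks(parse_show_interfaces_trunk(SAMPLE)).items():
        print(port, "->", "; ".join(notes))
```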
Now that we can see the VLANs created, we can assign switch ports to
specific ones. Each port can be part of only one VLAN, with the exception
of voice access ports. Using trunking, you can make a port available to
traffic from all VLANs. I’ll cover that next.
Assigning Switch Ports to VLANs
You configure a port to belong to a VLAN by assigning a membership mode that specifies the kind of traffic the port carries plus the number of VLANs it can belong to. You can also configure each port on a switch to be in a specific VLAN (access port) by using the interface switchport command. You can even configure multiple ports at the same time with the interface range command.
In the next example, I’ll configure interface Fa0/3 to VLAN 3. This is the connection from the S3 switch to the host device:
S3#config t
S3(config)#int fa0/3
S3(config-if)#switchport ?
  access         Set access mode characteristics of the interface
  autostate      Include or exclude this port from vlan link up calculation
  backup         Set backup for the interface
  block          Disable forwarding of unknown uni/multi cast addresses
  host           Set port host
  mode           Set trunking mode of the interface
  nonegotiate    Device will not engage in negotiation protocol on this interface
  port-security  Security related command
  priority       Set appliance 802.1p priority
  private-vlan   Set the private VLAN configuration
  protected      Configure an interface to be a protected port
  trunk          Set trunking characteristics of the interface
  voice          Voice appliance attributes voice
Well now, what do we have here? There’s some new stuff showing up in our output now. We can see various commands—some that I’ve already covered, but no worries because I’m going to cover the access, mode, nonegotiate, and trunk commands very soon. Let’s start with setting an access port on S1, which is probably the most widely used type of port you’ll find on production switches that have VLANs configured:
S3(config-if)#switchport mode ?
  access        Set trunking mode to ACCESS unconditionally
  dot1q-tunnel  set trunking mode to TUNNEL unconditionally
  dynamic       Set trunking mode to dynamically negotiate access or trunk mode
  private-vlan  Set private-vlan mode
  trunk         Set trunking mode to TRUNK unconditionally
S3(config-if)#switchport mode access
S3(config-if)#switchport access vlan 3
S3(config-if)#switchport voice vlan 5
By starting with the switchport mode access command, you’re telling the switch that this is a nontrunking layer 2 port. You can then assign a VLAN to the port with the switchport access command, as well as configure the same port to be a member of a different type of VLAN, called the voice VLAN. This allows you to connect a laptop into a phone, and the phone into a single switch port. Remember, you can choose many ports to configure simultaneously with the interface range command.
Let’s take a look at our VLANs now:
S3#show vlan
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/4, Fa0/5, Fa0/6, Fa0/7
                                                Fa0/8, Fa0/9, Fa0/10, Fa0/11
                                                Fa0/12, Fa0/13, Fa0/14, Fa0/19
                                                Fa0/20, Fa0/21, Fa0/22, Fa0/23
                                                Gi0/1, Gi0/2
2    Sales                            active
3    Marketing                        active    Fa0/3
5    Voice                            active    Fa0/3
Notice that port Fa0/3 is now a member of VLAN 3 and VLAN 5—two different types of VLANs. But, can you tell me where ports 1 and 2 are? And why aren’t they showing up in the output of show vlan? That’s right, because they are trunk ports!
We can also see this with the show interfaces interface switchport command:
S3#sh int fa0/3 switchport
Name: Fa0/3
Switchport: Enabled
Administrative Mode: static access
Operational Mode: static access
Administrative Trunking Encapsulation: negotiate
Negotiation of Trunking: Off
Access Mode VLAN: 3 (Marketing)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: 5 (Voice)
This output shows that Fa0/3 is an access port and a member of VLAN 3 (Marketing), as well as a member of the Voice VLAN 5.
That’s it. Well, sort of. If you plugged devices into each VLAN port, they
can only talk to other devices in the same VLAN. But as soon as you learn
a bit more about trunking, we’re going to enable inter-VLAN
communication!