PART II
ICND 2
Chapter 15
Enhanced Switched Technologies
THE FOLLOWING ICND2 EXAM TOPICS ARE COVERED IN THIS CHAPTER:
1.0 LAN Switching Technologies
1.1 Configure, verify, and troubleshoot VLANs (normal/extended range) spanning multiple switches
1.1.a Access ports (data and voice)
1.1.b Default VLAN
1.2 Configure, verify, and troubleshoot interswitch connectivity
1.2.a Add and remove VLANs on a trunk
1.2.b DTP and VTP (v1&v2)
1.3 Configure, verify, and troubleshoot STP protocols
1.3.a STP mode (PVST+ and RPVST+)
1.3.b STP root bridge selection
1.4 Configure, verify, and troubleshoot STP-related optional features
1.4.a PortFast
1.4.b BPDU guard
1.5 Configure, verify, and troubleshoot (Layer 2/Layer 3) EtherChannel
1.5.a Static
1.5.b PAGP
1.5.c LACP
1.7 Describe common access layer threat mitigation techniques
1.7.c Nondefault native VLAN
2.0 Routing Technologies
2.1 Configure, verify, and troubleshoot Inter-VLAN routing
2.1.a Router on a stick
2.1.b SVI
Long ago, a company called Digital Equipment
Corporation (DEC) created the original version of Spanning Tree
Protocol (STP). The IEEE later created its own version of STP called
802.1d. Cisco has moved toward another industry standard in its newer
switches called 802.1w. We’ll explore both the old and new versions of
STP in this chapter, but first, I’ll define some important STP basics.
Routing protocols like RIP, EIGRP, and OSPF have processes for
preventing loops from occurring at the Network layer, but if you have
redundant physical links between your switches, these protocols won’t do
a thing to stop loops from occurring at the Data Link layer. That’s exactly
why STP was developed—to put an end to loop issues in a layer 2
switched network. It’s also why we’ll be thoroughly exploring the key
features of this vital protocol as well as how it works within a switched
network in this chapter.
After covering STP in detail, we’ll move on to explore EtherChannel.
To find up-to-the-minute updates for this chapter, please see www.lammle.com/ccna or the book’s web page at www.sybex.com/go/ccna.
VLAN Review
As you may remember from ICND1, configuring VLANs is actually pretty
easy. It’s just that figuring out which users you want in each VLAN is not,
and doing that can eat up a lot of your time! But once you’ve decided on
the number of VLANs you want to create and established which users you
want to belong to each one, it’s time to bring your first VLAN into the
world.
To configure VLANs on a Cisco Catalyst switch, use the global config vlan
command. In the following example, I’m going to demonstrate how to
configure VLANs on the S1 switch by creating three VLANs for three
different departments—again, remember that VLAN 1 is the native and
management VLAN by default:
S1(config)# vlan ?
  WORD        ISL VLAN IDs 1-4094
  access-map  Create vlan access-map or enter vlan access-map command mode
  dot1q       dot1q parameters
  filter      Apply a VLAN Map
  group       Create a vlan group
  internal    internal VLAN
S1(config)# vlan 2
S1(config-vlan)# name Sales
S1(config-vlan)# vlan 3
S1(config-vlan)# name Marketing
S1(config-vlan)# vlan 4
S1(config-vlan)# name Accounting
S1(config-vlan)# ^Z
S1#
In this output, you can see that you can create VLANs from 1 to 4094. But
this is only mostly true. As I said, VLANs can really only be created up to
1001, and you can’t use, change, rename, or delete VLANs 1 or 1002
through 1005 because they’re reserved. VLANs with numbers above
1005 are called extended VLANs and won’t be saved in the database
unless your switch is set to what is called VLAN Trunking Protocol (VTP)
transparent mode. You won’t see these VLAN numbers used too often in
production. Here’s an example of me attempting to set my S1 switch to
VLAN 4000 when my switch is set to VTP server mode (the default VTP
mode, which we’ll talk about shortly):
S1# config t
S1(config)# vlan 4000
S1(config-vlan)# ^Z
% Failed to create VLANs 4000
Extended VLAN(s) not allowed in current VTP mode.
%Failed to commit extended VLAN(s) changes.
After you create the VLANs that you want, you can use the show vlan
command to check them out. But notice that, by default, all ports on the
switch are in VLAN 1. To change the VLAN associated with a port, you
need to go to each interface and specifically tell it which VLAN to be a
part of.
Remember that a created VLAN is unused until it is assigned
to a switch port or ports and that all ports are always assigned in
VLAN 1 unless set otherwise.
Once the VLANs are created, verify your configuration with the show vlan
command (sh vlan for short):
S1# sh vlan
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                Fa0/9, Fa0/10, Fa0/11, Fa0/12
                                                Fa0/13, Fa0/14, Fa0/19, Fa0/20
                                                Fa0/21, Fa0/22, Fa0/23, Gi0/1
                                                Gi0/2
2    Sales                            active
3    Marketing                        active
4    Accounting                       active
[output cut]
If you want to see which ports are assigned to a particular VLAN (for
example, VLAN 200), you can obviously use the show vlan command as
shown above, or you can use the show vlan id 200 command to get ports
assigned only to VLAN 200.
This may seem repetitive, but it’s important, and I want you to remember
it: You can’t change, delete, or rename VLAN 1 because it’s the default
VLAN and you just can’t change that—period. It’s also the native VLAN of
all switches by default, and Cisco recommends that you use it as your
management VLAN. If you’re worried about security issues, then change
the native VLAN! Basically, any ports that aren’t specifically assigned to a
different VLAN will be sent down to the native VLAN—VLAN 1.
In the preceding S1 output, you can see that ports Fa0/1 through Fa0/14,
Fa0/19 through Fa0/23, and the Gi0/1 and Gi0/2 uplinks are all in VLAN 1.
But where are ports Fa0/15 through Fa0/18? First, understand that the
show vlan command only displays access ports, so now that you know
what you’re looking at with the show vlan command, where do you think
ports Fa0/15–18 are? That’s right! They are trunked ports. Cisco switches
run a proprietary protocol called Dynamic Trunking Protocol (DTP), and if
there is a compatible switch connected, they will start trunking
automatically, which is precisely where my four ports are. You have to use
the show interfaces trunk command to see your trunked ports like this:
S1# show interfaces trunk
Port        Mode         Encapsulation  Status        Native vlan
Fa0/15      desirable    n-isl          trunking      1
Fa0/16      desirable    n-isl          trunking      1
Fa0/17      desirable    n-isl          trunking      1
Fa0/18      desirable    n-isl          trunking      1

Port        Vlans allowed on trunk
Fa0/15      1-4094
Fa0/16      1-4094
Fa0/17      1-4094
Fa0/18      1-4094
[output cut]
This output reveals that the VLANs from 1 to 4094 are allowed across the
trunk by default. Another helpful command, which is also part of the
Cisco exam objectives, is the show interfaces interface switchport
command:
S1# sh interfaces fastEthernet 0/15 switchport
Name: Fa0/15
Switchport: Enabled
Administrative Mode: dynamic desirable
Operational Mode: trunk
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: isl
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
[output cut]
This output shows us the administrative mode of dynamic desirable, that
the port is a trunk port, and that DTP was used to negotiate the
frame-tagging method of ISL. It also predictably shows that the native
VLAN is the default of 1.
Now that we can see the VLANs created, we can assign switch ports to
specific ones. Each port can be part of only one VLAN, with the exception
of voice access ports. Using trunking, you can make a port available to
traffic from all VLANs. I’ll cover that next.
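The show vlan table above is the kind of output you end up reading on many switches at once when you audit which ports are still sitting in VLAN 1. The following Python parser is an added example and is not code from the book or from Cisco; the show vlan text it parses is constructed to resemble the S1 output above (the wrapped continuation lines carry only port names, which is the part that trips up naive parsing), and the port names and VLAN IDs in it are sample values.

```python
import re

# Constructed sample modelled on the chapter's S1 "show vlan" output.
# Continuation lines (starting with whitespace) list more ports of the
# VLAN printed on the previous row.
SHOW_VLAN = """\
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/4, Fa0/5
                                                Fa0/6, Fa0/7, Fa0/8, Fa0/9
                                                Gi0/1, Gi0/2
2    Sales                            active
3    Marketing                        active    Fa0/3
4    Accounting                       active
1002 fddi-default                     act/unsup
"""

# A VLAN row: id, name, status, then an optional comma-separated port list.
ROW = re.compile(r"^(\d+)\s+(\S+)\s+(active|act/unsup|suspended)\s*(.*)$")


def split_ports(text):
    """'Fa0/1, Fa0/2,' -> ['Fa0/1', 'Fa0/2'] (tolerates trailing commas)."""
    return [p.strip() for p in text.split(",") if p.strip()]


def parse_show_vlan(text):
    """Return {vlan_id: {'name': str, 'ports': [port, ...]}} from show vlan output."""
    vlans = {}
    current = None
    for line in text.splitlines():
        if not line.strip() or line.startswith(("VLAN ", "----")):
            continue  # header, separator, blank
        m = ROW.match(line)
        if m:
            current = int(m.group(1))
            vlans[current] = {"name": m.group(2), "ports": split_ports(m.group(4))}
        elif line.startswith(" ") and current is not None:
            # wrapped continuation line: ports only, belongs to the last VLAN seen
            vlans[current]["ports"].extend(split_ports(line))
    return vlans


def ports_in_default_vlan(vlans):
    """Access ports still left in VLAN 1, the default (and native) VLAN."""
    return list(vlans.get(1, {"ports": []})["ports"])


def vlan_of_port(vlans, port):
    """Access VLAN of a port, or None if show vlan does not list it at all
    (on the chapter's switches a missing port is a trunk, which show vlan hides)."""
    for vlan_id, entry in vlans.items():
        if port in entry["ports"]:
            return vlan_id
    return None


if __name__ == "__main__":
    table = parse_show_vlan(SHOW_VLAN)
    for vlan_id, entry in sorted(table.items()):
        print(vlan_id, entry["name"], entry["ports"])
    print("still in VLAN 1:", ports_in_default_vlan(table))
    print("Fa0/15 ->", vlan_of_port(table, "Fa0/15"))
```

A port that the parser reports as None deserves a second look with show interfaces trunk, because a port that is trunking when you expected an access port is exactly the situation the chapter describes DTP creating automatically.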
Assigning Switch Ports to VLANs
You configure a port to belong to a VLAN by assigning a membership
mode that specifies the kind of traffic the port carries plus the number of
VLANs it can belong to. You can also configure each port on a switch to
be in a specific VLAN (access port) by using the interface switchport
command. You can even configure multiple ports at the same time with
the interface range command.
In the next example, I’ll configure interface Fa0/3 to VLAN 3. This is the
connection from the S3 switch to the host device:
S3# config t
S3(config)# int fa0/3
S3(config-if)# switchport ?
  access         Set access mode characteristics of the interface
  autostate      Include or exclude this port from vlan link up calculation
  backup         Set backup for the interface
  block          Disable forwarding of unknown uni/multi cast addresses
  host           Set port host
  mode           Set trunking mode of the interface
  nonegotiate    Device will not engage in negotiation protocol on this interface
  port-security  Security related command
  priority       Set appliance 802.1p priority
  private-vlan   Set the private VLAN configuration
  protected      Configure an interface to be a protected port
  trunk          Set trunking characteristics of the interface
  voice          Voice appliance attributes voice
Well now, what do we have here? There’s some new stuff showing up in
our output now. We can see various commands—some that I’ve already
covered, but no worries because I’m going to cover the access, mode,
nonegotiate, and trunk commands very soon. Let’s start with setting an
access port on S1, which is probably the most widely used type of port
you’ll find on production switches that have VLANs configured:
S3(config-if)# switchport mode ?
  access        Set trunking mode to ACCESS unconditionally
  dot1q-tunnel  set trunking mode to TUNNEL unconditionally
  dynamic       Set trunking mode to dynamically negotiate access or trunk mode
  private-vlan  Set private-vlan mode
  trunk         Set trunking mode to TRUNK unconditionally
S3(config-if)# switchport mode access
S3(config-if)# switchport access vlan 3
By starting with the switchport mode access command, you’re telling the
switch that this is a nontrunking layer 2 port. You can then assign a
VLAN to the port with the switchport access command. Remember, you
can choose many ports to configure simultaneously with the interface
range command.
Let’s take a look at our VLANs now:
S3# show vlan
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/4, Fa0/5, Fa0/6, Fa0/7
                                                Fa0/8, Fa0/9, Fa0/10, Fa0/11
                                                Fa0/12, Fa0/13, Fa0/14, Fa0/19
                                                Fa0/20, Fa0/21, Fa0/22, Fa0/23
                                                Gi0/1, Gi0/2
2    Sales                            active
3    Marketing                        active    Fa0/3
Notice that port Fa0/3 is now a member of VLAN 3. But, can you tell me
where ports 1 and 2 are? And why aren’t they showing up in the output of
show vlan? That’s right, because they are trunk ports!
We can also see this with the show interfaces interface switchport
command:
S3# sh int fa0/3 switchport
Name: Fa0/3
Switchport: Enabled
Administrative Mode: static access
Operational Mode: static access
Administrative Trunking Encapsulation: negotiate
Negotiation of Trunking: Off
Access Mode VLAN: 3 (Marketing)
This output shows that Fa0/3 is an access port and a member of VLAN 3
(Marketing).
Before we move onto trunking and VTP, let’s add a voice VLAN on our
switch. When an IP phone is connected to a switch port, this port should
have a voice VLAN associated with it. By creating a separate VLAN for
voice traffic, which of course you would do, what happens when you have
a PC or laptop that connects via Ethernet into an IP phone? The phone
connects to the Ethernet port and into one port on the switch. You’re now
sending both voice and data to the single switch port.
All you need to do is add another VLAN to the same switch port like so to
fix this issue and separate the data at the switch port into two VLANs:
S1(config)# vlan 10
S1(config-vlan)# name Voice
S1(config-vlan)# int g0/1
S1(config-if)# switchport voice vlan 10
That’s it. Well, sort of. If you plugged devices into each VLAN port, they
can only talk to other devices in the same VLAN. But as soon as you learn
a bit more about trunking, we’re going to enable inter-VLAN
communication!
Configuring Trunk Ports
The 2960 switch only runs the IEEE 802.1q encapsulation method. To
configure trunking on a FastEthernet port, use the interface command
switchport mode trunk. It’s a tad different on the 3560 switch.
The following switch output shows the trunk configuration on interfaces
Fa0/15–18 as set to trunk:
S1(config)# int range f0/15-18
S1(config-if-range)# switchport trunk encapsulation dot1q
S1(config-if-range)# switchport mode trunk
If you have a switch that only runs the 802.1q encapsulation method,
then you wouldn’t use the encapsulation command as I did in the
preceding output. Let’s check out our trunk ports now:
S1(config-if-range)# do sh int f0/15 switchport
Name: Fa0/15
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Notice that port Fa0/15 is a trunk and running 802.1q. Let’s take another
look:
S1(config-if-range)# do sh int trunk
Port        Mode         Encapsulation  Status        Native vlan
Fa0/15      on           802.1q         trunking      1
Fa0/16      on           802.1q         trunking      1
Fa0/17      on           802.1q         trunking      1
Fa0/18      on           802.1q         trunking      1

Port        Vlans allowed on trunk
Fa0/15      1-4094
Fa0/16      1-4094
Fa0/17      1-4094
Fa0/18      1-4094
Take note of the fact that ports 15–18 are now in the trunk mode of on
and the encapsulation is now 802.1q instead of the negotiated ISL. Here’s
a description of the different options available when configuring a switch
interface:
switchport mode access
I discussed this in the previous section, but this puts the interface (access
port) into permanent nontrunking mode and negotiates to convert the link
into a nontrunk link. The interface becomes a nontrunk interface regardless
of whether the neighboring interface is a trunk interface. The port would be
a dedicated layer 2 access port.
switchport mode dynamic auto
This mode makes the interface able to convert the link to a trunk link. The
interface becomes a trunk interface if the neighboring interface is set to
trunk or desirable mode. The default is dynamic auto on a lot of Cisco
switches, but that default trunk method is changing to dynamic desirable
on most new models.
switchport mode dynamic desirable
This one makes the interface actively attempt to convert the link to a trunk
link. The interface becomes a trunk interface if the neighboring interface is
set to trunk, desirable, or auto mode. This is now the default switch port
mode for all Ethernet interfaces on all new Cisco switches.
switchport mode trunk
Puts the interface into permanent trunking mode and negotiates to convert
the neighboring link into a trunk link. The interface becomes a trunk
interface even if the neighboring interface isn’t a trunk interface.
switchport nonegotiate
Prevents the interface from generating DTP frames. You can use this
command only when the interface switchport mode is access or trunk. You
must manually configure the neighboring interface as a trunk interface to
establish a trunk link.
Dynamic Trunking Protocol (DTP) is used for negotiating trunking on a
link between two devices as well as negotiating the encapsulation type of
either 802.1q or ISL. I use the nonegotiate command when I want
dedicated trunk ports; no questions asked.
To disable trunking on an interface, use the switchport mode access
command, which sets the port back to a dedicated layer 2 access switch
port.
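The five options above define a small decision table: each end's administrative mode (plus whether it is silenced with nonegotiate) determines what the port ends up doing. The Python model below is an added example, not the book's or Cisco's code; it encodes exactly the rules stated in the descriptions above, so that you can check a pair of port settings before you touch the switches, and it flags the combinations that leave the two ends disagreeing. The Port class, its field names and the sample port names are assumptions made for this example.

```python
from dataclasses import dataclass

# The four switchport modes described in the chapter.
ACCESS, AUTO, DESIRABLE, TRUNK = "access", "dynamic auto", "dynamic desirable", "trunk"


@dataclass(frozen=True)
class Port:
    """One switch port as configured (hypothetical helper type for this example)."""
    name: str
    mode: str                  # ACCESS, AUTO, DESIRABLE or TRUNK
    nonegotiate: bool = False  # 'switchport nonegotiate': send no DTP frames

    def __post_init__(self):
        if self.mode not in (ACCESS, AUTO, DESIRABLE, TRUNK):
            raise ValueError(f"unknown switchport mode: {self.mode}")
        if self.nonegotiate and self.mode not in (ACCESS, TRUNK):
            # the chapter: nonegotiate is only accepted in access or trunk mode
            raise ValueError("switchport nonegotiate requires mode access or trunk")


def advertised(port):
    """What the neighbour learns through DTP: nothing if this port is silent."""
    return None if port.nonegotiate else port.mode


def operational_mode(local, remote):
    """Operational mode of `local` facing `remote`, per the chapter's rules."""
    if local.mode in (ACCESS, TRUNK):
        return local.mode  # unconditional, whatever the neighbour does
    peer = advertised(remote)
    if local.mode == AUTO:
        # auto only follows: trunk if the neighbour is trunk or desirable
        return TRUNK if peer in (TRUNK, DESIRABLE) else ACCESS
    # desirable actively asks: trunk if the neighbour is trunk, desirable or auto
    return TRUNK if peer in (TRUNK, DESIRABLE, AUTO) else ACCESS


def link_result(a, b):
    """(mode of a, mode of b, True if both ends agree) for one link."""
    mode_a, mode_b = operational_mode(a, b), operational_mode(b, a)
    return mode_a, mode_b, mode_a == mode_b


def host_facing_risk(port):
    """True if a port meant for an end host could still be negotiated into a trunk.

    A dynamic port forms a trunk with any device that speaks DTP to it, which
    is why host-facing ports are set to access mode (and nonegotiate)."""
    return port.mode in (AUTO, DESIRABLE)


if __name__ == "__main__":
    pairs = [
        (Port("S1 Fa0/15", DESIRABLE), Port("S3 Fa0/1", AUTO)),
        (Port("S1 Fa0/16", AUTO), Port("S3 Fa0/2", AUTO)),
        (Port("S1 Fa0/17", TRUNK, nonegotiate=True), Port("S3 Fa0/3", DESIRABLE)),
        (Port("S1 Fa0/18", TRUNK, nonegotiate=True), Port("S3 Fa0/4", TRUNK, nonegotiate=True)),
    ]
    for a, b in pairs:
        mode_a, mode_b, ok = link_result(a, b)
        print(f"{a.name} [{a.mode}] <-> {b.name} [{b.mode}]: "
              f"{mode_a} / {mode_b} {'OK' if ok else 'MISMATCH'}")
```

The third pair is the case the nonegotiate description warns about: the silent trunk side trunks, the desirable side never hears a DTP frame and stays an access port, so the link is mismatched until the far end is set to trunk by hand. The second pair shows two auto ports never trunking with each other, which is the reason a default of dynamic auto on both ends gives you an access link.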
Defining the Allowed VLANs on a Trunk
As I’ve mentioned, trunk ports send and receive information from all
VLANs by default, and if a frame is untagged, it’s sent to the management
VLAN. Understand that this applies to the extended range VLANs too.
But we can remove VLANs from the allowed list to prevent traffic from
certain VLANs from traversing a trunked link. I’ll show you how you’d do
that, but first let me again demonstrate that all VLANs are allowed across
the trunk link by default:
S1# sh int trunk
[output cut]
Port        Vlans allowed on trunk
Fa0/15      1-4094
Fa0/16      1-4094
Fa0/17      1-4094
Fa0/18      1-4094
S1(config)# int f0/15
S1(config-if)# switchport trunk allowed vlan 4,6,12,15
S1(config-if)# do show int trunk
[output cut]
Port        Vlans allowed on trunk
Fa0/15      4,6,12,15
Fa0/16      1-4094
Fa0/17      1-4094
Fa0/18      1-4094
The preceding command affected the trunk link configured on S1 port
Fa0/15, causing it to permit all traffic sent and received for VLANs 4, 6,
12, and 15. You can try to remove VLAN 1 on a trunk link, but it will still
send and receive management data like CDP, DTP, and VTP, so what’s
the point?
To remove a range of VLANs, just use the hyphen:
S1(config-if)# switchport trunk allowed vlan remove 4-8
If by chance someone has removed some VLANs from a trunk link and
you want to set the trunk back to default, just use this command:
S1(config-if)# switchport trunk allowed vlan all
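It helps to see the allowed-list keywords as set operations on the VLAN IDs 1-4094, because that is what the switch stores: a bare list replaces the set, remove subtracts, all resets to everything. The Python below is an added example (not the book's or Cisco's code) that parses the list syntax shown in the outputs above, applies the keywords, and renders the result back in the compact form show interfaces trunk prints. It also models the add and except keywords, which exist on IOS alongside remove and all but are not shown on this page; the walk-through function replays the exact sequence of commands issued on Fa0/15 above.

```python
MAX_VLAN = 4094


def parse_vlan_list(spec):
    """'1-4094', '4,6,12,15' or '4,6-8,12' -> set of VLAN IDs ('all'/'none' accepted)."""
    spec = spec.strip().lower()
    if spec == "all":
        return set(range(1, MAX_VLAN + 1))
    if spec == "none":
        return set()
    vlans = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            if not 1 <= lo <= hi <= MAX_VLAN:
                raise ValueError(f"bad VLAN range: {part}")
            vlans.update(range(lo, hi + 1))
        else:
            vlan_id = int(part)
            if not 1 <= vlan_id <= MAX_VLAN:
                raise ValueError(f"bad VLAN id: {part}")
            vlans.add(vlan_id)
    return vlans


def format_vlan_list(vlans):
    """Render a set the way IOS prints it: consecutive IDs collapse to 'lo-hi'."""
    ids = sorted(vlans)
    chunks, i = [], 0
    while i < len(ids):
        j = i
        while j + 1 < len(ids) and ids[j + 1] == ids[j] + 1:
            j += 1
        chunks.append(str(ids[i]) if i == j else f"{ids[i]}-{ids[j]}")
        i = j + 1
    return ",".join(chunks) or "none"


def apply_allowed(current, keyword, spec=None):
    """Model 'switchport trunk allowed vlan {<list> | add | remove | except | all | none}'."""
    if keyword == "all":
        return parse_vlan_list("all")
    if keyword == "none":
        return set()
    if keyword == "add":
        return current | parse_vlan_list(spec)
    if keyword == "remove":
        return current - parse_vlan_list(spec)
    if keyword == "except":
        return parse_vlan_list("all") - parse_vlan_list(spec)
    # a bare list replaces the whole allowed set
    return parse_vlan_list(keyword)


def walk_chapter_sequence():
    """Replay the commands issued on Fa0/15 above; return the rendered state after each."""
    allowed = parse_vlan_list("1-4094")             # trunk default
    states = []
    for step in (("4,6,12,15", None), ("remove", "4-8"), ("all", None)):
        allowed = apply_allowed(allowed, *step)
        states.append(format_vlan_list(allowed))
    return states


if __name__ == "__main__":
    for state in walk_chapter_sequence():
        print(state)
```

The rendered states are 4,6,12,15, then 12,15 (the remove took VLANs 4 and 6 out of the list, and 5, 7 and 8 were never in it), then 1-4094 again. Prune a trunk this way on purpose, not just by habit: a trunk carrying every VLAN by default means any VLAN you create later crosses the link immediately.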
Next, I want to show you how to configure a native VLAN for a trunk
before we start routing between VLANs.
Changing or Modifying the Trunk Native VLAN
You can change the trunk port native VLAN from VLAN 1, which many
people do for security reasons. To change the native VLAN, use the
following command:
S1(config)# int f0/15
S1(config-if)# switchport trunk native vlan ?
  <1-4094>  VLAN ID of the native VLAN when this port is in trunking mode
S1(config-if)# switchport trunk native vlan 4
1w6d: %CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on FastEthernet0/15 (4), with S3 FastEthernet0/1 (1).
So we’ve changed our native VLAN on our trunk link to 4, and by using
the show running-config command, I can see the configuration under the
trunk link:
S1# sh run int f0/15
Building configuration...
Current configuration : 202 bytes
!
interface FastEthernet0/15
 description 1st connection to S3
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 4
 switchport trunk allowed vlan 4,6,12,15
 switchport mode trunk
end
S1#
Oops—wait a minute! You didn’t think it would be this easy and would
just start working, did you? Of course not! Here’s the rub: If all switches
don’t have the same native VLAN configured on the given trunk links,
then we’ll start to receive this error, which happened immediately after I
entered the command:
1w6d: %CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on FastEthernet0/15 (4), with S3 FastEthernet0/1 (1).
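CDP only reports this mismatch on the console while both switches happen to be listening, so a practitioner usually also checks it offline from show interfaces trunk collected on every switch, and at the same time lists the trunks still on native VLAN 1 (exam topic 1.7.c, nondefault native VLAN). The following Python audit is an added example and not the book's or Cisco's code. The two show interfaces trunk snippets are constructed to reflect the state above (native VLAN 4 changed on S1 Fa0/15 only), and the mapping of which port connects to which is assumed to have been taken from CDP or LLDP beforehand.

```python
import re

# Constructed "show interfaces trunk" output for each end of the S1 <-> S3 links,
# modelled on the chapter's output after changing the native VLAN on S1 Fa0/15 only.
S1_TRUNKS = """\
Port        Mode         Encapsulation  Status        Native vlan
Fa0/15      on           802.1q         trunking      4
Fa0/16      on           802.1q         trunking      1

Port        Vlans allowed on trunk
Fa0/15      4,6,12,15
Fa0/16      1-4094
"""
S3_TRUNKS = """\
Port        Mode         Encapsulation  Status        Native vlan
Fa0/1       on           802.1q         trunking      1
Fa0/2       on           802.1q         trunking      1

Port        Vlans allowed on trunk
Fa0/1       1-4094
Fa0/2       1-4094
"""
# Which local port is cabled to which remote port (assumed to come from CDP/LLDP).
LINKS = [
    (("S1", "Fa0/15"), ("S3", "Fa0/1")),
    (("S1", "Fa0/16"), ("S3", "Fa0/2")),
]

# Row of the first table: port, mode, encapsulation, status, native VLAN.
TRUNK_ROW = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(trunking|not-trunking)\s+(\d+)\s*$")


def parse_trunk_natives(text):
    """{port: native_vlan} from the first table of 'show interfaces trunk'."""
    natives = {}
    for line in text.splitlines():
        m = TRUNK_ROW.match(line)
        if m:
            natives[m.group(1)] = int(m.group(5))
    return natives


def audit_native_vlans(outputs, links):
    """Findings for every link: native VLAN mismatches and trunks still on native VLAN 1.

    outputs: {switch_name: show interfaces trunk text}
    links:   [((switch, port), (switch, port)), ...]
    """
    natives = {switch: parse_trunk_natives(text) for switch, text in outputs.items()}
    findings = []
    for (sw_a, port_a), (sw_b, port_b) in links:
        nat_a, nat_b = natives[sw_a][port_a], natives[sw_b][port_b]
        if nat_a != nat_b:
            # both ends must agree, otherwise untagged frames land in different VLANs
            findings.append(f"MISMATCH {sw_a} {port_a} native {nat_a} <-> "
                            f"{sw_b} {port_b} native {nat_b}")
        for switch, port, native in ((sw_a, port_a, nat_a), (sw_b, port_b, nat_b)):
            if native == 1:
                findings.append(f"DEFAULT-NATIVE {switch} {port} still uses native VLAN 1")
    return findings


if __name__ == "__main__":
    for finding in audit_native_vlans({"S1": S1_TRUNKS, "S3": S3_TRUNKS}, LINKS):
        print(finding)
```

Run against the state above, the audit reports the S1 Fa0/15 (4) / S3 Fa0/1 (1) mismatch that CDP logged, and it also points out that S3 Fa0/1 and both ends of the second trunk are still on native VLAN 1. Fixing the mismatch by moving the far end to VLAN 4 as well clears both findings on that link; setting S1 back to 1 clears only the first.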
Actually, this is a good, noncryptic error, so either we can go to the other
end of our trunk link(s) and change the native VLAN or we set the native
VLAN back to the default to fix it. Here’s how we’d do that:
S1(config-if)#