Senior Acquisitions Editor: Kenyon Brown Development Editor: Kim Wimpsett



Todd Lammle CCNA Routing and Switching


Configuring Trunk Ports

The 2960 switch only runs the IEEE 802.1q encapsulation method. To configure trunking on a FastEthernet port, use the interface command switchport mode trunk. It’s a tad different on the 3560 switch.

The following switch output shows the trunk configuration on interfaces Fa0/15–18 as set to trunk:

S1(config)#int range f0/15-18
S1(config-if-range)#switchport trunk encapsulation dot1q
S1(config-if-range)#switchport mode trunk

If you have a switch that only runs the 802.1q encapsulation method, then you wouldn’t use the encapsulation command as I did in the preceding output. Let’s check out our trunk ports now:

S1(config-if-range)#do sh int f0/15 swi
Name: Fa0/15
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none

Notice that port Fa0/15 is a trunk and running 802.1q. Let’s take another look:

S1(config-if-range)#do sh int trunk
Port        Mode         Encapsulation  Status        Native vlan
Fa0/15      on           802.1q         trunking      1
Fa0/16      on           802.1q         trunking      1
Fa0/17      on           802.1q         trunking      1
Fa0/18      on           802.1q         trunking      1
Port        Vlans allowed on trunk
Fa0/15      1-4094
Fa0/16      1-4094
Fa0/17      1-4094
Fa0/18      1-4094

Take note of the fact that ports 15–18 are now in the trunk mode of on and the encapsulation is now 802.1q instead of the negotiated ISL. Here’s a description of the different options available when configuring a switch interface:



switchport mode access
I discussed this in the previous section, but this puts the interface (access port) into permanent nontrunking mode and negotiates to convert the link into a nontrunk link. The interface becomes a nontrunk interface regardless of whether the neighboring interface is a trunk interface. The port would be a dedicated layer 2 access port.

switchport mode dynamic auto
This mode makes the interface able to convert the link to a trunk link. The interface becomes a trunk interface if the neighboring interface is set to trunk or desirable mode. The default is dynamic auto on a lot of Cisco switches, but that default trunk method is changing to dynamic desirable on most new models.

switchport mode dynamic desirable
This one makes the interface actively attempt to convert the link to a trunk link. The interface becomes a trunk interface if the neighboring interface is set to trunk, desirable, or auto mode. I used to see this mode as the default on some switches, but not any longer. This is now the default switch port mode for all Ethernet interfaces on all new Cisco switches.

switchport mode trunk
Puts the interface into permanent trunking mode and negotiates to convert the neighboring link into a trunk link. The interface becomes a trunk interface even if the neighboring interface isn’t a trunk interface.

switchport nonegotiate
Prevents the interface from generating DTP frames. You can use this command only when the interface switchport mode is access or trunk. You must manually configure the neighboring interface as a trunk interface to establish a trunk link.

Dynamic Trunking Protocol (DTP) is used for negotiating trunking on a link between two devices as well as negotiating the encapsulation type of either 802.1q or ISL. I use the nonegotiate command when I want dedicated trunk ports; no questions asked.

To disable trunking on an interface, use the switchport mode access command, which sets the port back to a dedicated layer 2 access switch port.


Defining the Allowed VLANs on a Trunk

As I’ve mentioned, trunk ports send and receive information from all VLANs by default, and if a frame is untagged, it’s sent to the management VLAN. Understand that this applies to the extended range VLANs too.

But we can remove VLANs from the allowed list to prevent traffic from certain VLANs from traversing a trunked link. I’ll show you how you’d do that, but first let me again demonstrate that all VLANs are allowed across the trunk link by default:

S1#sh int trunk
[output cut]
Port        Vlans allowed on trunk
Fa0/15      1-4094
Fa0/16      1-4094
Fa0/17      1-4094
Fa0/18      1-4094

S1(config)#



S1(config)#

S1(config-if)#



S1(config-if)#

S1(config-if)#



S1(config-if)#

[output cut]
Port        Vlans allowed on trunk
Fa0/15      4,6,12,15
Fa0/16      1-4094
Fa0/17      1-4094
Fa0/18      1-4094

The preceding command affected the trunk link configured on S1 port F0/15, causing it to permit all traffic sent and received for VLANs 4, 6, 12, and 15. You can try to remove VLAN 1 on a trunk link, but it will still send and receive management traffic like CDP, DTP, and VTP, so what’s the point?

To remove a range of VLANs, just use the hyphen:

S1(config-if)#switchport trunk allowed vlan remove 4-8

If by chance someone has removed some VLANs from a trunk link and you want to set the trunk back to default, just use this command:

S1(config-if)#switchport trunk allowed vlan all

Next, I want to show you how to configure a native VLAN for a trunk before we start routing between VLANs.

Changing or Modifying the Trunk Native VLAN

You can change the trunk port native VLAN from VLAN 1, which many people do for security reasons. To change the native VLAN, use the following command:

S1(config)#int f0/15
S1(config-if)#switchport trunk native vlan ?
  <1-4094>  VLAN ID of the native VLAN when this port is in trunking mode
S1(config-if)#switchport trunk native vlan 4
1w6d: %CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on FastEthernet0/15 (4), with S3 FastEthernet0/1 (1).

So we’ve changed our native VLAN on our trunk link to 4, and by using the show running-config command, I can see the configuration under the trunk link:

S1#sh run int f0/15
Building configuration...
Current configuration : 202 bytes
!
interface FastEthernet0/15
 description 1st connection to S3
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 4
 switchport trunk allowed vlan 4,6,12,15
 switchport mode trunk
end
S1#!

Oops—wait a minute! You didn’t think it would be this easy and would just start working, did you? Of course not! Here’s the rub: If all switches don’t have the same native VLAN configured on the given trunk links, then we’ll start to receive this error, which happened immediately after I entered the command:

1w6d: %CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on FastEthernet0/15 (4), with S3 FastEthernet0/1 (1).

Actually, this is a good, noncryptic error, so either we can go to the other end of our trunk link(s) and change the native VLAN or we set the native VLAN back to the default to fix it. Here’s how we’d do that:

S1(config-if)#no switchport trunk native vlan
1w6d: %SPANTREE-2-UNBLOCK_CONSIST_PORT: Unblocking FastEthernet0/15 on VLAN0004. Port consistency restored.

Now our trunk link is using the default VLAN 1 as the native VLAN. Just remember that all switches on a given trunk must use the same native VLAN or you’ll have some serious management problems. These issues won’t affect user data, just management traffic between switches. Now, let’s mix it up by connecting a router into our switched network and configure inter-VLAN communication.
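
The trunk settings covered in this section (a fixed switch port mode, switchport nonegotiate, a native VLAN other than 1, and a pruned allowed-VLAN list) can be checked across a saved configuration. The following Python script is an added example, not part of the original text; the sample configuration is constructed, the function names are made up for illustration, and it assumes every interface stanza it reads is a layer 2 switch port.

```python
import re

# Constructed running-config excerpt; interface numbers and VLAN IDs are sample values.
SAMPLE_CONFIG = """\
interface FastEthernet0/15
 switchport trunk native vlan 4
 switchport trunk allowed vlan 4,6,12,15
 switchport mode trunk
 switchport nonegotiate
!
interface FastEthernet0/16
 switchport mode trunk
!
interface FastEthernet0/17
 switchport mode dynamic desirable
!
interface FastEthernet0/2
 switchport access vlan 2
 switchport mode access
!
"""

def parse_interfaces(config):
    """Return {interface name: [stanza lines]} from running-config text."""
    interfaces, current = {}, None
    for line in config.splitlines():
        match = re.match(r"interface (\S+)", line)
        if match:
            current = interfaces.setdefault(match.group(1), [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None  # "!" or a global command closes the stanza
    return interfaces

def audit_port(lines):
    """Return findings for one switch port stanza (empty list means none)."""
    mode = next((l.split("switchport mode ", 1)[1] for l in lines
                 if l.startswith("switchport mode ")), None)
    if mode is None or mode.startswith("dynamic"):
        return ["DTP may negotiate a trunk: mode is not fixed to access or trunk"]
    findings = []
    if mode == "trunk":
        if "switchport nonegotiate" not in lines:
            findings.append("trunk still generates DTP frames: no switchport nonegotiate")
        if not any(l.startswith("switchport trunk native vlan ") for l in lines):
            findings.append("native VLAN is the default VLAN 1")
        allowed = [l for l in lines if l.startswith("switchport trunk allowed vlan ")]
        if not allowed or allowed[-1].endswith(" all"):
            findings.append("all VLANs (1-4094) are allowed on the trunk")
    return findings

def audit(config):
    return {name: audit_port(lines) for name, lines in parse_interfaces(config).items()}

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_CONFIG).items():
        print(name, "->", "; ".join(findings) or "no findings")
```

Because the running configuration omits default values, a trunk stanza without a native vlan or allowed vlan line is reported as using VLAN 1 and 1-4094.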

Configuring Inter-VLAN Routing

By default, only hosts that are members of the same VLAN can communicate. To change this and allow inter-VLAN communication, you need a router or a layer 3 switch. I’m going to start with the router approach.

To support ISL or 802.1q routing on a FastEthernet interface, the router’s interface is divided into logical interfaces—one for each VLAN—as was shown in Figure 11.10. These are called subinterfaces. From a FastEthernet or Gigabit interface, you can set the interface to trunk with the encapsulation command:

ISR#config t
ISR(config)#int f0/0.1
ISR(config-subif)#encapsulation ?
  dot1Q  IEEE 802.1Q Virtual LAN
ISR(config-subif)#encapsulation dot1Q ?
  <1-4094>  IEEE 802.1Q VLAN ID

Notice that my 2811 router (named ISR) only supports 802.1q. We’d need an older-model router to run the ISL encapsulation, but why bother?

The subinterface number is only locally significant, so it doesn’t matter which subinterface numbers are configured on the router. Most of the time, I’ll configure a subinterface with the same number as the VLAN I want to route. It’s easy to remember that way since the subinterface number is used only for administrative purposes.

It’s really important that you understand that each VLAN is actually a separate subnet. True, I know—they don’t have to be. But it really is a good idea to configure your VLANs as separate subnets, so just do that.

Before we move on, I want to define upstream routing. This is a term used to define the router on a stick. This router will provide inter-VLAN routing, but it can also be used to forward traffic upstream from the switched network to other parts of the corporate network or Internet.

Now, I need to make sure you’re fully prepared to configure inter-VLAN routing as well as determine the IP addresses of hosts connected in a switched VLAN environment. And as always, it’s also a good idea to be able to fix any problems that may arise. To set you up for success, let me give you a few examples.

First, start by looking at Figure 11.12 and read the router and switch configuration within it. By this point in the book, you should be able to determine the IP address, masks, and default gateways of each of the hosts in the VLANs.

FIGURE 11.12 Configuring inter-VLAN example 1

The next step is to figure out which subnets are being used. By looking at the router configuration in the figure, you can see that we’re using 192.168.10.0/28 for VLAN 1, 192.168.1.64/26 with VLAN 2, and 192.168.1.128/27 for VLAN 10.

By looking at the switch configuration, you can see that ports 2 and 3 are in VLAN 2 and port 4 is in VLAN 10. This means that Host A and Host B are in VLAN 2 and Host C is in VLAN 10.

But wait—what’s that IP address doing there under the physical interface? Can we even do that? Sure we can! If we place an IP address under the physical interface, the result is that frames sent from the IP address would be untagged. So what VLAN would those frames be a member of? By default, they would belong to VLAN 1, our management VLAN. This means the address 192.168.10.1/28 is my native VLAN IP address for this switch.

Here’s what the hosts’ IP addresses should be:

Host A: 192.168.1.66, 255.255.255.192, default gateway 192.168.1.65
Host B: 192.168.1.67, 255.255.255.192, default gateway 192.168.1.65
Host C: 192.168.1.130, 255.255.255.224, default gateway 192.168.1.129

The hosts could be any address in the range—I just chose the first available IP address after the default gateway address. That wasn’t so hard, was it?

Now, again using Figure 11.12, let’s go through the commands necessary to configure switch port 1 so it will establish a link with the router and provide inter-VLAN communication using the IEEE version for encapsulation. Keep in mind that the commands can vary slightly depending on what type of switch you’re dealing with.

For a 2960 switch, use the following:

2960#config t
2960(config)#interface fa0/1
2960(config-if)#switchport mode trunk

That’s it! As you already know, the 2960 switch can only run the 802.1q encapsulation, so there’s no need to specify it. You can’t anyway. For a 3560, it’s basically the same, but because it can run ISL and 802.1q, you have to specify the trunking encapsulation protocol you’re going to use.

Remember that when you create a trunked link, all VLANs are allowed to pass data by default.

Let’s take a look at Figure 11.13 and see what we can determine. This figure shows three VLANs, with two hosts in each of them. The router in Figure 11.13 is connected to the Fa0/1 switch port, and VLAN 4 is configured on port F0/6.

When looking at this diagram, keep in mind that these three factors are what Cisco expects you to know:

The router is connected to the switch using subinterfaces.
The switch port connecting to the router is a trunk port.
The switch ports connecting to the clients and the hub are access ports, not trunk ports.

FIGURE 11.13 Inter-VLAN example 2

The configuration of the switch would look something like this:

2960#config t
2960(config)#int f0/1
2960(config-if)#switchport mode trunk
2960(config-if)#int f0/2
2960(config-if)#switchport access vlan 2
2960(config-if)#int f0/3
2960(config-if)#switchport access vlan 2
2960(config-if)#int f0/4
2960(config-if)#switchport access vlan 3
2960(config-if)#int f0/5
2960(config-if)#switchport access vlan 3
2960(config-if)#int f0/6
2960(config-if)#switchport access vlan 4

Before we configure the router, we need to design our logical network:

VLAN 1: 192.168.10.0/28
VLAN 2: 192.168.10.16/28
VLAN 3: 192.168.10.32/28
VLAN 4: 192.168.10.48/28

The configuration of the router would then look like this:

ISR#config t
ISR(config)#int fa0/0
ISR(config-if)#ip address 192.168.10.1 255.255.255.240
ISR(config-if)#no shutdown
ISR(config-if)#int f0/0.2
ISR(config-subif)#encapsulation dot1q 2
ISR(config-subif)#ip address 192.168.10.17 255.255.255.240
ISR(config-subif)#int f0/0.3
ISR(config-subif)#encapsulation dot1q 3
ISR(config-subif)#ip address 192.168.10.33 255.255.255.240
ISR(config-subif)#int f0/0.4
ISR(config-subif)#encapsulation dot1q 4
ISR(config-subif)#ip address 192.168.10.49 255.255.255.240

Notice I didn’t tag VLAN 1. Even though I could have created a subinterface and tagged VLAN 1, it’s not necessary with 802.1q because untagged frames are members of the native VLAN.

The hosts in each VLAN would be assigned an address from their subnet range, and the default gateway would be the IP address assigned to the router’s subinterface in that VLAN.
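
As an added example (not from the book), the following Python script derives each VLAN's subnet, gateway, and usable host range from the router-on-a-stick configuration above and checks that no two VLAN subnets overlap. The running-config layout of the input and the function names are assumptions made for illustration.

```python
import ipaddress
import re

# The Figure 11.13 router configuration above, rewritten in running-config form.
ROUTER_CONFIG = """\
interface FastEthernet0/0
 ip address 192.168.10.1 255.255.255.240
interface FastEthernet0/0.2
 encapsulation dot1Q 2
 ip address 192.168.10.17 255.255.255.240
interface FastEthernet0/0.3
 encapsulation dot1Q 3
 ip address 192.168.10.33 255.255.255.240
interface FastEthernet0/0.4
 encapsulation dot1Q 4
 ip address 192.168.10.49 255.255.255.240
"""

NATIVE_VLAN = 1  # untagged frames on the physical interface belong to the native VLAN

def vlan_plan(config):
    """Map VLAN ID -> gateway, subnet, and first/last usable host address."""
    plan, vlan = {}, None
    for line in config.splitlines():
        line = line.strip()
        if line.startswith("interface "):
            vlan = NATIVE_VLAN  # until an encapsulation line tags the subinterface
        elif m := re.match(r"encapsulation dot1q (\d+)", line, re.I):
            vlan = int(m.group(1))
        elif m := re.match(r"ip address (\S+) (\S+)", line):
            iface = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
            hosts = list(iface.network.hosts())
            plan[vlan] = {"gateway": iface.ip, "subnet": iface.network,
                          "first": hosts[0], "last": hosts[-1]}
    return plan

def overlapping(plan):
    """Return VLAN pairs whose subnets overlap; each VLAN should be its own subnet."""
    ids = sorted(plan)
    return [(a, b) for i, a in enumerate(ids) for b in ids[i + 1:]
            if plan[a]["subnet"].overlaps(plan[b]["subnet"])]

def gateway_for(plan, host):
    """Return (VLAN ID, default gateway) for a host address, or None if no subnet fits."""
    addr = ipaddress.ip_address(host)
    for vlan, entry in plan.items():
        if addr in entry["subnet"]:
            return vlan, str(entry["gateway"])
    return None

if __name__ == "__main__":
    for vlan, e in sorted(vlan_plan(ROUTER_CONFIG).items()):
        print(f"VLAN {vlan}: {e['subnet']} gw {e['gateway']} hosts {e['first']}-{e['last']}")
```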

Now, let’s take a look at another figure and see if you can determine the switch and router configurations without looking at the answer—no cheating! Figure 11.14 shows a router connected to a 2960 switch with two VLANs. One host in each VLAN is assigned an IP address. What would your router and switch configurations be based on these IP addresses?

FIGURE 11.14 Inter-VLAN example 3

Since the hosts don’t list a subnet mask, you have to look for the number of hosts used in each VLAN to figure out the block size. VLAN 2 has 85 hosts and VLAN 3 has 115 hosts. Each of these will fit in a block size of 128, which is a /25 mask, or 255.255.255.128.

You should know by now that the subnets are 0 and 128; the 0 subnet (VLAN 2) has a host range of 1–126, and the 128 subnet (VLAN 3) has a range of 129–254. You can almost be fooled since Host A has an IP address of 126, which makes it almost seem that Host A and B are in the same subnet. But they’re not, and you’re way too smart by now to be fooled by this one!

Here is the switch configuration:

2960#config t
2960(config)#int f0/1
2960(config-if)#switchport mode trunk
2960(config-if)#int f0/2
2960(config-if)#switchport access vlan 2
2960(config-if)#int f0/3
2960(config-if)#switchport access vlan 3

Here is the router configuration:

ISR#config t
ISR(config)#int f0/0
ISR(config-if)#ip address 192.168.10.1 255.255.255.0
ISR(config-if)#no shutdown
ISR(config-if)#int f0/0.2
ISR(config-subif)#encapsulation dot1q 2
ISR(config-subif)#ip address 172.16.10.1 255.255.255.128
ISR(config-subif)#int f0/0.3
ISR(config-subif)#encapsulation dot1q 3
ISR(config-subif)#ip address 172.16.10.254 255.255.255.128

I used the first address in the host range for VLAN 2 and the last address in the range for VLAN 3, but any address in the range would work. You would just have to configure the host’s default gateway to whatever you make the router’s address. Also, I used a different subnet for my physical interface, which is my management VLAN router’s address.

Now, before we go on to the next example, I need to make sure you know how to set the IP address on the switch. Since VLAN 1 is typically the administrative VLAN, we’ll use an IP address from out of that pool of addresses. Here’s how to set the IP address of the switch (not nagging, but you really should already know this!):

2960#config t
2960(config)#int vlan 1
2960(config-if)#ip address 192.168.10.2 255.255.255.0
2960(config-if)#no shutdown
2960(config-if)#exit
2960(config)#ip default-gateway 192.168.10.1

Yes, you have to execute a no shutdown on the VLAN interface and set the ip default-gateway address to the router.

One more example, and then we’ll move on to IVR using a multilayer switch—another important subject that you definitely don’t want to miss! In Figure 11.15 there are two VLANs, plus the management VLAN 1. By looking at the router configuration, what’s the IP address, subnet mask, and default gateway of Host A? Use the last IP address in the range for Host A’s address.

If you really look carefully at the router configuration (the hostname in this configuration is just Router), there’s a simple and quick answer. All subnets are using a /28, which is a 255.255.255.240 mask. This is a block size of 16. The router’s address for VLAN 2 is in subnet 128. The next subnet is 144, so the broadcast address of VLAN 2 is 143 and the valid host range is 129–142. So the host address would be this:

IP address: 192.168.10.142
Mask: 255.255.255.240
Default gateway: 192.168.10.129

FIGURE 11.15 Inter-VLAN example 4

This section was probably the hardest part of this entire book, and I honestly created the simplest configuration you can possibly get away with using to help you through it!

I’ll use Figure 11.16 to demonstrate configuring inter-VLAN routing (IVR) with a multilayer switch, which is often referred to as a switched virtual interface (SVI). I’m going to use the same network that I used to discuss a multilayer switch back in Figure 11.11, and I’ll use this IP address scheme: 192.168.x.0/24, where x represents the VLAN subnet. In my example this will be the same as the VLAN number.

FIGURE 11.16 Inter-VLAN routing with a multilayer switch

The hosts are already configured with the IP address, subnet mask, and default gateway address using the first address in the range. Now I just need to configure the routing on the switch, which is pretty simple actually:

S1(config)#ip routing
S1(config)#int vlan 10
S1(config-if)#ip address 192.168.10.1 255.255.255.0
S1(config-if)#int vlan 20
S1(config-if)#ip address 192.168.20.1 255.255.255.0

And that’s it! Enable IP routing and create one logical interface for each VLAN using the interface vlan number command and voilà! You’ve now accomplished making inter-VLAN routing work on the backplane of the switch!

