CIS 82 Routing and Switching Essentials

Chapter 6 VLANs

CIS 82 Routing Protocols and Concepts

Rick Graziani
Cabrillo College
graziani@cabrillo.edu

Spring 2018
Chapter 6: Objectives
 Explain the purpose of VLANs in a switched network.
 Analyze how a switch forwards frames based on VLAN
configuration in a multi-switched environment.
 Configure a switch port to be assigned to a VLAN based on
requirements.
 Configure a trunk port on a LAN switch.
 Configure Dynamic Trunk Protocol (DTP).
 Troubleshoot VLAN and trunk configurations in a switched network.
 Configure security features to mitigate attacks in a VLAN-
segmented environment.
 Explain security best practices for a VLAN-segmented environment.
VLAN Segmentation
 It’s all about the IP Address
Emmalia, you are in my Rick
neighborhood so I can Santa Cruz, Ca
take the letter to you!

Emmalia
Lucia, I see by your Santa Cruz, Ca
address that you are
somewhere else. So I
have to take your letter Rick
to the Post Office. Santa Cruz, Ca

Lucia
Emmalia
Capitola, Ca
Santa Cruz, Ca
 Even if two houses are on the same street, you only know the
4
address so must take it to the local post office
 Understanding IP communications
192.168.10.0/24 A MAC MAC B 192.168.10.0/24
Subnet aa.aa bb.bb Subnet

192.168.10.10 192.168.10.11
255.255.255.0 255.255.255.0

Destination Address Source Address Type IP FCS

bb.bb aa.aa DA 192.168.10.11

 Devices can only communicate with other devices on the same subnet
 A knows that it is on the 192.168.10.0/24 subnet (AND operation with its
IP address and subnet mask). (Same subnet = Same subnet mask)
 A knows that B (192.168.1.11) is on its same subnet (AND operation
with B’s IP address and A’s subnet mask)
A 192.168.10.10 SAME Subnet B 192.168.10.11
AND 255.255.255.0 A can reach B AND 255.255.255.0
-------------------- directly without --------------------
192.168.10.0 going through a 192.168.10.0
router
 Understanding IP communications
192.168.10.0/24 A MAC MAC C 192.168.20.0/24
Subnet aa.aa cc.cc Subnet

192.168.10.10 192.168.20.12
255.255.255.0 255.255.255.0

Destination Address Source Address Type IP FCS

DA 192.168.20.12

 Devices can only communicate with other devices on the same subnet
 A knows that it is on the 192.168.10.0/24 subnet (AND operation with its
IP address and subnet mask) (Same subnet = Same subnet mask)
 A knows that C (192.168.20.12) is on a different subnet (AND operation
with B’s IP address and A’s subnet mask) – Can’t get there directly!

A 192.168.10.10 DIFFERENT B 192.168.20.12

AND 255.255.255.0 Subnets AND 255.255.255.0
-------------------- A can NOT reach B --------------------
192.168.10.0 directly. Must go 192.168.20.0
through a router
 192.168.10.0/24 192.168.20.0/24
Subnet Subnet

A MAC MAC MAC MAC C

aa.aa 11.11 22.22 cc.cc
192.168.10.10 192.168.10.1 192.168.20.1 192.168.20.12
255.255.255.0 255.255.255.0 255.255.255.0 255.255.255.0

Destination Address Source Address Type IP FCS

11.11 aa.aa DA 192.168.20.12

Destination Address Source Address Type IP FCS

cc.cc 22.22 DA 192.168.20.12

 A sends packet to devices in a DIFFERENT subnet directly to a router which

is on the same subnet as A.
 The router will take care of it from there.

192.168.10.10 DIFFERENT 192.168.20.11

AND 255.255.255.0 Subnets AND 255.255.255.0
-------------------- A can NOT reach B --------------------
192.168.10.0 directly. Must go 192.168.20.0
through a router
 Understanding IP communications
A B

192.168.10.10 192.168.10.11
255.255.255.0 255.255.255.0

A C

192.168.10.10 192.168.20.12
255.255.255.0 255.255.255.0

A C

192.168.10.10 192.168.10.1 192.168.20.1 192.168.20.12

255.255.255.0 255.255.255.0 255.255.255.0 255.255.255.0
 Devices can only communicate with other devices on the same subnet
 Otherwise, they must go through a router, that is on its same subnet
Definition: VLAN

“A VLAN is a virtual LAN that logically

segments switched networks based on
functions, project teams, or
applications of the organization
regardless of the physical location or
connections to the network.”
 TO CLEAR A SWITCH
 ALWAYS DO THE FOLLOWING TO CLEAR A SWITCH!!

S1# delete vlan.dat

Delete filename [vlan.dat]?
Delete flash:/vlan.dat? [confirm]

S1# erase startup-config

Erasing the nvram filesystem will remove all configuration files!
Continue? [confirm]
[OK]
Erase of nvram: complete
%SYS-7-NV_BLOCK_INIT: Initialized the geometry of nvram
S1# reload
Proceed with reload? [confirm]
 Default VLAN Assignment

Default: All ports in the same VLAN (subnet)

Switch# show vlan

VLAN Name Status Ports

---- -------------------------------- --------- -------------------------------
1 default active Fa0/1, Fa0/2, Fa0/3, Fa0/4
Fa0/5, Fa0/6, Fa0/7, Fa0/8
Fa0/9, Fa0/10, Fa0/11, Fa0/12
Fa0/13, Fa0/14, Fa0/15, Fa0/16
Fa0/17, Fa0/18, Fa0/19, Fa0/20
Fa0/21, Fa0/22, Fa0/23, Fa0/24
Gig0/1, Gig0/2
<output omitted>
 Default VLAN Assignment Default: All ports in the same VLAN

ARP Request
Broadcast

A B C D

192.168.10.10 192.168.10.11 192.168.10.12 192.168.10.13

255.255.255.0 255.255.255.0 255.255.255.0 255.255.255.0
 Hosts can communicate with each other because:
 Same IP subnet
 Switch ports are on the same VLAN (subnet)
 Can A, B, C and D ping each other?
 If A did an ARP request for B, who would see this Ethernet broadcast?
 VLAN Definitions

 A VLAN is a logical partition of a Layer 2 network.

 Multiple partitions can be created, allowing for multiple VLANs to co-
exist.
 Each VLAN is a broadcast domain, usually with its own IP network.
 VLANs are mutually isolated and packets can only pass between
them via a router.
 The partitioning of the Layer 2 network takes place inside a Layer 2
device, usually via a switch.
 The hosts grouped within a VLAN are unaware of the VLAN’s
existence.
 With a single VLANs (“no VLANs”)

MAC A MAC B MAC C MAC D

aa.aa bb.bb cc.cc dd.dd
192.168.10.10 192.168.10.11 192.168.20.12 192.168.20.13
255.255.255.0 255.255.255.0 255.255.255.0 255.255.255.0

 You can do this but devices can only communicate with each other that
are on the same IP subnet…. Unless you have a …..
 ROUTER (coming)
 Who can A Ping? B ping? C ping? D ping?
A single VLAN (“no VLANs”) means no segmentation

ARP Request
Wasted
Broadcast
bandwidth
MAC A MAC B MAC C MAC D
aa.aa bb.bb cc.cc dd.dd
192.168.10.10 192.168.10.11 192.168.20.12 192.168.20.13
255.255.255.0 255.255.255.0 255.255.255.0 255.255.255.0

 Who can A Ping? B ping? C ping? D ping?

 If A did an ARP request for B, who would see this Ethernet broadcast?
 If C did an ARP request for D, who would see this Ethernet broadcast?
 Remember: ARP requests are only when the source IP address and the
destination IP address are on the SAME SUBNET.
A single VLAN (“no VLANs”) means no segmentation

ARP Request
Broadcast

A B C D

192.168.10.10 192.168.10.11 192.168.20.12 192.168.20.13

255.255.255.0 255.255.255.0 255.255.255.0 255.255.255.0

 Who can A Ping? B ping? C ping? D ping?

 If A did an ARP request for B, who would see this Ethernet broadcast?
 If C did an ARP request for D, who would see this Ethernet broadcast?
 Remember: ARP requests are only when the source IP address and the
destination IP address are on the SAME SUBNET.
 VLANs and IP Addresses/Masks

 VLANs are configured on the switch port

 IP Addresses and subnet masks are configured on the devices that
connect to the switch ports.
 VLAN on the switch must match the IP network address of the
device.
 Configured
for VLAN 10
Configured for VLAN 10 Configured for VLAN 20

Configured
for VLAN 20

MAC A MAC B MAC C MAC D

aa.aa bb.bb cc.cc dd.dd
192.168.10.10 192.168.10.11 192.168.20.12 192.168.20.13
255.255.255.0 255.255.255.0 255.255.255.0 255.255.255.0

 VLANs are configured on the switch port

 IP Addresses and subnet masks are configured on the devices that
connect to the switch ports.
 VLAN on the switch must match the IP network address of the device.
BEFORE (DEFAULT CONFIGURATION)

A B C D

192.168.10.10 192.168.10.11 192.168.10.12 192.168.10.13

255.255.255.0 255.255.255.0 255.255.255.0 255.255.255.0
Default: All ports in the same VLAN (subnet)
Switch# show vlan
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/1, Fa0/2, Fa0/3, Fa0/4
Fa0/5, Fa0/6, Fa0/7, Fa0/8
Fa0/9, Fa0/10, Fa0/11, Fa0/12
Fa0/13, Fa0/14, Fa0/15, Fa0/16
Fa0/17, Fa0/18, Fa0/19, Fa0/20
Fa0/21, Fa0/22, Fa0/23, Fa0/24
Gig0/1, Gig0/2
AFTER CONFIGURATION

A B C D

192.168.10.10 192.168.10.11 192.168.20.12 192.168.20.13

255.255.255.0 255.255.255.0 255.255.255.0 255.255.255.0
Switch# show vlan

VLAN Name Status Ports

---- -------------------------------- --------- -------------------------------
10 active Fa0/1, Fa0/2, Fa0/3, Fa0/4
Fa0/5, Fa0/6, Fa0/7, Fa0/8
Fa0/9, Fa0/10, Fa0/11, Fa0/12,
Gig0/1

20 active Fa0/13, Fa0/14, Fa0/15, Fa0/16

Fa0/17, Fa0/18, Fa0/19, Fa0/20
Fa0/21, Fa0/22, Fa0/23, Fa0/24,
Gig0/2
VLANs give proper segmentation – Like having separate
switches
VLANs do not have to be configured contiguously on the switch.

ARP Request ARP Request

Broadcast Broadcast
A B C D

192.168.10.10 192.168.10.11 192.168.20.12 192.168.20.13

255.255.255.0 255.255.255.0 255.255.255.0 255.255.255.0

 VLANs segment switches in to different VLANs or Subnets

 Think of it like having separate switches
 Who can A Ping? B ping? C ping? D ping?
 If A did an ARP request for B, who would see this Ethernet broadcast?
 If C did an ARP request for D, who would see this Ethernet broadcast?
Router and subnets/VLANs

MAC A MAC B MAC C MAC D

aa.aa bb.bb cc.cc dd.dd
192.168.10.10 192.168.10.11 192.168.20.12 192.168.20.13
255.255.255.0 255.255.255.0 255.255.255.0 255.255.255.0

 Router is required to connect (route) between subnets/VLANs

 MAC 192.168.20.1
22.22 255.255.255.0
PCA> ping 192.168.20.12

MAC 192.168.10.1
11.11 255.255.255.0

MAC A MAC B MAC C MAC D

aa.aa bb.bb cc.cc dd.dd
192.168.10.10 192.168.10.11 192.168.20.12 192.168.20.13
255.255.255.0 255.255.255.0 255.255.255.0 255.255.255.0
 Router is required to connect (route) between subnets/VLANs
 In this example, a single router with two IP addresses, one on each subnet, is
connected to the switch.
 Each of the router’s interfaces is connected to a proper VLAN port on the switch
to match it’s IP subnet. (Just like the host computers!)
 MAC 192.168.20.1
22.22 255.255.255.0
PCA> ping 192.168.20.12

MAC 192.168.10.1
11.11 255.255.255.0

MAC A MAC B MAC C MAC D

aa.aa bb.bb cc.cc dd.dd
192.168.10.10 192.168.10.11 192.168.20.12 192.168.20.13
255.255.255.0 255.255.255.0 255.255.255.0 255.255.255.0

ARP Cache  A does an ARP Request for

192.168.10.1 <-> 11.11 192.168.10.1 (Default gateway).
 Gets ARP Reply
 A adds MAC and IP to ARP Cache
 MAC 192.168.20.1
22.22 255.255.255.0
PCA> ping 192.168.20.12

MAC 192.168.10.1
11.11 255.255.255.0

MAC A MAC B MAC C MAC D

aa.aa bb.bb cc.cc dd.dd
192.168.10.10 192.168.10.11 192.168.20.12 192.168.20.13
255.255.255.0 255.255.255.0 255.255.255.0 255.255.255.0

Destination Address Source Address Type IP (ICMP) FCS

11.11 aa.aa DA 192.168.20.12

 A sends Ethernet frame to default gateway, the router

 ARP Cache MAC 192.168.20.1
192.168.20.12 <-> cc.cc 22.22 255.255.255.0

MAC 192.168.10.1
11.11 255.255.255.0

MAC A MAC B MAC C MAC D

aa.aa bb.bb cc.cc dd.dd
192.168.10.10 192.168.10.11 192.168.20.12 192.168.20.13
255.255.255.0 255.255.255.0 255.255.255.0 255.255.255.0

PCA> ping 192.168.20.12  Router does an ARP Request for

192.168.20.12 (Destination IP).
 Gets ARP Reply
 Router adds MAC and IP to ARP Cache
 MAC 192.168.20.1
22.22 255.255.255.0
PCA> ping 192.168.20.12

MAC 192.168.10.1
11.11 255.255.255.0

MAC A MAC B MAC C MAC D

aa.aa bb.bb cc.cc dd.dd
192.168.10.10 192.168.10.11 192.168.20.12 192.168.20.13
255.255.255.0 255.255.255.0 255.255.255.0 255.255.255.0

Destination Address Source Address Type IP (ICMP) FCS

cc.cc 22.22 DA 192.168.20.12

 Router sends Ethernet frame to final destination, PC-C

 MAC 192.168.20.1
22.22 255.255.255.0
PCA> ping 192.168.20.12
.!!!!
MAC 192.168.10.1
11.11 255.255.255.0

MAC A MAC B MAC C MAC D

aa.aa bb.bb cc.cc dd.dd
192.168.10.10 192.168.10.11 192.168.20.12 192.168.20.13
255.255.255.0 255.255.255.0 255.255.255.0 255.255.255.0
Destination Address Source Address Type IP (ICMP) FCS
22.22 cc.cc DA 192.168.10.10

Destination Address Source Address Type IP (ICMP) FCS

aa.aa 11.11 DA 192.168.10.10
Benefits of
VLANs
 Security:
 Improved by isolating user access to sensitive data and
applications.
 Cost reduction:
 Reduces the need for expensive network upgrades and more
efficient use of existing bandwidth and uplinks.
 Smaller Broadcast Domains:
 Divide a network into smaller logical networks, resulting in lower
susceptibility to broadcast storms.
 Better performance:
 Divides the flat Layer 2 networks into multiple broadcast
domains reducing unnecessary traffic on the network and boosts
performance.
 Improved IT staff efficiency:
 Makes the network easier to manage.
How many VLANs can you configure on a
switch? It depends….
on the switch and
the switch’s capabilities
and what you require.
Default VLAN
Assignment
Switch# show vlan

VLAN Name Status Ports

---- -------------------------------- --------- -------------------------------
1 default active Fa0/1, Fa0/2, Fa0/3, Fa0/4
Fa0/5, Fa0/6, Fa0/7, Fa0/8
Fa0/9, Fa0/10, Fa0/11, Fa0/12
Fa0/13, Fa0/14, Fa0/15, Fa0/16
Fa0/17, Fa0/18, Fa0/19, Fa0/20
Fa0/21, Fa0/22, Fa0/23, Fa0/24
Gig0/1, Gig0/2
1002 fddi-default act/unsup
1003 token-ring-default act/unsup
1004 fddinet-default act/unsup
1005 trnet-default act/unsup

VLAN Type SAID MTU Parent RingNo BridgeNo Stp BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1 enet 100001 1500 - - - - - 0 0
1002 fddi 101002 1500 - - - - - 0 0
1003 tr 101003 1500 - - - - - 0 0
1004 fdnet 101004 1500 - - - ieee - 0 0
1005 trnet 101005 1500 - - - ibm - 0 0

Switch#
 Normal Range VLANs
Switch# show vlan

VLAN Name Status Ports

---- -------------------------------- --------- -------------------------------
1 default active Fa0/1, Fa0/2, Fa0/3, Fa0/4
Fa0/5, Fa0/6, Fa0/7, Fa0/8
Fa0/9, Fa0/10, Fa0/11, Fa0/12
Fa0/13, Fa0/14, Fa0/15, Fa0/16
Fa0/17, Fa0/18, Fa0/19, Fa0/20
Fa0/21, Fa0/22, Fa0/23, Fa0/24
Gig0/1, Gig0/2
1002 fddi-default act/unsup
1003 token-ring-default act/unsup
1004 fddinet-default act/unsup
1005 trnet-default act/unsup

 Used in small- and medium-sized business and enterprise networks.

 VLAN Range: 1 – 1005
 Reserved VLANs: VLANs 1, 1002 – 1005
 Configurations stored in vlan.dat in flash memory.

 Note:
 VLAN Trunking Protocol (VTP) can manage normal range VLANs.
Extended Range
VLANs

 Used in Service Provider networks (great number of customers) or

large, global enterprises.
 VLAN Range: 1006 - 4094.
 Support fewer VLAN features than normal range VLANs.
 Saved in the running configuration file.
 It can support up to 255 normal range and extended range VLANs.
Types of VLANs

 Default VLAN (VLAN 1 by default)

 Native VLAN (VLAN 1 by default)
 Used for untagged traffic (later)
 User VLANs
 Each IP subnet is a separate VLAN
 Management VLAN
 VLAN to connect to infrastructure devices such a switches
 Voice VLAN
 VLAN used to connect IP phones
 Guest VLAN
 For to connect guests and others who do not have access to
internal resources, perhaps Internet access only
 Garbage VLAN
 For unused ports not yet configured for a specific VLAN
36
User VLAN examples

VLAN = Subnet

Business VLANs
 IT VLAN
 HR VLAN
 Sales VLAN

College
 Student VLAN
 Faculty VLAN
 Guest VLAN

37
Default VLAN

VLAN 1
Default VLAN

Native VLAN
Un-tagged (If trunking there is no
802.1Q or ISL encapsulation)
CDP, VTP, PAgP, LACP, DTP,
BPDUs
 By default all traffic is carried across VLAN 1.
 By default all ports are on VLAN 1
 VLAN 1 is:
 The default VLAN (all user traffic)
 Native VLAN: No trunking encapsulation even if configured as a trunk
coming).
 All Layer 2 control traffic (e.g., DTP, VTP, STP BPDUs, PAgP, LACP,
38
CDP, etc.), are associated with VLAN 1
 Default VLAN 1

S1# show vlan

VLAN Name Status Ports

---- -------------------------------- --------- -------------------------------
1 default active Fa0/1, Fa0/2, Fa0/3, Fa0/4
Fa0/5, Fa0/6, Fa0/7, Fa0/8
Fa0/9, Fa0/10, Fa0/11, Fa0/12
Fa0/13, Fa0/14, Fa0/15, Fa0/16
Fa0/17, Fa0/18, Fa0/19, Fa0/20
Fa0/21, Fa0/22, Fa0/23, Fa0/24
Gi0/1, Gi0/2

 VLAN 1 cannot be deleted

 Security best practices:
 Avoid using VLAN 1 for all VLANs other that control traffic which must be on
VLAN1
 In other words, create additional VLANs
 User or Data VLANs

MAC A MAC B MAC C MAC D

aa.aa bb.bb cc.cc dd.dd
192.168.10.10 192.168.10.11 192.168.20.12 192.168.20.13
255.255.255.0 255.255.255.0 255.255.255.0 255.255.255.0
HR Department Sales Department
 These are VLANs used for different user VLANs/subnets
 For user data traffic
 What about the ports not in the Red or Blue VLAN?
 They are still in VLAN 1 (default VLAN)
 Change them to the Voice (VoIP) VLAN later. 41
Creating Static
User VLANs

S1# configure terminal

S1(config)# vlan 10
VLAN name is optional
S1(config-vlan)# name HR
S1(config-vlan)# exit
Single host attached, not
S1(config)# interface fastethernet 0/2
S1(config-if)# switchport mode access
another switch (trunk)… later
S1(config-if)# switchport access vlan 10
S1(config-if)# end
VLAN 10 assigned to the port
S1#

 Ports on a switch are manually assigned (CLI) to a VLAN.

 If you assign an interface to a VLAN that does not exist, the new VLAN
is created for you.
 Note: Dynamic VLANs can be configured using a special server called a
VLAN Membership Policy Server (VMPS). Beyond the scope of this course.
Configuring a
Range of Ports

S1(config)# interface range fastethernet 0/1 - 10

S1(config-if-range)# switchport mode access
S1(config-if-range)# switchport access vlan 10
S1(config-if-range)# exit
S1(config)# interface gigabitethernet 0/1
S1(config-if)# switchport mode access
S1(config-if)# switchport access vlan 10
S1(config-if)# end
S1#
Configuring a
Range of Ports

S1(config)# vlan 20
S1(config-vlan)# name SALES
S1(config-vlan)# exit
S1(config)# interface range fastethernet 0/13 - 22
S1(config-if-range)# switchport mode access
S1(config-if-range)# switchport access vlan 20
S1(config-if-range)# exit
S1(config)# interface gigabitethernet 0/2
S1(config-if)# switchport mode access
S1(config-if)# switchport access vlan 20
S1(config-if)# end
S1#
Configuring a
Range of Ports

S1# show vlan

VLAN Name Status Ports

---- -------------------------------- --------- -------------------------------
1 default active Fa0/11, Fa0/12, Fa0/23, Fa0/24
10 HR active Fa0/1, Fa0/2, Fa0/3, Fa0/4
Fa0/5, Fa0/6, Fa0/7, Fa0/8
Fa0/9, Fa0/10, Gi0/1
20 SALES active Fa0/13, Fa0/14, Fa0/15, Fa0/16
Fa0/17, Fa0/18, Fa0/19, Fa0/20
Fa0/21, Fa0/22, Gi0/2
Verifying VLAN
Port Parameters

S1# show interface fa 0/1 switchport

Name: Fa0/1
Switchport: Enabled
Administrative Mode: static access
Operational Mode: down
Administrative Trunking Encapsulation: dot1q
Negotiation of Trunking: Off
Access Mode VLAN: 10 (HR)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
<some output omitted>
S1#
Verifying VLAN
Port Parameters

S1# show interface fa 0/11 switchport

Name: Fa0/11
Switchport: Enabled
Administrative Mode: dynamic auto
Operational Mode: down
Administrative Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Verifying VLANs

S1# show vlan brief

VLAN Name Status Ports

---- -------------------------------- --------- -------------------------------
1 default active Fa0/11, Fa0/12, Fa0/23, Fa0/24
10 HR active Fa0/1, Fa0/2, Fa0/3, Fa0/4
Fa0/5, Fa0/6, Fa0/7, Fa0/8
Fa0/9, Fa0/10, Gi0/1
20 SALES active Fa0/13, Fa0/14, Fa0/15, Fa0/16
Fa0/17, Fa0/18, Fa0/19, Fa0/20
Fa0/21, Fa0/22, Gi0/2
1002 fddi-default act/unsup
1003 token-ring-default act/unsup
1004 fddinet-default act/unsup
1005 trnet-default act/unsup
S1#
Verifying VLANs
S1# show vlan id 10

VLAN Name Status Ports

---- -------------------------------- --------- -------------------------------
10 HR active Fa0/1, Fa0/2, Fa0/3, Fa0/4
Fa0/5, Fa0/6, Fa0/7, Fa0/8
Fa0/9, Fa0/10, Gi0/1

<output omitted>

S1# show vlan name SALES

VLAN Name Status Ports

---- -------------------------------- --------- -------------------------------
20 SALES active Fa0/13, Fa0/14, Fa0/15, Fa0/16
Fa0/17, Fa0/18, Fa0/19, Fa0/20
Fa0/21, Fa0/22, Gi0/2

<output omitted>

S1#
Verifying VLANs
S1(config)# vlan 444
S1(config-vlan)# end
S1# show vlan

VLAN Name Status Ports

---- -------------------------------- --------- -------------------------------
1 default active Fa0/11, Fa0/12, Fa0/23, Fa0/24
10 HR active Fa0/1, Fa0/2, Fa0/3, Fa0/4
Fa0/5, Fa0/6, Fa0/7, Fa0/8
Fa0/9, Fa0/10, Gi0/1
20 SALES active Fa0/13, Fa0/14, Fa0/15, Fa0/16
Fa0/17, Fa0/18, Fa0/19, Fa0/20
Fa0/21, Fa0/22, Gi0/2
444 VLAN0444 active
<output omitted>
S1# conf t
S1(config)# no vlan 444
S1(config)# end
S1# show vlan id 444
VLAN id 444 not found in current VLAN database
S1#
 Management VLAN 1
VLAN 1
192.168.10.254

SSH to
192.168.10.254

S1(config)# inter vlan 1

S1(config-if)# description Management VLAN
S1(config-if)# ip address 192.168.10.254 255.255.255.0
S1(config-if)# no shutdown

• A switch can be managed via HTTP, Telnet, SSH, or SNMP.

• A management VLAN is used to manage the infrastructure devices including
switches, routers, AP, etc.
• Security best practice is to change the management VLAN to a VLAN other than
VLAN 1.
• We will discuss this later, because we will need to route to the management VLAN.
Native VLAN

 A native VLAN is assigned to an IEEE 802.1Q trunk port (later).

 Incoming traffic can be tagged (VLAN) or untagged traffic.
 Native VLANs are set out in the IEEE 802.1Q specification to
maintain backward compatibility with untagged traffic.
 Security best practice is to change the native VLAN to a VLAN
other than VLAN 1.
 We will come back to this later…
Voice VLAN

 VoIP traffic requires:

 Assured bandwidth to ensure voice quality.
 Transmission priority over other types of network traffic.
 Ability to be routed around congested areas on the network.
 Delay of less than 150 milliseconds (ms) across the network.
 Security best practice is that voice traffic must be placed in a separate
VLAN.
Power over Ethernet

 Cisco IP Phone like other devices

requires power to operate.
 Power can come from one of two
sources:
 An external AC adapter
 Power over Ethernet (DC) using the
network data cable.
54
External Adapters
External Adapters
 External adapter are also known as wall
warts.
 Disadvantage of IP Phones: If power
failure the IP Phone will fail.
 Unlike the old days.

55
Power over Ethernet

 Inline power or Power over Ethernet (PoE)

 Advantages of PoE:
 Power where power may not be easily found.
 Managed
 Monitored
 Offered only to selected devices

56
 switchport voice vlan vvid
Voice: 802.1Q trunk
Tagged as vvid CoS in 802.1p bits

Data:
Untagged: Native VLAN
Recommended Option
Switch(config)# interface type mod/num
Switch(config-if)# switchport voice vlan vlan-id

 Instructs the Cisco IP phone to forward all voice traffic through the specified VLAN.
 By default, the Cisco IP phone forwards the voice traffic with an 802.1Q priority of 5.
 Creates a special 802.1Q trunk (so called trunk later)
 Negotiated by DTP and CDP (provisioning of the vvid)
 CoS (Class of Service) in 802.1p bits (later)
 vvid puts:
 Voice packets on voice VLAN
 Voice VLAN is configured.
 Data packets in Native VLAN
 VLAN 1 by default unless modified on the switch
 Can configure the data VLAN to be a a VLAN other than Native or Voice. (coming)
57
 Configuring Voice VLAN Operation
Voice: 802.1Q trunk
Tagged as voice VLAN 100 CoS in 802.1p bits

Data:
Untagged: Native VLAN
Tagged as VLAN 20
Recommended Option
Switch(config)# interface FastEthernet0/24
Switch(config-if)# switchport voice vlan 100
Switch(config-if)# switchport access vlan 20

 Portfast is automatically enabled with voice VLAN.

Switch# show run

interface FastEthernet0/24
switchport voice vlan 100
switchport access vlan 20
spanning-tree portfast

 More to come!
58
VLAN Trunks

Default VLAN
VLAN 1 Control traffic (STP, DTP, VTP, CDP, …)
User VLAN
VLAN 10 HR – 192.168.10.0/24
User VLAN
VLAN 20 Sales– 192.168.20.0/24
Voice VLAN
VLAN 100 VoIP– 192.168.100.0/24
Management VLAN
VLAN 155 Guests – 192.168.150.0/24
Garbage/Guest VLAN
VLAN 199 Garbage – 192.168.199.0/24
Native VLAN
VLAN 200 Untagged traffic

 A point-to-point link that carries more than one VLAN.

 Extend VLANs across multiple switches
 Cisco supports 802.1Q standard
 Some older switches support legacy Cisco ISL 59
A Z

 The TAG is added by the switch before it goes over a trunk link.
 The TAG is removed by the switch at the other end of the trunk link.
60
 Priority
Tag protocol ID VLAN ID (VID)
Used Canonical Format Identifier (CFI)
for QoS (802.1p
(TPID) VLAN identification number
Enables
standard) Token Ring
specifies frames to be
how to
that supports up to 4096
carried
expedite across Ethernet
transmission of links
Ethernet is 0x8100. VLAN IDs
Layer 2 frames

61
Native VLAN

 Native VLAN
 For devices that do not support tagging.
 All trunks must have a native VLAN
 Native VLAN must be the same on both ends (both switches).
 Can be modified to be a VLAN other than VLAN 1.
 Should not be used for user VLAN or Management VLAN.
 Control traffic (CDP, VTP, PAgP, DTP) still transmitted over VLAN 1.
 If Native VLAN is other than VLAN 1 then control traffic on VLAN 1
is sent tagged.
 It is fine to leave VLAN 1 as the Native VLAN but should only carry
control traffic and not user or management traffic. 62
Inter-switching links: Default and Trunking
VLAN 1 VLAN 1

All ports on VLAN 1 All ports on VLAN 1

VLAN VLAN
Trunk Trunk

VLAN 1, 10, 20, VLAN 1, 10, 20,

100, 155, 200 100, 155, 200

63
 Configuring VLAN Trunks
VLANs VLANs
Fa0/1 Fa0/1 10, 20
10, 20
S1 S2
S1# show vlan brief

VLAN Name Status Ports

---- -------------------------------- --------- -------------------------------
1 default active Fa0/11, Fa0/12, Fa0/23, Fa0/24
10 HR active Fa0/1, Fa0/2, Fa0/3, Fa0/4
Fa0/5, Fa0/6, Fa0/7, Fa0/8
Fa0/9, Fa0/10, Gi0/1
20 SALES active Fa0/13, Fa0/14, Fa0/15, Fa0/16
Fa0/17, Fa0/18, Fa0/19, Fa0/20
Fa0/21, Fa0/22, Gi0/2
S2# show vlan brief

VLAN Name Status Ports

---- -------------------------------- --------- -------------------------------
1 default active Fa0/21, Fa0/22, Fa0/23, Fa0/24
Gi0/1, Gi0/2
10 VLAN0010 active Fa0/1, Fa0/2, Fa0/3, Fa0/4
Fa0/5, Fa0/6, Fa0/7, Fa0/8
Fa0/9, Fa0/10
20 VLAN0020 active Fa0/11, Fa0/12, Fa0/13, Fa0/14
Fa0/15, Fa0/16, Fa0/17, Fa0/18
64
Fa0/19, Fa0/20
 Configuring VLAN Trunks
VLANs VLANs
Fa0/1 Fa0/1 10, 20
10, 20
S1 S2
S1(config)# inter fa 0/1
S1(config-if)# no switchport access vlan 10
S1(config-if)# switchport trunk encapsulation dot1q
! Only needed on switches that also support ISL

S1(config-if)# switchport mode trunk

S1(config-if)#
S2(config)# inter fa 0/1
S2(config-if)# no switchport access vlan 10
S2(config-if)# switchport mode trunk
S2(config-if)#

 Minimum configuration.

65
 Configuring VLAN Trunks
VLANs VLANs
Fa0/1 Fa0/1 10, 20
10, 20
S1 S2
S1# show vlan

VLAN Name Status Ports

---- -------------------------------- --------- -------------------------------
1 default active Fa0/11, Fa0/12, Fa0/23, Fa0/24
10 HR active Fa0/2, Fa0/3, Fa0/4, Fa0/5
Fa0/6, Fa0/7, Fa0/8, Fa0/9
Fa0/10, Gi0/1
20 SALES active Fa0/13, Fa0/14, Fa0/15, Fa0/16
Fa0/17, Fa0/18, Fa0/19, Fa0/20
Fa0/21, Fa0/22, Gi0/2

 No trunking information.
 Fa 0/1 no longer included in VLAN 10
66
 Configuring VLAN Trunks
VLANs VLANs
Fa0/1 Fa0/1 10, 20
10, 20
S1 S2
S1# show interfaces trunk

Port Mode Encapsulation Status Native vlan

Fa0/1 on 802.1q trunking 1

Port Vlans allowed on trunk

Fa0/1 1-4094

Port Vlans allowed and active in management domain

Fa0/1 1,10,20

Port Vlans in spanning tree forwarding state and not pruned

Fa0/1 none
S1#

67
 Configuring VLAN Trunks
VLANs VLANs
Fa0/1 Fa0/1 10, 20
10, 20
S1 S2
S2#show interfaces trunk

Port Mode Encapsulation Status Native vlan

Fa0/1 on 802.1q trunking 1

Port Vlans allowed on trunk

Fa0/1 1-4094

Port Vlans allowed and active in management domain

Fa0/1 1,10,20

Port Vlans in spanning tree forwarding state and not pruned

Fa0/1 1,10,20
S2#

68
 Configuring the Native VLAN
VLANs VLANs
Fa0/1 Fa0/1 10, 20
10, 20
S1 S2
S1(config)# inter fa 0/1
S1(config-if)# switchport trunk native vlan 200
*Mar 1 01:59:34.927: %CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered
on FastEthernet0/1 (200), with S2 FastEthernet0/1 (1)
S1(config-if)#

*Mar 1 02:00:39.267: %CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered

on FastEthernet0/1 (1), with S1 FastEthernet0/1 (200).
S2(config)# inter fa 0/1
S2(config-if)# switchport trunk native vlan 200
S2(config-if)#

 VLAN 200 (Native VLAN) does not need to be created on either

switch but…
 It must match on both ends of the trunk!
 Control data (CDP, STP, etc.) is still sent across VLAN 1 but is now
69
tagged.
 Configuring the Native VLAN
VLANs VLANs
Fa0/1 Fa0/1 10, 20
10, 20
S1 S2
S1# show interfaces trunk

Port Mode Encapsulation Status Native vlan

Fa0/1 on 802.1q trunking 200

Port Vlans allowed on trunk

Fa0/1 1-4094
S2# show interfaces trunk

Port Mode Encapsulation Status Native vlan

Fa0/1 on 802.1q trunking 200

Port Vlans allowed on trunk

Fa0/1 1-4094

 Happy native VLANs now!

 How about limiting which VLANs are allowed on the trunk?
70
 Configuring Allowed VLANs
VLANs VLANs
Fa0/1 Fa0/1 10, 20
10, 20
S1 S2
S1(config)# inter fa 0/1
S1(config-if)# switchport trunk allowed vlan 10,20,200

S2(config)# inter fa 0/1

S2(config-if)# switchport trunk allowed vlan 10,20,200

 No space between VLANs.

 If the native VLAN (200) is not on the list, it is not a problem.
 The trunk will not allow any data traffic for the native VLAN.

71
 Configuring Allowed VLANs
VLANs VLANs
Fa0/1 Fa0/1 10, 20
10, 20
S1 S2
S1# show interfaces trunk

Port Mode Encapsulation Status Native vlan

Fa0/1 on 802.1q trunking 200

Port Vlans allowed on trunk

Fa0/1 10,20,200
S2# show interfaces trunk

Port Mode Encapsulation Status Native vlan

Fa0/1 on 802.1q trunking 200

Port Vlans allowed on trunk

Fa0/1 10,20,200

72
 What’s in the running-config?
VLANs VLANs
Fa0/1 Fa0/1 10, 20
10, 20
S1 S2
interface FastEthernet0/1
Trunk link
switchport trunk native vlan 200
switchport trunk allowed vlan 10,20,200
switchport mode trunk
!
interface FastEthernet0/2
switchport access vlan 10 VLAN 10 access port
switchport mode access
!
interface FastEthernet0/3
switchport access vlan 10
switchport mode access

<continued>

73
 What’s in the running-config?
VLANs VLANs
Fa0/1 Fa0/1 10, 20
10, 20
S1 S2
!
interface FastEthernet0/11
!
No configuring…. Default VLAN 1
(Should be in garbage, temporary VLAN if
interface FastEthernet0/12
port is not in use)
!
interface FastEthernet0/13
VLAN 20 access port
switchport access vlan 20
switchport mode access
!
interface FastEthernet0/14
switchport access vlan 20
switchport mode access
!
interface FastEthernet0/15
switchport access vlan 20
switchport mode access 74
 What’s in the running-config?
VLANs VLANs
Fa0/1 Fa0/1 10, 20
10, 20
S1 S2
!
interface Vlan1 SVI (Switched Virtual Interface)
no ip address Management VLAN
shutdown No current IP Address
! Still in VLAN 1

75
 Configuring Management VLAN
VLAN 155 VLAN 155
192.168.155.1/24 192.168.155.2/24 VLANs
VLANs Fa0/1
10, 20 Fa0/1 10, 20
S1 S2
S1(config)# interface vlan 155
S1(config-if)# ip address 192.168.155.1 255.255.255.0
S1(config-if)# no shutdown
S1(config-if)# exit
S1(config)# vlan 155
S1(config-vlan)# name MANAGEMENT
S1(config-vlan)#
S2(config)# interface vlan 155
S2(config-if)# ip add 192.168.155.2 255.255.255.0
S2(config-if)# no shutdown
S2(config-if)# exit
S2(config)# vlan 155
S2(config-vlan)# name MANAGMENT
S2(config-vlan)# end
S2# ping 192.168.155.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.158.155.2, timeout is 2 seconds:
..... ??? 76
 Configuring Management VLAN
VLAN 155 VLAN 155
192.168.155.1/24 192.168.155.2/24 VLANs
VLANs Fa0/1
10, 20 Fa0/1 10, 20
S1 S2
S1(config)# inter fa 0/1
S1(config-if)# switchport trunk allowed vlan 10,20,200,155

S1(config)# inter fa 0/1

S1(config-if)# switchport trunk allowed vlan 10,20,200,155
S1(config-if)# end
S2# ping 192.168.155.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.155.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/9 ms
S2#

77
 Verifying VLANs Once More
VLAN 155 VLAN 155
192.168.155.1/24 192.168.155.2/24 VLANs
VLANs Fa0/1
10, 20 Fa0/1 10, 20
S1 S2
S1# show vlan

VLAN Name Status Ports

---- -------------------------------- --------- -------------------------------
1 default active Fa0/11, Fa0/12, Fa0/23, Fa0/24
10 HR active Fa0/2, Fa0/3, Fa0/4, Fa0/5
Fa0/6, Fa0/7, Fa0/8, Fa0/9
Fa0/10, Gi0/1
20 SALES active Fa0/13, Fa0/14, Fa0/15, Fa0/16
Fa0/17, Fa0/18, Fa0/19, Fa0/20
Fa0/21, Fa0/22, Gi0/2
155 MANAGEMENT active

78
 Verifying VLANs Once More
VLAN 155 VLAN 155
192.168.155.1/24 192.168.155.2/24 VLANs
VLANs Fa0/1
10, 20 Fa0/1 10, 20
S1 S2
S1# show interfaces trunk

Port Mode Encapsulation Status Native vlan

Fa0/1 on 802.1q trunking 200

Port Vlans allowed on trunk

Fa0/1 10,20,155,200

S1# show interface vlan 155

Vlan155 is up, line protocol is up
Hardware is EtherSVI, address is 189c.5dff.fac1 (bia 189c.5dff.fac1)
Internet address is 192.168.155.1/24
MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive not supported

<output omitted> 79
 Verifying VLANs Once More
VLAN 155 VLAN 155
192.168.155.1/24 192.168.155.2/24 VLANs
VLANs Fa0/1
10, 20 Fa0/1 10, 20
S1 S2
S1# show interface fa0/1 switchport
Name: Fa0/1
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 200 (Inactive)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
<output omitted>
Trunking VLANs Enabled: 10,20,155,200

80
Dynamic Trunk Protocol
Switch Ethernet Port Type
VLANs VLANs
Fa0/1 Fa0/1 10, 20
10, 20
S1 S2

 Switch Ethernet ports can be set to:

 Access port: Non-trunking port used to connect to end-devices.
 Trunking: Trunking port to carry VLAN information to another
switch.
 By default, Layer 2 switch ports want to trunk.
Access Port

S1(config-if) # switchport mode access

 Forces the link into access port.

 It will never become a trunk!

Use to connect a host, server, printer, …

Dynamic Trunking Protocol - DTP
DTP DTP DTP

 By default, Catalyst 2960 and Catalyst 3560 Series switches have

Dynamic Trunking Protocol (DTP) enabled.
 DTP is a Cisco proprietary protocol that negotiates trunking
parameters between switches.
 Operates on a point-to-point basis only, between network
devices.
 Designed to make interconnecting switches with VLANs easier.
 DTP is only available on Cisco switches and not supported by other
vendors.
 Four DTP Trunking Modes
S1(config-if)# switchport mode ?
access Set trunking mode to ACCESS unconditionally
dynamic Set trunking mode to dynamically negotiate access or trunk mode
trunk Set trunking mode to TRUNK unconditionally
S1(config-if)# switchport mode dynamic ?
auto Set trunking mode dynamic negotiation parameter to AUTO
desirable Set trunking mode dynamic negotiation parameter to DESIRABLE
S1(config-if)# switchport mode dynamic

 On (default): Default mode. It’s locked into TRUNK mode.

 switchport mode trunk
 Dynamic Desirable: (default mode on Catalyst 2950 / 3550)
 switchport mode dynamic desirable
 Dynamic Auto:
 switchport mode dynamic auto
 Disabled: Nonegotiate. Turns off DTP.
 switchport nonegotiate
Non-trunking by default
S2# show interfaces fastethernet 0/21 switchport
Name: Fa0/21
Switchport: Enabled
Administrative Mode: dynamic auto
Operational Mode: static access
Administrative Trunking Encapsulation: dot1q How the port was configured.
Operational Trunking Encapsulation: native
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
How the is operating.
Trunking Native Mode VLAN: 1 (default)

VLANs VLANs
Fa0/1 Fa0/1 10, 20
10, 20
S1 S2
Dynamic auto Dynamic auto

 Ports on the 2960 and 3560 are set to dynamic auto by default.
 Does not trunk if both sides default to dynamic auto
 This results in the interface being in access mode (non-trunking)
86
S1(config-if)# switchport mode ?

Dynamic
Trunking
Protocol
(DTP)

 Access - Puts the interface into permanent non-trunking mode and negotiates to convert the link into a
non-trunk link. The interface becomes a non-trunk interface even if the neighboring interface does not
agree to the change.
 Trunk - Puts the interface into permanent trunking mode and negotiates to convert the link into a trunk
link. The interface becomes a trunk interface even if the neighboring interface does not agree to the change.
 Nonegotiate - Puts the interface into permanent trunking mode but prevents the interface from
generating DTP frames. You must configure the neighboring interface manually as a trunk interface to
establish a trunk link. Use this mode when connecting to a device that does not support DTP.
 Dynamic desirable - Makes the interface actively attempt to convert the link to a trunk link. The
interface becomes a trunk interface if the neighboring interface is set to trunk, desirable, or auto mode.
 Dynamic auto - Makes the interface willing to convert the link to a trunk link. The interface becomes a
trunk interface if the neighboring interface is set to trunk or desirable mode. This is the default mode for
all Ethernet interfaces in Cisco IOS.
Trunk Modes Must be Compatible
DTP Mode: On (default)

 S1(config-if) # switchport mode trunk

 Forces the link into permanent trunking (even if the neighbor doesn't
agree)
 Enables DTP and exchanges DTP frames.

 Will trunk if remote is configured with:

 On switchport mode trunk
 Desirable switchport mode dynamic desirable
 Dynamic Auto switchport mode dynamic auto

 Will not trunk if remote is configured with:

 Non-negotiate switchport nonegotiate
 Accessswitchport mode access
DTP Dynamic Desirable
 S1(config-if) # switchport mode dynamic desirable
 Causes the port to proactively attempt to become a trunk.
 Enables DTP and exchanges DTP frames.

 Will trunk if remote is configured with:

 On switchport mode trunk
 Desirable switchport mode dynamic desirable
 Dynamic Auto switchport mode dynamic auto

 Will not trunk if remote is configured with:

 Non-negotiate switchport nonegotiate
 Accessswitchport mode access
DTP Dynamic Auto
 S1(config-if) # switchport mode dynamic auto
 Causes the port to passively be willing to convert to trunking.
 Enables DTP and exchanges DTP frames.

 Will trunk if remote is configured with:

 On switchport mode trunk
 Desirable switchport mode dynamic desirable

 Will not trunk if remote is configured with:

 Dynamic Auto switchport mode dynamic auto
 Non-negotiate switchport nonegotiate
 Accessswitchport mode access
DTP Disabled
 S1(config-if) # switchport nonegotiate
 Forces the port to permanently trunk.
 Disables DTP and does not exchange any DTP frames.

 Use to trunk with a different vendor’s switch.

 #1 - “Trunk ” or “No Trunk”

S1(config)# interface fa0/1

S1(config-if)# switchport mode trunk

S1
F0/1 F0/1

S2(config)# interface fa0/1

S2

S2(config-if)# switchport mode trunk

 Will the ports trunk automatically?

 #2 - “Trunk ” or “No Trunk”

S1(config)# interface fa0/1

S1(config-if)# switchport mode trunk

S1
F0/1 F0/1

S2(config)# interface fa0/1

S2

S2(config-if)# switchport mode dynamic desirable

 Will the ports trunk automatically?

 #3 - “Trunk ” or “No Trunk”

S1(config)# interface fa0/1

S1(config-if)# switchport mode trunk

S1
F0/1 F0/1

S2(config)# interface fa0/1

S2

S2(config-if)# switchport mode dynamic auto

 Will the ports trunk automatically?

 #4 - “Trunk ” or “No Trunk”

S1(config)# interface fa0/1

S1(config-if)# switchport mode trunk

S1
F0/1 F0/1

S2(config)# interface fa0/1

S2
X
S2(config-if)# switchport nonegotiate

 Will the ports trunk automatically?

 #5 - “Trunk ” or “No Trunk”

S1(config)# interface fa0/1

S1(config-if)# switchport mode dynamic desirable

S1
F0/1 F0/1

S2(config)# interface fa0/1

S2

S2(config-if)# switchport mode trunk

 Will the ports trunk automatically?

 #6 - “Trunk ” or “No Trunk”

S1(config)# interface fa0/1

S1(config-if)# switchport mode dynamic desirable

S1
F0/1 F0/1

S2(config)# interface fa0/1

S2

S2(config-if)# switchport mode dynamic desirable

 Will the ports trunk automatically?

 #7 - “Trunk ” or “No Trunk”

S1(config)# interface fa0/1

S1(config-if)# switchport mode dynamic desirable

S1
F0/1 F0/1

S2(config)# interface fa0/1

S2

S2(config-if)# switchport mode dynamic auto

 Will the ports trunk automatically?

 #8 - “Trunk ” or “No Trunk”

S1(config)# interface fa0/1

S1(config-if)# switchport mode dynamic desirable

S1
F0/1 F0/1

S2(config)# interface fa0/1

S2
X
S2(config-if)# switchport nonegotiate

 Will the ports trunk automatically?

 #9 - “Trunk ” or “No Trunk”

S1(config)# interface fa0/1

S1(config-if)# switchport mode dynamic auto

S1
F0/1 F0/1

S2(config)# interface fa0/1

S2

S2(config-if)# switchport mode trunk

 Will the ports trunk automatically?

 #10 - “Trunk ” or “No Trunk”

S1(config)# interface fa0/1

S1(config-if)# switchport mode dynamic auto

S1
F0/1 F0/1

S2(config)# interface fa0/1

S2

S2(config-if)# switchport mode dynamic desirable

 Will the ports trunk automatically?

 #11 - “Trunk ” or “No Trunk”

S1(config)# interface fa0/1

S1(config-if)# switchport mode dynamic auto

S1
F0/1 F0/1

S2(config)# interface fa0/1

S2
X
S2(config-if)# switchport mode dynamic auto

 Will the ports trunk automatically?

 #12 - “Trunk ” or “No Trunk”

S1(config)# interface fa0/1

S1(config-if)# switchport mode dynamic auto

S1
F0/1 F0/1

S2(config)# interface fa0/1

S2
X
S2(config-if)# switchport nonegotiate

 Will the ports trunk automatically?

 #13 - “Trunk ” or “No Trunk”

S1(config)# interface fa0/1

S1(config-if)# switchport nonegotiate

S1
F0/1 F0/1

S2(config)# interface fa0/1

S2
X
S2(config-if)# switchport mode trunk

 Will the ports trunk automatically?

 #14 - “Trunk ” or “No Trunk”

S1(config)# interface fa0/1

S1(config-if)# switchport nonegotiate

S1
F0/1 F0/1

S2(config)# interface fa0/1

S2
X
S2(config-if)# switchport mode dynamic desirable

 Will the ports trunk automatically?

 #15 - “Trunk ” or “No Trunk”

S1(config)# interface fa0/1

S1(config-if)# switchport nonegotiate

S1
F0/1 F0/1

S2(config)# interface fa0/1

S2
X
S2(config-if)# switchport mode dynamic auto

 Will the ports trunk automatically?

 #16 - “Trunk ” or “No Trunk”

S1(config)# interface fa0/1

S1(config-if)# switchport nonegotiate

S1
F0/1 F0/1

S2(config)# interface fa0/1

S2

S2(config-if)# switchport nonegotiate

 Will the ports trunk automatically?

Verifying DTP Trunk Links
S1# show dtp interface f0/1
DTP information for FastEthernet0/1:
TOS/TAS/TNS: TRUNK/ON/TRUNK
TOT/TAT/TNT: 802.1Q/802.1Q/802.1Q
Neighbor address 1: 0CD996D23F81
Neighbor address 2: 000000000000
Hello timer expiration (sec/state): 12/RUNNING
Access timer expiration (sec/state): never/STOPPED
Negotiation timer expiration (sec/state): never/STOPPED
Multidrop timer expiration (sec/state): never/STOPPED
FSM state: S6:TRUNK
# times multi & trunk 0
Enabled: yes
In STP: no

<output omitted>
 TO CLEAR A SWITCH
 ALWAYS DO THE FOLLOWING TO CLEAR A SWITCH!!

S1# delete vlan.dat

Delete filename [vlan.dat]?
Delete flash:/vlan.dat? [confirm]

S1# erase startup-config

Erasing the nvram filesystem will remove all configuration files!
Continue? [confirm]
[OK]
Erase of nvram: complete
%SYS-7-NV_BLOCK_INIT: Initialized the geometry of nvram
S1# reload
Proceed with reload? [confirm]
Troubleshooting
VLANs
Troubleshooting VLANs and Trunks
IP Addressing Issues with VLAN
 It is a common practice to associate a VLAN with an IP network.
 Because different IP networks only communicate through a
router, all devices within a VLAN must be part of the same IP
network to communicate.
 The figure displays that PC1 cannot communicate to the server
because it has a wrong IP address configured.
Troubleshooting VLANs and Trunks
Missing VLANs
 If all the IP addresses mismatches have been solved, but the
device still cannot connect, check if the VLAN exists in the
switch.
Troubleshooting VLANs and Trunks
Introduction to Troubleshooting Trunks
Troubleshooting VLANs and Trunks
Common Problems with Trunks
 Trunking issues are usually associated with incorrect
configurations.
 The most common type of trunk configuration errors are:
1. Native VLAN mismatches
2. Trunk mode mismatches
3. Allowed VLANs on trunks
 If a trunk problem is detected, the best practice guidelines
recommend to troubleshoot in the order shown above.
Troubleshooting VLANs and Trunks
Trunk Mode Mismatches
 If a port on a trunk link is configured with a trunk mode that is
incompatible with the neighboring trunk port, a trunk link fails to
form between the two switches.
 Use the show interfaces trunk command to check the status of
the trunk ports on the switches.
 To fix the problem, configure the interfaces with proper trunk
modes.
Troubleshooting VLANs and Trunks
Incorrect VLAN List
 VLANs must be allowed in the trunk before their frames can be
transmitted across the link.
 Use the switchport trunk allowed vlan command to specify which
VLANs are allowed in a trunk link.
 Use the show interfaces trunk command to ensure the correct
VLANs are permitted in a trunk.
Troubleshooting
VLAN Security
Attacks on VLANs
Switch Spoofing Attack

 To prevent a basic switch spoofing attack, turn off trunking on all

ports, except the ones that specifically require trunking.
Attacks on VLANs
Double-Tagging Attack

 The best approach to mitigating double-tagging attacks is to ensure

that the native VLAN of the trunk ports is different from the VLAN of
any user ports.
Attacks on VLANs
PVLAN Edge

 The Private VLAN (PVLAN) Edge feature, also known as protected

ports, ensures that there is no exchange of unicast, broadcast, or
multicast traffic between protected ports on the switch.
 What is Inter-VLAN routing?
 Layer 2 switches cannot forward traffic between VLANs without
the assistance of a router.
 Inter-VLAN routing is a process for forwarding network traffic from
one VLAN to another, using a router.

 Legacy Inter-VLAN
Routing
 Router-on-Stick
 Switch SVI
 Switch Routed Ports
Legacy Inter-VLAN Routing
Legacy Inter-VLAN Routing

 Routers used to route between VLANs.

 Each VLAN was connected to a different physical router interface.
 Packets would arrive on the router through one through interface, be routed
and leave through another.
 Router interfaces connected to VLANs and have IP addresses from that
specific VLAN.
 Large networks with large number of VLANs required many router 124
interfaces.
 192.168.20.1
255.255.255.0
Legacy Inter-VLAN Routing
192.168.10.1
255.255.255.0

A B C D

192.168.10.10 192.168.10.11 192.168.20.12 192.168.20.13

255.255.255.0 255.255.255.0 255.255.255.0 255.255.255.0
GW 192.168.10.1 GW 192.168.10.1 GW 192.168.20.1 GW 192.168.20.1

 Router is required to connect (route) between subnets/VLANs

S1(config)# vlan 10
S1(config-vlan)# exit
S1(config)# vlan 30
S1(config-vlan)# exit
S1(config)# interface f0/11
S1(config-if)# switchport access vlan 10
S1(config-if)# exit
S1(config)# interface f0/4
S1(config-if)# switchport access vlan 10
S1(config-if)# exit
S1(config)# interface f0/6
S1(config)# switchport access vlan 30
S1(config-if)# exit
S1(config)# interface f0/5
S1(config-if)# switchport access vlan 30
R1(config)# interface g0/0
R1(config-if)# ip address 172.17.10.1 255.255.255.0
R1(config-if)# no shutdown
R1(config)# exit
R1(config-if)# interface g0/1
R1(config-if)# ip address 172.17.30.1 255.255.255.0
R1(config-if)# no shutdown
R1# show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
<output omitted>

172.17.0.0/16 is variably subnetted, 4 subnets, 2 masks

C 172.17.10.0/24 is directly connected, GigabitEthernet0/0
L 172.17.10.1/32 is directly connected, GigabitEthernet0/0
C 172.17.30.0/24 is directly connected, GigabitEthernet0/1
L 172.17.30.1/32 is directly connected, GigabitEthernet0/1
Router-on-a-Stick
 172.17.10.1
172.17.30.1
Router-on-a-Stick
VLAN 10
PC 2
172.17.10.30

VLAN 30
PC 4
172.17.30.55

 The router-on-a-stick approach uses a different path to route between VLANs.

 One of the router’s physical interfaces is configured as a 802.1Q trunk port so it
can understand VLAN tags.
 Logical subinterfaces are created; one subinterface per VLAN.
 Each subinterface is configured with an IP address from the VLAN it represents.
 VLAN members (hosts) are configured to use the subinterface address as a default
gateway.
131
 Only one of the router’s physical interface is used.
S1(config)# vlan 10
S1(config-vlan)# vlan 30
S1(config-vlan)# exit
S1(config)# interface f0/11
S1(config-if)# switchport access vlan 10
S1(config-if)# exit
S1(config)# interface f0/6
S1(config)# switchport access vlan 30
S1(config-if)# exit
S1(config-vlan)# interface f0/5
S1(config-if)# switchport mode trunk
S1(config-if)# 132
R1(config)# interface g0/0.10
R1(config-subif)# encapsulation dot1q 10
R1(config-subif)# ip address 172.17.10.1 255.255.255.0
R1(config-subif)# exit
R1(config)# interface g0/0.30
R1(config-subif)# encapsulation dot1q 30
R1(config-subif)# ip address 172.17.30.1 255.255.255.0
R1(config-subif)# exit
R1(config)# interface g0/0
R1(config-if)# no shutdown

133
R1# show vlans
<output omitted>
Virtual LAN ID: 10 (IEEE 802.1Q Encapsulation)

vLAN Trunk Interface: GigabitEthernet0/0.10

Protocols Configured: Address: Received: Transmitted:

IP 172.17.10.1 11 18
<output omitted>
Virtual LAN ID: 30 (IEEE 802.1Q Encapsulation)

vLAN Trunk Interface: GigabitEthernet0/0.30

Protocols Configured: Address: Received: Transmitted:

IP 172.17.30.1 11 8
<output omitted>
134
R1# show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B –
BGP

<output omitted>

172.17.0.0/16 is variably subnetted, 4 subnets, 2 masks

C 172.17.10.0/24 is directly connected, GigabitEthernet0/0.10
L 172.17.10.1/32 is directly connected, GigabitEthernet0/0.10
C 172.17.30.0/24 is directly connected, GigabitEthernet0/0.30
L 172.17.30.1/32 is directly connected, GigabitEthernet0/0.30

135
Problem #1
VLAN 10

S1(config)# interface fa0/4

S1(config-if)# switchport access vlan 10

138
Problem #2
Trunk

S1(config)# interface fa0/5

S1(config-if)# switchport mode trunk

139
Problem #3
Trunk

VLAN 10

S1(config)# interface fa0/5

S1(config-if)# switchport access vlan 10
140
Problem #4 172.17.10.1/24

R1(config)# interface g0/0

R1(config-if)# ip address 172.17.10.1 255.255.255.0

142
Problem #5

172.17.10.21/24

143
Problem #6

172.17.10.21/24

144
Multi-layer Switches and Inter-
VLAN Routing
– EXTRA (CIS 83)
Routers vs Multilayer Switches

 Routers and multilayer switches both perform routing (connecting

networks)
 Routers may have different types of interfaces (Ethernet, serial,
ATM, etc.) while multilayer switches will only have Ethernet
interfaces.
 While routers can be used to segment LAN devices, their major use
is as WAN devices.
 Each devices does have its own advantages.
 Routers are:
 The backbone devices of large intranets and of the Internet
 They operate at Layer 3 (network layer) of the OSI model
147
 They make decisions based on network addresses (IPv4, IPv6).
Switched Network Design
 Core –
Route/Switch
packets quickly
across between
distribution
multilayer
switches.
 Distribution –
Route between
VLANs/Subnets,
ACLs
 Access –
Provide access
to end devices
and provide port
security.
148
 Multilayer
Switch Inter-
VLAN Routing

 Multilayer switches can perform Layer 2 and Layer 3 functions, replacing the need for
dedicated routers.
 Multilayer switches support dynamic routing and inter-VLAN routing.
 A switch virtual interface (SVI) exists for VLAN 1 by default.
 On a multilayer switch, a logical (layer 3) interface can be configured for any VLAN.
 With a multilayer switch, traffic is routed internal to the switch device.
 This routing process is a suitable and scalable solution.
149
 Configure Router On A Stick: 802.1Q Trunk Link
interface GigabitEthernet 0/0
no shutdown ! Does not show in config
!
interface GigabitEthernet 0/0.2
description VLAN 2
encapsulation dot1Q 2 native
ip address 172.16.1.2 255.255.255.0
!
interface GigabitEthernet 0/0.10
172.16.10.100/ 172.16.20.100/
24 24 description VLAN 10
encapsulation dot1Q 10
ip address 172.16.10.1 255.255.255.0
!
interface GigabitEthernet 1/1 interface GigabitEthernet 0/0.20
switchport mode trunk description VLAN 20
encapsulation dot1Q 20
ip address 172.16.20.1 255.255.255.0
 Router on a stick is very !
interface GigabitEthernet 0/0.30
simple to implement. description VLAN 30
encapsulation dot1Q 30
ip address 172.16.30.1 255.255.255.0
!
interface GigabitEthernet 0/0.40
description VLAN 40
encapsulation dot1Q 40
ip address 172.16.40.1 255.255.255.0 150
Routed Ports versus Switched Virtual Interfaces

 Routed Ports – Just like a router, the port has an IP address/mask that makes it
a member of that subnet.
 SVI – The switch is a member of that IP subnet/VLAN. All switch ports that are a
151
member of that VLAN can communicate with the switch
Multilayer Switch Interfaces
Layer 2: Access or Trunk Ports

Physical Interface
Logical Interface (SVI)

 Performs both Layer 2 switching and interVLAN routing.

 Layer 2 Interface: Access or Trunk ports
 Layer 3 Interface:
 Has an IP address assigned to it.
 The Default Gateway for any hosts connected to that interface or VLAN.
 Physical interface
 Same as a router
 Aka “Routed Port”
 Example: interface gigabit 0/1
 Logical Interface
 Represents an entire VLAN
 Switched Virtual Interface (SVI)
152
 Example: interface vlan 10
 SVI VLAN 10 SVI VLAN 20
192.168.10.1 192.168.20.1
255.255.255.0 255.255.255.0

A B C D

192.168.10.10 192.168.10.11 192.168.20.12 192.168.20.13

255.255.255.0 255.255.255.0 255.255.255.0 255.255.255.0
GW 192.168.10.1 GW 192.168.10.1 GW 192.168.20.1 GW 192.168.20.1
 Layer 3 functionality can also be enabled for an entire VLAN.
 The IP address is assigned to the logical interface – the VLAN.
 This is needed when routing is required between VLANs.
 SVI (Switched Virtual Interface)
 No physical connection
 VLANs must be created before the SVI can be used.
 The IP address associated of the VLAN interface is the default gateway of the 153
workstation.
 SVI VLAN 10 SVI VLAN 20
192.168.10.1 192.168.20.1
255.255.255.0 255.255.255.0

A B C D

192.168.10.10 192.168.10.11 192.168.20.12 192.168.20.13

255.255.255.0 255.255.255.0 255.255.255.0 255.255.255.0
GW 192.168.10.1 GW 192.168.10.1 GW 192.168.20.1 GW 192.168.20.1
<VLANs have been created or will be created when configured on
the interface>
S1(config)# interface range fastethernet 0/1 - 12
S1(config-if-range)# switchport mode access
S1(config-if-range)# switchport access vlan 10
S1(config-if-range)# exit
S1(config)# interface range fastethernet 0/12 - 24
S1(config-if-range)# switchport mode access
S1(config-if-range)# switchport access vlan 20
154
S1(config-if-range)# end
 SVI VLAN 10 SVI VLAN 20
192.168.10.1 192.168.20.1
255.255.255.0 255.255.255.0

A B C D

192.168.10.10 192.168.10.11 192.168.20.12 192.168.20.13

255.255.255.0 255.255.255.0 255.255.255.0 255.255.255.0
GW 192.168.10.1 GW 192.168.10.1 GW 192.168.20.1 GW 192.168.20.1
DLS1(config)# inter vlan 10
DLS1(config-if)# description Engineering VLAN
DLS1(config-if)# ip address 192.168.10.1 255.255.255.0
DLS1(config-if)# no shutdown
DLS1(config)# inter vlan 20
DLS1(config-if)# description IT VLAN
DLS1(config-if)# ip address 192.168.20.1 255.255.255.0
DLS1(config-if)# no shutdown 155
 SVI VLAN 10 SVI VLAN 20
192.168.10.1 192.168.20.1
255.255.255.0 255.255.255.0

A B C D

192.168.10.10 192.168.10.11 192.168.20.12 192.168.20.13

255.255.255.0 255.255.255.0 255.255.255.0 255.255.255.0
GW 192.168.10.1 GW 192.168.10.1 GW 192.168.20.1 GW 192.168.20.1

Alternative Configuration
156
 SVI VLAN 10 SVI VLAN 20
192.168.10.1 192.168.20.1
255.255.255.0 255.255.255.0

Distribution
Layer Switch

Trunk
Access
Layer Switch

A B C D

192.168.10.10 192.168.10.11 192.168.20.12 192.168.20.13

255.255.255.0 255.255.255.0 255.255.255.0 255.255.255.0
GW 192.168.10.1 GW 192.168.10.1 GW 192.168.20.1 GW 192.168.20.1
DLS1(config)# inter gig 0/2
DLS1(config-if)# switchport mode trunk

ALS1(config)# inter fa 0/9 157

ALS1(config-if)# switchport mode trunk
Multilayer Switch Interfaces
Layer 2: Access or Trunk Ports

Physical Interface (L3)

Logical Interface (SVI – L3)

DLS1# show interface gig 0/2 switchport

Name: Gig0/2
Switchport: Enabled
<output omitted>

 Layer 2 or Layer 3 Interface? Is it a “switch” port?

 Default on most Catalyst switches: Layer 2
 Default on Catalyst 6500: Layer 3
 Verify mode:
 Switch# show interface type mod/num switchport
 Switchport: Think Layer 2
 Enabled: Layer 2
 Disabled: Layer 3 158
Multilayer Switch
Interfaces
Is it a “switch” port?

DLS1(config)# interface gig 0/2

DLS1(config-if)# no switchport Converts interface to Layer 3
DLS1(config-if)# end
DLS1# show interface gig 0/2 switchport
Name: Gig0/2
Switchport: Disabled Layer 3
<output omitted>
DLS1# config t
DLS1(config)# interface gig 0/2
DLS1(config-if)# switchport Converts interface to Layer 2
DLS1(config-if)# end
DLS1# show interface gig 0/2 switchport
Name: Gig0/2
Switchport: Enabled Layer 2
<output omitted>
 If in Layer 3 mode switchport interface command puts the port into Layer 159
2 mode.
 SVI Interfaces
- Logical Interfaces X

Switch(config)# vlan vlan-number

Switch(config-vlan)# name vlan-name
SwitchA(config)# interface vlan vlan-number
SwitchA(config-if)# ip address ip-address mask
SwitchA(config-if)# no shutdown

 Layer 3 functionality can also be enabled for an entire VLAN.

 The IP address is assigned to the logical interface – the VLAN.
 This is needed when routing is required between VLANs.
 SVI (Switched Virtual Interface)
 No physical connection
 VLANs must be created before the SVI can be used.
 The IP address associated of the VLAN interface is the default gateway of160
the workstation.
 Creating VLANs
 DLS1: Create and name the user VLANs: 10,
11, 20 and 21.
 DLS1: Create and name a Management VLAN
(used to telnet into switches)
 DLS1: Create and name a NATIVE VLAN other
than VLAN 1 (default)
 DLS1: Create and name a Garbage VLAN
(assigned to all unused ports.)
 All ports that are not used (trunks and
access) will be assigned as an access port
to this VLAN.
DLS1
vlan 2
name NATIVE
vlan 10
name Engineering
vlan 11
name IT
vlan 20
name Sales
vlan 21
name Administration
vlan 99
name ManagementVLAN
vlan 222 161
name GarbageVLAN
 Default Gateway (SVI)
 Configure DLS1 to be the default gateway
for VLANs 10 and 11.
 All hosts on these VLANs will use these
addresses as their default gateway
addresses.

DLS1(config)# inter vlan 99

DLS1(config-if)# description Management VLAN
DLS1(config-if)# ip address 172.16.99.1 255.255.255.0
DLS1(config-if)# no shutdown
DLS1(config)# inter vlan 10
DLS1(config-if)# description Engineering VLAN
DLS1(config-if)# ip address 172.16.10.1 255.255.255.0
DLS1(config-if)# no shutdown
DLS1(config)# inter vlan 11
DLS1(config-if)# description IT VLAN
DLS1(config-if)# ip address 172.16.11.1 255.255.255.0
DLS1(config-if)# no shutdown 164
Default Gateway (SVI)
 Configure DLS2 to be the
default gateway for VLANs 20
and 21.
 All hosts on these VLANs will
use these addresses as their
default gateway addresses.

DLS2(config)# inter vlan 20

DLS2(config-if)# description Sales VLAN
DLS2(config-if)# ip address 172.16.20.1 255.255.255.0
DLS2(config-if)# no shut

DLS2(config)# inter vlan 21

DLS2(config-if)# description Administration VLAN
DLS2(config-if)# ip address 172.16.21.1 255.255.255.0
DLS2(config-if)# no shut

165
Default Gateway (SVI)

172.16.10.10
255.255.255.0 Statically or Dynamically assigned
172.16.10.1

166
Layer 3 Port Configuration
– Physical Interfaces

DLS1(config)# interface gig 0/1

DLS1(config-if)# no switchport
DLS1(config-if)# ip address 192.168.1.1 255.255.255.252

DLS2(config)# interface gig 0/1

DLS2(config-if)# no switchport
DLS2(config-if)# ip address 192.168.1.2 255.255.255.252

 Physical switch ports can operate as Layer 3 interfaces using the

interface command:
Switch(config)# interface type mod/num
Switch(config-if)# no switchport
Switch(config-if)# ip address ip-address mask
167
 G0/0
10.10.10.1/24
G0/0
192.168.1.1/24

10.10.10.100/24
DF 10.10.10.1

168
 interface vlan 10 interface vlan 20
172.16.10.1/24 172.16.20.1/24

interface vlan 11 interface vlan 21

172.16.11.1/24 172.16.21.1/24

Trunk =

169
 Management VLAN (SVI)
 For each device in the network
we configured it to be a member
of the management VLAN.

On each switch

Switch(config)# inter vlan 98

Switch(config-if)# description Management VLAN
Switch(config-if)# ip address 172.16.98.x 255.255.255.0
Switch(config-if)# no shutdown
Switch(config-if)# exit

If you want to reach the management VLAN from other VLANs, assign
this address to one of the multilayer switches (DLS1 and DLS2):
DLS1(config)# ip default-gateway 172.16.98.1 170
 Management VLAN (SVI)
 For each device in the network
we configured it to be a member
of the management VLAN.

On each switch

Switch(config)# inter vlan 99

Switch(config-if)# description Management VLAN
Switch(config-if)# ip address 172.16.99.x 255.255.255.0
Switch(config-if)# no shutdown
Switch(config-if)# exit

If you want to reach the management VLAN from other VLANs, assign
this address to one of the multilayer switches (DLS1 and DLS2):
DLS1(config)# ip default-gateway 172.16.99.1 171
 interface vlan 98
172.16.98.1/24
On each switch

DLS1(config)# inter vlan 98

DLS1(config-if)# ip address 172.16.98.1 255.255.255.0
DLS1(config-if)# no shutdown

ALS10(config)# inter vlan 98

ALS10(config-if)# ip address 172.16.98.10 255.255.255.0
ALS10(config-if)# no shutdown
ALS10(config)# ip default-gateway 172.16.98.1

172
interface vlan 98 interface vlan 99
172.16.98.1/24 172.16.99.1/24
Switched Network Design
 Core –
Route/Switch
packets quickly
across between
distribution
multilayer
switches.
 Distribution –
Route between
VLANs/Subnets,
ACLs
 Access –
Provide access
to end devices
and provide port L3 = Routed Ports, over IP, separate subnets
security.
L2 = SVI, VLANs over Trunks OR individual VLANs
174
 Verifying
 Verify IP addresses

DLS1#show ip inter brief

Interface IP-Address OK? Method Status Protocol

FastEthernet0/1 192.168.4.6 YES manual up up

GigabitEthernet0/1 192.168.1.1 YES manual up up

Vlan10 172.16.10.1 YES manual up up

Vlan11 172.16.11.1 YES manual up up

175
 InterVLAN Routing
External Router
No VLANs

VLAN 1
External Router VLAN 2
VLANs VLAN 3

VLANs 1, 2, 3
Router on a stick
Trunk
VLANs or No VLANs

VLAN 1
VLAN 2
Multilayer Switch VLAN 3

Trunk
Multilayer Switch

176
SDM
Cisco Switch Database Manager (SDM)

 A Catalyst 2960 switch can function as a Layer 3 device and route

between VLANs and a limited number of static routes.
 The Cisco Switch Database Manager (SDM) provides multiple
templates for the 2960 switch.
 The templates can be enabled to support specific roles depending
on how the switch is used in the network.
 For example, the sdm lanbase-routing template can be enabled to
allow the switch to route between VLANs and to support static
routing.
178
 Switch Database Manager Template

 show sdm prefer command applies

the default template
 Default does not support static
routing.
 If IPv6 addressing has been enabled,
the template will be dual-ipv4-and-
ipv6 default.

S1# show sdm prefer

The current template is "default" template.
The selected template optimizes the resources in
the switch to support this level of features for
0 routed interfaces and 255 VLANs.

number of unicast mac addresses: 8K

number of IPv4 IGMP groups: 0.25K
number of IPv4/MAC qos aces: 0.125k
number of IPv4/MAC security aces: 0.375k
  sdm prefer to change the template
SDM Template
 Switch must be reloaded for the new
template to take effect.

S1# configure terminal

Enter configuration commands, one per line. End with CNTL/Z.
S1(config)# sdm prefer ?
default Default bias
dual-ipv4-and-ipv6 Support both IPv4 and IPv6
lanbase-routing Supports both IPv4 and IPv6 Static Routing
qos QoS bias

S1(config)# sdm prefer lanbase-routing

Changes to the running SDM preferences have been stored, but cannot take effect
until the next reload.
Use 'show sdm prefer' to see what SDM preference is currently active.
Switch(config)# do reload

System configuration has been modified. Save? [yes/no]: yes

Building configuration...
[OK]
Proceed with reload? [confirm]

*Mar 20 00:10:24.557: %SYS-5-RELOAD: Reload requested by console. Reload Reason: Reload

command.
 2960 Static Route Support
 lanbase-routing template is active on S1.
 With this template, static routing is supported
for up to 750 static routes.

Switch# show sdm prefer

The current template is "lanbase-routing" template.
The selected template optimizes the resources in
the switch to support this level of features for
0 routed interfaces and 255 VLANs.

number of unicast mac addresses: 4K

number of IPv4 IGMP groups + multicast routes: 0.25K
number of IPv4 unicast routes: 0.75K
number of directly-connected IPv4 hosts: 0.75K
number of indirect IPv4 routes: 16
number of IPv6 multicast groups: 0.375k
number of directly-connected IPv6 addresses: 0.75K
number of indirect IPv6 unicast routes: 16
number of IPv4 policy based routing aces: 0
number of IPv4/MAC qos aces: 0.125k
number of IPv4/MAC security aces: 0.375k
number of IPv6 policy based routing aces: 0
number of IPv6 qos aces: 0.375k
number of IPv6 security aces: 127
  Interface F0/6 on S1 is assigned
Enabling IPv4 Routing to VLAN 2.
 The SVIs for VLANs 1 and 2 are
Functionality on a 2960
also configured with IP
addresses 192.168.1.1/24 and
S1(config)# interface f0/6
S1(config-if)# switchport access vlan 2
192.168.2.1/24, respectively.
S1(config-if)# interface vlan 1
S1(config-if)# ip address 192.168.1.1 255.255.255.0
 IP routing is enabled with the ip
S1(config-if)# interface vlan 2 routing global configuration
S1(config-if)# ip address 192.168.2.1 255.255.255.0
S1(config-if)# no shutdown mode command.
Mar 20 01:00:25.021: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan2, changed state to up
S1(config)# ip routing
S1(config)# do show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
+ - replicated route, % - next hop override

Gateway of last resort is not set

192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks

C 192.168.1.0/24 is directly connected, Vlan1
L 192.168.1.1/32 is directly connected, Vlan1
192.168.2.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.2.0/24 is directly connected, Vlan2
L 192.168.2.1/32 is directly connected, Vlan2
 Router Participating in
Routing with a Switch
 R1 has two IPv4 networks configured:
 Interface G0/1 has IP address 192.168.1.10/24
 loopback interface Lo0 has IP address
209.165.200.225/27

R1# show ip route

Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
+ - replicated route, % - next hop override

Gateway of last resort is not set

192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks

C 192.168.1.0/24 is directly connected, GigabitEthernet0/1
L 192.168.1.10/32 is directly connected, GigabitEthernet0/1
209.165.200.0/24 is variably subnetted, 2 subnets, 2 masks
C 209.165.200.224/27 is directly connected, Loopback0
L 209.165.200.225/32 is directly connected, Loopback0
 Configuring a Static Route on a 2960

 A default route is configured on S1

S1(config)# ip route 0.0.0.0 0.0.0.0 192.168.1.10

S1(config)# do show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
+ - replicated route, % - next hop override

Gateway of last resort is 192.168.1.10 to network 0.0.0.0

S* 0.0.0.0/0 [1/0] via 192.168.1.10

192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.1.0/24 is directly connected, Vlan1
L 192.168.1.1/32 is directly connected, Vlan1
192.168.2.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.2.0/24 is directly connected, Vlan2
L 192.168.2.1/32 is directly connected, Vlan2
Final Routing Table on Router

 A static route to the remote network 192.168.2.0/24

(VLAN 2) is configured on R1

R1(config)# ip route 192.168.2.0 255.255.255.0 g0/1

R1(config)# do show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
+ - replicated route, % - next hop override

Gateway of last resort is not set

192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks

C 192.168.1.0/24 is directly connected, GigabitEthernet0/1
L 192.168.1.10/32 is directly connected, GigabitEthernet0/1
S 192.168.2.0/24 is directly connected, GigabitEthernet0/1
209.165.200.0/24 is variably subnetted, 2 subnets, 2 masks
C 209.165.200.224/27 is directly connected, Loopback0
L 209.165.200.225/32 is directly connected, Loopback0
 Host Connectivity
209.165.200.225/27
 PC-A is configured with IP address 192.168.2.2/24
in VLAN 2
 PC-B is configured with IP address 192.168.1.2/24
in VLAN 1.
 PC-B is able to ping both PC-B and the loopback
interface on R1.

192.168.2.2/24 192.168.1.2/24
VLAN 2 VLAN 1