By default a Cisco switch floods a broadcast out of every port, but only every port in the same VLAN: broadcast traffic is contained within the VLAN it originated in, so each VLAN is a separate broadcast domain. As the figure shows, if the red VLAN sends a broadcast only the ports marked red receive it, and the same holds for the blue ports and the blue VLAN. The white ports that connect the switches together and carry the traffic of all VLANs are known as TRUNK ports. Trunk is the Cisco name; other vendors call them TAGGED ports. So VLANs help us create and manage:
1. Logically separated groups of users
2. Segmented broadcast domains (each VLAN corresponds to, and requires, its own subnet)
3. Subnet correlation
4. Access control
5. Quality of service
Local VLANs
1. Local VLANs do not extend beyond the distribution layer.
2. Local VLAN traffic is routed to other destinations. In the figure the Server Block switch has the servers connected directly to it with their own VLANs, and the user block is built the same way; if a host in a user VLAN wants to reach the Server Block, the traffic has to be routed between the two blocks. The purpose is to keep broadcasts local and not flood them across the whole network.
3. Local VLANs should be created around physical boundaries: an access layer VLAN should stay within the access layer, and a distribution layer VLAN should be restricted to the distribution layer and not extend into the core layer.
In the above output we can see the default VLAN settings as the switch ships from the factory. VLAN 1 is the default VLAN, and all 23 ports are assigned to it by default. VLANs 1002, 1003, 1004 and 1005 are the legacy FDDI and Token Ring default VLANs; their status shows act/unsup because the switch creates them to remain standards compliant even though the vendor no longer supports those media on this hardware. Now we can create our own VLANs. There are two methods: the old one, VLAN database mode entered from privileged mode (vlan database), is not recommended; the new method uses global configuration mode to create the VLAN and is the recommended one.
The new VLAN 100 named IT has been created. The number 100 is the VLAN ID and can be any number in the normal range 2 to 1001 (1 and 1002 to 1005 are the reserved defaults shown above).
NOTE: We do not use the old VLAN database mode because normally we use Ctrl + Z to leave a mode, but in VLAN database mode that key abandons every change made in the session. To leave it and apply the changes, always use the EXIT command.
In the above output we have assigned ports to the VLANs. Before doing so we set the port mode to ACCESS, because by default the ports are in dynamic mode, which means they keep trying to negotiate a trunk with whatever is connected on the other side. A port left in dynamic mode will form a trunk with any device that speaks DTP, so lock host-facing ports to access mode before assigning the VLAN.
The above output shows that the two VLANs, IT and SALES, have had their ports assigned, and now they cannot communicate with each other because they are in completely separate broadcast domains. NOTE: The VLAN definitions are not stored in the running configuration. If we use the show running-config command we will not find our VLAN definitions there; instead the switch stores the VLAN information in flash memory, in a file called vlan.dat. (The port-to-VLAN assignments are still part of the running configuration, and in VTP transparent mode the VLAN definitions appear in the running configuration as well.)
There is a very important point about erasing VLAN configuration from a switch: erasing the startup configuration does not remove the VLANs. The vlan.dat file has to be deleted separately and manually, otherwise the VLANs stay partially in place and VTP keeps propagating them around the network as valid VLAN information.
Then erase the vlan.dat file with the command delete flash:vlan.dat
Even though we have deleted vlan.dat, the VLANs still appear in show vlan; the switch has to be reloaded for the change to take effect.
TRUNKING
Trunking is the process of connecting multiple switches together and allowing them to pass VLAN information between each other. A computer has no idea what VLAN it belongs to; it is the switches we configure, defining which VLAN each port belongs to. When a computer on an access port sends a broadcast, the switch associates the frame with that port's VLAN (conceptually it tags it), but the tag is stripped before the frame is sent out of another access port, so the receiving computer sees a normal frame. Across a trunk, however, the tag is kept: the frame carries its tag from one trunk port to the next, and the tag is only removed when the frame is finally sent out of an access port to a computer.
NOTE: TRUNKING is the Cisco term; other vendors call it a TAGGED port. It is entirely a Layer 2 feature and works at the data link layer.
1. Trunking (aka tagging) passes multi-VLAN information between switches
2. Places VLAN information into each frame
3. Layer 2 feature
ISL
Cisco proprietary (only works between Cisco switches). The difference between 802.1Q and ISL is that ISL encapsulates the entire frame before it leaves the trunk: when a Cisco switch receives a frame from a VLAN, before sending it out of the trunk it adds a new header in front of the frame and a new trailer (CRC) after it. This method has been phased out and is no longer used on Cisco switches.
802.1Q
Open / industry standard. It inserts a 4-byte tag into the frame (right after the source MAC address) rather than encapsulating the frame, recalculates the CRC (the FCS) and then sends the frame out on the trunk.
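As an added example (not from the original notes), the following Python shows the 802.1Q mechanics described above: it builds a plain Ethernet frame, inserts the 4-byte tag (TPID 0x8100 plus the TCI holding priority, DEI and VLAN ID) after the source MAC as a trunk port would, recomputes the FCS, and strips the tag again as the far switch does before delivering the frame to an access port. The MAC addresses, EtherType and payload are constructed sample values; the contrast with ISL is that nothing is wrapped around the frame, it only grows by four bytes.

```python
import struct
import zlib

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q tag


def fcs(body: bytes) -> bytes:
    """Ethernet FCS: CRC-32 over everything from DA to the end of the payload,
    transmitted least-significant byte first."""
    return struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)


def fcs_ok(frame: bytes) -> bool:
    """True when the trailing 4 bytes match the CRC of the rest of the frame."""
    return len(frame) > 4 and fcs(frame[:-4]) == frame[-4:]


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    """Untagged Ethernet II frame: DA, SA, EtherType, payload, FCS."""
    body = dst + src + struct.pack("!H", ethertype) + payload
    return body + fcs(body)


def add_8021q_tag(frame: bytes, vid: int, pcp: int = 0, dei: int = 0) -> bytes:
    """Trunk egress: insert TPID + TCI between SA and EtherType, then recompute the FCS.
    The frame is not encapsulated (unlike ISL); it only grows by 4 bytes."""
    if not fcs_ok(frame):
        raise ValueError("bad FCS on ingress frame")
    if not 1 <= vid <= 4094:
        raise ValueError("VID must be 1..4094")
    tci = ((pcp & 0x7) << 13) | ((dei & 0x1) << 12) | vid
    tag = struct.pack("!HH", TPID_8021Q, tci)
    body = frame[:-4]
    tagged = body[:12] + tag + body[12:]
    return tagged + fcs(tagged)


def strip_8021q_tag(frame: bytes):
    """Access egress: remove the tag, recompute the FCS and report VID/PCP/DEI.
    Returns (vid, pcp, dei, untagged_frame)."""
    if not fcs_ok(frame):
        raise ValueError("bad FCS on ingress frame")
    body = frame[:-4]
    if struct.unpack("!H", body[12:14])[0] != TPID_8021Q:
        raise ValueError("frame is not 802.1Q tagged")
    tci = struct.unpack("!H", body[14:16])[0]
    untagged = body[:12] + body[16:]
    return tci & 0x0FFF, tci >> 13, (tci >> 12) & 1, untagged + fcs(untagged)


# Constructed sample: a broadcast ARP frame from a host that sits in VLAN 100.
SAMPLE = build_frame(bytes.fromhex("ffffffffffff"),
                     bytes.fromhex("001122334455"),
                     0x0806, b"constructed ARP payload")

if __name__ == "__main__":
    tagged = add_8021q_tag(SAMPLE, vid=100, pcp=5)
    print(len(SAMPLE), "->", len(tagged), "bytes; tag =", tagged[12:16].hex())
    print(strip_8021q_tag(tagged)[:3])
```

Both directions verify the FCS before touching the frame, which is what makes the recalculation visible: the tagged frame carries a different FCS than the original, and stripping the tag restores the original frame byte for byte.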
The native VLAN messages seen in the figure arise from the topology above: two trunk ports connected to each other through a hub, where the hub also has some devices attached to it directly. The computers attached to the hub send frames to the hub, and the trunk ports on both switches receive those frames too. A trunk link is supposed to carry only tagged frames, so what should a trunk port do with an untagged frame it receives? That is what the native VLAN is for. It is a per-trunk setting on the switch that says: any untagged frame received on this trunk is assigned automatically to this VLAN (whichever VLAN is created for the purpose; VLAN 1 by default). Frames belonging to the native VLAN are likewise sent out of the trunk untagged.
When we connect two switches together with mismatched native VLANs (one trunk using VLAN 10 and the other VLAN 1), we start receiving the message that a native VLAN mismatch has been detected on these ports (the warning is generated by CDP). It is more than a cosmetic warning: a frame sent untagged from the VLAN 10 side is assigned to VLAN 1 on the other side, so traffic leaks between the two VLANs. Since we are not using this topology and are not putting a hub between our switches, we will not use the concept in its original form, but the native VLAN idea is used in a similar way for VoIP.
This is a very common scenario: an IP phone is connected to a switch port, and the computer is connected to the switch port built into the phone, so both share a single cable run to the switch rather than having a separate drop each. In common practice the phone and the computer are never placed in the same VLAN, because a heavy file transfer or other data traffic on that Ethernet segment could degrade the phone's service, and it is a security issue as well. Because both devices hang off one switch port, it would normally be impossible to put them in separate VLANs. To do it we run a small version of a trunk from the switch to the phone: the phone understands tags and sends tagged frames, while the computer sends untagged frames. The trunk port therefore also receives untagged frames, and this is where the native VLAN concept is reused: when the switch's trunk port receives the untagged frames, the native VLAN configured on it places them in the computer's VLAN.
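The forwarding rules described in the trunking and native VLAN paragraphs above, as an added example that is not part of the original notes: a minimal switch model that floods a broadcast only within its VLAN, strips the tag on access ports, keeps it on trunks except for the native VLAN, and assigns untagged frames arriving on a trunk to that trunk's native VLAN. The two demo functions use constructed topologies (port names, VLAN numbers and MAC strings are made up) to show the native VLAN mismatch leaking a VLAN 10 broadcast into VLAN 1, and the phone-plus-PC port where tagged and untagged frames land in different VLANs.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Port:
    name: str
    mode: str                  # "access" or "trunk"
    vlan: int = 1              # access VLAN; used only when mode == "access"
    native_vlan: int = 1       # trunk only: VLAN given to untagged frames (IOS default 1)


@dataclass(frozen=True)
class Frame:
    src: str
    dst: str = "ff:ff:ff:ff:ff:ff"
    vid: Optional[int] = None  # None means the frame carries no 802.1Q tag


class Switch:
    """Minimal Layer 2 switch: one broadcast domain per VLAN."""

    def __init__(self, ports: List[Port]):
        self.ports = {p.name: p for p in ports}

    def ingress_vlan(self, port: Port, frame: Frame) -> int:
        """Decide which VLAN an arriving frame belongs to."""
        if port.mode == "access":
            return port.vlan            # model simplification: tags are ignored here
        if frame.vid is None:
            return port.native_vlan     # untagged on a trunk -> native VLAN
        return frame.vid

    def flood(self, in_port: str, frame: Frame) -> Dict[str, Frame]:
        """Broadcast handling: copy the frame to every other port in its VLAN,
        untagged on access ports and on the trunk's native VLAN, tagged otherwise."""
        vid = self.ingress_vlan(self.ports[in_port], frame)
        out: Dict[str, Frame] = {}
        for p in self.ports.values():
            if p.name == in_port:
                continue
            if p.mode == "access":
                if p.vlan == vid:
                    out[p.name] = Frame(frame.src, frame.dst, None)
            else:
                tag = None if vid == p.native_vlan else vid
                out[p.name] = Frame(frame.src, frame.dst, tag)
        return out


def native_vlan_mismatch_demo():
    """Constructed topology: SW-A Gi0/1 (native 10) trunked to SW-B Gi0/1 (native 1).
    Returns the tag seen on the wire and the ports SW-B delivers the frame to."""
    sw_a = Switch([Port("Fa0/1", "access", vlan=10),
                   Port("Gi0/1", "trunk", native_vlan=10)])
    sw_b = Switch([Port("Gi0/1", "trunk", native_vlan=1),
                   Port("Fa0/1", "access", vlan=1),
                   Port("Fa0/2", "access", vlan=10)])
    on_wire = sw_a.flood("Fa0/1", Frame("aa:aa:aa:aa:aa:01"))["Gi0/1"]
    delivered = sw_b.flood("Gi0/1", on_wire)
    return on_wire.vid, sorted(delivered)


def voice_vlan_demo():
    """Constructed phone-plus-PC port: Fa0/5 is the small trunk to the phone with the
    data VLAN (20) as native; the phone tags its own traffic with the voice VLAN (30)."""
    sw = Switch([Port("Fa0/5", "trunk", native_vlan=20),
                 Port("Fa0/6", "access", vlan=20),
                 Port("Fa0/7", "access", vlan=30)])
    from_pc = sw.flood("Fa0/5", Frame("pc", vid=None))
    from_phone = sw.flood("Fa0/5", Frame("phone", vid=30))
    return sorted(from_pc), sorted(from_phone)


if __name__ == "__main__":
    print("native mismatch:", native_vlan_mismatch_demo())  # (None, ['Fa0/1'])
    print("voice port:", voice_vlan_demo())                 # (['Fa0/6'], ['Fa0/7'])
```

The mismatch demo is the practical reason to keep native VLANs identical on both ends of every trunk (or to tag the native VLAN as well): the VLAN 10 host's broadcast leaves SW-A untagged, and SW-B, having no tag to go on, delivers it to its own VLAN 1 port rather than to the VLAN 10 port.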
TRUNKING PROTOCOL
The switches use a protocol to auto-negotiate trunk links called Dynamic Trunking Protocol (DTP). There are five different switch port modes related to trunking:
1. Access
2. Trunk
3. Dynamic Auto
4. Dynamic Desirable
5. Nonegotiate
Access Mode
If a port is configured in access mode, whatever device is connected to it is treated as an access layer device and can reach only a single VLAN: whatever VLAN is assigned to the port (VLAN 50 in the example), the attached device is in it. If the computer on that port is replaced with a switch, every port on that switch becomes part of VLAN 50 as well.
Dynamic Desirable
According to these notes every fresh Cisco switch port is in this mode by default: the port is neither a trunk nor an access port but negotiates whichever mode matches what is plugged into the other side. It becomes an ACCESS port when attached to a PC and a TRUNK port when attached to another switch. Note that on many newer platforms (the 2960 and 3560 families, for example) the factory default is dynamic auto instead, so check rather than assume. How to check the mode of the port: show interfaces switchport.
Dynamic Auto
It will also change between access and trunk, but it differs from dynamic desirable in that it does not send DTP packets asking the other side to make it a trunk. If both ends of the link are set to auto, the ports stay access ports; if one end is auto and the other is dynamic desirable, the desirable end sends DTP packets and the auto end then becomes a trunk port.
Trunk
Trunk mode only ever serves as a trunk port. It still sends DTP packets out, but it can never become an access port.
Nonegotiate
The port is a trunk but does not send DTP packets. We use it when we already know where the other trunk ports on the other switch are, so we do not waste DTP packets discovering them. This is the preferred method. If a computer is attached to such a port, the switch sends no DTP packets to it, and since DTP is disabled nothing on the far side can negotiate the port's mode, which is why it is also the secure choice. The same reasoning applies to host ports: set them statically to access mode so that no connected device can talk DTP into forming a trunk.
Here we can leave the port in its default mode after setting the trunk encapsulation, because the default mode is dynamic desirable: when we set the other end's port as TRUNK, that port sends out DTP packets and this port automatically moves to trunk mode.
Here we can see that after the port was set as TRUNK it sent out DTP packets and started negotiating with the remote port so that it becomes a trunk port as well.
If we use nonegotiate mode, the port will not send DTP packets, so if the other side is set to dynamic auto it will never be negotiated into a trunk port; the link ends up as a trunk on one side and an access port on the other.
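The DTP outcomes described in the mode descriptions above, as an added example that is not part of the original notes: a small Python model of what each end of a link settles on given the two configured modes. The mode names are the five from the list above; the extra value "host" stands for a device that does not speak DTP at all and is an assumption of this model, as is the rule that access and nonegotiate are static.

```python
# Operational trunk state each end settles on, following the DTP behaviour above.
MODES = ("access", "trunk", "dynamic auto", "dynamic desirable", "nonegotiate")


def sends_dtp(mode: str) -> bool:
    """Ends that actively advertise 'make this a trunk' via DTP."""
    return mode in ("trunk", "dynamic desirable")


def operational_state(local: str, remote: str) -> str:
    """What the local port becomes given the far end's configured mode.
    'remote' may also be "host" for a device that does not speak DTP (model assumption)."""
    if local not in MODES:
        raise ValueError(local)
    if remote not in MODES and remote != "host":
        raise ValueError(remote)
    if local == "access":
        return "access"
    if local in ("trunk", "nonegotiate"):
        return "trunk"                      # static: never falls back to access
    if sends_dtp(remote):
        return "trunk"                      # far end asks to trunk; auto/desirable agree
    if local == "dynamic desirable" and remote == "dynamic auto":
        return "trunk"                      # we ask, auto agrees
    return "access"                         # nobody asked: auto+auto, host, nonegotiate, access


def negotiate(a: str, b: str):
    """(state of end a, state of end b) for a switch-to-switch link."""
    return operational_state(a, b), operational_state(b, a)


def is_consistent(a: str, b: str) -> bool:
    """False when one end trunks and the other does not (limited connectivity)."""
    x, y = negotiate(a, b)
    return x == y


def matrix():
    """Full 5x5 table, useful when auditing switch-to-switch links."""
    return {(a, b): negotiate(a, b) for a in MODES for b in MODES}


if __name__ == "__main__":
    for (a, b), (x, y) in sorted(matrix().items()):
        flag = "" if x == y else "  <- mismatch"
        print(f"{a:18} {b:18} -> {x:6} / {y:6}{flag}")
    # A dynamic port stays access for a plain host but trunks with anything that talks DTP:
    print(operational_state("dynamic desirable", "host"),
          operational_state("dynamic desirable", "dynamic desirable"))
```

The last two lines of the main block are the security point: a port left in either dynamic mode looks like an access port until something on the other end sends DTP, at which point it becomes a trunk carrying every allowed VLAN.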
We can set any VLAN number as the native VLAN if we want untagged traffic received by this port placed in a specific VLAN (switchport trunk native vlan).
With ALLOWED we specify which VLANs are permitted on the trunk: ALL allows every VLAN, EXCEPT allows every VLAN but the listed ones, NONE allows no VLANs at all, and a plain list allows only the VLANs given; ADD and REMOVE adjust the current list. Pruning unneeded VLANs from each trunk limits how far a broadcast, or an attacker who has reached a trunk, can travel. How to verify: show interfaces trunk.
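The allowed VLAN list keywords described above, as an added example that is not part of the original notes: a Python parser for the argument of switchport trunk allowed vlan that applies ALL, NONE, EXCEPT, ADD, REMOVE and a bare list to the trunk's current set, plus a formatter that prints the resulting set in the compact range form that show interfaces trunk uses. The command sequence in the main block is constructed; the IOS keywords themselves are the real ones.

```python
ALL_VLANS = frozenset(range(1, 4095))   # valid 802.1Q VIDs 1..4094


def parse_vlan_list(spec: str) -> frozenset:
    """Parse an IOS style list such as '10,20-30,100' into a set of VIDs."""
    vids = set()
    for part in spec.replace(" ", "").split(","):
        if not part:
            continue
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
        else:
            lo = hi = int(part)
        if not 1 <= lo <= hi <= 4094:
            raise ValueError(f"invalid VLAN range: {part}")
        vids.update(range(lo, hi + 1))
    return frozenset(vids)


def apply_allowed(current: frozenset, argument: str) -> frozenset:
    """Apply the argument of one 'switchport trunk allowed vlan ...' command
    to the trunk's current allowed set and return the new set."""
    words = argument.strip().split(None, 1)
    if not words:
        raise ValueError("empty allowed-vlan argument")
    keyword = words[0].lower()
    rest = words[1] if len(words) > 1 else ""
    if keyword == "all":
        return ALL_VLANS
    if keyword == "none":
        return frozenset()
    if keyword == "except":
        return ALL_VLANS - parse_vlan_list(rest)
    if keyword == "add":
        return current | parse_vlan_list(rest)
    if keyword == "remove":
        return current - parse_vlan_list(rest)
    return parse_vlan_list(argument)        # a bare list replaces the whole set


def allowed_after(commands) -> frozenset:
    """Replay a sequence of allowed-vlan arguments starting from the default (all)."""
    allowed = ALL_VLANS
    for cmd in commands:
        allowed = apply_allowed(allowed, cmd)
    return allowed


def compress(vids) -> str:
    """Render a set of VIDs the way 'show interfaces trunk' prints them: '100,300-302'."""
    chunks = []
    run = []
    for v in sorted(vids):
        if run and v == run[-1] + 1:
            run.append(v)
            continue
        if run:
            chunks.append(f"{run[0]}-{run[-1]}" if len(run) > 1 else str(run[0]))
        run = [v]
    if run:
        chunks.append(f"{run[0]}-{run[-1]}" if len(run) > 1 else str(run[0]))
    return ",".join(chunks)


if __name__ == "__main__":
    constructed = ["100,200", "add 300-302", "remove 200"]
    allowed = allowed_after(constructed)
    print(compress(allowed))                   # 100,300-302
    print(1 in allowed)                        # False: VLAN 1 is pruned from this trunk
    print(compress(apply_allowed(ALL_VLANS, "except 1,1002-1005")))
```

Replaying the commands in order matters: a bare list replaces everything configured before it, while ADD and REMOVE edit the list in place, which is the difference that catches people when a later command silently re-admits VLANs that an earlier one had pruned.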