-
User Guide for Campus Manager 4.0
-
Preface
-
About Campus Manager
-
Campus Manager 4.0 Changes and Enhancements
-
Getting Started With Campus Manager
-
Administering Campus Manager
-
CiscoWorks Common Services Integration
-
User Tracking
-
Discrepancy Reporting
-
Topology Services
-
VLAN and VTP Management
-
Managing Network Spanning Trees
-
Support for Internet Protocol v6
-
ATM Management
-
Path Analysis Using Campus Manager
-
Data Extraction Engine
-
Index
-
Table Of Contents
Understanding Virtual LAN (VLAN)
Simplification of Adds, Moves, and Changes
Workgroup and Network Security
Interpreting VLAN Summary Information
Creating Secondary VLAN and Associating to Primary VLAN
Associating Ports to Secondary VLAN
Understanding Inter-VLAN Routing
Configuring Inter-VLAN Routing on RSM, MSFC, L2/L3 Devices
Configuring Inter-VLAN Routing on External Routers
Understanding VLAN Trunking Protocol Version 3
Support for VTP Version 3 in Campus
Using VLAN Trunking Protocol (VTP)
Dynamic Trunking Protocol (DTP)
Understanding VLAN Port Assignment
Navigating in VLAN Port Assignment
Displaying All Ports in Specified VTP Domains
Querying Ports in Specified VTP Domains
Displaying Ports in Unspecified VTP Domains
Finding Entries in VLAN Ports Summary Table
Extending VLANs Across VTP Domains
Displaying Topology Views and Attribute Summaries
Displaying Attribute Summaries
VLAN Port Assignment Command Shortcuts
Usage Scenarios for Managing VLANs
Configuring PVLANs in External Demilitarized Zone
Managing VLANs and VTP
To ensure that the ANI Server successfully performs Data Collection in your network, you must set up your network properly. Campus uses ANI Server to discover devices data so that you can configure and manage virtual LANs (VLANs) in your network.
•
Understanding Virtual LAN (VLAN)
•
•
•
Understanding Virtual LAN (VLAN)
A Virtual Local Area Network (VLAN) allows you to create logical broadcast domains that can span across a single switch or multiple switches, regardless of physical positioning. A VLAN would contain a group of devices on one or more LANs.
These devices are configured in such a way that they can communicate as if they were all on the same network segment. VLANs are based on logical connections instead of physical connections, and hence they are extremely flexible.
VLAN allows you to group ports on a switch to limit unicast, multicast, and broadcast traffic flooding. Flooded traffic originating from a particular VLAN is only flooded out to other ports belonging to that VLAN.
This is useful for reducing the size of broadcast domains, or allowing groups or users to be logically grouped without being physically located in the same place.
The following topics are covered in this chapter:
Advantages of VLANs
VLANs provide the following advantages:
•
•
•
Simplification of Adds, Moves, and Changes
Adds, moves, and changes are some of the greatest expenses in managing a network. Many moves require re-cabling and almost all moves require new station addressing and hub and router re-configuration.
VLANs simplify adds, moves, and changes. VLAN users can share the same network address space regardless of their location.
If a group of VLAN users move but remain in the same VLAN connected to a switch port, their network addresses do not change.
If a user moves from one location to another but stays in the same VLAN, the router configuration does not need to be modified.
Controlled Broadcast Activity
Broadcast traffic occurs in every network. Broadcasts can seriously degrade network performance or even bring down an entire network, if the network is not properly managed.
Broadcast traffic in one VLAN is not transmitted outside that VLAN. This substantially reduces overall broadcast traffic, frees bandwidth for real user traffic, and lowers the vulnerability of the network to broadcast storms.
You can control the size of broadcast domains by regulating the size of their associated VLANs and by restricting both the number of switch ports in a VLAN and the number of people using the ports.
You can also assign VLANs based on the application type and the amount of application broadcasts. You can place users sharing a broadcast-intensive application in the same VLAN group and distribute the application across the network.
Workgroup and Network Security
You can use VLANs to provide security Firewalls, restrict individual user access, flag any unwanted network intrusion, and control the size and composition of the broadcast domain.
You can perform the following:
•
•
•
VLAN Components
The VLAN components are:
•
Switches are the entry point for end-station devices into the switched domain and provide the intelligence to group users, ports, or logical addresses into common communities of interest. LAN switches also increase performance and dedicated bandwidth across the network.
You can group ports and users into communities using a single switch or connected switches. By grouping ports and users across multiple switches, VLANs can span single-building infrastructures, interconnected buildings, or campus networks.
Each switch can make filtering and forwarding decisions by packet and communicate this information to other switches and routers within the network.
•
Routers provide policy-based control, broadcast management, and route processing and distribution. They also provide the communication between VLANs and VLAN access to shared resources such as servers and hosts.
Routers connect to other parts of the network that are either logically segmented into subnets or require access to remote sites across wide area links.
•
The VLAN transport enables information exchange between interconnected switches and routers on the corporate backbone. The backbone acts as the aggregation point for large volume of traffic.
It also carries end-user VLAN information and identification between switches, routers, and directly attached servers. Within the backbone, high-capacity links with high-bandwidth carry the traffic throughout the enterprise.
Types of VLANs Supported
Topology Services supports four types of VLANs:
Using Virtual LANs
You can use Campus to create, modify, and delete VLANs. This topic contains the following:
Creating VLANs
You can use Topology Services to create Ethernet VLANs (which is the typical VLAN design), or you can create Token Ring VLANs. This topic contains the following:
Ethernet VLANs
An Ethernet VLAN is the typical VLAN design. This consists of a logical group of end-stations, independent of physical location on an Ethernet network. Catalyst switches support a port-centric or static VLAN configuration. All end stations that are connected to ports belonging to the same VLAN, are assigned to the same Ethernet VLAN.
Creating Ethernet VLANs
Before you create Ethernet VLANs, you must create a VTP domain in your network.
Your login determines whether you can use this option.
To create Ethernet VLANs in your network:
Step 1
Step 2
Step 3
See Table 9-1, Creating Ethernet VLANs Field Descriptions table for details.
Step 4
Token Ring VLANs
A Token Ring VLAN is a set of rings interconnected through a bridging function. There are two Token Ring VLAN types defined in VTP version 2:
Token Ring Bridge Relay Function (trBRF)—Domain of interconnected rings formed, using an internal multiport bridge function.
Token Ring Concentrator Relay Function (trCRF)—Logical ring domains formed by defining groups of ports that have the same ring number.
You can create Token Ring Bridge Relay Function (trBRF) VLANs and Token Ring Concentrator Relay Function (trCRF) VLANs. Multiple trCRFs can be interconnected using a single trBRF.
A trBRF VLAN is a domain of interconnected rings formed using an internal multiport bridge function. A trCRF VLAN is a logical ring domain formed by defining groups of ports that have the same ring number.
Understanding trBRF VLANs
A Token Ring Bridge Relay Function (trBRF) is a logical grouping of trCRFs. The trBRF is used to join different trCRFs. In addition, the trBRF can be extended across a network of switches through high-speed uplinks between the switches to join trCRFs contained in different switches.
A trBRF has two global parameters: a bridge number and a bridge type. The bridge number is used to identify the logical distributed source-route bridge (SRB), which interconnects all logical rings that have the same parent trBRF.
Creating trBRF VLANs
To create Token Ring Bridge Relay Function (trBRF) VLANs in your network.
Step 1
Step 2
See Table 9-2 for details.
Step 3
Understanding trCRF VLANs
A Token Ring Concentrator Relay Function (trCRF) is a logical grouping of ports. Each trCRF is contained in only one trBRF, which is referred to as its parent. When a port is assigned to the trCRF, only ports on that switch can belong to that trCRF.
As a rule, a trCRF cannot span different switches; this type of trCRF is called an undistributed trCRF.
However, if your switches are connected through Inter-Switch Link (ISL), the Cisco Duplicate Ring Protocol (DRiP) allows two types of trCRFs in which the ports of a single trCRF can be on different switches.
These types of trCRFs are the default and the backup trCRF:
•
The default trCRF can contain ports that are located on multiple switches. The default trCRF is associated with the default trBRF, which can span switches through ISL.
Since the default trCRF is the only trCRF that can be associated with the default trBRF, the default trBRF does not perform any bridging functions, but uses source-route switching to forward traffic between the ports of the default trCRF.
•
The backup trCRF allows you to configure an alternate route for traffic between undistributed trCRFs located on separate switches that are connected by a trBRF. The backup trCRF is only used if the ISL connection between the switches becomes inactive.
Creating trCRF VLANs
You must configure a Token Ring Bridge Relay Function (trBRF) VLAN before creating the trCRFs that you want associated with the trBRF.
To create Token Ring Concentrator Relay Function (trCRF) VLANs in your network:
Step 1
Step 2
For more information, see Table 9-3.
Step 3
The LANE Services option is active.
To configure LANE in your network, click LANE Services.
For assistance configuring LANE services, see Managing LANE Services.
Step 4
Your changes are saved and the window closes.
Modifying VLANs
You can modify most of the VLAN characteristics that were entered when you created the VLAN, such as purpose, description, and LANE services.
You can perform these:
Modifying Ethernet VLANs
Your login determines whether you can use this option. To modify characteristics for an Ethernet VLAN:
Step 1
Step 2
Step 3
•
•
•
Step 4
Your changes are saved and the window closes.
Modifying trBRF VLANs
Your login determines whether you can use this option. To modify characteristics for a trBRF VLAN.
Step 1
Step 2
Step 3
•
•
•
Step 4
Your changes are saved and the window closes.
Modifying trCRF VLANs
Your login determines whether you can use this option. To modify characteristics for a trCRF VLAN.
Step 1
Step 2
Step 3
•
•
•
•
•
•
•
•
Step 4
Your changes are saved and the window closes.
Deleting VLANs
You can delete VLANs in your network. If you delete a VLAN with active ports, it disables the active ports in that VLAN.
You can use VLAN Port Assignment application to move any port to another VLAN.
You can delete a token ring Bridge Relay Function (trBRF) only if all token ring Concentrator Relay Functions (trCRFs) within it have been deleted, or if they do not contain any ports.
Deleting a VLAN with an associated ATM-VLAN does not delete the ATM-VLAN. The ATM-VLAN remains intact and appears in the Standalone ATM-VLANs folder for the ATM domain to which it belongs.
Your login determines whether you can use this option.
To delete a VLAN:
Step 1
Step 2
Step 3
The domain window appears with a message:
The selected VLAN will be deleted if no ports are associated with this VLAN. Do you want to continue?Step 4
Step 5
Interpreting VLAN Summary Information
You can display summary information about the VLANs in your network.
Step 1
See Table 9-4 to interpret this information.
Displaying VLAN Reports
Campus Manager allows you to generate VLAN reports for devices, switch clouds, or VTP domains.
Step 1
Step 2
This view is in the Tree View in the Topology Services Main Window.
Step 3
or
Right-click the VTP Domain or the device, and select Display View.
The Network Topology window appears.
Step 4
Step 5
or
Select Reports > VLAN Report.
The VLAN Report window appears.
Interpreting VLAN Reports
See Table 9-5 to interpret the fields in VLAN Report.
Understanding Private VLAN
A Private VLAN (PVLAN) is a VLAN that isolates devices at Layer 2 (L2), from other ports within the same broadcast domain or subnet. PVLAN segregates traffic at L2 and converts a broadcast segment into a non-broadcast multi-access segment.
PVLANs can stop L2 connectivity between end stations on a switch without distributing them into different IP subnets, thus preventing wastage of IP addresses.
You can also assign a specific set of ports within a PVLAN, and thus control the connectivity among them. You can configure PVLANs and normal VLANs on the same switch.
This topic contains:
Types of Private VLAN Ports
The ports in a private VLAN are categorized as:
Promiscuous Ports
Promiscuous port communicates with all other interfaces and ports within a PVLAN. Such ports are used to communicate with external routers, local directories, network management devices, backup servers, administrative workstations, and the like.
Ports to the routing module in some switches are promiscuous in nature (for example, MSFC).
PVLAN Host Ports
A PVLAN host port is a port connected to a server or an end host that requires Layer 2 (L2) isolation. A host port exists in the PortFast mode and the BPDU Guard feature is enabled on these ports. These ports can be further classified into:
This depends on the secondary VLAN to which the ports belong.
Isolated Ports
Isolated ports are completely isolated in L2, from other ports in the same PVLAN. These ports cannot receive the broadcasts from other ports within the same PVLAN, but receive broadcasts from promiscuous ports.
Privacy for the VLAN is ensured at L2 level by blocking the traffic to all isolated ports, except the promiscuous ports. Broadcasts from an isolated port is always forwarded to all promiscuous ports.
Community Ports
Community ports communicate among themselves and with their promiscuous ports. These ports are isolated at L2 from all other ports in other communities, or isolated ports within their private VLAN. Broadcasts propagate only between associated community ports and the promiscuous port.
PVLAN Trunk Ports
Private VLAN Trunk Ports are similar to Host Ports, which can carry multiple VLANs. A trunk port carries the primary VLAN and the secondary VLANs to the neighboring switch. The trunk port is unaware of PVLAN and will carry PVLAN traffic without any special action.
Using Private VLAN
A Private VLAN has four distinct parts:
•
Manages the incoming traffic from the promiscuous port to isolated, community, two-way community ports, and all other promiscuous ports, in the same primary VLAN.
•
Isolated ports use this VLAN to communicate to the promiscuous ports. The traffic from an isolated port is blocked from reaching all adjacent ports within its private VLAN, except for its promiscuous ports.
•
A group of community ports use this unidirectional VLAN to communicate among themselves and to manage the outgoing traffic through the designated promiscuous ports from the private VLAN.
•
A group of community ports use this VLAN to communicate among themselves. This bidirectional VLAN manages the incoming and outgoing traffic for community ports and Multilayer Switch Feature Cards (MSFC).
Isolated and community VLANs are called secondary VLANs.
While creating private VLANs, you:
•
•
Campus Manager 4.0 enables you to:
•
•
•
•
•
Creating PVLAN
To create a Private VLAN, you must designate one VLAN as primary and another as either isolated, community, or two-way community VLAN. Then, you can assign additional VLANs as secondary VLANs.
After creating primary and secondary VLANs you must associate the secondary VLANs to the respective primary VLANs.
Hence, for creating a private VLAN you must:
•
•
•
•
•
Creating Primary VLAN
To create Primary VLANs:
Step 1
Step 2
Step 3
A Create Private VLAN window appears.
Step 4
•
•
•
•
VTP Domain field displays the domain you have chosen.
Step 5
You may select the Private VLAN Index, if you want to.
Step 6
•
•
The check box for creating private VLANs on all transparent switches, is enabled only when the VLAN contains a device in transparent mode.
Step 7
Note
Creating Secondary VLAN and Associating to Primary VLAN
After creating a primary VLAN, you can create secondary VLANs. Once you create a secondary VLAN, you must associate that to a primary VLAN.
To do this:
Step 1
Step 2
This view is in the Tree View in the Topology Services Main Window.
Step 3
A Create Private VLAN window appears.
Step 4
•
•
•
•
Step 5
You can associate a secondary VLAN that you have created to a primary VLAN.
VTP Domain field displays the domain you have chosen.
You may enter the Private VLAN Name that you want to assign.
Step 6
Step 7
•
•
The check box for creating private VLANs on all transparent switches, is enabled only when the VLAN contains a device in transparent mode.
Step 8
Associating Ports to Secondary VLAN
You must associate ports to the secondary VLAN that you have created. You can assign ports to a secondary VLAN as you assign for normal VLANs. For assigning ports to VLANs, see "Assigning Ports to VLANs" section.
Configuring Promiscuous Ports
You must associate the promiscuous ports to the PVLANs you have created, to receive traffic from outside the PVLAN.
You can configure only the ports on which trunking is not enabled.
To configure Promiscuous Port:
Step 1
Or
From Topology Services main window, select the device, which has the ports you require and select Tools > VLAN Port Assignment.
The VLAN Port Assignment window appears.
Step 2
Step 3
•
Or
•
The table below provides a list of ports and the details of the port.
Step 4
Step 5
The Configure Promiscuous Port window appears. The table displaying Port details displays:
•
•
•
•
Step 6
Step 7
The configured port details appear in the Mapped VLANs table.
Step 8
Deleting PVLAN
To delete PVLAN:
Step 1
Step 2
Step 3
Step 4
A VTP Domain Name: Delete Private VLAN Name appears.
Step 5
•
•
The check box for creating private VLANs on all transparent switches, is enabled only when the VLAN contains a device in transparent mode.
Step 6
Understanding Inter-VLAN Routing
Inter-VLAN Routing enables to route the traffic between different VLANs. This feature is required when an end station wants to communicate with another end station in a different VLAN. Devices within a VLAN can communicate with one another without the help of a router.
On the contrary, devices in separate VLANs require a routing device to communicate with one another. Network devices in different VLANs cannot communicate with one another without a router to route the traffic between the VLANs.
In most of the network environments, VLANs will be associated with individual networks or subnetworks. In a switched network, VLANs segregate devices into different collision domains and Layer 3 (L3) subnets.
Configuring VLANs for inter-VLAN routing helps to control the size of the broadcast domain and to keep local traffic local. You can configure one or more routers to route traffic in the network.
Layer 2 switches require a L3 routing device (either external to the switch or in another module on the same chassis).
The new L3 Switches accommodate routing capabilities. The router or the switch receives a packet, determines the VLAN to which it belongs, and sends the packet to the appropriate port on the other VLAN.
Using Inter-VLAN Routing
Configuring Inter-VLAN Routing
Campus Manager 4.0 supports Inter-VLAN Routing configuration on devices like MSFC, RSM, and external routers with IPv4.
Prerequisite for configuring Inter-VLAN Routing through Campus Manager 4.0
Resource Manager Essentials 4.0 (RME 4.0) is a prerequisite for configuring Inter-VLAN Routing using Campus Manager 4.0. If the server running Campus Manager does not have RME 4.0, you can use a remote server, which has the RME 4.0 application.
If you want to configure Inter-VLAN Routing on a device:
•
•
See the User Guide for Resource Manager Essentials 4.0 for more details on how to manage devices. To access this, go to http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/cw2000/cw2000e/
e_4_x/4_0/u_guide/device.htmConfiguring Inter-VLAN Routing on RSM, MSFC, L2/L3 Devices
To configure Inter-VLAN Routing on a VLAN interface:
Step 1
Step 2
Step 3
The Configure Inter-VLAN Routing window appears. The window displays the Device Name and the Device IP of the selected device.
Step 4
Step 5
Or
Click New to configure Inter-VLAN Routing for a new VLAN interface.
You can edit IP Address, Admin Status, and Subnet Mask.
Table 9-6 Configuring Inter-VLAN Routing Field Descriptions
VLAN Interface1
Enter the VLAN interface.
IP Address
Enter the IP address for the interface
Subnet Mask
Enter the subnet mask address.
Admin Status
Select the Admin status:
•
•
1 You can enter the VLAN interface name to create a new interface. You cannot edit an existing VLAN interface.
You can also delete a Device Interface from the list of Interfaces for which you do not want to configure Inter-VLAN Routing.
Step 6
If you want to edit the configuration details again:
a.
b.
c.
Step 7
Note
RME Server credentials window appears.
Step 8
Table 9-7 RME Server credentials Field Description
RME Server
Name of the RME server or the IP address
Server Port1
Enter the port number
User Name
Enter the user name
Password
Enter the password
1 In Campus 1741 is the default port for http mode and 443 is the default port for SSL (https) mode.
Step 9
Inter-VLAN Routing is configured for all the VLAN interfaces in Interface Set.
Configuring Inter-VLAN Routing on External Routers
To configure Inter-VLAN Routing on a VLAN interface of an external router:
Step 1
Step 2
Step 3
The RME Server credentials window appears.
Step 4
Table 9-8 RME Server credentials Field Description
RME Server
Name of the RME server or the IP address.
Server Port1
Enter the port number.
User Name
Enter the user name.
Password
Enter the password.
1 In Campus 1741 is the default port for http mode and 443 is the default port for SSL (https) mode.
Step 5
The Configure Inter-VLAN Routing window appears.
Step 6
Step 7
Or
Click New to configure Inter-VLAN Routing for a new VLAN interface.
You can edit IP Address, Admin Status, Encapsulation, and Subnet Mask.
Table 9-9 Configuring Inter-VLAN Routing Field Descriptions
VLAN Interface1
Enter the VLAN interface.
IP Address
Enter the IP address for the interface.
Sub-Interface ID
Enter the ID for the sub-interface.
Admin Status
Select the Admin status:
•
•
Encapsulation
Select the encapsulation:
•
•
Subnet Mask
Enter the subnet mask address.
1 You can enter the VLAN interface name to create a new interface. You cannot edit an existing VLAN interface.
You can also delete a device interface from the list of interfaces for which you do not want to configure Inter-VLAN Routing.
Step 8
If you want to edit the configuration details again:
a.
b.
c.
Step 9
Note
Inter-VLAN Routing is configured for all VLAN interfaces in the Interface Set.
VLAN Trunking Protocol
VLAN Trunking Protocol (VTP) is a Layer 2 multicast messaging protocol that maps VLANs across all media types and VLAN tagging methods between switches, thus maintaining the VLAN configuration consistency throughout a network. VTP reduces the effort in adding, deleting, or renaming a VLAN at each switch, when the VLAN extends to other switches in the network.
VTP minimizes misconfigurations and configuration inconsistencies that can result in a number of problems, such as duplicate VLAN names, incorrect VLAN-type specifications, and security violations.
With VTP, you can make configuration changes centrally on one switch and have those changes automatically communicated to all the other switches in the network.
The major function of VTP is to distribute VLAN information. You must configure VTP before you configure any VLAN. Using VTP, each switch in server mode displays the following:
•
•
•
For more details on VLAN, see "Understanding Virtual LAN (VLAN)" section, and for VTP Domains, see"VTP Domains" section.
This topic contains:
•
•
VTP Domains
A VTP domain is made up of one or more interconnected devices that share the same VTP domain name. A switch can be configured to be in only one VTP domain, and each VLAN has a name that is unique within a management domain.
Typically, you use a VTP domain to ease administrative control of your network or to account for physical boundaries within your network. However, you can set up as many or as few VTP domains as are appropriate for your administrative needs. Consider that VTP is transmitted on all trunk connections, including ISL, IEEE 802.1Q, 802.10, and LANE.
VTP Domains display and monitor the details of the VLANs in your network. Sometimes includes special cases labeled NULL or NO_VTP.
•
•
However, devices which do not support VTP but support VLANs (for example, Catalyst 2900XL Standard Edition switches) will be placed in the NO_VTP domain.
The devices that do not support VLANs and VTP (for example, Catalyst 1900 Standard Edition switches) will be placed in the domain category of the neighbor device.
Components of VTP Domains
Within a VTP domain, you can configure switches as follows:
•
•
•
Your VTP domain structure influences the behavior of Topology Services.
Understanding VLAN Trunking Protocol Version 3
VTP version 3 is capable of distributing a list of opaque databases over an administrative domain.
VTP version 3 provides following enhancements to the previous VTP versions:
•
•
•
•
•
•
•
•
VTP version 3 is a collection of protocol instances. Each instance handles one database, which is associated with a given feature. VTP version 3 runs multiple instances of the protocol by which it handles the configuration propagation of multiple databases that are independent of one another.
Support for VTP Version 3 in Campus
Campus Manager supports the version 3 of VTP. Following are the major features supported in this release:
•
If your network contains devices running VTP version 3, the primary server is displayed as a subfolder under the parent Domain in the VTP Domains. Under Primary server folder, you can find all the server and client modes.
•
The devices which are set to off mode are supported as for the transparent mode devices. The Tree View displays the off mode devices in subfolder under the parent domain.
•
Topology Filters contains a filter for devices running VTP version 3 in the Network Topology view for the VTP Domains and VTP Views.
You can enable the filters to view the primary, server, client, transparent, and off mode devices. The off mode devices in VTP version 2 and version 3 domains, are displayed under different subfolders of the parent domain, in the Tree View.
When you change the configuration through Campus, the off mode devices are considered similar to the transparent mode devices.
For more details, see Figure 9-1.
Figure 9-1 VTP Filters
•
You can create a VLAN or PVLAN using a primary server domain or the parent domain. You can create a VLAN or PVLAN only on the Primary server, transparent and off mode devices, in a VTP version 3 environment.
Notes on creating VLAN or PVLAN in VTP version 3 domain using Campus
•
•
•
•
Using VLAN Trunking Protocol (VTP)
Using VLAN Trunking Protocol (VTP), each switch in server mode advertises its management domain on its trunk ports, its configuration revision number, and its known VLANs and their specific parameters.
Therefore, a new VLAN must be configured on only one device in the management domain, and the information is automatically learned by all other devices (not in VTP transparent mode) in the same management domain.
After a device learns about a VLAN, it receives all frames on that VLAN from any trunk port and, if appropriate, forwards them to each of its other trunk ports.
This topic contains:
Displaying VTP Reports
To display a VTP report for the VTP domains in your network.
Step 1
Step 2
The VTP Report, which is the summary view, appears.
Interpreting VTP Reports
See Table 9-10 to interpret the fields shown in the VT Reports Summary view.
Using VTP Views
VTP Views shows devices that participate in VTP domains. VTP Views also shows the non-VTP devices and ATM domains connected directly to the VTP domain.
Figure 9-2 VTP Tree View
Use the VTP views to:
•
•
•
–
–
–
•
–
–
Understanding Trunking
A trunk is a point-to-point link carrying several VLANs. The purpose of a trunk is to save ports when creating a link between two devices implementing VLANs, typically two switches.
Trunking is hence a type of configuration on an interface which allows VLANs to span the entire network, instead of just one switch.
The trunked interface that connects to another network device is allowed to pass traffic for multiple VLANs, instead of just one VLAN as would happen on a non-trunked interface on a switch.
This topic contains:
•
Trunking Considerations
Note the following:
•
•
•
•
•
Dynamic Trunking Protocol (DTP)
Dynamic Trunking Protocol (DTP) is a Cisco proprietary protocol. Trunk negotiation is managed by the DTP on a link between two devices. DTP is also used for negotiating the type of trunking encapsulation to be used.
Dynamic Trunking is the ability to negotiate the trunking method with the other device, and DTP is a point-to-point protocol that supports auto-negotiation of both ISL and 802.1Q trunks. DTP sends the VTP domain name in a DTP packet.
Therefore, if you use DTP, and if the two ends of a link belong to a different VTP domain, the trunk will not function.
The Catalyst operating system options of auto, desirable, and on, and the IOS options of dynamic auto, dynamic desirable, and trunk, configure a trunk link using DTP. If one side of the link is configured to trunk and sends DTP signals, the other side of the link will dynamically begin to trunk, if the options match correctly.
To enable trunking and not send any DTP signaling, you can use the option nonegotiate for switches that support that function. If you want to disable trunking completely, you can use the off option for a Catalyst operating system switch or the no switchport mode trunk command on an IOS switch.
DTP is a second generation Dynamic Inter-Switch Link Protocol (DISL) and allows the Cisco Catalyst devices to negotiate whether to use 802.1Q encapsulation. DISL and DTP do not negotiate trunking in case of EtherChannel—they only negotiate whether to enable trunking.
Trunk Encapsulation
The following trunking encapsulations are available on all Ethernet interfaces:
•
•
Trunk Characteristics
Table 9-11 shows the DTP signaling and the characteristics of each mode.
Encapsulation Types
The encapsulation type allows you to specify whether ISL or 802.1q should be used for trunking. The parameter is only relevant if the module you are using is able to use both types of encapsulation. The parameter can have three different values as shown in table below.
Creating Trunk
To create trunk for a port:
Step 1
The VLAN Port Assignment window appears.
Or
From Topology Services main window, select the device, which has the ports you require and select Tools > VLAN Port Assignment.
The VLAN Port Assignment window appears.
Step 2
Step 3
•
Or
•
The VTP Domain table provides a list of ports and the details of the ports.
Step 4
Step 5
The Create Trunk window appears.
In the Create Trunk window, Device Information panel displays the device IP address and the port number of all the devices you have selected.
Step 6
a.
–
–
–
b.
Campus Manager 4.0 supports only the Desirable mode.
Step 7
•
•
Step 8
EtherChannel
EtherChannel is a technology that bundles individual Fast Ethernet and Gigabit Ethernet links into a single logical link that would provide higher bandwidth. EtherChannels thus enable you to aggregate up to Gigabit Ethernet connections, providing up to 16 Gbps of bandwidth (in full duplex mode).
The channel is treated as a single logical connection between two switches. If one of the connections fails in the EtherChannel, the other connections will be operating so that the connection is not down.
This topic contains:
Understanding EtherChannel
EtherChannel provides incremental trunk speeds between Fast Ethernet (FE) and Gigabit Ethernet (GE) by grouping multiple equal-speed ports into a logical port channel. EtherChannel combines multiple FEs up to 800 Mbps or GEs up to 8 Gbps, providing fault-tolerant, high-speed links between switches, routers, and servers.
Campus Manager 4.0 supports only PAgP, the aggregation protocol. When a user selects a port or link for configuring EtherChannel, the user is prompted with all available ports that can participate in the channel (Ports that are directly connected between devices).
Admin Group ID attribute for each port is also provided under group attribute. User can change them accordingly to choose which ports need to aggregate into a channel.
All ports that have same group value will participate in channel. Campus supports only desirable mode for EtherChannel configuration.
Campus Manager 4.0 does not support EtherChannel configuration between a switch and router.
Using EtherChannel
Campus Manager 4.0 allows you to:
•
•
Configuring EtherChannel
To configure EtherChannel:
Step 1
Step 2
Step 3
A Network Topology View window appears.
Step 4
Step 5
The EtherChannel Configuration window appears.
Protocol field displays PAgP. Port Aggregation Protocol (PAgP) is the Protocol that is supported for configuring EtherChannel.
Step 6
•
•
•
•
Select leave default when you do not want to configure distribution protocols.
The Channel Mode field displays the mode of the port.
Campus supports only the desirable mode for EtherChannel configuration.
Step 7
•
•
•
•
Select leave default when you do not want to configure distribution address type.
Step 8
Step 9
VLAN Port Assignment
VLAN Port Assignment is an application that displays device, port, and related VLAN information for an associated VTP domain in a tabular format and helps you manage ports on your network's VLANs.
Use VLAN Port Assignment to:
•
•
•
•
•
This topic contains the following sections:
•
•
•
Prior to using VLAN Port Assignment, you should understand the concepts of VLANs and VTP domains. See "Understanding Virtual LAN (VLAN)" section, and "VTP Domains" section for more details.
Understanding VLAN Port Assignment
To enable end-user ports to participate in a specific VLAN, you must first assign the ports. You assign ports to specified VLANs. The VLANs allow the ports to share the same broadcasts.
Ports that are not assigned to the VLAN cannot share these broadcasts. For more information about VLANs, see "Understanding Virtual LAN (VLAN)" section.
For VLAN Port Assignment to work correctly, ANI Server must discover the network. ANI Server requires a properly configured network to complete network discovery.
For information about setting up your network, see Installation and Setup Guide for Campus Manager (to access this document, go to http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/cw2000/camp_mgr/
camp_4x/cmgr_4_0/index.htm) or the "Using Campus Manager Administration" section.VLAN Port Assignment queries the ANI database based on criteria you enter.
After you submit the query, VLAN Port Assignment displays the device, port, and related VLAN information for an associated VTP domain. This is displayed in a tabular format.
You can use VLAN Port Assignment to:
•
•
•
•
Starting VLAN Port Assignment
To start VLAN Port Assignment:
Step 1
Step 2
See "Analyzing ANI Server" section for more details.
Step 3
If you are prompted to install the Java plug-in, you can download and install the plug-in using the displayed installation screens. The next time you start the application, it will automatically use the plug-in.
See Online help for ANI Server, for information about setting up your network and the ANI Server.
Using VLAN Port Assignment
You use VLAN Port Assignment to:
•
•
•
Navigating in VLAN Port Assignment
The VLAN Port Assignment main window provides command menu options, a drop-down list box of discovered VTP domains, searching criteria fields, and a table displaying matching port information.
The following topics contain descriptions of the VLAN Port Assignment commands and the table where discovered port information appears:
•
•
Displaying Port Information
VLAN Port Assignment displays port information for a VTP domain. You can do the following:
•
•
•
Displaying All Ports in Specified VTP Domains
You can use VLAN Port Assignment to list all ports in every VLAN that participates in a selected VTP domain. To do this:
Step 1
Sometimes, NULL and NO_VTP appear in the list of domains:
•
•
If you want to display all ports that are assigned to auxiliary VLANs, verify that the multi-access port check box is selected.
Step 2
All port information in all VLANs associated with the selected VTP domain are displayed in the VTP Domain table.
Querying Ports in Specified VTP Domains
You can use VLAN Port Assignment to find specific ports in a known VTP domain by entering search criteria. To do this:
Step 1
Sometimes, NULL and NO_VTP appear in the list of domains:
•
•
Step 2
The Table 9-12 describes these search criteria.
If you want to display all ports that are assigned to auxiliary VLANs, verify that the multi-access ports check box is selected.
Step 3
Ports that match the search criteria are displayed in the VTP Domain table.
Displaying Ports in Unspecified VTP Domains
When you do not know what VTP domain a device resides on, you can search all VTP domains by providing a device address or name. To do this:
Step 1
Step 2
Step 3
If you want to display all ports that are assigned to auxiliary VLANs, verify that the multi-access ports check box is selected.
Step 4
Ports that match the device address or name you entered appear in the VTP Domain table. The VTP domain name appears above the VTP Domain Table in the VTP Domain field.
VTP Domain Table
The VTP Domain table displays port information for an associated VTP domain:
Step 1
The VLAN Port Assignment window appears.
Step 2
The VTP Domain table lists the ports, which are in that VTP domain.
Ports configured for multiple VLAN access will have two VLANs assigned: native and auxiliary. A native VLAN carries data traffic and an auxiliary VLAN carries voice and data traffic.
If you check the multi-access ports check box, each VLAN type is displayed as a separate entry in the table. If the multi-access ports check box is not selected, only native VLANs are displayed.
Note
See Table 9-13 to interpret this information.
Finding Entries in VLAN Ports Summary Table
You can perform a string search to find a specific entry or range of entries in the VTP Domain table. To do this:
Step 1
The Find dialog box appears.
Step 2
Step 3
Step 4
Assigning Ports to VLANs
After you create VLANs, you can assign ports to the VLANs that you have created. You can use VLAN Port Assignment to assign access ports on network switches to different VLANs.
Your login determines whether you can use this option. You must have Operator, Network Administrator, or System Administrator privileges.
To assign ports:
Step 1
Step 2
To select multiple ports, press and hold the Ctrl key while highlighting each row; to select contiguous ports, press and hold the Shift key as you click on the ports.
Considerations:
•
•
•
Step 3
Step 4
The port is moved to the selected VLAN.
Extending VLANs Across VTP Domains
A trunk is a point-to-point link that transmits and receives traffic between switches or between switches and routers. Trunks carry the traffic of multiple VLANs and can extend VLANs across an entire network.
100BaseT and Gigabit Ethernet trunks use Inter-Switch Link (ISL) or industry-standard IEEE 802.1Q to carry traffic for multiple VLANs over a single link.
To use ISL, you must configure the ports on both sides of the link as trunk ports.
When two VTP domains are interconnected using an ISL trunk between two LAN switches by default, no VLAN traffic is forwarded. However, you can configure the ports on each switch to receive and forward specific VLANs.
To enable port configuration, the VLANs on either side of the ISL trunk must be identical and share VLAN characteristics such as VLAN names, VLAN indexes, and so on.
Configuring Trunk Attributes
You can use VLAN Port Assignment to specify the VLAN indexes that you want to allow on a trunk.
Your login determines whether you can use this option. You must have either Network Administrator or System Administrator privileges.
To configure Trunk Attributes:
Step 1
Or
From Topology Services Main Window, right-click a trunk link from a network view and select VLAN Port Assignment from the popup menu.
Step 2
Step 3
Step 4
To interpret this information, see Table 9-16.
Step 5
Step 6
If you enter numbers into both fields, the ISL indexes that you are disallowing will take precedence over ISL indexes that you are allowing.
For example, if you allow 1-1024 and disallow 1-100, VLANs with ISL indexes of 101-1024 will be allowed.
Step 7
VLAN Port Assignment Commands
You can run VLAN Port Assignment commands from the menu. See Table 9-15 for details.
Table 9-15 VLAN Port Assignment Command Description
File
Prints the information from the "VTP Domain Table" section.
Export
None
Exports the information from the "VTP Domain Table" section to a text file.
Exit
None
Exits VLAN Port Assignment.
Edit
Find
Opens Find window and helps in "Finding Entries in VLAN Ports Summary Table" section.
View
Show Toolbar
None
Shows or hides the toolbar.
Refresh Summary
Rediscovers port information in the "VTP Domain Table" section.
Show VTP Domain
None
Displays the VTP domain view.
Show VLAN
None
Highlights a specified VLAN in the VTP domain view.
Show Device
None
Highlights a specified device in the VTP domain view.
Reports
Trunk Attributes
None
Displays descriptive information about the links that are configured as trunks.
Port Attributes
None
Displays descriptive information about the ports belonging to the selected device.
Device Attributes
None
Displays descriptive information about the selected device.
Tools
CiscoView
None
CiscoView starts if it has been configured with information about the selected device.
Telnet
None
Initiates a remote terminal connection with the Cisco Systems Console on a device that supports Telnet
Help
Using VLAN Port Assignment
None
Opens the online help for VLAN Port Assignment.
About
None
Shows version and copyright information for VLAN Port Assignment.
Displaying Topology Views and Attribute Summaries
The following topics describe how to use VLAN Port Assignment to display topology views of a VTP domain and attribute summaries for devices:
•
•
Displaying Topology Views
You can use VLAN Port Assignment for:
•
Topology Services must be running to enable you to display these views.
Displaying VTP Domain
To use VLAN Port Assignment to display the VTP domain view:
Step 1
Step 2
For more information, see Querying Ports in Specified VTP Domains.
Step 3
Step 4
The network topology view for the VTP domain appears. If you select a port, which is in transparent mode, the network topology view highlights the device.
Highlighting VLANs
You can use VLAN Port Assignment to highlight all devices and links belonging to a specific VLAN in the VTP domain view. To do this:
Step 1
Step 2
For more information, see Querying Ports in Specified VTP Domains.
Step 3
For more information, see VTP Domain Table.
Step 4
The network topology view for the VLAN appears. If you select a port, which is in transparent mode, the network topology view highlights the device.
Highlighting Devices
You can use VLAN Port Assignment to highlight a specific device in the VTP domain view, as well as display the Layer 2 view.
Step 1
Step 2
The VLAN Port Assignment window appears.
Step 3
For more information, see Querying Ports in Specified VTP Domains.
Step 4
For more information, see VTP Domain Table.
Step 5
The network topology view for the VTP domain which has the device, appears. If you select a port, which is in transparent mode, the network topology view highlights the device.
Displaying Attribute Summaries
The following topics describe how to use VLAN Port Assignment to display status information about ports, devices, and trunks in your network:
Displaying Port Attributes
To display information about the status of the ports in your network:
Step 1
The VLAN Port Assignment window appears.
Step 2
Step 3
Step 4
The Port Attributes window appears.
For more information on Port Attributes, see Interpreting Port Attributes.
Displaying Device Attributes
To display information about a specific device.
Step 1
The VLAN Port Assignment window appears.
Step 2
Step 3
Step 4
The Device Attributes window appears.
For more information on Device Attributes, see Interpreting Device Attributes.
Displaying Trunk Attributes
To display information about the status of the trunking ports in your network.
Step 1
The VLAN Port Assignment window appears.
Step 2
Step 3
Step 4
The Trunk Attributes window appears.
For more information on Trunk Attributes, see Interpreting Trunk Attributes.
Interpreting Trunk Attributes
See Table 9-16 for details about the fields shown in the Trunk Attributes window.
VLAN Port Assignment Command Shortcuts
After the you click Show All Ports or Get Ports, and the VTP Domain table has entries, you can select a row and issue several commands that are normally accessed through the command menu. To do this:
Step 1
Step 2
Step 3
A popup menu appears.
Step 4
Table 9-17 displays the commands displayed in the popup menu.
Troubleshooting Suggestions
Use the information in the Troubleshooting VLAN Port Assignment Table 4-3 to troubleshoot the VLAN Port Assignment application.
Usage Scenarios for Managing VLANs
You can use the following scenarios to manage your network using Campus Manager.
Configuring PVLANs in External Demilitarized Zone
Scenario
Web servers and Domain Name Servers (DNS) are connected to a Demilitarized Zone (DMZ) switch. The DMZ switch is configured with the VTP domain name, DMZ, where the switch is in transparent mode running VTP version 2. The servers belong to the same broadcast domain or VLAN.
Understanding the Scenario
This scenario would help you to isolate Layer 2 devices using PVLAN, and ensure that the DMZ servers do not send data across them, while internal and external hosts access these servers.
DMZ servers must be accessible from external clients as well as from the internal network. DMZ servers eventually needs access to some internal resources, and the servers must not send data across. The servers must not initiate traffic from the DMZ switch to the Internet. The DMZ servers reply only to the traffic from the internal resources.
Understanding Concepts
Campus Manager provides an end-to end solution for configuring Private VLANs, the security feature which Campus provides for managing LANs. You can configure PVLANs using Campus Manager.
You can configure PVLANs in scenarios where Demilitarized Zone (DMZ) switches are configured without adhering to the right policies, leading to potential intrusions into your network.
Demilitarized Zone
Demilitarized Zone is a small subnetwork, which lies between a secure internal network, such as a corporate private LAN, and a non secure external network, such as the public Internet. DMZ contains devices like Web servers, FTP servers, SMTP servers and DNS that are accessible to the Internet traffic.
DMZ servers process incoming requests from the Internet, and initiate connections to certain internal servers or other DMZ segments, such as database servers.
DMZ servers must not send data or initiate any connection to the external networks. This shows that the necessary traffic flows on the basis of a trust model; but the model is not adequately enforced in many networks.
Prerequisites
In this scenario, you need the following applications and tools in Campus Manager.
•
•
•
•
•
•
Reproducing Scenario
To set up the scenario you must configure secondary VLAN on the servers, with isolated ports and community ports. The Firewall, the only device within the primary VLAN, must be defined in a primary VLAN with a promiscuous port.
Step 1
Enter VLAN 100 in the Private VLAN Name field to name the primary VLAN. For more details on creating primary VLAN, see Creating Primary VLAN.
Step 2
a.
b.
For more details on creating secondary VLAN, see Creating Secondary VLAN and Associating to Primary VLAN.
Step 3
a.
b.
For more details on creating secondary VLAN, see Creating Secondary VLAN and Associating to Primary VLAN.
Step 4
Step 5
Step 6
After you configure the promiscuous port, the secondary VLANs appear in the Mapped VLANs table.
You have configured promiscuous port and mapped both secondary VLANs to the primary VLAN 100.
If you want to map only the community VLAN 60, you must check the configurations, and map the other isolated VLANs.
Check the Select to Unmap check box and click Apply to unmap the isolated VLAN from primary VLAN. Community VLAN 60 is unmapped from the primary VLAN.
Verifying Configuration
To verify the configuration for this scenario:
Step 1
Step 2
Primary VLAN 100 is listed as a subfolder under the DMZ domain and the secondary VLAN under the Primary VLAN subfolder. Note that the icon for PVLANs is different from the icon for normal VLANs.
Step 3
Step 4
Step 5
Step 6
a.
b.
c.
