-
Catalyst 3550 Multilayer Switch Software Configuration Guide, 12.1(8)EA1
-
Index
-
Preface
-
Overview
-
Using the Command-Line Interface
-
Getting Started with CMS
-
Assigning the Switch IP Address and Default Gateway
-
Clustering Switches
-
Administering the Switch
-
Configuring 802.1X Port-Based Authentication
-
Configuring Interface Characteristics
-
Creating and Maintaining VLANs
-
Configuring STP
-
Configuring IGMP Snooping and MVR
-
Configuring Port-Based Traffic Control
-
Configuring CDP
-
Configuring UDLD
-
Configuring SPAN
-
Configuring RMON
-
Configuring System Message Logging
-
Configuring SNMP
-
Configuring Network Security with ACLs
-
Configuring QoS
-
Configuring EtherChannel
-
Configuring IP Unicast Routing
-
Configuring HSRP
-
Configuring IP Multicast Routing
-
Configuring MSDP
-
Configuring Fallback Bridging
-
Troubleshooting
-
Supported MIBs
-
Working with the IOS File System, Configuration Files, and Software Images
-
Unsupported CLI Commands for Release 12.1(8)EA1
-
Table Of Contents
Creating and Maintaining VLANs
Using the VLAN Trunking Protocol
Disabling VTP (VTP Transparent Mode)
Configuring VLANs in the VTP Database
Deleting a VLAN from the Database
Assigning Static-Access Ports to a VLAN
Displaying VLANs in the VTP Database
802.1Q Configuration Considerations
Default Layer 2 Ethernet Interface VLAN Configuration
Configuring an Ethernet Interface as a Trunk Port
Defining the Allowed VLANs on a Trunk
Changing the Pruning-Eligible List
Configuring the Native VLAN for Untagged Traffic
Load Sharing Using STP Port Priorities
Configuring STP Port Priorities and Load Sharing
Load Sharing Using STP Path Cost
Configuring STP Path Costs and Load Sharing
VMPS Database Configuration File
Configuring an Interface as a Layer 2 Dynamic Access Port
Entering the IP Address of the VMPS
Configuring Dynamic Access Ports on VMPS Clients
Changing the Reconfirmation Interval
Administering and Monitoring the VMPS
Troubleshooting Dynamic Port VLAN Membership
Dynamic Port VLAN Membership Configuration Example
Creating and Maintaining VLANs
This chapter describes how to create and maintain VLANs. It includes information about VLAN modes, the VLAN Trunking Protocol (VTP) database, and the VLAN Membership Policy Server (VMPS).
Note
For complete syntax and usage information for the commands used in this chapter, refer to the Catalyst 3550 Multilayer Switch Command Reference for this release.
The chapter includes these sections:
•
Understanding VLANs
A VLAN is a switched network that is logically segmented by function, project team, or application, without regard to the physical locations of the users. VLANs have the same attributes as physical LANs, but you can group end stations even if they are not physically located on the same LAN segment. Any switch port can belong to a VLAN, and unicast, broadcast, and multicast packets are forwarded and flooded only to end stations in the VLAN. Each VLAN is considered a logical network, and packets destined for stations that do not belong to the VLAN must be forwarded through a router or bridge as shown in Figure 9-1. Because a VLAN is considered a separate logical network, it contains its own bridge Management Information Base (MIB) information and can support its own implementation of the Spanning Tree Protocol (STP).
Note
Figure 9-1 shows an example of VLANs segmented into logically defined networks.
Figure 9-1 VLANs as Logically Defined Networks
VLANs are often associated with IP subnetworks. For example, all the end stations in a particular IP subnet belong to the same VLAN. Interface VLAN membership on the switch is assigned manually on an interface-by-interface basis. When you assign switch interfaces to VLANs by using this method, it is known as interface-based, or static, VLAN membership.
Traffic between VLANs must be routed. A Catalyst 3550 switch with the enhanced mutilayer software image installed can route traffic between VLANs by using switch virtual interfaces (SVIs). An SVI must be explicitly configured and assigned an IP address to route traffic between VLANs. For more information, see the "Switch Virtual Interfaces" section and the "Configuring Layer 3 Interfaces" section.
Number of Supported VLANs
The Catalyst 3550 switch supports 1005 VLANs in VTP client, server, and transparent modes. VLANs are identified with a number between 1 and 1001. VLAN numbers 1002 through 1005 are reserved for Token Ring and FDDI VLANs. The switch supports per-VLAN spanning tree (PVST) with a maximum of 128 spanning-tree instances. One spanning-tree instance is allowed per VLAN.
The switch supports both Inter-Switch Link (ISL) and IEEE 802.1Q trunking methods for sending VLAN traffic over Ethernet ports.
VLAN Port Membership Modes
You configure a port to belong to a VLAN by assigning a membership mode that determines the kind of traffic the port carries and the number of VLANs to which it can belong. Table 9-1 lists the membership modes and characteristics.
Table 9-1 Port Membership Modes
Static-access
A static-access port can belong to one VLAN and is manually assigned by using the switchport mode access interface configuration command.
For more information, see the "Assigning Static-Access Ports to a VLAN" section.
Trunk (ISL or
IEEE 802.1Q)A trunk is a member of all VLANs in the VLAN database by default, but membership can be limited by configuring the allowed-VLAN list. You can also modify the pruning-eligible list to block flooded traffic to VLANs on trunk ports that are included in the list.
VTP maintains VLAN configuration consistency by managing the addition, deletion, and renaming of VLANs on a network-wide basis. VTP exchanges VLAN configuration messages with other switches over trunk links.
Configure VLAN trunks using the switchport mode trunk interface configuration command. For more information, see the "Configuring an Ethernet Interface as a Trunk Port" section.
Dynamic access
A dynamic-access port can belong to one VLAN and is dynamically assigned by a VMPS. The VMPS can be a Catalyst 5000 or Catalyst 6000 series switch, for example, but never a Catalyst 3550 switch.
You begin configuration by using the switchport mode access interface configuration command.
For more information, see the "Configuring an Interface as a Layer 2 Dynamic Access Port" section.
For more detailed definitions of the modes and their functions, see Table 9-6.
When a port belongs to a VLAN, the switch learns and manages the addresses associated with the port on a per-VLAN basis. For more information, see the "Managing the MAC Address Table" section.
Using the VLAN Trunking Protocol
VTP is a Layer 2 messaging protocol that maintains VLAN configuration consistency by managing the addition, deletion, and renaming of VLANs on a network-wide basis. VTP minimizes misconfigurations and configuration inconsistencies that can cause several problems, such as duplicate VLAN names, incorrect VLAN-type specifications, and security violations.
Before you create VLANs, you must decide whether to use VTP in your network. Using VTP, you can make configuration changes centrally on one or more switches and have those changes automatically communicated to all the other switches in the network. Without VTP, you cannot send information about VLANs to other switches.
The VTP Domain and VTP Modes
A VTP domain (also called a VLAN management domain) consists of one switch or several interconnected switches under the same administrative responsibility sharing the same VTP domain name. A switch can be in only one VTP domain.You make global VLAN configuration changes for the domain by using the command-line interface (CLI), Cluster Management Suite (CMS) software, or Simple Network Management Protocol (SNMP).
You can configure a supported switch to be in one of the VTP modes listed in Table 9-2.
By default, the switch is in VTP server mode and in the no-management-domain state until it receives an advertisement for a domain over a trunk link (a link that carries the traffic of multiple VLANs) or until you configure a domain name. Until the management domain name is specified or learned, you cannot create or modify VLANs on a VTP server, and VLAN information is not propagated over the network.
If the switch receives a VTP advertisement over a trunk link, it inherits the management domain name and the VTP configuration revision number. The switch then ignores advertisements with a different domain name or an earlier configuration revision number.
When you make a change to the VLAN configuration on a VTP server, the change is propagated to all switches in the VTP domain. VTP advertisements are sent over all trunk connections, including Inter-Switch Link (ISL) and IEEE 802.1Q.
VTP maps VLANs dynamically across multiple LAN types with unique names and internal index associates. Mapping eliminates excessive device administration required from network administrators.
If you configure a switch for VTP transparent mode, you can create and modify VLANs, but the changes are not sent to other switches in the domain, and they affect only the individual switch.
The "Configuring VTP" section provides tips and caveats for configuring VTP.
VTP Advertisements
Each switch in the VTP domain sends periodic global configuration advertisements from each trunk port to a reserved multicast address. Neighboring switches receive these advertisements and update their VTP and VLAN configurations as necessary.
Note
VTP advertisements distribute this global domain information:
•
•
•
•
•
VTP advertisements distribute this VLAN information for each configured VLAN:
•
•
•
•
•
VTP Version 2
If you use VTP in your network, you must decide whether to use version 1 or version 2.
VTP version 2 supports these features not supported in version 1:
•
•
•
•
VTP Pruning
VTP pruning increases network available bandwidth by restricting flooded traffic to those trunk links that the traffic must use to reach the destination devices. Without VTP pruning, a switch floods broadcast, multicast, and unknown unicast traffic across all trunk links within a VTP domain even though receiving switches might discard them. VTP pruning is disabled by default.
VTP pruning blocks unneeded flooded traffic to VLANs on trunk ports that are included in the pruning-eligible list. Only VLANs included in the pruning-eligible list can be pruned. By default, VLANs 2 through 1001 are pruning eligible on Catalyst 3550 trunk ports. If the VLANs are configured as pruning-ineligible, the flooding continues. VTP pruning is supported with VTP version 1 and version 2.
Figure 9-2 shows a switched network without VTP pruning enabled. Port 1 on Switch 1 and Port 2 on Switch 4 are assigned to the Red VLAN. If a broadcast is sent from the host connected to Switch 1, Switch 1 floods the broadcast and every switch in the network receives it, even though Switches 3, 5, and 6 have no ports in the Red VLAN.
Figure 9-2 Flooding Traffic without VTP Pruning
Figure 9-3 shows a switched network with VTP pruning enabled. The broadcast traffic from Switch 1 is not forwarded to Switches 3, 5, and 6 because traffic for the Red VLAN has been pruned on the links shown (Port 5 on Switch 2 and Port 4 on Switch 4).
Figure 9-3 Optimized Flooded Traffic with VTP Pruning
Enabling VTP pruning on a VTP server enables pruning for the entire management domain. See the "Enabling VTP Pruning" section. VTP pruning takes effect several seconds after you enable it. VTP pruning does not prune traffic from VLANs that are pruning-ineligible. VLAN 1 is always pruning-ineligible; traffic from VLAN 1 cannot be pruned.
VTP pruning is not designed to function in VTP transparent mode. If one or more switches in the network are in VTP transparent mode, you should do one of these:
•
•
To configure VTP pruning on an interface, use the switchport trunk pruning vlan interface configuration command (see the "Changing the Pruning-Eligible List" section). VTP pruning operates when an interface is trunking. You can set VLAN pruning-eligibility, whether or not VTP pruning is enabled for the VTP domain, whether or not any given VLAN exists, and whether or not the interface is currently trunking.
Configuring VTP
This section includes procedures for configuring VTP. These sections are included:
•
Default VTP Configuration
Table 9-3 shows the default VTP configuration.
Table 9-3 Default VTP Configuration
VTP domain name
Null.
VTP mode
Server.
VTP version 2 enable state
Version 2 is disabled.
VTP password
None.
VTP pruning
Disabled.
VTP Configuration Guidelines
These sections describe guidelines you should follow when implementing VTP in your network.
Domain Names
When configuring VTP for the first time, you must always assign a domain name. You must configure all switches in the VTP domain with the same domain name. Switches in VTP transparent mode do not exchange VTP messages with other switches, and you do not need to configure a VTP domain name for them.
Note
Passwords
You can configure a password for the VTP domain, but it is not required. If you do configure a domain password, all domain switches must share the same password and you must configure the password on each switch in the management domain. Switches without a password or with the wrong password reject VTP advertisements.
If you configure a VTP password for a domain, a switch that is booted without a VTP configuration does not accept VTP advertisements until you configure it with the correct password. After the configuration, the switch accepts the next VTP advertisement that uses the same password and domain name in the advertisement.
If you are adding a new switch to an existing network with VTP capability, the new switch learns the domain name only after the applicable password has been configured on it.
Caution
VTP Version
Follow these guidelines when deciding which VTP version to implement:
•
•
•
•
•
•
Configuration Requirements
When you configure VTP, you must configure a trunk port so that the switch can send and receive VTP advertisements. For more information, see the "Understanding VLAN Trunks" section.
You can configure VTP by entering commands in the VLAN configuration mode. When you enter the exit command in VLAN configuration mode, it applies all the commands that you entered. VTP messages are sent to other switches in the VTP domain, and the privileged EXEC mode prompt appears.
Note
For more configuration guidelines, see the "VLAN Configuration Guidelines" section.
Configuring a VTP Server
When a switch is in VTP server mode, you can change the VLAN configuration and have it propagated throughout the network.
Beginning in privileged EXEC mode, follow these steps to configure the switch as a VTP server:
When you configure a domain name, it cannot be removed; you can only reassign a switch to a different domain.
To return the switch to a no-password state, use the no vtp password VLAN configuration command.
This example shows how to configure the switch as a VTP server with the domain name eng_group and verify the configuration:
Switch# vlan databaseSwitch(vlan)# vtp domain eng_groupSwitch(vlan)# exitAPPLY completed.Exiting....Switch# show vtp statusVTP Version : 2Configuration Revision : 211Maximum VLANs supported locally : 1005Number of existing VLANs : 8VTP Operating Mode : ServerVTP Domain Name : eng_groupVTP Pruning Mode : DisabledVTP V2 Mode : DisabledVTP Traps Generation : DisabledMD5 digest : 0x31 0xB3 0xCD 0xEF 0x34 0xD2 0x44 0xADConfiguration last modified by 172.20.135.204 at 3-1-93 00:05:51Local updater ID is 172.20.135.202 on interface Vl1 (lowest numbered VLAN interface found)Configuring a VTP Client
When a switch is in VTP client mode, you cannot change its VLAN configuration. The client switch receives VTP updates from a VTP server in the VTP domain and then modifies its configuration accordingly.
Beginning in privileged EXEC mode, follow these steps to configure the switch for VTP client mode:
Use the no vtp client VLAN configuration command to return the switch to VTP server mode. To return the switch to a no-password state, use the no vtp password VLAN configuration command. When you configure a domain name, it cannot be removed; you can only reassign a switch to a different domain.
Disabling VTP (VTP Transparent Mode)
When you configure the switch for VTP transparent mode, you disable VTP on the switch. The switch then does not send VTP updates and does not act on VTP updates received from other switches. However, a VTP transparent switch running VTP version 2 does forward received VTP advertisements on all of its trunk links.
Beginning in privileged EXEC mode, follow these steps to configure the switch for VTP transparent mode:
To return the switch to VTP server mode, use the no vtp transparent VLAN configuration command.
Enabling VTP Version 2
VTP version 2 is disabled by default on VTP version 2-capable switches. When you enable VTP version 2 on a switch, every VTP version 2-capable switch in the VTP domain enables version 2.
Caution
Note
For more information on VTP version configuration guidelines, see the "VTP Version" section.
Beginning in privileged EXEC mode, follow these steps to enable VTP version 2:
To disable VTP version 2, use the no vtp v2-mode VLAN configuration command.
Enabling VTP Pruning
Pruning increases available bandwidth by restricting flooded traffic to those trunk links that the traffic must use to access the destination devices. You enable VTP pruning on a switch in VTP server mode.
Beginning in privileged EXEC mode, follow these steps to enable VTP pruning in the management domain:
Pruning is supported with VTP version 1 and version 2. If you enable pruning on the VTP server, it is enabled for the entire VTP domain.
Only VLANs included in the pruning-eligible list can be pruned. By default, VLANs 2 through 1001 are pruning eligible on trunk ports. To change the pruning-eligible VLANs, see the "Changing the Pruning-Eligible List" section.
To disable VTP pruning, use the no vtp pruning VLAN configuration command.
Monitoring VTP
You monitor VTP by displaying VTP configuration information: the domain name, the current VTP revision, and the number of VLANs. You can also display statistics about the advertisements sent and received by the switch.
Beginning in privileged EXEC mode, follow these steps to monitor VTP activity:
This is an example of output from the show vtp status privileged EXEC command:
Switch# show vtp statusVTP Version : 2Configuration Revision : 5Maximum VLANs supported locally : 1005Number of existing VLANs : 69VTP Operating Mode : ServerVTP Domain Name : testVTP Pruning Mode : DisabledVTP V2 Mode : DisabledVTP Traps Generation : DisabledMD5 digest : 0x59 0xBA 0x92 0xA4 0x74 0xD5 0x42 0x29Configuration last modified by 0.0.0.0 at 3-1-93 00:18:42Local updater ID is 10.1.1.59 on interface Vl1 (lowest numbered VLAN interface found)This is an example of output from the show vtp counters privileged EXEC command:
Switch# show vtp countersVTP statistics:Summary advertisements received : 0Subset advertisements received : 0Request advertisements received : 0Summary advertisements transmitted : 0Subset advertisements transmitted : 0Request advertisements transmitted : 0Number of config revision errors : 0Number of config digest errors : 0Number of V1 summary errors : 0VTP pruning statistics:Trunk Join Transmitted Join Received Summary advts received fromnon-pruning-capable device---------------- ---------------- ---------------- ---------------------------VLANs in the VTP Database
You can set these parameters when you create a new VLAN or modify an existing VLAN in the VTP database:
•
•
•
•
•
•
•
•
•
•
•
The "Default VLAN Configuration" section lists the default values and possible ranges for each VLAN media type.
Token Ring VLANs
Although the Catalyst 3550 switches do not support Token Ring connections, a remote device such as a Catalyst 5000 series switch with Token Ring connections could be managed from one of the supported switches. Switches running VTP version 2 advertise information about these Token Ring VLANs:
•
•
For more information on configuring Token Ring VLANs, see the Catalyst 5000 Series Software Configuration Guide.
Default VLAN Configuration
Table 9-5 shows the default configuration for Ethernet VLANs.
Note
VLAN Configuration Guidelines
Follow these guidelines when creating and modifying VLANs in your network:
•
•
•
•
•
•
Configuring VLANs in the VTP Database
You can add, modify or remove VLAN configurations in the VTP database by using the CLI VLAN configuration mode. VTP globally propagates these VLAN changes throughout the VTP domain.
In VTP server or transparent mode, commands to add, change, and delete VLANs are written to the file vlan.dat, and you can display them by entering the show vlan privileged EXEC command. The vlan.dat file is stored in NVRAM.
Caution
You use the interface configuration mode to define the port membership mode and to add and remove ports from VLANs. The results of these commands are written to the running-configuration file, and you can display the file by entering the show running-config privileged EXEC command.
Note
Adding an Ethernet VLAN
Each Ethernet VLAN has a unique, 4-digit ID that can be a number from 1 to 1001. To add a VLAN to the VLAN database, assign a number and name to the VLAN. For the list of default parameters that are assigned when you add a VLAN, see the "Default VLAN Configuration" section.
Beginning in privileged EXEC mode, follow these steps to add an Ethernet VLAN:
To return the VLAN name to the default setting, use the no vlan vlan-id name VLAN configuration command.
This example shows how to add Ethernet VLAN 20 to the VLAN database and name it test20:
Switch# vlan databaseSwitch(vlan)# vlan 20 name test20Switch(vlan)# exitAPPLY completed.Exiting....Switch# show vlan name test20VLAN Name Status Ports---- -------------------------------- --------- -------------------------------20 test20 activeVLAN Type SAID MTU Parent RingNo BridgeNo Stp BrdgMode Trans1 Trans2---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------20 enet 100020 1500 - - - - - 0 0Modifying an Ethernet VLAN
Beginning in privileged EXEC mode, follow these steps to modify an Ethernet VLAN:
To return the VLAN to the default MTU setting, use the no vlan vlan-id mtu VLAN configuration command.
This example shows how to verify a VLAN configuration:
Switch# show vlan id 20VLAN Name Status Portsshow vlan---- -------------------------------- --------- -------------------------------20 VLAN0020 activeVLAN Type SAID MTU Parent RingNo BridgeNo Stp BrdgMode Trans1 Trans2---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------20 enet 100020 1500 - - - - - 0 0Deleting a VLAN from the Database
When you delete a VLAN from a switch that is in VTP server mode, the VLAN is removed from all switches in the VTP domain. When you delete a VLAN from a switch that is in VTP transparent mode, the VLAN is deleted only on that specific switch.
You cannot delete the default VLANs for the different media types: Ethernet VLAN 1 and FDDI or Token Ring VLANs 1002 to 1005.
Caution
Beginning in privileged EXEC mode, follow these steps to delete a VLAN on the switch:
This example shows how to verify a VLAN removal by using the show vlan brief privileged EXEC command:
Switch# show vlan briefVLAN Name Status Ports---- -------------------------------- --------- -------------------------------1 default active Gi0/1, Gi0/2, Gi0/3, Gi0/4Gi0/5, Gi0/7, Gi0/8, Gi0/9Gi0/10, Gi0/11, Gi0/1211 VLAN0011 active20 VLAN0020 active129 VLAN0129 active1002 fddi-default active1003 token-ring-default active1004 fddinet-default active1005 trnet-default activeAssigning Static-Access Ports to a VLAN
You can assign a static-access port to a VLAN without having VTP globally propagate VLAN configuration information (VTP is disabled).
Note
Beginning in privileged EXEC mode, follow these steps to assign a port to a VLAN in the VTP database:
To return an interface to its default configuration, use the default interface interface-id interface configuration command.
This example shows how to configure Gigabit Ethernet interface 0/1 as an access port in VLAN 2:
Switch# configure terminalEnter configuration commands, one per line. End with CNTL/Z.Switch(config)# interface gigabitethernet0/1Switch(config-if)# switchport mode accessSwitch(config-if)# switchport access vlan 2Switch(config-if)# endSwitch#These examples show how to verify the configuration:
Switch# show running-config interface gigabitethernet0/1Building configuration...Current configuration : 74 bytes!interface GigabitEthernet0/1no ip addresssnmp trap link-statusendSwitch# show interfaces gigabitethernet0/1 switchportName: Gi0/1Switchport: EnabledAdministrative Mode: dynamic desirableOperational Mode: static accessAdministrative Trunking Encapsulation: negotiateOperational Trunking Encapsulation: nativeNegotiation of Trunking: OnAccess Mode VLAN: 1 (default)Trunking Native Mode VLAN: 1 (default)Trunking VLANs Enabled: ALLPruning VLANs Enabled: 2-1001Protected: falseUnknown unicast blocked: falseUnknown multicast blocked: falseBroadcast Suppression Level: 100Multicast Suppression Level: 100Unicast Suppression Level: 100Displaying VLANs in the VTP Database
Use the show vlan privileged EXEC command to display a list of VLANs in the database, including status, ports, and configuration:
Switch# show vlanVLAN Name Status Ports---- -------------------------------- --------- -------------------------------1 default active Gi0/1, Gi0/2, Gi0/3, Gi0/4Gi0/7, Gi0/8, Gi0/9, Gi0/11Gi0/1220 VLAN0020 active21 VLAN0021 active22 VLAN0022 active27 VLAN0027 active31 VLAN0031 active1002 fddi-default active1003 trcrf-default active1004 fddinet-default active1005 trbrf-default activeVLAN Type SAID MTU Parent RingNo BridgeNo Stp BrdgMode Trans1 Trans2---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------1 enet 100001 1500 - - - - - 1002 100320 enet 100020 1500 - - - - - 0 021 enet 100021 1500 - - - - - 0 0VLAN Type SAID MTU Parent RingNo BridgeNo Stp BrdgMode Trans1 Trans2---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------22 enet 100022 1500 - - - - - 0 027 enet 100027 1500 - - - - - 0 031 enet 100031 1500 - - - - - 0 01002 fddi 101002 1500 - - - - - 1 10031003 trcrf 101003 4472 1005 3276 - - srb 1 10021004 fdnet 101004 1500 - - 1 ibm - 0 01005 trbrf 101005 4472 - - 15 ibm - 0 0VLAN AREHops STEHops Backup CRF---- ------- ------- ----------1003 7 7 offUse the show vlan brief privileged EXEC command to display a list of VLANs in the database with status and port information but without configuration information:
Switch# show vlan briefVLAN Name Status Ports---- -------------------------------- --------- -------------------------------1 default active Gi0/1, Gi0/2, Gi0/3, Gi0/4Gi0/7, Gi0/8, Gi0/9, Gi0/11Gi0/1220 VLAN0020 active21 VLAN0021 active22 VLAN0022 active27 VLAN0027 active31 VLAN0031 active1002 fddi-default active1003 trcrf-default active1004 fddinet-default active1005 trbrf-default activeUnderstanding VLAN Trunks
These sections describe how VLAN trunks function on the switch:
•
Trunking Overview
A trunk is a point-to-point link between one or more Ethernet switch interfaces and another networking device such as a router or a switch. Trunks carry the traffic of multiple VLANs over a single link, and you can extend VLANs across an entire network. The 100BASE-T and Gigabit Ethernet trunks carry traffic for multiple VLANs over a single link.
Two trunking encapsulations are available on all Ethernet interfaces:
•
•
Figure 9-4 shows a network of switches that are connected by ISL trunks.
Figure 9-4 Switches in an ISL Trunking Environment
You can configure a trunk on a single Ethernet interface or on an EtherChannel bundle. For more information about EtherChannel, see "Configuring EtherChannel."
Ethernet trunk interfaces support different trunking modes (see Table 9-6). You can specify whether the trunk uses ISL or 802.1Q encapsulation or if the encapsulation type is autonegotiated. To autonegotiate trunking, the interfaces must be in the same VTP domain. Use the trunk or nonegotiate keywords to force interfaces in different domains to trunk. Trunk negotiation is managed by the Dynamic Trunking Protocol (DTP), which supports autonegotiation of both ISL and 802.1Q trunks.
Note
Encapsulation Types
Table 9-7 lists the Ethernet trunk encapsulation types and keywords.
Note
The trunking mode, the trunk encapsulation type, and the hardware capabilities of the two connected interfaces determine whether a link becomes an ISL or 802.1Q trunk.
802.1Q Configuration Considerations
802.1Q trunks impose these limitations on the trunking strategy for a network:
•
When you connect a Cisco switch to a non-Cisco device through an 802.1Q trunk, the Cisco switch combines the spanning-tree instance of the VLAN of the trunk with the spanning-tree instance of the non-Cisco 802.1Q switch. However, spanning-tree information for each VLAN is maintained by Cisco switches separated by a cloud of non-Cisco 802.1Q switches. The non-Cisco 802.1Q cloud separating the Cisco switches is treated as a single trunk link between the switches.
•
•
Default Layer 2 Ethernet Interface VLAN Configuration
Table 9-8 shows the default Layer 2 Ethernet interface VLAN configuration.
Configuring an Ethernet Interface as a Trunk Port
Because trunk ports send and receive VTP advertisements, you must ensure that at least one trunk port is configured on the switch and that this trunk port is connected to the trunk port of a second switch. Otherwise, the switch cannot receive any VTP advertisements.
This section includes these procedures for configuring an Ethernet interface as a trunk port on the switch:
•
•
•
Note
Configuring a Trunk Port
Beginning in privileged EXEC mode, follow these steps to configure a port as an ISL or 802.1Q trunk port:
To return an interface to its default configuration, use the default interface interface-id interface configuration command. To reset all trunking characteristics of a trunking interface to the defaults, use the no switchport trunk interface configuration command. Use the no switchport mode and no switchport access interface configuration commands to return to the default settings.
This example shows how to configure the Gigabit Ethernet interface 0/4 as an 802.1Q trunk. This example assumes that the neighbor interface is configured to support 802.1Q trunking:
Switch# configure terminalEnter configuration commands, one per line. End with CNTL/Z.Switch(config)# interface gigabitethernet0/4Switch(config-if)# switchport mode dynamic desirableSwitch(config-if)# switchport trunk encapsulation dot1qSwitch(config-if)# endSwitch#These examples show how to verify the configuration:
Switch# show running-config interface gigabitethernet0/4Building configuration...Current configuration : 112 bytes!interface GigabitEthernet0/4switchport trunk encapsulation dot1qno ip addresssnmp trap link-statusendSwitch# show interfaces gigabitethernet0/4 switchportName: Gi0/4Switchport: EnabledAdministrative Mode: dynamic desirableOperational Mode: downAdministrative Trunking Encapsulation: dot1qNegotiation of Trunking: OnAccess Mode VLAN: 1 (default)Trunking Native Mode VLAN: 1 (default)Trunking VLANs Enabled: ALLPruning VLANs Enabled: 2-1001Protected: falseUnknown unicast blocked: falseUnknown multicast blocked: falseBroadcast Suppression Level: 100Multicast Suppression Level: 100Unicast Suppression Level: 100In this example, the encapsulation method is ISL:
Switch# show interfaces gigabitethernet0/4 trunkPort Mode Encapsulation Status Native vlanGi0/4 desirable n-isl trunking 1Port Vlans allowed on trunkGi0/4 1-1005Port Vlans allowed and active in management domainGi0/4 1,10-1000Port Vlans in spanning tree forwarding state and not prunedGi0/4 1,10-1000Defining the Allowed VLANs on a Trunk
By default, a trunk port sends traffic to and receives traffic from all VLANs in the VLAN database. All VLANs, VLANs 1 to 1005, are allowed on each trunk. However, you can remove VLANs from the allowed list, preventing traffic from those VLANs from passing over the trunk. To restrict the traffic a trunk carries, use the switchport trunk allowed vlan remove vlan-list interface configuration to remove specific VLANs from the allowed list.
A trunk port can become a member of a VLAN if the VLAN is enabled, if VTP knows of the VLAN, and if the VLAN is in the allowed list for the port. When VTP detects a newly enabled VLAN and the VLAN is in the allowed list for a trunk port, the trunk port automatically becomes a member of the enabled VLAN. When VTP detects a new VLAN and the VLAN is not in the allowed list for a trunk port, the trunk port does not become a member of the new VLAN.
Beginning in privileged EXEC mode, follow these steps to modify the allowed list of an ISL or 802.1Q trunk:
To return to the default allowed VLAN list of all VLANs, use the no switchport trunk allowed vlan interface configuration command.
This example shows how to remove VLAN 2 from the allowed VLAN list and verify the configuration.
Switch(config)# interface gigabitethernet0/1Switch(config-if)# switchport trunk allowed vlan remove 2Switch(config-if)# endSwitch# show interfaces gigabitethernet0/1 switchportName: Gi0/1Switchport: EnabledAdministrative Mode: dynamic desirableOperational Mode: static accessAdministrative Trunking Encapsulation: negotiateOperational Trunking Encapsulation: nativeNegotiation of Trunking: OnAccess Mode VLAN: 1 (default)Trunking Native Mode VLAN: 1 (default)Trunking VLANs Enabled: 1,3-1005Pruning VLANs Enabled: 2-1001Protected: falseUnknown unicast blocked: falseUnknown multicast blocked: falseBroadcast Suppression Level: 100Multicast Suppression Level: 100Unicast Suppression Level: 100Changing the Pruning-Eligible List
The pruning-eligible list applies only to trunk ports. Each trunk port has its own eligibility list. VTP pruning must be enabled for this procedure to take effect. The "Enabling VTP Pruning" section describes how to enable VTP pruning.
Beginning in privileged EXEC mode, follow these steps to remove VLANs from the pruning-eligible list on a trunk port:
Step 1
configure terminal
Enter global configuration mode.
Step 2
interface interface-id
Enter interface configuration mode, and select the trunk port for which VLANs should be pruned.
Step 3
switchport trunk pruning vlan {add | except | none | remove} vlan-list [,vlan[,vlan[,,,]]
Configure the list of VLANs allowed to be pruned from the trunk. (See the "VTP Pruning" section).
For explanations about using the add, except, none, and remove keywords, refer to Catalyst 3550 Multilayer Switch Command Reference for this release.
Separate nonconsecutive VLAN IDs with a comma and no spaces; use a hyphen to designate a range of IDs. Valid IDs are from 2 to 1001.
VLANs that are pruning-ineligible receive flooded traffic.
The default list of VLANs allowed to be pruned contains all VLANs.
Step 4
end
Return to privileged EXEC mode.
Step 5
show interfaces interface-id switchport
Verify your entries in the Pruning VLANs Enabled field of the display.
Step 6
copy running-config startup-config
(Optional) Save your entries in the configuration file.
To return to the default pruning-eligible list of all VLANs, use the no switchport trunk pruning vlan interface configuration command.
Configuring the Native VLAN for Untagged Traffic
A trunk port configured with 802.1Q tagging can receive both tagged and untagged traffic. By default, the switch forwards untagged traffic in the native VLAN configured for the port. The native VLAN is VLAN 1 by default.
Note
For information about 802.1Q configuration issues, see the "Encapsulation Types" section.
Beginning in privileged EXEC mode, follow these steps to configure the native VLAN on an 802.1Q trunk:
To return to the default native VLAN, VLAN 1, use the no switchport trunk native vlan interface configuration command.
If a packet has a VLAN ID that is the same as the outgoing port native VLAN ID, the packet is sent untagged; otherwise, the switch sends the packet with a tag.
Load Sharing Using STP
Load sharing divides the bandwidth supplied by parallel trunks connecting switches. To avoid loops, STP normally blocks all but one parallel link between switches. Using load sharing, you divide the traffic between the links according to which VLAN the traffic belongs.
You configure load sharing on trunk ports by using STP port priorities or STP path costs. For load sharing using STP port priorities, both load-sharing links must be connected to the same switch. For load sharing using STP path costs, each load-sharing link can be connected to the same switch or to two different switches. For more information, see "Configuring STP."
Load Sharing Using STP Port Priorities
When two ports on the same switch form a loop, the STP port priority setting determines which port is enabled and which port is in a blocking state. You can set the priorities on a parallel trunk port so that the port carries all the traffic for a given VLAN. The trunk port with the higher priority (lower values) for a VLAN is forwarding traffic for that VLAN. The trunk port with the lower priority (higher values) for the same VLAN remains in a blocking state for that VLAN. One trunk port sends or receives all traffic for the VLAN.
Figure 9-5 shows two trunks connecting supported switches. In this example, the switches are configured as follows:
•
•
•
•
In this way, Trunk 1 carries traffic for VLANs 8 through 10, and Trunk 2 carries traffic for VLANs 3 through 6. If the active trunk fails, the trunk with the lower priority takes over and carries the traffic for all of the VLANs. No duplication of traffic occurs over any trunk port.
Figure 9-5 Load Sharing by Using STP Port Priorities
Configuring STP Port Priorities and Load Sharing
Beginning in privileged EXEC mode, follow these steps to configure the network shown in Figure 9-5:
Load Sharing Using STP Path Cost
You can configure parallel trunks to share VLAN traffic by setting different path costs on a trunk and associating the path costs with different sets of VLANs. The VLANs keep the traffic separate. Because no loops exist, STP does not disable the ports, and redundancy is maintained in the event of a lost link.
In Figure 9-6, Trunk ports 1 and 2 are 100BASE-T ports. The path costs for the VLANs are assigned as follows:
•
•
•
•
Figure 9-6 Load-Sharing Trunks with Traffic Distributed by Path Cost
Configuring STP Path Costs and Load Sharing
Beginning in privileged EXEC mode, follow these steps to configure the network shown in Figure 9-6:
Understanding VMPS
The Catalyst 3550 switch acts as a client to the VMPS and communicates with it through the VLAN Query Protocol (VQP). When the VMPS receives a VQP request from a client switch, it searches its database for a MAC-address-to-VLAN mapping. The server response is based on this mapping and whether or not the server is in secure mode. Secure mode determines whether the server shuts down the port when a VLAN is not allowed on it or just denies the port access to the VLAN.
In response to a request, the VMPS takes one of these actions:
•
–
–
–
•
If the switch receives an access-denied response from the VMPS, it continues to block traffic from the MAC address to or from the port. The switch continues to monitor the packets directed to the port and sends a query to the VMPS when it identifies a new address. If the switch receives a port-shutdown response from the VMPS, it disables the port. The port must be manually re-enabled by using the CLI, CMS, or SNMP.
You can also use an explicit entry in the configuration table to deny access to specific MAC addresses for security reasons. If you enter the none keyword for the VLAN name, the VMPS sends an access-denied or port-shutdown response, depending on the VMPS secure mode setting.
Dynamic Port VLAN Membership
A dynamic (nontrunking) port on the switch can belong to only one VLAN. When the link comes up, the switch does not forward traffic to or from this port until the VMPS provides the VLAN assignment. The VMPS receives the source MAC address from the first packet of a new host connected to the dynamic port and attempts to match the MAC address to a VLAN in the VMPS database.
If there is a match, the VMPS sends the VLAN number for that port. If the client switch was not previously configured, it uses the domain name from the first VTP packet it receives on its trunk port from the VMPS. If the client switch was previously configured, it includes its domain name in the query packet to the VMPS to obtain its VLAN number. The VMPS verifies that the domain name in the packet matches its own domain name before accepting the request and responds to the client with the assigned VLAN number for the client. If there is no match, the VMPS either denies the request or shuts down the port (depending on the VMPS secure mode setting).
Multiple hosts (MAC addresses) can be active on a dynamic port if they are all in the same VLAN; however, the VMPS shuts down a dynamic port if more than 20 hosts are active on the port.
If the link goes down on a dynamic port, the port returns to an isolated state and does not belong to a VLAN. Any hosts that come online through the port are checked again through the VQP with the VMPS before the port is assigned to a VLAN.
VMPS Database Configuration File
The VMPS contains a database configuration file that you create. This ASCII text file is stored on a switch-accessible TFTP server that functions as a VMPS server. The file contains VMPS information, such as the domain name, the fallback VLAN name, and the MAC-address-to-VLAN mapping. The Catalyst 3550 switch cannot act as the VMPS, but you can use a Catalyst 5000 or Catalyst 6000 series switch as the VMPS.
You can configure a fallback VLAN name. If you connect a device with a MAC address that is not in the database, the VMPS sends the fallback VLAN name to the client. If you do not configure a fallback VLAN and the MAC address does not exist in the database, the VMPS sends an access-denied response. If the VMPS is in secure mode, it sends a port-shutdown response.
Whenever port names are used in the VMPS database configuration file, the server must use the switch convention for naming ports. For example, Gi0/4 is fixed Gigabit Ethernet port number 4. If the switch is a cluster member, the command switch adds the name of the switch before the type. For example, es3%Gi0/4 refers to fixed Gigabit Ethernet port 4 on member switch 3. When port names are required, these naming conventions must be followed in the VMPS database configuration file when it is configured to support a cluster.
This example shows a example of a VMPS database configuration file as it appears on a Catalyst 6000 series switch. The file has these characteristics:
•
•
•
•
•
•
!VMPS File Format, version 1.1! Always begin the configuration file with! the word "VMPS"!!vmps domain <domain-name>! The VMPS domain must be defined.!vmps mode {open | secure}! The default mode is open.!vmps fallback <vlan-name>!vmps no-domain-req { allow | deny }!! The default value is allow.vmps domain DSBUvmps mode openvmps fallback defaultvmps no-domain-req deny!!!MAC Addresses!vmps-mac-addrs!! address <addr> vlan-name <vlan_name>!address 0012.2233.4455 vlan-name hardwareaddress 0000.6509.a080 vlan-name hardwareaddress aabb.ccdd.eeff vlan-name Greenaddress 1223.5678.9abc vlan-name ExecStaffaddress fedc.ba98.7654 vlan-name --NONE--address fedc.ba23.1245 vlan-name Purple!!Port Groups!!vmps-port-group <group-name>! device <device-id> { port <port-name> | all-ports }!vmps-port-group WiringCloset1device 198.92.30.32 port 0/2device 172.20.26.141 port 0/8vmps-port-group "Executive Row"device 198.4.254.222 port 0/2device 198.4.254.222 port 0/3device 198.4.254.223 all-ports!!!VLAN groups!!vmps-vlan-group <group-name>! vlan-name <vlan-name>!vmps-vlan-group Engineeringvlan-name hardwarevlan-name software!!!VLAN port Policies!!vmps-port-policies {vlan-name <vlan_name> | vlan-group <group-name> }! { port-group <group-name> | device <device-id> port <port-name> }!vmps-port-policies vlan-group Engineeringport-group WiringCloset1vmps-port-policies vlan-name Greendevice 198.92.30.32 port 0/8vmps-port-policies vlan-name Purpledevice 198.4.254.22 port 0/2port-group "Executive Row"VMPS Configuration Guidelines
These guidelines and restrictions apply to dynamic port VLAN membership:
•
•
•
•
•
You must turn off trunking on the port before the dynamic access setting takes effect.
•
•
•
•
Default VMPS Configuration
Table 9-9 shows the default VMPS and dynamic port configuration on client switches.
Table 9-9 Default VMPS Client and Dynamic Port Configuration
VMPS domain server
None
VMPS reconfirm interval
60 minutes
VMPS server retry count
3
Dynamic ports
None configured
Configuring an Interface as a Layer 2 Dynamic Access Port
You configure dynamic VLANs by using the VMPS (server). The switch cannot be a VMPS server; the server can be a Catalyst 6000 switch or other similar device.
Entering the IP Address of the VMPS
You must first enter the IP address of the server to configure the switch as a client.
Note
Beginning in privileged EXEC mode, follow these steps to enter the IP address of the VMPS:
This is an example of output for the show vmps privileged EXEC command, used to verify the VMPS server IP address.
Switch# show vmpsVQP Client Status:--------------------VMPS VQP Version: 1Reconfirm Interval: 60 minServer Retry Count: 3VMPS domain server: 172.20.128.86 (primary, current)172.20.128.87Reconfirmation status---------------------VMPS Action: No Dynamic Port
Note
Configuring Dynamic Access Ports on VMPS Clients
Caution
Beginning in privileged EXEC mode, follow these steps to configure a dynamic access port on a VMPS client switch:
To return an interface to its default configuration, use the default interface interface-id interface configuration command. To return an interface to its default switchport mode (dynamic desirable), use the no switchport mode interface configuration command. To reset the access mode to the default VLAN for the switch, use the no switchport access interface configuration command.
Reconfirming VLAN Memberships
Beginning in privileged EXEC mode, follow these steps to confirm the dynamic port VLAN membership assignments that the switch has received from the VMPS:
Step 1
vmps reconfirm
Reconfirm dynamic port VLAN membership.
Step 2
show vmps
Verify the dynamic VLAN reconfirmation status.
Changing the Reconfirmation Interval
VMPS clients periodically reconfirm the VLAN membership information received from the VMPS. You can set the number of minutes after which reconfirmation occurs.
If you are configuring a member switch in a cluster, this parameter must be equal to or greater than the reconfirmation setting on the command switch.
Beginning in privileged EXEC mode, follow these steps to change the reconfirmation interval:
To return the switch to its default setting, use the no vmps reconfirm global configuration command.
Changing the Retry Count
Beginning in privileged EXEC mode, follow these steps to change the number of times that the switch attempts to contact the VMPS before querying the next server:
To return the switch to its default setting, use the no vmps retry global configuration command.
Administering and Monitoring the VMPS
You can display information about the VMPS by using the show vmps privileged EXEC command. The switch displays this information about the VMPS:
Troubleshooting Dynamic Port VLAN Membership
The VMPS shuts down a dynamic port under these conditions:
•
•
To re-enable a disabled dynamic port, enter the no shutdown interface configuration command.
Dynamic Port VLAN Membership Configuration Example
Figure 9-7 shows a network with a VMPS server switch and VMPS client switches with dynamic ports. In this example, these assumptions apply:
•
•
•
•
•
Figure 9-7 Dynamic Port VLAN Membership Configuration
