Network administrators who are responsible for portions of the switched network are familiar with the basic configuration tasks related to creating VLANs, configuring trunk links, associating voice and data VLANs with ports, and securing the VLAN implementation. This section describes the major tasks required to configure VLANs and trunks on switches in the network infrastructure.

Show VLAN Assignment (3.2.1)

The first step in configuring VLANs is to create the VLANs and to associate switch ports with VLANs.

VLAN Ranges on Catalyst Switches (3.2.1.1)

Different Cisco Catalyst switches support various numbers of VLANs. The number of supported VLANs is large enough to accommodate the needs of most organizations. For example, the Catalyst 2960 and 3560 Series switches support over 4000 VLANs. Normal-range VLANs on these switches are numbered 1 to 1005, and extended-range VLANs are numbered 1006 to 4094. Catalyst 2960 switches running Cisco IOS Release 15.x support extended-range VLANs.

Normal-Range VLANs

Normal-range VLANs are usually the ones utilized in switched networks, because most networks do not need over 1000 VLANs!
Extended-Range VLANs

Extended-range VLANs are primarily used in metropolitan service provider networks requiring over 1000 VLANs to support the various customers.
Creating a VLAN (3.2.1.2)

When configuring normal-range VLANs, the configuration details are stored in flash memory on the switch in a file called vlan.dat. Flash memory is persistent and does not require the copy running-config startup-config command. However, because other details are often configured on a Cisco switch at the same time that VLANs are created, it is good practice to save running configuration changes to the startup configuration. Table 3-1 displays the Cisco IOS command syntax used to add a VLAN to a switch and give it a name. Naming each VLAN is considered a best practice in switch configuration.

Table 3-1 Creating a VLAN
Figure 3-10 shows how the student VLAN (VLAN 20) is configured on switch S1. In the topology example, the student computer (PC2) has not been associated with a VLAN yet, but it does have an IP address of 172.17.20.22.
Figure 3-10 Sample VLAN Configuration

In addition to entering a single VLAN ID, a series of VLAN IDs can be entered separated by commas, or a range of VLAN IDs separated by hyphens using the vlan vlan-id command. For example, use the following command to create VLANs 100, 102, 105, 106, and 107:

S1(config)# vlan 100,102,105-107

Assigning Ports to VLANs (3.2.1.3)

After creating a VLAN, the next step is to assign ports to the VLAN. An access port can belong to only one VLAN at a time. One exception to this rule is that of a port connected to an IP phone, in which case there are two VLANs associated with the port: one for voice and one for data. Table 3-2 displays the syntax for defining a port to be an access port and assigning it to a VLAN. The switchport mode access command is optional but strongly recommended as a security best practice. With this command, the interface changes to permanent access mode.

Table 3-2 Assign Ports to VLANs
In Figure 3-11, VLAN 20 is assigned to port F0/18 on switch S1; therefore, the student computer (PC2) is in VLAN 20. When VLAN 20 is configured on other switches, the network administrator knows to configure the other student computers to be in the same subnet as PC2 (172.17.20.0/24).
Figure 3-11 Sample Interface Configuration for VLANs

The switchport access vlan command forces the creation of a VLAN if it does not already exist on the switch. For example, VLAN 30 is not present in the show vlan brief output of the switch. If the switchport access vlan 30 command is entered on any interface with no previous configuration, the switch displays:

% Access VLAN does not exist. Creating vlan 30

Changing VLAN Port Membership (3.2.1.4)

There are a number of ways to change VLAN port membership. Table 3-3 shows the syntax for changing a switch port to VLAN 1 membership with the no switchport access vlan interface configuration mode command.

Table 3-3 Removing a VLAN Assignment
Interface F0/18 was previously assigned to VLAN 20. The no switchport access vlan command is entered for interface F0/18. Examine the output of the show vlan brief command, as shown in Example 3-3. The show vlan brief command displays the VLAN assignment and membership type for all switch ports, with one line for each VLAN; the output for each VLAN includes the VLAN name, status, and member switch ports.

Example 3-3 Sample VLAN Assignment Removal

S1(config)# interface f0/18
S1(config-if)# no switchport access vlan
S1(config-if)# do show vlan brief

VLAN Name                             Status    Ports
---- -------------------------------- --------- --------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                Fa0/9, Fa0/10, Fa0/11, Fa0/12
                                                Fa0/13, Fa0/14, Fa0/15, Fa0/16
                                                Fa0/17, Fa0/18, Fa0/19, Fa0/20
                                                Fa0/21, Fa0/22, Fa0/23, Fa0/24
                                                Gi0/1, Gi0/2
20   student                          active
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup

VLAN 20 is still active, even though no ports are assigned to it. In Example 3-4, the show interfaces f0/18 switchport output verifies that the access VLAN for interface F0/18 has been reset to VLAN 1.

Example 3-4 Verification of VLAN Assignment Removal

S1# show interfaces f0/18 switchport
Name: Fa0/18
Switchport: Enabled
Administrative Mode: dynamic auto
Operational Mode: down
Administrative Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
<output omitted>

A port can easily have its VLAN membership changed. It is not necessary to first remove a port from a VLAN to change its VLAN membership. When an access port has its VLAN membership reassigned to another existing VLAN, the new VLAN membership simply replaces the previous VLAN membership. In Example 3-5, port F0/11 is assigned to VLAN 20.
Example 3-5 Changing VLAN Assignment

S1(config)# interface f0/11
S1(config-if)# switchport mode access
S1(config-if)# switchport access vlan 20
S1(config-if)# end
*Mar 31 09:33:26.058: %SYS-5-CONFIG_I: Configured from console by console
S1# show vlan brief

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                Fa0/9, Fa0/10, Fa0/12, Fa0/13
                                                Fa0/14, Fa0/15, Fa0/16, Fa0/17
                                                Fa0/18, Fa0/19, Fa0/20, Fa0/21
                                                Fa0/22, Fa0/23, Fa0/24, Gi0/1
                                                Gi0/2
20   student                          active    Fa0/11
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup
S1#

Deleting VLANs (3.2.1.5)

In Example 3-6, the no vlan vlan-id global configuration mode command is used to remove VLAN 20 from the switch. Switch S1 had a minimal configuration with all ports in VLAN 1 and an unused VLAN 20 in the VLAN database. The show vlan brief command verifies that VLAN 20 is no longer present in the vlan.dat file after using the no vlan 20 command.

Example 3-6 Deleting a VLAN

S1(config)# no vlan 20
S1(config)# end
S1#
*Mar 1 07:37:55.785: %SYS-5-CONFIG_I: Configured from console by console
S1# show vlan brief

VLAN Name                             Status    Ports
---- -------------------------------- --------- --------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                Fa0/9, Fa0/10, Fa0/12, Fa0/13
                                                Fa0/14, Fa0/15, Fa0/16, Fa0/17
                                                Fa0/18, Fa0/19, Fa0/20, Fa0/21
                                                Fa0/22, Fa0/23, Fa0/24, Gi0/1
                                                Gi0/2
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup

Alternatively, the entire vlan.dat file can be deleted using the delete flash:vlan.dat privileged EXEC mode command. The abbreviated command version (delete vlan.dat) can be used if the vlan.dat file has not been moved from its default location.
After issuing this command and reloading the switch, the previously configured VLANs are no longer present. This effectively places the switch into its factory default condition concerning VLAN configurations.

Verifying VLAN Information (3.2.1.6)

After a VLAN is configured, VLAN configurations can be validated using Cisco IOS show commands. Table 3-4 displays the show vlan command options.

Table 3-4 show vlan Command
Table 3-5 displays the show interfaces command options.

Table 3-5 show interfaces Command
In Example 3-7, the show vlan name student command produces output that is not easily interpreted. The preferable option is to use the show vlan brief command. The show vlan summary command displays the count of all configured VLANs. The output in Example 3-7 shows seven VLANs.

Example 3-7 Using the show vlan Command

S1# show vlan name student

VLAN Name                             Status    Ports
---- -------------------------------- --------- --------------------------
20   student                          active    Fa0/11

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
20   enet  100020     1500  -      -      -        -    -        0      0

Remote SPAN VLAN
----------------
Disabled

Primary Secondary Type              Ports
------- --------- ----------------- -------------------------------------

S1# show vlan summary
Number of existing VLANs             : 7
Number of existing VTP VLANs         : 7
Number of existing extended VLANs    : 0

The show interfaces vlan vlan-id command displays details that are beyond the scope of this course. The important information appears on the second line in Example 3-8, indicating that VLAN 20 is up.
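The verification commands above are easier to act on when their output is parsed rather than read. The following added example (not from the textbook) parses the show vlan brief layout of Example 3-3 and flags two conditions the chapter discusses: a user VLAN that exists in vlan.dat with no member ports, and ports still sitting in the default VLAN 1. The sample output is a constructed copy of Example 3-3.

```python
"""Parse Cisco IOS `show vlan brief` output and flag VLAN hygiene issues.

Added example, not from the textbook. Assumes the standard IOS column layout
shown in the chapter's Example 3-3.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample: the `show vlan brief` output from Example 3-3, after
# `no switchport access vlan` returned Fa0/18 to VLAN 1.
SAMPLE_SHOW_VLAN_BRIEF = """\
VLAN Name                             Status    Ports
---- -------------------------------- --------- --------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                Fa0/9, Fa0/10, Fa0/11, Fa0/12
                                                Fa0/13, Fa0/14, Fa0/15, Fa0/16
                                                Fa0/17, Fa0/18, Fa0/19, Fa0/20
                                                Fa0/21, Fa0/22, Fa0/23, Fa0/24
                                                Gi0/1, Gi0/2
20   student                          active
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup
"""


@dataclass
class Vlan:
    vid: int
    name: str
    status: str
    ports: list[str] = field(default_factory=list)


# A VLAN row starts in column 0 with the numeric ID; continuation rows that
# carry more ports for the same VLAN are indented.
VLAN_ROW = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s*(.*)$")
PORT_NAME = re.compile(r"^(?:Fa|Gi|Te)\d+/\d+(?:/\d+)?$")


def _split_ports(chunk: str) -> list[str]:
    return [p for p in (x.strip() for x in chunk.split(",")) if PORT_NAME.match(p)]


def parse_show_vlan_brief(text: str) -> dict[int, Vlan]:
    """Return {vlan-id: Vlan} for every row of the table."""
    vlans: dict[int, Vlan] = {}
    current: Vlan | None = None
    for line in text.splitlines():
        if not line.strip() or line.startswith(("VLAN", "----")):
            continue  # header and separator lines
        m = VLAN_ROW.match(line)
        if m and not line[0].isspace():
            vid, name, status, ports = m.groups()
            current = Vlan(int(vid), name, status, _split_ports(ports))
            vlans[current.vid] = current
        elif current is not None and line[0].isspace():
            current.ports.extend(_split_ports(line))
    return vlans


def empty_active_vlans(vlans: dict[int, Vlan]) -> list[int]:
    """User VLANs present in vlan.dat but with no member ports (VLAN 20 after
    Example 3-3). VLAN 1 and the reserved VLANs 1002-1005 are skipped."""
    return [v.vid for v in vlans.values()
            if v.status == "active" and not v.ports and 1 < v.vid < 1002]


def ports_in_vlan1(vlans: dict[int, Vlan]) -> list[str]:
    """Ports still in the default VLAN 1, which the chapter's design
    guidelines say should be moved to another VLAN."""
    return list(vlans[1].ports) if 1 in vlans else []


if __name__ == "__main__":
    parsed = parse_show_vlan_brief(SAMPLE_SHOW_VLAN_BRIEF)
    print("empty user VLANs:", empty_active_vlans(parsed))
    print("ports in VLAN 1:", len(ports_in_vlan1(parsed)))
```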
Example 3-8 Using the show interfaces vlan Command

S1# show interfaces vlan 20
Vlan 20 is up, line protocol is down
  Hardware is EtherSVI, address is 0021.a1e0.78c1 (bia 0021.a1e0.78c1)
  MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive not supported
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input never, output never, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     0 packets input, 0 bytes, 0 no buffer
     Received 0 broadcasts (0 IP multicasts)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 packets output, 0 bytes, 0 underruns
     0 output errors, 0 interface resets
     0 output buffer failures, 0 output buffers swapped out
S1#

VLAN Trunks (3.2.2)

In this section, the elements of VLAN trunk configuration are explored. Remember that VLAN trunks carry all the control traffic between switches. VLAN trunks enable the communication between switches required for many of the technologies specific to the LAN switched environment.

Configuring IEEE 802.1Q Trunk Links (3.2.2.1)

A VLAN trunk is an OSI Layer 2 link between two switches that carries traffic for all VLANs (unless the allowed VLAN list is restricted manually or dynamically). To enable trunk links, configure the ports on either end of the physical link with parallel sets of commands. To configure a switch port on one end of a trunk link, use the switchport mode trunk command. With this command, the interface changes to permanent trunking mode. The port enters into a Dynamic Trunking Protocol (DTP) negotiation to convert the link into a trunk link even if the interface connecting to it does not agree to the change. DTP is described in the next topic.
In this course, the switchport mode trunk command is the only method implemented for trunk configuration. The Cisco IOS command syntax to specify a native VLAN (other than VLAN 1) is shown in Table 3-6.

Table 3-6 802.1Q Trunk Configuration
Use the Cisco IOS switchport trunk allowed vlan vlan-list command to specify the list of VLANs to be allowed on the trunk link. In Figure 3-12, VLANs 10, 20, and 30 support the Faculty, Student, and Guest computers (PC1, PC2, and PC3). The native VLAN should also be changed from VLAN 1 to another VLAN, such as VLAN 99. By default, all VLANs are allowed across a trunk link. The switchport trunk allowed vlan command can be used to limit the allowed VLANs.
Figure 3-12 Sample Interface Configuration for VLANs

In Example 3-9, port F0/1 on switch S1 is configured as a trunk port, the native VLAN is set to VLAN 99, and the trunk is restricted to forwarding traffic for VLANs 10, 20, 30, and 99.

Example 3-9 Sample Trunk Configuration

S1(config)# interface FastEthernet0/1
S1(config-if)# switchport mode trunk
S1(config-if)# switchport trunk native vlan 99
S1(config-if)# switchport trunk allowed vlan 10,20,30
S1(config-if)# end

Resetting the Trunk to the Default State (3.2.2.2)

Table 3-7 shows the commands to remove the allowed VLANs and reset the native VLAN of the trunk. When reset to the default state, the trunk allows all VLANs and uses VLAN 1 as the native VLAN.

Table 3-7 Resetting Configured Values on Trunk Links
Example 3-10 shows the commands used to reset all trunking characteristics of a trunking interface to the default settings. The show interfaces f0/1 switchport command reveals that the trunk has been reconfigured to a default state.

Example 3-10 Resetting Trunk Link

S1(config)# interface f0/1
S1(config-if)# no switchport trunk allowed vlan
S1(config-if)# no switchport trunk native vlan
S1(config-if)# end
S1# show interfaces f0/1 switchport
Name: Fa0/1
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
<output omitted>
Administrative private-vlan trunk mappings: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
<output omitted>

In Example 3-11, the sample output shows the commands used to remove the trunk feature from the F0/1 switch port on switch S1. The show interfaces f0/1 switchport command reveals that the F0/1 interface is now in static access mode.

Example 3-11 Return Port to Access Mode

S1(config)# interface f0/1
S1(config-if)# switchport mode access
S1(config-if)# end
S1# show interfaces f0/1 switchport
Name: Fa0/1
Switchport: Enabled
Administrative Mode: static access
Operational Mode: static access
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: native
Negotiation of Trunking: Off
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
<output omitted>

Verifying Trunk Configuration (3.2.2.3)

Example 3-12 displays the configuration of switch port F0/1 on switch S1. The configuration is verified with the show interfaces interface-id switchport command.
Example 3-12 Verifying Trunk Configuration

S1(config)# interface f0/1
S1(config-if)# switchport mode trunk
S1(config-if)# switchport trunk native vlan 99
S1(config-if)# end
S1# show interfaces f0/1 switchport
Name: Fa0/1
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 99 (VLAN0099)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk associations: none
Administrative private-vlan trunk mappings: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
<output omitted>

The top highlighted area shows that port F0/1 has its administrative mode set to trunk. The port is in trunking mode. The next highlighted area verifies that the native VLAN is VLAN 99. Farther down in the output, the bottom highlighted area shows that all VLANs are enabled on the trunk.

Dynamic Trunking Protocol (3.2.3)

Networking technologies often involve both manual and automatic implementations. For example, routing, speed/duplex port configuration, and cable selection versus auto-MDIX illustrate this dichotomy of manual versus automatic. In LAN switching, Dynamic Trunking Protocol (DTP) is one of the first examples one encounters of manual versus automatic. With DTP, network administrators have the option to let neighboring switches autonegotiate trunk formation.

Introduction to DTP (3.2.3.1)

Ethernet trunk interfaces support different trunking modes.
An interface can be set to trunking or nontrunking, or to negotiate trunking with the neighbor interface. Trunk negotiation is managed by the Dynamic Trunking Protocol (DTP), which operates on a point-to-point basis only between network devices. DTP is a Cisco-proprietary protocol that is automatically enabled on Catalyst 2960 and Catalyst 3560 Series switches. Switches from other vendors do not support DTP. DTP manages trunk negotiation only if the port on the neighbor switch is configured in a trunk mode that supports DTP. The default DTP configuration for Cisco Catalyst 2960 and 3560 switches is dynamic auto, as shown in Figure 3-13 on interface F0/3 of switches S1 and S3.
Figure 3-13 Initial DTP Configuration

To enable trunking from a Cisco switch to a device that does not support DTP, use the switchport mode trunk and switchport nonegotiate interface configuration mode commands. This causes the interface to become a trunk, but not generate DTP frames. In Figure 3-14, the link between switches S1 and S2 becomes a trunk because the F0/1 ports on switches S1 and S2 are configured to ignore all DTP advertisements, and to come up in and stay in trunk port mode. The F0/3 ports on switches S1 and S3 are set to dynamic auto, so the negotiation results in the access mode state. This creates an inactive trunk link. When configuring a port to be in trunk mode, use the switchport mode trunk command. There is no ambiguity about which state the trunk is in; it is always on. With this configuration, it is easy to remember which state the trunk ports are in; if the port is supposed to be a trunk, the mode is set to trunk.
Figure 3-14 DTP Interaction Results

Negotiated Interface Modes (3.2.3.2)

Ethernet interfaces on Catalyst 2960 and Catalyst 3560 Series switches support different trunking modes with the help of DTP:
Table 3-8 illustrates the results of the DTP configuration options on opposite ends of a trunk link connected to Catalyst 2960 switch ports.

Table 3-8 DTP-Negotiated Interface Modes
Configure trunk links statically whenever possible. The default DTP mode is dependent on the Cisco IOS Software version and on the platform. To determine the current DTP mode, issue the show dtp interface command, as shown in Example 3-13.

Example 3-13 Verifying DTP Mode

S1# show dtp interface f0/1
DTP information for FastEthernet0/1:
  TOS/TAS/TNS:                              TRUNK/ON/TRUNK
  TOT/TAT/TNT:                              802.1Q/802.1Q/802.1Q
  Neighbor address 1:                       0CD996D23F81
  Neighbor address 2:                       000000000000
  Hello timer expiration (sec/state):       12/RUNNING
  Access timer expiration (sec/state):      never/STOPPED
  Negotiation timer expiration (sec/state): never/STOPPED
  Multidrop timer expiration (sec/state):   never/STOPPED
  FSM state:                                S6:TRUNK
  # times multi & trunk                     0
  Enabled:                                  yes
  In STP:
<output omitted>

Troubleshoot VLANs and Trunks (3.2.4)

A network administrator responsible for portions of the switched infrastructure is able to quickly diagnose and solve problems. Troubleshooting VLANs and VLAN trunks is standard practice in a switched environment.

IP Addressing Issues with VLAN (3.2.4.1)

Each VLAN must correspond to a unique IP subnet. If two devices in the same VLAN have different subnet addresses, they cannot communicate. This is a common problem, and it is easy to solve by identifying the incorrect configuration and changing the subnet address to the correct one. In Figure 3-15, PC1 cannot connect to the Web/TFTP server shown.
Figure 3-15 IP Issue Within VLAN

A check of the IP configuration settings of PC1 shown in Example 3-14 reveals the most common error in configuring VLANs: an incorrectly configured IP address. PC1 is configured with an IP address of 172.172.10.21, but it should have been configured with 172.17.10.21.

Example 3-14 Problem: Incorrect IP Address

PC1> ipconfig
IPv4 Address. . . . . . . . . . . : 172.172.10.21
Subnet Mask . . . . . . . . . . . : 255.255.0.0
Default Gateway . . . . . . . . . : 0.0.0.0

The PC1 Fast Ethernet configuration dialog box shows the updated IP address of 172.17.10.21. In Figure 3-16, the output on the bottom reveals that PC1 has regained connectivity to the Web/TFTP server found at IP address 172.17.10.30.
Figure 3-16 Solution: Change PC IP Address

Missing VLANs (3.2.4.2)

If there is still no connection between devices in a VLAN, but IP addressing issues have been ruled out, refer to the flowchart in Figure 3-17 to troubleshoot:
Figure 3-17 Missing VLAN

To display the MAC address table, use the show mac address-table command. Example 3-15 shows MAC addresses that were learned on the F0/1 interface. It can be seen that MAC address 000c.296a.a21c was learned on interface F0/1 in VLAN 10. If this number is not the expected VLAN number, change the port VLAN membership using the switchport access vlan command.

Example 3-15 Missing VLAN

S1# show mac address-table interface FastEthernet 0/1
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    000c.296a.a21c    DYNAMIC     Fa0/1
  10    000f.34f9.9181    DYNAMIC     Fa0/1
Total Mac Addresses for this criterion: 2
S1# show interfaces FastEthernet 0/1 switchport
Name: Fa0/1
Switchport: Enabled
Administrative Mode: static access
Operational Mode: static access
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: native
Negotiation of Trunking: Off
Access Mode VLAN: 10 (Inactive)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none

Each port in a switch belongs to a VLAN. If the VLAN to which the port belongs is deleted, the port becomes inactive. All ports belonging to the VLAN that was deleted are unable to communicate with the rest of the network. Use the show interface f0/1 switchport command to check whether the port is inactive. If the port is inactive, it is not functional until the missing VLAN is created using the vlan vlan-id command.

Introduction to Troubleshooting Trunks (3.2.4.3)

A common task of a network administrator is to troubleshoot trunk link formation or links incorrectly behaving as trunk links. Sometimes a switch port can behave like a trunk port even if it is not configured as a trunk port. For example, an access port might accept frames from VLANs different from the VLAN to which it is assigned. This is called VLAN leaking. Figure 3-18 displays a flowchart of general trunk troubleshooting guidelines.
Figure 3-18 Troubleshooting Trunks

To troubleshoot issues when a trunk is not forming or when VLAN leaking is occurring, proceed as follows:
To display the status of the trunk, the native VLAN used on that trunk link, and whether the trunk has been established, use the show interfaces trunk command. Example 3-16 shows that the native VLAN on one side of the trunk link was changed to VLAN 2. If one end of the trunk is configured as native VLAN 99 and the other end is configured as native VLAN 2, a frame sent from VLAN 99 on one side is received on VLAN 2 on the other side. VLAN 99 leaks into the VLAN 2 segment.

Example 3-16 Troubleshooting Trunks

S1# show interfaces f0/1 trunk

Port        Mode         Encapsulation  Status        Native vlan
Fa0/1       auto         802.1q         trunking      2
<output omitted>

CDP displays a notification of a native VLAN mismatch on a trunk link with this message:

*Mar 1 06:45:26.232: %CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on FastEthernet0/1 (2), with S2 FastEthernet0/1 (99).

Connectivity issues occur in the network if a native VLAN mismatch exists. Data traffic for VLANs, other than the two native VLANs configured, successfully propagates across the trunk link, but data associated with either of the native VLANs does not successfully propagate across the trunk link. As shown in Example 3-16, native VLAN mismatch issues do not keep the trunk from forming. To solve the native VLAN mismatch, configure the native VLAN to be the same VLAN on both sides of the link.

Common Problems with Trunks (3.2.4.4)

Trunking issues are usually associated with incorrect configurations. When configuring VLANs and trunks on a switched infrastructure, the following types of configuration errors are the most common:
If an issue with a trunk is discovered and if the cause is unknown, start troubleshooting by examining the trunks for a native VLAN mismatch. If that is not the cause, check for trunk mode mismatches, and finally check for the allowed VLAN list on the trunk. The next several sections examine how to fix the common problems with trunks.

Trunk Mode Mismatches (3.2.4.5)

Trunk links are normally configured statically with the switchport mode trunk command. Cisco Catalyst switch trunk ports use DTP to negotiate the state of the link. When a port on a trunk link is configured with a trunk mode that is incompatible with the neighboring trunk port, a trunk link fails to form between the two switches. In the scenario illustrated in Figure 3-19, PC4 cannot connect to the internal web server. The topology indicates a valid configuration. Why is there a problem?
Figure 3-19 Scenario Topology

Check the status of the trunk ports on switch S1 using the show interfaces trunk command. The output shown in Example 3-17 reveals that interface Fa0/3 on switch S1 is not currently a trunk link. Examining the F0/3 interface reveals that the switch port is actually in dynamic auto mode. An examination of the trunks on switch S3 reveals that there are no active trunk ports. Further checking reveals that the Fa0/3 interface is also in dynamic auto mode. This explains why the trunk is down.

Example 3-17 Mismatched DTP Modes

S1# show interfaces trunk

Port        Mode         Encapsulation  Status        Native vlan
Fa0/1       on           802.1q         trunking      99

Port        Vlans allowed on trunk
Fa0/1       10,99

Port        Vlans allowed and active in management domain
Fa0/1       10,99

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/1       10,99
S1# show interfaces f0/3 switchport
Name: Fa0/3
Switchport: Enabled
Administrative Mode: dynamic auto
<output omitted>

S3# show interfaces trunk
S3# show interfaces f0/3 switchport
Name: Fa0/3
Switchport: Enabled
Administrative Mode: dynamic auto
<output omitted>

To resolve the issue, reconfigure the trunk mode of the F0/3 ports on switches S1 and S3, as shown in Example 3-18. After the configuration change, the output of the show interfaces command indicates that the port on switch S1 is now in trunking mode. The output from PC4 indicates that it has regained connectivity to the Web/TFTP server found at IP address 172.17.10.30.
Example 3-18 Corrected Trunk Modes

S1(config)# interface f0/3
S1(config-if)# switchport mode trunk
S1(config-if)# end
S1# show interfaces f0/3 switchport
Name: Fa0/3
Switchport: Enabled
Administrative Mode: trunk
<output omitted>

S3(config)# interface f0/3
S3(config-if)# switchport mode trunk
S3(config-if)# end
S3# show interfaces f0/3 switchport
Name: Fa0/3
Switchport: Enabled
Administrative Mode: trunk
<output omitted>
S3# show interfaces trunk

Port        Mode         Encapsulation  Status        Native vlan
Fa0/3       on           802.1q         trunking      99

Port        Vlans allowed on trunk
Fa0/3       10,99

Port        Vlans allowed and active in management domain
Fa0/3       10,99

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/3       10,99

PC4> ping 172.17.10.30

Pinging 172.17.10.30 with 32 bytes of data:

Reply from 172.17.10.30: bytes=32 time=147ms TTL=128
<output omitted>

Incorrect VLAN List (3.2.4.6)

For traffic from a VLAN to be transmitted across a trunk, it must be allowed on the trunk. To do so, use the switchport trunk allowed vlan vlan-id command. In Figure 3-20, VLAN 20 (Student) and PC5 have been added to the network. The documentation has been updated to show that the VLANs allowed on the trunk are 10, 20, and 99. In this scenario, PC5 cannot connect to the student email server.
Figure 3-20 Scenario Topology

Check the trunk ports on switch S1 using the show interfaces trunk command, as shown in Example 3-19. The command reveals that the interface F0/3 on switch S3 is correctly configured to allow VLANs 10, 20, and 99. An examination of the F0/3 interface on switch S1 reveals that interfaces F0/1 and F0/3 only allow VLANs 10 and 99. Someone updated the documentation but forgot to reconfigure the ports on the S1 switch.

Example 3-19 Missing VLANs

S3# show interfaces trunk

Port        Mode         Encapsulation  Status        Native vlan
Fa0/3       on           802.1q         trunking      99

Port        Vlans allowed on trunk
Fa0/3       10,20,99

Port        Vlans allowed and active in management domain
Fa0/3       10,20,99

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/3       10,20,99

S1# show interfaces trunk

Port        Mode         Encapsulation  Status        Native vlan
Fa0/1       on           802.1q         trunking      99
Fa0/3       on           802.1q         trunking      99

Port        Vlans allowed on trunk
Fa0/1       10,99
Fa0/3       10,99
<output omitted>

Reconfigure F0/1 and F0/3 on switch S1 using the switchport trunk allowed vlan 10,20,99 command, as shown in Example 3-20. The output shows that VLANs 10, 20, and 99 are now added to the F0/1 and F0/3 ports on switch S1. The show interfaces trunk command is an excellent tool for revealing common trunking problems. PC5 has regained connectivity to the student email server found at IP address 172.17.20.10.

Example 3-20 Corrected VLAN List

S1(config)# interface f0/1
S1(config-if)# switchport trunk allowed vlan 10,20,99
S1(config-if)# interface f0/3
S1(config-if)# switchport trunk allowed vlan 10,20,99
S1(config-if)# end
S1# show interfaces trunk

Port        Mode         Encapsulation  Status        Native vlan
Fa0/1       on           802.1q         trunking      99
Fa0/3       on           802.1q         trunking      99

Port        Vlans allowed on trunk
Fa0/1       10,20,99
Fa0/3       10,20,99
<output omitted>

PC5> ping 172.17.20.10

Pinging 172.17.10.30 with 32 bytes of data:

Reply from 172.17.10.30: bytes=32 time=147ms TTL=128
<output omitted>
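The three trunk problems walked through above (a port that never becomes a trunk, a native VLAN mismatch, and an allowed-VLAN list that differs between the two ends) can all be read from show interfaces trunk on both switches. The following added example (not from the textbook) parses that output from each end of a link and reports the findings in the order the chapter recommends checking them; its VLAN-list expansion also handles the comma-and-hyphen syntax of the vlan 100,102,105-107 command from section 3.2.1.2. The sample outputs are constructed copies of Examples 3-17 and 3-19.

```python
"""Audit `show interfaces trunk` output from both ends of a trunk link.

Added example, not from the textbook. Assumes the standard Catalyst table
layout shown in the chapter's Examples 3-16 through 3-20.
"""
from __future__ import annotations

import re


def expand_vlan_list(spec: str) -> set[int]:
    """'10,20,99' or '100,102,105-107' -> set of VLAN IDs; 'ALL' -> 1-4094."""
    spec = spec.strip().upper()
    if spec == "ALL":
        return set(range(1, 4095))
    if spec in ("", "NONE"):
        return set()
    vlans: set[int] = set()
    for item in spec.split(","):
        lo, _, hi = item.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def parse_show_interfaces_trunk(text: str) -> dict[str, dict]:
    """Return {port: {mode, status, native, allowed}} from the status table and
    the 'Vlans allowed on trunk' table; the other two tables are ignored."""
    ports: dict[str, dict] = {}
    section = None
    for line in text.splitlines():
        if line.startswith("Port"):          # a table header
            if "Mode" in line:
                section = "status"
            elif "Vlans allowed on trunk" in line:
                section = "allowed"
            else:
                section = None
            continue
        fields = line.split()
        if not fields or not re.match(r"^(Fa|Gi|Te)\d", fields[0]):
            continue
        if section == "status":
            port, mode, _encap, status, native = fields[:5]
            ports[port] = {"mode": mode, "status": status,
                           "native": int(native), "allowed": set()}
        elif section == "allowed" and fields[0] in ports:
            ports[fields[0]]["allowed"] = expand_vlan_list(fields[1])
    return ports


def audit_trunk(local_out: str, local_port: str,
                remote_out: str, remote_port: str) -> list[str]:
    """Compare both ends of one trunk link and return the findings, checked in
    the chapter's order: trunk mode, then native VLAN, then allowed list."""
    ends = {"local": (parse_show_interfaces_trunk(local_out), local_port),
            "remote": (parse_show_interfaces_trunk(remote_out), remote_port)}
    findings: list[str] = []
    for side, (table, port) in ends.items():
        entry = table.get(port)
        if entry is None or entry["status"] != "trunking":
            # Example 3-17: a dynamic auto port never appears in the table
            findings.append(f"{side} {port} is not trunking (check switchport mode / DTP)")
        elif entry["mode"] != "on":
            findings.append(f"{side} {port} was negotiated by DTP (mode {entry['mode']}); "
                            "configure it statically with switchport mode trunk")
    l, r = ends["local"][0].get(local_port), ends["remote"][0].get(remote_port)
    if l and r:
        if l["native"] != r["native"]:
            findings.append(f"native VLAN mismatch: {l['native']} vs {r['native']}")
        if l["allowed"] != r["allowed"]:
            findings.append(f"allowed VLAN lists differ on {sorted(l['allowed'] ^ r['allowed'])}")
    return findings


# Constructed samples copied from the chapter's Example 3-19: S3 allows
# VLANs 10,20,99 on Fa0/3 while S1 still allows only 10,99.
S3_EXAMPLE_3_19 = """\
Port        Mode         Encapsulation  Status        Native vlan
Fa0/3       on           802.1q         trunking      99

Port        Vlans allowed on trunk
Fa0/3       10,20,99

Port        Vlans allowed and active in management domain
Fa0/3       10,20,99

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/3       10,20,99
"""

S1_EXAMPLE_3_19 = """\
Port        Mode         Encapsulation  Status        Native vlan
Fa0/1       on           802.1q         trunking      99
Fa0/3       on           802.1q         trunking      99

Port        Vlans allowed on trunk
Fa0/1       10,99
Fa0/3       10,99
"""

S3_EXAMPLE_3_17 = ""   # Example 3-17: `show interfaces trunk` on S3 prints nothing

if __name__ == "__main__":
    for finding in audit_trunk(S1_EXAMPLE_3_19, "Fa0/3", S3_EXAMPLE_3_19, "Fa0/3"):
        print(finding)
```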
The proliferation of network security certifications indicates that the importance of network security is growing. Every configuration, monitoring, maintenance, and troubleshooting procedure in a switched network must include an analysis of the security implications. VLANs and VLAN technologies play an integral role in the design and implementation of switched networks.

Attacks on VLANs (3.3.1)

A number of attacks are specific to the VLAN infrastructure. In this section, the various types of attacks involving VLANs are explored.

Switch Spoofing Attack (3.3.1.1)

There are a number of different types of VLAN attacks in modern switched networks. The VLAN architecture simplifies network maintenance and improves performance, but it also opens the door to abuse. It is important to understand the general methodology behind these attacks and the primary approaches to mitigate them. VLAN hopping enables traffic from one VLAN to be seen by another VLAN. Switch spoofing is a type of VLAN hopping attack that works by taking advantage of an incorrectly configured trunk port. By default, trunk ports have access to all VLANs and pass traffic for multiple VLANs across the same physical link, generally between switches. Figure 3-21 illustrates a switch spoofing attack.
Figure 3-21 Switch Spoofing Attack

In a basic switch spoofing attack, the attacker takes advantage of the fact that the default configuration of the switch port is dynamic auto. The network attacker configures a system to spoof itself as a switch. This spoofing requires that the network attacker be capable of emulating 802.1Q and DTP messages. By tricking a switch into thinking that another switch is attempting to form a trunk, an attacker can gain access to all the VLANs allowed on the trunk port. The best way to prevent a basic switch spoofing attack is to turn off trunking on all ports, except the ones that specifically require trunking. On the required trunking ports, disable DTP and manually enable trunking.

Double-Tagging Attack (3.3.1.2)

Another type of VLAN attack is a double-tagging (or double-encapsulated) VLAN hopping attack. This type of attack takes advantage of the way that hardware on most switches operates. Most switches perform only one level of 802.1Q deencapsulation, which allows an attacker to embed a hidden 802.1Q tag inside the frame. This tag allows the frame to be forwarded to a VLAN that the original 802.1Q tag did not specify. An important characteristic of the double-encapsulated VLAN hopping attack is that it works even if trunk ports are disabled, because a host typically sends a frame on a segment that is not a trunk link. A double-tagging attack, illustrated in Figure 3-22, follows three steps:
This type of attack is unidirectional and works only when the attacker is connected to a port residing in the same VLAN as the native VLAN of the trunk port. Thwarting this type of attack is not as easy as stopping basic VLAN hopping attacks. The best approach to mitigating double-tagging attacks is to ensure that the native VLAN of the trunk ports is different from the VLAN of any user ports. In fact, it is considered a security best practice to use a fixed VLAN that is distinct from all user VLANs in the switched network as the native VLAN for all 802.1Q trunks.

PVLAN Edge (3.3.1.3)

Some applications require that no traffic be forwarded at Layer 2 between ports on the same switch so that one neighbor does not see the traffic generated by another neighbor. In such an environment, the use of the Private VLAN (PVLAN) Edge feature, also known as protected ports, ensures that there is no exchange of unicast, broadcast, or multicast traffic between these ports on the switch, as shown in Figure 3-23.
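Returning to the double-tagging attack of Section 3.3.1.2: the mitigation works because a switch pops only the outer tag, and that pop is harmless unless the outer tag is the trunk's native VLAN. A monitoring tool on the defender's side therefore needs to walk the whole 802.1Q tag stack rather than stop after one tag, and it needs to know the trunk's native VLAN. The following Python parser is an added example written for this chapter; it is not code from the book or from Cisco. It decodes every stacked tag in a raw Ethernet frame and classifies frames seen on an access port, flagging the one shape (outer tag equal to the native VLAN with a second tag beneath it) that single-level de-encapsulation would forward into the inner VLAN. The frames it is run on are constructed in the script itself (dummy MAC addresses, IPv4 EtherType), not captured traffic.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag


def parse_dot1q(frame: bytes):
    """Return (dst, src, vids, ethertype, payload) for one Ethernet frame.

    Unlike the single level of de-encapsulation most switch hardware
    performs, this walks every stacked 802.1Q tag, so a hidden inner tag
    is reported instead of being treated as payload.
    """
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    offset = 12
    vids = []
    while True:
        if len(frame) < offset + 2:
            raise ValueError("truncated frame")
        etype = struct.unpack("!H", frame[offset:offset + 2])[0]
        if etype != TPID_8021Q:
            break
        if len(frame) < offset + 4:
            raise ValueError("truncated 802.1Q tag")
        tci = struct.unpack("!H", frame[offset + 2:offset + 4])[0]
        vids.append(tci & 0x0FFF)  # the VLAN ID is the low 12 bits of the TCI
        offset += 4
    return dst, src, vids, etype, frame[offset + 2:]


def classify(frame: bytes, native_vlan: int) -> str:
    """Classify a frame received on a non-trunk (access) port.

    clean                 no tag, what an end host normally sends
    tagged                one tag on an access port: unusual, worth logging
    double-tagged-native  outer tag equals the trunk's native VLAN with a
                          second tag beneath it: the only shape that survives
                          one level of de-encapsulation and lands in the inner
                          VLAN
    double-tagged         nested tags whose outer tag is not the native VLAN;
                          the outer tag stays on the frame across the trunk, so
                          the inner tag is never exposed
    """
    _, _, vids, _, _ = parse_dot1q(frame)
    if not vids:
        return "clean"
    if len(vids) == 1:
        return "tagged"
    if vids[0] == native_vlan:
        return "double-tagged-native"
    return "double-tagged"


def build_test_frame(vids, payload: bytes = b"\x00" * 46) -> bytes:
    """Constructed fixture for the parser (not captured traffic): dummy MAC
    addresses, the requested tag stack, and an IPv4 EtherType."""
    hdr = bytes.fromhex("001122334455" "00aabbccddee")  # constructed dst, src
    tags = b"".join(struct.pack("!HH", TPID_8021Q, v & 0x0FFF) for v in vids)
    return hdr + tags + struct.pack("!H", 0x0800) + payload


if __name__ == "__main__":
    # Native VLAN 1 (the default) versus a dedicated native VLAN 999.
    for stack in ([], [20], [1, 20], [99, 20]):
        frame = build_test_frame(stack)
        print(stack, "native=1 ->", classify(frame, 1),
              "| native=999 ->", classify(frame, 999))
```

The same frame with tags [1, 20] is reported as double-tagged-native when the trunk's native VLAN is 1 and merely double-tagged when the native VLAN has been moved to 999, which is exactly why the chapter recommends a dedicated native VLAN distinct from every user VLAN.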
Figure 3-23 Private VLAN Edge

The PVLAN Edge feature has the following characteristics:
To configure the PVLAN Edge feature, enter the switchport protected command in interface configuration mode, as shown in Example 3-21. To disable a protected port, use the no switchport protected interface configuration mode command. To verify the configuration of the PVLAN Edge feature, use the show interfaces interface-id switchport privileged EXEC command, as the example shows.

Example 3-21 PVLAN Edge

S1(config)# interface g0/1
S1(config-if)# switchport protected
S1(config-if)# end
S1# show interfaces g0/1 switchport
Name: Gi0/1
Switchport: Enabled
Administrative Mode: dynamic auto
Operational Mode: down
Administrative Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
<output omitted>
Protected: true
Unknown unicast blocked: disabled
Unknown multicast blocked: disabled
Appliance trust: none

VLAN Best Practices (3.3.2)

VLAN best practices refer to those practices that any network administrator responsible for portions of a switched network should employ in day-to-day work. These comprise standard operating procedures for switch practitioners.

VLAN Design Guidelines (3.3.2.1)

Cisco switches have a factory configuration in which default VLANs are preconfigured to support various media and protocol types. The default Ethernet VLAN is VLAN 1. It is a security best practice to configure all the ports on all switches to be associated with VLANs other than VLAN 1. This is usually done by configuring all unused ports to a black hole VLAN that is not used for anything on the network. All used ports are associated with VLANs distinct from VLAN 1 and distinct from the black hole VLAN. It is also a good practice to shut down unused switch ports to prevent unauthorized access. A good security practice is to separate management and user data traffic. The management VLAN, which is VLAN 1 by default, should be changed to a separate, distinct VLAN.
To communicate remotely with a Cisco switch for management purposes, the switch must have an IP address configured on the management VLAN. Users in other VLANs would not be able to establish remote access sessions to the switch unless they were routed into the management VLAN, providing an additional layer of security. Also, the switch should be configured to accept only encrypted SSH sessions for remote management.

All control traffic is sent on VLAN 1. Therefore, when the native VLAN is changed to something other than VLAN 1, all control traffic is tagged on IEEE 802.1Q VLAN trunks (tagged with VLAN ID 1). A recommended security practice is to change the native VLAN to a different VLAN than VLAN 1. The native VLAN should also be distinct from all user VLANs. Ensure that the native VLAN for an 802.1Q trunk is the same on both ends of the trunk link.

DTP offers four switch port modes: access, trunk, dynamic auto, and dynamic desirable. A general guideline is to disable autonegotiation. As a port security best practice, do not use the dynamic auto or dynamic desirable switch port modes.

Finally, voice traffic has stringent QoS requirements. If user PCs and IP phones are on the same VLAN, each tries to use the available bandwidth without considering the other device. To avoid this conflict, it is good practice to use separate VLANs for IP telephony and data traffic.
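The guidelines in Section 3.3.2.1, the switch spoofing mitigation in Section 3.3.1.1, and the verification output of Example 3-21 can all be checked from one place: the per-interface fields of show interfaces switchport. The audit script below is an added example written for this chapter, not code from the book or from Cisco. It parses the field layout shown in Example 3-21 and reports, per port, the conditions the chapter warns about: a dynamic auto or dynamic desirable administrative mode, DTP negotiation left on, native VLAN 1 on a port that can trunk, and a non-trunk port still in VLAN 1. The sample output it runs on is constructed inline (three invented ports), not captured from a switch; field names are taken from Example 3-21 and the "static access" mode string is assumed.

```python
import re

# Constructed sample in the layout of Example 3-21's 'show interfaces
# switchport' output. The three ports and their values are invented for the
# audit; this is not captured switch output.
SAMPLE_OUTPUT = """\
Name: Gi0/1
Switchport: Enabled
Administrative Mode: dynamic auto
Operational Mode: down
Administrative Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Protected: true

Name: Gi0/2
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Negotiation of Trunking: Off
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 999 (Native)
Protected: false

Name: Gi0/3
Switchport: Enabled
Administrative Mode: static access
Operational Mode: static access
Administrative Trunking Encapsulation: dot1q
Negotiation of Trunking: Off
Access Mode VLAN: 20 (student)
Trunking Native Mode VLAN: 1 (default)
Protected: false
"""


def parse_switchport(text: str) -> list:
    """Split the output into one dict per interface, keyed by field label."""
    ports = []
    for block in re.split(r"\n(?=Name: )", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(": ")
            if sep:
                fields[key.strip()] = value.strip()
        if "Name" in fields:
            ports.append(fields)
    return ports


def vlan_id(value: str):
    """'1 (default)' -> 1, '999 (Native)' -> 999, '' -> None."""
    m = re.match(r"\s*(\d+)", value)
    return int(m.group(1)) if m else None


def audit_port(fields: dict) -> list:
    """Return the chapter's guideline violations for one interface."""
    findings = []
    mode = fields.get("Administrative Mode", "")
    is_access = mode == "static access"  # assumed IOS wording for access mode
    if mode.startswith("dynamic"):
        findings.append(f"administrative mode '{mode}': the port will negotiate a "
                        "trunk over DTP (switch spoofing); set access or trunk explicitly")
    if fields.get("Negotiation of Trunking") == "On":
        findings.append("DTP negotiation is on; disable it on ports that must trunk "
                        "and keep user ports in access mode")
    if not is_access and vlan_id(fields.get("Trunking Native Mode VLAN", "")) == 1:
        findings.append("native VLAN is 1; move it to a dedicated VLAN distinct from "
                        "every user VLAN (double-tagging mitigation)")
    if not mode.startswith("trunk") and vlan_id(fields.get("Access Mode VLAN", "")) == 1:
        findings.append("access VLAN is 1; assign the port to a user VLAN, or to the "
                        "black hole VLAN and shut it down if unused")
    return findings


def audit(text: str) -> dict:
    """Map each interface name to its list of findings (empty list = clean)."""
    return {p["Name"]: audit_port(p) for p in parse_switchport(text)}


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_OUTPUT).items():
        print(name, "OK" if not findings else "")
        for f in findings:
            print("   -", f)
```

Gi0/1, which mirrors the port in Example 3-21, produces four findings; Gi0/2 (explicit trunk, DTP off, native VLAN 999) and Gi0/3 (static access port in VLAN 20) produce none. Running the script against the output of every port on a switch gives a quick list of what still needs the switchport mode, switchport nonegotiate, switchport trunk native vlan, and switchport access vlan commands applied.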
This chapter introduced VLANs. VLANs are based on logical connections, instead of physical connections. VLANs are a mechanism to allow network administrators to create logical broadcast domains that can span across a single switch or multiple switches, regardless of physical proximity. This function is useful to reduce the size of broadcast domains or to allow groups of users to be logically grouped without the need to be physically located in the same place. There are several types of VLANs:
On a Cisco switch, VLAN 1 is the default Ethernet VLAN, the default native VLAN, and the default management VLAN. Best practices suggest that the native and management VLANs be moved to another distinct VLAN and that unused switch ports be moved to a “black hole” VLAN for increased security. The switchport access vlan command is used to create a VLAN on a switch. After creating a VLAN, the next step is to assign ports to the VLAN. The show vlan brief command displays the VLAN assignment and membership type for all switch ports. Each VLAN must correspond to a unique IP subnet. Use the show vlan command to check whether the port belongs to the expected VLAN. If the port is assigned to the wrong VLAN, use the switchport access vlan command to correct the VLAN membership. Use the show mac address-table command to check which addresses were learned on a particular port of the switch and to which VLAN that port is assigned. A port on a switch is either an access port or a trunk port. Access ports carry traffic from a specific VLAN assigned to the port. A trunk port by default is a member of all VLANs; therefore, it carries traffic for all VLANs. VLAN trunks facilitate inter-switch communication by carrying traffic associated with multiple VLANs. IEEE 802.1Q frame tagging differentiates between Ethernet frames associated with distinct VLANs as they traverse common trunk links. To enable trunk links, use the switchport mode trunk command. Use the show interfaces trunk command to check whether a trunk has been established between switches. Trunk negotiation is managed by the Dynamic Trunking Protocol (DTP), which operates on a point-to-point basis only, between network devices. DTP is a Cisco-proprietary protocol that is automatically enabled on Catalyst 2960 and Catalyst 3560 Series switches. To place a switch into its factory default condition with one default VLAN, use the delete flash:vlan.dat and erase startup-config commands. 
This chapter also examined the configuration, verification, and troubleshooting of VLANs and trunks using the Cisco IOS CLI and explored basic security and design considerations in the context of VLANs.
The following activities provide practice with the topics introduced in this chapter. The Labs and Class Activities are available in the companion Switched Networks Lab Manual (ISBN 978-1-58713-372-5). The Packet Tracer Activities PKA files are found in the online course.

Class Activities
Labs
Packet Tracer Activities