What is the purpose of the switch command switchport access vlan 99

Network administrators who are responsible for portions of the switched network are familiar with the basic configuration tasks related to creating VLANs, configuring trunk links, associating voice and data VLANs with ports, and securing the VLAN implementation. This section describes the major tasks required to configure VLANs and trunks on switches in the network infrastructure.

VLAN Assignment (3.2.1)

The first step in configuring VLANs is to create the VLANs and to associate switch ports with VLANs.

VLAN Ranges on Catalyst Switches (3.2.1.1)

Different Cisco Catalyst switches support various numbers of VLANs. The number of supported VLANs is large enough to accommodate the needs of most organizations. For example, the Catalyst 2960 and 3560 Series switches support over 4000 VLANs. Normal-range VLANs on these switches are numbered 1 to 1005, and extended-range VLANs are numbered 1006 to 4094. Catalyst 2960 switches running Cisco IOS Release 15.x support extended-range VLANs.

Normal-Range VLANs

Normal-range VLANs are the ones usually used in switched networks, because most networks do not need more than 1000 VLANs.

  • Used in small- and medium-sized business and enterprise networks.
  • Identified by a VLAN ID between 1 and 1005.
  • IDs 1002 through 1005 are reserved for Token Ring and FDDI VLANs.
  • IDs 1 and 1002 to 1005 are automatically created and cannot be removed.
  • Configurations are stored within a VLAN database file called vlan.dat. The vlan.dat file is located in the flash memory of the switch.
  • The VLAN Trunking Protocol (VTP), which helps manage VLAN configurations between switches, can only learn and store normal-range VLANs.

Extended-Range VLANs

Extended-range VLANs are primarily used in metropolitan service provider networks that require more than 1000 VLANs to support their various customers.

  • Enable service providers to extend their infrastructure to a greater number of customers. Some global enterprises could be large enough to need extended-range VLAN IDs.
  • Are identified by a VLAN ID between 1006 and 4094.
  • Configurations are not written to the vlan.dat file.
  • Support fewer VLAN features than normal-range VLANs.
  • Are, by default, saved in the running configuration file.
  • VTP does not learn extended-range VLANs.

Creating a VLAN (3.2.1.2)

When configuring normal-range VLANs, the configuration details are stored in flash memory on the switch in a file called vlan.dat. Flash memory is persistent and does not require the copy running-config startup-config command. However, because other details are often configured on a Cisco switch at the same time that VLANs are created, it is good practice to save running configuration changes to the startup configuration.

Table 3-1 displays the Cisco IOS command syntax used to add a VLAN to a switch and give it a name. Naming each VLAN is considered a best practice in switch configuration.

Table 3-1 Creating a VLAN

Cisco Switch IOS Commands

Enter global configuration mode.

S1# configure terminal

Create a VLAN with a valid ID number.

S1(config)# vlan vlan-id

Specify a unique name to identify the VLAN.

S1(config-vlan)# name vlan-name

Return to privileged EXEC mode.

S1(config-vlan)# end

Figure 3-10 shows how the student VLAN (VLAN 20) is configured on switch S1. In the topology example, the student computer (PC2) has not been associated with a VLAN yet, but it does have an IP address of 172.17.20.22.


Figure 3-10 Sample VLAN Configuration

In addition to entering a single VLAN ID, a series of VLAN IDs can be entered separated by commas, or a range of VLAN IDs separated by hyphens using the vlan vlan-id command. For example, use the following command to create VLANs 100, 102, 105, 106, and 107:

S1(config)# vlan 100,102,105-107
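The comma-and-hyphen list syntax above is also accepted by switchport trunk allowed vlan, and a typo in it (a descending range, an ID above 4094) is only reported once it reaches the switch. The following is an added example, not code from the Cisco text: it expands such a list offline, classifies each ID against the normal, extended and reserved ranges described earlier in this section, and reports which IDs a vlan command will actually create. The function names are my own; the numeric ranges are the ones the text states.

```python
# Added example (not from the Cisco text): a parser for the VLAN-list syntax
# accepted by "vlan 100,102,105-107" and "switchport trunk allowed vlan ...",
# plus a classifier for the Catalyst VLAN ranges described in this section.
# Function names are my own; the numeric ranges are the ones the text states.

NORMAL_RANGE = range(1, 1006)        # 1-1005: stored in vlan.dat, learned by VTP
EXTENDED_RANGE = range(1006, 4095)   # 1006-4094: kept only in the running config
RESERVED = {1002, 1003, 1004, 1005}  # Token Ring / FDDI: auto-created, cannot be removed
MAX_VLAN = 4094


def expand_vlan_list(spec):
    """Expand '100,102,105-107' into a sorted list of unique VLAN IDs.

    Every element is validated, so a typo such as '20-10' or '10,4095' raises
    here instead of being pasted into a switch session."""
    ids = set()
    for item in spec.replace(" ", "").split(","):
        if not item:
            raise ValueError("empty element in VLAN list %r" % spec)
        if "-" in item:
            lo_text, hi_text = item.split("-", 1)
            lo, hi = int(lo_text), int(hi_text)
            if lo > hi:
                raise ValueError("descending range %r" % item)
        else:
            lo = hi = int(item)
        if lo < 1 or hi > MAX_VLAN:
            raise ValueError("range %r leaves the valid span 1-%d" % (item, MAX_VLAN))
        ids.update(range(lo, hi + 1))
    return sorted(ids)


def classify_vlan(vid):
    """Return which of the ranges described in the text a VLAN ID falls into."""
    if vid == 1:
        return "default"          # created automatically, cannot be removed
    if vid in RESERVED:
        return "reserved"         # 1002-1005, created automatically
    if vid in NORMAL_RANGE:
        return "normal"
    if vid in EXTENDED_RANGE:
        return "extended"
    raise ValueError("VLAN %r is outside 1-%d" % (vid, MAX_VLAN))


def plan_vlan_creation(spec):
    """Split a 'vlan <list>' argument into what the switch will actually do.

    IDs 1 and 1002-1005 already exist on every switch, so they are reported
    separately; extended-range IDs are listed on their own because they are not
    written to vlan.dat and VTP does not propagate them, so they need
    'copy running-config startup-config' and matching manual configuration on
    every other switch."""
    plan = {"normal": [], "extended": [], "already_exists": []}
    for vid in expand_vlan_list(spec):
        kind = classify_vlan(vid)
        if kind in ("default", "reserved"):
            plan["already_exists"].append(vid)
        else:
            plan[kind].append(vid)
    return plan


if __name__ == "__main__":
    print(expand_vlan_list("100,102,105-107"))
    print(plan_vlan_creation("1,99,1002,1005-1007"))
```

Running the script expands the example from the text to the five IDs 100, 102, 105, 106 and 107; the second call shows how a list that straddles the 1005/1006 boundary is split into IDs that already exist, normal-range IDs, and extended-range IDs that will live only in the running configuration.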

Assigning Ports to VLANs (3.2.1.3)

After creating a VLAN, the next step is to assign ports to the VLAN. An access port can belong to only one VLAN at a time. One exception to this rule is that of a port connected to an IP phone, in which case there are two VLANs associated with the port: one for voice and one for data.

Table 3-2 displays the syntax for defining a port to be an access port and assigning it to a VLAN. The switchport mode access command is optional but strongly recommended as a security best practice. With this command, the interface changes to permanent access mode.

Table 3-2 Assign Ports to VLANs

Cisco Switch IOS Commands

Enter global configuration mode.

S1# configure terminal

Enter interface configuration mode.

S1(config)# interface interface-id

Set the port to access mode.

S1(config-if)# switchport mode access

Assign the port to a VLAN.

S1(config-if)# switchport access vlan vlan-id

Return to the privileged EXEC mode.

S1(config-if)# end

In Figure 3-11, VLAN 20 is assigned to port F0/18 on switch S1; therefore, the student computer (PC2) is in VLAN 20. When VLAN 20 is configured on other switches, the network administrator knows to configure the other student computers to be in the same subnet as PC2 (172.17.20.0/24).


Figure 3-11 Sample Interface Configuration for VLANs

The switchport access vlan command forces the creation of a VLAN if it does not already exist on the switch. For example, VLAN 30 is not present in the show vlan brief output of the switch. If the switchport access vlan 30 command is entered on any interface with no previous configuration, the switch displays

% Access VLAN does not exist. Creating vlan 30

Changing VLAN Port Membership (3.2.1.4)

There are a number of ways to change VLAN port membership. Table 3-3 shows the syntax for changing a switch port to VLAN 1 membership with the no switchport access vlan interface configuration mode command.

Table 3-3 Removing a VLAN Assignment

Cisco Switch IOS Commands

Enter global configuration mode.

S1# configure terminal

Enter interface configuration mode.

S1(config)# interface interface-id

Remove the VLAN assignment from the port.

S1(config-if)# no switchport access vlan

Return to the privileged EXEC mode.

S1(config-if)# end

Interface F0/18 was previously assigned to VLAN 20. The no switchport access vlan command is entered for interface F0/18, and the show vlan brief output in Example 3-3 confirms the result. The show vlan brief command displays the VLAN assignment and membership type for all switch ports, one line per VLAN, showing the VLAN name, status, and member ports.

Example 3-3 Sample VLAN Assignment Removal

S1(config)# interface f0/18
S1(config-if)# no switchport access vlan
S1(config-if)# do show vlan brief

VLAN Name                             Status    Ports
---- -------------------------------- --------- --------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                Fa0/9, Fa0/10, Fa0/11, Fa0/12
                                                Fa0/13, Fa0/14, Fa0/15, Fa0/16
                                                Fa0/17, Fa0/18, Fa0/19, Fa0/20
                                                Fa0/21, Fa0/22, Fa0/23, Fa0/24
                                                Gi0/1, Gi0/2
20   student                          active
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup

VLAN 20 is still active, even though no ports are assigned to it. In Example 3-4, the show interfaces f0/18 switchport output verifies that the access VLAN for interface F0/18 has been reset to VLAN 1.

Example 3-4 Verification of VLAN Assignment Removal

S1# show interfaces f0/18 switchport
Name: Fa0/18
Switchport: Enabled
Administrative Mode: dynamic auto
Operational Mode: down
Administrative Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
<output omitted>

A port can easily have its VLAN membership changed. It is not necessary to first remove a port from a VLAN to change its VLAN membership. When an access port has its VLAN membership reassigned to another existing VLAN, the new VLAN membership simply replaces the previous VLAN membership. In Example 3-5, port F0/11 is assigned to VLAN 20.

Example 3-5 Changing VLAN Assignment

S1(config)# interface f0/11
S1(config-if)# switchport mode access
S1(config-if)# switchport access vlan 20
S1(config-if)# end
*Mar 31 09:33:26.058: %SYS-5-CONFIG_I: Configured from console by console
S1# show vlan brief

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                Fa0/9, Fa0/10, Fa0/12, Fa0/13
                                                Fa0/14, Fa0/15, Fa0/16, Fa0/17
                                                Fa0/18, Fa0/19, Fa0/20, Fa0/21
                                                Fa0/22, Fa0/23, Fa0/24, Gi0/1
                                                Gi0/2
20   student                          active    Fa0/11
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup
S1#

Deleting VLANs (3.2.1.5)

In Example 3-6, the no vlan vlan-id global configuration mode command is used to remove VLAN 20 from the switch. Switch S1 had a minimal configuration with all ports in VLAN 1 and an unused VLAN 20 in the VLAN database. The show vlan brief command verifies that VLAN 20 is no longer present in the vlan.dat file after using the no vlan 20 command.

Example 3-6 Deleting a VLAN

S1(config)# no vlan 20
S1(config)# end
S1#
*Mar 1 07:37:55.785: %SYS-5-CONFIG_I: Configured from console by console
S1# show vlan brief

VLAN Name                             Status    Ports
---- -------------------------------- --------- --------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                Fa0/9, Fa0/10, Fa0/12, Fa0/13
                                                Fa0/14, Fa0/15, Fa0/16, Fa0/17
                                                Fa0/18, Fa0/19, Fa0/20, Fa0/21
                                                Fa0/22, Fa0/23, Fa0/24, Gi0/1
                                                Gi0/2
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup

Alternatively, the entire vlan.dat file can be deleted using the delete flash:vlan.dat privileged EXEC mode command. The abbreviated command version (delete vlan.dat) can be used if the vlan.dat file has not been moved from its default location. After issuing this command and reloading the switch, the previously configured VLANs are no longer present. This effectively places the switch into its factory default condition concerning VLAN configurations.

Verifying VLAN Information (3.2.1.6)

After a VLAN is configured, VLAN configurations can be validated using Cisco IOS show commands.

Table 3-4 displays the show vlan command options.

Table 3-4 show vlan Command

Cisco IOS CLI Command Syntax

show vlan [brief | id vlan-id | name vlan-name | summary]

brief: Display one line for each VLAN with the VLAN name, status, and its ports.

id vlan-id: Display information about a single VLAN identified by VLAN ID number. For vlan-id, the range is 1 to 4094.

name vlan-name: Display information about a single VLAN identified by VLAN name. The VLAN name is an ASCII string from 1 to 32 characters.

summary: Display VLAN summary information.

Table 3-5 displays the show interfaces command options.

Table 3-5 show interfaces Command

Cisco IOS CLI Command Syntax

show interfaces [interface-id | vlan vlan-id] | switchport

interface-id: Valid interfaces include physical ports (including type, module, and port number) and port channels. The port-channel range is 1 to 6.

vlan vlan-id: VLAN identification. The range is 1 to 4095.

switchport: Display the administrative and operational status of a switching port, including port blocking and port protection settings.

In Example 3-7, the show vlan name student command produces output that is not easily interpreted. The preferable option is to use the show vlan brief command. The show vlan summary command displays the count of all configured VLANs. The output in Example 3-7 shows seven VLANs.

Example 3-7 Using the show vlan Command

S1# show vlan name student

VLAN Name                             Status    Ports
---- -------------------------------- --------- --------------------------
20   student                          active    Fa0/11

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
20   enet  100020     1500  -      -      -        -    -        0      0

Remote SPAN VLAN
----------------
Disabled

Primary Secondary Type              Ports
------- --------- ----------------- -------------------------------------

S1# show vlan summary
Number of existing VLANs          : 7
Number of existing VTP VLANs      : 7
Number of existing extended VLANs : 0

The show interfaces vlan vlan-id command displays details that are beyond the scope of this course. The important information appears on the second line in Example 3-8, indicating that VLAN 20 is up.

Example 3-8 Using the show interfaces vlan Command

S1# show interfaces vlan 20
Vlan 20 is up, line protocol is down
  Hardware is EtherSVI, address is 0021.a1e0.78c1 (bia 0021.a1e0.78c1)
  MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive not supported
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input never, output never, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     0 packets input, 0 bytes, 0 no buffer
     Received 0 broadcasts (0 IP multicasts)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 packets output, 0 bytes, 0 underruns
     0 output errors, 0 interface resets
     0 output buffer failures, 0 output buffers swapped out
S1#

VLAN Trunks (3.2.2)

In this section, the elements of VLAN trunk configuration are explored. Remember that VLAN trunks carry all the control traffic between switches. VLAN trunks enable the communication between switches required for many of the technologies specific to the LAN switched environment.

Configuring IEEE 802.1Q Trunk Links (3.2.2.1)

A VLAN trunk is an OSI Layer 2 link between two switches that carries traffic for all VLANs (unless the allowed VLAN list is restricted manually or dynamically). To enable trunk links, configure the ports on either end of the physical link with parallel sets of commands.

To configure a switch port on one end of a trunk link, use the switchport mode trunk command. With this command, the interface changes to permanent trunking mode. The port enters into a Dynamic Trunking Protocol (DTP) negotiation to convert the link into a trunk link even if the interface connecting to it does not agree to the change. DTP is described in the next topic. In this course, the switchport mode trunk command is the only method implemented for trunk configuration.

The Cisco IOS command syntax to specify a native VLAN (other than VLAN 1) is shown in Table 3-6.

Table 3-6 802.1Q Trunk Configuration

Cisco Switch IOS Commands

Enter global configuration mode.

S1# configure terminal

Enter interface configuration mode.

S1(config)# interface interface-id

Force the link to be a trunk link.

S1(config-if)# switchport mode trunk

Specify a native VLAN for 802.1Q trunks.

S1(config-if)# switchport trunk native vlan vlan-id

Specify the list of VLANs to be allowed on the trunk link.

S1(config-if)# switchport trunk allowed vlan vlan-list

Return to the privileged EXEC mode.

S1(config-if)# end

Use the Cisco IOS switchport trunk allowed vlan vlan-list command to specify the list of VLANs to be allowed on the trunk link.

In Figure 3-12, VLANs 10, 20, and 30 support the Faculty, Student, and Guest computers (PC1, PC2, and PC3). The native VLAN should also be changed from VLAN 1 to another VLAN, such as VLAN 99. By default, all VLANs are allowed across a trunk link; the switchport trunk allowed vlan command can be used to limit the allowed VLANs.


Figure 3-12 Sample Interface Configuration for VLANs

In Example 3-9, the F0/1 port on switch S1 is configured as a trunk port, the native VLAN is set to VLAN 99, and the trunk is restricted to forward traffic only for VLANs 10, 20, 30, and 99.

Example 3-9 Sample Trunk Configuration

S1(config)# interface FastEthernet0/1
S1(config-if)# switchport mode trunk
S1(config-if)# switchport trunk native vlan 99
S1(config-if)# switchport trunk allowed vlan 10,20,30,99
S1(config-if)# end

Resetting the Trunk to the Default State (3.2.2.2)

Table 3-7 shows the commands to remove the allowed VLANs and reset the native VLAN of the trunk. When reset to the default state, the trunk allows all VLANs and uses VLAN 1 as the native VLAN.

Table 3-7 Resetting Configured Values on Trunk Links

Cisco Switch IOS Commands

Enter global configuration mode.

S1# configure terminal

Enter interface configuration mode.

S1(config)# interface interface-id

Reset the allowed VLAN list to the default (all VLANs).

S1(config-if)# no switchport trunk allowed vlan

Reset the native VLAN to the default (VLAN 1).

S1(config-if)# no switchport trunk native vlan

Return to the privileged EXEC mode.

S1(config-if)# end

Example 3-10 shows the commands used to reset all trunking characteristics of a trunking interface to the default settings. The show interfaces f0/1 switchport command reveals that the trunk has been reconfigured to a default state.

Example 3-10 Resetting Trunk Link

S1(config)# interface f0/1
S1(config-if)# no switchport trunk allowed vlan
S1(config-if)# no switchport trunk native vlan
S1(config-if)# end
S1# show interfaces f0/1 switchport
Name: Fa0/1
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
<output omitted>
Administrative private-vlan trunk mappings: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
<output omitted>

In Example 3-11, the sample output shows the commands used to remove the trunk feature from the F0/1 switch port on switch S1. The show interfaces f0/1 switchport command reveals that the F0/1 interface is now in static access mode.

Example 3-11 Return Port to Access Mode

S1(config)# interface f0/1
S1(config-if)# switchport mode access
S1(config-if)# end
S1# show interfaces f0/1 switchport
Name: Fa0/1
Switchport: Enabled
Administrative Mode: static access
Operational Mode: static access
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: native
Negotiation of Trunking: Off
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
<output omitted>

Verifying Trunk Configuration (3.2.2.3)

Example 3-12 displays the configuration of switch port F0/1 on switch S1. The configuration is verified with the show interfaces interface-id switchport command.

Example 3-12 Verifying Trunk Configuration

S1(config)# interface f0/1
S1(config-if)# switchport mode trunk
S1(config-if)# switchport trunk native vlan 99
S1(config-if)# end
S1# show interfaces f0/1 switchport
Name: Fa0/1
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 99 (VLAN0099)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk associations: none
Administrative private-vlan trunk mappings: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
<output omitted>

The Administrative Mode and Operational Mode lines show that port F0/1 has its administrative mode set to trunk and is actually trunking. The Trunking Native Mode VLAN line verifies that the native VLAN is VLAN 99. Farther down in the output, the Trunking VLANs Enabled: ALL line shows that all VLANs are enabled on the trunk.

Dynamic Trunking Protocol (3.2.3)

Networking technologies often involve both manual and automatic implementations. For example, routing, speed/duplex port configuration, and cable selection versus auto-MDIX illustrate this dichotomy of manual versus automatic. In LAN switching, Dynamic Trunking Protocol (DTP) is one of the first examples one encounters of manual versus automatic. With DTP, network administrators have the option to let neighboring switches autonegotiate trunk formation.

Introduction to DTP (3.2.3.1)

Ethernet trunk interfaces support different trunking modes. An interface can be set to trunking or nontrunking, or to negotiate trunking with the neighbor interface. Trunk negotiation is managed by the Dynamic Trunking Protocol (DTP), which operates on a point-to-point basis only between network devices.

DTP is a Cisco-proprietary protocol that is automatically enabled on Catalyst 2960 and Catalyst 3560 Series switches. Switches from other vendors do not support DTP. DTP manages trunk negotiation only if the port on the neighbor switch is configured in a trunk mode that supports DTP.

The default DTP configuration for Cisco Catalyst 2960 and 3560 switches is dynamic auto, as shown in Figure 3-13 on interface F0/3 of switches S1 and S3.


Figure 3-13 Initial DTP Configuration

To enable trunking from a Cisco switch to a device that does not support DTP, use the switchport mode trunk and switchport nonegotiate interface configuration mode commands. This causes the interface to become a trunk, but not generate DTP frames.

In Figure 3-14, the link between switches S1 and S2 becomes a trunk because the F0/1 ports on switches S1 and S2 are configured to ignore all DTP advertisements, and to come up in and stay in trunk port mode. The F0/3 ports on switches S1 and S3 are set to dynamic auto, so the negotiation results in the access mode state. This creates an inactive trunk link. When configuring a port to be in trunk mode, use the switchport mode trunk command. There is no ambiguity about which state the trunk is in; it is always on. With this configuration, it is easy to remember which state the trunk ports are in; if the port is supposed to be a trunk, the mode is set to trunk.


Figure 3-14 DTP Interaction Results

Negotiated Interface Modes (3.2.3.2)

Ethernet interfaces on Catalyst 2960 and Catalyst 3560 Series switches support different trunking modes with the help of DTP:

  • switchport mode access: Puts the interface (access port) into permanent nontrunking mode and negotiates to convert the link into a nontrunk link. The interface becomes a nontrunk interface, regardless of whether the neighboring interface is a trunk interface.
  • switchport mode dynamic auto: Makes the interface able to convert the link to a trunk link. The interface becomes a trunk interface if the neighboring interface is set to trunk or desirable mode. The default switch port mode for all Ethernet interfaces is dynamic auto.
  • switchport mode dynamic desirable: Makes the interface actively attempt to convert the link to a trunk link. The interface becomes a trunk interface if the neighboring interface is set to trunk, desirable, or auto mode. This is the default switch port mode on older switches, such as the Catalyst 2950 and 3550 Series switches.
  • switchport mode trunk: Puts the interface into permanent trunking mode and negotiates to convert the neighboring link into a trunk link. The interface becomes a trunk interface even if the neighboring interface is not a trunk interface.
  • switchport nonegotiate: Prevents the interface from generating DTP frames. You can use this command only when the interface switch port mode is access or trunk. You must manually configure the neighboring interface as a trunk interface to establish a trunk link.

Table 3-8 illustrates the results of the DTP configuration options on opposite ends of a trunk link connected to Catalyst 2960 switch ports.

Table 3-8 DTP-Negotiated Interface Modes

                    Dynamic Auto   Dynamic Desirable   Trunk                  Access
Dynamic Auto        Access         Trunk               Trunk                  Access
Dynamic Desirable   Trunk          Trunk               Trunk                  Access
Trunk               Trunk          Trunk               Trunk                  Limited Connectivity
Access              Access         Access              Limited Connectivity   Access

Configure trunk links statically whenever possible. The default DTP mode is dependent on the Cisco IOS Software version and on the platform. To determine the current DTP mode, issue the show dtp interface command, as shown in Example 3-13.

Example 3-13 Verifying DTP Mode

S1# show dtp interface f0/1
DTP information for FastEthernet0/1:
  TOS/TAS/TNS:                              TRUNK/ON/TRUNK
  TOT/TAT/TNT:                              802.1Q/802.1Q/802.1Q
  Neighbor address 1:                       0CD996D23F81
  Neighbor address 2:                       000000000000
  Hello timer expiration (sec/state):       12/RUNNING
  Access timer expiration (sec/state):      never/STOPPED
  Negotiation timer expiration (sec/state): never/STOPPED
  Multidrop timer expiration (sec/state):   never/STOPPED
  FSM state:                                S6:TRUNK
  # times multi & trunk                     0
  Enabled:                                  yes
  In STP:                                   <output omitted>

Troubleshoot VLANs and Trunks (3.2.4)

A network administrator responsible for portions of the switched infrastructure is able to quickly diagnose and solve problems. Troubleshooting VLANs and VLAN trunks is standard practice in a switched environment.

IP Addressing Issues with VLAN (3.2.4.1)

Each VLAN must correspond to a unique IP subnet. If two devices in the same VLAN have different subnet addresses, they cannot communicate. This is a common problem, and it is easy to solve by identifying the incorrect configuration and changing the subnet address to the correct one.

In Figure 3-15, PC1 cannot connect to the Web/TFTP server shown.


Figure 3-15 IP Issue Within VLAN

A check of the IP configuration settings of PC1 shown in Example 3-14 reveals the most common error in configuring VLANs: an incorrectly configured IP address. PC1 is configured with an IP address of 172.172.10.21, but it should have been configured with 172.17.10.21.

Example 3-14 Problem: Incorrect IP Address

PC1> ipconfig

IPv4 Address. . . . . . . . . . . : 172.172.10.21
Subnet Mask . . . . . . . . . . . : 255.255.0.0
Default Gateway . . . . . . . . . : 0.0.0.0

The PC1 Fast Ethernet configuration dialog box shows the updated IP address of 172.17.10.21. In Figure 3-16, the output on the bottom reveals that PC1 has regained connectivity to the Web/TFTP server found at IP address 172.17.10.30.


Figure 3-16 Solution: Change PC IP Address

Missing VLANs (3.2.4.2)

If there is still no connection between devices in a VLAN, but IP addressing issues have been ruled out, refer to the flowchart in Figure 3-17 to troubleshoot:

  • Step 1. Use the show vlan command to check whether the port belongs to the expected VLAN. If the port is assigned to the wrong VLAN, use the switchport access vlan command to correct the VLAN membership. Use the show mac address-table command to check which addresses were learned on a particular port of the switch and to which VLAN that port is assigned.
  • Step 2. If the VLAN to which the port is assigned is deleted, the port becomes inactive. Use the show vlan or show interfaces switchport command.


Figure 3-17 Missing VLAN

To display the MAC address table, use the show mac address-table command. Example 3-15 shows MAC addresses that were learned on the F0/1 interface. It can be seen that MAC address 000c.296a.a21c was learned on interface F0/1 in VLAN 10. If this number is not the expected VLAN number, change the port VLAN membership using the switchport access vlan command.

Example 3-15 Missing VLAN

S1# show mac address-table interface FastEthernet 0/1
          Mac Address Table

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    000c.296a.a21c    DYNAMIC     Fa0/1
  10    000f.34f9.9181    DYNAMIC     Fa0/1
Total Mac Addresses for this criterion: 2
S1# show interfaces FastEthernet 0/1 switchport
Name: Fa0/1
Switchport: Enabled
Administrative Mode: static access
Operational Mode: static access
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: native
Negotiation of Trunking: Off
Access Mode VLAN: 10 (Inactive)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none

Each port in a switch belongs to a VLAN. If the VLAN to which the port belongs is deleted, the port becomes inactive. All ports belonging to the VLAN that was deleted are unable to communicate with the rest of the network. Use the show interface f0/1 switchport command to check whether the port is inactive. If the port is inactive, it is not functional until the missing VLAN is created using the vlan vlan-id command.
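On a switch with dozens of ports, reading show vlan brief and show interfaces switchport by eye to find a port stranded in a deleted VLAN is error-prone. The following is an added example, not code from the Cisco text: it parses both outputs and applies the checks from this section (a port whose access VLAN no longer exists, plus the earlier recommendation that access ports be set to switchport mode access rather than left at dynamic auto). It also serves the Verifying VLAN Information section, since the same parser reads the show vlan brief layout shown there. The two captures are constructed, modelled on Examples 3-5 and 3-15, and the function names are my own.

```python
import re

# Added example, not from the Cisco text: parse "show vlan brief" and
# "show interfaces ... switchport" output and run the Missing VLANs checks over
# it. Both captures are constructed, modelled on Examples 3-5 and 3-15, and the
# function names are my own.

SHOW_VLAN_BRIEF = """\
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                Fa0/5, Fa0/6
20   student                          active    Fa0/11
30   guest                            active
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup
"""

SHOW_SWITCHPORT = """\
Name: Fa0/1
Administrative Mode: static access
Access Mode VLAN: 10 (Inactive)
Trunking Native Mode VLAN: 1 (default)

Name: Fa0/11
Administrative Mode: static access
Access Mode VLAN: 20 (student)
Trunking Native Mode VLAN: 1 (default)

Name: Fa0/18
Administrative Mode: dynamic auto
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
"""

VLAN_ROW = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s*(.*)$")
ACCESS_VLAN = re.compile(r"(\d+)\s*\(([^)]*)\)")


def _ports(field):
    return [p.strip() for p in field.split(",") if p.strip()]


def parse_vlan_brief(text):
    """Map VLAN ID -> {name, status, ports}; indented lines continue the port list."""
    vlans, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith(("VLAN", "----")):
            continue
        row = VLAN_ROW.match(line)
        if row:
            current = int(row.group(1))
            vlans[current] = {"name": row.group(2), "status": row.group(3),
                              "ports": _ports(row.group(4))}
        elif line.startswith(" ") and current is not None:
            vlans[current]["ports"].extend(_ports(line))
    return vlans


def parse_switchport(text):
    """Map port name -> administrative mode, access VLAN and its annotation."""
    ports = {}
    for block in re.split(r"(?m)^Name: ", text):
        if not block.strip():
            continue
        name, _, rest = block.partition("\n")
        fields = dict(line.split(": ", 1) for line in rest.splitlines() if ": " in line)
        match = ACCESS_VLAN.match(fields.get("Access Mode VLAN", ""))
        ports[name.strip()] = {
            "admin_mode": fields.get("Administrative Mode", ""),
            "access_vlan": int(match.group(1)) if match else None,
            "access_note": match.group(2) if match else "",
        }
    return ports


def active_vlans_without_ports(vlans):
    """VLANs that exist but have no member ports (like VLAN 20 in Example 3-3)."""
    return sorted(v for v, d in vlans.items() if d["status"] == "active" and not d["ports"])


def audit_access_ports(vlans, ports):
    """Flowchart step 2 (port left in a deleted VLAN) plus the 'switchport mode
    access' recommendation from the port assignment section, as (port, finding)."""
    findings = []
    for name, p in sorted(ports.items()):
        vid = p["access_vlan"]
        if p["access_note"] == "Inactive" or vid not in vlans:
            findings.append((name, "access VLAN %s does not exist; the port is inactive "
                                   "until 'vlan %s' is configured" % (vid, vid)))
        if p["admin_mode"] not in ("static access", "trunk"):
            findings.append((name, "mode '%s' leaves DTP negotiation on; set "
                                   "'switchport mode access' (or trunk)" % p["admin_mode"]))
    return findings


if __name__ == "__main__":
    vlans = parse_vlan_brief(SHOW_VLAN_BRIEF)
    for port, finding in audit_access_ports(vlans, parse_switchport(SHOW_SWITCHPORT)):
        print(port, "-", finding)
```

Run against the constructed captures, the audit reports Fa0/1 (its access VLAN 10 is marked Inactive and is absent from show vlan brief) and Fa0/18 (still in the dynamic auto default), while Fa0/11 in VLAN 20 passes; VLAN 30 is listed as existing without ports, which is harmless but worth knowing when VLANs are cleaned up.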

Introduction to Troubleshooting Trunks (3.2.4.3)

A common task of a network administrator is to troubleshoot trunk link formation or links incorrectly behaving as trunk links. Sometimes a switch port can behave like a trunk port even if it is not configured as a trunk port. For example, an access port might accept frames from VLANs different from the VLAN to which it is assigned. This is called VLAN leaking.

Figure 3-18 displays a flowchart of general trunk troubleshooting guidelines.


Figure 3-18 Troubleshooting Trunks

To troubleshoot issues when a trunk is not forming or when VLAN leaking is occurring, proceed as follows:

  • Step 1. Use the show interfaces trunk command to check whether the local and peer native VLANs match. If the native VLAN does not match on both sides, VLAN leaking occurs.
  • Step 2. Use the show interfaces trunk command to check whether a trunk has been established between switches. Statically configure trunk links whenever possible. Cisco Catalyst switch ports use DTP by default and attempt to negotiate a trunk link.

To display the status of a trunk, the native VLAN used on it, and whether the trunk has been established, use the show interfaces trunk command. Example 3-16 shows that the native VLAN on one side of the trunk link was changed to VLAN 2. If one end of the trunk is configured as native VLAN 99 and the other end is configured as native VLAN 2, a frame sent from VLAN 99 on one side is received on VLAN 2 on the other side. VLAN 99 leaks into the VLAN 2 segment.

Example 3-16 Troubleshooting Trunks

S1# show interfaces f0/1 trunk

Port        Mode         Encapsulation  Status        Native vlan
Fa0/1       auto         802.1q         trunking      2
<output omitted>

CDP displays a notification of a native VLAN mismatch on a trunk link with this message:

*Mar 1 06:45:26.232: %CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on FastEthernet0/1 (2), with S2 FastEthernet0/1 (99).

Connectivity issues occur in the network if a native VLAN mismatch exists. Data traffic for VLANs, other than the two native VLANs configured, successfully propagates across the trunk link, but data associated with either of the native VLANs does not successfully propagate across the trunk link.

As shown in Example 3-16, native VLAN mismatch issues do not keep the trunk from forming. To solve the native VLAN mismatch, configure the native VLAN to be the same VLAN on both sides of the link.

Common Problems with Trunks (3.2.4.4)

Trunking issues are usually associated with incorrect configurations. When configuring VLANs and trunks on a switched infrastructure, the following types of configuration errors are the most common:

  • Native VLAN mismatches: Trunk ports are configured with different native VLANs. This configuration error generates console notifications, and causes control and management traffic to be misdirected. This poses a security risk. For example, one port might be configured with VLAN 99 and the other with VLAN 100.
  • Trunk mode mismatches: One trunk port is configured in a mode that is not compatible for trunking on the corresponding peer port. This configuration error causes the trunk link to stop working. For example, both local and peer switch port modes might be configured as dynamic auto.
  • Allowed VLANs on trunks: The list of allowed VLANs on a trunk has not been updated with the current VLAN trunking requirements. In this situation, unexpected traffic or no traffic is being sent over the trunk. For example, the list of allowed VLANs might not support current VLAN trunking requirements.

If an issue with a trunk is discovered and if the cause is unknown, start troubleshooting by examining the trunks for a native VLAN mismatch. If that is not the cause, check for trunk mode mismatches, and finally check for the allowed VLAN list on the trunk. The next several sections examine how to fix the common problems with trunks.

Trunk Mode Mismatches (3.2.4.5)

Trunk links are normally configured statically with the switchport mode trunk command. Cisco Catalyst switch trunk ports use DTP to negotiate the state of the link. When a port on a trunk link is configured with a trunk mode that is incompatible with the neighboring trunk port, a trunk link fails to form between the two switches.

In the scenario illustrated in Figure 3-19, PC4 cannot connect to the internal web server. The topology indicates a valid configuration. Why is there a problem?

Figure 3-19 Scenario Topology

Check the status of the trunk ports on switch S1 using the show interfaces trunk command. The output shown in Example 3-17 reveals that interface Fa0/3 on switch S1 is not currently a trunk link. Examining the F0/3 interface reveals that the switch port is actually in dynamic auto mode. An examination of the trunks on switch S3 reveals that there are no active trunk ports. Further checking reveals that the Fa0/3 interface is also in dynamic auto mode. This explains why the trunk is down.

Example 3-17 Mismatched DTP Modes

S1# show interfaces trunk
Port        Mode         Encapsulation  Status        Native vlan
Fa0/1       on           802.1q         trunking      99

Port        Vlans allowed on trunk
Fa0/1       10,99

Port        Vlans allowed and active in management domain
Fa0/1       10,99

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/1       10,99
S1# show interfaces f0/3 switchport
Name: Fa0/3
Switchport: Enabled
Administrative Mode: dynamic auto
<output omitted>
S3# show interfaces trunk
S3# show interfaces f0/3 switchport
Name: Fa0/3
Switchport: Enabled
Administrative Mode: dynamic auto
<output omitted>

To resolve the issue, reconfigure the trunk mode of the F0/3 ports on switches S1 and S3, as shown in Example 3-18. After the configuration change, the output of the show interfaces command indicates that the port on switch S1 is now in trunking mode. The output from PC4 indicates that it has regained connectivity to the Web/TFTP server found at IP address 172.17.10.30.

Example 3-18 Corrected Trunk Modes

S1(config)# interface f0/3
S1(config-if)# switchport mode trunk
S1(config-if)# end
S1# show interfaces f0/3 switchport
Name: Fa0/3
Switchport: Enabled
Administrative Mode: trunk
<output omitted>
S3(config)# interface f0/3
S3(config-if)# switchport mode trunk
S3(config-if)# end
S3# show interfaces f0/3 switchport
Name: Fa0/3
Switchport: Enabled
Administrative Mode: trunk
<output omitted>
S3# show interfaces trunk
Port        Mode         Encapsulation  Status        Native vlan
Fa0/3       on           802.1q         trunking      99

Port        Vlans allowed on trunk
Fa0/3       10,99

Port        Vlans allowed and active in management domain
Fa0/3       10,99

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/3       10,99
PC4> ping 172.17.10.30
Pinging 172.17.10.30 with 32 bytes of data:
Reply from 172.17.10.30: bytes=32 time=147ms TTL=128
<output omitted>

Incorrect VLAN List (3.2.4.6)

For traffic from a VLAN to be transmitted across a trunk, it must be allowed on the trunk. To do so, use the switchport trunk allowed vlan vlan-id command.

In Figure 3-20, VLAN 20 (Student) and PC5 have been added to the network. The documentation has been updated to show that the VLANs allowed on the trunk are 10, 20, and 99. In this scenario, PC5 cannot connect to the student email server.

Figure 3-20 Scenario Topology

Check the trunk ports on switch S1 using the show interfaces trunk command, as shown in Example 3-19. The command reveals that the interface F0/3 on switch S3 is correctly configured to allow VLANs 10, 20, and 99. An examination of the F0/3 interface on switch S1 reveals that interfaces F0/1 and F0/3 only allow VLANs 10 and 99. Someone updated the documentation but forgot to reconfigure the ports on the S1 switch.

Example 3-19 Missing VLANs

S3# show interfaces trunk
Port        Mode         Encapsulation  Status        Native vlan
Fa0/3       on           802.1q         trunking      99

Port        Vlans allowed on trunk
Fa0/3       10,20,99

Port        Vlans allowed and active in management domain
Fa0/3       10,20,99

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/3       10,20,99
S1# show interfaces trunk
Port        Mode         Encapsulation  Status        Native vlan
Fa0/1       on           802.1q         trunking      99
Fa0/3       on           802.1q         trunking      99

Port        Vlans allowed on trunk
Fa0/1       10,99
Fa0/3       10,99
<output omitted>

Reconfigure F0/1 and F0/3 on switch S1 using the switchport trunk allowed vlan 10,20,99 command, as shown in Example 3-20. The output shows that VLANs 10, 20, and 99 are now allowed on the F0/1 and F0/3 ports on switch S1. The show interfaces trunk command is an excellent tool for revealing common trunking problems. PC5 has regained connectivity to the student email server found at IP address 172.17.20.10.

Example 3-20 Corrected VLAN List

S1(config)# interface f0/1
S1(config-if)# switchport trunk allowed vlan 10,20,99
S1(config-if)# interface f0/3
S1(config-if)# switchport trunk allowed vlan 10,20,99
S1(config-if)# end
S1# show interfaces trunk
Port        Mode         Encapsulation  Status        Native vlan
Fa0/1       on           802.1q         trunking      99
Fa0/3       on           802.1q         trunking      99

Port        Vlans allowed on trunk
Fa0/1       10,20,99
Fa0/3       10,20,99
<output omitted>
PC5> ping 172.17.20.10
Pinging 172.17.20.10 with 32 bytes of data:
Reply from 172.17.20.10: bytes=32 time=147ms TTL=128
<output omitted>
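The three checks worked through from Common Problems with Trunks to Incorrect VLAN List can be run mechanically against both ends of a link. The following added example (not from the book) parses constructed show interfaces trunk and show interfaces switchport output modelled on Examples 3-16 through 3-19 and reports mismatches in the order the text recommends: native VLAN, then DTP mode, then the allowed-VLAN list. The sample text, port names and function names are assumptions made here.

```python
import re


def expand_vlan_list(spec):
    """'10,20,99' -> {10, 20, 99}; ranges such as '1-4094' are expanded."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def parse_trunk_table(text):
    """{port: {'native': int, 'allowed': set}} from show interfaces trunk output."""
    ports, section = {}, None
    for fields in (line.split() for line in text.splitlines()):
        if not fields:
            continue
        if fields[0] == "Port":  # each table header selects the section that follows
            section = ("status" if "Mode" in fields else "allowed"
                       if "active" not in fields and "tree" not in fields else None)
            continue
        if section == "status" and len(fields) >= 5:
            ports[fields[0]] = {"native": int(fields[4]), "allowed": set()}
        elif section == "allowed" and len(fields) == 2 and fields[0] in ports:
            ports[fields[0]]["allowed"] = expand_vlan_list(fields[1])
    return ports


def end_facts(trunk_text, switchport_text, port):
    """Admin mode from show interfaces <id> switchport, plus the trunk-table entry if any."""
    mode = re.search(r"Administrative Mode: (.+)", switchport_text).group(1).strip()
    facts = parse_trunk_table(trunk_text).get(port, {"native": None, "allowed": None})
    return {"mode": mode, **facts}


def trunk_forms(mode_a, mode_b):
    """DTP outcome for the chapter's four modes: an access end, or two dynamic auto ends, means no trunk."""
    modes = {mode_a, mode_b}
    return "access" not in modes and modes != {"dynamic auto"}


def check_link(local, peer):
    """Findings in the chapter's order: native VLAN, then DTP mode, then the allowed list."""
    findings = []
    if None not in (local["native"], peer["native"]) and local["native"] != peer["native"]:
        findings.append(f"native VLAN mismatch: {local['native']} vs {peer['native']} (VLAN leaking)")
    if not trunk_forms(local["mode"], peer["mode"]):
        findings.append(f"trunk mode mismatch: {local['mode']} vs {peer['mode']} (no trunk forms)")
    if None not in (local["allowed"], peer["allowed"]) and local["allowed"] != peer["allowed"]:
        only_one_end = sorted(local["allowed"] ^ peer["allowed"])
        findings.append(f"allowed VLAN mismatch: only one end carries VLAN(s) {only_one_end}")
    return findings


# Constructed sample output mirroring Example 3-19 (S3 carries VLAN 20 on Fa0/3, S1 does not).
S3_TRUNK = """Port        Mode         Encapsulation  Status        Native vlan
Fa0/3       on           802.1q         trunking      99

Port        Vlans allowed on trunk
Fa0/3       10,20,99
"""
S1_TRUNK = S3_TRUNK.replace("10,20,99", "10,99")
TRUNK_SWPORT = "Name: Fa0/3\nSwitchport: Enabled\nAdministrative Mode: trunk\n"
AUTO_SWPORT = TRUNK_SWPORT.replace("trunk", "dynamic auto")  # both ends in Example 3-17
```

Calling check_link(end_facts(S1_TRUNK, TRUNK_SWPORT, "Fa0/3"), end_facts(S3_TRUNK, TRUNK_SWPORT, "Fa0/3")) reproduces the Example 3-19 diagnosis, and passing AUTO_SWPORT with empty trunk output for both ends reproduces Example 3-17.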



The proliferation of network security certifications indicates that the importance of network security is growing. Every configuration, monitoring, maintenance, and troubleshooting procedure in a switched network must include an analysis of the security implications. VLANs and VLAN technologies play an integral role in the design and implementation of switched networks.

Attacks on VLANs (3.3.1)

A number of attacks are specific to the VLAN infrastructure. In this section, the various types of attacks involving VLANs are explored.

Switch Spoofing Attack (3.3.1.1)

There are a number of different types of VLAN attacks in modern switched networks. The VLAN architecture simplifies network maintenance and improves performance, but it also opens the door to abuse. It is important to understand the general methodology behind these attacks and the primary approaches to mitigate them.

VLAN hopping enables traffic from one VLAN to be seen by another VLAN. Switch spoofing is a type of VLAN hopping attack that works by taking advantage of an incorrectly configured trunk port. By default, trunk ports have access to all VLANs and pass traffic for multiple VLANs across the same physical link, generally between switches.

Figure 3-21 illustrates a switch spoofing attack.

Figure 3-21 Switch Spoofing Attack

In a basic switch spoofing attack, the attacker takes advantage of the fact that the default configuration of the switch port is dynamic auto. The network attacker configures a system to spoof itself as a switch. This spoofing requires that the network attacker be capable of emulating 802.1Q and DTP messages. By tricking a switch into thinking that another switch is attempting to form a trunk, an attacker can gain access to all the VLANs allowed on the trunk port.

The best way to prevent a basic switch spoofing attack is to turn off trunking on all ports, except the ones that specifically require trunking. On the required trunking ports, disable DTP and manually enable trunking.

Double-Tagging Attack (3.3.1.2)

Another type of VLAN attack is a double-tagging (or double-encapsulated) VLAN hopping attack. This type of attack takes advantage of the way that hardware on most switches operates. Most switches perform only one level of 802.1Q deencapsulation, which allows an attacker to embed a hidden 802.1Q tag inside the frame. This tag allows the frame to be forwarded to a VLAN that the original 802.1Q tag did not specify. An important characteristic of the double-encapsulated VLAN hopping attack is that it works even if trunk ports are disabled, because a host typically sends a frame on a segment that is not a trunk link.

A double-tagging attack, illustrated in Figure 3-22, follows three steps:

  1. The attacker sends a double-tagged 802.1Q frame to the switch. The outer header has the VLAN tag of the attacker, which is the same as the native VLAN of the trunk port. The assumption is that the switch processes the frame received from the attacker as if it were on a trunk port or a port with a voice VLAN (a switch should not receive a tagged Ethernet frame on an access port). For the purposes of this example, assume that the native VLAN is VLAN 10. The inner tag is the victim VLAN, in this case, VLAN 20.
  2. The frame arrives on the switch, which looks at the first 4-byte 802.1Q tag. The switch sees that the frame is destined for VLAN 10, which is the native VLAN. The switch forwards the packet out on all VLAN 10 ports after stripping the VLAN 10 tag. On the trunk port, the VLAN 10 tag is stripped, and the packet is not retagged because it is part of the native VLAN. At this point, the VLAN 20 tag is still intact and has not been inspected by the first switch.
  3. The second switch looks only at the inner 802.1Q tag that the attacker sent and sees that the frame is destined for VLAN 20, the target VLAN. The second switch sends the frame on to the victim port or floods it, depending on whether there is an existing MAC address table entry for the victim host.

Figure 3-22 Double-Tagging Attack

This type of attack is unidirectional and works only when the attacker is connected to a port residing in the same VLAN as the native VLAN of the trunk port. Thwarting this type of attack is not as easy as stopping basic VLAN hopping attacks.

The best approach to mitigating double-tagging attacks is to ensure that the native VLAN of the trunk ports is different from the VLAN of any user ports. In fact, it is considered a security best practice to use a fixed VLAN that is distinct from all user VLANs in the switched network as the native VLAN for all 802.1Q trunks.

PVLAN Edge (3.3.1.3)

Some applications require that no traffic be forwarded at Layer 2 between ports on the same switch so that one neighbor does not see the traffic generated by another neighbor. In such an environment, the use of the Private VLAN (PVLAN) Edge feature, also known as protected ports, ensures that there is no exchange of unicast, broadcast, or multicast traffic between these ports on the switch, as shown in Figure 3-23.

Figure 3-23 Private VLAN Edge

The PVLAN Edge feature has the following characteristics:

  • A protected port does not forward any traffic (unicast, multicast, or broadcast) to any other port that is also a protected port, except for control traffic. Data traffic cannot be forwarded between protected ports at Layer 2.
  • Forwarding behavior between a protected port and a nonprotected port proceeds as usual.
  • Protected ports must be manually configured.

To configure the PVLAN Edge feature, enter the switchport protected command in interface configuration mode, as shown in Example 3-21. To disable a protected port, use the no switchport protected interface configuration mode command. To verify the configuration of the PVLAN Edge feature, use the show interfaces interface-id switchport global configuration mode command.

Example 3-21 PVLAN Edge

S1(config)# interface g0/1
S1(config-if)# switchport protected
S1(config-if)# end
S1# show interfaces g0/1 switchport
Name: Gi0/1
Switchport: Enabled
Administrative Mode: dynamic auto
Operational Mode: down
Administrative Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
<output omitted>
Protected: true
Unknown unicast blocked: disabled
Unknown multicast blocked: disabled
Appliance trust: none

VLAN Best Practices (3.3.2)

VLAN best practices refer to those practices that any network administrator responsible for portions of a switched network should employ in his day-to-day work. These comprise standard operating procedures for switch practitioners.

VLAN Design Guidelines (3.3.2.1)

Cisco switches have a factory configuration in which default VLANs are preconfigured to support various media and protocol types. The default Ethernet VLAN is VLAN 1. It is a security best practice to configure all the ports on all switches to be associated with VLANs other than VLAN 1. This is usually done by configuring all unused ports to a black hole VLAN that is not used for anything on the network. All used ports are associated with VLANs distinct from VLAN 1 and distinct from the black hole VLAN. It is also a good practice to shut down unused switch ports to prevent unauthorized access.

A good security practice is to separate management and user data traffic. The management VLAN, which is VLAN 1 by default, should be changed to a separate, distinct VLAN. To communicate remotely with a Cisco switch for management purposes, the switch must have an IP address configured on the management VLAN. Users in other VLANs would not be able to establish remote access sessions to the switch unless they were routed into the management VLAN, providing an additional layer of security. Also, the switch should be configured to accept only encrypted SSH sessions for remote management.

All control traffic is sent on VLAN 1. Therefore, when the native VLAN is changed to something other than VLAN 1, all control traffic is tagged on IEEE 802.1Q VLAN trunks (tagged with VLAN ID 1). A recommended security practice is to change the native VLAN to a different VLAN than VLAN 1. The native VLAN should also be distinct from all user VLANs. Ensure that the native VLAN for an 802.1Q trunk is the same on both ends of the trunk link.

DTP offers four switch port modes: access, trunk, dynamic auto, and dynamic desirable. A general guideline is to disable autonegotiation. As a port security best practice, do not use the dynamic auto or dynamic desirable switch port modes.

Finally, voice traffic has stringent QoS requirements. If user PCs and IP phones are on the same VLAN, each tries to use the available bandwidth without considering the other device. To avoid this conflict, it is good practice to use separate VLANs for IP telephony and data traffic.
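As an added example that is not from the book, the script below audits a constructed running-config fragment against the design guidelines above and the mitigations given for switch spoofing (3.3.1.1) and double-tagging (3.3.1.2): static port modes instead of dynamic auto or dynamic desirable, DTP disabled on trunks with switchport nonegotiate (a real IOS interface command the chapter does not name), a native VLAN distinct from VLAN 1 and from every user VLAN, no ports left in VLAN 1, and unused ports placed in a black hole VLAN and shut down. The interface names, the black hole VLAN number 999 and the config text are constructed for this example.

```python
# Constructed running-config fragment (not from the book) with deliberate lapses.
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 switchport mode trunk
 switchport trunk native vlan 99
 switchport nonegotiate
interface FastEthernet0/2
 switchport mode trunk
interface FastEthernet0/3
 switchport mode access
 switchport access vlan 10
interface FastEthernet0/4
 switchport access vlan 99
interface FastEthernet0/5
 switchport mode access
 switchport access vlan 999
interface FastEthernet0/6
"""


def parse_interfaces(config):
    """{name: settings}, starting from the defaults the chapter names (dynamic auto, VLAN 1)."""
    ifaces, cur = {}, {}
    for line in map(str.strip, config.splitlines()):
        if line.startswith("interface "):
            cur = ifaces[line.split()[1]] = {"mode": "dynamic auto", "access_vlan": 1,
                                            "native_vlan": 1, "nonegotiate": False, "shutdown": False}
        elif line.startswith("switchport mode "):
            cur["mode"] = line[16:]
        elif line.startswith("switchport access vlan "):
            cur["access_vlan"] = int(line.split()[-1])
        elif line.startswith("switchport trunk native vlan "):
            cur["native_vlan"] = int(line.split()[-1])
        elif line in ("switchport nonegotiate", "shutdown"):
            cur[line.split()[-1]] = True  # sets 'nonegotiate' or 'shutdown'
    return ifaces


def audit(config, black_hole_vlan):
    """Findings per interface, following the guidelines in 3.3.1 and 3.3.2.1."""
    ifaces = parse_interfaces(config)
    # VLANs that end-user ports sit in: any non-trunk port, ignoring VLAN 1 and the black hole VLAN
    user_vlans = {i["access_vlan"] for i in ifaces.values()
                  if i["mode"] != "trunk" and i["access_vlan"] not in (1, black_hole_vlan)}
    findings = {}
    for name, i in ifaces.items():
        notes = []
        if i["mode"] in ("dynamic auto", "dynamic desirable"):
            notes.append(f"DTP negotiation ({i['mode']}): switch spoofing risk, set a static mode")
        if i["mode"] == "trunk":
            if not i["nonegotiate"]:
                notes.append("trunk still sends DTP: add switchport nonegotiate")
            if i["native_vlan"] == 1:
                notes.append("native VLAN is VLAN 1: move it to a dedicated VLAN")
            elif i["native_vlan"] in user_vlans:
                notes.append(f"native VLAN {i['native_vlan']} is also a user VLAN: double-tagging risk")
        elif i["access_vlan"] == 1:
            notes.append("port in default VLAN 1: assign a user or black hole VLAN")
        elif i["access_vlan"] == black_hole_vlan and not i["shutdown"]:
            notes.append("unused port in black hole VLAN but not shut down")
        if notes:
            findings[name] = notes
    return findings
```

Running audit(SAMPLE_CONFIG, 999) flags FastEthernet0/1 only for its native VLAN 99 colliding with the user VLAN on FastEthernet0/4, while FastEthernet0/3 passes cleanly.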



This chapter introduced VLANs. VLANs are based on logical connections, instead of physical connections. VLANs are a mechanism to allow network administrators to create logical broadcast domains that can span across a single switch or multiple switches, regardless of physical proximity. This function is useful to reduce the size of broadcast domains or to allow groups of users to be logically grouped without the need to be physically located in the same place.

There are several types of VLANs:

  • Default VLAN
  • Management VLAN
  • Native VLAN
  • User/Data VLANs
  • Black Hole VLAN
  • Voice VLAN

On a Cisco switch, VLAN 1 is the default Ethernet VLAN, the default native VLAN, and the default management VLAN. Best practices suggest that the native and management VLANs be moved to another distinct VLAN and that unused switch ports be moved to a “black hole” VLAN for increased security.

The switchport access vlan command is used to create a VLAN on a switch. After creating a VLAN, the next step is to assign ports to the VLAN. The show vlan brief command displays the VLAN assignment and membership type for all switch ports. Each VLAN must correspond to a unique IP subnet.

Use the show vlan command to check whether the port belongs to the expected VLAN. If the port is assigned to the wrong VLAN, use the switchport access vlan command to correct the VLAN membership. Use the show mac address-table command to check which addresses were learned on a particular port of the switch and to which VLAN that port is assigned.

A port on a switch is either an access port or a trunk port. Access ports carry traffic from a specific VLAN assigned to the port. A trunk port by default is a member of all VLANs; therefore, it carries traffic for all VLANs.

VLAN trunks facilitate inter-switch communication by carrying traffic associated with multiple VLANs. IEEE 802.1Q frame tagging differentiates between Ethernet frames associated with distinct VLANs as they traverse common trunk links. To enable trunk links, use the switchport mode trunk command. Use the show interfaces trunk command to check whether a trunk has been established between switches.

Trunk negotiation is managed by the Dynamic Trunking Protocol (DTP), which operates on a point-to-point basis only, between network devices. DTP is a Cisco-proprietary protocol that is automatically enabled on Catalyst 2960 and Catalyst 3560 Series switches.

To place a switch into its factory default condition with one default VLAN, use the delete flash:vlan.dat and erase startup-config commands.

This chapter also examined the configuration, verification, and troubleshooting of VLANs and trunks using the Cisco IOS CLI and explored basic security and design considerations in the context of VLANs.



The following activities provide practice with the topics introduced in this chapter. The Labs and Class Activities are available in the companion Switched Networks Lab Manual (ISBN 978-1-58713-372-5). The Packet Tracer Activities PKA files are found in the online course.

Class Activities

  • Class Activity 3.0.1.2: Vacation Station
  • Class Activity 3.4.1.1: VLAN Plan

Labs

  • Lab 3.2.2.5: Configuring VLANs and Trunking
  • Lab 3.2.4.9: Troubleshooting VLAN Configurations

Packet Tracer Activities

  • Packet Tracer Activity 3.1.1.5: Who Hears the Broadcast?
  • Packet Tracer Activity 3.1.2.7: Investigating a VLAN Implementation
  • Packet Tracer Activity 3.2.1.7: Configuring VLANs
  • Packet Tracer Activity 3.2.2.4: Configuring Trunks
  • Packet Tracer Activity 3.2.4.7: Troubleshooting a VLAN Implementation—Scenario 1
  • Packet Tracer Activity 3.2.4.8: Troubleshooting a VLAN Implementation—Scenario 2
