VLAN

On Cisco switches, all interfaces belong to VLAN 1 by default. VLAN 1 is also considered the Management VLAN, and should be dedicated for system traffic such as CDP, STP, VTP, and DTP.

Advantages of VLANs

VLANs provide the several benefits:

  • Broadcast Control – eliminates unnecessary broadcast traffic, improving network performance and scalability.
  • Security – Logically separates users and departments, allowing administrators to implement access-lists to control traffic between VLANs.
  • Flexibility – removes the physical boundaries of a network, allowing a user or device to exist anywhere.

VLAN membership

Statically assigning a VLAN involves manually assigning an individual or group of ports to a VLAN. Any host connected to that port (or ports) immediately becomes a member of that VLAN. This is transparent to the host – it is unaware that it belongs to a VLAN.

VLANs can be assigned dynamically based on the MAC address of the host. This allows a host to remain in the same VLAN, regardless of which switch port it is connected to. Dynamic VLAN assignment requires a separate database to maintain the MAC-address-to-VLAN relationship. Cisco developed the VLAN Membership Policy Server (VMPS) to provide this functionality.

In more sophisticated systems, a user’s network account can be used to determine VLAN membership, instead of a host’s MAC address. Static VLAN assignment is far more common than dynamic.

Creating VLANs

By default, all interfaces belong to VLAN 1. To assign an interface to a different VLAN, that VLAN must first be created:

Switch(config)#  vlan 100

Switch(config-vlan)#  name SERVERS

Note that naming a VLAN is not required.

The standard range of VLAN numbers is 1 – 1005, with VLANs 1002-1005 reserved for legacy Token Ring and FDDI purposes.

A switch operating in VTP transparent mode can additionally use the VLAN range of 1006 – 4094. These are known as extended-range VLANs.

To remove a group of VLANs:

Switch(config)#  no vlan 150-200

 

To statically assign an interface into a specific VLAN:

Switch(config)#  interface gi1/10

Switch(config-if)#  switchport mode access

Switch(config-if)#  switchport access vlan 100

 

For switches running in VTP server or client mode, the list of VLANs are stored in a database file named vlan.dat. The vlan.dat file is usually stored in flash, though on some switch models it is stored in NVRAM. The VLAN database will be maintained even if the switch is rebooted.

For switches running in VTP transparent mode, the list of VLANs is stored in the startup-config file in NVRAM. Regardless of VTP mode, the VLAN assignment for every switch interface is stored in the switch’s startup-config.

 

The tagging protocol can be manually specified on a trunk port, or dynamically negotiated using Cisco’s proprietary Dynamic Trunking Protocol (DTP).

To explicitly allow a subset of VLANs on a trunk port:

Switch(config)# interface gi2/24

Switch(config-if)# switchport trunk allowed vlan 3,9,11-15.

Switch(config)# interface gi2/24 Switch(config-if)# switchport trunk allowed vlan add 25

Important Note: It is common to restrict the allowed VLANs on a trunk link, and then add to the allowed list as new VLANs are created. However, don’t forget to use the add parameter. If add is omitted, the command will replace the list of allowed VLANs on the trunk link.

DTP(Dynamic trunking protocol)

Trunk’s frame tagging protocol can be auto negotiated, through the use of the Dynamic Trunking Protocol (DTP).

DTP has two modes to dynamically decide whether a port becomes a trunk:

  • Desirable – the port will actively attempt to form a trunk with the remote switch. This is the default setting.
  • Auto – the port will passively wait for the remote switch to initiate the

To configure the DTP mode on an interface:

Switch(config)#  interface gi2/24

Switch(config-if)#  switchport mode dynamic desirable

Switch(config-if)#  switchport mode dynamic auto

Trunk ports send out DTP frames every 30 seconds to indicate their configured mode.

A trunk will form in the following configurations:

manual trunk manual trunk, manual trunk dynamic desirable, manual trunk dynamic auto, dynamic desirable dynamic desirable, dynamic desirable dynamic auto.

 

A trunk will never form if the two sides of the trunk are set to dynamic auto, as both ports are waiting for the other to initialize the trunk. It is best practice to manually configure trunk ports, to avoid DTP negotiation errors. DTP is also vulnerable to VLAN spoofing attacks.

To explicitly disable DTP:

Switch(config)#  interface gi2/24

Switch(config-if)#  switchport mode trunk

Switch(config-if)#  switchport nonegotiate

VTP (VLAN Trunking Protocol)

Cisco’s proprietary VTP simplifies this management – updates to the VLAN database are propagated to all switches using VTP advertisements. VTP requires that all participating switches join a VTP domain. Switches must belong to the same domain to share VLAN information, and a switch can only belong to a single domain.

VTP Versions

There are three versions of VTP. VTP version 1 supports the standard 1 – 1005 VLAN range. VTP version 1 is also default on Catalyst switches.

VTP version 2 introduces some additional features:

  • Token Ring support
  • VLAN consistency checks
  • Domain-independent transparent pass through

VTPv1 and v2 are not compatible. If the VTP server is configured for VTPv2, all other switches in the VTP domain will change to v2 as well.

Until recently, VTP Version 3 was supported on only limited Cisco switch platforms. VTPv3 was built to be flexible, and can forward both VLAN and other database information, such as Multiple Spanning Tree (MST) protocol.

Other enhancements provided by VTPv3 include:

  • Support for the extended 1006-4094 VLAN range.
  • Support for private VLANs.
  • Improved VTP authentication.
  • Protection from accidental database overwrites, by using VTP primary and secondary servers.
  • Ability to enable VTP on a per-port basis.

VTP Modes

A switch using VTP must operate in one of three modes: Server, Client, transparent.

VTP servers are responsible for creating, deleting, or modifying entries in the VLAN database. Each VTP domain must have at least one VTP server, and this is the default mode for Cisco switches. VTP servers can only advertise the standard 1-1005 VLAN range, and advertisements are only sent out trunk ports.

VTP clients cannot modify the VLAN database, and rely on advertisements from other switches to update VLAN information. A client will also forward VTP advertisements out every trunk port.

A VTP transparent switch maintains its own local VLAN database, and does not directly participate in the VTP domain. Transparent switches will pass through advertisements from other switches in the VTP domain.

The VTP version dictates how the pass through is handled:

  • VTP version 1 – the transparent switch will only pass through advertisements from the same VTP domain.
  • VTP version 2 – the transparent switch will pass through advertisements from any VTP domain.

VTP Advertisements – Revision Number

VTP advertisements are marked with a 32-bit configuration revision number. Any change to the VLAN database increments the configuration revision number by 1. A switch will only accept an advertisement if the revision number is higher than the current VLAN database. Advertisements with a lower revision number are ignored.

Important note: While only VTP servers can change the VLAN database, VTP clients can advertise updates, to other clients and even to a server! As long as the revision number is higher, the switch will accept the update.

Best practice is to configure a new switch as a VTP client, and reset its revision number to zero before deploying into a production network.

There are two methods of resetting the revision number to zero on a switch:

  • Change the VTP domain name, and then change it back to the original name.
  • Change the VTP mode to transparent, and then change it back to either server or client. Transparent switches always a revision number of 0.

VTP has fallen out of favor, due to the risk of an unintentional overwrite of the VLAN database. Until very recently, Cisco did not support VTP on the Nexus platform of switches.

Configuring VTP

By default, a switch is in VTP server mode, and joined to a blank domain labeled NULL.

Switch(config)#  vtp domain MYDOMAIN

Note that the domain name is case sensitive.

The VTP domain can be secured using a password:

Switch(config)#  vtp password P@SSWORD!

The password is hashed into a 16-byte MD5 digest.

Cisco switches use VTP version 1 by default, which is not compatible with VTPv2. The VTP version is dictated by the VTP server, and if the server is configured for VTPv2, all other switches in the VTP domain will change to v2 as well.

Switch(config)#  vtp version 2

Switch#  show vtp status

Switch#  show vtp counters

VTP Pruning

Recall that Layer-2 switches belong to only one broadcast domain. A Layer-2 switch will thus forward both broadcasts and multicasts out every port in the same VLAN but the originating port. This includes sending out broadcasts out trunk ports to other switches, which will in turn flood that broadcast out all ports in the same VLAN. VTP pruning eliminates unnecessary broadcast or multicast traffic throughout the switching infrastructure. Consider the following example:

Assume that a host is connected to Switch B, in VLAN 300. If the host sends out a broadcast, Switch B will forward the broadcast out every port in VLAN 300, including the trunk ports to Switch A and Switch C. Both Switch A and Switch C will then forward that broadcast out every port in VLAN 300.However, Switch A does not have any ports in VLAN 300, and will drop the broadcast. Thus, sending the broadcast to Switch A is a waste of bandwidth.

VTP pruning allows broadcasts are only sent out the necessary trunk ports where those VLANs exist. In the preceding example, pruning would prevent VLAN 300 broadcasts from being sent to Switch A, and would prevent VLAN 100 and 200 broadcasts from being sent to Switch C.

VTP pruning is disabled by default on IOS switches. VTP pruning must be enabled on a server, and will be applied globally to the entire VTP domain:

Switch(config)#  vtp pruning

Both VLAN 1 and the system VLANs 1002-1005 are never eligible for pruning. To manually specify which VLANs are pruning eligible on a trunk:

Switch(config)#  interface gi2/24

Switch(config-if)#  switchport trunk pruning vlan 2-10

Switch(config-if)#  switchport trunk pruning vlan add 42

Switch(config-if)#  switchport trunk pruning vlan remove 5

Switch(config-if)#  switchport trunk pruning vlan except 100-200

Switch(config-if)#  switchport trunk pruning vlan none