
Thursday, October 7, 2010

Lesson 18 - VTP and VLAN Quiz

The last lesson presented the gory details behind inter-VLAN routing. Now, I would like you to play a little game with me. A simple quiz will check your understanding of both access and trunk ports. Have fun!

Study the first topology carefully (Pic. 1) and answer question 1.

Question 1: When PC1 sends broadcast frames (destination MAC address: FFFF.FFFF.FFFF), which computers are going to receive them?


NOTICE!
All switch-to-switch connections in Pic.1 are ACCESS ports.


Pic. 1 - Switches are connected using ACCESS mode (NOT a trunk mode).
Icons designed by: Andrzej Szoblik - http://www.newo.pl

The answer to question 1 can be found at the bottom of this post. But try not to cheat. Check the answer after you have provided yours ;).

Study the second topology carefully (Pic. 2) and answer question 2.

Pic. 2 - Switches are connected using TRUNKING mode.
Icons designed by: Andrzej Szoblik - http://www.newo.pl

Question 2: When PC1 sends broadcast frames (destination MAC address: FFFF.FFFF.FFFF), which computers are going to receive them?

The answer to question 2 can be found at the bottom of this post. But try not to cheat. Check the answer after you have provided yours ;).

Now, I can start our last lesson related to VLANs. It's about Cisco Vlan Trunking Protocol.

Vlan Trunking Protocol (VTP)
Cisco created this protocol to facilitate automatic VLAN distribution between switches that are connected by trunks. There is a similar, industry-standard protocol called GVRP. At first glance it appears to work like VTP, but there are some significant differences; use Google if you want to learn the details.

What Does VTP Do?
VTP is turned on by default, but a few things need to be configured for it to work. The idea is very simple: instead of typing in all the VLANs end-to-end (on every switch individually), you configure the VLANs on one switch only, and the same configuration is propagated to all switches in the network (in the VTP domain, to be more accurate). By 'the same configuration' I mean that the VLAN database is synchronized (exchanged) between all the switches. In other words, VLAN numbers and their names are exchanged. The port-to-VLAN assignments are NOT exchanged. Consider this example:

SW1(config)#vlan 4
SW1(config-vlan)#name IT_Dept
SW1(config-vlan)#end
SW1#

The above configuration creates VLAN 4 and assigns the name 'IT_Dept' to it. Within a split second, the same VLAN 4 named IT_Dept is populated into the database of all switches in the network (VTP domain).

How Does VTP Work?
As you recall from the lesson 16, VLAN configuration typically involves three steps:
  1. Configuring VLAN numbers in the 'global config' mode. Optionally, you can also give those VLANs unique names.
  2. Assigning interfaces to VLANs (access mode). Optionally, you can map MAC addresses to VLANs (access dynamic mode). But in order to use this method VMPS server is required.
  3. Configuring trunking connections between the switches (if the same VLANs are applied on all switches - aka end-to-end VLANs).
Even though VTP is turned on by default, a few things must be configured for VLANs to be distributed among switches.
  1. Switches must belong to the same VTP domain (the same domain name must be configured on the switches to synchronize their VLAN databases).
  2. If, optionally, switches use domain password, this password must be identical on all switches in the VTP domain.
  3. The connections between switches must be in the 'trunking mode' (it is Vlan TRUNKING Protocol after all).
  4. The VTP version must be the same on all switches (VTP versions 1, 2 and 3 exist).
VTP Modes
A Cisco switch can be configured in one of the three VTP modes:
  • VTP Server (default mode) - this mode allows you to add, remove and modify VLANs in the database. Everything is saved in NVRAM (Non-Volatile RAM, the memory that does not lose its content on power-down).
  • VTP Client - in this mode you CANNOT create VLANs in the local database. The only way for a VTP client to learn VLANs is to send an advertisement request. The server responds to it by sending information about the VLANs and their names used in the domain (subset advertisement).
  • VTP Transparent - similar to the server mode of operation. The major difference is that a transparent switch does NOT participate in the VTP domain: it does NOT synchronize its (local) VLAN database with any other switch, and it does NOT learn VLANs propagated by a VTP server. A transparent switch WILL forward VTP messages between other switches over its trunk ports.
The VTP server sends a special VTP frame, the summary advertisement, every 5 minutes out of all trunking ports. Among other pieces of information, this message includes:
  • VTP domain name
  • MD5 digest (if password is used in VTP domain)
  • Revision number

If there is a topology change (VLAN added, removed, name modified, etc.), the VTP server sends a new summary advertisement IMMEDIATELY with the revision number incremented. All other switches, upon receiving this message, compare it with their own VTP domain name, protocol version, MD5 digest (if used) and revision number. If the revision number in the incoming message is HIGHER than the last one seen, they send an advertisement request message towards the server. The VTP server responds with one or more subset advertisements describing all the VLANs found in its database. This new information replaces the old one on all other VTP client or server switches.
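To make the comparison sequence above easier to follow, the following Python model (an added example written for this post, not the blog's or Cisco's code) walks a summary advertisement through the domain, version, revision and MD5 checks. VtpSwitch, SummaryAdvert and vtp_digest are my own names, the switches and VLANs are constructed, and the digest is a simplified stand-in for the real VTP hash: it mixes the password into an MD5 over the domain, revision and VLAN list, so a peer that does not know the password cannot produce a digest the others will accept.

```python
from __future__ import annotations
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class SummaryAdvert:
    domain: str
    version: int
    revision: int
    digest: bytes


def vtp_digest(domain: str, password: str | None, revision: int, vlans: dict[int, str]) -> bytes:
    # Simplified stand-in for the VTP MD5 digest (assumption: the real protocol hashes a specific
    # byte layout). The principle is the same: the secret is mixed into the hash.
    material = f"{domain}|{password or ''}|{revision}|{sorted(vlans.items())}".encode()
    return hashlib.md5(material).digest()


class VtpSwitch:
    def __init__(self, name: str, mode: str = "server", domain: str = "",
                 password: str | None = None, version: int = 2):
        self.name, self.mode, self.domain, self.password, self.version = name, mode, domain, password, version
        self.revision = 0
        self.vlans: dict[int, str] = {1: "default"}

    def set_mode(self, mode: str) -> None:
        if mode == "transparent":
            self.revision = 0        # 'vtp mode transparent' clears the revision number
        self.mode = mode

    def add_vlan(self, vid: int, name: str) -> None:
        if self.mode == "client":
            raise PermissionError(f"{self.name}: VTP clients cannot create VLANs locally")
        self.vlans[vid] = name
        if self.mode == "server":
            self.revision += 1       # every change bumps the revision and triggers a new summary advert

    def summary_advertisement(self) -> SummaryAdvert:
        return SummaryAdvert(self.domain, self.version, self.revision,
                             vtp_digest(self.domain, self.password, self.revision, self.vlans))

    def subset_advertisement(self) -> dict[int, str]:
        return dict(self.vlans)      # VLAN ids and names only; port assignments are never exchanged

    def receive(self, advert: SummaryAdvert, sender: VtpSwitch) -> str:
        """Process a summary advertisement in the order the lesson describes; return what happened."""
        if self.mode == "transparent":
            return "relayed"                         # not applied locally, only forwarded over trunks
        if advert.domain != self.domain:
            return "ignored: domain mismatch"
        if advert.version != self.version:
            return "ignored: version mismatch"
        if advert.revision <= self.revision:
            return "ignored: revision not higher"
        # Higher revision: send an advertisement request and get the subset advertisement back.
        vlans = sender.subset_advertisement()
        if advert.digest != vtp_digest(self.domain, self.password, advert.revision, vlans):
            return "rejected: MD5 digest mismatch (password differs)"
        self.vlans, self.revision = vlans, advert.revision   # the server's database replaces ours
        return "updated"


def propagate(server: VtpSwitch, others: list[VtpSwitch]) -> dict[str, str]:
    advert = server.summary_advertisement()
    return {sw.name: sw.receive(advert, server) for sw in others}


def demo_domain() -> tuple[dict[str, str], dict[int, str]]:
    """Constructed domain CCNA / password Secret123: SW1 serves, SW2 is a client, SW3 is transparent."""
    sw1 = VtpSwitch("SW1", "server", "CCNA", "Secret123")
    sw2 = VtpSwitch("SW2", "client", "CCNA", "Secret123")
    sw3 = VtpSwitch("SW3", "transparent", "CCNA", "Secret123")
    sw1.add_vlan(4, "IT_Dept")
    return propagate(sw1, [sw2, sw3]), sw2.vlans


def demo_unknown_switch() -> tuple[str, str]:
    """A switch with the right domain name but no password, and ten VLAN edits behind it,
    is rejected; after 'vtp mode transparent' its revision is 0 and it is ignored outright."""
    sw2 = VtpSwitch("SW2", "client", "CCNA", "Secret123")
    newcomer = VtpSwitch("NEW", "server", "CCNA", None)
    for vid in range(2, 12):
        newcomer.add_vlan(vid, f"Vlan{vid:04d}")   # revision climbs to 10
    first = sw2.receive(newcomer.summary_advertisement(), newcomer)
    newcomer.set_mode("transparent")
    newcomer.set_mode("server")
    second = sw2.receive(newcomer.summary_advertisement(), newcomer)
    return first, second
```

demo_domain() shows the normal flow (the client is updated, the transparent switch only relays). demo_unknown_switch() shows the two precautions this post comes back to in the configuration steps: a newly connected switch carrying the right domain name but no password fails on the digest, and after 'vtp mode transparent' its revision is back at 0, so its advertisements are ignored. The model also makes clear what the precautions are for: a switch with the correct domain and password and a higher revision would be accepted and its database would replace the local one, which is why the revision is cleared before a switch is connected.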

VTP Pruning
Vlan Trunking Protocol offers one more interesting feature called: PRUNING. It allows the switches to communicate over trunks which VLAN traffic should not be sent down from the upstream switch. Consider the Pic. 3 below:

Pic. 3 - VTP VLAN Pruning Example.
Icons designed by: Andrzej Szoblik - http://www.newo.pl

If SW1 sends a broadcast from VLAN 10, the frames are flooded out of all active ports in VLAN 10 as well as the trunking ports. Recall that ports in trunking mode are multi-VLAN ports allowing ALL VLANs by default (VLANs 1-4094). SW2 receives the VLAN 10 broadcast on its interface F0/13, but then realizes that currently there are NO members of VLAN 10 connected to any of its ports.

When VTP pruning is enabled, SW2 informs SW1 (Pic. 3) that it does not want to receive traffic from VLAN 10. Should you connect at least one host in VLAN 10 to SW2, though, it sends another request so that VLAN 10 is no longer pruned on SW1's trunk port F0/13. This happens automatically without any further configuration.

Of course, if you do not want to use VTP, you do not have to. You can configure VLANs manually on all switches of yours. Also, you can prune the traffic on trunk ports manually. The command is shown below:

SW1#conf t
SW1(config)#interface f0/13
SW1(config-if)#switchport trunk encapsulation dot1q
SW1(config-if)#switchport mode trunk
SW1(config-if)#switchport trunk allowed vlan 10,15,22
SW1(config-if)#

The above configuration allows only VLANs 10, 15 and 22 to cross the trunk f0/13 (the 'switchport trunk allowed vlan' command).
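Working out by hand which VLANs a trunk actually needs gets error-prone once there are more than two switches, so here is an added Python helper (my own example, not the blog's or Cisco's code) that computes the manual equivalent of VTP pruning: for each trunk it keeps only the VLANs that have members on both sides of the link and prints the allowed list in the CLI's range syntax. The four-switch topology and VLAN membership are constructed; side_vlans, ios_vlan_list and trunk_allowed_config are my names; the topology is assumed to be loop-free.

```python
from __future__ import annotations
from collections import defaultdict

# Constructed example topology (loop-free; not the blog's Pic. 3 or Pic. 4). MEMBERS lists, per
# switch, the VLANs that actually have local members (hosts on access ports, or a router-on-a-stick
# sub-interface). LINKS are the trunks as ((switch, port), (switch, port)) pairs.
MEMBERS = {"SW1": {10, 11, 12, 20}, "SW2": {10, 11, 12}, "SW3": {20, 30}, "SW4": {30}}
LINKS = [(("SW1", "f0/13"), ("SW2", "f0/13")),
         (("SW2", "f0/14"), ("SW3", "f0/15")),
         (("SW2", "f0/16"), ("SW4", "f0/1"))]


def side_vlans(members, trunks, start, exclude) -> set[int]:
    """VLANs with members anywhere on the 'start' side of the start-exclude trunk (tree walk)."""
    found, stack, seen = set(), [start], {start, exclude}
    while stack:
        sw = stack.pop()
        found |= members.get(sw, set())
        for nbr in trunks[sw]:
            if nbr not in seen:
                seen.add(nbr)
                stack.append(nbr)
    return found


def ios_vlan_list(vlans) -> str:
    """Format {10, 11, 12, 15, 22} the way the CLI accepts it: '10-12,15,22'."""
    parts, run = [], []
    for v in sorted(vlans) + [None]:
        if run and (v is None or v != run[-1] + 1):
            parts.append(str(run[0]) if len(run) == 1 else f"{run[0]}-{run[-1]}")
            run = []
        if v is not None:
            run.append(v)
    return ",".join(parts)


def trunk_allowed_config(members, links) -> dict[tuple[str, str], str]:
    """For every trunk port: the allowed-VLAN list that prunes everything the far side never needs.
    A VLAN must cross a link only if it has members on BOTH sides, so the list is the intersection."""
    trunks, port_of = defaultdict(list), {}
    for (a, pa), (b, pb) in links:
        trunks[a].append(b)
        trunks[b].append(a)
        port_of[(a, b)], port_of[(b, a)] = pa, pb
    config = {}
    for (a, _), (b, _) in links:
        needed = side_vlans(members, trunks, a, b) & side_vlans(members, trunks, b, a)
        config[(a, port_of[(a, b)])] = ios_vlan_list(needed)
        config[(b, port_of[(b, a)])] = ios_vlan_list(needed)
    return config


def cli_lines(config) -> list[str]:
    """Render the result as the commands you would paste into each switch."""
    lines = []
    for (sw, port), allowed in sorted(config.items()):
        lines += [f"! {sw}", f"interface {port}", f" switchport trunk allowed vlan {allowed}"]
    return lines


if __name__ == "__main__":
    print("\n".join(cli_lines(trunk_allowed_config(MEMBERS, LINKS))))
```

In the constructed topology VLAN 30 has members only on SW3 and SW4, so it is allowed on both of SW2's trunks towards them but never on the SW1-SW2 link, which is exactly what VTP pruning would negotiate on its own; the difference is that this list is static and has to be revisited when a host is moved.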

VTP Configuration
In order to illustrate configuration steps, I am going to use the same topology as in a few previous posts.

Pic. 4 - Topology Diagram
Icons designed by: Andrzej Szoblik - http://www.newo.pl

The default configuration looks like the output below: 'show vtp status'.

Pic. 5 - Default VTP settings.
Well, in my output the only setting that is not at its default is the 'Number of existing VLANs'. I have one VLAN configured (VLAN 500), which is my management VLAN allowing me to access the switch remotely.

As you can notice, the VTP mode is server and the domain name is empty (no domain name configured). So, the switch allows you to configure VLANs, but the database is not going to be propagated to other switches. Below are the steps for introducing the VTP protocol for the first time.


NOTICE!
The command: vtp mode transparent in the 'global config' mode will clear the revision number back to '0'.


In my topology I am going to use the secure way of introducing VTP protocol FOR THE FIRST TIME!!!

Step 1
Clear the revision number on all the switches by typing the following in the 'global config' mode:

switch(config)#vtp mode transparent
switch(config)#

Step 2
Initially, I am going to use SW1 as the VTP server, SW2 and SW3 as the VTP clients.

SW1(config)#vtp mode server
SW1(config)#

SW2(config)#vtp mode client
SW2(config)#

SW3(config)#vtp mode client
SW3(config)#

Step 3
Configure VTP domain on SW1 (here domain name = CCNA).

SW1(config)#vtp domain CCNA


NOTICE!
SW1 is going to propagate the domain name (CCNA) to all other switches. They will learn it on their trunk ports. Trunk ports were configured in my previous lab.


Step 4
Apply the same password (the MD5 algorithm is used) on all switches, so that if somebody plugs in a new switch, that switch, lacking the password, cannot change the VLANs configured so far. Here the password used is: Secret123

SW1(config)#vtp password Secret123
SW1(config)#

SW2(config)#vtp password Secret123
SW2(config)#

SW3(config)#vtp password Secret123
SW3(config)#

Step 5 (Optional)
Enable VTP pruning to save bandwidth by not transmitting the broadcast traffic towards switches that have no members of VLANs defined in their databases. If you configure this on SW1 (server), this will enable pruning on all switches in our VTP domain.

SW1(config)#vtp pruning

If you want to make other switches servers, you can change their mode of operation now.

This way we have introduced a VTP domain, and now you can add, remove and modify VLANs on one switch (a VTP server), and all these changes will be propagated to all switches (VTP servers or clients) in your domain CCNA.

I will have two videos recorded soon. The first one will explain the answers to my quiz presented above. The second one will show you how VTP can cause serious problems in your network if you do not take the right precautions.

And now, let me give you the answers to the quiz questions.

The answer to question 1 (pic. 1):
The broadcast frames sent by PC1 will be sent to PC2 and PC5.

Explanation:
1. If the switch connections are not trunks, the sending switch floods the broadcast out of all ports that belong to the same VLAN, except the one it was received on. The sending port does not include a VLAN tag (number), since only TRUNK ports attach the extra 4 bytes carrying the sending VLAN id (tag).

2. The receiving switchport accepts the frame without the TAG because it is an access port (not a trunk). It assumes that the frame belongs to the VLAN number it was configured to use locally (it makes no difference whether a computer, printer, router or another switch is connected to the port). It does what the first switch did: it interprets the incoming frame as belonging to the VLAN it was configured with ('switchport access vlan #'). Since the frame's destination address is broadcast, it floods it out of all ports that belong to the same VLAN number as the receiving port.

3. The next switch receiving this frame follows step 2.

The best way is to experiment: two switches and three computers (one sender on SW1 and two receivers on SW2) with Wireshark enabled. ;)
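To make the rules above concrete, here is an added Python simulation (my own example, not code from the blog or from Cisco) of how access and trunk ports handle a broadcast. The topology inside it is constructed for the demonstration and is not the quiz picture: two switches joined on f0/13, PC1 and PC2 in VLAN 10 and PC3 in VLAN 20 on SW1, PC4 in VLAN 10 and PC5 in VLAN 20 on SW2. Port, Frame and Network are names I made up, and the native VLAN of a trunk is assumed to be 1, the Cisco default.

```python
from __future__ import annotations
from collections import deque
from dataclasses import dataclass

ALL_VLANS = frozenset(range(1, 4095))   # a trunk allows 1-4094 unless restricted


@dataclass(frozen=True)
class Frame:
    src: str
    dst: str
    tag: int | None = None   # 802.1Q VLAN id carried in the frame; None means untagged


@dataclass
class Port:
    mode: str                        # "access" or "trunk"
    vlan: int = 1                    # access VLAN; for a trunk, the native VLAN (assumed Cisco default 1)
    allowed: frozenset = ALL_VLANS   # trunk only: 'switchport trunk allowed vlan ...'


def classify_ingress(port: Port, frame: Frame) -> int | None:
    """Which VLAN does an arriving frame belong to? None means the port drops it."""
    if port.mode == "access":
        return port.vlan                      # whatever arrives is treated as the port's own VLAN
    if frame.tag is None:
        return port.vlan                      # untagged on a trunk lands in the native VLAN
    return frame.tag if frame.tag in port.allowed else None


def build_egress(port: Port, vlan: int, frame: Frame) -> Frame | None:
    """The frame as it leaves the port, or None if the port does not carry that VLAN."""
    if port.mode == "access":
        return Frame(frame.src, frame.dst, None) if port.vlan == vlan else None   # never tagged
    if vlan not in port.allowed:
        return None
    return Frame(frame.src, frame.dst, None if vlan == port.vlan else vlan)     # 4-byte tag added


class Network:
    def __init__(self) -> None:
        self.switches: dict[str, dict[str, Port]] = {}
        self.links: dict[tuple[str, str], tuple[str, str]] = {}   # (switch, port) <-> (switch, port)
        self.hosts: dict[str, tuple[str, str]] = {}                # host -> (switch, port)

    def add_switch(self, name: str, ports: dict[str, Port]) -> None:
        self.switches[name] = ports

    def link(self, a: tuple[str, str], b: tuple[str, str]) -> None:
        self.links[a], self.links[b] = b, a

    def attach_host(self, host: str, switch: str, port: str) -> None:
        self.hosts[host] = (switch, port)

    def broadcast_receivers(self, sender: str) -> set[str]:
        """Hosts that receive a broadcast sent by 'sender' (hosts send untagged frames)."""
        port_to_host = {sp: h for h, sp in self.hosts.items()}
        received: set[str] = set()
        seen: set[tuple[str, str, int | None]] = set()
        queue = deque([(*self.hosts[sender], Frame(sender, "FFFF.FFFF.FFFF"))])
        while queue:
            sw, in_port, frame = queue.popleft()
            if (sw, in_port, frame.tag) in seen:      # loop guard; Spanning-Tree is out of scope here
                continue
            seen.add((sw, in_port, frame.tag))
            vlan = classify_ingress(self.switches[sw][in_port], frame)
            if vlan is None:
                continue
            for out_name, out_port in self.switches[sw].items():
                if out_name == in_port:               # flood everywhere except the ingress port
                    continue
                out = build_egress(out_port, vlan, frame)
                if out is None:
                    continue
                if (sw, out_name) in port_to_host:
                    received.add(port_to_host[(sw, out_name)])
                elif (sw, out_name) in self.links:
                    peer_sw, peer_port = self.links[(sw, out_name)]
                    queue.append((peer_sw, peer_port, out))
        return received


def quiz_topology(sw1_uplink: Port, sw2_uplink: Port) -> Network:
    """Constructed two-switch topology (not the blog's Pic. 1/2); only the f0/13 link varies."""
    net = Network()
    net.add_switch("SW1", {"f0/1": Port("access", 10), "f0/2": Port("access", 10),
                           "f0/3": Port("access", 20), "f0/13": sw1_uplink})
    net.add_switch("SW2", {"f0/1": Port("access", 10), "f0/2": Port("access", 20),
                           "f0/13": sw2_uplink})
    net.link(("SW1", "f0/13"), ("SW2", "f0/13"))
    for host, sw, port in [("PC1", "SW1", "f0/1"), ("PC2", "SW1", "f0/2"), ("PC3", "SW1", "f0/3"),
                           ("PC4", "SW2", "f0/1"), ("PC5", "SW2", "f0/2")]:
        net.attach_host(host, sw, port)
    return net


def access_link_receivers() -> set[str]:
    """Pic. 1 situation: switch-to-switch ports are ACCESS ports (SW1 side VLAN 10, SW2 side VLAN 20)."""
    return quiz_topology(Port("access", 10), Port("access", 20)).broadcast_receivers("PC1")


def trunk_link_receivers() -> set[str]:
    """Pic. 2 situation: the switch-to-switch link is an 802.1Q trunk."""
    return quiz_topology(Port("trunk"), Port("trunk")).broadcast_receivers("PC1")


def restricted_trunk_receivers() -> set[str]:
    """A trunk with 'switchport trunk allowed vlan 20' on SW1: VLAN 10 never leaves SW1."""
    return quiz_topology(Port("trunk", allowed=frozenset({20})), Port("trunk")).broadcast_receivers("PC1")
```

With the inter-switch ports in access mode (SW1 side in VLAN 10, SW2 side in VLAN 20) the untagged broadcast is re-classified into VLAN 20 on SW2, so it reaches PC5 and not PC4, which is the cross-VLAN effect step 2 describes. With a trunk, the 802.1Q tag keeps it in VLAN 10 and PC4 receives it. The third function shows a trunk whose allowed list omits VLAN 10, so the broadcast stays on SW1.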


The answer to question 2 (pic. 2):
The broadcast frames sent by PC1 will be sent to PC3 and PC6.

In my next post I will talk about Spanning-Tree Protocol. 

Sunday, October 3, 2010

Lesson 17 - Inter VLAN Traffic Flow Analysis

In Lesson 16, you had a chance to see how to implement a simple VLAN scenario. It is relatively easy to configure VLANs, but what is far more important is to understand the traffic flow between them. This post is going to show you, step by step, how traffic flows between VLAN 10 and VLAN 20 used in the previous lesson.

Fancy a little, virtual journey between VLANs?

Our topology looks like this:

Pic. 1 - Topology Diagram
Icons designed by: Andrzej Szoblik - http://www.newo.pl

In our scenario, PC1 (source) is going to send the packet to PC2 (destination). Let's jump on the packet and see what happens, shall we?

NOTICE!
MAC addresses use hexadecimal notation and are case insensitive (i.e. lower or upper case are interpreted as the same address).

PC1 (hostname=ancient) Addresses:
IP: 192.168.10.1/24
MAC: 0050.BF9C.456A
Gateway: 192.168.10.254

PC2 (hostname=red) Addresses:

IP: 192.168.20.1/24
MAC: 0010.5AD3.E4E0
Gateway: 192.168.20.254

NOTICE!
R1's interface FastEthernet0/0 has been configured as two sub-interfaces, but the MAC address used by both of them is the same (real MAC address of Fas0/0)

R1 Addresses:

Gateway for VLAN 10 clients (sub-interface)
F0/0.10
IP: 192.168.10.254/24

Gateway for VLAN 20 clients
F0/0.20

IP: 192.168.20.254/24


F0/0 (both sub-interfaces use the real MAC below)
MAC:  000F.F752.EFE0

Having learned all these addresses we can finally hit the road!

Step 1
PC1 (ancient) wants to send a packet to PC2 (red). Since the IP address of the PC2 (destination) is NOT in the same layer 3 network as PC1 (source), it must be delivered to the default gateway. PC1 checks the destination IP by comparing its own 24 bits of the IP address (it uses 24 bit subnet mask=255.255.255.0) with 24 bits of the destination IP address.
192.168.10.0 (first 24 bits of PC1 in decimal notation)
192.168.20.0 (first 24 bits of PC2 in decimal notation)

The first sixteen bits (two bytes) are identical, but the third byte is NOT!

The packet must be sent to PC1's default gateway (192.168.10.254).

Step 2
The packet is encapsulated in a layer 2 Ethernet header. The source MAC address is PC1's (ancient=0050.BF9C.456A) and the destination MAC address must be the default gateway's MAC address. PC1 (ancient) tries to find the mapping of the default gateway's IP to its MAC address, as shown below. If one is not found, an ARP request is sent asking for it. In my case PC1 has it.

Pic. 2 - PC1 (ancient) ARP cache has mapping of R1's IP to its MAC address.
IP packet is encapsulated in the Ethernet header:
Src IP=192.168.10.1
Dst IP=192.168.20.1
Src MAC=0050.BF9C.456A
Dst MAC=000F.F752.EFE0

Those addresses are NOT going to change until the frame is delivered to the R1 router (look at step 7).

The frame leaves PC1 (ancient) and is sent towards SW1, interface F0/1.

Step 3
SW1 receives the frame on port F0/1. It learns or refreshes its MAC address table entry (PC1's source MAC address on F0/1). Remember, that F0/1 is now an 'access' port assigned to VLAN 10! This means, that all traffic coming to that port is considered as sourced by VLAN 10.

Pic. 3 - SW1 CAM entry for PC1.


SW1 must now find the outbound port for our destination MAC address (R1=000F.F752.EFE0).

Step 4
SW1 looks into its Content Addressable Memory (CAM) aka MAC address table, and finds the outbound port showing where the destination MAC has been previously learned.

Pic. 4 - SW1 outbound interface.

SW1 performs an additional check. It must make sure that the inbound interface (F0/1) and the outbound one (F0/15) belong to the SAME VLAN. As the F0/15 (outbound) interface is in a trunking mode, and allows ALL VLANs by default, the frame can be sent out that port. The frame is moved to the outbound interface (F0/15) and the TAG is going to be injected with the source VLAN identifier (VLAN 10).

Step 5
SW3 receives the frame on port F0/15 with the TAG containing source VLAN 10. It refreshes the entry for the sender's MAC address (0050.BF9C.456A) on port F0/15. As this interface is also configured as a trunk, it accepts the frame with the 802.1Q TAG inserted. It then processes the frame, trying to find the outbound interface by looking at the destination MAC address (000F.F752.EFE0). The entry is found in the CAM as shown below (Pic. 5).

Pic. 5 - Default Gateway MAC address Entry on SW3.

The SW3 realizes that the outbound port is also a trunk interface. The frame is moved to F0/1 interface and the TAG (with source VLAN 10) is going to be preserved while sending this frame towards R1's F0/0 interface.

Step 6
Here's a tricky part. Normally, the R1 would expect to see just a regular Ethernet header (no TAG in it), but R1 has been configured to accept frames with the TAG containing VLAN 10 in it! Look at the picture below.

Pic. 6 - R1 accepts Ethernet header with the TAG containing VLAN 10 identifier.

Can you see this line: encapsulation dot1Q 10?

The TAG with VLAN 10 is allowed on this sub-interface. Now, since the layer 2 header is no longer needed (remember that a router is a layer 3 device), it is stripped off and discarded. What is now being processed is the IP header. R1 reads the destination IP address (192.168.20.1) and tries to find the outbound interface in the routing table.

Step 7
The destination IP address (192.168.20.1) is compared with the entries in the routing table. The longest prefix that matches our destination points to the F0/0.20 sub-interface (Pic. 7). According to the routing table, the destination IP address (192.168.20.1) is directly connected to R1 (sub-interface F0/0.20).

Pic. 7 - R1 routing table.

The packet is moved from F0/0.10 sub-interface (inbound), to the F0/0.20 sub-interface (outbound).

Step 8
Since the interface is also configured with encapsulation dot1Q, the packet is going to be encapsulated with new source and destination MAC addresses and the TAG with the new source VLAN identifier (VLAN 20). Take a look at the picture below (pic. 8).

Pic. 8 - R1's outbound sub-interface configuration.


Step 9
R1 encapsulates the IP packet in the Ethernet header as follows:
Src IP=192.168.10.1
Dst IP=192.168.20.1
Src MAC=000F.F752.EFE0
Dst MAC=0010.5AD3.E4E0 (PC2)
VLAN ID=20

Since the destination of the packet is directly connected to R1, the destination MAC address (that of PC2) is looked up in the ARP cache on R1. If no entry is found, R1 sends an ARP request asking for it, since the destination is on a directly connected network.

Pic. 9 - ARP Cache on R1 shows MAC address for 192.168.20.1 (the last entry).

Step 10
The frame leaves sub-interface F0/0.20 with the TAG containing source VLAN 20 identifier as per R1's configuration (pic. 8).

Step 11
SW3 receives the frame on its F0/1 interface, but this time the MAC addresses look like below:
Src MAC: 000F.F752.EFE0 (R1's f0/0)
Dst MAC: 0010.5AD3.E4E0 (PC2)

SW3 refreshes the source MAC on its F0/1 interface. Since it is configured as a trunk port, the TAG containing source VLAN 20 is allowed to be there.

Step 12
SW3 processes the frame and reads the destination MAC address (0010.5AD3.E4E0), trying to find the outbound interface for that destination. The entry is found, pointing to F0/15 as the outbound interface (Pic. 10).

Pic. 10 - SW3 entry for PC2 MAC address.


Step 13
The frame is delivered back to F0/15 of SW1. SW1 refreshes the source MAC address (000F.F752.EFE0) on its interface F0/15 and looks up its CAM table trying to find the outbound interface for our destination MAC address (PC2). One is found, as shown below.

Pic. 11 - SW1 finds the outbound interface for destination MAC (PC2)


Since both the inbound and the outbound ports are trunks, the frame is sent out that port carrying the VLAN 20 tag. You can now guess what happens when the frame is delivered to SW2 port F0/13. The source MAC address is refreshed on that port in the MAC address table (the source here is R1's MAC address). The inbound interface F0/13 on SW2 is configured as a trunk port, so it allows the TAG to be part of the Ethernet header. SW2's outbound interface is F0/1. Since this port is configured as an 'access' interface and is a member of VLAN 20, the source and destination VLANs are the same. The frame is moved to port F0/1, the TAG is removed, as the outbound port is in 'access mode', and the frame is finally sent to PC2.
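The same journey, reduced to the layer 3 decisions made at each end (the host's same-subnet test and ARP lookup, the router's tag check, longest-prefix lookup and re-encapsulation), as an added Python example that is not code from the blog. It uses the addresses listed at the top of this post; the Host and Router classes, the pre-filled ARP caches (as Pic. 2 and Pic. 9 show them) and the trace_pc1_to_pc2() helper are my own, and the switches' tagging and untagging is reduced to replacing the vlan field, which is enough to show what reaches R1 and what reaches PC2.

```python
from __future__ import annotations
from dataclasses import dataclass, replace
from ipaddress import IPv4Interface, ip_address


@dataclass(frozen=True)
class Frame:
    src_ip: str
    dst_ip: str
    src_mac: str
    dst_mac: str
    vlan: int | None        # 802.1Q tag; None on access ports (untagged)


class Host:
    def __init__(self, name: str, iface: str, mac: str, gateway: str, arp: dict[str, str]):
        self.name, self.iface, self.mac, self.gateway = name, IPv4Interface(iface), mac, gateway
        self.arp = dict(arp)    # IP -> MAC; constructed cache, a real host would ARP for misses

    def next_hop(self, dst_ip: str) -> str:
        """Step 1: same layer 3 network -> deliver directly, otherwise -> default gateway."""
        return dst_ip if ip_address(dst_ip) in self.iface.network else self.gateway

    def send(self, dst_ip: str) -> Frame:
        """Step 2: Ethernet header with the next hop's MAC taken from the ARP cache."""
        hop = self.next_hop(dst_ip)
        if hop not in self.arp:
            raise LookupError(f"{self.name}: no ARP entry for {hop}, an ARP request would go out first")
        return Frame(str(self.iface.ip), dst_ip, self.mac, self.arp[hop], None)


class Router:
    def __init__(self, mac: str, subifs: dict[str, tuple[str, int]], arp: dict[str, str]):
        self.mac = mac                                   # one real MAC shared by all sub-interfaces
        # sub-interface -> (address, VLAN from 'encapsulation dot1Q <vlan>')
        self.subifs = {n: (IPv4Interface(a), v) for n, (a, v) in subifs.items()}
        self.arp = dict(arp)

    def lookup(self, dst_ip: str) -> str:
        """Step 7: longest-prefix match over the directly connected networks."""
        addr = ip_address(dst_ip)
        matches = [(i.network.prefixlen, n) for n, (i, _) in self.subifs.items() if addr in i.network]
        if not matches:
            raise LookupError(f"no route to {dst_ip}")
        return max(matches)[1]

    def forward(self, frame: Frame) -> tuple[str, Frame]:
        """Steps 6-10: accept on the sub-interface whose tag matches, route, re-encapsulate."""
        if not any(v == frame.vlan for _, v in self.subifs.values()):
            raise ValueError(f"no sub-interface accepts VLAN tag {frame.vlan}")
        if frame.dst_mac.upper() != self.mac.upper():    # MAC addresses are case-insensitive hex
            raise ValueError("frame is not addressed to the router")
        out_subif = self.lookup(frame.dst_ip)            # L2 header discarded, IP header routed
        _, out_vlan = self.subifs[out_subif]
        if frame.dst_ip not in self.arp:                 # connected network: ARP for the host itself
            raise LookupError(f"no ARP entry for {frame.dst_ip}, R1 would ARP on {out_subif}")
        return out_subif, Frame(frame.src_ip, frame.dst_ip, self.mac, self.arp[frame.dst_ip], out_vlan)


def trace_pc1_to_pc2() -> dict:
    """The post's addresses; ARP caches pre-filled as Pic. 2 and Pic. 9 show them."""
    pc1 = Host("ancient", "192.168.10.1/24", "0050.BF9C.456A", "192.168.10.254",
               {"192.168.10.254": "000F.F752.EFE0"})
    r1 = Router("000F.F752.EFE0",
                {"F0/0.10": ("192.168.10.254/24", 10), "F0/0.20": ("192.168.20.254/24", 20)},
                {"192.168.20.1": "0010.5AD3.E4E0"})
    f_pc1 = pc1.send("192.168.20.1")            # step 2: untagged, destination MAC = gateway
    f_trunk = replace(f_pc1, vlan=10)           # step 4: SW1 access port 10 -> trunk adds tag 10
    out_subif, f_r1 = r1.forward(f_trunk)       # steps 6-10: routed, new MACs, tag 20
    f_pc2 = replace(f_r1, vlan=None)            # step 13: SW2 access port strips the tag
    return {"out_subif": out_subif, "frames": [f_pc1, f_trunk, f_r1, f_pc2]}
```

The IP addresses are the same in all four frames; only the MAC addresses and the tag change, which is the point of steps 2 and 9. The router's tag check is also why the 'encapsulation dot1Q 10' line matters: a frame tagged with a VLAN that no sub-interface is configured for is refused.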

You may now be wondering why the path between the two VLANs looks like this. Why does SW3 not send the frame directly to SW2 but it sends it back through SW1?

In order to answer that question, I must explain the details of Spanning-Tree Protocol. But this is the topic I will focus on in the upcoming lessons (starting with lesson 19).

Before we leave VLANs for good, I would like to dedicate one more lesson to it. In this lesson (lesson 18) I will try to help you check if you truly understand the implications of using VLANs, access and trunking interfaces. I'll also show you Cisco proprietary protocol called Vlan Trunking Protocol (VTP). This protocol is used to disseminate the VLANs among switches automatically.

Saturday, October 2, 2010

Lesson 16 - VLANs In Practice

Lesson 15 introduced another layer 2 concept called VLANs (Virtual Local Area Networks). If you understand their purpose, it is time to get the juices flowing by configuring them.

In this post, I am going to show you how to configure VLANs in a simple design, routing between VLANs and how to verify their operation. I am going to use the following network topology to accomplish our goals (Pic. 1).


Pic. 1 - VLAN Topology
Icons designed by: Andrzej Szoblik - http://www.newo.pl


NOTICE!
In my testing topology (pic.1) I have already configured the management VLAN (500), for the purpose of accessing the switches and R1 remotely from my computer.

VLANs 10 and 20, as well as the R1 routing configuration, have not been configured yet. This is going to be our main task in this lesson.


Before we begin, take a closer look at the topology. Please pay special attention to the IP addresses of the computers. Have you noticed that they belong to two DIFFERENT layer 3 networks? The numbers below denote the network addresses, and they are different. If you are not familiar with IP addresses and have no clue what I'm talking about, don't worry. I'm going to explain those in the upcoming lessons.
  • PC1 address is 192.168.10.1 255.255.255.0 
  • PC2 address is 192.168.20.1 255.255.255.0

For now though, take for granted that if computers are members of different layer 3 networks, the applications installed on them cannot communicate without a router.

Okay, it's time to type in our first command: show vlans.

Pic. 2 - 'show vlans' command.

The output (Pic.2) gives you a plethora of information. Take a closer look and then read on to know what you're looking at.

  1. VLAN - This column shows all VLANs that exist in the switch database. In the case of my switch, there is only one VLAN I have created (VLAN 500). I've named it HOME_LAN. I use it to be able to access my equipment using Telnet. All other VLANs listed exist on the switch by default. You can safely ignore VLANs 1002-1005, as they are not even supported by the switch. The important one is VLAN 1, which is the default VLAN. All interfaces belong to VLAN 1 by default.
  2. Name - This column lists the names given to VLANs. Switches use numbers to differentiate between VLANs, not names. You name VLANs using friendly names, so we know which VLAN number is which group. If you do not give a name to a newly created VLAN, the default name is given (e.g. Vlan0002 for VLAN 2, Vlan0003 for VLAN 3 etc.).
  3. Status - It tells you which VLANs are active and supported by the switch. If you delete a VLAN from the database and a port is still configured as a member of that VLAN, the port is not going to forward any frames. The default VLAN (VLAN 1) CANNOT be removed. You can try, but it won't work.
  4. Ports - The last column, shows which ports belong to VLANs. Simple as that. In order to change VLAN's membership of the interface, you have to do it manually.
Below, you can see some additional parameters related to the VLANs such as MTU (Maximum Transmission Unit), which for Ethernet is 1500 bytes.

A more handy command is: show vlan brief. Take a look at its output (pic. 3).

Pic. 3 - 'show vlan brief' output.

This is probably the more often used command if you want to check VLANs and port membership.

Interfaces have default settings which are not seen in the running configuration:
show running-config.

In order to verify what are the default settings of the interface use the following command (here interface f0/1 is used):
show interface f0/1 switchport.

Familiarize yourself with the output of this command. Pay a special attention to the lines I highlighted.

Pic. 4 - 'show interface f0/1 switchport' output.


Recall from the previous lesson (Lesson 15) the two types of the ports used in VLAN infrastructure: trunk and access. I need to ramble a tad more before we proceed to the configuration.

  1. Administrative Mode: dynamic desirable - This option means that the port is running Dynamic Trunking Protocol (DTP). A port in this mode (the default setting on this particular switch) sends special frames to the device connected to it, trying to negotiate a trunk connection. If the other end responds to this proposal, both interfaces become trunks. Since in my case it is a PC that is connected to port F0/1, and it did not respond to this negotiation (no DTP), the port became 'static access' (a member of one VLAN only).
  2. Operational Mode: static access – This tells you what the real mode of the port is. Here, the interface did not negotiate trunk connections so automatically became an 'access' interface.
  3. Negotiation of Trunking: On – This option informs you, that the DTP protocol is active on the interface. The port will be sending DTP frames out trying to negotiate trunk mode.
  4. Access Mode VLAN: 1 (default) – Since the interface did not become trunk, and there is no manual configuration regarding the VLAN it should belong to, the interface ended up as a member of the default VLAN (VLAN 1).
  5. Trunking VLANs Enabled: All – In case the interface transitions to a trunking mode, ALL VLANs are going to be allowed on this interface (1-4094).
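A practitioner checking these fields usually does it across many ports at once, so here is an added Python script (mine, not the blog's or Cisco's) that parses output in the shape of 'show interface switchport' and flags the conditions discussed above: a host-facing port still in 'dynamic desirable' with DTP on, a host port left in VLAN 1, and a trunk that allows every VLAN. The sample text is constructed (only the field names the lesson discusses plus the 'Name:' line, with made-up values), parse_switchport, audit and run_sample are my names, and which ports face hosts is supplied by the caller.

```python
from __future__ import annotations
import re

# Constructed sample in the shape of 'show interface switchport' output. Only the field names the
# lesson discusses (plus 'Name:') are used; the values are made up for the demonstration.
SAMPLE_OUTPUT = """\
Name: Fa0/1
Administrative Mode: dynamic desirable
Operational Mode: static access
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking VLANs Enabled: ALL

Name: Fa0/2
Administrative Mode: static access
Operational Mode: static access
Negotiation of Trunking: Off
Access Mode VLAN: 10 (IT_Dept)
Trunking VLANs Enabled: ALL

Name: Fa0/15
Administrative Mode: trunk
Operational Mode: trunk
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking VLANs Enabled: 10,20

Name: Fa0/16
Administrative Mode: trunk
Operational Mode: trunk
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking VLANs Enabled: ALL
"""


def parse_switchport(text: str) -> dict[str, dict[str, str]]:
    """One {field: value} dict per interface, keyed by the 'Name:' line that starts each block."""
    ports: dict[str, dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        field, _, value = line.partition(":")
        field, value = field.strip(), value.strip()
        if field == "Name":
            current = ports.setdefault(value, {})
        elif current is not None:
            current[field] = value
    return ports


def access_vlan(fields: dict[str, str]) -> int:
    """'Access Mode VLAN: 10 (IT_Dept)' -> 10."""
    return int(re.match(r"\d+", fields.get("Access Mode VLAN", "1")).group())


def audit(ports: dict[str, dict[str, str]], host_ports: set[str]) -> dict[str, list[str]]:
    """Findings per port. Host-facing ports should be unconditional access ports with DTP off and
    a non-default VLAN; trunks should carry only the VLANs they need."""
    findings: dict[str, list[str]] = {}
    for name, f in ports.items():
        issues = []
        if name in host_ports:
            if f.get("Administrative Mode") != "static access":
                issues.append("host port can still negotiate a trunk: use 'switchport mode access'")
            if f.get("Negotiation of Trunking") == "On":
                issues.append("DTP frames are sent on a host port")
            if access_vlan(f) == 1:
                issues.append("host port left in default VLAN 1: use 'switchport access vlan <n>'")
        elif f.get("Operational Mode") == "trunk" and f.get("Trunking VLANs Enabled", "").upper() == "ALL":
            issues.append("trunk allows all VLANs: restrict with 'switchport trunk allowed vlan ...'")
        if issues:
            findings[name] = issues
    return findings


def run_sample() -> dict[str, list[str]]:
    """Fa0/1 and Fa0/2 face hosts in the constructed sample; Fa0/15 and Fa0/16 are uplinks."""
    return audit(parse_switchport(SAMPLE_OUTPUT), host_ports={"Fa0/1", "Fa0/2"})
```

In the sample, Fa0/1 is the port described in the list above (dynamic desirable, DTP on, VLAN 1) and collects three findings, Fa0/2 has been configured the way Step 2 of the configuration below does it and is clean, and of the two trunks only the one still allowing ALL VLANs is reported.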

Now, it is time to define our configuration tasks and complete our mission.

CONFIGURATION STEPS

Given the topology diagram (pic. 1), configure the following:
  1. Configure end-to-end VLANs (the same set of VLANs on all switches).
  2. Assign ports to VLANs.
  3. Create an unconditional trunking between the switches.
  4. Enable routing between VLANs using 'router on a stick' (yes, it is a real name of this method).
SOLUTION
Step 1
Configure end-to-end VLANs (the same set of VLANs on all switches).

On SW1:
SW1#configure terminal
SW1(config)#vlan 10,20
SW1(config-vlan)#exit
SW1(config)#

On SW2:
SW2#configure terminal
SW2(config)#vlan 10,20
SW2(config-vlan)#exit
SW2(config)#

On SW3:
SW3#configure terminal
SW3(config)#vlan 10,20
SW3(config-vlan)#exit
SW3(config)#

Verification
On all switches you should see the VLANs created (here SW1 output).

Pic. 5 – VLANs in the database

Step 2
Assign ports to VLANs.

Since we are going to use static port-to-VLAN assignment (recommended in most cases), this option puts the ports permanently in a given VLAN and disables DTP.

On SW1:
SW1(config)#interface f0/1
SW1(config-if)#switchport mode access
SW1(config-if)#switchport access vlan 10
SW1(config-if)#exit
SW1(config)#

On SW2:
SW2(config)#int f0/1
SW2(config-if)#switchport mode access
SW2(config-if)#switchport access vlan 20
SW2(config-if)#exit
SW2(config)#

Explanation!
The command: 'switchport mode access' puts the port in an unconditional 'access mode' in which DTP is turned off. The port CANNOT become trunk anymore.

The command: 'switchport access vlan 10' places the interface in VLAN 10 (broadcast domain). From now on, the port can communicate with other hosts in VLAN 10 but not other VLANs.

Verification (here only SW1 output)

Pic.6 – show vlan brief

As you can see the port f0/1 is now a member of VLAN 10.

Step 3
Create an unconditional trunking between the switches.

NOTICE!
The trunking should be enabled on ports f0/15, f0/16 and also on f0/1 since this port will use trunking mode to connect multiple R1's sub-interfaces ('router on a stick') for the purpose of routing unicast between VLANs 10 and 20.

Also, in my case SW3 is Catalyst 2950 which supports only DOT1q protocol. That is why the command 'switchport trunk encapsulation' does NOT exist on this switch. I will use that command on SW1 and SW2 though, in order to select this type of trunking protocol.


On SW1:
SW1(config)#interface range f0/13 - 15
SW1(config-if-range)#switchport trunk encapsulation dot1q
SW1(config-if-range)#switchport mode trunk
SW1(config-if-range)#exit
SW1(config)#

On SW2:
SW2(config)#interface range f0/13 - 14 , f0/16
SW2(config-if-range)#switchport trunk encapsulation dot1q
SW2(config-if-range)#switchport mode trunk
SW2(config-if-range)#exit
SW2(config)#

On SW3:
SW3(config)#interface range f0/1 , f0/15 - 16
SW3(config-if-range)#switchport mode trunk
SW3(config-if-range)#exit
SW3(config)#

Verification (here SW1 only):

Pic. 7 – show interface trunk

An alternate method of verifying trunk ports is shown below. This way you see one port at a time, but the output is more verbose.

Pic. 8 – 'show int f0/15 switchport'

Step 4
Enable routing between VLANs using 'router on a stick'.

On R1:
R1(config)#
R1(config)#int f0/0
R1(config-if)#no ip address
R1(config-if)#no shutdown
!
! Create sub-interface with IP address to be gateway for VLAN 10.
R1(config-if)#int f0/0.10
R1(config-subif)#encapsulation dot1q 10
R1(config-subif)#ip address 192.168.10.254 255.255.255.0
R1(config-subif)#
!
! Create sub-interface with IP address to be gateway for VLAN20.
R1(config-subif)#int f0/0.20
R1(config-subif)#encapsulation dot1q 20
R1(config-subif)#ip address 192.168.20.254 255.255.255.0
R1(config-subif)#end
R1#

Verification
The ultimate test to verify connectivity between VLANs is to use the ping utility and check whether PC1 can talk to PC2. If successful, it proves that our configuration is correct.

The routing table on R1 should show you that router knows both networks: 192.168.10.0/24 and 192.168.20.0/24 (pic. 9). So it can transmit the packets between these two.


Pic. 9 - Routing Table on R1

Soon, a video is going to be available with the above configuration and additional options for inter-VLAN routing.

In my next post, we will look at what is really happening 'behind the curtain'. I will show you the traffic flow using our VLAN's configuration step by step.

Wednesday, September 29, 2010

Lesson 15 - VLANs Overview

At this stage you should be familiar with the concepts related to TCP/IP traffic flow and switch operation. You should also feel confident about how to diagnose basic layer 2 connectivity issues. For the details please review my previous posts. In this one, I am going to extend your understanding of layer 2 technologies by introducing Virtual LANs (VLANs).

Before I introduce our main topic, let's first define the problem which VLANs address. This way, it's going to be easier to understand them.

Problem With Switching
As you remember from previous lessons, each port of a switch creates its own collision domain (for details look at lesson 9 in this tutorial). In addition, a switch can use FULL DUPLEX connectivity when other devices (computers, printers, switches, routers) are connected to its ports. That allows the ports to SEND and RECEIVE streams of bits at the SAME time, thanks to the special design of a switch. Thus, the efficiency of transmission is radically increased compared to its older cousin, the hub, which uses half-duplex connections (sending or receiving, but not both at the same time).

However, switches still maintain ONE BROADCAST DOMAIN. This means that in some situations they flood frames out of all active interfaces except the one that received the frame. Flooding occurs if any of these is true:
  1. The destination MAC address of the arriving frame is unknown.
  2. The destination MAC address of the arriving frame is broadcast.
  3. The destination MAC address of the arriving frame is multicast.
  4. A switch reaches its limit of MAC addresses learned on a port. Then all other MAC addresses can no longer be learned.
Pic. 1 - Switches maintain one broadcast domain (bottom left computer sends broadcast).
Icons designed by: Andrzej Szoblik - http://www.newo.pl

In a flat network like the one depicted above (Pic. 1), imagine a thousand computers sending broadcast traffic (e.g. ARP requests). They will be propagated everywhere according to the rules described above. Imagine another situation in which a broken NIC (Network Interface Card = Network Adapter) sends thousands of broadcast frames per second. Those will be flooded to all hosts, interrupting them as they need to process broadcast frames. In those situations, not only do we interrupt all hosts by sending frames to them, but we also saturate links with garbage data unnecessarily. Why would my computer have to listen to broadcast traffic sent by the HR server if I work in the IT department? I do not use the HR server's resources at all. Exactly!

VLANs Are Broadcast Domains
Virtual LANs are a method of creating multiple, smaller broadcast domains in a switching infrastructure. They are a commonly used solution to the above-mentioned problems. By configuring VLANs on the switches you create multiple broadcast domains which are treated as separate, isolated LANs that CANNOT communicate with one another by default. This allows us to contain broadcast/multicast/unicast traffic WITHIN the boundary of a given VLAN.

Pic. 2 - VLANs Are Broadcast Domains
Icons designed by: Andrzej Szoblik - http://www.newo.pl

Consider the traffic in Pic. 2: when the computers in red transmit their bits onto the wire, the switches will send those only to computers that are in the same VLAN, that is, red in this case. For instance, if the bottom right red computer sends a layer 2 broadcast (destination MAC address = FFFF.FFFF.FFFF), only computers in the red VLAN are going to receive this transmission. Computers located in the turquoise VLAN will NOT receive those frames anymore. This way we can segment the traffic between different hosts based on criteria such as groups of interest (workgroups), type of traffic (e.g. VoIP), type of application used, user location, etc. So, the major benefits of using VLANs are:
  1. Broadcast/multicast traffic propagation is limited to the VLAN (broadcast domain) where it originated.
  2. Security is increased, as hosts located in different VLANs CANNOT communicate at all. The only way for them to communicate is to allocate different network/subnet addresses to the VLANs and use a layer 3 device (router) to move the packets between them. The router offers some control as to who can transmit to whom (ACLs, firewalls etc.). How to accomplish routing between VLANs I will explain in my next post.
I hope the above description sheds enough light on what VLANs are used for. Now it is time to look at some details of their configuration.
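To make the flooding rules and the effect of VLANs concrete, here is a small Python model of a switch. It is an added example written for this lesson, not code from the original post or from Cisco; the port names (Fa0/1 ...), MAC addresses and VLAN numbers are constructed, and the per-port MAC limit is a simplified stand-in for the behaviour described in rule 4.

```python
"""Toy model of switch forwarding with and without VLANs.

Added example (not from the original post or from Cisco): it reproduces
the four flooding rules listed above and shows that a VLAN confines a
broadcast to the ports of the sender's VLAN. Port names, MAC addresses
and VLAN numbers are constructed.
"""

BROADCAST = "ffff.ffff.ffff"


def is_multicast(mac):
    """Ethernet multicast: the least-significant bit of the first octet is set."""
    first_octet = int(mac.split(".")[0][:2], 16)
    return bool(first_octet & 0x01)


class Switch:
    def __init__(self, port_vlans, max_mac_per_port=None):
        # port -> VLAN id of that access port (Cisco default: VLAN 1)
        self.port_vlans = dict(port_vlans)
        # (vlan, mac) -> port: the MAC address table is kept per VLAN
        self.mac_table = {}
        # simplified stand-in for a per-port MAC learning limit (rule 4)
        self.max_mac_per_port = max_mac_per_port

    def _learned_on(self, port):
        return sum(1 for p in self.mac_table.values() if p == port)

    def receive(self, in_port, src_mac, dst_mac):
        """Process one frame and return the sorted list of egress ports."""
        vlan = self.port_vlans[in_port]
        key = (vlan, src_mac)
        under_limit = (self.max_mac_per_port is None
                       or self._learned_on(in_port) < self.max_mac_per_port)
        if key not in self.mac_table and under_limit:
            self.mac_table[key] = in_port          # learn the source
        # rules 1-3: unknown unicast, broadcast and multicast are flooded,
        # but only to ports in the same VLAN (the broadcast domain)
        if (dst_mac == BROADCAST or is_multicast(dst_mac)
                or (vlan, dst_mac) not in self.mac_table):
            return sorted(p for p, v in self.port_vlans.items()
                          if v == vlan and p != in_port)
        out_port = self.mac_table[(vlan, dst_mac)]  # known unicast
        return [] if out_port == in_port else [out_port]


def run_demo():
    """Return the forwarding decisions for a few constructed frames."""
    pc1, pc2, pc3 = "0000.0000.0001", "0000.0000.0002", "0000.0000.0003"
    flat = Switch({"Fa0/1": 1, "Fa0/2": 1, "Fa0/3": 1, "Fa0/4": 1})
    seg = Switch({"Fa0/1": 10, "Fa0/2": 10, "Fa0/3": 20, "Fa0/4": 20})
    out = {}
    # rule 2: a broadcast reaches every other port of the broadcast domain
    out["flat_broadcast"] = flat.receive("Fa0/1", pc1, BROADCAST)
    # same broadcast with VLANs configured: it stays inside VLAN 10
    out["vlan_broadcast"] = seg.receive("Fa0/1", pc1, BROADCAST)
    # rule 1: PC2 has never transmitted, so PC1 -> PC2 is flooded
    out["unknown_unicast"] = flat.receive("Fa0/1", pc1, pc2)
    flat.receive("Fa0/2", pc2, pc1)      # PC2 replies and gets learned
    out["known_unicast"] = flat.receive("Fa0/1", pc1, pc2)
    # rule 3: multicast (e.g. 0100.5e00.0001) is flooded even after learning
    out["multicast"] = flat.receive("Fa0/1", pc1, "0100.5e00.0001")
    # rule 4: with a 1-MAC limit, a second source on Fa0/3 is not learned,
    # so frames towards it keep being flooded
    limited = Switch({"Fa0/1": 1, "Fa0/2": 1, "Fa0/3": 1}, max_mac_per_port=1)
    limited.receive("Fa0/3", pc2, BROADCAST)     # learned
    limited.receive("Fa0/3", pc3, BROADCAST)     # over the limit, not learned
    out["limit_hit"] = limited.receive("Fa0/1", pc1, pc3)
    out["mac_table_size"] = len(limited.mac_table)
    return out


if __name__ == "__main__":
    for name, ports in run_demo().items():
        print(f"{name:16} -> {ports}")
```

The same broadcast that reaches three ports in the flat switch reaches one port once the ports are split into VLANs 10 and 20; the other cases show why unknown unicast and multicast behave like broadcasts from a flooding point of view.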

VLAN Port Types
In order to segment the traffic, the hosts generating it must be assigned to the appropriate VLAN, since all ports of a switch are members of VLAN 1 by default. The process usually involves three major steps:
  1. Configuring the VLAN number in the switch database (optionally the name of the VLAN and/or other parameters).
  2. Assigning hosts to the VLANs defined in step 1. There are two ways of doing that: either a MAC address can be assigned to a VLAN (dynamic method), or a port of the switch can be assigned to a VLAN (manual method).
  3. Configuring VLAN trunk connections between the switches. Even though this step is optional, the majority of designs out there will need it.
The above configuration steps define two different port types that VLANs can use:
  1. Access Port - this type of port can be a member of ONE VLAN ONLY. If a static port-to-VLAN configuration is used, the port interprets all incoming frames as belonging to this specific VLAN. If a MAC-address-to-VLAN configuration is used, the port determines the VLAN number (ID) for the transmission from the MAC address, which is mapped to a specific VLAN.
  2. Trunk Port - which by default belongs to ALL VLANs (1-4094). In other words, this port is capable of sending and receiving traffic coming from different VLANs.
When is the trunk (multi-VLAN) port required?

The picture below (Pic. 3) illustrates the need for it.

Pic. 3 - VLAN Port Types
Icons designed by: Andrzej Szoblik - http://www.newo.pl

The grey rectangles symbolize two switches. The colors represent ports assigned to different VLANs. Of course, in practice VLANs are distinguished by numbers, not colors. When any bottom computer sends a broadcast (or a unicast towards another computer in the same VLAN/color connected to the upper switch), the port connecting the two switches must be a trunk (multi-VLAN port). In such a situation we must allow all VLAN members to communicate with their peers in the same VLAN, irrespective of where they are located. Both switches have yellow, red and blue members here! And according to the rules, red computers must be able to talk to all red computers located on the same and on all other switches as well (likewise yellow-to-yellow and blue-to-blue). They are members of the same Virtual LAN after all.

In such a design, in which members of the same logical network (VLAN) or broadcast domain are connected to different physical switches, the connection between the switches must be a trunk. Trunk ports run a special protocol called IEEE 802.1q (Cisco also has its own protocol called ISL, details of which are beyond the scope of this tutorial). This protocol is responsible for 'tagging' the frames (injecting extra information into their headers) as they are sent out the trunk port.

Why?

Let me explain. Look carefully at Pic. 3 and imagine that the computer connected to the yellow VLAN is sending a broadcast towards all computers that are in the same, yellow, VLAN. The port between the switches is a trunk, and as such allows ALL VLANs in and out. But the receiving port on the upper switch, which gets the Ethernet frame, is working as a trunk as well. So, this port is also a MULTI-VLAN port! How does this upper, receiving switch know which VLAN the frame is coming from? Well, it does NOT know whether the VLAN sending this broadcast was yellow, red or blue. This is where the sending (bottom) switch, using the trunk as the outbound port, injects an extra 4 bytes into the Ethernet frame while transmitting it. The tag contains the VLAN ID (number) of the sender. This way, the broadcast frame carries extra information allowing the receiving switch (the upper one) to recognize which VLAN it is coming from and forward this broadcast to ALL computers in the same VLAN (here the yellow VLAN).


NOTICE!
The TAG is stripped off on outbound ports configured as ACCESS ports. The tag is useful only on trunk ports.


Before we finish this VLAN overview lesson, let me show you what information this TAG contains.

Pic. 4 - 802.1q TAG

The 802.1q tag is injected between the source MAC address and the type field in the Ethernet II header (Pic. 4). It consists of two fields of two bytes each:
  1. The first two-byte field contains the signature of the 802.1q protocol, the value 0x8100.
  2. The second two-byte field contains:
  • PRI - Class of Service, 3 bits used by QoS,
  • the Canonical bit, for Token Ring support,
  • the VLAN ID, which takes up the 12 least significant bits of the tag.
802.1q Native VLAN
There is one more thing I need to touch upon that is related to the 802.1q trunk port: the concept of the Native VLAN. The designers of the protocol decided to send frames coming from the so-called 'native VLAN' out the trunk UNTAGGED. In other words, such a frame does not have any tag inserted into the Ethernet header; a frame coming from the 'native VLAN' is a regular Ethernet frame. As long as both switches on the trunk link agree which VLAN is the 'native VLAN' for this trunk, a frame arriving on the trunk port without a tag is assumed to come from that same native VLAN the sender was transmitting from. The default 'native VLAN' is VLAN 1, since this one cannot be removed from the switch. Probably the reason VLAN 1 is the 'native VLAN' by default is because switches originate frames such as CDP, VTP and STP from this VLAN, and there is no need to tag them as they are switch-to-switch communication only.


NOTICE!
As of the time of writing this tutorial, all ports of Cisco switches belong to VLAN 1 by default, which is also the (untagged) 'native VLAN'. Frames from that VLAN are not tagged on trunk-to-trunk connections.


I am sure you realize what can happen if the two ports connecting the switches use different VLAN IDs for their 'native VLAN'. Yes, that can cause frames to leak between VLANs, and this is a serious security issue. So keep the same 'native VLAN' on both ends of a trunk between switches.
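The tag layout above and the native VLAN behaviour can be checked with a few lines of Python. This is an added example, not code from the original post or from Cisco: it builds and parses a tagged Ethernet II frame, models what each end of a trunk does with the native VLAN, and shows how a native VLAN mismatch makes the receiving switch classify a frame into the wrong VLAN. The MAC addresses, VLAN numbers and the check_native_vlan helper are constructed for the example.

```python
"""802.1Q tagging and the native VLAN on a trunk.

Added example (not from the original post or from Cisco). It builds and
parses the 4-byte tag described above, models trunk egress/ingress and
checks for the native VLAN mismatch the post warns about. MAC addresses,
VLAN ids and the check_native_vlan helper are constructed.
"""
import struct

TPID_8021Q = 0x8100       # first two bytes of the tag: the 802.1Q "signature"
ETHERTYPE_IPV4 = 0x0800


def mac_bytes(cisco_mac):
    """'0000.0000.0001' (Cisco notation) -> 6 raw bytes."""
    return bytes.fromhex(cisco_mac.replace(".", ""))


def build_tag(vlan_id, pri=0, cfi=0):
    """TPID (2 bytes) + TCI (2 bytes): PRI 3 bits | CFI 1 bit | VID 12 bits.

    VLAN ids 0 and 4095 fit in the field but are reserved; usable ids are 1-4094.
    """
    if not 0 <= vlan_id <= 4095 or not 0 <= pri <= 7 or cfi not in (0, 1):
        raise ValueError("802.1Q field out of range")
    tci = (pri << 13) | (cfi << 12) | vlan_id
    return struct.pack("!HH", TPID_8021Q, tci)


def build_frame(dst, src, payload, vlan_id=None):
    """Ethernet II frame; the tag goes between the source MAC and the EtherType."""
    tag = b"" if vlan_id is None else build_tag(vlan_id)
    return (mac_bytes(dst) + mac_bytes(src) + tag
            + struct.pack("!H", ETHERTYPE_IPV4) + payload)


def parse_frame(frame):
    """Decode dst, src, optional 802.1Q tag, EtherType and payload."""
    dst, src = frame[:6], frame[6:12]
    ethertype, = struct.unpack("!H", frame[12:14])
    vlan_id, pri, offset = None, None, 14
    if ethertype == TPID_8021Q:               # tagged: read the TCI word
        tci, = struct.unpack("!H", frame[14:16])
        pri, vlan_id = tci >> 13, tci & 0x0FFF
        ethertype, = struct.unpack("!H", frame[16:18])
        offset = 18
    return {"dst": dst.hex(), "src": src.hex(), "vlan": vlan_id, "pri": pri,
            "ethertype": ethertype, "payload": frame[offset:]}


def trunk_send(sender_native, vlan, dst, src, payload=b""):
    """Outbound trunk port: frames of the native VLAN leave untagged."""
    tag_vlan = None if vlan == sender_native else vlan
    return build_frame(dst, src, payload, tag_vlan)


def trunk_receive(receiver_native, wire):
    """Inbound trunk port: an untagged frame is assumed to be native VLAN."""
    info = parse_frame(wire)
    return info["vlan"] if info["vlan"] is not None else receiver_native


def check_native_vlan(sw_a_native, sw_b_native):
    """Config check (constructed helper): both trunk ends must agree."""
    return sw_a_native == sw_b_native


def demo_native_mismatch():
    """VLAN 10 is native on SW-A only; SW-B still has the default VLAN 1."""
    wire = trunk_send(sender_native=10, vlan=10,
                      dst="ffff.ffff.ffff", src="0000.0000.0001")
    return {
        "tagged_on_wire": parse_frame(wire)["vlan"] is not None,   # False
        "classified_as": trunk_receive(receiver_native=1, wire=wire),  # VLAN 1
        "config_ok": check_native_vlan(10, 1),                       # False
    }


if __name__ == "__main__":
    print(build_tag(10).hex())            # 8100000a
    print(demo_native_mismatch())
```

With matching native VLANs the untagged frame would land back in VLAN 10; with the mismatch SW-B files a VLAN 10 broadcast under VLAN 1 and floods it to VLAN 1 hosts, which is exactly the leak described above. The check_native_vlan helper is the kind of configuration comparison worth running over every trunk pair.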

In my next post we will look at the same concepts from the command line perspective. I will also introduce the VTP protocol as well as inter-VLAN routing.
