Chapter 8: VLAN & VPNs
By Dr. Sukchatri P.
Objectives
Upon completion of this chapter, you will be able to perform the following tasks:
• Configure a VLAN
• Configure VLAN Trunking Protocol (VTP)
• Configure a switch for trunking
• Verify VLAN connectivity
• Verify spanning-tree operations
Contents
• A switch connecting three segments
• Configuration VLAN (Cisco)
• Private network
• Hybrid network
• Virtual private networks
• VPN techniques
• Authentication
• Encryption
• Tunneling
• Addressing in VPN
VLAN Overview
• Segmentation
• Flexibility
• Security
[Figure: a building with 1st, 2nd and 3rd floors; the SALES, HR and ENG VLANs each span the floors]
A VLAN = A broadcast domain = Logical network (subnet)
[Figure: A switch connecting three segments]
[Figure: A switch using VLAN software]
[Figure: Two switches in a backbone using VLAN software]
VLAN Operations
[Figure: Switch A and Switch B, each carrying a Green VLAN, a Black VLAN and a Red VLAN, connected by a Fast Ethernet trunk]
• Each logical VLAN is like a separate physical bridge
• VLANs can span across multiple switches
• Trunks carry traffic for multiple VLANs
VLAN Membership Modes
[Figure: Static VLAN versus Dynamic VLAN. Static: a port (e0/4 or e0/9) is assigned directly to VLAN 5. Dynamic: the VMPS, reached over the trunk, maps the station with MAC 1111.1111.1111 to VLAN 10 ("1111.1111.1111 = vlan 10")]
ISL Tagging
• Performed with ASIC
• Not intrusive to client stations; the client does not see the ISL header
• Effective between switches, between routers and switches, and between switches and servers with ISL network interface cards
ISL trunks enable VLANs across a backbone
[Figure: the VLAN tag is added by the incoming port, the Inter-Switch Link carries the VLAN identifier, and the tag is stripped by the forwarding port]
ISL Encapsulation
[Figure: ISL header (26 bytes) | encapsulated Ethernet frame | CRC (4 bytes). ISL header fields: DA, Type, User, SA, LEN, AAAA03, HSA, VLAN, BPDU, INDEX, RES]
• Frames encapsulated with ISL header and CRC
• Support for many VLANs (1024)
• VLAN field
• BPDU bit
VLAN Trunking Protocol (VTP)
• A messaging system that advertises VLAN configuration information
• Maintains VLAN configuration consistency throughout a common administrative domain
• VTP sends advertisements on trunk ports only
• Supports mixed media trunks (Fast Ethernet, FDDI, ATM)
[Figure: VTP domain "ICND". 1. "new vlan added" 2. the advertisement is propagated over the trunks 3. the other switches sync to the latest vlan information]
VTP Modes
Server:      create VLANs, modify VLANs, delete VLANs; sends/forwards advertisements; synchronizes; saved in NVRAM
Client:      sends/forwards advertisements; synchronizes; not saved in NVRAM
Transparent: create VLANs, modify VLANs, delete VLANs; forwards advertisements; does not synchronize; saved in NVRAM
How VTP Works
• VTP advertisements are sent as multicast frames
• VTP servers and clients are synchronized to the latest revision number
• VTP advertisements are sent every five minutes or when there is a change
[Figure: one server and two clients. 1. Add new VLAN 2. Rev 3 --> Rev 4 on the server 3. advertisement sent to each client 4. Rev 3 --> Rev 4 on each client 5. Sync new vlan info]
VTP Pruning
• Increases available bandwidth by reducing unnecessary flooded traffic
• Example: Station A sends a broadcast; the broadcast is only flooded toward any switch with ports assigned to the red VLAN
[Figure: Switches 1 to 6; stations A and B are on the red VLAN (Port 1 and Port 2); flooded traffic is pruned toward the switches that have no red VLAN ports]
VLAN Configuration Guidelines
• Maximum number of VLANs is switch-dependent
• Catalyst 1900 supports 64 VLANs with a separate spanning tree per VLAN
• VLAN1 is one of the factory default VLANs
• CDP and VTP advertisements are sent on VLAN1
• Catalyst 1900 IP address is in the VLAN1 broadcast domain
• Must be in VTP server or transparent mode to create, add, or delete VLANs
VLAN Configuration Steps
• Enable VTP (optional)
• Enable trunking
• Create VLANs
• Assign VLAN to ports
VTP Configuration Guidelines
• VTP domain name
• VTP mode (server/client/transparent); VTP server mode is the default
• VTP pruning
• VTP password
• VTP trap
Use caution when adding a new switch into an existing domain. A new switch should be added in client mode to prevent the new switch from propagating incorrect VLAN information.
Use the delete vtp command to reset the VTP revision number.
Creating a VTP Domain
wg_sw_a(config)#
vtp [server | transparent] [domain domain-name] [trap {enable | disable}] [password password] [pruning {enable | disable}]
wg_sw_a#conf terminal
Enter configuration commands, one per line. End with CNTL/Z
wg_sw_a(config)#vtp transparent
wg_sw_a(config)#vtp domain switchlab
Verifying VTP Configurations
wg_sw_a#show vtp
VTP version: 1
Configuration revision: 4
Maximum VLANs supported locally: 1005
Number of existing VLANs: 6
VTP domain name : switchlab
VTP password :
VTP operating mode : Transparent
VTP pruning mode : Enabled
VTP traps generation : Enabled
Configuration last modified by: 10.1.1.40 at 00-00-0000 00:00:00
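As an added example (not from the chapter), a small Python check that parses the output of show vtp and applies the chapter's VTP guidelines to a switch that is about to be connected to an existing domain: server mode (the default), an empty VTP password, and a configuration revision higher than the domain's current one are each reported. The sample output and the domain_revision value are constructed for the example.

```python
# Constructed sample of `show vtp` output, laid out like the Catalyst 1900
# output in the chapter; it was not captured from a real switch.
SHOW_VTP_SAMPLE = """\
VTP version: 1
Configuration revision: 4
Maximum VLANs supported locally: 1005
Number of existing VLANs: 6
VTP domain name : switchlab
VTP password :
VTP operating mode : Server
VTP pruning mode : Enabled
VTP traps generation : Enabled
Configuration last modified by: 10.1.1.40 at 00-00-0000 00:00:00
"""


def parse_show_vtp(text):
    """Turn the 'key : value' lines of `show vtp` into a dict of stripped strings."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")   # split on the first colon only
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def audit_vtp(fields, domain_revision=None):
    """Return the guideline violations found in a parsed `show vtp`.

    domain_revision is the revision the existing domain is at, if known; a
    switch joining the domain must not carry a higher one, or its VLAN
    database would replace the domain's on the next advertisement.
    """
    findings = []
    mode = fields.get("VTP operating mode", "").lower()
    revision = int(fields.get("Configuration revision", "0"))
    if mode == "server":
        findings.append("server mode (the default): the switch can change the VLAN "
                        "database of the whole domain; join an existing domain in client mode")
    if fields.get("VTP password", "") == "":
        findings.append("no VTP password: advertisements for domain "
                        f"'{fields.get('VTP domain name', '')}' are accepted unauthenticated")
    if domain_revision is not None and revision > domain_revision:
        findings.append(f"revision {revision} is higher than the domain's {domain_revision}: "
                        "reset it with delete vtp before bringing up a trunk")
    return findings
```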
Defining a Trunk
wg_sw_a(config-if)#
trunk [on | off | desirable | auto | nonegotiate]
• On = Set trunk on and negotiate with other side
• Off = Set trunk off and negotiate with other side
• Desirable = Negotiate with other side. Trunk on if other side is on, desirable, or auto
• Auto = Will be a trunk only if the other side is on or desirable
• Nonegotiate = Set trunk on and will not negotiate
wg_sw_a#conf terminal
Enter configuration commands, one per line. End with CNTL/Z
wg_sw_a(config)#interface f0/26
wg_sw_a(config-if)#trunk on
First trunk port (Port A)
Verifying a Trunk
wg_sw_a#show trunk [A | B]
wg_sw_a#show trunk a
DISL state: On, Trunking: On, Encapsulation type: ISL
Adding a VLAN
wg_sw_a(config)#
vlan vlan# [name vlan-name]
wg_sw_a#conf terminal
Enter configuration commands, one per line. End with CNTL/Z
wg_sw_a(config)#vlan 9 name switchlab2
Verifying a VLAN
wg_sw_a#show vlan [vlan#]
wg_sw_a#sh vlan 9
VLAN  Name        Status   Ports
-------------------------------------------------
9     switchlab2  Enabled
-------------------------------------------------
VLAN  Type      SAID    MTU   Parent  RingNo  BridgeNo  Stp   Trans1  Trans2
-------------------------------------------------------------------------------
9     Ethernet  100009  1500  0       1       1         Unkn  0       0
-------------------------------------------------------------------------------
Modifying a VLAN Name
wg_sw_a(config)#
vlan vlan# name vlan-name
wg_sw_a#conf terminal
Enter configuration commands, one per line. End with CNTL/Z
wg_sw_a(config)#vlan 9 name switchlab90
wg_sw_a#show vlan 9
VLAN  Name         Status   Ports
------------------------------------------------
9     switchlab90  Enabled
------------------------------------------------
Assigning Switch Ports to a VLAN
wg_sw_a(config-if)#
vlan-membership {static {vlan#} | dynamic}
wg_sw_a#conf terminal
Enter configuration commands, one per line. End with CNTL/Z
wg_sw_a(config)#interface ethernet 0/8
wg_sw_a(config-if)#vlan-membership static 9
Verifying VLAN Membership
wg_sw_a#show vlan-membership
Port  VLAN  Membership Type      Port  VLAN  Membership Type
--------------------------------  --------------------------------
1     5     Static               13    1     Static
2     1     Static               14    1     Static
3     1     Static               15    1     Static
4     1     Static               16    1     Static
5     1     Static               17    1     Static
6     1     Static               18    1     Static
7     1     Static               19    1     Static
8     9     Static               20    1     Static
Note: port 1=e0/1, port 2=e0/2 .....
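As an added example (not from the chapter), a Python parser for the two-column show vlan-membership output above, with a check that lists the ports still sitting in VLAN1, the factory default VLAN that also carries CDP, VTP and the switch's management address according to the configuration guidelines. The sample output and the allowed_ports set are constructed for the example.

```python
import re

# Constructed `show vlan-membership` output in the two-column Catalyst 1900
# layout used in the chapter (port 1 = e0/1, port 2 = e0/2, ...).
SHOW_VLAN_MEMBERSHIP_SAMPLE = """\
Port  VLAN  Membership Type      Port  VLAN  Membership Type
--------------------------------  --------------------------------
1     5     Static               13    1     Static
2     1     Static               14    1     Static
3     1     Static               15    1     Static
4     1     Static               16    1     Static
5     1     Static               17    1     Static
6     1     Static               18    1     Static
7     1     Static               19    1     Static
8     9     Static               20    1     Static
"""

# One membership entry: port number, VLAN number, membership type.
ENTRY = re.compile(r"(\d+)\s+(\d+)\s+(Static|Dynamic)")


def parse_vlan_membership(text):
    """Return {port_number: (vlan, membership_type)} from both columns of the output."""
    members = {}
    for line in text.splitlines():
        for port, vlan, mtype in ENTRY.findall(line):   # header/dash lines match nothing
            members[int(port)] = (int(vlan), mtype)
    return members


def ports_in_vlan(members, vlan):
    """Sorted list of the ports whose membership is the given VLAN."""
    return sorted(port for port, (v, _) in members.items() if v == vlan)


def audit_default_vlan(members, allowed_ports):
    """Ports left in VLAN1 that are not in allowed_ports (the ports that are
    meant to stay in the management VLAN, e.g. uplinks). Any other port in
    VLAN1 shares the broadcast domain of the switch's own IP address."""
    return [port for port in ports_in_vlan(members, 1) if port not in allowed_ports]
```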
Verifying Spanning Tree
wg_sw_a#show spantree {vlan number}
wg_sw_a#show spantree 1
VLAN1 is executing the IEEE compatible Spanning Tree Protocol
 Bridge Identifier has priority 32768, address 0050.F037.DA00
 Configured hello time 2, max age 20, forward delay 15
 Current root has priority 0, address 00D0.588F.B600
 Root port is FastEthernet 0/26, cost of root path is 10
 Topology change flag not set, detected flag not set
 Topology changes 53, last topology change occured 0d00h17m14s ago
 Times: hold 1, topology change 8960
        hello 2, max age 20, forward delay 15
 Timers: hello 2, topology change 35, notification 2
Port Ethernet 0/1 of VLAN1 is Forwarding
 Port path cost 100, Port priority 128
 Designated root has priority 0, address 00D0.588F.B600
 Designated bridge has priority 32768, address 0050.F037.DA00
 Designated port is Ethernet 0/1, path cost 10
 Timers: message age 20, forward delay 15, hold 1
Visual Objective
[Figure: lab topology. Workgroup switches wg_sw_a (10.1.1.10) through wg_sw_l (10.1.1.120) connect on e0/1 to workgroup routers wg_ro_a (10.1.1.11) through wg_ro_l (10.1.1.121) (router ports e0 and e0/2), and over ISL trunks on fa0/26 (port A) and fa0/27 (port B) to core_sw_a (10.1.1.2, ports fa0/1 to fa0/12) and core_sw_b (10.1.1.4, ports fa0/13 and fa0/14). core_server (10.x.x.1) hangs off core_sw_a fa0/24. Workgroup PCs wg_pc_a (10.2.2.12, VLAN2) through wg_pc_l (10.13.13.12, VLAN13) are on their workgroup switches.]

SUBNET      VLAN  POD
10.1.1.0    1     wg_ro_x, wg_sw_x, core_sw_a, core_sw_b
10.2.2.0    2     wg_pc_a, core_server
10.3.3.0    3     wg_pc_b, core_server
10.4.4.0    4     wg_pc_c, core_server
10.5.5.0    5     wg_pc_d, core_server
10.6.6.0    6     wg_pc_e, core_server
10.7.7.0    7     wg_pc_f, core_server
10.8.8.0    8     wg_pc_g, core_server
10.9.9.0    9     wg_pc_h, core_server
10.10.10.0  10    wg_pc_i, core_server
10.11.11.0  11    wg_pc_j, core_server
10.12.12.0  12    wg_pc_k, core_server
10.13.13.0  13    wg_pc_l, core_server
Private network
Hybrid network
Virtual private networks
VPN techniques
Authentication
Encryption
Tunneling
Addressing in VPN
Summary
After completing this chapter, you should be able to perform the following tasks:
• Configuring a VLAN
• Configuring VTP
• Configuring a trunk
• Verifying spanning tree operations

Review Questions
1. What are the three VTP modes?
2. Over what type of port can VTP advertisements be sent?
3. VLAN ID is carried in the ________ header.
4. How do we assign a VLAN to a port?