1. Hierarchical Layer Model - VLAN - Trunking - VTP


Hierarchical Model

Layers in a Hierarchical Model


Access Layer
• Provides access and aggregation for users in a feature-rich environment
• Provides high availability through software attributes and redundancy
• Supports convergence for voice, wireless and data
• Provides security services that control network access at the port where hosts attach
• Offers QoS services including traffic classification and queuing
• Supports IP multicast traffic for efficient network use
Distribution Layer
• Aggregates nodes and uplinks
• Provides redundant connections and devices for high availability
• Offers routing services such as summarization, redistribution, and default gateways
• Implements policies including filtering, security, and QoS mechanisms
• Segments workgroups and isolates problems
Core Layer
• The core layer is a high-speed backbone and aggregation point for the enterprise
• It provides reliability through redundancy and fast convergence
• A separate core layer keeps the design scalable as the network grows
Is a Core Layer Needed?
Campus Core Layer

Benefits of a Campus Core:
• Distribution layer switches are connected hierarchically
• Less physical cabling is required
• Less routing complexity is imposed
Small Campus Network
• Collapse the campus backbone and building distribution submodules into the campus backbone submodule
• Scale up to several building access switches
Medium Campus Network
Data Center Infrastructure Overview
Defining VLANs

Implementing Best Practices for VLAN Topologies
Issues in a Poorly Designed Network
• Unbounded failure domains
• Large broadcast domains
• Large amounts of unknown-unicast traffic flooded to every port
• Unbounded multicast traffic
• Management and support challenges
• Possible security vulnerabilities: with every host in one Layer 2 domain there is no boundary at which to apply access control between groups of users
VLANs and the Logical Network
What Is an End-to-End VLAN?

• Users are grouped into VLANs independent of physical location.
• If users are moved within the campus, their VLAN membership remains the same.
What Is a Local VLAN?

Local VLANs are generally confined to a wiring closet.


VLAN Configuration Modes

Global Mode

Switch# configure terminal
Switch(config)# vlan 3
Switch(config-vlan)# name Vlan3
Switch(config-vlan)# exit
Switch(config)# end
VLAN Configuration Modes

Database Mode

Switch# vlan database
Switch(vlan)# vlan 3
VLAN 3 added:
Name: VLAN0003
Switch(vlan)# exit
APPLY completed.
Exiting....

VLAN database mode is a legacy method: changes are only applied when you exit, and it is deprecated in later IOS releases in favor of global configuration mode.
VLAN Access Ports

An access port is a switch port associated with a single data VLAN (a separate voice VLAN can additionally be assigned for an attached IP phone).


VLAN Implementation Commands

Configuring VLANs
• vlan 101
• switchport mode access
• switchport access vlan 101
Verifying VLANs
• show interfaces
• show vlan
How to Implement a VLAN

• Create or configure a VLAN.
• Verify VLAN configuration.
• Associate switch ports with the VLAN.
• Verify switch port configuration.
• Test VLAN connectivity.
• Implement VLAN and switch security.
Configuring an Access VLAN

Switch(config)# vlan vlan_id
Create a VLAN.

Switch(config-vlan)# name vlan_name
Provide a VLAN name.

Switch(config-if)# switchport mode access
Place the switch port into access mode (entered in interface configuration mode, after selecting the interface by type and slot/port).

Switch(config-if)# switchport access vlan vlan_id
Associate the access switch port with the VLAN.


Verifying the Access VLAN Configuration

Switch#show vlan

VLAN Name Status Ports


---- -------------------------------- --------- ---------------------------
1 default active Fa0/1, Fa0/2, Fa0/3, Fa0/4
Fa0/5, Fa0/7, Fa0/9
11 asw11_data active
12 asw12_data active
95 VLAN0095 active Fa0/8
99 Trunk_Native active
100 Internal_Access active
111 voice-for-group-11 active
112 voice-for-group-12 active
1002 fddi-default act/unsup
1003 token-ring-default act/unsup
1004 fddinet-default act/unsup
1005 trnet-default act/unsup

VLAN Type SAID MTU Parent RingNo BridgeNo Stp BrdgMode Trans1
----- ---------- ----- ------ ------ -------- ---- -------- ------
1 enet 100001 1500 - - - - - 0
11 enet 100011 1500 - - - - - 0
. . .
Implementing Trunks
Maintaining Specific VLAN Identification
• Trunking protocols (ISL and 802.1Q) were developed specifically for multi-VLAN interswitch communication
• They place a unique identifier (the VLAN ID) in each frame so the receiving switch can tell which VLAN it belongs to
• They function at Layer 2
VLAN Trunking
Comparing ISL and 802.1Q

ISL                                        802.1Q
Proprietary                                Nonproprietary
Encapsulated                               Tagged
Protocol independent                       Protocol dependent
Encapsulates the old frame in a new frame  Adds a field to the frame header
Trunking with ISL

• Is a Cisco proprietary protocol
• Supports PVST
• Uses an encapsulation process
• Does not modify the original frame
ISL Encapsulation
Trunking with 802.1Q

• An IEEE standard
• Adds a 4-byte tag to the original frame
• The tag includes a 3-bit priority field (used for QoS marking)
• Does not tag frames that belong to the native VLAN
• Supports Cisco IP telephony
The 802.1Q Tagging Process
802.1Q Native VLAN

Native VLAN frames are carried over the trunk link untagged.
VLAN Ranges

VLAN Range   Use
0, 4095      Reserved for system use only
1            Cisco default
2–1001       Normal-range Ethernet VLANs
1002–1005    Cisco defaults for FDDI and Token Ring
1006–4094    Extended-range Ethernet VLANs only; unusable on some legacy platforms
Trunking Configuration Commands

• Trunks can be configured statically or via DTP.


• DTP provides the ability to negotiate the trunking method.

Configuring a Trunk
• switchport trunk
• switchport mode
• switchport nonegotiate
Switchport Mode Interactions

                    Dynamic Auto   Dynamic Desirable   Trunk             Access
Dynamic Auto        Access         Trunk               Trunk             Access
Dynamic Desirable   Trunk          Trunk               Trunk             Access
Trunk               Trunk          Trunk               Trunk             Not recommended
Access              Access         Access              Not recommended   Access

Note: Table assumes DTP is enabled at both ends. "Not recommended" means the two ends disagree (one trunks, the other does not), giving limited connectivity.

• show dtp interface – to determine current setting
How to Configure Trunking

1. Enter interface configuration mode.


2. Shut down interface.
3. Select the encapsulation (802.1Q or ISL).
4. Configure the interface as a Layer 2 trunk.
5. Specify the trunking native VLAN (for 802.1Q).
6. Configure the allowable VLANs for this trunk.
7. Use the no shutdown command on the interface to
activate the trunking process.
8. Verify the trunk configuration.
802.1Q Trunk Configuration

Switch(config)#interface fastethernet 5/8


Switch(config-if)#shutdown
Switch(config-if)#switchport trunk encapsulation dot1q
Switch(config-if)#switchport trunk allowed vlan 1,5,11,1002-1005
Switch(config-if)#switchport mode trunk
Switch(config-if)#switchport trunk native vlan 99
Switch(config-if)#switchport nonegotiate
Switch(config-if)#no shutdown
Verifying the 802.1Q Configuration

Switch#show running-config interface {fastethernet |


gigabitethernet} slot/port

Switch#show interfaces [fastethernet | gigabitethernet] slot/port


[ switchport | trunk ]

Switch#show interfaces fastEthernet 5/8 switchport


Name: fa5/8
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: Off
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 99 (trunk_only)
Trunking VLANs Enabled: 1,5,11,1002-1005
Pruning VLANs Enabled: 2-1001

. . .
Verifying an 802.1Q Dynamic Trunk Link

Switch#show running-config interface fastethernet 5/8


Building configuration...
Current configuration:
!
interface FastEthernet5/8
switchport mode dynamic desirable
switchport trunk encapsulation dot1q

Switch#show interfaces fastethernet 5/8 trunk

Port Mode Encapsulation Status Native vlan


Fa5/8 desirable 802.1q trunking 99

Port Vlans allowed on trunk


Fa5/8 1,5,11,1002-1005

Port Vlans allowed and active in management domain


Fa5/8 1,5,1002-1005

Port Vlans in spanning tree forwarding state and not pruned


Fa5/8 1,5,1002-1005
ISL Trunk Configuration

Switch(config)#interface fastethernet 2/1


Switch(config-if)#shutdown
Switch(config-if)#switchport trunk encapsulation isl
Switch(config-if)#switchport trunk allowed vlan 1-5,1002-1005
Switch(config-if)#switchport mode trunk
Switch(config-if)#switchport nonegotiate
Switch(config-if)#no shutdown
Verifying ISL Trunking
Switch#show running-config interface {fastethernet |
gigabitethernet} slot/port

Switch#show interfaces [fastethernet | gigabitethernet] slot/port


[ switchport | trunk ]

Switch#show interfaces fastethernet 2/1 trunk

Port Mode Encapsulation Status Native VLAN


Fa2/1 trunk isl trunking 99

Port VLANs allowed on trunk


Fa2/1 1-5,1002-1005

Port VLANs allowed and active in management domain


Fa2/1 1-2,1002-1005

Port VLANs in spanning tree forwarding state and not pruned


Fa2/1 1-2,1002-1005
Propagating VLAN Configurations with VTP
The VTP Domain

• Group of switches that exchange VLAN information


• VLANs administered centrally at a chosen switch
The VTP Protocol

• Advertises VLAN configuration information


• Maintains VLAN configuration consistency throughout a
common administrative domain
• Sends advertisements on trunk ports only
VTP Modes

Server (default mode)
• Creates, modifies, and deletes VLANs
• Sends and forwards advertisements
• Synchronizes VLAN configurations
• Saves configuration in NVRAM

Client
• Cannot create, change, or delete VLANs
• Forwards advertisements
• Synchronizes VLAN configurations
• Does not save in NVRAM

Transparent
• Creates, modifies, and deletes local VLANs
• Forwards advertisements
• Does not synchronize VLAN configurations
• Saves configuration in NVRAM
VTP Pruning

• Uses bandwidth more efficiently by reducing unnecessary flooded traffic
• Example: Station A sends a broadcast; the broadcast is flooded only toward switches that have ports assigned to the red VLAN

(Figure: pruning disabled vs. pruning enabled)
VTP Operation
• VTP advertisements are sent as multicast frames.
• VTP servers and clients synchronize to the highest configuration revision number they hear, whichever switch advertises it.
• VTP advertisements are sent every 5 minutes or when there is a change.
VTP Configuration Commands

Configuring VTP
• vtp domain
• vtp mode
• vtp password

Verifying VTP
• show vtp status
• show vtp counters
Configuring a VTP Management Domain

Configure each switch in the following order to avoid


dynamic learning of the domain name:
• VTP password
• VTP domain name (case sensitive)
• VTP mode (server mode is the default)
Configuring and Verifying VTP

Switch#show vlan brief

• Displays a list of current VLANs

Switch(config)#vtp password password_string


• Sets the VTP password

Switch(config)#vtp domain domain_name


• Sets the VTP domain name

Switch(config)#vtp mode {server | client | transparent}
• Sets the VTP mode to server, client, or transparent

Switch# show vtp status


• Displays the current settings for VTP
Verifying the VTP Configuration

Switch#show vtp status

VTP Version : 2
Configuration Revision : 28
Maximum VLANs supported locally : 1005
Number of existing VLANs : 17
VTP Operating Mode : Client
VTP Domain Name : BCMSN
VTP Pruning Mode : Enabled
VTP V2 Mode : Disabled
VTP Traps Generation : Disabled
MD5 digest : 0x45 0x52 0xB6 0xFD 0x63 0xC8 0x49 0x80
Configuration last modified by 10.1.1.1 at 8-12-05 15:04:49
Switch#
Verifying the VTP Configuration (Cont.)

Switch#show vtp counters

VTP statistics:
Summary advertisements received : 7
Subset advertisements received : 5
Request advertisements received : 0
Summary advertisements transmitted : 997
Subset advertisements transmitted : 13
Request advertisements transmitted : 3
Number of config revision errors : 0
Number of config digest errors : 0
Number of V1 summary errors : 0

VTP pruning statistics:


Trunk Join Transmitted Join Received Summary advts received from
non-pruning-capable device
---------------- ---------------- ---------------- ---------------------------
Fa5/8 43071 42766 5
Adding a Switch to an Existing VTP Domain

Ensure a new switch has VTP configuration revision 0 before adding it to a network. Changing the VTP domain name (or setting the switch to transparent mode and back) resets the revision to 0; a switch that arrives with a higher revision than the existing servers, in the same domain and with the same password, overwrites their VLAN database.
Correcting Common VLAN Configuration Errors
Issues with 802.1Q Native VLAN

• Native VLAN frames are carried over the trunk link untagged.
• A native VLAN mismatch will merge traffic between VLANs.
802.1Q Native VLAN Considerations

• The native VLAN must match at both ends of the trunk; otherwise frames "leak" from one VLAN to another, because each switch files the untagged frames it receives under its own native VLAN.
• By default, the native VLAN is VLAN 1.
– Avoid using VLAN 1 for management purposes (it is also the default access VLAN on every port).
• Eliminate native-VLAN traffic from 802.1Q trunks by making the native VLAN an "unused" VLAN, one with no access ports assigned to it.
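The tagging process and the native-VLAN behaviour described above (the 802.1Q tag inserted after the source MAC, native VLAN carried untagged, and the "leak" when the native VLAN differs at the two ends) can be seen in a small model. The following is an added example, not code from the slide deck or from any vendor: it builds and parses 802.1Q tags and simulates a trunk between two switches whose native VLANs may differ. The frames, VLAN numbers and native-VLAN settings are constructed inputs.

```python
"""Added example: 802.1Q tagging, native-VLAN handling, and the mismatch 'leak'.

This is a pure-Python model of a trunk between two switches, not code from
the slide deck or from any vendor. Frames, VLAN numbers and native-VLAN
settings below are constructed inputs.
"""
import struct

TPID_8021Q = 0x8100      # EtherType value that marks a tagged frame
ETHERTYPE_IPV4 = 0x0800


def tag_frame(frame: bytes, vlan: int, pcp: int = 0) -> bytes:
    """Insert the 4-byte 802.1Q tag (TPID + TCI) after the source MAC."""
    if not 1 <= vlan <= 4094:                    # 0 and 4095 are reserved
        raise ValueError("VLAN ID out of range")
    tci = ((pcp & 0x7) << 13) | (vlan & 0xFFF)   # PCP(3) | DEI(1)=0 | VID(12)
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def read_tag(frame: bytes):
    """Return (vlan, pcp, frame_without_tag); vlan is None if untagged."""
    (tpid,) = struct.unpack("!H", frame[12:14])
    if tpid != TPID_8021Q:
        return None, 0, frame
    (tci,) = struct.unpack("!H", frame[14:16])
    return tci & 0xFFF, tci >> 13, frame[:12] + frame[16:]


def trunk_egress(frame, vlan, native_vlan, allowed):
    """Switch A puts a frame belonging to `vlan` onto the trunk.
    Native-VLAN frames leave untagged, every other VLAN gets a tag, and
    VLANs missing from the allowed list are dropped (None)."""
    if vlan not in allowed:
        return None
    return frame if vlan == native_vlan else tag_frame(frame, vlan)


def trunk_ingress(wire_frame, native_vlan, allowed):
    """Switch B classifies a frame arriving on the trunk. An untagged
    frame is assigned to B's own native VLAN, whatever A intended."""
    vlan, _pcp, frame = read_tag(wire_frame)
    if vlan is None:
        vlan = native_vlan
    return (vlan, frame) if vlan in allowed else (None, frame)


ALL_VLANS = frozenset(range(1, 4095))


def cross_trunk(vlan, native_a, native_b, allowed=ALL_VLANS):
    """VLAN a frame lands in on switch B after leaving switch A in `vlan`."""
    frame = (b"\xff" * 6 + b"\x00\x11\x22\x33\x44\x55"          # constructed frame
             + struct.pack("!H", ETHERTYPE_IPV4) + b"constructed payload")
    wire = trunk_egress(frame, vlan, native_a, allowed)
    if wire is None:
        return None
    vlan_b, _ = trunk_ingress(wire, native_b, allowed)
    return vlan_b


if __name__ == "__main__":
    # Matching native VLAN (99 on both ends): frames stay where they belong.
    print("native 99/99, VLAN 5 ->", cross_trunk(5, 99, 99))
    # Mismatch: A still uses the default native VLAN 1, B uses 99.
    # A's VLAN 1 traffic leaves untagged and B files it under VLAN 99.
    print("native 1/99, VLAN 1  ->", cross_trunk(1, 1, 99))
```

With native VLAN 99 on both ends every VLAN arrives where it left. With native VLAN 1 on switch A and 99 on switch B, a VLAN 1 frame is delivered into VLAN 99 on B, which is the leak the slide warns about; tagged VLANs are unaffected because their VLAN ID travels in the tag.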
Explaining Trunk Link Problems

• Trunks can be configured statically or autonegotiated with DTP.
• For trunking to be autonegotiated, the switches must be in the same VTP domain.
• Some trunk configuration combinations will successfully configure a trunk, some will not.

(Figure: trunk mode combinations. Will any of the above combinations result in an operational trunk?)
Resolving Trunk Link Problems

• When using DTP, ensure that both ends of the link are in the same VTP domain.
• Ensure that the trunk encapsulation type configured on both ends of the link is valid.
• On links where trunking is not required, turn DTP off (switchport mode access together with switchport nonegotiate), so that whatever is plugged into the port cannot negotiate it into a trunk.
• Best practice is to configure switchport mode trunk and switchport nonegotiate where trunks are required.
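The Switchport Mode Interactions table and the trunk-link best practices above come together in a simple audit: express the DTP outcome rules as code, then parse "show interfaces switchport" output (the format shown earlier on this page) and flag ports that still negotiate, trunks that still use native VLAN 1, and trunks whose allowed list was never restricted. The following is an added example, not code from the slide deck or from Cisco; the sample output is constructed to match the page's format, and the finding codes (DTP-NEGOTIATION, NATIVE-VLAN-1, ALLOWED-ALL) are this script's own names.

```python
"""Added example: DTP outcome rules plus an audit of 'show interfaces switchport'.

Not from the slide deck. dtp_outcome() encodes the Switchport Mode
Interactions table as rules; audit() parses the output format shown on the
page and flags ports that can still be talked into trunking. The sample
output and the finding codes are constructed for this script.
"""
import re

MODES = ("access", "dynamic auto", "dynamic desirable", "trunk")


def dtp_outcome(local, remote):
    """Link state for two administrative modes with DTP enabled on both ends."""
    if local not in MODES or remote not in MODES:
        raise ValueError("unknown mode")
    both = {local, remote}
    if "access" in both:
        # A static access port never trunks; paired with a static trunk the
        # two ends disagree, the table's 'not recommended' cell.
        return "mismatch" if "trunk" in both else "access"
    if "trunk" in both or "dynamic desirable" in both:
        return "trunk"   # one end asks (or is already a trunk), the other agrees
    return "access"      # auto + auto: nobody initiates


def parse_switchport(text):
    """Turn 'show interfaces switchport' output into {port: {field: value}}."""
    ports, current = {}, None
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z][^:]*?):\s*(.*)$", line)
        if not m:
            continue                    # blank lines and lines without a colon
        key, value = m.group(1), m.group(2).strip()
        if key == "Name":
            current = ports.setdefault(value, {})
        elif current is not None:
            current[key] = value
    return ports


def audit(text):
    """Return {port: set of finding codes}; ports with no finding are omitted."""
    findings = {}
    for port, f in parse_switchport(text).items():
        codes = set()
        mode = f.get("Administrative Mode", "").lower()
        mode = "access" if mode == "static access" else mode
        negotiating = f.get("Negotiation of Trunking", "").lower() == "on"
        # A port that still answers DTP lets whatever is plugged into the far
        # end decide whether the link trunks: test it against 'dynamic desirable'.
        if negotiating and mode in MODES and dtp_outcome(mode, "dynamic desirable") == "trunk":
            codes.add("DTP-NEGOTIATION")
        if f.get("Operational Mode", "").lower() == "trunk":
            native = f.get("Trunking Native Mode VLAN", "").split(" ")[0]
            if native == "1":
                codes.add("NATIVE-VLAN-1")          # default native VLAN still in use
            if f.get("Trunking VLANs Enabled", "").upper() == "ALL":
                codes.add("ALLOWED-ALL")            # allowed list never restricted
        if codes:
            findings[port] = codes
    return findings


# Constructed sample, mirroring the page's 'show interfaces switchport' format.
SAMPLE_OUTPUT = """\
Name: Fa0/1
Switchport: Enabled
Administrative Mode: static access
Operational Mode: static access
Negotiation of Trunking: Off
Access Mode VLAN: 11 (asw11_data)
Trunking Native Mode VLAN: 1 (default)
Trunking VLANs Enabled: ALL

Name: Fa0/2
Switchport: Enabled
Administrative Mode: dynamic auto
Operational Mode: static access
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Trunking VLANs Enabled: ALL

Name: Gi0/1
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Negotiation of Trunking: On
Trunking Native Mode VLAN: 1 (default)
Trunking VLANs Enabled: ALL

Name: Gi0/2
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Negotiation of Trunking: Off
Trunking Native Mode VLAN: 99 (Trunk_Native)
Trunking VLANs Enabled: 1,5,11,1002-1005
"""

if __name__ == "__main__":
    for port, codes in sorted(audit(SAMPLE_OUTPUT).items()):
        print(port, sorted(codes))
```

Only Gi0/2, configured the way the page recommends (static trunk, nonegotiate, unused native VLAN, explicit allowed list), comes out clean; Fa0/2 in the dynamic auto default is flagged because a desirable peer would turn it into a trunk, and Gi0/1 collects all three findings.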
Common Problems with VTP Configuration

• Updates not received as expected
– VTP domain and password must match.

• Missing VLANs
– Configuration has been overwritten by another VTP device.

• Too many VLANs
– Consider making the VTP domain smaller.
Example of New Switch Overwriting
an Existing VTP Domain

New switch not connected

New switch (client, last used in another network):
VTP Version : 2
Configuration Revision : 2
Maximum VLANs supported locally : 1005
Number of existing VLANs : 7
VTP Operating Mode : Client
VTP Domain Name : building1

Existing switch (server, production VLAN database):
VTP Version : 2
Configuration Revision : 1
Maximum VLANs supported locally : 1005
Number of existing VLANs : 6
VTP Operating Mode : Server
VTP Domain Name : building1
Example of New Switch Overwriting an Existing VTP Domain (Cont.)

New switch connected

New switch (client):
VTP Version : 2
Configuration Revision : 2
Maximum VLANs supported locally : 1005
Number of existing VLANs : 7
VTP Operating Mode : Client
VTP Domain Name : building1

Existing switch (server):
VTP Version : 2
Configuration Revision : 2
Maximum VLANs supported locally : 1005
Number of existing VLANs : 7
VTP Operating Mode : Server
VTP Domain Name : building1

The server accepted the new switch's advertisement because it carried a higher revision number in the same domain: the production VLAN database was replaced by the newcomer's seven VLANs, even though the new switch is only a client.
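The overwrite shown in the example above, the "missing VLANs" problem listed under common VTP configuration problems, and the advice to bring a new switch in at revision 0 all follow from one rule: a server or client in the same domain adopts any advertisement with a higher revision whose digest it can verify. The following is an added example, not code from the slide deck or from Cisco: a simplified model of VTP version 2 in which a summary advertisement carries the domain name, the revision and an MD5 digest that mixes in the VTP password, and the subset advertisement carries the VLAN table. Switch names, VLANs and the password are constructed; forwarding of advertisements through transparent switches is not modelled.

```python
"""Added example: how VTP configuration revision numbers decide who overwrites whom.

Not from the slide deck. A simplified model of VTP v2: a summary advertisement
carries the domain name, the revision and an MD5 digest that mixes in the VTP
password; the subset advertisement carries the VLAN table. Switch names,
VLANs and the password are constructed; transparent-mode forwarding of
advertisements is not modelled.
"""
import hashlib


class VtpSwitch:
    def __init__(self, name, domain, mode="server", password="", revision=0, vlans=None):
        self.name, self.domain, self.mode, self.password = name, domain, mode, password
        self.revision = revision
        self.vlans = dict(vlans or {1: "default"})
        self.digest_errors = 0          # 'Number of config digest errors'

    def digest(self, vlans=None, revision=None):
        """MD5 over domain, revision, password and VLAN table. A receiver can
        only reproduce it if it holds the same password."""
        vlans = self.vlans if vlans is None else vlans
        revision = self.revision if revision is None else revision
        body = f"{self.domain}|{revision}|{self.password}|{sorted(vlans.items())}"
        return hashlib.md5(body.encode()).hexdigest()

    def add_vlan(self, vid, name):
        if self.mode == "client":
            raise PermissionError("a VTP client cannot create VLANs")
        self.vlans[vid] = name
        if self.mode == "server":
            self.revision += 1          # transparent switches never bump the revision

    def change_domain(self, new_domain):
        """Changing the domain name resets the revision to 0: the usual way
        to sanitize a switch before connecting it."""
        self.domain, self.revision = new_domain, 0

    def advertise(self):
        """Summary advertisement plus the subset (VLAN table) that follows it."""
        return {"domain": self.domain, "revision": self.revision,
                "digest": self.digest(), "vlans": dict(self.vlans)}

    def receive(self, adv):
        """Apply an advertisement the way a server or client does. Returns
        True when the local VLAN table was replaced."""
        if self.mode == "transparent" or adv["domain"] != self.domain:
            return False                # transparent: forward only; other domain: ignore
        if adv["revision"] <= self.revision:
            return False                # nothing newer than what we have
        if self.digest(adv["vlans"], adv["revision"]) != adv["digest"]:
            self.digest_errors += 1     # password mismatch: refuse the update
            return False
        # Higher revision + valid digest: replace everything, no questions asked,
        # whether the sender is a server or a client.
        self.vlans, self.revision = dict(adv["vlans"]), adv["revision"]
        return True


def connect(new_switch, existing):
    """Bring up the trunk: each side hears the other's advertisement once."""
    return existing.receive(new_switch.advertise()), new_switch.receive(existing.advertise())


def scenario(sanitize, new_password="s3cret"):
    """Constructed replay of the slide: production server at revision 1, a
    used switch arriving as a client at revision 2 with a stale VLAN table."""
    server = VtpSwitch("dsw1", "building1", "server", "s3cret", revision=1,
                       vlans={1: "default", 11: "asw11_data", 12: "asw12_data",
                              99: "Trunk_Native"})
    new = VtpSwitch("asw9", "building1", "client", new_password, revision=2,
                    vlans={1: "default", 500: "old_lab"})
    if sanitize:
        new.change_domain("scratch")    # revision -> 0
        new.change_domain("building1")
    connect(new, server)
    return server, new


if __name__ == "__main__":
    s, _ = scenario(sanitize=False)
    print("unsanitized: server revision", s.revision, "VLANs", sorted(s.vlans))
    s, n = scenario(sanitize=True)
    print("sanitized:   server revision", s.revision, "new switch VLANs", sorted(n.vlans))
```

Run unsanitized, the client's revision 2 replaces the server's table and the production VLANs 11, 12 and 99 disappear; after resetting the newcomer's revision to 0 by changing its domain name, the server's revision 1 wins and the client synchronizes to it. A mismatched VTP password makes the server's digest check fail, which shows up as a config digest error rather than an overwrite, which is why the page lists a VTP password among the implementation steps.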
Implementing VTP

• Plan VTP domain boundaries.
• Have only one or two VTP servers.
• Configure a VTP password.
• Manually configure the VTP domain name on all devices.
• When setting up a new domain:
– Configure VTP client switches first so that they participate passively.
• When cleaning up an existing VTP domain:
– Configure passwords on servers first, because clients may need to maintain current VLAN information until the server is verified as complete.
