01.More LAN Switching


  • 8/22/2019 01.More LAN Switching

    1/45

    The Ultimate CCNA Study Package - ICND 2

    Chris Bryant, CCIE #12933 http://www.thebryantadvantage.com Back To Index

    More LAN Switching

    Overview

    NOTE: Before reading this chapter, you MUST read and understand the topics in the CCENT Study Guide switching chapter.

    Spanning Tree Protocol

    In almost every switching network, there will be path redundancy - that is, there will be more than one way to get to a given destination. We always want redundancy, but that redundancy can cause problems at Layer 2. If all the paths in the following diagram were available at all times, switching loops would form.

    Spanning Tree Protocol

    Root Bridge, Root Ports, and Designated Ports

    STP Timers

    STP Port States

    Portfast

    VLANs

    Trunking

    Access And Trunk Port Comparison

    VTP

    "Router On A Stick"

    RSTP

    PVST

    Etherchannels

    "Hot Spots And Gotchas"


    Don't get me wrong, we love redundant paths! Each of those switches has three different ways to get to every other switch in the network. The key is that we can't have all of those paths available simultaneously, or we're going to end up with switching loops. That's where STP comes in!

    The Spanning Tree Protocol (STP), defined by IEEE 802.1d, prevents switching loops from occurring by placing ports along the most desirable path into forwarding mode, while ports along less-desirable paths are placed into blocking mode. Once STP converges, every port on these paths is in either forwarding or blocking mode, making only one path available between any two destinations, and a switching loop cannot occur.

    Note: You're going to hear about routing loops later in your studies, if you haven't already. STP has nothing to do with routing loops. STP is strictly a Layer 2 protocol and is used to prevent switching loops.

    If a problem arises with the available path, STP will run the spanning-tree algorithm to recalculate the available paths and determine the best path. Ports along the new best path will be brought out of blocking mode and into forwarding mode, while ports along less-desirable paths are placed into blocking mode.

    Again, only one path will be available.

    For example, let's say that STP has decided that the best path from SW1 to SW3 is the most direct path. (This is not always the case, as you'll see later.) Logically, SW1 sees only one way to get to SW3.


    If something happens that makes that path unavailable, STP will recalculate its available paths. When that recalculation ends, STP will begin to bring the appropriate ports out of blocking mode and into forwarding mode.

    The Root Bridge Election

    STP must first determine a root bridge for every Virtual LAN (VLAN).

    When people are born, they act like they are the center of the universe. In a similar fashion, when a switch is first powered on, it believes it is the root bridge for every single VLAN on your network. Since your network has multiple switches, and they all believe they are the root bridge for every VLAN, there must be an election process to determine the true root bridge for each VLAN.

    The election process is carried out by the exchange of BPDUs (Bridge Protocol Data Units). Switches are continually sending BPDUs; hubs, repeaters, routers, servers, and other network devices do not send BPDUs.

    The BPDU contains the following data:

    The root bridge's Bridge ID (BID). The BID is a combination of the bridge's priority and MAC address. At the beginning of the election process, every switch thinks it is the root, so this will at first be the sending switch's BID.

    The bridge with the lowest BID will be the root bridge. The default priority value is 32768 for all switches; therefore, since the lowest BID wins, the switch with the lowest MAC address will become the root bridge unless the priority is changed.

    I'll demonstrate this later in the section, but I do want to mention now that the easiest way to guarantee that a certain switch becomes the root bridge is to lower its priority. In the BID, the priority comes first and is followed by the MAC address, so lowering the priority is sufficient to make a certain switch the root bridge.

    Cost To Reach Root From This Bridge: STP considers the path with the lowest cost to be the best path. Every port is assigned a cost relative to its speed; the higher the speed, the lower the port cost.

    BID Of The BPDU's Sender: This simply identifies which switch sent the BPDU.

    When a switch receives a BPDU, the switch compares the root bridge BID contained in the BPDU against its own BID.

    If the incoming root bridge BID is lower than that of the switch receiving it, the switch starts announcing that device as the root bridge.


    If the incoming BID is higher than that of the receiver, the receiver continues to announce itself as the root. This process continues until every switch has agreed on the root bridge. (This may sound confusing, but we'll go through an illustrated example in just a moment.)

    Once STP has converged - that is, all switches agree on the root bridge - every port on the switched network will be in either blocking or forwarding mode. There are intermediate states that you should be aware of, though. Here's the order of STP port states as a port goes from blocking to forwarding.

    BLOCKING: Frames are not forwarded, but BPDUs are accepted.

    LISTENING: Frames are not forwarded, and the MAC address table is not yet being built.

    LEARNING: Frames are not forwarded. MAC addresses are being learned and the MAC address table is being built.

    FORWARDING: Frames are forwarded, MAC addresses are still learned.

    Note that even though we have a "learning" state, there are two states where the port is learning MAC addresses - learning and forwarding.

    There is a fifth STP state, disabled, and it's just what it sounds like. The port is actually disabled, and disabled ports cannot accept BPDUs.

    We're going to take two looks at STP in action, the first with two switches and the second with three switches. In the first example, there are two separate crossover cables connecting the switches. It's important to note that once STP has converged, one port - and only one port - will be in blocking mode, with the other three in forwarding mode.

    I haven't configured anything on these switches beyond a hostname and the usual lab commands, so what VLANs, if any, will be running on these switches?

    SW1#show vlan brief

    VLAN Name                             Status    Ports
    ---- -------------------------------- --------- -------------------------------
    1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                    Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                    Fa0/9, Fa0/10
    1002 fddi-default                     act/unsup
    1003 token-ring-default               act/unsup
    1004 fddinet-default                  act/unsup
    1005 trnet-default                    act/unsup

    Right! All ports belong to VLAN 1 by default. Except there's one odd thing here... notice that the ports used to connect the switches, Fa0/11 and Fa0/12, don't show up in show vlan brief? That's because they're trunk ports, the kind of port we have to have in order to connect to another switch via that port. We'll talk much more about trunking later in this section, and you can always see what ports are trunking with the show interface trunk command.

    SW1#show interface trunk

    Port      Mode         Encapsulation  Status        Native vlan
    Fa0/11    desirable    802.1q         trunking      1
    Fa0/12    desirable    802.1q         trunking      1

    Port      Vlans allowed on trunk
    Fa0/11    1-4094
    Fa0/12    1-4094

    Port      Vlans allowed and active in management domain
    Fa0/11    1
    Fa0/12    1

    Port      Vlans in spanning tree forwarding state and not pruned
    Fa0/11    1
    Fa0/12    none

    We will examine that command's output in greater detail later in this section, but for now I wanted you to know why those ports were not showing up in show vlan brief. Don't panic, just run show interface trunk!

    Now back to our network....

    To see each switch's STP values for VLAN 1, we'll run show spanning-tree vlan 1. First, we'll take a look at SW1's output for that command.

    SW1#show spanning-tree vlan 1

    VLAN0001
      Spanning tree enabled protocol ieee
      Root ID    Priority    32769
                 Address     000b.be2c.5180
                 Cost        19
                 Port        11 (FastEthernet0/11)
                 Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

      Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
                 Address     000f.90e2.25c0
                 Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
                 Aging Time 300

    Interface        Role Sts Cost      Prio.Nbr Type
    ---------------- ---- --- --------- -------- --------------------------------
    Fa0/11           Root FWD 19        128.11   P2p
    Fa0/12           Altn BLK 19        128.12   P2p

    The Root ID is the BID information for the root bridge; the Bridge ID is the BID information for the local switch. Since the addresses are different for the Root and Bridge ID, this switch is definitely not the root switch.

    The BID of any switch is the priority followed by the MAC address, so let's compare the two values:

    Root ID BID:   32769:00-0b-be-2c-51-80
    Bridge ID BID: 32769:00-0f-90-e2-25-c0

    The device with the lowest BID will be elected root. Since both devices have the exact same priority, the switch with the lowest MAC address is named the root switch, and that's exactly what happened here.

    On SW1, Fa0/11 is in FWD status, short for forwarding. Note that this port is marked Root, meaning that this port will be used by SW1 to reach the root switch. Fa0/11 is SW1's root port for VLAN 1.

    Fa0/12 is in BLK status, short for blocking. How did the switch decide to put Fa0/11 into forwarding mode while 0/12 goes into blocking? The switch first looked at the path cost, but that's the same for both ports - 19. The tiebreaker is the port priority, found under the Prio.Nbr field. Fa0/11's port priority is lower, so it's chosen as the root port.

    Let's mark that on our exhibit and then move on to SW2.

    Here's the output of show spanning-tree vlan 1 on SW2.

    SW2#show spanning-tree vlan 1

    VLAN0001
      Spanning tree enabled protocol ieee
      Root ID    Priority    32769
                 Address     000b.be2c.5180
                 This bridge is the root
                 Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

      Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
                 Address     000b.be2c.5180
                 Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
                 Aging Time 15

    Interface        Role Sts Cost      Prio.Nbr Type
    ---------------- ---- --- --------- -------- --------------------------------
    Fa0/11           Desg FWD 19        128.11   P2p
    Fa0/12           Desg FWD 19        128.12   P2p

    We have two really big hints that SW2 is the root switch for VLAN 1. The first is really, really big - the phrase "This bridge is the root"!

    The next isn't quite as obvious, but it's a good one to keep in mind for exam day. Both Fa0/11 and Fa0/12 are in FWD status. They're both in forwarding mode! A root bridge will always have all of its ports in Forwarding mode. This does help speed up convergence if and when STP recalculates. The root bridge doesn't need its port(s) brought out of blocking mode, because they're already in forwarding mode. Blocking the single port on SW1 in this topology is enough to prevent switching loops.

    Here's how our switched network looks now:

    It's a common misconception that the Fa0/12 port on both switches would be blocked in this situation. Remember that a root switch will have all its ports in forwarding mode.


    Now we'll take a look at a three-switch example.

    In the following network, there are three switches, fully meshed. When VLAN 10 comes online, all three switches will believe they are the root bridge for VLAN 10.

    For clarity's sake, each switch's MAC address is the switch's letter repeated 12 times. The switch priorities have been left at their defaults, resulting in the BIDs shown below.

    Switch      MAC Address       Default Priority   Bridge ID (BID)
    Switch A    aaaa.aaaa.aaaa    32768              32768:aaaa.aaaa.aaaa
    Switch B    bbbb.bbbb.bbbb    32768              32768:bbbb.bbbb.bbbb
    Switch C    cccc.cccc.cccc    32768              32768:cccc.cccc.cccc

    Assuming that all three switches just came online, they all think they're the root switch. To take a closer look at how this situation gets resolved, we'll take a look at each switch's individual behavior during the root bridge election.

    Switch A receives BPDUs from Switch B and Switch C, each claiming they are the root bridge. Switch A examines their BIDs, and sees that its own BID of 32768:aaaa.aaaa.aaaa is lower than either of the BIDs it is receiving. Switch A will continue to advertise itself as the root bridge.

    Switch B receives BPDUs from Switch A and Switch C, each claiming they are the root bridge. Switch B examines the BIDs from these switches. Switch B sees it has a lower BID than Switch C, but a higher BID than Switch A. Switch B recognizes Switch A should be the root bridge due to its lower BID. Switch B will now send BPDUs naming Switch A as the root bridge.

    Switch C receives BPDUs from Switch A and Switch B. Switch C will see that it has a higher BID than both of the other switches, but that A's is the lowest BID of all. Switch C will now recognize Switch A as the root bridge and will send BPDUs naming Switch A as the root bridge.

    At this point, both ports on SW A will be placed into Forwarding mode, since it's the root switch.


    Next, the root ports on each non-root bridge must be selected. Each non-root bridge has two different ports that it can reach the root bridge through, but the cost is lower for the port that is closer to the root bridge (we're assuming all port speeds are the same). Those ports will now be selected as the root port on their respective switches - the switch port with the lowest cost to the root bridge is that switch's root port.

    Hey, we're almost done! Now either Switch B or Switch C must be elected the designated bridge of their common segment. The switch that advertises the lowest cost to the root bridge will be the designated bridge, and that switch's port on the shared segment will be the designated port (DP).

    In this network, SW B and SW C will advertise the same cost to each other over the shared segment. In that case, the switch with the lowest BID will be the designated bridge, and we know that's SW B. SW B's Fa0/2 port will be put into forwarding mode and named the DP for that segment; SW C's Fa0/2 port will be put into blocking mode and will be that segment's non-designated port (NDP). The DP is always in forwarding mode and the NDP will always be in blocking mode.

    Additionally, all forwarding ports on the root switch are considered DPs. A root switch will not have root ports - it doesn't have a port to reach the root, it is the root!


    At this point, only the root switch actually originates BPDUs. The other switches receive them, read them, update the port costs, and then forward them - but non-root switches do not originate BPDUs.

    The switching network is now in a state of convergence - all switches are in agreement on the various STP port states, and all ports are in either Forwarding or Blocking mode.

    In earlier examples, the speed of both links between switches was the same. What if they were different, as shown in the following example?

    In our earlier two-switch example, fast0/11 was chosen as the root port on SW1. The port cost was the same (19), so the port priority was the tiebreaker. In this scenario, the speeds of the links are not the same. The faster the port setting, the lower the port cost, so now fast0/12 would be chosen as the RP on SW1.

    Here are some common port speeds and their associated STP port costs:

    10 Mbps: 100
    100 Mbps: 19
    1 Gbps (also expressed as 1000 Mbps): 4
    10 Gbps: 2

    You must keep those costs in mind when examining a network diagram to determine the flow of traffic, because it's our nature to think the physically shortest path is the fastest path - but STP does not see things that way. Consider:


    At first glance, you'd think that SW B would select Fa0/1 as its root port. Would it?

    The BPDU actually carries the Root Path Cost, and this cost increments as the BPDU is forwarded throughout the network. A port's Path Cost is locally significant only and is unknown by downstream switches.

    The root bridge will transmit a BPDU with the Root Path Cost set to zero. When a neighboring switch receives this BPDU, that switch adds the cost of the port the BPDU was received on to the incoming Root Path Cost. Root Path Cost increments as BPDUs are received, not sent. That new root path cost value will be reflected in the BPDU that switch then sends out.

    Let's look at the network again, with the port costs listed. As mentioned earlier, 100 Mbps ports have a port cost of 19, and 1000 Mbps ports have a port cost of 4. For clarity's sake, I've removed the speeds from the diagram.

    Two very important points regarding port cost:

    The root switch originates the BPDU with a cost of zero

    The root path cost increments as BPDUs are received

    When SW A sends a BPDU directly to SW B, the root path cost is zero. That will increment to 19 as it's received by SW B.

    When SW A sends a BPDU to SW C, the root path cost is zero. That will increment to 4 as it's received by SW C. That BPDU is then forwarded to SW B, which then adds 4 to that cost as it's received on Fa0/2. That results in an overall root path cost of 8, which will result in SW B naming Fa0/2 as the root port.
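    The election, root-port selection and designated-bridge choice walked through above (the two-switch output, the three-switch mesh, and this mixed-speed root path cost), replayed in Python as an added example that is not the study guide's code. Priorities use the 32768 default (the 32769 in the output is 32768 plus the VLAN 1 system-ID extension); the port names on SW A and SW C, which the text does not give, are assumed.

```python
"""Root bridge election, root-port selection and designated-bridge choice for
the chapter's examples.  Added example, not code from the study guide; the
topologies below are constructed from the two-switch and three-switch
scenarios in the text, and the port names on SW A / SW C are assumed."""
import heapq

# IEEE 802.1D port costs quoted in the chapter, keyed by link speed in Mbps
PORT_COST = {10: 100, 100: 19, 1000: 4, 10000: 2}


def bridge_id(priority, mac):
    """BID = priority followed by MAC address; a tuple compares in that order,
    so a lower priority wins before the MAC is ever looked at."""
    return (priority, int(mac.replace(".", "").replace("-", ""), 16))


def port_id(port, priority=128):
    """Port ID as printed in the Prio.Nbr column, e.g. Fa0/11 -> (128, 11)."""
    return (priority, int(port.rsplit("/", 1)[1]))


def elect_root(switches):
    """switches: {name: (priority, mac)}.  Lowest BID is the root."""
    return min(switches, key=lambda name: bridge_id(*switches[name]))


def select_root_ports(switches, links):
    """links: [(sw_a, port_a, sw_b, port_b, speed_mbps), ...].

    Replays BPDU propagation: the root originates with Root Path Cost 0 and
    every receiver adds the cost of the port the BPDU arrived on.  Each
    non-root switch keeps the lowest resulting cost; a tie is broken by the
    receiving port's Prio.Nbr, as Fa0/11 beat Fa0/12 in the two-switch
    example.  Returns {switch: (root_port, root_path_cost)}; the root has
    no root port, so its entry is (None, 0).
    """
    root = elect_root(switches)
    arrivals = {name: [] for name in switches}          # sender -> receiving side
    for sw_a, port_a, sw_b, port_b, speed in links:
        cost = PORT_COST[speed]
        arrivals[sw_a].append((sw_b, port_b, cost))
        arrivals[sw_b].append((sw_a, port_a, cost))
    best = {root: (None, 0)}
    heap = [(0, (0, 0), root)]                           # (cost, port id, switch)
    while heap:
        cost, _, sender = heapq.heappop(heap)
        if cost > best[sender][1]:
            continue                                     # stale heap entry
        for receiver, rx_port, port_cost in arrivals[sender]:
            if receiver == root:
                continue                                 # the root never has a root port
            candidate = (cost + port_cost, port_id(rx_port))  # cost is added on receipt
            current = best.get(receiver)
            if current is None or candidate < (current[1], port_id(current[0])):
                best[receiver] = (rx_port, candidate[0])
                heapq.heappush(heap, (candidate[0], candidate[1], receiver))
    return best


def designated_bridge(switches, root_ports, sw_x, sw_y):
    """Designated bridge for the segment between sw_x and sw_y: the lower
    advertised root path cost wins, and an equal cost falls back to the
    lower BID (SW B over SW C in the equal-speed mesh)."""
    return min((sw_x, sw_y),
               key=lambda name: (root_ports[name][1], bridge_id(*switches[name])))


# Two-switch example: priorities are the 32768 default (the 32769 on the
# page is 32768 plus the VLAN 1 system-ID extension), MACs from the output.
TWO_SWITCHES = {"SW1": (32768, "000f.90e2.25c0"), "SW2": (32768, "000b.be2c.5180")}
TWO_SWITCH_LINKS = [("SW1", "Fa0/11", "SW2", "Fa0/11", 100),
                    ("SW1", "Fa0/12", "SW2", "Fa0/12", 100)]

# Three-switch mesh: SW B's ports are from the text (Fa0/1 toward SW A,
# Fa0/2 toward SW C); the port names on SW A and SW C are assumed.
MESH_SWITCHES = {"SW A": (32768, "aaaa.aaaa.aaaa"),
                 "SW B": (32768, "bbbb.bbbb.bbbb"),
                 "SW C": (32768, "cccc.cccc.cccc")}
MESH_LINKS_EQUAL = [("SW A", "Fa0/1", "SW B", "Fa0/1", 100),
                    ("SW A", "Fa0/2", "SW C", "Fa0/1", 100),
                    ("SW B", "Fa0/2", "SW C", "Fa0/2", 100)]
MESH_LINKS_MIXED = [("SW A", "Fa0/1", "SW B", "Fa0/1", 100),    # 100 Mbps, cost 19
                    ("SW A", "Fa0/2", "SW C", "Fa0/1", 1000),   # 1 Gbps, cost 4
                    ("SW B", "Fa0/2", "SW C", "Fa0/2", 1000)]   # 1 Gbps, cost 4

if __name__ == "__main__":
    print(elect_root(TWO_SWITCHES), select_root_ports(TWO_SWITCHES, TWO_SWITCH_LINKS))
    rp = select_root_ports(MESH_SWITCHES, MESH_LINKS_MIXED)
    print(rp)   # SW B reaches the root through Fa0/2 at cost 8, not Fa0/1 at 19
    rp_equal = select_root_ports(MESH_SWITCHES, MESH_LINKS_EQUAL)
    print(designated_bridge(MESH_SWITCHES, rp_equal, "SW B", "SW C"))
```

    Lowering one switch's priority (the chapter's recommended way to pin the root) changes elect_root's answer regardless of MAC, which is the comparison bridge_id encodes.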


    The moral of the story: The physically shortest path is not always the logically shortest path. Watch for that any time you see different link speeds in a network diagram!

    The STP Timers

    Once these elections have taken place, the root bridge will begin sending a Hello BPDU out all its ports every two seconds. This Hello BPDU serves as the heartbeat of STP, since as long as the non-root bridges receive it, they know the path to the root is unchanged and stable.

    Once that heartbeat disappears, it's an indication of a failure somewhere along the path. STP will run the spanning-tree algorithm to determine the best available path, and ports will be brought out of blocking mode as needed to build this path.

    The Hello BPDUs carry values for three timers that are used by all bridges in identifying situations when the STP algorithm needs to be run again:

    Hello Time: Time between Hello BPDUs. Default: 2 seconds.

    Max Age: The bridge should wait this amount of time after not hearing a Hello BPDU before attempting to change the STP topology. Default: 20 seconds.

    Forward Delay: The amount of time a port should stay in the listening and learning stages as it changes from blocking to forwarding mode. Default: 15 seconds.

    Think carefully before changing these timers, and should you choose to do so, you must do so on the root bridge. The non-root switches will allow you to change the timers on them, but the changes will not be advertised to the other switches!

    Change any and all of these timers with the spanning-tree vlan command, specifying the timers as shown below.

    SW1(config)#spanning-tree vlan 1 ?
      forward-time  Set the forward delay for the spanning tree
      hello-time    Set the hello interval for the spanning tree
      max-age       Set the max age interval for the spanning tree
      priority      Set the bridge priority for the spanning tree
      root          Configure switch as root

    The STP Interface States

    When a port goes from blocking state to forwarding state, it does not do so instantly. If it did, loops could result. STP has interfaces go through two intermediate states between blocking and forwarding - listening and learning.

    A port coming out of blocking state first goes into listening state. The port is listening for Hello BPDUs from other possible root switches. The port will listen for the value of the Forward Delay timer, 15 seconds by default.

    The port will then go into learning state. This state has the port learn the new location of MAC addresses, but will not allow forwarding of them, since there is a good possibility other switches are currently converging and loops could develop if MAC addresses were learned from other switches during convergence. Learning state also lasts the duration of the Forward Delay timer.

    To review the order and timers involved:

    Port comes out of blocking state, goes into listening state for 15 seconds

    Port transitions from listening to learning, stays in learning state for 15 seconds

    Port transitions from learning to forwarding

    The one STP state we didn't mention here is disabled. Some non-Cisco documentation does not consider this an official STP state, but since the CCNA is a Cisco exam, we certainly should! Ports in disabled mode are not learning MAC addresses, and they're not accepting or sending BPDUs - they're not doing anything!

    So What Happens If I Turn STP Off?

    A lot of bad things. The most obvious is that you're going to have switching loops form very quickly, which in turn will lead to broadcast storms. A broadcast storm occurs when one broadcast is answered with multiple broadcasts, which in turn generate even more broadcasts. It's a really ugly situation, and there really is no good reason to turn STP off.

    Portfast

    Consider the amount of time a port ordinarily takes to go from blocking to forwarding when it stops receiving Hello BPDUs:

    Port stays in blocking mode for 20 seconds before beginning the transition to listening (as defined by the MaxAge value)

    Port stays in listening mode for 15 seconds before beginning the transition to learning (as defined by the Forward Delay value)

    Port stays in learning mode for 15 seconds before transitioning to forwarding mode (also as defined by Forward Delay)

    That's 50 seconds, or what seems like 50 hours in networking terms. :)

    The listening and learning stages are there for a reason, the primary one being loop prevention during convergence. In certain circumstances, we can avoid these delays with Portfast.

    Portfast allows a port to bypass the listening and learning stages of this process, but is only appropriate to use on switch ports that connect directly to an end-user device, such as a PC. Using portfast on a port leading to another networking device can lead to switching loops. That threat is so serious that Cisco even warns you about it on the switch when you configure Portfast.

    SW2(config)#int fast 0/6
    SW2(config-if)#spanning portfast
    %Warning: portfast should only be enabled on ports connected to a single host.
    Connecting hubs, concentrators, switches, bridges, etc... to this interface
    when portfast is enabled, can cause temporary bridging loops.
    Use with CAUTION

    %Portfast has been configured on FastEthernet0/6 but will only
    have effect when the interface is in a non-trunking mode.

    That's a pretty serious warning! I love the mention of "temporary bridging loops", though. All pain is temporary, but that doesn't make it feel good at the time!

    Portfast can be a real help in the right circumstances....

    ... and a real hazard in the wrong circumstances.

    Make sure you know which is which!

    Virtual LANs (VLANs)

    We went over basic VLAN concepts in the Basic Switching section, and I'm going to repeat that information here since it relates closely to the information following this section - namely, trunking and VLAN Trunking Protocol (VTP). There is some new material in the following that's pertinent to the CCNA exam, so read carefully - this is not just the same VLAN information from earlier in the course.

    Let's review a switch's default behavior regarding broadcasts and then go into more detail about why this is so important.

    The default behavior of a switch is to forward a broadcast out every single port on the switch except the one it came in on. All hosts that receive a broadcast sent by a host are considered to be on the same physical LAN as the sender.

    Looks pretty innocent, right? We actually have two potential issues with this situation. First, in a production network, you'll have many other hosts connected to that switch - and every single one of those hosts is going to get a copy of any broadcast sent by any other host connected to that switch. That's a lot of broadcasts, and it's a big waste of bandwidth.

    The next problem is that broadcasts tend to result in the recipients generating broadcasts of their own. Pretty soon, the switch is so busy handling all of the broadcasts that it can't carry out its other functions, and the network comes to a standstill. This continual generation of new broadcasts is called a broadcast storm, and this is one storm that can sink your switch for good.

    A broadcast storm can overwhelm a switch's memory and CPU capabilities, rendering the switch virtually useless.

    Between the waste of bandwidth and switch resources and the possibility of a broadcast storm, we're very interested in limiting broadcasts.

    Before we take a look at how Virtual LANs can help us limit broadcasts, I want to reiterate that broadcasts are not evil, and they can't be eliminated. The more you learn about networking, the more you realize that broadcasts are actually quite helpful and have some very important roles in our network. What we want to do is limit broadcasts, particularly the sending of broadcasts to hosts that do not need them.

    To illustrate how Virtual LANs can help limit broadcast propagation, we'll assign an IP address to each one of our hosts and then take a look at the default Cisco switch settings for VLANs. The circle(s) will continue to illustrate the broadcast domain(s). The numbers on the switch indicate the switch port that's connected to that host.

    To test connectivity, we'll send pings from 172.34.34.4 to the other three hosts. Note that I'm using Cisco routers for our hosts, so these pings will look different than any you've run from PCs.

    Host4#ping 172.34.34.2

    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 172.34.34.2, timeout is 2 seconds:
    !!!!!

    Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms

    Host4#ping 172.34.34.3

    Type escape sequence to abort.

    Sending 5, 100-byte ICMP Echos to 172.34.34.3, timeout is 2 seconds:
    !!!!!

    Success rate is 100 percent (5/5), round-trip min/avg/max = 4/6/8 ms


    Host4#ping 172.34.34.1

    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 172.34.34.1, timeout is 2 seconds:
    !!!!!

    Success rate is 100 percent (5/5), round-trip min/avg/max = 4/6/8 ms

    Everything looks good!

    Now that we know that Host 4 can ping the other hosts, let's take a look at the switch.

    I occasionally have a student tell me that their network doesn't use VLANs, but a Cisco switch is set up for and is using VLANs by default. The key command for viewing and verifying VLAN configuration is show vlan brief.

    SW1#show vlan brief

    VLAN Name                             Status    Ports
    ---- -------------------------------- --------- -------------------------------
    1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                    Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                    Fa0/9, Fa0/10
    1002 fddi-default                     active
    1003 token-ring-default               active
    1004 fddinet-default                  active
    1005 trnet-default                    active

    Note that VLAN 1 has the name "default". That's exactly what VLAN 1 is - the default VLAN for every host connected to this switch. Under "Ports", you can see that 10 ports are in this VLAN. By default, a copy of every broadcast sent by any host in a given VLAN will be sent to every other host in that VLAN. (The default VLAN is also called the native VLAN.)

    If a host is connected to every one of those ports, and any of the hosts sends a broadcast, a copy of that broadcast will be sent to every other host connected to that switch. That's a real waste of switch resources and bandwidth!

    Let's say that we want only Host 2 to receive any broadcast sent by Host 4, and vice versa. We can accomplish this by placing those two hosts into their own VLAN. That's done at the port level with the switchport access vlan command, followed by the VLAN number the port's being placed into. You must make the port an access port before you can place it into a VLAN.

    SW1(config-if)#interface fast 0/2
    SW1(config-if)#switchport access vlan 24
    % Access VLAN does not exist. Creating vlan 24
    SW1(config-if)#interface fast 0/4
    SW1(config-if)#switchport access vlan 24

    If you try to put a port into a VLAN that hasn't been created yet, the switch creates it for you and even tells you so. Pretty good deal!

    Now Hosts 2 and 4 are in VLAN 24, and Hosts 1 and 3 are still in VLAN 1. We'll verify that after the illustration with show vlan brief.


    SW1#show vlan brief

    VLAN Name                             Status    Ports
    ---- -------------------------------- --------- -------------------------------
    1    default                          active    Fa0/1, Fa0/3, Fa0/5, Fa0/6
                                                    Fa0/7, Fa0/8, Fa0/9, Fa0/10
    24   VLAN0024                         active    Fa0/2, Fa0/4
    1002 fddi-default                     active
    1003 token-ring-default               active
    1004 fddinet-default                  active
    1005 trnet-default                    active

    That simple configuration really helps to reduce broadcasts! When all four hosts were in the same VLAN and one host sent a broadcast, the switch would make sure that all three of the other hosts received a copy. Now when a member of any given VLAN sends a broadcast, only members of that same VLAN will receive it - and right now, that means only one other host will receive it!

    When we create VLANs, we're creating multiple, smaller broadcast domains, and that really helps to limit the scope of those broadcasts.

    In networking, though, there's almost always a tradeoff. If Host 4 sends a broadcast, Hosts 1 and 3 will not receive it because they're in another VLAN. Does that hold true for other kinds of traffic - like pings, for instance? To find out, let's send a ping from Host 4 to the other three hosts. When they were all in the same VLAN, the pings were all returned. What about now?

    Host4#ping 172.34.34.1

    Type escape sequence to abort.

    Sending 5, 100-byte ICMP Echos to 172.34.34.1, timeout is 2 seconds:
    .....
    Success rate is 0 percent (0/5)

    Host4#ping 172.34.34.2

    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 172.34.34.2, timeout is 2 seconds:
    !!!!!

    Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms

    Host4#ping 172.34.34.3

    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 172.34.34.3, timeout is 2 seconds:
    .....

    Success rate is 0 percent (0/5)


    When you ping a remote host and get five periods back, that means the local host has no IP connectivity to the specified destination. Host 4 can still ping Host 2, since they're in the same VLAN, but Host 4 can no longer ping the other two hosts since they are not in that VLAN.
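    A parser for the show vlan brief output above and a same-VLAN reachability check, added here as an example rather than the study guide's own code. The two tables are constructed copies of the before/after output, and Host N sitting on Fa0/N is an assumption taken from the diagram's port numbering.

```python
"""Parser for `show vlan brief` plus a same-VLAN reachability check.
Added example, not the study guide's own code.  The two tables are
constructed copies of the chapter's before/after output, and the host-to-port
mapping assumes Host N sits on Fa0/N as the chapter's diagram numbers them."""
import re

SHOW_VLAN_BRIEF_BEFORE = """\
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                Fa0/9, Fa0/10
1002 fddi-default                     active
1003 token-ring-default               active
1004 fddinet-default                  active
1005 trnet-default                    active
"""

SHOW_VLAN_BRIEF_AFTER = """\
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/3, Fa0/5, Fa0/6
                                                Fa0/7, Fa0/8, Fa0/9, Fa0/10
24   VLAN0024                         active    Fa0/2, Fa0/4
1002 fddi-default                     active
1003 token-ring-default               active
1004 fddinet-default                  active
1005 trnet-default                    active
"""

# Assumed: Host N is connected to Fa0/N (the diagram labels ports by host number)
HOSTS = {"Host1": "Fa0/1", "Host2": "Fa0/2", "Host3": "Fa0/3", "Host4": "Fa0/4"}

# VLAN id, name, status, then the (possibly empty) first line of ports.
# Assumes VLAN names contain no spaces, which holds for the names in this table.
_VLAN_ROW = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s*(.*)$")


def _port_number(port):
    return int(port.rsplit("/", 1)[1])


def parse_show_vlan_brief(text):
    """Return {vlan_id: {"name", "status", "ports"}}.  Long port lists wrap
    onto indented continuation lines that carry nothing but more ports."""
    vlans, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith(("VLAN ", "----")):
            continue                                   # column header / rule line
        match = _VLAN_ROW.match(line)
        if match:
            current = {"name": match.group(2), "status": match.group(3), "ports": []}
            vlans[int(match.group(1))] = current
            port_field = match.group(4)
        elif current is not None and line[0].isspace():
            port_field = line                          # continuation line of ports
        else:
            raise ValueError(f"unexpected line in show vlan brief: {line!r}")
        current["ports"].extend(p.strip() for p in port_field.split(",") if p.strip())
    return vlans


def port_to_vlan(vlans):
    """Invert the table: access port -> VLAN id.  Trunk ports (Fa0/11 and
    Fa0/12 in the chapter) never appear in show vlan brief, so not here either."""
    return {port: vid for vid, entry in vlans.items() for port in entry["ports"]}


def broadcast_recipients(vlans, ingress_port):
    """Ports that receive a copy of a broadcast arriving on ingress_port:
    every other access port in the same VLAN (the chapter's 'every port
    except the one it came in on', now scoped to one broadcast domain)."""
    vid = port_to_vlan(vlans).get(ingress_port)
    if vid is None:
        raise KeyError(f"{ingress_port} is not an access port in this table")
    return sorted((p for p in vlans[vid]["ports"] if p != ingress_port), key=_port_number)


def can_ping(vlans, host_a, host_b, hosts=HOSTS):
    """Layer 2 reachability only: same VLAN means the ping is answered,
    different VLANs means it needs a Layer 3 device, which this switch is not."""
    mapping = port_to_vlan(vlans)
    vlan_a, vlan_b = mapping.get(hosts[host_a]), mapping.get(hosts[host_b])
    return vlan_a is not None and vlan_a == vlan_b


if __name__ == "__main__":
    before = parse_show_vlan_brief(SHOW_VLAN_BRIEF_BEFORE)
    after = parse_show_vlan_brief(SHOW_VLAN_BRIEF_AFTER)
    print("broadcast from Host4, before:", broadcast_recipients(before, "Fa0/4"))
    print("broadcast from Host4, after: ", broadcast_recipients(after, "Fa0/4"))
    for target in ("Host1", "Host2", "Host3"):
        print(f"Host4 -> {target}:", "!!!!!" if can_ping(after, "Host4", target) else ".....")
```

    Running the same check against a production switch's output is a quick way to confirm that a port meant to be segregated really is alone in its VLAN.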

    It's vital to remember that no traffic - pings or data packets - can be sent from one VLAN to another without the intervention of a Layer 3 device, most likely a router.

    Notice I said "most likely". We really have two options here:

    Using a technique called "router on a stick"

    Using a Layer 3 switch for that switch

    We're going to look at "router on a stick" in much greater detail later in this section,but I'd like to talk about L3 switches for just a moment before we move on.

    You're not going to be asked questions about L3 switches in your CCNA exam, but

    as a CCNA you should certainly know they exist. An L3 switch is a switch that canactually run routing protocols as well. You can switch on some ports and configureother ports as routing ports!

    Once you get your CCNA, you really should learn more about L3 switches. In theprevious example, if that switch were an L3 switch, we could simply configure somerouting ports on that switch and the VLANs could send data to each other without arouter getting involved.

    But for the CCNA exam, a switch runs at L2, and that's it. I'll show you more thanyou'd ever want to know about "router on a stick" later in this section!

    VLANs have uses beyond limiting broadcasts. One common usage is to use VLANs to group users by their job function or department. Let's say you have three hosts each in your Accounting and Security departments, and two in Maintenance. Without VLANs, they're in one big group, sharing the same address space. (For clarity, I've left out the cabling. Straight-through cables, that is!)

    With VLANs, we can logically segment the switch into three logical groups. (Physically segmenting the switch is not recommended, it's a little rough on the hardware.)


    This also helps to limit access to network resources on a per-VLAN basis - after all, you know our end users can get a bit territorial! If someone in the Accounting department said they had a new server that contained data that should be available only to Accounting personnel, you could just put the port leading to the server into VLAN 30.

    The ability to place hosts in their own VLAN is also considered a security feature. If someone came to you and told you they have a new department that needs to be totally segregated from the rest of the network, putting those hosts in their own VLAN will do the job. So VLANs are a security feature, but I wouldn't throw away my firewalls just yet. Keep in mind what that segregation actually rests on: the VLAN assignment of each port, and the fact that a Layer 3 device is the only way from one VLAN to another. Any router or L3 switch that connects the VLANs will pass traffic between them unless you filter it there, and a port that is allowed to become a trunk carries every VLAN, not just one. VLANs separate broadcast domains; they don't inspect anything.

    VLANs and the MAC Address Table

    In the first Switching section in this course, you learned - everyone repeat after me - the switch examines the source MAC address of incoming frames before looking at anything else. That's how the switch builds its MAC table.

    Now that you know about VLANs, I wanted to mention that the switch actually keeps a separate switching table for each VLAN. A MAC address learned in one VLAN means nothing in another, and a frame is only ever switched or flooded to ports in its own VLAN. The per-VLAN form of show mac-address-table can really come in handy with troubleshooting on occasion. In this example, I've put port fast0/2 into VLAN 17 and then run the show mac-address-table dynamic vlan 17 command.

    SW1#show mac-address-table dynamic vlan 17
              Mac Address Table
    -------------------------------------------

    Vlan    Mac Address       Type        Ports
    ----    -----------       --------    -----
      17    0010.7b39.c5e9    DYNAMIC     Fa0/2
    Total Mac Addresses for this criterion: 1
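    To tie the last few points together - learning on the source MAC, one table per VLAN, and broadcasts and unknown unicasts staying inside their VLAN - here is a small model of a VLAN-aware switch. It is an added example written for this page, not code from the original guide or from any Cisco product; the port names, MAC addresses and VLAN numbers are constructed to mirror the four-host example above.

```python
BROADCAST = "ff:ff:ff:ff:ff:ff"


class VlanSwitch:
    """Model of a Layer 2 switch that keeps one MAC table per VLAN.

    Constructed example. It models only what the page describes: learn the
    source MAC of every incoming frame, forward a known unicast out one port,
    and flood unknown unicasts and broadcasts only to the ports in the same
    VLAN as the port the frame arrived on.
    """

    def __init__(self, port_vlans):
        # Access-port assignments, e.g. {"Fa0/1": 10, "Fa0/3": 20}
        self.port_vlans = dict(port_vlans)
        # (vlan, mac) -> port. Keying on the VLAN is what keeps the tables separate.
        self.mac_table = {}

    def receive(self, in_port, src_mac, dst_mac):
        """Switch one frame; return the set of ports it is sent out of."""
        vlan = self.port_vlans[in_port]
        # Source address first: that's how the table gets built.
        self.mac_table[(vlan, src_mac)] = in_port
        same_vlan = {p for p, v in self.port_vlans.items() if v == vlan and p != in_port}
        if dst_mac == BROADCAST:
            return same_vlan                        # broadcast domain == VLAN
        out_port = self.mac_table.get((vlan, dst_mac))
        if out_port is None:
            return same_vlan                        # unknown unicast: flood, within the VLAN
        if out_port == in_port:
            return set()                            # destination is behind the ingress port
        return {out_port}

    def show_mac_table(self, vlan):
        """Equivalent of 'show mac-address-table dynamic vlan N': {mac: port}."""
        return {mac: port for (v, mac), port in self.mac_table.items() if v == vlan}


def demo():
    sw = VlanSwitch({"Fa0/1": 10, "Fa0/2": 10, "Fa0/3": 20, "Fa0/4": 20})
    h1, h2, h3 = "00:00:00:00:00:01", "00:00:00:00:00:02", "00:00:00:00:00:03"
    bcast = sw.receive("Fa0/1", h1, BROADCAST)  # Host 1 broadcasts: only Fa0/2 hears it
    reply = sw.receive("Fa0/2", h2, h1)         # Host 2 answers: known unicast, out Fa0/1 only
    cross = sw.receive("Fa0/3", h3, h1)         # Host 3 (VLAN 20) addresses Host 1's MAC:
                                                # VLAN 20's table has never seen it, so the
                                                # frame floods VLAN 20 and never reaches Host 1
    return bcast, reply, cross, sw.show_mac_table(10), sw.show_mac_table(20)
```

    The third frame in demo() is the interesting one: Host 3 knows Host 1's MAC address, yet the frame still never leaves VLAN 20, because the lookup happens in VLAN 20's table, which has no entry for it. That is the whole of the "no Layer 3 device, no inter-VLAN traffic" rule, seen from inside the switch.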

    Trunking

    Trunking is the process of allowing traffic for multiple VLANs to flow between physically connected switches over a single link. In order for the switch receiving a frame to know which VLAN that frame belongs to, a tag indicating the VLAN is placed on the frame by the transmitting switch ("frame tagging").

    In the following network, we have two hosts in VLAN 10, and they're connected to separate, trunking switches. A frame would be tagged "VLAN 10" before being sent across the trunk. When the receiving switch processes that incoming frame, the switch knows that frame should be distributed only to members of VLAN 10. This allows members in the same VLAN to communicate when they are physically connected to different switches, which is a common need since VLANs can and usually do span multiple switches.

    The trunk consists of two trunking ports and a crossover cable. The PCs are connected to access ports with a straight-through cable.

    We do need the help of a trunking protocol to build this trunk. Not all switches support both of these protocols, but for your CCNA exam, it's an excellent idea to know them both and the differences between them.

    Inter-Switch Link (ISL) is the Cisco-proprietary trunking protocol. Obviously, it can only be used between two Cisco switches. The entire original frame is encapsulated inside an ISL header and trailer before transmission across the trunk.

    IEEE 802.1Q, generally known as "dot1q", is the industry standard trunking protocol. If a non-Cisco switch is involved in the trunk, this is the trunking protocol to use. Dot1q does not encapsulate the entire frame. Instead, a 4-byte tag is inserted into the Ethernet header, right after the source MAC address, indicating the VLAN to which the frame belongs.

    The key difference between the two is the way they handle - or do not handle - the native VLAN. By default, the native VLAN is VLAN 1. The native VLAN is the default VLAN. When dot1q is ready to transmit a frame belonging to the native VLAN over the trunk, the protocol will not put that 4-byte tag onto the frame. Instead, the frame is transmitted as-is. This helps to cut down even more on overhead.

    When the receiving switch sees there is no tag on the frame, it assumes the frame belongs to the native VLAN, and it is forwarded accordingly. Dot1q allows for a different VLAN to be selected as the native VLAN, and the choice has to match on both ends of the trunk: if one end treats untagged frames as VLAN 1 and the other as VLAN 99, traffic leaks between those two VLANs. That, plus the fact that every port sits in VLAN 1 by default, is why the usual recommendation is to use an otherwise unused VLAN, not VLAN 1, as the native VLAN on trunks.

    ISL does not recognize the concept of the native VLAN. Every single frame transmitted over an ISL trunk will be encapsulated. That means a lot of additional overhead as compared to dot1q.

    To sum it up:

    ISL is the Cisco-proprietary trunking protocol. ISL encapsulates every frame before it crosses the trunk, and doesn't recognize the native VLAN concept.

    Dot1q is the industry standard, places only a 4-byte tag into the frame, and won't even do that if the frame belongs to the native VLAN.
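    The dot1q behaviour just summarized - a 4-byte tag inserted after the source MAC, and nothing at all for the native VLAN - is easy to see at the byte level. The following is an added example written for this page, not code from the original guide or from any switch vendor; the MAC addresses and payload are constructed, and the "receiving switch" is a function that does only what the text says a receiving switch does with an untagged frame.

```python
import struct

TPID_8021Q = 0x8100       # EtherType value that announces an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800


def mac_bytes(mac):
    """'00:11:22:33:44:55' -> 6 raw bytes."""
    return bytes.fromhex(mac.replace(":", "").replace("-", ""))


def build_frame(dst, src, ethertype=ETHERTYPE_IPV4, payload=b""):
    """Plain Ethernet II frame: dst(6) | src(6) | EtherType(2) | payload."""
    return mac_bytes(dst) + mac_bytes(src) + struct.pack("!H", ethertype) + payload


def tag_frame(frame, vlan_id, native_vlan=1, pcp=0):
    """Sending-switch side of an 802.1Q trunk.

    Inserts the 4-byte tag (TPID 0x8100 + TCI) after the source MAC, unless the
    frame belongs to the native VLAN, in which case it leaves the trunk untagged.
    """
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be 1-4094")
    if vlan_id == native_vlan:
        return bytes(frame)
    tci = ((pcp & 0x7) << 13) | vlan_id            # PCP(3) | DEI(1)=0 | VID(12)
    return bytes(frame[:12]) + struct.pack("!HH", TPID_8021Q, tci) + bytes(frame[12:])


def classify_frame(frame, native_vlan=1):
    """Receiving-switch side: return (vlan_id, frame_with_tag_removed).

    Tagged frames go to the VLAN named in the TCI. Untagged frames carry no
    information at all about their VLAN; the receiver simply assumes its own
    native VLAN, which is why the native VLAN must match on both ends.
    """
    if len(frame) < 14:
        raise ValueError("runt frame")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != TPID_8021Q:
        return native_vlan, bytes(frame)
    (tci,) = struct.unpack("!H", frame[14:16])
    return tci & 0x0FFF, bytes(frame[:12]) + bytes(frame[16:])


def demo():
    # Constructed frame: a host in VLAN 10 talking to another host across the trunk.
    frame = build_frame("00:00:00:00:00:02", "00:00:00:00:00:01", payload=b"\x45" + b"\x00" * 19)
    tagged = tag_frame(frame, 10)          # VLAN 10 is not native: tag added
    native = tag_frame(frame, 1)           # VLAN 1 is native: sent as-is
    return {
        "untagged_len": len(frame),
        "tagged_len": len(tagged),
        "vlan10_seen_as": classify_frame(tagged)[0],
        "tag_stripped_ok": classify_frame(tagged)[1] == frame,
        "native_seen_as": classify_frame(native)[0],
        # The same untagged frame arriving at a switch whose native VLAN is 99:
        "native_mismatch_seen_as": classify_frame(native, native_vlan=99)[0],
    }
```

    The last entry in demo() is the native VLAN mismatch from the text: the sending switch put a VLAN 1 frame on the wire untagged, and a receiver configured with native VLAN 99 has no way to tell, so it delivers the frame into VLAN 99.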

    Access Ports, Trunk Ports, And Trunk Port Settings

    A Cisco switch port is going to be either an access port or a trunk port; it cannot be both.

    As we saw earlier, an access port belongs to one and only one VLAN. Once you configure a port as an access port, that port cannot trunk.

    Trunk ports carry traffic for multiple VLANs. The default behavior of a trunk port is that it is a member of all VLANs, but you will not see this indicated by show vlan brief. Here's the output of that command on our switch where fast0/11 and 0/12 are trunking:

    SW1#show vlan br

    VLAN Name                             Status    Ports
    ---- -------------------------------- --------- ---------------------------
    1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                    Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                    Fa0/9, Fa0/10
    1002 fddi-default                     act/unsup
    1003 token-ring-default               act/unsup
    1004 fddinet-default                  act/unsup
    1005 trnet-default                    act/unsup

    Notice that 0/11 and 0/12 are missing from the port list. They're seen with the show interface trunk command.

    SW1#show interface trunk

    Port      Mode         Encapsulation  Status        Native vlan
    Fa0/11    desirable    802.1q         trunking      1
    Fa0/12    desirable    802.1q         trunking      1

    Port      Vlans allowed on trunk
    Fa0/11    1-4094
    Fa0/12    1-4094

    Port      Vlans allowed and active in management domain
    Fa0/11    1
    Fa0/12    1

    Port      Vlans in spanning tree forwarding state and not pruned
    Fa0/11    1
    Fa0/12    none

    Let's use IOS Help to look at our trunking options. We have quite a few, but they're not all visible in one place.

    SW1(config-if)#switchport mode ?
      access   Set trunking mode to ACCESS unconditionally
      dynamic  Set trunking mode to dynamically negotiate access or trunk mode
      trunk    Set trunking mode to TRUNK unconditionally

    The top choice refers to access ports, and we saw that in action earlier. When you configure a port as an access port, this is in effect setting the trunking mode to OFF unconditionally.

    The dynamic option will dynamically negotiate trunk mode, while the trunk option unconditionally turns trunking on for this port. dynamic has a few options we need to know as well.

    SW1(config-if)#switchport mode dynamic ?
      auto       Set trunking mode dynamic negotiation parameter to AUTO
      desirable  Set trunking mode dynamic negotiation parameter to DESIRABLE

    We have dynamic auto and dynamic desirable, and these options are generally referred to simply as "auto" and "desirable".

    There's one more "hidden" trunk port setting:

    SW1(config-if)#switchport nonegotiate

    Therefore, according to IOS Help, we actually have five trunking settings for a port:

    on
    off
    auto
    desirable
    nonegotiate

    On means that the switchport is unconditionally trunking, whether the other end of the trunk likes it or not. This is the result of switchport mode trunk.

    Off means that the port will not trunk with the remote partner under any circumstances. This mode is the result of making a port an access port.

    Desirable means that the port will actively attempt to trunk. If the remote port is in on, desirable, or auto mode, a trunk will result.

    Auto means the port will trunk, but the other side must initiate trunking. If the remote port is in desirable or on mode, a trunk will result. If both sides are in auto mode, no trunk will result.

    Finally, nonegotiate means that the port stops sending Dynamic Trunking Protocol (DTP) frames altogether. It's applied to a port that has already been set to trunk (or access) mode - IOS rejects it on a port in either dynamic mode, since a dynamic port has nothing to do without DTP. A trunk port with nonegotiate is permanently trunking, but it only forms a working trunk with a remote port that is also in on or nonegotiate mode; a desirable or auto port on the other end never hears any DTP and stays in access mode.

    Notice what the two dynamic modes mean for a port with a user's PC on it: the switch will negotiate with whatever is on the other end, so anything plugged into that port that speaks DTP can turn it into a trunk carrying every VLAN. That's why ports facing end hosts should be set to access mode (and given switchport nonegotiate), and why a port should be left in a dynamic mode only while you're waiting for the other switch to be configured.
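    The five settings and their pairwise outcomes are simple enough to write down as rules and check against every combination. The block below is an added example written for this page, not Cisco code or anything from the original guide; port_trunks() encodes exactly the rules stated above, and audit_host_ports() applies them to a constructed port list to answer the question a security review asks of every host-facing port: would it trunk if the attached device sent DTP? (The factory default on Catalyst switches is one of the dynamic modes, which is why that question is worth asking.)

```python
# DTP settings discussed on the page: on (mode trunk), off (mode access),
# desirable / auto (the two dynamic modes), and nonegotiate (trunk, DTP silenced).
MODES = ("on", "off", "desirable", "auto", "nonegotiate")


def port_trunks(local, remote):
    """Does the local port end up trunking, given its own setting and the remote one?

    on / nonegotiate trunk unconditionally; off never trunks; desirable and auto
    only trunk after hearing DTP from a partner willing to trunk, and a partner
    in off or nonegotiate mode never sends such a frame.
    """
    if local not in MODES or remote not in MODES:
        raise ValueError(f"unknown mode: {local!r} / {remote!r}")
    if local == "off":
        return False
    if local in ("on", "nonegotiate"):
        return True
    if remote in ("off", "nonegotiate"):
        return False                       # nothing usable arrives from the other side
    if local == "desirable":
        return remote in ("on", "desirable", "auto")
    return remote in ("on", "desirable")   # local == "auto": the other side must initiate


def link_result(a, b):
    """'trunk' if both ends trunk, 'access' if neither does, 'mismatch' otherwise.

    A mismatch is the case where one end believes it is trunking and the other
    does not; tagged frames then arrive at a port that does not expect them.
    """
    ta, tb = port_trunks(a, b), port_trunks(b, a)
    if ta and tb:
        return "trunk"
    if not (ta or tb):
        return "access"
    return "mismatch"


def negotiation_matrix():
    """All 25 combinations as {(local, remote): result}."""
    return {(a, b): link_result(a, b) for a in MODES for b in MODES}


def audit_host_ports(port_modes):
    """Return the host-facing ports that would trunk if the attached device spoke DTP.

    port_modes maps port name -> setting (constructed data). A port with a PC on
    it should not appear here: anything that can be talked into trunking hands
    every VLAN to whatever is plugged into it. A host-facing port already in
    'on' or 'nonegotiate' is flagged too, since it is a trunk to a host.
    """
    return sorted(p for p, mode in port_modes.items() if port_trunks(mode, "desirable"))
```

    negotiation_matrix() reproduces the page's statements (desirable/auto trunks, auto/auto does not, on/off is a mismatch) and adds the nonegotiate rows, where the only clean outcomes are with on or nonegotiate on the far side.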

    Now that we've got our switches trunking, we need to let them exchange VLAN information. It's important for our switches to know about all VLANs in the network, not just the VLANs that have ports on the local switch.

    Here's why:

    SW2 doesn't have any ports in VLAN 10, but it still has to know about that VLAN. If one PC in VLAN 10 sends data to the other, those frames are going to be tagged for VLAN 10. With this topology, the frames have to go through SW2. If SW2 doesn't know about VLAN 10, it'll have no way to send them to the correct destination!

    To give our switches a common view of the VLANs in use, we use the Cisco-proprietary protocol VTP - the VLAN Trunking Protocol.

    VLAN Trunking Protocol (VTP)

    VTP allows switches to advertise VLAN information to other members of the same VTP domain. VTP allows a consistent view of the switched network across all switches. When a VLAN is created on a VTP server, all other VTP devices in the domain are notified of that VLAN's existence. VTP servers will know about every VLAN - even VLANs that have no members on that switch.

    This information is shared between VTP devices in the form of summary advertisements. A VTP server will send one of these advertisements every five minutes, and immediately upon a change in its VTP database.

    There are three separate VTP modes. Be sure you are very clear on all three before taking the CCNA exam.

    In server mode, VLANs can be created, modified, and deleted. When these actions are taken, the changes are advertised to all switches in the VTP domain. VTP servers can originate, forward, and process VTP summary ads. VTP servers keep VLAN configuration information across a reboot by storing it in non-volatile storage (on a Catalyst IOS switch that's the vlan.dat file in flash, not the startup-config in NVRAM - erasing the startup-config does not remove the VLANs).

    In client mode, the switch cannot modify, create, or delete VLANs. VTP clients do not retain VLAN configuration information upon reboot. VTP clients keep this information in their running configuration, but not in non-volatile storage. If a VTP client is reloaded, it must obtain this information from a VTP server when it comes back up. VTP clients can accept, process, and forward summary advertisements.

    The third VTP mode is a specialty VTP mode, transparent mode. You don't see it very often, but you still see it on occasion. Take special note of the differences between transparent mode and the other two VTP modes.

    Switches in transparent mode forward the VTP advertisements received from other switches, but they do not process the information contained in those ads. VLANs can be created, deleted, and modified on a transparent-mode switch, but those changes are not advertised to the other switches in the VTP domain - they are locally significant only.

    Transparent VTP switches keep their VLAN information in non-volatile storage, just as VTP servers do.

    Setting the VTP mode of a Cisco switch is done with the vtp mode command.

    SW1(config)#vtp mode ?
      client       Set the device to client mode.
      server       Set the device to server mode.
      transparent  Set the device to transparent mode.

    There are two VTP basics we have to be aware of for VLAN information to be correctly exchanged.

    1. The VTP domain name must match. This is case-sensitive. "CISCO" and "cisco" are two different domains. The VTP domain is set with the vtp domain command. When you see the domain name changed from NULL to a new name, NULL indicates that there was no previous domain name.

    SW1(config)#vtp domain CCNA
    Changing VTP domain name from NULL to CCNA

    2. To distribute information about a newly-created VLAN, the switch upon which that VLAN is created must be in Server mode. You can't have a VTP domain with only VTP clients.

    This is what happens when you try to create a VLAN on a switch configured as a VTP client:

    SW1(config)#vtp mode client
    Setting device to VTP CLIENT mode.
    SW1(config)#vlan 20
    VTP VLAN configuration not allowed when device is in CLIENT mode.

    The switch is kind enough to remind you that you cannot create, modify, or delete VLANs on a VTP client. I doubt the exam will remind you, so remember that!

    The one major VTP command to view the number of VLANs, the local switch's operating mode, the VTP domain name, the configuration revision number, and more is show vtp status.

    SW1#show vtp status
    VTP Version                     : 2
    Configuration Revision          : 2
    Maximum VLANs supported locally : 64
    Number of existing VLANs        : 7
    VTP Operating Mode              : Server
    VTP Domain Name                 : CCNA
    VTP Pruning Mode                : Disabled
    VTP V2 Mode                     : Disabled
    VTP Traps Generation            : Disabled
    MD5 digest                      : 0x00 0xE9 0x2B 0x8D 0x0B 0xF9 0x37 0x57
    Configuration last modified by 74.92.187.151 at 3-1-93 09:14:26
    Local updater ID is 74.92.187.151 on interface Vl1 (first interface found)

    And what's the configuration revision number? Glad you asked, because if you don't know, you could have a little trouble on your exam - and a lot of trouble in your real-world network.

    VTP Configuration Revision Numbers

    Most VTP deployments are going to have two or more VTP servers, so when one VTP server sends a summary advertisement, how does the receiving VTP server know if that ad has the latest and greatest information?

    Every VTP switch keeps a configuration revision number that it increments by one each time its own VTP database is modified. That same number is placed into the outgoing VTP summary advertisement. If the receiving switch's own VTP configuration revision number is lower than that of the incoming advertisement, the incoming ad's information is considered to be more recent and is accepted.

    If the receiving switch's revision number is higher than that of the incoming advertisement, the incoming advertisement is considered out-of-date and is therefore ignored.

    Note what that rule does not check: the contents. A switch with a higher revision number, the right domain name and the right password (if one is set) replaces the VLAN database of every server and client in the domain, even if its own database holds nothing but VLAN 1 - and with VTP versions 1 and 2 this happens whether that switch is a server or a client. The classic way to trigger it is to plug in a switch that was used in another network with the same domain name; if its revision number is higher, VLANs disappear across the domain and every port assigned to a deleted VLAN goes inactive. Before connecting a switch to an existing VTP domain, check its revision number with show vtp status and reset it to zero by changing the VTP domain name (or by putting the switch into transparent mode and back).

    If you want to authenticate VTP updates, you can do so with the vtp password command. This password is case-sensitive and needs to be set on every VTP switch in the domain.

    SW1(config)#vtp password CCNA
    Setting device VLAN database password to CCNA

    Although this is referred to as secure VTP and VTP Secure mode, there's very little about it that's secure. The password itself isn't sent across the trunk - it's mixed into the MD5 digest you saw in show vtp status, so a switch with the wrong password has its advertisements ignored - but on the switch itself the command show vtp password displays the password in clear text, and this password can't be encrypted with service password-encryption.

    SW1#show vtp password
    VTP Password: CCNA

    SW1(config)#service password-encryption

    SW1#show vtp password
    VTP Password: CCNA
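    The revision-number rule and the password check together decide which advertisements a switch accepts, and the two sections above describe both. Here is a model of that decision, an added example written for this page and not Cisco code or anything from the original guide. The switch names, VLANs and revision numbers are constructed; the digest function is a stand-in that only preserves the property the text relies on (a wrong password makes the digest fail), not the real VTP field layout.

```python
import hashlib
from dataclasses import dataclass, field


def vtp_digest(password, domain, revision, vlans):
    """Stand-in for the MD5 digest in a VTP summary advertisement.

    Real VTP hashes the password (the "secret") together with the advertised
    VLAN database; the exact byte layout is not reproduced here (assumption:
    password | domain | revision | sorted VLAN list). Only the property that a
    switch with the wrong password produces a digest nobody else accepts matters.
    """
    material = f"{password}|{domain}|{revision}|{sorted(vlans.items())}".encode()
    return hashlib.md5(material).hexdigest()


@dataclass
class SummaryAd:
    domain: str
    revision: int
    vlans: dict
    digest: str


@dataclass
class VtpSwitch:
    name: str
    domain: str
    mode: str = "server"                 # server | client | transparent
    password: str = ""
    revision: int = 0
    vlans: dict = field(default_factory=lambda: {1: "default"})
    log: list = field(default_factory=list)

    def add_vlan(self, vid, name):
        if self.mode == "client":
            raise PermissionError("VTP VLAN configuration not allowed when device is in CLIENT mode.")
        self.vlans[vid] = name
        if self.mode == "server":
            self.revision += 1           # every database change bumps the revision
        # transparent: local change only, nothing advertised, revision untouched

    def advertise(self):
        return SummaryAd(self.domain, self.revision, dict(self.vlans),
                         vtp_digest(self.password, self.domain, self.revision, self.vlans))

    def receive(self, ad):
        """The acceptance rule: same domain, digest checks out, revision strictly higher."""
        if self.mode == "transparent" or ad.domain != self.domain:
            self.log.append(f"{self.name}: ignored, transparent mode or domain mismatch")
            return False
        if ad.digest != vtp_digest(self.password, ad.domain, ad.revision, ad.vlans):
            self.log.append(f"{self.name}: ignored, MD5 digest mismatch (password differs)")
            return False
        if ad.revision <= self.revision:
            self.log.append(f"{self.name}: ignored, rev {ad.revision} <= local rev {self.revision}")
            return False
        # Higher revision wins, whatever it contains. Nothing below looks at the VLANs.
        self.vlans = dict(ad.vlans)
        self.revision = ad.revision
        self.log.append(f"{self.name}: accepted rev {ad.revision}, now {len(self.vlans)} VLANs")
        return True

    def reset_revision(self):
        """What changing the domain name (or passing through transparent mode) does."""
        self.revision = 0


def demo():
    sw1 = VtpSwitch("SW1", "CCNA", password="CCNA")
    sw2 = VtpSwitch("SW2", "CCNA", mode="client", password="CCNA")
    for vid, name in ((10, "Sales"), (20, "Eng"), (30, "Acct")):
        sw1.add_vlan(vid, name)
    sw2.receive(sw1.advertise())                       # SW2 learns 4 VLANs at rev 3
    # A switch with the wrong password is ignored regardless of its revision number.
    rogue = VtpSwitch("Rogue", "CCNA", password="wrong", revision=50)
    rogue_ok = sw1.receive(rogue.advertise())
    # A switch reused from another lab: right domain, right password, higher revision,
    # and a database holding only VLAN 1. It wins, and SW1 then passes the damage to SW2.
    stale = VtpSwitch("LabSW", "CCNA", password="CCNA", revision=7)
    stale_ok = sw1.receive(stale.advertise())
    sw2.receive(sw1.advertise())
    return {
        "rogue_accepted": rogue_ok,
        "stale_accepted": stale_ok,
        "sw1": (sw1.revision, sorted(sw1.vlans)),
        "sw2": (sw2.revision, sorted(sw2.vlans)),
    }
```

    After demo() runs, both switches are at revision 7 with only VLAN 1 left. Calling reset_revision() on the reused switch before it is connected is the step that prevents this; the password only keeps out a switch that does not know it.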

    VTP Pruning

    Trunk ports belong to all VLANs, which leads to an issue involving broadcasts and multicasts. A trunk port will forward broadcasts and multicasts for all VLANs it knows about, regardless of whether the remote switch actually has ports in that VLAN!

    In the following example, VTP allows both switches to know about VLANs 2 - 19, even though neither switch has ports in all those VLANs. Since a trunk port belongs to every VLAN, they both forward broadcasts and multicasts for all those VLANs. Both switches are transmitting and receiving broadcasts and multicasts that they do not need, since the only VLANs they have in common are VLANs 10 and 11.


    Configuring VTP Pruning allows the switches to send broadcasts and multicasts to a remote switch only if the remote switch actually has ports that belong to that VLAN. This simple configuration will prevent a great deal of unnecessary traffic from crossing the trunk.

    The command vtp pruning enables pruning for all VLANs in the VTP domain. All VLANs from 2 - 1001 are eligible to be pruned. The reserved VLANs you see in show vlan brief - VLAN 1 and VLANs 1002 - 1005 - cannot be pruned. You cannot enable pruning on a VTP client.

    SW1(config)#vtp pruning
    Cannot modify pruning unless in VTP server mode
    SW1(config)#vtp mode server
    Setting device to VTP SERVER mode
    SW1(config)#vtp pruning
    Pruning switched on

    As a result of VTP pruning, only broadcasts and multicasts for the VLANs actually needed by the remote switch will be sent across the trunk. In this case, each switch will now send broadcasts and multicasts across the trunk only if they're intended for VLANs 10 and 11.

    Verify VTP pruning has been enabled with show vtp status.

    SW1#show vtp status
    VTP Version                     : 2
    Configuration Revision          : 1
    Maximum VLANs supported locally : 64
    Number of existing VLANs        : 5
    VTP Operating Mode              : Server
    VTP Domain Name                 :
    VTP Pruning Mode                : Enabled
    VTP V2 Mode                     : Disabled
    VTP Traps Generation            : Disabled

    "Router On A Stick"

    We have two options for configuring interVLAN communication:

    Using an L3 switch
    Configuring "router on a stick" (ROAS)

    L3 switches are becoming more and more prevalent in today's networks, and as a CCNA you should know that an L3 switch doesn't require an outside device to allow interVLAN communication. You're very likely to see ROAS configs on your CCNA exam, though, and let's face it - we can't just tear out a client's L2 switch and replace it with an L3 switch just because we want to!

    We'll first go through a ROAS configuration with the following network, and then we'll take a detailed look at troubleshooting. Once this config is up and running, you can leave it alone for months or years, but there are quite a few details that we need to watch to get it up and running!

    Here's the network:

    Right away, we've got a few important details to take note of:

    As expected, the switch ports connected to the hosts are access ports.
    The switch port connected to the router must be trunking, and the trunking protocol (ISL or dot1q) must be the same as that used by the router.
    The router must use a Fast Ethernet port for ROAS. A regular (10 Mbps) Ethernet port will not suffice. (Gigabit Ethernet, or 1000 Mbps Ethernet, is great, too, but you probably won't have a spare Gig Ethernet port.)

    Let's verify those VLAN memberships:

    SW1#show vlan brief

    VLAN Name                             Status    Ports
    ---- -------------------------------- --------- -------------------------------
    1    default                          active    Fa0/3, Fa0/5, Fa0/6, Fa0/7
                                                    Fa0/8, Fa0/9, Fa0/10, Fa0/11
                                                    Fa0/12, Fa0/13, Fa0/14, Fa0/15
                                                    Fa0/16, Fa0/17, Gi0/2
    2    VLAN0002                         active    Fa0/2
    4    VLAN0004                         active    Fa0/4

    Looks good. Since port Fa0/1 is trunking, we will not see it in that output; instead, we'll run show interface trunk.

    SW1#show interface trunk

    Port      Mode         Encapsulation  Status        Native vlan
    Fa0/1     on           isl            trunking      1

    That port is up and trunking with ISL encapsulation. Let's move up to the router and begin the configuration. The next important detail is that the Fast Ethernet port on the router will be using subinterfaces, and we'll use two commands on each subinterface:

    the encapsulation command, matching the encap type set on the connecting switch's trunk port

    an appropriate IP address for the VLAN indicated by the encapsulation command

    Sounds complicated, but it's not. However, you have to use the encapsulation command first. If you try to apply an IP address onto the subinterface first, here's the message you get.

    R1(config)#int fast 0/0.2
    R1(config-subif)#ip address 172.12.2.1 255.255.255.0
    % Configuring IP routing on a LAN subinterface is only allowed if that
    subinterface is already configured as part of an IEEE 802.10, IEEE 802.1Q,
    or ISL vLAN.

    So let's do just that, and then apply the IP address.

    R1(config-subif)#encapsulation isl 2
    R1(config-subif)#ip address 172.12.2.1 255.255.255.0

    Let's use IOS Help to look at the options we had for the encapsulation command, and just why that number "2" is there.

    R1(config)#int fast 0/0.2
    R1(config-subif)#encapsulation ?
      dot1Q  IEEE 802.1Q Virtual LAN
      isl    Inter Switch Link - Virtual LAN encapsulation

    R1(config-subif)#encapsulation isl ?
      Virtual LAN Identifier.

    R1(config-subif)#encapsulation isl 2
    R1(config-subif)#ip address 172.12.2.1 255.255.255.0

    The IP address must come from the address space of the VLAN we indicate with the encapsulation command. This subinterface will be part of VLAN 2, so we had to put an IP address from the 172.12.2.0 /24 subnet on it. Where did I get that IP range? Check the IP address of the host that's already in VLAN 2.

    That's probably the most common error in a ROAS configuration. Make sure you have the right VLAN ID associated with the appropriate IP address on the router subinterfaces!

    Now let's configure a subinterface to be part of VLAN 4. That subinterface will need an IP address from the 172.12.4.0 /24 subnet.

    R1(config-subif)#int fast 0/0.4
    R1(config-subif)#encap isl 4
    R1(config-subif)#ip address 172.12.4.1 255.255.255.0

    When you're done, don't forget to open the physical interface!

    R1(config-subif)#int fast 0/0
    R1(config-if)#no shut
    R1(config-if)#^Z
    R1#wr
    Building configuration...
    [OK]
    R1#
    *Nov 27 04:35:52.171: %SYS-5-CONFIG_I: Configured from console by console
    *Nov 27 04:35:53.675: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up
    *Nov 27 04:35:54.871: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up


    I'll run show interface fast 0/0.2 to see what we can see!

    R1#show interface fast 0/0.2
    FastEthernet0/0.2 is up, line protocol is up
      Hardware is AmdFE, address is 000a.4164.31c1 (bia 000a.4164.31c1)
      Internet address is 172.12.2.1/24
      MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
         reliability 255/255, txload 1/255, rxload 1/255
      Encapsulation ISL Virtual LAN, Color 2.
      ARP type: ARPA, ARP Timeout 04:00:00
      Last clearing of "show interface" counters never

    The encapsulation type is listed along with the VLAN number - that's behind the interesting term "Color". We'll verify fast 0/0.4 as well.

    R1#show interface fast 0/0.4
    FastEthernet0/0.4 is up, line protocol is up
      Hardware is AmdFE, address is 000a.4164.31c1 (bia 000a.4164.31c1)
      Internet address is 172.12.4.1/24
      MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
         reliability 255/255, txload 1/255, rxload 1/255
      Encapsulation ISL Virtual LAN, Color 4.
      ARP type: ARPA, ARP Timeout 04:00:00
      Last clearing of "show interface" counters never

    At this point, the default gateway on the hosts must be set to the appropriate subinterface IP address on the router. If you have an IP address assigned to the switch - remember, we can apply an IP address to the switch's VLAN 1 interface to make remote management possible - do not use that IP address. Always use the appropriate IP address from the router's subinterfaces as the default gateway for each host.

    For our host in VLAN 2, that address is the router subinterface's IP address in the VLAN 2 address space, and for the VLAN 4 host it's the subinterface's IP address in VLAN 4.

    And of course, the final test - do we now have interVLAN communication? From Host 4, let's ping the following three addresses:

    Host 4's own default gateway, 172.12.4.1
    Host 2's default gateway, 172.12.2.1
    Host 2, 172.12.2.2

    Host4#ping 172.12.4.1

    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 172.12.4.1, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/4 ms

    Host4#ping 172.12.2.1

    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 172.12.2.1, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

    Host4#ping 172.12.2.2

    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 172.12.2.2, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/4 ms

    All three are successful! Let's ping the following three destinations from Host 2:

    Host 2's own default gateway, 172.12.2.1
    Host 4's default gateway, 172.12.4.1
    Host 4, 172.12.4.4

    Host2#ping 172.12.2.1

    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 172.12.2.1, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

    Host2#ping 172.12.4.1

    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 172.12.4.1, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

    Host2#ping 172.12.4.4

    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 172.12.4.4, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

    Success! If you have connectivity issues from one host to another after configuring ROAS, you should follow that order - always ping your local host's default gateway first. If you can't ping that, there's no way you can ping the other two!

    ROAS does work beautifully, but as you now know, there are quite a few details toattend to. I'll list those here and then we'll look at some common misconfigurations.

    The Router:

    The port must be a Fast Ethernet port. An Ethernet port won't do the job. You can create Ethernet subinterfaces, but the encapsulation command will not be recognized.

    R3(config)#interface e0.12
    R3(config-subif)#encapsulation ?
    % Unrecognized command

    Subinterfaces must be configured on the FE port.

    The trunking protocol configured on the router's subinterfaces must match that of the trunk port connected to that router.

    The IP address configured on a subinterface must be part of the subnet used by the VLAN indicated in the encapsulation command. For example, the following config required an IP address from VLAN 2's address space since the encapsulation command is configured with a VLAN ID tag of 2.

    R1(config)#int fast 0/0.2
    R1(config-subif)#encapsulation ?
      dot1Q  IEEE 802.1Q Virtual LAN
      isl    Inter Switch Link - Virtual LAN encapsulation

    R1(config-subif)#encapsulation isl ?
      Virtual LAN Identifier.

    R1(config-subif)#encapsulation isl 2
    R1(config-subif)#ip address 172.12.2.1 255.255.255.0


    The Switch:

    The switch port connected to the router must be trunking.

    The trunking protocol in use (ISL or dot1q) must match the one in use on the router's subinterfaces.

    Naturally, the ports leading to the hosts must be access ports.

    The Hosts:

    Each host should have its default gateway set to the IP address on the routersubinterface that is part of that VLAN's address space.

    ROAS FSC (Frequently Screwed-up Configurations)

    I think you'll agree with me that the ROAS config is very straightforward, but it is commonly misconfigured. Since there's not much to configure in the first place, the misconfiguration is pretty easy to spot!

    Since we perform most of the ROAS config on the router, we tend to concentrate on the router config when we have a problem. What we have to keep in mind with ROAS troubleshooting is that the problem might not be on the router - it might be on the hosts, or even the switch!

    Frequent ROAS Misconfig #1: Wrong Default Gateway Settings

    If you spotted that right away, nice work! The default gateway settings on the hostsare backwards. The default gateway address must always be in the same subnetas the host's IP address.

    Frequent ROAS Misconfig #2: Router IP Addresses & VLAN IDs Do Not Match Up

    R1 Config:

    interface FastEthernet0/0
     no ip address
     duplex auto
     speed auto
    !
    interface FastEthernet0/0.2
     encapsulation isl 2
     ip address 172.12.4.1 255.255.255.0
     no ip redirects
     no snmp trap link-status
    !
    interface FastEthernet0/0.4
     encapsulation isl 4
     ip address 172.12.2.1 255.255.255.0
     no ip redirects
     no snmp trap link-status

    This is one of the two most common ROAS misconfigs. An IP address from VLAN 2's subnet has been applied to the subinterface with the VLAN 4 ID, and vice versa. With that config, neither host will even be able to ping its own default gateway: Host 4 ARPs for 172.12.4.1 inside VLAN 4, and the only router subinterface listening in VLAN 4 doesn't own that address.

    Host4#ping 172.12.4.1

    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 172.12.4.1, timeout is 2 seconds:
    .....
    Success rate is 0 percent (0/5)

    Host2#ping 172.12.2.1

    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 172.12.2.1, timeout is 2 seconds:
    .....
    Success rate is 0 percent (0/5)

    ROAS troubleshooting can be a little tricky without a structured approach, so I suggest the approach I've always used:

    1. Always check the default gateway settings on the hosts first.
    2. Make sure the port leading to the router is trunking.
    3. On the router, make sure the IP address assigned to each subinterface is from the subnet assigned to the VLAN that's assigned to that subinterface.

    Follow those three tips and you'll configure and troubleshoot ROAS successfullyevery time!
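    Those three tips are mechanical enough to run as a script against a saved router config and a list of hosts. What follows is an added example written for this page, not Cisco code or anything from the original guide. The router config is the swapped-address Misconfig #2 from above; the host table combines it with the wrong gateway of Misconfig #1, and assumes Host 2 is 172.12.2.2 and Host 4 is 172.12.4.4, as in the ping tests. Tip 2 (is the switch port trunking with the same encapsulation?) is represented by comparing the router's encapsulation with what show interface trunk reported on the switch.

```python
import ipaddress
import re

# Constructed inputs, see the lead-in. Wrong on purpose: the subinterface
# addresses are swapped and Host 4 points at VLAN 2's gateway.
ROUTER_CONFIG = """\
interface FastEthernet0/0
 no ip address
!
interface FastEthernet0/0.2
 encapsulation isl 2
 ip address 172.12.4.1 255.255.255.0
!
interface FastEthernet0/0.4
 encapsulation isl 4
 ip address 172.12.2.1 255.255.255.0
"""

VLAN_SUBNETS = {          # the subnet the design assigns to each VLAN
    2: ipaddress.ip_network("172.12.2.0/24"),
    4: ipaddress.ip_network("172.12.4.0/24"),
}

HOSTS = {                 # host -> (VLAN, IP address, configured default gateway)
    "Host2": (2, "172.12.2.2", "172.12.2.1"),
    "Host4": (4, "172.12.4.4", "172.12.2.1"),   # wrong: gateway from VLAN 2
}

SWITCH_TRUNK_ENCAP = "isl"   # from 'show interface trunk' on the switch port facing R1


def parse_subinterfaces(config):
    """Return {vlan_id: (encapsulation, ip_interface)} for each ROAS subinterface."""
    result, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            m = re.match(r"interface (\S+\.\d+)$", line)
            current = {"name": m.group(1)} if m else None     # only subinterfaces matter
            continue
        if current is None:
            continue
        m = re.match(r"encapsulation (dot1[qQ]|isl) (\d+)", line)
        if m:
            current["encap"], current["vlan"] = m.group(1).lower(), int(m.group(2))
            continue
        m = re.match(r"ip address (\S+) (\S+)", line)
        if m and "vlan" in current:      # IOS only accepts the address once the encap is set
            iface = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
            result[current["vlan"]] = (current["encap"], iface)
    return result


def check_roas(config, vlan_subnets, hosts, trunk_encap):
    """Apply the three troubleshooting tips; an empty list means nothing was found."""
    findings = []
    # Tip 1: every host's address and default gateway must sit in that host's own subnet.
    for host, (vlan, ip, gw) in hosts.items():
        net = vlan_subnets[vlan]
        if ipaddress.ip_address(ip) not in net:
            findings.append(f"{host}: address {ip} is not in VLAN {vlan} subnet {net}")
        if ipaddress.ip_address(gw) not in net:
            findings.append(f"{host}: gateway {gw} is not in VLAN {vlan} subnet {net}")
    subifs = parse_subinterfaces(config)
    for vlan, net in vlan_subnets.items():
        if vlan not in subifs:
            findings.append(f"VLAN {vlan}: no router subinterface carries this VLAN")
            continue
        encap, iface = subifs[vlan]
        # Tip 2: the encapsulation on the router must match the switch's trunk.
        if encap != trunk_encap:
            findings.append(f"VLAN {vlan}: router uses {encap}, switch trunk uses {trunk_encap}")
        # Tip 3: the subinterface address must come from the VLAN's own subnet.
        if iface.network != net:
            findings.append(f"VLAN {vlan}: {iface} is not in {net}")
    return findings
```

    Run against the constructed inputs, check_roas() reports Host 4's gateway and both swapped subinterface addresses; with the addresses swapped back and Host 4 pointed at 172.12.4.1, it reports nothing.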

    Rapid Spanning Tree Protocol

    So you understand STP, and you've got all those STP features down - and now here's another kind of STP! Specifically, it's RSTP, or Rapid Spanning Tree Protocol. RSTP is defined by IEEE 802.1w, and is considered an extension of IEEE 802.1D, the formal name of STP.

    Where does the "rapid" part come in? Isn't STP rapid enough?

    Well ... not really. The 30-second delay caused by the listening and learning states during STP convergence was once considered an acceptable delay. Then again, a floppy disk used to be considered all the storage space anyone would ever need, and that theory didn't exactly stand the test of time!

    Root bridges are still elected with RSTP, but the port roles themselves are different between STP and RSTP. Let's take a look at the RSTP port roles in the following three-switch network, where SW1 is the root.

    We'll use the same switched network we used in the STP discussion, with one exception - there's a hub on SW3. And you just know it's gotta be there for a reason! And just to complicate things, we've got two physical connections from SW3 to the hub. (Actually, I put it there to illustrate an RSTP port state.)

    RSTP uses the root port in the same fashion that STP does. Every nonroot switch will select a root port, and this port is the one with the lowest root path cost. Assuming all links in this network are running at the same speed, SW2 and SW3 will both select the port directly connected to SW1 as their root ports. As with STP, there will be no root port on a root bridge.

    An RSTP designated port is the port on a segment with the best root path cost. Just as with STP, all the ports on the root bridge will be DPs. We'll assume SW3 has the DP for the segment connecting it to SW2.


    At this point, you're probably wondering what the real differences between STP andRSTP are! Here's one - RSTP's equivalent to an STP blocked port is an alternateport. In this segment, SW2's port leading to SW3 is an alternate port.

    In this network, SW3 has two separate ports on the same physical segment. Oneport will be the designated port for that segment, and the other port will become thebackup port. This port gives a redundant path to that segment.

    The only time you'll see a backup port is when a switch has two connections to thesame segment. You don't see this terribly often, but you do see it!

The "rapid" in RSTP comes in with the new port states. The STP port states disabled, blocking, and listening are combined into the RSTP port state discarding, which is the initial RSTP port state. A discarding port neither forwards frames nor learns MAC addresses.

RSTP ports transition from the discarding state to the learning state, where incoming frames are still discarded. However, the switch is now learning MAC addresses from them.

Finally, an RSTP port will transition to the forwarding state, which is the same as the STP forwarding state.

    Let's compare the transition states:


    STP: disabled > blocking > listening > learning > forwarding

    RSTP: discarding > learning > forwarding

There are other port types unique to RSTP. You know what a root port is, but RSTP also has edge ports and point-to-point ports. An edge port is just what it sounds like - a port on the edge of the network. In this case, it's a switch port that is connected to a single host, most likely an end user's PC. An edge port will operate just like an STP port that is running Portfast: it goes straight to forwarding, and it loses its edge status the moment a BPDU arrives on it.

A point-to-point port is any port that is connected to another switch and is running in full-duplex mode. (A half-duplex port is treated as a shared segment, which is where backup ports come from.)

    Edge Ports And RSTP Topology Changes

Edge ports play a role in when RSTP considers a topology change to have taken place. Rather, I should say that they don't play a role, because RSTP considers a topology change to have taken place when a port moves into Forwarding mode - unless that port is an edge port.

When an edge port moves into Forwarding mode, RSTP doesn't consider that a topology change, since only a single host will be connected to that particular port.

Another major difference between STP and RSTP is the way BPDUs are handled. With STP, only the root bridge originates BPDUs every two seconds; the nonroot bridges simply forward, or relay, that BPDU when they receive it.

RSTP-enabled switches generate their own BPDU every two seconds, regardless of whether they have received a BPDU from the root switch or not. (The default value of hello time, the interval at which switches send BPDUs, is two seconds in both STP and RSTP.)

This change not only allows all switches in the network to have a role in detecting link failures, but discovery of link failures is faster. Why? Because every switch expects to see a BPDU from its neighbor every two seconds, and if three consecutive BPDUs are missed, the link is considered down. The switch then immediately ages out all information concerning that port. This cuts the error detection process from 20 seconds in STP to 6 seconds in RSTP.

    Let's compare STP and RSTP and their link failure detection times.

When a switch running STP stops receiving BPDUs, the MaxAge timer, which is restarted by every BPDU received, is allowed to run out. This timer dictates how long the switch will retain the last BPDU before timing it out and beginning the STP recalculation process. By default, MaxAge is 20 seconds.

When a switch running RSTP misses three consecutive BPDUs, it will immediately age out the superior BPDU's information and begin the recalculation process. Since the default hello time is 2 seconds for both STP and RSTP, it takes an RSTP-enabled switch only 6 seconds overall to determine that a link to a neighbor has failed.

    That's where the "rapid" part comes in!
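Here is what the BPDU fields and the "superior BPDU" comparison discussed above look like in code. This is an added example, not part of the study guide: a Python parser for 802.1D configuration BPDUs and 802.1w RST BPDUs (the LLC header and fixed field layout from the standards), plus the root election rule (lowest Bridge ID, priority before MAC) and the priority-vector comparison that root and designated port selection are built on. The frames are constructed inside the block; the two MAC addresses are the ones from the show spanning-tree output later in this chapter, and helper names such as make_bid, parse_bpdu and is_superior are my own.

```python
"""Parse 802.1D configuration / 802.1w RST BPDUs and apply the superior-BPDU rule.

Added example, not code from the study guide. The BPDU frames are constructed here;
only the two MAC addresses are taken from the guide's show spanning-tree output.
"""
import struct
from dataclasses import dataclass

LLC_STP = b"\x42\x42\x03"                  # DSAP 0x42, SSAP 0x42, UI control field
CFG_FMT = "!HBBB8sI8sHHHHH"                # 35-byte body shared by config and RST BPDUs
TYPE_CONFIG, TYPE_TCN, TYPE_RST = 0x00, 0x80, 0x02
RSTP_ROLES = {0: "unknown", 1: "alternate/backup", 2: "root", 3: "designated"}


@dataclass(frozen=True)
class Bpdu:
    version: int          # 0 = 802.1D STP, 2 = 802.1w RSTP
    bpdu_type: int
    flags: int
    root_id: bytes        # 8 bytes: priority + sys-id-ext, then MAC
    root_path_cost: int
    bridge_id: bytes
    port_id: int          # high byte port priority (128), low byte port number
    max_age: float        # seconds; the wire encoding is in 1/256 s units
    hello_time: float
    forward_delay: float


def make_bid(priority: int, vlan: int, mac: str) -> bytes:
    """Bridge ID with the extended system ID: 4-bit priority, 12-bit VLAN, 48-bit MAC."""
    if priority % 4096 or not 0 <= priority <= 61440:
        raise ValueError("priority must be a multiple of 4096 between 0 and 61440")
    return struct.pack("!H", priority | vlan) + bytes.fromhex(mac.replace(".", ""))


def build_bpdu(version, bpdu_type, flags, root_id, cost, bridge_id, port_id,
               max_age=20, hello=2, fwd_delay=15, msg_age=0) -> bytes:
    """Constructed LLC + BPDU payload in the layout a switch puts on the wire."""
    body = struct.pack(CFG_FMT, 0, version, bpdu_type, flags, root_id, cost, bridge_id,
                       port_id, int(msg_age * 256), int(max_age * 256),
                       int(hello * 256), int(fwd_delay * 256))
    if version >= 2:
        body += b"\x00"                    # Version 1 Length field of an RST BPDU
    return LLC_STP + body


def parse_bpdu(payload: bytes) -> Bpdu:
    if not payload.startswith(LLC_STP):
        raise ValueError("not an STP LLC frame")
    body = payload[3:]
    if len(body) < 4 or body[:2] != b"\x00\x00":
        raise ValueError("bad protocol identifier")
    version, bpdu_type = body[2], body[3]
    if bpdu_type == TYPE_TCN:              # TCN BPDUs carry no IDs, costs or timers
        return Bpdu(version, bpdu_type, 0, b"", 0, b"", 0, 0.0, 0.0, 0.0)
    if len(body) < struct.calcsize(CFG_FMT):
        raise ValueError("truncated configuration BPDU")
    (_, version, bpdu_type, flags, root_id, cost, bridge_id, port_id,
     _msg_age, max_age, hello, fwd) = struct.unpack(CFG_FMT, body[:35])
    return Bpdu(version, bpdu_type, flags, root_id, cost, bridge_id, port_id,
                max_age / 256, hello / 256, fwd / 256)


def describe_bid(bid: bytes) -> str:
    """Render a Bridge ID the way show spanning-tree does."""
    prio = struct.unpack("!H", bid[:2])[0]
    mac = bid[2:].hex()
    return "priority %d (priority %d sys-id-ext %d) address %s.%s.%s" % (
        prio, prio & 0xF000, prio & 0x0FFF, mac[0:4], mac[4:8], mac[8:12])


def rstp_flags(bpdu: Bpdu) -> dict:
    """Decode the flags byte: 802.1D uses only TC (bit 0) and TCA (bit 7);
    802.1w adds proposal, port role, learning, forwarding and agreement."""
    f = {"topology_change": bool(bpdu.flags & 0x01), "tc_ack": bool(bpdu.flags & 0x80)}
    if bpdu.version >= 2:
        f.update(proposal=bool(bpdu.flags & 0x02),
                 port_role=RSTP_ROLES[(bpdu.flags >> 2) & 0x3],
                 learning=bool(bpdu.flags & 0x10),
                 forwarding=bool(bpdu.flags & 0x20),
                 agreement=bool(bpdu.flags & 0x40))
    return f


def priority_vector(bpdu: Bpdu) -> tuple:
    """Lower wins: root ID, then root path cost, then sender bridge ID, then port ID."""
    return (bpdu.root_id, bpdu.root_path_cost, bpdu.bridge_id, bpdu.port_id)


def is_superior(a: Bpdu, b: Bpdu) -> bool:
    """True if BPDU a would replace BPDU b as the information stored on a port."""
    return priority_vector(a) < priority_vector(b)


def elect_root(bridge_ids) -> bytes:
    """The root bridge is the lowest Bridge ID; priority is compared before the MAC."""
    return min(bridge_ids)


# Constructed sample: the root from the guide's output, and SW1 relaying the root's
# information out of its designated port Fa0/11 (port ID 128.11 = 0x800B).
ROOT_BID = make_bid(32768, 1, "000b.be2c.5180")         # shows as priority 32769
SW1_BID = make_bid(32768, 1, "000f.90e2.25c0")
root_bpdu = parse_bpdu(build_bpdu(0, TYPE_CONFIG, 0x00, ROOT_BID, 0, ROOT_BID, 0x8001))
sw1_bpdu = parse_bpdu(build_bpdu(2, TYPE_RST, 0x3C, ROOT_BID, 19, SW1_BID, 0x800B))

if __name__ == "__main__":
    print("root:", describe_bid(elect_root([ROOT_BID, SW1_BID])))
    print("SW1 flags:", rstp_flags(sw1_bpdu))
    print("root's BPDU superior to SW1's relay:", is_superior(root_bpdu, sw1_bpdu))
```

The priority vector is the whole story of STP's "superior BPDU": a lower root ID beats everything, then a lower root path cost, then a lower sender Bridge ID, then a lower port ID. That is also why a device that forges a BPDU with a priority of 0 would be elected root by every switch that accepts BPDUs from it, which is the reason edge ports are expected never to see a BPDU at all.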

    Per-VLAN Spanning Tree

Per-VLAN Spanning Tree Plus (PVST+) is just what it sounds like - every VLAN has its own instance of STP running. PVST+ allows per-VLAN load balancing and is also Cisco-proprietary.

The "+" has been left off this acronym for so long that it's generally just referred to as "PVST" today. PVST is actually the version of STP that we've been running during the entire switching section of the course - Cisco Catalyst switches run PVST by default. You'll see many of the benefits of PVST in future studies, but just to mention one - PVST makes it possible to load-balance on a per-VLAN basis. Let's take a quick look as to when that might come in handy using a two-switch example.

We know that we'll have one root bridge selected; we'll assume it's the one on the right. We also know that the non-root bridge will select one root port, and the other port leading to the root bridge will go into blocking mode. If we have 50 VLANs in this network, traffic for all 50 VLANs will go over one of the two available links while the other remains totally idle.

That's not an efficient use of available resources! With PVST, we can fine-tune the port costs on a per-VLAN basis to enable one port to be selected as the root port for half of the VLANs, and the other port to be selected as the root port for the other half. That's per-VLAN load balancing!

We've got another option for better utilization of multiple trunk links - an Etherchannel.

    Etherchannels

An Etherchannel is the logical bundling of two to eight parallel Ethernet links between the same two devices (here, trunks). This bundling of links is also referred to as link aggregation. It provides greater throughput, and is another effective way to avoid the wait of up to 50 seconds (MaxAge plus listening plus learning) before a blocked port can take over after a link failure.

Spanning-Tree Protocol (STP) considers an Etherchannel to be one link. If one of the physical links making up the logical Etherchannel should fail, there is no STP reconfiguration, since STP doesn't know the physical link went down. STP sees only the Etherchannel, and a single link failure will not bring an Etherchannel down.

In this example, we have two switches connected by three separate crossover cables.

We'll verify the connections with show interface trunk and then run show spanning-tree vlan 1.

    SW1#show interface trunk

    Port      Mode         Encapsulation  Status        Native vlan
    Fa0/10    desirable    802.1q         trunking      1
    Fa0/11    desirable    802.1q         trunking      1
    Fa0/12    desirable    802.1q         trunking      1

    SW1#show spanning-tree vlan 1

    VLAN0001
      Spanning tree enabled protocol ieee
      Root ID    Priority    32769
                 Address     000b.be2c.5180
                 Cost        19
                 Port        10 (FastEthernet0/10)
                 Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

      Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
                 Address     000f.90e2.25c0
                 Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
                 Aging Time 15

    Interface        Role Sts Cost      Prio.Nbr Type
    ---------------- ---- --- --------- -------- ------------------------
    Fa0/10           Root FWD 19        128.10   P2p
    Fa0/11           Altn BLK 19        128.11   P2p
    Fa0/12           Altn BLK 19        128.12   P2p

We know this is not the root switch, because...

 - there's no "This bridge is the root" message
 - there is a root port, which is forwarding

So right now, we have three physical connections between the two switches, and only one of them is actually in use. That's a waste of bandwidth! Additionally, if the root port goes down, we're in for a delay while one of the other two ports comes out of blocking mode and through listening and learning mode on the way to forwarding.

Both of these issues can be addressed by configuring an Etherchannel. By combining the three physical ports into a single logical link, not only is the bandwidth of the three links combined, but the failure of a single link will not force STP to recalculate the spanning tree.

Ports are placed into an Etherchannel with the channel-group command. Naturally, the channel group must be the same on all interfaces that will be part of that particular Etherchannel, and the member ports must have matching speed, duplex, and trunking settings. Here's the configuration, and this is a great chance to practice our interface range command! (Nothing wrong with configuring each port individually, but this command saves time - on the job and in the exam room!)

One caveat on mode on: it bundles the ports unconditionally, with no PAgP or LACP negotiation. If the other end is not configured the same way, one switch sees a single bundle while the other sees three independent links, and you can end up with exactly the switching loop the Etherchannel was supposed to prevent.

    SW1(config)#interface range fast 0/10 - 12
    SW1(config-if-range)#channel-group 1 mode on
    Creating a port-channel interface Port-channel 1

    00:33:57: %LINK-3-UPDOWN: Interface Port-channel1, changed state to up
    00:33:58: %LINEPROTO-5-UPDOWN: Line protocol on Interface Port-channel1, changed state to up

    SW2(config)#int range fast 0/10 - 12
    SW2(config-if-range)#channel-group 1 mode on
    Creating a port-channel interface Port-channel 1

    00:47:36: %LINK-3-UPDOWN: Interface Port-channel1, changed state to up
    00:47:37: %LINEPROTO-5-UPDOWN: Line protocol on Interface Port-channel1, changed state to up

After configuring an Etherchannel on each switch with the interface-level command channel-group, the output of show interface trunk and show spanning-tree vlan 1 verifies that STP now sees the three physical links as one logical link - the virtual interface port-channel 1 ("Po1").

Note that the Etherchannel's cost is 9, instead of 19. This lower cost reflects the increased bandwidth of the Etherchannel (300 Mbps) as compared to a single 100 Mbps physical connection.

    SW1#show interface trunk

    Port      Mode         Encapsulation  Status        Native vlan
    Po1       desirable    802.1q         trunking      1

    SW1#show spanning vlan 1

    Interface        Role Sts Cost      Prio.Nbr Type
    ---------------- ---- --- --------- -------- ---------------------------
    Po1              Root FWD 9         128.65   P2p

Before configuring the Etherchannel, shutting down fast0/10 would have resulted in an STP recalculation and a temporary loss of connectivity between the switches. Now that the links are bundled, I'll shut that port down and immediately run show spanning vlan 1.

    SW1(config)#int fast 0/10
    SW1(config-if)#shut

    SW1#show spanning vlan 1

    Interface        Role Sts Cost      Prio.Nbr Type
    ---------------- ---- --- --------- -------- -------------------------
    Po1              Root FWD 12        128.65   P2p

The cost is now higher (12, for 200 Mbps) since there are only two physical links bundled instead of three, but the truly important point is that STP does not consider the Etherchannel to be down and there's no loss of connectivity between our switches.

    "Hot Spots And Gotchas"

Yeah, I know it's a big chapter. But you gotta read it before you read this summary! ;) And with a chapter this big, this is just that - a summary!

    STP

    The Spanning Tree Protocol is a Layer 2 switching loop prevention protocol.

BPDUs are the heartbeat of STP, and are originated by root switches and forwarded by all other switches. No legitimate host device or router is going to send a BPDU.

The root bridge is the one with the lowest BID, and that BID is a combination of the priority and the switch's MAC address.

In Per-VLAN Spanning Tree (PVST), each VLAN will have its own root switch. Of course, if you leave things at the default, every VLAN will have the same root switch.

    The STP port states: disabled, blocking, listening, learning, forwarding.

A port begins learning MAC addresses in learning mode, and continues to do so once it's migrated to forwarding mode.


Root switches will have the phrase "This bridge is the root" in their show spanning-tree vlan output. If you don't see that phrase, the information under Root ID indicates which switch is the root.

STP convergence has occurred when the switched network is "quiet" - that is, all ports are either blocking or forwarding, with none in the intermediate states of listening and learning.

To view the MAC address table on a per-VLAN basis, run the show mac-address-table vlan command followed by the VLAN number. To see the dynamic entries only, run the show mac-address-table dynamic vlan command. An excellent troubleshooting command!

The root switch will have no blocked ports, and all of its ports will be Designated Ports (DP).

Non-root switches select their root port (RP) on the basis of path cost through each potential root port. The port with the lowest overall path cost will be the root port.

    VLANs

VLANs are used to create multiple, smaller broadcast domains. This helps to limit the scope of the broadcasts.

By default, all switch ports belong to the default VLAN, VLAN 1. VLAN 1 cannot be deleted.

By default, VLAN 1 is also the native VLAN - the one VLAN whose frames cross an 802.1Q trunk untagged. The native VLAN can be changed with the switchport trunk native vlan command, and it must match on both ends of a trunk; a mismatch lets untagged frames from one VLAN be delivered into another.

VLANs allow the restriction of access to network resources on a per-user or a per-department basis. As you'll see in a later section, access lists are great for this as well - it just depends on your network topology and your exact needs.

When moving a switch from one switched network to another, make sure to erase the VLAN database on that switch (and reload it) before putting it into the new network. That reset also returns the VTP configuration revision to 0. As a bonus for reading this section, here's how you do it:

    SW1#delete vlan.dat
    Delete filename [vlan.dat]?
    Delete flash:vlan.dat? [confirm]
    SW1#

Just hit ENTER to accept those prompts - if you type in "y" or "yes" at that first prompt, which is asking for a filename, the switch thinks you're trying to delete a file called "y" or "yes"!

    Trunking

The trunking port modes are desirable, on, off, nonegotiate, and auto.

 - Desirable - port is actively attempting to trunk with the remote port
 - Auto - port will trunk if the other port initiates the process
 - On - port has sent Dynamic Trunking Protocol frames to the remote port and is unconditionally ready to trunk
 - Nonegotiate - port has NOT sent DTP frames, and is unconditionally ready to trunk
 - Off - port is an access port and cannot trunk

Note that a port left in desirable or auto mode will form a trunk with whatever negotiates one, including a device a user plugs in. Ports that face end hosts should be hard-set to access mode (switchport mode access) with DTP turned off (switchport nonegotiate).

Even though trunk ports belong to all VLANs by default, they will not appear in the output of show vlan brief. Instead, run show interface trunk - that will display the trunking ports, their modes, and the trunking protocols in use.

    Access ports vs. Trunk ports

Access ports:

 - belong to one and only one VLAN
 - connect a host device to the switch
 - use a straight-through cable for that connection
 - literally cannot trunk

Trunk ports:

 - by default, belong to all VLANs
 - connect another switch to the local switch (or a router, in the case of router-on-a-stick)
 - can use ISL or dot1q as the trunking protocol
 - use a crossover cable for the trunk

    VTP

    VTP's purpose is to allow switches to exchange VLAN information.

    A VTP domain must have at least one VTP Server.

VTP Servers allow the deletion, creation, and modification of VLANs. These changes are advertised throughout the VTP domain.

VTP Clients cannot delete, create, or modify VLANs.

VTP Transparent switches can delete, create, and modify VLANs; however, these changes are locally significant only and are not advertised.

For switches to exchange information via VTP, they must be in the same VTP domain. The VTP domain name is case-sensitive.

You can set a VTP password, officially called "secure mode". The password itself is not sent; instead, an MD5 digest computed over the advertisement and the password is carried in the VTP advertisement, so the password must match on all switches in the VTP domain or the advertisements are ignored.

VTP Clients will both process and forward VTP summary advertisements. Only the VTP Server can originate these ads. VTP Transparent switches will forward these advertisements, but will not process them.

VTP Clients can only save their VLAN information to the running configuration; they cannot save this information in NVRAM. The Client will have to get that information from a VTP Server upon a reload of the Client.

Both VTP Server and Transparent switches save their VLAN information to NVRAM.

VTP devices keep a configuration revision number, and if a VTP ad comes in with a revision number lower than (or equal to) the receiving switch's number, that update is ignored.

If a VTP ad comes in with a revision number higher than the receiving switch's number, that update is accepted and the information in it is used to overwrite the receiving switch's VLAN database. The revision number is all that is compared, so a switch with a stale but higher revision number can wipe out every VLAN in the domain the moment it is connected. That is why the VLAN database is erased (or the VTP domain name changed, which also resets the revision to 0) before a switch joins a production domain.
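The revision-number rule above, together with the earlier tip about erasing the VLAN database before moving a switch, is easiest to appreciate by running through it. The following is an added example, not the guide's or Cisco's code: a simplified Python model of VTP server, client and transparent behaviour in which a lab switch with a stale but higher revision joins a production domain, once without and once with the revision reset. The Switch and VtpAdvert classes, the digest construction (which only mirrors the idea that a digest over the advertisement and the password travels instead of the password itself) and the scenario data are all constructed for illustration; real VTP advertisements have a different byte layout.

```python
"""Model of VTP revision handling: a stale, higher configuration revision
overwrites the VLAN database of every server and client in the domain.

Added example, not code from the study guide. Simplified model: the digest
mirrors the idea of an MD5 digest over the advertisement plus the password,
but the real VTP packet format is not reproduced.
"""
import hashlib
from dataclasses import dataclass, field


@dataclass(frozen=True)
class VtpAdvert:
    domain: str
    revision: int
    vlans: tuple          # ((vlan_id, name), ...) sorted, so the digest is stable
    digest: str           # hex MD5 over domain, revision, vlans and the password


def vtp_digest(domain: str, revision: int, vlans: tuple, password: str) -> str:
    return hashlib.md5(f"{domain}|{revision}|{vlans}|{password}".encode()).hexdigest()


@dataclass
class Switch:
    name: str
    mode: str                       # "server", "client" or "transparent"
    domain: str
    password: str = ""
    revision: int = 0
    vlans: dict = field(default_factory=lambda: {1: "default"})

    def advertise(self) -> VtpAdvert:
        vl = tuple(sorted(self.vlans.items()))
        return VtpAdvert(self.domain, self.revision, vl,
                         vtp_digest(self.domain, self.revision, vl, self.password))

    def add_vlan(self, vlan_id: int, name: str) -> None:
        """Servers and transparent switches may edit VLANs; only servers bump the revision."""
        if self.mode == "client":
            raise PermissionError(f"{self.name}: VTP clients cannot modify VLANs")
        self.vlans[vlan_id] = name
        if self.mode == "server":
            self.revision += 1

    def set_domain(self, domain: str) -> None:
        """Changing the VTP domain name resets the configuration revision to 0."""
        self.domain = domain
        self.revision = 0

    def receive(self, adv: VtpAdvert) -> str:
        if adv.domain != self.domain:
            return "ignored: different VTP domain"
        if self.mode == "transparent":
            return "forwarded, not processed"    # relayed to neighbours, never applied
        if adv.digest != vtp_digest(adv.domain, adv.revision, adv.vlans, self.password):
            return "ignored: digest mismatch (password differs)"
        if adv.revision <= self.revision:
            return f"ignored: revision {adv.revision} <= local {self.revision}"
        self.vlans = dict(adv.vlans)              # overwrite, no merge
        self.revision = adv.revision
        return f"accepted: VLAN database replaced by revision {adv.revision}"


def flood(sender: Switch, others) -> dict:
    """Every other switch in the domain sees the sender's summary advertisement."""
    adv = sender.advertise()
    return {sw.name: sw.receive(adv) for sw in others}


def vtp_bomb_scenario(reset_before_joining: bool) -> dict:
    """Constructed scenario: a lab switch at revision 50 joins a production domain at revision 3."""
    prod = Switch("PROD-SRV", "server", "CORP", password="s3cret")
    client = Switch("PROD-CLI", "client", "CORP", password="s3cret")
    trans = Switch("PROD-TRN", "transparent", "CORP", password="s3cret")
    for vid, name in ((10, "users"), (20, "servers"), (30, "voice")):
        prod.add_vlan(vid, name)
        trans.add_vlan(vid, name)
    flood(prod, [client, trans])                  # client now holds revision 3

    lab = Switch("LAB-SW", "server", "CORP", password="s3cret", revision=49)
    lab.add_vlan(99, "lab-only")                  # months of lab churn: revision 50
    if reset_before_joining:
        lab.set_domain("SCRATCH")                 # revision back to 0 before it is cabled in
        lab.set_domain("CORP")
    results = flood(lab, [prod, client, trans])
    return {"results": results, "prod_vlans": dict(prod.vlans),
            "client_vlans": dict(client.vlans), "trans_vlans": dict(trans.vlans)}


if __name__ == "__main__":
    for reset in (False, True):
        out = vtp_bomb_scenario(reset_before_joining=reset)
        print("reset first:", reset, out["results"], "production VLANs:", out["prod_vlans"])
```

Without the reset, the production server and client both accept revision 50 and are left with only VLAN 1 and VLAN 99; the transparent switch keeps its VLANs because it relays advertisements without applying them. With the reset, the lab switch advertises revision 0, which every switch ignores. A matching password is not protection against this: the lab switch in the scenario has the right password, it just has a higher number.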


    Router-On-A-Stick

The hosts must have their default gateway set to the router subinterface IP address that is part of their VLAN's address space.

The switch port leading to the router must be trunking.

ROAS is one of the two ways to allow interVLAN communication. A Layer 3 switch is the other. L3 switch configuration is not part of the CCNA or CCENT exam.

The fastethernet interface requires subinterfaces, one for each VLAN.

There will be no IP address on the physical interface.

Each subinterface must be configured with the encapsulation dot1q command reflecting the VLAN ID of that subinterface, and an IP address.


    Copyright 2011 The Bryant Advantage. All Rights Reserved.