S7C4 – VLANs

Transcript S7C4 – VLANs

VLAN Details
Problems with Layer 2 Switching
• Results in a flat network structure
– Every device is in one broadcast domain and sees every broadcast transmitted
• Security
– All users have Layer 2 reachability to all devices; nothing forces traffic through a point where it can be filtered
• Multiple paths to destinations
– Spanning tree blocks redundant paths rather than using them
– No intelligent load balancing across those paths
VLAN Characteristics
• All VLAN members are in the same broadcast domain
• Logical subnet
– Devices can be anywhere in the switch block
• Membership usually based on port number
– Can be dynamically assigned based on MAC address
• End-to-end throughout the switch fabric
– Can span several wiring closets or buildings
VLANs Solve Problems
• Efficient bandwidth utilization
– Broadcasts stay inside the VLAN; traffic between VLANs is routed by a router
• Security
– Inter-VLAN traffic is forced through the Layer 3 routing process
• Access lists can be applied at that point
• Load balancing
– Layer 3 device determines the best path
• Isolation of problem components
– Router keeps Layer 2 problems from propagating between VLANs
End-to-End VLAN
• Users grouped into VLANs independent of physical location
• All users in a VLAN have the same 80/20 traffic flow pattern (80 percent of traffic stays within the VLAN)
• As a user moves, VLAN membership remains the same
• Each VLAN has a common set of security requirements for all members
Local VLANs
• Range from a single switch in a wiring closet to an entire building
– Redundant (Layer 3) paths to destinations between switch blocks
– Maximum scalability by keeping the VLAN within a switch block
VLAN Memberships
• Static
– Port-based: assigning a port to a VLAN
• As a device enters the network, it assumes the port's VLAN
• Requires the administrator to make a port-to-VLAN assignment for the new connection when a move is made
• Dynamic
– CiscoWorks 2000 or SWSI
• As a device enters the network, the switch queries a database for its VLAN membership (keyed on the device's MAC address)
– Not covered in this course
Configuring Static VLANs
• IOS (the VLAN is created in VLAN database mode, the port is assigned in interface configuration mode)
Switch# vlan database
Switch(vlan)# vlan vl# name vlname
Switch(vlan)# exit
Switch# configure terminal
Switch(config)# interface 1/1
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan vl#
• CLI (CatOS set-based)
Switch (enable) set vlan vl# name vlname
Switch (enable) set vlan vl# mod#/portlist
Verifying VLAN Configuration
• show vlan
– Displays each VLAN number, name, status, and the ports assigned to it
VLAN Identification
• Frame tagging
– Places a unique identifier in the header of each frame
• Called the VLAN ID or "color"
• Used across the backbone (trunk links) so the receiving switch knows which VLAN the frame belongs to
• Removed before the frame is delivered out an access port; a destination host on the same switch never sees it
– VLAN hidden from the end user
Link Types
• Access
– Member of only one VLAN
• Called the port's access VLAN (these slides also call it the port's native VLAN; on 802.1Q trunks the term has the more specific meaning below)
• Can't receive traffic from another VLAN
• Requires a router to communicate with another VLAN
• Trunk
– Fast Ethernet or Gigabit Ethernet (can be aggregated)
– Can carry multiple VLANs
• Cisco ISL or IEEE 802.1Q
– Does not belong to any specific VLAN
– Does have a native VLAN: on 802.1Q the VLAN whose frames cross the trunk untagged, and the VLAN the port falls back to if trunking fails; configure the same native VLAN on both ends of a trunk
ISL and 802.1Q
• ISL
– Cisco proprietary
– Can carry Ethernet, Token Ring, FDDI
– Encapsulates the whole frame: adds a 26-byte header and a 4-byte trailer (CRC)
• 10-bit VLAN ID
• 802.1Q
– IEEE standard
– Embeds the tagging information within the frame
• Adds a 4-byte tag after the source address field
– First two bytes are 0x8100 (signifies an 802.1Q tag); the remaining two carry the priority and the 12-bit VLAN ID
• Native VLAN not encapsulated with tagging information (sent untagged)
– SAID (Security Association Identifier) – holds Cisco
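The tag layout and the native-VLAN behaviour described above, as an added example that is not part of the course material: it builds an Ethernet frame, inserts the 4-byte 802.1Q tag after the source address, parses it back out, strips it as an access port would, and shows that a trunk sends the native VLAN untagged and assigns untagged frames it receives to the native VLAN. The MAC addresses and payload are constructed sample data.

```python
"""Added example (not from the course slides): build, parse and strip IEEE 802.1Q
tags to show where the 4-byte tag sits in an Ethernet frame and how a trunk
treats the native VLAN.  Frames below are constructed sample data."""
import struct

TPID_8021Q = 0x8100       # first two bytes of the tag: "an 802.1Q tag follows"
ETHERTYPE_IPV4 = 0x0800


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    """Untagged Ethernet II frame: dst(6) | src(6) | ethertype(2) | payload."""
    return dst + src + struct.pack("!H", ethertype) + payload


def tag_frame(frame: bytes, vlan_id: int, pcp: int = 0, dei: int = 0) -> bytes:
    """Insert the 4-byte tag (TPID + TCI) directly after the source address."""
    if not 1 <= vlan_id <= 4094:          # 0 and 4095 are reserved by the standard
        raise ValueError("VLAN ID must be 1..4094")
    tci = (pcp & 0x7) << 13 | (dei & 0x1) << 12 | vlan_id   # 3-bit PCP, 1-bit DEI, 12-bit VID
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def is_tagged(frame: bytes) -> bool:
    return struct.unpack("!H", frame[12:14])[0] == TPID_8021Q


def parse_frame(frame: bytes) -> dict:
    """Decode a frame; vlan_id is None when the frame carries no tag."""
    info = {"dst": frame[:6], "src": frame[6:12], "vlan_id": None, "pcp": 0}
    offset = 12
    if is_tagged(frame):
        tci = struct.unpack("!H", frame[14:16])[0]
        info["vlan_id"] = tci & 0x0FFF
        info["pcp"] = tci >> 13
        offset = 16
    info["ethertype"] = struct.unpack("!H", frame[offset:offset + 2])[0]
    info["payload"] = frame[offset + 2:]
    return info


def untag_frame(frame: bytes) -> bytes:
    """Remove the tag (bytes 12..15) so an access-port host never sees it."""
    return frame[:12] + frame[16:] if is_tagged(frame) else frame


def trunk_egress(frame: bytes, vlan_id: int, native_vlan: int) -> bytes:
    """Sending out a trunk: the native VLAN goes untagged, all others tagged."""
    return frame if vlan_id == native_vlan else tag_frame(frame, vlan_id)


def trunk_ingress(frame: bytes, native_vlan: int) -> tuple:
    """Receiving on a trunk: an untagged frame is assigned to the native VLAN.
    Returns (vlan the frame belongs to, frame with the tag removed)."""
    vid = parse_frame(frame)["vlan_id"]
    return (native_vlan if vid is None else vid, untag_frame(frame))


if __name__ == "__main__":
    host_a = bytes.fromhex("02000000000a")          # constructed MAC addresses
    host_b = bytes.fromhex("02000000000b")
    frame = build_frame(host_b, host_a, ETHERTYPE_IPV4, b"hello from VLAN 20")
    on_wire = trunk_egress(frame, vlan_id=20, native_vlan=1)
    print(parse_frame(on_wire))                     # vlan_id 20, frame is 4 bytes longer
    print(trunk_ingress(frame, native_vlan=1))      # untagged arrival lands in VLAN 1
```

The point to take from `trunk_ingress` is that membership of an untagged frame on a trunk is decided entirely by the receiving port's native VLAN setting, which is why the native VLAN must match on both ends of the link.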
NOTES
• Dynamic Trunking Protocol – DTP
– Negotiates whether a link becomes a trunk; the encapsulation can also be manually configured as either ISL or 802.1Q
• Should be disabled if the switch has a trunk link connected to a router, because the router can't participate in DTP negotiation
• Should also be disabled on access ports, so that a connected host cannot negotiate a trunk and receive other VLANs' traffic
• Trunk Line Negotiations
– Possible only if both switches belong to the same VLAN Trunking Protocol (VTP) management domain
VLAN Trunk Configuration
• IOS (set the encapsulation before turning the port into a trunk; an interface whose encapsulation is still "auto" cannot be set to trunk mode)
Switch(config)# interface 1/3
Switch(config-if)# switchport trunk encapsulation [isl | dot1q]
Switch(config-if)# switchport mode trunk
Switch(config-if)# switchport trunk allowed vlan remove vllist
Switch(config-if)# switchport trunk allowed vlan add vllist
• CLI (CatOS set-based)
– set trunk 3/1 [on | off | desirable | auto | nonegotiate] vlan-range [isl | dot1q | lane | negotiate]
• DTP frames are sent every 30 seconds
– clear trunk 3/1 vlan-range
VTP Domains
• Management domains
– Switches in a domain advertise attributes (configuration revision number, known VLANs, VLAN parameters)
• Server mode
– Full control: can create, change and delete VLANs (default)
• Client mode
– Can't create, change or delete VLANs; learns them from advertisements
• Transparent mode
– Does not participate in VTP; does not advertise its own VLANs
Advertisements
• Management domain name
• Configuration revision number
– A switch accepts an advertisement that carries a higher revision number than its own, so a switch joining the domain with a stale but higher-numbered database can overwrite every other switch's VLAN table
• MD5 digest
– Computed over the advertised configuration and, when a password is assigned, the password, so switches that do not know the password can't inject changes
• Updater identity – the switch sending the advertisement
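How a switch acts on the advertisement fields listed above, as an added example that is not from the course: a small model of VTP server, client and transparent behaviour in which a higher configuration revision number replaces the local VLAN table and an MD5 digest that does not match the local password is rejected. The digest construction is a simplified stand-in for the real VTP digest (which covers the VLAN database and password on the wire), and the switch names, domain and VLANs are constructed sample data.

```python
"""Added example (not from the course slides): a small model of how a switch
handles a VTP summary advertisement, using the fields the slides list (domain
name, configuration revision number, MD5 digest, updater identity) and the
server/client/transparent modes.  The digest below is a simplified stand-in
for the real VTP digest; switch names and VLANs are constructed sample data."""
import hashlib
from dataclasses import dataclass, field


def vtp_digest(domain: str, revision: int, vlans: dict, password: str) -> str:
    """Assumed digest layout: MD5 over domain, revision, VLAN table and password."""
    h = hashlib.md5()
    h.update(domain.encode())
    h.update(revision.to_bytes(4, "big"))
    for vid in sorted(vlans):
        h.update(f"{vid}:{vlans[vid]};".encode())
    h.update(password.encode())
    return h.hexdigest()


@dataclass
class Advertisement:
    domain: str
    revision: int
    updater: str           # identity of the switch that sent it
    vlans: dict
    digest: str


@dataclass
class Switch:
    name: str
    domain: str
    mode: str                                   # "server", "client" or "transparent"
    password: str = ""
    revision: int = 0
    vlans: dict = field(default_factory=lambda: {1: "default"})

    def add_vlan(self, vid: int, name: str) -> None:
        """Only servers (and transparent switches, locally) may change VLANs."""
        if self.mode == "client":
            raise PermissionError(f"{self.name}: client mode cannot create VLANs")
        self.vlans[vid] = name
        if self.mode == "server":            # every change bumps the revision number
            self.revision += 1

    def advertise(self) -> Advertisement:
        return Advertisement(self.domain, self.revision, self.name, dict(self.vlans),
                             vtp_digest(self.domain, self.revision, self.vlans, self.password))

    def receive(self, adv: Advertisement) -> str:
        """Process an advertisement; returns what happened to the local database."""
        if self.mode == "transparent" or adv.domain != self.domain:
            return "ignored"                 # not participating, or another domain
        expected = vtp_digest(adv.domain, adv.revision, adv.vlans, self.password)
        if adv.digest != expected:
            return "rejected"                # password (or content) mismatch
        if adv.revision <= self.revision:
            return "stale"                   # we already hold this or a newer database
        self.vlans = dict(adv.vlans)         # higher revision wins, whatever it contains
        self.revision = adv.revision
        return "applied"


def rogue_server_scenario() -> tuple:
    """A server with a bogus high revision number and an empty VLAN table joins the
    domain.  Without the password it is rejected; with it, it wipes the VLANs."""
    core = Switch("core", "campus", "server", password="s3cret")
    core.add_vlan(10, "users")
    core.add_vlan(20, "servers")
    rogue = Switch("rogue", "campus", "server")              # no password configured
    rogue.revision = 50
    without_pw = core.receive(rogue.advertise())
    rogue.password = "s3cret"                                # attacker learned the password
    with_pw = core.receive(rogue.advertise())
    return without_pw, with_pw, dict(core.vlans)


if __name__ == "__main__":
    print(rogue_server_scenario())   # ('rejected', 'applied', {1: 'default'})
```

The scenario is why a VTP password is set on every switch in the domain, why a switch is reset to revision 0 (for example by changing its domain name) before it is connected, and why sites that do not need VTP run their switches in transparent mode.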
VTP Configuration
• VTP must be configured BEFORE the VLANs are created
• IOS
Switch# vlan database
Switch(vlan)# vtp domain domName
Switch(vlan)# vtp [server | client | transparent]
Switch(vlan)# vtp password psswrd
Switch(vlan)# vtp v2-mode
• CLI (CatOS set-based)
– Switch (enable) set vtp domain DNAME mode [server | client | transparent] password psswrd
– Switch (enable) set vtp v2 enable
Confirming VTP
• show vtp domain (CatOS); show vtp status on IOS
– Shows the VTP version, local mode, domain name, configuration revision, and whether a password is configured
• show vtp counters (IOS)
– Shows the exchange of advertisements
• show vtp statistics (CatOS)
– Shows the exchange of advertisements
VTP Pruning
• Disabled by default
• IOS
– Switch(vlan)# vtp pruning
• CLI (CatOS set-based)
– set vtp pruning enable
– clear vtp pruneeligible vlan-range
– set vtp pruneeligible vlan-range