Tag Archives: VLANs

Cisco to HP Switch Trunks

My place of work is essentially a Cisco shop, but we do have occasional pieces from other manufacturers that we need to deal with.

My latest challenge was to run a trunk between a Cisco 2960 and an HP 5412zl modular switch. The HP switch is a big beast, with 12 bays, each capable of accepting various modules, which gives a lot of flexibility. It is also a layer three switch, although we are only using it as an access switch with PoE modules, so we are not doing any routing on it.

The picture below shows the switch chassis with 4 modules inserted and 8 blank slots. In my case I have 9 x 24-port PoE switch modules and 3 blank slots, giving me 224 PoE ports.

[Image: HP J8700A chassis]

So why am I trunking between these two switches? We have migrated our office network from a number of ISP connections to one MPLS connection. As such, we have a standard template for this network configuration that uses a Cisco 2960 as the core switch, which handles DHCP and 4 VLANs.

[Image: Cisco-HP trunk diagram]

The VLAN scheme we have is as follows:

  • VLAN501 – Production VLAN allows connection to company internal services at our data center.
  • VLAN502 – Guest VLAN allows guests to use our network for raw internet but blocks traffic to the data center.
  • VLAN504 – VOIP VLAN provides connection for our phones and our UCaaS provider.

[Image: vlans]

The issue with doing this sort of trunk is that the HP and Cisco switches handle trunks in very different ways. The Cisco config is simple: define your port channel, create your trunk and you are done. In this case we have 4 x 1 Gb ports configured as a port channel running LACP.

!
interface Port-channel3
 description Port Channel to HP switch
 switchport trunk native vlan 501
 switchport mode trunk
!
interface GigabitEthernet1/0/1
 switchport trunk native vlan 501
 switchport mode trunk
 channel-protocol lacp
 channel-group 3 mode active
!
interface GigabitEthernet1/0/2
 switchport trunk native vlan 501
 switchport mode trunk
 channel-protocol lacp
 channel-group 3 mode active
!
interface GigabitEthernet1/0/3
 switchport trunk native vlan 501
 switchport mode trunk
 channel-protocol lacp
 channel-group 3 mode active
!
interface GigabitEthernet1/0/4
 switchport trunk native vlan 501
 switchport mode trunk
 channel-protocol lacp
 channel-group 3 mode active
!

The important statement in this configuration is the native VLAN statement for the trunk. Frames belonging to the native VLAN are sent across the trunk without a VLAN tag, so any untagged frame arriving on the trunk is treated as belonging to that VLAN; it is effectively the default VLAN for the link.

The HP is a little more complicated, and the key to understanding the HP way of working is to remember one key fact: dot1q leaves the native VLAN untagged. So when we create our trunk on the HP, we can get layer two connectivity (CDP, etc.) but layer three will not work.

What we have to do is make sure that the native VLAN (if it is other than VLAN 1) is untagged on the trunk, and the other VLANs are tagged. Once we do that, we should be able to ping across the VLANs.

!
trunk B17,B19,B21,B23 Trk1 LACP
!
vlan 501
 name "Data"
 untagged Trk1
!

B17, B19, B21 and B23 are the ports we are using for the other end of the trunk and Trk1 is the trunk group.

Of course, all other VLANs must still be tagged on the trunk in order to pass traffic correctly.
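As an added check that is not part of the original post: the Python below parses a Cisco interface block and an HP ProCurve VLAN section (constructed in the shape shown above; the VoIP VLAN 504 being tagged on Trk1 is an assumption) and reports whether the native VLAN is untagged on the HP side and every other VLAN is tagged, which is exactly the mismatch that leaves layer two up but layer three broken.

```python
import re  # the two configs below are constructed samples, not from a live device

CISCO_CONFIG = """
interface Port-channel3
 switchport trunk native vlan 501
 switchport mode trunk
"""
HP_CONFIG = """
vlan 501
 untagged Trk1
vlan 504
 tagged Trk1
"""

def cisco_native_vlan(config, interface):
    """Native VLAN configured on one IOS interface (IOS default is VLAN 1)."""
    native, in_block = 1, False
    for line in config.splitlines():
        if line.startswith("interface "):
            in_block = line.split()[1] == interface
        elif in_block:
            m = re.match(r"\s*switchport trunk native vlan (\d+)", line)
            if m:
                native = int(m.group(1))
    return native

def hp_trunk_membership(config, trunk):
    """Map VLAN id -> 'untagged' or 'tagged' for one ProCurve trunk group."""
    membership, vlan = {}, None
    for line in config.splitlines():
        m = re.match(r"vlan (\d+)", line)
        if m:
            vlan = int(m.group(1))
            continue
        m = re.match(r"\s*(untagged|tagged)\s+(.+)", line)
        if m and vlan is not None:
            # tolerate a trailing comma such as "untagged Trk1,"
            ports = [p.strip() for p in m.group(2).split(",") if p.strip()]
            if trunk in ports:
                membership[vlan] = m.group(1)
    return membership

def check_native_vlan(cisco_native, hp_membership):
    """Problems found; an empty list means both ends of the trunk agree."""
    problems = []
    if hp_membership.get(cisco_native) != "untagged":
        problems.append(f"VLAN {cisco_native} must be untagged on the HP trunk")
    for vid, mode in hp_membership.items():
        if vid != cisco_native and mode != "tagged":
            problems.append(f"VLAN {vid} must be tagged on the HP trunk")
    return problems
```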


CCNP: Switch – Part 4

VLANS and Trunking

1.  Virtual Local Area Networks (refresh)

From our CCNA studies, we know that VLANs are used to limit broadcast scope, but they also limit network traffic. If we want hosts on different VLANs to be able to talk to each other, we have to use one of three methods:

Note that the best practice for VLANs is one VLAN per IP subnet.

2.  SwitchPort Refresh

Cisco switch ports are by default in dynamic desirable trunking mode, which means that a port will take on the configuration of whatever is connected to it. If we connect a trunk, the port will trunk; if we connect a host, it will become an access port. Trunk ports are essentially transparent to VLANs and are used to allow all traffic between switches, or between switches and routers. Access ports can ONLY exist in one VLAN, which also means a host can ONLY exist in one VLAN. Port VLAN membership depends on two factors:

  • Static VLAN: the port is assigned to the VLAN and therefore any host connected to that port will be in that VLAN.
  • Dynamic VLAN: the VLAN is keyed to the host MAC address, and thus the port is in whatever VLAN is keyed to the MAC address of the host connected to the port.

Dynamic VLANs are not a part of the NP studies, but a brief rundown on Dynamic VLANs can be found here.

A quick note about VLAN membership. When a frame enters a switch via a port, it is tagged with the VLAN information pertaining to the VLAN membership of that port. It is this tag that enables ports to filter VLAN traffic.

However, to get a switch port to perform this function, we have to tell it that it is a switchport and it belongs to a specific VLAN. We do this using the switchport command:

switchport mode access
switchport access vlan n

We do this because, by default, Cisco switchports are in Dynamic Desirable mode, meaning they are looking to trunk, and want to trunk. This can be a security risk.

3.  Trunk Ports

To get traffic across a trunk, the packets have to be encapsulated, so that the VLAN information is sent with the traffic. VLANs often span multiple switches and so we tag (or encapsulate) each packet with its corresponding VLAN ID. There are a number of ways to do this:

  • Inter-Switch Link (ISL) – Cisco proprietary, not really used anymore.
  • IEEE 802.1q (dot1q) – industry standard, used everywhere.
  • Dynamic Trunking Protocol (DTP) – Cisco proprietary, negotiates trunks.

ISL encapsulates the frame with a 26-byte header and a 4-byte CRC trailer, for all VLANs. This adds overhead. It also does not understand the concept of a native VLAN. Dot1q does not add any encapsulation to the native VLAN, and adds a 4-byte header for other VLANs, BUT the ‘header’ information is embedded within the frame, so the frame size remains the same. This is important because a standard frame is 1518 bytes. Add the ISL overhead and that makes it 1548 bytes … making it a giant frame. With dot1q adding the 4-byte header within the frame, it just reduces the payload by 4 bytes.

So, we have:

  • Runt frame <64 bytes
  • IEEE 802.3u frames up to 1518 bytes
  • IEEE 802.3ac allows for a frame up to 1522 bytes
    • (this allows a standard frame plus 4 bytes for Dot1q)
  • Frames >1518 bytes are giants
  • some Cisco devices have hardware to handle giant frames

All of this is great, but how do we turn off a trunk port and stop it from trunking? There is no trunk port off command; we simply make it an access port.

One command we should get used to using is show vlan id n. This gives a very nice rundown on the VLAN and its ports.

4.  VMPS

Dynamic VLANs, as mentioned above, are out of scope for the CCNP, but we should know a little of the basics. Dynamic VLANs are based on the VMPS, or VLAN Membership Policy Server.

With VMPS, the VLAN is assigned to a host MAC address rather than to the port. In order to facilitate this, the MAC address to VLAN assignments are stored in a database on a TFTP server.

The VMPS database is read every time the VMPS server is power cycled. The transfer runs over UDP, so we must make sure we do not block UDP using ACLs.

There are a few things to remember, when using VMPS:

  • portfast is enabled for each access port by default
  • configure the database before configuring the ports
  • turn off port security when using VMPS
  • do not use VMPS when using trunks

Lab Practice – Switching Part 2

We are going to take the lab topology from the previous post and introduce some VLANs to see what happens!

The Caper

Let's assume that our switches form a network for a small business called ACME Inc. We have a number of departments, and each department needs to have its own VLAN.

[Image: sw4 lab topology]

So we have 5 VLANs as follows:

  • Finance (VLAN 10)
  • HR (VLAN 20)
  • R&D (VLAN 30)
  • Sales (VLAN 40)
  • IT (VLAN 50)

… and we need to create a trunk to connect to the router. Now remember from our previous studies that we need to use a router and the trunk to allow inter-VLAN communication (if we allow it).

First, let's make sure all the switches are in the same VTP domain. We are going to use the company name ACME as the domain name.

s2950-12#conf t
Enter configuration commands, one per line. End with CNTL/Z.
s2950-12(config)#vtp domain acme
Changing VTP domain name from cisco to acme
s2950-12#sh vtp status
VTP Version : 2
Configuration Revision : 0
Maximum VLANs supported locally : 128
Number of existing VLANs : 5
VTP Operating Mode : Server
VTP Domain Name : acme
VTP Pruning Mode : Disabled
VTP V2 Mode : Disabled
VTP Traps Generation : Disabled
MD5 digest : 0x26 0x9F 0x13 0xCA 0x52 0x75 0xA0 0x67
Configuration last modified by 0.0.0.0 at 3-1-93 03:45:04
Local updater ID is 0.0.0.0 (no valid interface found)

I did this on each switch to verify the change, and noted that all three switches are in server mode.
Now, let's create our VLANs:

s3550(config)#int range fa0/1 - 6
s3550(config-if-range)#switchport access vlan 10
% Access VLAN does not exist. Creating vlan 10
s3550(config-if-range)#int range fa0/13 - 18
s3550(config-if-range)#switchport access vlan 20
% Access VLAN does not exist. Creating vlan 20
s3550(config-if-range)#exit

I did that on each switch, putting the appropriate ports into the new VLANs and then ran a show command to verify:

s2950#sh vlan br
VLAN Name                             Status    Ports
1    default                          active    Fa0/3, Fa0/4, Fa0/5, Fa0/6
                                                Fa0/7, Fa0/8, Fa0/17, Fa0/18
                                                Fa0/19, Fa0/20, Fa0/21, Fa0/22
                                                Fa0/23, Fa0/24
10   VLAN0010                         active
20   VLAN0020                         active
30   VLAN0030                         active
40   VLAN0040                         active
50   VLAN0050                         active    Fa0/9, Fa0/10, Fa0/11, Fa0/12
                                                Fa0/13, Fa0/14, Fa0/15, Fa0/16
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup

So I know which VLAN is which because I set them, but what if I’m not the only admin on this network? Let's name the VLANs so anyone else coming in behind me can figure out what's going on. This is pretty easy to do as follows:

s2950(config)#vlan 20 
s2950(config-vlan)#name hr
s2950(config-vlan)#exit

… for each VLAN. If I go to the other switches and do a sh vlan br, I can see the new VLAN names. Now I’m going to run a couple of hosts on these switches and ping around – I won't bother to post the output here, but yes, I can ping around my network, but I cannot ping across VLANs.

So what now?

From the show vlan brief command we can see that VLAN information is being broadcast across the entire network, given that every switch has every VLAN on the network listed in its VLAN list. This is OK for this small network, but what if we had a much larger network? To cut down on that traffic we are going to prune some of these VLANs.

s2950(config)#vtp pruning

… and that really is all we need to do.

What’s in the trunk?

OK, next we hook up the trunk link between the 2950 and the router. For routing I am using a Cisco 2610XM, which has a single Fast Ethernet port, so we will use one Fast Ethernet port on the root switch to trunk to the router: let's use fa0/24.

s2950#conf t
Enter configuration commands, one per line. End with CNTL/Z.
s2950(config)#int fa0/24
s2950(config-if)#no switchport port-sec
s2950(config-if)#switchport mode trunk
s2950(config-if)#no shut
s2950(config-if)#exit
s2950(config)#

I have the switch ports configured with security as a part of my default lab config, and to get a 2950 port to trunk you need to remove the security.

A quick show command to verify our trunk connection:

s2950#sh int trunk
!
Port    Mode         Encapsulation Status    Native vlan
Fa0/24  on           802.1q        trunking  1
Po1     desirable    802.1q        trunking  1
Po2     desirable    802.1q        trunking  1
!
Port     Vlans allowed on trunk
Fa0/24   1-4094
Po1      1-4094
Po2      1-4094
!
Port     Vlans allowed and active in management domain
Fa0/24   1,10,20,30,40,50
Po1      1,10,20,30,40,50
Po2      1,10,20,30,40,50
!
Port     Vlans in spanning tree forwarding state and not pruned
Fa0/24   1,10,20,30,40,50
Po1      1,10
Po2      1

Just as a side note: see the pruning? Cool huh?
Next, let's get the routing sorted out.
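As an added example, not from the original post: the Python below parses the sh int trunk output shown above and works out, per trunk, which VLANs are active in the domain but not being forwarded, which is how you would confirm pruning from a script rather than by eye.

```python
SHOW_INT_TRUNK = """\
Port    Mode         Encapsulation Status    Native vlan
Fa0/24  on           802.1q        trunking  1
Po1     desirable    802.1q        trunking  1
Po2     desirable    802.1q        trunking  1

Port     Vlans allowed on trunk
Fa0/24   1-4094
Po1      1-4094
Po2      1-4094

Port     Vlans allowed and active in management domain
Fa0/24   1,10,20,30,40,50
Po1      1,10,20,30,40,50
Po2      1,10,20,30,40,50

Port     Vlans in spanning tree forwarding state and not pruned
Fa0/24   1,10,20,30,40,50
Po1      1,10
Po2      1
"""

def expand_vlans(spec):
    """Expand an IOS VLAN list such as '1,10-12' into {1, 10, 11, 12}."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def parse_show_trunk(text):
    """{port: {'native': int, 'allowed'/'active'/'forwarding': set}}."""
    sections = {"Native vlan": "native", "allowed on trunk": "allowed",
                "allowed and active": "active", "not pruned": "forwarding"}
    ports, current = {}, None
    for line in text.splitlines():
        if line.startswith("Port"):          # a header line opens a section
            current = next(v for k, v in sections.items() if k in line)
        elif line.strip():
            fields = line.split()
            entry = ports.setdefault(fields[0], {})
            if current == "native":
                entry["native"] = int(fields[-1])
            else:
                entry[current] = expand_vlans(fields[1])
    return ports

def pruned_vlans(ports):
    """Per trunk: VLANs active in the domain but not being forwarded."""
    return {p: sorted(e["active"] - e["forwarding"]) for p, e in ports.items()}
```

Note that the last section of the output also omits VLANs that spanning tree has blocked, so a VLAN missing there is not always a pruned one.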

VLANs – the deep dive!

Just a quick recap:

The default behavior of a switch is to send a broadcast out of every port except the one it rode in on.

— Chris Bryant at the Bryant Advantage sums up a switch in a simple and concise manner —

A switch is by default a single broadcast domain. This can be a problem. If you have a 4 or 8 port switch in your home, then likely it isn’t much of a problem, but let's assume you are running a switch with 48 hosts. Every single broadcast has to be pushed out of 47 ports, for each host on the system. Imagine the processor and memory load it takes just to handle that much broadcast traffic. Imagine the amount of traffic each host has to look at and ignore, wasting bandwidth and CPU time – no wonder my Facebook won’t load!

By segmenting our LAN into smaller Virtual LANs, we can ease this load and reduce the amount of broadcast traffic by creating more broadcast domains. This sounds counterintuitive, but really, it's not.

In order to put ports into a VLAN, the port must be in Access mode (at least for the purposes of the CCNA this is true).

switchport mode access
switchport access vlan x

It is worth pointing out that not only will broadcast traffic not cross VLAN boundaries, but also any other traffic does not cross VLAN boundaries. There are two ways around this:

  • A router (router on a stick)
  • A layer 3 switch

For the CCNA we don’t cover layer 3 switches, so we will concern ourselves only with routers, but layer 3 switches do exist.

We are going to look at router on a stick later.

Other uses for VLANs

Security – we can use VLANs as a way of segregating hosts. We might want to do this to keep unused ports out of our actual network.

Departments – we can also segregate by department. If you need to keep engineering, sales and finance separated, putting the hosts into their own VLANs is one way to do that. Subnet that, and

VLANs and the MAC address table – You can filter the MAC address table by VLAN which can help us limit the number of MAC addresses we see. Not a big deal on a lab setup where we have limited hosts, but in a production network this may be a huge help if that address table has 48+ entries.

VLANs and Trunking

So what is trunking? Trunking is the process of making ‘upstream’ switch ports. Ports connecting to routers are almost always trunk ports. Well, why is that? The reason is that trunk ports can allow all VLAN traffic to flow through them. Remember that access ports can only be connected to one VLAN.

Frame Tagging – when a frame from a VLAN leaves a switch via the trunk port, the switch adds a tag to the frame, identifying the VLAN of origin.

Trunk Protocols – there are two protocols available to us:

  • ISL – Inter-Switch Link (Cisco proprietary)
  • IEEE 802.1q – industry standard

ISL only works with Cisco equipment; obvious I know but worth stating. What ISL does is encapsulate the entire frame with a header and trailer. This adds overhead, but is robust.

Dot1q is what we usually use, and in fact some Cisco switches don’t even have ISL capability. The difference here is that there is no encapsulation. Dot1q simply adds a 4-byte header and that is all, which gives us a much lower overhead.

The native VLAN – This is the default VLAN, in my case VLAN 1 on my 2950. ISL will still encapsulate this, but dot1q does not add a tag to it. As far as dot1q is concerned, any frame with no tag belongs to the default VLAN.
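To make the tagging described here (and the frame-size discussion in CCNP: Switch – Part 4 above) concrete, the Python below is an added example, not from the original post: it builds Ethernet frames with and without the 4-byte 802.1Q tag, computes the FCS, parses the tag back out (placing an untagged frame in the native VLAN, as a trunk port does), and classifies frames as runt, standard, tagged or giant using the 64/1518/1522 limits. The MAC addresses are constructed sample values.

```python
import struct
import zlib

TPID_8021Q = 0x8100
MIN_FRAME, MAX_UNTAGGED, MAX_TAGGED = 64, 1518, 1522   # bytes, FCS included
# Constructed sample addresses (not from any real capture).
DST = bytes.fromhex("ffffffffffff")
SRC = bytes.fromhex("001122334455")

def fcs(data):
    """Ethernet FCS: CRC-32 over the frame, least-significant byte first."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)

def build_frame(dst, src, ethertype, payload, vlan=None, pcp=0):
    """Build a frame with FCS. vlan=None models the native VLAN: no tag."""
    hdr = dst + src
    if vlan is not None:
        tci = ((pcp & 0x7) << 13) | (vlan & 0xFFF)   # PCP(3) DEI(1) VID(12)
        hdr += struct.pack("!HH", TPID_8021Q, tci)   # 4-byte tag after SA
    body = hdr + struct.pack("!H", ethertype) + payload
    return body + fcs(body)

def parse_frame(frame, native_vlan=1):
    """Return (vlan_id, ethertype, payload). A frame with no tag is placed
    in the native VLAN, which is what an 802.1Q trunk port does."""
    if fcs(frame[:-4]) != frame[-4:]:
        raise ValueError("bad FCS")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == TPID_8021Q:
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        return tci & 0xFFF, ethertype, frame[18:-4]
    return native_vlan, ethertype, frame[14:-4]

def classify(frame):
    """Size class as seen by the switch (lengths include the 4-byte FCS)."""
    n = len(frame)
    if n < MIN_FRAME:
        return "runt"
    if n <= MAX_UNTAGGED:
        return "standard"
    if n <= MAX_TAGGED:
        return "tagged (802.3ac)"
    return "giant"

if __name__ == "__main__":
    payload = bytes(1500)                  # a full 1500-byte IP payload
    for f in (build_frame(DST, SRC, 0x0800, payload),
              build_frame(DST, SRC, 0x0800, payload, vlan=501)):
        print(len(f), classify(f), parse_frame(f, native_vlan=501)[0])
```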

Naming VLANs – One last note on VLANs. There is a very useful command that we should be aware of. When creating a VLAN, the name command can be used to name the VLAN. So now, instead of having VLAN0010, VLAN0020 and VLAN0030 we could have Engineering, Accounting and Sales.

Final thoughts

  • A switchport can either be an access port or a trunk.
  • To turn off trunking, we put it into access mode (there is no trunk off command).
  • There are two trunking protocols, ISL and dot1q.