|
VLANs, VTP, and VLAN Trunking |
The second new Newsletter article discusses VLANs, VTP, and VLAN Trunking. Originally developed as a security technique for isolating groups of users on the same wire, VLANs have many more applications than first thought. They will be found doing useful things in most networks. VTP is a Cisco-proprietary mechanism that reduces the operational workload of making changes to VLANs. Though CCNA candidates need to know the basics of these techniques, most of the information is designed to help candidates working towards higher level certifications. |
Originally developed as a security technique, for isolating groups of users on the same wire, Virtual Local Area Networks (VLANs) have many more applications than first thought. VLANs will be found doing useful things in most networks.
In his Ethernet Switching II tutorial, Dan Farkas has a great way to remember the role of anything virtual... "with terms like "virtual LANs" being flung around, it's important to keep our definitions straight.
"So a virtual LAN is a LAN that looks like it's there but really isn't. A VLAN is a virtual wire, a virtual hub that spans across multiple switches. VLANs are broadcast domains. There is a one-to-one correspondence between VLANs and IP subnets. In fact, in my classes I let my students use the terms VLAN, subnet, and broadcast domain interchangeably."
VLANs themselves are what you see individually at edge LAN switch ports, to which hosts connect. In general, when you interconnect more than one modern switch, the ports interconnecting them run a trunking protocol. Trunking protocols allow traffic from different VLANs to share a physical link. A single non-trunked switch still can contain VLANs, with different ports assigned to different VLANs.
The process of getting a packet from the edge port to a trunk involves tagging each frame with information that lets switches know what VLAN it belongs to.
They are not the panacea for almost every problem, as once believed. At one time, there was truth to the axiom "switch [i.e., bridge at layer 2] when you can, route when you must." With current technology, there isn't a significant amount of performance difference between L2 and L3 decision making. L3 switches are routers, and distinguishing between them sometimes is no more than a matter of sales emphasis.
Realistically, you do tend to see certain differences in the way functions are packaged into commercial products. Products marketed as L3 switches tend to have lower per-port cost and higher per-port density for Ethernet ports than "routers". Routers tend to have better per-port economics for WAN ports, and often have more processing power for such non-forwarding tasks as quality of service enforcement.
Table 21. Port Membership Modes defined for IOS VLAN switching
Port type | VLAN relationships | VTP requirements |
Static-access | Configured manually to belong to only 1 VLAN. | Not required. For VTP to work for this switch there must be at least one trunk port on the local switch connected to a trunk port on another switch. |
802.1Q trunk | By default, trunk ports are in every VLAN, including the extended range VLANs. You may restrict the VLANs that can traverse this trunk by defining those in the allowed-VLAN list, which typically is an advanced performance tuning method. | Cisco recommends but does not require VTP on trunk ports. VTP simplifies configuration, especially of complex switched network, but does impact bandwidth and switch processing. It can be used for trunk performance tuning by adjusting the VTP pruning-eligible list. |
Dynamic access | Ports are assigned dynamically to a single normal-range VLAN, based on the first frame MAC address. You must have a VMP server to do this assignment, a function that does not run on the 2950. If the switch has trunk ports, its dynamic access ports can only connect to end stations, not other switches. | VTP is required; both on the switch with the dynamic access port and the VMPS. |
Voice VLAN | This port is actually on a Cisco IP phone, and presents a data and an auxiliary voice VLAN to the switch port. |
VLAN Trunking Protocol (VTP) is a Cisco-proprietary mechanism that reduces the operational workload of making changes to VLANs. VTP travels over trunks, so any participating switch must have at least one trunk port. VTP can improve overall performance by preventing the propagation of VLAN traffic to switches with no port in the VLAN, reducing trunk bandwidth ands switch processing. It can also prevent certain configuration errors and inconsistencies.
The way in which you configure VLANs, assuming you have more than one switch interconnected by trunks, will depend on whether or not VTP will be part of your network, so the decision to use it has to come early in the design process. We will consider the factors that go into that decision now, but defer the details of VTP configuration until after we go through basic VLAN configuration.
Table 22. Default VTP Database Information
VTP domain name | Null. |
VTP mode | Server. |
VTP version 2 enable state | Version 2 is disabled. |
VTP password | None. |
VTP pruning | Disabled. |
Since a non-null domain name, if nothing else, is needed for VTP operation, you will have to do at least some configuration to make it work.
Table 23. VTP Switch Modes
VTP Mode | Description |
server | The default mode for VTP-enabled switches. This lets you configure and reconfigure on one switch and have the information propagate to all other switches in the domain. If changes are made on more than one server, the servers dynamically synchronize as long as the options are compatible. Configurations will be saved in NVRAM. Be aware that server mode requires more NVRAM and RAM than other modes. |
client | Clients do not let you make changes, although they will propagate changes to other VTP switches. They do not save the learned configuration in NVRAM. Remember that you must have at least on server in a domain, or nothing can be configured. |
transparent | VTP transparent mode causes a switch to pass VTP messages, but not be affected by them. You still can create, delete and modify VLANs in this mode, but the information configured on the switch will not propagate via VTP. VTP mode and domain information is saved in NVRAM. Transparent mode is the only mode you can use to create extended-range VLANs. |
When VTP is running, it propagates the information in Table 24.
Table 24. Information in VTP Messages
Global | Per-VLAN |
VTP domain name | VLAN ID |
VTP configuration revision number | Name |
Update identity and update timestamp | Type |
MD5 digest VLAN configuration, including maximum transmission unit (MTU) size for each VLAN. | State |
Frame format | Type-specific information |
There are three versions of VTP. VTP Version 3 is very new and will be available only in the latest IOS versions. Remember that all VTP is off by default. When you enable VTP, it will run as Version 1 unless you configure:
vtp version 2 | 3
Which version should you use? See Table 25 for the additional features supported by Version 2. Version 1 is adequate for most systems that do not contain Token Ring. Many of the Version 2 features impose tighter management control on VTP, which could very well help avoid problems if you are merging VTP systems. Only Versions 1 and 2 are listed in the CCNA blueprint.
Table 25. VTP Version 2 Functionality differences with Version 1
VTP Functionality | Support/Processing in Version 2 |
Token Ring | Token Ring Bridge Relay Function (TrBRF) and Token Ring Concentrator Relay Function (TrCRF) VLAN are supported |
Unrecognized Type-Length-Value (TLV) | In V2, a server will propagate TLVs even those it does not understand. It also saves them in NVRAM when the switch is in VTP server mode. This could be useful if not all devices are at the same version or release level. |
Version-Dependent Transparent Mode | Version 1 supports multiple domains while Version 2 supports only 1. Normal behavior for V1 would be to forward messages only if they match the destination domain name and version. VTPv2 does not do this check before forwarding. |
Consistency Checks | VTPv1 does more consistency checking on messages, which can add overhead. As long as the MD5 digest on a message is correct, VTPv2 will forward it. VTPv2 will consistency-check new configuration information added through the configuration editor, Cluster Management Software or SNMP. |
VTPv3 introduces more features beyond the scope of this article, but perhaps the most important enhancement is that it will support the extended range of all VLAN identifier values.
VTP pruning is an important function in reducing VTP overhead on trunks, often more than offsetting the increased overhead induced by VTP itself. You avoid consuming trunk bandwidth and switch processing for messages the receiving switch will only discard. Pruning recognizes when a downstream destination switch will actually be able to use certain VTP messages, and will flood them downstream only when they will be relevant to the destination. The term "spanning tree" is especially apropos, because this function prunes branches of the tree that don't need to receive any sap from the trunk of the tree -- I mean, any frames from the conceptual all-VLAN trunk. As opposed to garden pruning where you amputate the branches, VTP pruning can reattach branches when the relevant switches do include ports that include the previously pruned VLANs.
This feature is off by default in both VTPv1 and VTPv2. When it is enabled, only the information for VLANs in the pruning-eligible list can be pruned. The contents of this list depend on software image and any manual configuration. With the Standard image and default behavior, VLANs 2-1001 are pruning-eligible. VLANs 1 and the range 1002-1005 can never be eligible for pruning. Extended range (ID > 1500) can be pruned only when running EMI software in all switches in the domain.
Figure 16. Example of VLAN Pruning's Benefit
VTP does consume RAM and sometimes NVRAM. It also is not intended to affect switches in VTP transparent mode. If any of your switches are in VTP transparent mode, you have to make adjustments to avoid incompatibilities. One such adjustment is turning off VTP pruning (i.e., not all VTP, just pruning) for the entire switched system. Alternatively, you can make sure that the transparent switches do not see pruning, by adjusting the pruning-eligible list of directly connected non-transparent switches. You adjust the list such that no VLAN on the trunk to .the transparent switch can be pruned by the switch at the other end of the trunk from the transparent switch. On this trunk, you must not make any VLAN present eligible for pruning. As long as the upstream switch(es) and their trunks do not run VTP pruning, it is perfectly acceptable to prune on their upstream trunks.
Figure 17. VLAN Pruning upstream of a transparent switch
The command for VTP pruning is:
interface fa0/4 switchport mode trunk switchport trunk pruning vlan
First, you need to know how many, and what VLAN numbers, can run on a given switch and software image. While the release notes for a given release is definitive, Table 26 gives the basic rules for the 2950 switch, which is the fairly simple switch that is the knowledge target for the CCNA.
SMI software generally supports only a small number of VLANs in the "normal range" of VLAN identifiers. Formally, this range is 1 to 1005, but certain identifiers have special significance.
If you use the EMI image, you can support the extended range of VLANs 1005-4096, but VTP cannot learn about these in Version 1 or 2. Using the extended range, in practice, means that you will have to run the switch in VTP transparent mode, greatly limiting the functionality available through VTP, unless you use VTPv3. VTPv3 is not in the current CCNA blueprint.
Table 26. VLAN identifiers with special significance
VLAN ID | Purpose |
1 | Management (and default) VLAN. Should always be available to a switch. |
1002-1005 | Reserved for (obsolescent) Token Ring and FDDI VLANs |
1006-4096 | Extended range, not stored in the VTP database |
LLike most IOS functions, you configure VTP through the configuration editor. You have two choices in the way you configure VTP. You can configure it in global mode, where you set parameters in the VTP database. You can also configure it in VLAN configuration mode, which is more fine-grained. Remember that the stored configuration and the VTP database are not always the same; the VTP database can contain dynamically learned information. Specifying a new filename simply renames the place where dynamic information will be stored.
The vlan level changes single VLANs, while the vtp level applies to all standard-range VLANs.
As opposed to most other configuration editor changes, the commands do not take effect immediately, but only after you complete the module and commit the changes (Table 27).
Table 27. VTP Configuration Module Commands
Command | Meaning |
abort | exits the mode without applying the changes and without resetting. The existing database remains valid. |
apply | applies the database changes, increments the database revision number, and propagates the information. The switch remains in VLAN configuration mode so you can configure a different VLAN. You can't use this command if the switch is in client mode. |
exit | applies the database changes, increments the database revision number, and propagates the information. The switch returns to global configuration mode. |
no | negates a command or set its defaults. You can code no vtp or no vlan |
reset | exits the mode and resets the database |
Be aware of some startup behavior that may result from configuration mismatches (Table 28).
Table 28. VTP Special Behavior on Startup
Switch is in transparent mode. VLAN database and the VTP domain name from the VLAN database matches those defined the startup configuration file | VTP and VLAN configurations in the startup configuration file are used, but other information stored in the database is ignored. The VLAN database revision number remains unchanged in the VLAN database. |
VTP mode or domain name in the startup configuration do not match the VLAN database | The domain name and VTP mode and configuration for the standard range use the information from the database. |
Certain parameters always need to be set globally. The first step is to define the domain name, which can be 1 to 32 characters long. Every client or server in the same domain must have the same domain name. Switches in VTP transparent mode do not need the domain name, because they pass messages without checking the domain name.
Some VTP parameters, such as the password whether to enable Version 2, and whether to use pruning, are optional, but still can be set with global commands.
If you want VTP to work...Never configure a domain without at least a VTP server. If all the switches are in client mode, there is no way to change the configuration. |
While domain names are mandatory, VTP passwords are optional strings, 8 to 64 characters long. If you configure a VTP password, it must be the same in all switches of a domain. A switch without the right password will not accept VTP advertisements, or learn the domain name, until the correct password is configured into it.
If you want to use VTP transparent mode, you must use global configuration mode. Global configuration is the only way to establish the domain name, database file and switch mode if the switch is in transparent mode.
vtp {domain domain-name | file filename | interface name | mode {client | server | transparent} | password password | pruning | version number}
If you do a copy running startup followed by a reload, the restarted switch behavior will be as defined in Table 28. Note that there are some variations based on IOS version, principally if the switch software image is IOS 12.1(9) EA1 or a later version. If your configuration was stored with an earlier IOS, there may be different behavior. See the appropriate release notes.
For the actual configuration,
vlan database ! Enter VLAN configuration mode.
If you can, it's generally most flexible to have all your switches in server mode. The nice thing is that if a switch is configured as a server, you can make changes on it and have them propagate through the domain. One reason you cannot is if extended-range VLANs are in the switch configuration -- you can't change to server when the switch is running extended VLANs. Another reason you may not be able to make every switch a server is that server mode requires more RAM and NVRAM.
To set server mode, enter server mode and configure:
vtp mode server ! server mode is the default mode, but remember that ! VTP is not enabled by default vtp domain domain-name vtp password password
To configure parameters for individual VLANs, use VLAN configuration mode. Global commands such as the domain would normally have been set already, at the global level.
Many options of this command are not relevant at the CCNA level. They tend to be associated with non-Ethernet use, or with operation in a mixed environment containing Ethernet and other media such as Token Ring. See the Command Reference for all options. The relevant command is:
vlan vlan-id [name vlan-name] [state {suspend | active}]
|