CCNA | P3: Implementing VLANs and STP | C1: Implementing Ethernet Virtual LANs
Get ready to dive into the exciting world of Ethernet Virtual LANs (VLANs)!
Lesson Contents
- What are VLANs
- VLAN Creation
- Assigning Ports to VLAN
- Verifying VLAN Configuration
- Disable VLAN
- VLAN Trunking
- Default Configuration
- Voice VLANs
- Verify VLAN configuration of ports
- What is VTP
- Modes of VTP Operation
- The three versions of VTP
- VTP Configuration
- Summary
What are VLANs
VLANs are a fantastic tool that allows us to slice and dice a physical network into logical segments. Whether it’s based on function, location, or security requirements, VLANs have got you covered!
They empower network administrators to isolate traffic, boost performance, and ramp up security. In this thrilling blog post, we’re going to master the art of implementing VLANs on Cisco switches using the command-line interface (CLI). Buckle up!
First up, let’s get to grips with the range of VLAN IDs we can use.
A VLAN ID is a unique numerical identifier that sets one VLAN apart from another.
The standard range of VLAN IDs stretches from 1 to 1001, and all Cisco switches support these.
But wait, there’s more! Some of the latest Cisco devices also support an extended range of VLAN IDs, from 1006 all the way up to 4094.
VLAN Creation
Next on our agenda, we’re going to create the VLANs and assign them names and interfaces.
To create a VLAN, we use the command (config)# vlan n, where n is the VLAN ID.
This will usher us into the VLAN configuration mode, where we can assign the name test to the VLAN using the command (config-vlan)# name test.
For instance, to create a VLAN with ID 10 and name Sales, we can use the following commands:
Sw1(config)# vlan 10
Sw1(config-vlan)# name Sales
Assigning Ports to VLAN
To assign an interface to a VLAN, we need to enter the interface configuration mode using the command (config)# interface type number, where type and number are the interface type and number.
For example, to enter the configuration mode for interface GigabitEthernet0/2, we can use the command (config)# interface GigabitEthernet0/2.
Then, we need to link the interface with the VLAN using the command (config-if)# switchport access vlan n, where n is the VLAN ID.
For example, to assign interface GigabitEthernet0/2 to VLAN 10, we can use the following command:
Sw1(config-if)# switchport access vlan 10
Finally, we need to force the interface to access mode using the command (config-if)# switchport mode access.
This will stop the interface from negotiating trunking or accepting trunking frames.
Trunking is a method of carrying multiple VLANs over a single link, which we will delve into in another blog post. For now, we want our interfaces to belong to only one VLAN and send and receive only untagged frames.
For example, to force interface GigabitEthernet0/2 to access mode, we can use the following command:
Sw1(config-if)# switchport mode access
Verifying VLAN Configuration
To verify our VLAN configuration, we can use two commands: # show vlan brief and # show vlan.
The first command will give us a snapshot of all enabled VLANs, their names, and interfaces.
The second command will provide us with more detailed information about each VLAN, including their status and spanning tree protocol settings.
Spanning tree protocol (STP) is a technique of preventing loops in a network with redundant links, which we will also explore in another blog post.
For example, to see the summary of our VLAN configuration on switch Sw1, we can use the following command:
Sw1# show vlan brief
And voila! You’ll see something like this:
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Gi0/1
10 Sales active Gi0/2
1002 fddi-default act/unsup
1003 token-ring-default act/unsup
1004 fddinet-default act/unsup
1005 trnet-default act/unsup
Disable VLAN
If you want to disable a VLAN, you have two options at your disposal. You can either use the command (config-vlan)# shutdown in the VLAN configuration mode, or you can use the command (config)# shutdown vlan n in the global configuration mode.
Both commands will deactivate the VLAN and remove it from the running configuration.
However, the first command will also delete the VLAN from the switch’s database file (vlan.dat), while the second command will not.
The database file is like the switch’s memory bank, storing all VLAN information and used when the switch boots up.
So, if you want to permanently delete a VLAN from a switch, you should use the first option.
For example, to disable and delete VLAN 10 from switch Sw1, you can use the following commands:
Sw1(config)# vlan 10
Sw1(config-vlan)# shutdown
VLAN Trunking
Now, let’s talk about trunking. Trunking is a technique that allows multiple VLANs to share a single physical link between switches.
It’s a real game-changer, reducing the number of cables and ports needed to connect different VLANs, while maintaining the logical separation of the VLANs across the switches.
There are two main types of trunking protocols that can be used to encapsulate the VLAN information in the frames that traverse the trunk link: 802.1Q and ISL (Cisco proprietary, deprecated, and included here only for awareness).
- 802.1Q is an IEEE standard that inserts a 4-byte tag in the Ethernet frame header, containing a 12-bit VLAN ID and a 3-bit priority field. The tag is inserted after the source MAC address and before the type/length field. The original frame header is preserved, except for the recalculation of the FCS (Frame Check Sequence). 802.1Q supports up to 4094 VLANs, with VLAN IDs 0 and 4095 reserved for special purposes.
- ISL is a Cisco proprietary protocol that encapsulates the entire Ethernet frame with a new header and trailer, containing a 15-bit VLAN ID and a 2-bit user priority field. The new header also includes a 10-bit ISL type field, which identifies the type of frame being encapsulated, such as Ethernet, Token Ring, FDDI, etc. The new trailer includes a 16-bit CRC (Cyclic Redundancy Check) for error detection. ISL supports up to 1024 VLANs, with VLAN IDs 0 and 1023 reserved for special purposes.
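To make the 802.1Q tag layout concrete, here is an added Python example (not code from the post) that inserts a tag the way a trunk port would and parses it back out; the sample frames, MAC addresses and the reserved_vid flag are constructed for illustration.

```python
import struct

TPID_8021Q = 0x8100   # Tag Protocol Identifier: the EtherType value that announces an 802.1Q tag

def parse_frame(frame: bytes) -> dict:
    """Split an Ethernet frame into addresses, optional 802.1Q tag fields and EtherType.

    As described above, the 4-byte tag sits between the source MAC and the
    type/length field: 2 bytes TPID, then 2 bytes TCI = 3-bit priority (PCP),
    1-bit DEI and 12-bit VLAN ID. The FCS is assumed already stripped by the NIC.
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than a minimal Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    result = {"dst": dst.hex(":"), "src": src.hex(":"), "tagged": False,
              "pcp": None, "dei": None, "vid": None, "reserved_vid": False}
    offset = 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci = struct.unpack("!H", frame[14:16])[0]          # Tag Control Information
        vid = tci & 0x0FFF
        result.update(tagged=True, pcp=tci >> 13, dei=(tci >> 12) & 1, vid=vid,
                      reserved_vid=vid in (0, 4095))       # 0 and 4095 are not usable VLANs
        ethertype = struct.unpack("!H", frame[16:18])[0]     # the real type/length field
        offset = 18
    result["ethertype"] = ethertype
    result["payload"] = frame[offset:]
    return result

def build_tagged_frame(dst: bytes, src: bytes, vid: int, pcp: int,
                       ethertype: int, payload: bytes) -> bytes:
    """Insert an 802.1Q tag after the source MAC, as a trunk port does when forwarding."""
    if not (0 <= vid <= 4095 and 0 <= pcp <= 7):
        raise ValueError("VID must fit in 12 bits and PCP in 3 bits")
    return dst + src + struct.pack("!HHH", TPID_8021Q, (pcp << 13) | vid, ethertype) + payload

# Constructed sample frames (not captured traffic): VLAN 10 "Sales" as carried on a trunk,
# and the same frame untagged, as it would appear on an access port.
DST = bytes.fromhex("ffffffffffff")
SRC = bytes.fromhex("001122334455")
SAMPLE_TAGGED = build_tagged_frame(DST, SRC, vid=10, pcp=5, ethertype=0x0800, payload=b"\x45\x00")
SAMPLE_UNTAGGED = DST + SRC + struct.pack("!H", 0x0800) + b"\x45\x00"
```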
To configure trunking on a Cisco switch, you need to enter the interface configuration mode and use the following commands:
- switchport trunk encapsulation {dot1q | isl | negotiate}: This command sets the trunking protocol to use on the interface. The negotiate option allows the switch to negotiate with the other end of the link to choose either dot1q or isl. However, this option is only available on older switch models that support both protocols. On newer switch models that only support dot1q, this command is not needed and will generate an error message if entered.
- switchport mode {access | trunk | dynamic {auto | desirable}}: This command sets the trunking mode of the interface.
  - The access mode forces the interface to operate as an access port, which belongs to a single VLAN and does not trunk.
  - The trunk mode forces the interface to operate as a trunk port, which carries multiple VLANs and trunks.
  - The dynamic mode allows the interface to negotiate with the other end of the link to determine whether to trunk or not, using a protocol called DTP (Dynamic Trunking Protocol).
  - The auto option makes the interface passive in the negotiation process, meaning that it will only trunk if the other end initiates trunking.
  - The desirable option makes the interface active in the negotiation process, meaning that it will initiate trunking with the other end.
Let's visualize this using the table below (rows are the local port mode, columns the mode of the port at the other end of the link):

| Mode | Access | Trunk | Auto | Desirable |
|---|---|---|---|---|
| Access | Access | Error | Access | Access |
| Trunk | Error | Trunk | Trunk | Trunk |
| Auto | Access | Trunk | Access | Trunk |
| Desirable | Access | Trunk | Trunk | Trunk |
In this table, "Error" means that the combination of modes is not possible or not allowed. "Trunk" and "Access" mean that a trunk or access is formed, respectively. Please note that this is a simplified representation and actual behavior may depend on specific network configurations and devices.
Default Configuration
The default settings are dependent on the switch model and IOS version. On newer switches, such as the Catalyst 2960 or 3560, the default trunking protocol is dot1q and the default trunking mode is dynamic auto.
On older switches, such as the Catalyst 2950 or 3550, the default trunking protocol is negotiate and the default trunking mode is dynamic desirable.
To verify the trunking configuration and status on a switch interface, you can use the following commands:
- show interfaces [interface-id] switchport: This command displays information about the switchport settings of an interface, such as its administrative and operational mode, its administrative and operational encapsulation, its access VLAN, its native VLAN (the untagged VLAN on a trunk port), its allowed VLANs (the list of VLANs that can be carried on a trunk port), its pruning eligible VLANs (the list of VLANs that can be pruned from a trunk port if they are not needed), etc.
- show interfaces [interface-id] trunk: This command displays information about the trunking status of an interface, such as whether it is trunking or not, what protocol it is using, what VLANs are active on it, what VLANs are in STP forwarding state on it, etc.
Voice VLANs
Voice VLANs are a special type of VLAN that carry voice traffic from IP phones and separate it from data traffic from PCs.
To configure VLANs on a Cisco switch, you need to do the following steps:
- Create the VLANs and assign them names using the vlan and name commands in global configuration mode.
- Assign switch ports to the VLANs using the switchport mode access and switchport access vlan commands in interface configuration mode.
- Optionally, you can also configure trunk ports that allow multiple VLANs to pass through using the switchport trunk encapsulation, switchport mode trunk, and switchport trunk allowed vlan commands in interface configuration mode.
For example, let’s say we have two VLANs: VLAN 10 for sales department PCs and VLAN 20 for IP phones.
We also have a trunk port on GigabitEthernet0/1 that connects to another switch. The configuration would look like this:
Sw1(config)# vlan 10
Sw1(config-vlan)# name Sales
Sw1(config)# vlan 20
Sw1(config-vlan)# name Phones
Sw1(config)# interface GigabitEthernet0/1
Sw1(config-if)# switchport trunk encapsulation dot1q
Sw1(config-if)# switchport mode trunk
Sw1(config-if)# switchport trunk allowed vlan 10,20
Sw1(config)# interface GigabitEthernet0/3
Sw1(config-if)# switchport mode access
Sw1(config-if)# switchport access vlan 10
Sw1(config-if)# switchport voice vlan 20
Verify VLAN configuration of ports
To verify the configuration, you can use the following commands:
- show interfaces ifname switchport - show settings of a given port
- show interfaces trunk - show all trunking ports, including information on VLANs allowed on a given port and VLANs pruned by STP
For example, the output of show interfaces GigabitEthernet0/3 switchport would look like this:
Sw1# show interfaces GigabitEthernet0/3 switchport
Name: Gi0/3
Switchport: Enabled
Administrative Mode: static access
Operational Mode: static access
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: native
Negotiation of Trunking: Off
Access Mode VLAN: 10 (Sales)
Trunking Native Mode VLAN: 1 (default)
Voice VLAN: 20 (Phones)
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
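As an added example (not part of the original post), the following Python encodes the DTP mode table from the trunking section and audits show interfaces switchport output for ports that still negotiate trunking or carry every VLAN. The field names follow the output shown above; the DYNAMIC_PORT sample and the finding wording are constructed for illustration.

```python
# Result of DTP negotiation for (local mode, peer mode), taken from the mode table in the post.
# "error" is the access/trunk mismatch the table marks as not allowed.
DTP_OUTCOME = {
    "access":    {"access": "access", "trunk": "error", "auto": "access", "desirable": "access"},
    "trunk":     {"access": "error",  "trunk": "trunk", "auto": "trunk",  "desirable": "trunk"},
    "auto":      {"access": "access", "trunk": "trunk", "auto": "access", "desirable": "trunk"},
    "desirable": {"access": "access", "trunk": "trunk", "auto": "trunk",  "desirable": "trunk"},
}

def negotiate(local: str, peer: str) -> str:
    """Operational mode that forms when a port in `local` mode faces a port in `peer` mode."""
    return DTP_OUTCOME[local][peer]

def parse_switchport(output: str) -> dict:
    """Turn 'show interfaces <if> switchport' text into {lowercase field name: value}."""
    fields = {}
    for line in output.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip().lower()] = value.strip()
    return fields

def audit_port(fields: dict) -> list:
    """Findings a defender would raise from one port's parsed switchport fields."""
    findings = []
    admin = fields.get("administrative mode", "")
    oper = fields.get("operational mode", "")
    if admin.startswith("dynamic"):
        # 'dynamic auto' / 'dynamic desirable': the device on the other end decides whether
        # a trunk forms, so list the peer modes from the table that would produce one.
        dtp_mode = admin.split()[-1]
        trunk_peers = [p for p in DTP_OUTCOME if negotiate(dtp_mode, p) == "trunk"]
        findings.append(f"{admin}: a peer in {trunk_peers} mode forms a trunk; "
                        "hard-code switchport mode access or switchport mode trunk")
    if oper == "trunk" and fields.get("trunking vlans enabled", "").upper() == "ALL":
        findings.append("trunk carries ALL VLANs; restrict with switchport trunk allowed vlan")
    return findings

# Constructed sample output: the Gi0/3 access port from the post (abridged), and a port left at
# its dynamic auto default that has negotiated a trunk with whatever is plugged in.
ACCESS_PORT = """Name: Gi0/3
Switchport: Enabled
Administrative Mode: static access
Operational Mode: static access
Negotiation of Trunking: Off
Access Mode VLAN: 10 (Sales)
Voice VLAN: 20 (Phones)
Trunking VLANs Enabled: ALL
"""
DYNAMIC_PORT = """Name: Gi0/1
Switchport: Enabled
Administrative Mode: dynamic auto
Operational Mode: trunk
Negotiation of Trunking: On
Trunking Native Mode VLAN: 1 (default)
Trunking VLANs Enabled: ALL
"""
```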
What is VTP (VLAN Trunking Protocol)
This is a protocol that helps you manage the VLAN configuration across multiple switches.
VTP is a protocol that allows a switch to advertise its VLAN information (such as VLAN IDs, names, and status) to other switches in the same VTP domain.
A VTP domain is a group of switches that share the same VTP configuration, such as the domain name, password, and version.
VTP can reduce the administrative overhead of creating and maintaining VLANs on each switch individually.
It can also prevent inconsistencies and errors in the VLAN configuration.
VTP works by sending periodic VTP advertisements on trunk links.
A trunk link is a link that carries traffic from multiple VLANs.
VTP advertisements contain information such as the VTP domain name, the configuration revision number, the list of VLANs, and their attributes.
When a switch receives a VTP advertisement, it compares the configuration revision number with its own.
If the received number is higher, it means that the sender has a more recent VLAN configuration, and the receiver updates its own VLAN database accordingly.
If the received number is lower or equal, it means that the sender has an older or identical VLAN configuration, and the receiver ignores the advertisement.
Modes of VTP Operation
- Server mode: This is the default mode for most switches. A switch in server mode can create, modify, and delete VLANs locally, and store them in its NVRAM (non-volatile memory). It also sends and receives VTP advertisements, and synchronizes its VLAN database with other switches in the same domain. A VTP domain must have at least one server switch to function properly.
- Client mode: A switch in client mode cannot create, modify, or delete VLANs locally. It only relies on VTP advertisements from server switches to update its VLAN database. It also does not store its VLAN database in NVRAM, but only in RAM (volatile memory). It still sends and receives VTP advertisements, and forwards them to other switches.
- Transparent mode: A switch in transparent mode does not participate in VTP at all. It does not send or receive VTP advertisements, nor does it use them to update its VLAN database. It maintains its own VLAN database locally, and stores it in NVRAM. It can create, modify, and delete VLANs independently from other switches. However, it still forwards VTP advertisements that it receives on trunk links to other switches.
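The following Python is an added example, not from the post, that simulates the revision-number comparison and the three modes described above on a constructed three-switch topology, including the case where a previously used server switch with a higher revision number is plugged in. Domain, password and revision checks are simplified (real VTP carries an MD5 digest rather than the password itself), and the switch names and VLANs are made up.

```python
from dataclasses import dataclass, field

@dataclass
class Advert:                    # one VTP advertisement, simplified
    domain: str
    password: str                # real VTP carries an MD5 digest, not the password itself
    revision: int
    vlans: dict                  # {vlan_id: name}

@dataclass
class Switch:
    name: str
    mode: str                    # "server", "client" or "transparent"
    domain: str
    password: str = ""
    revision: int = 0
    vlans: dict = field(default_factory=lambda: {1: "default"})
    trunks: list = field(default_factory=list)   # neighbouring Switch objects

    def receive(self, adv: Advert, seen: set) -> None:
        if self.name in seen:                    # this advertisement already visited us
            return
        seen.add(self.name)
        if self.mode == "transparent":           # keeps its own database, only relays
            self.forward(adv, seen)
            return
        if adv.domain != self.domain or adv.password != self.password:
            return                               # other domain or wrong password: ignored
        if adv.revision > self.revision:         # higher revision wins, own database replaced
            self.vlans = dict(adv.vlans)
            self.revision = adv.revision
            self.forward(adv, seen)
        # lower or equal revision: ignored, as the text describes

    def forward(self, adv: Advert, seen: set) -> None:
        for peer in self.trunks:
            peer.receive(adv, seen)

    def advertise(self) -> None:
        """Send this switch's own database over every trunk link."""
        self.forward(Advert(self.domain, self.password, self.revision, dict(self.vlans)), {self.name})

def connect(a: Switch, b: Switch) -> None:
    a.trunks.append(b)
    b.trunks.append(a)

def scenario(newcomer_password: str) -> dict:
    """Constructed topology: core (server) - edge (transparent) - access (client); then a
    previously used server switch carrying revision 12 is plugged into the access switch."""
    core = Switch("core", "server", "CCNA", "Cisco123", 5, {1: "default", 10: "Sales", 20: "Phones"})
    edge = Switch("edge", "transparent", "CCNA", "Cisco123", 0, {1: "default", 99: "Mgmt"})
    access = Switch("access", "client", "CCNA", "Cisco123", 5, dict(core.vlans))
    newcomer = Switch("lab-sw", "server", "CCNA", newcomer_password, 12, {1: "default", 30: "Lab"})
    for a, b in ((core, edge), (edge, access), (access, newcomer)):
        connect(a, b)
    newcomer.advertise()
    return {s.name: (s.revision, sorted(s.vlans)) for s in (core, edge, access)}
```

With a matching password the newcomer's revision 12 replaces the Sales and Phones VLANs on both server and client, while the transparent edge switch keeps its own database; with a different password every switch ignores the advertisement.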
The three versions of VTP
They are VTPv1, VTPv2, and VTPv3. They are not compatible with each other, so all switches in a domain must use the same version.
The main differences between them are:
- VTPv1: This is the original version of VTP. It supports up to 1005 VLANs (from 1 to 1005). It does not support extended-range VLANs (from 1006 to 4094), nor private VLANs (a type of VLAN that isolates traffic within a subnet). It also does not support authentication or pruning (a feature that reduces unnecessary traffic on trunk links).
- VTPv2: This is an enhanced version of VTPv1. It supports all the features of VTPv1, plus extended-range VLANs, authentication, and pruning. It also has some improvements in stability and compatibility.
- VTPv3: This is the latest version of VTP. It supports all the features of VTPv2, plus private VLANs, generic attribute registration protocol (GARP) VLAN registration protocol (GVRP), multiple spanning tree protocol (MSTP), and unknown unicast flooding control. It also has some enhancements in security and flexibility.
VTP Configuration
To configure VTP on a switch, you need to enter the global configuration mode and use the following commands:
- vtp domain name: This command sets the name of the VTP domain. The name can be up to 32 characters long, and it is case-sensitive. All switches in a domain must have the same name.
- vtp password password: This command sets the password for the VTP domain. The password can be up to 64 characters long, and it is case-sensitive. All switches in a domain must have the same password. This command is optional for VTPv1 and VTPv2, but mandatory for VTPv3.
- vtp version number: This command sets the version of VTP to use. The number can be 1, 2, or 3. All switches in a domain must use the same version.
- vtp mode mode: This command sets the mode of VTP to use. The mode can be server, client, or transparent. The default mode is server.
Example
Let’s see how to configure a switch as a VTP server in the domain “CCNA” with the password “Cisco123” and the version 3. You can use the following commands:
(config)# vtp domain CCNA
(config)# vtp password Cisco123
(config)# vtp version 3
(config)# vtp mode server
To verify the VTP configuration on a switch, you can use the show vtp status command.
This command displays information such as the VTP domain name, password, version, mode, configuration revision number, and VLAN database.
VTP is a powerful protocol for managing VLANs in a network of switches.
However, it also comes with some risks.
For instance, if a switch with a higher configuration revision number joins a domain, it can overwrite the VLAN configuration of other switches, leading to network disruption or even an outage.
This can happen either accidentally or maliciously.
Therefore, it’s recommended to use VTP with caution and adhere to some best practices, such as:
- Use VTPv3 if possible, as it offers more features and security than previous versions.
- Use a strong and unique password for each VTP domain, and keep it confidential.
- Use transparent mode for switches that do not need to participate in VTP, such as edge switches or standalone switches.
- Use pruning to reduce unnecessary traffic on trunk links.
- Use authentication to prevent unauthorized switches from joining a domain.
- Use backup and restore procedures to recover from VTP errors or failures.
Summary
Ethernet Virtual LANs (VLANs) are a powerful tool for managing network traffic, improving performance, and enhancing security. We’ve explored how to implement VLANs on Cisco switches using the command-line interface (CLI), including creating VLANs, assigning them names and interfaces, and verifying our VLAN configuration. We’ve also delved into the world of trunking, which allows multiple VLANs to share a single physical link between switches.
We’ve learned about the different modes of VLAN Trunking Protocol (VTP) and how it can help manage VLAN configurations across multiple switches. We’ve also discussed the importance of using VTP with caution and following best practices to prevent network disruption or outage.
Furthermore, we’ve touched on the concept of Voice VLANs, which allow IP phones and PCs to connect to the same switch port without compromising quality or security. We’ve seen how to configure voice VLANs on a Cisco switch and verify the configuration.
Throughout this journey, we’ve encountered various key concepts such as VLAN IDs, access mode, trunking mode, spanning tree protocol, and database file. We’ve also learned about the different versions of VTP and their features.
As we continue to explore the vast world of networking, remember that these concepts and techniques are just the tip of the iceberg. There’s always more to learn and discover. So, keep experimenting, keep learning, and most importantly, have fun along the way! 🚀
If you have any queries, feel free to connect with me using the section below or the Contact Me tab in the top navigation.