I wrote about the theory, possibilities, and advantages of VLANs in the article VLAN - Virtual Local Area Network. I already covered part of the VLAN configuration, namely assigning a port to a VLAN or trunk, in the article Cisco IOS 3 - interface/port settings - access, trunk, port security. However, I did not cover the actual creation of VLANs. This article provides a comprehensive description of VLAN configuration and related matters.
VLAN Numbers
VLANs are commonly identified by a number, so we have, for example, VLAN 10. For easier memorization and orientation, names are also assigned to them.
Cisco switches in recent years should support these numerical ranges for VLANs. Older devices do not support numbers above 1005, and these VLANs are not transmitted using VTP and are not stored in the VLAN database.
VLANs | Description |
---|---|
0 and 4095 | Reserved for system use |
1 | Default VLAN, standardly contains all ports, cannot be deleted |
2-1001 | Common range for Ethernet VLANs |
1002-1005 | Special default VLANs for Token Ring and FDDI, cannot be deleted |
1006-4094 | Extended VLAN - extended VLANs for Ethernet, not always supported |
Creating and Naming VLANs
VLAN configuration is (on some types of switches) kept in the running configuration and in the vlan.dat file.
We create a new VLAN with the following command; if the VLAN already exists, the same command switches to its configuration.
SWITCH(config)#vlan 10 // create/switch to VLAN 10
We are now in the VLAN configuration and can set several parameters; it is good to set the VLAN name for easier orientation.
SWITCH(config-vlan)#name net1 // name the VLAN
Of the properties that can be set for the entire VLAN, I will only mention changing the IP MTU (the maximum size of the transmitted packet, i.e. the frame payload); the standard for Ethernet is 1500 B (the frame size is then 1518 B).
SWITCH(config-vlan)#mtu 2000 // possible values 576 to 18190 (depending on the type of switch)
Changes are saved when exiting the configuration.
SWITCH(config-vlan)#exit // one level up
We can delete a VLAN in the standard way. However, deleting a VLAN does not remove the bindings that exist for it (such as assigning ports to the VLAN).
SWITCH(config)#no vlan 10 // delete VLAN 10
Note: We can also create a VLAN by using it in a certain place. For example, if we assign a port to a non-existent VLAN, it will be created.
Setting an IP Address for a VLAN
VLANs are virtual interfaces, so we can perform a number of operations with them as with a classic interface (port). One option is to set an IP address, which actually sets the switch's address in the given VLAN.
SWITCH(config)#interface vlan 10 // switch to the SVI configuration
SWITCH(config-if)#ip address 192.168.190.1 255.255.255.0 // set the IP address
SWITCH(config-if)#no shutdown // bring up the interface
Switch Virtual Interface - SVI
The statement above is a simplification. More precisely, for each VLAN we can create a Switch Virtual Interface (SVI), which is the virtual interface just mentioned. A VLAN and its SVI exist independently of each other, although they are mapped to one another (at most 1:1). We create an SVI simply by entering its configuration, and we can do so even for a VLAN that does not exist yet. An SVI operates at Layer 3 of the ISO/OSI model; one is created by default for VLAN 1 (and cannot be deleted). We need an SVI if we want to perform inter-VLAN routing (route traffic between VLANs) or give the switch IP connectivity (for CLI access via telnet/SSH and similar functions).
SWITCH(config)#interface vlan 15 // create SVI
To delete an SVI, we use
SWITCH(config)#no interface vlan 15 // delete SVI
VLAN 1
On switches that support VLANs, at least one VLAN must exist because each port must be assigned to some VLAN. On Cisco devices, this is VLAN 1, and all ports are assigned to it by default.
From a security perspective, it is good not to use this default VLAN 1, or to use it only for guest access, and to create other VLANs for the actual network.
VLAN 1 cannot be deleted and cannot be disabled, which is possible for all other VLANs.
SWITCH(config-vlan)#shutdown // disable VLAN
Assigning a Port to a VLAN
By default, all ports are assigned to VLAN 1. If we want to configure an access port with a fixed assignment to a VLAN, we proceed as follows.
SWITCH(config)#interface f0/1 // switch to port configuration
SWITCH(config-if)#switchport mode access // set the port to access mode
SWITCH(config-if)#switchport access vlan 10 // assign it to VLAN 10
Voice VLAN
For VoIP (IP telephony), Cisco offers a number of simplifications. One of them is the setup where a Cisco phone (which contains a small 3-port switch) is connected to the port and a PC is connected behind it. On the port we set the access VLAN, which carries the PC's traffic, and also the voice VLAN (sometimes called the auxiliary VLAN; it has more uses), which carries the phone's traffic. For everything to work as it should, we must use a Cisco IP phone and CDP must be enabled on the port. Under the hood, the port behaves as a trunk: the access VLAN becomes the native VLAN (untagged) and the phone's traffic is tagged with 802.1Q.
SWITCH(config-if)#switchport voice vlan 20 // assign voice to VLAN 20
Trunk Configuration
To carry traffic of different VLANs between switches while preserving the VLAN information, a trunk needs to be established between them. It is configured on both sides, on the ports that connect the switches. We can use the IEEE 802.1Q standard (frame tagging) or the Cisco proprietary ISL (encapsulation), which is only supported on higher-end Cisco switches. It is also possible to list the VLANs that may be carried over the trunk; if the command is not specified, all VLANs are carried.
SWITCH(config)#interface f0/1 // switch to the correct port
SWITCH(config-if)#shutdown // recommended to first shut down the port
SWITCH(config-if)#switchport trunk encapsulation dot1q // choose the VLAN tagging method
SWITCH(config-if)#switchport trunk allowed vlan 2-200 // which VLANs are carried
SWITCH(config-if)#switchport trunk native vlan 10 // specify the native VLAN
SWITCH(config-if)#switchport mode trunk // set the port to TRUNK mode
SWITCH(config-if)#switchport nonegotiate // do not negotiate with the DTP protocol
SWITCH(config-if)#no shutdown // bring up the port
Note: The same configuration needs to be done on the other side. To establish a trunk, several prerequisites must be met: it must be a point-to-point link, and both ports must have the same speed, duplex, encapsulation method, and native VLAN (with ISL the native VLAN can differ).
Dynamic Trunking Protocol (DTP)
Dynamic Trunking Protocol (DTP) automatically negotiates whether a port becomes a trunk. From a security perspective, it is recommended not to use this option, because a station could negotiate a trunk for itself and then intercept all communication.
DTP configuration is done on each port.
- If we set the port to access mode, it is not affected by the DTP protocol.
- If we set it to trunk mode, its own mode cannot change, but it still uses DTP to negotiate the other side of the link into trunk mode.
- If the port is in trunk mode, we can set it not to generate DTP frames (and not use DTP at all).
SWITCH(config-if)#switchport nonegotiate
- The last option is to set the port to dynamic mode, actively using DTP.
SWITCH(config-if)#switchport mode dynamic auto // switches to trunk mode if a request is received
SWITCH(config-if)#switchport mode dynamic desirable // sends requests to create a trunk
The most suitable is to set access ports to access mode and trunk ports to trunk mode with negotiation disabled.
To display information about DTP, use the commands:
SWITCH#show dtp
SWITCH#show dtp interface f0/1
Displaying VLAN Information - show commands
SWITCH#show vlan // brief info about VLANs and port assignments
SWITCH#show vlan id 500 // list of ports in VLAN 500 and the MTU of the VLAN
SWITCH#show interface vlan 10 // information about the SVI
SWITCH#show running-config vlan // VLAN information from the running configuration
SWITCH#show interfaces f0/1 switchport // information about the port together with its VLANs
SWITCH#show interfaces trunk // info about trunks
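As an added example (not code from the article), a small Python audit that parses a saved running-config and flags ports deviating from the advice above: dynamic mode, trunks without `switchport nonegotiate`, trunks with no allowed-VLAN list or native VLAN, and access ports left in VLAN 1. The sample configuration is constructed and the function names are my own.

```python
# Constructed sample running-config (not from the article) to run the audit on.
SAMPLE_CONFIG = """interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
interface FastEthernet0/2
 switchport mode dynamic desirable
interface FastEthernet0/3
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 2-200
 switchport trunk native vlan 10
 switchport mode trunk
 switchport nonegotiate
interface FastEthernet0/4
 switchport mode trunk
"""

def parse_interfaces(config):
    """Group the indented lines under each 'interface' stanza by interface name."""
    sections, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(" ", 1)[1]
            sections[current] = []
        elif line.startswith(" ") and current is not None:
            sections[current].append(line.strip())
        else:
            current = None  # '!' or a global command ends the stanza
    return sections

def audit(config):
    """Flag ports that break the rule: access mode, or trunk mode with DTP off."""
    findings = {}
    for name, lines in parse_interfaces(config).items():
        mode = next((l.split()[2] for l in lines if l.startswith("switchport mode ")), None)
        has = lambda prefix: any(l.startswith(prefix) for l in lines)
        issues = []
        if mode == "dynamic":
            issues.append("DTP negotiation enabled (dynamic mode)")
        if mode == "trunk":
            if "switchport nonegotiate" not in lines:
                issues.append("trunk still sends DTP frames (no nonegotiate)")
            if not has("switchport trunk allowed vlan"):
                issues.append("trunk carries all VLANs (no allowed list)")
            if not has("switchport trunk native vlan"):
                issues.append("native VLAN left at default VLAN 1")
        if mode == "access" and not has("switchport access vlan"):
            issues.append("access port left in default VLAN 1")
        if issues:
            findings[name] = issues
    return findings
```

Feed it the output of `show running-config` saved to a file; only FastEthernet0/2 and FastEthernet0/4 are reported for the sample above.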
VTP - VLAN Trunking Protocol
We usually want the created VLANs to exist throughout the network (or at least in a certain part of it, not just on one switch). Trunks carry the traffic of these VLANs between switches, but for that to work the VLANs must be created on each switch. With a small number of switches (and when we want more control), we configure the VLANs manually on each switch, which is usually not much work. However, we must remember to configure every new VLAN everywhere when it is created.
The second option is to use the VLAN Trunking Protocol (VTP), which is an L2 protocol used to transmit VLAN information between switches. VTP manages the addition, deletion, and renaming of VLANs within a VTP domain. A VTP domain consists of one or more network devices that have the same domain name (optionally also a password) and are connected via trunks.
The principle is that each switch in the VTP domain is set to one of three modes:
- server - manages the list of all VLANs and stores it in NVRAM; can create and delete VLANs; receives and sends advertisements over trunks in the VTP domain; this is the default mode
- client - receives the configuration from the server and keeps a local copy of all VLANs that cannot be changed and is not stored in NVRAM; receives and sends advertisements
- transparent - does not participate in VTP and works independently; can create and delete VLANs, but the changes are local; receives advertisements and, in version 2, also forwards them (but neither synchronizes its VLANs nor advertises them); this is the only mode in which Extended and Private VLANs can be created; the VTP and VLAN configuration is stored in NVRAM
Note: VTP configuration, if in server or client mode, is not found in the running config.
The server sends VTP advertisements (only over trunks) every 5 minutes or whenever the configuration changes. The server maintains a configuration revision number, which increases by one with each change; during synchronization the client compares its own number with the received one. VTP advertisements contain the management domain, the revision number, the VTP version, and the known VLANs with their parameters. There are three types of advertisements: Summary, Subset, and Client Request.
Note: The standardized equivalent of VTP is the Generic VLAN Registration Protocol - GVRP and its successor Multiple VLAN Registration Protocol - MVRP. However, it is rarely found on Cisco devices.
VTP Configuration
To configure, we must first create a VTP domain; there can be multiple domains, and information is transmitted only within the domain.
Note: VTP packets do not pass through a router.
SWITCH(config)#vtp domain domain1
Optionally, we can set a password, which must be the same on all switches in the domain. The password is not stored in the running-config.
SWITCH(config)#vtp password password
Finally, we set the mode in which the switch operates.
SWITCH(config)#vtp mode server // options server, client, transparent
On today's Cisco switches, we can use VTP in two versions (VTP 1 and 2). Version 2 additionally supports Token Ring, VLAN consistency checks, unrecognized TLVs, and forwarding of advertisements in Transparent mode. The default is version 1, and the setting can be changed.
SWITCH(config)#vtp version 2
We can get information about VTP using the commands
SWITCH#show vtp status // basic info about VTP operation on the switch
SWITCH#show vtp counters // VTP transmission statistics
SWITCH#show vtp password // displays the VTP password
VTP Pruning
We can also enable pruning. It is configured on the VTP server and affects the entire domain. It prevents flooded traffic (broadcast, multicast, unknown unicast) of a given VLAN from being sent over a trunk to switches that have no port in that VLAN and no active path through it.
SWITCH(config)#vtp pruning
VLAN 1 is pruning ineligible, meaning pruning does not apply to it. VLANs 2 to 1001 are by default pruning eligible, but this can be changed through configuration.
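As an added example (not code from the article or from Cisco), a small Python model of the VTP rules described above: the domain name and password must match, server and client switches adopt an advertised VLAN list that carries a higher revision number, and transparent switches keep their own list and forward advertisements only in version 2. The `scenario` function reproduces the case where a switch with the same domain but a higher revision number is attached and its VLAN list replaces the others; the class and function names are my own, and the assumption that a server accepts a higher revision just like a client is standard VTP behaviour.

```python
from dataclasses import dataclass, field

# Constructed model of the VTP synchronisation rules; not Cisco's implementation.
# Revision numbers, domain names and VLAN names below are made up for the demo.

@dataclass
class Switch:
    domain: str
    mode: str                      # "server", "client" or "transparent"
    revision: int = 0
    password: str = ""
    version: int = 1
    vlans: dict = field(default_factory=lambda: {1: "default"})

    def add_vlan(self, vid, name):
        """Local VLAN creation; only a server bumps the revision number."""
        if self.mode == "client":
            raise PermissionError("a VTP client cannot create VLANs")
        if vid > 1005 and self.mode != "transparent":
            raise ValueError("extended VLANs can only be created in transparent mode")
        self.vlans[vid] = name
        if self.mode == "server":
            self.revision += 1

    def advertise(self):
        return {"domain": self.domain, "password": self.password, "revision": self.revision, "vlans": dict(self.vlans)}

    def receive(self, adv):
        """Apply an advertisement received over a trunk; return what happened to it."""
        if adv["domain"] != self.domain or adv["password"] != self.password:
            return "ignored"
        if self.mode == "transparent":
            return "forwarded" if self.version == 2 else "dropped"
        if adv["revision"] > self.revision:
            self.vlans, self.revision = dict(adv["vlans"]), adv["revision"]
            return "synced"
        return "up to date"

def scenario():
    """Server and client in domain1, then a switch with the same domain and
    password but a higher revision number is attached: its stale list wins."""
    core = Switch("domain1", "server", password="s3cret")
    edge = Switch("domain1", "client", password="s3cret")
    core.add_vlan(10, "net1")
    core.add_vlan(20, "voice")
    edge.receive(core.advertise())            # edge now knows VLANs 1, 10, 20
    stray = Switch("domain1", "server", password="s3cret",
                   revision=50, vlans={1: "default", 99: "lab"})
    outcomes = (edge.receive(stray.advertise()), core.receive(stray.advertise()))
    return core, edge, outcomes
```

After `scenario()` both `core` and `edge` carry only VLANs 1 and 99 at revision 50, which is why a switch joining a domain should be reset to revision 0 (or kept in transparent mode) first.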
Great article, exactly what I needed to get up to speed
Really super, your articles are concise but at the same time very to the point. Thx much
Thank you. Reactions like these are a pleasure :). I still need to gain more readers.
By chance (as always) I found this page and it looks really great, saving it to my folder of useful links! :)
It finally got me up to speed too :D
Nice. I'd just point out that one quite often encounters older switches (e.g. the 2900 series, where support ends with IOS 12.0.5-WC17). On those, VLAN and VTP in particular are configured differently:
SwitchA# vlan database
SwitchA(vlan)# vlan 10 name Horni
SwitchA(vlan)# vlan 20 name Dolni
SwitchA(vlan)# vtp domain Cisco
SwitchA(vlan)# vtp server
SwitchA(vlan)# exit
Yep, a well-done description, thanks, it gave me a bit of a push towards understanding trunks and VTP setup
With VTP it might be worth mentioning that it doesn't work with VLANs > 1005
respond to [8]davro: True, for some people it's good to state it this clearly. I do have it written there that Extended VLANs can only be used in VTP Transparent.
respond to [9]Samuraj:
Unfortunately the term Extended VLAN isn't described in the article, and since it's Cisco terminology, this "feature" could somewhat confuse an uninformed person who has just bought one :)
An article on GVRP might also come in handy (just a suggestion :))
respond to [10]tomfi: The first chapter, VLAN Numbers, but I only stated it there in Czech.
Hi Samuraj. Thank you for these great IT pages. I use them a lot. They're concise and to the point, and I know that when I type VTP into the search box on your site it finds what I have in mind, unlike when googling, where I get Voda Topení Plyn (Water Heating Gas) :-D
Perfect stuff. And it helps not only at work but also at school :) tomorrow I have a practical networking test and this is exactly what I needed. thanks a lot :)
One more small thing: if someone uses DTP in dynamic mode, the VTP domains must match too! Otherwise the two switches won't agree on the trunk. Another tricky thing regarding VTP pruning is trunks towards other vendors; it can easily happen that an edge Cisco switch cuts off access ports on another vendor's switch...
Detailed Cisco description with all the trimmings: www.cisco.com/en/US/tech/tk389/tk689/technologies_tech_note09186a0080094c52.shtml
Really great, thanks a lot!!
I'm right now at Cisco training A2 and using DTP or VTP is no longer recommended, for those who want to avoid problems :)
Better to do everything by hand, but then I'm sure the trunk comes up where it should and I won't lose VLANs because of some newly connected switch (with the same domain and a higher rev. number)
Anyway thanks, great work, great site!
Hello,
first I have to point out that your articles are really readable and above all understandable. I have a VLAN configured on a Cisco 2960, on test port Gi0/47, and I also have a DHCP server set up there. The VLAN works and the DHCP server hands out addresses, so where's the problem? I have no internet...,
I have only one gateway in the network, so I also set this gateway as ip default-gateway, and in the DHCP configuration -> default-router I also specified this gateway, but something is probably wrong.
Thanks for the advice
Regards
Tomas
respond to [17]Tomas: And is that GW connected to the same VLAN? Can you ping the GW from a computer that got an IP address from that DHCP?
Hi, great articles. Just a small note. The default VLAN 1 can be disabled.
respond to [19]Ronald: I'd be curious how. We can shut down the VLAN 1 interface, but we can't disable VLAN 1 itself (if we try, we get a message that it's not possible).
respond to [20]Samuraj:
You're right :) I wrote it wrong. The Vlan 1 interface can be shut down
respond to [16]Michal: I was also told somewhere at a training (CCNA, I think) not to use VTP. In my opinion, if the necessary steps are followed and I don't connect a switch with the same VTP domain as the server (and where would I get one anyway), then everything is fine. And in practice, once you run into a network without VTP, it's quite a pain. Right now I'm dealing with just a small part in the server room and it's such a mess when about 3 people add VLANs manually. During a maintenance window I'll be converting it to VTP.
Does anyone have experience with two VTP servers in one VTP domain? I've glimpsed that it's possible, but somehow I can't find precise and reliable information and I have nowhere to test it. But it seems like a good idea to me in case the VTP server switch dies. But without messing up the whole VTP domain on the Rev number.