
Cisco IOS 7 - VLAN configuration, VTP

Edited 23.04.2009 09:35 | created | Petr Bouška - Samuraj
Another description of the Cisco IOS operating system, this time focused on the important, and in practice necessary, area of virtual local networks (VLANs). I covered the theory in an earlier article, so this is a practical description of VLAN configuration. Also covered are the Dynamic Trunk Protocol (DTP) for automatic trunk negotiation and the useful VLAN Trunking Protocol (VTP), which lets us configure a VLAN in one place and distribute it automatically to the other switches.

I wrote about the theory, possibilities, and advantages of VLANs in the article VLAN - Virtual Local Area Network. I have already described some information about VLAN configuration, in connection with assigning a port to a VLAN or trunk, in the article Cisco IOS 3 - interface/port settings - access, trunk, port security. However, I did not mention the actual creation of VLANs. This article provides a comprehensive description of VLAN configuration and related matters.

VLAN Numbers

VLANs are commonly identified by a number, so we have, for example, VLAN 10. For easier memorization and orientation, names are also assigned to them.

Cisco switches from recent years should support the VLAN number ranges below. Older devices do not support numbers above 1005; such VLANs are also not propagated by VTP and are not stored in the VLAN database.

VLANs       Description
0, 4095     Reserved for system use
1           Default VLAN, by default contains all ports, cannot be deleted
2-1001      Normal range for Ethernet VLANs
1002-1005   Special default VLANs for Token Ring and FDDI, cannot be deleted
1006-4094   Extended VLANs for Ethernet, not supported on every switch

Creating and Naming VLANs

VLAN configuration is (for some types of switches) maintained in the running configuration and in the vlan.dat file.

We create a new VLAN with the following command; if the VLAN already exists, the command switches to its configuration instead.

SWITCH(config)#vlan 10                      // create/switch to VLAN 10

We are now in VLAN configuration mode and can set several parameters. It is good practice to give the VLAN a name for easier orientation.

SWITCH(config-vlan)#name net1               // name the VLAN 

Of the properties that can be set for the whole VLAN, I will only mention changing the MTU (the maximum size of the transmitted frame payload). The standard for Ethernet is 1500 B (which gives a frame size of 1518 B).

SWITCH(config-vlan)#mtu 2000                // possible values 576 to 18190 (depending on the type of switch)

Changes are saved when exiting the configuration.

SWITCH(config-vlan)#exit                    // one level up

We can delete a VLAN in the standard way. However, deleting a VLAN does not remove the bindings that exist for it (such as assigning ports to the VLAN).

SWITCH(config)#no vlan 10                   // delete VLAN 10

Note: We can also create a VLAN by using it in a certain place. For example, if we assign a port to a non-existent VLAN, it will be created.

Setting an IP Address for a VLAN

VLANs are virtual interfaces, so we can perform a number of operations with them as with a classic interface (port). One option is to set an IP address, which actually sets the switch's address in the given VLAN.

SWITCH(config)#interface vlan 10                          // switch to configuration
SWITCH(config-if)#ip address 192.168.190.1 255.255.255.0  // set IP address
SWITCH(config-if)#no shutdown                             // bring up the interface

Switch Virtual Interface - SVI

The description above is a simplification. Strictly speaking, for each VLAN we can create a Switch Virtual Interface (SVI), which is the virtual interface mentioned above. VLANs and SVIs exist independently of each other, although a mapping (at most 1:1) between an SVI and a VLAN is performed. We create an SVI simply by entering its configuration, and we can create one even for a VLAN that does not exist. An SVI operates at layer 3 of the ISO/OSI model; one is created by default for VLAN 1 (and cannot be deleted). We need an SVI if we want to perform inter-VLAN routing (route traffic between VLANs) or provide IP connectivity to the switch itself (for CLI access via telnet/SSH and similar functions).

SWITCH(config)#interface vlan 15        // create SVI

To delete an SVI, we use

SWITCH(config)#no interface vlan 15     // delete SVI

VLAN 1

On switches that support VLANs, at least one VLAN must exist because each port must be assigned to some VLAN. On Cisco devices, this is VLAN 1, and all ports are assigned to it by default.

From a security perspective, it is good not to use this default VLAN 1, or to use it only for guest access, and to create other VLANs for the actual network.

VLAN 1 can be neither deleted nor shut down; all other VLANs can be shut down.

SWITCH(config-vlan)#shutdown            // disable VLAN

Assigning a Port to a VLAN

By default, all ports are assigned to VLAN 1. If we want to configure an access port with a fixed assignment to a VLAN, we proceed as follows.

SWITCH(config)#interface f0/1                // switch to port configuration
SWITCH(config-if)#switchport mode access     // set port to access mode
SWITCH(config-if)#switchport access vlan 10  // assign to VLAN 10

Voice VLAN

For VoIP (IP telephony), Cisco offers a number of simplifications. One of them is the setup where a Cisco phone (which contains a small 3-port switch) is connected to the port and a PC is connected behind the phone. On the port we set the access VLAN, which carries the PC's traffic, and also the voice VLAN (sometimes called the auxiliary VLAN, as it has other uses too), which carries the phone's traffic. For everything to work as intended, a Cisco IP phone must be used and CDP must be enabled on the port. Under the hood the port actually operates as a trunk: the access VLAN becomes the native (untagged) VLAN and the phone's traffic is tagged with 802.1Q.

SWITCH(config-if)#switchport voice vlan 20   // assign voice to VLAN 20

Trunk Configuration

To carry VLAN information and transmit the data of different VLANs between switches, a trunk needs to be established between them. It is configured on both sides, on the ports that connect the switches. We can use the IEEE 802.1Q standard (frame tagging) or the Cisco proprietary ISL (encapsulation), which is only supported on higher-end Cisco switches. It is also possible to list the VLANs that may be carried over the trunk; if the command is not specified, all VLANs are carried.

SWITCH(config)#interface f0/1                           // switch to the correct port
SWITCH(config-if)#shutdown                              // recommended to first shut down the port
SWITCH(config-if)#switchport trunk encapsulation dot1q  // choose the VLAN differentiation method
SWITCH(config-if)#switchport trunk allowed vlan 2-200   // which VLANs are transmitted
SWITCH(config-if)#switchport trunk native vlan 10       // specify the native VLAN
SWITCH(config-if)#switchport mode trunk                 // set the port to TRUNK mode
SWITCH(config-if)#switchport nonegotiate                // do not negotiate with the DTP protocol
SWITCH(config-if)#no shutdown                           // bring up the port

Note: The same configuration needs to be done on the other side. Several prerequisites must be met to establish a trunk: it must be a point-to-point link, and both ports must have the same speed, duplex, encapsulation method and native VLAN (with ISL the native VLAN can differ).

Dynamic Trunk Protocol (DTP)

Dynamic Trunk Protocol (DTP) is used to negotiate automatically whether a port becomes a trunk. From a security perspective it is recommended not to use this option, because a connected station could negotiate a trunk and then intercept all communication.

DTP configuration is done per port.

  • If we set the port to access mode, it is not affected by DTP.
  • If we set it to trunk mode, its mode cannot change, but it still uses DTP to negotiate the other side of the link into trunk mode.
  • If the port is in trunk mode, we can set it not to generate DTP frames (and not use DTP at all):
    SWITCH(config-if)#switchport nonegotiate
  • The last option is to set the port to dynamic mode, which actively uses DTP:
    SWITCH(config-if)#switchport mode dynamic auto      // switches to trunk mode if a request is received
    SWITCH(config-if)#switchport mode dynamic desirable // sends requests to create a trunk

The most suitable is to set access ports to access mode and trunk ports to trunk mode with negotiation disabled.

To display information about DTP, use the commands:

SWITCH#show dtp
SWITCH#show dtp interface f0/1
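As an added illustration (not part of the original article), the following Python script applies the recommendations above to text in the format of `show interfaces <port> switchport`: it flags dynamic modes and trunks that still negotiate with DTP, flags access ports left in VLAN 1, and compares the encapsulation and native VLAN of both ends of a link, two of the trunk prerequisites listed above. The sample output is constructed (not captured from a real device), the field names follow IOS output as I know it, and speed and duplex do not appear in this output, so they are not checked.

```python
import re

# Constructed sample output, modelled on "show interfaces <port> switchport";
# not captured from a real device. One block per side of the same link.
SIDE_A = """\
Name: Fa0/1
Administrative Mode: trunk
Administrative Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 10 (net1)
Trunking VLANs Enabled: 2-200
"""

SIDE_B = """\
Name: Gi0/24
Administrative Mode: dynamic auto
Administrative Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Trunking VLANs Enabled: ALL
"""

def parse_switchport(text):
    """Turn the 'Key: value' lines into a dict, dropping the '(name)' suffix of VLAN fields."""
    port = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = (s.strip() for s in line.split(":", 1))
            port[key] = re.sub(r"\s*\(.*\)$", "", value)
    return port

def audit_port(port):
    """Findings for one port, following the article's recommendations."""
    findings = []
    mode = port.get("Administrative Mode", "")
    if mode.startswith("dynamic"):
        findings.append("DTP dynamic mode: use 'switchport mode access' or 'switchport mode trunk'")
    if mode == "trunk" and port.get("Negotiation of Trunking") == "On":
        findings.append("trunk still negotiates: add 'switchport nonegotiate'")
    if mode == "access" and port.get("Access Mode VLAN") == "1":
        findings.append("access port left in the default VLAN 1")
    return findings

def audit_trunk_pair(a, b):
    """Trunk prerequisites visible in this output: same encapsulation and native VLAN on both ends."""
    findings = []
    for key in ("Administrative Trunking Encapsulation", "Trunking Native Mode VLAN"):
        if a.get(key) != b.get(key):
            findings.append(f"{key} mismatch: {a.get(key)} vs {b.get(key)}")
    return findings

def audit_link(text_a, text_b):
    """Audit both ends of one link; returns {port name: findings} plus the pair check under 'link'."""
    a, b = parse_switchport(text_a), parse_switchport(text_b)
    return {a["Name"]: audit_port(a), b["Name"]: audit_port(b), "link": audit_trunk_pair(a, b)}
```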

Displaying VLAN Information - show commands

SWITCH#show vlan                        // brief info about VLAN and port assignments
SWITCH#show vlan id 500                 // list of ports in VLAN 500 and MTU for the VLAN
SWITCH#show interface vlan 10           // information about SVI
SWITCH#show running-config vlan         // information about VLAN from the running configuration
SWITCH#show interfaces f0/1 switchport  // information about the port along with VLAN
SWITCH#show interfaces trunk            // info about trunks

VTP - VLAN Trunking Protocol

We usually want the created VLANs to exist throughout the network (or in a certain part, but not just on one switch). To transmit data in these VLANs between switches, trunks are used. However, to work with these VLANs, they must be created on each switch. With a smaller number of switches (and if we want more control), we configure these VLANs manually on each switch (usually not much work). However, we must remember to configure the new VLAN everywhere when it is created.

The second option is to use the VLAN Trunking Protocol (VTP), which is an L2 protocol used to transmit VLAN information between switches. VTP manages the addition, deletion, and renaming of VLANs within a VTP domain. A VTP domain consists of one or more network devices that have the same domain name (optionally also a password) and are connected via trunks.

The principle is that each switch in the VTP domain is set to one of three modes:

  • server - manages the list of all VLANs and stores it in NVRAM; can create and delete VLANs; receives and sends advertisements over the trunks in the VTP domain; this is the default mode
  • client - receives the configuration from the server and keeps a local copy of all VLANs, which cannot be changed and is not stored in NVRAM; receives and sends advertisements
  • transparent - does not participate in VTP and works independently; can create and delete VLANs, but the changes stay local; receives advertisements and in version 2 also forwards them (but neither synchronizes its own VLANs nor advertises them); this is the only mode in which we can create Extended and Private VLANs; the VTP and VLAN configuration is stored in NVRAM

Note: VTP configuration, if in server or client mode, is not found in the running config.

The server sends (only over trunks) VTP advertisements every 5 minutes or when there is a configuration change. The server maintains a configuration revision number, which increases by one with each change. The client compares its number with the received number during synchronization. VTP advertisements contain the management domain, revision number, VTP version, known VLANs and their parameters. Advertisements are of three types: Summary, Subset, and Client Request.

Note: The standardized equivalent of VTP is the Generic VLAN Registration Protocol - GVRP and its successor Multiple VLAN Registration Protocol - MVRP. However, it is rarely found on Cisco devices.

VTP Configuration

To configure, we must first create a VTP domain; there can be multiple domains, and information is transmitted only within the domain.

Note: VTP packets do not pass through a router.

SWITCH(config)#vtp domain domain1 

Optionally, we can set a password, which must be the same on all switches in the domain. The password is not stored in the running-config.

SWITCH(config)#vtp password password 

Finally, we set the mode in which the switch operates.

SWITCH(config)#vtp mode server     // options server, client, transparent

On today's Cisco switches we can use VTP in two versions (VTP 1 and 2). Version 2 additionally supports Token Ring VLANs, VLAN consistency checks, passing on unrecognized TLVs, and forwarding of advertisements in transparent mode. The default is version 1, and the setting can be changed.

SWITCH(config)#vtp version 2 

We can get information about VTP using the commands

SWITCH#show vtp status          // basic info about VTP operation on the switch
SWITCH#show vtp counters        // VTP transmission statistics
SWITCH#show vtp password        // displays the VTP password
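To make the revision-number synchronisation described above and the role of the domain name, password and mode concrete, here is an added Python model (my own simplification, not the article's code and not a real VTP implementation) of a server advertising to other switches: a switch accepts an advertisement only if the domain matches, the password-derived digest verifies and the revision is higher than its own, while a transparent switch never synchronises and a client can never create VLANs. The `Summary` and `Switch` classes and the `digest_for` helper are assumptions of this model.

```python
import hashlib
from dataclasses import dataclass, field

@dataclass
class Summary:
    """Simplified VTP advertisement: only the fields the article names (domain, revision,
    version, VLAN list) plus a digest standing in for VTP's MD5 that covers the password."""
    domain: str
    revision: int
    version: int
    vlans: dict
    digest: str

def digest_for(domain, revision, password, vlans):
    # Hypothetical stand-in for the real VTP MD5 computation: same inputs give the same digest.
    data = f"{domain}|{revision}|{password}|{sorted(vlans.items())}".encode()
    return hashlib.md5(data).hexdigest()

@dataclass
class Switch:
    name: str
    mode: str                      # server | client | transparent
    domain: str
    password: str = ""
    revision: int = 0
    vlans: dict = field(default_factory=lambda: {1: "default"})

    def add_vlan(self, vid, name):
        """Clients cannot create VLANs; extended VLANs (>1005) are only allowed in transparent mode."""
        if self.mode == "client":
            raise PermissionError(f"{self.name}: a VTP client cannot create VLANs")
        if vid > 1005 and self.mode != "transparent":
            raise ValueError("extended VLANs are only allowed in transparent mode")
        self.vlans[vid] = name
        if self.mode == "server":
            self.revision += 1     # every change bumps the configuration revision

    def advertise(self):
        """What a server sends over its trunks (every 5 minutes or on a change)."""
        return Summary(self.domain, self.revision, 2, dict(self.vlans),
                       digest_for(self.domain, self.revision, self.password, self.vlans))

    def receive(self, adv):
        """Return True if the local VLAN database was replaced by the advertisement."""
        if self.mode == "transparent" or adv.domain != self.domain:
            return False           # transparent only forwards; other domains are ignored
        expected = digest_for(adv.domain, adv.revision, self.password, adv.vlans)
        if adv.digest != expected:
            return False           # password mismatch: the digest does not verify
        if adv.revision <= self.revision:
            return False           # nothing newer than what we already hold
        self.vlans, self.revision = dict(adv.vlans), adv.revision
        return True

def sync_domain(server, others):
    """Deliver one advertisement from the server to each other switch; report who synchronised."""
    adv = server.advertise()
    return {sw.name: sw.receive(adv) for sw in others}
```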

VTP Pruning

We can also enable pruning. It is configured on the VTP server and affects the entire domain. It prevents unnecessary traffic (broadcast, multicast and unknown unicast) from being sent over trunks to switches that have no port in the given VLAN and no active path to such a port.

SWITCH(config)#vtp pruning 

VLAN 1 is pruning ineligible, meaning pruning does not apply to it. VLANs 2 to 1001 are by default pruning eligible, but this can be changed through configuration.

Comments
  1. [1] Honza

    :-) Great article, exactly what I needed to get up to speed.

    Wednesday, 20.06.2007 08:59
  2. [2] regiss

    Really great, your articles are brief but at the same time very much to the point. Thx much ;-)

    Saturday, 14.07.2007 15:12
  3. [3] Samuraj

    Thank you. Reactions like this are a pleasure :). I still need to gain more readers.

    Monday, 16.07.2007 17:54
  4. [4] bf

    By chance (as always ;-)) I found this page and it looks really great, I'm saving it to my folder of useful links! :)

    Thursday, 11.10.2007 10:06
  5. [5] erik

    :-) It finally got me up to speed too :D

    Wednesday, 04.06.2008 11:05
  6. [6] Jarda

    Nice :-). I'd just point out that you quite often come across older switches (e.g. the 2900 series, where support ends with IOS 12.0.5-WC17). On those, VLANs and VTP in particular are configured differently:

    SwitchA# vlan database

    SwitchA(vlan)# vlan 10 name Horni

    SwitchA(vlan)# vlan 20 name Dolni

    SwitchA(vlan)# vtp domain Cisco

    SwitchA(vlan)# vtp server

    SwitchA(vlan)# exit

    Tuesday, 17.06.2008 15:59
  7. [7] Yen

    Yep, a well-done description, thanks ;-) it gave me a bit of a push towards understanding trunks and VTP settings :-)

    Tuesday, 24.02.2009 11:11
  8. [8] davro

    Regarding VTP, it might be worth mentioning that it does not work with VLANs > 1005.

    Friday, 24.04.2009 10:24
  9. [9] Samuraj

    respond to [8]davro: True, for some people it is good to state it this clearly. I do have it written there that Extended VLANs can only be used in VTP Transparent mode.

    Friday, 24.04.2009 10:34
  10. [10] tomfi

    respond to [9]Samuraj:

    Unfortunately the term Extended VLAN is not described in the article, and since it is Cisco terminology, this "feature" could somewhat confuse an uninformed person who has just bought one :)

    An article about GVRP might also come in handy (just a suggestion :))

    Sunday, 26.04.2009 23:41
  11. [11] Samuraj

    respond to [10]tomfi: The first chapter, VLAN Numbers, but there I only stated it in Czech :-).

    Monday, 27.04.2009 08:33
  12. [12] Katka M.

    Hi Samuraj. Thank you for these great IT pages. I use them a lot. They are brief and to the point, and I know that when I type VTP into the search box on your site, it finds what I have in mind and not, as when googling, Voda Topení Plyn (water, heating, gas) :-D

    Thursday, 04.03.2010 15:00
  13. [13] miso

    Perfect stuff. It helps not only at work but also at school :) Tomorrow I have a practical networking test and this is exactly what I needed. Thanks a lot :)

    Sunday, 02.05.2010 23:52
  14. [14] Longmatys

    One more small thing: if someone uses DTP in dynamic mode, the VTP domains must match too! Otherwise the two switches will not agree on the trunk. Another tricky thing about VTP pruning is trunks towards other vendors; it can easily happen that an edge Cisco switch cuts off access ports on another vendor's switch...

    Detailed Cisco description with all the trimmings: www.cisco.com/en/US/tech/tk389/tk689/technologies_tech_note09186a0080094c52.shtml

    Tuesday, 11.05.2010 10:48
  15. [15] Děda

    Really great, thanks a lot!!:-)

    Wednesday, 03.11.2010 16:34
  16. [16] Michal

    I'm currently at Cisco training A2, and using DTP or VTP is no longer recommended, for those who want to avoid problems :)

    Better to do everything nicely by hand, but then I can be sure the trunk comes up where it should and I won't lose a VLAN because of some newly connected switch (with the same domain and a higher rev. number)

    Otherwise thanks, great work, great site!

    Wednesday, 23.02.2011 10:42
  17. [17] Tomas

    Hello,

    first I must note that your articles are really readable and above all understandable. I have a VLAN configured on a Cisco 2960. I have it on test port Gi0/47, and I also have a DHCP server set up there. The VLAN works and the DHCP server hands out addresses, so where is the problem? I have no internet...,

    In the network I have only one gateway, so I also set this gateway as ip default-gateway, and in the DHCP configuration -> default-router I also specified this gateway, but something is probably wrong.

    Thank you for your advice

    Regards

    Tomas

    Tuesday, 08.11.2011 23:50
  18. [18] Samuraj

    respond to [17]Tomas: And is that GW connected to the same VLAN? Can the GW be pinged from a computer that got an IP address from that DHCP?

    Wednesday, 09.11.2011 09:40
  19. [19] Ronald

    Hi, great articles. Just a small note. The default VLAN 1 can be shut down.

    Monday, 19.03.2012 14:54
  20. [20] Samuraj

    respond to [19]Ronald: Well, I'd be curious how :-). We can shut down the VLAN 1 interface, but VLAN 1 itself cannot be shut down (when we try, we get a message that it is not possible).

    Monday, 19.03.2012 15:58
  21. [21] Roland

    respond to [20]Samuraj:

    You are right :) I wrote it wrong. The Vlan 1 interface can be shut down.

    Friday, 23.03.2012 13:03
  22. [22] Hrošík

    respond to [16]Michal: I was also told somewhere at a training (CCNA, I think) not to use VTP. In my opinion, if the necessary steps are followed and I don't connect a switch with the same VTP domain as the server (and where would I get one anyway), everything is fine. And in practice, once you come across a network without VTP, it's quite a pain. Right now I'm dealing with just a small part in the server room and it's such a mess when about 3 people add VLANs there by hand. During the maintenance window I'll be converting it to VTP.

    Friday, 29.01.2016 19:53
  23. [23] Hrošík

    Does anyone have experience with two VTP servers in one VTP domain? I've seen that it's possible, but I somehow can't find exact and reliable information, and I have nowhere to test it. But it seems like a good idea to me, in case the VTP server switch dies. But so that I don't mess up the whole VTP domain with the Rev number.

    Friday, 29.01.2016 20:53