Enabling and Configuring VLAN Trunking Protocol (VTP) on Cisco 1900 Switches

The VLAN Trunking Protocol (VTP) is used to manage the configuration of switches that are part of a VTP management domain, as we learned in Chapter 3. Recall that three VTP modes exist – server, client, and transparent mode. Once a VTP server is configured, any changes made (such as adding or removing VLANs) will be propagated throughout the VTP domain. Remember that all members of the same VTP management domain must be configured with the same VTP password.

Cisco1912#config t
Enter configuration commands, one per line. End with CNTL/Z
Cisco1912(config)#vtp ?
client VTP client
domain Set VTP domain name
password Set VTP password
pruning VTP pruning
server VTP server
transparent VTP transparent
trap VTP trap
Cisco1912(config)#vtp server
Cisco1912(config)#vtp domain ?
WORD Name of the VTP management domain
Cisco1912(config)#vtp domain 2000trainers.com
Cisco1912(config)#vtp password cisco999
Cisco1912#show vtp
VTP version: 1
Configuration revision: 1
Maximum VLANs supported locally: 1005
Number of existing VLANs: 6
VTP domain name : 2000trainers.com
VTP password : cisco999
VTP operating mode : Server
VTP pruning mode : Disabled
VTP traps generation : Enabled
Configuration last modified by: at 00-00-0000 00:00:00

VTP pruning was also discussed in Chapter 3. When VTP pruning is enabled, traffic will not be passed to another switch across a trunk link unless that switch has ports configured for a given VLAN. For example, imagine SwitchA has VLANs 1, 2, and 3 configured, and a trunk link to SwitchB. If VTP pruning is enabled, and SwitchB has no ports on VLAN 2, traffic for VLAN 2 will not passed to it. VLAN pruning is enabled using the command vtp pruning enable.

Cisco1912(config)#vtp pruning ?
disable Disable VTP pruning
enable Enable VTP pruning
Cisco1912(config)#vtp pruning enable

Recall from earlier in this appendix that while the command delete nvram erases the configuration of a switch, it does not delete the VTP database. To delete VTP information from a Cisco 1900 switch, you must issue the delete vtp command, which also requires the switch to reload.

Cisco1912#delete ?
nvram NVRAM configuration
vtp Reset VTP configuration to defaults
Cisco1912#delete vtp

This command resets the switch with VTP parameters set to factory defaults.
All other parameters will be unchanged.

Reset system with VTP parameters set to factory defaults, [Y]es or [N]o? Yes

Configuring ISL Trunk Links

Earlier in Chapter 3, we looked at ways to connect switches with trunk links, such that VLANs could span multiple switches. The two main ways to accomplish this are via the Inter-Switch Link (ISL) and 802.1q frame tagging methods. The Cisco 1900 series does not support 802.1q, leaving ISL as the only option for creating trunk connections with other Cisco switches.

Recall that two main types of links exist between switches – access links, which provide a link for only a single VLAN, and trunk links, which are capable of carrying the traffic of many VLANs through the use of a tagging method like ISL. ISL can only be configured on switch ports with speeds of 100 Mbps and above. On a Cisco 1900, this means that only ports 26 and 27 can be used to define ISL trunk links.

The command to configure a trunk port is simply trunk, followed by the state of the port. There are five states into which you can place a trunk port, as shown below.

  • auto – Will configure the port as a trunk link if the connected system is set to on or auto.
  • desirable – Port will negotiate to become a trunk link if the other system is set to auto, desirable, or on.
  • nonegotiate – Port will become a permanent trunk link, will not negotiate the connection.
  • off – Disables the trunk port and negotiates with the connected system to turn trunking off.
  • on – Configures the port as a permanent ISL trunk link, and negotiates with the other system to convert their port to trunk mode.

In this example we’ll configure port e0/26 as a trunk port, turning ISL on.

Cisco1912#config t
Enter configuration commands, one per line. End with CNTL/Z
Cisco1912(config)#int f0/26
Cisco1912(config-if)#trunk ?
auto Set DISL state to AUTO
desirable Set DISL state to DESIRABLE
nonegotiate Set DISL state to NONEGOTIATE
off Set DISL state to OFF
on Set DISL state to ON
Cisco1912(config-if)#trunk on

Once trunking is configured for a given port, that port will trunk traffic for all configured VLANs. However, it is also possible to deny traffic from certain VLANs from being trunked by issuing the no trunk-vlan command. In the example below, traffic from VLAN 50 will not be trunked across the port 26 link.

Cisco1912(config-if)#no trunk-vlan 50

Once trunk links have been configured, their state can be viewed using the show trunk command, followed by a letter associated with that link. Since port 0/26 is the first FastEthernet port, it is known as trunk A, while port 0/27 would be known as trunk B.

Cisco1912#show trunk ?
A Trunk A
B Trunk B
Cisco1912#show trunk A
DISL state: On, Trunking: On, Encapsulation type: ISL

Going a step further, you can also view which VLANs are allowed to use the trunk link by appending the command to include allowed-vlans, as shown below.

Cisco1912#show trunk a allowed-vlans
1-49, 51-1005

Configuring VLANs on a Cisco Catalyst 1900 Switch

A VLAN is essentially a broadcast domain, assigned according to switch ports. By default, all ports on a Cisco 1900 are assigned to VLAN 1, sometimes referred to as the management or administrative VLAN. In order to implement additional VLANs, you will first need to define them, and then add ports to that VLAN. New VLANs are created from global configuration mode by using the vlan command and specifying both a VLAN number and name. For example, let’s say that we want to create a new VLAN for our Human Resources department (VLAN 100), and one for executives, VLAN 50.

Cisco1912#config t
Enter configuration commands, one per line. End with CNTL/Z
Cisco1912(config)#vlan 100 name HR
Cisco1912(config)#vlan 50 name Executives

To view all VLANs configured on a switch, use the show vlan command.

Cisco1912#show vlan

VLAN Name Status Ports
1 default Enabled 1-12, AUI, A, B
50 Executives Enabled
100 HR Enabled
1002 fddi-default Suspended
1003 token-ring-defau Suspended
1004 fddinet-default Suspended
1005 trnet-default Suspended

Notice that currently, all ports on our Catalyst 1912 switch are still part of VLAN 1. The next step involves adding ports to the newly configured VLAN. This is done from interface configuration mode, using the vlan-membership static command. In this case, we’ll add Ethernet ports 0/2 and 0/8 to VLAN 100.

Cisco1912#config t
Enter configuration commands, one per line. End with CNTL/Z
Cisco1912(config)#int e0/2
Cisco1912(config-if)#vlan-membership static 100
Cisco1912(config-if)#int e0/8
Cisco1912(config-if)#vlan-membership static 100

To confirm that the ports are now part of VLAN 100, use the show vlan command. An individual VLAN can be viewed by specifying the VLAN number after this command.

Cisco1912#show vlan

VLAN Name Status Ports
1 default Enabled 1, 3-7, 9-12, AUI, A, B
50 Executives Enabled
100 HR Enabled 2, 8
1002 fddi-default Suspended
1003 token-ring-defau Suspended
1004 fddinet-default Suspended
1005 trnet-default Suspended

VTP Pruning

In some cases, it may not make sense for all traffic to be trunked to all switches. For example, consider the network diagram shown in the figure below. In it, Switch C does not have any ports configured on VLAN99. As such, it doesn’t make much sense for traffic destined for VLAN99 to be sent over the trunk link between switches A and C. In order to control traffic destined for VLAN99 from being forwarded to Switch C, you can enable VTP pruning. Once enabled, VTP pruning will stop unnecessary traffic from being forwarded to a switch with no configured ports on that VLAN. If VTP pruning were enabled in this example, traffic for VLAN 99 would not be forwarded to Switch C by Switch A, thus conserving bandwidth and switch resources.

Figure: With VTP pruning enabled, traffic for VLAN99 is not forwarded to Switch C.

By default, all switches have VTP pruning disabled. When enabled, VTP pruning enables the function for the entire VTP management domain. If you do choose to use VTP pruning, note that you also have the option to go a step further and define which VLANs are eligible to be pruned and which are not.

VTP Modes

Switches can operate in three different VTP modes, which affect the way in which they share or interact with VTP advertisements. Once configured, VTP information is stored in their VTP database. The three modes include:

Server. By default, every Catalyst switch configured to use VTP will be configured as a server. In any VTP domain, at least one server must exist. When in server mode, a switch can be used to add, modify or delete VLAN related information, which will be passed to all other switches in the VTP management domain.

Client. In client mode, a switch receives VTP advertisements and makes changes according to their contents. Note that a VTP client cannot change VLAN information.

Transparent. In transparent mode, a VTP switch will forward VTP messages, but will not actually use the configuration information it receives. VLANs that are added, modified or deleted on a VTP switch in transparent mode will only apply to that particular switch.

When a switch receives a VTP update, it checks the VTP domain name and revision number information stored in the advertisement. If the information is for a different VTP domain, it is ignored. If the revision number of the advertisement is below the number currently stored in its database, it is similarly ignored.

VLAN Trunking Protocol VTP

In large networks, configuring VLAN information on each and every switch would be incredibly time consuming. In order to deal with this issue, Cisco created a protocol referred to as the VLAN Trunking Protocol (VTP). VTP actually has very little to do with trunking. Instead, its responsibility is propagating information about the configuration of VLANs across trunk links. For example, let’s say that you’ve defined a new VLAN on a switch, VLAN 99. Instead of having to manually create that VLAN on each and every switch, you could instead use VTP – it would automatically make VLAN 99 available on every switch after it was defined on the first. This information is sent to other switches in the form of VTP advertisements. These are multicasts that provide update information to neighboring switches over trunk links. VTP can be used to add, modify or delete VLANs across what is known as a VTP management domain. For example, you might add a new VLAN, change the name of a VLAN, or delete a VLAN that you no longer require.

By default, VTP is not configured on Catalyst switches. You first have to define what is known as a VTP management domain, the group of switches among which you want VLAN information passed and shared. You can actually define multiple VTP domains for different groups of switches that require different configurations. However, you can only make any given switch part of a single VTP management domain.

InterSwitch Link ISL

VLAN tagging is not a difficult concept – just remember that its purpose is to allow frames from multiple VLANs to be transferred across a trunk link and properly identified at the other end.

Recall that ISL only works on 100Mbps ports and faster. As such, if your switch only has 10 Mbps ports available, using ISL will not be an option. One other limitation of ISL is that only ISL-aware devices will understand ISL frames – all others will not consider the frame to be valid.

Some network interface cards include ISL capabilities. If installed in a server, the server could then be part of two (or more) VLANs concurrently. This would allow systems from different VLANs to connect to the server without needing to route between different broadcast domains. In this way, the connection between the server and the ISL-configured switch port acts as a trunk link. In an even more common example, imagine if you connected a router to your switch in order to route between different VLANs. If that router had a 100Mb port that was ISL-capable (as many Cisco routers do), it could be connected to a trunk port on the switch, and provide routing between your VLANs. In this case, the router would add VLAN identification tags before forwarding a frame to the switch (and vice versa). The switch interface would strip away the tagging, and be sure that the frame is forwarded onto the proper VLAN.

Note that there is a downside to this configuration. By making a system (the router in this case) part of multiple VLANs, it will receive broadcast traffic from each of the VLANs for which its switch port is configured.

Trunking and VLAN Identification

Setting up VLANs on a single switch is relatively simple. First you define different VLANs, and then make ports members of those VLANs. However, when you interconnect or link switches across a network (referred to as trunking), you’ll need a way for switches to know on what VLAN a frame belongs. There are two main types of trunk links, as described below.

Access Link. When a link connects a single VLAN between switches, and no traffic for other VLANs is passed over that link, it is considered an access link. The only traffic that moves across an access link is traffic belonging the VLAN defined for the ports that are connected.

Trunk Link. If a link connects two switches, and the switches have 2 or more VLANs defined, it wouldn’t make much sense to set up a separate access link for each VLAN. Instead, it would be great if we could have traffic from multiple VLANs move across a single link. If a VLAN identification (frame tagging) technique is used, this is possible. The link is then known as a trunk link.

Consider the figure below, which outlines both access and trunk links.

Figure: Access and Trunk Links.

Remember that switches are always connected together using a crossover cable.

If you remember back to Chapter 2, none of the Ethernet frames we looked at had any field used to identify the VLAN membership of frame. In order for VLANs to work properly between switches, we’ll need some way to be able to let switches know what VLAN a frame is meant for.

Enter frame tagging. Frame tagging is a technique where additional VLAN identification information is added to a frame. Two main protocols exists for the purpose of Ethernet frame tagging – Inter Switch Linking (ISL) and IEEE 802.1q. Both modify a frame in different ways to add VLAN identifiers. Once implemented, VLAN tagging allows ports on the same VLAN (but on different switches) to communicate as though they were part of a single physical switch.

Adding more information to a frame creates a slight dilemma. Remember that an Ethernet frame has a maximum size of 1518 bytes. How can we add information to a large frame without making it appear oversized and thus invalid to network devices? Well, we need to configure the ports that link switches to use a VLAN identification protocol. When configured with VLAN tagging, a switch port will tag a frame with VLAN information when sending it out a trunk port. This tagging will be stripped away by the switch at the receiving end of the link. In this way, end devices need not be aware that any special framing or tagging took place. It also helps avoid end systems seeing these frames as being invalid. A VLAN tagged frame has a maximum size of 1522 bytes. The figure below illustrates the process by which a frame is tagged to include VLAN identification information. Note that the special tagging is added before it leaves the Switch 1 trunk port, and is removed once it enters the trunk port on Switch 2.

Figure: Frame tagging over a trunk link.

A number of different protocols exist for the purpose of adding VLAN identification to frames. These include:

InterSwitch Link (ISL). ISL is a Cisco proprietary VLAN identification protocol that can be used only on Fast Ethernet and Gigabit Ethernet trunk ports. Because the protocol is proprietary, it can only be used to trunk between Cisco devices. ISL actually re-encapsulates the entire original frame with a new header and a new CRC value.

IEEE 802.1q. The IEEE 802.1q is the industry standard method of VLAN identification. This protocol doesn’t entirely re-encapsulate a frame, but instead adds VLAN identification information into Ethernet frames. This in turn can make Ethernet frames as large as 1522 bytes. When you want to use VLAN identification on a network that includes equipment from different vendors, 802.1q should be used.

Dynamic Trunking Protocol (DTP). An enhancement of Cisco’s Dynamic ISL (DISL) protocol, DTP dynamically negotiates both ends of a trunk link to use a common VLAN identification protocol, such as ISL or 802.1q.

FDDI 802.10. While trunking protocols such as ISL are meant to create a trunk link between only two switches, 802.10 encapsulation allows VLAN tagging to be used on a shared FDDI backbone. It does this by adding a 4-byte Security Association Identifier (SAID) field to the FDDI frame header.

ATM Lane. When Ethernet or Token Ring networks connect over ATM, LAN Emulation (LANE) must be used to emulate their native environments (since ATM doesn’t support broadcasts, for example). In cases where VLANs are required over ATM connections, Emulated LANs (ELANs) need to be defined. Each ATM ELAN maps to a single VLAN.

Tip: VLAN tagging methods like ISL allow VLAN membership information to be transported with a frame across trunk links.

VLAN Types

VLAN membership can be configured in two different ways, known as static and dynamic.

Static VLANs. With a static VLAN, an administrator defines VLANs on a switch and then assigns ports to them. This is the most common way in which VLANs are configured.

Dynamic VLANs. A dynamic VLAN is one in which a switch port automatically configures itself to be part of a particular VLAN, based on the MAC address of a connected system. Think of a scenario where a laptop user uses different connections within an office building. In this case, she could plug into a given jack (which is connected to a switch) and automatically be made part of her native VLAN. In order to accomplish this, a management database needs to be created that maps MAC addresses to VLANs, which requires additional administrative effort. Cisco has a product that provides this functionality – VLAN Management Policy Server (VMPS).

VLAN Benefits

The main benefits of using VLANs are that they provide increased flexibility, scalability, and security.

Flexibility. Because a VLAN assigns a user to a broadcast domain based on the port their system is plugged into, additions, moves, and changes are made simple. If you wanted a user to be moved to a different broadcast domain, all you would have to do is reconfigure the port they’re connected to. For example, a user might have been working in Marketing and is now moving to Finance. Instead of moving their physical PC, simply modify the VLAN configuration of the port, changing it from the Marketing VLAN to the Finance VLAN. This flexibility allows you to create logical (rather than physical) groupings of users.

Scalability. VLANs aren’t limited to a single switch. In fact, you can actually have VLANs that span an enterprise organization. For example, you might have groups of users on the 4th, 18th, and 42nd floors all be part of the same VLAN, even though they’re connected to different switches. Taken a step further, VLANs can also be scaled beyond a single location, over a WAN link if necessary.

Security. VLANs provide a greater degree of security than a traditional LAN. Consider the situation where a user from Human Resources might be connected to the same physical segment as a variety of other users. If plugged into a hub, other users could capture the information passed to the HR computer using a protocol analyzer program. By configuring all HR user systems to be in their own VLAN, their traffic remains separate and distinct from other network users. Also, traffic between VLANs can then be more easily controlled using router features such as access lists.

In the above explanation, the groupings of users to VLANs were based on functional departments. This is a popular way to divide traffic on a network, especially if departments have their own servers. Human Resources tends to be particularly good example of a department that might require its own VLAN, based on the sensitive nature of the information they deal with. Separate VLANs are often defined for other purposes as well, including network management and monitoring.

Tip: Remember that when you define additional VLANs, you are actually creating a larger number of smaller broadcast domains.