Implement and Troubleshoot Trunking
Trunking
- Allows devices to send traffic for multiple vlans across a single link
- Trunking protocols must match on both ends
ISL
- Cisco Proprietary
- Supports normal and extended vlans
- Encapsulates original frame
- 26-byte header + 4-byte trailer carrying a new FCS
- No concept of native vlan
802.1Q
- Open Standard (IEEE)
- Supports normal and extended vlans
- Inserts tag into original frame
- 4-byte tag (TPID 0x8100 + 3-bit PCP, 1-bit DEI/CFI, 12-bit VLAN ID) inserted after the source MAC
- Frame tagging
- Concept of native vlan
- Traffic in the native VLAN is sent untagged; untagged frames received on the trunk are placed in the native VLAN
- Native VLAN must match on both ends of the trunk
- Detection for mismatch
- Cisco switches – proprietary extension in PVST+ and Rapid PVST+ (PVST+ BPDUs carry the VLAN ID; a mismatch logs %SPANTREE-2-RECV_PVID_ERR and the port is blocked for the inconsistent VLAN)
- CDP neighbors also detect and report it via syslog (%CDP-4-NATIVE_VLAN_MISMATCH)
- Default native VLAN is 1
- Best practice is to move the native VLAN to an unused VLAN that is not assigned to any access port, and to tag it (vlan dot1q tag native) so a double-tagged frame cannot hop VLANs
DTP – Dynamic Trunking Protocol
- Cisco proprietary; dynamically learns whether the device on the other end wants to trunk and negotiates which encapsulation to use
- Modes
- Dynamic Auto – passive; only becomes a trunk if the neighbor is trunk or dynamic desirable
- Prefers to be an access port
- Dynamic Desirable – actively sends DTP requests
- Prefers to be a trunk port; forms a trunk with trunk, dynamic desirable or dynamic auto
- Two dynamic auto ports never form a trunk
- With switchport trunk encapsulation negotiate, ISL is chosen if both sides support it, otherwise 802.1Q
- Different switch models have different default modes (dynamic auto on most current Catalyst switches, dynamic desirable on older ones)
- DTP and VTP are independent protocols, but DTP frames carry the VTP domain name and negotiation fails when the two ends are in different VTP domains
- Security: DTP lets anyone plugged into a dynamic port negotiate a trunk and reach every allowed VLAN; hard-code user ports to access mode and disable DTP on them
- Reduce the number of VLANs on the trunk
- A VLAN must exist on the switch before it is considered active on the trunk
- Prune administratively or use VTP pruning
- Switchport trunk allowed vlan [add | remove | except | all] vlan-list
- Config
- Switchport mode [trunk | dynamic desirable | dynamic auto | access]
- Switchport nonegotiate
- Port no longer sends DTP frames; only valid together with mode trunk or mode access, not with a dynamic mode
- Switchport trunk encapsulation [isl | dot1q | negotiate] (must be set before mode trunk on switches that support both encapsulations)
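The negotiation rules and the nonegotiate/native-VLAN checks above, as an added example that is not part of the original notes and not Cisco code. It models the DTP outcome for a pair of ports, the encapsulation choice, and then audits a constructed running-config excerpt (SAMPLE_CONFIG, invented for the demo) for ports that still negotiate. The treatment of a NULL VTP domain and the default ISL availability are stated assumptions in the code.

```python
# DTP administrative modes as they appear in 'switchport mode'
ACCESS, TRUNK, AUTO, DESIRABLE = "access", "trunk", "dynamic auto", "dynamic desirable"


def dtp_result(a, b, nonegotiate_a=False, nonegotiate_b=False, domain_a="", domain_b=""):
    """Operational outcome for a link between two ports: 'trunk', 'access', or
    'mismatch' (one side trunks, the other does not). Assumption in this model:
    DTP only fails on domain names when both ends have one set and they differ;
    a NULL domain on either end does not block negotiation."""
    if ACCESS in (a, b):                       # a static access port never trunks
        return "mismatch" if TRUNK in (a, b) else "access"
    if a == TRUNK and b == TRUNK:
        return "trunk"                         # both static, no DTP needed
    # at least one side depends on DTP from here on
    if domain_a and domain_b and domain_a != domain_b:
        return "mismatch" if TRUNK in (a, b) else "access"
    if a == TRUNK:
        return "mismatch" if nonegotiate_a else "trunk"
    if b == TRUNK:
        return "mismatch" if nonegotiate_b else "trunk"
    return "trunk" if DESIRABLE in (a, b) else "access"   # auto + auto stays access


def encapsulation(enc_a, enc_b, isl_supported=True):
    """'negotiate' on both ends picks ISL when both switches support it, else dot1q;
    a fixed setting on one end wins; two different fixed settings never trunk.
    isl_supported=True is an assumption; most current switches are dot1q-only."""
    if enc_a == "negotiate" and enc_b == "negotiate":
        return "isl" if isl_supported else "dot1q"
    fixed = {e for e in (enc_a, enc_b) if e != "negotiate"}
    return fixed.pop() if len(fixed) == 1 else "mismatch"


# Constructed running-config excerpt for the audit below (not from a real device).
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 description user port, hardened
 switchport access vlan 10
 switchport mode access
 switchport nonegotiate
!
interface GigabitEthernet1/0/2
 description user port left at platform default
 switchport access vlan 10
!
interface GigabitEthernet1/0/3
 switchport mode dynamic desirable
!
interface GigabitEthernet1/0/24
 description uplink
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20
 switchport mode trunk
 switchport nonegotiate
!
"""


def parse_interfaces(config):
    """Map interface name -> list of its sub-commands (leading space stripped)."""
    ifaces, cur = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            cur = line.split(None, 1)[1]
            ifaces[cur] = []
        elif cur and line.startswith(" "):
            ifaces[cur].append(line.strip())
        elif line.strip() == "!":
            cur = None
    return ifaces


def audit_dtp(config, default_mode=AUTO):
    """Flag ports a connected host could use to negotiate a trunk, ports that still
    emit DTP, and trunks on the default native VLAN. default_mode is the platform
    default applied to ports with no explicit 'switchport mode'."""
    findings = []
    for name, lines in parse_interfaces(config).items():
        mode = next((ln[len("switchport mode "):] for ln in lines
                     if ln.startswith("switchport mode ")), None)
        nonego = "switchport nonegotiate" in lines
        if mode is None:
            findings.append((name, f"no switchport mode; platform default '{default_mode}' negotiates via DTP"))
        elif mode in (AUTO, DESIRABLE):
            findings.append((name, f"'{mode}' lets a connected host negotiate a trunk"))
        elif not nonego:
            findings.append((name, f"'{mode}' without nonegotiate still sends DTP frames"))
        if mode == TRUNK and not any(ln.startswith("switchport trunk native vlan ") for ln in lines):
            findings.append((name, "trunk uses default native VLAN 1"))
    return findings


if __name__ == "__main__":
    for iface, reason in audit_dtp(SAMPLE_CONFIG):
        print(f"{iface}: {reason}")
```

Only the two user ports without an explicit access mode plus nonegotiate are reported; the hardened port and the uplink (static trunk, nonegotiate, native VLAN moved) pass.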
Q in Q Tunneling
- VLANs traditionally do not extend past the WAN boundary
- Standardized as IEEE 802.1ad – Provider Bridges (S-Tag TPID 0x88a8; Cisco's dot1q-tunnel mode adds a plain 0x8100 outer tag by default)
- Allows the SP to preserve the customer's 802.1Q VLAN tag across the WAN service
- CDP, VTP and STP are normally dropped at the provider edge; they can be carried transparently across the Q-in-Q service with l2protocol-tunnel
- New tagging concept
- C-Tag – original customer tag (inner)
- S-Tag – service-provider tag pushed in front of the C-Tag at the SP ingress port
- S-Tag is popped at the SP egress port, preserving the original C-Tag
- Different customers get different S-Tags, so overlapping customer VLAN IDs do not collide
- Configuration
- Raise the system MTU to at least 1504 to accommodate the extra 4-byte S-Tag
- Customer-facing port: switchport mode dot1q-tunnel with switchport access vlan set to the customer's S-VLAN
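The tag stack described in the Q-in-Q section and the native-VLAN double-tagging hop from the 802.1Q section share one frame parser, so both are covered by this single added example (not code from the original notes, not Cisco's implementation). It builds and parses 802.1Q/802.1ad tag stacks with a simplified model of access-port ingress, trunk egress/ingress and provider-edge push/pop. The MAC addresses and payloads are constructed for the demo; the access-port rule "accept a frame tagged with the port's own VLAN" is the modelled Catalyst behaviour.

```python
import struct

TPID_8021Q = 0x8100   # 802.1Q C-tag
TPID_8021AD = 0x88A8  # 802.1ad S-tag (Cisco dot1q-tunnel uses 0x8100 here by default)
TPIDS = {TPID_8021Q, TPID_8021AD}

# Constructed addresses for the demo; not captured traffic.
ATTACKER = bytes.fromhex("020000000001")
BCAST = b"\xff" * 6


def build_frame(dst, src, tags, ethertype, payload):
    """Assemble an Ethernet frame; tags is a list of (tpid, vid, pcp), outermost first."""
    hdr = dst + src
    for tpid, vid, pcp in tags:
        hdr += struct.pack("!HH", tpid, (pcp << 13) | (vid & 0x0FFF))
    return hdr + struct.pack("!H", ethertype) + payload


def parse_tags(frame):
    """Walk the tag stack; return ([(tpid, vid, pcp), ...], inner ethertype, payload)."""
    tags, off = [], 12
    while True:
        (etype,) = struct.unpack_from("!H", frame, off)
        if etype not in TPIDS:
            return tags, etype, frame[off + 2:]
        (tci,) = struct.unpack_from("!H", frame, off + 2)
        tags.append((etype, tci & 0x0FFF, tci >> 13))
        off += 4


def pop_tag(frame):
    """Remove the outermost tag; return (vid, frame) or (None, frame) if untagged."""
    (etype,) = struct.unpack_from("!H", frame, 12)
    if etype not in TPIDS:
        return None, frame
    (tci,) = struct.unpack_from("!H", frame, 14)
    return tci & 0x0FFF, frame[:12] + frame[16:]


def push_tag(frame, vid, tpid=TPID_8021Q, pcp=0):
    return frame[:12] + struct.pack("!HH", tpid, (pcp << 13) | vid) + frame[12:]


# --- simplified switch data plane ---

def access_ingress(frame, access_vlan):
    """Untagged frames go to the access VLAN; a frame tagged with the access VLAN
    is accepted and that tag stripped (modelled Catalyst behaviour); any other
    tag is dropped (returns None)."""
    vid, rest = pop_tag(frame)
    if vid is None:
        return access_vlan, frame
    return (access_vlan, rest) if vid == access_vlan else None


def trunk_egress(frame, vlan, native_vlan, tag_native=False):
    """Native-VLAN traffic leaves untagged unless 'vlan dot1q tag native' is set."""
    if vlan == native_vlan and not tag_native:
        return frame
    return push_tag(frame, vlan)


def trunk_ingress(frame, native_vlan):
    """Untagged frames arriving on a trunk land in the native VLAN."""
    vid, rest = pop_tag(frame)
    return (native_vlan, frame) if vid is None else (vid, rest)


def double_tag_hop(attacker_vlan, native_vlan, target_vlan, tag_native=False):
    """Host on an access port in attacker_vlan sends outer=attacker_vlan,
    inner=target_vlan across switch A -> trunk -> switch B. Returns the VLAN the
    frame is delivered to on switch B, or None if switch A drops it."""
    frame = build_frame(BCAST, ATTACKER,
                        [(TPID_8021Q, attacker_vlan, 0), (TPID_8021Q, target_vlan, 0)],
                        0x0800, b"payload")
    hit = access_ingress(frame, attacker_vlan)
    if hit is None:
        return None
    vlan, f = hit
    f = trunk_egress(f, vlan, native_vlan, tag_native)   # switch A strips outer tag here
    vlan_b, _ = trunk_ingress(f, native_vlan)            # switch B now sees the inner tag
    return vlan_b


# --- Q-in-Q: provider edge pushes an S-tag and preserves the customer C-tag ---

def provider_ingress(frame, s_vlan):
    return push_tag(frame, s_vlan, tpid=TPID_8021AD)


def provider_egress(frame):
    return pop_tag(frame)[1]


def required_system_mtu(frame):
    """Bytes beyond the 14-byte header plus one tag allowance, i.e. the value
    'system mtu' must cover: 1500 for single-tagged, 1504 for Q-in-Q frames."""
    return len(frame) - 14 - 4


if __name__ == "__main__":
    print("native 1, attacker in VLAN 1 -> delivered in VLAN", double_tag_hop(1, 1, 20))
    print("native moved to 999 -> delivered in VLAN", double_tag_hop(1, 999, 20))
    print("native tagged -> delivered in VLAN", double_tag_hop(1, 1, 20, tag_native=True))
```

The hop only works when the attacker's access VLAN equals the trunk's native VLAN and the native VLAN is sent untagged; moving the native VLAN to an unused ID or tagging it keeps the frame in the attacker's own VLAN.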
Manual VLAN Pruning
Manually specify which vlans are allowed across a trunk link
VTP – VLAN Trunking Protocol
- Advertises vlan config information to neighboring switches
- Allows vlan config to be done from 1 switch in the domain (dynamic)
- Advertises VLAN ID, name and type
- Does not advertise which ports belong to a VLAN; port assignments stay local to each switch
- Sends updates out all active trunk links by default
- Without domain name switches do not send any VTP updates
- VTP starts working when there is an active trunk link and domain name
- Configuration
- Vtp domain [name]
- Show vtp status
- Options
- Domain – sets domain name
- Switch can only belong to one domain
- Password – sets the password folded into the MD5 digest, so switches that do not know it ignore the advertisements (in v1/v2 it is stored in plaintext and shown by show vtp password)
- Mode [server | client | transparent]
- Version [1 | 2 | 3]
- v2 can be enabled on one server and will propagate to the other switches
- v3 must be enabled on each switch and requires a domain name
- Pruning
- Prevents per-VLAN flooding to switches that have no active ports in the VLAN
- Only applies to the normal VLAN range
- Interface
- Sets the interface whose IP is used to identify the switch (updater ID)
- Default is to use the IP of the lowest-numbered SVI
VTPv1
Version 1 is default
- Supports only normal vlan range
Message Types (v1 and v2)
- Summary advertisement
- Originated by VTP servers and clients every 5 minutes and after each modification to the VLAN database
- Carries domain name, revision number, updater ID, timestamp, MD5 digest (over the database and the password, if set) and the number of subset advertisements that follow
- Does not carry VLAN database contents
- Subset advertisement
- Originated by servers and clients after a modification of the VLAN database
- Carries the full VLAN database contents
- Advertisement request
- Asks neighbors for the complete VLAN database or part of it
- Sent when a switch is reset, enters client mode, its domain name changes, or a received summary carries a higher revision than its own
- Join
- Every 6 seconds if VTP pruning is active
Update Process (v1 and v2)
- Begins when a modification is made to a VLAN on a server
- The server increments the revision number by 1 and advertises the entire VLAN database with the new revision number
- The revision number lets switches know when VLAN database changes have occurred
- A switch replaces its VLAN database when a summary with a higher revision (same domain, matching password digest) arrives, whether it is a server or a client
- Caveat: a switch reintroduced to the domain with a higher revision overwrites every other switch's database; before connecting a used switch, reset its revision to 0 by changing the domain name or toggling it to transparent mode
VTP Modes
- Server
- Default mode, with no domain name
- Updates do not occur until a domain name is configured
- Client
- Will assume the first domain name it receives
- Default domain is NULL
- Transparent / Off
- Does not process other switches' VTP updates; keeps a locally configured VLAN database
- Transparent still forwards advertisements out its trunks (in v2 regardless of domain name); off drops them
- Protect VTP domain – VTP password
- Summary advertisement carries an MD5 hash computed over the VLAN database contents plus the VTP password, if configured; a switch with a different password computes a different hash and ignores the update
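The update process (revision comparison) and the password check in the summary advertisement, modelled together as an added example that is neither part of the original notes nor Cisco's implementation. The digest here covers domain, revision, VLAN database and password so that it behaves like the real one (any change or wrong password changes it), but its field layout is an assumption, not the actual VTP MD5 format. The switch names, VLANs and the "stale lab switch" scenario are constructed for the demo.

```python
import hashlib


def vtp_digest(domain, revision, vlans, password):
    """Stand-in for the summary-advertisement MD5 (illustrative layout, not
    Cisco's field order): covers domain, revision, VLAN database and password."""
    h = hashlib.md5()
    h.update(domain.encode() + revision.to_bytes(4, "big"))
    for vid, name in sorted(vlans.items()):
        h.update(f"{vid}={name};".encode())
    h.update(password.encode())
    return h.hexdigest()


class VtpSwitch:
    """Minimal VTP v1/v2 participant: server, client, transparent or off."""

    def __init__(self, name, mode="server", domain="", password="", revision=0, vlans=None):
        self.name, self.mode = name, mode
        self.domain, self.password = domain, password
        self.revision = revision
        self.vlans = dict(vlans or {1: "default"})

    def summary(self):
        """Summary advertisement: no VLAN contents, just enough to decide whether to sync."""
        return {"domain": self.domain, "revision": self.revision, "updater": self.name,
                "digest": vtp_digest(self.domain, self.revision, self.vlans, self.password)}

    def subset(self):
        """Subset advertisement: the full VLAN database."""
        return dict(self.vlans)

    def add_vlan(self, vid, name):
        if self.mode == "client":
            raise PermissionError(f"{self.name}: clients cannot modify the VLAN database")
        self.vlans[vid] = name
        if self.mode == "server":          # transparent edits stay local; revision untouched
            self.revision += 1

    def receive(self, summary, subset):
        """Update process: replace the local database only if the domain matches,
        the digest verifies with our own password, and the revision is higher."""
        if self.mode in ("transparent", "off"):
            return False
        if not self.domain:                # NULL domain: adopt the first domain heard
            self.domain = summary["domain"]
        if summary["domain"] != self.domain:
            return False
        if vtp_digest(summary["domain"], summary["revision"], subset, self.password) != summary["digest"]:
            return False                   # wrong password or tampered contents
        if summary["revision"] <= self.revision:
            return False
        self.vlans, self.revision = dict(subset), summary["revision"]
        return True

    def reset_revision(self):
        """v1/v2: toggling to transparent and back (or changing the domain) zeroes the revision."""
        self.mode, self.revision = "transparent", 0
        self.mode = "server"


def stale_switch_joins(reset_first):
    """Constructed scenario: a lab switch with revision 42 and an almost empty
    database is cabled into a production domain sitting at revision 5.
    Returns (update accepted?, VLAN IDs left on the production server)."""
    prod = VtpSwitch("SW1", "server", "corp", "s3cret", 5,
                     {1: "default", 10: "users", 20: "servers", 30: "voice"})
    lab = VtpSwitch("LAB", "server", "corp", "s3cret", 42, {1: "default"})
    if reset_first:
        lab.reset_revision()
    accepted = prod.receive(lab.summary(), lab.subset())
    return accepted, sorted(prod.vlans)


if __name__ == "__main__":
    print("no reset   ->", stale_switch_joins(False))   # production VLANs wiped
    print("reset to 0 ->", stale_switch_joins(True))    # update ignored
```

Clients are just as exposed as servers in this model: anything in the domain with the right domain name and password and a higher revision is accepted, which is why the revision reset and the password matter more than the server/client split.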
VTPv2
Enhanced version of v1
- Supports Token Ring concentrator relay function and bridge relay function
- Not used in Ethernet-based networks
- Supports unknown TLVs (Type-Length-Value)
- v1 would drop unrecognized TLVs, which stopped propagation to other switches; v2 stores and forwards them
- Optimized VLAN database consistency checking
- Implementation optimization
- Skips the consistency check when the change was received in a VTP message (only CLI/SNMP changes are checked)
- Transparent-mode forwarding no longer requires the domain name and version to match
VTPv3
Introduced in IOS release 12.2(52)SE
- New server roles – address the problem of inadvertent rewrites to the VLAN database
- Primary – only one at a time
- Can modify VTP domain contents
- The only switch whose VLAN database is propagated through the domain
- Database is shared only with switches that agree on the domain name and the ID of the primary server (its base MAC address)
- Secondary
- Cannot make changes, but can be promoted
- All other server switches in the domain are secondary
- Primary role is a runtime state; it is not saved in the configuration and is lost on reload
- Server roles help prevent unwanted changes to the VTP domain
- Password storage and usage improved
- Stored as a hash (vtp password <pw> hidden) and cannot be displayed in plaintext
- Promotion of a secondary requires entering the password in plaintext when hidden is used
- The password is carried to other switches only in hashed form, never in the clear
- Capable of distributing the full range of VLANs and private VLANs
- No longer need to be in transparent mode when using the extended VLAN range and private VLANs
- Pruning still only applies to the normal VLAN range
- Supports VTP off
- Switch does not participate in VTP and drops all VTP messages
- Distributes the content of the MST region configuration
- Client switches cannot make changes to the domain or be promoted
- Both secondary servers and clients store a copy of the primary's VLAN database and share it with neighboring servers and clients that agree on the primary's ID
- Secondary servers or clients with a higher revision number can overwrite the VLAN database, but domain name, primary ID and password must all match
- Conflicts
- A server or client in the domain having a different primary server ID
- Conflicting switches do not sync the VLAN database even if all other parameters match
- Promotion to primary server is done in exec mode
- Vtp primary [vlan | mst] [force]
- Revision number cannot be reset to 0 by switching the mode to transparent
- It is only reset by modifying the domain name or configuring a password
- Per port: if the neighbor cannot run v3, that port reverts to v2
- v3 to v1 is not supported
VTP Pruning
Reduces unnecessary flooded traffic (broadcast, multicast and unknown unicast) by not sending a VLAN over trunks to switches that have no active ports in it
- Disabled by default
- Enabling it on a server enables it for the entire domain
- VLANs 2 – 1000 are pruning-eligible; VLAN 1 and the extended range are never pruned
- Cmd: vtp pruning