CCIE RS – Written – L2 – Implement and Troubleshoot Trunking

Trunking

  • Allows devices to send traffic for multiple vlans across a single link
  • Trunking protocols must match on both ends

ISL

  • Cisco Proprietary
  • Supports normal and extended vlans
  • Encapsulates original frame
    • 26 byte header + trailer for FCS
  • No concept of native vlan

802.1Q

  • Open Standard (IEEE)
  • Supports normal and extended vlans
  • Inserts tag into original frame
    • 4 byte header
    • Frame tagging
  • Concept of native vlan
    • Traffic in native vlan is untagged
    • All received untagged frames are sent over native vlan
    • Must match on both ends of trunk
    • Detection for mismatch
      • Cisco Switches – Proprietary extension in PVST+ and Rapid PVST+
      • CDP Neighbor can detect and report (syslog)
    • Default native vlan is 1
      • Best practice is to change to prevent vlan hopping attacks

DTP – Dynamic Trunking Protocol

  • Dynamically learn if device on other end wants to perform trunking and negotiate what protocol to use
  • Modes
    • Dynamic Auto – negotiate automatically
      • Prefers to be access port
    • Dynamic Desirable
      • Prefers to be a trunk port
      • Highest priority
      • Will choose ISL if both sides support it
    • Different switch models have different default behaviors
    • DTP and VTP are independent
      • DTP carries the VTP domain name
  • Reduce number of vlans on trunk
    • Vlans must be configured on switch before being considered active
    • Administratively configure or use VTP pruning
      • switchport trunk allowed vlan [add | remove] <vlan-list>
  • Config
    • switchport mode [trunk | dynamic desirable | dynamic auto | access]
    • Switchport nonegotiate
      • Port no longer sends DTP messages
    • Switchport trunk encapsulation [isl | dot1q]

Q in Q Tunneling

  • VLANs traditionally do not extend past WAN boundary
  • Standard 802.1ad – Provider Bridges
  • Allow SP to preserve 802.1q vlan tag across WAN service
  • CDP and VTP can be configured to pass transparently over Q-in-Q
  • New tagging concept
    • C-Tag – Original customer tagged frame
    • S-Tag – Additional tag added to C-Tag frame at ingress of SP
      • Tag is removed at egress of SP, preserving original C-Tag
      • Different customers get different S-Tags
  • Configuration
    • Change MTU to 1504 for extra header size
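As an added example in Python (not from the original notes), the tag handling described in the 802.1Q and Q-in-Q sections: inserting the 4-byte tag after the source MAC, mapping an untagged or priority-tagged frame received on a trunk to the native VLAN, and pushing/popping the provider S-Tag over the customer C-Tag. Assumed: the S-Tag TPID is 0x88A8 as in 802.1ad; the frame bytes are constructed, not captured traffic.

```python
import struct

TPID_8021Q = 0x8100    # 802.1Q C-Tag
TPID_8021AD = 0x88A8   # 802.1ad S-Tag (Provider Bridges); some platforms reuse 0x8100

def push_tag(frame: bytes, vlan: int, tpid: int = TPID_8021Q, pcp: int = 0) -> bytes:
    """Insert a 4-byte tag (TPID + TCI) after the source MAC. 802.1Q tags rather
    than encapsulates, so the frame grows by exactly 4 bytes."""
    if not 0 <= vlan <= 4095:
        raise ValueError("VLAN ID must be 0..4095")
    tci = (pcp << 13) | vlan            # PCP (3 bits) | DEI (1 bit) | VID (12 bits)
    return frame[:12] + struct.pack("!HH", tpid, tci) + frame[12:]

def pop_tag(frame: bytes) -> bytes:
    """Remove the outermost tag, as the SP edge does at egress (C-Tag survives)."""
    return frame[:12] + frame[16:]

def classify(frame: bytes, native_vlan: int = 1) -> dict:
    """Walk the tag stack of a received frame: S-VLAN (None without an outer tag),
    C-VLAN (native VLAN if untagged or priority-tagged) and the payload ethertype."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    off, s_vlan, c_vlan = 12, None, None
    etype = struct.unpack("!H", frame[off:off + 2])[0]
    if etype == TPID_8021AD:            # outer S-Tag pushed at SP ingress
        s_vlan = struct.unpack("!H", frame[off + 2:off + 4])[0] & 0x0FFF
        off += 4
        etype = struct.unpack("!H", frame[off:off + 2])[0]
    if etype == TPID_8021Q:             # customer C-Tag
        vid = struct.unpack("!H", frame[off + 2:off + 4])[0] & 0x0FFF
        c_vlan = vid if vid else native_vlan   # VID 0 = priority tag only, no VLAN
        off += 4
        etype = struct.unpack("!H", frame[off:off + 2])[0]
    if c_vlan is None:                  # untagged frames land in the native VLAN
        c_vlan = native_vlan
    return {"s_vlan": s_vlan, "c_vlan": c_vlan, "ethertype": etype, "tag_bytes": off - 12}

# Constructed sample (not real traffic): untagged IPv4 frame between two made-up MACs
UNTAGGED = bytes.fromhex("0000000000aa" "0000000000bb" "0800") + b"\x45" + b"\x00" * 19
```

The 8 tag bytes reported for a double-tagged frame are why the Q-in-Q MTU has to grow beyond the default 1500-byte payload.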

Manual VLAN Pruning

Manually specify which vlans are allowed across a trunk link


VTP – VLAN Trunking Protocol

  • Advertises vlan config information to neighboring switches
  • Allows vlan config to be done from 1 switch in the domain (dynamic)
  • Advertises VLAN ID, name and type
  • Does not forward which ports are in the vlan
  • Sends updates out all active trunk links by default
    • Without domain name switches do not send any VTP updates
  • VTP starts working when there is an active trunk link and domain name
  • Configuration
    • Vtp domain [name]
    • Show vtp status
    • Options
      • Domain – sets domain name
        • Switch can only belong to one domain
      • Password – sets password to prevent unauthorized switches from joining domain
      • Mode [server | client | transparent]
      • Version [1 | 2 | 3]
        • Can configure on server switch and will sync with other switches
        • V3 must be manually configured and have domain name configured
      • Pruning
        • Prevent flooding per-VLAN to switches that do not have the VLAN configured
        • Only applied to normal VLAN range
      • Interface
        • Sets the interface whose IP is used to identify the switch
        • Default is to use IP of lowest numbered SVI

VTPv1

Version 1 is default

  • Supports only normal vlan range

Message Types (v1 and v2)

  • Summary advertise
    • Originated by VTP server and client every 5 minutes and after each modification to vlan database
    • Carries domain name, revision number, ID of updater, timestamp, MD5 digest, password and number of subset advertisements that follow
    • Does not carry vlan database contents
  • Subset Advertise
    • Originated by server and client after modification of vlan database
    • Carries full vlan database contents
  • Advertise Request
    • Request neighbors complete vlan database or part of it
    • Request sent when switch enters client mode or client switch is restarted
  • Join
    • Every 6 seconds if VTP pruning is active

Update Process (v1 and v2)

  • Begins when a modification is made on a vlan
  • VTP server will increment revision number by 1 and advertise entire vlan database with new revision number
  • Revision number allow switches to know when vlan database changes have occurred
    • Switches replace their vlan database when a larger revision shows up

VTP Modes

  • Server
    • Default mode, with no domain name
    • Updates do not occur until a domain name is configured
  • Client
    • Will assume first received domain name
    • Default domain is NULL
  • Transparent / Off
    • Prevents switches from listening to other switches VTP updates
  • Protect VTP domain – VTP password
    • Summary adv – carries MD5 hash computed over the vlan database contents and VTP password if configured
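As an added example in Python (not from the original notes), a model of the v1/v2 update process and the checks a switch applies before replacing its vlan database: domain name must match, the MD5 over database plus password must verify, and the advertised revision must be higher. Assumed: the digest is a stand-in over a canonical string, not the real TLV encoding; switch names and VLANs are constructed.

```python
from __future__ import annotations
import hashlib
from dataclasses import dataclass, field
@dataclass
class Summary:   # summary advertisement: domain, revision, updater ID, MD5 digest
    domain: str
    revision: int
    updater: str
    md5: bytes

def vlan_db_digest(vlans: dict[int, str], password: str | None) -> bytes:
    # Assumption: real VTP hashes the encoded TLVs; a canonical string stands in here
    body = ";".join(f"{vid}:{name}" for vid, name in sorted(vlans.items()))
    return hashlib.md5(f"{body}|{password or ''}".encode()).digest()

@dataclass
class VtpSwitch:
    name: str
    mode: str = "server"            # server | client | transparent
    domain: str | None = None       # NULL until configured (or learned by a client)
    password: str | None = None
    revision: int = 0
    vlans: dict[int, str] = field(default_factory=lambda: {1: "default"})

    def add_vlan(self, vid: int, name: str) -> None:
        self.vlans[vid] = name      # local modification of the vlan database
        if self.mode == "server":   # a server increments the revision by 1
            self.revision += 1

    def advertise(self) -> tuple[Summary, dict[int, str]] | None:
        """Summary plus subset advertisement; nothing is sent without a domain name."""
        if self.mode == "transparent" or self.domain is None:
            return None
        md5 = vlan_db_digest(self.vlans, self.password)
        return Summary(self.domain, self.revision, self.name, md5), dict(self.vlans)

    def receive(self, summary: Summary, subset: dict[int, str]) -> str:
        """v1/v2 acceptance checks in order; returns the decision taken."""
        if self.mode == "transparent":
            return "ignored: transparent mode"
        if self.domain is None and self.mode == "client":
            self.domain = summary.domain  # client assumes the first domain name it sees
        if summary.domain != self.domain:
            return "ignored: domain mismatch"
        if summary.md5 != vlan_db_digest(subset, self.password):
            return "ignored: MD5/password mismatch"
        if summary.revision <= self.revision:
            return "ignored: revision not newer"
        self.vlans, self.revision = dict(subset), summary.revision
        return "accepted"
```

The password check is the only thing standing between a client and a higher-revision database from a switch outside your control, which is why the notes list it under protecting the domain.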

VTPv2

Enhanced version of v1

  • Supports token ring concentrator relay function and bridge relay function
    • Not used in ethernet based networks
  • Supports unknown TLV (Type Length Value)
    • V1 would drop unrecognized TLVs, which stopped propagation to other switches
  • Optimized vlan database consistency checking
    • Implementation optimization
    • Skips consistency check if change was received by a VTP message

VTPv3

Introduced in IOS release 12.2(52)SE

  • New server roles – Addresses problem of inadvertent rewrites to the vlan database
    • Primary – Only 1 at a time
      • Can modify VTP domain contents
      • Only switch whose vlan database is propagated through the domain
      • Database will be shared if switch agrees on domain name and ID of primary server (MAC address)
    • Secondary
      • Cannot make changes, but can be promoted
      • All other server switches in domain are secondary
    • Primary role is a runtime state. Does not get saved into configuration
    • Server role helps prevent unwanted changes to VTP domain
  • Password storage and usage improved
    • Encrypted and cannot be displayed in plaintext
    • Promotion of a secondary requires entering the password in plaintext
    • String is carried encrypted to different switches
  • Capable of distributing full range of vlans and private vlans
    • No longer need to be in transparent mode when using extended vlan range and private vlans
    • Pruning only applied to normal vlan range
  • Supports VTP off
    • Switch does not participate in VTP and drops all VTP messages
  • Distributes content of MST region config
  • Client switches cannot make changes to domain or be promoted
  • Both secondary servers and clients store a copy of the primary's vlan database and share it with neighboring servers and clients if they agree on the primary's ID
  • A secondary server or client with a higher revision number can overwrite the vlan database, but must match on domain name, primary ID and password
  • Conflicts
    • Server or client in domain having different primary server IDs
    • Conflicting switches do not sync the vlan database even if all other parameters match
  • Promotion to primary server is done in exec mode
    • Vtp primary
  • Cannot reset revision number to 0 by switching mode to transparent
    • Only will be reset by modifying the domain name or configuring password
  • On ports facing switches that cannot run v3, the port reverts to v2
    • V3 to v1 is not supported

VTP Pruning

Reduces unnecessary flooded traffic such as broadcast, multicast and flooded (unknown) unicast packets

  • Disabled by default
  • Enabling on server enables for entire domain
  • Vlans 2 – 1000 are eligible for pruning
  • Cmd: vtp pruning
