Configuring VLANs

This chapter describes how to create a virtual local-area network (VLAN) and how the VLANs work.

A VLAN is a group of end stations, independent of physical location, with a common set of requirements. For example, several end stations might be grouped as a department, such as engineering or accounting. If the end stations are located close to one another, they can be grouped into a LAN segment. If any of the end stations are on a different LAN segment, such as different buildings or locations, they can be grouped into a VLAN that has all the same attributes as a LAN even though the end stations are not all on the same LAN segment. The information identifying a packet as part of a specific VLAN is preserved across a Catalyst 5000 series switch connection to a router or other switch.

Creating a VLAN Across a Domain

To define the VLAN, indicate the VLAN number, name, type, maximum transmission unit, security association identifier (SAID), state, ring number, bridge identification number, and number to indicate whether source routing should be set to transparent or bridging. For more information on the commands for creating VLANs, refer to the Catalyst 5000 Series Command Reference publication.

Procedure

To create a VLAN across a networking domain, perform these steps in privileged mode:

Task Command
Step 1 Define the VLAN management domain. set vtp [domain name] [mode mode] [interval interval]
[passwd passwd]
Step 2 Define the VLAN. set vlan vlan_num [name name] [type type] [mtu mtu] [said said] [state state] [ring ring_number] [bridge bridge_number] [parent vlan_num] [stp stp_type] [translation vlan_num]

Verification

Grouping Switch Ports to VLANs

A VLAN created in a management domain remains unused until it is mapped to Catalyst 5000 series switch ports. The set vlan command maps VLANs to ports. The default configuration has all switched Ethernet ports on VLAN 1. You can enter groups of ports as individual entries, for example, 2/1, 3/3, 3/4, 3/5, or in a hyphenated format, for example, 2/1, 3/3-5. Figure 9-1 shows a local VLAN configuration that groups switch ports into VLAN 10 and VLAN 20.


Figure 9-1: Local VLAN Configuration



Procedure

To create a VLAN, perform the following task in privileged mode:

Task Command
Define the VLAN and indicate the included ports. set vlan vlan_num mod_num/port_num

Note When assigning a VLAN for Fiber Distributed Data Interface (FDDI) ports, you can designate port 1 or port 2 of the FDDI port; both are automatically assigned the same VLAN. However, if you view the VLAN configuration, by entering the show port command, only port 1 is displayed. Recall that port 2 belongs to the same VLAN.

After entering the set vlan command, you see this display:

system1> (enable) set vlan 10 2/1-4
VLAN 10 modified.
VLAN 1 modified.
VLAN    Mod/Ports
10      2/1-4
system1> (enable) set vlan 20 2/5-24
VLAN 20 modified.
VLAN 1 modified.
VLAN    Mod/Ports
20      2/5-24

Verification

To verify that the VLAN configuration is correct, enter the show vlan command. After entering the show vlan command, you see this display:

system1> (enable) show vlan
VLAN    Mod/Ports
----    ---------------------------------------------------------------------
1       1/1-2
10      2/1-4
20      2/5-24
system1> (enable) 

Note To set up a FDDI 802.10 VLAN configuration, refer to "Setting Up an FDDI 802.10 Configuration" in "Configuring the CDDI/FDDI Module."

Configuring VLAN Trunks

A trunk physically links two Catalyst 5000 series switches or Catalyst 5000 series switches and routers. Trunks carry the traffic of multiple VLANs and allow you to extend VLANs from one Catalyst 5000 switch to another.

Enter the set trunk command to configure trunks on ports or to configure the mode for the trunk: on, off, desirable, or auto. Set the trunk to on to make the port a trunk port and off to make the port a nontrunk port. Set the trunk to desirable to make the port a trunk port if the port it is connecting to allows trunking. Set the trunk to auto to make the port a trunk port if the port it is connected to becomes set for trunking. Port 1 on module 1 is configured as a trunk.

To establish a trunk, you must configure the port on each Catalyst 5000 series switch as a trunk port. For more information, refer to the Catalyst 5000 Series Command Reference publication.

Procedure

To establish trunks, perform these steps in privileged mode:

Task Command
Step 1 Establish trunks on specific ports. set trunk mod_num/port_num {on | off | desirable | auto} [vlans]
Step 2 Verify that the trunk configuration is correct. show trunk

After entering the set trunk command, you see this display:

Console> (enable) set trunk 1/2 5
Port 1/2 allowed vlans modified to 1-5.
Console> (enable) set trunk 1/1 desirable
Port 1/1 mode set to desirable.
Port 1/1 has become a trunk.

Verification

To verify the VLAN trunk configuration, enter the show trunk command. After entering the show trunk command, you see this display:

Console> (enable) show trunk
Port     Mode       Status        
-------  ---------  ------------  
1/1      desirable  trunking      
1/2      auto       not-trunking  
3/1      auto       not-trunking  
3/2      auto       not-trunking  
3/3      auto       not-trunking  
Port     Vlans allowed
-------  ---------------------------------------------------------------
1/1      1-1000
1/2      1-5
3/1      1-1000
3/2      1-1000
3/3      1-1000
Port     Vlans active
-------  ---------------------------------------------------------------
1/1      1,55
1/2      1
3/1      1
3/2      1
3/3      1
Console> (enable)

How VLAN Trunks Work

With VLAN trunks, you can connect switches to each other and to routers using high-speed interfaces. The Catalyst 5000 series switch can multiplex up to 1000 VLANs between switches and routers by using Inter-Switch Link (ISL) on Fast Ethernet, LAN emulation on Asynchronous Transfer Mode (ATM), or 802.10 on FDDI. You can use any combination of these trunk technologies to form enterprise-wide VLANs and choose between low-cost copper and long-distance fiber connections for your trunks.

Load sharing allows VLAN traffic on parallel Fast Ethernet ISL trunks to be split between multiple trunks. By setting Spanning-Tree Protocol parameters on a VLAN basis, you can define which VLANs have priority access to a trunk and which use the trunk as a backup when another trunk fails.

In Spanning-Tree Protocol (STP), low integer values have the highest priority. Therefore, when you assign spanning-tree port priorities lower than the default value of 32 to VLANs, the traffic of those VLANs travels on the trunk with the lowest integer value. You must set the spanning-tree port priority to the same value at both ends of each trunk on each Catalyst 5000 series switch.

Figure 9-2 illustrates two trunks that are connected to the ports of supervisor engine modules on two Catalyst 5000 series switches. The port cost of carrying VLAN traffic across these trunks is equal.

This splits VLAN traffic between the two trunks and increases the throughput capacity and fault tolerance between Catalyst 5000 series switches; trunk 1 carries traffic for VLANs 8 through 10, and trunk 2 carries traffic for VLANs 3 through 6. If either trunk fails, the remaining trunk carries the traffic for all of the VLANs.

Caution  The port cost of a VLAN must be equal on all parallel trunks when setting port priority for load sharing.

Figure 9-2: Spanning-Tree Load Sharing Using VLAN Trunks



Configuring VLAN Trunk Protocol

VLAN Trunk Protocol (VTP) is a Layer 2 messaging protocol that maintains VLAN configuration consistency throughout the network. VTP manages the addition, deletion, and renaming of VLANs at the system level. This protocol allows you to manage VLANs on a network-wide basis and make central changes that are automatically communicated to all the other switches in the network without requiring manual intervention at each switch. In addition, VTP minimizes possible configuration inconsistencies that arise when inappropriate changes are made. These inconsistencies can result in security violations because VLANs become cross-connected when duplicate names are used and internally disconnected when VLANs are incorrectly mapped between one LAN type and the other.

VTP is disabled by default on the Catalyst 5000 series ATM switch and must be explicitly enabled. VTP works only with the Network Management Processor (NMP) software release 2.1 or later and ATM software release 3.1 or later. For more information, refer to the Catalyst 5000 Series Command Reference publication.

Prerequisites

The following prerequisites apply when configuring VTP:

Procedure

To configure VTP, perform this task:

Task Command
Define a VLAN management domain. set vtp [domain domain_name] [mode mode] [interval interval] [passwd passwd]

After entering the set vtp command, you see this example display:

Console (enable) set vtp
Usage:
set vtp [domain <name>] [mode <mode> [interval <interval>] [passwd <passwd>]
(name: 120-160 characters, mode = (client, server, transparent), interval = 1-300 sec, passwd : 0-64 characters)
Console> (enable) set vtp domain catbox mode client interval 160
VTP: domain catbox modified
Console> (enable)

To disable VTP, use the set vtp domain domain_name mode transparent command. Setting the mode to transparent does not remove the domain name from the switch, but it disables VTP for that domain. To remove the domain name, use the clear config all command.

Verification

Enter these commands to verify your VTP configuration:

After entering the command, you see this display:
console> show vtp domain
Domain Name        Domain Index  VTP Version  Local Mode
-----------------  ------------  -----------  ----------
Engineering        1             1            client
Advt Interval  Vlan-count  Max-vlan-storage  Config Revision  Notifications
-------------  ----------  ----------------  ---------------  -------------
300            5           1023              0                disabled
Last Updater     Pruning   PruneEligible on Vlans
---------------  --------  ----------------------------------------
172.20.26.151    disabled  2-1000

After entering the command, you see this display:

Console> (enable) show vlan
VLAN Name                       Type  Status    Mod/Ports
---- -------------------------- ----- --------- ----------------
1    default                    enet  active    2/1-24
                                                3/1-12
                                                4/13-48
3    vlan3                      enet  active    
55   vlan55                     enet  active    
66   vlan66                     fddi  active    
88   vlan88                     tring active    
99   vlan99                     fddi  active    
1002 fddi-default               fddi  active    
1003 token-ring-default         tring active    
1004 fddinet-default            fdnet active    
1005 trnet-default              trnet active    
VLAN SAID       MTU   RingNo BridgeNo StpNo Parent Trans1 Trans2
---- ---------- ----- ------ -------- ----- ------ ------ ------
1    100001     1500  0      0        0     0      0      0
3    100003     1500  0      0        0     0      0      0
55   100055     1500  0      0        0     0      0      0
66   100066     4500  500    0        0     500    0      0
88   100088     1500  0      0        0     0      0      0
99   100099     1500  0      0        0     0      0      0
1002 101002     4500  0      0        0     0      1      1003
1003 101003     4500  0      0        0     0      1      1002
1004 101004     4500  0      1004     0     0      0      0
1005 101005     4500  0      1005     0     0      0      0
Console>

For more information, refer to the Catalyst 5000 Series Command Reference publication.

How VTP Works

Using VTP, each Catalyst 5000 series switch advertises on its trunk ports its management domain, its configuration revision number, and its known VLANs with their specific parameters. A VTP domain is made up of one or more interconnected devices that share the same VTP domain name. A switch can be configured to be in one and only one VTP domain.

VTP servers and clients maintain all VLANs everywhere within the VTP domain. A VTP domain defines the boundary of the specified VLAN. Servers and clients also transmit information through trunks to other attached switches and receive updates from those trunks.

VTP servers either maintain information in nonvolatile memory or access it using Trivial File Transfer Protocol (TFTP). Using VTP servers, you can modify the global VLAN information using either the VTP Management Information Base (MIB) or the command-line interface (CLI). When VLANs are added and advertised, both servers and clients are notified that they should be prepared to receive traffic on their trunk ports. A VTP server can also instruct a switch to delete a VLAN and disable all ports assigned to it.

The advertisement frames are sent to a multicast address so that they can be received by all neighboring devices, but they are not forwarded by normal bridging procedures. All devices in the same management domain learn about any new VLANs configured in the transmitting device. Because of this process, you need to configure a new VLAN only on one device in the management domain. All other devices in the same management domain automatically learn the configured information. VTP is transmitted on all trunk connections, including ISL, 802.10, and LAN Emulation (LANE).

A new VLAN is indicated by a VTP advertisement received by a device running VTP. Devices then accept the traffic of the new VLAN and propagate it to their trunks after adding the VTP-learned VLANs to their trunks. The VTP pruning protocol (see "Configuring VTP Pruning" in this chapter) limits the extent of this forwarding to areas of the network where the VLAN extends, based on VLAN membership resident within the switch.

Using periodic advertisements, VTP tracks configuration changes and communicates them to other switches in the network. When a new switch is added to the network, the added device receives updates from VTP and automatically configures the existing VLANs within the network. VTP also dynamically maps VLANs across multiple LAN types with unique names and internal index associations. Mapping eliminates excessive device administration required from network administrators.

VTP establishes global configuration values and distributes the following global configuration information:

The VTP MIB provides the Simple Network Management Protocol (SNMP) instrumentation for the VTP, allowing the reading and setting of specific VTP parameters.

Configuring VTP Pruning

VTP pruning enhances network bandwidth use by reducing unnecessary flooded traffic, which includes broadcast, multicast, unknown, and flooded unicast packets. This feature restricts flooded traffic to only those trunk links that the traffic must use to access the appropriate network devices, increasing available bandwidth.

By default, VTP pruning is disabled in a management domain. Make sure that all devices in the management domain support VTP pruning before enabling it. VTP pruning is supported in software release 2.3 or later.

VTP pruning, even if enabled, does not take effect on a VLAN that is not pruning-eligible. By default, VLAN 1 is not pruning-eligible, while VLANs 2 through 1000 are pruning-eligible. To enable pruning eligibility, enter the set vtp pruneeligible command. To disable pruning eligibility, enter the clear vtp pruneeligible command. You can invoke these commands independently of the pruning mode. Pruning eligibility resides on the local device only.

You can set the pruning enable or pruning disable option at any VTP server, and propagation takes effect on all devices in the same management domain.

After enabling pruning, you must assign a domain name for VTP pruning to take effect. For information on assigning a domain name, refer to the "Configuring VLAN Trunk Protocol" section in this chapter.

VTP pruning takes effect several seconds after configuration. To configure VTP pruning, you must enter the pruning enable option of the set vtp command.

Procedure

To configure VTP pruning, perform the following steps:

Task Command
Step 1 Enable the VTP pruning option. set vtp [domain domain_name] [mode mode_type] [passwd passwd] pruning enable
Step 2 Disable the VLAN pruning eligibility. clear vtp pruneeligible vlan_range
Step 3 Enable VTP pruning eligibility. set vtp pruneeligible vlan_range
Step 4 Disable the VTP pruning option. set vtp [domain domain_name] [mode mode_type] [passwd passwd] pruning disable

After entering the clear vtp pruneeligible and set vtp pruneeligible commands, you see this display:

console> clear vtp pruneeligible 2,3,6-8,100-200
Vlans 1-3,6-8,100-200 will not be pruned on this device.
console> set vtp pruneeligible 120,150
Vlans 4-5,9-99,120,150,201-1000 eligible for pruning on this device.

The second command specifies VLANs 120 and 150 as eligible for pruning. Its output lists all pruning-eligible VLANs on this device.
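The two commands above operate on a set of VLAN numbers and print the complement or the resulting set as collapsed ranges. The following added example (not Catalyst software, and not from this chapter) models that bookkeeping in Python: it parses VLAN range strings in the switch's syntax, applies clear vtp pruneeligible and set vtp pruneeligible to a local eligibility set that starts from the chapter's default (VLAN 1 not eligible, VLANs 2 through 1000 eligible), and formats the result the way the switch displays it. The class and function names are this example's own; the VLAN limit of 1000 is taken from the chapter.

```python
# Added example: models the local pruning-eligibility set that the
# set/clear vtp pruneeligible commands modify. Not Cisco code.
MAX_VLAN = 1000  # the chapter's VLAN range is 1-1000


def parse_vlan_range(spec):
    """'2,3,6-8,100-200' -> {2, 3, 6, 7, 8, 100, ..., 200}."""
    vlans = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        lo, _, hi = part.partition("-")
        lo = int(lo)
        hi = int(hi) if hi else lo
        if not 1 <= lo <= hi <= MAX_VLAN:
            raise ValueError(f"VLAN range out of bounds: {part!r}")
        vlans.update(range(lo, hi + 1))
    return vlans


def format_vlan_range(vlans):
    """{1, 2, 3, 6, 7, 8} -> '1-3,6-8', the collapsed form the switch prints."""
    runs = []
    for v in sorted(vlans):
        if runs and runs[-1][1] == v - 1:
            runs[-1][1] = v          # extend the current run
        else:
            runs.append([v, v])      # start a new run
    return ",".join(str(a) if a == b else f"{a}-{b}" for a, b in runs)


class PruneEligibility:
    """Local pruning-eligibility state of one switch (example model)."""

    def __init__(self):
        # Chapter default: VLAN 1 is not eligible, VLANs 2-1000 are.
        self.eligible = set(range(2, MAX_VLAN + 1))

    def clear(self, spec):
        """clear vtp pruneeligible <range>: returns the VLANs that will not be pruned."""
        self.eligible -= parse_vlan_range(spec)
        return self.not_pruned()

    def set(self, spec):
        """set vtp pruneeligible <range>: returns the VLANs eligible for pruning."""
        self.eligible |= parse_vlan_range(spec)
        return self.eligible_vlans()

    def not_pruned(self):
        return format_vlan_range(set(range(1, MAX_VLAN + 1)) - self.eligible)

    def eligible_vlans(self):
        return format_vlan_range(self.eligible)


if __name__ == "__main__":
    sw = PruneEligibility()
    print("Vlans", sw.clear("2,3,6-8,100-200"), "will not be pruned on this device.")
    print("Vlans", sw.set("120,150"), "eligible for pruning on this device.")
```

Run as a script, the two printed lines reproduce the chapter's console output. The example does not model whether VLAN 1 can be made eligible, since the chapter only states its default.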

Verification

console> show vtp domain
Domain Name        Domain Index  VTP Version  Local Mode
-----------------  ------------  -----------  ----------
WBU                1             1            client
Vlan-count  Max-vlan-storage  Config Revision  Notifications
----------  ----------------  ---------------  -------------
6           1023              23               disabled
Last Updated     Pruning   PruneEligible on Vlans
---------------  --------  ------------------------------
172.20.26.151    enabled   4-5,9-99,120,150,201-1000

Console> (enable) show trunk 2/2
Port      Mode       Status
--------  ---------  ------------
 2/2      on         trunking
 
Port      Vlans allowed on trunk
--------  -----------------------------------------------
 2/2      1-1000
 
Port      Vlans allowed and active in management domain
--------  -----------------------------------------------
 2/2      1,10,20,30,40,50,100
 
Port      Vlans supported on trunk after pruning
--------  --------------------------------------------------
 2/2      1,40,50

The last row in the show trunk display shows the VLANs that are not pruned on the trunk port 2/2. In this example, VLANs 1, 40, and 50 are not pruned, and VLANs 10, 20, 30, and 100 are pruned.

console> show vtp statistics
VTP statistics:
summary advts received         17
subset advts received          20
request advts received         0
summary advts transmitted      5
subset advts transmitted       14
request advts transmitted      4
No of config revision errors   0
No of config digest errors     0
VTP pruning statistics:
                                                 Summary advts received from
Trunk   Join transmitted   Join received         non-pruning-capable device
1/1     303                312                   0
1/2     353                0                     8

How VTP Pruning Works

VTP pruning allows you to forward traffic only on those trunks necessary for access to the appropriate network devices. Refer to Figure 9-3 and Figure 9-4. The Catalyst 5000 series switches are connected by trunks that also are spanning-tree forwarding paths.


Figure 9-3:

Nonoptimal Flooding Traffic without VTP Pruning

In Figure 9-3, VTP pruning is not configured. The switch fabric consists of six Catalyst 5000 series switches, shown as Switches 1 through 6. Port 1 on Switch 1 and port 2 on Switch 4 are associated with the Red VLAN. The flooded traffic from port 1 on Switch 1 to port 2 on Switch 4 is forwarded to all switches, even though Switches 3, 5, and 6 have no ports on the Red VLAN.

Refer to Figure 9-4, in which VTP pruning is enabled.


Figure 9-4:

Optimized Flooding Traffic with VTP Pruning

In Figure 9-4, the broadcast traffic from port 1 on Switch 1 to port 2 on Switch 4 is not forwarded to Switches 3, 5, and 6, because the traffic is pruned on the specified ports. Switches 3, 5, and 6 have no ports on the Red VLAN, and VTP pruning has reduced the unnecessary flooding storm to switches not associated with the Red VLAN.

Configuring Dynamic Port VLAN Membership

You can assign dynamic ports to a VLAN based on the source Media Access Control (MAC) address of the hosts connected to that port. On dynamic ports, you can move a connection from a port on one switch to a port on another switch in the network. This section describes how to set up dynamic ports, including the configuration of the VLAN Membership Policy Server (VMPS), which has a database of MAC address-to-VLAN mappings necessary for setting up dynamic ports.

To configure dynamic port VLAN membership, complete the following tasks in this section:

Configuring the VLAN Membership Policy Server

The database of MAC address-to-VLAN mappings enables your workstation to be placed into the correct VLAN. You must configure the VMPS before configuring a port as dynamic.

Prerequisites

Before configuring the VMPS, you must perform the following tasks:

Procedure

When you enable the VMPS, it begins to download the configuration information from the TFTP server. After a successful download, the VMPS task is started, and it accepts the VMPS requests. To enable the VMPS, use the following procedure:

Task Command
Step 1 Configure the IP address of the TFTP server on which the ASCII file resides. set vmps tftpserver ip_addr [filename]
Step 2 Enable VMPS. set vmps state {enable | disable}

After entering the set vmps state enable command, you see this display:

Console(enable)> set vmps state enable
Vlan Membership Policy Server enable is in progress.

The set vmps state enable command sets the VMPS state in nonvolatile RAM to enable. If the VMPS was previously disabled, this command initiates a background task to begin the database download. After a successful database download, this command sets the operational status to active.

Console(enable)> set vmps state disable
All the VMPS configuration information will be lost and the resources released on disable.
Do you want to continue (y/n[n]): yes
Vlan Membership Policy Server disabled.

For more information, refer to the Catalyst 5000 Series Command Reference publication.

Verification

Enter the following commands to verify the status of port VLAN membership.

For more information, refer to the Catalyst 5000 Series Command Reference publication.

Error Messages

Table 9-1 shows sample error messages and actions you need to take after entering the set vmps state {enable | disable} command.


Table 9-1: Error Messages for set vmps state {enable | disable} Command

Error Message:
Console(enable)> set vmps state enable
TFTP server IP address is not configured.
Recommended Action:
Enter the set vmps tftpserver ip_addr [filename] command and configure the TFTP server address.

Error Message:
Console(enable)> set vmps state enable
Unable to contact the TFTP server 198.4.254.222.
Recommended Action:
Enter the set route command to reach the TFTP server.

Error Message:
Console(enable)> set vmps state enable
File "vmps_configuration.db" not found on the TFTP server 198.4.254.222.
Recommended Action:
Create a configuration file in the file server.

Error Message:
Console(enable)> set vmps state enable
Enable failed due to insufficient resources.
Recommended Action:
The Catalyst 5000 series switch does not have sufficient resources to run the database. You can fix this problem by increasing the dynamic random-access memory (DRAM).

Table 9-2 shows sample error messages and actions you need to take after entering the download vmps command.


Table 9-2: Error Messages for download vmps Command

Error Message:
Console(enable)> download vmps
TFTP server IP address is not configured.
Recommended Action:
Enter the set vmps tftpserver ip_addr [filename] command and configure the TFTP server address.

Error Message:
Console(enable)> download vmps
Unable to contact the TFTP server 198.4.254.222.
Recommended Action:
Enter the set route command to reach the TFTP server. This message is printed to the syslog server.

Error Message:
Console(enable)> download vmps
File "vmps_configuration.db" not found on the TFTP server 198.4.254.222.
Recommended Action:
Create a configuration file in the file server. This message is printed to the syslog server.

VMPS File

The following describes the parameters in the configuration file. A sample VMPS configuration file is shown in the next section, "Example VMPS Configuration File."

Example VMPS Configuration File

!vmps domain <domain-name>
! The VMPS domain must be defined.
!vmps mode { open | secure }
! The default mode is open.
!vmps fallback <vlan-name>
!vmps no-domain-req { allow | deny }
!
! The default value is allow.
vmps domain WBU
vmps mode open
vmps fallback default
vmps no-domain-req deny
!
!
!MAC Addresses
!
vmps-mac-addrs
!
! address <addr> vlan-name <vlan_name>
!
address 0012.2233.4455 vlan-name hardware
address 0000.6509.a080 vlan-name hardware
address aabb.ccdd.eeff vlan-name Green
address 1223.5678.9abc vlan-name ExecStaff
address fedc.ba98.7654 vlan-name --NONE--
address fedc.ba23.1245 vlan-name Purple
!
!
!Port Groups
!
!vmps-port-group <group-name>
! device <device-id> { port <port-name> | all-ports }
!
vmps-port-group WiringCloset1
 device 198.92.30.32 port 3/2
 device 172.20.26.141 port 2/8
vmps-port-group "Executive Row"
 device 198.4.254.222 port 1/2
 device 198.4.254.222 port 1/3
 device 198.4.254.223 all-ports
!
!
!VLAN groups
!
!vmps-vlan-group <group-name>
! vlan-name <vlan-name>
!
vmps-vlan-group Engineering
vlan-name hardware
vlan-name software
!
!
!VLAN port Policies
!
!vmps-port-policies {vlan-name <vlan_name> | vlan-group <group-name> }
! { port-group <group-name> | device <device-id> port <port-name> }
!
vmps-port-policies vlan-group Engineering
 port-group WiringCloset1
vmps-port-policies vlan-name Green
 device 198.92.30.32 port 4/8
vmps-port-policies vlan-name Purple
 device 198.4.254.22 port 1/2
 port-group "Executive Row"

How the VMPS Works

After you enable VMPS by entering the set vmps state {enable | disable} command, the configuration information is downloaded from a TFTP server, and the VMPS begins to accept requests from clients. Upon subsequent resets of the Catalyst 5000 series switches, the configuration information is downloaded automatically from a TFTP server, and the VMPS is enabled.

The VMPS opens a User Datagram Protocol (UDP) socket to communicate with clients and listen to client requests. Upon receiving a valid request from a client, the VMPS searches its database for a MAC address-to-VLAN mapping. If the assigned VLAN is restricted to a group of ports, the VMPS verifies the requesting port against this group. If the VLAN is legal on this port, the VLAN name is passed in the response. If the VLAN is illegal on that port and the VMPS is not in secure mode, it sends an access denied response. If the VMPS is in secure mode, it sends a port shutdown response.

If the VLAN from the table does not match the current VLAN on the port and there are active hosts on the port, the VMPS sends an access denied or a port shutdown response based on the secure mode of the VMPS.

You can configure a fallback VLAN name into the VMPS. If the requested MAC address is not in the table, the VMPS sends the fallback VLAN name in response. If you do not configure a fallback VLAN and the MAC address does not exist in the table, the VMPS sends an access denied response. If the VMPS is in secure mode, it sends a port shutdown response.

You can also make an explicit entry in the configuration table to deny access to specific MAC addresses for security reasons by specifying a --NONE-- keyword for the VLAN name. In this case, the VMPS sends an access denied or port shutdown response.
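The response rules described in this section (table lookup, fallback VLAN, the --NONE-- deny entry, port-group restrictions, and the open versus secure distinction) can be checked against a configuration file before it is deployed. The following added example, which is not Cisco code and not part of this chapter, reads an excerpt of the example VMPS file shown earlier (constructed here as an inline string) and answers client queries the way this section describes. The parser, the VmpsDb record and the vmps_lookup function are this example's own names; the query parameters (MAC address, requesting device and port, current VLAN, whether hosts are active) are the inputs this section says the VMPS reasons about, and the response labels ALLOW, ACCESS_DENIED and PORT_SHUTDOWN are this example's names for the three responses.

```python
# Added example: a model of the VMPS decision described in "How the VMPS Works".
# Not Cisco code; the file excerpt below is constructed from the chapter's sample.
import shlex
from dataclasses import dataclass, field
from typing import Optional

SAMPLE_VMPS_FILE = """\
vmps domain WBU
vmps mode open
vmps fallback default
vmps no-domain-req deny
!
vmps-mac-addrs
address 0012.2233.4455 vlan-name hardware
address aabb.ccdd.eeff vlan-name Green
address fedc.ba98.7654 vlan-name --NONE--
address fedc.ba23.1245 vlan-name Purple
!
vmps-port-group WiringCloset1
 device 198.92.30.32 port 3/2
 device 172.20.26.141 port 2/8
vmps-port-group "Executive Row"
 device 198.4.254.222 port 1/2
 device 198.4.254.223 all-ports
!
vmps-vlan-group Engineering
 vlan-name hardware
 vlan-name software
!
vmps-port-policies vlan-group Engineering
 port-group WiringCloset1
vmps-port-policies vlan-name Green
 device 198.92.30.32 port 4/8
vmps-port-policies vlan-name Purple
 device 198.4.254.222 port 1/2
 port-group "Executive Row"
"""


@dataclass
class VmpsDb:
    domain: str = ""
    mode: str = "open"                    # open | secure
    fallback: Optional[str] = None        # VLAN for MACs not in the table
    mac_to_vlan: dict = field(default_factory=dict)  # mac -> vlan name
    port_groups: dict = field(default_factory=dict)  # group -> {(device, port|'all-ports')}
    vlan_groups: dict = field(default_factory=dict)  # group -> {vlan names}
    policies: dict = field(default_factory=dict)     # vlan -> allowed ports; absent = any port


def parse_vmps_file(text):
    """Build the lookup database from the ASCII file format shown in the chapter."""
    db = VmpsDb()
    section = None  # the block that indented member lines belong to
    for raw in text.splitlines():
        line = raw.split("!", 1)[0].strip()  # '!' starts a comment
        if not line:
            continue
        tok = shlex.split(line)  # keeps "Executive Row" as one token
        kw = tok[0]
        if kw == "vmps":
            section = None
            if tok[1] == "domain":
                db.domain = tok[2]
            elif tok[1] == "mode":
                db.mode = tok[2]
            elif tok[1] == "fallback":
                db.fallback = tok[2]
        elif kw == "vmps-mac-addrs":
            section = ("macs", None)
        elif kw == "address":
            db.mac_to_vlan[tok[1].lower()] = tok[3]
        elif kw == "vmps-port-group":
            section = ("port-group", tok[1])
            db.port_groups.setdefault(tok[1], set())
        elif kw == "vmps-vlan-group":
            section = ("vlan-group", tok[1])
            db.vlan_groups.setdefault(tok[1], set())
        elif kw == "vmps-port-policies":
            vlans = {tok[2]} if tok[1] == "vlan-name" else set(db.vlan_groups.get(tok[2], ()))
            section = ("policy", vlans)
            for v in vlans:
                db.policies.setdefault(v, set())
        elif kw == "vlan-name" and section and section[0] == "vlan-group":
            db.vlan_groups[section[1]].add(tok[1])
        elif kw in ("device", "port-group") and section:
            if kw == "device":
                members = {(tok[1], "all-ports" if tok[2] == "all-ports" else tok[3])}
            else:
                members = db.port_groups.get(tok[1], set())
            if section[0] == "port-group":
                db.port_groups[section[1]] |= members
            elif section[0] == "policy":
                for v in section[1]:
                    db.policies[v] |= members
    return db


def vmps_lookup(db, mac, device, port, current_vlan=None, active_hosts=False):
    """Answer one client query: ('ALLOW', vlan) or ('ACCESS_DENIED' | 'PORT_SHUTDOWN', None)."""
    refuse = ("PORT_SHUTDOWN" if db.mode == "secure" else "ACCESS_DENIED", None)
    vlan = db.mac_to_vlan.get(mac.lower(), db.fallback)  # unknown MAC -> fallback, if any
    if vlan is None or vlan == "--NONE--":               # no mapping, or explicitly denied
        return refuse
    allowed = db.policies.get(vlan)
    if allowed is not None and (device, port) not in allowed and (device, "all-ports") not in allowed:
        return refuse                                    # VLAN restricted to other ports
    if active_hosts and current_vlan is not None and current_vlan != vlan:
        return refuse                                    # port already has hosts in another VLAN
    return ("ALLOW", vlan)
```

A useful pre-deployment check is to run every MAC in the table through vmps_lookup for the ports it is expected to appear on and confirm that the only refusals are the ones the --NONE-- entries and port-group restrictions are meant to produce; switching db.mode to secure shows which of those refusals would shut a port down rather than merely deny access.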

Troubleshooting

After the VMPS successfully downloads the ASCII configuration file, it parses the file and builds a database. The VMPS outputs the statistics about the total number of lines parsed and the number of parsing errors. Set the syslog level for VMPS to 3 to obtain more information on the errors.

Configuring Dynamic Ports on Clients

To configure dynamic port VLAN membership on a client, use the following procedure:

Prerequisites

The following prerequisites apply to configuring dynamic ports:

Procedure

To configure dynamic ports on clients, perform the following steps.

Task Command
Step 1 Configure the VMPS IP address to be queried on the client. set vmps server ip_addr [primary]
Step 2 Configure the VLAN membership assignment to a port. set port membership mod_num / port_num.. {dynamic | static}

Verification

console (enable)> show vmps server
VMPS domain server        VMPS Status
---------------------------------------
192.0.0.6
192.0.0.1                 primary
192.0.0.9

Suppose you enter the following commands:

console (enable) > set port membership help
Usage: set port membership < mod_num / port_num..> < dynamic | static >
console (enable) > set port membership 3/1-3 dynamic
Ports 3/1-3 vlan assignment set to dynamic.
Spantree port fast start option enabled for ports 3/1-3.
console (enable) > set port membership 1/2 dynamic
Trunking port 1/2 vlan assignment cannot be set to dynamic.
console (enable) > set port membership 2/1 dynamic
ATM LANE port 2/1 vlan assignment can not be set to dynamic.

After entering the set port membership command followed by the show port command, you see the following display:

console> show port
Port  Name  Status   Vlan    Level   Duplex  Speed  Type
1/1         connect  dyn-3   normal  full    100    100 BASE-TX
1/2         connect  trunk   normal  half    100    100 BASE-TX
2/1         connect  trunk   normal  full    155    OC3 MMF ATM
3/1         connect  dyn-5   normal  half    10     10 BASE-T
3/2         connect  dyn-5   normal  half    10     10 BASE-T
3/3         connect  dyn-5   normal  half    10     10 BASE-T

Note The show port command displays dyn- (with no VLAN number) in the Vlan column for a dynamic port that has not yet been assigned a VLAN.

Troubleshooting

A port may shut down under the following circumstances:

If a dynamic port shuts down, enter the set port enable mod_num/port_num to reenable the port.

Example Configuration Assumptions

Refer to Figure 9-5. For this example, the following assumptions apply:

Example


Figure 9-5: Dynamic Port VLAN Membership Configuration

Example Configuration Procedure

Use the following procedure to configure the VMPS and dynamic ports:

Step 1 Configure Switch 1 as the primary VMPS, by performing the following tasks on Switch 1:

After entering these commands, the file Bldg-G.db is downloaded to Switch 1. Switch 1 becomes the VMPS server.


Step 2 Configure dynamic ports on the clients, Switch 2, and Switch 9, by performing the following tasks:

Entering this command on Switch 2 designates the VMPS switch to be queried. The primary switch option configures Switch 1 as the primary VMPS.


Switch 1, Switch 3, and Switch 10 are configured as VMPSs. Switch 1 is the primary VMPS. Switch 3 and Switch 10 are secondary servers. All the switches are clients.


Suppose you connect End Station 2 on port 3/1. When End Station 2 sends a packet, Switch 2 sends a query to the primary VMPS, Switch 1. Switch 1 responds with a VLAN that is assigned to port 3/1. Because Spanning-Tree Protocol (Portfast mode) is enabled by default for dynamic ports, port 3/1 is immediately connected and enters forwarding mode.


Step 3 Configure dynamic ports on Switch 9 by repeating Step 2 for Switch 9.

How Dynamic Port VLAN Membership Works

Dynamic ports work in conjunction with the VMPS, which holds a database of MAC address-to-VLAN mappings. This section describes dynamic port behavior and the interaction of dynamic port VLAN membership with other features.

On the current Catalyst 5000 series switch hardware platform, a dynamic (nontrunking) port can belong to only one VLAN at a time. Upon link-up, a dynamic port is isolated from its static VLAN. The source MAC address from the first packet of a new host on the dynamic port is sent to the VMPS, which provides the VLAN number to which this port must be assigned. When a new host sends a packet on a dynamic port, the packet is detected by the Network Management Processor (NMP). The NMP, using status information from the host packet, sends a query to the VMPS and then the VMPS responds with options. For example, suppose the NMP sends a query to the VMPS, and the VMPS response is "Place port in VLAN X." The port is then placed in VLAN X if the response is valid. At this point, the host is connected to VLAN X through the switch fabric.

Multiple hosts (MAC addresses) can be active on a dynamic port, provided they are all in the same VLAN. Upon link-down, a dynamic port is moved back to a state in which it is isolated from other VLANs, and the port ends in its initial state. Any hosts that come online through this port are detected by the NMP and then checked with the VMPS before these hosts are allowed network VLAN connectivity.

Dynamic port VLAN membership interacts with the following features:

When a port becomes dynamic, spanning-tree portfast is automatically enabled for that port. Portfast-enabled dynamic ports that are moved to a new VLAN are placed in forwarding mode and participate in spanning tree. Automatic enabling of portfast lets a host connect to the network quickly, so applications on the host do not time out, while spanning tree still prevents loops caused by incorrect configurations. If desired, you can disable spanning-tree portfast mode on a dynamic port.
A host can move from a dynamic port to a static port on the same VLAN. When a host moves from a static port to an operational dynamic port on the same VLAN in less than five minutes, it immediately connects to that VLAN. When the NMP detects this event at a later time, it checks with the VMPS about the legality of the specific host on the dynamic port.
Static secure ports cannot become dynamic ports. You must turn off security on the static secure port before it can become dynamic.
Static ports that are trunking cannot become dynamic ports. You must first turn off trunking on the trunk port before changing it from static to dynamic.

Note The management domain and the management VLAN of the client and the server must be the same.
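The dynamic-port behaviour described above (isolated on link-up, the first packet's source MAC checked against the VMPS database, several hosts allowed only when they share one VLAN, secure and trunk ports excluded from becoming dynamic) written out as an added Python model. This is illustration code, not Cisco's or CatOS code: the VMPS and DynamicPort classes, the MAC addresses and the VLAN numbers are constructed, and the refusal of a host that the VMPS maps to a VLAN other than the port's current one is an assumption, since the chapter does not say what the switch does in that case.

```python
"""Model of dynamic port VLAN membership (added example, not Cisco code)."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


class VMPS:
    """The VMPS database: MAC address -> VLAN number (constructed sample data)."""

    def __init__(self, mac_to_vlan: Dict[str, int]) -> None:
        self.db = {mac.lower(): vlan for mac, vlan in mac_to_vlan.items()}

    def query(self, mac: str) -> Optional[int]:
        """Answer an NMP query: the VLAN for this MAC, or None if the host is unknown."""
        return self.db.get(mac.lower())


@dataclass
class DynamicPort:
    name: str
    vmps: VMPS
    secure: bool = False        # a static secure port cannot become dynamic
    trunking: bool = False      # a trunk port cannot become dynamic
    vlan: Optional[int] = None  # None = isolated, no VLAN assigned yet
    hosts: Set[str] = field(default_factory=set)

    def __post_init__(self) -> None:
        if self.secure or self.trunking:
            raise ValueError(
                f"port {self.name}: turn off security/trunking before making it dynamic")

    def link_up(self) -> None:
        # On link-up the port is isolated from its static VLAN until the VMPS answers.
        self.vlan, self.hosts = None, set()

    def link_down(self) -> None:
        # On link-down the port returns to its isolated initial state.
        self.vlan, self.hosts = None, set()

    def first_packet(self, src_mac: str) -> str:
        """The NMP sees a host's packet on the dynamic port and checks with the VMPS."""
        src_mac = src_mac.lower()
        if src_mac in self.hosts:
            return f"{src_mac} already admitted on {self.name} (VLAN {self.vlan})"
        answer = self.vmps.query(src_mac)
        if answer is None:
            return f"{src_mac} denied on {self.name}: unknown to VMPS"
        if self.vlan is None:
            self.vlan = answer
            self.hosts.add(src_mac)
            return f"{self.name} placed in VLAN {answer}; {src_mac} admitted"
        if answer == self.vlan:
            self.hosts.add(src_mac)
            return f"{src_mac} admitted on {self.name} (VLAN {self.vlan})"
        # Multiple hosts may share a dynamic port only if they are all in the same VLAN.
        # Assumption: a host the VMPS maps to another VLAN is refused; the chapter does
        # not state what the real switch does in this case.
        return (f"{src_mac} denied on {self.name}: VMPS says VLAN {answer}, "
                f"port is in VLAN {self.vlan}")


if __name__ == "__main__":
    server = VMPS({"00:00:0c:aa:bb:01": 10, "00:00:0c:aa:bb:02": 10,
                   "00:00:0c:aa:bb:03": 20})  # constructed database
    port = DynamicPort("3/1", server)
    port.link_up()
    for mac in ("00:00:0c:aa:bb:01", "00:00:0c:aa:bb:02",
                "00:00:0c:aa:bb:03", "00:00:0c:de:ad:00"):
        print(port.first_packet(mac))
```

Read this way, the VMPS database is the access-control list for every dynamic port: a host the database does not know gets no VLAN at all, and the decision rests entirely on the source MAC address the host presents, which is why the client and server must share the same management domain and management VLAN for the query to be answered by the intended server.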

How VLANs Work

The VLANs on a Catalyst 5000 series switch simplify adding and moving end stations on a network. For example, when an end station is physically moved to a new location, its attributes can be reassigned from a network management station via SNMP or the CLI. When an end station is moved within the same VLAN, it retains its previously assigned attributes in its new location. When an end station is moved to a different VLAN, the attributes of the new VLAN are applied to the end station, according to the security levels in place.

The IP address of a Catalyst 5000 series switch supervisor engine module can be assigned to any VLAN. This mobility allows a network management station and workstations on any Catalyst 5000 VLAN to directly access another Catalyst 5000 series switch on the same VLAN without a router. Only one IP address can be assigned to a Catalyst 5000 series switch; if the IP address is reassigned to a different VLAN, the previous IP address assignment to a VLAN is invalid.

VLANs allow ports on the same or different switches to be grouped so that traffic is confined to members of that group only. This feature restricts broadcast, unicast, and multicast traffic (flooding) only to ports included in a certain VLAN. You can set up VLANs for an entire management domain from a single Catalyst 5000 series switch. A maximum of 250 VLANs can be active at any time.

Figure 9-6 shows an example of VLANs segmented into logically defined networks.


Figure 9-6: VLANs as Logically Defined Networks



VLANs in a Management Domain

The set vtp and set vlan commands use VTP to set up VLANs across an entire management domain. The default configuration group, defined as VLAN 1, is all switched Ethernet ports and Ethernet repeater ports.

By default, the Catalyst 5000 series switch is in the no-management domain state until it is configured with a management domain or receives an advertisement for a domain. If a switch receives an advertisement, it inherits the management domain name and configuration revision number. The switch ignores advertisements with a different management domain or an earlier configuration revision number and checks all received advertisements with the same domain for consistency. While a Catalyst 5000 series switch is in the no-management domain state, it is a VTP server; that is, it learns from received advertisements.

The set vtp command sets up the management domain, including establishing the management domain name, the VTP mode of operation (server, client, or transparent), the interval between VLAN advertisements, and the password value. There is no default domain name (the value is set to null). The default advertisement interval is five minutes. The default VTP mode of operation is set to server.

By default, the management domain is set to nonsecure mode without a password. A password sets the management domain to secure mode. You must configure a password on each Catalyst 5000 series switch in the management domain when in secure mode.

Caution  A management domain does not function properly if the management domain password is not assigned to each Catalyst 5000 series switch in the domain.
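The advertisement rules in this section (a switch in the no-management domain state inherits whatever domain it hears; a configured switch ignores a different domain name or an earlier configuration revision; in secure mode the domain password must match) as an added Python model. It is not Cisco's or CatOS code and does not reproduce the real VTP packet format: the Advertisement and Switch classes are constructed, and the digest scheme (a SHA-256 over the domain name and password, so that the password itself is never sent) is an assumption made for illustration.

```python
"""Model of VTP advertisement acceptance (added example, not Cisco code)."""
import hashlib
from dataclasses import dataclass, field
from typing import List, Optional


def domain_digest(domain: str, password: str) -> str:
    """Assumed digest scheme: both switches derive the same value from the domain
    name and password, so the password itself never has to travel on the wire."""
    return hashlib.sha256(f"{domain}\0{password}".encode()).hexdigest()


@dataclass
class Advertisement:
    domain: str
    revision: int                 # configuration revision number
    vlans: List[int]
    digest: Optional[str] = None  # present only when the sender is in secure mode


@dataclass
class Switch:
    domain: Optional[str] = None    # None = no-management domain state
    revision: int = 0
    password: Optional[str] = None  # set => secure mode
    vlans: List[int] = field(default_factory=lambda: [1])

    def receive(self, adv: Advertisement) -> str:
        """Apply the acceptance rules from this section to one advertisement."""
        if self.domain is None:
            # No-management domain state: inherit the domain name and revision.
            self.domain, self.revision = adv.domain, adv.revision
            self.vlans = list(adv.vlans)
            return "inherited domain"
        if adv.domain != self.domain:
            return "ignored: different management domain"
        if self.password is not None and adv.digest != domain_digest(self.domain, self.password):
            return "ignored: password digest mismatch (secure mode)"
        if adv.revision < self.revision:
            return "ignored: earlier configuration revision"
        if adv.revision == self.revision:
            # Same domain and revision: check for consistency rather than apply.
            if list(adv.vlans) == self.vlans:
                return "consistent"
            return "inconsistent: same revision, different VLAN list"
        # A newer revision in the same domain replaces the local VLAN list.
        self.revision, self.vlans = adv.revision, list(adv.vlans)
        return "applied"


if __name__ == "__main__":
    sw = Switch(domain="abc", revision=5, password="s3cret", vlans=[1, 10, 20])
    ok = domain_digest("abc", "s3cret")
    print(sw.receive(Advertisement("xyz", 9, [1], digest=domain_digest("xyz", "s3cret"))))
    print(sw.receive(Advertisement("abc", 9, [1, 99])))               # no digest
    print(sw.receive(Advertisement("abc", 6, [1, 10, 20, 30], digest=ok)))
    print(sw.vlans)
```

Two things the model makes visible: an unconfigured switch adopts the first domain it hears, which is why the domain name and password belong in the configuration of every switch before its trunks come up, and within a domain a higher configuration revision replaces the local VLAN list outright, so the revision numbers reported by the switches are worth watching after any change.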

The set vlan command uses the following parameters to create a VLAN in the management domain:

The Catalyst 5000 series switch uses the SAID parameter of the set vlan command to identify each VLAN on an 802.10 trunk. The default SAID for VLAN 1 is 100001, for VLAN 2 is 100002, for VLAN 3 is 100003, and so on. The default MTU is 1500 bytes. The default state is active on an 802.10 trunk.

When translating from one VLAN type (Ethernet, FDDI, Token Ring, FDDI NET, or TR NET) to another, the Catalyst 5000 series switch requires a different VLAN number for each media type.

VLAN Components

VLANs consist of the following components:

Switches are the entry point for end-station devices into the switched fabric and provide the intelligence to group users, ports, or logical addresses into common communities of interest. LAN switches also increase performance and dedicated bandwidth across the network.
You can group ports and users into communities using a single switch or connected switches. By grouping ports and users together across multiple switches, VLANs can span single-building infrastructures, interconnected buildings, or campus networks. Each switch has the intelligence to make filtering and forwarding decisions by packet and to communicate this information to other switches and routers within the network.
Frame identification or tagging is one approach for logically grouping users into administratively defined VLANs. Tagging places a unique identifier in the header of each frame as it is forwarded throughout the switch fabric. The identifier is understood and examined by each switch prior to any broadcasts or transmissions to other switches, routers, or end-station devices. When the frame exits the switch fabric, the switch removes the identifier before the frame is transmitted to the target end station. Based on rules defined by the administrator, tagging determines where the frame is to be sent or broadcast.
Routers provide policy-based control, broadcast management, and route processing and distribution. They also provide the communication between VLANs and VLAN access to shared resources such as servers and hosts. Routers connect to other parts of the network that are either logically segmented into subnets or require access to remote sites across wide area links. To consolidate the number of physical router ports required for communication between VLANs, routers use high-speed backbone connections over Fast Ethernet, FDDI, or ATM, which provide higher throughput between switches and routers.
VLANs provide system compatibility with previously installed systems, such as shared hubs and stackable devices. While many of these devices are being replaced with newer switching technologies, previously installed concentrators still perform useful functions. With VLANs, you can configure devices such as shared hubs as a part of the VLAN architecture and can share traffic and network resources that directly attach to switching ports with VLAN designations.
The VLAN transport enables information to be exchanged between interconnected switches and routers residing on the corporate backbone. Transport capabilities remove physical boundaries, increase flexibility of a VLAN solution, and provide mechanisms for interoperability between backbone system components.
The backbone acts as the aggregation point for large volumes of traffic. It also carries end-user VLAN information and identification between switches, routers, and directly attached servers. Within the backbone, high-bandwidth, high-capacity links carry the traffic throughout the enterprise. Three high-bandwidth options include Fast Ethernet, FDDI/CDDI, and ATM.
Network management solutions offer centralized control, configuration, and traffic management functions.

VLAN Technologies

Because switches and routers directly attach to the backbone, they must be able to transport VLAN information and interoperate with other network components. In response to these requirements, several different transport mechanisms are used for communicating VLAN information across high-performance backbones. Among them are the LANE standard that has been approved by the ATM Forum, Inter-Switch Link (ISL) for Fast Ethernet, and the IEEE 802.10 protocol, which provides VLAN communication across shared FDDI backbones. These different, yet interoperable, VLAN technologies are supported on the Catalyst 5000 series switch. Each allows a single link to carry information from multiple VLANs.

VLAN Examples

This section contains examples of VLAN configurations for ISLs on Fast Ethernet ports, multiple Catalyst 5000 series switches using Spanning-Tree Protocol, and 802.10 protocol on FDDI ports.

Inter-Switch Links on Fast Ethernet Ports

Any Fast Ethernet port can be configured as a trunk. Trunks use ISL to support multiple VLANs. An ISL trunk is like a continuation of the switching backplane. It allows the Catalyst 5000 series switch to multiplex up to 1000 VLANs between switches and routers.

The Dynamic ISL (DISL) protocol dynamically configures trunk ports between Catalyst 5000 series switches; it synchronizes two interconnected Fast Ethernet interfaces into becoming ISL trunks and minimizes VLAN trunk configuration procedures because only one end of a link must be configured as a trunk or nontrunk.

Figure 9-7 shows an example of a Fast Ethernet ISL configuration.


Figure 9-7: Fast Ethernet ISL Configuration



Multiple Switch Spanning-Tree Protocol and VLAN Configuration

VLAN groups can be set up across multiple Catalyst 5000 series switches if the switches have any two ports of the same VLAN connected, as shown in Figure 9-8.


Figure 9-8: Multiple Switch Spanning-Tree Protocol and VLAN Configuration



The trunks and VLANs for the Catalyst 5000 series Switch 1 on the first floor were configured as follows:

System1> (enable) set vtp domain abc
VTP: domain abc modified
System1> (enable) set vlan 10
VTP: vlan addition successful
System1> (enable) set vlan 10 1/1-4
VLAN 10 modified.
VLAN 1 modified.
VLAN  Mod/Ports
---- -----------------------
10    1/1-4
System1> (enable) set vlan 20
VTP: vlan addition successful
System1> (enable) set vlan 20 2/5-24
VLAN 20 modified.
VLAN 1 modified.
VLAN  Mod/Ports
---- -----------------------
20    2/5-24
System1> (enable) set trunk 1/1-2 on
Port 1/1 mode set to on.
Port 1/2 mode set to on.
System1> (enable) 
Mon May 6 1996, 18:22:07  Port 1/1 and 1/2 has become trunk.
System1> (enable) show trunk
Port     Mode       Status
-------  ---------  ------------
1/1      on         trunking
1/2      on         trunking
Port     Vlans allowed
-------  --------------------------------------------------------------
1/1      1-1000
1/2      1-1000
4/1-2    1-1000
Port     Vlans active
-------  --------------------------------------------------------------
1/1      1
1/2      1,10,20
4/1-2    1
System1> (enable) show port
Port Name               Status     Vlan       Level  Duplex Speed Type
---- ------------------ ---------- ---------- ------ ------ ----- -----------
1/1                     connected  trunk      normal full   100   100BaseTX
1/2                     notconnect trunk      normal full   100   100BaseTX
2/1                     notconnect 10         normal half   10    10BaseT
2/2                     notconnect 10         normal half   10    10BaseT
2/3                     notconnect 10         normal half   10    10BaseT
2/4                     connected  10         normal half   10    10BaseT
2/5                     notconnect 20         normal half   10    10BaseT
2/6                     notconnect 20         normal half   10    10BaseT
.
.
.
2/23                    notconnect 20         normal half   10    10BaseT
2/24                    notconnect 20         normal half   10    10BaseT
Port Align-Err  FCS-Err    Xmit-Err   Rcv-Err
---- ---------- ---------- ---------- ----------
1/1           0          0          0          0
1/2           0          0          0          0
2/1           0          0          0          0
2/2           0          0          0          0
2/3           0          0          0          0
2/4           0          0          0          0
.
.
.
2/22          0          0          0          0
2/23          0          0          0          0
2/24          0          0          0          0
Port Single-Col Multi-Coll Late-Coll Excess-Col Carri-Sens Runts Giants
---- ---------- ---------- --------- ---------- ---------- ----- -------
1/1           0          0          0          0          0         0         -
1/2           0          0          0          0          0         0         -
2/1           0          0          0          0          0         0         0
2/2           0          0          0          0          0         0         0
2/3           0          0          0          0          0         0         0
2/4           0          0          0          0          0         0         0
.
.
.
2/22          0          0          0          0          0         0         0
2/23          0          0          0          0          0         0         0
2/24          0          0          0          0          0         0         0
                                   Ler
Port CE-State ConnState Type Neig Con Est Alm Cut Lem-Ct Lem-Rej-Ct Tl-Min
---- -------- --------- ---- ---- --------------- ------- --------- ------
Last-Time-Cleared
--------------------------
Mon May 6 1996, 17:59:45

The trunks and VLANs for the Catalyst 5000 series Switch 2 on the second floor were configured as follows:


Note Switch 2 is automatically configured with a trunk when the trunk is set on Switch 1. Switch 2 learns about the VLANs set on Switch 1 through VTP.
System2> (enable) 
Mon May 6 1996, 16:35:47  Port 1/2 has become trunk.
System2> (enable) show trunk 
Port     Mode       Status
-------  ---------  ------------
1/1      auto       trunking
1/2      auto       trunking
Port     Vlans allowed
-------  --------------------------------------------------------------
1/1      1-1000
1/2      1-1000
Port     Vlans active
-------  --------------------------------------------------------------
1/1      1,10,20,30
1/2      1,10,20,30
System2> (enable) show port
Port Name               Status     Vlan       Level  Duplex Speed Type
---- ------------------ ---------- ---------- ------ ------ ----- -----------
1/1                     connected  trunk      normal half   100   100BaseTX
1/2                     connected  trunk      normal half   100   100BaseTX
2/1                     notconnect 10         normal half   10    10BaseT
2/2                     notconnect 10         normal half   10    10BaseT
2/3                     notconnect 10         normal half   10    10BaseT
2/4                     connected  10         normal half   10    10BaseT
.
.
.
2/21                    notconnect 20         normal half   10    10BaseT
2/22                    notconnect 20         normal half   10    10BaseT
2/23                    notconnect 20         normal half   10    10BaseT
2/24                    notconnect 20         normal half   10    10BaseT
Port Align-Err  FCS-Err   Xmit-Err   Rcv-Err
---- ---------- --------- ---------- ----------
1/1          0          0          0          0
1/2          0          0          0          0
2/1          0          0          0          0
2/2          0          0          0          0
2/3          0          0          0          0
2/4          0          0          0          0
.
.
.
2/19          0           0          0          0          0         0         0
2/20          0           0          0          0          0         0         0
2/21          0           0          0          0          0         0         0
2/22          0           0          0          0          0         0         0
2/23          0           0          0          0          0         0         0
2/24          0           0          0          0          0         0         0
Last-Time-Cleared
--------------------------
Mon May 6 1996, 16:04:07
System2> (enable) show port
Port Name               Status     Vlan       Level  Duplex Speed Type
---- ------------------ ---------- ---------- ------ ------ ----- -----------
1/1                     connected  trunk      normal full   100   100BaseTX
1/2                     connected  trunk      normal full   100   100BaseTX
2/1                     notconnect 10         normal half   10    10BaseT
2/2                     notconnect 10         normal half   10    10BaseT
2/3                     notconnect 10         normal half   10    10BaseT
2/4                     connected  10         normal half   10    10BaseT
.
.
.
2/21                    notconnect 20         normal half   10    10BaseT
2/22                    notconnect 20         normal half   10    10BaseT
2/23                    notconnect 20         normal half   10    10BaseT
2/24                    notconnect 20         normal half   10    10BaseT
Port Align-Err  FCS-Err   Xmit-Err   Rcv-Err
---- ---------- --------- ---------- ----------
1/1          0          0          0          0
1/2          0          0          0          0
2/1          0          0          0          0
2/2          0          0          0          0
2/3          0          0          0          0
2/4          0          0          0          0
.
.
.
2/19          0           0          0          0          0         0         0
2/20          0           0          0          0          0         0         0
2/21          0           0          0          0          0         0         0
2/22          0           0          0          0          0         0         0
2/23          0           0          0          0          0         0         0
2/24          0           0          0          0          0         0         0
Last-Time-Cleared
--------------------------
Mon May 6 1996, 16:04:07
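A small parser for the show trunk output quoted in the two sessions above, added here as an example and not part of Cisco's documentation or software. It expands the VLAN lists ("1-1000", "1,10,20") into sets and reports, for each trunking port, how many VLANs the trunk is allowed to carry against the VLANs actually active on it; the SAMPLE text is constructed from the Switch 1 transcript, and the helper names are assumptions of this example.

```python
"""Parser for CatOS `show trunk` output (added example, not Cisco code)."""
from typing import Dict, Set

# Constructed from the Switch 1 session above (transcript text, not live output).
SAMPLE = """\
Port     Mode       Status
-------  ---------  ------------
1/1      on         trunking
1/2      on         trunking
Port     Vlans allowed
-------  --------------------------------------------------------------
1/1      1-1000
1/2      1-1000
4/1-2    1-1000
Port     Vlans active
-------  --------------------------------------------------------------
1/1      1
1/2      1,10,20
4/1-2    1
"""


def expand_vlans(spec: str) -> Set[int]:
    """Expand a VLAN list such as '1,10,20-30' into a set of VLAN numbers."""
    vlans: Set[int] = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            vlans.update(range(lo, hi + 1))
        else:
            vlans.add(int(part))
    return vlans


def parse_show_trunk(text: str) -> Dict[str, dict]:
    """Return {port: {'mode', 'status', 'allowed': set, 'active': set}}.

    The output is three tables, each introduced by a 'Port ...' header line;
    the header decides which field the following rows fill in."""
    ports: Dict[str, dict] = {}
    section = None
    for line in text.splitlines():
        if line.startswith("Port"):
            header = line.split()
            if "allowed" in header:
                section = "allowed"
            elif "active" in header:
                section = "active"
            else:
                section = "status"
            continue
        if line.startswith("-") or not line.strip():
            continue
        fields = line.split()
        entry = ports.setdefault(fields[0], {"allowed": set(), "active": set()})
        if section == "status":
            entry["mode"], entry["status"] = fields[1], fields[2]
        else:
            entry[section] = expand_vlans(fields[1])
    return ports


def trunk_report(text: str) -> Dict[str, dict]:
    """For each port whose status is 'trunking': number of allowed VLANs, the
    active VLANs, and whether the allowed list is the full 1-1000 range."""
    report: Dict[str, dict] = {}
    for port, e in parse_show_trunk(text).items():
        if e.get("status") != "trunking":
            continue
        report[port] = {
            "allowed": len(e["allowed"]),
            "active": sorted(e["active"]),
            "allows_all": e["allowed"] == set(range(1, 1001)),
        }
    return report


if __name__ == "__main__":
    for port, info in trunk_report(SAMPLE).items():
        print(port, info)
```

The gap between the two lists is the thing to look at when reviewing a trunk: both switches above allow every VLAN from 1 to 1000 on each trunk, while only VLANs 1, 10 and 20 (and 30 on Switch 2) are active, so each trunk is permitted to carry far more than the link actually needs.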

802.10 Protocol on FDDI Ports

VLANs can be extended across an FDDI network by multiplexing switched packets over a Copper Distributed Data Interface (CDDI)/FDDI interface using the 802.10 protocol. Using 802.10, Catalyst 5000 CDDI/FDDI interface links can operate as interswitch trunks that provide broadcast control between configured VLANs. The 802.10 protocol encapsulates a VLAN identifier and packet data according to the IEEE 802.10 specification. CDDI/FDDI interfaces that support 802.10 make selective forwarding decisions within a network domain based upon the VLAN identifier.

The VLAN identifier is a user-configurable four-byte SAID. The SAID identifies traffic as belonging to a particular VLAN. It also determines the VLAN to which each packet is switched on the bus.

Refer to Figure 9-9 for an example of configuring FDDI trunks. In this example, the SAID ensures that packets destined for VLAN 1 only reach VLAN 1 after they are transmitted across the FDDI trunks. Refer to Figure 9-10 for an example of an FDDI 802.10 VLAN network configuration.


Figure 9-9: FDDI Trunks Configuration




Figure 9-10: FDDI 802.10 VLAN Network Configuration



VTP provides CDDI/FDDI module configuration for 802.10-based VLANs. VTP requires a protocol type (Ethernet, FDDI, or Token Ring) to be configured for each VLAN. A VLAN can only have one type associated with it. Each VLAN type must have its own unique identifier, and translations between different identifiers must be mapped. VTP advertises VLAN translation mappings to all Catalyst 5000 series switches in a management domain.

FDDI/CDDI modules integrate switched Ethernet and Fast Ethernet LANs into the FDDI network. To map an 802.10 FDDI VLAN to an Ethernet VLAN, you map the Ethernet VLAN to the FDDI VLAN (a translation) and assign a SAID value to the FDDI VLAN; that SAID then identifies the Ethernet VLAN's traffic on the 802.10 trunk.

If a CDDI/FDDI module receives a packet containing a VLAN SAID that maps to a locally supported Ethernet VLAN on the Catalyst 5000 series switch, the CDDI/FDDI module translates the packet into Ethernet format and forwards it across the switch backplane to the Ethernet module. If the VLAN SAID in a received packet does not map to a locally supported VLAN, the CDDI/FDDI module filters the packet so that it never reaches the backplane.

Figure 9-11 illustrates the configuration for forwarding a packet from the Ethernet module port 1 in slot 2 to the FDDI module port 1 in slot 5. For this example, you would specify the translation of Ethernet VLAN 2 to FDDI VLAN 22. FDDI VLAN 22 is then automatically translated to Ethernet VLAN 2. The VLAN SAID must be identical on both FDDI modules. Since 802.10 CDDI/FDDI interface links can operate as interswitch trunks, you can configure multiple VLAN translations over a link.


Figure 9-11: VLAN Identifiers for an FDDI 802.10 Configuration



CDDI/FDDI modules also support one native (nontrunk) VLAN, which handles all non-802.10 encapsulated FDDI traffic. A translation number does not need to be configured for the native VLAN since packets that are forwarded to the native VLAN do not contain VLAN identifiers. To map an Ethernet VLAN to an FDDI native VLAN, you must configure the FDDI port to be on the Ethernet VLAN. To do this, configure the Ethernet VLAN with the module number and port number of the FDDI-native VLAN.
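The forwarding decision described in this section (an 802.10 SAID identifies an FDDI VLAN, a translation maps that FDDI VLAN to an Ethernet VLAN, a SAID with no local mapping is filtered before the backplane, and non-802.10 frames go to the native VLAN) as an added Python model. It is illustration code, not Cisco's: the FddiModule and Frame classes are constructed, the VLAN numbers and translations are samples, and the only rule taken from the chapter besides the decision logic is the default SAID of 100000 plus the VLAN number.

```python
"""Model of CDDI/FDDI module 802.10 forwarding (added example, not Cisco code)."""
from dataclasses import dataclass
from typing import Dict, Optional


def default_said(vlan: int) -> int:
    """Default SAID: 100001 for VLAN 1, 100002 for VLAN 2, and so on."""
    return 100000 + vlan


@dataclass
class Frame:
    said: Optional[int]   # None = not 802.10 encapsulated (native VLAN traffic)
    payload: bytes


class FddiModule:
    """Forwarding decision of one CDDI/FDDI module for frames on the ring."""

    def __init__(self, translations: Dict[int, int], native_vlan: int,
                 saids: Optional[Dict[int, int]] = None) -> None:
        # translations: Ethernet VLAN -> FDDI VLAN, e.g. {2: 22}. The reverse
        # mapping (FDDI 22 -> Ethernet 2) is derived automatically.
        if len(set(translations.values())) != len(translations):
            raise ValueError("each FDDI VLAN may translate to only one Ethernet VLAN")
        self.eth_to_fddi = dict(translations)
        self.fddi_to_eth = {f: e for e, f in translations.items()}
        self.native_vlan = native_vlan
        # SAID of each FDDI VLAN: the configured value, else the default 100000 + VLAN.
        overrides = saids or {}
        self.said_of = {f: overrides.get(f, default_said(f)) for f in self.fddi_to_eth}
        self.fddi_of_said = {s: f for f, s in self.said_of.items()}

    def receive(self, frame: Frame) -> Optional[int]:
        """Ethernet VLAN the frame is forwarded to across the backplane, or None
        when the module filters it because its SAID maps to no local VLAN."""
        if frame.said is None:
            return self.native_vlan          # non-802.10 traffic: native VLAN
        fddi_vlan = self.fddi_of_said.get(frame.said)
        if fddi_vlan is None:
            return None                      # unknown SAID: never reaches the backplane
        return self.fddi_to_eth[fddi_vlan]

    def transmit(self, eth_vlan: int, payload: bytes) -> Frame:
        """Encapsulate a frame from an Ethernet VLAN for the 802.10 trunk."""
        if eth_vlan == self.native_vlan:
            return Frame(None, payload)      # native VLAN: no VLAN identifier added
        fddi_vlan = self.eth_to_fddi[eth_vlan]
        return Frame(self.said_of[fddi_vlan], payload)


if __name__ == "__main__":
    # Constructed sample: Ethernet VLAN 2 -> FDDI VLAN 22, Ethernet 3 -> FDDI 23,
    # native VLAN 1, both ends configured identically (the SAIDs must match).
    left = FddiModule({2: 22, 3: 23}, native_vlan=1)
    right = FddiModule({2: 22, 3: 23}, native_vlan=1)
    print(right.receive(left.transmit(2, b"to vlan 2")))   # 2
    print(right.receive(left.transmit(1, b"native")))      # 1
    print(right.receive(Frame(100099, b"unmapped SAID")))  # None: filtered
```

The filter in receive is the property the section relies on: a frame tagged with a SAID that the receiving module has no translation for is dropped at the module rather than flooded onto the backplane, so the set of translations configured on each FDDI module is also the set of remote VLANs that module will ever admit.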


Copyright 1989-1997 © Cisco Systems Inc.