---
id: 17. VLAN (Part 2)
aliases: []
tags: []
---

# VLAN (Part 2)

## Trunk ports

In a small network with few [[VLAN]]s it is possible to use a separate interface for each VLAN
when connecting switches to switches, and switches to routers.

However, when the number of VLANs increases, this is not viable: it wastes interfaces,
and routers often won't have enough interfaces for each VLAN.

You can use trunk ports to carry traffic from multiple VLANs over a single interface.

Switches will 'tag' all frames that they send over a trunk link.
This allows the receiving switch to know which VLAN the frame belongs to.

- Trunk ports = 'tagged' ports
- Access ports = 'untagged' ports

### VLAN Tagging

- There are two main trunking protocols: [[ISL]] (Inter-Switch Link) and [[IEEE 802.1Q]] (dot1q)
- ISL is an old Cisco proprietary protocol created before the industry standard IEEE 802.1Q
- IEEE 802.1Q is an industry standard protocol created by the [[IEEE]] (Institute of Electrical and
  Electronics Engineers)
- You will probably NEVER use ISL in the real world. Even modern Cisco equipment doesn't support it.
  For the CCNA you only need to learn 802.1Q

#### Inside the Ethernet header

```text
Preamble | SFD | Destination | Source | 802.1Q tag | Type/Length
```

The 802.1Q tag is inserted between the Source and Type/Length fields of the Ethernet frame.
The tag is 4 bytes (32 bits) in length.
The tag consists of two main fields:

- Tag Protocol Identifier [[TPID]]
- Tag Control Information [[TCI]]

The TCI consists of three sub-fields.

802.1Q tag format:

```text
+---------+--------------------------+
|  TPID   |           TCI            |
| 16 bits | 3 bits | 1 bit | 12 bits |
|         |  PCP   |  DEI  |   VID   |
+---------+--------+-------+---------+
```

##### TPID (Tag Protocol Identifier)

- 16 bits (2 bytes) in length
- Always set to a value of 0x8100. This indicates that the frame is 802.1Q-tagged.

##### PCP (Priority Code Point)

- 3 bits in length
- Used for Class of Service (CoS), which prioritizes important traffic in a congested network

##### DEI (Drop Eligible Indicator)

- 1 bit in length
- Used to indicate frames that can be dropped if the network is congested.

##### VID (VLAN ID)

- 12 bits in length
- Identifies the VLAN the frame belongs to.
- 12 bits in length = 4096 total VLANs (2^12), range of 0 - 4095
- VLANs 0 and 4095 are reserved and can't be used
- Therefore the actual range of VLANs is 1-4094
- Cisco's proprietary ISL also has a VLAN range of 1 - 4094

More info: https://en.wikipedia.org/wiki/IEEE_802.1Q

## VLAN Ranges

- The range of VLANs (1-4094) is divided into two sections:
  - Normal VLANs: 1-1005
  - Extended VLANs: 1006-4094
- Some older devices cannot use the extended VLAN range, however it's safe to expect that modern
  switches will support the extended VLAN range.

## Native VLAN

- 802.1Q has a feature called the **native VLAN**. ISL does not have this feature.
- The native VLAN is VLAN 1 by default on all trunk ports, however this can be manually configured
  on each trunk port.
- The switch does not add an 802.1Q tag to frames in the native VLAN.
- When a switch receives an untagged frame on a trunk port, it assumes the frame belongs to
  the native VLAN.

**It's very important that the native VLAN matches on both ends of the trunk!**

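The following Python, added here as an illustration and not part of the original note, builds and parses the 4-byte tag described in the VLAN Tagging section and applies the native VLAN rule from this section: an untagged frame received on a trunk is assigned to the native VLAN (a VID of 0 is a priority-only tag and is treated the same way). The function names, the sample frame and the native VLAN 1001 are constructed for the example.

```python
import struct

TPID_8021Q = 0x8100  # TPID value that marks a frame as 802.1Q-tagged

# Constructed sample: broadcast frame from 00:11:22:33:44:55, EtherType 0x0800 (IPv4), dummy payload
SAMPLE_UNTAGGED = bytes.fromhex("ffffffffffff 001122334455 0800") + b"\x45" + bytes(19)


def build_tag(vid: int, pcp: int = 0, dei: int = 0) -> bytes:
    """Build the 4-byte 802.1Q tag: 16-bit TPID followed by the 16-bit TCI (PCP | DEI | VID)."""
    if not (0 <= pcp <= 7 and dei in (0, 1) and 1 <= vid <= 4094):
        raise ValueError("PCP is 3 bits, DEI is 1 bit, VID must be 1-4094 (0 and 4095 are reserved)")
    tci = (pcp << 13) | (dei << 12) | vid
    return struct.pack("!HH", TPID_8021Q, tci)


def tag_frame(frame: bytes, vid: int, pcp: int = 0, dei: int = 0) -> bytes:
    """Insert the tag between the Source MAC and the Type field, as a switch does on a trunk."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    return frame[:12] + build_tag(vid, pcp, dei) + frame[12:]


def parse_frame(frame: bytes, native_vlan: int = 1) -> dict:
    """Parse a frame as received on a trunk port with the given native VLAN.

    Untagged frames land in the native VLAN, which is why a native VLAN mismatch
    between two switches silently moves traffic from one VLAN into another.
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src, type_or_tpid = struct.unpack("!6s6sH", frame[:14])
    info = {"dst": dst.hex(":"), "src": src.hex(":"), "tagged": False,
            "pcp": 0, "dei": 0, "vlan": native_vlan}
    if type_or_tpid != TPID_8021Q:               # no tag: Type follows the Source MAC
        info["ethertype"], info["payload"] = type_or_tpid, frame[14:]
        return info
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, ethertype = struct.unpack("!HH", frame[14:18])
    vid = tci & 0x0FFF                            # low 12 bits of the TCI
    if vid == 4095:
        raise ValueError("VID 4095 is reserved")
    info.update(tagged=True, pcp=tci >> 13, dei=(tci >> 12) & 1)
    if vid != 0:                                  # VID 0 = priority tag only, stays in native VLAN
        info["vlan"] = vid
    info["ethertype"], info["payload"] = ethertype, frame[18:]
    return info
```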
## Trunk Configuration

```Cisco
SW1(config)#interface g0/0
SW1(config-if)#switchport mode trunk
Command rejected
! rejected because the trunk encapsulation on this switch is still Auto
```

Many modern switches do not support Cisco's ISL at all. They only support 802.1Q (dot1q).
However, switches that do support both (like the one I'm using in this example) have a trunk
encapsulation of Auto by default.
To manually configure the interface as a trunk port, you must first set the encapsulation to
802.1Q or ISL. On switches that only support 802.1Q this is not necessary.

```Cisco
SW1(config)#interface g0/0
SW1(config-if)#switchport trunk encapsulation dot1q
SW1(config-if)#switchport mode trunk
```

To see the configuration of the trunk:

```Cisco
SW1#show interfaces trunk

Port        Mode             Encapsulation  Status        Native vlan
Gi0/0       on               802.1q         trunking      1
```

```Cisco
! For security reasons you must not allow every VLAN on the trunk; allow only the VLANs needed
SW1(config-if)#switchport trunk allowed vlan 10,30

! To add a VLAN to the allowed list
SW1(config-if)#switchport trunk allowed vlan add 20

! To remove a VLAN from the allowed list
SW1(config-if)#switchport trunk allowed vlan remove 20

! The all option allows every VLAN
SW1(config-if)#switchport trunk allowed vlan all

! The except option allows all VLANs except a range or a specific VLAN
SW1(config-if)#switchport trunk allowed vlan except 1-5,10

! The none option disables every VLAN on the trunk
SW1(config-if)#switchport trunk allowed vlan none
```

For security purposes, it is best to change the native VLAN to an unused VLAN.
(Network security will be explained more in depth later in the course.)

**Make sure the native VLAN matches between switches.**

The command to change the native VLAN is:

```Cisco
SW1(config-if)#switchport trunk native vlan 1001
```

Note: the **show vlan brief** command shows the access ports assigned to each VLAN, not
the trunk ports that allow each VLAN.
Use the **show interfaces trunk** command instead to confirm trunk ports.

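As an added example (not from the original note), this Python parses the `show interfaces trunk` output of two switches and flags the trunk problems this section warns about: a native VLAN mismatch, a trunk left on the default native VLAN 1, and a trunk that allows every VLAN. The two outputs are constructed for the example and the port pairing SW1 Gi0/0 to SW2 Gi0/1 is assumed.

```python
# Constructed 'show interfaces trunk' output from the two ends of one trunk (SW1 Gi0/0 <-> SW2 Gi0/1)
SW1_SHOW_TRUNK = """\
Port        Mode             Encapsulation  Status        Native vlan
Gi0/0       on               802.1q         trunking      1001

Port        Vlans allowed on trunk
Gi0/0       10,20,30
"""
SW2_SHOW_TRUNK = """\
Port        Mode             Encapsulation  Status        Native vlan
Gi0/1       on               802.1q         trunking      1

Port        Vlans allowed on trunk
Gi0/1       1-4094
"""

def expand_vlans(spec: str) -> set:
    """'1,10-12,30' -> {1, 10, 11, 12, 30}: the list syntax of 'switchport trunk allowed vlan'."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def parse_show_trunk(output: str) -> dict:
    """Return {port: {"native": vlan, "allowed": set_of_vlans}} from 'show interfaces trunk'."""
    trunks, section = {}, None
    for line in output.splitlines():
        fields = line.split()
        if not fields:
            continue
        if fields[0] == "Port":                      # a header row starts the next section
            section = "native" if "Native" in line else "allowed" if "allowed on trunk" in line else None
        elif section == "native" and len(fields) == 5:
            trunks[fields[0]] = {"native": int(fields[4]), "allowed": set()}
        elif section == "allowed" and len(fields) == 2 and fields[0] in trunks:
            trunks[fields[0]]["allowed"] = expand_vlans(fields[1])
    return trunks

def audit_trunk_link(local: dict, remote: dict) -> list:
    """Compare both ends of one trunk and list the misconfigurations this section warns about."""
    findings = []
    if local["native"] != remote["native"]:
        findings.append(f"native VLAN mismatch: {local['native']} vs {remote['native']}")
    for side, trunk in (("local", local), ("remote", remote)):
        if trunk["native"] == 1:
            findings.append(f"{side} end still uses the default native VLAN 1")
        if trunk["allowed"] == set(range(1, 4095)):
            findings.append(f"{side} end allows every VLAN (1-4094) on the trunk")
    return findings
```

Run `audit_trunk_link(parse_show_trunk(SW1_SHOW_TRUNK)["Gi0/0"], parse_show_trunk(SW2_SHOW_TRUNK)["Gi0/1"])` to get the list of findings for the sample pair.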
## ROAS (Router on a Stick)

For three VLANs on the same router interface:

```Cisco
R1(config)#interface g0/0
R1(config-if)#no shutdown
! One subinterface per VLAN; the prompt changes to (config-subif) once a subinterface is selected
R1(config-if)#interface g0/0.10
R1(config-subif)#encapsulation dot1q 10
R1(config-subif)#ip address 192.168.1.62 255.255.255.192
! Each VLAN needs its own subnet: VLAN 10 uses 192.168.1.0/26, VLAN 20 192.168.1.64/26 and
! VLAN 30 192.168.1.128/26 (addressing for VLANs 20 and 30 assumed; overlapping subnets are rejected)
R1(config-subif)#interface g0/0.20
R1(config-subif)#encapsulation dot1q 20
R1(config-subif)#ip address 192.168.1.126 255.255.255.192
R1(config-subif)#interface g0/0.30
R1(config-subif)#encapsulation dot1q 30
R1(config-subif)#ip address 192.168.1.190 255.255.255.192
```

The subinterface number does not have to match the VLAN number.
However, it is highly recommended that they do match, to make the configuration easier to understand.

- ROAS is used to route between multiple VLANs using a single interface on the router and switch.
- The switch interface is configured as a regular trunk.
- The router interface is configured using subinterfaces.
- You configure the VLAN tag and IP address on each subinterface.
- The router will behave as if frames arriving with a certain VLAN tag have arrived on the
  subinterface configured with that VLAN tag.
- The router will tag frames sent out of each subinterface with the VLAN tag configured on the
  subinterface.

## Review

- What is a trunk port?
- What is the purpose of trunk ports?
- 802.1Q encapsulation
- How to configure trunk ports
- 'Router on a Stick' (ROAS)