Chapter Four discusses VLANs (Virtual LANs) and their configuration, including static and dynamic membership, management VLANs, and the roles of access and trunk ports. It also covers switch security features, such as port security and the VLAN Trunking Protocol (VTP) for centralized VLAN management. The chapter emphasizes the importance of VLANs in improving network performance and security while providing guidelines for configuring and verifying VLAN settings.

Chapter Four

Switch Configuration

© 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential

VLAN
• A VLAN (virtual LAN) is a logical partition of a Layer 2 network.
• Each VLAN is its own broadcast domain and is usually mapped to its own IP subnet.
• VLANs are isolated from one another at Layer 2; frames can pass between VLANs only through a router or another Layer 3 device.
• The partitioning of the Layer 2 network takes place inside a Layer 2 device, usually a switch.
• Hosts on the same VLAN are unaware of the VLAN's existence.

• In a switched network, a device can be assigned to a VLAN based on the switch port it connects to, its MAC address, its IP address, or the applications it most frequently uses.
• Administrators assign VLAN membership either statically or dynamically.
• Static VLAN membership requires an administrator to assign each switch port to a specific VLAN by hand. For example, port fa0/3 may be assigned to VLAN 20.
• Any device that plugs into port fa0/3 then automatically becomes a member of VLAN 20; the switch does not check what the device is.
• Static membership is the easiest type to configure and the most widely used, but it requires the most administrative effort for adds, moves and changes.

• Dynamic VLAN membership requires a VLAN Management Policy Server (VMPS).
• The VMPS holds a database that maps MAC addresses to VLAN assignments.
• When a device plugs into a switch port, the switch queries the VMPS for the device's MAC address, and the VMPS temporarily assigns that port to the matching VLAN.
• Dynamic membership takes more configuration but gives a far more flexible structure than static membership: moves, adds and changes are automated and need no intervention from the administrator.
• Caveat: a VMPS trusts the source MAC address, which any host can change, so it places a device in a VLAN but does not authenticate it. VMPS is a legacy feature; port-based authentication (IEEE 802.1X) with dynamic VLAN assignment is the current way to get the same flexibility.

Configuring VLAN
• Whether VLANs are created statically or dynamically, the maximum number of VLANs depends on the switch model and the IOS version. By default, VLAN 1 is the management VLAN.
Management VLAN
• A management VLAN is any VLAN configured to give access to the management functions of a switch.
• VLAN 1 is the management VLAN by default.
• To create the management VLAN, the switch virtual interface (SVI) of that VLAN is given an IP address and subnet mask, so the switch can be managed over HTTP, Telnet, SSH or SNMP.
• An administrator uses the IP address of the management VLAN to configure the switch remotely.
• Caveat: every port is in VLAN 1 by default, so leaving management on VLAN 1 puts every unassigned port on the same broadcast domain as the management interface. Move management to a dedicated VLAN with no user ports, and leave VLAN 1 unused.

• When a VLAN is created, it is assigned a number and a name.
• The VLAN number is any number from the range available on the switch. VLAN 1 (and the reserved VLANs 1002 to 1005) already exist on Cisco switches and cannot be created or deleted.
• Use the following commands to create a VLAN from global configuration mode:

Switch(config)#vlan vlan_number
Switch(config-vlan)#name vlan_name
Switch(config-vlan)#exit

• Assign ports to be members of the VLAN.
• By default, all ports are members of VLAN 1.
• Ports can be assigned one at a time or as a range.
• Assign ports to a VLAN one by one:
Switch(config)#interface fa#/#
Switch(config-if)#switchport access vlan vlan_number
Switch(config-if)#exit
• Assign a range of ports:
Switch(config)#interface range fa#/start_of_range - end_of_range
Switch(config-if-range)#switchport access vlan vlan_number
Switch(config-if-range)#exit
• If the VLAN named in switchport access vlan does not exist yet, IOS creates it. Check show vlan afterwards so that a mistyped VLAN number does not quietly create a new, empty VLAN and strand the port in it.

Verifying VLAN configuration
• To verify, maintain and troubleshoot VLANs, it is important to know the show commands available in Cisco IOS.
• The following commands are used to verify and maintain VLANs:
show vlan
  Displays a detailed list of all VLAN numbers and names currently active on the switch, along with the ports associated with each one.
show vlan brief
  Displays the same list in a compact, one-line-per-VLAN form.
show vlan id id_number
  Displays information about a specific VLAN, selected by ID number.
show vlan name vlan_name
  Displays information about a specific VLAN, selected by name.

• To delete a VLAN:
Switch(config)#no vlan vlan_number
• To disassociate a port from a specific VLAN (the port returns to VLAN 1):
Switch(config)#interface fa#/#
Switch(config-if)#no switchport access vlan
• Caveat: deleting a VLAN does not move the ports that were assigned to it. Those ports remain assigned to the now nonexistent VLAN and are inactive until they are reassigned, so reassign the ports first, then delete the VLAN.

Trunk port
• A VLAN has three major functions:
  Limits the size of broadcast domains
  Improves network performance
  Provides a level of security
• To take full advantage of these benefits, VLANs are extended across multiple switches.
• Switch ports can be configured for two different roles:
  Access port
  Trunk port

Access Port
• An access port belongs to only one VLAN.
• Typically, single devices such as PCs or servers connect to this type of port.
• An access port carries only the traffic of the VLAN assigned to the port, and that traffic is sent untagged.

Trunk Port
• A trunk port is a point-to-point link between the switch and another networking device.
• Trunks carry the traffic of multiple VLANs over a single link and allow VLANs to reach across an entire network.
• Trunk ports are needed to carry traffic from multiple VLANs between devices, whether connecting two switches together or a switch to a router.
• Without trunk ports, each VLAN would need a separate connection between switches. For example, an enterprise with 100 VLANs would need 100 connecting links.
• This arrangement does not scale well and is very expensive.

• Trunk links solve this problem by transporting traffic from multiple VLANs on the same link.
• When multiple VLANs travel on the same link, each frame needs VLAN identification.
• A trunk port supports frame tagging: tagging adds VLAN information to each frame.
• Cisco developed a proprietary tagging protocol called Inter-Switch Link (ISL). ISL is legacy; the IEEE 802.1Q standard, which inserts a 4-byte tag after the source MAC address, is what is used today, and many current Catalyst switches (the 2960, for example) support only 802.1Q.
• On most Catalyst switches a port is not a fixed access port by default but is in switchport mode dynamic auto, which means it becomes a trunk as soon as the neighbor asks for one (see DTP below).
• To configure a switch port as a trunk port, use the following commands. On switches that support both ISL and 802.1Q, the encapsulation must be set before the mode, or IOS rejects the mode trunk command; on 802.1Q-only switches the encapsulation command does not exist and is skipped:
Switch(config)#interface fa#/#
Switch(config-if)#switchport trunk encapsulation dot1q
Switch(config-if)#switchport mode trunk

• Switches can detect the type of link configured at the other end, using the Dynamic Trunking Protocol (DTP).
• Based on the attached device, the link configures itself as either a trunk port or an access port.
Switch(config-if)#switchport mode dynamic {desirable | auto}
• switchport mode dynamic auto: the interface becomes a trunk if the neighboring interface is set to trunk or desirable mode.
• switchport mode dynamic desirable: the interface becomes a trunk if the neighboring interface is set to trunk, desirable or auto mode.
• Caveat: DTP trusts whatever is plugged in. A host on a dynamic port can send DTP frames, negotiate a trunk, and then receive and inject traffic for every VLAN on the switch. On ports facing end devices, set switchport mode access and disable DTP with switchport nonegotiate; on real trunks, set switchport mode trunk and switchport nonegotiate on both ends so that nothing is negotiated.
• To return a trunk port to an access port, use either of the following commands (the first returns the port to its default dynamic mode, the second pins it as an access port; prefer the second):
Switch(config)#interface fa#/#
Switch(config-if)#no switchport mode trunk
or
Switch(config-if)#switchport mode access

Native VLAN
• To accommodate untagged traffic, a special VLAN called the native VLAN exists on each 802.1Q trunk.
• Untagged frames received on an 802.1Q trunk port become members of the native VLAN.
• On Cisco Catalyst switches, VLAN 1 is the native VLAN by default.
• Every other VLAN is identified by a tag in the frame; native VLAN frames carry no tag on the trunk.
• On an 802.1Q trunk, use the following interface command to set the native VLAN:

Switch(config-if)#switchport trunk native vlan vlan-id

• Checks and caveats:
  The native VLAN must be the same on both ends of a trunk; a mismatch silently joins two VLANs, and CDP reports it as a native VLAN mismatch.
  Because native frames are untagged, a frame carrying two tags whose outer tag is the native VLAN has that outer tag stripped on the trunk and is delivered by the next switch into the VLAN of the inner tag (double tagging). Use an unused VLAN with no member ports as the native VLAN, and on switches that support it tag the native VLAN as well with the global command vlan dot1q tag native.
  Verify with show interfaces trunk, which lists the mode, encapsulation and native VLAN of every trunk.

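The tagging rules above, as an added example in Python (not code from the slides or from Cisco): it builds and parses 802.1Q tags, applies the native-VLAN rule on a trunk, and shows why the native VLAN should be an unused VLAN. The MAC addresses and payload are constructed, and one behaviour is an assumption stated in the code: a frame arriving on an access port that already carries a tag for that port's own VLAN is accepted with the tag stripped, which is what makes the double-tag case work on many switches.

```python
import struct

TPID_8021Q = 0x8100        # EtherType that announces an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800


def mac_bytes(mac: str) -> bytes:
    return bytes(int(octet, 16) for octet in mac.split(":"))


def build_frame(dst: str, src: str, ethertype: int, payload: bytes,
                vlan_ids: tuple = ()) -> bytes:
    """Ethernet frame; each VID in vlan_ids adds one 4-byte 802.1Q tag
    (TPID 0x8100 + TCI with PCP=0, DEI=0), outermost first."""
    hdr = mac_bytes(dst) + mac_bytes(src)
    for vid in vlan_ids:
        hdr += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)
    return hdr + struct.pack("!H", ethertype) + payload


def parse_tags(frame: bytes):
    """Return (VIDs outermost-first, inner EtherType, payload)."""
    offset, vids = 12, []
    while True:
        (etype,) = struct.unpack_from("!H", frame, offset)
        offset += 2
        if etype != TPID_8021Q:
            return vids, etype, frame[offset:]
        (tci,) = struct.unpack_from("!H", frame, offset)
        offset += 2
        vids.append(tci & 0x0FFF)


def pop_tag(frame: bytes) -> bytes:
    """Remove the outermost 802.1Q tag (bytes 12..15)."""
    return frame[:12] + frame[16:]


def trunk_ingress(frame: bytes, native_vlan: int):
    """Frame arriving on an 802.1Q trunk: untagged -> native VLAN,
    tagged -> VLAN of the outermost tag (which is then removed)."""
    vids, _, _ = parse_tags(frame)
    if not vids:
        return native_vlan, frame
    return vids[0], pop_tag(frame)


def trunk_egress(frame: bytes, vlan: int, native_vlan: int) -> bytes:
    """Frame leaving on an 802.1Q trunk: the native VLAN is sent untagged,
    every other VLAN gets a tag inserted after the source MAC."""
    if vlan == native_vlan:
        return frame
    return frame[:12] + struct.pack("!HH", TPID_8021Q, vlan) + frame[12:]


def access_to_trunk(frame: bytes, access_vlan: int, native_vlan: int):
    """Frame entering on an access port in access_vlan and leaving on a trunk.
    Assumption (true of many switches): a frame that arrives on an access
    port already carrying a tag for that port's own VLAN is accepted and the
    tag is stripped; a tag for any other VLAN is dropped."""
    vids, _, _ = parse_tags(frame)
    if vids:
        if vids[0] != access_vlan:
            return None
        frame = pop_tag(frame)
    return trunk_egress(frame, access_vlan, native_vlan)


def double_tag_attack(native_vlan: int, target_vlan: int = 20) -> int:
    """Attacker on an access port in VLAN 1 sends a frame with outer tag 1 and
    an inner tag for the target VLAN. Returns the VLAN in which the next
    switch along the trunk delivers the frame."""
    attacker_frame = build_frame("ff:ff:ff:ff:ff:ff", "00:00:5e:00:53:aa",
                                 ETHERTYPE_IPV4, b"constructed payload",
                                 vlan_ids=(1, target_vlan))
    on_trunk = access_to_trunk(attacker_frame, access_vlan=1, native_vlan=native_vlan)
    delivered_vlan, _ = trunk_ingress(on_trunk, native_vlan)
    return delivered_vlan


if __name__ == "__main__":
    print("native VLAN 1   -> frame lands in VLAN", double_tag_attack(1))    # 20: hopped
    print("native VLAN 999 -> frame lands in VLAN", double_tag_attack(999))  # 1: contained
```

With the default native VLAN 1 the outer tag disappears on the trunk and the inner tag is honoured downstream; with an unused native VLAN the attacker's VLAN is tagged on egress, so the frame stays in VLAN 1 and the inner tag is just payload to the hosts there.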
Switch Security
Secure Remote Access (SSH)
• Telnet sends the username, the password and all session data in plaintext, so anyone who can capture traffic on the path can read them.
• SSH is more secure because it provides an encrypted and authenticated management connection. Once SSH works, restrict the vty lines to SSH only (transport input ssh) so that Telnet is no longer accepted.

Switch security
Secure Unused Ports
• An unused but enabled port is an open door: whoever reaches the patch panel is on the default VLAN.
• Shut down every unused port (shutdown) and move it into an unused VLAN that has no SVI and no route out, so that a port later enabled by mistake still leads nowhere.
• The interface range command can be used to apply such a configuration to several switch ports at one time.

Switch security
Port Security
• Port security limits the number of valid MAC addresses allowed to transmit data through a switch port.
• If a port has port security enabled and an unknown MAC address sends data, the switch raises a security violation.
• The default number of secure MAC addresses allowed is 1.
• Methods used to configure MAC addresses within port security:
• Static secure MAC addresses: manually configured and stored in the running-config.
  switchport port-security mac-address mac-address
• Dynamic secure MAC addresses: dynamically learned, stored only in the MAC address table, and removed if the switch restarts or the port goes down.
• Sticky secure MAC addresses: dynamically learned and written into the running configuration (which can later be saved to the startup-config to retain the MAC addresses permanently). Enable sticky learning with:
  switchport port-security mac-address sticky
  (a specific address can also be entered as sticky with switchport port-security mac-address sticky mac-address)
• Note: disabling sticky learning converts sticky MAC addresses to dynamic secure addresses and removes them from the running-config.

Switch Port Security
• Port Security: Violation Modes
  Protect: frames from unknown source MAC addresses are dropped; no notification is produced and the violation counter does not increment.
  Restrict: frames from unknown source MAC addresses are dropped; a syslog message (and SNMP trap) is produced and the violation counter increments. The port stays up.
  Shutdown (default mode): the interface goes into the error-disabled state and the port LED turns off; a syslog message is produced and the violation counter increments. All traffic on the port stops, including that of the legitimate device.

Switch Security
• Port Security: Configuring
• Before configuring port-security features, place the port in access mode (switchport mode access) and use the switchport port-security interface configuration command to enable port security on the interface. Port security cannot be enabled on a port that is still in dynamic mode.
  (Most common configuration error: forgetting this command!)

Port security
• Switch(config-if)#switchport port-security maximum ?
  <1-132>  Maximum addresses (the upper limit varies by platform)
• Switch(config-if)#switchport port-security mac-address ?
  H.H.H   48 bit mac address
  sticky  Configure dynamic secure addresses as sticky
• Switch(config-if)#switchport port-security violation ?
  protect   Security violation protect mode
  restrict  Security violation restrict mode
  shutdown  Security violation shutdown mode
• Switch(config-if)#switchport port-security maximum 10

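The behaviour of the three violation modes and of sticky versus dynamic addresses, as an added Python model (not code from the slides or from Cisco IOS). The MAC addresses are constructed test values, the interface name is an assumption, and the log line is a simplified stand-in rather than the wording IOS prints; aging timers and SNMP traps are left out.

```python
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    """Model of one interface with 'switchport port-security' enabled.
    Simplified: no aging timers, one log line per event, no SNMP traps."""
    name: str = "FastEthernet0/1"             # assumed interface name
    maximum: int = 1                          # switchport port-security maximum N
    violation: str = "shutdown"               # protect | restrict | shutdown (default)
    sticky: bool = False                      # switchport port-security mac-address sticky
    static: set = field(default_factory=set)  # switchport port-security mac-address H.H.H
    learned: list = field(default_factory=list)  # dynamic (or sticky) addresses
    violations: int = 0
    err_disabled: bool = False
    syslog: list = field(default_factory=list)

    def secure_macs(self) -> set:
        return self.static | set(self.learned)

    def receive(self, src_mac: str) -> str:
        """Apply port security to one ingress frame; returns what the switch did."""
        if self.err_disabled:
            return "dropped: port err-disabled"
        if src_mac in self.secure_macs():
            return "forwarded"
        if len(self.secure_macs()) < self.maximum:
            self.learned.append(src_mac)      # learn a new secure address
            return "forwarded (learned)"
        # Unknown source MAC and the table is full: a security violation.
        if self.violation == "protect":
            return "dropped"                  # silent; counter does not move
        self.violations += 1
        self.syslog.append(f"violation on {self.name} by {src_mac}")  # constructed wording
        if self.violation == "restrict":
            return "dropped (logged)"         # port stays up
        self.err_disabled = True              # shutdown mode
        return "dropped (port err-disabled)"

    def link_down(self) -> None:
        """Link flap or reload: dynamic addresses are forgotten, sticky ones
        survive because they were written into the running configuration."""
        if not self.sticky:
            self.learned.clear()

    def recover(self) -> None:
        """Operator issues 'shutdown' then 'no shutdown' after investigating."""
        self.link_down()
        self.err_disabled = False

    def running_config(self) -> list:
        """The interface stanza as sticky learning leaves it in running-config."""
        lines = [f"interface {self.name}", " switchport mode access",
                 " switchport port-security",
                 f" switchport port-security maximum {self.maximum}",
                 f" switchport port-security violation {self.violation}"]
        if self.sticky:
            lines.append(" switchport port-security mac-address sticky")
            lines += [f" switchport port-security mac-address sticky {m}" for m in self.learned]
        lines += [f" switchport port-security mac-address {m}" for m in sorted(self.static)]
        return lines


def demo() -> dict:
    """The same four frames against each violation mode on a maximum-2 port:
    two legitimate hosts, one intruder, then the first host again."""
    results = {}
    for mode in ("protect", "restrict", "shutdown"):
        port = SecurePort(maximum=2, violation=mode)
        actions = [port.receive(m) for m in ("0000.5e00.5301", "0000.5e00.5302",
                                              "0000.5e00.53ff",    # third MAC: violation
                                              "0000.5e00.5301")]   # known MAC afterwards
        results[mode] = (actions, port.violations, port.err_disabled)
    return results


if __name__ == "__main__":
    for mode, (actions, count, down) in demo().items():
        print(f"{mode:9s} violations={count} err-disabled={down} {actions}")
```

The last frame is the point of the exercise: under protect and restrict the legitimate host keeps working after the intruder is dropped, while under shutdown (the default) the intruder takes the legitimate host down with it until an operator recovers the port.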
Port Security: Verifying
• Use the show port-security interface interface-id command to verify the maximum number of MAC addresses allowed on a particular port, how many are currently in the table, how many were learned as sticky, the violation mode and the violation count.
• Use show port-security with no arguments for a one-line summary of every secured port.
• Use the show running-config command to see sticky-learned MAC addresses that have been added to the configuration.
• The show port-security address command lists the secure MAC addresses and shows how each one was learned on a particular port.

Ports in Error Disabled State
• Switch console messages are displayed when a port security violation occurs. Notice that the port link status changes to down.
• Check the port status and the port security settings: show interfaces status err-disabled lists every error-disabled port with the reason, and show port-security interface shows the offending MAC address and the violation count.
• Do not re-enable a port until the cause of the violation has been investigated and removed.
• After a violation you must first shut the port down and then issue the no shutdown command to use the port again. (The switch can also be told to recover the port by itself after a timer with errdisable recovery cause psecure-violation, but then nobody has looked at why it tripped.)

VLAN Trunking Protocol (VTP)
• As networks grow in size and complexity, centralized management of the VLAN structure becomes crucial.
• Without it, every change to the VLAN structure must be keyed into each switch by hand, and one incorrectly keyed number causes inconsistent connectivity throughout the entire network.
• To resolve this, Cisco created VTP to automate many of the VLAN configuration functions.
• VLAN Trunking Protocol (VTP) is a Cisco Layer 2 messaging protocol that distributes and manages the VLAN database from a centralized server within a network segment.
• VTP ensures that the VLAN configuration is maintained consistently across the network and reduces the work of VLAN management and monitoring.

• VTP is a client/server messaging protocol that adds, deletes and renames VLANs within a single VTP domain.
• All switches under a common administration are part of a domain.
• Each domain has a unique name. VTP switches only exchange VTP messages with switches in the same domain.
• This chapter covers VTP versions 1 and 2. (A version 3 exists on newer IOS releases; its main change is that only a designated primary server may change the VLAN database.) All switches in a domain must run the same version.
• VTP has three modes: server, client and transparent.
• By default, every switch is a server. It is good practice to have at least two switches configured as servers on a network, to provide backup and redundancy, and to put every other switch into client or transparent mode.

• Server mode: in VTP server mode, you can create, modify and delete VLANs and specify other configuration parameters, such as VTP version and VTP pruning, for the entire VTP domain.
• Client mode: VTP clients behave the same way as VTP servers, but you cannot create, change or delete VLANs on a VTP client.
• Transparent mode: VTP transparent switches do not participate in VTP.
• A VTP transparent switch does not advertise its VLAN configuration and does not synchronize its VLAN configuration from received advertisements, but transparent switches running VTP version 2 do forward the VTP advertisements they receive out their trunk ports.

VTP
• With VTP, each switch advertises messages on its trunk ports.
• Messages include the management domain, the configuration revision number, the known VLANs and the parameters of each VLAN.
• These advertisement frames are sent to a multicast address so that all neighbor devices receive them.
• Each VTP switch saves its VLAN database (the vlan.dat file in flash on Catalyst switches) together with a configuration revision number.
• If a VTP switch receives an update with a higher revision number than the one in its database, the switch replaces its VLAN database with the new information. This applies to servers as well as clients: a switch in server mode also accepts a higher-revision update.
• To protect against someone inserting an incorrect VLAN update, configure a VTP password. The password is not transmitted; it is mixed into the MD5 digest carried in each advertisement, so a switch whose password differs cannot produce an advertisement the domain accepts. It does not stop a switch that has the right domain name and password and a higher revision number.

• VTP messages come in three varieties:
  Summary advertisements
  Subset advertisements
  Advertisement requests

Summary Advertisements
• Switches issue summary advertisements every 5 minutes or whenever the VLAN database changes.
• Summary advertisements contain the current VTP domain name and the configuration revision number.
• If VLANs are added, deleted or changed, the server increments the configuration revision number and issues a summary advertisement.
• When a switch receives a summary advertisement, it compares the VTP domain name with its own.
• If the domain name is the same, the switch compares the configuration revision number with its own. If the received number is lower or equal, the switch ignores the packet.
• If the received revision number is higher, the switch sends an advertisement request.

Subset Advertisements
• A subset advertisement follows the summary advertisement.
• A subset advertisement contains a list of VLAN information.
• The subset advertisement carries the new VLAN information announced by the summary advertisement.
• If there are many VLANs, more than one subset advertisement is needed.
Advertisement Requests
• Switches use advertisement requests to ask for VLAN information.
• An advertisement request is sent when the switch has been reset, when the VTP domain name has been changed, or when the switch receives a VTP summary advertisement with a higher configuration revision number than its own.

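The comparison a switch makes on a summary advertisement (domain, then revision, then digest), as an added Python model that is not code from the slides or from Cisco. It shows the failure mode the configuration section warns about: a reused switch with a high revision number and the right domain name overwrites the production VLAN database, and a VTP password is what stops it. The switch names, VLANs and password are constructed, and the digest is an assumption: a simplified stand-in for the MD5 digest VTP carries, with the password mixed in, rather than the real packet layout.

```python
import hashlib
from dataclasses import dataclass, field


@dataclass
class VtpSwitch:
    name: str
    domain: str
    mode: str = "server"          # server | client | transparent (default is server)
    password: str = ""            # "" means no VTP password configured
    revision: int = 0
    vlans: dict = field(default_factory=lambda: {1: "default"})


def vtp_digest(domain: str, revision: int, vlans: dict, password: str) -> str:
    """Stand-in for the MD5 digest in each summary advertisement (assumption:
    the real digest covers the VTP packet and VLAN database with the password
    as a secret; the exact layout is simplified here)."""
    h = hashlib.md5()
    h.update(password.encode())
    h.update(domain.encode())
    h.update(revision.to_bytes(4, "big"))
    for vid in sorted(vlans):
        h.update(f"{vid}:{vlans[vid]}".encode())
    return h.hexdigest()


def summary_advertisement(sw: VtpSwitch) -> dict:
    """What a switch sends out its trunks every 5 minutes or on a change
    (the subset advertisement with the VLAN list is folded in for brevity)."""
    return {"domain": sw.domain, "revision": sw.revision,
            "digest": vtp_digest(sw.domain, sw.revision, sw.vlans, sw.password),
            "vlans": dict(sw.vlans)}


def receive_summary(sw: VtpSwitch, adv: dict) -> str:
    """The checks a VTP switch performs on a received summary advertisement."""
    if sw.mode == "transparent":
        return "forwarded, not applied"           # VTP v2 transparent: relay only
    if adv["domain"] != sw.domain:
        return "ignored: different domain"
    if adv["revision"] <= sw.revision:
        return "ignored: revision not higher"
    expected = vtp_digest(adv["domain"], adv["revision"], adv["vlans"], sw.password)
    if adv["digest"] != expected:
        return "ignored: digest mismatch (wrong password)"
    sw.vlans = dict(adv["vlans"])                 # overwrite the local VLAN database
    sw.revision = adv["revision"]
    return "applied"


def add_vlan(server: VtpSwitch, vid: int, name: str) -> None:
    """Every change on a server bumps the configuration revision number."""
    server.vlans[vid] = name
    server.revision += 1


def reset_revision(sw: VtpSwitch) -> None:
    """Switching to transparent mode (or changing the domain name) resets the
    revision to 0; do this before a reused switch is connected to production."""
    sw.mode = "transparent"
    sw.revision = 0


def rogue_switch_scenario(password: str):
    """A reused lab switch (server mode, revision 50, only VLAN 1) is plugged
    into a production domain whose server is at revision 10 with VLANs 10/20/30.
    Returns (what the production server did, its VLAN list afterwards)."""
    prod = VtpSwitch("S1", "CORP", password=password, revision=10,
                     vlans={1: "default", 10: "users", 20: "servers", 30: "voice"})
    lab = VtpSwitch("LAB", "CORP", revision=50)   # same domain name, no password
    action = receive_summary(prod, summary_advertisement(lab))
    return action, sorted(prod.vlans)


if __name__ == "__main__":
    print("no password :", rogue_switch_scenario(""))        # applied: VLANs 10/20/30 gone
    print("with password:", rogue_switch_scenario("s3cret"))  # ignored: database intact
```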
Configuring VTP
• If a switch in server mode (or a client in the same domain with the right password) issues an update with a higher revision number than the one currently in place, all switches modify their databases to match the new switch. A switch taken from a lab with a high revision number and the production domain name can therefore wipe the production VLAN database the moment it is connected.
• When adding a new switch to an existing VTP domain, use the following steps:
Step 1: Configure VTP off-line, before the switch is cabled to the network: set the domain name, the mode (client or transparent unless this switch is meant to be a server), the password, and the VTP version (version 1, matching the rest of the domain).
Step 2: Verify the VTP configuration with show vtp status and confirm that the configuration revision is 0. Setting the switch to transparent mode, or changing the domain name, resets the revision to 0.
Step 3: Reboot the switch, check show vtp status again, and only then connect it to the domain.

Spanning Tree Protocol (STP)
• Spanning Tree Protocol (STP) provides a mechanism for disabling redundant links in a switched network.
• STP provides the redundancy required for reliability without creating switching loops.
• When switches are first powered up with STP enabled, they check the switched network for the existence of loops.
• Switches that detect a potential loop block some of the connecting ports, while leaving other ports active to forward frames.

• Switches constantly check the network to ensure that there are no loops and that all ports function as required.
• To prevent switching loops, STP:
  Forces certain interfaces into a standby or blocked state
  Leaves other interfaces in a forwarding state
  Reconfigures the network by activating the appropriate standby path if the forwarding path becomes unavailable

• In STP terminology, the term bridge is frequently used to refer to a switch.
• For example, the root bridge is the primary switch or focal point of the STP topology.
• The root bridge communicates with the other switches using Bridge Protocol Data Units (BPDUs).
• BPDUs are frames multicast every 2 seconds (the hello time) to all other switches.
• BPDUs contain information such as:
  Identity of the root bridge and of the sending switch
  Identity of the sending port
  Cumulative cost of the path to the root bridge
  Values of the aging timers (max age and forward delay)
  Value of the hello timer
• Caveat: a BPDU is accepted from whoever sends it. A device on an access port that sends BPDUs with a low bridge ID becomes the root and pulls traffic through itself; enable spanning-tree bpduguard on host-facing ports so that such a port is error-disabled instead.

• As a switch powers on, each of its ports cycles through a series of four states:
  Blocking,
  Listening,
  Learning, and
  Forwarding.
• A fifth state, disabled, indicates that the administrator has shut down the switch port.

• When a switch powers on, each port first goes into the blocking state so that no loop can form while the topology is unknown.
• The port then changes to the listening state, in which it receives BPDUs from neighbor switches.
• After processing this information, the switch determines which ports can forward frames without creating a loop.
• If a port can forward frames, it moves to the learning state and then to the forwarding state.
• Access ports with a single host attached do not create loops in a switched network and transition to forwarding (with PortFast enabled, immediately, skipping the listening and learning states).
• Trunk ports can create a looped network and transition to either a forwarding or a blocking state.

• STP uses the root switch to determine which ports to block and which ports to put into the forwarding state.
• The root bridge sends out BPDUs containing network topology information to all other switches. This information allows the network to reconfigure itself in the event of a failure.
• There is only one root bridge on each network, and it is elected based on the bridge ID (BID).
• The BID is the bridge priority value followed by the MAC address.
• Bridge priority has a default value of 32,768. If a switch has a MAC address of AA-11-BB-22-CC-33, the BID for that switch is 32768:AA-11-BB-22-CC-33.
• On Cisco switches running per-VLAN spanning tree, the VLAN number is added to the priority as an extended system ID, so show spanning-tree reports a priority of 32769 for VLAN 1 at the default setting.

Root Bridge
• The root bridge is the switch with the lowest BID value. Since switches typically keep the same default priority, the switch with the lowest MAC address becomes the root bridge, which is often an old access switch rather than the core.
• As each switch powers on, it assumes that it is the root bridge and sends out BPDUs containing its BID.
• For example, if S2 advertises a root ID that is a lower number than S1's, S1 stops advertising its own root ID and accepts the root ID of S2. S2 is now the root bridge.
• STP designates three types of ports: root ports, designated ports and blocked ports.

Root Port
• On every switch other than the root, the port that provides the least-cost path back to the root bridge becomes the root port. Switches calculate the least-cost path by adding up the cost, derived from the bandwidth, of each link on the way to the root bridge.
Designated Port
• Every LAN segment has exactly one designated port: the port on that segment that offers the lowest root path cost (the lower BID breaks ties). It forwards traffic between the segment and the root. All ports on the root bridge are designated ports.
Blocked Port
• A blocked port is any remaining port; it does not forward traffic but still listens to BPDUs.

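The election and port-role rules above, as an added Python example (not code from the slides or from Cisco): BID comparison, root election, root path cost from the IEEE 802.1D link costs, and root / designated / blocked roles on a small constructed triangle of three switches. The switch names and MAC addresses are constructed, and the topology assumes at most one link between any pair of switches.

```python
import heapq

# IEEE 802.1D-1998 port costs by link speed in Mb/s (the "bandwidth cost" above)
PORT_COST = {10: 100, 100: 19, 1000: 4, 10000: 2}


def bridge_id(priority: int, mac: str) -> int:
    """BID = 16-bit priority followed by the 48-bit MAC; the lowest value wins."""
    return (priority << 48) | int(mac.replace("-", "").replace(":", ""), 16)


def elect_root(switches: dict) -> str:
    """switches: {name: (priority, mac)}; returns the name with the lowest BID."""
    return min(switches, key=lambda n: bridge_id(*switches[n]))


def spanning_tree(switches: dict, links: list):
    """links: [(switch_a, switch_b, speed_mbps)], at most one link per pair
    (assumption made for brevity). Returns (root, root path cost per switch,
    {(switch, neighbour): 'root' | 'designated' | 'blocked'})."""
    root = elect_root(switches)
    bid = {n: bridge_id(*switches[n]) for n in switches}
    cost, adj = {}, {n: set() for n in switches}
    for a, b, mbps in links:
        cost[frozenset((a, b))] = PORT_COST[mbps]
        adj[a].add(b)
        adj[b].add(a)

    # Root path cost of every switch: shortest path from the root (Dijkstra).
    dist = {n: float("inf") for n in switches}
    dist[root] = 0
    pq = [(0, root)]
    while pq:
        d, n = heapq.heappop(pq)
        if d > dist[n]:
            continue
        for m in adj[n]:
            nd = d + cost[frozenset((n, m))]
            if nd < dist[m]:
                dist[m] = nd
                heapq.heappush(pq, (nd, m))

    roles = {}
    # Root port: on every non-root switch, the port with the least cost to the
    # root; ties go to the neighbour with the lower BID.
    for n in switches:
        if n == root:
            continue
        rp = min(adj[n], key=lambda m: (dist[m] + cost[frozenset((n, m))], bid[m]))
        roles[(n, rp)] = "root"
    # Designated port: on every segment, the end that offers that segment the
    # lowest root path cost (lower BID breaks ties). The far end is blocked
    # unless it is that switch's root port.
    for seg in cost:
        a, b = tuple(seg)
        desig = min((a, b), key=lambda x: (dist[x], bid[x]))
        other = b if desig == a else a
        roles[(desig, other)] = "designated"
        roles.setdefault((other, desig), "blocked")
    return root, dist, roles


# Constructed topology: two distribution switches and one access switch in a
# triangle. S3, the access switch, happens to have the lowest MAC address.
SWITCHES = {"S1": (32768, "00-00-5E-00-53-30"),
            "S2": (32768, "00-00-5E-00-53-20"),
            "S3": (32768, "00-00-5E-00-53-10")}
LINKS = [("S1", "S2", 1000), ("S1", "S3", 1000), ("S2", "S3", 100)]


def with_priority(switches: dict, name: str, priority: int) -> dict:
    """Equivalent of 'spanning-tree vlan 1 priority <priority>' on one switch."""
    out = dict(switches)
    out[name] = (priority, switches[name][1])
    return out


if __name__ == "__main__":
    print("default election, root =", elect_root(SWITCHES))      # S3, the access switch
    root, dist, roles = spanning_tree(with_priority(SWITCHES, "S1", 4096), LINKS)
    print("after priority 4096 on S1, root =", root, "costs =", dist)
    for (sw, nb), role in sorted(roles.items()):
        print(f"  {sw} port toward {nb}: {role}")
```

With default priorities the access switch wins on MAC address alone; after lowering S1's priority the two gigabit links become the tree and the slow S2-S3 link is blocked on the S2 side, which is what the planning slide below is about.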
• Before configuring STP, the network technician plans and evaluates the network in order to select the best switch to become the root of the spanning tree.
• If the root is left to the default lowest MAC address, forwarding may not be optimal.
• To specify the root bridge, the BID of the chosen switch is configured with the lowest priority value.
• The spanning-tree vlan priority command is used to configure the bridge priority.
• The priority field spans 0 to 65535 and the default value is 32768. On switches that use the extended system ID (every current Catalyst), the priority must be a multiple of 4096, so the usable values are 0, 4096, 8192, ... 61440.
• To set the priority:
  S3(config)#spanning-tree vlan 1 priority 4096
• To restore the default priority:
  S3(config)#no spanning-tree vlan 1 priority
• The macro spanning-tree vlan 1 root primary picks a priority low enough to win the election; configure a second switch with spanning-tree vlan 1 root secondary so that the root does not fall back to the lowest MAC address if the primary fails. Verify with show spanning-tree vlan 1, which names the root and states "This bridge is the root" on the root switch.

Spanning Tree in a Hierarchical Network
• After the root bridge, root ports, designated ports and blocked ports are established, STP continues to send BPDUs throughout the switched network at 2-second intervals.
• STP keeps listening to these BPDUs to ensure that no links fail and no new loops appear.
• If a link failure occurs, STP recalculates by:
  Changing some blocked ports to forwarding ports
  Changing some forwarding ports to blocked ports
  Forming a new STP tree to maintain the loop-free integrity of the network

• When a link goes down, STP detects the failure and recalculates the best paths across the network.
• With the original IEEE 802.1D STP, this calculation and transition period takes about 30 to 50 seconds on each switch (max age plus two forward-delay periods). During this recalculation, no user data passes through the recalculating ports. Rapid STP (IEEE 802.1w) reduces this to a few seconds or less.
• Some user applications time out during the recalculation period, which can result in lost productivity and revenue.
• Frequent STP recalculations negatively impact uptime.

• Several commands are useful for verifying spanning tree operation:
  show spanning-tree: displays the root ID, the local bridge ID and the port states
  show spanning-tree summary: displays a summary of port states
  show spanning-tree root: displays the status and configuration of the root bridge
  show spanning-tree detail: displays detailed port information
  show spanning-tree interface: displays STP interface status and configuration
  show spanning-tree blockedports: displays blocked ports

Inter-VLAN Routing
• Although VLANs can span multiple switches, only members of the same VLAN can communicate with each other.
• A Layer 3 device provides connectivity between different VLANs.
• This arrangement lets the network administrator strictly control the type of traffic that flows from one VLAN to another, typically with an access list applied to each routed interface.
• One method of inter-VLAN routing uses a separate physical interface on the Layer 3 device for each VLAN.

• Another method for providing connectivity between different VLANs uses a feature called subinterfaces.
• Subinterfaces logically divide one physical interface into multiple logical pathways.
• Configure one pathway, or subinterface, for each VLAN.
• Supporting inter-VLAN communication with subinterfaces requires configuration on both the switch and the router.

• Switch
  Configure the switch interface toward the router as an 802.1Q trunk link.
• Router
  Select a router interface of at least 100 Mbps (FastEthernet).
  Configure subinterfaces that support 802.1Q encapsulation.
  Configure one subinterface for each VLAN.
  A subinterface gives each VLAN its own logical pathway and default gateway into the router.
• A host in the sending VLAN forwards traffic to the router through its default gateway.
• The subinterface for the VLAN is the default gateway for all hosts in that VLAN.
• The router looks up the destination IP address in its routing table.

• If the destination VLAN is on the same switch as the source VLAN, the router forwards the traffic back down to the source switch over the same trunk, using the subinterface parameters (the VLAN tag) of the destination VLAN. This configuration is often referred to as router-on-a-stick.
• If the exit interface of the router is an 802.1Q subinterface, the frame is sent with the 4-byte VLAN tag of the destination VLAN.
• If the outbound interface is not an 802.1Q subinterface, the router sends the frame untagged, in its original Ethernet format.

To configure inter-VLAN routing, use the following steps:
1. Configure a trunk port on the switch.
Switch(config)#interface fa0/2
Switch(config-if)#switchport mode trunk
2. On the router, configure the FastEthernet interface with no IP address or subnet mask and bring it up.
Router(config)#interface fa0/1
Router(config-if)#no ip address
Router(config-if)#no shutdown
3. On the router, configure one subinterface with an IP address and subnet mask for each VLAN. Each subinterface uses 802.1Q encapsulation with the ID of its VLAN.
Router(config)#interface fa0/1.10
Router(config-subif)#encapsulation dot1q 10
Router(config-subif)#ip address 192.168.10.1 255.255.255.0
4. Use the following commands to verify the inter-VLAN routing configuration and functionality.
Switch#show interfaces trunk
Router#show ip interface
Router#show ip interface brief
Router#show ip route
• Check: the VLAN named in encapsulation dot1q must exist on the switch and be allowed on the trunk, and the IP address of each subinterface must be the default gateway configured on the hosts of that VLAN. With no access list on a subinterface, every VLAN can reach every other VLAN; apply ip access-group on the subinterfaces to restrict that.

END