Thursday, April 19, 2012

VLANs and Trunks

A flat network topology – a network with a single subnet or broadcast domain – can be simple to implement and manage but is not scalable. Switched campus networks are often divided into multiple broadcast domains or VLANs, with multilayer switching providing the inter-VLAN communication.

A VLAN is a single broadcast domain.
All devices connected to the VLAN receive unicasts and broadcasts sent by any other VLAN members.
VLAN members communicate as a logical network segment.
In contrast, a physical segment consists of devices that must be connected to the same physical medium.
VLAN members can be located anywhere in the campus network as long as there is end-to-end connectivity of the VLAN for the VLAN members.

Cisco Catalyst switches support the following 2 VLAN membership assignment methods:
  • Static VLAN assignment
    Static VLANs provide port-based VLAN membership, in which switch ports are assigned to specific VLANs. End systems become members in a VLAN based on the physical switch port to which they are connected. The static port-to-VLAN membership mapping is handled in hardware through ASICs, which provides good performance as mappings are performed at the hardware level without complex table lookups.
  • Dynamic VLAN assignment
    Dynamic VLANs provide VLAN membership based on the MAC address of an end system. When an end system is connected to a switch port, the switch queries a VMPS server, which holds the MAC-address-to-VLAN mappings, using VQP to obtain the VLAN assignment. Dynamic VLAN mappings are created and maintained using NMS tools such as CiscoWorks. Dynamic VLANs provide flexibility and mobility but require more administrative overhead.
VMPS – VLAN Membership Policy Server; VQP – VLAN Query Protocol.

Normal-range VLANs are referenced by a VLAN number range from 1 to 1005.
VLANs 1 and 1002 through 1005 are automatically created and are set aside for special uses.
VLAN 1 is the default VLAN for every switch port, while VLANs 1002 through 1005 are reserved for legacy functions related to Token Ring and FDDI switching.
Note: When a VLAN is deleted, the access ports that belong to the VLAN move into the inactive state and do not forward traffic.

Catalyst switches can also support extended-range VLANs – the VLAN number can be 1 to 4094, for compatibility with the IEEE 802.1Q standard. The extended range is enabled only when the switch is configured for VTP transparent mode with the vtp mode transparent global configuration command. This is due to a limitation of VTPv1 and VTPv2, which can only advertise normal-range VLANs.
VTPv3 allows extended-range VLANs (VLANs 1006 – 4094, inclusive) to be used and advertised.
Note: Extended-range VLANs provide more VLANs for a network, with some limitations. A switch normally maintains VLAN definitions in a database file separate from the normal configuration. VTP uses the database file to advertise and share VLAN definitions between switches over trunk links. When extended-range VLANs are created, they are not stored in the VLAN database file.
As long as the switch remains in VTP transparent mode, the extended VLANs can be used.
A switch that is operating in VTP transparent mode and configured with extended-range VLANs cannot be changed to operate as a VTP server or client.
If the switch needs to be configured to participate in VTPv1 or VTPv2 as either a server or client, any switch port that was assigned to an extended-range VLAN must first be reconfigured for membership in a normal-range VLAN, the extended-range VLANs must then be deleted manually, and only then can the VTP mode be changed from transparent to server or client.

Note: Always use the highest numbers first when configuring extended-range VLANs because some Catalyst switch families allocate the lower portion of the extended-range VLANs for internal functions, eg: Generic Online Diagnostics (GOLD) and specific processes used for housekeeping functions.
The show vlan internal usage EXEC command displays information about the internal VLAN allocation.

The Extended System ID or MAC Address Reduction feature must be enabled prior to creating extended-range VLANs. It removes the requirement for a switch to have a unique MAC address per VLAN, which means that a switch does not require 4096 MAC addresses to be allocated to support 4096 VLANs. The spanning-tree extend system-id global configuration command enables this feature.
Note: Catalyst switch families that support only 64 MAC addresses, eg: Catalyst 2950 and Catalyst 3550, always have this feature enabled and it cannot be disabled; on Catalyst switch families that support 1024 MAC addresses, eg: Catalyst 4500 and Catalyst 6500, the feature can be enabled or disabled.
Note: Extended-range VLANs can only be created in global configuration mode; they cannot be created in the deprecated legacy VLAN database configuration mode.

VLANs should not be allowed to extend beyond the L2 domain of the distribution switch – they should not span across the core block and reach another switch block.
VLANs can be scaled in the switch block by using the following 2 basic methods:
  • End-to-end VLANs
    Also called campus-wide VLANs, span across the entire switch fabric of a campus network to support maximum flexibility and mobility of end systems. End systems can be assigned to VLANs regardless of their physical location. Note that all the access layer switches in every switch block must have all the VLANs in place. Recall that the 80/20 rule for campus network traffic flow patterns estimates that 80% of the user traffic stays within the local workgroup, whereas 20% is destined for a remote resource in the campus network. Although only 20% of the traffic in a VLAN is expected to cross the core layer, end-to-end VLANs make it possible for 100% of the traffic within a VLAN to cross the distribution and core layers.
    End-to-end VLANs are not recommended in an enterprise network unless there is a good reason. In an end-to-end VLAN, broadcast traffic is carried across the campus network, which creates the possibility of a broadcast storm or L2 bridging loop spreading across a VLAN and exhausting the bandwidth of distribution and core layer links as well as switch CPU resources. Troubleshooting such problems is challenging, as the traffic for a VLAN can span many switches; hence the risks of end-to-end VLANs outweigh their convenience and benefits.
  • Local VLANs
    As most enterprise networks have moved toward the 20/80 rule, where the server and intranet/Internet resources are centralized, end-to-end VLANs have become difficult to maintain. Local VLANs group users based on their locations regardless of their organizational functions, and rely upon routing and switching across the distribution and core layers to handle the traffic. This approach provides maximum availability by using active redundant paths to destinations, maximum scalability by keeping the VLAN within a switch block, and maximum manageability. It also enables load balancing, which is not easily achievable with a redundant L2 topology. The Cisco Enterprise Campus Architecture is based on the Local VLANs model.
The VLAN database that contains the VLAN parameters is saved separately from the configuration file into a file called vlan.dat that is located in the root directory of the local Flash memory or NVRAM. Therefore the VLAN database remains even when the startup configuration of a switch is cleared. When a switch is configured in VTP transparent mode, the VLAN configuration (VLAN ID and name) is also stored in the startup configuration file. When the switch boots, the VLAN database file is ignored, and the VLAN configuration in the startup configuration is read and used to populate the VLAN database [1]. When a switch operates in VTP server or client mode, the VLAN configuration is stored only in the VLAN database file and is removed from the startup configuration file.
[1] If the VTP mode or domain name in the vlan.dat file and the startup-config file differs, the switch uses the contents of the vlan.dat file for the VLAN configuration of VLANs 1 to 1005.

Below describes the fields displayed in the output of the show vlan EXEC command:
VLAN – VLAN number.
Name – Name of the VLAN, if configured.
Status – Status of the VLAN (active or suspended).
Ports – Switch ports that belong to the VLAN.
Type – Media type of the VLAN.
SAID – IEEE 802.10 Security Association Identifier for the VLAN.
MTU – Maximum Transmission Unit size for the VLAN.
Parent – Parent VLAN number for TrCRF VLANs, if one exists.
RingNo – Ring number for FDDI or TrCRF VLANs, if applicable.
BridgeNo – Bridge identifier number for TrBRF VLANs, if applicable.
Stp – Spanning Tree Protocol type for TrCRF VLANs.
BrdgMode – Bridging mode for the VLAN.
Trans1 – Translational bridge 1.
Trans2 – Translational bridge 2.
AREHops – (CatOS only) Maximum number of hops for All-Routes Explorer frames.
STEHops – (CatOS only) Maximum number of hops for Spanning Tree Explorer frames.

VLAN Trunking

A switch port supports one VLAN but can support multiple IP subnets for the devices attached to it – multiple IP subnets can exist on a single VLAN.

Connecting switches with separate physical links for each VLAN is possible but not efficient and scalable.
A trunk link is used to carry or transport traffic for multiple VLANs over a switch port.
A trunk link is not assigned to a specific VLAN; one, many, or all active VLANs can be transported between switches through a single physical trunk link.
The switches at both ends of a trunk link use one of the following VLAN frame identification mechanisms – tagging – to identify and distinguish the sent and received frames that belong to the appropriate VLANs:
  • Inter-Switch Link (ISL) Protocol (Cisco-proprietary)
    ISL is sometimes referred to as double tagging, as tagging information is added at the beginning (26-byte ISL header) and end of each frame (4-byte CRC / FCS).
  • IEEE 802.1Q Protocol (Industry-standard)
    Instead of encapsulating each frame within a VLAN ID header and trailer as with ISL, 802.1Q embeds tagging information within the L2 frame; hence it is referred to as single tagging or internal tagging. The 4-byte 802.1Q tag consists of 2 bytes used as the Tag Protocol Identifier (TPID), which always has the value 0x8100 to indicate an 802.1Q tag, and 2 bytes used as the Tag Control Information (TCI) field. The TCI contains a 3-bit Priority Code Point (PCP) field used to implement Class of Service (CoS) functions in the IEEE 802.1p prioritization standard, a 1-bit Canonical Format Indicator (CFI) used to indicate whether the MAC addresses are in Ethernet or Token Ring format, and a 12-bit VLAN Identifier (VID) field used to indicate the source VLAN of the frame. The VID can have values from 0 to 4095, but VLANs 0 and 4095 (0xFFF) are reserved for system use only and cannot be used.

Note: Both ISL and 802.1Q support extended-range VLANs. Originally, ISL used only 10 of the 15 bits reserved in the ISL header to identify the VLAN ID and hence supported only normal-range VLANs. Cisco changed ISL to use 12 of the 15 bits in the VLAN ID field, in line with the later-defined 802.1Q standard that uses a 12-bit VLAN ID field, in order to support extended-range VLANs.

Note that both the ISL and 802.1Q tagging methods add to the total length of an Ethernet frame. ISL adds a total of 30 bytes, while 802.1Q adds 4 bytes. Since Ethernet frames cannot exceed 1518 bytes, the additional VLAN tagging information can cause Ethernet frames to barely exceed the MTU size – baby giant frames. Switches usually report these frames as Ethernet errors or oversize frames. In order to properly handle and forward baby giant frames, Catalyst switches use proprietary hardware to support the ISL encapsulation method, and use the IEEE 802.3ac standard, which extends the Ethernet MTU to 1522 bytes, to support the IEEE 802.1Q VLAN encapsulation standard.
Note: ISL-encapsulated and 802.1Q-tag frames have an MTU of 1548 bytes and 1522 bytes respectively.
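As an added example (not code from the original post), the following Python parses and builds the 4-byte 802.1Q tag described above and computes the on-wire length of a frame under no tagging, 802.1Q and ISL, classifying baby giants. The sample frame and MAC addresses are constructed for the example; the field layout (TPID 0x8100, 3-bit PCP, 1-bit CFI, 12-bit VID, reserved VIDs 0 and 4095) and the 4-byte and 30-byte overheads are those given in the text.

```python
import struct

TPID_8021Q = 0x8100          # Tag Protocol Identifier that marks an 802.1Q tag
MAX_UNTAGGED_FRAME = 1518    # Ethernet maximum frame size in bytes: header + payload + FCS
TAG_OVERHEAD = {"none": 0, "dot1q": 4, "isl": 30}   # bytes each encapsulation adds
RESERVED_VIDS = {0, 0xFFF}   # VID 0 and 4095 are reserved and cannot be assigned

def parse_dot1q_tag(tag: bytes) -> dict:
    """Split a 4-byte 802.1Q tag into its PCP, CFI and VID fields."""
    if len(tag) != 4:
        raise ValueError("an 802.1Q tag is exactly 4 bytes")
    tpid, tci = struct.unpack("!HH", tag)
    if tpid != TPID_8021Q:
        raise ValueError(f"not an 802.1Q tag: TPID 0x{tpid:04x}")
    return {
        "pcp": (tci >> 13) & 0x7,   # 3-bit Priority Code Point (802.1p CoS)
        "cfi": (tci >> 12) & 0x1,   # 1-bit Canonical Format Indicator
        "vid": tci & 0xFFF,         # 12-bit VLAN Identifier
    }

def build_dot1q_tag(vid: int, pcp: int = 0, cfi: int = 0) -> bytes:
    """Build a 4-byte 802.1Q tag, refusing the reserved VIDs 0 and 4095."""
    if not 0 <= vid <= 0xFFF or vid in RESERVED_VIDS:
        raise ValueError(f"VID {vid} is reserved or out of range")
    if not 0 <= pcp <= 7 or cfi not in (0, 1):
        raise ValueError("PCP is 3 bits and CFI is 1 bit")
    return struct.pack("!HH", TPID_8021Q, (pcp << 13) | (cfi << 12) | vid)

def parse_ethernet_frame(frame: bytes) -> dict:
    """Return the addresses, tag fields (if tagged) and payload EtherType of a frame."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    info = {"dst": frame[0:6].hex(":"), "src": frame[6:12].hex(":"), "tagged": False}
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == TPID_8021Q:
        # tagged frame: the tag sits between the source MAC and the real EtherType
        info.update(parse_dot1q_tag(frame[12:16]), tagged=True)
        ethertype = struct.unpack("!H", frame[16:18])[0]
    info["ethertype"] = ethertype
    return info

def classify_frame(payload_len: int, encapsulation: str) -> tuple:
    """Return (on-wire length, class) for a payload carried with the given trunk tagging.
    A frame is a baby giant when only the tag pushed an otherwise legal frame past 1518 bytes."""
    untagged = 14 + payload_len + 4          # header + payload + FCS
    total = untagged + TAG_OVERHEAD[encapsulation]
    if total <= MAX_UNTAGGED_FRAME:
        return total, "normal"
    if untagged <= MAX_UNTAGGED_FRAME:
        return total, "baby giant"
    return total, "giant"

# Constructed sample (not a real capture): broadcast IPv4 frame tagged VLAN 100 with CoS 5.
SAMPLE_FRAME = (bytes.fromhex("ffffffffffff") + bytes.fromhex("001122334455")
                + build_dot1q_tag(vid=100, pcp=5) + bytes.fromhex("0800")
                + b"\x45" + b"\x00" * 19)

if __name__ == "__main__":
    print(parse_ethernet_frame(SAMPLE_FRAME))
    for enc in ("none", "dot1q", "isl"):
        print(enc, classify_frame(1500, enc))
```

Running it shows a full 1500-byte payload coming out at 1518 bytes untagged, 1522 bytes with 802.1Q and 1548 bytes with ISL, which are exactly the MTU values quoted in the note above.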

Dynamic Trunking Protocol (DTP)

Trunk links on Catalyst switches can be manually configured for either ISL or 802.1Q mode.
Cisco has implemented a proprietary point-to-point protocol called Dynamic Trunking Protocol (DTP) that negotiates whether to establish a trunk and the common encapsulation mode between 2 switches. A trunk link can be negotiated between 2 switches only if both switches belong to the same VTP management domain or if one or both switches have not defined their VTP domain – the NULL domain. If 2 switches are in different VTP domains and trunking is desired between them, the trunk links must be manually set to on mode (with or without the nonegotiate mode) to force the trunk to be established.
Note: The %DTP-5-DOMAINMISMATCH: Unable to perform trunk negotiation on port <mode/num> because of VTP domain mismatch. error message will be displayed when 2 switches that are configured with different VTP domains try to negotiate a trunk link.
Note: When a switch with no VTP domain configured is connected to a switch with a VTP domain configured, the former switch inherits the VTP domain of the latter.

Note: Do not omit the switchport mode access interface subcommand, which disables DTP negotiation (DTP mode off), when connecting a switch port to a non-trunking router or firewall interface, since those devices neither support nor understand DTP packets and may report unknown protocol drops in the output of the show interface EXEC command. [1]
Setting the DTP mode to off also reduces the port initialization delays associated with DTP negotiation.
[1] – The show interface EXEC command includes counters for the frames and packets dropped due to unknown protocol beginning in Cisco IOS 12.4(15)T8, but it has some cosmetic bugs – it does record unknown protocol drops properly; however, there are 2 lines with the same output, and the counter is incremented every time the show interface EXEC command is issued.

DTP Modes Matrix Chart

Catalyst 2950 and Catalyst 3550 switch ports default to dynamic desirable.
Catalyst 2960, Catalyst 3560, and Catalyst 3750 switch ports default to dynamic auto.
Catalyst 3550, Catalyst 3560, and Catalyst 3750 support both ISL and 802.1Q.
Catalyst 2950 and Catalyst 2960 support only 802.1Q.

VLAN Trunking Configuration

Switch(config)#interface {type mod/num}
Switch(config-if)#switchport trunk encapsulation {isl | dot1q | negotiate}
Switch(config-if)#switchport trunk native vlan {vlan-id}
Switch(config-if)#switchport trunk allowed vlan {vlan-list | all | {add | except | remove} vlan-list}
Switch(config-if)#switchport mode {trunk | dynamic {desirable | auto}}
The switchport interface subcommand configures a switch port for L2 operation before it can support a trunk.
The negotiate keyword (the default) negotiates the encapsulation method, selecting either ISL or 802.1Q, whichever both ends of the trunk support. ISL is favored if both ends support both types; 802.1Q is negotiated only if one side of the trunk does not support ISL.
The switchport trunk native vlan interface subcommand identifies the untagged or native VLAN for an 802.1Q trunk. This command has no effect for an ISL trunk as ISL does not support an untagged VLAN.
The switchport trunk allowed vlan interface subcommand defines the VLANs to be trunked over a trunk link. All active VLANs are transported over a trunk link by default. An active VLAN is one that has been defined on the switch and has ports assigned to carry it.
The switchport mode interface subcommand sets the trunking mode: permanent trunking mode (trunk), in which the interface becomes a trunk port even if the neighboring interface is not a trunk port; actively attempting to establish a trunk link (dynamic desirable, the default); or passively responding to trunk requests (dynamic auto).

When a switch port is operating in permanent trunking mode, DTP is still operational for negotiating the trunk link with the other end when it is configured as trunk, dynamic desirable, or dynamic auto. DTP packets are sent every 30 seconds to inform the neighboring switch port of the mode of the link.
The trunking mode on critical trunk links should be manually configured on both ends to ensure that the link can never be negotiated into any other state.
The switchport nonegotiate interface subcommand can be used to disable DTP completely when both ends of a trunk are configured as unconditional trunks (switchport mode trunk).
Q: How do switches negotiate the VLAN encapsulation method if both ends support ISL and 802.1Q and are configured with the switchport mode trunk and switchport nonegotiate commands?
A: This will not happen as it is mandatory to specify the VLAN encapsulation method using the switchport trunk encapsulation command prior to implementing the switchport mode trunk command on a switch port that supports both ISL and 802.1Q.

The following parameters must be agreeable on both ends for the proper operation of a trunk link:
  • Trunking mode (unconditional trunking, negotiated, or non-negotiated).
  • Trunk encapsulation (ISL, IEEE 802.1Q, or negotiated through DTP).
  • Native VLAN. A trunk link with different native VLANs on each end can be up and running. However, both switches will log error messages about the native VLAN mismatch, and traffic for both the local and remote native VLANs will be blocked across the trunk link because spanning tree places the ports in the PVID-inconsistent state. The native VLAN mismatch is discovered through the exchange of CDP messages and PVST+ BPDUs via the PVID TLV field.
  • Allowed VLANs. A trunk link allows all VLANs to be transported across it by default. If one end of the trunk link is configured to disallow a VLAN, the VLAN will not be contiguous across the trunk.
Note: The native VLAN is configured independently of the encapsulation type. Implementing the switchport trunk native vlan command on a switch port configured for ISL encapsulation has no effect, and the “Port is not 802.1Q trunk, no action” message is displayed. Additionally, the CDP messages transmitted across an ISL trunk link do not contain the Native VLAN TLV field.
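As an added example (not the post's own material), the following Python models the four parameters listed above for the two ends of a trunk and reports which ones disagree; it also implements the vlan-list, all, add, except and remove forms of the switchport trunk allowed vlan subcommand described earlier. The DTP outcome it encodes (two dynamic auto ends never form a trunk, and a nonegotiate port never brings a dynamic neighbour into trunking because it sends no DTP) is standard Catalyst behaviour that the page's matrix chart summarizes; the switch names and VLAN values are constructed.

```python
from dataclasses import dataclass, field

ALL_VLANS = frozenset(range(1, 4095))   # 1-4094: the full range a trunk may carry

def parse_vlan_list(text: str) -> set:
    """Parse an IOS vlan-list such as '1,10-20,30' into a set of VLAN IDs."""
    vlans = set()
    for part in text.replace(" ", "").split(","):
        if not part:
            continue
        lo, _, hi = part.partition("-")
        lo_i, hi_i = int(lo), int(hi or lo)
        if not 1 <= lo_i <= hi_i <= 4094:
            raise ValueError(f"invalid VLAN range: {part}")
        vlans.update(range(lo_i, hi_i + 1))
    return vlans

def apply_allowed_vlan(current: set, argument: str) -> set:
    """Apply one 'switchport trunk allowed vlan <argument>' to the current allowed set."""
    tokens = argument.split(None, 1)
    keyword = tokens[0].lower()
    rest = tokens[1] if len(tokens) > 1 else ""
    if keyword == "all":
        return set(ALL_VLANS)
    if keyword == "none":
        return set()
    if keyword == "add":
        return current | parse_vlan_list(rest)
    if keyword == "remove":
        return current - parse_vlan_list(rest)
    if keyword == "except":
        return set(ALL_VLANS) - parse_vlan_list(rest)
    return parse_vlan_list(argument)   # a bare vlan-list replaces the current set

@dataclass
class TrunkEnd:
    name: str
    mode: str = "dynamic auto"        # trunk | dynamic desirable | dynamic auto | access
    encapsulation: str = "negotiate"  # isl | dot1q | negotiate
    native_vlan: int = 1
    nonegotiate: bool = False
    allowed: set = field(default_factory=lambda: set(ALL_VLANS))

def will_trunk(a: TrunkEnd, b: TrunkEnd) -> bool:
    """DTP outcome for the pair of modes: True when the link comes up as a trunk."""
    if "access" in (a.mode, b.mode):
        return False
    if a.mode == b.mode == "dynamic auto":
        return False                  # two passive ends never initiate
    for x, y in ((a, b), (b, a)):
        if x.nonegotiate and y.mode != "trunk":
            return False              # no DTP sent, so a dynamic neighbour stays access
    return True

def check_trunk(a: TrunkEnd, b: TrunkEnd) -> list:
    """Return findings for the four parameters that must agree on both ends."""
    findings = []
    if not will_trunk(a, b):
        findings.append(f"trunking mode: {a.name}={a.mode!r}, {b.name}={b.mode!r}: no trunk forms")
    fixed = {a.encapsulation, b.encapsulation} - {"negotiate"}
    if len(fixed) > 1:
        findings.append(f"encapsulation mismatch: {a.name}={a.encapsulation}, {b.name}={b.encapsulation}")
    if a.native_vlan != b.native_vlan:
        findings.append(f"native VLAN mismatch ({a.native_vlan} vs {b.native_vlan}): "
                        "both native VLANs are blocked as PVID-inconsistent")
    for end, other in ((a, b), (b, a)):
        only = sorted(end.allowed - other.allowed)
        if only:
            shown = ",".join(map(str, only[:10])) + (",..." if len(only) > 10 else "")
            findings.append(f"VLANs {shown} allowed only on {end.name}: not contiguous across the trunk")
    return findings

if __name__ == "__main__":
    # Constructed pair: SW1 pruned VLAN 50 and SW2 uses a different native VLAN.
    sw1 = TrunkEnd("SW1", mode="trunk", encapsulation="dot1q",
                   allowed=apply_allowed_vlan(set(ALL_VLANS), "remove 50"))
    sw2 = TrunkEnd("SW2", mode="dynamic desirable", native_vlan=99)
    for line in check_trunk(sw1, sw2):
        print(line)
```

The allowed-VLAN comparison is the one most often missed in practice: the trunk reports trunking on both sides, yet a VLAN removed on one end silently stops being contiguous.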

Native VLAN is used for the communications of control protocols – CDP, VTP, PAgP, LACP, DTP and STP.
DTP messages are always sent on VLAN 1 for ISL trunks and on the native VLAN for 802.1Q trunks (they are always untagged across 802.1Q trunks despite the Native VLAN configuration of the trunk).
Since some interswitch control communications rely upon the native VLAN, it is recommended not to carry or forward user data through the native VLAN – create VLANs separate from the native VLAN for end systems.
Note: STP BPDUs are sent untagged on VLAN 1 to ensure interoperability with other switch vendors. When establishing 802.1Q trunks to switches from other vendors, it is recommended to leave VLAN 1 as the native VLAN, as many of these switches only support VLAN 1 as the native VLAN.
Note: Although those control protocols are carried over the native VLAN of a trunk, they are not affected if the native VLAN is pruned from the trunk. They are still sent and received on the native VLAN as a special case even if the native VLAN ID is not in the list of allowed VLANs. An exception to this is the UniDirectional Link Detection (UDLD) feature, which relies upon the native VLAN to communicate with the neighboring switch on the other end of a trunk. Therefore, the native VLAN must not be pruned on a trunk in order for UDLD to work properly.
Note: Even if the native VLAN on an 802.1Q trunk is not VLAN 1, CDP, VTP, PAgP, LACP, and STP are still sent on VLAN 1, with an 802.1Q tag attached indicating that VLAN 1 is not the native VLAN. If the native VLAN is VLAN 1, then the messages are sent without an 802.1Q tag.

Another important consideration when configuring the native VLAN is security – always ensure that the native VLAN used on 802.1Q trunks is not used by end systems that connect to access ports, in order to mitigate the VLAN hopping vulnerability, which will be discussed further in Chapter 12.
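To turn the recommendations above into a check a defender can run against a saved running-config, here is an added Python example (not part of the original post) that parses the interface stanzas of an IOS configuration and flags ports left in a DTP-negotiating mode, trunks configured without switchport nonegotiate, and access ports whose VLAN is the native VLAN of a trunk on the same switch. The configuration text is constructed for the example; the defaults it assumes (access VLAN 1, native VLAN 1, and a dynamic DTP mode when no switchport mode line is present) follow the text above.

```python
import re

DEFAULT_NATIVE_VLAN = 1
DEFAULT_ACCESS_VLAN = 1

def parse_interfaces(config_text: str) -> dict:
    """Return {interface name: settings} from the interface stanzas of an IOS config."""
    interfaces, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        m = re.match(r"^interface\s+(\S+)$", line)
        if m:
            current = {"mode": None, "access_vlan": DEFAULT_ACCESS_VLAN,
                       "native_vlan": DEFAULT_NATIVE_VLAN, "nonegotiate": False}
            interfaces[m.group(1)] = current
            continue
        if line == "!":                       # "!" closes the stanza
            current = None
        if current is None:
            continue
        if line.startswith("switchport mode "):
            current["mode"] = line[len("switchport mode "):]
        elif line.startswith("switchport access vlan "):
            current["access_vlan"] = int(line.rsplit(None, 1)[1])
        elif line.startswith("switchport trunk native vlan "):
            current["native_vlan"] = int(line.rsplit(None, 1)[1])
        elif line == "switchport nonegotiate":
            current["nonegotiate"] = True
    return interfaces

def audit_vlan_hopping(config_text: str) -> list:
    """Return (interface, finding) pairs for the DTP and native-VLAN weaknesses discussed above."""
    interfaces = parse_interfaces(config_text)
    # Native VLANs of every trunk on this switch (VLAN 1 for trunks that never set one).
    trunk_natives = {s["native_vlan"] for s in interfaces.values() if s["mode"] == "trunk"}
    findings = []
    for name, s in interfaces.items():
        if s["mode"] is None or s["mode"].startswith("dynamic"):
            findings.append((name, "DTP active: port left in dynamic mode and could negotiate "
                                   "a trunk; set switchport mode access"))
        if s["mode"] == "trunk" and not s["nonegotiate"]:
            findings.append((name, "trunk still sends DTP; add switchport nonegotiate"))
        if s["mode"] != "trunk" and s["access_vlan"] in trunk_natives:
            findings.append((name, f"access VLAN {s['access_vlan']} is the native VLAN of a trunk; "
                                   "end systems must not share the native VLAN"))
    return findings

# Constructed sample configuration (not from a real switch).
SAMPLE_CONFIG = """
interface FastEthernet0/1
 description uplink to distribution
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,999
 switchport mode trunk
 switchport nonegotiate
!
interface FastEthernet0/2
 description user port
 switchport access vlan 10
 switchport mode access
!
interface FastEthernet0/3
 description printer, left at defaults
 switchport access vlan 999
!
interface FastEthernet0/4
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
"""

if __name__ == "__main__":
    for interface, finding in audit_vlan_hopping(SAMPLE_CONFIG):
        print(f"{interface}: {finding}")
```

On the sample, FastEthernet0/1 and FastEthernet0/2 pass, FastEthernet0/3 is flagged twice (no explicit mode, and its access VLAN 999 is the uplink's native VLAN), and FastEthernet0/4 is flagged as a trunk that still negotiates.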

Due to the importance of VLAN 1 to the Cisco Catalyst control protocols, many low-end and older Cisco Catalyst switches do not allow VLAN 1 to be cleared from a trunk, which means that VLAN 1 traffic is propagated throughout the network. This is normally not a problem, as Cisco recommends not using VLAN 1 as a user VLAN, and hence the volume of traffic in VLAN 1 is very small. The problem with spanning VLAN 1 throughout a large switched network arises because the spanning tree instance for VLAN 1 must then span the entire switched network.
The maximum recommended network diameter of a spanning tree topology is 7 switches.
Therefore, spanning VLAN 1 throughout a large switch network can lead to network instability.

The VLAN 1 Disable on Trunk or VLAN 1 minimization feature allows newer Catalyst switches to clear VLAN 1 partially from a trunk – it does not fully remove VLAN 1 traffic from the trunk.
The pruning clears or blocks only VLAN 1 user data and STP BPDU traffic on the trunk.
The control protocols, eg: CDP, PAgP, LACP, DTP, and VTP, are still allowed on the trunk.
This can prevent VLAN 1 and its spanning tree instance from spanning across the entire switched network and ensures the stability of large switched networks.

The show interface [type mod/num] trunk EXEC command displays information about a trunking port.
Switch#sh int fa0/1 trunk

Port        Mode             Encapsulation  Status        Native vlan
Fa0/1       auto             n-802.1q       trunking      1

Port        Vlans allowed on trunk
Fa0/1       1-4094

Port        Vlans allowed and active in management domain
Fa0/1       1

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/1       1

When a VLAN is deleted, all ports assigned to that VLAN are placed into the inactive state. They remain associated with the VLAN until they are assigned to a new VLAN.
It is recommended to reassign switch ports to a new VLAN prior to deleting a VLAN.

Trunking ports are not displayed in the output of the show vlan and show vlan brief EXEC commands.

The show dtp interface [type mod/num] EXEC command displays the global DTP information for a switch or DTP information for a specified interface.
Switch#sh dtp int fa0/1
DTP information for FastEthernet0/1:
  TOS/TAS/TNS:                              TRUNK/DESIRABLE/TRUNK
  TOT/TAT/TNT:                              ISL/NEGOTIATE/ISL
  Neighbor address 1:                       001120076C05
  Neighbor address 2:                       000000000000
  Hello timer expiration (sec/state):       22/RUNNING
  Access timer expiration (sec/state):      292/RUNNING
  Negotiation timer expiration (sec/state): never/STOPPED
  Multidrop timer expiration (sec/state):   never/STOPPED
  FSM state:                                S6:TRUNK
  # times multi & trunk                     0
  Enabled:                                  yes
  In STP:                                   no

  3 packets received (3 good)
  0 packets dropped
      0 nonegotiate, 0 bad version, 0 domain mismatches,
      0 bad TLVs, 0 bad TAS, 0 bad TAT, 0 bad TOT, 0 other
  6 packets output (6 good)
      3 native, 3 software encap isl, 0 isl hardware native
  0 output errors
  0 trunk timeouts
  1 link ups, last link up on Mon Mar 01 1993, 00:48:43
  0 link downs

TOS – Trunk Operational Status
TAS – Trunk Administrative Status
TNS – Trunk Negotiated Status
TOT – Trunk Operational Trunking Encapsulation
TAT – Trunk Administrative Trunking Encapsulation
TNT – Trunk Negotiated Trunking Encapsulation

The show dtp EXEC command displays the global DTP information for a switch.
Switch#sh dtp
Global DTP information
        Sending DTP Hello packets every 30 seconds
        Dynamic Trunk timeout is 300 seconds
        0 interfaces using DTP


Each routed port on a Catalyst switch uses an extended-range VLAN as an internal VLAN for its own use. If necessary, a routed port that is using an internal VLAN can be shut down to free up that VLAN; the extended-range VLAN can then be created and the routed port re-enabled, after which it uses another extended-range VLAN as its internal VLAN.

The vlan internal allocation policy {ascending | descending} global configuration command configures whether to allocate internal VLANs in the default ascending order (from 1006 and above) or descending order (from 4094 and below). This command has effect only after a reload.

VLAN numbers 3968 to 4047 and 4094 on Nexus series switches are allocated for the internal use of features, such as multicast and diagnostics, that need internal VLANs for their operation. These VLANs in the reserved group cannot be used, changed, or deleted.
Below shows the output of the show vlan internal usage command on a Nexus 7000 series switch. The command output is identical on the Nexus 5000 series switches.
n7010# sh vlan internal usage

---------   -------------------------------------------------------
3968-4031   Multicast
4032        Online diagnostics vlan1
4033        Online diagnostics vlan2
4034        Online diagnostics vlan3
4035        Online diagnostics vlan4
4036-4047   Reserved
4094        Reserved


switchport mode access + switchport nonegotiate is equivalent to switchport mode access only.
Switch ports configured with both combinations of commands do not send DTP packets, as proven using the debug dtp packets privileged command on both Catalyst 2950 and Catalyst 3560 series switches.

Catalyst 4000 / 4500 and Catalyst 6000 / 6500 switches support either 64 or 1024 MAC addresses depending on the chassis type. Chassis with 64 MAC addresses enable Extended System ID by default, while chassis with 1024 MAC addresses disable Extended System ID by default, in which case MAC addresses are allocated sequentially – the 1st MAC address in the range is assigned to VLAN 1, the 2nd MAC address in the range to VLAN 2, and so on. This allows the switch to support 1024 VLANs, each using a unique bridge identifier.
When Extended System ID is enabled, it disables the pool of MAC addresses used for the VLAN spanning tree, and uses a single MAC address to identify the switch.
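As an added example (not from the post), the following Python builds the 8-byte STP bridge ID under both schemes described above: the legacy one that consumes one MAC address per VLAN from the chassis pool, and the Extended System ID layout, which packs a 4-bit priority (a multiple of 4096) and a 12-bit VLAN ID into the first two bytes and reuses a single switch MAC. The MAC address and priorities are constructed values; the bit layout of the extended form is assumed from IEEE 802.1t rather than stated on the page.

```python
def legacy_bridge_id(priority: int, base_mac: bytes, vlan: int, mac_pool: int) -> bytes:
    """Pre-802.1t bridge ID: 16-bit priority followed by a MAC unique to this VLAN.
    Addresses are handed out sequentially, so VLAN n gets base_mac + (n - 1); a chassis
    with mac_pool addresses therefore cannot give more than mac_pool VLANs a bridge ID."""
    if not 0 <= priority <= 0xFFFF:
        raise ValueError("priority must fit in 16 bits")
    if len(base_mac) != 6:
        raise ValueError("MAC address must be 6 bytes")
    if not 1 <= vlan <= mac_pool:
        raise ValueError(f"chassis has only {mac_pool} MAC addresses; none left for VLAN {vlan}")
    mac_int = int.from_bytes(base_mac, "big") + (vlan - 1)
    return priority.to_bytes(2, "big") + mac_int.to_bytes(6, "big")

def extended_bridge_id(priority: int, switch_mac: bytes, vlan: int) -> bytes:
    """802.1t bridge ID: 4-bit priority + 12-bit VLAN ID in the first two bytes, then one MAC.
    The VLAN ID in the system-ID extension keeps each VLAN's bridge ID unique without
    spending a MAC address per VLAN, which is why 64-address chassis must run this way."""
    if priority % 4096 or not 0 <= priority <= 61440:
        raise ValueError("priority must be a multiple of 4096 between 0 and 61440")
    if len(switch_mac) != 6:
        raise ValueError("MAC address must be 6 bytes")
    if not 1 <= vlan <= 4094:
        raise ValueError("VLAN ID must be 1-4094")
    return (priority | vlan).to_bytes(2, "big") + switch_mac

def vlans_with_unique_bridge_id(mac_pool: int, extended_system_id: bool) -> int:
    """How many VLANs can hold a unique bridge ID on a chassis with this MAC pool."""
    return 4094 if extended_system_id else mac_pool

if __name__ == "__main__":
    mac = bytes.fromhex("00112233aa00")     # constructed base MAC address
    print("legacy VLAN 2  :", legacy_bridge_id(32768, mac, 2, 1024).hex())
    print("extended VLAN 2:", extended_bridge_id(32768, mac, 2).hex())
    print("64-MAC chassis, legacy :", vlans_with_unique_bridge_id(64, False), "VLANs")
    print("64-MAC chassis, extended:", vlans_with_unique_bridge_id(64, True), "VLANs")
```

The output makes the trade-off concrete: with Extended System ID the MAC portion is identical for every VLAN and only the upper two bytes change, while the legacy form walks through the chassis MAC pool and runs out after 64 or 1024 VLANs.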
Chassis Type Chassis Address
WS-C4003, WS-C4006,
WS-C6006, WS-C6009, WS-C6506, WS-C6506-E,
WS-C6509, WS-C6509-E, WS-C6509-NEB, OSR-7609.
WS-C4503, WS-C4506,
WS-C6503, WS-C6503-E, WS-C6513,
Cisco 7603, Cisco 7606, Cisco 7609, Cisco 7613.


  1. Thank you!! BTW.. I noticed a typo: "VLANs 1 through 1005 are reserved for legacy functions related to Token Ring and FDDI switching."

    - I think it should be: VLANs 1002 through 1005 are reserved for legacy functions related to Token Ring and FDDI switching.