Cisco Training 200-125 CCNA v3.0. Day 34 Advanced VLAN Concept

We have already covered VLANs in the Day 11, 12 and 13 video tutorials, and today we continue with them according to the ICND2 syllabus. I recorded the previous video, which closed the preparation for the ICND1 exam, a few months ago and have been very busy all this time until today. I think many of you have passed that exam by now; those who postponed testing can wait until the end of the second part of the course and take the comprehensive CCNA 200-125 exam instead.

With today's video lesson, Day 34, we begin the ICND2 part of the course. Many people ask me why we have not covered OSPF and EIGRP. The reason is that these protocols are not part of the ICND1 syllabus; they are studied in preparation for the ICND2 exam. From today on we cover the topics of the second part of the course, and of course we will study the OSPF and EIGRP protocols. Before starting today's topic, I want to say a few words about how the video tutorials are structured. When presenting ICND1, I did not follow the official outline but simply explained the material in a logical order, as I believed that was easier to understand. For ICND2, at the request of the students, I will present the material in the order of the Cisco course curriculum.

If you go to the company's website, you will see this plan and the fact that the entire course is divided into 5 main parts:

— Local area network switching technologies (26% of educational material);
— Routing technologies (29%);
— Technologies of global networks (16%);
— Infrastructure services (14%);
— Infrastructure maintenance (15%).

I'll start with the first part. If you open the drop-down menu on the right, you can see the detailed topics of this section. Today's video tutorial covers section 1.1, "Configuring, testing and troubleshooting VLANs (normal/extended range) spanning multiple switches", and its subsections 1.1.a "Access ports (data and voice)" and 1.1.b "Default VLANs".

From now on I will try to follow the same principle: each video lesson is devoted to one section with its subsections, and if a section has too little material I will combine several sections in one lesson, for example 1.2 and 1.3. If a section has a lot of material, I will split it into two videos. Either way, we follow the course syllabus so that you can easily compare your notes against the current Cisco curriculum.

You see my new desktop on the screen; this is Windows 10. If you want to improve your desktop with various widgets, watch my video "Pimp Your Desktop", where I show how to customize your computer desktop to suit your needs. I post videos of this kind on another channel, ExplainWorld, so you can use the link in the upper right corner and check out its content.

Before the start of the lesson, I ask you not to forget to share my videos and put likes. I also want to remind you of our contacts in social networks and links to my personal pages. You can e-mail me, and as I said, people who have made a donation on our site will have priority in receiving my personal response.

If you haven't made a donation, it's okay, you can leave your comments under the video tutorials on the YouTube channel and I will respond to them as much as possible.

So, today, following the Cisco outline, we consider three questions: we compare the Default VLAN with the Native VLAN, find out how the normal VLAN range differs from the extended VLAN range, and look at the difference between a Data VLAN and a Voice VLAN. As I said, we touched on this in previous episodes, but rather superficially, so many students still find it hard to tell these VLAN types apart. Today I will explain it in a way that everyone can understand.

Let's look at the difference between Default VLAN and Native VLAN. If you take a brand new Cisco switch with factory settings, it will have 5 VLANs - VLAN1, VLAN1002, VLAN1003, VLAN1004 and VLAN1005.

VLAN1 is the default VLAN on all Cisco devices, while VLANs 1002-1005 are reserved for Token Ring and FDDI. VLAN1 cannot be deleted or renamed, interfaces cannot be added to it, and all switch ports belong to it by default unless they are configured otherwise. By default, all switches can communicate with each other because they are all part of VLAN1. That is what "VLAN by default", or Default VLAN, means.

If you go into the SW1 switch settings and assign two interfaces to VLAN20, they become part of the VLAN20 network. Before starting today's lesson, I strongly advise you to review the Day 11, 12 and 13 episodes mentioned above, because I will not repeat what VLANs are and how they work.

I'll just remind you that you cannot assign interfaces to VLAN20 until you have created it, so you first need to enter the switch's global configuration mode and create VLAN20. You can look at the CLI console to see what I mean. Once these two ports are assigned to VLAN20, PC1 and PC2 can communicate with each other because they both belong to VLAN20. PC3, however, is still part of VLAN1 and therefore cannot communicate with the computers in VLAN20.

We have a second switch, SW2, one of whose interfaces is assigned to VLAN20, with computer PC5 connected to that port. With this connection scheme PC5 cannot communicate with PC4 and PC6, but those two computers can communicate with each other because they belong to the same VLAN1.

Both switches are connected by a trunk through appropriately configured ports. I won't repeat myself; I will just say that by default all switch ports are configured for DTP (Dynamic Trunking Protocol). If a computer is connected to a port, that port uses access mode. If you want to put the port to which PC3 is connected into access mode explicitly, you enter the switchport mode access command.

So, if you connect two switches to each other, they form a trunk. The top two SW1 ports pass only VLAN20 traffic and the bottom port only VLAN1 traffic, but the trunk link carries all traffic passing through the switch. Thus SW2 receives traffic from both VLAN1 and VLAN20.

As you remember, VLANs are locally significant. Therefore SW2 knows that VLAN1 traffic arriving from PC4 can only be sent to PC6 through a port that also belongs to VLAN1. However, when one switch sends traffic to another over the trunk, it needs a mechanism to tell the second switch what kind of traffic it is. That mechanism is the Native VLAN, which is bound to the trunk port and determines which traffic crosses the trunk untagged and which is tagged.

As I said, the switch has only one network that cannot be changed: the default VLAN, VLAN1. And by default the Native VLAN is also VLAN1. What is a Native VLAN? It is the VLAN whose traffic, here VLAN1, crosses the trunk untagged; as soon as traffic from any other VLAN, in our case VLAN20, reaches the trunk port, it is necessarily tagged. Each frame has a destination address (DA), a source address (SA) and a VLAN tag containing the VLAN ID. In our case this identifier indicates that the traffic belongs to VLAN20, so it can only be sent out the VLAN20 port, towards PC5. We can say that the Native VLAN decides whether the traffic is tagged or untagged.

Remember that VLAN1 is the Native VLAN by default, because by default all ports use VLAN1 as the Native VLAN to carry untagged traffic. The Default VLAN, however, is only VLAN1, the one network that cannot be changed. If the switch receives untagged frames on a trunk port, it automatically assigns them to the Native VLAN.

Simply put, in Cisco switches, any VLAN, for example, VLAN20, can be used as a Native VLAN, and only VLAN1 can be used as a Default VLAN.

Here we can run into a problem. If we change the Native VLAN of the trunk port on the first switch to VLAN20, that port will reason: "since this is the Native VLAN, its traffic does not need to be tagged" and will send untagged VLAN20 traffic over the trunk to the second switch. Switch SW2, on receiving this traffic, will say: "great, this traffic has no tag. According to my settings my Native VLAN is VLAN1, so I should forward this untagged traffic in VLAN1." Thus SW2 will forward the received traffic only to PC4 and PC6, even though it was destined for PC5. This creates a serious security problem, because it mixes traffic between VLANs. That is why the same Native VLAN must always be configured on both trunk ports: if the Native VLAN of the SW1 trunk port is VLAN20, then VLAN20 must also be set as the Native VLAN on the SW2 trunk port.

This is the difference between the Native VLAN and the Default VLAN, and you need to remember that the Native VLANs at both ends of a trunk must match.
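To make the frame format and the tagging rules above concrete, here is an added Python model of both trunk ends; it is my example, not code from the lesson or from Cisco. It builds the DA/SA/EtherType frame described above, inserts or strips an 802.1Q tag, applies the sending switch's rule (native VLAN leaves untagged, everything else tagged) and the receiving switch's rule (untagged arrives in the receiver's native VLAN), and then shows what happens when the two native VLANs match and when they do not. The MAC addresses, payload and VLAN numbers are constructed sample values; DTP, allowed-VLAN lists and the CDP mismatch message are deliberately left out of the model.

```python
import struct

# Constructed sample values for the example (not taken from the lesson's lab).
TPID_8021Q = 0x8100          # EtherType value that marks an 802.1Q tagged frame
ETHERTYPE_IPV4 = 0x0800
PC1_MAC = bytes.fromhex("020000000001")
PC5_MAC = bytes.fromhex("020000000005")
PAYLOAD = b"hello PC5"


def build_untagged(dst, src, ethertype=ETHERTYPE_IPV4, payload=PAYLOAD):
    """DA | SA | EtherType | payload, as a host sends it on an access port."""
    return dst + src + struct.pack("!H", ethertype) + payload


def insert_tag(frame, vid, pcp=0):
    """Insert an 802.1Q tag (TPID 0x8100 + TCI) between the SA and the EtherType."""
    tci = (pcp << 13) | (vid & 0x0FFF)          # 12-bit VLAN ID lives in the low bits
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def strip_tag(frame):
    """Return (vid, untagged_frame); vid is None when the frame carries no tag."""
    if len(frame) >= 16 and struct.unpack("!H", frame[12:14])[0] == TPID_8021Q:
        tci = struct.unpack("!H", frame[14:16])[0]
        return tci & 0x0FFF, frame[:12] + frame[16:]
    return None, frame


def trunk_egress(frame, vlan, native_vlan):
    """Sending switch: traffic of the native VLAN leaves the trunk untagged,
    traffic of every other VLAN is tagged with its VLAN ID."""
    if vlan == native_vlan:
        return frame
    return insert_tag(frame, vlan)


def trunk_ingress(frame, native_vlan):
    """Receiving switch: a tagged frame belongs to the VLAN in its tag,
    an untagged frame is assigned to the receiver's own native VLAN."""
    vid, untagged = strip_tag(frame)
    return (native_vlan if vid is None else vid), untagged


def forward_over_trunk(vlan, native_sw1, native_sw2):
    """VLAN that SW2 assigns to a frame SW1 sends on behalf of `vlan`."""
    frame = build_untagged(PC5_MAC, PC1_MAC)
    on_wire = trunk_egress(frame, vlan, native_sw1)
    assigned, _ = trunk_ingress(on_wire, native_sw2)
    return assigned


def native_vlans_match(native_sw1, native_sw2):
    """The condition the lesson insists on (and CDP warns about): both trunk ends agree."""
    return native_sw1 == native_sw2


if __name__ == "__main__":
    print(forward_over_trunk(20, 1, 1))    # 20: tagged on the wire, lands in VLAN20 on SW2
    print(forward_over_trunk(20, 20, 20))  # 20: untagged, but both ends treat it as native VLAN20
    print(forward_over_trunk(20, 20, 1))   # 1: mismatch, the VLAN20 frame is delivered into VLAN1
    print(native_vlans_match(20, 1))       # False
```

The third call is exactly the situation the paragraph above describes: with a mismatch, SW2 cannot tell that the untagged frame was VLAN20 traffic and hands it to VLAN1, so PC4 and PC6 see a frame meant for PC5.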

Let's look at it from the switch's point of view. Go into the switch and type the show vlan brief command; you will see that all ports on the switch belong to the default VLAN1.

Four more VLANs are shown below: 1002, 1003, 1004 and 1005. These are also default VLANs, as you can see from their designation. They are default networks because they are reserved for specific technologies, Token Ring and FDDI. As you can see, they are in the active state but unsupported, because networks of these standards are not connected to the switch.

The "default" designation of VLAN 1 cannot be changed because it is the default network. Since by default all switch ports belong to it, all switches can communicate with each other by default, that is, without any additional port configuration. If you want to connect the switch to another network, you enter global configuration mode and create that network, for example VLAN20. After pressing Enter you are in the configuration of the newly created VLAN, where you can give it a name, for example Management, and then exit.

If you now use the show vlan brief command, you will see the new VLAN20, which has no switch ports assigned to it yet. To assign a port to this VLAN, select an interface, for example int e0/1, enter its configuration and type the switchport mode access and switchport access vlan 20 commands.

If we ask the system to show the VLAN status again, we will see that the Ethernet 0/1 port now belongs to the Management network, that is, it was moved automatically from the default VLAN1 port list.

Note that each access port can only have one Data VLAN, so it cannot serve two VLANs at the same time.

Now let's look at Native VLAN. I use the show int trunk command and see that the Ethernet0/0 port is dedicated to the trunk.

I did not need to do this on purpose, because DTP assigned this interface to trunking automatically. The port is in desirable mode, the encapsulation is n-isl, the port status is trunking, and the Native VLAN is VLAN1.

Next comes the range of VLAN numbers allowed on the trunk, 1-4094, and the indication that VLAN1 and VLAN20 are active on it. Now I enter global configuration mode and type the int e0/0 command to get to the settings of this interface. I try to set this port to trunk mode manually with the switchport mode trunk command, but the system rejects the command, replying that an interface whose trunk encapsulation is set to auto cannot be configured for trunk mode.

Therefore I must first configure the trunk encapsulation type, using the switchport trunk encapsulation command. The system shows the possible parameters for this command:

dot1q - when trunking, the port uses 802.1Q trunk encapsulation;
isl - when trunking, the port uses Cisco's proprietary ISL trunk encapsulation;
negotiate - the port negotiates the trunking encapsulation with the device connected to it.

The same encapsulation type must be selected at each end of the trunk. By default, an out-of-the-box switch supports only dot1q trunking, since this standard is supported by almost all network devices. I program our interface to use this encapsulation with the switchport trunk encapsulation dot1q command and then repeat the previously rejected switchport mode trunk command. Now the port is configured for trunk mode.

If a trunk is formed between two Cisco switches, the proprietary ISL protocol is used by default. If one switch supports both dot1q and ISL and the other only dot1q, the trunk automatically switches to dot1q encapsulation. If we look at the trunk parameters again, we see that the trunking encapsulation of interface Et0/0 has changed from n-isl to 802.1q.

If we enter the show int e0/0 switchport command, we will see all the status parameters for this port.

You can see that by default VLAN1 is the Native VLAN for trunking and that Native VLAN tagging is enabled. Next I use the int e0/0 command to enter the interface settings and type switchport trunk, after which the system lists the possible parameters of this command.

The allowed parameter sets the allowed VLAN characteristics when the port is in trunk mode. The encapsulation parameter sets the trunking encapsulation when the port is in trunk mode. I use the native parameter, which sets the native VLAN characteristics in trunk mode, and enter the switchport trunk native vlan 20 command. Thus, in trunk mode, VLAN20 is the Native VLAN for this port of the first switch, SW1.

We have another switch, SW2, whose trunk port uses VLAN1 as the Native VLAN. Now you see CDP issuing a message that a Native VLAN mismatch has been detected between the two ends of the trunk: the Ethernet0/0 trunk port of the first switch uses Native VLAN20, and the trunk port of the second uses Native VLAN1. This illustrates the difference between the Native VLAN and the Default VLAN.

Now let's look at normal-range and extended-range VLANs.

For a long time Cisco supported only VLAN numbers 1 to 1005, with the range 1002 to 1005 reserved by default for Token Ring and FDDI VLANs. These are called normal-range VLANs. If you remember, the VLAN ID is a 12-bit field, which allows numbers up to 4096, but for compatibility reasons Cisco used only numbers up to 1005.

The extended VLAN range covers numbers from 1006 to 4095. On older devices it can be used only if they support VTP v3. If you use VTP v3 with the extended VLAN range, you must disable support for VTP v1 and v2, because the first and second versions cannot work with VLANs numbered above 1005.

So if you use extended VLANs on old switches, VTP must be disabled and you have to configure the VLAN manually, otherwise the VLAN database cannot be updated. If you are going to use extended VLANs together with VTP, you need VTP version 3.

Let's look at the VTP status with the show vtp status command. You can see that the switch is running VTP v2, while versions 1 and 3 are also supported. I have assigned it the domain name nwking.org.

The VTP operating mode shown here is important: server. You can also see that the maximum number of supported VLANs is 1005, from which it follows that by default this switch supports only the normal VLAN range.

Now I type the show vlan brief command and you see VLAN20 Management, which is listed here because it is part of the VLAN database.

If I now ask to show the device's running configuration with the show run command, we will not see any mention of VLANs, because they are kept only in the VLAN database.

Next I use the vtp mode command to set the VTP operating mode. Older switch models had only three parameters for this command: client, which puts the switch in client mode; server, which turns on server mode; and transparent, which puts the switch in "transparent" mode. Since VTP could not be disabled completely on old switches, in this mode the switch stayed in the VTP domain but simply stopped accepting VLAN database updates arriving at its ports via VTP.

Newer switches have the off parameter, which disables VTP completely. Let's put the device in transparent mode with the vtp mode transparent command and look at the running configuration again. As you can see, an entry for VLAN20 has now appeared in it. Thus, if we add a VLAN whose number is in the normal range, 1 to 1005, while VTP is in transparent or off mode, the VLAN is added both to the running configuration and to the VLAN database.

Let's try to add VLAN 3000; you will see that in transparent mode it also appears in the running configuration. Normally, if we want to add a VLAN from the extended range, we must use the vtp version 3 command. As you can see, both VLAN20 and VLAN3000 are shown in the running configuration.

If you leave transparent mode and enable server mode with the vtp mode server command, and then look at the running configuration again, you will see that the VLAN entries have disappeared completely. This is because all VLAN information is stored only in the VLAN database and can be viewed in the configuration only in VTP transparent mode. Since I enabled VTP v3, the show vtp status command now shows that the maximum number of supported VLANs has increased to 4096.

So, the VTP v1 and VTP v2 database supports only normal-range VLANs from 1 to 1005, while the VTP v3 database includes entries for extended VLANs from 1 to 4096. If you use VTP transparent or VTP off mode, the VLAN information is added to the running configuration. If you want to use the extended VLAN range, the device must run VTP v3. That is the difference between normal and extended VLANs.

Now let's compare the VLAN for data with the VLAN for voice. If you remember, I said that each port can belong to only one VLAN at a time.

However, in many cases we need to configure a port to work with an IP phone. Modern Cisco IP phones have a built-in switch, so you can simply connect the phone with a cable to the wall outlet and with a patch cord to your computer. The problem was that the wall outlet the phone port connects to needed two different VLANs. In the Day 11 and 12 video tutorials we already discussed what has to be done to prevent traffic loops and how to use the "native" VLAN concept, which lets untagged traffic pass, but these were all workarounds. The final solution was to separate VLANs into networks for data traffic and networks for voice traffic.

In this case you group all the telephone lines into a voice VLAN. The figure shows that PC1 and PC2 can belong to the red VLAN20 and PC3 to the green VLAN30, but all the associated IP phones belong to the same yellow voice network, VLAN50.

In effect, each port of switch SW1 will carry two VLANs at the same time: one for data and one for voice.

As I said, an access port always has one VLAN; you cannot have two access VLANs on the same port. You cannot apply the switchport access vlan 10, switchport access vlan 20 and switchport access vlan 50 commands to the same interface at the same time. But you can use two commands on the same interface: switchport access vlan 10 and switchport voice vlan 50. Since the IP phone contains a switch, it can encapsulate and send VLAN50 voice traffic and at the same time receive and send VLAN20 data traffic to switch SW1 in switchport access mode. Let's see how this mode is configured.

First we create VLAN50, then go to the Ethernet 0/1 interface settings and set it to switchport mode access. After that I enter the switchport access vlan 10 and switchport voice vlan 50 commands one after the other.

I forgot to configure the same VLAN mode for the trunk, so I go to the Ethernet 0/0 port settings and enter the switchport trunk native vlan 1 command. Now I ask to show the VLAN settings, and you can see that we now have both networks, VLAN 0 and VLAN1.

Thus, if you see two VLANs on the same port, one of them is a Voice VLAN. It cannot be a trunk, because if you look at the trunk parameters with the show int trunk command, you see that a trunk port carries all VLANs, including the default VLAN1.

We can say that, technically, when you create a data network and a voice network, each of these ports behaves like a half-trunk: for one network it works as a trunk, for the other as an access port.

If you type the show int e0/1 switchport command, you see that some characteristics correspond to two modes of operation: we have both static access and trunking encapsulation. Here the access mode corresponds to the data network, VLAN 20 Management, and at the same time there is the voice network, VLAN 50.

You can look at the running configuration, which also shows access vlan 20 and voice vlan 50 on this port.
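The half-trunk behaviour described above is easier to see in a small model. The following Python is an added example of mine, not code from the lesson or from Cisco: it represents a port configured with switchport access vlan and switchport voice vlan and shows how the switch classifies what arrives on it and how it sends traffic back out. It assumes the simplification that the phone tags its voice frames with the voice VLAN ID while the PC behind the phone sends untagged frames; the VLAN numbers 10 and 50 follow the commands entered in the lesson, and the frames are constructed samples.

```python
import struct

TPID_8021Q = 0x8100   # EtherType value that marks an 802.1Q tagged frame


class AccessPortWithVoice:
    """Model of a port with 'switchport access vlan <data>' and
    'switchport voice vlan <voice>' (assumed simplification: the phone tags
    voice frames with the voice VLAN ID, the PC's frames arrive untagged)."""

    def __init__(self, data_vlan, voice_vlan=None):
        self.data_vlan = data_vlan
        self.voice_vlan = voice_vlan

    @staticmethod
    def _tag_of(frame):
        """VLAN ID from the 802.1Q tag, or None for an untagged frame."""
        if len(frame) >= 16 and struct.unpack("!H", frame[12:14])[0] == TPID_8021Q:
            return struct.unpack("!H", frame[14:16])[0] & 0x0FFF
        return None

    def ingress_vlan(self, frame):
        """VLAN the switch assigns to a received frame, or None if it is dropped."""
        vid = self._tag_of(frame)
        if vid is None:
            return self.data_vlan              # untagged (PC traffic) -> data/access VLAN
        if self.voice_vlan is not None and vid == self.voice_vlan:
            return self.voice_vlan             # tagged with the voice VLAN -> voice VLAN
        return None                            # any other tag is not accepted on an access port

    def egress_tagged(self, vlan):
        """True if frames of `vlan` leave this port tagged (voice VLAN, the 'trunk'
        half), False if untagged (data VLAN, the 'access' half), None if the
        port is not a member of that VLAN at all."""
        if vlan == self.data_vlan:
            return False
        if self.voice_vlan is not None and vlan == self.voice_vlan:
            return True
        return None


def make_frame(vid=None):
    """Constructed sample frame: DA, SA, optional 802.1Q tag, EtherType, payload."""
    hdr = bytes.fromhex("020000000001") + bytes.fromhex("020000000002")
    tag = struct.pack("!HH", TPID_8021Q, vid & 0x0FFF) if vid is not None else b""
    return hdr + tag + struct.pack("!H", 0x0800) + b"sample"


def member_vlans(port):
    """The VLANs 'show vlan brief' would list this one port under."""
    return [v for v in (port.data_vlan, port.voice_vlan) if v is not None]


if __name__ == "__main__":
    port = AccessPortWithVoice(data_vlan=10, voice_vlan=50)
    print(port.ingress_vlan(make_frame()))     # 10: untagged PC frame goes to the data VLAN
    print(port.ingress_vlan(make_frame(50)))   # 50: phone's tagged frame goes to the voice VLAN
    print(port.ingress_vlan(make_frame(20)))   # None: a tag for any other VLAN is dropped
    print(member_vlans(port))                  # [10, 50]: the two VLANs seen on one port
```

Note the asymmetry that makes the port a "half-trunk": the data VLAN is handled exactly like a plain access port (untagged in both directions), while only the voice VLAN crosses the port tagged, and the port still refuses tags for every other VLAN, unlike a real trunk that carries all of them.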

That is the difference between Data VLANs and Voice VLANs. I hope you understood everything I said; if not, just watch this video tutorial again.


Source: habr.com
