Cisco Training 200-125 CCNA v3.0. Day 35: Dynamic Trunking Protocol (DTP)

Today we will look at the Dynamic Trunking Protocol (DTP) and the VLAN Trunking Protocol (VTP). As I said in the last lesson, we will follow the ICND2 exam topics in the order they appear on the Cisco website.


Last time we considered point 1.1, and today we will consider 1.2: configuring, verifying and troubleshooting connections between switches, that is, adding and removing VLANs from a trunk, and the DTP and VTP (versions 1 and 2) protocols.

All switch ports out of the box are configured by default to use the Dynamic Auto mode of the DTP protocol. This means that when two ports of different switches are connected, a trunk is automatically turned on between them if one of the ports is in trunk or desirable mode. If the ports of both switches are in Dynamic Auto mode, no trunk is formed.


Thus, it all depends on the setting of the operating modes of each of the 2 switches. For ease of understanding, I made a table of possible combinations of DTP modes of two switches. You can see that if both switches use Dynamic Auto, then they will not form a trunk, but will remain in Access mode. Therefore, if you want a trunk to be created between two switches, then you must program at least one of the switches to Trunk mode, or program the trunk port to use Dynamic Desirable mode. As can be seen from the table, each of the switch ports can be in one of 4 modes: Access, Dynamic Auto, Dynamic Desirable or Trunk.

If both ports are set to Access, the connected switches will use Access mode. If one port is set to Dynamic Auto and the other to Access, both will work in Access mode. If one port operates in Access mode and the other in Trunk mode, the switches cannot be connected, so this combination of modes cannot be used.

So, for trunking to work, it is necessary that one of the switch ports be programmed for Trunk, and the other for Trunk, Dynamic Auto or Dynamic Desirable. A trunk is also formed if both ports are set to Dynamic Desirable.

The difference between Dynamic Desirable and Dynamic Auto is that in the first mode, the port itself initiates the trunk by sending DTP frames to the port of the second switch. In the second mode, the switch port waits until someone starts talking to it, and if the ports of both switches are set to Dynamic Auto, a trunk will never form between them. In the case of Dynamic Desirable, there is an opposite situation - if both ports are configured for this mode, a trunk is necessarily formed between them.

I advise you to remember this table, as it will help you correctly configure the switches connected to each other. Let's look at this aspect in Packet Tracer. I have daisy-chained 3 switches together and will now display the CLI console windows for each of these devices.


If I enter the show int trunk command, we will not see any trunk, which is quite natural in the absence of the necessary settings, since all switches are in Dynamic Auto mode. If I display the parameters of the f0/1 interface of the middle switch, you will see that dynamic auto is listed as the administrative mode.


The third and first switches have similar settings: their port f0/1 is also in dynamic auto mode. If you remember the table, for a trunk to form, at least one of the ports must be in Trunk or Dynamic Desirable mode.

Let's go to the settings of the first switch SW0 and configure port f0/1. After entering the switchport mode command, the system will prompt you with the possible mode options: access, dynamic, or trunk. I use the switchport mode dynamic desirable command, and you can notice how port f0/1 of the second switch, after this command is entered, first went into the down state and then, after receiving the DTP frame from the first switch, came back up.


If we now enter the show int trunk command in the CLI console of switch SW1, we will see that port f0/1 is in the trunking state. I enter the same command in the SW1 switch console and see the same information, that is, a trunk is now established between the SW0 and SW1 switches. In this case, the port of the first switch is in desirable mode, and the port of the second is in auto mode.


There is still no trunk between the second and third switches, so I go to the settings of the third switch and enter the switchport mode dynamic desirable command. You can see that the same down-up state change occurred on the second switch, only now it concerns port f0/2, to which the third switch is connected. Now the second switch has two trunks: one on the f0/1 interface, the second on f0/2. This can be seen using the show int trunk command.


Both ports of the second switch are in auto mode, so for trunking with the neighboring switches their ports must be in trunk or desirable mode, since with the middle switch in auto those are the only two modes that will bring up a trunk. Using the table, you can always configure the switch ports in such a way as to establish a trunk between them. This is the essence of the Dynamic Trunking Protocol.
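As an added example (not part of the original lesson), the following Python code encodes the mode table above as negotiation rules and applies it to a constructed excerpt in the layout of show interfaces switchport, listing the ports that are still in a dynamic mode and would therefore form a trunk with any neighbour that asks. The Mode names, the SAMPLE text and the helper functions are my own, not Cisco's.

```python
import re
from enum import Enum

class Mode(Enum):
    ACCESS = "static access"          # strings as printed under "Administrative Mode:"
    AUTO = "dynamic auto"
    DESIRABLE = "dynamic desirable"
    TRUNK = "trunk"

INITIATORS = {Mode.DESIRABLE, Mode.TRUNK}   # these actively send DTP requests

def negotiate(a: Mode, b: Mode) -> str:
    """Outcome of DTP for two directly connected ports: 'trunk', 'access' or 'mismatch'."""
    if Mode.ACCESS in (a, b):
        other = b if a is Mode.ACCESS else a
        # a hard-set trunk facing an access port is the combination the table rules out
        return "mismatch" if other is Mode.TRUNK else "access"
    if a in INITIATORS or b in INITIATORS:
        return "trunk"               # desirable/trunk initiates; auto or desirable answers
    return "access"                  # auto + auto: nobody initiates, so no trunk

# Constructed excerpt in the layout of 'show interfaces switchport' (not captured from a device)
SAMPLE = """Name: Fa0/1
Switchport: Enabled
Administrative Mode: dynamic auto
Operational Mode: trunk
Name: Fa0/2
Switchport: Enabled
Administrative Mode: dynamic auto
Operational Mode: static access
Name: Fa0/3
Switchport: Enabled
Administrative Mode: static access
Operational Mode: static access
"""

def parse_admin_modes(output: str) -> dict:
    """Map each interface name to its administrative DTP mode."""
    pairs = re.findall(r"^Name: (\S+)\n(?:.*\n)*?Administrative Mode: (.+)$", output, re.M)
    return {name: Mode(mode.strip()) for name, mode in pairs}

def negotiating_ports(output: str) -> list:
    """Ports still in a dynamic mode: they will trunk with any neighbour that asks."""
    return [n for n, m in parse_admin_modes(output).items() if m in (Mode.AUTO, Mode.DESIRABLE)]
```

Ports that must never become trunks should be hard-set to access mode rather than left at the dynamic auto default, since, as the table shows, access facing auto never trunks.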

Let's move on to the VLAN Trunking Protocol, or VTP. This protocol synchronizes the VLAN databases of different network devices by carrying the updated VLAN database from one device to another. Let's return to our topology of 3 switches. VTP can work in 3 modes: server, client and transparent. VTP v3 has another mode called Off, but only VTP v1 and v2 are covered in the Cisco exam.


Server mode is used to create, delete or modify VLANs from the switch command line. In client mode, no operations can be performed on VLANs; in this mode, the VLAN database is only updated from the server. Transparent mode behaves as if VTP were disabled: the switch does not issue its own VTP updates, but it does relay updates from other switches. If an update arrives on one of the switch ports, it passes it through and sends it on through another port. In transparent mode, the switch simply serves as a relay for other switches' messages without updating its own VLAN database.
On this slide, you see the VTP protocol configuration commands entered in global configuration mode. With the first command, you can change the protocol version used. The second command selects the VTP operation mode.


If you want to create a VTP domain, use the vtp domain <domain name> command, and to set a VTP password, use the vtp password <PASSWORD> command. Let's go to the CLI console of the first switch and look at the VTP status by entering the show vtp status command.


You can see that the VTP version is 2, the maximum number of supported VLANs is 255, the number of existing VLANs is 5, and the VTP operating mode is server. These are all default settings. We already discussed VTP in the Day 30 lesson, so if you have forgotten something, you can go back and watch that video again.

In order to see the VLAN database, I enter the show vlan brief command. Shown here are VLAN1 and VLAN1002-1005. By default, all free switch interfaces belong to the first VLAN: 23 Fast Ethernet ports and 2 Gigabit Ethernet ports; the remaining 4 VLANs (1002-1005) are reserved and listed as unsupported. The VLAN databases of the other two switches look exactly the same, except that SW1 has not 23 but 22 Fast Ethernet ports free for VLANs, since f0/1 and f0/2 are occupied by trunks. Let me remind you once again of what was said in the Day 30 lesson: VTP only synchronizes VLAN databases.

If I configure several ports for VLANs with the switchport mode access and switchport access vlan 10 (or 20, or 30) commands, the configuration of these ports will not be replicated by VTP, because VTP only updates the VLAN database.
So, if one of the SW1 ports is configured for VLAN20, but this VLAN is not in the VLAN database, the port will be disabled. In turn, the databases themselves are only updated through VTP.

With the show vtp status command, I see that all 3 switches are now in server mode. I will put the middle switch SW1 into transparent mode with the vtp mode transparent command, and the third switch SW2 into client mode with the vtp mode client command.

Now let's go back to the first switch, SW0, and create the nwking.org domain using the vtp domain <domain name> command. If you now look at the VTP status of the second switch, which is in transparent mode, you can see that it did not react in any way to the creation of the domain: the VTP Domain Name field remained empty. However, the third switch, which is in client mode, updated its settings and its VTP domain name became nwking.org. Thus, the update from the SW0 database passed through SW1 and was reflected on SW2.

Now I will try to change the domain name, for which I go to the SW0 settings and type the vtp domain NetworKing command. As you can see, this time there was no update: the VTP domain name on the third switch remained the same. The reason is that a switch automatically adopts a domain name only once, when it still has the default (empty) domain name. If the VTP domain name is changed again after that, it must be changed manually on the remaining switches.

Now I will create a new VLAN100 in the CLI console of the first switch and name it IMRAN. It appeared in the VLAN database of the first switch, but did not appear in the database of the third switch, because they are now in different domains. Remember that the VLAN database is only updated if both switches have the same domain name or, as I showed earlier, a new domain name is set on a switch that still has the default name.

I go into the settings of the third switch and enter the vtp mode and vtp domain NetworKing commands in turn. Please note that the domain name is case sensitive, so its spelling must be exactly the same on both switches. Now I put SW2 back into client mode with the vtp mode client command. Let's see what happens. As you can see, now that the domain names match, the SW2 database has been updated and the new VLAN100 IMRAN has appeared in it, and these changes did not affect the middle switch in any way, because it is in transparent mode.

To protect against unauthorized VTP updates, you can set a VTP password. However, the device on the other side must have exactly the same password, because only then will it accept VTP updates.
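As an added example, not part of the original lesson, this Python model replays the server/transparent/client experiment above using the rules the text describes: a switch with no domain adopts the first domain it hears, updates are ignored when the domain or the password differs, transparent switches relay but never apply, and only a higher revision number replaces the database. The Switch class, advertise() and lab() are my own constructions; the revision reset that real IOS performs on a domain change is not modelled.

```python
from dataclasses import dataclass, field

DEFAULT_VLANS = {1, 1002, 1003, 1004, 1005}   # what show vlan brief lists on a fresh switch

@dataclass
class Switch:
    name: str
    mode: str                   # "server", "client" or "transparent"
    domain: str = ""            # empty = factory default, no VTP domain yet
    password: str = ""
    revision: int = 0
    vlans: set = field(default_factory=lambda: set(DEFAULT_VLANS))

    def add_vlan(self, vid: int) -> None:      # done on a server; each change bumps the revision
        self.vlans.add(vid)
        self.revision += 1

    def receive(self, adv: dict) -> bool:
        """Apply one advertisement; True if the domain name or the VLAN database changed."""
        if self.mode == "transparent":
            return False        # forwarded by advertise() (VTP v2 relays regardless of domain)
        changed = False
        if not self.domain:     # a switch with no domain adopts the first one it hears, once
            self.domain, changed = adv["domain"], True
        if adv["domain"] != self.domain or adv["password"] != self.password:
            return changed      # wrong domain or wrong password: database update ignored
        if adv["revision"] > self.revision:
            self.vlans, self.revision, changed = set(adv["vlans"]), adv["revision"], True
        return changed

def advertise(server: Switch, chain: list) -> list:
    """Flood the server's database along the daisy chain (trunks assumed up); who updated."""
    adv = {"domain": server.domain, "password": server.password,
           "revision": server.revision, "vlans": sorted(server.vlans)}
    return [sw.name for sw in chain if sw.receive(adv)]

def lab() -> list:
    # Replays the experiment from the text: SW0 server, SW1 transparent, SW2 client.
    sw0, sw1, sw2 = Switch("SW0", "server"), Switch("SW1", "transparent"), Switch("SW2", "client")
    log = []
    sw0.domain = "nwking.org"                   # SW2 adopts the name, SW1 stays without one
    log.append((advertise(sw0, [sw1, sw2]), sw1.domain, sw2.domain))
    sw0.domain = "NetworKing"                   # a second rename is not adopted by SW2
    log.append((advertise(sw0, [sw1, sw2]), sw1.domain, sw2.domain))
    sw0.add_vlan(100)                           # domains differ, so SW2 ignores VLAN 100
    log.append((advertise(sw0, [sw1, sw2]), 100 in sw2.vlans))
    sw2.domain = "NetworKing"                   # names match: SW2 learns VLAN 100
    log.append((advertise(sw0, [sw1, sw2]), 100 in sw2.vlans, 100 in sw1.vlans))
    return log
```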

The next thing we'll look at is VTP pruning, or pruning of unused VLANs. If you have 100 VTP devices on your network, the VLAN database update of one device will automatically be replicated to the other 99 devices. However, not all of these devices have the VLANs mentioned in the update, so information about them may not be needed.


Sending VLAN database updates to devices using VTP means that all ports of all devices will receive information about added, deleted and changed VLANs that they may have nothing to do with. In this case, the network is clogged with excess traffic. To prevent this, VTP pruning is used. To enable "pruning" of irrelevant VLANs on the switch, use the vtp pruning command. After that, the switches will automatically tell each other which VLANs they actually use, thereby telling their neighbors that they do not need to send them traffic for VLANs that are not connected to them.

For example, if SW2 does not have any VLAN10 ports, then it does not need SW1 to send it traffic for this network. At the same time, switch SW1 needs VLAN10 traffic, because one of its ports is connected to this network, it just does not need to send this traffic to switch SW2.
Therefore, if SW2 uses vtp pruning mode, it tells SW1: "please do not send me traffic for VLAN10 because this network is not connected to me and none of my ports are configured to work with this network." This is what the vtp pruning command gives.

There is another way to filter traffic on a specific interface. It lets you restrict a trunk port to specific VLANs. The disadvantage of this method is the need to configure each trunk port manually, specifying which VLANs are allowed and which are prohibited. For this, a sequence of 3 commands is used. The first one selects the interface affected by these restrictions, the second one turns this interface into a trunk port, and the third, switchport trunk allowed vlan <all/none/add/remove/VLAN number>, specifies which VLANs are allowed on this port: all, none, the VLAN to be added or the VLAN to be removed.

Depending on the specific situation, you choose what to use: VTP pruning or Trunk allowed. Some organizations choose not to use VTP for security reasons, so they choose to manually configure trunking. Since the vtp pruning command does not work in Packet Tracer, I will show it in the GNS3 emulator.

If you go into the SW2 settings and enter the vtp pruning command, the system immediately reports that this mode is enabled: Pruning switched on. That is, VLAN "pruning" is turned on with just one command.

If we type the show vtp status command, we will see that the vtp pruning mode is enabled.


To enable this mode on a VTP server, go to its settings and enter the vtp pruning command. The devices connected to the server will then automatically use VTP pruning to minimize trunk traffic for irrelevant VLANs.

If you prefer not to use this mode, you must enter the configuration of a specific interface, such as e0/0, and then issue the switchport trunk allowed vlan command. The system will prompt you with the possible options for this command:

- WORD - VLAN number that will be allowed on this interface in trunk mode;
- add - VLAN to be added to the list of VLANs allowed on the trunk;
- all - allow all VLANs;
- except - allow all VLANs except those specified;
- none - disable all VLANs;
- remove - remove a VLAN from the list of VLANs allowed on the trunk.

For example, if we have a trunk allowed for VLAN10 and we want to allow it for VLAN20, then we need to enter the switchport trunk allowed vlan add 20 command.


I want to show you something else, so I use the show interface trunk command. Please note that by default all VLANs 1-1005 were allowed for the trunk, and now VLAN10 has also been added to them.


If I use the switchport trunk allowed vlan add 20 command and ask again to show the trunking status, we will see that two networks are now allowed for the trunk - VLAN10 and VLAN20.


At the same time, no traffic other than that of the specified VLANs will be able to pass through this trunk. By allowing traffic only for VLAN 10 and VLAN 20, we denied traffic for all other VLANs. This is how to manually configure which VLANs a trunk carries on a specific switch interface.
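As an added example, not code from the lesson, this Python function applies the keywords of switchport trunk allowed vlan to an allowed-VLAN set exactly as the option list above describes, including the difference between the bare number form (which replaces the list) and add (which extends it), and renders the result in the 1-9,11-1005 style of show interface trunk. The 1-1005 default range and the lab() command sequence follow the text; the function names are my own.

```python
ALL_VLANS = frozenset(range(1, 1006))   # the default "1-1005" that show interface trunk reports

def parse_vlan_list(text: str) -> set:
    """'10,20,30-35' -> {10, 20, 30, 31, 32, 33, 34, 35}; rejects VLAN ids outside 1-4094."""
    vlans = set()
    for part in text.replace(" ", "").split(","):
        if not part:
            continue
        lo, _, hi = part.partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not 1 <= lo <= hi <= 4094:
            raise ValueError(f"VLAN id out of range: {part}")
        vlans.update(range(lo, hi + 1))
    return vlans

def allowed_vlan(current: set, args: str) -> set:
    """Apply one 'switchport trunk allowed vlan <args>' command to the current allowed set."""
    keyword, _, rest = args.strip().partition(" ")
    if keyword == "all":
        return set(ALL_VLANS)
    if keyword == "none":
        return set()
    if keyword == "add":
        return current | parse_vlan_list(rest)
    if keyword == "remove":
        return current - parse_vlan_list(rest)
    if keyword == "except":
        return ALL_VLANS - parse_vlan_list(rest)
    return parse_vlan_list(args)        # bare WORD form: replaces the list, it does not append

def format_vlan_list(vlans) -> str:
    """Render a set the way show interface trunk does: '1-1005', '10,20', '1-9,11-1005'."""
    ids, ranges = sorted(vlans), []
    for vid in ids:
        if ranges and vid == ranges[-1][1] + 1:
            ranges[-1][1] = vid
        else:
            ranges.append([vid, vid])
    return ",".join(str(a) if a == b else f"{a}-{b}" for a, b in ranges) or "none"

def lab() -> list:
    # Replays the commands from the text on a trunk that starts with the 1-1005 default.
    allowed = set(ALL_VLANS)
    steps = []
    for cmd in ("10", "add 20", "remove 10", "except 1,1002-1005"):
        allowed = allowed_vlan(allowed, cmd)
        steps.append((cmd, format_vlan_list(allowed)))
    return steps
```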

Please note that until the end of the day on November 17, 2017, we have a 90% discount on the cost of downloading a laboratory work on this topic on our website.


Thank you for your attention and see you at the next video tutorial!


Source: habr.com
