1 / 51

Chapter 8

Chapter 8. VLAN & VPNs. By Dr. Sukchatri P. Objectives. Upon completion of this chapter, you will be able to perform the following tasks: Configure a VLAN Configure VLAN Trunking Protocol (VTP) Configure a switch for trunking Verify VLAN connectivity Verify spanning-tree operations.

griffin-gross
Download Presentation

Chapter 8

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Chapter 8 VLAN & VPNs By Dr.Sukchatri P.

  2. Objectives Upon completion of this chapter, you will be able to perform the following tasks: • Configure a VLAN • Configure VLAN Trunking Protocol (VTP) • Configure a switch for trunking • Verify VLAN connectivity • Verify spanning-tree operations

  3. Contents • A switch connecting three segments • Configuration VLAN (Cisco) • Private network • Hybrid network • Virtual private networks • VPN techniques • Authentication • Encryption • Tunneling • Addressing in VPN

  4. VLAN Overview • Segmentation • Flexibility • Security 3rd floor 2nd floor 1st floor SALES HR ENG A VLAN = A broadcast domain = Logical network (subnet)

  5. A switch connecting three segments

  6. A switch using VLAN software

  7. Two switches in a backbone using VLAN software

  8. Switch A Red VLAN Black VLAN Green VLAN VLAN Operations • Each logical VLAN is like a separate physical bridge

  9. Switch A Red VLAN Black VLAN Green VLAN VLAN Operations Switch B Trunk Fast Ethernet Red VLAN Black VLAN Green VLAN • Each logical VLAN is like a separate physical bridge • VLANs can span across multiple switches • Trunks carries traffic for multiple VLANs

  10. VLAN Membership Modes Static VLAN Dynamic VLAN Trunk Port e0/4 Port e0/9 VLAN5 VLAN10 VMPS 1111.1111.1111 = vlan 10 MAC = 1111.1111.1111

  11. ISL Tagging ISL trunks enable VLANs across a backbone • Performed with ASIC • Not intrusive to client stations, client does not see the ISL header • Effective between switches, routers and switches, switches and servers with ISL network interface cards VLAN Tag added by incoming port Inter-Switch Link carries VLAN identifier VLAN Tag stripped by forwarding port

  12. VLAN BPDU ISL Encapsulation CRC 4 bytes ISL Header 26 bytes Encapsulated Ethernet frame DA Type User SA LEN AAAA03 HSA VLAN BPDU INDEX RES BPDU • Frames encapsulated with ISL header and CRC • Support for many VLANs (1024) • VLAN field • BPDU bit

  13. VLAN Trunking Protocol (VTP) • A messaging system that advertises VLAN configuration information • Maintains VLAN configuration consistency throughout a common administrative domain • VTP sends advertisements on trunk ports only • Support mixed media trunks (Fast Ethernet, FDDI, ATM) VTP Domain “ICND” 3.Sync to the latest vlan information 2 1.“new vlan added”

  14. VTP Modes • Create vlans • Modify vlans • Delete vlans • Sends/forwards advertisements • Synchronize • Saved in NVRAM Server • Sends/forwards advertisements • Synchronize • Not saved in NVRAM • Create vlans • Modify vlans • Delete vlans • Forwards advertisements • Does not synchronize • Saved in NVRAM Client Transparent

  15. How VTP Works • VTP advertisements are sent as multicast frames • VTP servers and clients synchronized to latest revision number • VTP advertisement are sent every five minutes or when there is a change

  16. How VTP Works • VTP advertisements are sent as multicast frames • VTP servers and clients synchronized to latest revision number • VTP advertisement are sent every five minutes or when there is a change 1.Add new VLAN 2.Rev 3 --> Rev 4 Server 3 3 4.Rev 3 --> Rev 4 5.Sync new vlan info 4.Rev 3 --> Rev 4 5.Sync new vlan info Client Client

  17. VTP Pruning • Increases available bandwidth by reducing unnecessary flooded traffic • Example: Station A sends broadcast, broadcast is only flooded toward any switch with ports assigned to the red VLAN Port 2 B Switch 4 Floodedtraffic ispruned Switch 2 RedVLAN Switch 5 Port 1 A Switch 6 Switch 3 Switch 1

  18. VLAN Configuration Guidelines • Maximum number of VLANs is switch-dependent • Catalyst 1900 supports 64 VLANs with a separate spanning tree per VLAN • VLAN1 is One of the factory default VLANs • CDP and VTP advertisements are sent on VLAN1 • Catalyst 1900 IP address is in the VLAN1 broadcast domain • Must be in VTP server or transparent mode to create, add, or delete VLANs

  19. VLAN Configuration Steps • Enable VTP (optional) • Enable trunking • Create VLANs • Assign VLAN to ports

  20. VTP Configuration Guidelines • VTP domain name • VTP mode (server/client/transparent)—VTP server mode is the default • VTP pruning • VTP password • VTP trap • Use caution when adding a new switch into an existing domain. A new switch should be added in client mode to prevent the new switch from propagating incorrect VLANs information • Use the delete vtp command to reset the VTP revision number

  21. Creating a VTP Domain wg_sw_a(config)# vtp [server | transparent] [domain domain-name] [trap {enable | disable}] [password password] [pruning {enable | disable}

  22. Creating a VTP Domain wg_sw_a(config)# vtp [server | transparent] [domain domain-name] [trap {enable | disable}] [password password] [pruning {enable | disable} wg_sw_a#conf terminal Enter configuration commands, one per line. End with CNTL/Z wg_sw_a(config)#vtp transparent wg_sw_a(config)#vtp domain switchlab

  23. Verifying VTP Configurations wg_sw_a#show vtp

  24. Verifying VTP Configurations wg_sw_a#show vtp wg_sw_a#show vtp VTP version: 1 Configuration revision: 4 Maximum VLANs supported locally: 1005 Number of existing VLANs: 6 VTP domain name : switchlab VTP password : VTP operating mode : Transparent VTP pruning mode : Enabled VTP traps generation : Enabled Configuration last modified by: 10.1.1.40 at 00-00-0000 00:00:00

  25. Defining a Trunk wg_sw_a(config-if)# trunk [on | off | desirable | auto | nonegotiate] • On = Set trunk on and negotiate with other side • Off = Set trunk off and negotiate with other side • Desirable = Negotiate with other side. Trunk on if other side is on, desirable, or auto • Auto = Will be a trunk only if the other side is on or desirable • Non-negotiate = Set trunk on and will not negotiate

  26. Defining a Trunk wg_sw_a(config-if)# trunk [on | off | desirable | auto | nonegotiate] • On = Set trunk on and negotiate with other side • Off = Set trunk off and negotiate with other side • Desirable = Negotiate with other side. Trunk on if other side is on, desirable, or auto • Auto = Will be a trunk only if the other side is on or desirable • Non-negotiate = Set trunk on and will not negotiate wg_sw_a#conf terminal Enter configuration commands, one per line. End with CNTL/Z wg_sw_a(config)#interface f0/26 wg_sw_a(config-if)#trunk on First trunk port(Port A)

  27. Verifying a Trunk wg_sw_a#show trunk [A | B]

  28. Verifying a Trunk wg_sw_a#show trunk [A | B] wg_sw_a#show trunk a DISL state: On, Trunking: On, Encapsulation type: ISL

  29. Adding a VLAN wg_sw_a(config)# vlan vlan# [name vlan-name]

  30. Adding a VLAN wg_sw_a(config)# vlan vlan# [name vlan-name] wg_sw_a#conf terminal Enter configuration commands, one per line. End with CNTL/Z wg_sw_a(config)#vlan 9 name switchlab2

  31. Verifying a VLAN wg_sw_a#show vlan [vlan#]

  32. Verifying a VLAN wg_sw_a#show vlan [vlan#] wg_sw_a#sh vlan 9 VLAN Name Status Ports ------------------------------------------------- 9 switchlab2 Enabled ------------------------------------------------- VLAN Type SAID MTU Parent RingNo BridgeNo Stp Trans1 Trans2 ------------------------------------------------------------------------------------------------------- 9 Ethernet 100009 1500 0 1 1 Unkn 0 0 --------------------------------------------------------------------------------------------------------

  33. Modifying a VLAN Name wg_sw_a(config)# vlan vlan# name vlan-name wg_sw_a#conf terminal Enter configuration commands, one per line. End with CNTL/Z wg_sw_a(config)#vlan 9 name switchlab90 wg_sw_a#show vlan 9 VLAN Name Status Ports ------------------------------------------------ 9 switchlab90 Enabled ------------------------------------------------

  34. Assigning Switch Ports to a VLAN wg_sw_a(config-if)# vlan-membership {static {vlan#} | dynamic}

  35. Assigning Switch Ports to a VLAN wg_sw_a(config-if)# vlan-membership {static {vlan#} | dynamic} wg_sw_a#conf terminal Enter configuration commands, one per line. End with CNTL/Z wg_sw_a(config)#interface ethernet 0/8 wg_sw_a(config-if)#vlan-membership static 9

  36. Verifying VLAN Membership wg_sw_a#show vlan-membership

  37. Verifying VLAN Membership wg_sw_a#show vlan-membership wg_sw_a#show vlan-membership Port VLAN Membership Type Port VLAN Membership Type -------------------------------------------- ----------------------------------------- 1 5 Static 13 1 Static 2 1 Static 14 1 Static 3 1 Static 15 1 Static 4 1 Static 16 1 Static 5 1 Static 17 1 Static 6 1 Static 18 1 Static 7 1 Static 19 1 Static 8 9 Static 20 1 Static Note: port 1=e0/1, port 2=e0/2 .....

  38. Verifying Spanning Tree wg_sw_a#show spantree {vlan number}

  39. Verifying Spanning Tree wg_sw_a#show spantree {vlan number} • wg_sw_a#show spantree 1 • VLAN1 is executing the IEEE compatible Spanning Tree Protocol • Bridge Identifier has priority 32768, address 0050.F037.DA00 • Configured hello time 2, max age 20, forward delay 15 • Current root has priority 0, address 00D0.588F.B600 • Root port is FastEthernet 0/26, cost of root path is 10 • Topology change flag not set, detected flag not set • Topology changes 53, last topology change occured 0d00h17m14s ago • Times: hold 1, topology change 8960 • hello 2, max age 20, forward delay 15 • Timers: hello 2, topology change 35, notification 2 • Port Ethernet 0/1 of VLAN1 is Forwarding • Port path cost 100, Port priority 128 • Designated root has priority 0, address 00D0.588F.B600 • Designated bridge has priority 32768, address 0050.F037.DA00 • Designated port is Ethernet 0/1, path cost 10 • Timers: message age 20, forward delay 15, hold 1

  40. Visual Objective wg_pc_a 10.2.2.12 SUBNET VLAN POD 10.1.1.0 1 wg_ro_x, wg_sw_x, core_sw_a 10.2.2.0 2 wg_pc_a, core_server 10.3.3.0 3 wg_pc_b, core_server 10.4.4.0 4 wg_pc_c, core_server 10.5.5.0 5 wg_pc_d, core_server 10.6.6.0 6 wg_pc_e, core_server 10.7.7.0 7 wg_pc_f, core_server 10.8.8.0 8 wg_pc_g, core_server 10.9.9.0 9 wg_pc_h, core_server 10.10.10.0 10 wg_pc_i, core_server 10.11.11.0 11 wg_pc_j, core_server 10.12.12.0 12 wg_pc_k, core_server 10.13.13.0 13 wg_pc_l, core_server VLAN2 fa0/26 (port A) e0/1 e0/2 e0 wg_sw_a 10.1.1.10 wg_ro_a 10.1.1.11 wg_pc_l 10.13.13.12 VLAN13 fa0/26 (port A) e0/1 e0/2 e0 wg_ro_l 10.1.1.121 wg_sw_l 10.1.1.120 ... ISL ISL fa0/1 fa0/12 fa0/24 core_ server 10.x.x.1 ISL core_sw_a 10.1.1.2

  41. Visual Objective wg_pc_a 10.2.2.12 VLAN2 SUBNET VLAN POD 10.1.1.0 1 wg_ro_x, wg_sw_x, core_sw_a, core_sw_b 10.2.2.0 2 wg_pc_a, core_server 10.3.3.0 3 wg_pc_b, core_server 10.4.4.0 4 wg_pc_c, core_server 10.5.5.0 5 wg_pc_d, core_server 10.6.6.0 6 wg_pc_e, core_server 10.7.7.0 7 wg_pc_f, core_server 10.8.8.0 8 wg_pc_g, core_server 10.9.9.0 9 wg_pc_h, core_server 10.10.10.0 10 wg_pc_i, core_server 10.11.11.0 11 wg_pc_j, core_server 10.12.12.0 12 wg_pc_k, core_server 10.13.13.0 13 wg_pc_l, core_server fa0/26 (port A) fa0/27 (port B) e0/1 wg_sw_a 10.1.1.10 wg_pc_l 10.13.13.12 VLAN13 fa0/26 (port A) fa0/27 (port B) e0/1 wg_sw_l 10.1.1.120 ... ... ISL ISL ISL ISL fa0/12 fa0/12 fa0/1 fa0/1 fa0/13 fa0/13 fa0/24 ISL fa0/14 ISL fa0/14 core_ server core_sw_a 10.1.1.2 core_sw_b 10.1.1.4 10.x.x.1

  42. Private network

  43. Hybrid network

  44. Virtual private networks

  45. VPN techniques

  46. Authentication

  47. Encryption

  48. Tunneling

  49. Addressing in VPN

  50. After completing this chapter, you should be able to perform the following tasks: Configuring VLAN Configuring VTP Configuring a trunk Verifing Spanning Tree Operations Summary

More Related