VLAN Trunk Links Network Fundamentals Part 13

Using VLANs is like breaking a physical switch into a few virtual ones. Eventually, though, we'll need more physical ports, which means more physical switches. How do we get our VLANs to work across several switches? Like many branches on a tree trunk, we can use a trunk link to carry many VLANs. Sound confusing? Hang around, it's all going to make sense soon.

If the company we work for grows, they're going to need more computers, printers, servers and other devices. These all connect to the network, which means they all need more switch ports to connect to, so eventually we buy more switches. Normally we would connect one switch to another to extend our number of ports, but we have cut our network into VLANs now, so how do we connect the two switches together? Should we perhaps run a link between each switch for each VLAN? We could make that work, but what happens if we have many VLANs? If we need a link for each VLAN, we will use up our ports again pretty quickly, leaving fewer for the new devices that we need to connect. And then what happens if we want to add a third switch, or a fourth? Clearly this method is not scalable, meaning that its growth is severely limited.

Instead, we are able to use a single link which is capable of carrying all of our VLANs. This uses a technology called trunking, or tagging. In the last video we saw how to add devices to a VLAN; the type of port they connect to is called an access port. Typically we would connect workstations, printers, servers and phones to an access port. This will have one data VLAN, and maybe one additional VLAN for voice, which I'll talk about in a minute. When we connect two switches together we configure these ports as trunk ports, which are able to have many VLANs configured on them at one time. If you have trouble remembering the difference: an access port is how workstations access the network, and trunk ports are like a single tree trunk with many branches, or VLANs.

So we are left with an interesting question: why do we want to use VLANs to separate traffic if a trunk link just mixes them all together again? Well, let me give you some good news: the traffic doesn't fully get mixed together. It goes over the same link, sure, but it won't leave its VLAN. This is thanks to our good friend Ethan. As a reminder, he is the Ethernet header. Think of a device on a VLAN sending a frame. It goes to an access port which is configured with a VLAN, so the switch knows which VLAN this frame belongs to. When the frame reaches the trunk link, the switch will add a four-byte tag to the Ethernet header. The tag contains a few different types of information, but the only part we care about right now is the VLAN ID. Please note it's just the VLAN ID, and not the VLAN name that we configured in the last lab. This means that VLAN names are locally significant to each switch, and they don't have to match on two different switches. When the frame arrives at the destination trunk port, the switch looks at the tag and knows the VLAN that this frame belongs to. It can now strip the tag from the frame and deliver it to the destination workstation, so the workstation will never see the VLAN tag. In fact, it doesn't really even know that it's in a VLAN.

Here is a key point for you: a trunk link extends VLANs from one switch to another. VLANs are a broadcast domain, so trunk links also extend broadcast domains across switches. Broadcast messages will stay within a VLAN, but will pass over a trunk to other switches. The same is true for flooding: any frame that needs to be flooded will stay within the VLAN, but will travel over the trunk links to other switches.

Once again, Cisco's terminology is a little bit different to everyone else's. To start with, a trunk port is really a tagged port. This is because of the tag that is added to the frame as it passes between the switches. Also, an access port is really an untagged port. Remember how I said there is no tag in the Ethernet frame when it was delivered to the workstation? That's why it's called an untagged port. Don't worry too much about which terminology you use; they're both really well known. It's still a good idea to understand both, so you'll always know what other people are talking about.

When it comes to tagging, there are two ways it can be done. The first is called 802.1Q, which was developed by the IEEE. Everyone supports this standard, and this is what I've been describing so far. Because this is an IEEE standard, all switches can use it, which means a trunk between switches from different manufacturers is possible. The second possibility is called ISL, or Inter-Switch Link. This is Cisco's original trunking standard and is much older than 802.1Q. This one's getting pretty rare these days. In fact, I've never actually seen it in production myself, but you do still see it mentioned in some documentation, and you can still configure it on some switches, so you need to be aware that it's out there. In most cases, forget ISL and focus on 802.1Q.

Earlier, I mentioned voice VLANs. These are important if you have IP telephony in your network. If you're not familiar with that term, IP telephony is where you have phones connected to your network. In a case like this you would probably have a phone and a workstation on each desk. Your workstation would belong to a data VLAN, while the phone would belong to a voice VLAN. So based on what we've talked about so far, you would probably connect the workstation to one port on the switch and the phone to another. But usually phones are a little bit special: they have a miniature three-port switch built in, so we can connect the phone into the switch and the workstation to the phone. The third port is hidden from sight; it's inside the phone, connecting to the phone hardware. Why would we do this? Well, there are two reasons. For one, there's less need for ports in the main switch. Secondly, you don't normally connect phones and workstations directly into a switch. They normally go into a wall socket with cabling through the wall which is eventually connected to the switch, so with fewer connections to the switch there's less need for cabling, which can be expensive to install. Anyway, the link from the phone to the switch is like a mini trunk link, except it carries only two VLANs: the data VLAN and the voice VLAN. We'll have a go at configuring this later. Voice networking is a subject entirely of its own, so we're not going to get any deeper into voice than that.

Right, let's try some of this in the lab. Our topology is very similar to the last video; in fact, logically it's the same network. However, you'll see some differences in the physical topology. We've now added an extra switch, which will mean configuring a trunk link. We've also removed a physical link from the router, and we'll see what that's all about a bit later on. I hope this helps to explain why we have logical and physical diagrams: we can make changes to the way the network is physically deployed without really changing the logical component of the network itself. So the basic config from the last video is still there. From the point of view of the workstations not much has changed. We do have two switches now, and one workstation and one server have moved to the second switch. I've already moved the config for these ports to the second switch, so you won't need to worry about that. Just for a quick review, this is how the workstation ports are configured. It is very simple, just one line to put them in the right VLAN. These are access ports, which I hope makes a bit more sense to you now, after a bit of an explanation, than it did in the last video.

But access ports aren't the only option we have. Another possibility is to configure a port with a voice VLAN. Unfortunately I don't actually have a VoIP phone to connect to this lab, but we're going to pretend that we do, and we'll configure the port just like we normally would. We'll start by configuring VLAN 110, and we'll give it the name "voice". This is the same as before; there's no fancy configuration here. Next we configure the interface. As I said before, it's not connected to anything, but you'll get the idea. First I'm going to force this port to be in access mode. Switch ports are able to dynamically decide what port type they are, so forcing it is kind of optional. The way the dynamic nature works is a bit advanced for now, so I'm not going to explain that just yet, but the short of it is I like to set the ports manually. This is especially useful if other people have been working on the switch and may have changed the default values. We can now set the voice VLAN. This still uses the switchport command, so this should be quite comfortable. Sorry, I've done that wrong: that should be VLAN 110. And finally we set the access VLAN as well. So keep in mind that when you have a phone connected, you set the voice VLAN as well as a separate access VLAN.

Now let's go back to that trunk link we haven't configured yet. As you would imagine, if we jump onto workstation 1 and we try to ping workstation 2, it's going to fail. For this to work we need to configure a link that allows us to add VLAN tags to the frames that we'll pass between the switches. The good news is it's not really difficult to do at all. Let's start over at switch 1 and enter into interface configuration mode. The first step is to set the encapsulation type. There are three options we could configure, which are dot1q, ISL and negotiate. Negotiate is that dynamic port type that I was talking about earlier, so we'll ignore that for now. Of the other two options we want to use dot1q, which is the most common form of tagging. Now we need to configure the port type. Previously we've configured access ports, but on this occasion we're going to use a trunk port. Remember that a trunk port allows frames to be tagged with a VLAN ID. We need to do the same over on switch 2. I've made switch 2's CLI look purple so it's easy to tell which is which; I hope that doesn't hurt your eyes too much.

When we configure trunk links we have the option of allowing some VLANs while disallowing others. This is called pruning, and we do this with the switchport trunk allowed vlan command. If we don't use this command, all VLANs are allowed over the link. If we do use this command, only the VLANs in this list are allowed. We don't really need it for what we're doing today, but you will see other people doing this regularly, which is why I wanted to mention it.

There are a few things that we should do to make sure that we've been successful. show interfaces switchport is one of the commands we can use, and it gives us a lot of information. But before we dig into this, let me just show you a quick trick. When a command gives you too much information, there's an extra CLI command that you can use to filter this down a bit. After you type your command, enter the pipe symbol. Next we're going to use an extra command called begin. This will look for whatever pattern you give it and it will start displaying the output from that point forward, so we'll use begin Gi0/2. This will start the output at the point where Gi0/2 first shows up. Pretty neat, huh? So in this output there are a few points of interest. First we can see the port type; in our case it's a trunk port. We can also see the type of encapsulation that we're using, as well as the VLANs that are allowed over the link.
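To make the tagging mechanics concrete, here is an added example (my own code, not part of the video or its lab) that models what a switch does with an 802.1Q tag as a frame moves between an access port and a trunk port, including the allowed-VLAN pruning just described and the native VLAN, which travels untagged (VLAN 1 by default, covered further below). The sample frame is constructed.

```python
import struct
from dataclasses import dataclass
from typing import Optional, Set

TPID_8021Q = 0x8100   # EtherType value that says "an 802.1Q tag follows"

def vlan_of(frame: bytes) -> Optional[int]:
    """VLAN ID from the 4-byte tag after the MAC addresses, or None if untagged."""
    if struct.unpack("!H", frame[12:14])[0] != TPID_8021Q:
        return None
    tci = struct.unpack("!H", frame[14:16])[0]   # PCP(3) | DEI(1) | VID(12)
    return tci & 0x0FFF

def add_tag(frame: bytes, vid: int, pcp: int = 0) -> bytes:
    """Insert TPID + TCI right after the dst/src MAC addresses (bytes 0..11)."""
    if not 1 <= vid <= 4094:
        raise ValueError("VLAN ID must be 1..4094")
    tag = struct.pack("!HH", TPID_8021Q, (pcp << 13) | vid)
    return frame[:12] + tag + frame[12:]

def strip_tag(frame: bytes) -> bytes:
    """Remove the tag, so the workstation never sees it."""
    return frame if vlan_of(frame) is None else frame[:12] + frame[16:]

@dataclass
class Port:
    mode: str                           # "access" (untagged) or "trunk" (tagged)
    access_vlan: int = 1                # access ports: the one VLAN they carry
    native_vlan: int = 1                # trunk ports: VLAN sent untagged (VLAN 1 by default)
    allowed: Optional[Set[int]] = None  # trunk ports: None means every VLAN is allowed

def classify(frame: bytes, ingress: Port) -> Optional[int]:
    """VLAN an arriving frame belongs to, or None if the switch drops it."""
    vid = vlan_of(frame)
    if ingress.mode == "access":
        # An access port carries only its own VLAN; tags for other VLANs are dropped.
        return ingress.access_vlan if vid in (None, ingress.access_vlan) else None
    return ingress.native_vlan if vid is None else vid   # untagged on a trunk = native

def forward(frame: bytes, ingress: Port, egress: Port) -> Optional[bytes]:
    """Frame as it leaves `egress`, or None when the switch would not send it."""
    vid = classify(frame, ingress)
    if vid is None:
        return None
    bare = strip_tag(frame)
    if egress.mode == "access":
        return bare if vid == egress.access_vlan else None
    if egress.allowed is not None and vid not in egress.allowed:
        return None                     # pruned by 'switchport trunk allowed vlan'
    return bare if vid == egress.native_vlan else add_tag(bare, vid)

# Constructed sample: broadcast dst MAC, a src MAC, EtherType IPv4, dummy payload.
SAMPLE = bytes.fromhex("ffffffffffff" "0242ac110002" "0800") + b"dummy payload"

if __name__ == "__main__":
    pc_port = Port("access", access_vlan=10)
    trunk = Port("trunk")                          # native VLAN 1, all VLANs allowed
    tagged = forward(SAMPLE, pc_port, trunk)       # leaves switch 1 tagged with VID 10
    print("on the trunk:", tagged[12:16].hex(), "-> VLAN", vlan_of(tagged))
    print("to a VLAN 10 PC:", forward(tagged, trunk, pc_port) == SAMPLE)
    print("to a VLAN 20 PC:", forward(tagged, trunk, Port("access", access_vlan=20)))
    print("pruned trunk:", forward(SAMPLE, pc_port, Port("trunk", allowed={20, 30})))
```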
Another command we can use is show interfaces trunk. For a trunk port this gives us similar information, but it is a little tidier. You should know, though, that this is only for trunk ports, as the name suggests, so access ports won't show up here. But the best way to prove that this is working is to head over to workstation 1. From here we can see that traffic is successfully flowing across the trunk link to workstation 2. So, do you understand what's going on? Find out by testing yourself with this quiz. If you have any questions, let me know in the comments.

When you first turn on a switch, all the ports will by default belong to VLAN 1. We don't do anything to configure VLAN 1; it's just always there. So is VLAN 1 special in any way? The answer is a little tricky, but on a Cisco switch VLAN 1 is indeed a little special. From time to time there is a need to pass control traffic between devices. I'm not talking about a workstation sending traffic through a switch here; I'm talking about a case when two switches are connected together, like in our lab. We're going to see this a bit later on with an example protocol called CDP, but the key point here is that control traffic between Cisco switches uses VLAN 1. Keep in mind that other switch vendors may have a different way of approaching this. So don't try to remove VLAN 1. I don't even think you can remove VLAN 1, now that I think about it. Also, it's good practice to keep your devices like your workstations, printers and so on in a separate VLAN. Just leave VLAN 1 for this control traffic.

There's another special VLAN that we need to consider. This is called the native VLAN. The native VLAN was created to support devices that don't support VLANs; think of a hub or a cheap switch, for example. If you connect one of these devices to a trunk link, they won't be able to tag any of the traffic they send. So which VLAN is this traffic a part of? The answer is the native VLAN. By default the native VLAN is VLAN 1, but we can change this to another VLAN if we want to. In fact, we'll see this in a lab soon. But before that, consider what happens if traffic passes from a switch to a hub. Any frames that are part of the native VLAN will be sent out untagged. This keeps compatibility with these non-VLAN-enabled devices.

Time to head back over to the lab. This is the same one from before, so there are no surprises. We can run show vlan summary to see how many VLANs have been configured on this switch. This doesn't give us a lot of information though, so I prefer to use show vlan brief. Now see how VLAN 1 is there even though we didn't configure it. VLAN 1 is always there by default on Cisco switches. If we have a look at an unused port using our show interfaces switchport command, we can see that it's already in VLAN 1. All ports on a Cisco switch are in VLAN 1 by default. Looking at our trunk link, we can also see that VLAN 1 is the native VLAN. This is also how Cisco switches are configured by default, but it doesn't have to be that way. We can set the native VLAN to nearly any number we want. Under interface configuration mode we can use the switchport trunk command to change trunking parameters; for example, here we could change the native VLAN to be VLAN 2. Although we're not seeing any problems here, this will eventually generate some warning messages. This will happen because switch 2 is still using VLAN 1 as its native VLAN. While it's not mandatory, it is a good idea to have both switches use the same native VLAN. For now, though, we'll just put it back to VLAN 1.

But how do the two switches know there's a mismatch? How does one switch know how the other is configured? It does this by using a protocol called CDP, or Cisco Discovery Protocol. This is one of those types of traffic that flows between the switches themselves, and it will always use VLAN 1. This is a little off-topic, but I think it's worth a quick look. CDP is a Cisco-made protocol. If two devices that are connected together support it, they can learn about each other. On most Cisco switches it is enabled by default, which we can confirm with show cdp. This is not too exciting, so let's try show cdp neighbors. Here we can see that we've learned about switch 2 on interface Gi0/2. It also mentions Gi0/0, which is just something that my lab software does, so don't worry about that one for today. When we add the detail keyword we get a ton more information. For example, we can see the native VLAN, and that's how they detect our mismatch. We can also see the IOS version that the connected device is running. An interesting point is the capability section; this tells us what features our switch thinks the connected device is capable of. If we really wanted to, we could disable CDP with no cdp run. Some people like to do this for security reasons, which is quite understandable. This can be done globally, like we've just done, or we could disable it on some individual ports while leaving it active on others. And of course we can enable it again with cdp run.

So why do we use CDP? Well, it helps with troubleshooting the network, and it is particularly useful if you haven't been keeping your network documentation up to date. Also, if you're connecting Cisco phones, CDP will help you to set up your voice network. But as I said, this is a Cisco protocol. They made it years ago when there were no other options. So what happens when you connect a device made by another manufacturer? Well, some other vendors like VMware do support CDP, but a lot of vendors don't. Fortunately there is an alternative called LLDP, or Link Layer Discovery Protocol. LLDP is vendor-neutral, so it's supported by a lot of vendors as well as Cisco, and it does the same basic job as CDP. Just as with CDP, we can enable or disable it globally or per interface. It's disabled by default on this model of switch, so we'll need to head over to switch 2 and enable it there. If we're particularly security-conscious, we can configure interfaces to only send or only receive LLDP traffic, but we'll leave it all turned on for now. The LLDP commands are basically the same as CDP, and the output is very similar too. So just to see if you're following along, here are a few more quiz questions that you can try, and see how you go.

Now, in the last video we connected a router to each VLAN to enable workstations and servers to communicate. There were two VLANs, so we used two links. But what if we have ten VLANs? Do we need ten ports on our router? Does our router even have ten ports? What if we needed 30 VLANs? This is the same concern we faced with our switches earlier. We solved this by using a trunk link, and the good news is that routers can also use trunk links. This might sound surprising, as trunking is a switching technology, but you'll find that the lines between routers and switches are sometimes blurry. Routers will support some switching functions like trunking, and switches will support some routing functions too, but they still behave a little differently. Routers primarily deal with routing, which means their interfaces need IP addresses. This is what the workstations and servers will use as their default gateway. But how can we put an IP address in each VLAN? How does the router know which IP address belongs in each VLAN? The answer may surprise you. The router's physical interface is connected to the switch, but the physical interface can be divided up into several virtual sub-interfaces. This is very similar to how we divided our switch into several VLANs. On a router we divide up interfaces, and we map each one to a different VLAN. Once we have several virtual interfaces, we can configure them independently. This includes a different IP address for each one, and these interfaces, even though they're virtual, still behave like regular interfaces, so we can still use them to route traffic between VLANs. This way of configuring the router is called router on a stick, or ROAS. It's called this because the single trunk link between the router and the switch looks a bit like a stick. Maybe it's easier to see this in action.

Back to the lab we go. We need to configure the router's port as a trunk too. This uses the same concept, but the commands are a little different. Step one is to make sure that the physical port is up, with the no shut command. Next we create our first sub-interface. This is done by entering interface configuration mode using the physical interface's name followed by a dot, and then a number. I always use the VLAN ID as the number, as it makes it easier later on. Under interface configuration we now set the encapsulation type to 802.1Q, so it matches our switch. We also need to include the VLAN ID, and once that's done we can configure the rest of the interface just like we would for any other interface, which includes setting an IP address and, if we wanted to, a description. Of course, we now need to repeat the process for a sub-interface on VLAN 20. The IP addresses that we're adding to the sub-interfaces are the default gateways that the workstations and servers are using. Now we can go and confirm it's working over on workstation 1. Let's start by pinging the router's sub-interface, and that looks good. So now we can try pinging a server in VLAN 20. This also looks good. And finally, just to prove there's no trickery going on, we can run a traceroute to confirm that the traffic is going through the router. And that's the lab configuration done.

I highly recommend that you try this yourself: either build your own lab, or download the one I've pre-built for you. And of course, try to answer the quiz questions to check your understanding. We've now covered the basics of VLANs, including how they work and why we use them. You will see them a lot, so get as familiar as you can with them. We're going to step it up in the next video and see how we can limit the traffic between our two VLANs using the router. I hope to see you there.
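As an added example for the router-on-a-stick section (my own code, not the video's lab configuration), this models the decision the router makes for a packet arriving on its single trunk: which sub-interface it belongs to, whether it is addressed to the gateway itself, and which VLAN tag it leaves with when it goes back down the same stick. The addresses and sub-interface numbers are constructed; the video does not state the lab's real addresses.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed addressing: one sub-interface per VLAN, numbered after the VLAN ID
# as the video suggests (Gi0/0.10 with 'encapsulation dot1Q 10', and so on).
SUBINTERFACES: Dict[int, ipaddress.IPv4Interface] = {
    10: ipaddress.IPv4Interface("192.168.10.1/24"),  # default gateway for VLAN 10
    20: ipaddress.IPv4Interface("192.168.20.1/24"),  # default gateway for VLAN 20
}

@dataclass
class Decision:
    action: str                    # "local", "forward" or "drop"
    out_vid: Optional[int] = None  # VLAN tag the packet leaves the stick with
    ttl: Optional[int] = None      # TTL after this hop (what traceroute observes)
    reason: str = ""

def route_on_a_stick(in_vid: Optional[int], dst_ip: str, ttl: int = 64) -> Decision:
    """What the router does with a packet that arrived on the trunk tagged in_vid."""
    if in_vid not in SUBINTERFACES:
        return Decision("drop", reason=f"no sub-interface for VLAN {in_vid}")
    dst = ipaddress.IPv4Address(dst_ip)
    if any(dst == iface.ip for iface in SUBINTERFACES.values()):
        return Decision("local", reason="addressed to a gateway address")   # ping to gateway
    if ttl <= 1:
        return Decision("drop", reason="TTL expired in transit")
    # Longest-prefix match over the connected networks of all sub-interfaces.
    candidates = [(iface.network.prefixlen, vid)
                  for vid, iface in SUBINTERFACES.items() if dst in iface.network]
    if not candidates:
        return Decision("drop", reason="no route to host")
    _, out_vid = max(candidates)
    # Same physical link in and out; only the 802.1Q tag changes to the target VLAN.
    return Decision("forward", out_vid=out_vid, ttl=ttl - 1)

if __name__ == "__main__":
    print(route_on_a_stick(10, "192.168.20.50"))  # VLAN 10 PC pings a VLAN 20 server
    print(route_on_a_stick(10, "192.168.10.1"))   # PC pings its own default gateway
    print(route_on_a_stick(30, "192.168.20.50"))  # VLAN with no sub-interface
```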
