First set of Switch Notes the basics plus PVALNS and Etherchannel.

Implementing VLANs in the Campus Network…

Some things are not 100% Clear to me

Things I need to try out and read more / master from this chapter.
*PVLANS – Setting up PVLANS* – > From Stretchs Blog, a huge help when creating PVLANS

PAgp and LACP Etherchannel types – > I have used etherchannel before but never setup Load balancing options based off of source and destination before seems interesting.  Also I have never set it up with LACP… although there really isnt much of a difference.




*Private VLANS

*Ether channel

Vlan 1,2,3 towards the right show how to logically assign users to different VLANS on different

Switchs do not propagate Layer 2 Broadcasts throughout different VLANs all Broadcasts are specific per VLAN

Normally VLANs will be matched with subnets, vlan 2 would be, VLAN 3 ..

All members of the VLAN are members of the Layer 2 broadcast domain.

End to End VLAN Vs Local VLAN

*End to End VLAN

*The term End to End VLAN is related to VLANs that are propagated onto different Switchs, in the picture there are 2 different VLANs HR Department and the IT department.

*VLANs are generally based off of Geographic Regions like floors etc etc

*Switchs commonly work through out VTP Clients/Servers.

*Local VLAN

*Each Access Layer Switch receives its own VLAN for every interface, so if the 4th floor has a 24 port switch, Each interface is assigned to VLAN 4 for example.

*Generally VLANs are created between the switchs, nor pictured but from 4th floor to 3rd floor there is a trunk link allowing all the VLANs.  Also at a distribution switch connected at the very bottom it normally defines the VLAN.

*Generally The information in the VLAN is sent to the distribution switch where it is routed to the core levels to reach its destination.

*Normally at the access Layer if VTP is implemented it is in transparent mode, reason being is that it is logically significant and does not need to be propagated to all the other switchs if it’s a server.

80/20 rule – Rule when designing networks, 80% of the traffic on your network was passed between local access and 20% of the traffic should be passed remotely.

20/80 rule – Vice versa since the internet and it is 2011!!  Everything is based off of this rule currently.

VLAN Support Matrix

Catalyst 2940 – > Maximum # of VLANS – > 4  VLAN ID Range – > 1-1005

Catalyst 2950 – > Maximum # of VLANS – > 250 VLAN ID Range – > 1-4094

Catalyst 2960 – > Maximum # of VLANS – > 255 VLAN ID Range – > 1-4094

Catalyst 2970 – > Maximum # of VLANS – > 1005 VLAN ID Range – > 1-4094

Catalyst 3500 – > Maximum # of VLANS – > 1005 VLAN ID Range – > 1-4094

Catalyst 2800-4000 Maxumim #  VLANS – > 4093 VLAN ID Range – >1-4094

Catalyst 6500 Maximum # of VLANS – >  4094 VLAN ID Range – >1-4094

VLAN Ranges – > What is normally Reserved #’s

0,4095 – > Reserved Range / For system uses only you cannot see these even if you use a sh vlan command

1-> Normal Range / Default VLAN, Cannot be Deleted / Can be used through VTP.

2-1001 – > Normal Range / For Ethernet VLANS, Normal uses can be deleted / VTP

1002-1005 – > Normal / These are the VLANS you cannot delete TokenR,FDDI / VTP

1006-1024 – > Reserved / For System use Only cannot see these VLANS/ NON VTP

1025 – 4094 – > Extended VLANS/ For Ethernet VLANS / Only supported in VTP version 3 , the switch also must run in transparent mode, so it wouldn’t be sent to other switchs.

How to assign a interface a VLAN

Switch#config t

Switch(Config)#Interface fa0/1

Switch(Config-if)#Switchport mode access

Switch(Config-if)#Switchport access VLAN 5

Using the Switchport host command is optional

Switchport host command – > Turns on Portfast and also turns the interface into a access port, this is really good if someone is looking to use the interface range command to given a range of interfaces instead of going 1 by one and configuring per interface.


Trunks are in simple what are used to carry traffic from different VLANs from one switch to another.

A access port can Carry a VLAN as in one , any more than one VLAN and it must be trunked.

*on Both sides of the trunk the native VLAN must match for 802.1Q

The purpose of a native VLAn is to enable frames that are not tagged with a VLAN ID to traverse the trunk link.

When two switchs are trunked the Sender of the VLAN will have a VID(VLAN ID) Which will be stripped as soon as it hits its neighboring Switch so the switch knows where the VLAN originated from.

Trunking Protocols..

ISL – > Inter-Switch LINK – > Cisco proprietary

802.1Q – > Industry standard.

ISL is for the most part obsolete, its never really used.  On some switches ISL Does not exists 802.1Q is the only option.


IEEE 802.1Q

802.1Q uses trunk links to employ tagging to carry frames for multiple VLANS.  Each Frame is tagged to identify the VLAN the frame belongs to.

Advantages to tagging frames using 802.1Q

*smaller overhead, since the frame is tagged instead of adding the ISL Header and trailer you are comparing 4 bytes of a tag to 30 bytes of the header + trailer.

*802.1Q Is supported by every vender

*802.1Q is supported for QoS

802.1Q Frame

The 802.1Q 4 byte Tag

TPID(tag protocol identifier)->2 byte field that has a value of 0x8100

TCI(Tag Control Information)-2 byte field which has the following info..

*PRI-3 byte priority field, for CoS

*CFI-Canonical Format Identifier-1 bit field that indicated frame format.

*VID-12 bit VLAN field

802.1q uses a internal tagging mechanism that modifies the original frame… hence the big X on the CRC/FCS … it recalculates the CRC value for the entire frame with the tag and inserts a new CRC value in a new FCS.

*If a non 802.1Q enabled device or Access port receives a 802.1Q frame, the tag data is ignored and the packet is switched at layer 2 standard Ethernet frame.

*A device MUST HAVE A MTU of 1522 or higher to pass as a 802.1Q frame.

*Baby Giants – >

ISL Adds 30 bytes to each frame – > 1548 bytes

802.1Q Adds 4 bytes to each frame   1522 bytes

This is used for the reason that Ethernet frames cannot be larger than 1518 bytes, the can become too large….

So frames between 1500-2000 are called Baby Giants.

To handle the “baby giants” They are encapsulated with either ISL or 802.1Q.

*Native VLANs with 802.1Q Trunking VLANS

Native VLAN by default is 1

Native VLAN on both sides when using trunking has to be the same VLAN, Otherwise you will receive CDP Mismatch errors constantly.   Very anoiying!!!

All Untagged VLANS go to VLAN 1 or the native VLAN…… so anything that is untagged not encapsulated for a VLAN it will be forwarded out native VLAN1

The biggest different between the two 802.1q is the tagged vs non tagged, that everything that is untagged between trunk ports is sent out to the native VLAN or VLAN 1 in most cases.

*DTP – > Dynamic Trunking Protocol…

Access – > Puts a interface into permanent non trunking mode.  Regardless of what is on the other end this will never become a trunk link.

Trunk  – > Puts the interface into permanent Trunk modem if the other interface is a access interface it will still remain a trunk port.

Nonnegotiate – > Puts the interface into permanent trunking mode but prevents the interface from generating DTP frames.

Dynamic Desirable – > default Makes the interface actively attempt to convert the link to a trunk link.  The interface becomes a trunk if the neighboring interface Is set to trunk,desirable or auto mode.

Dynamic Auto – > Makes the interface willing to convert to a trunk link.

DTP Modes per different type…


Dynamic and Access = Access

Access and Dynamic Desirable = Access

Access and trunk = Limited connectivity

Access and Access = Access

Dynamic Auto

Dynamic Auto and Dynamic Auto = Access

Dynamic Auto and Dynamic Desirable = Trunk

Dynamic Desirable and Trunk = Trunk

Dunamic Desirable and Access = Access


Trunk and Dynamic Auto = Trunk

Trunk and Dynamic Desirable = Trunk

Trunk and Trunk = Trunk

Trunk and Access = Limited Connectivity

Dynamic Desirable

-Tries to negotiate anything into a trunk, it will Negotiate anything but Access

Dynamic Desirable and Access = Access.

Configuring a Trunk

Switch(config)# interface type mod/port
Switch(config-if)# switchport



Switch(config-if)# switchport trunk encapsulation {isldot1q negotiate}

The switchport trunk encapsulation command configures the type of enccapsulation for the port:

  • isl – VLANs are tagged by encapsulating each frame with the Cisco ISL protocol.
  • dot1q – VLANs are tagged in each frame using the IEEE 802.1Q standard protocol. The native VLAN is sent normally and is untagged.
  • negotiate – The default configuration, negotiates the encapsulation to select either ISL or 802.1Q, whichever both ends of the trunk support. If both ends support both types, ISL is used.

Switch(config-if)# switchport trunk native vlan vlan-id – > how to change the native VLAN


Switch(config-if)# switchport trunk allowed vlan {vlan-listall | {addexceptremovevlan-list}

  • vlan-list – An explicit list of VLAN numbers, separated by commas or dashes.
  • all – All active VLANs (from 1 to 4094) will be allowed
  • add vlan-list – A list of VLAN numbers will be added to the already configured list; this is a shortcut to keep from typing a long list of numbers.
  • except vlan-list – All VLANs (1 to 4094) will be allowed, except for the VLAN numbers listed; this is a shortcut to keep from typing a long list of numbers.
  • remove vlan-list – A list of VLAN numbers will be removed from the already configured list; this is a shortcut to keep from typing a long list of numbers.

Switch(config-if)# switchport mode {trunkdynamic {desirableauto}}

The switchport mode command sets the trunking mode to any of the following:

  • trunk – Sets the port in permanent trunking mode.
  • dynamic desirable (default setting) – The port attemtps to actively convert the link to trunking mode. It “asks” the other end of the trunk link to bring up a trunk. If the far-end switch prot is configured as trunk, dynamic desirable, or dynamic auto mode, trunking is negotiated successfully.
  • dynamic auto – The port turns into a trunk link only if the far-end of the switch actively requests it. If both ends are dynamic auto, the trunk does not form. If the other end of the switch is trunking mode or dynamic desirable mode, trunking is negotiated.

Verification on Interfaces…

Sh run int fa0/1

Sh int fa0/1 Trunk

Sh int fa0/1 Switchport

VTP – > VLAN trunking Protocol

Cisco proprietary

3 Different Modes of VTP

Client – > Will Waite for revisions from servers/ This will not add to the NVRAM or the VLAN.dat database file.  Clients are not capable of adding or modifying VLANs.

Server – > servers create,modify or delete VLANS.  VLANs are saved in the VLAN.Dat database and are saved into NVRAM.

Transparent – > Created and modifies its on Internal VLANS.  It will in fact forward VTP advertisements, Does not synchronize its own VLAN configuration with other switchs in the domain.  Information is saved within NVRAM / VLAN.dat.

Keep in mind depending on what version of VTP Transparent mode has two different effects..

VTP1 – > Switch Does not relay VTP information unless VTP domain name and VTP version numbers Match on other Switches

VTP2 – > They will forward VTP received advertisements out their trunk ports Regardless of what Domain they are using.

*The following have to match to accept a VTP revision.



Revision Number has to be higher than the current revision

Each time a revision has been made for VTP the increment goes up by 1.

*VTP advertisements are multicast

*VTP Servers / clients synchronize the highest Revision #

*VTP advertisements are sent out every 5 minutes or when there is a change

*VTP Pruning

VTP pruning uses VLAN advertisements to determine when a trunk connection is flooding traffic Needlessly.  By default a trunk connection carries traffic for all VLANs that is allows in the VTP domain.  Some Switchs do not have local ports configured for certain VLANs.

To make a long story short here, Traffic from Port 1 on Switch A goes to Switch B to Switch D.  This saves bandwith for this topology,  So Switch C and Switch E are pruned for that VLAN.  So if Port 5 on Switch B does not have that VLAN allowed it will be pruned.  In some cases this works out well like in the above topology.

This will prevent un needed traffic going to switchs C and E

*Differences in Between VTP Versions

Versions 1 & 3

VTP2 = Supports Token Ring

Transparent Mode works deifferently as noted prior.

Consistancy checks


Supports Extended VLANS 1025-4094

Advertising Private VLANS

Improved Server Authentication

Works with VTP1&2

Configurable on a per interface basis

VTP Message Types…

Summary Advertisements..

*5 minute Advertisements

*Include Domain and Revision #

Subset Advertisements

*Add,Delete or Change a VLAN

Advertisements Requests

*The switch has been reset

*VTP Domain Name has been changed.

*The Switch has received a summary advertisement with a higher configuratoion Revision than its own.

VTP Commands…

Configuring VTP

Configuring VTP Management Domain

switch(config)#vtp domain domain-name


switch(config)vtp mode {serverclienttransparent}

Server Mode= Default Mode

Each Domain Must have 1 server

Server and Server are no issue, but the Subset advertisement which has a higher revision number will be used

Switch(config)#vtp password password


Password can be configured only on servers and clients

switch(config)#vtp version {12}

VTP version 1 is Default.

VTP pruning

switch(config)#vtp pruning


If this command is used on a VTP server, it is advertised to the rest of the domain and all listening switches will also enable pruning.

switch(config-if)#switchport trunk pruning vlan {addexceptnoneremovevlan-list

Pruning is a bit odd on a Native vlan  / VLAN 1, reason why is that every non tagged trunk broadcast will be sent out to that native vlan if there is a host or a switch attached that way, so there would be no way of preventing that… atleast that I know of.

From –

Note: VTP Pruning is disabled by default on all Cisco Catalyst switches and can be enabled by issuing the “set vtp pruning enable” command.If this command is issued on the VTP Server(s) of your network, then pruning is enabled for the entire management domain.

VTP Pruning configuration and commands are covered in section 11.4 as outlined in the VLAN Introduction page, however, we should inform you that you can actually enable pruning for specific VLANs in your network.

When you enable VTP Pruning on your network, all VLANs become eligible for pruning on all trunk links. This default list of pruning eligibility can thankfully be modified to suite your needs but you must first clear all VLANs from the list using the “clear vtp prune-eligible vlan-range” command and then set the VLAN range you wish to add in the prune eligible list by issuing the following command: “set vtp prune-eligible vlan-range” where the ‘vlan-range’ is the actual inclusive range of VLANs e.g ‘2-20’.

By default, VLANs 2–1000 are eligible for pruning. VLAN 1 has a special meaning because it is normally used as a management VLAN and is never eligible for pruning, while VLANs 1001–1005 are also never eligible for pruning. If the VLANs are configured as pruning-ineligible, the flooding continues as illustrated in our examples.


*Private VLANS

Reasons for Private VLANS are for Preventing Layer 2 connectivity between end devices on a switch within the same VLAN

Private VLAN Types

Isolated – > An Isolated Port within a PVLAN has complete Layer 2 Seperation with all ports within the PVLAN except the promiscuous ports.  PVLANS Block all traffic to isolated ports, except the traffic from promiscuous ports.  Traffic received from an isolated port is forwarded only to promiscuous ports.

Green is a example of  Isolated PVLAN where it can only speak to itself in its own Broadcast domain and it can only speak with the Promiscuous PVLAN type.

Promiscuous – > This type of Port can communicate with any Device Within the PVLAN.

Community VLANS – > Community Ports Hence their names communicate with themselves.  As shown in the topology.

PVLANs are created by the following…

-Primary VLAN

-Seconday VLAN

Primary VLAN – > High level VLAN of the private VLAN.  A Primary VLAN can be composed of many secondary VLANS.

Secondary VLAN – > Every secondary VLAN is considered a Sub system or Child of a Primary VLAN.

There are 2 types of Secondary VLANs or Reasons to Run them…

#1 Community private VLANS – > Ports that belong to the community PVLANS can communicate with other Community VLANS and promiscuous ports.  Of the same Private VLAN number.

#2 Isolated VLANs – > Ports that belong to an isolated PVLAN can commncate only with Promiscuous VLANS.

Private VLAN Configuration…

A example I pulled from

Switch(config)#vlan 100

Switch(config-vlan)#private-vlan community


Switch(config)#vlan 200

Switch(config-vlan)#private-vlan community


Switch(config)#vlan 86

Switch(config-vlan)#private-vlan isolated


Switch(config)#vlan 10

Switch(config-vlan)#private-vlan primary

Switch(config-vlan)#private-vlan association 100,200,86


VLAN creation, here is where All the VLANs are created.

VLAN 100,200 – > Community VLAN

VLAN86 – > Isolated VLAN

PVLAN10 – > Primary VLAN

Switch(config)#interface gig2/1

Switch(config-if)#switchport mode private-vlan promiscuous

Switch(config-if)#private-vlan mapping 10 100,200,86

Switch(config)#interface range Gig2/2 – 3

Switch(config-if-range)#switchport private-vlan host-association 10 100

Switch(config)#interface range Gig2/4 – 5

Switch(config-if-range)#switchport private-vlan host-association 10 200

Switch(config)#interface range Gig2/6 – 7

Switch(config-if-range)#switchport private-vlan host-association 10 86

On each Gig 2/2,2/42/6 we are associating each VLAN with that interface, they are already defines as either isolated, community of promiscuous.

Ways to verify Private VLANs?

Show Vlan Private-vlan

*Port Protect feature.

Used on lower end switchs, this works similar to Private VLANS.

Protected ports are a simple version of private VLANS.  Traffice can flow only between a protected and unprotected port and unprotected and unprotected… if there both protected no traffic will flow.

*Ether Channel

*Etherchannel Provides redundancy

*up to 8 interfaces

*Load balancing is possible between the links part of the same etherchannel.

*Prevents Spanning tree seen as one interface when redundant links are used.

2 Primary protocols for Etherchannel.

PAgP – > Cisco proprietary,

LACP – > Industry standard 802.3ad,

PAgP Modes

PAgP Packets are sent out every 30 seconds.

Auto – > Places a interfaces in passive negotiating, it will respond to packets sent to it but it will not sent any.

Desirable – > Places an interface in active negotiation statem in which the interface iniates negotiations with other interfaces by sending the PAgP packets.

On – > Forces the intercace to channel without PAgP.  These do not exchange PAgP packets.

Non-Silent – > Normally used for things like servers,SPAN, Probes etc etc non switches.

LACP Modes…

Passive – > Default, Same

Active – > Sends to negotiate

On – > Forces interface to the channel without PAgP or LACP

Optional Parameters for LACP

System priority

Port priority

Administrative Key

Guidelines to creating a Portchannel / Ethernetchannel

Etherchannel support – > all interfaces on the modules support etherchannel max of 8 interfaces.
Speed and duplex – > make sure they are all the same bandwith and same duplex speed.

SPAN – Etherchannel will not form if one interface has a destination to a SPAN Node.

VLAN – > All interfaces in the port channel absolutely have to be assigned to the samw VLAN, as well as Native VLAN.

Etherchannel Load Balancing options…

Use the “Port-channel Load-balance” Command.  Theres a ton of different things load balancing can be set to… src/dest of MAC or src/dest or the IP address or Port.

Post a comment or leave a trackback: Trackback URL.


  • fidelis  On June 7, 2011 at 2:10 am

    this is a great site for all aspiring network engineers.Keep up the good work

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: