Configuring basic switching, VLANs, and interVLAN routing are cornerstones of your role. It also appears to be one of the areas many network engineers are weakest in. You must have a strong grasp of the topics covered for the exam.
Back to book index.
Layer 2 Switching Functions
As you learned earlier (for the purposes of the CCNA exam), switches operate at layer 2 of the OSI model. Switches can only look at the MAC address of traffic and forward or block it based on that address. Historically, because switches didn’t have to waste time examining layer 3 (IP) addresses, they were considerably faster than routers. Now, due to advances in the switching and routing technology, forwarding planes are of comparable speed.
The forwarding plane is also referred to as the data plane, and on routers and switches, this is where packets or frames are switched. Forwarding planes control traffic going through the device. Forwarding planes will be covered briefly later in this guide.
LAN switching is usually referred to as layer 2 switching because more advanced switching methods have since been invented that can operate at layer 3 and above. These types of switches are not currently included in the CCNA exam, but do check the latest syllabus before you book the exam. Please also check the Cisco VLAN and switching notes.
FIG 9.1 – Cisco Catalyst 2960 Switch range (Image ©Cisco Systems)
Cisco offers a huge range of switches, so please take the time to familiarize yourself with what’s available on Cisco.com.
Switches are most commonly used to separate the LAN into smaller segments (microsegmentation). In practice, they often provide far more features, such as the VLAN Trunking Protocol (VTP), Virtual LANs (VLANs), and Quality of Service (QoS), which allows certain types of network traffic (video conferencing, for example) to be prioritized over others (such as e-mail).
Switches perform three main functions:
- Learning MAC addresses
- Filtering and forwarding frames
- Preventing loops in the network
Learning MAC Addresses
When a switch is first powered up, it is not aware of the location of any of the hosts in the network. In a very short time, as hosts transmit data to other hosts, it learns and stores the source MAC address for each connected device. If an address is not currently in the switch’s database, it will send a broadcast message out of each port, except the port that the request was received on. When the switch receives a reply, it will add the address and source port to its database. It can take only a matter of minutes to build this database. Cisco refers to this as the CAM (content-addressable memory) table.
The switch stores each MAC address entry for a limited amount of time. If no traffic is heard from that address on that port for a predefined period, the entry is purged from memory. This frees up memory space on the switch and prevents entries from becoming out of date and inaccurate. This timer is known as the MAC address aging time. On the Cisco 2960 model, it is 300 seconds by default, but it can be configured to be between 10 and 1,000,000 seconds.
Switch#show mac address-table aging-time
Global Aging Time: 300
Vlan    Aging Time
----    ----------
Switch#conf t
Switch(config)#mac-address-table aging-time 600
The switch can also be configured to never purge the addresses.
The command you would use to see the CAM table of a switch is show mac-address-table (note the dashes in the command). Here is an example of the CAM table of a switch. You can add the command dynamic to the end if you only want to see the addresses learned dynamically by the switch. Infuriatingly, as you may discover for yourself, Cisco has changed the command slightly. One version has one dash and one has two, so find out which one you will need to use on your own switch.
Switch#show mac-address-table
Switch#show mac address-table
Mini-lab – Checking the MAC Address Table
In Figure 9.2 below, two PCs are connected to the switch. You need to add the IP address to each PC and then ping across the link. If you don’t have spare PCs, then use Fast Ethernet interface routers instead and connect them with a crossover cable or a switch.
FIG 9.2 – Mini-lab: Checking the MAC address table
You can see in the output below that the switch has already added the MAC addresses to the table. This will only happen when traffic passes through the switch from one interface to another. Note that the switch will not store the IP address of the attached devices because it isn’t concerned with IP addresses.
Switch#show mac-address-table
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    0090.2b96.c986    DYNAMIC     Fa0/1
   1    00d0.ffe6.5c3e    DYNAMIC     Fa0/2
If you wanted to flush the CAM table on the switch, you could issue the clear mac-address-table command. The switch would then repopulate the table as traffic came into the relevant interfaces (i.e., ping across the link to repopulate the MAC address table).
Switch#clear mac-address-table
Switch#show mac-address-table
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
[END OF MINI-LAB]
Note that the switch stores the MAC address and the port to which the host is connected. Do not worry about the VLAN column at the moment, as we will cover this later in the chapter. If you want to view only the dynamic MAC addresses that the switch has discovered, use the show mac-address-table dynamic command. There are actually several options you may want to try:
Switch#show mac address-table ?
address Address to look up in the table
aging-time MAC address table aging parameters
count Number of MAC addresses in the table
dynamic List dynamic MAC addresses
interface List MAC addresses on a specific interface
move MAC Move information
multicast List multicast MAC addresses
notification MAC notification parameters and history table
secure List secure MAC addresses
static List static MAC addresses
vlan List MAC addresses on a specific vlan
It’s important to note that you can see more than one MAC address allocated to a particular interface. You would also see this if the interface was a trunk (connected to another switch) or had a phone or hub attached. This is a common type of exam question.
Switch#show mac-address-table
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    0001.42dd.eca1    DYNAMIC     Fa0/1
   1    0050.0fde.8ca1    DYNAMIC     Fa0/3
   1    0090.0c63.9e31    DYNAMIC     Fa0/2
   1    00e0.a30e.1c04    DYNAMIC     Fa0/1
   1    00e0.f9de.e036    DYNAMIC     Fa0/1
You can see the topology for the network above in Figure 9.3 below, but my experience is that most networks have either no or out-of-date diagrams so you can’t always rely on these. The output above is for the bottom switch. Fa0/1 connects via a trunk link to the top switch, which has another three hosts connected to it.
FIG 9.3 – Checking MAC address tables
If you are troubleshooting on an unfamiliar network, you could use this method to track down which switch a particular host is attached to. You would eventually find the switch it’s directly connected to.
Please create your own network or use Packet Tracer, and then ping some devices to populate the CAM table. Next, issue the show mac-address-table dynamic command. It’s worth noting that the table is comprised of source MAC addresses only, never destination addresses. This is why you will never see a broadcast MAC address (all Fs) in the table.
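The troubleshooting method described above (reading the CAM table to find which port a host sits behind, and treating a port with several MACs as a trunk, hub or phone rather than a single host) as an added example in Python; this is not code from the book. The sample output is constructed to match the Figure 9.3 listing, and the function and variable names are my own.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the show mac-address-table output for the
# bottom switch in Figure 9.3 (Fa0/1 is the trunk towards the top switch).
SAMPLE_CAM_OUTPUT = """\
Switch#show mac-address-table
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    0001.42dd.eca1    DYNAMIC     Fa0/1
   1    0050.0fde.8ca1    DYNAMIC     Fa0/3
   1    0090.0c63.9e31    DYNAMIC     Fa0/2
   1    00e0.a30e.1c04    DYNAMIC     Fa0/1
   1    00e0.f9de.e036    DYNAMIC     Fa0/1
"""

# One CAM entry line: VLAN, Cisco dotted MAC, entry type, port. Header and
# separator lines do not match and are skipped.
ENTRY_RE = re.compile(
    r"^\s*(?P<vlan>\d+)\s+"
    r"(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+"
    r"(?P<type>DYNAMIC|STATIC)\s+"
    r"(?P<port>\S+)\s*$",
    re.IGNORECASE,
)


def parse_cam_table(text):
    """Return a list of (vlan, mac, type, port) tuples from show mac-address-table output."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((int(m["vlan"]), m["mac"].lower(), m["type"].upper(), m["port"]))
    return entries


def normalize_mac(mac):
    """Accept 00:e0:a3:0e:1c:04, 00-e0-a3-0e-1c-04, 00e0a30e1c04 or the Cisco
    dotted form and return the Cisco dotted form used in the CAM table."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ".".join(hexdigits[i:i + 4] for i in (0, 4, 8))


def macs_per_port(entries):
    """Map each port to the set of MAC addresses learned on it."""
    ports = defaultdict(set)
    for _vlan, mac, _type, port in entries:
        ports[port].add(mac)
    return dict(ports)


def multi_mac_ports(entries):
    """Ports with more than one learned MAC: a trunk, hub or phone, not a single host."""
    return sorted(p for p, macs in macs_per_port(entries).items() if len(macs) > 1)


def locate_host(entries, mac):
    """Return (port, directly_attached) for a MAC, or None if it is not in the table.
    The host is only known to be directly attached if nothing else was learned on
    that port; otherwise the search continues on the switch behind that port."""
    wanted = normalize_mac(mac)
    for port, macs in macs_per_port(entries).items():
        if wanted in macs:
            return port, len(macs) == 1
    return None


if __name__ == "__main__":
    table = parse_cam_table(SAMPLE_CAM_OUTPUT)
    print("ports with several MACs (trunk/hub/phone):", multi_mac_ports(table))
    print("00e0.a30e.1c04 is behind:", locate_host(table, "00e0.a30e.1c04"))
```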
Filtering and Forwarding Frames
Whenever a frame arrives at a switch port, the switch examines the destination address of the frame and then its database of MAC addresses. If the destination address is in the database, the frame will only be sent out of the interface the destination host is attached to. This process is known as frame filtering. If the address is not known, then the switch has no option but to flood the frame out of all ports other than the one on which it arrived.
Figure 9.4 below shows a capture of a frame. The Destination field contains the address c201:120c:0000, and this is what the switch will look for in its MAC address table. If this address isn’t present, the switch floods the frame out of every port except the one it arrived on.
FIG 9.4 – Frame capture
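The learning, filtering and flooding behaviour described in the last two sections, together with the 300-second aging time, as an added simulation in Python; this is not code from the book. The port names, MAC addresses and class names are constructed for the example.

```python
from dataclasses import dataclass, field

BROADCAST = "ffff.ffff.ffff"


@dataclass
class CamEntry:
    port: str
    learned_at: float  # time this entry was last refreshed by a source MAC


@dataclass
class Layer2Switch:
    """Minimal model of a layer 2 switch: learn source MACs, forward known
    unicast out of one port, flood unknown unicast and broadcast, age entries."""
    ports: list
    aging_time: float = 300.0  # 2960 default, in seconds
    cam: dict = field(default_factory=dict)

    def age_out(self, now):
        """Purge entries not refreshed within aging_time; return the purged MACs."""
        stale = [mac for mac, e in self.cam.items() if now - e.learned_at > self.aging_time]
        for mac in stale:
            del self.cam[mac]
        return stale

    def receive(self, in_port, src_mac, dst_mac, now):
        """Process one frame and return the list of ports it is forwarded out of."""
        if in_port not in self.ports:
            raise ValueError(f"unknown port {in_port}")
        self.age_out(now)
        # Learning: only SOURCE addresses are stored, so a broadcast never enters the table.
        if src_mac != BROADCAST:
            self.cam[src_mac] = CamEntry(in_port, now)
        entry = self.cam.get(dst_mac)
        if dst_mac != BROADCAST and entry is not None:
            # Filtering: a known destination on the arrival port is not forwarded at all;
            # otherwise the frame goes out of exactly one port.
            return [] if entry.port == in_port else [entry.port]
        # Unknown unicast or broadcast: flood out of every port except the arrival port.
        return sorted(p for p in self.ports if p != in_port)


if __name__ == "__main__":
    sw = Layer2Switch(ports=["Fa0/1", "Fa0/2", "Fa0/3"])
    print(sw.receive("Fa0/1", "0090.2b96.c986", "00d0.ffe6.5c3e", now=0))  # flooded
    print(sw.receive("Fa0/2", "00d0.ffe6.5c3e", "0090.2b96.c986", now=1))  # ['Fa0/1']
```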
Preventing Loops in the Network
Having multiple paths to destinations is very desirable in a network because if one path is no longer available, the traffic can take an alternative route. However, for switches, this feature can often cause problems in the network. If a broadcast is sent out of one link, it will be flooded out of all links and could bring the network to a grinding halt due to congestion. This situation is known as a broadcast storm.
In Figure 9.5 below, Host A sends a broadcast that is forwarded out of all ports on all switches, and each switch receiving the broadcast forwards it quickly, causing a loop.
FIG 9.5 – Broadcast traveling through the LAN
The switch prevents loops using the Spanning Tree Protocol. We will look at this in depth in the STP section.
Switching Methods
In theory, a frame can be forwarded by a switch as soon as the destination MAC address is read. The more of the frame that is read, the more delay (latency) is introduced. This delay can be caused by processing time on a device or congestion in the network. Of course, if the rest of the frame isn’t read and checked for errors, you could be forwarding damaged frames across the network.
Cisco switches have three different switching modes, depending on how much processing is carried out on the frame. More processing usually equals more latency. The switching methods are:
- Cut-through
- Store-and-forward
- Fragment-free
Cut-through
This switching method is the fastest because the frame is only examined to determine its destination MAC address. As soon as the switch reads the destination MAC address, it looks up the MAC address table and forwards the frame to the right destination. The switch does not perform any error checks to ensure that the frame is not malformed in some way. However, if a frame is less than 64 bytes, which is called a “runt frame”, cut-through switching eliminates it. This is also known as runt-free switching. The cut-through method is fast but less reliable.
Store-and-Forward
This method reads the entire frame, copies it into a buffer, performs a cyclic redundancy check (CRC), and then forwards the frames only if the check passes. The CRC verifies that there is no error on the frame. The switch also checks to ensure that the frame size is between 64 and 1518 bytes. Anything outside this range is dropped. Frames with errors are also discarded. Store-and-forward switching has the highest latency of all three methods.
Store-and-forward is the default setting for the Cisco 2960 model. Modern switches offer hardware-based store-and-forward operating at wire speeds with a minimum of latency. Store-and-forward is reliable and nearly as fast as the cut-through method.
Fragment-free (Modified Cut-through/Runt-free)
Because the cut-through method cannot ensure that frames are error-free and store-and-forward increases latency, we need a method that strikes a balance between being both quick and reliable. The fragment-free method examines frames for errors but does not store all their information, resulting in reliability and speed.
As a modified variety of cut-through switching, fragment-free examines the first 64 bytes of a frame (which are the most error prone) for any errors, and if none are detected the frame is passed. Moreover, frames with fewer than 64 bytes are dropped because they are not supported. This was the default configuration on lower-level Cisco switches.
FIG 9.6 – Three switching methods
Virtual Local Area Networks – VLAN Tutorial
You learned earlier that a switch segments a collision domain and a router segments a broadcast domain. You also learned that every port (interface) on a switch will be in the same broadcast domain by default. The diagram below indicates the collision and broadcast domains in a network.
FIG 9.7 – Collision and broadcast domains
It’s very important to understand what is happening in Figure 9.7 above. Note that routers break up broadcast domains, each port on a switch (and router) is a collision domain, and a hub is one big collision domain. Collision domains were discussed earlier in this guide. Please draw your own LAN diagrams and count the number of collision and broadcast domains you see.
A LAN (or VLAN) is essentially a broadcast domain that exists on one or more switches. A VLAN is created by the network administrator, who adds configuration to one or more switch ports, putting them into different broadcast domains. Furthermore, you can group ports on interconnected switches so that they belong to the same VLANs (see Figure 9.8 below).
FIG 9.8 – Broadcast domains with VLANs
Figure 9.8 above shows a different network with four PCs all connected to the same switch. Without VLANs, all the ports are in the same broadcast domain and as such, a broadcast sent by PC-A would be received by PC-C and PC-D. With VLANs, a broadcast sent is forwarded only to the members of that VLAN, so a broadcast from PC-A would reach only PC-B and a broadcast from PC-C would be received only by PC-D.
By default, all ports on a switch are in VLAN 1 in the same broadcast domain, so it’s up to you as the network administrator to configure more VLANs and add switch ports to them.
There are many advantages to using VLANs:
- Speed – reducing the broadcast domain makes the network faster because broadcast storms are reduced
- Resource conservation – devices no longer have to process broadcasts that are not intended for them, which saves CPU and memory resources
- Bandwidth conservation – logical networks operate on the same switch(es)
- Security – segmentation between logical domains, like departments and roles, so if a segment of the network is attacked, the attack can be contained to that logical segment
- Flexibility – because VLANs are a logical construct, they can be extended beyond a physical switch (more details on this later in this chapter), so you can have members of the same VLAN on multiple switches (which means that they can be on different floors or in different buildings!) as illustrated in Figure 9.9 below
VLANs also make moves, additions, and changes simpler. For example, if you need to move someone on VLAN 2 from Floor 1 to Floor 2, all you need to do is plug their PC into another switch and add a line or two of configuration at the most. Figure 9.9 below illustrates this concept:
FIG 9.9 – VLANs remove the physical boundaries from a LAN
VLAN Membership
You can associate devices with VLANs either statically or dynamically. With static assignments, the administrator assigns ports to VLANs by configuring the switch. If a user needs to move to another part of the building, the administrator has to assign the new port to the correct VLAN. We will cover this and other VLAN commands shortly. Remember that all switch ports belong to VLAN 1 by default. This is a security risk that you will learn how to resolve later in the chapter on switch security.
Dynamic VLAN assignment allows the automatic assignment of ports to VLANs based on the MAC addresses of the devices connected. This allows users to connect to any port without making any configuration changes. Automatic assignments are achieved using a VLAN Management Policy Server (VMPS), which is both rarely used and not in the CCNA syllabus.
For the purposes of the CCNA exam and best practices, each VLAN should have its own network or subnet address. This means:
- Communication is segmented between hosts in one VLAN and another VLAN
- Communication between two VLANs requires a layer 3 (routing) device because each VLAN has its own IP subnet (you will find more details on IP addressing in Chapter 6)
Finally, adding VLANs increases the number of broadcast domains but decreases the size of the domains (which is a good thing).
VLAN Numbers
Cisco switches have a range of numbers available for use as VLANs. By default, VLAN 1 is already in existence and all ports are set to use it. VLAN 0 isn’t usable and VLANs 1002 to 1005 are reserved, meaning that you have VLANs 2 to 1001 available for use.
Switch1#show vlan brief
VLAN Name                             Status    Ports
---- -------------------------------- --------- ------------------------------
1    default                          active    Fa0/2, Fa0/3, Fa0/4, Fa0/5
                                                Fa0/6, Fa0/7, Fa0/8, Fa0/9
                                                Fa0/10, Fa0/11, Fa0/12, Fa0/13
                                                Fa0/14, Fa0/15, Fa0/16, Fa0/17
                                                Fa0/18, Fa0/19, Fa0/20, Fa0/21
                                                Fa0/22, Fa0/23, Fa0/24, Gig1/1
                                                Gig1/2
1002 fddi-default                     active
1003 token-ring-default               active
1004 fddinet-default                  active
1005 trnet-default                    active
There is an extended range of VLAN numbers available, from 1006 to 4094; however, these VLANs can’t be stored in switch memory and in order to use them, you must configure the switch to be in VTP transparent mode (more on this later).
VLAN Links
You have seen that a switch can have multiple VLANs and that the same VLAN can span multiple switches. In fact, this is one of the main benefits of using VLANs. So how does this affect traffic from one switch to another? Looking at Figure 9.9 above, if the host in VLAN 3 on Floor 1 needs to communicate with another host in the same VLAN on Switch 2 (on Floor 2), how does Switch 1 send the frame to Switch 2 without losing the VLAN information? This is accomplished using a mechanism called VLAN tagging.
The switch tags the frame with a header that contains the VLAN ID. Referring to Figure 9.9, Switch 1 tags frames from VLAN 3 with VLAN ID 3 before sending them on to Switch 2. Once Switch 2 sees the tag, it knows that the frames should be kept within that VLAN.
There are two kinds of layer 2 links on a switch:
- Access links
- Trunk links
Access Links
A switch port that is defined as a member of one VLAN is referred to as an access link. When a frame is received on an access link, it is tagged with its VLAN ID. The switch strips the tag of this frame at the destination before sending it on to the recipient host, so the process is transparent to the end device.
Access links are used to connect to hosts. Most ports on a switch are already set as access links, but you can hard-set a port to be an access or trunk link and this is a common policy in commercial networks. I have shortened some of the commands below, which is common for network engineers to do:
Switch#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#int f0/1
Switch(config-if)#switchport mode ?
access Set trunking mode to ACCESS unconditionally
dynamic Set trunking mode to dynamically negotiate access/trunk mode
trunk Set trunking mode to TRUNK unconditionally
The dynamic setting allows the port to determine whether it should become an access or trunk link depending on the device it’s connected to. You won’t be able to leave the port in dynamic mode if you want to add port security, which we will look at later.
Trunk Links
A trunk link is used to carry traffic from multiple VLANs at the same time. Frames sent across a trunk link are tagged so they can be identified at the remote end. A trunk link can also be used to carry traffic between:
- Two switches
- A switch and a router
- A switch and a server
Trunk links are needed to forward traffic from multiple VLANs. Although you can use access links to connect two switches together, all the traffic from that access link would be treated as being in a single VLAN, which is configured on the port.
When multiple switches are connected using trunk links and they share information from the same VLANs, they are collectively called “switch fabric”.
The protocol that is used for tagging VLANs on frames in a trunk link on Cisco switches is the 802.1Q protocol.
802.1Q
802.1Q was created by the IEEE as a standard for tagging frames. 802.1Q works by inserting a 4-byte VLAN header into the original Ethernet frame header, between the source MAC address and the Type/Length field. Among other fields, this 4-byte tag carries the VLAN ID of the frame.
Since 802.1Q is an IEEE standard, you can use it if you were connecting a trunk link between a Cisco switch and a non-Cisco switch. You can see 802.1Q frame tagging in action in the Wireshark capture below. Can you see the VLAN ID?
FIG 9.10 – Frame tagging
On a Cisco 3650 Multilayer Switch, the encapsulation command is still available. Previously, you could choose either 802.1Q or ISL encapsulation. On modern Cisco switches, you will still see the encapsulation option but only 802.1Q is available:
3650Switch(config-if)#switchport trunk encapsulation ?
dot1q Interface uses only 802.1q trunking encapsulation when trunking
If you had a 3550 model, you would also see ISL and negotiate as options.
3550Switch(config-if)#switchport trunk encapsulation ?
dot1q Interface uses only 802.1q trunking encapsulation when trunking
isl Interface uses only ISL trunking encapsulation when trunking
negotiate Device will negotiate trunking encapsulation with peer on
On the 2960 switch, the encapsulation command is not available because only 802.1Q is supported (you will be tested on this in the CCNA exam):
Switch(config-if)#switchport trunk ?
allowed Set allowed VLAN characteristics when interface in trunking mode
native Set trunking native characteristics when interface in trunking mode
Figure 9.11 illustrates the tag being inserted into the frame. When this is done the FCS (frame check sequence) must also be recalculated.
FIG 9.11 – Frames tagged and tags removed
All frames using 802.1Q are tagged with VLAN information. The exception to this is the native VLAN, which by default is VLAN 1. All frames inside the native VLAN remain untagged.
The native VLAN is nothing more than a default VLAN, given that any port in a (Cisco) switch has to be assigned to one VLAN. By default, all ports belong to VLAN 1, or the native VLAN. You will learn how to change the native VLAN later.
In order for a trunk link to form, the native VLAN must match on both sides of the link. Although many study guides specify that the link must be at least 100 Mbps, you can actually create an 802.1Q trunk link over a 10 Mbps connection.
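The tag insertion and FCS recalculation shown in Figure 9.11, plus the untagged native VLAN rule above, as an added example in Python; this is not code from the book. It assumes the FCS is the standard Ethernet CRC-32 (as computed by zlib) appended least-significant byte first, and the MAC addresses and function names are constructed for the example.

```python
import struct
import zlib

TPID_8021Q = 0x8100            # TPID that marks an 802.1Q-tagged frame
MIN_FRAME, MAX_FRAME = 64, 1518  # valid untagged frame sizes (store-and-forward check)


def _mac_bytes(mac):
    """Cisco dotted (0090.2b96.c986) or colon/dash form to 6 raw bytes."""
    return bytes.fromhex(mac.replace(".", "").replace(":", "").replace("-", ""))


def _with_fcs(body):
    # Assumption: CRC-32 over everything before the FCS, transmitted little-endian.
    return body + struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)


def build_frame(dst, src, ethertype, payload):
    """Untagged Ethernet II frame; short payloads are padded to the 64-byte minimum."""
    payload = payload.ljust(46, b"\x00")
    frame = _with_fcs(_mac_bytes(dst) + _mac_bytes(src) + struct.pack("!H", ethertype) + payload)
    if len(frame) > MAX_FRAME:
        raise ValueError("frame larger than 1518 bytes")
    return frame


def fcs_ok(frame):
    """True if the trailing FCS matches the frame contents."""
    body, fcs = frame[:-4], frame[-4:]
    return struct.unpack("<I", fcs)[0] == (zlib.crc32(body) & 0xFFFFFFFF)


def add_tag(frame, vlan_id, pcp=0):
    """Insert the 4-byte tag after the source MAC (bytes 12-15) and recompute the FCS."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be 1..4094 (0 and 4095 are reserved)")
    tci = ((pcp & 0x7) << 13) | (vlan_id & 0xFFF)  # 3-bit priority, 1 unused bit, 12-bit VID
    return _with_fcs(frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:-4])


def parse_tag(frame):
    """Return (vlan_id, pcp) if the frame carries an 802.1Q tag, otherwise None."""
    if struct.unpack("!H", frame[12:14])[0] != TPID_8021Q:
        return None
    tci = struct.unpack("!H", frame[14:16])[0]
    return tci & 0xFFF, tci >> 13


def strip_tag(frame):
    """Remove the tag again (what the switch does before delivering to an access port)."""
    return _with_fcs(frame[:12] + frame[16:-4])


def egress_trunk(frame, vlan_id, native_vlan=1):
    """Trunk egress: frames in the native VLAN leave untagged, all others are tagged."""
    return frame if vlan_id == native_vlan else add_tag(frame, vlan_id)


def ingress_trunk(frame, native_vlan=1):
    """Trunk ingress: return (vlan_id, untagged_frame). An untagged frame is placed
    in the native VLAN; a tagged one goes to the VLAN in its tag, with the tag removed."""
    tag = parse_tag(frame)
    if tag is None:
        return native_vlan, frame
    return tag[0], strip_tag(frame)
```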
Trunk Links Continued
As a network engineer, you will want to know the settings of a switch port and how it will form a trunk link with its neighbor because you may want it to become a certain port type rather than let the switch decide. This actually depends on the port mode. The possible modes are listed below:
- On – The port is configured as a trunk with the switchport mode trunk command. The connected device has to agree to also be a trunk; otherwise, the link will not work properly.
- Off – The port will not function as a trunk, regardless of what is configured at the remote end.
- Auto – The port is willing to be a trunk but will not initiate the negotiation; the remote side has to initiate it. If both sides are set to auto, a trunk will not be formed.
- Desirable – The port is willing to become a trunk and will initiate the negotiation. If the remote side is desirable or auto, a trunk is formed.
- No-negotiate – Negotiation is disabled with the switchport nonegotiate command. The port has to be configured manually as a trunk or access link.
You must be familiar with all of the outcomes in Table 9-1 below for the exam:
Table 9-1: Trunk links
Switch 1 | Switch 2 | Is a Trunk Formed? |
On | On | Yes |
On | Auto | Yes (only one side passive) |
Auto | Auto | No (both sides are passive) |
Desirable | Desirable | Yes |
Desirable | Auto | Yes |
Desirable | On | Yes |
We will cover how to configure the trunk links above shortly, but for now, you can use the command below to see your default settings because these differ from model to model:
Switch#show interface f0/1 switchport
Name: Fa0/1
Switchport: Enabled
Administrative Mode: dynamic auto
Operational Mode: down
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: native
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
In order to negotiate trunking, switches use Dynamic Trunking Protocol (DTP), which used to be in the CCNP syllabus but is now in the CCNA syllabus.
Dynamic Trunking Protocol
DTP is used to dynamically negotiate a trunk link between two switches (if the other switch wants to perform trunking). This is a Cisco proprietary point-to-point protocol. DTP is turned on by default on a switch, and a port can be in one of two DTP modes (see the previous IOS command output):
- Dynamic desirable
- Dynamic auto
Dynamic desirable puts the port in a state of active negotiation. If the remote end is configured for DTP (whether auto or desirable), a trunk will be formed. Dynamic auto is a passive negotiation state. A trunk will not be formed if both ends are configured to operate in dynamic auto mode.
Switch(config-if)#switchport mode dynamic ?
auto Set trunking mode dynamic negotiation parameter to AUTO
desirable Set trunking mode dynamic negotiation parameter to DESIRABLE
However, if one end of the link has been configured as a manual (static) trunk, then the other end will form a trunk as long as it receives DTP messages (i.e., the switchport nonegotiate command is not issued).
Table 9-2: DTP mode combinations
Switch 1 | Switch 2 | Result |
Desirable | Desirable | Trunk Forms |
Desirable | On | Trunk Forms |
Desirable | Auto | Trunk Forms |
Auto | Desirable | Trunk Forms |
Auto | Auto | No Trunk |
No-negotiate | Trunk | No Trunk |
Static Access | Trunk | No Trunk |
Access | Access | No Trunk |
If you have the switchport nonegotiate command added to one or both ends, they will both have to be manually set to trunk to form a trunk link. If you wanted to turn off DTP for security reasons, for example, you would use the switchport nonegotiate command, which would allow you to manually configure the port as a trunk if you wanted it to become such.
Switch(config-if)#switchport nonegotiate
A link will only become a trunk through DTP negotiation or when set manually with the switchport mode trunk command.
Switch(config-if)#switchport mode ?
  access   Set trunking mode to ACCESS unconditionally
  dynamic  Set trunk mode to dynamically negotiate access or trunk mode
  trunk    Set trunking mode to TRUNK unconditionally
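An added audit script, not from the book, that applies the points just made (ports left in dynamic mode can be negotiated into a trunk, switchport nonegotiate turns DTP off, and ports left in VLAN 1 are still in the default VLAN) to show interfaces switchport output. The sample output is constructed in the format shown earlier in this chapter, and the function names are my own.

```python
# Constructed sample in the format of show interfaces switchport, for three
# ports of one switch: an access port in VLAN 5, a port left at its defaults,
# and a manually configured trunk that still sends DTP.
SAMPLE_SWITCHPORT = """\
Name: Fa0/1
Switchport: Enabled
Administrative Mode: static access
Operational Mode: static access
Administrative Trunking Encapsulation: dot1q
Negotiation of Trunking: Off
Access Mode VLAN: 5 (ADMIN)
Trunking Native Mode VLAN: 1 (default)

Name: Fa0/2
Switchport: Enabled
Administrative Mode: dynamic auto
Operational Mode: static access
Administrative Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)

Name: Fa0/15
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
"""


def parse_switchport(text):
    """Return {interface: {field: value}} from show interfaces switchport output.
    Each 'Name:' line starts a new interface block; other 'key: value' lines
    belong to the current block, and lines without a colon are ignored."""
    result, current = {}, None
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "Name":
            current = value
            result[current] = {}
        elif current is not None:
            result[current][key] = value
    return result


def audit_switchport(ports):
    """Return (interface, finding) pairs for ports whose trunking is left to DTP
    or that are still in the default VLAN."""
    findings = []
    for name, f in sorted(ports.items()):
        admin = f.get("Administrative Mode", "")
        negotiation = f.get("Negotiation of Trunking", "")
        if admin.startswith("dynamic"):
            findings.append((name, f"mode is '{admin}': hard-set switchport mode access or trunk"))
        if admin == "trunk" and negotiation == "On":
            findings.append((name, "trunk still negotiating: add switchport nonegotiate"))
        if admin != "trunk" and f.get("Access Mode VLAN", "").startswith("1 "):
            findings.append((name, "port still in default VLAN 1"))
    return findings


if __name__ == "__main__":
    for interface, finding in audit_switchport(parse_switchport(SAMPLE_SWITCHPORT)):
        print(f"{interface}: {finding}")
```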
The show dtp [interface [name]] command can be used to display DTP information globally for the switch or for the specified interface. The following output shows the information printed by the show dtp command:
Switch#show dtp
Global DTP information
Sending DTP Hello packets every 30 seconds
Dynamic Trunk timeout is 300 seconds
4 interfaces using DTP
Based on the output above, the switch is sending DTP packets every 30 seconds, the DTP timeout is 300 seconds (five minutes), and four interfaces are currently using DTP. The show dtp [interface [name]] command gives DTP information about a particular interface, which includes the type of interface (trunk or access), the current port DTP configuration, the trunk encapsulation, and DTP packet statistics, as shown in the output below. This is outside of what you need to know for the CCNA exam but it’s handy to know.
Switch#show dtp interface FastEthernet0/1
DTP information for FastEthernet0/1:
TOS/TAS/TNS: TRUNK/ON/TRUNK
TOT/TAT/TNT: 802.1Q/802.1Q/802.1Q
Neighbor address 1: 000000000000
[output truncated]
Mini-lab – Configuring VLANs and Trunk Links
It’s time to see how VLANs are configured on Cisco switches. But first, it’s important to note that up until IOS 12.2SX, you would have used the command vlan database to create a VLAN. This command has now been retired, but if you have an old IOS version or an older switch model, then you will need to use this command.
In order to prepare for your CCNA exam, I recommend that you use a modern switch. You will be tested on the 2960 model in the exam (emulator); however, the 2950 model will do fine and will set you back around $25 ($50 for the 2960 model). If you plan to progress to the CCNP exam, then consider more powerful models that support advanced features, such as the 3560, which supports private VLANs. Cisco has full details on these features on its website.
We will configure the switches as shown in Figure 9.12 below. First, assign F0/1 on each switch to VLAN 5, and Fa0/15 will be configured as a trunk port. You already know how to change the default device name from Switch.
FIG 9.12 – Mini-lab: Configuring VLANs and trunk links
Next, you need to create the VLANs (by default, only VLAN 1 exists on a switch). VLANs are created using the vlan [vlan#] global configuration command. This takes you into VLAN configuration mode where you can give the VLAN a name.
On modern Cisco IOS versions, if you put an interface into a VLAN that doesn’t exist, the command is accepted and the switch creates the VLAN for you. The VLAN is added to the vlan.dat file (it won’t show in the running configuration, and the VLAN data remains present even after a switch reload). However, you should make it a habit to create your VLANs before assigning ports to them. The output below demonstrates this point; I’ve truncated it to save space.
Switch1#show vlan
VLAN Name                             Status    Ports
---- -------------------------------- --------- ------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                Fa0/9, Fa0/10, Fa0/11, Fa0/12
                                                Fa0/13, Fa0/14, Fa0/15, Fa0/16
                                                Fa0/17, Fa0/18, Fa0/19, Fa0/20
                                                Fa0/21, Fa0/22, Fa0/23, Fa0/24
                                                Gig1/1, Gig1/2
1002 fddi-default                     act/unsup
Switch1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Switch1(config)#int f0/1
Switch1(config-if)#switchport mode access
Switch1(config-if)#switchport access vlan 5
% Access VLAN does not exist. Creating vlan 5
Switch1(config-if)#end
Switch1#
%SYS-5-CONFIG_I: Configured from console by console
Switch1#show vlan
VLAN Name                             Status    Ports
---- -------------------------------- --------- ------------------------------
1    default                          active    Fa0/2, Fa0/3, Fa0/4, Fa0/5
[output truncated]
5    VLAN0005                         active    Fa0/1
1002 fddi-default                     act/unsup
You can also name your VLANs to easily identify them:
Switch1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Switch1(config)#vlan 5
Switch1(config-vlan)#name ADMIN
Switch1(config-vlan)#end
Switch1#show vlan
VLAN Name                             Status    Ports
---- -------------------------------- --------- ------------------------------
1    default                          active    Fa0/2, Fa0/3, Fa0/4,
[output truncated]
5    ADMIN                            active    Fa0/1
Now repeat this on Switch 2: create and name VLAN 5, then assign port Fa0/1 to it using the switchport access vlan [vlan#] interface command.
Switch2#config t
Switch2(config)#vlan 5
Switch2(config-vlan)#name ADMIN
Switch2(config-vlan)#int fa0/1
Switch2(config-if)#switchport access vlan 5
Now, let’s take a look at the show vlan brief output:
Switch1#show vlan brief
VLAN Name                             Status    Ports
---- -------------------------------- --------- ------------------------------
1    default                          active    Fa0/2, Fa0/3, Fa0/4, Fa0/5
                                                Fa0/6, Fa0/7, Fa0/8, Fa0/9
                                                Fa0/10, Fa0/11, Fa0/12,
                                                Fa0/13, Fa0/14, Fa0/16,
                                                Fa0/17, Fa0/19
5    ADMIN                            active    Fa0/1
[output truncated]
You can see that fa0/1 is now assigned to VLAN 5. The next step is to configure interface fa0/15 on both switches as trunk links. The default port mode on the switches that we are working on is dynamic auto mode, so no trunk will form automatically. This can be verified using the show interface trunk command:
Switch1#show interface trunk
Switch1#
There appear to be no trunk interfaces on either end, so you need to set the interface as a trunk. The procedure for configuring a trunk link on higher-end switches such as the 3570 is slightly different, but we will stick with the 2960 because this is the model tested in the CCNA exam. Ensure that the port is set to trunk; by default, it will be set as an access port for use by a network host.
The configuration can be verified using the show interfaces [name] switchport command, as illustrated in the following output:
Switch1#show interface fast0/15 switchport
Name: Fa0/15
Switchport: Enabled
Administrative Mode: dynamic auto
Operational Mode: static access
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: native
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Voice VLAN: none
[output truncated]
At the moment, the port is operating in static access mode, but it needs to be a trunk link. The dynamic auto setting allows the interface to become a trunk if the other end is set to trunk or to dynamic desirable, so all you need to do is set either end of the connection between the switches as a trunk link.
Switch1(config)#int f0/15
Switch1(config-if)#switchport mode trunk
Switch1(config-if)#end
Switch1#show interface trunk
Port Mode Encapsulation Status Native vlan
Fa0/15 on 802.1q trunking 1
[output truncated]
You can now repeat the earlier command to check the settings:
Switch1#show interface fast0/15 switchport
Name: Fa0/15
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Note that the settings on the other switch have changed automatically:
Switch2#show int f0/15 switchport
Name: Fa0/15
Switchport: Enabled
Administrative Mode: dynamic auto
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Voice VLAN: none
[END OF MINI-LAB]
You will see different behavior on higher-model switches. Note the dynamic desirable setting on my Cisco 3550 switch below. Knowing seemingly small details like this will make you a very good Cisco engineer and save you a lot of trouble when installing and troubleshooting live networks.
Switch#show int f0/15 switchport
Name: Fa0/15
Switchport: Enabled
Administrative Mode: dynamic desirable
IEEE 802.1Q Native VLAN
Earlier in this chapter, you learned that 802.1Q tags frames with the VLAN ID, except for frames in the native VLAN. The native VLAN is created for backward compatibility with ports or equipment that do not understand VLAN tags.
VLAN 1 is the default native VLAN, and this can be seen in the output of the show interfaces [name] switchport command. This is a very handy command to use on your switch because it reveals a lot of useful information.
Switch#show interfaces FastEthernet0/1 switchport
Name: Fa0/1
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Voice VLAN: none
[output truncated]
Management protocol traffic such as Cisco Discovery Protocol (CDP), Port Aggregation Protocol (PAgP), Dynamic Trunking Protocol (DTP), and VLAN Trunking Protocol (VTP) is transported in VLAN 1. We will cover these protocols in the relevant parts of this guide.
The native VLAN for a trunk interface can be set to any valid VLAN number. The caveat here is that this number must match on both sides; otherwise, the switch will issue a Spanning Tree Port VLAN ID (PVID) inconsistent state error. You will also see messages on the switch console indicating a VLAN mismatch.
Here is the error message on my 2960 Switch, which has been left at the default VLAN 1 for its Fast Ethernet 0/1 interface while the neighbor switch is configured to use this port for VLAN 10 as the native VLAN:
%CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on FastEthernet0/1 (1), with Switch FastEthernet0/1 (10).
Cisco error messages almost always tell you exactly what the nature of the problem is. So long as the error remains, you will see the message appear every few seconds.
The native VLAN can be changed using the switchport trunk native vlan [number] interface configuration command, as shown below. If I changed the switch interfaces above to be in the same native VLAN, the error message would cease.
Switch(config)#interface FastEthernet0/1
Switch(config-if)#switchport trunk native vlan ?
[1-4094] VLAN ID of the native VLAN when this port is in trunking mode
We will discuss this command again in this guide when we cover network security issues.
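The DTP behavior walked through in the mini-lab above (dynamic auto on both ends forms no trunk; trunk or dynamic desirable on either end does) and the native VLAN mismatch just described can both be checked from the show interfaces switchport output of the two ends, and the CDP console message can be picked out of a syslog feed. The script below does exactly that. It is an added example written for this chapter, not the book's or Cisco's code; the switchport outputs and the syslog line it parses are constructed to mirror the mini-lab (the names Switch2 and Fa0/15 are assumed), and the DTP table it encodes covers only the four administrative modes discussed in this chapter.

```python
"""Check a switch-to-switch link from 'show interfaces <name> switchport'
output captured on both ends: predict whether DTP brings up a trunk, flag a
native VLAN mismatch, and parse the CDP syslog line the mismatch produces.
Added example for this chapter (not the book's or Cisco's code); the sample
outputs below are constructed to mirror the mini-lab, not real captures."""
import re

def dtp_trunk_forms(mode_a, mode_b):
    """DTP outcome for the administrative modes the chapter covers."""
    modes = {mode_a.lower(), mode_b.lower()}
    if any("access" in m for m in modes):
        return False                 # an access port never negotiates a trunk
    if "trunk" in modes or "dynamic desirable" in modes:
        return True                  # at least one side forces or asks for a trunk
    return False                     # dynamic auto + dynamic auto: nobody initiates

def parse_switchport(text):
    """Turn the 'Key: value' lines of show interfaces switchport into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def _vlan(value):
    m = re.match(r"\d+", value)      # "1 (default)" -> 1
    return int(m.group()) if m else None

def check_link(local_text, remote_text):
    """Compare both ends of one link and return what a reviewer wants to know."""
    local, remote = parse_switchport(local_text), parse_switchport(remote_text)
    n_local = _vlan(local.get("Trunking Native Mode VLAN", ""))
    n_remote = _vlan(remote.get("Trunking Native Mode VLAN", ""))
    return {
        "trunk_expected": dtp_trunk_forms(local["Administrative Mode"],
                                          remote["Administrative Mode"]),
        "trunk_operational": (local.get("Operational Mode") == "trunk"
                              and remote.get("Operational Mode") == "trunk"),
        "native_local": n_local,
        "native_remote": n_remote,
        "native_mismatch": n_local != n_remote,
    }

# The console message the chapter shows when native VLANs differ on a link.
MISMATCH_RE = re.compile(
    r"%CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on "
    r"(\S+) \((\d+)\), with (\S+) (\S+) \((\d+)\)")

def parse_mismatch_syslog(line):
    """Extract interfaces and VLAN IDs from the CDP mismatch message, or None."""
    m = MISMATCH_RE.search(line)
    if not m:
        return None
    return {"local_if": m.group(1), "local_vlan": int(m.group(2)),
            "neighbor": m.group(3), "neighbor_if": m.group(4),
            "neighbor_vlan": int(m.group(5))}

# Constructed samples: Switch1 forced to trunk, Switch2 left at dynamic auto with
# native VLAN 10 (the mismatch), plus a pair of dynamic auto ports that stay access.
SWITCH1_F015 = """\
Name: Fa0/15
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
"""
SWITCH2_F015 = (SWITCH1_F015
                .replace("Administrative Mode: trunk", "Administrative Mode: dynamic auto")
                .replace("Trunking Native Mode VLAN: 1 (default)", "Trunking Native Mode VLAN: 10"))
AUTO_ACCESS = (SWITCH1_F015
               .replace("Administrative Mode: trunk", "Administrative Mode: dynamic auto")
               .replace("Operational Mode: trunk", "Operational Mode: static access"))
SYSLOG = ("%CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on "
          "FastEthernet0/15 (1), with Switch2 FastEthernet0/15 (10).")

if __name__ == "__main__":
    print(check_link(SWITCH1_F015, SWITCH2_F015))
    print(check_link(AUTO_ACCESS, AUTO_ACCESS))
    print(parse_mismatch_syslog(SYSLOG))
```

Feed check_link the switchport output from each end of a link; a result with trunk_expected True but trunk_operational False points at a negotiation problem (or DTP disabled on one side), and native_mismatch True is the condition behind the %CDP-4-NATIVE_VLAN_MISMATCH message, which parse_mismatch_syslog turns into fields a log pipeline can alert on.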
InterVLAN Routing
As mentioned, hosts in one VLAN cannot communicate with hosts in another VLAN without a layer 3 device. This is because the VLANs are, in effect, separate networks, and traffic needs to be routed from one network to the other. Being able to route information between VLANs is referred to as interVLAN routing.
For the CCNA exam, you not only need to know about the available methods but also how to configure them. Because one of the methods involves configuring a layer 3 switch, I doubt that you will have a hands-on lab; however, Cisco may present you with sample configurations and ask you to choose the correct one or to spot a configuration error when shown the configurations on various switches.
There are three main methods to create interVLAN routing:
- Using physical router interfaces
- Using subinterfaces
- Using switched virtual interfaces
It’s much easier to understand this process through practice labs.
Mini-lab – InterVLAN Routing Using Physical Router Interfaces
The first method of routing between VLANs is to connect a router interface to each VLAN. The router interface will serve as the default gateway for each VLAN. The router will then route between the networks because it is directly connected to both networks. This method is shown in the diagram below. You can swap the PCs for router Fast Ethernet interfaces, and use just one per VLAN instead of two if you want.
FIG 9.13 – Mini-lab: InterVLAN routing using physical router interfaces
Figure 9.13 shows a single switch with two VLANS. VLAN 10 has subnet 192.168.10.0/24 and VLAN 20 has subnet 192.168.20.0/24. Packets going from one subnet to the other will use their default gateway. The default gateway of VLAN 10 is R1’s Fa0/0 physical interface. Similarly, the default gateway of VLAN 20 is R1’s Fa0/1 physical interface.
If a host needs to reach a device in its own VLAN (same subnet), it simply ARPs for that device's MAC address and sends the traffic to it, letting the switch handle the rest. For destinations outside its subnet, the host sends the traffic to its default gateway, which routes the packets to the appropriate destination.
The default gateway is the address to which all traffic for destinations outside the local subnet is sent (otherwise, it would be dropped). IP addressing, subnetting, and routing will be covered in detail in subsequent chapters of this book.
From the switch’s perspective, the router is just another host, so the port where the router is connected is assigned to the VLAN for which it serves as the default gateway. The switch configuration for this method is shown below:
Switch(config)#vlan 10
Switch(config-vlan)#name Example-VLAN-10
Switch(config-vlan)#exit
Switch(config)#vlan 20
Switch(config-vlan)#name Example-VLAN-20
Switch(config-vlan)#exit
Switch(config)#interface range FastEthernet0/1 - 2, 23
Switch(config-if-range)#switchport access vlan 10
Switch(config-if-range)#switchport mode access
Switch(config-if-range)#exit
Switch(config)#interface range FastEthernet0/3 - 4, 24
Switch(config-if-range)#switchport access vlan 20
Switch(config-if-range)#switchport mode access
Switch(config-if-range)#exit
Note that I have used the interface range command, which is a time-saving method available on late-model switches. If it doesn’t work for you, then configure each interface individually. Note also that the VLAN is created automatically if you assign ports to a VLAN that does not exist yet:
Switch(config-if-range)#switchport access vlan 10
% Access VLAN does not exist. Creating vlan 10
The router’s configuration is shown below:
R1(config)#interface fast0/0
R1(config-if)#ip add 192.168.10.1 255.255.255.0
R1(config-if)#no shut
R1(config-if)#exit
R1(config)#interface fast0/1
R1(config-if)#ip add 192.168.20.1 255.255.255.0
R1(config-if)#no shut
R1(config-if)#exit
You can add IP addresses to the hosts yourself. If you don’t have hosts handy, then use router Ethernet interfaces, or use just one router for each site and add IP addresses from the correct subnet, such as:
192.168.10.2 (for VLAN 10)
192.168.10.3 (for VLAN 10)
192.168.20.2 (for VLAN 20)
192.168.20.3 (for VLAN 20)
You will need to add a default gateway for your hosts, which will be the router interface for the correct VLAN. If you find this lab to be a bit hard, come back to it later when you have more hands-on experience with the other labs.
In the output below, a PC in VLAN 10 with the IP address 192.168.10.2 is pinging a host in VLAN 20 (you can see that the first ping timed out due to an ARP lookup):
PC>ping 192.168.20.2
Pinging 192.168.20.2 with 32 bytes of data:
Request timed out.    <-- Timeout due to ARP lookup
Reply from 192.168.20.2: bytes=32 time=0ms TTL=127
Reply from 192.168.20.2: bytes=32 time=0ms TTL=127
Reply from 192.168.20.2: bytes=32 time=0ms TTL=127
Ping statistics for 192.168.20.2:
Packets: Sent = 4, Received = 3, Lost = 1 (25% loss),
Approximate round-trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
[END OF MINI-LAB]
The advantage of this method is its ease. All you need to do is assign an IP address to the interface of a router and make that IP address the gateway of the VLAN and you are done! The disadvantage is that it is not scalable. So, what happens when you have 5 or 20 or more VLANs? Buying routers with multiple interfaces or multiple routers is not a viable option, both technically and economically.
This brings us to the next method of InterVLAN routing.
Mini-lab – InterVLAN Routing Using Router Subinterfaces
This method is often referred to as “router on a stick”. Instead of using a physical interface for each VLAN, you can use a single physical interface for all the VLANs on the switch. The single physical interface is logically divided into subinterfaces, and a subinterface is assigned to each VLAN. This helps to address the scalability concern of the previous method. InterVLAN routing using router subinterfaces is illustrated below in Figure 9.14:
FIG 9.14 – Mini-lab: InterVLAN routing using router subinterfaces
The diagram above shows the same network as the previous one, with the difference being that rather than using a physical interface for each VLAN, now one physical interface is used with subinterfaces on each VLAN. There are three steps to configuring the subinterface:
- Create the subinterface using the interface [name].[subinterface number] configuration command.
- Specify the VLAN and the encapsulation protocol using the encapsulation [isl|dot1Q] [vlan] subinterface configuration command. You will only see ISL as an option on older switch models.
- Assign an IP address to the subinterface.
On the switch end, you now need to send traffic from multiple VLANs to the router, so you need a trunk link. On higher-end switch models you must also specify the trunk encapsulation protocol, and you can set the native VLAN if you do not want to use the default. If a native VLAN other than VLAN 1 is used, then it needs its own subinterface on the router too. The configurations for the switch and router are shown below:
Switch(config)#vlan 10
Switch(config-vlan)#name Example-VLAN-10
Switch(config-vlan)#exit
Switch(config)#vlan 20
Switch(config-vlan)#name Example-VLAN-20
Switch(config-vlan)#exit
Switch(config)#vlan 30
Switch(config-vlan)#name Management-VLAN
Switch(config-vlan)#exit
Switch(config)#interface range FastEthernet0/1 - 2
Switch(config-if-range)#switchport access vlan 10
Switch(config-if-range)#switchport mode access
Switch(config-if-range)#exit
Switch(config)#interface range FastEthernet0/3 - 4
Switch(config-if-range)#switchport access vlan 20
Switch(config-if-range)#switchport mode access
Switch(config-if-range)#exit
Switch(config)#interface FastEthernet0/24
Switch(config-if)#switchport trunk encapsulation dot1q   (won’t work on a 2960 Switch)
Switch(config-if)#switchport mode trunk
Switch(config-if)#switchport trunk native vlan 30
Switch(config-if)#exit
Switch(config)#interface vlan 30
Switch(config-if)#description “This is the Management Subnet”
Switch(config-if)#ip address 192.168.30.2 255.255.255.0
Switch(config-if)#no shutdown
Switch(config-if)#exit
Switch(config)#ip default-gateway 192.168.30.1
The switch’s own IP traffic to other subnets will not work unless a default gateway (i.e., where to send traffic for which no specific route exists) is configured on the switch, because a 2960 is unable to route (we will cover this in detail later). Because VLAN 30 was created as the management VLAN and used as the native VLAN, you need a subinterface for VLAN 30 too. The router configuration is shown below:
R1(config)#interface FastEthernet0/0
R1(config-if)#no ip address
R1(config-if)#exit
R1(config)#interface fast0/0.10
R1(config-subif)#description “Subinterface For VLAN 10”
R1(config-subif)#encapsulation dot1Q 10
R1(config-subif)#ip add 192.168.10.1 255.255.255.0
R1(config-subif)#exit
R1(config)#interface fast0/0.20
R1(config-subif)#description “Subinterface For VLAN 20”
R1(config-subif)#encapsulation dot1Q 20
R1(config-subif)#ip add 192.168.20.1 255.255.255.0
R1(config-subif)#exit
R1(config)#interface fast0/0.30
R1(config-subif)#description “Subinterface For Management”
R1(config-subif)#encapsulation dot1Q 30 native
R1(config-subif)#ip add 192.168.30.1 255.255.255.0
R1(config-subif)#exit
Note that each router subinterface is in a different subnet, matching the subnet of its VLAN. You must also configure the correct encapsulation type (dot1Q) and the tag number for the VLAN, such as encapsulation dot1Q 10.
Please note: It is not mandatory for the subinterface number to match the tag number, but it is considered a good practice.
Once again, set IP addresses on the hosts in the correct VLANs and set the default gateway to the router subinterface in the respective VLAN. Ping across the VLANs now.
[END OF MINI-LAB]
Clearly, this option is more scalable than the previous one. However, this solution causes all interVLAN traffic to flow through the same interface. This can quickly lead to bandwidth constraints and create a bottleneck in the network. You would not need a routing protocol on the router because all of the networks are directly connected. Issue a show ip route to verify this for yourself.
Note that routers are backward compatible with older switches, so they offer both ISL and 802.1Q encapsulation.
R1(config-subif)#encapsulation ?
dot1Q  IEEE 802.1Q Virtual LAN
isl    Inter Switch Link - Virtual LAN encapsulation
Mini-lab – InterVLAN Routing Using Switched Virtual Interfaces
You saw earlier that modern switches can now operate at layer 3 (and above in fact). This means switches can now route. And if switches can route, you no longer need a router just to route between two VLANs. This feature is not available on the 2960 range of switches. If you want to configure the commands below, you will need to find a 3550 or later model, or use a layer 3 switch in Packet Tracer.
Multilayer switches can support switch ports and routed ports. A routed port acts in the same manner as an Ethernet port on your router, allowing you to add an IP address, for example. You can make a port operate at layer 3 by issuing the no switchport command (not available on the 2960 model). This disables the port at layer 2 (and enables it at layer 3). After this, you can configure layer 3 features such as IP addressing on the port/interface.
Switches also support logical interfaces known as switched virtual interfaces (SVIs). These interfaces are logical layer 3 interfaces (they can have an IP address). You might have noticed that I configured interface vlan 30 in the previous mini-lab. This is an example of an SVI. You can configure an SVI for each VLAN on a multilayer switch. Because the switch can route traffic from one VLAN to the other, you only need to set the SVI’s IP address as the default gateway for the VLANs.
One final step to ensuring that traffic is routed from one VLAN to another is to configure IP routing on the switch. This turns on the routing features of a multilayer switch. It’s worth noting that not all Cisco switches support interVLAN routing using SVIs. It is both model and IOS (release # and feature set) dependent. Check your documentation first. According to Cisco:
“Catalyst switch models 3560, 3750, Catalyst 4500/4000 Series with Sup II+ or later, or Catalyst 6500/6000 Series that run Cisco IOS system software support basic InterVLAN routing features in all their supported software versions. Before you attempt this configuration on a 3550 series switch, ensure that you meet these prerequisites.” (See Table 9-3 below.)
Table 9-3: ©Cisco Systems
Image Type and Version                                                             | InterVLAN Routing Capability
Enhanced Multilayer Image (EMI) - All Versions                                     | Yes
Standard Multilayer Image (SMI) - Prior to Cisco IOS Software Release 12.1(11)EA1  | No
Standard Multilayer Image (SMI) - Cisco IOS Software Release 12.1(11)EA1 and Later | Yes
FIG 9.15 – Mini-lab: InterVLAN routing using SVIs
The output below shows the configuration required to support interVLAN routing on a single switch. The ip routing command is of particular importance to ensure that the layer 3 switch can route the traffic.
Switch(config)#ip routing
Switch(config)#vlan 10
Switch(config-vlan)#name Example-VLAN-10
Switch(config-vlan)#exit
Switch(config)#vlan 20
Switch(config-vlan)#name Example-VLAN-20
Switch(config-vlan)#exit
Switch(config)#interface range FastEthernet0/1 - 2
Switch(config-if-range)#switchport
Switch(config-if-range)#switchport mode access
Switch(config-if-range)#switchport access vlan 10
Switch(config-if-range)#exit
Switch(config)#interface range FastEthernet0/3 - 4
Switch(config-if-range)#switchport
Switch(config-if-range)#switchport mode access
Switch(config-if-range)#switchport access vlan 20
Switch(config-if-range)#exit
Switch(config)#interface vlan 10
Switch(config-if)#description “SVI for VLAN 10”
Switch(config-if)#ip address 192.168.10.1 255.255.255.0
Switch(config-if)#no shutdown
Switch(config-if)#exit
Switch(config)#interface vlan 20
Switch(config-if)#description “SVI for VLAN 20”
Switch(config-if)#ip address 192.168.20.1 255.255.255.0
Switch(config-if)#no shutdown
Switch(config-if)#exit
It’s very easy to miss, but ensure that you add the ip routing command. I’ve made this mistake many times personally and have also supported top-level Cisco experts who did the same. You should now be able to add IP addresses to the hosts in each VLAN and ping across VLANs 10 and 20.
SVIs are the preferred method for implementing interVLAN routing on a switch. As its name suggests, the switch virtual interface is virtual, meaning this interface doesn’t physically exist; instead, it’s logically defined on the switch’s routing logic (in its Routing Engine).
Like any other interface, you can verify the interface state using the show interface command. A sample output is shown below:
Switch#show interface vlan 10
Vlan10 is up, line protocol is down
Hardware is EtherSVI, address is c200.06c8.0000 (bia c200.06c8.0000)
Internet address is 192.168.10.1/24
MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, Loopback not set
ARP type: ARPA, ARP Timeout 04:00:00
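Both the router-on-a-stick mini-lab and the SVI mini-lab above come down to a handful of pairings that are easy to get wrong: every access VLAN and the trunk’s native VLAN need a router subinterface with the matching dot1Q tag, the native keyword must sit on exactly the subinterface for the switch’s native VLAN, a 2960 needs an ip default-gateway inside one of its SVI subnets, and a layer 3 switch needs ip routing before its SVIs route anything. The script below checks those pairings from running-config text. It is an added example for this chapter, not the book’s or Cisco’s code; the configuration fragments are constructed to mirror the labs (VLANs 10 and 30, 192.168.x.0/24), and the parser assumes the one-space indentation IOS uses under interface stanzas.

```python
"""Audit interVLAN routing from running-config text before trusting a trunk
to carry the management VLAN. Added example for this chapter (not the book's
or Cisco's code); the configuration fragments below are constructed to mirror
the router-on-a-stick and SVI mini-labs, not real captures."""
import ipaddress

def parse_ios(cfg):
    """Minimal IOS parser -> (global lines, {interface name: [indented lines]}).
    Relies on the single-space indentation IOS uses under 'interface'."""
    globs, ifaces, cur = [], {}, None
    for raw in cfg.splitlines():
        line = raw.strip().lower()
        if not line or line == "!":
            continue
        if line.startswith("interface "):
            cur = "".join(line.split()[1:])          # "interface Vlan 30" -> "vlan30"
            ifaces[cur] = []
        elif raw.startswith(" ") and cur is not None:
            ifaces[cur].append(line)
        else:
            cur = None
            globs.append(line)
    return globs, ifaces

def _addr(lines):
    """First 'ip address A.B.C.D M.M.M.M' under an interface, or None."""
    for l in lines:
        if l.startswith("ip address "):
            _, _, ip, mask = l.split()
            return ipaddress.ip_interface(f"{ip}/{mask}")
    return None

def audit_router_on_a_stick(switch_cfg, router_cfg):
    """Findings for a 2960-style switch trunking to a router's subinterfaces."""
    findings, needed, native = [], set(), 1          # VLAN 1 is the default native VLAN
    sw_globs, sw_ifaces = parse_ios(switch_cfg)
    for l in (l for ls in sw_ifaces.values() for l in ls):
        if l.startswith("switchport access vlan "):
            needed.add(int(l.split()[-1]))
        elif l.startswith("switchport trunk native vlan "):
            native = int(l.split()[-1])
    needed.add(native)                               # the native VLAN needs its own subinterface
    served = {}                                      # dot1Q tag -> router marks it native?
    for l in (l for ls in parse_ios(router_cfg)[1].values() for l in ls):
        if l.startswith("encapsulation dot1q "):
            served[int(l.split()[2])] = l.endswith(" native")
    for tag in sorted(needed - set(served)):
        findings.append(f"VLAN {tag} has no router subinterface")
    for tag, marked_native in served.items():
        if marked_native != (tag == native):         # 'native' on the wrong (or no) subinterface
            findings.append(f"native VLAN mismatch on VLAN {tag}: switch native is {native}")
    # A 2960 cannot route, so its own off-subnet traffic depends on ip default-gateway
    gw = next((l.split()[-1] for l in sw_globs if l.startswith("ip default-gateway ")), None)
    svi_nets = [_addr(ls).network for n, ls in sw_ifaces.items()
                if n.startswith("vlan") and _addr(ls)]
    if gw is None:
        findings.append("switch has no ip default-gateway")
    elif not any(ipaddress.ip_address(gw) in net for net in svi_nets):
        findings.append(f"ip default-gateway {gw} is not in any SVI subnet")
    return findings

def audit_svi_routing(switch_cfg):
    """Findings for a layer 3 switch routing between its own SVIs."""
    globs, ifaces = parse_ios(switch_cfg)
    findings = [] if "ip routing" in globs else ["ip routing is missing: SVIs will not route"]
    access = {int(l.split()[-1]) for ls in ifaces.values() for l in ls
              if l.startswith("switchport access vlan ")}
    for v in sorted(access):
        if _addr(ifaces.get(f"vlan{v}", [])) is None:
            findings.append(f"VLAN {v} has no SVI with an IP address")
    return findings

# Constructed running-config fragments; values mirror the mini-labs.
SWITCH_2960 = """
interface FastEthernet0/1
 switchport access vlan 10
interface FastEthernet0/24
 switchport mode trunk
 switchport trunk native vlan 30
interface Vlan30
 ip address 192.168.30.2 255.255.255.0
ip default-gateway 192.168.30.1
"""
ROUTER_R1 = """
interface FastEthernet0/0.10
 encapsulation dot1Q 10
 ip address 192.168.10.1 255.255.255.0
interface FastEthernet0/0.30
 encapsulation dot1Q 30 native
 ip address 192.168.30.1 255.255.255.0
"""
SWITCH_L3 = """
ip routing
interface FastEthernet0/1
 switchport access vlan 10
interface Vlan10
 ip address 192.168.10.1 255.255.255.0
"""
```

Run audit_router_on_a_stick against the switch and router configurations after any trunk change, and audit_svi_routing against a layer 3 switch; an empty list means the pairings line up, and each finding names the VLAN or command to fix. Dropping the native keyword from the VLAN 30 subinterface, for instance, is reported as a native VLAN mismatch on VLAN 30, and removing ip routing from the layer 3 switch is reported before anything else.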
[END OF MINI-LAB]
SVI versus Routed Port
I don’t expect this to come up in the CCNA exam, but because I’m guessing you want to be a good Cisco engineer, it’s worth considering the difference between a physical routed port and an SVI.
Table 9-4: SVI versus routed port
Characteristics      | SVI                                                                                      | Routed Port
Logic                | Virtual layer 3 interface working behind layer 2 interfaces. Advanced router on a stick. | True layer 3 interface
Capable of Routing   | Yes                                                                                      | Yes
Physically Exists    | No                                                                                       | Yes
Sample Configuration | see SVI sample configuration below                                                       | see routed port sample configuration below
SVI sample configuration:
Sw(config)#vlan 10
Sw(config)#int vlan 10
Sw(config-if)#ip address 10.0.0.10 255.255.255.0
Routed port sample configuration:
Sw(config)#interface f0/3
Sw(config-if)#no switchport
Sw(config-if)#ip address 10.0.0.10 255.255.255.0
Sw(config-if)#no shut
By default, a 2960 Switch cannot route IP packets. This model is at the low end of Cisco’s product range. It can’t actually route packets because the Switch Database Management (SDM) template does not support routing by default. You need to change the SDM template before routing can be supported. The output below shows your options but these will differ based on the model and IOS installed:
Switch(config)#sdm prefer ?
access Access bias
default Default bias
dual-ipv4-and-ipv6 Support both IPv4 and IPv6
ipe IPe bias
lanbase-routing Unicast bias
vlan VLAN bias
You need the lanbase-routing SDM template to support IP routing on the 2960 Switch. Also, note that a change in the SDM template requires a reload to take effect. You can check the SDM template by using the show sdm prefer command. A sample output from a switch is shown below:
Switch#show sdm prefer
The current template is desktop default template.
The selected template optimizes the resources in
the switch to support this level of features for
8 routed interfaces and 1024 VLANs.
number of unicast mac addresses: 6K
number of IPv4 IGMP groups + multicast routes: 1K
number of IPv4 unicast routes: 8K
number of directly-connected IPv4 hosts: 6K
number of indirect IPv4 routes: 2K
number of IPv4 policy based routing aces: 0
number of IPv4/MAC qos aces: 0.5K
number of IPv4/MAC security aces: 1K
A very important point to note is that the 2960 Switch supports only static and default routing (more on this later). It is NOT a multilayer switch because it doesn’t support the ip routing command. You cannot configure routing protocols on the 2960. Please Google “Configuring static IP unicast routing Cisco 2960” for more information, but feel free to ignore that search if you want to focus only on the CCNA exam topics.
You will configure advanced VLANs in the CCNP ENCOR course.
End of Chapter Questions
Please visit www.howtonetwork.com/ccnasimplified to take the free Chapter 9 exam.
Chapter 9 Labs
Lab 1: InterVLAN Routing
Lab Exercise
Your task is to configure the network such that PC-A in VLAN 2 can ping PC-B in VLAN 3 across the switches. In the topology shown in Figure 9.16 below, you can always swap the PCs for routers and use Fast Ethernet interfaces to connect to the switches.
Purpose
This topology is known as a router on a stick. When you have VLANs in your network, they must each reside in their own subnet. In order for subnets to be able to communicate, you must have a layer 3 device.
FIG 9.16 – InterVLAN routing
VLAN 2 – 192.168.2.0/24, PC-A 192.168.2.2/24
VLAN 3 – 192.168.3.0/24, PC-B 192.168.3.2/24
Because you may have only one available Fast Ethernet interface on your router, you will need to divide the physical interface into logical subinterfaces. For example, if your router interface is Fast Ethernet 0/0, then the subinterface would be 0/0.1. It is common practice to name your subinterface to match your VLANs, so you would name the subinterface for VLAN 2 Fast Ethernet 0/0.2.
In order to use the router Ethernet interface as a trunk connection to the switches, the encapsulation type must be set to dot1q. Depending on your switch model, this may be your only encapsulation choice, so the encapsulation command may not work (this applies to 2960 Switches).
One last note: in this lab, you may swap PCs for Fast Ethernet interfaces on routers. You will need to add static routes on the routers though (see below).
Lab Objectives
- Configure Switch A to trunk with Switch B and Router 1 using 802.1Q.
- Configure Switch B to trunk to Switch A using 802.1Q.
- Configure port fa0/3 to be in the correct VLANs on both switches.
- Configure Router 1’s fa0/0 interface with two subinterfaces in the correct VLANs and with correct IP addresses (.1 in the respective subnets).
- Configure the PCs with respective gateway addresses (address of the subinterface on Router 1).
- Ping from PC-A to PC-B.
Lab Walk-through
- Configure Switch A for trunking on the relevant ports. You need trunk ports because they carry traffic for multiple VLANs. Do the following:
Switch#configure terminal
Switch(config)#hostname SwitchA
SwitchA(config)#interface range fa0/1 - 2
SwitchA(config-if-range)#switchport mode trunk
Please note: You need a space between the interface numbers if you are using the range command, and the command may not work if your IOS version does not support it. If you are using different switch models, your interfaces may show as 1/1, etc.
Please note: This is platform/IOS version-dependent. Some platforms/versions require a space before and after the hyphen, some require it only before the hyphen, and some don’t require a space at all.
You can check the encapsulation type with the show interface trunk command:
SwitchA#show interface trunk
Port Mode Encapsulation Status Native vlan
Fa0/1 on 802.1q trunking 1
Fa0/2 on 802.1q trunking 1
- To configure Switch B for trunking, do the following:
Switch#config t
Switch(config)#hostname SwitchB
SwitchB(config)#int fa0/1
SwitchB(config-if)#switchport mode trunk
- Access ports are used to connect hosts to the switch. They should actually be access ports by default, but it is useful to know the command. To configure the access ports, do the following:
SwitchA(config)#interface fa0/3
SwitchA(config-if)#switchport mode access
SwitchA(config-if)#switchport access vlan 2
SwitchB(config)#interface fa0/3
SwitchB(config-if)#switchport mode access
SwitchB(config-if)#switchport access vlan 3
Please note: You have put the interfaces into the respective VLANs 2 and 3 with the commands above. Also, if VLAN 2 or 3 is not already created on the switch, you may see:
SwitchB(config-if)#switchport access vlan 2
% Access VLAN does not exist. Creating vlan 2
You can see from earlier labs that VLANs are created with the Switch(config)#vlan 2 command.
- To configure the router port, you need to add subinterfaces and configure dot1q encapsulation so the interface can trunk the VLANs. Do the following:
Router#config t
Router(config)#hostname Router1
Router1(config)#interface fa0/0
Router1(config-if)#no shut
Router1(config-if)#interface fa0/0.2
Router1(config-subif)#encapsulation dot1q 2
Router1(config-subif)#ip address 192.168.2.1 255.255.255.0
Router1(config-subif)#interface fa0/0.3
Router1(config-subif)#encapsulation dot1q 3
Router1(config-subif)#ip address 192.168.3.1 255.255.255.0
(Please note: Interface fa0/0.2 is used for VLAN 2. The correct VLAN number after the dot1q command was also added. You can see the output the router expects below.)
Router1(config-subif)#encap dot1q ?
[1-4095]  IEEE 802.1Q VLAN ID required, range 1 - 0xFFF.
- (Optional) Depending on the operating system of the PCs, configure their gateway to be 192.168.2.1 and 192.168.3.1, respectively.
In this example, I used the switching rack at https://www.howtonetwork.com and used two routers (connected to Switches A and B) with Fast Ethernet interfaces instead of PCs. They are only required to prove that the VLANs can communicate. Fast Ethernet 0/0 on Router A is given an IP address in VLAN 2 and Router B in VLAN 3. If you do use routers, please remember to add a static route (e.g., on the router with the IP address 192.168.3.2, add the static route ip route 0.0.0.0 0.0.0.0 192.168.3.1).
RouterA:
Router(config)#hostname RouterA
RouterA(config)#int fast0/0
RouterA(config-if)#ip add 192.168.2.2 255.255.255.0
RouterA(config-if)#no shut
RouterA(config-if)#^Z
RouterA#
RouterB:
Router(config)#hostname RouterB
RouterB(config)#int fast0/0
RouterB(config-if)#ip add 192.168.3.2 255.255.255.0
RouterB(config-if)#no shut
RouterB(config-if)#^Z
RouterB#
- Now ping 192.168.3.2 from PC-A (or Router A if you are using routers):
RouterA#ping 192.168.3.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.3.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
Show Runs
Running Configuration
Router1#sh run
Building configuration…
[output truncated]
hostname Router1
!
interface FastEthernet0/0
no ip address
duplex auto
speed auto
!
interface FastEthernet0/0.2
encapsulation dot1Q 2
ip address 192.168.2.1 255.255.255.0
!
interface FastEthernet0/0.3
encapsulation dot1Q 3
ip address 192.168.3.1 255.255.255.0
!
SwitchA#sh run
Building configuration…
[output truncated]
hostname SwitchA
!
interface FastEthernet1/0
!
interface FastEthernet1/1
switchport mode trunk
!
interface FastEthernet1/2
switchport mode trunk
!
interface FastEthernet1/3
switchport mode access
switchport access vlan 2
!
!
SwitchB#sh run
Building configuration…
[output truncated]
hostname SwitchB
!
interface FastEthernet1/0
!
interface FastEthernet1/1
switchport mode trunk
!
interface FastEthernet1/2
!
interface FastEthernet1/3
switchport mode access
switchport access vlan 3
!
[END OF MINI-LAB]