What is VTP? Imagine having 20, 50, 100, or more switches on your network. If you made a VLAN change on one of the switches, you would have to configure the others manually to have the same information. This process would take many hours, and of course there would be scope for configuration errors.
As you may have already guessed, there is a way to make a change on one switch and have this change automatically propagate to the other switches. This method maintains consistency throughout the network and is known as VLAN Trunking Protocol (VTP).
VLAN Trunking Protocol
VTP is a Cisco proprietary layer 2 protocol that advertises VLAN configuration information throughout the switch infrastructure (so long as certain parameters are met). VTP advertises the VLAN name, the VLAN ID, and the type of VLAN for every VLAN. One thing VTP can’t do is decide which ports on each switch should be in which VLAN. VTP ensures that up-to-date and consistent VLAN information exists throughout the switching domain.
Version 2 of VTP introduced support for token ring networks, which are now obsolete, so you are fine with using version 1. VTP version 3 (on the 2960 Series Switch, this is supported only when the switch is running the LAN base image) supports the following features that are not supported in version 1 or version 2:
- Enhanced authentication
- The extended range of VLAN (VLANs 1006 to 4094) database propagation (VTP versions 1 and 2 propagate only VLANs 1 to 1005; if extended VLANs are configured, you cannot convert from VTP version 3 to version 1 or 2)
- Private VLAN support
- Any database in a domain
- VTP primary server and VTP secondary servers (a VTP primary server updates the database information and sends updates that are honored by all devices in the system, while a VTP secondary server can only back up the updated VTP configurations received from the primary server to its NVRAM)
- The option to turn VTP on or off on a per-trunk (per-port) basis
Each switch has to be configured to join the same VTP domain in order to exchange VTP information. To join the domain, you simply give each switch the same VTP domain name, like “Cisco”, for example (see the configuration below). Only switches in the same VTP management domain will share information. VTP information can be protected with a password. Moreover, all of the switches in the VTP domain need to have the same password in order to decrypt the VTP packets.
The benefits of using VTP include:
- Accurate monitoring and reporting of VLANs
- VLAN consistency across the network
- Ease of adding and removing VLANs
Each switch using VTP advertises the management domain, the revision number of the configuration, and known VLANs (and their parameters) out of their trunk ports. Figure 10.1 below shows a capture of a VTP frame:
FIG 10.1 – VTP frame capture
In Figure 10.2 below, you can see Switch1 sending a VTP update out of all trunk ports to switches in the same domain. It is advertising the creation of VLAN 100, and this change is propagated throughout the switch domain.
FIG 10.2 – VTP updates
In the output below, I have Switch 1 and Switch 2 connected via a trunk interface (manually set to trunk on Switch 2 with the switchport mode trunk IOS command and set to auto on Switch 1). You can see that Switch 2 has the default VLANs only (which we covered earlier). The show vlan brief command will show the VLANs and interfaces in the relevant VLANs. It will not, however, show the trunk interfaces.
Switch2#show vlan brief
VLAN Name Status Ports
—- —————— ———— ——————————
1 default active Fa0/1, Fa0/2, Fa0/3, Fa0/4
Fa0/5, Fa0/6, Fa0/7, Fa0/8
Fa0/9, Fa0/10, Fa0/11, Fa0/12
Fa0/13, Fa0/14, Fa0/15, Fa0/16
Fa0/17, Fa0/18, Fa0/19, Fa0/20
Fa0/21, Fa0/22, Fa0/23, Fa0/24
Gig1/1, Gig1/2
1002 fddi-default active
1003 token-ring-default active
1004 fddinet-default active
1005 trnet-default active
You can check that the interface is actually set to trunk with the command below:
Switch1#show int trunk
Port Mode Encapsulation Status Native vlan
Fa0/1 auto n-802.1q trunking 1
You can see that the encapsulation is 802.1Q and the “n” means that it was negotiated (this output is from the Cisco 3350 Switch, which also runs ISL, so we know that Switch 2 was set to 802.1Q and manually to trunk). Now issue the show vtp status command to give you a snapshot of the current VTP settings:
Switch1#show vtp status
VTP Version : 2
Configuration Revision : 0
Maximum VLANs supported locally : 255
Number of existing VLANs : 5
VTP Operating Mode : Server
VTP Domain Name :
VTP Pruning Mode : Disabled
VTP V2 Mode : Disabled
VTP Traps Generation : Disabled
MD5 digest : 0x7D 0x5A 0xA6 0x0E 0x9A 0x72 0xA0 0x3A
Configuration last modified by 0.0.0.0 at 0-0-00 00:00:00
Local updater ID is 0.0.0.0 (no valid interface found)
There is no name configured yet, but the default mode is server (although it will be transparent on some platforms). You can also see that no configuration modifications have occurred yet because the configuration revision is set to zero. The only VLANs present are the default ones, which total five. I’ll set a VTP domain name on Switch 2. Adding a VTP domain name triggers VTP updates to be sent from the switch. If a neighbor switch has no VTP domain name, it will accept the incoming name and add it to its own configuration (see below):
Switch2#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Switch2(config)#vtp domain howtonetwork.com
Changing VTP domain name from NULL to howtonetwork.com
You can see that this change has been propagated to Switch 1 already:
Switch1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Switch1(config)#vtp domain howtonetwork.com
Domain name already set to howtonetwork.com.
I will now add VLAN 100 to Switch 1 and name it:
Switch1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Switch1(config)#vlan 100
Switch1(config-vlan)#name ADMIN
Switch1(config-vlan)#end
Switch1#
This change is propagated to Switch 2:
Switch2#show vlan brief
VLAN Name Status Ports
—- ——————– ———- ——————————
1 default active Fa0/2, Fa0/3, Fa0/4, Fa0/5
Fa0/6, Fa0/7, Fa0/8, Fa0/9
Fa0/10, Fa0/11, Fa0/12, Fa0/13
Fa0/14, Fa0/15, Fa0/16, Fa0/17
Fa0/18, Fa0/19, Fa0/20, Fa0/21
Fa0/22, Fa0/23, Fa0/24, Gig1/1
Gig1/2
100 ADMIN active
1002 fddi-default active
1003 token-ring-default active
1004 fddinet-default active
1005 trnet-default active
You may also have noticed that the configuration revision number increased each time you made a change on a neighbor switch, and the number of VLANs increased each time a new VLAN was created. (It currently shows as 2 because I may have done some testing during the commands above but not shown them.) The VTP revision number tells the switch whether an incoming update should be accepted. If the number is higher than the current revision number, it will be accepted and applied.
Switch2#sh vtp status
VTP Version: 2
Configuration Revision: 2
Maximum VLANs supported locally: 255
Number of existing VLANs: 6
VTP Operating Mode: Server
VTP Domain Name: howtonetwork.com
VTP Pruning Mode: Disabled
VTP V2 Mode: Disabled
VTP Traps Generation: Disabled
MD5 digest: 0x2C 0x18 0xE9 0x5E 0x50 0x62 0xE2 0x92
Configuration last modified by 10.1.1.1 at 3-1-93 03:08:39
Local updater ID is 0.0.0.0 (no valid interface found)
If you add a switch to your network and it has a higher configuration revision number than your current one, you run the risk of all your network switches accepting the new VTP information and wiping all your current VLANs. This can happen even if the new switch is set to client mode. Please Google “Adding a VTP client switch to a VTP domain” for more information from Cisco on this (this is probably not a CCNA exam topic, so feel free to revisit this after the exam).
It is also worth noting that if your switches have been allocated a management IP address, this will show as the originator of the VTP update as you can see in the 10.1.1.1 address in the output above. If there are faulty updates being sent, you can quickly identify the source this way.
There are other outputs on the show command above; however, they are outside the scope of the CCNA exam. I recommend that you try these commands on your home CCNA rack or a remote rack if you have access.
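One way to catch the revision-number problem before a switch is cabled in is to parse show vtp status from the existing domain and from the new switch and compare the two. The Python below is an added example for this chapter, not Cisco's or the book's code: the first capture is constructed from the Switch 2 output above, the second assumes a lab switch (revision 7, not shown on the page) that carries the same domain name, and both spacing styles of the command output are handled.

```python
"""Parse show vtp status output and check a switch before it joins a VTP domain.

Added example for this chapter, not Cisco or book code. DOMAIN_SWITCH is built
from the Switch2 capture in the text; NEW_SWITCH is an assumed lab switch.
"""
import re

# Constructed from the Switch2 output after VLAN 100 was added (revision 2).
DOMAIN_SWITCH = """\
VTP Version: 2
Configuration Revision: 2
Maximum VLANs supported locally: 255
Number of existing VLANs: 6
VTP Operating Mode: Server
VTP Domain Name: howtonetwork.com
VTP Pruning Mode: Disabled
MD5 digest: 0x2C 0x18 0xE9 0x5E 0x50 0x62 0xE2 0x92
Configuration last modified by 10.1.1.1 at 3-1-93 03:08:39
"""

# Assumed: a switch that was used as a server elsewhere and set back to client;
# it carries the same domain name but a higher revision (values constructed).
NEW_SWITCH = """\
VTP Version                     : 2
Configuration Revision          : 7
Maximum VLANs supported locally : 255
Number of existing VLANs        : 5
VTP Operating Mode              : Client
VTP Domain Name                 : howtonetwork.com
VTP Pruning Mode                : Disabled
MD5 digest                      : 0x7D 0x5A 0xA6 0x0E 0x9A 0x72 0xA0 0x3A
Configuration last modified by 0.0.0.0 at 0-0-00 00:00:00
"""

# Both "Key: value" and "Key : value" layouts occur across IOS releases.
_FIELD = re.compile(r"^(?P<key>[A-Za-z0-9 ]+?)\s*:\s*(?P<val>.*)$")
_LAST_MOD = re.compile(r"^Configuration last modified by (?P<ip>\S+) at (?P<when>.+)$")


def parse_vtp_status(text):
    """Return the fields an auditor cares about as a dict."""
    info = {"domain": "", "md5": ""}
    for raw in text.splitlines():
        line = raw.strip()
        m = _LAST_MOD.match(line)
        if m:                                  # who sent the last accepted update
            info["last_modified_by"] = m.group("ip")
            continue
        m = _FIELD.match(line)
        if not m:
            continue
        key, val = m.group("key").strip(), m.group("val").strip()
        if key == "Configuration Revision":
            info["revision"] = int(val)
        elif key == "VTP Operating Mode":
            info["mode"] = val.lower()
        elif key == "VTP Domain Name":
            info["domain"] = val               # "" while no domain is set
        elif key == "Number of existing VLANs":
            info["vlan_count"] = int(val)
        elif key == "MD5 digest":
            info["md5"] = val
    return info


def prejoin_findings(domain_text, new_text):
    """Things to fix before cabling the new switch into the existing domain.

    Rule from the text: an update with a higher revision is accepted and
    applied by servers and clients alike, so a stray switch with a higher
    revision replaces the whole domain's VLAN database.
    """
    cur, new = parse_vtp_status(domain_text), parse_vtp_status(new_text)
    findings = []
    same_domain = new["domain"] == cur["domain"]
    if same_domain and new["mode"] != "transparent" and new["revision"] > cur["revision"]:
        findings.append(
            f"revision {new['revision']} > domain revision {cur['revision']}: its VLAN "
            "database would replace the domain's (client mode does not prevent this); "
            "reset it first via transparent mode or a domain-name change"
        )
    if cur["mode"] == "server" and cur["domain"] == "":
        findings.append("domain switch has no VTP domain name: it adopts the first one it hears")
    if same_domain and new["revision"] == cur["revision"] and new["md5"] != cur["md5"]:
        findings.append("same revision but different MD5 digest: password or database mismatch")
    return findings
```

Running prejoin_findings(DOMAIN_SWITCH, NEW_SWITCH) reports the revision 7 versus 2 problem; comparing a capture against itself reports nothing.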
VTP Modes
There are three possible modes a switch in a VTP domain can be in:
- Client
- Server (default mode, but this is platform-dependent)
- Transparent
Client Mode
In client mode, the switch will receive VTP information and apply any changes, but it does not allow adding, removing, or changing VLAN information on the switch.
Switch#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#vtp mode client
Setting device to VTP CLIENT mode.
Switch(config)#vlan 10
%VTP VLAN configuration not allowed when device is in CLIENT mode.
The client will also forward the VTP packets it receives out of its trunk ports. It cannot store any VLAN information in NVRAM, so a reload will wipe any VLAN information.
Be warned that if you took the VTP client switch off the network, made it a server, added some configuration, set it back to client, and then added it back to the network, its changes would propagate throughout the entire VTP domain. The reason for this is that its revision number is higher AND a VTP server behaves like a client in this respect: if it receives a configuration with a higher revision number, it will accept that information as correct.
Server Mode
In server mode, the switch is authorized to create, modify, and delete VLAN information for the entire VTP domain. Any changes that you make to a server are propagated throughout the whole domain. Switches are in server mode by default (platform-dependent). All VLAN information is stored in NVRAM on the VTP server in a file called “vlan.dat” and remains present after a reload (so don’t try to wipe the configuration files via reload).
You can have more than one server in a VTP domain; however, whichever one you add the configuration to will update the revision number and send all changes throughout the domain to other servers, clients, and transparent switches.
Transparent Mode
In transparent mode, the switch will forward the VTP information received out of its trunk ports but will not apply the changes. A VTP transparent mode switch can create, modify, and delete VLANs, but the changes are not propagated to other switches. All information is locally significant and not forwarded. VTP transparent mode also requires configuration of domain information. A VTP transparent switch is needed when a switch separating a VTP server and client needs to have a different VLAN database.
You would need to put a switch into transparent mode if you wanted to add VLAN numbers above 1024 or use private VLANs (a CCNP topic). The extended range of usable VLANs available is 1006 to 4094, inclusive. We will cover extended VLANs later.
Note: VTP version 3 also allows you to add VLAN numbers over 1024.
Switch(config)#vlan 2000
Switch(config-vlan)#end
% Failed to create VLANs 2000
Extended VLAN(s) not allowed in current VTP mode.
%Failed to commit extended VLAN(s) changes.
Switch(config)#vtp mode transparent
Setting device to VTP TRANSPARENT mode.
Switch(config)#vlan 2000
Switch(config-vlan)#end
Table 10-1: VTP characteristics
| Capability | VTP Server | VTP Client | VTP Transparent |
| --- | --- | --- | --- |
| Sending VTP Messages | Yes | Yes | No |
| Listening to VTP Messages | Yes | Yes | No |
| Creating VLANs | Yes | No | Yes (locally) |
| Deleting VLANs | Yes | No | Yes (locally) |
| Modifying VLANs | Yes | No | Yes (locally) |
| Storing VLANs | Yes | No | Yes (locally) |
Figure 10.3 below shows VTP in action:
FIG 10.3 – VTP domain
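The Python below models the behaviour summarised in Table 10-1 together with the revision rule: servers and clients apply an advertisement only when its revision is higher than their own, clients relay what they accept, and a transparent switch relays without applying and may create extended VLANs locally. It is an added example for this chapter, not Cisco code; the four-switch topology, the VLAN names and the offline LAB switch are constructed, and the second scenario plays through the rejoining-client warning from the client-mode section.

```python
"""Model of VTP mode behaviour (Table 10-1) and the revision rule.

Added example for this chapter, not Cisco code. Topology, VLAN names and the
offline LAB switch are constructed; default VLANs 1002-1005 are omitted.
"""
EXTENDED_MIN = 1006


class VtpError(Exception):
    """Raised where IOS would print a %VTP or %Failed message."""


class Switch:
    def __init__(self, name, mode, domain):
        self.name, self.mode, self.domain = name, mode, domain
        self.revision = 0
        self.vlans = {1: "default"}
        self.trunks = []                      # neighbours reached over trunk links

    def add_vlan(self, vid, vlan_name):
        if self.mode == "client":
            raise VtpError("VLAN configuration not allowed when device is in CLIENT mode")
        if vid >= EXTENDED_MIN and self.mode != "transparent":
            raise VtpError("Extended VLAN(s) not allowed in current VTP mode")
        self.vlans[vid] = vlan_name
        if self.mode == "transparent":
            return                            # locally significant, never advertised
        self.revision += 1                    # every server change bumps the revision
        self.advertise()

    def set_mode(self, mode):
        if mode == "transparent":
            self.revision = 0                 # passing through transparent resets it
        self.mode = mode

    def advertise(self):
        """Send this switch's own database out of every trunk (servers and clients)."""
        self.forward((self.domain, self.revision, dict(self.vlans)), source=None)

    def forward(self, summary, source):
        for nbr in self.trunks:
            if nbr is not source:
                nbr.receive(summary, source=self)

    def receive(self, summary, source):
        domain, revision, vlans = summary
        if self.mode == "transparent":
            self.forward(summary, source)     # relays, never applies
            return
        if self.domain is None:
            self.domain = domain              # no name yet: adopt the first one heard
        if domain != self.domain:
            return                            # different management domain: ignored
        if revision > self.revision:          # higher revision wins, server or client
            self.vlans = dict(vlans)
            self.revision = revision
            self.forward(summary, source)     # clients relay what they accepted


def link(a, b):
    a.trunks.append(b)
    b.trunks.append(a)


def propagate_demo():
    """S1 (server) - C1 (client) - T1 (transparent) - S2 (server), domain Cisco."""
    s1, c1 = Switch("S1", "server", "Cisco"), Switch("C1", "client", "Cisco")
    t1, s2 = Switch("T1", "transparent", "Cisco"), Switch("S2", "server", "Cisco")
    link(s1, c1)
    link(c1, t1)
    link(t1, s2)
    s1.add_vlan(100, "ADMIN")                 # reaches C1 and S2, passes through T1
    t1.add_vlan(2000, "LOCAL")                # extended VLAN: transparent only
    return s1, c1, t1, s2


def stale_client_rejoin(reset_first=False):
    """The warning from the client-mode section: a switch used as a server while
    off the network, then set back to client, returns with a higher revision."""
    s1, c1 = Switch("S1", "server", "Cisco"), Switch("C1", "client", "Cisco")
    link(s1, c1)
    s1.add_vlan(100, "ADMIN")                 # domain at revision 1 with VLAN 100
    lab = Switch("LAB", "server", "Cisco")    # offline switch, same domain name
    for vid in (10, 20, 30):
        lab.add_vlan(vid, f"TEST{vid}")       # revision climbs to 3, no VLAN 100
    if reset_first:
        lab.set_mode("transparent")           # the fix: zero the revision first
    lab.set_mode("client")                    # client mode alone does not protect
    link(lab, c1)
    lab.advertise()                           # first summary over the new trunk
    return s1, c1, lab
```

Without reset_first the LAB switch's revision 3 replaces VLAN 100 on both S1 and C1; with it, the revision-0 summary is ignored and the domain keeps its database.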
Mini-lab – Configuring VTP
First, connect two switches together with a crossover cable. To enable VTP, you need to configure the VTP domain and, optionally, the VTP mode and VTP password. Note that on some platforms, I’ve noticed that no changes will propagate unless there is a password (this is the benefit of using live equipment—you get to discover certain glitches).
Configure a trunk link between the two switches with the switchport mode trunk command. Add VLAN 5 to Switch A and name it VTPTest.
FIG 10.4 – Mini-lab: Configuring VTP
The following commands accomplish this (switches will be in the server mode by default):
SwitchA(config)#vtp mode ?
client Set the device to client mode.
server Set the device to server mode.
transparent Set the device to transparent mode.
SwitchA(config)#vtp mode server
SwitchA(config)#vtp domain Cisco
SwitchA(config)#vtp password ccna
SwitchA(config)#vlan 5
SwitchA(config-vlan)#name VTPTest
The vtp mode [server|client|transparent] command can be used to set the desired mode. VTP configuration can be verified using the show vtp status command:
SwitchA#show vtp status
VTP Version: 2
Configuration Revision: 1
Maximum VLANs supported locally: 255
Number of existing VLANs: 9
VTP Operating Mode: Server
VTP Domain Name: Cisco
VTP Pruning Mode: Disabled
VTP V2 Mode: Disabled
VTP Traps Generation: Disabled
MD5 digest: 0x5D 0x16 0x1A 0x34 0x2C 0xAE 0xA5 0xB4
Configuration last modified by 0.0.0.0 at 3-1-02 00:37:56
Local updater ID is 0.0.0.0 (no valid interface found)
Now that the VTP server is configured on Switch A, let’s take a look at both Switch A and Switch B, which is connected to Switch A using an 802.1Q trunk on port fa1/1. The show vlan outputs for both switches are shown below:
SwitchA#show vlan
VLAN Name Status Ports
—- ———————- ——— —————————-
1 default active Fa1/0, Fa1/2, Fa1/3, Fa1/4
Fa1/5, Fa1/6, Fa1/7, Fa1/8
Fa1/9, Fa1/10, Fa1/11, Fa1/12
Fa1/13, Fa1/14, Fa1/15
2 VLAN0002 active
3 VLAN0003 active
4 VLAN0004 active
5 VTPTest active
1002 fddi-default active
1003 token-ring-default active
1004 fddinet-default active
1005 trnet-default active
SwitchB#show vlan
VLAN Name Status Ports
—- ———————- ——— ————————–
1 default active Fa1/0, Fa1/2, Fa1/3, Fa1/4
Fa1/5, Fa1/6, Fa1/7, Fa1/8
Fa1/9, Fa1/10, Fa1/11, Fa1/12
Fa1/13, Fa1/14, Fa1/15
1002 fddi-default active
1003 token-ring-default active
1004 fddinet-default active
1005 trnet-default active
Let’s configure Switch B as a VTP client to Switch A and get the VTP configuration to match Switch A:
SwitchB(config)#vtp mode client
SwitchB(config)#vtp domain Cisco
SwitchB(config)#vtp password ccna
The output of the show vlan and show vtp status commands on Switch B now looks like this:
SwitchB#show vlan
VLAN Name Status Ports
—- ———————– ——— ————————–
1 default active Fa1/0, Fa1/2, Fa1/3, Fa1/4
Fa1/5, Fa1/6, Fa1/7, Fa1/8
Fa1/9, Fa1/10, Fa1/11, Fa1/12
Fa1/13, Fa1/14, Fa1/15
2 VLAN0002 active
3 VLAN0003 active
4 VLAN0004 active
5 VTPTest active
1002 fddi-default active
1003 token-ring-default active
1004 fddinet-default active
1005 trnet-default active
SwitchB#show vtp status
VTP Version: 1
Configuration Revision: 2
Maximum VLANs supported locally: 256
Number of existing VLANs: 9
VTP Operating Mode: Client
VTP Domain Name: Cisco
VTP Pruning Mode: Disabled
VTP V2 Mode: Disabled
VTP Traps Generation: Disabled
MD5 digest: 0x94 0xDE 0x28 0x9D 0x2D 0x95 0x96
Configuration last modified by 0.0.0.0 at 3-1-02 00:18:45
[END OF MINI-LAB]
In Figure 10.5 below, I’ve connected two switches together and created a trunk link between them. Both have matching VTP domain names and passwords. Switch A has management IP address 192.168.1.1 (so we can connect to it across the network in order to manage it) and Switch B has 192.168.1.2. I added a VLAN to Switch B and the update was sent to Switch A. You can see the IP address of Switch A at the bottom of the output.
FIG 10.5 – VTP across two switches
SwitchA#show vtp status
VTP Version: 2
Configuration Revision: 1
Maximum VLANs supported locally: 255
Number of existing VLANs: 6
VTP Operating Mode: Server
VTP Domain Name: Cisco
VTP Pruning Mode: Disabled
VTP V2 Mode: Disabled
VTP Traps Generation: Disabled
MD5 digest: 0x18 0xD3 0x67 0x97 0x7E 0xD3 0xAA
Configuration last modified by 192.168.1.2 at 3-1-93 00:03:11
Local updater ID is 192.168.1.1 on interface Vl1 (lowest numbered VLAN interface found)
SwitchA#
The vlan.dat files were referred to earlier. In the output below, you can see it in flash memory (NVRAM):
Cat2960-Switch#show flash
Directory of flash:/
2 -rwx 2888547 Mar 01 1993 00:03:33 c2960-i6q4l2-mz.151-13.EA1.bin
4 -rwx 924 Mar 01 1993 02:28:44 vlan.dat
7741440 bytes total (2867200 bytes free)
If you want to remove the configuration, you can issue the delete flash:vlan.dat command and then reload the switch. If you want to remove the current configuration on a switch without rebooting, you can set it to transparent mode and then back to server mode with the vtp mode transparent command, or by changing the VTP domain name to something else and then back again with the vtp domain [name] command.
A gotcha that you may have already spotted is that if you erase vlan.dat, the switch can still add the old configuration if it receives it via VTP from a connected switch.
Switch1(config)#vtp mode transparent
Setting device to VTP TRANSPARENT mode.
Switch1(config)#vtp domain cisco
Changing VTP domain name from howtonetwork.com to cisco
VTP Pruning
VTP information can be passed around the domain and reach the same switch from several paths. To add to this, every switch that has a trunk link forwards broadcasts to every other switch, even if it has no ports in that VLAN. The end result is broadcasts to switches that will eventually discard the traffic.
VTP pruning prevents VLAN information, broadcasts, multicasts, and unicasts from flooding other trunk ports when there is no need. It also reduces unnecessary broadcast, multicast, and flooded unicast traffic, which in turn increases available bandwidth. To understand when you would use this, let’s look at Figure 10.6. Because Switch B has ports only in VLAN 5, it would be wise to ensure that traffic not belonging to this VLAN doesn’t traverse the trunk link on Switch A.
FIG 10.6 – All VLANs advertised
VTP pruning can only be enabled from the VTP server. Once enabled there, it will automatically be enabled on all the VTP clients. VTP pruning can be enabled using the vtp pruning command on the VTP server. This, in turn, will enable the pruning capability in other switches in the VTP domain.
SwitchA#show vtp status
VTP Version: running VTP1 (VTP2 capable)
Configuration Revision: 0
Maximum VLANs supported locally: 1005
Number of existing VLANs: 5
VTP Operating Mode: Server
VTP Domain Name:
VTP Pruning Mode: Disabled
SwitchA(config)#vtp pruning
Pruning switched on
SwitchA(config)#end
SwitchA#show vtp status
VTP Version: running VTP1 (VTP2 capable)
Configuration Revision: 1
Maximum VLANs supported locally: 1005
Number of existing VLANs: 5
VTP Operating Mode: Server
VTP Domain Name:
VTP Pruning Mode: Enabled
Let’s see the output of show interface trunk on Switch A after VTP pruning is enabled:
SwitchA#show interface trunk
Port Mode Encapsulation Status Native vlan
Fa1/1 on 802.1q trunking 1
Port Vlans allowed on trunk
Fa1/1 1,5
Port Vlans allowed and active in management domain
Fa1/1 1,5
Port Vlans in spanning tree forwarding state and not pruned
Fa1/1 1,5
The output of the show interface trunk command shows the interfaces that are operating as trunks, as well as the VLANs that are allowed on the trunk, and the VLANs that are in forwarding state and are not pruned. You can’t prune VLAN 1.
FIG 10.7 – VLANs pruned
Note that VLANs 2, 3, and 4 are pruned on interface Fa0/1 because Switch B does not have any hosts in those VLANs. There is a manual method to prevent VLANs from crossing a trunk link, which will be covered in the switch security section.
If there is a VTP transparent switch in between the VTP server and client, then pruning will not work. This will be covered in more detail if you progress to the CCNP exam.
Configuring a Cisco Switch
Let’s cover a few basic configuration commands for your switch. Some of these commands have already been mentioned and others will be revisited as we progress through this guide. Just type them out for now, so you get some hands-on experience using them.
You can set the hostname of the switch:
Switch>enable
Switch#config t
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#hostname 2960
2960(config)#exit
And look at the version of IOS running on it:
2960#show version
Cisco Internetwork Operating System Software
IOS ™ C2960 Software (C2960-I6Q4L2-M), Version 15.1(20)EA1a, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2004 by Cisco Systems, Inc.
Compiled Mon 19-Apr-04 20:58 by yenanh
Image text-base: 0x80010000, data-base: 0x805A8000
ROM: Bootstrap program is C2960 boot loader
Switch uptime is 11 minutes
System returned to ROM by power-on
System image file is flash:/c2960-i6q4l2-mz.151-20.EA1a.bin
cisco WS-C2960G-12-EI (RC32300) processor (revision E0) with 20713K bytes of memory.
Processor board ID FHK0652X0PY
Last reset from system-reset
Running Enhanced Image
12 FastEthernet/IEEE 802.3 interface(s)
2 GigabitEthernet/IEEE 802.3 interface(s)
32K bytes of flash-simulated non-volatile configuration memory.
Base Ethernet MAC Address: 00:0C:BE:D4:3C:40
Motherboard assembly number: 34-7410-05
Power supply part number: 34-0475-02
Motherboard serial number: FUY00LWXZ
Power supply serial number: PHI0648897W
Model revision number: E0
Motherboard revision number: A0
Model number: WS-C2960G-12-EI
System serial number: FHK0652X0PY
Configuration register is 0xF
Switches can be managed remotely in the same way a router can (using the management IP address). A default gateway can also be configured on the switch. Because the switch ports are layer 2 ports, they cannot be assigned an IP address. For this reason, an SVI is created on the switch. The SVI is a layer 3 interface, and every VLAN can have one (the number depends on your model and IOS). SVIs are named after the VLAN ID, such as “Interface VLAN 1”. SVIs can be assigned an IP address.
The default management VLAN is VLAN 1. You can, however, change this and we’ll do this later on.
For a management interface to become active, you must create the VLAN, add an interface to the VLAN, or configure a trunk link containing this particular VLAN, and then configure an IP address on the relevant SVI and a default gateway for IP traffic. You saw this earlier in the SVI configuration commands, but we’ll cover it again.
2960#conf t
Enter configuration commands, one per line. End with CNTL/Z.
2960(config)#interface vlan 2
2960(config-if)#ip address 172.16.100.1 255.255.0.0
2960(config-if)#no shut
2960(config-if)#exit
2960(config)#ip default-gateway 172.16.1.1
2960(config)#^Z
2960#
00:22:51: %SYS-5-CONFIG_I: Configured from console by console
2960#conf t
Enter configuration commands, one per line. End with CNTL/Z.
2960(config)#interface FastEthernet0/1
2960(config-if)#switchport mode access
2960(config-if)#switchport access vlan 2
2960(config-if)#exit
With the configuration above, you can ping the switch, and the switch will know to send all IP traffic to 172.16.1.1 via the ip default-gateway 172.16.1.1 command. Note that, because the switch cannot route as such, the default gateway should be in the same subnet as the SVI. You must also apply the no shut command to the SVI to make it operational. This command will also enable you to telnet to the switch in order to manage it over the network.
You can set a local username and password so that any users telnetting into the switch will need to authenticate themselves. You can also apply encryption to the password so that it won’t display if a user issues the show run command:
Switch(config)#username paul password cisco
Switch(config)#service password-encryption
If you want the console line to terminate any idle sessions, you can apply a timeout value to it:
Switch(config)#line console 0
Switch(config-line)#exec-timeout ?
<0-35791> Timeout in minutes
Switch(config-line)#exec-timeout 5
Switch(config-line)#
You can configure the port to be either an access port or a trunk port. We will take a look at the access port first.
Switch(config)#int f0/1
Switch(config-if)#switchport mode access
Switch(config-if)#switchport access vlan 5
The first command tells the port to be an access port. This port will not try to establish a connection as a trunk. The second switchport command tells the port which VLAN it belongs to, in this case, VLAN 5.
Now, let’s configure a port for trunking. You will need to be connected to another switch at this point.
Switch(config)#int fast0/1
Switch(config-if)#switchport mode trunk
It’s worth noting that if the other side of the trunk link has been left on auto for the encapsulation type, you will see the letter “n” in front of the encapsulation type. Note that different switch models will have different default settings.
Switch2#sh int trunk
Port Mode Encapsulation Status Native vlan
Fa0/11 desirable n-802.1q trunking 1
If you wanted to telnet to the switch to configure it remotely, you would need to add line VTY configuration and enable secret/password configuration similar to a router, as well as a management IP address and default gateway (where to send all the IP traffic to). We will cover all of this as we progress through this guide, but in the meantime, please just follow along with the commands.
Mini-lab – IP Default Gateway on a Switch
Figure 10.8 below demonstrates a simple router-to-switch connection using the default VLAN 1. I added an IP address to VLAN 1 on the switch, creating an SVI and pointing all traffic to the router. I also added some basic configuration commands, which will be addressed as we progress through the guide.
FIG 10.8 – Mini-lab: IP default gateway on a switch
Switch#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#interface vlan 1
Switch(config-if)#ip add 192.168.1.2 255.255.255.0
Switch(config-if)#no shut
Switch(config-if)#exit
Switch(config)#ip default-gateway 192.168.1.1 – The default gateway
Switch(config)#enable secret cisco123 – Protects enable mode
Switch(config)#line vty 0 ?
<1-15> Last Line number
<cr>
Switch(config)#line vty 0 15 – Permits Telnet
Switch(config-line)#password cisco – Protects incoming Telnet sessions
Switch(config-line)#login
Switch(config-line)#end
Switch#copy run start – Saves the configuration
Destination filename [startup-config]?
Building configuration…
[OK]
Switch#
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#int f0/0
Router(config-if)#ip add 192.168.1.1 255.255.255.0
Router(config-if)#no shut
Router(config-if)#end
Router#ping 192.168.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
..!!!
Success rate is 60 percent (3/5), round-trip min/avg/max = 0/0/0 ms
Router#telnet 192.168.1.2
Trying 192.168.1.2 …Open
User Access Verification
Password: – Won’t show when typed
Switch>en
Password:
Switch#
[END OF MINI-LAB]
Mini-lab – Access Ports—Data and Voice
Although voice ports have not been discussed in the theory section, everything you need to know is contained in this mini-lab, which will be easiest to complete using Packet Tracer.
FIG 10.9 – Mini-lab: Access ports—data and voice
Use Packet Tracer to allocate an IP address to the PC. Any IP address will do. When you add the IP phone, you will need to drag the power cable over in order for it to boot. You will not be configuring the phone.
Normally, you would have one VLAN per access port, but IP phones are a special case. Create VLAN 10 for the access VLAN and VLAN 20 for the voice traffic:
Switch(config)#vlan 10
Switch(config-vlan)#vlan 20
Switch(config-vlan)#int f0/1
Set the interface to access mode and then configure the access and voice VLANs on the interface:
Switch(config-if)#switchport mode access
Switch(config-if)#switchport access vlan 10
Switch(config-if)#switchport voice vlan 20
Now check the interface settings:
Switch#show int f0/1 switchport
Name: Fa0/1
Switchport: Enabled
Administrative Mode: static access
Operational Mode: static access
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: native
Negotiation of Trunking: Off
Access Mode VLAN: 10 (VLAN0010)
Trunking Native Mode VLAN: 1 (default)
Voice VLAN: 20
The voice traffic will be forwarded with a tag, but the data traffic will be untagged.
[END OF MINI-LAB]
Extended VLANs
Cisco has expanded the syllabus slightly to specifically include extended VLANs. Some VLAN numbers are reserved for certain protocols, the native VLAN, and system use, while some are available for normal VLANs (2–1001) and others for extended VLANs (1006–4094). Table 10-2 below illustrates VLAN allocation numbers:
Table 10-2: VLAN allocation numbers
| VLAN Number or Range | Type | Description |
| --- | --- | --- |
| 0 | Reserved | This VLAN is reserved and is not configurable; it is for IEEE 802.1P priority tagging for voice traffic. |
| 1 | Normal | This is the default Cisco native VLAN. It can be used but cannot be deleted. |
| 2–1001 | Normal | By default, these VLANs can be created, used, and deleted on all Cisco Catalyst switches. |
| 1002–1005 | Normal | These are the default Token Ring and FDDI VLANs; they cannot be deleted. Both Token Ring and FDDI are beyond the scope of the CCNA certification requirements. |
| 1006–4094 | Extended | This extended range is used for Ethernet VLANs only. These VLANs can be created, used, and deleted. |
| 4095 | Reserved | This VLAN is reserved for system use and cannot be configured. |
Although VLANs 0 and 4095 are reserved for system use, they will not appear in the output of any show commands.
Cisco’s Catalyst 6500 Series Switches use certain VLAN numbers internally to represent layer 3 ports. These VLANs are referred to as internal VLANs and are selected from the extended VLAN range (i.e., the 1006–4094 range).
Once selected and in use by the switch, the extended VLAN can no longer be used for any other purpose. Figure 10.10 below illustrates how the different types of VLANs can be used and are allocated internally on Cisco Catalyst 6500 Series Switches:
FIG 10.10 – VLAN use and allocation
Referencing Figure 10.10, keep in mind the following when implementing or designing an internetwork using Catalyst 6500 Series Switches:
- Layer 2 Ethernet ports can be assigned to any VLAN – standard or extended
- VLAN interface numbers can use any VLAN number – standard or extended
- WAN interfaces consume one extended VLAN number
- Layer 3 Ethernet ports consume one extended VLAN number
- Sub-interfaces consume one extended VLAN number
In order to configure VLANs, the switch must be in either VTP server mode (which is the default) or VTP must be disabled. In order to configure extended range VLANs, VTP must be disabled by putting the switch into transparent mode.
Mini-lab – Configuring Extended VLANs
Packet Tracer does not support extended VLANs, so you will need to use a remote rack or a home rack if you have one.
FIG 10.11 – Configuring extended VLANs
When you try to configure extended VLANs with the switch in the default VTP mode of the server, you will see an error message like the one in the output below:
Sw1(config)#vlan 2010
Sw1(config-vlan)#
% Failed to create VLANs 2010
Extended VLAN(s) not allowed in current VTP mode.
%Failed to commit extended VLAN(s) changes.
Check the VTP status of the switch that will be the server:
Sw1#show vtp status
VTP Version : running VTP1 (VTP2 capable)
Configuration Revision : 0
Maximum VLANs supported locally : 1005
Number of existing VLANs : 5
VTP Operating Mode : Server
VTP Domain Name :
VTP Pruning Mode : Disabled
VTP V2 Mode : Disabled
VTP Traps Generation : Disabled
MD5 digest : 0x57 0xCD 0x40 0x65 0x63 0x59 0x47 0xBD
Configuration last modified by 0.0.0.0 at 0-0-00 00:00:00
Sw1(config)#vtp mode transparent
Setting device to VTP TRANSPARENT mode.
Sw1#show vtp status
VTP Version : running VTP1 (VTP2 capable)
Configuration Revision : 0
Maximum VLANs supported locally : 1005
Number of existing VLANs : 5
VTP Operating Mode : Transparent
VTP Domain Name :
VTP Pruning Mode : Disabled
VTP V2 Mode : Disabled
VTP Traps Generation : Disabled
MD5 digest : 0x57 0xCD 0x40 0x65 0x63 0x59 0x47 0xBD
Configuration last modified by 0.0.0.0 at 0-0-00 00:00:00
Now create some extended VLANs:
Sw1(config)#vlan 2010
Sw1(config-vlan)#name SALES
Sw1(config-vlan)#vlan 2020
Sw1(config-vlan)#name ADMIN
Sw1(config-vlan)#int f0/11
Sw1(config-if)#switchport mode access
Sw1(config-if)#switchport access vlan 2010
Sw1(config-if)#int f0/12
Sw1(config-if)#switchport mode access
Sw1(config-if)#switchport access vlan 2020
Sw1(config-if)#end
You will see error messages until you configure Switch 2, which you can do without my help, I’m sure:
*Mar 1 00:05:15.871: %SYS-5-CONFIG_I: Configured from console by console
*Mar 1 00:05:21.391: %CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on FastEthernet0/11 (2010), with Switch FastE.
*Mar 1 00:05:21.391: %CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on FastEthernet0/12 (2020), with Switch FastE.
Sw1#show vlan brief
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/1, Fa0/2, Fa0/3, Fa0/4
Fa0/5, Fa0/6, Fa0/7, Fa0/8
Fa0/13, Fa0/14, Fa0/15, Fa0/16
Fa0/17, Fa0/18, Fa0/19, Fa0/20
Fa0/21, Fa0/22, Fa0/23, Fa0/24
Gi0/1, Gi0/2
1002 fddi-default act/unsup
1003 token-ring-default act/unsup
1004 fddinet-default act/unsup
1005 trnet-default act/unsup
2010 SALES active Fa0/11
2020 ADMIN active Fa0/12
Sw1#
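The following script is an added example, not part of the original book text: it parses the "Key : Value" lines of a show vtp status output like the one above and applies the same rule the switch enforced in this mini-lab (extended VLANs 1006 to 4094 need transparent mode under VTP version 1 or 2), plus a couple of checks a defender would want on a switch still in server mode. The sample output is constructed to mirror the lab; the function names are my own.

```python
# Constructed sample, mirroring the first show vtp status in the mini-lab
SHOW_VTP_STATUS = """\
VTP Version : running VTP1 (VTP2 capable)
Configuration Revision : 0
Maximum VLANs supported locally : 1005
Number of existing VLANs : 5
VTP Operating Mode : Server
VTP Domain Name :
VTP Pruning Mode : Disabled
VTP V2 Mode : Disabled
VTP Traps Generation : Disabled
"""

def parse_vtp_status(text):
    """Turn the 'Key : Value' lines of show vtp status into a dict."""
    fields = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")   # split on the first colon only
        fields[key.strip()] = value.strip()
    return fields

def can_create_vlan(vlan_id, mode, vtp_version=1):
    """Return (ok, reason), mirroring the IOS behaviour shown in the mini-lab:
    1-1001 normal range, 1002-1005 reserved defaults, 1006-4094 extended range
    (which VTP versions 1 and 2 only allow in transparent mode)."""
    mode = mode.lower()
    if not 1 <= vlan_id <= 4094:
        return False, "VLAN ID out of range"
    if 1002 <= vlan_id <= 1005:
        return False, "reserved default VLAN"
    if mode == "client":
        return False, "VLANs cannot be configured in VTP client mode"
    if vlan_id >= 1006 and mode != "transparent" and vtp_version < 3:
        return False, "Extended VLAN(s) not allowed in current VTP mode."
    return True, "ok"

def audit_vtp(fields):
    """Defender's checks on a parsed show vtp status (hypothetical policy)."""
    findings = []
    mode = fields.get("VTP Operating Mode", "").lower()
    if mode == "server" and not fields.get("VTP Domain Name"):
        # A null domain name is replaced by the first domain advertised to the switch
        findings.append("server mode with empty domain name: switch will adopt the first VTP domain it hears")
    if mode in ("server", "client"):
        findings.append("switch accepts VTP advertisements: confirm the domain password is set")
    return findings
```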
[END OF MINI-LAB]
End of Chapter Questions
Please visit www.howtonetwork.com/ccnasimplified to take the free Chapter 10 exam.
Chapter 10 Labs
Lab 1: VLANs on an IOS Switch
The physical topology is shown in Figure 10.12 below:
FIG 10.12 – IOS VLANs
Lab Exercise
Your task is to configure the network in Figure 10.12 above. All the router and switch interfaces are in VLAN 2. If you do not want to use routers, you can use PCs and configure the IP address on the Ethernet card instead. Any switch running IOS will do for this lab.
Purpose
Creating VLANs on an IOS switch is one of the core competencies of a Cisco engineer. Make sure you are very familiar with doing this.
Lab Objectives
- Configure the switch to use VLAN 2, name “Cisco”.
- Place two interfaces on the switch in VLAN 2.
- Configure the routers’ interfaces.
- Ping across the LAN on VLAN 2.
Lab Walk-through
- To configure the IP address on the routers, do the following:
Router>enable
Router#
Router#configure terminal
Router(config)#hostname RouterA
RouterA(config)#interface FastEthernet0/0
RouterA(config-if)#ip address 192.168.1.1 255.255.255.0
RouterA(config-if)#no shut
RouterA(config-if)#^Z
RouterA#
Router B:
Router>enable
Router#config t
Router(config)#hostname RouterB
RouterB(config)#interface FastEthernet0/0
RouterB(config-if)#ip address 192.168.1.2 255.255.255.0
RouterB(config-if)#no shut
RouterB(config-if)#^Z
RouterB#
If you have plugged directly into the switch, you will be able to ping from router to router or switch to switch. This is because the switch will use VLAN 1 by default. Give the switch ports 30 seconds to come up.
RouterA#ping 192.168.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
RouterA#
- To configure both routers to connect to VLAN 2 on the switch, enter the following commands:
Switch#config t
Switch(config)#vlan 2 – Creates VLAN 2
Switch(config-vlan)#name Cisco
Switch(config-vlan)#^z
Switch#
- To configure the interfaces on the switch to use VLAN 2, use the following commands:
Switch#config t
Switch(config)#interface FastEthernet0/1
Switch(config-if)#description ToRouterA – Sets the description
Switch(config-if)#switchport mode access
Switch(config-if)#switchport access vlan 2 – Adds to VLAN 2
Switch(config-if)#^Z
- You can try to ping from Router B to Router A now. Because you have put only one interface into VLAN 2 (Router A), the second (Router B) remains in VLAN 1 (by default) and the ping will fail:
RouterB#ping 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
- You will now put the Ethernet interface connecting to Router B into VLAN 2:
Switch#config t
Switch(config)#interface FastEthernet0/3
Switch(config-if)#description ToRouterB
Switch(config-if)#switchport mode access
Switch(config-if)#switchport access vlan 2
Switch(config-if)#^Z
- You can now ping across the LAN from Router A to Router B. The first one or two pings will fail until the switch ports have started to forward traffic:
RouterA#ping 192.168.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
RouterA#ping 192.168.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 4/4/4 ms
Show Runs
RouterA#show run
Building configuration...
Current configuration: 428 bytes
!
version 15.1
!
hostname RouterA
!
ip subnet-zero
!
interface FastEthernet0
ip address 192.168.1.1 255.255.255.0
!
end
– – –
RouterB#show run
Building configuration...
Current configuration: 428 bytes
!
version 15.1
no service single-slot-reload-enable
service timestamps debug uptime
no service password-encryption
!
hostname RouterB
!
ip subnet-zero
!
interface FastEthernet0
ip address 192.168.1.2 255.255.255.0
!
end
RouterB#
– – –
Switch
Switch#show run
Building configuration...
Current configuration:
!
version 15.0
no service password-encryption
!
hostname Switch
!
ip subnet-zero
!
interface FastEthernet0/1
description ToRouterA
switchport access vlan 2
!
interface FastEthernet0/2
!
interface FastEthernet0/3
description ToRouterB
switchport access vlan 2
!
Lab 2: Trunking across IOS Switches
Lab Exercise
Your task is to configure the network below. All the router interfaces, and the switch ports they connect to, are in VLAN 2. You will need two switches running Cisco IOS; I have used two 2960 Switches.
If you do not want to keep swapping between switches, then follow the entire configuration for one 2960 Switch. It’s been broken down into smaller chunks to make the various stages more understandable. Also, feel free to swap the routers for PCs.
FIG 10.13 – Trunking across switches
Purpose
Being able to trunk between switches is an essential skill for a Cisco engineer.
NOTE: Issue a show run on the switches to check which interfaces they have and which one you are plugged into. You can also go through the entire switch configuration at once rather than in phases (as shown below) to save time.
Lab Objectives
- Configure the switch to use VLAN 2, name “Cisco”.
- Place two interfaces on the switch in VLAN 2 on one 2960 Switch and one interface in VLAN 2 on the other 2960 Switch.
- Configure the routers’ interfaces with the IP addresses as shown in Figure 10.13 above.
- Ping across the LAN on VLAN 2.
Lab Walk-through
- To configure the IP address on the routers, do the following:
Router>enable
Router#
Router#configure terminal
Router(config)#hostname RouterA
RouterA(config)#interface FastEthernet0
RouterA(config-if)#ip address 192.168.1.1 255.255.255.0
RouterA(config-if)#no shut
RouterA(config-if)#^Z
RouterA#
Router B:
Router>enable
Router#config t
Router(config)#hostname RouterB
RouterB(config)#interface FastEthernet0
RouterB(config-if)#ip address 192.168.1.2 255.255.255.0
RouterB(config-if)#no shut
RouterB(config-if)#^Z
RouterB#
Router C:
Router>enable
Router#config t
Router(config)#hostname RouterC
RouterC(config)#interface FastEthernet0
RouterC(config-if)#ip address 192.168.1.3 255.255.255.0
RouterC(config-if)#no shut
RouterC(config-if)#^Z
RouterC#
If you have plugged directly into the switch, you will be able to ping from Router A to Router B and Router C. This is because they are all in VLAN 1, by default. If you have just booted up the switch, it may take a few moments for the database to be built.
RouterB#ping 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
RouterB#ping 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
..!!!
Success rate is 60 percent (3/5), round-trip min/avg/max = 4/4/4 ms
RouterB#ping 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
RouterB#
- Configure VLAN 2 on the IOS switches:
Switch>enable
Switch#config t
Switch(config)#hostname Top2960
Top2960(config)#vlan 2
Top2960(config-vlan)#name Cisco
Top2960(config-vlan)#^z
Now configure VLAN 2 on the bottom 2960 Switch:
Switch>enable
Switch#config t
Switch(config)#hostname Bottom2960
Bottom2960(config)#vlan 2
Bottom2960(config-vlan)#name Cisco
Bottom2960(config-vlan)#^z
- Put the relevant ports in VLAN 2 on each switch:
Top2960#config t
Top2960(config)#interface fast0/1
Top2960(config-if)#switchport access vlan 2
Top2960(config-if)#^z
Top2960#
You could also add the switchport mode access command to the interface if you want to hard-set it to access.
– – –
Bottom2960#config t
Bottom2960(config)#interface fast0/1
Bottom2960(config-if)#switchport access vlan 2
Bottom2960(config-if)#int fast0/3
Bottom2960(config-if)#switchport access vlan 2
Bottom2960(config-if)#^z
Bottom2960#
- Turn trunking on. On the interfaces between the switches, do the following:
Bottom2960(config-if)#interface FastEthernet0/2
Bottom2960(config-if)#switchport mode trunk
Bottom2960(config-if)#end
Bottom2960#
– – –
Top2960(config-if)#interface FastEthernet0/2
Top2960(config-if)#switchport mode trunk
Top2960(config-if)#end
Top2960#
- Ping from Router C to Router A:
RouterC#ping 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
.!!!! – One ping fails due to the ARP lookup
Success rate is 80 percent (4/5), round-trip min/avg/max = 4/4/4 ms
RouterC#ping 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/6/8 ms
RouterC#
Show Runs
RouterA#show run
Building configuration...
!
version 15.1
!
hostname RouterA
!
ip subnet-zero
!
interface FastEthernet0
ip address 192.168.1.1 255.255.255.0
!
end
– – –
RouterB#show run
Building configuration...
!
Current configuration: 428 bytes
!
version 15.1
!
hostname RouterB
!
ip subnet-zero
!
interface FastEthernet0
ip address 192.168.1.2 255.255.255.0
!
end
– – –
RouterC#show run
Building configuration...
Current configuration:
!
version 15.0
!
hostname RouterC
!
interface FastEthernet0
ip address 192.168.1.3 255.255.255.0
!
end
Switch Show Runs (truncated)
Top2960#show run
Building configuration...
Current configuration:
!
hostname Top2960
!
ip subnet-zero
!
interface FastEthernet0/1
switchport access vlan 2
!
interface FastEthernet0/2
switchport mode trunk
!
– – –
Bottom2960#show run
Building configuration...
Current configuration:
!
hostname Bottom2960
!
ip subnet-zero
!
interface FastEthernet0/1
switchport access vlan 2
!
interface FastEthernet0/2
switchport mode trunk
!
interface FastEthernet0/3
switchport access vlan 2
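As an added example (not part of the book or the lab configurations), the script below parses a switch running-config in the shape of the show runs above and flags ports whose mode was never hard-set with switchport mode access or switchport mode trunk, the point raised in the walk-through note about hard-setting access ports. The config excerpt is constructed (it adds an unused FastEthernet0/4 and hard-sets FastEthernet0/3) and the function names are my own.

```python
# Constructed running-config excerpt in the style of the Bottom2960 show run above
RUNNING_CONFIG = """\
hostname Bottom2960
!
interface FastEthernet0/1
 switchport access vlan 2
!
interface FastEthernet0/2
 switchport mode trunk
!
interface FastEthernet0/3
 switchport access vlan 2
 switchport mode access
!
interface FastEthernet0/4
!
"""

def parse_interfaces(config):
    """Map each interface name to the list of commands under it.
    Blocks are delimited by 'interface ...' and the '!' separator lines."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line == "!":
            current = None
        elif current is not None and line:
            interfaces[current].append(line)
    return interfaces

def audit_ports(interfaces):
    """Return {interface: finding} for ports left in the default dynamic mode.
    Without 'switchport mode access' or 'switchport mode trunk' the port still
    negotiates with DTP and will become a trunk if the far end requests one."""
    findings = {}
    for name, lines in interfaces.items():
        modes = [l.split()[2] for l in lines if l.startswith("switchport mode ")]
        if "access" in modes or "trunk" in modes:
            continue  # explicitly hard-set, as the walk-through suggests
        if any(l.startswith("switchport access vlan") for l in lines):
            findings[name] = "access VLAN set but mode not hard-set to access"
        else:
            findings[name] = "unused port in default dynamic mode; consider shutting it down"
    return findings
```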