This chapter describes how to configure the following features:
For complete syntax and usage information for the commands used in this chapter, refer to the Catalyst 5000 Series Command Reference publication.
Before you create VLANs, you must decide whether to use VTP in your network. If you choose to use VTP, you must decide whether the switch will be a VTP server or a VTP client. If you choose not to use VTP, you must set the switch to transparent mode. If you use VTP, you must decide whether to use VTP version 1 or version 2. If you are using VTP in a Token Ring environment, you must use version 2.
After you decide which version of VTP to run, you must create a VTP domain (also called a VLAN management domain) before you create the desired VLANs. In a VTP domain, VLANs can only be created, changed, and deleted if the switch is in VTP server mode (the default). The VLAN configuration cannot be changed if the switch is in VTP client mode. Both clients and servers update their VTP and VLAN configuration based on the advertisements they receive over their trunk links.
VTP version 1 is supported in Catalyst 5000 series supervisor engine software release 2.1 or later and ATM software release 3.1 or later. VTP version 2, an extension to VTP that supports Token Ring LAN switching and other features, is supported in Catalyst 5000 series software release 3.1(1) and later.
For more information on VTP, see the "Understanding VTP" section in this chapter.
| Caution VTP version 1 and VTP version 2 are not interoperable on switches in the same VTP domain. Every switch in the VTP domain must use the same VTP version. |
These guidelines apply to switches within the same VTP domain:
A VTP version 2-capable switch will not run version 2 unless you manually enable it on at least one switch in the VTP domain. To enable VTP version 2, perform this task in privileged mode:
| Task | Command |
|---|---|
| Enable VTP version 2. | set vtp v2 enable |
To configure the switch as a VTP server, perform these tasks in privileged mode:
| Task | Command |
|---|---|
| Step 1 Define the VTP domain name. | set vtp domain name |
| Step 2 Place the switch in VTP server mode. | set vtp mode server |
| Step 3 (Optional) Enable VTP pruning. VTP pruning is disabled by default. | set vtp pruning enable |
| Step 4 (Optional) Set a password for the VTP domain. | set vtp passwd passwd |
This example shows how to configure the switch as a VTP server:
Console> (enable) set vtp domain Lab_Network
VTP domain Lab_Network modified
Console> (enable) set vtp mode server
VTP domain Lab_Network modified
Console> (enable) set vtp pruning enable
This command will enable the pruning function in the entire management domain.
All devices in the management domain should be pruning-capable before enabling.
Do you want to continue (y/n) [n]? y
VTP domain Lab_Network modified
Console> (enable)
To configure the switch as a VTP client, perform these tasks in privileged mode:
| Task | Command |
|---|---|
| Step 1 Define the VTP domain name. | set vtp domain name |
| Step 2 Place the switch in VTP client mode. | set vtp mode client |
The VTP client switch receives VTP updates from VTP servers and updates its configuration accordingly. The following example shows how to configure the switch as a VTP client:
Console> (enable) set vtp domain Lab_Network
VTP domain Lab_Network modified
Console> (enable) set vtp mode client
VTP domain Lab_Network modified
Console> (enable)
To configure the switch as VTP transparent (effectively disabling VTP on the switch), perform this task in privileged mode:
| Task | Command |
|---|---|
| Place the switch in VTP transparent mode (disabling VTP on the switch). | set vtp mode transparent |
A VTP transparent switch does not send VTP updates, and ignores VTP updates from VTP servers. This example shows how to configure the switch as VTP transparent:
Console> (enable) set vtp mode transparent
VTP domain modified
Console> (enable)
To verify the VTP configuration, perform these tasks:
| Task | Command |
|---|---|
| Step 1 Verify the VTP domain configuration. | show vtp domain |
| Step 2 View the VTP statistics. | show vtp statistics |
This example shows the output of the show vtp domain command indicating that the switch is VTP version 2-capable and that VTP version 2 is enabled:
Console> show vtp domain
Domain Name Domain Index VTP Version Local Mode Password
-------------------------------- ------------ ----------- ----------- ----------
Engineering 1 2 server -
Vlan-count Max-vlan-storage Config Revision Notifications
---------- ---------------- --------------- -------------
16 1023 0 enabled
Last Updater V2 Mode Pruning PruneEligible on Vlans
--------------- -------- -------- -------------------------
172.20.52.10 enabled enabled 2-1000
This example shows the output for a switch configured as a VTP server:
Console> show vtp domain
Domain Name Domain Index VTP Version Local Mode Password
-------------------------------- ------------ ----------- ----------- ----------
Engineering 1 2 server -
Vlan-count Max-vlan-storage Config Revision Notifications
---------- ---------------- --------------- -------------
16 1023 0 enabled
Last Updater V2 Mode Pruning PruneEligible on Vlans
--------------- -------- -------- -------------------------
This example shows the output for a switch configured as a VTP client:
Console> (enable) show vtp domain
Domain Name Domain Index VTP Version Local Mode Password
-------------------------------- ------------ ----------- ----------- ----------
Lab_Network 1 2 client -
Vlan-count Max-vlan-storage Config Revision Notifications
---------- ---------------- --------------- -------------
8 1023 5 disabled
Last Updater V2 Mode Pruning PruneEligible on Vlans
--------------- -------- -------- -------------------------
172.20.52.70 disabled enabled 2-1000
Console> (enable)
This example shows the output for a switch configured as VTP transparent:
Console> (enable) show vtp domain
Domain Name Domain Index VTP Version Local Mode Password
-------------------------------- ------------ ----------- ----------- ----------
1 2 Transparent -
Vlan-count Max-vlan-storage Config Revision Notifications
---------- ---------------- --------------- -------------
8 1023 5 disabled
Last Updater V2 Mode Pruning PruneEligible on Vlans
--------------- -------- -------- -------------------------
172.20.52.70 disabled enabled 2-1000
Console> (enable)
To show VTP statistics, such as VTP advertisements sent and received and VTP errors, enter the show vtp statistics command:
Console> (enable) show vtp statistics
VTP statistics:
summary advts received 7
subset advts received 6
request advts received 0
summary advts transmitted 983
subset advts transmitted 35
request advts transmitted 21
No of config revision errors 0
No of config digest errors 0
VTP pruning statistics:
Trunk Join Trasmitted Join Received Summary advts received from
non-pruning-capable device
-------- --------------- ------------- ---------------------------
1/1 547 540 0
3/1
4/1-2 636 0 0
Console> (enable)
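The show vtp domain check above can also be run offline against saved console logs. The following is an added example, not Cisco code: it parses output in the layout shown in this chapter and flags server or client switches with no domain password, and domains in which V2 Mode differs between switches. The function names, switch labels and sample captures are constructed for illustration; the `<set>` password value is a placeholder, because the chapter does not show how a configured password is displayed.

```python
import re

# A line made only of dash groups separates a table header from its data row.
RULER = re.compile(r"^-{3,}(\s+-{3,})*$")


def _data_rows(text):
    """Return the tokens of the data row under each ruler ([] when the row is absent)."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    rows = []
    for i, ln in enumerate(lines):
        if not RULER.match(ln):
            continue
        nxt = lines[i + 1] if i + 1 < len(lines) else ""
        # The next line is data unless it is a prompt or the header of another table.
        is_header = i + 2 < len(lines) and bool(RULER.match(lines[i + 2]))
        is_data = bool(nxt) and not nxt.startswith("Console>") and not is_header
        rows.append(nxt.split() if is_data else [])
    return rows


def parse_show_vtp_domain(text):
    """Parse one 'show vtp domain' capture into a dict."""
    rows = _data_rows(text)
    if len(rows) != 3 or len(rows[0]) < 4 or len(rows[1]) != 4:
        raise ValueError("not a complete 'show vtp domain' capture")
    dom, cnt, upd = rows
    info = {
        # The domain name can be empty (transparent switch), so the four fixed
        # columns are taken from the right and the name is whatever remains.
        "domain": " ".join(dom[:-4]),
        "version": int(dom[-3]),
        "mode": dom[-2].lower(),
        # Assumption: '-' means no password; any other value means one is set.
        "password_set": dom[-1] != "-",
        "vlan_count": int(cnt[0]),
        "config_revision": int(cnt[2]),
        "last_updater": None, "v2_mode": None, "pruning": None, "prune_eligible": None,
    }
    if len(upd) == 4:  # this row is missing in one of the chapter's examples
        info.update(last_updater=upd[0], v2_mode=upd[1],
                    pruning=upd[2], prune_eligible=upd[3])
    return info


def audit(captures):
    """captures: {switch label: capture text}. Returns a list of (subject, finding)."""
    findings, v2_by_domain = [], {}
    for label, text in captures.items():
        info = parse_show_vtp_domain(text)
        if info["mode"] not in ("server", "client"):
            continue  # a transparent switch ignores VTP updates
        if not info["password_set"]:
            findings.append((label, "no-vtp-password"))
        if info["v2_mode"] is not None:
            v2_by_domain.setdefault(info["domain"], set()).add(info["v2_mode"])
    for domain, modes in sorted(v2_by_domain.items()):
        if len(modes) > 1:  # every switch in a domain must run the same VTP version
            findings.append((domain, "mixed-v2-mode"))
    return findings


def _capture(domain_row, updater_row):
    """Build a constructed capture in the chapter's layout, whitespace collapsed."""
    return "\n".join([
        "Console> (enable) show vtp domain",
        "Domain Name Domain Index VTP Version Local Mode Password",
        "-------------------------------- ------------ ----------- ----------- ----------",
        domain_row,
        "Vlan-count Max-vlan-storage Config Revision Notifications",
        "---------- ---------------- --------------- -------------",
        "8 1023 5 disabled",
        "Last Updater V2 Mode Pruning PruneEligible on Vlans",
        "--------------- -------- -------- -------------------------",
        updater_row,
        "Console> (enable)",
    ])


# Constructed sample captures (switch labels are hypothetical).
SAMPLES = {
    "sw-a": _capture("Lab_Network 1 2 server -", "172.20.52.70 enabled enabled 2-1000"),
    "sw-b": _capture("Lab_Network 1 2 client -", "172.20.52.70 disabled enabled 2-1000"),
    "sw-c": _capture("1 2 Transparent -", "172.20.52.70 disabled enabled 2-1000"),
    "sw-d": _capture("Engineering 1 2 server <set>", ""),  # no Last Updater row
}

if __name__ == "__main__":
    for subject, finding in audit(SAMPLES):
        print(f"{subject}: {finding}")
```
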
VTP is a Layer 2 messaging protocol that maintains VLAN configuration consistency throughout the network. VTP manages the addition, deletion, and renaming of VLANs on a network-wide basis, and allows you to make central changes that are automatically communicated to all the other switches in the network.
VTP minimizes the configuration inconsistencies that can arise when changes are made. These inconsistencies can result in security violations because VLANs cross-connect when duplicate names are used and internally disconnect when VLANs are incorrectly mapped between one LAN type and another.
VTP servers and clients maintain all VLANs everywhere within the VTP domain. A VTP domain defines the boundary of a particular VLAN. Servers and clients transmit information through trunks to other attached switches and receive updates from those trunks.
VTP servers either maintain information in nonvolatile memory or access it using TFTP. Using VTP servers, you can modify the global VLAN information using either the VTP MIB via SNMP or the CLI. When you add or advertise VLANs, both servers and clients are notified that they should be prepared to receive traffic on their trunk ports. A VTP server can also instruct a switch to delete a VLAN and disable all ports assigned to it.
Advertisement frames are sent to a multicast address so that they can be received by all neighboring devices, but they are not forwarded by normal bridging procedures. All devices in the same management domain learn about any new VLANs configured in the transmitting device. Because of this process, you need to configure a new VLAN only on one device in the management domain. All other devices in the same management domain learn the configured information automatically. VTP is transmitted on all trunk connections, including ISL, 802.1Q, 802.10, and LANE.
A new VLAN is indicated by a VTP advertisement received by a device running VTP. Devices accept the traffic of the new VLAN and propagate it to their trunks after adding the VTP-learned VLANs to their trunks.
Using periodic advertisements, VTP tracks configuration changes and communicates them to other switches in the network. When a new switch is added to the network, the added devices receive updates from VTP and automatically configure existing VLANs within the network.
VTP also maps VLANs dynamically across multiple LAN types with unique names and internal index associations. Mapping eliminates excessive device administration required from network administrators.
VTP establishes global configuration values and distributes the following global configuration information:
VTP version 2 supports Token Ring LAN switching and the following features:
Make sure that all devices in the management domain support VTP pruning before enabling it (using the set vtp pruning enable command). VTP pruning is supported in Catalyst 5000 series software release 2.3 and later. Enabling VTP pruning on a VTP server enables pruning for the entire management domain. VTP pruning takes effect several seconds after configuration.
When enabled, VTP pruning does not prune traffic from VLANs that are not pruning-eligible. By default, VLANs 2 through 1000 are pruning-eligible. VLAN 1 is always pruning-ineligible; traffic from VLAN 1 cannot be pruned.
To make a VLAN pruning ineligible, enter the clear vtp pruneeligible command. To make a VLAN pruning eligible again, enter the set vtp pruneeligible command. You can issue these commands regardless of whether VTP pruning is enabled or disabled. Pruning eligibility resides on the local device only.
These guidelines apply to switches within the same VTP domain:
To configure VTP pruning, perform these tasks in privileged mode:
| Task | Command |
|---|---|
| Step 1 Enable VTP pruning in the management domain. | set vtp pruning enable |
| Step 2 (Optional) Make specific VLANs pruning-ineligible on the device. (By default, VLANs 2-1000 are pruning-eligible.) | clear vtp pruneeligible vlan_range |
| Step 3 (Optional) If necessary, make specific VLANs pruning-eligible on the device. | set vtp pruneeligible vlan_range |
This example shows how to enable VTP pruning in the management domain and how to make VLANs 2-99, 250-255, and 501-1000 pruning-eligible on the particular device:
Console> (enable) set vtp pruning enable
This command will enable the pruning function in the entire management domain.
All devices in the management domain should be pruning-capable before enabling.
Do you want to continue (y/n) [n]? y
VTP domain Lab_Network modified
Console> (enable) clear vtp pruneeligible 100-500
Vlans 1,100-500,1001-1005 will not be pruned on this device.
VTP domain Lab_Network modified.
Console> (enable) set vtp pruneeligible 250-255
Vlans 2-99,250-255,501-1000 eligible for pruning on this device.
VTP domain Lab_Network modified.
Console> (enable)
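To predict the resulting eligibility list before typing a clear or set command, the VLAN ranges can be modelled as sets. This is an added example, not Cisco code; it reproduces the two lists printed in the session above. The function names are hypothetical, and it assumes, from the "will not be pruned" message above, that the device tracks VLANs 1-1005 and that only VLANs 2-1000 can ever be pruning-eligible.

```python
ALL_VLANS = frozenset(range(1, 1006))         # 1-1005, as in the message above
PRUNABLE = frozenset(range(2, 1001))          # VLAN 1 and 1001-1005 are never pruned
DEFAULT_ELIGIBLE = PRUNABLE                   # default: VLANs 2-1000 are eligible


def parse_ranges(spec):
    """'2-99,250-255' -> set of VLAN numbers; rejects values outside 1-1005."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not 1 <= lo <= hi <= 1005:
            raise ValueError(f"bad VLAN range: {part!r}")
        vlans.update(range(lo, hi + 1))
    return vlans


def format_ranges(vlans):
    """Set of VLAN numbers -> compact 'a-b,c' string in ascending order."""
    spans = []
    for v in sorted(vlans):
        if spans and v == spans[-1][1] + 1:
            spans[-1][1] = v                  # extend the current run
        else:
            spans.append([v, v])              # start a new run
    return ",".join(str(a) if a == b else f"{a}-{b}" for a, b in spans)


def clear_pruneeligible(eligible, spec):
    """Model of 'clear vtp pruneeligible vlan_range' on the local device."""
    return frozenset(eligible) - parse_ranges(spec)


def set_pruneeligible(eligible, spec):
    """Model of 'set vtp pruneeligible vlan_range'; VLANs outside 2-1000 stay ineligible."""
    return frozenset(eligible) | (parse_ranges(spec) & PRUNABLE)


def not_pruned(eligible):
    """VLANs whose flooded traffic is never pruned on this device."""
    return ALL_VLANS - frozenset(eligible)


if __name__ == "__main__":
    e = clear_pruneeligible(DEFAULT_ELIGIBLE, "100-500")
    print("Vlans", format_ranges(not_pruned(e)), "will not be pruned on this device.")
    e = set_pruneeligible(e, "250-255")
    print("Vlans", format_ranges(e), "eligible for pruning on this device.")
```
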
To disable VTP pruning, perform this task in privileged mode:
| Task | Command |
|---|---|
| Disable VTP pruning in the management domain. | set vtp pruning disable |
This example shows how to disable VTP pruning in the management domain:
Console> (enable) set vtp pruning disable
This command will disable the pruning function in the entire management domain.
Do you want to continue (y/n) [n]? y
VTP domain Lab_Network modified
Console> (enable)
To verify the VTP pruning configuration, perform these tasks:
| Task | Command |
|---|---|
| Step 1 Verify the VTP pruning configuration. | show vtp domain |
| Step 2 Check whether VLANs are being pruned on trunk ports. | show trunk |
This example shows how to verify the VTP pruning configuration using the show vtp domain command. The arrow shows that VTP pruning is enabled, and that VLANs 2-99, 250-255, and 501-1000 are pruning-eligible:
Console> (enable) show vtp domain
Domain Name Domain Index VTP Version Local Mode Password
-------------------------------- ------------ ----------- ----------- ----------
Lab_Network 1 2 server -
Vlan-count Max-vlan-storage Config Revision Notifications
---------- ---------------- --------------- -------------
8 1023 16 disabled
Last Updater V2 Mode Pruning PruneEligible on Vlans
--------------- -------- -------- -------------------------
172.20.52.2 disabled enabled 2-99,250-255,501-1000
Console> (enable)
This example shows how to verify the VTP pruning configuration using the show trunk command. The arrow shows that VLANs 1 and 522-524 are in spanning-tree forwarding state and are not pruned on the trunk:
Console> (enable) show trunk
Port Mode Encapsulation Status Native vlan
-------- ----------- ------------- ------------ -----------
1/1 auto isl trunking 523
3/1 on lane trunking 1
4/1-2 on lane trunking 1
Port Vlans allowed on trunk
-------- ---------------------------------------------------------------------
1/1 1-1005
3/1 1-1005
4/1-2 1-1005
Port Vlans allowed and active in management domain
-------- ---------------------------------------------------------------------
1/1 1,522-524
3/1
4/1-2
Port Vlans in spanning tree forwarding state and not pruned
-------- ---------------------------------------------------------------------
1/1 1,522-524
3/1
4/1-2
Console> (enable)
VTP pruning enhances network bandwidth use by reducing unnecessary flooded traffic, such as broadcast, multicast, unknown, and flooded unicast packets. VTP pruning increases available bandwidth by restricting flooded traffic to those trunk links that the traffic must use to access the appropriate network devices.
Figure 9-1 shows a switched network without VTP pruning enabled. Port 1 on Switch 1 and port 2 on Switch 4 are assigned to the Red VLAN. A broadcast is sent from the host connected to Switch 1. Switch 1 floods the broadcast and every switch in the network receives it, even though Switches 3, 5, and 6 have no ports in the Red VLAN.

Figure 9-2 shows the same switched network with VTP pruning enabled. The broadcast traffic from Switch 1 is not forwarded to Switches 3, 5, and 6 because traffic from the Red VLAN has been pruned on the links indicated (port 5 on Switch 2 and port 4 on Switch 4).

Two main tasks are involved with configuring VLANs:
If you are configuring Token Ring VLANs, see the section "Creating Token Ring VLANs (TrBRFs)" later in this chapter.
Enter the set vlan command to create a VLAN and enter the clear vlan command to delete a VLAN. If the switch is a VTP server, changes to the VLAN configuration are propagated to other switches in the VTP domain. If the switch is a VTP client, you cannot create or delete VLANs; you must change the VTP mode of the switch or perform the VLAN configuration on a VTP server. If the switch is in VTP transparent mode, the VLAN configuration affects the particular switch only and is not propagated to other switches in the network.
VLANs support a number of parameters, only a few of which are discussed in this section. For complete information on the set vlan command and its parameters, refer to the Catalyst 5000 Series Command Reference publication.
Before you can create a VLAN on the switch, you must do one of the following:
For information on configuring VTP, see the section "Configuring VTP" earlier in this chapter.
To create a VLAN on the switch, perform this task in privileged mode:
| Task | Command |
|---|---|
| Create a VLAN. If desired, assign it a name (the VLAN number is used as the name if no name is specified). | set vlan vlan_num [name name] |
This example shows how to create a VLAN on the switch:
Console> (enable) set vlan 100 name Writers
Vlan 100 configuration successful
Console> (enable)
To delete a VLAN on the switch, perform this task in privileged mode:
| Task | Command |
|---|---|
| Delete a VLAN. | clear vlan vlan_num |
This example shows how to delete a VLAN (in this case, the switch is a VTP server):
Console> (enable) clear vlan 100
This command will deactivate all ports on vlan 100 in the entire management domain
Do you want to continue(y/n) [n]?y
Vlan 100 deleted
Console> (enable)
To verify the VLAN configuration, perform this task:
| Task | Command |
|---|---|
| Verify the VLAN configuration. | show vlan |
This example shows how to verify the VLAN configuration:
Console> (enable) show vlan
VLAN Name Status Mod/Ports, Vlans
---- -------------------------------- --------- ----------------------------
1 default active 1/1-2
3/1-24
5/1-2
10 VLAN0010 active
100 Writers active
200 Editors active
300 Production active
1002 fddi-default active
1003 token-ring-default active
1004 fddinet-default active
1005 trnet-default active
VLAN Type SAID MTU Parent RingNo BrdgNo Stp BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ ------ ---- -------- ------ ------
1 enet 100001 1500 - - - - - 0 0
10 enet 100010 1500 - - - - - 0 0
100 enet 100100 1500 - - - - - 0 0
200 enet 100200 1500 - - - - - 0 0
300 enet 100300 1500 - - - - - 0 0
1002 fddi 101002 1500 - 0x0 - - - 0 0
1003 trcrf 101003 1500 0 0x0 - - - 0 0
1004 fdnet 101004 1500 - - 0x0 ieee - 0 0
1005 trbrf 101005 1500 - - 0x0 ibm - 0 0
VLAN AREHops STEHops Backup CRF
---- ------- ------- ----------
1003 7 7 off
Console> (enable)
You can assign one or more ports to a VLAN using the set vlan command. By default, all switched Ethernet and Fast Ethernet ports belong to VLAN 1.
To assign one or more switch ports to a VLAN, perform this task in privileged mode:
| Task | Command |
|---|---|
| Assign one or more switch ports to a VLAN. | set vlan vlan_num mod_num/port_num |
This example shows how to assign switch ports to a VLAN:
Console> (enable) set vlan 100 3/1-8
VLAN 100 modified.
VLAN 350 modified.
VLAN Mod/Ports
---- -----------------------
100 3/1-8
4/1
7/1
Console> (enable) set vlan 200 3/9-16
VLAN 200 modified.
VLAN 1 modified.
VLAN Mod/Ports
---- -----------------------
200 3/9-16
4/1
7/1
Console> (enable)
Figure 9-3 shows a switch that has ports 1 through 4 assigned to VLAN 10 (Engineering) and ports 5 through 12 assigned to VLAN 20 (Accounting).

To verify the port VLAN assignments, perform either of these tasks:
| Task | Command |
|---|---|
| | show vlan |
| | show port |
This example shows how to verify the port VLAN assignments using the show vlan command:
Console> (enable) show vlan
VLAN Name Status Mod/Ports, Vlans
---- -------------------------------- --------- ----------------------------
1 default active 1/2
2/1-12
5/1-2
522 VLAN0522 active
523 VLAN0523 active
524 VLAN0524 active
1002 fddi-default active
1003 token-ring-default active
1004 fddinet-default active
1005 trnet-default active
VLAN Type SAID MTU Parent RingNo BrdgNo Stp BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ ------ ---- -------- ------ ------
1 enet 100001 1500 - - - - - 0 0
522 enet 100522 1500 - - - - - 0 0
523 enet 100523 1500 - - - - - 0 0
524 enet 100524 1500 - - - - - 0 0
1002 fddi 101002 1500 - 0x0 - - - 0 0
1003 trcrf 101003 1500 0 0x0 - - - 0 0
1004 fdnet 101004 1500 - - 0x0 ieee - 0 0
1005 trbrf 101005 1500 - - 0x0 ibm - 0 0
VLAN AREHops STEHops Backup CRF
---- ------- ------- ----------
1003 0 0 off
Console> (enable)
This example shows how to verify the port VLAN assignments using the show port command:
Console> (enable) show port
Port Name Status Vlan Level Duplex Speed Type
----- ------------------ ---------- ---------- ------ ------ ----- ------------
1/1 connected trunk normal half 100 100BaseTX
1/2 notconnect 1 normal half 100 100BaseTX
2/1 connected 1 normal half 100 100BaseTX
2/2 notconnect 1 normal half 100 100BaseTX
2/3 notconnect 1 normal half 100 100BaseTX
2/4 notconnect 1 normal half 100 100BaseTX
2/5 notconnect 1 normal half 100 100BaseTX
2/6 notconnect 1 normal half 100 100BaseTX
2/7 notconnect 1 normal half 100 100BaseTX
2/8 notconnect 1 normal half 100 100BaseTX
2/9 notconnect 1 normal half 100 100BaseTX
2/10 notconnect 1 normal half 100 100BaseTX
2/11 notconnect 1 normal half 100 100BaseTX
2/12 notconnect 1 normal half 100 100BaseTX
3/1 notconnect trunk normal full 155 OC3 MMF ATM
4/1 notconnect trunk normal full 45 DS3 ATM
4/2 notconnect trunk normal full 45 DS3 ATM
5/1 notconnect 1 normal half 100 FDDI
5/2 notconnect 1 normal half 100 FDDI
<... output truncated ...>
Console> (enable)
You must enable VTP version 2 to create Token Ring VLANs. For information on enabling VTP version 2, see the section "Configuring VTP" earlier in this chapter.
Using the set vlan command, you can configure a new TrBRF or change an existing TrBRF.
When configuring a TrBRF, note these guidelines:
To configure a new TrBRF, enter this version of the set vlan command in privileged mode:
| Task | Command |
|---|---|
| Configure a new TrBRF. | set vlan vlan_num [name name] type trbrf [state {active \| suspend}] [mtu mtu] |
After entering the set vlan command, you see this display:
Console> (enable) set vlan 999 name brf-999 type trbrf
Vlan 999 configuration successful
Console> (enable)
To change an existing TrBRF, enter this command in privileged mode, changing the appropriate parameters as necessary:
| Task | Command |
|---|---|
| Change an existing TrBRF. | set vlan vlan_num [name name] [state {active \| suspend}] [mtu mtu] [bridge bridge_number] |
To verify the configuration of Token Ring VLANs, enter this command:
| Task | Command |
|---|---|
| Verify the configuration. | show vlan [vlan_num] |
After entering the show vlan command and specifying a TrBRF, you see this display:
Console> show vlan 1005
VLAN Name Status Mod/Ports, Vlans
---- -------------------------------- --------- ----------------------------
1005 trbrf-default active 1003
VLAN Type SAID MTU Parent RingNo BrdgNo Stp BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ ------ ---- -------- ------ ------
1005 trbrf 101005 4472 - - 0xf ibm - 0 0
VLAN AREHops STEHops Backup CRF
---- ------- ------- ----------
Console>
Using the set vlan command, you can configure a new TrCRF or change an existing TrCRF. You can configure two types of TrCRFs in your network: undistributed and backup.
The undistributed TrCRF is located on one switch and has a logical ring number associated with it. Multiple undistributed TrCRFs on the same or separate switches can be associated with a single parent TrBRF. The parent TrBRF acts as a multiport bridge, forwarding traffic between the undistributed TrCRFs. Figure 9-4 illustrates the undistributed TrCRF.
You cannot distribute TrCRFs across switches as illustrated in Figure 9-5. Ports associated with a TrCRF must be located within the same Catalyst 5000 series switch. However, one exception to this rule is the default Token Ring VLAN configuration of the Token Ring module. By default, the Token Ring VLAN configuration of the Token Ring module has all ports assigned to the default TrCRF (1003). The default TrCRF is associated with the default TrBRF (1005). If you have not configured the ports of a Token Ring module to associate with a new TrCRF, traffic is passed between the default TrCRFs located on separate switches that are connected via ISL.
The backup TrCRF enables you to configure an alternate route for traffic between undistributed TrCRFs located on separate switches that are connected by a TrBRF, should the ISL connection between the switches become inactive. You can configure only one port per switch as part of a backup TrCRF and only one backup TrCRF for a TrBRF.
To create a backup TrCRF, assign one port on each switch that the TrBRF traverses to the backup TrCRF. Under normal circumstances, only one port in the backup TrCRF is active. If the ISL connection between the switches becomes inactive, the port that is a part of the backup TrCRF on each affected switch automatically becomes active, rerouting traffic between the undistributed TrCRFs through the backup TrCRF. When the ISL connection is reestablished, all but one of the ports in the backup TrCRF are disabled. Figure 9-6 illustrates the backup TrCRF.
When configuring a TrCRF, note these guidelines:
To configure a new TrCRF, perform this task in privileged mode, ensuring that you specify each parameter that applies to the TrCRF type you are configuring:
| Task | Command |
|---|---|
| Configure a new TrCRF. | set vlan vlan_num [name name] type trcrf [state {active \| suspend}] [mtu mtu] |
After entering the set vlan command, you see this display:
Console> (enable) set vlan 1000 name crf-1000 type trcrf ring 001 parent 999
Vlan 1000 configuration successful
Console> (enable)
To change an existing TrCRF, perform this task in privileged mode, changing the appropriate parameters as desired:
| Task | Command |
|---|---|
| Change an existing TrCRF. | set vlan vlan_num [name name] [state {active \| suspend}] [mtu mtu] [ring ring_number] |
To specify that a TrCRF is a backup TrCRF, perform this task in privileged mode:
| Task | Command |
|---|---|
| Specify that a TrCRF is a backup TrCRF. | set vlan vlan_num backupcrf on |
After entering the set vlan command and specifying on for the backupcrf parameter, you see this display:
Console> (enable) set vlan 1000 backupcrf on
Vlan 1000 configuration successful.
| Caution If the backup TrCRF port is attached to a Token Ring MAU, it does not provide a backup path unless the ring speed and port mode are set by another device. Therefore, we recommend that you configure the ring speed and port mode for the backup TrCRF. |
You can specify the maximum hop count for All-Routes and Spanning-Tree Explorer frames for each TrCRF. This limits the maximum number of hops an explorer is allowed to traverse. If a port determines that the explorer frame it is receiving has traversed more than the number of hops specified, it does not forward the frame. The TrCRF determines the number of hops an explorer has traversed based on the number of bridge hops in the route information field.
If you are configuring maximum hop counts for a TrCRF, ensure that you specify values for the aremaxhop and stemaxhop parameters when entering the set vlan command. Valid values are 1 to 14. The default is 7.
To specify the maximum number of bridge hops to be allowed in explorer packets for a TrCRF, perform this task in privileged mode:
| Task | Command |
|---|---|
| Specify the maximum number of bridge hops to be allowed in explorer packets for a TrCRF. | set vlan vlan_num aremaxhop hopcount stemaxhop hopcount |
After entering the set vlan command and specifying hopcount values, you see this display:
Console> (enable) set vlan 1000 aremaxhop 10 stemaxhop 10
Vlan 1000 configuration successful
To verify the configuration of Token Ring VLANs, perform this task:
| Task | Command |
|---|---|
| Verify the configuration. | show vlan [vlan_num] |
After entering the show vlan command and specifying a TrCRF, you see this display:
Console> (enable) show vlan 1003
VLAN Name Status Mod/Ports, Vlans
---- -------------------------------- --------- ----------------------------
1003 trcrf-default active 3/1-16
VLAN Type SAID MTU Parent RingNo BrdgNo Stp BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ ------ ---- -------- ------ ------
1003 trcrf 101003 4472 1005 0xccc - - srb 0 0
VLAN AREHops STEHops Backup CRF
---- ------- ------- ----------
1003 7 7 off
Console> (enable)
A TrCRF created in a management domain remains unused until it is associated with ports on the Catalyst 5000 series Token Ring module.
To group Token Ring module ports to a TrCRF, perform this task:
| Task | Command |
|---|---|
| Group Token Ring module ports into a TrCRF. | set vlan vlan_num mod/ports... |
After entering the set vlan command to group ports to a TrCRF, you see this display:
Console> (enable) set vlan 1000 3/1-3
VLAN 1000 modified.
Console> (enable)
To verify the configuration of Token Ring VLANs, enter this command:
| Task | Command |
|---|---|
| Verify the configuration. | show vlan [vlan_num] |
After entering the show vlan command and specifying a TrCRF, you see this display:
Console> (enable) show vlan 1003
VLAN Name Status Mod/Ports, Vlans
---- -------------------------------- --------- ----------------------------
1003 trcrf-default active 3/1-16
VLAN Type SAID MTU Parent RingNo BrdgNo Stp BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ ------ ---- -------- ------ ------
1003 trcrf 101003 4472 1005 0xccc - - srb 0 0
VLAN AREHops STEHops Backup CRF
---- ------- ------- ----------
1003 7 7 off
Console> (enable)
To clear the definition of a TrCRF or TrBRF, perform this task in privileged mode:
| Task | Command |
|---|---|
| Delete the VLAN. | clear vlan vlan_num |
This example shows how to delete a TrCRF from the management domain:
Console> (enable) clear vlan 1000
This command will deactivate all ports on vlan 1000 in the entire management domain
Do you want to continue(y/n) [n]?y
Vlan 1000 deleted.
Console> (enable)
| Caution When clearing a TrCRF, all the ports grouped to the TrCRF become inactive and remain inactive and associated with the TrCRF number until you assign them to a new TrCRF. |
This example shows how to delete a TrBRF from the management domain:
Console> (enable) clear vlan 999
Vlan 999 deleted
Console> (enable)
When an end station is physically moved to a new location, its attributes can be reassigned from a network management station via SNMP or the CLI. When an end station moves within the same VLAN, it retains its previously assigned attributes in its new location. When an end station moves to a different VLAN, the attributes of the new VLAN are applied to the end station, according to the security levels in place.
You can assign the IP address of a Catalyst 5000 series switch supervisor engine module to any VLAN. This mobility allows a network management station and workstations on any Catalyst 5000 VLAN to access directly another Catalyst 5000 series switch on the same VLAN without a router. Only one IP address can be assigned to a Catalyst 5000 series switch; if you reassign the IP address to a different VLAN, the previous IP address assignment to a VLAN is invalid.
VLANs allow ports on the same or different switches to be grouped so that traffic is confined to members of that group only. This feature restricts broadcast, unicast, and multicast traffic (flooding) only to ports included in a certain VLAN. Traffic between VLANs must be routed. You can set up VLANs for an entire management domain from a single Catalyst 5000 series switch. A maximum of 250 VLANs can be active at any time.
Figure 9-7 shows an example of VLANs segmented into logically defined networks.

Two Token Ring VLAN types are defined in VTP version 2:
Within a Token Ring VLAN, you can form logical rings by defining groups of ports that have the same ring number. In general, a TrCRF is limited to the ports in a Catalyst 5000 series switch. For an exception to this rule, see the "Adding or Changing TrCRF Parameters" section. Within the TrCRF, source-route switching is used for forwarding based on either MAC addresses or route descriptors. Frames can be switched between ports within a single TrCRF.
Multiple TrCRFs can be interconnected using a single TrBRF. The connection between the TrCRF and the TrBRF is referred to as a logical port. For source routing, the switch appears as a single bridge between the logical rings. The TrBRF can function as an SRB or SRT bridge running either the IBM or IEEE Spanning-Tree Protocol. If SRB is used, you can define duplicate MAC addresses on different logical rings.
Traditionally, one instance of Spanning-Tree Protocol is run for each VLAN to prevent loops in the bridge topology. However, Token Ring runs an instance of Spanning-Tree Protocol both at the TrCRF level and the TrBRF level. The Spanning-Tree Protocol at the TrCRF level removes loops in the logical ring. The TrBRF Spanning-Tree Protocol is similar to the Ethernet Spanning-Tree Protocol; it interacts with external bridges to remove loops from the bridge topology.
| Caution Certain parent TrBRF Spanning-Tree Protocol and TrCRF bridge mode configurations can place the logical ports (the connection between the TrBRF and the TrCRF) of the TrBRF in a blocked state. |
Within a Token Ring VLAN, logical rings can define port groups that have the same ring number. The IEEE calls this port group a TrCRF. A TrCRF is limited to the ports in a single Token Ring module on the Catalyst 5000 series switch. However, there is one exception to this rule, which is discussed in the "Adding or Changing TrCRF Parameters" section.
Within the TrCRF, source-route switching is used for forwarding based on either MAC addresses or route descriptors. If desired, the entire VLAN can operate as a single ring. Frames can be switched between ports within a single TrCRF.
As shown in Figure 9-8, multiple TrCRFs can be interconnected using a single TrBRF.
For source routing, the switch appears as a single bridge between the logical rings. The TrBRF can function as an SRB or SRT bridge running either the IBM or IEEE Spanning-Tree Protocol. If SRB is used, duplicate MAC addresses can be defined on different logical rings.
To accommodate SNA traffic, you can use a combination of SRT and SRB modes. In a mixed mode, the TrBRF considers some ports (logical ports connected to TrCRFs) to be operating in SRB mode while others are operating in SRT mode.
The TrBRF can be extended across a network of switches via high-speed uplinks between the switches. These links must be able to multiplex multiple VLANs and provide the necessary information to support logical rings.
By default, the Catalyst 5000 series switch is in the no-management domain state until it is configured with a management domain or receives an advertisement for a domain over a trunk link. If a switch receives an advertisement, it inherits the management domain name and configuration revision number. A switch ignores advertisements with a different management domain or an earlier configuration revision number and checks all received advertisements with the same domain for consistency. While a Catalyst 5000 series switch is in the no-management domain state, it is a VTP server; that is, it learns from received advertisements.
The set vtp command sets up the management domain, including establishing the management domain name, the VTP operation mode (server, client, or transparent), the interval between VLAN advertisements, and the password value. There is no default domain name (the value is set to null). The default VTP operation mode is set to server.
By default, the management domain is set to nonsecure mode without a password. A password sets the management domain to secure mode. You must configure a password on each Catalyst 5000 series switch in the management domain when in secure mode.
| Caution A management domain does not function properly if you do not assign a management domain password to each Catalyst 5000 series switch in the domain. |
The set vlan command uses the following parameters to create a VLAN in the management domain:
The Catalyst 5000 series switch uses the SAID parameter of the set vlan command to identify each VLAN on an 802.10 trunk. The default SAID for VLAN 1 is 100001, for VLAN 2 is 100002, for VLAN 3 is 100003, and so on. The default MTU is 1500 bytes. The default state is active on an 802.10 trunk.
When translating from one VLAN type (Ethernet, FDDI, FDDI NET, or TR NET) to another, the Catalyst 5000 series switch requires a different VLAN number for each media type.
VLANs consist of the following components:
A trunk is a point-to-point link between two Catalyst 5000 series switch ports or between a Catalyst 5000 series switch and a router. Trunks carry the traffic of multiple VLANs and allow you to extend VLANs from one Catalyst 5000 series switch to another. The Catalyst 5000 series switches support the following trunking methods for communicating VLAN information across high-performance backbones:
You can use any combination of these trunk technologies to form enterprise-wide VLANs and choose between low-cost copper and long-distance fiber connections for your trunks.
To create a VLAN trunk, enter the set trunk command to configure the port on each end of the link as a trunk port. You can also enter the set trunk command to change the mode of a trunk.
By default, the Dynamic ISL (DISL) protocol, which is used to negotiate ISL trunk links, is set to auto mode for all ports. In this mode, if the port is connected to another port that is either on or in desirable mode, it becomes a trunk port. Table 9-1 shows the different trunking modes and their functions.
| Mode | Function |
|---|---|
| on | Puts the port into permanent trunking mode and negotiates to convert the link into a trunk port. The port becomes a trunk port even if the other end of the link does not agree to the change. This mode is not allowed on IEEE 802.1Q ports. |
| off | Negotiates to convert the link into a nontrunk port. The port converts to a nontrunk port even if the other end of the link does not agree to the change. This is the default mode for FDDI trunks. This option is not allowed for ATM ports. |
| desirable | Makes the port actively attempt to become a trunk port. The port becomes a trunk if the port it is connected to allows trunking and is set to on, desirable, or auto mode. This mode is not allowed on IEEE 802.1Q, FDDI, and ATM ports. |
| auto | Makes the port willing to become a trunk port. The port becomes a trunk if the port it is connected to is set to on or desirable mode. This mode is not allowed on IEEE 802.1Q, FDDI, and ATM ports. This is the default mode for Fast Ethernet ports. |
| nonegotiate | Makes the port a trunk port but prevents the port from generating DISL frames used with ISL and IEEE 802.1Q Fast Ethernet trunks. |
For more information about the set trunk command, refer to the Catalyst 5000 Series Command Reference publication.
To configure a port as an ISL trunk (the default for Fast Ethernet ports), perform this task in privileged mode:
| Task | Command |
|---|---|
| Configure a port as an ISL trunk. | set trunk mod_num/port_num [on \| desirable \| auto \| nonegotiate] [vlans] |
After entering the set trunk command, you see this display:
Console> (enable) set trunk 1/1 on
Port(s) 1/1 trunk mode set to on.
Console> (enable) 2/20/1998,23:38:35:DISL-5:Port 1/1 has become trunk
| Task | Command |
|---|---|
| Configure a port as an 802.1Q trunk. | set trunk mod_num/port_num nonegotiate [vlans] dot1q |
| Caution DISL negotiation does not occur on IEEE 802.1Q trunks. You must configure the ports on both ends of the trunk link as 802.1Q trunks using the set trunk command with the nonegotiate and dot1q keywords. Expect spanning tree to block the port on the other end of the trunk link until you configure that end of the link as an 802.1Q trunk as well. Do not configure one end of a trunk as an 802.1Q trunk and the other end as an ISL trunk or a nontrunk port. Errors will occur and no traffic can pass over the link. |
After entering the set trunk nonegotiate dot1q command, you see this display:
Console> (enable) set trunk 4/5 nonegotiate dot1q
Port(s) 4/5 trunk mode set to nonegotiate.
Port(s) 4/5 trunk type set to dot1q.
Console> (enable) 2/20/1998,23:38:35:DISL-5:Port 1/1 has become dot1q trunk
By default, all VLANs are added to the allowed VLANs list for the trunk. If you want to remove VLANs from the allowed list, enter the clear trunk command. This prevents traffic for those VLANs from passing over the trunk. You cannot remove VLAN 1, the default VLAN, from the allowed list. Entering the clear trunk command without specifying VLANs returns the port to the default trunk type and mode for that port type.
| Task | Command |
|---|---|
| Remove specific VLANs from the allowed VLANs list for a trunk. | clear trunk mod_num/port_num vlans |
After entering the clear trunk command, you see this display:
Console> (enable) clear trunk 1/1 2-250
Removing Vlan(s) 2-250 from allowed list.
Port 1/1 allowed vlans modified to 1,251-1005.
Console> (enable)
If you want to add VLANs to the allowed list for a trunk after you removed them using clear trunk, enter the set trunk command to add the specific VLANs:
| Task | Command |
|---|---|
| Add specific VLANs to the allowed VLANs list for a trunk. | set trunk mod_num/port_num vlans |
Console> (enable) set trunk 1/1 100-110
Adding vlans 100-110 to allowed list.
Port(s) 1/1 allowed vlans modified to 1,100-110,251-1005.
Console> (enable)
| Task | Command |
|---|---|
| Return the port to the default trunking type and mode for that port type. | clear trunk mod_num/port_num |
| Turn off trunking on a port. | set trunk mod_num/port_num off |
To verify the trunking configuration, perform this task:
| Task | Command |
|---|---|
| Verify the trunking configuration. | show trunk [mod/port] |
This example shows how to verify the trunk configuration:
Console> (enable) show trunk
Port Mode Encapsulation Status Native vlan
-------- ----------- ------------- ------------ -----------
4/9 auto isl trunking 1
4/10 desirable isl trunking 1
Port Vlans allowed on trunk
-------- ---------------------------------------------------------------------
4/9 1-1005
4/10 1-1005
Port Vlans allowed and active in management domain
-------- ---------------------------------------------------------------------
4/9 1,4-5,1003,1005
4/10 1,4-5,1003,1005
Port Vlans in spanning tree forwarding state and not pruned
-------- ---------------------------------------------------------------------
4/9 1005
4/10 1005
Console> (enable)
If you configure an IEEE 802.1Q trunk on a port, you will see output similar to the following when you enter the show trunk command:
Console> (enable) show trunk 4/5
Port Mode Encapsulation Status Native vlan
-------- ----------- ------------- ------------ -----------
4/5 nonegotiate dot1q trunking 1
Port Vlans allowed on trunk
-------- ---------------------------------------------------------------------
4/5 1-1005
Port Vlans allowed and active in management domain
-------- ---------------------------------------------------------------------
4/5 1-3,1003,1005
Port Vlans in spanning tree forwarding state and not pruned
-------- ---------------------------------------------------------------------
4/5 1005
Console> (enable)
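The following added example (not part of the Cisco documentation) parses show trunk output and reports two things the sections above describe: ports still in a DISL mode where the far end decides whether the link trunks (auto or desirable in Table 9-1), and VLANs that remain on a trunk's allowed list although they are not active in the management domain, which are candidates for the clear trunk command. The function names and finding labels are assumptions made for this example.

```python
import re

# DISL modes from Table 9-1 in which the far end of the link decides
# whether this port becomes a trunk.
NEGOTIATING = {"auto", "desirable"}
DEFAULT_VLAN = 1  # the page states VLAN 1 cannot be removed from the allowed list

# Constructed sample: the page's "show trunk" output with line breaks restored.
SAMPLE = """\
Console> (enable) show trunk
Port      Mode         Encapsulation  Status        Native vlan
--------  -----------  -------------  ------------  -----------
 4/9      auto         isl            trunking      1
 4/10     desirable    isl            trunking      1
Port      Vlans allowed on trunk
--------  ------------------------------------------------------
 4/9      1-1005
 4/10     1-1005
Port      Vlans allowed and active in management domain
--------  ------------------------------------------------------
 4/9      1,4-5,1003,1005
 4/10     1,4-5,1003,1005
Port      Vlans in spanning tree forwarding state and not pruned
--------  ------------------------------------------------------
 4/9      1005
 4/10     1005
Console> (enable)
"""

# Header keyword -> name of the section that follows it.
SECTIONS = (
    ("Encapsulation", "mode"),
    ("allowed on trunk", "allowed"),
    ("allowed and active", "active"),
    ("forwarding state", "forwarding"),
)


def expand(vlans):
    """'1,4-5,1003' -> {1, 4, 5, 1003}"""
    out = set()
    for part in vlans.split(","):
        part = part.strip()
        if part:
            lo, _, hi = part.partition("-")
            out.update(range(int(lo), int(hi or lo) + 1))
    return out


def compress(vlans):
    """{2, 3, 6, 7, 8} -> '2-3,6-8'"""
    runs = []
    for n in sorted(vlans):
        if runs and n == runs[-1][1] + 1:
            runs[-1][1] = n
        else:
            runs.append([n, n])
    return ",".join(str(a) if a == b else f"{a}-{b}" for a, b in runs)


def parse_show_trunk(text):
    """Return {port: {mode, encapsulation, status, native, allowed, active, forwarding}}."""
    ports, section = {}, None
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("Port "):
            section = next((name for key, name in SECTIONS if key in s), None)
            continue
        m = re.match(r"(\d+/\d+)\s*(.*)$", s)
        if not m or section is None:
            continue  # prompt, dashes, or blank line
        entry = ports.setdefault(m.group(1), {})
        if section == "mode":
            fields = m.group(2).split()
            if len(fields) < 4:
                continue
            entry["mode"], entry["encapsulation"] = fields[0], fields[1]
            entry["status"], entry["native"] = fields[2], int(fields[3])
        else:
            entry[section] = expand(m.group(2))
    return ports


def port_key(port):
    mod, num = port.split("/")
    return int(mod), int(num)


def audit(text):
    """Return a list of (port, finding, detail) tuples, ordered by module/port."""
    findings = []
    ports = parse_show_trunk(text)
    for port in sorted(ports, key=port_key):
        p = ports[port]
        if p.get("mode") in NEGOTIATING:
            findings.append((port, "negotiating-mode", p["mode"]))
        unused = p.get("allowed", set()) - p.get("active", set()) - {DEFAULT_VLAN}
        if unused:
            findings.append((port, "allowed-not-active", compress(unused)))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding)
```
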
This section contains examples of VLAN and VLAN trunk configurations for ISL and IEEE 802.1Q trunks on Fast Ethernet ports, and an example of load-sharing VLAN traffic over trunk ports using spanning-tree priorities.
Figure 9-9 shows an example of a Fast Ethernet ISL configuration.

IEEE 802.1Q trunks are supported in Catalyst 5000 series software release 4.1 and later. 802.1Q trunks can only be configured on 802.1Q-capable hardware. Check the documentation for your hardware to see if your hardware is 802.1Q-capable. In software release 4.1, you must manually configure IEEE 802.1Q trunk ports on both ends of the link. DISL, the protocol used to negotiate ISL trunks (the default trunk type for Fast Ethernet), does not yet support 802.1Q. To properly configure an IEEE 802.1Q trunk, the trunk type (encapsulation), trunk mode, and native VLAN must be the same on both ends of the link.
In this example, an 802.1Q trunk is configured between port 1/1 on Switch 1 and port 4/1 on Switch 2. The initial network configuration is shown in Figure 9-10. Assume that the native VLAN is VLAN 1 on both ends of the link.

To configure a port as an 802.1Q trunk, enter the set trunk command. You must use the nonegotiate keyword when configuring a port as an 802.1Q trunk.
Switch 1> (enable) set trunk 1/1 nonegotiate dot1q
Port(s) 1/1 trunk mode set to nonegotiate.
Port(s) 1/1 trunk type set to dot1q.
Switch 1> (enable) 04/15/1998,22:02:17:DISL-5:Port 1/1 has become dot1q trunk
Switch 2> (enable) 04/15/1998,22:01:42:SPANTREE-2: Rcved 1Q-BPDU on non-1Q-trunk port 4/1 vlan 1.
04/15/1998,22:01:42:SPANTREE-2: Block 4/1 on rcving vlan 1 for inc trunk port.
04/15/1998,22:01:42:SPANTREE-2: Block 4/1 on rcving vlan 1 for inc peer vlan 2.
Switch 2> (enable)
Notice that after the port on Switch 1 is configured as an 802.1Q trunk, syslog messages (indicated by the arrows) are displayed on the Switch 2 console, and port 4/1 on Switch 2 is blocked. The Spanning-Tree Protocol blocks the port because there is a port-type inconsistency on the trunk link: port 1/1 on Switch 1 is configured as an 802.1Q trunk while port 4/1 on Switch 2 is configured as an ISL trunk (see Figure 9-11). Port 4/1 would also be blocked if it were configured as a nontrunk port.

Output from the show spantree and show spantree statistics commands on Switch 2 displays the problem (indicated by the arrows). The configuration mismatch exists until the port on Switch 2 is properly configured.
Switch 2> (enable) show spantree 1
VLAN 1
Spanning tree enabled
Spanning tree type ieee
Designated Root 00-60-09-79-c3-00
Designated Root Priority 32768
Designated Root Cost 0
Designated Root Port 1/0
Root Max Age 20 sec Hello Time 2 sec Forward Delay 15 sec
Bridge ID MAC ADDR 00-60-09-79-c3-00
Bridge ID Priority 32768
Bridge Max Age 20 sec Hello Time 2 sec Forward Delay 15 sec
Port Vlan Port-State Cost Priority Fast-Start Group-method
--------- ---- ------------- ----- -------- ---------- ------------
1/1 1 not-connected 4 32 disabled
1/2 1 not-connected 4 32 disabled
4/1 1 type-pvid-inconsistent 100 32 disabled
4/2 1 not-connected 100 32 disabled
<...output truncated...>
Switch 2> (enable) show spantree statistics 4/1
Port 4/1 VLAN 1
SpanningTree enabled for vlanNo = 1
BPDU-related parameters
port spanning tree enabled
state broken
port_id 0x8142
port number 0x142
path cost 100
message age (port/VLAN) 1(20)
designated_root 00-60-09-79-c3-00
designated_cost 0
designated_bridge 00-60-09-79-c3-00
designated_port 0x8142
top_change_ack FALSE
config_pending FALSE

port_inconsistency port_type & port_vlan
<...output truncated...>
Switch 2> (enable)
The misconfiguration is resolved by completing the 802.1Q configuration on Switch 2:
Switch 2> (enable) set trunk 4/1 nonegotiate dot1q
Port(s) 4/1 trunk mode set to nonegotiate.
Port(s) 4/1 trunk type set to dot1q.
Switch 2> (enable) 2/20/1998,23:41:15:DISL-5:Port 4/1 has become dot1q trunk
Port 4/1 on Switch 2 changes from blocking mode to forwarding mode once the port-type inconsistency is resolved (see Figure 9-12). (This assumes that there is no wiring loop present that would cause the port to be blocked normally by spanning tree. In either case, the port state would change from "type-pvid-inconsistent" to "blocking" in the show spantree output.)
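The mismatch described above can be tracked from collected syslog alone. The following added example (not part of the Cisco documentation) scans log lines for the SPANTREE-2 messages shown on this page and reports ports whose port-type inconsistency is still open. It assumes that a later DISL-5 "has become dot1q trunk" message for the same port marks the fix; the function name and the sample lines for port 4/2 are constructed for this example.

```python
import re
from datetime import datetime

# Constructed sample: message formats as printed on the page, plus a second
# port (4/2) whose configuration is never corrected.
SAMPLE_LOG = """\
Switch 2> (enable) 04/15/1998,22:01:42:SPANTREE-2: Rcved 1Q-BPDU on non-1Q-trunk port 4/1 vlan 1.
04/15/1998,22:01:42:SPANTREE-2: Block 4/1 on rcving vlan 1 for inc trunk port.
04/15/1998,22:01:42:SPANTREE-2: Block 4/1 on rcving vlan 1 for inc peer vlan 2.
04/15/1998,22:03:10:SPANTREE-2: Rcved 1Q-BPDU on non-1Q-trunk port 4/2 vlan 1.
04/15/1998,22:03:10:SPANTREE-2: Block 4/2 on rcving vlan 1 for inc trunk port.
04/15/1998,22:05:30:DISL-5:Port 4/1 has become dot1q trunk
"""

# date,time:FACILITY-severity:message (a console prompt may precede the date)
LINE = re.compile(r"(\d{1,2}/\d{1,2}/\d{4},\d{2}:\d{2}:\d{2}):([A-Z]+)-(\d):\s*(.*)$")
RCVD = re.compile(r"Rcved 1Q-BPDU on non-1Q-trunk port (\d+/\d+) vlan (\d+)")
BLOCK = re.compile(r"Block (\d+/\d+) on rcving vlan (\d+) for inc (.+?)\.?$")
DOT1Q = re.compile(r"Port (\d+/\d+) has become dot1q trunk")


def open_inconsistencies(log_text):
    """Return {port: {first_seen, vlans, reasons}} for ports still blocked."""
    state = {}
    for raw in log_text.splitlines():
        m = LINE.search(raw.strip())
        if not m:
            continue
        when = datetime.strptime(m.group(1), "%m/%d/%Y,%H:%M:%S")
        facility, msg = m.group(2), m.group(4)
        if facility == "SPANTREE":
            hit = RCVD.search(msg) or BLOCK.search(msg)
            if not hit:
                continue
            rec = state.setdefault(
                hit.group(1), {"first_seen": when, "vlans": set(), "reasons": set()}
            )
            rec["vlans"].add(int(hit.group(2)))
            if hit.re is BLOCK:
                rec["reasons"].add(hit.group(3))
        elif facility == "DISL":
            fixed = DOT1Q.search(msg)
            if fixed:
                # Assumption: the port has now been configured as an 802.1Q
                # trunk, so the earlier inconsistency is treated as closed.
                state.pop(fixed.group(1), None)
    return state


if __name__ == "__main__":
    for port, rec in open_inconsistencies(SAMPLE_LOG).items():
        print(port, rec["first_seen"].isoformat(), sorted(rec["reasons"]))
```
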

Verify the 802.1Q configuration on Switch 1 by entering the show trunk and show spantree commands:
Switch 1> (enable) show trunk 1/1
Port Mode Encapsulation Status Native vlan
-------- ----------- ------------- ------------ -----------
1/1 nonegotiate dot1q trunking 1
Port Vlans allowed on trunk
-------- ---------------------------------------------------------------------
1/1 1-1005
Port Vlans allowed and active in management domain
-------- ---------------------------------------------------------------------
1/1 1-3,1003,1005
Port Vlans in spanning tree forwarding state and not pruned
-------- ---------------------------------------------------------------------
1/1 1005
Switch 1> (enable) show spantree 1
VLAN 1
Spanning tree enabled
Spanning tree type ieee
Designated Root 00-60-09-79-c3-00
Designated Root Priority 32768
Designated Root Cost 0
Designated Root Port 1/1
Root Max Age 20 sec Hello Time 2 sec Forward Delay 15 sec
Bridge ID MAC ADDR 00-10-29-b5-30-00
Bridge ID Priority 49152
Bridge Max Age 20 sec Hello Time 2 sec Forward Delay 15 sec
Port Vlan Port-State Cost Priority Fast-Start Group-method
--------- ---- ------------- ----- -------- ---------- ------------
1/1 1 forwarding 4 32 disabled
1/2 1 not-connected 4 32 disabled
<...output truncated...>
Switch 1> (enable)
The output shows that the port 1/1 is an IEEE 802.1Q trunk port, that its status is "trunking," and that the port-state is "forwarding" (indicated by the arrows).
Verify the configuration on Switch 2 by entering the show trunk and show spantree commands:
Switch 2> (enable) show trunk 4/1
Port Mode Encapsulation Status Native vlan
-------- ----------- ------------- ------------ -----------
4/1 nonegotiate dot1q trunking 1
Port Vlans allowed on trunk
-------- ---------------------------------------------------------------------
4/1 1-1005
Port Vlans allowed and active in management domain
-------- ---------------------------------------------------------------------
4/1 1-3,1003,1005
Port Vlans in spanning tree forwarding state and not pruned
-------- ---------------------------------------------------------------------
4/1 1005
Switch 2> (enable) show spantree 1
VLAN 1
Spanning tree enabled
Spanning tree type ieee
Designated Root 00-60-09-79-c3-00
Designated Root Priority 32768
Designated Root Cost 0
Designated Root Port 1/0
Root Max Age 20 sec Hello Time 2 sec Forward Delay 15 sec
Bridge ID MAC ADDR 00-60-09-79-c3-00
Bridge ID Priority 32768
Bridge Max Age 20 sec Hello Time 2 sec Forward Delay 15 sec
Port Vlan Port-State Cost Priority Fast-Start Group-method
--------- ---- ------------- ----- -------- ---------- ------------
1/1 1 not-connected 4 32 disabled
1/2 1 not-connected 4 32 disabled
4/1 1 forwarding 100 32 disabled
4/2 1 not-connected 100 32 disabled
<...output truncated...>
Switch 2> (enable)
The output shows that port 4/1 is an IEEE 802.1Q trunk port, that its status is "trunking," and that the port-state is "forwarding" (indicated by the arrows).
Verify connectivity across the trunk using the ping command:
Switch 1> (enable) ping switch_2
switch_2 is alive
Switch 1> (enable)
Using spanning-tree port-VLAN priorities, you can load-share VLAN traffic over parallel trunk ports so that traffic from some VLANs travels over one trunk, while traffic from other VLANs travels over the other trunk. This configuration allows traffic to be carried over both trunks simultaneously (rather than keeping one trunk in blocking mode), which reduces the total traffic carried over each trunk while still maintaining a fault-tolerant configuration.
Figure 9-13 shows a parallel trunk configuration between two Catalyst 5000 series switches, using the Fast Ethernet uplink ports on the supervisor engine.

By default, the port-VLAN priority for both trunks is equal (a value of 32). Therefore, the Spanning-Tree Protocol blocks port 1/2 (Trunk 2) for each VLAN on Switch 1 to prevent forwarding loops. Trunk 2 is not used to forward traffic unless Trunk 1 fails.
This example shows how to configure the Catalyst 5000 series switches so that traffic from multiple VLANs is load-balanced over the parallel trunks.
Step 1 Configure a VTP domain on both Switch 1 and Switch 2 (by entering the set vtp command) so that the VLAN information configured on Switch 1 is learned by Switch 2. Make sure Switch 1 is a VTP server. You can configure Switch 2 as a VTP client or as a VTP server:
Switch_1> (enable) set vtp domain BigCorp mode server
VTP domain BigCorp modified
Switch_1> (enable)
Switch_2> (enable) set vtp domain BigCorp mode server
VTP domain BigCorp modified
Switch_2> (enable)
Step 2 Create the VLANs on Switch 1 by entering the set vlan command. In this example, you see VLANs 10, 20, 30, 40, 50, and 60, as follows:
Switch_1> (enable) set vlan 10
Vlan 10 configuration successful
Switch_1> (enable) set vlan 20
Vlan 20 configuration successful
Switch_1> (enable) set vlan 30
Vlan 30 configuration successful
Switch_1> (enable) set vlan 40
Vlan 40 configuration successful
Switch_1> (enable) set vlan 50
Vlan 50 configuration successful
Switch_1> (enable) set vlan 60
Vlan 60 configuration successful
Switch_1> (enable)
Step 3 Verify the VTP and VLAN configuration on Switch 1 by entering the show vtp domain and show vlan commands as follows:
Switch_1> (enable) show vtp domain
Domain Name Domain Index VTP Version Local Mode Password
-------------------------------- ------------ ----------- ----------- ----------
BigCorp 1 2 server -
Vlan-count Max-vlan-storage Config Revision Notifications
---------- ---------------- --------------- -------------
11 1023 13 disabled
Last Updater V2 Mode Pruning PruneEligible on Vlans
--------------- -------- -------- -------------------------
172.20.52.10 disabled enabled 2-1000
Switch_1> (enable) show vlan
VLAN Name Status Mod/Ports, Vlans
---- -------------------------------- --------- ----------------------------
1 default active 1/1-2
2/1-12
5/1-2
10 VLAN0010 active
20 VLAN0020 active
30 VLAN0030 active
40 VLAN0040 active
50 VLAN0050 active
60 VLAN0060 active
1002 fddi-default active
1003 token-ring-default active
1004 fddinet-default active
1005 trnet-default active
<...output truncated...>
Switch_1> (enable)
Step 4 Configure the supervisor engine uplinks on Switch 1 as ISL trunk ports by entering the set trunk command. Specifying the desirable mode on the Switch 1 ports causes the ports on Switch 2 to negotiate to become trunk links (assuming that the Switch 2 uplinks are in the default auto mode).
Switch_1> (enable) set trunk 1/1 desirable
Port(s) 1/1 trunk mode set to desirable.
Switch_1> (enable) 04/21/1998,03:05:05:DISL-5:Port 1/1 has become isl trunk
Switch_1> (enable) set trunk 1/2 desirable
Port(s) 1/2 trunk mode set to desirable.
Switch_1> (enable) 04/21/1998,03:05:13:DISL-5:Port 1/2 has become isl trunk
Step 5 Verify that the trunk links are up by entering the show trunk command as follows:
Switch_1> (enable) show trunk 1
Port Mode Encapsulation Status Native vlan
-------- ----------- ------------- ------------ -----------
1/1 desirable isl trunking 1
1/2 desirable isl trunking 1
Port Vlans allowed on trunk
-------- ---------------------------------------------------------------------
1/1 1-1005
1/2 1-1005
Port Vlans allowed and active in management domain
-------- ---------------------------------------------------------------------
1/1 1,10,20,30,40,50,60
1/2 1,10,20,30,40,50,60
Port Vlans in spanning tree forwarding state and not pruned
-------- ---------------------------------------------------------------------
1/1
1/2
Switch_1> (enable)
Step 6 When the trunk links come up, VTP passes the VTP and VLAN configuration to Switch 2. Verify that Switch 2 has learned the VLAN configuration by entering the show vlan command on Switch 2:
Switch_2> (enable) show vlan
VLAN Name Status Mod/Ports, Vlans
---- -------------------------------- --------- ----------------------------
1 default active
10 VLAN0010 active
20 VLAN0020 active
30 VLAN0030 active
40 VLAN0040 active
50 VLAN0050 active
60 VLAN0060 active
1002 fddi-default active
1003 token-ring-default active
1004 fddinet-default active
1005 trnet-default active
<...output truncated...>
Switch_2> (enable)
Step 7 It will take one or two minutes for spanning tree to converge. Once the network stabilizes, check the spanning-tree state of each trunk port on Switch 1 by entering the show spantree command.
Trunk 1 is forwarding for all VLANs. Trunk 2 is blocking for all VLANs. On Switch 2, both trunks are forwarding for all VLANs, but no traffic passes over Trunk 2 because port 1/2 on Switch 1 is blocking.
Switch_1> (enable) show spantree 1/1
Port Vlan Port-State Cost Priority Fast-Start Group-method
--------- ---- ------------- ----- -------- ---------- ------------
1/1 1 forwarding 19 32 disabled
1/1 10 forwarding 19 32 disabled
1/1 20 forwarding 19 32 disabled
1/1 30 forwarding 19 32 disabled
1/1 40 forwarding 19 32 disabled
1/1 50 forwarding 19 32 disabled
1/1 60 forwarding 19 32 disabled
1/1 1003 not-connected 19 32 disabled
1/1 1005 not-connected 19 4 disabled
Switch_1> (enable) show spantree 1/2
Port Vlan Port-State Cost Priority Fast-Start Group-method
--------- ---- ------------- ----- -------- ---------- ------------
1/2 1 blocking 19 32 disabled
1/2 10 blocking 19 32 disabled
1/2 20 blocking 19 32 disabled
1/2 30 blocking 19 32 disabled
1/2 40 blocking 19 32 disabled
1/2 50 blocking 19 32 disabled
1/2 60 blocking 19 32 disabled
1/2 1003 not-connected 19 32 disabled
1/2 1005 not-connected 19 4 disabled
Switch_1> (enable)
Step 8 Divide the configured VLANs into two groups. You might want traffic from half of the VLANs to go over one trunk link and half over the other, or if one VLAN has heavier traffic than the others, you can have traffic from that VLAN go over one trunk and traffic from the other VLANs go over the other trunk link.
In this example, VLANs 10, 20, and 30 (Group 1) are forwarded over Trunk 1, and VLANs 40, 50, and 60 (Group 2) are forwarded over Trunk 2.
Step 9 On Switch 1, enter the set spantree portvlanpri command to change the port-VLAN priority for the Group 1 VLANs on Trunk 1 (port 1/1) to an integer value lower than the default of 32.
Switch_1> (enable) set spantree portvlanpri 1/1 1 10
Port 1/1 vlans 1-9,11-1004 using portpri 32.
Port 1/1 vlans 10 using portpri 1.
Port 1/1 vlans 1005 using portpri 4.
Switch_1> (enable) set spantree portvlanpri 1/1 1 20
Port 1/1 vlans 1-9,11-19,21-1004 using portpri 32.
Port 1/1 vlans 10,20 using portpri 1.
Port 1/1 vlans 1005 using portpri 4.
Switch_1> (enable) set spantree portvlanpri 1/1 1 30
Port 1/1 vlans 1-9,11-19,21-29,31-1004 using portpri 32.
Port 1/1 vlans 10,20,30 using portpri 1.
Port 1/1 vlans 1005 using portpri 4.
Switch_1> (enable)
Step 10 On Switch 1, change the port-VLAN priority for the Group 2 VLANs on Trunk 2 (port 1/2) to an integer value lower than the default of 32.
Switch_1> (enable) set spantree portvlanpri 1/2 1 40
Port 1/2 vlans 1-39,41-1004 using portpri 32.
Port 1/2 vlans 40 using portpri 1.
Port 1/2 vlans 1005 using portpri 4.
Switch_1> (enable) set spantree portvlanpri 1/2 1 50
Port 1/2 vlans 1-39,41-49,51-1004 using portpri 32.
Port 1/2 vlans 40,50 using portpri 1.
Port 1/2 vlans 1005 using portpri 4.
Switch_1> (enable) set spantree portvlanpri 1/2 1 60
Port 1/2 vlans 1-39,41-49,51-59,61-1004 using portpri 32.
Port 1/2 vlans 40,50,60 using portpri 1.
Port 1/2 vlans 1005 using portpri 4.
Switch_1> (enable)
Step 11 On Switch 2, change the port-VLAN priority for the Group 1 VLANs on Trunk 1 (port 1/1) to the same value you configured for those VLANs on Switch 1.
| Caution The port-VLAN priority for each VLAN must be equal on both ends of the link. |
Switch_2> (enable) set spantree portvlanpri 1/1 1 10
Port 1/1 vlans 1-9,11-1004 using portpri 32.
Port 1/1 vlans 10 using portpri 1.
Port 1/1 vlans 1005 using portpri 4.
Switch_2> (enable) set spantree portvlanpri 1/1 1 20
Port 1/1 vlans 1-9,11-19,21-1004 using portpri 32.
Port 1/1 vlans 10,20 using portpri 1.
Port 1/1 vlans 1005 using portpri 4.
Switch_2> (enable) set spantree portvlanpri 1/1 1 30
Port 1/1 vlans 1-9,11-19,21-29,31-1004 using portpri 32.
Port 1/1 vlans 10,20,30 using portpri 1.
Port 1/1 vlans 1005 using portpri 4.
Switch_2> (enable)
Step 12 On Switch 2, change the port-VLAN priority for the Group 2 VLANs on Trunk 2 (port 1/2) to the same value you configured for those VLANs on Switch 1.
Switch_2> (enable) set spantree portvlanpri 1/2 1 40
Port 1/2 vlans 1-39,41-1004 using portpri 32.
Port 1/2 vlans 40 using portpri 1.
Port 1/2 vlans 1005 using portpri 4.
Switch_2> (enable) set spantree portvlanpri 1/2 1 50
Port 1/2 vlans 1-39,41-49,51-1004 using portpri 32.
Port 1/2 vlans 40,50 using portpri 1.
Port 1/2 vlans 1005 using portpri 4.
Switch_2> (enable) set spantree portvlanpri 1/2 1 60
Port 1/2 vlans 1-39,41-49,51-59,61-1004 using portpri 32.
Port 1/2 vlans 40,50,60 using portpri 1.
Port 1/2 vlans 1005 using portpri 4.
Switch_2> (enable)
Step 13 When you have configured the port-VLAN priorities on both ends of the link, the spanning tree converges to use the new configuration.
Check the spanning-tree port states on Switch 1 by entering the show spantree command. The Group 1 VLANs should be forwarding on Trunk 1 and blocking on Trunk 2. The Group 2 VLANs should be blocking on Trunk 1 and forwarding on Trunk 2.
Switch_1> (enable) show spantree 1/1
Port Vlan Port-State Cost Priority Fast-Start Group-method
--------- ---- ------------- ----- -------- ---------- ------------
1/1 1 forwarding 19 32 disabled
1/1 10 forwarding 19 1 disabled
1/1 20 forwarding 19 1 disabled
1/1 30 forwarding 19 1 disabled
1/1 40 blocking 19 32 disabled
1/1 50 blocking 19 32 disabled
1/1 60 blocking 19 32 disabled
1/1 1003 not-connected 19 32 disabled
1/1 1005 not-connected 19 4 disabled
Switch_1> (enable) show spantree 1/2
Port Vlan Port-State Cost Priority Fast-Start Group-method
--------- ---- ------------- ----- -------- ---------- ------------
1/2 1 blocking 19 32 disabled
1/2 10 blocking 19 32 disabled
1/2 20 blocking 19 32 disabled
1/2 30 blocking 19 32 disabled
1/2 40 forwarding 19 1 disabled
1/2 50 forwarding 19 1 disabled
1/2 60 forwarding 19 1 disabled
1/2 1003 not-connected 19 32 disabled
1/2 1005 not-connected 19 4 disabled
Switch_1> (enable)
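The checks in Steps 11 through 13 can be automated. The following added example (not part of the Cisco documentation) parses show spantree mod/port output from both switches, reports any port-VLAN priority that differs between the two ends of a trunk, and compares the port states on Switch 1 with the intended VLAN groups. The function names, the LINKS and GROUPS tables, and the Switch 2 sample are assumptions constructed for this example.

```python
import re

# Switch 1: the page's Step 13 output with line breaks restored
# (VLANs 1003 and 1005 omitted).
SWITCH_1 = """\
Switch_1> (enable) show spantree 1/1
Port      Vlan  Port-State     Cost   Priority  Fast-Start  Group-method
 1/1      1     forwarding       19         32   disabled
 1/1      10    forwarding       19          1   disabled
 1/1      20    forwarding       19          1   disabled
 1/1      30    forwarding       19          1   disabled
 1/1      40    blocking         19         32   disabled
 1/1      50    blocking         19         32   disabled
 1/1      60    blocking         19         32   disabled
Switch_1> (enable) show spantree 1/2
 1/2      1     blocking         19         32   disabled
 1/2      10    blocking         19         32   disabled
 1/2      20    blocking         19         32   disabled
 1/2      30    blocking         19         32   disabled
 1/2      40    forwarding       19          1   disabled
 1/2      50    forwarding       19          1   disabled
 1/2      60    forwarding       19          1   disabled
"""

# Switch 2: constructed for this example. Step 11 was skipped for VLAN 30,
# so its priority on port 1/1 is still the default of 32.
SWITCH_2 = """\
 1/1      1     forwarding       19         32   disabled
 1/1      10    forwarding       19          1   disabled
 1/1      20    forwarding       19          1   disabled
 1/1      30    forwarding       19         32   disabled
 1/1      40    forwarding       19         32   disabled
 1/1      50    forwarding       19         32   disabled
 1/1      60    forwarding       19         32   disabled
 1/2      1     forwarding       19         32   disabled
 1/2      10    forwarding       19         32   disabled
 1/2      20    forwarding       19         32   disabled
 1/2      30    forwarding       19         32   disabled
 1/2      40    forwarding       19          1   disabled
 1/2      50    forwarding       19          1   disabled
 1/2      60    forwarding       19          1   disabled
"""

LINKS = {"1/1": "1/1", "1/2": "1/2"}               # Switch 1 port -> Switch 2 port
GROUPS = {"1/1": {10, 20, 30}, "1/2": {40, 50, 60}}  # intended forwarding trunk

# port, vlan, state, cost, priority, fast-start
ROW = re.compile(r"^\s*(\d+/\d+)\s+(\d+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(\S+)")


def parse_show_spantree(text):
    """Return {(port, vlan): {"state", "cost", "priority"}}; other lines are ignored."""
    rows = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            port, vlan, state, cost, prio, _fast = m.groups()
            rows[(port, int(vlan))] = {
                "state": state, "cost": int(cost), "priority": int(prio)}
    return rows


def priority_mismatches(local, peer, links):
    """(port, vlan, local_priority, peer_priority) where the two ends differ."""
    out = []
    for (port, vlan), row in sorted(local.items()):
        far = peer.get((links.get(port), vlan))
        if far and far["priority"] != row["priority"]:
            out.append((port, vlan, row["priority"], far["priority"]))
    return out


def placement_errors(rows, groups):
    """(vlan, port, state) where the blocking-side switch deviates from the plan."""
    out = []
    for (port, vlan), row in sorted(rows.items()):
        owner = next((p for p, vlans in groups.items() if vlan in vlans), None)
        if owner is None or port not in groups:
            continue
        want = "forwarding" if port == owner else "blocking"
        if row["state"] != want:
            out.append((vlan, port, row["state"]))
    return out


if __name__ == "__main__":
    s1, s2 = parse_show_spantree(SWITCH_1), parse_show_spantree(SWITCH_2)
    print("priority mismatches:", priority_mismatches(s1, s2, LINKS))
    print("placement errors:", placement_errors(s1, GROUPS))
```

Run against output captured after a trunk failure, placement_errors lists the VLANs that have moved to the surviving trunk.
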
Figure 9-14 shows the network after you configure VLAN traffic load-sharing.

The advantage of the configuration shown in Figure 9-14 is that both trunks are utilized when the network is operating normally and, if one trunk link fails, the other trunk link acts as an alternate forwarding path for the traffic previously traveling over the failed link.
Suppose that Trunk 1 fails in the network shown in Figure 9-14. The Spanning-Tree Protocol reconverges to use Trunk 2 to forward traffic from all the VLANs, as shown in the following example:
Switch_1> (enable) 04/21/1998,03:15:40:DISL-5:Port 1/1 has become non-trunk
Switch_1> (enable) show spantree 1/1
Port Vlan Port-State Cost Priority Fast-Start Group-method
--------- ---- ------------- ----- -------- ---------- ------------
1/1 1 not-connected 19 32 disabled
Switch_1> (enable) show spantree 1/2
Port Vlan Port-State Cost Priority Fast-Start Group-method
--------- ---- ------------- ----- -------- ---------- ------------
1/2 1 learning 19 32 disabled
1/2 10 learning 19 32 disabled
1/2 20 learning 19 32 disabled
1/2 30 learning 19 32 disabled
1/2 40 forwarding 19 1 disabled
1/2 50 forwarding 19 1 disabled
1/2 60 forwarding 19 1 disabled
1/2 1003 not-connected 19 32 disabled
1/2 1005 not-connected 19 4 disabled
Switch_1> (enable) show spantree 1/2
Port Vlan Port-State Cost Priority Fast-Start Group-method
--------- ---- ------------- ----- -------- ---------- ------------
1/2 1 forwarding 19 32 disabled
1/2 10 forwarding 19 32 disabled
1/2 20 forwarding 19 32 disabled
1/2 30 forwarding 19 32 disabled
1/2 40 forwarding 19 1 disabled
1/2 50 forwarding 19 1 disabled
1/2 60 forwarding 19 1 disabled
1/2 1003 not-connected 19 32 disabled
1/2 1005 not-connected 19 4 disabled
Switch_1> (enable)
To configure dynamic port VLAN membership, complete these tasks:
Before configuring the VMPS, you must perform these tasks:
When you enable the VMPS, it begins to download the configuration information from the TFTP server. After a successful download, the VMPS task is started, and it accepts the VMPS requests. To enable the VMPS, use this procedure:
| Task | Command |
|---|---|
| Step 1 Configure the IP address of the TFTP server on which the ASCII file resides. | set vmps tftpserver ip_addr [filename] |
| Step 2 Enable VMPS. | set vmps state {enable \| disable} |
The set vmps tftpserver ip_addr [filename] command specifies the VMPS database location. The filename is the name of the ASCII VMPS file.
After entering the set vmps state enable command, you see this display:
Console> (enable) set vmps state enable
Vlan Membership Policy Server enable is in progress.
The set vmps state enable command sets the VMPS state in NVRAM to enable. If the VMPS was previously disabled, this command initiates a background task to begin the database download. After a successful database download, this command sets the operational status to active.
You can also enter the following VMPS-related commands:
Console> (enable) set vmps state disable
All the VMPS configuration information will be lost and the resources released on disable.
Do you want to continue (y/n[n]): yes
Vlan Membership Policy Server disabled.
For more information, refer to the Catalyst 5000 Series Command Reference publication.
Enter these commands to verify the status of port VLAN membership:
For more information, refer to the Catalyst 5000 Series Command Reference publication.
Table 9-2 shows sample error messages and actions you need to take after entering the set vmps state {enable | disable} command.
| Error Message | Recommended Action |
|---|---|
| TFTP server IP address is not configured. | Enter the set vmps tftpserver ip_addr [filename] command and configure the TFTP server address. |
| Unable to contact the TFTP server 198.4.254.222. | Enter the set route command to reach the TFTP server. |
| File "vmps_configuration.db" not found on the TFTP server 198.4.254.222. | Create a configuration file in the file server. |
| Enable failed due to insufficient resources. | The Catalyst 5000 series switch does not have sufficient resources to run the database. You can fix this problem by increasing the dynamic random-access memory (DRAM). |
Table 9-3 shows sample error messages and actions you need to take after entering the download vmps command.
| Error Message | Recommended Action |
|---|---|
| TFTP server IP address is not configured. | Enter the set vmps tftpserver ip_addr [filename] command and configure the TFTP server address. |
| Unable to contact the TFTP server 198.4.254.222. | Enter the set route command to reach the TFTP server. This message is printed to the syslog server. |
| File "vmps_configuration.db" not found on the TFTP server 198.4.254.222. | Create a configuration file in the file server. This message is printed to the syslog server. |
After the VMPS successfully downloads the ASCII configuration file, it parses the file and builds a database. The VMPS outputs the statistics about the total number of lines parsed and the number of parsing errors. Set the syslog level for VMPS to 3 to obtain more information on the errors.
The following describes the parameters in the configuration file:
A sample VMPS configuration file is shown below.
!vmps domain <domain-name>
! The VMPS domain must be defined.
!vmps mode { open | secure }
! The default mode is open.
!vmps fallback <vlan-name>
!vmps no-domain-req { allow | deny }
!
! The default value is allow.
vmps domain WBU
vmps mode open
vmps fallback default
vmps no-domain-req deny
!
!
!MAC Addresses
!
vmps-mac-addrs
!
! address <addr> vlan-name <vlan_name>
!
address 0012.2233.4455 vlan-name hardware
address 0000.6509.a080 vlan-name hardware
address aabb.ccdd.eeff vlan-name Green
address 1223.5678.9abc vlan-name ExecStaff
address fedc.ba98.7654 vlan-name --NONE--
address fedc.ba23.1245 vlan-name Purple
!
!Port Groups
!
!vmps-port-group <group-name>
! device <device-id> { port <port-name> | all-ports }
!
vmps-port-group WiringCloset1
device 198.92.30.32 port 3/2
device 172.20.26.141 port 2/8
vmps-port-group "Executive Row"
device 198.4.254.222 port 1/2
device 198.4.254.222 port 1/3
device 198.4.254.223 all-ports
!
!
!VLAN groups
!
!vmps-vlan-group <group-name>
! vlan-name <vlan-name>
!
vmps-vlan-group Engineering
vlan-name hardware
vlan-name software
!
!
!VLAN port Policies
!
!vmps-port-policies {vlan-name <vlan_name> | vlan-group <group-name> }
! { port-group <group-name> | device <device-id> port <port-name> }
!
vmps-port-policies vlan-group Engineering
port-group WiringCloset1
vmps-port-policies vlan-name Green
device 198.92.30.32 port 4/8
vmps-port-policies vlan-name Purple
device 198.4.254.22 port 1/2
port-group "Executive Row"
The VMPS opens a UDP socket to communicate with clients and listen to client requests. Upon receiving a valid request from a client, the VMPS searches its database for a MAC address-to-VLAN mapping.
If the assigned VLAN is restricted to a group of ports, the VMPS verifies the requesting port against this group. If the VLAN is legal on this port, the VLAN name is passed in the response. If the VLAN is illegal on that port and the VMPS is not in secure mode, it sends an access denied response. If the VMPS is in secure mode, it sends a port shutdown response.
If the VLAN from the table does not match the current VLAN on the port and there are active hosts on the port, the VMPS sends an access denied or a port shutdown response based on the secure mode of the VMPS.
You can configure a fallback VLAN name into the VMPS. If the requested MAC address is not in the table, the VMPS sends the fallback VLAN name in response. If you do not configure a fallback VLAN and the MAC address does not exist in the table, the VMPS sends an access denied response. If the VMPS is in secure mode, it sends a port shutdown response.
You can also make an explicit entry in the configuration table to deny access to specific MAC addresses for security reasons by specifying a --NONE-- keyword for the VLAN name. In this case, the VMPS sends an access denied or port shutdown response.
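The lookup rules described above, worked through as an added Python example (not Cisco's implementation and not part of this publication): it parses a database in the format of the sample file and returns the response to a client query. The names parse_vmps and decide, the response strings, and the contents of SAMPLE_DB are assumptions made for the illustration; the check against the VLAN currently active on the port is not modelled.

```python
import shlex

# Constructed database in the sample file's format (not from a real network).
SAMPLE_DB = """\
vmps mode open
vmps fallback default
vmps-mac-addrs
address 0012.2233.4455 vlan-name hardware
address fedc.ba98.7654 vlan-name --NONE--
vmps-port-group WiringCloset1
 device 198.92.30.32 port 3/2
 device 198.4.254.223 all-ports
vmps-vlan-group Engineering
 vlan-name hardware
vmps-port-policies vlan-group Engineering
 port-group WiringCloset1
"""

def parse_vmps(text):
    db = {"mode": "open", "fallback": None, "macs": {}, "policies": {}}
    pgroups, vgroups, cur = {}, {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue                       # blank line or "!" comment
        t = shlex.split(raw)               # keeps quoted names such as "Executive Row"
        if t[0] == "vmps" and t[1] in ("mode", "fallback"):
            db[t[1]] = t[2]
        elif t[0] == "address":
            db["macs"][t[1].lower()] = t[3]
        elif t[0] in ("vmps-port-group", "vmps-vlan-group"):
            cur = (pgroups if "port" in t[0] else vgroups).setdefault(t[1], [])
        elif t[0] == "vmps-port-policies":   # VLAN (or VLAN group) -> permitted ports
            vlans = vgroups[t[2]] if t[1] == "vlan-group" else [t[2]]
            cur = db["policies"].setdefault(frozenset(vlans), [])
        elif t[0] == "device":
            cur.append((t[1], "*" if t[2] == "all-ports" else t[3]))
        elif t[0] == "vlan-name":
            cur.append(t[1])
        elif t[0] == "port-group":
            cur.extend(pgroups[t[1]])
    return db

def decide(db, mac, device, port):
    deny = "port-shutdown" if db["mode"] == "secure" else "access-denied"
    vlan = db["macs"].get(mac.lower())
    if vlan is None:                       # MAC not in table: fallback VLAN, else deny
        return db["fallback"] or deny
    allowed = {p for vl, ports in db["policies"].items() if vlan in vl for p in ports}
    ok = not allowed or bool(allowed & {(device, port), (device, "*")})
    return vlan if vlan != "--NONE--" and ok else deny
```

With the constructed database, a MAC address that is not in the table receives the fallback VLAN default; with the fallback line removed and vmps mode secure, the same query returns a port shutdown.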
To configure dynamic port VLAN membership on a client, use the procedure shown in this section.
These prerequisites apply to configuring dynamic ports:
To configure dynamic ports on clients, perform these steps:
| Task | Command |
|---|---|
| Step 1 Configure the VMPS IP address to be queried on the client. | set vmps server ip_addr [primary] |
| Step 2 Configure the VLAN membership assignment to a port. | set port membership mod_num/port_num {dynamic \| static} |
To verify the status of the VMPS IP address, enter these commands:
Console> (enable) show vmps server
VMPS domain server     VMPS Status
---------------------------------------
192.0.0.6
192.0.0.1              primary
192.0.0.9
To verify the status of port VLAN membership, enter these commands:
Console> (enable) set port membership help
Usage: set port membership < mod_num / port_num..> < dynamic | static >
Console> (enable) set port membership 3/1-3 dynamic
Ports 3/1-3 vlan assignment set to dynamic.
Spantree port fast start option enabled for ports 3/1-3.
Console> (enable) set port membership 1/2 dynamic
Trunking port 1/2 vlan assignment cannot be set to dynamic.
Console> (enable) set port membership 2/1 dynamic
ATM LANE port 2/1 vlan assignment can not be set to dynamic.
Console> show port
Port Name  Status  Vlan  Level  Duplex Speed Type
1/1        connect dyn-3 normal full   100   100 BASE-TX
1/2        connect trunk normal half   100   100 BASE-TX
2/1        connect trunk normal full   155   OC3 MMF ATM
3/1        connect dyn-5 normal half   10    10 BASE-T
3/2        connect dyn-5 normal half   10    10 BASE-T
3/3        connect dyn-5 normal half   10    10 BASE-T
Console> (enable) reconfirm vmps
reconfirm process started
Use 'show dvlan statistics' to see reconfirm status
Console> (enable)
A port might shut down under the following circumstances:
If a dynamic port shuts down, enter the set port enable mod_num/port_num command to reenable the port.
Figure 9-15 shows an example of a dynamic port configuration.
Refer to Figure 9-15. For this example, the following assumptions apply:

Use this procedure to configure the VMPS and dynamic ports:
Step 1 Configure Switch 1 as the primary VMPS, by performing these tasks on Switch 1:
(a) Configure the IP address of the TFTP server on which the ASCII file resides as follows:
Console> (enable) set vmps tftpserver 172.20.22.7 Bldg-G.db
(b) Enable the VMPS as follows:
Console> (enable) set vmps state enable
After entering these commands, the file Bldg-G.db is downloaded to Switch 1. Switch 1 becomes the VMPS server.
Step 2 Configure dynamic ports on the clients, Switch 2 and Switch 9, by performing these tasks:
(a) Configure the primary VMPS IP address on Switch 2 as follows:
Console> (enable) set vmps server 172.20.26.150 primary
Entering this command on Switch 2 designates the VMPS switch to be queried. The primary switch option configures Switch 1 as the primary VMPS.
(b) Configure the secondary VMPS IP addresses on Switch 2 as follows:
Console> (enable) set vmps server 172.20.26.152
Console> (enable) set vmps server 172.20.26.159
(c) Verify the VMPS IP addresses as follows:
Console> (enable) show vmps server
Switches 1, 3, and 10 are configured as VMPSs. Switch 1 is the primary VMPS. Switches 3 and 10 are secondary servers. All the switches are clients.
(d) Configure port 3/1 on Switch 2 as dynamic as follows:
Console> (enable) set port membership 3/1 dynamic
Suppose you connect End Station 2 on port 3/1. When End Station 2 sends a packet, Switch 2 sends a query to the primary VMPS, Switch 1. Switch 1 responds with a VLAN that is assigned to port 3/1. Because Spanning-Tree Protocol (Portfast mode) is enabled by default for dynamic ports, port 3/1 is immediately connected and enters forwarding mode.
Step 3 Configure dynamic ports on Switch 9 by repeating Step 2 for Switch 9.
Dynamic ports work in conjunction with the VMPS, which holds a database of MAC address-to-VLAN mappings.
On the Catalyst 5000 series switch hardware platform, a dynamic (nontrunking) port can belong to only one VLAN at a time. Upon link-up, a dynamic port is isolated from its static VLAN. The source MAC address from the first packet of a new host on the dynamic port is sent to the VMPS, which provides the VLAN number to which this port must be assigned. When a new host sends a packet on a dynamic port, the Network Management Processor (NMP) detects the packet. The NMP, using status information from the host packet, sends a query to the VMPS, and then the VMPS responds with options. For example, suppose the NMP sends a query to the VMPS, and the VMPS response is "Place port in VLAN X." The port is then placed in VLAN X if the response is valid. At this point, the host is connected to VLAN X through the switch fabric.
Multiple hosts (MAC addresses) can be active on a dynamic port, provided they are all in the same VLAN. Upon link-down, a dynamic port moves back to a state in which it is isolated from other VLANs, and the port ends in its initial state. Any hosts that come online through this port are detected by the NMP and checked with the VMPS before these hosts are allowed network VLAN connectivity.
Dynamic port VLAN membership interacts with the following features:
Posted: Wed Aug 2 15:46:45 PDT 2000
Copyright 1989-2000©Cisco Systems Inc.