Cisco® CCNP Switch Exam Cram Notes : Configuring And Verifying VLANS

1. Layer2 Technologies

1.3 Configure and Verify VLANs

A VLAN is a group of devices on one or more logically segmented LANs. All devices working on a VLAN will have same broadcast domain. Like routers, switches (Layer 2) have the ability to provide domain broadcast segmentation called a VLAN. Using VLAN technology, you can group switch ports and their connected users into logically defined communities of interest. A VLAN operating on a Catalyst switch limits transmission of unicast, multicast, and broadcast traffic to only the other ports belonging to that VLAN, thereby controlling broadcasts.

To associate a switch with a management VLAN, you need to assign an IP address to the switch. The subnet portion of the switch IP address must match the subnet number of the management VLAN. Note that switches can maintain an IP stack, which enables us to manage the switches either locally, as well as remotely by Telnet.

Frame tagging is a technique used to uniquely identify a frame as it is forwarded through the switch fabric.

The benefits of VLANS include:

1. Easy Administration resulting in reduced administration costs,

2. Increased Security due to broadcast control, if you are using simple hub, you can observe traffic corresponding to any node by simply inserting a Network analyzer.

3. Grouping based on functional requirements irrespective of physical location of nodes, Simplify moves, adds, changes,

4. Distribution of traffic thereby using the network bandwidth more efficiently.

1. ISL: A Cisco proprietary trunking protocol, associated with Ethernet.. Supported by Catalyst switches and routers.

2. 802.1Q: This is an IEEE standard for the VLAN trunking protocols, associated with Ethernet. A VLAN identifier is inserted into the frame header, a technique called frame tagging.

3. 802.10: A Cisco proprietary method for transporting VLAN information inside the standard 802.10 FDDI frames.

4. LANE: LANE stands for LAN Emulation and is associated with ATM. This is an IEEE standard for transporting frames over ATM networks.


It is important to know the difference between a collision domain and a broadcast domain.

When you use Hubs, all the nodes connected to the hub will be in the same collision domain. However, when you use switches and implement VLANs, each VLAN will be in a separate broadcast domain. The packet forwarding between VLANs is achieved through the use of routing.

You use "show vlan" or "show vlan vlan#" command to see the configuration details of VLANs. The command "sh vlan" will display the configuration information for all VLANs, where as the command "sh vlan vlan#" shows only the configuration information pertaining to that vlan. For example, if you want to see the configuration information for vlan2, you give the command "sh vlan 2

Different types of VLAN

There are different types of VLANs, viz Native VLAN, Management VLAN, and Default VLAN which may be confusing. The terms are a little confusing. By default, all three are one and the same. VLAN 1 is the default and native VLAN that is used for management functions. However, you may change the native VLAN to some other number (from VLAN 1) for security reasons. Once the native VLAN is changed (to say, VLAN 2) the the management VLAN will be VLAN2. Note that native VLAN is not tagged. Different terms are as explained below:

1. Default VLAN: It is the the native VLAN that is used for management functions by default it is VLAN 1. However, you may change the native VLAN to any other number by using the following command:

(config-if)#switchport trunk native vlan 2

You may verify the native vlan using the show command:

(config-if)#do show interface f0/8 trunk

Port Mode Encapsulation Status Native vlan
Fa0/ on 802.1q other 2
The default VLAN is still VLAN 1.

2. Native VLAN: It is an untagged VLAN. Unttaged VLAN traffic does not have a .1q tag on trunk.

3. Management VLAN: it is the native vlan used for in-band management (SNMP trap source, syslog source interface, telnet, ssh access to a device). By default, VLAN 1 is management VLAN in Cisco switches.

4. Normal VLAN traffic: All normal VLAN traffic (other than native vlan) will have a VLAN tag (.1q tag) attached while traversing the trunk ports.

Note: Trunk ports send and receive tagged frames always. If an untagged frame is received they should ideally discard it, however .1q allows you to send untagged frames on a trunk link provided, your end devices (routers and switches) know which vlan they belong to.

Inter-Switch Link (ISL) is a Cisco proprietary VLAN trunking protocols, used for switched VLAN networks. ISL encapsulates the original Ethernet frame, and a VLAN-ID is inserted into the ISL header among several other fields.

The interface configuration command used to select the voice VLAN mode that will be used is given below:

switch(config-if)# switchport voice vlan {vlan-id | dot1p | untagged | none}

vlan-id: here the PC data is carried on native VLAN and the voice packets are carried on a separate voice vlan.

Dot1p: here the PC data is carried on native vlan and voice packets are carried on vlan 0.

Untagged: here both PC data and voice packets are carried on the native vlan. No separate voice vlan is required.

The default condition for every switch port is none, where a trunk is not used. All other modes, except "none" use special 802.1Q trunk.

Three parameters are required for defining an MST region. These are:

1. The region name

2. Configuration revision number

3. Instance to VLAN mappings

1. Switch(config)# monitor session 1 source vlan 1 - 5 rx 

Sets up vlans 1 though 5 (receive traffic) for monitoring.

2. Switch(config)# monitor session 1 destination interface gigabitethernet0/2 

Sets up destination interface to which the monitored traffic is mirrored.

3. Switch(config)# monitor session 1 source vlan 10 

Vlan 10 is added to the monitored traffic.

VLAN based SPAN allows VLAN be monitored instead of a simple physical port.

An SVI (Switched Virtual Interface) is used in multilayer switching. It has no physical significance. A vlan needs to be defined and assigned an ip address by using the commands:

Switch(config)# interface vlan <vlan-id>
Switch(config-if)# ip address <ip-address> <mask>

The first command defines a vlan given by the <vlan-id>. The second command assigns an IP address to the vlan. Here the SVI is represented physically by the specified vlan.

There are two common methods of VLAN Hopping

1. Switch Spoofing: A Switch Spoofing attack is used to exploit the network by configuring an end system (such as a work station) to mimic a switch. Here, the attacker emulates an ISL or 802.1q protocol, thus signaling with Dynamic Trunk Protocol signaling. If the attack is successful, the end system will have a membership across all VLANs. Thus the attacker may gain access to any network resource.

2. Double Tagging: Here, the attacker tags transmitted frames with double headers, both of which as 802.1q headers. This will allow the frames to be forwarded into the wrong VLAN. Double Tagging works because the first switch that the frames reach strips the first of the two 802.1q headers, and then forwards the frame with the second header destined for the victim VLAN.

Prevention: It can be avoided by disabling any unused switch ports and assigning them to a VLAN that is not being used. Explicitly disable DTP on all user ports to set them to non-trunking mode and/or force it to be an access port. To do this on a cisco switch, use the switchport nonegotiate and switchport mode access interface configuration commands.

End-to-end VLANs are typically implemented when the network traffic follows 80/20 rule. That is, 80% of the traffic is within the campus, and 20% is directed towards remote resources. The following are the important characteristics of end-to-end VLANs:

1. Users are grouped into a VLAN based on function, not location.

2. The user belongs to the same VLAN no matter where he plugs his PC into the network.

3. End-to-end VLANs are typically used for security reasons or resource requirements.

4. End-to-end VLANs are difficult to implement and troubleshoot. This is because the end-to-end VLAN spans across the enterprise, and identifying a problem node would be difficult.

The important characteristics of a Local VLANs compared to End-to-end VLAN are given below:

1. They are recommended where the traffic flow follows 20/80 rule, that is 80% of the user generated traffic is remote to the campus, and only 20% is local.

2. Local LANs are easy to maintain. Local LANs are typically confined to a floor or an area in a building and do not span several areas (or floors) in a building or campus.

3. Note that if a frame in a local VLAN needs to travel to another VLAN in the campus, a layer 3 device is required, which is resource intensive. Therefore, as the interVLAN traffic increases, you should consider End-to-end VLANs.

The following are the important characteristics of Dynamic VLANs and Static VLANs:

Static VLANs : which are also known as Port-based VLANs are created by manually assigning ports to a VLAN. When a device is connected to a port it automatically assumes the VLAN that the port is assigned to. If the user changes the port and still needs to access the same VLAN, the network administrator has to manually assign the access port on the switch to the VLAN. Static VLANs are generally used to reduce broadcast and to increase the security. Since static VLANs have a small administrative overhead and provide good security than traditional switches, they are widely used. Another strong point of static VLANs is the ability to control where the user moves within a large network. By assigning specific ports on the switches in the network, the network administrators can control access and limit the network resources that can be used by the users.

Dynamic VLANs : In dynamic VLANs the VLANs are assigned to switch ports using a centralized Policy Server. The policy server will have a mapping of Physical address (like MAC address) of a host to corresponding VLAN. The Policy Server will automatically assign the designated VLAN to the switch port after looking up into the VLAN-MAC address table. Therefore, even if a host is moved from one switch to another, the host will retain the same VLAN. However, dynamic VLANs are considered to be less secure than Static VLANs. For example, an attacker may spoof your Mac address over a wireless LAN and gain access to the company's network.

Static VLANs are also known as Port based VLANs. They are created by assigning ports on a switch to specific VLANs. Any host connected to a given port on a switch is automatically assigned the VLAN of the switch port. On the other hand, in dynamic VLANs, the VLANs are assigned to switch ports using a centralized Policy Server. The policy server will have a mapping of Physical address (like MAC address) of a host to corresponding VLAN. The Policy Server will automatically assign the designated VLAN to the switch port after looking up into the VLAN-MAC address table. Therefore, even if a host is moved from one switch to another, the host will retain the same VLAN. However, dynamic VLANs are considered to be less secure than Static VLANs. For example, an attacker may spoof your Mac address over a wireless LAN and gain access to the company's network.

When switch VLAN information is modified, the VTP configuration revision number and the configuration revision database number get modified.

For communicating between VLANs, you need a layer 3 device. Note that VLANs operate at Layer-2. When the access ports are configured with two distinct VLANs, the switch will not port the frames that belong to a different VLAN.

Example: Refer to the figure. VLAN10, VLAN20, and VLAN30 have been configured on the switch ML-SW1. Host computers are on VLAN 20 (, servers are on VLAN 30 (, and the management VLAN is on VLAN10 ( Hosts are able to ping each other but are unable to communicate with the servers. What is the most likely problem?

Configuring Vlan on switch

As per the exhibit, it appears that the VLAN IP address for VLAN 30 has not been configured. You need to configure the VLAN interfaces with the IP address as below:

Switch#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#interface Vlan30
Switch(config-if)#ip address
Switch(config-if)#no shutdown

Roaming between LAPs and autonomous APs is NOT supported. The reason is that, when connected to LWAPP APs, traffic is passed through an LWAPP tunnel. Since there is no mobility tunnel between the Wireless LAN Controller and the autonomous APs, the roam does not work.

When using light weight access point, all the traffic goes through Access Point, then through the Wireless Controller, and then back to Access Point, and then to the destination host. Wireless encryption can still be used to secure data over the air, as with traditional WLANs. However, the encrypted data does not pass through the LWAPP or CAPWAP tunnel at all. Packets are encrypted as they leave the wireless client and unencrypted when they arrive on the LAP. The same is true for packet authentication, if it is used.

One of the key principles behind the LWAPP and CAPWAP protocol architecture is that of a split 802.11 MAC (Media Access Control). Since the real processing power is implemented in controllers, most of the functions are performed in the controller instead of the access point. This concept is called "Split-MAC" by Cisco and most other controller-based vendors. The Lightweight Access Point is mainly limited to front-end activities. Even the rf power setting is usually done by the controller.

The Lightweight AP and Wireless Controller are linked by the LWAPP/CAPWAP protocol. The protocol uses a "control" channel (port 5246) for access point management, configuration, and control, and a "data" channel (port 5247) for forwarding of user traffic between the two entities. The control messages are sent securely over LWAPP control tunnel. The user data is not encoded or secured and sent via "data" channel.

The SSID needs to be consistent for a wireless client to roam between LWAPs that are managed by the same WLC. However, if the LAPs are managed by different WLCs, then the Mobility group must be same on the WLCs. A Mobility Group is a group of Wireless LAN Controllers (WLCs) in a network with the same Mobility Group name. These WLCs can dynamically share context and state of client devices, WLC loading information, and can also forward data traffic among them, which enables inter-controller wireless LAN roaming and controller redundancy. Note that the WLCs may be in the same or different IP subnet or VLAN. WLCs use what is known as Ether-IPtunnel to transfer User traffic from one WLC to another.

Assuming that a User (or Client) originally joined the WLAN on WLC1, WLC1 will always refer to itself as the User's anchor point. Any controller that is serving the User from a different subnet is known as a foreign agent. As the client continues to roam, the anchor WLC will follow its movement by shifting the Ether-IP tunnel to connect with the User's foreign WLC.

In order for a wireless client to seamlessly roam between mobility group members (WLCs), WLAN's SSID and security configuration must be configured identically across all WLCs comprising the mobility group

The following are true about LAP operation in sequential order:

1. LAP first learns it IP address from a DHCP server.

2. LAP obtains the IP address of WLC from a DHCP server, usually using Option 43 that provides a list of available WLCs. (Alternatively, you can assign WLC IP address statically on LAP using CLI.)

3. The LAP sends a join request to the first WLC from the list of IP addresses leaned from DHCP server. If that one fails to answer, the next WLC is tried. When a WLC accepts the LAP, it sends a join reply back to the LAP, resulting in a mutual binding between the two devices.

4. The WLC compares the LAP's code image release with the one stored locally. If they differ, the LAP downloads the code image stored on the WLC and reboots itself.

5. The WLC and LAP build a secure LWAPP or CAPWAP tunnel for management traffic and wireless client data LAP client forms a LWAPP tunnel to the WLC. Therefore, the individual VLANs of the clients are not carried through the switch to the WLC. The proper configuration commands are:

1. Switch(config-if)# switchport
2. Switch(config-if)# switchport access vlan 100
3. Switch(config-if)# switchport mode access
4. switch(config-if)# spanning-tree portfast


ote that if Autonomous Access Point (instead of LAP), then it is required to configure the switch port as trunk port. This is because the VLANs are carried over the switch port to the distribution layer switch.

The switch interfaces feeding a WLC should be configured as trunk links. Some WLCs need a single interface, others have several interfaces that should be bundled into a single EtherChannel. The WLC shown in Figure has a four-interface Gigabit EtherChannel.

Note that we need to use the command "channel-group 1 mode on" because the WLC cannot negotiate an EtherChannel. Therefore, we cannot use other options like "desirable

This procedure for a LAP to register with a WLC is:

1. The LAP issues a DHCP request to a DHCP server in order to get an IP address, unless an assignment was made previously with a static IP address.

2. If Layer-2 LWAPP is supported on the LAP, the LAP broadcasts an LWAPP discovery message in a Layer-2 LWAPP frame. Any WLC that is connected to the network and that is configured for Layer-2 LWAPP mode responds with a Layer 2 discovery response. If the LAP does not support Layer 2 mode, or if the WLC or the LAP fails to receive an LWAPP discovery response to the Layer 2 LWAPP discovery message broadcast, the LAP proceeds to step 3.

3. If step 1 fails, or if the LAP or the WLC does not support Layer 2 LWAPP mode, the LAP attempts a Layer 3 LWAPP WLC discovery.

4. If step 3 fails, the LAP resets and returns to step 1

Here the client roams in the same subnet, known as layer-2 roaming. A layer-2 roam occurs when a WLAN client moves from one access point to another within the same subnet. If the client moves to a new access point on a different IP subnet, layer-3 roaming occurs. Roaming is always a client station decision and the client station is responsible for detecting, evaluating, and roaming to an alternative access point.

The following is the proper sequence of events that wireless client takes during the process of association with an accesspoint.

1. Client sends probe request

2. Access point sends probe response or beacon

3. Client initiates association process

4. Access point accepts association of the client

5. AP adds client's MAC address to association table

Unknown unicast flooding attack : To forward the incoming frames to the destination MAC address the switch looks up this address in the address table, hoping to find the switch port and VLAN where the destination address is attached. If it is found, the frame is forwarded out to the corresponding switch port. If the address is not found in the table, the switch must take more drastic action: The frame is flooded out to all switch ports assigned to the source VLAN. This is known as unknown unicast flooding , because the location of the unicast destination is unknown.

PoE Methods

Method Name Power Offered
Cisco Inline Power ILP 7W
IEEE 802.3af PoE 15.4W
IEEE 802.3at PoE+ 25.5W
Cisco Universal PoE  UPoE 60W

To telnet to a switch, the following are required:

1. Assignment of ip address and subnetmask to the management vlan,

2. Assignment of default gateway IP address.

The following are the typical steps in preparing a switch for telnet access:

Switch(config)# interface vlan <vlan-id>
Switch(config-if)# ip address <ip-address> <subnet-mask>
Switch(config-if)# ip default-gateway <ip-address>
Switch(config-if)# no shutdown

QoS: When frames (layer 2) carried from one switch boundary to another switch boundary, prioritization of traffic can be achieved by utilizing the Class of Service field (CoS) of the frame tag. For prioritization of traffic, both 802.1Q, and ISL provide a field to represent CoS of each frame. The value 0 of the CoS field indicates lowest priority, and the value 7 indicates the highest priority frame. CoS information is passed along ISL and 802.1Q trunks.

Traffic shaping is generally used for limiting the overall traffic. VOIP is a time sensitive traffic, and generic traffic shaping may not be suitable for VOIP traffic on a switch interface. Traffic policing is sensitive to the type of traffic (such as VOIP or any time critical traffic) and is suitable for use on a switch. GTS and AGTS are traffic shaping method used on Cisco routers.

Inline power is available on Catalyst 3550-24-PWR, Catalyst 4500, and Catalyst 6500 switches.

The trust boundary is an administrative boundary (normally used where external network interfaces). Here the CoS or DSCP values are either accepted or rejected based on the QoS restrictions of the switch interface.

Virtual private networks (VPNs) provide enterprise-scale connectivity on a shared infrastructure such as Internet. Tunneling is a feature designed for service providers who carry traffic of multiple customers across their networks and are required to maintain the VLAN and Layer 2 protocol configurations of each customer without impacting the traffic of other customers.

Using the 802.1Q tunneling feature, service providers can use a single VLAN to support customers who have multiple VLANs. Customer VLAN IDs are preserved and traffic from different customers is segregated within the service-provider infrastructure even when they appear to be on the same VLAN. The 802.1Q tunneling expands VLAN space by using a VLAN-in-VLAN hierarchy and tagging the tagged packets. A port configured to support 802.1Q tunneling is called a tunnel port. When you configure tunneling, you assign a tunnel port to a VLAN that is dedicated to tunneling.

Example: Given the partial configuration

As per the configuration, VLANs 1-5 are configured for port 0/1. Therefore, these VLANs will be transported on port 0/1. The other port will be in blocked state as far as these VLANs are concerned. On the otherhand, VLANs 6-10 are configured for port 0/2. Therefore, the traffic on these VLANs will be carried through port 0/2. The other port, port 0/10 will be in blocked state as far as VLANs 6-10 are concerned. In the event of a failure to the active port, the blocked port will become active and all the traffic will be carried on that port. Note that the default port priority is 128. By setting a value of 16, the port is given higher priority (lower value=higher port priority) for given VLANs, whereas other VLANs will still be set with default port priority (128).

vlan configration example

Previous   Contents   Next

CCNP Switch Cram Notes Contents ad