| By Sheldon L | Published at 2020-05-20 | Updated at 2020-05-20 |
ISL
802.1q
Access ports: An access port belongs to and carries the traffic of only one VLAN. Traffic is both received and sent in native formats with no VLAN information (tagging) at all. Anything arriving on an access port is simply assumed to belong to the VLAN assigned to the port. Because an access port doesn’t look at the source address, a frame with added VLAN information can be correctly forwarded and received only on trunk ports. Switches remove any VLAN information from the frame before it’s forwarded out to an access-link device.
Voice access ports: Nowadays, most switches will allow you to add a second VLAN to an access port on a switch port for your voice traffic, called the voice VLAN. The voice VLAN used to be called the auxiliary VLAN, which allowed it to be overlaid on top of the data VLAN, enabling both types of traffic to travel through the same port. Even though this is technically considered to be a different type of link, it’s still just an access port that can be configured for both data and voice VLANs. This allows you to connect both a phone and a PC device to one switch port but still have each device in a separate VLAN.
Trunk ports: A trunk link is a 100, 1,000, 10,000 Mbps, or more, point-to-point link between two switches, between a switch and router, or even between a switch and server, and it carries the traffic of multiple VLANs—from 1 to 4,094 VLANs at a time. But the amount is really only up to 1,001 unless you’re going with extended VLANs. And you can’t use, change, rename, or delete VLANs 1 (default VLAN) or 1002 through 1005 because they’re reserved. The VLAN numbers above 1005 are called extended VLANs and won’t be saved in the database unless your switch is set to what is called VLAN Trunking Protocol (VTP) transparent mode.
Router on a stick (ROAS): Instead of using a router interface for each VLAN, you can use one FastEthernet inter- face and run ISL or 802.1q trunking.
switchport mode access: The port would be a dedicated layer 2 access port.switchport mode dynamic auto: The interface becomes a trunk interface if the neighboring interface is set to trunk or desirable mode.switchport mode dynamic desirable: The interface becomes a trunk interface if the neighboring interface is set to trunk, desirable, or auto mode.switchport mode trunk: Puts the interface into permanent trunking mode and negotiates to convert the neighboring link into a trunk link.switchport nonegotiate: Prevents the interface from generating DTP (Dynamic Trunking Protocol) frames. You can use this command only when the interface switchport mode is access or trunk. You must manually confi gure the neighboring interface as a trunk interface to establish a trunk link.S1(config)#vlan ?
WORD ISL VLAN IDs 1-4094
access-map Create vlan access-map or enter vlan access-map command mode
dot1q dot1q parameters
filter Apply a VLAN Map
group Create a vlan group
internal internal VLAN
S1(config)#vlan 2
S1(config-vlan)#name Sales
S1(config-vlan)#vlan 3
S1(config-vlan)#name Marketing
S1(config-vlan)#vlan 4
S1(config-vlan)#name Accounting
S1(config-vlan)#vlan 5
S1(config-vlan)#name Voice
S1(config-vlan)#^Z
S1#
S1# sh vlan
VLAN Name Status Ports
---- ------------------------- --------- -------------------------------
1 default active Fa0/1, Fa0/2, Fa0/3, Fa0/4
Fa0/5, Fa0/6, Fa0/7, Fa0/8
Fa0/9, Fa0/10, Fa0/11, Fa0/12
Fa0/13, Fa0/14, Fa0/19, Fa0/20
Fa0/21, Fa0/22, Fa0/23, Gi0/1
Gi0/2
2 Sales active
3 Marketing active
4 Accounting active
5 Voice active
[output cut]
! Only displays access ports,
! so where do you think ports Fa15–18 are?
! They are trunked ports.
S1# show interfaces trunk
Port Mode Encapsulation Status Native vlan
Fa0/15 desirable n-isl trunking 1
Fa0/16 desirable n-isl trunking 1
Fa0/17 desirable n-isl trunking 1
Fa0/18 desirable n-isl trunking 1
Port Vlans allowed on trunk
Fa0/15 1-4094
Fa0/16 1-4094
Fa0/17 1-4094
Fa0/18 1-4094
[output cut]
S1#sh interfaces fastEthernet 0/15 switchport
Name: Fa0/15
Switchport: Enabled
Administrative Mode: dynamic desirable
Operational Mode: trunk
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: isl
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
[output cut]
! shows us the administrative mode of dynamic desirable
S3#config t
S3(config)#int fa0/3
S3(config-if)#switchport ?
access Set access mode characteristics of the interface
autostate Include or exclude this port from vlan link up calculation
backup Set backup for the interface
block Disable forwarding of unknown uni/multi cast addresses
host Set port host
mode Set trunking mode of the interface
nonegotiate Device will not engage in negotiation protocol on this
interface
port-security Security related command
priority Set appliance 802.1p priority
private-vlan Set the private VLAN configuration
protected Configure an interface to be a protected port
trunk Set trunking characteristics of the interface
voice Voice appliance attributes voice
S3(config-if)#switchport mode ?
access Set trunking mode to ACCESS unconditionally
dot1q-tunnel set trunking mode to TUNNEL unconditionally
dynamic Set trunking mode to dynamically negotiate access or trunk mode
private-vlan Set private-vlan mode
trunk Set trunking mode to TRUNK unconditionally
S3(config-if)#switchport mode access
S3(config-if)#switchport access vlan 3
S3(config-if)#switchport voice vlan 5
S3#show vlan
VLAN Name Status Ports
---- ------------------------ --------- -------------------------------
1 default active Fa0/4, Fa0/5, Fa0/6, Fa0/7
Fa0/8, Fa0/9, Fa0/10, Fa0/11,
Fa0/12, Fa0/13, Fa0/14, Fa0/19,
Fa0/20, Fa0/21, Fa0/22, Fa0/23,
Gi0/1 ,Gi0/2
2 Sales active
3 Marketing active Fa0/3]]> 5 Voice active Fa0/3
! port Fa0/3 is now a member of VLAN 3 (access) and VLAN 5 (voice)
S3#sh int fa0/3 switchport
Name: Fa0/3
Switchport: Enabled
Administrative Mode: static access
Operational Mode: static access
Administrative Trunking Encapsulation: negotiate
Negotiation of Trunking: Off
S1(config)#int range f0/15-18
S1(config-if-range)#switchport trunk encapsulation dot1q
! dot1q = 802.1q
S1(config-if-range)#switchport mode trunk
S1(config-if-range)#do sh int f0/15 swi
Name: Fa0/15
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
S1(config-if-range)#do sh int trunk
Port Mode Encapsulation Status Native vlan
Fa0/15 on 802.1q trunking 1
Fa0/16 on 802.1q trunking 1
Fa0/17 on 802.1q trunking 1
Fa0/18 on 802.1q trunking 1
Port Vlans allowed on trunk
Fa0/15 1-4094
Fa0/16 1-4094
Fa0/17 1-4094
Fa0/18 1-4094
S1# sh int trunk
[output cut]
Port Vlans allowed on trunk
Fa0/15 1-4094
Fa0/16 1-4094
Fa0/17 1-4094
Fa0/18 1-4094
S1(config)#int f0/15
S1(config-if)# switchport trunk allowed vlan 4,6,12,15
S1(config-if)# do show int trunk
[output cut]
Port Vlans allowed on trunk
Fa0/15 4,6,12,15
Fa0/16 1-4094
Fa0/17 1-4094
Fa0/18 1-4094
S1(config-if)# switchport trunk allowed vlan remove 4-8
S1(config-if)# do show int trunk
S1(config-if)#switchport trunk allowed vlan all
S1(config-if)# do show int trunk
S1(config)#int f0/15
S1(config-if)#switchport trunk native vlan ?
<1-4094> VLAN ID of the native VLAN when this port is in trunking mode
S1(config-if)#switchport trunk native vlan 4
! If all switches don’t have the same native VLAN configured
! on the given trunk links, then we’ll start to receive this error
1w6d: %CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on
FastEthernet0/15 (4), with S3 FastEthernet0/1 (1).
S1#sh run int f0/15
Building configuration...
Current configuration : 202 bytes
!
interface FastEthernet0/15
description 1st connection to S3
switchport trunk encapsulation dot1q
switchport trunk native vlan 4
switchport trunk allowed vlan 4,6,12,15
switchport mode trunk
! set the native VLAN back to the default to fix it.
S1(config-if)#no switchport trunk native vlan
1w6d: %SPANTREE-2-UNBLOCK_CONSIST_PORT: Unblocking FastEthernet0/15
on VLAN0004. Port consistency restored.
(X) ISR
------- F0/0: 192.168.10.1/28
|------ F0/0.2: 192.168.1.65/26
|------ F0/0.10: 192.168.1.129/27
|
| [=] 2960
|------ Port 4: VLAN 10 --------------
|------ Port 2,3: VLAN 2 ------------ |
------- Port 1: dotq1 trunk | | |
| | |
------------------------- | |
| -------------- |
| | |
[_] A [_] B [_] C
ISR#config t
ISR(config)#int f0/0.1
ISR(config-subif)#encapsulation ?
dot1Q IEEE 802.1Q Virtual LAN
ISR(config-subif)#encapsulation dot1Q ?
<1-4094> IEEE 802.1Q VLAN ID
2960# config t
2960(config)# int f0/1
2960(config-if)# switchport mode trunk
2960(config-if)# int f0/2
2960(config-if)# switchport access vlan 2
2960(config-if)# int f0/3
2960(config-if)# switchport access vlan 2
2960(config-if)# int f0/4
2960(config-if)# switchport access vlan 10
ISR#config t
ISR(config)#int fa0/0
ISR(config-if)#ip address 192.168.10.1 255.255.255.240
ISR(config-if)#no shutdown
ISR(config-if)#int f0/0.2
ISR(config-subif)#encapsulation dot1q 2
ISR(config-subif)#ip address 192.168.1.65 255.255.255.192
ISR(config-subif)#int f0/0.10
ISR(config-subif)#encapsulation dot1q 10
ISR(config-subif)#ip address 192.168.1.129 255.255.255.224
2960#config t
2960(config)#int vlan 1
2960(config-if)#ip address 192.168.10.2 255.255.255.0
2960(config-if)#no shutdown
2960(config-if)#exit
2960(config)#ip default-gateway 192.168.10.1
(X) I'm Virtual
||
----- [X] 3560 -----
| |
[=] VLAN 10 [=] VLAN 20
192.168.10.1/24 192.168.20.1/24
| |
[_] [_]
192.168.10.2/24 192.168.20.2/24
3560(config)#ip routing
3560(config)#int vlan 10
3560(config-if)#ip address 192.168.10.1 255.255.255.0
3560(config-if)#int vlan 20
3560(config-if)#ip address 192.168.20.1 255.255.255.0
[=] S1 Access
G0/1----------------------- [_] PC
G0/2----------------------- [|] Server
--------- G1/1 Access
| Trunk G1/2 ------------
| |
| |
| [=] S2 [=] S3 | Trunk
| G1/1 ------ G1/1 |
----- G1/2 G1/2 ----
Trunk
S1#sh spanning-tree vlan 1
VLAN0001
Spanning tree enabled protocol ieee
Root ID Priority 32769
Address 0001.42A7.A603
This bridge is the root**
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 32769 (priority 32768 sys-id-ext 1)
Address 0001.42A7.A603 him
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 20
Interface Role Sts Cost Prio.Nbr Type
------------ ---- --- ----- ---------- ------
Gi1/1 Desg FWD 4 128.25 P2p
Gi1/2 Desg FWD 4 128.26 P2p
S3#sh spanning-tree
VLAN0001
Spanning tree enabled protocol ieee
Root ID Priority 32769
Address 0001.42A7.A603
Cost 4**
Port 26(GigabitEthernet1/2)**
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 32769 (priority 32768 sys-id-ext 1)
Address 000A.41D5.7937**
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 20
Interface Role Sts Cost Prio.Nbr Type
------------ ---- --- ----- ---------- ------
Gi1/1 Desg FWD 4 128.25 P2p
Gi1/2 Root FWD 4** 128.26 P2p
Switch#sh cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone
Device ID Local Intrfce Holdtme Capability Platform Port ID
S3 Gig 1/1 135 S 2960 Gig 1/1
S1 Gig 1/2 135 S 2960 Gig 1/1
S2#sh spanning-tree
VLAN0001
Spanning tree enabled protocol ieee
Root ID Priority 32769
Address 0001.42A7.A603
Cost 4**
Port 26(GigabitEthernet1/2)**
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 32769 (priority 32768 sys-id-ext 1)
Address 0030.F222.2794**
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 20
Interface Role Sts Cost Prio.Nbr Type
------------ ---- --- ----- ---------- ------
Gi1/1 Altn BLK 4** 128.25 P2p
Gi1/2 Root FWD 4 128.26 P2p
! Cost 4 = one Gb Eth away
S2#sh spanning-tree
S2#sh spanning-tree vlan 2
VLAN0002
Spanning tree enabled protocol ieee
Root ID Priority 32770**
Address 0001.42A7.A603
Cost 4
Port 26(GigabitEthernet1/2)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 32770 (priority 32768 sys-id-ext 2)**
Address 0030.F222.2794
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 20
Interface Role Sts Cost Prio.Nbr Type
------------ ---- --- ----- ---------- ------
Gi1/1 Altn BLK 4 128.25 P2p
Gi1/2 Root FWD 4 128.26 P2p
! This sys-id-ext is added to the bridge priority, 32768 + 2
S2(config)#spanning-tree vlan 2 ?
priority Set the bridge priority for the spanning tree
root Configure switch as root
<cr>
S2(config)#spanning-tree vlan 2 priority ?
<0-61440> bridge priority in increments of 4096
S2(config)#spanning-tree vlan 2 priority 16384
! You can set the priority to any value 0~61440 in increments of 4096.
S2(config)#spanning-tree vlan 3 root ?
primary Configure this switch as primary root for this spanning tree
secondary Configure switch as secondary root
S2(config)#spanning-tree vlan 3 root primary
S2# sh spanning-tree vlan 2
VLAN0002
Spanning tree enabled protocol ieee
Root ID Priority 16386**
Address 0030.F222.2794**
This bridge is the root**
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 16386 (priority 32768 sys-id-ext 2)**
Address 0030.F222.2794
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 20
Interface Role Sts Cost Prio.Nbr Type
------------ ---- --- ----- ---------- ------
Gi1/1 Desg FWD 4** 128.25 P2p
Gi1/2 Desg FWD 4** 128.26 P2p
S2# sh spanning-tree vlan 2
S2#sh spanning-tree summary
Switch is in pvst mode
Root bridge for: VLAN0002 VLAN0003
[...]
Name Blocking Listening Learning Forwarding STP Active
----- -------- --------- -------- ---------- ----------
VLAN0001 1 0 0 1 2
VLAN0002 0 0 0 2 2
VLAN0003 0 0 0 2 2
----- -------- --------- -------- ---------- ----------
3 vlans 1 0 0 5 6
S2(config)#spanning-tree mode rapid-pvst
S2#sh spanning-tree
VLAN0001
Spanning tree enabled protocol rstp**
Root ID Priority 32769
Address 0001.42A7.A603
Cost 4
Port 26(GigabitEthernet1/2)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
[...]
S2#sh spanning-tree summary
Switch is in rapid-pvst mode
Root bridge for: VLAN0002 VLAN0003
! PortFast
! Globally
S1(config)#spanning-tree portfast ?
bpdufilter Enable portfast bdpu filter on this switch
bpduguard Enable portfast bpdu guard on this switch
default Enable portfast by default on all access ports
! Interface
S1(config-if)#spanning-tree portfast ?
disable Disable portfast for this interface
trunk Enable portfast on the interface even in trunk mode
<cr>
S1#config t
S1#config)#int range gi0/1 - 2
S1(config-if)#spanning-tree portfast
%Warning: portfast should only be enabled on ports connected to a single
host. Connecting hubs, concentrators, switches, bridges, etc... to this
interface when portfast is enabled, can cause temporary bridging loops.
Use with CAUTION
%Portfast has been configured on GigabitEthernet0/1 but will only
have effect when the interface is in a non-trunking mode.
!
! BPDU Guard should be enable If you turn on PortFast.
! This is because if a switch port that has PortFast enabled receives a BPDU on that port,
! it will place the port into error disabled (shutdown) state,
! effectively preventing anyone from accidentally connecting another switch or hub port
! into a switch port configured with PortFast.
! Globally
S1(config)# spanning-tree portfast bpduguard default
! Interface
S1(config-if)# spanning-tree bpduguard enable
!!!!
! you would only configure this command on your access layer switches
[=] S1 [=] S2
G0/1 ------)----)---- G0/13
G0/2 ------)----)---- G0/14
! Trunking the interfaces before configure EtherChannel
S1(config)# int range g0/1 - 2
S1(config-if-range)# switchport trunk encapsulation dot1q
S1(config-if-range)# switchport mode trunk
! Configure protocol
S1(config-if-range)# channel-group 1 mode ?
active Enable LACP unconditionally
auto Enable PAgP only if a PAgP device is detected
desirable Enable PAgP unconditionally
on Enable Etherchannel only
passive Enable LACP only if a LACP device is detected
! To configure the IEEE LACP, use active or passive
! To configure the Cisco PAgP, use auto or desirable
S1(config-if-range)# channel-group 1 mode active
S1(config-if-range)# exit
! Create port channel interface now
S1(config)# int port-channel 1
S1(config-if)# switchport trunk encapsulation dot1q
S1(config-if)# switchport mode trunk
S1(config-if)# switchport trunk allowed vlan 1,2,3
! All parameters and configurations of the ports must be the same,
! S2 is the same as S1
S2(config)# int range g0/13 - 14
S2(config-if-range)# switchport trunk encapsulation dot1q
S2(config-if-range)# switchport mode trunk
S2(config-if-range)# channel-group 1 mode active
S2(config-if-range)# exit
S2(config)# int port-channel 1
S2(config-if)# switchport trunk encapsulation dot1q
S2(config-if)# switchport mode trunk
S2(config-if)# switchport trunk allowed vlan 1,2,3
!Varification
S2# sh etherchannel port-channel
Protocol = LACP
Index Load Port EC state No of bits
------+------+------+------------------+-----------
0 00 Gig0/2 Active 0
0 00 Gig0/1 Active 0
S2# sh etherchannel summary
Group Port-channel Protocol Ports
------+-------------+-----------+--------------------
1 Po1(SU) LACP Gig0/1(P) Gig0/2(P)
! You’d actually add the IP address of the bundle
! under the logical port-channel interface
Router# config t
Router(config)# int port-channel 1
Router(config-if)# ip address 20.2.2.2 255.255.255.0
! Now we need to add the physical port into port channel 1
Router(config-if)#int range g0/0-1
Router(config-if-range)#channel-group 1
Router# sh run