Vlans and Trunking

=**Private Vlans**=

Private VLANs allow the separation of ports into different vlans while using only a single IP subnet.

There are two kinds of vlan involved in the separation:
 * Primary Vlan - Used for commonly accessed devices such as servers and the default gateway. Ports in it can communicate with both primary and secondary ports. These are also called promiscuous ports.
 * Secondary Vlan - comes in two types:
  * Community - Can talk to ports in the same community vlan and to ports in the primary vlan
  * Isolated - Can only talk to ports in the primary vlan (not even to other ports in the same isolated vlan)

Configuration
 * 1) Create the secondary vlans (community/isolated)
 * 2) Create the primary vlan and associate the secondary vlans to it
 * 3) Define each port as primary (promiscuous) or secondary (host)
 * 4) //**(config-if)#switchport mode private-vlan {promiscuous|host}**//
 * 5) Assign host ports to their primary and secondary vlans (host-association)
 * 6) Promiscuous ports are assigned their vlans with the mapping command

Switches must not be participating in VTP (they must be in VTP transparent mode) before private vlans can be configured.

vlan 100
 private-vlan primary
 private-vlan association 1000,2000,3000
!
vlan 1000
 private-vlan [community|isolated]
!
interface FastEthernet0/1
 switchport private-vlan mapping 100 1000,2000,3000
 switchport mode private-vlan promiscuous
!
interface FastEthernet0/3
 switchport private-vlan host-association 100 1000
 switchport mode private-vlan host
!
interface FastEthernet0/5
 switchport private-vlan host-association
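The reachability rules above (promiscuous talks to everyone, community only within its own community, isolated only to promiscuous) are easy to get wrong when designing a layout, so here is a small model of them that can be run against an intended port assignment before the switch configuration is written. This is an added example and not part of the original notes; the port names, the primary vlan 100 and the assignment of vlans 1000/2000 as community and 3000 as isolated are constructed sample values.

```python
"""Model of private VLAN (PVLAN) forwarding rules (added example, not from the notes)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PROMISCUOUS = "promiscuous"
COMMUNITY = "community"
ISOLATED = "isolated"


@dataclass(frozen=True)
class PvlanPort:
    name: str
    primary: int                      # primary vlan the port belongs to
    kind: str                         # PROMISCUOUS, COMMUNITY or ISOLATED
    secondary: Optional[int] = None   # secondary vlan for host ports, None for promiscuous


def can_talk(a: PvlanPort, b: PvlanPort) -> bool:
    """True if layer-2 traffic may flow from port a to port b under PVLAN rules."""
    # Different primary vlans are different broadcast domains altogether.
    if a.primary != b.primary:
        return False
    # A promiscuous port reaches every port in the primary vlan, and every
    # host port reaches the promiscuous ports (the servers / gateway).
    if a.kind == PROMISCUOUS or b.kind == PROMISCUOUS:
        return True
    # Two community ports talk only when they share the same community vlan.
    if a.kind == COMMUNITY and b.kind == COMMUNITY:
        return a.secondary == b.secondary
    # Anything else involves an isolated host port and is dropped, including
    # two isolated ports that sit in the same isolated vlan.
    return False


def reachability_matrix(ports: List[PvlanPort]) -> Dict[Tuple[str, str], bool]:
    """Pairwise reachability (ordered pairs, excluding a port with itself) for an audit report."""
    return {(a.name, b.name): can_talk(a, b) for a in ports for b in ports if a is not b}


# Constructed sample topology: primary vlan 100, community vlans 1000 and 2000,
# isolated vlan 3000 (the vlan roles are an assumption made for this example).
SAMPLE_PORTS = [
    PvlanPort("Fa0/1", 100, PROMISCUOUS),          # server / gateway port
    PvlanPort("Fa0/3", 100, COMMUNITY, 1000),
    PvlanPort("Fa0/4", 100, COMMUNITY, 1000),
    PvlanPort("Fa0/5", 100, COMMUNITY, 2000),
    PvlanPort("Fa0/7", 100, ISOLATED, 3000),
    PvlanPort("Fa0/8", 100, ISOLATED, 3000),
]

if __name__ == "__main__":
    for (src, dst), ok in sorted(reachability_matrix(SAMPLE_PORTS).items()):
        print(f"{src} -> {dst}: {'allowed' if ok else 'blocked'}")
```

The matrix makes the two common surprises visible: two isolated hosts in the same isolated vlan still cannot reach each other, and community hosts in different community vlans are just as separated as isolated ones.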

=Protected ports=

Protected ports prevent layer 2 traffic from being exchanged between two or more protected ports in the same vlan: traffic received on one protected port cannot be sent out another protected port.

=Vlan Trunking=

Two different trunking types exist: 802.1Q (IEEE) and ISL (Cisco).

There are some slight differences between them, but they are mostly similar. The encapsulation is selected with //**(config-if)#switchport trunk encapsulation {dot1q|isl}**//


 * **ISL** - Encapsulates frames and does not support a native vlan
 * **802.1q** - Tags frames and supports a native vlan

DTP
Dynamic Trunking Protocol (DTP) is used to negotiate the parameters of a trunk link. DTP behaviour is configured via the "//**(config-if)#switchport mode**//" command.

Vlans flowing over this trunk can be restricted in two ways:
 * VTP pruning
 * //**(config-if)#switchport trunk allowed vlan**//

Establishment of a trunk is controlled by two commands:
 * //**(config-if)#switchport mode**//
  * Trunk - Will always trunk
  * Dynamic - Negotiates trunking; the sub-mode decides how:
   * Desirable - Actively sends DTP messages to negotiate trunking. Falls back to an access port if negotiation fails
   * Auto - Will *only* reply to DTP messages. Trunks if negotiation succeeds, access if it fails
  * Access - Will never trunk
 * //**(config-if)#switchport nonegotiate**// - Prevents sending of any DTP messages. Used only with Trunk and Access mode links. When disabling DTP you must set the encapsulation explicitly
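The mode combinations above are easier to reason about as a table, and a port that is still in a dynamic mode (explicitly or by default) will become a trunk as soon as the device on the other end speaks DTP, which is why hardening guides put every user port into access mode with nonegotiate. The following added example (not from the original notes) computes the link outcome for any pair of modes using exactly the behaviour described in the list, and audits a constructed running-config excerpt for ports whose trunk state is still left to DTP. It assumes the factory default for a port with no `switchport mode` line is dynamic auto, which the notes do not state.

```python
"""DTP negotiation outcomes and a switchport-mode audit (added example, not from the notes)."""
from typing import Dict, List, Tuple

TRUNK, DESIRABLE, AUTO, ACCESS = "trunk", "dynamic desirable", "dynamic auto", "access"

# Assumption (not stated in the notes): a port with no 'switchport mode' line
# defaults to dynamic auto, as on recent Catalyst switches.
DEFAULT_MODE = AUTO


def _end_result(mode: str, peer_mode: str, peer_nonegotiate: bool) -> str:
    """Operational state (trunk or access) of one end, given what the peer does."""
    if mode in (TRUNK, ACCESS):
        return mode                      # static: DTP never changes these
    if peer_nonegotiate or peer_mode == ACCESS:
        return ACCESS                    # nobody on the other side will negotiate
    if mode == DESIRABLE:
        return TRUNK                     # peer is trunk/desirable/auto and answers DTP
    # dynamic auto only replies, so it trunks only when the peer actively sends DTP
    return TRUNK if peer_mode in (TRUNK, DESIRABLE) else ACCESS


def negotiate(a_mode: str, b_mode: str,
              a_nonegotiate: bool = False, b_nonegotiate: bool = False) -> str:
    """Link outcome for two ends: 'trunk', 'access' or 'mismatch' (one side trunks, the other does not)."""
    a = _end_result(a_mode, b_mode, b_nonegotiate)
    b = _end_result(b_mode, a_mode, a_nonegotiate)
    return a if a == b else "mismatch"


def parse_interfaces(running_config: str) -> Dict[str, Tuple[str, bool, bool]]:
    """Map interface name -> (switchport mode, nonegotiate set, mode configured explicitly)."""
    result: Dict[str, Tuple[str, bool, bool]] = {}
    name, mode, noneg, explicit = None, DEFAULT_MODE, False, False
    for raw in running_config.splitlines() + ["!"]:   # trailing "!" closes the last block
        line = raw.strip()
        if line.startswith("interface "):
            name, mode, noneg, explicit = line.split(None, 1)[1], DEFAULT_MODE, False, False
        elif line == "!" and name is not None:
            result[name] = (mode, noneg, explicit)
            name = None
        elif name and line.startswith("switchport mode "):
            mode, explicit = line[len("switchport mode "):], True
        elif name and line == "switchport nonegotiate":
            noneg = True
    return result


def audit_ports(running_config: str) -> List[Tuple[str, str]]:
    """Report ports whose trunk state is decided by DTP rather than by configuration."""
    findings: List[Tuple[str, str]] = []
    for name, (mode, noneg, explicit) in parse_interfaces(running_config).items():
        if mode in (AUTO, DESIRABLE):
            source = "configured" if explicit else "default"
            findings.append((name, f"{source} mode '{mode}': will trunk if the peer negotiates"))
        elif mode in (TRUNK, ACCESS) and not noneg:
            findings.append((name, f"mode '{mode}' without 'switchport nonegotiate': still sends DTP"))
    return findings


# Constructed sample running-config excerpt (not from a real device).
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
!
interface FastEthernet0/2
 switchport mode dynamic desirable
!
interface FastEthernet0/3
 description user port, no mode configured
!
interface FastEthernet0/4
 switchport mode access
 switchport nonegotiate
!
"""

if __name__ == "__main__":
    print("desirable <-> auto:", negotiate(DESIRABLE, AUTO))                          # trunk
    print("trunk nonegotiate <-> auto:", negotiate(TRUNK, AUTO, a_nonegotiate=True))  # mismatch
    for port, finding in audit_ports(SAMPLE_CONFIG):
        print(port, "-", finding)
```

The mismatch case is the one the nonegotiate bullet warns about: a static trunk that no longer sends DTP leaves a dynamic peer in access mode, so both ends must be set explicitly.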

Q in Q Tunnel
Vlan trunking can be achieved across a WAN with the use of 802.1Q-in-Q tunnelling. This simply adds a second 802.1Q header so that service-provider switches can differentiate traffic between customers while the original 802.1Q header is retained. CDP and VTP traffic can be passed transparently across a tunnel of this type.

To configure,

 * 1) Set the subinterfaces on the endpoint devices to use dot1q encapsulation.
 * 2) Change the system MTU on the switches carrying the tunnels to make room for the extra tag: //**#system mtu 1504**//
 * 3) Set the interface mode to tunnel: //**#switchport mode dot1q-tunnel**//
 * 4) Tunnel CDP: //**#l2protocol-tunnel cdp**//
 * 5) Set an access vlan on the tunnel interfaces (a new vlan, used as the outer tag)
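Both the 802.1Q section and the Q-in-Q steps come down to what sits between the MAC addresses and the original EtherType: one 4-byte tag for a normal trunk, two for a tunnel (hence the 1504-byte MTU). The decoder below is an added example, not part of the original notes or any vendor tool; it walks the tag stack of a captured frame so a monitoring or forensics script can report which vlan, or which outer (service) and inner (customer) vlan pair, a frame carried, and it refuses truncated frames instead of misreading them. The MAC addresses, vlan numbers and payloads are constructed sample values; TPID 0x88a8 is the 802.1ad service tag and 0x8100 the standard 802.1Q tag.

```python
"""Decoder for the 802.1Q / Q-in-Q tag stack of an Ethernet frame (added example, not from the notes)."""
import struct
from typing import List, Tuple

TPID_DOT1Q = 0x8100    # standard 802.1Q (customer) tag
TPID_DOT1AD = 0x88A8   # 802.1ad service-provider (Q-in-Q outer) tag
# Older Q-in-Q deployments reuse 0x8100 for the outer tag as well, so the
# decoder accepts either TPID at every level of the stack.
TAG_TPIDS = (TPID_DOT1Q, TPID_DOT1AD)

Tag = Tuple[int, int, bool, int]   # (tpid, pcp, dei, vid)


def decode_tags(frame: bytes) -> Tuple[List[Tag], int, bytes]:
    """Return (tags outer-to-inner, ethertype after the tags, payload).

    An untagged frame yields an empty tag list. Raises ValueError if the frame
    ends inside the header or the tag stack.
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    offset = 12                                  # skip destination and source MAC
    tags: List[Tag] = []
    while True:
        if offset + 2 > len(frame):
            raise ValueError("frame truncated inside the tag stack")
        ethertype = struct.unpack_from("!H", frame, offset)[0]
        if ethertype not in TAG_TPIDS:
            return tags, ethertype, frame[offset + 2:]
        if offset + 4 > len(frame):
            raise ValueError("frame truncated inside a VLAN tag")
        tci = struct.unpack_from("!H", frame, offset + 2)[0]
        pcp, dei, vid = tci >> 13, bool(tci & 0x1000), tci & 0x0FFF
        tags.append((ethertype, pcp, dei, vid))
        offset += 4                              # each tag is 4 bytes: TPID + TCI


def build_frame(dst: bytes, src: bytes, tag_stack: List[Tuple[int, int]],
                ethertype: int, payload: bytes) -> bytes:
    """Assemble a frame with the given (tpid, vid) stack, PCP 0 and DEI 0; used to make sample input."""
    out = dst + src
    for tpid, vid in tag_stack:
        out += struct.pack("!HH", tpid, vid & 0x0FFF)
    return out + struct.pack("!H", ethertype) + payload


def describe(frame: bytes) -> str:
    """One-line summary of the vlan context of a frame, suitable for a capture log."""
    tags, ethertype, _ = decode_tags(frame)
    if not tags:
        return f"untagged ethertype=0x{ethertype:04x}"
    if len(tags) == 1:
        return f"vlan {tags[0][3]} ethertype=0x{ethertype:04x}"
    outer, inner = tags[0][3], tags[-1][3]
    return (f"q-in-q outer(service) vlan {outer} inner(customer) vlan {inner} "
            f"depth={len(tags)} ethertype=0x{ethertype:04x}")


# Constructed sample frames (addresses and payloads are made up).
DST = bytes.fromhex("ffffffffffff")
SRC = bytes.fromhex("001122334455")
UNTAGGED = build_frame(DST, SRC, [], 0x0806, b"\x00\x01\x08\x00")
SINGLE = build_frame(DST, SRC, [(TPID_DOT1Q, 146)], 0x0800, b"\x45\x00")
DOUBLE = build_frame(DST, SRC, [(TPID_DOT1AD, 10), (TPID_DOT1Q, 146)], 0x0800, b"\x45\x00")

if __name__ == "__main__":
    for f in (UNTAGGED, SINGLE, DOUBLE):
        print(len(f), "bytes:", describe(f))
```

The length printed for the double-tagged frame shows the extra 4 bytes per tag that step 2 of the tunnel configuration accounts for with the larger system MTU.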

Vlan Trunking Protocol
Used to dynamically distribute vlan configuration across devices.

VTP will not start sending updates until a domain has been configured. Updates are propagated only out active trunk interfaces.

Normal range vlans: **1-1005**. Extended range: **1006-4094** (cannot be configured in VLAN database mode).

Normal range vlans can be advertised by VTP versions 1 and 2. Vlans 1006-1024 should be avoided to ensure compatibility with CatOS switches.

Common commands
 * **>sh vtp status**
 * **#vtp mode**
 * **#vtp domain**

The VTP pruning list is configured under the interface trunk options. VTP primary mode can be activated in enable mode.

=**SPAN**=

SPAN is used to copy traffic from a source and send it to another port. It can't be enabled on trunk ports.

 * 1) //**#monitor session 1 source vlan 146**//
 * 2) //**#monitor session 1 destination interface fa0/0**//

Remote span
Remote SPAN is used when the source being monitored is on a different device from the destination.