interVLA _Diagram

Cisco ICND2 – Configure, verify, and troubleshoot interVLAN routing

In this topic I will discuss how to configure interVLAN routing typically known as Router on a Stick.

This is the setup we will be working with in packet tracer:

interVLA _Diagram

Notice that PC1 and PC2 are in different VLANs and different IP subnets. We are going to allow them to communicate with each other via Router A.

First we are going to configure the trunk links between each of the switches and between switch C and Router A. I will use the range command to save keep typing the individual interfaces.

Switch A

configure terminal
interface range fa0/1-fa0/2
switchport mode trunk

Switch B

configure terminal
interface range fa0/1-fa0/2
switchport mode trunk

Switch C

configure terminal
interface range fa0/1-fa0/3
switchport mode trunk

We will come back to Router A a little later on to finish the trunk configuration.

We need to configure the access ports and VLANs between the switches connected to PCs.

Switch A:

configure terminal
interface fa0/3
switchport access vlan 10

Switch B:

configure terminal
interface fa0/3
switchpport access vlan 20

We will configure PC1 and PC2 with an IP address and default gateway.

PC1:
IP Address: 10.0.0.2
Subnet: 255.255.255.0
Default Gateway: 10.0.0.1

interVLAN_PC1

PC2:
IP Address: 10.0.1.2
Subnet: 255.255.255.0
Default Gateway: 10.0.1.1

interVLAN_PC2

If we try and ping PC2 from PC1 the result will fail. Why? Because there’s no way for VLAN 10 and VLAN 20 to communicate, Also they’re in different subnets.

To allow these two PCs to communicate we need to configure Router A to route frames between VLAN 10 and VLAN 20.

If you noticed we set default gateways on PC1 and PC2, we will now configure these on Router A. This way, when PC1 or PC2 wants to send a frame to a different subnet, it will forward to the default gateway, the default gateway will lookup to see if it has an entry in its routing table if it does, it will forward otherwise it will drop the frame.

We will configure two sub interfaces on Router A under fa0/0 one for VLAN 10 and one for VLAN20. First we need to bring up the fast ethernet 0/0 interface up, otherwise the sub interfaces once configured will not work.

Router A:

configure terminal
interface fa0/0
no shutdown

Now to configure the sub interfaces on Router A:

configure terminal
interface fa0/0.10
encapsulation dot1q 10
ip address 10.0.0.1 255.255.255.0
interface fa0/0.20
encapsulation dotq1 20
ip address 10.0.1.1 255.255.255.0

I tend to create sub-interfaces that match the VLAN number, this is handy when trying to troubleshoot as you can quickly identify which VLAN belongs to which sub-interface.

The encapsulation dot1q 10/20 command defines the sub interface as a trunk link and that it expects to send/receive VLAN 10/20 traffic on this interface.

That’s pretty much it. If we try to ping PC2 from PC1 we should see a successful ping:

interVLAN_PC1_Ping

And from PC2 to PC1:

interVLAN_PC2_Ping

Verifying:

We verified that PC1 can communicate with PC2 above.

We can show the routing table on RouterA:

interVLAN_RouterA_RoutingTable

The above shows two directly connected routes, one for VLAN 10 and one for VLAN 20 this is how the router knows where to route to.

show running-config can be used on the switches and routers to ensure correct access VLAN assigned, trunk links are configured and correct IP addresses.

show vlan on the switches will show what VLANs are assigned to which ports.

Ping can we be used to verify connectivity, if you cant ping the destination IP, ensure you can ping your local default gateway and then destination gateway to try and figure where the problems lies.

Troubleshooting:

  • Ensure the links between switches and routers are trunked
  • Make sure PCs are in correct VLANs
  • Make sure PCs have correct IP Subnet / Default Gateway addresses
  • Use tracert on the PCs to see where the frames are failing
  • Check the router to make sure has the correct sub-interfaces and they match the default gateway of the PCs
  • The fast ethernet port on the router should be up (no shutdown) otherwise sub-interfaces will not work
  • Correct cables must be used between PC and switch (straight through) switch to switch (crossover) and switch to router (straight through)

Cisco ICND2 – Configure, verify, and troubleshoot trunking on Cisco switches

Configuring a trunk:

When configuring a trunk, the trunk needs to be enabled on both switches. We will configure fa0/1 as a trunk link on both Switch A and Switch B. I will be doing this via Cisco’s packet tracer program on two Cisco 2950 switches.

By default all VLANs are allowed to be received and sent across trunk links, this can be changed and will be discussed later on.

Trunk_SwitchA_SwitchB

Switch A:

configure terminal
interface fa0/1
switchport mode trunk

Switch B:

configure terminal
interface fa0/1
switchport mode trunk

That’s it!

Configuring trunk on a layer 3 switch is slightly different, you have the choice of either using 802.1Q (dot1q) or ISL as the encapsulation.  Newer routers don’t support ISL so It would be wise to use 802.1Q.

configure terminal
int fa0/1
switchport mode trunk
switchport trunk encapsulation dot1q

It is possible to do a range of interfaces to turn them into trunk links:

configure terminal
interface range fa0/1-fa0/5
switchport mode trunk

We can restrict or allow which VLANs are allowed across a trunk link using the trunk allowed command. To configure allowed VLANs make sure you’re under the interface where the trunk is enabled such as interface fa0/1.

This will reset the trunk to default allowing all VLANs across the trunk:

switchport trunk allowed vlan all

This will stop VLANs 2 through 6 from communicating over the trunk:

switchport trunk allowed vlan remove 2-6

This will allow VLAN 6 to communicate over the trunk if we removed it by mistake:

switchport trunk allowed vlan 6

Verifying a trunk:

There are few commands to verify a trunk link. The first is to run a show running-config on both switches.

show running-config

Switch A:

Trunk_Show_Run_SwitchA

Switch B:

Trunk_Show_Run_SwitchB

As shown above, we can see both the interfaces have been configured for trunking.

The next is to display the switchport information for both interfaces on the switches.

show int fa0/1 switchport

Switch A:Trunk_Show_Switchport_Trunk_SwitchA

Switch B:Trunk_Show_Switchport_Trunk_SwitchBWe can see from this information that the operational mode is trunk and the encapsulaton is dot1q.

Lastly we can display information based on all interfaces that are enabled for trunk and what VLANs are allowed across these trunk links.

show int trunk

Switch A:

Trunk_SwitchA_Show_Trunk

Switch B:

Trunk_SwitchB_Show_Trunk

Troubleshooting a trunk:

  • Make sure trunk is enabled on both connecting sides of the interfaces
  • Ensure the encapsulation at both ends meet
  • Check the cable is connected and the correct type of cable is used
  • Check to see whether any restrictions are on the trunk that are preventing a VLAN across the link (show int trunk)

Cisco ICND2 – Configure, verify, and troubleshoot VLANs

Configuring a VLAN

Configuring a VLAN is easy, within privileged mode # enter the following commands to create a VLAN, assign individual ports to a VLAN or even a range of ports:

Create a VLAN:

configure terminal
VLAN 10
Name Marketing

Assign a FastEthernet port to vlan 10:

configure terminal
interface fa0/1
switchport access vlan 10

Assign a range of ports to vlan 10:

configure terminal
interface range fa0/2-fa0/5
switchport access vlan 10

Verify a VLAN

There are a couple of ways to verify the above commands have actually worked.

The following command will show all the VLANs currently on the switch and what ports are associated with that vlan.

show vlan

ICND2_Show_VLAN

As you can see, we created VLAN 10 earlier with the name Marketing and we have Fa0/1 through to Fa0/5 in this vlan.

The next way is to check the running config, if the commands have been entered successfully we should see Fa0/1 through to Fa0/5 in VLAN 10.

show running-config

ICND2_Show_Run

As you can see from the above, the command we entered switchport access vlan 10 has been successfully assigned to ports Fa0/1 through to Fa0/5.

Another option is to run the show switchport command against the interface:

show interface fa0/1 switchport

ICND2_Show_FA01_Switchport

Troubleshooting a VLAN

  • Ensure physical connections are connected and are configured with correct IP information – Can check LEDs on switch for connectivity
  • Check whether the hosts are in the same VLAN – Remember hosts in different VLANs will not communicate without a Layer 3 device

Cisco ICND2 – Describe how VLANs create logically separate networks and the need for routing between them

VLANs

A VLAN is a virtual logical area network. VLANs allow you to logically group ports on a switch. You may want to do this to ensure the IT department cannot see traffic from the Finance department for example. VLANs can be spanned across multiple switches, meaning all you have to do is change the VLAN number on a port and bingo you’re in that VLAN (assuming VTP is enabled across the switched network). VLANs break up broadcast domains by broadcasting frames only to the same VLAN.

We have the ability with VLANs to improve our security by controlling what VLANs have access to which other VLANs on the network. We can also isolated a VLAN so it cannot communicate with any devices but just have access to the internet (handy for open areas).

By default VLANs cannot communicate with other VLANs. However this can be achieved with either a layer 3 switch (not covered in the CCNA but is in the CCNP) or by you guessed it a router, as a routers job is to route frames. This method is known as a router on a stick.

Key Info

  • VLANs 0 and 4095 For system use only
  • VLAN 1 is Cisco default VLAN, all ports are by default a member of this VLAN
  • VLANs 2-1001 You can use, create and delete VLANS within this range
  • VLANs 1002-1005 are used with FDDI and TokenRing. You cannot delete these
  • VLANs 1006-4094 These VLANs are the extended range for Ethernet, can not be propagated by VTP
  • VLAN information can be found in VLAN.DAT which is stored in Flash memory. This can be viewed using “show flash”
  • VLANs cannot send between VLANs, a Layer 3 device is needed

Taken from Cisco Configuring VLANs

Router on a stick

The way router on a stick works is, say a device on VLAN 20 wanted to communicate with a device VLAN 30 both VLAN frames would need to be sent to a router via a trunk link from the Layer 2 switch. The router will look at its sub-interfaces and see if it has a match for the VLANs, if it does it will route the frame to the correct destination. Remembering that without this method VLAN 20 will not be able to communicate with VLAN 30.

Key Info

  • Layer 3 device such as a router or switch required
  • Links between the switch and router must be in trunk mode
  • Encapsulation between the switch and router must match either 802.1Q or ISL
  • Encapsulation can only be configured on a Fast Ethernet/Gigabit interface
  • Encapsulation must be configured on the subinterface to match the VLAN
  • Subinterfaces must be configured with an IP address that is on the same subnet of the VLAN, this will also be the default gateway for that VLAN
  • the parent interface of the subinterface must be up (no shutdown) for the subinterfaces to work

Cisco ICND2 – Describe enhanced switching technologies (including: VTP, RSTP, VLAN, PVSTP, 802.1q)

VTP – VLAN Trunking Protocol:

VLAN Trunking Protocol allows you to create/delete and modify existing VLANs. This information can then be propagated to other switches that use the same VTP domain. When VTP is first configured it defaults to server mode. VTP information is sent via a trunk port. Uses revision numbers to determine whether the switch needs to update its VTP information.

A few requirements:

  1. Cannot be used on non-Cisco switches
  2. VTP domain must be the same
  3. One switch must be configured in server mode
  4. If a VTP password is used, must be configured on all switches

Three VTP modes:

  • Server

Can create, add and modify VTP information to other switches.

  • Transparent

Can create, add and modify VLANs but this isn’t advertised to other switches in the VTP domain, instead these are only local to that switch but a transparent switch will forward VTP advertisements out of trunk ports.

  • Client

Client mode only receives and forwards VTP updates. Can not create, delete or modify existing VLANs

VTP Pruning:

Do not use on transparent switches.

VTP Pruning stops broadcasts of VLANs to other switches that isn’t necessarily.

For example, Switch A forwards a broadcast for VLAN20, Switch B and switch C do not have any access ports for VLAN 20, Switch B and Switch C have let switch A know this information, if VTP pruning is enabled Switch A will not forward the broadcast as it has been informed that switch B and Switch C do not have any hosts on VLAN 20. This helps to preserve bandwidth.

Saving bandwidth with VTP Pruning by Keith Barker explains this perfectly.

STP – Spanning Tree Protocol 802.1d

Spanning Tree Protocol prevents switching loops at layer 2. It elects a root bridge and a root port and does this by sending out BPDUs (bridge protocol data units), a blocked port will still receive BPDUs and needs to receive them in case it needs to come out of the blocked state (link failure, bandwidth changes).

Terms

  • BPDU – Bridge Protocol Data Unit  – Ethernet frame sent across the switch network to select the root switch. Each switch compares the BPDUs that it receives from other switches to determine if it should be the root bridge.
  • Root – Switch with the lowest BID
  • BID/Bridge ID – Bridge priority (32768 by default) + MAC address

STP Election

  • Root bridge determined by lowest BID (priority + MAC)
  • All root bridge ports that are connected are placed into designated forwarding state
  • Switches will elect one root port to the root bridge. This is calculated by speed cost, if a tie break then the port with the lowest port ID will be the root port.
  • Root ports can not be designated ports
  • If more than one switch connected to the root bridge, one will be elected the designated bridge based on cost to the root or lowest BID
  • The ports on the designated bridge will forward whilst the port on the non designated bridge will block

STP Port Stats

  • Blocking – Does not forward frames, receives BPDUs. When a switch is first powered on, all ports are in the blocking state.
  • Listening – Receives BPDUs and checks to ensure no loops occur. Prepares to forward frames. Mac address table not built yet.
  • Learning – Receives BPDUs and learns all the paths of the network. Builds the MAC address table but doesn’t forward any frames.
  • Forwarding – Starts forwarding frames if it is the designated port or root port.
  • Disabled – Not really a state, but if the switch is in administratively down (shutdown) then it will not forward frames or receive BPDUs updates.

Port Speeds cost

  • 10Mbps = 100
  • 100Mbps = 19
  • 1Gbps = 4
  • 10Gbps = 2

Timers

  • Hello Timer: 2 seconds
  • Max Age: 20 seconds by default
  • Forward Delay: 15 seconds

STP Selects a root bridge with the lowest bridge ID, this calculation is based on bridge priority + MAC address, by default the bridge priority is 32768 unless changed. So if Switch A has a bridge priority of 32768 and mac address 01111.1111.1111 and Switch B has a bridge priority of 32768 and mac address 0000.0000.0000. Switch B would be elected the root bridge as it has the lowest value. It may be good practice to manually change the bridge priority on a switch to a much lower value to ensure that is always the root bridge. The bridge priority can only be set in increments of 4096.

Next STP will elect root ports and designated ports. All connected ports on the root bridge are designated ports. One root port is elected on each switch except for the root bridge. The root port is the port that has the best path to the root bridge, this is calculated by speed cost, if a tie break then the port with the lower port numbers wins.

A designated bridge is elected if there are two or more switches connected to the root bridge, this is based on the lower BID or lower port number. All ports on the designated bridge are put into designated mode. The ports on the non-designated bridge except the root port are put into non-designated mode (blocking) this is to prevent switching loops.

STP detects a link failure between 30-60 seconds this is based on the STP port states.

RSTP – Rapid Spanning Tree 802.1w:

Rapid spanning-tree protocol 802.1w. Faster convergence than spanning-tree protocol hence the ‘rapid’.

RSTP can detect a link failure in 6 seconds (3 hello timers, 2 seconds each)

Port States:

  • Discarding – Compared to disabled/blocking/listening state of STP
  • Listening – Same as STP
  • Forwarding –  Same as STP

PVSTP – Per VLAN Spanning Tree:

Default for catalyst switches. Cisco proprietary protocol, allows for creation of per VLAN spanning tree.

802.1q:

802.1q enables tagging of VLANs over a trunk link.

802.1q and trunking 101 by Keith Barker explains this.

EtherChannel

Two types. Cisco version: Port Aggregation Protocol (PAgP) and IEEE 802.3ad Line Aggregation Control Protocol (LCAP).

  • Allows grouping of 2-8 server physical Ethernet links to create one logical Ethernet link. This is to allow fault tolerance and high speed links.
  • EtherChannel seen as one link to STP

Port Fast

Enabls the port to come up much quicker by bypassing the STP process. This can only be used on end user devices (access ports), not for trunk links.

* If there is anything you’d like to add or feel there’s a mistake, please feel free to comment and contribute.

VMware VCP5-DV Resources

As mentioned in a previous blog post, I managed to pass the VCP5-DV exam (second attempt) and thought I would give a list of the resources I used.

Its worth noting before becoming VCP5-DV certified you need to attend a course, see here for my  review on the course I did via the 360gsp college.

The most important place to start studying is checking out the VMware VCP5-DV Exam Blue Print. Be expected to know everything on the blueprint. You get 85 questions with a time limit of 90 minutes for the exam.

When looking at articles/documentation I tend to clip them to Evernote and tag them so I can reference them later. I use Google Chrome with an Evernote plugin to achieve this.

VMware Documentation:

http://www.vmware.com/support/pubs/vsphere-esxi-vcenter-server-pubs.html
http://pubs.vmware.com/vsphere-50/index.jsp

Books:

Scott Lowe – Mastering VMware vSphere 5
VMware vSphere 5 Clustering Technical Deepdive by Duncan Epping and Frank Denneman 

Videos:

TrainSignal – VMware vSphere 5 Training
YouTube has some good videos.

Blogs:

http://www.vmfocus.com/
http://www.yellow-bricks.com/

http://www.techhead.co.uk/
http://blog.scottlowe.org/
http://frankdenneman.nl/
http://vmwaretraining.blogspot.co.uk/
http://blog.mwpreston.net/

Forums:

The VMware forums are worth contributing to whilst studying and afterwards.

AutoLab:

Whilst I didn’t use the AutoLab, it seems like a great resource. The AutoLab pre-configures a vSphere5 environment.

Practice Questions:

Once you have completed the VMware course, VMware have a mock exam via the VMware learn portal.

http://www.simonlong.co.uk/blog/
http://blog.mwpreston.net/vcp-5/practice-quiz/

Flashcards:

I would recommend AnkiDroid as a flashcard app for Android, you can download a VCP5 pack which includes maximums and some practise questions, you can also create your own flashcards. Very useful on the go. I have been using this method of flashcards since my ICND1 stuides. There are other flashcard packs for CCNA etc.

And finally…

Google google google! I found googling topics/errors/etc brought me to loads of VMware blogs, reading articles after articles helped with learning and also the real word stuff.

Most of the people that have blogs are on twitter, I would highly recommend getting into Twitter and following bloggers, its a great way to keep an eye on whats happening quickly. I use Tweetdeck and have multiple lists and columns for bloggers – it’s just a fantastic way to easily filter out the noise on twitter.

You can follow me on twitter @ChrisLStark

So whats next for me? Well, I was studying towards the Cisco ICND2 for the CCNA before I saw the excellent offer by 360gsp college so snapped that up. I shall now continue with my Cisco ICND2 studies and when I have time get more familiar with the vSphere 5 PowerCLI.

Passed – Cisco CCENT (ICND 1)

On Tuesday 12th June this week I took the Cisco ICND 1 and managed to pass luckily. I was studying this on and off for a year! One thing I was mostly worried about was hearing other people’s stores about running out of time. I found I had 50 minutes left (this may be because of the intense studying I did) – I also have some Cisco experience.

I used the following materials:

Books:
Videos:
  • Trainsignal – There is additional content which allows you to copy the material to an Apple/Android device – The videos are reduced in quality – but makes studying on the go, listening in the car etc much easier. Every bit of studying helps!
  • CBT Nuggets
Labs:
Cisco Material:
Forums:
Extras:
There are some apps on the Android play store that can also help:

Now for the ICND 2 (CCNA), I ‘plan’ on doing this in the next couple of months.