Copy Right: Muhammad Shakir Hussain (ADE- PTCL) Page

VLANS
WHAT IS A VLAN
A Virtual LAN (VLAN) has two important concepts:
Logical segmentation of a switched network
One broadcast domain
A VLAN is a switched network that is logically segmented by functions, project teams, or applications without regard to the physical location of users. For example, several end stations might be grouped as a department such as Engineering or Accounting, having the same attributes as a LAN even though they are not all on the same physical LAN segment.

To accomplish this logical grouping, a VLAN-capable switching device must be used. Each switch port can be assigned to a VLAN. Ports in a VLAN share broadcast traffic and belong to the same broadcast domain. Broadcast traffic in one VLAN is not transmitted outside that VLAN. This segmentation improves the overall performance of the network.
The following figure shows an example of VLANs segmented into logically defined networks.


VLANs provide the following benefits:
Reduced administration costs associated with moves, adds, and changes
Controlled broadcast activity and better network security
Leveraging existing investments
Flexible and scalable segmentation
Companies continuously reorganize as they try to improve productivity. These moves, adds, and changes are one of the greatest expenses in managing a network. VLANs provide an effective mechanism to control these changes and reduce much of the cost of hub and router reconfiguration. If a group of VLAN users move but remain in the same VLAN connected to a switch port, their network addresses do not change. Router configuration is left intact; a simple move for a user from one location to another does not create any configuration changes in the router if the user stays in the same VLAN.
Similar to routers, VLANs offer an effective mechanism for setting up firewalls in a switch fabric, protecting the network against broadcast problems that are potentially dangerous, and maintaining all the performance benefits of switching. You can create these firewalls by assigning switch ports or users to specific VLAN groups in single switches and across multiple connected switches, which will increase security easily and inexpensively by segmenting the network into distinct broadcast groups. Broadcast traffic in one VLAN is not transmitted outside that VLAN. This type of configuration substantially reduces overall broadcast traffic, frees bandwidth for real user traffic, and lowers the overall vulnerability of the network to broadcast storms.
You can leverage existing hub investments by assigning each hub segment connected to a switch port to a VLAN. All the stations that share a hub segment are assigned to the same VLAN. If an individual station must be reassigned to another VLAN, the station is relocated to the appropriate corresponding hub module. The interconnected switch fabric handles communication between the switching ports and automatically determines the appropriate receiving segments.
You can also assign VLANs based on the application type and the amount of application broadcasts. You can place users sharing a broadcast-intensive application in the same VLAN group and distribute the application across the
VLAN OPERATION
In this section, you will learn about the following topics:
VLAN components
Types of VLANs
Inter-VLAN communication
VLAN standardization

Switches: the Core of VLANs
Switches are a primary component of VLAN communication. They perform critical VLAN functions by acting as the entry point for end-station devices into the switched fabric, facilitating communication across the organization, and providing the intelligence to group users, ports, or logical addresses into common communities of interest. Each switch has the intelligence to make filtering and forwarding decisions by frame, based on VLAN metrics defined by network managers, and to communicate this information to other switches and routers within the network.
The criteria used to define the logical grouping of nodes into a VLAN is based on a technique known as frame tagging. There are two types of frame tagging: implicit and explicit. Implicit tagging enables a packet to belong to a VLAN based on the Media Access Control (MAC) address, protocol, the receiving port of a switch, or another parameter into which nodes can be logically grouped. Explicit tagging requires the addition of a field into a frame or packet header that serves to classify the VLAN association of the frame. Frame tagging functions at Layer 2 and requires little processing or administrative overhead.
Routers
For inter-VLAN communication, you must use routers that extend VLAN communications between workgroups. Routers provide policy-based control, broadcast management, and route processing and distribution. They also provide the communication between VLANs and VLAN access to shared resources such as servers and hosts. Routers connect to other parts of the network that are either logically segmented into subnets or require access to remote sites across wide-area links. Consolidating the overall number of physical router ports required for communication between VLANs, routers use high-speed backbone connections over Fast Ethernet, Fiber Distributed Data Interface (FDDI), or Asynchronous Transfer Mode (ATM) for higher throughput between switches and routers.
Interoperability with Previously Installed LAN Systems
VLANs provide system compatibility with previously installed systems such as shared hubs and stackable devices. Although many of these devices are being replaced with newer switching technologies, previously installed concentrators still perform useful functions. With VLANs, you can configure devices such as shared hubs as a part of the VLAN architecture and can share traffic and network resources that directly attach to switching ports with VLAN designations.
Transport Protocols that Carry VLAN Traffic Across Shared LAN and ATM Backbones
The VLAN transport enables information exchange between interconnected switches and routers residing on the corporate backbone. Transport capabilities remove physical boundaries, increase flexibility of a VLAN solution, and provide mechanisms for interoperability between backbone system components. The backbone acts as the aggregation point for large volumes of traffic. It also carries end-user VLAN information and identification between switches, routers, and directly attached servers. Within the backbone, high-bandwidth, high-capacity links carry the traffic throughout the enterprise. Three high-bandwidth options include Fast Ethernet, Fiber/Copper Distributed Data Interfaces (FDDIs/CDDIs), and ATM.
VLAN Management
Network management solutions offer centralized control, configuration, and traffic management functions.
Each VLAN is of a particular type and has its own maximum transmission unit (MTU) size. Two types of VLANs are defined:
Ethernet/802.3 VLANs
Token Ring/802.5 VLANs
Switches will allow a VLAN of one of these types to be assigned to a static/dynamic port for which the physical MAC layer is of the corresponding type; for example, allow a VLAN of type Ethernet/802.3 to be assigned to a physical 10BaseT port.
More about Token Ring VLANs
Because a VLAN is essentially a broadcast domain, a Token Ring VLAN is slightly more complex than an Ethernet VLAN. In transparent bridging, there is only one type of broadcast frame and therefore only one level of broadcast domain, but in source routing there are multiple types of broadcast frames that fall into two categories:
Those that are confined to a single ring
Those that traverse a bridged domain
These two categories of broadcast frames result in a broadcast domain that is hierarchical in nature, because a local ring domain can exist only within a domain of all the interconnected rings.
In a Token Ring VLAN, logical ring domains are formed by defining groups of ports that have the same ring number. The IEEE calls such a port group a Concentrator Relay Function (CRF). On Catalyst switches, such a grouping of Token Ring ports is called a Token Ring CRF (TrCRF).
The domain of interconnected rings is formed using an internal multiport bridge function that the IEEE calls a Bridge Relay Function (BRF). On Catalyst switches, such a grouping of logical rings is called a Token Ring BRF (TrBRF).
The following figure illustrates TrCRFs and a TrBRF within a Catalyst® Token Ring switch or module.


By definition, Virtual LANs perform traffic separation within a shared network environment. Communication between VLANs is performed through routing functionality and, for nonroutable protocols, switching. This integrated solution of high-speed, scalable VLAN switching of local traffic and efficient routing and switching of inter-VLAN traffic is becoming increasingly attractive in large networks. Cisco routers address this requirement with their ability to connect 802.10, ISL, and ATM LANE-based VLANs.
IEEE 802.1Q provides for the standardization of VLANs based on a three-layer approach. The IEEE 802.1Q draft is expected to be approved as a standard in 1998.
Though the IEEE 802.1Q draft provides for both explicit (for example, standard IEEE 802.1Q, IEEE 802.10, ISL, and so on) and implicit tagging (identification by filter), no support is provided for the implicit tagging in revision 1. Revision 1 of the IEEE 802.1Q draft supports only one-level tagging. The one-level tagging allows the insertion of Ethertype and VLAN-ID information in the frame after the source MAC address (or Routing Information Field [RIF]) but before the original Ethertype/Length (or Logical Link Control [LLC]) field. The one-level tagging also includes a Token Ring encapsulation bit so that Token Ring frames can be carried across Ethernet backbones without IEEE 802.1h translation of data contents.
Currently, several different transport mechanisms are used for communicating VLAN information across high-performance backbones. Among them are the LANE standard that has been approved by the ATM Forum, Cisco's Inter-Switch Link (ISL) for Fast Ethernet, and the IEEE 802.10 protocol, which provides VLAN communication across shared FDDI backbones. All these virtual LAN technologies are supported on the Catalyst 5000 series switches. Each allows a single link to carry information from multiple VLANs. We will learn more about ISL, IEEE 802.10, and LANE in this module.
CREATING VLAN
The common VLAN configuration options implemented today are as follows:
By port group
By MAC address
By network layer information
By IP multicast groups
VLAN membership is defined by assigning a specific VLAN to a port or a group of ports. Still the most common way of defining VLAN membership, this type does not allow multiple VLANs to be assigned to the same switch port or group of ports. The main disadvantage of defining VLANs by port is that the network manager must reconfigure VLAN membership when a user moves from one port to another.
VLANs are defined based on the source MAC address of the hosts connected to the switch port. VLANs based on MAC addresses enable users to move to a different physical location on the network and have their workstation automatically retain its VLAN membership, because MAC-layer addresses are hard-wired into the workstation's network interface card (NIC).
VLANs are defined based on information contained in the network layer header of the packet, such as the protocol type or the network layer address. A major advantage of defining a VLAN based on Layer 3 information is that it enables partitioning by protocol type. Also, there is no need to reconfigure each workstation's network address when a user moves to a new location.
VLAN membership is defined based on IP multicast groups. All workstations that join an IP multicast group are members of the same VLAN. The fundamental concept of VLANs as broadcast domain still applies here. The main advantage of multicast group based VLANs is the high degree of flexibility due to the dynamic nature of the VLANs, because workstations can join different multicast groups at different times.
Cisco Catalyst 5000 VLAN Architecture
The Cisco Catalyst 5000 series switches allow the following VLAN configurations:
Port-centric VLANs
Dynamic VLANs
Port-Centric VLANs
All traffic to and from the port is associated with the particular VLAN that has been statically configured for that port, regardless of the addresses/contents of the frames.
Dynamic VLANs
The port is assigned to only one VLAN at a time, but that assignment changes dynamically according to the frames received from the port. Cisco implements this based on the source MAC address of the hosts connected to that port, which works in conjunction with the VLAN Membership Policy Server (VMPS) that holds a database of MAC address-to-VLAN mappings.
You already learned briefly about the implicit and explicit frame-tagging methods and the evolving IEEE 802.1Q standard.
In this section, you will learn about the ISL protocol developed by Cisco, which is used as a VLAN transport protocol across Fast Ethernet; Cisco's implementation of the IEEE 802.10 standard, used to provide VLAN interswitch communication across FDDI backbones; and the LANE standard approved by the ATM Forum, which enables legacy LAN traffic to communicate via an ATM backbone.
On a Catalyst switch, the ports that carry the tagged frames are called trunk ports. A trunk port carries the traffic of multiple VLANs through the use of encapsulation or another explicit technique. Each frame transmitted on a trunk link is "tagged" as belonging to one and only one VLAN. The following figure illustrates these examples of encapsulation: LANE, ISL, and 802.10 over FDDI.
ISL
The Inter-Switch Link, or ISL, is a Cisco-proprietary protocol used to interconnect two VLAN-capable Fast Ethernet switches using the Ethernet MAC and Ethernet media and maintaining VLAN information as traffic goes between switches. The ISL protocol is essentially a packet-tagging protocol that contains a standard Ethernet frame and the VLAN information associated with that frame. Some additional information is also present in the frame. An ISL trunk is like a continuation of the switching backplane. Although the ISL link was originally designed to connect Fast Ethernet devices together using full-duplex 100-megabit (Mb) links, it is not limited to this application. The ISL specification allows for the ISL frame to contain FDDI and Token Ring frames as well.
With ISL, an Ethernet frame is encapsulated with a header that maintains VLAN IDs between switches. The ISL frame consists of three primary fields: the header, the original packet, and the frame check sequence (FCS) at the end. The ISL frame encapsulation is 30 bytes, which includes 26 bytes of header containing the 2-byte VLAN ID and 4 bytes of FCS. The minimum FDDI packet is 17 bytes; therefore, the minimum ISL-encapsulated packet is 47 bytes. The maximum Token Ring packet is 18000 bytes; therefore, the maximum ISL packet is 18030 bytes. If only Ethernet packets are encapsulated, the range of ISL frame sizes is from 94 to 1548 bytes.
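The following is an added worked example (not code from this document or from Cisco) covering two passages: the one-level tagging described under IEEE 802.1Q, where a tag carrying an Ethertype and a VLAN ID is inserted after the source MAC address and before the original Ethertype/Length field, and the ISL frame sizes just stated. It assumes the 802.1Q tag layout: a 2-byte Tag Protocol Identifier of 0x8100 followed by a 2-byte Tag Control Information field whose low 12 bits hold the VLAN ID. The ISL arithmetic uses only the 30-byte overhead (26-byte header plus 4-byte FCS) given in the text; the sample frame and its addresses are constructed.

```python
"""One-level VLAN tag insertion/parsing and ISL framing sizes (added example)."""
import struct

TPID_8021Q = 0x8100          # Ethertype announcing that a VLAN tag follows
ISL_HEADER_LEN = 26          # ISL header including the 2-byte VLAN ID (from the text)
ISL_FCS_LEN = 4              # trailing ISL frame check sequence (from the text)
ISL_OVERHEAD = ISL_HEADER_LEN + ISL_FCS_LEN   # 30 bytes


def tag_frame(frame: bytes, vlan_id: int, priority: int = 0) -> bytes:
    """Insert a one-level VLAN tag into an untagged Ethernet frame (given without FCS)."""
    if not 1 <= vlan_id <= 4094:
        # VID 0 (priority-only tag) and 4095 are reserved by 802.1Q
        raise ValueError("VLAN ID must be in 1..4094")
    if not 0 <= priority <= 7:
        raise ValueError("priority must fit in 3 bits")
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    tci = (priority << 13) | vlan_id          # CFI/DEI bit left clear
    tag = struct.pack("!HH", TPID_8021Q, tci)
    # bytes 0..11 are destination + source MAC; the tag goes right after them,
    # before the original Ethertype/Length field
    return frame[:12] + tag + frame[12:]


def parse_tag(frame: bytes):
    """Return (vlan_id, priority, untagged_frame), or None if the frame carries no tag."""
    if len(frame) < 16:
        return None
    tpid, tci = struct.unpack("!HH", frame[12:16])
    if tpid != TPID_8021Q:
        return None
    return tci & 0x0FFF, tci >> 13, frame[:12] + frame[16:]


def isl_frame_size(inner_len: int) -> int:
    """Size on the wire of an ISL-encapsulated frame whose inner frame is inner_len bytes."""
    return inner_len + ISL_OVERHEAD


# Constructed sample: dst MAC, src MAC, IPv4 Ethertype, 46 zero payload bytes
# (a minimum-size Ethernet frame before its 4-byte FCS is appended).
SAMPLE_FRAME = (bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
                + struct.pack("!H", 0x0800) + bytes(46))


def demo() -> dict:
    tagged = tag_frame(SAMPLE_FRAME, vlan_id=100, priority=3)
    vid, prio, restored = parse_tag(tagged)
    return {
        "tagged_len": len(tagged),                   # 60 + 4-byte tag = 64
        "vlan_id": vid,
        "priority": prio,
        "round_trip_ok": restored == SAMPLE_FRAME,
        "isl_min_ethernet": isl_frame_size(64),      # 94, as stated in the text
        "isl_max_ethernet": isl_frame_size(1518),    # 1548
        "isl_min_fddi": isl_frame_size(17),          # 47
        "isl_max_token_ring": isl_frame_size(18000), # 18030
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The size arithmetic reproduces the figures in the paragraph above (94 and 1548 bytes for 64- and 1518-byte Ethernet frames, 47 for a 17-byte FDDI frame, 18030 for an 18000-byte Token Ring frame), and the tag helpers show why an untagged receiver would misread a tagged frame: after the MAC addresses it finds 0x8100 where it expects the original Ethertype.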
Dynamic ISL
The Dynamic ISL (DISL) protocol dynamically configures trunk ports between Catalyst 5000 series switches; it synchronizes the configuration of two interconnected Fast Ethernet interfaces into becoming ISL trunks. The DISL protocol minimizes VLAN trunk configuration procedures because only one end of a link must be configured as a trunk or nontrunk.
IEEE 802.10
IEEE 802.10 Interoperable LAN/MAN Security (SILS) defines a method for secure bridging of data across a shared metropolitan-area network (MAN) backbone.
The 802.10 protocol incorporates a mechanism whereby LAN traffic can carry a VLAN identifier, thus allowing selective switching of packets with this identifier. Originally conceived to address the growing need for security within shared LAN/MAN environments, it incorporates authentication and encryption techniques to ensure data confidentiality and integrity throughout the network. Additionally, the LAN/MAN Security standard functions at Layer 2 of the Open System Interconnection (OSI) reference model, making it well-suited to high-throughput, low-latency switching environments.
The 802.10 standard defines a single protocol data unit (PDU) known as a secure data exchange (SDE) PDU. This is a MAC-layer frame with an 802.10 header inserted between the MAC header and the frame's data. The 802.10 header comprises an inner and an outer header, known respectively as the "clear header" and "protected header" portions, as shown below.
When the IEEE 802.10 protocol is used to effect a VLAN topology, the VLAN ID is the essential piece of required header information. The 802.10 Security Association Identifier (SAID) field is used as the VLAN ID. This field identifies traffic as belonging to a particular VLAN. Internetworking devices with VLAN intelligence can then make forwarding decisions based upon which ports are configured for which VLANs. Therefore, where the goal is to establish logical VLAN topologies across a physical network (rather than encrypting the actual data and thereby incurring performance reduction caused by applying security algorithms), high-throughput devices must minimally support only the Clear Header portion of the 802.10 packet format. That is, only the "SDE Designator" (IEEE 802.2 Local Service Advertising Protocol [LSAP] indicating an 802.10 VLAN frame) and the actual VLAN ID (SAID field) must be carried, which adds the advantage of low processing overhead. These two fields total seven bytes.
Currently, encryption and data security are not implemented on the Catalyst switches because of the performance penalty associated with applying the security algorithm. Instead, the switch has only minimal support of the Clear Header portion (7 bytes) of the 802.10 packet format.
VLAN implementation of 802.10 trunking is defined only for FDDI on the Catalyst switches.
LANE
In a network where the backbone is an ATM switching environment, VLANs are achieved via the ATM Forum's LANE standard. LANE preserves the functionality of a LAN on the ATM network itself, so that the ATM backbone is transparent to the user and appears as a single connectionless broadcast-capable LAN segment.
LANE uses MAC encapsulation (OSI Layer 2) because this approach supports the largest number of existing OSI Layer 3 protocols. The end result is that all devices attached to an emulated LAN appear to be on one bridged segment. In this way, AppleTalk, Internetwork Packet Exchange (IPX), and other protocols should have similar performance characteristics as in a traditional bridged environment. In ATM LANE environments, the ATM switch handles traffic that belongs to the same emulated LAN (ELAN), and routers handle inter-ELAN traffic.
You will learn more about LANE in module 15, "Configuring ATM LANE."


You learned about the Spanning-Tree Protocol in an earlier module. Cisco VLAN architecture uses one instance of spanning tree for each VLAN. With the release of the Catalyst 5000 4.1 software, Cisco defined a new VLAN architecture that extends Cisco's per-VLAN Spanning-Tree Protocol across IEEE 802.1Q's mono-spanning-tree region, allowing interoperability with IEEE 802.1Q-compliant switches that support one spanning tree for all VLANs.
VLAN Trunk Protocol
VLAN Trunk Protocol (VTP) is a Layer 2 multicast messaging protocol from Cisco that provides VLAN mapping functions across varied tagging and VLAN identification schemes, so as to maintain VLAN configuration consistency throughout the network. VTP manages the addition, deletion, and renaming of VLANs at the system level without requiring manual intervention at each switch. The multicast protocol, through periodic advertisements, keeps track of these changes and communicates them to other switches in the same management domain in the network. A management domain is a group of VLANs that is under the same administrative responsibility.
VTP provides for each switch to transmit advertisements in frames on its trunk ports. These advertisement frames are sent to the multicast address to be received by all neighboring devices. Such an advertisement lists the sending device's management domain, its configuration revision number, the VLANs that it knows about, and parameters for each known VLAN.
By listening to these advertisements, all devices in the same management domain learn about any new VLANs now configured in the transmitting device. Using this method, a new VLAN needs to be created or configured on only one device in the management domain, and the information is automatically learned by all the other devices in the same management domain. For example, when a new switch is added to the network, the added switch receives updates from VTP and is automatically configured for the existing VLANs within the network.
The Catalyst 5000 series switches can be configured to operate in any one of the three VTP modes:
VTP server: The VTP server is responsible for maintaining a full list of all VLANs everywhere within the VTP domain. This information is stored in nonvolatile RAM (NVRAM). The VTP server can add, delete, and rename VLANs.
VTP client: The VTP client will also maintain a full list of all VLANs, but will not store the information in NVRAM. The client cannot add, delete, or rename VLANs. Any changes made must be received from server advertisement.
VTP transparent: A switch configured in the VTP transparent mode does not participate in VTP; however, it will pass on the VTP advertisements. A VLAN defined on the switch is local only to the switch and is stored in non-volatile RAM (NVRAM).
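The following simulation is an added example, not code from this document or from Cisco. It models the VTP behaviour described above: a server adds VLANs, increments its configuration revision number, and advertises (management domain, revision, VLAN list) on its trunks; clients in the same domain adopt the list, keep nothing in NVRAM, and cannot edit it; transparent switches relay advertisements without applying them and keep their own VLANs local. Two details are assumptions of the model rather than statements of the text: a receiver applies an advertisement only if its domain name matches and its revision number is higher than the one already held. Switch names, domain names, and VLAN names are constructed.

```python
"""Simulation of VTP advertisement handling for server, client and transparent modes (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Advertisement:
    domain: str
    revision: int
    vlans: tuple          # ((vlan_id, name), ...); immutable so relaying cannot alter it


class Switch:
    def __init__(self, name: str, mode: str, domain: str):
        if mode not in ("server", "client", "transparent"):
            raise ValueError("mode must be server, client or transparent")
        self.name, self.mode, self.domain = name, mode, domain
        self.revision = 0
        self.vlans = {1: "default"}
        # servers and transparent switches persist their VLAN table; clients do not
        self.nvram = dict(self.vlans) if mode != "client" else None
        self.trunks = []
        self._relayed = set()   # (domain, revision) pairs a transparent switch already forwarded

    def connect(self, other: "Switch"):
        """Bring up a trunk between two switches; advertisements flow only on trunks."""
        self.trunks.append(other)
        other.trunks.append(self)

    def add_vlan(self, vlan_id: int, name: str):
        """Administrative change: propagated by a server, local only on a transparent switch."""
        if self.mode == "client":
            raise PermissionError(f"{self.name}: a VTP client cannot add, delete or rename VLANs")
        self.vlans[vlan_id] = name
        self.nvram = dict(self.vlans)
        if self.mode == "server":
            self.revision += 1
            self.advertise()

    def advertise(self):
        adv = Advertisement(self.domain, self.revision, tuple(sorted(self.vlans.items())))
        for neighbour in self.trunks:
            neighbour.receive(adv, sender=self)

    def receive(self, adv: Advertisement, sender: "Switch"):
        if self.mode == "transparent":
            # does not participate, but passes the advertisement on (once per revision)
            key = (adv.domain, adv.revision)
            if key in self._relayed:
                return
            self._relayed.add(key)
            self._forward(adv, sender)
            return
        if adv.domain != self.domain or adv.revision <= self.revision:
            return   # foreign domain, or nothing newer than what this switch holds (assumed rule)
        self.vlans = dict(adv.vlans)
        self.revision = adv.revision
        if self.mode == "server":
            self.nvram = dict(self.vlans)   # a client keeps the learned table in RAM only
        self._forward(adv, sender)

    def _forward(self, adv: Advertisement, sender: "Switch"):
        for neighbour in self.trunks:
            if neighbour is not sender:
                neighbour.receive(adv, sender=self)


def run_demo() -> dict:
    """Constructed topology: C2 -- S1 -- T1 -- C1, plus X1 (a different domain) off S1."""
    s1 = Switch("S1", "server", "corp")
    c1 = Switch("C1", "client", "corp")
    c2 = Switch("C2", "client", "corp")
    t1 = Switch("T1", "transparent", "corp")
    x1 = Switch("X1", "client", "branch")
    s1.connect(c2)
    s1.connect(t1)
    t1.connect(c1)
    s1.connect(x1)
    s1.add_vlan(10, "Engineering")   # revision 1, advertised
    s1.add_vlan(20, "Accounting")    # revision 2, advertised
    t1.add_vlan(99, "lab")           # stays local to T1
    return {"S1": s1, "C1": c1, "C2": c2, "T1": t1, "X1": x1}


if __name__ == "__main__":
    for name, sw in run_demo().items():
        print(f"{name} ({sw.mode}, revision {sw.revision}): {sw.vlans}")
```

Running it shows C1 learning VLANs 10 and 20 even though only a transparent switch sits between it and the server, T1 keeping VLAN 99 to itself, and X1 ignoring everything because its domain name differs. Since the receiver checks nothing beyond domain name and revision number, the model also makes visible how little a freshly added switch needs in order to be configured automatically, which is the convenience the text describes.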
Managing VLANs with VlanDirector
VlanDirector™ is a VLAN management application that simplifies the creation and management of VLANs, enabling the user to easily perform configuration operations with simple drag-and-drop mouse clicks. It allows the administrator to create, modify, and delete VLANs and VLAN assignments.
VlanDirector uses Cisco Discovery Protocol (CDP) to discover the physical connectivity of the devices in the known network. The VlanDirector software cannot manage any devices that do not run CDP.
MANAGING VLAN SWITCHES
SNMP
An SNMP-managed network consists of the following major components:
SNMP-managed devices
SNMP agents
Network management systems (NMSs)
Managed devices are hardware devices such as computers, repeaters, switches, routers, and terminal servers that are connected to networks.
Agents are software modules that reside in SNMP-managed devices. They collect and store management information, such as the number of error packets received by a network element.
Network management stations, sometimes called consoles, execute management applications that monitor and control network managed devices. Physically, NMSs are usually engineering workstation-caliber computers with fast CPUs, memory, and abundant disk space. At least one NMS must be present in each managed environment.
Because SNMP is a distributed-management protocol, a system can operate exclusively as an NMS or an agent, or it can perform the functions of both.
A managed object is a characteristic of something that can be managed. For example, a list of currently active TCP sessions in a particular host computer is a managed object. Managed objects differ from variables, which are particular object instances.
SNMP-managed devices are monitored and controlled using the following operations:
read operation (get): The read command is used by an NMS to monitor the managed devices by examining the different variables maintained by the managed devices.
write operation (set): The write command is used by the NMS to control the managed devices by changing the values of variables stored in them.
trap operation: The trap command is used by the managed devices to asynchronously report events to the NMS.
Traversal operations are used by the NMS to determine the variables supported by a managed device and to sequentially gather information in variable tables, such as a routing table.
Protocol Operations
The protocol operations of SNMP involve the issuance of requests by the NMS and return of responses by the managed devices.
The following five protocol operations are supported by SNMP:
Get: The Get operation is used by the NMS to retrieve the value of one or more object instances from an agent. If the responding agent cannot provide values for all the object instances in a list, it does not provide any values.
GetNext: The GetNext operation is used by the NMS to retrieve the value of the next object instance in a table or list within an agent.
Set: The Set operation is used by the NMS to set the values of object instances within an agent.
Trap: The Trap operation is used by agents to asynchronously inform the NMS of a significant event, such as power failures, excess temperatures, and so on.
GetResponse: The GetResponse operation is used to send responses from the agent to the NMS.
The GetBulkRequest operation enhancement was added in SNMPv2 to reduce the number of protocol exchanges required to retrieve a large amount of information within the given constraints on the message size.
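The following in-memory agent is an added example, not code from this document, illustrating the operations just listed: the all-or-nothing Get, GetNext, Set, Trap, and GetResponse, the SNMPv2 GetBulk enhancement, and a MIB walk (the traversal operation described earlier) built from repeated GetNext. The object identifiers are the standard MIB-II sysName, ifDescr, and ifInOctets; the values stored under them and the community strings are constructed. Real SNMP carries these PDUs as BER-encoded UDP messages, which the model leaves out; a wrong community string is answered with an error and an authenticationFailure trap so that the NMS can see the failed access.

```python
"""Toy SNMP agent with Get, GetNext, GetBulk, Set, Trap and a MIB walk (added example)."""
from dataclasses import dataclass, field
from typing import Optional


def oid_key(oid: str) -> tuple:
    """Numeric tuple form of a dotted OID, so OIDs sort in lexicographic MIB order."""
    return tuple(int(p) for p in oid.strip(".").split("."))


@dataclass
class Response:
    kind: str                     # "GetResponse" or "Trap"
    varbinds: dict = field(default_factory=dict)
    error: Optional[str] = None


class Agent:
    def __init__(self, mib: dict, ro_community: str, rw_community: str):
        self.mib = dict(mib)
        self.ro, self.rw = ro_community, rw_community
        self.traps = []           # traps this agent has sent towards its NMS

    def _authorized(self, community: str, write: bool) -> bool:
        return community == self.rw if write else community in (self.ro, self.rw)

    def _auth_failure(self, community: str) -> Response:
        self.trap("authenticationFailure", community=community)
        return Response("GetResponse", error="authorizationError")

    def get(self, community: str, oids: list) -> Response:
        if not self._authorized(community, write=False):
            return self._auth_failure(community)
        missing = [o for o in oids if o not in self.mib]
        if missing:
            # as the text states: if any instance cannot be provided, none are
            return Response("GetResponse", error=f"noSuchName {missing[0]}")
        return Response("GetResponse", {o: self.mib[o] for o in oids})

    def get_next(self, community: str, oid: str) -> Response:
        if not self._authorized(community, write=False):
            return self._auth_failure(community)
        key = oid_key(oid)
        for k, o in sorted((oid_key(o), o) for o in self.mib):
            if k > key:
                return Response("GetResponse", {o: self.mib[o]})
        return Response("GetResponse", error="endOfMibView")

    def get_bulk(self, community: str, oid: str, max_repetitions: int) -> Response:
        """SNMPv2 GetBulk: up to max_repetitions successive instances in one exchange."""
        out, cur = {}, oid
        for _ in range(max_repetitions):
            r = self.get_next(community, cur)
            if r.error:
                break
            (cur, value), = r.varbinds.items()
            out[cur] = value
        return Response("GetResponse", out)

    def set(self, community: str, oid: str, value) -> Response:
        if not self._authorized(community, write=True):
            return self._auth_failure(community)
        if oid not in self.mib:
            return Response("GetResponse", error=f"noSuchName {oid}")
        self.mib[oid] = value
        return Response("GetResponse", {oid: value})

    def trap(self, event: str, **details) -> Response:
        """Agent-initiated notification (power failure, temperature, failed access, ...)."""
        t = Response("Trap", {"event": event, **details})
        self.traps.append(t)
        return t


def walk(agent: Agent, community: str, root: str) -> dict:
    """Traversal: repeat GetNext until the returned OID leaves the subtree under root."""
    result, cur, root_key = {}, root, oid_key(root)
    while True:
        r = agent.get_next(community, cur)
        if r.error:
            break
        (cur, value), = r.varbinds.items()
        if oid_key(cur)[:len(root_key)] != root_key:
            break
        result[cur] = value
    return result


# Standard MIB-II object identifiers with constructed values.
SYS_NAME = "1.3.6.1.2.1.1.5.0"
IF_DESCR = "1.3.6.1.2.1.2.2.1.2"
IF_IN_OCTETS = "1.3.6.1.2.1.2.2.1.10"
SAMPLE_MIB = {
    SYS_NAME: "cat5000-lab",
    IF_DESCR + ".1": "FastEthernet1/1",
    IF_DESCR + ".2": "FastEthernet1/2",
    IF_IN_OCTETS + ".1": 123456,
    IF_IN_OCTETS + ".2": 7890,
}


def make_agent() -> Agent:
    return Agent(SAMPLE_MIB, ro_community="public", rw_community="private")
```

Walking the ifDescr column with `walk(make_agent(), "public", IF_DESCR)` returns exactly the two interface names and stops when GetNext crosses into ifInOctets, which is how an NMS discovers the rows of a table without knowing its size in advance; `get_bulk` fetches the same rows in a single exchange.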
REMOTE MONITORING
The Remote Monitoring (RMON) standard provides a powerful distributed management architecture for performing traffic analysis, troubleshooting, trend reporting, and proactive network management.
In traditional shared-media internetworks, an RMON probe is generally attached to each segment, thus providing visibility into all network activity. However, today's high-performance switched internetworks require new RMON instrumentation solutions due to the dramatically increased number of segments and new technologies such as virtual LANs (VLANs) and Fast Ethernet Inter-Switch Links (ISLs).
The RMON standards can be deployed as a distributed architecture where agents (either embedded or in standalone probes) communicate with a central station (NMS or the management console) via SNMP.
The RMON standard (RFC 1757) organizes monitoring functions into nine groups to support Ethernet topologies and adds a tenth group in RFC 1513 for parameters unique to Token Ring. Fast Ethernet link monitoring is provided in the framework of the RFC 1757 standard, and Fiber Distributed Data Interface (FDDI) ring monitoring is provided in the framework of both RFCs 1757 and 1513.
RMON supports information in nine RMON groups of monitoring elements, each providing specific sets of data to meet common network monitoring requirements, as listed below. Vendors do not have to support all the groups within the MIB. Also, some RMON groups require the support of other RMON groups to function properly.
RMON Group: Statistics
Function: Contains statistics for each monitored interface on a device.
Elements: Packets dropped and sent, broadcast and multicast packets, cyclic redundancy check (CRC) errors, runts, giants, fragments, jabbers, collisions, and counters for various packet sizes.

RMON Group: History
Function: Stores periodic statistical samples for a network.
Elements: Sample period, number of samples, and items sampled.

RMON Group: Alarm
Function: Takes statistical samples from variables and generates an alarm event if the preconfigured thresholds are exceeded.
Elements: Alarm table, alarm type, interval, and start and stop thresholds. Requires the implementation of the Event group.

RMON Group: Host
Function: Contains statistics associated with the hosts discovered in the network.
Elements: Host address, packets and bytes transmitted and received, broadcast, multicast, and error packets.

RMON Group: HostTopN
Function: Prepares tables describing hosts that top a list ordered by one of their statistics. The sample rate-based statistics are collected over an interval specified by the NMS.
Elements: Statistics, hosts, sample start-and-stop periods, rate base, and duration.

RMON Group: Matrix
Function: Collects statistics for each conversation between sets of two addresses.
Elements: Source and destination address pairs and packets, bytes, and errors for each pair.

RMON Group: Filters
Function: Matches packets by filter equation, and the matched packets form a data stream that might be captured or might generate events.
Elements: Bit-filter type, filter expression, and conditional expression to other filters.

RMON Group: Packet Capture
Function: Enables packets to be captured after they flow through a channel.
Elements: Buffer size for captured packets, full status, and number of captured packets.

RMON Group: Events
Function: Controls the generation and notification of events from this device.
Elements: Event type, description, and last time event sent.
RMON alarms, statistics, history, and host/conversation groups are now usable for proactively monitoring and maintaining network availability based on Media Access Control (MAC) layer traffic. The RMON2 MIB is an extension of RMON and adds support for an additional nine groups. RMON2 enables network administrators to continue their deployment of standards-based monitoring solutions to support mission-critical server-based applications.
The following is a list of groups added in RMON2:
Protocol directory (protocolDir)
Protocol distribution (protocolDist)
Address map (addressMap)
Network-layer host (nlHost)
Network-layer matrix (nlMatrix)
Application-layer host (alHost)
Application-layer matrix (alMatrix)
User history collection (usrHistory)
Probe configuration (probeConfig)
To continuously monitor traffic conditions in a switched network, it is important to populate the RMON Statistics, History, Alarms, and Events groups (called mini-RMON) on a per-port basis. With these four key groups implemented in the embedded agent, continuous real-time and historical traffic statistics are available. The high-speed links between switches are the new backbones of switched internetworks. Continuous monitoring of these links is essential for managing network traffic flows and effectively troubleshooting problems.
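The following model of the RMON Alarm group is an added example, not code from this document. It samples a monitored variable at a fixed interval, either as an absolute value or as the change since the previous sample (the "relative values" mentioned later in this document), compares the sample against rising and falling thresholds, and hands each alarm to a minimal Events group, which is why the table above says the Alarm group requires the Event group. The hysteresis rule, under which a rising alarm is not raised again until the value has dropped to or below the falling threshold (and vice versa), follows the alarm group as defined in RFC 1757; the first sample may trigger either alarm, as with a startup alarm of "risingOrFalling". The counter and utilization readings are constructed; etherStatsCRCAlignErrors is the RMON Statistics group's CRC/alignment error counter.

```python
"""RMON Alarm group threshold logic with delta/absolute sampling and an Events log (added example)."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class EventLog:
    """Minimal Events group: records each alarm as (type, time, variable, value)."""
    entries: list = field(default_factory=list)

    def record(self, alarm_type: str, t: int, variable: str, value: int):
        self.entries.append((alarm_type, t, variable, value))


@dataclass
class AlarmEntry:
    variable: str
    interval: int                  # sampling interval in seconds
    rising_threshold: int
    falling_threshold: int
    sample_type: str = "delta"     # "delta" (change per interval) or "absolute"
    events: EventLog = field(default_factory=EventLog)
    last_raw: Optional[int] = None
    rising_armed: bool = True      # may a rising alarm fire on the next crossing?
    falling_armed: bool = True     # may a falling alarm fire on the next crossing?

    def sample(self, t: int, raw: int) -> Optional[str]:
        """Feed one raw reading taken at time t; return the alarm type fired, if any."""
        if self.sample_type == "delta":
            if self.last_raw is None:
                self.last_raw = raw        # a delta needs two readings
                return None
            value, self.last_raw = raw - self.last_raw, raw
        else:
            value = raw
        alarm = None
        if value >= self.rising_threshold and self.rising_armed:
            alarm = "risingAlarm"
            # no further rising alarm until the value drops to the falling threshold
            self.rising_armed, self.falling_armed = False, True
        elif value <= self.falling_threshold and self.falling_armed:
            alarm = "fallingAlarm"
            self.rising_armed, self.falling_armed = True, False
        if alarm:
            self.events.record(alarm, t, self.variable, value)
        return alarm

    def run(self, readings: list) -> list:
        """Apply readings spaced one interval apart; return every event recorded so far."""
        for i, raw in enumerate(readings):
            self.sample(i * self.interval, raw)
        return list(self.events.entries)


def crc_error_demo() -> list:
    """Delta sampling of a cumulative CRC-error counter: more than 50 new errors per 30 s is abnormal."""
    alarm = AlarmEntry("etherStatsCRCAlignErrors", interval=30,
                       rising_threshold=50, falling_threshold=10)
    counter = [0, 20, 95, 215, 275, 277, 280, 415]   # constructed cumulative readings
    return alarm.run(counter)


def utilization_demo() -> list:
    """Absolute sampling of a utilization percentage: alarm at 80 %, clear once it falls to 60 %."""
    alarm = AlarmEntry("utilization", interval=60, rising_threshold=80,
                       falling_threshold=60, sample_type="absolute")
    return alarm.run([70, 85, 90, 70, 55, 88])        # constructed percentages


if __name__ == "__main__":
    for event in crc_error_demo() + utilization_demo():
        print(event)
```

In the CRC demo the counter keeps climbing for three intervals after the first alarm, yet only one rising event is recorded; the second appears only after the error rate has dropped below the falling threshold and risen again. That hysteresis is what keeps a port that hovers around a threshold from flooding the NMS with duplicate traps.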
VLAN Monitoring
In a switched internetwork environment, users and computing resources are entities within VLANs. To troubleshoot problems in this environment, diagnostic tools must often look beyond a single port or switch and provide aggregation and analysis of network traffic by VLAN. Therefore, it is necessary to implement critical ISLs and identify traffic by VLAN, switch, and port in order to aggregate and analyze traffic effectively.
The RMON2 specification drives RMON standards beyond the MAC layer to the network and application layers. With RMON2-based agents/probes, all RMON groups map into all the major network-layer protocols such as IP, Internetwork Packet Exchange (IPX), DECnet, AppleTalk, Banyan VINES, and Open System Interconnection (OSI), giving a complete end-to-end view of network traffic. This setup enables administrators to analyze and troubleshoot networked applications such as web traffic, NetWare, Notes, e-mail, database access, Network File System (NFS), and others.
You can use a network analyzer or an RMON probe, such as a Sniffer Network Analyzer, to monitor the activity in any network. When connecting a network analyzer or RMON probe to a shared-media hub, you see most of the traffic on the network.
In a switched network, however, packets are forwarded only to the specified ports. This setup limits an analyzer to capturing broadcasts, multicasts, or packets with unresolved hardware addresses. So it is important to place the analyzer or RMON probe in a strategic location, such as between a file server or router and a LAN switch.
You can install a shared-media hub between a switch and a file server to provide an access point to a network analyzer. This setup allows you to determine if the data connection between a user and the file server is working properly. You can further improve your monitoring capability with a matrix switch to capture data on multiple connections.
CISCO'S NETWORK MANAGEMENT STRATEGY
To maintain the level of visibility familiar to customers in traditional shared-media networks, Cisco has developed the following strategy for monitoring switched Fast Ethernet internetworks:
Embed RMON agent technology into workgroup and backbone switches to gain visibility into the activity on each switch port or segment.
Provide Switched Port Analyzer (SPAN) functionality on Cisco switches.
Connect Cisco SwitchProbe devices or any existing network analyzer to the SPAN port on a switch.
Use these standalone probes with network management software to monitor critical Fast Ethernet links.
Catalyst 5000 series switch software supports an optional embedded RMON agent. The embedded RMON MIB supports four groups in the RMON specification (RFC 1757) for both 10BaseT and 100BaseT, providing proactive, distributed network management. This is sometimes referred to as the mini-RMON.
There is an additional licensing fee for use of the optional Cisco RMON agent.
The following RMON groups are supported on all 10- and 100-Mbps Ethernet ports on a Catalyst 5000 series switch. All Ethernet ports can be accessed without affecting the switching performance of the Catalyst 5000:
Statistics Group: Maintains utilization and error statistics for the Catalyst 5000 series switch port monitored. Examples: Collision, CRC/alignment, undersized, oversized, jabber, fragments, broadcast, multicast, unicast, and bandwidth utilization.
History Group: Holds periodic statistical samples from the statistics section and stores them for later retrieval. Examples: Utilization, error count, and frame count.
Alarm Group: Allows you to set a sampling interval and threshold for any item recorded by the RMON agent. Examples: Absolute or relative values, rising or falling thresholds on the utilization, frame count, CRC errors.
Event Group: Sends SNMP traps to a network management station, together with time and date. Examples: NMS can generate customized reports based on the type of alarm; an event can be printed, logged, or both.
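The Alarm group entry described above is more than a single threshold: RFC 1757 pairs a rising and a falling threshold so that one noisy interface does not generate a trap on every sample. The following Python model is an added illustration, not code from this tutorial or from Cisco; it evaluates one alarm entry sample by sample, in both absolute and delta (relative) mode, over constructed utilization and CRC-counter series, and shows which samples would hand an event to the Event group and which are suppressed by the threshold pair.

```python
"""RMON Alarm group evaluation (RFC 1757) over a constructed sample series.

Added illustration, not code from the page or from Cisco: it models how an
RMON agent evaluates one alarm entry sample by sample, so the roles of the
sampling interval, absolute versus delta sampling, and the rising/falling
threshold pair (hysteresis) become visible. All sample values are constructed.
"""
from typing import List, Optional, Tuple


class RmonAlarm:
    """One alarmTable entry. sample_type is "absolute" or "delta";
    startup mirrors alarmStartupAlarm: "rising", "falling" or "risingOrFalling"."""

    def __init__(self, variable: str, sample_type: str,
                 rising_threshold: int, falling_threshold: int,
                 startup: str = "risingOrFalling") -> None:
        if sample_type not in ("absolute", "delta"):
            raise ValueError("sample_type must be 'absolute' or 'delta'")
        self.variable = variable
        self.sample_type = sample_type
        self.rising_threshold = rising_threshold
        self.falling_threshold = falling_threshold
        self.startup = startup
        self._last_raw: Optional[int] = None    # previous raw counter (delta mode)
        self._last_value: Optional[int] = None  # previous alarmValue
        # After a rising event no further rising event fires until a falling
        # event has occurred, and vice versa (RFC 1757 alarm semantics).
        self._rising_armed = True
        self._falling_armed = True

    def sample(self, raw: int) -> Tuple[Optional[int], Optional[str]]:
        """Feed one sample; returns (alarmValue, event) where event is
        "rising", "falling" or None. Delta mode needs two raw samples before
        it yields a value."""
        if self.sample_type == "delta":
            if self._last_raw is None:
                self._last_raw = raw
                return None, None
            value = raw - self._last_raw
            self._last_raw = raw
        else:
            value = raw

        prev, self._last_value = self._last_value, value
        event = None
        if prev is None:
            # First valid sample: alarmStartupAlarm decides whether to fire.
            if value >= self.rising_threshold and self.startup in ("rising", "risingOrFalling"):
                event = "rising"
            elif value <= self.falling_threshold and self.startup in ("falling", "risingOrFalling"):
                event = "falling"
        else:
            crossed_up = prev < self.rising_threshold <= value
            crossed_down = prev > self.falling_threshold >= value
            if crossed_up and self._rising_armed:
                event = "rising"
            elif crossed_down and self._falling_armed:
                event = "falling"

        if event == "rising":
            self._rising_armed, self._falling_armed = False, True
        elif event == "falling":
            self._rising_armed, self._falling_armed = True, False
        return value, event


def run_alarm(alarm: RmonAlarm, samples: List[int]) -> List[Tuple[int, str, int]]:
    """Evaluate a whole series; returns (sample_index, event, value) for each
    event the Event group would be asked to log or trap."""
    events = []
    for i, raw in enumerate(samples):
        value, event = alarm.sample(raw)
        if event is not None:
            events.append((i, event, value))
    return events


if __name__ == "__main__":
    # Constructed utilization percentages, one per sampling interval (absolute):
    util = RmonAlarm("utilization", "absolute", rising_threshold=75, falling_threshold=30)
    print(run_alarm(util, [40, 80, 70, 80, 70, 20, 80]))
    # Constructed cumulative CRC error counter, evaluated as a delta per interval:
    crc = RmonAlarm("etherStatsCRCAlignErrors", "delta", rising_threshold=20, falling_threshold=5)
    print(run_alarm(crc, [100, 102, 130, 131, 132, 180]))
```

In the utilization series the fourth sample (80 percent) crosses the rising threshold again but produces no event, because utilization never dropped to the falling threshold in between; that suppression is what keeps a link hovering around 75 percent from flooding the NMS with traps. The delta series shows why counters such as CRC errors are sampled relatively: the alarm reacts to the increase per interval, not to the lifetime total.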
CiscoWorks for Switched Internetworks (CWSI) is a comprehensive suite of applications designed for managing Cisco Catalyst and LightStream switches. CWSI offers extensive configuration, traffic, logical viewing, and performance management capabilities on a device- and network-wide basis to dramatically ease network management of switched internetworks.
The CWSI solutions, which include CiscoView, VlanDirector, TrafficDirector, and AtmDirector software and UserTracking, deliver a management system for growing switched internetworks. These applications perform topology mapping, VLAN management, and performance and configuration management.
The following diagram shows screen captures from the CWSI applications:
When you install CWSI on an NMS workstation, it discovers your network based on the configured domain name and displays a map of your network in the CWSI - Map window. The network discovery is done through the Cisco Discovery Protocol (CDP).
The network map displays the physical state of your network, including Cisco switches, routers, and links. VlanDirector software displays the VLANs in your network, including VLAN Trunk Protocol (VTP) domains and the current spanning-tree configuration. It also serves as a launch point for CWSI applications and allows you to display reports about your network status.
CiscoView
CiscoView is a network device management software application utilizing a graphical user interface (GUI) that provides dynamic status, statistics, and comprehensive configuration information for Cisco switched internetworking products (switches, routers, concentrators, and adapters).
CiscoView graphically displays a physical view of Cisco devices. Additionally, this network management tool provides monitoring functions and offers basic troubleshooting. Using CiscoView, users can easily understand the tremendous volume of management data available for internetworking devices. CiscoView organizes this information into graphical device representations presented in a clear, consistent format.
CiscoView can be integrated with several of the leading SNMP-based network management platforms, providing a cohesive view of your network. Alternatively, it can be run on UNIX workstations as a fully functional, independent management application. It is also included within CiscoWorks.
VlanDirector Software
VlanDirector is a GUI-based application that helps to define communities of interest and the VLANs across all Cisco switching platforms. The VlanDirector application also automatically constructs the LAN topology using information gathered from the switches running CDP, thereby facilitating the association of switch connections in the corporate network.
You can create virtual LANs by first defining a workgroup, such as Marketing, and then using the GUI representation of switches to drag the appropriate ports into the VLAN. VlanDirector can then automatically, or with the guidance of the network administrator, configure the switched trunks that interconnect the VLANs. In this manner, VLAN interconnection is completely transparent to the network administrator, as are the actual LAN or Asynchronous Transfer Mode (ATM) technologies being used to interconnect the VLANs.
The trunking functions of the VlanDirector software also support simple rule-based options so that trunking recommendations or decisions can be based on available bandwidth, redundancy options, or shorter switched paths.
TrafficDirector Software
The TrafficDirector application delivers data-link statistics and alarms, traffic flow analysis, and history tracking tools so that you can collect trend analysis of traffic flow patterns in your switched network. Coupling these functions with the host traffic flow features in the TrafficDirector application allows you to determine which systems are using more bandwidth than others and to track information flow. This ability helps you to make sensible decisions when considering whether to deliver switched bandwidth to specific systems or whether the system must be migrated to a higher-performance LAN or switched technology.
TrafficDirector software also supports packet capture and decoding capabilities that allow you to collect network data for troubleshooting purposes. The console applications support multiple filtering and decoding mechanisms that allow you to view network traffic as you would on a popular network analyzer.
Postcapture filters help you sift through the many captured packets to find the specific data you need. These filtering schemes can also be used to perform an unattended capture of network traffic from the switch. The console allows you to define a capture trigger that starts packet capturing on the network, making it easier and more convenient to set "traps" for potential network problems.
AtmDirector Software
The AtmDirector application gives users the ability to discover the ATM topology and map the devices within the topology map; perform an end-to-end path trace analysis across virtual circuits; check on the configuration of LAN Emulation (LANE), including the synchronization of databases across redundant LANE Configuration Servers (LECSs); and graphically configure Private Network-Network Interface (PNNI) settings on a per-device basis.
AtmDirector software allows the discovery of an ATM network that consists of Cisco LightStream 1010 ATM switches, referred to as LS1010 switches. You can also discover ATM devices connected to the LS1010 ports, for example, the ATM LANE (LAN emulation) card for the Catalyst 5000 series switches.
The AtmDirector application displays all discovered devices on a topology map, interacts with all discovered devices via pull-down menus or, for quick navigation, via icons, and monitors the status of discovered devices.
AtmDirector software allows you to set up soft permanent virtual channel (SPVC) connections and soft permanent virtual path (SPVP) connections, display ATM-VLAN topology and configuration information, identify problems, and monitor performance. You can also use AtmDirector software to display PNNI topology information, configure PNNI nodes, monitor link status, and invoke the CiscoView application for each device on the topology map.
UserTracking
The UserTracking application enables you to access and modify information about end-user nodes in the CWSI and VLAN Membership Policy Server (VMPS) databases in a network. With UserTracking, you can query the CWSI database using up to two search criteria, including username, IP address, and MAC address. UserTracking allows you to display the results of queries in a table in which you can customize, modify, add, and delete port mappings and update the VMPS servers.
You can also use UserTracking to manage the scheduling of network information acquisition. VMPS is a server process that supports dynamic ports. Dynamic ports enable end-user nodes to remain on the same VLAN after being moved and plugged into another physical port, without the intervention of manual port reconfiguration.
Previously, you learned about the Cisco Discovery Protocol (CDP). CDP is media- and protocol-independent and runs on all Cisco-manufactured equipment, including routers, bridges, access and communication servers, and switches.
With CDP, network management applications can retrieve the device type and SNMP agent address of neighboring devices by sending SNMP queries to neighboring devices. CDP allows Cisco network management applications to dynamically discover Cisco devices that are neighbors of already-known devices, in particular neighbors running lower-layer transparent protocols.
CDP runs on all media that support the Subnetwork Access Protocol, including LAN and Frame Relay. CDP runs over the data link layer only, not the network layer. Therefore, two systems that support different network-layer protocols can learn about each other. Cached CDP information is available to network management applications. Cisco devices never forward a CDP packet. When new information is received, old information is discarded.
The Switched Port Analyzer (SPAN) is an embedded management feature supported on the Catalyst 5000 series switches. The SPAN feature allows network administrators to direct traffic going to and/or from a port on the switch to a designated monitoring port.
Enhanced SPAN lets you monitor traffic for analysis by a network analyzer or RMON probe. Enhanced SPAN lets you monitor traffic from across a VLAN (multiple ports) to a single port for analysis. Enhanced SPAN redirects traffic from any one Ethernet, Fast Ethernet, or FDDI port or VLAN at a time to an Ethernet or Fast Ethernet monitor port for detailed analysis and troubleshooting. Using a full-duplex Fast Ethernet SwitchProbe, VLAN trunk links can be tapped for access to data streams in both directions at line rate for a comprehensive view of all ISL-VLAN traffic.
You can monitor a single port or VLAN using a dedicated analyzer, such as a Network General Sniffer, or an RMON probe, such as a Cisco SwitchProbe device. The TrafficDirector management application can access Cisco SwitchProbe devices and the Catalyst 5000 series switch embedded RMON agent from the same console.
The SwitchProbe devices from Cisco offer dedicated, enhanced LAN and WAN RMON probes for comprehensive end-to-end, seven-layer monitoring of an enterprise network.
The Cisco SwitchProbe device products provide full visibility into switched internetworks. To maintain the level of network visibility familiar to administrators in shared-media environments, a switched network can be implemented with multiple Cisco SwitchProbe devices, with one probe connected to each critical link or connected to a diagnostic SPAN port of a switch for extended analysis.
The Ethernet, half-duplex Fast Ethernet, or Token Ring SwitchProbe models can be connected to a SPAN port on a switch or to Enhanced SPAN on the Catalyst 5000 series switches. Catalyst switches mirror the data to the probe from the selected ports and VLANs. The full RMON capabilities of the probe can then be applied to this selected portion of the switch traffic.
If a SwitchProbe product is connected to the SPAN port, CWSI can seamlessly provide complete RMON and RMON2 support for any port on the switch. The Fast Ethernet SwitchProbe devices monitor traffic at the link, network, and application layers, and in all nine RMON MIB groups.
SwitchProbe products are RMON2-compliant. They are capable of identifying traffic at the network layer, allowing statistics for all hosts that access that segment, no matter where they are located or how the network is connected. These RMON2-based probes map into all major network layer protocols, such as IP, IPX, DECnet, AppleTalk, and Banyan VINES, giving a complete end-to-end view of network traffic.
A SwitchProbe device on a full-duplex Fast Ethernet VLAN trunk link can monitor the multiplexed VLAN traffic and provide per-VLAN traffic statistics, including utilization, broadcast rates, and errors.
MANAGING CISCO 5000 CATALYST SWITCHES
You can manage the Catalyst 5000 series switches using in-band or out-of-band management.
You can use the following methods for in-band management of the Catalyst switch:
Console port on the Supervisor Engine module
Network connection (Telnet or SNMP) to the switch
Although it is not commonly done, it is possible to use the console port to set up in-band management by way of Telnet or SNMP. It is far more common, however, to make a network connection using a line module.
You can use the following methods for out-of-band management of the Catalyst switch:
Serial port
Serial Line Internet Protocol (SLIP) (Telnet or SNMP)
The console port on the Catalyst 5000 series switches provides for serial management by using a direct terminal connection for out-of-band management, as shown in the following diagram.
The console port on the Supervisor Engine I and II modules is an EIA/TIA-232, data communications equipment (DCE), DB-25 receptacle. Both data set ready (DSR) and data carrier detect (DCD) are active when the system is running. The Request To Send (RTS) signal tracks the state of the Clear To Send (CTS) input. The console port does not support modem control or hardware flow control.
To use the serial interface, connect a terminal that supports a fixed format of 9600 baud, 8 bits, 1 stop bit, and no parity to the serial port by means of a straight-through EIA/TIA-232 cable. The EIA/TIA-232 was known as recommended standard RS-232 before its acceptance as a standard by the Electronics Industry Association (EIA) and Telecommunications Industries Association (TIA).
To connect to the console port on the Supervisor Engine III module, you must use a cable with an RJ-45 connector. In addition to the RJ-45-to-RJ-45 cable, you will need either an RJ-45-to-DB-9 or RJ-45-to-DB-25 female data terminal equipment (DTE) adapter.
Connecting a terminal to the console port of the Catalyst 5000 gives you access to the command line interface (CLI) of the switch. You can use the CLI to configure the Catalyst switches before connecting other network devices. Backplane utilization information for the Catalyst 5000 series switch is available from the CLI with Release 2.1. Prior to Release 2.1, backplane utilization information was available only via SNMP or by physical examination of the utilization meter on the front panel of the Network Management Processor (NMP).
You can manage the Catalyst 5000 series switches using the CLI through a terminal attached to the console port on the Supervisor Engine or by attaching a modem and using SLIP.
The Catalyst 5000 series switches support out-of-band management through the use of a modem attached to the console port. This out-of-band connection works in conjunction with SLIP. SLIP is a version of IP that runs over serial links, enabling IP communications over the administrative interface.
You can use the out-of-band connection to:
Establish a Telnet session that provides access to the Catalyst 5000 series switch CLI
Establish an SNMP management session that provides the ability to use an SNMP-based management platform, such as CWSI solutions
To establish an out-of-band connection on a Catalyst 5000 series switch, connect a 100-percent Hayes-compatible modem by means of a straight-through cable with a 25-pin D-type connector. When the Catalyst 5000 series switch is switched on, it puts the modem into autoanswer mode.
Using Telnet to Access the Catalyst 5000 Switch
You can also access the CLI through a Telnet session across the network. The Catalyst 5000 switch is a Telnet server and not just a Telnet client. This feature lets you Telnet from the CLI of the Catalyst 5000 series switch to other devices on the network that support Telnet. Up to eight simultaneous Telnet sessions are possible.
ESTABLISHING COMMUNICATION WITH A SWITCH
To communicate with a switch and configure the switch parameters, you must connect a data terminal, or a PC running a terminal emulation program, to the console port located on the Supervisor Engine module.
The console port is an asynchronous serial port, and any devices connected to this port must be capable of asynchronous transmission. Asynchronous devices are the most common type of serial device. For example, most modems are asynchronous devices.
The console port is the local (out-of-band) console terminal connection to the switch. The console port enables you to use the CLI to perform the following functions:
Configure the switch and monitor network statistics and errors
Configure SNMP agent parameters
Download software updates to the switch
Distribute software images in Flash memory to other devices remotely using network ports
The Supervisor Engine module console port is a data communications equipment (DCE) receptacle. When connecting a terminal to the Supervisor Engine III console port, connect the terminal using a thin, flat RJ-45-to-RJ-45 cable and an RJ-45-to-DB-9 or RJ-45-to-DB-25 adapter. When connecting a terminal to the Supervisor Engine I and II console port, use a straight-through cable with a male DB-25 data terminal equipment (DTE) connector on the network end to connect to a DTE device. When connecting a serial device, consider the cable as an extension of the switch for an external connection; therefore, use a null-modem cable to connect the switch to a remote DCE device such as a modem or data service unit (DSU).
Before connecting the console port, check the documentation for your terminal to determine its baud rate and other settings. The baud rate of the terminal must match the default baud rate (9600 baud) of the console port. Use the following settings on the terminal and then turn on power to the console terminal:
9600 baud, 8 data bits, no parity, 1 stop bit, no flow control
Command-Line Interpreter
The Catalyst 5000 series switch CLI is a basic command-line interpreter, similar to the UNIX C shell, that provides command-line editing, history substitution, and the creation of aliases. You can access the CLI from a terminal connected to the console port or through a Telnet session.
When you install the switch and the modules, ensure that all power supply connections, line cards, and cable connections are secure. Connect the power cord(s) and turn on the power supply unit(s). When two supplies are present, connect the second power cord to a different power source (such as an uninterruptable power source), or at least to a different circuit, if possible.
After both power supplies are switched ON, the PS1 and PS2 light emitting diodes (LEDs) on the Supervisor Engine module faceplate will be green. While the system initializes, the status LED on the Supervisor Engine module is orange until the boot is complete. Listen for the system fan assembly and check the fan LED on the Supervisor Engine module. You should hear the fan operating.
Power-up diagnostics are performed by each line module. The time required to complete the test is dependent on the line module type. System Diagnostics (sysdiag) takes several minutes to complete, based on the total number of ports in the chassis.
During the power-up sequence, the following tests are performed:
Port loopback on all ports is checked.
Data paths and interfaces between line modules are checked.
Backplane is checked.
EARL/SAINT options are verified.
Some LEDs may go on and remain on, or go out and go on again for a short time. Other LEDs, such as the link LED, will stay on during the entire boot process. If an interface is already configured, the LEDs may stay on as they detect traffic on the line. Wait until the system boot is complete before attempting to verify the switching module LED indications.
When the system boot is complete (it takes a few seconds), the Supervisor Engine module begins to initialize the switching modules. During this initialization, the LEDs on each switching module behave differently (most flash on and off). The status LED on each switching module goes on when initialization has been completed, and the console screen displays a script and the Catalyst 5000 Power Up Diagnostics banner.
Many of the switching module LEDs will not go on until you have configured the interfaces.
After showing you that the various hardware components are initialized, the console screen connected to a Supervisor Engine III module displays a screen similar to this:
System Power On Diagnostics
NVRAM Size..............................128KB
ELD Test................................Done
ID Prom Test............................Passed
DPRAM Size..............................16KB
DPRAM Data 0x55 Test....................Passed
DPRAM Data 0xaa Test....................Passed
DPRAM Address Test......................Passed
Clearing DPRAM..........................Done
System DRAM Memory Size.................16MB
DRAM Data 0x55 Test.....................Passed
DRAM Data 0xaa Test.....................Passed
DRAM Address Test.......................Passed
Clearing DRAM...........................Done
EARL++..................................Present
EARL RAM Test...........................Passed
EARL Serial Prom Test...................Passed
Level2 Cache............................Present
Level2 Cache test.......................Passed
In this tutorial, when you work on the Configuration Lab exercises, you will use a console screen display supported by the Cisco Interactive Mentor simulation environment (CIM-SE). So, you will not be able to see the power-on sequence or the boot diagnostics display shown above.
At the end of the system boot process, you are instructed to enter a password with the following prompt.
Enter password:
At the password prompt, press Return.
Sending RARP request with address 00:20:0b:6c:2b:44
Sending bootp request with address 00:20:0b:6c:2b:44
[both lines are repeated several times]
Console>
There are two modes of operation, both password protected: normal and privileged. You can use normal-mode commands for everyday system monitoring. You must use privileged commands for system configuration and basic troubleshooting.
After the boot sequence has finished, if you don't see any prompt, you may want to press the Return or Enter key two or more times.
When the switch is shipped from the factory, no password is set on the switch. So, when prompted for the password, press the Enter key. However, after a password is set, you must enter the password to log into the system. After you log in, the system automatically enters normal mode, which gives you access to normal-mode commands only.
You can then enter the privileged mode by entering the enable command followed by a second password. To return to normal mode, enter the disable command at the prompt.
If the sc0 interface is set to 0.0.0.0 or if you used the clear config all command before rebooting, the system will initiate a BOOTP or Reverse Address Resolution Protocol (RARP) request.
If a switch has been configured with an IP address and connected to a network, you can access the switch console via Telnet. You will learn to configure the IP address for the switch later, under "Configuring the sc0 Interface" in the Configuration of the System Parameters section.
After connecting to the switch through a Telnet session, you see the following display:
% telnet catalyst1
Trying 129.296.239.11...
Connected to catalyst1.
Escape character is '^]'.
Cisco Systems Console Fri Mar 10 1995, 13:50:25
Enter password:
At this point, you can access the switch in the same way as described in the "Accessing CLI through Switch Console Port" section.
Compared with routers, LAN switches are considered to be simple to configure and operate. To support the basic features of a network, the switch doesn't require any complicated configuration. However, before you can start connecting devices to the ports of a LAN switch, you must configure some basic parameters of the switch, such as giving the switch an IP address. To help you understand the purpose of configuring these parameters and give you some practice in actually configuring them, in the next section you will use CIM-SE to practice some of the basic switch configuration tasks.
CONFIGURATION OF SYSTEM PARAMETERS
The following configuration and troubleshooting tasks are normally completed on a Catalyst 5000 series switch to configure the system parameters:
Configuring system information
Configuring system time, prompt, and password
Configuring the sc0 interface and default gateway
Configuring SNMP parameters, including community strings and traps
Configuring RMON
Using show commands for initial system troubleshooting
You will use CIM-SE to complete the Configuration Labs at the end of this tutorial. As the skills and knowledge you learn in this tutorial are critical to a successful completion of the Configuration Lab, please complete this tutorial before you start the simulator.
The Catalyst 5000 series switch supports the following three command options:
set: To configure or modify the system configuration
show: To view the current system configuration or statistics
clear: To clear or allow the overwriting of certain configuration settings
Though the Catalyst 5000 series switch supports a complete set of switch commands, in the interest of providing a methodical learning experience, the simulator supports only a specified set of these commands in each Configuration Lab.
The system information includes the contact name and, possibly, the phone number for the system, the location of the switch, and the name of the switch. This information is important, especially if there are switches at multiple locations that are managed by many people.
The system time must be set correctly, especially if the switch is connected to other switches and routers in the network. The correct time of network failures, error messages, or traps may help with a quick diagnosis of the cause of the problems. If the network has multiple switches, you can configure each switch with a meaningful prompt to help identify the switch you are configuring or troubleshooting.
You already learned that there are two levels of passwords on the Catalyst 5000 series switch. It is important to secure access to the switches in a network. Ensure the security of the network by assigning proper passwords and writing them down in a safe place for your reference.
The set interface command is used to assign the IP network address, subnet mask, and broadcast address for the Catalyst interfaces. The same set interface command is used to assign slip and destination addresses for the slip interfaces. It can also be used to administratively bring the interfaces up or down. There are two configurable network interfaces to a Catalyst 5000 series switch: in-band (sc0) and Serial Line Internet Protocol (SLIP) (sl0). After you assign an IP address to sc0, the Catalyst 5000 becomes accessible through Ethernet and FDDI interfaces. The sc0 interface is up by default. You only need to use the set interface sc0 up command after you administratively bring the interface down.
In the Configuration Lab, you will configure the sc0 interface type when assigning the Catalyst 5000 series switch IP address.
If there is a need to configure the SLIP interface, you can use this interface type when configuring a SLIP connection on the switch. The SLIP connection (sl0) and the console port connection (sc0) cannot use the console port at the same time. While the SLIP connection is active, it will cause you to lose your console port connection. If you are connected to the command line through the console port and you enter the slip attach command, you will lose the console port connection. To reestablish the console port serial connection, use Telnet to access the command line, enter privileged mode, and type slip detach to restore the console port connection. Alternately, you can reset the switch using the reset system command to disable the slip attach.
Configuring Default Route and Gateway
The set ip route command adds IP addresses or aliases to the IP routing table. You must do this if your Telnet station or SNMP network management station is on a different network from that of the switch. The destination in the set ip route command refers to the IP address or IP alias of the network or a specific host. The gateway refers to the IP address or IP alias of the router. The metric parameter is optional. It indicates whether the destination network is local or remote. Use 0 for local, and 1 for remote. The default configuration routes the local network through the sc0 interface with metric 0 as soon as sc0 is configured.
You will also use the set ip route command to configure a default IP gateway. A default IP gateway routes IP packets that have unresolved destination IP addresses. Setting the default gateway IP address tells the switch how to connect to a device not on the local network.
You can define up to three default IP gateways with Catalyst 5000 series switch software Release 4.1. Defining multiple default IP gateways provides redundancy. If the primary default IP gateway fails, the Catalyst 5000 series switch uses the secondary default IP gateways in the order in which they were configured.
SNMP, an application-layer protocol, facilitates the exchange of Management Information Bases (MIBs) between network devices. SNMP community strings authenticate access to the MIB and function as embedded "passwords." The SNMP community strings (passwords) are used for transmission of SNMP data between devices and are accessible to the network management station. For an SNMP message to be processed, the community string must match one of the following three community-string modes configured in the switch:
Read-only: This mode gives read access to all objects in the MIB except the community strings, but does not allow write access
Read-write: This mode gives read and write access to all objects in the MIB, but does not allow access to the community strings
Read-write all: This mode gives read and write access to all objects in the MIB, including the community strings
Configure the SNMP community strings on the switch to be managed using an SNMP network management workstation. The switch sends a trap to the receiver (such as an SNMP manager or workstation) under various conditions, such as when a port or module goes up or down, when temperature limitations are exceeded, when authentication failures occur, or when power supply errors occur.
The set snmp trap command enters the #" address of the recei$ing station into the trap recei$er table, which can
hold up to ten addresses. <hen you enter addresses in the table, you must specify the community string that will
appear in the trap message. You can control whether the switch issues a trap by using the set snmp trap enable or
the set snmp trap disable ,default. commands. #f you want only some types of traps to be forwarded, you can
substitute $arious parameters for the word all in the set snmp trap enable all command.
The following implementations are supported by the set snmp rmon command&
0!? support is enabled by default in the hardware in etwor% !anagement "rocessor ,!". Bersion ).5,).
and earlier, and disabled by default in the hardware in !"$).5,*. and later. <ith all $ersions of software, access
to the 0!? information re+uires a separate software license.
0!? statistics are collected on a segment basis instead of a repeater-port basis for the Catalyst 5000 series
segment-switching 'thernet module ,50/aseT 74 ports.. The 0!? feature deinstalls all the domains for all the
interfaces on an 'thernet module that has been remo$ed from the system. 0!? can be enabled only for
'thernet ports. The embedded 0!? agent on 'thernet ports gathers statistics on the following 0!? groups,
as specified in 0=C 5C5C&
Ethernet
History
Alarm
Events
Use of this command requires a separate software license.
The RMON feature deinstalls all the domains for all the interfaces on an Ethernet module that has been removed from the system.
The show commands supported by the Catalyst 5000 series switch are valuable tools in troubleshooting network problems. In this Configuration Lab, you will be using the following show commands:
show config: This command is used to display the system configuration being used in the switch.
show log: This command is used to display the system error log.
show test: This command is used to display the results of the system diagnostics test.
show version: This command is used to display the software and hardware version information.
Though the following information is not included in the Configuration Lab, you may find it useful in managing or troubleshooting the switch.
Switch Does Not Boot
On initial power-on, if the switch fails to boot up, check the following:
Check the switch hardware and make sure that the Supervisor Engine is seated properly.
If any of the power-on diagnostics failed, write down the information.
Password Recovery
If the password for a Catalyst 5000 series switch is lost or forgotten, you will be able to access the switch by restarting it and pressing the Enter key during the first 30 seconds of the restart process.
To recover a lost password on the Catalyst 5000, use the following steps:
1. Make sure that you are connected to the console port of the switch.
2. Reboot the switch and immediately start pressing the Enter key until you get a prompt.
3. Enter the enable command and press the Enter key.
4. When the switch prompts for a password, just press the Enter key.
5. Now enter the set password or set enablepass command, depending on which password you need to recover.
6. At the password prompt, press the Enter key for the old password; when prompted for a new password, enter the new password and then confirm the new password.
BOOTP Configuration
The IP address for a switch can be set using the BOOTP protocol. You can configure a BOOTP server with the Media Access Control (MAC) and IP addresses of the switch. When the switch boots, it automatically retrieves the IP address from the BOOTP server.
The switch performs a BOOTP request only if the current IP address is set to 0.0.0.0. This is the default for a new switch or a switch that has had its configuration file cleared using the clear config all command. To configure a BOOTP server, you must determine the MAC address of the switch and add that MAC address to the BOOTP file (such as /usr/etc/bootptab) on the server.
Uploading/Downloading Configuration
After making the configuration changes in a switch, you can save the configuration on a server for future downloading. You can use the write command in the privileged command mode to upload the current configuration to a host (typically in the tftpboot directory) or to display it on the terminal. The write terminal command is exactly the same as the show config command. The write network command is used to upload the configuration file to a Trivial File Transfer Protocol (TFTP) server. The write host filename command is a shorthand version of the write network command.
You cannot use the write network command to upload software to the ATM module.
Use the configure network command to download a configuration file from the network and execute each command in that file. The following example shows how to download the configuration file called system5.cfg from the 192.122.174.42 host:
Console> (enable) configure 192.122.174.42 system5.cfg
You can use the download command to copy a software image from a specified host to the Flash memory of a designated module. Use the upload command to copy a software image from a designated module to a specified host. The Catalyst 5000 switch supports two ways to download and upload new code:
TFTP network connections through any network port
Kermit serial transfer through the console port
Only the first method applies to the ATM module. The download command downloads code to the Flash memory. Catalyst 5000 software will reject an image if it is not a valid image for the module. When downloading to the ATM module, the Supervisor Engine module acts as a TFTP gateway, forwarding TFTP packets to the ATM module through an in-band interprocessor communication (IPC) method.
If a module number is not specified for either of these commands, the default is module 1, the Supervisor Engine. The following example shows a download of the c5000_2152.cbi file from the buell host to the supervisor NMP:
Console> (enable) download buell c5000_2152.cbi
CONFIGURING LAN SWITCH PORTS
Before connecting network devices to a LAN switch, you must configure the parameters for the ports on a LAN switch, including the port speed, port priority, port transmission mode, and other port parameters.
The transmission speed of the standard Ethernet ports is 10 Mbps. However, the Fast Ethernet modules support a speed of 100 Mbps. Depending on the type of modules, some Fast Ethernet modules operate at both the 10- and 100-Mbps speeds. Switching modules supporting speeds up to 1000 Mbps are also being introduced into the marketplace now.
As you learned earlier, Ethernet ports could be designed to operate either in half- or full-duplex modes. Remember that when switch ports are configured to operate in full-duplex mode on dedicated links or between switches, the bandwidth supported by that link is doubled.
The Catalyst 5000 series switch Ethernet and Fast Ethernet switching modules share the following features:
Port-to-port wire-speed packet transfer
Media-rate performance across the 1.2-Gbps backplane
Half- or full-duplex operation on dedicated switch ports
Dedicated application-specific integrated circuit (ASIC) on each port with embedded Remote Monitoring (RMON) and standard Ethernet Management Information Base (MIB)
192-KB buffers on each interface to accommodate "bursty" traffic
Connectivity from switched Ethernet and Fast Ethernet to Fiber Distributed Data Interface (FDDI) and Asynchronous Transfer Mode (ATM) backbones
Hot-swappable capability
For additional information on all commands discussed in this module, refer to the Catalyst 5000 Series Command Reference publication.
An Ethernet port on the Catalyst 5000 series switch can connect to a single workstation or server, or to a hub through which workstations or servers connect to the network. Ports on a typical Ethernet hub are all connected to a common backplane within the hub, and the bandwidth of the network is shared by all devices attached to the hub.
If two stations establish a session that uses a significant level of bandwidth, the network performance of all other stations attached to the hub is degraded. To reduce degradation, the Catalyst 5000 series switch treats each port as an individual segment, and when stations on different ports need to communicate, it switches frames from one port to the other at wire speed. Switching ensures that each session receives the full 10-Mbps bandwidth.
In this module, you will learn to configure the following port parameters on the Fast EtherChannel switching module on the Catalyst 5000 series switch:
Port name
Port priority
Port speed
Port transmission type
The Catalyst 5000 series switch has the following default configurations:
All the ports are enabled.
There are no port names assigned.
The priority level for the ports is set to normal.
All 10/100-Mbps ports on the Ethernet and Fast Ethernet modules and the 4/16-Mbps ports on the Token Ring modules are set to the auto mode.
When a port is in autosensing mode, both the speed and duplex are determined by autosensing. Also, by default, all Ethernet and Fast Ethernet ports are enabled and are placed in VLAN 1, which is the management VLAN.
You will be using the following configuration commands in the Configuration Lab:
set port name
set port level
set port speed
set port duplex
Configuring Port Name
You can assign names to all ports on the Ethernet and Fast Ethernet modules. It may be particularly useful to assign names to the Fast Ethernet ports on the Supervisor Engine module to facilitate switch administration. Use the set port name command to set the port name for the Catalyst 5000 series switch modules.
Configuring Port Priority Level
You can configure the priority level of each port to be normal or high. The priority level determines a port's priority to access the switching bus. When ports request simultaneous access to the switching bus, the Catalyst 5000 series switch uses the port priority level to determine the access order of ports to the switching bus. Use the set port level command to set the port priority for the Catalyst 5000 series switch modules.
The default port priority for Ethernet switching modules is normal.
Setting the Port Speed
You can configure the port speed for 10/100BaseTX ports on the 10/100-Mbps Fast Ethernet switching module, if desired. When the port speed of a 10/100-Mbps Fast Ethernet switching module is set to auto, the interfaces automatically configure themselves to operate at the proper speed and transmission type (half duplex or full duplex). Use the set port speed command to set the port speed for the Catalyst 5000 series switch modules.
On a 10/100 module, if a port speed is set to auto, its transmission type (duplex) will also be set to auto automatically; for example, the duplex of an autospeed port cannot be set.
You must first set the port speed to a fixed value (not auto), however, to be able to set the port transmission type to half- or full-duplex mode.
If you know the required port speed, manually configure the port to the actual speed to avoid possible problems.
Configuring Transmission Mode
You can set the transmission type for 10/100-Mbps modules to auto, full duplex, or half duplex. Unless you are certain that both ends (devices) of a port connection are capable of supporting full duplex, configure the ports for half-duplex operation. Under the half-duplex operation, transmission of data between a sending station and a receiving station occurs in only one direction at a time. Use the set port duplex command to set the transmission type for the Catalyst 5000 series switch modules.
When configuring a port to operate in full-duplex mode, ensure that the device that is connected to the port is not only capable of supporting full-duplex operation, but is also configured to full-duplex mode.
The connection between a switch port and an Ethernet hub (shared) cannot operate in full-duplex mode, because only dedicated connections can support full duplex.
The following section describes other important port configuration features. Though they may not be configured or used in every switch, there may be occasions when you are required to configure them in a network. However, you will not be configuring these features in the Configuration Labs.
Configuration of PortFast Feature
Ports can be configured to immediately enter Spanning-Tree Protocol forwarding mode when a connection is made, instead of following the usual sequence of blocking, learning, then forwarding. This configuration is useful in situations where rapid access to a node, such as a server, is required. The port configured for the PortFast feature still participates in the spanning-tree calculations.
You will not configure the PortFast feature in the Configuration Lab.
You can use the set spantree portfast command to configure a port connected to a single workstation or PC to start faster when it is connected.
Do not use the set spantree portfast command on ports connected to networking devices such as hubs, routers, switches, bridges, or concentrators.
You can use the PortFast command only if there is no other switch or router connected to the network. Otherwise, PCs trying to connect via Dynamic Host Configuration Protocol (DHCP) will encounter timeout problems if trunks are busy.
The following examples show how to enable the spanning-tree bridge PortFast on port 2 on module 1:
Console> (enable) set spantree portfast
Usage: set spantree portfast <mod_num/port_num> <enable|disable>
Console> (enable) set spantree portfast 1/2 enable
Caution: Spantree port fast start should only be enabled on ports connected to a single host. Connecting hubs, concentrators, switches, bridges, etc. to a fast start port can cause temporary spanning tree loops. Use with caution.
Spantree port 1/2 fast start enabled.
Configuration of Port Security Feature
Media Access Control (MAC) address security allows the Catalyst 5000 series switch to block input to an Ethernet or Fast Ethernet port when the MAC address of a station attempting to access the port is different from the configured MAC address.
Secure port filtering does not apply to trunk ports, where the source addresses change frequently.
The set port security command allows you to set the MAC address of a specified port as the given address. If the MAC address is not given, the address is learned. After the address is learned, it remains unchanged until the system relearns it when you reenter the command. The MAC address is stored in nonvolatile random-access memory (NVRAM) and maintained even after the reset.
Configuration Example
Console> set port security 3/1 enable
Port 3/1 port security enabled with the learned mac address.
Console> set port security 3/1 enable 01-02-03-04-05-06
Port 3/1 port security enabled with 01-02-03-04-05-06 as the secure mac address.
When a packet's source address does not match the allowed address, the port through which the packet came is disabled, and a link-down trap is sent to the SNMP manager. When a source address change occurs, the port is disabled, and the light-emitting diode (LED) for that port turns orange. When the port is reenabled, the port LED turns green.
You can use the show port command to display all security information, such as MAC addresses, the port counter values, and whether security is enabled or disabled. When the port is in learning mode, or if the security is disabled, MAC addresses are not displayed.
To disable secure port filtering, enter the set port security mod_num/port_num(s) disable [mac_addr] command.
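The secure-port behaviour just described, modelled in Python as an added example (this is not Catalyst software): one allowed source MAC per port, learned from the first frame when none was configured; a frame from any other source disables the port and raises a link-down trap, and show_port hides the MAC while learning or when security is off. The port names, MAC values and the show_port field names are constructed for the example.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional


def normalize_mac(mac: str) -> str:
    """Canonical form so '01-02-03-04-05-06' and '0102.0304.0506' compare equal."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))


@dataclass
class SecurePort:
    name: str                                   # mod_num/port_num, e.g. "3/1" (constructed)
    enabled: bool = True                        # ports are enabled by default
    security: bool = False
    secure_mac: Optional[str] = None            # None while the port is still learning
    traps: List[str] = field(default_factory=list)  # what the SNMP manager would receive

    def set_port_security(self, enable: bool, mac: Optional[str] = None) -> str:
        """Mirror of 'set port security <mod/port> enable|disable [mac_addr]'."""
        if not enable:
            self.security, self.secure_mac = False, None
            return f"Port {self.name} port security disabled."
        self.security = True
        self.secure_mac = normalize_mac(mac) if mac else None
        if self.secure_mac is None:
            return f"Port {self.name} port security enabled with the learned mac address."
        return f"Port {self.name} port security enabled with {self.secure_mac} as the secure mac address."

    def receive(self, src_mac: str) -> str:
        """Process one inbound frame and report what the switch did with it."""
        src = normalize_mac(src_mac)
        if not self.enabled:
            return "dropped (port disabled)"
        if not self.security:
            return "forwarded"
        if self.secure_mac is None:             # learning mode: the first source becomes the secure MAC
            self.secure_mac = src
            return f"forwarded (learned {src})"
        if src == self.secure_mac:
            return "forwarded"
        # Violation: disable the port and send a link-down trap to the SNMP manager.
        self.enabled = False
        self.traps.append(f"linkDown {self.name} (security violation by {src})")
        return "dropped (port disabled, link-down trap sent)"

    def show_port(self) -> dict:
        """Subset of 'show port': the MAC is not shown while learning or when security is off."""
        return {
            "port": self.name,
            "status": "connected" if self.enabled else "disabled",
            "security": "enabled" if self.security else "disabled",
            "secure_mac": self.secure_mac if self.security else None,
        }


if __name__ == "__main__":
    p = SecurePort("3/1")
    print(p.set_port_security(True))
    print(p.receive("0102.0304.0506"), "|", p.receive("01-02-03-04-05-06"))
    print(p.receive("aabb.ccdd.eeff"), "|", p.show_port(), "|", p.traps)
```

The learned address is whatever source arrives first after the port is secured, so a port should be secured before the station is connected or with the MAC given explicitly, as in the page's second example.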
Configuration of UplinkFast Feature
Use the set spantree uplinkfast command to enable and disable the UplinkFast Switchover feature. This command increases the path cost of all ports on the switch, making it unlikely that the switch would become the root switch. The station_update_rate value represents the number of multicast packets transmitted per 100 milliseconds. The default is 15 packets per millisecond; if zero is entered, station-learning frames are not generated.
The set spantree uplinkfast command, when enabled, affects all VLANs on a Catalyst 5000 series switch. You cannot configure the UplinkFast feature on an individual VLAN.
The following example shows how to enable and verify the Fast Uplink Switchover feature with a station-update rate of 40 packets per 100 milliseconds:
Console> (enable) set spantree uplinkfast enable rate 40
VLANs 1-1000 bridge priority set to 49152.
The port cost and portvlancost of all ports increased by 3000.
Station update rate set to 40 packets/100ms.
uplinkfast turned on for bridge.
Use the set spantree portvlancost command to assign a lower cost to a set of VLANs on a port. If you do not specify the VLANs, the command acts on the VLANs specified in prior instances of this command. If you do not specify a cost, the portvlancost value is set to one less than the current portcost value for the port.
When UplinkFast is enabled, the bridge priority of all VLANs is set to 49152, and the path cost of all ports and VLAN trunks is increased by 3000. When UplinkFast is disabled, the bridge priorities of all VLANs and path costs of all ports are set to default values.
Configuration of SPAN Port (Port Monitoring)
Previously, you learned about the importance of using RMON Probes for troubleshooting and managing switched networks. You can connect a network analyzer or an RMON Probe such as Cisco's SwitchProbe to a port on the Catalyst 5000 series switch to mirror traffic from another port or a VLAN to this port. This port is known as the Switched Port Analyzer (SPAN) port.
With the Enhanced SPAN port feature available on the Catalyst 5000 family switches, an Ethernet or half-duplex Fast Ethernet SwitchProbe device can provide visibility into VLAN traffic at 10 or 100 Mbps, respectively. Using a full-duplex Fast Ethernet SwitchProbe, VLAN trunk links can be tapped for access to data streams in both directions at line rate for a comprehensive view of all ISL-VLAN traffic.
A SwitchProbe device on a full-duplex Fast Ethernet VLAN trunk link can monitor the multiplexed VLAN traffic and provide per-VLAN traffic statistics, including utilization, broadcast rates, errors, and conversation information.
Configuration Steps
1. Use the set span enable command to enable port monitoring in the switch.
2. The set span src_mod/src_port dest_mod/dest_port [rx | tx | both] command is used to configure the SPAN port. Port monitoring can be used for monitoring a specified VLAN or port.
Cat1> (enable) set span 3/1 3/8 both
3. You can use the show span command to verify the SPAN port configuration change.
TROUBLESHOOTING TIPS
You can use the following commands for troubleshooting some of the problems you may encounter when configuring the port parameters:
show module
show port
show port channel
show mac
The show module command displays the module type, model, serial number, status, module MAC address, and hardware, firmware, and software version numbers. If the status is not "ok,"you know there is a problem with the module. Verify that the version of hardware, firmware, and software used by the module supports the feature you want to configure in the switch.
The show port command displays a wealth of information about the port, including name, VLAN, status, priority level, transmission type, and speed of the port. The display also includes all the port errors, including alignment, frame check sequence (FCS), transmit, and receive errors.
The show port channel command is useful in troubleshooting the Fast EtherChannel modules. The command displays the status (connected or not connected), channel mode (on, off, auto, desirable), and the channeling status indicating whether it is an EtherChannel link or not. The display also shows information about the port and device the channel is connected to.
The show mac command is useful in troubleshooting the MAC counters. The command displays important counters associated with the port.
The Configuration Labs build on the configuration completed in the previous exercises; therefore, you should complete the tutorials in the order presented.
HOW VLAN WORKS
VLANs allow ports on the same or different switches to be grouped so that traffic is confined to members of that group only. This feature restricts broadcast, unicast, and multicast traffic (flooding) to ports included only in a certain VLAN. You can set up VLANs for an entire management domain from a single Catalyst 5000 series switch.
The VLANs on a Catalyst 5000 series switch simplify adding and moving end stations on a network. For example, when an end station is physically moved to a new location, its attributes can be reassigned from a network management station via SNMP or the Command Line Interface (CLI). When an end station is moved within the same VLAN, it retains its previously assigned attributes in its new location.

The IP address of a Catalyst 5000 series switch Supervisor Engine module can be assigned to any VLAN. This mobility allows a network management station and workstations on any Catalyst 5000 VLAN to directly access another Catalyst 5000 series switch on the same VLAN without using a router. Only one IP address can be assigned to a Catalyst 5000 series switch; if the IP address is reassigned to a different VLAN, the previous IP address assignment to a VLAN becomes invalid.
HOW VTP WORKS
VLAN Trunk Protocol (VTP) is a Cisco proprietary Layer 2 messaging protocol that maintains VLAN configuration consistency throughout the network. VTP manages the addition, deletion, and renaming of VLANs at the system level. This protocol allows you to manage VLANs on a network-wide basis and make central changes that are automatically communicated to all the other switches in the network without requiring manual intervention at each switch.
A VTP domain is made up of one or more interconnected devices that share the same VTP domain name. A switch can be configured to be in one and only one VTP domain. Catalyst switches configured as VTP servers and clients maintain all VLANs everywhere within the VTP domain. A VTP domain defines the boundary of the specified VLAN. Using VTP, each Catalyst 5000 series switch advertises its management domain, its configuration revision number, and its known VLANs and their specific parameters on its trunk ports.
VTP establishes global configuration values and distributes the following global configuration information:
VLAN name
VLAN IDs
Emulated LAN names
802.10 security association identifier (SAID) values
Maximum transmission unit (MTU) size for a VLAN
Frame format
Catalyst 5000 series switches can be configured to operate in any one of the three VTP modes:
VTP server: The VTP server is responsible for maintaining a full list of all VLANs everywhere within the VTP domain. This information is stored in nonvolatile RAM (NVRAM). The server can add, delete, and rename VLANs.
VTP client: A VTP client will also maintain a full list of all VLANs but will not store the information in NVRAM. A VTP client cannot add, delete, or rename VLANs. Any changes made must be received from a server advertisement.
VTP transparent: A switch configured in the VTP transparent mode does not participate in VTP; however, it will pass on the VTP advertisements. A VLAN defined on the switch is only local to the switch and is stored in NVRAM.
VTP servers and clients transmit information through trunks to other attached switches and receive updates from those trunks. Using VTP servers, the global VLAN information can be modified through the VTP Management Information Base (MIB) or the CLI.
The advertisement frames are sent to a multicast address so that they can be received by all neighboring devices, but they are not forwarded by normal bridging procedures. All switches in the same management domain learn about any new VLANs configured in the transmitting switch.
Using periodic advertisements, VTP tracks configuration changes and communicates them to other switches in the network. The configuration is updated and propagated to the other switches by a higher VTP-advertisement revision number. The switch ignores VTP advertisements with a lower revision number. When new switches are added to the network, the added devices receive updates from VTP and automatically configure existing VLANs within the network.
VTP Version 2
Catalyst 5000 series software release 3.1 supports VTP version 2, an extension to VTP that supports Token Ring LAN switching. VTP version 2 must be enabled to support Token Ring switching. VTP version 1 and VTP version 2 are not interoperable on switches in the same VTP domain.
The set vtp and set vlan commands use VTP to set up VLANs across an entire management domain. Initially, all switched Ethernet, Ethernet repeater, and FDDI ports are in the default VLAN defined as VLAN 1.
By default, the Catalyst 5000 series switch is in the no-management domain state until it is configured with a management domain or it receives an advertisement for a domain. If a switch receives an advertisement, it inherits the management domain name and configuration revision number. The switch ignores advertisements with different management domains or earlier configuration revision numbers and checks all received advertisements with the same domain for consistency.
The set vtp command sets up the management domain, including establishing the management domain name, the VTP mode of operation (server, client, or transparent), and the password value. There is no default domain name (the value is set to null). The default advertisement interval is five minutes. The default VTP mode of operation is set to server.
By default, the management domain is set to nonsecure mode without a password. A password sets the management domain to secure mode. You must configure a password on each Catalyst 5000 series switch in the management domain when in secure mode; otherwise, the switch would ignore the VTP advertisements when the configured password does not match the password in the VTP advertisement.
VTP version 2 is disabled by default. VTP version 2 must be manually enabled using the set vtp v2 {enable | disable} command. All switches in a VTP domain must be running the same version of VTP.
VTP is transmitted on all trunk connections, including ISL, 802.10, and LAN emulation (LANE).
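The acceptance rules described above (domain inheritance, domain mismatch, the secure-mode password, and the revision-number comparison), together with what each of the three modes may do, as an added Python model; this is not Cisco's VTP implementation. The advertisement carries a plain password field as a stand-in for the password-derived digest a real VTP summary advertisement carries, and all switch, domain and VLAN names are constructed for the example. Note that a server or client applies any advertisement in its own domain whose revision is higher than its own and replaces its whole VLAN table with it, which is why the page has you configure the password on every switch in the domain.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class VtpAdvertisement:
    domain: str
    revision: int
    vlans: Dict[int, str]             # VLAN ID -> VLAN name
    password: Optional[str] = None    # stand-in for the password-derived digest (simplification)


@dataclass
class VtpSwitch:
    mode: str = "server"              # server | client | transparent; the default is server
    domain: Optional[str] = None      # no-management-domain state until configured or learned
    password: Optional[str] = None    # None = nonsecure mode
    revision: int = 0
    vlans: Dict[int, str] = field(default_factory=lambda: {1: "default"})  # VLAN 1 always exists

    def set_vtp(self, domain: Optional[str] = None, mode: Optional[str] = None,
                password: Optional[str] = None) -> None:
        """Subset of 'set vtp [domain name] [mode mode] [passwd passwd]'."""
        if domain is not None:
            self.domain = domain
        if mode is not None:
            if mode not in ("server", "client", "transparent"):
                raise ValueError(f"unknown VTP mode {mode!r}")
            self.mode = mode
        if password is not None:
            self.password = password  # this switch now requires a matching password (secure mode)

    def add_vlan(self, vlan_id: int, name: str) -> str:
        """'set vlan': only a server changes the domain-wide database; transparent is local only."""
        if self.mode == "client":
            return "error: VTP client cannot add, delete, or rename VLANs"
        self.vlans[vlan_id] = name
        if self.mode == "server":
            self.revision += 1        # the higher revision is what propagates the change
            return f"vlan {vlan_id} added, configuration revision now {self.revision}"
        return f"vlan {vlan_id} added locally (transparent mode, not advertised)"

    def advertise(self) -> VtpAdvertisement:
        """What a server or client sends on its trunks."""
        return VtpAdvertisement(self.domain or "", self.revision, dict(self.vlans), self.password)

    def receive(self, adv: VtpAdvertisement) -> str:
        """Apply the page's acceptance rules to one incoming advertisement."""
        if self.mode == "transparent":
            return "ignored: transparent mode (advertisement passed on, not applied)"
        if self.domain is None:
            self.domain = adv.domain  # inherit the management domain name
        elif adv.domain != self.domain:
            return "ignored: different management domain"
        if self.password is not None and adv.password != self.password:
            return "ignored: password mismatch (secure mode)"
        if adv.revision <= self.revision:
            return f"ignored: revision {adv.revision} is not higher than {self.revision}"
        self.revision = adv.revision
        self.vlans = dict(adv.vlans)  # the whole VLAN table is replaced, not merged
        return f"applied: revision {adv.revision}, {len(adv.vlans)} VLANs"


if __name__ == "__main__":
    server, client = VtpSwitch(), VtpSwitch(mode="client")
    server.set_vtp(domain="CORP")
    print(server.add_vlan(10, "eng"))
    print(client.receive(server.advertise()), client.vlans)
    client.set_vtp(password="s3cret")
    server.add_vlan(30, "lab")
    print(client.receive(server.advertise()))   # rejected until the server has the same password
```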
The VTP pruning feature detects when a switch does not need the traffic for a particular VLAN and restricts flooded traffic to only those trunk links that the traffic must use to access the appropriate network devices. VTP pruning enhances network bandwidth use by reducing unnecessary flooded traffic, which includes broadcast, multicast, unknown, and flooded unicast packets.
Configuring VTP Pruning
By default, VTP pruning is disabled in a management domain. The pruning enable option of the set vtp command enables pruning in the entire management domain. Make sure that all devices in the management domain support VTP pruning before enabling it. VTP pruning, even if enabled, does not take effect on a VLAN that is not pruning-eligible. By default, VLAN 1 is not pruning-eligible, while VLANs 2 through 1000 are pruning-eligible.
To enable pruning eligibility, the set vtp pruneeligible command is used.
console> set vtp pruneeligible 120,150
Vlans 2-5,9-99,120,150,201-1000 eligible for pruning on this device.
This command specifies VLANs 120 and 150 as eligible for pruning. It also displays all pruning-eligible VLANs.
To disable pruning eligibility, the clear vtp pruneeligible command is used.
console> clear vtp pruneeligible 2,3,6-8,100-200
Vlans 1-3,6-8,100-200 will not be pruned on this device.
Pruning eligibility resides on the local device only.
DYNAMIC VLAN MEMBERSHIP
You can configure the VLAN membership for a port to be static or dynamic. Dynamic ports are assigned to a VLAN based on the source Media Access Control (MAC) address of the hosts connected to that port. One advantage of dynamic ports is that you can move a device from a port on one switch to a port on another switch in the network without changing the VLAN assignment.
To configure dynamic port VLAN membership, the following tasks have to be completed:
Configure the VLAN Membership Policy Server (VMPS)
Configure dynamic ports on clients
The VMPS has a database of MAC-address-to-VLAN mappings necessary for setting up dynamic ports. After you enable VMPS by entering the set vmps state enable command, the configuration information is downloaded from a Trivial File Transfer Protocol (TFTP) server. After the VMPS successfully downloads the ASCII configuration file, it parses the file and builds a database and begins to accept requests from clients.
The VMPS opens a User Datagram Protocol (UDP) socket to communicate with clients and listen to client requests. As shown in the following figure, upon receiving a valid request from a client, the VMPS searches its database for a MAC-address-to-VLAN mapping.
If the assigned VLAN is restricted to a group of ports, the VMPS verifies the requesting port against this group. If the VLAN is legal on this port, the VLAN name is passed in the response. If the VLAN is illegal on that port and the VMPS is not in secure mode, it sends an access-denied response. If the VMPS is in secure mode, it sends a port-shutdown response.
If the VLAN from the table does not match the current VLAN on the port and there are active hosts on the port, the VMPS sends an access-denied or a port-shutdown response based on the secure mode of the VMPS.
You can configure a fallback VLAN name into the VMPS. If the requested MAC address is not in the table, the VMPS sends the fallback VLAN name in response. If you do not configure a fallback VLAN and the MAC address does not exist in the table, the VMPS sends an "access denied" response. If the VMPS is in secure mode, it sends a "port shutdown" response.
Upon subsequent resets of the Catalyst 5000 series switches, the configuration information is downloaded automatically from a TFTP server, and the VMPS is enabled.
Dynamic ports work in conjunction with the VMPS. You must configure the VMPS before configuring dynamic ports. The VMPS must be active and accessible to the Catalyst 5000 series switch.
On the current Catalyst 5000 series switch hardware platform, a dynamic (nontrunking) port can belong to only one VLAN at a time. Upon link-up, a dynamic port is isolated from its static VLAN. The source MAC address from the first packet of a new host on the dynamic port is sent to the VMPS, which provides the VLAN number to which this port must be assigned.
Multiple hosts (MAC addresses) can be active on a dynamic port, provided they are all in the same VLAN.
When a port becomes dynamic, the spanning-tree PortFast feature is automatically enabled for that port. This prevents applications on the host from timing out and entering loops caused by incorrect configurations.
Static ports that are trunking cannot become dynamic ports. You must first turn off trunking on the trunk port before changing it from static to dynamic.
The following describes the parameters in the configuration file:
You must define the VMPS domain in the file. It corresponds to the VTP domain name of the switch. The mode defines the VMPS to be either in open or secure mode. The fallback VLAN is assigned to the MAC addresses not defined in the database.
"MAC addresses" define the MAC address and the corresponding VLAN table. The keyword --NONE-- specifies that the MAC address should be denied connectivity. A port is identified by the IP address of the switch and the module/port number of the port in the form mod_num/port_num.
"Port group" defines a logical group of ports. The keyword all-ports specifies all the ports in the specified switch.
"VLAN group" defines a logical group of VLANs. These logical groups define the VLAN port policies in the next section.
"VLAN port policies" define the ports associated with a restricted VLAN. You can configure a restricted VLAN by defining the set of dynamic ports on which it can exist.
The VMPS parser is a line-based parser. Start each entry in the file on a new line. Ranges are not allowed for the port numbers.
A sample B!"S configuration file is shown below&
!vmps domain <domain_name>
! The VMPS domain must be defined.
!vmps mode { open | secure }
! The default mode is open.
!vmps fallback <vlan_name>
!vmps no-domain-req { allow | deny }
!
! The default value is allow.
vmps domain WBU
vmps mode open
vmps fallback default
vmps no-domain-req deny
!
!
!MAC Addresses
!
vmps-mac-addrs
!
! address <addr> vlan-name <vlan_name>
!
address 0012.2233.4455 vlan-name hardware
address 0000.6509.a080 vlan-name hardware
address aabb.ccdd.eeff vlan-name Green
address 1223.5678.9abc vlan-name ExecStaff
address fedc.ba98.7654 vlan-name --NONE--
address fedc.ba23.1245 vlan-name Purple
!
!Port Groups
!
!vmps-port-group <group_name>
! device <device_id> { port <port_name> | all-ports }
!
vmps-port-group WiringCloset1
device 198.92.30.32 port 3/2
device 172.20.26.141 port 2/8
vmps-port-group "Executive Row"
device 198.4.254.222 port 1/2
device 198.4.254.222 port 1/3
device 198.4.254.223 all-ports
!
!
!VLAN groups
!
!vmps-vlan-group <group_name>
! vlan-name <vlan_name>
!
vmps-vlan-group Engineering
vlan-name hardware
vlan-name software
!
!
!VLAN port Policies
!
!vmps-port-policies {vlan-name <vlan_name> | vlan-group <group_name> }
! { port-group <group_name> | device <device_id> port <port_name> }
!
vmps-port-policies vlan-group Engineering
port-group WiringCloset1
vmps-port-policies vlan-name Green
device 198.92.30.32 port 2/8
vmps-port-policies vlan-name Purple
device 198.4.254.22 port 1/2
port-group "Executive Row"
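The response rules described above and the file grammar just shown, as an added example (not code from the tutorial or from Cisco): a Python parser for the line-based VMPS database plus a resolver that returns the VLAN name or the mode-dependent denial. The embedded database is a constructed subset of the sample file; the request's `domain`, `current_vlan` and `active_hosts` fields are assumptions about what the switch's request carries.

```python
"""Parser and request resolver for the line-based VMPS database format.
Added example, not code from the tutorial or from Cisco: SAMPLE_DB is a
constructed subset of the text's sample file, and resolve() applies the reply
rules the text gives (fallback VLAN, --NONE--, restricted VLANs, and the
open-mode "access denied" versus secure-mode "port shutdown" response).
"""
from __future__ import annotations
import shlex
from dataclasses import dataclass, field

SAMPLE_DB = """\
! constructed sample; same grammar as the tutorial's file
vmps domain WBU
vmps mode open
vmps fallback default
vmps no-domain-req deny
vmps-mac-addrs
address 0012.2233.4455 vlan-name hardware
address aabb.ccdd.eeff vlan-name Green
address fedc.ba98.7654 vlan-name --NONE--
address fedc.ba23.1245 vlan-name Purple
vmps-port-group WiringCloset1
device 198.92.30.32 port 3/2
device 172.20.26.141 port 2/8
vmps-port-group "Executive Row"
device 198.4.254.223 all-ports
vmps-vlan-group Engineering
vlan-name hardware
vlan-name software
vmps-port-policies vlan-group Engineering
port-group WiringCloset1
vmps-port-policies vlan-name Green
device 198.92.30.32 port 2/8
vmps-port-policies vlan-name Purple
port-group "Executive Row"
"""

@dataclass
class VmpsDb:
    domain: str = ""
    mode: str = "open"                                # open | secure
    fallback: str | None = None
    no_domain_req: str = "allow"                      # allow | deny
    macs: dict = field(default_factory=dict)          # mac -> vlan-name
    port_groups: dict = field(default_factory=dict)   # group -> {(device, port or "*")}
    vlan_groups: dict = field(default_factory=dict)   # group -> {vlan-name}
    policies: dict = field(default_factory=dict)      # restricted vlan -> allowed (device, port)

def parse_vmps(text: str) -> VmpsDb:
    """One entry per line; '!' starts a comment; shlex keeps quoted group names whole."""
    db, section = VmpsDb(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        tok = shlex.split(line)
        kw, sec = tok[0], (section[0] if section else None)
        if kw == "vmps" and tok[1] in ("domain", "mode", "fallback", "no-domain-req"):
            setattr(db, tok[1].replace("-", "_"), tok[2])
        elif kw == "vmps-mac-addrs":
            section = ("mac", None)
        elif kw in ("vmps-port-group", "vmps-vlan-group"):
            table = db.port_groups if kw == "vmps-port-group" else db.vlan_groups
            section = (kw, table.setdefault(tok[1], set()))
        elif kw == "vmps-port-policies":
            # a vlan-group policy restricts every VLAN in that group
            names = [tok[2]] if tok[1] == "vlan-name" else sorted(db.vlan_groups[tok[2]])
            section = ("policy", [db.policies.setdefault(n, set()) for n in names])
        elif kw == "address" and sec == "mac":
            db.macs[tok[1].lower()] = tok[3]
        elif kw == "device" and sec == "vmps-port-group":
            section[1].add((tok[1], "*" if tok[2] == "all-ports" else tok[3]))
        elif kw == "vlan-name" and sec == "vmps-vlan-group":
            section[1].add(tok[1])
        elif sec == "policy" and kw in ("port-group", "device"):
            ports = db.port_groups[tok[1]] if kw == "port-group" else {(tok[1], tok[3])}
            for allowed in section[1]:
                allowed.update(ports)
        else:
            raise ValueError(f"cannot parse line: {line!r}")
    if not db.domain:
        raise ValueError("vmps domain must be defined")
    return db

def resolve(db: VmpsDb, mac: str, device: str, port: str, *, domain: str | None,
            current_vlan: str | None = None, active_hosts: int = 0) -> str:
    """VLAN name to assign to the port, or the denial response for db.mode."""
    deny = "port shutdown" if db.mode == "secure" else "access denied"
    if (domain is None and db.no_domain_req == "deny") or (domain is not None and domain != db.domain):
        return deny
    vlan = db.macs.get(mac.lower(), db.fallback)   # unknown MAC -> fallback, if any
    if vlan is None or vlan == "--NONE--":
        return deny
    allowed = db.policies.get(vlan)                # restricted VLAN: port must be listed
    if allowed is not None and (device, port) not in allowed and (device, "*") not in allowed:
        return deny
    if current_vlan is not None and current_vlan != vlan and active_hosts > 0:
        return deny                                # hosts already active in another VLAN
    return vlan
```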
STP PARAMETERS
We have learned that the Catalyst switch supports one instance of spanning tree per VLAN. In this section, we will learn about some of the spanning-tree parameters that are configurable for each VLAN on the switch.
The Spanning-Tree Protocol blocks certain ports to prevent physical loops in a redundant topology. We learned about the spantree portcost feature in an earlier tutorial. In this tutorial, we will learn about the spantree hello, maxage and fwddelay parameters.
On a blocked port, the Catalyst 5000 series switch receives spanning-tree bridge protocol data units (BPDUs) periodically from its neighboring switch. The frequency of receiving BPDUs is determined by the set spantree hello command (which is set to 2 seconds by default). If a Catalyst 5000 switch does not receive a BPDU in the time period defined by the set spantree maxage command (20 seconds by default), then the blocked port transitions to listening state, then learning state, and finally to forwarding state. As it transitions, the Catalyst 5000 switch waits for the time period specified by the set spantree fwddelay command (15 seconds by default) in each of these intermediate states. Therefore, a blocked spanning-tree port moves into the forwarding state if it does not receive BPDUs from its neighbor within approximately 50 seconds.
The show spantree [VLAN] command displays the Spanning-Tree Protocol information for the VLAN specified. Since each VLAN has its own spanning tree, these spanning-tree parameters are configurable for each VLAN. However, unless you have a specific need to change the Spanning Tree Protocol parameters, use of the default settings for the above parameters is recommended.
The spantree root, portvlanpri, and portvlancost parameters are discussed in a later tutorial.
LAN SWITCH TRUNKS
A trunk is a point-to-point connection that carries traffic for multiple virtual LANs (VLANs) between two LAN switches or between a LAN switch and a router. If two LAN switches are connected using regular Ethernet ports (10- or 100-Mbps), the link will allow the devices connected to the switches to communicate only if both devices are in the same VLAN. However, if the same link is configured as a trunk, it will be able to carry traffic for multiple VLANs.
The following different types of trunks are used in network environments:
Cisco's ISL trunks
IEEE 802.1Q standard
IEEE 802.10 standard
FDDI trunks
ATM trunks
o ATM LANE trunks
o RFC 1483
ISL TRUNKS
Cisco's implementation of trunks across Fast Ethernet links is called Inter-Switch Link (ISL) trunks. You learned about the ISL and its benefits in the "Configuring VLANs" module. You can configure Fast Ethernet ports on Catalyst switches as ISL trunks to connect two Catalyst switches. A single ISL trunk link is capable of carrying traffic for multiple VLANs between two Catalyst switches. This implementation reduces the need for a separate trunk link for each VLAN configured in the connected switches. In the Configuration Lab for this module, you will configure ISL trunks between the Catalyst switches.
Using ISL or VLAN trunks, you can connect switches to each other and to routers using high-speed interfaces. The Catalyst 5000 series switches can multiplex up to 1000 VLANs between switches and routers by using ISL on Fast Ethernet, L A N E on ATM, or 802.10 on Fiber Distributed Data Interface (FDDI). You can use any combination of these trunk technologies to form enterprise-wide VLANs and choose between low-cost copper and long-distance fiber connections for your trunks.
The following diagram shows how two Catalyst switches connected with ISL trunks carry traffic for multiple VLANs:
The Dynamic ISL (DISL) protocol dynamically configures trunk ports between ISL-capable Catalyst switches; it synchronizes two interconnected Fast Ethernet interfaces into becoming ISL trunks and minimizes VLAN trunk configuration procedures because only one end of a link must be configured as a trunk or nontrunk.
Using spanning-tree port-VLAN priorities, you can load share VLAN traffic over parallel trunk ports so that traffic from some VLANs travels over one trunk, while traffic from other VLANs travels over the other trunk. This configuration allows traffic to be carried over both trunks simultaneously (rather than keeping one trunk in blocking mode), reducing the total traffic carried over each trunk while still maintaining a fault-tolerant configuration.
The following figure shows a parallel trunk configuration between two Catalyst 5000 series switches, using the Fast Ethernet uplink ports on the Supervisor Engine.
By default, the port-VLAN priorities for both trunks are equal (a value of 32). Therefore, the Spanning-Tree Protocol blocks port 1/2 (Trunk 2) for each VLAN on Switch 1 (top) to prevent forwarding loops. Trunk 2 is not used to forward traffic unless Trunk 1 fails.
Configuration of VLAN-Traffic Load Sharing
The following section shows how to configure the Catalyst 5000 series switches so that traffic from multiple VLANs is load balanced over the parallel trunks.
To configure load sharing of VLAN traffic, you can divide the configured VLANs into two groups. You might want traffic from half of the VLANs to go over one trunk link and half over the other, or if one VLAN has heavier traffic than the others, you can have traffic from that VLAN go over one trunk and traffic from the other VLANs go over the other trunk link.
The top Catalyst 5500 (Switch 1) in the figure is connected to the bottom Catalyst switch (Switch 2) via its Supervisor Engine Fast Ethernet ports. You decide that you want VLANs 3 and 4 to use Trunk 1 in the figure as their primary link and you want VLANs 9 and 10 to use Trunk 2 as their primary link.
To effect this configuration, on Trunk 1, raise the priority of VLANs 3 and 4 from the default of 32 to a lower number, say, 16. Do this by entering the following command on both switches:
Console> (enable) set spantree portvlanpri 1/1 16 3-4
Port 1/1 vlans 1-2, 5-1005 using portpri 32
Port 1/1 vlans 3-4 using portpri 16
Next, on Trunk 2, raise the priority of VLANs 9 and 10 from the default of 32 to 16. Do this by entering the following command on both switches:
Console> (enable) set spantree portvlanpri 1/2 16 9-10
Port 1/2 vlans 1-8, 11-1005 using portpri 32
Port 1/2 vlans 9-10 using portpri 16
The configuration needs to be performed on the switch closest to the spanning-tree root bridge. Because spanning-tree topologies change without warning, it is best to configure both switches with the same configuration, just to be safe.
Now, VLAN traffic from VLANs 3 and 4 will normally travel on the link shown on the left. VLAN traffic from VLANs 9 and 10 will normally travel on the link shown on the right. Should either link fail, the traffic that normally travels on that link will travel on the other link instead.
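The load-sharing procedure above, as an added example (not code from the tutorial): a Python model of the per-VLAN port priorities on the two parallel trunks that reproduces the command's echo lines and works out which trunk forwards each VLAN, including the case where one trunk fails. The selection rule (lower port priority wins, lower port number breaks ties, a down trunk is skipped) and the 0-63 priority range are assumptions about standard STP behaviour, not statements from the text.

```python
"""Per-VLAN port priority on two parallel trunks (set spantree portvlanpri).
Added example, not code from the tutorial: reproduces the command's echo lines
from the load-sharing section and works out, for each VLAN, which trunk forwards
and which blocks. Assumed rule (standard STP): for a VLAN, the port with the lower
port priority is preferred, ties going to the lower port number; a trunk that is
down is skipped, which is the failover case described in the text.
"""
from __future__ import annotations

DEFAULT_PORTPRI = 32
VLAN_RANGE = range(1, 1006)          # VLANs 1-1005, as in the echo lines

def parse_vlan_list(spec: str) -> set[int]:
    """'3-4' or '1-2, 5-1005' -> set of VLAN ids"""
    out: set[int] = set()
    for part in spec.replace(" ", "").split(","):
        lo, _, hi = part.partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out

def format_vlan_list(vlans) -> str:
    """set of ids -> '1-2, 5-1005', the form the switch prints"""
    ids, chunks, i = sorted(vlans), [], 0
    while i < len(ids):
        j = i
        while j + 1 < len(ids) and ids[j + 1] == ids[j] + 1:
            j += 1
        chunks.append(str(ids[i]) if i == j else f"{ids[i]}-{ids[j]}")
        i = j + 1
    return ", ".join(chunks)

class Switch:
    def __init__(self, *trunk_ports: str):
        # port -> {vlan -> port priority}; everything starts at the default of 32
        self.portpri = {p: {v: DEFAULT_PORTPRI for v in VLAN_RANGE} for p in trunk_ports}

    def set_spantree_portvlanpri(self, port: str, priority: int, vlans: str) -> list[str]:
        """Apply the command; return the lines the switch echoes (one per priority)."""
        if not 0 <= priority <= 63:
            raise ValueError("port priority must be 0-63")
        table = self.portpri[port]
        for v in parse_vlan_list(vlans):
            table[v] = priority
        by_pri: dict[int, set[int]] = {}
        for v, p in table.items():
            by_pri.setdefault(p, set()).add(v)
        return [f"Port {port} vlans {format_vlan_list(vs)} using portpri {p}"
                for p, vs in sorted(by_pri.items(), reverse=True)]

    def forwarding_port(self, vlan: int, down=frozenset()) -> str | None:
        """Trunk that forwards this VLAN; the other parallel trunk stays blocking."""
        up = [p for p in self.portpri if p not in down]
        if not up:
            return None
        return min(up, key=lambda p: (self.portpri[p][vlan], [int(x) for x in p.split("/")]))

    def load_sharing_plan(self, down=frozenset()) -> dict[str, set[int]]:
        """VLANs forwarded by each trunk that is up."""
        plan: dict[str, set[int]] = {p: set() for p in self.portpri if p not in down}
        for v in VLAN_RANGE:
            port = self.forwarding_port(v, down)
            if port is not None:
                plan[port].add(v)
        return plan

if __name__ == "__main__":
    sw = Switch("1/1", "1/2")
    for line in sw.set_spantree_portvlanpri("1/1", 16, "3-4"):
        print(line)
    for line in sw.set_spantree_portvlanpri("1/2", 16, "9-10"):
        print(line)
    print({p: format_vlan_list(v) for p, v in sw.load_sharing_plan().items()})
```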
CONFIGURATION OF ISL TRUNKS
Any Fast Ethernet port can be configured as a trunk. When a Fast Ethernet port is configured as a trunk, it is in ISL mode. Fast Ethernet ports use a separate instance of Spanning-Tree Protocol on each VLAN being carried across the trunk to detect and break loops. The ISL trunk can be thought of as an extension of the switching backplane.
The ISL frame tagging used by the Catalyst 5000 series of switches is a low-latency mechanism for passing VLAN frames across Fast Ethernet backbones. It is effective between switches, routers, and network interface cards (NICs) used on other nodes, such as servers. It does not burden client stations with stripping the information off the frame because this process is performed by the network device with ISL intelligence.
You can configure any Fast Ethernet port on a Catalyst 5000 series switch to be a trunk port. Trunks carry the traffic of multiple VLANs and allow you to extend VLANs from one Catalyst switch to another. When configured as a trunk port and connected to another Catalyst switch with a crossover cable, the trunk link becomes an ISL trunk. In an earlier module, you learned about the features of ISL.
The synergy advanced interface termination (SAIT) Application Specific Integrated Circuits (ASICs) on the ports configured as ISL trunks encapsulate each frame with a 26-byte ISL header and a 4-byte cyclic redundancy check (CRC) to ensure the accurate transmission of the frame before sending it out the trunk port. The current version of the SAIT ASIC can handle frames up to 24.5 KB, even though today it handles only encapsulated Ethernet and Token Ring frames. Because the ISL technology is implemented in ASICs, the frames are tagged at wire speed.
Because ISL functions at Open System Interconnection (OSI) Layer 2, it is applicable across all Layer 3 protocol types. It is useful for managing broadcasts, maintaining redundant links using the Spanning-Tree Protocol, and adding security by allowing the creation of VLANs.
The following is a list of the configuration and troubleshooting tasks that are normally done when configuring trunks on a Catalyst 5000 series switch:
Configuring the trunk ports and setting the correct options
Configuring trunks to carry traffic from specific VLANs
Configuring the root and secondary root switches in the network
Clearing trunk ports
Clearing the VLAN traffic from specified trunks
You will be using CIM-SE to complete the Configuration Lab at the end of this tutorial. As the skills and knowledge you learn in this tutorial are critical to a successful completion of the Configuration Lab, please complete this tutorial before you start the CIM-SE window.
Though the Catalyst 5000 series switch supports a complete set of switch commands, in the interest of providing a methodical learning experience, the simulator is designed to support only a specified set of these commands in each lab. The audio instructions accompanying the Configuration Lab will explain the commands in more detail. Also, clicking the left arrow in the text box above the CIM-SE window will take you to the text file of the instructions for the exercise.
You will be using the following commands in the Configuration Lab:
set trunk
clear trunk
show trunk
set spantree
show spantree
Use the set trunk command to configure a trunk on Fast Ethernet switching module ports and set the trunk port to one of the modes of operation shown in the command example below. Though there are other trunk parameters that you can set with the set trunk command, the following are the only options you will be configuring in this module.
set trunk <mod_num/port_num> [on|off|desirable|auto|nonegotiate] [vlans]
on: Set the trunk to on to make the port a trunk port and off to make the port a nontrunk port. The on option places the port into a permanent ISL trunking mode. When a port is configured to be a trunk, the range of allowed VLANs on the trunk is 1-1005. VLAN 1 is the default VLAN. This mode is not allowed on IEEE 802.1Q ports. This is the only possible mode for ATM ports.
off: The port converts to a nontrunk port even if the other end of the link does not agree to the change. This is the default mode for FDDI trunks. The off option is not allowed for ATM ports.
desirable: Set the trunk to desirable to make the port a trunk port if the port it is connecting to allows trunking.
auto: Set the trunk to auto to make the port a trunk port if the port to which it is connected becomes set for trunking. When a Catalyst switch port that is configured to auto detects a link bit and it determines that the other end of the link is a trunk port, the Catalyst 5000 series switch automatically converts the port configured to auto into trunking mode. This mode is not allowed on IEEE 802.1Q, FDDI, and ATM ports. However, auto is the default mode for Fast Ethernet ports.
nonegotiate: This option causes the port to become a trunk but prevents the port from sending DISL frames. It is used with ISL and IEEE 802.1Q Fast Ethernet trunks.
The vlan option is used to specify the VLAN traffic to be carried on the trunk. This option is explained later in this section.
The trunk port reverts to a nontrunk port if the link goes down. For trunking to take effect on Fast Ethernet ports, the ports must be in the same Virtual Trunk Protocol (VTP) domain. You can use the on mode, however, to force a port to become a trunk, even if it is in a different domain.
Dynamic Inter-switch Link Protocol (DISL) is a Point-to-Point Protocol (PPP) used to negotiate Fast Ethernet ISL trunks. However, some internetworking devices may improperly forward DISL frames. You can avoid this problem by ensuring that trunking is turned off on ports connected to non-Catalyst 5000 series devices if you do not intend to trunk across those links.
When enabling trunking on a link to a Cisco router, enter the nonegotiate keyword to cause the port to become a trunk but not generate DISL frames. The nonegotiate keyword is available in Catalyst 5000 series software Release 2.4(3) and later.
Viewing Trunk Configuration
The show trunk command displays the trunk configuration in the switch. You can use this command to verify the configuration changes you make in the switch. The output displays the active trunk ports, the VLANs carried on each trunk, the VLAN advertisement received on each trunk, etc.
Clearing Trunk Ports
To return a trunk to its default trunk type and mode, enter the clear trunk mod_num/port_num command. You cannot change the set of VLANs allowed on the route switch module (RSM) port. If you enter the set trunk command on a Token Ring port, you receive a message indicating that the port is "not a trunk-capable port."
When you first configure a port as a trunk, the set trunk command always adds all VLANs to the allowed VLAN list for the trunk, even if you specify a VLAN range (the specified VLAN range is ignored). To remove VLANs from the allowed list, enter the clear trunk mod_num/port_num vlan_range command.
Specifying VLAN Traffic Supported on Trunks
You can specify a switch to be the root or primary switch to handle the traffic for specific VLANs and be the secondary root switch to handle traffic for some specified VLANs. This scenario allows you to load balance the VLAN traffic on trunks that connect these switches.
The following network diagram shows the configuration changes that you will make in the Configuration Lab:
The Catalyst 1 switch is the root for handling traffic for VLANs 1, 7, and 9 between the Catalyst 5500 and the Catalyst 3200 and 2820 switches. The Catalyst 1 switch is also the secondary root switch for handling traffic from VLANs 8 and 10. The reverse is true for the Catalyst 2 switch. If the Catalyst 1 switch fails for some reason, the Catalyst 2 switch will handle the VLAN traffic for which the Catalyst 2 switch is the secondary.
To modify the VLAN traffic that could be carried by a trunk, you can use the set trunk mod_num/port_num vlan_range command.
Configuring Root and Secondary Root Switches
The set spantree root command reduces the bridge priority (the value associated with the switch) from the default (32,768) to a significantly lower value, allowing the switch to become the root switch. The set spantree root command is used to set the primary or secondary root for specific VLANs or for all VLANs of the switch.
When a switch is selected to become the primary root, the default bridge priority is modified so that it becomes the root for the specified VLANs. The bridge priority is first set to 8192. If this does not result in the switch becoming a root, the bridge priority is then modified to be 100 less than that of the current root switch. Since different VLANs could potentially have different root switches, the bridge VLAN priority chosen is one that will make this switch the root for all the VLANs specified.
Use the set spantree root secondary command to configure a switch as the secondary root switch. This command reduces the bridge priority to 16,384, making it the probable candidate to become the root switch if the primary root switch fails. You can run this command on more than one switch to create multiple backup switches in case the primary root switch fails.
In this module, you will learn to configure one of the Catalyst switches as the root for certain VLANs and as the secondary for certain other VLANs using the set spantree root [secondary] [vlan_list] command.
The show spantree command is used to display the spanning-tree information for a VLAN.
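The priority rule just described, as an added example (not code from the tutorial): a Python function that picks the bridge priority set spantree root would settle on across several VLANs, plus the secondary case. The per-VLAN topology and the bridge MAC strings are constructed; the tie-break on lowest MAC is standard STP and is an assumption, not a statement from the text.

```python
"""Bridge priority chosen by 'set spantree root' and 'set spantree root secondary'.
Added example, not code from the tutorial: it applies the rule the text gives
(try 8192; if that does not win a VLAN, go 100 below that VLAN's current root;
keep one value that wins on every VLAN listed; secondary uses 16,384). Bridge
IDs are constructed MAC strings; lowest priority wins and lowest MAC breaks ties.
"""
DEFAULT_PRIORITY = 32768
ROOT_PRIORITY = 8192
SECONDARY_PRIORITY = 16384

def root_of(bridges: dict) -> str:
    """Root bridge of one VLAN from {bridge_mac: priority}."""
    return min(bridges, key=lambda mac: (bridges[mac], mac))

def set_spantree_root(topo: dict, switch: str, vlans, secondary: bool = False) -> int:
    """Apply the command for `switch` on the listed VLANs of `topo`
    ({vlan: {bridge_mac: priority}}) and return the priority it settled on."""
    if secondary:
        pri = SECONDARY_PRIORITY
    else:
        pri = ROOT_PRIORITY
        for v in vlans:
            others = {m: p for m, p in topo.get(v, {}).items() if m != switch}
            if others and root_of({**others, switch: pri}) != switch:
                # 8192 is not enough on this VLAN: undercut its current root by 100
                pri = min(pri, others[root_of(others)] - 100)
    if pri < 0:
        raise ValueError("cannot undercut the current root with a valid priority")
    for v in vlans:
        topo.setdefault(v, {})[switch] = pri
    return pri

def new_vlan(*macs: str) -> dict:
    """Constructed VLAN in which every bridge still has the default priority."""
    return {mac: DEFAULT_PRIORITY for mac in macs}

if __name__ == "__main__":
    topo = {3: new_vlan("0000.0c00.0001", "0000.0c00.0002"),
            9: {"0000.0c00.0001": 4096, "0000.0c00.0002": DEFAULT_PRIORITY}}
    print(set_spantree_root(topo, "0000.0c00.0002", [3, 9]))   # 3996
    print(set_spantree_root(topo, "0000.0c00.0001", [3], secondary=True))
    print({v: root_of(b) for v, b in topo.items()})
```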
CONFIGURING ROUTE SWITCH MODULE (RSM IN CAT5000)
In a previous module, you learned about the operation and benefits of Virtual LANs (VLANs). In this module, you will learn about the operation of the route switch module (RSM) on a Catalyst 5000 series switch and how to configure the RSM for inter-VLAN IP routing. You will also learn about the Hot Standby Router Protocol (HSRP), which provides fault tolerance and enhanced routing performance for IP networks.
In the Configuration Lab, you will use the Cisco Interactive Mentor simulation environment (CIM-SE) to configure an Inter-Switch Link (ISL) trunk between the Catalyst 5500 switch and a Cisco 4500 router for inter-VLAN IP routing. Then you will disconnect the ISL trunk between the Catalyst switch and the Cisco 4500 router and configure the RSM for inter-VLAN communication and for HSRP.
Upon completion of the module, you will be able to:
Describe the purpose and use of the RSM.
Describe the operation of an RSM.
Establish a session to the RSM from the switch console.
Configure the RSM for inter-VLAN IP routing.
Configure HSRP on the RSM.
In a previous module, you learned about the operation and benefits of Virtual LANs (VLANs). By definition, VLANs perform traffic separation within a shared network environment. We have already learned that ports in a VLAN share broadcast traffic and that the broadcast traffic in one VLAN is not transmitted outside that VLAN. Communication between VLANs is achieved through routing for routable protocols such as IP, IPX, and AppleTalk. The RSM on a Catalyst switch provides multiprotocol layer-3 routing functionality for inter-VLAN communication.
OVERVIEW OF RSM
The Cisco Catalyst 5000 series route switch module (RSM) is a router module running normal Cisco IOS router software that plugs directly into the Catalyst 5000 series switch backplane. The RSM builds upon the Route/Switch Processor (RSP) featured in Cisco's multiprotocol routing platform, the Cisco 7500.
The RSM is used for inter-VLAN communication for VLANs configured on the Catalyst switch without the need for external routers for each VLAN segment on the switch or an ISL trunk between the switch and an external router. The RSM provides high-performance Layer 3 switching between switched VLANs, emulated LANs (ELANs) within an ATM fabric or across mixed media via an optional Versatile Interface Processor (VIP) and port adapters.
The protocols supported on the RSM include IP, Internetwork Packet Exchange (IPX), AppleTalk, DECnet, Banyan VINES, Xerox Network Systems (XNS), and IBM Systems Network Architecture (SNA). The RSM also supports industry-standard routing protocols, such as Routing Information Protocol (RIP), Open Shortest Path First (OSPF), and Border Gateway Protocol (BGP). As a value-add to existing Cisco router customers, the RSM supports Interior Gateway Routing Protocol (IGRP), Enhanced IGRP (EIGRP), and the HSRP.
From the perspective of the Catalyst 5000 series switch, the RSM appears as a module with a single trunked port and one Media Access Control (MAC) address.
The RSM works only with the Supervisor Engine II or III on a Catalyst switch. The following software versions are recommended for the operation of the RSM module on a Catalyst switch:
Catalyst 5000 series Supervisor Engine software Version 2.3(1) or later
Cisco IOS Version 11.2(13)P or later
The Catalyst 5500 switch has 13 slots. Slot 1 is reserved for the Supervisor Engine module. If a redundant Supervisor Engine module is used, it would go in slot 2; otherwise, slot 2 can be used for other modules. Slot 13 is a dedicated slot, reserved for the ATM Switch Processor (ASP) module. The RSM can be installed in any of the remaining slots.
Early versions of the RSM do have slot restrictions when the RSM is used with the optional Catalyst Versatile Interface Processor 2 (VIP2) module. When upgrading the RSM with a hardware revision of 2.0 or earlier with the Catalyst VIP2, the RSM must be installed in slots 3 through 8, and the slot immediately above it should be left empty.
There are no slot dependencies for the RSM/VIP2 in the Catalyst 5000 or Catalyst 5505.
The RSM interface to the Catalyst switch is through the backplane via two Cisco SAGE Application Specific Integrated Circuits (ASICs), SAGE 0 and SAGE 1. The RSM has two direct memory access (DMA) channels that transfer packet data between the Catalyst 5000 series switch backplane and the network's VLANs. Each channel is associated with a single SAGE ASIC. SAGE 0 corresponds to DMA CHANNEL 0 and SAGE 1 to CHANNEL 1. A VLAN can be mapped to a specific channel to balance the load of each channel.
The RSM supports inter-VLAN routing for up to 256 VLANs.
VLAN 0 is mapped to CHANNEL 0. VLAN 0, which is used for communication between the RSM and the Catalyst switch, is not accessible to the user.
VLAN 1 is the standard Catalyst switch default VLAN. VLAN 1 is mapped to CHANNEL 1.
Additional VLANs are toggled between the two channels as they are created. For example, VLAN 2 is mapped to CHANNEL 0 if created after VLAN 1. A VLAN can be mapped to a specific channel to balance the load of each channel. The show controller c5ip command displays the DMA channel assignment for VLANs.
For configured VLANs (other than VLANs 0 and 1), the VLAN number on the switch is used as the VLAN interface number which is used to create the routing interface on the RSM. From the perspective of the RSM, the VLAN interface number has the following two meanings:
VLAN number used by the Catalyst switch
Interface number that the routing code uses for routing
Each VLAN that the RSM is routing appears as a separate virtual interface. Therefore, the configuration file of the RSM has an interface description for each VLAN. The most common configuration is one subnet per VLAN interface; in other words, the subnet address is the primary IP address for the interface. Secondary addressing can be used on a VLAN interface as on any other router interface.
The MAC addresses available to the RSM are assigned as follows:
VLAN 0 (CHANNEL 0) is assigned the MAC address of a programmable read-only memory (PROM) on the RSM line communication processor (LCP). This MAC address is used for diagnostics and identification of the RSM physical slot. VLAN 0 is not accessible to the user.
VLAN 1 and additional VLANs are assigned the base MAC address from a MAC address PROM on the RSM that contains 512 MAC addresses. All routing interfaces (except VLAN 0) use the base MAC address. You can override this and use one of the other block addresses by using the interface mac-address configuration command. The other block addresses are determined as follows: base MAC address + 1, base MAC address + 2, and so on. Note that there is normally no need to override the default MAC address.
You can use the session mod_num command (mod_num is the RSM slot number) to access the RSM from the switch, eliminating the need to connect a terminal directly to the RSM console port. In some of the lab configuration procedures, you use both Catalyst switch-specific commands and router-specific commands. Some command names are identical within each command group (for example, show interface).
This exercise uses the following convention to distinguish between commands: If the command is to be entered from the Catalyst 1 switch session, you are instructed to enter it at the Cat1> prompt. If the command is to be entered from the router session, you are instructed to enter it at the RSM1> prompt. To exit from the router back to the switch, enter exit at the RSM1> prompt.
HOT STANDBY ROUTING PROTOCOL (HSRP)
The RSM supports the HSRP, which provides high network availability by routing IP traffic from hosts without relying on the availability of any single router. HSRP allows a Cisco IOS router to monitor the operational status of other routers and very quickly assume packet forwarding responsibility in the event the current forwarding device in the HSRP group fails or is taken down for maintenance.
The standby mechanism remains transparent to the attached hosts and can be deployed on any LAN type. This feature is useful for hosts that do not support a router discovery protocol and do not have the functionality to switch to a new router when their selected router reloads or loses power. Because existing Transmission Control Protocol (TCP) sessions can survive the failover, this protocol also provides a more transparent means of recovery for hosts that dynamically select a next hop for routing IP traffic. With multiple hot-standby groups, routers can simultaneously provide redundant backup and perform load sharing across different IP subnets.
Using HSRP, two RSMs can load share across multiple VLANs or ATM-based ELANs, and in the event of a failure of one RSM, the remaining RSM takes on the load without any end-station session loss.
HSRP allows two or more HSRP-configured routers to use the MAC address and IP network address of a virtual router. The virtual router does not physically exist; instead, it represents the common target for routers that are configured to provide backup to each other. Each actual router is configured with the MAC address and the IP network address of the virtual router. One of these devices is selected by the protocol to be the active router. The active router receives and routes packets destined for the group's MAC address.
HSRP detects when the designated active router fails, at which point a selected standby router assumes control of the hot-standby group's MAC and IP addresses. A new standby router is also selected at that time.
Devices that are running HSRP send and receive multicast User Datagram Protocol (UDP)-based hello packets to detect router failure and to designate active and standby routers. When HSRP is configured on an interface, Internet Control Message Protocol (ICMP) Redirect messages are disabled by default for the interface.
You can configure multiple hot-standby groups on an interface, thereby making more full use of the redundant routers. To do so, specify a group number for each hot-standby command you configure for the interface.
Example of a Network Configured for HSRP
All hosts on the network 1.0.0.0 are configured to use the IP address of the virtual router (in this case, 1.0.0.3) as the default gateway. Router A is the active router and Router B is the standby router for HSRP for network 1.0.0.0.
CONFIGURING IP ROUTING FOR RSM AND HSRP
VLANs are created at the switch level using the set vlan command to group ports into virtual LANs. VLANs are controlled at the router level using the interface command. Note that you must have at least one active switch port in a VLAN before you can configure a virtual interface on the RSM for that VLAN.
A list of the configuration tasks that are done on the RSM follows:
Associate a virtual routing interface (VLAN interface) with a Catalyst switch VLAN.
Assign an IP address to a VLAN.
Enable a routing protocol for IP and associate networks with the routing protocol.
Configure HSRP for fault-tolerant routing. (This step is optional.)
The virtual routing interface has no external attributes, such as media type or speed. It is always displayed as a virtual Ethernet interface, regardless of the media type of the ports in the VLAN on the switch associated with that routing interface.
When you are troubleshooting, if the VLAN interface on the RSM shows the status as "line protocol down," make sure that there is at least one active port in that VLAN on the switch.
The standby ip interface configuration command enables HSRP and establishes the IP address of the virtual router. The configurations of both routers include this command so that both routers share the same virtual IP address. The default hot-standby group is 0. In the Configuration Lab, 1 is used as the hot-standby group number.
The standby preempt interface configuration command allows the router to become the active router when its priority is higher than all other HSRP-configured routers in this hot-standby group. The configurations of both routers include this command so that each router can be the standby router for the other router. Note that if you do not use the standby preempt command in the configuration for a router, that router cannot become the active router for HSRP.
The standby priority interface configuration command sets the HSRP priority of the router; this priority status is used in choosing the active router. The router with the higher priority becomes the active router. The default HSRP priority is 100.
Though HSRP can be configured to do load sharing, the HSRP configuration in this module provides redundancy.
You will use CIM-SE to complete the Configuration Lab at the end of this tutorial. Because the skills and knowledge you learn in this tutorial are critical to a successful completion of the lab, please complete this tutorial before you start the simulator.
Though the Catalyst 5500 switch supports a complete set of switch commands, in the interest of providing a methodical learning experience, the simulator is designed to support only a specified set of these commands in each lab. The audio files accompanying the Configuration Lab will explain the commands in more detail. Also, clicking on the left arrow in the text box above the CIM-SE window will take you to the text file of the instructions for the Configuration Lab.
You will be using the following new configuration commands in the lab:
On the Catalyst 5500 switch:
session
On the RSM:
config terminal
hostname
ip address
no shutdown
router rip
standby ip
standby preempt
standby priority
copy running-config startup-config
The following commands will be used for troubleshooting:
show ip route
show interface
show running-config
show standby