Wednesday, 31 May 2017

CISCO - VLAN TRUNKS WITH IEEE 802.1Q


FIRST UNDERSTAND IEEE 802 STANDARD



When we talk about Local Area Network (LAN) technology, the IEEE 802 standard is often mentioned. This standard defines the networking connections for the interface card and the physical connections, describing how they are made. The 802 standards were published by the Institute of Electrical and Electronics Engineers (IEEE). The 802.3 standard is called Ethernet, but the IEEE standards do not define exactly the original Ethernet standard that is common today, and this causes a great deal of confusion. There are several types of common Ethernet frames, and many network cards support more than one type.

The Ethernet standard data encapsulation method is defined by RFC 894. RFC 1042 defines the IP-to-link-layer data encapsulation for networks using the IEEE 802 standards.

The 802 standards define the two lowest layers of the seven-layer network model and primarily deal with the control of access to the network media. The network media is the physical means of carrying the data, such as network cable. The control of access to the media is called Media Access Control (MAC).


CISCO ROUTERS SUPPORT TWO MAIN TRUNKING PROTOCOLS



This article describes the required and optional tasks for configuring routing between VLANs with IEEE 802.1Q encapsulation.

IEEE 802 Local Area Networks (LANs) of all types may be connected together with Media Access Control (MAC) bridges, as specified in ISO/IEC 15802-3. This standard defines the operation of Virtual LAN (VLAN) bridges that permit the definition, operation and administration of virtual LAN topologies within a bridged LAN infrastructure.

The configuration for 802.1Q trunks is almost identical to the ISL configuration we discussed in. Please refer to that recipe for a more detailed discussion of trunking in general.

The most important difference between ISL and 802.1Q trunks is that 802.1Q is an IEEE open standard. If all of your switches and routers were manufactured by Cisco, you can easily use ISL without fear of conflict.

However, if you ever need to connect a trunk link to a piece of equipment from a different vendor, you may find that 802.1Q is the only option.

Further, many organizations prefer to use open standard protocols as a matter of policy, even if all of their equipment happens to come from the same vendor.

One of the important but subtle differences between ISL and 802.1Q is the number of VLANs supported. ISL supports VLAN ID numbers 1 through 1000, while 802.1Q allows values from 1 through 4095.

While it is unlikely that you will ever run out of VLAN numbers with either scheme, some early IOS versions, and many early switch versions, implemented 802.1Q as if it were ISL under the covers.

The result is that some older devices may only support 802.1Q VLAN ID numbers between 1 and 1000, so you may find that you are not able to use any of the higher range of values. This limitation does not exist on newer versions of Cisco equipment, but we recommend being careful to avoid interoperability problems.


IEEE 802.1Q



IEEE 802.1Q:


The IEEE 802.1Q protocol is used to interconnect multiple switches and routers, and to define VLAN topologies. The IEEE 802.1Q standard is extremely restrictive towards untagged frames: it provides only a per-port VLAN solution for them.

IEEE 802.1Q is the networking standard that supports Virtual LANs (VLANs) on an Ethernet network. The IEEE 802.1Q specification establishes a standard method for tagging Ethernet frames with VLAN membership information.

The IEEE 802.1Q standard defines the operation of VLAN bridges that permit the definition, operation and administration of virtual LAN topologies within a bridged LAN infrastructure. The 802.1Q standard is intended to address the problem of how to break large networks into smaller parts so that broadcast and multicast traffic does not consume more bandwidth than necessary.

The standard defines a system of VLAN tagging for Ethernet frames and the accompanying procedures to be used by bridges and switches in handling such frames. The standard also contains provisions for a quality of service prioritization scheme commonly known as IEEE 802.1p, and defines the Generic Attribute Registration Protocol.

For example, assigning untagged frames to VLANs takes into consideration only the port from which they have been received. Each port has a parameter called a permanent virtual identification (native VLAN) that specifies the VLAN assigned to receive untagged frames.

THE MAIN CHARACTERISTICS OF IEEE 802.1Q ARE AS FOLLOWS:


• Assigns frames to VLANs by filtering.

• The standard assumes the presence of a single spanning tree and of an explicit tagging scheme with one-level tagging.

FRAME TAGGING IN IEEE 802.1Q:


Portions of the network which are VLAN-aware (i.e., IEEE 802.1Q conformant) can include VLAN tags. Traffic on a VLAN-unaware (i.e., IEEE 802.1D conformant) portion of the network will not contain VLAN tags. When a frame enters the VLAN-aware portion of the network, a tag is added to represent the VLAN membership of the frame's port or the port/protocol combination, depending on whether port-based or port-and-protocol-based VLAN classification is being used.

Each frame must be distinguishable as being within exactly one VLAN. A frame in the VLAN-aware portion of the network that does not contain a VLAN tag is assumed to be flowing on the native (or default) VLAN.

The key to IEEE 802.1Q performing the above functions is its tags. 802.1Q-compliant switch ports can be configured to transmit tagged or untagged frames. A tag field containing VLAN (and/or 802.1p priority) information can be inserted into an Ethernet frame. If a port has an 802.1Q-compliant device attached (such as another switch), these tagged frames can carry VLAN membership information between switches, thus letting a VLAN span multiple switches. However, it is important to ensure that ports with non-802.1Q-compliant devices attached are configured to transmit untagged frames.

The IEEE 802.1Q standard also helps provide a higher level of security between segments of internal networks.


IEEE 802 STANDARD CONFIGURATION TASK



IEEE 802.1Q ENCAPSULATION VLANS CONFIGURATION TASK LIST:


You can configure routing between any number of VLANs in your network.

This section documents the configuration tasks for each protocol supported with IEEE 802.1Q encapsulation. The basic process is the same, regardless of the protocol being routed.

It involves the following tasks:

• Enabling the protocol on the router

• Enabling the protocol on the interface

• Defining the encapsulation format as IEEE 802.1Q

• Customizing the protocol according to the requirements of your environment

CONFIGURING IP ROUTING OVER IEEE 802.1Q:


IP routing over IEEE 802.1Q extends IP routing capabilities to include support for routing IP frame types in VLAN configurations using the IEEE 802.1Q encapsulation.

To route IP over IEEE 802.1Q between VLANs, you need to customize the subinterface to create the environment in which it will be used. Perform these tasks in the order in which they appear:

• Enabling IP routing

• Defining the VLAN encapsulation format

• Assigning an IP address to the network interface

DEFINING THE VLAN ENCAPSULATION FORMAT:


Step 1:

Router(config)# interface fastethernet slot/port.subinterface-number -> Specifies the subinterface the VLAN will use (entered from global configuration mode; the prompt then changes to config-subif).

Step 2:

Router(config-subif)# encapsulation dot1q vlan-identifier -> Defines the encapsulation format as IEEE 802.1Q (dot1q) and specifies the VLAN identifier.

DEFINING THE IP ADDRESS:

Router(config-subif)# ip address ip-address mask [secondary] -> Specifies the IP address for the subnet on which IEEE 802.1Q will be used.

MONITORING:

Router# show vlans -> Displays VLAN subinterfaces.


IEEE 802.1Q CONFIGURATION EXAMPLE



TO CONNECT AN 802.1Q TRUNK TO YOUR ROUTER, USE THE FOLLOWING SET OF COMMANDS:


Router2#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.

Router2(config)#interface fastethernet1/0
Router2(config-if)#no ip address
Router2(config-if)#speed 100
Router2(config-if)#full-duplex
Router2(config-if)#exit

Router2(config)#interface fastethernet1/0.1
Router2(config-subif)#encapsulation dot1q 1 native
Router2(config-subif)#ip address 172.25.1.47 255.255.255.0
Router2(config-subif)#exit

Router2(config)#interface fastethernet1/0.2
Router2(config-subif)#encapsulation dot1q 2
Router2(config-subif)#ip address 172.25.22.4 255.255.255.0
Router2(config-subif)#exit

Router2(config)#interface fastethernet1/0.3
Router2(config-subif)#encapsulation dot1q 548
Router2(config-subif)#ip address 172.20.1.1 255.255.255.0
Router2(config-subif)#exit
Router2(config)#end
Router2#

Note: To support 802.1Q features, your router must have an IOS level of at least 12.0(5)T, with the IP Plus feature set.

Discussion:

You configure 802.1Q by creating subinterfaces and using the encapsulation command with the dot1q keyword to assign the subinterface to a particular VLAN:

Router2(config)#interface fastethernet1/0.2
Router2(config-subif)#encapsulation dot1q 2
Router2(config-subif)#ip address 172.25.22.4 255.255.255.0

The number after the dot1q keyword is the VLAN number that you wish to associate with this subinterface.

The only tricky part of configuring 802.1Q is defining the native VLAN, and this often causes problems for network administrators. The native VLAN is the master VLAN assigned to the interface, and it must match the native VLAN configured on the switch. The native VLAN is the only VLAN whose frames do not carry an 802.1Q VLAN tag in their Layer 2 frame headers. So if you connect two devices through an 802.1Q trunk and they do not agree on which VLAN is native, you will effectively merge the two native VLANs together, which is almost certainly not what you want.

In our example, VLAN 1 is the native VLAN, which we define using the native keyword, as follows:

Router2(config)#interface fastethernet1/0.1
Router2(config-subif)#encapsulation dot1q 1 native

The default native VLAN on many switches is VLAN number 1, but you can easily configure a different native VLAN.

For example, we could use the following set of commands to reconfigure VLAN number 2 as the native VLAN:

Router2(config)#interface fastethernet1/0.1
Router2(config-subif)#encapsulation dot1q 1
Router2(config-subif)#exit

Router2(config)#interface fastethernet1/0.2
Router2(config-subif)#encapsulation dot1q 2 native
Router2(config-subif)#exit

It is important to remember that there can only be one native VLAN at a time, and that whatever you configure on the router must match what is configured on the switch. It is not safe to simply assume that VLAN number 1 will always be the native VLAN.
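As an added illustration (not part of the original article), the Python below builds and classifies 802.1Q frames the way the frame tagging section and the native VLAN discussion above describe: a tagged frame names its VLAN in the tag, an untagged frame is assigned the receiving port's native VLAN, so two trunk ends that disagree on the native VLAN silently merge two VLANs. The TPID value 0x8100 and the tag layout come from the standard rather than from the article, and the MAC addresses are constructed sample values.

```python
import struct

# 0x8100 is the EtherType that introduces an 802.1Q tag (standard constant, not from the article).
TPID_8021Q = 0x8100

# Constructed sample addresses: the router MAC quoted in the show interface output and a made-up peer.
ROUTER_MAC = bytes.fromhex("00e01e845131")
PEER_MAC = bytes.fromhex("0200c0a80002")


def build_frame(dst, src, vid=None, pcp=0, ethertype=0x0800, payload=b""):
    """Build a minimal Ethernet II frame. When vid is given, a 4-byte 802.1Q tag
    (TPID + 3-bit priority, 1-bit DEI, 12-bit VLAN ID) is inserted after the addresses."""
    frame = dst + src
    if vid is not None:
        if not 1 <= vid <= 4095:
            raise ValueError("VLAN ID must fit the 12-bit range 1-4095")
        tci = (pcp & 0x7) << 13 | (vid & 0x0FFF)
        frame += struct.pack("!HH", TPID_8021Q, tci)
    return frame + struct.pack("!H", ethertype) + payload


def classify(frame, port_native_vlan):
    """Classify a received frame as a port-based 802.1Q bridge does.
    Returns (vlan_id, priority, tagged): a tagged frame names its own VLAN,
    an untagged frame is assigned the receiving port's native VLAN."""
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype == TPID_8021Q:
        (tci,) = struct.unpack_from("!H", frame, 14)
        return tci & 0x0FFF, tci >> 13, True
    return port_native_vlan, 0, False


def native_mismatch(router_native, switch_native):
    """Send one untagged frame from the router across the trunk and report which VLAN
    the switch places it in. Returns (origin_vlan, vlan_at_switch, merged)."""
    untagged = build_frame(PEER_MAC, ROUTER_MAC)  # native-VLAN traffic leaves the router untagged
    vlan_at_switch, _, tagged = classify(untagged, switch_native)
    assert not tagged
    return router_native, vlan_at_switch, vlan_at_switch != router_native


if __name__ == "__main__":
    print(classify(build_frame(PEER_MAC, ROUTER_MAC, vid=548), 1))  # (548, 0, True)
    print(native_mismatch(1, 1))  # (1, 1, False): both ends agree
    print(native_mismatch(1, 2))  # (1, 2, True): router VLAN 1 traffic lands in switch VLAN 2
```

The mismatch case is exactly the "merged native VLANs" failure the text warns about; checking that both ends report the same native VLAN is the quickest way to rule it out.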

You can use the show vlans command to see information about all VLANs configured on your router:

Router2#show vlans
Virtual LAN ID:  1 (IEEE 802.1Q Encapsulation)
   vLAN Trunk Interface:   FastEthernet1/0.1
 This is configured as native Vlan for the following interface(s) :
FastEthernet1/0
   Protocols Configured:   Address:              Received:        Transmitted:
           IP              172.25.1.47                4974             3149
Virtual LAN ID:  2 (IEEE 802.1Q Encapsulation)
   vLAN Trunk Interface:   FastEthernet1/0.2
   Protocols Configured:   Address:              Received:        Transmitted:
           IP              172.25.22.4                 548              617
Virtual LAN ID:  548 (IEEE 802.1Q Encapsulation)
   vLAN Trunk Interface:   FastEthernet1/0.3
   Protocols Configured:   Address:              Received:        Transmitted:
           IP              172.20.1.1                    0              613
Router2#

This command output shows the configured VLANs and identifies which VLAN is defined as native.

To view a specific 802.1Q subinterface, use the show interface command:


Router2#show interface fastethernet1/0.1

FastEthernet1/0.1 is up, line protocol is up
  Hardware is AmdFE, address is 00e0.1e84.5131 (bia 00e0.1e84.5131)
  Internet address is 172.25.1.47/24
  MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation 802.1Q Virtual LAN, Vlan ID  1.
  ARP type: ARPA, ARP Timeout 04:00:00
Router2#



CONCLUSION:


The goal of this article is to give an easy way to understand “CISCO - VLAN TRUNKS WITH 802.1Q”. I hope this article will help every beginner who is going to start Cisco lab practice to do so without any doubts.

Some topics that you might want to pursue on your own that we did not cover in this article are listed here. Thank you and best of luck.

This article was written by: Premakumar Thevathasan. CCNA, CCNP, CCIP, MCSE, MCSA, MCSA - MSG, CIW Security Analyst, CompTIA Certified A+.
