(CCNA) Configuring VLANs – Part One
Learning Outcomes
In this module, you will complete the following exercises:
- Exercise 1 – VLAN Creation and Management
- Exercise 2 – Creating a Voice VLAN
- Exercise 3 – VLAN Trunking Protocol
After completing this lab, you will be able to:
- Perform VLAN Creation and Management
- Secure the Default VLAN
- Create a Voice VLAN
- Know about VTP Configurations
Exam Objectives
The following exam objectives are covered in this lab:
- 2.1 Configure and verify VLANs (normal range) spanning multiple switches
Lab Topology
During your session, you will have access to the following lab configurations.

Depending on the exercises, you may or may not use all of the devices, but they are shown here in the layout to get an overall understanding of the topologies of the lab.
- NYEDGE1 – (Cisco 2911 – Internet Edge Router 1)
- NYEDGE2 – (Cisco 2911 – Internet Edge Router 2)
- NYWAN1 – (Cisco 2911 – WAN Router)
- NYCORE1 – (Cisco 3750v2 – 24PS – Core Switch 1)
- NYCORE2 – (Cisco 3750v2 – 24PS – Core Switch 2)
- NYACCESS1 – (Cisco 2960-24 – Access Switch 1)
- PLABCSCO01 – (Windows Server 2012 R2 – Cisco Tools Server)
Exercise 1 – VLAN Creation and Management
VLANs are an important part of your network design and an indispensable tool for making your network versatile and secure. In this exercise, different VLANs will be created and managed. The default VLAN will also be secured by removing all interfaces from it.
Learning Outcomes
After completing this exercise, you will be able to:
- Perform VLAN Creation and Management
- Secure the Default VLAN
Your Devices
You will be using the following devices in this lab. Please power these on now.
- NYEDGE1 – (Cisco 2911 – Internet Edge Router 1)
- NYWAN1 – (Cisco 2911 – WAN Router)
- NYCORE1 – (Cisco 3750v2 – 24PS – Core Switch 1)
- NYACCESS1 – (Cisco 2960-24 – Access Switch 1)

Task 1 – VLAN Creation and Management
Creating and managing VLANs in the network infrastructure is an essential part of ensuring that the network is secure and functions optimally. In this task, you will learn the fundamentals of VLAN creation and management as well as best practices concerning the default VLAN that will improve security.
Step 1
Connect to the NYCORE1 switch and examine the current VLANs that exist on the switch. Type the following command:
NYCORE1#
show vlan brief
Press Enter.
What you see in the output below is the default VLAN configuration of any Cisco switch.
NYCORE1#show vlan brief
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa1/0/1, Fa1/0/2, Fa1/0/3
Fa1/0/4, Fa1/0/5, Fa1/0/6
Fa1/0/7, Fa1/0/8, Fa1/0/9
Fa1/0/10, Fa1/0/11, Fa1/0/12
Fa1/0/13, Fa1/0/14, Fa1/0/15
Fa1/0/16, Fa1/0/17, Fa1/0/18
Fa1/0/19, Fa1/0/20, Fa1/0/21
Fa1/0/22, Fa1/0/23, Fa1/0/24
Gi1/0/1, Gi1/0/2
1002 fddi-default act/unsup
1003 token-ring-default act/unsup
1004 fddinet-default act/unsup
1005 trnet-default act/unsup
NYCORE1#
From the above output, you will notice the following:
- There are five VLANs configured by default on this switch.
- VLANs 1002 – 1005 are legacy VLANs used for specific types of networks. For the purposes of this lab, you will not use these VLANs.
- VLAN 1 is called the default VLAN and is active. This VLAN cannot be changed or removed.
- You can see that all of the ports on the switch are assigned to VLAN 1.
Step 2
You will now create two new VLANs on the NYCORE1 switch.
These VLANs will have the numbers 10 and 20, and you will assign the names Management and Sales to them respectively.
To do this, type the following commands (press Enter after each command):
NYCORE1#
configure terminal
NYCORE1(config)#
vlan 10
NYCORE1(config-vlan)#
name Management
NYCORE1(config-vlan)#
exit
NYCORE1(config)#
vlan 20
NYCORE1(config-vlan)#
name Sales
NYCORE1(config-vlan)#
exit
NYCORE1(config)#
exit
The output should look like this:
NYCORE1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
NYCORE1(config)#vlan 10
NYCORE1(config-vlan)#name Management
NYCORE1(config-vlan)#exit
NYCORE1(config)#vlan 20
NYCORE1(config-vlan)#name Sales
NYCORE1(config-vlan)#exit
NYCORE1(config)#exit
NYCORE1#
Step 3
Next, verify that these VLANs have been created.
Type in the following command:
NYCORE1#
show vlan brief
Press Enter.
View the VLANs on the switch once more:
NYCORE1#show vlan brief
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa1/0/1, Fa1/0/2, Fa1/0/3
Fa1/0/4, Fa1/0/5, Fa1/0/6
Fa1/0/7, Fa1/0/8, Fa1/0/9
Fa1/0/10, Fa1/0/11, Fa1/0/12
Fa1/0/13, Fa1/0/14, Fa1/0/15
Fa1/0/16, Fa1/0/17, Fa1/0/18
Fa1/0/19, Fa1/0/20, Fa1/0/21
Fa1/0/22, Fa1/0/23, Fa1/0/24
Gi1/0/1, Gi1/0/2
10 Management active
20 Sales active
1002 fddi-default act/unsup
1003 token-ring-default act/unsup
1004 fddinet-default act/unsup
1005 trnet-default act/unsup
NYCORE1#
Both VLANs 10 and 20 have been created, have the proper names, and have a status of active.
Notice that there are no entries in the Ports column for VLANs 10 and 20. This is because you have not yet assigned any interfaces to these VLANs.
Step 4
Now, let’s prepare to assign the new VLANs to specific ports.

Take a look at the lab topology once again and notice that NYCORE1 is directly connected to four devices: NYEDGE1, NYWAN1, NYACCESS1, and NYCORE2.
In this next step, you will configure the NYCORE1 switch so that NYWAN1 and NYEDGE1 are connected to VLAN 10, and NYACCESS1 and NYCORE2 are connected to VLAN 20.
Note: You may notice that NYCORE1 and NYCORE2 have two links between them. For the purpose of this lab, the FastEthernet 1/0/23 port has been shut down, so only FastEthernet 1/0/24 is active.
Review the lab diagram and determine which VLANs will be assigned to which ports. You should come up with the following:
- NYEDGE1 is connected to FastEthernet 1/0/1 and will be assigned to VLAN 10
- NYWAN1 is connected to FastEthernet 1/0/2 and will be assigned to VLAN 10
- NYACCESS1 is connected to FastEthernet 1/0/22 and will be assigned to VLAN 20
- NYCORE2 is connected to FastEthernet 1/0/24 and will be assigned to VLAN 20
Step 5
Before assigning the ports to the new VLANs, you will test connectivity between the devices you will separate.
Currently, NYEDGE1, NYWAN1, NYACCESS1, and NYCORE2 are all on the same subnet and can communicate with each other.
Confirm this by connecting to NYEDGE1 and pinging each device. For reference, the IP addresses of each device can be found below:
- NYEDGE1 – 192.168.16.1
- NYWAN1 – 192.168.16.2
- NYACCESS1 – 192.168.16.6
- NYCORE2 – 192.168.16.7
Type the following command:
NYEDGE1#
ping 192.168.16.2
Press Enter.
You will see the following output:
NYEDGE1#ping 192.168.16.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.16.2, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/1 ms
NYEDGE1#
Ping each of the other devices from NYEDGE1 as follows.
Type the following commands (press Enter after each command):
NYEDGE1#
ping 192.168.16.2
NYEDGE1#
ping 192.168.16.6
NYEDGE1#
ping 192.168.16.7
You will see the following output:
NYEDGE1#ping 192.168.16.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.16.2, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/1 ms
NYEDGE1#ping 192.168.16.6
Type escape sequence to abort.
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/1 ms
NYEDGE1#ping 192.168.16.7
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.16.7, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/1 ms
NYEDGE1#
Connectivity between all devices is achieved.
Step 6
Connect to NYCORE1 and begin to configure the ports, as described in Step 4.
You will begin by explicitly configuring the ports as access ports.
Note: The ports on Cisco switches are set to auto-negotiate their switchport mode to either access or trunk using the Dynamic Trunking Protocol or DTP. According to Cisco, it is always good practice to explicitly configure the switchport mode as access or trunk. You will learn more about this in another module.
You will then assign each port to the appropriate VLAN. Begin by configuring the ports that will be assigned to VLAN 10.
Type the following commands (press Enter after each command):
NYCORE1#
configure terminal
NYCORE1(config)#
interface fastethernet 1/0/1
NYCORE1(config-if)#
switchport mode access
NYCORE1(config-if)#
switchport access vlan 10
NYCORE1(config-if)#
exit
NYCORE1(config)#
interface fastethernet 1/0/2
NYCORE1(config-if)#
switchport mode access
NYCORE1(config-if)#
switchport access vlan 10
NYCORE1(config-if)#
exit
You will see the following output:
NYCORE1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
NYCORE1(config)#interface fastethernet 1/0/1
NYCORE1(config-if)#switchport mode access
NYCORE1(config-if)#switchport access vlan 10
NYCORE1(config-if)#exit
NYCORE1(config)#interface fastethernet 1/0/2
NYCORE1(config-if)#switchport mode access
NYCORE1(config-if)#switchport access vlan 10
NYCORE1(config-if)#exit
NYCORE1(config)#
Note: In this lab, you created the VLAN first and then assigned ports to it. If you attempt to assign a port to a VLAN that does not yet exist, you will get a message similar to the following: % Access VLAN does not exist. Creating vlan XX. The VLAN would then be created successfully.
Step 7
Continue configuring the ports that will be assigned to VLAN 20. Don’t forget to configure the correct switchport mode as well.
Type the following commands (press Enter after each command):
NYCORE1(config)#
interface fastethernet 1/0/22
NYCORE1(config-if)#
switchport access vlan 20
NYCORE1(config-if)#
switchport mode access
NYCORE1(config-if)#
exit
NYCORE1(config)#
interface fastethernet 1/0/24
NYCORE1(config-if)#
switchport mode access
NYCORE1(config-if)#
switchport access vlan 20
NYCORE1(config-if)#
exit
NYCORE1(config)#
exit
You will see the following output:
NYCORE1(config)#interface fastethernet 1/0/22
NYCORE1(config-if)#switchport access vlan 20
NYCORE1(config-if)#switchport mode access
NYCORE1(config-if)#exit
NYCORE1(config)#interface fastethernet 1/0/24
NYCORE1(config-if)#switchport mode access
NYCORE1(config-if)#switchport access vlan 20
NYCORE1(config-if)#exit
NYCORE1(config)#
*Mar 1 00:48:17.500: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to down
NYCORE1(config)#exit
NYCORE1#
You may notice a syslog message that indicates that the interface VLAN 1 changed state to down.
This is because, after the VLAN assignments were changed, the switch no longer has any active interfaces on VLAN 1, so the VLAN interface goes down.
Note: The VLAN 1 interface is what is known as a Switched Virtual Interface or SVI. Switches, by their very nature, are layer 2 devices and thus do not function with IP addresses. However, it is necessary to connect to them and manage them remotely. IP connectivity is achieved via the SVI. A prerequisite for the SVI to be in an up state is that at least one active port must be on the VLAN of the SVI. Otherwise, the SVI goes down. SVIs are used for other purposes as well, and you can use your favorite search engine to research them further.
Step 8
Verify your configuration by viewing the VLANs on the switch once more using the following command:
NYCORE1#
show vlan brief
Press Enter.
You will see the following output:
NYCORE1#show vlan brief
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa1/0/3, Fa1/0/4, Fa1/0/5
Fa1/0/6, Fa1/0/7, Fa1/0/8
Fa1/0/9, Fa1/0/10, Fa1/0/11
Fa1/0/12, Fa1/0/13, Fa1/0/14
Fa1/0/15, Fa1/0/16, Fa1/0/17
Fa1/0/18, Fa1/0/19, Fa1/0/20
Fa1/0/21, Fa1/0/23, Gi1/0/1
Gi1/0/2
10 Management active Fa1/0/1, Fa1/0/2
20 Sales active Fa1/0/22, Fa1/0/24
1002 fddi-default act/unsup
1003 token-ring-default act/unsup
1004 fddinet-default act/unsup
1005 trnet-default act/unsup
NYCORE1#
Notice that the appropriate interfaces are assigned to the appropriate VLANs.
Step 9
Now test connectivity once again between the devices.
Looking at the output of the previous step, devices on interfaces FastEthernet 1/0/1 and 1/0/2 should be able to communicate, as should those on FastEthernet 1/0/22 and 1/0/24.
Any other connectivity should be blocked. Connect to NYEDGE1 first and test this using the appropriate pings.
Type the following commands (press Enter after each command):
NYEDGE1#
ping 192.168.16.2
NYEDGE1#
ping 192.168.16.6
NYEDGE1#
ping 192.168.16.7
You will see the following output:
NYEDGE1#ping 192.168.16.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.16.2, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/1 ms
NYEDGE1#ping 192.168.16.6
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.16.6, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
NYEDGE1#ping 192.168.16.7
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.16.7, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
NYEDGE1#
As expected, connectivity is only available with devices on the same VLAN.
Step 10
Connect to NYACCESS1 and attempt to ping all three of the other devices.
Type the following commands (press Enter after each command):
NYACCESS1#
ping 192.168.16.1
NYACCESS1#
ping 192.168.16.2
NYACCESS1#
ping 192.168.16.7
You will see the following output:
NYACCESS1#ping 192.168.16.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.16.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
NYACCESS1#ping 192.168.16.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.16.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
NYACCESS1#ping 192.168.16.6
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.16.6, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/2/8 ms
NYACCESS1#
The NYACCESS1 switch can communicate only with the NYCORE2 switch, which is on the same VLAN. The above results are as expected, and your results should be similar.
Note: When creating VLANs, it is common practice to have a separate subnet within each VLAN. That is, VLAN 10, for example, would contain the 192.168.16.0/24 subnet, while VLAN 20 would contain the 192.168.17.0/24 subnet. For the purposes of this lab, all the devices were in the same subnet, that is, 192.168.16.0/24, to demonstrate how VLANs segregate a network.
Task 2 – Securing the Default VLAN
The default VLAN or VLAN 1 can be used by an attacker to gain access to otherwise inaccessible areas of your network. This is why it is considered a best practice to remove all interfaces from the default VLAN. In this section, you will perform the necessary steps to achieve this.
Step 1
Note: If you are seeing “NATIVE_VLAN_MISMATCH” messages appear, please run these commands:
NYCORE1#configure terminal
NYCORE1(config)#interface fastethernet 1/0/22
NYCORE1(config-if)#no cdp enable
Then type exit and do the same for interfaces fastethernet 1/0/23 and 1/0/24.
Create a new VLAN on the NYCORE1 switch with an ID of 99 called null that will be assigned to all inactive and unused interfaces.
Type the following commands (press Enter after each command):
NYCORE1#
configure terminal
NYCORE1(config)#
vlan 99
NYCORE1(config-vlan)#
name null
NYCORE1(config-vlan)#
exit
NYCORE1(config)#
exit
The output will look like this:
NYCORE1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
NYCORE1(config)#vlan 99
NYCORE1(config-vlan)#name null
NYCORE1(config-vlan)#exit
NYCORE1(config)#exit
NYCORE1#
Step 2
Determine which interfaces are currently inactive and which VLANs they are assigned to by typing the following command:
NYCORE1#
show interface status
Press Enter.
The output will look like this:
NYCORE1#show interface status
Port Name Status Vlan Duplex Speed Type
Fa1/0/1 connected 10 a-full a-100 10/100BaseTX
Fa1/0/2 connected 10 a-full a-100 10/100BaseTX
Fa1/0/3 notconnect 1 auto auto 10/100BaseTX
Fa1/0/4 notconnect 1 auto auto 10/100BaseTX
Fa1/0/5 notconnect 1 auto auto 10/100BaseTX
Fa1/0/6 notconnect 1 auto auto 10/100BaseTX
Fa1/0/7 notconnect 1 auto auto 10/100BaseTX
Fa1/0/8 notconnect 1 auto auto 10/100BaseTX
Fa1/0/9 notconnect 1 auto auto 10/100BaseTX
Fa1/0/10 notconnect 1 auto auto 10/100BaseTX
Fa1/0/11 notconnect 1 auto auto 10/100BaseTX
Fa1/0/12 notconnect 1 auto auto 10/100BaseTX
Fa1/0/13 notconnect 1 auto auto 10/100BaseTX
Fa1/0/14 notconnect 1 auto auto 10/100BaseTX
Fa1/0/15 notconnect 1 auto auto 10/100BaseTX
Fa1/0/16 notconnect 1 auto auto 10/100BaseTX
Fa1/0/17 notconnect 1 auto auto 10/100BaseTX
Fa1/0/18 notconnect 1 auto auto 10/100BaseTX
Fa1/0/19 notconnect 1 auto auto 10/100BaseTX
Fa1/0/20 notconnect 1 auto auto 10/100BaseTX
Fa1/0/21 notconnect 1 auto auto 10/100BaseTX
Fa1/0/22 connected 20 a-full a-100 10/100BaseTX
Fa1/0/23 notconnect 1 auto auto 10/100BaseTX
Fa1/0/24 connected 20 a-full a-100 10/100BaseTX
Gi1/0/1 notconnect 1 auto auto Not Present
Gi1/0/2 notconnect 1 auto auto Not Present
NYCORE1#
The interfaces that must be changed are FastEthernet 1/0/3 to 1/0/21, 1/0/23 and GigabitEthernet 1/0/1 and 1/0/2.
Step 3
Assign all inactive interfaces to VLAN 99. You can do this using the range keyword to configure multiple interfaces of the same type at the same time.
Type the following commands (press Enter after each command):
NYCORE1#
configure terminal
NYCORE1(config)#
interface range fastethernet 1/0/3 - 21, fastEthernet 1/0/23
NYCORE1(config-if-range)#
switchport access vlan 99
NYCORE1(config-if-range)#
exit
NYCORE1(config)#
interface range gigabitethernet 1/0/1 - 2
NYCORE1(config-if-range)#
switchport access vlan 99
NYCORE1(config-if-range)#
exit
NYCORE1(config)#
exit
You will see the following output:
NYCORE1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
NYCORE1(config)#interface range fastethernet 1/0/3 - 21, fastEthernet 1/0/23
NYCORE1(config-if-range)#switchport access vlan 99
NYCORE1(config-if-range)#exit
NYCORE1(config)#interface range gigabitethernet 1/0/1 - 2
NYCORE1(config-if-range)#switchport access vlan 99
NYCORE1(config-if-range)#exit
NYCORE1(config)#exit
NYCORE1#
Step 4
Next, verify your configuration by viewing the VLANs on the switch by typing the following command:
NYCORE1#
show vlan brief
Press Enter.
You will see the following output:
NYCORE1#show vlan brief
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active
10 Management active Fa1/0/1, Fa1/0/2
20 Sales active Fa1/0/22, Fa1/0/24
99 null active Fa1/0/3, Fa1/0/4, Fa1/0/5
Fa1/0/6, Fa1/0/7, Fa1/0/8
Fa1/0/9, Fa1/0/10, Fa1/0/11
Fa1/0/12, Fa1/0/13, Fa1/0/14
Fa1/0/15, Fa1/0/16, Fa1/0/17
Fa1/0/18, Fa1/0/19, Fa1/0/20
Fa1/0/21, Fa1/0/23, Gi1/0/1
Gi1/0/2
1002 fddi-default act/unsup
1003 token-ring-default act/unsup
1004 fddinet-default act/unsup
1005 trnet-default act/unsup
NYCORE1#
You can see that VLAN 1 no longer has any ports assigned to it. Your output should look similar to the above.
Step 5
Next, you will attempt to deactivate the default VLAN by issuing the following commands (press Enter after each command):
NYCORE1#
configure terminal
NYCORE1(config)#
vlan 1
NYCORE1(config-vlan)#
shutdown
NYCORE1(config-vlan)#
exit
You will see the following output:
NYCORE1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
NYCORE1(config)#vlan 1
NYCORE1(config-vlan)#shutdown
%Command is only allowed on VLAN 2..1001.
NYCORE1(config-vlan)#exit
NYCORE1(config)#
As you can see, it is not possible to shut down VLAN 1. Attempt to delete VLAN 1 and examine the results by typing the command:
NYCORE1(config)#
no vlan 1
Press Enter.
You will see the following output:
NYCORE1(config)#no vlan 1
%Default VLAN 1 may not be deleted.
NYCORE1(config)#
VLAN 1 cannot be deleted either. There is no harm in having VLAN 1 active as long as there are no ports assigned to it.
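The audit and reassignment in Steps 2 and 3 of this task can be scripted. The Python below is an added example, not part of the original lab: it parses show interface status text, lists the unused ports still in VLAN 1, and builds the matching interface range commands. The sample output (including the "spare desk" description) and all function names are constructed for illustration.

```python
import re
from itertools import groupby

# Constructed sample in the column order of "show interface status" (abridged;
# the "spare desk" description is invented to show a non-empty Name column).
SAMPLE_STATUS = """\
NYCORE1#show interface status
Port Name Status Vlan Duplex Speed Type
Fa1/0/1 connected 10 a-full a-100 10/100BaseTX
Fa1/0/2 connected 10 a-full a-100 10/100BaseTX
Fa1/0/3 notconnect 1 auto auto 10/100BaseTX
Fa1/0/4 notconnect 1 auto auto 10/100BaseTX
Fa1/0/5 notconnect 1 auto auto 10/100BaseTX
Fa1/0/6 spare desk notconnect 1 auto auto 10/100BaseTX
Fa1/0/22 connected 20 a-full a-100 10/100BaseTX
Fa1/0/23 notconnect 1 auto auto 10/100BaseTX
Fa1/0/24 connected 20 a-full a-100 10/100BaseTX
Gi1/0/1 notconnect 1 auto auto Not Present
Gi1/0/2 notconnect 1 auto auto Not Present
"""

STATUSES = {"connected", "notconnect", "disabled", "err-disabled", "inactive"}
LONG_NAMES = {"Fa": "fastethernet", "Gi": "gigabitethernet"}
PORT_RE = re.compile(r"^([A-Za-z]+)((?:\d+/)*)(\d+)$")  # e.g. Fa + 1/0/ + 3
MAX_RANGES = 5  # keep each command to a handful of comma-separated ranges


def parse_status(text):
    """Return [(port, status, vlan)] for every port row in the output."""
    rows = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 3 or not PORT_RE.match(tokens[0]):
            continue  # header, prompt or blank line
        # The Name column may be empty or several words long, so locate the
        # Status keyword instead of relying on a fixed column position.
        for i in range(1, len(tokens) - 1):
            if tokens[i] in STATUSES:
                rows.append((tokens[0], tokens[i], tokens[i + 1]))
                break
    return rows


def unused_on_vlan(rows, vlan="1"):
    """Ports that are not in use and still sit in the given VLAN."""
    return [port for port, status, v in rows
            if v == vlan and status in ("notconnect", "disabled")]


def range_commands(ports, vlan):
    """Build interface range commands that move the ports to the given VLAN."""
    parsed = sorted((m[0], m[1], int(m[2]))
                    for m in (PORT_RE.match(p).groups() for p in ports))
    commands = []
    for kind, group in groupby(parsed, key=lambda p: p[0]):
        spans = []  # [path, first, last] for each run of consecutive ports
        for _, path, num in group:
            if spans and spans[-1][0] == path and spans[-1][2] + 1 == num:
                spans[-1][2] = num
            else:
                spans.append([path, num, num])
        name = LONG_NAMES.get(kind, kind)
        parts = [f"{name} {path}{lo}" + (f" - {hi}" if hi != lo else "")
                 for path, lo, hi in spans]
        for i in range(0, len(parts), MAX_RANGES):
            commands.append("interface range " + ", ".join(parts[i:i + MAX_RANGES]))
            commands.append(f" switchport access vlan {vlan}")
    return commands


if __name__ == "__main__":
    unused = unused_on_vlan(parse_status(SAMPLE_STATUS))
    print("\n".join(range_commands(unused, 99)))
```

Running the same parser on the output captured after the change should return an empty list from unused_on_vlan, which is the scripted equivalent of the check in Step 4.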
Exercise 2 – Creating a Voice VLAN
With the advent of what is known as network convergence, networks have been designed to accommodate various types of payloads, including voice.
Voice requires special consideration because of its nature as a payload and because of its sensitivity from both a quality of service and a privacy standpoint. As such, Cisco has developed a special type of VLAN that accommodates the needs of voice.
Modern voice and data networks only require one port per workstation as most phones have a network port into which a computer can be connected. This way, only one network port is necessary to equip a workstation with both a telephone and a computer.
In this exercise, you will configure a voice VLAN and apply it for use with an IP telephone.
Learning Outcomes
After completing this exercise, you will be able to:
- Create a Voice VLAN
Your Devices
You will be using the following devices in this lab. Please power these on now.
- NYCORE2 – (Cisco 3750v2 – 24PS – Core Switch 2)

Task 1 – Create a Voice VLAN
Transmitting voice and data over a single connection while maintaining quality of service and security demands VLAN mechanisms that can accommodate these requirements.
In this task, you will configure a voice VLAN, and you will apply it for use with an IP telephone.
Step 1

Look at the lab topology once more. You will see that on the FastEthernet 1/0/12 interface of the NYCORE2 switch, there is a Cisco IP telephone.
Connect to the NYCORE2 switch and create two new VLANs with IDs 50 and 60, one that will be used for voice and one for data, and name them appropriately.
Type the following commands (press Enter after each command):
NYCORE2#
configure terminal
NYCORE2(config)#
vlan 50
NYCORE2(config-vlan)#
name Voice
NYCORE2(config-vlan)#
exit
NYCORE2(config)#
vlan 60
NYCORE2(config-vlan)#
name Data
NYCORE2(config-vlan)#
exit
NYCORE2(config)#
exit
You will see the following output:
NYCORE2#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
NYCORE2(config)#vlan 50
NYCORE2(config-vlan)#name Voice
NYCORE2(config-vlan)#exit
NYCORE2(config)#vlan 60
NYCORE2(config-vlan)#name Data
NYCORE2(config-vlan)#exit
NYCORE2(config)#exit
NYCORE2#
Note: A voice VLAN does not differ from a regular VLAN in its creation. As you can see here, you are creating both VLANs in the same way. The way the voice VLAN differs is in the method of application to the interface, which you will perform in the following steps.
Step 2
Take a look at the VLANs on the NYCORE2 switch to verify the creation of these VLANs by typing the following command:
NYCORE2#
show vlan brief
Press Enter.
You will see the following output:
NYCORE2#show vlan brief
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa1/0/1, Fa1/0/2, Fa1/0/3
Fa1/0/4, Fa1/0/5, Fa1/0/6
Fa1/0/7, Fa1/0/8, Fa1/0/9
Fa1/0/10, Fa1/0/11, Fa1/0/12
Fa1/0/13, Fa1/0/14, Fa1/0/15
Fa1/0/16, Fa1/0/17, Fa1/0/18
Fa1/0/19, Fa1/0/20, Fa1/0/21
Fa1/0/22, Fa1/0/23, Fa1/0/24
Gi1/0/1, Gi1/0/2
50 Voice active
60 Data active
1002 fddi-default act/unsup
1003 token-ring-default act/unsup
1004 fddinet-default act/unsup
1005 trnet-default act/unsup
NYCORE2#
The VLANs have been created successfully.
Step 3
Next, you will assign these VLANs to the port connected to the IP telephone, that is, port FastEthernet 1/0/12.
First, you will assign the data VLAN as you would to any access port.
Remember to explicitly configure the switchport mode as access as well, as this is considered good practice.
Type the following commands (press Enter after each command):
NYCORE2#
configure terminal
NYCORE2(config)#
interface fastethernet 1/0/12
NYCORE2(config-if)#
switchport mode access
NYCORE2(config-if)#
switchport access vlan 60
You will see the following output:
NYCORE2#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
NYCORE2(config)#interface fastethernet 1/0/12
NYCORE2(config-if)#switchport mode access
NYCORE2(config-if)#switchport access vlan 60
NYCORE2(config-if)#
Step 4
Next, you will configure the port to include a voice VLAN. This allows the port to carry both voice and data traffic on separate VLANs.
This is important because voice has different quality of service, security, and flow control requirements than data. Also, voice conversations should not be accessible from devices other than telephones.
To configure the voice VLAN, type the following commands (press Enter after each command):
NYCORE2(config-if)#
switchport voice vlan 50
NYCORE2(config-if)#
exit
NYCORE2(config)#
exit
You will see the following output:
NYCORE2(config-if)#switchport voice vlan 50
NYCORE2(config-if)#exit
NYCORE2(config)#exit
NYCORE2#
Note: In the past, Cisco has achieved the above configuration using a trunk connection between the telephone and the switch. This way, two VLANs would transmit over the same connection and would be separated at the telephone where the voice information would terminate on the phone, and the data would be sent over the data port to the computer. The above configuration is more streamlined and easier to implement and understand, even though the result is essentially the same thing.
Step 5
To verify your configuration, take a look at the switchport information of FastEthernet 1/0/12 interface with the following command:
NYCORE2#
show interface fastethernet 1/0/12 switchport
Press Enter.
You will see the following output:
NYCORE2#show interface fastethernet 1/0/12 switchport
Name: Fa1/0/12
Switchport: Enabled
Administrative Mode: static access
Operational Mode: static access
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: native
Negotiation of Trunking: Off
Access Mode VLAN: 60 (Data)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: 50 (Voice)
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk associations: none
Administrative private-vlan trunk mappings: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL
Protected: false
Unknown unicast blocked: disabled
Unknown multicast blocked: disabled
Appliance trust: none
NYCORE2#
From the above output, you can confirm that the Access Mode VLAN or the data VLAN is 60 and that the Voice VLAN is 50.
You have successfully configured a voice VLAN for a Cisco IP telephone.
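The verification in Step 5 can be repeated across many ports with a script. The Python below is an added example, not part of the original lab: it parses show interface switchport text and flags ports whose mode is left to DTP negotiation, access ports still in VLAN 1, and phone ports without a separate voice VLAN. The Fa1/0/13 entry and all function names are constructed for illustration.

```python
import re

# The Fa1/0/12 lines are abridged from the lab output above; Fa1/0/13 is a
# constructed port with a negotiated mode, added for comparison.
SAMPLE_SWITCHPORT = """\
Name: Fa1/0/12
Switchport: Enabled
Administrative Mode: static access
Operational Mode: static access
Negotiation of Trunking: Off
Access Mode VLAN: 60 (Data)
Voice VLAN: 50 (Voice)
Name: Fa1/0/13
Switchport: Enabled
Administrative Mode: dynamic auto
Operational Mode: static access
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Voice VLAN: none
"""


def parse_switchport(text):
    """Return {interface: {field: value}} from one or more switchport dumps."""
    ports, current = {}, None
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue  # prompt lines and fields without a colon
        key, value = key.strip(), value.strip()
        if key == "Name":
            current = ports.setdefault(value, {})  # a new interface starts
        elif current is not None:
            current[key] = value
    return ports


def vlan_id(value):
    """Extract the numeric ID from values such as '60 (Data)'; None for 'none'."""
    match = re.match(r"(\d+)", value)
    return int(match.group(1)) if match else None


def audit(text, voice_ports=()):
    """Return {interface: [findings]}; an empty list means the port passes."""
    report = {}
    for name, fields in parse_switchport(text).items():
        findings = []
        admin = fields.get("Administrative Mode", "")
        access = vlan_id(fields.get("Access Mode VLAN", ""))
        voice = vlan_id(fields.get("Voice VLAN", ""))
        if admin.startswith("dynamic"):
            findings.append("mode negotiated by DTP, not set explicitly")
        if admin != "trunk" and access == 1:
            findings.append("access VLAN is the default VLAN 1")
        if name in voice_ports:
            if voice is None:
                findings.append("no voice VLAN configured")
            elif voice == access:
                findings.append("voice and data share one VLAN")
        report[name] = findings
    return report


if __name__ == "__main__":
    result = audit(SAMPLE_SWITCHPORT, voice_ports=("Fa1/0/12", "Fa1/0/13"))
    for port, findings in result.items():
        print(port, "OK" if not findings else "; ".join(findings))
```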
Exercise 3 – VLAN Trunking Protocol
VTP (VLAN Trunking Protocol) is a Cisco proprietary protocol that is configured to maintain consistency of VLAN configurations. It works in a client/server environment. One switch is configured as a server and the other as a client. Only the VTP server switch is allowed to add, modify or delete VLANs. Other switches learn the VLAN information over VTP messages that the server sends.
In this exercise, you will configure a VTP domain. To make a switch send VTP messages, you first need to configure a VTP domain name. For switches to exchange VTP messages, there must be a trunk between them.
Learning Outcomes
After completing this exercise, you will be able to:
- Know about VTP Configurations
Your Devices
You will be using the following devices in this lab. Please power these on now.
- NYCORE1 – (Cisco 3750v2 – 24PS – Core Switch 1)
- NYCORE2 – (Cisco 3750v2 – 24PS – Core Switch 2)
- NYACCESS1 – (Cisco 2960-24 – Access Switch 1)

Task 1 – VTP Configurations
All switches, by default, are in VTP server mode. In this task, you will create a VTP domain on the NYCORE1 switch, which will be a server, and you will configure NYCORE2 and NYACCESS1 as clients. VTP passwords and other configurations are optional.
Step 1
Before configuring VTP, you will first check that you have a working trunk between switches NYCORE1, NYCORE2, and NYACCESS1.
Connect to NYCORE1 and type the following command:
NYCORE1#
show interface trunk
Press Enter.
You will see the following output:
NYCORE1#show interface trunk
NYCORE1#
Now connect to NYCORE2 and type the following command:
NYCORE2#
show interface trunk
Press Enter.
The output will be as follows:
NYCORE2#show interface trunk
NYCORE2#
Next, connect to NYACCESS1 and type the following command:
NYACCESS1#
show interface trunk
Press Enter.
The output will be as follows:
NYACCESS1#show interface trunk
NYACCESS1#
From the above outputs, you can see that there is no working trunk between NYCORE1, NYCORE2 and NYACCESS1 switches.
Step 2
In this step, you will configure a trunk between NYCORE1 and NYCORE2 and another between NYCORE1 and NYACCESS1. The trunk between NYCORE1 and NYCORE2 should be configured on port FastEthernet1/0/24 on both switches. The trunk between NYCORE1 and NYACCESS1 should be configured on ports FastEthernet1/0/22 and FastEthernet1/0/24, respectively.
Ensure you are connected to NYCORE1 and type the following commands (press Enter after each command):
NYCORE1#
configure terminal
NYCORE1(config)#
interface range fastethernet 1/0/22, fastethernet 1/0/24
NYCORE1(config-if-range)#
switchport trunk encapsulation dot1q
NYCORE1(config-if-range)#
switchport mode trunk
NYCORE1(config-if-range)#
exit
NYCORE1(config)#
exit
You will see the following output:
NYCORE1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
NYCORE1(config)#interface range fastEthernet 1/0/22,fastethernet1/0/24
NYCORE1(config-if-range)#switchport trunk encapsulation dot1q
NYCORE1(config-if-range)#switchport mode trunk
NYCORE1(config-if-range)#
*Mar 1 00:23:19.538: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0/22, changed state to down
*Mar 1 00:23:19.563: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0/24, changed state to down
*Mar 1 00:23:22.558: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0/22, changed state to up
*Mar 1 00:23:22.583: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0/24, changed state to up
*Mar 1 00:23:51.574: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to up
NYCORE1(config-if-range)#exit
NYCORE1(config)#exit
NYCORE1#
Notice that you have changed the ports from access ports (VLAN 10 and VLAN 20) to trunk ports, which by default allow all VLANs. VLAN 1 is now up again.
Step 3
Verify the status of the trunk ports by issuing the following command:
NYCORE1#
show interface trunk
Press Enter.
You will see the following output:
NYCORE1#show interface trunk
Port Mode Encapsulation Status Native vlan
Fa1/0/22 on 802.1q trunking 1
Fa1/0/24 on 802.1q trunking 1
Port Vlans allowed on trunk
Fa1/0/22 1-4094
Fa1/0/24 1-4094
Port Vlans allowed and active in management domain
Fa1/0/22 1,10,20
Fa1/0/24 1,10,20
Port Vlans in spanning tree forwarding state and not pruned
Fa1/0/22 1,10,20
Fa1/0/24 1,10,20
It is not necessary to configure the other end of the trunk since DTP (Dynamic Trunking Protocol) has negotiated the link to be a trunk. You now have three switches connected over these trunks.
Step 4
You will now configure NYCORE2 and NYACCESS1 in VTP client mode.
First, verify VLANs on both switches.
Connect to NYCORE2 and type the following command:
NYCORE2#
show vlan brief
Press Enter.
You will see the following output:
NYCORE2#show vlan brief
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa1/0/1, Fa1/0/2, Fa1/0/3
                                                Fa1/0/4, Fa1/0/5, Fa1/0/6
                                                Fa1/0/7, Fa1/0/8, Fa1/0/9
                                                Fa1/0/10, Fa1/0/11, Fa1/0/13
                                                Fa1/0/14, Fa1/0/15, Fa1/0/16
                                                Fa1/0/17, Fa1/0/18, Fa1/0/19
                                                Fa1/0/20, Fa1/0/21, Fa1/0/22
                                                Fa1/0/23, Gi1/0/1, Gi1/0/2
50   Voice                            active    Fa1/0/12
60   Data                             active    Fa1/0/12
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup
NYCORE2#
Notice that on NYCORE2, you have VLANs 50 and 60 from the previous exercise.
Now connect to NYACCESS1 and type the following command:
NYACCESS1#
show vlan brief
Press Enter.
You will see the following output:
NYACCESS1#show vlan brief
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                Fa0/9, Fa0/10, Fa0/11, Fa0/12
                                                Fa0/13, Fa0/14, Fa0/15, Fa0/16
                                                Fa0/17, Fa0/18, Fa0/19, Fa0/20
                                                Fa0/21, Fa0/22, Fa0/23, Gi0/1
                                                Gi0/2
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup
NYACCESS1#
Step 5
You will now check the VTP status on NYCORE2 and NYACCESS1.
Connect to NYCORE2 and type the following command:
NYCORE2#
show vtp status
Press Enter.
You will see the following output:
NYCORE2#show vtp status
VTP Version capable : 1 to 3
VTP version running : 1
VTP Domain Name :
VTP Pruning Mode : Disabled
VTP Traps Generation : Disabled
Device ID : a418.75a7.d380
Configuration last modified by 192.168.16.4 at 3-1-93 00:13:34
Local updater ID is 192.168.16.4 on interface Vl1 (lowest numbered VLAN interface found)
Feature VLAN:
--------------
VTP Operating Mode : Server
Maximum VLANs supported locally : 1005
Number of existing VLANs : 7
Configuration Revision : 2
MD5 digest : 0x10 0xB8 0x52 0x6C 0x28 0xEE 0x86 0x06
0x7E 0x72 0x2D 0x92 0x9C 0x15 0xAD 0x6A
NYCORE2#
Now connect to NYACCESS1 and type the following command:
NYACCESS1#
show vtp status
Press Enter.
You will see the following output:
NYACCESS1#show vtp status
VTP Version capable : 1 to 3
VTP version running : 1
VTP Domain Name :
VTP Pruning Mode : Disabled
VTP Traps Generation : Disabled
Device ID : f47f.35ea.7d80
Configuration last modified by 0.0.0.0 at 0-0-00 00:00:00
Local updater ID is 192.168.16.3 on interface Vl1 (lowest numbered VLAN interface found)
Feature VLAN:
--------------
VTP Operating Mode : Server
Maximum VLANs supported locally : 64
Number of existing VLANs : 5
Configuration Revision : 0
MD5 digest : 0x57 0xCD 0x40 0x65 0x63 0x59 0x47 0xBD
0x56 0x9D 0x4A 0x3E 0xA5 0x69 0x35 0xBC
NYACCESS1#
Notice that there is no VTP domain configured, and that both switches are by default in server mode.
Step 6
You will now configure NYCORE2 and NYACCESS1 in client mode.
Connect to NYCORE2 and type the following commands (press Enter after each command):
NYCORE2#
configure terminal
NYCORE2(config)#
vtp mode client
NYCORE2(config)#
exit
You should see the following output.
NYCORE2#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
NYCORE2(config)#vtp mode client
Setting device to VTP Client mode for VLANS.
NYCORE2(config)#exit
NYCORE2#
Now connect to NYACCESS1 and type the following commands (press Enter after each command):
NYACCESS1#
configure terminal
NYACCESS1(config)#
vtp mode client
NYACCESS1(config)#
exit
The output will be as follows:
NYACCESS1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
NYACCESS1(config)#vtp mode client
Setting device to VTP Client mode for VLANS.
NYACCESS1(config)#exit
NYACCESS1#
Step 7
To have a working VTP domain, you need to configure NYCORE1, which is the only one in VTP server mode, with a VTP domain name.
Type the following commands (press Enter after each command) on the NYCORE1 switch:
NYCORE1#
configure terminal
NYCORE1(config)#
vtp domain practicelabs.com
NYCORE1(config)#
exit
You will see the following output:
NYCORE1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
NYCORE1(config)#vtp domain practicelabs.com
Changing VTP domain name from NULL to practicelabs.com
NYCORE1(config)#
*Mar 1 04:06:04.528: %SW_VLAN-6-VTP_DOMAIN_NAME_CHG: VTP domain name changed to practicelabs.com.
NYCORE1(config)#exit
NYCORE1#
The VTP domain should be read and adopted by the other two switches, and the VLANs should be propagated as well.
Step 8
Confirm that VLANs 10 and 20 are propagated to NYCORE2 and NYACCESS1.
Ensure you are connected to NYCORE2 and type the following command:
NYCORE2#
show vlan brief
Press Enter.
You will see the following output:
NYCORE2#show vlan brief
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa1/0/1, Fa1/0/2, Fa1/0/3
                                                Fa1/0/4, Fa1/0/5, Fa1/0/6
                                                Fa1/0/7, Fa1/0/8, Fa1/0/9
                                                Fa1/0/10, Fa1/0/11, Fa1/0/13
                                                Fa1/0/14, Fa1/0/15, Fa1/0/16
                                                Fa1/0/17, Fa1/0/18, Fa1/0/19
                                                Fa1/0/20, Fa1/0/21, Fa1/0/22
                                                Fa1/0/23, Gi1/0/1, Gi1/0/2
10   Management                       active
20   Sales                            active
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup
NYCORE2#
VLAN 10 and VLAN 20 do appear on NYCORE2.
Notice that you don’t have VLAN 50 and VLAN 60 on this switch anymore. This is because a client will learn all VLANs from the server switch and will overwrite the previous VLAN database.
Connect to NYACCESS1 and type the following command:
NYACCESS1#
show vlan brief
Press Enter.
You will see the following output:
NYACCESS1#show vlan brief
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                Fa0/9, Fa0/10, Fa0/11, Fa0/12
                                                Fa0/13, Fa0/14, Fa0/15, Fa0/16
                                                Fa0/17, Fa0/18, Fa0/19, Fa0/20
                                                Fa0/21, Fa0/22, Fa0/23, Gi0/1
                                                Gi0/2
10   Management                       active
20   Sales                            active
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup
NYACCESS1#
Notice that VLAN 10 and VLAN 20 appear on NYACCESS1 as well.
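The overwrite seen on NYCORE2 in this step can be measured by comparing the VLAN database before and after the switch joins the VTP domain. The following is an added example, not part of the original lab: it parses the NYCORE2 show vlan brief output from Step 4 and Step 8, abridged to a few rows, and reports the VLANs that were removed and the ports left without a VLAN (function names are illustrative).

```python
import re

# BEFORE/AFTER: NYCORE2 "show vlan brief" from Step 4 and Step 8 of this lab,
# abridged (header rows, most VLAN 1 ports and VLANs 1003-1005 are omitted).
BEFORE = """\
1 default active Fa1/0/10, Fa1/0/11, Fa1/0/13
Fa1/0/14, Fa1/0/15, Fa1/0/16
50 Voice active Fa1/0/12
60 Data active Fa1/0/12
1002 fddi-default act/unsup
"""
AFTER = """\
1 default active Fa1/0/10, Fa1/0/11, Fa1/0/13
Fa1/0/14, Fa1/0/15, Fa1/0/16
10 Management active
20 Sales active
1002 fddi-default act/unsup
"""

ROW = re.compile(r"(\d+)\s+(\S+)\s+(\S+)\s*(.*)")           # id, name, status, first ports
PORTS = re.compile(r"[A-Za-z]+[\d/]+(,\s*[A-Za-z]+[\d/]+)*")  # wrapped row: ports only

def parse_vlan_brief(text):
    """Return {vlan_id: {'name': str, 'ports': set}}; port lists may wrap onto extra rows."""
    vlans, current = {}, None
    for line in map(str.strip, text.splitlines()):
        m = ROW.fullmatch(line)
        if m:
            current = vlans.setdefault(int(m[1]), {"name": m[2], "ports": set()})
            ports = m[4]
        elif current is not None and PORTS.fullmatch(line):
            ports = line
        else:
            continue                                         # header, ruler or prompt
        current["ports"].update(p for p in re.split(r"[,\s]+", ports) if p)
    return vlans

def vtp_sync_impact(before, after):
    """Report what a VTP database overwrite removed from this switch."""
    removed = {v: before[v]["name"] for v in before.keys() - after.keys()}
    added = {v: after[v]["name"] for v in after.keys() - before.keys()}
    ports_after = set().union(*(v["ports"] for v in after.values()))
    orphaned = set().union(*(before[v]["ports"] for v in removed)) - ports_after
    return {"removed": removed, "added": added, "orphaned_ports": orphaned}

if __name__ == "__main__":
    print(vtp_sync_impact(parse_vlan_brief(BEFORE), parse_vlan_brief(AFTER)))
```

A port reported as orphaned was assigned only to VLANs that no longer exist, or has since become a trunk, so check it with show interfaces switchport before reassigning it.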