VLAN Design Etherchannel. Review: Private VLANS Used by Service providers to deploy host services...


VLAN Design

Etherchannel


Review: Private VLANs

Used by Service providers to deploy host services and network access where all devices reside in the same subnet but only communicate to a default gateway, backup servers, or another network.

Catalyst 6500/4500/3650 switches implement PVLANs, whereas the 2950 and 3550 support “protected ports,” which provide functionality similar to PVLANs on a per-switch basis.

Advantages of PVLANs include:

1. Provides security
2. Reduces the number of IP subnets
3. Reduces the VLANs’ utilisation by isolating traffic between network devices residing in the same VLAN


Private VLANs

[Figure: router R1 and six computers on switch ports Fa0/1 to Fa0/7, addressed 192.168.10.1/24 to 192.168.10.7/24. Labels: Primary VLAN 100 (Promiscuous), Secondary VLAN 10 (Community), Secondary VLAN 20 (Community), Secondary VLAN 30 (Isolated); Yes/No markers.]


Private VLAN Configuration

Create Private VLANs:

DLS2(config)#vtp mode transparent
DLS2(config)#vlan 10
DLS2(config-vlan)#private-vlan community
DLS2(config-vlan)#vlan 20
DLS2(config-vlan)#private-vlan community
DLS2(config-vlan)#vlan 30
DLS2(config-vlan)#private-vlan isolated
DLS2(config-vlan)#exit
DLS2(config)#vlan 100
DLS2(config-vlan)#private-vlan primary
DLS2(config-vlan)#private-vlan association 10,20,30


Private VLAN Configuration

Populate Private VLANs:

DLS2(config)#int fa0/1
DLS2(config-if)#switchport mode private-vlan promiscuous
DLS2(config-if)#switchport private-vlan mapping 100 10,20,30
DLS2(config-if)#int fa0/2
DLS2(config-if)#switchport mode private-vlan host
DLS2(config-if)#switchport private-vlan host-association 100 10

Verify Private VLANs:

S1#show vlan private-vlan
S1#show interfaces fa0/2 switchport
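An added example, not part of the original slides: it reads a PVLAN configuration in the style shown above and applies the standard forwarding rules (promiscuous ports reach every port, community ports reach their own community, isolated ports reach promiscuous ports only). The placement of host ports fa0/3 to fa0/7 in the secondary VLANs is an assumption, since the slides configure only fa0/1 and fa0/2.

```python
# Constructed sample in the page's numbering: primary 100, community 10 and 20,
# isolated 30. Host-port placement beyond fa0/1 and fa0/2 is an assumption.
CONFIG = """\
vlan 10
 private-vlan community
vlan 20
 private-vlan community
vlan 30
 private-vlan isolated
interface fa0/1
 switchport mode private-vlan promiscuous
interface fa0/2
 switchport private-vlan host-association 100 10
interface fa0/3
 switchport private-vlan host-association 100 10
interface fa0/4
 switchport private-vlan host-association 100 20
interface fa0/6
 switchport private-vlan host-association 100 30
interface fa0/7
 switchport private-vlan host-association 100 30
"""

def parse(config):
    """Return {port: role}: 'promiscuous', 'isolated' or ('community', vlan)."""
    vlan_type, roles, name = {}, {}, None
    for words in (line.split() for line in config.splitlines() if line.strip()):
        if words[0] in ("vlan", "interface"):
            name = words[1]                      # start of a new stanza
        elif words[0] == "private-vlan":
            vlan_type[name] = words[1]           # community / isolated
        elif words[-1] == "promiscuous":
            roles[name] = "promiscuous"
        elif "host-association" in words:
            kind = vlan_type[words[-1]]          # type of the secondary VLAN
            roles[name] = "isolated" if kind == "isolated" else (kind, words[-1])
    return roles

def can_talk(roles, a, b):
    """Layer 2 reachability between two ports in the same primary VLAN."""
    ra, rb = roles[a], roles[b]
    if "promiscuous" in (ra, rb):
        return True                              # promiscuous reaches every port
    if "isolated" in (ra, rb):
        return False                             # isolated reaches promiscuous only
    return ra == rb                              # community: own community only

ROLES = parse(CONFIG)
```

Comparing this expected matrix with what hosts can actually reach is a quick way to confirm that the isolation took effect after a change.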


Link Aggregation With EtherChannel

• EtherChannel is a technology that was originally developed by Cisco as a LAN switch-to-switch technique of grouping several Fast or Gigabit Ethernet ports into one logical channel.

• All the links between access and distribution switches are bundled into EtherChannels and are in forwarding mode.

[Figure panels: STP with no EtherChannel; STP with EtherChannel]


Link Aggregation With EtherChannel

[Figure: switches S1, S2 and S3]

•Allows for the creation of a very-high-bandwidth logical link

•Load balances amongst the physical links involved

•Provides automatic failover

•Simplifies subsequent logical configuration (configuration is per logical link instead of per physical link)

•EtherChannel bundles individual Ethernet links into a single logical link that provides bandwidth up to 1600 Mbps (Fast EtherChannel, full duplex) or 16 Gbps (Gigabit EtherChannel) between two Cisco Catalyst switches.

•All interfaces in each EtherChannel must be the same speed and duplex, and both ends of the channel must be configured as either a Layer 2 or Layer 3 interface.


EtherChannel Load Balancing

[Figure: switches S1, S2 and S3 with port-channels Po1, Po2 and Po3; member links Fa0/1 and Fa0/2]

S1(config)#port-channel load-balance src-dst-port

•EtherChannel balances the traffic load across the links in a channel by XORing the last part of the addresses in the frame into a numerical value that selects one of the links in the channel.

•EtherChannel load balancing on L2-only switches can use either source-MAC or destination-MAC address forwarding.

src-mac: Source MAC address
dst-mac: Destination MAC address
src-dst-mac: Source and destination MAC addresses
src-ip: Source IP address
dst-ip: Destination IP address
src-dst-ip: Source and destination IP addresses (default)
src-port: Source TCP/User Datagram Protocol (UDP) port
dst-port: Destination TCP/UDP port
src-dst-port: Source and destination TCP/UDP ports
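An added example, not from the original slides, showing how the choice of load-balance method decides which member link a flow uses, which is what you need to know when capturing or troubleshooting on one link of a bundle. It is a simplified model: XORing the low 3 bits into eight buckets and spreading them round-robin over the links is an assumption, and the exact bucket-to-link mapping is platform specific.

```python
from collections import Counter

# Simplified model (an assumption, not a specific platform's algorithm): XOR the
# low 3 bits of the selected fields into a bucket 0-7, then spread the eight
# buckets round-robin over the member links.
def low3(value):
    """Low-order 3 bits of a MAC ('aa:bb:..'), IPv4 address or port number."""
    if isinstance(value, int):
        return value & 7
    sep = ":" if ":" in value else "."
    base = 16 if sep == ":" else 10
    return int(value.split(sep)[-1], base) & 7

def pick_link(frame, method, links):
    """Return the member link a frame would use under a load-balance method."""
    kind = method.rsplit("-", 1)[-1]            # mac, ip or port
    sides = method.split("-")[:-1]              # ['src'], ['dst'] or ['src', 'dst']
    bucket = 0
    for side in sides:
        bucket ^= low3(frame[f"{side}_{kind}"])
    return links[bucket % len(links)]

def distribution(frames, method, links):
    """Count how many frames land on each member link."""
    return Counter(pick_link(f, method, links) for f in frames)

LINKS = ["Fa0/1", "Fa0/2"]
GATEWAY = "00:00:0c:00:00:01"
# Constructed frames: four hosts sending to one gateway.
FRAMES = [{"src_mac": f"00:00:0c:00:00:1{n}", "dst_mac": GATEWAY} for n in range(4)]

if __name__ == "__main__":
    for method in ("dst-mac", "src-mac", "src-dst-mac"):
        print(method, dict(distribution(FRAMES, method, LINKS)))
```

With dst-mac, every frame towards the single gateway hashes to the same link, so the second link carries none of that traffic; the source-based methods split it evenly.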



Configuring EtherChannel

Cisco’s proprietary Port Aggregation Protocol (PAgP) and the IEEE standard Link Aggregation Control Protocol (LACP) automatically create bundled Ethernet links.

PAgP packets are sent between Fast EtherChannel-capable ports in order to negotiate the forming of a channel. When PAgP identifies matched Ethernet links, PAgP groups the links into an EtherChannel. The EtherChannel is then added to the spanning tree as a single bridge port.

Link Aggregation Control Protocol (LACP) is part of an IEEE specification (802.3ad) that allows several physical ports to be bundled together to form a single logical channel. LACP allows a switch to negotiate an automatic bundle by sending LACP packets to the peer.

LACP performs a function similar to that of Port Aggregation Protocol (PAgP) with Cisco EtherChannel. Because LACP is an IEEE standard, it can be used to facilitate EtherChannels in mixed switch environments.


EtherChannel Configuration Commands

PAgP

LACP


EtherChannel Considerations

• EtherChannel support: There is no requirement that interfaces in the EtherChannel be physically contiguous or on the same module.

• Speed and duplex: Configure all interfaces in an EtherChannel to operate at the same speed and in the same duplex mode.

• Switched port analyzer (SPAN): An EtherChannel does not form if one of the interfaces is a SPAN destination port.

• Layer 3 EtherChannels: Assign Layer 3 addresses to the port-channel logical interface, not to the physical interfaces in the channel.

• VLAN match: All interfaces in the EtherChannel bundle must be assigned to the same VLAN or be configured as a trunk.

• Range of VLANs: An EtherChannel supports the same allowed range of VLANs on all the interfaces in a trunking Layer 2 EtherChannel.

• STP path cost: Interfaces with different STP port path costs can form an EtherChannel as long as they are otherwise compatibly configured.

• Port channel vs interface configuration: Any configuration that is applied to the port-channel interface affects the EtherChannel. Any configuration applied to the physical interfaces affects only the specific interface.


Link Aggregation With PAgP

[Figure: switches S1, S2 and S3 with port-channels Po1, Po2 and Po3; member links Fa0/1 and Fa0/2 at each end]

S1(config)#interface range fa0/1 - 2
S1(config-if-range)#channel-protocol pagp
S1(config-if-range)#channel-group 1 mode desirable

S1#sh etherchannel summary
Flags:  D - down        P - in port-channel
        I - stand-alone s - suspended
        H - Hot-standby (LACP only)
        R - Layer3      S - Layer2
        U - in use      f - failed to allocate aggregator
        u - unsuitable for bundling
        w - waiting to be aggregated
        d - default port

Number of channel-groups in use: 1
Number of aggregators: 1

Group  Port-channel  Protocol    Ports
------+-------------+-----------+-------------------------------------------
1      Po1(SU)       PAgP        Fa0/1(P) Fa0/2(P)


Link Aggregation With PAgP

[Figure: switches S1, S2 and S3 with port-channels Po1, Po2 and Po3; member links Fa0/1 and Fa0/2 at each end]

S1(config)# interface range fa0/1 - 2
S1(config-if-range)# no switchport
S1(config-if-range)# channel-group 1 mode desirable
S1(config-if-range)# interface port-channel 1
S1(config-if)# no switchport
S1(config-if)# ip address 10.0.0.1 255.255.255.0

S1#sh etherchannel summary
Flags:  D - down        P - in port-channel
        I - stand-alone s - suspended
        H - Hot-standby (LACP only)
        R - Layer3      S - Layer2
        U - in use      f - failed to allocate aggregator
        u - unsuitable for bundling
        w - waiting to be aggregated
        d - default port

Number of channel-groups in use: 1
Number of aggregators: 1

Group  Port-channel  Protocol    Ports
------+-------------+-----------+-------------------------------------------
1      Po1(RU)       PAgP        Fa0/1(P) Fa0/2(P)
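An added example, not part of the original slides: a small audit of `show etherchannel summary` output that uses the flag legend above to report channels that are not in use, channels formed without a negotiation protocol, and member ports that are not bundled. The sample output is constructed, and treating a `-` in the Protocol column as a statically configured (mode on) channel is an assumption about the platform's display.

```python
import re

# Constructed output in the format shown above; Fa0/2 is marked suspended and
# Po3 is a down channel with no negotiation protocol.
SAMPLE = """\
Group  Port-channel  Protocol    Ports
------+-------------+-----------+-------------------------------------------
1      Po1(SU)       PAgP        Fa0/1(P) Fa0/2(s)
2      Po2(RU)       LACP        Fa0/3(P) Fa0/4(P)
3      Po3(SD)       -           Fa0/5(D) Fa0/6(I)
"""

# The page's own healthy result line, for comparison.
HEALTHY = "1      Po1(SU)       PAgP        Fa0/1(P) Fa0/2(P)\n"

ROW = re.compile(r"^(\d+)\s+(Po\d+)\((\w+)\)\s+(\S+)\s+(.*)$")
PORT = re.compile(r"(\S+?)\((\w+)\)")

def audit(summary):
    """Return a list of (port_channel, problem) findings."""
    findings = []
    for line in summary.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue                      # legend, header and separator lines
        _, po, po_flags, proto, ports = m.groups()
        if "U" not in po_flags:
            findings.append((po, f"channel not in use (flags {po_flags})"))
        if proto == "-":
            findings.append((po, "no negotiation protocol"))
        for port, flag in PORT.findall(ports):
            if flag != "P":               # P = in port-channel
                findings.append((po, f"{port} not bundled (flag {flag})"))
    return findings

if __name__ == "__main__":
    for po, problem in audit(SAMPLE):
        print(po, problem)
```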


Link Aggregation With LACP

[Figure: switches S1 and S2 joined by Po1 over Fa0/1, Fa0/2, Fa0/3 and Fa0/4 on each switch; default system priority = 32768 on both]

S1(config)# lacp system-priority 100

S1(config)#interface range fa0/1 - 2
S1(config-if-range)#channel-protocol lacp
S1(config-if-range)#channel-group 1 mode active
S1(config-if-range)#lacp port-priority 100

S1(config-if-range)#interface range fa0/3 - 4
S1(config-if-range)#channel-protocol lacp
S1(config-if-range)#channel-group 1 mode active

• LACP requires one switch to make all the decisions about the LACP channels.

• When the system priority is left at its default, this is based on the lowest MAC address.