Monday, December 19, 2016


Trunking & Pruning Configuration

Now that we have talked about the theory of trunking, let's see how to set up a couple of trunks. In this session we want a trunk between switches Sw1 and Sw2 and another trunk between Sw1 and Sw3. First, let's see how things are configured right now on Sw1:
    Sw1#show interfaces fastethernet 1/0/13 switchport
This tells us that right now we are acting as an access port (that is our operational mode); we are not currently trunking. Our administrative mode is set to dynamic auto, meaning we are willing to form a trunk if we receive a DTP frame, but since we are operating in access mode it looks like we have not received one. We can also see that the encapsulation type, if a trunk were to come up, would be negotiated. That is probably not what we want; we probably want to hard code 802.1Q (dot1q) as the encapsulation type. Also, if we formed a trunk the native VLAN would be VLAN 1, and we will see how to set that to a non-default VLAN, keeping in mind that both ends of a trunk need to agree on the native VLAN.
Let's hard code the trunking encapsulation to dot1q on both of these ports. Let's also set the native VLAN to 100, something other than the default, and we need to make that match on the far-end switches.
Then let's set up fastethernet 1/0/13 on switch Sw1 with a mode of dynamic desirable. That will cause it to send DTP frames down to switch Sw2, which is configured for dynamic auto, and that will cause the formation of a trunk. To illustrate another setting, a trunking mode of trunk also sends DTP frames: we set the mode to trunk on fastethernet 1/0/14 and we see that a trunk is formed there as well.

To see if we have any trunks currently on a switch, we can do a
    Sw1#show interfaces trunk

Let's go into interface configuration mode and set the encapsulation type to dot1q:
    Sw1(config)#interface fastethernet 1/0/13
    Sw1(config-if)#switchport trunk encapsulation dot1q

Let's also change the native VLAN to a non-default value; say we make it 100:
    Sw1(config-if)#switchport trunk native vlan 100
Now let's set the mode to dynamic desirable:
    Sw1(config-if)#switchport mode dynamic desirable

Now configure interface fastethernet 1/0/14:
    Sw1(config)#interface fastethernet 1/0/14
    Sw1(config-if)#switchport trunk encapsulation dot1q
    Sw1(config-if)#switchport trunk native vlan 100
    Sw1(config-if)#switchport mode trunk
Instead of dynamic desirable we used trunk mode here. Trunk mode also sends DTP frames, so it will also bring up the trunk, because the other end is set to dynamic auto.

Now go to switch Sw2 and make the matching change there:
    Sw2(config)#interface fastethernet 0/3
    Sw2(config-if)#switchport trunk native vlan 100

Let's do the same thing on switch Sw3:
    Sw3(config)#interface fastethernet 0/3
    Sw3(config-if)#switchport trunk native vlan 100

Now the trunks should be happy. Let's go back to switch Sw1 and give the command that shows what trunks we currently have on the switch:
    Sw1#show interfaces trunk
Notice that our native VLAN is 100 for each of these ports, that we hard coded the encapsulation to be 802.1Q, and that we are currently trunking on both of these ports.

And that's a look at a couple of ways of configuring an Ethernet trunk.

We have now created VLANs on our switch, created trunks, set the trunking encapsulation type to 802.1Q and set the native VLAN to a non-default value. Something else we might want to do with trunks is to limit which VLANs are allowed to flow over them. This can help us from a security perspective: by default all VLANs are allowed over a trunk, which means that unknown unicast, broadcast and multicast traffic for all VLANs flows over the trunk by default, and that might give a malicious user the opportunity to capture packets they should not be seeing. Limiting the VLANs allowed over trunks can also help us from a quality of service perspective, because we no longer have unnecessary packets flowing across the trunk and consuming bandwidth alongside the traffic that does need to cross it. Here on Sw1, let's take a look at what VLANs are allowed over the trunks we created.
Let's do a show command:
    Sw1#show interfaces trunk
We can see that for both of our ports we are allowing all VLANs, the range 1 through 4094, but right now the only VLANs we have on the switch are VLANs 1, 100 and 200, and we see that those are the ones "allowed and active in management domain". Let's say that for some reason we do not want to allow VLAN 200 to flow across that trunk port. How can we do that? Let's go into the interface and look at the options:
    Sw1(config)#interface fastethernet 1/0/13
    Sw1(config-if)#switchport trunk allowed vlan ?
- WORD: specify the individual VLANs that are going to be allowed over this trunk port, separated by commas. We could say 1,100,200 and that would allow those three VLANs across this trunk port.
- add: if we just want to add a VLAN to the existing (current) VLAN list, we can give the keyword add.
- all: allow all VLANs.
- except: allow all VLANs except the ones that follow.
- none: don't allow any VLAN; block all VLANs on this trunk port.
- remove: if we already have a current list, we can surgically remove individual VLANs from it.

There are a couple of ways of pruning VLANs. First, let's use the first (WORD) approach, where we just enter the individual VLAN numbers:
    Sw1(config-if)#switchport trunk allowed vlan 1,100

Now let's go back and take a look at what VLANs are allowed on that port:
    Sw1#show interfaces fastethernet 1/0/13 trunk
Now only VLANs 1 and 100 are allowed, and we can see that VLAN 200 is no longer allowed over this trunk port. That is one way of setting this up.

Let's go back into the interface and make that command go away:
    Sw1(config)#interface fastethernet 1/0/13
    Sw1(config-if)#no switchport trunk allowed vlan
Now let's try this a different way; let's say:
    Sw1(config-if)#switchport trunk allowed vlan except 200
This allows all VLANs except the specified VLAN (200).

Now take a look:
    Sw1#show interfaces fastethernet 1/0/13 trunk
Looking at the allowed VLANs on this trunk, we see 1-199 and 201-4094; the only VLAN that is not allowed is VLAN 200. The only VLANs that are currently allowed and active are 1 and 100, because we said allow everything except 200, and that leaves us with just those two VLANs.

That's a look at a couple of ways we can go into a trunk and prune unnecessary VLAN traffic, which, as we said, can help us with security as well as quality of service.
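As an added example (not part of the original post), here is a small Python audit script that parses the two tables of `show interfaces trunk` the post keeps checking and flags a trunk whose native VLAN is still 1, whose trunk was formed by DTP negotiation rather than set statically, or which still allows VLANs beyond the ones we need. The sample output is constructed to resemble Sw1 after the pruning above, with Fa1/0/14 deliberately left at its defaults so the checks have something to report.

```python
def parse_vlan_list(spec):
    # Expand an IOS VLAN list such as "1-199,201-4094" into a set of ints.
    vlans = set()
    for part in spec.split(","):
        part = part.strip()
        if not part or part.lower() == "none":
            continue
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def parse_show_trunk(output):
    # Read the first two tables of "show interfaces trunk" into {port: info}.
    blocks = [b.strip().splitlines() for b in output.strip().split("\n\n")]
    trunks = {}
    for line in blocks[0][1:]:   # Port  Mode  Encapsulation  Status  Native vlan
        port, mode, encap, status, native = line.split()
        trunks[port] = {"mode": mode, "encap": encap, "status": status,
                        "native": int(native)}
    for line in blocks[1][1:]:   # Port  Vlans allowed on trunk
        port, allowed = line.split(None, 1)
        trunks[port]["allowed"] = parse_vlan_list(allowed)
    return trunks

def audit_trunks(output, needed_vlans):
    # Flag trunks still at the defaults the post changes: native VLAN 1, a DTP-negotiated trunk, or too wide an allowed list.
    findings = {}
    for port, t in parse_show_trunk(output).items():
        issues = []
        if t["native"] == 1:
            issues.append("native VLAN is the default (1)")
        if t["mode"] in ("desirable", "auto"):
            issues.append("trunk negotiated by DTP (mode %s), not set statically" % t["mode"])
        extra = t["allowed"] - set(needed_vlans)
        if extra:
            issues.append("%d VLANs allowed that are not needed" % len(extra))
        findings[port] = issues
    return findings

# Constructed sample, modelled on Sw1 after pruning Fa1/0/13; Fa1/0/14 is
# deliberately left on native VLAN 1 with all VLANs allowed.
SAMPLE = """\
Port        Mode             Encapsulation  Status        Native vlan
Fa1/0/13    desirable        802.1q         trunking      100
Fa1/0/14    on               802.1q         trunking      1

Port        Vlans allowed on trunk
Fa1/0/13    1-199,201-4094
Fa1/0/14    1-4094
"""
```

Call `audit_trunks(SAMPLE, [1, 100])` with the VLANs that actually need to cross the trunk; each port maps to a list of findings, empty when the trunk matches the hardened configuration the post builds.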
