Design Review Template - NETS

More documents

Recommendations

Info

Configuration Best Practices VLAN 1 VLAN1 has a special significance in Catalyst networks, and can be the cause of some confusion. The Catalyst Supervisor always uses the Default VLAN, 1, to tag a number of control and management protocols when trunking, such as CDP, VTP and PAgP! All ports including the internal sc0 interface are configured to be members of VLAN1 at initial boot up. All trunks carry VLAN1 by default, and in older Catalyst code, (prior to CatOS 5.3), it was not possible to block user data in VLAN1. Two other definitions are needed to help clarify some well-used terms in Catalyst networking: • The Management VLAN is where sc0 resides, and can be changed. • The Native VLAN is defined as the VLAN a port will return to when not trunking, and is the untagged VLAN on an 802.1Q trunk. There are several good reasons to tune a network and alter the behavior of ports in VLAN1: • When the diameter of VLAN1, like any other VLAN, gets large enough to be a risk to stability, particularly from an STP perspective, it needs to be pruned back. • Control plane data on VLAN1 should be kept separate from user data in other VLANs, and ideally the management VLAN, to simplify troubleshooting and maximise available CPU. • Layer-2 loops in VLAN1 must be avoided when designing Multilayer Campus networks without STP, yet trunking is still required to the access-layer multiple there are multiple VLANs and IP subnets. To do this, manually clear VLAN1 from trunk ports. Note: • CDP, VTP and PAgP updates are always forwarded with a VLAN1 tag even if VLAN1 has been cleared on trunks and is not the native VLAN. One implication is that when trunking to a router, an interface must be defined in VLAN1 to detect CDP. • DTP updates are forwarded with VLAN1 tags on ISL trunks, but use the native VLAN on 802.1Q. • 802.1Q IEEE BPDUs are forwarded untagged on the ‘Common Spanning Tree’ VLAN1 (like ISL) for interoperability with other vendors, unless VLAN1 has been cleared from the trunk. Cisco Per- VLAN Spanning tree (PVST+) BPDUs are sent and tagged for all other VLANs. Analysis NCAR Design Review and Recommendations v1.2 16
Hierarchical (MultiLayer) Network Design VLAN Trunking Protocol (VTP) Before you create VLANs you must decide what VTP mode to use in your network. With VTP you can make VLAN configuration changes centrally on one or more switches and have those changes automatically communicated to all the other switches in the network. VTP is a Layer 2 messaging protocol that maintains VLAN configuration consistency by managing the addition, deletion, and renaming of VLANs on a network-wide basis. VTP minimizes mis-configurations and configuration inconsistencies that can result in a number of problems such as duplicate VLAN names, incorrect VLAN-type specifications, and security violations. The VLAN database built is stored in NVRAM, separately the configuration. AS recommends transparent mode. As the majority of customers do not create or delete VLANs frequently, when a new VLAN is needed it is not much effort to update all switches in a domain, usually numbering 20 or less. • This practice encourages good change control. • Limits the risk of a user error, such as deleting a VLAN, impacting the entire domain. • Eliminated the risk of any VTP bug affecting the entire network. • There is no risk from a new switch being introduced into the network with a higher VTP revision number and over-writing the entire domain's VLAN configuration. There is a positive and negative side to VTP being able to make changes very easily on a network - most enterprises prefer a cautious approach. • STP per VLAN and unnecessary flooding should be limited by explicit configuration (i.e. pruning) of what VLANs are propagated on what trunks. A per switch VLAN configuration also encourages this practice. • The extended VLAN range in CatOS 6.x, numbers1025-4094, can only be configured in this way. Trunking Mode Purpose: DTP is the second generation of DISL (Dynamic ISL) and exists to ensure that the different parameters involved in sending ISL or 802.1Q frames, like the configured encapsulation type, native VLAN, hardware capability, etc. are agreed by the Catalysts at either end of a trunk. This also helps protect against non-trunk ports flooding tagged frames, a potentially serious security risk, by ensuring ports and their neighbors are either in a safe trunking or non-trunking state. Operational Overview: DTP is a layer-2 protocol that negotiates configuration parameters between a switch port and it's neighbor. It uses another well-known multicast MAC address of 01-00-0c-cc-cc-cc and a SNAP protocol type of 0x2004. Here is a summary of the configuration modes: Note: ISL and 802.1Q encapsulation type can be set or negotiated - ISL will be preferred over dot1Q, but is recommended to be set. • DTP assumes point-to-point connection, and Cisco devices will support 802.1Q trunk ports that are only point-to-point. • During DTP negotiation, the ports will not participate in STP. Only after the port type becomes one of the three types (Access, ISL or 802.1Q), the port will be added to STP. (If PAgP is running that is the next process to run prior to the port participating in STP). • VLAN 1 will usually be there on the trunk port. If the port is trunking in ISL mode, DTP packets are sent out on VLAN 1, otherwise (for 802.1Q trunking or non-trunking ports) on the Native VLAN. NCAR Design Review and Recommendations v1.0 17
Page 1 and 2: Cisco Systems Advanced Services Nat
Page 3 and 4: Contents Contents 3 Document Contro
Page 5 and 6: About The Document Document Purpose
Page 7 and 8: About The Document and Foothills. A
Page 9 and 10: Short Term Design Enhancements Foot
Page 11 and 12: Hierarchical (MultiLayer) Network D
Page 15: Hierarchical (MultiLayer) Network D
Page 23: Corporate Headquarters Cisco System

Design Review Template - NETS

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?