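Basic concepts
By default, every port on a switch is a member of VLAN 1.
Once a switch has been configured, it holds two files: config.text and vlan.dat.
The switch's startup-config is stored in the config.text file in flash; the switch has no NVRAM, so flash is used to emulate it.
To restore a switch to its defaults, erasing the startup-config is not enough: vlan.dat must also be deleted, otherwise the VLAN information is still there.
The steps are as follows: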
#delete vlan.dat
#erase startup-config
#reload
…
Cisco VLAN types
Static VLAN configuration: the VLAN is determined mainly by port
Simpler to configure
Dynamic VLAN assignment: the VLAN can be determined by MAC address
Cisco dynamic VLANs require a VMPS (VLAN Membership Policy Server)
A network administrator must assign (static or dynamic) the user's MAC address to a VLAN in the database of a VMPS
ps:
For more information about VMPS, refer to the “Configuring VMPS” section in a Catalyst
…
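Inter-VLAN routing
Connecting VLANs to each other requires a Layer 3 device, such as a router
There are 2 methods:
1. Use a single link, also known as router on a stick
All VLANs reach a single router interface over one trunk; one subinterface has to be configured per VLAN
ps: the router interface should be FastEthernet or faster, e.g. a 2600 series router or above
2. Use multiple links
Each VLAN connects to its own router interface
Drawbacks of router on a stick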
The router becomes a single point of failure for the network.
There is a possibility of inadequate bandwidth for each VLAN.
Additional overhead on the router can occur.
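For the router-on-a-stick layout described above, the following added example (not part of the original notes) renders the router-side configuration with one dot1Q subinterface per VLAN and rejects plans IOS would refuse or that conflict with the reserved VLAN ids. The interface name, VLAN ids and addresses are constructed assumptions.

```python
import ipaddress

def render_subinterfaces(parent, vlans, native=None):
    """Render router-side IOS config: one dot1Q subinterface per VLAN.

    vlans maps VLAN id -> gateway address in CIDR form (values are assumptions
    of this example). native, if given, is the trunk's native (untagged) VLAN.
    """
    lines = [f"interface {parent}", " no ip address", " no shutdown"]
    seen = []
    for vid, cidr in sorted(vlans.items()):
        if not 1 <= vid <= 1001:
            raise ValueError(f"VLAN {vid}: use 1-1001 (1002-1005 are reserved)")
        gw = ipaddress.IPv4Interface(cidr)
        net = gw.network
        if gw.ip in (net.network_address, net.broadcast_address):
            raise ValueError(f"VLAN {vid}: {gw.ip} is not a usable host address")
        # Two subinterfaces cannot carry overlapping subnets.
        clash = [n for n in seen if n.overlaps(net)]
        if clash:
            raise ValueError(f"VLAN {vid}: {net} overlaps {clash[0]}")
        seen.append(net)
        # The native VLAN is sent untagged, so its subinterface is marked native.
        tag = f" encapsulation dot1Q {vid}" + (" native" if vid == native else "")
        lines += ["!", f"interface {parent}.{vid}", tag,
                  f" ip address {gw.ip} {net.netmask}"]
    return "\n".join(lines)

if __name__ == "__main__":
    # Constructed plan: two user VLANs behind FastEthernet0/0.
    print(render_subinterfaces("FastEthernet0/0",
                               {10: "192.168.10.1/24", 20: "192.168.20.1/24"}))
```

On the switch side, the port facing the router is configured with switchport mode trunk so that all VLANs are carried on the single link.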
………………………………………………………
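Static VLAN configuration
Adding a VLAN
Method 1 (mainly for the 2950 switch)
1.
Enter VLAN configuration mode
#vlan database // after entering, the prompt becomes (vlan)
2.
Add a VLAN
(vlan)#[no] vlan <vlan-id> [name <vlan-name>]
Using no only deletes the VLAN; it does not remove the association between the deleted VLAN and its ports
The <vlan-id> range is 1-1005. VLANs 1 and 1002-1005 are reserved VLANs that are created automatically; 1002-1005 are used for Token Ring and FDDI
ps: vlan-id can support the extended range, which extends the range to 4096, but this requires VTP3, and the data is not stored in the VLAN database
[name <vlan-name>]: if no name is set, a default name of vlan + id number is created automatically
ex: for VLAN id 20, the default name is vlan0020
ex:
Add VLAN 2 with the name 20vlan
(vlan)#vlan 2 name 20vlan
VLAN 2 added:
Name:20vlan
Method 2
(config)#vlan <1-1005> [vlan-name]
ps: supported on the 1900, 2950 and 2960 switches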
…
Renaming a VLAN
(config)#vlan <vlan-id>
(config-vlan)#name <vlan-name>
ps
(vlan)#?
vlan Add, delete, or modify values associated with a single VLAN
vtp Perform VTP administrative functions.
exit Apply changes, bump revision number, and exit mode
help Description of the interactive help system
abort Exit mode without applying the changes
apply Apply current changes and bump revision number
…
Assigning a port to a VLAN
1.
Set the port mode to access
(config)#int <interface>
(config-if)#switchport mode access
ps: ports are in access mode by default
ps: a port can be assigned to a VLAN only when its mode is access
ps: hosts must be connected through access ports
2.
Assign the port to a VLAN
(config-if)#switchport access vlan <1-1005>
ex:
Assign interface fastethernet0/1 to VLAN 2
(config)#int fa0/1
(config-if)#switchport mode access
(config-if)#switchport access vlan 2
ps:
On the 1900 switch the command is
(config-if)#vlan-membership static <1-1005>
If static is changed to dynamic, the VLAN is assigned dynamically by VMPS
ps: the main function of VMPS (VLAN Membership Policy Server) is to map MAC addresses to VLANs
ps:
2950(config-if)#switchport ?
nonegotiate Set trunking to nonegotiate
trunk Set trunking characteristics of the interface
access Set access mode characteristics of the interface
mode Set trunking mode of the interface
port-security Security related command
2950(config-if)#switchport mode ?
trunk Set trunking mode to TRUNK unconditionally
access Set trunking mode to ACCESS unconditionally
dynamic Set trunking mode to dynamically negotiate access or trunk mode
2950(config-if)#switchport mode dynamic ?
auto Set trunking mode dynamic negotiation parameter to AUTO
desirable Set trunking mode dynamic negotiation parameter to DESIRABLE
………………………………………….
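Other VLAN settings
Configuring an SVI
(config)#int vlan <vlan id>
(config-if)#ip addr <ip> <mask>
An IP address can be set on a VLAN
If no port in this VLAN is up, the SVI state changes from UP to DOWN
ps
(config-if)#switchport autostate exclude can be used to keep the SVI state up at all times
Setting an IP address on the switch
(config)#int vlan 1
(config-if)#ip addr <ip> <mask>
ps: the management VLAN of the Catalyst switch series is VLAN 1 by default, so setting the IP address of VLAN 1 is the same as setting the IP address of the switch
ps: CDP and VTP operate over VLAN 1
ps: opening a browser and entering the switch's IP address brings up the switch configuration page
ps: no shutdown enables VLAN 1; it is enabled by default
Displaying interface information for VLAN 1
>show interfaces vlan1
The output looks roughly like this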
Vlan 1 is up, line protocol is up
Hardware is CPU Interface, address is 000C.2721.3927 (bia 000C.2721.3927)
Internet address is 197.10.1.99 /24 // the switch's IP address
MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
reliability 255/255, txload 1/255, rxload 1/255
Auto-duplex, Auto-speed
Encapsulation ARPA, loopback not set // the encapsulation type is ARPA
ARP type: ARPA, ARP Timeout 04:00:00
Last input 02:29:44, output never, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue :0/40 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
269 packets input, 71059 bytes, 0 no buffer
Received 6 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
7290 packets output, 429075 bytes, 0 underruns
0 output errors, 3 interface resets
0 output buffer failures, 0 output buffers swapped out
………………………………………………………………………………………………
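Checking VLAN status
Cisco's recommended troubleshooting process
1. Check the physical indicator LEDs
2. Check the configuration of a single switch from the outside
3. Check the Layer 1 link state
4. Check the Layer 2 link state
5. Check the other switches in the VLAN
#show interface [interface] switchport
If no interface is specified, the switchport status of every interface is listed
The output looks roughly like this (using show int fa0/12 switchport as the example)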
Name: Fa0/12
Switchport:Enabled
Administrative mode: dynamic // this port is configured as dynamic
Operational mode: trunk // the mode the port is actually operating in is trunk
Administrative Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Protected: false
Voice vlan: none (Inactive)
Appliance trust: none
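The switchport output above shows a port configured as dynamic that is operating as a trunk. The following added example (not part of the original notes) parses output in that layout and lists such ports so they can be reviewed; the sample text and the second port in it are constructed.

```python
import re

# Constructed sample in the same layout as the output shown above (two ports).
SAMPLE = """\
Name: Fa0/12
Switchport:Enabled
Administrative mode: dynamic
Operational mode: trunk
Administrative Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)

Name: Fa0/1
Switchport: Enabled
Administrative Mode: static access
Operational Mode: static access
Negotiation of Trunking: Off
Access Mode VLAN: 2 (20vlan)
Trunking Native Mode VLAN: 1 (default)
"""

def parse_switchport(text):
    """Split the output into one dict per port, keyed by lower-cased field name."""
    ports, current = [], None
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue                      # blank line or not "field: value"
        key, value = key.strip().lower(), value.strip()
        if key == "name":                 # "Name:" starts a new port record
            current = {"name": value}
            ports.append(current)
        elif current is not None:
            current[key] = value
    return ports

def negotiated_trunks(ports):
    """Ports that are trunking although their administrative mode is dynamic."""
    return [p["name"] for p in ports
            if p.get("administrative mode", "").startswith("dynamic")
            and p.get("operational mode", "") == "trunk"]

def access_vlan(port):
    """Numeric access VLAN from a value such as '1 (default)'."""
    m = re.match(r"\d+", port.get("access mode vlan", ""))
    return int(m.group()) if m else None

if __name__ == "__main__":
    ports = parse_switchport(SAMPLE)
    print("negotiated trunks:", negotiated_trunks(ports))
    print({p["name"]: access_vlan(p) for p in ports})
```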
Viewing VLAN status
#show vlan [id|brief]
brief: shows all VLANs and the ports they own in a concise form
id: selects an individual VLAN
ps:
Using show vlan brief as the example
The output looks roughly like this
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/2, Fa0/3, Fa0/4
                                                Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                Fa0/9, Fa0/10, Fa0/11
20   2950vlan                         active    Fa0/1, Fa0/12 // the VLAN is named 2950vlan; its members are fa0/1 and fa0/12
1002 fddi-default                     active
1003 token-ring-default               active
1004 fddinet-default                  active
1005 trnet-default                    active
VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1    enet  100001     1500  -      -      -        -    -        0      0
1002 fddi  101002     1500  -      -      -        -    -        0      0
1003 tr    101003     1500  -      -      -        -    -        0      0
1004 fdnet 101004     1500  -      -      -        ieee -        0      0
1005 trnet 101005     1500  -      -      -        ibm  -        0      0
ps:
Using show vlan id as the example (show vlan 20)
The output looks roughly like this
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
20   2950vlan                         active    Fa0/1, Fa0/12
VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
20   enet  100020     1500  -      -      -        -    -        0      0
ps: on the 1900 switch, show vlan-membership is used to see which VLAN each port is in
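The show vlan brief listing above wraps long port lists onto continuation lines. The following added example (not part of the original notes) parses that layout and reports the ports still in VLAN 1 and the ports listed under no VLAN, which on IOS are typically trunk ports or ports left assigned to a VLAN that was deleted with no. The sample text and the 12-port inventory are constructed assumptions.

```python
import re

# Constructed sample: the `show vlan brief` layout shown above, with whitespace
# collapsed and the VLAN 1 port list wrapped over three lines.
SAMPLE = """\
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/2, Fa0/3, Fa0/4
Fa0/5, Fa0/6, Fa0/7, Fa0/8
Fa0/9, Fa0/10, Fa0/11
20 2950vlan active Fa0/1
1002 fddi-default active
VLAN Type SAID MTU Parent RingNo BridgeNo Stp BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1 enet 100001 1500 - - - - - 0 0
"""

ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s*(.*)$")   # id, name, status, ports
PORT = re.compile(r"[A-Za-z]+\d+(?:/\d+)+")               # e.g. Fa0/12

def parse_vlan_brief(text):
    """Return {vlan_id: {"name", "status", "ports"}} from the first table only."""
    vlans, current = {}, None
    for line in text.splitlines():
        if line.split()[:2] == ["VLAN", "Type"]:
            break                                   # second table starts here
        m = ROW.match(line)
        if m:
            current = {"name": m.group(2), "status": m.group(3),
                       "ports": PORT.findall(m.group(4))}
            vlans[int(m.group(1))] = current
        elif current is not None:
            current["ports"] += PORT.findall(line)  # wrapped port list
    return vlans

def unlisted_ports(vlans, inventory):
    """Ports from the (assumed) inventory that appear under no VLAN."""
    listed = {p for v in vlans.values() for p in v["ports"]}
    return [p for p in inventory if p not in listed]

if __name__ == "__main__":
    vlans = parse_vlan_brief(SAMPLE)
    inventory = [f"Fa0/{n}" for n in range(1, 13)]  # assumed 12-port switch
    print("still in VLAN 1:", vlans[1]["ports"])
    print("in no VLAN:", unlisted_ports(vlans, inventory))
```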