Implementing VLAN trunking
Contents
- Introduction
- Cisco switch configurations
- Cisco router configurations
- Windows configuration with Intel Pro Series adapters
Introduction
In my last article, “Introduction to VLAN trunking”, I whetted your appetite for a hot new technology that is revolutionizing the way network topologies are designed and interconnected. In this piece, I will show you how to actually implement this technology on the three most common types of equipment you will come across: Cisco switches, routers, and servers or workstations running the Windows operating system. The only prerequisite for this article is a basic working knowledge of switches, routers, and PCs running Windows for their respective sections. Click here for a network diagram of the lab environment created in this article. Note that the examples I use are based on the 802.1q standard.
Cisco switch configurations
Cisco switches primarily come in two flavors, CatOS (Catalyst OS) and IOS (Internetworking OS). Although Cisco is trying to migrate almost everything to the IOS type operating system on their equipment, there is still a large install base for CatOS switches. Cisco’s flagship 6500 series switch can actually run CatOS or IOS, but most people I know run CatOS on the 6500s. Smaller switches like the 2950 and the 3550 all run IOS. Then there is the oddball 2948g-L3 that really is more of a router than a switch (the 2948 without the “L3” is a normal IOS switch); refer to the next section on routers for its configuration.
Note: In many ways, I personally love the CatOS over IOS for its UI’s (User Interface) superior method of entering system configuration. For example, if you ever need to apply a common configuration to 48 Ethernet ports on module 4, you simply need to apply a command to “4/1-48”. On the IOS UI, you would need to enter each interface for all 48 ports and apply 96 individual commands vs. one command on the CatOS! Viewing the configuration on IOS is equally bloated.
Here is a breakdown of trunking support for the various Cisco switches:
| IOS | CatOS |
| 2900 Series (on some IOS versions) | 2980 (Same IOS image as the 4000) |
| 2948 (Non L3) | 4000 Series |
| 2950 Series | 5000 and 5500 Series |
| 3548 | 6000 and 6500 Series |
| 3550 Series | |
| 6500 running IOS | |
To set up trunking on a CatOS or IOS Cisco switch, the port that needs to be trunked must be configured for the right kind of VLAN trunking. Note that not every module and interface on a switch supports trunking; the switch will give you an error message if you try to set such a port for trunking, so you may need to look up the port capabilities for each port.
Here is the configuration guide for both IOS and CatOS.
Configuring and locking down IOS switches:
| IOS Command | Description |
| Enable | Switch to enable mode |
| Configure Terminal | Enter global configuration mode |
| Interface FastEthernet0/1 | Entering interface configuration for port 0/1. This is where you pick the port you want to trunk. |
| Switchport mode trunk | Set port to trunking mode. |
| Switchport trunk encapsulation dot1q | Set trunk type to 802.1q. If your switch only supports either ISL or 802.1q, this command does not exist because there is nothing to specify. This command only works when you can choose between the two. |
| Switchport trunk allow vlan 10-15,20 | Allow only VLANs 10 through 15 and VLAN 20. It is important that you restrict the VLANs to only the ones you need for security best practices. |
| Exit | Exit interface |
| Exit | Exit global configuration |
| Write memory | Commit changes to NVRAM |
Locking down CatOS for security:
| CatOS Command | Description |
| Enable | Switch to enable mode |
| Clear trunk 1/1-2 1-1005 | |
| Clear trunk 2/1-2 1-1005 | |
| Clear trunk 3/1-24 1-1005 | |
| …fill in the pieces… | |
| Clear trunk 12/1-24 1-1005 | |
| Set trunk 1/1-2 off | |
| Set trunk 2/1-2 off | |
| Set trunk 3/1-24 off | |
| Set trunk 4/1-24 off | |
| …fill in the pieces… | |
| Set trunk 9/1-24 off | |
This is an example of how to lock down a Cisco 6500 switch. First it clears VLANs from all ports on a 6500 switch, and then it explicitly disables trunking from every single port. Whether you intend to use trunking on your CatOS switch or not, you would be very wise to implement this lock down on all of your CatOS switches. Otherwise, a hacker can bypass all Layer 3 (firewall) security by simply hopping VLANs. I included this section before the “Configuring CatOS” section because the lockdown needs to be done before any custom configuration is entered.
Although this section is not really mandatory for trunking to function, I felt it would be irresponsible not to include this Layer 2 security lockdown procedure. Although the CatOS switch has a far more streamlined UI compared to the IOS switches, it is notoriously promiscuous with its default settings on VLAN trunking. The trunking auto-negotiation is equally alarming on both the IOS and CatOS switches; if left at the default, it will automatically connect switches as fully enabled and wide open. You would be shocked to see the sloppy Layer 2 security on most networks. If left unchecked, you are not only open to malicious hacks, but someone could accidentally plug in a Cisco switch with a VTP engine and accidentally nuke your network by changing your VLAN configuration.
Configuring CatOS switches:
| CatOS Command | Description |
| Enable | Switch to enable mode |
| Set trunk 1/1 on dot1q 10-15,20 | The “on” switch enables trunking on this port. “Dot1q” sets the port to 802.1q mode. “10-15,20” enables VLAN 10-15 and 20 to be supported on this trunking interface. |
You may find it funny that it was so much work to lock down your switch while it only took one command to enable trunking. If you didn’t bother to follow the lockdown procedure shown above, specifying the “10-15,20” VLAN IDs is useless because it simply adds them to the existing 1-1005 pool, which remains wide open. This behavior of the CatOS is very annoying and insecure by default. The IOS switches, on the other hand, only permit the VLANs you enter last, which also has its user-friendliness downside. On an IOS switch, if you enter “10-15,20” with your “allow VLAN” statement, it nullifies any other allowed VLAN outside of 10-15 and 20. The big plus to this is default security.
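A way to check a saved IOS switch configuration for the two gaps described above, ports left to trunk auto-negotiation and trunks with no allowed VLAN list. This is an added example in Python, not part of the original article or of any Cisco tool; the function names and the sample configuration are constructed, and it assumes that a port with no explicit “switchport mode” line negotiates trunking by default.

```python
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 switchport mode trunk
 switchport trunk allowed vlan 10-15,20
!
interface FastEthernet0/2
 switchport mode trunk
!
interface FastEthernet0/3
!
interface FastEthernet0/4
 switchport mode access
!
"""  # constructed sample, not taken from a real device

def interface_blocks(config_text):
    """Yield (name, body_lines) for each 'interface' stanza of an IOS config."""
    name, body = None, []
    for raw in config_text.splitlines():
        if raw.lower().startswith("interface "):
            if name:
                yield name, body
            name, body = raw.split(None, 1)[1].strip(), []
        elif name and raw[:1] in (" ", "\t"):
            body.append(raw.strip().lower())
        elif name:                      # '!' or a global command ends the stanza
            yield name, body
            name, body = None, []
    if name:
        yield name, body

def audit_trunking(config_text):
    """Return {interface: [findings]} for ports that are open at Layer 2."""
    report = {}
    for name, body in interface_blocks(config_text):
        if "shutdown" in body or "no switchport" in body or name.lower().startswith("vlan"):
            continue                    # disabled, routed, or an SVI: not a switchport
        mode = next((l.split()[2] for l in body if l.startswith("switchport mode ")), None)
        issues = []
        if mode in (None, "dynamic"):   # assumption: no explicit mode means negotiation
            issues.append("trunking left to auto-negotiation")
        if mode == "trunk" and not any(l.startswith("switchport trunk allowed vlan ") for l in body):
            issues.append("trunk has no allowed VLAN list")
        if issues:
            report[name] = issues
    return report

if __name__ == "__main__":
    print(audit_trunking(SAMPLE_CONFIG))
```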
Cisco router configurations
Cisco router configuration for trunking is fundamentally different from Cisco switch configuration. A router encapsulates traffic to be carried on the switch infrastructure and behaves as a multi-homed node on the network, just like a server, workstation, or firewall. A switch is the Layer 2 infrastructure that carries traffic for the VLANs that are allowed and acts as the VLAN traffic director, whereas the router performs a higher layer function as a network gateway that can route Layer 3 traffic. You can basically configure a router with any number of virtual interfaces (AKA sub-interfaces) from a single physical interface and designate the VLAN you want each of those interfaces to be switched to. The switch determines where the traffic from that router’s virtual interface will wind up based on the VLAN ID portion of the 802.1q tag that was inserted into the Ethernet frame header by the router.
Configuring Cisco Routers:
| IOS Command | Description |
| Enable | Switch to enable mode |
| Configure terminal | Switch to global configuration mode |
| Interface FastEthernet0/0.1 | Creates first sub-interface for FastEthernet0/0 |
| Encapsulation dot1q 10 | Injects 802.1q tag with VLAN ID 10 into every frame coming from first sub-interface. |
| IP address 10.1.1.1 255.255.255.0 | Defines IP/mask for this first sub-interface |
| Exit | Exits first sub-interface |
| Interface FastEthernet0/0.2 | Creates second sub-interface for FastEthernet0/0 |
| Encapsulation dot1q 11 | Injects 802.1q tag with VLAN ID 11 into every frame coming from second sub-interface. |
| IP address 10.1.2.1 255.255.255.0 | Defines IP/mask for this second sub-interface |
| Exit | Exits second sub-interface |
| Exit | Exit global config |
| Write memory | Commits changes to NVRAM |
You can continue to add any number of sub-interfaces you need. Once FastEthernet0/0 is connected to a switched port configured for 802.1q trunking as shown in the above switch examples, all the sub-interfaces of FastEthernet0/0 become routable nodes (each can be a default gateway) on the subnets that correspond to their VLANs.
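The 802.1q tag a sub-interface inserts, and the allowed-VLAN decision the switch makes from its VLAN ID, shown as an added Python example that is not part of the original article. It also models the difference described in the switch section between the IOS list (replaces) and the CatOS list (added to 1-1005 unless cleared). The function names, MAC addresses and payload are constructed, and untagged (native VLAN) handling is left out of this simplified model.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q tag

def parse_vlan_list(spec):
    """Expand a list such as '10-15,20' into a set of VLAN IDs."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def tag_frame(dst, src, vlan_id, ethertype, payload, pcp=0):
    """Build an Ethernet frame carrying an 802.1Q tag, as a sub-interface would."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be 1-4094")
    tci = (pcp << 13) | vlan_id          # PCP (3 bits) | DEI (1 bit, 0) | VID (12 bits)
    return dst + src + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload

def vlan_of(frame):
    """Return the VLAN ID of a tagged frame, or None if untagged or truncated."""
    if len(frame) < 18:
        return None
    tpid, tci = struct.unpack("!HH", frame[12:16])
    return tci & 0x0FFF if tpid == TPID_8021Q else None

def trunk_forwards(frame, allowed):
    """Simplified switch decision: forward only tagged frames in the allowed set."""
    vid = vlan_of(frame)
    return vid is not None and vid in allowed

# Constructed sample data: MAC addresses and payload are made up.
DST = bytes.fromhex("ffffffffffff")
SRC = bytes.fromhex("020000000001")
frame_v10 = tag_frame(DST, SRC, 10, 0x0800, b"\x00" * 46)
frame_v500 = tag_frame(DST, SRC, 500, 0x0800, b"\x00" * 46)

ios_allowed = parse_vlan_list("10-15,20")                 # IOS: the list replaces
catos_no_clear = parse_vlan_list("1-1005") | ios_allowed  # CatOS: the list is added
catos_cleared = set() | ios_allowed                       # after "clear trunk ... 1-1005"

if __name__ == "__main__":
    for name, allowed in [("IOS", ios_allowed), ("CatOS, no clear", catos_no_clear),
                          ("CatOS, cleared", catos_cleared)]:
        print(name, trunk_forwards(frame_v10, allowed), trunk_forwards(frame_v500, allowed))
```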
Windows configuration with Intel Pro Series adapters
Conceptually, trunking a Windows workstation or server to a switch is the same as trunking a router to a switch. The only difference is the procedure, and a much easier one I might add. The ubiquitous Intel Pro Series adapters provide a simple to use graphical tool called PROSet that anyone can learn within a minute, even someone who is just winging it. Note that the same Intel adapters with the ANS drivers can provide similar capabilities on Linux. You can get more information on Linux here from Intel.
To get started, simply invoke the Intel PROSet or PROSet II utility (assuming PROSet is installed). This can be done by simply double clicking the PROSet icon in the system tray on the lower right hand corner of the desktop. The following utility should come up.
Next we must add a VLAN interface. Simply right click on Intel adapter with the PCI Card icon and click “Add VLAN”. Note in the following screen capture, the virtual interface for VLAN 100 is already there and we are adding an additional one.
The “Add New VLAN” window comes up. Enter the VLAN ID you want this interface to trunk in to in the ID field, then give it a name that describes the VLAN function. In this case, we will be adding VLAN 69 labeled the Wireless LAB.
Once this is completed and you click “OK”, simply click “Apply” and “OK” on the PROSet window to commit the changes and get out of the PROSet utility. The next step is to configure the virtual interfaces. Simply open up the “Network Connections” window and begin configuring the virtual interface as you would any other physical interface. Note that the interface names already correspond to the names of the VLAN interfaces you added. However, auto-naming only works in Windows XP. Windows 2000 just gives them generic names, so you must add one interface at a time and rename the interface under “Network Connections” before you add another VLAN interface. If you don’t do that, it is impossible to tell which interface goes to which VLAN without some tedious trial and error. One other very important thing to note: the physical interface itself, “Local Area Connection”, is not bound to anything except for the “Intel Advanced Network Services Protocol”. It is not used for anything else and only serves as a host for all of the virtual interfaces; it does not have its own IP address or VLAN.
Just remember that only your primary interface is registered with internal Dynamic DNS and WINS and is the only interface that can have a default gateway. This is the same as when you have multiple physical network interfaces. In both cases whether there are multiple physical or virtual interfaces, you must set manual routes to take advantage of the other non-primary interfaces. This is why in the TCP/IP configuration window above, I deliberately left the Default gateway and DNS settings blank because those settings went on to the VLAN 100 interface. If you put a default gateway on the VLAN 69 interface, it will take over and the default gateway for the VLAN 100 interface will disappear. All the default gateway means is the route for 0.0.0.0 network with mask 0.0.0.0 (which really just means any IP destination) will route to the default gateway. You can easily tell this with the “route print” command.
From this point on, you may add as many VLANs as you need using the example above. The only other thing you should be aware of when dealing with these VLAN interfaces is that you should not “Disable or Enable” them from the “Network Connections” folder; instead, you should manage the interface from the PROSet tool. Disabling or enabling them from “Network Connections” will cause you to encounter some strange behaviors.
Hey George,
I’ve been searching for answers as to why switchport needs to be set as trunk instead of access for a Windows Server. This article enlightens me and it’s quite clear to me now.. thanks so much!
In the VoIP world we often run one network cable to the desktop. One end of the cable is plugged into a PoE Port and the other end of the cable is plugged into one of the two Ethernet Ports of the IP Phone. The IP Phone is programmed with its own Voice VLAN. Next the client’s Desktop/Laptop Computer is plugged into the other Ethernet Port of the IP Phone. The Desktop/Laptop Computer needs to be on its own VLAN, independent from the Voice VLAN. The Desktop/Laptop VLAN cannot be on the “Native” VLAN 1.
If the Desktop/Laptop Computers do not have an Intel Pro Series Network Card how can I set the VLAN on the Desktop/Laptop Computers that are daisy-chained to the IP Phone?
@Greg Pataky
Greg- Did you figure this out? I am going to be installing IP phones and have the exact same question.
Simply configure on the switchports the access vlan for the PC/Laptop clients, then assign a Voice vlan for the phone, e.g.:
interface Fa0/1
 switchport mode access
 ! PC/Laptops etc
 switchport access vlan 12
 ! Phones
 switchport voice vlan 812
@Sean
Most IP phones allow you to set the Voice VLAN to something other than the default. You would leave your “data” VLAN as 1, the default, and make your voice VLAN 20 (for example.) You configure your phone to run on VLAN 20. If you connect a trunked line to a PC it will use the default VLAN, which would be your data VLAN.
The only trick is how to assign the IP address to the phone. You can do this manually, which is a pain. With ShoreTel phones you set an option (156 I believe) that causes it to request a DHCP address from an alternate scope, which you have to then set up properly on your DHCP server. The DHCP server needs to be on the data VLAN, the phones boot on the data VLAN, do their DHCP request, get a response with an IP address on the voice VLAN, they then reboot onto the voice VLAN. The process for other phones may vary. Remember, all of your VoIP equipment must be on the voice VLAN.
Michelle Obama gave advice. She did not give advise. Someone could ask her to advise . . .