
Implementing VLAN trunking

Contents

  • Introduction
  • Cisco switch configurations
  • Cisco router configurations
  • Windows configuration with Intel Pro Series adapters

Introduction
In my last article, “Introduction to VLAN trunking”, I whetted your appetite for a hot new technology that is revolutionizing the way network topologies are designed and interconnected. In this piece, I will show you how to actually implement this technology on the three most common types of equipment you will come across: Cisco switches, Cisco routers, and servers or workstations running the Windows operating system. The only prerequisite for this article is a basic working knowledge of switches, routers, and PCs running Windows for their respective sections. A network diagram of the lab environment built in this article accompanies it. Note that the examples I use are based on the 802.1q standard.

Cisco switch configurations
Cisco switches primarily come in two flavors, CatOS (Catalyst OS) and IOS (Internetworking OS). Although Cisco is trying to migrate almost everything to the IOS type of operating system on their equipment, there is still a large installed base of CatOS switches. Cisco’s flagship 6500 series switch can actually run CatOS or IOS, but most people I know run CatOS on the 6500s. Smaller switches like the 2950 and the 3550 all run IOS. Then there is the oddball 2948g-L3, which really is more of a router than a switch (the 2948 without the “L3” is a normal IOS switch); refer to the next section on routers for its configuration.

Note: In many ways, I personally love CatOS over IOS for its UI’s (User Interface) superior method of entering system configuration. For example, if you ever need to apply a common configuration to 48 Ethernet ports on module 4, you simply apply a command to “4/1-48”. On the IOS UI, you would need to enter each interface for all 48 ports and apply 96 individual commands vs. one command on CatOS! Viewing the configuration on IOS is equally bloated.

Here is a breakdown of trunking support for the various Cisco switches:

  IOS                                      CatOS
  ---------------------------------------  ---------------------------------------
  2900 Series (on some IOS versions)       2980 (same IOS image as the 4000)
  2948 (non-L3)                            4000 Series
  2950 Series                              5000 and 5500 Series
  3548                                     6000 and 6500 Series
  3550 Series
  6500 running IOS

To set up trunking on CatOS or IOS Cisco switches, the port that needs to be trunked must be configured for the right kind of VLAN trunking. Note that not every module and interface on a switch supports trunking; the switch will give you an error message if you try to set an unsupported port for trunking, so you may need to look up the port capabilities for each port.

Here is the configuration guide for both IOS and CatOS.

Configuring and locking down IOS switches:

  IOS Command                               Description
  ----------------------------------------  -----------------------------------------------------------------
  enable                                    Switch to enable mode
  configure terminal                        Enter global configuration mode
  interface FastEthernet0/1                 Enter interface configuration for port 0/1. This is where you pick the port you want to trunk.
  switchport mode trunk                     Set the port to trunking mode.
  switchport trunk encapsulation dot1q      Set the trunk type to 802.1q. If your switch supports only one of ISL or 802.1q, this command does not exist because there is nothing to specify. It only works when you can choose between the two.
  switchport trunk allowed vlan 10-15,20    Allow only VLANs 10 through 15 and VLAN 20. As a security best practice, it is important to restrict the VLANs to only the ones you need.
  exit                                      Exit interface configuration
  exit                                      Exit global configuration
  write memory                              Commit changes to NVRAM

Locking down CatOS for security:

  CatOS Command                   Description
  ------------------------------  ----------------------
  enable                          Switch to enable mode
  clear trunk 1/1-2 1-1005        Remove all VLANs (1-1005) from the trunk list of the listed ports
  clear trunk 2/1-2 1-1005
  clear trunk 3/1-24 1-1005
  …fill in the pieces…
  clear trunk 12/1-24 1-1005
  set trunk 1/1-2 off             Explicitly disable trunking on the listed ports
  set trunk 2/1-2 off
  set trunk 3/1-24 off
  set trunk 4/1-24 off
  …fill in the pieces…
  set trunk 9/1-24 off
This is an example of how to lock down a Cisco 6500 switch. First it clears VLANs from all ports on a 6500 switch, and then it explicitly disables trunking from every single port. Whether you intend to use trunking on your CatOS switch or not, you would be very wise to implement this lock down on all of your CatOS switches. Otherwise, a hacker can bypass all Layer 3 (firewall) security by simply hopping VLANs. I included this section before the “Configuring CatOS” section because the lockdown needs to be done before any custom configuration is entered.

Although this section is not strictly mandatory for trunking to function, I felt it would be irresponsible not to include this Layer 2 security lockdown procedure. Although the CatOS switch has a far more streamlined UI than the IOS switches, it is notoriously promiscuous in its default VLAN trunking settings. The trunking auto-negotiation is equally alarming on both IOS and CatOS switches: if left at its default, it will automatically connect switches as fully enabled and wide open. You would be shocked to see the sloppy Layer 2 security on most networks. If left unchecked, you are not only open to malicious hacks, but someone could accidentally plug in a Cisco switch with a VTP engine and nuke your network by changing your VLAN configuration.

Configuring CatOS switches:

  CatOS Command                     Description
  --------------------------------  ----------------------------------------------------------
  enable                            Switch to enable mode
  set trunk 1/1 on dot1q 10-15,20   The “on” switch enables trunking on this port. “dot1q” sets the port to 802.1q mode. “10-15,20” enables VLANs 10-15 and 20 on this trunking interface.

You may find it funny that it was so much work to lock down your switch while it took only one command to enable trunking. If you didn’t bother to follow the lockdown procedure shown above, specifying the “10-15,20” VLAN IDs is useless, because it simply adds them to the existing 1-1005 pool, which remains wide open. This CatOS behavior is very annoying and insecure by default. The IOS switches, on the other hand, permit only the VLANs you entered last, which has its own user-friendliness downside: on an IOS switch, if you enter “10-15,20” in your “allowed vlan” statement, it nullifies any previously allowed VLAN outside 10-15 and 20. The big plus of this is security by default.
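The difference between the two operating systems is easiest to see when the allowed-VLAN list is modelled as a set. The following Python is an added example, not code from the original article: it models a CatOS trunk port whose default pool is 1-1005 and whose “set trunk” is additive and “clear trunk” subtractive, and an IOS trunk port whose “switchport trunk allowed vlan” replaces the list while the “add” form extends it (the IOS default of all VLANs, 1-4094, is a known default rather than something the article states). The class and function names are this example’s own; it shows why a CatOS “set trunk … 10-15,20” without the preceding clear leaves the port wide open, and serves as the worked illustration for both the lockdown section and this paragraph.

```python
"""Model of allowed-VLAN semantics on CatOS and IOS trunk ports (added example)."""

CATOS_DEFAULT_POOL = "1-1005"   # CatOS allows every VLAN on a trunk by default
IOS_DEFAULT_POOL = "1-4094"     # IOS default is "all" VLANs (known default, not from the article)


def parse_vlan_list(spec: str) -> set[int]:
    """Expand a Cisco-style VLAN list such as "10-15,20" into a set of IDs."""
    vlans: set[int] = set()
    for part in spec.replace(" ", "").split(","):
        if not part:
            continue
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            if lo > hi:
                raise ValueError(f"bad range {part!r}")
            vlans.update(range(lo, hi + 1))
        else:
            vlans.add(int(part))
    return vlans


class CatOSTrunkPort:
    """CatOS: 'set trunk' adds to the existing pool, 'clear trunk' removes from it."""

    def __init__(self) -> None:
        self.allowed = parse_vlan_list(CATOS_DEFAULT_POOL)
        self.trunking = "auto"   # default mode negotiates a trunk with any peer

    def clear_trunk(self, spec: str) -> None:
        self.allowed -= parse_vlan_list(spec)

    def set_trunk_off(self) -> None:
        self.trunking = "off"

    def set_trunk_on(self, spec: str) -> None:
        self.trunking = "on"
        self.allowed |= parse_vlan_list(spec)


class IOSTrunkPort:
    """IOS: 'allowed vlan X' replaces the list, 'allowed vlan add X' extends it."""

    def __init__(self) -> None:
        self.allowed = parse_vlan_list(IOS_DEFAULT_POOL)

    def allowed_vlan(self, spec: str) -> None:
        self.allowed = parse_vlan_list(spec)

    def allowed_vlan_add(self, spec: str) -> None:
        self.allowed |= parse_vlan_list(spec)


def catos_without_lockdown() -> set[int]:
    """Skipping the clear: the 1-1005 pool survives and the port stays wide open."""
    port = CatOSTrunkPort()
    port.set_trunk_on("10-15,20")
    return port.allowed


def catos_with_lockdown() -> set[int]:
    """Clear everything, disable trunking, then enable only the VLANs needed."""
    port = CatOSTrunkPort()
    port.clear_trunk("1-1005")
    port.set_trunk_off()
    port.set_trunk_on("10-15,20")
    return port.allowed


def ios_replace_then_add() -> tuple[set[int], set[int]]:
    """IOS replace semantics, then the additive form for comparison."""
    port = IOSTrunkPort()
    port.allowed_vlan("10-15,20")   # replaces: only 10-15 and 20 remain
    first = set(port.allowed)
    port.allowed_vlan_add("30")     # extends without dropping the others
    return first, set(port.allowed)


if __name__ == "__main__":
    print("CatOS, no lockdown:", len(catos_without_lockdown()), "VLANs allowed")
    print("CatOS, locked down:", sorted(catos_with_lockdown()))
    first, second = ios_replace_then_add()
    print("IOS replace:", sorted(first), "then add:", sorted(second))
```

Running it shows 1005 VLANs still allowed on the un-locked CatOS port versus the seven you intended, and on IOS the replace form dropping everything outside the list you typed.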

Cisco router configurations
Cisco router configuration for trunking is fundamentally different from Cisco switch configuration. A router encapsulates traffic to be carried on the switch infrastructure and behaves as a multi-homed node on the network, just like a server, workstation, or firewall. A switch is the infrastructure that carries traffic for the VLANs it allows at Layer 2, acting as the VLAN traffic director, whereas the router performs a higher-layer function as a network gateway that routes Layer 3 traffic. You can configure a router with any number of virtual interfaces (also known as sub-interfaces) on a single physical interface and designate the VLAN each of them should be switched into. The switch determines where the traffic from a router sub-interface winds up based on the VLAN ID portion of the 802.1q tag that the router inserted into the Ethernet frame header.

Configuring Cisco routers:

  IOS Command                             Description
  --------------------------------------  ------------------------------------------------------------------------
  enable                                  Switch to enable mode
  configure terminal                      Switch to global configuration mode
  interface FastEthernet0/0.1             Creates the first sub-interface of FastEthernet0/0
  encapsulation dot1q 10                  Injects an 802.1q tag with VLAN ID 10 into every frame leaving the first sub-interface
  ip address 10.1.1.1 255.255.255.0       Defines the IP address/mask for the first sub-interface
  exit                                    Exits the first sub-interface
  interface FastEthernet0/0.2             Creates the second sub-interface of FastEthernet0/0
  encapsulation dot1q 11                  Injects an 802.1q tag with VLAN ID 11 into every frame leaving the second sub-interface
  ip address 10.1.2.1 255.255.255.0       Defines the IP address/mask for the second sub-interface
  exit                                    Exits the second sub-interface
  exit                                    Exits global configuration
  write memory                            Commits changes to NVRAM

You can continue to add as many sub-interfaces as you need. Once FastEthernet0/0 is connected to a switch port configured for 802.1q trunking as shown in the switch examples above, every sub-interface of FastEthernet0/0 becomes a routable node (and can serve as the default gateway) on the subnet that corresponds to its VLAN.
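What “encapsulation dot1q 10” actually does to a frame is a four-byte insertion between the source MAC and the EtherType. The following Python is an added example, not code from the original article: it builds a plain Ethernet II frame, inserts the 802.1Q tag the way a router sub-interface does, parses it back out (which is what the switch does to pick the VLAN), and strips it (which is what an access port does before handing the frame to a host). The tag layout (TPID 0x8100, 3-bit priority, 1-bit DEI, 12-bit VLAN ID) is from IEEE 802.1Q; the MAC addresses, the payload and the function names are constructed for this example.

```python
"""Building and reading the 802.1Q tag a router sub-interface inserts (added example)."""
import struct

TPID_8021Q = 0x8100        # EtherType value that announces an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800
# Constructed sample addresses: the router's FastEthernet0/0 and a host on VLAN 10
ROUTER_MAC = bytes.fromhex("00112233aabb")
HOST_MAC = bytes.fromhex("00aabbccddee")


def untagged_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    """Plain Ethernet II frame: dst(6) src(6) type(2) payload."""
    return dst + src + struct.pack("!H", ethertype) + payload


def tag_frame(frame: bytes, vlan_id: int, priority: int = 0, dei: int = 0) -> bytes:
    """Insert an 802.1Q tag after the source MAC, as 'encapsulation dot1q <id>' does."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be 1-4094")
    if not 0 <= priority <= 7:
        raise ValueError("priority is a 3-bit field")
    tci = (priority << 13) | ((dei & 1) << 12) | vlan_id   # Tag Control Information
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def parse_frame(frame: bytes) -> dict:
    """Return header fields; vlan_id is None when the frame carries no tag."""
    if len(frame) < 14:
        raise ValueError("truncated frame")
    dst, src = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    vlan_id = priority = None
    offset = 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci = struct.unpack("!H", frame[14:16])[0]
        priority = tci >> 13
        vlan_id = tci & 0x0FFF
        ethertype = struct.unpack("!H", frame[16:18])[0]   # the real EtherType follows the tag
        offset = 18
    return {"dst": dst.hex(), "src": src.hex(), "vlan_id": vlan_id,
            "priority": priority, "ethertype": ethertype, "payload": frame[offset:]}


def strip_tag(frame: bytes) -> bytes:
    """Remove the tag, as an access port does when handing the frame to a host."""
    if len(frame) < 18 or struct.unpack("!H", frame[12:14])[0] != TPID_8021Q:
        return frame
    return frame[:12] + frame[16:]


def demo() -> dict:
    """Tag a frame leaving sub-interface FastEthernet0/0.1 (VLAN 10) and read it back."""
    payload = b"\x45" + b"\x00" * 19          # constructed stand-in for an IPv4 packet
    plain = untagged_frame(HOST_MAC, ROUTER_MAC, ETHERTYPE_IPV4, payload)
    tagged = tag_frame(plain, vlan_id=10)
    parsed = parse_frame(tagged)
    parsed["tag_len"] = len(tagged) - len(plain)
    parsed["roundtrip_ok"] = strip_tag(tagged) == plain
    return parsed


if __name__ == "__main__":
    result = demo()
    print(f"VLAN {result['vlan_id']}, EtherType 0x{result['ethertype']:04x}, "
          f"tag adds {result['tag_len']} bytes, roundtrip ok: {result['roundtrip_ok']}")
```

The parser is also what you would run over a capture on the trunk to confirm that frames from each sub-interface carry the VLAN ID you configured, and that frames on an access port arrive with no tag at all.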

Windows configuration with Intel Pro Series adapters
Conceptually, trunking a Windows workstation or server to a switch is the same as trunking a router to a switch. The only difference is the procedure, and a much easier one, I might add. The ubiquitous Intel Pro Series adapters provide a simple graphical tool called PROSet that anyone can learn within a minute, even someone who is just winging it. Note that the same Intel adapters with the ANS drivers provide similar capabilities on Linux; Intel publishes more information on the Linux drivers.

To get started, simply invoke the Intel PROSet or PROSet II utility (assuming PROSet is installed). This can be done by double-clicking the PROSet icon in the system tray in the lower right-hand corner of the desktop. The PROSet utility window should come up.

Next we must add a VLAN interface. Simply right-click the Intel adapter with the PCI card icon and click “Add VLAN”. In the lab, the virtual interface for VLAN 100 is already there and we are adding an additional one.

The “Add New VLAN” window comes up. Enter the VLAN ID you want this interface to trunk in to in the ID field, then give it a name that describes the VLAN function. In this case, we will be adding VLAN 69 labeled the Wireless LAB.

Once this is completed and you click “OK”, simply click “Apply” and “OK” in the PROSet window to commit the changes and leave the PROSet utility. The next step is to configure the virtual interfaces. Open the “Network Connections” window and configure each virtual interface as you would any physical interface. Note that the interface names already correspond to the names of the VLAN interfaces you added. However, auto-naming only works in Windows XP. Windows 2000 just gives them generic names, so you must add one interface at a time and rename it under “Network Connections” before you add another VLAN interface. If you don’t do that, it is impossible to tell which interface goes to which VLAN without some tedious trial and error. One other very important thing to note: the physical interface itself, “Local Area Connection”, is not bound to anything except the “Intel Advanced Network Services Protocol”. It is not used for anything else, only serves as a host for all of the virtual interfaces, and does not have its own IP address or VLAN.

Just remember that only your primary interface is registered with internal Dynamic DNS and WINS, and it is the only interface that can have a default gateway. This is the same as when you have multiple physical network interfaces. In both cases, whether the interfaces are physical or virtual, you must set manual routes to take advantage of the non-primary interfaces. This is why, in the TCP/IP configuration window for the VLAN 69 interface, I deliberately left the default gateway and DNS settings blank: those settings went on the VLAN 100 interface. If you put a default gateway on the VLAN 69 interface, it will take over and the default gateway for the VLAN 100 interface will disappear. All the default gateway means is that the route for network 0.0.0.0 with mask 0.0.0.0 (which really just means any IP destination) points at the default gateway. You can easily see this with the “route print” command.

From this point on, you may add as many VLANs as you need using the example above. The only other thing you should be aware of when dealing with these VLAN interfaces is that you should not disable or enable them from the “Network Connections” folder; instead, manage the interface from the PROSet tool. Disabling or enabling them from “Network Connections” will cause you to encounter some strange behaviors.

  1. newbie
    October 24th, 2009 at 10:52 | #1

    Hey George,
    I’ve been searching for answers as to why switchport needs to be set as trunk instead of access for a Windows Server. This article enlightens me and it’s quite clear to me now.. thanks so much!

  2. Greg Pataky
    January 8th, 2010 at 06:29 | #2

    In the VoIP world we often run one network cable to the desktop. One end of the cable is plugged into a PoE Port and the other end of the cable is plugged into one of the two Ethernet Ports of the IP Phone. The IP Phone is programmed with its own Voice VLan. Next the client's Desktop/Laptop Computer is plugged into the other Ethernet Port of the IP Phone. The Desktop/Laptop Computer needs to be on its own VLAN, independent from the Voice VLan. The Desktop/Laptop VLAN cannot be on the “Native” VLan 1.

    If the Desktop/Laptop Computers do not have an Intel Pro Series Network Card how can I set the VLAN on the Desktop/Laptop Computers that are daisy-chained to the IP Phone?

  3. Sean
    January 14th, 2010 at 06:49 | #3

    @Greg Pataky
    Greg- Did you figure this out? I am going to be installing IP phones and have the exact same question.

  4. Simon B
    February 1st, 2010 at 07:55 | #4

    Simply configure on the switchports then access vlan for the PC/Laptop clients then assign a Voice vlan for the phone e.g. :

    Fa0/1
    Switchport mode access
    switchport access vlan 12 (PC/Laptops etc)
    switchport voice vlan 812 (Phones)

  5. Mike Burroughs
    February 23rd, 2010 at 19:17 | #5

    @Sean
    Most IP phones allow you to set the Voice VLAN to something other than the default. You would leave your “data” VLAN as 1, the default, and make your voice VLAN 20 (for example.) You configure your phone to run on VLAN 20. If you connect a trunked line to a PC it will use the default VLAN, which would be your data VLAN.

    The only trick is how to assign the IP address to the phone. You can do this manually, which is a pain. With ShoreTel phones you set an option (156 I believe) that causes it to request a DHCP address from an alternate scope, which you have to then set up properly on your DHCP server. The DHCP server needs to be on the data VLAN, the phones boot on the the data VLAN, do their DHCP request, get a response with an IP address on the voice VLAN, they then reboot onto the voice VLAN. The process for other phones may vary. Remember, all of your VoIP equipment must be on the voice VLAN.

  6. Bob Caulk
    March 3rd, 2010 at 14:49 | #6

    Michelle Obama gave advice. She did not give advise. Someone could ask her to advise . . .

  7. March 24th, 2010 at 04:22 | #7

    Can someone help with the reasons for network trunking? They should be brief…..

  8. Dani Cailin
    March 30th, 2010 at 11:35 | #8

    You use Vlans to logically separate networks and network traffic. You use trunks to send multiple vlans down a single port/cable to a location where you need access to more than one vlan. Data and voice separation are a common use. Large network configs may have hundreds of vlans on a ten gig trunk between core routers, and then smaller trunks out to various distribution routers.

    In a PC world you may have a PC used for remote administration that needs access to several different logical networks. You do not want a separate NIC for each network so bringing those vlans in on a trunk port allows it to be on a single fiber or cat 5 to the PC.

  9. Andy Raven
    April 9th, 2010 at 13:44 | #9

    @Mike Burroughs
    It’s option 191 with dhcp, although it’s a horrible way to do it because it pollutes the arp cache on the router (assuming it’s performing as a dhcp server proxy with an ip helper address), the default arp refresh for cisco is normally 4 hours.

  10. Scott
    May 1st, 2010 at 06:26 | #10

    I’ve had a situation in the past where we could change the IP address of a PC to another VLAN IP range and it would connect on whatever VLAN we changed the IP to. This would be very handy for configuring new PCs to be placed on the network, but it was noticed as an oddity and was corrected. I know the Cisco IOS switch port was trunked in some way, but I’m having trouble replicating it. Is there a way to do this, or was it something that shouldn’t have ever worked in the first place?

  11. NetEng
    May 11th, 2010 at 08:43 | #11

    @Mike Burroughs
    We use this configuration in our enterprise network for literally hundreds of phones. The IP phone is on the PoE Cisco switch and the PC is plugged into the phone. Mike B is correct: when our phones boot they actually use the data Vlan that the PC will eventually use, and the phone gets options passed to it that tell it various information about the voice Vlan settings. I believe it is option 176 though in DHCP. The phone is told to switch to tagging the same as the voice vlan, its tftp server for its image, its CLAN it's supposed to talk to, etc. Then it drops from the data vlan and connects on the voice vlan; meanwhile it starts passing the data vlan information for the PC so it can get DHCP and get on the network. The trick is, both the data and the voice Vlans need to have the same 176 settings: since the phone comes up initially using the data vlan, the voice options need to be there, and then when it changes to the voice Vlan, they need to be there in case the phone goes into discovery mode and the DHCP needs to answer it on the voice vlan. Hope that clears some things up for some, granted though this may not be the norm everywhere. Implementations will always vary.

  13. Andy Raven
    August 14th, 2010 at 16:55 | #13

    @NetEng
    Please read my comment, otherwise my finger exercise is wasted. Option 176 seems to only apply to Avaya phones. Option 191 works for Nortel, Polycom, Cisco etc..
    However, if you use this configuration on your “enterprise network” then it really is badly organised. You miss the whole point of using this option, which is basically because you are using switches that can’t do CDP or LLDP.
    Using these options pollutes the ARP cache: the phones are temporarily handed data IP addresses, these MAC-address translations are stored in the router for a set period of time, and any incoming NAT relies on this DB. For many devices to “temporarily” gain data IP addresses means you have to decrease the ARP refresh on the router, which uses up vital CPU power. This has happened on a number of VoIP installations we have performed where the customer thought they were being clever, and it has taken days for us to diagnose the issue.
    For any “enterprise network”, CDP is the preferred way. When you state you have PoE Cisco switches then you would have to be completely stupid to not use the default CDP config on the switch, or am I missing something? If your IP phones do not support CDP then you should have waited longer to upgrade.

    I beg people to ignore the above comments and not use these data DHCP options, they are crude, primitive, and designed for companies with a lacking switch infrastructure or simply do not understand networks.
    Andy

  14. August 26th, 2010 at 07:41 | #14

    Actually, the data passed to the phones via DHCP varies from manufacturer to manufacturer and how they implement various settings.

    Here’s a fairly complete list:
    http://www.networksorcery.com/enp/protocol/bootp/options.htm

  15. Mark Levy
    October 28th, 2010 at 12:22 | #15

    You wrote:
    On the IOS UI, you would need to enter each interface for all 48 ports and apply 96 individual commands vs. one command on the CatOS!

    Actually, on IOS switches, that’s not correct: For example, if you wanted to set all 48 ports on a 2960S to access ports for vlan 120 (or as many common commands for all interfaces that you wanted), you would simply enter a range like this:

    config t
    int range gi1/0/1 - 48
    switchport mode access
    switchport access vlan 120
    exit

    But thanks so much for your articles!

  16. xtropx
    December 12th, 2010 at 11:25 | #16

    So wait? If the NICs on your PCs do not support adding the VLAN tag, VLAN’s do not work? Seems kind of pointless to have that extra configuration step….

  17. lsf
    December 20th, 2010 at 12:32 | #17

    @xtropx
    That is why you have vlan access ports.
    An access port adds the vlan tag on packets entering that port and strips the vlan tag on packets leaving the same port.

  18. Kysersosai
    January 27th, 2011 at 12:44 | #18

    does anyone know where i can get the proset drivers for x64

    thanks

  19. Mike
    July 22nd, 2011 at 10:01 | #19

    I have an issue where I've a 1900 series router and the ISP has configured a L2 link to HQ.
    There are 3 VLANs on the one port that they have presented to me.

    Normally I'd just do sub-interfaces on the router port and then configure those interfaces with VLAN tag and encapsulation dot1q. However the ISP say that they just need the VLAN numbers and no encapsulation. I don't know how to do this short of just connecting a switch.

    I have to use the router as the client has bought it.
    I have a WIC 4ESW.
    I must route subnets, any ideas?

  20. bharat
    August 19th, 2011 at 08:57 | #20

    good one

  21. keyvan
    May 31st, 2012 at 22:56 | #21

    Hi,
    what's the difference between:

    Switchport trunk allow vlan 10-15,20

    &

    Switchport trunk allow vlan add 10-15,20

  22. Rakesh
    November 11th, 2012 at 13:23 | #22

    Switchport trunk allow vlan 10-15,20
    will overwrite any existing configuration on the trunk port

    Switchport trunk allow vlan add 10-15,20
    this will add to existing vlans

    Careful using the first [without the add] on production switch trunks as it will stop the traffic of all vlans currently traversing the trunk.

  23. January 16th, 2013 at 14:35 | #23

    It’s very effortless to find out any matter on web as compared to books, as I found this piece of writing at this web site.

  24. Lawrence
    February 28th, 2014 at 09:42 | #24

    Hi. My name is Lawrence, and I am a student. I am having a problem configuring a switch on Packet Tracer. I keep getting CDP mismatch messages. What can I do to resolve this issue?
    Lawrence
