WEBVTT

0:00:02.620000 --> 0:00:06.420000
In this video, I'd like to do just a quick review of what VLAN trunks

0:00:06.420000 --> 0:00:11.640000
are and how you configure VLAN trunks in Cisco IOS.

0:00:11.640000 --> 0:00:15.680000
So first of all, let's just do a quick review of what a trunk port or

0:00:15.680000 --> 0:00:17.320000
a trunk interface is.

0:00:17.320000 --> 0:00:21.780000
A trunk interface is simply an interface that can carry traffic that belongs

0:00:21.780000 --> 0:00:24.620000
to two or more VLANs, not just one.

0:00:24.620000 --> 0:00:29.120000
If we have an interface that's switchport mode access, it only is in

0:00:29.120000 --> 0:00:33.440000
one broadcast domain carrying traffic belonging to one VLAN, not so with

0:00:33.440000 --> 0:00:41.180000
a trunk port. With a trunk port, by default, all the VLAN traffic is carried

0:00:41.180000 --> 0:00:45.180000
across it. So what that means is if you and I are switches and we are

0:00:45.180000 --> 0:00:47.820000
connected via trunks, if my interface and your interface are configured

0:00:47.820000 --> 0:00:54.580000
for trunking, that means whatever VLANs I'm aware of, remember, the range

0:00:54.580000 --> 0:00:58.040000
of VLANs is from 1 to 4,094.

0:00:58.040000 --> 0:01:01.640000
There's about five VLANs or so in the middle there that you can't use,

0:01:01.640000 --> 0:01:06.040000
but that is several thousand VLANs that could potentially be configured.

0:01:06.040000 --> 0:01:10.520000
Well, only the VLANs that have been configured that are active on me are

0:01:10.520000 --> 0:01:11.980000
allowed across this trunk.

0:01:11.980000 --> 0:01:16.240000
So if I'm aware of VLANs 1 through 300 because that's what's known to

0:01:16.240000 --> 0:01:25.440000
me when I do show vlan, that is what I can carry to you on my VLAN trunk.
0:01:25.440000 --> 0:01:30.780000
Okay, pretty much the default way that trunks carry VLANs these days is

0:01:30.780000 --> 0:01:36.740000
by encapsulating or tagging those frames using something called 802.1Q.

0:01:36.740000 --> 0:01:38.880000
Just a quick review right here.

0:01:38.880000 --> 0:01:48.160000
So if I have switch 1 and switch 2, if switch 1 is carrying a frame, now

0:01:48.160000 --> 0:01:57.040000
maybe when that frame came in, it came in a port that was in VLAN 77.

0:01:57.040000 --> 0:02:01.620000
Well, as it goes across that trunk, we need to somehow make switch 2 aware

0:02:01.620000 --> 0:02:05.400000
that that frame belongs to that broadcast domain, that belongs to VLAN

0:02:05.400000 --> 0:02:10.520000
77. The way that 802.1Q does that is very simple.

0:02:10.520000 --> 0:02:15.760000
It takes your frame, which is normally composed of your Ethernet preamble,

0:02:15.760000 --> 0:02:20.920000
followed by your Ethernet destination MAC address, followed by your Ethernet

0:02:20.920000 --> 0:02:23.100000
source MAC address.

0:02:23.100000 --> 0:02:26.920000
And normally what we would find right after the source MAC address is

0:02:26.920000 --> 0:02:31.480000
an EtherType value or an EtherType code indicating what is this Ethernet

0:02:31.480000 --> 0:02:36.540000
frame carrying. Is it carrying ARP, IPv4, IPv6, what kind of protocols

0:02:36.540000 --> 0:02:37.860000
is it carrying?

0:02:37.860000 --> 0:02:42.240000
Well, when an Ethernet frame goes across a trunk, that type code is moved

0:02:42.240000 --> 0:02:56.660000
over, so I'll just say that we insert a special field called the 802.1Q tag

0:02:56.660000 --> 0:03:08.080000
in front of it. This 802.1Q tag is divided into about three or four separate

0:03:08.080000 --> 0:03:16.200000
fields. The main fields you need to be aware of are: we have the VLAN identifier,

0:03:16.200000 --> 0:03:18.700000
and we have a priority.
0:03:18.700000 --> 0:03:23.140000
So the priority is used if you want to do quality of service.

0:03:23.140000 --> 0:03:27.400000
If you want to do QoS over your trunk and say, oh, well, traffic on this VLAN

0:03:27.400000 --> 0:03:31.500000
is more or less important than traffic on another VLAN, you can raise

0:03:31.500000 --> 0:03:34.180000
or lower your priority bits to accomplish that.

0:03:34.180000 --> 0:03:38.340000
The main thing I want to recall as a refresher is the VLAN field.

0:03:38.340000 --> 0:03:42.100000
So in this particular case, we would populate the VLAN field with the

0:03:42.100000 --> 0:03:49.520000
number 77 to enter and indicate that this frame belongs to VLAN 77.

0:03:49.520000 --> 0:03:54.460000
So most of your traffic going across the trunk is going to have this 802

0:03:54.460000 --> 0:03:59.860000
.1Q tag applied to it, which is going to tell what VLAN that frame belongs

0:03:59.860000 --> 0:04:07.100000
to. Except frames belonging to one special VLAN, which is the native VLAN.

0:04:07.100000 --> 0:04:13.020000
So let's do a quick review refresher on the native VLAN.

0:04:13.020000 --> 0:04:17.540000
So traffic that goes across the native VLAN does not have that tag applied.

0:04:17.540000 --> 0:04:21.800000
It just goes across as native Ethernet frames, no tag.

0:04:21.800000 --> 0:04:26.540000
By default, VLAN 1 is the native VLAN.

0:04:26.540000 --> 0:04:28.860000
Now, everybody knows this.

0:04:28.860000 --> 0:04:32.860000
There have been some creative and ingenious network attacks that have

0:04:32.860000 --> 0:04:35.360000
been built based on this knowledge.

0:04:35.360000 --> 0:04:39.120000
So because of that, Cisco and most other vendors recommend that if you're

0:04:39.120000 --> 0:04:42.480000
going to have a trunk between two switches or between a switch and a router

0:04:42.480000 --> 0:04:46.840000
or even a switch and a server, you should not leave VLAN 1 as the native

0:04:46.840000 --> 0:04:50.840000
VLAN. You should change it to some other VLAN, which can be done with this

0:04:50.840000 --> 0:04:51.800000
command right here.

0:04:51.800000 --> 0:04:55.640000
switchport trunk native vlan, and then use some other VLAN as your native

0:04:55.640000 --> 0:05:01.240000
VLAN. Key point: if you do decide to change it, which is recommended, the

0:05:01.240000 --> 0:05:04.740000
native VLAN has to match on both sides of the trunk.

0:05:04.740000 --> 0:05:07.480000
If it doesn't match, you will have problems.

0:05:07.480000 --> 0:05:08.460000
What kind of problems, Keith?

0:05:08.460000 --> 0:05:10.600000
Well, let's just talk about that real quick.

0:05:10.600000 --> 0:05:16.040000
If I have switch one right here and I have switch two right here, let's

0:05:16.040000 --> 0:05:20.160000
say I have, this is my VLAN 1 in red.

0:05:20.160000 --> 0:05:22.520000
So this is a bunch of hosts in VLAN 1.

0:05:22.520000 --> 0:05:28.240000
Then I also have a bunch of hosts in VLAN 2.

0:05:28.240000 --> 0:05:34.820000
Then I decide to trunk between these guys and say, oh, that's right.

0:05:34.820000 --> 0:05:38.140000
I remember Keith telling me that I should not have VLAN 1 as my native

0:05:38.140000 --> 0:05:43.420000
VLAN. So on this port right here, we go there and we change the native

0:05:43.420000 --> 0:05:52.740000
VLAN to two. But we forget to do it on the other side.

0:05:52.740000 --> 0:06:00.680000
So I'll just say native VLAN equals default, which is one.

0:06:00.680000 --> 0:06:07.780000
Well, now we're going to have some issues.

0:06:07.780000 --> 0:06:11.420000
Because if this frame is transmitted out here, so if a frame comes into

0:06:11.420000 --> 0:06:15.240000
switch one belonging to VLAN 1, and he says, oh, I need to send that across

0:06:15.240000 --> 0:06:17.440000
the trunk, he will not tag it.

0:06:17.440000 --> 0:06:20.480000
He will leave it alone because from his perspective, that is the native

0:06:20.480000 --> 0:06:25.160000
VLAN. But once that gets over to switch two, when he sees a frame without

0:06:25.160000 --> 0:06:28.940000
a tag, he's going to assume it belongs to VLAN 2.

0:06:28.940000 --> 0:06:34.020000
So that frame will now go into the wrong broadcast domain, basically bridging

0:06:34.020000 --> 0:06:37.840000
together VLAN 1 and VLAN 2.

0:06:37.840000 --> 0:06:41.200000
What about frames going in the opposite direction?

0:06:41.200000 --> 0:06:43.420000
That's going to be kind of interesting as well.

0:06:43.420000 --> 0:06:50.420000
For example, well, let's say a frame comes in this way.

0:06:50.420000 --> 0:06:53.500000
Okay, switch two says, oh, I have a frame from VLAN 1.

0:06:53.500000 --> 0:06:54.740000
I need to send it across my trunk.

0:06:54.740000 --> 0:06:57.580000
Well, VLAN 1 is not my native VLAN.

0:06:57.580000 --> 0:06:59.720000
It's been configured to be something else.

0:06:59.720000 --> 0:07:02.740000
So he's going to send it across this way, and he's going to put that tag

0:07:02.740000 --> 0:07:07.740000
in it. Because after all, VLAN 1 is not the native.

0:07:07.740000 --> 0:07:10.940000
And he's going to say, hey, this frame belongs to VLAN 1.

0:07:10.940000 --> 0:07:13.220000
What's this guy going to do when he sees it?

0:07:13.220000 --> 0:07:14.800000
You're going to say, wait a second.

0:07:14.800000 --> 0:07:15.780000
Here comes a frame.

0:07:15.780000 --> 0:07:19.840000
I just received it with a VLAN tag that says VLAN 1.

0:07:19.840000 --> 0:07:21.380000
That shouldn't happen.

0:07:21.380000 --> 0:07:22.980000
VLAN 1 is the default VLAN.

0:07:22.980000 --> 0:07:24.040000
He's going to drop it.

0:07:24.040000 --> 0:07:26.320000
He's going to kill that frame.

0:07:26.320000 --> 0:07:29.280000
So you can see having a native VLAN mismatch is going to cause you all

0:07:29.280000 --> 0:07:30.940000
kinds of problems.

0:07:30.940000 --> 0:07:33.980000
So make sure you don't do that.
0:07:33.980000 --> 0:07:39.380000
So this is how you want to configure your trunks.

0:07:39.380000 --> 0:07:40.240000
Here's the way you do it.

0:07:40.240000 --> 0:07:43.400000
So you go into the interface that you're interested in.

0:07:43.400000 --> 0:07:50.680000
Now, if you're on a Cisco switch, Cisco had an older proprietary way of

0:07:50.680000 --> 0:07:59.980000
doing this, ISL; fewer and fewer Cisco switches even support ISL anymore.

0:07:59.980000 --> 0:08:06.140000
But if you have a switch that supports both ISL and 802.1Q, if you want

0:08:06.140000 --> 0:08:09.540000
to use .1Q, which is probably what you'll want to do, you'll have to specify

0:08:09.540000 --> 0:08:13.220000
that. And so that's this command right here.

0:08:13.220000 --> 0:08:16.900000
switchport trunk encapsulation .1Q.

0:08:16.900000 --> 0:08:22.320000
Then to configure as a trunk, one way, there's more than one, but one

0:08:22.320000 --> 0:08:26.940000
simple way that most people like to use is switchport mode trunk.

0:08:26.940000 --> 0:08:30.420000
So if you ever see a lab that says, or someone tells you, hey, I want you

0:08:30.420000 --> 0:08:34.260000
to configure this interface as a static trunk, or give me a static VLAN

0:08:34.260000 --> 0:08:37.300000
trunk, they're saying configure switchport mode trunk.

0:08:37.300000 --> 0:08:41.980000
Now, if you try configuring switchport mode trunk and you did not configure

0:08:41.980000 --> 0:08:45.580000
this other command, you'll actually get an error message on an older Cisco

0:08:45.580000 --> 0:08:49.940000
switch. Because the Cisco switch will say, hey, you want me to be doing

0:08:49.940000 --> 0:08:55.300000
trunking, but you haven't been doing it on .1Q, I don't know.

0:08:55.300000 --> 0:09:01.480000
And so on some Cisco switches, you have to configure the switchport encapsulation

0:09:01.480000 --> 0:09:06.360000
type first, followed by switchport mode trunk.
0:09:06.360000 --> 0:09:14.680000
The other thing I want to talk about in this video is controlling VLAN

0:09:14.680000 --> 0:09:16.580000
operation over trunks.

0:09:16.580000 --> 0:09:19.440000
Like I said just a moment ago, I said, hey, if I'm a switch and I've got

0:09:19.440000 --> 0:09:25.420000
300 VLANs configured in me, all 300 of those VLANs will be allowed across

0:09:25.420000 --> 0:09:29.920000
my trunking interface if I need to flood anything or anything like that.

0:09:29.920000 --> 0:09:31.480000
Maybe you don't want that.

0:09:31.480000 --> 0:09:35.620000
Maybe you want this trunk only to be used for certain VLANs and you want

0:09:35.620000 --> 0:09:38.980000
to exclude other VLANs from using it.

0:09:38.980000 --> 0:09:41.600000
You can do that.

0:09:41.600000 --> 0:09:46.420000
So the command for that is the switchport trunk allowed vlan command.

0:09:46.420000 --> 0:09:51.520000
So with that command, you could say, hey, here's what I want.

0:09:51.520000 --> 0:09:55.860000
I want to allow VLANs 20 through 30.

0:09:55.860000 --> 0:09:57.560000
Oh, across the trunk.

0:09:57.560000 --> 0:09:59.100000
Oh, let's just keep the native VLAN as well.

0:09:59.100000 --> 0:10:02.560000
VLAN one. So you say switchport trunk allowed vlan.

0:10:02.560000 --> 0:10:07.700000
We wouldn't do any of this stuff.

0:10:07.700000 --> 0:10:14.080000
We would just say switchport trunk allowed vlan and then one hyphen 20

0:10:14.080000 --> 0:10:21.820000
dash. That would allow that set of, what is that, 11, 12 or something like

0:10:21.820000 --> 0:10:25.060000
that, VLANs across that trunk.

0:10:25.060000 --> 0:10:26.840000
Now, later on, I say, oh, guess what?

0:10:26.840000 --> 0:10:32.240000
We just created VLAN 44 and I want that to go on the trunk as well.

0:10:32.240000 --> 0:10:34.080000
Okay. Well, two ways you could do that.
0:10:34.080000 --> 0:10:38.360000
You could go back to that and enter the exact same command, but down just

0:10:38.360000 --> 0:10:41.920000
with a hyphen of 44, you could do that.

0:10:41.920000 --> 0:10:43.200000
That would work.

0:10:43.200000 --> 0:10:49.920000
Or you could say switchport trunk allowed vlan add 44.

0:10:49.920000 --> 0:10:54.960000
That will add it to whatever the existing list is of allowed VLANs.

0:10:54.960000 --> 0:11:02.720000
You can also remove VLANs from the existing list, or you can say except.

0:11:02.720000 --> 0:11:08.000000
Maybe I want all VLANs allowed across this link except VLAN 20.

0:11:08.000000 --> 0:11:11.140000
You could do that too.

0:11:11.140000 --> 0:11:18.860000
Here's an example of how we would use that command.

0:11:18.860000 --> 0:11:20.140000
Then, the verification commands.

0:11:20.140000 --> 0:11:24.060000
We can use the show vlan, show interface trunk, show interface status,

0:11:24.060000 --> 0:11:27.320000
or show interface switchport commands.

0:11:27.320000 --> 0:11:31.020000
This is a quick review of that.

0:11:31.020000 --> 0:11:38.400000
I'm not. If my first question is, does this switch have any existing trunks

0:11:38.400000 --> 0:11:45.220000
at all? I would typically do show interfaces trunk and I get nothing.

0:11:45.220000 --> 0:11:51.680000
No, he doesn't. One way I can make him have a trunk is interface gigabit

0:11:51.680000 --> 0:11:56.400000
two slash one. Let's say I want to force this to be a trunk.

0:11:56.400000 --> 0:11:59.620000
switchport mode trunk.

0:11:59.620000 --> 0:12:02.220000
Notice I'm getting that error message.

0:12:02.220000 --> 0:12:06.420000
This is a situation where this particular switch supports both ISL and

0:12:06.420000 --> 0:12:10.680000
802.1Q. He's saying, look, you can't force me to be a trunk without first

0:12:10.680000 --> 0:12:14.540000
telling me what method of trunking I should use.

0:12:14.540000 --> 0:12:21.340000
switchport trunk encapsulation .1Q.
0:12:21.340000 --> 0:12:25.040000
Now I can use the up arrow to force it to be a trunk, and now it's perfectly

0:12:25.040000 --> 0:12:29.020000
fine. All right, so is it trunking?

0:12:29.020000 --> 0:12:30.340000
Let's take a look.

0:12:30.340000 --> 0:12:34.220000
There it is. show interfaces trunk.

0:12:34.220000 --> 0:12:37.540000
You can see the mode is on, which means I've statically forced it to be

0:12:37.540000 --> 0:12:40.160000
a trunk. It's using 802.1Q.

0:12:40.160000 --> 0:12:43.420000
It is trunking and the native VLAN is one.

0:12:43.420000 --> 0:12:49.420000
By default, it will allow any and all VLANs that I configure.

0:12:49.420000 --> 0:12:54.620000
Right now, the only VLANs he's aware of are VLANs one and 99.

0:12:54.620000 --> 0:12:58.220000
Let's create a couple more VLANs on here.

0:12:58.220000 --> 0:13:03.660000
How about VLANs 95 through 98?

0:13:03.660000 --> 0:13:12.000000
All right, so now he's allowing all of them.

0:13:12.000000 --> 0:13:13.460000
I say, okay, I didn't mean that.

0:13:13.460000 --> 0:13:14.840000
I didn't want him to have all of them.

0:13:14.840000 --> 0:13:19.060000
I just want that trunk to carry VLANs one and 99.

0:13:19.060000 --> 0:13:22.940000
I don't want 95, 6, 7, and 8 on that trunk.

0:13:22.940000 --> 0:13:25.540000
So interface gigabit two slash one.

0:13:25.540000 --> 0:13:34.560000
switchport trunk allowed vlan, and we'll say one comma 99.

0:13:34.560000 --> 0:13:41.120000
And that will allow only those two VLANs on that trunk.

0:13:41.120000 --> 0:13:48.640000
And now we can see the VLANs allowed on the trunk: one and 99.

0:13:48.640000 --> 0:13:54.380000
So that concludes this particular video on a review of VLAN trunks and

0:13:54.380000 --> 0:13:56.620000
how to configure and how to monitor them.