, , , , , ,

My last post was about ensuring there’s a backup for a Domain Controller, which I called the ‘brains’ of an Active Directory system. On the infrastructure side, the core of the network is typically a collection of routers and switches (perhaps in a switching room) that connect everything within the internal network. The following are just basic commands for reference, and the basic sequence of what’s happening is:
1. Configure main switch to operate as a VTP server.
2. Create a VTP domain.
3. Add switches as VTP clients.
4. Assign an interface as a trunk link.
5. Create VLANs.
6. Assign specific switch ports to the VLANs.

VLAN Trunking Setup
Of course, having all the VLANs or network segments for a large network on one switch isn’t ideal, even if there are enough ports. There should be some load balancing and redundancy, plus we might want to anticipate any expansion. Although I already understood the theory behind this, some research was needed on how it’s implemented in practice on a Catalyst system. I’m in the process of ordering the hardware, so I can experiment and get some screenshots later.

Cisco has something called ‘VLAN Trunking Protocol’ (VTP), which enables a group of interconnected switches to be managed from just one ‘VTP server’. In other words, they’d all function as a single logical switch after it’s set up.
First we enable the management mode on the first switch (the interface works just like the Cisco IOS), and use the ‘show vtp‘ command to view the current status:
Switch#show vtp ?
Switch#show vtp status

There might be several default VLANs indicated as ‘existing’, but they’re irrelevant because they aren’t assigned to a domain by default. The ‘show‘ command will list VLANs present:
Switch#show vlan

Having viewed the current setup, the next step might (or might not) be to change the configuration. This is done by exiting to the global configuration mode, entering ‘config-vlan‘ and creating whatever VLANs are needed:
Switch#configure terminal
Switch(config)#vlan 10
Switch(config-vlan)#vlan 20
Switch(config-vlan)#vlan 30
Switch(config-vlan)#vlan 40

When that’s done, return to the global command mode with Ctrl+C. After returning to the global configuration mode, a domain can be added. The domain is basically a group of switches that receive the updates from a VTP server:
Switch#conf t
Switch(config)#vtp domain mydomain
Switch(config)#vtp ?

Now it’s time to set the mode in which we want the main switch to run. With ‘vtp mode ?‘, there are three options listed, client, server and transparent:
Switch(config)#vtp mode ?

Transparent mode is only used where we want a switch to ignore but relay VTP updates. Since we want this to be the primary switch, a VTP server, from where all others are managed and synchronised, it must be configured to run in server mode:
Switch(config)#vtp mode server

Now the other switches must be configured to run as clients on the same domain with the following commands:
Switch#conf t
Switch(config)#vtp domain mydomain
Switch(config)#vtp mode client

By default the links between switches are for passing normal network traffic. One interface on each switche must be designated as a trunk link, and that interface could be port 1 (Fa 0/1):
Switch(config)#int fa0/1
Switch(config-if)#switchport mode trunk

The output should indicate the interface has been restarted as a trunk link, and the next command simply tells the switch that we want to manage all VLANs numbered within the range 1-99.
Switch(config-if)#switchport trunk allowed vlan 1-99

By default, the clients should automatically receive the updates on the domain. This can be confirmed by:
Switch#show vtp status
Switch#show vlan

The output should indicate that VLANs were added, and that they’re in the domain. VTP and trunking are now enabled.

Setting up VLANs
With trunking set up, the next step is to add VLANs and assign ports to them. The idea is a virtual LAN in which traffic enters a specific port on one switch and exits through a specific port on another switch.

Enter configuration mode:
Switch#conf t

It’s likely that all/most hosts in the network must communicate with the gateway router (for Internet access), so there should be a VLAN for the gateway configured as the ‘primary’. This particular VLAN operates in ‘promiscuous’ mode and therefore accepts packets from outside. Here it’s VLAN 10, and accepts packets from VLANs 20 and 30:
Switch(config)#vlan 10
Switch(config-vlan)#private-vlan primary
Switch(config-vlan)#private-vlan association 20, 30

Next up, we want to configure VLAN 20.
Switch(config-vlan)#private-vlan office1

And do the same for the other VLANs.
Switch(config-vlan)#vlan 30
Switch(config-vlan)#private-vlan office2

Now the VLANs are configured on the VTP server, and they exist logically, the switch ports must be assigned to them:
Switfch(config-vlan)#int fa 0/2
Switch(config-if)#switchport mode private-vlan promiscuous
Switch(config-if)#switchport private-vlan mapping 10 20, 30

Switch(config-if)#int fa 0/3
Switch(config-if)#switchport mode private-vlan host
Switch(config-if)#switchport private-vlan host-association 10 20

Switch(config-if)#int fa 0/5
Switch(config-if)#switchport mode private-vlan host
Switch(config-if)#switchport private-vlan host-assocation 10 30