A trunk is a link configuration, usually between two switches but not only, that carries the traffic of several VLANs over a single physical link. On Cisco switches, by default, every VLAN defined on the switch is allowed across a trunk. However, for security reasons and also for performance, it is sometimes necessary to limit which VLANs propagate across certain links ... Here is how to configure a trunk on a Cisco Catalyst switch.

 

Topology

Trunk Advance (topology diagram)
We therefore have two access switches (ASW1 and ASW2) interconnected through a distribution switch (DSW1), to which R1 is also connected; R1's role is to provide inter-VLAN routing.
As shown in the diagram, ASW1 has machines connected only in VLAN 10 and VLAN 20, while ASW2 has machines connected only in VLAN 20 and VLAN 30.

Basic configuration


The first thing to do, of course, is to create the VLANs, to place the interfaces in the right VLANs (on ASW1 and ASW2), to configure the trunks with their default parameters (on ASW1, ASW2 and DSW1), and then to configure R1 for inter-VLAN routing (by creating dot1Q sub-interfaces).
Note that it is not strictly necessary to create all the VLANs on all the switches: ASW1 only needs VLANs 10 and 20, and ASW2 only VLANs 20 and 30. Creating them everywhere is not an error, however. On the contrary, if the topology is modified later, for example to place a machine in VLAN 30 on ASW1, it will be enough to put the relevant interfaces in that VLAN.

Configuration of VLANs on ASW1

ASW1#configure terminal

! Create VLANs 10, 20 and 30
ASW1(config)#vlan 10,20,30
ASW1(config-vlan)#exit

! Configure the trunk towards DSW1
ASW1(config)#interface gigabitEthernet 1/0/1
ASW1(config-if)#switchport trunk encapsulation dot1q
ASW1(config-if)#switchport mode trunk
ASW1(config-if)#exit

! Place the first 12 FastEthernet interfaces in VLAN 10
ASW1(config)#interface range fastEthernet 1/0/1-12
ASW1(config-if-range)#switchport mode access
ASW1(config-if-range)#switchport access vlan 10
ASW1(config-if-range)#exit

! Place the next 12 interfaces in VLAN 20
ASW1(config)#interface range fastEthernet 1/0/13-24
ASW1(config-if-range)#switchport mode access
ASW1(config-if-range)#switchport access vlan 20
ASW1(config-if-range)#end
ASW1#

Configuration of VLANs on ASW2

ASW2#configure terminal

! Create VLANs 10, 20 and 30
ASW2(config)#vlan 10,20,30
ASW2(config-vlan)#exit

! Configure the trunk towards DSW1
ASW2(config)#interface gigabitEthernet 3/0/1
ASW2(config-if)#switchport trunk encapsulation dot1q
ASW2(config-if)#switchport mode trunk
ASW2(config-if)#exit

! Place the first 12 FastEthernet interfaces in VLAN 20
ASW2(config)#interface range fastEthernet 3/0/1-12
ASW2(config-if-range)#switchport mode access
ASW2(config-if-range)#switchport access vlan 20
ASW2(config-if-range)#exit

! Place the next 12 interfaces in VLAN 30
ASW2(config)#interface range fastEthernet 3/0/13-24
ASW2(config-if-range)#switchport mode access
ASW2(config-if-range)#switchport access vlan 30
ASW2(config-if-range)#end
ASW2#

Configuration of VLANs and trunks on DSW1

DSW1#configure terminal

! Create VLANs 10, 20 and 30
DSW1(config)#vlan 10,20,30
DSW1(config-vlan)#exit

! Configure the interfaces towards ASW1, ASW2 and R1 as dot1Q trunks
! gigabitEthernet 1/0/1 => ASW1
! gigabitEthernet 1/0/2 => ASW2
! fastEthernet 1/0/1 => R1
DSW1(config)#interface range gigabitEthernet 1/0/1 - 2, fastEthernet 1/0/1
DSW1(config-if-range)#switchport trunk encapsulation dot1q
DSW1(config-if-range)#switchport mode trunk
DSW1(config-if-range)#end
DSW1#

Configuring R1

R1#configure terminal

! Bring up the physical interface
R1(config)#interface fastEthernet 0/0
R1(config-if)#no shutdown
R1(config-if)#exit

! Create the sub-interface for VLAN 10
! (terminates frames carrying dot1Q tag 10)
R1(config)#interface fastEthernet 0/0.10
R1(config-subif)#encapsulation dot1Q 10
R1(config-subif)#ip address 10.0.10.1 255.255.255.0
R1(config-subif)#exit

! Create the sub-interface for VLAN 20
! (terminates frames carrying dot1Q tag 20)
R1(config)#interface fastEthernet 0/0.20
R1(config-subif)#encapsulation dot1Q 20
R1(config-subif)#ip address 10.0.20.1 255.255.255.0
R1(config-subif)#exit

! Create the sub-interface for VLAN 30
! (terminates frames carrying dot1Q tag 30)
R1(config)#interface fastEthernet 0/0.30
R1(config-subif)#encapsulation dot1Q 30
R1(config-subif)#ip address 10.0.30.1 255.255.255.0
R1(config-subif)#end
R1#

Limit the propagation of VLANs


The idea here is to ensure that VLAN traffic is propagated only where it is needed. For example, ASW1 must receive traffic for VLANs 10 and 20 but not for VLAN 30 (it has no machine connected in that VLAN). The same applies to ASW2, which only needs traffic for VLANs 20 and 30, since it has no machine connected in VLAN 10.
It is therefore possible, in the configuration of the trunks, to define which VLANs are allowed to be carried on them. Two main reasons justify this type of configuration:
1. Avoiding the unnecessary propagation of broadcast frames (destination MAC FF:FF:FF:FF:FF:FF), as well as of frames whose destination MAC address is not yet known to the switch (unknown unicast), since that traffic serves no purpose on a switch with no port in the VLAN. Without the restriction, for example, a broadcast (or unknown-unicast) frame circulating in VLAN 10 would reach ASW2 even though ASW2 has no interface in that VLAN.
2. Infrastructure security is improved by keeping a VLAN off the switches and links where it is not used. With the trunk towards ASW2 limited to VLANs 20 and 30, VLAN 10 traffic is never sent to ASW2, and a frame tagged VLAN 10 arriving from ASW2 is dropped by DSW1 on Gi1/0/2, so nothing connected to ASW2 can observe or take part in VLAN 10. Note that the allowed list also governs the native VLAN: with "switchport trunk allowed vlan 10,20", VLAN 1 (the default native VLAN) is no longer carried on that trunk either, apart from the switch's own control-plane protocols such as CDP, which are sent untagged regardless.
Restricting the allowed VLANs on only one end of a trunk is enough to stop the traffic, since that end neither sends the excluded VLANs nor accepts them on ingress; the other end, however, would still transmit frames in those VLANs onto the link, only to have them dropped. It is therefore better to apply the same restriction to both ends of the link.

Configuring restrictions on DSW1

DSW1#configure terminal

! Restrict the allowed VLANs towards ASW1
DSW1(config)#interface gigabitEthernet 1/0/1
DSW1(config-if)#switchport trunk allowed vlan 10,20
DSW1(config-if)#exit

! Restrict the allowed VLANs towards ASW2
DSW1(config)#interface gigabitEthernet 1/0/2
DSW1(config-if)#switchport trunk allowed vlan 20,30
DSW1(config-if)#end
DSW1#

Configuring restrictions on ASW1

ASW1#configure terminal

! Restrict the allowed VLANs towards DSW1
ASW1(config)#interface gigabitEthernet 1/0/1
ASW1(config-if)#switchport trunk allowed vlan 10,20
ASW1(config-if)#end
ASW1#

Configuring restrictions on ASW2

ASW2#configure terminal

! Restrict the allowed VLANs towards DSW1
ASW2(config)#interface gigabitEthernet 3/0/1
ASW2(config-if)#switchport trunk allowed vlan 20,30
ASW2(config-if)#end
ASW2#

Verification:

It is now necessary to check that the trunks behave as intended. For that, nothing beats the "show interfaces trunk" command ...

DSW1#show interfaces trunk

Port        Mode             Encapsulation  Status        Native vlan
Fa1/0/1     on               802.1q         trunking      1
Gi1/0/1     on               802.1q         trunking      1
Gi1/0/2     on               802.1q         trunking      1

Port        Vlans allowed on trunk
Fa1/0/1     1-4094
Gi1/0/1     10,20
Gi1/0/2     20,30

Port        Vlans allowed and active in management domain
Fa1/0/1     1,10,20,30
Gi1/0/1     10,20
Gi1/0/2     20,30

Port        Vlans in spanning tree forwarding state and not pruned
Fa1/0/1     1,10,20,30
Gi1/0/1     10,20
Gi1/0/2     20,30
DSW1#

The part of the output that interests us here is "Vlans allowed on trunk". As configured, the Fa1/0/1 interface (towards R1) keeps its default behaviour and therefore passes all VLANs (1-4094). The interfaces Gi1/0/1 and Gi1/0/2, on the other hand, allow only the necessary VLANs, i.e. VLANs 10 and 20 towards ASW1 and VLANs 20 and 30 towards ASW2. Applying the same principle to the router link would mean restricting Fa1/0/1 to VLANs 10, 20 and 30, since R1 only has sub-interfaces for those three. Note also that VLAN 1, the native VLAN, no longer appears on Gi1/0/1 and Gi1/0/2 in any of the sections, because it is not in their allowed list.
A VLAN that is not allowed on a trunk no longer appears in the next two sections either. As a reminder, it is the last section that shows the VLANs actually carried on the trunk in question: the allowed VLANs that are also active (i.e. that exist on the switch and have at least one active interface, trunks included) and that have not been blocked by Spanning Tree to prevent a loop, nor dynamically pruned by VTP.
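As an added example (not code from the original tutorial), the following Python script parses the DSW1 "show interfaces trunk" output shown above and audits each trunk against the placement policy described in the previous section: the VLANs each access switch actually needs, and the fact that the R1 trunk must carry all of them. The policy dictionaries (ACCESS_VLANS, TRUNK_NEIGHBOURS) and the embedded sample output are assumptions constructed from this page's topology. Beyond the page's own check, the script also flags trunks left at the default 1-4094, reports whether the native VLAN is still carried (true for Fa1/0/1, false for Gi1/0/1 and Gi1/0/2 in the output above), and separates "allowed" from "actually forwarding" as the last paragraph explains.

```python
"""Audit Cisco `show interfaces trunk` output against a VLAN placement policy."""
from typing import Dict, Set

# Policy model (assumption constructed from the tutorial's topology): which
# VLANs have access ports on each access switch, and which DSW1 trunk port
# leads to which neighbour. R1 routes between all VLANs, so it needs all of them.
ACCESS_VLANS: Dict[str, Set[int]] = {"ASW1": {10, 20}, "ASW2": {20, 30}}
TRUNK_NEIGHBOURS: Dict[str, str] = {"Gi1/0/1": "ASW1", "Gi1/0/2": "ASW2", "Fa1/0/1": "R1"}
ROUTER = "R1"
ALL_VLANS: Set[int] = set(range(1, 4095))   # what "1-4094" expands to

# Sample input: the DSW1 output from the tutorial, embedded so this runs offline.
SHOW_TRUNK = """\
Port        Mode             Encapsulation  Status        Native vlan
Fa1/0/1     on               802.1q         trunking      1
Gi1/0/1     on               802.1q         trunking      1
Gi1/0/2     on               802.1q         trunking      1

Port        Vlans allowed on trunk
Fa1/0/1     1-4094
Gi1/0/1     10,20
Gi1/0/2     20,30

Port        Vlans allowed and active in management domain
Fa1/0/1     1,10,20,30
Gi1/0/1     10,20
Gi1/0/2     20,30

Port        Vlans in spanning tree forwarding state and not pruned
Fa1/0/1     1,10,20,30
Gi1/0/1     10,20
Gi1/0/2     20,30
"""

# Header fragment -> record key for the four tables of the command output.
SECTIONS = (
    ("Native vlan", "status"),
    ("allowed and active", "active"),
    ("allowed on trunk", "allowed"),
    ("forwarding state", "forwarding"),
)


def parse_vlan_list(spec: str) -> Set[int]:
    """Expand IOS VLAN list syntax ("1,10-12,20", "none") into a set of ints."""
    vlans: Set[int] = set()
    for part in spec.split(","):
        part = part.strip()
        if not part or part.lower() == "none":
            continue
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            vlans.update(range(lo, hi + 1))
        else:
            vlans.add(int(part))
    return vlans


def parse_show_trunk(text: str) -> Dict[str, dict]:
    """Return {port: {mode, encap, status, native, allowed, active, forwarding}}."""
    ports: Dict[str, dict] = {}
    section = None
    for line in text.splitlines():
        line = line.strip()
        if not line or "#" in line:            # blank lines and CLI prompts
            continue
        if line.startswith("Port"):            # table header: select the section
            section = next((key for frag, key in SECTIONS if frag in line), None)
            continue
        fields = line.split()
        rec = ports.setdefault(fields[0], {})
        if section == "status":
            rec.update(mode=fields[1], encap=fields[2], status=fields[3],
                       native=int(fields[4]))
        elif section:
            # A port with no VLANs in a section prints only its name.
            rec[section] = parse_vlan_list(fields[1]) if len(fields) > 1 else set()
    return ports


def required_vlans(port: str) -> Set[int]:
    """VLANs the neighbour behind `port` genuinely needs, per the policy."""
    neighbour = TRUNK_NEIGHBOURS[port]
    if neighbour == ROUTER:
        return set().union(*ACCESS_VLANS.values())
    return ACCESS_VLANS[neighbour]


def audit(text: str) -> Dict[str, dict]:
    """Compare each trunk's allowed list with the policy and report deviations."""
    findings: Dict[str, dict] = {}
    for port, rec in parse_show_trunk(text).items():
        need, allowed = required_vlans(port), rec["allowed"]
        findings[port] = {
            "unrestricted": allowed == ALL_VLANS,          # default 1-4094 left in place
            "excess": allowed - need,                      # carried but not needed
            "missing": need - allowed,                     # needed but not allowed
            "native_carried": rec["native"] in allowed,    # native VLAN still on the wire
            "blocked_or_pruned": rec["active"] - rec["forwarding"],  # STP-blocked / VTP-pruned
        }
    return findings


if __name__ == "__main__":
    for port, f in sorted(audit(SHOW_TRUNK).items()):
        print(port, "UNRESTRICTED" if f["unrestricted"] else "restricted",
              "excess=%d missing=%s native_carried=%s"
              % (len(f["excess"]), sorted(f["missing"]), f["native_carried"]))
```

Run against the output above, Fa1/0/1 is reported as unrestricted with 4091 excess VLANs and the native VLAN carried, while Gi1/0/1 and Gi1/0/2 match the policy exactly. On a real switch, paste the command output into SHOW_TRUNK (or read it from a file) and adjust the two policy dictionaries to the site's topology.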

Important note:

In the basic trunk configuration, I used the "switchport trunk encapsulation dot1q" command. This command only exists on switches that support both dot1Q and ISL. If you test this configuration on models such as the WS-C2950 or WS-C2960, the command is not necessary (and is not accepted), since those switches only support dot1Q.

