[Repost] Implementing VLAN trunking (Router Trunking)
Posted by Wandering on 2008-04-25 12:08:25
(Original link: http://www.lanarchitect.net/Articles/VLANTrunking/Implementation/ )
Implementing VLAN trunking
George Ou
Contents
- Introduction
- Cisco switch configurations
- Cisco router configurations
- Windows configuration with Intel Pro Series adapters
Introduction
In my last article, “Introduction to VLAN trunking”, I whetted your appetite for a hot new technology that is revolutionizing the way network topologies are designed and interconnected. In this piece, I will show you how to actually implement it on the three most common types of equipment you will come across: Cisco switches, Cisco routers, and servers or workstations running the Windows operating system. The only prerequisite for this article is a basic working knowledge of switches, routers, and Windows PCs for their respective sections. The original article links to a network diagram of the lab environment built in this article. Note that the examples I use are based on the 802.1q standard.
Cisco switch configurations
Cisco switches primarily come in two flavors, CatOS (Catalyst OS) and IOS (Internetwork Operating System). Although Cisco is trying to migrate almost everything to the IOS type of operating system on their equipment, there is still a large installed base of CatOS switches. Cisco’s flagship 6500 series switch can actually run CatOS or IOS, but most people I know run CatOS on the 6500s. Smaller switches like the 2950 and the 3550 all run IOS. Then there is the oddball 2948g-L3, which really is more of a router than a switch (the 2948 without the “L3” is a normal IOS switch); refer to the router section below for its configuration.
Note: In many ways, I personally prefer CatOS over IOS for its UI’s (user interface’s) superior method of entering system configuration. For example, if you ever need to apply a common configuration to 48 Ethernet ports on module 4, you simply apply one command to “4/1-48”. On the IOS UI, you would need to enter each interface for all 48 ports and apply 96 individual commands vs. one command on CatOS! Viewing the configuration on IOS is equally bloated.
Here is a breakdown of trunking support for the various Cisco switches:
| IOS | CatOS |
| 2900 Series (on some IOS versions) | 2980 (same IOS image as the 4000) |
| 2948 (non-L3) | 4000 Series |
| 2950 Series | 5000 and 5500 Series |
| 3548 | 6000 and 6500 Series |
| 3550 Series | |
| 6500 running IOS | |
To set up trunking on a CatOS or IOS Cisco switch, the port that needs to be trunked must be configured for the right kind of VLAN trunking. Note that not every module and interface on a switch supports trunking; the switch will give you an error message if you try to set an unsupported port for trunking, so you may need to look up the port capabilities for each port.
Here is the configuration guide for both IOS and CatOS.
Configuring and locking down IOS switches:
| IOS Command | Description |
| Enable | Switch to enable mode |
| Configure Terminal | Enter global configuration mode |
| Interface FastEthernet0/1 | Entering interface configuration for port 0/1. This is where you pick the port you want to trunk. |
| Switchport mode trunk | Set port to trunking mode. |
| Switchport trunk encapsulation dot1q | Set trunk type to 802.1q. If your switch only supports either ISL or 802.1q, this command does not exist because there is nothing to specify. This command only works when you can choose between the two. |
| Switchport trunk allowed vlan 10-15,20 | Allow only VLANs 10 through 15 and VLAN 20. As a security best practice, it is important that you restrict the trunk to only the VLANs you need. |
| Exit | Exit interface |
| Exit | Exit global configuration |
| Write memory | Commit changes to NVRAM |
Locking down CatOS for security:
| CatOS Command | Description |
| Enable | Switch to enable mode |
| Clear trunk 1/1-2 1-1005; Clear trunk 2/1-2 1-1005; Clear trunk 3/1-24 1-1005; …fill in the pieces…; Clear trunk 12/1-24 1-1005; Set trunk 1/1-2 off; Set trunk 2/1-2 off; Set trunk 3/1-24 off; Set trunk 4/1-24 off; …fill in the pieces…; Set trunk 9/1-24 off | This is an example of how to lock down a Cisco 6500 switch: first it clears all VLANs from every port, then it explicitly disables trunking on every single port. Whether or not you intend to use trunking on your CatOS switch, you would be very wise to implement this lockdown on all of your CatOS switches. Otherwise, a hacker can bypass all Layer 3 (firewall) security by simply hopping VLANs. I included this section before the “Configuring CatOS” section because the lockdown needs to be done before any custom configuration is entered. |
Although this section is not strictly mandatory for trunking to function, I felt it would be irresponsible not to include this Layer 2 security lockdown procedure. Although the CatOS switch has a far more streamlined UI than the IOS switches, it is notoriously promiscuous in its default VLAN trunking settings. Trunking auto-negotiation is equally alarming on both IOS and CatOS switches: if left at its defaults, it will automatically connect switches as fully enabled, wide-open trunks. You would be shocked to see the sloppy Layer 2 security on most networks. If left unchecked, you are not only open to malicious hacks, but someone could accidentally plug in a Cisco switch with a VTP engine and nuke your network by changing your VLAN configuration.
Configuring CatOS switches:
| CatOS Command | Description |
| Enable | Switch to enable mode |
| Set trunk 1/1 on dot1q 10-15,20 | The “on” switch enables trunking on this port. “Dot1q” sets the port to 802.1q mode. “10-15,20” enables VLAN 10-15 and 20 to be supported on this trunking interface. |
You may find it funny that it was so much work to lock down your switch while it only took one command to enable trunking. If you didn’t bother to follow the lockdown procedure shown above, specifying the “10-15,20” VLAN IDs is useless because it simply adds them to the existing 1-1005 pool, which remains wide open. This CatOS behavior is very annoying and insecure by default. IOS switches, on the other hand, only permit the VLANs you entered last, which has its own user-friendliness downside: on an IOS switch, entering “10-15,20” in your “allowed vlan” statement nullifies any previously allowed VLAN outside 10-15 and 20. The big plus of this behavior is that it is secure by default.
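As an added example (not part of George Ou's article), here is a small Python audit that applies the IOS rule just described to a constructed running-config excerpt: it parses each interface block, expands allowed-VLAN lists such as 10-15,20, and reports trunk ports that still carry the whole default pool because no allowed list was ever applied. The interface names and config text are constructed; the 1-1005 pool size is the one the article uses.

```python
import re

# Constructed sample IOS running-config excerpt (not taken from the article).
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 switchport mode trunk
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10-15,20
!
interface FastEthernet0/2
 switchport mode trunk
 switchport trunk encapsulation dot1q
!
"""

FULL_POOL = frozenset(range(1, 1006))  # the article's default 1-1005 VLAN pool

def parse_vlan_list(spec):
    """Expand a VLAN list such as '10-15,20' into a set of VLAN IDs."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def audit_trunks(config):
    """Map every trunk port to its allowed VLAN set.

    IOS semantics as the article describes them: the last plain
    'switchport trunk allowed vlan' list replaces the previous one, and a
    trunk with no such line carries the whole pool (add/remove forms not handled).
    """
    findings, current, lines = {}, None, []
    for line in config.splitlines() + ["!"]:  # trailing "!" flushes the last block
        if line.startswith(" "):
            lines.append(line.strip())
            continue
        if current is not None and "switchport mode trunk" in lines:
            allowed = set(FULL_POOL)
            for cfg in lines:
                m = re.fullmatch(r"switchport trunk allowed vlan ([\d,\-]+)", cfg)
                if m:
                    allowed = parse_vlan_list(m.group(1))
            findings[current] = allowed
        current = line.split(None, 1)[1] if line.startswith("interface ") else None
        lines = []
    return findings

def unrestricted_trunks(config):
    """Trunk ports that still carry the whole pool, i.e. the lockdown is missing."""
    return sorted(n for n, v in audit_trunks(config).items() if v == FULL_POOL)
```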
Cisco router configurations
Cisco router configuration for trunking is fundamentally different from Cisco switch configuration. A router encapsulates traffic to be carried on the switch infrastructure and behaves as a multi-homed node on the network, just like a server, workstation, or firewall. The switch is the Layer 2 infrastructure that carries traffic for the VLANs it allows and acts as the VLAN traffic director, whereas the router performs the higher-layer function of a network gateway that routes Layer 3 traffic. You can configure a router with any number of virtual interfaces (a.k.a. sub-interfaces) on a single physical interface and designate the VLAN you want each of them switched to. The switch determines where the traffic from a router sub-interface will end up based on the VLAN ID portion of the 802.1q tag that the router inserted into the Ethernet frame header.
Configuring Cisco Routers:
| IOS Command | Description |
| Enable | Switch to enable mode |
| Configure terminal | Switch to global configuration mode |
| Interface FastEthernet0/0.1 | Creates first sub-interface for FastEthernet0/0 |
| Encapsulation dot1q 10 | Injects 802.1q tag with VLAN ID 10 into every frame coming from first sub-interface. |
| IP address 10.1.1.1 255.255.255.0 | Defines IP/mask for this first sub-interface |
| Exit | Exits first sub-interface |
| Interface FastEthernet0/0.2 | Creates second sub-interface for FastEthernet0/0 |
| Encapsulation dot1q 11 | Injects 802.1q tag with VLAN ID 11 into every frame coming from second sub-interface. |
| IP address 10.1.2.1 255.255.255.0 | Defines IP/mask for this second sub-interface |
| Exit | Exits second sub-interface |
| Exit | Exit global config |
| Write memory | Commits changes to NVRAM |
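To make concrete what each router sub-interface does with a frame, here is an added Python example (not from the article) that inserts and reads the 802.1Q tag exactly as the configuration above implies: FastEthernet0/0.1 tags with VLAN 10 and FastEthernet0/0.2 with VLAN 11, and a trunk-side check models the allowed-VLAN list from the switch section. The MAC addresses and payload are constructed; the sub-interface-to-VLAN mapping comes from the table.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q-tagged frame

# Router sub-interface to VLAN mapping taken from the article's configuration.
SUBINTERFACES = {"FastEthernet0/0.1": 10, "FastEthernet0/0.2": 11}

# Constructed untagged frame: broadcast dst MAC, a made-up src MAC,
# EtherType 0x0800 (IPv4) and a dummy 20-byte payload.
UNTAGGED = bytes.fromhex("ffffffffffff" "0011223344aa" "0800") + b"\x45" + bytes(19)

def tag_frame(frame, vlan_id, pcp=0, dei=0):
    """Insert a 4-byte 802.1Q tag between the source MAC and the EtherType."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be 1-4094")
    tci = (pcp << 13) | (dei << 12) | vlan_id  # 3-bit PCP, 1-bit DEI, 12-bit VID
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]

def vlan_of(frame):
    """VLAN ID carried by a tagged frame, or None if the frame is untagged."""
    if struct.unpack("!H", frame[12:14])[0] != TPID_8021Q:
        return None
    return struct.unpack("!H", frame[14:16])[0] & 0x0FFF

def untag_frame(frame):
    """Strip the 802.1Q tag, as the switch does when delivering to an access port."""
    return frame if vlan_of(frame) is None else frame[:12] + frame[16:]

def send_from(subinterface, frame):
    """Tag an outgoing frame with the VLAN bound to the router sub-interface."""
    return tag_frame(frame, SUBINTERFACES[subinterface])

def trunk_accepts(frame, allowed_vlans):
    """Would a trunk restricted to allowed_vlans carry this tagged frame?"""
    return vlan_of(frame) in allowed_vlans
```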
---
Wandering: Why repost this article? Today I suddenly came across the term "Router Trunking" and could not recall ever having seen it; I asked some friends and they could not explain it either, though the concept of "one arm routing" did come up, and I was still confused. A web search turned up this very article, which explains router trunking quite clearly. Saving it here to share with friends!
