<CHAPTEROBJECTIVE>Defining the difference between local and end-to-end VLANs</CHAPTEROBJECTIVE>
<CHAPTEROBJECTIVE>Configuring static VLANs on both set-based and IOS-based Catalyst switches</CHAPTEROBJECTIVE>
<CHAPTEROBJECTIVE>Describing and configuring VLAN Trunk Protocol on both set-based and IOS-based switches</CHAPTEROBJECTIVE>
<CHAPTEROBJECTIVE>Describing and configuring trunking on both set-based and IOS-based switches</CHAPTEROBJECTIVE>
<CHAPTEROBJECTIVE>Frame tagging and the different VLAN identification methods</CHAPTEROBJECTIVE></CHAPTEROBJECTIVEBLOCK>
<PARA><DROPCAP>A</DROPCAP> virtual local area network (VLAN) is a logical grouping of network users and resources connected to administratively defined ports on a layer 2 switch. By creating VLANs, you are able to create smaller broadcast domains within a switch by assigning different ports in the switch to different subnetworks. A VLAN is treated as its own subnet or broadcast domain. This means that when frames are broadcast, they are switched between ports only within the same VLAN.</PARA>
<PARA>Using virtual LANs, you're no longer confined to creating workgroups by physical locations. VLANs can be organized by location, function, department, or even the application or protocol used, regardless of where the resources or users are located.</PARA>
<PARA>In this chapter, you'll learn about the following:</PARA>
<LIST MARK="bullet">
<LISTITEM><PARA>What a VLAN is.</PARA></LISTITEM>
<LISTITEM><PARA>How to configure VLANs on both set-based and IOS-based switches.</PARA></LISTITEM>
<LISTITEM><PARA>VLAN trunking and VLAN Trunk Protocol (VTP) configurations. </PARA>
<LIST MARK="bullet">
<LISTITEM><PARA>Trunking allows you to pass information about more than one VLAN on the same link.</PARA></LISTITEM>
<LISTITEM><PARA>VTP is used to send VLAN configuration information between switches.</PARA></LISTITEM>
</LIST></LISTITEM>
<LISTITEM><PARA>Frame tagging and identification methods.</PARA>
<LIST MARK="bullet">
<LISTITEM><PARA>Identification methods both encapsulate a frame and insert a new field in a frame to identify it as it traverses a switched internetwork fabric.</PARA></LISTITEM>
</LIST></LISTITEM>
</LIST>
<SECTION ID="3.1"><TITLE>The Benefits of Virtual LANs</TITLE>
<PARA><DROPCAP>R</DROPCAP>emember that layer 2 switches break up collision domains and that only routers can break up broadcast domains. However, virtual LANs can be used to break up broadcast domains in layer 2 switched networks. Routers are still needed in a layer 2 virtual LAN switched internetwork to allow the different VLANs to communicate with each other. </PARA>
<PARA>There are many benefits to creating VLANs in your internetwork. Remember that in a layer 2 switched network, the network is a <KEYTERM>flat network</KEYTERM>, as shown in Figure 3.1. Every broadcast packet transmitted is seen by every device on the network, regardless of whether the device needs to receive the data or not. </PARA>
<SLUG NUM="3.1">Figure 3.1: A flat network structure [f0301.eps]</SLUG>
<PARA>In a flat network, your only security consists of passwords on the servers and other devices, and all users can see all devices. You cannot stop devices from broadcasting or users from trying to respond to broadcasts. </PARA>
<PARA>By creating VLANs, you can solve many of the problems associated with layer 2 switching.</PARA>
<PARA>Broadcasts occur in every protocol, but how often they occur depends upon the protocol, the application(s) running on the internetwork, and how these services are used. VLANs can define smaller broadcast domains, which means that it is possible to stop application broadcasts to segments that do not use the application.</PARA>
<PARA>Although some older applications have been rewritten to reduce their bandwidth needs, there is a new generation of applications that are bandwidth greedy, consuming all they can find. These are multimedia applications that use broadcasts and multicasts extensively. Faulty equipment, inadequate segmentation, and poorly designed firewalls can also add to the problems of broadcast-intensive applications. </PARA>
<PARA>These bandwidth-gobbling applications have added a new factor to network design because broadcasts can propagate through the switched network. Routers, by default, send broadcasts only within the originating network, but layer 2 switches forward broadcasts to all segments. This is called a flat network because it is one broadcast domain.</PARA>
<PARA>As an administrator, you must make sure the network is properly segmented to keep problems on one segment from propagating through the internetwork. The most effective way of doing this is through switching and routing. Since switches have become more cost effective, a lot of companies are replacing the hub-and-router flat network with a pure switched network and VLANs. The largest benefit gained from switches with defined VLANs is that all devices in a VLAN are members of the same broadcast domain and receive all broadcasts. The broadcasts, by default, are filtered from all ports that are on a switch and are not members of the same VLAN. </PARA>
<PARA>To stop broadcasts from propagating through the entire internetwork, either a router, layer 3 switches, or Route Switch Modules (RSMs) must be used in conjunction with switches to provide connections between networks (VLANs).</PARA>
</SECTION>
<SECTION ID="3.1.2"><TITLE>Security</TITLE>
<PARA>In a flat internetwork, security is implemented by connecting hubs and switches together with routers. Security is then maintained at the router, but this causes three serious security problems:</PARA>
<LIST MARK="bullet">
<LISTITEM><PARA>Anyone connecting to the physical network has access to the network resources on that physical LAN. </PARA></LISTITEM>
<LISTITEM><PARA>A user can plug a network analyzer into the hub and see all the traffic in that network.</PARA></LISTITEM>
<LISTITEM><PARA>Users can join a workgroup by just plugging their workstation into the existing hub.</PARA></LISTITEM>
</LIST>
<PARA>By using VLANs and creating multiple broadcast groups, administrators now have control over each port and user. Users can no longer just plug their workstation into any switch port and have access to network resources. The administrator controls each port and whatever resources it is allowed to use.</PARA>
<PARA>Because groups can be created according to the network resources a user requires, switches can be configured to inform a network management station of any unauthorized access to network resources. If inter-VLAN communication needs to take place, restrictions on a router can also be implemented. Restrictions can also be placed on hardware addresses, protocols, and applications.</PARA>
</SECTION>
<SECTION ID="3.1.3"><TITLE>Flexibility and Scalability</TITLE>
<PARA>VLANs also add more flexibility to your network by limiting or adding only the users you want in the broadcast domain regardless of their physical location. Layer 2 switches read frames only for filtering; they do not look at the Network layer protocol. This can cause a switch to forward all broadcasts. However, by creating VLANs, you are essentially creating separate broadcast domains. Broadcasts sent out from a node in one VLAN will not be forwarded to ports configured in a different VLAN. By assigning switch ports or users to VLAN groups on a switch, or on a group of connected switches (called a <KEYTERM>switch-fabric</KEYTERM>), you have the flexibility to add only the users you want in the broadcast domain regardless of their physical location. This can stop broadcast storms caused by a faulty network interface card (NIC) or an application from propagating throughout the entire internetwork.</PARA>
<PARA>When a VLAN gets too big, you can create more VLANs to keep the broadcasts from consuming too much bandwidth. The fewer users in a VLAN, the fewer are affected by broadcasts.</PARA>
</SECTION>
<SECTION ID="3.1.4"><TITLE>The Collapsed Backbone and the VLAN</TITLE>
<!-- <PARA>To understand how a VLAN looks to a switch, it's helpful to begin by first looking at a traditional collapsed backbone. Figure 3.2 shows a collapsed backbone created by connecting physical LANs to a router.</PARA> -->
<SLUG NUM="3.2">Figure 3.2: Physical LANs connected to a router [f0302.eps]</SLUG>
<!-- <PARA>Each network is attached to the router, and each network has its own logical network number. Each node attached to a particular physical network must match that network number to be able to communicate on the internetwork. Now let's look at what a switch accomplishes. Figure 3.3 shows how switches remove the physical boundary.</PARA> -->
<!-- <PARA>Switches create greater flexibility and scalability than routers can by themselves because they define the network VLANs and VLAN port assignments. You can group users into communities of interest, which are known as VLAN organizations.</PARA>
<PARA>Because of switches, we don't need routers anymore, right? Wrong. In Figure 3.3, notice that there are four VLANs, or broadcast domains. The nodes within each VLAN can communicate with each other but not with any other VLAN or node in another VLAN. When configured in a VLAN, the nodes think they are actually in a collapsed backbone, as in Figure 3.2. What do these hosts in Figure 3.2 need to do in order to communicate to a node or host on a different network? They need to go through the router, or other layer 3 device, just as they do when they are configured for VLAN communication, as shown in Figure 3.3. Communication between VLANs, just as in physical networks, must go through a layer 3 device.</PARA> -->
</SECTION>
</SECTION>
<SECTION ID="3.2"><TITLE>Scaling the Switch Block</TITLE>
<PARA><DROPCAP>F</DROPCAP>irst introduced in <NOBR REF="1">Chapter 1</NOBR>, switch blocks represent a switch or group of switches providing access to users. These switches then connect to distribution layer switches, which in turn handle routing issues and VLAN distribution.</PARA>
<PARA>To understand how many VLANs can be configured in a switch block, you must understand the following factors:</PARA>
<PARA>Cisco recommends a one-to-one ratio between VLANs and subnets. For example, if you have 2,000 users in a building, then you must understand how they are broken up by subnets to create your VLANs. If you had 1,000 users in a subnet, which is ridiculous, you would create only 2 VLANs. If you had only 100 users in a subnet, you would create around 20 VLANs or more.</PARA>
<PARA>It is actually better to create your broadcast domain groups (VLANs), then create a subnet mask that fits the need. That is not always possible, and you usually have to create VLANs around an already configured network. </PARA>
<NOTE>VLANs should not extend past the distribution switch on to the core. </NOTE>
<PARA><KEYTERM>End-to-end VLANs</KEYTERM> are VLANs that span the switch-fabric from end to end; all switches in end-to-end VLANs understand about all configured VLANs. End-to-end VLANs are configured to allow membership based on function, project, department, and so on.</PARA>
<PARA>The best feature of end-to-end VLANs is that users can be placed in a VLAN regardless of their physical location. The administrator defines the port the user is connected to as a VLAN member. If the user moves, the administrator defines their new port as a member of their existing VLAN. In accordance with the 80/20 rule, the goal of an administrator in defining end-to-end VLANs is to maintain 80 percent of the network traffic as local, or within the VLAN. Only 20 percent or less should extend outside the VLAN. </PARA>
</SECTION>
<SECTION ID="3.2.1.2"><TITLE>Local VLANs</TITLE>
<PARA><KEYTERM>Local VLANs</KEYTERM> are configured by physical location and not by function, project, department, and so on as with end-to-end VLANs. Local VLANs are used in corporations that have centralized server and mainframe blocks because end-to-end VLANs are difficult to maintain in this situation. In other words, when the 80/20 rule becomes the 20/80 rule, end-to-end VLANs are more difficult to maintain, and so you will want to use a local VLAN.</PARA>
<PARA>In contrast to end-to-end VLANs, local VLANs are configured by geographic location; these locations can be a building or just a closet in a building, depending on switch size. Geographically configured VLANs are designed around the fact that the business or corporation is using centralized resources, such as a server farm. The users will spend most of their time utilizing these centralized resources and 20 percent or less on the local VLAN. From what you have read in this course so far, you must be thinking that 80 percent of the traffic is crossing a layer 3 device. That doesn't sound efficient, does it? </PARA>
<PARA>Because layer 3 devices are becoming faster and faster, you must design a geographic VLAN with a fast layer 3 device (or devices). The benefit of this design is that it will give the users a deterministic, consistent method of getting to resources. However, you cannot create this design with a lower-end layer 3 model. This is not for the poor. </PARA>
<PARA>Once your VLANs are created, you need to assign switch ports to them. There are two types of VLAN port configurations: static and dynamic. A static VLAN requires less work initially but is more difficult for an administrator to maintain. A dynamic VLAN, on the other hand, takes more work up front but is easier to maintain. </PARA>
<SECTION ID="3.2.2.1"><TITLE>Static VLANs</TITLE>
<PARA>In a <KEYTERM>static VLAN</KEYTERM>, the administrator assigns switch ports to the VLAN, and the association does not change until the administrator changes the port assignment. This is the typical way of creating VLANs, and it is the most secure. This type of VLAN configuration is easy to set up and monitor, working well in a network where the movement of users within the network is maintained by basically just locking the network closet doors. Using network management software to configure the ports can be helpful but is not mandatory.</PARA>
<PARA>If the administrator wants to do a little more work up front and assign all devices' hardware addresses into a database, hosts in an internetwork can be assigned VLAN assignments dynamically. Using intelligent management software, you can enable hardware (MAC) addresses, protocols, or even applications to create <KEYTERM>dynamic VLANs</KEYTERM>.</PARA>
<PARA>For example, suppose MAC addresses have been entered into a centralized VLAN management application. If a node is then attached to an unassigned switch port, the VLAN management database can look up the hardware address and assign and configure the switch port to the correct VLAN. This can make management and configuration easier for the administrator. If a user moves, the switch will automatically assign them into the correct VLAN. However, more administration is needed initially to set up the database.</PARA>
<PARA>Cisco administrators can use the VLAN Management Policy Server (VMPS) service to set up a database of MAC addresses that can be used for dynamic addressing of VLANs. VMPS is a MAC-address-to-VLAN mapping database.</PARA>
<PARA>The Cisco Switching exam is interested only in static VLAN configuration. We'll show you how to configure VLANs on a Catalyst 5000 switch as well as a Catalyst 1900 switch.</PARA>
<PARA>It is important to understand the difference between the Catalyst 5000 series VLAN configuration and the IOS-based VLAN configuration.</PARA>
<PARA>To configure VLANs on a Catalyst 5000 switch, use the <INLINECODE>set vlan [vlan#] [name]</INLINECODE> command. Then, after your VLANs are configured, assign the ports to each VLAN: </PARA>
<CODESNIPPET><CODELINE>Todd5000> (enable) set vlan 2 name Sales</CODELINE></CODESNIPPET>
<PARA>The additional information the switch wants you to configure is the VLAN Trunk Protocol (VTP) information. (VTP and trunking are covered in more detail at the end of this chapter, where we will continue with the 5000 switch VLAN configuration.) The 5000 series switch allows you to configure as many ports as you wish to a VLAN at one time. However, the 1900 switch allows you to configure only one interface at a time to a VLAN. </PARA>
<NOTE>Remember that a created VLAN is unused until it is mapped to a switch port or ports and that all ports are always in VLAN 1 unless set otherwise.</NOTE>
<PARA>After you create the VLANs that you want, you use the <INLINECODE>show vlan</INLINECODE> command to see the configured VLANs. However, notice that, by default, all ports on the switch are in VLAN 1. To change that, you need to go to each interface and tell it what VLAN to be a part of: </PARA>
<PARA>You can configure each port to be in a VLAN by using the <INLINECODE>vlan-membership</INLINECODE> command. You can only configure VLANs port by port (there is no command to assign more than one port to a VLAN at a time): </PARA>
<PARA><DROPCAP>V</DROPCAP>LANs can span multiple connected switches, which Cisco calls a switch-fabric. Switches within the switch-fabric must keep track of frames as they are received on the switch ports, and they must keep track of the VLAN they belong to as the frames traverse the switch-fabric. Frame tagging performs this function. Switches can then direct frames to the appropriate port.</PARA>
<PARA>There are two different types of links in a switched environment:</PARA>
<RUNINBLOCK><RUNINHEAD>Access link</RUNINHEAD>
<RUNINPARA>An <KEYTERM>access link</KEYTERM> is a link that is part of only one VLAN, which is referred to as the native VLAN of the port. Any device attached to an access link is unaware of a VLAN membership. This device just assumes it is part of a broadcast domain, with no understanding of the physical network. Switches remove any VLAN information from the frame before it is sent to an access link device. Access link devices cannot communicate with devices outside of their VLAN unless the packet is routed through a router. </RUNINPARA></RUNINBLOCK>
<RUNINBLOCK><RUNINHEAD>Trunk link</RUNINHEAD>
<RUNINPARA>Trunks can carry multiple VLANs. Originally named after the trunks of the telephone system, which carry multiple telephone conversations, <KEYTERM>trunk links</KEYTERM> are used to connect switches to other switches, to routers, or even to servers. Trunked links are supported on FastEthernet or Gigabit Ethernet only. To identify the VLAN that a frame belongs to, Cisco switches support two different identification techniques: Inter-Switch Link (ISL) and 802.1q. Trunk links are used to transport VLANs between devices and can be configured to transport all VLANs or just a few VLANs. Trunk links still have a native VLAN, and that VLAN is used if the trunk link fails.</RUNINPARA></RUNINBLOCK>
<PARA>The switch in an internetwork needs a way to keep track of users and frames as they travel the switch-fabric and VLANs. Frame identification (<KEYTERM>frame tagging</KEYTERM>) uniquely assigns a user-defined ID to each frame. This is sometimes referred to as a VLAN ID or color. </PARA>
<PARA>Cisco created frame tagging to be used when a frame traverses a trunked link. The VLAN tag is removed before the frame exits trunked links. Each switch that the frame reaches must identify the VLAN ID, then make a determination on what to do with the frame based on the filter table. If the frame reaches a switch that has another trunked link, the frame will be forwarded out the trunk link port. Once the frame reaches an exit to an access link, the switch removes the VLAN identifier. The end device will receive the frames without having to understand the VLAN identification. </PARA>
<PARA>If you are using NetFlow switching hardware on your Cisco switches, this will allow devices on different VLANs to communicate after taking just the first packet through the router. This means that communication can occur from port to port on a switch, rather than port to router to port, when traversing VLANs.</PARA>
<!-- <PARA>To keep track of frames traversing a switch-fabric, VLAN identification is used to identify which frames belong to which VLAN. There are multiple trunking methods:</PARA>
<RUNINBLOCK><RUNINHEAD>Inter-Switch Link (ISL)</RUNINHEAD>
<RUNINPARA>Proprietary to Cisco switches, it is used for FastEthernet and Gigabit Ethernet links only. Can be used on switch ports and router interfaces as well as server interface cards to trunk a server. Server trunking is good if you are creating functional VLANs and don't want to break the 80/20 rule. The server that is trunked is part of all VLANs (broadcast domains) simultaneously. The users do not have to cross a layer 3 device to access a company shared server. </RUNINPARA></RUNINBLOCK>
<RUNINBLOCK><RUNINHEAD>IEEE 802.1q</RUNINHEAD>
<RUNINPARA>Created by the IEEE as a standard method of frame tagging. It actually inserts a field into the frame to identify the VLAN. </RUNINPARA></RUNINBLOCK>
<RUNINPARA>Used to communicate with multiple VLANs over ATM. </RUNINPARA></RUNINBLOCK>
<RUNINBLOCK><RUNINHEAD>802.10 (FDDI)</RUNINHEAD>
<RUNINPARA>Used to send VLAN information over FDDI. Uses a SAID field in the frame header to identify the VLAN. This is proprietary to Cisco devices. </RUNINPARA></RUNINBLOCK> -->
<SLUG NONUM="a1"/>
<!-- <NOTE>The Cisco Switching exam covers only the ISL and 802.1q methods of VLAN identification.</NOTE> -->
<SECTION ID="3.3.2.1"><TITLE>Inter-Switch Link Protocol (ISL)</TITLE>
<PARA>Inter-Switch Link Protocol (ISL) is a way of explicitly tagging VLAN information onto an Ethernet frame. This tagging information allows VLANs to be multiplexed over a trunk link through an external encapsulation method. By running ISL, you can interconnect multiple switches and still maintain VLAN information as traffic travels between switches on trunk links. </PARA>
<PARA>Cisco created the ISL protocol, and therefore ISL is proprietary in nature to Cisco devices only. If you need a nonproprietary VLAN protocol, use the 802.1q, which is covered next in this chapter. </PARA>
<PARA>ISL is an external tagging process, which means the original frame is not altered but instead is encapsulated with a new 26-byte ISL header. It also adds a second frame check sequence (FCS) field at the end of the frame. Because the frame is encapsulated with information, only ISL-aware devices can read the frame. Also, the size of the frame can be up to 1,522 bytes long.</PARA>
<PARA>On multi-VLAN (trunk) ports, each frame is tagged as it enters the switch. ISL network interface cards (NICs) allow servers to send and receive frames tagged with multiple VLANs so the frames can traverse multiple VLANs without going through a router, which reduces latency. This technology can also be used with probes and certain network analyzers. In addition, it makes it easy for users to attach to servers quickly and efficiently without going through a router every time they need to communicate with a resource. Administrators can use the ISL technology to simultaneously include file servers in multiple VLANs, for example.</PARA>
<PARA>It is important to understand that ISL VLAN information is added to a frame only if the frame is forwarded out a port configured as a trunk link. The ISL encapsulation is removed from the frame if the frame is forwarded out an access link.</PARA>
</SECTION>
<SECTION ID="3.3.2.2"><TITLE>Standard for Virtual Bridged Local Area Networks (IEEE 802.1q)</TITLE>
<PARA>Unlike ISL, which uses an external tagging process and encapsulates a frame with a new ISL encapsulation, 802.1q uses an internal tagging process by modifying the existing internal Ethernet frame. To both access links and trunk links, the frame looks as if it is just a standard Ethernet frame because it is not encapsulated with VLAN information. The VLAN information is added to a field within the frame itself.</PARA>
<PARA>Like ISL, the purpose of 802.1q is to carry the traffic of more than one subnet down a single cable. 802.1q tags the frame in a standard VLAN format, which allows for the VLAN implementations of multiple vendors. The standard tag allows for an open architecture and standard services for VLANs and a standard for protocols in the provision of these services. Because adding VLAN information to a frame affects the frame length, two committees were created to deal with this issue: 802.3ac and 802.1q. </PARA>
<PARA>The VLAN frame format defined in both the 802.1q and 802.3ac is a 4-byte field that is inserted between the original Ethernet frame Source address field and the Type or Length field. The CRC of the frame must be recomputed whenever the VLAN information is inserted or removed from the frame. The Ethernet frame size can now be up to 1,522 bytes if a tag is inserted. </PARA>
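<PARA>The tag insertion described above, as an added Python example (not code from the book): it inserts and removes the 4-byte tag after the Source address field, recomputes the frame check sequence each time, and shows the 1,518-byte frame growing to 1,522 bytes. The MAC addresses and payloads are constructed sample values, and the tag layout used (TPID 0x8100, then a 3-bit priority, 1-bit CFI and 12-bit VLAN ID) is the 802.1q tag format.</PARA>

```python
import struct
import zlib

TPID_8021Q = 0x8100   # EtherType value that marks an 802.1q tag
MAX_STANDARD = 1518   # largest untagged Ethernet frame, FCS included
MAX_TAGGED = 1522     # largest frame once the 4-byte tag is inserted


def fcs(body: bytes) -> bytes:
    """Ethernet FCS: CRC-32 over the frame, transmitted low byte first."""
    return struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)


def fcs_ok(frame: bytes) -> bool:
    """True when the trailing 4 bytes match the CRC of everything before them."""
    return len(frame) > 18 and fcs(frame[:-4]) == frame[-4:]


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    """Build an untagged frame (constructed sample input), padded to 64 bytes."""
    body = dst + src + struct.pack("!H", ethertype) + payload.ljust(46, b"\x00")
    return body + fcs(body)


def parse_tag(frame: bytes):
    """Return (priority, cfi, vid) for a tagged frame, or None if untagged."""
    if len(frame) < 16:
        return None
    tpid, tci = struct.unpack("!HH", frame[12:16])
    if tpid != TPID_8021Q:
        return None
    return tci >> 13, (tci >> 12) & 0x1, tci & 0x0FFF


def add_tag(frame: bytes, vid: int, priority: int = 0, cfi: int = 0) -> bytes:
    """Insert the tag between Source address and Type/Length, then redo the FCS."""
    if not fcs_ok(frame):
        raise ValueError("bad FCS on ingress frame")
    if not (0 <= vid <= 0xFFF and 0 <= priority <= 7 and cfi in (0, 1)):
        raise ValueError("tag field out of range")
    tci = (priority << 13) | (cfi << 12) | vid
    body = frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:-4]
    return body + fcs(body)


def strip_tag(frame: bytes) -> bytes:
    """Remove the tag (as done before an access link) and redo the FCS."""
    if not fcs_ok(frame) or parse_tag(frame) is None:
        raise ValueError("not a valid tagged frame")
    body = frame[:12] + frame[16:-4]
    body = body.ljust(60, b"\x00")   # keep the 64-byte minimum after removal
    return body + fcs(body)


def size_class(frame: bytes) -> str:
    """Classify frame length the way the text describes it."""
    if len(frame) <= MAX_STANDARD:
        return "standard"
    if len(frame) <= MAX_TAGGED and parse_tag(frame) is not None:
        return "baby giant"
    return "oversize"


if __name__ == "__main__":
    dst = bytes.fromhex("ffffffffffff")      # constructed: broadcast destination
    src = bytes.fromhex("020000000001")      # constructed: locally administered MAC
    full = build_frame(dst, src, 0x0800, bytes(1500))
    tagged = add_tag(full, vid=2)            # VLAN 2, as in the Sales example
    print(len(full), size_class(full))
    print(len(tagged), size_class(tagged), parse_tag(tagged))
```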
<!-- <PARA>The VLAN Tag Protocol Identifier (TPID) is globally assigned and uses an EtherType field value of 0x81-00. The Tag Control Information (TCI) is a 16-bit value and has three fields contained within:</PARA>
<RUNINBLOCK><RUNINHEAD>User Priority</RUNINHEAD>
<RUNINPARA>A 3-bit field used to assign up to eight layers of priority. The highest priority is 0, and 7 is the lowest (specified in 802.1q).</RUNINPARA></RUNINBLOCK>
<RUNINBLOCK><RUNINHEAD>Canonical Format Indicator (CFI) </RUNINHEAD>
<RUNINPARA>A 1-bit field that is always a 0 if running an 802.3 frame. This field was originally designed to be used for Token Ring VLANs, but it was never implemented except for some proprietary Token Ring LANs.</RUNINPARA></RUNINBLOCK>
<RUNINBLOCK><RUNINHEAD>VLAN ID (VID) </RUNINHEAD>
<RUNINPARA>The actual VLAN number the frame is assigned upon entering the switch (12 bits). The reserved VLAN IDs are as follows:</RUNINPARA>
<RUNINBLOCK><RUNINHEAD>0x0-00</RUNINHEAD>
<RUNINPARA>Null, or no VLAN ID, which is used when only priority information is sent </RUNINPARA></RUNINBLOCK>
<RUNINBLOCK><RUNINHEAD>0x0-01</RUNINHEAD>
<RUNINPARA>Default VLAN value of all switches</RUNINPARA></RUNINBLOCK> -->
<PARA>Because Ethernet frames cannot exceed 1,518 bytes and ISL and 802.1q frames can be up to 1,522 bytes, the switch may record the frame as a baby giant frame. </PARA>
</SECTION>
</SECTION>
</SECTION>
<SECTION ID="3.4"><TITLE>Trunking</TITLE>
<PARA><DROPCAP>T</DROPCAP>runk links are point-to-point, 100 or 1000Mbps links between two switches, between a switch and a router, or between a switch and a server. Trunked links carry the traffic of multiple VLANs, from 1 to 1,005 at a time. You cannot run trunked links on 10Mbps links.</PARA>
<PARA>Cisco switches use the Dynamic Trunking Protocol (DTP) to manage trunk negotiation in the Catalyst switch engine software release 4.2 or later, using either ISL or 802.1q. DTP is a point-to-point protocol and was created to send trunk information across 802.1q trunks. Dynamic ISL (DISL) was used to support trunk negotiation on ISL links only before DTP was released in software release 4.1, and before DISL, auto-negotiation of trunk links was not allowed. </PARA>
<PARA>This section will show you how to configure trunked links on both the 5000 series and 1900 series switches. </PARA>
<SECTION ID="3.4.1.1"><TITLE>5000 Switch </TITLE>
<PARA>To configure a trunk on a 5000 series switch, use the <INLINECODE>set trunk</INLINECODE> command, and on the IOS-based switch, use the <INLINECODE>trunk on</INLINECODE> command:</PARA>
<CODESNIPPET><CODELINE>Console> (enable) <EMPHASIS FORMAT="bold">set trunk 2/12 ?</EMPHASIS></CODELINE>
<CODELINE>Usage: set trunk &lt;mod_num/port_num&gt; </CODELINE>
<CODELINE>Console> (enable) <EMPHASIS FORMAT="bold">set trunk 2/12 on isl</EMPHASIS></CODELINE>
<CODELINE>Port(s) 2/12 trunk mode set to on.</CODELINE>
<CODELINE>Port(s) 2/12 trunk type set to isl.</CODELINE>
<CODELINE>Console> (enable) 1997 Mar 21 06:31:54 </CODELINE>
<CODELINE>%DTP-5-TRUNKPORTON:Port 2/12 has become k</CODELINE></CODESNIPPET>
<PARA>Port 2/12 has become a trunk port using ISL encapsulation. Notice that we did not specify the VLANs to trunk. By default, all VLANs would be trunked. Take a look at a configuration in which we specified the VLANs to use:</PARA>
<CODESNIPPET><CODELINE>Console> (enable) <EMPHASIS FORMAT="bold">set trunk 2/12 on 1-5 isl</EMPHASIS></CODELINE>
<CODELINE>Adding vlans 1-5 to allowed list.</CODELINE>
<CODELINE>Please use the 'clear trunk' command to remove </CODELINE>
<CODELINE>vlans from allowed list.</CODELINE>
<CODELINE>Port(s) 2/12 allowed vlans modified to 1-1005.</CODELINE>
<CODELINE>Port(s) 2/12 trunk mode set to on.</CODELINE>
<CODELINE>Port(s) 2/12 trunk type set to isl.</CODELINE></CODESNIPPET>
<PARACONTINUED>Notice that, even though we told the switch to just use VLANs 1-5, it added 1-1005 by default. To remove VLANs from a trunk port, use the <INLINECODE>clear trunk</INLINECODE> command. We'll do that in a minute. </PARACONTINUED>
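<PARA>The allowed-list behaviour shown above, as an added Python model (not switch output and not code from the book): setting VLANs on a trunk only adds to an allowed list that already holds 1-1005, so the list shrinks only when VLANs are cleared. The function names and the comma- or space-separated list format are assumptions made for this example.</PARA>

```python
TRUNK_VLANS = range(1, 1006)   # a trunk carries VLANs 1-1005 by default


def parse_vlans(spec: str) -> set:
    """Parse a list such as '1-5' or '2 7 10-12' into a set of VLAN numbers."""
    vlans = set()
    for part in spec.replace(",", " ").split():
        low, _, high = part.partition("-")
        first, last = int(low), int(high or low)
        if not 1 <= first <= last <= 1005:
            raise ValueError(f"VLAN range out of bounds: {part}")
        vlans.update(range(first, last + 1))
    return vlans


def format_vlans(vlans) -> str:
    """Compress a set of VLAN numbers back into range notation."""
    ordered = sorted(vlans)
    runs, i = [], 0
    while i < len(ordered):
        j = i
        while j + 1 < len(ordered) and ordered[j + 1] == ordered[j] + 1:
            j += 1
        runs.append(str(ordered[i]) if i == j else f"{ordered[i]}-{ordered[j]}")
        i = j + 1
    return ",".join(runs)


def set_trunk(allowed: set, spec: str) -> set:
    """Model of 'set trunk': the listed VLANs are added to the allowed list."""
    return allowed | parse_vlans(spec)


def clear_trunk(allowed: set, spec: str) -> set:
    """Model of 'clear trunk': the listed VLANs are removed from the allowed list."""
    return allowed - parse_vlans(spec)


def excess_vlans(allowed: set, intended: str) -> str:
    """VLANs the trunk still carries beyond the ones the administrator intended."""
    return format_vlans(allowed - parse_vlans(intended))


if __name__ == "__main__":
    allowed = set_trunk(set(TRUNK_VLANS), "1-5")
    print("allowed after set:  ", format_vlans(allowed))
    print("not intended:       ", excess_vlans(allowed, "1-5"))
    allowed = clear_trunk(allowed, "6-1005")
    print("allowed after clear:", format_vlans(allowed))
```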
<!-- <PARA>We need to explain the different options for turning up a trunk port:</PARA>
<RUNINBLOCK><RUNINHEAD>On</RUNINHEAD>
<RUNINPARA>The switch port is a permanent trunk port regardless of the other end. If you use the on state, you must specify the frame tagging method because it will not negotiate with the other end. </RUNINPARA></RUNINBLOCK>
<RUNINBLOCK><RUNINHEAD>Off</RUNINHEAD>
<RUNINPARA>The port becomes a permanent non-trunk link.</RUNINPARA></RUNINBLOCK>
<RUNINBLOCK><RUNINHEAD>Desirable</RUNINHEAD>
<RUNINPARA>The port you want to trunk becomes a trunk port only if the neighbor port is a trunk port set to on, desirable, or auto. </RUNINPARA></RUNINBLOCK>
<RUNINBLOCK><RUNINHEAD>Auto</RUNINHEAD>
<RUNINPARA>The port wants to become a trunk port but becomes a trunk only if the neighbor port asked the port to be a trunk. This is the default for all ports. However, because auto switch ports will never ask (they only respond to trunk requests), two ports will never become a trunk if they are both set to auto. </RUNINPARA></RUNINBLOCK>
<RUNINBLOCK><RUNINHEAD>Nonegotiate</RUNINHEAD>
<RUNINPARA>Makes a port a permanent trunk port, but the port does not use DTP frames for communication. If you're having DTP problems with a switch port connected to a non-switch device, then use the <INLINECODE>nonegotiate</INLINECODE> command when using the <INLINECODE>set trunk</INLINECODE> command. This will allow the port to be trunked, but you won't be sent any DTP frames. </RUNINPARA></RUNINBLOCK> -->
<SLUG NONUM="a3"/>
</SECTION>
<SECTION ID="3.4.1.2"><TITLE>1900 Switch</TITLE>
<PARA>The 1900 switch has the same options but runs only the DISL encapsulation method: </PARA>
<SECTION ID="3.4.2"><TITLE>Clearing VLANs from Trunk Links</TITLE>
<PARA>As demonstrated in the preceding sections, all VLANs are configured on a trunk link unless cleared by an administrator. If you want a trunk link to not carry VLAN information because you want to stop broadcasts on a certain VLAN from traversing the trunk link, or because you want to stop topology change information from being sent across a link where a VLAN is not supported, use the <INLINECODE>clear trunk</INLINECODE> command. </PARA>
<PARA>This section will show you how to clear VLANs from trunked links on both the 5000 and 1900 series of switches. </PARA>
<SECTION ID="3.4.2.1"><TITLE>5000 Series</TITLE>
<PARA>The command to clear a VLAN from a trunked link is <INLINECODE>clear trunk slot/port vlans</INLINECODE>. Here is an example: </PARA>
<PARA>Per Cisco documentation, you can clear up to 10 VLANs at once. The syntax is <INLINECODE>no trunk-vlan &lt;vlan-list&gt;</INLINECODE>. The VLANs must be separated by spaces. Typically, you wouldn't clear more than a few VLANs anyway, because functionally, it makes no difference if they are turned on or not. If you have security, broadcast, or routing update issues, you need to consider clearing VLANs from a trunked link. </PARA>
<PARA>To verify your trunk ports, use the <INLINECODE>show trunk</INLINECODE> command. If you have more than one port trunking and want to see statistics on only one trunk port, you can use the <INLINECODE>show trunk [port_number]</INLINECODE> command:</PARA>
<PARA>On the 1900 switch, it is the same command, but it can be run only on FastEthernet ports 26 and 27. For some reason, when the <INLINECODE>show trunk</INLINECODE> command is used, the IOS calls these ports A and B:</PARA>
<PARA><DROPCAP>V</DROPCAP>LAN Trunk Protocol (VTP) was created by Cisco to manage all the configured VLANs across a switched internetwork and to maintain consistency throughout the network. VTP allows an administrator to add, delete, and rename VLANs, and these changes would then be propagated to all switches.</PARA>
<PARA>VTP provides the following benefits to a switched network:</PARA>
<LIST MARK="bullet">
<LISTITEM><PARA>Consistent configuration of VLANs across all switches in the network</PARA></LISTITEM>
<LISTITEM><PARA>Allowing VLANs to be trunked over mixed networks, like Ethernet to ATM LANE or FDDI</PARA></LISTITEM>
<LISTITEM><PARA>Accurate tracking and monitoring of VLANs</PARA></LISTITEM>
<LISTITEM><PARA>Dynamic reporting when VLANs are added to all switches</PARA></LISTITEM>
<LISTITEM><PARA>Plug-and-play VLAN adding to the switched network </PARA></LISTITEM>
</LIST>
<PARA>To allow VTP to manage your VLANs across the network, you must first create a VTP server. All servers that need to share VLAN information must use the same domain name, and a switch can be in only one domain at a time. This means that a switch can share VTP domain information only with switches configured in the same VTP domain. </PARA>
<PARA>A VTP domain can be used if you have more than one switch connected in a network. If all switches in your network are in only one VLAN, then VTP doesn't need to be used. VTP information is sent between switches via a trunk port between the switches. </PARA>
<PARA>Switches advertise VTP management domain information as well as a configuration revision number and all known VLANs with any specific parameters. </PARA>
<PARA>You can configure switches to forward VTP information through trunk ports but neither accept information updates nor update their VTP database. This is called VTP transparent mode. </PARA>
<PARA>You can set up a VTP domain with security by adding passwords, but remember that every switch must be set up with the same password, which may be difficult. However, if you are having problems with users adding switches to your VTP domain, then a password can be used. </PARA>
<PARA>Switches detect the additional VLANs within a VTP advertisement and then prepare to receive information on their trunk ports with the newly defined VLAN in tow. The information would be VLAN ID, 802.10 SAID fields, or LANE information. Each update is sent out with a revision number that is the previous notification's number plus 1. Anytime a switch sees a higher revision number, it knows the information it receives is more current and will overwrite the current database with the new one. </PARA>
<PARA>Do you remember the <INLINECODE>clear config all</INLINECODE> command we talked about in <NOBR REF="2">Chapter 2</NOBR>? Well, guess what? It really doesn't "clear all" after all. It seems that VTP has its own NVRAM, which means that VTP information as well as the revision number would still be present if you perform a <INLINECODE>clear config all</INLINECODE> and think that the configuration is gone. You can clear the revision number by power-cycling the switch.</PARA>
<SECTION ID="3.5.1" POS="1"><TITLE>VTP Modes of Operation</TITLE>
<!-- <PARA>There are three different modes of operation within a VTP domain: server, client, and transparent. Figure 3.4 shows the three VTP modes.</PARA> -->
<PARA>VTP server mode is the default for all Catalyst switches. You need at least one server in your VTP domain to propagate VLAN information throughout the domain. The following must be completed within server mode:</PARA>
<LIST MARK="bullet">
<LISTITEM><PARA>Create, add, or delete VLANs on a VTP domain. </PARA></LISTITEM>
<LISTITEM><PARA>Change VTP information. Any change made to a switch in server mode is advertised to the entire VTP domain. </PARA></LISTITEM>
</LIST>
</SECTION> -->
<!-- <SECTION ID="3.5.1.2"><TITLE>Client</TITLE>
<PARA>VTP clients receive information from VTP servers and send and receive updates, but they cannot make any changes. No ports on a client switch can be added to a new VLAN before the VTP server notifies the client switch about the new VLAN. If you want a switch to become a server, first make it a client so that it receives all the correct VLAN information, then change it to a server. </PARA>
<PARA>VTP transparent switches do not participate in the VTP domain, but they will still forward VTP advertisements through the configured trunk links. However, for a transparent switch to advertise the VLAN information out the configured trunk links, VTP version 2 must be used. If not, the switch will not forward anything. VTP transparent switches can add and delete VLANs because they keep their own database and do not share it with other switches. Transparent switches are considered locally significant.</PARA>
<!-- <PARA>Once the different types of VTP switches are defined, the switches can start advertising VTP information between them. VTP switches advertise information they know about only on their trunk ports. They advertise the following:</PARA>
<LISTITEM><PARA>VLANs the switch knows about</PARA></LISTITEM>
<LISTITEM><PARA>Parameters for each VLAN</PARA></LISTITEM>
</LIST>
<PARA>The switches use multicast addresses so all neighbor devices receive the frames. A VTP server creates new VLANs, and that information is propagated through the VTP domain. </PARA>
<PARA>Figure 3.5 shows the three different VTP advertisements: client, summary, and subset.</PARA> -->
<RUNINPARA>Clients can send requests for VLAN information to a server. Servers will respond with both summary and subset advertisements. </RUNINPARA></RUNINBLOCK>
<RUNINBLOCK><RUNINHEAD>Summary</RUNINHEAD>
<RUNINPARA>These advertisements are sent out every 300 seconds on VLAN 1 and every time a change occurs. </RUNINPARA></RUNINBLOCK>
<RUNINBLOCK><RUNINHEAD>Subset</RUNINHEAD>
<RUNINPARA>These advertisements are VLAN specific and contain details about each VLAN. </RUNINPARA></RUNINBLOCK>
<PARA>The summary advertisements can contain the following information:</PARA>
<RUNINPARA>May or may not be used.</RUNINPARA></RUNINBLOCK>
<RUNINBLOCK><RUNINHEAD>MD5Digest</RUNINHEAD>
<RUNINPARA>The key sent with the update when a password is assigned to the domain. If the key doesn't match, the update is ignored. </RUNINPARA></RUNINBLOCK>
<PARA>The subset advertisements contain specific information about a VLAN. Once an administrator adds, deletes, or renames a VLAN, the switches are notified that they are about to receive a VLAN update on their trunk links via the VLAN-info field 1. Figure 3.6 shows the VTP subset advertisement inside this field.</PARA> -->
<!-- <PARA>The revision number is the most important piece in the VTP advertisement. Figure 3.7 shows an example of how a revision number is used in an advertisement.</PARA> -->
<SLUG NUM="3.7">Figure 3.7: VTP revision number [f0307.eps]</SLUG>
<!-- <PARA>Figure 3.7 shows a configuration revision number as N. As a database is modified, the VTP server increments the revision number by 1. The VTP server then advertises the database with the new configuration revision number.</PARA>
<PARA>When a switch receives an advertisement that has a higher revision number, then the switches will overwrite the database in NVRAM with the new database being advertised.</PARA> -->
<PARA>There are several options that you need to be aware of before attempting to configure the VTP domain: </PARA>
<LIST MARK="number">
<LISTITEM><PARA>Consider the revision number of the VTP you will run.</PARA></LISTITEM>
<LISTITEM><PARA>Decide if the switch is going to be a member of an already existing domain or if you are creating a new one. To add it to an existing domain, find the domain name and password, if used. </PARA></LISTITEM>
<LISTITEM><PARA>Choose the VTP mode for each switch in the internetwork.</PARA></LISTITEM>
</LIST>
<SECTION ID="3.5.4.1"><TITLE>Configure the VTP Version</TITLE>
<!-- <PARA>There are two different versions of VTP that are configurable on Cisco switches. Version 1 is the default VTP version on all switches and is typically used. No VTP version configuration is needed if you will be running version 1. Version 1 and version 2 are not compatible, so it is an all-or-nothing configuration for your switches. However, if all of your switches are VTP version 2 compatible, changing one switch changes all of them. Be careful if you are not sure if all of your switches are version 2 compatible. </PARA>
<PARA>You would configure version 2 for the following reasons:</PARA>
<RUNINBLOCK><RUNINHEAD>Token Ring VLAN support</RUNINHEAD>
<RUNINPARA>In order to run Token Ring, you must run version 2 of the VTP protocol. This means that all switches must be capable of running version 2. </RUNINPARA></RUNINBLOCK>
<RUNINBLOCK><RUNINHEAD>TLV support</RUNINHEAD>
<RUNINPARA>Unrecognized type-length-value (TLV) support. If a VTP advertisement is received and has an unrecognized type-length-value, the version 2 VTP switches will still propagate the changes through their trunk links. </RUNINPARA></RUNINBLOCK>
<RUNINPARA>Switches can run in transparent mode, which means that they will only forward messages and advertisements, not add them to their own database. In version 1, the switch will check the domain name and version before forwarding, but in version 2, the switches will forward VTP messages without checking the version. </RUNINPARA></RUNINBLOCK>
<RUNINPARA>Consistency checks are run when an administrator enters new information in the switches, either with the CLI or other management software. If information is received by an advertisement or read from NVRAM, a consistency check is not run. A switch will check the digest on a VTP message, and if it is correct, no consistency check will be made. </RUNINPARA></RUNINBLOCK>
<PARA>To configure VTP version 2, use the <INLINECODE>set vtp v2 enable</INLINECODE> command:</PARA>
<SECTION ID="3.5.4.2"><TITLE>Configure the Domain</TITLE>
<PARA>After you decide which version to run, set the VTP domain name and password on the first switch. The VTP name can be up to 32 characters long. On the 5000, you can set the VTP domain password (the password is a minimum of 8 characters with a maximum of 64): </PARA>
<SECTION ID="3.5.4.3"><TITLE>Configure the VTP Mode</TITLE>
<PARA>Create your first switch as a server, and then create the connected switches as clients, or whatever you decided to configure them as. You don't have to do this as a separate command as we did; you can configure the VTP information in one line, including passwords, modes, and versions: </PARA>
<SECTION ID="3.5.4.4"><TITLE>Verifying the VTP Configuration</TITLE>
<PARA>You can verify the VTP domain information by using the commands <INLINECODE>show vtp domain</INLINECODE> and <INLINECODE>show vtp statistics</INLINECODE>. However, you cannot run a <INLINECODE>show vtp domain</INLINECODE> command on a 1900. </PARA>
<PARA>The <INLINECODE>show vtp domain</INLINECODE> command will show you the domain name, mode, and pruning information: </PARA>
<PARA>The <INLINECODE>show vtp statistics</INLINECODE> command shows a summary of VTP advertisement messages sent and received. It also will show configuration errors if detected:</PARA>
<SECTION ID="3.5.5"><TITLE>Adding to a VTP Domain</TITLE>
<PARA>You need to be careful when adding a new switch into an existing domain. If a switch is inserted into the domain and has incorrect VLAN information, the result could be a VTP database propagated throughout the internetwork with false information. </PARA>
<PARA>Before inserting a switch, make sure that you follow these three steps:</PARA>
<LIST MARK="number">
<LISTITEM><PARA>Perform a <INLINECODE>clear config all</INLINECODE> to remove any existing VLAN configuration on a set-based switch. On the 1900, use the <INLINECODE>delete NVRAM</INLINECODE> command. </PARA></LISTITEM>
<LISTITEM><PARA>Power-cycle the switch to clear the VTP NVRAM. </PARA></LISTITEM>
<LISTITEM><PARA>Configure the switch to perform the mode of VTP that it will participate in. Cisco's rule of thumb is that you create several VTP servers in the domain, with all the other switches set to client mode.</PARA></LISTITEM>
</LIST>
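<PARA>The update rule that makes these steps necessary can be modeled in a few lines. The following is an added example, not code from the book or from Cisco: a simplified Python model of the acceptance checks described in this chapter (domain name, MD5Digest, higher revision number). The class and function names, the revision values, and the digest computation are assumptions made for illustration; the real VTP digest is computed differently.</PARA>

```python
import hashlib
from dataclasses import dataclass, field


def digest(password, domain, revision, vlans):
    # Stand-in for the MD5Digest field; the real VTP digest layout differs.
    blob = repr((password, domain, revision, sorted(vlans.items()))).encode()
    return hashlib.md5(blob).hexdigest()


@dataclass
class Advert:
    domain: str
    revision: int
    vlans: dict
    md5: str


@dataclass
class Switch:
    name: str
    domain: str
    mode: str = "server"            # server | client | transparent
    password: str = ""
    revision: int = 0
    vlans: dict = field(default_factory=lambda: {1: "default"})

    def advertise(self):
        return Advert(self.domain, self.revision, dict(self.vlans),
                      digest(self.password, self.domain, self.revision, self.vlans))

    def receive(self, ad):
        if self.mode == "transparent":
            return "forwarded"          # own database is left untouched
        if ad.domain != self.domain:
            return "ignored: domain"
        if ad.md5 != digest(self.password, ad.domain, ad.revision, ad.vlans):
            return "ignored: digest"    # password mismatch
        if ad.revision <= self.revision:
            return "ignored: revision"
        self.vlans, self.revision = dict(ad.vlans), ad.revision
        return "overwritten"


def insertion_risk(new, domain_revision):
    """True if the new switch's database would replace the domain's."""
    return new.mode != "transparent" and new.revision > domain_revision


if __name__ == "__main__":
    # Constructed sample: lab VLANs from this chapter, invented revisions.
    core = Switch("5000", "Routersim", revision=7,
                  vlans={1: "default", 2: "Sales", 3: "Mrkt", 4: "Accnt"})
    stale = Switch("1900A", "Routersim", mode="client", revision=42,
                   vlans={1: "default", 99: "Test"})
    print("risk before insert:", insertion_risk(stale, core.revision))
    print("core:", core.receive(stale.advertise()), core.vlans)
```

<PARA>A switch whose revision number has been reset to 0 fails the revision check on every existing switch and takes the domain's database instead, and a domain password causes the stale advertisement to be ignored at the digest check.</PARA>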
</SECTION>
<SECTION ID="3.5.6"><TITLE>VTP Pruning</TITLE>
<PARA>To preserve bandwidth, you can configure VTP to reduce the number of broadcasts, multicasts, and other unicast packets. This is called <KEYTERM>VTP pruning</KEYTERM>. VTP restricts broadcasts to only trunk links that must have the information. If a trunk link does not need the broadcasts, the information is not sent. VTP pruning is disabled by default on all switches. </PARA>
<PARA>For example, if a switch does not have any ports configured for VLAN 5 and a broadcast is sent throughout VLAN 5, the broadcast would not traverse the trunk link going to the switch without any VLAN 5 members. </PARA>
<PARA>Enabling pruning on a VTP server enables pruning for the entire domain, and by default, VLANs 2 through 1005 are eligible for pruning. VLAN 1 can never be pruned. </PARA>
<PARA>Use the following command to set VLANs to be eligible for pruning: </PARA>
<PARA>Notice, once again, that when you enable a VLAN for pruning, by default, it configures all of the VLANs. Use the following command to clear the unwanted VLANs:</PARA>
<PARA>To verify the pruned state of a trunk port, use the <INLINECODE>show trunk</INLINECODE> command.</PARA>
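<PARA>The pruning decision described in this section can be worked through for a small topology. The following is an added example, not code from the book or from Cisco: a simplified Python model that computes which VLANs still cross each trunk once pruning is enabled. The function names and the second access switch (1900B) are hypothetical; the VLAN numbers follow the chapter's lab and its VLAN 5 example, and spanning-tree state is not modeled.</PARA>

```python
PRUNE_ELIGIBLE = range(2, 1006)   # VLANs 2 through 1005; VLAN 1 is never pruned


def needed_beyond(links, members, src, dst):
    """VLANs with access ports on dst or on any switch reached through dst
    without going back across the src-dst trunk."""
    seen, stack, vlans = {src}, [dst], set()
    while stack:
        sw = stack.pop()
        if sw in seen:
            continue
        seen.add(sw)
        vlans |= members.get(sw, set())
        stack.extend(links.get(sw, ()))
    return vlans


def carried(links, members, src, dst, configured, pruning=True):
    """VLANs whose broadcasts cross the trunk from src towards dst."""
    if not pruning:                      # the default: nothing is pruned
        return set(configured)
    need = needed_beyond(links, members, src, dst)
    return {v for v in configured if v not in PRUNE_ELIGIBLE or v in need}


# Constructed topology: the chapter's 5000 and 1900A plus a hypothetical 1900B.
LINKS = {"5000": ["1900A", "1900B"], "1900A": ["5000"], "1900B": ["5000"]}
MEMBERS = {"5000": {2, 3, 4}, "1900A": {2, 3, 4}, "1900B": {5}}
CONFIGURED = {1, 2, 3, 4, 5}

if __name__ == "__main__":
    for src, dst in [("5000", "1900A"), ("5000", "1900B"), ("1900B", "5000")]:
        print(src, "->", dst, sorted(carried(LINKS, MEMBERS, src, dst, CONFIGURED)))
```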
</SECTION>
</SECTION>
<SECTION ID="3.6"><TITLE>Summary</TITLE>
<PARA><DROPCAP>I</DROPCAP>n this chapter, you learned how to break up broadcast domains in layer 2 switched networks: by creating virtual LANs. When you create VLANs, you are able to create smaller broadcast domains within a switch by assigning different ports in the switch to different subnetworks. </PARA>
<PARA>We showed you how to configure VLANs on both set-based and IOS-based switches. It is important to understand how to configure VLANs on both types of switch as well as how to set the configuration of VLANs on individual interfaces.</PARA>
<PARA>We also showed you how to configure trunking between links on an access layer switch and a distribution layer switch, where trunking allows you to send information about multiple VLANs down one link, in contrast to an access link that only can send information about one VLAN. </PARA>
<PARA>The chapter ended with a discussion of VLAN Trunk Protocol (VTP), which really doesn't have much to do with trunking other than the fact that VTP information is sent down trunked links only. VTP is used to update all switches in the internetwork with VLAN information.</PARA>
<TABULARENTRY>Shows the VTP domain configurations</TABULARENTRY>
</TABULARROW>
</TABULARBODY>
</TABULARDATA>
</SECTION>
</SECTION>
<TESTSECTION ID="3.7"><TITLE>Written Lab</TITLE>
<!-- <PARA>Answer the following questions by writing out the answer. </PARA>
<TESTDATA>
<TESTBLOCK><QUESTIONBLOCK><QUESTION>What command will create VLAN 35 on a 5000 series switch named Sales using ports 5 through 9 on card 3?</QUESTION></QUESTIONBLOCK></TESTBLOCK>
<TESTBLOCK><QUESTIONBLOCK><QUESTION>What command will set the VTP domain name to Acme and the switch to a VTP client on a set-based switch?</QUESTION></QUESTIONBLOCK></TESTBLOCK>
<TESTBLOCK><QUESTIONBLOCK><QUESTION>What command would you use on a 1900 switch and a set-based switch to see the configured VLANs?</QUESTION></QUESTIONBLOCK></TESTBLOCK>
<TESTBLOCK><QUESTIONBLOCK><QUESTION>What type of frame tagging places a VLAN identifier into the frame header?</QUESTION></QUESTIONBLOCK></TESTBLOCK>
<TESTBLOCK><QUESTIONBLOCK><QUESTION>What type of frame tagging encapsulates the frame with VLAN information?</QUESTION></QUESTIONBLOCK></TESTBLOCK>
<TESTBLOCK><QUESTIONBLOCK><QUESTION>What protocol handles the negotiation of trunked links?</QUESTION></QUESTIONBLOCK></TESTBLOCK>
<TESTBLOCK><QUESTIONBLOCK><QUESTION>How do you configure trunking on a set-based switch, port 1/1, using ISL tagging?</QUESTION></QUESTIONBLOCK></TESTBLOCK>
<TESTBLOCK><QUESTIONBLOCK><QUESTION>What command would you use to clear VLANs 10 through 14 from the trunked link 1/1 on a 5000 switch?</QUESTION></QUESTIONBLOCK></TESTBLOCK>
<TESTBLOCK><QUESTIONBLOCK><QUESTION>What command will display the VTP statistics on a 5000 series switch?</QUESTION></QUESTIONBLOCK></TESTBLOCK>
<TESTBLOCK><QUESTIONBLOCK><QUESTION>If the VTP domain is already configured, how would you set a VTP password on a 5000 switch to cisco?</QUESTION></QUESTIONBLOCK></TESTBLOCK>
</TESTDATA> -->
<SLUG NONUM="w1"/>
</TESTSECTION>
<SECTION ID="3.8"><TITLE>Hands-On Lab</TITLE>
<PARA>In this lab, you will continue to configure the network used in the hands-on lab in <NOBR REF="2">Chapter 2</NOBR>. This lab will configure the network with VTP domain information and trunking. Figure 3.8 is a review of the lab we are configuring. </PARA>
<SLUG NUM="3.8">Figure 3.8: Switched internetwork for hands-on lab [f0308.eps]</SLUG>
<LIST MARK="number">
<LISTITEM><PARA>Start with the 5000 series switch and configure the VTP domain as Routersim:</PARA>
<LISTITEM><PARA>The default VTP mode is server, which is what you want the 5000 series switch to be. The 1900 switch will be a VTP client. Create three VLANs on the 5000 series switch:</PARA>
<LIST MARK="bullet">
<LISTITEM><PARA>VLAN 1 is the default; it will be used for management.</PARA></LISTITEM>
<LISTITEM><PARA>VLAN 2 will be the Sales VLAN and will use IP network 172.16.20.0. Ports 1 and 2 on card 2 will be used. </PARA></LISTITEM>
<LISTITEM><PARA>VLAN 3 will be the Mrkt VLAN and will use IP network 172.16.30.0. Ports 3 and 4 on card 2 will be used. </PARA></LISTITEM>
<LISTITEM><PARA>VLAN 4 will be the Accnt VLAN and will use IP network 172.16.40.0. Ports 5 and 6 on card 2 will be used. </PARA></LISTITEM>
</LIST>
<PARA>Here is the configuration:</PARA>
<CODESNIPPET>
<CODELINE><EMPHASIS FORMAT="bold">set vlan 2 name Sales</EMPHASIS></CODELINE>
<CODELINE><EMPHASIS FORMAT="bold">set vlan 3 name Mrkt</EMPHASIS></CODELINE>
<CODELINE><EMPHASIS FORMAT="bold">set vlan 4 name Accnt</EMPHASIS></CODELINE>
</CODESNIPPET></LISTITEM>
<LISTITEM><PARA>Because you want VLAN information to be propagated to the 1900 switch, a trunked link needs to be configured between both the switches. Set the trunked link on port 1/1 and port 1/2 of the 5000 switch. These are your connections to the access layer switch (1900A). Remember that the 1900 switch can use only ISL trunking, so the 5000 needs to be configured with ISL trunking:</PARA>
<CODESNIPPET><CODELINE><EMPHASIS FORMAT="bold">set trunk 1/1 on isl</EMPHASIS></CODELINE>
<CODELINE><EMPHASIS FORMAT="bold">set trunk 1/2 on isl</EMPHASIS></CODELINE></CODESNIPPET></LISTITEM>
<LISTITEM><PARA>Type the command to view the trunked link:</PARA>
<LISTITEM><PARA>Before any VLAN information will be propagated through the internetwork, you need to make both interface f0/26 and f0/27 a trunked link: </PARA>
<PARA>You should see all configured VLANs.</PARA></LISTITEM>
<LISTITEM><PARA>Once you have the trunked link working and have received the VLAN information, you can assign VLANs to individual ports on the switch. Assign ports 1 and 2 to VLAN 2, ports 3 and 4 to VLAN 3, and ports 5 and 6 to VLAN 4:</PARA>
<TESTSECTION ID="3.9"><TITLE>Answers to Written Lab</TITLE>
<TESTDATA>
<TESTBLOCK><ANSWERBLOCK><ANSWER><CODESNIPPET><CODELINE>set vlan 35 name Sales</CODELINE><CODELINE>set vlan 35 3/5-9</CODELINE></CODESNIPPET></ANSWER></ANSWERBLOCK></TESTBLOCK>