unidad02-redes lan virtuales

Exploration03

Curso: Enrutamiento y conmutación de redes

Equipo de Profesores del Curso

UNIDAD 3

Al término de la unidad, los alumnos estaran en condiciones de poder configurar redes inalambricas, verificar las configuraciones de los puntos de acceso y configurar los protocolos de seguridad.

Redes Inalámbricas

Temario

• LAN Virtuales

• Protocolo VTP

• Protocolo Spanning Tree

• Ruteo Inter VLAN

SESIÓN 1

Lan Virtuales

•Concepto de VLANs•Operación de las VLANs•Dominios de broadcast con VLAN y Routers

Parte 1: VLANsRequerimientos de las VLANs

• Need to split up broadcast domains to make good use of bandwidth

• People in the same department may need to be grouped together for access to servers

• Seguridad: restrict access by certain users to some areas of the LAN

• Provide a way for different areas of the LAN to communicate with each other

Solución usando routers

• Divide the LAN into subnets

• Use routers to link the subnets

Solución usando routers

PERO ….

• Routers are expensive

• Routers are slower than switches

• Subnets are restricted to limited physical areas

• Subnets are inflexible

Solución usando VLANs

• VLAN membership can be by function and not by location

• VLANs managed by switches

• Routers needed for communication between VLANs

VLANs

• All hosts in a VLAN have addresses in the same subnet. A VLAN is a subnet.

• Broadcasts are kept within the VLAN.

A VLAN is a broadcast domain.• The switch has a separate MAC address table

for each VLAN. Traffic for each VLAN is kept separate from other VLANs.

• Layer 2 switches cannot route between VLANs.

Rangos de los VLAN IDs

• Access VLANs are divided:

1. Rango Normal

2. Rango Extendido

1. Rango Normal

• Identified by a VLAN ID between 1 and 1005. • IDs 1002 through 1005 are reserved for Token Ring and FDDI

VLANs.• IDs 1 and 1002 to 1005 are automatically created and cannot be

removed. • Configurations are stored within a VLAN database file, called

vlan.dat. • The vlan.dat file is located in the flash memory of the switch.• The VLAN trunking protocol (VTP), which helps manage VLAN

configurations between switches, can only learn normal range VLANs and stores them in the VLAN database file.

2. Rango Extendido

• Enable service providers to extend their infrastructure to a greater number of customers. Some global enterprises could be large enough to need extended range VLAN IDs.

• Identified by a VLAN ID between 1006 and 4094.

• Support fewer VLAN features than normal range VLANs.

• Are saved in the running configuration file.

• VTP does not learn extended range VLANs.

Tipos de VLANs

1. Data VLAN

2. Default VLAN

3. Native VLAN

4. Management VLAN

1. Data VLAN

• VLAN that is configured to carry only user-generated traffic.

• It is common practice to separate voice and management traffic from data traffic.

• A data VLAN is sometimes referred to as a user VLAN.

Data VLAN

2. Default VLAN

• All switch ports are members of the default VLAN after the initial boot up of the switch.

• The default VLAN for Cisco switches is VLAN 1. VLAN 1 has all the features of any VLAN, except that you cannot rename it and you can not delete it.

• Layer 2 control traffic, such as CDP and spanning tree protocol traffic, will always be associated with VLAN 1 - this cannot be changed.

3. Native VLAN

• A native VLAN is assigned to an 802.1Q trunk port.

• Un puerto de enlace troncal 802.1 Q admite el tráfico que llega de muchas VLAN (tráfico etiquetado) como también el tráfico que no llega de una VLAN (tráfico no etiquetado).

• El puerto de enlace troncal 802.1Q coloca el tráfico no etiquetado en la VLAN nativa.

4. Management VLAN

• A VLAN you configure to access the management capabilities of a switch.

• VLAN 1 would serve as the management VLAN• You assign the management VLAN an IP address

and subnet mask. • A switch can be managed via HTTP, Telnet, SSH,

or SNMP.

5. Voice VLAN

El tráfico de VoIP requiere:

• Ancho de banda garantizado para asegurar la calidad de la voz

• Prioridad de la transmisión sobre los tipos de tráfico de la red

• Capacidad para ser enrutado en áreas congestionadas de la red

• Demora de menos de 150 milisegundos (ms) a través de la red

Voice VLAN• VLAN 150 is designed to carry voice traffic.• The student computer PC5 is attached to the Cisco IP phone, and

the phone is attached to switch S3.• PC5 is in VLAN 20, which is used for student data. • The F0/18 port on S3 is configured to be in voice mode so that it will

tell the phone to tag voice frames with VLAN 150. • Data frames coming through the Cisco IP phone from PC5 are left

untagged. • Data destined for PC5 coming from port F0/18 is tagged with VLAN

20 on the way to the phone, which strips the VLAN tag before the data is forwarded to PC5.

• Tagging refers to the addition of bytes to a field in the data frame which is used by the switch to identify which VLAN the data frame should be sent to. You will learn later about how data frames are tagged.

Voice VLAN

A Cisco Phone is a Switch

• The Cisco IP Phone 7960 contains an integrated three-port 10/100 switch as shown in the Figure. The ports provide dedicated connections to these devices:

1. Port 1 connects to the switch or other voice-over-IP (VoIP) device.

2. Port 2 is an internal 10/100 interface that carries the IP phone traffic.

3. Port 3 (access port) connects to a PC or other device.

8 Apr 2023 S Ward Abingdon and Witney College

Ejemplo de configuración: Voice VLAN

Static VLAN

• The normal Type Port configured to be on a VLAN. Connected device is on this VLAN.

• VLAN can be created using CLI command, given number and name.

• VLAN can be learned from another switch.

• If a port is put on a VLAN and the VLAN does not exist, then the VLAN is created.

Static VLAN (Port-centric)

• If VLAN 20 did not exist before – then it does now.

Voice VLAN

• A port is configured to be in voice mode so that it can support an IP phone attached to it. Before you configure a voice VLAN on the port, you need to first configure a VLAN for voice and a VLAN for data.

Voice VLAN

• Configured for voice VLAN and data VLAN.

Dynamic VLAN

• Not widely used.

• Use a VLAN Membership Policy Server (VMPS).

• Assign a device to a VLAN based on its MAC address.

• Connect device, server assigns VLAN.

• Useful if you want to move devices around.

Layer 3 switch• A Layer 3 switch has the ability to route transmissions

between VLANs. • The procedure is the same as described for the inter-VLAN

communication using a separate router, except that the SVIs act as the router interfaces for routing the data between VLANs.

(SVI - switch virtual interface )

Tag to identify VLAN

• Tag is added to the frame when it goes on to the trunk

• Tag is removed when it leaves the trunk

Etiqueta de la VLAN

Etiqueta de VLAN

3 bits para la prioridad del usuario:Utilizado por el estándar 802.1p, que especifica cómo proporcionar transmisión acelerada de las tramas de la Capa 2.Proporciona un mecanismo para implementar Calidad de Servicio (QoS) a nivel de MAC (Media Access Control).

1 bit of Canonical Format Identifier (CFI): Permite que las tramas Token Ring se transporten

con facilidad a través de los enlaces Ethernet.12 bits of VLAN ID (VID) :

VLAN identification numbers; supports up to 4096 VLAN IDs.

Trama etiquetadas en la VLAN Nativa

• El tráfico de control envíado en la VLAN nativa debe estar sin etiquetar.

• Si un puerto de enlace troncal 802.1Q recibe una trama etiquetada en la VLAN nativa, este descarta la trama.

• Como consecuencia, al configurar un puerto de switch en un switch Cisco, es necesario identificar estos dispositivos y configurarlos de manera que no envíen tramas etiquetadas en la VLAN nativa.

Trama sin etiquetar en la VLAN Nativa

• Cuando un puerto de enlace troncal de switch Cisco recibe tramas sin etiquetar, éste envía esas tramas a la VLAN nativa.

• La VLAN nativa predeterminada es la VLAN 1.• Si la VLAN 99 se configura como la VLAN

nativa, el PVID es 99 y todo el tráfico sin etiquetar se envía a la VLAN 99. Si la VLAN nativa no ha sido configurada nuevamente, el valor de PVID se configura para la VLAN 1.


Configuración de enlaces troncales

Untagged Frames on the Native VLAN


Parte3 :DTP (Protocolo de enlace troncal dinámico)

• Protocolo propietario de Cisco.• Switches de otros fabricantes no soportan DTP.

• El DTP es habilitado automáticamente en un puerto de switch cuando algunos modos de enlace troncal se configuran en el puerto de switch.

Trunking Modes

• The trunking mode defines how the port negotiates using DTP to set up a trunk link with its peer port.

1. ON #switchport mode trunk

2. Dynamic Auto #switchport mode auto

3. Dynamic Desirable switchport mode dynamic desirable

4. DTP off #switchport nonegotiate

ON • #switchport mode trunk

• The local switch port advertises to the remote port that it is dynamically changing to a trunking state.

• The local port then, regardless of what DTP information the remote port sends as a response to the advertisement, changes to a trunking state.

• The local port is considered to be in an unconditional (always on) trunking state.

Dynamic Auto • #switchport mode auto• The local switch port advertises to the remote

switch port that it is able to trunk but does not request to go to the trunking state.

• After a DTP negotiation, the local port ends up in trunking state only if the remote port trunk mode has been configured to be on or desirable.

• If both ports on the switches are set to auto, they do not negotiate to be in a trunking state. They negotiate to be in the access (non-trunk) mode state.

Dynamic Desirable

• Dynamic desirable: switchport mode dynamic desirable

• DTP frames are sent periodically to the remote port. The command used is switchport mode dynamic desirable.

• The local switch port advertises to the remote switch port that it is able to trunk and asks the remote switch port to go to the trunking state.

• If the local port detects that the remote has been configured in on, desirable, or auto mode, the local port ends up in trunking


DTP off

• #switchport nonegotiate

• You can turn off DTP for the trunk so that the local port does not send out DTP frames to the remote port.

• Use this feature when you need to configure a trunk with a switch from another switch vendor.

Dynamic trunking protocol

Mode trunk

Dynamic auto/des

Mode access

access

trunk

accessDynamic auto

Dynamic auto

trunk Dynamic desirable

Dynamic desirable

Dynamic auto/des

Dynamic desirable

Dynamic auto

trunk

Create a VLAN

• SW1(config)#vlan 20

• SW1(config-vlan)#name Finance

• SW1(config-vlan)#end

• VLAN will be saved in VLAN database rather than running config.

• If you do not give it a name then it will be called vlan0020.

Assign port to VLAN

• SW1(config)#int fa 0/14

• SW1(config-if)#switchport mode access

• SW1(config-if)#switchport access vlan 20

• SW1(config-if)#end

show vlan brief

• List of VLANs with ports

Show commands

• show vlan brief (list of VLANs and ports)

• show vlan summary

• show interfaces vlan (up/down, traffic etc)

• Show interfaces fa0/14 switchport (access mode, trunking)

Remove port from VLAN

• SW1(config)#int fa 0/14

• SW1(config-if)#no switchport access vlan


• The port goes back to VLAN 1.

• If you assign a port to a new VLAN, it is automatically removed from its existing VLAN.

Delete a VLAN

• SW1(config)#no vlan 20

• SW1(config)#end

• VLAN 20 is deleted.

• Any ports still on VLAN 20 will be inactive – not on any VLAN. They need to be reassigned.

Delete VLAN database

• Erasing the startup configuration does not get rid of VLANs because they are saved in a separate file.

• SW1#delete flash:vlan.dat

• Switch goes back to the default with all ports in VLAN 1.

• You cannot delete VLAN 1.

Configure trunk

• SW1(config)#int fa0/1

• SW1(config-if)#switchport mode trunk

• SW1(config-if)#switchport trunk native vlan 99

• SW1(config-if)#switchport trunk allowed vlan add 10, 20, 30


Trunk problems

• Both ends must have the same native VLAN.

• Both ends must be configured with trunking on or so that trunking is negotiated with the other end and comes on.

• Subnetting and addressing must be right.

• The right VLANs must be allowed on the trunk.

SESIÓN 2

Protocolo VTP


Benefits of VTP (VLAN Trunking Protocol)

• Before discussing VTP, it is important to understand that VTP is not necessary in order to configure VLANs or Trunking on Cisco Switches.

Benefits• VTP is a Cisco proprietary protocol that allows VLAN

configuration to be consistently maintained across a common administrative domain.

• VTP minimizes the possible configuration inconsistencies that arise when changes are made.

• Additionally, VTP reduces the complexity of managing and monitoring VLAN networks, allowing changes on one switch to be propagated to other switches via VTP.

• On most Cisco switches, VTP is running and has certain defaults already configured.

VTP • VTP (VLAN Trunking Protocol) is used to distribute and

synchronize information about VLANs that are configured throughout a switched network.

• Switches transmit VTP messages only on 802.1Q and ISL trunks.• Note: VTP is not required to configure trunking between

switches, but is used to simplify VLAN management.• VTP Server

– This is the default VTP mode. – VLANs can be created, modified, and deleted.

• VTP Client – This behaves like a VTP server without the ability to create, change,

or delete VLANs. • VTP Transparent

– Switches in the VTP Transparent mode do not participate in VTP.• VTP Pruning

–

VTP Operation – Revision Number

• VTP advertisements are transmitted out all trunk connections, including ISL, IEEE 802.1Q, IEEE 802.10, and ATM LANE trunks.

• A critical parameter governing VTP function is the VTP configuration revision number. • This 32-bit number indicates the particular revision of a VTP configuration. • A configuration revision number starts at 0 and increments by 1 with each

modification until it reaches 4,294,927,295, at which point it recycles back to 0 and starts incrementing again.

• Each VTP device tracks its own VTP configuration revision number• VTP packets contain the sender’s VTP configuration number. • This information determines whether the received information is more recent than the

current version. • If the switch receives a VTP advertisement over a trunk link, it inherits the VTP domain

name and configuration revision number. • The switch ignores advertisements that have a different VTP domain name or an

earlier configuration revision number.

VTP Operation • VTP advertisements are sent as multicast frames.

• VTP servers and clients are synchronized to the latest revision number.

• VTP advertisements are sent every 5 minutes or when there is a change.

VTP Operation

• VTP clients cannot create, modify, or delete VLAN information.

• The only role of VTP clients is to process VLAN changes and send VTP messages out all trunk ports.

• The VTP client maintains a full list of all VLANs within the VTP domain, but it does not store the information in NVRAM.

• VTP clients behave the same way as VTP servers, but it is not possible to create, change, or delete VLANs on a VTP client.

• Any changes made must be received from a VTP server advertisement.

VTP Operation

• Switches in VTP transparent mode forward VTP advertisements but ignore information contained in the message.

• A transparent switch will not modify its database when updates are received, nor will the switch send out an update indicating a change in its own VLAN status.

• Except for forwarding VTP advertisements, VTP is disabled on a transparent switch.

• There is also an “off” VTP mode in which switches behave the same as in the VTP transparent mode, except VTP advertisements are not forwarded.

VTP configuration

• VTP can be configured by using these configuration modes.– VTP Configuration in global configuration mode – VTP Configuration in VLAN configuration mode

• VLAN configuration mode is accessed by entering the vlan database privileged EXEC command.

VTP configuration - Version

• Two different versions of VTP can run in the management domain, VTP Version 1 and VTP Version 2.

• The two versions are not interoperable in the same VTP domain. • The major difference between the two versions is version 2 introduces

support for Token Ring VLANs. • If all switches in a VTP domain can run VTP Version 2, version 2 only

needs to be enabled on one VTP server switch, which propagates it to other VTP switches in the VTP domain.

• Version 2 should not be enabled unless every switch in the VTP domain supports version 2.

VTP configuration – Domain and Password

• The domain name can be between 1 and 32 characters.• The optional password must be between 8 and 64 characters long.• If the switch being installed is the first switch in the network, the management domain will

need to be created. • However, if the network has other switches running VTP, then the new switch will join an

existing management domain. • Caution: The domain name and password are case sensitive.

VTP configuration – Domain and Password

• By default, management domains are set to a nonsecure mode, meaning that the switches interact without using a password.

• Adding a password automatically sets the management domain to secure mode.

• The same password must be configured on every switch in the management domain to use secure mode.

VTP configuration – VTP mode

Switch#config terminalSwitch(config)#vtp mode [client|server|transparent]

Switch#vlan databaseSwitch(vlan)#vtp [client|server|transparent]

VTP Configuration - Overview• VTP Configuration in global configuration mode:

– Switch#config terminal– Switch(config)#vtp version 2– Switch(config)#vtp mode server– Switch(config)#vtp domain cisco– Switch(config)#vtp password mypassword

• VTP Configuration in VLAN configuration mode: – Switch#vlan database– Switch(vlan)#vtp v2-mode– Switch(vlan)#vtp server– Switch(vlan)#vtp domain cisco– Switch(vlan)#vtp password mypassword

VTP Operation

• VTP switches operate in one of three modes:– Server

– Client

– Transparent

• VTP servers can create, modify, delete VLAN and VLAN configuration parameters for the entire domain.

• VTP servers save VLAN configuration information in the switch NVRAM. VTP servers send VTP messages out to all trunk ports.

Verifying VTP

• This command is used to verify VTP configuration settings on a Cisco IOS command-based switch.

status

Verifying VTP

• This command is used to display statistics about advertisements sent and received on the switch.

Adding a switch to an existing VTP domain

• Use caution when inserting a new switch into an existing domain. • In order to prepare a switch to enter an existing VTP domain, perform the following

steps. – Delete the VLAN database – Erase the startup configuration – Power cycle the switch

• This will avoid potential problems resulting from residual VLAN configurations or adding a switch with a higher VTP configuration revision number that could result in the propagation of incorrect VLAN information.

• From the privileged mode, issue the delete vlan.dat and erase startup-config commands, then power cycle the switch.

TroubleShooting VTP

VTP Pruning• VTP pruning permits switches to negotiate which VLANs are assigned

to ports at the other end of a trunk and, hence, prune the VLANs that are not assigned to ports on the remote switch.

• Pruning is disabled by default. • VTP pruning is enabled using the vtp pruning in

global configuration command. • You need to enable pruning on only one VTP server switch in the

domain.

VTP Pruning

The VTP Pruning service is supported by both VTP1 and VTP2.VTP pruning is possible with the use of additional VTP message types.

When a Cisco Catalyst switch has ports associated with a VLAN, it will send an advertisement to its neighboring switches informing them about the ports it has active on that VLAN. This information is then stored by the neighbors and used to decide if flooded traffic from a VLAN should be forwarded to the switch via the trunk port or not.

DHCP SNOOP

• El vtp transparente havbilita el VTP Pruning ?

Troubleshooting

SESIÓN 3

Protocolo Spanning Tree


Configuring STP

• By default, STP is enabled for every port on the switch.

• If for some reason STP has been disabled, you can reenable it.

• To re-enable STP, use the

Switch(config)#spanning-tree vlan vlan-id

• To disable STP, on a per-VLAN basis:

Switch(config)#no spanning-tree vlan vlan-id

Spanning Tree Protocol (STP)

• STP is a loop-prevention protocol

• Uses the Spanning Tree Algorithm

• STP allows L2 devices to communicate with each other to discover physical loops in the network.

• STP specifies an algorithm that L2 devices can use to create a loop-free logical topology.

• STP creates a tree structure of loop-free leaves and branches that spans the entire Layer 2 network.

STP asegura que exista sólo una ruta lógica entre todos los destinos de la red, al bloquear de forma intencional aquellas rutas redundantes que puedan ocasionar un bucle.

Redundancia Crea Lazos

Un puerto se considera bloqueado cuando el tráfico de la red no puede ingresar ni salir del puerto.

Esto sin embargo no es si para los mensajes BPDU.

Spanning Tree – Solo para evitar lazos

• Loops may occur in your network as part of a design strategy for redundancy.

• STP is not needed if there are no loops in your network.

• However, DO NOT disable STP!

• Loops can occur accidentally from network staff or even users!

Two users interconnecting the switches in their cubicles.

Disable STP: go to the interface you want to disable it onSwitch(Config-if)#spanningtree portfast

Loops de Capa 2

• Broadcasts and Layer 2 loops can be a dangerous combination.

• Ethernet frames have no TTL field.

• After an Ethernet frame starts to loop, it will probably continue until someone shuts off one of the switches or breaks a link.

IP Packet

L2 Loops - Flooded unicast frames

• Bridge loops can occur any time there is a redundant path or loop in the bridge network.

• The switches will flip flop the bridging table entry for Station A (creating extremely high CPU utilization).

• Bridge Loops can cause:

1. Broadcast storms

2. Multiple copies of Ethernet frames

3. MAC address table inestability in switches

STP Previene los Loops (Lazos)• The purpose of STP is to avoid and eliminate loops in the network by

negotiating a loop-free path through a root bridge.

• STP determines where there are loops and blocks links that are redundant.

• Ensures that there will be only one active path to every destination.

X

Spanning Tree Algorithm• STP executes an algorithm

called Spanning Tree Algorithm.

• STA chooses a reference point, called a root bridge, and then determines the available paths to that reference point.

• If more than two paths exists, STA picks the best path and blocks the rest.

X

Two-key STP Concepts• STP calculations make extensive use of two key concepts

in creating a loop-free topology:1. Bridge ID

2. Path Cost

Link SpeedCost (Revised IEEE Spec)

Cost (Previous IEEE Spec)

10 Gbps 2 1

1 Gbps 4 1

100 Mbps 19 10

10 Mbps 100 100

• Bridge ID (BID) is used to identify each bridge/switch.

• The BID is used in determining the center of the network, in respect to STP, known as the root bridge.

Bridge ID Without the Extended System ID

Bridge ID with the Extended System ID

1. Bridge ID (BID)

Bridge ID (BID)

• Spanning tree operation requires that each switch have a unique BID. • In the original 802.1D standard, the BID was composed of the Priority

Field and the MAC address of the switch, and all VLANs were represented by a CST. (Common Spanning Tree)

• Because PVST requires that a separate instance of spanning tree run for each VLAN, the BID field is required to carry VLAN ID (VID) information. (Per VLAN Spanning Tree)

• This is accomplished by reusing a portion of the Priority field as the extended system ID to carry a VID.

Priority = Priority (Default 32,768) + VLAN

Access2#show spanning-treeVLAN0001 Spanning tree enabled protocol ieee Root ID Priority 24577 Address 000f.2490.1380 Cost 23 Port 1 (FastEthernet0/1) Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec Bridge ID Priority 32769 (priority 32768 sys-id-ext 1) Address 0009.7c0b.e7c0 Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec Aging Time 300<text omitted>

VLAN0010 Spanning tree enabled protocol ieee Root ID Priority 4106 Address 000b.fd13.9080 Cost 19 Port 1 (FastEthernet0/1) Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec Bridge ID Priority 32778 (priority 32768 sys-id-ext 10) Address 0009.7c0b.e7c0 Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec Aging Time 300

• Usado para elegir el root bridge (coming)• Lowest Bridge ID is the root.• If all devices have the same priority, the bridge with

the lowest MAC address becomes the root bridge.

Bridge ID (BID)

2. Path Cost – Original Spec (Linear)

• Bridges use the concept of cost to evaluate how close they are to other bridges.

• This will be used in the STP development of a loop-free topology .• Originally, 802.1D defined cost as 1 billion/bandwidth of the link in

Mbps.– Cost of 10 Mbps link = 100 or 1000/10– Cost of 100 Mbps link = 10 or 1000/100– Cost of 1 Gbps link = 1 or 1000/1000

• Running out of room for faster switches including 10 Gbps Ethernet

Modificar el costo de una interfaz

• Para configurar el costo de un puerto en una interfaz, ingrese el comando spanning-tree cost valor en modo de configuración de interfaz.

• El rango de valores puede oscilar entre 1 y 200 000 000.

Five-Step STP Decision Sequence

• When creating a loop-free topology, STP always uses the same five-step decision sequence:

Five-Step decision SequenceFive-Step decision Sequence

Step 1 - Lowest BID

Step 2 - Lowest Path Cost to Root Bridge

Step 3 - Lowest Sender BID

Step 4 – Lowest Port Priority

Step 5 - Lowest Port ID

• Bridges use Configuration BPDUs during this four-step process.• We will assume all BPDUs are configuration BPDUs until

otherwise noted.

Five-Step STP Decision Sequence

BPDU key concepts: (Bridge Protocol Data Unit)• Bridges save a copy of only the best BPDU seen on every port.• When making this evaluation, it considers all of the BPDUs

received on the port, as well as the BPDU that would be sent on that port.

• As every BPDU arrives, it is checked against this five-step sequence to see if it is more attractive (lower in value) than the existing BPDU saved for that port.

• Only the lowest value BPDU is saved.• Bridges send configuration BPDUs until a more attractive BPDU

is received.• Okay, lets see how this is used...

Elect one Root Bridge

The STP algorithm uses three simple steps to converge on a loop-free topology:

STP ConvergenceSTP ConvergenceStep 1 Elect one Root BridgeStep 2 Elect Root PortsStep 3 Elect Designated Ports

• When the network first starts, all bridges are announcing a chaotic mix of BPDUs.

• All bridges immediately begin applying the five-step sequence decision process.

• Switches need to elect a single Root Bridge.• Switch with the lowest BID wins!• Todos los switches del dominio de broadcast participan del

proceso de elección.

Elect one Root BridgeLowest BID wins!

32768-000f.2490.1380

32768-000b.fd13.9080 32768-000b.fd13.cd80

32768-000b.befa.eec0 32768-0009.7c0b.e7c0


32768-000f.2490.1380

32768-000b.fd13.9080 32768-000b.fd13.cd80

32768-000b.befa.eec0 32768-0009.7c0b.e7c0

Root Bridge

• Once all of the switches see that Access2 has the lowest BID, they are all in agreement that Access2 is the Root Bridge.

32768-000f.2490.1380

32768-000b.fd13.9080 32768-000b.fd13.cd80

32768-000b.befa.eec0 32768-0009.7c0b.e7c0

Root Bridge

Se recomienda configurar el switch de puente raíz (root bridge) deseado con la menor prioridad para asegurar que sea elegido como tal.

Esto también asegura que el agregado de switches a la red no provoque una nueva elección de spanning-tree, lo que podría interrumpir la comunicación en la red mientras se elige un nuevo puente raíz.

Modificando el proceso de elección del Root Bridge

• The switch with the lowest BID becomes the root. • The root switch can be determined by lowering the priority on that switch,

below the default of 32768. • There are two ways to lower the priority on Switch-2 to make it the Root

Bridge

Switch-2(config)#spanning-tree vlan 1 root primary

or

Switch-2(config)#spanning-tree vlan 1 priority 4096

• The spanning-tree vlan 1 priority 4096 command lowers the priority from 32768 to 4096, thus making it the root switch.

• The spanning-tree vlan 1 root primary command lowers the priority to 24576 (on a 2950 switch), thus making it the root switch.

Switch-2(config)#spanning-tree vlan 1 root primary

La prioridad del switch se establece en el valor predefinido 24 576 o en el siguiente valor de incremento de 4096 por debajo de la menor prioridad de puente detectada en la red.

Switch-2(config)#spanning-tree vlan 1 root secondary

Para contar con un puente raíz alternativo. Este comando establece la prioridad para el switch al valor preferido 28 672.

Esto asegura que este switch se convierta en el puente raíz si el puente raíz principal falla y se produce una nueva elección de puente raíz y

Funciones de los puertos Puerto raíz

• El puerto raíz existe en los puentes que no son raíz y es el puerto de switch con el mejor camino hacia el puente raíz.

• Los puertos raíz envían el tráfico a través del puente raíz. Las direcciones MAC de origen de las tramas recibidas en el puerto raíz pueden llenar por completo la tabla MAC.

Puerto designado

• Para los puentes que no son raíz (bridge), un puerto designado es el switch que recibe y envía tramas a través del puente raíz según sea necesario.

• Sólo se permite un puerto designado por segmento.

Puerto no designado

Puerto de switch que está bloqueado, de manera que no envía tramas de datos ni llena la tabla de direcciones MAC con direcciones de origen.

Para algunas variantes de STP, el puerto no designado se denomina puerto alternativo.

Configurar prioridad del puerto

• El valor de prioridad de puerto predeterminado es 128.

• Al igual que con la prioridad de puente, los valores de prioridad de puerto menores proporcionan al puerto una mayor prioridad.

• La prioridad de puerto para el puerto F0/1 se ha establecido en 112, que está por debajo de la prioridad de puerto predeterminada, que es 128.

• Esto asegura que el puerto sea el preferido cuando compita con otro puerto para una función de puerto específica.


• Now that the Root War has been won, switches move on to selecting Root Ports.

• A bridge’s Root Port is the port closest to the Root Bridge.• Bridges use the cost to determine closeness.• Every non-Root Bridge will select one Root Port!• Specifically, bridges track the Root Path Cost, the cumulative

cost of all links to the Root Bridge.

2. Elegir los Puertos raíz (Root Ports)

32768-000b.fd13.9080 32768-000b.fd13.cd80

32768-000b.befa.eec0 32768-0009.7c0b.e7c0

Root Bridge

• Root Bridge, Access2 sends out BPDUs, containing a Root Path Cost of 0.• Access1, Distribution1, and Distribution2 receives these BPDUs and adds the Path Cost of

the FastEthernet interface to the Root Path Cost contained in the BPDU.• Access1, Distribution1, and Distribution2 add Root Path Cost 0 PLUS its Port cost of 19 =

19.• This value is used internally and used in BPDUs to other switches..

BPDU

Cost=0BPDU

Cost=0+19=19

BPDU

Cost=0+19=19BPDU

Cost=0+19=19

0

0

0

19

19

19

32768-000f.2490.1380

32768-000b.fd13.9080 32768-000b.fd13.cd80

32768-000b.befa.eec0 32768-0009.7c0b.e7c0

Root Bridge

Difference b/t Path Cost and Root Path CostPath Cost: • The value assigned to each port.• Added to BPDUs received on that port to

calculate Root Path Cost.

BPDU

Cost=0

BPDU

Cost=0+19=19

BPDU

Cost=0+19=19BPDU

Cost=0+19=19

0

0

0

19

19

19

Root Path Cost• Cumulative cost to the Root Bridge. • This is the value transmitted in the BPDU.• Calculated by adding the receiving port’s

Path Cost to the valued contained in the BPDU.

19

19

19

32768-000f.2490.1380

32768-000b.fd13.9080 32768-000b.fd13.cd80

32768-000b.befa.eec0 32768-0009.7c0b.e7c0

Root Bridge

• Switches now send BPDUs with their Root Path Cost out other interfaces.• Note: STP costs are incremented as BPDUs are received on a port, not as they are sent

out a port.• Access 1 uses this value of 19 internally and sends BPDUs with a Root Path Cost of 19

out all other ports.

BPDU

Cost=4+19=23

BPDU

Cost=4+19=23

19

19

0

0

019

19

19

BPDU

Cost=19

BPDU

Cost=19

32768-000f.2490.1380

32768-000b.fd13.9080 32768-000b.fd13.cd80

32768-000b.befa.eec0 32768-0009.7c0b.e7c0

Root Bridge

Elect Root Ports• Every non-Root bridge must select one Root Port.• A bridge’s Root Port is the port closest to the Root Bridge.• Bridges use the cost to determine closeness.

19

19

19

23

0

0

023

32768-000f.2490.1380

23

23

23

27

23

27

3838

Root PortRoot Port

Root Port

? ?

32768-000b.fd13.9080 32768-000b.fd13.cd80

32768-000b.befa.eec0 32768-0009.7c0b.e7c0

Root Bridge

Elect Root Ports• Core switch has two equal Root Path Costs

to the Root Bridge.• In this case we need to look at the five-step

decision process.

19

19

19

23

0

0

023

32768-000f.2490.1380

23

23

23

27

23

27

3838

Root PortRoot Port

Root Port

? ?

Five-Step decision SequenceFive-Step decision Sequence Step 1 - Lowest BID Step 2 - Lowest Path Cost to Root Bridge Step 3 - Lowest Sender BID Step 4 - Lowest Port Priority Step 5 - Lowest Port ID

32768-000b.fd13.9080 32768-000b.fd13.cd80

32768-000b.befa.eec0 32768-0009.7c0b.e7c0

Root Bridge

Elect Root Ports• Distribution 1 switch has a lower Sender BID

than Distribution 2.• Core chooses the Root Port of G 0/1.

19

19

19

23

0

0

023

32768-000f.2490.1380

23

23

23

27

23

27

3838

Root PortRoot Port

Root Port


Lower BID Root Port


• The loop prevention part of STP becomes evident during this step, electing designated ports.

• A Designated Port functions as the single bridge port that both sends and receives traffic to and from that segment and the Root Bridge.

• Each segment in a bridged network has one Designated Port, chosen based on cumulative Root Path Cost to the Root Bridge.

• The switch containing the Designated Port is referred to as the Designated Bridge for that segment.

• To locate Designated Ports, lets take a look at each segment.• Segment’s perspective: From a device on this segment, “Which switch

should I go through to reach the Root Bridge?”– Root Path Cost, the cumulative cost of all links to the Root Bridge.– Obviously, the segment has not ability to make this decision, so the

perspective and the decision is that of the switches on that segment.

3. Elect Designated Ports

32768-000b.fd13.9080 32768-000b.fd13.cd80

32768-000b.befa.eec0 32768-0009.7c0b.e7c0

Root Bridge

19

19

19

19

0

0

019

32768-000f.2490.1380

19

19

23

19

23

19

1919

RPRP

RP

RP

• A Designated Port is elected for every segment.• The Designated Port is the only port that sends and receives traffic to/from that segment to

the Root Bridge, the best port towards the root bridge.• Note: The Root Path Cost shows the Sent Root Path Cost. • This is the advertised cost in the BPDU, by this switch out that interface, i.e. this is the cost of

reaching the Root Bridge through me!

32768-000b.fd13.9080 32768-000b.fd13.cd80

32768-000b.befa.eec0 32768-0009.7c0b.e7c0

Root Bridge

19

19

19

19

0

0

019

32768-000f.2490.1380

19

19

23

19

23

19

1919

RPRP

RP

RP

• A Designated Port is elected for every segment.• Segment’s perspective: From a device on this segment, “Which switch should I go through

to reach the Root Bridge?”• “I’ll decide using the advertised Root Path Cost from each switch!”

?

? ??

? ?? ?

32768-000b.fd13.9080 32768-000b.fd13.cd80

32768-000b.befa.eec0 32768-0009.7c0b.e7c0

Root Bridge

19

19

19

19

0

0

019

32768-000f.2490.1380

19

19

23

19

23

19

1919

RPRP

RP

RP

Segment’s perspective:

• Access 2 has a Root Path Cost = 0 (after all it is the Root Bridge) and Access 1 has a Root Path Cost = 19.

• Because Access 2 has the lower Root Path Cost it becomes the Designated Port for that segment.

? DP

What is my best path to the Root Bridge, 19 via Access 1 or 0 via

Access 2?

32768-000b.fd13.9080 32768-000b.fd13.cd80

32768-000b.befa.eec0 32768-0009.7c0b.e7c0

Root Bridge

19

19

19

19

0

0

019

32768-000f.2490.1380

19

19

23

19

23

19

1919

RPRP

RP

RP

Segment’s perspective:• The same occurs between Access 2 and Distribution 1 and Distribution 2 switches.• Because Access 2 has the lower Root Path Cost it becomes the Designated Port for those

segments.

?

DP

?DP

DP

32768-000b.fd13.9080 32768-000b.fd13.cd80

32768-000b.befa.eec0 32768-0009.7c0b.e7c0

Root Bridge

19

19

19

19

0

0

019

32768-000f.2490.1380

19

19

23

19

23

19

1919

RPRP

RP

RP

Segment’s perspective:• Segment between Distribution 1 and Access

1 has two equal Root Path Costs of 19.• Using the Lowest Sender ID (first two steps

are equal), Access 1 becomes the best path and the Designated Port.

?

DP

DP

DP


DP

What is my best path to the Root Bridge, 19

via Distribution 1 or 19 via Access 1?

They are the same! Who has the lowest

BID?

Access 1 has Lower Sender BIDDistribution1#show spanning-tree detail

Port 26 (GigabitEthernet0/2) of VLAN0001 is blocking

Port path cost 4, Port priority 128, Port Identifier 128.26.

Designated root has priority 32769, address 0009.7c0b.e7c0

Designated bridge has priority 32769, address 000b.befa.eec0

Designated port id is 128.26, designated path cost 19

Timers: message age 3, forward delay 0, hold 0

Number of transitions to forwarding state: 0

BPDU: sent 2, received 1070

Access1#show spanning-tree detail

Port 26 (GigabitEthernet0/2) of VLAN0001 is forwarding

Port path cost 4, Port priority 128, Port Identifier 128.26.

Designated root has priority 32769, address 0009.7c0b.e7c0

Designated bridge has priority 32769, address 000b.befa.eec0

Designated port id is 128.26, designated path cost 19

Timers: message age 0, forward delay 0, hold 0

Number of transitions to forwarding state: 1

BPDU: sent 2243, received 1

32768-000b.fd13.9080 32768-000b.fd13.cd80

32768-000b.befa.eec0 32768-0009.7c0b.e7c0

Root Bridge

19

19

19

19

0

0

019

32768-000f.2490.1380

19

19

23

19

23

19

1919

RPRP

RP

RP

Segment’s perspective:• Segment between Distrib. 1 and Distrib. 2

has two equal Root Path Costs of 19.• Using the Lowest Sender ID (first two steps

are equal), Distribution 1 becomes the best path and the Designated Port.

?

DP

DP

DP


DP

DP

Distribution 1 has Lower Sender BIDDistribution1#show spanning-tree detail Port 5 (FastEthernet0/5) of VLAN0001 is forwarding Port path cost 19, Port priority 128, Port Identifier 128.5. Designated root has priority 32769, address 0009.7c0b.e7c0 Designated bridge has priority 32769, address 000b.fd13.9080 Designated port id is 128.5, designated path cost 19 Timers: message age 0, forward delay 0, hold 0 Number of transitions to forwarding state: 1 BPDU: sent 1074, received 0

Distribution2#show spanning-tree detail Port 5 (FastEthernet0/5) of VLAN0001 is blocking Port path cost 19, Port priority 128, Port Identifier 128.5. Designated root has priority 32769, address 0009.7c0b.e7c0 Designated bridge has priority 32769, address 000b.fd13.9080 Designated port id is 128.5, designated path cost 19 Timers: message age 2, forward delay 0, hold 0 Number of transitions to forwarding state: 0 BPDU: sent 0, received 1097

32768-000b.fd13.9080 32768-000b.fd13.cd80

32768-000b.befa.eec0 32768-0009.7c0b.e7c0

Root Bridge

19

19

19

19

0

0

019

32768-000f.2490.1380

19

19

23

19

23

19

1919

RPRP

RP

RP

Segment’s perspective:• Segment between Access 1 and Distrib. 2

has two equal Root Path Costs of 19.• Using the Lowest Sender ID (first two steps

are equal), Access 1 becomes the best path and the Designated Port.

?

DP

DP

DP


DP

DP

DP

Access 1 has Lower Sender BIDDistribution2#show spanning-tree detail Port 25 (GigabitEthernet0/1) of VLAN0001 is blocking Port path cost 4, Port priority 128, Port Identifier 128.25. Designated root has priority 32769, address 0009.7c0b.e7c0 Designated bridge has priority 32769, address 000b.befa.eec0 Designated port id is 128.25, designated path cost 19 Timers: message age 3, forward delay 0, hold 0 Number of transitions to forwarding state: 0 BPDU: sent 2, received 1091

Access1#show spanning-tree detail Port 25 (GigabitEthernet0/1) of VLAN0001 is forwarding Port path cost 4, Port priority 128, Port Identifier 128.25. Designated root has priority 32769, address 0009.7c0b.e7c0 Designated bridge has priority 32769, address 000b.befa.eec0 Designated port id is 128.25, designated path cost 19 Timers: message age 0, forward delay 0, hold 0 Number of transitions to forwarding state: 1 BPDU: sent 2240, received 1

32768-000b.fd13.9080 32768-000b.fd13.cd80

32768-000b.befa.eec0 32768-0009.7c0b.e7c0

Root Bridge

19

19

19

19

0

0

019

32768-000f.2490.1380

19

19

23

19

23

19

1919

RPRP

RP

RP

Segment’s perspective:• Because Distribution 1 has the lower Root Path Cost it becomes the Designated Port

for that segment.• Because Distribution 2 has the lower Root Path Cost it becomes the Designated Port

for that segment.

?

DP

DP

DPDP

DP

DP DP

?

DP

32768-000b.fd13.9080 32768-000b.fd13.cd80

32768-000b.befa.eec0 32768-0009.7c0b.e7c0

Root Bridge

19

19

19

19

0

0

019

32768-000f.2490.1380

19

19

23

19

23

19

1919

RPRP

RP

RP

Segment’s perspective:• All other ports, those ports that are not Root Ports or Designated Ports, become Non-

Designated Ports.• Non-Designated Ports are put in blocking mode. (Coming)

• This is the loop prevention part of STP.

DP

DP

DPDP

DP

DP DP

NDP

NDP

NDPX

X

XX

DP

NDP

Port Cost/Port ID

• If the path cost and bridge IDs are equal (as in the case of parallel links), the switch goes to the port priority as a tiebreaker.

• Lowest port priority wins (all ports set to 32).• You can set the priority from 0 – 63.• If all ports have the same priority, the port with the lowest port number

forwards frames.

Port 0/2 would forward because it’s the lowest.

19

19

RP

DP

DP

NDP

Port Cost/Port ID• Fa 0/3 has a lower Port ID than Fa 0/4.• Multiple links can be configured (used) as a single connection, using

EtherChannel (CCNP 3).

Port Cost/Port IDDistribution1#show spanning-treeVLAN0001 Spanning tree enabled protocol ieee Root ID Priority 32769 Address 0009.7c0b.e7c0 Cost 19 Port 3 (FastEthernet0/3) Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec Bridge ID Priority 32769 (priority 32768 sys-id-ext 1) Address 000b.fd13.9080 Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec Aging Time 300Interface Port ID Designated Port IDName Prio.Nbr Cost Sts Cost Bridge ID Prio.Nbr---------------- -------- --------- --- --------- -------------------- --------Fa0/1 128.1 19 BLK 19 32769 000b.befa.eec0 128.1Fa0/2 128.2 19 BLK 19 32769 000b.befa.eec0 128.2Fa0/3 128.3 19 FWD 0 32769 0009.7c0b.e7c0 128.1Fa0/4 128.4 19 BLK 0 32769 0009.7c0b.e7c0 128.2Fa0/5 128.5 19 FWD 19 32769 000b.fd13.9080 128.5Gi0/1 128.25 4 FWD 19 32769 000b.fd13.9080 128.25

Example:

• A network that contains 15 switches and 146 segments (every switchport is a unique segment) would result in:– 1 Root Bridge– 14 Root Ports– 146 Designated Ports

STP Convergence: Summary

Estados de los puertos y temporizadores

• El spanning tree se determina en base a la información obtenida en el intercambio de tramas de BPDU entre los switches interconectados.

• Cada puerto de switch sufre una transición a través de cinco estados posibles y tres temporizadores de BPDU.

• Los estados de los puertos aseguran la ausencia de bucles durante la creación del spanning tree lógico.

• Si un puerto de switch experimenta una transición directa desde el estado de bloqueo al estado de enviar, dicho puerto puede crear temporalmente un bucle de datos si el switch no advierte toda la información de la topología en ese momento.

• Por esta razón, STP introduce cinco estados de puertos.

• Bloqueo (Blocked)

• Escuchar (Listening)

• Aprender (Learning)

• Enviar (Forward)

• Deshabilitar (Disabled)

Temporizadores de BPDU• La cantidad de tiempo que un puerto permanece en los distintos

estados depende de los temporizadores de BPDU. • Sólo el switch con función de puente raíz puede enviar información

a través del árbol para ajustar los temporizadores.

• Hello timer: Determina la frecuencia con la que el root bridge envía los BPDUs Por defecto es de 2 segundos.

• Maximum Age (Max Age): Determina cuanto tiempo mantener los puertos en el estado de bloqueo antes de pasar al modo listening. Por defecto es 20 segundos.

• Forward Delay (Fwd Delay): Determina cuanto tiempo estar en el estado listening antes de ir al estado learning, y cuanto tiempo estar en el estado learning antes de ir al estado forwarding.

• Por defecto es 15 segundos.

• Hello timer – Hello Timer (2 seg)

• Forward Delay (Fwd Delay) – Retraso de envío (15 seg)

• Maximum Age (Max Age) – Antigüedad Máxima (20 seg)

Importante!!

• Estos valores de tiempo permiten el tiempo adecuado para la convergencia en la red con un diámetro de switch de valor siete (7).

• Un diámetro de switch de siete es el valor mayor permitido por STP debido a los tiempos de convergencia.

Spanning-Tree Port States

STP Timers

Spanning Tree Port StatesSpanning tree transitions each port through several different states.

From Blocking to Forwarding:

20 sec + 15 sec + 15 sec = 50 seconds


Blocked: • All ports start in blocked mode

in order to prevent the bridge from creating a bridging loop.

• Port are listening (receiving) BPDUs.

• No user data is being passed.

• The port stays in a blocked state if Spanning Tree determines that there is a better path to the root bridge.

• May take a port up to 20 seconds to transition out of this state (max age). - coming soon.

BPDUs sent and received


Listen: • The port transitions from the

blocked state to the listen state• Attempts to learn whether there

are any other paths to the root bridge

• Listens to frames• Port is not sending or receive

user data• Listens for a period of time

called the forward delay (default 15 seconds).

• Ports that lose the Designated Port election become non-Designated Ports and drop back to Blocking state.



Learn: • The learn state is very

similar to the listen state, except that the port can add information it has learned to its address table.

• Adds addresses to MAC Address Table

• Still not allowed to send or receive user data

• Learns for a period of time called the forward delay (default 15 seconds)



Forward: • The port can send and

receive user data. • A port is placed in the

forwarding state if:– There are no redundant

links

or – It is determined that it has

the best path to the root


Spanning-Tree Port States• Disabled: The port is shutdown.


Non-Designated Ports

Designated Ports & Root Ports

32768-000b.fd13.9080 32768-000b.fd13.cd80

32768-000b.befa.eec0 32768-0009.7c0b.e7c0

Root Bridge

19

19

19

19

0

0

019

32768-000f.2490.1380

19

19

23

19

23

19

1919

RPRP

RP

RP

DP

DP

DPDP

DP

DP DP

NDP

NDP

NDPX

X

XX

Spanning-Tree Port StatesActive links

DP

NDP

Topology Change

• Much of the detail has been omitted.

• If there is a change in the topology, a link is added or removed:1. User traffic will be disrupted until the switch

recalculates paths using the Spanning Tree Algorithm.

2. A delay of up to 50 seconds may occur before switches start forwarding frames.

Cambio en la topología de STP

Un switch considera que ha detectado un cambio en la topología:

1. Cuando un puerto que envía datos se desactiva (se bloquea, por ejemplo).

2. Cuando un puerto cambia al estado de enviar y el switch cuenta con un puerto designado.

• Cuando se detecta un cambio, el switch notifica al puente raíz del spanning tree.

• Luego, el puente raíz envía un broadcast con dicha información a toda la red.

• Cuando STP funciona de forma normal, el switch continúa recibiendo tramas de BPDU de configuración desde el puente raíz en su puerto raíz.

• Sin embargo, nunca un switch envía una BPDU hacia el puente raíz.

• Para lograr esto: se introduce una BPDU especial denominada notificación de cambio en la topología (TCN).

• Cuando un switch necesita avisar acerca de un cambio en la topología, comienza a enviar TCN en su puerto raíz. La TCN es una BPDU muy simple que no contiene información y se envía durante el intervalo de tiempo de saludo.

• Una vez que el puente raíz advierte que se ha producido un evento de cambio en la topología en la red, comienza a enviar sus BPDU de configuración con el bit de cambio de topología (TC) establecido (broadcast).

• La raíz establece el bit de TC durante un período igual a la suma de la antigüedad máxima y el retraso de envío (en segundos), que de manera predeterminada es 20+15=35.

Los switches reciben las BPDU de cambio de topología tanto en los puertos en estado de enviar como de bloqueo.

Variantes de STP

SESIÓN 4

Ruteo Inter-VLAN


Explain How Network Traffic is Routed Between VLANs in a Converged

Network • Describe the routing options between

VLANs

Explain How Network Traffic is Routed Between VLANs in a Converged

Network • Describe the role of interfaces and

subinterfaces in supporting inter-VLAN routing

Configure Inter-VLAN Routing

• Describe the steps to configure inter-VLAN routing

Troubleshoot Common Inter-VLAN Connectivity Issues

• Describe the common switch configuration Issues


• Describe the common router configuration issues


• Describe the common IP Addressing Issues

Summary

• Inter-VLAN routing is the process of routing information between VLANs

• Inter-VLAN routing requires the use of a router or a layer 3 switch

• Traditional inter-VLAN routing– Requires multiple router interfaces that are

each connected to separate VLANs

unidad02-redes lan virtuales

Documents

extended system

lowest sender

troubleshoot

0bpdu cost01919

port costport

converged

lowest port

vlan routing