Category: VLANs

PPPoE: Point to Point Protocol over Ethernet

Point to Point Protocol over Ethernet (PPPoE) visualizes Ethernet multiple point to point sessions between client hosts and an access concentrator….essentially turning a broadcast Ethernet domain into a point to multi-point environment.

The PPPoE client feature in IOS allows the router as opposed as an end user host workstation to serve as the client in the network.  This allows entire LANs to connect to the internet over a single PPPoE connection terminated to a router.

PPP interface IP addresses are assigned using an upstream DHCP server and the IP Configuration Protocol (IPCP), which is a sub protocol of PPP.  IP address negotiation must be enabled on the dialer interface in the router for it to obtain an IP address.

PPPoE also introduces an additional 8byte transport overhead, (2 bytes for the PPP header and 6 bytes for PPPoE)  in order to adjust for this in the 1500 byte MTU, you have to decrease the MTU to 1492 bytes so the entire encapsulated packet fits within the 1500 byte Ethernet frame.  For TCP sessions the Max segment size is reduced to 1452 this allows for 40 bytes in TCP and IP headers and 8 bytes in the PPPoE totaling 1500 bytes that fit into an ordinary Ethernet frame.

MTU mismatches can prevent a PPPoE connection from establishing or carrying large datagrams, so this is a good place to check when troubleshooting connections.


VLANs: VTP Configuration Options


This configuration option for VTP sets the domain name.  VTP messgaes received by VTP neighbors are ignored unless the domain name in the message matches what is configured on the switch.


This configuration option for VTP sets a password so unauthorized switches are unable to join the VTP domain.


This configuration option sets the role of the switch to either Server, Client, or Transparent.  In VTPv3 you can also set this to off, disabling VTP on the switch.


This configuration option allows VTP pruning which prevents flooding on a per VLAN basis to switches that have no ports participating in a specific VLAN.


This configuration option defines which IP address is used to identify the switch as an updater in the VTP update messages.  By default a configured IP with the lowest numbered VLAN SVI is used.


VLANs: VTPv3 Primary Server

A VTPv3 Primary server is the only switch in a VTP domain that is allowed to make configuration changes to the VLAN database to propagate out to the network.  VTPv3 servers and clients will only exchange VLAN database information if they agree on the domain name and the identity of the Primary Server (MAC Address).

Other switches in the VTP domain who are configured to be servers are classified as secondary servers and cannot make configuration changes to the VLAN database.  They are only there to serve as backup servers to the primary in case the existing primary server is demoted for any reason.

There are cases where there may be a conflict between switches on what each believes to be the primary server.  Conflicting switches do not synchronize their VLAN databases, this can happen when a primary server is disconnected and another server is promoted.  Then the original primary server is reconnected and comes back online, client switches then begin having a conflict as a result.

Correcting this simply means demoting one of the primary servers and allowing the other to take over as the only primary server in the VTP domain.


VLANs: VTP Update Process

In order for Client and Server switches to propagate VLAN changes to the rest of the network, here is the process by which VTP uses to disseminate VLAN configuration changes:

  1. A New VLAN is added to the VTP Server
  2. Configuration Revision Number increments up by one
  3. VTP Advertisement is sent out to all VTP neighbors
  4. VTP Clients receive higher Configuration Revision number
  5. Clients begin to sync updated VLAN database to their own



VLANs: VTP Messages


VTPv1 and VTPv2 use 4 types of messages:

  • Summary Advertisement: this message comes from the Server and Clients every 5 minutes and after each update to the VLAN database.  This message includes the VTP domain name, revision number, identity of the last updater, time stamp of the last update, MD5 sum computed over the contents of the VLAN database, and the VTP password, and the number of subset advertisements following the Summary Advertisement.
  • Subset Advertisement: This message is generated when the VLAN database is updated, it is sent out via the Server and clients in the VTP domain.   These advertisements carry the full VLAN database.
  • Advertisement request: This message is sent from Servers or clients to VTP neighbors to request the contents of the complete VLAN database or a portion of it.  These messages are sent when a Client switch is restarted, when a switch enters client mode, or when a server or client switch receives a summary advertisement with a higher revision number.
  • Join: This message is sent out of the Servers or Clients every 6 seconds if VTP pruning is active.  These messages contain a bit field that indicates whether normal VLANs configured are active or unused.

Currently there is no documentation released for VTPv3 messages.

VLANs: VTP Modes


Server Mode

  • Originates VTP Advertisements
  • Processes received advertisements to update its VLAN configuration
  • Forwards received VTP advertisements
  • Saves VLAN configuration in NVRAM or vlan.dat
  • Can create, modify, or delete VLANs

Client Mode

  • Originates VTP Advertisements
  • Processes received advertisements to update its VLAN configuration
  • Forwards received VTP advertisements
  • Saves VLAN configuration in NVRAM or vlan.dat

Transparent Mode

  • Forwards received VTP advertisements
  • Saves VLAN configuration in NVRAM or vlan.dat
  • Can create, modify, or delete VLANs

Off Mode

  • Saves VLAN configuration in NVRAM or vlan.dat
  • Can create, modify, or delete VLANs


*Off mode is supported only with VTPv3

VLANs: VLAN Trunking Protocol (VTP)

VTP advertises VLAN configuration information among a number of VTP participating switches in a LAN.  VTP advertises VLAN ID, VLAN name, and VLAN type and state for each VLAN configured to all other switches on the network.  VTP does not advertise the specific ports participating in those VLANs, so configuration associating specific switch port interfaces to specific VLANs is still required.

VTP exists in three versions, VTPv1, VTPv2, and VTPv3….

VTP versions 1 and 2 are widely supported across Cat-Os and IOS based switching platforms.  VTPv3 is still at present relatively new, VTP support starts on IOS release 12.2(52)SE.

VTPv1 is the default VTP version supported and active on IOs based switches, its only capable of supporting the dissemination of normal range VLANs only.

VTPv2 has the following new enhancements:

  • Supports token Ring concentrator Relay function and Bridge Relay Function (TrCRF and TrBRF) type VLANs: These VLANs were used to segment Token Ring networks into multiple logical rings and interconnecting bridges.  There is no use for these types of VLANs in Ethernet based networks.
  • Supports unknown Type-Length-Value (TLV) records: VTP Messages can contain additional information elements stored as TLV records.  VTPv1 usually drops all unrecognized TLVs from received messages, VTPv2 keeps all TLVs in propogated messages even if they are not recognized.
  • Optimized VLAN database consistency checking: VTPv1 only performed checks when the VLAN database was modified.  In VTPv2 the consistency checks are skipped if the change was caused by a received VTP message.

VTPv3 has the following enhancements from VTPv2:

  • The server role has been modified: There are two server types in VTPv3 primary and secondary, A primary server is allowed to modify VTP domain contents and there can only be on primary server per VTP domain at any time.
  • VTPv3 password storage has been improved.  the VTP password can now be stored in an encrypted format that cannot be displayed back as plaintext.
  • VTPv3 is capable of distributing information about the full range of VLANs including Private VLANs.  It is no longer necessary to use transparent mode when using extended range VLANs and Private VLANs.  Pruning still only applies to normal range VLANs.
  • VTPv3 supports an off mode where it will drop all received VTP messages and not participate in VTP operations.  You can also shut down VTP on specific trunks.


VLANs: 802.1Q-in-Q Tunneling

VLANs usually don’t extend past the WAN however there are new alternatives that exist today that allow VLAN traffic to pass through a WAN.

  • 802.1Q-in-Q
  • 802.1ad Provider Bridges
  • 802.1ah Provider Backbone Bridges
  • Layer 2 Tunneling Protocol (L2TPv3)
  • Ethernet over MPLS (EoMPLS)
  • VLAN Private LAN Services (VPLS)

802.1Q-in-Q allows a Service Provider to preserve 802.1Q VLAN tags across a WAN service. Doing so allows a VLAN to span multiple geographically dispersed sites.


The ingress SP switch takes the 802.1Q frame and then adds an additional tag with another 802.1Q header defining the SP VLAN that ‘tunnels’ the customer VLAN across the WAN.

S-tag = Service provider imposed 802.1Q header
C-tag = Customer provided 802.1Q header


VLAN Trunking: Allowed, Active, and Pruned VLANs

VLAN trunks are capable of supporting 1-4094 VLANs however there are several mechanisms to reduce the actual number of VLANs whose traffic flows over the trunk.

Allowed VLANs

Trunks allow all VLANs by default, however they can be filtered down by using the switchport trunk allowed command.

Allowed and Active VLANs

In order for a VLAN to be active a VLAN must be in the allowed list configured on the trunk the VLAN must exist in the configuration of the switch and it must be in an active state and not shutdown or suspended.  With PVST+ an STP instance is actively running on this trunk for the allowed VLANs on the trunk configuration.

Active and not pruned

VLANs are considered pruned when VTP detects that it does not need to forward frames on a particular trunk and ceases to do so.  The active and allowed list consists of any VTP pruned VLANs and VLANs PVST+ considers the port blocking removed.


VLAN Trunking: ISL and 802.1Q

VLAN trunking allows network devices to send  traffic for multiple VLANs over a single link.  To know what VLAN a frame belongs to, the sending switch or network device adds a header to the original Ethernet frame.  This header has a field included which defines the VLAN ID of which VLAN the frame is associated with.

Older networking devices are capable of differentiating VLANs in two ways: ISL and 802.1Q

Here are the differences between the two types of trunking protocols:


  • Supports Normal and Extended range VLANs
  • Protocol defined by Cisco
  • Encapsulates the original Ethernet frame
  • Does not understand the concept of Native VLAN



  • Supports Normal and Extended range VLANs
  • Protocol defined by IEEE
  • Inserts tag into existing Ethernet header
  • Understands the concept of a Native VLAN


The concept of the Native VLAN is that there are network devices that do not understand VLANs or VLAN trunking, so as they transmit data across a switched network they do so without encapsulating/tagging their traffic with a VLAN ID.  The default VLAN ID that handles untagged traffic traditionally is VLAN 1 however this can be configured to be something else if needed for any reason.