VLANs
A VLAN = a single broadcast domain = logical network segment (subnet)
By default, all switch ports are assigned to VLAN 1, which is of type Ethernet with an MTU of 1500 bytes.
Create the VLAN:
Switch# conf t
Switch(config)# vlan 43
Switch(config-vlan)# name Marketing
To delete a VLAN:
Switch(config)# no vlan 43
Next, assign it to an interface:
Switch(config)# int fa 1/23
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 43
Switch(config-if)# no shut
There are two VLAN deployment models, end-to-end and local.
End-to-end or campuswide VLAN deployments – every VLAN is made available to every access switch across the network. In this option, broadcasts must cross the core and suck up valuable resources. Usually uses VTP client/server modes.
Local uses layer three at the distribution layer to keep inter-VLAN traffic within that switch block and is better suited for environments where most traffic is not locally destined. Usually uses VTP transparent mode because you don’t want the VLANs propagated around the network (hence, “Local”). In this model, a VLAN should not extend past its distribution switch.
Best practices for VLAN design:
- For the local VLANs model, limit 1-3 VLANs per access switch and limit those VLANs to only a couple of access switches and the distribution switches.
- Avoid using VLAN one as the “blackhole” for all unused ports.
- Try to separate voice, data, management, default, and blackhole VLANs (each assigned their own VLAN ID).
- In the local VLANs model, avoid VTP (use transparent mode).
- Turn off DTP on trunk ports and configure them manually – also prefer IEEE 802.1Q over ISL.
- Manually configure access ports that are not intended to be trunks.
- Prevent all data traffic from VLAN 1.
- Avoid Telnet on management VLANs, use SSH instead.
VLAN Troubleshooting Steps:
- Physical connection OK? No – check with CDP; fix any cabling or duplex problems
- Router and switch configuration OK? No – compare configurations and fix inconsistencies
- VLAN configuration OK? No – fix VLAN problems
To determine the trunking status of an interface:
# sh int fa 1/24 trunk
To determine the physical status of a link:
# sh int fa 1/24 status
To check if an interface is assigned to a specific VLAN:
# sh vlan id 100
VLAN TRUNKING
Two frame tagging methods for trunk links:
ISL – Cisco proprietary, uses own frame header and CRC
802.1Q – Open standard, tags within frame, allows for native VLANs (untagged frames to go through)
DTP (Dynamic Trunking Protocol) is a proprietary protocol for negotiating a common trunking mode between two switches.
To configure a VLAN trunk interface:
Switch(config)# int fa 1/5
Switch(config-if)# switchport
Switch(config-if)# switchport trunk encapsulation {isl | dot1q | negotiate}
Switch(config-if)# switchport trunk native vlan 1
Switch(config-if)# switchport trunk allowed vlan {list | add list | remove list}
Switch(config-if)# switchport mode {trunk | dynamic {desirable | auto}}
If the encapsulation is set to negotiate, ISL is used by default when nothing else is specified.
Trunk links by default allow all active VLANs (those that the switch knows about). Also, all dot1Q trunks use VLAN 1 as the default native VLAN.
It is recommended to only allow VLANs that need to cross the trunk. Because the switch forwards broadcasts out all ports on a VLAN, they are forwarded over the trunk too – which wastes trunk bandwidth.
Trunking Modes:
Trunk – manual, permanent trunking mode
Dynamic desirable (default) - the port actively tries to bring up the link as a trunk, sending negotiations to the other end
Dynamic auto – the port can be converted to a trunk link, but only if the far end requests it
Nonegotiate - puts the interface into permanent trunking mode and does not send DTP frames
Resulting link state for each combination of DTP modes (local port down the side, far end across the top):

                   Dynamic Auto  Dynamic Desirable  Trunk                 Access
Dynamic Auto       Access        Trunk              Trunk                 Access
Dynamic Desirable  Trunk         Trunk              Trunk                 Access
Trunk              Trunk         Trunk              Trunk                 Limited Connectivity
Access             Access        Access             Limited Connectivity  Access
When troubleshooting a trunk link, all of the following must be set the same on both ends:
- trunking mode (trunk, dynamic auto, dynamic desirable )
- encapsulation
- native VLANs (for dot1Q only, and a mismatch only breaks native VLAN traffic)
- allowed VLANs
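Added example, not part of the original notes: a Python audit that reads a running-config excerpt and flags ports that deviate from the best practices and the trunk checklist above (DTP still negotiating, ISL encapsulation, native VLAN 1, all VLANs allowed, ports left in VLAN 1). The config excerpt, interface names and VLAN numbers are constructed for illustration.

```python
import re
# Constructed sample running-config excerpt for illustration (not from any real device).
SAMPLE_CONFIG = """\
interface FastEthernet1/5
 switchport trunk encapsulation isl
 switchport mode dynamic desirable
!
interface FastEthernet1/6
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,30
 switchport mode trunk
 switchport nonegotiate
!
interface FastEthernet1/23
 switchport mode access
 switchport access vlan 43
!
interface FastEthernet1/24
!
"""

def parse_interfaces(config):
    """Return {interface name: [its indented commands]} for each 'interface' stanza."""
    stanzas = re.findall(r"^interface (\S+)\n((?: .*\n)*)", config, re.M)
    return {name: [c.strip() for c in body.splitlines()] for name, body in stanzas}
def setting(cmds, prefix):
    """Argument of the first command starting with prefix, or None if absent."""
    return next((c[len(prefix):] for c in cmds if c.startswith(prefix)), None)
def audit_interface(cmds):
    """Flag deviations from the VLAN and trunk best practices in the notes above."""
    findings, mode = [], setting(cmds, "switchport mode ")
    if mode is None or mode.startswith("dynamic"):
        findings.append("DTP negotiation left on: set mode access or trunk manually")
    if mode == "trunk" or (mode or "").startswith("dynamic"):
        if mode == "trunk" and "switchport nonegotiate" not in cmds:
            findings.append("trunk still sends DTP frames: add switchport nonegotiate")
        if setting(cmds, "switchport trunk encapsulation ") == "isl":
            findings.append("ISL encapsulation: use dot1q")
        if setting(cmds, "switchport trunk native vlan ") in (None, "1"):
            findings.append("native VLAN is 1: move it to an otherwise unused VLAN")
        if setting(cmds, "switchport trunk allowed vlan ") is None:
            findings.append("all VLANs allowed: prune to those that must cross the trunk")
    elif setting(cmds, "switchport access vlan ") in (None, "1"):
        findings.append("port sits in VLAN 1: assign a data or blackhole VLAN")
    return findings
def audit_config(config):
    """Map every interface in the config to its findings (empty list = clean)."""
    return {name: audit_interface(cmds) for name, cmds in parse_interfaces(config).items()}
```

Running `audit_config(SAMPLE_CONFIG)` reports FastEthernet1/6 and FastEthernet1/23 as clean, four findings on FastEthernet1/5 and two on the unconfigured FastEthernet1/24.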
Native VLANs
It is important that the native VLAN is configured correctly on both sides of an 802.1Q trunk. The native VLAN is a “default” VLAN that allows frames to be passed through the trunk untagged. If there were devices in the middle of the trunk that required line access, they could use the native VLAN. This is a rare situation, but worth understanding.