CCNP Switch Notes: VLAN Implementation
VLANs are used to break large campus networks into smaller pieces. The benefit of this is to minimize the amount of broadcast traffic on a logical segment.
VLAN Overview
A virtual LAN (VLAN) is a logical LAN, or a logical subnet. It defines a broadcast domain. A physical subnet is a group of devices that shares the same physical wire. A logical subnet is a group of switch ports assigned to the same VLAN, regardless of their physical location in a switched network. VLAN membership can be assigned either statically by port, or dynamically by MAC address or username. Two types of VLANs are:
- End-to-end VLAN: VLAN members reside on different switches throughout the network. They are used when hosts are assigned to VLANs for policy reasons, rather than physical location. This provides users a consistent policy and access to resources regardless of their location. It also makes troubleshooting more complex because so many switches can carry traffic for a specific VLAN, and broadcasts can traverse many switches.
- Local VLAN: Hosts are assigned to VLANs based on their location, such as a floor in a building. This design is more scalable and easier to troubleshoot because the traffic flow is more deterministic. It enables more redundancy and minimizes failure domains. It does require a routing function to share resources between VLANs.
When planning a VLAN structure, consider traffic flows and link sizing. Take into account the entire traffic pattern of applications found in your network. For instance, IP voice media traffic travels directly between phones, but signaling traffic must pass to the Unified Communications Manager. Multicast traffic must communicate back to the routing process and possibly call upon a Rendezvous Point. Various user applications, such as email and Citrix, place different demands on the network.
Application flow influences link bandwidth. Remember that uplink ports need to handle all hosts communicating concurrently, and although VLANs logically separate traffic, traffic in different VLANs still travels over the same trunk line. Benchmark throughput for critical application and user data during peak hours; then analyze the results for any bottlenecks throughout the layered design.
User access ports are typically Fast Ethernet or faster. Access switches must have the necessary port density and can be either Layer 2 or Layer 3. Ports from user Access to the Distribution layer should be Gigabit Ethernet or better, with an oversubscription ratio of no more than 20:1. Distribution switches should be multilayer or Layer 3. Links from Distribution to the Core should be Gigabit Etherchannel or 10-Gig Ethernet, with an oversubscription of no more than 4:1.
VLAN Planning
Before beginning a VLAN implementation, you need to determine the following information:
- VLAN numbering, naming and IP addressing scheme
- VLAN placement—local or multiple switches
- Are any trunks necessary and where?
- VTP parameters
- Test and verification plan
Creating a VLAN and Assigning Ports
VLANs must be created before they can be used. Creating VLANs is easy—in global configuration mode just identify the VLAN number and optionally name it!
(config)#vlan 12
(config-vlan)#name MYVLAN
Delete a VLAN by using the same command with no in front of it. There is no need to include the name when deleting.
When statically assigning ports to VLANs, first make the interface an access port, and then assign the port to a VLAN. At the interface configuration prompt:
(config-if)#switchport mode access
(config-if)#switchport access vlan 12
Verifying VLAN Configuration
To see a list of all the VLANs and the ports assigned to them, use the command show vlan. To narrow down the information displayed, you can add one of these keywords after the command: brief, id vlan-number, or name vlan-name:
ASW#show vlan brief
VLAN Name                             Status    Ports
---- -------------------------------- --------- --------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/10, Fa0/11, Fa0/12
20   VLAN0020                         active    Fa0/5, Fa0/6, Fa0/7
21   VLAN0021                         active    Fa0/8, Fa0/9
1002 fddi-default                     active
1003 trcrf-default                    active
1004 fddinet-default                  active
1005 trbrf-default                    active
Other verification commands include:
- show running-config interface interface-no: Use the following to verify the VLAN membership of the port:
ASW#show run interface fa0/5
Building configuration...
Current configuration : 64 bytes
!
interface FastEthernet0/5
 switchport access vlan 20
 switchport mode access
- show mac address-table interface interface-no. vlan vlan-no: Use the following to view MAC addresses learned through that port for the specified VLAN:
ASW#show mac address-table interface fa0/1
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    0030.b656.7c3d    DYNAMIC     Fa0/1
Total Mac Addresses for this criterion: 1
- show interfaces interface-no. switchport: Use the following to see detailed information about the port configuration, such as the entries in the Administrative Mode and Access Mode VLAN fields:
ASW#show interfaces fa0/1 switchport
Name: Fa0/1
Switchport: Enabled
Administrative Mode: dynamic desirable
Operational Mode: static access
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: native
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Protected: false
Unknown unicast blocked: false
Unknown multicast blocked: false
Broadcast Suppression Level: 100
Multicast Suppression Level: 100
Unicast Suppression Level: 100
VLAN Trunking
A trunk is a link that carries traffic for more than one VLAN. Trunks multiplex traffic from multiple VLANs. They typically connect switches and enable ports on multiple switches to be assigned to the same VLAN.
Two methods of identifying VLANs over trunk links are:
- Inter-Switch Link (ISL): A Cisco proprietary method that encapsulates the original frame in a header, which contains VLAN information. It is protocol-independent and can identify Cisco Discovery Protocol (CDP) and bridge protocol data unit (BPDU) frames.
- 802.1Q: Standards-based, tags the frames (inserts a field into the original frame immediately after the source MAC address field), and supports Ethernet and Token Ring networks.
When a frame comes into a switch port, the frame is tagged internally within the switch with the VLAN number of the port. When it reaches the outgoing port, the internal tag is removed. If the exit port is a trunk port, its VLAN is identified in either the ISL encapsulation or the 802.1Q tag. The switch on the other end of the trunk removes the ISL or 802.1Q information, checks the VLAN of the frame, and adds the internal tag. If the exit port is a user port, the original frame is sent out unchanged, making the use of VLANs transparent to the user.
If a nontrunking port receives an ISL-encapsulated packet, the port cannot remove the ISL header. By default, the system installs ISL system CAM entries and drops ISL packets. In special, rare circumstances, these CAM entries are installed for every active VLAN in the switch. To prevent such collisions, enter the no-isl-entries enable command on switches connected to other switches. If the ISL header and footer cause the MTU size to be exceeded, it might be counted as an error.
If a nontrunking port receives an 802.1Q frame, the source and destination MAC addresses are read, the tag field is ignored, and the frame is switched normally at Layer 2.
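The tagging behavior just described, worked through in code. This is an added example and not part of the original notes: the frame is constructed, and the ingress_vlan and egress_frame functions are a simplified model of what the switch does, not switch code. It shows where the 4-byte 802.1Q tag sits (immediately after the source MAC, announced by EtherType 0x8100), that a trunk sends native-VLAN frames untagged and treats untagged arrivals as native, and that an access port ignores a tag and simply uses its own VLAN.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag


def build_frame(dst_mac, src_mac, ethertype, payload):
    """Assemble an untagged Ethernet II frame from hex MAC strings (constructed test data)."""
    return bytes.fromhex(dst_mac) + bytes.fromhex(src_mac) + struct.pack("!H", ethertype) + payload


def add_dot1q_tag(frame, vlan_id, pcp=0):
    """Insert the 4-byte 802.1Q tag immediately after the source MAC (byte offset 12)."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be 1-4094")
    tci = (pcp & 0x7) << 13 | vlan_id          # PCP: 3 bits, DEI: 1 bit (0), VID: 12 bits
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def parse_frame(frame):
    """Return (dst, src, vlan_id or None, ethertype, payload) for a tagged or untagged frame."""
    dst, src = frame[0:6].hex(), frame[6:12].hex()
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == TPID_8021Q:
        tci = struct.unpack("!H", frame[14:16])[0]
        ethertype = struct.unpack("!H", frame[16:18])[0]   # the real EtherType follows the tag
        return dst, src, tci & 0x0FFF, ethertype, frame[18:]
    return dst, src, None, ethertype, frame[14:]


def strip_dot1q_tag(frame):
    """Remove the tag if one is present; otherwise return the frame unchanged."""
    if struct.unpack("!H", frame[12:14])[0] == TPID_8021Q:
        return frame[:12] + frame[16:]
    return frame


def ingress_vlan(frame, port_is_trunk, access_vlan=1, native_vlan=1):
    """VLAN the receiving switch assigns internally (simplified model).
    Trunk port: VID from the tag, or the native VLAN when the frame is untagged.
    Access (nontrunking) port: the port's own VLAN; any tag present is ignored."""
    if not port_is_trunk:
        return access_vlan
    vlan_id = parse_frame(frame)[2]
    return native_vlan if vlan_id is None else vlan_id


def egress_frame(frame, internal_vlan, port_is_trunk, native_vlan=1):
    """Frame as it leaves a port: tagged on a trunk unless it belongs to the native VLAN,
    untagged on a user port so VLANs stay transparent to the host."""
    untagged = strip_dot1q_tag(frame)
    if port_is_trunk and internal_vlan != native_vlan:
        return add_dot1q_tag(untagged, internal_vlan)
    return untagged


if __name__ == "__main__":
    arp = build_frame("ffffffffffff", "0030b6567c3d", 0x0806, b"\x00" * 28)
    on_trunk = egress_frame(arp, 20, port_is_trunk=True)
    print("tagged frame:", on_trunk.hex())
    print("VLAN seen by the far switch:", ingress_vlan(on_trunk, port_is_trunk=True))
    print("VLAN seen by an access port in VLAN 30:", ingress_vlan(on_trunk, False, access_vlan=30))
```

The native-VLAN branch in egress_frame is the reason the notes recommend moving the native VLAN away from any user VLAN: whatever VLAN is native crosses the trunk with no tag at all.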
Configuring a Trunk Link
Ports can become trunk ports either by static configuration or dynamic negotiation using Dynamic Trunking Protocol (DTP). A switch port can be in one of five DTP modes:
- Access: The port is a user port in a single VLAN.
- Trunk: The port negotiates trunking with the port on the other end of the link.
- Non-negotiate: The port is a trunk and does not do DTP negotiation with the other side of the link.
- Dynamic Desirable: Actively negotiates trunking with the other side of the link. It becomes a trunk if the port on the other switch is set to trunk, dynamic desirable, or dynamic auto mode.
- Dynamic Auto: Passively waits to be contacted by the other switch. It becomes a trunk if the other end is set to trunk or dynamic desirable mode.
Configure a port for trunking at the interface configuration mode:
(config-if)#switchport mode {dynamic {auto | desirable} | trunk}
If dynamic mode is used, DTP negotiates the trunking state and encapsulation. If trunk mode is used, you must specify encapsulation, and you can disable all DTP negotiation:
(config-if)#switchport trunk encapsulation {isl | dot1q | negotiate}
(config-if)#switchport nonnegotiate
If you use 802.1Q, specify a native VLAN for the trunk link with the command:
(config-if)#switchport trunk native vlan vlan-no
Frames from the native VLAN are sent over the trunk link untagged. The native VLAN must match on both sides of the trunk link. VLAN 1 is the default native VLAN for all ports, but best practice is to set the native VLAN to one not assigned to users. This practice also decreases the danger of having a large spanning tree instance in VLAN 1.
VLANs Allowed on the Trunk
By default, a trunk carries traffic for all VLANs. You can change that behavior for a particular trunk link by giving the following command at the interface config mode:
(config-if)#switchport trunk allowed vlan vlans
Make sure that both sides of a trunk link enable the same VLANs.
Verifying a Trunk Link
Two commands you can use to verify your trunk configuration are
#show running-config
#show interfaces [interface no.] switchport | trunk
Using the trunk keyword with the show interfaces command gives information about the trunk link:
#show interfaces fastethernet 0/1 trunk
Port        Mode         Encapsulation  Status        Native vlan
Fa0/1       desirable    n-802.1q       trunking      1

Port        Vlans allowed on trunk
Fa0/1       1-150
<further output omitted>
Best Practices for Trunking
- Change the Native VLAN to one not assigned to any users.
- On links that should be trunks, turn off trunking negotiation by setting the mode to trunk, specifying the encapsulation type, and adding the nonnegotiate command.
- On links that should never be trunks, turn off trunking negotiation by setting the switchport mode to host. This sets it as an access port, enables PortFast, and disables EtherChannel negotiation.
- Limit the VLAN traffic carried by the trunk to only those VLANs it needs to carry.
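One way to check a switch against these best practices, and against the show interfaces switchport fields shown in the verification section, is to run an audit over the command output. This is an added example, not part of the original notes or any Cisco tool: the sample output is constructed (three ports, modeled on the fields in the earlier show interfaces fa0/1 switchport listing), and the finding codes DTP, NATIVE-VLAN-1 and ALL-VLANS are names chosen here. A port is flagged when DTP negotiation is still active, when a trunk still uses native VLAN 1, or when a trunk carries all VLANs.

```python
import re

# Constructed sample modeled on "show interfaces <if> switchport" output; not a real capture.
SAMPLE_SWITCHPORT = """\
Name: Fa0/1
Switchport: Enabled
Administrative Mode: dynamic desirable
Operational Mode: static access
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: native
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Trunking VLANs Enabled: ALL

Name: Gi0/1
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: Off
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Trunking VLANs Enabled: ALL

Name: Gi0/2
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: Off
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 999 (VLAN0999)
Trunking VLANs Enabled: 10,20,30
"""


def parse_switchport(text):
    """Split the output into one dict of 'field: value' pairs per port, keyed by port name."""
    ports, current = {}, None
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "Name":
            current = ports.setdefault(value, {})
        elif current is not None:
            current[key] = value
    return ports


def native_vlan(fields):
    """'1 (default)' or '999 (VLAN0999)' -> the numeric VLAN, or None if the field is absent."""
    match = re.match(r"(\d+)", fields.get("Trunking Native Mode VLAN", ""))
    return int(match.group(1)) if match else None


def audit_port(name, fields):
    """Return (code, advice) findings for one port against the trunking best practices."""
    findings = []
    admin = fields.get("Administrative Mode", "")
    if admin.startswith("dynamic") or fields.get("Negotiation of Trunking") == "On":
        findings.append(("DTP", f"{name}: trunk negotiation is active (Administrative Mode '{admin}'); "
                                "use 'switchport mode access' on user ports, or 'switchport mode trunk' "
                                "plus 'switchport nonnegotiate' on trunks"))
    if fields.get("Operational Mode") == "trunk":
        if native_vlan(fields) == 1:
            findings.append(("NATIVE-VLAN-1", f"{name}: native VLAN is still 1; move it to an unused VLAN "
                                              "with 'switchport trunk native vlan <id>'"))
        if fields.get("Trunking VLANs Enabled", "").upper() == "ALL":
            findings.append(("ALL-VLANS", f"{name}: trunk carries every VLAN; restrict it with "
                                          "'switchport trunk allowed vlan <list>'"))
    return findings


def audit_switchports(text):
    """Audit every port in the output; ports with an empty list are clean."""
    return {name: audit_port(name, fields) for name, fields in parse_switchport(text).items()}


if __name__ == "__main__":
    for port, findings in audit_switchports(SAMPLE_SWITCHPORT).items():
        print(port, "OK" if not findings else "")
        for code, advice in findings:
            print(f"  [{code}] {advice}")
```

In the sample, Fa0/1 is flagged only for DTP (it is operationally an access port, so the trunk checks do not apply), Gi0/1 for native VLAN 1 and all VLANs, and Gi0/2 passes.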
VLAN Trunking Protocol
VLAN Trunking Protocol (VTP) is a Cisco-proprietary protocol that runs over trunk links and synchronizes the VLAN databases of all switches in the VTP domain. A VTP domain is an administrative group; all switches within that group must have the same VTP domain name configured, or they do not synchronize databases.
VTP works by using Configuration Revision numbers and VTP advertisements:
- All switches send out VTP advertisements every five minutes or when there is a change to the VLAN database (when a VLAN is created, deleted, or renamed).
- VTP advertisements contain a Configuration Revision number. This number is increased by one for every VLAN change.
- When a switch receives a VTP advertisement, it compares the Configuration Revision number against the one in its VLAN database.
- If the new number is higher, the switch overwrites its database with the new VLAN information and forwards the information to its neighbor switches.
- If the number is the same, the switch ignores the advertisement.
- If the new number is lower, the switch replies with the more up-to-date information contained in its own database.
VTP Switch Roles
A switch can be a VTP:
- Server: The default VTP role. Servers can create, delete, and rename VLANs. They originate both periodic and triggered VTP advertisements and synchronize their databases with other switches in the domain.
- Client: Clients cannot make VLAN changes. They originate periodic VTP advertisements and synchronize their databases with other switches in the domain.
- Transparent: It can create, delete, and rename VLANs, but its VLANs are only local. It does not originate advertisements or synchronize its database with any other switches. It forwards VTP advertisements out its trunk links, however.
The two versions of VTP are Version 1 and Version 2. To use Version 2, all switches in the domain must be capable of using it. Configure one server for Version 2, and the information is propagated through VTP. Version 2 has the following added features:
- It supports Token Ring VLANs.
- Transparent switches pass along messages from both versions of VTP.
- Consistency checks are performed only when changes are configured through the CLI or SNMP.
Configuring VTP
VTP configuration is done at the global config mode. To configure the switch’s VTP mode:
(config)#vtp mode {server | client | transparent}
To configure the VTP domain name:
(config)#vtp domain name
To configure a VTP password (all switches in the domain must use the same password):
(config)#vtp password password
To configure the switch to use VTP Version 2:
(config)#vtp version 2
Verifying and Monitoring VTP
To get basic information about the VTP configuration, use show vtp status. The example shows the default settings:
#show vtp status
VTP Version                     : 1
Configuration Revision          : 0
Maximum VLANs supported locally : 1005
Number of existing VLANs        : 5
VTP Operating Mode              : Server
VTP Domain Name                 : (config)#
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Disabled
VTP Traps Generation            : Disabled
MD5 digest                      :
Adding a New Switch to a VTP Domain
Adding a new switch in client mode does not prevent it from propagating its incorrect VLAN information. A server synchronizes to a client if the client has the higher configuration revision number. You must reset the revision number back to 0 on the new switch. To be safe, follow these steps:
Step 1. With the switch disconnected from the network, set it as VTP transparent and delete the vlan.dat file from its flash memory.
Step 2. Set it to a fake VTP domain name and into client mode.
Step 3. Reboot the switch.
Step 4. Configure the correct VTP settings, such as domain, password, mode, and version.
Step 5. Connect the switch to the network, and verify that it receives the correct information.
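The revision-number rules from the VTP section and the reason for the five steps above, played out in a small simulation. This is an added example, not part of the original notes: VtpSwitch is a simplified model (one domain, no pruning, no password check, advertisements exchanged one pair at a time), the switch names, VLAN sets and revision numbers are constructed, and TEMP-DOMAIN is a placeholder for the fake domain name of step 2. The first scenario connects a reused client switch without resetting it and the production server loses its VLANs; the second performs the reset first and the new switch synchronizes instead.

```python
DEFAULT_VLANS = {1, 1002, 1003, 1004, 1005}   # the five VLANs a fresh switch ships with


class VtpSwitch:
    """Simplified model of a switch's VTP behavior (constructed for this example)."""

    def __init__(self, name, domain, mode="server", vlans=None, revision=0):
        if mode not in ("server", "client", "transparent"):
            raise ValueError(f"unknown VTP mode {mode!r}")
        self.name, self.domain, self.mode = name, domain, mode
        self.vlans = set(vlans) if vlans else set(DEFAULT_VLANS)
        self.revision = revision

    def configure_vlans(self, vlans):
        """Servers raise the revision on every change; transparent changes stay local."""
        if self.mode == "client":
            raise PermissionError(f"{self.name}: a VTP client cannot change VLANs")
        self.vlans = set(vlans)
        if self.mode == "server":
            self.revision += 1

    def advertisement(self):
        """Only servers and clients originate advertisements."""
        if self.mode == "transparent":
            return None
        return {"domain": self.domain, "revision": self.revision, "vlans": set(self.vlans)}

    def receive(self, adv):
        """The comparison rules from the VTP section, applied to one advertisement."""
        if adv is None or adv["domain"] != self.domain:
            return "ignored-domain"          # different domain name: no synchronization
        if self.mode == "transparent":
            return "forwarded"               # relayed out other trunks, database untouched
        if adv["revision"] > self.revision:
            self.vlans, self.revision = set(adv["vlans"]), adv["revision"]
            return "overwritten"             # the higher number wins, whoever sent it
        if adv["revision"] == self.revision:
            return "ignored"
        return "replied"                     # own database is newer; answer with it

    def reset_for_join(self):
        """Steps 1 to 3: transparent mode, vlan.dat deleted, fake domain, reboot -> revision 0."""
        self.mode = "transparent"
        self.vlans = set(DEFAULT_VLANS)
        self.domain = "TEMP-DOMAIN"          # placeholder for the fake domain name of step 2
        self.revision = 0


def exchange(a, b):
    """Both switches hear each other's advertisement; returns (a's outcome, b's outcome)."""
    adv_a, adv_b = a.advertisement(), b.advertisement()
    return a.receive(adv_b), b.receive(adv_a)


def production_pair():
    """Constructed scenario: a core server at revision 12 and a reused lab switch at 40."""
    core = VtpSwitch("core", "CAMPUS", "server", DEFAULT_VLANS | {10, 20, 30}, revision=12)
    lab = VtpSwitch("lab", "CAMPUS", "client", DEFAULT_VLANS | {99}, revision=40)
    return core, lab


def join_without_reset():
    """Connect the lab switch as-is: its higher revision overwrites the core's database."""
    core, lab = production_pair()
    outcome = exchange(core, lab)
    return outcome, sorted(core.vlans), core.revision


def join_with_reset():
    """Follow the five steps: the lab switch starts at revision 0 and syncs from the core."""
    core, lab = production_pair()
    lab.reset_for_join()                         # steps 1-3
    lab.mode, lab.domain = "client", "CAMPUS"    # step 4: the correct settings
    outcome = exchange(core, lab)                # step 5: connect and verify
    return outcome, sorted(core.vlans), sorted(lab.vlans)


if __name__ == "__main__":
    print("without reset:", join_without_reset())
    print("with reset:   ", join_with_reset())
```

Note that the client's mode gives no protection in the first scenario: the core server accepts the higher revision number regardless of which role sent it, exactly as the note above warns.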
EtherChannels
An EtherChannel is a way of combining several physical links between switches into one logical connection. Normally, Spanning Tree blocks redundant links; EtherChannels get around that and enable load balancing across those links. Traffic is balanced between the channel links on the basis of such things as source or destination MAC address or IP address. The EtherChannel load-balancing method is configured at global configuration mode.
(config)#port-channel load-balance type
A logical interface—called the Port Channel interface—is created. Configuration can be applied to both the logical and physical interfaces.
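Why the load-balancing method matters for link sizing, shown with a constructed traffic mix. This is an added example and not from the original notes: it uses a simplified model in which the switch takes the low-order bits of the selected address (or the XOR of both addresses for a src-dst method) and maps the result onto the channel's links; the exact hash on a real Catalyst platform is not reproduced here. The flows (one server talking to eight clients) are constructed.

```python
from collections import Counter


def low_bits(mac, bits=3):
    """Low-order bits of a MAC written as 0000.0c00.0001 or 00:00:0c:00:00:01."""
    return int(mac.replace(".", "").replace(":", ""), 16) & ((1 << bits) - 1)


def choose_link(method, src_mac, dst_mac, n_links):
    """Pick the channel member (0..n_links-1) for one frame under the given method.
    Simplified model: hash on the low bits, then fold into the number of links."""
    if method == "src-mac":
        h = low_bits(src_mac)
    elif method == "dst-mac":
        h = low_bits(dst_mac)
    elif method == "src-dst-mac":
        h = low_bits(src_mac) ^ low_bits(dst_mac)
    else:
        raise ValueError(f"unsupported method {method!r}")
    return h % n_links


def distribution(method, flows, n_links):
    """Count how many (src, dst) flows land on each link."""
    return dict(Counter(choose_link(method, s, d, n_links) for s, d in flows))


# Constructed traffic: one server (MAC ends in ...0001) sending to eight clients.
SERVER = "0000.0c00.0001"
CLIENTS = [f"0000.0c00.001{i}" for i in range(8)]
FLOWS = [(SERVER, client) for client in CLIENTS]


def compare_methods(flows=FLOWS, n_links=2):
    """Distribution of the same flows under each method, to compare before choosing one."""
    return {m: distribution(m, flows, n_links) for m in ("src-mac", "dst-mac", "src-dst-mac")}


if __name__ == "__main__":
    for method, dist in compare_methods().items():
        print(f"{method:12s} -> {dist}")
```

With src-mac every frame from the server hashes to the same link, so a two-link channel carries the server's traffic at single-link speed; dst-mac or src-dst-mac spreads it. Uplink capacity planning has to assume the method actually configured with port-channel load-balance, not the nominal bundle bandwidth.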
Some guidelines for EtherChannels follow:
- Interfaces in the channel do not have to be physically next to each other or on the same module.
- All ports must be the same speed and duplex.
- All ports in the bundle should be enabled.
- None of the bundle ports can be a SPAN port.
- Assign an IP address to the logical Port Channel interface, not the physical ones, if using a Layer 3 EtherChannel.
- Put all bundle ports in the same VLAN, or make them all trunks. If they are trunks, they must all carry the same VLANs and use the same trunking mode.
- The configuration you apply to the Port Channel interface affects the entire EtherChannel. The configuration you apply to a physical interface affects only that interface.
Configuring an EtherChannel
Basically, you should configure the logical interface and then put the physical interfaces into the channel group:
(config)#interface port-channel number
! any additional configuration, such as trunking for a Layer 2 EtherChannel
For a Layer 3 EtherChannel, add the following:
(config-if)#no switchport
(config-if)#ip address address mask
Then, at each port that is part of the EtherChannel, use the following:
(config)#interface {number | range interface - interface}
(config-if)#channel-group number mode {auto | desirable | on}
Putting the IP address on the Port Channel interface creates a Layer 3 EtherChannel. Simply putting interfaces into a channel group creates a Layer 2 EtherChannel, and the logical interface is automatically created.
The Cisco proprietary Port Aggregation Protocol (PAgP) dynamically negotiates the formation of a channel. There are three PAgP modes:
- On: The port channels without using PAgP negotiation. The port on the other side must also be set to On.
- Auto: Responds to PAgP messages but does not initiate them. The port channels if the port on the other end is set to Desirable. This is the default mode.
- Desirable: The port actively negotiates channeling status with the interface on the other end of the link. The port channels if the other side is Auto or Desirable.
Link Aggregation Control Protocol (LACP) is an IEEE standard protocol, IEEE 802.3ad, which does the same thing. LACP modes follow:
- On: The port channels without using LACP negotiation. The port on the other side must also be set to On.
- Active: The port actively negotiates channeling with the port on the other end of the link. A channel forms if the other side is Passive or Active.
- Passive: Responds to LACP messages but does not initiate them. A channel forms only if the other end is set to Active.
If you want to use LACP, specify it under the interface and put the interface in either active or passive mode:
(config-if)#channel-protocol lacp
(config-if)#channel-group number mode {active | passive}
Verifying an EtherChannel
Some typical commands for verifying include the following:
# show running-config interface number
# show interfaces number etherchannel
# show etherchannel number port-channel
# show etherchannel summary
# show etherchannel load-balance
Troubleshooting VLAN Issues
Configuration problems can arise when user traffic must traverse several switches. The following sections list some common configuration errors. But before you begin troubleshooting, create a plan. Check the implementation plan for any changes recently made, and determine likely problem areas.
Troubleshooting User Connectivity
User connectivity can be affected by several things:
- Physical connectivity: Make sure the cable, network adapter, and switch port are good. Check the port's link LED.
- Switch configuration: If you see FCS errors or late collisions, suspect a duplex mismatch. Check the configured speed on both sides of the link. Make sure the port is enabled and set as an access port.
- VLAN configuration: Make sure the hosts are in the correct VLAN.
- Allowed VLANs: Make sure that the user VLAN is allowed on all appropriate trunk links.
Troubleshooting Trunking
When troubleshooting trunking, make sure that physical layer connectivity is present before moving on to search for configuration problems such as:
- Are both sides of the link in the correct trunking mode?
- Is the same trunk encapsulation on both sides?
- If 802.1Q, is the same native VLAN on both sides? Look for CDP messages warning of this error.
- Are the same VLANs permitted on both sides?
- Is a link trunking that should not be?
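The trunking checklist above, automated against the show interfaces trunk output from both ends of a link. This is an added example and not part of the original notes: the two outputs are constructed (modeled on the format of the earlier show interfaces fastethernet 0/1 trunk listing; only the status table and the "Vlans allowed on trunk" table are parsed, other sections of the real command are skipped), and the finding codes ENCAP, NATIVE, ALLOWED, DTP and NOT-TRUNKING are names chosen here. The comparison reports an encapsulation mismatch, a native VLAN mismatch, VLANs permitted on only one side, a side that is trunking by negotiation rather than static configuration, and a side that is not trunking at all.

```python
# Constructed "show interfaces <if> trunk" output for the two ends of one link; not real captures.
SIDE_A = """\
Port        Mode         Encapsulation  Status        Native vlan
Fa0/1       desirable    n-802.1q       trunking      1

Port        Vlans allowed on trunk
Fa0/1       1-150
"""

SIDE_B = """\
Port        Mode         Encapsulation  Status        Native vlan
Gi0/1       on           802.1q         trunking      99

Port        Vlans allowed on trunk
Gi0/1       1-100,110-150
"""


def expand_vlans(spec):
    """'1-100,110-150' -> the set of VLAN numbers it covers."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def parse_show_trunk(text):
    """Read the status table and the 'Vlans allowed on trunk' table into one dict per port."""
    ports, section = {}, None
    for line in text.splitlines():
        if not line.strip():
            section = None                      # tables are separated by blank lines
            continue
        if line.startswith("Port"):
            if "Mode" in line:
                section = "status"
            elif "allowed on trunk" in line:
                section = "allowed"
            else:
                section = None                  # a section this example does not use
            continue
        if section == "status":
            port, mode, encap, status, native = line.split()
            ports.setdefault(port, {}).update(mode=mode, encapsulation=encap,
                                              status=status, native=int(native))
        elif section == "allowed":
            port, spec = line.split(None, 1)
            ports.setdefault(port, {})["allowed"] = expand_vlans(spec)
    return ports


def encapsulation(fields):
    """'n-802.1q' means the encapsulation was negotiated; compare the type without the prefix."""
    enc = fields["encapsulation"]
    return enc[2:] if enc.startswith("n-") else enc


def compare_trunk(a_text, a_port, b_text, b_port):
    """Return (code, detail) findings for the trunk between a_port on A and b_port on B."""
    a, b = parse_show_trunk(a_text)[a_port], parse_show_trunk(b_text)[b_port]
    findings = []
    if encapsulation(a) != encapsulation(b):
        findings.append(("ENCAP", f"{a['encapsulation']} on {a_port} vs {b['encapsulation']} on {b_port}"))
    if a["native"] != b["native"]:
        findings.append(("NATIVE", f"native VLAN {a['native']} on {a_port} vs {b['native']} on {b_port}"))
    only_a, only_b = a["allowed"] - b["allowed"], b["allowed"] - a["allowed"]
    if only_a or only_b:
        findings.append(("ALLOWED", f"only on {a_port}: {sorted(only_a)}; only on {b_port}: {sorted(only_b)}"))
    for port, fields in ((a_port, a), (b_port, b)):
        if fields["mode"] in ("desirable", "auto"):
            findings.append(("DTP", f"{port} trunks by negotiation (mode {fields['mode']}); "
                                    "set mode trunk and nonnegotiate"))
        if fields["status"] != "trunking":
            findings.append(("NOT-TRUNKING", f"{port} status is {fields['status']}"))
    return findings


if __name__ == "__main__":
    for code, detail in compare_trunk(SIDE_A, "Fa0/1", SIDE_B, "Gi0/1"):
        print(f"[{code}] {detail}")
```

On the constructed pair the encapsulation matches once the n- prefix is set aside, but the native VLANs differ (1 vs 99), VLANs 101 to 109 are permitted only on side A, and side A formed its trunk through DTP.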
Troubleshooting VTP
The following are some common things to check when troubleshooting problems with VTP:
- Make sure you are trunking between the switches. VTP is sent only over trunk links.
- Make sure the domain name matches on both switches. (The name is case sensitive.)
- If the switch is not updating its database, make sure it is not in transparent mode.
- If using passwords, make sure they all match. To remove a password, use no vtp password.
- If VLANs are missing, check the Revision number for a possible database overwrite. Also check the number of VLANs in the domain. There might be too many VLANs for VTP to update properly.