Implementing VLANs and Trunks
A VLAN is a logical broadcast domain that can span multiple physical LAN segments. It is used to group end stations that have a common set of requirements, independent of their physical locations. A VLAN has the same attributes as a physical LAN, except that it lets you group end stations even when they are not physically located on the same LAN segment. A VLAN also lets you group ports on a switch so that you can limit unicast, multicast, and broadcast traffic flooding. Flooded traffic that originates from a particular VLAN floods to only the ports belonging to that VLAN.
Understanding VLANs
Understanding how VLANs operate and what the associated protocols are is important for configuring, verifying, and troubleshooting VLANs on Cisco access switches. This section describes VLAN operations and their associated protocols. A poorly designed network has increased support costs, reduced service availability, security risks, and limited support for new applications and solutions. Less-than-optimal performance affects end users and access to central resources directly. Some of the issues that stem from a poorly designed network include the following:
- Failure domains: One of the most important reasons to implement an effective network design is to minimize the extent of problems when they occur. When Layer 2 and Layer 3 boundaries are not clearly defined, failure in one network area can have a far-reaching effect.
- Broadcast domains: Broadcasts exist in every network. Many applications and network operations require broadcasts to function properly; therefore, it is not possible to eliminate them completely. In the same way that avoiding failure domains involves clearly defining boundaries, broadcast domains should have clear boundaries and include an optimal number of devices to minimize the negative impact of broadcasts.
- Large amount of unknown MAC unicast traffic: Cisco Catalyst switches limit unicast frame forwarding to ports that are associated with the specific unicast address. However, when frames arrive at a destination MAC address that is not recorded in the MAC table, they are flooded out of the switch ports in the same VLAN except for the port that received the frame. This behavior is called unknown MAC unicast flooding.
Because this type of flooding causes excessive traffic on all the switch ports, network interface cards (NICs) must contend with a larger number of frames on the wire. When data is propagated on a wire for which it was not intended, security can be compromised.
- Multicast traffic on ports where it is not intended: IP multicast is a technique that allows IP traffic to be propagated from one source to a multicast group that is identified by a single IP and MAC destination-group address pair. Similar to unicast flooding and broadcasting, multicast frames are flooded out all the switch ports. A proper design allows for the containment of multicast frames while allowing them to be functional.
- Difficulty in management and support: A poorly designed network may be disorganized and poorly documented and lack easily identified traffic flows, which can make support, maintenance, and problem resolution time-consuming and arduous tasks.
- Possible security vulnerabilities: A switched network that has been designed with little attention to security requirements at the access layer can compromise the integrity of the entire network.
A poorly designed network always has a negative impact and becomes a support and cost burden for any organization. Figure 2-1 shows a network with a single broadcast domain. VLANs can help alleviate some of the problems associated with this design.
Figure 2-1 Network with Single Broadcast Domain
VLAN Overview
A VLAN is a logical broadcast domain that can span multiple physical LAN segments. In the switched internetwork, VLANs provide segmentation and organizational flexibility. You can design a VLAN structure that lets you group stations that are segmented logically by functions, project teams, and applications without regard to the physical location of the users. You can assign each switch port to only one VLAN, thereby adding a layer of security. Ports in a VLAN share broadcasts; ports in different VLANs do not. Containing broadcasts in a VLAN improves the overall performance of the network.
Using VLAN technology, you can group switch ports and their connected users into logically defined communities, such as coworkers in the same department, a cross-functional product team, or diverse user groups sharing the same network application.
A VLAN can exist on a single switch or span multiple switches. VLANs can include stations in a single building or multiple-building infrastructures. This is illustrated in Figure 2-2.
Figure 2-2 VLANs Can Span Multiple Switches
Grouping Business Functions into VLANs
Each VLAN in a switched network corresponds to an IP network. So VLAN design must take into consideration the implementation of a hierarchical network-addressing scheme. Hierarchical network addressing means that IP network numbers are applied to network segments or VLANs in an orderly fashion that considers the network as a whole. Blocks of contiguous network addresses are reserved for and configured on devices in a specific area of the network.
Some of the benefits of hierarchical addressing include the following:
- Ease of management and troubleshooting: A hierarchical addressing scheme groups network addresses contiguously. Because a hierarchical IP addressing scheme makes problem components easier to locate, network management and troubleshooting are more efficient.
- Fewer errors: Orderly network address assignment can minimize errors and duplicate address assignments.
- Reduced routing table entries: In a hierarchical addressing plan, routing protocols are able to perform route summarization, allowing a single routing table entry to represent a collection of IP network numbers. Route summarization makes routing table entries more manageable and provides these benefits:
- Fewer CPU cycles when recalculating a routing table or sorting through the routing table entries to find a match
- Reduced router memory requirements
- Faster convergence after a change in the network
- Easier troubleshooting
Applying IP Address Space in the Enterprise Network
The Cisco Enterprise Architecture model provides a modular framework for designing and deploying networks. It also provides the ideal structure for overlaying a hierarchical IP addressing scheme. Following are some guidelines:
- Design the IP addressing scheme so that blocks of 2^n contiguous network numbers (such as 4, 8, 16, 32, 64, and so on) can be assigned to the subnets in a given building distribution and access switch block. This approach lets you summarize each switch block into one large address block.
- At the building distribution layer, continue to assign network numbers contiguously to the access layer devices.
- Have a single IP subnet correspond to a single VLAN. Each VLAN is a separate broadcast domain.
- When possible, subnet at the same binary value on all network numbers to avoid variable-length subnet masks. This approach helps minimize errors and confusion when troubleshooting or configuring new devices and segments.
Figure 2-3 shows how this architectural model is deployed and illustrates IP address allocation between various groups in the enterprise. You will notice that each building has unique subnets. Each of these subnets would be assigned to a single VLAN. Each building has been assigned a range with four IP subnets even though only two departments are shown. The additional subnets could be used for growth.
Figure 2-3 IP Addressing per VLAN
Example: Network Design
A business with approximately 250 employees wants to migrate to the Cisco Enterprise Architecture. Table 2-1 shows the number of users in each department.
Table 2-1 Users per Department
Six VLANs are required to accommodate one VLAN per user community. Following the guidelines of the Cisco Enterprise Architecture, six IP subnets are required.
The business has decided to use network 10.0.0.0 as its base address.
To accommodate future growth, there will be one block of IP addresses per building, as follows:
- Building A is allocated 10.1.0.0/16.
- Building B is allocated 10.2.0.0/16.
- Building C is allocated 10.3.0.0/16.
The sales department is the largest department, requiring a minimum of 102 addresses for its users. A subnet mask of 255.255.255.0 (/24) is chosen, which provides a maximum number of 254 hosts per subnet. Tables 2-2, 2-3, and 2-4 show the allocation of VLANs and IP subnets in the buildings.
Table 2-2 Building A: VLANs and IP Subnets
Table 2-3 Building B: VLANs and IP Subnets
Table 2-4 Building C: VLANs and IP Subnets
Some of the currently unused VLANs and IP subnets will be used to manage the network devices. If the company decides to implement IP telephony, for example, some of the unused VLANs and IP subnets are allocated to the voice VLANs.
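The address plan above can be checked mechanically. The following Python script is an added example, not part of the book or of Cisco's material: it carves one /24 per department out of a building's /16, verifies that each department fits in the chosen subnet size (254 usable hosts per /24, against the 102 addresses the sales department needs), and computes the summary prefix that the building's subnets collapse into, which is the "blocks of 2^n contiguous network numbers" guideline expressed in numbers. The department head counts other than Sales, the VLAN numbering starting at 10, and the department names are constructed assumptions, because Table 2-1 and Tables 2-2 to 2-4 are not reproduced on this page.

```python
import ipaddress

# Constructed sample head counts: Table 2-1 is not reproduced on this page, so only
# the Sales figure (102 users) and the six-VLAN requirement come from the text.
DEPARTMENTS = [
    ("Sales", 102),
    ("Engineering", 60),
    ("Marketing", 40),
    ("Finance", 20),
    ("IT", 16),
    ("HR", 12),
]

# Per-building summary blocks as allocated in the text.
BUILDING_BLOCKS = {
    "A": ipaddress.ip_network("10.1.0.0/16"),
    "B": ipaddress.ip_network("10.2.0.0/16"),
    "C": ipaddress.ip_network("10.3.0.0/16"),
}


def usable_hosts(prefixlen: int) -> int:
    """Usable host addresses in an IPv4 subnet of the given length (network and broadcast excluded)."""
    return 2 ** (32 - prefixlen) - 2


def fits(users: int, prefixlen: int) -> bool:
    """True if a department of this size fits in one subnet of the given length."""
    return users <= usable_hosts(prefixlen)


def allocate(block, departments, prefixlen=24, first_vlan=10):
    """Carve consecutive subnets of the given length out of one building block, one per VLAN.

    Returns a list of (vlan_id, department, subnet) tuples. VLAN ids are assigned in order
    starting at first_vlan (a hypothetical numbering, since the book's tables are not shown here).
    Raises ValueError if any department does not fit the chosen subnet size.
    """
    subnets = block.subnets(new_prefix=prefixlen)
    plan = []
    for offset, (dept, users) in enumerate(departments):
        if not fits(users, prefixlen):
            raise ValueError(
                f"{dept}: {users} users exceed {usable_hosts(prefixlen)} hosts in a /{prefixlen}"
            )
        plan.append((first_vlan + offset, dept, next(subnets)))
    return plan


def summary_route(subnets):
    """Smallest single prefix that covers every subnet in the list (what a router would advertise).

    Six consecutive /24s need a 2^3 = 8 block, so they summarize to a /21: the
    '2^n contiguous network numbers' guideline applied to this design.
    """
    candidate = subnets[0]
    while not all(s.subnet_of(candidate) for s in subnets):
        candidate = candidate.supernet()
    return candidate


def building_plan(building: str):
    """Allocate one /24 per department in a building and return (plan, summary prefix)."""
    plan = allocate(BUILDING_BLOCKS[building], DEPARTMENTS)
    return plan, summary_route([subnet for _, _, subnet in plan])


if __name__ == "__main__":
    plan, summary = building_plan("A")
    for vlan, dept, subnet in plan:
        print(f"VLAN {vlan:<4} {dept:<12} {subnet}  ({usable_hosts(subnet.prefixlen)} usable hosts)")
    print("summary route for building A:", summary)
```

Running it for building A prints six /24 subnets from 10.1.0.0/24 through 10.1.5.0/24 and the summary 10.1.0.0/21; changing the prefix length to /26 makes the allocation fail for Sales, which is the check a designer wants before any VLAN is created on a switch.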
Considering Traffic Source to Destination Paths
When you are designing and implementing networks, a key factor for VLAN deployment is understanding the traffic patterns and the various traffic types. Figure 2-4 displays some common components of a network; this along with the traffic requirements should be a baseline for designing VLANs.
Figure 2-4 Network Enterprise Components
Table 2-5 lists the common types of network traffic that should be considered before placing devices and configuring the VLAN.
Table 2-5 Traffic Types
- BPDUs = bridge protocol data units
- CDP = Cisco Discovery Protocol
- SNMP = Simple Network Management Protocol
- RMON = Remote Monitoring
- QoS = quality of service
- SMB = Server Message Block
- NCP = Netware Core Protocol
- SMTP = Simple Mail Transfer Protocol
- SQL = Structured Query Language
Voice VLAN Essentials
Some Cisco Catalyst switches offer a unique feature called a voice VLAN, which lets you overlay a voice topology onto a data network. You can segment phones into separate logical networks, even though the data and voice infrastructure are physically the same, as illustrated in Figure 2-5.
Figure 2-5 Voice VLANs
The voice VLAN feature places the phones into their own VLANs without any end-user intervention. The user simply plugs the phone into the switch, and the switch provides the phone with the necessary VLAN information.
Using voice VLANs offers several advantages. Network administrators can seamlessly maintain these VLAN assignments, even if the phones move to new locations. By placing phones into their own VLANs, network administrators gain the advantages of network segmentation and control. Voice VLANs also allow administrators to preserve their existing IP topology for the data end stations and easily assign IP phones to different IP subnets using standards-based DHCP operation.
In addition, with the phones in their own IP subnets and VLANs, network administrators can more easily identify and troubleshoot network problems and create and enforce QoS or security policies.
With the voice VLAN feature, network administrators have all the advantages of the physical infrastructure convergence, while maintaining separate logical topologies for voice and data terminals. This configuration creates the most effective way to manage a multiservice network.
VLAN Operation
A Cisco Catalyst switch operates in a network similar to a traditional bridge. Each VLAN that you configure on the switch implements address learning, forwarding and filtering decisions, and loop avoidance mechanisms as if the VLAN were a separate physical bridge.
The Cisco Catalyst switch implements VLANs by restricting traffic forwarding to destination ports that are in the same VLAN as the originating ports. So when a frame arrives on a switch port, the switch must retransmit the frame to only the ports that belong to the same VLAN. In essence, a VLAN that is operating on a switch limits transmission of unicast, multicast, and broadcast traffic. Traffic originating from a particular VLAN floods to only the other ports in that VLAN.
A port normally carries only the traffic for the single VLAN to which it belongs. For a VLAN to span across multiple switches, a trunk is required to connect two switches. A trunk can carry traffic for multiple VLANs. Figure 2-6 shows a trunk carrying multiple VLANs between two switches.
Figure 2-6 VLAN Trunk
You configure ports that belong to a VLAN with a membership mode that determines to which VLAN they belong. Figure 2-7 displays the various VLAN membership modes.
Figure 2-7 VLAN Membership Modes
The VLAN membership mode characteristics of Cisco Catalyst switch ports are as follows:
- Static VLAN: An administrator statically configures the assignment of VLANs to ports.
- Dynamic VLAN: Cisco Catalyst switches support dynamic VLANs using a VLAN Membership Policy Server (VMPS). Some Cisco Catalyst switches can be designated as the VMPS; you can also designate an external server as the VMPS. The VMPS contains a database that maps MAC addresses to VLAN assignments. When a frame arrives at a dynamic port on the Cisco Catalyst access switch, the switch queries the VMPS server for the VLAN assignment based on the source MAC address of the arriving frame. A dynamic port can belong to only one VLAN at a time. Multiple hosts can be active on a dynamic port only if they belong to the same VLAN.
- Voice VLAN: A voice VLAN port is an access port attached to a Cisco IP phone, configured to use one VLAN for voice traffic and another VLAN for data traffic.
Understanding Trunking with 802.1Q
A trunk is a point-to-point link between one or more Ethernet switch interfaces and another networking device such as a router or a switch. Ethernet trunks carry the traffic of multiple VLANs over a single link and allow you to extend the VLANs across an entire network.
Cisco supports IEEE 802.1Q for FastEthernet and Gigabit Ethernet interfaces. In addition, some Cisco switches support Cisco Inter-Switch Link (ISL) trunks, a prestandard trunking technology.
Figure 2-8 shows an example of trunks interconnecting Cisco Catalyst switches.
Ethernet trunk interfaces support different trunking modes. You can configure an interface as trunking or nontrunking, or you can have it negotiate trunking with the neighboring interface.
Every 802.1Q port is assigned to a trunk, and all ports on a trunk are in a native VLAN. A native VLAN is used in IEEE 802.1Q to send untagged frames to any non-802.1Q devices that might exist on the segment. Every 802.1Q port is assigned an identifier value that is based on the native VLAN ID (VID) of the port. (The default is VLAN 1.) All untagged frames are assigned to the VLAN specified in this VID parameter.
802.1Q Frame
IEEE 802.1Q uses an internal tagging mechanism that inserts a four-byte tag field into the original Ethernet frame between the Source Address and Type or Length fields. Because 802.1Q alters the frame, the trunking device recomputes the frame check sequence (FCS) on the modified frame.
It is the responsibility of the Ethernet switch to look at the four-byte tag field and determine where to deliver the frame. An EtherType of 0x8100 indicates to devices that the frame has an 802.1Q tag. A tiny part of the four-byte tag field—three bits to be exact—is used to specify the priority of the frame. The details of this are specified in the IEEE 802.1p standard. The 802.1Q header contains the 802.1p field, so you must have 802.1Q to have 802.1p. Following the priority bits is a single flag to indicate whether the addressing is Token Ring. This is because 802.1Q tagging could also be implemented in a Token Ring environment; the flag will be 0 for an Ethernet frame. The remainder of the tag is used for the VID. Figure 2-9 shows the 802.1Q frame format.
Figure 2-9 802.1Q Frame Format
802.1Q Native VLAN
An 802.1Q trunk and its associated trunk ports have a native VLAN value. 802.1Q does not tag frames for the native VLAN. Therefore, ordinary stations can read the native untagged frames but cannot read any other frame because the frames are tagged. Figure 2-10 shows a frame from the native VLAN being distributed across the network trunks untagged.
Figure 2-10 Untagged Frame
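The tag layout in the 802.1Q Frame section and the untagged native VLAN behaviour described just above can both be made concrete with a small frame builder and parser. The following Python is an added example and is not code from the book: it inserts the four-byte tag (EtherType 0x8100, 3-bit priority, 1-bit CFI flag, 12-bit VID) between the source MAC and the original EtherType, decodes it again, and assigns an incoming frame to a VLAN the way a trunk port does, sending untagged frames to the native VLAN. The FCS is not modelled (a trunking device recomputes it after tagging, as the text notes), and the MAC addresses and payload byte are constructed sample values.

```python
import struct

TPID_8021Q = 0x8100     # EtherType value that announces an 802.1Q tag
PRIORITY_TAG_VID = 0    # VID 0 carries only an 802.1p priority and no VLAN membership


def build_tagged_frame(dst, src, vid, pcp=0, cfi=0, ethertype=0x0800, payload=b""):
    """Insert the 4-byte 802.1Q tag between the source MAC and the original EtherType.

    The tag is the TPID (0x8100) followed by the 16-bit TCI: 3 bits priority (PCP),
    1 bit CFI (0 for Ethernet), 12 bits VLAN ID. The FCS is not modelled here; a real
    trunking device recomputes it after inserting the tag.
    """
    if not (0 <= vid <= 4095):
        raise ValueError("VID must fit in 12 bits")
    if not (0 <= pcp <= 7):
        raise ValueError("priority must fit in 3 bits")
    tci = (pcp << 13) | ((cfi & 1) << 12) | vid
    return dst + src + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload


def parse_frame(frame):
    """Decode an Ethernet frame, tagged or not, into its header fields."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    (etype,) = struct.unpack("!H", frame[12:14])
    if etype != TPID_8021Q:
        return {"dst": dst, "src": src, "tagged": False, "pcp": None, "cfi": None,
                "vid": None, "ethertype": etype, "payload": frame[14:]}
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, inner_type = struct.unpack("!HH", frame[14:18])
    return {"dst": dst, "src": src, "tagged": True, "pcp": tci >> 13,
            "cfi": (tci >> 12) & 1, "vid": tci & 0x0FFF, "ethertype": inner_type,
            "payload": frame[18:]}


def classify_vlan(frame, native_vid=1):
    """VLAN a trunk port assigns an incoming frame to.

    Untagged frames, and priority-tagged frames with VID 0, belong to the port's native
    VLAN (VLAN 1 by default); anything else belongs to the VID carried in its tag.
    """
    fields = parse_frame(frame)
    if not fields["tagged"] or fields["vid"] == PRIORITY_TAG_VID:
        return native_vid
    return fields["vid"]


def strip_tag(frame):
    """What an access port or a native-VLAN egress transmits: the frame with its tag removed."""
    fields = parse_frame(frame)
    if not fields["tagged"]:
        return frame
    return frame[:12] + frame[16:]   # drop TPID + TCI, keep the original EtherType


if __name__ == "__main__":
    # Constructed sample addresses and a one-byte stand-in payload.
    dst = bytes.fromhex("ffffffffffff")
    src = bytes.fromhex("001122334455")
    tagged = build_tagged_frame(dst, src, vid=2, pcp=5, payload=b"\x45")
    print(tagged.hex())
    print(parse_frame(tagged))
    print("assigned VLAN:", classify_vlan(tagged))
    print("native-VLAN copy:", strip_tag(tagged).hex())
```

The parser checks the length before reading the tag, so a frame that ends inside the tag is rejected rather than misread; `classify_vlan` is the place to see why the text insists that the native VLAN match on both ends of a trunk, since an untagged frame is assigned purely by the receiving port's native VID.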
Understanding VLAN Trunking Protocol
VLAN Trunking Protocol (VTP) is a Layer 2 messaging protocol that maintains VLAN configuration consistency by managing the additions, deletions, and name changes of VLANs across networks. VTP minimizes misconfigurations and configuration inconsistencies that can cause problems, such as duplicate VLAN names or incorrect VLAN-type specifications. Figure 2-11 shows how you can use VTP to manage VLANs between switches.
Figure 2-11 VTP
A VTP domain is one switch or several interconnected switches sharing the same VTP environment. You can configure a switch to be in only one VTP domain.
By default, a Cisco Catalyst switch is in the no-management-domain state until it receives an advertisement for a domain over a trunk link or until you configure a management domain. Configurations made to a VTP server are propagated across trunk links to all the connected switches in the network.
VTP Modes
VTP operates in one of three modes: server, transparent, or client. You can complete different tasks depending on the VTP operation mode. The characteristics of the three VTP modes are as follows:
- Server: The default VTP mode is server mode, but VLANs are not propagated over the network until a management domain name is specified or learned. When you change (create, modify, or delete) the VLAN configuration on a VTP server, the change is propagated to all switches in the VTP domain. VTP messages are transmitted out of all the trunk connections. A VTP server synchronizes its VLAN database file with other VTP servers and clients.
- Transparent: When you change the VLAN configuration in VTP transparent mode, the change affects only the local switch and does not propagate to other switches in the VTP domain. VTP transparent mode does forward VTP advertisements that it receives within the domain. A VTP transparent device does not synchronize its database with any other device.
- Client: You cannot change the VLAN configuration when in VTP client mode; however, a VTP client can send any VLANs currently listed in its database to other VTP switches. VTP advertisements are forwarded in VTP client mode. A VTP client synchronizes its database with other VTP servers and clients.
VTP clients that run Cisco Catalyst operating systems do not save the VLANs to NVRAM. When the switch is reloaded, the VLANs are not retained, and the revision number is zero. However, Cisco IOS VTP clients save VLANs to the vlan.dat file in flash memory, retaining the VLAN table and revision number.
CAUTION The erase startup-config command does not affect the vlan.dat file on Cisco IOS switches. VTP clients with a higher configuration revision number can overwrite VLANs on a VTP server in the same VTP domain. Delete the vlan.dat file and reload the switch to clear the VTP and VLAN information. See documentation for your specific switch model to determine how to delete the vlan.dat file.
VTP Operation
VTP advertisements are flooded throughout the management domain. VTP advertisements are sent every 5 minutes or whenever VLAN configurations change. Advertisements are transmitted over the default VLAN (VLAN 1) using a multicast frame. A configuration revision number is included in each VTP advertisement. A higher configuration revision number indicates that the VLAN information being advertised is more current than the stored information. Figure 2-12 illustrates this operation.
Figure 2-12 VTP Operation
One of the most critical components of VTP is the configuration revision number. Each time a VTP server modifies its VLAN information, the VTP server increments the configuration revision number by one. The server then sends a VTP advertisement with the new configuration revision number. If the configuration revision number being advertised is higher than the number stored on the other switches in the VTP domain, the switches overwrite their VLAN configurations with the new information being advertised.
The configuration revision number in VTP transparent mode is always zero.
A device that receives VTP advertisements must check various parameters before incorporating the received VLAN information. First, the management domain name and password in the advertisement must match those configured in the local switch. Next, if the configuration revision number indicates that the message was created after the configuration currently in use, the switch incorporates the advertised VLAN information. To reset the configuration revision number on some Cisco Catalyst switches, you can change the VTP domain to another name and then change it back. You can also change the VTP mode to transparent and then change it back to client or server.
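The acceptance checks just described, together with the CAUTION in the VTP Modes section (a client carrying a higher configuration revision number overwrites a server's VLAN database), can be simulated. The following Python model is an added example, not code from the book or from Cisco: each switch applies the domain-name check, the password check, and the revision comparison in that order, transparent switches never synchronize and keep revision 0, and a mode change to transparent and back zeroes the revision, which is the reset the text recommends. The password is simplified to a shared string where real VTP carries an MD5 digest; the switch names, the password, the VLAN ids and the revision values are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class VtpAdvertisement:
    """Summary advertisement, reduced to the fields the acceptance checks look at."""
    domain: str
    password: Optional[str]   # real VTP carries an MD5 digest derived from the password; simplified
    revision: int
    vlans: Dict[int, str]


@dataclass
class Switch:
    name: str
    mode: str = "server"                    # server | client | transparent
    domain: Optional[str] = None            # None models the no-management-domain state
    password: Optional[str] = None
    revision: int = 0
    vlans: Dict[int, str] = field(default_factory=lambda: {1: "default"})

    def set_mode(self, mode: str) -> None:
        """Change VTP mode; entering transparent mode zeroes the revision number."""
        if mode not in ("server", "client", "transparent"):
            raise ValueError(mode)
        self.mode = mode
        if mode == "transparent":
            self.revision = 0

    def advertise(self) -> VtpAdvertisement:
        """Clients and servers both send what is in their database."""
        return VtpAdvertisement(self.domain, self.password, self.revision, dict(self.vlans))

    def configure_vlan(self, vid: int, name: str) -> Optional[VtpAdvertisement]:
        """Add or rename a VLAN locally. Clients are refused; a server increments the
        revision and returns the advertisement it floods; transparent changes stay local."""
        if self.mode == "client":
            raise PermissionError(f"{self.name}: VLAN configuration not allowed in client mode")
        self.vlans[vid] = name
        if self.mode == "server":
            self.revision += 1
            return self.advertise()
        return None

    def receive(self, adv: VtpAdvertisement) -> bool:
        """Apply the checks from the text; return True if the local database was overwritten."""
        if self.mode == "transparent":
            return False                                   # forwarded, never synchronized
        if self.domain is None:
            self.domain = adv.domain                       # learn the domain over the trunk
        if adv.domain != self.domain or adv.password != self.password:
            return False
        if adv.revision <= self.revision:
            return False
        self.vlans = dict(adv.vlans)
        self.revision = adv.revision
        return True


def stale_client_scenario():
    """A client with a stale database but a higher revision overwrites the server."""
    server = Switch("Core", "server", "ICND", "s3cret")
    server.configure_vlan(10, "sales")
    server.configure_vlan(20, "engineering")               # server revision is now 2
    stale = Switch("Lab", "client", "ICND", "s3cret", revision=7, vlans={1: "default", 99: "lab"})
    before = dict(server.vlans)
    overwritten = server.receive(stale.advertise())
    return before, dict(server.vlans), overwritten


def reset_before_join_scenario():
    """Same stale client, but its revision is zeroed (transparent and back) before it joins."""
    stale = Switch("Lab", "client", "ICND", "s3cret", revision=7, vlans={1: "default", 99: "lab"})
    stale.set_mode("transparent")
    stale.set_mode("client")
    server = Switch("Core", "server", "ICND", "s3cret")
    server.configure_vlan(10, "sales")
    server.configure_vlan(20, "engineering")
    overwritten = server.receive(stale.advertise())
    return overwritten, server.revision, dict(server.vlans)


if __name__ == "__main__":
    print("stale client, no reset:", stale_client_scenario())
    print("stale client, reset first:", reset_before_join_scenario())
```

The first scenario ends with the server's VLANs 10 and 20 replaced by the stale client's VLAN 99, exactly the failure the CAUTION warns about; the second shows that zeroing the revision before connecting a switch makes its advertisement lose the comparison, so the server's database survives.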
VTP Pruning
VTP pruning uses VLAN advertisements to determine when a trunk connection is flooding traffic needlessly.
By default, a trunk connection carries traffic for all VLANs in the VTP management domain. In many enterprise networks, not every switch will have ports assigned to every VLAN.
Figure 2-13 shows a switched network with VTP pruning enabled. Only switches 2, 4, and 5 support ports configured in VLAN 3. Switch 5 does not forward the broadcast traffic from host X to switches 1 and 3 because traffic for VLAN 3 has been pruned on the links between switch 5 and switch 1 and switch 3, as indicated in the figure.
VTP pruning increases available bandwidth by restricting flooded traffic to those trunk links that the traffic must use to access the appropriate network devices.
You can enable pruning only on Cisco Catalyst switches that are configured for VTP servers, and not on clients.
Figure 2-13 VTP Pruning
Configuring VLANs and Trunks
By default, all the ports on a Catalyst switch are in VLAN 1. If you want to use VLANs and trunks, you need to configure them on the switches throughout the network. The steps you use to configure and verify VLANs on a switched network include the following:
- Determine whether to use VTP. If VTP will be used, enable VTP in server, client, or transparent mode.
- Enable trunking on the inter-switch connections.
- Create the VLANs on a VTP server and have those VLANs propagate to other switches.
- Assign switch ports to a VLAN using static or dynamic assignment.
- Save the VLAN configuration.
VTP Configuration
When creating VLANs, you must decide whether to use VTP in your network. With VTP, you can make configuration changes on one or more switches, and those changes are automatically communicated to all other switches in the same VTP domain. Default VTP configuration values depend on the switch model and the software version. The default values for Cisco Catalyst switches are as follows:
- VTP domain name: Null
- VTP mode: Server
- VTP password: None
- VTP pruning: Enabled/Disabled (OS version specific)
- VTP version: Version 1
The VTP domain name can be specified or learned. By default, the domain name is not set. You can set a password for the VTP management domain. However, if you do not assign the same password for each switch in the domain, VTP does not function properly.
VTP pruning eligibility is one VLAN parameter that the VTP protocol advertises. Enabling or disabling VTP pruning on a VTP server propagates the change throughout the management domain.
Use the vtp global configuration command to modify the VTP configuration, domain name, interface, and mode:
SwitchX# configure terminal
SwitchX(config)# vtp mode [ server | client | transparent ]
SwitchX(config)# vtp domain domain-name
SwitchX(config)# vtp password password
SwitchX(config)# vtp pruning
SwitchX(config)# end
Use the no form of this command to remove the filename or to return to the default settings. When the VTP mode is transparent, you can save the VTP configuration in the switch configuration file by entering the copy running-config startup-config privileged EXEC command.
Example: VTP Configuration
Example 2-1 demonstrates the commands that you would enter to configure VTP and display VTP status. The characteristics of the switch in this example are as follows:
- The switch is transparent in the VTP domain.
- The VTP domain name is ICND.
- Pruning is disabled.
- The configuration revision is 0.
Example 2-1 Configuring VTP and Displaying VTP Status
SwitchX(config)# vtp domain ICND
Changing VTP domain name to ICND
SwitchX(config)# vtp mode transparent
Setting device to VTP TRANSPARENT mode.
SwitchX(config)# end
SwitchX# show vtp status
VTP Version                     : 2
Configuration Revision          : 0
Maximum VLANs supported locally : 64
Number of existing VLANs        : 17
VTP Operating Mode              : Transparent
VTP Domain Name                 : ICND
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Disabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0x7D 0x6E 0x5E 0x3D 0xAF 0xA0 0x2F 0xAA
Configuration last modified by 10.1.1.4 at 3-3-93 20:08:05
SwitchX#
802.1Q Trunking Configuration
The 802.1Q protocol carries traffic for multiple VLANs over a single link on a multivendor network. 802.1Q trunks impose several limitations on the trunking strategy for a network. You should consider the following:
- Ensure that the native VLAN for an 802.1Q trunk is the same on both ends of the trunk link. If they are different, spanning-tree loops might result.
- Native VLAN frames are untagged.
Table 2-6 shows how 802.1Q trunking interacts with other switch features.
Table 2-6 Switch Feature Trunk Interaction
VLAN Port Assignment
Use the switchport mode interface configuration command to set a FastEthernet or Gigabit Ethernet port to trunk mode. Many Cisco Catalyst switches support the Dynamic Trunking Protocol (DTP), which manages automatic trunk negotiation. Four options for the switchport mode command are listed in Table 2-7.
Table 2-7 switchport mode Parameters
The switchport nonegotiate interface command specifies that DTP negotiation packets are not sent on the Layer 2 interface. The switch does not engage in DTP negotiation on this interface. This command is valid only when the interface switchport mode is access or trunk (configured by using the switchport mode access or the switchport mode trunk interface configuration command). This command returns an error if you attempt to execute it in dynamic (auto or desirable) mode. Use the no form of this command to return to the default setting. When you configure a port with the switchport nonegotiate command, the port trunks only if the other end of the link is specifically set to trunk. The switchport nonegotiate command does not form a trunk link with ports in either dynamic desirable or dynamic auto mode.
Table 2-8 shows the steps to configure a port as an 802.1Q trunk port, beginning in privileged EXEC mode.
Table 2-8 Configuring a Port as an 802.1Q Trunk Port
Some Cisco Catalyst switches support only 802.1Q encapsulation, which is configured automatically when trunking is enabled on the interface by using the switchport mode trunk command.
To verify a trunk configuration on many Cisco Catalyst switches, use the show interfaces interface switchport or the show interfaces interface trunk command to display the trunk parameters and VLAN information of the port, as demonstrated in Example 2-2.
Example 2-2 Verifying Trunk Configuration, Parameters, and Port VLAN Information
SwitchX# show interfaces fa0/11 switchport
Name: Fa0/11
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: down
Administrative Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
SwitchX# show interfaces fa0/11 trunk
Port        Mode         Encapsulation  Status        Native vlan
Fa0/11      desirable    802.1q         trunking      1

Port        Vlans allowed on trunk
Fa0/11      1-4094

Port        Vlans allowed and active in management domain
Fa0/11      1-13
VLAN Creation
Before you create VLANs, you must decide whether to use VTP to maintain global VLAN configuration information for your network.
The maximum number of VLANs is switch dependent. Many access layer Cisco Catalyst switches can support up to 250 user-defined VLANs.
Cisco Catalyst switches have a factory default configuration in which various default VLANs are preconfigured to support various media and protocol types. The default Ethernet VLAN is VLAN 1. Cisco Discovery Protocol and VTP advertisements are sent on VLAN 1.
For you to be able to communicate remotely with the Cisco Catalyst switch for management purposes, the switch must have an IP address. This IP address must be in the management VLAN, which by default is VLAN 1. If VTP is configured, before you can create a VLAN, the switch must be in VTP server mode or VTP transparent mode.
Table 2-9 lists the commands to use when adding a VLAN.
Table 2-9 Commands to Add VLANs
By default, a switch is in VTP server mode so that you can add, change, or delete VLANs. If the switch is set to VTP client mode, you cannot add, change, or delete VLANs. Use the vlan global configuration command to create a VLAN and enter VLAN configuration mode:
SwitchX# configure terminal
SwitchX(config)# vlan 2
SwitchX(config-vlan)# name switchlab99

Use the no form of this command to delete the VLAN.
To add a VLAN to the VLAN database, assign a number and name to the VLAN. VLAN 1 is the factory default VLAN. Normal-range VLANs are identified with a number between 1 and 1001. VLAN numbers 1002 through 1005 are reserved for Token Ring and FDDI VLANs. If the switch is in VTP server or VTP transparent mode, you can add, modify, or remove configurations for VLAN 2 to 1001 in the VLAN database. (VIDs 1 and 1002 to 1005 are automatically created and cannot be removed.)
Configurations for VIDs 1 to 1005 are written to the vlan.dat file (VLAN database). You can display the VLANs by entering the show vlan privileged EXEC command. The vlan.dat file is stored in flash memory.
To add an Ethernet VLAN, you must specify at least a VLAN number. If no name is entered for the VLAN, the default is to append the VLAN number to the word vlan. For example, VLAN0004 would be the default name for VLAN 4 if no name were specified.
After you configure the VLAN, you should validate the parameters for that VLAN. Use the show vlan id vlan_number or the show vlan name vlan-name command to display information about a particular VLAN, as demonstrated in Example 2-3.
Example 2-3 Displaying VLAN Information
SwitchX# show vlan id 2

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
2    switchlab99                      active    Fa0/2, Fa0/12

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
2    enet  100002     1500  -      -      -        -    -        0      0
. . .
SwitchX#
Use the show vlan brief command to display one line for each VLAN that displays the VLAN name, the status, and the switch ports.
Use the show vlan command to display information on all configured VLANs. The show vlan command displays the switch ports assigned to each VLAN. Other VLAN parameters that are displayed include the type (the default is Ethernet); the security association ID (SAID), used for the FDDI trunk; the maximum transmission unit (MTU) (the default is 1500 for Ethernet VLAN); the STP; and other parameters used for Token Ring or FDDI VLANs.
VLAN Port Assignment
After creating a VLAN, you can manually assign a port or a number of ports to that VLAN. A port can belong to only one VLAN at a time. When you assign a switch port to a VLAN using this method, it is known as a static-access port. On most Cisco Catalyst switches, you configure the VLAN port assignment from interface configuration mode using the switchport access command, as demonstrated in Example 2-4. Use the vlan vlan_number option to set static-access membership. Use the dynamic option to have the VLAN controlled and assigned by a VMPS.
Example 2-4 Configuring VLAN Port Assignment
SwitchX# configure terminal
SwitchX(config)# interface range fastethernet 0/2 - 4
SwitchX(config-if-range)# switchport access vlan 2
SwitchX(config-if-range)# end
SwitchX# show vlan

VLAN Name                             Status    Ports
---- -------------------------------- --------- ----------------------
1    default                          active    Fa0/1
2    switchlab99                      active    Fa0/2, Fa0/3, Fa0/4
Use the show vlan brief privileged EXEC command to display the VLAN assignment and membership type for all switch ports, as demonstrated in Example 2-5.
Example 2-5 Displaying VLAN Port Assignment and Membership Type
SwitchX# show vlan brief

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1
2    switchlab99                      active    Fa0/2, Fa0/3, Fa0/4
3    vlan3                            active
4    vlan4                            active
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default
Alternatively, use the show interfaces interface switchport privileged EXEC command to display the VLAN information for a particular interface, as demonstrated in Example 2-6.
Example 2-6 Displaying VLAN Information for a Specific Interface
SwitchX# show interfaces fa0/2 switchport
Name: Fa0/2
Switchport: Enabled
Administrative Mode: dynamic auto
Operational Mode: static access
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: native
Negotiation of Trunking: On
Access Mode VLAN: 2 (switchlab99)
Trunking Native Mode VLAN: 1 (default)
--- output omitted ---
Adds, Moves, and Changes for VLANs
As network topologies, business requirements, and individual assignments change, VLAN requirements also change. To add, change, or delete VLANs, the switch must be in VTP server or transparent mode. When you make VLAN changes from a switch that is in VTP server mode, the change is automatically propagated to other switches in the VTP domain. VLAN changes made from a switch in VTP transparent mode affect only the local switch; changes are not propagated to the domain.
Adding VLANs and Port Membership
After you create a new VLAN, be sure to make the necessary changes to the VLAN port assignments. Separate VLANs typically imply separate IP networks. Be sure to plan the new IP addressing scheme and its deployment to stations before moving users to the new VLAN. Separate VLANs also require inter-VLAN routing to permit users in the new VLAN to communicate with other VLANs. Inter-VLAN routing includes setting up the appropriate IP parameters and services, including default gateway and DHCP.
Changing VLANs and Port Membership
To modify VLAN attributes, such as VLAN name, use the vlan vlan-id global configuration command.
To move a port into a different VLAN, use the same commands that you used to make the original assignments. You do not need to first remove a port from a VLAN to make this change. After you reassign a port to a new VLAN, that port is automatically removed from its previous VLAN.
Deleting VLANs and Port Membership
When you delete a VLAN from a switch that is in VTP server mode, the VLAN is removed from all switches in the VTP domain. When you delete a VLAN from a switch that is in VTP transparent mode, the VLAN is deleted only on that specific switch. Use the global configuration command no vlan vlan-id to remove a VLAN.
NOTE Before deleting a VLAN, be sure to reassign all member ports to a different VLAN. Any ports that are not moved to an active VLAN are unable to communicate with other stations after you delete the VLAN.
To reassign a port to the default VLAN (VLAN 1), use the no switchport access vlan command in interface configuration mode.
More Resources