Implement VLANs

VLAN

Although switches do not propagate Layer 2 broadcasts between VLANs, VLANs can exist anywhere in the switch network. Because a VLAN is a single broadcast domain, campus design best practices recommend mapping a VLAN generally to one IP subnet. To communicate  between VLANs, packets need to pass through a router or Layer 3 device. Generally, a port carries traffic only for the single VLAN. For a VLAN to span multiple switches, switches use trunks. A trunk carries traffic for multiple VLANs by using Inter-Switch Link (ISL)
encapsulation or IEEE 802.1Q.

A VLAN in essentially a layer 2 broadcast domain. All devices in a VLAN are members of the same broadcast domain. If an end device transmits a Layer 2 broadcast, all other members of the VLAN receive the broadcast. When it comes to designing a campus network, you will use one of two models: end-to-end VLANs or local VLANs.

The term end-to-end VLAN refers to a single VLAN that is stretched throughout an enterprise network on multiple switches. A Layer 2 switched campus network carries traffic for this VLAN throughout the network.

An end-to-end VLAN model has the following;

  • Each VLAN is dispersed geographically throughout the network
  • Users are grouped into each VLAN regardless of the physical location
  • As a user moves throughout a campus, the VLAN membership of that user remains the same, regardless of the physical switch to which this user attaches.
  • Users are typically associated with a given VLAN for network management reasons.
  • All devices on a given VLAN typically have addresses on the same IP subnet.

In a local VLAN model, all users of a set of geographically common switches are grouped into a single VLAN. Local VLANs are generally confined to a wiring closet, that VLANs are local to one access switch and trunking to the distribution switch. If users move from one location to another in the campus, their connection changes to the new VLAN at the new physical location. In the local VLAN model, Layer 2 switching is implemented at the access level and routing is implemented at the distribution and core level.

The following are some local VLAN guidelines;

  • You should create local VLANs with physical boundaries in mind rather than the job functions of the users on the end devices
  • Generally, local VLANs exist between the access and distribution levels.
  • Traffic from a local VLAN is routed at the distribution and core levels to reach destinations on other networks.

In the past, network designers have attempted to implement the 80/20 rule when designing networks. The rule was based on the observation that, in general, 80 percent of the traffic on a network segment was passed between local devices, and only 20 percent of the traffic was destined for remote network segments. Therefore, network architecture used to prefer end-to-end VLANs. To avoid the complications of end-to-end VLANs, designers now consolidate servers in central locations on the network and provide access to external resources, such as the Internet, through one or two paths on the network because the bulk of traffic now traverses a number of segments. Therefore, the paradigm now is closer to a 20/80 proportion, in which the greater flow of traffic leaves the local segment, so local VLANs have become more efficient.

Best design practices for Layer 2 end-to-end VLAN mode;

  1. Understand the existing network flow. Know you VLAN numbers, names, purposes and associate VLAN to the IP mapping scheme.
  2. Determine the traffic flow across your network. This will help you to design which VLANs need to be presented on which switch across the network.
  3. VLANs are mostly assigned statically to a port. You must determine how you present unused ports on the switch ie; left to their default configuration, assigned to an unused VLAN for security purposes, or assigned to a default VLAN
  4. You will need to know where to place your trunks, what switches need to communicate these VLANs to each other across the network.

Switches support up to 4096 VLANs depending on the platform and software version.

VLAN Range Range Usage Propagated via VTP
0, 4095 Reserved For system use only. You cannot
see or use these VLANs.
1 Normal Cisco default. You can use this
VLAN but you cannot delete it
Yes
2 – 1001 Normal For Ethernet VLANs. You can
create, use and delete these
VLANs
Yes
1002 – 1005 Normal Cisco defaults for FDDI and
Token Ring. You cannot delete
VLANs 1002 – 1005.
Yes
1006 – 1024 Reserved For system use only. You cannot
see or use these VLANS.
1025 – 4095 Extended For Ethernet VLANs only Not supported in VTP
versions 1 and 2. The
switch must be in VTP
transparent mode to
configure extended range
VLANS. Only
supported in version 3.

Create a new VLAN configuration as follows,

Global configuration mode;

Switch(config)# vlan vlan-id

Switch(config-vlan)# name vlan-name

Vlan database mode;

Switch#vlan database

Switch(vlan)#vlan vlan-id name vlan-name

Apply the Vlan to the running configuration;

Switch(vlan)#exit {apply}

Assign a switch port to a previously created VLAN;

Switch(config-if)# switchport mode access

Or you could use the following command, This feature is a macro for enabling Spanning Tree PortFast and disabling EtherChanneling on a per-port basis.

Switch(config-if)# switchport host

Place the port in a particular VLAN;

Switch(config-if)# switchport access vlan vlan-id

The output form the show vlan command

Switch# show vlan id 3
VLAN Name Status Ports
—- ——————————– ——— ——————————-
3 VLAN0003 active
VLAN Type SAID MTU Parent RingNo BridgeNo Stp BrdgMode Trans1 Trans2
—- —– ———- —– —— —— ——– —- ——– —— ——
3 enet 100003 1500 – – – – – 0 0
——- ——— —————– ——————————————-
Show vlan Field Descriptions;

  • VLAN – VLAN number
  • Name – Name, if configured, of the VLAN
  • Status – Status of the VLAN (active or suspended)
  • Ports – Ports that belong to the VLAN
  • Type – Media type of the VLAN
  • SAID – Security association ID value for the VLAN
  • MTU – Maximum transmission unit size for the VLAN
  • Parent – Parent VLAN, if one exists
  • RingNo – Ring number for the VLAN, if applicable
  • BridgNo – Bridge number for the VLAN, if applicable
  • STP – Spanning Tree Protocol type used on the VLAN
  • BridgMode – Bridging mode for this VLAN
  • Trans1 – Translation bridge 1
  • Trans2 – Translation bridge 2
  • AREHops – Maximum number of hops for All-Routes Explorer frames
  • STEHops – Maximum number of hops for Spanning Tree Explorer frames

Another good command to give you lots of information about interface;

Switch# show interfaces FastEthernet 0/1 switchport
Name: Fa0/1
Switchport: Enabled
Administrative Mode: static access
Operational Mode: static access
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: native
Negotiation of Trunking: Off
Access Mode VLAN: 5 (VLAN0005)
Trunking Native Mode VLAN: 1 (default)
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk private VLANs: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL
Voice VLAN: none (Inactive)
Appliance trust: none

When troubleshooting Vlan issues they will always relate to one of the following, so by starting at these points could save you some time;

  • Physical connections – Check your CDP, if enabled; fix any cabling or duplex problems.
  • Switch configuration – Fix any problem with inconsistent config statements
  • VLAN configuration – Fix any Vlan miss configurations

Common Vlan issues;

Slow-throughput issues within the same VLAN. A point-to-point switch link consists of two ports where the problem may exist on either side of a link. Make sure the speed and duplex settings  are consistent on both link partners. Using show interface commands, check to see what types of errors exist on the suspected interfaces. Combinations of frame check sequence (FCS)  errors, alignment errors, and runts generally point to a duplex mismatch; auto-negotiation is the usual culprit, but it could also be a mismatched manual setting. If the number of collisions is increasing rapidly, under the show interface command, the problem might be an  oversubscribed half-duplex link, faulty hardware, a bad cable, or a duplex mismatch.