Scaling the Switch Block

First introduced in Chapter 1, 'The Campus Network,' switch blocks represent a switch or group of switches providing access to users. These switches then connect to distribution-layer switches, which in turn handle routing issues and VLAN distribution.

To understand how many VLANs can be configured in a switch block, you must understand the following factors:

  • Traffic patterns

  • Applications used

  • Network management

  • Group commonality

  • IP addressing scheme

Cisco recommends a one-to-one ratio between VLANs and subnets. For example, if you have 2000 users in a building, then you must understand how they are broken up by subnets to create your VLANs. If you had 1000 users in a subnet (which is ridiculous), you would create only 2 VLANs. If you had only 100 users in a subnet, you would create about 20 VLANs or more.

It is actually better to create your broadcast domain groups (VLANs) and then create a subnet mask that fits the need. That is not always possible, and you usually have to create VLANs around an already-configured network.
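The sizing rule above (one subnet per VLAN, with the subnet mask chosen to fit the broadcast-domain group rather than the other way round) is easy to get wrong by hand, because the network and broadcast addresses have to be left out of the host count. The following Python is an added example, not code from the study guide; the VLAN names, user counts and the 10.1.0.0/16 block are constructed sample data, and it goes slightly beyond the text by carving the subnets from one address block, largest group first, so that no group has to be split across two subnets.

```python
"""Carve one subnet per VLAN from an address block, sized to each VLAN's host count.

Added example (not from the study guide). It applies the one-VLAN-per-subnet
rule: decide the broadcast-domain groups first, then pick the smallest prefix
that fits each group. VLAN names and user counts below are constructed.
"""
import ipaddress
import math
from typing import Dict

# Constructed sample data: VLAN name -> hosts expected in that broadcast domain.
VLAN_GROUPS = {
    "sales": 100,
    "marketing": 60,
    "production": 400,
    "management": 10,
}


def prefix_for_hosts(hosts: int) -> int:
    """Smallest IPv4 prefix length whose usable host space fits `hosts`.

    Usable addresses in a /p are 2**(32-p) - 2 (network and broadcast excluded).
    Forgetting those two is the classic mistake that lands a 254-user group in
    a /24 with no address left for the gateway.
    """
    if hosts < 1:
        raise ValueError("a VLAN needs at least one host")
    host_bits = math.ceil(math.log2(hosts + 2))  # +2 for network and broadcast
    return 32 - host_bits


def plan_subnets(block: str, groups: Dict[str, int]) -> Dict[str, ipaddress.IPv4Network]:
    """Assign each VLAN group a subnet from `block`, largest groups first.

    Allocating largest-first keeps the free space usable for the smaller groups
    and avoids fragmentation that would otherwise force one group into two
    subnets, and therefore two VLANs.
    """
    free = [ipaddress.ip_network(block)]
    plan: Dict[str, ipaddress.IPv4Network] = {}
    for name, hosts in sorted(groups.items(), key=lambda kv: -kv[1]):
        prefix = prefix_for_hosts(hosts)
        # Take the first free chunk that is large enough, split it to the
        # required size, hand out the first piece and keep the rest free.
        for i, chunk in enumerate(free):
            if chunk.prefixlen <= prefix:
                pieces = list(chunk.subnets(new_prefix=prefix))
                plan[name] = pieces[0]
                free[i:i + 1] = pieces[1:]
                break
        else:
            raise ValueError(f"no room for {name} (/{prefix}) in {block}")
    return plan


if __name__ == "__main__":
    for vlan, net in plan_subnets("10.1.0.0/16", VLAN_GROUPS).items():
        print(f"{vlan:<12} {net}  ({net.num_addresses - 2} usable hosts)")
```

Running it prints one line per VLAN with its subnet and usable host count; changing a group's user count changes only that group's prefix, which is the point of choosing the VLANs before the masks.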

Note 

VLANs should not extend past the distribution switch on to the core.

Defining VLAN Boundaries

When building the switch block, you need to understand two basic methods for defining the VLAN boundaries:

  • End-to-end VLANs

  • Local VLANs

End-to-End VLANs

An end-to-end VLAN spans the switch fabric from end to end; every switch with ports configured in end-to-end VLANs is aware of all VLANs that may be configured on the network. End-to-end VLANs are configured to allow membership based on function, project, department, and so on.

The best feature of end-to-end VLANs is that users can be placed in a VLAN regardless of their physical location. The administrator defines the port the user is connected to as a VLAN member. If the user moves, the administrator defines their new port as a member of their existing VLAN. In accordance with the 80/20 rule, the goal of an administrator in defining end-to-end VLANs is to maintain 80 percent of the network traffic as local, or within the VLAN. Only 20 percent or less should extend outside the VLAN.

Local VLANs

Unlike an end-to-end VLAN, a local VLAN is configured by physical location and not by function, project, department, and so on. Local VLANs are used in corporations that have centralized server and mainframe blocks because end-to-end VLANs are difficult to maintain in this situation. In other words, when the 80/20 rule becomes the 20/80 rule, end-to-end VLANs are more difficult to maintain, so you will want to use a local VLAN.

In contrast to end-to-end VLANs, local VLANs are configured by geographic location; these locations can be a building or just a closet in a building, depending on switch size. Geographically configured VLANs are designed around the fact that the business or corporation is using centralized resources, such as a server farm. The users will spend most of their time utilizing these centralized resources and 20 percent or less on the local VLAN. From what you have read in this book so far, you must be thinking that 80 percent of the traffic is crossing a layer 3 device. That doesn't sound efficient, does it?

Because many modern applications are not very tolerant of delay (a bit like users), you must design a geographic VLAN with a fast layer 3 device (or devices) for interconnecting your VLANs and for general site-to-site connectivity. Fortunately, layer 3 devices themselves are becoming faster. The benefit of this design is that it gives users a predetermined, consistent path to resources. But you cannot create this design with a lower-end layer 3 model. In the past, these network types were only possible in large corporations with plenty of spending power, but as technology develops, the price is going down.

Assigning VLAN Memberships

After your VLANs are created, you need to assign switch ports to them. There are two types of VLAN port configurations: static and dynamic. A static VLAN requires less work initially but is more difficult for an administrator to maintain. A dynamic VLAN, on the other hand, takes more work up front but is easier to maintain.

Static VLANs

In a static VLAN, the administrator creates a VLAN and then assigns switch ports to it. The association does not change until the administrator changes the port assignment. This is the typical way of creating VLANs and it is the most secure. This type of VLAN configuration is easy to set up and monitor, working well in a network where the movement of users within the network is maintained by basically just locking the network closet doors. Using network management software to configure the ports can be helpful but is not mandatory.

Dynamic VLANs

If the administrator is willing to do a little more work up front and add all devices' hardware addresses to a database, hosts in an internetwork can be assigned to VLANs dynamically. By using intelligent management software, you can use hardware (MAC) addresses, protocols, or even applications to drive dynamic VLAN membership. A dynamic VLAN tells the switch port which VLAN it belongs to, based on the MAC address of the device that connects to the port.

For example, suppose MAC addresses have been entered into a centralized VLAN management application. If a node is then attached to an unassigned switch port, the VLAN management database can look up the hardware address and assign and configure the switch port to the correct VLAN. This can make management and configuration easier for the administrator. If a user moves, the switch automatically assigns them to the correct VLAN. However, more administration is needed initially to set up the database than to set up static VLANs, and additional administration is required for upkeep of the database.

Cisco administrators can use the VLAN Management Policy Server (VMPS) service to set up a database of MAC addresses that can be used for dynamic addressing of VLANs. VMPS is a MAC-address-to-VLAN mapping database.
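The MAC-address-to-VLAN lookup that the last three paragraphs describe is simple to show in code, and doing so makes two practical points visible: addresses must be normalised before they are used as lookup keys (the same station can be written 0012.3456.789a, 00:12:34:56:78:9A or 00-12-34-56-78-9a), and an address that is not in the database should leave the port unassigned rather than quietly dropping it into the default VLAN. The following Python is an added example; it is not Cisco's VMPS implementation, and the text database format it parses (an `address <mac> vlan-name <name>` line per host plus a `fallback` line) is a simplified format constructed for this example, not Cisco's file syntax. The sample database is constructed.

```python
"""Dynamic VLAN lookup against a MAC-to-VLAN database, in the spirit of what the
text describes for VMPS.

Added example: not from the study guide and not Cisco's VMPS code. The database
format is a simplified text format constructed here; its keywords are an
assumption, not Cisco's file syntax.
"""
import re
from typing import Dict, Optional, Tuple

# Constructed sample database. The three MAC notations are deliberate: they
# show why normalisation must happen before lookup.
SAMPLE_DB = """
! constructed MAC-to-VLAN database (example format, not Cisco's)
fallback none
address 0012.3456.789a vlan-name marketing
address 00:12:34:56:78:9B vlan-name production
address 00-12-34-56-78-9c vlan-name marketing
"""

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac: str) -> str:
    """Reduce any of the usual MAC notations to 12 lowercase hex digits.

    Keys must be canonical: a database that stores '0012.3456.789A' and is
    queried with '00:12:34:56:78:9a' will silently miss and fall back.
    """
    digits = re.sub(r"[.:\-]", "", mac.strip()).lower()
    if not _HEX12.match(digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def load_db(text: str) -> Tuple[Dict[str, str], Optional[str]]:
    """Parse the sample format into (mac -> VLAN name, fallback VLAN or None)."""
    table: Dict[str, str] = {}
    fallback: Optional[str] = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("!"):
            continue
        parts = line.split()
        if parts[0] == "fallback" and len(parts) == 2:
            fallback = None if parts[1] == "none" else parts[1]
        elif parts[0] == "address" and len(parts) == 4 and parts[2] == "vlan-name":
            table[normalize_mac(parts[1])] = parts[3]
        else:
            raise ValueError(f"unrecognised line: {line!r}")
    return table, fallback


def assign_vlan(mac: str, table: Dict[str, str], fallback: Optional[str]) -> Optional[str]:
    """Return the VLAN a port should join for `mac`, or None to leave it unassigned.

    An unknown hardware address gets the fallback VLAN only if one is
    configured; with 'fallback none' the port stays unassigned instead of
    landing in VLAN 1 with every other unconfigured port.
    """
    return table.get(normalize_mac(mac), fallback)


if __name__ == "__main__":
    table, fallback = load_db(SAMPLE_DB)
    for station in ("00:12:34:56:78:9A", "0012.3456.789b", "0000.0000.0001"):
        print(station, "->", assign_vlan(station, table, fallback))
```

Note what the lookup does and does not give you: it identifies the station by the source MAC address it presents, nothing more, which is why the text calls the static assignment the most secure option. Keeping `fallback none` means a port whose station is missing from the database reports an unassigned result that an administrator can investigate, rather than being silently placed.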

Configuring Static VLANs

For the Switching exam, Cisco is primarily interested in static VLAN configuration. We'll show you how to configure VLANs on a Catalyst 4000 switch and a range of Catalyst IOS-based switches.

It is important to understand the difference between the Catalyst 4000 series VLAN configuration and the IOS-based VLAN configuration.

Catalyst 4000 Series

To configure VLANs on a Catalyst 4000 switch, use the set vlan vlan# name vlan_name command. Then, after your VLANs are configured, assign the ports to each VLAN:

Terry_4000> (enable) set vlan 2 name Sales
Vlan 2 configuration successful

After the VLAN is configured, use the set vlan vlan# slot/ports command:

Terry_4000> (enable) set vlan 2 2/1-2
VLAN  Mod/Ports
----  -----------------------
2     1/1-2     2/1-2
Please configure additional information for VLAN 2.
Terry_4000> (enable)

The additional information the switch wants you to configure is the VLAN Trunk Protocol (VTP) information. (VTP and trunking are covered in more detail at the end of this chapter, where we will continue with the 4000 switch VLAN configuration.) The 4000 series switch enables you to configure as many ports as you wish to a VLAN at one time.

Catalyst 2950 and 3550 Series

To configure VLANs on an IOS-based switch, first you need to enter the VLAN database. This mode is entered by typing the command vlan database. This command changes the prompt, as can be seen from the example shown next. Once in this new privileged mode, use the vlan vlan# name vlan_name command. Note that you do not enter the standard configuration mode to enter this configuration.

Terry_2950#vlan database
Terry_2950(vlan)#vlan ?
  <1-1005> ISL VLAN index
Terry_2950(vlan)#vlan 2 ?
  are       Maximum number of All Route Explorer hops for this VLAN
  backupcrf Backup CRF mode of the VLAN
  bridge    Bridging characteristics of the VLAN
  media     Media type of the VLAN
  mtu       VLAN Maximum Transmission Unit
  name      Ascii name of the VLAN
  parent    ID number of the Parent VLAN of FDDI or Token Ring type VLANs
  ring      Ring number of FDDI or Token Ring type VLANs
  said      IEEE 802.10 SAID
  state     Operational state of the VLAN
  ste       Maximum number of Spanning Tree Explorer hops for this VLAN
  stp       Spanning tree characteristics of the VLAN
  tb-vlan1  ID number of the first translational VLAN for this VLAN (or zero if none)
  tb-vlan2  ID number of the second translational VLAN for this VLAN (or zero if none)
  <cr>
Terry_2950(vlan)#vlan 2 name ?
  WORD The ascii name for the VLAN
Terry_2950(vlan)#vlan 2 name marketing
VLAN 2 added:
  Name: marketing
Terry_2950(vlan)#vlan 3 name production
VLAN 3 added:
  Name: production
Terry_2950(vlan)#exit
APPLY completed.
Exiting....

Note 

Remember that a created VLAN is unused until it is mapped to a switch port or ports, and that all ports are always in VLAN 1 unless set otherwise.

After you create the VLANs that you want, you use the show vlan command to see the configured VLANs. However, notice that, by default, all ports on the switch are in VLAN 1. To change that, you need to go to each interface and tell it what VLAN to be a part of:

Terry_2950#show vlan
VLAN Name               Status    Ports
---- ------------------ --------- --------------------------------------
1    default            active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                  Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                  Fa0/9, Fa0/10, Fa0/11, Fa0/12
                                  Fa0/13, Fa0/14, Fa0/15, Fa0/16
                                  Fa0/17, Fa0/18, Fa0/19, Fa0/20
                                  Fa0/21, Fa0/22, Fa0/23, Fa0/24
2    marketing          active
3    production         active
1002 fddi-default       active
1003 token-ring-default active
1004 fddinet-default    active
1005 trnet-default      active

VLAN Type  SAID   MTU  Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ------ ---- ------ ------ -------- ---- -------- ------ ------
1    enet  100001 1500 -      -      -        -    -        0      0
2    enet  100002 1500 -      -      -        -    -        0      0
3    enet  100003 1500 -      -      -        -    -        0      0
1002 fddi  101002 1500 -      -      -        -    -        0      0
1003 tr    101003 1500 -      -      -        -    -        0      0

VLAN Type  SAID   MTU  Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ------ ---- ------ ------ -------- ---- -------- ------ ------
1004 fdnet 101004 1500 -      -      -        ieee -        0      0
1005 trnet 101005 1500 -      -      -        ibm  -        0      0

Remote SPAN VLANs
---------------------------------------------------------------------------

Primary Secondary Type              Ports
------- --------- ----------------- ---------------------------------------

Configuring the interfaces on the 2950 and 3550 is very different from the 4000. After the VLANs have been created, the interface needs to be made a member of the appropriate VLAN. The command switchport mode access tells the port that it will be a member of a single VLAN. It is told which VLAN it is a member of with the command switchport access vlan vlan#.

Terry_2950(config-if)#switchport ?
  access           Set access mode characteristics of the interface
  host             Set port host
  mode             Set trunking mode of the interface
  nonegotiate      Device will not engage in negotiation protocol on this
                   interface
  port-security    Security related command
  priority         Set appliance 802.1p priority
  protected        Configure an interface to be a protected port
  trunk            Set trunking characteristics of the interface
  voice            Voice appliance attributes
Terry_2950(config-if)#switchport access ?
  vlan Set VLAN when interface is in access mode
Terry_2950(config-if)#switchport mode access
Terry_2950(config-if)#^Z
Terry_2950#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Terry_2950(config)#int fa 0/2
Terry_2950(config-if)#switchport ?
  access           Set access mode characteristics of the interface
  host             Set port host
  mode             Set trunking mode of the interface
  nonegotiate      Device will not engage in negotiation protocol on this
                   interface
  port-security    Security related command
  priority         Set appliance 802.1p priority
  protected        Configure an interface to be a protected port
  trunk            Set trunking characteristics of the interface
  voice            Voice appliance attributes
Terry_2950(config-if)#switchport mode ?
  access  Set trunking mode to ACCESS unconditionally
  dynamic Set trunking mode to dynamically negotiate access or trunk mode
  trunk   Set trunking mode to TRUNK unconditionally
Terry_2950(config-if)#switchport mode access
Terry_2950(config-if)#switchport access ?
  vlan    Set VLAN when interface is in access mode
Terry_2950(config-if)#switchport access vlan 2
Terry_2950(config-if)#^Z

Now you need to confirm that the configuration has been accepted and the port-to-VLAN relationship established. You can use the show vlan command we used earlier, but the VLAN assignments also appear in the running configuration:

Terry_2950#show run
00:49:36: %SYS-5-CONFIG_I: Configured from console by consolesho run
Building configuration...

Current configuration : 1512 bytes
version 12.1
[output cut]
interface FastEthernet0/2
 switchport access vlan 2
 switchport mode access
 no ip address

Now, type show vlan to see the ports assigned to each VLAN:

Terry_2950#show vlan
VLAN Name               Status    Ports
---- ------------------ --------- --------------------------------------
1    default            active    Fa0/1, Fa0/3, Fa0/4, Fa0/5
                                  Fa0/6, Fa0/7, Fa0/8, Fa0/9
                                  Fa0/10, Fa0/11, Fa0/12, Fa0/13
                                  Fa0/14, Fa0/15, Fa0/16, Fa0/17
                                  Fa0/18, Fa0/19, Fa0/20, Fa0/21
                                  Fa0/22, Fa0/23, Fa0/24
2    marketing          active    Fa0/2
3    production         active
1002 fddi-default       active
1003 token-ring-default active
1004 fddinet-default    active
1005 trnet-default      active
[output truncated]
Terry_2950#
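Reading show vlan by eye works for one switch; across a switch block it is worth checking the output mechanically, both to catch ports still sitting in VLAN 1 (the note above: every port is in VLAN 1 unless set otherwise) and to compare the live port-to-VLAN mapping against the intended plan. The following Python is an added example, not part of the study guide: it parses the first table of show vlan output, lists the ports left in the default VLAN, and emits only the switchport mode access / switchport access vlan commands needed to bring a port into line with a desired mapping. The show vlan sample it parses is constructed to match the layout shown above, and the port plan is an assumption for illustration.

```python
"""Audit show vlan output: find ports left in VLAN 1 and compute the access-port
commands needed to match a desired port-to-VLAN plan.

Added example, not from the study guide. The sample output below is constructed
to follow the layout of the show vlan listings in the text.
"""
import re
from typing import Dict, List

# Constructed sample: a cut-down show vlan listing in the same layout as the text.
SAMPLE_SHOW_VLAN = """\
VLAN Name               Status    Ports
---- ------------------ --------- --------------------------------------
1    default            active    Fa0/1, Fa0/3, Fa0/4, Fa0/5
                                  Fa0/6, Fa0/7, Fa0/8
2    marketing          active    Fa0/2
3    production         active
1002 fddi-default       active
1003 token-ring-default active

VLAN Type  SAID   MTU  Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ------ ---- ------ ------ -------- ---- -------- ------ ------
1    enet  100001 1500 -      -      -        -    -        0      0
"""

_ROW = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s*(.*)$")


def _split_ports(field: str) -> List[str]:
    return [p.strip() for p in field.split(",") if p.strip()]


def parse_show_vlan(text: str) -> Dict[int, dict]:
    """Return {vlan_id: {"name", "status", "ports"}} from the first table.

    The first table ends at the blank line (or the 'VLAN Type' header);
    indented lines are continuation rows carrying more ports for the VLAN above.
    """
    vlans: Dict[int, dict] = {}
    current = None
    in_table = False
    for line in text.splitlines():
        if line.startswith("VLAN Name"):
            in_table = True
            continue
        if not in_table or line.startswith("----"):
            continue
        if not line.strip() or line.startswith("VLAN Type"):
            break
        if line[0].isspace():
            if current is not None:
                current["ports"].extend(_split_ports(line))
            continue
        m = _ROW.match(line)
        if not m:
            continue
        vid, name, status, ports = m.groups()
        current = {"name": name, "status": status, "ports": _split_ports(ports)}
        vlans[int(vid)] = current
    return vlans


def ports_in_default_vlan(vlans: Dict[int, dict]) -> List[str]:
    """Ports that nobody has assigned yet: they are all still in VLAN 1."""
    return list(vlans.get(1, {"ports": []})["ports"])


def remediation_config(vlans: Dict[int, dict], plan: Dict[str, int]) -> List[str]:
    """IOS interface commands for each port whose live VLAN differs from `plan`.

    Ports already in the desired VLAN produce nothing, so the output is only
    the drift between intent and the switch.
    """
    actual = {port: vid for vid, info in vlans.items() for port in info["ports"]}
    lines: List[str] = []
    for port, want in sorted(plan.items()):
        if actual.get(port) == want:
            continue
        lines += [f"interface {port}", " switchport mode access",
                  f" switchport access vlan {want}"]
    return lines


if __name__ == "__main__":
    live = parse_show_vlan(SAMPLE_SHOW_VLAN)
    print("still in VLAN 1:", ", ".join(ports_in_default_vlan(live)))
    # Assumed port plan for illustration: Fa0/2 in marketing, Fa0/3 in production.
    for cmd in remediation_config(live, {"Fa0/2": 2, "Fa0/3": 3}):
        print(cmd)
```

With the sample above, the VLAN 1 list is every port except Fa0/2, and the remediation output covers only Fa0/3, because Fa0/2 is already where the plan wants it. Feeding the real show vlan output of each switch in the block through the same functions turns the note about VLAN 1 into a check you can run after every change.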



CCNP: Building Cisco Multilayer Switched Networks Study Guide (642-811)
ISBN: 078214294X
Year: 2002
Pages: 174
Authors: Terry Jack