Scenario 2-3: Configuring VLANs


VLANs represent one of the most important and fundamental concepts of LAN switching, so it is important that you have a firm grasp of how to implement them. Before configuring VLANs, you need to plan exactly how many VLANs you are going to create, the parameters associated with each, and the switch ports that are going to be assigned to each VLAN. After the correct planning, you can then configure your VLAN requirements. The planning and configuration of VLANs can be split into the following tasks:

  • Determine VLANs required

  • Determine VLAN parameters

  • Determine VLAN port assignments

  • Configuring VLANs

Determine VLANs Required

Before you configure VLANs, you must determine how many VLANs you need for your network. The number of VLANs required is normally driven by high-level policy that requires VLANs to facilitate specific requirements of the policy. VLANs are the vessel for implementing high-level network policy; for example, a company may require separation of the sales, marketing, and engineering department information. Users from different departments may be co-located and connected to the same switching infrastructure, but their workstations should not be permitted to communicate directly across functional lines.

To extend this requirement to the LAN, VLANs can be created, one for each department. Users from the same department belong to the same VLAN, which allows Layer 2 communications within the same department. Users from different departments belong to different VLANs, which means inter-departmental communications must be sent via a Layer 3 router or firewall, which allows for policy to be applied at a single point in the network to control inter-departmental communications. Even if a user from sales is connected to port 1 on a switch (port 1 belongs to the sales VLAN) and a user from marketing is connected to port 2 on the same switch (port 2 belongs to the marketing VLAN), there is no way in which these two users can communicate unless the packets are sent to a router that connects to both VLANs. Figure 2-11 shows the concept of using VLANs to separate groups of users in a network.

Figure 2-11. LAN Topology with Multiple VLANs


The requirement for VLANs can also be driven by other reasons, such as ensuring the network can perform appropriately by addressing existing network performance problems. A common issue with large VLANs is broadcasts; many network protocols use broadcasts periodically to maintain certain functions of the protocol. When a broadcast is sent, all hosts on the network must process the broadcast, even if the information contained within bears no importance to the host. An excessive number of broadcasts can degrade PC performance by expending CPU resources.

Certain guidelines exist as to the maximum number of devices per VLAN that should be used based upon the Layer 3 protocol used. Table 2-4 shows the recommended maximum devices per VLAN for Layer 3 protocols.

Table 2-4. Maximum Devices per VLAN

 Layer 3 Protocol   Maximum Number of Devices
 ----------------   -------------------------
 IP                 500
 IPX                300
 AppleTalk          200
 NetBIOS            200
 Mixed              200


It is important to note that the numbers specified in Table 2-4 are guidelines only and were defined by Cisco several years ago. Today, CPUs are literally tens of times faster, and these limits may be extended. If you are looking to exceed the limits defined in Table 2-4, monitor the network regularly to ensure the network is performing appropriately. If you find that network performance is poor, consider splitting your network into more VLANs to reduce the number of broadcasts and increase network performance. As a rule of thumb, broadcast and multicast traffic should not account for more than 20 percent of the network utilization.

Once you have determined the list of VLANs required, you should also consider allocating a separate VLAN for device management purposes. This VLAN is commonly referred to as the management VLAN (as in network management, not workstations belonging to the corporate management of the company), and it is recommended that you keep all network management traffic separate from the data traffic by implementing this dedicated management VLAN. The most common VLAN used for management is VLAN 1. Separating management traffic from data traffic keeps network utilization to a minimum on the management VLAN, ensuring management communications are not affected by congestion or errors that may occur on the data VLAN.

Determine VLAN Parameters

Each VLAN has a list of parameters that you need to understand and configure to control the behavior of the VLAN. The following lists common Ethernet VLAN parameters supported on Cisco Catalyst switches:

  • ID: Numeric ID that uniquely identifies the VLAN to the switch. By default a single Ethernet VLAN exists (VLAN 1), and all ports on the switch belong to this VLAN.

  • Name: An alphanumeric string that describes the VLAN for human recognition purposes. For example, you might assign a name of marketing to a VLAN that connects marketing users.

  • Media Type: Describes the media type of the VLAN. These media include Ethernet (the default), Token Ring, and Fiber Distributed Data Interface (FDDI).

  • MTU: Describes the maximum transmission unit (MTU) in bytes that can be sent on the VLAN. The default MTU for Ethernet is 1500 bytes, meaning the largest frame sent on the VLAN contains 1500 bytes of data plus the Ethernet header.

  • State: Defines the current operational state of the VLAN. When the VLAN is functioning and forwarding traffic, the state is said to be active. You can also suspend a VLAN, in which case the VLAN does not forward any traffic.

For Ethernet VLANs, you normally will only configure VLAN ID and name, as the defaults for the remaining parameters typically never require modification.

Referring back to the topology of Figure 2-8, you can see that for this scenario you need to create three new VLANs (VLAN 1 already exists by default and cannot be deleted). Table 2-5 describes each VLAN that will exist in the topology of Figure 2-8.

Table 2-5. VLANs Used for Scenarios

 VLAN ID   Name          Description
 -------   -----------   -----------------
 1         VLAN0001      Default VLAN
 10        Engineering   Engineering users
 20        Sales         Sales users
 30        Marketing     Marketing users


Determine VLAN Port Assignments

Now that you have generated a list of VLANs, your final step is to determine which ports should be assigned to each VLAN.

You can configure two basic roles for a port on a Catalyst switch:

  • Access port: Belongs to a single VLAN and is designed to provide connectivity for an end device such as a server, PC, or printer.

  • Trunk port: Transports traffic from multiple VLANs over a single connection. This port is normally used for interconnecting switches and sometimes routers. Trunks allow VLANs to be distributed over multiple switches. Chapter 3 discusses trunk ports in detail.

This chapter discusses only access ports, which are easy to understand because the port belongs only to a single VLAN. You place end devices in the correct VLAN by assigning each access port to the correct VLAN. Obviously, you need to know the port that each user connects to so that you can place the user (port) in the appropriate VLAN. Table 2-6 shows the port assignments required for the topology of Figure 2-8.

Table 2-6. VLAN Port Assignments

 VLAN ID   VLAN Name     Port Assignment (Switch-A)   Interface Assignment (Switch-B)
 -------   -----------   --------------------------   -------------------------------
 1
 10        Engineering   2/1-2/16                     Fa0/1-Fa0/16
 20        Sales         2/17-2/32                    Fa0/17-Fa0/32
 30        Marketing     2/33-2/48                    Fa0/33-Fa0/48


Configuring VLANs

Once you have configured the appropriate VTP mode (server, transparent, or off), you can begin configuring VLANs. When you configure VLANs, you must first create a VLAN and then assign the applicable switch ports to the VLAN.

NOTE

You must create a VLAN first before assigning ports to the VLAN. You cannot create a VLAN and assign ports in the same configuration command.


Creating VLANs on CatOS

To create VLANs on CatOS, use the set vlan command as shown below:

 set vlan vlan-id [name name] [type type] [state {active | suspend}] 

When you create a VLAN, you must configure the vlan-id parameter, and you also normally configure a name that describes the VLAN. By default, the type parameter is set to ethernet (i.e., an Ethernet VLAN) and the state is set with active, meaning the VLAN is active (if this is set to suspend, the VLAN is not active but still exists).

Example 2-15 shows how to create each of the VLANs indicated in Figure 2-8 (see Table 2-5 also) on Switch-A.

Example 2-69. Creating VLANs on Switch-A

 Switch-A> (enable) set vlan 10 name Engineering
 Vlan 10 configuration successful
 Switch-A> (enable) set vlan 20 name Sales
 Vlan 20 configuration successful
 Switch-A> (enable) set vlan 30 name Marketing
 Vlan 30 configuration successful

After you have created your VLANs, you can then assign ports to the appropriate VLAN. Before you assign ports to a VLAN, you need to understand the default port mode on CatOS switches. By default, each port is configured in a dynamic auto mode, which means the port can negotiate to become a trunk port if the remote party connected to the port is configured appropriately (you learn about this in Chapter 3). If you wish to hard code a port to be only an access port (as is applicable for ports that are connected to end devices, such as workstations and printers), use the set trunk command to disable trunking altogether:

 set trunk mod/port off 

NOTE

You should always hard code all access ports because it reduces the amount of delay introduced by Dynamic Trunking Protocol (DTP) negotiation when a port is first initialized. DTP is used to negotiate whether or not a trunk will form and adds a small amount of delay before a port moves into a forwarding state.


To assign ports to the appropriate VLAN on CatOS, you use the following variation of the set vlan command:

 set vlan vlan-id mod/ports 

Example 2-16 shows how to hard code each port as an access port and then assign each of the ports to the appropriate VLANs as indicated in Figure 2-8 (see Table 2-6 also) on Switch-A.

Example 2-70. Configuring Access Ports and Assigning Ports to VLANs on Switch-A
 Switch-A> (enable) set trunk 2/1-48 off
 Port(s) 2/1-48 trunk mode set to off.
 Switch-A> (enable) set vlan 10 2/1-16
 VLAN 10 modified.
 VLAN 1 modified.
 VLAN  Mod/Ports
 ---- -----------------------
 10    2/1-16
 Switch-A> (enable) set vlan 20 2/17-32
 VLAN 20 modified.
 VLAN 1 modified.
 VLAN  Mod/Ports
 ---- -----------------------
 20    2/17-32
 Switch-A> (enable) set vlan 30 2/33-42,2/43-48
 VLAN 30 modified.
 VLAN 1 modified.
 VLAN  Mod/Ports
 ---- -----------------------
 30    2/33-48

The first command in Example 2-16 ensures that ports 2/1-48 are access ports, meaning that they can belong only to a single VLAN. Notice in Example 2-16 that CatOS permits you to specify ranges of ports, which means you can allocate multiple ports to a VLAN in a single command. You can also specify non-contiguous ports by using a comma to separate each port, and you can mix commas and hyphens, as demonstrated in the last set vlan command of Example 2-16. Notice also that each command output shows that VLAN 1 has been modified, which indicates the ports configured were previously in VLAN 1.

Once you have completed your VLAN configuration, you can use the show vlan command to verify the VLAN configuration, as shown in Example 2-17.

Example 2-71. Verifying VLAN Configuration on Switch-A

 Switch-A> (enable) show vlan
 VLAN Name                             Status    IfIndex Mod/Ports, Vlans
 ---- -------------------------------- --------- ------- ------------------------
 1    default                          active    4       1/1-2
 10   Engineering                      active    59      2/1-16
 20   Sales                            active    60      2/17-32
 30   Marketing                        active    61      2/33-48
 1002 fddi-default                     active    5
 1003 token-ring-default               active    8
 1004 fddinet-default                  active    6
 1005 trnet-default                    active    7
 ... (Output abbreviated) ...

Notice that the output indicates that each of the ports on the switch is assigned to the correct VLAN.

Creating VLANs on Cisco IOS

To create VLANs on Cisco IOS, you can use either VLAN configuration mode or global configuration mode. In older versions of Cisco IOS, you must use the following VLAN configuration command to create a VLAN:

 Switch(vlan)# vlan vlan-id [name name] [type type] [state {active | suspend}] 

Example 2-18 shows how to create each of the VLANs indicated in Figure 2-8 on Switch-B using VLAN configuration mode.

Example 2-72. Creating VLANs via VLAN Configuration Mode on Switch-B

 Switch-B# vlan database
 Switch-B(vlan)# vlan 10 name Engineering
 VLAN 10 added:
     Name: Engineering
 Switch-B(vlan)# vlan 20 name Sales
 VLAN 20 added:
     Name: Sales
 Switch-B(vlan)# vlan 30 name Marketing
 VLAN 30 added:
     Name: Marketing
 Switch-B(vlan)# exit
 APPLY completed.
 Exiting....

You must exit VLAN configuration mode, as shown in Example 2-18, for the new VLAN configuration to take effect.

In newer versions of Cisco IOS, you can also use global configuration mode to configure VLANs. When you use this method, each VLAN that you create has its own config-vlan configuration mode, as demonstrated in Example 2-19.

Example 2-73. Creating VLANs via Global Configuration Mode on Switch-B

 Switch-B# configure terminal
 Enter configuration commands, one per line.  End with CNTL/Z.
 Switch-B(config)# vlan 10
 Switch-B(config-vlan)# name Engineering
 Switch-B(config-vlan)# exit
 Switch-B(config)# vlan 20
 Switch-B(config-vlan)# name Sales
 Switch-B(config-vlan)# exit
 Switch-B(config)# vlan 30
 Switch-B(config-vlan)# name Marketing
 Switch-B(config-vlan)# exit

In Example 2-19, notice that you use the vlan vlan-id global configuration mode command to create/modify a VLAN, which then places you into config-vlan configuration mode for that VLAN. From here, you can configure the various VLAN parameters, and once you have completed this configuration, you must exit this mode for the changes to take effect. Once you exit, the configuration changes are written and applied to the VLAN database file.

You might be wondering whether or not the configuration of Example 2-19 is stored in the switch configuration file; the answer is yes, but only if the switch is configured in VTP transparent mode. When configured in transparent mode the switch saves global configuration mode VLAN configuration in the switch configuration file. When the switch boots, the VLAN database file is cleared; the VLAN configuration stored in the switch configuration file is read, which then populates the VLAN database. If you configure the VTP mode of the switch to server or client, the VLAN configuration is stored only in the VLAN database and is removed from the switch configuration file.

NOTE

If you configure a Cisco IOS switch using VLAN configuration mode (as shown in Example 2-18) or configure a Cisco IOS switch that is configured as a VTP server or VTP client in global configuration mode, ensure that you back up the VLAN.DAT file as well as the switch configuration file. If you do not back up the VLAN.DAT file and later have to restore the switch, you must recreate all VLANs, even if you have the original switch configuration file.


After you have created your VLANs, you can assign interfaces to the appropriate VLANs. Before you assign interfaces to a VLAN, you need to understand the default interface mode on Cisco IOS switches. By default, each interface is configured in a dynamic desirable mode, which is similar to CatOS in that an interface can negotiate to become a trunk port if the remote party connected to the interface is configured appropriately (you learn about this in Chapter 3). If you wish to hard code an interface to be only an access interface, use the switchport mode access command to disable trunking altogether and configure the interface as an access interface.

 Switch(config-if)# switchport mode access 

NOTE

By default, on native IOS Catalyst 6000/6500 switches each interface is configured as a routed interface (identical to an interface on a router) as opposed to a switch (Layer 2) interface. You must use the switchport interface configuration command to configure an interface to become a switch interface.


To assign interfaces to the appropriate VLAN on Cisco IOS, you use the following interface configuration mode on a per-interface basis:

 Switch(config-if)# switchport access vlan vlan-id 

Example 2-20 demonstrates configuring a couple of interfaces as access interfaces and then assigning the interfaces to VLAN 10 on Switch-B.

Example 2-74. Configuring Access Interfaces and Assigning Interfaces to VLANs on Switch-B

 Switch-B# configure terminal
 Enter configuration commands, one per line.  End with CNTL/Z.
 Switch-B(config)# interface fa0/1
 Switch-B(config-if)# switchport mode access
 Switch-B(config-if)# switchport access vlan 10
 Switch-B(config-if)# exit
 Switch-B(config)# interface fa0/2
 Switch-B(config-if)# switchport mode access
 Switch-B(config-if)# switchport access vlan 10
 Switch-B(config-if)# exit

If you use the method demonstrated in Example 2-20 to configure access interfaces and VLAN port assignments, you can see that you need to individually configure each interface, which clearly will take a lot longer than performing the equivalent configuration on a CatOS switch (see Example 2-16). Cisco has recognized the administrative overhead of this common task on Cisco IOS-based switches and has introduced a new global configuration command, interface range, that allows you to apply commands to a range or list of interfaces at the same time. This command is actually a macro, which means that when used, the macro invokes a series of commands. This process is transparent to the administrator. The configuration file contains no reference to the interface range macro; instead it displays each of the configuration commands invoked by the macro.

NOTE

You can configure any interface configuration command when using the interface range macro, as long as the command is applicable to each interface in the range specified.


When you use the interface range macro, you must adhere to strict syntax rules. The following shows these rules applied for defining a contiguous range of interfaces (interface fa0/1 through fa0/16):

 Switch(config)# interface range fa0/1 - 16 

When specifying a range, you must ensure that a space is present between the lower bound (fa0/1), the hyphen, and the upper bound (16). The lower bound must be the full module/interface designation (e.g., fa0/1) while the upper bound can be only an interface number (e.g., 16) and cannot be a full module/interface designation. Example 2-21 demonstrates the incorrect use of the interface range macro, where the upper bound of the range is configured as a full module/interface designation.

Example 2-75. Illegal Use of the Interface Range Macro

 Switch(config)# interface range fa0/1  fa0/16
                                        ^
 % Invalid input detected at '^' marker.

When you wish to specify a non-contiguous list of interfaces, you must use a comma to separate each interface, and you must use the full module/interface designation for each interface. The following shows an example of specifying interfaces fa0/1, fa0/3, fa0/7, and interfaces fa0/13 through fa0/20:

 Switch(config)# interface range fa0/1 , fa0/3 , fa0/7 , fa0/13 - 20 

Notice that a space is required between each interface and comma and that the full module/interface designation is required for each non-contiguous interface. If you include a range within the list, the upper bound of the range must specify the interface designation only (not the full module/interface designation).
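The spacing and bound rules above can be checked mechanically before a range is pasted into a switch. The following Python is an added example (it is not from the book, and it is not a Cisco tool) that validates an interface range argument against exactly those rules and expands it into the individual interfaces it covers; it goes one step beyond the text by also generating the access-port commands for a whole assignment table once every range has passed. The names expand_interface_range, is_valid_range, access_port_commands, RangeSyntaxError and SWITCH_B_ASSIGNMENTS are the example's own, and it assumes the two-part module/interface form (fa0/1) used throughout the scenario.

```python
import re

# Full module/interface designation such as "fa0/1" or "gi0/2".
# Assumption (this example's own): the two-part module/interface form used in the scenario.
_IFACE = re.compile(r"^([A-Za-z]+)(\d+)/(\d+)$")


class RangeSyntaxError(ValueError):
    """The argument breaks the interface range macro's syntax rules."""


def expand_interface_range(spec):
    """Validate an 'interface range' argument and expand it to a list of interfaces.

    Accepted forms, as the macro requires:
        "fa0/1 - 16"                           contiguous range, upper bound is a number only
        "fa0/1 , fa0/3 , fa0/7 , fa0/13 - 20"  list, full designation for every element
    Rejected with RangeSyntaxError: a full designation as the upper bound
    ("fa0/1 - fa0/16"), two designations with no hyphen ("fa0/1  fa0/16"), or a
    missing space around ',' or '-' ("fa0/1-16"), since the element then no longer
    looks like a full module/interface designation.
    """
    interfaces = []
    for item in spec.split(" , "):
        bounds = item.split(" - ")
        if len(bounds) > 2:
            raise RangeSyntaxError(f"more than one hyphen in {item!r}")
        match = _IFACE.match(bounds[0])
        if not match:
            raise RangeSyntaxError(
                f"{bounds[0]!r} is not a full module/interface designation "
                "(a missing space around ',' or '-' produces this too)")
        itype, module, low = match.group(1), match.group(2), int(match.group(3))
        high = low
        if len(bounds) == 2:
            if not bounds[1].isdigit():
                raise RangeSyntaxError(
                    f"upper bound {bounds[1]!r} must be an interface number only")
            high = int(bounds[1])
            if high < low:
                raise RangeSyntaxError(f"range {item!r} runs backwards")
        interfaces.extend(f"{itype}{module}/{n}" for n in range(low, high + 1))
    return interfaces


def is_valid_range(spec):
    """True when spec passes the macro's syntax rules, False otherwise."""
    try:
        expand_interface_range(spec)
    except RangeSyntaxError:
        return False
    return True


def access_port_commands(assignments):
    """Emit the interface range blocks for a {vlan_id: range_spec} table.

    Every range is validated before any command is generated, so a bad entry
    fails up front rather than half-way through applying the configuration.
    """
    lines = []
    for vlan_id, spec in assignments.items():
        expand_interface_range(spec)
        lines += [f"interface range {spec}",
                  " switchport mode access",
                  f" switchport access vlan {vlan_id}",
                  " exit"]
    return lines


# Switch-B assignments from Table 2-6, written in the macro's syntax.
SWITCH_B_ASSIGNMENTS = {10: "fa0/1 - 16", 20: "fa0/17 - 32", 30: "fa0/33 , fa0/34 - 48"}

if __name__ == "__main__":
    print("\n".join(access_port_commands(SWITCH_B_ASSIGNMENTS)))
```

Running the script prints the three interface range blocks for Switch-B; feeding it the illegal form from the example above raises RangeSyntaxError instead, which is the same failure the switch reports with its caret marker.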

Example 2-22 demonstrates the use of the interface range macro to assign each of the interfaces on Switch-B to the appropriate VLANs, as indicated in Table 2-6.

Example 2-76. Using the Interface Range Macro

 Switch-B# configure terminal
 Enter configuration commands, one per line.  End with CNTL/Z.
 Switch-B(config)# interface range fa0/1 - 16
 Switch-B(config-if-range)# switchport mode access
 Switch-B(config-if-range)# switchport access vlan 10
 Switch-B(config-if-range)# exit
 Switch-B(config)# interface range fa0/17 - 32
 Switch-B(config-if-range)# switchport mode access
 Switch-B(config-if-range)# switchport access vlan 20
 Switch-B(config-if-range)# exit
 Switch-B(config)# interface range fa0/33 , fa0/34 - 48
 Switch-B(config-if-range)# switchport mode access
 Switch-B(config-if-range)# switchport access vlan 30
 Switch-B(config-if-range)# exit

The third interface range command in Example 2-22 (fa0/33 , fa0/34 - 48) demonstrates combining a list and a range of interfaces.

Once you have completed your VLAN configuration, you can use the show vlan command to verify the VLAN configuration, as shown in Example 2-23.

Example 2-77. Verifying VLAN Configuration on Switch-B

 Switch-B# show vlan
 VLAN Name                             Status    Ports
 ---- -------------------------------- --------- -------------------------------
 1    default                          active    Gi0/1, Gi0/2
 10   Engineering                      active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                 Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                 Fa0/9, Fa0/10, Fa0/11, Fa0/12
                                                 Fa0/13, Fa0/14, Fa0/15, Fa0/16
 20   Sales                            active    Fa0/17, Fa0/18, Fa0/19, Fa0/20
                                                 Fa0/21, Fa0/22, Fa0/23, Fa0/24
                                                 Fa0/25, Fa0/26, Fa0/27, Fa0/28
                                                 Fa0/29, Fa0/30, Fa0/31, Fa0/32
 30   Marketing                        active    Fa0/33, Fa0/34, Fa0/35, Fa0/36
                                                 Fa0/37, Fa0/38, Fa0/39, Fa0/40
                                                 Fa0/41, Fa0/42, Fa0/43, Fa0/44
                                                 Fa0/45, Fa0/46, Fa0/47, Fa0/48
 1002 fddi-default                     active
 1003 token-ring-default               active
 1004 fddinet-default                  active
 1005 trnet-default                    active
 ... (Output abbreviated) ...

Removing VLANs

Sometimes you need to remove VLANs, and it is important that you understand how to do this and the implications of removing a VLAN.

When you remove a VLAN, you must understand that any ports assigned to that VLAN are placed into an inactive state because they still belong to the removed VLAN. Each port is effectively orphaned, and you need to reassign the ports to active VLANs to re-enable them. If you recreate the VLAN, any ports still configured to belong to the removed VLAN are automatically joined to the new VLAN once again.

To remove a VLAN completely on CatOS, use the clear vlan command, as demonstrated in Example 2-24.

Example 2-78. Removing a VLAN on CatOS

 Switch-A> (enable) clear vlan 30
 This command will deactivate all ports on vlan(s) 30
 Do you want to continue(y/n) [n]?y
 Vlan 30 deleted

Notice that you are warned that all ports on VLAN 30 will be deactivated by removing VLAN 30. If you issue a show vlan command, you will notice that all ports previously assigned to VLAN 30 have disappeared, as shown in Example 2-25.

Example 2-79. Displaying VLAN Configuration after Removing a VLAN on CatOS

 Switch-A> (enable) show vlan
 VLAN Name                             Status    IfIndex Mod/Ports, Vlans
 ---- -------------------------------- --------- ------- ------------------------
 1    default                          active    4       1/1-2
 10   Engineering                      active    59      2/1-16
 20   Sales                            active    60      2/17-32
 1002 fddi-default                     active    5
 1003 token-ring-default               active    8
 1004 fddinet-default                  active    6
 1005 trnet-default                    active    7
 ... (Output abbreviated)

Notice that VLAN 30 has disappeared from the VLAN database and that the ports previously assigned to that VLAN (ports 2/33-48) no longer appear.

To remove a VLAN completely on Cisco IOS, use the no vlan vlan-id command in either VLAN configuration mode or global configuration mode, as demonstrated in Example 2-26.

Example 2-80. Removing a VLAN on Cisco IOS

 Switch-B# vlan database
 Switch-B(vlan)# no vlan 20
 Deleting VLAN 20...
 Switch-B(vlan)# exit
 APPLY completed.
 Exiting....
 Switch-B# configure terminal
 Enter configuration commands, one per line.  End with CNTL/Z.
 Switch-B(config)# no vlan 30
 Switch-B(config)# end

In Example 2-26, VLAN 20 is deleted using the older VLAN configuration method, while VLAN 30 is deleted using the global configuration method. Just as for CatOS switches, any ports assigned to removed VLANs are placed into an inactive state and must be assigned to a new VLAN if they are to be used.
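Both uses of show vlan in this scenario, verifying that every access port landed in its intended VLAN and spotting the ports that vanish from the listing when a VLAN is removed, can be automated against the intended assignments in Table 2-6. The following Python is an added example, not from the book: it parses the port column of Cisco IOS show vlan output, including the wrapped continuation lines, and reports every port that is not where the table says it should be. The sample output is constructed (it is not a listing from the book): it copies the layout of the Switch-B verification above but leaves Fa0/16 in VLAN 1 and has VLAN 30 removed, so the audit reports one misassigned port and sixteen orphaned ports that no longer appear under any VLAN. parse_show_vlan, audit_port_assignments, SAMPLE_SHOW_VLAN and EXPECTED are the example's own names.

```python
import re

# Constructed sample of Cisco IOS "show vlan" output for Switch-B (not the book's own
# listing). It follows the layout of the verification example but contains two
# deliberate faults: Fa0/16 was never moved out of VLAN 1, and VLAN 30 has been removed,
# so the ports that belonged to it (Fa0/33-48) no longer appear under any VLAN.
SAMPLE_SHOW_VLAN = """\
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi0/1, Gi0/2, Fa0/16
10   Engineering                      active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                Fa0/9, Fa0/10, Fa0/11, Fa0/12
                                                Fa0/13, Fa0/14, Fa0/15
20   Sales                            active    Fa0/17, Fa0/18, Fa0/19, Fa0/20
                                                Fa0/21, Fa0/22, Fa0/23, Fa0/24
                                                Fa0/25, Fa0/26, Fa0/27, Fa0/28
                                                Fa0/29, Fa0/30, Fa0/31, Fa0/32
1002 fddi-default                     active
1003 token-ring-default               active
1004 fddinet-default                  active
1005 trnet-default                    active
... (Output abbreviated) ...
"""

# Intended access-port membership for Switch-B, taken from Table 2-6.
EXPECTED = {}
for _n in range(1, 17):
    EXPECTED[f"Fa0/{_n}"] = 10
for _n in range(17, 33):
    EXPECTED[f"Fa0/{_n}"] = 20
for _n in range(33, 49):
    EXPECTED[f"Fa0/{_n}"] = 30

# A VLAN row: id, name, status, then an optional first chunk of the port list.
_ROW = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s*(.*)$")


def _split_ports(chunk):
    return [p.strip() for p in chunk.split(",") if p.strip()]


def parse_show_vlan(text):
    """Parse IOS 'show vlan' into {vlan_id: {"name": ..., "status": ..., "ports": [...]}}.

    Long port lists wrap onto continuation lines that begin with whitespace; those
    are appended to the most recent VLAN row. Header, separator, blank and '...'
    lines are skipped.
    """
    vlans = {}
    current = None
    for line in text.splitlines():
        if not line.strip() or line.startswith(("VLAN", "----", "...")):
            continue
        if line[0].isspace():
            if current is not None:
                vlans[current]["ports"].extend(_split_ports(line))
            continue
        match = _ROW.match(line)
        if not match:
            continue
        current = int(match.group(1))
        vlans[current] = {"name": match.group(2), "status": match.group(3),
                          "ports": _split_ports(match.group(4))}
    return vlans


def audit_port_assignments(show_vlan_text, expected):
    """Compare observed port membership against the intended table.

    Returns a list of (port, expected_vlan, observed_vlan), ordered by port number,
    for every port that is not where the table says it should be. observed_vlan is
    None when the port appears under no VLAN at all, which is what a removed VLAN
    does to the ports that were assigned to it.
    """
    observed = {}
    for vlan_id, row in parse_show_vlan(show_vlan_text).items():
        for port in row["ports"]:
            observed[port] = vlan_id
    findings = [(port, want, observed.get(port))
                for port, want in expected.items() if observed.get(port) != want]
    return sorted(findings, key=lambda f: int(f[0].split("/")[1]))


if __name__ == "__main__":
    for port, want, got in audit_port_assignments(SAMPLE_SHOW_VLAN, EXPECTED):
        state = f"in VLAN {got}" if got is not None else "orphaned (no VLAN)"
        print(f"{port}: expected VLAN {want}, {state}")
```

Run against the constructed sample, the audit lists Fa0/16 as still sitting in VLAN 1 (the management VLAN, which is exactly where a user port should not remain) and Fa0/33 through Fa0/48 as orphaned, which is the condition the text describes after a VLAN is removed and the ports have not been reassigned.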




CCNP(R) Practical Studies: Switching (CCNP Self-Study)
ISBN: 1587200600
Year: 2002
Pages: 135
Authors: Justin Menga