
Oct 26, 2013



Virtual LANs


An important feature of Ethernet switching is the virtual local area network (VLAN). A VLAN is a logical grouping of devices or users. These devices or users can be grouped by function, department, or application regardless of the physical LAN segment location. Devices on a VLAN are restricted to communicating only with devices that are on their own VLAN. Just as routers provide connectivity between different LAN segments, routers provide connectivity between different VLAN segments. Cisco is taking a positive approach toward vendor interoperability, but each vendor has developed its own proprietary VLAN product, and these products may not be entirely compatible.

VLANs increase overall network performance by logically grouping users and resources together. Businesses often use VLANs as a way of ensuring that a particular set of users is logically grouped regardless of physical location. Therefore, users in the Marketing department are placed in the Marketing VLAN, while users in the Engineering department are placed in the Engineering VLAN.

VLANs can enhance scalability, security, and network management. Routers in VLAN topologies
provide broadcast filtering, security, and traffic flow management.

VLANs are powerful tools for network administrators when properly designed and configured. VLANs simplify tasks when additions, moves, and changes to a network are necessary. VLANs improve network security and help control Layer 3 broadcasts. However, improperly configured VLANs can make a network function poorly or not function at all. Understanding how to implement VLANs on different switches is important when designing a network.

Students completing this module should be able to:

Define VLANs

List the benefits of VLANs

Explain how VLANs are used to create broadcast domains

Explain how routers are used for communication between VLANs

List the common VLAN types

Define ISL and 802.1Q

Explain the concept of geographic VLANs

Configure static VLANs on 29xx series Catalyst switches

Verify and save VLAN configurations

Delete VLANs from a switch configuration


VLAN Concepts


VLAN introduction

A VLAN is a group of network services not restricted to a physical segment or LAN switch.

VLANs logically segment switched networks based on the functions, project teams, or applications of the organization, regardless of the physical location or connections to the network. All workstations and servers used by a particular workgroup share the same VLAN, regardless of the physical connection or location.

Configuration or reconfiguration of VLANs is done through software. Physically connecting or moving cables and equipment is unnecessary when configuring VLANs.

A workstation in a VLAN group is restricted to communicating with file servers in the same VLAN group. VLANs function by logically segmenting the network into different broadcast domains so that packets are only switched between ports that are designated for the same VLAN. VLANs consist of hosts or networking equipment connected by a single bridging domain. The bridging domain is supported on different networking equipment. LAN switches operate bridging protocols with a separate bridge group for each VLAN.

VLANs are created to provide the segmentation services traditionally provided by physical routers in LAN configurations. VLANs address scalability, security, and network management. Routers in VLAN topologies provide broadcast filtering, security, and traffic flow management. Switches may not bridge any traffic between VLANs, as this would violate the integrity of the VLAN broadcast domain. Traffic should only be routed between VLANs.


Broadcast domains with VLANs and routers

A VLAN is a broadcast domain created by one or more switches. The network design in the figures requires three separate broadcast domains. One figure shows how three separate broadcast domains are created using three separate switches. Layer 3 routing allows the router to send packets to the three different broadcast domains.

In the next figure, a VLAN is created using one router and one switch. However, there are still three separate broadcast domains. In this scenario there is one router and one switch, but three separate broadcast domains are created. The router routes traffic between VLANs using Layer 3 routing.

The switch in the figure forwards frames to the router interfaces:

If it is a broadcast frame.

If it is in route to one of the MAC addresses on the router.

If Workstation 1 on the Engineering VLAN wants to send frames to Workstation 2 on the Sales VLAN, the frames are sent to the Fa0/0 MAC address of the router. Routing occurs through the IP address on the Fa0/0 router interface for the Engineering VLAN.

If Workstation 1 on the Engineering VLAN wants to send a frame to Workstation 2 on the same VLAN, the destination MAC address of the frame is the MAC address for Workstation 2.

Implementing VLANs on a switch causes the following to occur:

The switch maintains a separate bridging table for each VLAN.

If the frame comes in on a port in VLAN 1, the switch searches the bridging table for VLAN 1.

When the frame is received, the switch adds the source address to the bridging table if it is currently unknown.

The destination is checked so a forwarding decision can be made.

For learning and forwarding, the search is made against the address table for that VLAN.
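The per-VLAN learning and forwarding rules above, as an added Python example that is not part of the original module: a small model of a switch with one bridging table per VLAN, using constructed port assignments and MAC addresses. It shows that a MAC learned in one VLAN's table does not help forward a frame in another VLAN, and that broadcasts and unknown-unicast floods stay inside the ingress port's VLAN.

```python
from collections import defaultdict

BROADCAST = "ff:ff:ff:ff:ff:ff"


class VlanSwitch:
    """Toy model of a switch that keeps a separate bridging table per VLAN."""

    def __init__(self, port_vlans):
        # port name -> access VLAN of that port (constructed topology; VLAN 1 is the default)
        self.port_vlans = dict(port_vlans)
        # VLAN -> {source MAC: port it was learned on}; one table per VLAN, never shared
        self.tables = defaultdict(dict)

    def ports_in_vlan(self, vlan):
        """All ports that belong to one VLAN; broadcasts and floods never leave this set."""
        return sorted(p for p, v in self.port_vlans.items() if v == vlan)

    def receive(self, in_port, src, dst):
        """Learn src on in_port, then return the egress ports for a frame to dst.

        Only the table of the ingress port's VLAN is consulted, so a MAC that is
        known in another VLAN is still 'unknown' here and the frame stays in the VLAN."""
        vlan = self.port_vlans[in_port]
        table = self.tables[vlan]
        table[src] = in_port                     # learning (also relearns after a move)
        same_vlan = [p for p in self.ports_in_vlan(vlan) if p != in_port]
        if dst == BROADCAST:
            return same_vlan                     # broadcast: every VLAN port but the source
        out_port = table.get(dst)
        if out_port is None:
            return same_vlan                     # unknown unicast: flood within the VLAN only
        if out_port == in_port:
            return []                            # destination is on the source segment: filter
        return [out_port]                        # known unicast: forward to that port only


def demo():
    """Constructed scenario: Engineering is VLAN 10, Sales is VLAN 20."""
    sw = VlanSwitch({"fa0/1": 10, "fa0/2": 10, "fa0/3": 20, "fa0/4": 20})
    w1, w2, s1 = "00:00:00:00:00:01", "00:00:00:00:00:02", "00:00:00:00:00:03"
    results = {}
    results["w1_to_unknown_w2"] = sw.receive("fa0/1", w1, w2)     # flooded to fa0/2 only
    results["w2_reply"] = sw.receive("fa0/2", w2, w1)             # w1 is known now: fa0/1
    results["s1_broadcast"] = sw.receive("fa0/3", s1, BROADCAST)  # stays in VLAN 20: fa0/4
    results["w1_to_s1"] = sw.receive("fa0/1", w1, s1)             # s1 known only in VLAN 20
    results["tables"] = {v: dict(t) for v, t in sw.tables.items()}
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```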


VLAN operation

Each switch port could be assigned to a different VLAN. Ports assigned to the same VLAN share broadcasts. Ports that do not belong to that VLAN do not share these broadcasts. This improves the overall performance of the network.

Static membership VLANs are called port-based and port-centric membership VLANs. As a device enters the network, it automatically assumes the VLAN membership of the port to which it is attached.

Users attached to the same shared segment share the bandwidth of that segment. Each additional user attached to the shared medium means less bandwidth and deterioration of network performance. VLANs offer more bandwidth to users than a shared network.

The default VLAN for every port in the switch is the management VLAN. The management VLAN is always VLAN 1 and may not be deleted. All other ports on the switch may be reassigned to alternate VLANs.

Dynamic membership VLANs are created through network management software. CiscoWorks 2000 or CiscoWorks for Switched Internetworks is used to create dynamic VLANs. Dynamic VLANs allow for membership based on the MAC address of the device connected to the switch port. As a device enters the network, it queries a database within the switch for a VLAN membership.

In port-based or port-centric VLAN membership, the port is assigned to a specific VLAN membership independent of the user or system attached to the port. When using this membership method, all users of the same port must be in the same VLAN. A single user, or multiple users, can be attached to a port and never realize that a VLAN exists. This approach is easy to manage because no complex lookup tables are required for VLAN segmentation. Administrators are responsible for configuring VLANs both manually and statically.

Each interface on a switch behaves like a port on a bridge. Bridges filter traffic that does not need to go to segments other than the source segment. If a frame needs to cross the bridge, the bridge forwards the frame to the correct interface and to no others. If the bridge or switch does not know the destination, it floods the frame to all ports in the broadcast domain or VLAN, except the source port.


Benefits of VLANs

The key benefit of VLANs is that they permit the network administrator to organize the LAN logically instead of physically. This means that an administrator is able to do all of the following:

Easily move workstations on the LAN.

Easily add workstations to the LAN.

Easily change the LAN configuration.

Easily control network traffic.

Improve security.


VLAN types

There are three basic VLAN memberships for determining and controlling how a packet gets assigned:

Port-based VLANs

MAC address based VLANs

Protocol based VLANs

The frame headers are encapsulated or modified to reflect a VLAN ID before the frame is sent over
the link between switches. Before forwarding to the destination device, the frame header is changed
back to the original format.

The number of VLANs in a switch varies depending on several factors:

Traffic patterns

Types of applications

Network management needs

Group commonality

In addition, an important consideration in defining the size of the switch and the number of VLANs is the IP addressing scheme.

For example, a network using a 24-bit mask to define a subnet has a total of 254 host addresses allowed on one subnet. Given this criterion, a total of 254 host addresses are allowed in one subnet. Because a one-to-one correspondence between VLANs and IP subnets is strongly recommended, there can be no more than 254 devices in any one VLAN. It is further recommended that VLANs should not extend outside of the Layer 2 domain of the distribution switch.

There are two major methods of frame tagging, Inter-Switch Link (ISL) and 802.1Q. ISL used to be the most common, but is now being replaced by 802.1Q frame tagging.

LAN emulation (LANE) is a way to make an Asynchronous Transfer Mode (ATM) network simulate an Ethernet network. There is no tagging in LANE, but the virtual connection used implies a VLAN ID. As packets are received by the switch from any attached end-station device, a unique packet identifier is added within each header. This header information designates the VLAN membership of each packet. The packet is then forwarded to the appropriate switches or routers based on the VLAN identifier and MAC address. Upon reaching the destination node, the VLAN ID is removed from the packet by the adjacent switch and the packet is forwarded to the attached device. Frame tagging provides a mechanism for controlling the flow of broadcasts and applications while not interfering with the network and applications.
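802.1Q tagging as described above, as an added Python example that is not part of the original module: the tag is inserted after the source MAC before the frame crosses the trunk and stripped again before delivery to the end station. The frame contents are constructed sample values; the field layout (TPID 0x8100, 3-bit PCP, 12-bit VLAN ID) follows the IEEE 802.1Q standard.

```python
import struct

TPID_8021Q = 0x8100   # EtherType value that announces an 802.1Q tag


def parse_frame(frame):
    """Return the addresses, the 802.1Q tag (if any), the EtherType and the payload."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    info = {"dst": dst.hex(":"), "src": src.hex(":"), "vlan": None, "pcp": None}
    offset = 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("802.1Q tag is truncated")
        tci = struct.unpack("!H", frame[14:16])[0]        # Tag Control Information
        info["pcp"] = tci >> 13                            # 3-bit priority code point
        info["vlan"] = tci & 0x0FFF                        # 12-bit VLAN ID
        ethertype = struct.unpack("!H", frame[16:18])[0]  # original EtherType follows the tag
        offset = 18
    info["ethertype"] = ethertype
    info["payload"] = frame[offset:]
    return info


def tag_frame(frame, vlan_id, pcp=0):
    """Insert an 802.1Q tag after the source address, as a switch does before a trunk link."""
    if not 1 <= vlan_id <= 4094:       # 0 and 4095 are reserved by the standard
        raise ValueError("VLAN ID must be between 1 and 4094")
    if parse_frame(frame)["vlan"] is not None:
        raise ValueError("frame already carries an 802.1Q tag")
    tci = ((pcp & 0x7) << 13) | vlan_id
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def untag_frame(frame):
    """Strip the tag again, restoring the original format before delivery to the end station."""
    if parse_frame(frame)["vlan"] is None:
        return frame
    return frame[:12] + frame[16:]


def build_untagged_frame(dst, src, ethertype, payload):
    """Build a constructed test frame from colon-separated MAC strings."""
    def mac(text):
        return bytes.fromhex(text.replace(":", ""))
    return mac(dst) + mac(src) + struct.pack("!H", ethertype) + payload


if __name__ == "__main__":
    # constructed ARP broadcast from a made-up station, carried over a trunk in VLAN 300
    frame = build_untagged_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55", 0x0806, b"\x00" * 28)
    trunk_frame = tag_frame(frame, 300, pcp=5)
    print(parse_frame(trunk_frame))
    print("restored:", untag_frame(trunk_frame) == frame)
```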


VLAN Configuration


VLAN basics

In a switched environment, a station will see only traffic destined for it. The switch filters traffic in the network, allowing the workstation to have full, dedicated bandwidth for sending or receiving traffic. Unlike a shared-hub system, where only one station can transmit at a time, the switched network allows many concurrent transmissions within a broadcast domain. The switched network does this without directly affecting other stations inside or outside of the broadcast domain. Station pairs A/B, C/D, and E/F can all communicate without affecting the other station pairs.

Each VLAN must have a unique Layer 3 network address assigned. This enables routers to switch
packets between VLANs.

VLANs can exist either as end-to-end networks or they can exist inside of geographic boundaries.

An end-to-end VLAN network has the following characteristics:

Users are grouped into VLANs independent of physical location, but dependent on group or job function.

All users in a VLAN should have the same 80/20 traffic flow patterns.

As a user moves around the campus, VLAN membership for that user should not change.

Each VLAN has a common set of security requirements for all members.

Starting at the access layer, switch ports are provisioned for each user. Each color represents a subnet. Because people have moved around over time, each switch eventually becomes a member of all VLANs. Frame tagging is used to carry multiple VLAN information between the access layer wiring closets and the distribution layer switches.

ISL is a Cisco proprietary protocol that maintains VLAN information as traffic flows between switches and routers. IEEE 802.1Q is an open-standard (IEEE) VLAN tagging mechanism in switching installations. Catalyst 2950 switches do not support ISL trunking.

Workgroup servers operate in a client/server model. For this reason, attempts have been made to keep users in the same VLAN as their server to maximize the performance of Layer 2 switching and keep traffic localized.

In the figure, a core layer router is being used to route between subnets. The network is engineered, based on traffic flow patterns, to have 80 percent of the traffic contained within a VLAN. The remaining 20 percent crosses the router to the enterprise servers and to the Internet and WAN.


Geographic VLANs

End-to-end VLANs allow devices to be grouped based upon resource usage. This includes such parameters as server usage, project teams, and departments. The goal of end-to-end VLANs is to maintain 80 percent of the traffic on the local VLAN.

As many corporate networks have moved to centralize their resources, end-to-end VLANs have become more difficult to maintain. Users are required to use many different resources, many of which are no longer in their VLAN. Because of this shift in placement and usage of resources, VLANs are now more frequently being created around geographic boundaries rather than commonality boundaries.

This geographic location can be as large as an entire building or as small as a single switch inside a wiring closet. In a VLAN structure, it is typical to find the new 20/80 rule in effect: 80 percent of the traffic is remote to the user and 20 percent of the traffic is local to the user. Although this topology means that the user must cross a Layer 3 device in order to reach 80 percent of the resources, this design allows the network to provide for a deterministic, consistent method of accessing resources.


Configuring static VLANs

Static VLANs are ports on a switch that are manually assigned to a VLAN by using a VLAN management application or by working directly within the switch. These ports maintain their assigned VLAN configuration until they are changed manually. This topology means that the user must cross a Layer 3 device in order to reach 80 percent of the resources. This design also allows the network to provide for a deterministic, consistent method of accessing resources. This type of VLAN works well in networks where the following is true:

Moves are controlled and managed.

There is robust VLAN management software to configure the ports.

It is not desirable to assume the additional overhead required when maintaining end-station MAC addresses and custom filtering tables.

Dynamic VLANs do not rely on ports assigned to a specific VLAN.

The following guidelines must be followed when configuring VLANs on Cisco 29xx switches:

The maximum number of VLANs is switch dependent.

VLAN 1 is one of the factory-default VLANs.

VLAN 1 is the default Ethernet VLAN.

Cisco Discovery Protocol (CDP) and VLAN Trunking Protocol (VTP) advertisements are sent on VLAN 1.

The Catalyst 29xx IP address is in the VLAN 1 broadcast domain by default.

The switch must be in VTP server mode to create, add, or delete VLANs.

The creation of a VLAN on a switch is a very straightforward and simple task. If using a Cisco IOS command-based switch, enter the VLAN configuration mode with the privileged EXEC level vlan database command. The steps necessary to create the VLAN are shown below (vlan_number and vlan_name stand in for the values that are missing from this copy of the page). A VLAN name may also be configured, if necessary.

vlan database
vlan vlan_number name vlan_name
exit

Upon exiting, the VLAN is applied to the switch. The next step is to assign the VLAN to one or more interfaces:

interface fastethernet 0/9
switchport access vlan vlan_number



Verifying VLAN configuration

A good practice is to verify VLAN configuration by using the show vlan, show vlan brief, or show vlan id commands.

The following facts apply to VLANs:

A created VLAN remains unused until it is mapped to switch ports.

All Ethernet ports are on VLAN 1 by default.

Refer to the figure for a list of applicable commands. The figure shows the steps necessary to assign a new VLAN to a port on the Sydney switch. The figures list the output of the show vlan and show vlan brief commands.

Saving VLAN configuration

It is often useful to keep a copy of the VLAN configuration as a text file for backup or auditing purposes.

The switch configuration settings may be backed up in the usual way using the copy running-config command. Alternatively, the HyperTerminal capture text feature can be used to store the configuration settings.


Deleting VLANs

Removing a VLAN from a Cisco IOS command-based switch interface is just like removing a command from a router. In the figure, VLAN 300 was created on Fastethernet 0/9 using the interface configuration command switchport access vlan 300. To remove this VLAN from the interface, simply use the no form of the command.

When a VLAN is deleted, any ports assigned to that VLAN become inactive. The ports will, however, remain associated with the deleted VLAN until assigned to a new VLAN.


Troubleshooting VLANs



VLANs are now commonplace in campus networks. VLANs give network engineers flexibility in designing and implementing networks. VLANs also enable broadcast containment, security, and geographically disparate communities of interest. However, as with basic LAN switching, problems can occur when VLANs are implemented. This lesson will show some of the more common problems that can occur with VLANs, and it will provide several tools and techniques for troubleshooting them.

Students completing this lesson should be able to:

Utilize a systematic approach to VLAN troubleshooting

Demonstrate the steps for general troubleshooting in switched networks

Describe how spanning-tree problems can lead to broadcast storms

Use show and debug commands to troubleshoot VLANs


VLAN troubleshooting process

It is important to develop a systematic approach for troubleshooting switch-related problems. The following steps can assist in isolating a problem on a switched network:

Check the physical indications, such as LED status.

Start with a single configuration on a switch and work outward.

Check the Layer 1 link.

Check the Layer 2 link.

Troubleshoot VLANs that span several switches.

When troubleshooting, check to see if the problem is a recurring one rather than an isolated fault. Some recurring problems are due to growth in demand for services by workstation ports outpacing the configuration, trunking, or capacity to access server resources. For example, the use of Web technologies and traditional applications, such as file transfer and e-mail, is causing network traffic growth that enterprise networks must handle.

Many campus LANs face unpredictable network traffic patterns that result from the combination of intranet traffic, fewer centralized campus server locations, and the increasing use of multicast applications. The old 80/20 rule, which stated that only 20 percent of network traffic went over the backbone, is obsolete. Internal Web browsing now enables users to locate and access information anywhere on the corporate intranet. Traffic patterns are dictated by where the servers are located and not by the physical workgroup configurations with which they happen to be grouped.

If a network frequently experiences bottleneck symptoms, like excessive overflows, dropped frames, and retransmissions, there may be too many ports riding on a single trunk or too many requests for global resources and access to intranet servers.

Bottleneck symptoms may also occur because a majority of the traffic is being forced to traverse the backbone. Another cause may be that any-to-any access is common, as users draw upon corporate-based resources and multimedia applications. In this case, it may be necessary to consider increasing the network resources to meet the growing demand.


Preventing broadcast storms

A broadcast storm occurs when a large number of broadcast packets are received on a port. Forwarding these packets can cause the network to slow down or to time out. Storm control is configured for the switch as a whole, but operates on a per-port basis. Storm control is disabled by default.

Prevention of broadcast storms by setting threshold values high or low discards excessive broadcast, multicast, or unicast MAC traffic. In addition, configuration of values for rising thresholds on a switch will shut the port down.

STP problems include broadcast storms, loops, and dropped BPDUs and packets. The function of STP is to ensure that no logical loops occur in a network by designating a root bridge. The root bridge is the central point of a spanning-tree configuration that controls how the protocol operates.

The location of the root bridge in the extended router and switch network is necessary for effective troubleshooting. The show spanning-tree commands on both the router and the switch can display root information. Configuration of root bridge timers sets parameters for forwarding delay or maximum age for STP information. Manually configuring a device as a root bridge is another configuration option.

If the extended router and switch network encounters a period of instability, it helps to minimize the STP processes occurring between devices.

If it becomes necessary to reduce BPDU traffic, put the timers on the root bridge at their maximum values. Specifically, set the forward delay parameter to the maximum of 30 seconds, and set the maximum age parameter to the maximum of 40 seconds.

A physical port on a router or switch may be part of more than one spanning tree if it is a trunk.

VTP runs on Catalyst switches, not routers. It is advisable to configure a Catalyst switch neighboring a router to operate in VTP transparent mode until Cisco supports VTP on its routers.

The Spanning-Tree Protocol (STP) is considered one of the most important Layer 2 protocols on the Catalyst switches. By preventing logical loops in a bridged network, STP allows Layer 2 redundancy without generating broadcast storms.

Minimize spanning-tree problems by actively developing a baseline study of the network.


Troubleshooting VLANs



Show commands can be extremely useful when troubleshooting VLANs. The figure illustrates the most common problems found when troubleshooting VLANs.

To troubleshoot the operation of Fast Ethernet router connections to switches, it is necessary to make sure that the router interface configuration is complete and correct. Verify that an IP address is not configured on the Fast Ethernet interface. IP addresses are configured on each subinterface of a VLAN connection. Verify that the duplex configuration on the router matches that on the appropriate port/interface on the switch.

The show vlan command displays the VLAN information on the switch. The figure displays the output from the show vlan command. The display shows the VLAN ID, name, status, and assigned ports. The CatOS show vlan keyword options and keyword syntax descriptions of each field are also shown.

On the router, the show vlan command displays VLAN information, and show vlan followed by the VLAN number displays specific information about that VLAN on the router. Output from the command includes the VLAN ID, router subinterface, and protocol information.

The show spanning-tree command displays the spanning-tree topology known to the router. This command will show the STP settings used by the router for a spanning-tree bridge in the router and switch network.

The first part of the show spanning-tree output lists global spanning-tree configuration parameters, followed by those that are specific to given interfaces.

Bridge Group 1 is executing the IEEE compatible Spanning Tree Protocol.

The following lines of output show the current operating parameters of the spanning tree:

Bridge Identifier has priority 32768, address 0008.e32e.e600

Configured hello time 2, Max age 20, forward delay 15

The following line of output shows that the router is the root of the spanning tree:

We are the root of the spanning tree.

Key information from the show spanning-tree command creates a map of the STP network.

The debug sw-vlan packets command displays general information about VLAN packets received but not configured to support the router. VLAN packets that the router is configured to route or switch are counted and indicated when using the show sw-vlan command.


VLAN troubleshooting scenarios

Proficiency at troubleshooting switched networks will be achieved after the techniques are learned and are adapted to the company needs. Experience is the best way of improving troubleshooting skills.

Three practical VLAN troubleshooting scenarios referring to the most common problems will be described. Each of these scenarios contains an analysis of the problem through to solving the problem. Using appropriate specific commands and gathering meaningful information from the outputs, the progression of the troubleshooting process can be completed.

Scenario 1:

A trunk link cannot be established between a switch and a router.

When having difficulty with a trunk connection between a switch and a router, be sure to consider the following possible causes:

Make sure that the port is connected and not receiving any physical layer, alignment, or frame check sequence (FCS) errors. This can be done with the show interface command on the switch.

Verify that the duplex and speed are set properly between the switch and the router. This can be done with the show int status command on the switch or the show interface command on the router.

Configure the physical router interface with one subinterface for each VLAN that will route traffic. Verify this with the show interface IOS command. Also, make sure that each subinterface on the router has the proper encapsulation type, VLAN number, IP address, and subnet mask configured. This can be done with the show interface and show running-config IOS commands.

Confirm that the router is running an IOS release that supports trunking. This can be verified with the show version command.

Scenario 2:

VTP is not correctly propagating VLAN configuration changes.

When VTP is not correctly affecting configuration updates on other switches in the VTP domain, consider the following possible causes:

Make sure the switches are connected through trunk links. VTP updates are exchanged only over trunk links. This can be verified with the show int status command.

Make sure the VTP domain name is the same on all switches that need to communicate with each other. VTP updates are exchanged only between switches in the same VTP domain. This scenario is one of the most common VTP problems. It can be verified with the show vtp status command on the participating switches.

Check the VTP mode of the switch. If the switch is in VTP transparent mode, it will not update its VLAN configuration dynamically. Only switches in VTP server or VTP client mode update their VLAN configuration based on VTP updates from other switches. Again, use the show vtp status command to verify this.

If using VTP passwords, the same password must be configured on all switches in the VTP domain. To clear an existing VTP password, use the no vtp password command in VLAN mode.
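Scenario 2's checklist, as an added Python example that is not part of the original module: given a constructed description of switches (VTP mode, domain name, password) and of trunk or access links, it reports for every switch which of the four causes above would keep a VLAN change made on the server from being applied there. Switch names and the topology are invented; transparent switches are treated as relaying advertisements they do not apply themselves.

```python
from collections import deque


def trunk_reachable(start, links):
    """Switches reachable from start over trunk links only (VTP travels only on trunks).

    Transparent switches still relay advertisements, so they are not excluded here."""
    adjacency = {}
    for a, b, kind in links:
        if kind == "trunk":
            adjacency.setdefault(a, set()).add(b)
            adjacency.setdefault(b, set()).add(a)
    seen, todo = {start}, deque([start])
    while todo:
        node = todo.popleft()
        for nxt in adjacency.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                todo.append(nxt)
    return seen


def vtp_propagation_issues(switches, links, server):
    """Explain, per switch, why a VLAN change made on `server` may not be applied there.

    switches: name -> {"mode": "server"|"client"|"transparent", "domain": str, "password": str|None}
    links: (switch_a, switch_b, "trunk"|"access") tuples
    Returns {switch: [reasons]}; an empty list means the change should propagate."""
    reference = switches[server]
    if reference["mode"] != "server":
        raise ValueError("VLANs can only be created on a switch in VTP server mode")
    reachable = trunk_reachable(server, links)
    report = {}
    for name, cfg in switches.items():
        if name == server:
            continue
        reasons = []
        if name not in reachable:
            reasons.append("no trunk path from the VTP server (updates only cross trunk links)")
        if cfg["domain"] != reference["domain"]:     # domain names are compared exactly
            reasons.append("VTP domain name differs from the server's (%r vs %r)"
                           % (cfg["domain"], reference["domain"]))
        if cfg["mode"] == "transparent":
            reasons.append("VTP transparent mode: advertisements are not applied locally")
        if cfg.get("password") != reference.get("password"):
            reasons.append("VTP password does not match the server's")
        report[name] = reasons
    return report


def example_topology():
    """Constructed five-switch domain with one distinct fault per client switch."""
    switches = {
        "SW1": {"mode": "server", "domain": "CAMPUS", "password": "s3cret"},
        "SW2": {"mode": "client", "domain": "campus", "password": "s3cret"},   # case differs
        "SW3": {"mode": "transparent", "domain": "CAMPUS", "password": "s3cret"},
        "SW4": {"mode": "client", "domain": "CAMPUS", "password": "s3cret"},   # access link
        "SW5": {"mode": "client", "domain": "CAMPUS", "password": None},       # no password
    }
    links = [("SW1", "SW2", "trunk"), ("SW2", "SW3", "trunk"),
             ("SW3", "SW5", "trunk"), ("SW1", "SW4", "access")]
    return switches, links


if __name__ == "__main__":
    switches, links = example_topology()
    for name, reasons in vtp_propagation_issues(switches, links, "SW1").items():
        print(name, reasons or "should receive the update")
```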

Scenario 3:

Dropped packets and loops.

Spanning-tree bridges use topology change notification Bridge Protocol Data Unit packets (BPDUs) to notify other bridges of a change in the spanning-tree topology of the network. The bridge with the lowest identifier in the network becomes the root. Bridges send these BPDUs any time a port makes a transition to or from a forwarding state, as long as there are other ports in the same bridge group. These BPDUs migrate toward the root bridge.

There can be only one root bridge per bridged network. An election process determines the root bridge. The root determines values for configuration messages, in the BPDUs, and then sets the timers for the other bridges. Other designated bridges determine the shortest path to the root bridge and are responsible for advertising BPDUs to other bridges through designated ports. A bridge should have ports in the blocking state if there is a physical loop.

Problems can arise for internetworks in which both IEEE and DEC spanning-tree algorithms are used by bridging nodes. These problems are caused by differences in the way the bridging nodes handle spanning-tree BPDU packets, or hello packets, and in the way they handle data.

In this scenario, Switch A, Switch B, and Switch C are running the IEEE spanning-tree algorithm. Switch D is inadvertently configured to use the DEC spanning-tree algorithm.

Switch A claims to be the IEEE root and Switch D claims to be the DEC root. Switch B and Switch C propagate root information on all interfaces for IEEE spanning tree. However, Switch D drops IEEE spanning-tree information. Similarly, the other routers ignore Router D's claim to be root.

The result is that none of the bridges believe there is a loop, and when a broadcast packet is sent on the network, a broadcast storm results over the entire internetwork. This broadcast storm will reach Switches X and Y, and beyond.

To resolve this problem, reconfigure Switch D for IEEE. Although a configuration change is necessary, it might not be sufficient to reestablish connectivity. There will be a reconvergence delay as devices exchange BPDUs and recompute a spanning tree for the network.
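Scenario 3's mixed IEEE/DEC root election, as an added Python model that is not part of the original module: bridges exchange simplified BPDUs carrying the root they currently believe in, and a bridge drops BPDUs of the other flavor. With Switch D on DEC, A and D each end up believing they are root; reconfiguring D for IEEE yields a single root. Priorities and MAC addresses are constructed, and port blocking is not modelled, only the election.

```python
class Bridge:
    """A bridge/switch taking part in a spanning-tree root election."""

    def __init__(self, name, priority, mac, flavor="ieee"):
        self.name = name
        self.flavor = flavor                # "ieee" or "dec": BPDUs of the other kind are dropped
        self.bridge_id = (priority, mac)    # lowest (priority, MAC) wins the election
        self.root_id = self.bridge_id       # every bridge starts by claiming to be the root
        self.root_name = name


def run_election(bridges, links, max_rounds=64):
    """Exchange root claims until nothing changes; return {bridge: root it believes in}."""
    neighbours = {name: set() for name in bridges}
    for a, b in links:
        neighbours[a].add(b)
        neighbours[b].add(a)
    for _ in range(max_rounds):
        # every bridge advertises the best root it currently knows (a simplified BPDU)
        bpdus = {n: (b.flavor, b.root_id, b.root_name) for n, b in bridges.items()}
        changed = False
        for name, bridge in bridges.items():
            for peer in neighbours[name]:
                flavor, root_id, root_name = bpdus[peer]
                if flavor != bridge.flavor:
                    continue                # DEC and IEEE bridges ignore each other's BPDUs
                if root_id < bridge.root_id:
                    bridge.root_id, bridge.root_name = root_id, root_name
                    changed = True
        if not changed:
            break
    return {n: b.root_name for n, b in bridges.items()}


def scenario(d_flavor):
    """Switches A-D in a ring (a physical loop); the STP flavor of D is the parameter.

    Returns (who each bridge thinks is root, sorted set of distinct roots claimed)."""
    bridges = {
        "A": Bridge("A", 4096, "0000.0000.000a"),     # lowest priority: the intended root
        "B": Bridge("B", 32768, "0000.0000.000b"),
        "C": Bridge("C", 32768, "0000.0000.000c"),
        "D": Bridge("D", 32768, "0000.0000.000d", flavor=d_flavor),
    }
    links = [("A", "B"), ("B", "C"), ("C", "D"), ("D", "A")]
    view = run_election(bridges, links)
    return view, sorted(set(view.values()))


if __name__ == "__main__":
    print("D on DEC: ", scenario("dec"))    # two roots: A (IEEE) and D (DEC)
    print("D on IEEE:", scenario("ieee"))   # one root: A
```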


An understanding of the following key points should have been achieved:

ISL and 802.1Q trunking

Geographic VLANs

Configuring static VLANs on 29xx series Catalyst switches

Verifying and saving VLAN configurations

Deleting VLANs from a switch

Definition of VLANs

The benefits of VLANs

How VLANs are used to create broadcast domains

How routers are used for communication between VLANs

The common VLAN types

A systematic approach to VLAN troubleshooting

The steps for general troubleshooting in switched networks

How spanning-tree problems can lead to broadcast storms

The show and debug commands used to troubleshoot VLANs