VLANs
Virtual LAN (VLAN) Concepts
Using VLANs creates smaller broadcast domains. There are several reasons to do this:
- reduce CPU overhead on each device, because every host in a broadcast domain has to process every broadcast
- reduce security risk by applying a different security policy to each VLAN (traffic between VLANs has to pass through a router or firewall, where it can be filtered)
- allow more flexible designs that group users by department instead of by physical location
- solve problems more quickly, because the failure domain for many problems is a single broadcast domain
- reduce the workload for the Spanning Tree Protocol (STP) by limiting a VLAN to a single access switch
802.1q and ISL
802.1Q
- inserts a 4-byte 802.1Q VLAN header into the Ethernet header, between the source MAC address and the Type field
- 12-bit VLAN ID field inside the 802.1Q header
- supports a theoretical maximum of 2^12 (4096) VLANs, but in practice a maximum of 4094, because two values (0 and 4095) are reserved
- 802.1Q header fields: Type (the TPID, value 0x8100, which tells the receiver that a tag follows), priority (3 bits), flag (1 bit, the DEI, formerly CFI), VLAN ID (12 bits)
- ISL is Cisco's older proprietary trunking protocol; 802.1Q is the open standard, and most current switches support only 802.1Q
- Cisco switches break the range of VLAN IDs (1–4094) into the normal range and the extended range.
  - normal range: 1 to 1005; all switches can use it
  - extended range: 1006 to 4094; only some switches can use it, and whether they can depends on the configuration of the VLAN Trunking Protocol (VTP)
- 802.1Q simply does not add an 802.1Q header to frames in the native VLAN; they cross the trunk untagged, and the receiving end assigns every untagged frame to whatever it believes the native VLAN is
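As an added example (my own illustration for these notes, not code from the page or from Cisco), here is the 802.1Q tag layout in Python: packing the 16-bit TCI from the priority, flag and VLAN ID fields, inserting the 4-byte tag after the source MAC, parsing it back, and modelling the native VLAN rule above (a frame in the native VLAN leaves a trunk untagged). The MAC addresses and payload are constructed sample data. The main block goes one step beyond the notes to show why the native VLAN matters for security: the well-known double-tagging form of VLAN hopping, where a frame whose outer tag is the native VLAN has that tag stripped by the first switch and is then read by the next switch as belonging to the inner tag's VLAN.

```python
import struct

TPID_8021Q = 0x8100          # Tag Protocol Identifier: "an 802.1Q tag follows"
ETH_IPV4 = 0x0800
RESERVED_VIDS = {0, 4095}    # VID 0 = priority tag only, 4095 = reserved; 4094 usable VLANs


def build_tci(vid, pcp=0, dei=0):
    """Pack priority (3 bits), DEI flag (1 bit) and VLAN ID (12 bits) into the 16-bit TCI."""
    if not (0 <= vid <= 4095 and 0 <= pcp <= 7 and dei in (0, 1)):
        raise ValueError("field out of range for an 802.1Q tag")
    return (pcp << 13) | (dei << 12) | vid


def ethernet_frame(dst, src, ethertype, payload):
    """Untagged frame: 6-byte destination, 6-byte source, 2-byte Type, payload."""
    return dst + src + struct.pack("!H", ethertype) + payload


def push_tag(frame, vid, pcp=0, dei=0):
    """Insert a 4-byte 802.1Q header after the source MAC (offset 12). Calling it on an
    already tagged frame produces a double-tagged frame."""
    if vid in RESERVED_VIDS:
        raise ValueError(f"VLAN {vid} is reserved and cannot carry data frames")
    tag = struct.pack("!HH", TPID_8021Q, build_tci(vid, pcp, dei))
    return frame[:12] + tag + frame[12:]


def parse_frame(frame, native_vlan):
    """Classify one frame the way a trunk port does: an untagged frame belongs to the
    native VLAN; a tagged frame belongs to the VID in its outermost tag."""
    dst, src = frame[0:6], frame[6:12]
    (etype,) = struct.unpack("!H", frame[12:14])
    if etype != TPID_8021Q:
        return {"dst": dst, "src": src, "tagged": False, "vid": native_vlan,
                "pcp": 0, "dei": 0, "ethertype": etype, "payload": frame[14:]}
    tci, inner_type = struct.unpack("!HH", frame[14:18])
    return {"dst": dst, "src": src, "tagged": True, "vid": tci & 0x0FFF,
            "pcp": tci >> 13, "dei": (tci >> 12) & 1, "ethertype": inner_type,
            "payload": frame[18:]}


def send_on_trunk(frame, native_vlan):
    """Model trunk egress: a frame in the native VLAN leaves untagged, any other keeps
    its tag. Only the outermost tag is examined, which is what makes double tagging work."""
    info = parse_frame(frame, native_vlan)
    if info["tagged"] and info["vid"] == native_vlan:
        return frame[:12] + frame[16:]          # drop the 4 tag bytes
    return frame


# Constructed sample addresses and payload, not captured traffic.
DST = bytes.fromhex("ffffffffffff")
SRC = bytes.fromhex("0200000000aa")
PAYLOAD = b"\x45" + bytes(19)                   # stand-in for an IPv4 header
BASE = ethernet_frame(DST, SRC, ETH_IPV4, PAYLOAD)

if __name__ == "__main__":
    tagged = push_tag(BASE, 11, pcp=5)
    print("tagged header:", tagged[:18].hex(), "->", parse_frame(tagged, 1)["vid"])
    # Double tagging: outer tag = native VLAN (1), inner tag = target VLAN (20).
    # The first switch strips the outer tag on the trunk because it is the native VLAN;
    # the next switch sees only the inner tag and puts the frame in VLAN 20.
    # Mitigation: use a dedicated, otherwise unused native VLAN on every trunk.
    hop = push_tag(push_tag(BASE, 20), 1)
    print("VLAN seen after one trunk hop:", parse_frame(send_on_trunk(hop, 1), 1)["vid"])
```

The frame helpers operate on raw bytes so they can be fed to a packet capture or a raw socket; the native-VLAN check in send_on_trunk is the single rule that turns a mismatched or reused native VLAN into a hop between VLANs.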
show vlan brief
- lists each VLAN ID, its name, its status (active or not) and the access ports assigned to it
VLAN Trunking Protocol (VTP)
vtp mode transparent
vtp mode off
show vtp status
If your switch uses VTP server or client mode:
- The server switches can configure VLANs in the standard range only (1–1005).
- The client switches cannot configure VLANs.
- Both servers and clients may be learning new VLANs from other switches and seeing their VLANs deleted by other switches because of VTP (the domain adopts the VLAN database with the highest configuration revision number, so a switch added with a higher revision can wipe VLANs from every other switch).
- show running-config does not list any vlan commands in server or client mode, because the VLAN database is kept in vlan.dat in flash rather than in the running configuration.
- If possible in the lab, disable VTP (vtp mode off, or vtp mode transparent on switches that do not support off) and ignore VTP for your switch configuration practice until you decide to learn more about VTP for other purposes.
VLAN Trunking Configuration
Dynamic Trunking Protocol (DTP)
- negotiates whether the link trunks at all, and which trunking protocol to use (ISL or 802.1Q)
- If both switches support both protocols, they use ISL; otherwise, they use the protocol that both support.
(config-if)# switchport trunk encapsulation {dot1q | isl | negotiate}
- configure the type or allow DTP to negotiate the type (the command exists only on switches that still support ISL)
switchport mode access
- always access
switchport mode trunk
- always trunk
switchport mode dynamic desirable
- initiates negotiation messages and responds to negotiation messages
- access if the other side is access, otherwise trunk
switchport mode dynamic auto
- passively waits to receive trunk negotiation messages
- default setting
- access if both ends use this
- trunk if the other end is trunk or dynamic desirable
- On a switch that supports both ISL and 802.1Q, the encapsulation would by default list "negotiate," meaning the type of encapsulation is negotiated.
- Cisco recommends disabling trunk negotiation on most ports for better security: a port left at dynamic auto forms a trunk with any device that sends DTP, and a trunk carries every VLAN in its allowed list, so an attacker on such a port reaches VLANs the port was never meant to give access to.
(config-if)# switchport nonegotiate
- disables DTP on the interface; the switch accepts it only together with switchport mode access or switchport mode trunk, not with the dynamic modes
Data and Voice VLAN Concepts
(config-if)# switchport voice vlan 11
- can be configured on the same access port that already has a normal data VLAN assigned (switchport access vlan)
- CDP must be enabled: the switch tells the IP phone its voice VLAN ID over CDP
- voice traffic is tagged with an 802.1Q header (the phone adds the tag); data traffic from the PC behind the phone stays untagged in the access VLAN
show interfaces FastEthernet 0/4 switchport
- shows the voice VLAN
- administrative and operational mode
- access mode VLAN
show interfaces trunk
show interfaces f0/4 trunk
Three VLAN lists appear for each trunk:
- vlans allowed on trunk: 1-4094, minus vlans removed by the switchport trunk allowed vlan command
- vlans allowed and active in management domain: the first list minus vlans that are not configured, minus vlans that are shut down
- vlans in spanning tree forwarding state and not (VTP) pruned: the second list minus vlans that are in an STP blocking state, minus vlans that are VTP pruned
- show interfaces trunk does not list an access port that has a voice VLAN as a trunk; show interfaces f0/4 trunk for that specific interface does show it
Troubleshooting VLANs and VLAN trunks
Confirm that all VLANs are both defined and active.
show vlan
show vlan brief
Check the allowed VLAN lists on both ends of each trunk.
show interfaces interface-id trunk
- lists information about currently operational trunks
(config-if)# switchport trunk allowed vlan
show vlan
- does the vlan exist and is it active?
- has the vlan been VTP pruned?
- is the vlan in an STP forwarding state?
show spanning-tree vlan 2
Check for incorrect trunk configuration settings that result in one switch operating as a trunk, with the neighboring switch not operating as a trunk.
show interfaces trunk
show interfaces switchport
- check administrative and operational modes on both ends
- confirm the trunk is in an STP forwarding state in that VLAN (as also seen in the show spanning-tree vlan vlan-id command)
switchport trunk allowed vlan
- DTP on one switch but not the other (for example, one end set to trunk with nonegotiate, the other left at the dynamic auto default: the dynamic end never hears DTP and stays in access mode)
Check the native VLAN settings on both ends.
- Native vlan must match on both switches.
(config-if)# switchport trunk native vlan 2
- a mismatch causes vlan hopping: a frame sent in one vlan (untagged, because it is in the native VLAN on the sending side) is believed to be in a different vlan on the receiving side
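The DTP mode combinations above, the three VLAN lists of show interfaces trunk, and the troubleshooting checks (one-sided trunk, native VLAN mismatch, VLANs not defined, shut down, blocked or pruned) can be expressed as one small audit. The following is an added example written for these notes, not Cisco code or Cisco output; the TrunkEnd fields, the switch and interface names and the VLAN sets are constructed assumptions standing in for what you would read out of show interfaces switchport, show vlan brief and show spanning-tree on each end of the link.

```python
from dataclasses import dataclass, field

ALL_VLANS = frozenset(range(1, 4095))   # 1-4094: the default allowed list on a trunk


@dataclass
class TrunkEnd:
    """One end of a switch-to-switch link. Field names are this example's, not IOS keywords."""
    name: str
    mode: str                        # access | trunk | dynamic desirable | dynamic auto
    nonegotiate: bool = False        # switchport nonegotiate: send no DTP frames
    native_vlan: int = 1             # switchport trunk native vlan
    allowed: set = field(default_factory=lambda: set(ALL_VLANS))  # trunk allowed vlan
    defined: set = field(default_factory=set)        # VLANs present in show vlan brief
    shutdown: set = field(default_factory=set)       # VLANs that are shut down
    stp_blocking: set = field(default_factory=set)   # VLANs where this port is STP blocking
    vtp_pruned: set = field(default_factory=set)     # VLANs VTP pruned from this trunk


def sends_dtp(end):
    # access-mode and nonegotiate ports never send DTP; trunk and dynamic ports do
    return end.mode != "access" and not end.nonegotiate


def operational_mode(local, peer):
    """What `local` ends up as (access or trunk) under the DTP combination rules."""
    if local.mode in ("access", "trunk"):
        return local.mode                        # fixed, whatever the peer does
    if not sends_dtp(peer):
        return "access"                          # dynamic ports need DTP from the peer
    if local.mode == "dynamic desirable":
        return "trunk"                           # peer is trunk/desirable/auto: all accept
    return "trunk" if peer.mode in ("trunk", "dynamic desirable") else "access"  # auto


def trunk_vlan_lists(end):
    """The three VLAN lists show interfaces trunk prints for one trunk, in order."""
    allowed = set(end.allowed)
    active = (allowed & end.defined) - end.shutdown
    forwarding = active - end.stp_blocking - end.vtp_pruned
    return allowed, active, forwarding


def why_not_forwarding(end, vid):
    """First reason a VLAN is missing from the forwarding list on this end, else None."""
    if vid not in end.allowed:
        return "not allowed"
    if vid not in end.defined:
        return "not defined"
    if vid in end.shutdown:
        return "shut down"
    if vid in end.stp_blocking:
        return "STP blocking"
    if vid in end.vtp_pruned:
        return "VTP pruned"
    return None


def audit_link(a, b):
    """Findings for the link a<->b, in the order the troubleshooting checklist takes them."""
    findings = []
    mode_a, mode_b = operational_mode(a, b), operational_mode(b, a)
    if mode_a != mode_b:
        findings.append(f"one-sided trunk: {a.name} is {mode_a}, {b.name} is {mode_b}")
        return findings                          # nothing else means much until this is fixed
    if mode_a == "access":
        for end in (a, b):                       # not a trunk now, but could be turned into one
            if end.mode.startswith("dynamic"):
                findings.append(f"{end.name}: {end.mode} still answers DTP; any DTP-speaking "
                                "device plugged in can form a trunk (use mode access + nonegotiate)")
        return findings
    if a.native_vlan != b.native_vlan:
        findings.append(f"native VLAN mismatch: {a.name}={a.native_vlan} {b.name}={b.native_vlan} "
                        "(untagged frames hop between those VLANs)")
    for vid in sorted(a.defined | b.defined):    # every VLAN either switch expects to carry
        for end in (a, b):
            reason = why_not_forwarding(end, vid)
            if reason:
                findings.append(f"VLAN {vid} not forwarding on {end.name}: {reason}")
    return findings


# Constructed sample: SW1 has DTP turned off, SW2 was left at the dynamic auto default.
SW1 = TrunkEnd("SW1 Gi0/1", "trunk", nonegotiate=True, defined={1, 2, 11, 20})
SW2 = TrunkEnd("SW2 Gi0/1", "dynamic auto", defined={1, 2, 20})

# Same link after mode trunk + nonegotiate on SW2, but with a native VLAN typo on SW2,
# VLAN 11 never created on SW2, and VLAN 20 blocked by STP on SW1's port.
SW2_FIXED = TrunkEnd("SW2 Gi0/1", "trunk", nonegotiate=True, native_vlan=2, defined={1, 2, 20})
SW1_BLOCKED = TrunkEnd("SW1 Gi0/1", "trunk", nonegotiate=True,
                       defined={1, 2, 11, 20}, stp_blocking={20})

if __name__ == "__main__":
    for line in audit_link(SW1, SW2) + audit_link(SW1_BLOCKED, SW2_FIXED):
        print(line)
```

The audit stops at the first structural problem (a one-sided trunk) because the native VLAN and per-VLAN checks only mean something once both ends agree they are trunking; on a link that resolved to access it instead flags any end still in a dynamic mode, which is the condition the nonegotiate recommendation above is meant to remove.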