v5 Written and Lab: VLAN Notes
v5 Written: 2.1.c Implement and troubleshoot VLAN
2.1.c [i] Access ports
2.1.c [ii] VLAN database
2.1.c [iii] Normal, extended VLAN, voice VLAN
v5 Lab: 1.1.c Implement and troubleshoot VLAN
1.1.c [i] Access Ports
1.1.c [ii] VLAN database
1.1.c [iii] Normal, extended VLAN, voice VLAN
Documents:
Catalyst 3750-X and 3560-X Software Configuration Guide, Release 15.0(1)SE,
Chapter 15: Configuring VLANs, pgs. 15-1 to 15-14
Catalyst 3750-X and 3560-X Software Configuration Guide, Release 15.0(1)SE,
Chapter 17: Configuring Voice VLAN, pgs. 17-1 to 17-8
Catalyst 3750-X and 3560-X Software Configuration Guide, Release 15.0(1)SE,
Chapter 14: Configuring Interface Characteristics, pgs. 14-1 to 14-52
LAN Switching Configuration Guide, Cisco IOS Release 15M&T,
Chapter 3: Configuring Routing Between VLANs, pgs. 119 – 192
Books:
Cisco LAN Switching; Chapter 5: VLANs, pgs. 112 – 152
CCIE Routing and Switching Exam Certification Guide 4th Ed; Chapter 2 Virtual LANs and VLAN
Trunking, pgs. 31 – 48
INE:
A VLAN is a switched network that is logically segmented
Packets destined for systems that do not belong to the VLAN must be forwarded through a
router or a switch supporting fallback bridging
VLANs are often associated with IP subnetworks
Interface VLAN membership is configured manually on an interface-by-interface basis
A switch can route traffic between VLANs by using switch virtual interfaces (SVIs)
An SVI must be assigned an IP address to route traffic between VLANs
A switch supports VLANs in VTP client, server, and transparent modes
– there must be at least one trunk port to participate in VTP
Normal-range VLANs: 1 – 1005
– 1002 – 1005 are reserved for Token Ring and FDDI VLANs
– VTP version 1 and 2
Extended-range VLANs: 1006 – 4094
– in VTP versions 1 and 2, VTP transparent mode must be configured
VTP version 3 supports the entire VLAN range (1 – 4094)
– supported in both VTP server and transparent modes
IP base or IP Services feature set
– supports a total of 1005 VLANs
– routed ports count toward the total number of VLANs
LAN base feature set
– supports a total of 255 VLANs
– routed ports count toward the total number of VLANs
Switches support PVST+ or rapid-PVST+ with a maximum of 128 spanning-tree instances
– once all 128 instances are in use, any additional VLAN runs with STP disabled on that switch
– STP is enabled on extended-range VLANs by default
VLAN port membership modes:
– static-access
– trunk
– dynamic access
– voice VLAN
Static-access:
– one VLAN
– manually configured
– VTP not required
Trunk:
– ISL or 802.1Q
– member of all VLANs by default, including the extended-range VLANs
– VTP recommended but not required
Dynamic access:
– belongs to one VLAN, which is dynamically assigned by a VMPS (VLAN Membership Policy Server)
– VTP is required
– configure the VMPS and the client with the same VTP domain name
Voice VLAN:
– used with Cisco IP Phones
– a port can be configured for one voice VLAN and one data VLAN
– VTP is not required
Configurations for VLAN IDs 1 – 1005 are written to a file vlan.dat
– VLAN database
– stored in flash
– flash:/vlan.dat
In VTP transparent mode, the VTP and VLAN configurations are also saved in the running-config
– also called VTP disabled
– extended-range VLANs are not saved in the VLAN database and are not propagated
VLAN types:
– ethernet
– FDDI
– token ring
– token ring-net
– TrBRF
– TrCRF
Parameters that can be set for a normal-range VLAN:
– VLAN ID
– VLAN name
– VLAN type
– VLAN state (active or suspended)
– MTU
– Security Association Identifier (SAID)
– Bridge identification number for TrBRF VLANs
– Ring number for FDDI and TrCRF VLANs
– Parent VLAN number for TrCRF VLANs
– STP type for TrCRF VLANs
– VLAN number to use when translating from one VLAN type to another
To create a VLAN, the switch must be in VTP server or transparent mode
In VTP server mode, the VTP domain must be configured for VTP to function
Since the switch supports Ethernet interfaces exclusively, only FDDI and Token Ring
media-specific characteristics are supported for VTP global advertisements to other
switches
conf t
vlan 20
name test20
show vlan
When a VLAN is deleted in VTP server mode, it is removed from the VLAN database on all
switches in the VTP domain
When a VLAN is deleted in VTP transparent mode, it is deleted only from that switch
When a VLAN is deleted, any ports assigned to that VLAN become inactive.
conf t
no vlan 20
sh vlan brief
If a VLAN is configured on an interface and the VLAN does not exist, the new VLAN is
created
conf t
int fa0/1
switchport mode access
switchport access vlan 20
show run int fa0/1
show int fa0/1 switchport
To return an interface to its default configuration:
conf t
default int fa0/1
Each routed port on the switch creates an internal VLAN for its own use. These internal VLANs
use extended-range VLAN numbers. A VLAN ID that is in use as an internal VLAN cannot be
configured as an extended-range VLAN.
conf t
int fa0/1
no switchport
ip address 1.1.1.1 255.255.255.252
show vlan internal usage
To change the behavior of internal VLANs, whether they start at 1006 and ascend or start at
4094 and descend, use:
conf t
vlan internal allocation policy ascending
Or:
vlan internal allocation policy descending
If necessary, the routed port can be shut down, which frees its internal VLAN. The
extended-range VLAN can then be created using that VLAN ID, and the port re-enabled.
Routed ports count toward the total number of VLANs on the switch. If the total number of
VLANs is reached, an error message is created
Before creating an extended-range VLAN, use:
show vlan internal usage
Extended-range VLANs:
conf t
vtp mode transparent
vlan 200
name test
show vlan id 200
To delete an extended-range VLAN:
conf t
no vlan 200
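The internal-VLAN conflict described above, worked through as an added example (this sequence is not from the Cisco guide or the INE notes). It assumes that fa0/1 is a routed port, that the ascending allocation policy is in effect so the port holds internal VLAN 1006, and that the goal is to create extended-range VLAN 1006; the VLAN name is also an assumed value.

```cisco
! Assumed: fa0/1 is a routed port currently holding internal VLAN 1006
show vlan internal usage
conf t
! extended-range VLANs need VTP transparent mode on VTP v1/v2
vtp mode transparent
interface fa0/1
! shutting the routed port releases the internal VLAN it was allocated
 shutdown
exit
! the ID is now free, so the extended-range VLAN can be created
vlan 1006
 name test1006
exit
interface fa0/1
! when the routed port comes back up it takes the next free internal VLAN ID instead
 no shutdown
end
show vlan internal usage
show vlan id 1006
```

Comparing the two `show vlan internal usage` outputs confirms that the routed port was moved off 1006 rather than left in conflict with the new VLAN; the error seen if the shutdown step is skipped is the one the notes mention for an ID already in internal use.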
Switches running the LAN Base feature set support only static routing on SVIs.
The voice VLAN enables access ports to carry IP voice traffic from an IP phone
The IP phone sends voice traffic with:
– Layer 3 IP precedence; default value of 5
– Layer 2 class of service (CoS); default value of 5
The switch can be configured to trust or override the traffic priority assigned by the IP
phone
The IP phone has an integrated 3-port switch
– Port 1 connects to the switch
– Port 2 is an internal interface
– Port 3 connects to a PC or other device
An access port can be configured for one voice VLAN and one data VLAN
CDP must be enabled on the switch port
CDP is used to configure the IP phone to send voice traffic in any of these ways:
– voice VLAN tagged with Layer 2 CoS priority value
– access VLAN tagged with Layer 2 CoS priority value
– access VLAN untagged and no Layer 2 CoS priority value
Voice traffic Layer 3 IP precedence
– voice traffic, default value of 5
– voice control traffic, default value of 3
CDP is used to configure the IP phone’s access port
– trusted mode, all traffic received passes through unchanged
– untrusted mode, all 802.1Q and 802.1p frames receive a configured Layer 2 CoS value
– the default CoS value is 0
– untrusted mode is the default
– untagged traffic passes through the phone unchanged, regardless of the trust state of
the access port on the phone
Do not configure a voice VLAN on a private VLAN port
Power over Ethernet (PoE) switches are capable of automatically providing power to devices
– Cisco pre-standard
– 802.3af compliant
It is recommended to enable QoS on switches before enabling a voice VLAN
– mls qos; global configuration
– mls qos trust cos; interface configuration
– the auto-QoS feature configures both
The Port Fast feature is automatically enabled when the voice VLAN is configured
– when the voice VLAN is disabled, the Port Fast feature is not automatically disabled
If the IP phone and the device attached to the phone are in the same VLAN, they must be in
the same IP subnet
Voice VLAN can be configured on the following port types:
– dynamic access port
– IEEE 802.1X authenticated port
– protected port
– the source or destination of a SPAN or RSPAN session
– secure port
Port security
– the maximum allowed addresses on the port must be set to 2, plus the number of addresses
allowed on the access VLAN
– the MAC address of the IP phone may be learned on both the voice and access VLANs
conf t
int fa0/1
mls qos trust cos
switchport voice {detect cisco-phone [full-duplex] | vlan {vlan-id | dot1p | none | untagged}}
switchport voice vlan dot1p
– configures the switch to accept voice and data IEEE 802.1p priority frames tagged with
VLAN ID 0 (the native VLAN)
– by default, the switch drops all voice and data traffic tagged with VLAN 0
sh int fa0/1 switchport
conf t
int fa0/1
switchport priority extend {cos | trust}
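The QoS, voice VLAN and port-security notes above combined into one complete access-port configuration, added here as a worked example (it is not a configuration from the Cisco guide or the INE notes). Interface fa0/1, data VLAN 20, voice VLAN 120 and a single PC behind the phone are assumed values; both VLANs are assumed to already exist in the VLAN database.

```cisco
! Assumed: VLAN 20 (data) and VLAN 120 (voice) already exist; CDP is left at its default (enabled)
conf t
! enable QoS globally before configuring the voice VLAN, as the notes recommend
mls qos
interface fa0/1
 description IP phone with one PC behind it (example)
 switchport mode access
 switchport access vlan 20
 switchport voice vlan 120
! trust the CoS the phone marks on its own voice frames
 mls qos trust cos
! but do not trust the PC port on the phone: rewrite its CoS to 0
 switchport priority extend cos 0
! port security: the phone MAC can be learned on both VLANs (2) plus one PC on the access VLAN (1)
 switchport port-security
 switchport port-security maximum 3
 switchport port-security maximum 1 vlan access
 switchport port-security violation restrict
end
show interfaces fa0/1 switchport
show port-security interface fa0/1
show mls qos interface fa0/1
```

`violation restrict` drops frames from addresses beyond the limit and raises a counter and SNMP trap without err-disabling the port, which keeps the phone reachable while a violating PC is investigated; Port Fast is not configured explicitly because the notes state it is enabled automatically when the voice VLAN is configured.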
On a router, VLANs need to be configured on subinterfaces.
conf t
ip routing
int fa0/1.2
encapsulation dot1q 2
ip address 1.1.1.1 255.255.255.0
conf t
int fa0/1.2
encapsulation dot1q 2 native
ip address 1.1.1.1 255.255.255.0
Configuring a VLAN for a Bridge Group
conf t
int fa0/1.2
encapsulation dot1q 2
bridge-group 2
Each VLAN has its own MAC address table
Switch ports are Layer 2-only interfaces associated with a physical port
– a switch port can be an access port, a trunk port, or a tunnel port
– switch ports do not handle routing or bridging
If an access port receives a tagged packet (ISL or dot1q), the packet is dropped
Port VLAN ID (PVID)
Tunnel ports are used in 802.1Q tunneling to segregate the traffic of customers in a
service-provider network from other customers who are using the same VLAN number
A routed port is a physical port that acts like a port on a router
– behaves like a regular router interface, except that it does not support VLAN
subinterfaces
A switched virtual interface (SVI) represents a VLAN of switch ports as one interface to
the routing and bridging functions in the system
– only one SVI can be associated with a VLAN
– must be configured to route between VLANs or use fallback-bridging for nonroutable
protocols between VLANs
– by default, an SVI is created for VLAN 1
– the SVI for VLAN 1 cannot be deleted
– the SVI does not become active until it is associated with a physical port and that port
is in the up/up state
SVI autostate exclusion
– configures a port so that it is not counted when determining whether the VLAN (and its
SVI) is up
– if a port configured for SVI autostate exclusion is the only port in the VLAN whose state
is up, the SVI stays in the down state
conf t
int gi0/1
switchport autostate exclude
show run int gi0/1
show int gi0/1 switchport
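Inter-VLAN routing on SVIs together with autostate exclusion, worked through as an added example (not a configuration from the Cisco guide or the INE notes). VLANs 10 and 20, their names, the access ports fa0/2 and fa0/3, the subnets and the use of gi0/1 as a monitoring port are assumed values; the switch is assumed to run the IP base or IP services feature set, since the notes state that LAN base supports only static routing on SVIs.

```cisco
conf t
! required for the switch to forward between SVIs
ip routing
vlan 10
 name USERS
vlan 20
 name SERVERS
exit
interface fa0/2
 switchport mode access
 switchport access vlan 10
interface fa0/3
 switchport mode access
 switchport access vlan 20
! one SVI per VLAN; each needs an IP address to route
interface vlan 10
 ip address 10.0.10.1 255.255.255.0
 no shutdown
interface vlan 20
 ip address 10.0.20.1 255.255.255.0
 no shutdown
! gi0/1 feeds a network analyzer (assumed): its link state must not keep an SVI up on its own
interface gi0/1
 switchport autostate exclude
end
show ip interface brief
show run interface gi0/1
show interfaces gi0/1 switchport
```

With this in place, `show ip interface brief` lists Vlan10 and Vlan20 as up/up only while fa0/2 and fa0/3 respectively are up; if only gi0/1 were up in one of the VLANs, that SVI would report down, so the routing table does not advertise a subnet with no real hosts behind it.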
10-Gigabit Ethernet interfaces only operate in the full-duplex mode
PoE capable switch ports automatically supply power to connected devices for:
– Cisco pre-standard powered devices (Cisco IP Phones)
– IEEE 802.3af compliant powered devices
– IEEE 802.3at compliant powered devices
The switch uses these protocols to support PoE:
– CDP with power consumption
– Cisco intelligent power management
– IEEE 802.3af
– IEEE 802.3at – POE+
Power management modes
– auto
– static
– never
Macros can be used to define interface ranges
conf t
define interface-range ALL_PORTS fa0/1 - 24
int range macro ALL_PORTS
show run | in define
Management port
– a Layer 3 host port used to connect a PC
– by default, the management port is enabled
– the switch cannot route packets from the management port to a routed port
– the switch cannot route packets from a routed port to the management port
– routing protocols can be enabled on the port
If the management port and routed port are associated to the same routing process
– the routes from the management port are propagated through the routed ports
– the routes from the routed ports are propagated through the management port
Supported features on the management port:
– Express Setup
– Network Assistant
– telnet
– TFTP
– SSH
– DHCP
– SNMP
– IP ping
– CDP
– DHCP relay agent
– IPv4 and IPv6 ACLs
– routing protocols
If the management port LED is amber, the switch failed POST
TFTP and the management port
– arp
– mgmt_clr
– mgmt_init
– mgmt_show
– ping
– boot tftp:/
– copy tftp:/
Default Layer 2 Ethernet Interface Configuration
– Operating mode: Layer 2 (switchport)
– Allowed VLAN range: 1 – 4094
– Default VLAN: VLAN 1
– Native VLAN: VLAN 1
– VLAN trunking: switchport mode dynamic auto (supports DTP)
– Port enabled state: all ports are enabled
– Port description: none defined
– Speed: autonegotiate
– Duplex mode: autonegotiate
– Flow control: set to receive off
– EtherChannel (PAgP): disabled on all ports
– port blocking (unknown multicast and unknown unicast): disabled
– Broadcast, multicast, unicast storm: disabled
– Protected port: disabled
– Port security: disabled
– Port fast: disabled
– Auto-MDIX: enabled
– Power over Ethernet: enabled
Interface speed and duplex mode
– 10 Mb/s ports normally operate in half-duplex mode
– Gigabit Ethernet ports operating at 1000 Mb/s do not support half-duplex mode
– SFP ports (1000BASE-x, where x is -BX, -CWDM, -LX, -SX, or -ZX) support the nonegotiate
and speed interface commands
– SFP ports (1000BASE-x, where x is -BX, -CWDM, -LX, -SX, or -ZX) do not support duplex
options
– SFP ports (1000BASE-T) support speed and duplex options
Changing the interface speed and duplex mode might shut down and re-enable the interface
conf t
int gi0/1
speed { 10 | 100 | 1000 | auto | nonegotiate }
duplex { auto | full | half }
show int gi0/1
IEEE 802.3x flow control
– enables connected port to control traffic rates during congestion
– node sends pause link operation to the other end
– 3750-X and 3560-X ports can receive, but do not send pause frames
conf t
int gi0/1
flowcontrol { on | off | desired }
show int gi0/1
Auto-MDIX
– Automatic Medium-Dependent Interface Crossover
– allows either a straight through or crossover cable to be connected
– enabled by default
– the interface speed and duplex must be set to auto
– not supported on 1000BASE-SX or -LX SFPs
conf t
int gi0/1
speed auto
duplex auto
mdix auto
show controllers ethernet-controller gi0/1 phy
PoE management on an interface
conf t
int gi0/1
power inline { auto | never | static }
show power inline
The switch supports these types of Layer 3 interfaces
– SVIs
– Routed ports
– Layer 3 EtherChannel ports
All Layer 3 interfaces require an IP address to route traffic
conf t
int gi0/1
no switchport
ip add 1.1.1.1 255.255.255.0
no shut
show int gi0/1
show ip int gi0/1
System MTU
– the default maximum transmission unit (MTU) size for frames received and sent on all
interfaces is 1500 bytes
– jumbo frames can be configured on Gigabit and 10-Gigabit ethernet ports
– system mtu jumbo
– system routing MTU applies only to routed packets on all routed ports
– system mtu routing
– the switch does not support MTU settings on a per-interface basis
– the command “system mtu ” can be configured on a 3750-X, but the
setting only applies to 3750 switches in the switch stack
– after changing MTU settings, the switch must be reset to take effect
– the system MTU setting is saved in the switch environmental variable in NVRAM
– the system MTU settings are not saved in the configuration file
– the maximum MTU size varies depending on if there are 3750 switches present in the
switch stack
conf t
system mtu jumbo 9198
system mtu routing 9198
system mtu 1998
reload
show system mtu
Monitoring Interface Status
show env power switch
show env ps
show int gi0/1
show int gi0/1 status
sh int status
show int gi0/1 status err-disabled
show int gi0/1 switchport
show int gi0/1 description
show ip int gi0/1
show ip int brief
show int gi0/1 stats
show int transceiver dom-supported-list
show int transceiver properties
show controllers ethernet-controller gi0/1
show power inline
show power inline consumption
show power inline police
Clearing and resetting interface counters
clear counters gi0/1
clear int gi0/1
clear line vty 1
clear line console