vlans - anandp

8/14/2019 VLANs - Anandp

1/36

1 2003, Cisco Systems, Inc. All rights reserved.

Catalyst 6500Technical Training

November 2003

Carl Solder

Technical Marketing Engineer

Internetworking Systems Business Unit

CHAPTER 11: Virtual LANs (VLANs)


2/36


3/36


Cisco Systems

CHAPTER 11.1 Understanding VLANs


4/36


Cisco SystemsUnderstanding VLANsA Virtual LAN allows the grouping of different switch ports into the same broadcast domain as

though they were connected via the same physical switch. A VLAN can span across non

contiguous ports, across different modules and across different switchs.

Switch A Switch B

In the above diagram, there are three VLANs, Red, Green and Blue all hosts belonging to

a particular VLAN need to traverse a Layer 3 device to reach a host in another VLAN


5/36


Cisco Systems

Understanding VLANs

Broadcast Domain

A VLAN creates a broadcast domain such that any broadcasts generated by hosts within the

VLAN do not (by default) cross into another VLAN boundary

Switch A

In the above example, a broadcast sent by Red host A will be forwarded to all other

hosts in the RED VLAN, but not to hosts in the BLUE or GREEN VLAN

A


6/36


Cisco Systems

Understanding VLANs

VLANs and IP Subnets

It is common practice for a Virtual LAN to be

associated with a single IP Subnet as follows.

Switch

VLAN A - IP Subnet A

VLAN B - IP Subnet B

While not common, it is valid for multiple

subnets to exist wholly within the same

VLAN but in this case each subnet needs a

layer 3 device to communicate to anothersubnet

Switch

VLAN C - IP Subnet A & B


7/36


Cisco Systems

Understanding VLANs

VLAN Number Range

When a VLAN is created, it has to be assigned a valid number within a specified range.

Currently the VLAN number range is as follows

VLAN # Range Usage VTP Support0 Reserved System Use only N/A

1 Normal Cisco Default Usable but cannot be deleted Yes

2 - 1001 Normal Can be created, used and deleted

1002 - 1005 NormalDefaults for Token Ring and FDDI Cannot be

deleted

1006 - 4094 ExtendedFor Ethernet VLANs only - Can be created, used

and deleted

No

4095 Reserved System Use only N/A

Yes

Yes

NOTE: Configuring extended VLANs required additional configuration


8/36


Cisco Systems

Understanding VLANs

Extended VLANs

Each VLAN consumes a MAC address (used by Spanning Tree to build a bridge ID). As the

switch only has 1024 MAC addresses, using extended VLANs (1006 4024) requires users to

enable the extended system-id feature this enables switch to build a unique bridge ID for

all potential 4094 VLANs

Bridge Priority MAC Address

6 bytes 48 bits2 bytes 16 bits

Normal Spanning Tree Bridge ID is built as follows

Bridge Priority without extended system-id

configured

2 bytes 16 bits

Bridge Priority with extended system-id

configured

Bridge Priority Extended System ID (VLAN)Bridge Priority

4 bits 12 bits


9/36


Cisco Systems

Understanding VLANs

Internal VLANs

The Catalyst 6500 uses a VLAN number internally to represent a layer 3 port that being a

physical layer 3 port (like a FlexWAN or a routed Ethernet port) or a logical layer 3 port (like a

sub-interface on a FlexWAN port, etc)

STD

VLAN

1-1001

EXTD

VLAN

1006

to

4094

Standard Ethernet layer 2 port can be placed in any VLAN

VLAN interface can use any VLAN number

A layer 3 Ethernet port or a FLEXWAN/OSM layer 3 port

each consumes 1 extended VLAN number

A sub-interface consumes 1 extended VLAN number


10/36


Cisco Systems

Understanding VLANs

Internal VLANs

Once an extended VLAN is consumed by a layer 3 port, it cannot be used for other purposes

The switch can be configured to define the allocation policy that is should extended VLAN

numbers be allocated bottom up (from 1006 up) or top down (from 4094 down)

STD

VLAN

1-1001

EXTD

VLAN

1006to

4094

1006

1007

1008

1009

..

4091

4092

4093

4094

Allocation policy of ascending indicates

the VLANs allocated to layer 3

interfaces will be assigned from 1006

and upwards

Allocation policy of descending

indicates the VLANs allocated to layer 3

interfaces will be assigned from 4094

and downwards

INTERNAL VLAN ALLOCATION

POLICY


11/36


Cisco Systems

Understanding VLANs

VLAN Port Types

Switch Ports defined as an access port are placed in a VLAN. They can only belong to one

VLAN at a time. Special Switch Ports can be defined as a VLAN Trunk Port which I designed to

carry traffic from multiple VLANs Trunk ports tend to be defined for links to other switches

or routers

Switch

Port 2/2 VLAN 10

Port 2/1 VLAN 20

Port 2/3 VLAN 10

Port 2/4 VLAN 30

Port 2/5 VLAN 20

Port 2/6 VLAN 30

Access Ports

Switch

Trunk Ports


12/36


Cisco Systems

Understanding VLANs

VLAN Trunks - Tagging

A VLAN trunk will tag data with its VLAN number, so the destination switch will know which

VLAN to forward to packet to There are two technologies supported in the Catalyst 6500 to

tag VLANs and they are ISL and 802.1Q these are typically implemented in ASICs to

maximize performance

Switch SwitchVLAN 10

VLAN 20

VLAN 30

VLAN 10

VLAN 20

VLAN 30

Individual VLANs running on Access Ports

Trunk Port to carry traffic from Multiple VLANs


13/36


14/36


Cisco Systems

Understanding VLANsVLAN Tagging 802.1Q

802.1Q is an IEEE standard for VLAN Tagging - It is a one level tagging mechanism inserting

a single tag within the Ethernet frame Unlike ISL, it supports the full 4096 VLAN numbers

Switch SwitchVLAN 10

VLAN 20

VLAN 30

VLAN 10

VLAN 20

VLAN 30

Data DataData

DA SA ETH-TYPE TAG TYPE/LEN DATA

User Priority CFI VLAN Number


15/36


Cisco Systems

Understanding VLANsMapping Dot1Q to ISL VLANs

There may be occasions where a user group is split across a Dot1Q network an ISL network

in this case, to allow communication between the two disparate groups, VLAN mapping must

take place on a switch that bridges the two networks

SWITCH

Dot1Q ISL

.

.

.

.

.

Map Table

Dot1QISL

.

.

.

.

.

The switch will maintain a map table that maps a Dot1Q VLAN to anISL VLAN


16/36


Cisco Systems

Understanding VLANsMapping Dot1Q to ISL VLANs Rules

Rules for mapping Dot1Q VLANs to ISL VLANs

1. You can configure up to eight 802.1Q-to-ISL VLAN mappings on the Catalyst 6500 seriesswitch.

2. You can only map 802.1Q VLANs to Ethernet-type ISL VLANs.

3. Do not enter the native VLAN of any 802.1Q trunk in the mapping table.

4. When you map an 802.1Q VLAN to an ISL VLAN, traffic on the 802.1Q VLAN corresponding

to the mapped ISL VLAN is blocked. For example, if you map 802.1Q VLAN 1007 to ISL VLAN200, traffic on 802.1Q VLAN 200 is blocked.

5. VLAN mappings are local to each Catalyst 6500 series switch. Make sure you configure the

same VLAN mappings on all appropriate network devices

SWITCH

Dot1Q ISL


17/36


Cisco Systems

Configuring VLANsEthernet Default VLAN Configuration

The default VLAN configuration for Ethernet ports in the Catalyst 6500 are

Parameter RangeDefaultVLAN ID 1-40941

VLAN Name ---Default for VLAN 1, VLANvlan_idfor other

VLANs

MTU Size 576 - 181901500

Translational Bridge 1 0 - 10050

Translational Bridge 2 0 - 10050

VLAN State Active/SuspendActive

Eligible for Pruning ---Prune eligible for VLANs 2-1001, VLANs 1006-

4094 not eligible for pruning


18/36


Cisco Systems

Configuring VLANsVLAN Configuration Options

A VLAN can only be configured on a switch defined as a VTP Server or when it is in VTP

Transparent Mode VTP Clients cannot configure VLANs There are two ways to configure

VLANs in Global Configuration Mode or VLAN Database Mode (which is being deprecated)

VLAN Database Mode

Global Configuration Mode

6500# vlan database% Warning: It is recommended to configure VLAN from config mode,as VLAN database mode is being deprecated. Please consult userdocumentation for configuring VTP/VLAN in config mode.

6500(vlan)# vlan 320VLAN 320 added:

Name: VLAN0320

6500# conf tEnter configuration commands, one per line. End with CNTL/Z.6500(config)# vlan 330

6500(config-vlan)#


19/36


Cisco Systems

Configuring VLANsCreating and Modifying

Once a VLAN has been created in global configuration mode, a range of options are then

presented to the user with which to modify the VLAN from its defaults..

6500(config-vlan)#?VLAN configuration commands:

are Maximumn number of All Route Explorer hops for this VLAN (orzero if none specified)

backupcrf Backup CRF mode of the VLANbridge Bridging characteristics of the VLANexit Apply changes, bump revision number, and exit modemedia Media type of the VLAN

mtu VLAN Maximum Transmission Unitname Ascii name of the VLANno Negate a command or set its defaultsparent ID number of the Parent VLAN of FDDI or Token Ring type VLANsprivate-vlan Configure a private VLANremote-span Configure as Remote SPAN VLANring Ring number of FDDI or Token Ring type VLANssaid IEEE 802.10 SAIDshutdown Shutdown VLAN switching

state Operational state of the VLANste Maximumn number of Spanning Tree Explorer hops for this VLAN

(or zero if none specified)stp Spanning tree characteristics of the VLANtb-vlan1 ID number of the first translational VLAN for this VLAN (or

zero if none)tb-vlan2 ID number of the second translational VLAN for this VLAN (or

zero if none)

6500(config-vlan)#?VLAN configuration commands:

are Maximumn number of All Route Explorer hops for this VLAN (orzero if none specified)backupcrf Backup CRF mode of the VLANbridge Bridging characteristics of the VLANexit Apply changes, bump revision number, and exit modemedia Media type of the VLANmtu VLAN Maximum Transmission Unitname Ascii name of the VLAN

no Negate a command or set its defaultsparent ID number of the Parent VLAN of FDDI or Token Ring type VLANsprivate-vlan Configure a private VLANremote-span Configure as Remote SPAN VLANring Ring number of FDDI or Token Ring type VLANssaid IEEE 802.10 SAID

shutdown Shutdown VLAN switching

state Operational state of the VLANste Maximumn number of Spanning Tree Explorer hops for this VLAN(or zero if none specified)

stp Spanning tree characteristics of the VLANtb-vlan1 ID number of the first translational VLAN for this VLAN (or

zero if none)

tb-vlan2 ID number of the second translational VLAN for this VLAN (orzero if none)


20/36


21/36


Cisco Systems

Configuring VLANsCreating and Modifying

The maximum MTU size for this VLAN can be specified as follows...

6500(config-vlan)# mtu ?

Value of VLAN Maximum Tranmission Unit

6500(config-vlan)# mtu ?

Value of VLAN Maximum Tranmission Unit

A name other than the default VLANvlan_number can be assigned as follows...

6500(config-vlan)# name ?WORD The ascii name for the VLAN

6500(config-vlan)# name ?WORD The ascii name for the VLAN

Specify whether this VLAN is active or suspended...

6500(config-vlan)# stateactive VLAN Active Statesuspend VLAN Suspended State

6500(config-vlan)# stateactive VLAN Active Statesuspend VLAN Suspended State


22/36


Cisco Systems

Configuring VLANsAssigning VLANs to Switch Ports

Once the VLAN has been created, it can be assigned to an access port. First the port must first

be defined as a layer 2 port this is done by issuing the switchport command as shown

below

6500(config)# interface g1/146500(config-if)# switchport


Next the VLAN can be assigned to this port as follows

6500(config)# interface g1/146500(config-if)# switchport6500(config-if)# switchport access vlan ? VLAN ID of the VLAN when this port is in access mode

6500(config-if)# switchport access vlan 3306500(config-if)#



Interface G1/14 in the example above is now in VLAN 330


23/36


Cisco Systems

Configuring VLANsAssigning VLANs to Switch Ports

The VLAN assignment can be confirmed by using the following show command

6500(config)# show interface g1/14 switchport

Name: Gi1/14Switchport: EnabledAdministrative Mode: dynamic desirableOperational Mode: downAdministrative Trunking Encapsulation: negotiateNegotiation of Trunking: OnAccess Mode VLAN: 330 (VLAN0330)Trunking Native Mode VLAN: 1 (default)Voice VLAN: noneAdministrative private-vlan host-association: noneAdministrative private-vlan mapping: noneOperational private-vlan: noneTrunking VLANs Enabled: ALL

Pruning VLANs Enabled: 2-1001Capture Mode DisabledCapture VLANs Allowed: ALL

Unknown unicast blocked: disabledUnknown multicast blocked: disabled

6500(config)# show interface g1/14 switchportName: Gi1/14Switchport: EnabledAdministrative Mode: dynamic desirableOperational Mode: downAdministrative Trunking Encapsulation: negotiateNegotiation of Trunking: OnAccess Mode VLAN: 330 (VLAN0330)

Trunking Native Mode VLAN: 1 (default)Voice VLAN: noneAdministrative private-vlan host-association: noneAdministrative private-vlan mapping: noneOperational private-vlan: noneTrunking VLANs Enabled: ALL

Pruning VLANs Enabled: 2-1001Capture Mode DisabledCapture VLANs Allowed: ALL

Unknown unicast blocked: disabledUnknown multicast blocked: disabled

Port placed in VLAN 330


24/36


25/36


Cisco Systems

Configuring VLANsInternal VLAN Allocation Policy

If the Internal VLAN allocation policy needs to be changed, then the following command can

be used

6500(config)# vlan internal allocation policy ?ascending Allocate internal VLAN in ascending orderdescending Allocate internal VLAN in descending order

6500(config)# vlan internal allocation policy ?ascending Allocate internal VLAN in ascending orderdescending Allocate internal VLAN in descending order

If the policy is changed, then the switch needs to bereloaded for the change to take effect

!

10061007

1008

1009

..

4091

4092

4093

4094


26/36


Cisco Systems

Configuring VLANsCreating VLAN Trunks

A Switchport can be configured as a VLAN Trunk Port. It must first be defined as a layer 2 port

as follows



Next the interface can be enabled as a Trunk port first the VLAN trunk encapsulationmust be defined

6500(config-if)# switchport trunk encapsulation ?dot1q Interface uses only 802.1q trunking encapsulation when trunkingisl Interface uses only ISL trunking encapsulation when trunkingnegotiate Device will negotiate trunking encapsulation with peer on

interface

6500(config-if)# switchport trunk encapsulation ?dot1q Interface uses only 802.1q trunking encapsulation when trunkingisl Interface uses only ISL trunking encapsulation when trunking

negotiate Device will negotiate trunking encapsulation with peer oninterface

For the purposes of this exercise, we will assume a Dot1Q trunk has been defined


27/36


Cisco Systems


After the encapsulation type is chosen, the mode in which this trunk port is going to

operate must be defined..

6500(config-if)# switchport mode ?access Set trunking mode to ACCESS unconditionallydot1q-tunnel set trunking mode to TUNNEL unconditionallydynamic Set trunking mode to dynamically negotiate access or trunk modeprivate-vlan Set the mode to private-vlan host or promiscuoustrunk Set trunking mode to TRUNK unconditionally

6500(config-if)# switchport mode ?access Set trunking mode to ACCESS unconditionallydot1q-tunnel set trunking mode to TUNNEL unconditionallydynamic Set trunking mode to dynamically negotiate access or trunk modeprivate-vlan Set the mode to private-vlan host or promiscuoustrunk Set trunking mode to TRUNK unconditionally

Assuming we want the trunk to initiate negotiation we would choose the dynamic option

dynamic specifies a further sub category of auto and desirable to specify to finish off the

configuration of the trunk port

6500(config-if)# switchport mode dynamic ?auto Set trunking mode dynamic negotiation parameter to AUTOdesirable Set trunking mode dynamic negotiation parameter to DESIRABLE

6500(config-if)# switchport mode dynamic ?auto Set trunking mode dynamic negotiation parameter to AUTOdesirable Set trunking mode dynamic negotiation parameter to DESIRABLE


28/36


Cisco Systems


By default the trunk will allow all VLANs to be carried across the link this behavior can

be changed by specifying which VLANs are allowed..

6500(config-if)# switchport trunk allowed vlan ?WORD VLAN IDs of the allowed VLANs when this port is in trunking modeadd add VLANs to the current listall all VLANsexcept all VLANs except the followingnone no VLANsremove remove VLANs from the current list

6500(config-if)# switchport trunk allowed vlan ?WORD VLAN IDs of the allowed VLANs when this port is in trunking modeadd add VLANs to the current listall all VLANsexcept all VLANs except the followingnone no VLANsremove remove VLANs from the current list

VLANs can also be configured to be pruned from the trunk using the following command

6500(config-if)# switchport trunk pruning vlan ?

add add VLANs to the current listexcept all VLANs except the followingnone no VLANsremove remove VLANs from the current list

6500(config-if)# switchport trunk pruning vlan ?

add add VLANs to the current listexcept all VLANs except the followingnone no VLANsremove remove VLANs from the current list


29/36


Cisco Systems


If the port were to stop trunking, you can define the access vlan that the trunk port would

become a part of using the following command..

An optional command is the ability to change the default native vlan from 1 to another

number for this trunk. The native VLAN can be changed using the following command

6500(config-if)# switchport trunk native vlan ? VLAN ID of the native VLAN when this port is in trunking mode

6500(config-if)# switchport trunk native vlan ? VLAN ID of the native VLAN when this port is in trunking mode






30/36


Cisco Systems

Configuring VLANsMapping 802.1Q VLANs to ISL VLANs

Dot1Q VLANs can be manually mapped to an ISL VLAN using the following command

6500(config)# vlan mapping dot1q ?

VLAN ID of the .1Q VLAN to map from/to on all incoming/outgoing .1Q trunks

6500(config)# vlan mapping dot1q ?

VLAN ID of the .1Q VLAN to map from/to on all incoming/outgoing .1Q trunks

6500(config)# vlan mapping dot1q 3000 isl ?

VLAN ID of the ISL VLAN to map to/from on the local device

6500(config)# vlan mapping dot1q 3000 isl ?

VLAN ID of the ISL VLAN to map to/from on the local device

Specify the dot1q vlan below

Then the ISL keyword with the ISL VLAN

6500(config)# vlan mapping dot1q 3000 isl 2006500(config)# vlan mapping dot1q 3000 isl 200


31/36


Cisco Systems

Configuring VLANsMapping 802.1Q VLANs to ISL VLANs

The results of the mapping can be viewed using the following command

6500# show vlan mapping

General VLAN Translations:

Original VLAN Translated VLAN

------------- ---------------

802.1Q Trunk Remapped VLANs:

802.1Q VLAN ISL VLAN

----------- -----------

3000 2006500#

6500# show vlan mapping

General VLAN Translations:

Original VLAN Translated VLAN

------------- ---------------



----------- -----------

3000 2006500#


32/36


Cisco Systems

Configuring VLANsDisplay VLANs

Information on VLANs can be shown using a range of show commands

6500# show vlan ?access-log VACL Loggingaccess-map VLAN access-mapbrief VTP all VLAN status in briefcounters VLAN traffic counters for all VLANsdot1q Display dot1q parametersfilter VLAN filter information

id VTP VLAN status by VLAN idifindex SNMP ifIndexinternal VLAN internal usagemapping Show VLAN mappingsname VTP VLAN status by VLAN nameprivate-vlan Private VLAN information

remote-span Remote SPAN VLANssummary VLAN summary information| Output modifiers

6500# show vlan ?

access-log VACL Loggingaccess-map VLAN access-mapbrief VTP all VLAN status in briefcounters VLAN traffic counters for all VLANsdot1q Display dot1q parametersfilter VLAN filter information

id VTP VLAN status by VLAN idifindex SNMP ifIndexinternal VLAN internal usagemapping Show VLAN mappingsname VTP VLAN status by VLAN nameprivate-vlan Private VLAN informationremote-span Remote SPAN VLANs

summary VLAN summary information| Output modifiers


33/36


Cisco Systems


6500# show vlan brief

VLAN Name Status Ports

---- -------------------------------- --------- -------------------------------

1 default active Gi1/2, Gi1/5, Gi1/6, Gi1/7Gi1/8, Gi1/12, Gi1/14, Gi3/3Gi3/4, Gi3/5, Gi3/6, Gi3/7

Gi4/1, Gi4/2, Gi4/3, Gi4/4

Gi4/5, Gi4/6, Gi4/8

101 VLAN0101 active Gi3/2

300 VLAN0300 active

310 marketing active320 VLAN0320 active

330 VLAN0330 active

1002 fddi-default act/unsup

1003 trcrf-default act/unsup

1004 fddinet-default act/unsup

1005 trbrf-default act/unsup

3000 VLAN3000 active



----------- -----------

3000 200

6500# show vlan brief


---- -------------------------------- --------- -------------------------------

1 default active Gi1/2, Gi1/5, Gi1/6, Gi1/7

Gi1/8, Gi1/12, Gi1/14, Gi3/3

Gi3/4, Gi3/5, Gi3/6, Gi3/7

Gi4/1, Gi4/2, Gi4/3, Gi4/4

Gi4/5, Gi4/6, Gi4/8

101 VLAN0101 active Gi3/2

300 VLAN0300 active

310 marketing active320 VLAN0320 active

330 VLAN0330 active

1002 fddi-default act/unsup

1003 trcrf-default act/unsup

1004 fddinet-default act/unsup

1005 trbrf-default act/unsup

3000 VLAN3000 active



----------- -----------

3000 200


34/36


Cisco Systems


6500# show vlan counters

* Multicast counters include broadcast packets

Vlan Id : 1

L2 Unicast Packets : 37602

L2 Unicast Octets : 3701591

L3 Input Unicast Packets : 12025

L3 Input Unicast Octets : 12597999

L3 Output Unicast Packets : 13855

L3 Output Unicast Octets : 1662068

L3 Output Multicast Packets : 0

L3 Output Multicast Octets : 0

L3 Input Multicast Packets : 0

L3 Input Multicast Octets : 0

L2 Multicast Packets : 1942L2 Multicast Octets : 124312

6500# show vlan counters

* Multicast counters include broadcast packets

Vlan Id : 1

L2 Unicast Packets : 37602

L2 Unicast Octets : 3701591

L3 Input Unicast Packets : 12025

L3 Input Unicast Octets : 12597999

L3 Output Unicast Packets : 13855L3 Output Unicast Octets : 1662068

L3 Output Multicast Packets : 0

L3 Output Multicast Octets : 0

L3 Input Multicast Packets : 0

L3 Input Multicast Octets : 0

L2 Multicast Packets : 1942

L2 Multicast Octets : 124312

VLAN counters for each VLAN can be displayed as follows


35/36


Cisco Systems


6500# show vlan id 3000

VLAN Name Status Ports---- -------------------------------- --------- -------------------------------

3000 Engineering active Gi1/2, Gi1/5, Gi1/6, Gi1/7

Gi1/8, Gi1/12, Gi1/14, Gi3/3

Gi3/4, Gi3/5, Gi3/6, Gi3/7

Gi4/1, Gi4/2, Gi4/3, Gi5/2

VLAN Type SAID MTU Parent RingNo BridgeNo Stp BrdgMode Trans1 Trans2---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------

3000 enet 103000 1500 - - - - - 0 0

Remote SPAN VLAN

----------------

Disabled

Primary Secondary Type Ports

------- --------- ----------------- ------------------------------------------

6500#

6500# show vlan id 3000


---- -------------------------------- --------- -------------------------------3000 Engineering active Gi1/2, Gi1/5, Gi1/6, Gi1/7

Gi1/8, Gi1/12, Gi1/14, Gi3/3Gi3/4, Gi3/5, Gi3/6, Gi3/7

Gi4/1, Gi4/2, Gi4/3, Gi5/2

VLAN Type SAID MTU Parent RingNo BridgeNo Stp BrdgMode Trans1 Trans2

---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------3000 enet 103000 1500 - - - - - 0 0

Remote SPAN VLAN

----------------

Disabled

Primary Secondary Type Ports

------- --------- ----------------- ------------------------------------------

6500#


36/36


Cisco Systems

vlans - anandp

Documents