Creating and configuring VLANs on Cisco Catalyst switches


A VLAN (Virtual LAN) is a term derived from LAN (local area network) and represents a logical grouping of hosts with the same set of requirements. All hosts in a VLAN communicate as if they were attached to the same broadcast domain, regardless of their physical location. By grouping switch ports into different VLANs we create separate logical broadcast domains. Member ports of the same VLAN can communicate with each other without any Layer 3 routing. To allow communication between different VLANs we must use a Layer 3 device such as a router, or we can use SVIs (switched virtual interfaces). Using VLANs can provide the following benefits:

  • Improved network management – adding and changing VLANs are easier and less expensive to perform.
  • Scalability – ability to share information and resources between different physical locations.
  • Security – users with sensitive data can be separated from the rest of the network.
  • Performance enhancements – reduces overall network utilization by segmenting a physical switch into logical broadcast domains
  • Cost reduction – workstations can be moved from one workgroup to another without installing new network cabling and reconfiguring routers.

VLAN Membership

When a VLAN is provided at an access-layer switch, an end user must have some means of gaining membership to it. Two membership methods exist on Cisco Catalyst switches:

  • Static VLAN configuration
  • Dynamic VLAN assignment

Static VLANs are also referred to as port-based VLANs. Static VLAN assignments are created when the network administrator manually assigns ports to a VLAN. End-user devices become members of a VLAN based on the physical switch port to which they are connected. Each port receives a Port VLAN ID (PVID) that associates it with a VLAN number. The ports on a single switch can be assigned and grouped into many VLANs. For example, if we have a 24-port Cisco switch we can split all the ports into 3 VLANs. The first 8 ports can be in VLAN 1, the next eight in VLAN 2 and the last 8 in VLAN 3. If a machine is moved from port 7 to port 20, it will effectively change VLANs.

Dynamic VLANs provide membership based on the MAC address of an end-user device. When a device is connected to a switch port, the switch must query a database to establish VLAN membership. A network administrator must also assign the user’s MAC address to a VLAN in the database of a VLAN Membership Policy Server (VMPS). If a machine is moved, it will retain the original VLAN membership regardless of its port number. Dynamic VLANs allow a great deal of flexibility and mobility for end users but require more administrative overhead.

In this article we will discuss only creation of static VLANs.

Creating VLANs

By default, an unconfigured Catalyst switch has only one VLAN defined. This VLAN is named the native VLAN and is usually VLAN 1. Being the default VLAN, it cannot be removed from the switch. Frames belonging to this VLAN are not encapsulated with any tagging information.

The first step to add a new static VLAN is to create one using the vlan global configuration command followed by the vlan ID and optionally by a name.

SW01(config)# vlan vlan-id name vlan-name

The available VLAN ID range for this command is 1 to 4094. VLANs 1 and 1002 through 1005 are created automatically and are set aside for special uses. For example, VLAN 1 is the default VLAN for every switch port. VLANs 1002 to 1005 are reserved for legacy functions related to Token Ring and FDDI switching. Catalyst IOS switches can also support extended-range VLANs, in which the VLAN number can be 1 to 4094, for compatibility with the IEEE 802.1Q standard. The “vlan-name” is a friendly description of the VLAN used for easy identification. If no name is entered for the VLAN, the default is to append the vlan-id with leading zeros to the word VLAN. For example, VLAN0007 is the default VLAN name for VLAN 7.

For example, let’s create a VLAN with ID 5 and name Management.

SW01(config)# vlan 5 name Management

If we want to delete an already created VLAN we must use the no form of the vlan command:

SW01(config)# no vlan 5

The default VLAN 1 and 1002 to 1005 cannot be deleted. When you delete a VLAN, any ports assigned to that VLAN become inactive. There is no need to include the name when deleting.

Assigning ports to VLANs

After the VLAN is created it must be assigned to specific switch ports. To add a switch port to an existing VLAN, the port must be configured for static access. For this we must enter interface configuration mode and run the following set of commands on a specific interface:

SW01(config)# interface type module/number
SW01(config-if)# switchport mode access
SW01(config-if)# switchport access vlan vlan-num

The switchport mode access command forces the port to be assigned to only a single VLAN, providing VLAN connectivity to the access layer or end user. Then the port is added to the specified vlan using the switchport access vlan command. As a practical example let’s assume we want to add port 7 to a VLAN with ID 5.

SW01(config)# interface GigabitEthernet 0/7
SW01(config-if)# switchport mode access
SW01(config-if)# switchport access vlan 5

From now on, the port can communicate with other hosts in VLAN 5 but not other VLANs. In order to enable communication between separate VLANs we need to enable trunking. This is a topic for another article.

It is also possible to assign a port membership to a non-existent VLAN ID. The switch will create the VLAN for you:

SW01(config)#interface GigabitEthernet 0/7
SW01(config-if)#switchport access vlan 15
% Access VLAN does not exist. Creating vlan 15

Verifying VLANs configuration

To see a list of all the VLANs and the ports assigned to them, use the show vlan command. To narrow down the information displayed, you can add one of these keywords after the command: brief, id vlan-number, or name vlan-name:

SW01#sh vlan

VLAN Name                             Status    Ports
---- -------------------------------- --------- --------------------------------------------
1    default                          active    Gi0/1, Gi0/2, Gi0/3, Gi0/4, Gi0/5, Gi0/6, Gi0/7,
                                                Gi0/8, Gi0/9, Gi0/10, Gi0/22, Gi0/23
5    Engineering                      active    Gi0/15, Gi0/16, Gi0/17, Gi0/18
10   Management                       active    Gi0/19, Gi0/20, Gi0/21
15   Accounting                       active    Gi0/11, Gi0/12, Gi0/13, Gi0/14
1002 fddi-default                     act/unsup 
1003 token-ring-default               act/unsup 
1004 fddinet-default                  act/unsup 
1005 trnet-default                    act/unsup

The VLAN column displays the IDs of all VLANs available in the switch database. The Name column shows each VLAN's friendly name if one is defined; if no name was given when the VLAN was created, the default value is used (e.g. VLAN0005 for VLAN 5). The Status column shows the status of each VLAN (active or suspend, act/lshut or sus/lshut, or act/ishut or sus/ishut). The last column, Ports, displays all the ports that belong to each VLAN. Another useful command for displaying VLAN information for each port is show interface type module/number switchport.

SW01#show interface GigabitEthernet 0/7 switchport
Name: Gi0/7
Switchport: Enabled
Administrative Mode: dynamic desirable
Operational Mode: down
Administrative Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Voice VLAN: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL
Protected: false
Appliance trust: none

This command displays the administrative and operational status of a switching (nonrouting) port. Here we can see that port 7 belongs to the native default VLAN 1 and that its administrative mode is dynamic desirable, which means the port can negotiate a trunk link with the device connected to it.
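To confirm across many ports that the static access assignment actually took effect, the same output can be checked by script. The following is an added example, not part of the original article: it parses show interface switchport text and reports ports that can still negotiate a trunk or are still in VLAN 1. The sample text and the function names are constructed for illustration.

```python
# Constructed sample: two ports in the `show interface ... switchport` layout shown above.
SWITCHPORT = """\
Name: Gi0/7
Switchport: Enabled
Administrative Mode: dynamic desirable
Operational Mode: down
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)

Name: Gi0/15
Switchport: Enabled
Administrative Mode: static access
Operational Mode: static access
Negotiation of Trunking: Off
Access Mode VLAN: 5 (Engineering)
Trunking Native Mode VLAN: 1 (default)
"""

def parse_switchport(text):
    """Split the output into one {field: value} dict per port ("Name:" starts a port)."""
    ports = []
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue  # blank lines and fields without a colon ("Capture Mode Disabled")
        if key.strip() == "Name":
            ports.append({})
        if ports:
            ports[-1][key.strip()] = value.strip()
    return ports

def audit(ports):
    """Return (port, finding) pairs for ports not yet locked to a dedicated access VLAN."""
    findings = []
    for p in ports:
        name = p.get("Name", "?")
        mode = p.get("Administrative Mode", "")
        if mode.startswith("dynamic"):
            findings.append((name, f"can negotiate a trunk (mode {mode})"))
        if p.get("Access Mode VLAN", "").split(" ")[0] == "1":
            findings.append((name, "still in the default VLAN 1"))
    return findings
```

A port configured with switchport mode access and switchport access vlan 5, like Gi0/15 in the sample, produces no findings.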

Saving VLAN configuration

The configurations of VLAN IDs 1 to 1005 are always saved in the VLAN database (vlan.dat file). You should create a backup of the vlan.dat file in addition to backing up the running-config and startup-config files. This file is stored in NVRAM and its contents are preserved across switch reboots. To reset the VLAN information, you have to remove the vlan.dat file and reload the switch.

Troubleshooting VLAN Issues

The following are three steps in troubleshooting VLAN problems:

  • Check the physical connectivity – Make sure the cable, the network adapter, and switch port are good. Check the port’s link LED.
  • Check the switch configuration – If you see FCS errors or late collisions, suspect a duplex mismatch. Also check configured speed on both ends of the link. Increasing collisions can mean an overloaded link, such as with a broadcast storm.
  • Check the VLAN configuration – If two hosts cannot communicate, make sure they are both in the same VLAN. If a host cannot connect to a switch, make sure the host and the switch are in the same VLAN.
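The last check can be run directly against the show vlan table described earlier. The following is an added example, not part of the original article: it parses the table, including wrapped port lists and the second "VLAN Type" section of the full output, and tests whether two ports are in the same VLAN. The sample text and function names are constructed, and VLAN names are assumed to contain no spaces.

```python
import re

# Constructed sample in the layout of the `show vlan` output shown above.
SHOW_VLAN = """\
VLAN Name                             Status    Ports
---- -------------------------------- --------- --------------------------------------------
1    default                          active    Gi0/1, Gi0/2, Gi0/3, Gi0/4, Gi0/5, Gi0/6, Gi0/7,
                                                Gi0/8, Gi0/9, Gi0/10, Gi0/22, Gi0/23
5    Engineering                      active    Gi0/15, Gi0/16, Gi0/17, Gi0/18
10   Management                       active    Gi0/19, Gi0/20, Gi0/21
15   Accounting                       active    Gi0/11, Gi0/12, Gi0/13, Gi0/14
1002 fddi-default                     act/unsup

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
1    enet  100001     1500  -      -      -        -    -        0      0
"""

ROW = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s*(.*)$")

def parse_show_vlan(text):
    """Return {vlan_id: {"name", "status", "ports"}} from `show vlan` text."""
    vlans, current = {}, None
    for line in text.splitlines():
        if line.startswith("VLAN Type"):
            break  # second table of the full output: its rows are not port lists
        m = ROW.match(line)
        if m:
            current = int(m.group(1))
            vlans[current] = {"name": m.group(2), "status": m.group(3), "ports": []}
            ports = m.group(4)
        elif current is not None and line.startswith(" ") and line.strip():
            ports = line  # wrapped continuation of the previous VLAN's port list
        else:
            current = None  # header, separator or blank line
            continue
        vlans[current]["ports"] += [p.strip() for p in ports.split(",") if p.strip()]
    return vlans

def port_vlan(vlans, port):
    """VLAN id an access port is listed under, or None if absent from the table."""
    return next((vid for vid, v in vlans.items() if port in v["ports"]), None)

def same_vlan(vlans, port_a, port_b):
    """Troubleshooting check: are both ports listed in the same VLAN?"""
    a, b = port_vlan(vlans, port_a), port_vlan(vlans, port_b)
    return a is not None and a == b
```

A port that does not appear in the table at all returns None from port_vlan, so same_vlan reports False for it rather than guessing.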


VLANs are necessary for intelligent migration from shared to switched LAN infrastructure. They introduce a significant step towards the concept of self-managed networks. Not only can VLANs be defined and used, but more important, VLANs can be reliably managed, here and now.
