How to Configure, Verify and Troubleshoot a VLAN
Virtual LANs within a switched local area network provide segmentation and effective network management as well as security. Network Engineers have the flexibility of segmenting their network into separate VLANs according to work groups, department differentiation or even application usage without worrying about the physical location of the hosts. What’s more, due to the fact that each host is applied to a single VLAN on the switch, added security is achieved.
Each VLAN consists of a separated broadcast domain. Which means that only ports belonging to a specific VLAN share broadcasts eliminating unnecessary traffic from flooding the entire network; hence improving the overall performance of the network.
By now, you’re probably thinking that your VLANs can spread through a couple of building infrastructures. Well get this … VLANs can also extend their existence across Wide Area Networks (WANs) using a layer 2 tunnel. This is why VLANs can be designed without regard of the physical location of the hosts. This is also why VLANs are virtually the coolest LANs out there.
In this article, I’ll explain some basic concepts behind VLAN operation on Cisco catalyst switches. I’ll also give you the steps to configuring, verifying and troubleshooting a VLAN.
Cisco catalyst switches support Dynamic VLANs by using a VLAN Management Policy Server in order to assign specific VLAN IDs to corresponding MAC addresses. Usually, Static assignment of VLANs to switch ports is configured. To be able to do so, first, all different VLAN subnets need to be defined. Afterwards, VLAN IDs can be assigned to switch ports and a host that attaches on a given port automatically assumes the VLAN membership of that port.
Once a VLAN membership is granted, a host can communicate to other hosts within the same VLAN. If routing between different VLANs is required then a router needs to be incorporated in the network. A host link can have access to only one VLAN. A link that is able to carry more than one VLAN tagged frame is called a trunk and the method of identifying several different VLANS on a trunk is called tagging.
Cisco used to support its own proprietary trunking protocol for VLAN tagging – ISL, or InterSwitch Link Protocol. However, ISL is not supported anymore and Cisco suggests using IEEE 802.1Q protocol instead.
The IEEE 802.1Q header contains a 4-byte tag header containing a 2-byte protocol identifier (TPID) and 2-byte control information (TCI). The TPID has a fixed value of 0x8100 that indicates that the frame carries the 802.1Q/802.1p tag information.
The TCI contains the following elements:
- Three-bit user priority
- One-bit canonical format indicator (CFI)
- Twelve-bit VLAN identifier (VID) which uniquely identifies the VLAN to which the frame belongs
A schematic diagram of the 802.1Q frame is shown below:
Configuring VLANs is actually very easy. The difficulty is to decide which users should belong to which VLAN. Once you’ve decided this and visualized the VLAN enabled network, then you are ready to create your VLANs on the Cisco catalyst switch. Take a look at this example:
How to Assign Switch Ports to a VLAN
The following commands indicate how you can assign interface fastethernet 2 to vlan2 and fastethernet 3 to vlan 3:
Configuring 802.1Q Trunking
To set a Fast Ethernet port or even a Gigabit Ethernet port to trunk mode use the switchport mode interface configuration command:
The switchport mode command can be configured using 4 different options:
- Trunk: The interface is configured into permanent trunking mode and negotiates with the partner site interface to set up the into trunk mode.
- Access: Disables port trunk mode; no trunking negotiation takes place.
- Dynamic desirable: Enables interfaces continuous attempt to convert the link to a trunking link. The interface becomes a trunk interface if the neighboring interface is set to trunk, desirable, or auto mode. This is the default mode for all Ethernet interfaces.
- Dynamic auto: Makes the interface to become a trunk only if the connected port is set to trunk or desirable.
How to Verify a VLAN Configuration
Use the show vlan command to verify your VLAN configuration. This command displays all switchports and their associated VLAN as well as the VLAN status and some extra parameters that relate to Token Ring and FDDI trunks.
You can use the show vlan id [vlan#] command to see information about a particular VLAN. Below you can see a sample output of the show vlan command.
You can also use the show interface [interface name-number] switchport command to display the VLAN
information on the particular interface as well as the interfaces administrative and operational mode (access or trunk mode).
A sample output of this command is presented below:
Use the show ip interface vlan [vlan#] command to display ip related information on a particular VLAN as well as status and MAC address. Here is a sample output of this command:
How to Troubleshoot a VLAN Configuration
Three main steps need to be followed when troubleshooting VLAN problems:
- The first thing you need to do is to make sure that your cable and switch port are good. Always start your troubleshooting procedure by investigating your physical connectivity. Test your cable and make sure it’s working. Check the swith ports link LED to make sure that layer 1 is working properly.
- Next, check your switche’s interface configuration. Use the command show interface [interface name-number] to check whether there are CRC errors or late collisions perceived on the interface.These errors are usually the result of physical problems such as bad cable or NIC but can also indicate duplex mismatch with the attached device. If you notice that collisions are increasing continuously, then look for a duplex mismatch problem or even for congestion on the link.
- If two hosts cannot communicate then check whether they are in the same VLAN. If they are positioned into different VLANS then you definitely need a router to be able to enable communication between the two hosts. If a host is not able to connect to the switch, make sure the host belongs to the same subnet as the switchs VLAN.
Organize and Secure Your Network with a VLAN
It’s always a good habit to differentiate hosts in a network either based on departmental differentiation, expertise classification or anything else you think would work. What you end up with are groups that need isolation for better network performance and stronger security.
VLANS are able to accomodate both: better network performace and improved security. VLANs will help you administer your network in a more efficient way, at the same time conserving network resources by preventing flooding of unnecessary traffic within the network.