VLAN Implementations (3.2)
Network administrators who are responsible for portions of the switched network are familiar with the basic configuration tasks related to creating VLANs, configuring trunk links, associating voice and data VLANs with ports, and securing the VLAN implementation. This section describes the major tasks required to configure VLANs and trunks on switches in the network infrastructure.
VLAN Assignment (3.2.1)
The first step in configuring VLANs is to create the VLANs and to associate switch ports with VLANs.
VLAN Ranges on Catalyst Switches (3.2.1.1)
Different Cisco Catalyst switches support various numbers of VLANs. The number of supported VLANs is large enough to accommodate the needs of most organizations. For example, the Catalyst 2960 and 3560 Series switches support over 4000 VLANs. Normal-range VLANs on these switches are numbered 1 to 1005, and extended-range VLANs are numbered 1006 to 4094. Catalyst 2960 switches running Cisco IOS Release 15.x support extended-range VLANs.
Normal-Range VLANs
Normal-range VLANs are the ones usually used in switched networks, because most networks do not need over 1000 VLANs!
- Used in small- and medium-sized business and enterprise networks.
- Identified by a VLAN ID between 1 and 1005.
- IDs 1002 through 1005 are reserved for Token Ring and FDDI VLANs.
- IDs 1 and 1002 to 1005 are automatically created and cannot be removed.
- Configurations are stored within a VLAN database file called vlan.dat. The vlan.dat file is located in the flash memory of the switch.
- The VLAN Trunking Protocol (VTP), which helps manage VLAN configurations between switches, can only learn and store normal-range VLANs.
Extended-Range VLANs
Extended-range VLANs are primarily used in metropolitan service provider networks requiring over 1000 VLANs to support the various customers.
- Enable service providers to extend their infrastructure to a greater number of customers. Some global enterprises could be large enough to need extended-range VLAN IDs.
- Are identified by a VLAN ID between 1006 and 4094.
- Configurations are not written to the vlan.dat file.
- Support fewer VLAN features than normal-range VLANs.
- Are, by default, saved in the running configuration file.
- VTP does not learn extended-range VLANs.
Creating a VLAN (3.2.1.2)
When configuring normal-range VLANs, the configuration details are stored in flash memory on the switch in a file called vlan.dat. Flash memory is persistent and does not require the copy running-config startup-config command. However, because other details are often configured on a Cisco switch at the same time that VLANs are created, it is good practice to save running configuration changes to the startup configuration.
Table 3-1 displays the Cisco IOS command syntax used to add a VLAN to a switch and give it a name. Naming each VLAN is considered a best practice in switch configuration.
Table 3-1 Creating a VLAN
Cisco Switch IOS Commands
Enter global configuration mode. | S1# configure terminal
Create a VLAN with a valid ID number. | S1(config)# vlan vlan-id
Specify a unique name to identify the VLAN. | S1(config-vlan)# name vlan-name
Return to privileged EXEC mode. | S1(config-vlan)# end
Figure 3-10 shows how the student VLAN (VLAN 20) is configured on switch S1. In the topology example, the student computer (PC2) has not been associated with a VLAN yet, but it does have an IP address of 172.17.20.22.
Figure 3-10 Sample VLAN Configuration
In addition to entering a single VLAN ID, a series of VLAN IDs can be entered separated by commas, or a range of VLAN IDs separated by hyphens using the vlan vlan-id command. For example, use the following command to create VLANs 100, 102, 105, 106, and 107:
S1(config)# vlan 100,102,105-107
Assigning Ports to VLANs (3.2.1.3)
After creating a VLAN, the next step is to assign ports to the VLAN. An access port can belong to only one VLAN at a time. One exception to this rule is that of a port connected to an IP phone, in which case there are two VLANs associated with the port: one for voice and one for data.
Table 3-2 displays the syntax for defining a port to be an access port and assigning it to a VLAN. The switchport mode access command is optional but strongly recommended as a security best practice. With this command, the interface changes to permanent access mode.
Table 3-2 Assign Ports to VLANs
Cisco Switch IOS Commands
Enter global configuration mode. | S1# configure terminal
Enter interface configuration mode. | S1(config)# interface interface-id
Set the port to access mode. | S1(config-if)# switchport mode access
Assign the port to a VLAN. | S1(config-if)# switchport access vlan vlan-id
Return to the privileged EXEC mode. | S1(config-if)# end
In Figure 3-11, VLAN 20 is assigned to port F0/18 on switch S1; therefore, the student computer (PC2) is in VLAN 20. When VLAN 20 is configured on other switches, the network administrator knows to configure the other student computers to be in the same subnet as PC2 (172.17.20.0/24).
Figure 3-11 Sample Interface Configuration for VLANs
The switchport access vlan command forces the creation of a VLAN if it does not already exist on the switch. For example, VLAN 30 is not present in the show vlan brief output of the switch. If the switchport access vlan 30 command is entered on any interface with no previous configuration, the switch displays
% Access VLAN does not exist. Creating vlan 30
Changing VLAN Port Membership (3.2.1.4)
There are a number of ways to change VLAN port membership. Table 3-3 shows the syntax for changing a switch port to VLAN 1 membership with the no switchport access vlan interface configuration mode command.
Table 3-3 Removing a VLAN Assignment
Cisco Switch IOS Commands
Enter global configuration mode. | S1# configure terminal
Enter interface configuration mode. | S1(config)# interface interface-id
Remove the VLAN assignment from the port. | S1(config-if)# no switchport access vlan
Return to the privileged EXEC mode. | S1(config-if)# end
Interface F0/18 was previously assigned to VLAN 20. The no switchport access vlan command is entered for interface F0/18. Examine the output in the show vlan brief command, as shown in Example 3-3. The show vlan brief command displays the VLAN assignment and membership type for all switch ports. The show vlan brief command displays one line for each VLAN. The output for each VLAN includes the VLAN name, status, and switch ports.
Example 3-3 Sample VLAN Assignment Removal
S1(config)# interface f0/18
S1(config-if)# no switchport access vlan
S1(config-if)# do show vlan brief
VLAN Name Status Ports
---- -------------------------------- --------- --------------------------
1 default active Fa0/1, Fa0/2, Fa0/3, Fa0/4
Fa0/5, Fa0/6, Fa0/7, Fa0/8
Fa0/9, Fa0/10, Fa0/11, Fa0/12
Fa0/13, Fa0/14, Fa0/15, Fa0/16
Fa0/17, Fa0/18, Fa0/19, Fa0/20
Fa0/21, Fa0/22, Fa0/23, Fa0/24
Gi0/1, Gi0/2
20 student active
1002 fddi-default act/unsup
1003 token-ring-default act/unsup
1004 fddinet-default act/unsup
1005 trnet-default act/unsup
VLAN 20 is still active, even though no ports are assigned to it. In Example 3-4, the show interfaces f0/18 switchport output verifies that the access VLAN for interface F0/18 has been reset to VLAN 1.
Example 3-4 Verification of VLAN Assignment Removal
S1# show interfaces f0/18 switchport
Name: Fa0/18
Switchport: Enabled
Administrative Mode: dynamic auto
Operational Mode: down
Administrative Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
<output omitted>
A port can easily have its VLAN membership changed. It is not necessary to first remove a port from a VLAN to change its VLAN membership. When an access port has its VLAN membership reassigned to another existing VLAN, the new VLAN membership simply replaces the previous VLAN membership. In Example 3-5, port F0/11 is assigned to VLAN 20.
Example 3-5 Changing VLAN Assignment
S1(config)# interface f0/11
S1(config-if)# switchport mode access
S1(config-if)# switchport access vlan 20
S1(config-if)# end
*Mar 31 09:33:26.058: %SYS-5-CONFIG_I: Configured from console by console
S1# show vlan brief
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------
1 default active Fa0/1, Fa0/2, Fa0/3, Fa0/4
Fa0/5, Fa0/6, Fa0/7, Fa0/8
Fa0/9, Fa0/10, Fa0/12, Fa0/13
Fa0/14, Fa0/15, Fa0/16, Fa0/17
Fa0/18, Fa0/19, Fa0/20, Fa0/21
Fa0/22, Fa0/23, Fa0/24, Gi0/1
Gi0/2
20 student active Fa0/11
1002 fddi-default act/unsup
1003 token-ring-default act/unsup
1004 fddinet-default act/unsup
1005 trnet-default act/unsup
S1#
Deleting VLANs (3.2.1.5)
In Example 3-6, the no vlan vlan-id global configuration mode command is used to remove VLAN 20 from the switch. Switch S1 had a minimal configuration with all ports in VLAN 1 and an unused VLAN 20 in the VLAN database. The show vlan brief command verifies that VLAN 20 is no longer present in the vlan.dat file after using the no vlan 20 command.
Example 3-6 Deleting a VLAN
S1(config)# no vlan 20
S1(config)# end
S1#
*Mar 1 07:37:55.785: %SYS-5-CONFIG_I: Configured from console by console
S1# show vlan brief

VLAN Name                             Status    Ports
---- -------------------------------- --------- --------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                Fa0/9, Fa0/10, Fa0/12, Fa0/13
                                                Fa0/14, Fa0/15, Fa0/16, Fa0/17
                                                Fa0/18, Fa0/19, Fa0/20, Fa0/21
                                                Fa0/22, Fa0/23, Fa0/24, Gi0/1
                                                Gi0/2
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup
Alternatively, the entire vlan.dat file can be deleted using the delete flash:vlan.dat privileged EXEC mode command. The abbreviated command version (delete vlan.dat) can be used if the vlan.dat file has not been moved from its default location. After issuing this command and reloading the switch, the previously configured VLANs are no longer present. This effectively places the switch into its factory default condition concerning VLAN configurations.
Verifying VLAN Information (3.2.1.6)
After a VLAN is configured, VLAN configurations can be validated using Cisco IOS show commands.
Table 3-4 displays the show vlan command options.
Table 3-4 show vlan Command
Cisco IOS CLI Command Syntax
show vlan [brief | id vlan-id | name vlan-name | summary]
brief | Display one line for each VLAN with the VLAN name, status, and its ports.
id vlan-id | Display information about a single VLAN identified by VLAN ID number. For vlan-id, the range is 1 to 4094.
name vlan-name | Display information about a single VLAN identified by VLAN name. The VLAN name is an ASCII string from 1 to 32 characters.
summary | Display VLAN summary information.
Table 3-5 displays the show interfaces command options.
Table 3-5 show interfaces Command
Cisco IOS CLI Command Syntax
show interfaces [interface-id | vlan vlan-id] | switchport
interface-id | Valid interfaces include physical ports (including type, module, and port number) and port channels. The port-channel range is 1 to 6.
vlan vlan-id | VLAN identification. The range is 1 to 4095.
switchport | Display the administrative and operational status of a switching port, including port blocking and port protection settings.
In Example 3-7, the show vlan name student command produces output that is not easily interpreted. The preferable option is to use the show vlan brief command. The show vlan summary command displays the count of all configured VLANs. The output in Example 3-7 shows seven VLANs.
Example 3-7 Using the show vlan Command
S1# show vlan name student

VLAN Name                             Status    Ports
---- -------------------------------- --------- --------------------------
20   student                          active    Fa0/11

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
20   enet  100020     1500  -      -      -        -    -        0      0

Remote SPAN VLAN
----------------
Disabled

Primary Secondary Type              Ports
------- --------- ----------------- -------------------------------------

S1# show vlan summary
Number of existing VLANs           : 7
 Number of existing VTP VLANs      : 7
 Number of existing extended VLANs : 0
The show interfaces vlan vlan-id command displays details that are beyond the scope of this course. The important information appears on the second line in Example 3-8, indicating that VLAN 20 is up.
Example 3-8 Using the show interfaces vlan Command
S1# show interfaces vlan 20
Vlan20 is up, line protocol is down
  Hardware is EtherSVI, address is 0021.a1e0.78c1 (bia 0021.a1e0.78c1)
  MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive not supported
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input never, output never, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     0 packets input, 0 bytes, 0 no buffer
     Received 0 broadcasts (0 IP multicasts)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 packets output, 0 bytes, 0 underruns
     0 output errors, 0 interface resets
     0 output buffer failures, 0 output buffers swapped out
S1#
VLAN Trunks (3.2.2)
In this section, the elements of VLAN trunk configuration are explored. Remember that VLAN trunks carry all the control traffic between switches. VLAN trunks enable the communication between switches required for many of the technologies specific to the LAN switched environment.
Configuring IEEE 802.1Q Trunk Links (3.2.2.1)
A VLAN trunk is an OSI Layer 2 link between two switches that carries traffic for all VLANs (unless the allowed VLAN list is restricted manually or dynamically). To enable trunk links, configure the ports on either end of the physical link with parallel sets of commands.
To configure a switch port on one end of a trunk link, use the switchport mode trunk command. With this command, the interface changes to permanent trunking mode. The port enters into a Dynamic Trunking Protocol (DTP) negotiation to convert the link into a trunk link even if the interface connecting to it does not agree to the change. DTP is described in the next topic. In this course, the switchport mode trunk command is the only method implemented for trunk configuration.
The Cisco IOS command syntax to specify a native VLAN (other than VLAN 1) is shown in Table 3-6.
Table 3-6 802.1Q Trunk Configuration
Cisco Switch IOS Commands
Enter global configuration mode. | S1# configure terminal
Enter interface configuration mode. | S1(config)# interface interface-id
Force the link to be a trunk link. | S1(config-if)# switchport mode trunk
Specify a native VLAN for 802.1Q trunks. | S1(config-if)# switchport trunk native vlan vlan-id
Specify the list of VLANs to be allowed on the trunk link. | S1(config-if)# switchport trunk allowed vlan vlan-list
Return to the privileged EXEC mode. | S1(config-if)# end
Use the Cisco IOS switchport trunk allowed vlan vlan-list command to specify the list of VLANs to be allowed on the trunk link.
In Figure 3-12, VLANs 10, 20, and 30 support the Faculty, Student, and Guest computers (PC1, PC2, and PC3). The native VLAN should also be changed from VLAN 1 and changed to another VLAN such as VLAN 99. By default, all VLANs are allowed across a trunk link. The switchport trunk allowed vlan command can be used to limit the allowed VLANs.
Figure 3-12 Sample Interface Configuration for VLANs
In Example 3-9, the F0/1 port on switch S1 is configured as a trunk port, assigns the native VLAN to VLAN 99, and specifies the trunk to only forward traffic for VLANs 10, 20, 30, and 99.
Example 3-9 Sample Trunk Configuration
S1(config)# interface FastEthernet0/1
S1(config-if)# switchport mode trunk
S1(config-if)# switchport trunk native vlan 99
S1(config-if)# switchport trunk allowed vlan 10,20,30,99
S1(config-if)# end
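The vlan-list syntax used by vlan 100,102,105-107 earlier in this section is the same syntax the switchport trunk allowed vlan command accepts, and Example 3-9 depends on the native VLAN being included in that list. The following Python is an added example, not part of this course or of Cisco IOS: it expands a vlan-list, classifies each ID into the normal, reserved, or extended range described under VLAN Ranges, and reviews a trunk's native VLAN against its allowed list.

```python
import re

# VLAN ID ranges as given on this page for Catalyst 2960/3560 switches.
NORMAL_RANGE = range(1, 1006)          # 1-1005, stored in vlan.dat
RESERVED = {1002, 1003, 1004, 1005}    # Token Ring / FDDI, cannot be removed
EXTENDED_RANGE = range(1006, 4095)     # 1006-4094, kept in the running config


def parse_vlan_list(text):
    """Expand IOS vlan-list syntax such as '100,102,105-107' into a sorted
    list of VLAN IDs. Raises ValueError on a malformed token or an ID
    outside 1-4094."""
    ids = set()
    for token in text.replace(" ", "").split(","):
        if not token:
            continue
        m = re.fullmatch(r"(\d+)(?:-(\d+))?", token)
        if m is None:
            raise ValueError(f"malformed VLAN token: {token!r}")
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        if lo > hi:
            raise ValueError(f"descending range: {token!r}")
        if lo < 1 or hi > 4094:
            raise ValueError(f"VLAN ID outside 1-4094: {token!r}")
        ids.update(range(lo, hi + 1))
    return sorted(ids)


def classify_vlan(vlan_id):
    """Return 'reserved', 'normal' or 'extended' for one VLAN ID.
    Only normal-range VLANs are learned by VTP and written to vlan.dat."""
    if vlan_id in RESERVED:
        return "reserved"
    if vlan_id in NORMAL_RANGE:
        return "normal"
    if vlan_id in EXTENDED_RANGE:
        return "extended"
    raise ValueError(f"VLAN ID outside 1-4094: {vlan_id}")


def check_trunk(native_vlan, allowed_list):
    """Review the two trunk settings from Example 3-9. Returns a list of
    findings; an empty list means the trunk passes both checks."""
    findings = []
    allowed = parse_vlan_list(allowed_list)
    # Traffic for the native VLAN crosses the trunk only if that VLAN is
    # also in the allowed list.
    if native_vlan not in allowed:
        findings.append(
            f"native VLAN {native_vlan} is not in allowed list {allowed_list}"
        )
    # The page recommends moving the native VLAN off the default VLAN 1.
    if native_vlan == 1:
        findings.append("native VLAN left at default VLAN 1")
    return findings


if __name__ == "__main__":
    print(parse_vlan_list("100,102,105-107"))
    print(check_trunk(99, "10,20,30"))
```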
Resetting the Trunk to the Default State (3.2.2.2)
Table 3-7 shows the commands to remove the allowed VLANs and reset the native VLAN of the trunk. When reset to the default state, the trunk allows all VLANs and uses VLAN 1 as the native VLAN.
Table 3-7 Resetting Configured Values on Trunk Links
Cisco Switch IOS Commands
Enter global configuration mode. | S1# configure terminal
Enter interface configuration mode. | S1(config)# interface interface-id
Remove the allowed VLAN list so that all VLANs are allowed on the trunk. | S1(config-if)# no switchport trunk allowed vlan
Reset the native VLAN to the default (VLAN 1). | S1(config-if)# no switchport trunk native vlan
Return to the privileged EXEC mode. | S1(config-if)# end
Example 3-10 shows the commands used to reset all trunking characteristics of a trunking interface to the default settings. The show interfaces f0/1 switchport command reveals that the trunk has been reconfigured to a default state.
Example 3-10 Resetting Trunk Link
S1(config)# interface f0/1
S1(config-if)# no switchport trunk allowed vlan
S1(config-if)# no switchport trunk native vlan
S1(config-if)# end
S1# show interfaces f0/1 switchport
Name: Fa0/1
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
<output omitted>
Administrative private-vlan trunk mappings: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
<output omitted>
In Example 3-11, the sample output shows the commands used to remove the trunk feature from the F0/1 switch port on switch S1. The show interfaces f0/1 switchport command reveals that the F0/1 interface is now in static access mode.
Example 3-11 Return Port to Access Mode
S1(config)# interface f0/1
S1(config-if)# switchport mode access
S1(config-if)# end
S1# show interfaces f0/1 switchport
Name: Fa0/1
Switchport: Enabled
Administrative Mode: static access
Operational Mode: static access
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: native
Negotiation of Trunking: Off
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
<output omitted>
Verifying Trunk Configuration (3.2.2.3)
Example 3-12 displays the configuration of switch port F0/1 on switch S1. The configuration is verified with the show interfaces interface-id switchport command.
Example 3-12 Verifying Trunk Configuration
S1(config)# interface f0/1
S1(config-if)# switchport mode trunk
S1(config-if)# switchport trunk native vlan 99
S1(config-if)# end
S1# show interfaces f0/1 switchport
Name: Fa0/1
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 99 (VLAN0099)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk associations: none
Administrative private-vlan trunk mappings: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
<output omitted>
The Administrative Mode: trunk line near the top of the output shows that port F0/1 has its administrative mode set to trunk, and the Operational Mode line confirms that the port is in trunking mode. The Trunking Native Mode VLAN line verifies that the native VLAN is VLAN 99. Farther down in the output, the Trunking VLANs Enabled: ALL line shows that all VLANs are enabled on the trunk.
Dynamic Trunking Protocol (3.2.3)
Networking technologies often involve both manual and automatic implementations. For example, routing, speed/duplex port configuration, and cable selection versus auto-MDIX illustrate this dichotomy of manual versus automatic. In LAN switching, Dynamic Trunking Protocol (DTP) is one of the first examples one encounters of manual versus automatic. With DTP, network administrators have the option to let neighboring switches autonegotiate trunk formation.
Introduction to DTP (3.2.3.1)
Ethernet trunk interfaces support different trunking modes. An interface can be set to trunking or nontrunking, or to negotiate trunking with the neighbor interface. Trunk negotiation is managed by the Dynamic Trunking Protocol (DTP), which operates on a point-to-point basis only between network devices.
DTP is a Cisco-proprietary protocol that is automatically enabled on Catalyst 2960 and Catalyst 3560 Series switches. Switches from other vendors do not support DTP. DTP manages trunk negotiation only if the port on the neighbor switch is configured in a trunk mode that supports DTP.
The default DTP configuration for Cisco Catalyst 2960 and 3560 switches is dynamic auto, as shown in Figure 3-13 on interface F0/3 of switches S1 and S3.
Figure 3-13 Initial DTP Configuration
To enable trunking from a Cisco switch to a device that does not support DTP, use the switchport mode trunk and switchport nonegotiate interface configuration mode commands. This causes the interface to become a trunk, but not generate DTP frames.
In Figure 3-14, the link between switches S1 and S2 becomes a trunk because the F0/1 ports on switches S1 and S2 are configured to ignore all DTP advertisements, and to come up in and stay in trunk port mode. The F0/3 ports on switches S1 and S3 are set to dynamic auto, so the negotiation results in the access mode state. This creates an inactive trunk link. When configuring a port to be in trunk mode, use the switchport mode trunk command. There is no ambiguity about which state the trunk is in; it is always on. With this configuration, it is easy to remember which state the trunk ports are in; if the port is supposed to be a trunk, the mode is set to trunk.
Figure 3-14 DTP Interaction Results
Negotiated Interface Modes (3.2.3.2)
Ethernet interfaces on Catalyst 2960 and Catalyst 3560 Series switches support different trunking modes with the help of DTP:
- switchport mode access: Puts the interface (access port) into permanent nontrunking mode and negotiates to convert the link into a nontrunk link. The interface becomes a nontrunk interface, regardless of whether the neighboring interface is a trunk interface.
- switchport mode dynamic auto: Makes the interface able to convert the link to a trunk link. The interface becomes a trunk interface if the neighboring interface is set to trunk or desirable mode. The default switch port mode for all Ethernet interfaces is dynamic auto.
- switchport mode dynamic desirable: Makes the interface actively attempt to convert the link to a trunk link. The interface becomes a trunk interface if the neighboring interface is set to trunk, desirable, or auto mode. This is the default switch port mode on older switches, such as the Catalyst 2950 and 3550 Series switches.
- switchport mode trunk: Puts the interface into permanent trunking mode and negotiates to convert the neighboring link into a trunk link. The interface becomes a trunk interface even if the neighboring interface is not a trunk interface.
- switchport nonegotiate: Prevents the interface from generating DTP frames. You can use this command only when the interface switch port mode is access or trunk. You must manually configure the neighboring interface as a trunk interface to establish a trunk link.
Table 3-8 illustrates the results of the DTP configuration options on opposite ends of a trunk link connected to Catalyst 2960 switch ports.
Table 3-8 DTP-Negotiated Interface Modes
 | Dynamic Auto | Dynamic Desirable | Trunk | Access
Dynamic Auto | Access | Trunk | Trunk | Access
Dynamic Desirable | Trunk | Trunk | Trunk | Access
Trunk | Trunk | Trunk | Trunk | Limited Connectivity
Access | Access | Access | Limited Connectivity | Trunk
Configure trunk links statically whenever possible. The default DTP mode is dependent on the Cisco IOS Software version and on the platform. To determine the current DTP mode, issue the show dtp interface command, as shown in Example 3-13.
Example 3-13 Verifying DTP Mode
S1# show dtp interface f0/1
DTP information for FastEthernet0/1:
  TOS/TAS/TNS:                              TRUNK/ON/TRUNK
  TOT/TAT/TNT:                              802.1Q/802.1Q/802.1Q
  Neighbor address 1:                       0CD996D23F81
  Neighbor address 2:                       000000000000
  Hello timer expiration (sec/state):       12/RUNNING
  Access timer expiration (sec/state):      never/STOPPED
  Negotiation timer expiration (sec/state): never/STOPPED
  Multidrop timer expiration (sec/state):   never/STOPPED
  FSM state:                                S6:TRUNK
  # times multi & trunk                     0
  Enabled:                                  yes
  In STP:
<output omitted>
Troubleshoot VLANs and Trunks (3.2.4)
A network administrator responsible for portions of the switched infrastructure is able to quickly diagnose and solve problems. Troubleshooting VLANs and VLAN trunks is standard practice in a switched environment.
IP Addressing Issues with VLAN (3.2.4.1)
Each VLAN must correspond to a unique IP subnet. If two devices in the same VLAN have different subnet addresses, they cannot communicate. This is a common problem, and it is easy to solve by identifying the incorrect configuration and changing the subnet address to the correct one.
In Figure 3-15, PC1 cannot connect to the Web/TFTP server shown.
Figure 3-15 IP Issue Within VLAN
A check of the IP configuration settings of PC1 shown in Example 3-14 reveals the most common error in configuring VLANs: an incorrectly configured IP address. PC1 is configured with an IP address of 172.172.10.21, but it should have been configured with 172.17.10.21.
Example 3-14 Problem: Incorrect IP Address
PC1> ipconfig

IPv4 Address. . . . . . . . . . . : 172.172.10.21
Subnet Mask . . . . . . . . . . . : 255.255.0.0
Default Gateway . . . . . . . . . : 0.0.0.0
The PC1 Fast Ethernet configuration dialog box shows the updated IP address of 172.17.10.21. In Figure 3-16, the output on the bottom reveals that PC1 has regained connectivity to the Web/TFTP server found at IP address 172.17.10.30.
Figure 3-16 Solution: Change PC IP Address
Missing VLANs (3.2.4.2)
If there is still no connection between devices in a VLAN, but IP addressing issues have been ruled out, refer to the flowchart in Figure 3-17 to troubleshoot:
- Step 1. Use the show vlan command to check whether the port belongs to the expected VLAN. If the port is assigned to the wrong VLAN, use the switchport access vlan command to correct the VLAN membership. Use the show mac address-table command to check which addresses were learned on a particular port of the switch and to which VLAN that port is assigned.
- Step 2. If the VLAN to which the port is assigned is deleted, the port becomes inactive. Use the show vlan or show interfaces switchport command.
Figure 3-17 Missing VLAN
To display the MAC address table, use the show mac address-table command. Example 3-15 shows MAC addresses that were learned on the F0/1 interface. It can be seen that MAC address 000c.296a.a21c was learned on interface F0/1 in VLAN 10. If this number is not the expected VLAN number, change the port VLAN membership using the switchport access vlan command.
Example 3-15 Missing VLAN
S1# show mac address-table interface FastEthernet 0/1
          Mac Address Table
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    000c.296a.a21c    DYNAMIC     Fa0/1
  10    000f.34f9.9181    DYNAMIC     Fa0/1
Total Mac Addresses for this criterion: 2
S1# show interfaces FastEthernet 0/1 switchport
Name: Fa0/1
Switchport: Enabled
Administrative Mode: static access
Operational Mode: static access
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: native
Negotiation of Trunking: Off
Access Mode VLAN: 10 (Inactive)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Each port in a switch belongs to a VLAN. If the VLAN to which the port belongs is deleted, the port becomes inactive. All ports belonging to the VLAN that was deleted are unable to communicate with the rest of the network. Use the show interface f0/1 switchport command to check whether the port is inactive. If the port is inactive, it is not functional until the missing VLAN is created using the vlan vlan-id command.
Introduction to Troubleshooting Trunks (3.2.4.3)
A common task of a network administrator is to troubleshoot trunk link formation or links incorrectly behaving as trunk links. Sometimes a switch port can behave like a trunk port even if it is not configured as a trunk port. For example, an access port might accept frames from VLANs different from the VLAN to which it is assigned. This is called VLAN leaking.
Figure 3-18 displays a flowchart of general trunk troubleshooting guidelines.
Figure 3-18 Troubleshooting Trunks
To troubleshoot issues when a trunk is not forming or when VLAN leaking is occurring, proceed as follows:
- Step 1. Use the show interfaces trunk command to check whether the local and peer native VLANs match. If the native VLAN does not match on both sides, VLAN leaking occurs.
- Step 2. Use the show interfaces trunk command to check whether a trunk has been established between switches. Statically configure trunk links whenever possible. Cisco Catalyst switch ports use DTP by default and attempt to negotiate a trunk link.
To display the status of the trunk, the native VLAN used on that trunk link, and to verify trunk establishment, use the show interfaces trunk command. Example 3-16 shows that the native VLAN on one side of the trunk link was changed to VLAN 2. If one end of the trunk is configured as native VLAN 99 and the other end is configured as native VLAN 2, a frame sent from VLAN 99 on one side is received on VLAN 2 on the other side. VLAN 99 leaks into the VLAN 2 segment.
Example 3-16 Troubleshooting Trunks
S1# show interfaces f0/1 trunk

Port        Mode         Encapsulation  Status        Native vlan
Fa0/1       auto         802.1q         trunking      2
<output omitted>
CDP displays a notification of a native VLAN mismatch on a trunk link with this message:
*Mar 1 06:45:26.232: %CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on FastEthernet0/1 (2), with S2 FastEthernet0/1 (99).
Connectivity issues occur in the network if a native VLAN mismatch exists. Data traffic for VLANs, other than the two native VLANs configured, successfully propagates across the trunk link, but data associated with either of the native VLANs does not successfully propagate across the trunk link.
As shown in Example 3-16, native VLAN mismatch issues do not keep the trunk from forming. To solve the native VLAN mismatch, configure the native VLAN to be the same VLAN on both sides of the link.
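Because a native VLAN mismatch does not stop the trunk from forming, it is worth checking for it mechanically rather than by eye. The following Python is an added example, not course or Cisco code: it parses the first table of show interfaces trunk from each end of a link, reports an end that is not trunking at all (the Example 3-17 situation) or a native VLAN mismatch (Example 3-16), and decodes the %CDP-4-NATIVE_VLAN_MISMATCH message shown above. S1's sample output follows Example 3-16; S2's output is constructed to match the CDP message, which reports S2 using VLAN 99.

```python
import re

_TRUNK_ROW = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")
_CDP_MISMATCH = re.compile(
    r"%CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on "
    r"(\S+) \((\d+)\), with (\S+) (\S+) \((\d+)\)"
)


def parse_show_interfaces_trunk(output):
    """Parse the first table of 'show interfaces trunk' (Port / Mode /
    Encapsulation / Status / Native vlan) into a dict keyed by port name.
    A port that does not appear is not trunking on that switch."""
    ports = {}
    in_table = False
    for line in output.splitlines():
        if line.startswith("Port") and "Native" in line:
            in_table = True
            continue
        if not in_table:
            continue
        m = _TRUNK_ROW.match(line)
        if m is None:
            in_table = False  # blank line, next table or <output omitted>
            continue
        port, mode, encap, status, native = m.groups()
        ports[port] = {"mode": mode, "encapsulation": encap,
                       "status": status, "native": int(native)}
    return ports


def compare_trunk_ends(local, peer):
    """Each argument is (switch name, show interfaces trunk output, port).
    Returns findings: an end that is not trunking, or a native VLAN mismatch."""
    findings = []
    ends = []
    for name, output, port in (local, peer):
        info = parse_show_interfaces_trunk(output).get(port)
        if info is None:
            findings.append(f"{name} {port} is not trunking; check its trunk mode")
        ends.append((name, port, info))
    if any(info is None for _, _, info in ends):
        return findings
    (ln, lp, li), (pn, pp, pi) = ends
    if li["native"] != pi["native"]:
        findings.append(
            f"native VLAN mismatch: {ln} {lp} uses {li['native']}, "
            f"{pn} {pp} uses {pi['native']}"
        )
    return findings


def parse_cdp_mismatch(syslog_line):
    """Decode the %CDP-4-NATIVE_VLAN_MISMATCH message into its fields, or
    return None if the line is some other message."""
    m = _CDP_MISMATCH.search(syslog_line)
    if m is None:
        return None
    return {
        "local_if": m.group(1), "local_native": int(m.group(2)),
        "peer": m.group(3), "peer_if": m.group(4),
        "peer_native": int(m.group(5)),
    }


# Constructed samples: S1 follows Example 3-16, S2 is made up to match the
# CDP message on this page (S2 FastEthernet0/1 with native VLAN 99).
S1_TRUNK = """S1# show interfaces f0/1 trunk

Port        Mode         Encapsulation  Status        Native vlan
Fa0/1       auto         802.1q         trunking      2
<output omitted>
"""
S2_TRUNK = """S2# show interfaces f0/1 trunk

Port        Mode         Encapsulation  Status        Native vlan
Fa0/1       on           802.1q         trunking      99

Port        Vlans allowed on trunk
Fa0/1       1-4094
"""
CDP_LINE = ("*Mar 1 06:45:26.232: %CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN "
            "mismatch discovered on FastEthernet0/1 (2), with S2 FastEthernet0/1 (99).")


def check_example_3_16():
    """Findings for the S1-S2 trunk of Example 3-16."""
    return compare_trunk_ends(("S1", S1_TRUNK, "Fa0/1"), ("S2", S2_TRUNK, "Fa0/1"))


if __name__ == "__main__":
    print(check_example_3_16())
    print(parse_cdp_mismatch(CDP_LINE))
```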
Common Problems with Trunks (3.2.4.4)
Trunking issues are usually associated with incorrect configurations. When configuring VLANs and trunks on a switched infrastructure, the following types of configuration errors are the most common:
- Native VLAN mismatches: Trunk ports are configured with different native VLANs. This configuration error generates console notifications, and causes control and management traffic to be misdirected. This poses a security risk. For example, one port might be configured with VLAN 99 and the other with VLAN 100.
- Trunk mode mismatches: One trunk port is configured in a mode that is not compatible for trunking on the corresponding peer port. This configuration error causes the trunk link to stop working. For example, both local and peer switch port modes might be configured as dynamic auto.
- Allowed VLANs on trunks: The list of allowed VLANs on a trunk has not been updated with the current VLAN trunking requirements. In this situation, unexpected traffic or no traffic is being sent over the trunk. For example, the list of allowed VLANs might not support current VLAN trunking requirements.
If an issue with a trunk is discovered and if the cause is unknown, start troubleshooting by examining the trunks for a native VLAN mismatch. If that is not the cause, check for trunk mode mismatches, and finally check for the allowed VLAN list on the trunk. The next several sections examine how to fix the common problems with trunks.
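The three checks above can be run against the show interfaces trunk output collected from both ends of every documented link, in the order the text recommends. The following Python is an added example, not the book's code: it parses that output in the column layout used by Examples 3-17 and 3-19, then reports native VLAN mismatches, ends that are not trunking (the mode mismatch case, where the port is absent from the table entirely), and allowed lists that differ between the two ends. The SHOW_TRUNK captures, the LINKS table and the S2 switch are constructed for the demonstration and are assumptions, not the chapter's topology.

```python
"""Audit both ends of each trunk for the three common problems this section
lists, in the order it recommends: native VLAN mismatch, trunk mode mismatch,
then the allowed VLAN list. Added example, not the book's own code."""
import re
from typing import Dict, List, Set, Tuple

# Constructed "show interfaces trunk" output per switch, in the layout of
# Examples 3-17 and 3-19; the values are assumptions for this demonstration.
# S1 Fa0/3 and S3 Fa0/3 are both dynamic auto, so neither lists a trunk there,
# and S3 (no trunks at all) prints nothing.
SHOW_TRUNK = {
    "S1": """\
Port        Mode         Encapsulation  Status        Native vlan
Fa0/1       on           802.1q         trunking      99

Port        Vlans allowed on trunk
Fa0/1       10,99
""",
    "S2": """\
Port        Mode         Encapsulation  Status        Native vlan
Fa0/1       on           802.1q         trunking      1

Port        Vlans allowed on trunk
Fa0/1       10,20,99
""",
    "S3": "",
}
# Documented links: (switch, port, peer switch, peer port)
LINKS: List[Tuple[str, str, str, str]] = [
    ("S1", "Fa0/1", "S2", "Fa0/1"),
    ("S1", "Fa0/3", "S3", "Fa0/3"),
]

TRUNK_ROW = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")
ALLOWED_ROW = re.compile(r"^(\S+)\s+([\d,\-]+|none)\s*$")


def expand_vlan_list(spec: str) -> Set[int]:
    """'10,20-22,99' -> {10, 20, 21, 22, 99}; 'none' -> empty set."""
    vlans: Set[int] = set()
    for part in spec.split(","):
        if part.lower() == "none" or not part:
            continue
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def parse_show_trunk(text: str) -> Dict[str, dict]:
    """Map each trunking port to its mode, native VLAN and allowed VLAN set."""
    ports: Dict[str, dict] = {}
    section = None
    for line in text.splitlines():
        if line.startswith("Port "):          # a column header starts a section
            section = ("status" if "Mode" in line
                       else "allowed" if "Vlans allowed on trunk" in line
                       else None)            # remaining sections are not needed here
            continue
        if section == "status" and (m := TRUNK_ROW.match(line)):
            ports[m[1]] = {"mode": m[2], "native": int(m[5]), "allowed": set()}
        elif section == "allowed" and (m := ALLOWED_ROW.match(line)) and m[1] in ports:
            ports[m[1]]["allowed"] = expand_vlan_list(m[2])
    return ports


def audit_link(a_sw, a_port, b_sw, b_port, tables) -> List[str]:
    """Findings for one link, ordered as the troubleshooting sequence above."""
    a, b = tables[a_sw].get(a_port), tables[b_sw].get(b_port)
    link = f"{a_sw} {a_port} <-> {b_sw} {b_port}"
    findings = []
    # 1. Native VLAN mismatch (only checkable when both ends report a trunk).
    if a and b and a["native"] != b["native"]:
        findings.append(f"native VLAN mismatch on {link}: {a['native']} vs {b['native']}")
    # 2. Trunk mode mismatch: a documented trunk end is missing from the table.
    if not (a and b):
        down = [f"{sw} {p}" for sw, p, t in ((a_sw, a_port, a), (b_sw, b_port, b)) if not t]
        findings.append(f"trunk mode mismatch on {link}: not trunking on {', '.join(down)}")
    # 3. Allowed VLAN list differs between the two ends.
    if a and b and a["allowed"] != b["allowed"]:
        only_one_end = sorted(a["allowed"] ^ b["allowed"])
        findings.append(f"allowed VLAN list differs on {link}: {only_one_end} on one end only")
    return findings


def audit_links(links, show_trunk_by_switch) -> List[str]:
    """Parse every switch's output once, then audit each documented link."""
    tables = {sw: parse_show_trunk(out) for sw, out in show_trunk_by_switch.items()}
    return [f for link in links for f in audit_link(*link, tables)]


if __name__ == "__main__":
    for finding in audit_links(LINKS, SHOW_TRUNK):
        print(finding)
```

Run against the constructed captures, the audit reports the S1 to S2 link twice (native VLAN 99 against 1, and VLAN 20 allowed on one end only) and the S1 to S3 link once, as not trunking on either end. A port that is absent from show interfaces trunk is the signature of the dynamic auto on both sides case; confirming the administrative mode with show interfaces switchport, as in the next section, is the follow-up.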
Trunk Mode Mismatches (3.2.4.5)
Trunk links are normally configured statically with the switchport mode trunk command. Cisco Catalyst switch trunk ports use DTP to negotiate the state of the link. When a port on a trunk link is configured with a trunk mode that is incompatible with the neighboring trunk port, a trunk link fails to form between the two switches.
In the scenario illustrated in Figure 3-19, PC4 cannot connect to the internal web server. The topology indicates a valid configuration. Why is there a problem?
Figure 3-19 Scenario Topology
Check the status of the trunk ports on switch S1 using the show interfaces trunk command. The output shown in Example 3-17 reveals that interface Fa0/3 on switch S1 is not currently a trunk link. Examining the F0/3 interface reveals that the switch port is actually in dynamic auto mode. An examination of the trunks on switch S3 reveals that there are no active trunk ports. Further checking reveals that the Fa0/3 interface is also in dynamic auto mode. This explains why the trunk is down.
Example 3-17 Mismatched DTP Modes
S1# show interfaces trunk
Port        Mode         Encapsulation  Status        Native vlan
Fa0/1       on           802.1q         trunking      99

Port        Vlans allowed on trunk
Fa0/1       10,99

Port        Vlans allowed and active in management domain
Fa0/1       10,99

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/1       10,99

S1# show interfaces f0/3 switchport
Name: Fa0/3
Switchport: Enabled
Administrative Mode: dynamic auto
<output omitted>

S3# show interfaces trunk
S3# show interfaces f0/3 switchport
Name: Fa0/3
Switchport: Enabled
Administrative Mode: dynamic auto
<output omitted>
To resolve the issue, reconfigure the trunk mode of the F0/3 ports on switches S1 and S3, as shown in Example 3-18. After the configuration change, the output of the show interfaces command indicates that the port on switch S1 is now in trunking mode. The output from PC4 indicates that it has regained connectivity to the Web/TFTP server found at IP address 172.17.10.30.
Example 3-18 Corrected Trunk Modes
S1(config)# interface f0/3
S1(config-if)# switchport mode trunk
S1(config-if)# end
S1# show interfaces f0/3 switchport
Name: Fa0/3
Switchport: Enabled
Administrative Mode: trunk
<output omitted>

S3(config)# interface f0/3
S3(config-if)# switchport mode trunk
S3(config-if)# end
S3# show interfaces f0/3 switchport
Name: Fa0/3
Switchport: Enabled
Administrative Mode: trunk
<output omitted>

S3# show interfaces trunk
Port        Mode         Encapsulation  Status        Native vlan
Fa0/3       on           802.1q         trunking      99

Port        Vlans allowed on trunk
Fa0/3       10,99

Port        Vlans allowed and active in management domain
Fa0/3       10,99

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/3       10,99

PC4> ping 172.17.10.30
Pinging 172.17.10.30 with 32 bytes of data:
Reply from 172.17.10.30: bytes=32 time=147ms TTL=128
<output omitted>
Incorrect VLAN List (3.2.4.6)
For traffic from a VLAN to be transmitted across a trunk, it must be allowed on the trunk. To do so, use the switchport trunk allowed vlan vlan-id command. Note that this form of the command replaces the existing allowed list with the VLANs given, so list every VLAN that should cross the trunk.
In Figure 3-20, VLAN 20 (Student) and PC5 have been added to the network. The documentation has been updated to show that the VLANs allowed on the trunk are 10, 20, and 99. In this scenario, PC5 cannot connect to the student email server.
Figure 3-20 Scenario Topology
Check the trunk ports on switch S1 using the show interfaces trunk command, as shown in Example 3-19. The command reveals that interface F0/3 on switch S3 is correctly configured to allow VLANs 10, 20, and 99. The same command on switch S1 reveals that interfaces F0/1 and F0/3 allow only VLANs 10 and 99. Someone updated the documentation but forgot to reconfigure the ports on the S1 switch.
Example 3-19 Missing VLANs
S3# show interfaces trunk
Port        Mode         Encapsulation  Status        Native vlan
Fa0/3       on           802.1q         trunking      99

Port        Vlans allowed on trunk
Fa0/3       10,20,99

Port        Vlans allowed and active in management domain
Fa0/3       10,20,99

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/3       10,20,99

S1# show interfaces trunk
Port        Mode         Encapsulation  Status        Native vlan
Fa0/1       on           802.1q         trunking      99
Fa0/3       on           802.1q         trunking      99

Port        Vlans allowed on trunk
Fa0/1       10,99
Fa0/3       10,99
<output omitted>
Reconfigure F0/1 and F0/3 on switch S1 using the switchport trunk allowed vlan 10,20,99 command, as shown in Example 3-20. The output shows that VLANs 10, 20, and 99 are now allowed on the F0/1 and F0/3 ports on switch S1. The show interfaces trunk command is an excellent tool for revealing common trunking problems. PC5 has regained connectivity to the student email server found at IP address 172.17.20.10.
Example 3-20 Corrected VLAN List
S1(config)# interface f0/1
S1(config-if)# switchport trunk allowed vlan 10,20,99
S1(config-if)# interface f0/3
S1(config-if)# switchport trunk allowed vlan 10,20,99
S1(config-if)# end
S1# show interfaces trunk
Port        Mode         Encapsulation  Status        Native vlan
Fa0/1       on           802.1q         trunking      99
Fa0/3       on           802.1q         trunking      99

Port        Vlans allowed on trunk
Fa0/1       10,20,99
Fa0/3       10,20,99
<output omitted>

PC5> ping 172.17.20.10
Pinging 172.17.20.10 with 32 bytes of data:
Reply from 172.17.20.10: bytes=32 time=147ms TTL=128
<output omitted>