Cisco Configuring and Verifying VLAN

Overview

This section details the configuration and verification commands for VLANs on Cisco IOS.When creating a VLAN, the key is to imagine the association between the VLAN and the port inside the Layer 2 switch.

VLAN Configuration Process

First, let’s review the overall configuration flow. The following is the configuration flow for VLANs on Catalyst switches.

By default, VLAN1 is present on the switch. All ports are in a specific DTP mode, depending on the model of the Catalyst; on the Catalyst 3560/3750, the mode is Dynamic auto. Therefore, when no Catalyst switch is connected, all ports will act as access ports. When operating as an access port, the VLAN membership is VLAN1.

From here, you can create a new VLAN or change the DTP mode as needed to make it work as an access port/trunk port. For access ports, determine the VLAN membership, and for trunk ports, specify the trunk encapsulation protocol, etc.

Related articl

Please refer to the following articles for more information about access ports and trunk ports.

ネットワークのおべんきょしませんか？

Access port : Port to be assigned to only one VLAN

https://www.n-study.com/en/vlan-detail/accessport/

There are two types of ports on a switch: access ports and trunk ports, depending on how the ports and VLANs are assigned. This section explains access ports in detail.

ネットワークのおべんきょしませんか？

Trunk port : Port assigned to multiple VLANs

https://www.n-study.com/en/vlan-detail/trunkport/

A trunk port is a port that can be assigned to multiple VLANs. When you want to create VLANs across switches, it is efficient to use trunk ports to connect between switches.

Create VLANs

To create new VLANs on the switch, use the following command in global configuration mode.

The VLAN name configuration is optional. If omitted, the default name is “VLANxxxx” (xxxx: 4-digit VLAN number string).There are two types of VLAN ID: standard VLAN ID and extended VLAN ID.

• standard VLAN ID
  • 1 to 1005
  • 1002 to 1005 are reserved for Token Ring or FDDI
• extended VLAN ID
  • 1006～4094
  • To create a VLAN with an extended VLAN ID, you need to be in VTP transparent mode.
  • VLANs with extended VLAN ID will not be advertised in VTP and will not be synchronized with other switches.
  • VLANs with extended VLAN ID are not stored in the VLAN database.

Multiple VLANs can also be created in a batch. Multiple VLANs with consecutive VLAN numbers can be created in a batch by using “-” (hyphen). Multiple VLANs with non-consecutive VLAN numbers separated by “,” (comma) can be created in a batch. For example, to create VLAN 5 and VLAN 10 from VLAN 2 in one batch, enter the following command.

vlan 2-5,10

Deleting VLANs

Since VLANs are created by configuration, they can of course be deleted; to delete a VLAN, simply follow Cisco’s command delete format and enter the command with a “no”.

You can also delete multiple VLANs at once by using “- (hyphen)” or “, (comma)”. Note that deleting a VLAN will disable the access port for that VLAN.

Related article

The following article explains in detail what to do when deleting a VLAN.

N-Study

Notes on deleting VLANs | N-Study

https://www.n-study.com/en/vlan-detail/notes-on-deleting-vlans/

Even if a VLAN is deleted, the configuration of the ports assigned to that VLAN will remain.This section explains the precautions to be taken when deleting a VLAN.

Switchport Configuration

DTP mode can be configured in interface configuration mode with the following command. This means assigning ports to virtual Layer 2 switch.

Configure the DTP mode appropriately to operate as an access port or trunk port. Most configurations will be static access ports/trunk ports rather than setting the DTP mode to dynamic auto/desirable and dynamically determining the access port/trunk port.

Related article

The following article explains DTP mode in detail.

N-Study

Cisco DTP | N-Study

https://www.n-study.com/en/vlan-detail/cisco-dtp/

Cisco Catalyst switches can automatically determine the trunk port/access port according to the opposite port with DTP (Dynamic Trunking Protocol).

Access port

To make a port on the switch a static access port and determine its VLAN membership, configure it in interface configuration mode as follows

If you want to use a static access port, it is better to disable DTP.

Trunk port

To configure a port on the switch as a static trunk port, configure it as follows.

The switchport trunk encapsulation command is required only when both 1Q and ISL trunk protocols are supported. Also, it is still better to disable DTP when static trunk ports are used.

The trunk port is connected to all VLANs inside the switch by default. If necessary, you can limit the VLANs that are connected to the trunk port. The command to do so is as follows

Also, for IEEE802.1Q trunks, specify the native VLAN. To specify the native VLAN, configure it in interface configuration mode as follows

In addition, the following command adds a VLAN tag to the Ethernet frame of the native VLAN.

Related article

Native VLANs are explained in the following article.

ネットワークのおべんきょしませんか？

Native VLAN

https://www.n-study.com/en/vlan-detail/native-vlan/

Ethernet frames with native VLANs do not have a VLAN tag added when they are forwarded over the trunk. This section explains how native VLANs work.

Verify the VLAN and switchport configuration.

The following table lists the commands for verifying the VLAN and access port and trunk port configurations.

Example of VLAN and switchport configuration

The following figure models the internal structure of a Catalyst switch in its default state, assuming a Catalyst 2970 series switch.

Configure the following on the Catalyst switch in the default state.

• Create VLAN2
• Make Fa0/2 the access port for VLAN2
• Make Fa0/3 a trunk port for IEEE802.11Q

Create VLAN2

First, create VLAN2.

vlan 2

This configuration creates a virtual VLAN 2 switch inside the switch. You can name the VLAN for clarity if you want.

Make Fa0/2 the access port for VLAN2

Then, assign ports to the virtual switch of VLAN2 that you created. To make Fa0/2 the access port for VLAN2, use the following command.

interface FastEthernet0/2
 switchport mode access
 switchport access vlan 2

This configuration will connect Fa0/2 and VLAN2.

Make Fa0/3 a trunk port for IEEE802.11Q

To make Fa0/3 a trunk port for IEEE802.1Q, configure as follows.

interface FastEthernet0/3
 switchport mode trunk

Then Fa0/3 will be connected to both VLAN1 and VLAN2, and the frame can be forwarded with the identification information of each VLAN added.The Catalyst 2970 series supports only IEEE802.1Q. switchport trunk The encapsulation command is not required.

With the configuration so far, the internal connections of the Catalyst switch are shown in the following figure.

Looking at the internal connections in this way, it is easy to see why Fa0/1, the access port for VLAN1, and Fa0/2, the access port for VLAN2, cannot communicate directly with each other. This is because although they are ports on the same switch, Fa0/1 and Fa0/2 are not connected inside the switch.

In order to allow ports of different VLANs to communicate with each other, it is necessary to use a Layer 3 switch or router to perform inter-VLAN routing.

Related article

See also the following article regarding inter-VLAN routing.

N-Study

Inter VLAN routing overview | N-Study

https://www.n-study.com/en/vlan-detail/intervlanrouting-overview/

When Layer 2 switches divide a network by VLANs, communication between VLANs becomes impossible, and inter-VLAN routing is used to interconnect VLANs and enable communication between them.

Sample output of verification command

Let’s look at the actual verification command for the above configuration.

show vlan brief

First, use the show vlan brief command to verify the VLANs and access ports inside the switch.

Switch#show vlan brief

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/4, Fa0/5, Fa0/6
                                                Fa0/7, Fa0/8, Fa0/9, Fa0/10
                                                Fa0/11, Fa0/12, Fa0/13, Fa0/14
                                                Fa0/15, Fa0/16, Fa0/17, Fa0/18
                                                Fa0/19, Fa0/20, Fa0/21, Fa0/22
                                                Fa0/23, Fa0/24, Gi0/1, Gi0/2
2    VLAN0002                         active    Fa0/2
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup

You can see that VLAN2 exists and Fa0/2 is its access port.

Note that Fa0/3 is not included as an access port in the default VLAN1; Fa0/3 will not appear in the show vlan brief because it is configured as a trunk port.

show interface trunk

To verify the trunk ports, use the show interface trunk command. With this command, you can verify the summary information of all trunk ports on the switch. The sample output in the configuration example is shown below.

Switch#show interfaces trunk

Port        Mode         Encapsulation  Status        Native vlan
Fa0/3       on           802.1q         trunking      1

Port      Vlans allowed on trunk
Fa0/3       1-4094

Port        Vlans allowed and active in management domain
Fa0/3       1-2

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/3       1-2

You can see the trunk protocol of Fa0/3 configured on the trunk port and the VLAN information to be forwarded on the trunk port. Each item in the command output represents the following information.

• Vlans allowed on trunk
  The contents of the switchport trunk allowed vlan command will be reflected. The default is all VLANs from 1-4094.
• Vlans allowed and active in management domain
  Of the allowed VLANs, the active VLANs that are actually connected to the trunk port will be displayed.
• Vlans in spanning tree forwarding state and not pruned
  The VLAN IDs that are actually forwarded from the trunk port, based on the spanning tree calculation and VTP pruning, is displayed. To verify the VLANs that will be forwarded from the trunk port, look at this part

show interface switchport

Also, to verify the detailed information as a switch port, use the show interface switchport command. show interface switchport command for Fa0/2 and Fa0/3 is as follows

Switch#show interfaces fa 0/2 switchport
Name: Fa0/2
Switchport: Enabled
Administrative Mode: static access
Operational Mode: static access
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: native
Negotiation of Trunking: Off
Access Mode VLAN: 2 (VLAN0002)
Trunking Native Mode VLAN: 1 (default)
Voice VLAN: none
-- omitted --

Switch#show interfaces fa 0/3 switchport
Name: Fa0/3
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Voice VLAN: none
-- omitted --
Trunking VLANs Enabled: ALL
-- omitted --

In addition to the information as an access port or trunk port, you can verify various Layer 2 level functions, which are displayed differently depending on the Catalyst switch model and IOS version, but the main items are explained below.

• Administrative Mode
  Indicates the configured DTP mode.
• Operational Mode
  Indicates whether the port is actually operating as a trunk port or as an access port.
• Administrative Trunking Encapsulation
  Indicates the trunk protocol configuration.
• Operational Trunking Encapsulation
  Indicates the trunk protocol that is actually being used.
• Negotiation of Trunking
  Indicates whether negotiation by DTP is enabled.
• Access Mode VLAN
  Indicates the VLAN ID for VLAN membership when that port becomes an access port.
• Trunking Native Mode VLAN
  Indicates the VLAN number of the native VLAN for 1Q trunks. The native VLAN is meaningful only for IEEE802.1Q trunks.
• Voice VLAN
  Indicates the VLAN ID of the Voice VLAN to which the IP Phone is connected.
• Trunking VLANs Enabled
  Indicates the VLAN IDs allowed by the switchport trunk allowed vlan command. The default is 1-4904 (all).

まとめ