Over the last week, I have done a fair amount of work segmenting a network with VLANs. VLAN, or virtual LAN, configuration is typically easy, but there are a few things that you need to know to be successful. This newsletter covers the basic configuration of VLANs on Catalyst switches. Examples are based on IOS switches. Check the links provided at the end of this article for examples of VLAN configurations using CatOS-based switches.
Cisco defines a VLAN as a broadcast domain within a switched network. VLANs allow you to segment your switched network so that broadcast domains are smaller, leaving more bandwidth for your end nodes. Devices that are in one VLAN do not receive broadcasts from devices in another VLAN. For devices on different VLANs to communicate, a layer 3 device (usually a router) must be used.
The first consideration for setting up VLANs in your network is planning your environment. Will the VLANs span multiple switches, or will you only be segmenting one switch? If you only have one switch to segment, you can just configure the VLANs with no other considerations. If you need to span multiple switches with VLAN information, you will need to decide which switches need which VLANs. You will also need to configure trunking and set up VLAN Trunking Protocol (VTP).
To configure VLANs on a single switch, you can use the following commands from privileged mode:
SwitchA# vlan database
SwitchA(vlan)# vlan 2 name vlan2
SwitchA(vlan)# exit
SwitchA# configure terminal
SwitchA(config)# interface fastethernet 0/1
SwitchA(config-if)# switchport mode access
SwitchA(config-if)# switchport access vlan 2
SwitchA(config-if)# end
These commands create VLAN number 2 and name it vlan2. Fast Ethernet interface 0/1 (on my Cat 2924XL-M) is then configured to use vlan2. It is important to note that VLAN 1 is used for the management VLAN, so any VLANs created should be numbered 2 to 1000.
For VLAN information to be passed between switches, trunking must be configured between the switches. VLAN trunking allows a port to pass traffic from multiple VLANs between the two switches. Frames travelling over a trunk are tagged to identify which VLAN the frames belong to. When implementing trunking between switches, the ports at either end of the connection must be set up for trunk mode and the trunk encapsulation mode must match. Trunk encapsulation dictates the manner in which frames are identified (tagged) on a trunk and defines the VLAN services available. There are four types of trunking encapsulations:
1) Inter-Switch Link Protocol (ISL)
Cisco proprietary trunking protocol.
2) IEEE 802.1Q (dot1q)
Industry standard trunking protocol.
3) LAN Emulation (LANE)
Used for trunking VLANs over ATM links.
4) IEEE 802.10 (dot10q)
Cisco proprietary method for transporting VLAN information inside standard FDDI frames.
To set up trunking between two switches, use the following commands:
SwitchA(config)# interface fastethernet 0/1
SwitchA(config-if)# switchport mode trunk
SwitchA(config-if)# switchport trunk encapsulation dot1q
Repeat commands on SwitchB.
This sets up fast Ethernet interface 0/1 to be a trunk port using dot1q encapsulation. It is important to note that once you change one side of a connection to trunk mode, communication between the two switches will be lost until the other side is configured for the same mode/encapsulation. If you are trying to set up trunking remotely, always change the far side of a connection first. The port is currently passing information for all VLANs (1-1005). To limit which VLANs will be allowed to pass information on the port you can use the following commands:
SwitchA(config)# interface fastethernet 0/1
SwitchA(config-if)# switchport trunk allowed vlan remove 1-1005
SwitchA(config-if)# switchport trunk allowed vlan add 1-3
Repeat commands on SwitchB.
This removes the default of all VLANs, and adds back support for VLANs 1-3. It is good practice to remove everything and only add support for the VLANs that are required. We now have two switches happily passing VLAN traffic for VLANs 1-3. This process is great for a small number of switches with a limited number of VLANs. In a large environment that has a large number of switches, and requires several VLANs, it can be difficult to maintain the configuration on each switch.
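As an added example (not from the newsletter), here is a small Python audit that replays the allowed-VLAN remove/add commands from a saved IOS-style configuration and flags trunks still passing all VLANs 1-1005 and access ports left in VLAN 1. The configuration text it parses is constructed for the example.

```python
# Added example (not from the article); SAMPLE_CONFIG is constructed input.
import re
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 switchport mode trunk
 switchport trunk allowed vlan remove 1-1005
 switchport trunk allowed vlan add 1-3
!
interface FastEthernet0/2
 switchport mode trunk
!
interface FastEthernet0/3
 switchport mode access
!
"""
DEFAULT_ALLOWED = frozenset(range(1, 1006))  # a fresh trunk passes VLANs 1-1005

def parse_vlan_list(text):
    """Expand an IOS VLAN list such as '1-3,5' into a set of VLAN ids."""
    return {v for part in text.split(",")
              for v in range(int(part.split("-")[0]), int(part.split("-")[-1]) + 1)}

def parse_interfaces(config):
    """Map each 'interface X' stanza (terminated by '!') to its sub-commands."""
    ifaces = {}
    for stanza in config.split("!"):
        lines = [l.strip() for l in stanza.strip().splitlines()]
        if lines and lines[0].startswith("interface "):
            ifaces[lines[0].split(None, 1)[1]] = lines[1:]
    return ifaces

def trunk_allowed_vlans(lines):
    """Replay 'allowed vlan remove/add' commands in order from the default set."""
    allowed = set(DEFAULT_ALLOWED)
    for cmd in lines:
        m = re.match(r"switchport trunk allowed vlan (remove|add) (\S+)$", cmd)
        if m:
            ids = parse_vlan_list(m.group(2))
            allowed = allowed - ids if m.group(1) == "remove" else allowed | ids
    return allowed

def audit(config):
    """Return {interface: finding} for unpruned trunks and access ports in VLAN 1."""
    findings = {}
    for name, lines in parse_interfaces(config).items():
        if "switchport mode trunk" in lines and trunk_allowed_vlans(lines) == DEFAULT_ALLOWED:
            findings[name] = "trunk passes all VLANs 1-1005; prune with allowed vlan remove/add"
        elif "switchport mode access" in lines and not any(c.startswith("switchport access vlan ") for c in lines):
            findings[name] = "access port left in VLAN 1 (the management VLAN)"
    return findings
```

Running `audit(SAMPLE_CONFIG)` reports FastEthernet0/2 and FastEthernet0/3 and leaves the pruned FastEthernet0/1 alone.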