Administration Guide at Cisco Unified CallManager
Administration Guide, Release 5.0(4)
2.1 Implementing Best Practices for VLAN Topologies
2.1.6 Describing End-to-End VLANs

The term end-to-end VLAN refers to a single VLAN associated with switch ports that are widely dispersed throughout an enterprise network. Traffic for the VLAN is carried throughout the switched network. If many VLANs in a network are end-to-end, special links (trunks) are required between switches to carry the traffic of all the different VLANs. An end-to-end VLAN has these characteristics:
- Geographically dispersed throughout the network.
- Users are grouped into the VLAN regardless of physical location.
- As a user moves throughout a campus, the VLAN membership of that user remains the same.
- Users are typically associated with a given VLAN for network management reasons.
- All devices on a given VLAN typically have addresses on the same IP subnet.
Because a VLAN represents a Layer 3 segment, end-to-end VLANs allow a single Layer 3 segment to be geographically dispersed throughout the network. Reasons for implementing this design might include the following:
- Grouping users: Users can be grouped on a common IP segment even though they are geographically dispersed.
- Security: A VLAN may contain resources that should not be accessible to all users on the network, or there may be a reason to confine certain traffic to a particular VLAN.
- Applying QoS: Traffic from a given VLAN can be given higher or lower access priority to network resources.
- Routing avoidance: If much of the VLAN user traffic is destined for devices on that same VLAN and routing to those devices is not desirable, users can access resources on their VLAN without their traffic being routed off the VLAN, even though the traffic may traverse multiple switches.
- Special purpose VLAN: Sometimes a VLAN is provisioned to carry a single type of traffic that must be dispersed throughout the campus (for example, multicast, voice, or visitor VLANs).
- Poor design: For no clear purpose, users are placed in VLANs that span the campus or even WANs.
Some items should be considered when implementing end-to-end VLANs. Switch ports are provisioned for each user and associated with a given VLAN. Because users on an end-to-end VLAN may be anywhere in the network, all switches must be aware of that VLAN. This means that all switches carrying traffic for end-to-end VLANs are required to have identical VLAN databases. Also, flooded traffic for the VLAN is, by default, passed to every switch even if it does not currently have any active ports in the particular end-to-end VLAN. Finally, troubleshooting devices on a campus with end-to-end VLANs can be challenging, because the traffic for a single VLAN can traverse multiple switches in a large area of the campus.

For example, in a military setting, one VLAN is designated to carry top-secret data. Users with access to that data are widely dispersed throughout the network. Because all devices on that VLAN have similar security requirements, security is handled by access lists at the Layer 3 devices that route traffic onto the segment (VLAN). Security can be applied VLAN-wide without addressing security at each switch in the network, which might have only a single user on the top-secret VLAN.
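The two operational considerations above (every switch carrying an end-to-end VLAN must hold an identical VLAN database, and switches with no active ports in the VLAN still receive its flooded traffic) can be checked from collected VLAN tables. The following is an added example, not code from the Cisco text or from any Cisco tool; the switch names, VLAN ids, names and port counts are constructed sample data, and the per-switch database format is an assumption made for the example.

```python
"""Audit an end-to-end VLAN across a set of switches.

Added example (not from the Cisco text): the switch names, VLAN ids and
port counts below are constructed sample data, not a real network.
Each switch's VLAN database is modelled as
{vlan_id: {"name": str, "active_ports": int}}.
"""

# Constructed sample: VLAN 500 is intended to be end-to-end on all four
# switches, but the databases have drifted.
SWITCH_VLAN_DB = {
    "dist-a": {500: {"name": "TOPSECRET", "active_ports": 2},
               10: {"name": "USERS", "active_ports": 20}},
    "dist-b": {500: {"name": "TOPSECRET", "active_ports": 0},   # no users here, still flooded
               10: {"name": "USERS", "active_ports": 18}},
    "acc-1":  {500: {"name": "TOP-SECRET", "active_ports": 1}},  # name drifted
    "acc-2":  {10: {"name": "USERS", "active_ports": 24}},       # VLAN 500 missing
}


def databases_identical(db):
    """True when every switch holds the same VLAN ids with the same names,
    which is what the text requires of switches carrying end-to-end VLANs."""
    views = {frozenset((vid, entry["name"]) for vid, entry in vlans.items())
             for vlans in db.values()}
    return len(views) == 1


def audit_end_to_end_vlan(db, vlan_id):
    """Findings for one end-to-end VLAN:
    missing_on    - switches that do not know the VLAN at all
    name_variants - the distinct names seen (more than one means drift)
    flood_only    - switches carrying the VLAN with no active ports; they
                    still receive its flooded traffic by default
    """
    missing = sorted(sw for sw, vlans in db.items() if vlan_id not in vlans)
    names = {vlans[vlan_id]["name"] for vlans in db.values() if vlan_id in vlans}
    flood_only = sorted(sw for sw, vlans in db.items()
                        if vlan_id in vlans and vlans[vlan_id]["active_ports"] == 0)
    return {
        "missing_on": missing,
        "name_variants": sorted(names) if len(names) > 1 else [],
        "flood_only": flood_only,
    }


def report(db, vlan_id):
    """Human-readable summary of the audit for one VLAN."""
    findings = audit_end_to_end_vlan(db, vlan_id)
    lines = [f"VLAN {vlan_id}: databases identical = {databases_identical(db)}"]
    if findings["missing_on"]:
        lines.append("  missing on: " + ", ".join(findings["missing_on"]))
    if findings["name_variants"]:
        lines.append("  name variants: " + ", ".join(findings["name_variants"]))
    if findings["flood_only"]:
        lines.append("  flooded with no active ports: " + ", ".join(findings["flood_only"]))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SWITCH_VLAN_DB, 500))
```

Run against the sample data, the audit reports VLAN 500 as missing on acc-2, named inconsistently between dist-a and acc-1, and present on dist-b with no active ports, which is exactly the switch that receives the VLAN's broadcast and unknown-unicast traffic for no benefit.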
2.1 Implementing Best Practices for VLAN Topologies
2.1.7 Describing Local VLANs

In the past, network designers attempted to implement the 80/20 rule when designing networks. The rule was based on the observation that, in general, 80 percent of the traffic on a network segment was passed between local devices, and only 20 percent of the traffic was destined for remote network segments. Therefore, end-to-end VLANs were typically used.

Designers now consolidate servers in central locations on the network and provide access to external resources such as the Internet through one or two paths on the network, since the bulk of traffic now traverses a number of segments. Therefore, the paradigm now is closer to a 20/80 proportion in which the greater flow of traffic leaves the local segment, so local VLANs have become more useful.

Additionally, the concept of end-to-end VLANs was very attractive when IP address configuration was a manually administered and burdensome process. Therefore, anything that reduced this burden as users moved between networks was an improvement. But, given the ubiquity of DHCP, the process of configuring IP at each desktop is no longer a significant issue. As a result, there are few benefits to extending a VLAN throughout an enterprise. It is often more efficient to group all users of a set of geographically common switches into a single VLAN, regardless of the organizational function of those users, especially from a troubleshooting perspective. VLANs that have boundaries based upon campus geography rather than organizational function are called “local VLANs.” Local VLANs are generally confined to a wiring closet. Here are some local VLAN characteristics and user guidelines:
- Local VLANs should be created with physical boundaries rather than the job functions of the users on the end devices.
- Traffic from a local VLAN is routed to reach destinations on other networks.
- A single VLAN does not extend beyond the Building Distribution submodule.
- VLANs on a given access switch should not be advertised to all other switches in the network.
2.1 Implementing Best Practices for VLAN Topologies
2.1.8 Benefits of Local VLANs in Enterprise Campus Network

Local VLANs are part of the ECNM design, where VLANs used at the access layer should extend no further than their associated distribution switch. Traffic is routed from the local VLAN as it is passed from the distribution layer into the core. This design can mitigate Layer 2 troubleshooting issues that occur when a single VLAN traverses the switches throughout an enterprise campus network. Implementing the ECNM using local VLANs provides the following benefits:
- Deterministic traffic flow: The simple layout provides a predictable Layer 2 and Layer 3 traffic path. In the event of a failure that was not mitigated by the redundancy features, the simplicity of the model facilitates expedient problem isolation and resolution within the switch block.
- Active redundant paths: When implementing Per VLAN Spanning Tree (PVST) or Multiple Spanning Tree Protocol (MSTP), all links can be used to make use of the redundant paths.
- High availability: Redundant paths exist at all infrastructure levels. Local VLAN traffic on access switches can be passed to the building distribution switches across an alternative Layer 2 path in the event of primary path failure. Router redundancy protocols can provide failover should the default gateway for the access VLAN fail. When both the Spanning Tree Protocol (STP) instance and VLAN are confined to a specific access and distribution block, Layer 2 and Layer 3 redundancy measures and protocols can be configured to fail over in a coordinated manner.
- Finite failure domain: If VLANs are local to a switch block and the number of devices on each VLAN is kept small, failures at Layer 2 are confined to a small subset of users.
- Scalable design: Following the ECNM design, new access switches can be easily incorporated and new submodules can be added when necessary.
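The local VLAN guidelines in 2.1.7 (a VLAN does not extend beyond its Building Distribution submodule) and the finite-failure-domain benefit in 2.1.8 (keep the number of devices on each VLAN small) can both be audited from an inventory of which access switch sits in which distribution block and which VLANs it carries. The following is an added example, not code from the Cisco text or any Cisco tool; the switch names, block names, VLAN ids and host counts are constructed sample data, and the 250-host limit is an assumed threshold, since the text gives no number.

```python
"""Check that VLANs stay local to one building distribution block.

Added example (not from the Cisco text): the switch names, block names,
VLAN ids and host counts are constructed sample data. An access switch
belongs to exactly one distribution block; a local VLAN must not appear
in more than one block, and a small host count per VLAN keeps the Layer 2
failure domain small.
"""

# Constructed sample topology: two distribution blocks, two access switches each.
SWITCH_BLOCK = {
    "acc-1a": "block-A", "acc-1b": "block-A",
    "acc-2a": "block-B", "acc-2b": "block-B",
}
SWITCH_VLANS = {
    "acc-1a": {110, 120},
    "acc-1b": {110, 130},
    "acc-2a": {210, 120},   # VLAN 120 configured here too: it leaks into block B
    "acc-2b": {210, 220},
}
# Constructed host counts per VLAN, used for the failure-domain check.
VLAN_HOSTS = {110: 40, 120: 300, 130: 12, 210: 35, 220: 8}


def blocks_by_vlan(switch_block, switch_vlans):
    """Map each VLAN id to the sorted list of distribution blocks it is present in."""
    result = {}
    for sw, vlans in switch_vlans.items():
        for vid in vlans:
            result.setdefault(vid, set()).add(switch_block[sw])
    return {vid: sorted(blocks) for vid, blocks in result.items()}


def vlans_spanning_blocks(switch_block, switch_vlans):
    """VLANs that break the local-VLAN rule by appearing in more than one block."""
    return {vid: blocks
            for vid, blocks in blocks_by_vlan(switch_block, switch_vlans).items()
            if len(blocks) > 1}


def oversized_vlans(vlan_hosts, max_hosts):
    """VLANs whose host count exceeds the chosen failure-domain limit."""
    return sorted(vid for vid, n in vlan_hosts.items() if n > max_hosts)


def audit_local_vlans(switch_block, switch_vlans, vlan_hosts, max_hosts):
    """Combine both checks into one findings dict."""
    return {
        "spanning": vlans_spanning_blocks(switch_block, switch_vlans),
        "oversized": oversized_vlans(vlan_hosts, max_hosts),
    }


if __name__ == "__main__":
    # 250 hosts is an assumed limit; the text only says "kept small".
    findings = audit_local_vlans(SWITCH_BLOCK, SWITCH_VLANS, VLAN_HOSTS, max_hosts=250)
    for vid, blocks in findings["spanning"].items():
        print(f"VLAN {vid} spans blocks {', '.join(blocks)}: not local")
    for vid in findings["oversized"]:
        print(f"VLAN {vid} has {VLAN_HOSTS[vid]} hosts: failure domain too large")
```

On the sample data VLAN 120 is flagged twice: it is present in both block-A and block-B, so a Layer 2 fault on it is no longer confined to one switch block, and it also carries the largest host population. Either finding alone is a reason to split the VLAN and route between the resulting local segments at the distribution layer.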
2.1 Implementing Best Practices for VLAN Topologies
2.1.9 Mapping VLANs in a Hierarchical Network

When mapping VLANs onto the new hierarchical network design, keep these parameters in mind.
- Examine the subnetting scheme that has been applied to the network and associate a VLAN to each subnet.
- Configure routing between VLANs at the distribution layer using multilayer switches.
- Make