end-user VLANs and subnets local to a specific
switch block. Ideally, limit a VLAN to one access
switch or switch stack. However, it may be necessary to extend
a VLAN across multiple access switches within a switch block to
support a capability such as wireless mobility.
2.2 Implementing VLANs

2.2.1 VLAN Configuration Modes

VLANs are created in either global configuration or VLAN database mode on most Cisco IOS software-based switches. Global configuration mode is the preferred way of creating and managing VLANs because the user interface is familiar. When a VLAN is created or deleted, the change occurs as soon as the user presses the Enter key on the VLAN configuration line. The commands in this courseware delineate VLAN creation and management using global configuration mode, as shown in the figure.

Note: Global configuration mode can be used to configure VLANs in the range 1 to 1005 and must be used to configure extended-range VLANs (1006 to 4094). The VLAN Trunking Protocol (VTP) configuration revision number is incremented each time a VLAN is created or changed.

Alternatively, VLANs can be created and managed using VLAN database mode. VLAN database mode is session-oriented. When you add, delete, or modify VLAN parameters, the changes are not applied until you enter the apply or exit command. You can also exit VLAN database mode without applying the changes by entering the abort command. To access this mode, the vlan database command is executed from privileged EXEC mode. From this mode, you can add, delete, and modify configurations for VLANs in the range 1 to 1005.

Note: This mode has been deprecated and will be removed in some future release. The move to global VLAN configuration mode is consistent with a more traditional Cisco router IOS-type approach.
2.2.2 Explaining VLAN Access Ports

When an end system is connected to a switch port, it needs to be associated with a VLAN, in accordance with the network design. To associate a device with a VLAN, the switch port to which the device connects is assigned to a single data VLAN and thus becomes an access port. A switch port can become an access port through static or dynamic configuration. On most switches, VLAN membership results from execution of a specific switchport configuration command. In a local VLAN strategy, the switch port is associated with the same VLAN as the other devices on that same switch or switch cluster.

Attributes and characteristics of access ports:

- An access port is associated with a single VLAN.
- The VLAN to which the access port is assigned must exist in the VLAN database of the switch; otherwise, the port will be associated with an inactive VLAN that does not forward frames.
- Because an access switch port is part of a VLAN or broadcast domain, the port receives broadcasts, multicasts, unicast floods, and so forth that are sent to all ports in the VLAN.
- The end device typically has an IP address in a subnet that is common to all other devices on the same access VLAN.
Dynamic Access Port Association

Switch ports can be dynamically associated with a given VLAN based upon the MAC address of the device connecting on that port. This requires that the switch query a VLAN Membership Policy Server (VMPS) to determine which VLAN to associate with a switch port when a specific source MAC address is seen on the switch port. This might be beneficial with a set of workstations that rove throughout the enterprise. Regardless of what switch or switch port the workstation is connected to, that switch port becomes an access port on a single, specific VLAN. Some security situations may require dynamic VLAN associations. Dynamic VLANs require additional equipment and are not consistent with the ECNM, so they are not discussed in this course.
2.2.3 Describing VLAN Implementation Commands

The figure describes the primary commands used to implement VLANs and to verify their configuration in the Cisco Catalyst switch IOS interface.
2.2.4 Implementing a VLAN

To create or configure a VLAN and associate switch ports, follow these steps:

Step 1 Create the VLAN.
Before assigning a switch port to a specific VLAN, the VLAN may need to be created. The following example shows the syntax for creating a VLAN using the Cisco IOS interface. To create a VLAN or enter VLAN configuration mode, use the vlan command:

Switch(config)#vlan vlan_id

Step 2 Verify the VLAN configuration.
Execute the show vlan command from privileged EXEC mode. It displays information about a particular VLAN. The fields in the show vlan command output are described in the table.

Step 3 Associate switch ports with the VLAN.
Switch ports that are to function at Layer 2 and carry traffic for a single VLAN are configured as access switch ports and are assigned an access VLAN. To configure a Layer 2 switch port as an access port:

Switch(config-if)#switchport mode access

To assign the access port to a specific VLAN:

Switch(config-if)#switchport access vlan vlan_id

Step 4 Verify the switch port configuration.
The following commands are useful for verifying that a switch port is configured as intended:

show interface type slot/port switchport
show running-config interface type slot/port
show vlan

Switch# show running-config interface fastethernet 5/6
Building configuration...
!
Current configuration :33 bytes
interface FastEthernet5/6
 switchport access vlan 200
 switchport mode access
end

Step 5 Test VLAN connectivity.
  Step 1 Ensure that the connected device has a correctly configured IP address and a subnet mask that places it on the same network as the default gateway.
  Step 2 Ping the default gateway.
  Step 3 If the ping to the default gateway is successful, the VLAN configuration and the IP address configuration have been verified.

Step 6 Implement switch and VLAN security measures.
When implementing VLANs, you should consider a few measures to secure the VLAN and the switch itself. The security policy of the organization will likely have more detailed recommendations, but these can provide a foundation.

- Create a “parking-lot” VLAN with a VLAN ID (VID) other than VLAN 1, and place all unused switch ports in this VLAN. This VLAN may provide the user with some minimal network connectivity. (Check the security policy of your organization before implementing.)
- Disable unused switch ports, depending on the security policy of the organization.
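The access-port attributes in 2.2.2 (a port assigned to a VLAN that is absent from the VLAN database ends up on an inactive VLAN) and the verification and security steps above (Step 4 and Step 6) can be checked mechanically against the switch's own output. The following Python script is an added example, not part of the courseware and not a Cisco tool: it parses constructed show vlan brief and show running-config output, compares every port against an assumed design table (EXPECTED_ACCESS) and an assumed parking-lot VLAN (999), and reports ports whose VLAN is not active in the VLAN database, ports that deviate from the design, and unused ports that are neither parked nor shut down. The sample output, interface names and the design table are all constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample output (not captured from a real switch), in the shape
# of "show vlan brief" and "show running-config" on a Cisco IOS switch.
SHOW_VLAN_BRIEF = """\
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/5
200  users                            active    Fa0/1, Fa0/2
999  parking-lot                      active    Fa0/3, Fa0/4
1002 fddi-default                     act/unsup
"""

RUNNING_CONFIG = """\
!
interface FastEthernet0/1
 switchport access vlan 200
 switchport mode access
!
interface FastEthernet0/2
 switchport access vlan 200
 switchport mode access
!
interface FastEthernet0/3
 switchport access vlan 999
 switchport mode access
 shutdown
!
interface FastEthernet0/4
 switchport access vlan 999
 switchport mode access
!
interface FastEthernet0/5
 switchport mode access
!
interface FastEthernet0/6
 switchport access vlan 300
 switchport mode access
!
end
"""

# Assumed network design for this switch: which port carries which VLAN.
# Any port not listed here is treated as unused.
EXPECTED_ACCESS = {"FastEthernet0/1": 200, "FastEthernet0/2": 200}
PARKING_LOT_VLAN = 999   # assumed parking-lot VID, deliberately not VLAN 1


@dataclass
class Port:
    name: str
    access_vlan: int = 1      # IOS places a port in VLAN 1 when none is configured
    mode: str = "dynamic"     # assumed default; the audit only tests for "access"
    shutdown: bool = False


def parse_vlan_brief(text):
    """Return {vid: status} for every VLAN row of 'show vlan brief'."""
    vlans = {}
    for line in text.splitlines():
        m = re.match(r"^(\d+)\s+\S+\s+(\S+)", line)
        if m:
            vlans[int(m.group(1))] = m.group(2)
    return vlans


def parse_interfaces(config):
    """Return {name: Port} built from the interface stanzas of a running-config."""
    ports = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"^interface (\S+)$", line)
        if m:
            current = Port(name=m.group(1))
            ports[current.name] = current
        elif current is None or line == "!":
            continue
        elif line.startswith("switchport access vlan "):
            current.access_vlan = int(line.split()[-1])
        elif line.startswith("switchport mode "):
            current.mode = line.split()[-1]
        elif line == "shutdown":
            current.shutdown = True
    return ports


def audit(vlans, ports, expected, parking_vlan):
    """Compare switch state with the design and return a list of findings."""
    findings = []
    for name, port in sorted(ports.items()):
        if port.mode != "access":
            findings.append(f"{name}: not configured as an access port")
        if vlans.get(port.access_vlan) != "active":
            findings.append(f"{name}: VLAN {port.access_vlan} is not active in the "
                            "VLAN database, so the port does not forward frames")
        if name in expected:
            if port.access_vlan != expected[name]:
                findings.append(f"{name}: in VLAN {port.access_vlan}, "
                                f"design says {expected[name]}")
        else:
            if port.access_vlan != parking_vlan:
                findings.append(f"{name}: unused port not in parking-lot VLAN "
                                f"{parking_vlan} (currently VLAN {port.access_vlan})")
            if not port.shutdown:
                findings.append(f"{name}: unused port is not shut down")
    return findings


if __name__ == "__main__":
    result = audit(parse_vlan_brief(SHOW_VLAN_BRIEF),
                   parse_interfaces(RUNNING_CONFIG),
                   EXPECTED_ACCESS, PARKING_LOT_VLAN)
    print("\n".join(result) or "no findings")
```

On the constructed sample the script reports FastEthernet0/4 (parked but still enabled), FastEthernet0/5 (left in VLAN 1 and enabled) and FastEthernet0/6 (assigned VLAN 300, which is not in the VLAN database, and neither parked nor shut down); the two design ports and the correctly parked FastEthernet0/3 produce nothing. Whether an enabled parking-lot port counts as a finding is a policy decision, as the courseware notes.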
Web Links

For additional information regarding VLAN implementations, see: Cisco Systems, Inc., SAFE Blueprint
2.3 Implementing Trunks

2.3.1 Explaining VLAN Trunks

Multiple VLANs are supported between switches through VLAN trunks. A trunk is a Layer 2 link between switches that are running a specialized trunking protocol. Trunks carry the traffic of multiple VLANs over physical links (multiplexing) and enable the extension of a single Layer 2 VLAN between switches. If frames from a single VLAN traverse a trunk link, a trunking protocol must mark the frame to identify its associated VLAN as the frame is placed onto the trunk link. The receiving switch then knows the frame’s VLAN of origin and can process the frame accordingly. On the receiving switch, the VID is removed when the frame is forwarded onto an access link associated with its VLAN. A special protocol is required to establish a trunk link between two devices. A trunk link may exist between these devices:

- Two switches
- A switch and a router
- A switch and a trunk-capable NIC in a node such as a server
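To make the marking and removal of the VID concrete, here is an added Python example that is not from the courseware. It assumes the trunking protocol is IEEE 802.1Q, which the text above does not name: a 4-byte tag carrying the VID is inserted after the source MAC as the frame enters the trunk, and the receiving switch reads the VID, strips the tag, and delivers the frame only to access ports assigned to that VLAN. The MAC addresses, payload and port names are constructed.

```python
import struct

# Assumption for this example: the trunking protocol is IEEE 802.1Q, whose
# tag sits between the source MAC and the original EtherType.
TPID_8021Q = 0x8100

# Constructed sample addresses and payload (not from a real capture).
DST_MAC = bytes.fromhex("020000000001")
SRC_MAC = bytes.fromhex("020000000002")
ETHERTYPE_IPV4 = 0x0800
PAYLOAD = b"constructed payload"


def build_frame(dst, src, ethertype, payload):
    """Untagged Ethernet frame: dst(6) src(6) EtherType(2) payload."""
    return dst + src + struct.pack("!H", ethertype) + payload


def is_tagged(frame):
    """True if the two bytes after the MAC addresses hold the 802.1Q TPID."""
    return len(frame) >= 16 and struct.unpack("!H", frame[12:14])[0] == TPID_8021Q


def tag_frame(frame, vid, pcp=0):
    """Mark a frame with its VLAN as it is placed onto a trunk link.

    802.1Q reserves VID 0 and 4095, so only 1..4094 is accepted.
    """
    if not 1 <= vid <= 4094:
        raise ValueError(f"VID {vid} outside 1..4094")
    if is_tagged(frame):
        raise ValueError("frame already carries a VLAN tag")
    tci = (pcp & 0x7) << 13 | vid          # PCP(3 bits) DEI(1 bit, 0) VID(12 bits)
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def untag_frame(frame):
    """Read the VID from the tag and return (vid, frame_without_tag)."""
    if not is_tagged(frame):
        raise ValueError("frame carries no VLAN tag")
    tci = struct.unpack("!H", frame[14:16])[0]
    return tci & 0x0FFF, frame[:12] + frame[16:]


def forward_from_trunk(tagged, access_ports):
    """Receiving switch: strip the tag and deliver the frame only to access
    ports whose VLAN matches the VID. access_ports maps port name -> VID."""
    vid, bare = untag_frame(tagged)
    return {port: bare for port, port_vid in access_ports.items() if port_vid == vid}


if __name__ == "__main__":
    frame = build_frame(DST_MAC, SRC_MAC, ETHERTYPE_IPV4, PAYLOAD)
    on_trunk = tag_frame(frame, 200)                 # leaves switch A on the trunk
    delivered = forward_from_trunk(on_trunk, {"Fa0/1": 200, "Fa0/2": 300})
    print(sorted(delivered))                         # only the VLAN 200 access port
```

The frame that reaches the VLAN 200 access port is byte-for-byte the frame the sender emitted; only the trunk segment carries the extra 4 bytes. Refusing to tag an already-tagged frame keeps the example honest about where the tag belongs and avoids silently stacking a second tag.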
If a single physical link