
(Newbie question) spanning vlan: should be avoided?


penghon

MIS
Jul 22, 2003
41
SG
What would be a better idea: spanning the VLAN across different switches, or avoiding spanning a VLAN across switches (especially when there is only one user in the VLAN that is spanned across a different switch)?

Is spanning used only when the different switches are located physically apart?
 
Avoiding spanning VLANs wherever possible is my preference. This used to be the way everyone designed campus LANs, but since everyone has (or at least should have....) migrated to a purely IP environment I cannot see any real reason for spanning VLANs.
With stackable switches where there is a total of 24 ports it may be a bit OTT breaking IP into small (/27) subnets just so each switch has its own VLAN, BUT I would try my hardest to do the extra work to achieve this. Usually infrastructure fibre cabling and budget would be the only reasons to force me to start spanning VLANs across switches.
There is one exception to this and that is with Servers and Redundant NICs. In this scenario I would allow VLANs to span, but ONLY over a MAXIMUM of 2 switches that were redundantly connected (NO STP loops, EtherChannel).

Follow the Cisco 'Core', 'Distribution' and 'Access' Layer designs with Layer-3 Core & Distribution and Layer-2 Access.

Andy
 
VTP pruning should take away your fears. Of course, if it's a pure Cisco network. :)

I personally love having VLANs tunnelled through all my switches... One good example is if I want to throw a box on a restricted web-only VLAN, then I can simply hop into the switch and set the port to that VLAN. No need to set up additional VLANs or have a separate switch.
 
I just need to stress my dislike of spanning VLANs a bit more.....

There is a MAJOR drawback of spanning VLANs everywhere and that is this: The Layer-3 device these VLANs terminate on (such as a Catalyst 6500) will have VLAN interfaces configured - these will be in an 'UP/UP' state if ANY of the VLAN trunks where these VLANs are allowed are connected. If these Layer-3 devices are advertising routes to these VLANs into an IP network and a Trunk goes down they will keep the interface up and keep advertising the routes - if traffic is forwarded to them for devices that were accessed through the failed trunk they will not have a path to the destination and the packets will be black-holed.
Additionally people who configure HSRP on networks with spanning VLANs will tell you the failover times will be 8-10 seconds using HSRP default timers (you can get this down to sub-1-seconds by reducing timers). BUT they will not explain that there will be further disruption when Spanning-Tree has to re-converge - probably about 45-seconds later where HSRP will fail-back.

Design your network around Layer-3 and you won't regret it - keep thinking in Layer-2 terms and all the holes appear; believe me I have been doing this for years.

Andy
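The black-hole failure mode Andy describes can be made concrete with a small model. This is an added example by the editor, not code from the thread or from Cisco: it models the autostate rule that an SVI stays UP/UP while any trunk carrying its VLAN is up, then fails the uplink to one access switch under a spanned-VLAN design and under a one-VLAN-per-switch design. Topology, interface names and subnets are constructed; default autostate behaviour with no tuning is assumed.

```python
"""Model of the SVI black-hole failure mode: on a Layer-3 switch a VLAN
interface (SVI) stays UP/UP while ANY trunk carrying the VLAN is up, so its
connected route keeps being advertised after the trunk to one access switch
has failed. Topology, names and subnets are constructed for this example
(assumption: default autostate behaviour, no tuning)."""

from dataclasses import dataclass


@dataclass
class Trunk:
    name: str            # uplink interface on the Layer-3 switch
    access_switch: str   # which access switch hangs off it
    allowed_vlans: set   # VLANs carried on this trunk
    up: bool = True


class L3Switch:
    def __init__(self, trunks, svis):
        self.trunks = trunks   # list of Trunk
        self.svis = svis       # {vlan_id: subnet}, one SVI per VLAN

    def svi_up(self, vlan):
        # Autostate rule: the SVI is up if at least one trunk carrying the
        # VLAN is up. It has no idea which hosts sit behind which trunk.
        return any(vlan in t.allowed_vlans and t.up for t in self.trunks)

    def advertised_routes(self):
        # The routing process advertises the connected subnet of every SVI that is up.
        return {net for vlan, net in self.svis.items() if self.svi_up(vlan)}

    def forward(self, vlan, host_switch):
        """Fate of a packet routed towards a host in `vlan` living on `host_switch`:
        'delivered', 'withdrawn' (upstream never had a route) or 'black-holed'
        (route still advertised, but no Layer-2 path to the host)."""
        net = self.svis[vlan]
        if net not in self.advertised_routes():
            return "withdrawn"
        has_path = any(
            t.up and t.access_switch == host_switch and vlan in t.allowed_vlans
            for t in self.trunks
        )
        return "delivered" if has_path else "black-holed"


def spanned_design():
    """VLAN 10 spanned across both access switches over two trunks."""
    return L3Switch(
        trunks=[Trunk("Gi1/1", "access-A", {10}), Trunk("Gi1/2", "access-B", {10})],
        svis={10: "10.0.10.0/24"},
    )


def local_design():
    """One VLAN per access switch; each trunk carries only its own VLAN."""
    return L3Switch(
        trunks=[Trunk("Gi1/1", "access-A", {10}), Trunk("Gi1/2", "access-B", {20})],
        svis={10: "10.0.10.0/24", 20: "10.0.20.0/24"},
    )


def after_link_failure(switch, access_switch="access-B"):
    """Take down the uplink to `access_switch`; return what happens to traffic
    for a host on that switch and which routes are still advertised."""
    for t in switch.trunks:
        if t.access_switch == access_switch:
            t.up = False
    vlan = next(v for t in switch.trunks if t.access_switch == access_switch
                for v in t.allowed_vlans)
    return switch.forward(vlan, access_switch), sorted(switch.advertised_routes())


if __name__ == "__main__":
    print("spanned:", after_link_failure(spanned_design()))   # ('black-holed', ['10.0.10.0/24'])
    print("local:  ", after_link_failure(local_design()))     # ('withdrawn', ['10.0.10.0/24'])
```

In the spanned design the 10.0.10.0/24 route survives the failure because the other trunk keeps the SVI up, so the rest of the network keeps sending traffic that is silently dropped; in the local design the SVI for VLAN 20 goes down with its only trunk and the route is withdrawn, which is the Layer-3 failure signal Andy is arguing for.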
 
Ouch...one of my networks happens to be almost purely layer 2 with cat 3548s and 4003s with only one 3550-SMI.
 
Lan Switching
Cisco's philosophy about switches is "do no harm". All ports are by default in the same vlan, vlan1 to be exact. So you can plug in the switch and plug in the cables and now every port is in a separate collision domain.
Switches work at layer 2 of the OSI model. They listen on each port and write down the source MAC address of every Ethernet frame they hear. This is put in what Cisco calls a CAM table; it's a listing of every port and what machines can be found on each port. These ports are not connected to one another. The switch can connect them when it wants to, but otherwise they are not connected.
The switch is just a series of ports that are not normally connected.
Under what circumstances does the switch connect all the ports?
You would have to be more specific, is there any multicasting going on? Are there different vlans?
Why would the switch decide to connect 2 ports together?
We're only talking one vlan right now. Remember the switch pretty much knows what machines are on what ports; it's been listening and creating these entries in the CAM table. So it receives a frame coming in on port number 1. It looks at the frame and reads the MAC address of the destination and checks its CAM table to see if it has already heard that machine on another port; if it has, it will forward that frame out the port that the destination machine resides on. No other ports will hear this transmission.
On a single switch in a single vlan you could have a machine on port 3 sending a file to a machine on port 21, a machine on port 17 sending file to a machine on port 9, a machine on port 11 logging in to a server located on port 16, all at the same time. If you tried to do that with a hub, you would have collisions as only one data stream could travel the Ethernet at one time.
What if the switch looks in the CAM table but there is no entry listing the MAC address of the destination machine? Does the switch just drop the packet?
You just said "packet"! A packet is a layer 3 data unit. We use frames. And no, the switch will not drop the frame. If the switch does not have an entry in its CAM table, it will copy the frame and send it out all ports at once. When it gets a response it will add that machine to the CAM table and all future frames will be switched to that port.
What about broadcasts, what does the switch do with them? You know, ARP broadcast and stuff like that?
Broadcasts are always flooded out all ports that are members of the same vlan.
What's a vlan?
A vlan or "virtual lan" is simply a group of ports that you have put in the same broadcast domain. Take a 24 port switch for example, by default all ports can hear broadcasts from all other ports. The switch is maintaining a CAM table of all 24 ports so that it can switch frames between ports. This is a single lan, or vlan if you like, now take a hacksaw and saw the switch in half. Now you have 2 vlans. Computers in one vlan cannot talk or hear broadcasts from the other vlan.
You can administratively create different vlans and assign ports to these vlans
On a Catalyst you create these separate vlans from the command line. Each port can only be a member of one vlan though, there are exceptions like SPANning a port and trunking but for now, the rule is one vlan per port.
How does this really work in the real world? How do subnets figure in?
Every vlan is a separate subnet! You create a vlan called Accounting, all the computers in that vlan have IP addresses that place them in the same subnet. All machine on the same subnet (vlan) hear broadcasts from the other machines on the same vlan.
Does the switch route traffic from one vlan to another?
NO!
How do the packets get routed?
The switch always needs a router connected to it if it's going to route packets between vlans!
A serious problem with switches.
Switches by default forward broadcasts. If your switch topology contains redundant paths or bridge loops, a broadcast storm of Biblical proportions could result.
· Routers on the other hand, do not have this problem because they do not forward broadcasts.
· Switches use something called the Spanning Tree Protocol to ensure a loop free topology.
The world of Spanning Tree has two warring factions, each bent on the destruction of the other. The two factions are the IEEE and DEC. These two spanning tree protocols are not compatible and should never be enabled on the same network simultaneously. Use the IEEE version of Spanning Tree unless you work at DEC.
Problems relating to spanning tree can easily create broadcast storms that lock up routers so bad you can't even get a console connection!
A switch is really a group of bridges that are wired up in a star pattern. Every port on a switch is a bridge, and behind every port they are wired together. So you can say switch port or bridge, but you are talking about the same thing.
Spanning tree is a bridging protocol and as such is applied to individual ports on a switch.
The switch is a box that houses the bridge ports. It's the bridge ports that use Spanning Tree to talk to other bridge ports. When Spanning Tree is running on your switch, what is going on behind the scenes is that every active port on your switch is sending out little packets called Bridge Protocol Data Units or BPDUs. Sometimes BPDUs are called "hello messages". These BPDUs are beaconed out every 2 seconds by default. When you introduce a port into a spanning tree environment, it listens for these BPDUs to learn about the spanning tree topology.
How is the topology created by spanning tree?
The entire topology must resemble a tree to work properly and avoid loops. A tree has small branches that flow downward into larger branches to a common, single root. If you have your switches wired together that contains multiple paths or that is "meshy", spanning tree will run what's called the Spanning Tree Algorithm and choose which ports offer the best path to the root of the tree. Those ports which spanning tree selects as the way out of the local network will be put in a forwarding state and the other, non optimal ports will be put in a blocking state.
Is there a central SPT server that does this calculation, then tells all the ports in the enterprise what state to become?
No, as long as each switch is using the same version of spanning tree, IEEE for example, they all know the rules and can read the BPDUs and determine which ports are blocked and which ports can forward.
When a port comes up it goes into the Listening State. It listens for BPDUs and, by examining the contents of the BPDUs, figures out the topology of the existing network.
After the listening state, the port may decide that it should go into a Blocking State. In the blocking state, no data can pass through the port but it is still examining BPDUs.
The port remains in the Listening State for however long a duration is specified by the Forward Delay Timer. The Forward Delay Timer is set to 15 seconds by default.
After the 15 second listening state, if the port does not go into blocking state, it then spends another leisurely 15 seconds in the Learning State. In the Learning State the port is learning MAC addresses and adding those entries into its CAM table. After the Learning State is complete, the port goes into Forwarding State and can transmit data.
30 seconds before the port will send data?!?!? That just won't do!
There's a work around! When you have a single workstation or endpoint plugged into a port, you can selectively disable the spanning tree protocol on that port. After all, spanning tree's only job is to prevent loops by shutting off redundant paths in the network. But your endpoint only has one path to the network, through that port!
So we can turn off spanning tree?
We're not going to turn off spanning tree, we'll just disable it on this one port. But now that you mention it, it's very possible that you are the administrator of a network that, by physical design, does not have any loops in the topology. Nearly all small networks are like that. If that's the case, yes, you can disable spanning tree network wide and save the bandwidth and CPU cycles that STP would use to do a job you don't need.
If my network has redundant paths, I'll use spanning tree, but can you tell me exactly how to shut it off on a single port, so my endpoint can access the network immediately?
Cisco calls it PortFast and you enter the following command:
set spantree portfast <module>/<port> enable
So if you plug your workstation into the 12th port on the 2nd slot in your Catalyst 5505, you would enter the command:
set spantree portfast 2/12 enable
To disable PortFast on this port:
set spantree portfast 2/12 disable
As you can see, those engineers at Cisco made this easy.
You call that easy? Cisco should provide a mouse and a graphical interface like Microsoft does, now that's what I'd call easy...
There's a wonderful page at Cisco that explains how to Configure Spanning Tree.
What did we learn?
1.Learning technical material is easy when it is being taught by a curvaceous redhead in a lowcut outfit.
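The CAM-table behaviour the tutorial walks through (learn the source, forward known unicast out one port, flood unknown unicast and broadcasts within the VLAN only, never cross VLANs) can be exercised with a toy switch model. This is an added example by the editor, not code from the post or from Cisco. It also gives the table a finite capacity to show the security caveat a practitioner should attach to "no other ports will hear this transmission": once the CAM table is full (the classic MAC-flooding attack), traffic for hosts that could not be learned is flooded and the attacker's port hears it. MAC addresses and port layouts are constructed, and entry aging is ignored, both by assumption.

```python
"""Toy learning switch: a per-VLAN CAM table, known unicast out exactly one
port, unknown unicast and broadcast flooded to the other ports of the same
VLAN, never across VLANs (that takes a router). The optional table capacity
models the finite hardware CAM so the MAC-flooding degradation can be shown.
MACs and port layouts are constructed; entry aging is ignored (assumption)."""

BROADCAST = "ff:ff:ff:ff:ff:ff"


class Switch:
    def __init__(self, port_vlans, cam_capacity=None):
        self.port_vlans = dict(port_vlans)   # {port: vlan}
        self.cam = {}                        # {(vlan, mac): port}
        self.cam_capacity = cam_capacity     # None = unlimited

    def _learn(self, vlan, mac, port):
        key = (vlan, mac)
        if key in self.cam or self.cam_capacity is None or len(self.cam) < self.cam_capacity:
            self.cam[key] = port
        # Table full and source unknown: not learned, so frames *to* it keep flooding.

    def receive(self, in_port, src, dst):
        """Return the sorted list of ports the frame is sent out of; [] means filtered."""
        vlan = self.port_vlans[in_port]
        self._learn(vlan, src, in_port)
        if dst != BROADCAST:
            out = self.cam.get((vlan, dst))
            if out == in_port:
                return []          # destination sits on the ingress segment: drop
            if out is not None:
                return [out]       # known unicast: exactly one port hears it
        # Broadcast or unknown unicast: flood within the VLAN, never back out in_port.
        return sorted(p for p, v in self.port_vlans.items() if v == vlan and p != in_port)


def two_vlan_demo():
    """24-port switch 'sawn in half': ports 1-12 are VLAN 10, ports 13-24 are VLAN 20."""
    sw = Switch({p: (10 if p <= 12 else 20) for p in range(1, 25)})
    arp = sw.receive(1, "00:00:00:00:00:01", BROADCAST)                  # ARP request: VLAN 10 only
    known = sw.receive(3, "00:00:00:00:00:03", "00:00:00:00:00:01")      # learned -> port 1 only
    unknown = sw.receive(3, "00:00:00:00:00:03", "00:00:00:00:00:13")    # no entry -> flood VLAN 10
    other_vlan = sw.receive(13, "00:00:00:00:00:13", "00:00:00:00:00:01")  # VLAN 20 never reaches port 1
    return arp, known, unknown, other_vlan


def mac_flood_demo(attacker_port=5, table_size=8):
    """An attacker on `attacker_port` fills an 8-entry CAM with bogus sources;
    a legitimate host that shows up afterwards is never learned, so traffic to
    it is flooded and the attacker's port hears it (hub-like degradation)."""
    sw = Switch({p: 10 for p in range(1, 9)}, cam_capacity=table_size)
    sw.receive(1, "00:00:00:00:00:01", BROADCAST)                    # victim learned on port 1
    for i in range(table_size):
        sw.receive(attacker_port, "de:ad:be:ef:00:%02x" % i, BROADCAST)  # fill the table
    sw.receive(2, "00:00:00:00:00:02", BROADCAST)                    # real host on port 2: table full
    return sw.receive(1, "00:00:00:00:00:01", "00:00:00:00:00:02")  # flooded instead of [2]


if __name__ == "__main__":
    print(two_vlan_demo())
    print("flooded to:", mac_flood_demo())   # [2, 3, 4, 5, 6, 7, 8], attacker on 5 included
```

The two-VLAN demo is the "hacksaw" picture in code: a broadcast from port 1 reaches ports 2 to 12 and nothing in VLAN 20. The flooding demo is why port security (limiting learned MACs per port) matters on access ports even inside a single VLAN.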

 
Don't extend the broadcast domain via trunking.
Why flood unnecessary packets across inter-switch links?
Keep all VLANs local to each switch and route between them.
Clean.
Easy to troubleshoot.
Less link traffic.

Nettekkie1010
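To turn the "keep VLANs local" advice into something you can check against a real estate, here is an audit helper added by the editor (not from the thread or from Cisco). Given per-switch access-port and trunk configuration, it reports which VLANs are spanned (access ports on more than one switch) and which VLANs each trunk carries with no local access port, the broadcast domains being extended for nothing and the first candidates for trimming with "switchport trunk allowed vlan". The configurations are constructed, IOS-style snippets, which is an assumption: the thread's own command is CatOS "set" syntax. The IOS default that a trunk with no allowed-VLAN list carries every VLAN is modelled deliberately.

```python
"""Audit spanned VLANs from per-switch configs. The CONFIGS below are constructed
IOS-style snippets (assumption: 'switchport mode trunk', 'switchport trunk
allowed vlan', 'switchport access vlan'); nothing here is from a real network."""

import re
from collections import defaultdict

ALL_VLANS = set(range(1, 4095))   # IOS default when a trunk has no 'allowed vlan' line

CONFIGS = {
    "access-A": """
interface FastEthernet0/1
 switchport access vlan 10
interface FastEthernet0/2
 switchport access vlan 10
interface FastEthernet0/3
 switchport access vlan 30
interface GigabitEthernet0/1
 switchport mode trunk
 switchport trunk allowed vlan 10,30
""",
    "access-B": """
interface FastEthernet0/1
 switchport access vlan 20
interface FastEthernet0/2
 switchport access vlan 30
interface GigabitEthernet0/1
 switchport mode trunk
 switchport trunk allowed vlan 10-30
""",
    "access-C": """
interface FastEthernet0/1
 switchport access vlan 40
interface GigabitEthernet0/1
 switchport mode trunk
""",
}


def parse_vlan_list(spec):
    """Expand an IOS VLAN list such as '10,20-22' into {10, 20, 21, 22}."""
    vlans = set()
    for part in spec.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = part.split("-")
            vlans.update(range(int(lo), int(hi) + 1))
        elif part:
            vlans.add(int(part))
    return vlans


def interface_blocks(config):
    """Split a config into (interface name, [indented lines]) stanzas."""
    blocks, current = [], None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = (line.split()[1], [])
            blocks.append(current)
        elif current is not None and line.startswith(" "):
            current[1].append(line.strip())
    return blocks


def parse_switch(config):
    """Return ({access_vlan: port_count}, set of VLANs carried on trunks)."""
    access = defaultdict(int)
    allowed = set()
    for _name, lines in interface_blocks(config):
        if "switchport mode trunk" in lines:
            specs = [m.group(1) for m in
                     (re.match(r"switchport trunk allowed vlan ([\d,\-]+)", l) for l in lines) if m]
            if specs:
                for spec in specs:
                    allowed |= parse_vlan_list(spec)
            else:
                allowed |= ALL_VLANS   # no list configured: the trunk carries everything
            continue
        for l in lines:
            m = re.match(r"switchport access vlan (\d+)", l)
            if m:
                access[int(m.group(1))] += 1
    return dict(access), allowed


def audit(configs):
    per_switch = {name: parse_switch(cfg) for name, cfg in configs.items()}
    switches_with_ports = defaultdict(set)
    for name, (access, _allowed) in per_switch.items():
        for vlan in access:
            switches_with_ports[vlan].add(name)
    spanned = {v: sorted(s) for v, s in switches_with_ports.items() if len(s) > 1}
    carried_without_ports = {}
    for name, (access, allowed) in per_switch.items():
        extra = sorted(allowed - set(access))   # trunked in, but nobody local is in it
        if extra:
            carried_without_ports[name] = extra
    return {"spanned": spanned, "carried_without_local_ports": carried_without_ports}


if __name__ == "__main__":
    result = audit(CONFIGS)
    print("spanned VLANs:", result["spanned"])
    for name, vlans in result["carried_without_local_ports"].items():
        print(name, "carries", len(vlans), "VLANs with no local port, e.g.", vlans[:5])
```

On the constructed input VLAN 30 is the spanned one (a port on access-A and one on access-B), access-B pulls in 19 VLANs it has no ports in because of the 10-30 range, and access-C, whose trunk has no allowed list at all, is a member of 4093 broadcast domains it has no use for.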
 