CoNetrix

Blog: VLAN

On newer model Cisco small business switches, the interface VLAN mode designation is different than what you might expect:

  1. The default mode is "Trunk".  This is not the same as "switchport mode trunk" on enterprise Cisco switches.  This mode can be left as is for plugging in a host, but is actually best used when setting up link aggregation.
  2. The "Access" mode is similar to the "switchport mode access" command on enterprise Cisco switches and is the mode that should be used when setting up multiple VLAN access on a switch.
  3. The "General" mode is comparable to the "switchport mode trunk" command on enterprise Cisco switches.  This is the mode an interface should be set to when Dot.1Q VLAN tagging needs to be configured.
Networking, Cisco, VLAN,
 

When working with Cisco 800 model routers (and probably any Cisco Integrated Services Router) you might run into an issue that the VLAN which is assigned to the LAN ethernet ports is in an “up/down” state.  This is because an SVI must meet all of the following conditions to transition to the full "up/up" state:

  • The VLAN must exist and be active in the VLAN database.
  • At least one switched port in the VLAN (access or trunk) must be up.
  • That port must be in the STP forwarding state.

Sometimes it is necessary to have that VLAN interface up even if there are no devices or ports using that VLAN.  [more]The most recent case that I experienced this need was when I was trying to transfer IOS images remotely across a VPN connection.  Because the transfer was traversing across the VPN I had to source the file transfer from the internal VLAN interface.   There weren’t any PC’s connected to the router so the VLAN interface was in an “up/down” state.  To resolve this issue, I could have either connected a PC or a loopback into the router or simply forced the VLAN into an “up/up” state.  Issuing the “no autostate” command on the VLAN interface will bring the interface up.  Basically, the command just tells the VLAN interface to ignore the above mentioned prerequisites.  Note: This command is only available in certain IOS images.

Networking, VPN, Cisco, routers, VLAN,
 

During a recent bank's information security audit, a coworker and I wrestled with LANguard for the better part of two days trying to figure out why LANguard would freeze during network scanning.  There were several potential culprits including a VLAN setting on the port I was using, a “switch” (which looked just like a little 4 port hub) the company had set up to allow me to use two laptops, etc.  I tried scanning from my laptop, from my VM, from the other laptop, skipping the “switch”, etc.  Finally, I set LANguard to a single thread and noted the scan stopped at the “Enumerate Trusted Domains” step.  The company had two domains, something we don’t often encounter.  I disabled this item in the scanning profile and, presto, the scan ran.  To eliminate any other variables, I turned “Enumerate Trusted Domains” back on and it stalled again.

Security and Compliance, VLAN, LANguard,
 

We have a VMWare ESXi 4 infrastructure that we wanted to have VM’s with two separated networks: DMZ and Internal. This was accomplished by using the VLAN tags within the virtual switches to separate the traffic. However, when the VLAN tags were implemented on the separate switches, then we could no longer access the host itself at it’s ip address. The reason was that we did not assign a VLAN ID to the host itself. This can be done at the configuration option of the ESXi console (F2). Alternatively, one could have a completely isolated NIC card that is just for servicing the host machine that is independent of the NIC card(s) for the embedded VM’s.

Networking, VMware, NIC, VLAN, ESX,