Understanding VLAN 1
It is important to understand the significance of VLAN 1. By default, all switch ports are part of VLAN 1. VLAN 1 contains control plane traffic and can contain user traffic. It is recommended that user traffic be configured on VLANs other than VLAN 1, primarily to prevent unnecessary user broadcast and multicast traffic from being processed by the Network Management Processor (NMP) of the supervisor. Although VLAN 1 user traffic can be pruned from a trunk, it is not the case with control plane traffic. In fact, in older Cisco Catalyst Software versions (5.4 or earlier), VLAN 1 could not be removed at all from a trunk. Control plane traffic such as VTP, CDP, and PAgP protocols are tagged with VLAN 1 information and are forwarded on a trunk regardless if the trunk has pruned VLAN 1.
Management VLAN, discussed in the next section, is used to monitor and manage the switches on the network. This section also introduces best practices involving management VLAN.
The internal switch interface, sc0, is used for management of the switch. Management VLAN is used for purposes such as telnet, SNMP, and syslog. By default, VLAN 1 is the management VLAN. Ensure that there are no redundant links for the management VLAN. This practice eliminates the need to rely on the spanning-tree algorithm. This prevents the management VLAN from having any potential issues with spanning-tree loops. If the Layer 2 configuration does not provide an option to eliminate redundancy for the management VLAN, separate physical connections supporting only the management VLAN should be considered. Ensure that the management VLAN does not have any user traffic on it by only allowing switch management interfaces to be members of that VLAN.
Management VLAN Best Practices
With the introduction of Cisco's powerful switches and VLAN feature, most companies started to deploy a switched network with VLANs extending throughout the LAN campus. Perhaps the strongest driving force to deploying a Layer 2 network was that Layer 3 devices could not keep up with Layer 2 switching engines. The phrase "the network is as fast as its slowest link" comes to mind. These days Layer 3 engines are no longer bottlenecks and can keep pace with Layer 2 engines. For example, the Catalyst 6500 is not the only Layer 3/Layer 2 switching device, but it has the most features and highest switching performance on the market today.
Perhaps the biggest issue with extending VLANs across multiple switches is spanning-tree loops. Spanning Tree Protocol (STP) is a loop-avoidance protocol designed to provide redundancy in a switch fabric network. Host3 will take the path via Switch2 to send traffic to the rest of the hosts on that segment that is not on Switch3 (see Figure 4-8). This works relatively well. If a failure occurs between Switch2 and Switch3, STP can bring up the redundant link, and traffic will be forwarded again after spanning tree converges.
Consider a situation where an STP loop occurs because of a bad transceiver that maintains a link but passes traffic unidirectional, or a hardware failure that results in missed STP BPDUs. This loop will degrade the performance on the switch network, users will have intermittent connectivity, and eventually, the network will be saturated. In a spanning-tree loop, an engineer at times has to console into the device because of slow telnet sessions because of excessive traffic on the network. Any time a VLAN is extended to various switches with redundant links, the network is vulnerable to such an event.
The other chronic issue with Layer 2 design is broadcast, multicast, and unicast flooding. A broadcast message is sent to MAC address FF-FF-FF-FF-FF-FF, which is received by all hosts on the VLAN. When Host1 sends an Address Resolution Protocol (ARP) for Host2, all other devices will also receive the broadcast message. In a huge network, with a great number of users and multiple switches involved, broadcast traffic can unnecessarily eat up bandwidth. Each device will look at the packet at Layer 3 to see if the packet belongs to it; if not, the packet is thrown away. The process of looking at the packet at Layer 3 requires CPU cycles, and as result, devices are functioning sub-optimally. Typically, ARP does not really cause that much trouble, but if in-house applications exist that communicate via broadcast, the application can adversely affect the network for the aforementioned reasons. If a broadcast storm occurs, it can and will bring the segment down completely. The real solution is to keep the segment small regardless whether the discussion is based on physical or logical segment. The rule of thumb is that the broadcast traffic should not be greater than 20 percent of the total traffic on the VLAN or segment.
To prevent excessive broadcasts on a segment, especially in a broadcast storm situation, Cisco switches have a mechanism to control the upper limits of broadcast traffic on a port. Cisco switches monitor the level of broadcast activity in 1-second intervals. They do this by looking at the individual/group destination address in the Ethernet frame. This value is compared with a predefined threshold set by the user. If the sample rate per second exceeds the threshold, the suppression mechanism is enabled, which filters broadcast packets on that port for a specified period of time. By default, broadcast suppression is disabled on Catalyst switches. In this example, the threshold is set to 50%, and anything higher will be dropped.
Broadcast suppression can easily be configured on the switch. According to the following command, any broadcast traffic that exceeds 50% on port 10/1 will be dropped:
The actual threshold value is contingent up the engineer's knowledge of the traffic on that segment. This feature does not allow broadcast storms to consume all available bandwidth and melt the network down.
Pruning can also be configured on the switches to reduce the diameter of the broadcast domain. Options are available to control the broadcast domain; these would require time and strategic planning to make Layer 2 somewhat resilient to a broadcast storm.
Some engineers believe that VLANs should never leave the box. In other words, keep Layer 2 small, which can help address issues with VTP client/server mode, and more importantly, spanning tree. The practice also means that trunking is not necessary. Essentially, the engineers want to push for a Layer 3 model. A Layer 3 design has many positive and negative attributes, but it does have one big advantage: Layer 3 does a better job of controlling the spread of the outage in the network.
Avoid extending VLANs, if at all possible. If this is not possible, keep the diameter of the Layer 2 switches small. Spanning tree recommends no more than seven switches between hosts. Avoid VTP client/server mode, and if pruning is required, use manual pruning.