03-18-2020 08:45 AM
When I run "sh vlan", the command which shows the VLANs, which of them are active, and how they are described, the output does not match what the "sh run" command shows me as defined. I have one VLAN in the "sh vlan" output that doesn't even exist in the running config.
How does this happen? How does the one not even defined in the running config work at all?
03-18-2020 09:08 AM
- It can be present in vlan.dat as learned, for instance, if you are using VTP. It implies, for instance, that you may not use all the VLANs available to your switch in the running-config.
M.
03-18-2020 09:17 AM
Since we do not know much about your environment, please provide the device model and which IOS code it is running, and post the output below so we can understand better:
show version
show vlan
dir flash:/
03-18-2020 09:57 AM
Hi,
Unless you manually configured VTP, you still run VTP in server mode. If you run VTP in server or client mode, configured VLANs are kept in the VLAN.dat file in flash and not in the "running-config". If you want to see the VLANs in "running-config", change over to VTP transparent mode ("vtp mode transparent") and you'll see them in "show run".
Regards,
Cristian Matei.
03-18-2020 10:26 AM
The switch is our core 9500 in our Data Center. I thought it was in server mode; turns out it's in client mode. I don't want it to be in transparent mode. Is there a way to see the VLAN details in the VLAN.dat file? "sh vlan detail" or something? I want to confirm what VLAN numbers are in use and what IP settings each has before I change a /21 subnet into eight /24 subnets. It is rather annoying that the running config is not accurate.
03-18-2020 10:44 AM
If it is in client mode, all the VLAN information is coming from the VTP server. So you need to look at the VTP server to see what VLANs are available, and why they were not populated to the client.
Check the config on the VTP server and the VTP client config, and that they are able to communicate with each other.
In most DC environments I suggest not deploying VTP server/client mode; I always suggest transparent mode.
Post "show vtp status" along with the config.
03-18-2020 11:03 AM - edited 03-18-2020 11:04 AM
Normally, our MDF switch at each of our school sites is the VTP server and all the IDF switches are in client mode. Given this is the core switch in our data center, I don't think we have a VTP "server" in the room.
I looked at the content of the VLAN.dat file, and while it is not directly a text file, I could see the VLAN names in the right-hand column of the output. How does the VLAN.dat file get its data? I would have thought it would be when you create VLANs in the CLI on the switch.
03-18-2020 11:21 AM - edited 03-18-2020 11:25 AM
In VTP transparent mode, my running config shows this, now:
!
vlan 90
name Guest-Wireless-90
!
vlan 126
name VoIP-2
!
vlan 231
name UCS-MGMT
!
vlan 232
name VMware-MGMT
!
vlan 233
name VM-Motion
!
vlan 235
name Server_LAN
!
vlan 500
name INTERNET
!
vlan 501
name FIREWALL-Deprecated
!
vlan 502
name FIREWALL-DMZ
!
vlan 505
name Untrusted
!
vlan 506
name FIREWALL-INSIDE
!
vlan 600
name PRIVATE
!
vlan 999
!
But the running-config lines for the VLAN interfaces are these:
!
interface Vlan1
ip address 10.12.119.254 255.255.248.0
!
interface Vlan42
no ip address
ip helper-address 10.12.112.1
shutdown
!
interface Vlan43
no ip address
ip helper-address 10.12.112.1
shutdown
!
interface Vlan44
no ip address
ip helper-address 10.12.112.1
shutdown
!
interface Vlan45
no ip address
ip helper-address 10.12.112.1
shutdown
!
interface Vlan46
no ip address
ip helper-address 10.12.112.1
shutdown
!
interface Vlan48
no ip address
ip helper-address 10.12.112.1
shutdown
!
interface Vlan49
no ip address
ip helper-address 10.12.112.1
shutdown
!
interface Vlan61
no ip address
ip helper-address 10.12.112.1
shutdown
!
interface Vlan71
no ip address
ip helper-address 10.12.112.1
shutdown
!
interface Vlan72
no ip address
ip helper-address 10.12.112.1
shutdown
!
interface Vlan73
no ip address
ip helper-address 10.12.112.1
shutdown
!
interface Vlan80
no ip address
ip helper-address 10.12.112.1
shutdown
!
interface Vlan81
no ip address
ip helper-address 10.12.112.1
shutdown
!
interface Vlan82
no ip address
ip helper-address 10.12.112.1
no ip redirects
shutdown
!
interface Vlan90
ip address 10.15.240.254 255.255.255.0
ip helper-address 10.12.112.1
ip helper-address 10.12.112.7
ip access-group Guest-Wireless in
!
interface Vlan125
no ip address
shutdown
!
interface Vlan126
description VoIP-2
ip address 10.14.222.254 255.255.255.0
ip helper-address 10.12.112.200
!
interface Vlan200
ip address 10.1.246.230 255.255.255.248
shutdown
!
interface Vlan231
description UCS Blade and server Management VLAN
ip address 172.30.1.254 255.255.255.0
!
interface Vlan232
description VM Management VLAN
ip address 172.30.2.254 255.255.255.0
!
interface Vlan233
no ip address
!
interface Vlan235
description Server Communication VLAN
ip address 172.30.5.254 255.255.255.0
no ip redirects
!
interface Vlan310
no ip address
shutdown
!
interface Vlan500
ip address 163.150.103.254 255.255.255.0
shutdown
!
interface Vlan501
no ip address
shutdown
!
interface Vlan505
description Firewall-Inside
ip address 10.12.0.1 255.255.255.0
!
interface Vlan506
description Depricated Firewall inside
no ip address
shutdown
My concern and confusion come from this: VLAN 233 shows active in the "sh vlan" list but has no IP address in the running config. VLANs 500 and 501 show active in the "sh vlan" output but are shut down in the running config. VLAN 502 shows active in the "sh vlan" output but doesn't exist in the running config. VLAN 506 shows active in the "sh vlan" output but has no IP address in the config. VLAN 600 shows in the "sh vlan" output but does not exist in the running config.
This makes configuring the switch for new subnets and VLANs rather unclear.
03-18-2020 12:21 PM
Hi,
You can see the VLAN database in two ways:
- in readable format via "show vlan", "show vtp status" and "show vtp password", as all of these are contained in the VLAN.dat file
- in a less readable format by copying it to a remote FTP/TFTP server and reading it as text, or via "more flash:/vlan.dat"
Yes, in the DC, VTP is considered a vulnerability (nobody wants a complete DC blackout due to missing VLANs) and it's not used.
Regards,
Cristian Matei.
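As an added example that is not part of Cristian's post: a Python check over a "show vtp status" paste that flags the two settings behind the risk he describes. A switch in server or client mode on VTP version 1 or 2 accepts a higher-revision advertisement from any switch in its domain, and a server or client with a null domain name adopts the first domain it hears. The sample outputs are constructed in the layout of that command, not captures from any switch, and the field names parsed ("VTP Operating Mode", "VTP version running", "VTP Domain Name") are assumed to match that layout.

```python
import re

# Constructed samples in the "show vtp status" layout of a Catalyst running
# VTP version 2; neither is a capture from the poster's switch.
VTP_CLIENT = """\
VTP Version capable             : 1 to 3
VTP version running             : 2
VTP Domain Name                 : CAMPUS
VTP Pruning Mode                : Disabled
VTP Traps Generation            : Disabled
Device ID                       : 00aa.bbcc.dd01
Configuration last modified by 10.12.119.250 at 3-10-20 14:02:11

Feature VLAN:
--------------
VTP Operating Mode                : Client
Maximum VLANs supported locally   : 4096
Number of existing VLANs          : 14
Configuration Revision            : 57
MD5 digest                        : 0x1A 0x2B 0x3C 0x4D 0x5E 0x6F 0x70 0x81
"""
VTP_TRANSPARENT = VTP_CLIENT.replace(": Client", ": Transparent")
VTP_NULL_DOMAIN_SERVER = VTP_CLIENT.replace(": Client", ": Server").replace(": CAMPUS", ": ")

FIELD = re.compile(r"^([A-Za-z][^:]*?)\s+:\s*(.*)$")  # only the "key : value" rows


def parse_vtp_status(text):
    """Return the key/value rows of a "show vtp status" paste as a dict."""
    fields = {}
    for line in text.splitlines():
        m = FIELD.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def vtp_risks(text):
    """Flag settings that let another switch rewrite this switch's vlan.dat.

    accepts-advertisements: a server or client on VTP v1/v2 accepts a higher-revision
        advertisement from any switch in its domain (with a matching password), and
        ports in VLANs that the update deletes go inactive.
    null-domain: a server or client with no domain name adopts the first domain
        it hears on a trunk, so it joins whatever domain a neighbour advertises.
    """
    f = parse_vtp_status(text)
    mode = f.get("VTP Operating Mode", "").lower()
    version = f.get("VTP version running", "")
    risks = []
    if mode in ("server", "client"):
        if version != "3":
            risks.append("accepts-advertisements")
        if not f.get("VTP Domain Name"):
            risks.append("null-domain")
    return risks


if __name__ == "__main__":
    for label, sample in (("client", VTP_CLIENT), ("transparent", VTP_TRANSPARENT)):
        print(label, vtp_risks(sample) or "no VTP propagation risk")
```

On the poster's core, the fix consistent with the advice in this thread is "vtp mode transparent" (or "vtp mode off" on platforms that support it). If VTP has to stay, VTP version 3 limits database changes to the primary server, and a VTP password (visible with "show vtp password") makes the switch reject advertisements whose MD5 digest does not match.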
03-18-2020 12:32 PM
Good info, Cristian.
But... how do I reconcile what VLANs are actually on the switch and what their IPs are if the running config and the VLAN.dat don't seem to agree? How do they get out of sync? Since we don't have a VTP "server" switch in the Data Center, nothing should be able to override the settings in the running config.
03-19-2020 08:30 AM
I think it would be helpful in this conversation to remember the differences between the layer 2 aspect of vlans and the layer 3 aspect of vlans. Essentially a vlan must operate as a layer 2 entity and might also operate as a layer 3 entity. Our familiar definition of vlan as defining a broadcast domain is the layer 2 definition of vlan. The layer 2 vlan information can be propagated by vtp and the layer 2 vlan information is what you see in the vlan data base. The layer 3 aspect of the vlan is defined in the interface vlan x command in running config rather than in vlan.dat. There is not any requirement that the layer 2 vlan data base be in sync with the layer 3 running config. It is quite legitimate for a vlan to exist in the vlan data base but to have no IP address. And it is quite legitimate for a layer 2 vlan to be active while its layer 3 interface is shutdown.
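As an added example, not part of the original thread: a small Python reconciler that reads the layer 2 view (a "show vlan brief" paste, i.e. vlan.dat) and the layer 3 view (the "interface Vlan" sections of "show run") and labels each VLAN as layer-2-only, routed, SVI without an IP, SVI shut down, or an SVI whose VLAN is missing from vlan.dat. The two pasted outputs are constructed to mirror the VLAN numbers in this thread, not captures from the poster's 9500, and the labels are this example's own. It also lists each addressed SVI's network and carves the poster's /21 into /24s.

```python
import ipaddress
import re

# Constructed sample in the "show vlan brief" layout, using VLAN numbers from
# this thread; it is not a capture from the poster's 9500.
SHOW_VLAN_BRIEF = """\
VLAN Name                             Status    Ports
---- -------------------------------- --------- ------------------------
1    default                          active    Gi1/0/1, Gi1/0/2
233  VM-Motion                        active    Te1/1/1
500  INTERNET                         active
502  FIREWALL-DMZ                     active    Gi1/0/10
505  Untrusted                        active    Gi1/0/11
1002 fddi-default                     act/unsup
"""

# Constructed excerpt in "show running-config | section ^interface Vlan" form.
SHOW_RUN_SVIS = """\
interface Vlan1
 ip address 10.12.119.254 255.255.248.0
!
interface Vlan42
 shutdown
!
interface Vlan233
 no ip address
!
interface Vlan500
 ip address 163.150.103.254 255.255.255.0
 shutdown
!
interface Vlan505
 ip address 10.12.0.1 255.255.255.0
!
"""

VLAN_LINE = re.compile(r"^(\d+)\s+(.+?)\s+(active|suspended|act/unsup|act/lshut|sus/lshut)(\s|$)")

def parse_vlan_brief(text):
    """Layer 2 view (vlan.dat): {vlan_id: status}."""
    vlans = {}
    for line in text.splitlines():
        m = VLAN_LINE.match(line)
        if m:
            vlans[int(m.group(1))] = m.group(3)
    return vlans

def parse_svis(text):
    """Layer 3 view (running-config): {vlan_id: {"ip": (addr, mask) or None, "shutdown": bool}}."""
    svis, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()  # tolerate pasted configs that lost their indentation
        m = re.match(r"interface Vlan(\d+)$", line)
        if m:
            current = svis[int(m.group(1))] = {"ip": None, "shutdown": False}
            continue
        if line == "!" or line.startswith("interface "):
            current = None  # end of this SVI's block
        elif current is not None:
            m = re.match(r"ip address (\S+) (\S+)$", line)  # "no ip address" does not match
            if m:
                current["ip"] = (m.group(1), m.group(2))
            elif line == "shutdown":
                current["shutdown"] = True
    return svis

def reconcile(vlan_brief, running_config):
    """Label each VLAN: l2-only (in vlan.dat, no SVI), svi-shutdown, svi-no-ip, routed,
    or svi-orphan (an SVI whose VLAN is missing from vlan.dat, so the interface stays down)."""
    l2, svis, report = parse_vlan_brief(vlan_brief), parse_svis(running_config), {}
    for vid, status in l2.items():
        if status != "active":  # skip the reserved act/unsup VLANs
            continue
        svi = svis.get(vid)
        if svi is None:
            report[vid] = "l2-only"
        elif svi["shutdown"]:
            report[vid] = "svi-shutdown"
        elif svi["ip"] is None:
            report[vid] = "svi-no-ip"
        else:
            report[vid] = "routed"
    for vid in svis:
        if vid not in l2:
            report[vid] = "svi-orphan"
    return report

def routed_subnets(running_config):
    """{vlan_id: "network/prefix"} for every SVI that carries an address."""
    return {vid: str(ipaddress.ip_network("%s/%s" % svi["ip"], strict=False))
            for vid, svi in parse_svis(running_config).items() if svi["ip"]}

def split_subnet(network, new_prefix):
    """The poster's plan: carve one /21 into eight /24s."""
    return [str(n) for n in ipaddress.ip_network(network).subnets(new_prefix=new_prefix)]

if __name__ == "__main__":
    print(reconcile(SHOW_VLAN_BRIEF, SHOW_RUN_SVIS))
    print(routed_subnets(SHOW_RUN_SVIS), split_subnet("10.12.112.0/21", 24))
```

Feed it the real pastes and every "l2-only" entry is a VLAN that is switched on this box but routed somewhere else (or nowhere), which is exactly the case Richard describes; an "svi-orphan" is the reverse, an interface Vlan with nothing behind it at layer 2, which is why it never comes up.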
03-19-2020 10:12 AM
Richard,
If I can submit a follow-up question...
I started looking up the difference between the two aspects ( layer 2 vs layer 3 ) and I found a recent post of yours, here:
https://community.cisco.com/t5/switching/what-is-layer-2-and-layer-3-vlan/td-p/2921946
In the above thread, you mentioned that VLANs are actually just a layer 2 feature and that the layer 3 part is an interface feature. At least that's how I interpreted it. In the switches I've been studying and using in our network, all the VLANs had a subnet associated with them, which is why finding VLANs with no IP perplexed me. Do you have a good reference doc I can check out to help clear this up for me? I'm not sure how I could even utilize a layer 2 VLAN, since I'm used to assigning interfaces to it.
03-19-2020 11:39 AM
While you were submitting your follow-up question I was submitting more explanation, which I hope was helpful. Now let me try to address your follow-up question. I am glad that you found that other discussion of layer 2 and 3 vlans. And it is another opportunity to recognize that sometimes we are precise in our terminology and sometimes we are not precise. If we are going to be precise we should say that a vlan is a layer 2 entity (and on many switches it shows up in the vlan database, not necessarily in the running config). But a lot of the time our discussions are not so precise and we talk about vlan interfaces which provide layer 3 functionality for the layer 2 vlan. So for many of our discussions the difference is blurred and we talk and act as if a vlan was both layer 2 and layer 3. In your follow-up you said "and that the layer 3 is an interface feature. At least that's how I interpreted it." I would say that your interpretation was correct, if we are going to be precise.
In many of our networks when we deploy switches we want them to do both layer 2 and layer 3 forwarding. But in some networks (especially larger networks) we might deploy some switches to do only layer 2 forwarding (like access switches in the network) while layer 3 forwarding is done on the distribution or core layer switches. If we look at earlier models of Cisco switches there were some switches which only had layer 2 forwarding capability - and they were less expensive than the layer 3 switches. In current generations of Cisco switches it is not so common to find switches which are limited to only layer 2 forwarding.
Let me describe a situation which might help you understand why you might want to have some vlans with vlan interfaces processing both layer 2 and 3 and other vlans processing only layer 2. I worked with a customer who had a site with multiple buildings. There was a switch per building. The link between the switches was a trunk which carried multiple vlans. Several vlans carried traffic for user PCs, servers, etc., and one vlan carried traffic for some other devices. These devices needed access to the Internet but needed to be separated from the user and server subnet traffic. The solution was that the switches in each building had vlan interfaces to provide layer 3 services for users and servers, etc., but the vlan for these other devices did not have a vlan interface. So the switches did routing between the subnets for users, servers, etc., but not for devices in the restricted vlan. Traffic in the restricted vlan reached the core switch, which connected that vlan to a firewall which had security policies that allowed those restricted devices to access the Internet but kept them separate from all user and server traffic.
03-19-2020 08:45 AM
Hi,
In order for the switch to perform the "switch" functionality, a layer 2 OSI function, it needs nothing but cables plugged in. Having VLANs was the first method, back in the old days, to limit the broadcast domain and perform a form of segmentation between devices; so you had the option to create VLANs and put devices in separate VLANs; inter-VLAN communication requires a layer 3 device, a router.
In order for the switch, which is a multilayer switch (it spans its functionality across multiple OSI layers), to perform the "routing" function, and specifically in this case "inter-VLAN routing", you add one SVI for each of the VLANs for which you want the switch to act as the default gateway, so as to perform layer 3 functions, i.e. routing. This is not necessary, and if you do it, you do it only for the VLANs you need. Other VLANs can have a default gateway pointing to another layer 3 device (thus your switch has only the VLAN defined, no SVI, and does just switching), or can have no default gateway (which means no communication outside the VLAN).
Regards,
Cristian Matei.
03-19-2020 09:53 AM
Thank you !
I hadn't seen anything on just layer 2 VLANs. All the videos and docs just had simple "how to create VLANs". So, if I have both layer 2 and layer 3 VLANs, I'll have to look up the reasons why you would use one vs. the other. I then would think that what I am about to do, in changing a large network into 8 sub-networks, won't matter to the devices in the layer 2 VLANs. I just don't want to break our network because I didn't understand all the routing.