
Mozzarella : splitting a VLAN

Kevin Dorrell
Level 10

Here is a practical brain-teaser exercise : how to split a VLAN with the minimum of operational downtime.

Suppose we have a VLAN, say 64, with the address range 172.16.64.0/23, and gateway 172.16.64.1. We want to split it into two: VLAN 64 on 172.16.64.0/24 and VLAN 65 on 172.16.65.0/24, with .1 as the gateway on each. There are 250 hosts in each address range. How to split the two with only a few seconds of downtime? Clearly it will take more than a few seconds to re-configure 250 ports from VLAN 64 to VLAN 65.

Is it possible to bridge two VLANs? If so, could you do it like this:

1. Add a secondary gateway address 172.16.65.1/24 to the SVI interface VLAN 64.

2. Change the default gateway address in all the hosts 172.16.65.0 to use 172.16.65.1.

3. Create a new VLAN 65 and bridge it to VLAN 64.

4. Move all the ports used by 172.16.65.0/24 hosts to VLAN 25.

5. Change the mask on all 172.16.64.0/24 hosts from /23 to /24, including the gateway.

6. Now the few seconds downtime: remove the secondary address from SVI 64 and put it as a primary address on SVI 65, and remove the bridge.

I realise that there are all sorts of holes and pitfalls in this procedure, e.g. states of ARP caches. And probably you cannot bridge VLANs in the way I describe. So does anyone have a tried and tested procedure for splitting a VLAN in two, but with less than 4 seconds downtime?

Kevin Dorrell

Luxembourg

6 Replies

glen.grant
VIP Alumni

Hi Kev, you don't mention what kind of box it is? As far as setting the ports, you should be able to change them with just 2 commands, whether it be the interface range command for IOS or a single set command on the CatOS boxes. If you preconfigure the 65 net in a notepad and just cut and paste once you are ready, you should be able to do it pretty quickly. I don't know if 4 seconds is possible; I'm thinking a minute or 2 by the time you put in the commands and spanning tree runs, and you may even have to flush the ARP and route tables. Your biggest time will be doing the clients. Not sure what you mean by bridge it to 64 vlan though.

Glen,

Ah, perhaps I should have made that clear. It is a heterogeneous layer-2 network consisting of about 40 switches - IOS 4500, CatOS 4000, IOS 2900, and CatOS 5500. The VLAN is dedicated to a particular class of user, but is thinly spread over the 40 switches, so just logging into each one would take time. Yet I would prefer the big switchover to happen in one place: the 4506 in the distribution layer.

By "bridge it", I was hoping somehow to join the two halves into a single broadcast domain until the last minute. Maybe, for example, I could do it by configuring two access ports anywhere on the network, one in VLAN 64 and one in VLAN 65, and join them with a cross-cable.

I really need to prepare as much as possible in advance of the switchover.

Kevin Dorrell

Luxembourg

Kevin,

Do you have a VTP server in your N/W? I think what we can do here is create another VLAN 65 and have it propagated to all the switches. Assign the new IP range for VLAN 65 to it. As already pointed out by Glen, try moving the bunch of ports that you want to be in VLAN 65 with proper IP configured. Make sure you have spantree portfast configured on the ports also. Let your other VLAN keep running the same /23 n/w till VLAN 65 gets the proper connectivity and talks to other VLANs. Now you can assign a /24 secondary IP to it and have the subnet mask changed on the hosts too, and later just take the /23 primary IP out of it.

Is it really necessary to change the /23 to a /24 n/w? I think if we can have it still on /23 it should not make a big difference.

regards,

-amit singh

Kevin Dorrell
Level 10

Glen, Amit,

Thanks both for the suggestions; Amit, I shall think that through over the weekend, and post back to you on Monday.

Unfortunately it is necessary to split the two. I had changed the addresses slightly to try and strip the problem down to its essentials. In fact, there are a couple of extra complications.

The two address ranges are effectively already separate - that is, I already have the situation with the VLAN 64 addresses as the primary, and the VLAN 65 addresses as the secondary at the router. But the two are physically on the same VLAN. And to add to the complication, the masks on the clients are set wide enough (/23) so that the clients find each other direct. So I need to tighten their masks before I do the migration, so that the 64's and the 65's find each other by bouncing off the router.

I have a feeling I'm going to have to book downtime for this exercise, but I want to avoid it if I can.

Have a good weekend both.

Kevin Dorrell

Luxembourg
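An added example, not part of any post in this thread: a readiness audit to run just before the final cut-over, flagging hosts whose mask, gateway or access VLAN does not yet match the two-/24 target design described above. The inventory field names (`ip`, `prefix`, `gateway`, `port_vlan`) and the sample hosts are hypothetical; only the subnets and gateways come from the thread.

```python
import ipaddress

# Target design taken from the thread: two /24s, .1 as the gateway on each.
TARGETS = {
    64: ipaddress.ip_interface("172.16.64.1/24"),
    65: ipaddress.ip_interface("172.16.65.1/24"),
}

def target_vlan(ip):
    """Return the VLAN a host address belongs to after the split, or None."""
    addr = ipaddress.ip_address(ip)
    return next((v for v, gw in TARGETS.items() if addr in gw.network), None)

def audit(hosts):
    """Return {host_ip: [problems]} for hosts not ready for the cut-over."""
    findings = {}
    for h in hosts:
        problems = []
        vlan = target_vlan(h["ip"])
        if vlan is None:
            findings[h["ip"]] = ["address outside both target subnets"]
            continue
        gw = TARGETS[vlan]
        iface = ipaddress.ip_interface(f'{h["ip"]}/{h["prefix"]}')
        # A host still on /23 treats the other half as on-link and ARPs for
        # it directly; once the VLANs are separate, that ARP gets no answer.
        other = [g for v, g in TARGETS.items() if v != vlan]
        if any(g.network.overlaps(iface.network) for g in other):
            problems.append(f"mask /{h['prefix']} still covers the other half")
        if ipaddress.ip_address(h["gateway"]) != gw.ip:
            problems.append(f"gateway {h['gateway']} should be {gw.ip}")
        if h["port_vlan"] != vlan:
            problems.append(f"port in VLAN {h['port_vlan']}, should be {vlan}")
        if problems:
            findings[h["ip"]] = problems
    return findings

# Constructed inventory (hypothetical hosts, not from the thread).
SAMPLE = [
    {"ip": "172.16.64.10", "prefix": 24, "gateway": "172.16.64.1", "port_vlan": 64},
    {"ip": "172.16.65.20", "prefix": 23, "gateway": "172.16.64.1", "port_vlan": 64},
    {"ip": "172.16.65.30", "prefix": 24, "gateway": "172.16.65.1", "port_vlan": 64},
]

if __name__ == "__main__":
    for ip, problems in audit(SAMPLE).items():
        print(ip, "->", "; ".join(problems))
```

An empty result means every listed host already resolves its peers in the other half through its own gateway, so the cut-over itself only has to move the secondary address.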

Kevin,

At step 4, don't you think that ports will flap when you change the VLAN? Of course, with spanning-tree portfast configured, the ports should come up in <5-10 seconds.

I would really suggest having downtime booked, in case something goes wrong on top of all these plans. If possible, better to mock up this setup you have come up with in a lab before implementing it in practice.

Sankar.

Sankar Nair
UC Solutions Architect
Pacific Northwest | CDW
CCIE Collaboration #17135 Emeritus

Yes, you are right that the ports will bump on changing the VLAN, but portfast will keep that under 5 seconds. I know from past experience that I can get away with that for the client access ports. I normally disable PAgP and DTP, which speeds things up and keeps it below 3 seconds.

But of course you are right about the downtime, and trying a mockup in the lab first. Even so, it will be fun to see if I can keep the interruption down to a few seconds, even if I have booked downtime. If I work out a procedure, I'll post it here.

Kevin Dorrell

Luxembourg
