exp3 - chapter 3 - vlans
TRANSCRIPT
NET2000
VLANs (Virtual LANs)
Linda Crane Algonquin College
With material adapted from slides prepared by Pat Ouellette (Algonquin College), David Bray (Algonquin College), and the Cisco website

Virtual LANs
■ VLANs allow the logical separation of network users and resources into distinct Layer 3 networks based on organizational needs, such as department, job function, or application access, independent of network connection point or physical location.
■ Within a single VLAN, frames propagate the same way they do in any switched network where VLANs are not present.

Bridging vs Routing Network Traffic
■ Bridging is the forwarding of frames at Layer 2, based on MAC address.
• Switches do NOT bridge traffic between VLANs; doing so would violate the integrity of the broadcast domain.
■ Routing is the forwarding of packets at Layer 3, based on network (IP) address.
• Inter-VLAN traffic must be routed from one VLAN to another; this requires a router connected to both the source and destination VLANs.
■ Switching is the forwarding of data at Layer 1: in one interface and out another interface.
• Routers and switches both perform switching on their packets and frames (respectively).

VLAN = Subnet = Layer 3 Network
■ Each VLAN is a separate LAN or Layer 3 network.
■ That is, VLANs create separate network segments, a feature previously only achievable using more expensive devices. (What devices?)
■ Because of this, VLAN deployment facilitates improved:
• scalability – broadcast filtering
• security – traffic segregation
• network management – traffic flow management

VLAN = Broadcast Domain
■ Which server(s) can be reached by hosts in the green (VLAN 3) network?
(Figure label: Trunk Links (later).)

VLANs, Routers & Broadcast Domains
(Figure: 1) Without VLANs: 10.0.0.0/8. 2) With or without VLANs: 10.1.0.0/16, 10.2.0.0/16, 10.3.0.0/16. 3) With VLANs: 10.1.0.0/16, 10.2.0.0/16, 10.3.0.0/16, using one link per VLAN or a single trunk link (later).)
■ 1) No VLANs; or in other words, one LAN. Single IP network.
■ 2) With or without VLANs. However, this can be an example of no VLANs. In both examples, each group (switch) is on a different IP network.
■ 3) Using VLANs. A single switch is configured with its ports on the appropriate VLAN.
■ What are the broadcast domains in each case?

An Access Link …
■ is a link on a switch port that is a member of only one VLAN
• This VLAN can be referred to as the native VLAN of the port, though this term is most meaningful for trunk links (coming).
• Any device that is attached to the switch port is NOT aware that a VLAN exists (& should not need to be).

A Trunk Link …
■ does not belong to a specific VLAN
■ is a single link designed to carry traffic for multiple VLANs, thereby providing connectivity from switch to router, or between switches
■ can be configured to transport all VLANs or to transport a limited number of VLANs
■ on a Cisco switch can be any port 100+ Mbps
A trunk link may, however, have a native VLAN.
• The native VLAN of a trunk is the VLAN it uses if trunking fails for any reason (VLAN 1 by default, but it can be changed):
…-if)#switchport trunk native vlan vlan-id

Trunk Encapsulation
■ Because a trunk carries multi-VLAN traffic, trunked frames must be identified with their associated VLAN ID, or encapsulated.
■ This tagging is removed before a trunked frame is forwarded out an access port.
■ In Ethernet, two methods are used to identify the VLAN to which a frame belongs:
• ISL (Inter-Switch Link) is Cisco proprietary – now deprecated
▪ some switches, like the 2950T & 4000, don't support ISL
• IEEE 802.1Q (a.k.a. dot1q) is standards-based
• …more later

A Port's VLAN Membership
■ Each switch port can be assigned to a different VLAN.
■ Ports assigned to the same VLAN share broadcasts.
■ Ports that do not belong to that VLAN do not share these broadcasts.

Static Membership
■ Static membership VLANs are called port-based and port-centric membership VLANs.
■ As a device enters the network, it automatically assumes the VLAN membership of the port to which it is attached.
■ “The default VLAN for every port in the switch is the management VLAN. The management VLAN is always VLAN 1 and may not be deleted.”
• This statement does not give the whole story. We will examine Management, Default and other VLANs later.
■ All ports on the switch may be reassigned to alternate VLANs.
■ More on VLAN 1 later.

Port-Based
(Figure: Switch 1 with ports 1 to 6 assigned as follows.)
Port  1  2  3  4  5  6
VLAN  1  2  1  2  2  1
Hosts: 172.30.1.21 255.255.255.0 (VLAN 1), 172.30.2.10 255.255.255.0 (VLAN 2), 172.30.1.23 255.255.255.0 (VLAN 1), 172.30.2.12 255.255.255.0 (VLAN 2)
Important notes on VLANs:
1. VLANs are assigned on the switch port. There is no “VLAN” assignment done on the host.
2. In order for a host to be configured correctly for a VLAN, it must be assigned an IP address that belongs to the proper subnet.
Remember: VLAN = Subnet
Two VLANs → Two Subnets
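Added example (not part of the course slides): a small Python check of the rule on this slide, VLAN = subnet, using the port-to-VLAN table and host addresses from the figure. The slide does not show which host sits on which port, so the host names and the host-to-port mapping below are assumed.

```python
import ipaddress
from collections import defaultdict

# Constructed from the slide's figure: port -> VLAN.  Which host hangs off which
# port is not shown on the slide, so the host-to-port mapping below is assumed.
PORT_VLAN = {1: 1, 2: 2, 3: 1, 4: 2, 5: 2, 6: 1}
VLAN_SUBNET = {1: ipaddress.ip_network("172.30.1.0/24"),
               2: ipaddress.ip_network("172.30.2.0/24")}
HOSTS = {  # hypothetical host name -> (switch port, address/prefix from the slide)
    "H1": (1, "172.30.1.21/24"),
    "H2": (2, "172.30.2.10/24"),
    "H3": (3, "172.30.1.23/24"),
    "H4": (4, "172.30.2.12/24"),
}


def broadcast_domains(port_vlan=PORT_VLAN):
    """Group ports by VLAN: each VLAN is one broadcast domain (VLAN = subnet)."""
    domains = defaultdict(list)
    for port, vlan in sorted(port_vlan.items()):
        domains[vlan].append(port)
    return dict(domains)


def host_problems(hosts=HOSTS, port_vlan=PORT_VLAN, vlan_subnet=VLAN_SUBNET):
    """Return {host: reason} for hosts whose address does not fit their port's VLAN.

    The VLAN is decided by the switch port, never by the host.  A host whose
    address is outside its VLAN's subnet still shares that VLAN's broadcasts
    but cannot be reached by routing, which is the usual misconfiguration.
    """
    problems = {}
    for name, (port, cidr) in hosts.items():
        vlan = port_vlan.get(port)
        if vlan is None:
            problems[name] = f"port {port} is not assigned to any VLAN"
            continue
        expected = vlan_subnet[vlan]
        if ipaddress.ip_interface(cidr).network != expected:
            problems[name] = f"{cidr} is not in VLAN {vlan} subnet {expected}"
    return problems


def same_broadcast_domain(a, b, hosts=HOSTS, port_vlan=PORT_VLAN):
    """True if two hosts hear each other's broadcasts (their ports share a VLAN)."""
    return port_vlan[hosts[a][0]] == port_vlan[hosts[b][0]]
```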

Dynamic Membership
■ Dynamic membership VLANs are created through network management software. (Not as common as static VLANs.)
• VMPS = VLAN Management Policy Server
■ CiscoWorks 2000 or CiscoWorks for Switched Internetworks is used to create dynamic VLANs.
■ Dynamic VLANs allow for membership based on aspects such as the MAC address of the connected device.
■ As a device enters the network, the server database is queried to retrieve the correct VLAN membership for the new node.
■ Advantage: when you move a host from a port on one switch to another switch, the switch dynamically assigns the new port to the proper VLAN for the host.

Approaches to Dynamic VLANs
(Figure; only this label was recovered.)
■ By Layer 3 address (or Layer 3 protocol)

Benefits of VLANs
■ The key benefit of VLANs is that they permit the network administrator to organize the LAN logically instead of physically.
■ Note: This can be done without VLANs, but VLANs limit the broadcast domain!!
■ This means that an administrator is able to do all of the following:
• Easily move workstations on the LAN.
• Easily add workstations to the LAN.
• Easily change the LAN configuration.
• Easily control network traffic.
• Improve security.

Common VLAN Terminologies
■ Data VLAN
• A data VLAN is a VLAN that is configured to carry only user-generated traffic.
• A VLAN could carry voice traffic or management traffic, but this traffic would not be part of a data VLAN.
▪ It is common practice to separate voice and management traffic from data traffic.
• A data VLAN is referred to as a user VLAN.
■ Default VLAN
• All switch ports become a member of the default VLAN after the initial boot up of the switch.
• The default VLAN for Cisco switches is VLAN 1.
• VLAN 1 cannot be renamed or deleted.
• Layer 2 control traffic, such as CDP and spanning tree protocol traffic, will always be associated with VLAN 1; this cannot be changed.
• It is a security best practice to change the default VLAN to a VLAN other than VLAN 1.
• VLAN trunks support the transmission of traffic from more than one VLAN.

Common VLAN Terminologies
■ Native VLAN
• An 802.1Q trunk port supports traffic coming from VLANs (tagged traffic) as well as traffic that does not come from a VLAN (untagged traffic).
• The 802.1Q trunk port places untagged traffic on the native VLAN.
• Native VLANs are set out in the IEEE 802.1Q specification to maintain backward compatibility with untagged traffic common to legacy LAN scenarios.
• It is a best practice to use a VLAN other than VLAN 1 as the native VLAN.
• The purpose of the native VLAN is to allow frames not tagged with a VID to traverse the trunk link… they are treated as belonging to the native VLAN ID.
■ Management VLAN
• A management VLAN is any VLAN you configure to access the management capabilities of a switch.
• You assign the management VLAN an IP address and subnet mask.
• The out-of-the-box configuration of a Cisco switch has VLAN 1 as the default VLAN, so VLAN 1 would be a bad choice as the management VLAN.

Common VLAN Terminologies: Voice VLANs
■ VoIP traffic requires:
• Assured bandwidth to ensure voice quality
• Transmission priority over other types of network traffic
• Ability to be routed around congested areas
• Delay of less than 150 ms across the network
■ The details of how to configure a network to support VoIP are beyond the scope of the course, but it is useful to summarize how a voice VLAN works between a switch, a Cisco IP phone, and a computer.

Common VLAN Terminologies: Voice VLANs
• In the figure, VLAN 150 is designed to carry voice traffic.
• The student computer PC5 is attached to the Cisco IP phone, and the phone is attached to switch S3.
• PC5 is in VLAN 20, which is used for student data.
• The F0/18 port on S3 is configured to be in voice mode
▪ it will tell the phone to tag voice frames with VLAN 150. Data frames coming through the Cisco IP phone from PC5 are left untagged.
• Data destined for PC5 coming from port F0/18 is tagged with VLAN 20 on the way to the phone, which strips the VLAN tag before the data is forwarded to PC5.

More on Trunking … tagging
■ ISL (Cisco proprietary) - "External" tagging – the original frame is not altered whatsoever
■ Adds 30 bytes of overhead to every frame
• a 26-byte header containing a 10-bit VLAN ID
• an additional 4-byte FCS is appended
■ can result in a "giant" frame (up to 1548 bytes)

IEEE 802.1Q
■ adding significantly less overhead than ISL, 802.1Q only inserts an additional 4 bytes into the Ethernet frame
■ "Internal" tagging overwrites the original frame's FCS

802.1Q Frame
(Figure: 4 bytes inserted into the frame.)
■ Ether-Type (0x8100) identifies this as a Tagged Protocol frame (a.k.a. TPID)
■ Tag Control Info (TCI): 3-bit frame priority, 1-bit CFI (used for Token Ring), 12-bit VLAN ID
■ New FCS overwrites the original
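Added example, not from the slides: Python that inserts and strips the 4-byte 802.1Q tag described above and recomputes the FCS, which is what a trunk port and an access port do on the way through. It assumes, from the 802.1Q standard rather than from the slide, that the tag sits between the source MAC and the original Ether-Type and that the FCS is CRC-32 appended least-significant byte first; the frame contents are constructed.

```python
import struct
import zlib

TPID_8021Q = 0x8100   # Ether-Type value that marks a tagged frame


def fcs(data: bytes) -> bytes:
    """Ethernet FCS: CRC-32 over the frame, appended least-significant byte first."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    """Untagged frame: dst MAC, src MAC, Ether-Type, payload, FCS (preamble omitted)."""
    body = dst + src + struct.pack("!H", ethertype) + payload
    return body + fcs(body)


def tag_frame(frame: bytes, vid: int, pcp: int = 0, cfi: int = 0) -> bytes:
    """Insert TPID + TCI after the source MAC; the new FCS overwrites the old one."""
    if not 0 <= vid <= 4095 or not 0 <= pcp <= 7 or cfi not in (0, 1):
        raise ValueError("vid must fit 12 bits, pcp 3 bits, cfi 1 bit")
    body = frame[:-4]                           # drop the original FCS
    tci = (pcp << 13) | (cfi << 12) | vid       # 3-bit priority, 1-bit CFI, 12-bit VID
    tag = struct.pack("!HH", TPID_8021Q, tci)
    tagged = body[:12] + tag + body[12:]        # 12 = two 6-byte MAC addresses
    return tagged + fcs(tagged)


def parse_tag(frame: bytes):
    """Return (pcp, cfi, vid, inner_ethertype), or None if the frame is untagged."""
    if len(frame) < 18:
        return None
    tpid, tci = struct.unpack("!HH", frame[12:16])
    if tpid != TPID_8021Q:
        return None
    inner = struct.unpack("!H", frame[16:18])[0]
    return (tci >> 13) & 0x7, (tci >> 12) & 0x1, tci & 0xFFF, inner


def untag_frame(frame: bytes) -> bytes:
    """What an access port does on egress: remove the tag and recompute the FCS."""
    if parse_tag(frame) is None:
        return frame
    body = frame[:12] + frame[16:-4]
    return body + fcs(body)


def fcs_ok(frame: bytes) -> bool:
    """Verify the trailing FCS against the rest of the frame."""
    return len(frame) > 4 and fcs(frame[:-4]) == frame[-4:]
```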

Trunking Example
1. A frame is received on switch Y.
2. The frame is encapsulated by Y (via ISL), sent over the trunk link to switch W, and propagates through X to Z.
3. The VLAN tagging is removed before being transmitted out the access link at switch Z.

Without Trunking …
■ two switch ports would be needed to transport each configured VLAN between two switches, AND
■ every switch with a particular VLAN configured would have to be directly connected together, or two more ports would be wasted on each intermediary switch

Configuring Trunking
Note: On many switches, the switchport trunk encapsulation command must be done BEFORE the switchport mode trunk command.
■ switchport trunk encapsulation can only be set on switches that support multiple encapsulation types

Trunk Modes
■ switch ports may attempt to negotiate trunking status by sending Dynamic Trunking Protocol (DTP) frames to their neighbour
■ Fast and Gigabit Ethernet trunking modes:
• On – periodic DTP frames
• Off – DTP frame only at the point it transitions to this mode
• (Dynamic) Desirable – periodic DTP frames
• (Dynamic) Auto – periodic DTP frames
• Nonegotiate – no DTP frames sent

Trunk Mode "On" (Static)
■ This mode puts the port into permanent trunking mode, even if the neighbouring port does not agree.
■ The port attempts to negotiate trunking by sending DTP frames to its neighbour.
■ The On state does not allow for the negotiation of an encapsulation type.
• You must, therefore, explicitly configure the encapsulation if the device supports multiple trunk encapsulations.

Trunk Mode "Off" (Static)
■ This permanent non-trunking mode occurs when the port is configured as an access port (…-if)#switchport mode access).
■ At the moment when the port transitions into this mode, it sends a DTP frame to its neighbour in an attempt to negotiate non-trunking.
■ The port becomes a non-trunk (access) port even if the neighbouring port does not agree.

Trunk Mode (Dynamic) "Auto"
■ The port periodically sends DTP frames and listens to such frames from the neighbouring switch; if the neighbour is in trunking mode (On), or would like to be (Desirable), a trunk is formed.
• Note: This is the default setting for some switches. If this mode occurs on both sides of a link, a trunk will NOT be formed since neither will actively attempt to trunk.
• Think about being “invited” to trunk… if this port is invited (by On or Desirable), it will accept the invitation and trunk. But it will not “invite”…

Trunk Mode (Dynamic) "Desirable"
■ The port attempts to negotiate trunking by sending DTP frames to its neighbour.
■ Trunking succeeds if the neighbouring port is set to On, Desirable or Auto mode.
■ This is the most common default mode for Ethernet ports 100 Mbps and faster.
• Note: If this default setting is left on both sides of a link, a trunk will be formed since both will actively attempt to trunk.

"Nonegotiate" Mode
■ This mode stops the port from generating Dynamic Trunking Protocol (DTP) frames.
• Port in trunk mode: You must configure the neighbour manually as a trunk port in order to establish a trunk link.
• Port in access mode: A trunk link will not be established.

Trunk Status (based on Ports' Modes)
The table is symmetric: take the row for one end's mode and the column for the other end's mode (only the upper half is shown).

                      Auto   On (Trunk)   Dynamic Desirable   Noneg (Access)   Noneg (Trunk)   Off (Access)
<Auto>                 A        T               T                  A                ?               A
<On> (Trunk)                    T*              T                  ?                T*              ?
<Dynamic Desirable>                             T                  A                ?               A
<Noneg - Access>                                                   A                ?               A
<Noneg - Trunk>                                                                     T*              ?
<Off> (Access)                                                                                      A

A – Access mode (Not Trunking)
T – Trunking
T* – Trunking even if VTP domains differ
? – Inconsistent Results
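Added example, not part of the slides: the table above as a Python lookup, plus an audit that flags links which trunk only because DTP negotiated it (the case the Desirable and Auto slides warn about) or whose outcome is inconsistent. The mode names and the link list are assumed labels.

```python
# Modes in the table's column order; "access" is the explicit Off mode.
MODES = ("auto", "on", "desirable", "nonegotiate-access", "nonegotiate-trunk", "access")

# Upper half of the table, row by row.  The table is symmetric, so the order of
# the two ends does not matter.  A = access, T = trunk, T* = trunk even if VTP
# domains differ, ? = inconsistent results.
_UPPER = {
    "auto":               ("A", "T", "T", "A", "?", "A"),
    "on":                 (     "T*", "T", "?", "T*", "?"),
    "desirable":          (           "T", "A", "?", "A"),
    "nonegotiate-access": (                "A", "?", "A"),
    "nonegotiate-trunk":  (                     "T*", "?"),
    "access":             (                           "A",),
}


def trunk_outcome(mode_a: str, mode_b: str) -> str:
    """Result of DTP negotiation between two ports, read off the symmetric table."""
    if mode_a not in MODES or mode_b not in MODES:
        raise ValueError(f"unknown mode: {mode_a!r} / {mode_b!r}")
    i, j = MODES.index(mode_a), MODES.index(mode_b)
    if i > j:                     # swap so we always read the stored upper half
        i, j = j, i
    return _UPPER[MODES[i]][j - i]


def audit_links(links):
    """links: iterable of (link_name, mode_a, mode_b).

    Returns (link_name, outcome, advice) for links that trunk without both ends
    being explicitly configured as trunks, or whose outcome is inconsistent.
    A trunk that exists only because DTP negotiated it is the 'accidental
    trunking' the access-mode slide tells you to prevent.
    """
    findings = []
    for name, a, b in links:
        outcome = trunk_outcome(a, b)
        explicit = {a, b} <= {"on", "nonegotiate-trunk"}
        if outcome.startswith("T") and not explicit:
            findings.append((name, outcome,
                             "trunk formed by DTP negotiation; set both ends to trunk or access explicitly"))
        elif outcome == "?":
            findings.append((name, outcome, "inconsistent outcome; pick a static mode on both ends"))
    return findings
```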

Summary of Trunking Commands
IOS-Based Switch
Switch(config)# interface fastethernet 0/1
Switch(config-if)# switchport mode {access | trunk}
Switch(config-if)# switchport trunk encapsulation {isl | dot1q}
Switch(config-if)# switchport trunk allowed vlan {remove vlan-list | add vlan-list | all | except vlan-list}
  remove vlan-list   explicitly disallow these VLANs
  add vlan-list      explicitly allow these VLANs
  all                implicitly allow ALL VLANs
  except vlan-list   implicitly allow ALL, except those listed

Configuring Trunk Mode (2950T)
Auto … config-if)#switchport mode dynamic auto
On … config-if)#switchport mode trunk
Desirable … config-if)#switchport mode dynamic desirable
Nonegotiate … config-if)#switchport nonegotiate
Off … config-if)#switchport mode access
To verify: #show int int-type int-number switchport (the mode is listed as "Administrative Mode"), or #show interfaces trunk

Verifying Trunk Mode
Switch#show int fa0/1 switchport
Name: Fa0/1
Switchport: Enabled
Administrative Mode: dynamic desirable
Operational Mode: static access
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: native
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001

VLAN Configuration
With material adapted from slides prepared by Cisco, David Bray and Pat Ouellette, Algonquin College

Creating VLANs
■ Explicitly create a VLAN:
Switch#config t
Switch(config)#vlan vlan_number [name vlan_name]
Switch(config-vlan)#exit
■ The maximum number of supported VLANs (typically, 4095) can vary depending upon the switch model.
■ NOTE… VLAN information is not processed until the exit is performed!!
■ This information about VLANs is stored in vlan.dat
■ The VLAN can be assigned to an access port at interface mode:
Switch(config-if)#switchport access vlan vlan_number

Assigning Ports to VLANs
■ Assign port fa0/9 to VLAN 10
Switch(config)#interface fa0/9
Switch(config-if)#switchport access vlan 10
(Figure: fa0/9 in vlan 10; the other ports remain in the default vlan 1.)
■ If VLAN 10 did not exist, this automatically creates it (if allowed – more when we discuss VTP).
■ This action is only meaningful for an access port since trunk ports carry traffic for multiple VLANs.

Example: Creating/Assigning a VLAN
(Figure: a port assigned to vlan 300; the other ports remain in the default vlan 1.)

Configuring Multiple Ports
(Figure: ports fastethernet 0/5 to 0/7 placed in vlan 2.)
SydneySwitch(config)#interface fastethernet 0/5
SydneySwitch(config-if)#switchport access vlan 2
SydneySwitch(config-if)#exit
SydneySwitch(config)#interface fastethernet 0/6
SydneySwitch(config-if)#switchport access vlan 2
SydneySwitch(config-if)#exit
SydneySwitch(config)#interface fastethernet 0/7
SydneySwitch(config-if)#switchport access vlan 2

Affecting a Range of Ports
(Figure: ports fa0/8 to fa0/12 placed in vlan 3.)
Switch(config)#interface range fa0/8 - fa0/12
Switch(config-if-range)#switchport access vlan 3
Switch(config-if-range)#exit
Note the spaces surrounding the "dash". A comma can also be used to specify non-consecutive interfaces.
This command does work on the 2950, but support varies by switch model.

Limiting Ports to Access Mode
(Figure: fa0/10 marked "access ONLY".)
Switch(config)#int fa0/10
Switch(config-if)#switchport mode access
■ Depending upon the switch model, ports default to one of two modes:
• Catalyst 2900 – Trunk Mode: Dynamic, Auto
• Catalyst 2950 or 3550 – Trunk Mode: Dynamic, Desirable (more when we discuss DTP)
■ Explicitly set ports to access mode to prevent accidental trunking and to increase security.
■ Also shut down ports not in use, for security.
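Added example, not from the slides: a Python parser for show interfaces switchport output (the fields shown on the Verifying Trunk Mode slide) that flags ports left in a dynamic mode, trunks that still send DTP frames, and trunks whose native VLAN is still 1, i.e. the three things the slides say to fix. The sample output is constructed and the VLAN name VLAN0010 is a made-up value.

```python
import re

# Constructed sample in the format of "show interfaces switchport" (the fields
# shown on the Verifying Trunk Mode slide); not captured from a real switch.
SAMPLE = """\
Name: Fa0/1
Switchport: Enabled
Administrative Mode: dynamic desirable
Operational Mode: static access
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)

Name: Fa0/2
Switchport: Enabled
Administrative Mode: static access
Operational Mode: static access
Negotiation of Trunking: Off
Access Mode VLAN: 10 (VLAN0010)
Trunking Native Mode VLAN: 1 (default)

Name: Fa0/24
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
"""

FIELD = re.compile(r"^(?P<key>[A-Za-z ]+): (?P<value>.+)$")

def parse_switchports(text):
    """Split the output into one {field: value} dict per interface; "Name:" starts a port."""
    ports, current = [], None
    for line in text.splitlines():
        m = FIELD.match(line.strip())
        if not m:
            continue
        key, value = m.group("key"), m.group("value")
        if key == "Name":
            current = {"Name": value}
            ports.append(current)
        elif current is not None:
            current[key] = value
    return ports

def audit_switchports(text):
    """Return (port, finding) pairs for ports that do not follow the slides' advice:
    dynamic mode left in place, trunk still negotiating, native VLAN still 1."""
    findings = []
    for p in parse_switchports(text):
        name = p["Name"]
        admin = p.get("Administrative Mode", "")
        native = p.get("Trunking Native Mode VLAN", "").split(" ")[0]
        if admin.startswith("dynamic"):
            findings.append((name, f"'{admin}': set switchport mode access or trunk explicitly"))
        if admin == "trunk":
            if p.get("Negotiation of Trunking") == "On":
                findings.append((name, "trunk still sends DTP frames: add switchport nonegotiate"))
            if native == "1":
                findings.append((name, "native VLAN is 1: use switchport trunk native vlan to choose another VLAN"))
    return findings
```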

Verifying VLANs – show vlan [brief]
(Figure: output listing vlan 1 default, vlan 2 and vlan 3.)

vlan database commands
■ Optional command to add, delete, or modify VLANs.
■ VLAN names, numbers, and VTP (VLAN Trunking Protocol) information can be entered, which “may” affect other switches besides this one. (Discussed later.)
■ This does not assign any VLANs to an interface.
Switch#vlan database
Switch(vlan)#?
VLAN database editing buffer manipulation commands:
  abort  Exit mode without applying the changes
  apply  Apply current changes and bump revision number
  exit   Apply changes, bump revision number, and exit mode
  no     Negate a command or set its defaults
  reset  Abandon current changes and reread current database
  show   Show database information
  vlan   Add, delete, or modify values associated with a single VLAN
  vtp    Perform VTP administrative functions.

Deleting VLANs
Switch(config-if)#no switchport access vlan vlan_number
Switch(config-if)#end
Switch#vlan database
Switch(vlan)#no vlan vlan_number

Saving VLAN Configuration
• Back up your switch's running-config as a .txt file
• show vlan brief, then capture the text as a record of your settings (you can't really save vlan.dat)

Trunk Switch Configuration
Switch(config)#interface FastEthernet0/24
Switch(config-if)#switchport mode trunk
Switch(config-if)#switchport trunk encap dot1q   (ONLY if multiple trunk encapsulations are supported)

Quick Preview of Inter-VLAN Routing
- also known as Router on a Stick
- uses subinterfaces – makes one interface virtually act like many
RTA(config)#interface fa0/0
RTA(config-if)#no ip address
RTA(config-if)#interface fa0/0.1
RTA(config-subif)#encapsulation dot1q 1
RTA(config-subif)#ip address 10.1.1.1 255.255.255.0
RTA(config-subif)#int fa0/0.2
RTA(config-subif)#encapsulation dot1q 20
RTA(config-subif)#ip address 10.1.2.1 255.255.255.0
RTA(config-subif)#int fa0/0.3
RTA(config-subif)#encapsulation dot1q 30
RTA(config-subif)#ip address 10.1.3.1 255.255.255.0