Switching

Topic 2VLANs

Agenda

• VLANs– Benefits– Components– Trunking and 802.1q– VLAN types– VLAN operations– VLAN modes– Voice VLAN– DTP– Troubleshooting

VLANs• Virtual LAN or ‘virtualised’ LAN• VLANs divide switches by business function

– Departments, project teams, locations• Multiple VLANs exist on multiple switches in the switched

infrastructure– Each VLAN is a different IP network

• VLANs are configured on the switch– Switchports are each assigned to a single VLAN– Hosts connected to the switchport can communicate with other

hosts in the same VLAN– Hosts in different VLANs are on different networks and can only

communicate with each other via a routing process• VLANs can span multiple switches so hosts can be located

anywhere and connect to any switch

VLANs

Benefits of VLANs• Separate large broadcast domains into smaller ones• Separate the network into business functional groups– Security

• Segmenting functional groups means policy can be applied– Cost

• More efficient use of switches and links as the infrastructure shared by different VLANs

– Controlled network traffic• Performance is maintained as there is less broadcast traffic• Broadcast storms and errors are contained within the VLAN

– Management efficiency• Simple moves, adds, and changes for hosts • Users with the same needs can be grouped and assigned to

a VLAN

Components• Switches

– VLANs are created on the switch– VLANs are identified by number, VID and described by name– Ports are assigned to specific VLANs, PVID

• Trunk links – Links between switches which carry all VLAN traffic– Links between switches and routers which carry all VLAN traffic

for routing between the VLANs• Trunking protocol 802.1q

– Tags frames arriving at ports with their VLANID– Tagged frames travel down trunk links with their VLANID tags– Tags are stripped from frames when leaving a port to go to the

host• Router or layer 3 switch routes frames between VLANs

Trunking

• Trunking extends the VLAN• VLAN trunk is a point to point link between

two switches that carries tagged frames from more than one VLAN

• VLAN trunks extends VLANs across the network using the IEEE 802.1q standard

• Without VLAN trunks a separate link between switches would be required for each VLAN

Types of VLANs• Data VLAN – user and application traffic

• Voice VLAN– Requires assured bandwidth and delay of less than 150 milliseconds

• Management VLAN– Used to remotely access and manage the switch (telnet, http, ssh,

snmp)– The management VLAN is assigned an IP address and a subnet mask – By default is VLAN 1, best practice is to create a separate management

VLAN• Default VLAN – VLAN 1

– All ports by default are members of VLAN 1– Cannot be deleted or renamed– Layer 2 control traffic such as CDP and STP traffic – Best practise is to assign all ports on the switch to VLAN other than one

and leave VLAN 1 for layer 2 control traffic

Native VLAN• The native VLAN is assigned to switchports that are

trunking• Untagged frames– Frames that originate on the switch (such as cdp and stp

and other control traffic) are untagged (they did not arrive through a switchport)

– Untagged frames received by a trunk port are sent down trunks with native VLAN tags

• Control traffic should be untagged – Some vendor’s switches, tag control traffic and this traffic

is dropped on the native VLAN• The native VLAN is by default VLAN 1 and should be

assigned to another VLAN

VLAN tagging 802.1q• Each port is assigned the PVID of their VLAN• 802.1q ports (trunk ports) are assigned the PVID of the

native VLAN• Ingress rules:– Untagged traffic that arrives at the port is tagged with the

PVID– Tagged traffic that arrives at the port is not altered

• Forwarding rules:– Flood, forward or filter and MAC address table lookup

• Egress rules:– Frame is untagged if its destination is a host– Frame sent as tagged if its destination is a trunk or IP

phone

Tag frame format

• Dot1q inserts a tag into the Ethernet header of frames (just after source MAC):– Switchport with a PVID assigned receives a frame– Switch inserts VLAN tag and recalculates FCS– Switch sends tagged frame out of trunk port

• EtherType field value set to 0x8100 – the TPID value• Tag Control Information field is inserted that contains: – Priority information– CFI to enable token ring frames on Ethernet links– VID VLAN ID (up to 4096)

• FCS field in the trailer gets a recalculated FCS value

VLAN operation

• Broadcast frames:– Switch forwards broadcast frames:• out of all ports on the same VLAN except the

originating port• as tagged frames on trunk links which allow the

VLAN.• Unicast frames:– Switch forwards the frame to destination host on

current switch – or if the destination MAC is on another switch, as a

tagged frame using the trunk link.

VLAN operation

VLAN modes

• Static (port-based VLAN)– Switchports can be manually assigned to a VLAN

• Switchport mode access• Switchport access VLAN 20

• Dynamic– Switchports can be assigned to a VLAN based on the

MAC address of the attached host– VLAN policy membership server VMPS contains

mappings of MAC to VLANs– Hosts can move around and use any port and get put

into the correct VLAN

Switchport modes

• Access mode– Configures a switchport as an access port – Has hosts attached to it– Maintains the PVID of the VLAN associated with it

• Trunk mode– Configures a switchport as an trunk port – Has switches or routers attached to it– Forwards tagged frames from multiple VLANs– Forwards untagged frames on the native VLAN

Dynamic Trunking Protocol (DTP)• Cisco® proprietary used to allow switchports to negotiate to trunk• Four modes:

– On (always a trunk)– Dynamic auto (able to trunk but only if the other end of link is ON or

desirable)– Dynamic desirable (able to trunk and will if other end is ON or desirable or

auto) – Nonegotiate (DTP is off and switchport trunks)

• Use Nonegotiate when trunking to switch from another vendor• If both links are set to dynamic auto, they will negotiate to stay in their default

state which is access mode• For 2950, the default switchport mode is dynamic desirable• For 2960, the default switchport mode is dynamic auto

VLAN IDs• Normal range VLANs

– VLAN ID between 1 and 1005– 1002 to 1005 reserved for token ring and fddi– VLAN 1 and 1002–1005 are created automatically and cannot be

removed– Configurations stored in the VLAN.dat file in flash– Supports VTP to propagate VLANs

• Extended range VLANs– VLAN ID between 1006–4094– Fewer features– Saved in running config– Does not supports VTP to propagate VLANs

• Cisco® Catalyst® 2960 can support up to 255 VLANs

Voice VLAN• Voice traffic needs priority classification and can only tolerate 150 ms delay

• Cisco® phones contain a 3 port switch– Port 1 connects to the switch– Port 2 is an internal 10/100 interface that carries the IP phone traffic – Port 3 (access port) connects to a PC

• Switchport is configured with a voice VLAN (VLAN 150) and a data VLAN• Switchport uses CDP to send the voice VLAN ID to the phone • The phone tags voice frames with the voice VLAN ID• The phone does not tag frames from the PC• Data frames are tagged with the data VLAN ID when they arrive

at the switchport

Configuring VLANs

• Demo

Deleting VLANs

VLAN configuration is stored in VLAN.dat file in flash(config) no VLAN VLANid

#delete flash:VLAN.dat

#delete VLAN.dat

Troubleshooting

• Native VLAN mismatches – different native VLANs on each end of links causes

errors and causes traffic to be misdirected (security risk)

• Trunk mode mismatches – one switchport is off and the other switchport is on

• VLANs and IP subnets – incorrect IP addresses, gateways, subnet masks

• Allowed VLANs on trunks– VLAN hasn’t been added as ‘allowed’ on trunk

Agenda

• VLANs– Benefits– Components– Trunking and 802.1q– VLAN types– VLAN operations– VLAN modes– Voice VLAN– DTP– Troubleshooting

Switching

Topic 2VLANs