chapter 3 - vlans

VLANsLAN Switching and Wireless - Chapter 3Dr. Naveen Chilamkurti

Topics

The role of VLANs in a network Trunking VLANs Configure VLANs on switches Troubleshoot common VLAN problems

Some requirements of LANs

Need to split up broadcast domains to make good use of bandwidth

People in the same department may need to be grouped together for access to servers

Security: restrict access by certain users to some areas of the LAN

Provide a way for different areas of the LAN to communicate with each other

Solution using routers

Divide the LAN into subnets Use routers to link the subnets

Solution using routers

BUT Routers are expensive Routers are slower than switches Subnets are restricted to limited physical areas Subnets are inflexible

Solution using VLANs

VLAN membership can be by function and not by location VLANs managed by switches Router needed for communication between VLANs

VLANs

All hosts in a VLAN have addresses in the same subnet. A VLAN is a subnet.

Broadcasts are kept within the VLAN. A VLAN is a broadcast domain.

The switch has a separate MAC address table for each VLAN. Traffic for each VLAN is kept separate from other VLANs.

Layer 2 switches cannot route between VLANs.

Benefits of a VLANs

Benefits of a VLANs

Security - Groups that have sensitive data are separated from the rest of the network, decreasing the chances of confidential information breaches.

Higher performance - Dividing flat Layer 2 networks into multiple logical workgroups (broadcast domains) reduces unnecessary traffic on the network and boosts performance.

Broadcast storm mitigation - Dividing a network into VLANs reduces the number of devices that may participate in a broadcast storm.

Benefits of a VLANs – Cont.

Improved IT staff efficiency - VLANs make it easier to manage the network because users with similar network requirements share the same VLAN.

Simpler project or application management - VLANs aggregate users and network devices to support business or geographic requirements.

VLAN ID Ranges

Access VLANs are divided into either:Normal range Extended range.

VLAN ID Ranges

Types of VLAN

Data or user VLAN Default VLAN Native VLAN Management VLAN Voice VLAN

Data VLAN

Carry files, e-mails, shared application traffic, most user traffic.

Separate VLAN for each group of users.

Types of VLAN – Data VLAN

Default VLAN

VLAN 1 on Cisco switches. Carries CDP and STP (spanning tree protocol)

traffic. Initially all ports are in this VLAN. Do not use it for data, voice or management

traffic for security reasons.

Types of VLAN – Default VLAN

Native VLAN

For backward compatibility with older systems.

Relevant to trunk ports. Trunk ports carry traffic from multiple

VLANs. VLAN is identified by a “tag” in the frame. Native VLAN does not have a tag.

Types of VLAN – Native VLAN

Management VLAN

Has the switch IP address. Used for telnet/SSH or web access for

management purposes. Better not to use VLAN 1 for security reasons.

Types of VLAN – Management VLAN

Voice VLAN

Use with IP phone. Phone acts as a switch too. Voice traffic is tagged, given priority. Data not tagged, no priority.

Types of VLAN – Voice VLAN

Switch Ports

Each switch port intended for an end device is configured to belong to a VLAN.

Any device connecting to that port belongs to the port’s VLAN.

There are other ways of assigning VLANs but this is now the normal way.

Ports that link switches can be configured to carry traffic for all VLANs (trunking)

Switch Ports Modes

Static VLAN Dynamic VLAN Voice VLAN

Static VLAN

The normal type. Port configured to be on a VLAN. Connected device is on this VLAN.

VLAN can be created using CLI command, given number and name.

VLAN can be learned from another switch. If a port is put on a VLAN and the VLAN

does not exist, then the VLAN is created.

Static VLAN (Port-centric)

If VLAN 20 did not exist before – then it does now.

Voice VLAN

Dynamic VLAN

Not widely used. Use a VLAN Membership Policy Server

(VMPS). Assign a device to a VLAN based on its MAC

address. Connect device, server assigns VLAN. Useful if you want to move devices around.

Controlling Broadcast Domains with VLANs

Network Traffic Without VLANS In normal operation, when a switch receives a broadcast frame on one of

its ports, it forwards the frame out all other ports on the switch.


Network Traffic With VLANS When VLANs are implemented on a switch, the transmission of unicast,

multicast, and broadcast traffic from a host on a particular VLAN are constrained to the devices that are on the VLAN.

Traffic between VLANs

Layer 2 switch keeps VLANs separate. Router can route between VLANs. It needs to

provide a default gateway for each VLAN as VLANs are separate subnets.

Controlling Broadcast Domains with Switches and Routers

Intra-VLAN Communication Inter-VLAN Communication

Intra-VLAN Communication In the figure, PC1, wants to communicate with another device,

PC4. PC1 and PC4 are both in VLAN 10. Communicating with a device in the same VLAN is called intra-VLAN communication. The following steps describes how this process is accomplished:

Intra-VLAN Communication

Step 1-1. PC1 in VLAN 10 sends its ARP request frame (broadcast) to switch S2.


Step 1-2. Switches S2 and S1 send the ARP request frame out all ports on VLAN 10.


Step 1-3. Switch S3 sends the ARP request out port F0/11 to PC4 on VLAN 10.


Step 2-1. The switches in the network forward the ARP reply frame (unicast) to PC1.


Step 2-2. PC1 receives the reply which contains the MAC address of PC4.


Step 3-1. PC1 now has the destination MAC address of PC4 and uses this to create a unicast frame with PC4's MAC address as the destination.


Step 3-2. Switches S2, S1 and S3 deliver the frame to PC4.

Inter-VLAN Communication In the figure, PC1 in VLAN 10 wants to communicate with PC5 in VLAN 20.

Communicating with a device in another VLAN is called inter-VLAN communication.

Note: There are two connections from switch S1 to the router: one to carry transmissions on VLAN 10, and the other to carry transmissions on VLAN 20 to the router interface.

Inter-VLAN Communication Step 1-1. PC1 in VLAN 10 wants to communicate with PC5 in VLAN 20. PC1 sends an ARP request frame for the MAC address of the default gateway

R1.

Inter-VLAN Communication Step 2. The router R1 replies with an ARP reply frame from its interface

configured on VLAN 10. All switches forward the ARP reply frame and PC1 receives it. The ARP reply contains

the MAC address of the default gateway.

Inter-VLAN Communication Step 3-1. PC1 then creates an Ethernet frame with the MAC address of the

Default Gateway. The frame is sent from switch S2 to S1.

Inter-VLAN Communication Step 3-2. The frame is sent from switch S2 to S1.

Inter-VLAN Communication Step 4. The router R1 sends an ARP request frame on VLAN 20 to determine

the MAC address of PC5.

Inter-VLAN Communication Step 4-2. Switches, S1, S2, S3, broadcast the ARP request frame out ports

configured for VLAN 20. PC5 on VLAN 20 receives the ARP request frame from router R1.

Inter-VLAN Communication Step 5-1. PC5 on VLAN 20 sends an ARP reply frame to switch S3.

Inter-VLAN Communication Step 5-2. Switches S3 and S1 forward the ARP reply frame to router R1 with the

destination MAC address of interface F0/2 on router R1.

Inter-VLAN Communication Step 6-1. Router R1 sends the frame received from PC1 though S1.

Inter-VLAN Communication Step 6-2. S1send the frame to S3 to send it to PC5 (on VLAN 20).


Switch Virtual Interface (SVI)SVI is a logical interface configured for a specific

VLAN. You need to configure an SVI for a VLAN if you want

to route between VLANs or to provide IP host connectivity to the switch.

By default, an SVI is created for the default VLAN (VLAN 1) to permit remote switch administration.

Controlling Broadcast Domains with VLANs and Layer 3 Forwarding

Layer 3 Forwarding A Layer 3 switch has the ability to route transmissions between

VLANs. The procedure is the same as described for the inter-VLAN

communication using a separate router, except that the SVIs act as the router interfaces for routing the data between VLANs.

Layer 3 Forwarding Example

In this Example, PC1 wants to communicate with PC5. The following steps outline the communication through the Layer 3 switch S1:

Layer 3 Forwarding Example – Step 1 -1

Step 1 - 1. PC1 sends an ARP request broadcast on VLAN10.

Layer 3 Forwarding Example – Step 1 - 2

Step 1 - 2. S2 forwards the ARP request out all ports configured for VLAN 10.


Step 2 - 1. Switch S1 forwards the ARP request out all ports configured for VLAN 10, including the SVI for VLAN 10.


Step 2 - 2. Switch S3 forwards the ARP request out all ports configured for VLAN 10.


Step 3 - 1. The SVI for VLAN 10 in switch S1 knows the location of VLAN 20. The SVI for VLAN 10 in switch S1 sends an ARP reply back to PC1 with this information.


Step 3 -2 . The SVI for VLAN 10 in switch S1 knows the location of VLAN 00. The SVI for VLAN 10 in switch S1 sends an ARP reply back to PC1 with this information.


Step 4 - 1 . PC1 sends data, destined for PC5, as a unicast frame through switch S2 to the SVI for VLAN 10 in switch S1.


Step 4 - 2 . PC1 sends data, destined for PC5, as a unicast frame through switch S2 to the SVI for VLAN 10 in switch S1.


Step 5 - 1 . The SVI for VLAN 20 sends an ARP request broadcast out all switch ports configured for VLAN 20.


Step 5 - 2 . Switch S3 sends that ARP request broadcast out all switch ports configured for VLAN 20.


Step 6 - 1 . PC5 on VLAN 20 sends an ARP reply.


Step 6 - 2 . Switch S3 sends that ARP reply to S1.


Step 6 - 3 . Switch S1 forwards the ARP reply to the SVI for VLAN 20.


Step 7 - 1 . he SVI for VLAN 20 forwards the data, sent from PC1, in a unicast frame to PC5 using the destination address it learned from the ARP reply in step 6.


Step 7 - 2 . he SVI for VLAN 20 forwards the data, sent from PC1, in a unicast frame to PC5 using the destination address it learned from the ARP reply in step 6.

VLAN Trunks

What is a Trunk?

Definition of a VLAN Trunk A trunk is a point-to-point link between two network

devices that carries more than one VLAN. A VLAN trunk allows you to extend the VLANs across an

entire network. Cisco supports IEEE 802.1Q for coordinating trunks on Fast Ethernet and Gigabit Ethernet interfaces.

A VLAN trunk does not belong to a specific VLAN, rather it is a conduit for VLANs between switches and routers.

VLAN Trunks

What Problem Does a Trunk Solve?

8021Q Frame Tagging

Layer 2 devices, they only use the Ethernet frame header information to forward packets.

The frame header does not contain information about which VLAN the frame should belong to.

Subsequently, when Ethernet frames are placed on a trunk they need additional information about the VLANs they belong to.

This is accomplished by using the 802.1Q encapsulation header. This header adds a tag to the original Ethernet frame specifying the VLAN to which the frame belongs.

VLAN Frame Tagging Overview

When the switch receives a frame on a port configured in access mode with a static VLAN, the switch takes apart the frame and inserts a VLAN tag, recalculates the FCS and sends the tagged frame out a trunk port.

VLAN Tag Field Details

The VLAN tag field consists of an EtherType field, a tag control information field,and the FCS field.

VLAN Tag Field Details

EtherType field Set to the hexadecimal value of 0x8100. This value is called the tag protocol ID (TPID)

value. Tag control information field

The tag control information field contains:

3 bits of user priority - Used by the 802.1p standard, which specifies how to provide expedited transmission of Layer 2 frames.

1 bit of Canonical Format Identifier (CFI) - Enables Token Ring frames to be carried across Ethernet links easily.

12 bits of VLAN ID (VID) - VLAN identification numbers; supports up to 4096 VLAN IDs.

FCS field After the switch inserts the EtherType and tag control information fields, it

recalculates the FCS values and inserts it into the frame.

Native VLANs and 802.1Q Trunking

Native VLANs Configuration

Native VLANs Verification

Trunking Operation

A Trunk in Action – Step 1

A Trunk in Action – Step 3 -1

A Trunk in Action – Step 3 - 2

Trunking Modes

A switch port on a Cisco switch supports a number of trunking modes. The trunking mode defines how the port negotiates using DTP to set up a trunk link with its peer port. As follows:

On (default) Dynamic auto Dynamic desirable

Initial Port Configuration

Which Link will be trunk?

VLANs &TrunksConfiguration

Configuring VLANs& Trunks

Add a VLAN

Added VLAN Verification

Assign a Switch Port

Assign a Switch Port Verification

Managing VLANs

Manage Port Memberships

Delete VLANs

Configure a Trunk - Example

Verify Trunk Configuration

Managing a Trunk Configuration

Common Problems with Trunks

Native VLAN Mismatches - Example

Trunk Mode Mismatches

Incorrect VLAN List

chapter 3 - vlans

Documents

separate vlan

vlan id rangesaccess

vlans benefits

multiple vlans

vlans cont

management traffic

voice traffic

user traffic