VLANs (Virtual LANs)

VLAN introduction

Default vlan 1

vlan 10

Default vlan 1

VLANs provide segmentation based on broadcast

domains. VLAN = Subnet VLANs can logically segment switched networks based on: Physical location (Example: Building) Organization (Example: Marketing) Function (Example: Staff)
2

VLAN introduction
Without VLANs
10.1.0.0/16

One link per VLAN or a single VLAN Trunk (later) 10.1.0.0/16

With VLANs
10.2.0.0/16 10.2.0.0/16

10.3.0.0/16

10.3.0.0/16

VLANs are created to provide segmentation services traditionally provided by physical routers in LAN configurations. VLANs address scalability, security, and network management.
3

Two Subnets, One Switch, No VLANs

10.1.0.10/16 DG: 10.1.0.1

10.2.0.20/16 DG: 10.2.0.1

10.1.0.30/16 DG: 10.1.0.1

10.2.0.40/16 DG: 10.2.0.1

Layer 2 Broadcasts
What happens when 10.1.0.10 sends an ARP Request for 10.1.0.30?

Two Subnets, One Switch, No VLANs

10.1.0.10/16 DG: 10.1.0.1

10.2.0.20/16 DG: 10.2.0.1

10.1.0.30/16 DG: 10.1.0.1

10.2.0.40/16 DG: 10.2.0.1

Layer 2 Broadcasts
Switch floods it out all ports. All hosts receive broadcast, even those on a different subnet. Layer 2 broadcast should be isolated to only that network. Note: If the switch supports VLANs, by default all ports belong to the same VLAN and it floods it out all ports that belong to the same VLAN as the incoming port (coming).
5

Two Subnets, One Switch, No VLANs

10.1.0.10/16 DG: 10.1.0.1

10.2.0.20/16 DG: 10.2.0.1

10.1.0.30/16 DG: 10.1.0.1

10.2.0.40/16 DG: 10.2.0.1

Layer 2 Unknown Unicasts

This is the same for unknown unicasts.

Two Subnets, One Switch, No VLANs

Fa 0/0 10.1.0.1/16 Fa 0/1 10.2.0.1/16

10.1.0.10/16 DG: 10.1.0.1

10.2.0.20/16 DG: 10.2.0.1

10.1.0.30/16 DG: 10.1.0.1

10.2.0.40/16 DG: 10.2.0.1

Even though hosts are connected to the same switch (or even hub),
devices on different subnets must communicate via a router. Remember a switch is a layer 2 device, it forwards by examining Destination MAC addresses, not IP addresses.
7

Traditional Solution: Multiple Switches

Fa 0/0 10.1.0.1/16

Fa 0/1 10.2.0.1/16

ARP Request

10.1.0.10/16 DG: 10.1.0.1

10.1.0.30/16 DG: 10.1.0.1

10.2.0.20/16 DG: 10.2.0.1

10.2.0.40/16 DG: 10.2.0.1

The traditional solution is have devices on the same subnet connected

to the same switch. This provides broadcast and unknown unicast segmentation, but is also less scalable.

Broadcast domains with VLANs and routers

Port 1 VLAN 10 Port 4 VLAN 20 Port 9 VLAN 10 Port 12 VLAN 20

10.1.0.10/16 DG: 10.1.0.1

10.2.0.20/16 DG: 10.2.0.1

10.1.0.30/16 DG: 10.1.0.1

10.2.0.40/16 DG: 10.2.0.1

A VLAN is a broadcast domain created by one or more switches. VLANs are assigned on the switch and correspond with the host IP
address. Each switch port can be assigned to a different VLAN.

Broadcast domains with VLANs and routers

Port 1 VLAN 10 Port 4 VLAN 20 Port 9 VLAN 10 Port 12 VLAN 20

ARP Request

10.1.0.10/16 DG: 10.1.0.1

10.2.0.20/16 DG: 10.2.0.1

10.1.0.30/16 DG: 10.1.0.1

10.2.0.40/16 DG: 10.2.0.1

Ports assigned to the same VLAN share the same broadcast domain. Ports in different VLANs do not share the same broadcast domain.

10

VLAN Overview
For computers to communicate on the same VLAN:
Each must have an IP address and a subnet mask that is consistent for that VLAN. The switch has to be configured with the VLAN Each port in the VLAN must be assigned to the VLAN. A switch port with a singular VLAN configured on it is called an access port. Remember, just because two computers are physically connected to the same switch does not mean that they can communicate.

Devices on two separate networks and subnets must communicate via a router (Layer 3), whether or not VLANs are used.
11

Benefits of a VLAN
The primary benefits of using VLANs are:
Security - Groups that have sensitive data are separated from the rest of the network. Cost reduction - Cost savings result from less need for expensive network upgrades and more efficient use of existing bandwidth and uplinks. Higher performance - Dividing flat Layer 2 networks into multiple logical workgroups (broadcast domains) reduces unnecessary traffic on the network. Broadcast storm mitigation - Dividing a network into VLANs reduces the number of devices that may participate in a broadcast storm. Improved IT staff efficiency - VLANs make it easier to manage the network. When you provision a new switch, all the policies and procedures already configured for the particular VLAN are implemented when the ports are assigned. Simpler project or application management - Having separate functions makes working with a specialized application easier, for example, an e-learning development platform for faculty.
12

 Normal Range VLANs

2 VLAN ID Ranges
Identified by a VLAN ID between 1 and 1005. IDs 1002 through 1005 are reserved for Token Ring and FDDI VLANs. IDs 1 and 1002 to 1005 are automatically created and cannot be removed. Configurations are stored within a VLAN database file, called vlan.dat.
The vlan.dat file is located in the flash memory.

The VLAN trunking protocol (VTP), can only learn normal range VLANs. Extended Range VLANs Enable service providers to extend their infrastructure to a greater number of customers. Identified by a VLAN ID between 1006 and 4094. Support fewer VLAN features. Are saved in the running configuration file. VTP does not learn extended range VLANs.
13

255 VLANs Configurable

Cisco Catalyst 2960 switch can support up to 255 normal
range and extended range VLANs, Although the number configured affects the performance of the switch hardware. Because an enterprise network may need a switch with a lot of ports, Cisco has developed enterprise-level switches that can be joined or stacked together to create a single switching unit consisting of nine separate switches. Each separate switch can have 48 ports, which totals 432 ports on a single switching unit. In this case, the 255 VLAN limit per single switch could be a constraint for some enterprise customers.
14

Common VLAN Terminologies

Data VLAN
A data VLAN is a VLAN that is configured to carry only usergenerated traffic. A VLAN could carry voice traffic or manage traffic, but this traffic would not be part of a data VLAN.
It is common practice to separate voice and management traffic from data traffic.

A data VLAN is referred to as a user VLAN. Default VLAN All switch ports become a member of the default VLAN after the initial boot up of the switch. The default VLAN for Cisco switches is VLAN 1. VLAN 1 cannot be renamed and deleted. Layer 2 control traffic, such as CDP and spanning tree protocol traffic, will always be associated with VLAN 1 - this cannot be changed. It is a security best practice to change the default VLAN to a VLAN other than VLAN 1. VLAN trunks support the transmission of traffic from more than one VLAN.
15

Common VLAN Terminologies

Native VLAN
An 802.1Q trunk port supports traffic coming from VLANs (tagged traffic) as well as traffic that does not come from a VLAN (untagged traffic). The 802.1Q trunk port places untagged traffic on the native VLAN. Native VLANs are set out in the IEEE 802.1Q specification to maintain backward compatibility with untagged traffic common to legacy LAN scenarios. It is a best practice to use a VLAN other than VLAN 1 as the native VLAN. Management VLAN A management VLAN is any VLAN you configure to access the management capabilities of a switch. You assign the management VLAN an IP address and subnet mask. The out-of-the-box configuration of a Cisco switch has VLAN 1 as the default VLAN, the VLAN 1 would be a bad choice as the management VLAN;

16

Explaining 802.1Q Native VLANs

The purpose of the native VLAN is to allow frames not tagged with a VID to traverse the trunk link.

An 802.1Q native VLAN is defined as the following: VLAN that a port is associated with when not in trunking operational mode
VLAN that is associated with untagged frames that are received on a switch port VLAN to which Layer 2 frames are forwarded if received untagged on an 802.1Q trunk port

Compare this to ISL, in which no frame may be transported on the trunk link without encapsulation, and any unencapsulated frames received on a trunk port are immediately dropped.

17

Network Traffic Types

IP Multicast Traffic IP multicast traffic is sent from a particular source address to a multicast group that is identified by a single IP and MAC destination-group address pair. Examples of applications that generate this type of traffic are Cisco IP/TV broadcasts. Multicast traffic can produce a large amount of data across the network. VLANs should be configured to ensure multicast traffic only goes to those user devices that use the service provided. Routers must be configured to ensure that multicast traffic is forwarded to the network areas where it is requested. Normal Data Traffic Normal data traffic is related to file creation and storage, print services, e-mail database access, and other shared network applications that are common to business uses. Data traffic should be associated with a data VLAN (other than VLAN 1), and Scavenger Class Traffic The Scavenger class is intended to provide less-than best-effort services to certain applications. Applications assigned to this class have little or no contribution to the organizational objectives of the enterprise and are typically entertainment oriented in nature. These include peer-to-peer media-sharing applications (KaZaa, Morpheus, Groekster, Napster, iMesh, and so on), gaming applications (Doom, Quake, Unreal Tournament, and so on), and any entertainment video applications.

18

VLAN operation

19

Static VLANS

Default VLAN 1
Switch(config)#interface fastethernet 0/9 Switch(config-if)#switchport access vlan 10

Default VLAN 1 VLAN 10 Configured

Static membership VLANs are called port-based and port-centric

membership VLANs. This is the most common method of assigning ports to VLANs. As a device enters the network, it automatically assumes the VLAN membership of the port to which it is attached. There is a default VLAN, on Cisco switches that is VLAN 1.

20

VLAN operation
Port 1 VLAN 10 Port 4 VLAN 20 Port 9 VLAN 10 Port 12 VLAN 20

10.1.0.10/16 DG: 10.1.0.1

10.2.0.20/16 DG: 10.2.0.1

10.1.0.30/16 DG: 10.1.0.1

10.2.0.40/16 DG: 10.2.0.1

VLANs are assigned on the switch port. In order for a host to be a part of that VLAN, it must be assigned an IP address that belongs to the proper subnet. Remember: VLAN = Subnet
21

VLAN operation

Dynamic membership VLANs are created through network

management software. (Not as common as static VLANs) CiscoWorks 2000 or CiscoWorks for Switched Internetworks is used to create Dynamic VLANs. Dynamic VLANs allow for membership based on the MAC address of the device connected to the switch port. As a device enters the network, it queries a database within the switch for a VLAN membership.
22

Two Types of VLANs

End-to-End or Campus-wide VLANs Geographic or Local VLANs

23

End-to-End or Campus-wide VLANs

This model is no longer recommended by Cisco and other vendors, unless there is a specific need for this method.

24

Geographic or Local VLANs

This model is the recommended method. More in CIS 187 (CCNP 3).

25

80/20 and 20/80 Rule

The network is engineered, based on traffic flow patterns, to have 80

percent of the traffic contained within a VLAN. The remaining 20 percent crosses the router to the enterprise servers and to the Internet and WAN. This is known as the 80/20 rule. Note: With todays traffic patterns, this rule is becoming obsolete. The 20/80 rule applies to many of todays networks, with 20% of the traffic within a VLAN, and 80% outside the VLAN.
26

Geographic or Local VLANs

As many corporate networks have moved to centralize their

resources, end-to-end VLANs have become more difficult to maintain. Users are required to use many different resources, many of which are no longer in their VLAN. Because of this shift in placement and usage of resources, VLANs are now more frequently being created around geographic boundaries rather than commonality boundaries.
27

Quick Introduction to Trunking

More in the next presentation.

28

VLAN Trunking/Tagging

VLAN Tagging is used when a link needs to carry traffic for more than one
VLAN. Trunk link: As packets are received by the switch from any attached endstation device, a unique packet identifier is added within each header. This header information designates the VLAN membership of each packet.

29

VLAN Trunking/Tagging

The packet is then forwarded to the appropriate switches or routers based

on the VLAN identifier and MAC address. Upon reaching the destination node (Switch) the VLAN ID is removed from the packet by the adjacent switch and forwarded to the attached device. Packet tagging provides a mechanism for controlling the flow of broadcasts and applications while not interfering with the network and applications. This is known as a trunk link or VLAN trunking.
30

VLAN Trunking/Tagging
No VLAN Tagging

VLAN Tagging

VLAN Tagging is used when a single link needs to carry

traffic for more than one VLAN.

31

VLAN Trunking/Tagging

There are two major methods of frame tagging, Cisco proprietary Inter
Switch Link (ISL) and IEEE 802.1Q. ISL used to be the most common, but is now being replaced by 802.1Q frame tagging. Cisco recommends using 802.1Q. VLAN Tagging and Trunking will be discussed in the next chapter.
32

Configuring VLANs

Default vlan 1

vlan 10

Default vlan 1

33

Configuring static VLANs

The following guidelines must be followed when configuring VLANs on

Cisco 29xx switches: The maximum number of VLANs is switch dependent. 29xx switches commonly allow 4,095 VLANs VLAN 1 is one of the factory-default VLANs. VLAN 1 is the default Ethernet VLAN. Cisco Discovery Protocol (CDP) and VLAN Trunking Protocol (VTP) advertisements are sent on VLAN 1. (later) The Catalyst 29xx IP address is in the VLAN 1 broadcast domain by default.

34

Creating VLANs

Assigning access ports (non-trunk ports) to a specific VLAN

Switch(config)#interface fastethernet 0/9 Switch(config-if)#switchport access vlan vlan_number Switch(config-if)#switchport mode access

Create the VLAN: (This step is not required and will be discussed
later.) Switch#vlan database Switch(vlan)#vlan vlan_number Switch(vlan)#exit
35

Creating VLANs

Default vlan 1

vlan 10

Default vlan 1

Assign ports to the VLAN

Switch(config)#interface fastethernet 0/9 Switch(config-if)#switchport access vlan 10 Switch(config-if)#switchport mode access

access Denotes this port as an access port and not a trunk link (later)

36

Creating VLANs

Default vlan 1

vlan 300

Default vlan 1

Switch(config)#interface fastethernet 0/9 Switch(config-if)#switchport access vlan 300 Switch(config-if)#switchport mode access

37

Configuring Ranges of VLANs

vlan 2

Switch(config)#interface fastethernet 0/5 Switch(config-if)#switchport access vlan 2 Switch(config-if)#switchport mode access Switch(config-if)#exit Switch(config)#interface fastethernet 0/6 Switch(config-if)#switchport access vlan 2 Switch(config-if)#switchport mode access Switch(config-if)#exit Switch(config)#interface fastethernet 0/7 Switch(config-if)#switchport access vlan 2 Switch(config-if)#switchport mode access
38

Configuring Ranges of VLANs

vlan 3

Switch(config)#interface range fastethernet 0/8 - 12 Switch(config-if)#switchport access vlan 3 Switch(config-if)#switchport mode access Switch(config-if)#exit

This command does not work on all 2900 switches, such as the 2900

Series XL. This format of this command may vary somewhat on various 2900 switches. It does work on the 2950.

39

Creating VLANs

Default vlan 1

vlan 300

Default vlan 1

SydneySwitch(config)#interface fastethernet 0/1 SydneySwitch(config-if)#switchport mode access SydneySwitch(config-if)#exit Note: The switchport mode access command should be configured on all ports that the network administrator does not want to become a trunk port. This will be discussed in more in the next chapter, section on DTP.

40

Creating VLANs

Default: dynamic desirable

This link will become a trunking link unless one of the ports is configured with as an access link, I.e. switchport mode access

By default, all ports are configured as switchport mode dynamic

desirable, which means that if the port is connected to another switch with an port configured with the same default mode (or desirable or auto), this link will become a trunking link. (See my article on DTP on my web site for more information.) Both the switchport access vlan command and the switchport mode access command are recommended. (later)
41

This will be discussed in more in the next chapter, section on DTP.

Verifying VLANs show vlan

vlan 1 default

vlan 2

vlan 3

42

Verifying VLANs show vlan brief

vlan 1 default

vlan 2

vlan 3

43

Deleting VLANs

Switch(config-if)#no switchport access vlan vlan_number

This command will reset the interface to VLAN 1. VLAN 1 cannot be removed from the switch.

44

Accessing/Managing the Switch

Switch(config)#interface vlan 1 Switch(config-if)#ip address 10.1.0.5. 255.255.0.0 Switch(config-if)#no shutdown Switch(config-if)#exit Switch(config)#ip default-gateway 10.1.0.1
The IP Address, Subnet Mask, and Default Gateway on a switch is for the same purposes as when you configure it for a host. Note: The switch must be configured with a vty login/password and a privileged password for telnet access. IP Address and Subnet Mask By default, VLAN 1 is the management VLAN. This is where you assign the IP Address and Subnet Mask to the switch. This address is for management purposes only and does not affect the Layer 2 switching operations of the switch. The address allows you the ability to ping the switch or telnet into the switch. Default Gateway The default gateway is also used for management purposes. Once you are telnetted into the switch, if you need to ping or telnet into a device on another network, the default-gateway is where those frames will be sent.
45

Accessing/Managing the Switch

Switch(config)# enable secret class Switch(config)#line vty 0 4 Switch(config-line)#password cisco Switch(config-line)#login Switch(config)#inter vlan 1 Switch(config-if)#ip add 10.1.0.5. 255.255.0.0 Switch(config-if)#no shut Switch(config)#ip default-gateway 10.1.0.1

46

Accessing/Managing the Switch

10.1.0.5/16 DG: 10.1.0.1

Fa 0/0 10.1.0.1/16

Fa 0/1 10.2.0.1/16

10.1.0.10/16 DG: 10.1.0.1

10.1.0.30/16 DG: 10.1.0.1

10.2.0.20/16 DG: 10.2.0.1

10.2.0.40/16 DG: 10.2.0.1

Host C:\>telnet 10.1.0.1 username:cisco password:class Switch>show vlan Switch>ping 10.2.0.20 Switch>telnet 10.1.0.1 Switch>exit

47

Erasing VLAN information

Switch#delete flash:vlan.dat Delete filename [vlan.dat]? Delete flash:vlan.dat? [confirm] Switch#erase startup-config Switch#reload

VLAN information is kept in the vlan.dat file. The file is not erased when erasing the startup-config. To remove all VLAN information, use the command above and reload
the switch.

48

VLANs (Virtual LANs)

CIS 83 Fall 2006 CCNA 3 Rick Graziani Cabrillo College