VLANs (Virtual LANs)
Page 1: cis83-3-8-VLANs



VLAN introduction

• VLANs provide segmentation based on broadcast domains.

• VLAN = Subnet

• VLANs can logically segment switched networks based on:
– Physical location (Example: Building)
– Organization (Example: Marketing)
– Function (Example: Staff)

[Diagram: a switch with one port configured in VLAN 10; all other ports remain in the default VLAN 1]


VLAN introduction

• VLANs are created to provide segmentation services traditionally provided by physical routers in LAN configurations.

• VLANs address scalability, security, and network management.

[Diagram: Without VLANs, the subnets 10.3.0.0/16, 10.2.0.0/16 and 10.1.0.0/16 are separate physical networks; with VLANs, the same three subnets share one switch, connected to the router by one link per VLAN or a single VLAN trunk (later)]


Two Subnets, One Switch, No VLANs

• Layer 2 Broadcasts
– What happens when 10.1.0.10 sends an ARP Request for 10.1.0.30?

[Diagram: one switch with four hosts: 10.1.0.10/16 and 10.1.0.30/16 (DG 10.1.0.1), 10.2.0.20/16 and 10.2.0.40/16 (DG 10.2.0.1)]


Two Subnets, One Switch, No VLANs

• Layer 2 Broadcasts
– The switch floods it out all ports.
– All hosts receive the broadcast, even those on a different subnet.
– A Layer 2 broadcast should be isolated to only that network.
– Note: If the switch supports VLANs, by default all ports belong to the same VLAN, and the switch floods the broadcast out all ports that belong to the same VLAN as the incoming port.

[Diagram: the same four hosts on one switch; the ARP Request from 10.1.0.10 is flooded out every port]


Two Subnets, One Switch, No VLANs

• Layer 2 Unknown Unicasts
– This is the same for unknown unicasts.

[Diagram: the same four hosts on one switch; an unknown unicast is flooded out every port]


Two Subnets, One Switch, No VLANs

• Even though hosts are connected to the same switch (or even hub), devices on different subnets must communicate via a router.

• Remember, a switch is a Layer 2 device: it forwards by examining destination MAC addresses, not IP addresses.

[Diagram: the four hosts on one switch, plus a router with Fa 0/0 = 10.1.0.1/16 and Fa 0/1 = 10.2.0.1/16 serving as the two default gateways]


Traditional Solution: Multiple Switches

• The traditional solution is to have devices on the same subnet connected to the same switch.

• This provides broadcast and unknown unicast segmentation, but is also less scalable.

[Diagram: one switch per subnet, each connected to its own router interface (Fa 0/0 = 10.1.0.1/16, Fa 0/1 = 10.2.0.1/16); an ARP Request stays within its own switch]


Broadcast domains with VLANs and routers

• A VLAN is a broadcast domain created by one or more switches.
• VLANs are assigned on the switch and correspond with the host IP address.
• Each switch port can be assigned to a different VLAN.

[Diagram: the four hosts on one switch; Port 1 and Port 9 are assigned to VLAN 10, Port 12 and Port 4 to VLAN 20]


Broadcast domains with VLANs and routers

• Ports assigned to the same VLAN share the same broadcast domain.

• Ports in different VLANs do not share the same broadcast domain.

[Diagram: the same switch (Ports 1 and 9 in VLAN 10, Ports 12 and 4 in VLAN 20); an ARP Request is flooded only to the ports in the sender's VLAN]
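The flooding behaviour of slides 4 through 10 as an added Python model (not code from the slides): a switch with a per-VLAN MAC table that floods broadcasts and unknown unicasts only to ports in the incoming port's VLAN. The port numbers and VLAN IDs are the slides' values; the MAC addresses are constructed.

```python
from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Frame:
    dst: str
    src: str


@dataclass
class Switch:
    port_vlan: dict                                # port number -> access VLAN
    mac_table: dict = field(default_factory=dict)  # (vlan, mac) -> port, learned

    def forward(self, in_port: int, frame: Frame) -> list:
        """Return the sorted list of ports the frame is sent out of."""
        vlan = self.port_vlan[in_port]
        # Learning: the source MAC lives behind in_port, within this VLAN only
        self.mac_table[(vlan, frame.src)] = in_port
        if frame.dst != BROADCAST:
            out = self.mac_table.get((vlan, frame.dst))
            if out is not None:
                # Known unicast: one port (or filtered if it is the incoming port)
                return [] if out == in_port else [out]
        # Broadcast or unknown unicast: flood, but only to ports in the same VLAN
        return sorted(p for p, v in self.port_vlan.items()
                      if v == vlan and p != in_port)


def flat_switch() -> Switch:
    """Slides 4-6: no VLANs configured, so every port sits in default VLAN 1."""
    return Switch(port_vlan={1: 1, 4: 1, 9: 1, 12: 1})


def vlan_switch() -> Switch:
    """Slides 9-10: ports 1 and 9 in VLAN 10, ports 12 and 4 in VLAN 20."""
    return Switch(port_vlan={1: 10, 9: 10, 12: 20, 4: 20})


def arp_request_flood(switch: Switch, in_port: int) -> list:
    """Ports that receive an ARP Request (a Layer 2 broadcast) sent into in_port."""
    # Constructed source MAC derived from the port number; only uniqueness matters
    src = f"00:00:00:00:00:{in_port:02x}"
    return switch.forward(in_port, Frame(dst=BROADCAST, src=src))


if __name__ == "__main__":
    print("no VLANs, ARP from port 1 reaches:", arp_request_flood(flat_switch(), 1))  # [4, 9, 12]
    print("VLAN 10,  ARP from port 1 reaches:", arp_request_flood(vlan_switch(), 1))  # [9]
```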


VLAN Overview

• For computers to communicate on the same VLAN:
– Each must have an IP address and a subnet mask that is consistent for that VLAN.
– The switch has to be configured with the VLAN.
– Each port in the VLAN must be assigned to the VLAN. A switch port with a single VLAN configured on it is called an access port.

Remember, just because two computers are physically connected to the same switch does not mean that they can communicate.

Devices on two separate networks and subnets must communicate via a router (Layer 3), whether or not VLANs are used.


Benefits of a VLAN

• The primary benefits of using VLANs are:
– Security - Groups that have sensitive data are separated from the rest of the network.
– Cost reduction - Cost savings result from less need for expensive network upgrades and more efficient use of existing bandwidth and uplinks.
– Higher performance - Dividing flat Layer 2 networks into multiple logical workgroups (broadcast domains) reduces unnecessary traffic on the network.
– Broadcast storm mitigation - Dividing a network into VLANs reduces the number of devices that may participate in a broadcast storm.
– Improved IT staff efficiency - VLANs make it easier to manage the network.
• When you provision a new switch, all the policies and procedures already configured for the particular VLAN are implemented when the ports are assigned.
– Simpler project or application management - Having separate functions makes working with a specialized application easier, for example, an e-learning development platform for faculty.


2 VLAN ID Ranges

• Normal Range VLANs
– Identified by a VLAN ID between 1 and 1005.
– IDs 1002 through 1005 are reserved for Token Ring and FDDI VLANs.
– IDs 1 and 1002 to 1005 are automatically created and cannot be removed.
– Configurations are stored within a VLAN database file, called vlan.dat.
• The vlan.dat file is located in the flash memory.
– The VLAN Trunking Protocol (VTP) can only learn normal range VLANs.

• Extended Range VLANs
– Enable service providers to extend their infrastructure to a greater number of customers.
– Identified by a VLAN ID between 1006 and 4094.
– Support fewer VLAN features.
– Are saved in the running configuration file.
– VTP does not learn extended range VLANs.


255 VLANs Configurable

• A Cisco Catalyst 2960 switch can support up to 255 normal range and extended range VLANs, although the number configured affects the performance of the switch hardware.
– Because an enterprise network may need a switch with a lot of ports, Cisco has developed enterprise-level switches that can be joined or stacked together to create a single switching unit consisting of nine separate switches. Each separate switch can have 48 ports, which totals 432 ports on a single switching unit. In this case, the 255 VLAN limit per single switch could be a constraint for some enterprise customers.


Common VLAN Terminologies

• Data VLAN
– A data VLAN is a VLAN that is configured to carry only user-generated traffic.
– A VLAN could carry voice traffic or management traffic, but this traffic would not be part of a data VLAN.
• It is common practice to separate voice and management traffic from data traffic.
– A data VLAN is also referred to as a user VLAN.

• Default VLAN
– All switch ports become a member of the default VLAN after the initial boot up of the switch.
– The default VLAN for Cisco switches is VLAN 1.
– VLAN 1 cannot be renamed or deleted.
– Layer 2 control traffic, such as CDP and spanning tree protocol traffic, will always be associated with VLAN 1 - this cannot be changed.
– It is a security best practice to change the default VLAN to a VLAN other than VLAN 1.
– VLAN trunks support the transmission of traffic from more than one VLAN.


Common VLAN Terminologies

• Native VLAN
– An 802.1Q trunk port supports traffic coming from VLANs (tagged traffic) as well as traffic that does not come from a VLAN (untagged traffic).
– The 802.1Q trunk port places untagged traffic on the native VLAN.
– Native VLANs are set out in the IEEE 802.1Q specification to maintain backward compatibility with untagged traffic common to legacy LAN scenarios.
– It is a best practice to use a VLAN other than VLAN 1 as the native VLAN.

• Management VLAN
– A management VLAN is any VLAN you configure to access the management capabilities of a switch.
– You assign the management VLAN an IP address and subnet mask.
– The out-of-the-box configuration of a Cisco switch has VLAN 1 as the default VLAN, so VLAN 1 would be a bad choice as the management VLAN.


Explaining 802.1Q Native VLANs

• The purpose of the native VLAN is to allow frames not tagged with a VID to traverse the trunk link.

• An 802.1Q native VLAN is defined as the following:
– VLAN that a port is associated with when not in trunking operational mode
– VLAN that is associated with untagged frames that are received on a switch port
– VLAN to which Layer 2 frames are forwarded if received untagged on an 802.1Q trunk port

• Compare this to ISL, in which no frame may be transported on the trunk link without encapsulation, and any unencapsulated frames received on a trunk port are immediately dropped.
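The tagging and native-VLAN rules of slides 16 and 17 as an added Python example (not code from the slides): it builds Ethernet frames with or without a 4-byte 802.1Q tag and decodes them as a trunk port would, placing untagged frames on the native VLAN. The TPID 0x8100 and tag layout come from IEEE 802.1Q; the native VLAN 99, MAC addresses and payload are constructed for the demonstration.

```python
import struct
from typing import Optional

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def build_frame(dst: str, src: str, ethertype: int, payload: bytes,
                vid: Optional[int] = None, pcp: int = 0) -> bytes:
    """Untagged frame when vid is None; otherwise a 4-byte 802.1Q tag
    (TPID, then TCI = PCP:3 | DEI:1 | VID:12) sits between src MAC and EtherType."""
    header = mac_bytes(dst) + mac_bytes(src)
    if vid is not None:
        if not 1 <= vid <= 4094:
            raise ValueError(f"VID {vid} is outside the usable range 1-4094")
        tci = (pcp << 13) | vid  # DEI bit left clear
        header += struct.pack("!HH", TPID_8021Q, tci)
    return header + struct.pack("!H", ethertype) + payload


def parse_trunk_frame(frame: bytes, native_vlan: int) -> dict:
    """Decode a frame arriving on an 802.1Q trunk port: tagged frames belong to
    the VID carried in the tag, untagged frames are placed on the native VLAN."""
    dst, src = frame[0:6].hex(":"), frame[6:12].hex(":")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    tagged = ethertype == TPID_8021Q
    if tagged:
        (tci,) = struct.unpack("!H", frame[14:16])
        vid, pcp = tci & 0x0FFF, tci >> 13
        (ethertype,) = struct.unpack("!H", frame[16:18])
        payload = frame[18:]
    else:
        vid, pcp, payload = native_vlan, 0, frame[14:]
    return {"dst": dst, "src": src, "tagged": tagged, "vid": vid,
            "pcp": pcp, "ethertype": ethertype, "payload": payload}


def demo() -> tuple:
    """A frame tagged VLAN 10 and an untagged frame, both received on a trunk
    whose native VLAN is 99 (a VLAN other than 1, as the slides recommend)."""
    arp_stub = bytes.fromhex("0001080006040001")  # constructed start of an ARP header
    tagged = build_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55", 0x0806, arp_stub, vid=10)
    untagged = build_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:66", 0x0806, arp_stub)
    return parse_trunk_frame(tagged, native_vlan=99), parse_trunk_frame(untagged, native_vlan=99)


if __name__ == "__main__":
    for decoded in demo():
        print("tagged" if decoded["tagged"] else "untagged", "-> VLAN", decoded["vid"])
```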


Network Traffic Types

• IP Multicast Traffic
– IP multicast traffic is sent from a particular source address to a multicast group that is identified by a single IP and MAC destination-group address pair.
• Examples of applications that generate this type of traffic are Cisco IP/TV broadcasts.
• Multicast traffic can produce a large amount of data across the network. VLANs should be configured to ensure multicast traffic only goes to those user devices that use the service provided.
• Routers must be configured to ensure that multicast traffic is forwarded to the network areas where it is requested.

• Normal Data Traffic
– Normal data traffic is related to file creation and storage, print services, e-mail, database access, and other shared network applications that are common to business uses.
– Data traffic should be associated with a data VLAN (other than VLAN 1), and

• Scavenger Class Traffic
– The Scavenger class is intended to provide less-than-best-effort service to certain applications.
– Applications assigned to this class have little or no contribution to the organizational objectives of the enterprise and are typically entertainment oriented in nature.
– These include peer-to-peer media-sharing applications (KaZaa, Morpheus, Grokster, Napster, iMesh, and so on), gaming applications (Doom, Quake, Unreal Tournament, and so on), and any entertainment video applications.


VLAN operation


Static VLANs

• Static membership VLANs are called port-based and port-centric membership VLANs.
• This is the most common method of assigning ports to VLANs.
• As a device enters the network, it automatically assumes the VLAN membership of the port to which it is attached.
• There is a default VLAN; on Cisco switches that is VLAN 1.

[Diagram: port Fa 0/9 configured in VLAN 10; all other ports remain in the default VLAN 1]

Switch(config)#interface fastethernet 0/9

Switch(config-if)#switchport access vlan 10


VLAN operation

• VLANs are assigned on the switch port.

• In order for a host to be a part of that VLAN, it must be assigned an IP address that belongs to the proper subnet.
– Remember: VLAN = Subnet

[Diagram: the four hosts on one switch; Port 1 and Port 9 in VLAN 10, Port 12 and Port 4 in VLAN 20]


VLAN operation

• Dynamic membership VLANs are created through network management software. (Not as common as static VLANs)

• CiscoWorks 2000 or CiscoWorks for Switched Internetworks is used to create Dynamic VLANs.

• Dynamic VLANs allow for membership based on the MAC address of the device connected to the switch port.

• As a device enters the network, it queries a database within the switch for a VLAN membership.


Two Types of VLANs

• End-to-End or Campus-wide VLANs

• Geographic or Local VLANs



End-to-End or Campus-wide VLANs

This model is no longer recommended by Cisco and other vendors, unless there is a specific need for this method.


Geographic or Local VLANs

This model is the recommended method. More in CIS 187 (CCNP 3).


80/20 and 20/80 Rule

• The network is engineered, based on traffic flow patterns, to have 80 percent of the traffic contained within a VLAN.

• The remaining 20 percent crosses the router to the enterprise servers and to the Internet and WAN.

• This is known as the 80/20 rule.
• Note:
– With today’s traffic patterns, this rule is becoming obsolete.
– The 20/80 rule applies to many of today’s networks, with 20% of the traffic within a VLAN, and 80% outside the VLAN.


Geographic or Local VLANs

• As many corporate networks have moved to centralize their resources, end-to-end VLANs have become more difficult to maintain.

• Users are required to use many different resources, many of which are no longer in their VLAN.

• Because of this shift in placement and usage of resources, VLANs are now more frequently being created around geographic boundaries rather than commonality boundaries.


Quick Introduction to Trunking

• More in the next presentation.


VLAN Trunking/Tagging

• VLAN Tagging is used when a link needs to carry traffic for more than one VLAN.

• Trunk link: As packets are received by the switch from any attached end-station device, a unique packet identifier is added within each header.

• This header information designates the VLAN membership of each packet.


VLAN Trunking/Tagging

• The packet is then forwarded to the appropriate switches or routers based on the VLAN identifier and MAC address.

• Upon reaching the destination switch, the VLAN ID is removed from the packet by that switch and the packet is forwarded to the attached device.

• Packet tagging provides a mechanism for controlling the flow of broadcasts and applications while not interfering with the network and applications.

• This is known as a trunk link or VLAN trunking.


VLAN Trunking/Tagging

• VLAN Tagging is used when a single link needs to carry traffic for more than one VLAN.

[Diagram: No VLAN Tagging (a separate link for each VLAN) versus VLAN Tagging (one link carrying all VLANs)]


VLAN Trunking/Tagging

• There are two major methods of frame tagging, Cisco proprietary Inter-Switch Link (ISL) and IEEE 802.1Q.

• ISL used to be the most common, but is now being replaced by 802.1Q frame tagging.

• Cisco recommends using 802.1Q.
• VLAN Tagging and Trunking will be discussed in the next chapter.


Configuring VLANs

[Diagram: a switch with one port in VLAN 10 and the remaining ports in the default VLAN 1]


Configuring static VLANs

• The following guidelines must be followed when configuring VLANs on Cisco 29xx switches:
– The maximum number of VLANs is switch dependent.
• 29xx switches commonly allow 4,095 VLANs
– VLAN 1 is one of the factory-default VLANs.
– VLAN 1 is the default Ethernet VLAN.
– Cisco Discovery Protocol (CDP) and VLAN Trunking Protocol (VTP) advertisements are sent on VLAN 1. (later)
– The Catalyst 29xx IP address is in the VLAN 1 broadcast domain by default.


Creating VLANs

• Assigning access ports (non-trunk ports) to a specific VLAN

Switch(config)#interface fastethernet 0/9
Switch(config-if)#switchport access vlan vlan_number
Switch(config-if)#switchport mode access

• Create the VLAN: (This step is not required and will be discussed later.)

Switch#vlan database
Switch(vlan)#vlan vlan_number
Switch(vlan)#exit


Creating VLANs

• Assign ports to the VLAN

Switch(config)#interface fastethernet 0/9

Switch(config-if)#switchport access vlan 10

Switch(config-if)#switchport mode access

• access – Denotes this port as an access port and not a trunk link (later)

[Diagram: port Fa 0/9 now in VLAN 10; the other ports remain in the default VLAN 1]


Creating VLANs

[Diagram: port Fa 0/9 configured in VLAN 300; the other ports remain in the default VLAN 1]

Switch(config)#interface fastethernet 0/9

Switch(config-if)#switchport access vlan 300

Switch(config-if)#switchport mode access


Configuring Ranges of VLANs

Switch(config)#interface fastethernet 0/5
Switch(config-if)#switchport access vlan 2
Switch(config-if)#switchport mode access
Switch(config-if)#exit
Switch(config)#interface fastethernet 0/6
Switch(config-if)#switchport access vlan 2
Switch(config-if)#switchport mode access
Switch(config-if)#exit
Switch(config)#interface fastethernet 0/7
Switch(config-if)#switchport access vlan 2
Switch(config-if)#switchport mode access

[Diagram: ports Fa 0/5 through Fa 0/7 assigned to VLAN 2, one interface at a time]


Configuring Ranges of VLANs

• This command does not work on all 2900 switches, such as the 2900 Series XL.

• The format of this command may vary somewhat on various 2900 switches.

• It does work on the 2950.

[Diagram: ports Fa 0/8 through Fa 0/12 assigned to VLAN 3 with a single interface range command]

Switch(config)#interface range fastethernet 0/8 - 12
Switch(config-if)#switchport access vlan 3
Switch(config-if)#switchport mode access
Switch(config-if)#exit


Creating VLANs

[Diagram: same switch as the previous slide (one port in VLAN 300, the rest in the default VLAN 1)]

SydneySwitch(config)#interface fastethernet 0/1

SydneySwitch(config-if)#switchport mode access

SydneySwitch(config-if)#exit

Note: The switchport mode access command should be configured on all ports that the network administrator does not want to become a trunk port.

• This will be discussed more in the next chapter, in the section on DTP.


Creating VLANs

Default: dynamic desirable

• By default, all ports are configured as switchport mode dynamic desirable, which means that if the port is connected to another switch with a port configured with the same default mode (or desirable or auto), this link will become a trunking link. (See my article on DTP on my web site for more information.)

• Both the switchport access vlan command and the switchport mode access command are recommended. (later)

• This will be discussed more in the next chapter, in the section on DTP.

[Diagram: two switches connected port to port. This link will become a trunking link unless one of the ports is configured as an access port, i.e. switchport mode access]
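An added Python check (not from the slides) that reads an IOS-style running-config and flags the conditions slides 13, 15 to 16, 34, 40 to 41 and 45 warn about: ports without switchport mode access (still dynamic desirable), ports left in VLAN 1, VLAN IDs outside the normal range, and a management address on interface VLAN 1. The sample configuration is constructed for the demonstration and the parser assumes IOS's one-space indentation of interface sub-commands.

```python
import re


def classify_vlan(vid: int) -> str:
    """Slide 13: normal range 1-1005 (1002-1005 reserved), extended 1006-4094."""
    if 1002 <= vid <= 1005:
        return "reserved"
    if 1 <= vid <= 1005:
        return "normal"
    if 1006 <= vid <= 4094:
        return "extended"
    return "invalid"


def parse_interfaces(config: str) -> dict:
    """Map each 'interface X' block to the list of indented commands under it."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(" ", 1)[1]
            interfaces[current] = []
        elif current and raw.startswith(" ") and line:
            interfaces[current].append(line)
        else:
            current = None  # '!' or a global command ends the block
    return interfaces


def audit(config: str) -> list:
    """One finding per risky port or SVI setting; an empty list means clean."""
    findings = []
    for name, cmds in parse_interfaces(config).items():
        if name.lower().startswith("vlan"):
            # Slides 16 and 45: the management address should not live on VLAN 1
            is_vlan1 = name.lower().replace(" ", "") == "vlan1"
            if is_vlan1 and any(c.startswith("ip address") for c in cmds):
                findings.append(f"{name}: management address on default VLAN 1")
            continue
        matches = [re.fullmatch(r"switchport access vlan (\d+)", c) for c in cmds]
        vids = [int(m.group(1)) for m in matches if m]
        vlan = vids[-1] if vids else 1  # slides 20 and 34: unconfigured ports are in VLAN 1
        kind = classify_vlan(vlan)
        if kind != "normal":
            findings.append(f"{name}: VLAN {vlan} is {kind}")
        if vlan == 1:
            findings.append(f"{name}: still in default VLAN 1")
        if "switchport mode access" not in cmds:
            # Slides 40-41: without it the port stays dynamic desirable and can negotiate a trunk
            findings.append(f"{name}: missing 'switchport mode access' (dynamic desirable by default)")
    return findings


# Constructed running-config excerpt (not from the slides) for the demonstration
SAMPLE_CONFIG = """\
interface FastEthernet0/2
 switchport access vlan 10
!
interface FastEthernet0/3
!
interface FastEthernet0/4
 switchport access vlan 1004
 switchport mode access
!
interface Vlan1
 ip address 10.1.0.5 255.255.0.0
 no shutdown
"""
```

Running audit(SAMPLE_CONFIG) returns five findings: Fa0/2 lacks the access mode, Fa0/3 is still in VLAN 1 and lacks the access mode, Fa0/4 uses reserved VLAN 1004, and the management address sits on VLAN 1.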


Verifying VLANs – show vlan

[show vlan output: VLAN 1 (default), VLAN 2, VLAN 3]


Verifying VLANs – show vlan brief

[show vlan brief output: VLAN 1 (default), VLAN 2, VLAN 3]


Deleting VLANs

Switch(config-if)#no switchport access vlan vlan_number

• This command will reset the interface to VLAN 1.

• VLAN 1 cannot be removed from the switch.


Accessing/Managing the Switch

The IP address, subnet mask, and default gateway on a switch serve the same purposes as when you configure them for a host.

Note: The switch must be configured with a vty login/password and a privileged password for telnet access.

IP Address and Subnet Mask
• By default, VLAN 1 is the “management VLAN”.
• This is where you assign the IP Address and Subnet Mask to the switch.
• This address is for management purposes only and does not affect the Layer 2 switching operations of the switch.
• The address allows you the ability to ping the switch or telnet into the switch.

Default Gateway
• The default gateway is also used for management purposes.
• Once you are telnetted into the switch, if you need to ping or telnet into a device on another network, the default-gateway is where those frames will be sent.

Switch(config)#interface vlan 1
Switch(config-if)#ip address 10.1.0.5 255.255.0.0
Switch(config-if)#no shutdown
Switch(config-if)#exit
Switch(config)#ip default-gateway 10.1.0.1


Accessing/Managing the Switch

Switch(config)#enable secret class

Switch(config)#line vty 0 4
Switch(config-line)#password cisco
Switch(config-line)#login

Switch(config)#inter vlan 1
Switch(config-if)#ip add 10.1.0.5 255.255.0.0
Switch(config-if)#no shut

Switch(config)#ip default-gateway 10.1.0.1


Accessing/Managing the Switch

Host C:\>telnet 10.1.0.1
username: cisco
password: class
Switch>show vlan
Switch>ping 10.2.0.20
Switch>telnet 10.1.0.1
Switch>exit

[Diagram: the four hosts and the router (Fa 0/0 = 10.1.0.1/16, Fa 0/1 = 10.2.0.1/16) as before; the switch itself is 10.1.0.5/16 with DG 10.1.0.1]


Erasing VLAN information

Switch#delete flash:vlan.dat
Delete filename [vlan.dat]?
Delete flash:vlan.dat? [confirm]
Switch#erase startup-config
Switch#reload

• VLAN information is kept in the vlan.dat file.
• The file is not erased when erasing the startup-config.
• To remove all VLAN information, use the commands above and reload the switch.


VLANs (Virtual LANs)

CIS 83

Fall 2006

CCNA 3

Rick Graziani

Cabrillo College