NET2000
VLANs (Virtual LANs)
Linda Crane, Algonquin College
With material adapted from slides prepared by Pat Ouellette (Algonquin College), David Bray (Algonquin College) and the Cisco website
Virtual LANs
• VLANs allow the logical separation of network users and resources into distinct Layer 3 networks based on organizational needs, such as department, job function, or application access, independent of network connection point or physical location.
• Within a single VLAN, frames propagate the same way they do in any switched network where VLANs are not present.
Bridging vs Routing Network Traffic
• Bridging is the forwarding of frames at Layer 2, based on MAC address.
  • Switches do NOT bridge traffic between VLANs; doing so would violate the integrity of the broadcast domain.
• Routing is the forwarding of packets at Layer 3, based on network (IP) address.
  • Inter-VLAN traffic must be routed from one VLAN to another; this requires a router connected to both the source and destination VLANs.
• Switching is the forwarding of data at Layer 1: in from one interface and out another interface.
  • Routers and switches both perform switching on their packets and frames (respectively).
VLAN = Subnet = Layer 3 Network
• Each VLAN is a separate LAN or Layer 3 network.
• That is, VLANs create separate network segments, a feature previously only achievable using more expensive devices. (What devices?)
• Because of this, VLAN deployment facilitates improved:
  • scalability: broadcast filtering
  • security: traffic segregation
  • network management: traffic flow management
VLAN = Broadcast Domain
(Figure; the trunk links shown are covered later.)
• Which server(s) can be reached by hosts in the green (VLAN 3) network?
VLANs, Routers & Broadcast Domains
(Figure: 1) Without VLANs: 10.0.0.0/8. 2) With or without VLANs: 10.1.0.0/16, 10.2.0.0/16, 10.3.0.0/16. 3) With VLANs: 10.1.0.0/16, 10.2.0.0/16, 10.3.0.0/16, using one link per VLAN or a single trunk link (later).)
• 1) No VLANs; or in other words, one LAN. A single IP network.
• 2) With or without VLANs. However, this can be an example of no VLANs. In both examples, each group (switch) is on a different IP network.
• 3) Using VLANs. A single switch is configured with its ports on the appropriate VLAN.
• What are the broadcast domains in each case?
An Access Link …
• is a link on a switch port that is a member of only one VLAN.
  • This VLAN can be referred to as the native VLAN of the port, though this term is most meaningful for trunk links (coming).
  • Any device that is attached to the switch port is NOT aware that a VLAN exists (and should not need to be).
A Trunk Link …
• does not belong to a specific VLAN
• is a single link designed to carry traffic for multiple VLANs, thereby providing connectivity from switch to router, or between switches
• can be configured to transport all VLANs or to transport a limited number of VLANs
• on a Cisco switch can be any port of 100 Mbps or faster
• may, however, have a native VLAN.
  • The native VLAN of a trunk is the VLAN it uses if trunking fails for any reason (VLAN 1 by default, but it can be changed):
    …-if)#switchport trunk native vlan vlan-id
Trunk Encapsulation
• Because a trunk carries multi-VLAN traffic, trunked frames must be identified with their associated VLAN ID, or encapsulated.
• This tagging is removed before a trunked frame is forwarded out an access port.
• In Ethernet, two methods are used to identify the VLAN to which a frame belongs:
  • ISL (Inter-Switch Link) is Cisco proprietary and now deprecated; some switches, like the 2950T and 4000, don't support ISL.
  • IEEE 802.1Q (a.k.a. dot1q) is standards-based.
  • …more later
A Port's VLAN Membership
• Each switch port can be assigned to a different VLAN.
• Ports assigned to the same VLAN share broadcasts.
• Ports that do not belong to that VLAN do not share these broadcasts.
Static Membership
• Static membership VLANs are called port-based and port-centric membership VLANs.
• As a device enters the network, it automatically assumes the VLAN membership of the port to which it is attached.
• “The default VLAN for every port in the switch is the management VLAN. The management VLAN is always VLAN 1 and may not be deleted.”
  • This statement does not give the whole story. We will examine Management, Default and other VLANs later.
• All ports on the switch may be reassigned to alternate VLANs.
• More on VLAN 1 later.
Port-Based
(Figure: Switch 1 with four hosts: 172.30.1.21 255.255.255.0 on VLAN 1, 172.30.2.10 255.255.255.0 on VLAN 2, 172.30.1.23 255.255.255.0 on VLAN 1, and 172.30.2.12 255.255.255.0 on VLAN 2.)

Port   1  2  3  4  5  6
VLAN   1  2  1  2  2  1

Important notes on VLANs:
1. VLANs are assigned on the switch port. There is no “VLAN” assignment done on the host.
2. In order for a host to be configured correctly for a VLAN, it must be assigned an IP address that belongs to the proper subnet.
Remember: VLAN = Subnet
Two VLANs → Two Subnets
Dynamic Membership
• Dynamic membership VLANs are created through network management software. (Not as common as static VLANs.)
• CiscoWorks 2000 or CiscoWorks for Switched Internetworks is used to create dynamic VLANs.
• Dynamic VLANs allow for membership based on aspects such as the MAC address of the connected device.
• As a device enters the network, the server database is queried to retrieve the correct VLAN membership for the new node.
• Advantage: when you move a host from a port on one switch to another switch, the switch dynamically assigns the new port to the proper VLAN for the host.
VMPS = VLAN Management Policy Server
Approaches to Dynamic VLANs
(Figure: membership by Layer 3 address, or by Layer 3 protocol.)
Benefits of VLANs
• The key benefit of VLANs is that they permit the network administrator to organize the LAN logically instead of physically.
• Note: This can be done without VLANs, but VLANs limit the broadcast domain!!
• This means that an administrator is able to do all of the following:
  • Easily move workstations on the LAN.
  • Easily add workstations to the LAN.
  • Easily change the LAN configuration.
  • Easily control network traffic.
  • Improve security.
Common VLAN Terminologies
• Data VLAN
  • A data VLAN is a VLAN that is configured to carry only user-generated traffic.
  • A VLAN could carry voice traffic or management traffic, but this traffic would not be part of a data VLAN. It is common practice to separate voice and management traffic from data traffic.
  • A data VLAN is also referred to as a user VLAN.
• Default VLAN
  • All switch ports become a member of the default VLAN after the initial boot-up of the switch.
  • The default VLAN for Cisco switches is VLAN 1.
  • VLAN 1 cannot be renamed or deleted.
  • Layer 2 control traffic, such as CDP and spanning tree protocol traffic, will always be associated with VLAN 1; this cannot be changed.
  • It is a security best practice to change the default VLAN to a VLAN other than VLAN 1.
  • VLAN trunks support the transmission of traffic from more than one VLAN.
Common VLAN Terminologies
• Native VLAN
  • An 802.1Q trunk port supports traffic coming from VLANs (tagged traffic) as well as traffic that does not come from a VLAN (untagged traffic).
  • The 802.1Q trunk port places untagged traffic on the native VLAN.
  • Native VLANs are set out in the IEEE 802.1Q specification to maintain backward compatibility with untagged traffic common to legacy LAN scenarios.
  • It is a best practice to use a VLAN other than VLAN 1 as the native VLAN.
  • The purpose of the native VLAN is to allow frames not tagged with a VID to traverse the trunk link; they are tagged with the native VLAN id.
• Management VLAN
  • A management VLAN is any VLAN you configure to access the management capabilities of a switch.
  • You assign the management VLAN an IP address and subnet mask.
  • Because the out-of-the-box configuration of a Cisco switch has VLAN 1 as the default VLAN, VLAN 1 would be a bad choice as the management VLAN.
Common VLAN Terminologies: Voice VLANs
• VoIP traffic requires:
  • Assured bandwidth to ensure voice quality
  • Transmission priority over other types of network traffic
  • Ability to be routed around congested areas
  • Delay of less than 150 ms across the network
• The details of how to configure a network to support VoIP are beyond the scope of the course, but it is useful to summarize how a voice VLAN works between a switch, a Cisco IP phone, and a computer.
Common VLAN Terminologies: Voice VLANs
• In the figure, VLAN 150 is designed to carry voice traffic.
• The student computer PC5 is attached to the Cisco IP phone, and the phone is attached to switch S3.
• PC5 is in VLAN 20, which is used for student data.
• The F0/18 port on S3 is configured to be in voice mode; it will tell the phone to tag voice frames with VLAN 150. Data frames coming through the Cisco IP phone from PC5 are left untagged.
• Data destined for PC5 coming from port F0/18 is tagged with VLAN 20 on the way to the phone, which strips the VLAN tag before the data is forwarded to PC5.
More on Trunking … tagging
• ISL (Cisco proprietary): "external" tagging; the original frame is not altered whatsoever.
• Adds 30 bytes of overhead to every frame:
  • a 26-byte header containing a 10-bit VLAN ID
  • an additional 4-byte FCS is appended
• Can result in a "giant" frame (up to 1548 bytes).
IEEE 802.1Q
• Adding significantly less overhead than ISL, 802.1Q inserts only an additional 4 bytes into the Ethernet frame.
• "Internal" tagging overwrites the original frame's FCS.
802.1Q Frame
(Figure: 4 bytes inserted into the frame after the source address.)
• Ether-Type (0x8100) identifies this as a Tagged Protocol frame (a.k.a. TPID).
• Tag Control Info (TCI):
  • 3-bit frame priority
  • 1-bit CFI (used for Token Ring)
  • 12-bit VLAN ID
• New FCS overwrites the original.
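The 4-byte tag just described, worked through in an added Python example that is not part of the original slides: it inserts and strips an 802.1Q tag on a constructed frame and recomputes the FCS, which is why the tagging is "internal" and why the original FCS is overwritten. The CRC-32 helper, the sample MAC addresses and the zero payload are constructed for the example.

```python
import struct
import zlib

TPID = 0x8100  # Ether-Type that marks a frame as 802.1Q tagged (a.k.a. TPID)

def fcs(data: bytes) -> bytes:
    """Ethernet FCS: CRC-32 over everything before it, sent little-endian."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)

def fcs_ok(frame: bytes) -> bool:
    """True if the trailing 4 bytes match the CRC of the rest of the frame."""
    return fcs(frame[:-4]) == frame[-4:]

def make_tci(vid: int, pcp: int = 0, cfi: int = 0) -> int:
    """Tag Control Info: 3-bit priority | 1-bit CFI | 12-bit VLAN ID."""
    if not (0 <= vid <= 4095 and 0 <= pcp <= 7 and cfi in (0, 1)):
        raise ValueError("TCI field out of range")
    return (pcp << 13) | (cfi << 12) | vid

def parse_tci(tci: int) -> tuple:
    """Split a 16-bit TCI back into (priority, cfi, vid)."""
    return ((tci >> 13) & 0x7, (tci >> 12) & 0x1, tci & 0x0FFF)

def make_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    body = dst + src + struct.pack("!H", ethertype) + payload
    return body + fcs(body)

def vlan_of(frame: bytes):
    """(priority, cfi, vid) for a tagged frame; None for an untagged one."""
    if len(frame) < 16 or struct.unpack("!H", frame[12:14])[0] != TPID:
        return None
    return parse_tci(struct.unpack("!H", frame[14:16])[0])

def tag_frame(frame: bytes, vid: int, pcp: int = 0) -> bytes:
    """Trunk egress: insert TPID + TCI after the 12 address bytes. The old
    FCS no longer covers the frame, so a new one overwrites it."""
    body = frame[:-4]
    tagged = body[:12] + struct.pack("!HH", TPID, make_tci(vid, pcp)) + body[12:]
    return tagged + fcs(tagged)

def untag_frame(frame: bytes) -> bytes:
    """Access-port egress: remove the 4-byte tag and recompute the FCS."""
    if vlan_of(frame) is None:
        return frame
    body = frame[:12] + frame[16:-4]
    return body + fcs(body)

# Constructed sample: a broadcast IPv4 frame with a minimal 46-byte payload.
BCAST = b"\xff" * 6
SRC = bytes.fromhex("001122334455")
UNTAGGED = make_frame(BCAST, SRC, 0x0800, bytes(46))

if __name__ == "__main__":
    t = tag_frame(UNTAGGED, vid=20, pcp=5)
    print(len(UNTAGGED), len(t), vlan_of(t), fcs_ok(t), untag_frame(t) == UNTAGGED)
```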
Trunking Example
1. A frame is received on switch Y.
2. The frame is encapsulated by Y (via ISL), sent over the trunk link to switch W, and propagates through X to Z.
3. The VLAN tagging is removed before being transmitted out the access link at switch Z.
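How a switch decides the VLAN of an arriving frame and whether it leaves a port tagged, untagged or not at all, as an added Python model that is not the slides' own material: it covers the three steps above, the earlier point that broadcasts stay within one VLAN, and the native-VLAN rule for untagged frames on a trunk. It uses 802.1Q rather than ISL, assumes as a simplification that access ports accept only untagged frames, and the topology and frames are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

@dataclass(frozen=True)
class Port:
    name: str
    mode: str                                 # "access" or "trunk"
    vlan: int                                 # access VLAN, or a trunk's native VLAN
    allowed: FrozenSet[int] = frozenset()     # VLANs a trunk is allowed to carry

@dataclass(frozen=True)
class Frame:
    src: str
    dst: str
    vid: Optional[int]                        # None = untagged on the wire
    payload: str

def classify(port: Port, frame: Frame) -> Optional[int]:
    """Ingress: the VLAN the frame belongs to, or None if it is dropped.
    Simplifying assumption: access ports accept only untagged frames."""
    if port.mode == "access":
        return port.vlan if frame.vid is None else None
    vid = port.vlan if frame.vid is None else frame.vid   # untagged -> native VLAN
    return vid if vid in port.allowed else None

def egress(port: Port, vid: int, frame: Frame) -> Optional[Frame]:
    """Egress: an access port sends only its own VLAN, untagged; a trunk tags
    every VLAN except its native VLAN, which leaves untagged."""
    if port.mode == "access":
        if vid != port.vlan:
            return None
        return Frame(frame.src, frame.dst, None, frame.payload)
    if vid not in port.allowed:
        return None
    out_vid = None if vid == port.vlan else vid
    return Frame(frame.src, frame.dst, out_vid, frame.payload)

def flood(ports: List[Port], in_port: str, frame: Frame) -> Dict[str, Frame]:
    """Broadcast / unknown-unicast flooding, confined to the frame's VLAN.
    Returns {port name: the frame as it appears on that port's wire}."""
    by_name = {p.name: p for p in ports}
    vid = classify(by_name[in_port], frame)
    if vid is None:
        return {}
    out: Dict[str, Frame] = {}
    for p in ports:
        if p.name == in_port:
            continue
        f = egress(p, vid, frame)
        if f is not None:
            out[p.name] = f
    return out

# Constructed topology: two access ports in VLAN 10, one in VLAN 20, and an
# 802.1Q trunk whose native VLAN is 99 rather than the default VLAN 1.
SWITCH = [
    Port("fa0/1", "access", 10),
    Port("fa0/2", "access", 10),
    Port("fa0/3", "access", 20),
    Port("fa0/24", "trunk", 99, frozenset({10, 20, 99})),
]
# Constructed ARP broadcast from the host on fa0/1 (untagged, as hosts send it).
ARP_FROM_PC = Frame("00:11:22:33:44:55", "ff:ff:ff:ff:ff:ff", None, "who-has 10.1.10.1")
```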
Without Trunking …
• two switch ports would be needed to transport each configured VLAN between two switches, AND
• every switch with a particular VLAN configured would have to be directly connected together, or two more ports would be wasted on each intermediary switch.
Configuring Trunking
Note: On many switches, the switchport trunk encapsulation command must be done BEFORE the switchport mode trunk command.
• switchport trunk encapsulation can only be set on switches that support multiple encapsulation types.
Trunk Modes
• Switch ports may attempt to negotiate trunking status by sending Dynamic Trunking Protocol (DTP) frames to their neighbour.
• Fast and Gigabit Ethernet trunking modes:
  • On: periodic DTP frames
  • Off: a DTP frame only at the point it transitions to this mode
  • (Dynamic) Desirable: periodic DTP frames
  • (Dynamic) Auto: periodic DTP frames
  • Nonegotiate: no DTP frames sent
Trunk Mode "On" (Static)
• This mode puts the port into permanent trunking mode, even if the neighbouring port does not agree.
• The port attempts to negotiate trunking by sending DTP frames to its neighbour.
• The On state does not allow for the negotiation of an encapsulation type.
  • You must, therefore, explicitly configure the encapsulation if the device supports multiple trunk encapsulations.
Trunk Mode "Off" (Static)
• This permanent non-trunking mode occurs when the port is configured as an access port (…-if)#switchport mode access).
• At the moment when the port transitions into this mode, it sends a DTP frame to its neighbour in an attempt to negotiate non-trunking.
• The port becomes a non-trunk (access) port even if the neighbouring port does not agree.
Trunk Mode (Dynamic) "Auto"
• The port periodically sends DTP frames and listens to such frames from the neighbouring switch; if the neighbour is in trunking mode (On), or would like to be (Desirable), a trunk is formed.
  • Note: This is the default setting for some switches. If this mode occurs on both sides of a link, a trunk will NOT be formed since neither will actively attempt to trunk.
  • Think about being “invited” to trunk: if this port is invited (by On or Desirable), it will accept the invitation and trunk. But it will not “invite” …
Trunk Mode (Dynamic) "Desirable"
• The port attempts to negotiate trunking by sending DTP frames to its neighbour.
• Trunking succeeds if the neighbouring port is set to On, Desirable or Auto mode.
• This is the most common default mode for Ethernet ports 100 Mbps and faster.
  • Note: If this default setting is left on both sides of a link, a trunk will be formed since both will actively attempt to trunk.
"Nonegotiate" Mode
• This mode stops the port from generating Dynamic Trunking Protocol (DTP) frames.
  • Port in trunk mode: You must configure the neighbour manually as a trunk port in order to establish a trunk link.
  • Port in access mode: A trunk link will not be established.
Trunk Status (based on Ports' Modes)
Each pair of modes is listed once; read across from the row mode to the column mode.

                    Auto   On (Trunk)   Dyn. Desirable   Noneg (Access)   Noneg (Trunk)   Off (Access)
Auto                A      T            T                A                ?               A
On (Trunk)                 T*           T                ?                T*              ?
Dynamic Desirable                       T                A                ?               A
Noneg (Access)                                           A                ?               A
Noneg (Trunk)                                                             T*              ?
Off (Access)                                                                              A

A – Access mode (Not Trunking)
T – Trunking
T* – Trunking even if VTP domains differ
? – Inconsistent Results
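The negotiation rules behind this table, as an added Python example that is not part of the original slides: trunk_outcome reproduces the A / T / T* / ? results from the two ports' modes, and ports_at_risk_of_trunking applies it as the audit behind the later advice to set ports to access mode explicitly. The same_vtp_domain flag is an assumption drawn from the T* legend: a trunk that depends on DTP is treated as not forming when the two VTP domain names differ.

```python
from typing import Dict, List

MODES = ("auto", "on", "desirable", "nonegotiate-access", "nonegotiate-trunk", "off")
STATIC_TRUNK = {"on", "nonegotiate-trunk"}      # trunks whatever the peer does
STATIC_ACCESS = {"off", "nonegotiate-access"}   # access whatever the peer does
SENDS_DTP = {"auto", "on", "desirable"}         # the only modes a dynamic peer can hear

def local_state(mine: str, peer: str, same_vtp_domain: bool = True) -> str:
    """Operational state ("trunk" or "access") of a port in mode `mine`
    whose neighbour is in mode `peer`."""
    if mine not in MODES or peer not in MODES:
        raise ValueError("unknown trunk mode")
    if mine in STATIC_TRUNK:
        return "trunk"
    if mine in STATIC_ACCESS:
        return "access"
    # Dynamic modes trunk only on the strength of DTP frames they receive.
    # Assumption: DTP negotiation does not succeed across VTP domains.
    if not same_vtp_domain or peer not in SENDS_DTP:
        return "access"
    if mine == "auto":                       # accepts an invitation, never invites
        return "trunk" if peer in ("on", "desirable") else "access"
    return "trunk" if peer in ("on", "desirable", "auto") else "access"   # desirable

def trunk_outcome(a: str, b: str, same_vtp_domain: bool = True) -> str:
    """A = both ends access, T = negotiated trunk, T* = static trunk on both
    ends, ? = one end trunks while the other does not (inconsistent)."""
    sa = local_state(a, b, same_vtp_domain)
    sb = local_state(b, a, same_vtp_domain)
    if sa != sb:
        return "?"
    if sa == "access":
        return "A"
    return "T*" if a in STATIC_TRUNK and b in STATIC_TRUNK else "T"

def ports_at_risk_of_trunking(port_modes: Dict[str, str]) -> List[str]:
    """Ports that would form a trunk if whatever is plugged in runs in
    dynamic desirable mode (the default on 2950/3550-class switches)."""
    return [name for name, mode in port_modes.items()
            if trunk_outcome(mode, "desirable") != "A"]

def outcome_table() -> Dict[str, Dict[str, str]]:
    """The full matrix, for comparison with the slide's upper triangle."""
    return {a: {b: trunk_outcome(a, b) for b in MODES} for a in MODES}
```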
Summary of Trunking Commands
IOS-Based Switch
Switch(config)# interface fastethernet 0/1
Switch(config-if)# switchport mode {access | trunk}
Switch(config-if)# switchport trunk encapsulation {isl | dot1q}
Switch(config-if)# switchport trunk allowed vlan {remove vlan-list | add vlan-list | all | except vlan-list}
  • remove vlan-list: explicitly disallow these VLANs
  • add vlan-list: explicitly allow these VLANs
  • all: implicitly allow ALL VLANs
  • except vlan-list: implicitly allow ALL, except those listed
Configuring Trunk Mode (2950T)
Auto … config-if)#switchport mode dynamic auto
On … config-if)#switchport mode trunk
Desirable … config-if)#switchport mode dynamic desirable
Nonegotiate … config-if)#switchport nonegotiate
Off … config-if)#switchport mode access
To verify:
  #show int int-type int-number switchport (the mode is listed as "Administrative Mode")
  #show interfaces trunk
Verifying Trunk Mode
Switch#show int fa0/1 switchport
Name: Fa0/1
Switchport: Enabled
Administrative Mode: dynamic desirable
Operational Mode: static access
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: native
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
VLAN Configuration
With material adapted from slides prepared by Cisco, David Bray and Pat Ouellette, Algonquin College
Creating VLANs
• Explicitly create a VLAN (the optional name is set from VLAN configuration mode):
Switch#config t
Switch(config)#vlan vlan_number
Switch(config-vlan)#[name vlan_name]
Switch(config-vlan)#exit
• The maximum number of supported VLANs (typically 4095) can vary depending upon the switch model.
• NOTE: VLAN information is not processed until the exit is performed!!
• This information about VLANs is stored in vlan.dat.
• The VLAN can be assigned to an access port at interface mode:
Switch(config-if)#switchport access vlan vlan_number
Assigning Ports to VLANs
(Figure: port fa0/9 moved from the default VLAN 1 into VLAN 10.)
• Assign port fa0/9 to VLAN 10:
Switch(config)#interface fa0/9
Switch(config-if)#switchport access vlan 10
• If VLAN 10 did not exist, this automatically creates it (if allowed; more when we discuss VTP).
• This action is only meaningful for an access port, since trunk ports carry traffic for multiple VLANs.
Example: Creating/Assigning a VLAN
(Figure: VLAN 300 created alongside the default VLAN 1.)
Configuring Multiple Ports
(Figure: ports fastethernet 0/5, 0/6 and 0/7 placed in VLAN 2.)
SydneySwitch(config)#interface fastethernet 0/5
SydneySwitch(config-if)#switchport access vlan 2
SydneySwitch(config-if)#exit
SydneySwitch(config)#interface fastethernet 0/6
SydneySwitch(config-if)#switchport access vlan 2
SydneySwitch(config-if)#exit
SydneySwitch(config)#interface fastethernet 0/7
SydneySwitch(config-if)#switchport access vlan 2
Affecting a Range of Ports
(Figure: ports fa0/8 through fa0/12 placed in VLAN 3.)
Switch(config)#interface range fa0/8 - fa0/12
Switch(config-if-range)#switchport access vlan 3
Switch(config-if-range)#exit
Note the spaces surrounding the "dash". A comma can also be used to specify non-consecutive interfaces.
This command does work on the 2950, but support varies by switch model.
Limiting Ports to Access Mode
Switch(config)#int fa0/10
Switch(config-if)#switchport mode access
• Depending upon the switch model, ports default to one of two modes:
  • Catalyst 2900: Trunk Mode Dynamic Auto
  • Catalyst 2950 or 3550: Trunk Mode Dynamic Desirable (more when we discuss DTP)
• Explicitly set ports to access mode to prevent accidental trunking and to increase security.
• Also shut down ports not in use, for security.
Verifying VLANs – show vlan [brief]
(Figure: show vlan brief output listing vlan 1 default, vlan 2 and vlan 3.)
vlan database commands
• Optional command to add, delete, or modify VLANs.
• VLAN names, numbers, and VTP (VLAN Trunking Protocol) information can be entered, which “may” affect other switches besides this one. (Discussed later.)
• This does not assign any VLANs to an interface.
Switch#vlan database
Switch(vlan)#?
VLAN database editing buffer manipulation commands:
  abort  Exit mode without applying the changes
  apply  Apply current changes and bump revision number
  exit   Apply changes, bump revision number, and exit mode
  no     Negate a command or set its defaults
  reset  Abandon current changes and reread current database
  show   Show database information
  vlan   Add, delete, or modify values associated with a single VLAN
  vtp    Perform VTP administrative functions.
Deleting VLANs
Switch(config-if)#no switchport access vlan vlan_number
Switch(config-if)#end
Switch#vlan database
Switch(vlan)#no vlan vlan_number
Saving VLAN Configuration
• Back up your switch's running-config as a .txt file.
• Run show vlan brief, then capture the text as a record of your settings (you can't really save vlan.dat).
Trunk Switch Configuration
Switch(config)#interface FastEthernet0/24
Switch(config-if)#switchport trunk encapsulation dot1q   (ONLY if multiple trunk encapsulations are supported; on such switches it must precede switchport mode trunk)
Switch(config-if)#switchport mode trunk
Quick Preview of Inter-VLAN Routing
• also known as Router on a Stick
• uses subinterfaces: makes one interface virtually act like many
RTA(config)#interface fa0/0
RTA(config-if)#no ip address
RTA(config-if)#interface fa0/0.1
RTA(config-subif)#encapsulation dot1q 1
RTA(config-subif)#ip address 10.1.1.1 255.255.255.0
RTA(config-subif)#int fa0/0.2
RTA(config-subif)#encapsulation dot1q 20
RTA(config-subif)#ip address 10.1.2.1 255.255.255.0
RTA(config-subif)#int fa0/0.3
RTA(config-subif)#encapsulation dot1q 30
RTA(config-subif)#ip address 10.1.3.1 255.255.255.0