Exp3 - Chapter 3 - VLANs

NET2000
VLANs (Virtual LANs)
With material adapted from slides prepared by

Pat Ouellette Algonquin College, David Bray Algonquin College,
Cisco website
Linda Crane Algonquin College

NET2000
Virtual LANs
Switch or
Within a single VLAN,

frames propagate the
same way they do in
any switched network
where VLANs are not
present.
VLANs allow the logical separation of network users and

resources into distinct Layer 3 networks based on
organizational needs, such as department, job function, or
applications access, independent of network connection point
or physical location.

NET2000
Bridging vs Routing Network

Traffic
Bridging is the forwarding of frames at Layer 2, based on
MAC address.
• Switches do NOT bridge traffic between VLANs – doing so
would violate the integrity of the broadcast domain.
Routing is the forwarding of packets at Layer 3, based
on network (IP) address.
• Inter-VLAN traffic must be routed from one VLAN to another –
this requires a router connected to both the source and
destination VLANs.
Switching is the forwarding of data at Layer 1 in from one
interface out another interface
• Routers and Switches both perform switching on their packets
and frames (respectively)

NET2000
VLAN = Subnet = Layer 3 Network
Each VLAN is a separate LAN or Layer 3 network.

That is, VLANs create separate network segments – a feature
previously only achievable using more expensive devices: (What
devices?)
Because of this, VLAN deployment facilitates improved:
• scalability – broadcast filtering
• security – traffic segregation
• network management – traffic flow management

NET2000
VLAN = Broadcast Domain
Trunk
Links
(later)
Which server(s) can be reached by hosts in the green (VLAN 3)

network? 5

NET2000
VLANs, Routers & Broadcast Domains

2) With or 10.1.0.0/16
10.0.0.0/8
1) Without without
VLANs VLANs
10.2.0.0/16
10.3.0.0/16
One link per VLAN or a single Trunk

1) No VLANs; or in other words, one LAN. Single IP network. link (later) 10.1.0.0/16
2) With or without VLANs. However, this can be an example
of no VLANS. In both examples, each group (switch) is on a 3) With
different IP network.
VLANs
3) Using VLANs. Single switch is configured with its ports on
the appropriate VLAN. 10.2.0.0/16
What are the broadcast domains in each case?
10.3.0.0/16

NET2000
An Access Link …
is a link on a switch port that is a member of only one
VLAN
• This VLAN can be referred to as the native VLAN of the port,
though this term is most meaningful for trunk links (coming).
• Any device that is attached to the switch port is NOT aware that
a VLAN exists (& should not need to be).

NET2000
A Trunk Link …
does not belong to a specific VLAN
is a single link designed to carry traffic for multiple VLANs, thereby
providing connectivity from switch to router, or between switches
can be configured to transport all VLANs or to transport a limited
number of VLANs
on a Cisco switch can be any port 100+ Mbps
A trunk link may, however, have a native VLAN.
• The native VLAN of a trunk is the VLAN it uses if trunking fails for
any reason (VLAN 1 by default but can be changed).
…-if)#switchport trunk native vlan vlan-id

NET2000
Trunk Encapsulation
Because a trunk carries multi-VLAN traffic, trunked frames
must be identified with their associated VLAN ID, or
encapsulated.
This tagging is removed before a trunked frame is forwarded
out an access port.
In Ethernet, two methods are used to identify the VLAN to
which a frame belongs:
• ISL (Inter-Switch Link) is Cisco proprietary – now depricated
some switches, like 2950T & 4000, don't support ISL
• IEEE 802.1Q (a.k.a. dot1q) is standards-based
• …more later

NET2000
A Port's VLAN Membership
Each switch port can be assigned to a different VLAN.

Ports assigned to the same VLAN share broadcasts.
Ports that do not belong to that VLAN do not share these broadcasts.
10

NET2000
Static Membership
Static membership VLANs are called port-based and port-centric

membership VLANs.
As a device enters the network, it automatically assumes the VLAN
membership of the port to which it is attached.
“The default VLAN for every port in the switch is the management VLAN.
The management VLAN is always VLAN 1 and may not be deleted.”
• This statement does not give the whole story. We will examine Management,
Default and other VLANs later.
All ports on the switch may be reassigned to alternate VLANs.
More on VLAN 1 later. 11

NET2000
Switch 1
Port- 172.30.1.21
255.255.255.0
172.30.2.12
255.255.255.0
VLAN 1
Based VLAN 2
172.30.2.10 172.30.1.23
255.255.255.0 255.255.255.0
VLAN 2 VLAN 1
Two VLANs
1 2 3 4 5 6 . Port
Two Subnets
1 2 1 2 2 1 . VLAN
Important notes on VLANs:

1. VLANs are assigned on the switch port. There is no “VLAN” assignment
done on the host
2. In order for a host to be configured correctly for a VLAN, it must be
assigned an IP address that belongs to the proper subnet.
Remember: VLAN = Subnet 12

NET2000
Dynamic Membership
VMPS = VLAN
Management
Policy Server
Dynamic membership VLANs are created through network management software.

(Not as common as static VLANs)
CiscoWorks 2000 or CiscoWorks for Switched Internetworks is used to create
Dynamic VLANs.
Dynamic VLANs allow for membership based on aspects such as the MAC address
of the connected device.
As a device enters the network, the server database is queried to retrieve the correct
VLAN membership for the new node.
Advantage -when you move a host from a port on one switch to another switch
– the switch would dynamically assign the new port to the proper VLAN for 13
host
NET2000
Approaches to Dynamic VLANs
By Layer 3 address
(or Layer 3 protocol)
14

NET2000
Benefits of VLANs
The key benefit of VLANs is that they permit the network administrator
to organize the LAN logically instead of physically.
Note: Can be done without VLANs, but VLANs limit the broadcast
domain!!
This means that an administrator is able to do all of the following:

• Easily move workstations on the LAN.
• Easily add workstations to the LAN.
• Easily change the LAN configuration.
• Easily control network traffic.
• Improve security.
15

NET2000
Common VLAN Terminologies

Data VLAN
• A data VLAN is a VLAN that is configured to carry only user-generated
traffic.
• A VLAN could carry voice traffic or manage traffic, but this traffic would not
be part of a data VLAN.
It is common practice to separate voice and management traffic from data traffic.
• A data VLAN is referred to as a user VLAN.
Default VLAN
• All switch ports become a member of the default VLAN after the initial boot
up of the switch.
• The default VLAN for Cisco switches is VLAN 1.
• VLAN 1 cannot be renamed and deleted.
• Layer 2 control traffic, such as CDP and spanning tree protocol traffic, will
always be associated with VLAN 1 - this cannot be changed.
• It is a security best practice to change the default VLAN to a VLAN other
than VLAN 1.
• VLAN trunks support the transmission of traffic from more than one VLAN.
16

NET2000
Common VLAN Terminologies

Native VLAN
• An 802.1Q trunk port supports traffic coming from VLANs (tagged traffic) as
well as traffic that does not come from a VLAN (untagged traffic).
• The 802.1Q trunk port places untagged traffic on the native VLAN.
• Native VLANs are set out in the IEEE 802.1Q specification to maintain
backward compatibility with untagged traffic common to legacy LAN
scenarios.
• It is a best practice to use a VLAN other than VLAN 1 as the native VLAN .
• The purpose of the native VLAN is to allow frames not tagged with a
VID to traverse the trunk link…they are tagged with the native VLAN id.
Management VLAN
•A management VLAN is any VLAN you configure to access the management
capabilities of a switch.
•You assign the management VLAN an IP address and subnet mask.
•The out-of-the-box configuration of a Cisco switch has VLAN 1 as the default
VLAN, the VLAN 1 would be a bad choice as the management VLAN; 17

NET2000
Common VLAN Terminologies:

Voice VLANs
VoIP traffic requires:
• Assured bandwidth to ensure voice quality
• Transmission priority over other types of network traffic
• Ability to be routed around congested areas
• Delay of less than 150 ms across the network
The details of how to configure a network to support VoIP are beyond
the scope of the course, but it is useful to summarize how a voice
VLAN works between a switch, a Cisco IP phone, and a computer.
18

NET2000
Common VLAN Terminologies: Voice VLANs
• In figure, VLAN 150 is designed to

carry voice traffic.
• The student computer PC5 is
attached to the Cisco IP phone, and
the phone is attached to switch S3.
• PC5 is in VLAN 20, which is used for
student data.
• The F0/18 port on S3 is configured to
be in voice mode
it will tell the phone to tag voice
frames with VLAN 150. Data
frames coming through the Cisco
IP phone from PC5 are left
untagged.
• Data destined for PC5 coming from
port F0/18 is tagged with VLAN 20 on
the way to the phone, which strips
the VLAN tag before the data is
forwarded to PC5. 19

•
NET2000
More on Trunking … tagging

ISL (Cisco Proprietary) - "External" tagging – original
frame is not altered whatsoever
Adds 30 bytes of overhead to every frame
• a 26-byte header containing a 10-bit VLAN ID
• an additional 4-byte FCS is appended
can result in a "giant" frame (up to 1548 bytes)
20

NET2000
IEEE 802.1Q
adding significantly less overhead than ISL, 802.1Q only
inserts an additional 4 bytes into the Ethernet frame
"Internal" tagging overwrites the original frame's FCS
21

NET2000
802.1Q Frame
4 Bytes
Inserted
Ether-Type (0x8100) New FCS

identifies this as a overwrites
Tagged Protocol frame original
Tag Control Info (TCI)
(a.k.a. TPID) - 3-bit frame priority
- 1-bit CFI (used for Token Ring)
- 12-bit VLAN ID
22

NET2000
Trunking Example
x
1. A frame is
received
on switch Y.
2. The frame is
encapsulated
by Y (via ISL),
sent over the
trunk link to
switch W, and propagates through X to Z.
3. The VLAN tagging is removed before being
transmitted out the access link at switch Z.
23

NET2000
Without Trunking …
two switch ports would be needed to transport each configured
VLAN between two switches, AND
every switch with a particular VLAN configured would have to be
directly connected together, or two more ports would be wasted
on each intermediary switch
24

NET2000
Configuring Trunking
Note: On many
switches, the
switchport trunk
encapsulation
command must be
done BEFORE the
switchport mode
trunk command.
switchport encapsulation can only be set on switches that support

multiple encapsulation types
25

NET2000
Trunk Modes
switch ports may attempt to negotiate trunking status by
sending Dynamic Trunking Protocol (DTP) frames to its
neighbour
Fast and Gigabit Ethernet trunking modes:
• On – periodic DTP frames
• Off – DTP frame only at the point it transitions to this mode
• (Dynamic) Desirable – periodic DTP frames
• (Dynamic) Auto – periodic DTP frames
• Nonegotiate – no DTP frames sent
26

NET2000
Trunk Mode "On" (Static)

This mode puts the port into permanent trunking
mode, even if the neighbouring port does not agree.
The port attempts to negotiate trunking by sending
DTP frames to its neighbour.
The On state does not allow for the negotiation of an
encapsulation type.
• You must, therefore, explicitly configure the encapsulation
if the device supports multiple trunk encapsulations.
27

NET2000
Trunk Mode "Off" (Static)

This permanent non-trunking mode occurs when the
port is configured as an access port (…-
if)#switchport mode access).
At the moment when the port transitions into this
mode, it sends a DTP frame to its neighbour in an
attempt to negotiate non-trunking.
The port becomes a non-trunk (access) port even if
the neighbouring port does not agree.
28

NET2000
Trunk Mode (Dynamic)

"Auto"
The port periodically sends DTP frames and listens
to such frames from the neighbouring switch; if
neighbour is in trunking mode (On), or would like to
be (Desirable), a trunk is formed.
• Note: This is the default setting for some switches. If this
mode occurs on both sides of a link, a trunk will NOT be
formed since neither will actively attempt to trunk.
• Think about being “invited” to trunk…if this port is invited

(by On or Desirable) , it will accept the invitation and trunk.
But it will not “invite” …
29

NET2000
Trunk Mode (Dynamic)

"Desirable"
The port attempts to negotiate trunking by sending
DTP frames to its neighbour.
Trunking succeeds if the neighbouring port is set to
On, Desirable or Auto mode.
This is the most common default mode for Ethernet
ports 100 Mbps and faster.
• Note: If this default setting is left on both sides of a link, a
trunk will be formed since both will actively attempt to trunk.
30

NET2000
"Nonegotiate" Mode
This mode stops the port from generating Dynamic

Trunking Protocol (DTP) frames.
• Port in trunk mode: You must configure the neighbour
manually as a trunk port in order to establish a trunk link.
• Port in access mode: Trunk link will not be established.
31

NET2000
Trunk Status (based on Ports' Modes)

(Trunk) Dynamic No-Negotiate (Access)
Trunk Mode Auto On Desirable Off
Access Trunk
<Auto> A T T A ? A
<On> (Trunk) T* T ? T* ?
<Dynamic Desirable> T A ? A
Noneg - Access A ? A
Noneg - Trunk T* ?
Off} (Access) A
A – Access mode (Not Trunking)

T – Trunking
T* – Trunking even if VTP domains differ
? – Inconsistent Results Page 32

NET2000
Summary of Trunking
Commands
IOS-Based Switch
Switch(config)# interface fastethernet 0/1
Switch(config-if)# switchport mode {access | trunk}
Switch(config-if)# switchport trunk encapsulation {isl |
dot1q}
Switch(config-if)# switchport trunk allowed vlan
{ remove vlan-list explicitly disallow these VLANs
| add vlan-list explicitly allow these VLANs
| all implicitly allow ALL VLANs
| except vlan-list }implicitly allow ALL, except those listed
33

NET2000
Configuring Trunk Mode

(2950T)
Auto … config-if)#switchport mode dynamic auto
On … config-if)#switchport mode trunk
Desirable … config-if)#switchport mode dynamic desirable
Nonegotiate … config-if)#switchport noneg
Off … config-if)#switchport mode access
To verify: #show int int-type int-number switchport

• - listed as "Administrative Mode"
#show interfaces trunk
34

NET2000
Verifying Trunk Mode

Switch#show int fa0/1 switchport
Name: Fa0/1
Switchport: Enabled
Administrative Mode: dynamic desirable
Operational Mode: static access
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: native
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
35

NET2000
VLAN Configuration
With material adapted from slides prepared by

Cisco, David Bray and Pat Ouellette, Algonquin College

NET2000
Creating VLANs
Explicitly create a VLAN:

Switch#config t
Switch(config)#vlan vlan_number [name vlan_name]
Switch(config)#exit
The maximum number of supported VLANs (typically, 4095) can vary
depending upon the switch model.
NOTE….vlan information is not processed until the exit is performed!!
This information about VLANs is stored in vlan.dat
The VLAN can be assigned to an access port at interface mode:
Switch(config-if)#switchport access vlan vlan_number
37

NET2000
Assigning Ports to VLANs
Default vlan Default

vlan 1 10 vlan 1
Assign port fa0/9 to VLAN 10

Switch(config)#interface fa0/9
Switch(config-if)#switchport access vlan 10
If vlan 10 did not exist, this automatically creates it (if allowed – more
when we discuss VTP).
This action is only meaningful for an access port since trunk ports carry
traffic for multiple VLANs.
38

NET2000
Example: Creating/Assigning
a VLAN
Default vlan Default

vlan 1 300 vlan 1
39

NET2000
Configuring Multiple Ports
vlan 2
SydneySwitch(config)#interface fastethernet 0/5

SydneySwitch(config-if)#switchport access vlan 2
SydneySwitch(config-if)#exit
SydneySwitch(config-if)#exit
40

NET2000
Affecting a Range of Ports
vlan 3
Switch(config)#interface range fa0/8 - fa0/12

Switch(config-if)#switchport access vlan 3
Switch(config-if)#exit
Note the spaces surrounding the "dash". Comma can also be used to
specify non-consecutive interfaces.
This command does work on the 2950, but support varies by switch
model.
41

NET2000
Limiting Ports to Access

Mode
access
ONLY
Switch(config)#int fa0/10
Switch(config-if)#switchport mode access
Depending upon the switch model, ports default to one of two modes:
• Catalyst 2900 – Trunk Mode: Dynamic, Auto
• Catalyst 2950 or 3550 – Trunk Mode: Dynamic, Desirable
(more when we discuss DTP)
Explicitly set ports to access mode to prevent accidental trunking and to
increase security.
Also shutdown ports not in use for security.
42

NET2000
Verifying VLANs – show vlan [brief]
vlan 1 vlan 2 vlan 3

default
43

NET2000
vlan database commands

Optional Command to add, delete, or modify VLANs.
VLAN names, numbers, and VTP (VLAN Trunking Protocol) information can be
entered which “may” affect other switches besides this one. (Discussed later).
This does not assign any VLANs to an interface.
Switch#config t
Switch(config )#vlan ?
VLAN database editing buffer manipulation commands:
abort Exit mode without applying the changes
apply Apply current changes and bump revision number
exit Apply changes, bump revision number, and exit mode
no Negate a command or set its defaults
reset Abandon current changes and reread current database
show Show database information
vlan Add, delete, or modify values associated with a single
VLAN
vtp Perform VTP administrative functions.
44

NET2000
Deleting VLANs
Switch(config-if)#no switchport access vlan vlan_number

Switch(config-if)#end
Switch#vlan database
Switch(vlan)#no vlan vlan_number
45

NET2000
Saving VLAN Configuration
• Back up your switch's running-config as .txt

file
• show vlan brief then capture the text as a record
of your settings (you can't really save vlan.dat)
46

NET2000
Trunk Switch Configuration

Switch(config)#interface FastEthernet0/24
Switch(config-if)#switchport mode trunk
Switch(config-if)#switchport trunk encap dot1q
(ONLY if multiple trunk encapsulations are supported)
47

NET2000
Quick Preview of Inter-VLAN

Routing
- also known as Router on a Stick
- uses subinterfaces – makes one interface virtually act like
many
RTA(config)#interface fa0/0
RTA(config-if)#no ip address
RTA(config-if)#interface fa0/0.1
RTA(config-subif)#encapsulation dot1q 1
RTA(config-subif)#ip address 10.1.1.1 255.255.255.0
RTA(config-subif)#int fa0/0.2
RTA(config-subif)#int fa0/0.3
48

Exp3 - Chapter 3 - VLANs

Diunggah oleh

Informasi Dokumen

Deskripsi Asli:

Hak Cipta

Format Tersedia

Bagikan dokumen Ini

Bagikan atau Tanam Dokumen

Opsi Berbagi

Apakah menurut Anda dokumen ini bermanfaat?

Apakah konten ini tidak pantas?

Hak Cipta:

Format Tersedia

Exp3 - Chapter 3 - VLANs

Diunggah oleh

Hak Cipta:

Format Tersedia

NET2000

VLANs (Virtual LANs)

With material adapted from slides prepared by

Linda Crane Algonquin College

Within a single VLAN,

VLANs allow the logical separation of network users and

Linda Crane Algonquin College

Bridging vs Routing Network

Linda Crane Algonquin College

VLAN = Subnet = Layer 3 Network

Each VLAN is a separate LAN or Layer 3 network.

Linda Crane Algonquin College

VLAN = Broadcast Domain

Which server(s) can be reached by hosts in the green (VLAN 3)

Linda Crane Algonquin College

VLANs, Routers & Broadcast Domains

One link per VLAN or a single Trunk

Linda Crane Algonquin College

Linda Crane Algonquin College

…-if)#switchport trunk native vlan vlan-id

Linda Crane Algonquin College

Linda Crane Algonquin College

A Port's VLAN Membership

Each switch port can be assigned to a different VLAN.

Linda Crane Algonquin College

Static membership VLANs are called port-based and port-centric

Linda Crane Algonquin College

Important notes on VLANs:

Linda Crane Algonquin College

Dynamic membership VLANs are created through network management software.

Approaches to Dynamic VLANs

Linda Crane Algonquin College

This means that an administrator is able to do all of the following:

Linda Crane Algonquin College

Common VLAN Terminologies

Linda Crane Algonquin College

Common VLAN Terminologies

Linda Crane Algonquin College

Common VLAN Terminologies:

Linda Crane Algonquin College

Common VLAN Terminologies: Voice VLANs

• In figure, VLAN 150 is designed to

Linda Crane Algonquin College

More on Trunking … tagging

Linda Crane Algonquin College

Linda Crane Algonquin College

Ether-Type (0x8100) New FCS

Linda Crane Algonquin College

Linda Crane Algonquin College

Linda Crane Algonquin College

switchport encapsulation can only be set on switches that support

Linda Crane Algonquin College

Linda Crane Algonquin College

Trunk Mode "On" (Static)

Linda Crane Algonquin College

Trunk Mode "Off" (Static)

Linda Crane Algonquin College

Trunk Mode (Dynamic)

• Think about being “invited” to trunk…if this port is invited

Linda Crane Algonquin College

Trunk Mode (Dynamic)

Linda Crane Algonquin College

This mode stops the port from generating Dynamic