VLANS
Virtual LAN's
What is a LAN?
A LAN is a single broadcast domain, including all devices in that broadcast domain. A broadcast domain is the group of devices that receives a broadcast frame (FFFF.FFFF.FFFF) sent my any one of the members
From this diagram, one can see that this is not an optimal setup as the broadcast domain includes all departments and there are performance and security issues at play here:
Performance - Lots of unnecessary broadcast traffic can reduce network performance
Security - Even within the same office, you want to limit who has access to what. You can apply security policies on a router/firewall. As this setup is one LAN, security policies on the router will have no effect as PC's can reach each other directly.
In this scenario, the different departments have been separated via different subnets. If PC1 want to send a message to PC2, PC1 knows PC2 is ion a different network so sets its destination MAC to its default gateway (R1). R1 swaps out the Src and Dst MAC as its own and PC2 respectively sends it the switch and the switch forwards it to PC2.
The issue here is that if PC1 needs to send a broadcast, the switch is L2 and doesn't understand the different networks and so broadcasts PC1's message to all ports except the port it received it on. As you can see we still have the performance issue. Even though the departments have been separated into 3 subnets (Layer 3) they are still in the SAME broadcast domain.
One way of separating the broadcast domain is via segmentation, or creating VLAN's
VLAN's are configured on switches on a per-interface basis
VLAN's logically separate end hosts at Layer 2
Switches do not forward traffic directly between hosts in different VLAN's. Only a L3 device can send traffic between VLAN's
Configuring VLAN's
SW1(config)# interface range gi1/0 - 3
SW1(config-if-range)# switchport mode access
SW1(config-if-range)# switchport access vlan 10
% Access VLAN does not exists. Creating vlan 10
We can see that VLAN 10 was created automatically
We can see the VLAN's created above VLAN0010, VLAN0020 and VLAN0030. Lets change these names to be more specific
SW1(config)#vlan 10 ----------------> this is how you create a VLAN Manually
SW1(config-vlan)#name ENGINEERING
SW1(config-vlan)#vlan 20
SW1(config-vlan)#name HR
SW1(config-vlan)#vlan 30
SW1(config-vlan)#name SALES
SW1(config)# do show vlan brief
LAB 1- Packet Tracer
VLAN Network Address 1st Usable Address Last Usable Address Broadcast Address
10 10.0.0.0/26 10.0.0.1 10.0.0.62 10.0.0.63
20 10.0.0.64/26 10.0.0.65 10.0.0.126 10.0.0.127
30 10.0.0.128/26 10.0.0.129 10.0.0.190 10.0.0.191
Trunk Ports
Trunk ports = multiple VLAN's on an interface (or bundled interfaces aka EtherChanell). When a frame is received on a TRUNK interface, how does it know where to forward the traffic to?
For example, PC1 wants to send data to PC2 in the same VLAN across the trunk, it sends the data to SW2 and SW2 forwards the data to SW1. The trunk port allows VLAN's 10 and 30 How does SW1 know which VLAN the traffic belongs to? It does this by VLAN Tagging. Switches will 'tag' all frames that they send over a trunk link. This allows the receiving switch to know which VLAN the frame belongs to.
There are 2 main trunking protocols:
ISL (Inter-Switch Link) - old Cisco proprietary created before the IEEE 802.1Q industry standard. Modern Cisco equipment don't support it any more.
802.1Q - commonly known as dot1q
VLAN's (802.1q) as defined by IEEE and states that 32bits (4 Bytes) are added to the Ethernet Frame in the following fields:
TPID = Tag Protocol Identifier (16bit)
This field is set to 0x8100 to identify that its a 802.1q VLAN
PCP = Priority Code Point (3bit) - 802.1p
This is the L2 CoS (Class of Service) from 0-7 (lowest to highest priority)
DEI = Drop Eligible Indicator (1bit)
If there is congestion within the network, this can be set to be dropped
VLAN ID = 12bit
This is basically the VLAN number between 0-4096. As its 12bits,
( 2^12 = 4096) . VLANS 0 and 4095 are reserved and can't be used,so it can only support 1 - 4094 VLAN'sVLAN 0 is solely used for 802.1p traffic - QoS - (Cant be modified of deleted)
VLAN 1 is the default VLAN (Cant be modified or deleted)
VLAN's 2-1001are in the 'Normal' VLAN range and CAN be modified or deletedVLAN's 1002-1005 are reserved and cannot be deleted (fddi, token-ring, fddinet, trnet)
VLAN's 1006 - 4094are in the 'Extended' VLAN range and can be added, deleted and modified as necessary
As discussed above previously, the 802.1q tag is inserted between the 'Source' and 'Type/Length Fields The tag is 4Bytes (32 bits) and is made up of 2 main fields:
Native VLAN
802.1q has a feature called 'Native VLAN' which ISL does not. The native VLAN is by default VLAN 1 which in the beginning all ports are associated to. This can be manually changed on each trunk port. The switch does not add 802.1q tags to frames received on the Native VLAN, and forward the frame normally over the trunk port (without an 802.1q tag - ie its coming through the truk port as an UNTAGGED frame. The receiving switch sees the untagged frame on the trunk port and assumes it belongs to the NATIVE VLAN (remember to ensure native VLAN's match between switches trunk ports). As mentioned, switches will still forward traffic if there is a NATIVE VLAN MISMATCH which could cause problems as traffic can change VLAN's unintentionally. Lets see some scenarios below:
PC1 wants to forward traffic to PC2 and both are in the same VLAN10 which also happens to be the configured 802.1q native vlan. Because the native vlan is 10 the frame will NOT be tagged and SW2 forwards the frame to SW1. SW1 sees it has no tag and assumes its in the native VLAN 10 and sends it to PC2. This works in this case
NATIVE VLAN MISMATCH
Here we can see a native VLAN mismatch with SW2 as VLAN10 and DW1 as VLAN30. As with the previous example the untagged frame arrives at SW1 which it then assumes it must belong to VLAN30, but the destination is VLAN10 so it drops the frame.
Here we can see that PC1 want to send data to PC2 in VLAN30. All is the same except that SW2 has marked the frame as VLAN 30 but on SW1, VLAN 30 is the native VLAN and so it wont be expecting VLAN30 tagged traffic so will then discard the frame.
All switch control plane traffic is advertised using the NATIVE VLAN. To change the default Native VLAN (for security reasons)- it is best to change it to an unused VLAN (make sure the naive VLAN matches between switches !!)
SW1(config)#interface gi1/0
SW1(config-if)#switchport trunk native vlan 1001
SW2(config)#interface gi0/0
SW2(config-if)#switchport trunk native vlan 1001
SW1#show vlan brief
SW1#show interfaces trunk
Management traffic such as:
Spanning Tree Protocol (STP) Bridge Protocol Data Units (BPDU)
Dynamic Trunking Protocol (DTP)
always use the Native VLAN. Other protocols always use VLAN1 (default Native VLAN) such as
Cisco Discovery Protocol (CDP)
VTP (VLAN Trunk Protocol)
PAgP (Port Aggregation Protocol)
UDLD (Uni Directional Link Detection)
However if the Native VLAN is NOT Vlan 1, then they will be tagged to the NATIVE VLAN
Configuring Trunk Ports
SW1(config)# interface gi0/0
SW1(config-if)# switchpost mode trunk
Command rejected: An interface whose trunk encapsulation is "Auto" cannot be configured to "trunk" mode **Switches that support both trubk protocols (ISL and 802.1q) have their trunk interfaces set to auto by default. SO have to set encapsulation 1st !!!
SW1(config-if)# switchport trunk encapsulation dot1q
SW1(config-if)# switchport mode trunk
SW1(config-if)# end
SW1# show interfaces trunk
Mode On = Interface was manually configured as a trunk Encapsulation = 802.1q as configured and Native VLAN is 1 as per default
SW1(config)# interface gi0/0
SW1(config-if)# switchport trunk allowed vlan ? PLEASE SEE AVAILABLE OPTIONS with ?
SW1(config-if)# switchport trunk allowed vlan 10, 30
VLAN Port Allocation
Ports are assigned to VLAN's in a number of ways:
Statically Assigned - this is where the Administrator statically assigns switch ports to their respective VLAN's
Dynamic VLAN's
Using VMPS (VLAN Membership Policy Server), whereby the ports can be dynamically updated depending on which source MAC address of the device attached to that port. For example a boardroom port, if a Director connects to a port, the VMPS dynamically assigns that port to the Directors VLAN based on his MAC address.
If the following day a Manager plugs his laptop into the same port the VMPS dynamically allocates the port to the Managers VLAN
VOICE VLAN's - specifically used by IP Phones
VTP
VLAN Trunking Protocol is a Cisco Proprietary Layer 2 Protocol which allows for the propagation of VLAN information from one switch to another rather than connecting individually to each switch, whereby you can create, add or delete or rename VLAN's and have that information propagate to other switches across TRUNK links. (Notice the name:VTP - this information can only be propagated across TRUNK links)
VTP can save a lot of time but also can be a headache:
Entire VLAN information and configuration can be wiped out due to a new Cisco switch being intro an environment without due diligence being followed and a lot of Engineers will disable VTP to mitigate these issues.
The Router (Router on a Stick) - Inter VLAN routing (Use sub-interfaces!!!)
The 3 interfaces to the router from the switch for each VLAN does not scale, so instead of 3 we have 1 physical connection with sub-interfaces to carry the 3 VLAN's.
g0/0.10 --> for vlan 10
g0/0.20 --> for vlan 20
g0/0.30 --> for vlan 30
If the router interface to the switch is gi0/0 we configure the port to the router as a normal trunk port and then on the router we do the following: (We have assigned the last userble ip address of the subnet as the IP Addrresss)
R1(config)#interface gi0/0
R1(config)#no shut
R1(config-int)#interface gi0/0.10
R1(config-int)#encapsulation dot1q 10
R1(config-int)#ip address 192.168.1.62 255.255.255.192
R1(config-int)#interface gi0/0.20
R1(config-int)#encapsulation dot1q 20
R1(config-int)#ip address 192.168.1.126 255.255.255.192
R1(config-int)#interface gi0/0.30
R1(config-int)#encapsulation dot1q 30
R1(config-int)#ip address 192.168.1.190 255.255.255.192
The sub-interface number eg. gi0/0.10, does not have to match the VLAN number but it does make it easier to understand which VLAN and sub-interface you are looking at to make it the SAME !! :)
LAB 2 - Trunks
SW1
SW2
R1
Native VLAN on a Router (ROAS)
From previous section we mentioned that is was best practise to change the Native Vlan to an unused VLAN as the native VLAN feature can cause security issues. Lest see how we can use it on a router.
The native VLAN feature does have one benefit because frames in the native VLAN are not tagged its more efficient, each frame is smaller so it allows the device to send more frames per second. In the previous section we set the native VLAN to an unused VLAN of 1001 on SW1's gi0/0 and SW2's gi0/0 and gi0/1interfaces. There are 2 methods for configuring the native VLAN on a router
R1(config-subif)# encapsulation dot1q <vlan-id> nativeThis tells the the router that this sub-interface belongs to the native VLAN and it will function just like the native VLAN on a switch
The second option is not to use a sub-interface at all but just configure the IP address for the natie VLAN on the routers physical interface (the encapsulation dot1q <vlan-id> command is not necessary.
Layer 3 (Multilayer Switches
Capable of switching and routing
Its Layer 3 aware
You can assign IP addresses like a router
You can create virtual interfaces for each VLAN and assign IP's to those interfaces
You can configure routes on it, just like a router
Can be used for inter-VLAN routing
SVI's - switch virtual interfaces are the virtual interfaces you can assign IP addresses to in a multiayer switch. Configure the PC's to use the SVI as their Default Gateway and not the router
A couple of commands first. We created the sub-interfaces on R1 when it was a ROAS. To delete interfaces and reset them to default:
Configuration of Devices
R1
R1(config)# no interface gi0/0.10
R1(config)# no interface gi0/0.20
R1(config)# no interface gi0/0.30
R1(config)# default interface gi0/0
Even though the interfaces have been deleted, they will remain here with a 'deleted' status unless we reload the router
SW2
Another command to use:
SW2# show interface status
SVI's
Pretty easy to configure:-
For a SVI to work a few pre-requisites must be enabled first. For example from the above SVI picture we added in another SVI: vlan 40 with IP address 40.40.40.40 255.255.255.0
The only issue here is that the interface is down - Why??
The VLAN must exist on the switch first
The switch must have at least one access port in the VLAN in an up/up state AND/OR one trunk port that allows the VLAN that is in the up/up state
The VLAN must not be shutdown (you can use the 'shutdown' command to disable a VLAN)
The SVI must not be shutdown (SVI's are disabled by default - just like router interfaces !!)
LAB3 - SVI's
Steps Taken
R1
Remove sub-interfaces
Ser gi0/0 to default config
Added in gi0/0 new IP address - 10.0.0.194 255.255.255.252
SW2
sh run and see that had to add in the switchport trunk encapsulation dot1q (option for ISL)
remove trunk config from gi1/0/2 - set to default and remove encapsulation dot1q
set default route to R1 0.0.0.0 0.0.0.0 10.0.0.194
no switchport
enable L3 routing ' ip routing'
check if enabled
sh ip route - can see routing tab;e with 1 connected route and 1 local route1/0/2)
create SVI's
interface vlan 10
ip address 10.0.0.62 255.255.255.192
Commands Used:
show run | section interface
sh ip int brief
no interface gi0/0.10 etc
int gi0/0 ip address
ip routing
no switchport
sh ip route
Last updated
