Virtual LAN 2019/6/14

VLAN What is VLAN? 簡言之, VLAN 就是以軟體的方式, 讓 Switch 能夠切割網路為 “不同的 Broadcast Domains” HOW? 分屬不同 VLAN 的 PCs 間無法經由 Switch 溝通 對網路規劃與管理者而言, VLAN 是傳統 Switch 與 Router 外之另一 “工具”, “觀念” 或 “武器” VLAN 不是一個 “裝置”, VLAN 的達成, 仍需仰賴 Switch 與 Router 2019/6/14

傳統 LAN 架構與 VLAN 之不同 2019/6/14

VLAN (更詳細 …) A VLAN is a logical grouping of network devices or users that are not restricted to a physical switch segment. 2019/6/14

VLAN (更詳細 …) The devices or users in a VLAN can be grouped by function, department, project teams, applications, and so on, regardless of the physical location or connections to the network A VLAN creates a single broadcast domain that is not restricted to a physical segment and is treated like a subnet. Packets are only switched between ports that are designated for the same VLAN. VLAN setup is done in the switch by software. 2019/6/14

VLAN (更詳細 …) 2019/6/14

2019/6/14

傳統 LANs & broadcast domains 2019/6/14

VLANs & Broadcast Domains 2019/6/14

Relationship between ports, VLANs & Broadcast Each switch port can be assigned to a VLAN. Ports assigned to the same VLAN share broadcasts. Ports that do not belong to that VLAN do not share these broadcasts. This improves the overall performance of the network. 2019/6/14

VLAN makes workstations addition, moves & changes easier Without VLANs, moving a user from one office to another might require a router to be reconfigured, changes in the patch cables in the wiring closet, and IP address reconfiguration on the host. A host connected to a VLAN-capable switch, however, simply stays in the same VLAN (i.e., same broadcast domain and subnetwork), with no router changes, patch cable changes or IP address changes. This may not sound like a big deal when 1 host is moved; but when many hosts are moving over the course of a year the savings in time and trouble is tremendous. 2019/6/14

VLAN Configuration VLAN 的運作 (or 設定) 方式 Static Dynamic port-centric (port-based) Dynamic 2019/6/14

Static (Port-Based/Centric) VLAN 2019/6/14

Static (port-centric) VLAN 1 2 3 4 5 6 . 1 2 1 2 2 1 . Port VLAN 2019/6/14

Port-Baesd/Centric Users are assigned by port. VLANs are easily administered. It provides increased security between VLANs. Packets do not "leak" into other domains. 2019/6/14

Dynamic VLAN 2019/6/14

A Scenario … 2019/6/14

A small college Faculty & student LAN, each has different security features 2019/6/14

A year later … What if we still want each has different security features? 2019/6/14

VLAN can be the rescue … 2019/6/14

More details … 2019/6/14

Benefits of VLAN 2019/6/14

Security Groups that have sensitive data are separated from the rest of the network, decreasing the chances of confidential information breaches. Faculty computers are on VLAN 10 and completely separated from student and guest data traffic. 2019/6/14

More on Security with VLAN Restrict the number of users in a VLAN group Prevent another user from joining without first receiving approval from the VLAN network management application  Configure all unused ports to a default low-service VLAN 2019/6/14

2019/6/14

Cost reduction Cost savings result from less need for expensive network upgrades and more efficient use of existing bandwidth and uplinks. 2019/6/14

Higher performance Dividing flat Layer 2 networks into multiple logical workgroups (broadcast domains) reduces unnecessary traffic on the network and boosts performance. 2019/6/14

Broadcast storm mitigation Dividing a network into VLANs reduces the number of devices that may participate in a broadcast storm. 2019/6/14

Improved IT staff efficiency VLANs make it easier to manage the network because users with similar network requirements share the same VLAN. When you provision a new switch, all the policies and procedures already configured for the particular VLAN are implemented when the ports are assigned. It is also easy for the IT staff to identify the function of a VLAN by giving it an appropriate name. 2019/6/14

Simpler project or application management VLANs aggregate users and network devices to support business or geographic requirements. Having separate functions makes managing a project or working with a specialized application easier 2019/6/14

Types of VLAN Data VLAN Default VLAN Native VLAN Management VLAN Voice VLAN 2019/6/14

Data VLAN A data VLAN is a VLAN that is configured to carry only user-generated traffic A VLAN could carry voice-based traffic or traffic used to manage the switch, but this traffic would not be part of a data VLAN. It is common practice to separate voice and management traffic from data traffic A data VLAN is sometimes referred to as a user VLAN. 2019/6/14

Default VLAN All switch ports become a member of the default VLAN after the initial boot up of the switch Having all the switch ports participate in the default VLAN makes them all part of the same broadcast domain. The default VLAN for Cisco switches is VLAN 1 VLAN 1 has all the features of any VLAN, except that you cannot rename it and you can not delete it. Layer 2 control traffic, such as CDP and spanning tree protocol traffic, will always be associated with VLAN 1 - this cannot be changed. VLAN 1 traffic is forwarded over the VLAN trunks connecting the S1, S2, and S3 switches. It is a security best practice to change the default VLAN to a VLAN other than VLAN 1 2019/6/14

Default VLAN 2019/6/14

Native VLAN A native VLAN is assigned to an 802.1Q trunk port. An 802.1Q trunk port supports traffic coming from many VLANs (tagged traffic) as well as traffic that does not come from a VLAN (untagged traffic). The 802.1Q trunk port places untagged traffic on the native VLAN. Native VLANs are set out in the IEEE 802.1Q specification to maintain backward compatibility with untagged traffic common to legacy LAN scenarios. It is a best practice to use a VLAN other than VLAN 1 as the native VLAN. 2019/6/14

Management VLAN A management VLAN is any VLAN you configure to access the management capabilities of a switch. VLAN 1 would serve as the management VLAN if you did not proactively define a unique VLAN to serve as the management VLAN. You assign the management VLAN an IP address and subnet mask. A switch can be managed via HTTP, Telnet, SSH, or SNMP. Since the out-of-the-box configuration of a Cisco switch has VLAN 1 as the default VLAN, you see that VLAN 1 would be a bad choice as the management VLAN an arbitrary user connecting to a switch to default to the management VLAN. 2019/6/14

And, one more … 2019/6/14

Voice VLAN details 2019/6/14

2019/6/14

VLAN Switch Port Modes 2019/6/14

Static Mode Setup 2019/6/14

Voice Mode Setup The configuration command # mls qos trust cos // cos : class of service ensures that voice traffic is identified as priority traffic. Remember that the entire network must be set up to prioritize voice traffic. By default, the Cisco IP Phone forwards the voice traffic with an 802.1Q priority of 5 2019/6/14

Voice VLAN Verification 2019/6/14

Controlling broadcast w/o VLAN 2019/6/14

Controlling broadcast with VLAN 2019/6/14

Controlling Broadcast Domains with Switches and Routers Breaking up broadcast domains can be performed either with VLANs (on switches) or with routers. A router is needed any time devices on different Layer 3 networks need to communicate, regardless whether VLANs are used. 2019/6/14

VLAN Trunking 2019/6/14

目前為止, 我們主要討論的是一個 Switch 下的 VLAN 2019/6/14

VLAN 跨越兩個以上 Switches 時 … VLAN Trunking 2019/6/14

Trunking? (電話線路的例子) 2019/6/14

Trunking Concept One physical link for each VLAN (will need 10 links for 10 VLANs  not practical) With VLAN Trunking 2019/6/14

VLAN Trunking A trunk is a physical and logical connection between two switches across which network traffic travels 2019/6/14

Definition of a VLAN Trunk A trunk is a point-to-point link between one or more Ethernet switch interfaces and another networking device, such as a router or a switch. Ethernet trunks carry the traffic of multiple VLANs over a single link. A VLAN trunk allows you to extend the VLANs across an entire network. Cisco supports IEEE 802.1Q for coordinating trunks on Fast Ethernet and Gigabit Ethernet interfaces. A VLAN trunk does not belong to a specific VLAN, rather it is a conduit for VLANs between switches and routers. 2019/6/14

Trunking Mechanisms (機制) Frame Filtering Frame Tagging IEEE 802.1Q 2019/6/14

Frame Filtering 2019/6/14

Frame Tagging 2019/6/14

IEEE 802.1q Frame Format Re-Calculated FCS VLAN ID (12-bit) 2019/6/14

802.1Q Frame Tagging 2019/6/14

VLAN Trunk 2019/6/14

Trunk Configuration 2019/6/14

Trunk Configuration Dynamic Trunking Protocol (DTP) is a Cisco proprietary protocol. Switches from other vendors do not support DTP. DTP is automatically enabled on a switch port when certain trunking modes are configured on the switch port. DTP manages trunk negotiation only if the port on the other switch is configured in a trunk mode that supports DTP. 2019/6/14

Trunk Configuration 2019/6/14

Configuring VLAN & Trunk 2019/6/14

VLAN ID Ranges 2019/6/14

Create a VLAN 2019/6/14

Command Syntax 2019/6/14

Add a VLAN 2019/6/14

Add a VLAN - verification 2019/6/14

Assign a Switch Port 2019/6/14

Command Syntax 2019/6/14

Assign a Switch Port 2019/6/14

Delete a Switch Port - verification 2019/6/14

Port Memberships Deletion 2019/6/14

Verify VLANs and Port Memberships 2019/6/14

Command Syntax 2019/6/14

Verify VLANs and Port Memberships 2019/6/14

Verify VLANs and Port Memberships 2019/6/14

Verify VLANs and Port Memberships 2019/6/14

Configure Trunking 2019/6/14

Command Syntax 2019/6/14

Configure an 802.1Q Trunk - Topology 2019/6/14

Configure an 802.1Q Trunk - example 2019/6/14

Configure an 802.1Q Trunk - verification 2019/6/14

Reset Trunking 2019/6/14

Common Problems with Trunks 2019/6/14

Native VLAN mismatches Trunk ports are configured with different native VLANs for example, if one port has defined VLAN 99 as the native VLAN and the other trunk port has defined VLAN 100 as the native VLAN. This configuration error generates console notifications, causes control and management traffic to be misdirected, poses a security risk. 2019/6/14

Trunk mode mismatches One trunk port is configured with trunk mode "off" and the other with trunk mode "on". This configuration error causes the trunk link to stop working. 2019/6/14

Allowed VLANs on trunks The list of allowed VLANs on a trunk has not been updated with the current VLAN trunking requirements. In this situation, unexpected traffic or no traffic is being sent over the trunk. 2019/6/14

Trouble Shooting – Native VLAN Mismatches 2019/6/14

Trouble Shooting – S3 configuration 2019/6/14

Trouble Shooting – Solution 2019/6/14

Trouble Shooting – Trunk Mode Mismatches 2019/6/14

Trouble Shooting – S1 & S3 configuration 2019/6/14

Trouble Shooting – Solution 2019/6/14

Trouble Shooting – Incorrect VLAN List 2019/6/14

Trouble Shooting – S1 & S3 configuration 2019/6/14

Trouble Shooting – Solution 2019/6/14

Trouble Shooting – VLAN and IP Subnets 2019/6/14

Trouble Shooting – S1 & S3 configuration 2019/6/14

Trouble Shooting – Solution 2019/6/14