Understanding Virtual LANs
Agenda

- What Is a VLAN?
- How Does it Work?
- VLAN Technologies
Constraints of Shared LANs

- Users are physically bound
- Subnets are tied to hubs
- Users are grouped by location
- No security on segment
- Addressing is constrained
- Moves require address changes
- Router ports are expensive
Virtual LANs

- One broadcast domain within a switch
- VLANs help manage broadcast domains
- Can be defined on port groups, users, or protocols
- LAN switches and network management software provide a mechanism to create VLANs

(Figure: a server farm attached to a switch carrying VLAN 1, VLAN 2 and VLAN 3)
Remove the Physical Boundaries

- Group users by department, team, or application
- Routers provide communication between VLANs

(Figure: Engineering, Marketing and Acctg. VLANs spanning Floor 1, Floor 2 and Floor 3)
VLAN Benefits

- Reduced administrative costs
  - Simplify moves, adds, and changes
- Efficient bandwidth utilization
  - Better control of broadcasts
- Improved network security
  - Separate VLAN group for high-security users
  - Relocate servers into secured locations
- Scalability and performance
  - Microsegment with scalability
  - Distribute traffic load
Approaches Can Vary Performance

(Figure: three membership models side by side: port-based (VLAN 1, VLAN 2, VLAN 3 per port group), Layer 3-based (subnet xx mapped to VLAN 1 / VLAN 2), and MAC-based (MAC addresses mapped to VLAN 1))

Establishing VLAN Membership

- Port driven
- MAC address driven
- Network address driven
- Application type driven
Multiple VLANs per Port

(Figure: a hub with stations Mac 1 through Mac 12 behind a single switch port; broadcasts shown outgoing and incoming)

Does This Make Sense in Switched/Shared LANs?

- Requested when multiple clients are attached
- Requires address lookups
- Cannot filter broadcasts on shared segment
- Results in lots of administration, little return
Communicating Between VLANs

- Layer 3 links VLANs together
- Adds additional security and management
- Logical links conserve physical ports
- Multimode, depending on protocol
- Controls access by VLAN
- Up to 255 VLANs per router

(Figure: two physical topology approaches for VLAN 1, VLAN 2 and VLAN 3 behind a router running Cisco Internetworking Software: logical communication over one link carrying VLANs 1, 2, 3, versus a physical link per VLAN)
VLAN Technologies
Inter-Switch Link

(Figure: VLAN tag added at the incoming port, carried across the Inter-Switch Link (ISL) with its VLAN identifier, and stripped by the forwarding port)

- Interconnects multiple switches and maintains VLAN information as traffic goes between switches
- Establishes membership through ASICs
- Labels each packet as received ("packet tagging")
- Eliminates lookups and tables
- Transports multiple VLANs across links
- Protocol, end-station independent
- Easily managed

(Figure: trunk encapsulations shown: ISL, 802.1Q, LANE)
VLAN Standardization

- Wide vendor endorsement for 802.1Q tagging standard
- Cisco supports across Fast Ethernet, Gigabit uplinks
- Cisco maps ISL to 802.1Q dynamically with VTP
- Packet tagging as common VLAN exchange

(Figure: Level-1 explicit tagging: the original frame DES | SRC | Data | FCS becomes DES | SRC | VLAN ID | Data | FCS)
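The two slides above describe the mechanism in words: the incoming port decides membership, the trunk carries an explicit tag, and the forwarding port strips it. The following model is an added example (not code from the deck) that implements that behaviour for the 802.1Q tag format, including the broadcast confinement a VLAN gives you. It assumes trunks have no native VLAN, so an untagged frame arriving on a trunk is dropped, and it ignores spanning tree and ageing.

```python
import struct

TPID_8021Q = 0x8100          # 802.1Q tag protocol identifier (EtherType slot)
BROADCAST = b"\xff" * 6

def tag_frame(frame: bytes, vid: int, pcp: int = 0) -> bytes:
    """Insert a 4-byte 802.1Q tag after the 12-byte dst/src MAC header."""
    if not 1 <= vid <= 4094:
        raise ValueError("VID must be 1..4094")
    tci = ((pcp & 0x7) << 13) | (vid & 0x0FFF)   # DEI bit left clear
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]

def parse_tag(frame: bytes):
    """Return (vid, pcp, untagged_frame); vid and pcp are None if no tag."""
    if len(frame) >= 16 and struct.unpack("!H", frame[12:14])[0] == TPID_8021Q:
        tci = struct.unpack("!H", frame[14:16])[0]
        return tci & 0x0FFF, tci >> 13, frame[:12] + frame[16:]
    return None, None, frame

class VlanSwitch:
    """Minimal model: access ports assign a VLAN, trunk ports carry tags."""
    def __init__(self):
        self.ports = {}       # port -> (mode, access_vid)
        self.mac_table = {}   # (vid, mac) -> port the MAC was learned on

    def access(self, port, vid): self.ports[port] = ("access", vid)
    def trunk(self, port): self.ports[port] = ("trunk", None)

    def receive(self, in_port, frame):
        """Forward one frame; returns a list of (out_port, frame_as_sent)."""
        mode, access_vid = self.ports[in_port]
        vid, _, untagged = parse_tag(frame)
        if mode == "access":
            vid = access_vid          # membership is driven by the port, not the frame
        elif vid is None:
            return []                 # assumption: no native VLAN, so drop untagged
        self.mac_table[(vid, untagged[6:12])] = in_port
        known = self.mac_table.get((vid, untagged[:6]))
        targets = ([known] if known and known != in_port
                   else [p for p in self.ports if p != in_port])   # flood in VLAN
        out = []
        for p in targets:
            pmode, pvid = self.ports[p]
            if pmode == "access" and pvid == vid:
                out.append((p, untagged))                 # tag stripped on egress
            elif pmode == "trunk":
                out.append((p, tag_frame(untagged, vid))) # tag carried on trunk
        return out
```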
802.1Q VLAN Standard Implementation

- Cisco environment uses ISL
- Vendor environment uses an existing, yet different packet tagging method
- Interdomain communication based on 802.1Q standard

(Figure: Company ABC typical environment: a Cisco domain running ISL connected to a Vendor X domain, with the interconnect encapsulation shown as "?")
Virtual Trunk Protocol (VTP)

- VLAN administration and configuration protocol
- Reduces VLAN setup and administration
- Eliminates configuration errors
- Decreases network manager's time adding and managing VLANs
- Maintains security between VLANs
1900 Series (1)

    (config)#hostname uniti_1900
    uniti_1900(config)#vlan 2 name sales
    uniti_1900(config)#vlan 3 name marketing
    uniti_1900(config)#exit
    uniti_1900#sh vlan
    VLAN  Name                Status      Ports
    1     default             Enabled     1-12, AUI, A, B
    2     sales               Enabled
    3     marketing           Enabled
    1002  fddi-default        Suspended
    1003  token-ring-defau    Suspended
    1004  fddinet-default     Suspended
    1005  trnet-default       Suspended
    [output cut]
1900 Series (2)

    uniti_1900(config)#int e0/2
    uniti_1900(config-if)#vlan-membership ?
      dynamic  Set VLAN membership type as dynamic
      static   Set VLAN membership type as static
    uniti_1900(config-if)#vlan-membership static ?
      <1-1005>  ISL VLAN index
    uniti_1900(config-if)#vlan-membership static 2
    uniti_1900(config-if)#int e0/3
    uniti_1900(config-if)#vlan-membership static 3
    uniti_1900(config-if)#
    uniti_1900#sh vlan
    VLAN  Name                Status      Ports
    1     default             Enabled     1, 4-12, AUI, A, B
    2     sales               Enabled     2
    3     marketing           Enabled
    1002  fddi-default        Suspended
    [output cut]
1900 Series (3)

    uniti_1900(config)#int f0/26
    uniti_1900(config-if)#trunk ?
      auto         Set DISL state to AUTO
      desirable    Set DISL state to DESIRABLE
      nonegotiate  Set DISL state to NONEGOTIATE
      off          Set DISL state to OFF
      on           Set DISL state to ON
    uniti_1900(config-if)#trunk on
    uniti_1900(config-if)#
    uniti_1900#sh trunk ?
      A  Trunk A
      B  Trunk B
    uniti_1900#sh trunk a
    DISL state: On, Trunking: Off, Encapsulation type: Unknown
    uniti_1900#sh trunk b
    DISL state: Off, Trunking: Off, Encapsulation type: Unknown
    uniti_1900#
1900 Series (4)

    uniti_1900(config)#vtp ?
      client       VTP client
      domain       Set VTP domain name
      password     Set VTP password
      pruning      VTP pruning
      server       VTP server
      transparent  VTP transparent
      trap         VTP trap
    uniti_1900(config)#vtp server
    uniti_1900(config)#vtp domain uniti
    uniti_1900(config)#vtp password cisco
    uniti_1900(config)#
1900 Series (5)

    uniti_1900#sh vtp
    VTP version: 1
    Configuration revision: 4
    Maximum VLANs supported locally: 1005
    Number of existing VLANs: 7
    VTP domain name         : uniti
    VTP password            : cisco
    VTP operating mode      : Server
    VTP pruning mode        : Disabled
    VTP traps generation    : Enabled
    Configuration last modified by: at :00:00
    uniti_1900#
2950 Series (1)

    uniti_2950#vlan database
    uniti_2950(vlan)#vlan 1 name sales
    A default VLAN may not have its name changed.
    uniti_2950(vlan)#vlan 2 name marketing
    VLAN 2 added:
        Name: marketing
    uniti_2950(vlan)#vlan 3 name accounting
    VLAN 3 added:
        Name: accounting
    uniti_2950(vlan)#apply
    APPLY completed.
    uniti_2950(vlan)#
2950 Series (2)

    uniti_2950#sh vlan brief
    VLAN  Name                Status     Ports
    1     default             active     Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                         …, Fa0/22, Fa0/23, Fa0/24
    2     marketing           active
    3     accounting          active
    10    vlan10              active
    20    vlan20              active
    30    vlan30              active
    1002  fddi-default        act/unsup
    1003  token-ring-default  act/unsup
    1004  fddinet-default     act/unsup
    1005  trnet-default       act/unsup
2950 Series (3)

    uniti_2950#conf t
    Enter configuration commands, one per line.  End with CNTL/Z.
    uniti_2950(config)#int f0/2
    uniti_2950(config-if)#switchport access vlan 2
    uniti_2950(config-if)#int f0/3
    uniti_2950(config-if)#switchport access vlan 3
    uniti_2950(config-if)#^Z
2950 Series (4)

    uniti_2950#sh vlan brief
    VLAN  Name                Status     Ports
    1     default             active     Fa0/1, Fa0/4, Fa0/5, Fa0/6
                                         …, Fa0/23, Fa0/24
    2     marketing           active     Fa0/2
    3     accounting          active     Fa0/3
    10    vlan10              active
    20    vlan20              active
    30    vlan30              active
    1002  fddi-default        act/unsup
    1003  token-ring-default  act/unsup
    1004  fddinet-default     act/unsup
    1005  trnet-default       act/unsup
2950 Series (5)

    uniti_2950(config)#int f0/24
    uniti_2950(config-if)#switchport mode trunk
    uniti_2950#sh run
    [output cut]
    !
    interface FastEthernet0/2
     switchport access vlan 2
     no ip address
    …
    interface FastEthernet0/24
     switchport mode trunk
     no ip address
    !
    [output cut]
2950 Series (6)

    uniti_2950(config)#vtp mode ?
      client       Set the device to client mode.
      server       Set the device to server mode.
      transparent  Set the device to transparent mode.
    uniti_2950(config)#vtp mode server
    Device mode already VTP SERVER.
    uniti_2950(config)#vtp domain uniti
    Changing VTP domain name from NULL to uniti
    uniti_2950(config)#vtp password cisco
    Setting device VLAN database password to cisco
    uniti_2950#sh vtp ?
      counters  VTP statistics
      password  VTP password
      status    VTP domain status
2950 Series (7)

    uniti_2950#sh vtp status
    VTP Version                     : 2
    Configuration Revision          : 2
    Maximum VLANs supported locally : 64
    Number of existing VLANs        : 10
    VTP Operating Mode              : Server
    VTP Domain Name                 : uniti
    VTP Pruning Mode                : Disabled
    VTP V2 Mode                     : Disabled
    VTP Traps Generation            : Disabled
    MD5 digest                      : 0x80 0x44 0xF2 0x33 0x2B 0x87 0x56 0x80
    Configuration last modified by at :10:15
    Local updater ID is (no valid interface found)
    uniti_2950#
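Because every switch in a VTP domain accepts the VLAN database with the highest configuration revision, the domain name, operating mode and revision shown in the status output above are worth checking across all switches before trunking them together. The following audit is an added example, not part of the deck; it parses the "Key : Value" layout of the 2950 output and flags domain mismatches, revision divergence and more than one server. The two dumps are constructed samples in that layout, not captures from real devices.

```python
import re

def parse_vtp_status(text: str) -> dict:
    """Turn the 'Key : Value' lines of a 'show vtp status' dump into a dict."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z0-9 ]+?)\s*:\s*(.*?)\s*$", line)
        if m:
            fields[m.group(1).lower()] = m.group(2)
    return fields

def audit_vtp(domain_expected: str, dumps: dict) -> list:
    """Compare several switches' dumps; return a list of human-readable findings."""
    findings, revisions, servers = [], {}, []
    for name, text in dumps.items():
        f = parse_vtp_status(text)
        dom = f.get("vtp domain name", "")
        if dom in ("", "NULL") or dom != domain_expected:
            findings.append(f"{name}: domain '{dom}', expected '{domain_expected}'")
        if f.get("vtp operating mode", "").lower() == "server":
            servers.append(name)
        revisions[name] = int(f.get("configuration revision", "0") or 0)
    if len(set(revisions.values())) > 1:   # one switch would overwrite the others
        findings.append("revision mismatch: " +
                        ", ".join(f"{n}={r}" for n, r in sorted(revisions.items())))
    if len(servers) > 1:                    # every server can change the whole domain
        findings.append("more than one VTP server (check this is intended): "
                        + ", ".join(servers))
    return findings

# Constructed sample dumps in the layout shown on the 2950 Series (7) slide
SW1 = """VTP Version                     : 2
Configuration Revision          : 2
VTP Operating Mode              : Server
VTP Domain Name                 : uniti
VTP Pruning Mode                : Disabled"""
SW2 = """VTP Version                     : 2
Configuration Revision          : 5
VTP Operating Mode              : Server
VTP Domain Name                 : NULL
VTP Pruning Mode                : Disabled"""
```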
Inter-VLAN Routing

802.1Q subinterface (the encapsulation is set before the address, because IOS rejects an IP address on a subinterface that has no VLAN encapsulation yet):

    router(config)#int f0/0.1
    router(config-subif)#encapsulation dot1q vlan#
    router(config-subif)#ip address

ISL subinterfaces, one per VLAN, on a physical interface that carries no address itself:

    router(config)#int f0/0
    router(config-if)#no ip address
    router(config-if)#no shut
    router(config-if)#int f0/0.1
    router(config-subif)#encapsulation isl 1
    router(config-subif)#ip address
    router(config)#int f0/0.2
    router(config-subif)#encapsulation isl 2
    router(config-subif)#ip address
Summary

- VLANs enable logical (instead of physical) groups of users on a switch
- VLANs address the needs for mobility and flexibility
- VLANs reduce administrative overhead, improve security, and provide more efficient bandwidth utilization