1. Virtual LAN
2019/6/14

2. VLAN
What is VLAN?
簡言之, VLAN 就是以軟體的方式, 讓 Switch 能夠切割網路為 “不同的 Broadcast Domains”
HOW?
分屬不同 VLAN 的 PCs 間無法經由 Switch 溝通
對網路規劃與管理者而言, VLAN 是傳統 Switch 與 Router 外之另一 “工具”, “觀念” 或 “武器”
VLAN 不是一個 “裝置”, VLAN 的達成, 仍需仰賴 Switch 與 Router
2019/6/14

3. 傳統 LAN 架構與 VLAN 之不同
2019/6/14

4. VLAN (更詳細 …)
A VLAN is a logical grouping of network devices or users that are not restricted to a physical switch segment.
2019/6/14

5. VLAN (更詳細 …)
The devices or users in a VLAN can be grouped by function, department, project teams, applications, and so on, regardless of the physical location or connections to the network
A VLAN creates a single broadcast domain that is not restricted to a physical segment and is treated like a subnet.
Packets are only switched between ports that are designated for the same VLAN.
VLAN setup is done in the switch by software.
2019/6/14

6. VLAN (更詳細 …)
2019/6/14

7. 2019/6/14

8. 傳統 LANs & broadcast domains
2019/6/14

9. VLANs & Broadcast Domains
2019/6/14

10. Relationship between ports, VLANs & Broadcast
Each switch port can be assigned to a VLAN.
Ports assigned to the same VLAN share broadcasts.
Ports that do not belong to that VLAN do not share these broadcasts. This improves the overall performance of the network.
2019/6/14

11. VLAN makes workstations addition, moves & changes easier
Without VLANs, moving a user from one office to another might require a router to be reconfigured, changes in the patch cables in the wiring closet, and IP address reconfiguration on the host.
A host connected to a VLAN-capable switch, however, simply stays in the same VLAN (i.e., same broadcast domain and subnetwork), with no router changes, patch cable changes or IP address changes.
This may not sound like a big deal when 1 host is moved; but when many hosts are moving over the course of a year the savings in time and trouble is tremendous.
2019/6/14

12. VLAN Configuration VLAN 的運作 (or 設定) 方式 Static Dynamic
port-centric (port-based)
Dynamic
2019/6/14

13. Static (Port-Based/Centric) VLAN
2019/6/14

14. Static (port-centric) VLAN
Port
VLAN
2019/6/14

15. Port-Baesd/Centric Users are assigned by port.
VLANs are easily administered.
It provides increased security between VLANs.
Packets do not "leak" into other domains.
2019/6/14

16. Dynamic VLAN
2019/6/14

17. A Scenario …
2019/6/14

18. A small college
Faculty & student LAN, each has different security features
2019/6/14

19. A year later …
What if we still want each has different security features?
2019/6/14

20. VLAN can be the rescue …
2019/6/14

21. More details …
2019/6/14

22. Benefits of VLAN
2019/6/14

23. Security
Groups that have sensitive data are separated from the rest of the network, decreasing the chances of confidential information breaches.
Faculty computers are on VLAN 10 and completely separated from student and guest data traffic.
2019/6/14

24. More on Security with VLAN
Restrict the number of users in a VLAN group
Prevent another user from joining without first receiving approval from the VLAN network management application 
Configure all unused ports to a default low-service VLAN
2019/6/14

25. 2019/6/14

26. Cost reduction
Cost savings result from less need for expensive network upgrades and more efficient use of existing bandwidth and uplinks.
2019/6/14

27. Higher performance
Dividing flat Layer 2 networks into multiple logical workgroups (broadcast domains) reduces unnecessary traffic on the network and boosts performance.
2019/6/14

28. Broadcast storm mitigation
Dividing a network into VLANs reduces the number of devices that may participate in a broadcast storm.
2019/6/14

29. Improved IT staff efficiency
VLANs make it easier to manage the network because users with similar network requirements share the same VLAN.
When you provision a new switch, all the policies and procedures already configured for the particular VLAN are implemented when the ports are assigned.
It is also easy for the IT staff to identify the function of a VLAN by giving it an appropriate name.
2019/6/14

30. Simpler project or application management
VLANs aggregate users and network devices to support business or geographic requirements.
Having separate functions makes managing a project or working with a specialized application easier
2019/6/14

31. Types of VLAN Data VLAN Default VLAN Native VLAN Management VLAN
Voice VLAN
2019/6/14

32. Data VLAN
A data VLAN is a VLAN that is configured to carry only user-generated traffic
A VLAN could carry voice-based traffic or traffic used to manage the switch, but this traffic would not be part of a data VLAN.
It is common practice to separate voice and management traffic from data traffic
A data VLAN is sometimes referred to as a user VLAN.
2019/6/14

33. Default VLAN
All switch ports become a member of the default VLAN after the initial boot up of the switch
Having all the switch ports participate in the default VLAN makes them all part of the same broadcast domain.
The default VLAN for Cisco switches is VLAN 1
VLAN 1 has all the features of any VLAN, except that you cannot rename it and you can not delete it.
Layer 2 control traffic, such as CDP and spanning tree protocol traffic, will always be associated with VLAN 1 - this cannot be changed.
VLAN 1 traffic is forwarded over the VLAN trunks connecting the S1, S2, and S3 switches.
It is a security best practice to change the default VLAN to a VLAN other than VLAN 1
2019/6/14

34. Default VLAN
2019/6/14

35. Native VLAN A native VLAN is assigned to an 802.1Q trunk port.
An 802.1Q trunk port supports traffic coming from many VLANs (tagged traffic) as well as traffic that does not come from a VLAN (untagged traffic).
The 802.1Q trunk port places untagged traffic on the native VLAN.
Native VLANs are set out in the IEEE 802.1Q specification to maintain backward compatibility with untagged traffic common to legacy LAN scenarios.
It is a best practice to use a VLAN other than VLAN 1 as the native VLAN.
2019/6/14

36. Management VLAN
A management VLAN is any VLAN you configure to access the management capabilities of a switch.
VLAN 1 would serve as the management VLAN if you did not proactively define a unique VLAN to serve as the management VLAN.
You assign the management VLAN an IP address and subnet mask.
A switch can be managed via HTTP, Telnet, SSH, or SNMP.
Since the out-of-the-box configuration of a Cisco switch has VLAN 1 as the default VLAN, you see that VLAN 1 would be a bad choice as the management VLAN
an arbitrary user connecting to a switch to default to the management VLAN.
2019/6/14

37. And, one more …
2019/6/14

38. Voice VLAN details
2019/6/14

39. 2019/6/14

40. VLAN Switch Port Modes
2019/6/14

41. Static Mode Setup
2019/6/14

42. Voice Mode Setup
The configuration command # mls qos trust cos // cos : class of service
ensures that voice traffic is identified as priority traffic.
Remember that the entire network must be set up to
prioritize voice traffic.
By default, the Cisco IP Phone forwards the voice traffic
with an 802.1Q priority of 5
2019/6/14

43. Voice VLAN Verification
2019/6/14

44. Controlling broadcast w/o VLAN
2019/6/14

45. Controlling broadcast with VLAN
2019/6/14

46. Controlling Broadcast Domains with Switches and Routers
Breaking up broadcast domains can be performed either with VLANs (on switches) or with routers.
A router is needed any time devices on different Layer 3 networks need to communicate, regardless whether VLANs are used.
2019/6/14

47. VLAN Trunking
2019/6/14

48. 目前為止, 我們主要討論的是一個 Switch 下的 VLAN
2019/6/14

49. VLAN 跨越兩個以上 Switches 時 …
VLAN Trunking
2019/6/14

50. Trunking? (電話線路的例子)
2019/6/14

51. Trunking Concept
One physical link for each VLAN (will need 10 links for 10 VLANs  not practical)
With VLAN Trunking
2019/6/14

52. VLAN Trunking
A trunk is a physical and logical connection between two switches across which network traffic travels
2019/6/14

53. Definition of a VLAN Trunk
A trunk is a point-to-point link between one or more Ethernet switch interfaces and another networking device, such as a router or a switch.
Ethernet trunks carry the traffic of multiple VLANs over a single link.
A VLAN trunk allows you to extend the VLANs across an entire network.
Cisco supports IEEE 802.1Q for coordinating trunks on Fast Ethernet and Gigabit Ethernet interfaces.
A VLAN trunk does not belong to a specific VLAN, rather it is a conduit for VLANs between switches and routers.
2019/6/14

54. Trunking Mechanisms (機制)
Frame Filtering
Frame Tagging
IEEE 802.1Q
2019/6/14

55. Frame Filtering
2019/6/14

56. Frame Tagging
2019/6/14

57. IEEE 802.1q Frame Format
Re-Calculated FCS
VLAN ID (12-bit)
2019/6/14

58. 802.1Q Frame Tagging
2019/6/14

59. VLAN Trunk
2019/6/14

60. Trunk Configuration
2019/6/14

61. Trunk Configuration
Dynamic Trunking Protocol (DTP) is a Cisco proprietary protocol.
Switches from other vendors do not support DTP. DTP is automatically
enabled on a switch port when certain trunking modes are configured
on the switch port.
DTP manages trunk negotiation only if the port on the other switch
is configured in a trunk mode that supports DTP.
2019/6/14

62. Trunk Configuration
2019/6/14

63. Configuring VLAN & Trunk
2019/6/14

64. VLAN ID Ranges
2019/6/14

65. Create a VLAN
2019/6/14

66. Command Syntax
2019/6/14

67. Add a VLAN
2019/6/14

68. Add a VLAN - verification
2019/6/14

69. Assign a Switch Port
2019/6/14

70. Command Syntax
2019/6/14

71. Assign a Switch Port
2019/6/14

72. Delete a Switch Port - verification
2019/6/14

73. Port Memberships Deletion
2019/6/14

74. Verify VLANs and Port Memberships
2019/6/14

75. Command Syntax
2019/6/14

76. Verify VLANs and Port Memberships
2019/6/14

77. Verify VLANs and Port Memberships
2019/6/14

78. Verify VLANs and Port Memberships
2019/6/14

79. Configure Trunking
2019/6/14

80. Command Syntax
2019/6/14

81. Configure an 802.1Q Trunk - Topology
2019/6/14

82. Configure an 802.1Q Trunk - example
2019/6/14

83. Configure an 802.1Q Trunk - verification
2019/6/14

84. Reset Trunking
2019/6/14

85. Common Problems with Trunks
2019/6/14

86. Native VLAN mismatches
Trunk ports are configured with different native VLANs
for example, if one port has defined VLAN 99 as the native VLAN and the other trunk port has defined VLAN 100 as the native VLAN.
This configuration error
generates console notifications, causes control and management traffic to be misdirected, poses a security risk.
2019/6/14

87. Trunk mode mismatches
One trunk port is configured with trunk mode "off" and the other with trunk mode "on".
This configuration error causes the trunk link to stop working.
2019/6/14

88. Allowed VLANs on trunks
The list of allowed VLANs on a trunk has not been updated with the current VLAN trunking requirements. In this situation, unexpected traffic or no traffic is being sent over the trunk.
2019/6/14

89. Trouble Shooting – Native VLAN Mismatches
2019/6/14

90. Trouble Shooting – S3 configuration
2019/6/14

91. Trouble Shooting – Solution
2019/6/14

92. Trouble Shooting – Trunk Mode Mismatches
2019/6/14

93. Trouble Shooting – S1 & S3 configuration
2019/6/14

94. Trouble Shooting – Solution
2019/6/14

95. Trouble Shooting – Incorrect VLAN List
2019/6/14

96. Trouble Shooting – S1 & S3 configuration
2019/6/14

97. Trouble Shooting – Solution
2019/6/14

98. Trouble Shooting – VLAN and IP Subnets
2019/6/14

99. Trouble Shooting – S1 & S3 configuration
2019/6/14

100. Trouble Shooting – Solution
2019/6/14