A VLAN lets you break up the normal LAN environment into several broadcast domains; put simply, a VLAN is a broadcast domain. Larger computer networks usually set up VLANs to re-partition the network for improved traffic management.
When you connect a number of PCs to a switch and assign them all IP addresses in the same network, you have created a LAN. With a VLAN (Virtual LAN) you still connect the same bunch of PCs to a single switch, but you make the switch behave as if it were multiple independent switches. Each VLAN is its own broadcast domain and IP subnet, so switches alone give you the ability to split up broadcast domains. Segmenting a LAN into different VLANs using switches happens at Layer 2 of the OSI model, and each VLAN must be associated with its own IP subnet.
Here are some of VLAN’s advantages:
- VLANs reduce the size of broadcast domains while increasing their number; traffic comes down and performance improves.
- It’s possible to configure VLANs on a single switch, without having to buy a big router with lots of ports or a number of routers, so it’s less expensive and easier to administer.
- Security improvements; VLANs provide enhanced security since no device in any VLAN can communicate with any other device until you deliberately configure a way for it to do so. Example: A server in VLAN 15 that holds confidential employee files for HR might not want PCs from other VLANs to have access to those files unless you specifically configure it to do so.
- VLANs can extend across various switches using trunk links. You can create logical groups of network users by function instead of location. If you want all the finance users to be in their own broadcast domain and IP subnet, you can create a VLAN for them on the first switch; then, connect another switch using a trunk link, establish the same VLAN on that switch, and the finance users on the second switch are in the same VLAN and can communicate with the finance users on the first switch, and are isolated from other VLANs on both switches.
- The ability to trunk VLANs within multiple switches makes moving users, adding users and changing users much easier.
Two VLANs and two switches – VLANs over trunk link allowing logical grouping of users by function.
You create VLANs in three major steps: create it, name it, and assign ports to it.
The commands to create a VLAN differ depending on the switch model and IOS version; we stick with the Catalyst 2960 running an IOS later than 12.2(25) as our example.
The command to create a VLAN is simply vlan [vlan_#] (eg: vlan 10). To name the VLAN, the equally simple command is name [vlan_name] (eg: name Marketing). These commands are entered starting at the Global Config prompt.
To create VLAN 10 named HR, VLAN 20 named Marketing and VLAN 30 named Admin, the commands look like this: vlan 10 followed by name HR, then vlan 20 followed by name Marketing, then vlan 30 followed by name Admin, entered in that order.
As soon as you create the first VLAN, the global config prompt changes to the config-vlan prompt; it is fine to stay at that prompt and continue creating VLANs.
With these commands, you can create all your VLANs at once, or you can go back later and add more as needed. The VLAN configuration (names and numbers) is not stored in the Running-Config or Startup-Config file in NVRAM; rather, it is stored in Flash memory in a special file called vlan.dat. This means that it is possible to erase the Startup-Config file, reload the router, and be confused by the reappearance of VLANs that you thought you had just deleted. To remove VLANs, you can do it one at a time using the no vlan [vlan_#] command, or if you want to get rid of all of them at once, you can use the command delete flash:vlan.dat, which erases and resets the entire VLAN database.
Be very exact and use extra caution with the delete flash:vlan.dat command: there is no space after flash or after the colon! If you put a space after flash, you could delete the entire flash contents, including your IOS. That is not a good thing to do, and is actually quite an ordeal to fix.
Note that Cisco switches have a few default VLANs preconfigured; these are intended for the management and essential functionality of Ethernet, Token Ring, and FDDI LANs. VLAN 1, for example, is the management VLAN for Ethernet. All ports on the switch are in VLAN 1 by default. You cannot change or delete these default VLANs.
The Cisco Catalyst 2960 will support up to 1005 VLANs defined locally.
VLANs can exist without any ports actually being added to them. You add switch ports to a VLAN when you want to put a host into that particular VLAN. Make sure you know which physical ports your hosts are connected to so that you add the correct port to the correct VLAN; it would be an unpopular move to put a marketing user into the HR VLAN, since these two groups are mutually hostile.
The commands to add a switch port to a VLAN are executed at the Interface Config prompt—if you think about that, it makes sense because you are putting the port itself into the VLAN. The command is switchport access vlan [vlan_#]. What you are saying is “this port will access VLAN X.”
In the following commands we put port Fa0/1 into VLAN 10, Fa0/4 into VLAN 20, and Fa0/6 into VLAN 30 (each port is selected with the interface command before its switchport command is entered):
2960(config)#interface fa0/1
2960(config-if)#switchport access vlan 10
2960(config-if)#interface fa0/4
2960(config-if)#switchport access vlan 20
2960(config-if)#interface fa0/6
2960(config-if)#switchport access vlan 30
VLAN Membership Policy
In the previous section the commands assigned particular ports to a particular VLAN statically. (Static VLAN assignment is sometimes called port-based VLAN membership.) When a user changes ports (moves around the office or campus), you will have to repeat the commands at the Switch(config-if)# prompt for the correct new interface. If there are a lot of moves, this can become an administrative pain.
There is an alternative called Dynamic VLAN Membership. This feature lets you dynamically assign VLAN membership to switch ports based on the MAC address of the host connecting to the port. You need a small service called the VLAN Membership Policy Server (VMPS) that holds a database of all the MAC addresses and the correct VLAN for each one; then you tell the switch ports to do dynamic VLAN assignment. When a PC or other host connects to a switch port configured for dynamic membership, the switch checks the MAC address of the host and asks the VMPS which VLAN that MAC should be in. The switch then changes the VLAN membership of that port dynamically.
This definitely is a wonderful idea, but it is difficult to create the VMPS database and to maintain it when your network grows quickly. Imagine having to get and maintain certain knowledge of every MAC address of every host in your network, and then keep the VMPS database updated. Dynamic VLAN membership is a good option if you have a lot of users in a lot of different VLANs moving around to many switch ports, but be ready to wrestle with some administrative issues.
In order to extend VLANs across multiple switches, you need to connect the switches to each other. Though it is possible to simply plug one switch into another using an Access port, just as you would plug in a host or a hub, doing so kills the VLAN-spanning feature and many other useful features too. A switch-to-switch link must be set up as a trunk link for the VLAN system to work properly. A trunk link is a special connection; the key difference between an ordinary connection and a Trunk port is that while an Access port is in only one VLAN at a time, a Trunk port has the job of carrying traffic for all VLANs from one switch to another. Any time you connect a switch to another switch, you want to make that link a trunk.
Some facts to remember about trunks:
- A trunk needs to be created only on a Fast Ethernet or Gigabit Ethernet connection; 10Mb Ethernet ports are not able to support the increased traffic from multiple VLANs, so the commands are not available for a regular Ethernet port.
- Switches are always connected with crossover cables, not straight-through cables. On CCNA switches, there is no “smart port” that will auto-detect a crossed connection and fix it. The Catalyst 2960 has such a feature, but the exam will test your knowledge of when to use a crossover cable. For the purposes of your exams, if two switches are not connected with a crossover cable, there will be no connectivity between them.
- By default, traffic from all VLANs is allowed on a trunk. You can determine which VLANs are permitted (or not) to cross a particular trunk if you have that requirement, but these functions are beyond the scope of the CCNA exam.
VLAN trunking protocol is the protocol that switches use to communicate with each other. A trunking protocol (VTP) adds a VLAN identification tag to frames coming into the switch. As those frames are forwarded across the trunk, the VLAN from which the frame originated is identifiable, and the data frame can be delivered to ports in the same VLAN on other switches, and not to different VLANs. This frame tagging and multiplexing function is what enables VLANs to span multiple switches and still keep each VLAN a separate broadcast domain.
This figure illustrates a simple trunk as it multiplexes frames from several VLANs across a single Fast Ethernet trunk.
ISL (Inter-Switch Link)
The ISL protocol is a Cisco-proprietary Layer 2 protocol. ISL re-encapsulates host frames as they are received by the switch port. The ISL encapsulation adds a 26-byte header and a 4-byte trailer to the original host frame. The header contains the VLAN ID (the VLAN #) and a few other fields. The trailer is a new CRC to check the integrity of the ISL frame.
There are two significant concerns with ISL. The first is that it is Cisco proprietary, meaning that it will work only with Cisco switches. In a perfect world, of course, everyone would have all Cisco gear, but the reality is a lot of non-Cisco devices are out there. To complicate matters, Cisco has begun to phase out ISL in favor of 802.1Q; for example, the Cisco 2960 supports only 802.1Q and not ISL at all.
The second issue with ISL is frame size. If a frame is received that is already at the MTU, the addition of the 26-byte header and 4-byte trailer can create frames that are over the Ethernet MTU of 1,518 bytes (with ISL encapsulation, now at 1,548 bytes), which will be dropped as “Giant” frames by devices that do not recognize the ISL encapsulation.
The IEEE-standard 802.1Q trunk encapsulation has the advantage of being an industry standard, so inter-vendor operation is not a problem. Often referred to as “dot1q” (because geeks like lingo), this protocol does not re-encapsulate the original frame, but instead puts a 4-byte tag into the existing header. This means that a dot1q frame will be seen as a “baby giant” of 1,522 bytes. Most modern Network Interface Cards will not reject these frames when they mistakenly receive one.
A dot1q-tagged frame.
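The frame-size arithmetic in the ISL and dot1q sections above is easy to get wrong, so here is an added Python illustration (written for this page, not code from the article or from Cisco) that inserts a real 4-byte 802.1Q tag after the source MAC of a maximum-size untagged frame, parses the VLAN ID back out, and compares the result with ISL's 26-byte header plus 4-byte trailer. The sample frame, its MAC addresses and the zero placeholder FCS are constructed for the example; the TPID value 0x8100 and the tag layout (3-bit priority, 1 DEI bit, 12-bit VLAN ID) are the standard 802.1Q ones.

```python
"""802.1Q tagging and ISL sizing, added as an illustration (not the article's own code)."""
import struct

TPID_DOT1Q = 0x8100          # EtherType value that marks an 802.1Q tag
MAX_UNTAGGED_FRAME = 1518    # classic Ethernet maximum, FCS included
ISL_HEADER, ISL_TRAILER = 26, 4


def dot1q_tag(frame: bytes, vlan_id: int, priority: int = 0) -> bytes:
    """Insert a 4-byte 802.1Q tag after the source MAC (bytes 0-11) of an
    untagged frame. The tag is the TPID (0x8100) followed by the TCI:
    3-bit priority, 1 DEI bit (left 0 here) and the 12-bit VLAN ID."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be 1..4094")
    if not 0 <= priority <= 7:
        raise ValueError("priority must be 0..7")
    tci = (priority << 13) | vlan_id
    return frame[:12] + struct.pack("!HH", TPID_DOT1Q, tci) + frame[12:]


def dot1q_untag(frame: bytes):
    """Return (vlan_id, untagged_frame); vlan_id is None if the frame carries no tag."""
    (tpid,) = struct.unpack("!H", frame[12:14])
    if tpid != TPID_DOT1Q:
        return None, frame
    (tci,) = struct.unpack("!H", frame[14:16])
    return tci & 0x0FFF, frame[:12] + frame[16:]


def isl_frame_size(untagged_len: int) -> int:
    """ISL re-encapsulates the whole frame: 26-byte header + 4-byte trailer."""
    return untagged_len + ISL_HEADER + ISL_TRAILER


def build_max_frame() -> bytes:
    """Constructed sample: a maximum-size untagged frame (6+6+2+1500+4 = 1518 bytes)."""
    dst = bytes.fromhex("ffffffffffff")        # broadcast destination
    src = bytes.fromhex("0200deadbeef")        # locally administered, made-up source
    ethertype = struct.pack("!H", 0x0800)      # IPv4
    payload = bytes(1500)                      # zero-filled 1500-byte payload
    fcs = bytes(4)                             # placeholder FCS, not computed here
    return dst + src + ethertype + payload + fcs


def size_report() -> dict:
    """Tag the sample frame for VLAN 20 and report the sizes the article quotes."""
    frame = build_max_frame()
    tagged = dot1q_tag(frame, vlan_id=20, priority=0)
    vid, restored = dot1q_untag(tagged)
    return {
        "untagged": len(frame),                 # 1518
        "dot1q": len(tagged),                   # 1522, the "baby giant"
        "isl": isl_frame_size(len(frame)),      # 1548, over the 1518 MTU
        "vlan_id_recovered": vid,               # 20
        "roundtrip_ok": restored == frame,      # stripping the tag restores the original
    }


if __name__ == "__main__":
    print(size_report())
```

Running it shows why the two encapsulations behave differently at the edge: the dot1q frame grows by exactly 4 bytes to 1522, which most NICs tolerate, while the ISL frame reaches 1548 and is discarded as a giant by anything that does not understand ISL.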
Dynamic Trunking Protocol
Dynamic Trunking Protocol is a proprietary protocol developed by Cisco that is used to make setting up trunks easier. DTP can send and receive trunk negotiation frames to dynamically establish a trunk link between two connected switches. DTP is not necessary to establish a trunk link, and like many other automatic functions, many administrators would rather not use it and instead manually configure their trunk links.
Switch Configuration for Trunking
Before you start configuring a trunk on a switch, it’s essential to understand the five modes of a switch port, described below.
A switch port can be in one of the following modes:
- Off mode – In this mode the port is an Access port and will not trunk, even if the neighbour switch wants to. This mode is intended for connecting single hosts or hubs. DTP frames are not sent or acknowledged. The command syntax for this mode is switchport mode access.
- On mode – In this mode the port will trunk unconditionally, and trunk connectivity will happen if the neighbour switch port is set to Auto, Desirable, or NoNegotiate. DTP frames are sent but not acted upon if received. The command syntax to enable this mode is switchport mode trunk.
- NoNegotiate – Makes the port trunk unconditionally even if the neighbour switch disagrees. A trunk will form only if the neighbour switch port is set to On, Auto, or Desirable mode. DTP frames are not sent or acknowledged. The command to enable this mode is switchport nonegotiate.
- (Dynamic) Desirable – This mode allows the port to negotiate with the neighbour. DTP frames are sent and responded to if received. A trunk will be established if the neighbour is set to On, Desirable, or Auto. If the neighbour is set to NoNegotiate, the trunk will not form because Desirable needs a response from the neighbour, which NoNegotiate will not send. The command to enable this is switchport mode dynamic desirable.
- (Dynamic) Auto – The port trunks only in response to a DTP request to do so. A trunk forms with a neighbour port if it is set to On or Desirable. DTP frames are not sent but are acted upon if received. The command to enable this is switchport mode dynamic auto.
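The pairwise outcomes in the list above are easier to check with a small model than by reading the five entries against each other, so here is an added Python example, written for this page and not code from the article or from Cisco. It encodes each side's decision as the list describes it and then requires both ends to agree, reporting "trunk", "access", or "mismatch" (one end trunking, the other not, so tagged frames flow in one direction only). Where the NoNegotiate entry says a trunk forms with an Auto or Desirable neighbour, this model follows the Desirable entry instead: those neighbours only switch over after a DTP exchange, which a NoNegotiate port never starts, so the pairing is reported as a mismatch. It also lists the interfaces of a constructed sample port table that are still in a negotiating mode, which is the check an administrator who prefers fixed trunk configuration would run; the interface names are made up for the example.

```python
"""DTP trunk negotiation model, added as an illustration (not the article's own code)."""

# The five port modes from the list above, keyed by the IOS command that sets them.
ACCESS = "switchport mode access"                 # Off: never trunks, no DTP
TRUNK = "switchport mode trunk"                   # On: trunks unconditionally, sends DTP
NONEGOTIATE = "switchport nonegotiate"            # trunks unconditionally, sends no DTP
DESIRABLE = "switchport mode dynamic desirable"   # negotiates, sends DTP
AUTO = "switchport mode dynamic auto"             # answers DTP, never initiates

SENDS_DTP = {TRUNK, DESIRABLE}       # modes that originate DTP frames
ANSWERS_DTP = {DESIRABLE, AUTO}      # modes that act on received DTP frames


def side_trunks(mode: str, neighbour_mode: str) -> bool:
    """Does a port in `mode` enter trunking state when its neighbour is in `neighbour_mode`?"""
    if mode == ACCESS:
        return False
    if mode in (TRUNK, NONEGOTIATE):
        return True                           # unconditional, whatever the neighbour does
    if mode == DESIRABLE:
        # Needs a reply to its DTP request: Trunk and Desirable send DTP themselves,
        # Auto answers; NoNegotiate and Access stay silent, so no trunk forms here.
        return neighbour_mode in SENDS_DTP | ANSWERS_DTP
    if mode == AUTO:
        # Only reacts to a request, so the neighbour must originate DTP frames.
        return neighbour_mode in SENDS_DTP
    raise ValueError(f"unknown port mode: {mode!r}")


def link_state(mode_a: str, mode_b: str) -> str:
    """'trunk' when both ends trunk, 'access' when neither does, 'mismatch' otherwise."""
    a = side_trunks(mode_a, mode_b)
    b = side_trunks(mode_b, mode_a)
    if a and b:
        return "trunk"
    if not a and not b:
        return "access"
    return "mismatch"   # one end sends tagged frames the other end does not expect


def negotiating_ports(port_modes: dict) -> list:
    """Interfaces still left in a DTP-negotiating mode; these should be pinned to a fixed mode."""
    return sorted(intf for intf, mode in port_modes.items() if mode in ANSWERS_DTP)


# Constructed sample interface table: the three access ports from the article plus
# two uplinks, one of which has been left in the negotiating Auto mode.
SAMPLE_PORTS = {
    "Fa0/1": ACCESS, "Fa0/4": ACCESS, "Fa0/6": ACCESS,
    "Fa0/23": AUTO, "Gi0/1": TRUNK,
}

if __name__ == "__main__":
    for pair in [(TRUNK, AUTO), (AUTO, AUTO), (DESIRABLE, NONEGOTIATE), (TRUNK, ACCESS)]:
        print(f"{pair[0]!r} <-> {pair[1]!r}: {link_state(*pair)}")
    print("ports still negotiating:", negotiating_ports(SAMPLE_PORTS))
```

Two results are worth noticing: Auto facing Auto never becomes a trunk because neither end sends a request, and On facing Off yields a mismatch rather than a clean failure, which is the state you want your audit to flag before it shows up as one-way connectivity.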
Note that to set the switch port to permanent mode, use this command switchport mode trunk.
To configure a switch port to trunk, set the mode and select a trunking protocol. The command to set the port mode is switchport mode, executed at the interface configuration prompt for the port you want to modify. Remember that to set NoNegotiate mode, the command is switchport nonegotiate. For example, to put a port in Off (access) mode:
2960(config-if)#switchport mode access
To change the trunking protocol you need a different type of switch, because the Catalyst 2960 supports only 802.1Q. We use a 2900 for our example:
2900(config-if)#switchport trunk encapsulation [isl | dot1q]
Stay tuned for more useful articles and tutorials. You can contact Tilted Bits for more inquiries.