CS 348


Scene 1 (0s)

CS 348. Virtual LANs (VLANs).

Scene 2 (6s)

Introduction VLAN. By default, switches break up collision domains and routers break up broadcast domains. How do we break up broadcast domains in a pure switched internetwork? By creating a virtual local area network (VLAN), that’s how. A VLAN is a logical grouping of network users and resources connected to administratively defined ports on a switch. When you create VLANs, you are given the ability to create smaller broadcast domains within a layer 2 switched internetwork by assigning different ports on the switch to different subnetworks.

Scene 3 (29s)

Introduction VLAN. A VLAN is treated like its own subnet or broadcast domain, which means that frames broadcast onto the network are only switched between the ports logically grouped within the same VLAN. So, does this mean we no longer need routers? Maybe yes; maybe no. It really depends on what you want to do. By default, no hosts in a specific VLAN can communicate with any other hosts that are members of another VLAN, so if you want inter-VLAN communication, the answer is yes—you still need a router.

Scene 4 (54s)

VLAN Basics - shortcoming of L2 switched network. As shown in the figure below, layer 2 switched networks are typically designed as flat networks. Every broadcast packet transmitted is seen by every device on the network, regardless of whether the device needs to receive that data. By default, routers allow broadcasts only within the originating network, but switches forward broadcasts to all segments. The reason it’s called a flat network is because it’s one broadcast domain, not because its actual design is physically flat.

Scene 5 (1m 17s)

VLAN Basics - shortcoming of L2 switched network. [Figure: flat layer 2 switched network; Host A sends a broadcast that is forwarded out every port of every switch.]

Scene 6 (1m 25s)

VLAN Basics. In the figure above we see Host A sending a broadcast and all ports on all switches forwarding this broadcast, except the port that originally received it. Now look at the figure below, which pictures a switched network. It shows Host A sending a frame with Host D as its destination, and as you can see, that frame is only forwarded out the port where Host D is located. This is a huge improvement over the old hub networks, unless having one collision domain by default is what you really want.

Scene 7 (1m 48s)

VLAN Basics - shortcoming of L2 switched network. [Figure: switched network; Host A sends a unicast frame to Host D and the switch forwards it only out the port where Host D is located.]

Scene 8 (1m 56s)

VLAN Basics - shortcoming of L2 switched network. Now you already know that the largest benefit gained by having a layer 2 switched network is that it creates an individual collision domain segment for each device plugged into each port on the switch. This scenario frees us from the Ethernet distance constraints, so now larger networks can be built. But with each new advance, we often encounter new issues; the larger the number of users and devices, the more broadcasts and packets each switch must handle!

Scene 9 (2m 18s)

VLAN Basics - shortcoming of L2 switched network. Another one: security! This one’s a real problem because within the typical layer 2 switched internetwork, all users can see all devices by default. And you can’t stop devices from broadcasting, nor users from trying to respond to broadcasts. Your security options are limited to placing passwords on the servers and other devices. But not if you create a virtual LAN (VLAN). You can solve many of the problems associated with layer 2 switching with VLANs.

Scene 10 (2m 39s)

VLAN Basics - advantages. There are several ways that VLANs simplify network management: network adds, moves, and changes are achieved by configuring a port into the appropriate VLAN. A group of users needing high security can be put into a VLAN so that no users outside of the VLAN can communicate with them. As a logical grouping of users by function, VLANs can be considered independent from their physical or geographic locations. VLANs can enhance network security. VLANs increase the number of broadcast domains while decreasing their size.

Scene 11 (3m 3s)

VLAN Basics. So, in summary, the advantages of using a layer 2 switch with VLANs are broadcast control, security, flexibility and scalability.

Scene 12 (3m 12s)

Broadcast Control. Layer 2 switches only read frames for filtering—they don’t look at the Network layer protocol. And by default, switches forward all broadcasts. But if you create and implement VLANs, you’re essentially creating smaller broadcast domains at layer 2. This means that broadcasts sent out from a node in one VLAN won’t be forwarded to ports configured to be in a different VLAN. So by assigning switch ports or users to VLAN groups on a switch or group of connected switches, you gain the flexibility to add only the users you want into that broadcast domain regardless of their physical location.

Scene 13 (3m 39s)

Broadcast Control. When a VLAN gets too big, you can create more VLANs to keep the broadcasts from consuming too much bandwidth—the fewer users in a VLAN, the fewer users affected by broadcasts. This is well and good, but you absolutely need to keep network services in mind and understand how the users connect to these services when you create your VLAN.

Scene 14 (3m 58s)

Flexibility and Scalability. To understand how a VLAN looks to a switch, it’s helpful to begin by first looking at a traditional network. The figure below shows how a network was created by connecting physical LANs, using hubs, to a router. Each node attached to a particular physical network had to match that network number in order to be able to communicate on the internetwork.

Scene 15 (4m 15s)

Flexibility and Scalability. [Figure: one physical LAN per department (Engineering, Shipping, Finance, Sales, Management, Marketing), each built on a hub and connected to a router.]

Scene 16 (4m 21s)

Flexibility and Scalability. Notice that each department had its own LAN, so if you needed to add new users to Sales, for example, you would just plug them into the Sales LAN and they would automatically be part of the Sales collision and broadcast domain. This design really did work well for many years. But there was one major flaw: What happens if the hub for Sales is full and you need to add another user to the Sales LAN? Or, what do we do if there’s no more physical space in the location where the Sales team is located for this new employee? Well, let’s say there just happens to be plenty of room in the Finance section of the building.

Scene 17 (4m 52s)

Flexibility and Scalability. That new Sales team member will just have to sit on the same side of the building as the Finance people. Doing this obviously makes the new user part of the Finance LAN, which is bad for many reasons. First and foremost, we now have a security issue, because this new user is a member of the Finance broadcast domain and can therefore see all the same servers and network services that the Finance folks can. Secondly, for this user to access the Sales network services they need to get the job done, they would need to go through the router to log in to the Sales server—not exactly efficient!

Scene 18 (5m 21s)

Flexibility and Scalability. Now let’s look at what a switch accomplishes. Figure 8.4, below, demonstrates how switches remove the physical boundary to solve our problem: six VLANs (numbered 2 through 7) are used to create a broadcast domain for each department. Each switch port is then administratively assigned a VLAN membership, depending on the host and which broadcast domain it must be in. So now, if I needed to add another user to the Sales VLAN (VLAN 7), I could just assign the port used to VLAN 7, regardless of where the new Sales team member is physically located.

Scene 19 (5m 47s)

Flexibility and Scalability. [Figure 8.4: switch ports across several switches assigned to VLANs 2 through 7 (VLAN2, VLAN3, VLAN4, VLAN5, VLAN6, VLAN7); a router provides inter-VLAN communication and WAN services.]

Scene 20 (6m 6s)

Flexibility and Scalability. In the figure above, each switch port was configured with a VLAN membership by an administrator based on which VLAN the host needed to be a member of; the device’s actual physical location doesn’t matter. The broadcast domain the hosts will become a member of is an administrative choice. Remember that each host must also have the correct IP address information. For example, each host in VLAN 2 must be configured into the 172.16.20.0/24 network. It is also important to remember that, if you plug a host into a switch, you must verify the VLAN membership of that port. If the membership is different than what is needed for that host, the host will not be able to reach the needed network services.

Scene 21 (6m 38s)

Flexibility and Scalability. This illustrates one of the advantages to designing your network with VLANs over the old collapsed backbone design. Now, cleanly and simply, each host that needs to be in the Sales VLAN is merely assigned to VLAN 7. Notice that VLAN number assignment started with VLAN number 2. The number is irrelevant, but you might be wondering: What happened to VLAN 1? That VLAN is an administrative VLAN, and even though it can be used for a workgroup, Cisco recommends that you use this for administrative purposes only. You can’t delete or change the name of VLAN 1, and by default, all ports on a switch are members of VLAN 1 until you change them.

Scene 22 (7m 9s)

VLAN Memberships. VLANs are usually created by an administrator, who then assigns switch ports to each VLAN. Such a VLAN is called a static VLAN. If the administrator wants to do a little more work up front and assign all the host devices’ hardware addresses into a database, the switches can be configured to assign VLANs dynamically whenever a host is plugged into a switch.

Scene 23 (7m 27s)

Static VLANs. Static VLANs are the usual way of creating VLANs, and they’re also the most secure. The switch port that you assign a VLAN association to always maintains that association until an administrator manually changes that port assignment. This type of VLAN configuration is comparatively easy to set up and monitor, and it works well in a network where the movement of users within the network is controlled.

Scene 24 (7m 47s)

Dynamic VLANs. A dynamic VLAN determines a node’s VLAN assignment automatically. Using intelligent management software, you can base VLAN assignments on hardware (MAC) addresses, protocols, or even applications to create dynamic VLANs. For example, suppose MAC addresses have been entered into a centralized VLAN management application. If a node is then attached to an unassigned switch port, the VLAN management database can look up the hardware address and assign and configure the switch port to the correct VLAN. This is very cool—it makes management and configuration easier because if a user moves, the switch will assign them to the correct VLAN automatically.

Scene 25 (8m 14s)

Dynamic VLANs. But you have to do a lot more work initially setting up the database. Cisco administrators can use the VLAN Management Policy Server (VMPS) service to set up a database of MAC addresses that can be used for dynamic addressing of VLANs. A VMPS database maps MAC addresses to VLANs.

Scene 26 (8m 30s)

Identifying VLANs. As frames are switched throughout the network, switches must be able to keep track of all the different types, plus understand what to do with them depending on the hardware address. And remember, frames are handled differently according to the type of link they are traversing. There are two different types of links in a switched environment. Access links: This type of link is only part of one VLAN, and it’s referred to as the native VLAN of the port. Any device attached to an access link is unaware of a VLAN membership; the device just assumes it’s part of a broadcast domain, but it has no understanding of the physical network.

Scene 27 (8m 57s)

Identifying VLANs. Switches remove any VLAN information from the frame before it’s sent to an access-link device. Access-link devices cannot communicate with devices outside their VLAN unless the packet is routed. Trunk links: Trunks can carry multiple VLANs and originally gained their name from the telephone system trunks that carry multiple telephone conversations.

Scene 28 (9m 17s)

A trunk link is a 100- or 1000Mbps point-to-point link between two switches, between a switch and router, or between a switch and server. These carry the traffic of multiple VLANs—from 1 to 1005 at a time. Trunking allows you to make a single port part of multiple VLANs at the same time. This can be a real advantage. For instance, you can actually set things up to have a server in two broadcast domains simultaneously, so that your users won’t have to cross a layer 3 device (router) to log in and access it. Another benefit to trunking is when you’re connecting switches. Trunk links can carry some or all VLAN information across the link, but if the links between your switches aren’t trunked, only VLAN 1 information will be switched across the link by default.
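
To make the access-link and trunk-link behaviour concrete, here is an added example that is not part of the lecture: a small Python model of two switches with VLAN-aware forwarding. The switch names, port names and MAC addresses are constructed, and the model has no spanning tree, so the topology must be loop-free. It shows a VLAN 2 broadcast reaching only the VLAN 2 port on the far switch when the inter-switch link is a trunk, nothing but VLAN 1 crossing a non-trunked link, and a learned unicast leaving exactly one port.

```python
# Added example (not from the CS 348 slides): a toy model of VLAN-aware
# layer 2 forwarding. Switch, port and MAC names are constructed; there is
# no spanning tree, so the topology must be loop-free.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Port:
    name: str
    access_vlan: int = 1          # access port: member of exactly one VLAN (VLAN 1 by default)
    trunk: bool = False           # trunk port: carries tagged frames for every VLAN
    peer: Optional[Tuple["Switch", str]] = None   # far end (switch, port) of a switch-to-switch link


@dataclass
class Switch:
    name: str
    ports: Dict[str, Port] = field(default_factory=dict)
    mac_table: Dict[Tuple[int, str], str] = field(default_factory=dict)  # (vlan, mac) -> port name
    delivered: List[Tuple[str, int, str]] = field(default_factory=list)  # (port, vlan, dst) handed to a host

    def add_port(self, name: str, vlan: int = 1, trunk: bool = False) -> "Switch":
        self.ports[name] = Port(name, vlan, trunk)
        return self

    def receive(self, in_port: str, src: str, dst: str, tag: Optional[int] = None) -> None:
        port = self.ports[in_port]
        # Classify the frame into a VLAN: an access port implies its own VLAN; a trunk
        # reads the tag, and an untagged frame on a trunk belongs to the native VLAN (1).
        vlan = (tag if tag is not None else 1) if port.trunk else port.access_vlan
        self.mac_table[(vlan, src)] = in_port       # learn the source address per VLAN
        known = self.mac_table.get((vlan, dst))
        if dst != BROADCAST and known is not None:
            targets = [known] if known != in_port else []   # known unicast: one port only
        else:
            # Broadcast or unknown unicast: flood, but only inside this VLAN's broadcast domain.
            targets = [p.name for p in self.ports.values()
                       if p.name != in_port and (p.trunk or p.access_vlan == vlan)]
        for out in targets:
            self._send(out, vlan, src, dst)

    def _send(self, out: str, vlan: int, src: str, dst: str) -> None:
        port = self.ports[out]
        if port.peer is None:
            self.delivered.append((out, vlan, dst))   # host-facing port: frame leaves untagged
            return
        peer_switch, peer_port = port.peer
        # Only a trunk preserves the VLAN ID across the link. An access link sends the
        # frame untagged and the far side classifies it into that port's own VLAN.
        peer_switch.receive(peer_port, src, dst, tag=vlan if port.trunk else None)


def link(a: Switch, pa: str, b: Switch, pb: str) -> None:
    a.ports[pa].peer = (b, pb)
    b.ports[pb].peer = (a, pa)


def build_fabric(trunked: bool) -> Tuple[Switch, Switch]:
    """Two switches, each with a host port in VLAN 2, VLAN 3 and VLAN 1, joined on fa0/24."""
    switches = []
    for name in ("SW1", "SW2"):
        sw = (Switch(name).add_port("fa0/1", vlan=2).add_port("fa0/2", vlan=3)
              .add_port("fa0/3", vlan=1).add_port("fa0/24", vlan=1, trunk=trunked))
        switches.append(sw)
    link(switches[0], "fa0/24", switches[1], "fa0/24")
    return switches[0], switches[1]


def broadcast_reach(trunked: bool, src_port: str) -> List[Tuple[str, str, int]]:
    """Host ports that receive a broadcast sent into src_port of SW1."""
    sw1, sw2 = build_fabric(trunked)
    sw1.receive(src_port, "aa:aa:aa:00:00:01", BROADCAST)
    return ([("SW1", p, v) for p, v, _ in sw1.delivered]
            + [("SW2", p, v) for p, v, _ in sw2.delivered])


def unicast_after_learning() -> Tuple[list, list]:
    """Host A (VLAN 2, SW1) broadcasts; Host B (VLAN 2, SW2) replies with a unicast."""
    sw1, sw2 = build_fabric(trunked=True)
    sw1.receive("fa0/1", "aa:aa:aa:00:00:01", BROADCAST)
    sw2.receive("fa0/1", "bb:bb:bb:00:00:02", "aa:aa:aa:00:00:01")
    return sw1.delivered, sw2.delivered


if __name__ == "__main__":
    print("trunk, VLAN 2 broadcast:", broadcast_reach(True, "fa0/1"))
    print("no trunk, VLAN 2 broadcast:", broadcast_reach(False, "fa0/1"))
    print("no trunk, VLAN 1 broadcast:", broadcast_reach(False, "fa0/3"))
    print("unicast after learning:", unicast_after_learning())
```

The flood rule in `receive` is the whole point: a port is a candidate only if it is a trunk or its access VLAN matches the frame's VLAN, which is exactly why a non-trunked inter-switch port (an access port in VLAN 1) carries VLAN 1 and nothing else.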

Scene 29 (9m 50s)

[Figure: Red, Blue and Green VLANs spanning several switches over a trunk link. VLANs can span across multiple switches by using trunk links, which carry traffic for multiple VLANs.]

Scene 30 (10m 1s)

Frame Tagging. As mentioned, you can create your VLANs to span more than one connected switch. In the figure above, hosts from various VLANs are spread across many switches. This flexible, power-packed capability is probably the main advantage to implementing VLANs. So there needs to be a way for each one to keep track of all the users and frames as they travel the switch fabric and VLANs. (Remember, a switch fabric is basically a group of switches sharing the same VLAN information.) This is where frame tagging comes in. This frame identification method uniquely assigns a user-defined ID to each frame. Sometimes people refer to it as a “VLAN ID” or “color.”

Scene 31 (10m 30s)

Frame Tagging. Each switch that the frame reaches must first identify the VLAN ID from the frame tag, then it finds out what to do with the frame by looking at the information in the filter table. If the frame reaches a switch that has another trunked link, the frame will be forwarded out the trunk-link port. Once the frame reaches an exit to an access link matching the frame’s VLAN ID, the switch removes the VLAN identifier. This is so the destination device can receive the frames without having to understand their VLAN identification.

Scene 32 (10m 56s)

VLAN Identification Methods. VLAN identification is what switches use to keep track of all those frames as they’re traversing a switch fabric. It’s how switches identify which frames belong to which VLANs, and there’s more than one trunking method. Inter-Switch Link (ISL): This is proprietary to Cisco switches, and it’s used for Fast Ethernet and Gigabit Ethernet links only. ISL routing can be used on a switch port, router interfaces, and server interface cards to trunk a server. A trunked server is part of all VLANs (broadcast domains) simultaneously, so users don’t have to cross a layer 3 device to access it.

Scene 33 (11m 23s)

IEEE 802.1Q. Created by the IEEE as a standard method of frame tagging, it actually inserts a field into the frame to identify the VLAN. If you’re trunking between a Cisco switched link and a different brand of switch, you have to use 802.1Q for the trunk to work. It works like this: You must designate each 802.1Q port to be associated with a specific VLAN ID. The ports that populate the same trunk create a group that’s known as a native VLAN, and each port gets tagged with an identification number that reflects its native VLAN, the default being VLAN 1.
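
An added example, not code from the lecture or from any switch vendor, showing what the frame tagging described in the last few slides looks like on the wire with 802.1Q: the 4-byte tag is inserted between the source MAC and the original EtherType, the TCI is decoded into its PCP, DEI and VID fields, and the tag is stripped again the way a switch does before forwarding out an access port. The host addresses and payload are constructed. The rule that a trunk sends its native VLAN untagged follows the IEEE 802.1Q standard rather than anything stated in the lecture.

```python
# Added example (not from the CS 348 slides): building, parsing and stripping
# an IEEE 802.1Q VLAN tag. MAC addresses and the payload are constructed.
import struct
from typing import Optional

TPID_8021Q = 0x8100       # EtherType value that marks a tagged frame
ETHERTYPE_IPV4 = 0x0800


def _mac_to_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def _bytes_to_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_untagged(dst: str, src: str, ethertype: int, payload: bytes) -> bytes:
    """Ordinary Ethernet II frame as a host on an access link emits it (no FCS here)."""
    return _mac_to_bytes(dst) + _mac_to_bytes(src) + struct.pack("!H", ethertype) + payload


def insert_tag(frame: bytes, vid: int, pcp: int = 0, dei: int = 0) -> bytes:
    """Insert the 4-byte 802.1Q tag after the source MAC: TPID 0x8100, then the TCI,
    whose layout is PCP (3 bits) | DEI (1 bit) | VID (12 bits). VID 0 and 4095 are
    reserved by the standard, so a VLAN usable for forwarding is 1..4094."""
    if not 1 <= vid <= 4094:
        raise ValueError(f"VLAN ID {vid} is not usable (1..4094)")
    if not 0 <= pcp <= 7 or dei not in (0, 1):
        raise ValueError("PCP must be 0..7 and DEI 0 or 1")
    tci = (pcp << 13) | (dei << 12) | vid
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def strip_tag(frame: bytes) -> bytes:
    """Remove the tag if present: what a switch does before sending out an access port."""
    if len(frame) >= 18 and struct.unpack("!H", frame[12:14])[0] == TPID_8021Q:
        return frame[:12] + frame[16:]
    return frame


def parse(frame: bytes) -> dict:
    """Decode the header; 'vid' and 'pcp' are None for an untagged frame."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src = _bytes_to_mac(frame[:6]), _bytes_to_mac(frame[6:12])
    ethertype = struct.unpack("!H", frame[12:14])[0]
    vid = pcp = None
    body = 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vid, pcp, body = tci & 0x0FFF, tci >> 13, 18
    return {"dst": dst, "src": src, "vid": vid, "pcp": pcp,
            "ethertype": ethertype, "payload": frame[body:]}


def trunk_egress(frame_vid: int, untagged_frame: bytes, native_vid: int = 1) -> bytes:
    """Send a frame out a trunk: tagged with its VLAN, except the trunk's native VLAN,
    which 802.1Q sends untagged."""
    return untagged_frame if frame_vid == native_vid else insert_tag(untagged_frame, frame_vid)


def access_egress(frame: bytes, port_vid: int, native_vid: int = 1) -> Optional[bytes]:
    """Forward a frame received from a trunk to an access port in port_vid: strip the tag
    when the VLAN matches, otherwise do not forward (None)."""
    vid = parse(frame)["vid"]
    vid = native_vid if vid is None else vid
    return strip_tag(frame) if vid == port_vid else None


# Constructed sample: Host A (VLAN 7, Sales) sends an IPv4 frame to Host D across a trunk.
HOST_A, HOST_D = "aa:aa:aa:00:00:01", "dd:dd:dd:00:00:04"
SAMPLE = build_untagged(HOST_D, HOST_A, ETHERTYPE_IPV4, b"\x45\x00" + b"\x00" * 18)

if __name__ == "__main__":
    tagged = trunk_egress(7, SAMPLE)
    print("tag + EtherType on the wire:", tagged[12:18].hex())     # 810000070800
    print("VLAN seen by the next switch:", parse(tagged)["vid"])
    print("delivered to VLAN 7 access port:", access_egress(tagged, 7) == SAMPLE)
    print("delivered to VLAN 2 access port:", access_egress(tagged, 2))
```

Because the tag sits after the source MAC, a host on an access link that receives the stripped frame sees a plain Ethernet II frame, which is why it "has no understanding" of VLANs, as the previous slides put it.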

Scene 34 (11m 50s)

VLAN Trunking Protocol (VTP). Cisco created this one too, but this time it isn’t proprietary. The basic goals of VLAN Trunking Protocol (VTP) are to manage all configured VLANs across a switched internetwork and to maintain consistency throughout that network. VTP allows an administrator to add, delete, and rename VLANs; that information is then propagated to all other switches in the VTP domain. Here’s a list of some of the benefits VTP has to offer: consistent VLAN configuration across all switches in the network; VLAN trunking over mixed networks, such as Ethernet to ATM LANE or even FDDI;

Scene 35 (12m 17s)

VLAN Trunking Protocol (VTP). accurate tracking and monitoring of VLANs; dynamic reporting of added VLANs to all switches in the VTP domain; plug-and-play VLAN adding. Before you can get VTP to manage your VLANs across the network, you have to create a VTP server. All servers that need to share VLAN information must use the same domain name, and a switch can be in only one domain at a time. So this means that a switch can only share VTP domain information with other switches if they’re configured into the same VTP domain.

Scene 36 (12m 41s)

VLAN Trunking Protocol (VTP). You can use a VTP domain if you have more than one switch connected in a network, but if you’ve got all your switches in only one VLAN, you don’t need to use VTP. VTP information is sent between switches via a trunk port. Switches advertise VTP-management domain information, as well as a configuration revision number and all known VLANs with any specific parameters. And there’s also something called VTP transparent mode. In it, you can configure switches to forward VTP information through trunk ports, but not to accept information updates or update their VTP databases.

Scene 37 (13m 7s)

VLAN Trunking Protocol (VTP). Switches detect the additional VLANs within a VTP advertisement and then prepare to receive information on their trunk ports with the newly defined VLAN in tow. Each update is sent out with a revision number one higher than the previous one. Any time a switch sees a higher revision number, it knows the information that it’s receiving is more current, and it will overwrite the current database with that new information.

Scene 38 (13m 26s)

VTP Modes of Operation. There are three different modes of operation within a VTP domain. Server: This is the default for all Catalyst switches. You need at least one server in your VTP domain to propagate VLAN information throughout the domain. The switch must be in server mode to be able to create, add, or delete VLANs in a VTP domain. Changing VTP information must also be done in server mode, and any change made to a switch in server mode will be advertised to the entire VTP domain.

Scene 39 (13m 50s)

VTP Modes of Operation. Client: In client mode, switches receive information from VTP servers, and they also send and receive updates. But they can’t make any changes. Plus, none of the ports on a client switch can be added to a new VLAN before the VTP server notifies the client switch of the new VLAN. It’s also good to know that VLAN information sent from a VTP server is not stored in NVRAM. This means that if the switch is reset or reloaded, the VLAN information will be deleted. Here’s a hint: If you want a switch to become a server, first make it a client so it receives all the correct VLAN information, then change it to a server.

Scene 40 (14m 20s)

VTP Modes of Operation. Transparent: Switches in transparent mode don’t participate in the VTP domain, but they’ll still forward VTP advertisements through any configured trunk links. These switches can’t add and delete VLANs for the domain because they keep their own database, which they do not share with other switches. Despite being kept in NVRAM, the VLAN database in transparent mode is really considered locally significant only. The purpose of transparent mode is to allow remote switches to receive the VLAN database from a VTP server configured switch through a switch that is not participating in the same VLAN assignments.

Scene 41 (14m 45s)

VTP Pruning. VTP provides a way for you to preserve bandwidth by configuring it to reduce the amount of broadcasts, multicasts, and unicast packets. This is called pruning. VTP pruning only sends broadcasts to trunk links that truly must have the information. Here’s an example: If Switch A doesn’t have any ports configured for VLAN 5, and a broadcast is sent throughout VLAN 5, that broadcast would not traverse the trunk link to Switch A. By default, VTP pruning is disabled on all switches. When you enable pruning on a VTP server, you enable it for the entire domain. By default, VLANs 2 through 1005 are pruning-eligible, but VLAN 1 can never prune because it’s an administrative VLAN.
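
To tie the VTP modes, the revision-number rule and pruning together, here is an added Python model that is not from the lecture. The switch names, VLAN names and the domain name CS348 are constructed. It builds a server, two clients and a transparent relay, computes which VLANs pruning leaves on each trunk (Switch A has no VLAN 5 ports, so VLAN 5 is pruned from its trunk while VLAN 1 never is), and shows why the hint about making a switch a client first matters: applying the rule that a higher revision number always overwrites, a switch trunked in with a stale database and a higher revision replaces the VLAN list on every switch in the domain.

```python
# Added example (not from the CS 348 slides): a model of VTP server/client/
# transparent behaviour, the revision-number rule and VTP pruning. Switch
# names, VLAN names and the domain name "CS348" are constructed.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

PRUNE_ELIGIBLE = range(2, 1006)   # VLANs 2..1005 may be pruned; VLAN 1 never is


@dataclass
class Advertisement:
    domain: str
    revision: int
    vlans: Dict[int, str]         # VLAN id -> name


@dataclass
class VtpSwitch:
    name: str
    mode: str                     # "server", "client" or "transparent"
    domain: str
    revision: int = 0
    vlans: Dict[int, str] = field(default_factory=lambda: {1: "default"})
    trunks: List["VtpSwitch"] = field(default_factory=list)
    access_vlans: Set[int] = field(default_factory=set)   # VLANs that have local access ports

    def configure_vlan(self, vid: int, name: str) -> None:
        """Add or rename a VLAN. A client may not; a transparent switch changes only its own
        database; a server bumps the revision and advertises the new database."""
        if self.mode == "client":
            raise PermissionError(f"{self.name}: VLAN changes are not allowed in client mode")
        self.vlans[vid] = name
        if self.mode == "server":
            self.revision += 1
            self.announce()

    def announce(self) -> None:
        """Send own database over every trunk (transparent switches relay but never originate)."""
        if self.mode != "transparent":
            self._relay(Advertisement(self.domain, self.revision, dict(self.vlans)), origin=None)

    def _relay(self, adv: Advertisement, origin: Optional["VtpSwitch"]) -> None:
        for peer in self.trunks:
            if peer is not origin:
                peer.receive(adv, self)

    def receive(self, adv: Advertisement, from_peer: "VtpSwitch") -> None:
        if adv.domain != self.domain:
            return                                  # another VTP domain: ignored
        if self.mode == "transparent":
            self._relay(adv, origin=from_peer)      # pass it on, keep own database
        elif adv.revision > self.revision:          # a higher revision always wins
            self.vlans, self.revision = dict(adv.vlans), adv.revision
            self._relay(adv, origin=from_peer)


def trunk(a: VtpSwitch, b: VtpSwitch) -> None:
    a.trunks.append(b)
    b.trunks.append(a)


def vlans_needed_beyond(sw: VtpSwitch, back: VtpSwitch) -> Set[int]:
    """VLANs with access ports on sw or on any switch behind it (not looking back through 'back')."""
    need = set(sw.access_vlans)
    for peer in sw.trunks:
        if peer is not back:
            need |= vlans_needed_beyond(peer, sw)
    return need


def flooded_vlans_on_trunk(sw: VtpSwitch, peer: VtpSwitch, pruning: bool) -> Set[int]:
    """VLANs whose broadcasts sw forwards across its trunk to peer. With pruning on, an
    eligible VLAN crosses only if some switch beyond peer actually has a port in it."""
    if not pruning:
        return set(sw.vlans)
    need = vlans_needed_beyond(peer, back=sw)
    return {v for v in sw.vlans if v not in PRUNE_ELIGIBLE or v in need}


def build_domain() -> Tuple[VtpSwitch, VtpSwitch, VtpSwitch, VtpSwitch]:
    """Server trunked to client SW-A (VLAN 2 ports only) and, through a transparent relay,
    to client SW-B (VLAN 5 ports only)."""
    server = VtpSwitch("SW-Core", "server", "CS348", access_vlans={2, 5})
    switch_a = VtpSwitch("SW-A", "client", "CS348", access_vlans={2})
    relay = VtpSwitch("SW-Relay", "transparent", "CS348")
    switch_b = VtpSwitch("SW-B", "client", "CS348", access_vlans={5})
    trunk(server, switch_a)
    trunk(server, relay)
    trunk(relay, switch_b)
    server.configure_vlan(2, "Sales")
    server.configure_vlan(5, "Engineering")
    return server, switch_a, relay, switch_b


def stale_switch_joins(client_first: bool) -> Tuple[Dict[int, str], Dict[int, str]]:
    """A switch with an old database but a higher revision is trunked into the domain.
    With client_first=False its revision 50 beats the domain's and every switch adopts the
    stale VLAN list; with client_first=True it joins as a client with its revision cleared,
    learns the domain's database, and only then becomes a server (the lecture's hint)."""
    server, switch_a, relay, switch_b = build_domain()
    stale = VtpSwitch("SW-Stale", "server", "CS348", revision=50,
                      vlans={1: "default", 9: "old-lab"})
    if client_first:
        stale.mode, stale.revision = "client", 0
    trunk(stale, server)
    stale.announce()
    server.announce()
    stale.mode = "server"
    return server.vlans, stale.vlans
```

In the model `receive` never looks at who sent the advertisement, only at its revision number, which is exactly the behaviour the slide describes; the "client first" step works because it puts the joining switch in a state where it can only lose that comparison.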

Scene 42 (15m 16s)

Routing between VLANs. Hosts in a VLAN live in their own broadcast domain and can communicate freely. VLANs create network partitioning and traffic separation at layer 2 of the OSI model; if you want hosts or any other IP-addressable device to communicate between VLANs, a layer 3 device is absolutely necessary. For this, you can use a router that has an interface for each VLAN or a router that supports ISL routing. As shown in the figure below, if you had only a few VLANs (two or three), you could get a router with two or three 10BaseT or Fast Ethernet connections. Each router interface is plugged into an access link. This means that each router interface’s IP address would then become the default gateway address for each host in that VLAN.

Scene 43 (15m 49s)

Routing between VLANs. [Figure: Router connecting three VLANs together for inter-VLAN communication, one interface for each VLAN.]

Scene 44 (15m 57s)

Routing between VLANs. If you have more VLANs available than router interfaces, instead of using a router interface for each VLAN, you use one Fast Ethernet interface and run ISL or 802.1Q trunking. The figure below shows how a Fast Ethernet interface on a router will look when configured with ISL or 802.1Q trunking. This allows all VLANs to communicate through one interface. Cisco calls this a “router on a stick.”

Scene 45 (16m 17s)

Routing between VLANs. [Figure: Router connecting all VLANs together, allowing inter-VLAN communication using only one router interface (router on a stick).]
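
An added example (not from the lecture) that models the router-on-a-stick design in Python: one trunk interface with a dot1Q subinterface per VLAN, the per-VLAN default gateway, demultiplexing of tagged frames by VLAN ID, and the IOS-style configuration those subinterfaces correspond to. VLAN 2 uses 172.16.20.0/24 as in the lecture; the other VLAN-to-subnet assignments and the interface names are constructed. The check that a source address belongs to its ingress VLAN's subnet is an addition of this example, not something the lecture describes.

```python
# Added example (not from the CS 348 slides): a model of a "router on a stick",
# one 802.1Q subinterface per VLAN on a single trunk interface, plus the IOS
# configuration that corresponds to it. VLAN-to-subnet assignments are
# constructed, except VLAN 2 = 172.16.20.0/24, which the lecture uses.
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Subinterface:
    name: str                         # e.g. "FastEthernet0/0.2"
    vlan: int                         # 802.1Q VLAN ID carried on this subinterface
    address: ipaddress.IPv4Interface  # router's address in that VLAN: the hosts' default gateway


class RouterOnAStick:
    def __init__(self, physical: str, subinterfaces: List[Subinterface]) -> None:
        self.physical = physical
        self.by_vlan: Dict[int, Subinterface] = {s.vlan: s for s in subinterfaces}

    def gateway_for_vlan(self, vlan: int) -> Optional[str]:
        sub = self.by_vlan.get(vlan)
        return None if sub is None else str(sub.address.ip)

    def route(self, in_vlan: int, src_ip: str, dst_ip: str) -> Tuple[str, Optional[int]]:
        """A tagged frame arrives on the trunk. Demultiplex it by VLAN ID, check that the
        source belongs to that VLAN's subnet (a sanity check added here, not in the lecture),
        then pick the egress subinterface by destination subnet. Returns (action, out_vlan)."""
        sub_in = self.by_vlan.get(in_vlan)
        if sub_in is None:
            return "drop: no subinterface for this VLAN", None
        src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
        if src not in sub_in.address.network:
            return "drop: source address does not belong to the ingress VLAN's subnet", None
        for sub in self.by_vlan.values():
            if dst in sub.address.network:
                if sub is sub_in:
                    return "same VLAN: switched directly, the router is not needed", in_vlan
                return f"forward out {sub.name}, tagged VLAN {sub.vlan}", sub.vlan
        return "drop: no connected subnet for destination", None

    def ios_config(self) -> str:
        """IOS-style configuration for the trunk interface and its dot1Q subinterfaces."""
        lines = [f"interface {self.physical}", " no ip address", " no shutdown", "!"]
        for sub in sorted(self.by_vlan.values(), key=lambda s: s.vlan):
            lines += [f"interface {sub.name}",
                      f" encapsulation dot1Q {sub.vlan}",
                      f" ip address {sub.address.ip} {sub.address.network.netmask}",
                      "!"]
        return "\n".join(lines)


# Constructed router: VLAN 2 as in the lecture, VLAN 3 and VLAN 7 (Sales) invented here.
ROUTER = RouterOnAStick("FastEthernet0/0", [
    Subinterface("FastEthernet0/0.2", 2, ipaddress.IPv4Interface("172.16.20.1/24")),
    Subinterface("FastEthernet0/0.3", 3, ipaddress.IPv4Interface("172.16.30.1/24")),
    Subinterface("FastEthernet0/0.7", 7, ipaddress.IPv4Interface("172.16.70.1/24")),
])

if __name__ == "__main__":
    print(ROUTER.ios_config())
    print(ROUTER.route(2, "172.16.20.10", "172.16.70.10"))   # VLAN 2 host -> Sales host
    print(ROUTER.route(2, "172.16.20.10", "172.16.20.20"))   # same VLAN, no routing needed
    print(ROUTER.route(9, "10.0.9.1", "172.16.20.10"))       # VLAN with no subinterface
```

Each subinterface address is what the hosts in that VLAN use as their default gateway, which is the same role the per-VLAN physical interfaces play in the three-interface design above; the difference is only that all of them share one trunk.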