VLANs

The document discusses virtual local area networks (VLANs) which are logical groupings of network users and resources that allow for broadcast domains to be broken up within a layer 2 switched network. VLANs provide benefits like broadcast control, security, and flexibility to add or move users regardless of physical location.


IS 081

Virtual LANs
(VLANs)
Introduction VLAN
■ By default, switches break up collision domains and routers break
up broadcast domains.
■ How do we break up broadcast domains in a pure switched
internetwork? By creating a virtual local area network (VLAN),
that’s how.
■ A VLAN is a logical grouping of network users and resources
connected to administratively defined ports on a switch. When
you create VLANs, you are given the ability to create smaller
broadcast domains within a layer 2 switched internetwork by
assigning different ports on the switch to different subnetworks.
Introduction VLAN
■ A VLAN is treated like its own subnet or broadcast domain,
which means that frames broadcast onto the network are only
switched between the ports logically grouped within the same
VLAN.
■ So, does this mean we no longer need routers? Maybe yes; maybe no. It really depends on what you want to do. By default, no hosts in a specific VLAN can communicate with any other hosts that are members of another VLAN, so if you want inter-VLAN communication, the answer is yes—you still need a router.
VLAN Basics - shortcomings of an L2 switched network
■ As shown in Figure below, layer 2 switched networks are
typically designed as flat networks. Every broadcast packet
transmitted is seen by every device on the network, regardless of
whether the device needs to receive that data.
■ By default, routers allow broadcasts only within the originating
network, but switches forward broadcasts to all segments. The
reason it’s called a flat network is because it’s one broadcast
domain, not because its actual design is physically flat.
VLAN Basics - shortcomings of an L2 switched network
■ Another one—security! This one’s a real problem because
within the typical layer 2 switched internetwork, all users can
see all devices by default. And you can’t stop devices from
broadcasting, nor users from trying to respond to broadcasts.
Your security options are limited to placing passwords on the
servers and other devices.
■ But not if you create a virtual LAN (VLAN). You can solve many of the problems associated with layer 2 switching with VLANs.
VLAN Basics-advantages
■ There are several ways that VLANs simplify network management:
■ Network adds, moves, and changes are achieved by configuring a port
into the appropriate VLAN.
■ A group of users needing high security can be put into a VLAN so that
no users outside of the VLAN can communicate with them.
■ As a logical grouping of users by function, VLANs can be considered
independent from their physical or geographic locations.
■ VLANs can enhance network security.
■ VLANs increase the number of broadcast domains while decreasing their
size.
VLAN Basics
■ So, in summary, the advantages of using a layer 2 switch with VLANs are:
■ Broadcast Control
■ Security
■ Flexibility and Scalability
Flexibility and Scalability
■ Layer 2 switches only read frames for filtering—they don’t look at the Network layer protocol. And by default, switches forward all broadcasts. But if you create and implement VLANs, you’re essentially creating smaller broadcast domains at layer 2.
■ This means that broadcasts sent out from a node in one VLAN won’t be forwarded to ports configured to be in a different VLAN. So by assigning switch ports or users to VLAN groups on a switch or group of connected switches, you gain the flexibility to add only the users you want into that broadcast domain regardless of their physical location.
Flexibility and Scalability
■ Another advantage is that when a VLAN gets too big, you can create more VLANs to keep the broadcasts from consuming too much bandwidth—the fewer users in a VLAN, the fewer users affected by broadcasts. This is well and good, but you absolutely need to keep network services in mind and understand how the users connect to these services when you create your VLAN.
■ To understand how a VLAN looks to a switch, it’s helpful to begin by first looking at a traditional network. Figure below shows how a network was created by connecting physical LANs using hubs to a router.
Flexibility and Scalability
■ Each node attached to a particular physical network had to match that
network number in order to be able to communicate on the
internetwork. Notice that each department had its own LAN, so if you
needed to add new users to Sales, for example, you would just plug
them into the Sales LAN and they would automatically be part of the
Sales collision and broadcast domain. This design really did work well
for many years.
■ But there was one major flaw: What happens if the hub for Sales is
full and you need to add another user to the Sales LAN? Or, what do
we do if there’s no more physical space in the location where the
Sales team is located for this new employee? Well, let’s say there just
happens to be plenty of room in the Finance section of the building.
Flexibility and Scalability
■ That new Sales team member will just have to sit on the
same side of the building as the Finance people.
■ Doing this obviously makes the new user part of the
Finance LAN, which is bad for many reasons. First and
foremost, we now have a security issue, because this new
user is a member of the Finance broadcast domain and can
therefore see all the same servers and network services that
the Finance folks can. Secondly, for this user to access the
Sales network services they need to get the job done, they
would need to go through the router to log in to the Sales
server—not exactly efficient!
Flexibility and Scalability
■ Now let’s look at what a switch accomplishes. Figure 8.4 demonstrates how switches remove the physical boundary to solve our problem. Figure below shows how six VLANs (numbered 2 through 7) were used to create a broadcast domain for each department. Each switch port is then administratively assigned a VLAN membership depending on the host and which broadcast domain it must be in.
■ So now, if I needed to add another user to the Sales VLAN
(VLAN 7), I could just assign the port used to VLAN 7,
regardless of where the new Sales team member is physically
located.
Flexibility and Scalability
■ This illustrates one of the advantages to designing your network
with VLANs over the old collapsed backbone design. Now,
cleanly and simply, each host that needs to be in the Sales VLAN
is merely assigned to VLAN 7.
■ Notice that VLAN numbers assignment started with VLAN
number 2. The number is irrelevant, but you might be wondering:
What happened to VLAN 1? That VLAN is an administrative
VLAN, and even though it can be used for a workgroup, Cisco
recommends that you use this for administrative purposes only.
You can’t delete or change the name of VLAN 1, and by default,
all ports on a switch are members of VLAN 1 until you change
them.
VLAN Memberships
■ VLANs are usually created by an administrator, who then
assigns switch ports to each VLAN. Such a VLAN is called a
static VLAN . If the administrator wants to do a little more work
up front and assign all the host devices’ hardware addresses into
a database, the switches can be configured to assign VLANs
dynamically whenever a host is plugged into a switch.
Static VLANs
■ Static VLANs are the usual way of creating VLANs, and they’re
also the most secure. The switch port that you assign a VLAN
association to always maintains that association until an
administrator manually changes that port assignment.
■ This type of VLAN configuration is comparatively easy to set up
and monitor, and it works well in a network where the movement
of users within the network is controlled. And although it can be
helpful to use network management software to configure the
ports, it’s not mandatory.
Dynamic VLANs
■ A dynamic VLAN determines a node’s VLAN assignment
automatically. Using intelligent management software, you can
base VLAN assignments on hardware (MAC) addresses,
protocols, or even applications to create dynamic VLANs.
■ For example, suppose MAC addresses have been entered into a centralized VLAN management application. If a node is then attached to an unassigned switch port, the VLAN management database can look up the hardware address and assign and configure the switch port to the correct VLAN. This is very cool—it makes management and configuration easier because if a user moves, the switch will assign them to the correct VLAN automatically. But you have to do a lot more work initially setting up the database.
■ Cisco administrators can use the VLAN Management
Policy Server (VMPS) service to set up a database of MAC
addresses that can be used for dynamic addressing of
VLANs. A VMPS database maps MAC addresses to
VLANs.
Identifying VLANs
■ As frames are switched throughout the network, switches must be
able to keep track of all the different types, plus understand what to
do with them depending on the hardware address. And remember,
frames are handled differently according to the type of link they are
traversing.
■ There are two different types of links in a switched environment.

Access links
■ This type of link is only part of one VLAN, and it’s referred to as the native VLAN of the port. Any device attached to an access link is unaware of a VLAN membership; the device just assumes it’s part of a broadcast domain, but it has no understanding of the physical network.
■ Switches remove any VLAN information from the frame before
it’s sent to an access-link device. Access-link devices cannot
communicate with devices outside their VLAN unless the packet
is routed.

Trunk links
■ Trunks can carry multiple VLANs and originally gained their name after the telephone system trunks that carry multiple telephone conversations.
■ A trunk link is a 100- or 1000Mbps point-to-point link between two
switches, between a switch and router, or between a switch and
server. These carry the traffic of multiple VLANs—from 1 to 1005
at a time. Trunking allows you to make a single port part of
multiple VLANs at the same time. This can be a real advantage.
Another benefit to trunking is when you’re connecting switches.
Trunk links can carry some or all VLAN information across the
link, but if the links between your switches aren’t trunked, only
VLAN 1 information will be switched across the link by default.
Frame Tagging
■ As mentioned, you can create your VLANs to span more than
one connected switch. In Figure above hosts from various
VLANs are spread across many switches. This flexible,
power-packed capability is probably the main advantage to
implementing VLANs.
■ So there needs to be a way for each one to keep track of all the
users and frames as they travel the switch fabric and VLANs.
(Remember, a switch fabric is basically a group of switches
sharing the same VLAN information.) This is where frame
tagging comes in. This frame identification method uniquely
assigns a user-defined ID to each frame. Sometimes people refer
to it as a “VLAN ID” or “color.”
Frame Tagging
■ Each switch that the frame reaches must first identify the VLAN
ID from the frame tag, then it finds out what to do with the frame
by looking at the information in the filter table. If the frame
reaches a switch that has another trunked link, the frame will be
forwarded out the trunk-link port.
■ Once the frame reaches an exit to an access link matching the frame’s VLAN ID, the switch removes the VLAN identifier. This is so the destination device can receive the frames without having to understand their VLAN identification.
VLAN Identification Methods
■ VLAN identification is what switches use to keep track of all
those frames as they’re traversing a switch fabric. It’s how
switches identify which frames belong to which VLANs, and
there’s more than one trunking method:

Inter-Switch Link (ISL)
■ This is proprietary to Cisco switches, and it’s used for Fast Ethernet and Gigabit Ethernet links only. ISL routing can be used on a switch port, router interfaces, and server interface cards to trunk a server.
IEEE 802.1Q
■ Created by the IEEE as a standard method of frame tagging, it
actually inserts a field into the frame to identify the VLAN. If
you’re trunking between a Cisco switched link and a different
brand of switch, you have to use 802.1Q for the trunk to work.
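The access-link, trunk-link and frame-tagging behaviour described in the preceding slides, worked through as an added Python example (this is not code from the slides or from any Cisco product). It builds an untagged Ethernet II frame, inserts and strips the 4-byte 802.1Q tag (TPID 0x8100 followed by the TCI whose low 12 bits are the VLAN ID), and models a single switch with three access ports and one trunk. Port numbers (f0/2, f0/3, f0/4, f0/12) and VLAN numbers 2 and 3 are taken from the slides; the MAC addresses, the ARP-like payload and the switch model are constructed for this example. Two modelling choices are assumptions, not Cisco behaviour: a tagged frame arriving on an access port is dropped, and a trunk carries every VLAN unless an `allowed` set is given. The model also shows what the slides state about the native VLAN, namely that a frame leaving a trunk in the native VLAN (VLAN 1 here) goes out untagged, and an untagged frame arriving on the trunk is treated as native-VLAN traffic.

```python
import struct

TPID_8021Q = 0x8100                      # 802.1Q tag protocol identifier
BROADCAST = bytes.fromhex("ffffffffffff")


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    """Untagged Ethernet II frame, as a host on an access link sends it."""
    return dst + src + struct.pack("!H", ethertype) + payload


def tag_frame(frame: bytes, vlan_id: int, priority: int = 0) -> bytes:
    """Insert the 4-byte 802.1Q tag (TPID + TCI) after the source MAC."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be 1..4094")
    tci = (priority << 13) | vlan_id     # 3-bit PCP, 1-bit DEI (0), 12-bit VID
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def untag_frame(frame: bytes):
    """Return (vlan_id, frame without tag); vlan_id is None for an untagged frame."""
    if len(frame) >= 16 and struct.unpack("!H", frame[12:14])[0] == TPID_8021Q:
        tci = struct.unpack("!H", frame[14:16])[0]
        return tci & 0x0FFF, frame[:12] + frame[16:]
    return None, frame


class Port:
    def __init__(self, name, mode, vlan=1, native=1, allowed=None):
        self.name = name
        self.mode = mode          # "access" or "trunk"
        self.vlan = vlan          # VLAN of an access port (VLAN 1 until changed)
        self.native = native      # trunk native VLAN: carried untagged
        self.allowed = allowed    # VLANs the trunk carries; None means all (assumption)


class Switch:
    """One switch: learns MACs per VLAN and floods unknowns within that VLAN only."""

    def __init__(self, ports):
        self.ports = {p.name: p for p in ports}
        self.mac_table = {}       # (vlan, mac) -> port name

    def _carries(self, port, vlan):
        return port.mode == "trunk" and (port.allowed is None or vlan in port.allowed)

    def receive(self, ingress, frame):
        """Process one frame arriving on port `ingress`; return {egress port: frame}."""
        port = self.ports[ingress]
        vid, bare = untag_frame(frame)
        if port.mode == "access":
            if vid is not None:                 # modelling choice: access links carry no tags
                return {}
            vlan = port.vlan
        else:
            vlan = port.native if vid is None else vid   # untagged on a trunk = native VLAN
            if not self._carries(port, vlan):
                return {}
        dst, src = bare[:6], bare[6:12]
        self.mac_table[(vlan, src)] = ingress
        known = self.mac_table.get((vlan, dst))
        if known == ingress:
            return {}
        targets = [known] if known else [n for n in self.ports if n != ingress]
        out = {}
        for name in targets:
            p = self.ports[name]
            if p.mode == "access" and p.vlan == vlan:
                out[name] = bare                # tag removed before the frame reaches the host
            elif self._carries(p, vlan):
                out[name] = bare if vlan == p.native else tag_frame(bare, vlan)
        return out


def demo_switch():
    """Port numbers and VLAN IDs follow the slides; nothing else is real hardware."""
    return Switch([
        Port("f0/2", "access", vlan=2),
        Port("f0/3", "access", vlan=3),
        Port("f0/4", "access", vlan=2),
        Port("f0/12", "trunk", native=1),
    ])


def broadcast_from_vlan2():
    """A host on f0/2 (VLAN 2) broadcasts; returns (frame sent, frames emitted per port)."""
    sw = demo_switch()
    host = bytes.fromhex("0000aa000001")                               # constructed MAC
    frame = build_frame(BROADCAST, host, 0x0806, b"arp-who-has")       # constructed payload
    return frame, sw.receive("f0/2", frame)


if __name__ == "__main__":
    frame, out = broadcast_from_vlan2()
    for name, egress in out.items():
        print(name, "VLAN tag:", untag_frame(egress)[0])
```

Running it shows the broadcast from VLAN 2 reaching the other VLAN 2 access port untagged and the trunk tagged with VLAN 2, while the VLAN 3 port receives nothing; feeding the trunk a frame tagged 3 delivers it only to f0/3, and an untagged frame on the trunk falls into VLAN 1, which has no access ports on this switch.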
VLAN Trunking Protocol (VTP)
■ Cisco created this one too, but this time it isn’t proprietary. The basic goals of VLAN Trunking Protocol (VTP) are to manage all configured VLANs across a switched internetwork and to maintain consistency throughout that network. VTP allows an administrator to add, delete, and rename VLANs, information that is then propagated to all other switches in the VTP domain. Here’s a list of some of the benefits VTP has to offer:
■ Consistent VLAN configuration across all switches in the network
■ VLAN trunking over mixed networks, such as Ethernet to ATM
LANE or even FDDI
VLAN Trunking Protocol (VTP)
■ Accurate tracking and monitoring of VLANs
■ Dynamic reporting of added VLANs to all switches in the VTP
domain
■ Plug-and-Play VLAN adding
■ Before you can get VTP to manage your VLANs across the network, you have to create a VTP server. All servers that need to share VLAN information must use the same domain name, and a switch can be in only one domain at a time. So this means that a switch can only share VTP domain information with other switches if they’re configured into the same VTP domain.
VLAN Trunking Protocol (VTP)
■ You can use a VTP domain if you have more than one switch
connected in a network, but if you’ve got all your switches in
only one VLAN, you don’t need to use VTP. VTP information is
sent between switches via a trunk port.
■ Switches advertise VTP-management domain information, as well as a configuration revision number and all known VLANs with any specific parameters. And there’s also something called VTP transparent mode. In it, you can configure switches to forward VTP information through trunk ports, but not to accept information updates or update their VTP databases.
VLAN Trunking Protocol (VTP)
■ Switches detect the additional VLANs within a VTP
advertisement and then prepare to receive information on
their trunk ports with the newly defined VLAN in tow.
Updates are sent out as revision numbers that are the
notification plus 1. Any time a switch sees a higher
revision number, it knows the information that it’s
receiving is more current, and it will overwrite the current
database with that new information.
VTP Modes of Operation
■ There are three different modes of operation within a VTP domain:

Server
■ This is the default for all Catalyst switches. You need at least
one server in your VTP domain to propagate VLAN
information throughout the domain. The switch must be in
server mode to be able to create, add, or delete VLANs in a
VTP domain. Changing VTP information must also be done in
server mode, and any change made to a switch in server mode
will be advertised to the entire VTP domain
VTP Modes of Operation
Client
■ In client mode, switches receive information from VTP servers,
and they also send and receive updates. But they can’t make any
changes. Plus, none of the ports on a client switch can be added
to a new VLAN before the VTP server notifies the client switch
of the new VLAN. It’s also good to know that VLAN
information sent from a VTP server is not stored in NVRAM.
This means that if the switch is reset or reloaded, the VLAN
information will be deleted. Here’s a hint: If you want a switch to
become a server, first make it a client so it receives all the correct
VLAN information, then change it to a server.
VTP Modes of Operation
Transparent
■ Switches in transparent mode don’t participate in the VTP
domain, but they’ll still forward VTP advertisements through any
configured trunk links. These switches can’t add and delete
VLANs because they keep their own database—one they do not
share with other switches. Despite being kept in NVRAM, the
VLAN database in Transparent mode is really considered locally
significant only. The purpose of Transparent mode is to allow
remote switches to receive the VLAN database from a VTP Server
configured switch through a switch that is not participating in the
same VLAN assignments.
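The revision-number rule and the three VTP modes from the preceding slides, as an added Python model (not code from the slides or from Cisco). It wires a server, a transparent switch and a client into a chain over trunks: VLAN changes on the server increment the revision and are advertised, the transparent switch forwards advertisements without applying them, and the client accepts any advertisement whose revision is higher than its own and overwrites its database. The switch names S1 to S3 and the domain name "corp" are constructed; the VLAN names come from the slides. A loop-free trunk topology is assumed (the revision check stops re-forwarding between server and client, but a transparent switch in a trunk loop would forward forever). The `safe_to_join` function is a check added here for the practitioner, not a VTP feature: because the slides state that any switch seeing a higher revision overwrites its database, a switch should only be trunked into the domain when its revision is below the domain's, which is the reason behind the "make it a client first" hint.

```python
from dataclasses import dataclass, field


@dataclass
class Advertisement:
    domain: str
    revision: int
    vlans: dict                      # vlan id -> name


@dataclass
class VtpSwitch:
    name: str
    domain: str
    mode: str                        # "server", "client" or "transparent"
    revision: int = 0
    vlans: dict = field(default_factory=lambda: {1: "default"})
    trunks: list = field(default_factory=list)   # directly trunked VtpSwitch neighbours

    def configure_vlan(self, vlan_id, name):
        """Create or rename a VLAN. Clients cannot; transparent switches edit a
        local-only database; servers bump the revision and advertise."""
        if self.mode == "client":
            raise PermissionError(f"{self.name}: VLANs cannot be changed in client mode")
        self.vlans[vlan_id] = name
        if self.mode == "server":
            self.revision += 1
            self.advertise()

    def advertise(self):
        adv = Advertisement(self.domain, self.revision, dict(self.vlans))
        for peer in self.trunks:
            peer.receive(adv, sender=self)

    def receive(self, adv, sender):
        if adv.domain != self.domain:          # VTP is only shared inside one domain
            return
        if self.mode == "transparent":         # forward through trunks, never apply
            self._forward(adv, sender)
            return
        if adv.revision > self.revision:       # higher revision is newer: overwrite
            self.revision = adv.revision
            self.vlans = dict(adv.vlans)
            self._forward(adv, sender)         # equal revision later stops the forwarding

    def _forward(self, adv, sender):
        for peer in self.trunks:
            if peer is not sender:
                peer.receive(adv, sender=self)


def safe_to_join(candidate, server):
    """Added check, not a VTP feature: a switch may be trunked into the domain only
    if its revision cannot outrank the domain's current database."""
    return candidate.revision == 0 or candidate.revision < server.revision


def build_domain():
    """Server S1 - transparent S2 - client S3 chain; names and domain are constructed."""
    s1 = VtpSwitch("S1", "corp", "server")
    s2 = VtpSwitch("S2", "corp", "transparent")
    s3 = VtpSwitch("S3", "corp", "client")
    s1.trunks, s2.trunks, s3.trunks = [s2], [s1, s3], [s2]
    s1.configure_vlan(2, "Engineering")
    s1.configure_vlan(3, "Sales")
    return s1, s2, s3


if __name__ == "__main__":
    s1, s2, s3 = build_domain()
    print("client database:", s3.vlans, "at revision", s3.revision)
    print("transparent database (local only):", s2.vlans)
```

After `build_domain()` the client holds the server's three VLANs at revision 2 even though the only path to it runs through the transparent switch, whose own database still contains just VLAN 1.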
VTP Pruning
■ VTP provides a way for you to preserve bandwidth by configuring
it to reduce the amount of broadcasts, multicasts, and unicast
packets. This is called pruning. VTP pruning only sends broadcasts
to trunk links that truly must have the information. Here’s an
example: If Switch A doesn’t have any ports configured for VLAN
5, and a broadcast is sent throughout VLAN 5, that broadcast
would not traverse the trunk link to Switch A. By default, VTP
pruning is disabled on all switches. When you enable pruning on a
VTP server, you enable it for the entire domain. By default,
VLANs 2 through 1005 are pruning-eligible, but VLAN 1 can
never prune because it’s an administrative VLAN.
Configuring VLANs
■ Configuring VLANs is actually pretty easy. Figuring out which users you want in each VLAN is not. It’s super time-consuming, but the first step is to decide on the number of VLANs you want to create and establish the users you want to belong to each one, then to bring your first VLAN into existence!
■ To create VLANs on the 2950, you configure them from global configuration mode and name them on a separate line.
Configuring VLANs
Switch>
Switch>en
Switch#config t
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#vlan 2
Switch(config-vlan)#name Engineering
Switch(config-vlan)#vlan 3
Switch(config-vlan)#name Sales
Switch(config-vlan)#vlan 4
Switch(config-vlan)#name Finance
Switch(config-vlan)#^Z
Switch#
■ You can’t change, delete, or rename VLAN 1, because it’s the default VLAN. It’s the native VLAN of all switches by default, and Cisco recommends that you use this as your administrative VLAN. Native VLAN basically means that any packets that aren’t specifically assigned to a different VLAN will be sent down the native VLAN.
Configuring VLANs
■ To see the VLAN database, use the show vlan command or the
show vlan brief command.
Configuring VLANs
■ Now that we can see the VLANs created, we can assign switch
ports to specific ones. Each port can be part of only one VLAN.
With the trunking mentioned earlier, you can make a port
available to traffic from all VLANs.
Assigning Switch Ports to VLANs
■ To configure a switch with VLANs, use the following commands.
Switch(config)#int f0/2
Switch(config-if)#switchport access vlan 2
Switch(config-if)#int f0/3
Switch(config-if)#switchport access vlan 3
Switch(config-if)#int f0/4
Switch(config-if)#switchport access vlan 4
Switch(config-if)#
■ If you want to verify your configuration, just use the show
vlan or show vlan brief command to show you the VLANs
with port assignments.
Configuring Trunk Ports
■ Note that some switches support only one trunking protocol and some support all. For example, the 3550 can run both ISL and the IEEE 802.1Q trunking encapsulation method, the 2950 can only run 802.1Q, and the 1900 can run only ISL. With all this in mind, let’s start with the 2950 and then just take a quick look at the VLAN encapsulation difference regarding the 3550 switch.
Configuring Trunk Ports
■ To trunk a port on a 2950 switch, it’s pretty straightforward:
Switch#config t
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#int f0/12
Switch(config-if)#switchport mode trunk
Switch(config-if)#^Z
Switch#
■ To disable trunking on an interface, use the switchport mode access command.
■ You can verify your configuration with the show running-config command.
Configuring Trunk Ports
interface FastEthernet0/2
 switchport access vlan 2
 no ip address
interface FastEthernet0/3
 switchport access vlan 3
 no ip address
interface FastEthernet0/4
 switchport access vlan 4
 no ip address
interface FastEthernet0/12
 switchport mode trunk
 no ip address
!
[output cut]
Trunking with the Cisco
Catalyst 3550 switch
■ Let’s take a look at one more switch—the Cisco Catalyst 3550. With this switch, the configuration is pretty much the same as it is for a 2950. The exception is that the 3550 can provide layer 3 services and the 2950 can’t. Plus, the 3550 can run both ISL and the IEEE 802.1Q trunking encapsulation method—the 2950 can only run 802.1Q. With all this in mind, let’s just take a quick look at the VLAN encapsulation difference regarding the 3550 switch.
■ As shown in the previous section, to trunk a port on a 2950 switch, it’s pretty straightforward:
Trunking with the Cisco
Catalyst 3550 switch
Switch#config t
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#int f0/12
Switch(config-if)#switchport mode trunk
■ For the 3550, you have the encapsulation command that the 2950 switch does not:

■ As you can see, we can add either the IEEE 802.1Q (dot1q)
encapsulation or the ISL encapsulation to the 3550 switch.
■ Now, let’s get a look at connecting a router to our network and configuring inter-VLAN communication.
