Module 3

Virtual LANs

ITNET02

Basic Routing and Switching


Module Objectives

Module Title: Virtual LANs


Module Objectives:
▪ Explain the purpose of VLANs in a switched network.

▪ Explain how a switch forwards frames based on VLAN configuration in a multi-switch environment.

▪ Implement VLANs and trunking in a switched network based on requirements.

Module References:
▪ CCNAv7 SRWE – Modules 3.1, 3.2

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 2
3.1 Overview of VLANs

Overview of VLANs
Traditional LANs
(Figure: Separate Broadcast Domains)
▪ In traditional switched LANs, the physical topology is closely related to the logical topology.
• e.g. hosts connected through contiguous switches belong to the same subnet
▪ Generally, workstations must be grouped by their physical proximity to a switch.
▪ To communicate among LANs, each segment must have a separate port on the backbone device or a connection to a common backbone.
Overview of VLANs
Traditional LANs

Requirements:
- Different department on each floor.
- Three different LANs per floor.
- Separate networks

How to implement:
- 3 hubs / switches per floor
- 1 router per floor with 4 ports each
- 10 broadcast domains
- Inefficient traffic flow
Expensive!
Overview of VLANs
VLAN Definitions
(Figure: Separate Broadcast Domains)
▪ A VLAN is a logical partition of a Layer 2 network.
• The partitioning of the Layer 2 network takes place inside a Layer 2 device, usually a switch.
• Each VLAN is an independent network that can span multiple physical LAN segments.
▪ Placing devices into various VLANs has the following characteristics:
• Allows segmentation of the various groups of devices on the same switches
• Improves network manageability and performance for organizations
• Broadcasts, multicasts and unicasts are isolated in the individual VLAN
• Each VLAN will have its own unique range of IP addressing
Overview of VLANs
Benefits of a VLAN Design
Benefits of using VLANs are as follows:

Benefit: Description
- Smaller Broadcast Domains: Dividing the LAN reduces the size of broadcast domains
- Improved Security: Only users in the same VLAN can communicate together
- Improved IT Efficiency: VLANs can group devices with similar requirements, e.g. faculty vs. students, regardless of their physical location
- Reduced Cost: One switch can support multiple groups or VLANs
- Better Performance: Small broadcast domains reduce traffic, improving bandwidth
- Simpler Management: Similar groups will need similar applications and other network resources
Overview of VLANs
Benefits of a VLAN Design

With VLANs:
- 1 switch per floor
- 1 Router for the entire LAN
- 3 Broadcast Domains
- Efficient traffic flow
- More scalable
- Easier to manage

Overview of VLANs
Types of VLANs
Default VLAN
VLAN 1 is the following:
• The default VLAN
• The default Native VLAN
• The default Management VLAN
• Cannot be deleted or renamed

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                Fa0/9, Fa0/10, Fa0/11, Fa0/12
                                                Fa0/13, Fa0/14, Fa0/15, Fa0/16
                                                Fa0/17, Fa0/18, Fa0/19, Fa0/20
                                                Fa0/21, Fa0/22, Fa0/23, Fa0/24
                                                Gig0/1, Gig0/2
1002 fddi-default                     active
1003 token-ring-default               active
1004 fddinet-default                  active
1005 trnet-default                    active
Overview of VLANs
Types of VLANs (Cont.)
Data VLAN
• Dedicated to user-generated traffic (email and web traffic).
• Commonly created for specific groups of users or devices
Native VLAN
• This is used for trunk links only.
• All frames are tagged on an 802.1Q trunk link except for those on the native VLAN. (More on this later)
• Commonly used for backwards compatibility with older networking devices
Management VLAN
• This is used for accessing the administrative interfaces of network infrastructure devices
• Commonly used for SSH/Telnet VTY traffic and should not be carried with end user traffic for security reasons.
• Typically, the SVI (VLAN interface) of a Layer 2 switch is assigned to this VLAN.
Overview of VLANs
Types of VLANs (Cont.)
Voice VLAN
• A separate VLAN created exclusively for carrying voice traffic, to cater to its unique requirements
• Voice traffic requires:
• Assured bandwidth
• High QoS priority
• Ability to avoid congestion
• Delay less than 150 ms from source to destination
• The entire network must be designed to support voice.
3.2 VLAN Implementation

VLAN Configuration
VLAN Ranges on Catalyst Switches
▪ VLANs are split into two categories:
• Normal range VLANs
• VLAN numbers from 1 to 1,005
• Configurations saved in the vlan.dat file (in flash memory)
• IDs 1002 through 1005 are reserved for legacy Token Ring and Fiber Distributed Data Interface (FDDI) VLANs; they are created automatically and cannot be removed.
• Can be synchronized across multiple switches using VTP (to be discussed next time)
• Extended Range VLANs
• VLAN numbers from 1,006 to 4,096
• Configurations saved in the running / startup configuration (NVRAM)
• Supports fewer VLAN features
• Commonly used by service providers or large organizations
VLAN Configuration
Creating a VLAN

Task: IOS Command
- Enter global configuration mode: Switch# configure terminal
- Create a VLAN with a valid ID number: Switch(config)# vlan vlan-id
- Specify a unique name to identify the VLAN (optional): Switch(config-vlan)# name vlan-name
- Return to global config mode: Switch(config-vlan)# exit

S1(config)# vlan 20
S1(config-vlan)# name student
S1(config-vlan)# exit
S1(config)#
VLAN Configuration
Assigning Ports to VLANs

Task: Command
- Enter interface configuration mode: Switch(config)# interface interface-id
- Set the port to access mode: Switch(config-if)# switchport mode access
- Assign the port to a VLAN: Switch(config-if)# switchport access vlan vlan-id

S1(config)# interface Fa0/18
S1(config-if)# switchport mode access
S1(config-if)# switchport access vlan 20

Note: To change the port VLAN membership, simply reassign it to another VLAN, or use the ‘no switchport access vlan’ command to return it to the default VLAN (VLAN 1).
VLAN Configuration
Quick VLAN Configuration
▪ To configure multiple VLANs, a series of VLAN IDs can be entered separated by commas, or a range of VLAN IDs separated by hyphens.
• vlan 100,102,105-107

▪ Use the interface range command to simultaneously configure multiple interfaces.
• interface range Fa0/1-10

▪ E.g.: Configure a switch as follows:
• VLAN 10 – Fa0/1-5
• VLAN 20 – Fa0/6-10
• VLAN 30 – Fa0/11-15

S1(config)# vlan 10,20,30
S1(config-vlan)# exit
S1(config)# interface range Fa0/1-5
S1(config-if-range)# switchport mode access
S1(config-if-range)# switchport access vlan 10
S1(config)# interface range Fa0/6-10
S1(config-if-range)# switchport mode access
S1(config-if-range)# switchport access vlan 20
S1(config)# interface range Fa0/11-15
S1(config-if-range)# switchport mode access
S1(config-if-range)# switchport access vlan 30
VLAN Configuration
Data and Voice VLANs
▪ An access port may only be assigned to one data VLAN. However, it may also be assigned to one voice VLAN for when a phone and an end device share the same switchport.
▪ Network devices can be configured with QoS to provide special handling to the voice VLAN traffic.

S1(config)# interface Fa0/18
S1(config-if)# switchport mode access
S1(config-if)# switchport access vlan 20
S1(config-if)# switchport voice vlan 150
S1(config-if)# mls qos trust cos

Note: mls qos trust cos is a QoS-related command that is out of scope for this course.
VLAN Configuration
The Management VLAN and Switch SVIs
▪ It is common practice to create a management VLAN exclusively for membership of network infrastructure devices such as routers, switches and firewalls, through which their administrative interfaces can be accessed.

▪ To avoid unauthorized access to network device management facilities, regular users are normally not assigned to the management VLAN.

▪ To set up a management VLAN and assign the switch as a member, create a VLAN for management, then enable and assign an IP address to the SVI with an interface ID that matches the management VLAN ID.

Task: Command
- Create a VLAN for management with a valid ID number: Switch(config)# vlan vlan-id
- Enter SVI configuration mode: Switch(config)# interface vlan interface-id
- Assign an IP address and mask: Switch(config-if)# ip address address mask
- Enable the SVI: Switch(config-if)# no shutdown

▪ Note: For the switch VLAN interface to be active, there need to be hosts, such as a network administrator’s workstation, connected to ports assigned to the management VLAN.
VLAN Configuration
Assigning Switch Management Interfaces to VLANs
S1(config)# vlan 10
S1(config-vlan)# name management
S1(config-vlan)# interface vlan 10
S1(config-if)# ip address 192.168.10.2 255.255.255.0
S1(config-if)# no shutdown
S1(config-if)# interface Fa0/24
S1(config-if)# switchport mode access
S1(config-if)# switchport access vlan 10
VLAN Assignment
Verifying VLAN Configurations
▪ show vlan or show vlan brief – Displays the list of VLANs on the switch with the ports assigned to them.

S1#show vlan brief

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/2, Fa0/3, Fa0/4, Fa0/5
                                                Fa0/6, Fa0/7, Fa0/8, Fa0/9
                                                Fa0/10, Fa0/11, Fa0/12, Fa0/13
                                                Fa0/14, Fa0/15, Fa0/16, Fa0/17
                                                Fa0/19, Fa0/20, Fa0/21, Fa0/22
                                                Fa0/23, Gig0/1, Gig0/2
10   management                       active    Fa0/24
20   student                          active    Fa0/1, Fa0/18
1002 fddi-default                     active
1003 token-ring-default               active
1004 fddinet-default                  active
1005 trnet-default                    active
VLAN Assignment
Verifying VLAN Configurations
▪ show interface interface-id switchport – Displays the data and voice VLAN membership of a port

S1#show int fa0/18 switchport
Name: Fa0/18
Switchport: Enabled
Administrative Mode: static access
Operational Mode: access
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: native
Negotiation of Trunking: Off
Access Mode VLAN: 20
Trunking Native Mode VLAN: 1 (default)
Voice VLAN: 150
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
...
VLAN Assignment
Verifying VLAN Configurations
▪ show interface vlan vlan-id – Displays the configuration and status of the switch SVI.

S1#show interface vlan 10
Vlan10 is up, line protocol is up
Hardware is CPU Interface, address is 000a.4150.9801 (bia 000a.4150.9801)
Internet address is 172.17.10.2/24
MTU 1500 bytes, BW 100000 Kbit, DLY 1000000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
ARP type: ARPA, ARP Timeout 04:00:00
Last input 21:40:21, output never, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
...
VLAN Configuration
Delete VLANs
Delete VLANs with the no vlan vlan-id command.

Caution: Before deleting a VLAN, reassign all member ports to a different VLAN.

• Delete all VLANs with the delete flash:vlan.dat or delete vlan.dat commands (even if you did not save the rest of your configuration).

• Reload the switch when deleting all VLANs.

Note: To restore to factory default, unplug all data cables, erase the startup configuration and delete the vlan.dat file, then reload the device.

S1# erase startup-config
Erasing the nvram filesystem will remove all configuration files! Continue? [confirm]
[OK]
Erase of nvram: complete
%SYS-7-NV_BLOCK_INIT: Initialized the geometry of nvram
S1#delete vlan.dat
Delete filename [vlan.dat]?
Delete flash:/vlan.dat? [confirm]
S1#reload
3.3 VLANs in a
Multi-Switched Environment

VLANs in a Multi-Switched Environment
Defining VLAN Trunks
• The concept of trunking began with the telephone industry.
• Multiple calls were moved between customers and central offices, or between the offices themselves, over a single physical connection.
▪ The same principle was applied to data communications to make better use of the communication line.
▪ Additional advantages and cost savings were gained by using the same approach as with voice communications.
VLANs in a Multi-Switched Environment
Defining VLAN Trunks
(Figure: No trunk vs. Trunk)

▪ The same principle of trunking is applied to network switching technologies.
▪ A trunk is a physical and logical connection between two switches across which network traffic travels.
VLANs in a Multi-Switched Environment
Defining VLAN Trunks
▪ A VLAN trunk is a point-to-point link that carries network traffic of more than one VLAN.
• Usually connects switches to support intra-VLAN communication across the entire network.
• A VLAN trunk or trunk port is not associated with any VLAN.
VLANs in a Multi-Switched Environment
Networks without VLANs
▪ Without VLANs, all devices connected to the switches will receive all unicast, multicast, and broadcast traffic.
▪ Broadcasts can easily consume the network’s capacity because the network is one broadcast domain.
VLANs in a Multi-Switched Environment
Networks with VLANs
▪ With VLANs, unicast, multicast, and broadcast traffic is confined to a VLAN, controlling the reach of broadcast frames and their impact on the network.
▪ Without a Layer 3 device to connect the VLANs, devices in different VLANs cannot communicate.

How do you ensure that the data frames of each VLAN still arrive at the correct VLAN after they pass through the trunks?
VLANs in a Multi-Switched Environment
VLAN Identification with a Tag
• IEEE 802.1Q is a protocol used to define how Ethernet frames will be carried across switch trunks in a network using VLANs
• Uses a 4-byte tag inserted after the frame header
• When the tag is created the FCS must be recalculated.
• When sent to end devices, this tag must be removed and the FCS recalculated back to its original number.

802.1Q VLAN Tag Field: Function
- Type: 2-byte field with hexadecimal 0x8100. This is referred to as the Tag Protocol ID (TPID)
- User Priority: 3-bit value used to support QoS
- Canonical Format Identifier (CFI): 1-bit value that can support token ring frames on Ethernet
- VLAN ID (VID): 12-bit VLAN identifier that labels the frame with which VLAN it belongs to
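The tag layout and FCS recalculation described above, as an added example that is not part of the module: the code builds a constructed frame, inserts the 4-byte 802.1Q tag after the source MAC, recomputes the FCS, then parses the TPID/PCP/CFI/VID fields and strips the tag again. MAC addresses and payload are made-up values; Ethernet's FCS is computed here with zlib's CRC-32.

```python
"""Added example, not from the module: build a frame, insert an 802.1Q tag
after the source MAC, recompute the FCS, then parse and strip the tag the way
a switch does before forwarding to an access port. All bytes are constructed."""
import struct
import zlib

TPID_8021Q = 0x8100      # Tag Protocol ID occupying the EtherType position
ETHERTYPE_IPV4 = 0x0800


def fcs(frame_body: bytes) -> bytes:
    """Ethernet FCS: CRC-32 over everything before it, least significant byte first."""
    return struct.pack("<I", zlib.crc32(frame_body) & 0xFFFFFFFF)


def fcs_ok(frame: bytes) -> bool:
    return len(frame) > 4 and frame[-4:] == fcs(frame[:-4])


def build_untagged(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    body = dst + src + struct.pack("!H", ethertype) + payload
    return body + fcs(body)


def add_tag(frame: bytes, vid: int, pcp: int = 0, cfi: int = 0) -> bytes:
    """Insert the 4-byte tag after the 12 address bytes; the old FCS is dropped
    and a new one computed, as the slide says must happen."""
    if not (0 <= vid <= 4095 and 0 <= pcp <= 7 and cfi in (0, 1)):
        raise ValueError("invalid tag field")
    tci = (pcp << 13) | (cfi << 12) | vid        # 3-bit PCP | 1-bit CFI | 12-bit VID
    body = frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:-4]
    return body + fcs(body)


def parse_tag(frame: bytes):
    """Return (pcp, cfi, vid) for a tagged frame, None for an untagged one.
    A frame whose FCS does not verify is rejected rather than interpreted."""
    if not fcs_ok(frame):
        raise ValueError("bad FCS")
    if struct.unpack("!H", frame[12:14])[0] != TPID_8021Q:
        return None
    tci = struct.unpack("!H", frame[14:16])[0]
    return (tci >> 13) & 0x7, (tci >> 12) & 0x1, tci & 0x0FFF


def strip_tag(frame: bytes) -> bytes:
    """Remove the tag and recompute the FCS, restoring the original frame."""
    if parse_tag(frame) is None:
        return frame
    body = frame[:12] + frame[16:-4]
    return body + fcs(body)


# Constructed sample (broadcast destination, locally administered source MAC,
# dummy 46-byte payload).
DST = bytes.fromhex("ffffffffffff")
SRC = bytes.fromhex("020000000001")
UNTAGGED = build_untagged(DST, SRC, ETHERTYPE_IPV4, b"\x45" + b"\x00" * 45)
TAGGED = add_tag(UNTAGGED, vid=20, pcp=5)   # data VLAN 20 from the slides

if __name__ == "__main__":
    print(parse_tag(TAGGED))               # (5, 0, 20)
    print(strip_tag(TAGGED) == UNTAGGED)   # True
```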
VLANs in a Multi-Switched Environment
Native VLANs and 802.1Q Tagging
• Tagging is typically done on all VLANs.
• A native VLAN is a VLAN whose traffic remains untagged while passing through trunks.
• The native VLAN was designed for legacy devices that don’t support VLAN tagging, like the hub in the example.
• Unless changed, VLAN 1 is the native VLAN.
• Each trunk can have only one native VLAN, and both ends of a trunk link must be configured with the same native VLAN ID.
• Each trunk is configured separately, so it is possible to have different native VLANs on separate trunks.
VLANs in a Multi-Switched Environment
Voice VLAN Tagging
The VoIP phone is a three-port switch:
• The switch will use CDP to inform the phone of the voice VLAN.
• The phone will tag its own (voice) traffic and can set QoS prioritization.
• The phone may or may not tag frames from the PC.

Traffic: Tagging Function
- Voice VLAN: Tagged with an appropriate Layer 2 class of service (CoS) priority value
- Access VLAN: Can remain untagged by the phone or be tagged with a Layer 2 CoS priority value
3.4 VLAN Trunk Implementation

VLAN Trunks
Trunk Configuration Commands
Configure and verify VLAN trunks. Trunks are Layer 2 and carry traffic for all VLANs.

Task: IOS Command
- Enter interface configuration mode: Switch(config)# interface interface-id
- Set the port to permanent trunking mode: Switch(config-if)# switchport mode trunk
- Set the native VLAN to something other than VLAN 1 (optional but good practice): Switch(config-if)# switchport trunk native vlan vlan-id
- Specify the list of VLANs to be allowed on the trunk link (optional but good practice): Switch(config-if)# switchport trunk allowed vlan vlan-list

Notes:
▪ Ports on the switches at both ends of the trunk connection must be configured with the same native VLAN and allowed VLAN settings.
▪ A VLAN must be created on a switch before its traffic can cross the trunk links.
VLAN Trunks
Trunk Configuration Example
The subnets associated with each VLAN are:
• VLAN 10 - Faculty/Staff - 172.17.10.0/24
• VLAN 20 - Students - 172.17.20.0/24
• VLAN 30 - Guests - 172.17.30.0/24
• VLAN 99 - Native - 172.17.99.0/24
F0/1 ports on S1 and S2 will serve as the trunk link
S1(config-vlan)# interface Fa0/1
S1(config-if)# switchport mode trunk
S1(config-if)# switchport trunk native vlan 99
S1(config-if)# switchport trunk allowed vlan 10,20,30,99

S2(config-vlan)# interface Fa0/1
S2(config-if)# switchport mode trunk
S2(config-if)# switchport trunk native vlan 99
S2(config-if)# switchport trunk allowed vlan 10,20,30,99
VLAN Trunks
Verifying Trunk Configurations
▪ show interface interface-id switchport – Displays the mode and the trunking and tagging info of a port

S1(config)#do show interface fa0/1 switchport
Name: Fa0/1
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 99
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk private VLANs: none
Operational private-vlan: none
Trunking VLANs Enabled: 10,20,30,99
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL
Protected: false
Unknown unicast blocked: disabled
Unknown multicast blocked: disabled
Appliance trust: none
VLAN Trunks
Verifying Trunk Configurations
▪ show interfaces trunk – Displays all active trunk links of the switch

S1(config)#do show interfaces trunk
Port        Mode         Encapsulation  Status        Native vlan
Fa0/1       auto         n-802.1q       trunking      99

Port        Vlans allowed on trunk
Fa0/1       1-1005

Port        Vlans allowed and active in management domain
Fa0/1       1,10,20,30,99

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/1       1
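The note that both ends of a trunk must agree on native and allowed VLANs is easy to verify from show output, and the vlan-list syntax (vlan 100,102,105-107) used earlier in this module is the same one that appears in the allowed-VLAN table. The following added example (not part of the module) expands that syntax, parses the first two tables of show interfaces trunk from each switch, and reports native or allowed-VLAN mismatches; the show output embedded below is constructed to match the slide's S1 configuration and a default-state S2.

```python
"""Added example, not from the module: expand the IOS vlan-list syntax, parse
'show interfaces trunk' from both ends of a trunk and flag native/allowed
VLAN mismatches. The show output below is constructed, not captured."""
import re


def expand_vlan_list(spec: str) -> set:
    """'1,10,20,30,99' or '1-1005' or a mix -> set of VLAN IDs."""
    vlans = set()
    for part in spec.replace(" ", "").split(","):
        if not part:
            continue
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            if lo > hi:
                raise ValueError(f"bad range {part!r}")
            vlans.update(range(lo, hi + 1))
        else:
            vlans.add(int(part))
    if any(v < 1 or v > 4094 for v in vlans):
        raise ValueError("VLAN ID outside 1-4094")
    return vlans


def parse_show_trunk(text: str) -> dict:
    """Read the 'Native vlan' and 'Vlans allowed on trunk' tables into
    {port: {'native': int, 'allowed': set}}; the other tables are skipped."""
    trunks, section = {}, None
    for line in text.splitlines():
        if line.startswith("Port"):          # a table header selects the section
            section = ("native" if "Native vlan" in line
                       else "allowed" if "allowed on trunk" in line else None)
            continue
        cols = line.split()
        if section is None or len(cols) < 2:
            continue
        entry = trunks.setdefault(cols[0], {})
        if section == "native":
            entry["native"] = int(cols[-1])
        else:
            entry["allowed"] = expand_vlan_list(cols[-1])
    return trunks


def check_trunk(local: dict, remote: dict, lport: str, rport: str) -> list:
    """Return mismatch descriptions; an empty list means both ends agree."""
    a, b = local[lport], remote[rport]
    problems = []
    if a["native"] != b["native"]:
        problems.append(f"native VLAN mismatch: {a['native']} vs {b['native']}")
    if a["allowed"] != b["allowed"]:
        only_a, only_b = a["allowed"] - b["allowed"], b["allowed"] - a["allowed"]
        problems.append(f"allowed VLAN mismatch: {len(only_a)} only on {lport}, "
                        f"{len(only_b)} only on {rport}")
    return problems


# Constructed output: S1 configured as on the slide, S2 left at trunk defaults.
TRUNK_TEMPLATE = """\
Port        Mode         Encapsulation  Status        Native vlan
Fa0/1       on           802.1q         trunking      {native}

Port        Vlans allowed on trunk
Fa0/1       {allowed}
"""
S1_TRUNK = TRUNK_TEMPLATE.format(native=99, allowed="10,20,30,99")
S2_TRUNK = TRUNK_TEMPLATE.format(native=1, allowed="1-1005")
MISMATCHES = check_trunk(parse_show_trunk(S1_TRUNK), parse_show_trunk(S2_TRUNK),
                         "Fa0/1", "Fa0/1")
```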
VLAN Trunks
Reset the Trunk to the Default State
• Reset the default trunk settings with the no form of the command.
• All VLANs allowed to pass traffic
• Native VLAN = VLAN 1

S1(config-vlan)# interface Fa0/1
S1(config-if)# no switchport trunk allowed vlan
S1(config-if)# no switchport trunk native vlan
Questions?
Module Summary
What did you learn in this module?
• VLANs are based on logical instead of physical connections and can segment networks based on function, team, or application.
• Each VLAN is considered a separate logical network.
• A separate voice VLAN is required to support VoIP.
• Normal range VLAN configurations are stored in the vlan.dat file in flash.
• An access port can belong to one data VLAN at a time, but may also have a voice VLAN.
• A trunk is a point-to-point link that carries traffic from multiple VLANs across a single connection.
• Frames are tagged as they are carried across trunk links. VLAN tag fields include the type, user priority, CFI and VID.