Switching Topic 2 VLANs
Agenda VLANs Benefits Components Trunking and 802.1q VLAN types VLAN operations VLAN modes Voice VLAN DTP Troubleshooting
VLANs Virtual LAN or ‘virtualised’ LAN VLANs divide switches by business function Departments, project teams, locations Multiple VLANs exist on multiple switches in the switched infrastructure Each VLAN is a different IP network VLANs are configured on the switch Switchports are each assigned to a single VLAN Hosts connected to the switchport can communicate with other hosts in the same VLAN Hosts in different VLANs are on different networks and can only communicate with each other via a routing process VLANs can span multiple switches so hosts can be located anywhere and connect to any switch
VLANs
Benefits of VLANs Separate large broadcast domains into smaller ones Separate the network into business functional groups Security Segmenting functional groups means policy can be applied Cost More efficient use of switches and links as the infrastructure shared by different VLANs Controlled network traffic Performance is maintained as there is less broadcast traffic Broadcast storms and errors are contained within the VLAN Management efficiency Simple moves, adds, and changes for hosts Users with the same needs can be grouped and assigned to a VLAN
Components Switches Trunk links Trunking protocol 802.1q VLANs are created on the switch VLANs are identified by number, VID and described by name Ports are assigned to specific VLANs, PVID Trunk links Links between switches which carry all VLAN traffic Links between switches and routers which carry all VLAN traffic for routing between the VLANs Trunking protocol 802.1q Tags frames arriving at ports with their VLANID Tagged frames travel down trunk links with their VLANID tags Tags are stripped from frames when leaving a port to go to the host Router or layer 3 switch routes frames between VLANs
Trunking Trunking extends the VLAN VLAN trunk is a point to point link between two switches that carries tagged frames from more than one VLAN VLAN trunks extends VLANs across the network using the IEEE 802.1q standard Without VLAN trunks a separate link between switches would be required for each VLAN
Types of VLANs Data VLAN – user and application traffic Voice VLAN Requires assured bandwidth and delay of less than 150 milliseconds Management VLAN Used to remotely access and manage the switch (telnet, http, ssh, snmp) The management VLAN is assigned an IP address and a subnet mask By default is VLAN 1, best practice is to create a separate management VLAN Default VLAN – VLAN 1 All ports by default are members of VLAN 1 Cannot be deleted or renamed Layer 2 control traffic such as CDP and STP traffic Best practise is to assign all ports on the switch to VLAN other than one and leave VLAN 1 for layer 2 control traffic
Native VLAN The native VLAN is assigned to switchports that are trunking Untagged frames Frames that originate on the switch (such as cdp and stp and other control traffic) are untagged (they did not arrive through a switchport) Untagged frames received by a trunk port are sent down trunks with native VLAN tags Control traffic should be untagged Some vendor’s switches, tag control traffic and this traffic is dropped on the native VLAN The native VLAN is by default VLAN 1 and should be assigned to another VLAN
VLAN tagging 802.1q Each port is assigned the PVID of their VLAN 802.1q ports (trunk ports) are assigned the PVID of the native VLAN Ingress rules: Untagged traffic that arrives at the port is tagged with the PVID Tagged traffic that arrives at the port is not altered Forwarding rules: Flood, forward or filter and MAC address table lookup Egress rules: Frame is untagged if its destination is a host Frame sent as tagged if its destination is a trunk or IP phone
Tag frame format Dot1q inserts a tag into the Ethernet header of frames (just after source MAC): Switchport with a PVID assigned receives a frame Switch inserts VLAN tag and recalculates FCS Switch sends tagged frame out of trunk port EtherType field value set to 0x8100 – the TPID value Tag Control Information field is inserted that contains: Priority information CFI to enable token ring frames on Ethernet links VID VLAN ID (up to 4096) FCS field in the trailer gets a recalculated FCS value
VLAN operation Broadcast frames: Switch forwards broadcast frames: out of all ports on the same VLAN except the originating port as tagged frames on trunk links which allow the VLAN. Unicast frames: Switch forwards the frame to destination host on current switch or if the destination MAC is on another switch, as a tagged frame using the trunk link.
VLAN operation
VLAN modes Static (port-based VLAN) Dynamic Switchports can be manually assigned to a VLAN Switchport mode access Switchport access VLAN 20 Dynamic Switchports can be assigned to a VLAN based on the MAC address of the attached host VLAN policy membership server VMPS contains mappings of MAC to VLANs Hosts can move around and use any port and get put into the correct VLAN
Switchport modes Access mode Trunk mode Configures a switchport as an access port Has hosts attached to it Maintains the PVID of the VLAN associated with it Trunk mode Configures a switchport as an trunk port Has switches or routers attached to it Forwards tagged frames from multiple VLANs Forwards untagged frames on the native VLAN
Dynamic Trunking Protocol (DTP) Cisco® proprietary used to allow switchports to negotiate to trunk Four modes: On (always a trunk) Dynamic auto (able to trunk but only if the other end of link is ON or desirable) Dynamic desirable (able to trunk and will if other end is ON or desirable or auto) Nonegotiate (DTP is off and switchport trunks) Use Nonegotiate when trunking to switch from another vendor If both links are set to dynamic auto, they will negotiate to stay in their default state which is access mode For 2950, the default switchport mode is dynamic desirable For 2960, the default switchport mode is dynamic auto
VLAN IDs Normal range VLANs Extended range VLANs VLAN ID between 1 and 1005 1002 to 1005 reserved for token ring and fddi VLAN 1 and 1002–1005 are created automatically and cannot be removed Configurations stored in the VLAN.dat file in flash Supports VTP to propagate VLANs Extended range VLANs VLAN ID between 1006–4094 Fewer features Saved in running config Does not supports VTP to propagate VLANs Cisco® Catalyst® 2960 can support up to 255 VLANs
Voice VLAN Voice traffic needs priority classification and can only tolerate 150 ms delay Cisco® phones contain a 3 port switch Port 1 connects to the switch Port 2 is an internal 10/100 interface that carries the IP phone traffic Port 3 (access port) connects to a PC Switchport is configured with a voice VLAN (VLAN 150) and a data VLAN Switchport uses CDP to send the voice VLAN ID to the phone The phone tags voice frames with the voice VLAN ID The phone does not tag frames from the PC Data frames are tagged with the data VLAN ID when they arrive at the switchport
Configuring VLANs Demo
Deleting VLANs VLAN configuration is stored in VLAN.dat file in flash (config) no VLAN VLANid #delete flash:VLAN.dat #delete VLAN.dat
Troubleshooting Native VLAN mismatches Trunk mode mismatches different native VLANs on each end of links causes errors and causes traffic to be misdirected (security risk) Trunk mode mismatches one switchport is off and the other switchport is on VLANs and IP subnets incorrect IP addresses, gateways, subnet masks Allowed VLANs on trunks VLAN hasn’t been added as ‘allowed’ on trunk
Agenda VLANs Benefits Components Trunking and 802.1q VLAN types VLAN operations VLAN modes Voice VLAN DTP Troubleshooting
Switching Topic 2 VLANs