
VLANs

LAN Switching and Wireless - Chapter 3


Dr. Naveen Chilamkurti

Topics
The role of VLANs in a network
Trunking VLANs
Configure VLANs on switches
Troubleshoot common VLAN problems

Some requirements of LANs
Need to split up broadcast domains to make good use of bandwidth
People in the same department may need to be grouped together for access to servers
Security: restrict access by certain users to some areas of the LAN
Provide a way for different areas of the LAN to communicate with each other

Solution using routers
Divide the LAN into subnets
Use routers to link the subnets
BUT
Routers are expensive
Routers are slower than switches
Subnets are restricted to limited physical areas
Subnets are inflexible

Solution using VLANs
VLAN membership can be by function and not by location
VLANs managed by switches
Router needed for communication between VLANs

VLANs
All hosts in a VLAN have addresses in the same subnet. A VLAN is a subnet.
Broadcasts are kept within the VLAN. A VLAN is a broadcast domain.
The switch keeps a separate MAC address table for each VLAN (entries are keyed by VLAN as well as by MAC address, so the same MAC seen in two VLANs is two entries). Traffic for each VLAN is kept separate from other VLANs.
Layer 2 switches cannot route between VLANs.

Benefits of VLANs
Security - Groups that have sensitive data are separated from the rest of the network, decreasing the chances of confidential information breaches. The separation holds only at Layer 2: whatever routes between the VLANs must also filter the traffic, or it simply reconnects them.
Higher performance - Dividing flat Layer 2 networks into multiple logical workgroups (broadcast domains) reduces unnecessary traffic on the network and boosts performance.
Broadcast storm mitigation - Dividing a network into VLANs reduces the number of devices that may participate in a broadcast storm.

Benefits of VLANs Cont.
Improved IT staff efficiency - VLANs make it easier to manage the network because users with similar network requirements share the same VLAN.
Simpler project or application management - VLANs aggregate users and network devices to support business or geographic requirements.

VLAN ID Ranges
Access VLANs are divided into either:
Normal range (IDs 1-1005; VLAN 1 and 1002-1005 exist on every Cisco switch and cannot be deleted)
Extended range (IDs 1006-4094)
The 802.1Q tag has a 12-bit VLAN ID field, but IDs 0 and 4095 are reserved, so 4094 VLANs are usable.

Types of VLAN
Data or user VLAN
Default VLAN
Native VLAN
Management VLAN
Voice VLAN

Data VLAN
Carry files, e-mails, shared application traffic, most user traffic.
Separate VLAN for each group of users.

Default VLAN
VLAN 1 on Cisco switches. It cannot be renamed or deleted.
Carries Layer 2 control traffic such as CDP and STP (spanning tree protocol).
Initially all ports are in this VLAN.
Do not use it for data, voice or management traffic for security reasons: any port nobody has configured lands in VLAN 1, so whatever is plugged into such a port shares a broadcast domain with the switch's control traffic.

Native VLAN
For backward compatibility with older systems that do not understand 802.1Q tags.
Relevant to trunk ports.
Trunk ports carry traffic from multiple VLANs.
VLAN is identified by a tag in the frame.
Frames on the native VLAN are sent across the trunk without a tag, and untagged frames arriving on a trunk are placed in the native VLAN.
Both ends of a trunk must agree on the native VLAN. Use an otherwise unused VLAN (not VLAN 1) and assign no access ports to it, so that no host can inject frames that the trunk will carry untagged.

Management VLAN
Has the switch IP address (configured on the SVI for that VLAN).
Used for telnet/SSH or web access for management purposes.
Better not to use VLAN 1 for security reasons. Prefer SSH over telnet, since telnet carries the login credentials in clear text.

Voice VLAN
Use with IP phone.
Phone acts as a switch too: the PC plugs into the phone, and the phone into the switch port.
Voice traffic is tagged with the voice VLAN and given priority (the 802.1p priority bits in the tag).
Data from the PC passes through the phone untagged, with no priority.

Switch Ports
Each switch port intended for an end device is configured to belong to a VLAN.
Any device connecting to that port belongs to the port's VLAN.
There are other ways of assigning VLANs but this is now the normal way.
Ports that link switches can be configured to carry traffic for all VLANs (trunking)

Switch Ports Modes

Static VLAN
Dynamic VLAN
Voice VLAN

Static VLAN
The normal type. Port configured to be on a VLAN. Connected device is on this VLAN.
VLAN can be created using a CLI command, given a number and a name.
VLAN can be learned from another switch (via VTP).
If a port is put on a VLAN and the VLAN does not exist, then the VLAN is created.

Static VLAN (Port-centric)
If VLAN 20 did not exist before, then it does now.

Voice VLAN

Dynamic VLAN
Not widely used.
Use a VLAN Membership Policy Server (VMPS).
Assign a device to a VLAN based on its MAC address.
Connect device, server assigns VLAN.
Useful if you want to move devices around.
A MAC address is trivially changed by the host, so this is a convenience mechanism, not access control.

Controlling Broadcast Domains with VLANs

Network Traffic Without VLANs
In normal operation, when a switch receives a broadcast frame on one of its ports, it forwards the frame out all other ports on the switch.

Network Traffic With VLANs
When VLANs are implemented on a switch, the transmission of unicast, multicast, and broadcast traffic from a host on a particular VLAN is constrained to the devices that are on that VLAN.

Traffic between VLANs
Layer 2 switch keeps VLANs separate.
Router can route between VLANs. It needs to provide a default gateway for each VLAN as VLANs are separate subnets.

Controlling Broadcast Domains with Switches and Routers
Intra-VLAN Communication
Inter-VLAN Communication

Intra-VLAN Communication
In the figure, PC1 wants to communicate with another device, PC4. PC1 and PC4 are both in VLAN 10. Communicating with a device in the same VLAN is called intra-VLAN communication. The following steps describe how this process is accomplished:
Step 1-1. PC1 in VLAN 10 sends its ARP request frame (broadcast) to switch S2.
Step 1-2. Switches S2 and S1 send the ARP request frame out all ports on VLAN 10.
Step 1-3. Switch S3 sends the ARP request out port F0/11 to PC4 on VLAN 10.
Step 2-1. The switches in the network forward the ARP reply frame (unicast) to PC1.
Step 2-2. PC1 receives the reply, which contains the MAC address of PC4.
Step 3-1. PC1 now has the destination MAC address of PC4 and uses this to create a unicast frame with PC4's MAC address as the destination.
Step 3-2. Switches S2, S1 and S3 deliver the frame to PC4.
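The intra-VLAN steps above, together with the earlier claims that a switch keeps a separate MAC table per VLAN and confines broadcasts to one VLAN, as a small Python simulation of one switch. This is an added example, not code from the course or from Cisco: the switch, port names, MAC addresses and the trunk's native VLAN 99 are constructed to show how an access port's VLAN, a trunk's tags and the per-VLAN MAC table interact.

```python
"""A VLAN-aware Layer 2 switch in miniature: per-VLAN MAC learning, flooding
confined to one VLAN, and tag handling on a trunk with a native VLAN.
Added example; the topology in demo() is constructed, not the page's figure."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class Frame:
    src: str
    dst: str
    vlan: Optional[int]        # 802.1Q tag on the wire; None means untagged
    payload: str = ""


@dataclass(frozen=True)
class Port:
    name: str
    mode: str                  # "access" or "trunk"
    vlan: int = 1              # access VLAN, or the native VLAN of a trunk
    allowed: frozenset = frozenset()   # VLANs a trunk carries; empty = all


class Switch:
    def __init__(self, name: str, ports: List[Port]) -> None:
        self.name = name
        self.ports = {p.name: p for p in ports}
        # Keyed by (VLAN, MAC): in effect one MAC table per VLAN.
        self.mac_table: Dict[Tuple[int, str], str] = {}

    def classify(self, port: Port, frame: Frame) -> Optional[int]:
        """Which VLAN an ingress frame belongs to; None means the frame is dropped."""
        if port.mode == "access":
            # Hosts on access ports do not choose their VLAN; the port does.
            return port.vlan if frame.vlan in (None, port.vlan) else None
        vid = port.vlan if frame.vlan is None else frame.vlan   # untagged -> native VLAN
        if port.allowed and vid not in port.allowed:
            return None
        return vid

    def egress(self, port: Port, vid: int, frame: Frame) -> Optional[Frame]:
        """Rewrite the tag for the egress port; None if this VLAN cannot leave there."""
        if port.mode == "access":
            if port.vlan != vid:
                return None
            return Frame(frame.src, frame.dst, None, frame.payload)   # hosts see no tag
        if port.allowed and vid not in port.allowed:
            return None
        tag = None if vid == port.vlan else vid    # native VLAN leaves the trunk untagged
        return Frame(frame.src, frame.dst, tag, frame.payload)

    def receive(self, in_port: str, frame: Frame) -> List[Tuple[str, Frame]]:
        """Process one ingress frame; return the (port, frame) pairs that leave the switch."""
        port = self.ports[in_port]
        vid = self.classify(port, frame)
        if vid is None:
            return []
        self.mac_table[(vid, frame.src)] = in_port          # learn, per VLAN
        known = self.mac_table.get((vid, frame.dst))
        if frame.dst == BROADCAST or known is None:
            targets = [n for n in self.ports if n != in_port]   # flood, VLAN-filtered below
        else:
            targets = [known] if known != in_port else []
        out = []
        for name in targets:
            egress_frame = self.egress(self.ports[name], vid, frame)
            if egress_frame is not None:
                out.append((name, egress_frame))
        return out


def demo() -> dict:
    """Constructed switch S2: PC1 and PC4 in VLAN 10, one port in VLAN 20, one trunk."""
    sw = Switch("S2", [
        Port("Fa0/1", "access", vlan=10),
        Port("Fa0/2", "access", vlan=20),
        Port("Fa0/3", "access", vlan=10),
        Port("Gi0/1", "trunk", vlan=99, allowed=frozenset({10, 20, 99})),
    ])
    pc1, pc4 = "00:00:00:00:00:01", "00:00:00:00:00:04"
    # Step 1-1: PC1's ARP request (broadcast) arrives on Fa0/1.
    arp_request = sw.receive("Fa0/1", Frame(pc1, BROADCAST, None, "who-has PC4?"))
    # Step 2-1: PC4's unicast ARP reply arrives on Fa0/3; the switch already knows PC1.
    arp_reply = sw.receive("Fa0/3", Frame(pc4, pc1, None, "PC4 is-at 00:00:00:00:00:04"))
    # A frame tagged VLAN 20 from the trunk may only reach the VLAN 20 access port.
    from_trunk = sw.receive("Gi0/1", Frame("00:00:00:00:00:05", BROADCAST, 20, "hello 20"))
    # An untagged frame from the trunk lands in native VLAN 99, which has no access ports.
    native = sw.receive("Gi0/1", Frame("00:00:00:00:00:06", BROADCAST, None, "untagged"))
    return {"arp_request": arp_request, "arp_reply": arp_reply,
            "from_trunk": from_trunk, "native": native, "mac_table": dict(sw.mac_table)}
```

The ARP request floods to the other VLAN 10 access port untagged and onto the trunk tagged 10, but never to the VLAN 20 port; the reply is a known unicast and goes to PC1's port only; the untagged frame from the trunk is classified into the native VLAN and, because no access port belongs to it, goes nowhere.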

Inter-VLAN Communication
In the figure, PC1 in VLAN 10 wants to communicate with PC5 in VLAN 20. Communicating with a device in another VLAN is called inter-VLAN communication.
Note: There are two connections from switch S1 to the router: one to carry transmissions on VLAN 10, and the other to carry transmissions on VLAN 20 to the router interface.
Step 1-1. PC1 in VLAN 10 wants to communicate with PC5 in VLAN 20. PC1 sends an ARP request frame for the MAC address of the default gateway R1.
Step 2. The router R1 replies with an ARP reply frame from its interface configured on VLAN 10. All switches forward the ARP reply frame and PC1 receives it. The ARP reply contains the MAC address of the default gateway.
Step 3-1. PC1 then creates an Ethernet frame with the MAC address of the default gateway as its destination (the IP destination is still PC5).
Step 3-2. The frame is sent from switch S2 to S1, which delivers it to R1 over the VLAN 10 link.
Step 4-1. The router R1 sends an ARP request frame on VLAN 20 to determine the MAC address of PC5.
Step 4-2. Switches S1, S2 and S3 broadcast the ARP request frame out ports configured for VLAN 20. PC5 on VLAN 20 receives the ARP request frame from router R1.
Step 5-1. PC5 on VLAN 20 sends an ARP reply frame to switch S3.
Step 5-2. Switches S3 and S1 forward the ARP reply frame to router R1 with the destination MAC address of interface F0/2 on router R1.
Step 6-1. Router R1 sends the frame received from PC1 through S1 on VLAN 20, now with R1's VLAN 20 interface as the source MAC address and PC5 as the destination MAC address.
Step 6-2. S1 sends the frame to S3, which delivers it to PC5 (on VLAN 20).

Switch Virtual Interface (SVI)
SVI is a logical interface configured for a specific VLAN.
You need to configure an SVI for a VLAN if you want to route between VLANs or to provide IP host connectivity to the switch.
By default, an SVI is created for the default VLAN (VLAN 1) to permit remote switch administration.

Layer 3 Forwarding
A Layer 3 switch has the ability to route transmissions between VLANs.
The procedure is the same as described for the inter-VLAN communication using a separate router, except that the SVIs act as the router interfaces for routing the data between VLANs.

Layer 3 Forwarding Example
In this example, PC1 wants to communicate with PC5. The following steps outline the communication through the Layer 3 switch S1:
Step 1-1. PC1 sends an ARP request broadcast on VLAN 10 for its default gateway.
Step 1-2. S2 forwards the ARP request out all ports configured for VLAN 10.
Step 2-1. Switch S1 forwards the ARP request out all ports configured for VLAN 10, including the SVI for VLAN 10.
Step 2-2. Switch S3 forwards the ARP request out all ports configured for VLAN 10.
Step 3. The SVI for VLAN 10 in switch S1 is the default gateway and knows the route to VLAN 20. It sends an ARP reply back to PC1 with its own MAC address.
Step 4. PC1 sends data, destined for PC5, as a unicast frame through switch S2 to the SVI for VLAN 10 in switch S1.
Step 5-1. The SVI for VLAN 20 sends an ARP request broadcast out all switch ports configured for VLAN 20.
Step 5-2. Switch S3 sends that ARP request broadcast out all switch ports configured for VLAN 20.
Step 6-1. PC5 on VLAN 20 sends an ARP reply.
Step 6-2. Switch S3 sends that ARP reply to S1.
Step 6-3. Switch S1 forwards the ARP reply to the SVI for VLAN 20.
Step 7. The SVI for VLAN 20 forwards the data, sent from PC1, in a unicast frame to PC5 using the destination MAC address it learned from the ARP reply in step 6.

VLAN Trunks

What is a Trunk?
Definition of a VLAN Trunk
A trunk is a point-to-point link between two network devices that carries more than one VLAN.
A VLAN trunk allows you to extend the VLANs across an entire network. Cisco supports IEEE 802.1Q for coordinating trunks on Fast Ethernet and Gigabit Ethernet interfaces.
A VLAN trunk does not belong to a specific VLAN, rather it is a conduit for VLANs between switches and routers.

What Problem Does a Trunk Solve?
Without trunking, each VLAN needs its own physical link between two switches (or between a switch and a router). A trunk carries all of them over one link.

802.1Q Frame Tagging
Layer 2 devices only use the Ethernet frame header information to forward frames.
The frame header does not contain information about which VLAN the frame belongs to.
Consequently, when Ethernet frames are placed on a trunk they need additional information about the VLANs they belong to.
This is accomplished by using the 802.1Q encapsulation header. This header adds a tag to the original Ethernet frame specifying the VLAN to which the frame belongs.

VLAN Frame Tagging Overview
When the switch receives a frame on a port configured in access mode with a static VLAN and forwards it out a trunk port, it inserts a 4-byte VLAN tag into the frame after the source MAC address, recalculates the FCS and sends the tagged frame out the trunk port. On the way out of an access port the tag is removed and the FCS recalculated again, so end hosts never see the tag.

VLAN Tag Field Details
The 4-byte VLAN tag sits between the source MAC address and the original Type/Length field. It consists of an EtherType (TPID) field and a tag control information field; the FCS at the end of the frame is not part of the tag but must be recalculated once the tag is inserted.

EtherType field
Set to the hexadecimal value of 0x8100. This value is called the tag protocol ID (TPID) value.

Tag control information field
The tag control information field contains:
3 bits of user priority - Used by the 802.1p standard, which specifies how to provide expedited transmission of Layer 2 frames.
1 bit of Canonical Format Identifier (CFI) - Enables Token Ring frames to be carried across Ethernet links easily. (In the current 802.1Q standard this bit is the Drop Eligible Indicator, DEI.)
12 bits of VLAN ID (VID) - VLAN identification numbers; 4096 values, of which 0 (priority-tagged frame, no VLAN) and 4095 are reserved, leaving 4094 usable VLAN IDs.

FCS field
After the switch inserts the EtherType and tag control information fields, it recalculates the FCS value and inserts it into the frame.
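The tag layout above as a byte-level Python codec. This is an added example, not code from the course or from Cisco: it builds the 4-byte tag (TPID 0x8100, then PCP, CFI/DEI and VID), inserts it after the source MAC address, recalculates the FCS with CRC-32, parses stacked tags, and models the native-VLAN rule that a frame whose tag matches the trunk's native VLAN leaves the trunk untagged. That last rule is the reason the Native VLAN notes say no access port should sit in the native VLAN: if a host's port is classified into the native VLAN (modelled here as an outer tag that the trunk then strips), any tag the host put in its own frame survives onto the trunk and the next switch reads it as the VLAN. The MAC addresses, payload and VLAN numbers are constructed.

```python
"""Build, tag, untag and parse IEEE 802.1Q frames. Added example; the frames in
demo() are constructed, not captured from the page's topology."""
import struct
import zlib
from typing import List, NamedTuple, Tuple

TPID_8021Q = 0x8100      # EtherType value announcing a VLAN tag
ETHERTYPE_ARP = 0x0806


class Tag(NamedTuple):
    pcp: int   # 3-bit priority code point (802.1p)
    cfi: int   # 1 bit: CFI in the original standard, DEI today
    vid: int   # 12-bit VLAN ID


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_tag(vid: int, pcp: int = 0, cfi: int = 0) -> bytes:
    """4-byte tag: TPID (0x8100) followed by TCI = PCP(3) | CFI(1) | VID(12)."""
    if not 0 <= pcp <= 7 or cfi not in (0, 1):
        raise ValueError("PCP is 3 bits and CFI/DEI is 1 bit")
    if not 1 <= vid <= 4094:          # 0 and 4095 are reserved by 802.1Q
        raise ValueError("usable VLAN IDs are 1-4094")
    return struct.pack("!HH", TPID_8021Q, (pcp << 13) | (cfi << 12) | vid)


def untagged_frame(dst: str, src: str, ethertype: int, payload: bytes) -> bytes:
    return mac_bytes(dst) + mac_bytes(src) + struct.pack("!H", ethertype) + payload


def tag_frame(frame: bytes, vid: int, pcp: int = 0) -> bytes:
    """Insert a tag after the source MAC (byte 12), as a switch does when a frame
    from an access port leaves on a trunk. Tagging an already tagged frame stacks
    a second (outer) tag in front of the first."""
    return frame[:12] + build_tag(vid, pcp) + frame[12:]


def parse_frame(frame: bytes) -> Tuple[str, str, List[Tag], int, bytes]:
    """Return (dst, src, tags outer-to-inner, ethertype, payload)."""
    dst, src = mac_str(frame[0:6]), mac_str(frame[6:12])
    off, tags = 12, []
    while struct.unpack_from("!H", frame, off)[0] == TPID_8021Q:
        tci = struct.unpack_from("!H", frame, off + 2)[0]
        tags.append(Tag(tci >> 13, (tci >> 12) & 1, tci & 0x0FFF))
        off += 4
    return dst, src, tags, struct.unpack_from("!H", frame, off)[0], frame[off + 2:]


def trunk_egress(frame: bytes, native_vid: int) -> bytes:
    """Trunk rule: a frame whose (outer) tag is the native VLAN is sent untagged."""
    tags = parse_frame(frame)[2]
    if tags and tags[0].vid == native_vid:
        return frame[:12] + frame[16:]     # drop the 4-byte outer tag
    return frame


def with_fcs(frame: bytes) -> bytes:
    """Ethernet FCS is CRC-32 (same polynomial as zlib.crc32), least significant byte first."""
    return frame + struct.pack("<I", zlib.crc32(frame) & 0xFFFFFFFF)


def fcs_ok(frame_with_fcs: bytes) -> bool:
    body, fcs = frame_with_fcs[:-4], frame_with_fcs[-4:]
    return struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF) == fcs


def demo() -> dict:
    """Constructed frames: an ARP request from PC1 on VLAN 10, and a frame carrying
    the host's own tag 20 under a native-VLAN (99) outer tag."""
    pc1 = "00:00:00:00:00:01"
    arp = untagged_frame("ff:ff:ff:ff:ff:ff", pc1, ETHERTYPE_ARP, b"who-has 10.0.10.4")
    on_trunk = with_fcs(tag_frame(arp, 10))                 # what a trunk carries
    corrupted = bytes([on_trunk[0] ^ 0x01]) + on_trunk[1:]  # one flipped bit
    # Host tag 20 inside, switch classification 99 outside. If 99 is the trunk's
    # native VLAN the outer tag is stripped and tag 20 is what the peer sees.
    crafted = tag_frame(tag_frame(arp, 20), 99)
    return {
        "tag_adds_bytes": len(on_trunk) - 4 - len(arp),
        "tag_on_trunk": parse_frame(on_trunk[:-4])[2],
        "fcs_ok": fcs_ok(on_trunk),
        "corrupted_fcs_ok": fcs_ok(corrupted),
        "native_99_peer_sees": parse_frame(trunk_egress(crafted, 99))[2],
        "native_1_peer_sees": parse_frame(trunk_egress(crafted, 1))[2],
    }
```

With the native VLAN set to 99 the peer switch sees a single tag, 20, and forwards the frame in VLAN 20; with the native VLAN set to anything else the outer tag 99 stays on the wire and the peer classifies the frame into VLAN 99 as intended.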

Native VLANs and 802.1Q Trunking

Native VLANs Configuration

Native VLANs Verification

Trunking Operation

A Trunk in Action Step 1

A Trunk in Action Step 2

A Trunk in Action Step 3 -1

A Trunk in Action Step 3 - 2

A Trunk in Action Step 4

Trunking Modes
A switch port on a Cisco switch supports a number of trunking modes. The trunking mode defines how the port negotiates using DTP (Dynamic Trunking Protocol) to set up a trunk link with its peer port. As follows:
On (switchport mode trunk) - the port trunks unconditionally and still sends DTP advertisements to the peer
Dynamic auto - the port becomes a trunk only if the peer asks; it never asks itself (the default mode on Catalyst 2960 ports)
Dynamic desirable - the port actively asks the peer to form a trunk
Two dynamic auto ports never form a trunk. DTP negotiates with whatever is plugged into the port, so ports facing end devices should be set to access mode explicitly with DTP turned off (switchport nonegotiate) rather than left in a dynamic mode.

Initial Port Configuration
Which Link will be trunk?

VLANs & Trunks Configuration
Configuring VLANs & Trunks
Add a VLAN
Added VLAN Verification
Assign a Switch Port
Assign a Switch Port Verification
Managing VLANs
Manage Port Memberships
Delete VLANs
Configure a Trunk - Example
Verify Trunk Configuration
Managing a Trunk Configuration

Common Problems with Trunks
Native VLAN Mismatches - Example
Trunk Mode Mismatches
Incorrect VLAN List
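The DTP trunking modes and the three trunk problems named above (native VLAN mismatch, trunk mode mismatch, incorrect VLAN list) as a Python pre-check over the two ends of a link. This is an added example, not code from the course or a Cisco tool. It encodes Cisco's documented DTP outcomes: two dynamic auto ports never trunk, a port with nonegotiate sends no DTP frames so a dynamic peer falls back to access, and a fixed trunk facing a fixed or fallen-back access port is a mode mismatch. The switch names, ports and VLAN numbers are constructed.

```python
"""Pre-check two trunk port configurations for the classic trunk problems.
Added example; the configurations in demo() are constructed."""
from dataclasses import dataclass
from typing import FrozenSet, List

MODES = ("access", "trunk", "dynamic auto", "dynamic desirable")
ALL_VLANS = frozenset(range(1, 4095))


@dataclass(frozen=True)
class PortConfig:
    switch: str
    port: str
    mode: str                  # one of MODES (switchport mode ...)
    nonegotiate: bool = False  # switchport nonegotiate: send no DTP frames
    native_vlan: int = 1       # switchport trunk native vlan ...
    allowed: FrozenSet[int] = ALL_VLANS   # switchport trunk allowed vlan ...

    def __post_init__(self) -> None:
        if self.mode not in MODES:
            raise ValueError(f"unknown mode {self.mode!r}")
        if self.nonegotiate and self.mode.startswith("dynamic"):
            raise ValueError("nonegotiate is only valid with mode trunk or access")


def operational_state(me: PortConfig, peer: PortConfig) -> str:
    """What this end settles on ('trunk' or 'access') given the peer's configuration."""
    if me.mode in ("trunk", "access"):
        return me.mode                      # fixed modes do not depend on the peer
    peer_talks = not peer.nonegotiate       # a nonegotiate peer never answers DTP
    if me.mode == "dynamic desirable":
        # Desirable asks; any DTP-speaking peer that can trunk will agree.
        wants = ("trunk", "dynamic desirable", "dynamic auto")
    else:
        # Auto only answers; it needs a peer that asks (or is already trunking).
        wants = ("trunk", "dynamic desirable")
    return "trunk" if peer_talks and peer.mode in wants else "access"


def check_trunk(a: PortConfig, b: PortConfig) -> List[str]:
    """Return the list of problems on the link a<->b; an empty list means a clean trunk."""
    problems: List[str] = []
    sa, sb = operational_state(a, b), operational_state(b, a)
    if sa != sb:
        problems.append(f"trunk mode mismatch: {a.switch} {a.port} is {sa}, "
                        f"{b.switch} {b.port} is {sb}")
        return problems                     # nothing below applies to a half-trunk
    if sa == "access":
        problems.append("no trunk formed: both ends settled on access mode")
        return problems
    if a.native_vlan != b.native_vlan:
        problems.append(f"native VLAN mismatch: {a.switch} uses {a.native_vlan}, "
                        f"{b.switch} uses {b.native_vlan}")
    only_a, only_b = a.allowed - b.allowed, b.allowed - a.allowed
    if only_a or only_b:
        problems.append(f"allowed VLAN list mismatch: only on {a.switch}: {sorted(only_a)}, "
                        f"only on {b.switch}: {sorted(only_b)}")
    for end in (a, b):
        if end.native_vlan == 1:
            problems.append(f"{end.switch} {end.port}: native VLAN is 1; use an unused VLAN")
    return problems


def demo() -> dict:
    """Constructed configurations covering the cases named on the slides."""
    vlans = frozenset({10, 20, 99})
    s1 = PortConfig("S1", "Fa0/1", "dynamic desirable", native_vlan=99, allowed=vlans)
    s2 = PortConfig("S2", "Fa0/1", "dynamic auto", native_vlan=99, allowed=vlans)
    s3_auto = PortConfig("S3", "Fa0/1", "dynamic auto", native_vlan=99, allowed=vlans)
    s3_bad = PortConfig("S3", "Fa0/1", "trunk", native_vlan=1, allowed=frozenset({1, 10, 30}))
    hardened = PortConfig("S1", "Fa0/2", "trunk", nonegotiate=True, native_vlan=99, allowed=vlans)
    return {
        "good": check_trunk(s1, s2),                 # desirable + auto: clean trunk
        "auto_auto": check_trunk(s2, s3_auto),       # nobody asks: no trunk at all
        "mismatches": check_trunk(s1, s3_bad),       # native, allowed list, VLAN 1
        "noneg_vs_auto": check_trunk(hardened, s2),  # trunk one side, access the other
    }
```

The last case is the one that bites in practice: hardening a trunk with nonegotiate is correct, but the peer must then be set to trunk explicitly, otherwise its dynamic port hears no DTP and silently stays an access port.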
