Chapter 11 – Implementing Ethernet Virtual LANs

Virtual LAN Concepts

• LAN includes all the user devices, servers, switches, routers, cables, and wireless access points in one location 
• Better formula for LAN would be – LAN includes all devices in the same broadcast domain 
• LAN and broadcast domain are basically the same thing when we talk about packet forwarding 
• Without VLAN, switch considers all its interfaces to be in the same broadcast domain 
• Meaning that when broadcast frame enters one switch’s port, it will forward it to all other ports. 
• With VLANs, switch can configure some interfaces into one broadcast domain, and some into another, creating multiple broadcast domains. 
• These individual broadcast domains created by switch are called VLANs 

The following list explains why to choose VLAN and creating smaller broadcast domains (VLANs)

• to reduce CPU overhead on each device by reducing the number of devices that receive a broadcast frame 
• to reduce security risks by reducing the number of hosts that receive copies of frames 
• to improve security for hosts that send sensitive data by keeping those hosts on separate VLAN 
• to create more flexible designs that group users by department, by groups, by physical location 
• to solve problems more quickly 
• to reduce workload for the Spanning Tree Protocol by limiting a VLAN to a single access switch. 

Creating multi-switch VLANs using trunking

• VLAN trunking creates one link between each switch that supports as many VLANs as you need.  
• As a VLAN trunk, the switches treat the link as if it were a part of all the VLANs 
• The trunk keeps the VLAN traffic separate, so frames in VLAN10 would not go to devices in VLAN20 and vice versa  
• To do so, frames need to be identified by VLAN number as it crosses the trunk.  
• The uses of trunking allows switches to pass frames from multiple VLANs over a single physical connection by adding a small header to the Ethernet frame. 

• In the example above, PC 11 sends a broadcast frame, and because there is VLAN10 on SW2, SW1 will create VLANID of 10, and stick it to the Ethernet frame and send to SW2 
• SW2 knows that this frame is for VLAN10 and therefore broadcasts the frame to all VLAN10 ports 

The 802.1Q and ISL VLAN trunking protocols

• Cisco supported two different trunking protocols over the years: 
  • Inter-Switch Link (ISL) 
  • IEEE 802.1Q 

• Cisco created the ISL long before 802.1Q because the IEEE had not yet defined a VLAN trunking standard 
• ISL was beaten by 802.1Q because it is more popular 
• The ISL and 802.1Q are doing the same thing, tagging each frame with VLAN ID, the details differ 
• 802.1Q inserts an extra 4 byte 802.1Q VLAN header into the original Ethernet frame header. 
• Cisco switches break the range of VLAN IDs (1-4094) into two ranges: 
• Normal range (1-1005) 
• Extended range (1006-4094) (some switches) 
• 802.1Q defines one special VLAN ID on each trunk as the native VLAN (defaulting to VLAN1) 
• 802.1Q does not add the header to frames in the native VLAN 
• When the switch receives a frame that does not have 802.1Q header, it assumes it is for VLAN1 (native VLAN) 
• Both switches must agree on which VLAN is native VLAN 

Forwarding data between VLANs

Routing packets between VLANs with a router: 

• When including VLANs in a campus LAN design, the devices in a VLAN need to be in the same subnet. 
• Devices in different VLANs need to be in different subnets. 

• In this example, DINO cannot communicate with WILMA because this switch is layer 2 switch and VLANs cannot communicate 

• The layer 2 logic does not let the layer 2 switch forward the Ethernet frame between VLANs 
• However, routers can route layer 3 packets between subnets as their normal job in their miserable life 
• For example, the image below shows a router that can route packets between subnets 10 and 20 

• The image above shows a router that can route packets between subnets 10 and 20.  
• The image shows the same layer 2 switch with two VLANs that separate switch, and with the same PCs in the same VLAN and subnets.  
• Now, R1 has one LAN interface connected to VLAN1 and other to VLAN 20 
• With an interface connected to each subnet, the layer 2 switch can keep doing its job forwarding frames inside a VLAN, 
• While the router can do its job, routing IP packets between two subnets 

• The topology above works but it uses too many ports and interfaces 
• To replace this topology, we can use trunking as a method of forwarding 

• Trunking can work between any two devices that choose to support it: 
  • between two switches 
  • between a router and a switch 
  • between server hardware and a switch 

BECAUSE THE ROUTER HAS A SINGLE PHYSICAL LINK CONNECTED TO A LAN SWITCH, THIS DESIGN IS CALLED ROUTER ON A STICK 

Routing packets with a layer 3 switch

• Layer 3 switches (multilayer switches) 
• Layer 3 switch can be configured to act as layer 2 switch or layer 2 switching and layer 3 routing 
• Many medium to large-sized enterprise campus LANs use layer 3 switches to route packets between subnets in a campus 

VLAN and VLAN trunking configuration and verification: 

• Creating VLANs and assigning access VLANs to an interface 
• Configuring interfaces that do use VLAN trunking 

Creating VLANs and assigning access VLANs to an interface: 

• section shows how to create VLAN, give it a name, assign interfaces to VLAN 

CONFIGURATION CHECKLIST: 

1. from configuration mode, use # vlan <vlan_id> command to create and to move the user into VLAN configuration mode 
2. use # name <name> command in VLAN config mode to list a name for the VLAN 

For each access interface follow these steps: 

1. # interface <type number>  move into interface (interface fa 0/1 for example) 
2. # switchport access vlan <id-number>  specify the VLAN number associated with the interface 
3. # switchport mode access  make that port as access port and NOT trunk port. 

VLAN CONFIGURATION EXAMPLE 1:  

SW1# show vlan brief 
SW1# configure terminal  
SW1(config)# name <vlan_name> 
SW1(config-vlan)# exit 
SW1(config)# interface range fastethernet 0/13 - 14 
SW1(config-if)# switchport access vlan 2 
SW1(config-if)# switchport mode access 
SW1(config-if)# end 

Checking done work: 

SW1# show vlan brief 
SW1# show running-config 
SW1# show vlan id 2 

VLAN Trunking protocol

• VLAN Trunking Protocol (VTP) 
• VTP is Cisco proprietary tool on Cisco switches that advertises each VLAN configured in one switch so that all other switches in LAN learn about that VLAN 
• Check VTP status with show vtp status command. If the switch uses VTP server or client mode, you will find: 
• Server switches can configure VLANs in the standard range only (1-1005) 
• Client switches cannot configure VLANs 
• Both servers and clients may be learning new VLANs from other switches, and seeing their VLANs deleted by other switches, because of VTP 
• Show running-config command does not list any VLAN commands 

In lab switch to VTP transparent mode and ignore VTP until ICND2 

VLAN trunking configuration

• Trunking can be simple if you just statically configure trunking 
• Trunking configuration on Cisco switches has many options, including several options for dynamically negotiating various trunking settings. 
• Cisco switches that support ISL and 802.1Q can negotiate which type to use, using the Dynamic Trunking Protocol (DTP) 
• If both switches support both protocols, they use ISL, otherwise they use the protocol that both support. 
• Today, many switches do not support the ISL trunking protocol 

802.1Q Dominates.

• Switches that support both types of trunking use switch port trunk encapsulation (dot1q, isl, negotiate) interface subcommand to either configure the type or allow DTP to negotiate the type 
• DTP can also negotiate whether the two devices on the link agree to trunk at all 
• Cisco switches use switch port mode interface subcommand to define the administrative trunking mode 

• The example above, switches use gigabit trunk link.  
• In this case, the trunk does not dynamically form by default because both switches default to an administrative mode of dynamic auto, meaning that neither switch initiates the trunk negotiation process 
• By changing one switch to use dynamic desirable mode, which does initiate the negotiation, the switches will negotiate to use trunking, specifically 802.1Q because the 2960 supports only that trunking protocol 

#show interfaces trunk - to verify whether trunking is working now 

• Cisco recommends disabling trunk negotiation on most ports for better security 
• The majority of switch ports on most switches will be used to connect to users 
• As a matter of habit, you can disable DTP negotiations using the switchport nonegotiate interface subcomand 

Implementing interfaces connected to phones: 

Data and voice VLAN concepts

• Cisco embedded small three-port switches into each phone 
• IP telephones have small LAN switch 

Configuring the Voice and Data VLAN on ports connected to phones:

SW1# configure terminal
SW1(config)# vlan 10
SW1(config-vlan)# vlan 11
SW1(config-vlan)# interface range FastEthernet0/1 - 4
SW1(config-if)# switchport mode access
SW1(config-if)# switchport access vlan 10
SW1(config-if)# switchport voice vlan 11
SW1(config-if)# ^Z
SW1#