Wednesday, 6 July 2011

VLANs

A VLAN allows a network administrator to create groups of logically networked devices that act as if they are on their own independent network, even if they share a common infrastructure with other VLANs.  Using VLANs, you can logically segment switched networks based on functions, departments, or project teams. You can also use a VLAN to geographically structure your network to support the growing reliance of companies on home-based workers.

A VLAN is a logically separate IP subnetwork. VLANs allow multiple IP networks and subnets to exist on the same switched network. For computers to communicate on the same VLAN, each must have an IP address and a subnet mask that is consistent for that VLAN. The switch has to be configured with the VLAN and each port in the VLAN must be assigned to the VLAN. A switch port with a single VLAN configured on it is called an access port. Remember, just because two computers are physically connected to the same switch does not mean that they can communicate. Devices on two separate networks and subnets must communicate via a router (Layer 3), whether or not VLANs are used.


Benefits of a VLAN

The primary benefits of using VLANs are as follows:

  • Security - Groups that have sensitive data are separated from the rest of the network, decreasing the chances of confidential information breaches.
  • Cost reduction - Cost savings result from less need for expensive network upgrades and more efficient use of existing bandwidth and uplinks.
  • Higher performance - Dividing flat Layer 2 networks into multiple logical workgroups (broadcast domains) reduces unnecessary traffic on the network and boosts performance.
  • Broadcast storm mitigation - Dividing a network into VLANs reduces the number of devices that may participate in a broadcast storm.
  • Improved IT staff efficiency - VLANs make it easier to manage the network because users with similar network requirements share the same VLAN.
  • Simpler project or application management - VLANs aggregate users and network devices to support business or geographic requirements.


    Normal Range VLANs

    • Used in small- and medium-sized business and enterprise networks.
    • Identified by a VLAN ID between 1 and 1005. 
    • IDs 1002 through 1005 are reserved for Token Ring and FDDI VLANs.
    • IDs 1 and 1002 to 1005 are automatically created and cannot be removed.
    • Configurations are stored within a VLAN database file, called vlan.dat. The vlan.dat file is located in the flash memory of the switch. 
    • The VLAN trunking protocol (VTP), which helps manage VLAN configurations between switches, can only learn normal range VLANs and stores them in the VLAN database file.

    Extended Range VLANs

    • Enable service providers to extend their infrastructure to a greater number of customers
    • Are identified by a VLAN ID between 1006 and 4094.
    • Support fewer VLAN features than normal range VLANs.
    • Are saved in the running configuration file. 
    • VTP does not learn extended range VLANs. 

    Types of VLANs

    In the network there are a number of terms for VLANs. Some terms define the type of network traffic they carry and others define a specific function a VLAN performs. The following describes common VLAN terminology:

    Data VLAN

    A data VLAN is a VLAN that is configured to carry only user-generated traffic. A VLAN could carry voice-based traffic or traffic used to manage the switch, but this traffic would not be part of a data VLAN. It is common practice to separate voice and management traffic from data traffic. The importance of separating user data from switch management control data and voice traffic is highlighted by the use of a special term used to identify VLANs that only carry user data - a "data VLAN". A data VLAN is sometimes referred to as a user VLAN.


    Default VLAN

    All switch ports become members of the default VLAN after the initial boot-up of the switch. Having all the switch ports participate in the default VLAN makes them all part of the same broadcast domain. This allows any device connected to any switch port to communicate with other devices on other switch ports. The default VLAN for Cisco switches is VLAN 1. VLAN 1 has all the features of any VLAN, except that you cannot rename it and you cannot delete it. By default, Layer 2 control traffic, such as CDP and spanning tree protocol traffic, is associated with VLAN 1. It is a security best practice to change the default VLAN to a VLAN other than VLAN 1; this entails configuring all the ports on the switch to be associated with a default VLAN other than VLAN 1.


    Native VLAN

    A native VLAN is assigned to an 802.1Q trunk port. An 802.1Q trunk port supports traffic coming from many VLANs (tagged traffic) as well as traffic that does not come from a VLAN (untagged traffic). The 802.1Q trunk port places untagged traffic on the native VLAN. Untagged traffic is generated by a computer attached to a switch port that is configured with the native VLAN. Native VLANs are set out in the IEEE 802.1Q specification to maintain backward compatibility with untagged traffic common to legacy LAN scenarios.  It is a best practice to use a VLAN other than VLAN 1 as the native VLAN.



     Management VLAN

    A management VLAN is any VLAN you configure to access the management capabilities of a switch. VLAN 1 would serve as the management VLAN if you did not proactively define a unique VLAN to serve as the management VLAN. You assign the management VLAN an IP address and subnet mask. A switch can be managed via HTTP, Telnet, SSH, or SNMP.



    Voice VLANs

    It is easy to appreciate why a separate VLAN is needed to support Voice over IP (VoIP).



    The F0/18 port on S3 is configured to be in voice mode so that it will tell the phone to tag voice frames with VLAN 150. Data frames coming through the Cisco IP phone from PC5 are left untagged. Data destined for PC5 coming from port F0/18 is tagged with VLAN 20 on the way to the phone, which strips the VLAN tag before the data is forwarded to PC5. Tagging refers to the addition of bytes to a field in the data frame which is used by the switch to identify which VLAN the data frame should be sent to.

    A Cisco Phone is a Switch

    The Cisco IP Phone contains an integrated three-port 10/100 switch.  The ports provide dedicated connections to these devices:

    • Port 1 connects to the switch or other voice-over-IP (VoIP) device.
    • Port 2 is an internal 10/100 interface that carries the IP phone traffic.
    • Port 3 (access port) connects to a PC or other device.


       
      The voice VLAN feature enables switch ports to carry IP voice traffic from an IP phone. When the switch is connected to an IP Phone, the switch sends messages that instruct the attached IP phone to send voice traffic tagged with the voice VLAN ID 150. The traffic from the PC attached to the IP Phone passes through the IP phone untagged. When the switch port has been configured with a voice VLAN, the link between the switch and the IP phone acts as a trunk to carry both the tagged voice traffic and untagged data traffic.




      VLAN Switch Port Modes

      When you configure a VLAN, you must assign it a number ID, and you can optionally give it a name. The purpose of VLAN implementations is to judiciously associate ports with particular VLANs. You configure the port to forward a frame to a specific VLAN. As mentioned previously, you can configure a port in voice mode to support voice and data traffic coming from a Cisco IP phone. You can configure a port to belong to a VLAN by assigning a membership mode that specifies the kind of traffic the port carries and the VLANs to which it can belong. A port can be configured to support these VLAN types:

      • Static VLAN - Ports on a switch are manually assigned to a VLAN.

      • Dynamic VLAN - A dynamic port VLAN membership is configured using a special server called a VLAN Membership Policy Server (VMPS). With the VMPS, you assign switch ports to VLANs dynamically, based on the source MAC address of the device connected to the port. The benefit comes when you move a host from a port on one switch in the network to a port on another switch in the network, the switch dynamically assigns the new port to the proper VLAN for that host.
      • Voice VLAN - A port is configured to be in voice mode so that it can support an IP phone attached to it. Before you configure a voice VLAN on the port, you need to first configure a VLAN for voice and a VLAN for data.

      Intra-VLAN Communication

      Communicating with a device in the same VLAN is called intra-VLAN communication.

      Inter-VLAN Communication

      Communicating with a device in another VLAN is called inter-VLAN communication.


      VLAN Trunks

      A VLAN trunk carries the traffic of a VLAN to different parts of the network. In the figure, the links between switches S1 and S2, and S1 and S3, are configured to transmit traffic coming from VLANs 10, 20, 30, and 99. This network simply could not function without VLAN trunks.



      A trunk is a point-to-point link between two network devices that carries more than one VLAN. A VLAN trunk allows you to extend the VLANs across an entire network. Cisco supports IEEE 802.1Q for coordinating trunks on Fast Ethernet and Gigabit Ethernet interfaces. A VLAN trunk does not belong to a specific VLAN, rather it is a conduit for VLANs between switches and routers.

      In the figure, you see the standard topology used in this chapter, except instead of the VLAN trunk that you are used to seeing between switches S1 and S2, there is a separate link for each subnet. There are four separate links connecting switches S1 and S2, leaving three fewer ports to allocate to end-user devices. Each time a new subnetwork is considered, a new link is needed for each switch in the network.



      In the figure, the network topology shows a VLAN trunk connecting switches S1 and S2 with a single physical link. This is the way a network should be configured.




      802.1Q Frame Tagging

      Remember that switches are Layer 2 devices. They only use the Ethernet frame header information to forward frames. The frame header does not contain information about which VLAN the frame should belong to. Consequently, when Ethernet frames are placed on a trunk, they need additional information about the VLANs they belong to. This is accomplished by using the 802.1Q encapsulation header. This header adds a tag to the original Ethernet frame specifying the VLAN to which the frame belongs.


      Tagged Frames on the Native VLAN 

      Some devices that support trunking tag native VLAN traffic as a default behavior. Control traffic sent on the native VLAN should be untagged. If an 802.1Q trunk port receives a tagged frame on the native VLAN, it drops the frame. Consequently, when configuring a switch port on a Cisco switch, you need to identify these devices and configure them so that they do not send tagged frames on the native VLAN.




      Untagged Frames on the Native VLAN

      When a Cisco switch trunk port receives untagged frames it forwards those frames to the native VLAN. As you may recall, the default native VLAN is VLAN 1. When you configure an 802.1Q trunk port, a default Port VLAN ID (PVID) is assigned the value of the native VLAN ID. All untagged traffic coming in or out of the 802.1Q port is forwarded based on the PVID value. For example, if VLAN 99 is configured as the native VLAN, the PVID is 99 and all untagged traffic is forwarded to VLAN 99. If the native VLAN has not been reconfigured, the PVID value is set to VLAN 1.




      Trunking Modes - ISL


      Although a Cisco switch can be configured to support two types of trunk ports, IEEE 802.1Q and ISL, today only 802.1Q is used. However, legacy networks may still use ISL, and it is useful to learn about each type of trunk port.


      • An IEEE 802.1Q trunk port supports simultaneous tagged and untagged traffic. An 802.1Q trunk port is assigned a default PVID, and all untagged traffic travels on the port default PVID. All untagged traffic and tagged traffic with a null VLAN ID are assumed to belong to the port default PVID. A packet with a VLAN ID equal to the outgoing port default PVID is sent untagged. All other traffic is sent with a VLAN tag. 
      • In an ISL trunk port, all received packets are expected to be encapsulated with an ISL header, and all transmitted packets are sent with an ISL header. Native (non-tagged) frames received from an ISL trunk port are dropped.
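      The tag handling described in the 802.1Q sections above (frame tagging, tagged and untagged frames on the native VLAN, the PVID rules of the trunk port list) and in the voice VLAN section can be checked against a small model. The following is an added example, not code from the page or from Cisco: it builds and parses 802.1Q tags on constructed Ethernet frames, classifies frames arriving on a trunk by its PVID, tags or untags frames on the way out, and shows how a voice-mode access port separates untagged PC frames from the phone's tagged frames. The sample frame, the MAC addresses and the function names are this example's own, and the rule that a voice-mode port does not accept a tag for any VLAN other than the voice VLAN is an assumption added here rather than a statement from the page.

```python
"""Model of 802.1Q tag handling on a trunk port and on a voice-mode access port.
Added example; the frame bytes below are constructed, not captured traffic."""
import struct

TPID_8021Q = 0x8100   # EtherType value that announces an 802.1Q tag
DROP = "drop"         # sentinel returned when the port discards the frame


def build_tci(vlan_id, pcp=0, dei=0):
    """Pack the 16-bit Tag Control Information: 3-bit PCP, 1-bit DEI, 12-bit VID."""
    if not (0 <= vlan_id <= 4095 and 0 <= pcp <= 7 and dei in (0, 1)):
        raise ValueError("tag field out of range")
    return (pcp << 13) | (dei << 12) | vlan_id


def parse_tag(frame):
    """Return the VLAN ID in the frame's 802.1Q tag, or None if it is untagged."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != TPID_8021Q:
        return None
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    (tci,) = struct.unpack("!H", frame[14:16])
    return tci & 0x0FFF


def tag_frame(frame, vlan_id, pcp=0):
    """Insert the 4-byte tag between the source MAC and the original EtherType."""
    if parse_tag(frame) is not None:
        raise ValueError("frame is already tagged")
    tag = struct.pack("!HH", TPID_8021Q, build_tci(vlan_id, pcp))
    return frame[:12] + tag + frame[12:]


def untag_frame(frame):
    """Remove the tag (bytes 12..15); untagged frames are returned unchanged."""
    return frame if parse_tag(frame) is None else frame[:12] + frame[16:]


def trunk_ingress(frame, pvid):
    """VLAN a frame arriving on an 802.1Q trunk is placed in (native VLAN = pvid)."""
    vid = parse_tag(frame)
    if vid is None or vid == 0:
        # untagged, or tagged with the null VLAN ID: belongs to the native VLAN
        return pvid
    if vid == pvid:
        # a tagged frame carrying the native VLAN ID is discarded by the trunk port
        return DROP
    return vid


def trunk_egress(frame, vlan_id, pvid):
    """Native-VLAN frames leave the trunk untagged; every other VLAN is tagged."""
    bare = untag_frame(frame)
    return bare if vlan_id == pvid else tag_frame(bare, vlan_id)


def voice_port_ingress(frame, data_vlan, voice_vlan):
    """Access port in voice mode: the PC's frames arrive untagged and go to the
    data VLAN; the phone tags its own frames with the voice VLAN. A tag for any
    other VLAN is treated as not accepted (assumption of this example)."""
    vid = parse_tag(frame)
    if vid is None:
        return data_vlan
    return voice_vlan if vid == voice_vlan else DROP


# Constructed sample frame: broadcast ARP request from a made-up MAC, untagged.
DST = bytes.fromhex("ffffffffffff")
SRC = bytes.fromhex("0200c0ffee01")
SAMPLE = DST + SRC + struct.pack("!H", 0x0806) + b"\x00" * 28


def walkthrough(pvid=99, data_vlan=20, voice_vlan=150):
    """Run the page's scenarios and return the VLAN each frame ends up in."""
    return {
        "untagged on trunk": trunk_ingress(SAMPLE, pvid),
        "tagged 10 on trunk": trunk_ingress(tag_frame(SAMPLE, 10), pvid),
        "tagged with native id": trunk_ingress(tag_frame(SAMPLE, pvid), pvid),
        "pc frame on voice port": voice_port_ingress(SAMPLE, data_vlan, voice_vlan),
        "phone frame on voice port": voice_port_ingress(
            tag_frame(SAMPLE, voice_vlan, pcp=5), data_vlan, voice_vlan),
        "egress native is tagged": parse_tag(trunk_egress(SAMPLE, pvid, pvid)) is not None,
        "egress vlan 10 tag": parse_tag(trunk_egress(SAMPLE, 10, pvid)),
    }


if __name__ == "__main__":
    for scenario, result in walkthrough().items():
        print(f"{scenario:28s} -> {result}")
```

      Running the file prints one line per scenario. The two results worth checking against the text are that an untagged frame lands in VLAN 99 (the PVID) while a frame tagged 99 is dropped, and that a frame leaving the trunk in the native VLAN carries no tag. That pairing is exactly why the native VLAN is a choice to make deliberately: whatever VLAN the PVID names is the one that untagged frames from anything on the link will be placed in.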

      DTP

      Dynamic Trunking Protocol (DTP) is a Cisco proprietary protocol. Switches from other vendors do not support DTP. DTP is automatically enabled on a switch port when certain trunking modes are configured on the switch port.

      DTP manages trunk negotiation only if the port on the other switch is configured in a trunk mode that supports DTP. DTP supports both ISL and 802.1Q trunks. Switches do not need DTP to do trunking, and some Cisco switches and routers do not support DTP.

      DTP Switchport Mode Interactions


      • On (default) - The switch port periodically sends DTP frames, called advertisements, to the remote port. The command used is switchport mode trunk. The local switch port advertises to the remote port that it is dynamically changing to a trunking state. The local port then, regardless of what DTP information the remote port sends as a response to the advertisement, changes to a trunking state. The local port is considered to be in an unconditional (always on) trunking state.
      • Dynamic auto - The switch port periodically sends DTP frames to the remote port. The command used is switchport mode dynamic auto. The local switch port advertises to the remote switch port that it is able to trunk but does not request to go to the trunking state. After a DTP negotiation, the local port ends up in trunking state only if the remote port trunk mode has been configured to be on or desirable. If both ports on the switches are set to auto, they do not negotiate to be in a trunking state. They negotiate to be in the access (non-trunk) mode state.
      • Dynamic desirable - DTP frames are sent periodically to the remote port. The command used is switchport mode dynamic desirable. The local switch port advertises to the remote switch port that it is able to trunk and asks the remote switch port to go to the trunking state. If the local port detects that the remote has been configured in on, desirable, or auto mode, the local port ends up in trunking state. If the remote switch port is in the nonegotiate mode, the local switch port remains as a nontrunking port.



      Turn off DTP

      You can turn off DTP for the trunk so that the local port does not send out DTP frames to the remote port. Use the command switchport nonegotiate. The local port is then considered to be in an unconditional trunking state. Use this feature when you need to configure a trunk with a switch from another switch vendor.

      Example:


      In the figure, the F0/1 ports on switches S1 and S2 are configured with trunk mode on. The F0/3 ports on switches S1 and S3 are configured to be in auto trunk mode.

      The link between switches S1 and S2 becomes a trunk because the F0/1 ports on switches S1 and S2 are configured to ignore all DTP advertisements and come up and stay in trunk port mode. The F0/3 ports on switches S1 and S3 are set to auto, so they negotiate to be in the default state, the access (non-trunk) mode state. This results in an inactive trunk link. When you configure a trunk port to be in trunk port mode, there is no ambiguity about which state the trunk is in: it is always on. It is also easy to remember which state the trunk ports are in: if the port is supposed to be a trunk, trunk mode is on.
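      The mode rules from the DTP switchport mode list, the nonegotiate paragraph and the S1/S2/S3 example above can be expressed as a negotiation table. The following is an added example (not the page's or Cisco's code) that works out the state each port settles in from its own mode and its neighbour's mode, reports the resulting link state, and lists the ports whose trunk state depends on what the neighbour advertises, which is the set a hardening review would want pinned to an explicit mode. The switch and port names follow the page's topology; the link inventory, the "mismatch" result and the function names are this example's own.

```python
"""Outcome of a DTP negotiation between two switch ports, using the mode rules
given on this page. Added example; the link inventory below is constructed."""

ON = "on"                          # switchport mode trunk
DYNAMIC_AUTO = "dynamic auto"      # switchport mode dynamic auto
DYNAMIC_DESIRABLE = "dynamic desirable"  # switchport mode dynamic desirable
NONEGOTIATE = "nonegotiate"        # switchport nonegotiate: trunk, sends no DTP frames

TRUNK, ACCESS, MISMATCH = "trunk", "access", "mismatch"


def port_state(local, remote):
    """State the local port settles in, given its own mode and the neighbour's."""
    if local in (ON, NONEGOTIATE):
        # unconditional trunk: the neighbour's advertisements are ignored
        return TRUNK
    if local == DYNAMIC_AUTO:
        # only trunks when the neighbour actively asks for it (on or desirable);
        # a nonegotiate neighbour sends no DTP frames, so the port stays access
        return TRUNK if remote in (ON, DYNAMIC_DESIRABLE) else ACCESS
    if local == DYNAMIC_DESIRABLE:
        # asks to trunk and succeeds with any neighbour that still speaks DTP
        return TRUNK if remote in (ON, DYNAMIC_DESIRABLE, DYNAMIC_AUTO) else ACCESS
    raise ValueError(f"unknown switchport mode {local!r}")


def link_state(mode_a, mode_b):
    """Trunk if both ends trunk, access if neither does, mismatch otherwise."""
    a, b = port_state(mode_a, mode_b), port_state(mode_b, mode_a)
    return a if a == b else MISMATCH


# Constructed inventory in the page's topology: (switch, port, mode) for each end.
LINKS = [
    ("S1", "F0/1", ON, "S2", "F0/1", ON),
    ("S1", "F0/3", DYNAMIC_AUTO, "S3", "F0/3", DYNAMIC_AUTO),
]


def evaluate(links=LINKS):
    """(link description, resulting link state) for every inventoried link."""
    return [(f"{sa} {pa} <-> {sb} {pb}", link_state(ma, mb))
            for sa, pa, ma, sb, pb, mb in links]


def negotiating_ports(links=LINKS):
    """Ports whose trunk state is decided by the neighbour rather than by their
    own configuration: candidates for an explicit trunk or non-trunk mode."""
    found = []
    for sa, pa, ma, sb, pb, mb in links:
        for switch, port, mode in ((sa, pa, ma), (sb, pb, mb)):
            if mode in (DYNAMIC_AUTO, DYNAMIC_DESIRABLE):
                found.append(f"{switch} {port} ({mode})")
    return found


if __name__ == "__main__":
    for link, state in evaluate():
        print(f"{link}: {state}")
    print("ports still negotiating:", negotiating_ports())
```

      The first link resolves to a trunk and the second to access, matching the example in the text. A mismatch appears when one end is an unconditional trunk and the other is a dynamic port that never hears DTP from it, such as dynamic desirable facing nonegotiate; that is the situation to look for when a trunk to a non-Cisco switch comes up on one side only.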



      Configuring VLANs and Trunks Overview



      Add a VLAN

      There are two different modes for configuring VLANs on a Cisco Catalyst switch, database configuration mode and global configuration mode. You will configure VLANs with IDs in the normal range. Recall there are two ranges of VLAN IDs. The normal range includes IDs 1 to 1001, and the extended range consists of IDs 1006 to 4094. VLAN 1 and 1002 to 1005 are reserved ID numbers. When you configure normal range VLANs, the configuration details are stored automatically in flash memory on the switch in a file called vlan.dat.






      Note: In addition to entering a single VLAN ID, you can enter a series of VLAN IDs separated by commas, or a range of VLAN IDs separated by hyphens using the vlan vlan-id command, for example: switch(config)#vlan 100,102,105-107.
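      The comma-and-hyphen syntax in the note above, together with the normal and extended range facts from earlier on this page (reserved IDs 1 and 1002 to 1005, vlan.dat versus the running configuration, what VTP learns), is enough to write a small validator for a VLAN ID list before it is typed into a switch. The following is an added example, not code from the page or from Cisco; the function names and the sample specs are this example's own.

```python
"""Parse the VLAN ID list syntax of the vlan command and classify each ID into
the normal or extended range. Added example; sample inputs are constructed."""

MAX_VLAN = 4094
RESERVED = {1, 1002, 1003, 1004, 1005}       # auto-created, cannot be removed
NORMAL_RANGE = range(1, 1006)                 # 1..1005: flash:vlan.dat, learned by VTP
EXTENDED_RANGE = range(1006, MAX_VLAN + 1)    # 1006..4094: running-config, not learned by VTP


def parse_vlan_list(spec):
    """'100,102,105-107' -> [100, 102, 105, 106, 107]; rejects malformed input."""
    ids = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            raise ValueError(f"empty element in {spec!r}")
        lo, sep, hi = part.partition("-")
        try:
            low = int(lo)
            high = int(hi) if sep else low
        except ValueError:
            raise ValueError(f"non-numeric VLAN ID in {part!r}") from None
        if low > high:
            raise ValueError(f"descending range {part!r}")
        if low < 1 or high > MAX_VLAN:
            raise ValueError(f"VLAN ID outside 1-{MAX_VLAN} in {part!r}")
        ids.update(range(low, high + 1))
    return sorted(ids)


def classify(vlan_id):
    """'reserved', 'normal' or 'extended' for a valid VLAN ID."""
    if vlan_id in RESERVED:
        return "reserved"
    if vlan_id in NORMAL_RANGE:
        return "normal"
    if vlan_id in EXTENDED_RANGE:
        return "extended"
    raise ValueError(f"VLAN ID {vlan_id} outside 1-{MAX_VLAN}")


def storage(vlan_id):
    """Where the switch keeps the VLAN's definition, per the ranges above."""
    return "flash:vlan.dat" if vlan_id in NORMAL_RANGE else "running-config"


def plan(spec):
    """(id, class, where stored, learned by VTP) for every ID in the spec."""
    return [(v, classify(v), storage(v), v in NORMAL_RANGE)
            for v in parse_vlan_list(spec)]


def creatable(spec):
    """IDs in the spec that an administrator actually creates (and can later
    delete): the reserved, auto-created ones are skipped."""
    return [v for v in parse_vlan_list(spec) if v not in RESERVED]


if __name__ == "__main__":
    for row in plan("100,102,105-107,1003,2000"):
        print("VLAN %4d  %-8s  %-14s  VTP-learned=%s" % row)
```

      Two details in the table are the ones to remember when auditing a switch: an extended-range VLAN survives only in the running configuration, so it is lost on reload unless the configuration is saved, and VTP propagates nothing about it to other switches.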

      Assign a Switch Port

      After you have created a VLAN, assign one or more ports to the VLAN. When you manually assign a switch port to a VLAN, it is known as a static access port. A static access port can belong to only one VLAN at a time. 






      Managing VLANs





      Manage Port Memberships




      To reassign a port to VLAN 1, you can use the no switchport access vlan command in interface configuration mode.



      Notice how VLAN 20 is still active. It has only been removed from interface F0/18. In the show interfaces f0/18 switchport command, you can see that the access VLAN for interface F0/18 has been reset to VLAN 1.

      A static access port can only have one VLAN. With Cisco IOS software, you do not need to first remove a port from a VLAN to change its VLAN membership. When you reassign a static access port to an existing VLAN, the port's previous VLAN membership is removed automatically.



      Delete VLANs

      To remove a VLAN, enter global configuration mode and type the command no vlan vlan-id to remove that VLAN from the system. Alternatively, the entire vlan.dat file can be deleted using the command delete flash:vlan.dat from privileged EXEC mode. After the switch is reloaded, the previously configured VLANs will no longer be present. This effectively returns the switch to its "factory default" VLAN configuration.

      Note: Before deleting a VLAN, be sure to first reassign all member ports to a different VLAN. Any ports that are not moved to an active VLAN are unable to communicate with other stations after you delete the VLAN.


      Configure 802.1Q Trunk

      To configure a trunk on a switch port, use the switchport mode trunk command. When you enter trunk mode, the interface changes to permanent trunking mode, and the port enters into a DTP negotiation to convert the link into a trunk link even if the interface connecting to it does not agree to the change.

      The Cisco IOS command syntax to specify a native VLAN other than VLAN 1 is shown in the figure. In the example, you configure VLAN 99 as the native VLAN.




      Example:

      The VLANs 10, 20, and 30 will support the Faculty, Student, and Guest computers, PC1, PC2, and PC3. The F0/1 port on switch S1 will be configured as a trunk port and will forward traffic for VLANs 10, 20, and 30. VLAN 99 will be configured as the native VLAN.



      The example configures port F0/1 on switch S1 as the trunk port. It reconfigures the native VLAN as VLAN 99.



      The figure displays the configuration of switch port F0/1 on switch S1. The command used is the show interfaces interface-ID switchport command.



      The first highlighted area shows that port F0/1 has its administrative mode set to Trunk: the port is in trunking mode. The next highlighted area verifies that the native VLAN is VLAN 99, the management VLAN. At the bottom of the output, the last highlighted area shows that the enabled trunking VLANs are VLANs 10, 20, and 30.



      Managing a Trunk Configuration








      Common Problems with Trunks

