Virtual LAN

A Virtual LAN (VLAN) divides one physical switch into several logical switches: each VLAN is its own Layer 2 broadcast domain, so hosts in different VLANs cannot reach each other at Layer 2 even when they are plugged into the same switch.
VLANs simplify network management:

  1. Network adds, moves, and changes are achieved with ease by just configuring a port into the appropriate VLAN.
  2. A group of users that need an unusually high level of security can be put into its own VLAN so that users outside of the VLAN can’t communicate with them.
  3. VLANs can be considered independent from their physical or geographic locations.
  4. VLANs enhance network security by limiting Layer 2 reachability, but only to the extent that trunks, native VLANs and port modes are configured deliberately (see the trunking sections below).
  5. VLANs increase the number of broadcast domains while decreasing their size.

VLAN Memberships

Most of the time, VLANs are created by a sys admin who then assigns switch ports to each VLAN. VLANs of this type are known as static VLANs.

  • Static VLANs

    Creating static VLANs is the most common way to create a VLAN, and one of the reasons for that is because static VLANs are the most secure. This security stems from the fact that any switch port you’ve assigned a VLAN association to will always maintain it unless you change the port assignment manually.
  • Dynamic VLANs

    A dynamic VLAN determines a node’s VLAN assignment automatically. Using intelligent management software, we can base VLAN assignments on hardware (MAC) addresses, protocols, or even applications. Keep in mind that a MAC address is chosen by the host and trivially changed, so MAC-based assignment is a convenience, not an authentication of the device.
  • Access ports

    An access port belongs to and carries the traffic of only one VLAN. Traffic is both received and sent in native format, with no VLAN tagging whatsoever. Anything arriving on an access port is simply assumed to belong to the VLAN assigned to the port. On a Cisco switch the port should also be fixed in access mode (switchport mode access): a port left in its default dynamic mode can still negotiate itself into a trunk with whatever gets plugged into it.
  • Trunk Ports

    A trunk port is a point-to-point link between two switches, between a switch and a router, or even between a switch and a server, and it carries the traffic of multiple VLANs, from 1 to 4,094 at a time (though it’s really only up to 1,005 unless you’re going with extended VLANs). Trunking can be a real advantage because with it, a single port is part of many different VLANs at the same time.
  • VLAN Identification Methods

    VLAN identification is what switches use to keep track of all those frames as they’re traversing a switch fabric. It’s how switches identify which frames belong to which VLANs, and there’s more than one trunking method.
  • Inter-Switch Link (ISL)

    Inter-Switch Link (ISL) is a way of explicitly tagging VLAN information onto an Ethernet frame. This tagging information allows VLANs to be multiplexed over a trunk link through an external encapsulation method (ISL), which allows the switch to identify the VLAN membership of a frame over the trunked link. ISL is proprietary to Cisco and is a legacy method; current Cisco switches support only 802.1Q.
  • IEEE 802.1Q

    Created by the IEEE as a standard method of frame tagging, IEEE 802.1Q inserts a 4-byte tag into the Ethernet frame itself, between the source MAC address and the EtherType: a 16-bit tag protocol identifier (0x8100) followed by 3 bits of priority, a drop-eligible bit and a 12-bit VLAN ID. The 12-bit field is why VLAN IDs run from 1 to 4094 (0 and 4095 are reserved). The native VLAN of a trunk is the one exception to tagging: its frames cross the trunk without a tag.
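
The 802.1Q tag layout and the native-VLAN rule described above, as an added Python example that is not part of the original notes: it builds tagged and untagged frames, parses the tag stack, and applies the access/trunk/native-VLAN membership rules from this section. The MAC addresses and payload are constructed for the demo, and the access-port behaviour follows the simplified model in the text (tags ignored) rather than any particular switch.

```python
"""Build and parse IEEE 802.1Q tagged Ethernet frames, and decide VLAN membership
the way a switch port would.

Added example for this page (not code from the original notes). Frames are built
inline so it runs offline; the MAC addresses and payload below are made up.
"""
import struct

TPID_8021Q = 0x8100    # tag protocol identifier of an 802.1Q customer tag
TPID_8021AD = 0x88A8   # 802.1ad service tag; accepted as a tag so QinQ frames decode too
TAG_TPIDS = {TPID_8021Q, TPID_8021AD}
ETHERTYPE_IPV4 = 0x0800

# Constructed sample addresses and payload (not captured traffic)
DST = bytes.fromhex("ffffffffffff")
SRC = bytes.fromhex("001122334455")
PAYLOAD = b"\x45" + b"\x00" * 19   # stand-in for an IPv4 header; contents irrelevant here


def build_tag(vid, pcp=0, dei=0):
    """4-byte tag = 16-bit TPID + 16-bit TCI (3-bit PCP | 1-bit DEI | 12-bit VID)."""
    if not 1 <= vid <= 4094:
        # The VID field is 12 bits; 0 means "priority tag only" and 4095 is
        # reserved, which is why usable VLAN numbers run 1-4094.
        raise ValueError("VLAN ID must be 1-4094")
    tci = ((pcp & 0x7) << 13) | ((dei & 0x1) << 12) | vid
    return struct.pack("!HH", TPID_8021Q, tci)


def build_frame(dst, src, payload, vlans=(), ethertype=ETHERTYPE_IPV4):
    """Ethernet II frame; `vlans` lists tag VIDs outermost first (two = double tagged)."""
    tags = b"".join(build_tag(v) for v in vlans)
    return dst + src + tags + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Return (dst, src, [vids outermost first], ethertype, payload)."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    dst, src, pos, vids = frame[:6], frame[6:12], 12, []
    while True:                          # peel every tag sitting after the MAC header
        if len(frame) < pos + 2:
            raise ValueError("truncated frame")
        etype = struct.unpack_from("!H", frame, pos)[0]
        if etype not in TAG_TPIDS:
            break
        if len(frame) < pos + 4:
            raise ValueError("truncated tag")
        tci = struct.unpack_from("!H", frame, pos + 2)[0]
        vids.append(tci & 0x0FFF)        # keep only the VID; PCP/DEI are QoS bits
        pos += 4
    return dst, src, vids, etype, frame[pos + 2:]


def ingress_vlan(frame, port_mode, access_vlan=None, native_vlan=1):
    """Which VLAN a received frame belongs to, and which tags remain on it.

    access port: tags are ignored and the frame belongs to the port's VLAN
                 (the page's simplified model; real switches may drop tagged frames).
    trunk port:  tagged -> outermost VID; untagged -> the trunk's native VLAN.
    """
    vids = parse_frame(frame)[2]
    if port_mode == "access":
        return access_vlan, []
    if port_mode == "trunk":
        return (vids[0], vids[1:]) if vids else (native_vlan, [])
    raise ValueError("port mode must be 'access' or 'trunk'")


def egress_trunk_tags(vlan, inner_tags, native_vlan=1):
    """Tags a frame carries when sent out a trunk: the native VLAN goes untagged.

    A frame that carried a second tag underneath the native one therefore leaves
    with that inner tag exposed, and the next switch reads it as that VLAN; this
    is why a trunk's native VLAN should be one that no host port sits in.
    """
    return list(inner_tags) if vlan == native_vlan else [vlan] + list(inner_tags)
```

`ingress_vlan` and `egress_trunk_tags` are the two rules worth keeping in mind when reading the trunk configuration sections that follow: on a trunk, "no tag" means "native VLAN", in both directions.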

Trunking with the Cisco Catalyst 3560 switch

  • Core(config-if)#switchport trunk encapsulation ?
    dot1q      Interface uses only 802.1q trunking encapsulation when trunking
    isl        Interface uses only ISL trunking encapsulation when trunking
    negotiate  Device will negotiate trunking encapsulation with peer on

    Core(config-if)#switchport trunk encapsulation dot1q

    Core(config-if)#switchport mode trunk

    The negotiate option leaves the encapsulation (and, through DTP, whether the port trunks at all) to be agreed with whatever is on the far end of the link. On a link you control, pin the encapsulation to dot1q as above and disable DTP on the port with switchport nonegotiate, so the port’s mode does not depend on what a neighbor advertises.

Defining the Allowed VLANs on a Trunk

  • Trunk ports send and receive traffic for all VLANs by default, including the extended-range VLANs, and a frame that arrives on a trunk without a tag is placed in the trunk’s native VLAN (VLAN 1 unless changed). We can remove VLANs from the allowed list to prevent traffic from those VLANs from traversing the trunk link, which is the main way to keep a trunk from carrying every VLAN the peer switch happens to know about. Here’s how you’d do that:

    S1#config t
    S1(config)#int f0/1
    S1(config-if)#switchport trunk allowed vlan ?
    WORD    VLAN IDs of the allowed VLANs when this port is in
    trunking mode
    add     add VLANs to the current list
    all     all VLANs
    except  all VLANs except the following
    none    no VLANs
    remove  remove VLANs from the current list

    S1(config-if)#switchport trunk allowed vlan remove ?
    WORD  VLAN IDs of disallowed VLANS when this port is in trunking mode

    S1(config-if)#switchport trunk allowed vlan remove 4

    The preceding command stops the trunk on S1 port f0/1 from carrying VLAN 4: all VLAN 4 traffic sent or received on that link is dropped. You can also remove VLAN 1 from a trunk link, and that does stop user data in VLAN 1 from crossing it, but the switch still sends and receives its own control-plane traffic (CDP, PAgP, LACP, DTP and VTP) on VLAN 1 regardless, so removing VLAN 1 buys little on its own.

    To remove a range of VLANs, just use the hyphen:

    S1(config-if)#switchport trunk allowed vlan remove 4-8

    If by chance someone has removed some VLANs from a trunk link and you want to set the trunk back to default, just use this command:

    S1(config-if)#switchport trunk allowed vlan all

    Or this command to accomplish the same thing:

    S1(config-if)#no switchport trunk allowed vlan

    The trunk’s native VLAN is the other per-trunk setting worth changing deliberately, and that is covered next.


Changing or Modifying the Trunk Native VLAN

  • S1#config t
    S1(config)#int f0/1
    S1(config-if)#switchport trunk ?
    allowed  Set allowed VLAN characteristics when interface is
    in trunking mode
    native   Set trunking native characteristics when interface
    is in trunking mode
    pruning  Set pruning VLAN characteristics when interface is
    in trunking mode

    S1(config-if)#switchport trunk native ?
    vlan  Set native VLAN when interface is in trunking mode

    S1(config-if)#switchport trunk native vlan ?
    < 1-4094 > VLAN ID of the native VLAN when this port is in trunking mode
    S1(config-if)#switchport trunk native vlan 40

    If the switch at the other end of the link still has the default native VLAN, the two ends now disagree, and CDP logs a native VLAN mismatch against the interface. That is a good, non-cryptic error, so either we go to the other end of our trunk link(s) and change the native VLAN there as well, or we set the native VLAN back to the default. Here’s how we’d do that:

    S1(config-if)#no switchport trunk native vlan
    Now our trunk link is using the default VLAN 1 as the native VLAN again. Just remember that both ends of every trunk must use the same native VLAN or you’ll have some serious problems: frames leave one switch untagged and get placed into a different VLAN on the other. Because untagged frames on a trunk land in the native VLAN, the usual hardening is the opposite of what we just did: pick an otherwise unused VLAN (not 1), set it as the native VLAN on both ends of every trunk, and never assign that VLAN to an access port.
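
The allowed-list keywords from "Defining the Allowed VLANs on a Trunk" and the native-VLAN caveat from this section, as one added Python example (not code from the original notes, and not Cisco software): it replays the add/remove/except/all list operations the way IOS resolves them, then audits a constructed running-config excerpt for trunks that still have native VLAN 1, DTP enabled, or an unpruned allowed list. The interface names and VLAN numbers in the sample config are made up.

```python
"""Replay IOS 'switchport trunk allowed vlan' list handling and audit trunk ports.

Added example for this page (not from the original notes, not Cisco software).
SAMPLE_RUNNING_CONFIG below is constructed: its interface names and VLANs are made up.
"""
import re

ALL_VLANS = frozenset(range(1, 4095))   # 12-bit VID; 0 and 4095 are reserved


def parse_vlan_list(text):
    """'1,4-8,20' -> {1,4,...,8,20}; 'all' -> every VLAN; 'none' -> empty set."""
    text = text.strip().lower()
    if text == "all":
        return set(ALL_VLANS)
    if text == "none":
        return set()
    out = set()
    for part in text.split(","):
        lo, _, hi = part.partition("-")
        lo, hi = int(lo), (int(hi) if hi else int(lo))
        if not 1 <= lo <= hi <= 4094:
            raise ValueError(f"bad VLAN range {part!r}")
        out.update(range(lo, hi + 1))
    return out


def format_vlan_list(vlans):
    """Compress a set into the IOS display form: {1,2,3,5} -> '1-3,5'."""
    ids = sorted(vlans)
    if not ids:
        return "none"
    if len(ids) == len(ALL_VLANS):
        return "all"
    runs, start, prev = [], ids[0], ids[0]
    for v in ids[1:]:
        if v != prev + 1:            # gap: close the current run
            runs.append((start, prev))
            start = v
        prev = v
    runs.append((start, prev))
    return ",".join(str(a) if a == b else f"{a}-{b}" for a, b in runs)


def apply_allowed_vlan(current, args):
    """Apply one 'switchport trunk allowed vlan <args>': add/remove/except/all/none/list."""
    op, _, rest = args.strip().partition(" ")
    if op == "add":
        return current | parse_vlan_list(rest)
    if op == "remove":
        return current - parse_vlan_list(rest)
    if op == "except":
        return set(ALL_VLANS) - parse_vlan_list(rest)
    return parse_vlan_list(args)      # 'all', 'none' or an explicit list ('no ...' == 'all')


def page_walkthrough():
    """Replay the section's command sequence; returns the allowed list after each step."""
    allowed, out = set(ALL_VLANS), []          # a new trunk allows every VLAN
    for step in ("remove 4", "remove 4-8", "add 6", "except 100-4094", "all"):
        allowed = apply_allowed_vlan(allowed, step)
        out.append(format_vlan_list(allowed))
    return out


def audit_trunks(running_config):
    """{interface: [findings]} for every trunk port in 'show running-config' text."""
    findings = {}
    for m in re.finditer(r"^interface (\S+)\n((?: .*\n?)*)", running_config, re.M):
        lines = [l.strip() for l in m.group(2).splitlines()]
        if "switchport mode trunk" not in lines:
            continue
        native, allowed, issues = 1, set(ALL_VLANS), []   # IOS defaults for a trunk
        for line in lines:
            if line.startswith("switchport trunk native vlan "):
                native = int(line.rsplit(" ", 1)[1])
            elif line.startswith("switchport trunk allowed vlan "):
                allowed = apply_allowed_vlan(allowed, line[len("switchport trunk allowed vlan "):])
        if native == 1:
            issues.append("native VLAN is 1; move it to an unused VLAN on both ends")
        if "switchport nonegotiate" not in lines:
            issues.append("DTP still enabled; add 'switchport nonegotiate'")
        if "switchport trunk encapsulation negotiate" in lines:
            issues.append("encapsulation negotiated with peer; pin it to dot1q")
        if allowed == ALL_VLANS:
            issues.append("allowed list is 'all'; prune it to the VLANs this trunk needs")
        findings[m.group(1)] = issues
    return findings


# Constructed running-config excerpt (not from a real device)
SAMPLE_RUNNING_CONFIG = """\
interface FastEthernet0/1
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 40
 switchport trunk allowed vlan 2,3,40
 switchport mode trunk
 switchport nonegotiate
interface FastEthernet0/2
 switchport trunk encapsulation negotiate
 switchport mode trunk
interface FastEthernet0/3
 switchport access vlan 3
 switchport mode access
"""
```

Feed `audit_trunks` the text of show running-config from a switch; lines it does not recognise are ignored, and a running-config already shows the consolidated allowed list, so in practice only the explicit-list form of the command appears there. `page_walkthrough` exists to show that remove 4 followed by remove 4-8 leaves 1-3,9-4094, exactly as the CLI sequence in this section does.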

Configuring Inter-VLAN Routing

  • By default, only hosts that are members of the same VLAN can communicate. To change this and allow inter-VLAN communication, we need a router or a layer 3 switch. To support ISL or 802.1Q routing on a Fast Ethernet interface, the router’s interface is divided into logical interfaces, one for each VLAN, called sub-interfaces (the design is commonly called "router on a stick"). From a Fast Ethernet or Gigabit interface, you set each sub-interface to handle one VLAN’s tagged frames with the encapsulation command:

    ISR#config t
    ISR(config)#int f0/0.1
    ISR(config-subif)#encapsulation ?
    dot1Q  IEEE 802.1Q Virtual LAN

    ISR(config-subif)#encapsulation dot1Q ?
    < 1-4094 > IEEE 802.1Q VLAN ID

    Notice that my 2811 router (named ISR) only supports 802.1Q. We’d need an older-model router to run the ISL encapsulation.

    Keep in mind that the commands can vary slightly depending on what type of switch you’re dealing with. For a 2960 switch, use the following:

    2960#config t
    2960(config)#interface fa0/1
    2960(config-if)#switchport mode trunk


Inter-VLAN example 

  • The configuration of the switch would look something like this:
    2960#config t
    2960(config)#int f0/1
    2960(config-if)#switchport mode trunk
    2960(config-if)#int f0/2
    2960(config-if)#switchport access vlan 1
    2960(config-if)#int f0/3
    2960(config-if)#switchport access vlan 1
    2960(config-if)#int f0/4
    2960(config-if)#switchport access vlan 3
    2960(config-if)#int f0/5
    2960(config-if)#switchport access vlan 3
    2960(config-if)#int f0/6
    2960(config-if)#switchport access vlan 2

    Before we configure the router, we need to design our logical network:
    VLAN 1:
    VLAN 2:
    VLAN 3:

    The configuration of the router would then look like this:
    ISR#config t
    ISR(config)#int f0/0
    ISR(config-if)#no ip address
    ISR(config-if)#no shutdown
    ISR(config-if)#int f0/0.1
    ISR(config-subif)#encapsulation dot1q 1
    ISR(config-subif)#ip address
    ISR(config-subif)#int f0/0.2
    ISR(config-subif)#encapsulation dot1q 2
    ISR(config-subif)#ip address
    ISR(config-subif)#int f0/0.3
    ISR(config-subif)#encapsulation dot1q 3
    ISR(config-subif)#ip address
    The hosts in each VLAN would be assigned an address from their subnet range, and the default gateway would be the IP address assigned to the router’s sub-interface in that VLAN. One check worth making before calling this done: the switch sends its native VLAN (VLAN 1 by default) untagged across the trunk, so the sub-interface meant to serve the native VLAN needs the native keyword (encapsulation dot1q 1 native). Without it the router expects VLAN 1 frames to arrive tagged, and the untagged ones are never matched to that sub-interface.


Copyright ©2015, All Rights Reserved. h4 ExamMATE™ is a registered trademark of Hub4tech Portal Services Pvt. Ltd.
All trademarks and logos appearing on this website are the property of their respective owners.