Virtual LAN

Publish Date: July 9, 2015

Virtual Local Area Network (VLAN)

Virtual LAN or VLAN is layer-2 network which is partitioned into logical grouping to create multiple distinct broadcast domains, which are mutually isolated so that packets can only pass between them via layer-3 device.

Benefits of VLANs in network:

  • Increased Performance: Grouping users into logical networks will increase performance by limiting broadcast traffic. Additionally, less traffic will need to be routed and the latency added to routers will be reduced.
  • Improved Management: VLANs provide an easy, flexible, cost effective way to modify logical groups in changing environments. VLANs make large networks more manageable by allowing centralized configuration of devices.
  • Increased Security: VLANs have the ability to provide additional security which is not available in a shared network environment. A switched network delivers packets only to the intended recipients and packets only to other members of the VLAN. This allows the network administrator to segment users requiring access to sensitive information into separate VLANs from the rest of the general users regardless of physical location.

Remember that You need a layer-3 device whenever you need to make communication possible between different VLANs.

Types of VLANs

  • Default VLAN: This is basically a VLAN where all the switchports belong to by default, this is technically VLAN 1 in Cisco switches and it can’t be deleted or renamed.
  • Data VLAN: This is a VLAN where the normal network traffic is carried.
  • Voice VLAN: The voice VLAN is where the voice traffic is carried and QoS policies are applied in order to prioritize voice traffic in the LAN.
  • Native VLAN: A native VLAN carries the untagged on an 802.1q trunk switchport.  By default VLAN 1 (which is the default VLAN) is the native VLAN on all Cisco Catalyst switches. The native VLAN and management VLAN could be the same, but for better security practice they should not be same. Native VLAN is assigned to trunk port and basically if a switch receives untagged frames on a trunk port, they are assumed to be part of the VLAN which is designated on the switchport as the native VLAN.
  • Management VLAN: This is different from Native VLAN, means that this VLAN will be used for management purpose like logging into the switch for management, monitoring the switch, collecting Syslog ans SNMP traps etc. By default VLAN 1 is the Management VLAN on all Cisco Catalyst switches but it is always a best practice and security measure to not use the default VLAN, instead use custom VLAN for management.
  • Reserved VLAN: There are some VLANs that are reserved internally on your switch in order to use them on other network environments like FDDI, Token Ring. The specific VLANs range from 1002 to 1005 and are created by default.
  • Private VLAN: Private VLAN, which is also known as Port isolation is a VLAN whcih contains switchports that are restricted such that they can only communicate with a given uplink. The restricted ports are called “private ports”. Each private VLAN typically contains many private ports, and a single uplink.

 VLAN Assignment

Switch ports are layer 2 interfaces that are associated with a physical port. A switch port can belong to only one VLAN if it is an access port or all VLANs if it is a trunk port. You can manually configure a port as an access or trunk port, or you can let the Dynamic
Trunking Protocol (DTP) operate on a per-port basis to set the switchport mode. DTP does this by negotiating with the port on the other end of the link. You can only configure a switchport to be either an access port or a trunk port, not both.

There are two different types of links in a switched environment:

  1. Access Ports: An access port belongs to and carries the traffic of only one VLAN. Traffic is both received and sent in native formats with no VLAN tagging. Anything arriving on an access port is simply assumed to belong to the VLAN assigned to the port. If an access port receives a tagged frame, like IEEE 802.1q tagged, that frame would simply be dropped because an access port does not look at the source address. Switches remove any VLAN information from the frame before it is forwarded out to an access-link.
  2. Trunk Ports: The trunk ports can carry the traffic of multiple VLANs at the same time. A trunk link is a point-to-point link between two switches, between a switch and router, and it carries the traffic of multiple VLANs. Trunk links can carry various amounts of VLAN information across the link, but by default, if the links between your switches are not trunked, only information from the configured VLAN will be switched across that link.

Voice Access Port: Nowadays, most switches will allow you to add a second VLAN to an access port for your voice traffic; it’s called the voice VLAN. The voice VLAN used to be called the auxiliary VLAN, which allowed it to be overlaid on top of the data VLAN, enabling both types of traffic through the same port. Even though this is technically considered to be a different type of link, it is still just an access port that can be configured for both data and voice VLANs. This allows you to connect both a phone and a PC device to one switch port but still have each device in a separate VLAN.

VLAN Tagging

Now, you know that the Trunk Links are designed to pass frames (packets) belonging to all VLANs. This allows us to connect multiple switches together and independently configure each port to a specific VLAN. But how these packets are transferred between the switches eventually finding their way to the destination port without getting lost with the rest of the frames.

VLAN Tagging, also known as Frame Tagging, is a method developed to help identify frames traveling through trunk links. When an Ethernet frame traverses a trunk link, a special VLAN tag is added to the frame and sent across the trunk link. As it arrives at the end of the trunk link, the tag is removed and the frame is sent to the correct access link port according to the switch’s filter table, so that the receiver device is unaware of any VLAN information. The Trunk links support both tagged and untagged traffic simultaneously.

VLAN Tagging Protocols

There is more than one method to ‘tag’ the frames as they are passed through the Trunk Links.

Inter-Switch Link (ISL)

ISL is a Cisco propriety protocol used only with Fast Ethernet and Gigabit Ethernet links for explicitly tagging VLAN information onto an Ethernet frame. This tagging information allows VLANs to be multiplexed over a trunk link through an external encapsulation method (ISL). External encapsulation method means that the protocol does not alter the Ethernet frame like placing the VLAN Tag inside the Ethernet frame. Instead, it encapsulates the Ethernet frame with a new 26 byte ISL header and adds an additional 4 byte frame check sequence (FCS) field at the end of frame.

ISL is capable of supporting up to 1000 VLANs and does not introduce any delays in data transfers between Trunk Links. Ethernet’s maximum frame size is 1518 bytes but because ISL adds an ISL header and FCS field, the frame can end up being 1548 bytes long. This type of frame is known as a giant or jumbo frame.

IEEE 802.1Q

Created by the IEEE as a standard method of frame tagging, IEEE 802.1q actually inserts a field into the frame to identify the VLAN. If you are trunking between a Cisco switched link and a different brand of switch, you have to use 802.1q for the trunk link to work.

This is most popular used protocol because it is open standard protocol, inserts 4-byte VLAN Tag with no encapsulation, smaller frame size and supports 4096 VLANs as compared to ISL.

LAN Emulation (LANE)

LAN Emulation was introduced to solve the need of creating VLANs over WAN links, allowing network administrators to define workgroups based on logical function, rather than physical location. With this technology, we are now able to create VLANs between remote offices, regardless of their location and distance.

Fiber Distributed Data Interface (FDDI)

Tagging the VLAN frames on Fiber Distributed Data Interface (FDDI) networks is quite common in large scale networks. This implementation is usually found on Cisco’s high-end switches such as the Catalyst 6500 series where special modules are installed inside the switches, connecting them to an FDDI backbone. This backbone interconnects all major network switches, providing a fully redundant network.

VLAN Trunking Protocol (VTP)

VLAN Trunking Protocol (VTP) is a Cisco proprietary protocol which propagates all configured VLANs across a switched network to maintain consistency throughout the network. VTP allows you to add, delete, and rename VLAN information which is then propagated to all other switches in the same VTP domain.

Features offered by VTP:

  • Consistent VLAN configuration across all switches in the network.
  • VLAN trunking over mixed networks, such as Ethernet to ATM LANE or even FDDI.
  • Accurate tracking and monitoring of VLANs.
  • Dynamic reporting of added VLANs to all switches in the VTP domain.
  • Plug and Play VLAN adding.

One switch need to be configured as VTP Server and others switches as VTP Clients for VTP to work. All switches that need to share VLAN information must use the same domain name and a switch can be in only one domain at a time. Basically, this means that a switch can only share VTP domain information with other switches if they are configured to use same VTP domain. Keep in mind that VTP information is sent between switches only via a trunk port. Switches advertise VTP management domain information as well as a configuration revision number and all known VLANs with any specific parameters.

Do you really need VTP for your network?

You can use a VTP domain if you have more than one switches connected in a network, but if you have got all your switches in only one VLAN, you do not need to use VTP. It is only needed in multi-switch and multi-VLAN network environment.

Requirements for VTP
  • VTP is only needed in multi-switch and multi-Vlan networks.
  • The VTP domain name must be same on all switches.
  • One of the switches has to be configured as a VTP server.
  • If password is configured for security purpose, it must match across all switches.
VTP Modes of Operation
  • Server — In VTP server mode, you can create, modify, and delete VLANs and specify other configuration parameters, such as VTP domain, version, VTP password and pruning for the entire VTP domain. VTP servers advertise their VLAN configuration to other switches in the same VTP domain and synchronize their VLAN configuration with other switches based on advertisements received over trunk links. This is the default mode for all Catalyst switches. You need at least one VTP server in your VTP domain.
  • Client — VTP clients behave the same way as VTP servers, but you can not create, change or delete VLANs on a VTP client. None of the switchports on a client switch can be added to a new VLAN before the VTP server notifies the client switch of the new VLAN. So basically, a switch in VTP client mode will forward VTP summary advertisements and process them. The switch will learn about but will neither save the VTP information in the running configuration nor in  NVRAM. Switches that are in VTP client mode will only learn about and pass along VTP information.

  • Transparent — Switches in transparent mode don’t participate in the VTP domain or share its VLAN database, but they’ll still forward VTP advertisements through any configured trunk links. They can create, modify, and delete VLANs because they keep their own database. Despite being kept in NVRAM, the VLAN database in transparent mode is actually only locally significant. The whole purpose of transparent mode is to allow remote switches to receive the VLAN database from a VTP server-configured switch through a switch that is not participating in the same VLAN assignments.

VTP Pruning

VTP Pruning is a way to preserve bandwidth by reducing the amount of broadcasts, multicasts, and unicast packets sent only to trunk links that actually needs the information.
For example, if Switch 1 does not have any ports configured for VLAN 100 and a broadcast is sent throughout VLAN 100, that broadcast would not traverse the trunk link to Switch 1 when VTP pruning in enabled.

VTP Pruning is a good feature which preserves the network bandwidth but it is not enabled by-default on Cisco switch. A good news is that you need not to enable pruning on each and every switch individually. Instead, you enable it on switch acting as VTP server and it will be enabled in entire VTP domain.

Here is how you can configure VTP pruning on VTP Server

Core#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Core(config)#int fa0/1
Core(config-if)#switchport trunk pruning vlan 100-105 

The valid VLANs that can be pruned are 2 to 1001. VLAN 1 and Extended-range VLANs (1006 to 4094) can not be pruned and these VLANs can receive a flood of traffic.



Microsoft Certified | Cisco Certified