VLANs - LAN Switching and Wireless, Chapter 3 - Dr. Naveen Chilamkurti
Topics
The role of VLANs in a network
Trunking VLANs
Configure VLANs on switches
Troubleshoot common VLAN problems
Some requirements of LANs
Need to split up broadcast domains to make good use of bandwidth
People in the same department may need to be grouped together for access to servers
Security: restrict access by certain users to some areas of the LAN
Provide a way for different areas of the LAN to communicate with each other
Solution using routers
Divide the LAN into subnets.
Use routers to link the subnets.
BUT:
Routers are expensive.
Routers are slower than switches.
Subnets are restricted to limited physical areas.
Subnets are inflexible.
Solution using VLANs
VLAN membership can be by function and not by location.
VLANs are managed by switches.
A router is needed for communication between VLANs.
VLANs
All hosts in a VLAN have addresses in the same subnet. A VLAN is a subnet.
Broadcasts are kept within the VLAN. A VLAN is a broadcast domain.
The switch has a separate MAC address table for each VLAN. Traffic for each VLAN is kept separate from other VLANs.
Layer 2 switches cannot route between VLANs.
Benefits of VLANs
Security - Groups that have sensitive data are separated from the rest of the network, decreasing the chances of confidential information breaches.
Higher performance - Dividing flat Layer 2 networks into multiple logical workgroups (broadcast domains) reduces unnecessary traffic on the network and boosts performance.
Broadcast storm mitigation - Dividing a network into VLANs reduces the number of devices that may participate in a broadcast storm.
Benefits of VLANs (continued)
Improved IT staff efficiency - VLANs make it easier to manage the network because users with similar network requirements share the same VLAN.
Simpler project or application management - VLANs aggregate users and network devices to support business or geographic requirements.
VLAN ID Ranges
Access VLANs are divided into either:
Normal range: VLAN IDs 1 to 1005 (1002 to 1005 are reserved for legacy Token Ring and FDDI and cannot be used for Ethernet).
Extended range: VLAN IDs 1006 to 4094.
Types of VLAN
Data or user VLAN
Default VLAN
Native VLAN
Management VLAN
Voice VLAN
Data VLAN
Carry files, e-mails, shared application traffic, most user traffic.
Separate VLAN for each group of users.
Default VLAN
VLAN 1 on Cisco switches. It carries Layer 2 control traffic such as CDP and STP (Spanning Tree Protocol). Initially all ports are in this VLAN, and it cannot be deleted or renamed. Do not use it for data, voice or management traffic for security reasons: a device plugged into any port that was never configured lands in VLAN 1, so anything else left there (the switch's management address in particular) shares a broadcast domain with it.
Native VLAN
Relevant to trunk ports. Trunk ports carry traffic from multiple VLANs, and each frame's VLAN is identified by an 802.1Q "tag" in the frame. Frames on the native VLAN are sent without a tag, and a switch that receives an untagged frame on a trunk assigns it to the native VLAN. This exists for backward compatibility with older devices that do not understand tags. Both ends of a trunk must agree on the native VLAN (a mismatch silently merges two VLANs), and it should be an otherwise unused VLAN rather than the default of VLAN 1.
Management VLAN
Has the switch IP address (on a switched virtual interface, "interface Vlan N"). Used for Telnet/SSH or web access for management purposes. Better not to use VLAN 1 for security reasons: put the management address on a dedicated VLAN, shut down interface Vlan1, and prefer SSH over Telnet, since Telnet sends credentials in clear text.
Voice VLAN
Used with an IP phone. The phone contains a small switch, so the PC plugs into the phone and the phone plugs into the switch port. Voice traffic from the phone is tagged with the voice VLAN ID and given priority (CoS); the PC's data traffic is sent untagged in the port's access VLAN with no priority.
Switch Ports
Each switch port intended for an end device is configured to belong to a VLAN.
Any device connecting to that port belongs to the port’s VLAN.
There are other ways of assigning VLANs, but static port assignment is now the normal way.
Ports that link switches can be configured to carry traffic for all VLANs (trunking).
Switch Port Modes
Static VLAN
Dynamic VLAN
Voice VLAN
Static VLAN
The normal type, also called port-centric. The port is configured to be on a VLAN, and the connected device is on this VLAN.
A VLAN can be created with a CLI command and given a number and a name. A VLAN can also be learned from another switch (via VTP). If a port is assigned to a VLAN that does not exist, the VLAN is created automatically: if VLAN 20 did not exist before, it does now.
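The following configuration is an added example and not from the original slides. It shows, in Cisco IOS on a Catalyst-style switch, the VLAN types listed above (data, voice, management and native), a static access port that creates VLAN 20 if it is absent, and the advice to keep data, voice, management and native traffic off VLAN 1. The interface numbers, VLAN numbers, VLAN names and the 10.0.99.0/24 addresses are assumptions chosen for illustration.

```cisco
! Added example (not from the original slides). Interface numbers, VLAN
! numbers/names and the 10.0.99.0/24 addresses are assumptions.
!
! Create the VLANs explicitly and name them (all in the normal range).
vlan 10
 name DATA_SALES
vlan 20
 name DATA_ENGINEERING
vlan 99
 name MANAGEMENT
vlan 150
 name VOICE
vlan 999
 name NATIVE_UNUSED
!
! Static (port-centric) access port: whatever plugs in is in VLAN 20.
! Had VLAN 20 not existed, "switchport access vlan 20" would create it.
interface FastEthernet0/18
 switchport mode access
 switchport access vlan 20
 spanning-tree portfast
!
! Access port with an IP phone in front of the PC: phone traffic is tagged
! with VLAN 150 and its CoS is trusted; PC traffic is untagged in VLAN 10.
mls qos
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 150
 mls qos trust cos
!
! Management VLAN: the switch's own address lives on an SVI that is not
! VLAN 1, and interface Vlan1 is shut down.
interface Vlan1
 no ip address
 shutdown
interface Vlan99
 ip address 10.0.99.2 255.255.255.0
 no shutdown
ip default-gateway 10.0.99.1
!
! Management access over SSH only (hostname, domain name, RSA key and a
! user account are also required for SSH and are not shown here).
line vty 0 15
 transport input ssh
!
! Trunk to the next switch: explicit 802.1Q, native VLAN moved off VLAN 1
! to an unused VLAN, DTP negotiation disabled, and only the VLANs that
! need to cross the link are allowed.
interface GigabitEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,99,150
 switchport nonegotiate
!
! Unused ports: park them in the unused VLAN and shut them down rather
! than leaving them live in VLAN 1.
interface range FastEthernet0/19 - 24
 switchport mode access
 switchport access vlan 999
 shutdown
```

Verify with "show vlan brief" (which ports are in which VLAN), "show interfaces trunk" (mode, native VLAN and allowed list per trunk) and "show interfaces FastEthernet0/1 switchport" (access and voice VLAN of the phone port). The "switchport trunk encapsulation dot1q" line is only accepted on switches that also support ISL (3560-class); on a 2960, which speaks only 802.1Q, omit it. The native VLAN must be set to the same value on the switch at the other end of the trunk.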
Dynamic VLAN
Not widely used. Uses a VLAN Membership Policy Server (VMPS), which assigns a device to a VLAN based on its MAC address: connect the device and the server assigns the VLAN. Useful if you want to move devices around.
Controlling Broadcast Domains with VLANs
Network Traffic Without VLANs: in normal operation, when a switch receives a broadcast frame on one of its ports, it forwards the frame out all other ports on the switch.
Network Traffic With VLANs: when VLANs are implemented on a switch, the transmission of unicast, multicast and broadcast traffic from a host on a particular VLAN is constrained to the devices that are on that VLAN.
Traffic between VLANs
A Layer 2 switch keeps VLANs separate. A router can route between VLANs. It needs to provide a default gateway for each VLAN, as VLANs are separate subnets.
Controlling Broadcast Domains with Switches and Routers
Intra-VLAN Communication
Inter-VLAN Communication
Intra-VLAN Communication
In the figure, PC1 wants to communicate with another device, PC4. PC1 and PC4 are both in VLAN 10. Communicating with a device in the same VLAN is called intra-VLAN communication. The following steps describe how this process is accomplished:
Step 1-1. PC1 in VLAN 10 sends its ARP request frame (broadcast) to switch S2.
Step 1-2. Switches S2 and S1 send the ARP request frame out all ports on VLAN 10, including the trunks towards the other switches.
Step 1-3. Switch S3 sends the ARP request out port F0/11 to PC4 on VLAN 10.
Step 2-1. The switches in the network forward the ARP reply frame (unicast) to PC1.
Step 2-2. PC1 receives the reply, which contains the MAC address of PC4.
Step 3-1. PC1 now has the destination MAC address of PC4 and uses it to create a unicast frame with PC4's MAC address as the destination.
Step 3-2. Switches S2, S1 and S3 deliver the frame to PC4.
Inter-VLAN Communication
In the figure, PC1 in VLAN 10 wants to communicate with PC5 in VLAN 20. Communicating with a device in another VLAN is called inter-VLAN communication.
Note: There are two connections from switch S1 to the router: one carries VLAN 10 traffic to the router interface on VLAN 10, and the other carries VLAN 20 traffic to the router interface on VLAN 20.
Step 1. PC1 in VLAN 10 wants to communicate with PC5 in VLAN 20. Because PC5 is in a different subnet, PC1 sends an ARP request frame for the MAC address of its default gateway, R1.
Step 2. The router R1 replies with an ARP reply frame from its interface configured on VLAN 10. The switches forward the ARP reply frame and PC1 receives it. The ARP reply contains the MAC address of the default gateway.
Step 3-1. PC1 creates an Ethernet frame whose destination MAC address is that of the default gateway, carrying an IP packet addressed to PC5.
Step 3-2. The frame is sent from switch S2 to S1, and S1 delivers it to R1 over the VLAN 10 link.
Step 4-1. The router R1 sends an ARP request frame on VLAN 20 to determine the MAC address of PC5.
Step 4-2. Switches S1, S2 and S3 broadcast the ARP request frame out ports configured for VLAN 20. PC5 on VLAN 20 receives the ARP request frame from router R1.
Step 5-1. PC5 on VLAN 20 sends an ARP reply frame to switch S3.
Step 5-2. Switches S3 and S1 forward the ARP reply frame to router R1; its destination MAC address is that of interface F0/2 on router R1.
Step 6-1. Router R1 re-encapsulates the packet received from PC1 in a new frame with PC5's MAC address as the destination and sends it out F0/2 through S1.
Step 6-2. S1 sends the frame to S3, which delivers it to PC5 on VLAN 20.
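The following configuration is an added example and not from the original slides. It implements the topology of the inter-VLAN walk-through above, in which S1 has one physical link per VLAN to R1, and adds the router-side check that makes the VLAN boundary a security boundary: an access list restricting what may cross from VLAN 10 to VLAN 20. R1's F0/2 on VLAN 20 comes from the slides; R1's F0/1 for VLAN 10, the S1 port numbers, the 192.168.10.0/24 and 192.168.20.0/24 subnets and the permitted TCP port are assumptions chosen for illustration.

```cisco
! Added example (not from the original slides). R1 F0/2 on VLAN 20 is
! from the slides; F0/1, the S1 ports and all addresses are assumptions.
!
! --- Switch S1: one access port per VLAN facing the router ---
interface FastEthernet0/5
 description to R1 F0/1 (VLAN 10)
 switchport mode access
 switchport access vlan 10
interface FastEthernet0/6
 description to R1 F0/2 (VLAN 20)
 switchport mode access
 switchport access vlan 20
!
! --- Router R1: each interface is the default gateway of one VLAN ---
! PC1 is configured with 192.168.10.1 as its gateway, PC5 with 192.168.20.1.
interface FastEthernet0/1
 description VLAN 10 gateway
 ip address 192.168.10.1 255.255.255.0
 no shutdown
interface FastEthernet0/2
 description VLAN 20 gateway
 ip address 192.168.20.1 255.255.255.0
 no shutdown
!
! Both subnets are directly connected, so R1 needs no static routes.
! Because VLAN 10 can only reach VLAN 20 through R1, this is the place to
! restrict access between them: allow VLAN 10 hosts to reach VLAN 20 on
! TCP/443 only, log anything else aimed at VLAN 20, and leave traffic to
! other destinations alone. Replies from VLAN 20 enter on F0/2, which has
! no ACL, so they are not affected.
ip access-list extended VLAN10-TO-VLAN20
 permit tcp 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255 eq 443
 deny ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255 log
 permit ip any any
interface FastEthernet0/1
 ip access-group VLAN10-TO-VLAN20 in
```

With this in place the walk-through above still works for an HTTPS connection from PC1 to PC5, but a ping from PC1 to PC5 is dropped at R1 and logged, which is a useful test that the filter is on the right interface in the right direction. "show ip access-lists" shows the hit counts per line. The ARP exchanges in steps 1, 2, 4 and 5 are not IP traffic and are not filtered by the ACL. A single trunk to the router with one subinterface per VLAN ("router-on-a-stick") is the more common arrangement today; the walk-through here uses the two-link design shown in the slides.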