Chap 3 – Virtual LANs (VLANs)

Learning Objectives
• Explain the role of VLANs in a converged network.
• Explain the role of trunking VLANs in a converged network.
• Configure VLANs on the switches in a converged network topology.
• Troubleshoot the common software or hardware mis-configurations associated with VLANs on switches in a converged network topology.

Introduction to VLANs
[Figure: traditional LAN segmentation compared with virtual LAN segmentation]

VLANs – Broadcast Domains
[Figure: three separate broadcast domains, one per VLAN]

Advantages of VLANs
• Security - Groups that have sensitive data can be separated from the rest of the network.
• Cost reduction - Cost savings result from more efficient use of existing bandwidth and uplinks.
• Higher performance - VLANs reduce unnecessary traffic on the network, boosting performance.
• Improved IT staff efficiency - VLANs make it easier to manage the network because users with similar network requirements share the same VLAN.

VLANs – Broadcast Domains
VLAN implementation on a switch causes certain actions to occur:
• The switch maintains a separate bridging table for each VLAN.
• If the frame comes in on a port in VLAN 1, the switch searches the bridging table for VLAN 1.
• When the frame is received, the switch adds the source MAC address to the bridging table if it is currently unknown.
• The destination is checked so a forwarding decision can be made.
• For learning and forwarding, the search is made against the address table for that VLAN only.

Normal Range VLANs
• Used in small- and medium-sized business and enterprise networks.
• Identified by a VLAN ID between 1 and 1005.
• IDs 1002 through 1005 are reserved for Token Ring and FDDI VLANs.
• IDs 1 and 1002 to 1005 are automatically created and cannot be removed.
• Configurations are stored within a VLAN database file, called vlan.dat. The vlan.dat file is located in the flash memory of the switch.
• The VLAN trunking protocol (VTP), which helps manage VLAN configurations between switches, can only learn normal range VLANs and stores them in the VLAN database file.

Extended Range VLANs
• Enable service providers to extend their infrastructure to a greater number of customers. Some global enterprises could be large enough to need extended range VLAN IDs.
• Are identified by a VLAN ID between 1006 and 4094.
• Support fewer VLAN features than normal range VLANs.
• Are saved in the running configuration file.
• VTP does not learn extended range VLANs.

VLAN Types
• A data VLAN is a VLAN that is configured to carry only user-generated traffic. A VLAN could carry voice-based traffic or traffic used to manage the switch, but this traffic would not be part of a data VLAN.
[Figure: two switches joined by trunk links (Fa0/1, Fa0/3, Fa0/4); Management VLAN 99 at 172.17.99.10/24; Student VLAN 20 hosts 172.17.20.22/24 and 172.17.20.25/24 on Fa0/18; Guest VLAN 30 hosts 172.17.30.23/24 and 172.17.30.26/24 on Fa0/6]

VLAN Types
• The default VLAN for Cisco switches is VLAN 1. VLAN 1 has all the features of any VLAN, except that it cannot be renamed or deleted. Layer 2 control traffic, such as CDP and spanning tree protocol traffic, will always be associated with VLAN 1 - this cannot be changed.
• It is a security best practice to change the default VLAN to a VLAN other than VLAN 1.
[Figure: the same VLAN topology]

VLAN Types
• A native VLAN is assigned to an 802.1Q trunk port. An 802.1Q trunk port supports traffic coming from many VLANs (tagged traffic) as well as traffic that does not come from a VLAN (untagged traffic).
• Trunks are used to allow the same VLAN to span different switches.
• A native VLAN serves as a common identifier on opposing ends of a trunk link.
[Figure: the same VLAN topology]

VLAN Types
• A management VLAN is any VLAN configured to access the management capabilities of a switch. VLAN 1 would serve as the management VLAN if you did not proactively define a unique VLAN to serve as the management VLAN.
• The default configuration of a Cisco switch has VLAN 1 as the default VLAN - a bad choice, as arbitrary users could then attempt to access the switch IOS.
[Figure: the same VLAN topology]

Voice VLAN
VoIP traffic requires:
• Assured bandwidth to ensure voice quality
• Transmission priority over other types of network traffic
• Ability to be routed around congested areas on the network
• Delay of less than 150 milliseconds (ms) across the network

Voice VLAN
• The Cisco IP Phone contains an integrated three-port 10/100 switch, providing dedicated connections:
  1. Port 1 connects to the switch or other voice-over-IP (VoIP) device.
  2. Port 2 is an internal 10/100 interface that carries the IP phone traffic.
  3. Port 3 (access port) connects to a PC or other device.

Port Membership Modes - Voice
Configure a switch access port with an attached Cisco IP Phone to use one VLAN for voice traffic and another VLAN for data traffic from a device attached to the phone.
• The mls qos trust cos command ensures that voice traffic is identified as priority traffic (note that the entire network must be set up to prioritise voice traffic).
• The switchport voice vlan 150 command identifies VLAN 150 as the voice VLAN.
• The switchport access vlan 20 command configures VLAN 20 as the access mode (data) VLAN.

Port Membership Modes - Static
• Static VLAN - Ports on a switch are manually assigned to a VLAN, using the Cisco CLI.
• If an interface is assigned to a VLAN that does not exist, the new VLAN is automatically created.

Network Traffic
• IP telephony traffic consists of signaling traffic and voice traffic. Signaling traffic is responsible for call setup, progress, and teardown, and traverses the network end to end.
• IP multicast traffic is sent from a particular source address to a multicast group that is identified by a single IP and MAC destination-group address pair (e.g. Cisco IP/TV broadcasts).
• Normal data traffic is related to file creation and storage, print services, e-mail, database access, and other shared network applications that are common to business uses.
• Scavenger class is intended to provide less-than-best-effort service to applications having little or no official purpose (KaZaa, Morpheus, Grokster, Napster, iMesh, Doom, Quake, Unreal Tournament).

Connecting VLANs
• Breaking up a big broadcast domain into several smaller ones using VLANs reduces broadcast traffic and improves network performance. Breaking up domains into VLANs also allows for better information confidentiality within an organisation.
• A router is needed any time devices on different Layer 3 networks need to communicate, regardless of whether VLANs are used.
[Figure: the same VLAN topology]

Connecting VLANs
• A Switch Virtual Interface (SVI) is a logical interface configured for a specific VLAN, and is used by Layer 3 switches to route between VLANs or to provide IP host connectivity to a switch.
• A Layer 3 switch has the ability to route transmissions between VLANs.
• The process is the same as when using a separate router, except that the Layer 3 switch SVIs act as the router interfaces for routing the data between VLANs.
[Figure: the same VLAN topology, with SVI VLAN99, SVI VLAN30 and SVI VLAN20 on a Layer 3 switch]

VLAN Trunks
• A trunk is a point-to-point link between one or more Ethernet switch interfaces and another networking device, such as a router or a switch. Ethernet trunks carry the traffic of multiple VLANs over a single link.
• A VLAN trunk allows extension of VLANs across an entire network. Cisco supports IEEE 802.1Q for coordinating trunks on Fast Ethernet and Gigabit Ethernet interfaces.
• A VLAN trunk does not belong to a specific VLAN; rather, it is a conduit for VLANs between switches and routers.

VLAN Trunking
[Figure: one link per VLAN without trunking compared with a single trunked link]
• VLAN Trunking is used when a single link needs to carry traffic for more than one VLAN.

802.1Q Tagging
• 802.1Q does not encapsulate the original frame, but modifies the Ethernet type field by adding a Tag Control Information (TCI) field.
• A TCI contains a 12-bit VLAN identifier (VID), uniquely identifying the VLAN to which the frame belongs (4,096 VLANs max, with 0 and 4095 reserved).
• Because inserting this header changes the frame, 802.1Q encapsulation forces a recalculation of the original FCS field in the Ethernet trailer.

Creating VLAN Trunks
S1#configure terminal
S1(config)#interface F0/1
S1(config-if)#switchport mode trunk
S1(config-if)#switchport trunk native vlan 99
S1(config-if)#end

Creating VLAN Trunks
Use the show interfaces interface-id switchport command to verify correct reconfiguration of the native VLAN from VLAN 1 to VLAN 99.

DTP – Dynamic Trunking Protocol
• Dynamic Trunking Protocol (DTP) is a Cisco proprietary protocol.
• Switches from other vendors do not support DTP.
• DTP is automatically enabled on a switch port when certain trunking modes are configured on the switch port.

DTP Trunking Modes
• Switchport Mode Access - permanent non-trunking mode, regardless of neighbouring interface settings.
• Switchport Mode Trunk - permanent trunking mode, regardless of neighbouring interface settings.
• Switchport Mode Dynamic Desirable - actively tries to convert the port to a trunk if the neighbouring interface is set to trunk, desirable or auto.
• Switchport Mode Dynamic Auto - port is willing to convert to a trunk if the neighbouring interface is set to trunk or desirable.
• Switchport Nonegotiate - port does not generate DTP frames, and must be manually configured.

Configure VLANs & Trunks
Use the following steps to configure and verify VLANs and trunks on a switched network:
1. Create the VLANs
2. Assign switch ports to VLANs statically
3. Verify VLAN configuration
4. Enable trunking on the inter-switch connections
5. Verify trunk configuration

Creating VLANs
• Create a named VLAN:
Switch(config)#vlan 10
Switch(config-vlan)#name Engineering
Switch(config-vlan)#exit
• Verify:
Switch#sh vlan brief

Creating VLANs
• Assigning access ports to a specific VLAN (10 in this example):
Switch(config)#interface fastethernet 0/9
Switch(config-if)#switchport mode access
Switch(config-if)#switchport access vlan 10
Note: The switchport mode access command should be configured on all ports that the network administrator does not want to become a trunk port.

Creating VLANs
• Assigning a range of access ports (Fa0/9 to Fa0/12) to VLAN 10:
Switch(config)#interface range fastethernet 0/9 - 12
Switch(config-if-range)#switchport mode access
Switch(config-if-range)#switchport access vlan 10
Switch(config-if-range)#exit

Managing Ports
• Removing a port from VLAN 10:
Switch(config)#interface fa 0/9
Switch(config-if)#no switchport access vlan
Switch(config-if)#exit
Fa0/9 is returned to the default VLAN.

Deleting VLANs
• Delete a named VLAN:
Switch(config)#no vlan 10
Before deleting a VLAN, reassign all member ports to a different VLAN, as they are not returned to the default VLAN and become inactive (here Fa0/9-12 become inactive).

Creating Trunk
Switch(config)#interface fa 0/1
Switch(config-if)#switchport mode trunk
Switch(config-if)#switchport trunk native vlan 99
Switch(config-if)#switchport trunk allowed vlan add 10,20,30
Switch(config-if)#end
[Figure: trunk carrying VLAN 10, VLAN 20 and VLAN 30 between two switches]

Verify Trunk
Switch#show interface fa 0/1 switchport

Reset/Delete Trunk
• Reset Trunk to default settings:
• Delete Trunk:
Switch(config)#interface fa 0/1
Switch(config-if)#switchport mode access

VLAN Troubleshooting
• Native VLAN mismatches - Trunk ports are configured with different native VLANs. This configuration error generates console notifications and causes control and management traffic to be misdirected.
• Trunk mode mismatches - One trunk port is configured with trunk mode "off" and the other with trunk mode "on". This configuration error causes the trunk link to stop working.
• VLANs and IP subnets - Devices may have been configured with incorrect IP addresses, preventing them from accessing network resources.
• Allowed VLANs on trunks - The list of allowed VLANs on a trunk has not been updated with the current VLAN trunking requirements. In this situation, unexpected traffic or no traffic is being sent over the trunk.

Any Questions?

Lab Topology
Chapter 3.5.1 – Basic VLAN Config
[Figure: S1 links to S2 and S3 over Fa0/1 and Fa0/2. Hosts: PC1 172.17.10.21/24 and PC4 172.17.10.24/24 on Fa0/11; PC2 172.17.20.22/24 and PC5 172.17.20.25/24 on Fa0/18; PC3 172.17.30.23/24 and PC6 172.17.30.26/24 on Fa0/6]
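As an added illustration of the 802.1Q Tagging and Normal/Extended Range VLAN slides (this code is not from the course material), the following Python splices the 4-byte tag into a frame, parses it back, classifies the VID into the ranges the chapter defines, and shows that the FCS differs once the tag is inserted. The frame bytes are constructed sample data.

```python
import struct
import zlib

TPID_8021Q = 0x8100      # EtherType value that announces a VLAN tag follows
ETHERTYPE_IPV4 = 0x0800

def classify_vid(vid):
    """Place a 12-bit VID in the ranges the chapter defines."""
    if not 0 <= vid <= 4095:
        raise ValueError("VID must fit in 12 bits")
    if vid in (0, 4095):
        return "reserved"
    if 1002 <= vid <= 1005:
        return "normal-range (reserved for Token Ring/FDDI)"
    if vid <= 1005:
        return "normal-range (stored in vlan.dat, learned by VTP)"
    return "extended-range (running-config only, not learned by VTP)"

def fcs(frame):
    """Ethernet FCS: CRC-32 over the whole frame, little-endian on the wire."""
    return struct.pack("<I", zlib.crc32(frame) & 0xFFFFFFFF)

def add_dot1q_tag(frame, vid, pcp=0, dei=0):
    """Splice a 4-byte 802.1Q tag in after the source MAC (offset 12).

    The original frame is not encapsulated: TPID + TCI are inserted in front
    of the original EtherType, so the frame changes and its FCS must be
    recomputed by whoever transmits it."""
    if classify_vid(vid) == "reserved":
        raise ValueError("VID %d is reserved and cannot identify a VLAN" % vid)
    tci = (pcp << 13) | (dei << 12) | vid      # 3-bit PCP, 1-bit DEI, 12-bit VID
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]

def parse_dot1q(frame):
    """Return (pcp, dei, vid, inner_ethertype), or None for an untagged frame."""
    (tpid,) = struct.unpack_from("!H", frame, 12)
    if tpid != TPID_8021Q:
        return None
    tci, ethertype = struct.unpack_from("!HH", frame, 14)
    return tci >> 13, (tci >> 12) & 1, tci & 0x0FFF, ethertype

# Constructed sample: minimal untagged Ethernet II frame (FCS not yet appended),
# destination 00:11:22:33:44:55, source 00:66:77:88:99:aa, 46-byte payload.
UNTAGGED = (bytes.fromhex("001122334455") + bytes.fromhex("0066778899aa")
            + struct.pack("!H", ETHERTYPE_IPV4) + bytes(46))
TAGGED = add_dot1q_tag(UNTAGGED, vid=99, pcp=5)   # management VLAN 99 from the deck
```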
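As an added example for the VLAN Troubleshooting and DTP slides (not part of the original deck), this Python compares show interfaces switchport output from the two ends of a trunk and reports the native VLAN, trunk mode and allowed-VLAN mismatches the chapter lists, plus a native VLAN still left at 1 and ports still negotiating via DTP. The two outputs are constructed samples shaped like IOS output, and S1/S2 are hypothetical switch names.

```python
import re
# Constructed sample output, shaped like `show interfaces fa0/1 switchport` on
# the two ends of one trunk link (hypothetical values, not from real gear).
S1_FA0_1 = """Name: Fa0/1
Administrative Mode: trunk
Operational Mode: trunk
Negotiation of Trunking: On
Trunking Native Mode VLAN: 99 (VLAN0099)
Trunking VLANs Enabled: 10,20,30,99
"""
S2_FA0_1 = """Name: Fa0/1
Administrative Mode: dynamic auto
Operational Mode: trunk
Negotiation of Trunking: On
Trunking Native Mode VLAN: 1 (default)
Trunking VLANs Enabled: 10,20,30
"""
def parse_switchport(switch, text):
    """Extract the fields the VLAN Troubleshooting slide depends on."""
    def field(name):
        m = re.search(r"^%s: (.+)$" % re.escape(name), text, re.M)
        return m.group(1).strip() if m else ""
    allowed = field("Trunking VLANs Enabled")
    return {
        "port": "%s %s" % (switch, field("Name")),
        "admin_mode": field("Administrative Mode"),
        "oper_mode": field("Operational Mode"),
        "dtp": field("Negotiation of Trunking") == "On",
        "native": int(field("Trunking Native Mode VLAN").split()[0]),
        "allowed": None if allowed == "ALL" else set(map(int, allowed.split(","))),
    }

def check_trunk(a, b):
    """Report mismatches across the link, plus native VLAN 1 and DTP left on."""
    findings = []
    if a["native"] != b["native"]:
        findings.append("native VLAN mismatch: %d vs %d" % (a["native"], b["native"]))
    if (a["oper_mode"] == "trunk") != (b["oper_mode"] == "trunk"):
        findings.append("trunk mode mismatch: %s vs %s" % (a["oper_mode"], b["oper_mode"]))
    if a["allowed"] and b["allowed"] and a["allowed"] != b["allowed"]:
        findings.append("allowed VLAN lists differ by %s" % sorted(a["allowed"] ^ b["allowed"]))
    for side in (a, b):
        if side["native"] == 1:
            findings.append("%s still uses VLAN 1 as its native VLAN" % side["port"])
        if side["dtp"] or side["admin_mode"].startswith("dynamic"):
            findings.append("%s negotiates trunking via DTP (%s)" % (side["port"], side["admin_mode"]))
    return findings

def audit_sample():
    return check_trunk(parse_switchport("S1", S1_FA0_1), parse_switchport("S2", S2_FA0_1))
```

Feeding real output from both ends of each trunk into check_trunk gives the same checks the slide asks you to do by hand with show interfaces interface-id switchport.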