LOCAL AREA NETWORK (LAN)
A Local Area Network (LAN) can generally be defined as a broadcast domain. Hubs, bridges or switches in the same physical segment or segments connect all end node devices. End nodes can communicate with each other without the need for a router; communicating with devices on other LAN segments requires a router.
A Local Area Network (LAN) was originally defined as a network of computers located within the same area. Today, local area networks are defined as a single broadcast domain. This means that if a user broadcasts information on his/her LAN, the broadcast will be received by every other user on the LAN.
Broadcasts are prevented from leaving a LAN by using a router. The disadvantage of this method is that routers usually take more time to process incoming data than a bridge or a switch. More importantly, the formation of broadcast domains then depends on the physical connection of the devices in the network.
Virtual Local Area Networks (VLANs) were therefore developed as an alternative to using routers to contain broadcast traffic. In this article we examine and discuss the use of Virtual Local Area Networks (VLANs).
VLANS AND TRUNKING :
Why we need VLANs: Layer 2 devices on one VLAN cannot communicate with users on another VLAN without the use of routers and network layer addresses.
VLANs allow the formation of virtual workgroups, better security, improved performance, simplified administration and reduced costs. VLANs are formed by the logical segmentation of a network and can be classified into Layer 1, 2, 3 and higher-layer VLANs. Only Layer 1 and 2 are specified in the draft standard 802.1Q. Tagging and the filtering database allow a bridge to determine the source and destination VLAN for received data. VLANs, if implemented effectively, show considerable promise in future networking solutions.
VIRTUAL LAN (VLAN)
VLANs allow a network manager to logically segment a LAN into different broadcast domains. Since this is a logical segmentation and not a physical one, workstations do not have to be physically located together: users on different floors of the same building, or even in different buildings, can now belong to the same LAN.
VLANs also allow broadcast domains to be defined without using routers. Bridging software is used instead to define which workstations are to be included in the broadcast domain. Routers only have to be used to communicate between two VLANs.
Virtual LANs (VLANs) can also be viewed as a group of devices on different physical LAN segments which can communicate with each other as if they were all on the same physical LAN segment. VLAN stands for Virtual Local Area Network: a virtual LAN that extends its functionality beyond a single LAN. It is a technology that allows a company or an individual to extend their LAN over a WAN interface, overcoming the physical limitations of regular LANs.
Through VLANs a network is divided into different logical segments known as broadcast domains. The computers in a VLAN act as if they were connected to the same LAN segment even when they are located on different network segments. In a VLAN, computers can move from one location to another and still be part of the same VLAN. VLANs offer many advantages over the traditional local area network.
NOTE : VLANs support the 802.1Q features. IEEE 802.1Q defines the meaning of a VLAN with respect to the specific conceptual model underpinning bridging at the MAC layer and to the IEEE 802.1D Spanning Tree Protocol. This protocol allows individual VLANs to communicate with one another using a switch with Layer 3 capabilities, or simply a router.
Today there are many VLAN solutions available for LANs. Cisco Systems offers a comprehensive VLAN solution that allows remote and geographically dispersed users to come together and become part of the same network by forming VLAN workgroup topologies.
Cisco also offers virtualization solutions for all types of networks, including Ethernet, FDDI, Token Ring and ATM.
ADVANTAGES :
► Help control broadcasts (primarily MAC-layer broadcasts)
► Switch table entry scaling
► Improve network security
► Help logically group network users
VLAN BASICS CONFIGURATION ISSUES:
► A switch creates a broadcast domain
► VLANs help manage broadcast domains
► VLANs can be defined on port groups, users or protocols
► LAN switches and network management software provide a mechanism to create VLANs
USE OF VIRTUAL LANS (VLAN)
1. PERFORMANCE:
In networks where traffic consists of a high percentage of broadcasts and multicasts, VLANs can reduce the need to send such traffic to unnecessary destinations. For example, in a broadcast domain consisting of 10 users, if the broadcast traffic is intended only for 5 of the users, then placing those 5 users on a separate VLAN can reduce traffic.
Compared to switches, routers require more processing of incoming traffic. As the volume of traffic passing through the routers increases, so does the latency in the routers, which results in reduced performance. The use of VLANs reduces the number of routers needed, since VLANs create broadcast domains using switches instead of routers.
2. FORMATION OF VIRTUAL WORKGROUPS :
It is common to find cross-functional product development teams with members from different departments such as marketing, sales, accounting and research. These workgroups are usually formed for a short period of time. During this period, communication between members of the workgroup will be high. To contain broadcasts and multicasts within the workgroup, a VLAN can be set up for them. With VLANs it is easier to place members of a workgroup together. Without VLANs, the only way this would be possible is to physically move all the members of the workgroup closer together.
However, virtual workgroups do not come without problems. Consider the situation where one user of the workgroup is on the fourth floor of a building, and the other workgroup members are on the second floor. Resources such as a printer would be located on the second floor, which would be inconvenient for the lone fourth-floor user.
Another problem with setting up virtual workgroups is the implementation of centralized server farms, which are essentially collections of servers and major resources for operating a network at a central location. The advantages here are numerous, since it is more efficient and cost-effective to provide better security, uninterrupted power supply, consolidated backup and a proper operating environment in a single area than if the major resources were scattered around a building. Centralized server farms can cause problems when setting up virtual workgroups if servers cannot be placed on more than one VLAN. In such a case, the server would be placed on a single VLAN and all other VLANs trying to access the server would have to go through a router; this can reduce performance.
3. SIMPLIFIED ADMINISTRATION :
Seventy percent of network costs are a result of adds, moves and changes of users in the network. Every time a user is moved in a LAN, recabling, new station addressing, and reconfiguration of hubs and routers become necessary. Some of these tasks can be simplified with the use of VLANs. If a user is moved within a VLAN, reconfiguration of routers is unnecessary. In addition, depending on the type of VLAN, other administrative work can be reduced or eliminated. However, the full power of VLANs will only really be felt when good management tools are created which allow network managers to drag and drop users into different VLANs or to set up aliases.
Despite this saving, VLANs add a layer of administrative complexity, since it now becomes necessary to manage virtual workgroups.
4. REDUCED COST :
VLANs can be used to create broadcast domains which eliminate the need for expensive routers.
5. SECURITY:
Periodically, sensitive data may be broadcast on a network. In such cases, placing only those users who may have access to that data on a VLAN can reduce the chances of an outsider gaining access to the data. VLANs can also be used to control broadcast domains, set up firewalls, restrict access, and inform the network manager of an intrusion.
HOW VLANS WORK :
When a LAN bridge receives data from a workstation, it tags the data with a VLAN identifier indicating the VLAN from which the data came. This is called explicit tagging.
It is also possible to determine which VLAN the received data belongs to using implicit tagging. In implicit tagging the data is not tagged, but the VLAN from which the data came is determined based on other information, such as the port on which the data arrived.
Tagging can be based on the port from which the data came, the source Media Access Control (MAC) field, the source network address, or some other field or combination of fields.
VLANs are classified based on the method used. To be able to tag data using any of these methods, the bridge has to keep an updated database containing a mapping between VLANs and whichever field is used for tagging.
FOR EXAMPLE : If tagging is by port, the database should indicate which ports belong to which VLAN. This database is called a filtering database. Bridges have to be able to maintain this database and also to make sure that all the bridges on the LAN have the same information in each of their databases. The bridge determines where the data is to go next based on normal LAN operations. Once the bridge determines where the data is to go, it needs to determine whether the VLAN identifier should be added to the data before it is sent.
If the data is to go to a device that knows about VLAN implementation (VLAN-aware), the VLAN identifier is added to the data. If it is to go to a device that has no knowledge of VLAN implementation (VLAN-unaware), the bridge sends the data without the VLAN identifier.
In order to understand how VLANs work, we need to look at the types of VLANs, the types of connections between devices on VLANs, the filtering database which is used to send traffic to the correct VLAN, and tagging, the process used to identify the VLAN originating the data.
VLAN STANDARD (IEEE 802.1Q) :
There has been a recent move towards building a set of standards for VLAN products. The Institute of Electrical and Electronics Engineers (IEEE) is currently working on a draft standard, 802.1Q, for VLANs. Up to this point, products have been proprietary, implying that anyone wanting to install VLANs would have to purchase all products from the same vendor. Once the standards have been written and vendors create products based on these standards, users will no longer be confined to purchasing products from a single vendor. The major vendors have supported these standards and are planning on releasing products based on them. It is anticipated that these standards will be ratified later this year.
WHY ARE VLANS REQUIRED? :
It is important to point out that you don’t have to configure a VLAN until your network gets so large and has so much traffic that you need one. Many times, people are simply using VLANs because the network they are working on was already using them.
Another important fact is that, on a Cisco switch, VLANs are enabled by default and ALL devices are already in a VLAN. The VLAN that all devices are already in is VLAN 1. So, by default, you can just use all the ports on a switch and all devices will be able to talk to one another.
WHEN DO WE NEED VLANS? :
• You have more than 200 devices on your LAN.
• You have a lot of broadcast traffic on your LAN.
• Groups of users need more security or are being slowed down by too many broadcasts.
• Groups of users need to be on the same broadcast domain because they are running the same applications. An example would be a company that has VoIP phones: the users with phones could be on a different VLAN from the regular users.
• Or, just to make a single switch into multiple virtual switches.
VLAN CLASSIFICATION
VLANS CAN BE CLASSIFIED INTO THE FOLLOWING TYPES :
In a port-based VLAN, such as that illustrated in the figure, each computer is assigned to its VLAN based on the port to which the computer is connected.
PORT-BASED VLAN : This VLAN type is configured on each physical switch port, via an access list that identifies membership in a collection of VLANs.
For example: ports 1 through 4 can be assigned to the Sales VLAN, ports 6 through 10 to the Engineering VLAN, and port 5 kept open as a spare port that you can assign to either VLAN. Or you can create a third VLAN with port 5 as a member. When a computer is connected to port 4, it becomes part of the Sales VLAN. When that same computer is connected to port 6, however, it becomes part of the Engineering VLAN.
The main drawback of port-based VLANs is that you must reconfigure VLAN membership when a user moves from one port to another. If you are in an environment in which people are moving around all the time, port-based VLANs can become quite the headache.
MAC-BASED VLAN : Individual MAC addresses are mapped to VLAN membership by configuring the switch with an access list that handles the whole procedure.
PROTOCOL-BASED VLAN : Traffic from neighbouring end stations is assigned to a VLAN by its Layer 3 protocol type (for example IP or IPX); the switch is configured with a table mapping Layer 3 protocol types to VLAN membership.
In a MAC address-based VLAN, such as that illustrated in the figure, each computer is assigned to its VLAN based on the Media Access Control (MAC) address of the computer.
VLAN MEMBERSHIP :
VLAN membership can be classified by port, MAC address and protocol type.
1) LAYER 1 VLAN: MEMBERSHIP BY PORT
Membership in a VLAN can be defined based on the ports that belong to the VLAN. For example, in a bridge with four ports, ports 1, 2 and 4 belong to VLAN 1 and port 3 belongs to VLAN 2 (see Figure 1).
Port | VLAN
---- | ----
1 | 1
2 | 1
3 | 2
4 | 1
The main disadvantage of this method is that it does not allow for user mobility. If a user moves to a different location away from the assigned bridge, the network manager must reconfigure the VLAN.
2) LAYER 2 VLAN: MEMBERSHIP BY MAC ADDRESS
Here, membership in a VLAN is based on the MAC address of the workstation. The switch tracks the MAC addresses which belong to each VLAN (see Figure 2). Since MAC addresses form a part of the workstation's network interface card, when a workstation is moved, no reconfiguration is needed to allow the workstation to remain in the same VLAN. This is unlike Layer 1 VLANs, where membership tables must be reconfigured.
MAC Address | VLAN
----------- | ----
1212354145121 | 1
2389234873743 | 2
3045834758445 | 2
5483573475843 | 1
The main problem with this method is that VLAN membership must be assigned initially. In networks with thousands of users, this is no easy task. Also, in environments where notebook PCs are used, the MAC address is associated with the docking station and not with the notebook PC. Consequently, when a notebook PC is moved to a different docking station, its VLAN membership must be reconfigured.
3) LAYER 2 VLAN: MEMBERSHIP BY PROTOCOL TYPE
VLAN membership for Layer 2 VLANs can also be based on the protocol type field found in the Layer 2 header (see Figure 3).
Protocol | VLAN
-------- | ----
IP | 1
IPX | 2
4) LAYER 3 VLAN: MEMBERSHIP BY IP SUBNET ADDRESS
Membership is based on the Layer 3 header. The network IP subnet address can be used to classify VLAN membership (see Figure 4).
IP Subnet | VLAN
--------- | ----
23.2.24 | 1
26.21.35 | 2
Although VLAN membership is based on Layer 3 information, this has nothing to do with network routing and should not be confused with router functions. In this method, IP addresses are used only as a mapping to determine membership in VLANs. No other processing of IP addresses is done.
In Layer 3 VLANs, users can move their workstations without reconfiguring their network addresses. The only problem is that it generally takes longer to forward packets using Layer 3 information than using MAC addresses.
5) HIGHER LAYER VLANS
It is also possible to define VLAN membership based on applications or services, or any combination thereof. For example, File Transfer Protocol (FTP) applications can be executed on one VLAN and Telnet applications on another VLAN.
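To make the filtering database concrete, here is an added Python example (not part of the article) that implements the four membership tables above and shows the mobility property the text describes: moving a station to another port changes its port-based VLAN but not its MAC-based or subnet-based one. The MAC addresses are constructed (the figure values above are not valid MACs), the two subnets are assumed to be /24 networks, and traffic that matches no entry falls back to VLAN 1, as on a default Cisco switch.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Registered EtherType values used by the protocol-based table.
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_IPX = 0x8137


@dataclass
class Frame:
    """Fields a bridge can use for implicit tagging (constructed, not from the article)."""
    ingress_port: int
    src_mac: str
    ethertype: int
    src_ip: Optional[str] = None      # only meaningful when ethertype is IPv4


class FilteringDatabase:
    """Mapping between VLANs and whichever field is used for membership."""

    def __init__(self, default_vlan: int = 1):
        self.default_vlan = default_vlan                       # every port is in VLAN 1 by default
        self.by_port: Dict[int, int] = {}                      # layer 1: port -> VLAN
        self.by_mac: Dict[str, int] = {}                       # layer 2: MAC -> VLAN
        self.by_protocol: Dict[int, int] = {}                  # layer 2: EtherType -> VLAN
        self.by_subnet: List[Tuple[ipaddress.IPv4Network, int]] = []  # layer 3: longest prefix wins

    def classify(self, frame: Frame, method: str) -> int:
        """Return the VLAN a received frame belongs to under the chosen membership method."""
        if method == "port":
            vlan = self.by_port.get(frame.ingress_port)
        elif method == "mac":
            vlan = self.by_mac.get(frame.src_mac.lower())
        elif method == "protocol":
            vlan = self.by_protocol.get(frame.ethertype)
        elif method == "subnet":
            vlan = self._by_subnet(frame)
        else:
            raise ValueError(f"unknown membership method: {method}")
        return self.default_vlan if vlan is None else vlan

    def _by_subnet(self, frame: Frame) -> Optional[int]:
        # Layer 3 membership only maps the source address to a VLAN; nothing is routed.
        if frame.ethertype != ETHERTYPE_IPV4 or frame.src_ip is None:
            return None
        ip = ipaddress.ip_address(frame.src_ip)
        matches = [(net.prefixlen, vlan) for net, vlan in self.by_subnet if ip in net]
        return max(matches)[1] if matches else None


def build_example_database() -> FilteringDatabase:
    """Tables from the article's figures; MAC values and /24 prefixes are assumptions."""
    db = FilteringDatabase()
    db.by_port = {1: 1, 2: 1, 3: 2, 4: 1}
    db.by_mac = {"02:00:00:00:00:01": 1, "02:00:00:00:00:02": 2}
    db.by_protocol = {ETHERTYPE_IPV4: 1, ETHERTYPE_IPX: 2}
    db.by_subnet = [(ipaddress.ip_network("23.2.24.0/24"), 1),
                    (ipaddress.ip_network("26.21.35.0/24"), 2)]
    return db


def mobility_check(db: FilteringDatabase, mac: str, old_port: int, new_port: int) -> dict:
    """(VLAN before move, VLAN after move) per method, for a station that keeps its MAC and IP."""
    before = Frame(old_port, mac, ETHERTYPE_IPV4, "23.2.24.7")
    after = Frame(new_port, mac, ETHERTYPE_IPV4, "23.2.24.7")
    return {m: (db.classify(before, m), db.classify(after, m)) for m in ("port", "mac", "subnet")}
```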
HOW VLANS ARE IDENTIFIED?
Since a VLAN is a software concept, identifiers and configurations for a VLAN must be properly prepared for it to function as expected. Frame coloring is the process used to ensure that VLAN members or groups are properly identified and handled. With frame coloring, packets are given the proper VLAN ID at their origin so that they may be properly processed as they pass through the network.
The VLAN ID then enables switching and routing engines to make the appropriate decisions as defined in the VLAN configuration.
Users need a few details to define a VLAN on most Cisco equipment. Unfortunately, because Cisco sometimes acquires the technologies it uses to fill its switching, routing and security product lines, naming conventions are not always consistent.
This article focuses on only one Cisco switching and routing product line, running Cisco IOS.
WHAT DO PRIVATE VLANS (PVLANS) DO? They split the domain into multiple isolated broadcast sub-domains. It’s a simple nesting concept – VLANs inside a VLAN. As we know, Ethernet VLANs are not allowed to communicate directly; they need an L3 device to forward packets between broadcast domains. The same concept applies to PVLANs – since the sub-domains are isolated at Layer 2, they need to communicate using an upper-level (L3, packet-forwarding) entity such as a router. However, there is a difference here. Regular VLANs usually correspond to a single IP subnet. When we split a VLAN using PVLANs, hosts in different PVLANs still belong to the same IP subnet, but they need to use a router (another L3 device) to talk to each other (for example, by means of local proxy ARP). In turn, the router may either permit or forbid communication between sub-VLANs using access lists.
In order to implement sub-VLAN behavior, we need to define how packets are forwarded between different port types. First comes the primary VLAN – simply the original VLAN (VLAN 100 in our example). This type of VLAN is used to forward frames downstream from P-ports (promiscuous ports) to all other port types (I and C ports, that is, isolated and community ports).
In essence, the primary VLAN contains all ports in the domain, but is only used to transport frames from the router to the hosts (P to I and C). Next come the secondary VLANs, which correspond to the isolated and community port groups. They are used to transport frames in the opposite direction – from I and C ports to the P-port.
ISOLATED VLAN : Forwards frames from I-ports to P-ports. Since isolated ports do not exchange frames with each other, we can use just ONE isolated VLAN to connect all I-ports to the P-port.
COMMUNITY VLANS : Transport frames between community ports (C-ports) within the same group (community) and forward frames upstream to the P-ports of the primary VLAN.
How it works :
The primary VLAN is used to deliver frames downstream from the router to all hosts; the isolated VLAN transports frames from stub hosts upstream to the router; community VLANs allow frame exchange within a single group and also forward frames in the upstream direction towards the P-port. All the basic MAC address learning and unknown unicast flooding principles remain the same.
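The forwarding rules described above, as an added Python example that is not part of the article: it encodes which port types may exchange frames directly within one private VLAN, which VLAN ID carries a frame depending on its ingress port type, and which ports receive a flooded frame. VLAN 100 is the primary as in the text; the secondary VLAN IDs, port names and community names are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class PvlanPort:
    name: str
    kind: str                         # "promiscuous" (P), "isolated" (I) or "community" (C)
    community: Optional[str] = None   # community name, C-ports only


@dataclass(frozen=True)
class PvlanDomain:
    primary_vid: int                  # downstream: P-port to every I and C port
    isolated_vid: int                 # upstream: every I-port to the P-port (one VLAN is enough)
    community_vids: Dict[str, int]    # upstream and intra-group: one secondary VLAN per community


def may_forward(src: PvlanPort, dst: PvlanPort) -> bool:
    """Layer 2 forwarding rule between two ports of the same primary VLAN."""
    if src == dst:
        return False
    if src.kind == "promiscuous" or dst.kind == "promiscuous":
        return True                   # the router port reaches everyone, and everyone reaches it
    if src.kind == "community" and dst.kind == "community":
        return src.community == dst.community
    return False                      # I-I, I-C and C-I never exchange frames directly


def carrying_vlan(src: PvlanPort, domain: PvlanDomain) -> int:
    """VLAN ID that carries a frame entering on src: primary downstream, secondary upstream."""
    if src.kind == "promiscuous":
        return domain.primary_vid
    if src.kind == "isolated":
        return domain.isolated_vid
    if src.community not in domain.community_vids:
        raise ValueError(f"{src.name}: community {src.community!r} has no secondary VLAN")
    return domain.community_vids[src.community]


def flood(src: PvlanPort, ports: List[PvlanPort]) -> Set[str]:
    """Broadcast / unknown-unicast flooding: the ports that receive a copy."""
    return {p.name for p in ports if may_forward(src, p)}


def path(src: PvlanPort, dst: PvlanPort) -> str:
    """'direct' inside the PVLAN, otherwise 'router': same IP subnet, reached through
    the L3 device (local proxy ARP) and therefore subject to its access lists."""
    return "direct" if may_forward(src, dst) else "router"


# Constructed example domain: VLAN 100 is the primary as in the text; secondary IDs,
# port names and community names are assumed for the example.
DOMAIN = PvlanDomain(primary_vid=100, isolated_vid=101, community_vids={"web": 102, "db": 103})
PORTS = [
    PvlanPort("Gi1/1", "promiscuous"),          # router / default gateway
    PvlanPort("Fa2/1", "isolated"),
    PvlanPort("Fa2/2", "isolated"),
    PvlanPort("Fa2/3", "community", "web"),
    PvlanPort("Fa2/4", "community", "web"),
    PvlanPort("Fa2/5", "community", "db"),
]


def port(name: str) -> PvlanPort:
    """Look up a port of the example domain by name."""
    return next(p for p in PORTS if p.name == name)
```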
VLAN MODES
ACCESS MODE is for end devices, or devices that will not require multiple VLANs.
TRUNK MODE is used for passing multiple VLANs to other network devices, or for end devices that need membership of multiple VLANs at once.
If you are unsure which mode to use, use “mode access”.
VLANS ARE CONNECTED IN THE FOLLOWING WAYS :
• Trunk link
• Access link
• Hybrid link
1) TRUNK LINK :
All the devices connected to a trunk link, including workstations, must be VLAN-aware. All frames on a trunk link must have a special header attached. These special frames are called tagged frames.
2) ACCESS LINK :
An access link connects a VLAN-unaware device to the port of a VLAN-aware bridge. All frames on access links must be implicitly tagged (untagged). The VLAN-unaware device can be a LAN segment with VLAN-unaware workstations, or it can be a number of LAN segments containing VLAN-unaware devices (a legacy LAN).
3) HYBRID LINK :
This is a combination of the previous two links. It is a link to which both VLAN-aware and VLAN-unaware devices are attached. A hybrid link can carry both tagged and untagged frames, but all the frames for a specific VLAN must be either tagged or untagged.
Note : The network can have a combination of all three types of links.
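As an added example (not from the article), the following Python code builds and parses the 802.1Q tag that explicit tagging inserts (TPID 0x8100 followed by the 16-bit TCI: 3-bit priority, 1-bit DEI, 12-bit VLAN ID) and applies the link rules just described: frames leaving on a trunk link are tagged, frames leaving on an access link are untagged, and a hybrid link decides per VLAN but always the same way for a given VLAN. The sample ARP frame, its MAC addresses and the VLAN IDs are constructed for the example.

```python
import struct

TPID_8021Q = 0x8100          # EtherType value that announces an 802.1Q tag
RESERVED_VIDS = {0, 4095}    # 0 = priority-tagged only, 4095 reserved by the standard


def build_tag(vid: int, pcp: int = 0, dei: int = 0) -> bytes:
    """4-byte tag: TPID, then TCI = PCP (3 bits) | DEI (1 bit) | VID (12 bits)."""
    if not 0 <= vid <= 4095 or vid in RESERVED_VIDS:
        raise ValueError(f"VID {vid} is not a usable 802.1Q VLAN ID")
    if not 0 <= pcp <= 7 or dei not in (0, 1):
        raise ValueError("PCP is 3 bits and DEI is 1 bit")
    return struct.pack("!HH", TPID_8021Q, (pcp << 13) | (dei << 12) | vid)


def parse_frame(frame: bytes) -> dict:
    """Split a frame into addresses, optional tag fields, EtherType and payload."""
    if len(frame) < 14:
        raise ValueError("shorter than an Ethernet header")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    vid = pcp = None
    offset = 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated inside the 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        pcp, vid, offset = tci >> 13, tci & 0x0FFF, 18
    return {"dst": frame[0:6], "src": frame[6:12], "vid": vid, "pcp": pcp,
            "ethertype": ethertype, "payload": frame[offset:]}


def add_tag(frame: bytes, vid: int, pcp: int = 0) -> bytes:
    """Explicit tagging: the tag goes between the source MAC and the EtherType."""
    if parse_frame(frame)["vid"] is not None:
        raise ValueError("frame is already tagged")
    return frame[:12] + build_tag(vid, pcp) + frame[12:]


def strip_tag(frame: bytes) -> bytes:
    """Undo explicit tagging for a VLAN-unaware receiver; untagged frames pass through."""
    return frame if parse_frame(frame)["vid"] is None else frame[:12] + frame[16:]


def egress(frame: bytes, link_type: str, vid: int = None,
           untagged_vlans: frozenset = frozenset()) -> bytes:
    """Apply the link rules: trunk = tagged, access = untagged, hybrid = per-VLAN choice.
    For an untagged frame, vid is the VLAN the bridge classified it into on ingress."""
    info = parse_frame(frame)
    vid = info["vid"] if info["vid"] is not None else vid
    if vid is None:
        raise ValueError("untagged frame needs the VLAN the bridge classified it into")
    if link_type == "trunk":
        wants_tag = True
    elif link_type == "access":
        wants_tag = False
    elif link_type == "hybrid":
        wants_tag = vid not in untagged_vlans   # same VLAN, same treatment, every time
    else:
        raise ValueError(f"unknown link type {link_type!r}")
    if wants_tag:
        return frame if info["vid"] is not None else add_tag(frame, vid)
    return strip_tag(frame)


# Constructed sample: untagged broadcast ARP frame from a locally administered MAC.
UNTAGGED = (bytes.fromhex("ffffffffffff") + bytes.fromhex("020000000aaa")
            + struct.pack("!H", 0x0806) + bytes(28))
```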
MERITS OF VLAN
BENEFITS (ADVANTAGES) OF VLAN :
1. INCREASED PERFORMANCE :
Switched networks by nature increase performance over the shared media devices in use today, primarily by reducing the size of collision domains. Grouping users into logical networks also increases performance by limiting broadcast traffic to users performing similar functions or within individual workgroups. Additionally, less traffic needs to be routed, and the latency added by routers is reduced.
2. IMPROVED MANAGEABILITY :
VLANs provide an easy, flexible, less costly way to modify logical groups in changing environments. VLANs make large networks more manageable by allowing centralized configuration of devices located in physically diverse locations.
3. NETWORK TUNING AND SIMPLIFICATION OF SOFTWARE CONFIGURATIONS :
VLANs allow LAN administrators to "fine tune" their networks by logically grouping users. Software configurations can be made uniform across machines with the consolidation of a department's resources into a single subnet. IP addresses, subnet masks and local network protocols will be more consistent across the entire VLAN. Fewer implementations of local server resources such as BOOTP and DHCP will be needed in this environment. These services can be more effectively deployed when they can span buildings within a VLAN.
4. PHYSICAL TOPOLOGY INDEPENDENCE :
VLANs provide independence from the physical topology of the network by allowing physically diverse workgroups to be logically connected within a single broadcast domain. If the physical infrastructure is already in place, it becomes a simple matter to add ports in new locations to existing VLANs if a department expands or relocates. These assignments can take place in advance of the move, and it is then a simple matter to move devices with their existing configurations from one location to another. The old ports can then be "decommissioned" for future use, or reused by the department for new users on the VLAN.
5. INCREASED SECURITY OPTIONS :
VLANs have the ability to provide additional security not available in a shared media network environment. By nature, a switched network delivers frames only to the intended recipients, and broadcast frames only to other members of the VLAN. This allows the network administrator to segment users requiring access to sensitive information into separate VLANs from the rest of the general user community, regardless of physical location. In addition, monitoring a port with a traffic analyzer will only show the traffic associated with that particular port, making discreet monitoring of network traffic more difficult.
It should be noted that the enhanced security mentioned above is not to be considered an absolute safeguard against security infringements. What it provides is an additional safeguard against "casual" but unwelcome attempts to view network traffic.
DEMERITS OF VLAN
Although VLANs offer many advantages, they have the following limitations (disadvantages).
1. DEVICE LIMITATIONS :
The number of Ethernet addresses that can be supported by each edge device is 500. This represents a distribution of about 20 devices per Network 21 port. These numbers are actual technical limitations that could be further reduced by the performance requirements of attached devices.
These limitations are above the recommended levels for high-performance networking. From a pure performance standpoint, the ideal end-user device to Network 21 port ratio would be one device per port. From a practical point of view, a single Network 21 port could be shared by a number of devices that do not require a great deal of bandwidth and belong to the same VLAN. An example of this would be a desktop computer, printer and laptop computer for an individual user.
2. PORT CONSTRAINTS :
If a departmental hub or switch is connected to a Network 21 port, every port on that hub must belong to the same VLAN. Hubs do not have the capability to provide VLANs to individual ports, and VLANs cannot be extended beyond the edge device ports even if a switch capable of supporting VLANs is attached.
3. BROADCAST LIMITATIONS :
In order to handle broadcast traffic in an ATM VLAN environment it is necessary to have a special server that is an integrated part of the ATM infrastructure. This server has limitations in the number of broadcasts that may be forwarded. Some network protocols that will be running within individual VLANs, such as IPX and AppleTalk, make extensive use of broadcast traffic. This has the potential of impacting thresholds on the switches or broadcast servers, and may require special consideration when determining VLAN size and configuration.
CISCO VLAN IMPLEMENTATION STEPS :
To define a VLAN on a Cisco device, the user needs a VLAN ID, a VLAN name, ports to participate in the VLAN, and the type of membership the port will have with the VLAN.
Step 1 – > Log into the router or switch in question and get into enable mode.
Step 2 – > Get into configuration mode using “conf t”.
Step 3 – > Create the VLAN by entering “vlan X”, where X is the ID the user would like to assign to the VLAN.
Step 4 – > Name the VLAN by entering “name” followed by the string the VLAN will be identified with.
Step 5 – > For the new VLAN to be a private VLAN, enter “private-vlan primary” and “private-vlan association Y”, where Y is the secondary VLAN to be associated with the primary VLAN. For the private VLAN to be community based, enter “private-vlan community” instead.
Step 6 – > Enter “end” to exit configuration mode.
Step 7 – > Save the configuration to memory by entering “wr mem” and, if needed, to the network using “wr net”. The user may have to supply additional information to write configurations to the network, depending on the device configuration.
The user has now created a VLAN by assigning it an ID and giving it a name. At this point, the VLAN has no special configuration to handle IP traffic, nor are there any ports that are VLAN members.
VLAN CONFIGURATION STEPS :
A VLAN is not of much use if it has not been assigned an IP address, a subnet mask and port membership. In normal network segment configurations on routers, individual interfaces or groups of interfaces (called channels) are assigned IP addresses.
When VLANs are used, individual interfaces are VLAN members, do not have individual IP addresses, and generally do not have access lists applied to them. Those features are usually reserved for the VLAN interfaces. The following steps detail one method of creating and configuring a VLAN interface. Note: these steps assume that the user has already logged into the router, got into enable mode, and entered configuration mode.
These specific examples are based on Cisco series devices :
• Step 1 – > Enter “interface vlan X”, where X is the VLAN ID used in the VLAN definition above.
• Step 2 – > This step is optional. Enter “description” followed by text detailing what the VLAN is going to be used for. Simply re-use the VLAN name used above if preferred.
• Step 3 – > Enter “ip address” followed by the address you want to assign this device in the VLAN and the network mask for the subnet you have assigned to the VLAN.
• Step 4 – > This step is optional. Create and apply an access list to the VLAN for inbound and outbound access controls. For a standard access list, enter “access-group xxx in” and “access-group yyy out”, where xxx and yyy correspond to access lists previously configured. Remember that the terms are taken with respect to the specific subnet or interface, so “in” means from the VLAN into the router and “out” means from the router out to the VLAN.
• Step 5 – > This step is optional. Enter the private VLAN mapping to be used if the port is part of a private VLAN. This should be the same secondary VLAN associated with the primary VLAN in the VLAN definition above. Enter “private-vlan mapping XX”, where XX is the VLAN ID of the secondary VLAN to be associated with this VLAN.
• Step 6 – > This step is optional. Configure HSRP and any other basic interface configuration normally used on the Cisco device.
• Step 7 – > Enter “end” to exit configuration mode.
• Step 8 – > Save the configuration to memory.
Now the VLAN is defined and configured, but no physical ports are members of the VLAN, so the VLAN is still not of much use.
Next, port membership in the VLAN is described. IOS devices describe interfaces based on a technology and a port number, as with “FastEthernet3/1” or “GigabitEthernet8/16”.
Once the user determines which physical ports should be members of the VLAN, use the following steps to configure them.
Note: these steps assume that the user has already logged into the router, got into enable mode, and entered configuration mode.
CONFIGURAIN STEPS FOR PORT MEMBERSHIP
FOR ACCESS PORTS :
• Step 1 – > Enter “Interface” Where The Name Cisco Has Assigned The Interface To Be Associated With The VLAN.
• Step 2 – > This Step Is Optional. Enter “Description ” Whereis Text Describes The System Connected To The Interface In Question. It Is Usually Helpful To Provide Dns Hostname, Ip Address, Which Port On The Remote System Is Connected, And Its Function.
• Step 3 – > This Step Depends On The Equipment, Ios Version, And Requirements. Enter “Switchport” If The Interface Should Act As A Switch Port. Some Hardware Does Not Support Switchport Mode And Can Only Be Used As A Router Port. The User Should Check The Documentation If We Does Not Know The Difference Between A Router Port And A Switch Port.
• Step 4 – > Only Use This Step If Step 3 Above Was Used. Enter “Switchport Access Vlan X” Where X Is The Vlan Id Of The Vlan That The Port Should Be A Member Of.
• Step 5 – > Only Use This Step If Step 3 Above Was Used. Enter “Switchport Mode Access” To Tell The Port That It Should Be Used As An Access Port.
• Step 6 – > Enter “End” To Exit Configuration Mode.
• Step 7 – > Save The Configuration To Memory.
FOR TRUNK PORTS :
• Step 1 – > Enter "interface NAME", Where NAME Is The Name Cisco Has Assigned To The Interface To Be Associated With The VLAN.
• Step 2 – > This Step Is Optional. Enter "description TEXT", Where TEXT Describes The System Connected To The Interface In Question. It Is Usually Helpful To Provide The DNS Hostname, IP Address, Which Port On The Remote System Is Connected, And Its Function.
• Step 3 – > This Step Depends On The Equipment, IOS Version, And Requirements. Enter "switchport" If The Interface Should Act As A Switch Port. Some Hardware Does Not Support Switchport Mode And Can Only Be Used As A Router Port. The User Should Check The Documentation If He/She Does Not Know The Difference Between A Router Port And A Switch Port.
• Step 4 – > Only Use This Step If The Interface Is A Switch Port (See Step 3). Enter "switchport trunk encapsulation dot1q". This Tells The Port To Use IEEE 802.1Q Encapsulation On The Trunk, Which Is The Industry Standard Encapsulation For Trunking. The Other Option, ISL, Is Cisco Proprietary And Will Not Interoperate With Non-Cisco Equipment. Switches That Support Only 802.1Q (For Example The 2960 Series) Do Not Accept This Command; Skip It There.
• Step 5 – > Only Use This Step If The Interface Is A Switch Port (See Step 3). Enter "switchport trunk allowed vlan XX,YY,ZZ" (Comma Separated, No Spaces), Where XX, YY, And ZZ Are The VLANs That The Trunk Should Carry. Define One Or More VLANs To Be Allowed On The Trunk; Any VLAN Not Listed Is Pruned From The Link.
• Step 6 – > Only Use This Step If The Interface Is A Switch Port (See Step 3). Enter "switchport mode trunk" To Tell The Port To Operate As A VLAN Trunk And Not As An Access Port. If The Far End Is Also Statically Configured, Add "switchport nonegotiate" So That DTP Is Not Used On The Link.
• Step 7 – > Enter "end" To Exit Configuration Mode.
• Step 8 – > Save The Configuration To Memory.
FOR PRIVATE VLAN PORTS :
• Step 1 – > Enter "interface NAME", Where NAME Is The Name Cisco Has Assigned To The Interface To Be Associated With The VLAN.
• Step 2 – > This Step Is Optional. Enter "description TEXT", Where TEXT Describes The System Connected To The Interface In Question. It Is Usually Helpful To Provide The DNS Hostname, IP Address, Which Port On The Remote System Is Connected, And Its Function.
• Step 3 – > This Step Depends On The Equipment, IOS Version, And Requirements. Enter "switchport" If The Interface Should Act As A Switch Port. Some Hardware Does Not Support Switchport Mode And Can Only Be Used As A Router Port. The User Should Check The Documentation If He/She Does Not Know The Difference Between A Router Port And A Switch Port.
• Step 4 – > Enter "switchport private-vlan host-association XX YY", Where XX Is The Primary VLAN To Be Assigned And YY Is The Secondary (Isolated Or Community) VLAN To Be Associated With It. Both VLANs Must Already Exist And Be Associated With Each Other In VLAN Configuration Mode ("private-vlan association") Before This Step.
• Step 5 – > Enter "switchport mode private-vlan host" To Force The Port To Operate As A Private-VLAN Host Port.
• Step 6 – > Enter "end" To Exit Configuration Mode.
• Step 7 – > Save The Configuration To Memory.
Note: The VLAN Should Now Be Properly Implemented On A Cisco IOS Device. Verify The Result With "show vlan brief" And "show interfaces NAME switchport".
HP PROCURVE VLAN IMPLEMENTATIONS
HP VLAN:
HP’s Procurve Line Of Switchgear Is Becoming More Prevalent In Enterprise And Other Business Environments. As A Result, It Is Common To Have To Integrate Cisco And Procurve Hardware, Which Is A Challenge Because Of Terminology. Below, Some VLAN Terminologies Are Defined So There Is Less Opportunity For Confusion.
HP VLAN ID – > VLAN IDs Are Pretty Much The Same Everywhere; The Only Significant Difference Is The Range Of IDs That Can Be Used. With ProCurve Devices, The Number Of VLANs The Switch Will Hold Is Set In The Configuration ("max-vlans"). The Default Maximum Differs Among Models And Firmware Revisions, But Is Commonly 8. Newer ProCurve Hardware Supports The Full 802.1Q Range Of VLAN IDs (1 To 4094), But Only 256 Concurrently Defined VLANs On A Single Device. VLAN ID 1 Is Reserved For The "DEFAULT_VLAN", The Default Administrative VLAN.
VLAN NAMES – > VLAN Names Are Text Fields That Help Technicians Identify VLANs. ProCurve Allows Names Of Up To 32 Characters, But For The Name To Display Properly In Menu Configuration Mode, Limit It To 12 Characters.
VLAN MODES – > ProCurve Has Three Modes Of Port Membership In A VLAN: Untagged, Tagged, And No. Untagged Mode Is Cisco's Access Mode. This Mode Is Used For Ports That Connect To End Nodes Or To Devices That Will Not Be Passing VLAN Traffic Forward.
Tagged Mode Is The Same As Cisco's Trunk Mode. This Mode Is Used For Ports That Connect To Devices That Will Be Passing VLAN Traffic Forward, Or For Trunking Multiple VLANs. No Mode Means That The Port In Question Has No Association Whatsoever With That VLAN. Note That A Port May Be Untagged In One VLAN And Tagged In Others At The Same Time; That Untagged VLAN Is The Equivalent Of Cisco's Native VLAN On A Trunk, So Choose It Deliberately Rather Than Leaving The Port Untagged In DEFAULT_VLAN.
SPECIAL NOTE ON "TRUNK" – > Lots Of Confusion Surrounds The Word "Trunk" When Users Move Between Vendors' Equipment. In Cisco's Case, Trunking Is Only Used With VLANs. Grouping Multiple Ethernet Ports Into A Single Logical Ethernet Link Is Called A Channel-Group, Regardless Of Whether PAgP (FEC) Or LACP Is Used To Negotiate The Channel.
ProCurve Uses "Trunk" To Define A Group Of Ethernet Ports Using The HP Trunking Protocol (Or LACP), And The Term "Tagged" For What Cisco Calls A VLAN Trunk. Of Course, These Two Technologies Have Nothing To Do With Each Other, But Confusion Arises Because Of The Naming Conventions.
Hp Procurve Configuration Details Will Be Provided For The Console Configuration Mode. Aside From Enabling Vlan Support As A Whole, Vlan Definitions And Configuration Are Created In The Same Place So The Rest Of The Configuration Examples Will Be Provided Under The VLAN Configuration Topic.
HP VLAN CONFIGURATION
Hp Has Defined Its Interface Ports By Using A Module/Port Convention. If Someone Has A Non-Modular Chassis (Such As The 3448cl), Then Ports Are Numbered Only With Numbers, Such As 1 Or 36. If The Chassis Is Modular (Such As The 5308) Then The Port’s Number Is Prepended With The Module Slot, Such As A1 Or H6. No Reference To The Type Of Switch Port (Ethernet, Fast Ethernet, Gigabit Ethernet) Is Used For Port Reference.
Step 1 – > Log Into The Switch And Get Into Manager Mode. If After Logging In The User Ends Up In The Configuration Menu, Exit The Menu By Selecting Item 5 (In Most Cases) Or By Using The Arrow Keys On The Keyboard To Highlight The "Command Line (CLI)" Item.
Step 2 – > Enter "config t" To Get Into Terminal Configuration Mode.
Step 3 – > Enter "vlan X", Where X Is The VLAN ID Of The VLAN To Be Created.
Step 4 – > Name The VLAN By Entering "name NAME", Where NAME Is A Text String From 1 To 32 Characters (12 Characters If The Configuration Menu Display Is Important). Put The Name In Quotes (Required If It Contains Spaces).
Step 5 – > This Step Is Optional. Give The VLAN An IP Address By Entering "ip address ADDRESS MASK", Where ADDRESS Is The IP Address Assigned To This Switch In That Subnet And MASK Is The Network Mask Of The Subnet. Only Do This For VLANs On Which The Switch Itself Must Be Reachable; Every Address Added Exposes The Switch's Management Interface To One More VLAN.
Step 6 – > This Step Is Optional. To Assign End-Node Ports To The VLAN, Enter "untagged PORTLIST", Where PORTLIST Is A List Of Ports, Comma Delimited If They Are Non-Sequential Or Using A Dash Between The First And Last Port If They Are Sequential. An Example Of This Is "untagged 1,3,5,7-16". This Would Configure Ports 1, 3, 5, And 7 Through 16 To Be Untagged On That VLAN. A Port Can Be Untagged In Only One VLAN, So This Also Removes Those Ports From The Untagged List Of Whatever VLAN They Were In Before (Usually DEFAULT_VLAN).
Step 7 – > This Step Is Optional. To Assign VLAN Trunk Ports To The VLAN, Enter "tagged PORTLIST", Where PORTLIST Uses The Same Comma And Dash Notation. An Example Of This Is "tagged 23-24". This Would Configure Ports 23 And 24 To Carry That VLAN With 802.1Q Tags.
Step 8 – > Enter "exit" To Leave VLAN Configuration Mode.
Step 9 – > Exit Configuration Mode By Entering "exit" Again.
Step 10 – > Save The Configuration By Entering "write memory".
Note: The HP ProCurve VLAN Is Now Successfully Configured. Check It With "show vlans" And "show vlans X".
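The Procedure Above Has One Behaviour That Is Easy To Miss When VLANs Are Typed In One After Another: A ProCurve Port Can Be Untagged In Only One VLAN, So Each New "untagged" Line Silently Moves Ports Out Of The VLAN They Were In Before, And Whatever Is Never Moved Stays Untagged In DEFAULT_VLAN. The Following Python Script Is An Added Example Written For This Article, Not HP Code And Not Part Of The Original Page. It Expands ProCurve Port Lists (Including The Module/Port Form Such As A1-A4), Replays A Set Of VLAN Definitions In Order, And Reports Both The Silent Moves And The Ports Left Only On VLAN 1. The VLAN Names, IDs And Port Lists In SAMPLE_VLANS Are Constructed For The Example.

```python
import re
from collections import defaultdict

# Constructed example of what the procedure above produces on a 24-port
# non-modular chassis. Not a capture from a real switch: VLAN names, IDs and
# port lists are assumptions chosen to show the untagged/tagged behaviour.
SAMPLE_VLANS = {
    1:  {"name": "DEFAULT_VLAN", "untagged": "1-24",       "tagged": ""},
    10: {"name": "USERS",        "untagged": "1,3,5,7-16", "tagged": "23-24"},
    20: {"name": "SERVERS",      "untagged": "17-20",      "tagged": "23,24"},
    30: {"name": "MGMT",         "untagged": "",           "tagged": "24"},
}

# One port name: optional module letter (modular chassis, e.g. A1) plus a number.
PORT_RE = re.compile(r"^([A-Za-z]?)(\d+)$")


def port_key(port):
    """Sort key so that '2' < '10' and 'A1' < 'B1'."""
    module, number = PORT_RE.match(port).groups()
    return (module, int(number))


def expand_ports(spec):
    """Expand a ProCurve port list ('1,3,5,7-16' or 'A1-A4,B2') into port names."""
    ports = []
    for item in filter(None, (s.strip() for s in spec.split(","))):
        lo, _, hi = item.partition("-")
        m_lo = PORT_RE.match(lo)
        m_hi = PORT_RE.match(hi or lo)
        if not (m_lo and m_hi):
            raise ValueError(f"bad port spec {item!r}")
        if m_lo.group(1).upper() != m_hi.group(1).upper():
            raise ValueError(f"range {item!r} crosses module slots")
        module = m_lo.group(1).upper()
        for n in range(int(m_lo.group(2)), int(m_hi.group(2)) + 1):
            ports.append(f"{module}{n}")
    return ports


def apply_in_order(vlans):
    """Replay the VLAN definitions in the order they would be typed.

    A ProCurve port is untagged in at most one VLAN: a later 'untagged'
    assignment silently moves the port out of its previous VLAN. Returns
    (untagged_in, tagged_in, moves), where moves records each such move."""
    untagged_in = {}               # port -> VLAN it is currently untagged in
    tagged_in = defaultdict(set)   # port -> VLANs it is tagged in
    moves = []                     # (port, from_vid, to_vid)
    for vid, vlan in vlans.items():
        for port in expand_ports(vlan["untagged"]):
            previous = untagged_in.get(port)
            if previous is not None and previous != vid:
                moves.append((port, previous, vid))
            untagged_in[port] = vid
            tagged_in[port].discard(vid)   # untagged replaces tagged in the same VLAN
        for port in expand_ports(vlan["tagged"]):
            if untagged_in.get(port) == vid:
                raise ValueError(f"port {port} is both untagged and tagged in VLAN {vid}")
            tagged_in[port].add(vid)
    return untagged_in, dict(tagged_in), moves


def audit(vlans, default_vid=1):
    """Report silent port moves and ports left only on the default VLAN."""
    untagged_in, tagged_in, moves = apply_in_order(vlans)
    findings = [f"port {p} moved from untagged VLAN {a} to VLAN {b}" for p, a, b in moves]
    for port in sorted(untagged_in, key=port_key):
        if untagged_in[port] == default_vid and not tagged_in.get(port):
            findings.append(f"port {port} is still only untagged in VLAN {default_vid} "
                            f"({vlans[default_vid]['name']}); move it or disable it")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_VLANS):
        print(line)
```

Run Stand-Alone, The Script Lists The 17 Ports That VLANs 10 And 20 Pull Out Of DEFAULT_VLAN And The Five Ports (2, 4, 6, 21, 22) That Nobody Assigned, Which Are The Ones To Disable Or Move Before The Switch Goes Into Production. Ports 23 And 24 Are Not Reported Because They Carry Tagged VLANs, Even Though Their Untagged (Native) VLAN Is Still 1; Whether That Is Acceptable Is The Same Decision As Choosing A Native VLAN On A Cisco Trunk.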
CISCO VLAN CONFIGURATION EXAMPLES
CONFIGURING VLANS AND TRUNKS :
CREATE VLANs STEPS :
1. Create VLANs
2. Assign Ports To VLANs
3. Verify VLAN Config
4. Enable Trunking On Inter-Switch And Switch-Router Links
5. Verify Trunk Configs
VERIFYING VLAN :
Switch1#show vlan
Switch1#show vlan brief
Switch1#show vlan name NAME
Switch1#show vlan summary
Switch1#show interfaces vlan N
Switch1#show interfaces X/X (Append "switchport" To See The Port's Access/Trunk Mode, Native VLAN And Allowed VLANs, Or Use "show interfaces trunk" To List Every Active Trunk At Once)
Switch1#show vtp status
MANAGING PORT MEMBERSHIP :
To Reassign A Port To VLAN 1:
Switch1(config-if)#no switchport access vlan 10
This Removes The Port From VLAN 10 (It Falls Back To VLAN 1) But Does Not Delete The VLAN. A Static Access Port Can Belong To Only One VLAN.
To Change VLAN Membership, Just Reassign The VLAN With:
Switch1(config-if)#switchport access vlan N
DELETING VLANS:
Switch(config)#no vlan VLAN-ID
To Delete The Entire VLAN Database, Use:
Switch#delete flash:vlan.dat
Before Deleting A VLAN, First Reassign All Member Ports!
Any Port Not Moved To An Active VLAN Is Unable To Communicate With Other Stations After You Delete The VLAN: The Port Keeps Pointing At The Deleted VLAN ID And Goes Inactive Until It Is Reassigned.
CONFIGURING TRUNKING :
Switch(config-if)#switchport mode trunk
The Interface Changes To Permanent Trunking Mode And Uses DTP To Negotiate The Link Into A Trunk With Its Neighbor. To Specify A Native VLAN Other Than 1:
Switch(config-if)#switchport trunk native vlan N
To Allow Only A Limited Number Of VLANs On The Trunk, Use:
Switch(config-if)#switchport trunk allowed vlan add N
("add" Appends To The Current List; Use "switchport trunk allowed vlan N,M" Without "add" To Replace The List Outright.)
To Reset The Allowed VLANs And The Native VLAN To Their Defaults:
Switch(config-if)#no switchport trunk allowed vlan
Switch(config-if)#no switchport trunk native vlan
Security Note: A Port Left In Its Default Dynamic Mode Will Form A Trunk With Any Attached Device That Sends DTP Frames, Which Gives That Device Access To Every Allowed VLAN. Set End-Node Ports To "switchport mode access", Disable DTP On Real Trunks With "switchport nonegotiate", Prune The Allowed List, And Do Not Use VLAN 1 As The Native VLAN.
PROBLEMS WITH TRUNKS :
Native VLAN Mismatches – > Both Ends Of A Trunk Must Use The Same Native VLAN; Otherwise Untagged Frames Arrive In A Different VLAN On Each Side (CDP Reports This As A Native VLAN Mismatch).
Trunk Mode Mismatches – > One End Set To Trunk While The Other Stays In Access Mode, Or Both Ends Left At Dynamic Auto, Which Never Forms A Trunk.
Allowed VLANs On Trunks – > A VLAN Pruned From The Allowed List On One End But Not The Other Is Carried One Way Only; Check Both Ends With "show interfaces trunk".
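The Three Trunk Problems Just Listed, And The Port-Membership Steps Earlier In The Article, Are All Checked By Reading The Running-Config Of Both Switches And Comparing The Two Ends Of Each Link. The Python Script Below Is An Added Example Written For This Article, Not Cisco Code And Not Part Of The Original Page. It Parses The "interface" Stanzas Of A Running-Config, Works Out Whether Each End Of A Link Will Actually Trunk Under DTP, And Then Reports Native VLAN, Trunk Mode And Allowed VLAN Mismatches Plus The Per-Port Hardening Points (DTP Left On, Native VLAN 1, Unpruned Allowed List). The Two Configs SWITCH_A And SWITCH_B Are Constructed Samples; Treating An Unset Mode As "dynamic auto" Is An Assumption That Matches Newer Catalyst Defaults.

```python
# Constructed interface stanzas in Cisco IOS running-config format, one per
# switch. Interface names and VLAN numbers are assumptions for this example.
SWITCH_A = """
interface GigabitEthernet0/1
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,30
 switchport mode trunk
 switchport nonegotiate
!
interface GigabitEthernet0/2
 switchport mode trunk
!
interface FastEthernet0/6
 switchport access vlan 10
!
"""
SWITCH_B = """
interface GigabitEthernet0/1
 switchport trunk native vlan 1
 switchport trunk allowed vlan 10,20
 switchport mode trunk
!
"""
ALL_VLANS = frozenset(range(1, 4095))   # what an unpruned trunk carries


def expand_vlans(spec):
    """'10,20,30-32' -> {10,20,30,31,32}; 'all' -> None (add/remove/except not modelled)."""
    spec = spec.strip()
    if spec == "all":
        return None
    vids = set()
    for item in spec.replace(" ", "").split(","):
        lo, _, hi = item.partition("-")
        vids.update(range(int(lo), int(hi or lo) + 1))
    return vids


def parse_interfaces(config):
    """Return {interface name: settings}, starting from the IOS defaults."""
    ifaces, cur = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            cur = {"mode": None, "native": 1, "allowed": None, "nonegotiate": False}
            ifaces[line.split(None, 1)[1]] = cur
        elif line == "!":
            cur = None
        elif cur is None:
            continue
        elif line.startswith("switchport mode "):
            cur["mode"] = line[len("switchport mode "):]
        elif line.startswith("switchport trunk native vlan "):
            cur["native"] = int(line.rsplit(None, 1)[1])
        elif line.startswith("switchport trunk allowed vlan "):
            cur["allowed"] = expand_vlans(line[len("switchport trunk allowed vlan "):])
        elif line == "switchport nonegotiate":
            cur["nonegotiate"] = True
    return ifaces


def trunks(this, other):
    """Does this end become a trunk under DTP, given the other end's settings?
    Unset mode is taken as 'dynamic auto' (assumption: newer Catalyst default;
    older models default to 'dynamic desirable', which is worse)."""
    mode = this["mode"] or "dynamic auto"
    other_mode = other["mode"] or "dynamic auto"
    if mode == "trunk":
        return True
    if mode == "access":
        return False
    # the other end only proposes a trunk if DTP is still running there
    if not other["nonegotiate"] and other_mode in ("trunk", "dynamic desirable"):
        return True
    return mode == "dynamic desirable" and other_mode == "dynamic auto"


def audit_link(a, b):
    """The three trunk problems listed above, checked across both ends of a link."""
    trunk_a, trunk_b = trunks(a, b), trunks(b, a)
    if trunk_a != trunk_b:
        return ["TRUNK-MODE-MISMATCH: one end trunks, the other stays in access mode"]
    out = []
    if trunk_a and a["native"] != b["native"]:
        out.append(f"NATIVE-MISMATCH: {a['native']} != {b['native']}")
    allowed_a = ALL_VLANS if a["allowed"] is None else a["allowed"]
    allowed_b = ALL_VLANS if b["allowed"] is None else b["allowed"]
    if trunk_a and allowed_a != allowed_b:
        out.append(f"ALLOWED-MISMATCH: only-a={sorted(allowed_a - allowed_b)} "
                   f"only-b={sorted(allowed_b - allowed_a)}")
    return out


def audit_port(name, p):
    """Per-port hardening checks on one switch."""
    out = []
    if p["mode"] is None:
        out.append(f"{name}: no switchport mode set, DTP will negotiate with whatever is plugged in")
    elif p["mode"] == "trunk":
        if p["native"] == 1:
            out.append(f"{name}: native VLAN is 1")
        if p["allowed"] is None:
            out.append(f"{name}: allowed VLAN list not pruned, every VLAN crosses this trunk")
        if not p["nonegotiate"]:
            out.append(f"{name}: DTP still enabled, add 'switchport nonegotiate'")
    return out


if __name__ == "__main__":
    sw_a, sw_b = parse_interfaces(SWITCH_A), parse_interfaces(SWITCH_B)
    print([f for n, p in sw_a.items() for f in audit_port(n, p)])
    print(audit_link(sw_a["GigabitEthernet0/1"], sw_b["GigabitEthernet0/1"]))
```

On The Sample Configs The Link Between The Two Gi0/1 Ports Reports A Native VLAN Mismatch (999 Versus 1) And That VLAN 30 Is Allowed On Switch A Only. The Unfinished Port Fa0/6, Which Has An Access VLAN But No "switchport mode access", Is The Interesting One: Against Switch B's Gi0/1 It Would Trunk, Because That Port Still Runs DTP, While Against Switch A's Gi0/1 (Which Has "switchport nonegotiate") It Stays In Access Mode And The Link Shows Up As A Trunk Mode Mismatch. That Is Exactly Why Every End-Node Port Needs Its Mode Set Explicitly.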
CISCO VLAN CONFIGURATION EXAMPLES - 1
Switch#show vtp status - > Shows The VTP Mode, Domain And Revision Before Any VLAN Is Created
Switch#show vlan - > Shows All The VLANs Configured
Switch#config t - > Enters Configuration Mode; When All Configuration Is Completed, Enter Either Ctrl-Z Or "end" To Return To Privileged EXEC Mode
Switch(config)#vlan 10
Switch(config-vlan)#name vlan10 - > Creates VLAN 10 And Names It vlan10
Switch(config-vlan)#int fa0/1
Switch(config-if)#switchport mode access
Switch(config-if)#switchport access vlan 10 - > Sets Port Fa0/1 Into VLAN 10
Switch(config-if)#int fa0/2
Switch(config-if)#switchport mode access
Switch(config-if)#switchport access vlan 10
Switch(config-if)#int fa0/3
Switch(config-if)#switchport mode access
Switch(config-if)#switchport access vlan 10 - > At This Point, VLAN 10 Has 3 Members, I.E., Fa0/1, Fa0/2 And Fa0/3
Switch(config-if)#vlan 20
Switch(config-vlan)#name vlan20 - > Creates VLAN 20 And Names It vlan20
Switch(config-vlan)#int fa0/5
Switch(config-if)#switchport mode access
Switch(config-if)#switchport access vlan 20
Switch(config-if)#int fa0/6
Switch(config-if)#switchport mode access
Switch(config-if)#switchport access vlan 20
Switch(config-if)#int fa0/7
Switch(config-if)#switchport mode access
Switch(config-if)#switchport access vlan 20
Switch(config-if)#int fa0/8
Switch(config-if)#switchport mode access
Switch(config-if)#switchport access vlan 20 - > At This Point, VLAN 20 Has 4 Members, I.E., Fa0/5, Fa0/6, Fa0/7 And Fa0/8
Switch(config-if)#int gi0/2
Switch(config-if)#switchport mode trunk - > Puts Port Gi0/2 Into Permanent Trunking Mode
Switch(config-if)#switchport trunk allowed vlan 10,20 - > Carries Only VLAN 10 And VLAN 20 Over The Trunk (A Trunk Port Ignores "switchport access vlan", So The Trunk Is Shaped With The Allowed List, Not With An Access VLAN)
Switch(config-if)#end - > Or Ctrl-Z; Returns To Privileged Mode
Switch#write memory - > Or "copy running-config startup-config"
For More About - > CISCO - CONFIGURING VLANS
CONCLUSION:
The Goal Of This Article Is To Give An Easy Way To Understand "CISCO - VLAN CONFIGURATION". Hopefully This Article Will Help Every Beginner Who Is Going To Start Cisco Lab Practice Without Any Doubts.
Some Topics That You Might Want To Pursue On Your Own That We Did Not Cover In This Article Are Listed Here. Thank You And Best Of Luck.
This Article Was Written By: Premakumar Thevathasan. CCNA, CCNP, CCIP, MCSE, MCSA, MCSA - MSG, CIW Security Analyst, CompTIA Certified A+.