NET 224: Advanced Routers and Routing

Chapter 8: Virtual LANs (VLANs)


This chapter introduces concepts specific to VLANs:

  1. Configuring switches for VLANs
  2. Setting up a LAN
  3. Custom switch configurations
  4. Troubleshooting

Quick quiz: what does the text remind us about again at the start of this chapter?

Switches are used to break up collision domains, and routers are used to break up broadcast domains.

The chapter tells us that a network that contains only one broadcast domain can be called a flat network. You have better throughput by using switches instead of hubs, but switches alone do nothing for creating more broadcast domains. Why do we want more broadcast domains? To keep broadcasts away from hosts that don't need to be bothered by them. The solution proposed by this chapter: Virtual LANs. VLANs are logical subdivisions of a network, and you can make them using switches. Creating VLANs can allow you to separate users who would otherwise be in the same LAN, without having to separate them with routers. You are going to use switches anyway, so this approach does not lead to greater expense.

Switches increase the number of collision domains in your network, but they do not increase broadcast domains, unless you implement VLANs. Doing so will make the network more efficient, in that broadcasts can be limited to the audiences they are intended for.

The text seems to treat routers lightly at this stage. Its point is that if a router is the only device enforcing security, the LANs behind it are not themselves secured: any two hosts on the same flat LAN can reach each other without the router ever seeing the traffic. With VLANs you control which VLAN each port on a switch belongs to, so the switch itself limits who can reach whom at Layer 2. Before you adopt this as a general principle, however, realize that not all LANs are locked down to this degree. It is sometimes reasonable to allow some flexibility, and to use other, simpler means to keep intruders off your network.

The text tells us that hosts on one VLAN, by default, are not able to communicate with hosts on another VLAN, even though they are all plugged into the same switch. This applies to all Layer 2 traffic, not only to broadcasts: the switch will not forward a frame from a port in one VLAN to a port in another, so a host has no Layer 2 path to a host on a different VLAN. The text warns us that some applications use broadcasts extensively, so confining those applications to one VLAN minimizes the burden on the rest of the network. To communicate from one VLAN to another, you place a router on the network that has an interface (or subinterface) in each VLAN, configured to permit the traffic you want between them.

A complementary fact: hosts whose ports are on the same VLAN can communicate with each other, regardless of which switch they are actually plugged in to, provided the switches are joined by trunk links that carry that VLAN.

In the examples in the text, the author describes creating a series of VLANs that he numbers 2 through 7. Some facts are helpful in understanding his numbers and his illustration:

  • By default, all ports on a switch are members of VLAN 1 until they are changed to a different VLAN.
  • Cisco recommends that VLAN 1 be used as an administrative VLAN. Users should not be assigned to this VLAN once VLANs are enabled. VLAN 1 cannot be deleted or renamed.
  • On an IP network, each VLAN must have its own subnet number. On an IPX network, each VLAN must have its own network number.
  • To pass traffic from one VLAN to another, traffic must pass through a router.

VLANs can be static or dynamic:

  • In a static VLAN, the administrator of a network assigns each port on each switch to a VLAN. This works best when users do not typically move around the physical environment.
  • In a dynamic VLAN, a database can be created with the MAC addresses of all hosts, and the VLAN that each host should be assigned to. Network management software then assigns the host's port to a VLAN. This puts the host on the right VLAN regardless of where it physically connects to the network. A Cisco product that does this assignment is the VLAN Management Policy Server (VMPS).

The text describes two kinds of links (ports) on switches in VLAN networks:

  • access link - a link that belongs to only one VLAN. The text calls that VLAN the native VLAN of the port; on Cisco switches it is more often called the port's access VLAN, since "native VLAN" is also the term for the one VLAN an 802.1Q trunk carries untagged.
    • Frames sent by a switch to a device through an access link have the VLAN information removed, so the attached device sees ordinary Ethernet frames and is unaware that VLANs exist.
    • Access links carry information for one VLAN only.
  • trunk link - a link that carries multiple VLANs. Ports that link switches to switches, switches to routers, and switches to servers that must be reachable from several VLANs should be trunk links.
    • A trunk link is a point-to-point connection, typically running at 100Mbps or 1Gbps, and it can carry traffic for up to 1005 VLANs.
    • If a link between two switches is not a trunk link, it is an access link and carries only the VLAN it is assigned to, which is VLAN 1 (the default VLAN) unless the port has been moved.
    • A link between two switches that is a trunk link carries information for all VLANs by default. An administrator can limit which VLANs are carried on a trunk link.

As you might imagine, frames in a VLAN environment need to carry information about which VLAN the frame is meant for. Otherwise the switches could not decide whether to pass the frame to the next switch, or to a host on that switch. This information is called a frame tag, a VLAN ID, or a color. In the image below, I have used colors to illustrate the idea. The two boxes are switches. Each host is using an access link to its switch, and I have indicated two VLANs with light blue and light red patch cables. The green line between the two switches symbolizes a trunk link between them.

If a frame is sent from the host on the upper left to the host just to the right, the blue switch associates that frame with the light red VLAN, because it arrived on a light red access port. (Both sender and receiver are on the light red VLAN, and are connected to the blue switch.) The blue switch notes that the addressee is a host connected to it, on the same VLAN as the sender, and delivers the frame to the addressee as an ordinary untagged frame.

If the same host sends a frame to the host at the upper right of the image, it is still sending to another host on the light red VLAN. However, when the blue switch receives the frame, it notes that the addressee is not connected to it. The frame is sent across the trunk link to the red switch with a VLAN tag added that identifies the light red VLAN. The red switch receives the frame, reads the tag, and notes that it is addressed to a host connected to it with an access link. The switch confirms that the access port is on the same VLAN as the tag says, removes the tag, and delivers the frame to the addressee. Had the addressee's port been on the light blue VLAN, the frame would simply have been dropped.

The text uses a new phrase in this section: switch fabric. The author means all the interconnected communication paths between all the switches in his network. You might think of it as many "threads", woven back and forth through the network, making a fabric. (It's a metaphor; don't stretch it too far.)
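The following Python is an added example, not code from the chapter or its author. It models the two cases just described with an 802.1Q-style tag: the tag is built and inserted when a frame crosses the trunk, stripped before delivery on an access link, and a frame is never handed to a port in a different VLAN. The switch names, port names, MAC addresses and VLAN numbers (2 for light red, 3 for light blue) are constructed for the demonstration; the text itself does not assign numbers to the colors.

```python
"""Added example, not from the chapter: a small model of 802.1Q tagging on
access and trunk links between two switches. Hosts, ports, MAC addresses and
VLAN numbers are constructed for the demonstration."""
import struct

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag


def tag_frame(frame: bytes, vlan_id: int, priority: int = 0) -> bytes:
    """Insert the 4-byte 802.1Q tag after the destination and source MACs:
    TPID 0x8100, then 3-bit priority, 1-bit DEI (0 here) and a 12-bit VLAN ID."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be between 1 and 4094")
    tci = ((priority & 0x7) << 13) | (vlan_id & 0xFFF)
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def untag_frame(frame: bytes):
    """Return (vlan_id, frame_without_tag); vlan_id is None when there is no tag."""
    if len(frame) >= 16 and struct.unpack("!H", frame[12:14])[0] == TPID_8021Q:
        tci = struct.unpack("!H", frame[14:16])[0]
        return tci & 0xFFF, frame[:12] + frame[16:]
    return None, frame


class Switch:
    """ports maps a port name to ("access", vlan) or ("trunk", {allowed vlans})."""

    def __init__(self, name: str, ports: dict):
        self.name, self.ports = name, ports
        self.mac_table: dict = {}      # learned MAC -> port
        self.links: dict = {}          # trunk port -> (peer switch, peer port)
        self.delivered: list = []      # (port, vlan, untagged frame) handed to hosts
        self.trunk_in: list = []       # tagged frames received on trunk ports

    def receive(self, in_port: str, frame: bytes) -> None:
        kind, cfg = self.ports[in_port]
        vid, plain = untag_frame(frame)
        if kind == "access":
            if vid is not None:        # tagged frame on an access link: drop it
                return
            vid = cfg                  # the frame belongs to the access port's VLAN
        else:
            self.trunk_in.append(frame)
            if vid is None or vid not in cfg:
                return                 # untagged, or a VLAN this trunk does not carry
        self.mac_table[plain[6:12]] = in_port        # learn the source MAC
        known = self.mac_table.get(plain[:6])
        for port in ([known] if known else [p for p in self.ports if p != in_port]):
            self._send(port, vid, plain)

    def _send(self, port: str, vid: int, plain: bytes) -> None:
        kind, cfg = self.ports[port]
        if kind == "access":
            if cfg == vid:             # a port in another VLAN never sees the frame
                self.delivered.append((port, vid, plain))   # tag already removed
        elif vid in cfg and port in self.links:
            peer, peer_port = self.links[port]
            peer.receive(peer_port, tag_frame(plain, vid))  # tag travels on the trunk


def build_fabric():
    """Two switches joined by a trunk; VLAN 2 is 'light red', VLAN 3 'light blue'."""
    blue = Switch("blue", {"e1": ("access", 2), "e2": ("access", 2),
                           "e3": ("access", 3), "t1": ("trunk", {2, 3})})
    red = Switch("red", {"e1": ("access", 2), "e2": ("access", 3),
                         "t1": ("trunk", {2, 3})})
    blue.links["t1"], red.links["t1"] = (red, "t1"), (blue, "t1")
    return blue, red


def host_mac(n: int) -> bytes:
    return bytes([0x02, 0, 0, 0, 0, n])   # constructed, locally administered address


def ether(dst: bytes, src: bytes, payload: bytes = b"\x08\x00demo") -> bytes:
    return dst + src + payload


def run_demo() -> dict:
    """Replay the forwarding cases from the text and report what each switch did."""
    blue, red = build_fabric()
    h1, h2, h3, h4 = (host_mac(n) for n in (1, 2, 3, 4))
    # assume the hosts have already been heard from, so the MAC tables are populated
    blue.mac_table.update({h1: "e1", h2: "e2", h3: "e3", h4: "t1"})
    red.mac_table.update({h4: "e1", h1: "t1"})
    out = {}
    blue.receive("e1", ether(h2, h1))                   # same switch, same VLAN
    out["local"] = ([p for p, _, _ in blue.delivered], len(red.trunk_in))
    blue.receive("e1", ether(h4, h1))                   # other switch, same VLAN
    vid, _ = untag_frame(red.trunk_in[-1])
    out["remote"] = (vid, [p for p, _, _ in red.delivered])
    n = len(blue.delivered) + len(red.delivered)
    blue.receive("e1", ether(h3, h1))                   # same switch, other VLAN
    out["other_vlan_deliveries"] = len(blue.delivered) + len(red.delivered) - n
    return out
```

Calling run_demo() shows the local case delivered on blue e2 with nothing crossing the trunk, the remote case arriving at the red switch with VLAN ID 2 in its tag and delivered untagged on red e1, and the cross-VLAN case delivering nothing at all. A real switch also floods frames for unknown destinations; the demo pre-fills the MAC tables so that each case is deterministic.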

The text moves on to describe methods and protocols used for VLAN tagging:

  • Inter-Switch Link (ISL) - This method is proprietary to Cisco switches (Catalyst series). You may use it if your devices are all from Cisco. It can be used on switch ports, router interfaces, and server interfaces. This method uses encapsulation: an ISL wrapper is placed around each frame only when it is passed across a trunk link, and is removed before the frame is passed across an access link. (In addition to being a method, this is also the name of a protocol.)
  • IEEE 802.1Q - This method is not proprietary to Cisco devices. It allows us to connect Cisco devices to non-Cisco devices. Use this method in a mixed environment. Rather than wrapping the frame, this method inserts a 4-byte 802.1Q tag into the Ethernet header of each frame sent on a trunk; the tag carries a 12-bit VLAN ID.
  • VLAN Trunking Protocol (VTP) - Despite the name, this is not a way of tagging frames; it is a Cisco-proprietary protocol for managing VLANs across many switches. One switch acts as the VTP server and holds the VLAN database (the VLAN numbers and names), and the other switches in the same VTP domain learn that database from it, so you create each VLAN once instead of on every switch. VTP advertisements are carried across trunk links, whichever encapsulation (ISL or 802.1Q) the trunk uses. Switches in a VTP environment must be in a common domain, otherwise they do not exchange VTP information.
    VTP switches send advertisements to a multicast address shared by other switches.
    • summary advertisements - sent by switches every five minutes, and again whenever a change is made, to state the configuration revision number of the VTP domain configuration that switch is using
    • subset advertisements - the actual changes to the VTP domain (the VLANs added, deleted or renamed)
    • advertisement request - a request sent by a switch to get the current changes, for example after it has heard a summary advertisement with a higher revision number than its own

Under VTP, switches can operate in three modes:

  • Server - noted above, a switch that is used to manage your environment. A server is used to create, add, and delete VLANs. Servers save their VLAN information in NVRAM.
  • Client - clients can send and receive updates, but they cannot be used to make changes. Clients do not save VLAN information in Nonvolatile RAM. A client can be changed into a server. The text recommends adding a new switch as a client first, and only then making it a server, so that it holds a copy of the existing VLAN database before it advertises anything. The reason is the configuration revision number carried in every summary advertisement: when databases differ, the switch with the higher revision number wins, whatever its mode, so a switch that arrives with a stale database and a higher revision number than the domain overwrites the VLAN database on every other switch. Check the revision number with show vtp status before connecting a switch that has been used elsewhere, and reset it (by changing the VTP domain name, or by setting the switch to transparent mode and back) if it is not zero.
  • Transparent - transparent mode switches receive VTP advertisements and forward them to other switches, but do not apply them to their own VLAN database and do not advertise their own. They are not part of the VTP environment; their VLANs are configured locally and saved in NVRAM. You might think of them as repeaters that pass network information to devices that need it.
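To see how the three modes and the revision number interact, here is an added Python model (not from the chapter or from Cisco) of servers, clients and transparent switches exchanging summary advertisements. The acceptance rule, the three modes and the transparent switch's behaviour follow the text; the switch names, the domain name "campus" and the VLAN numbers are constructed, and passwords, VTP versions and subset advertisements are omitted.

```python
"""Added example, not from the chapter: a toy model of VTP servers, clients and
transparent switches exchanging summary advertisements. It keeps only the rule
that matters most in practice: a switch adopts an advertised VLAN database for
its own domain when the advertised configuration revision number is higher than
its own. Switch names, the domain name and the VLAN numbers are constructed;
passwords, VTP versions and subset advertisements are left out."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class VtpSwitch:
    name: str
    mode: str                                   # "server", "client" or "transparent"
    domain: str
    revision: int = 0
    vlans: dict = field(default_factory=lambda: {1: "default"})

    def add_vlan(self, number: int, vname: str) -> bool:
        """Clients cannot change VLANs; servers bump the revision on every change.
        Transparent switches change only their local database."""
        if self.mode == "client":
            return False
        self.vlans[number] = vname
        if self.mode == "server":
            self.revision += 1
        return True

    def reset_revision(self) -> None:
        """Models what changing the domain name (or going transparent and back)
        does on a Cisco switch: the configuration revision returns to 0."""
        self.revision = 0

    def summary_advertisement(self) -> Optional[dict]:
        """Servers and clients both advertise; transparent switches only forward."""
        if self.mode == "transparent":
            return None
        return {"from": self.name, "domain": self.domain,
                "revision": self.revision, "vlans": dict(self.vlans)}

    def receive(self, adv: dict) -> bool:
        """Adopt a newer database for our domain. The sender's mode is never
        checked, which is why a client with a stale but high revision can
        overwrite every server in the domain."""
        if self.mode == "transparent" or adv["domain"] != self.domain:
            return False
        if adv["revision"] <= self.revision:
            return False
        self.revision, self.vlans = adv["revision"], dict(adv["vlans"])
        return True


def sync(switches) -> None:
    """One round of advertisements: every switch hears every other switch."""
    advs = [a for a in (s.summary_advertisement() for s in switches) if a]
    for s in switches:
        for adv in advs:
            if adv["from"] != s.name:
                s.receive(adv)


def build_domain():
    """A server that created VLANs 2 through 7, a client and a transparent switch."""
    s1 = VtpSwitch("S1", "server", "campus")
    for n in range(2, 8):
        s1.add_vlan(n, f"vlan{n}")
    c1 = VtpSwitch("C1", "client", "campus")
    t1 = VtpSwitch("T1", "transparent", "campus")
    sync([s1, c1, t1])
    return s1, c1, t1


def run_demo() -> dict:
    out = {}
    s1, c1, t1 = build_domain()
    out["client_learned"] = (sorted(c1.vlans), c1.revision)
    out["client_cannot_add"] = not c1.add_vlan(50, "sales")
    out["transparent_untouched"] = sorted(t1.vlans)
    # a lab switch that once served this domain arrives as a client at revision 20
    lab = VtpSwitch("LAB", "client", "campus", 20, {1: "default", 99: "lab"})
    sync([s1, c1, t1, lab])
    out["after_stale_client"] = (sorted(s1.vlans), s1.revision)
    # the same arrival, but with its revision reset before it is connected
    s1, c1, t1 = build_domain()
    lab = VtpSwitch("LAB", "client", "campus", 20, {1: "default", 99: "lab"})
    lab.reset_revision()
    sync([s1, c1, t1, lab])
    out["after_reset_client"] = (sorted(s1.vlans), sorted(lab.vlans))
    return out
```

In the first arrival the stale client's revision 20 beats the server's revision 6, and VLANs 2 through 7 vanish from the server and the client alike while the transparent switch is untouched. In the second, the reset client starts at revision 0, learns the domain's database, and nothing else changes.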

VTP pruning reduces the traffic carried on trunk links. Without it, a broadcast (or any flooded frame) in a VLAN is sent across every trunk, including trunks to switches that have no ports in that VLAN. Pruning stops a VLAN's flooded traffic from being sent over a trunk to a switch that has no ports in that VLAN. Oddly, this feature is not turned on by default. It cannot be turned on for VLAN 1; VLANs 2 through 1001 are pruning-eligible, while 1002 through 1005 are reserved default VLANs and are never pruned.

The text returns to the idea of using routers to connect your VLANs. Remember that even though they are virtual, VLANs are separate networks, so you need routers to connect them together.

  • The simple method recommended by the text is to use Cisco 2600 (or later) routers, because they support ISL routing. Earlier models do not support ISL routing. This way you can connect the switches together, and have only one (trunk) connection to your router, creating what the text calls a "router on a stick". (You could also use 802.1Q trunking, instead of ISL.)
  • Alternatively, you could connect a router to each VLAN, and connect the routers; or connect each VLAN to a different interface on as many routers as needed, and connect them.

You begin creating VLANs by giving them numbers and names. VLAN 1 already exists as the default VLAN and cannot be deleted or renamed, so begin a series of VLANs with VLAN 2.

Back to switches. On a Catalyst 1900 switch, enter configuration mode, and issue the command:
vlan number name its_name
where number is the VLAN's number and its_name is the VLAN's name.

This command creates a VLAN, but does not move any ports into it. All ports are in VLAN 1, by default, until you move them into other VLANs.

On a 2950 switch, naming the VLAN is optional, so the command is shorter:
vlan number
If you want to give the VLAN a name, do so on a second line:
vlan number
name its_name

To display the VLANs, use the command show vlan or show vlan brief.

Placing ports on a VLAN is done one way on a 1900 and another way on a 2950:

  1900:
    int name_of_interface
    vlan-membership static number      (static assignment; vlan-membership dynamic lets VMPS choose the VLAN instead)

  2950:
    int name_of_interface
    switchport access vlan number

Trunk ports must be further configured. A 1900 only uses ISL encapsulation; a 2950 only uses 802.1Q encapsulation, so the commands differ:

  1900:
    int name_of_interface
    trunk option
  where option can be one of several values:
    on - becomes a trunk port
    off - ceases to be a trunk port
    auto - becomes a trunk port if connected to a device set to on or desirable
    desirable - will negotiate a trunk link if the connected device is set to auto, on, negotiate, or nonegotiate
    nonegotiate - will be a trunk port regardless of what is connected

  2950:
    int name_of_interface
    switchport mode option
  where option can be one of two values:
    trunk - becomes a trunk port
    access - becomes an access port

A caveat the text does not stress: auto and desirable leave the decision to whatever is plugged into the port. A host on such a port can negotiate a trunk and then send tagged frames into any VLAN the trunk carries, which defeats the separation the VLANs were created for. Ports that face users should therefore be set explicitly (trunk off on a 1900, switchport mode access on a 2950) rather than left to negotiate, and only the links listed earlier as trunks should be trunks.

A 3550 switch supports Layer 3 processes, and it will support ISL as well as 802.1Q encapsulation. It has a new command, with three options:
switchport trunk encapsulation option
can be one of three values: dot1q for 802.1Q only, isl for ISL only, or negotiate to negotiate with the other device.

Back to routers, again. The text describes connecting a 1900 switch and a 2950 switch through a router. As noted above, these two switches use different encapsulation methods. This can still work, if we configure subinterfaces for the actual interface to the router. A subinterface is only logical: it does not physically exist. Declaring subinterfaces is like assigning multiple personalities to the same interface; we tell it to behave differently depending on who or what it is interacting with.

To configure a subinterface, first access it as you would the interface itself, but add a dot and a number. The text makes a reasonable suggestion that you should use subinterface numbers that match the VLAN the subinterface will interact with:

int f0/0.2
This command accesses interface f0/0, declares that it has a subinterface numbered 2, and accesses that subinterface.
encapsulation dot1q 2
This command sets the encapsulation mode of the subinterface to 802.1Q when interacting with VLAN 2.

The text continues with an example that confuses the issue by throwing in IP addressing. Take this as an opportunity to review the subnetting chapter in the text. Discussing the example, some observations are made that are not entirely clear:

  • You are told that you should know that a router connected to a switch should be using subinterfaces. This is incomplete: you should know this if the router is "on a stick". If the router connects to one switch only, but that switch connects to others, and VLANs are in use, the router must be receiving traffic from all VLANs, so it must be connected with subinterfaces.
  • Understanding the situation above, it is clearer that the router in question is connected to the switch by a trunk link. If it were not, it would not be receiving and sending traffic to all VLANs.
  • It has already been stated that links from switches to hosts are access links, but the discussion further states that a link from a switch to a hub is an access link.

We are told that it is not actually necessary to use a different subnet for each VLAN, but that it is recommended, and the text follows this practice in its examples. (Hosts in different VLANs that share a subnet cannot reach each other anyway, since no router will forward between them; one subnet per VLAN is what lets the router on a stick route between them.) It is important to review the lessons in previous chapters about subnetting to be able to determine the subnets, masks, and addresses that would be assigned to router interfaces and hosts in these examples.

The text reminds us that switches in VTP environments are configured as VTP servers by default. To create a VTP domain, you must use a VTP server.

  1. Enter configuration mode for the switch in question first.
  2. Use the command vtp server (on a 1900) or vtp mode server (on a 2950) to make the switch a server if it is not one already.
  3. Use the command vtp domain name to set or change the name of the domain.
  4. Verify the settings with the command show vtp status. (You can also just type sh vtp)

The text turns to troubleshooting VTP. Remember key facts:

  • Switches should be connected with crossover cables, not straight through cables
  • You can't change VTP information unless the switch you are using is a server. Make a client into a server with the command vtp mode server.
  • Your switches will not share VTP information unless they are part of the same VTP domain