Virtual LAN (lecture slides, 2016/2/26)

Slide 1: Virtual LAN

Slide 2: VLAN. What is a VLAN? In short, a VLAN is a software mechanism that lets a switch partition the network into separate broadcast domains. HOW? Ports are assigned to different VLANs: PCs in different VLANs do not share a broadcast domain even when they sit on the same switch, and traffic between VLANs has to pass through a router; PCs in the same VLAN reach each other through the switch alone.

Slide 3: Differences between a traditional LAN architecture and a VLAN

Slide 4: VLAN (definition). A VLAN is a logical grouping of network devices or users that is not restricted to a physical switch segment.

Slide 5: VLAN (continued). The devices or users in a VLAN can be grouped by function, department, project team, application, and so on, regardless of their physical location or connection to the network. A VLAN creates a single broadcast domain that is not restricted to a physical segment and is treated like a subnet. Packets are only switched between ports that are designated for the same VLAN. VLAN setup is done in the switch by software.

Slide 6: VLAN (continued)
Slide 7: (figure)
Slide 8: LANs & broadcast domains
Slide 9: VLANs & broadcast domains

Slide 10: Relationship between ports, VLANs & broadcast domains. Each switch port can be assigned to a VLAN. Ports assigned to the same VLAN share broadcasts; ports that do not belong to that VLAN do not receive them. This improves the overall performance of the network.

Slide 11: VLANs make workstation additions, moves and changes easier. Without VLANs, moving a user from one office to another might require a router to be reconfigured, patch cables in the wiring closet to be changed, and the IP address on the host to be reconfigured. A host connected to a VLAN-capable switch simply stays in the same VLAN (the same broadcast domain and subnetwork), with no router, patch-cable or IP address changes. This may not sound like a big deal for one host, but when many hosts move over the course of a year the savings in time and trouble are tremendous.

Slide 12: VLAN Configuration. VLAN membership is assigned either statically (port-centric, also called port-based) or dynamically.

Slide 13: Static (Port-Based/Centric) VLAN

Slide 14: Static (port-centric) VLAN: each switch port is assigned to one VLAN.

Slide 15: Port-Based/Centric. Users are assigned by port. VLANs are easily administered. It provides increased security between VLANs: packets do not "leak" into other domains.

Slide 16: Dynamic VLAN
Slide 17: A Scenario

Slide 18: A small college: a faculty LAN and a student LAN, each with different security features.

Slide 19: A year later: what if we still want each to have different security features?

Slide 20: VLANs to the rescue
Slide 21: More details
Slide 22: Benefits of VLANs

Slide 23: Security. Groups that have sensitive data are separated from the rest of the network, decreasing the chances of confidential information breaches. Faculty computers are on VLAN 10 and completely separated from student and guest traffic. Note that this separation exists at Layer 2; wherever a router or Layer 3 switch joins the VLANs, an access list or firewall is still needed to keep them apart at Layer 3.

Slide 24: More on security with VLANs. Restrict the number of users in a VLAN group. Prevent another user from joining without first receiving approval from the VLAN network management application. Configure all unused ports to a default low-service VLAN (and administratively shut them down).

Slide 26: Cost reduction. Cost savings result from less need for expensive network upgrades and more efficient use of existing bandwidth and uplinks.

Slide 27: Higher performance. Dividing flat Layer 2 networks into multiple logical workgroups (broadcast domains) reduces unnecessary traffic on the network and boosts performance.

Slide 28: Broadcast storm mitigation. Dividing a network into VLANs reduces the number of devices that may participate in a broadcast storm.

Slide 29: Improved IT staff efficiency. VLANs make the network easier to manage because users with similar network requirements share the same VLAN. When you provision a new switch, all the policies and procedures already configured for the particular VLAN are applied when the ports are assigned. Giving a VLAN a descriptive name also makes it easy for IT staff to identify its function.

Slide 30: Simpler project or application management. VLANs aggregate users and network devices to support business or geographic requirements. Having separate functions makes managing a project or working with a specialized application easier.

Slide 31: Types of VLAN: Data VLAN, Default VLAN, Native VLAN, Management VLAN, Voice VLAN.

Slide 32: Data VLAN. A data VLAN is a VLAN configured to carry only user-generated traffic. A VLAN could carry voice traffic or traffic used to manage the switch, but that traffic would not be part of a data VLAN. It is common practice to separate voice and management traffic from data traffic. A data VLAN is sometimes referred to as a user VLAN.

Slide 33: Default VLAN. All switch ports are members of the default VLAN after the initial boot-up of the switch, which makes them all part of the same broadcast domain. The default VLAN on Cisco switches is VLAN 1. VLAN 1 has all the features of any VLAN, except that you cannot rename it and you cannot delete it. Layer 2 control traffic, such as CDP and spanning tree protocol traffic, is always associated with VLAN 1; this cannot be changed. VLAN 1 traffic is forwarded over the VLAN trunks connecting the S1, S2 and S3 switches. Because VLAN 1 cannot be removed, the security best practice is to move every port out of it: assign access ports to other VLANs and use a VLAN other than VLAN 1 for management and as the trunk native VLAN, so that VLAN 1 carries no user traffic.

Slide 34: Default VLAN

Slide 35: Native VLAN. A native VLAN is assigned to an 802.1Q trunk port. An 802.1Q trunk port carries traffic from many VLANs (tagged traffic) as well as traffic that does not come from a VLAN (untagged traffic). The 802.1Q trunk port places untagged traffic on the native VLAN. Native VLANs are set out in the IEEE 802.1Q specification to maintain backward compatibility with the untagged traffic common in legacy LAN scenarios. It is a best practice to use a VLAN other than VLAN 1 as the native VLAN, and to choose one that no access port belongs to: native-VLAN frames cross the trunk untagged, so a host on an access port in the native VLAN can send frames with an inner 802.1Q tag that the far switch reads as belonging to another VLAN (double-tagging VLAN hopping).

Slide 36: Management VLAN. A management VLAN is any VLAN you configure to access the management capabilities of a switch. VLAN 1 serves as the management VLAN if you do not proactively define a unique VLAN for the purpose. You assign the management VLAN an IP address and subnet mask. A switch can be managed via HTTP, Telnet, SSH or SNMP; Telnet and HTTP carry credentials in clear text, so prefer SSH and SNMPv3. Since the out-of-the-box configuration of a Cisco switch has VLAN 1 as the default VLAN, VLAN 1 is a bad choice for the management VLAN: an arbitrary user plugged into an unconfigured port would land in the management VLAN by default.

Slide 37: And, one more
Slide 38: Voice VLAN details
Slide 40: VLAN Switch Port Modes
Slide 41: Static Mode Setup

Slide 42: Voice Mode Setup. The interface configuration command mls qos trust cos (CoS: class of service) ensures that voice traffic is identified as priority traffic. Remember that the entire network must be set up to prioritize voice traffic. By default, the Cisco IP Phone forwards voice traffic with an 802.1Q priority (CoS) of 5.

Slide 43: Voice VLAN Verification
Slide 44: Controlling broadcasts without VLANs
Slide 45: Controlling broadcasts with VLANs

Slide 46: Controlling Broadcast Domains with Switches and Routers. Breaking up broadcast domains can be done either with VLANs (on switches) or with routers. A router is needed whenever devices on different Layer 3 networks need to communicate, regardless of whether VLANs are used.

Slide 47: VLAN Trunking
Slide 48: A VLAN spanning more than one switch
Slide 49: VLAN Trunking: carrying VLANs between switches
Slide 50: Why trunking?

Slide 51: Trunking Concept. Without trunking, one physical link is needed for each VLAN (10 VLANs would need 10 links; not practical). With VLAN trunking, one link carries them all.

Slide 52: VLAN Trunking. A trunk is a physical and logical connection between two switches across which network traffic travels.

Slide 53: Definition of a VLAN Trunk. A trunk is a point-to-point link between one or more Ethernet switch interfaces and another networking device, such as a router or a switch. Ethernet trunks carry the traffic of multiple VLANs over a single link. A VLAN trunk allows you to extend VLANs across an entire network. Cisco supports IEEE 802.1Q for coordinating trunks on Fast Ethernet and Gigabit Ethernet interfaces. A VLAN trunk does not belong to a specific VLAN; rather, it is a conduit for VLANs between switches and routers.

Slide 54: Trunking Mechanisms: Frame Filtering; Frame Tagging (IEEE 802.1Q).
Slide 55: Frame Filtering
Slide 56: Frame Tagging

Slide 57: IEEE 802.1Q Frame Format. A 4-byte tag is inserted after the source MAC address; it carries a 12-bit VLAN ID (together with a 3-bit priority field), and the FCS is recalculated because the frame contents changed.

Slide 58: 802.1Q Frame Tagging
Slide 59: VLAN Trunk
Slide 60: Trunk Configuration

Slide 61: Trunk Configuration. Dynamic Trunking Protocol (DTP) is a Cisco proprietary protocol; switches from other vendors do not support it. DTP is automatically enabled on a switch port when certain trunking modes are configured on the port. DTP manages trunk negotiation only if the port on the other switch is configured in a trunk mode that supports DTP. Ports that should never become trunks (user-facing ports) should be configured explicitly as access ports, which turns DTP negotiation off, so that a connected host cannot negotiate a trunk and receive every VLAN.

Slide 62: Trunk Configuration
Slide 63: Configuring VLANs & Trunks
Slide 64: VLAN ID Ranges
Slide 65: Create a VLAN
Slide 66: Command Syntax
Slide 67: Add a VLAN
Slide 68: Add a VLAN: verification
Slide 69: Assign a Switch Port
Slide 70: Command Syntax
Slide 71: Assign a Switch Port
Slide 72: Delete a Switch Port: verification
Slide 73: Port Membership Deletion
Slide 74: Verify VLANs and Port Memberships
Slide 75: Command Syntax
Slides 76-78: Verify VLANs and Port Memberships (continued)
Slide 79: Configure Trunking
Slide 80: Command Syntax
Slide 81: Configure an 802.1Q Trunk: Topology
Slide 82: Configure an 802.1Q Trunk: example
Slide 83: Configure an 802.1Q Trunk: verification
Slide 84: Reset Trunking
Slide 85: Common Problems with Trunks

Slide 86: Native VLAN mismatches. The two trunk ports are configured with different native VLANs, for example one port has VLAN 99 as its native VLAN and the other trunk port has VLAN 100. Each side sends its own native VLAN untagged and places the untagged frames it receives into its own native VLAN, so VLAN 99 traffic from one switch arrives as VLAN 100 traffic on the other. This configuration error generates console notifications, causes control and management traffic to be misdirected, and poses a security risk.

Slide 87: Trunk mode mismatches. One trunk port is configured with trunk mode "off" and the other with trunk mode "on". This configuration error causes the trunk link to stop working.

Slide 88: Allowed VLANs on trunks. The list of allowed VLANs on a trunk has not been updated to match the current VLAN trunking requirements. In this situation, unexpected traffic or no traffic is sent over the trunk.

Slide 89: Troubleshooting Native VLAN Mismatches
Slide 90: Troubleshooting: S3 configuration
Slide 91: Troubleshooting: Solution
Slide 92: Troubleshooting Trunk Mode Mismatches
Slide 93: Troubleshooting: S1 & S3 configuration
Slide 94: Troubleshooting: Solution
Slide 95: Troubleshooting Incorrect VLAN List
Slide 96: Troubleshooting: S1 & S3 configuration
Slide 97: Troubleshooting: Solution
Slide 98: Troubleshooting VLANs and IP Subnets
Slide 99: Troubleshooting: S1 & S3 configuration
Slide 100: Troubleshooting: Solution
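The 802.1Q frame format from the frame-format slide (a 4-byte tag after the source MAC address carrying a 3-bit priority and a 12-bit VLAN ID, with the FCS recalculated) and the CoS value from the voice-mode slide can be made concrete in code. The following Python is an added example, not code from the slides: it tags, untags and parses Ethernet II frames and checks the FCS. The MAC addresses, the IPv4 payload and voice VLAN 150 are constructed for the demonstration; the FCS is the standard Ethernet CRC-32, which Python's zlib.crc32 computes.

```python
"""Build, tag, untag and verify IEEE 802.1Q Ethernet frames (added example)."""
import struct
import zlib

TPID_8021Q = 0x8100        # Tag Protocol Identifier: marks the frame as 802.1Q-tagged
ETHERTYPE_IPV4 = 0x0800


def fcs(frame_without_fcs: bytes) -> bytes:
    """Ethernet FCS: CRC-32 over the frame, transmitted least-significant byte first."""
    return struct.pack("<I", zlib.crc32(frame_without_fcs) & 0xFFFFFFFF)


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    """Untagged Ethernet II frame (dst, src, ethertype, payload) with its FCS appended."""
    body = dst + src + struct.pack("!H", ethertype) + payload
    return body + fcs(body)


def add_tag(frame: bytes, vlan_id: int, pcp: int = 0) -> bytes:
    """Insert the 4-byte 802.1Q tag after the source MAC and recompute the FCS."""
    if not 0 <= vlan_id <= 0xFFF or not 0 <= pcp <= 7:
        raise ValueError("VLAN ID is 12 bits, PCP is 3 bits")
    tci = (pcp << 13) | vlan_id            # TCI = PCP(3) | DEI(1, zero here) | VID(12)
    tag = struct.pack("!HH", TPID_8021Q, tci)
    body = frame[:12] + tag + frame[12:-4]  # drop the old FCS; it no longer matches
    return body + fcs(body)


def strip_tag(frame: bytes) -> bytes:
    """Remove the outer 802.1Q tag (what a switch does before an access port) and recompute FCS."""
    if struct.unpack("!H", frame[12:14])[0] != TPID_8021Q:
        return frame                        # already untagged
    body = frame[:12] + frame[16:-4]
    return body + fcs(body)


def parse(frame: bytes) -> dict:
    """Return addresses, tag fields (None when untagged), ethertype, payload and fcs_ok."""
    if len(frame) < 18:
        raise ValueError("frame too short")
    body, trailer = frame[:-4], frame[-4:]
    info = {"dst": frame[0:6], "src": frame[6:12], "fcs_ok": fcs(body) == trailer,
            "vlan_id": None, "pcp": None}
    ethertype = struct.unpack("!H", frame[12:14])[0]
    offset = 14
    if ethertype == TPID_8021Q:             # tagged: real ethertype follows the tag
        tci = struct.unpack("!H", frame[14:16])[0]
        info["pcp"] = tci >> 13
        info["vlan_id"] = tci & 0xFFF
        ethertype = struct.unpack("!H", frame[16:18])[0]
        offset = 18
    info["ethertype"] = ethertype
    info["payload"] = body[offset:]
    return info


# Constructed sample: a broadcast IPv4 frame from a phone, tagged into voice VLAN 150 with CoS 5
SAMPLE = build_frame(bytes.fromhex("ffffffffffff"), bytes.fromhex("001122334455"),
                     ETHERTYPE_IPV4, b"\x45" + b"\x00" * 19)
TAGGED = add_tag(SAMPLE, vlan_id=150, pcp=5)

if __name__ == "__main__":
    p = parse(TAGGED)
    print(f"vlan={p['vlan_id']} cos={p['pcp']} type=0x{p['ethertype']:04x} fcs_ok={p['fcs_ok']}")
```

Tampering with any byte of a tagged frame without recomputing the trailer makes parse() report fcs_ok False, which is why the tag insertion step on the slide has to recalculate the FCS rather than carry the original one over.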
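The native VLAN mismatch and allowed-VLAN problems listed under Common Problems with Trunks can be reproduced with a small forwarding model. This is an added example rather than material from the slides; the switch names S1 and S3, native VLANs 99 and 100, and the allowed lists are constructed to mirror the troubleshooting scenario. Each trunk port sends its native VLAN untagged, classifies untagged frames it receives into its own native VLAN, and drops VLANs outside its allowed list; the audit runs probes in both directions and reports where each VLAN's traffic actually lands.

```python
"""Model of 802.1Q trunk forwarding between two switches (added example)."""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


@dataclass
class Frame:
    vlan: Optional[int]   # VLAN ID in the 802.1Q tag, or None if the frame is untagged on the wire
    payload: str


@dataclass
class TrunkPort:
    native_vlan: int
    allowed: Set[int] = field(default_factory=lambda: set(range(1, 4095)))

    def egress(self, vlan: int, payload: str) -> Optional[Frame]:
        """Put a frame from internal VLAN `vlan` onto the trunk; None if the VLAN is pruned."""
        if vlan not in self.allowed:
            return None
        if vlan == self.native_vlan:
            return Frame(None, payload)       # native VLAN leaves the port untagged
        return Frame(vlan, payload)

    def ingress(self, frame: Frame) -> Optional[int]:
        """Classify a received frame into an internal VLAN; None if it is dropped."""
        vlan = self.native_vlan if frame.vlan is None else frame.vlan
        return vlan if vlan in self.allowed else None


def cross_trunk(sender: TrunkPort, receiver: TrunkPort, vlan: int, payload: str) -> Optional[int]:
    """VLAN the payload lands in on the far switch, or None if it never arrives."""
    wire = sender.egress(vlan, payload)
    return None if wire is None else receiver.ingress(wire)


def audit(s1: TrunkPort, s3: TrunkPort, vlans: List[int]) -> List[Tuple[str, int, Optional[int]]]:
    """(direction, source VLAN, VLAN it arrives in) for every VLAN, in both directions."""
    rows = []
    for name, a, b in (("S1->S3", s1, s3), ("S3->S1", s3, s1)):
        rows += [(name, v, cross_trunk(a, b, v, "probe")) for v in vlans]
    return rows


def problems(s1: TrunkPort, s3: TrunkPort, vlans: List[int]) -> List[str]:
    """Human-readable findings: native mismatch, pruned VLANs, traffic landing in the wrong VLAN."""
    out = []
    if s1.native_vlan != s3.native_vlan:
        out.append(f"native VLAN mismatch: S1={s1.native_vlan} S3={s3.native_vlan}")
    for direction, v, landed in audit(s1, s3, vlans):
        if landed is None:
            out.append(f"{direction}: VLAN {v} not carried (allowed-list mismatch)")
        elif landed != v:
            out.append(f"{direction}: VLAN {v} frames arrive in VLAN {landed}")
    return out


# Constructed scenario: S1 native 99 with VLANs 10,20,99,100; S3 misconfigured, then fixed
S1 = TrunkPort(native_vlan=99, allowed={10, 20, 99, 100})
S3_BAD = TrunkPort(native_vlan=100, allowed={10, 99, 100})     # wrong native, VLAN 20 missing
S3_FIXED = TrunkPort(native_vlan=99, allowed={10, 20, 99, 100})
VLANS = [10, 20, 99, 100]

if __name__ == "__main__":
    for line in problems(S1, S3_BAD, VLANS):
        print("BAD  ", line)
    print("FIXED", problems(S1, S3_FIXED, VLANS))
```

With the mismatched configuration the audit shows VLAN 99 traffic from S1 emerging in VLAN 100 on S3 (and VLAN 100 from S3 emerging in VLAN 99 on S1), which is the misdirection the slide warns about, plus VLAN 20 silently dropped by the allowed list; after the fix the findings list is empty.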