Vlan 1

The document discusses virtual LANs (VLANs): VLANs divide a single broadcast domain into multiple smaller broadcast domains; frame tagging protocols such as 802.1Q identify VLAN traffic between switches; trunk ports configured for 802.1Q tagging carry traffic for multiple VLANs between switches; and protocols such as VTP and private VLANs provide additional VLAN management and isolation features.

Virtual LANs

Agenda

- LAN vs VLAN
- Frame Tagging Protocols
- Inter-VLAN Routing
- DTP
- VTP
- Private-VLAN
- 802.1Q-in-Q

Single Broadcast Domain
Multiple Broadcast Domains | VLANs

- Each VLAN is a separate broadcast domain
- VLANs divide a single broadcast domain into multiple smaller broadcast domains
- All ports belong to VLAN 1 by default until you change it

LAN | One Broadcast Domain
LANs | Two Broadcast Domains
LANs | L3 Connected Networks
Virtual LAN | Multiple Isolated Networks

- Multiple broadcast domains

Virtual vs. Physical LANs | Pros & Cons

- Physically isolated LANs
  - Switches can be unmanaged (cheaper) if no other features are required
  - Fixed places (immobility)
- Virtual LANs
  - Switches must support VLANs (more expensive)
  - Dynamic locations (a device can move to any location and still be connected to the same VLAN very easily)
  - Security risks

VLAN | Switch MAC Table

- A switch assigns each of its ports to only one VLAN membership.
- Switches forward a broadcast to all ports that are members of the VLAN the broadcast was received from, except the source port.
- Switches maintain the isolation between VLANs.

MAC Address Table

VLAN  Source MAC Address  Type     Ports
10    0000.BD72.4870      Dynamic  0
15    0001.905E.50CD      Dynamic  1
15    0002.63BC.7D67      Dynamic  2
10    0003.3D3A.FFE6      Static   3

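The table above as a runnable model, an added example that is not code from the slides: a toy switch whose MAC table is keyed by (VLAN, MAC), so broadcasts and unknown unicasts are flooded only to ports of the ingress VLAN and a MAC learned in VLAN 10 is never found by a lookup from VLAN 15. Port numbers, VLAN membership and MAC addresses are taken from the table; the Frame and VlanSwitch names are my own.

```python
from dataclasses import dataclass, field

BROADCAST = "FFFF.FFFF.FFFF"

@dataclass
class Frame:
    src: str      # source MAC, Cisco dotted notation as in the table above
    dst: str
    in_port: int

@dataclass
class VlanSwitch:
    """Toy switch: every port belongs to exactly one VLAN and the MAC table is keyed by
    (VLAN, MAC), so lookups never cross VLAN boundaries."""
    port_vlan: dict                                # port -> access VLAN
    mac_table: dict = field(default_factory=dict)  # (vlan, mac) -> port

    def receive(self, frame: Frame) -> list:
        """Forward one frame and return the list of egress ports."""
        vlan = self.port_vlan[frame.in_port]
        # Learn the source MAC as a dynamic entry in the VLAN of the ingress port.
        self.mac_table[(vlan, frame.src)] = frame.in_port
        out_port = self.mac_table.get((vlan, frame.dst))
        if frame.dst != BROADCAST and out_port is not None:
            return [out_port]
        # Broadcast or unknown unicast: flood to the VLAN's member ports, minus the source port.
        return sorted(p for p, v in self.port_vlan.items() if v == vlan and p != frame.in_port)

def demo() -> dict:
    """Constructed scenario using the layout of the table above: ports 0,3 in VLAN 10; 1,2 in VLAN 15."""
    sw = VlanSwitch({0: 10, 1: 15, 2: 15, 3: 10})
    results = {}
    results["bcast_vlan10"] = sw.receive(Frame("0000.BD72.4870", BROADCAST, 0))   # -> [3]
    results["bcast_vlan15"] = sw.receive(Frame("0001.905E.50CD", BROADCAST, 1))   # -> [2]
    # Known unicast: port 0's MAC is now learned in VLAN 10, so port 3 reaches it directly.
    results["known_unicast"] = sw.receive(Frame("0003.3D3A.FFE6", "0000.BD72.4870", 3))  # -> [0]
    # A VLAN 15 host addressing a MAC that exists only in VLAN 10: the (15, mac) lookup fails,
    # so the frame is flooded inside VLAN 15 only and never reaches port 0.
    results["cross_vlan"] = sw.receive(Frame("0002.63BC.7D67", "0000.BD72.4870", 2))    # -> [1]
    return results

if __name__ == "__main__":
    for case, ports in demo().items():
        print(f"{case}: egress ports {ports}")
```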
Port-VLAN Membership

- Static
- Dynamic
  - Example: can be achieved using a VLAN Membership Policy Server (VMPS)

Question

- What if VLANs are configured across multiple switches? How do the other switches keep each VLAN's traffic isolated?
- Solution: tag frames to identify the VLAN each one belongs to

VLAN Tagging Protocols

- Tagging is required between switches.
- Tagging protocols
  - Cisco Inter-Switch Link (ISL): a proprietary tagging protocol (supported only by some Cisco devices)
  - IEEE 802.1Q: a standard tagging protocol

VLAN | 802.1Q

802.1Q tag fields (the tag is inserted between the source MAC address and the EtherType):

- TPID (Tag Protocol Identifier): 0x8100 = 802.1Q
- TCI (Tag Control Information)
  - CFI (Canonical Format Identifier): 0 for Ethernet switches

VLAN | Port Types

- Devices either
  - understand 802.1Q (e.g. managed switches, routers, servers, etc.)
  - don't understand 802.1Q
- As a result, from the VLAN perspective, switch ports are either
  - Trunk (VLAN tagging)
  - Access (no tagging)

DTP (Dynamic Trunking Protocol)

- DTP is a Cisco proprietary protocol for dynamically negotiating trunking and the encapsulation protocol (802.1Q or ISL) on a link between two devices.
- Trunk modes
  - Trunk
  - Dynamic Desirable
  - Auto
- To stop generating DTP frames:
  - switchport nonegotiate
- Ports facing end hosts should be set to static access mode together with switchport nonegotiate, so that a connected device cannot negotiate the port into a trunk.

VLAN Configuration | Cisco

- VLAN DB creation
  Switch(config)#vlan 10
  Switch(config-vlan)#name IT_VLAN
- Access ports
  Switch(config)#interface f0/3
  Switch(config-if)#switchport mode access
  Switch(config-if)#switchport access vlan 10
- Trunk ports
  Switch(config)#interface f0/3
  Switch(config-if)#switchport mode trunk

Native VLAN

- Default VLAN
  - By default all switch ports are members of the default VLAN (VLAN 1 for many vendors).
  - As a result, all devices can communicate with each other.
- Native VLAN
  - A VLAN whose traffic traverses the 802.1Q trunk untagged (configured per trunk).
  - The native VLAN must be the same on both ends of a trunk; a mismatch joins two different VLANs through the untagged traffic.

Auxiliary/Voice VLAN

- An IP phone requires an Ethernet port
- It is impractical to have one switch port per computer and another per IP phone.
- Solution:
  - Use one port for both by means of a special-purpose VLAN called the voice or auxiliary VLAN.
  - Voice traffic is tagged but data traffic isn't
- Configuration (Cisco switch):
  Switch(config)# interface ethernet0/0
  Switch(config-if)# switchport mode access
  Switch(config-if)# switchport access vlan 22
  Switch(config-if)# switchport voice vlan 33

VLAN | Performance Improvements

- VLANs are scattered among switches, and a given VLAN may be inactive or not configured on many of them.
- Switches receive broadcasts for all VLANs from trunk ports even if the VLAN isn't configured on the switch.
- You can stop a VLAN's traffic from traversing a trunk port by configuration
  - Cisco command:
    Switch(config-if)#switchport trunk allowed vlan 10,15,103-105

VLAN | Inter-VLAN Routing

- Routing traffic between VLANs can be done using one of the following
  - A router with a connection to every VLAN via an access-mode port
  - Router on a stick: one trunk connection between the switch and the router
  - Multilayer switch: create a logical interface (SVI) for each VLAN

Managing the VLAN DB on Switches

- VTP (VLAN Trunking Protocol)
  - is a Cisco proprietary protocol
  - enables you to create a VLAN on a single switch, then propagate information about the VLAN to every other switch on the network and cause the other switches to create it.
  - Versions: 1, 2, 3
  - Modes: Server, Client, Transparent

VTP

- Domain: all switches that should share the same VLAN database must belong to the same VTP domain.
- Password: used to participate in the domain
- Modes:
  - Server: in this mode, you can create, modify, and delete VLANs. You can specify other configuration parameters as well, such as VTP version and VTP pruning, for the entire VTP domain.
  - Client: sends/forwards VTP advertisements and synchronizes VLAN configuration information with other switches
  - Transparent: sends/forwards VTP advertisements but does not synchronize VLAN configuration information with other switches

VTP | Process and Revision Numbers

- The VTP update process begins when a VLAN configuration is added, deleted, or updated on a VTP server switch.
- Steps:
  - The VLAN configuration changes on the server.
  - The VTP revision number increments by 1.
  - The server advertises the entire VLAN configuration database along with the new revision number.
  - Clients accept the update if its revision number is newer than their old revision number.

VTP | Cautions

- Be careful: adding a new switch to a network can overwrite the VTP VLAN configuration. In VTP versions 1 and 2, any domain member whose revision number is higher than the domain's replaces the whole VLAN database, even a switch in client mode.
- Ensure the switch is not connected.
- Configure the VTP domain, mode, and password.
- Clear the VTP revision number, then add the switch to the existing VTP domain.
- Use show commands to verify the VTP configuration and revision number.
- Connect the switches after configuring the trunk ports correctly.

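A simulation of the revision-number rule behind these cautions, added here as an example and not code from the slides. It models VTP version 1/2 behaviour, where every domain member (servers included) adopts an advertised database with a higher revision number, and shows why the revision must be cleared before a reused switch is connected. The switch names, the domain name CORP and the VLAN names are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class VtpSwitch:
    """Minimal model of a VTP v1/v2 participant: one domain, one mode, one revision number."""
    name: str
    domain: str
    mode: str                                   # "server", "client" or "transparent"
    revision: int = 0
    vlans: dict = field(default_factory=dict)   # VLAN id -> name

    def change_vlan(self, vlan_id: int, name: str) -> None:
        """VLAN edits are only allowed on a server; every edit bumps the revision by 1."""
        if self.mode != "server":
            raise PermissionError(f"{self.name}: VLAN edits require server mode")
        self.vlans[vlan_id] = name
        self.revision += 1

    def advertise(self) -> dict:
        """The server advertises its whole VLAN database together with the revision number."""
        return {"domain": self.domain, "revision": self.revision, "vlans": dict(self.vlans)}

    def receive(self, adv: dict) -> bool:
        """Overwrite the local database only if the domain matches and the advertised
        revision is newer; transparent switches forward advertisements but never sync."""
        if self.mode == "transparent" or adv["domain"] != self.domain:
            return False
        if adv["revision"] <= self.revision:
            return False
        self.vlans, self.revision = dict(adv["vlans"]), adv["revision"]
        return True

def simulate(clear_revision_first: bool) -> dict:
    """Constructed scenario: a reused switch with a stale, high-revision database joins the domain."""
    core = VtpSwitch("core", "CORP", "server")
    for vid, name in ((10, "IT_VLAN"), (15, "HR"), (20, "VOICE")):
        core.change_vlan(vid, name)                  # core revision ends at 3
    access1 = VtpSwitch("access1", "CORP", "client")
    access1.receive(core.advertise())                # access1 now synced at revision 3
    stale = VtpSwitch("lab-sw", "CORP", "server", revision=9, vlans={99: "LAB"})
    if clear_revision_first:
        stale.revision = 0                           # the "clear the revision number" step
    # Plugging the switch in: every domain member, servers included, compares revision numbers
    for member in (core, access1):
        member.receive(stale.advertise())
    return {"core": core.vlans, "access1": access1.vlans}
```

With clear_revision_first=False the stale switch's three-line database replaces the production VLANs on both switches; with True its advertisement is ignored and the domain keeps VLANs 10, 15 and 20.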
VTP Pruning | Performance Improvement

- VTP pruning forwards traffic over a trunk link only if the switch on the receiving end of the trunk link has ports in the source VLAN.
- If VTP pruning is enabled, switches automatically communicate to each other which VLANs they have locally assigned or are in the transit path for.
- It reduces the volume of flooded traffic.

Private-VLAN

- A private VLAN (port isolation) is a technique in computer networking where a VLAN contains switch ports that are restricted such that they can only communicate with a given uplink.
- A private VLAN uses one subnet only.
- Types of ports
  - Isolated: communicates with nothing other than the gateway (promiscuous port).
  - Community: communicates with every port within the same community VLAN and the gateway.
  - Promiscuous (connected to a gateway): can communicate with any other port in the private VLAN.

Private-VLAN

- Each private VLAN topology has one primary VLAN.
- A primary VLAN has multiple secondary VLANs (sub-VLANs).
- Secondary VLANs are either
  - Isolated: communicates with nothing other than the gateway (promiscuous port).
  - Community: communicates with every port within the same community VLAN and the gateway.

Private-VLAN | Configuration (Cisco)

RouteXP_Switch_1(config)#vlan 100
RouteXP_Switch_1(config-vlan)#private-vlan primary
RouteXP_Switch_1(config-vlan)#vlan 101
RouteXP_Switch_1(config-vlan)#private-vlan isolated
RouteXP_Switch_1(config-vlan)#vlan 102
RouteXP_Switch_1(config-vlan)#private-vlan community
RouteXP_Switch_1(config-vlan)#vlan 103
RouteXP_Switch_1(config-vlan)#private-vlan community
RouteXP_Switch_1(config-vlan)#vlan 100
RouteXP_Switch_1(config-vlan)#private-vlan association 101-103

VLAN | 802.1Q-in-Q

- 802.1Q-in-Q allows a service provider to preserve 802.1Q VLAN tags across a WAN service. Doing so allows a VLAN to span multiple geographically dispersed sites.
- The provider pushes a second, outer tag in front of the customer's 802.1Q tag at its edge and pops it again at the far site, so the customer's VLAN IDs cross the WAN unchanged.
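A parser for the tag fields described in the 802.1Q section above and for the stacked tags of Q-in-Q, added here as an example and not code from the slides. The sample frames are constructed (MACs taken from the MAC table slide); the 0x88A8 service-tag TPID is the IEEE 802.1ad value and the field widths (PCP 3 bits, CFI/DEI 1 bit, VID 12 bits) are the standard's, neither of which is shown on the slides.

```python
import struct

TPID_8021Q = 0x8100   # 802.1Q customer tag, the value shown on the slide
TPID_8021AD = 0x88A8  # IEEE 802.1ad service tag used as the outer Q-in-Q tag (not on the slide)

def parse_tci(tci: int) -> dict:
    """Split the 16-bit Tag Control Information into PCP (3 bits), CFI/DEI (1 bit), VID (12 bits)."""
    return {"pcp": tci >> 13, "cfi": (tci >> 12) & 1, "vid": tci & 0x0FFF}

def parse_frame(frame: bytes) -> dict:
    """Return the MACs, the stack of VLAN tags (outermost first) and the payload EtherType.
    An untagged frame, e.g. native-VLAN traffic on a trunk, yields an empty tag list."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    offset, tags = 12, []
    while True:
        if len(frame) < offset + 2:
            raise ValueError("frame truncated inside the tag stack")
        (ethertype,) = struct.unpack("!H", frame[offset:offset + 2])
        if ethertype not in (TPID_8021Q, TPID_8021AD):
            break                      # a real EtherType: no more tags follow
        if len(frame) < offset + 4:
            raise ValueError("truncated 802.1Q tag")
        (tci,) = struct.unpack("!H", frame[offset + 2:offset + 4])
        tags.append({"tpid": ethertype, **parse_tci(tci)})
        offset += 4
    fmt = lambda mac: ":".join(f"{b:02x}" for b in mac)
    return {"dst": fmt(dst), "src": fmt(src), "tags": tags, "ethertype": ethertype}

def build_frame(dst: bytes, src: bytes, tags: list, ethertype: int, payload: bytes) -> bytes:
    """Construct a test frame; tags is a list of (tpid, pcp, cfi, vid), outermost first."""
    out = dst + src
    for tpid, pcp, cfi, vid in tags:
        out += struct.pack("!HH", tpid, (pcp << 13) | (cfi << 12) | vid)
    return out + struct.pack("!H", ethertype) + payload

# Constructed sample frames (MACs from the MAC table slide, payload is a dummy IPv4 header start).
DST, SRC = bytes.fromhex("0000bd724870"), bytes.fromhex("00033d3affe6")
PAYLOAD = b"\x45" + b"\x00" * 19
UNTAGGED = build_frame(DST, SRC, [], 0x0800, PAYLOAD)                            # native VLAN
TAGGED = build_frame(DST, SRC, [(TPID_8021Q, 5, 0, 10)], 0x0800, PAYLOAD)        # VLAN 10, PCP 5
QINQ = build_frame(DST, SRC, [(TPID_8021AD, 0, 0, 1005), (TPID_8021Q, 5, 0, 10)], 0x0800, PAYLOAD)

if __name__ == "__main__":
    for name, f in (("untagged", UNTAGGED), ("tagged", TAGGED), ("q-in-q", QINQ)):
        print(name, parse_frame(f)["tags"])
```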
