VLANs

Switching
Topic 2
VLANs
Agenda
• VLANs
– Benefits
– Components
– Trunking and 802.1q
– VLAN types
– VLAN operations
– VLAN modes
– Voice VLAN
– DTP
– Troubleshooting
VLANs
• Virtual LAN or ‘virtualised’ LAN
• VLANs divide switches by business function
– Departments, project teams, locations
• Multiple VLANs exist on multiple switches in the switched
infrastructure
– Each VLAN is a different IP network
• VLANs are configured on the switch
– Switchports are each assigned to a single VLAN
– Hosts connected to the switchport can communicate with other
hosts in the same VLAN
– Hosts in different VLANs are on different networks and can only
communicate with each other via a routing process
• VLANs can span multiple switches so hosts can be located
anywhere and connect to any switch
VLANs
Benefits of VLANs
• Separate large broadcast domains into smaller ones
• Separate the network into business functional groups
– Security
• Segmenting functional groups means policy can be applied
– Cost
• More efficient use of switches and links, as the infrastructure is
shared by different VLANs
– Controlled network traffic
• Performance is maintained as there is less broadcast traffic
• Broadcast storms and errors are contained within the VLAN
– Management efficiency
• Simple moves, adds, and changes for hosts
• Users with the same needs can be grouped and assigned to
a VLAN
Components
• Switches
– VLANs are created on the switch
– VLANs are identified by a number (the VID) and described by a name
– Ports are assigned to a specific VLAN (the port VID, PVID)
• Trunk links
– Links between switches which carry all VLAN traffic
– Links between switches and routers which carry all VLAN traffic for
routing between the VLANs
• Trunking protocol 802.1q
– Tags frames arriving at ports with their VLAN ID
– Tagged frames travel down trunk links with their VLAN ID tags
– Tags are stripped from frames when leaving a port to go to the
host
• Router or layer 3 switch routes frames between VLANs
Trunking
• Trunking extends the VLAN
• A VLAN trunk is a point-to-point link between
two switches that carries tagged frames from
more than one VLAN
• VLAN trunks extend VLANs across the
network using the IEEE 802.1q standard
• Without VLAN trunks a separate link between
switches would be required for each VLAN
Types of VLANs
• Data VLAN – user and application traffic
• Voice VLAN
– Requires assured bandwidth and delay of less than 150 milliseconds
• Management VLAN
– Used to remotely access and manage the switch (Telnet, HTTP, SSH,
SNMP)
– The management VLAN is assigned an IP address and a subnet mask
– By default this is VLAN 1; best practice is to create a separate management
VLAN
• Default VLAN – VLAN 1
– All ports are members of VLAN 1 by default
– Cannot be deleted or renamed
– Carries layer 2 control traffic such as CDP and STP
– Best practice is to assign all ports on the switch to a VLAN other than VLAN 1
and leave VLAN 1 for layer 2 control traffic
Native VLAN
• The native VLAN is assigned to switchports that are
trunking
• Untagged frames
– Frames that originate on the switch (such as CDP, STP
and other control traffic) are untagged (they did not arrive
through a switchport)
– Untagged frames received by a trunk port are treated as native
VLAN traffic and sent down trunks with the native VLAN tag
• Control traffic should be untagged
– Some vendors' switches tag control traffic, and this traffic
is dropped on the native VLAN
• The native VLAN is by default VLAN 1 and should be
assigned to another VLAN
VLAN tagging 802.1q
• Each port is assigned the PVID of its VLAN
• 802.1q ports (trunk ports) are assigned the PVID of the
native VLAN
• Ingress rules:
– Untagged traffic that arrives at the port is tagged with the
PVID
– Tagged traffic that arrives at the port is not altered
• Forwarding rules:
– Flood, forward or filter and MAC address table lookup
• Egress rules:
– Frame is untagged if its destination is a host
– Frame sent as tagged if its destination is a trunk or IP
phone
Tag frame format
• Dot1q inserts a tag into the Ethernet header of frames
(just after source MAC):
– Switchport with a PVID assigned receives a frame
– Switch inserts VLAN tag and recalculates FCS
– Switch sends tagged frame out of trunk port
• EtherType field value set to 0x8100 – the TPID value
• Tag Control Information field is inserted that contains:
– Priority information
– CFI (Canonical Format Indicator), which allows Token Ring frames to be carried on Ethernet links
– VID, the VLAN ID (12 bits, up to 4096 values)
• FCS field in the trailer gets a recalculated FCS value
VLAN operation
• Broadcast frames:
– Switch forwards broadcast frames:
• out of all ports on the same VLAN except the
originating port
• as tagged frames on trunk links which allow the
VLAN.
• Unicast frames:
– Switch forwards the frame to destination host on
current switch
– or if the destination MAC is on another switch, as a
tagged frame using the trunk link.
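The tag format, the ingress/egress rules and the broadcast/unicast operation described above, as an added Python example that is not part of the original slides: it inserts and strips the 802.1Q tag (TPID 0x8100, TCI with PCP, CFI and VID, FCS recomputed) and runs a minimal switch that tags with the PVID on ingress, learns MACs per VLAN, floods or forwards or filters, keeps the tag on trunks, and untags for access ports and the native VLAN. Port names, MAC addresses, the port dictionary shape and the sample frame are constructed for this example.

```python
import struct, zlib
TPID = 0x8100  # TPID value in the EtherType position marks an 802.1Q tag

def _with_fcs(body):  # Ethernet FCS is CRC-32, sent least-significant byte first
    return body + struct.pack("<I", zlib.crc32(body))

def make_frame(dst, src, payload, ethertype=0x0800):
    # Constructed untagged frame: dst MAC, src MAC, EtherType, payload, FCS
    return _with_fcs(dst + src + struct.pack("!H", ethertype) + payload)

SAMPLE = make_frame(b"\xff" * 6, b"\x02\x00\x00\x00\x00\x01", b"constructed")  # constructed broadcast

def tag_frame(frame, vid, pcp=0, cfi=0):
    # Insert TPID + TCI after the source MAC (offset 12), then recompute the FCS
    tci = (pcp << 13) | (cfi << 12) | (vid & 0xFFF)
    return _with_fcs(frame[:12] + struct.pack("!HH", TPID, tci) + frame[12:-4])

def untag_frame(frame):  # strip the 4-byte tag for a host and recompute the FCS
    return _with_fcs(frame[:12] + frame[16:-4])

def vlan_of(frame):  # VID (low 12 bits of the TCI) of a tagged frame, else None
    if struct.unpack("!H", frame[12:14])[0] != TPID:
        return None
    return struct.unpack("!H", frame[14:16])[0] & 0xFFF

class Switch:
    def __init__(self, ports):
        # ports: name -> {"trunk": bool, "pvid": int, "allowed": set}; a trunk's pvid is its native VLAN
        self.ports = ports
        self.mac_table = {}  # (vid, mac) -> port the MAC was learnt on

    def forward(self, in_port, frame):
        cfg = self.ports[in_port]
        vid = vlan_of(frame)
        if vid is None:                                  # ingress: tag with the PVID
            vid, frame = cfg["pvid"], tag_frame(frame, cfg["pvid"])
        elif not cfg["trunk"] or vid not in cfg["allowed"]:
            return []                                    # tag not valid on this port
        self.mac_table[(vid, frame[6:12])] = in_port      # learn the source MAC per VLAN
        known = self.mac_table.get((vid, frame[:6]))      # broadcast never matches
        if known == in_port:
            return []                                    # filter: destination is local
        targets = [known] if known else [p for p in self.ports if p != in_port]
        out = []
        for p in targets:                                # forward or flood
            pc = self.ports[p]
            if pc["trunk"] and vid in pc["allowed"]:     # egress: trunk keeps the tag
                out.append((p, untag_frame(frame) if vid == pc["pvid"] else frame))
            elif not pc["trunk"] and pc["pvid"] == vid:  # egress: access port untags
                out.append((p, untag_frame(frame)))
        return out
```

Note that hosts in different VLANs never see each other's frames in this model; they only meet again through a router or layer 3 switch, as the slides describe.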
VLAN modes
• Static (port-based VLAN)
– Switchports can be manually assigned to a VLAN
• switchport mode access
• switchport access vlan 20
• Dynamic
– Switchports can be assigned to a VLAN based on the
MAC address of the attached host
– A VLAN Membership Policy Server (VMPS) holds the
mappings of MAC addresses to VLANs
– Hosts can move around and use any port and get put
into the correct VLAN
Switchport modes
• Access mode
– Configures a switchport as an access port
– Has hosts attached to it
– Maintains the PVID of the VLAN associated with it
• Trunk mode
– Configures a switchport as a trunk port
– Has switches or routers attached to it
– Forwards tagged frames from multiple VLANs
– Forwards untagged frames on the native VLAN
Dynamic Trunking Protocol (DTP)
• Cisco® proprietary protocol that lets switchports negotiate whether to trunk
• Four modes:
– On (always a trunk)
– Dynamic auto (able to trunk, but only if the other end of the link is on or
desirable)
– Dynamic desirable (able to trunk, and will if the other end is on, desirable or
auto)
– Nonegotiate (DTP is off and the switchport trunks unconditionally)
• Use nonegotiate when trunking to a switch from another vendor
• If both ends are set to dynamic auto, they negotiate to stay in their default
state, which is access mode
• For the 2950, the default switchport mode is dynamic desirable
• For the 2960, the default switchport mode is dynamic auto
VLAN IDs
• Normal range VLANs
– VLAN ID between 1 and 1005
– 1002 to 1005 are reserved for Token Ring and FDDI
– VLAN 1 and 1002–1005 are created automatically and cannot be
removed
– Configurations are stored in the vlan.dat file in flash
– Supports VTP to propagate VLANs
• Extended range VLANs
– VLAN ID between 1006 and 4094
– Fewer features
– Saved in the running config
– Does not support VTP to propagate VLANs
• Cisco® Catalyst® 2960 can support up to 255 VLANs
Voice VLAN
• Voice traffic needs priority classification and can only tolerate 150 ms delay
• Cisco® phones contain a 3 port switch
– Port 1 connects to the switch
– Port 2 is an internal 10/100 interface that carries the IP phone traffic
– Port 3 (access port) connects to a PC
• The switchport is configured with a voice VLAN (VLAN 150) and a data VLAN
• The switchport uses CDP to send the voice VLAN ID to the phone
• The phone tags voice frames with the voice VLAN ID
• The phone does not tag frames from the PC
• Data frames are tagged with the data VLAN ID when they arrive at the switchport
Configuring VLANs
• Demo
Deleting VLANs
• VLAN configuration is stored in the vlan.dat file in flash
• Remove a single VLAN from global configuration mode:
Switch(config)# no vlan <vlan-id>
• Remove the whole VLAN database from privileged EXEC mode:
Switch# delete flash:vlan.dat
Switch# delete vlan.dat
Troubleshooting
• Native VLAN mismatches
– different native VLANs at each end of a link cause errors
and cause traffic to be misdirected (a security risk)
• Trunk mode mismatches
– one switchport is off and the other switchport is on
• VLANs and IP subnets
– incorrect IP addresses, gateways, subnet masks
• Allowed VLANs on trunks
– VLAN hasn’t been added as ‘allowed’ on trunk
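The DTP negotiation rules from the DTP slide and the trunk mode, native VLAN and allowed-VLAN mismatches from the Troubleshooting slide, as an added Python example that is not part of the original slides: dtp_result applies the four modes as described there, and check_link reports the mismatches on one link given both ends' settings. The per-end dictionary shape and the 2950/2960 default-mode table are this example's own constructions.

```python
# DTP modes as described in the slides: which ones initiate negotiation,
# which answer it, and which force trunking without negotiating at all
INITIATES = {"on", "desirable"}
RESPONDS = {"on", "desirable", "auto"}
ALWAYS_TRUNK = {"on", "nonegotiate"}
DEFAULT_MODE = {"2950": "desirable", "2960": "auto"}  # default switchport mode

def dtp_result(local, remote):
    # Operational state of the local end after negotiating with the remote end
    if local in ALWAYS_TRUNK:
        return "trunk"
    if local in INITIATES and remote in RESPONDS:
        return "trunk"
    if local in RESPONDS and remote in INITIATES:
        return "trunk"
    return "access"  # e.g. auto/auto: nobody initiates, both stay in access mode

def check_link(a, b):
    # a, b: each end as {"mode": str, "native": int, "allowed": set of VIDs}
    # (constructed shape for this example); returns a list of findings
    issues = []
    sa, sb = dtp_result(a["mode"], b["mode"]), dtp_result(b["mode"], a["mode"])
    if sa != sb:
        issues.append(f"trunk mode mismatch: one end is {sa}, the other {sb}")
    elif sa == "access":
        issues.append("no trunk formed: both ends stay in access mode")
    else:
        if a["native"] != b["native"]:
            issues.append(f"native VLAN mismatch: {a['native']} vs {b['native']}")
        only_one_side = a["allowed"] ^ b["allowed"]
        if only_one_side:
            issues.append(f"VLANs allowed on one end only: {sorted(only_one_side)}")
    return issues

def two_default_2960s():
    # Constructed case: two 2960s left at their default mode never form a trunk
    end = {"mode": DEFAULT_MODE["2960"], "native": 1, "allowed": {1, 10, 20}}
    return check_link(end, dict(end))
```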