VLANs
LAN Switching and Wireless – Chapter 3
ITE I Chapter 6 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Public

Objectives
- Explain the role of VLANs in a converged network.
- Explain the role of trunking VLANs in a converged network.
- Configure VLANs on the switches in a converged network topology.

Problems with large LANs
- A router is used to reduce the size of broadcast domains and implement security between workgroups.
- Users are grouped geographically.
- A better solution: implement VLANs on switches.

VLAN (Virtual LAN)
- A VLAN logically segments a LAN into separate broadcast domains.
- VLANs are configured on switches (i.e. at Layer 2).
- Each switch port is assigned to a VLAN.
- Frames can only be switched between ports that belong to the same VLAN. Hence a broadcast is confined to a single VLAN.
- The administrator configures the same VLANs on each switch.
- Each VLAN is identified with a unique number and, optionally, a name, e.g. VLAN 1, VLAN 20, VLAN 99, Sales VLAN.

Example: 3 VLANs on a single switch
(Diagram: one switch with ports labelled 10, 20 and 30.)

Example: 3 VLANs on a single switch
- The switch is configured with three VLANs: VLAN 10, VLAN 20, VLAN 30.
- Each switch port is assigned to one of these VLANs.
- Each user device is a member of one VLAN, depending upon which switch port it is connected to.
- Change the VLAN membership by connecting the device to another port, or by assigning the port to another VLAN.

Example: 3 VLANs on a single switch
- If there is no router on the LAN, then traffic cannot pass between VLANs. All devices can be on the same IP subnet.
- To communicate between devices on separate VLANs, there must be a router on the LAN and each VLAN must be configured with a different IP subnet.
- The router routes packets between the VLANs and can also implement security (ACLs).
- Instead of a router, you could use a Layer 3 switch.

Example: 3 VLANs on 3 switches
(Diagram: three switches, each carrying VLANs 10, 20 and 30.)

Example: 3 VLANs on 3 switches
- Without VLANs, users are grouped geographically. With VLANs, users can be grouped logically.
- All VLANs are implemented across all switches.
- If traffic is to be allowed between the VLANs:
  - The LAN must include a Layer 3 network device.
  - Each VLAN must use a different IP subnet.
- Each VLAN is a separate broadcast domain.

VLAN ID ranges
- Each VLAN is identified with a number.
- Normal Range VLANs
  - VLAN ID between 1 and 1005.
  - Configurations are stored within a VLAN database file, called vlan.dat, stored in flash.
- Extended Range VLANs
  - VLAN ID between 1006 and 4094.
  - Intended for ISP use.
  - Support limited features.

Default configuration for Cat 2960

    Switch#show vlan brief

    VLAN Name                             Status    Ports
    ---- -------------------------------- --------- -------------------------------
    1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                    Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                    Fa0/9, Fa0/10, Fa0/11, Fa0/12
                                                    Fa0/13, Fa0/14, Fa0/15, Fa0/16
                                                    Fa0/17, Fa0/18, Fa0/19, Fa0/20
                                                    Fa0/21, Fa0/22, Fa0/23, Fa0/24
                                                    Gig1/1, Gig1/2
    1002 fddi-default                     active
    1003 token-ring-default               active
    1004 fddinet-default                  active
    1005 trnet-default                    active
    Switch#

- IDs 1002 through 1005 are reserved for Token Ring and FDDI VLANs.
- VLAN 1 and VLANs 1002 through 1005 are created automatically and cannot be deleted or renamed.

Creating a VLAN and assigning ports

    ! Create VLANs
    vlan 10
     name Faculty
    vlan 20
     name Students
    exit
    !
    ! Add ports to the VLANs
    int fa0/6
     switchport mode access
     switchport access vlan 20
    int fa0/11
     switchport mode access
     switchport access vlan 20
    int fa0/18
     switchport mode access
     switchport access vlan 10
    exit

- Computers in the same VLAN must also be configured to be in the same subnet.

Some VLAN terminology
- Data VLAN (or user VLAN): can carry only user-generated traffic.
- Default VLAN (VLAN 1): all switch ports become a member of the default VLAN after the initial boot-up of the switch. Layer 2 control traffic, such as CDP and STP traffic, uses VLAN 1; this cannot be changed.
- Native VLAN: assigned to an 802.1Q trunk port. Default VLAN 1.
- Management VLAN: any VLAN you configure to access the management capabilities of a switch by assigning it an IP address.

Configuring a Management VLAN
- The Management VLAN is used to configure the switch remotely using Telnet or SSH.
- It is whichever VLAN is assigned an IP address.
- VLAN 1 is often used, but Cisco recommends using some other VLAN ID for security reasons.

    ! The name is set in VLAN configuration mode; the IP address on the SVI
    vlan 99
     name Management
    exit
    int vlan 99
     ip address 172.17.99.13 255.255.255.0
    exit
    !
    ip default-gateway 172.17.99.1

Types of VLAN
- Static VLAN: ports on a switch are manually assigned to a VLAN.
- Dynamic VLAN: requires a VLAN Membership Policy Server (VMPS), e.g. CiscoWorks. Ports are assigned to VLANs dynamically, based on the source MAC address of the device connected to the port.
- Voice VLAN: a port is configured to be in voice mode so that it can support an IP phone attached to it.

Connecting switch to switch (backbone)
(Diagram: two switches joined by a backbone link.)

VLAN Trunks
(Diagram: a VLAN trunk carrying all VLANs between switches.)

Trunking VLANs
A port is configured to be in one of two modes:
- Access mode
  - Belongs to only one VLAN.
  - Connects a user to the switch.
  - S(config-if)# switchport mode access
- Trunk mode
  - Connects to another switch or router.
  - Belongs to all VLANs.
  - All frames are sent across the trunk link (backbone) to other switches.
  - S(config-if)# switchport mode trunk

Using a Multilayer switch instead of a Router
(Diagram: a Layer 3 switch routing between the VLANs.)

Frame tagging
- Each frame is tagged with the VLAN ID as it moves between switches on the backbone.
- The VLAN tag is removed before the frame is forwarded to the destination device.

Trunking modes
Trunking mode defines how the port negotiates using DTP to set up a trunk link with its peer port.
- switchport mode trunk: the local port is unconditionally in trunking state.
- switchport mode dynamic auto: the local port ends up in trunking state only if the remote port trunk mode has been configured to be On or Desirable.
- switchport mode dynamic desirable: asks the remote switch port to go to the trunking state.

Trunking protocols
There are two trunking protocols:
- Inter-Switch Link (ISL)
  - Cisco proprietary, legacy trunking protocol.
  - switchport trunk encapsulation isl
- 802.1Q trunking protocol
  - IEEE standard.
  - The VLAN ID is added to the Ethernet frame header; this is called 802.1Q frame tagging.
  - switchport trunk encapsulation dot1q
- The latest Cisco switches only support 802.1Q.

Configuring a trunk

    interface f0/1
     switchport mode trunk
     switchport trunk native vlan 99
     switchport trunk allowed vlan add 10,20,30

Verify with:

    show interfaces fa0/1 switchport

Summary - VLANs
- Allow an administrator to logically group devices that act as their own network.
- Used to segment broadcast domains.
- Improve security.
- Types of traffic on a VLAN include: data, voice, network protocol, network management.
- Communication between VLANs requires a router.
- Trunks carry all VLAN traffic between switches.
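The frame-tagging and trunking slides above describe the behaviour only in prose. As an added example (not part of the Cisco course material), the Python model below shows a broadcast from an access port being confined to its VLAN, tagged with an 802.1Q header when it leaves on a trunk, sent untagged when it belongs to the trunk's native VLAN, and stripped of its tag before it reaches a host. The access ports and VLANs reuse the slide configuration (Fa0/6 and Fa0/11 in VLAN 20, Fa0/18 in VLAN 10, native VLAN 99); the Gig1/1 trunk, its allowed-VLAN list and the frame bytes are constructed assumptions.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q tag

def tag_frame(frame, vlan_id, pcp=0):
    """Insert a 4-byte 802.1Q tag (TPID + TCI) after the destination/source MACs."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be in 1..4094")
    tci = (pcp << 13) | vlan_id            # 3 priority bits, DEI clear, 12-bit VID
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]

def untag_frame(frame):
    """Return (vlan_id, untagged_frame); vlan_id is None if the frame carries no tag."""
    if len(frame) >= 16 and struct.unpack("!H", frame[12:14])[0] == TPID_8021Q:
        vid = struct.unpack("!H", frame[14:16])[0] & 0x0FFF
        return vid, frame[:12] + frame[16:]
    return None, frame

class Switch:
    """Toy Layer 2 switch: access ports belong to one VLAN, trunks carry tagged frames."""
    def __init__(self, access, trunks):
        self.access = access   # port name -> access VLAN
        self.trunks = trunks   # port name -> (native VLAN, set of allowed VLANs)

    def vlan_of(self, in_port, frame):
        if in_port in self.access:             # access port: VLAN comes from port config
            return self.access[in_port], frame
        native, allowed = self.trunks[in_port]
        vid, payload = untag_frame(frame)
        if vid is None:                        # untagged on a trunk = native VLAN
            vid = native
        return (vid if vid in allowed else None), payload

    def flood(self, in_port, frame):
        """Flood a broadcast out every other port in its VLAN; returns port -> frame."""
        vid, payload = self.vlan_of(in_port, frame)
        out = {}
        if vid is None:                        # VLAN not allowed on this trunk: drop
            return out
        for port, v in self.access.items():
            if port != in_port and v == vid:
                out[port] = payload            # tag removed before reaching the host
        for port, (native, allowed) in self.trunks.items():
            if port != in_port and vid in allowed:
                out[port] = payload if vid == native else tag_frame(payload, vid)
        return out

# Constructed sample frame: broadcast dst, made-up src MAC, IPv4 EtherType, dummy payload
SAMPLE_FRAME = bytes.fromhex("ffffffffffff02000000aa010800") + b"payload"
SWITCH = Switch(access={"Fa0/6": 20, "Fa0/11": 20, "Fa0/18": 10},
                trunks={"Gig1/1": (99, {10, 20, 30, 99})})   # trunk is an assumption

if __name__ == "__main__":
    for port, frame in SWITCH.flood("Fa0/6", SAMPLE_FRAME).items():
        print(port, frame.hex())
```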