CCNA Training – Virtual LANs

advertisement
Chapter 4
Virtual LANs
Version 1
Introduction
By default, switches forward broadcasts, this means that all
segments connected to a switch are in one broadcast domain.
Virtual LANs or VLANs are used to control broadcasts as well
as simplify network management:
 VLANs increase the number of broadcast domains while
decreasing their size.
 Network adds, moves and changes are achieved by configuring
ports into the appropriate VLAN.
 VLANs can enhance network security. A group of users needing
high security can be placed into a VLAN so that no users outside of
the VLAN can communicate with them.
VLAN Memberships
VLANs are created by an administrator, who assigns switch
ports to each VLAN, which is called a static VLAN. A dynamic
VLAN uses a database, created by an administrator, with all
the MAC addresses of all the host devices. This allows a host
to plug into a switch and be dynamically assigned to a VLAN
based on their MAC address.
Static VLANs
Static VLANs are the usual way of creating VLANs and the
most secure. The switch port you assign to a VLAN always
maintains the association until an administrator changes the
port assignment. This type of setup is easy to configure,
monitor and control. When you plug a host into a switch port
with static VLANs, the host must have the correct IP
configuration or else it will not be able to access the network.
Dynamic VLANs
A dynamic VLAN determines a host’s VLAN assignment
automatically using intelligent management software. When
you connect a host to an unassigned port, the VLAN
management database can look up the MAC address, assign
and configure the switch port to the correct VLAN. This setup
requires more work initially, but can be beneficial when a user
moves, because the switch will assign them to the correct
VLAN automatically. Administrators use the VLAN
Management Policy Server (VMPS) to create a database of
MAC addresses that are mapped to VLANs.
Identifying VLANs
Switches must be able to keep track of all the different types of
frames as they are switched throughout the network, as well as
understand what to do with the frames depending on the MAC
address. Frames are handled differently depending on the type of link
they are traversing. There are two types of links:
 Access links - only part of 1 VLAN and it’s referred to as the native
VLAN of the port. Any device attached to an access link is unaware of
VLAN membership. Switches remove any VLAN info from the frame
before it’s sent to an access-link device. Access-link devices can’t
communicate outside the VLAN unless the packet is routed.
 Trunk links - carries multiple VLANs (between 1 and 1005) across a
point-to-point link between 2 switches or a switch and server. If the
link between 2 switches is not trunked, then only VLAN1 info will be
switched across the link. All VLANs are configured on a trunked link.
Frame Tagging
When multiple VLANs are spanning multiple switches in the
network, there needs to be a way for each switch to keep track
of all the users and frames as they travel the switch fabric.
This is where frame tagging comes in. This frame
identification method uniquely assigns a user-defined ID to
each frame, sometimes referred to as a “VLAN ID” or “color”.
Each switch that the frame reaches must first identify the
VLAN ID from the frame tag, then it looks at the info in the
filter table to determine what to do with the frame. If the frame
reaches a switch that has another trunked link, the frame will
be forwarded out the trunk-link port. When the frame reaches
an access link, the VLAN identifier is removed, so the
destination device can receive the frame without
understanding their VLAN identification.
VLAN Identification Methods
There are two trunking methods that allow switches to
identify which frames belong to which VLANs – inter-switch
VLAN communication:
 Inter-Switch Link (ISL) – proprietary to Cisco switches and
used for Fast Ethernet and Gigabit Ethernet links only.
 IEEE 802.1Q – standard method for frame tagging, if you’re
trunking between a Cisco switch and another brand of switch,
you have to use 802.1Q for the trunk link to work. You must
designate each 802.1Q port to be associated with a specific
VLAN ID. The ports that populate the same trunk create a
group known as a native VLAN and each port gets tagged with
an ID number that reflects its native VLAN - default is VLAN 1.
ISL Protocol
ISL is a Cisco proprietary protocol that tags VLAN info onto
an Ethernet frame. This tagging info allows VLANs to be
multiplexed over a trunk link through an external
encapsulation method (ISL), which allows the switch to
identify the VLAN membership of a frame. ISL functions at
layer 2 by encapsulating a data frame with a 26 byte header, 4
byte frame check sequence (FCS) and a cyclic redundancy
check (CRC). Remember, the ISL header is proprietary and can
only be read by devices running ISL.
ISL VLAN info is only added to a frame if it is forwarded out
of a trunk link. Otherwise, the info is stripped when the frame
is forwarded out of a access link.
VTP
VLAN trunking protocol (VTP) was also created by Cisco, but it isn’t
proprietary. VTP manages all configured VLANs to maintain
consistency throughout the network. VTP allows an admin to add,
delete and rename VLANs and then propagates this info to all other
switches in the VTP domain.
VLAN benefits:
 Consistent VLAN configuration across all switches.
 Allows VLANs to be trunked over mixed networks (Ethernet, FDDI).
 Accurate tracking and monitoring of VLANs.
 Dynamic reporting of added VLANs to all switches in the VTP
domain.
 Plug-and-play VLAN adding.
VTP Operation
Before you can get VTP to manage your VLANs, you have to
create a VTP server. All VTP servers that need to share VLAN
info must use the same domain name and a switch can only be
in one domain at a time.
VTP info is sent between switches over a trunk port.
Switches advertise VTP management domain info,
configuration revision number and all known VLANs with any
specific parameters.
VTP Operation Modes
There are 3 different modes of operation within a VTP domain:
 Server – this is the default for all Catalyst switches. You need at
least 1 server in your VTP domain to propagate VLAN info. The
switch must be in server mode to create, delete or rename VLANs
and those changes will be advertised to the entire VTP domain.
 Client – in client mode, switches receive info from VTP servers,
they send and receive updates, but can’t make any changes. The
ports of a client switch can be added to a new VLAN before the VTP
server notifies the client switch of the new VLAN.
 Transparent – switches in transparent mode don’t participate in the
VTP domain, but they’ll still forward VTP advertisements through
trunk links. These switches don’t share info with other switches,
because their VLAN databases are locally significant only.
VTP Pruning
VTP pruning only sends broadcasts to trunk links that need
the information, which helps preserve bandwidth. By default,
VTP pruning is disabled. When you enable VTP pruning, it will
be set for the entire domain with VLANs 2-1005 being eligible.
VLAN 1 can never be pruned because it is an administrative
VLAN.
Here’s an example of how it works: If switch A doesn’t have
any ports configured for VLAN 5 and a broadcast is sent
throughout VLAN 5, the broadcast wouldn’t traverse the trunk
link to switch A.
Routing Between VLANs
Host can communicate within their own VLAN by default, but
in order for separate VLANs to communicate, a layer 3 device
is needed.
There are two different ways to configure a router with
VLANs. One way is to have a router configured with a VLAN
per (sub)interface, so there is an individual VLAN association
to the router. The other way is to have all VLANs use one
router interface, which Cisco calls “router on a stick”.
Router With Individual VLAN Associations
Router-on-a-stick
Exam Essentials
 Know when VLANs are used and why
 Understand the term “frame tagging”
 Understand the ISL VLAN identification method
 Understand the 802.1Q VLAN identification method
 Understand VTP operation
 Know the VTP operation mode
END Chapter 4
Virtual LANs
Download