Chapter 3. Cisco VLANs Implementation

Objectives
Key Terms
Introduction (3.0.1.1)
VLAN Segmentation (3.1)
VLAN Definitions (3.1.1.1)

VLANs allow an administrator to segment networks based on factors such as function, project team, or application, without regard for the physical location of the user or device. Devices within a VLAN act as if they are in their own independent network, even if they share a common infrastructure with other VLANs. 

Benefits of VLANs (3.1.1.2)

  • Security 
  • Cost reduction 
  • Better performance 
  • Shrink broadcast domains 
  • Improved IT staff efficiency 
  • Simpler project and application management

Types of VLANs (3.1.1.3)

Data VLAN: A data VLAN is sometimes referred to as a user VLAN. Data VLANs are used to separate the network into groups of users or devices.

Default VLAN: All switch ports become a part of the default VLAN after the initial boot up of a switch loading the default configuration. Switch ports that participate in the default VLAN are part of the same broadcast domain. The default VLAN for Cisco switches is VLAN 1.

Native VLAN: A native VLAN is assigned to an 802.1Q trunk port. Trunk ports are the links between switches that support the transmission of traffic associated with more than one VLAN. An 802.1Q trunk port supports traffic coming from many VLANs (tagged traffic), as well as traffic that does not come from a VLAN (untagged traffic).
Tagged traffic refers to traffic that has a 4-byte tag inserted within the original Ethernet frame header, specifying the VLAN to which the frame belongs. The 802.1Q trunk port places untagged traffic on the native VLAN, which by default is VLAN 1.
It is a best practice to configure the native VLAN as an unused VLAN, distinct from VLAN 1 and other VLANs. In fact, it is not unusual to dedicate a fixed VLAN to serve the role of the native VLAN for all trunk ports in the switched domain.

Management VLAN: A management VLAN is any VLAN configured to access the management capabilities of a switch. VLAN 1 is the management VLAN by default. To create the management VLAN, the switch virtual interface (SVI) of that VLAN is assigned an IP address and subnet mask, allowing the switch to be managed via HTTP, Telnet, SSH, or SNMP.
In the past, the management VLAN for a 2960 switch was the only active SVI. On 15.x versions of the Cisco IOS for Catalyst 2960 Series switches, it is possible to have more than one active SVI. With Cisco IOS 15.x, the particular active SVI assigned for remote management must be documented. While theoretically a switch can have more than one management VLAN, having more than one increases exposure to network attacks.

Voice VLANs (3.1.1.4)

A separate VLAN is needed to support Voice over IP (VoIP). VoIP traffic requires:

Assured bandwidth to ensure voice quality
Transmission priority over other types of network traffic
Ability to be routed around congested areas on the network
Delay of less than 150 ms across the network

VLANs in a Multiswitched Environment (3.1.2)

VLAN Trunks (3.1.2.1)

A trunk is a point-to-point link between two network devices that carries more than one VLAN. A VLAN trunk extends VLANs across an entire network. Cisco supports IEEE 802.1Q for coordinating trunks on Fast Ethernet, Gigabit Ethernet, and 10-Gigabit Ethernet interfaces.

VLANs would not be very useful without VLAN trunks. VLAN trunks allow all VLAN traffic to propagate between switches, so that devices which are in the same VLAN, but connected to different switches, can communicate without the intervention of a router.

A VLAN trunk does not belong to a specific VLAN; rather, it is a conduit for multiple VLANs between switches and routers. A trunk could also be used between a network device and server or other device that is equipped with an appropriate 802.1Q-capable NIC. By default, on a Cisco Catalyst switch, all VLANs are supported on a trunk port.
Controlling Broadcast Domains with VLANs (3.1.2.2)
Network Without VLANs: In normal operation, when a switch receives a broadcast frame on one of its ports, it forwards the frame out all other ports except the port where the broadcast was received.
Network with VLANs: When VLANs are implemented on a switch, the transmission of unicast, multicast, and broadcast traffic from a host in a particular VLAN is restricted to the devices that are in that VLAN.

Tagging Ethernet Frames for VLAN Identification (3.1.2.3)

Native VLANs and 802.1Q Tagging (3.1.2.4)

Tagged Frames on the Native VLAN
If an 802.1Q trunk port receives a tagged frame with the VLAN ID the same as the native VLAN, it drops the frame. Consequently, when configuring a switch port on a Cisco switch, configure devices so that they do not send tagged frames on the native VLAN.

Untagged Frames on the Native VLAN
When a Cisco switch trunk port receives untagged frames (which are unusual in a well-designed network), it forwards those frames to the native VLAN. If there are no devices associated with the native VLAN (which is not unusual) and there are no other trunk ports (which is not unusual), then the frame is dropped.

When configuring an 802.1Q trunk port, a default Port VLAN ID (PVID) is assigned the value of the native VLAN ID. All untagged traffic coming in or out of the 802.1Q port is forwarded based on the PVID value.
Voice VLAN Tagging (3.1.2.5)

An access port that is used to connect a Cisco IP phone can be configured to use two separate VLANs: one VLAN for voice traffic and another VLAN for data traffic from a device attached to the phone. The link between the switch and the IP phone acts as a trunk to carry both voice VLAN traffic and data VLAN traffic.

The Cisco IP Phone contains an integrated three-port 10/100 switch. The ports provide dedicated connections to these devices:

Port 1 connects to the switch or other VoIP device.

Port 2 is an internal 10/100 interface that carries the IP phone traffic.

Port 3 (access port) connects to a PC or other device.

On the switch, the access port is configured to send Cisco Discovery Protocol (CDP) packets that instruct an attached IP phone to send voice traffic to the switch in one of three ways, depending on the type of traffic:

In a voice VLAN tagged with a Layer 2 class of service (CoS) priority value.

In an access VLAN tagged with a Layer 2 CoS priority value.

In an access VLAN, untagged (no Layer 2 CoS priority value).

VLAN Implementations (3.2)
VLAN Ranges on Catalyst Switches (3.2.1.1)

Catalyst 2960 and 3560 Series switches support over 4,000 VLANs. Normal range VLANs on these switches are numbered 1 to 1,005 and extended range VLANs are numbered 1,006 to 4,094.

Normal Range VLANs

Used in small- and medium-sized business and enterprise networks.

Identified by a VLAN ID between 1 and 1005.

IDs 1002 through 1005 are reserved for Token Ring and FDDI VLANs.

IDs 1 and 1002 to 1005 are automatically created and cannot be removed.

Configurations are stored within a VLAN database file, called vlan.dat. The vlan.dat file is located in the flash memory of the switch.

The VLAN Trunking Protocol (VTP), which helps manage VLAN configurations between switches, can only learn and store normal range VLANs.

Extended Range VLANs

Enable service providers to extend their infrastructure to a greater number of customers. Some global enterprises could be large enough to need extended range VLAN IDs.

Are identified by a VLAN ID between 1006 and 4094.

Configurations are not written to the vlan.dat file.

Support fewer VLAN features than normal range VLANs.

Are, by default, saved in the running configuration file.

VTP does not learn extended range VLANs.

Creating a VLAN (3.2.1.2)

When configuring normal range VLANs, the configuration details are stored in flash memory on the switch in a file called vlan.dat.
Assigning Ports to VLANs (3.2.1.3)

After creating a VLAN, the next step is to assign ports to the VLAN. An access port can belong to only one VLAN at a time; one exception to this rule is that of a port connected to an IP phone, in which case, there are two VLANs associated with the port: one for voice and one for data.

The switchport mode access command is optional, but strongly recommended as a security best practice. With this command, the interface changes to permanent access mode.

Changing VLAN Port Membership (3.2.1.4)
Deleting VLANs (3.2.1.5)
Verifying VLAN Information (3.2.1.6)

VLAN Trunks (3.2.2)
Configuring IEEE 802.1Q Trunk Links (3.2.2.1)

To configure a switch port on one end of a trunk link, use the switchport mode trunk command. With this command, the interface changes to permanent trunking mode. The port enters into a Dynamic Trunking Protocol (DTP) negotiation to convert the link into a trunk link even if the interface connecting to it does not agree to the change.

A VLAN trunk is an OSI Layer 2 link between two switches that carries traffic for all VLANs (unless the allowed VLAN list is restricted manually or dynamically).

Always configure both ends of a trunk link with the same native VLAN. If 802.1Q trunk configuration is not the same on both ends, Cisco IOS Software reports errors.

By default all VLANs are allowed across a trunk link. The switchport trunk allowed vlan command can be used to limit the allowed VLANs.
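The requirements stated in 3.2.1.3 and 3.2.2.1 (permanent access or trunk mode rather than negotiation, the same native VLAN on both ends, a native VLAN other than VLAN 1 that no access port uses, and a restricted allowed list) can be checked mechanically from running-config. The Python below is an added example, not Cisco's code or the textbook's: it parses two constructed IOS-style configuration excerpts for the two ends of one trunk and lists what deviates. `switchport trunk native vlan` and `switchport nonegotiate` are real IOS commands that the notes above do not show, and treating `dynamic auto` as the default port mode is an assumption of this example.

```python
"""Consistency and hardening check for 802.1Q trunk configuration over IOS-style
running-config stanzas. Added example (not Cisco code); configs are constructed."""
from __future__ import annotations
import re

SWITCH_A_CONFIG = """\
interface GigabitEthernet0/1
 description trunk to SW-B
 switchport trunk native vlan 99
 switchport trunk allowed vlan 10,20,30,99
 switchport mode trunk
 switchport nonegotiate
!
interface FastEthernet0/6
 switchport access vlan 20
 switchport voice vlan 150
 switchport mode access
!
"""
# weak far end: native VLAN left at 1, DTP negotiation still on, allowed list differs
SWITCH_B_CONFIG = """\
interface GigabitEthernet0/1
 description trunk to SW-A
 switchport trunk allowed vlan 10,20,30
 switchport mode dynamic auto
!
"""
# corrected far end, matching SW-A on every trunk parameter
SWITCH_B_FIXED_CONFIG = """\
interface GigabitEthernet0/1
 description trunk to SW-A
 switchport trunk native vlan 99
 switchport trunk allowed vlan 10,20,30,99
 switchport mode trunk
 switchport nonegotiate
!
"""


def expand_vlan_list(spec: str) -> set[int] | None:
    """'10,20,30-32' -> {10, 20, 30, 31, 32}; 'all' -> None (every VLAN allowed)."""
    spec = spec.strip().lower()
    if spec == "all":
        return None
    vlans: set[int] = set()
    for part in spec.split(","):
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            vlans.update(range(lo, hi + 1))
        elif part:
            vlans.add(int(part))
    return vlans


def parse_interfaces(config: str) -> dict[str, dict]:
    """Collect each interface's switchport settings. Unset values fall back to the
    chapter's defaults (native VLAN 1, all VLANs allowed, default VLAN 1);
    'dynamic auto' as the default mode is an assumption of this example."""
    interfaces: dict[str, dict] = {}
    current: dict | None = None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = {"mode": "dynamic auto", "native": 1, "allowed": None,
                       "access_vlan": 1, "voice_vlan": None, "nonegotiate": False}
            interfaces[line.split(None, 1)[1].strip()] = current
            continue
        if not line.startswith(" ") or current is None:
            current = None          # '!' or a global command ends the stanza
            continue
        cmd = line.strip()
        for key, pattern, conv in (
            ("mode", r"switchport mode (trunk|access|dynamic auto|dynamic desirable)", str),
            ("native", r"switchport trunk native vlan (\d+)", int),
            ("allowed", r"switchport trunk allowed vlan ([\d,\-]+|all)", expand_vlan_list),
            ("access_vlan", r"switchport access vlan (\d+)", int),
            ("voice_vlan", r"switchport voice vlan (\d+)", int),
        ):
            m = re.fullmatch(pattern, cmd)
            if m:
                current[key] = conv(m.group(1))
                break
        else:
            if cmd == "switchport nonegotiate":
                current["nonegotiate"] = True
    return interfaces


def check_trunk(a: dict, b: dict, a_name: str = "A", b_name: str = "B") -> list[str]:
    """Findings for one trunk link; a and b come from parse_interfaces()."""
    findings: list[str] = []
    for name, side in ((a_name, a), (b_name, b)):
        if side["mode"] != "trunk":
            findings.append(f"{name}: mode '{side['mode']}' leaves the trunk to DTP; use switchport mode trunk")
        if not side["nonegotiate"]:
            findings.append(f"{name}: DTP frames still sent; add switchport nonegotiate")
        if side["native"] == 1:
            findings.append(f"{name}: native VLAN is the default VLAN 1; use a dedicated unused VLAN")
        if side["allowed"] is None:
            findings.append(f"{name}: every VLAN allowed; restrict with switchport trunk allowed vlan")
    if a["native"] != b["native"]:
        findings.append(f"native VLAN mismatch: {a_name}={a['native']}, {b_name}={b['native']}")
    if a["allowed"] != b["allowed"]:
        findings.append("allowed VLAN list differs between the two ends")
    return findings


def native_vlan_users(interfaces: dict[str, dict], native: int) -> list[str]:
    """Access ports whose data or voice VLAN equals the trunk's native VLAN;
    the chapter wants that VLAN unused, so this list should be empty."""
    return [name for name, i in interfaces.items()
            if i["mode"] == "access" and native in (i["access_vlan"], i["voice_vlan"])]
```

Comparing `SWITCH_A_CONFIG` against `SWITCH_B_CONFIG` reports the native VLAN mismatch the chapter says IOS will complain about, plus the VLAN 1 native, the negotiated mode and the differing allowed list on SW-B; against `SWITCH_B_FIXED_CONFIG` it reports nothing.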

Resetting the Trunk to Default State (3.2.2.2)
Verifying Trunk Configuration (3.2.2.3)

The configuration is verified with the show interfaces interface-ID switchport command.
Dynamic Trunking Protocol (3.2.3)

Ethernet trunk interfaces support different trunking modes. An interface can be set to trunking or nontrunking, or to negotiate trunking with the neighbor interface. Trunk negotiation is managed by the Dynamic Trunking Protocol (DTP), which operates on a point-to-point basis only, between network devices.
Introduction to DTP (3.2.3.1)
Negotiated Interface Modes (3.2.3.2)
Troubleshoot VLANs and Trunks (3.2.4)
IP Addressing Issues with VLAN (3.2.4.1)
Missing VLANs (3.2.4.2)
Introduction to Troubleshooting Trunks (3.2.4.3)
Common Problems with Trunks (3.2.4.4)
Trunk Mode Mismatches (3.2.4.5)
Incorrect VLAN List (3.2.4.6)
VLAN Security and Design (3.3)
Switch Spoofing Attack (3.3.1.1)
Double-Tagging Attack (3.3.1.2)
PVLAN Edge (3.3.1.3)
Design Best Practices for VLANs (3.3.2)
VLAN Design Guidelines (3.3.2.1)
Summary (3.4)
Practice
Class Activities
Labs
Packet Tracer Activities
Check Your Understanding Questions