
VLAN NETWORKS

Virtual Local Area Networks (VLANs) are one of the more recent additions to switched networking and
have only lately gained wide recognition. The continuous growth of Local Area Networks (LANs) and the
need to contain the cost of switching equipment, without sacrificing network performance or security,
created the conditions for VLANs to spread into most modern networks.

This article covers VLAN theory extensively using modern and easy-to-understand examples
accompanied by detailed diagrams. VLAN design, Access and Trunk Links, VLAN Tagging (ISL, 802.1q,
LANE, IEEE 802.10), InterSwitch Link (ISL), InterVLAN Routing, the VLAN Trunking Protocol (VTP) and
VTP Pruning are just a few of the topics covered over the following pages.

The truth is that VLANs are not as simple as most people perceive them to be. They cover enough
material to be a study in themselves, as they involve a mixture of protocols, rules and guidelines that a
network administrator should be well aware of. Unfortunately, most documentation provided by vendors
and other sites is inadequate or very shallow: it touches lightly on the topic and fails to give the reader a
good understanding of how VLANs really work and what can be done when implementing them.

Like most topics covered on our site, VLANs have been broken down into a number of pages, each one
focusing on specific areas to help the reader build up their knowledge as preparation for designing and
building their own VLAN network.

Since VLANs are a topic that requires strong background knowledge in certain areas, and involve a lot
of information at the technical and protocol level, we believe the reader should be familiar and
comfortable with the following concepts:

- Switches and hubs
- Broadcast and collision domains
- Internet Protocol (IP)
- IP routing

As we cover all the theory behind VLANs and how they are implemented within various network
topologies, we will finally demonstrate the configuration of a Cisco powered network utilizing VLANs!

Protocols such as Spanning Tree Protocol (STP) are essential when implementing VLANs within a mid to
large sized network, so we will briefly touch upon the topic, without thoroughly analyzing it in great detail
because STP will be covered as a separate topic.

So What's Covered?

Before we begin our journey into the VLAN world, let's take a look at what we will be covering:

Section 1: The VLAN Concept. This page explains what a VLAN is and how it differs from a normal
switched environment. Be sure to find our well known diagrams along with illustrations to help cover your
questions. In short, it’s a great introductory page for the topic.

Section 2: Designing VLANs. (Subcategory)


Section 2.1: Designing VLANs - A Comparison with Old Networks. This subsection will give you an
insight to the different VLAN implementations: Static and Dynamic VLANs. The subsection begins with an
introduction page to help you 'see' the actual difference in the network infrastructure between the old
boring networks and VLAN powered networks. This way, you will be able to appreciate the technology
much better!

Section 2.2: Designing VLANs - Static VLANs. Definitely the most widespread VLAN implementation.
The popular Static VLANs are analysed here. We won't be covering any configuration commands, as this
page serves as an introduction to this VLAN implementation. As always, 3D diagrams and examples are
included to help you understand and process the information.

Section 2.3: Designing VLANs - Dynamic VLANs. Dynamic VLANs are less common to most networks
but offer substantial advantages over Static VLANs for certain requirements. Again, this page serves as
an introduction to the specific VLAN implementation.

Section 3: VLAN Links: Access Links & Trunk Links. Access links are used to connect hosts, while
Trunk links connect to the network backbone. Learn how Access & Trunk links operate, the logic which
dictates the type of link and interface used and much more.

Section 4: VLAN Tagging - ISL, 802.1q, LANE and IEEE 802.10. To tag or not to tag! Understand the
VLAN tagging process and find out the different tagging methods available, which are the most popular
and how they differentiate from each other. Neat diagrams and examples are included to ensure no
questions are left unanswered!

Section 5: Analyzing Popular Tagging Protocols.

Section 5.1: InterSwitch Link Analysis (ISL): Analysis of Cisco's proprietary ISL protocol. We take a
look at how it is implemented and all available fields it contains.

Section 5.2: IEEE 802.1q Analysis: IEEE's 802.1q protocol is the most widely deployed trunking protocol.
Again, we take a look at its implementation with an analysis of all its fields.

Section 6: InterVLAN Routing. A very popular topic, routing between VLANs is very important as it
allows VLANs to communicate. We'll examine all possible InterVLAN routing methods and analyse each
one's advantages and disadvantages. Needless to say, our cool diagrams also make their appearance
here!

Section 7: VLAN Trunking Protocol (VTP) (Subcategory)

Section 7.1: Introduction to The VTP Protocol. The introductory page deals with understanding the VTP
concept: why it's required and what its advantages are.

Section 7.2: In-Depth Analysis of VTP. Diving deeper, this page will analyse the VTP protocol structure.
It includes 3d diagrams explaining each VTP message usage and much more.

Section 7.3: VLAN Trunking Protocol Pruning (VTP Pruning). VTP Pruning is an essential service in
any large network to avoid needless broadcast flooding over trunk links. This page explains what VTP
Pruning does and how it works through worked examples. The diagrams used here have been given
extra special attention!

Section 8: VLAN Security: This article covers VLAN Security best practices. Originally written for the
U.S FedTech Magazine, it tackles a lot of important issues regarding VLAN Security.
THE VLAN CONCEPT - INTRODUCTION TO VLANS
WRITTEN BY ADMINISTRATOR. POSTED IN VLAN NETWORKS

We hear about them everywhere, vendors around the world are constantly trying to push them into every
type of network and as a result, the Local Area Network (LAN) we once knew starts to take a different
shape. And yet, for some of us, the concept of what VLANs are and how they work might still be a bit
blurry.

To help start clearing things up we will define the VLAN concept not only through words, but through the
use of our cool diagrams and at the same time, compare VLANs to our standard flat switched network.

We will start by taking a quick look at a normal switched network, pointing out its main characteristics and
then move on to VLANs.

THE TRADITIONAL SWITCHED NETWORK


Almost every network today has a switch interconnecting all network nodes, providing a fast and reliable
way for the nodes to communicate. Switches today are what hubs were a while back - the most common
and necessary equipment in our network, and there is certainly no doubt about that.

While a single flat switched network might be adequate for small networks, it proves inadequate for mid
to large sized networks, where things are not as simple as plugging a switch into the power outlet and
hanging a few PCs off it!

For those of you who have already read our "switches and bridges" section, you will be well aware that
switches are layer 2 devices which create a flat network:

The above network diagram illustrates a switch with 3 workstations connected. These workstations are
able to communicate with each other and are part of the same broadcast domain, meaning that if one
workstation sends a broadcast, the rest receive it.
In a small network a few broadcasts are not much of a problem, but as the size of the network
increases, so does the number of broadcasts, up to the point where they become a real problem,
flooding the network with traffic that most hosts simply discard and consuming valuable bandwidth.

To visually understand the problem, but also the idea of a large flat network, observe the diagram below:

The problem becomes evident as we populate the network with more switches and workstations. Every
host generates broadcasts as part of normal operation (ARP requests, DHCP discovery, name-service
announcements and similar), and in a flat network every one of those broadcasts is delivered to every
other host, which is something we certainly want to limit.

Another major concern is security. In the above network, all users are able to see all devices. In a much
larger network containing critical file servers, databases and other confidential information, this means
everyone has direct layer 2 reachability to these servers, with no point in the network at which access
can be controlled, and the servers are naturally more exposed to attack.

To protect such systems you would need to restrict access at the network level, either by physically
segmenting the existing network or by placing a firewall in front of each critical system, but the cost and
complexity would make most administrators think twice. Thankfully there is a solution: simply keep
reading.

INTRODUCING VLANS
Welcome to the wonderful world of VLANs!

All the above problems, and a lot more, can be forgotten with the creation of VLANs...well, to some extent
at least.

As most of you are already aware, in order to create (and work with) VLANs, you need a layer 2 switch
that supports them. A lot of people new to networking bring the misconception that it's a matter of simply
installing additional software on the clients or the switch in order to 'enable' VLANs throughout the
network. This is incorrect!

VLAN membership and tagging are handled by the switch's own forwarding hardware and firmware, not
by the connected hosts, so the switch must support VLANs at the time of purchase, otherwise you will
not be able to create VLANs on it.
Each VLAN created on a switch is a separate network: a separate broadcast domain is created for each
VLAN that exists. Broadcasts are, by default, never forwarded to ports that are not members of the same
VLAN, and this is why VLANs are so common in today's large networks: they isolate network segments
from each other.

To help create the visual picture on how VLANs differentiate from switches, consider the following
diagram:

What we have here is a small network with 6 workstations attached to a VLAN capable switch. The switch
has been programmed with 2 VLANs, VLAN1 and VLAN2 respectively, and 3 workstations have been
assigned to each VLAN.

VLAN Configuration for Cisco Layer 3 switches is covered at the following article: Basic & Advanced
Catalyst Layer 3 Switch Configuration: Creating VLANs, InterVLAN Routing (SVI), VLAN Security – VLAN
Hopping, VTP Configuration, Trunk Links, NTP. IOS License Requirements for SVI Routing.

VLANS = SEPARATE BROADCAST DOMAINS


With the creation of our VLANs, we have also created 2 broadcast domains. This means that if any
workstation in either VLAN sends a broadcast, it will propagate only out of the ports which belong to the
same VLAN as the workstation that generated it:
This is clearly illustrated in the diagram above, where Workstation 1, belonging to VLAN1, sends a
network broadcast (destination MAC FF:FF:FF:FF:FF:FF). The switch receives this broadcast and
forwards it to Workstations 2 and 3, just as would happen if these three workstations were connected to
a normal switch, while the workstations belonging to VLAN2 are totally unaware of the broadcast sent in
VLAN1, as they do not receive any frames flowing in that network.

To help clear any questions or doubts on how the above setup works, the diagram below shows the
logical equivalent setup of our example network:
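To make the "separate broadcast domains" behaviour concrete, here is a small VLAN-aware switch model. It is an added example, not code from the original article: it implements only what the text describes (one VLAN per access port, a MAC table kept per VLAN, and flooding confined to the sender's VLAN), and the port numbers, MAC addresses and frames are constructed for the demonstration.

```python
"""Minimal VLAN-aware switch model (added example, not code from the article).

It implements only what the text describes: every access port belongs to one
VLAN, the switch learns source MACs per VLAN, and a broadcast or unknown
unicast is flooded to the ports of the sender's VLAN only. Port numbers, MAC
addresses and frames are constructed for the demonstration.
"""
from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Frame:
    dst: str          # destination MAC
    src: str          # source MAC
    payload: bytes = b""


@dataclass
class VlanSwitch:
    port_vlan: dict                                 # access port -> VLAN ID
    mac_table: dict = field(default_factory=dict)   # (VLAN, MAC) -> port

    def forward(self, ingress: int, frame: Frame) -> list:
        """Return the sorted list of egress ports for a frame arriving on `ingress`."""
        vlan = self.port_vlan[ingress]
        # The MAC table is keyed by VLAN: the same address seen in another
        # VLAN is a different, unrelated entry.
        self.mac_table[(vlan, frame.src)] = ingress
        if frame.dst != BROADCAST:
            known = self.mac_table.get((vlan, frame.dst))
            if known is not None:
                return [] if known == ingress else [known]
        # Broadcast or unknown unicast: flood, but never leave the VLAN.
        return sorted(p for p, v in self.port_vlan.items()
                      if v == vlan and p != ingress)


def run_example() -> tuple:
    """Six workstations on one switch: ports 1-3 in VLAN 1, ports 4-6 in VLAN 2."""
    sw = VlanSwitch(port_vlan={1: 1, 2: 1, 3: 1, 4: 2, 5: 2, 6: 2})
    ws = {n: f"00:00:5e:00:53:0{n}" for n in range(1, 7)}   # constructed MACs

    # Workstation 1 broadcasts: only ports 2 and 3 (VLAN 1) receive it.
    flooded = sw.forward(1, Frame(dst=BROADCAST, src=ws[1]))
    # Workstation 2 answers: the learned entry delivers it to port 1 only.
    reply = sw.forward(2, Frame(dst=ws[1], src=ws[2]))
    # Workstation 4 (VLAN 2) addresses Workstation 1's MAC: the address is
    # unknown inside VLAN 2, so the frame floods ports 5 and 6 and never
    # reaches port 1.
    cross = sw.forward(4, Frame(dst=ws[1], src=ws[4]))
    return flooded, reply, cross


if __name__ == "__main__":
    print(run_example())   # ([2, 3], [1], [5, 6])
```

The third case is the one worth noticing: even when a host in VLAN 2 knows the MAC address of a host in VLAN 1, the switch has no entry for it in VLAN 2 and floods only within VLAN 2, so the frame never crosses over. Reaching the other VLAN requires a layer 3 device, which is the subject of the InterVLAN routing section.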

By this stage, you should begin to see the clear advantages offered by VLANs. Broadcast traffic and
equipment cost are reduced and segmentation improves as hosts are added and the number of VLANs
is increased. Keep in mind that the isolation is only as strong as the switch configuration that enforces
it: the trunk, native VLAN and inter-VLAN routing settings covered later decide whether two VLANs really
stay apart.

VLANS HELP REDUCE THE COST

To briefly touch upon the financial side of things, let's take an example to see exactly how we save
money by using VLANs.
Consider that you're the network administrator for a large company and have been asked to split the
existing network infrastructure into 12 separate networks that must not be able to communicate with
each other. With ordinary switches and the cabling already in place, you would have to group the ports
of each new network onto its own physical switch, so for 12 networks a total of 12 switches would be
required.

By using VLANs, the above task would be possible with one or more VLAN capable switches that will
cover the number of hosts we need to connect to them, and the cost would surely be a lot less than that
compared to 12 switches.

During the implementation of the above task, you would connect all workstations to the switch and then
assign the appropriate workstations/nodes to their respective VLAN, creating a total of 12 VLANs. It is
worth noting that even entry level VLAN switches of the time, e.g. the Cisco Catalyst 2900 XL series, are
capable of handling up to 64 VLANs, so if we were to use these switches we would still have plenty of
room to create more. The figures in the table below are as quoted for the switch software of the time;
later Catalyst platforms support far more, up to the 4094 usable 802.1q VLAN IDs.

Switch Model                                               Maximum VLANs Supported   VLAN Trunking Supported
Catalyst 2912 XL, Catalyst 2924 XL & Catalyst 2924C XL     64                        yes
Catalyst 2900 LRE XL                                       250                       yes
Catalyst 2912M and Catalyst 2924M modular                  250                       yes
Catalyst 3500 XL, 3550, 3560, 3750, 4500, 6500             250                       yes

There are a lot more examples one can use to show how these new generation switches are able to solve
complex network designs, security issues and at the same time, keep the budget low. Lastly, the best
example is one that is able to solve your own requirements, so take a minute to think about it and you will
surely agree.

SUMMARY
This page introduced the concept of VLANs and indicated the differences existing between them and
normal switched networks. We also briefly examined their efficiency in terms of cost, security and
implementation.

The information here serves as an introduction to the VLAN technology and we will now start diving
deeper into the topic, analysing it in greater detail. Having said that, our next page deals with the design
of VLANs, showing different logical and physical configurations of VLANs within networks. So, make
yourself comfortable and let's continue because there is still so much to cover!

VLANS - ACCESS & TRUNK LINKS



If you've read our previous article The VLAN Concept - Introduction to VLANs then you should feel
comfortable with terms such as 'VLAN', 'Static & Dynamic VLANs', however this is just the beginning in
this complex world. This article will start to slowly expand on these terms to help understand how VLANs
are implemented inside an enterprise network.

To begin with, we will take a closer look at the port interfaces on these smart switches and then start
moving towards the interfaces connecting to the network backbone where things become slightly more
complicated, though do not be alarmed since our detailed and easy to read diagrams are here to ensure
the learning process is as enjoyable as possible.
VLAN LINKS - INTERFACES
Inside the world of VLANs there are two types of interfaces or, if you like, links. These links allow us to
connect multiple switches together, or simple network devices such as a PC, that will access the VLAN
network. Depending on their configuration, they are called Access Links or Trunk Links.

VLAN Configuration, InterVLAN routing,Trunk Link configuration for Cisco Layer 3 switches (3550, 3560
series, 3750 series, 4500 series and 6500 series switches) is covered extensively at the following
article: Basic & Advanced Catalyst Layer 3 Switch Configuration: Creating VLANs, InterVLAN Routing
(SVI), VLAN Security – VLAN Hopping, VTP Configuration, Trunk Links, NTP. IOS License Requirements
for SVI Routing.

ACCESS LINKS

Access Links are the most common type of links on any VLAN switch. All network hosts connect to the
switch's Access Links in order to gain access to the local network. These links are your ordinary ports
found on every switch, but configured in a special way, so you are able to plug a computer into them and
access your network.

Here's a picture of a Cisco Catalyst 3550 series switch, with its Access Links (ports) marked in the Green
circle:

We must note that the 'Access Link' term describes a configured port: this means that the ports above
can equally be configured as the second type of VLAN link, the Trunk Link. What we are showing is what
is usually configured as an Access Link port on most switches. Depending on your needs, you might
need to configure the first port (top left corner) as a Trunk Link, in which case it is obviously no longer
called an Access Link port, but a Trunk Link!

When configuring ports on a switch to act as Access Links, we usually configure only one VLAN per port,
that is, the VLAN our device will be allowed to access. If you recall the diagram below which was also
present during the introduction of the VLAN concept, you'll see that each PC is assigned to a specific
port:
In this case, each of the 6 ports used have been configured for a specific VLAN. Ports 1, 2 and 3 have
been assigned to VLAN 1 while ports 4, 5 and 6 to VLAN 2.

In the above diagram, this translates to allowing only VLAN 1 traffic in and out of ports 1, 2 and 3, while
ports 4, 5 and 6 will carry VLAN 2 traffic. As you would remember, these two VLANs do not exchange any
traffic between each other, unless we are using a layer 3 switch (or router) and we have explicitly
configured the switch to route traffic between the two VLANs.

It is equally important to note that any device connected to an Access Link (port) is totally unaware of the
VLAN assigned to the port. The device simply assumes it is part of a single broadcast domain, just as
with any normal switch. Frames leave an access port untagged, so the recipient sees no VLAN
information, and frames from other VLANs are never sent out of the port at all.

The following diagram illustrates this to help you get the picture:
As shown, all frames entering or exiting the port are standard Ethernet II frames which are understood
by the network device connected to the port. There is nothing special about these frames, other than the
fact that they belong only to the VLAN the port is configured for.

If, for example, we configured the port shown above for VLAN 1, then any packets entering/exiting this
port would be for that VLAN only. In addition, if we decided to use a logical network such as 192.168.0.0
with a default subnet mask of 255.255.255.0 (/24), then all network devices connecting to ports assigned
to VLAN 1 must be configured with the appropriate network address so they may communicate with all
other hosts in the same VLAN.

TRUNK LINKS
What we've seen so far is a switch port configured to carry only one VLAN, that is, an Access Link port.
There is, however, one more type of port configuration, which we mentioned in the introductory section
of this page: the Trunk Link.

A Trunk Link, or 'Trunk', is a port configured to carry frames for more than one VLAN (by default every
VLAN defined on the switch, although the set can be restricted). These ports are usually found in
connections between switches, which must carry frames from all the VLANs in use because VLANs span
multiple switches. Each frame on a trunk carries a tag identifying its VLAN, which is covered on the next
page.

The diagram below shows multiple switches connected throughout a network and the Trunk Links are
marked in purple colour to help you identify them:
As you can see in our diagram, our switches connect to the network backbone via the Trunk Links. This
allows all VLANs created in our network to propagate throughout the whole network. Now in the unlikely
event of Trunk Link failure on one of our switches, the devices connected to that switch's ports would be
isolated from the rest of the network, allowing only ports on that switch, belonging to the same VLAN, to
communicate with each other.

So now that we have an idea of what Trunk Links are and their purpose, let's take a look at an actual
switch to identify a possible Trunk Link:

As we noted with the explanation of Access Link ports, the term 'Trunk Link' describes a configured port.
In this case, the Gigabit ports are usually configured as Trunk Links, connecting the switch to the network
backbone at 1 Gigabit, while the Access Link ports connect at 100Mbit.

In addition, note that on the Cisco platforms of the time a port had to run at 100Mbit or greater to operate
as a Trunk Link: a 10Mbit port cannot carry an ISL trunk, because ISL is only defined for Fast and
Gigabit Ethernet. IEEE 802.1q imposes no such speed restriction, but the rule fits the purpose of a trunk,
which connects to the network backbone and therefore should run faster than most Access Links.

SUMMARY

This page introduced the Access and Trunk links. We will be seeing a lot of both links from now on, so it's
best you get comfortable with them! Configuration of these links is covered later on, because there is still
quite a bit of theory to cover!

VLAN TAGGING - UNDERSTANDING VLAN ETHERNET FRAMES


We mentioned that Trunk Links are designed to pass frames from all VLANs, allowing us to connect
multiple switches together and independently configure each port for a specific VLAN. However, we
haven't explained how these frames run through the Trunk Links and the network backbone and find
their way to the destination port without getting mixed up or lost among the rest of the frames flowing
through the trunks.

This process belongs to the world of VLAN Tagging!

VLAN TAGGING

VLAN Tagging, also known as Frame Tagging, is the method used to identify the VLAN a frame belongs
to as it travels across a trunk link; Cisco's proprietary ISL and the IEEE 802.1q standard are the two
implementations covered below. When an Ethernet frame is sent over a trunk link, a VLAN tag identifying
its VLAN is added to the frame.

As the frame arrives at the far end of the trunk link the tag is read to identify the VLAN and then
removed, and the frame is sent out of the correct access link port according to the switch's MAC table,
so the receiving host is unaware of any VLAN information.

The diagram below illustrates the process described above:


Here we see two 3500 series Catalyst switches and one Cisco 3745 router connected via the Trunk
Links. The Trunk Links allow frames from all VLANs to travel throughout the network backbone and reach
their destination regardless of the VLAN the frame belongs to. On the other side, the workstations are
connected directly to Access Links (ports configured for one VLAN membership only), gaining access to
the resources required by VLAN's members.

Again, when we call a port an 'Access Link' or 'Trunk Link', we are describing the way it has been
configured, because a port can be configured as either an Access Link or a Trunk Link (with the speed
restriction noted earlier for ISL).

This is stressed because a lot of people think it's the other way around, that is, that a switch's uplink is
always a Trunk Link and any normal port where you would usually connect a workstation is an Access
Link port!


VLAN TAGGING PROTOCOL


We're now familiar with the term 'Trunk Link' and its purpose, that is, to allow frames from multiple VLANs
to run across the network backbone, finding their way to their destination. What you might not have
known though is that there is more than one method to 'tag' these frames as they run through the Trunk
Links or ... the VLAN Highway as we like to call it.

INTERSWITCH LINK (ISL)

ISL is a Cisco proprietary protocol used on Fast Ethernet and Gigabit Ethernet links only. The protocol
can be used on various devices such as switch ports, router interfaces and server network cards, for
example to create a trunk to a server. You'll find more information on VLAN implementations on the last
page of the VLAN topic.

Being a proprietary protocol, ISL is naturally available and supported on Cisco products only. You may
also be interested to know that ISL is what we call an 'external tagging' process. This means the protocol
does not alter the Ethernet frame by placing a VLAN tag inside it, as shown in our previous diagram, but
instead encapsulates the whole Ethernet frame with a new 26 byte ISL header and adds an additional 4
byte frame check sequence (FCS) at the end, as illustrated below:

Despite this extra overhead, ISL is capable of supporting up to 1000 VLANs and in practice introduces
no noticeable delay in data transfers across Trunk Links.

In the above diagram we can see an ISL frame encapsulating an Ethernet II frame. This is the actual
frame that runs through a trunk link between two Cisco devices when configured to use ISL as their trunk
tagging protocol.

The encapsulation method mentioned above is also the reason why only ISL-aware devices are able to
read these frames, and because of the added ISL header and FCS field, the frame can end up being
1548 bytes long. For those who can't remember, Ethernet's maximum frame size is 1518 bytes, so a
1548 byte ISL frame is what is called a 'baby giant': slightly over the Ethernet maximum, but far smaller
than a true jumbo frame of around 9000 bytes. Every device on the trunk must accept these oversized
frames.

Lastly, ISL trunks run Cisco's Per VLAN Spanning Tree (PVST), one instance of the Spanning Tree
Protocol (STP) per VLAN. This allows us to optimise root switch placement for each VLAN while
supporting features such as VLAN load balancing between multiple trunks.

Since the ISL's header fields are covered on a separate page, we won't provide further details here.
IEEE 802.1Q
The 802.1q standard was created by the IEEE to address the problem of breaking large networks into
smaller, manageable ones through the use of VLANs. The 802.1q standard is of course an alternative to
Cisco's ISL, and one that all vendors implement on their network equipment to ensure compatibility and
seamless integration with existing network infrastructure.

Being an open standard, IEEE 802.1q tagging is by far the most popular and commonly used method,
even in Cisco-only installations, mainly for compatibility with other equipment and for future upgrades
that might involve different vendors.

In addition to compatibility, there are several more reasons for which most engineers prefer this method
of tagging. These include:

- Support for up to 4094 VLANs (the 12-bit VLAN ID field gives 4096 values, of which 0 and 4095 are reserved)
- Insertion of a 4-byte VLAN tag with no encapsulation
- Smaller final frame sizes when compared with ISL

Amazingly enough, the 802.1q tagging method supports 4094 usable VLANs (as opposed to the 1000
VLANs ISL supports), a large amount indeed which is nearly impossible to exhaust in a local area
network.

The 4-byte tag we mentioned is inserted within the existing Ethernet frame, right after the Source MAC
Address, as illustrated in the diagram below. The first 2 bytes carry the Tag Protocol Identifier (TPID,
value 0x8100) and the remaining 2 bytes carry 3 priority bits, a drop eligible indicator (originally the CFI
bit) and the 12-bit VLAN ID:

Because of the extra 4-byte tag, the minimum Ethernet II frame size increases from 64 bytes to 68 bytes,
while the maximum Ethernet II frame size becomes 1522 bytes. If you require more information on the
tag's fields, visit our protocol page where further details are given.
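The tag insertion described above, as an added example that is not code from the original article. It builds the 4-byte tag (TPID followed by priority, DEI and VLAN ID), inserts it after the source MAC, parses it back, strips it as an access port would, and reproduces the 64/68 and 1518/1522 byte figures from the text. It goes a little beyond the paragraph in two ways a practitioner will want: it handles the untagged native VLAN on a trunk, and it reads stacked tags (an 802.1ad 0x88A8 outer tag or a second 0x8100 tag) so that a double-tagged frame is reported as such. Frames are byte strings built without the FCS, which wire_size() adds back; the MAC addresses, VLAN IDs and the native VLAN mismatch scenario are constructed for the demonstration.

```python
"""802.1Q tag handling (added example, not code from the original article).

Implements the tag the text describes: 4 bytes inserted after the source MAC,
a 16-bit TPID (0x8100) followed by a 16-bit TCI holding 3 bits of priority,
1 DEI bit and a 12-bit VLAN ID. Frames are byte strings built without the
4-byte FCS, which wire_size() adds back. MAC addresses and VLAN IDs are
constructed for the demonstration.
"""
import struct

TPID_8021Q = 0x8100    # customer VLAN tag
TPID_8021AD = 0x88A8   # service tag (outer tag of an 802.1ad "QinQ" frame)
FCS_LEN = 4


def mac(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))


def build_frame(dst: str, src: str, ethertype: int, payload: bytes) -> bytes:
    """Untagged Ethernet II frame: DA, SA, EtherType, payload (no FCS)."""
    return mac(dst) + mac(src) + struct.pack("!H", ethertype) + payload


def wire_size(frame: bytes) -> int:
    """Size as counted on the wire (FCS included, preamble excluded)."""
    return len(frame) + FCS_LEN


def add_tag(frame: bytes, vid: int, pcp: int = 0, dei: int = 0,
            tpid: int = TPID_8021Q) -> bytes:
    """Insert a 4-byte tag between the source MAC and the EtherType."""
    if not 1 <= vid <= 4094:      # 0 and 4095 are reserved: 4094 usable IDs
        raise ValueError("VLAN ID must be 1..4094")
    if not 0 <= pcp <= 7 or dei not in (0, 1):
        raise ValueError("PCP is 3 bits, DEI is 1 bit")
    tci = (pcp << 13) | (dei << 12) | vid
    return frame[:12] + struct.pack("!HH", tpid, tci) + frame[12:]


def parse(frame: bytes) -> dict:
    """Return all stacked tags (outermost first), the real EtherType and payload."""
    tags, offset = [], 12
    while True:
        (etype,) = struct.unpack_from("!H", frame, offset)
        if etype not in (TPID_8021Q, TPID_8021AD):
            break
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        tags.append({"tpid": etype, "pcp": tci >> 13,
                     "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF})
        offset += 4
    return {"tags": tags, "ethertype": etype, "payload": frame[offset + 2:]}


def strip_tag(frame: bytes) -> bytes:
    """Remove the outermost tag (what an access port does before egress)."""
    if parse(frame)["tags"]:
        return frame[:12] + frame[16:]
    return frame


def trunk_egress(frame: bytes, vid: int, native_vlan: int) -> bytes:
    """Frames of the native VLAN leave a trunk untagged; all others get a tag."""
    return frame if vid == native_vlan else add_tag(frame, vid)


def trunk_ingress(frame: bytes, native_vlan: int) -> tuple:
    """Classify a frame received on a trunk: (VLAN ID, frame with outer tag removed)."""
    tags = parse(frame)["tags"]
    if tags:
        return tags[0]["vid"], strip_tag(frame)
    return native_vlan, frame        # untagged frames belong to the native VLAN


def native_mismatch() -> int:
    """Constructed scenario: switch A uses native VLAN 1, switch B native VLAN 10.
    A's untagged VLAN 1 frame is classified into VLAN 10 by B."""
    f = build_frame("ff:ff:ff:ff:ff:ff", "00:00:5e:00:53:01", 0x0806, b"\x00" * 28)
    on_wire = trunk_egress(f, vid=1, native_vlan=1)     # leaves A untagged
    vid_seen_by_b, _ = trunk_ingress(on_wire, native_vlan=10)
    return vid_seen_by_b                                # 10, not 1
```

Two things the code makes visible that the diagram does not: an untagged frame on a trunk carries no VLAN information at all, so the receiving switch assigns it to whatever its own native VLAN is (native_mismatch() returns 10), and a frame can legitimately carry more than one tag, so a receiver that only ever looks at the first 4 bytes after the source MAC and then strips them will hand the inner tag on unchanged. Both are reasons to keep the native VLAN identical at both ends of every trunk and to keep it separate from any VLAN that carries user traffic.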

As you may have concluded yourself, the maximum frame is considerably smaller (by 26 bytes) with IEEE
802.1q tagging than with ISL. Some interpret this size difference to mean that IEEE 802.1q tagging is
much faster than ISL, but this is not true. At the time, Cisco recommended ISL tagging in a Cisco-only
environment, but as outlined earlier, most network engineers and administrators prefer the IEEE 802.1q
approach for maximum compatibility. Cisco has since dropped ISL altogether: current Catalyst switches
support 802.1q trunks only, so for new designs the choice no longer arises.

And because not everything in this world is perfect, no matter how good the 802.1q tagging protocol
might seem, it does come with its restrictions:

- In a Cisco powered network, the switch maintains one instance of the Spanning Tree Protocol (STP)
per VLAN (Cisco's PVST+ over 802.1q trunks). This means that if you have 10 VLANs in your network,
there will also be 10 instances of STP running amongst the switches. Non-Cisco switches that implement
only the original 802.1q/802.1D model maintain a single instance of STP for all VLANs, which is certainly
not what a network administrator would want; the later IEEE 802.1s (MSTP) standard addresses this by
mapping groups of VLANs to STP instances.
- It is imperative that the native VLAN (the VLAN whose frames cross the trunk untagged) is the same at
both ends of an IEEE 802.1q trunk link. If the two ends disagree, untagged frames from one VLAN are
delivered into a different VLAN on the far side, which leaks traffic between VLANs and can create
network loops. Because untagged frames on a trunk always land in the native VLAN, it is also the
foothold that double-tagging VLAN hopping attacks use, so keep it to an unused VLAN and verify it on
every trunk.
- Cisco always advises that disabling STP on one VLAN of an 802.1q trunk without disabling it on the
rest of the VLANs is not a good idea, because network loops might be created. It's best to either disable
or enable STP on all VLANs.

LAN EMULATION (LANE)


LAN Emulation was introduced to solve the need of creating VLANs over WAN links, allowing network
managers to define workgroups based on logical function, rather than physical location. With this new
technology (so to speak - it's actually been around since 1995!), we are now able to create VLANs
between remote offices, regardless of their location and distance.

LANE is not very common and you will most probably never see it implemented in small to mid-sized
networks, however, this is no reason to ignore it. Just keep in mind that we won't be looking at it in much
depth, but briefly covering it so we can grasp the concept.

LANE has been supported by Cisco since 1995 and Cisco IOS release 11.0. When implemented
between two point-to-point links, the WAN network becomes totally transparent to the end users:

Every LAN or native ATM host, like the switch or router shown in the diagram, connects to the ATM
network via a special software interface called 'LAN Emulation Client'. The LANE Client works with the
LAN Emulation Server (LES) to handle all messages and packets flowing through the network, ensuring
that the end clients are not aware of the WAN network infrastructure and therefore making it transparent.
The LANE specification defines a LAN Emulation Configuration Server (LECS), a service running inside
an ATM switch or a physical server connected to the ATM switch, that resides within the ATM network
and allows network administrators to control which LANs are combined to form VLANs.

The LAN Emulation Server with the help of the LANE Client, maps MAC addresses to ATM addresses,
emulating Layer 2 protocols (DataLink layer) and transporting higher layer protocols such as TCP/IP,
IPX/SPX without modification.

802.10 (FDDI)

Tagging VLAN frames on Fiber Distributed Data Interface (FDDI) networks is quite common in large scale
networks. This implementation is usually found on Cisco's high-end switch models such as the Catalyst
5000 series where special modules are installed inside the switches, connecting them to an FDDI
backbone. This backbone interconnects all major network switches, providing a fully redundant network.

The various modules available for the Cisco Catalyst switches allow the integration of Ethernet into the
FDDI network. When installing the appropriate switch modules and with the use of the 802.10 SAID
(Security Association Identifier) field, a mapping between the Ethernet VLAN and the 802.10 network is
created, and as such all Ethernet VLANs are able to run over the FDDI network.

The diagram above shows two Catalyst switches connected to a FDDI backbone. The links between the
switches and the backbone can either be Access type links (meaning one VLAN passes through them) or
Trunk links (all VLANs are able to pass through them). At both ends, the switches have an Ethernet port
belonging to VLAN 6, and to 'connect' these ports we map each switch's Ethernet module with its FDDI
module.

Lastly, the special FDDI modules mentioned above support both single VLANs (non-trunk) and multiple
VLANs (trunk).

To provide further detail, the diagram below shows the IEEE 802.10 frame, along with the SAID field in
which the VLAN ID is inserted, allowing the frame to transit trunk links as described:
It's okay if you're impressed or confused by the structure of the above frame, that's normal :) You'll
be surprised to find out that the Cisco switch in the previous diagram must process the Ethernet II frame
and convert it before placing it on the IEEE 802.10 backbone or trunk.

During this stage, the original Ethernet II frame is converted to an Ethernet SNAP frame and then finally
to an IEEE 802.10 frame. This conversion is required to maintain compatibility and reliability between the
two different topologies. The most important bit to remember here is the SAID field and its purpose.

SUMMARY

This page introduced four popular VLAN tagging methods, providing you with the frame structure and
general details of each tagging method. Out of all, the IEEE 802.1q and ISL tagging methods are the
most popular, so make sure you understand them quite well.

VLAN INTERSWITCH LINK (ISL) PROTOCOL ANALYSIS

WRITTEN BY ADMINISTRATOR. POSTED IN VLAN NETWORKS

INTRODUCTION
Deciding whether to use ISL or IEEE 802.1q to power your trunk links can be quite confusing if you
cannot identify the advantages and disadvantages of each protocol within your network.

This page will cover the ISL protocol in great detail, providing an insight to its secrets and capabilities
which you probably were unaware of. In turn, this will also help you understand the existence of certain
limitations the protocol has, but most importantly allow you to decide if ISL is the tagging process you
require within your network.

INTERSWITCH LINK (ISL)


ISL is Cisco's proprietary tagging method and is supported only on Cisco equipment over Fast and Gigabit
Ethernet links. The size of an ISL frame can be expected to start from 94 bytes and increase up to 1548
bytes due to the overhead (additional fields) the protocol places within the frame it is tagging.
These fields and their length are also shown on the diagram below:

We will be focusing on the two purple coloured 3D blocks, the ISL header and ISL Frame Check
Sequence (FCS) respectively. The rest of the Ethernet frame shown is a standard Ethernet II frame as we
know it. If you need more information, visit our Ethernet II page.

THE ISL HEADER

The ISL header is a 26-byte field containing all the VLAN information required (as one would expect) to
allow a frame to traverse a Trunk Link and find its way to its destination.

Here is a closer look at the header and all the fields it contains:

You can see that the ISL header is made up of quite a few fields, perhaps more than you might have
expected, but this shouldn't alarm you as only a handful of these fields are important. As usual, we
will start from the leftmost field and work our way to the far right side of the header. First up, the DA field:

DESTINATION ADDRESS (DA) FIELD

The 'DA' field is a 40 bit destination address field that contains a multicast address usually set to "0x01-
00-0C-00-00" or "0x03-00-0C-00-00". This address is used to signal to the receiver that the packet is in
ISL format.

TYPE FIELD

The 'Type' field is 4 bits long and helps identify the encapsulated original frame. Depending on the frame
type, the ISL 'Type' field can take 4 possible values as outlined in the table below:

Type Value    Encapsulated Frame

0000          Ethernet
0001          Token-Ring
0010          FDDI
0011          ATM

The 4 bits of space assigned to the 'Type Value' field allow a maximum of 2^4=16 different values. Since
all combinations are not used, there is plenty of room for future encapsulations that might be developed.

USER DEFINED FIELD

The 'User' field occupying 4 bits serves as an extension to the previous 'Type' field and is mostly used
when the original encapsulated frame is an Ethernet II type frame. When this happens, the first two bits of
the 'User' field act as a prioritisation mechanism, allowing the frames to find their way to the destination
much faster.

Currently, there are 4 different priorities available, as shown in the table below:

Type Value    Frame Priority

XX00          Normal Priority
XX01          Priority 1
XX10          Priority 2
XX11          Highest Priority

We should also note that the use of priorities is optional and not required.

SOURCE ADDRESS (SA) FIELD


The 'SA' field is the source MAC address of the switch port transmitting the frame. This field is -as
expected- 48 bits long. The receiving device can choose to ignore this field. It is worth noting that while
the Destination Address field located at the beginning of the header contains a multicast MAC Address,
the Source MAC address field we are looking at here contains the MAC address of the sending device -
usually a switch.

LENGTH FIELD

The 'Length' field is 16 bits long and contains the whole ISL frame's length minus the DA, Type, User, SA,
LEN and FCS fields. If you're good at mathematics, you can easily calculate the total length of the
excluded fields, which is 18 bytes. With this in mind, a quick way to find this field's value is to take the
total frame size and subtract 18 bytes :)

Length fields are used in frames to help the receiving end identify where specific portions of the frame
exist within the frame received.

AAAA03 (SNAP) FIELD


The SNAP field is a 24 bit long field with a value of "0xAAAA03".

HIGH BITS SOURCE ADDRESS (HSA) FIELD

The 'HSA' field is a 24 bit value. This field represents the upper three bytes of the SA field (the
manufacturers ID portion) and must contain the value "0x00-00-0C". Since the SA field is 48 bits long or 6
bytes, the upper 3 bytes of the SA field would translate to 24 bits, hence the length of the HSA field.

VLAN - DESTINATION VIRTUAL LAN ID FIELD


The 'VLAN' field is the Virtual LAN ID of the frame. This is perhaps the most important field of all as our
frame moves between trunk links because it allows all trunk links to identify the VLAN this frame belongs
to. The VLAN ID field is 15 bits long and often referred to as the "color" of the frame.

Without this field, there would be no way of identifying which VLAN a frame transiting a trunk link
belongs to.

BRIDGE PROTOCOL DATA UNIT (BPDU) & CISCO DISCOVERY PROTOCOL (CDP) INDICATOR

The 'BPDU' field is only 1 bit long but very important as it is set for all BPDU packets encapsulated by the
ISL frame. For those unaware, BPDUs are used by the Spanning Tree Protocol (STP) to shut down
redundant links and avoid network loops. This field is also set for encapsulated CDP and Virtual Trunk
Protocol (VTP) frames.

INDEX FIELD

The 'Index' field is a 16 bit value and indicates the port index of the source of the packet as it exits the
switch. It is used for diagnostic purposes only and may be set to any value by other devices.

RES FIELD - RESERVED FOR TOKEN RING AND FIBER DISTRIBUTED DATA INTERFACE (FDDI)

The 'RES' field is a 16 bit value and used when Token Ring or FDDI packets are encapsulated with an
ISL frame. In the case of Token Ring frames, the Access Control (AC) and Frame Control (FC) fields are
placed here whereas in the case of FDDI, the FC field is placed in the Least Significant Byte (LSB) of this
field (as in a FC of "0x12" would have a RES field of "0x0012"). For Ethernet packets, the RES field
should be set to all zeros.

FRAME CHECK SEQUENCE (ISL FCS)

Coming to the end of the ISL protocol analysis, we meet the 'FCS' field, which consists of four bytes. The
FCS contains a 32-bit CRC value, which is created by the sending MAC (switch) and is recalculated by
the receiving MAC (switch) to check for corrupt frames. In an Ethernet II frame, the FCS is generated
using the Destination MAC, Source MAC, Ethertype, and Data fields, while ISL's FCS is calculated over
the entire ISL frame and appended to the end of it.
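To make the header layout concrete, here is an added worked example (not code from this page or from Cisco) that builds a 26-byte ISL header, appends an ISL FCS computed over the whole ISL frame, and parses the result back while checking the LEN, SNAP, HSA and FCS values. The MAC addresses and the 64-byte inner Ethernet frame are constructed for the example, the field order and widths follow the description above, and the use of the Ethernet-style CRC-32 for the ISL FCS is an assumption. Wrapping a minimum-size Ethernet frame gives the 94-byte ISL frame mentioned at the start of this page.

```python
import struct
import zlib

# ISL constants as given in the header description (multicast DA, SNAP and HSA values).
ISL_DA_VALUES = (bytes.fromhex("01000C0000"), bytes.fromhex("03000C0000"))
ISL_SNAP = bytes.fromhex("AAAA03")
ISL_HSA = bytes.fromhex("00000C")
ISL_TYPES = {0b0000: "Ethernet", 0b0001: "Token-Ring", 0b0010: "FDDI", 0b0011: "ATM"}
ISL_HEADER_LEN = 26     # bytes
ISL_FCS_LEN = 4
ISL_LEN_EXCLUDED = 18   # DA(5) + Type/User(1) + SA(6) + LEN(2) + FCS(4), not counted by LEN


def build_isl_header(vlan_id, sa, payload_len, frame_type=0, user=0, bpdu=0, index=0, res=0):
    """Return the 26-byte ISL header for a frame whose encapsulated payload is payload_len bytes."""
    if not 0 <= vlan_id < 2 ** 15:
        raise ValueError("VLAN ID must fit in 15 bits")
    if len(sa) != 6:
        raise ValueError("SA must be a 6-byte MAC address")
    # LEN = whole ISL frame length minus the 18 bytes of DA, Type, User, SA, LEN and FCS.
    total_len = ISL_HEADER_LEN + payload_len + ISL_FCS_LEN
    length = total_len - ISL_LEN_EXCLUDED
    type_user = ((frame_type & 0xF) << 4) | (user & 0xF)
    vlan_bpdu = (vlan_id << 1) | (bpdu & 1)   # 15-bit VLAN ID followed by the 1-bit BPDU flag
    return (ISL_DA_VALUES[0] + bytes([type_user]) + sa + struct.pack(">H", length)
            + ISL_SNAP + ISL_HSA + struct.pack(">HHH", vlan_bpdu, index, res))


def isl_encapsulate(vlan_id, sa, inner_frame, **header_fields):
    """Wrap an Ethernet frame in ISL and append the ISL FCS computed over the whole ISL frame."""
    body = build_isl_header(vlan_id, sa, len(inner_frame), **header_fields) + inner_frame
    return body + struct.pack("<I", zlib.crc32(body))


def isl_parse(frame):
    """Decode an ISL frame into its header fields and validate LEN, SNAP, HSA and FCS."""
    if len(frame) < ISL_HEADER_LEN + ISL_FCS_LEN:
        raise ValueError("frame too short for ISL")
    if frame[:5] not in ISL_DA_VALUES:
        raise ValueError("destination address does not mark the frame as ISL")
    frame_type, user = frame[5] >> 4, frame[5] & 0xF
    (length,) = struct.unpack(">H", frame[12:14])
    vlan_bpdu, index, res = struct.unpack(">HHH", frame[20:26])
    return {
        "type": ISL_TYPES.get(frame_type, "reserved"),
        "priority": user & 0b11,   # the low two bits of the User field carry the priority
        "sa": frame[6:12].hex(":"),
        "length": length,
        "length_ok": length == len(frame) - ISL_LEN_EXCLUDED,
        "snap_ok": frame[14:17] == ISL_SNAP,
        "hsa_ok": frame[17:20] == ISL_HSA,
        "vlan": vlan_bpdu >> 1,
        "bpdu": vlan_bpdu & 1,
        "index": index,
        "res": res,
        "payload": frame[ISL_HEADER_LEN:-ISL_FCS_LEN],
        "fcs_ok": struct.pack("<I", zlib.crc32(frame[:-ISL_FCS_LEN])) == frame[-ISL_FCS_LEN:],
    }


def sample_ethernet_frame():
    """Constructed minimum-size (64-byte) Ethernet II frame: IPv4 EtherType, zero payload, valid FCS."""
    body = bytes.fromhex("000C29AABBCC") + bytes.fromhex("000C29112233") + b"\x08\x00" + bytes(46)
    return body + struct.pack("<I", zlib.crc32(body))


def demo():
    """Encapsulate the sample frame for VLAN 6 and show a corrupted copy failing the FCS check."""
    switch_port_mac = bytes.fromhex("000C29FFEE01")   # constructed address of the sending switch port
    isl = isl_encapsulate(6, switch_port_mac, sample_ethernet_frame(), user=0b0010, index=3)
    fields = isl_parse(isl)
    corrupted = bytearray(isl)
    corrupted[30] ^= 0xFF                             # flip one byte inside the encapsulated frame
    return len(isl), fields, isl_parse(bytes(corrupted))["fcs_ok"]


if __name__ == "__main__":
    size, fields, corrupted_ok = demo()
    print(f"ISL frame: {size} bytes, VLAN {fields['vlan']}, LEN field {fields['length']}, "
          f"priority {fields['priority']}, FCS valid {fields['fcs_ok']}")
    print("corrupted copy FCS valid:", corrupted_ok)
```

Running the script prints the 94-byte frame size, VLAN 6 and a LEN value of 76 (94 minus the 18 excluded bytes), then shows that flipping a single byte of the encapsulated frame invalidates the ISL FCS, which is exactly what the receiving switch relies on to discard corrupted frames.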

SUMMARY

This page analysed all fields of the ISL header and FCS. The next page deals with the popular IEEE
802.1q, an alternative to Cisco's ISL tagging protocol.

VLANS - IEEE 802.1Q TRUNK LINK PROTOCOL ANALYSIS

WRITTEN BY ADMINISTRATOR. POSTED IN VLAN NETWORKS

INTRODUCTION

Our VLAN Tagging page briefly covered the IEEE 802.1q protocol and we are about to continue its
analysis here. As mentioned previously, the IEEE 802.1q tagging method is the most popular as it allows
the seamless integration of VLAN capable devices from all vendors who support the protocol.

So, without any more delay, let's get right into the protocol.

IEEE 802.1q Analysis

The IEEE 802.1q tagging mechanism seems quite simple and efficient thanks to its 4-byte overhead
squeezed between the Source Address and Type/Length field of our Ethernet II frame:

Inserting the 802.1q tag into an Ethernet II frame causes the original Frame Check Sequence (FCS) field
to become invalid, since we are altering the frame; hence it is essential that a new FCS is recalculated
based on the new frame now containing the IEEE 802.1q field. This process is performed automatically by
the switch, right before it sends the frame down a trunk link. Our focus here will be the pink 3D block,
labeled as the IEEE 802.1q header.

The IEEE 802.1q Header


As noted, the 802.1q header is only 4 bytes or 32 bits in length, yet within this space there is all the
information required to successfully identify the frame's VLAN and ensure it arrives at the correct
destination. The diagram below analyses all fields contained in a 802.1q header:

The structure is quite simple as there are only 4 fields when compared with the 11 ISL has. We will
continue by analysing each of these fields in order to discover what the protocol is all about.

TPID - Tag Protocol IDentifier

The TPID field is 16 bits long with a value of 0x8100. It is used to identify the frame as an IEEE 802.1q
tagged frame.

Note: The next three fields, Priority, CFI and VLAN ID are also known as the TCI (Tag Control
Information) field and are often represented as one single field (TCI Field).

Priority

The Priority field is only 3 bits long but used for prioritisation of the data this frame is carrying.

Data Prioritisation is a whole study in itself but we won't be analysing it here since it's well beyond the
scope of our topic. However, for those interested, data prioritisation allows us to give special priority to
time-latency sensitive services, such as Voice Over IP (VoIP), over normal data. This means that the
specified bandwidth is allocated for these critical services to pass them through the link without any delay.

The IEEE 802.1p priority protocol was developed to provide such services and is utilised by the IEEE
802.1q tagging protocol.

The Priority field is 3 bits long, allowing a total of 2^3=8 different priorities for each frame, that is,
level zero (0) to seven (7) inclusive.

CFI - Canonical Format Indicator

The CFI field is only 1 bit long. If set to '1', then it means the MAC Address is in non-canonical format,
otherwise '0' means it is canonical format. For Ethernet switches, this field is always set to zero (0). The
CFI field is mainly used for compatibility reasons between Ethernet and Token Ring networks.

In the case where a frame arrives at an Ethernet port and the CFI flag is set to one (1), that frame
should not be forwarded as received to any untagged port (Access Link port).

VLAN ID - Virtual Local Area Network Identifier

The VLAN ID field is perhaps the most important field out of all because we are able to identify which
VLAN the frame belongs to, allowing the receiving switch to decide which ports the frame is allowed to
exit depending on the switch configuration.

For those who recall our VLAN Tagging page, we mentioned that the IEEE 802.1q tagging method
supports up to 4096 different VLANs. This number derives from the 12 bit VLAN ID field we are analysing
right now and here are the calculations to prove this: 2^12=4096, which translates from VLAN 0 to VLAN
4095 inclusive.
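As an added example (not part of the original page), the following Python code inserts an 802.1q tag into an Ethernet II frame, recomputes the FCS as the switch does before sending the frame down a trunk, decodes the TCI back into Priority, CFI and VLAN ID, and applies the CFI rule from the previous section when stripping the tag for an access port. The sample frame and MAC addresses are constructed; zlib's CRC-32 written least-significant byte first is the standard Ethernet FCS.

```python
import struct
import zlib

TPID_8021Q = 0x8100   # Tag Protocol Identifier that marks an 802.1q tagged frame
TAG_LEN = 4
FCS_LEN = 4


def ethernet_fcs(frame_body):
    """Ethernet FCS: CRC-32 over the frame, transmitted least-significant byte first."""
    return struct.pack("<I", zlib.crc32(frame_body))


def fcs_valid(frame):
    return frame[-FCS_LEN:] == ethernet_fcs(frame[:-FCS_LEN])


def build_tci(priority, cfi, vlan_id):
    """Pack Priority (3 bits), CFI (1 bit) and VLAN ID (12 bits) into the 16-bit TCI."""
    if not 0 <= priority <= 7:
        raise ValueError("priority is 3 bits: 0..7")
    if not 0 <= vlan_id <= 4095:
        raise ValueError("VLAN ID is 12 bits: 0..4095")
    return (priority << 13) | ((cfi & 1) << 12) | vlan_id


def tag_frame(frame, vlan_id, priority=0, cfi=0):
    """Insert the 4-byte 802.1q header after the Source Address and recompute the FCS."""
    if not fcs_valid(frame):
        raise ValueError("refusing to tag a frame with a bad FCS")
    tag = struct.pack(">HH", TPID_8021Q, build_tci(priority, cfi, vlan_id))
    body = frame[:12] + tag + frame[12:-FCS_LEN]
    return body + ethernet_fcs(body)


def parse_tag(frame):
    """Return the tag fields of an 802.1q frame, or None if the frame is untagged."""
    (tpid,) = struct.unpack(">H", frame[12:14])
    if tpid != TPID_8021Q:
        return None
    (tci,) = struct.unpack(">H", frame[14:16])
    return {"priority": tci >> 13, "cfi": (tci >> 12) & 1,
            "vlan_id": tci & 0x0FFF, "fcs_ok": fcs_valid(frame)}


def untag_for_access_port(frame):
    """Strip the tag before forwarding out an untagged (access) port; CFI=1 frames are not forwarded."""
    tag = parse_tag(frame)
    if tag is None:
        return frame
    if tag["cfi"]:
        raise ValueError("CFI set: frame must not be forwarded to an untagged port")
    body = frame[:12] + frame[12 + TAG_LEN:-FCS_LEN]
    return body + ethernet_fcs(body)


def sample_ethernet_frame():
    """Constructed 64-byte Ethernet II frame with a valid FCS (IPv4 EtherType, zero payload)."""
    body = bytes.fromhex("000C29AABBCC") + bytes.fromhex("000C29112233") + b"\x08\x00" + bytes(46)
    return body + ethernet_fcs(body)


def demo():
    """Tag the sample frame for VLAN 100 at priority 5 and show why the FCS must be recomputed."""
    original = sample_ethernet_frame()
    tagged = tag_frame(original, vlan_id=100, priority=5)
    # Splicing the tag in while keeping the old FCS bytes leaves an invalid frame.
    stale_fcs = original[:12] + tagged[12:16] + original[12:]
    try:
        untag_for_access_port(tag_frame(original, vlan_id=10, cfi=1))
        cfi_forwarded = True
    except ValueError:
        cfi_forwarded = False
    return {
        "tagged_len": len(tagged),
        "tag": parse_tag(tagged),
        "stale_fcs_valid": fcs_valid(stale_fcs),
        "roundtrip": untag_for_access_port(tagged) == original,
        "cfi_frame_forwarded": cfi_forwarded,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The tagged frame grows from 64 to 68 bytes, the TCI decodes back to priority 5, CFI 0, VLAN 100, and the frame that kept its old FCS fails validation, which is the point made at the top of this page about the switch recalculating the FCS.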

Summary

That completes our analysis of the IEEE 802.1q protocol. As a last note, you should remember that this
protocol is the most widespread tagging method used around the world and supports up to 4096 VLANs.

INTERVLAN ROUTING - ROUTING BETWEEN VLAN NETWORKS

WRITTEN BY ADMINISTRATOR. POSTED IN VLAN NETWORKS

This article deals with the popular topic of InterVLAN routing, which is used to allow routing and
communication between VLAN networks. Our article analyses InterVLAN routing and provides 4 different
methods of InterVLAN routing to help you understand the concept.

VLAN Configuration and InterVLAN routing for Cisco Layer 3 switches (3550, 3560 series, 3750 series,
4500 series and 6500 series switches) is covered extensively at the following article: Basic & Advanced
Catalyst Layer 3 Switch Configuration: Creating VLANs, InterVLAN Routing (SVI), VLAN Security – VLAN
Hopping, VTP Configuration, Trunk Links, NTP. IOS License Requirements for SVI Routing.

THE NEED FOR ROUTING

Each network has its own needs, though whether it's a large or small network, internal routing, in most
cases, is essential - if not critical. The ability to segment your network by creating VLANs, thus reducing
network broadcasts and increasing your security, is a tactic used by most engineers. Popular setups
include a separate broadcast domain for critical services such as File Servers, Print servers, Domain
Controllers etc., serving your users non-stop.

The issue here is how can users from one VLAN (broadcast domain) use services offered by another
VLAN?

Thankfully there's an answer to every problem and in this case, it's VLAN routing:

The above diagram is a very simple but effective example to help you get the idea. Two VLANs consisting
of two servers and workstations of which one workstation has been placed along with the servers in
VLAN 1, while the second workstation is placed in VLAN 2.

In this scenario, both workstations require access to the File and Print servers, making it a very simple
task for the workstation residing in VLAN 1, but obviously not for our workstation in VLAN 2.

As you might have already guessed, we need to somehow route packets between the two VLANs and the
good news is that there is more than one way to achieve this and that's what we'll be covering on this
page.

VLAN ROUTING SOLUTIONS

While the two 2924 Catalyst switches are connected via a trunk link, they are unable to route packets
from one VLAN to another. If we wanted the switch to support routing, we would require it to be a layer 3
switch with routing capabilities, a service offered by the popular Catalyst 3550 series and above.

Since there are quite a few ways to enable communication between VLANs (InterVLAN Routing being
the most popular), it is worth looking at all possible solutions. This follows our standard method of
presenting all possible solutions, giving you an in-depth view on how VLAN routing can be set up, even if
you do not have a layer 3 switch.

Note: The term 'InterVLAN Routing' refers to a specific routing method which we will cover as a last
scenario, however it is advised that you read through all given solutions to ensure you have a solid
understanding on the VLAN routing topic.

VLAN ROUTING SOLUTION NO.1: USING A ROUTER WITH 2 ETHERNET INTERFACES

A few years ago, this was one of the preferred and fastest methods to route packets between VLANs.
The setup is quite simple and involves a Cisco router e.g 2500 series with two Ethernet interfaces as
shown in the diagram, connecting to both VLANs with an appropriate IP Address assigned to each
interface. IP Routing is of course enabled on the router and we also have the option of applying access
lists in the case where we need to restrict network access between our VLANs.

In addition, each host (servers and workstations) must either use the router's interface connected to their
network as a 'default gateway' or a route entry must be created to ensure they use the router as a
gateway to the other VLAN/Network. This scenario is however expensive to implement because we
require a dedicated router to route packets between our VLANs, and it is also limited from an expandability
perspective.

In the case where there are more than two VLANs, additional Ethernet interfaces will be required, so
basically, the idea here is that you need one Ethernet interface on your router that will connect to each
VLAN.

To finish this scenario, as the network gets bigger and more VLANs are created, it will very quickly get
messy and expensive, so this solution will prove inadequate to cover our future growth.

VLAN ROUTING SOLUTION NO.2: USING A ROUTER WITH ONE ETHERNET (TRUNK) INTERFACE

This solution is certainly fancier but requires, as you would have already guessed, a router that supports
trunk links. With this kind of setup, the trunk link is created using, of course, the same type of
encapsulation the switches use (ISL or 802.1q), and IP routing is enabled on the router side. This method
of InterVLAN routing is also known as 'Router on a Stick'. You can read more on its configuration under
our Cisco Router Knowledgebase.

The downside here is that not many engineers will sacrifice a router just for routing between VLANs when
there are many cheaper alternatives, as you will soon find out. Nevertheless, despite the high cost and
dedicated hardware, it's still a valid and workable solution and depending on your needs and available
equipment, it might be just what you're looking for!

Closing this scenario, the router will need to be configured with two virtual interfaces, one for each VLAN,
with the appropriate IP Address assigned to each one so routing can be performed.

VLAN ROUTING SOLUTION NO.3: USING A SERVER WITH TWO NETWORK CARDS

We would call this option a "Classic Solution". What we basically do is configure one of the servers to
perform the routing between the two VLANs, reducing the overall cost as no dedicated equipment is
required.

In order for the server to perform the routing, it requires two network cards - one for each VLAN and the
appropriate IP Addresses assigned, therefore we have configured one with IP Addresses 192.168.1.1
and the other with 192.168.2.1. Once this phase is complete, all we need to do is enable IP routing on the
server and we're done.

Lastly, each workstation must use the server as either a gateway, or a route entry should be created so
they know how to get to the other network. As you see, there's nothing special about this configuration,
it's simple, cheap and it gets the job done.

VLAN ROUTING SOLUTION NO.4: INTERVLAN ROUTING

And at last, InterVLAN routing! This is without a doubt the best VLAN routing solution out of all of the
above. InterVLAN routing makes use of the latest in technology switches ensuring a super fast, reliable,
and acceptable cost routing solution.

The Cisco Catalyst 3550 series switches used here are layer 3 switches with built-in routing capabilities,
making them the preferred choice at a reasonable cost. Of course, the proposed solution shown here is
only a small part of a large scale network where switches such as the Catalyst 3550 are usually placed as
core switches, connecting all branch switches together (2924's in this case) via superfast fiber Gigabit or
Fast Ethernet links, ensuring a fast and reliable network backbone.

VLAN Configuration and InterVLAN routing for Cisco Layer 3 switches (3550, 3560 series, 3750 series,
4500 series and 6500 series switches) is covered extensively at the following article: Basic & Advanced
Catalyst Layer 3 Switch Configuration: Creating VLANs, InterVLAN Routing (SVI), VLAN Security – VLAN
Hopping, VTP Configuration, Trunk Links, NTP. IOS License Requirements for SVI Routing.

We should also note that InterVLAN routing on the Catalyst 3550 has certain software requirements
regarding the IOS image loaded on the switch as outlined on the table below:

Image Type & Version                                       InterVLAN Routing Capability

Enhanced Multilayer Image (EMI) - All Versions             YES
Standard Multilayer Image (SMI) - prior to 12.1(11)EA1     NO
Standard Multilayer Image (SMI) - 12.1(11)EA1 and later    YES

If you happen to have a 3550 Catalyst in hand, you can issue the 'show version' command to reveal your
IOS version and find out if it supports IP routing.

Returning to our example, our 3550 Catalyst will be configured with two virtual interfaces, one for each
VLAN, and of course the appropriate IP Address assigned to them to ensure there is a logical interface
connected to both networks. Lastly, as you might have guessed, we need to issue the 'ip routing'
command to enable the InterVLAN Routing service!

The diagram above was designed to help you 'visualise' how switches and their interfaces are configured
to specific VLAN, making the InterVLAN routing service possible. The switch above has been configured
with two VLANs, VLAN 1 and 2. The Ethernet interfaces are then assigned to each VLAN, allowing them
to communicate directly with all other interfaces assigned to the same VLAN and the other VLAN, when
the internal routing process is present and enabled.

ACCESS LISTS & INTERVLAN ROUTING

Another common addition to the InterVLAN routing service is the application of Access Lists (packet
filtering) on the routing switch, to restrict access to services or hosts as required.

In modern implementations, central file servers and services are usually placed in their own isolated
VLAN, securing them from possible network attacks while controlling access to them. When you take into
consideration that most trojans and viruses perform an initial scan of the network before attacking, an
administrator can smartly disable ICMP echoes and other protocols used to detect a live host, avoiding
possible detection by an attacker host located on a different VLAN.
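The following Python model, added here as an example and not taken from the article or from Cisco's software, ties the InterVLAN routing requirements together: two virtual interfaces (SVIs) using the addresses from solution No. 3, the 'ip routing' switch, and an optional access list applied to routed traffic with the implicit deny that ends every Cisco access list. The access list shown blocks ICMP from VLAN 2 towards the server VLAN while allowing other traffic, matching the host-discovery point above. The hosts, addresses and outcome strings are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class SVI:
    """A switched virtual interface: the Layer 3 switch's own address inside one VLAN's subnet."""
    vlan: int
    address: str   # e.g. "192.168.1.1/24"; the VLAN's network is derived from the prefix length

    def __post_init__(self):
        iface = ipaddress.ip_interface(self.address)
        self.ip = iface.ip
        self.network = iface.network


@dataclass
class AclEntry:
    """One line of a simple extended access list; entries are matched top-down, first match wins."""
    action: str   # "permit" or "deny"
    proto: str    # "ip" matches any protocol, otherwise "icmp", "tcp" or "udp"
    src: str      # source network in CIDR notation, "0.0.0.0/0" for any
    dst: str      # destination network in CIDR notation

    def matches(self, proto, src_ip, dst_ip):
        return (self.proto in ("ip", proto)
                and src_ip in ipaddress.ip_network(self.src)
                and dst_ip in ipaddress.ip_network(self.dst))


@dataclass
class Layer3Switch:
    svis: list
    ip_routing: bool = False
    acl: list = field(default_factory=list)   # applied to routed traffic; empty means no ACL

    def svi_for(self, ip):
        return next((s for s in self.svis if ip in s.network), None)

    def acl_permits(self, proto, src_ip, dst_ip):
        for entry in self.acl:
            if entry.matches(proto, src_ip, dst_ip):
                return entry.action == "permit"
        return False   # implicit deny at the end of every Cisco access list

    def forward(self, ingress_vlan, src, dst, proto="ip"):
        """Decide what happens to a packet that enters the switch on ingress_vlan."""
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        ingress = next((s for s in self.svis if s.vlan == ingress_vlan), None)
        if ingress is None:
            return f"drop: no interface configured for VLAN {ingress_vlan}"
        if dst_ip in ingress.network:
            return f"switch: destination is in VLAN {ingress_vlan}, no routing needed"
        if not self.ip_routing:
            return "drop: ip routing is disabled, VLANs stay isolated"
        egress = self.svi_for(dst_ip)
        if egress is None:
            return f"drop: no route to {dst_ip}"
        if self.acl and not self.acl_permits(proto, src_ip, dst_ip):
            return "drop: denied by access list"
        return f"route: VLAN {ingress_vlan} -> VLAN {egress.vlan} via {egress.ip}"


def build_switch(ip_routing=True, with_acl=False):
    """The page's two-VLAN scenario: servers in VLAN 1, the second workstation in VLAN 2."""
    acl = []
    if with_acl:
        # Hide the server VLAN from ping sweeps coming out of VLAN 2, but let other traffic through.
        acl = [AclEntry("deny", "icmp", "192.168.2.0/24", "192.168.1.0/24"),
               AclEntry("permit", "ip", "0.0.0.0/0", "0.0.0.0/0")]
    return Layer3Switch([SVI(1, "192.168.1.1/24"), SVI(2, "192.168.2.1/24")], ip_routing, acl)


if __name__ == "__main__":
    for routing, acl in ((False, False), (True, False), (True, True)):
        sw = build_switch(routing, acl)
        print(f"routing={routing} acl={acl}:")
        print("  icmp ->", sw.forward(2, "192.168.2.20", "192.168.1.10", "icmp"))
        print("  tcp  ->", sw.forward(2, "192.168.2.20", "192.168.1.10", "tcp"))
```

With routing disabled the workstation in VLAN 2 cannot reach the server VLAN at all; enabling 'ip routing' is what makes the two SVIs act as gateways for each other, and the access list then decides which routed traffic is allowed through.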

SUMMARY

InterVLAN routing is a terrific service and one that you simply can't live without in a large network. The
topic is a fairly easy one once you get the idea, and this is our aim here: to help you get that idea, and
extend it further by giving you other alternative methods.

The key element of the InterVLAN routing service is that you must have at least one VLAN interface
configured with an IP Address on the InterVLAN capable switch, which will also dictate the IP network for
that VLAN. All hosts participating in that VLAN must also use the same IP addressing scheme to ensure
communication between them. When the above requirements are met, it's then as simple as enabling the
IP Routing service on the switch and you have the InterVLAN service activated.

VLAN SECURITY - MAKING THE MOST OF VLANS


WRITTEN BY ADMINISTRATOR. POSTED IN VLAN NETWORKS

Take a look under the hood of this powerful networking tool so that
your agency can reap the benefits of bandwidth, availability and security.

It's easy to see why virtual LANs have become extremely popular on networks of all sizes. In practical
terms, multiple VLANs are pretty much the same as having multiple separate physical networks within a
single organization — without the headache of managing multiple cable plants and switches.

Because VLANs segment a network, creating multiple broadcast domains, they effectively allow traffic
from the broadcast domains to remain isolated while increasing the network's bandwidth, availability and
security.

Most managed switches are VLAN-capable, but this doesn't mean that they all perform the job equally
well. The market has been flooded by thousands of switches that seem to do the job, but special
consideration must be taken before making a purchase.

A switch in a VLAN-enabled network needs to do a lot more than just switch packets between its ports.

Core backbone switches undertake the hefty task of managing the network's VLANs to ensure everything
runs smoothly. The tasks of these switches include prioritizing network packets based on their source and
destination (essentially Quality of Service), ensuring all edge switches are aware of the VLANs
configured in the network, continuously monitoring for possible network loops on every VLAN, switching
packets between VLANs as required and ensuring network security according to their configuration.

Edge switches, also known as access switches, are dedicated to the end devices: user workstations,
network peripherals and sometimes servers (most IT administrators rightly prefer to connect servers
directly to the core backbone switches). The edge switches must be compatible with the VLAN features
that the core backbone switches support, otherwise unavoidable problems will arise because of
incompatibilities among the switch devices.

This is one reason many organizations standardize when it comes to network equipment from companies
that include Cisco Systems, HP and Juniper Networks.

When deploying VLANs, here are five key considerations to address:


1. LINKS ON VLAN SWITCHES

VLAN switches have two main types of links: access links and trunk links.

Access Links are the most common type of links on any VLAN capable switch. All network hosts connect
to the switch's Access Links to gain access to the local network. These links are the ordinary ports found
on every switch, but configured to access a particular VLAN.

Trunk Links are the links that connect two VLAN capable switches together. While an Access Link is
configured to access a specific VLAN, a Trunk Link is almost always configured to carry data from all
available VLANs.

2. NATIVE VLAN, ISL AND 802.1Q


When a port on a switch is configured as an access link
(http://www.firewall.cx/networking-topics/vlan-networks/218-vlan-access-trunk-links.html), it has access
to one specific VLAN. Any network device connecting to it will become part of that VLAN.

Ethernet frames entering or exiting the port are standard Ethernet II type frames
(http://www.firewall.cx/networking-topics/ethernet/ethernet-frame-formats/201-ethernet-ii.html), which are
understood by the network device connected to the port. Because these frames belong only to one
network, they are said to be “untagged” — meaning that they do not contain any information as to which
VLAN they are assigned.

Trunk links on the other hand are a bit more complicated. Because they carry frames from all VLANs, it's
necessary to somehow identify the frames as they traverse switches. This is called VLAN tagging.

Two methods known for this job are ISL (Inter-Switch Link, a proprietary Cisco protocol) and IEEE 802.1q.
Of the two, 802.1q is the most popular VLAN tagging method and is compatible among all vendors
supporting VLAN trunking.

What might come as a surprise is that a trunk link can also be configured to act as an access link when a
device (computer or switch) that does not support VLAN trunking connects to it. This means that if you
have a trunk link on a switch and connect a computer, the port will automatically provide access to a
specific VLAN. The VLAN in this case is known as the “native VLAN,” a common term that refers to the
VLAN a trunk port is configured for when acting as an access link.

3. VIRTUAL TRUNK PROTOCOL AND VTP PRUNING

VTP is a Cisco proprietary protocol that ensures all VLAN information held by the VTP Server, usually the
core switch, is propagated to all network switches within the VTP domain.

During initial network configuration, all switches are configured as members of the same VTP domain.
With the use of VTP, an IT administrator can create, delete or rename VLANs on the core switch. All
information is then automatically sent to all members of the VTP domain. The VTP equivalent for other
vendors, such as HP and Juniper, is the GARP VLAN Registration Protocol (GVRP), which has been
fine-tuned in recent years and includes many features previously implemented only in Cisco's VTP
protocol.

VTP pruning (http://www.firewall.cx/networking-topics/vlan-networks/virtual-trunk-protocol.html), an
extension to VTP's functionality, ensures that unnecessary network traffic is not sent over trunk links. This
is done by forwarding broadcasts and unknown unicast frames on a VLAN, over trunk links, only if the
receiving end of the trunk has ports assigned to that VLAN.

In practice, this means that if a network broadcast occurred on VLAN5 for instance, and a particular
switch did not have any ports assigned to VLAN5, it would never receive the broadcast traffic through its
trunk link. This translates to a major reduction in broadcast or multicast traffic received by end switches in
a VLAN network.

4. INTER-VLAN ROUTING

Inter-VLAN routing, as the term implies, is all about routing packets between VLANs. This is perhaps one
of the most important features found on advanced switches. Because inter-VLAN routing
(http://www.firewall.cx/networking-topics/vlan-networks/222-intervlan-routing.html) directs packets based
on their Layer 3 information (the IP address), switches that perform this function are known as Layer 3
switches and, of course, are the most expensive. The core switch is commonly a Layer 3 switch. In cases
where a Layer 3 switch is not available, this function can also be performed by a server with two or more
network cards or a router, a method often referred to as “router on a stick.”

Because this is one of the most important aspects of a VLAN network, the Layer 3 switch must have a
fast switching fabric (measured in Gbps) and provide advanced capabilities such as support for routing
protocols, advanced access-lists and firewalling. The Layer 3 switch can offer outstanding protection for a
VLAN network but can also be a network administrator's worst nightmare if not properly configured.

5. SECURING VLAN DEVICES

Even though many administrators and IT managers are aware of VLAN technologies and concepts, that
doesn't necessarily hold true when it comes to VLAN security.

The first principle in securing a VLAN network is physical security. If an organization does not want its
devices tampered with, physical access must be strictly controlled. Core switches are usually safely
located in a data center with restricted access, but edge switches are often located in exposed areas.

Just as physical security guidelines require equipment to be in a controlled space, VLAN-based security
requires the use of special tools and following a few best security practices to achieve the desired result.

These best practices include:

 Removing console-port cables and introducing password-protected console or virtual terminal access with
specified timeouts and restricted access policies;
 Applying the same commands to the virtual terminal (telnet/Secure Shell) section and creating an access
list to restrict telnet/SSH access to specific networks and hosts;
 Avoiding use of VLAN1 (the default VLAN) as the network data VLAN;
 Disabling high-risk protocols on any port that doesn't require them (e.g. CDP, DTP, PAgP, UDLD);
 Deploying VTP domain, VTP pruning and password protections;
 Controlling inter-VLAN routing through the use of IP access lists.
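
To turn the checklist into something that can be verified, here is an added Python audit script (not from the original article or from the referenced configuration guide) that reads an IOS-style running configuration and reports which of the practices above are not met: CDP left running, access ports left in VLAN 1, trunks still negotiating with DTP, a missing VTP domain, and console or vty lines without exec-timeout, access-class or SSH-only transport. Both configurations are constructed for the example; the commands are standard Cisco IOS syntax, and the parser assumes the usual one-space indentation of section bodies.

```python
# Constructed IOS-style running configuration showing several of the weaknesses the checklist names.
WEAK_CONFIG = """\
vtp domain PACKET
!
interface GigabitEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 1
!
line con 0
 login local
line vty 0 4
 login local
 transport input telnet ssh
"""

# The same switch after applying the checklist (also constructed).
HARDENED_CONFIG = """\
no cdp run
vtp domain PACKET
access-list 10 permit 192.168.1.0 0.0.0.255
!
interface GigabitEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
!
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
!
line con 0
 exec-timeout 5 0
 login local
line vty 0 4
 access-class 10 in
 exec-timeout 5 0
 login local
 transport input ssh
"""


def parse_ios_config(text):
    """Split a config into global commands and the indented bodies of 'interface' and 'line' sections."""
    global_cmds, sections, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            continue
        if line.startswith(" "):
            if current is not None:
                sections[current].append(line.strip())
        elif line.startswith(("interface ", "line ")):
            current = line
            sections[current] = []
        else:
            current = None
            global_cmds.append(line)
    return global_cmds, sections


def audit(text):
    """Return one finding per checklist item not met; an empty list means the config passes."""
    global_cmds, sections = parse_ios_config(text)
    findings = []
    cdp_running = "no cdp run" not in global_cmds
    if cdp_running:
        findings.append("global: CDP is running (use 'no cdp run' or 'no cdp enable' on ports that do not need it)")
    if not any(c.startswith("vtp domain ") for c in global_cmds):
        findings.append("global: no VTP domain configured")
    for name, cmds in sections.items():
        kind, ident = name.split(" ", 1)
        if kind == "interface":
            if "switchport mode access" in cmds:
                vlan = next((c.split()[-1] for c in cmds if c.startswith("switchport access vlan ")), "1")
                if vlan == "1":
                    findings.append(f"{ident}: access port left in VLAN 1 (the default VLAN)")
                if cdp_running and "no cdp enable" not in cmds:
                    findings.append(f"{ident}: CDP enabled on an access port")
            if "switchport mode trunk" in cmds and "switchport nonegotiate" not in cmds:
                findings.append(f"{ident}: trunk still negotiates with DTP (add 'switchport nonegotiate')")
        else:   # console or virtual terminal lines
            if not any(c.startswith("exec-timeout ") for c in cmds):
                findings.append(f"line {ident}: no exec-timeout configured")
            if ident.startswith("vty"):
                # Assumption: a vty with no 'transport input' line accepts every protocol.
                transport = next((c for c in cmds if c.startswith("transport input ")), "transport input all")
                if transport != "transport input ssh":
                    findings.append(f"line {ident}: '{transport}' allows more than SSH")
                if not any(c.startswith("access-class ") for c in cmds):
                    findings.append(f"line {ident}: no access-class restricting management sources")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}: {len(audit(cfg))} finding(s)")
        for finding in audit(cfg):
            print("  -", finding)
```

The weak configuration produces eight findings (CDP, the VLAN 1 access port and its CDP exposure, the DTP-negotiated trunk, and the console and vty line issues), while the hardened one produces none; the same script can be pointed at a saved 'show running-config' to review edge switches before they are deployed in exposed areas.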

For hands-on details about each of these practices, read through our Basic & Advanced Catalyst
Layer3 Switch Configuration Guide.

RAISING THE THROTTLE

VLAN technology offers numerous enhancements to the network and provides paths to run multiple
services in isolated environments without sacrificing speed, quality and network availability. If the
necessary basic security guidelines are taken into consideration during initial implementation and then
during ongoing administration, a VLAN can dramatically reduce administrative overhead.

Perhaps the most serious mistake that can be made is to underestimate the importance of the data link
layer and of VLANs in particular in the architecture of switched networks.

It should not be forgotten that any network is only as robust as its weakest link, and therefore an equal
amount of attention needs to be given to every layer to assure the soundness of the entire structure.

COMPARING OLD FLAT NETWORKS & VLAN NETWORKS
WRITTEN BY ADMINISTRATOR. POSTED IN DESIGNING VLANS

INTRODUCTION
Designing and building a network is not a simple job. VLANs are no exception to this rule, in fact they
require a more sophisticated approach because of the variety of protocols used to maintain and
administer them.

Our aim here is not to tell you how to setup your VLANs and what you should or shouldn't do, this will be
covered later on. For now, we would like to show you different physical VLAN layouts to help you
recognise the benefits offered when introducing this technology into your network, regardless of its size.

The technology is available and we simply need to figure out how to use it and implement it using the best
possible methods, in order to achieve outstanding performance and reliability.

We understand that every network is unique as far as its resources and requirements are concerned,
which is another reason why we will take a look at a few different VLAN implementations. However, we
will not mention the method used to set them up - this is up to you to decide once you've read the
following pages!

DESIGNING YOUR FIRST VLAN

Most common VLAN setups involve grouping departments together regardless of their physical
placement through the network. This allows us to centralise the administration for these departments,
while also limiting unwanted incidents of unauthorised access to resources of high importance.

As always, we will be using neat examples and diagrams to help you get a visual on what we are talking
about.
Let's consider the following company: Packet Industries

Packet Industries is a large scale company with over 40 workstations and 5 servers. The company deals
with packet analysis and data recovery and has labs to recover data from different media that require
special treatment due to their sensitivity. As with every other company, there are quite a few different
departments that deal with different aspects of the business and these are:

 Management/HR Department
 Accounting Department
 Data Recovery & IT Department

These three departments are spread over the 3 floors of the building the company occupies. Because
the IT department takes the confidentiality of its own and its customers' data seriously, it has decided
to redesign the network and also evaluate the VLAN solutions available, to see if they are worth the
investment.

We are going to provide two different scenarios here, the first one will not include VLANs, while the
second one will. Comparing the two different solutions will help you see the clear advantages of VLANs
and also provide an insight to how you can also apply this wonderful technology with other similar
networks you might be working with.

SOLUTION 1 - WITHOUT VLANS

The IT department decided that the best way to deal with the security issue would be to divide the
existing network by partitioning it. Each department would reside in one broadcast domain and access
lists would be placed between each network's boundaries to ensure access to and from them are limited
according to the access policies.

Since there are three departments, three new networks had to be created to accommodate the new
design. The budget, as in most cases, had to be controlled so that it did not exceed the amount granted
by the Accounting Department.

With all the above in mind, here's the proposal the IT department created:
As you can see, each department has been assigned its own network, and each floor has a dedicated
switch for every network present on that floor. This increases security, since the departments sit on
physically separate networks, and it also seems the most logical solution. The switches are then joined
through the network backbone which, in its turn, connects to the network's main router.

The router takes on the complex role of controlling access and routing between the networks and
servers, using the access lists created by the IT department. If required, the router can also be
configured to permit specific hosts to be routed between the three networks.

The above implementation is quite secure as there are physical and logical restrictions placed at every
level. However, it is somewhat restrictive as far as expanding and administering the network since there is
no point of central control. Lastly, if you even consider adding full redundancy to the above, essentially
doubling the amount of equipment required, the cost would clearly be unreasonable...

So let's now take a look at the second way we could implement the above, without blowing the budget,
without compromising our required security level and also at the same time create a flexible and easily
expandable network backbone.

SOLUTION 2 - WITH VLANS


The solution we are about to present here is surely the most preferred and economical. The reasons
should be fairly straight forward: We get the same result as the previous solution, at almost half the cost
and as a bonus, we get the flexibility and expandability we need for the future growth of our network,
which was very limited in our previous example.

By putting the VLAN concept we covered on the previous page into action, you should be able to
visualise the new setup:

As you can see, the result is a lot neater, and the most apparent change is the presence of a single
switch per floor, connecting directly to the network backbone. These switches are of course VLAN
capable and have been configured to carry the three separate logical networks (VLANs) over shared
physical hardware. The router from the previous solution has been replaced by what we call a 'layer 3 switch'.

This type of switch is very intelligent and understands layer 3 (IP layer) traffic. With such a switch you
are able to apply access lists to restrict traffic between the networks, just as you would on a router, but
more importantly, route packets from one logical network to another. In simple terms, a layer 3 switch
is a combination of a powerful switch and a built-in router. Note that the security boundary between
departments now rests entirely on the VLAN assignments and those access lists, which is why the
configuration practices covered earlier matter so much.

SUMMARY
If the above example was interesting and provided an insight into the field of VLANs, we can assure you
that you haven't seen anything yet. When unleashing the power of VLANs, there are impressive solutions
for almost any problem or need your network has.

It's now time to start looking at VLAN technology in a bit more detail, that is, how it's configured, the
positive and negative aspects of each type of VLAN configuration and much more.

The next page analyses Static VLANs, which are perhaps the most popular implementation of VLANs
around the world. Take a quick break for some fresh air if needed, otherwise, gear up and let's move!

STATIC VLANS

INTRODUCTION
VLANs are usually created by the network administrator, who assigns each port of every switch to a VLAN.
Depending on the network infrastructure and security policies, VLAN assignment can be implemented
using one of two methods, Static or Dynamic membership; these are also known as the two types of
VLAN membership.

Each method has its advantages and disadvantages, and we will be analysing them in depth to help you
decide which would best suit your network.

Depending on the method used to assign the VLAN membership, the switch may require further
configuration, but in most cases it's a pretty straight forward process. This page deals with Static VLANs
while Dynamic VLANs are covered next.

STATIC VLANS
Static VLAN membership is perhaps the most widely used method because of the relatively small
administration overhead and security it provides. With Static VLANs, the administrator will assign each
port of the switch to one VLAN. Once this is complete, they can simply connect each device or
workstation to the appropriate port.

The illustration below shows 4 ports configured for 4 different VLANs. It depicts (half of) a Cisco switch
on which ports 1, 2, 7 and 10 have been assigned to VLANs 1, 5, 2 and 3 respectively.

At this point, we should remind you that these 4 VLANs are not able to communicate between each other
without the use of a router as they are treated as 4 separate physical networks, regardless of the network
addressing scheme used on each of them. However, we won't provide further detail on VLAN routing
since it's covered later on.

Static VLANs are certainly more secure than a single flat switch, while also being considerably easy to
configure and monitor. As one would expect, all nodes belonging to a VLAN must also be part of the
same logical (IP) network in order to communicate with one another. For example, if on our switch above
we assigned network 192.168.1.0/24 to VLAN 1, then all nodes connected to ports assigned to VLAN 1
must use addresses from that network to communicate with each other, just as on an ordinary switch.

In addition, Static VLANs have another strong point - you are able to control where your users move
within a large network. By assigning specific ports on your switches throughout your network, you are
able to control access and limit the network resources to which your users are able to use.

A good example would be a large network with multiple departments where any network administrator
would want to control where the users can physically connect their workstation or laptop and which
servers they are able to access.

The following diagram shows a VLAN powered network where the switches have been configured with
Static VLAN support.
The network diagram might look slightly complicated at first, but if you pay close attention to each switch,
you will notice that it's quite simple - six switches with 6 VLANs configured- one VLAN per department, as
shown. While each VLAN has one logical network assigned to it, the IT department has, in addition,
placed one workstation in the following departments for support purposes: Management, R&D, and HR
department.

The network administrator has assigned Port 1 (P1) on each department switch to VLAN 5 for the
workstation belonging to the IT department, while the rest of the ports are assigned to the appropriate
VLAN as shown in the diagram.

This setup allows the administrator to place any employee in the IT department, anywhere on the
network, without worrying if the user will be able to connect and access the IT department's resources.

Now suppose a user in one of the other departments, say Management, decides to get smart and tries to
reach the IT department's resources by plugging his workstation into Port 1 of his department's switch.
He wouldn't get far at first, because his workstation is configured for the 192.168.1.0 network (VLAN 1),
while Port 1 places him in VLAN 5, where the 192.168.5.0 network is used. To go any further he would
have to change his IP address to match the network he is trying to reach, in this case 192.168.5.0.

That last step is the security caveat of Static VLANs: the port-to-VLAN assignment identifies the wall
socket, not the person using it. Anyone who plugs into Port 1 is in VLAN 5, and readdressing a
workstation (or simply asking a DHCP server on that VLAN for an address, if one exists) is trivial. Static
VLANs therefore provide segmentation, not authentication, and must be combined with the physical
security and port hardening practices covered earlier if the IT sockets are in shared areas.
SUMMARY
To sum up, with Static VLANs, we assign each individual switch port to a VLAN. The network addresses
are totally up to us to decide. In our example, the switches do not care what network address is used for
each VLAN as they totally ignore this information unless routing is performed (this is covered in the
InterVLAN routing page). As far as the switches are concerned, if you have two ports assigned to the
same VLAN, then these two ports are able to communicate between each other as it would happen on
any normal layer 2 switch.

DYNAMIC VLANS

INTRODUCTION
Dynamic VLANs were introduced to grant the flexibility and complexity(!) that Static VLANs did not
provide. Dynamic VLANs are quite rare because of their requirements and initial administrative overhead.
As such, most administrators and network engineers tend to prefer Static VLANs.

DYNAMIC VLANS

Dynamic VLANs, as opposed to Static VLANs, do not require the administrator to configure each port
individually. Instead, a central server called the VMPS (VLAN Membership Policy Server) handles the
on-the-spot port configuration of every switch participating in the VLAN network.

The VMPS server contains a database of all workstation MAC addresses, along with the associated
VLAN the MAC address belongs to. This way, we essentially have a VLAN-to-MAC address mapping:
The diagram above is meant to help us understand the mapping relationship maintained in the VMPS
server. As shown, each MAC address, which translates to a host on the network, is mapped to a VLAN.
This allows the host to move around the network, connecting to any switch that is part of the VMPS
network, and keep its VLAN membership.

You can now start to imagine the initial workload involved when configuring a VMPS server for a network
of over 300 workstations:)

As one would expect, this model works very well, but it also requires the switches to be in constant
contact with the VMPS server, requesting configuration information every time a host connects to a
switch participating in the VLAN network. There is a lot more that can be placed in the VMPS database,
but we won't be covering that just yet.

Like all network services offered, Cisco has cleverly designed this model to be as flexible as our network
might require. For example, you are able to connect more than one host on one dynamically configured
port, as long as all hosts are part of the same VLAN:
The diagram above shows us a VLAN capable switch that has been configured to support Dynamic
VLANs. On port No.5, we have connected a simple switch (not VLAN aware) from which another 4
workstations are connected.

As mentioned previously, this type of configuration is valid and therefore supported, but it also has its
restrictions and limitations.

One of the restrictions, which can also be considered a semi-security feature, is that all workstations
connected to the same port must be configured in the VMPS server as members of the same VLAN;
otherwise the port is likely to be shut down as a security precaution.

To consider the limitations of this configuration: if the switch detects more than 20 active hosts (20 MAC
addresses) on the port, it will once again shut it down, leaving the workstations without any network
connection. When this happens, the port that shuts down will return into an isolated state, not belonging
to any VLAN.

The fact is that Dynamic VLANs are really not suitable for every network, even though they allow a great
deal of flexibility and control. If you consider the advantage that one single feature of Dynamic VLANs
can give you, it might be all you need to justify implementing them.

Because each host connected to the switch is checked against the VMPS database for its VLAN
membership before the port is activated and assigned to a VLAN, the network administrator can ensure
that no foreign host is able to walk up to a wall socket and simply plug in a workstation to access the
network, as long as its MAC address is not stored in the VMPS database. For a large scale network, this
could be considered an ace up your sleeve. Keep in mind, however, that a MAC address is not a secret:
it is visible to anyone on the same segment and can be changed on almost any operating system, so a
VMPS lookup raises the bar for casual plug-in access but does not authenticate the host.

CHOOSING CORRECT SWITCHES


One important factor we haven't yet mentioned is that you cannot run the VMPS server on a Cisco
Catalyst 2900 or 3500 series. The Catalyst 4500 and upwards are able to act as a VMPS, and at the time
of writing, this switch has reached its end of retail life. For those who have dealt with Cisco Catalyst
switches in the past, you would know that a Catalyst 4500 is not the type of switch you would use in a 20
or 50 node network!

The Catalyst 4500, 6500 series, are switches designed for enterprise networks, as such, they are built to
be modular, easily expandable depending on your needs, and lastly, fully redundant because you can't
have your core backbone switch failing when all other switches and network equipment are directly
connected to it.

We've added a few pictures of the Catalyst 6500 series for you to admire :)

You can clearly see the slots available that allow the Catalyst switches to expand and grow with your
network. In the likely event you require more ports as your network expands, you simply buy a
Fastethernet blade (some people call them 'slices') and insert it into an available slot!

DYNAMIC VLANS & FALLBACK VLANS


Another very interesting and smart feature Dynamic VLANs support is the fallback VLAN. This neat
feature allows you to automatically configure a port to a VLAN specially created for workstations whose
MAC address is not in the VMPS server. Consider company visitors or clients who require specific or
restricted access to your network, they can freely connect to the network and have Internet access,
alongside with limited rights on public directories.

In the event the fallback VLAN has not been configured and the MAC address connected to the switch's
port is unknown, the VMPS server will send an 'access-denied' response, blocking access to the network,
but the port will remain active. If the VMPS server is running in 'secure-mode', it will proceed and
shutdown the port as an additional security measure.
The above diagram represents a portion of a large scale network using a Cisco 6500 Catalyst as the core
switch. The switch has been configured to support Dynamic VLANs, therefore a VMPS server has been
configured inside the switch, alongside with a DHCP server for each created VLAN. The administrator
has already assigned the 3 workstations MAC addresses to the VLANs shown and also created the
fallback VLAN for any MAC address that does not exist in the database.

Now consider this interesting scenario: One morning a visitor arrives in the office and requires an Internet
connection so he can demonstrate a new product to the management. As an administrator, you've already
configured a fallback VLAN with a DHCP server activated for the VLAN, pushing the necessary settings
to the clients so they may obtain Internet access.

The visitor finds a free RJ-45 socket on the wall, which connects to a Catalyst 3550 switch nearby, and
plugs in his laptop. Before the user is allowed to access the network, the Cisco 3550 switch checks the
laptop's MAC address and reads 4B:63:3F:A2:3E:F9. At this point, the port is blocked, not allowing the
laptop computer to send or receive data. The Cisco 3550 switch sends the MAC address to the 6500
Catalyst switch which is acting as the VMPS server and it checks for an entry that matches the specified
MAC address but is unable to find one.

Since the address is unknown, it treats the host as a visitor, answers with the fallback VLAN for that MAC
address and sends the information back to the Cisco 3550 switch. The switch then enables the port our
visitor is connected to by placing it in the fallback VLAN.

If the visitor's computer is configured to obtain an IP Address automatically, it will do so, once the
operating system has booted. When this happens, the visitor's DHCP request will arrive to the 6500
Catalyst switch and its DHCP server will send the requested information, enabling the client (our visitor) to
configure itself with all the parameters required to access the VLAN. This will also mean our visitor is now
able to access the Internet!

Finally, if the computer is not configured for DHCP, the visitor must be given the correct network
settings or asked to enable automatic IP configuration in their network properties.

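The decisions described on the Static VLANs page and in the Dynamic VLAN scenarios above can be replayed in a few dozen lines. The model below is an added illustration for this page, not Cisco code: it reproduces only the behaviour the text describes (port membership fixed by the socket on static ports, the VMPS MAC lookup, the fallback VLAN, open versus secure mode for unknown MACs, the same-VLAN rule for multiple hosts on one dynamic port and the 20-host limit), not the VMPS message format. All MAC addresses, IP addresses, port names and VLAN numbers are constructed sample data.

```python
"""Static vs. VMPS-driven (dynamic) port membership, modelled in Python as an added illustration
for this page (not Cisco code). Only the decisions described in the text are reproduced; MACs, IPs
and VLAN numbers below are constructed sample data."""

MAX_HOSTS_PER_DYNAMIC_PORT = 20   # VMPS shuts a dynamic port with more than 20 active MACs


class VMPS:
    """MAC-to-VLAN database with an optional fallback VLAN and open/secure behaviour."""
    def __init__(self, mac_to_vlan, fallback_vlan=None, secure=False):
        self.db = {m.lower(): v for m, v in mac_to_vlan.items()}
        self.fallback_vlan, self.secure = fallback_vlan, secure

    def lookup(self, mac):
        """('vlan', n) on a hit or via the fallback VLAN; else 'denied' (open) or 'shutdown' (secure)."""
        vlan = self.db.get(mac.lower(), self.fallback_vlan)
        if vlan is not None:
            return ("vlan", vlan)
        return ("shutdown", None) if self.secure else ("denied", None)


class Port:
    def __init__(self, static_vlan=None):
        self.static_vlan = static_vlan   # None marks a dynamic-access (VMPS) port
        self.vlan = static_vlan          # VLAN the port currently belongs to; None = unassigned
        self.state = "up"
        self.hosts = {}                  # active MAC -> IP the host chose for itself


class Switch:
    def __init__(self, vmps=None):
        self.vmps, self.ports = vmps, {}

    def add_port(self, name, static_vlan=None):
        self.ports[name] = Port(static_vlan)

    def _shutdown(self, port):
        port.state, port.vlan = "shutdown", None   # isolated: belongs to no VLAN
        return ("shutdown", None)

    def connect(self, port_name, mac, ip):
        """A host sends its first frame on the port; returns (port state, VLAN the port is in)."""
        port = self.ports[port_name]
        if port.state == "shutdown":
            return ("shutdown", None)
        if port.static_vlan is not None:
            port.hosts[mac.lower()] = ip
            return ("up", port.vlan)     # static: the socket decides, MAC and IP are irrelevant
        verdict, vlan = self.vmps.lookup(mac)
        if verdict == "denied":
            return ("denied", port.vlan)  # port stays active, this host gets no VLAN
        port.hosts[mac.lower()] = ip
        if (verdict == "shutdown" or len(port.hosts) > MAX_HOSTS_PER_DYNAMIC_PORT
                or (port.vlan is not None and port.vlan != vlan)):
            return self._shutdown(port)   # unknown MAC in secure mode, too many hosts, or mixed VLANs
        port.vlan = vlan
        return ("up", vlan)

    def can_forward(self, port_a, port_b):
        """Layer-2 decision: both ports up and in the same VLAN. IP addresses are never consulted."""
        a, b = self.ports[port_a], self.ports[port_b]
        return a.state == b.state == "up" and a.vlan is not None and a.vlan == b.vlan


def demo():
    """Replay the scenarios from the Static and Dynamic VLAN pages; returns the outcomes."""
    out = {}
    dept = Switch()                                 # department switch: P1 is the IT socket (VLAN 5)
    dept.add_port("P1", static_vlan=5)
    dept.add_port("P2", static_vlan=1)
    dept.add_port("P3", static_vlan=5)
    dept.connect("P1", "00:00:5e:00:53:01", "192.168.5.10")   # user who moved to P1 and readdressed
    dept.connect("P2", "00:00:5e:00:53:02", "192.168.5.20")   # user who only readdressed, still on P2
    dept.connect("P3", "00:00:5e:00:53:03", "192.168.5.30")   # a genuine IT workstation
    out["static_p1_reaches_vlan5"] = dept.can_forward("P1", "P3")   # the port decides: True
    out["static_p2_reaches_vlan5"] = dept.can_forward("P2", "P3")   # IP change is irrelevant: False

    core = VMPS({"00:00:5e:00:53:aa": 10, "00:00:5e:00:53:bb": 20}, fallback_vlan=99)
    edge = Switch(vmps=core)
    for name in ("D1", "D2", "D3"):
        edge.add_port(name)                         # dynamic-access ports served by the core VMPS
    out["visitor"] = edge.connect("D1", "4B:63:3F:A2:3E:F9", "dhcp")        # lands in fallback VLAN 99
    edge.connect("D2", "00:00:5e:00:53:aa", "10.0.10.5")
    out["mixed_vlans"] = edge.connect("D2", "00:00:5e:00:53:bb", "10.0.20.5")  # two VLANs on one port
    for i in range(21):                             # 21 visitors behind an unmanaged switch on D3
        last = edge.connect("D3", f"00:00:5e:00:53:{i:02x}", f"10.0.99.{100 + i}")
    out["too_many_hosts"] = last

    for label, secure in (("open", False), ("secure", True)):   # unknown MAC, no fallback VLAN
        sw = Switch(vmps=VMPS({"00:00:5e:00:53:aa": 10}, secure=secure))
        sw.add_port("D1")
        out[f"unknown_mac_{label}"] = sw.connect("D1", "00:00:5e:00:53:ff", "dhcp")
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The two static cases are the important ones for the earlier caveat: the host that readdressed itself and moved to the IT socket is forwarded in VLAN 5, while the host that only readdressed itself on its own socket is not, because the switch never looks at IP addresses. On the dynamic side, note that a denied host leaves the port active (open mode) while secure mode, a second VLAN on the same port, or the 21st host all isolate the port entirely.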
SUMMARY

The past pages could be considered as an 'eye-opener' for people who are new to the VLAN concept,
and at the same time a 'quick-overview' for those who are well aware of their existence! We hope all your
questions to this point have been answered, if not, they are most likely too advanced and will surely be
answered in the pages that follow.

VTP INTRODUCTION & MODES


WRITTEN BY ADMINISTRATOR. POSTED IN VIRTUAL TRUNK PROTOCOL (CISCO VTP)

INTRODUCTION
The invention of VLANs was very much welcomed by all engineers and administrators, allowing them to
extend, redesign and segment their existing network with minimal costs, while at the same time making it
more secure, faster and reliable!

If you're responsible for a network of up to 4-6 switches that include a few VLANs, then you'll surely agree
that it's usually a low overhead to administer them and periodically make changes - most engineers can
live with that:)

Ask an engineer in charge of a medium to large scale network and you will definitely not receive the
same answer, simply because these small changes can quickly become a nightmare, and if you add the
possibility of human error, the result could be network outages and downtime.

WELCOME TO VIRTUAL TRUNK PROTOCOL (VTP)


VTP, the VLAN Trunking Protocol (often also written out as Virtual Trunk Protocol), is a Cisco proprietary
protocol designed with the network engineer and administrator in mind, reducing the administrative
overhead and the possibility of error described above in any switched network environment.

When a new VLAN is created and configured on a switch without the VTP protocol enabled, this must be
manually replicated to all switches on the network so they are all aware of the newly created VLAN. This
means that the administrator must configure each switch separately, a task that requires a lot of time and
adds a considerable amount of overhead depending on the size of the network.

The configuration of a VLAN includes the VLAN number, name and a few more parameters which will be
analysed further on. This information is then stored on each switch's NVRAM and any VLAN changes
made to any switch must again be replicated manually on all switches.
If the idea of manually updating all switches within your network doesn't scare you because your network
is small, then imagine updating more than 15-20 switches a few times per week, so your network can
respond to your organisation's needs....have we got you thinking now? :)

With the VTP protocol configured and operating, you can forget about running around making sure you
have updated all switches as you only need to make the changes on the nominated VTP server
switch(es) on your network. This will also ensure these changes are magically propagated to all other
switches regardless of where they are.

INTRODUCING THE VTP MODES

The VTP protocol is fairly complex, but easy to understand and implement once you get to know it.
Currently, three versions of the protocol exist: version 1, version 2 (which adds support for Token Ring
networks) and version 3, with version 1 still being the one found in most networks.

Regardless of version, VTP operates in one of three modes, Server, Client and Transparent, giving us
maximum flexibility over how changes in the network affect the rest of our switches. To keep things
simple and avoid confusion, we will work with the first version of the protocol, VTP v1, which covers the
majority of deployments.

Below you'll find the 3 modes the VTP protocol can operate in on any switch throughout the network:

 VTP Server mode
 VTP Client mode
 VTP Transparent mode

Each mode has been designed to cover specific network setups and needs, as we are about to see, but
for now, we need to understand the purpose of each mode and the following network diagram will help us
do exactly that.
A typical setup involves at least one switch configured as a VTP Server and multiple switches configured
as VTP Clients. The logic behind this setup is that all VLAN changes are made on the VTP Server switch,
from which all clients are updated. Any change in the server's VLAN database triggers an update from
the VTP Server towards all VTP Clients so they can update their own copy.

Lastly, be informed that these VTP updates will only traverse Trunk links. This means that you must
ensure that all switches connect to the network backbone via Trunk links, otherwise no VTP updates will
get to your switches.

Let's now take a closer look at what each VTP mode does and where it can be used.

VTP SERVER MODE

By default all switches are configured as VTP Servers when first powered on. All VLAN information, such
as VLAN number and VLAN name, is stored locally in a separate file (vlan.dat on Catalyst IOS switches)
rather than in the 'startup-config'. This is why a VLAN database survives an erased startup-config, and
why it must be deleted separately (delete flash:vlan.dat) when a switch is decommissioned or repurposed.

For small networks with a limited number of switches and VLANs, storing all VLAN information on every
switch is usually not a problem, but as the network expands and VLANs increase in number, it becomes a
problem and a decision must be made to select a few powerful switches as the VTP Servers while
configuring all other switches to VTP Client mode.
The diagram above shows a Cisco Catalyst 3550 selected to take the role of the network's VTP Server
since it is the most powerful switch. All other Catalyst switches have been configured as VTP Clients,
obtaining all VLAN information and updates from the 3550 VTP Server.

The method and frequency by which these updates occur is covered in much detail on the pages that
follow, so we won't get into any more detail at this point. However, for those who noticed, there is a new
concept introduced in the above diagram that we haven't spoken about: The VTP Domain.

THE VTP DOMAIN - VLAN MANAGEMENT DOMAIN


The VTP Domain, also known as the VLAN Management Domain, is a VTP parameter configured on
every switch connected to the network and used to define the switches that will participate in any changes
or updates made in the specified VTP domain.

Naturally, the core switch (VTP Server) and all other switches participate in the same domain. Taking a
domain named 'firewall' as an example, when the VTP Server advertises new VLAN information for the
'firewall' domain, only clients (switches) configured with the same VTP Domain parameter will accept
and process these changes; the rest simply ignore them.

Lastly, some people tend to relate the VTP Domain with the Internet Domain name space, however, this
is completely incorrect. Even though the acronym 'DNS' contains the word 'Domain', it is not related in
any way with the VTP Domain. Here (in VTP land), the word 'Domain' is simply used to describe a logical
area in which certain hosts (switches) belong to or participate in, and are affected by any changes made
within it.

We should also note that all Cisco switches default to VTP Server mode with no domain set (the 'null'
domain) and will not transmit any VLAN information until a VTP Domain is configured. The flip side
matters from a security standpoint: a switch left in the null domain adopts the first VTP domain name it
hears on a trunk link, so a new switch should have its domain (and VTP password) set before it is
trunked into the production network.
At this point we are only referencing the VTP Domain concept as this is also analysed in greater depth
further on, so let's continue with the VTP modes!

VTP CLIENT MODE

In Client mode, a switch accepts all VLAN information received from the VTP Server and applies it to its
running VLAN database; the information is also saved in NVRAM, so if the switch is powered off it won't
lose its VLAN information.

The VTP Client behaves like a VTP Server, except that you are unable to create, modify or delete VLANs on it.

In most networks, the clients connect directly to the VTP Server as shown in our previous diagram. If, for
any reason, two clients are cascaded together, then the information will propagate downwards via the
available Trunk links, ensuring it reaches all switches:

The diagram shows a 3550 Catalyst switch configured as a VTP Server and 4 Catalyst 2950 switches
configured as VTP Clients and cascaded below our 3550. When the VTP Server sends a VTP update,
this will travel through all trunk links (ISL, 802.1q, 802.10 and ATM LANE), as shown in the diagram.

The advertised information will firstly reach the two Catalyst 2950 switches directly connected to the 3550
and will then travel to the cascaded switches below and through the trunk links. If the link between the
cascaded 2950's was not a trunk link but an access link, then the 2nd set of switches would not receive
and VTP updates:
As you can see, the VTP updates will happily arrive at the first Catalyst switches but stop there, as there
are no trunk links between them and the 2950's below them. It is very important to keep this in mind
when designing a network or making changes to an existing one.

VTP TRANSPARENT MODE

The VTP Transparent mode is something between a VTP Server and a VTP Client but does not
participate in the VTP Domain.

In Transparent mode, you are able to create, modify and delete VLANs on the local switch, without
affecting any other switches regardless of the mode they might be in. Most importantly, if the
transparently configured switch receives an advertisement containing VLAN information, it will ignore it
but at the same time forward it out its trunk ports to any other switches it might be connected to.

NOTE: In VTP version 1, a Transparent switch inspects the domain name and version of each
VTP message it receives and relays it out its other trunk ports only when both match its own
configuration; messages for another domain are discarded. In VTP version 2, a Transparent
switch relays VTP messages regardless of domain name and version. In neither case does it
apply the contents to its own VLAN database.

Lastly, switches operating in Transparent mode save their VLAN configuration in NVRAM (just like the
previous two modes) but do not advertise any VLAN information of their own, even though they will
happily forward any VTP information received from the rest of the network (subject to the version 1
restriction noted above).

This important functionality allows transparently configured switches to be placed anywhere within the
network, without any implications to the rest of the network because as mentioned, they act as a repeater
for any VLAN information received:
Our 3550 Catalyst here is configured as a VTP Server for the domain called "Firewall". In addition, we
have two switches configured in VTP Client mode, obtaining their VLAN information from the 3550 VTP
Server, but between these two VTP Clients we have placed another switch configured to run in VTP
Transparent mode.

Our Transparent switch has been configured with the domain called "Lab". Running VTP version 2 (which
is what allows a transparent switch to relay advertisements for a domain other than its own), it will
forward all incoming VTP updates belonging to the "Firewall" domain out its other trunk link without
processing the information. At the same time, it won't advertise its own VLAN information to its
neighbouring switches. With VTP version 1 this layout would break the chain: the "Lab" switch would
discard the "Firewall" updates and the second client would never see them.

Closing, the VTP Transparent mode is not often used in live networks, but is well worth mentioning and
learning about.

SUMMARY

This page introduced a few new and very important concepts. The VTP protocol is considered the heart
of VLANs in large scale networks, as it makes administration easy and transparent for every switch on
your network.

We briefly spoke about the three different modes offered by the VTP protocol: Server, Client and
Transparent mode. To assist in providing a quick summary, the table below shows the main
characteristics for each mode:

VTP Mode         Description

VTP Server       The default mode for all switches supporting VTP. You can create, modify and
                 delete VLANs and specify other configuration parameters (such as the VTP version)
                 for the entire VTP domain. VTP servers advertise their VLAN configuration to other
                 switches in the same VTP domain and synchronise their VLAN configuration with
                 other switches based on advertisements received over trunk links. VLAN
                 configurations are saved in NVRAM.

VTP Client       Behaves like a VTP server, but you cannot create, change or delete VLANs on a
                 VTP client. VLAN configurations are saved in NVRAM.

VTP Transparent  Does not advertise its VLAN configuration and does not synchronise its VLAN
                 configuration based on received advertisements, but forwards VTP advertisements
                 received from other switches (see the note above on version 1 and 2 behaviour).
                 You can create, modify and delete VLANs on a switch in VTP transparent mode.
                 VLAN configurations are saved in NVRAM but are not advertised to other switches.

All switches are configured as VTP Servers by default, but without a domain. At this point we need to
select the 'Core' switch (usually the most powerful) and configure it as a VTP Server, while reconfiguring
all the rest to Client mode. Also, VTP updates sent by the Server will only propagate through trunk links
configured for ISL, IEEE 802.1q, 802.10 or LANE encapsulation.

NOTE: You should be aware that all VTP Messages are sent through what we call the
"Management VLAN". This specially created VLAN is usually the first one in the network -
VLAN 1 - and by rule is never used by anyone else other than the switches themselves.

The creation of a Management VLAN ensures all switches have their own network to
communicate between each other without any disruptions.

The next page will analyse the VTP protocol structure, messages and updates. This will provide a deep
understanding of how VTP works and what information its messages contain. For those out there keen
on configuring a switch for VTP, it's covered towards the end of the VLAN topic as shown on the VLAN
Introduction page.

IN-DEPTH ANALYSIS OF VTP

WRITTEN BY ADMINISTRATOR. POSTED IN VIRTUAL TRUNK PROTOCOL (CISCO VTP)

The previous article introduced the VTP protocol and we saw how it can be used within a network to help
manage your VLANs and ease the administrative overhead, providing a stress-free VLAN environment by
automatically updating all the network switches with the latest VLAN information.

This article extends on the above by delving into the VTP protocol itself and analysing its structure and
format, in order to gain a better understanding and enhance your troubleshooting skills.

THE VTP PROTOCOL STRUCTURE

We've mentioned that the VTP protocol runs only over trunk links interconnecting switches in the network.
Whether you're using ISL or IEEE 802.1q as your encapsulation protocol, it really doesn't matter as the
VTP structure in both cases remains the same.

The following fields make up the VTP header:

 VTP Protocol Version (1 or 2)
 VTP Message Type (See Below)
 Management Domain Length
 Management Domain Name

What we need to note here is that because there are a variety of VTP message types, the VTP header
changes depending on the message, but the fields we just listed above are always included.

To be more specific, here are the different messages currently supported by the VTP protocol:

 Summary Advertisements
 Subset Advertisement
 Advertisement Requests
 VTP Join Messages

All switches use these messages to request information or advertise the VLANs they are aware of.
These messages are extremely important to understand as they are the foundation of the VTP protocol.

We'll take each message and analyse them individually, explaining their purpose and usage, but before
we proceed, let's take a quick visual look at the messages and their types to help make all the above
clearer:

First up is the 'Summary Advertisements'.

VTP PROTOCOL - SUMMARY ADVERTISEMENT MESSAGE

The 'Summary Advertisement' message is issued by all VTP Domain Servers at 5 minute intervals, that is,
every 300 seconds. These advertisements inform nearby Catalyst switches of a variety of information,
including the VTP domain name, configuration revision number, timestamp, MD5 digest, and the number
of subset advertisements to follow.

The configuration revision number is a value each switch stores to help it identify new changes made in
the VTP domain. For those experienced with DNS, it's pretty much the same as the DNS serial number.
Each time a VTP Server's configuration is changed, the configuration revision number will automatically
increment by one.

When a switch receives a summary advertisement message, it will first compare the VTP domain
name (Mgmt Domain Name field) with its own.

If the domain name is found to be different, it will discard the message and forward it out its trunk links.
However, in the likely case that the domain name is found to be the same, it will then check
the configuration revision number (Config Revision No.) and, if found to be the same as or lower than its
own, it will ignore the advertisement. If, on the other hand, it is found to be greater, an advertisement
request is sent out.

The Updater Identity field contains the IP Address of the switch that last incremented the Configuration
Revision Number, while the Update Timestamp field gives the time the last update took place.

The MD5 (Message Digest 5) field carries a digest computed using the VTP password, where one is
configured, and is used to validate the VTP update.

Lastly, summary advertisements are usually followed by Subset Advertisements; this is indicated by
the Followers field, and the Subset Advertisement is the next message we'll be closely examining.
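To make the decision rules above concrete, here is an added example (not code from the original article) that decodes a summary advertisement and applies them, including the Transparent mode behaviour described earlier. The field layout is an assumption: the fields this page lists, with widths taken from Cisco's published VTP frame format; the sample frame is constructed, not captured.

```python
import struct
from dataclasses import dataclass

# Assumed layout of a VTP Summary Advertisement (Code 0x01): version, code,
# followers, domain length, 32-byte domain name, 4-byte config revision,
# 4-byte updater identity (IPv4), 12-byte timestamp, 16-byte MD5 digest.
SUMMARY_FMT = "!BBBB32sI4s12s16s"
SUMMARY_LEN = struct.calcsize(SUMMARY_FMT)   # 72 bytes


@dataclass
class SummaryAdvert:
    version: int
    followers: int      # number of Subset Advertisements to follow
    domain: str         # Mgmt Domain Name
    revision: int       # Config Revision No.
    updater: str        # Updater Identity, as dotted IPv4
    timestamp: str      # Update Timestamp
    digest: bytes       # 16-byte MD5 digest (carried, not recomputed here)


def parse_summary(frame):
    """Decode the fixed fields of a summary advertisement; rejects other codes."""
    if len(frame) < SUMMARY_LEN:
        raise ValueError("truncated VTP summary advertisement")
    ver, code, followers, dlen, dname, rev, upd, ts, digest = struct.unpack(
        SUMMARY_FMT, frame[:SUMMARY_LEN])
    if code != 0x01:
        raise ValueError("not a summary advertisement: code 0x%02x" % code)
    if dlen > 32:
        raise ValueError("domain length exceeds the 32-byte name field")
    return SummaryAdvert(ver, followers, dname[:dlen].decode("ascii"), rev,
                         ".".join(str(b) for b in upd),
                         ts.rstrip(b"\x00").decode("ascii", "replace"), digest)


def handle_summary(adv, mode, own_domain, own_revision):
    """Decision rules from the page: what a switch does with a received summary."""
    if mode == "transparent":
        return "forward"                 # relay out the other trunks, never process
    if adv.domain != own_domain:
        return "ignore"                  # belongs to a different management domain
    if adv.revision <= own_revision:
        return "ignore"                  # nothing newer than the local database
    return "send_advertisement_request"  # ask for the subset advertisements


def build_summary(domain, revision, updater_ip, timestamp, digest, followers=1, version=2):
    """Constructed sample frame for offline use (not a packet capture)."""
    updater = bytes(int(octet) for octet in updater_ip.split("."))
    return struct.pack(SUMMARY_FMT, version, 0x01, followers, len(domain),
                       domain.encode("ascii"), revision, updater,
                       timestamp.encode("ascii"), digest)
```

Note that a higher revision number alone is enough to trigger a request; the digest is only carried here, since the page does not specify how it is computed.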

VTP PROTOCOL - SUBSET ADVERTISEMENT

As mentioned in the previous message, when VLAN changes are made on the Catalyst VTP Server, it will
then issue a Summary Advertisement, followed by a Subset Advertisement. Depending on how many
VLANs are configured in the domain, there might be more than one Subset Advertisement sent to ensure
all VLAN information is updated on the VTP Clients.

Comparing the fields of this message with the previous one, you'll notice most of them are identical,
except for the Sequence No. and VLAN Info fields.

The Code field for a Subset Advertisement is set to 0x02, while the Sequence No. field contains the
sequence of the packet in the stream of packets following a summary advertisement. The sequence
starts at 1 and increments for each packet in the stream.

Apart from these fields, we also have the VLAN Info Field, which happens to be the most important as it
contains all the VLAN information the switches are waiting for.

The VLAN Info Field will be presented in segments. Its complexity and importance require us to break it
up further and analyse the subfields it contains:

Each VLAN Info Field contains all the information required for one VLAN. This means that if our network
is powered with 10 VLANs and a Subset Advertisement is triggered, the VTP Server will send a total
of 10 Subset Advertisements since each VLAN Info Field contains data for one VLAN.

The most important subfields in the VLAN Info Field are the VLAN Name Length, ISL VLAN ID, MTU
Size and VLAN Name. These subfields contain critical information about the VLAN advertised in the
particular Subset Advertisement frame. Some might be surprised to see settings such as the MTU being
configurable per VLAN, and this confirms that each VLAN is treated as a separate network, where even
different MTU sizes are possible amongst your network's VLANs.

ADVERTISEMENT REQUESTS

Turning a switch off will result in losing all the VTP information stored in its memory (RAM). When the
switch is next turned on, its database is reset and therefore needs to be updated with the latest version
available from the VTP Server(s).

A switch will also send an Advertisement Request when it hears a VTP summary advertisement with a
higher revision number than what it currently has. Another scenario where a request would be issued is
when the VTP domain membership has changed, even though this is quite uncommon since the VTP
domain name is rarely, if ever, changed after its initial configuration.

So what happens when an Advertisement Request hits the streets of your network?

As you would already be aware from the message types we have just covered, the VTP Server will
respond with a Summary Advertisement, followed by as many Subset Advertisements as are required to
inform the VTP Clients about the currently configured VLANs.

The diagram below shows the structure of an Advertisement Request sent by a VTP Client switch:

Most fields, as you can see, are similar to those of the previous messages, except two: Reserved and
Starting Advertisement To Request. The Reserved field is exactly what it implies - reserved and not used
in Advertisement Request messages - while the Starting Advertisement To Request field is the actual
request sent by the VTP Client.

VTP JOIN MESSAGES

VTP Join Messages are similar to the Advertisement Request messages, but with a different Message
Type field value and a few more parameters. As indicated by the message name, a VTP Join
Message is sent when a VTP Client first joins a VTP domain, informing the VTP Server(s) about the
new guy in town :)

OTHER VTP OPTIONS - VTP PASSWORD

The VTP Password is a feature that all security conscious Administrators/Engineers will welcome. With
the password feature, you are able to secure your VTP Domain, since only switches configured with the
correct password are able to validate, and therefore accept, the VTP messages advertised in the
management VLAN.

By default the VTP Password option is not turned on, and therefore most management VLANs are set to
use non-secure advertisements. Once enabled on the VTP Domain Server(s), all switches participating in
the domain must be manually configured with the same password, otherwise they will fail to validate
incoming VTP messages.

SUMMARY

This page analysed the structure of each message the VTP protocol currently supports to maintain the
network's switches in synchronisation with the VTP domain server(s):

 Summary Advertisements
 Subset Advertisement
 Advertisement Requests
 VTP Join Messages

We're sure you would agree that VLANs are in fact a whole study case alone, but at the same time it's
quite exciting as new concepts and methods of ensuring stability, speed and reliability are revealed.
This completes our in-depth discussion of the VTP protocol messages. Next up is VTP Pruning, a nice
service that ensures our network backbone is not constantly flooded with unnecessary traffic. We are
sure you'll enjoy the page, along with the awesome diagrams we have prepared.

VTP PRUNING
WRITTEN BY ADMINISTRATOR. POSTED IN VIRTUAL TRUNK PROTOCOL (CISCO VTP)

INTRODUCTION

As you would be aware, a switched network creates one broadcast domain, similar to that of a VLAN
powered network, where all nodes belonging to the same VLAN are part of the same broadcast domain,
receiving all broadcasts sent on their network.

THE BROADCAST AND UNICAST PROBLEM IN VLAN NETWORKS

What we are about to see is how these broadcasts can actually create problems by flooding the VLAN
network with unnecessary traffic, and depending on your network setup, this can prove to be a huge
problem. The reason for this is that the trunk links interconnecting your network switches will carry
these broadcasts to every switch in the network, regardless of which VLAN the broadcast is intended for.

As shown and described, a host connected to a port configured for VLAN 2 on Switch 1 (first switch on
the left) generates a network broadcast. Naturally, the switch will forward the broadcast out all ports
assigned to the same VLAN it was received from, that is, VLAN 2.

In addition, the Catalyst switch will forward the broadcast out its trunk link, so it may reach all ports in the
network assigned to VLAN 2. The Root switch receives the broadcast through one of its trunks and
immediately forwards it out the other two - towards Switch 2 & 3.

Switch 2 is delighted to receive the broadcast as it does in fact have one port assigned to VLAN 2. Switch
3, however, is a different case - it has no ports assigned to VLAN 2 and will therefore drop the broadcast
packet it receives.

In this example, the bandwidth usage was inefficient because one broadcast packet was sent over all
possible trunk links, and was then dropped by Switch 3.

You might ask yourself 'So what's the big deal?'.

The problem here is small and can easily be ignored... but consider a network of fifteen or more 12 port
switches (this translates to at least 210 nodes) and you can start to appreciate how serious the problem
can get. To make things worse (and more realistic), consider you're using 24 port switches, then you're all
of a sudden talking about more than 300 nodes!

To further help understand how serious the problem gets, let's take a look at our example network below:

Here we have a medium sized network powered by Cisco Catalyst switches. The two main switches up
the top are the VTP servers and also perform Layer 3 switching by routing packets between the VLANs
we've created.

Right below them you'll find our Catalyst 2950 switches, which are connected to the core switches via
redundant fiber trunk links. Directly below our 2950s are our Catalyst 2948 switches, which connect all
workstations to the network.

A workstation connected to a port assigned to VLAN 2 decided to send a network broadcast looking for a
specific network resource. While the workstation is totally unaware of our network design and complexity,
its broadcast is the reason all our trunks will flood with unwanted traffic, consuming valuable bandwidth!

Let's take a look at what happens:

We don't think describing the above is actually required, as the diagram shows all the information we need,
and we're confident you will agree that we are dealing with a big problem :)

So how do we fix this mess?

Keep reading, as you're about to learn.

THE SOLUTION: ENABLING VTP PRUNING

VTP Pruning, as you might have already guessed, solves the above problem by reducing the unnecessary
flooded traffic described previously. This is done by forwarding broadcasts and unknown unicast frames
on a VLAN over trunk links only if the receiving end of the trunk has ports in that VLAN.

Looking at the above diagram, you will notice that the Root Catalyst 3550 switch receives a broadcast
from Switch 1, but only forwards it out one of its trunks. The Root switch knows that the broadcast
belongs to VLAN 2 and, furthermore, is aware that no port is assigned to VLAN 2 on Switch 3; therefore it
won't forward it out the trunk that leads to that switch.

SUPPORT FOR VTP PRUNING

The VTP Pruning service is supported by both version 1 and version 2 of the VTP protocol. With VTP
1, VTP pruning is possible with the use of additional VTP message types.

When a Cisco Catalyst switch has ports associated with a VLAN, it will send an advertisement to its
neighboring switches informing them about the ports it has active on that VLAN. This information is then
stored by the neighbors and used to decide if flooded traffic from a VLAN should be forwarded to the
switch via the trunk port or not.

Note: VTP Pruning is disabled by default on all Cisco Catalyst switches and can be enabled by
issuing the "set vtp pruning enable" command.

If this command is issued on the VTP Server(s) of your network, then pruning is enabled for
the entire management domain.

VTP Pruning configuration and commands are covered in section 11.4 as outlined in the VLAN
Introduction page, however, we should inform you that you can actually enable pruning for specific
VLANs in your network.

When you enable VTP Pruning on your network, all VLANs become eligible for pruning on all trunk links.
This default list of pruning eligibility can thankfully be modified to suit your needs, but you must first clear
all VLANs from the list using the "clear vtp prune-eligible vlan-range" command and then set the VLAN
range you wish to add to the prune-eligible list by issuing the following command: "set vtp prune-eligible
vlan-range", where 'vlan-range' is the actual inclusive range of VLANs, e.g. '2-20'.

By default, VLANs 2–1000 are eligible for pruning. VLAN 1 has a special meaning because it is normally
used as a management VLAN and is never eligible for pruning, while VLANs 1001–1005 are also never
eligible for pruning. If the VLANs are configured as pruning-ineligible, the flooding continues as illustrated
in our examples.
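The forwarding decision and the eligibility rules above, as an added example (not code from the original article): a constructed model of the page's Root/Switch 1/2/3 topology in which each neighbour is asked which VLANs have active ports on its side of the trunk, and a flooded frame is only sent over a trunk when pruning is off, the VLAN is ineligible, or that side actually needs the VLAN. The topology, the port assignments and the function names are assumptions for illustration.

```python
# Constructed topology mirroring the page's example: a Root switch with a trunk to
# each of Switch 1, 2 and 3; only Switches 1 and 2 have ports assigned to VLAN 2.
TRUNKS = {"Root": ["Switch1", "Switch2", "Switch3"],
          "Switch1": ["Root"], "Switch2": ["Root"], "Switch3": ["Root"]}
ACTIVE_VLANS = {"Root": set(), "Switch1": {2, 3}, "Switch2": {2}, "Switch3": {3}}

# VLAN 1 (management) and VLANs 1001-1005 are never prune-eligible; 2-1000 are by default.
NEVER_PRUNED = {1} | set(range(1001, 1006))


def default_prune_eligible():
    return set(range(2, 1001))


def prune_eligible_from_range(vlan_range):
    """Parse an inclusive range such as '2-20' (the form 'set vtp prune-eligible'
    takes) into an eligible set, dropping any VLAN that can never be pruned."""
    lo, _, hi = vlan_range.partition("-")
    return set(range(int(lo), int(hi or lo) + 1)) - NEVER_PRUNED


def vlans_needed_beyond(switch, came_from, trunks=TRUNKS, active=ACTIVE_VLANS):
    """VLANs with active ports on `switch` or on any switch behind it (tree topology
    assumed). This is what a neighbour learns from the switch's pruning advertisements."""
    needed = set(active[switch])
    for nxt in trunks[switch]:
        if nxt != came_from:
            needed |= vlans_needed_beyond(nxt, switch, trunks, active)
    return needed


def trunks_to_flood(vlan, local, arrived_on, pruning_on, eligible=None,
                    trunks=TRUNKS, active=ACTIVE_VLANS):
    """Trunks over which `local` floods a broadcast or unknown-unicast frame on `vlan`
    that arrived from neighbour `arrived_on` (None when it came in on an access port)."""
    eligible = default_prune_eligible() if eligible is None else eligible
    out = []
    for neighbour in trunks[local]:
        if neighbour == arrived_on:
            continue   # never flood a frame back over the trunk it arrived on
        if (pruning_on and vlan in eligible
                and vlan not in vlans_needed_beyond(neighbour, local, trunks, active)):
            continue   # pruned: nothing on that side of the trunk has ports in this VLAN
        out.append(neighbour)
    return out
```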

SUMMARY

VTP Pruning can in fact be an administrator's best friend in any Cisco powered network, increasing
available bandwidth by restricting flooded traffic to those trunk links that the traffic must use to reach the
destination devices.

At this point, we have also come to the end of the first part of our VLAN presentation. As we are still
working on the second and final part of the VLAN topic, we hope these pages will keep you going until it
is complete.
