
Virtual LAN (VLAN)

Topics

Where does VLAN come from?
Flat network and problems with a flat network
  Bandwidth
  Security
  Load balancing
What is VLAN?

I. Where does VLAN come from?

Now, let's look at the picture.

This is a flat network.

[Figure: Flat Network]

It is called a flat network because it is a full Layer 2-only switched network.

Flat Network
A flat network is a single broadcast domain: every connected device sees every broadcast packet transmitted by any host in the network. Each port on a switch is its own collision domain, so a switch only reduces the size of the collision domains. The switch does not, however, prevent the propagation of broadcast packets. This causes a number of problems in a flat network.

Problems with Flat Network

Bandwidth problem.
Security problem.
Load balancing problem.

Bandwidth Problem.

In some cases, a layer-2 switched campus network can span several buildings. A high number of users on the network generates a lot of traffic, and remember that in a flat network every host receives and processes every frame sent.

So this leads to great demands on bandwidth, and the performance of the network decreases.

Security Problem.
Because all users can see one another in a flat layer-2 environment, it is very hard to provide security.

In the following picture, we will see that it is very hard to prevent PC D from reaching the File Server, because they are in the same subnet.

[Figure: File Server and PCs A, B, C, D on the flat network]

Load Balancing Problem.

In a flat network, it is difficult to establish alternative paths to a destination because of broadcast loops. So load balancing is not possible.

[Figure: File Server and PCs A, B, C, D on the flat network]

The solution for these problems is the Virtual LAN (VLAN).

What is VLAN?

[Figure: File Server, PC A, PC B, PC C and PC D (red connectors) in VLAN 10; PC X and PC Y (blue connectors) in VLAN 90]

A VLAN is a logical subnet composed of specified members, created on a switch. Subnets are also referred to as segments or broadcast domains.

In the figure above, we see that PCs with red connectors are members of VLAN 10, and PCs with blue connectors are members of VLAN 90.

Stations in a logical subnet do not need to be connected to the same physical cable segment. PC D does not connect to the same segment as PCs A, B and C (yet it belongs to VLAN 10 as they do).

All devices in a VLAN are members of the same broadcast domain. This means that every station in a VLAN receives any broadcast sent by any member of that VLAN. Stations that are not members of the VLAN do not receive the broadcast.

PCs A, B, C and D can communicate with one another. PCs X and Y can see each other. But PCs in VLAN 90 (X, Y) cannot communicate with PCs in VLAN 10 (A, B, C, D).

Using VLAN to solve the bandwidth problem.

[Figure: File Server, PC A, PC B, PC C, PC D in VLAN 10; PC X, PC Y in VLAN 90]

By dividing networks into smaller broadcast domains, VLANs reduce bandwidth demands.

Any traffic originating within a subnet remains within that subnet, so VLANs solve the bandwidth problem.

Using VLAN to solve the security problem.

[Figure: File Server, PC A, PC B, PC C, PC D in VLAN 10; PC X, PC Y in VLAN 90]

Because VLANs are configured as individual subnets, they provide a greater level of security.

[Figure: router SanJose (router on a stick) connecting VLAN 30 (File Server 3.3.3.3), VLAN 10 (PC A 1.1.1.2, PC B, PC C, PC D) and VLAN 90 (PC X, PC Y 2.2.2.2)]

When traffic needs to be transferred from one VLAN to another, a router or a dedicated routing device is used to route between each VLAN subnet.

This layer-3 device is sometimes referred to as a router on a stick.

Now we want to deny PC A (1.1.1.2) access to the File Server (3.3.3.3) and allow only PC Y (2.2.2.2). To do so, we can make an access list on router SanJose that permits IP address 2.2.2.2 and denies IP address 1.1.1.2 to the File Server (3.3.3.3).

We cannot do that with a layer 2 switch in a flat network. So VLANs can solve the security problem.

VLAN Membership Modes

VLAN link types

There are two types of link associated with VLANs:
Access links.
Trunk links.

Access links

[Figure: access links on a switch, each belonging to one of VLAN 2, VLAN 3 or VLAN 4]

An access link is a link that is strictly a member of one VLAN only. An access link transports frames of just one VLAN. Access links are usually used to attach PCs, servers, or printers.

Trunk links

There are two types of trunk links:
Layer 2 trunk links.
Layer 3 trunk links.

Layer 2 trunk links

[Figure: Switch 1 (PC A in VLAN 1, PC B in VLAN 3, PC C in VLAN 2) joined to Switch 2 (PC X in VLAN 1, PC Z in VLAN 2, and VLAN 3 hosts) by three access links 1, 2 and 3]

We see that if PC A in VLAN 1 on Switch 1 wants to talk to PC X in VLAN 1 on Switch 2, there must be an access link (link 1) connected between Switch 1 and Switch 2. The same holds for the VLAN 2 and VLAN 3 members. So in total we need 3 access links to connect the 3 VLANs (1, 2, 3) in order for their members to talk to each other.

And notice that access link 1 must belong to VLAN 1, access link 2 must belong to VLAN 2 and access link 3 must belong to VLAN 3.

So what will happen if we have 30 or 300 VLANs?

[Figure: Switch 1 and Switch 2 joined by a single link carrying VLANs 1, 2 and 3]

We see that now only one link is needed to connect Switch 1 and Switch 2, and members of the same VLAN can still talk to each other. This link is called a layer 2 trunk link.

There is one important thing to take care of: with a layer 2 trunk link, a member of one VLAN can see other members of that VLAN only. It cannot talk to members of other VLANs. In order for PC A to talk to PC B or PC C, a layer 3 device such as a router or a layer 3 switch is needed.

Layer 3 trunk links

So what will happen if we have 30 or 300 VLANs?

[Figure: Switch 1 (PC A in VLAN 1, PC C in VLAN 2, VLAN 3 hosts) connected to a Router by three separate interfaces E0, E1 and E2, one per VLAN]

A port configured as an access link cannot communicate with other VLANs unless it has access to a router. The impracticality of this method is that we need a router with a lot of NICs.

[Figure: Switch 1 (VLANs 1, 2, 3; PCs A, C, D) connected to the Router by a single trunk link on interface F0/0]

A layer 3 trunk link is a link that can carry traffic from multiple VLANs. It does not belong to any specific VLAN.

You can configure a trunk link to transport all VLANs, or you can limit it to a specific set of VLANs. The important thing is that layer 3 trunking requires a high speed LAN interface on the router (>100 Mbps).

Sub-interfaces

[Figure: Router F0/0 trunked to Switch 1, which carries VLAN 1 (192.168.1.0), VLAN 2 (10.0.0.0) and VLAN 3 (172.16.0.0)]

A VLAN is a logical subnet = a segment = a broadcast domain. It has its own IP network address.

A trunk link can reduce the number of LAN interfaces needed on the router. But only one IP network address can be assigned to an interface.

Dividing a Physical Interface into Subinterfaces

Cisco IOS allows separate logical subinterfaces to be created from a physical interface.

[Figure: F0/0 divided into subinterfaces F0/0.1, F0/0.2 and F0/0.3, one per VLAN, with router addresses 192.168.1.1, 10.0.0.1 and 172.16.0.1]

Each subinterface represents one VLAN. We can assign an IP address to each subinterface.
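Added example (not part of the original slides, and not Cisco's code): a Python model of router SanJose as a router on a stick, with one subinterface per VLAN as described above and the access list from the security section, which permits PC Y (2.2.2.2) and denies PC A (1.1.1.2) to the File Server (3.3.3.3). The subinterface names F0/0.10, F0/0.90 and F0/0.30, the /24 masks and the final permit-any entry are assumptions; the model also shows that traffic staying inside one VLAN never reaches the router, so the access list cannot filter it.

```python
import ipaddress

# Constructed from the SanJose figure: one router subinterface per VLAN.
# Subinterface names and the /24 masks are assumptions; the host addresses
# (1.1.1.2, 2.2.2.2, 3.3.3.3) and VLAN numbers come from the slides.
SUBINTERFACES = {
    "F0/0.10": (10, ipaddress.ip_network("1.1.1.0/24")),  # VLAN 10: PC A, B, C, D
    "F0/0.90": (90, ipaddress.ip_network("2.2.2.0/24")),  # VLAN 90: PC X, Y
    "F0/0.30": (30, ipaddress.ip_network("3.3.3.0/24")),  # VLAN 30: File Server
}

# Access list as on router SanJose: evaluated top-down, first match wins,
# and anything not matched is dropped by the implicit deny at the end.
ACL_FILE_SERVER = [
    ("permit", "2.2.2.2", "3.3.3.3"),  # PC Y may reach the File Server
    ("deny",   "1.1.1.2", "3.3.3.3"),  # PC A may not
    ("permit", "any",     "any"),      # other inter-VLAN traffic is unaffected (assumed)
]

def acl_allows(acl, src, dst):
    """First-match evaluation with an implicit deny when nothing matches."""
    for action, s, d in acl:
        if s in ("any", src) and d in ("any", dst):
            return action == "permit"
    return False

def subinterface_for(ip):
    """Name of the subinterface whose subnet contains ip, or None."""
    addr = ipaddress.ip_address(ip)
    return next((n for n, (_, net) in SUBINTERFACES.items() if addr in net), None)

def route(src, dst, acl=ACL_FILE_SERVER):
    """Router-on-a-stick decision: egress subinterface name, or why it was dropped."""
    ingress, egress = subinterface_for(src), subinterface_for(dst)
    if ingress is None or egress is None:
        return "dropped: no route"
    if ingress == egress:
        # Same VLAN: the switch forwards at layer 2; the router and its ACL never see it.
        return "switched within VLAN %d" % SUBINTERFACES[ingress][0]
    if not acl_allows(acl, src, dst):
        return "dropped: denied by access list"
    return egress
```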


VLAN Frame Identification

[Figure: four switches in a chain (Switch 1 to Switch 4); PCs A, B, C, D on Switch 1 and X, Y, Z, U on Switch 4, with VLANs 1, 2 and 3 spanning all switches]

Users in a campus network can be assigned to VLANs that span several switches. These switches need to be able to identify which traffic belongs to which VLAN so that they can direct it to the correct ports. This is where VLAN frame identification comes from.

VLAN frame identification is a technique that has been developed specifically for multi-VLAN, inter-switch communication. It operates at layer 2 (the data-link layer) of the OSI model.

How does VLAN Frame Identification work?

VLAN identification works by assigning a unique VLAN ID to each frame. The VLAN ID is added to each frame as it is forwarded through the switch fabric on trunk links.

Each switch checks the VLAN identifier to determine which VLAN the frame belongs to, so that it can transmit it to other ports in that VLAN. Let's take a tour from PC B to PC Y in VLAN 3.

A tour from PC B to PC Y (VLAN 3)

[Figure: the same four-switch topology; the frame from PC B is shown hop by hop as "Data"]

PC B wants to send data to PC Y, so it sends the frame to Switch 1.

Switch 1: "This frame is in VLAN 3, the destination MAC address of this frame is MAC Y, and the way to get there is through Switch 2."

Switch 1 receives the frame, checks its MAC address table and sees that this frame is in VLAN 3 and destined to VLAN 3 on Switch 2.

Switch 1: "The link between Switch 2 and me is a trunk link, so I have to add the VLAN ID of VLAN 3 to the frame, so that Switch 2 can distinguish it from VLAN 1 and VLAN 2 frames."

It adds the VLAN ID of VLAN 3 to the frame and sends the frame over the trunk link connected to Switch 2.

Switch 2: "This frame is destined to VLAN 3 and the way to get there is through Switch 3."

Switch 2 receives the frame and, after checking the VLAN ID, knows the frame is destined to VLAN 3 on Switch 4. Switch 2 then sends the frame out the appropriate port towards Switch 3.

At Switch 3 the same process happens.

When Switch 4 receives and checks the frame, it takes the VLAN ID out of the frame and sends it to PC Y.

PC Y receives the frame and knows that the frame is from PC B (according to the MAC address). But it does not know which VLAN it is in; only Switch 4 knows that information.

VLAN ID Encapsulation

The process of adding VLAN ID information to a frame is called encapsulation.

There are two types of trunking encapsulation:
Cisco Inter-Switch Link (ISL).
IEEE 802.1Q.

Cisco Inter-Switch Link (ISL)

[Figure: two Cisco switches, Switch 1 and Switch 2, joined by an ISL trunk carrying VLANs 1, 2 and 3]

ISL is a Cisco proprietary frame encapsulation protocol for interconnecting multiple switches. It is primarily used for Ethernet media. It is supported on Cisco Catalyst switches and Cisco routers only.

[Figure: PC A on an access link, a Cisco switch, an ISL trunk to a second Cisco switch, and PC X on an access link; the encapsulated frame is ISL Header + Frame + CRC]

When a frame is destined out a trunk link to another switch or router, ISL adds a 26-byte header and a 4-byte trailer to the frame. The source VLAN is identified with a 10-bit VLAN ID field in the header. The trailer contains a cyclic redundancy check (CRC) value to ensure the data integrity of the encapsulated frame.

IEEE 802.1Q

[Figure: a Cisco switch (Switch 1) and an HP switch (Switch 2) joined by an 802.1Q trunk carrying VLANs 1, 2 and 3]

IEEE 802.1Q is the industry standard for identifying VLANs transported over trunk links. It is also primarily used for Ethernet media. IEEE 802.1Q is an open standard.

[Figure: PC A on an access link, a Cisco switch, an 802.1Q trunk to an HP switch, and PC X on an access link; the frame carries an 802.1Q tag (+4 bytes)]

When a frame is destined out a trunk link to another switch or router, IEEE 802.1Q embeds (inserts) a VLAN identifier (tagging information) into the frame's existing header. This method is referred to as single-tagging or internal tagging. IEEE 802.1Q can support up to 4095 VLANs.
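As an added example (not code from the original slides), the following Python models the 802.1Q tagging just described on a trunk between two VLAN-aware switches and replays the tour from PC B to PC Y: the access port classifies the untagged frame into VLAN 3, Switch 1 inserts the 4-byte tag before the trunk, Switch 2 strips it before delivering to PC Y, and flooding for an unknown destination stays inside the VLAN (the broadcast-domain behaviour from the "What is VLAN?" section). MAC addresses, port names and the payload are constructed, and the switch model is simplified (no spanning tree, no native VLAN).

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q-tagged frame

def tag_frame(frame, vid, pcp=0):
    """Insert the 4-byte 802.1Q tag right after the source MAC (internal tagging)."""
    if not 1 <= vid <= 4094:  # VID 0 and 4095 are reserved by the standard
        raise ValueError("VLAN ID out of range")
    tci = (pcp << 13) | vid   # TCI: 3-bit priority, 1-bit DEI (0), 12-bit VID
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]

def untag_frame(frame):
    """Return (vid, frame without the tag); vid is None if no tag is present."""
    if struct.unpack("!H", frame[12:14])[0] != TPID_8021Q:
        return None, frame
    tci = struct.unpack("!H", frame[14:16])[0]
    return tci & 0x0FFF, frame[:12] + frame[16:]

class Switch:
    """VLAN-aware switch: access ports belong to one VLAN, trunks carry every VLAN tagged."""
    def __init__(self, access, trunks):
        self.access = access       # port name -> VLAN ID of that access link
        self.trunks = set(trunks)  # ports on which frames are sent and received tagged
        self.mac_table = {}        # (vid, mac) -> port, learned separately per VLAN

    def receive(self, in_port, frame):
        """Classify by VLAN, learn the source MAC and return {out_port: frame_to_send}."""
        if in_port in self.trunks:
            vid, frame = untag_frame(frame)  # the tag says which VLAN the frame belongs to
        else:
            vid = self.access[in_port]       # an untagged frame belongs to the port's VLAN
        dst, src = frame[:6], frame[6:12]
        self.mac_table[(vid, src)] = in_port
        known = self.mac_table.get((vid, dst))
        ports = [known] if known else (  # unknown dst or broadcast: flood inside this VLAN only
            [p for p, v in self.access.items() if v == vid] + list(self.trunks))
        return {p: tag_frame(frame, vid) if p in self.trunks else frame
                for p in ports if p != in_port}

def tour_b_to_y():
    """PC B (VLAN 3 on Switch 1) sends to PC Y (VLAN 3 on Switch 2) over one trunk."""
    mac = {n: bytes([0, 0, 0, 0, 0, i]) for i, n in enumerate("ABCXYZ", 1)}  # constructed
    sw1 = Switch({"A": 1, "B": 3, "C": 2}, ["trunk"])
    sw2 = Switch({"X": 1, "Y": 3, "Z": 2}, ["trunk"])
    frame = mac["Y"] + mac["B"] + b"\x08\x00" + b"hello Y"  # untagged IPv4 frame, constructed
    out1 = sw1.receive("B", frame)              # leaves only on the trunk, tagged with VID 3
    out2 = sw2.receive("trunk", out1["trunk"])  # leaves only on port Y, with the tag removed
    return frame, out1, out2
```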

802.1Q Frame

[Figure: 802.1Q frame]

Configuring static VLANs

The following guidelines must be followed when configuring VLANs on Cisco 29xx switches:
The maximum number of VLANs is switch dependent.
VLAN 1 is one of the factory-default VLANs.
VLAN 1 is the default Ethernet VLAN.
Cisco Discovery Protocol (CDP) and VLAN Trunking Protocol (VTP) advertisements are sent on VLAN 1.
The Catalyst 29xx IP address is in the VLAN 1 broadcast domain by default.
The switch must be in VTP server mode to create, add, or delete VLANs.

The steps necessary to create the VLAN are shown below. A VLAN name may also be configured, if necessary.

Switch#vlan database
Switch(vlan)#vlan vlan_number
Switch(vlan)#exit

Example: Create VLAN 2 with the name Marketing

Switch#vlan database
Switch(vlan)#vlan 2 name Marketing
Switch(vlan)#exit

Assign VLAN to a Switch port

Deleting VLANs
