
Document: Virtual LANs (docx)




DOCUMENT INFORMATION

Contents

Chapter 8: Virtual LANs

CERTIFICATION OBJECTIVES
8.01 Virtual LAN Overview
8.02 VLAN Connections
8.03 VLAN Trunk Protocol
8.04 1900 and 2950 VLAN Configuration
Two Minute Drill
Q&A Self Test

CertPrs8 / CCNA Cisco Certified Network Associate Study Guide / Deal / 222934-9 / Chapter 8, Blind Folio 8:1
D:\omh\CertPrs8\934-9\ch08.vp Monday, August 04, 2003 12:11:56 PM Color profile: Generic CMYK printer profile Composite Default screen

As was mentioned in Chapters 2 and 7, layer-2 devices, including bridges and switches, always propagate certain kinds of traffic in the broadcast domain: broadcasts, multicasts, and unknown destination traffic. This process impacts every machine in the broadcast domain (layer-2 network). It impacts the bandwidth of these devices' connections as well as their local processing. If you were using bridges, the only solution available to solve this problem would be to break up the broadcast domain into multiple broadcast domains and interconnect these domains with a router. With this approach, each new broadcast domain would be a new logical segment and would need a unique network number to differentiate it from the other layer-3 logical segments. Unfortunately, this is a costly solution, since each broadcast domain, each logical segment, needs its own port on a router. The more domains that you have, the bigger the router that you have to purchase.

As you will see in this chapter, switches also have the same problem with traffic that must be flooded. You will see, however, that switches have a unique solution to reduce the number of router ports required, and thus the cost of the layer-3 device that you need to obtain: virtual LANs and trunking.

CERTIFICATION OBJECTIVE 8.01
Virtual LAN Overview

A virtual LAN (VLAN) is a group of networking devices in the same broadcast domain. The top part of Figure 8-1 shows an example of a simple VLAN, where every device is in both the same collision and broadcast domains. In this example, a hub is providing the connectivity, which represents, to the devices connected to it, that the segment is a logical segment. The bottom part of Figure 8-1 shows an example of a switch with four PCs connected to it. One major difference between the switch and the hub is that all devices connected to the hub are in the same collision domain, whereas in the switch example, each port of the switch is a separate collision domain. By default, all ports on a switch are in the same broadcast domain. In this example, however, the configuration of the switch places PC-E and PC-F in one broadcast domain (VLAN) and PC-G and PC-H in another broadcast domain.

FIGURE 8-1  VLAN examples

Switches are used to create VLANs, or separate broadcast domains. VLANs are not restricted to any physical boundary in the switched network, assuming that all the devices are interconnected via switches and that there are no intervening layer-3 devices. For example, a VLAN could be spread across multiple switches, or be contained in the same switch, as is shown in Figure 8-2. In this example, there are three VLANs. Notice that VLANs are not tied to any physical location: PC-A, PC-B, PC-E, and PC-F are in the same VLAN, but are connected to different ports of different switches. However, a VLAN could be contained to one switch, as PC-C and PC-D are connected to SwitchA.

The switches in your network are what maintain the integrity of your VLANs. For example, if PC-A generates a broadcast, SwitchA and SwitchB will make sure that only other devices in that VLAN (PC-B, PC-E, and PC-F) will see the broadcast, and that other devices will not, and that holds true even across switches, as is the case in Figure 8-2.

FIGURE 8-2  Physical switched topology using VLANs

Subnets and VLANs

Logically speaking, VLANs are also subnets. A subnet, or a network, is a contained broadcast domain. A broadcast that occurs in one subnet will not be forwarded, by default, to another subnet. Routers, or layer-3 devices, provide this boundary function. Each of these subnets requires a unique network number. And to move from one network number to another, you need a router. In this case of broadcast domains and switches, each of these separate broadcast domains is a separate VLAN; and therefore, you still need a routing function.

    A VLAN is a group of devices in the same broadcast domain or subnet. You need a router to move traffic between VLANs. The 1900 and the 2950 SI support 64 VLANs.

From the user's perspective, the physical topology shown in Figure 8-2 would actually look like Figure 8-3. And from the user's perspective, the devices know that to reach another VLAN, they must forward their traffic to the default gateway address in their VLAN—the IP address on the router's interface. One advantage that switches have over bridges, though, is that in a switched VLAN network, assuming your routing function supports VLANs, the switch can handle multiple VLANs on a single port and a router can route between these VLANs on the same single port. With a bridge, each VLAN must be placed on a separate port of a router, increasing the cost of your routing solution.

FIGURE 8-3  Logical topology using VLANs

Cisco has recommendations as to the number of devices in a VLAN, which are shown in Table 8-1. Remember that these numbers are recommendations from Cisco, recommendations backed by many years of designing and implementing networks. Each network has its own, unique, characteristics. I once saw a broadcast domain that had almost 1,500 devices in it; it worked, but not very well.

TABLE 8-1  Recommendations for Number of Devices in a VLAN

    Protocol          Number of Devices
    IP                500
    IPX               300
    NetBIOS           200
    AppleTalk         200
    Mixed protocols   200

Scalability

Through segmentation of broadcast domains, VLANs increase your scalability. Since VLANs are a logical construct, a user can be located anywhere in the switched network and still belong to the same broadcast domain. If you move a user from one switch to another switch in the same switched network, you can still keep the user in his original VLAN. This includes a move from one floor of a building to another floor, or from one part of the campus to another. The limitation is that the user, when moved, must still be connected to the same layer-2 network. Table 8-2 lists the VLAN capabilities of the 1900 and 2950 switches.

VLANs provide for location independence. This flexibility makes adds, changes, and moves of networking devices a simple process. It also allows you to group people together, perhaps according to their job function, which also makes implementing your security policies straightforward.

    The 1900 and the 2950 SI support 64 VLANs.

TABLE 8-2  VLAN Capabilities of the Cisco Switches

    Switch Model   Software Revision          Number of VLANs
    1900           Enterprise IOS             64
    2950           IOS Standard Image (SI)    64
    2950           IOS Enhanced Image (EI)    250

VLAN Membership

A device's membership in a VLAN can be determined by one of two methods: static or dynamic. These methods affect how a switch will associate a port in its chassis with a particular VLAN. When you are dealing with static VLANs, you must manually assign a port on a switch to a VLAN using an Interface Subconfiguration mode command. VLANs configured in this way are typically called port-based VLANs. With dynamic VLANs, the switch automatically assigns the port to a VLAN using information from the user device, such as its MAC address, IP address, or even directory information (a user or group name, for instance). The switch then consults a policy server, called a VLAN membership policy server (VMPS), which contains a mapping of device information to VLANs. One of the switches in your network must be configured as this server. The 1900 and 2950 switches cannot serve as a VMPS server switch, but other switches, such as the Catalyst 6500, can. In this situation, the 1900 and 2950 switches act as clients and use the 6500 to store the dynamic VLAN membership information.

Dynamic VLANs have one main advantage over static VLANs: they support plug-and-play movability. For instance, if you move a PC from a port on one switch to a port on another switch and you are using dynamic VLANs, the new switch port will automatically be configured for the VLAN the user belongs to. About the only time that you have to configure information with dynamic VLANs is if you hire an employee, an employee leaves the company, or the employee changes job functions. If you are using static VLANs, not only will you have to manually configure the switch port with this updated information, but if you move the user from one switch to another, you will also have to perform this manual configuration to reflect the user's new VLAN membership.

One advantage, though, that static VLANs have over dynamic VLANs is that, since they have been around much longer than dynamic VLANs, the configuration process is easy and straightforward. With dynamic VLANs, a lot of initial preparation must be made involving matching users to VLANs. This book focuses exclusively on static VLANs. Dynamic VLANs are beyond the scope of this book, though they are covered in Cisco's CCNP and CCDP Switching exam.

    Static VLANs are also called port-based VLANs.

CERTIFICATION OBJECTIVE 8.02
VLAN Connections

When dealing with VLANs, switches support two types of connections: access links and trunks. When setting up your switches, you will need to know what type of connection an interface is and configure it appropriately. As you will see, the configuration process for each is different. The remainder of this section discusses the two types of connections.

Access-Link Connections

An access-link connection is a connection to a device that has a standardized Ethernet NIC that understands only standardized Ethernet frames—in other words, a normal NIC card that understands IEEE 802.3 and/or Ethernet II frames. Access-link connections can only be associated with a single VLAN. This means that any device or devices connected to this port will be in the same broadcast domain. For example, if you have ten users connected to a hub, and you plug the hub into an access-link interface on a switch, then all of these users will belong to the same VLAN that is associated with the switch port. If you wanted five users on the hub to belong to one VLAN and the other five to a different VLAN, you would need to purchase an additional hub and plug each hub into a different switch port. Then, on the switch, you would need to configure each of these ports with the correct VLAN identifier.

    An access-link connection is a connection between a switch and a device with a normal Ethernet NIC, where the Ethernet frames are transmitted unaltered.

Trunk Connections

Unlike access-link connections, trunk connections are capable of carrying traffic for multiple VLANs. In order to support trunking, the original Ethernet frame must be modified to carry VLAN information. This is to ensure that the broadcast integrity is maintained. For instance, if a device from VLAN 1 has generated a broadcast and the connected switch has received it, when this switch forwards it to other switches, these switches need to know the VLAN origin so that they forward this frame only out of VLAN 1 ports and not other VLAN ports.

Cisco supports four trunk methods to maintain VLAN integrity:

■ Cisco's proprietary InterSwitch Link (ISL) protocol for Ethernet
■ IEEE's 802.1Q, commonly referred to as dot1q, for Ethernet
■ LANE for ATM
■ 802.10 for FDDI (proprietary Cisco implementation)

These trunking methods create the illusion that instead of a single physical connection between the two trunking devices, there is a separate logical connection for each VLAN between them. When trunking, the switch adds the source port's VLAN identifier to the frame so that the device at the other end of the trunk understands what VLAN originated this frame and can make intelligent forwarding decisions on not just the destination MAC address, but also the source VLAN identifier.

Since information is added to the original Ethernet frame, normal NICs will not understand this information and will typically drop the frame. Therefore, you need to ensure that when you set up a trunk connection on a switch's interface, the device at the other end also has trunking configured. If the device at the other end doesn't understand these modified frames or is not set up for trunking, it will drop the frames.

The modification of these frames, commonly called tagging, is done in hardware by application-specific integrated circuits (ASICs). ASICs are specialized processors. Since the tagging is done in hardware at faster than wire speeds, no latency is involved in the actual tagging process. And to ensure compatibility with access-link devices, switches will strip off the tagging information and forward the original Ethernet frame to the device connected to the access-link connection. From the user's perspective, the source generates a normal Ethernet frame and the destination receives this frame, which is an Ethernet 802.3 or II frame coming in and the same going out. In reality, this frame is tagged as it enters the switched infrastructure and sheds the tag as it exits the infrastructure: the process of tagging and untagging the frame is hidden from the users on access-link connections.

    A trunk modifies the original frame to carry VLAN information. Remember the four trunking methods.

Trunk links are common between certain types of devices, including switch-to-switch, switch-to-router, and switch-to-file server connections. Using a trunk link on a router is a great way of reducing your layer-3 infrastructure costs. For instance, in the old days of bridging, in order to route between different broadcast domains, you needed a separate physical router interface for each broadcast domain. If you had two broadcast domains, you needed two router ports; if you had 20 broadcast domains, you needed 20 router ports. As you can see, the more broadcast domains you had, the more expensive the router would become. Today, with the advent of VLANs and trunk connections, you can use a single port on a router to route between your multiple broadcast domains. If you had 2 or 20 broadcast domains, you could use just one port on the router to accomplish the routing between these different subnets. Of course, you would need a router and an interface that supported trunking. (Not every Cisco router supports trunking; you would need at least a 1751 or 2600 series router.) If you had a router that didn't support trunking, you would have to have a separate router interface for each VLAN you had created in order to route between the VLANs. Therefore, if you have a lot of VLANs, it makes sense to economize and buy a router that supports trunking.

You can also buy specialized NICs for PCs or file servers that support trunking. For instance, you might have a file server that you want multiple VLANs to access. One solution would be to use a normal NIC and set this up with an access-link connection to a switch. Since this is an access-link connection, the server could belong to only one VLAN. The users in the same VLAN, when accessing the server, would have all their traffic switched via layer-2 devices to reach it. Users in other VLANs, however, would have to have their traffic routed to this server via a router, since the file server is in a different broadcast domain. If throughput is a big concern, you might want to buy a trunk NIC for the file server. Configuring this NIC is different from configuring a normal NIC on a file server. For each VLAN that you want the file server to participate in, you would create a virtual NIC, assign your VLAN identifier and layer-3 addressing to the virtual NIC for the specific VLAN, and then associate it with the physical NIC. Once you have created all of these logical NICs on your file server, you need to set up a trunk connection on the switch to the server. Once you have done this, members of VLANs that you have configured on the file server will be able to directly access the file server without going through a router. Since these cards can be expensive, many administrators will purchase these devices only for critical services.

Trunking Example

Figure 8-4 shows an example of a trunk connection between SwitchA and SwitchB in a network that has 3 VLANs. In this example, PC-A, PC-F, and PC-H belong to one VLAN, PC-B and PC-G belong to a second VLAN, and PC-C, PC-D, and PC-E belong to a third VLAN. The trunk between the two switches is also tagging VLAN information so that the remote switch understands the source VLAN of the originator.

[...]
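The tagging and untagging described in this section, applied to the Figure 8-4 trunking example, as an added Python model that is not part of the chapter: it inserts and strips the 802.1Q tag (TPID 0x8100 followed by a 16-bit TCI) and floods a broadcast only to ports in the sender's VLAN, across the trunk. The switch and port layout, the trunk port name Fa0/24 and the VLAN numbers 10, 20 and 30 are assumptions the chapter does not state, and only dot1q is modelled, not ISL.

```python
"""802.1Q tagging and untagging across a switch trunk (added example, not from the chapter)."""
import struct

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q tag


def build_frame(dst, src, ethertype, payload):
    """Plain Ethernet II frame: dst MAC, src MAC, EtherType, payload (FCS omitted)."""
    return dst + src + struct.pack("!H", ethertype) + payload


def tag_frame(frame, vid, pcp=0, dei=0):
    """Insert the 4-byte 802.1Q tag (TPID + TCI) after the source MAC, i.e. at byte 12."""
    if not 1 <= vid <= 4094:
        raise ValueError("802.1Q VID must be 1..4094")
    tci = (pcp << 13) | (dei << 12) | vid  # 3-bit priority, 1-bit DEI, 12-bit VLAN ID
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def untag_frame(frame):
    """Return (vid, original frame); vid is None when no 802.1Q tag is present."""
    if struct.unpack("!H", frame[12:14])[0] != TPID_8021Q:
        return None, frame
    tci = struct.unpack("!H", frame[14:16])[0]
    return tci & 0x0FFF, frame[:12] + frame[16:]


class Switch:
    """Flooding-only switch (no MAC learning): access ports carry one VLAN, trunks carry tags."""

    def __init__(self, name, access, trunks, native_vid=1):
        self.name = name
        self.access = access          # {port: vid} for access-link connections
        self.trunks = trunks          # {port: (peer Switch, peer port)}
        self.native_vid = native_vid  # untagged frames arriving on a trunk belong here

    def flood(self, in_port, frame, delivered):
        """Flood a broadcast received on in_port; record what each access port receives."""
        vid, raw = untag_frame(frame)
        if in_port in self.access:
            if vid is not None:
                return  # a tagged frame from a normal NIC is unexpected: drop it
            vid = self.access[in_port]
        elif vid is None:
            vid = self.native_vid
        for port, port_vid in self.access.items():
            if port != in_port and port_vid == vid:
                delivered[port] = raw  # the tag is shed before the access link
        for port, (peer, peer_port) in self.trunks.items():
            if port != in_port:
                peer.flood(peer_port, tag_frame(raw, vid), delivered)  # tagged on the trunk


def figure_8_4_broadcast(sender):
    """Return (frame, {PC: received frame}) for a broadcast sent by `sender` in Figure 8-4.

    Assumed, since the chapter does not state it: PC-A..PC-D hang off SwitchA, PC-E..PC-H
    off SwitchB, the trunk is Fa0/24 on both, and the three VLANs are numbered 10, 20, 30."""
    vlan_of = {"PC-A": 10, "PC-F": 10, "PC-H": 10, "PC-B": 20, "PC-G": 20,
               "PC-C": 30, "PC-D": 30, "PC-E": 30}
    sw_a = Switch("SwitchA", {pc: vlan_of[pc] for pc in ("PC-A", "PC-B", "PC-C", "PC-D")}, {})
    sw_b = Switch("SwitchB", {pc: vlan_of[pc] for pc in ("PC-E", "PC-F", "PC-G", "PC-H")}, {})
    sw_a.trunks["Fa0/24"] = (sw_b, "Fa0/24")
    sw_b.trunks["Fa0/24"] = (sw_a, "Fa0/24")
    frame = build_frame(b"\xff" * 6, bytes.fromhex("020000000001"), 0x0806, b"constructed ARP")
    delivered = {}
    (sw_a if sender in sw_a.access else sw_b).flood(sender, frame, delivered)
    return frame, delivered
```

A broadcast from PC-A reaches only PC-F and PC-H, and the bytes they receive are identical to what PC-A sent; the 4-byte tag exists only on the trunk.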
Preview excerpts from later in the chapter (each begins and ends mid-passage):

... presented with setting up VLANs and associating interfaces to your VLANs.

Creating VLANs

This section covers how you can create VLANs on your switches and then assign access-link connections (interfaces) to your newly created VLANs. As you will see, the configurations on the 1900 and 2950 are slightly different. Here are some guidelines to remember when creating VLANs:

■ The number of VLANs you can create is ...

... that PVST has is that if STP changes are occurring in one VLAN, they do not affect other instances of STP for other VLANs, making a more stable topology. Given this, it is highly recommended that you implement VTP pruning to prune off VLANs from trunks of switches that are not using those VLANs. Pruning is discussed later in this chapter. The downside of PVST is that since each VLAN has its own instance ...

VTP Modes

When you are setting up VTP, you have three different modes to choose from for your switch's configuration:

■ Client
■ Server
■ Transparent

Table 8-4 shows the differences between these VTP modes. A switch configured in either VTP server or transparent mode can add, modify, and delete VLANs. The main difference between these modes is ...

... VLANs, where every VLAN is not necessarily active on every switch. You could easily accidentally prune a VLAN from a trunk that shouldn't have been pruned, thus creating connectivity problems. VTP pruning is a feature that allows the switches to share additional VLAN information and that allows them to dynamically prune inactive VLANs from trunk connections. In this instance, the switches share what VLANs ...

...
    Encapsulation: dot1q
    Operational Trunking Encapsulation: dot1q
    Negotiation of Trunking: Disabled
    Access Mode VLAN: 0 ((Inactive))
    Trunking Native Mode VLAN: 1 (default)
    Trunking VLANs Enabled: ALL
    Trunking VLANs Active: 1,2
    Pruning VLANs Enabled: 2-1001
    Priority for untagged frames: 0
...

Here's an example of using the trunk parameter:

    2950# show interfaces trunk
    Port      Mode   Encapsulation  Status    Native vlan
    Fa0/1     on     802.1q         trunking  1

    Port      Vlans allowed on trunk
    Fa0/1     1-4094

    Port      Vlans allowed and active in management domain
    Fa0/1     1-2

    Port      Vlans in spanning tree forwarding state and not pruned
    Fa0/1     1-2

In this example, there is one interface that is trunking, fa0/1, with a native VLAN of ...

... their traffic first to Switch 8 and then to Switch 4.

FIGURE 8-9  STP and VLANs

When one instance of STP is running, this is referred to as Common Spanning ...

... VLANs on every switch, including VLAN 1 and 1,002-1,005
■ To add or delete VLANs, your switch must be in either VTP server or transparent mode
■ VLAN names can be changed—VLAN numbers can't: you must delete a VLAN and re-add it in order to renumber it
■ All interfaces, by default, belong to VLAN 1
■ CDP, DTP, and VTP advertisements are sent in VLAN 1, by default
■ Cisco supports Per-VLAN STP for its VLANs ...

... types. So in this example, you would have to go around and reconfigure your ports to put them back into the correct VLAN. In this instance, if you were using dynamic VLANs, you would only have to add the VLAN back on the server switch; for static VLANs, you would have your work cut out for you. Given this problem, some administrators don't like to use VTP server and client modes; instead, they prefer to configure ...

VTP Messages

If you use a client/server configuration for VTP, there are three types of VTP messages that these switches can generate:

■ Advertisement request
■ Subset advertisement
■ Summary ...

Posted: 21/12/2013, 19:15
