Basic VLAN Concept
Concept of trunking and frame tagging
So far our VLANs only involves on switch. If a switch port is assigned to a particular VLAN, it only carries the traffic for that particular VLAN. What happens if our VLANs expand across multiple switches. The 2 switch ports that link 2 switches have to carry traffic for multiple VLANs. What VLAN should we assign these 2 link ports to? The answer is, we don't assign them to any VLANs, we set their mode to trunk mode.
In Cisco networks, trunking is a special function that can be assigned to a port, making that port capable of carrying traffic for any or all of the VLANs accessible by a particular switch. Such a port is called a trunk port, in contrast to an access port, which carries traffic only to and from the specific VLAN assigned to it. A trunk port marks frames with special identifying tags (either ISL tags or 802.1Q tags) as they pass between switches, so each frame can be routed to its intended VLAN.
Using VLANs, you can configure ports on the switch for segmentation, flexibility, and security.
CCNA classifies VLAN into 5 types:
- Data VLAN, also called user VLAN, is any VLAN that is configured to carry user-generated traffic.
- Voice VLAN, is any VLAN that is configured to carry Voice over IP (VOIP) traffic.
- Management VLAN, is any VLAN that is configured to carry management traffic. VLAN1 is the default management VLAN. Management VLAN need to be assigned an IP address and subnet mask for remote access.
- Default VLAN, is the default VLAN all switch ports belong to at initial boot up. Cisco switches use VLAN 1 as default VLAN.
- Native VLAN, is any VLAN assigned to an 802.1Q trunk port. An 802.1Q trunk port can carry traffic from multiple VLANs (tagged traffic), as well as traffic not from VLAN (untagged traffic).
Access Links are the links or ports assigned to a particular VLAN. An access link can only carry one VLAN.
Trunk Links are capable of carrying multiple VLANs.
The switch decide which ports belong to which VLANs by configuring their VLAN membership.
VLAN memebership
- Static VLAN memebership -- administrator statically assign a particular VLAN to a particular port. A switch port can only be assigned to one VLAN.
- Dynamic VLAN memebership -- through VLAN membership policy server, a server contains the mapping of MAC address to corresponding VLANs.
Frame Tagging: the method of identify which VLAN a frame came from and which VLAN it will go to. There are two methods of frame tagging:
- Inter Switch Link (ISL) is a Cisco proprietary standard.
- 802.1q is an industry standard, also associate Native VLAN (No tag)
Configure VLANs on a cisco Switch (router on a stick)
Basic commands:
To show all VLAN status in brief
show vlan brief
To create a VLAN
vlan vlanid
After creating the VLAN, we exit the VLAN database by using the the command "end" to update this database.
To set the ascii name for the VLAN
name WORD
Example:
Switch(config)#vlan 2
Switch(config-vlan)#name raliegh
Switch(config-vlan)#end
To set access mode characteristics of the interface, and associate this interface to a particular VLAN
Switchport access vlan vlanid
Example:
Switch(config)#interface fa0/7
Switch(config-if)#switchport access vlan 2
Switch(config-if)#end
To set access mode to trunk
Switchport mode trunk
Example:
Switch(config)#interface fa0/24
Switch(config-if)#switchport mode trunk
Switch(config-if)#end
The following commands are tested in packet tracer 5.1 with a 3560-24PS Multilayer Switch.
Switch>enable
Switch#show vlan brief
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/1, Fa0/2, Fa0/3, Fa0/4
Fa0/5, Fa0/6, Fa0/7, Fa0/8
Fa0/9, Fa0/10, Fa0/11, Fa0/12
Fa0/13, Fa0/14, Fa0/15, Fa0/16
Fa0/17, Fa0/18, Fa0/19, Fa0/20
Fa0/21, Fa0/22, Fa0/23, Fa0/24
Gig0/1, Gig0/2
1002 fddi-default active
1003 token-ring-default active
1004 fddinet-default active
1005 trnet-default active
Switch#config terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#vlan 2
Switch(config-vlan)#name raliegh
Switch(config-vlan)#end
%SYS-5-CONFIG_I: Configured from console by console
Switch#show vlan brief
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/1, Fa0/2, Fa0/3, Fa0/4
Fa0/5, Fa0/6, Fa0/7, Fa0/8
Fa0/9, Fa0/10, Fa0/11, Fa0/12
Fa0/13, Fa0/14, Fa0/15, Fa0/16
Fa0/17, Fa0/18, Fa0/19, Fa0/20
Fa0/21, Fa0/22, Fa0/23, Fa0/24
Gig0/1, Gig0/2
2 raliegh active
1002 fddi-default active
1003 token-ring-default active
1004 fddinet-default active
1005 trnet-default active
Switch#config terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#interface fa0/7
Switch(config-if)#switchport access vlan 2
Switch(config-if)#end
%SYS-5-CONFIG_I: Configured from console by console
Switch#show vlan brief
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/1, Fa0/2, Fa0/3, Fa0/4
Fa0/5, Fa0/6, Fa0/8, Fa0/9
Fa0/10, Fa0/11, Fa0/12, Fa0/13
Fa0/14, Fa0/15, Fa0/16, Fa0/17
Fa0/18, Fa0/19, Fa0/20, Fa0/21
Fa0/22, Fa0/23, Fa0/24, Gig0/1
Gig0/2
2 raliegh active Fa0/7
1002 fddi-default active
1003 token-ring-default active
1004 fddinet-default active
1005 trnet-default active
Switch#
VLAN vs VLAN Interface
By default, all the switch ports belong to VLAN 1. VLAN 1 has all the features of any VLAN, except it cannot be renamed or deleted. By default, all Layer 2 control traffic is associated with VLAN 1. The 802.1Q trunk port places untagged traffic on the native VLAN, which by default is VLAN 1.In order to manage a LAN switch via HTTP, Telnet, SSH, or SNMP, we need to configure a management VLAN, and assign an IP address and subnet mask to the switch virtual interface (SVI) of the VLAN. VLAN 1 is the default management VLAN.
Switch(config)#interface vlan1
Switch(config-if)#ip address 10.1.1.5 255.255.255.0
It is important to understand the difference of vlan and vlan interface.
While VLAN is a layer 2 thing, VLAN interface is a layer 3 thing.
VLAN logically divides a large broadcast domain into smaller ones. Broadcast domain is layer 2 network segments, defined by the network a broadcast Ethernet frame can reach.
VLAN interface (or switch virtual interface (SVI), or management interface) on the other hand, is an imaginary layer 3 network interface. They are created so that the layer 2 network segment a VLAN cutting out can have a layer 3 IP address associated with it.
Remember, a LAN switch is a layer 2 device with physical ports and the switch deal with frames, that are flushed down as bits to the wire at Layer 1 -- switch don't know IP (IP is a field in layer 3 packet), and it isn't assigned an IP address by default, you can not even ping a brand new cisco LAN switch. In order to remote login LAN switch via IP, you need to give it layer 3 IP addresses. This is why we need the layer 3 VLAN interface, so called switch virtual interface (SVI).
No comments:
Post a Comment