Switching Technologies and VLAN Concepts

Key Points
Virtual Local Area Network (VLAN) is a switching technology used to improve network performance
by separating large broadcast domains into smaller ones. VLAN trunks provide a way for one physical
interface to transport multiple VLANs. The IEEE 802.1Q trunking protocol is the recommended frame
tagging method to use on trunk links. In larger networks where there are many switches to manage,
VLAN Trunking Protocol (VTP) provides a way to automatically update switches with new or
modified VLAN information. Spanning Tree Protocol (STP) allows redundant switched networks
without worrying about switching loops. STP runs by default and might not need any adjustment at all.

VLAN Concepts
Although a switch “out of the box” is configured to have only one VLAN, normally a switch will be
configured to have two or more VLANs. Doing so creates multiple broadcast domains by putting some
interfaces into one VLAN and other interfaces into other VLANs. Reasons for using VLANs include
the following:
➢ Grouping users by department instead of by physical location,
➢ Segmenting devices into smaller LANs to reduce processing overhead for all devices on LAN,
➢ Reducing the workload of STP by limiting a VLAN to a single access switch,
➢ Enforcing better security by isolating sensitive data to separate VLANs,
➢ Separating IP voice traffic from data traffic.

Benefits of using VLANs include the following:

➢ Security: Sensitive data can be isolated to one VLAN, separating it from the others.
➢ Cost reduction: Cost savings result from less need for expensive network upgrades and more
efficient use of existing bandwidth and uplinks.
➢ Higher performance: Dividing flat Layer 2 networks into multiple logical broadcast domains
reduces unnecessary traffic on the network and boosts performance.
➢ Broadcast storm mitigation: VLAN segmentation prevents a broadcast storm from
propagating throughout the entire network.

1
Traffic Types
A key factor for VLAN deployment is understanding the traffic patterns and the various traffic types in
the organization. Table 1 lists the common types of network traffic that you should evaluate before
placing devices and configuring VLANs.
Traffic Type Description
Network To make network troubleshooting easier, some designers assign a separate VLAN to carry
management certain types of network management traffic.
IP telephony Designers often configure the data to and from the IP phones on a separate VLAN
designated for voice traffic so that they can apply quality of service measures to give high
priority to voice traffic.
Normal data Normal data traffic is typical application traffic that is related to file and print services,
email, Internet browsing, database access, and other shared network applications.
Scavenger class Scavenger class includes all traffic with protocols or patterns that exceed their normal data
flows. Applications assigned to this class have little or no contribution to the organizational
objectives of the enterprise and are typically entertainment oriented in nature.
Table 1. Traffic types
Types of VLANs
Some VLAN types are defined by the type of traffic they support; others are defined by the specific
functions they perform. The principal VLAN types and their descriptions follow:
➢ Data VLAN: Configured to carry only user-generated traffic, ensuring that voice and
management traffic is separated from data traffic.
➢ Default VLAN: All the ports on a switch are members of the default VLAN, which is VLAN 1
for cisco switches. VLAN 1 has all the features of any VLAN, except that you cannot rename it
nor delete it. It is a security best practice to restrict VLAN 1 to carry control traffics only (for
example, CDP or VTP), and supporting no other traffic.
➢ Black hole VLAN: A security best practice is to define a black hole VLAN to be a dummy
VLAN distinct from all other VLANs. All unused switch ports are assigned to the black hole
VLAN so that any unauthorized device connecting to an unused switch port will be prevented
from communicating beyond the switch to which it is connected.
➢ Native VLAN: This VLAN type serves as a common identifier on opposing ends of a trunk
link. A security best practice is to define a native VLAN to be a dummy VLAN distinct from all
other VLANs defined in the switched LAN. The native VLAN is not used for any traffic in the
switched network unless legacy bridging devices happen to be present in the network, or a

2
 multi-access interconnection exists between switches joined by a hub.
➢ Management VLAN: A VLAN defined by the network administrator as a means to access the
management capabilities of a switch. By default, VLAN1 is management VLAN. It is a security
best practice to define the management VLAN to be a VLAN distinct from all other VLANs
defined in the switched LAN. You do so by configuring and activating a new VLAN interface.
➢ Voice VLANs: This enables switch ports to carry IP voice traffic from an IP phone.

Trunking VLANs
A VLAN trunk is an Ethernet point-to-point link between an Ethernet switch interface and an Ethernet
interface on another networking device, such as a router or a switch, carrying the traffic of multiple
VLANs over the singular link. A VLAN trunk allows you to extend the VLANs across an entire
network. A VLAN trunk does not belong to a specific VLAN; rather, it serves as a conduit for VLANs
between switches. Figure 2 shows a small switched network with a trunk link between S1 and S2
carrying multiple VLAN traffic.

Figure 2. Example of a VLAN Trunk

When a frame is placed on a trunk link, information about the VLAN it belongs to must be added to the
frame. This is accomplished by using IEEE 802.1Q frame tagging. When a switch receives a frame on
a port configured in access mode and destined for a remote device via a trunk link, the switch takes
apart the frame and inserts a VLAN tag, and sends the tagged frame out the trunk port. Figure 3 shows
the 802.1Q tag inserted in an Ethernet frame.

3
The VLAN tag field consists of a 16-bit Type field called the EtherType field and a Tag control
information field. The EtherType field is set to the hexadecimal value of 0x8100. This value is called
the tag protocol ID (TPID) value. With the EtherType field set to the TPID value, the switch receiving
the frame knows to look for information in the Tag control information field. The Tag control
information field contains the following:
➢ 3 bits of user priority: Used to provide fast transmission of Layer 2 frames, like voice traffic.
➢ 1 bit of Canonical Format Identifier (CFI): Enables Token Ring frames to be carried across
Ethernet links easily.
➢ 12 bits of VLAN ID (VID): VLAN identification numbers.

Figure 3. Fields of the 802.1Q Tag Inside an Ethernet Frame

VTP Concepts
VTP does not provide a method for trunking between devices. Instead, VTP is a Layer 2 messaging
protocol that maintains VLAN configuration consistency by managing the additions, deletions, and
name changes of VLANs across networks. VTP helps with VLAN management and although it makes
the configuration and troubleshooting of VLANs easier, it is not required. The benefits of VTP include
the following:
➢ VLAN configuration consistency across the network
➢ Accurate tracking and monitoring of VLANs
➢ Dynamic reporting of added VLANs across a network

4
Figure 4 shows an example of how VTP messages can be sent between the VTP server and VTP clients.

Figure 4. VTP Server Sends Updates to VTP Clients

Notice in the figure that the shaded area is named VTP Domain CCNA. A VTP domain is one switch or
several interconnected switches that share VTP advertisements. A switch can be in only one VTP
domain. A router or Layer 3 switch defines the boundary of each domain.

VTP Modes
VTP operates in one of three modes:
➢ Server: The server is where VLANs can be created, deleted, or renamed for the domain. VTP
servers advertise VLAN information to other switches in the same VTP domain.
➢ Client: You cannot create, change, or delete VLANs on a VTP client.
➢ Transparent: VTP transparent mode switches forward VTP advertisements to VTP clients and
VTP servers, but do not originate or otherwise implement VTP advertisements. VLANs that are
created, renamed, or deleted on a VTP transparent mode switch are local to that switch only.

5
VTP Operation
VTP advertisements are sent by the server every 5 minutes over the default VLAN using a multicast
frame. A configuration revision number included in the frame is used by all VTP clients and servers to
determine if there has been a change in the VLAN database. Figure 5 illustrates VTP operation.

Figure 5. VTP Operation

Figure 5 begins with all switches having the same VLAN configuration revision number, meaning that
they have the same VLAN configuration database; this means that all switches know about the same
VLAN numbers and VLAN names. The process begins with each switch knowing that the current
configuration revision number is 3. The steps shown in Figure 5 are as follows:
1) Someone configures a new VLAN on the VTP server.
2) The VTP server updates its VLAN database revision number from 3 to 4.
3) The server sends VTP update messages out its trunk interfaces, stating revision number 4.
4) The two VTP client switches notice that the updates list a higher revision number (4) than their
current revision numbers (3).
5) The two client switches update their VLAN databases based on the server’s VTP updates.

VTP defines three types of messages:

➢ Summary advertisement: Sent every 5 minutes by the server; it lists the revision number,
domain name, and other information, but no VLAN information.

6
 ➢ Subset advertisement: Follows a summary advertisement if something has changed in the
VLAN database, indicated by a new larger revision number.
➢ Advertisement request message: Allows a switch to immediately request VTP messages from
a neighboring switch as soon as a trunk comes up.

Inter-VLAN Routing
In previous sections, we learnt how VLANs segment broadcast traffic on a switch and segment a
switched network into different LANs, we also learnt how VLAN information can be transmitted to
other switches in the network using VTP and how we can avoid layer two loops using STP.

Each network has it's own needs, though whether it's a large or small network, internal routing, in most
cases, is essential - if not critical. The ability to segment your network by creating VLANs, thus
reducing network broadcasts and increasing your security, is a tactic used by most engineers. Popular
setups include a separate broadcast domain for critical services such as File Servers, Print servers,
Domain Controllers etc serving your users non-stop.

The issue here is how can users from one VLAN (broadcast domain), use services offered by another
VLAN? Thankfully there's an answer to every problem and in this case, its VLAN routing. Inter-VLAN
routing can be defined as a way to forward traffic between different VLANs by implementing a router
in the network.

Figure 6. Example of two VLANs

7
The above diagram is a very simple but effective example to help you get the idea. Two VLANs
consisting of two servers and workstations of which one workstation has been placed along with the
servers in VLAN 1, while the second workstation is placed in VLAN 2. In this scenario, both
workstations require access to the File and Print servers, making it a very simple task for the
workstation residing in VLAN 1, but obviously not for our workstation in VLAN 2. As you might have
already guessed, we need to somehow route packets between the two VLANs and the good news is that
there is more than one way to achieve this and that's what we'll be covering on this section.

VLAN Routing Solutions

While the two switches are connected via a trunk link, they are unable to route packets from one VLAN
to another. If we wanted the switch to support routing, we would require it to be a layer 3 switch with
routing capabilities, a service offered by the popular Catalyst 3550 series and above.
Since there are quite a few ways to enable the communication between VLANs (Inter-VLAN Routing
being the most popular) there is a good chance that we are able to view all possible solutions. This
follows our standard method of presenting all possible solutions, giving you an in-depth view on how
VLAN routing can be setup, even if you do not have a layer 3 switch.
Note: The term 'Inter-VLAN Routing' refers to a specific routing method which we will cover as a last
scenario, however it is advised that you read through all given solutions to ensure you have a solid
understanding on the VLAN routing topic.
1) Using a Router with 2 Ethernet Interfaces (Traditional Inter-VLAN Routing): a few years ago,
this was one of the preferred and fastest methods to route packets between VLANs. The setup is
quite simple and involves a Cisco router with two Ethernet interfaces as shown in the diagram,
connecting to both VLANs with an appropriate IP Address assigned to each interface. IP
Routing is of course enabled on the router.

In addition, each host (servers and workstations) must either use the router's interface connected
to their network as a 'default gateway' or a route entry must be created to ensure they use the
router as a gateway to the other VLAN/Network. This scenario is however expensive to
implement because we require a dedicated router to router packets between our VLANs, and is
also limited from an expandability prospective.

In the case where there are more than two VLANs, additional Ethernet interfaces will be
required, so basically, the idea here is that you need one Ethernet interface on your router that
will connect to each VLAN.

8
 To finish this scenario, as the network gets bigger and more VLANs are created, it will very
quickly get messy and expensive, so this solution will prove inadequate to cover our future
growth.

Figure 7. Using a Router with 2 Ethernet Interfaces

2) Using a Router with one Ethernet (Trunk) Interface: This solution is certainly fancier but
requires a router that supports trunk links. With this kind of setup, the trunk link is created,
using the same type of encapsulation the switches use (ISL or 802.1q), and enabling IP routing
on the router side. This method of Inter-VLAN routing is also known as 'Router on a Stick'.
Closing this scenario, the router will need to be configured with two virtual interfaces, one for
each VLAN, with the appropriate IP Address assigned to each one so routing can be performed.

Figure 8. Using a Router with one Ethernet (Trunk) Interface

9
 3) Using a Server with two Network Cards: What we basically do, is configure one of the servers
to perform the routing between the two VLANs, reducing the overall cost as no dedicated
equipment is required. In order for the server to perform the routing, it requires two network
cards - one for each VLAN and the appropriate IP Addresses assigned, therefore we have
configured one with IP Addresses 192.168.1.1 and the other with 192.168.2.1. Once this phase
is complete, all we need to do is enable IP routing on the server and we're done. Lastly, each
workstation must use the server as either a gateway, or a route entry should be created so they
know how to get to the other network. As you see, there's nothing special about this
configuration, it's simple, cheap and it gets the job done.

Comparison of router-on-a-stick and traditional inter-VLAN routing

Metric Traditional Inter-VLAN Routing Router-on-a-stick
No. of physical interfaces One for each VLAN One for many VLANs
Bandwidth No bandwidth contention Bandwidth contention
Port mode Access mode switch port Trunk mode switch port
Cost More expensive Less expensive
Admin complexity Less complex configuration Complex configuration

10