
VLAN

VIRTUAL LAN
VLAN BASIC
1) A virtual local area network (VLAN) is a group of hosts with a common set of requirements that
communicate as if they were attached to the same broadcast domain, regardless of their physical
location.
2) VLAN configuration points:
• A switch creates a single broadcast domain.
• VLANs divide that broadcast domain into several smaller ones.
• VLANs can be defined by port group, user (MAC address) or protocol.
• LAN switches and network management software provide the mechanism to create VLANs.
3) VLANs control the size of broadcast domains and keep traffic local.
4) Each VLAN is normally paired with its own IP subnet.
5) Devices in different VLANs cannot communicate directly; traffic between VLANs must pass through a
Layer 3 routing device, which is also where it can be filtered.
BENEFITS OF VLAN
• Broadcast Control
• Security
• Flexibility
Broadcast Control
1. A switch combined with VLANs gives control over broadcasts.
2. All devices within a VLAN are members of the same broadcast domain and receive every broadcast sent
in it.
3. By default these broadcasts are filtered from all ports on the switch that are not members of the
same VLAN. You keep the benefits of a switched design without the problems you would have if all your
users were in one broadcast domain: all broadcast traffic is contained within the VLAN.
4. For a packet to reach a different VLAN, it must be routed.

Security
A VLAN design creates multiple broadcast groups and gives complete control over each switch port.
Someone who plugs into a switch does not automatically gain access to network resources, cannot
monitor traffic in other VLANs, and cannot join a broadcast domain unless the network administrator
assigns the port to it. Switches can also be configured to notify a network administrator of
unauthorized access attempts (for example by logging port security violations). Note that VLAN
membership by itself does not authenticate the device on a port; pair it with port security or IEEE
802.1X, and remember that traffic between VLANs is only as restricted as the filters on the Layer 3
device that routes it.
Flexibility
Layer 2 switches read only frame headers for filtering and by default forward all broadcasts. By
creating VLANs we create smaller broadcast domains at Layer 2.
A broadcast sent by a node in one VLAN is not forwarded to ports configured for a different VLAN. So
by assigning switch ports or users to VLAN groups on a switch, or on a group of connected switches,
you gain the flexibility to add only the users you want to that broadcast domain, regardless of their
physical location.
VLAN
IDENTIFICATION (VID)
1. The VID is a 12-bit field, so 4096 values are possible, ranging from 0 to 4095.
2. Of these, the following are reserved:
• 0 priority-tagged frame: the tag carries only user_priority and no VLAN (802.1Q)
• 1 default port VID (802.1Q)
• 4095 reserved (802.1Q)
• 1002 reserved for the FDDI VLAN (Cisco)
• 1003 reserved for the Token Ring (TrCRF) VLAN (Cisco)
• 1004 reserved for the FDDI-Net VLAN (Cisco)
• 1005 reserved for the Token Ring (TrBRF) VLAN (Cisco)
3. VLANs 2 to 1001 are pruning eligible, whereas 1006 to 4094 are not.
4. VLANs 2 to 1001 are the user-configurable part of the normal range (1 to 1005); 1006 to 4094 are
extended-range VLANs.
5. By default every Cisco switch has VLAN 1, which is the default VLAN for all ports, the default
native VLAN on trunks and the default management VLAN; it cannot be deleted. Because every port starts
in it, move user, management and native-VLAN traffic off VLAN 1 wherever possible.
VLAN IMPLEMENTATION
• END-TO-END VLAN
• LOCAL VLAN
END-TO-END VLAN :-
• An end-to-end VLAN spans the entire switched network.
• Users are grouped into VLANs independent of physical location.
• As a user moves around the campus, that user's VLAN membership stays the same; the port at the new
location is configured for the same VLAN.
• Each VLAN has a common set of security and resource requirements for all its members.
• Because users can be anywhere in the network, every switch must be aware of all VLANs and will
receive flooded traffic for a VLAN even if it currently has no active ports in that VLAN.
• All users in a VLAN should have roughly the same traffic flow patterns, following the 80/20 rule
(80% of traffic stays inside the VLAN, 20% leaves it).
LOCAL VLAN :-
• A local VLAN is restricted to a single switch or wiring closet.
• Most enterprise networks have moved toward the 20/80 rule, where servers and intranet/Internet
resources are centralized and most traffic leaves the VLAN.
• End users therefore require access to central resources outside their VLAN, which they reach
through a Layer 3 device.
VLAN MEMBERSHIP
• Port-based VLANs
• MAC address based VLANs
• Protocol based VLANs
PORT-BASED VLAN : -
• The network administrator assigns each switch port to a VLAN ID.
• The assignment is entered manually on the switch, so if a computer moves the administrator must
update the configuration.
• If a repeater (hub) is attached to a port, all of the users on the repeater are in the same VLAN.
MAC ADDRESS BASED VLAN : -
• The switch maintains a table of MAC addresses and their corresponding VLAN memberships.
• Computers that move are easy to keep track of, because membership follows the address.
• Users are assigned based on MAC address. A MAC address is trivially spoofed, so this is a
convenience mechanism, not an access control.
PROTOCOL BASED VLAN : -
• Membership is based on the protocol and the Layer 3 address.
• Ex.: an IP subnet can be a VLAN, or an IPX network can be a VLAN.
TYPES OF VLAN
(ASSIGNING METHOD)
• Static VLAN
• Dynamic VLAN
STATIC VLAN :-
• A switch port assigned to a VLAN keeps that association until an administrator manually changes
the port assignment.
• Easy to set up and monitor.
• Suitable where user movement needs to be controlled.
DYNAMIC VLAN :-
• Using management software, hardware (MAC) addresses, protocols or even applications can be used to
assign VLANs dynamically.
• A VLAN Management Policy Server (VMPS) holds a database of MAC addresses that is used for dynamic
VLAN assignment.
• When a node is attached to a dynamic-access switch port, the switch queries the VMPS with the
node's hardware address, and the port is configured for the VLAN the database returns.
SWITCH PORT
• Access port
• Trunk port
• Tunnel port
• Routed port
• Switch ports are Layer 2 interfaces associated with a physical interface.
• A switch port belongs to one or more VLANs.
• Switch ports manage the physical interface and its associated Layer 2 protocols.
• Switch ports do not handle routing or bridging themselves.
• Switch ports are of three types (a routed port, covered below, is a Layer 3 interface rather than a
switch port):
1. Access port
2. Trunk port
3. Tunnel port
ACCESS PORT: -
• An access port belongs to and carries traffic of only ONE VLAN (unless it is also configured with a
voice VLAN).
• Traffic is received and sent in native format with no VLAN tagging. Traffic arriving on an access
port is assumed to belong to the VLAN assigned to the port. An access port drops tagged frames (ISL or
IEEE 802.1Q) whose VLAN is not its own; whether a tag equal to the port's own VLAN is accepted or
dropped varies by platform.
• There are two types of access port:
I. Static Access Port: -
• Manually configured for a given VLAN.
II. Dynamic Access Port: -
• Learns its VLAN membership from the source MAC address of incoming frames, via a VMPS lookup.

TRUNK PORT:-
• A trunk port carries the traffic of multiple VLANs and by default is a member of all VLANs in the
VLAN database. Restrict the allowed list to the VLANs the link actually needs (switchport trunk
allowed vlan) so that a trunk does not extend every VLAN to every neighbour.
• A trunk port is configured with either the Cisco ISL protocol or the IEEE 802.1Q protocol.
TUNNEL PORT : -
• Tunnel ports are used in IEEE 802.1Q tunneling (QinQ) to segregate the traffic of one customer in a
service provider network from other customers who may be using the same VLAN numbers.
• A tunnel port is configured on a service provider edge switch, with an IEEE 802.1Q trunk facing the
customer.
• A packet entering the tunnel port on the service provider edge switch from the customer switch is
already encapsulated with an 802.1Q tag carrying the customer VLAN; it is encapsulated again with
another 802.1Q tag, called the metro tag, containing a VLAN ID that is unique to that customer within
the service provider network.
• Double-tagged packets cross the service provider network with the original customer VLAN kept
separate from those of other customers; the customer's inner tag is never interpreted by the provider
switches.
ROUTED PORTS: -
• A routed port is a physical port that acts like a port on a router; it does not have to be
connected to a router.
• A routed port is not associated with a particular VLAN as an access port is. A routed port behaves
like a regular router interface, except that it does not support VLAN sub-interfaces.
• Routed ports can be configured with a Layer 3 routing protocol. A routed port is a Layer 3
interface only and does not run Layer 2 protocols such as DTP (Dynamic Trunking Protocol) and STP
(Spanning Tree Protocol).
• Routed ports are supported only on switches running the IP Base or IP Services image. Configure a
routed port by putting the interface into Layer 3 mode with the no switchport interface configuration
command, then assign an IP address to the port, enable routing and assign routing protocol
characteristics with the ip routing and router global configuration commands.
IDENTIFYING VLANs
• Access Links
• Trunk Links
• Frames are switched throughout the network.
• So a switch must be able to forward frames while keeping track of each MAC address together with
its VLAN.
• Frames are handled differently according to the type of link they are traversing.
• There are two different types of links:
1. Access Links
2. Trunk Links

ACCESS LINK :-
• This type of link is part of only one VLAN. (Some texts call this the native VLAN of the port; on
Cisco switches it is the port's access VLAN, and the term native VLAN is used for the untagged VLAN
on a trunk.)
• Switches remove any VLAN information from the frame before it is sent to an access-link device.
• Access-link devices cannot communicate with devices outside their VLAN unless the packet is
routed through a router.

TRUNK LINK : -
• Trunks can carry multiple VLANs.
• A trunk link is a point-to-point link between two switches, between a switch and a router, or
between a switch and a server.
• By default a trunk carries every VLAN in the VLAN database; the allowed VLAN list can be restricted
by configuration.
• Frames keep travelling between switches over trunk links, so there must be a way to identify the
VLAN of each frame. For this we use frame tagging.
FRAME TAGGING : -
Working of Frame Tagging : -
1. Whenever a frame reaches a switch, the switch first reads the VLAN ID from the frame tag and checks
its filter table to decide whether the frame must go to another trunk port or to an access port.
2. If the frame must leave on a trunk, the switch forwards it, tag intact, to the respective trunk
port.
3. If the frame belongs to one of the switch's own access ports, the switch removes the VLAN tag and
delivers it to the access port; the destination device never sees the VLAN ID.
4. The following protocols are used for frame tagging:
Inter-Switch Link (ISL) :-
I. Cisco proprietary.
II. Used on Fast Ethernet and Gigabit Ethernet links only.
III. ISL performs frame identification at Layer 2 by encapsulating each frame between a
header and a trailer.
IV. Total tag overhead is 30 bytes.
V. A frame-type field in the ISL header indicates the source frame type, i.e. Ethernet,
Token Ring, FDDI or ATM frames carried over Ethernet.
VI. ISL Frame Structure :-
• Applied when a frame is sent out a trunk link to another switch or router.
• ISL adds a 26-byte header and a 4-byte trailer to the frame.
• The source VLAN is identified by a 10-bit VLAN ID in the header.
• The trailer contains a cyclic redundancy check (CRC) so the receiver can verify that the frame
arrived error free.
IEEE 802.1Q : -
1. Created by the IEEE, so it interoperates between devices from multiple vendors.
2. Tag size is 4 bytes.
3. 802.1Q also introduces the concept of a native VLAN on a trunk: frames belonging to this VLAN are
sent without a tag. Because untagged frames arriving on a trunk are placed in the native VLAN, the
native VLAN should be an otherwise unused VLAN (not VLAN 1) and must match on both ends of the link.
4. IEEE 802.1Q Frame Structure : -
• 802.1Q embeds its tagging information within the Layer 2 frame, between the source MAC address and
the EtherType/length field.
• This method is referred to as single-tagging or internal tagging.
• The 802.1Q tag is made of two parts:
1. TPID (Tag Protocol IDentifier)
2. TCI (Tag Control Information)
The first two bytes are the TPID, which identifies the frame as 802.1Q tagged and has the value
0x8100 (802.1ad service tags, used for QinQ, carry 0x88A8). The remaining two bytes are the TCI field.
• The first three bits of the TCI are the priority field (PCP), used to implement class-of-service
functions under the 802.1Q/802.1p prioritization standard.
• One bit of the TCI is the Canonical Format Indicator (CFI), flagging whether the MAC addresses are
in canonical format; 802.1ad redefined this bit as the Drop Eligible Indicator (DEI).
• The last 12 bits are the VLAN Identifier (VID), indicating the VLAN the frame belongs to.
• The VID can have values from 0 to 4095, of which 0 (priority-tagged, no VLAN) and 4095 are
reserved.
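The tag layout above, the VID ranges from the identification section, the tunnel-port double tag and the native-VLAN rule worked through in code. This is an added example, not part of the original slides or of any vendor's implementation: it builds and parses 802.1Q/802.1ad tags with the standard TPID values and models what an 802.1Q trunk does on ingress and egress. The frames, the VLAN numbers and the two-switch path it walks through are constructed for illustration.

```python
import struct
from collections import namedtuple

TPID_8021Q = 0x8100   # IEEE 802.1Q customer tag (C-tag)
TPID_8021AD = 0x88A8  # IEEE 802.1ad service tag (S-tag) used for QinQ; older QinQ reuses 0x8100

# One 4-byte tag: 16-bit TPID, then TCI = 3-bit PCP | 1-bit CFI/DEI | 12-bit VID
Tag = namedtuple("Tag", "tpid pcp dei vid")


def classify_vid(vid):
    """Classify a 12-bit VLAN ID into the ranges described in the deck."""
    if not 0 <= vid <= 4095:
        raise ValueError("VID must fit in 12 bits")
    if vid == 0:
        return "priority-tagged"    # tag carries only PCP; frame belongs to the port's VLAN
    if vid == 4095:
        return "reserved"
    if vid == 1:
        return "default"
    if 2 <= vid <= 1001:
        return "normal"
    if 1002 <= vid <= 1005:
        return "reserved-legacy"    # Cisco FDDI / Token Ring placeholders
    return "extended"


def build_frame(dst, src, tags, ethertype, payload):
    """Assemble an Ethernet frame with zero or more tags (outermost first)."""
    hdr = bytes(dst) + bytes(src)
    for t in tags:
        tci = (t.pcp & 0x7) << 13 | (t.dei & 0x1) << 12 | (t.vid & 0x0FFF)
        hdr += struct.pack("!HH", t.tpid, tci)
    return hdr + struct.pack("!H", ethertype) + bytes(payload)


def parse_frame(frame):
    """Return (dst, src, [Tag, ...] outermost first, ethertype, payload)."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src, off, tags = frame[:6], frame[6:12], 12, []
    while True:
        if len(frame) < off + 2:
            raise ValueError("truncated EtherType")
        ethertype = struct.unpack("!H", frame[off:off + 2])[0]
        if ethertype not in (TPID_8021Q, TPID_8021AD):
            return dst, src, tags, ethertype, frame[off + 2:]
        if len(frame) < off + 4:
            raise ValueError("truncated 802.1Q tag")
        tci = struct.unpack("!H", frame[off + 2:off + 4])[0]
        tags.append(Tag(ethertype, tci >> 13, (tci >> 12) & 1, tci & 0x0FFF))
        off += 4


def trunk_ingress(frame, native_vlan):
    """Receive on an 802.1Q trunk: return (VLAN the frame is placed in, frame with that tag removed).
    Untagged and priority-tagged (VID 0) frames land in the native VLAN."""
    dst, src, tags, ethertype, payload = parse_frame(frame)
    if not tags or tags[0].vid == 0:
        return native_vlan, frame
    return tags[0].vid, build_frame(dst, src, tags[1:], ethertype, payload)


def trunk_egress(frame, vlan, native_vlan):
    """Send a frame belonging to `vlan` out an 802.1Q trunk: the native VLAN goes untagged,
    every other VLAN gets a C-tag prepended to whatever tags the frame already carries."""
    dst, src, tags, ethertype, payload = parse_frame(frame)
    if vlan == native_vlan:
        return build_frame(dst, src, tags, ethertype, payload)
    return build_frame(dst, src, [Tag(TPID_8021Q, 0, 0, vlan)] + tags, ethertype, payload)


def hop_across_trunk(frame, native_vlan_in, native_vlan_out):
    """Model one switch: classify on the ingress trunk, re-emit on the egress trunk.
    Returns (VLAN assigned by this switch, frame as seen by the next switch)."""
    vlan, inner = trunk_ingress(frame, native_vlan_in)
    return vlan, trunk_egress(inner, vlan, native_vlan_out)


if __name__ == "__main__":
    # Constructed sample: a frame double-tagged 1 (outer) / 10 (inner), sent where VLAN 1 is native.
    dst, src = b"\xff" * 6, b"\x02\x00\x00\x00\x00\x01"
    crafted = build_frame(dst, src, [Tag(TPID_8021Q, 0, 0, 1), Tag(TPID_8021Q, 0, 0, 10)], 0x0800, b"x")
    v1, onward = hop_across_trunk(crafted, native_vlan_in=1, native_vlan_out=1)
    v2, _ = trunk_ingress(onward, native_vlan=1)
    print("native VLAN 1 on both trunks: switch A put it in VLAN", v1, "; switch B put it in VLAN", v2)
    v1, onward = hop_across_trunk(crafted, native_vlan_in=1, native_vlan_out=999)
    v2, _ = trunk_ingress(onward, native_vlan=999)
    print("unused native VLAN 999 on the next trunk: switch B put it in VLAN", v2)
```

The two runs in the demo are the point of the native-VLAN rule: when the outer tag equals the native VLAN, the first switch strips it and sends the frame untagged across the trunk, so the inner tag (VLAN 10) is what the next switch reads. With the native VLAN moved to an unused number on the egress trunk, the frame is re-tagged with VLAN 1 and stays there.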
VLAN Trunk Protocol
(VTP)
• SERVER
• CLIENT
• TRANSPARENT
VLAN TRUNK PROTOCOL (VTP) : -
• It is Cisco proprietary.
• It is used to manage all configured VLANs across a switched internetwork and to maintain
consistency throughout that network.
• VTP allows an administrator to add, delete and rename VLANs once and have the change distributed.
• Advantages of VTP: -
1. Consistent VLAN configuration across all switches in the network.
2. VLANs can be trunked over mixed networks, such as Ethernet to ATM LANE or FDDI.
3. Accurate tracking and monitoring of VLANs.
4. Dynamic reporting of added VLANs to all switches.
• VTP is managed through a VTP server.
• All switches that need to share VLAN information must use the same domain name, and a switch can
only be in one domain at a time.
• Switches advertise VTP management domain information, a configuration revision number and all
known VLANs with their specific parameters.
• Switches detect the additional VLANs in a VTP advertisement and then prepare to receive traffic
for the newly defined VLANs on their trunk ports.
• Depending on the medium this information is the VLAN ID, an 802.10 SAID field or LANE information.
• Every change on the server increments the configuration revision number by 1, and the
advertisement carries the new number.
• Any time a switch sees a higher revision number, it treats the information as more current and
overwrites its current database with it. This applies to servers as well as clients, so a switch
brought in from elsewhere with the same domain name and a higher revision number can wipe the VLANs
of the whole domain. Reset its revision number (change its domain name or set it to transparent mode)
before connecting it, and protect the domain with a VTP password.
VTP Modes of Operation : -
SERVER :-
1. At least one VTP server is needed in a VTP domain to propagate VLAN information
throughout the domain.
2. Only a server can ADD, EDIT or DELETE VLANs in the VTP domain.
3. Changes made on the server are advertised to the entire domain.
4. The VLAN database is stored in NVRAM.
CLIENT :-
1. A client receives information from servers and also forwards the updates to other switches.
2. A client cannot ADD, EDIT or DELETE VLANs.
3. No VLAN database is stored in NVRAM.
TRANSPARENT : -
1. Switches in transparent mode do not participate in the VTP domain, but they still
forward VTP advertisements out their configured trunk links.
2. They can ADD, EDIT or DELETE VLANs.
3. They keep their own database.
4. It is not shared with the VTP domain.
5. Transparent mode is locally significant.
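The three modes and the revision-number rule, modelled as an added example (not Cisco's code and not part of the original slides). It simulates a small domain, shows how a server's change reaches the clients while a transparent switch only relays it, and then reproduces the failure the revision rule allows: a previously used switch with a higher revision number and an almost empty database overwrites every server and client in the domain. The topology, switch names and revision numbers are constructed.

```python
class VtpSwitch:
    """Minimal model of a switch's VTP behaviour: server / client / transparent."""

    MODES = ("server", "client", "transparent")

    def __init__(self, name, mode, domain, vlans=None, revision=0):
        if mode not in self.MODES:
            raise ValueError(mode)
        self.name, self.mode, self.domain = name, mode, domain
        self.vlans = dict(vlans) if vlans else {1: "default"}   # VLAN 1 always exists
        self.revision = revision
        self.neighbors = []   # switches reachable over a trunk

    def configure_vlan(self, vid, vlan_name):
        """Local 'vlan <vid>' configuration. Clients refuse; servers advertise; transparent stays local."""
        if self.mode == "client":
            raise PermissionError(f"{self.name}: VTP client cannot add, edit or delete VLANs")
        self.vlans[vid] = vlan_name
        if self.mode == "server":
            self.revision += 1           # every change bumps the configuration revision
            self.advertise()

    def advertise(self):
        adv = {"domain": self.domain, "revision": self.revision, "vlans": dict(self.vlans)}
        for n in self.neighbors:
            n.receive(adv, sender=self)

    def _relay(self, adv, sender):
        for n in self.neighbors:
            if n is not sender:
                n.receive(adv, sender=self)

    def receive(self, adv, sender):
        if adv["domain"] != self.domain:
            return                        # advertisements from other domains are ignored
        if self.mode == "transparent":
            self._relay(adv, sender)      # forwarded on other trunks, never applied locally
            return
        if adv["revision"] > self.revision:
            # Servers and clients both accept a higher revision and overwrite their database,
            # whoever sent it: this is what makes a stale high-revision switch dangerous.
            self.vlans = dict(adv["vlans"])
            self.revision = adv["revision"]
            self._relay(adv, sender)      # propagate the newer database onward
        # equal or lower revision: nothing to learn, nothing forwarded


def link(a, b):
    """Trunk between two switches."""
    a.neighbors.append(b)
    b.neighbors.append(a)


def build_domain():
    """Constructed topology: S1 (server) - C1 (client) - T1 (transparent) - C2 (client)."""
    s1 = VtpSwitch("S1", "server", "corp")
    c1 = VtpSwitch("C1", "client", "corp")
    t1 = VtpSwitch("T1", "transparent", "corp", vlans={1: "default", 99: "lab"})
    c2 = VtpSwitch("C2", "client", "corp")
    link(s1, c1); link(c1, t1); link(t1, c2)
    return s1, c1, t1, c2


def stale_switch_incident(domain_switches):
    """Plug in a switch that was previously a server in the same domain, with a higher
    revision and only VLAN 1. Returns the VLAN IDs left on S1 afterwards."""
    s1, c1, t1, c2 = domain_switches
    stale = VtpSwitch("OLD", "server", "corp", revision=50)   # constructed stale revision
    link(stale, c1)
    stale.advertise()
    return sorted(s1.vlans)


if __name__ == "__main__":
    switches = build_domain()
    s1, c1, t1, c2 = switches
    s1.configure_vlan(10, "users")
    s1.configure_vlan(20, "servers")
    print({sw.name: (sw.revision, sorted(sw.vlans)) for sw in switches})
    print("after stale switch:", stale_switch_incident(switches))
```

The model deliberately has no VTP password: with one configured, advertisements whose MD5 digest does not match are ignored, which is the first line of defence against the stale-switch case. The second is procedural: never connect a switch to a production domain without first resetting its revision to 0.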
DTP (DYNAMIC
TRUNKING PROTOCOL)
• DTP is a Cisco proprietary point-to-point protocol.
• It allows a trunk to be established dynamically between two switches.
• DTP negotiation should be disabled if a switch has a trunk link connected to a router, because the
router cannot participate in the DTP negotiation.
• A trunk link can be negotiated between two switches only if both switches belong to the same VLAN
Trunking Protocol (VTP) management domain.
• If the two switches are in different VTP domains and trunking is desired between them, the trunk
links must be set to on or nonegotiate mode. This setting forces the trunk to be established.
• For a trunk to form by negotiation, at least one end must actively request it (on or desirable)
and the other end must be willing (on, desirable or auto).
• The trunking mode can be set to any of the following (the IOS interface command is given in
brackets):
• on (switchport mode trunk): places the port in permanent trunking mode; DTP frames are still sent.
The corresponding switch port at the other end of the trunk should be similarly configured because
the mode itself is not negotiated. The encapsulation (ISL or 802.1Q) should also be manually
configured.
• off (switchport mode access): places the port in permanent non-trunking mode. The port will attempt
to convert the link to non-trunking mode.
• desirable (switchport mode dynamic desirable): the port actively attempts to convert the link into a
trunk. If the far-end switch port is configured to on, desirable or auto, trunking will be
negotiated.
• auto (switchport mode dynamic auto): the port is willing to convert the link into a trunk but never
asks. If the far-end switch port is configured to on or desirable, trunking will be negotiated. Many
Catalyst platforms ship with their Fast Ethernet and Gigabit Ethernet ports in this mode (older ones
defaulted to desirable). Because of the passive behaviour, the link will never become a trunk if both
ends are left at the auto default.
• nonegotiate (switchport mode trunk plus switchport nonegotiate): the port is placed in permanent
trunking mode and no DTP frames are generated. The far-end switch port must be manually configured
for trunking; a desirable or auto port at the far end will not trunk, leaving a one-sided trunk.
• So when one end is in trunk mode with DTP enabled, the other end may be left at auto or desirable
(switchport mode dynamic auto|desirable) and will negotiate. The safer practice is to configure both
ends of every trunk explicitly and to put every host-facing port in access mode, so that a device
plugged into it cannot negotiate a trunk and reach every VLAN.
• DTP frames are sent out every 30 seconds to keep neighbouring switch ports informed of the link's
mode.
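The negotiation outcomes listed above, encoded as a function and used to audit a constructed set of links. This is an added example, not Cisco's implementation and not from the original slides; it uses the five mode names the deck uses, maps them to the IOS commands named above, and flags the two things a review cares about: trunks that exist only because DTP negotiated them, and one-sided trunks where one end forwards tagged frames that the other treats as access traffic. The link inventory at the bottom is made up.

```python
MODES = ("on", "off", "desirable", "auto", "nonegotiate")

# IOS equivalents of the five modes used in the deck (switchport ... interface commands)
IOS_COMMAND = {
    "on": "switchport mode trunk",
    "off": "switchport mode access",
    "desirable": "switchport mode dynamic desirable",
    "auto": "switchport mode dynamic auto",
    "nonegotiate": "switchport mode trunk + switchport nonegotiate",
}


def port_trunks(mode, peer_mode):
    """Does a port in `mode` end up trunking when its neighbour is in `peer_mode`?"""
    if mode not in MODES or peer_mode not in MODES:
        raise ValueError("unknown DTP mode")
    if mode in ("on", "nonegotiate"):
        return True                                      # trunks unconditionally
    if mode == "off":
        return False                                     # never trunks
    if mode == "desirable":
        return peer_mode in ("on", "desirable", "auto")  # asks; needs a DTP speaker on the far end
    return peer_mode in ("on", "desirable")              # auto: only answers, never asks


def negotiate(a_mode, b_mode):
    """Outcome for both ends of a link: (end A trunks?, end B trunks?)."""
    return port_trunks(a_mode, b_mode), port_trunks(b_mode, a_mode)


def audit_link(name, a_mode, b_mode):
    """Findings a hardening review would raise for one switch-to-switch link."""
    a_trunk, b_trunk = negotiate(a_mode, b_mode)
    state = lambda t: "trunk" if t else "access"
    findings = []
    if a_trunk != b_trunk:
        findings.append(f"{name}: one-sided trunk ({a_mode}->{state(a_trunk)}, "
                        f"{b_mode}->{state(b_trunk)}); tagged frames meet an access port")
    if a_trunk and b_trunk and {a_mode, b_mode} & {"auto", "desirable"}:
        findings.append(f"{name}: trunk exists only because DTP negotiated it; "
                        f"pin both ends with '{IOS_COMMAND['nonegotiate']}'")
    if a_mode == "auto" and b_mode == "auto":
        findings.append(f"{name}: both ends passive, no trunk formed; if VLANs must cross this link "
                        f"configure it explicitly")
    return findings


def audit_host_port(name, mode):
    """A port facing an end host must never be able to become a trunk."""
    if mode == "off":
        return []
    return [f"{name}: host-facing port in mode '{mode}' can become a trunk; "
            f"configure '{IOS_COMMAND['off']}'"]


if __name__ == "__main__":
    # Constructed inventory: (link name, mode at end A, mode at end B)
    links = [("SW1-SW2", "desirable", "auto"), ("SW2-SW3", "on", "on"),
             ("SW3-SW4", "nonegotiate", "desirable"), ("SW4-SW5", "auto", "auto")]
    for finding in (f for l in links for f in audit_link(*l)):
        print(finding)
    for finding in audit_host_port("SW5 Gi1/0/7", "auto"):
        print(finding)
```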
PVLAN (PRIVATE VLAN)
• In a traditional VLAN there is no Layer 2 segregation between devices in the same VLAN, so when one
of the devices in a VLAN is compromised, other devices on the same VLAN may be compromised as well.
• Private VLANs provide Layer 2 isolation between ports within the same VLAN, i.e. the same broadcast
domain and the same IP subnet.
• A private VLAN uses VLANs in three ways:
• Primary VLAN :- Carries traffic from promiscuous ports to isolated, community and other
promiscuous ports. Every port in a private VLAN domain is a member of the primary VLAN, i.e. the
primary VLAN is the entire private VLAN domain.
• Secondary VLANs :- are of two types : -
• Isolated VLAN :- Carries traffic from isolated ports to promiscuous ports only. There is one
isolated VLAN per primary VLAN.
• Community VLAN :- Carries traffic between community ports and to promiscuous ports. You can
configure multiple community VLANs in a private VLAN.
• Private VLAN ports are associated with this set of supporting VLANs, which together create the
private VLAN structure.
• There are three types of private VLAN ports:
• Promiscuous :- A promiscuous port can communicate with all interfaces, including the community and
isolated ports within the private VLAN. The default gateway, firewall or shared server normally sits
on a promiscuous port.
• Isolated :- An isolated port has complete Layer 2 separation from other ports within the same
private VLAN except for the promiscuous ports. Private VLANs block all traffic to isolated ports
except traffic from promiscuous ports, and traffic received from an isolated port is forwarded only
to promiscuous ports.
• Community :- Community ports communicate among themselves and with their promiscuous ports. They
are isolated at Layer 2 from all interfaces in other communities and from isolated ports within their
private VLAN.
• Private VLANs can be extended across multiple devices by trunking the primary, isolated and
community VLANs to other devices that support private VLANs.
• In a switched environment, you can assign an individual private VLAN and associated IP subnet to
each individual or common group of end stations. The end stations then only need to communicate with
a default gateway to gain access outside the private VLAN.
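The port-type rules above as a reachability check, added here as an example (not a vendor implementation and not part of the original slides) so a design can be asserted before it is deployed. The VLAN numbers and port names are constructed; the rules are exactly the three stated in the deck: promiscuous talks to everything, community ports talk only within their own community and to promiscuous ports, isolated ports talk only to promiscuous ports.

```python
PORT_TYPES = ("promiscuous", "isolated", "community")


class PrivateVlan:
    """Forwarding rules of one private VLAN domain (one primary VLAN plus its secondary VLANs)."""

    def __init__(self, primary_vid, isolated_vid, community_vids=()):
        self.primary = primary_vid
        self.isolated = isolated_vid
        self.communities = set(community_vids)
        self.ports = {}   # port name -> (type, secondary VLAN, or None for promiscuous)

    def add_port(self, name, ptype, secondary=None):
        if ptype not in PORT_TYPES:
            raise ValueError(ptype)
        if ptype == "promiscuous":
            secondary = None                   # promiscuous ports live in the primary VLAN
        elif ptype == "isolated":
            if secondary != self.isolated:
                raise ValueError("isolated port must be in the isolated VLAN")
        elif secondary not in self.communities:
            raise ValueError("community port must be in a community VLAN")
        self.ports[name] = (ptype, secondary)

    def can_forward(self, src, dst):
        """Layer 2 reachability from port src to port dst inside this private VLAN."""
        if src == dst:
            return False
        s_type, s_vlan = self.ports[src]
        d_type, d_vlan = self.ports[dst]
        if s_type == "promiscuous" or d_type == "promiscuous":
            return True                        # promiscuous talks to everyone
        if s_type == "community" and d_type == "community":
            return s_vlan == d_vlan            # same community only
        return False                           # isolated ports never reach another non-promiscuous port

    def reachable(self, src):
        return sorted(p for p in self.ports if self.can_forward(src, p))

    def isolation_matrix(self):
        """{src: {dst: bool}} for every pair, handy for asserting a design before deployment."""
        return {s: {d: self.can_forward(s, d) for d in self.ports} for s in self.ports}


def demo_domain():
    """Constructed example: primary 100, isolated 101, communities 102 and 103."""
    pv = PrivateVlan(100, 101, community_vids=(102, 103))
    pv.add_port("gw", "promiscuous")                 # default gateway / firewall
    pv.add_port("hostA", "isolated", 101)
    pv.add_port("hostB", "isolated", 101)
    pv.add_port("web1", "community", 102)
    pv.add_port("web2", "community", 102)
    pv.add_port("db1", "community", 103)
    return pv


if __name__ == "__main__":
    pv = demo_domain()
    for src in pv.ports:
        print(f"{src:>6} -> {pv.reachable(src)}")
```

The matrix only covers Layer 2. Two isolated hosts in the same subnet can still reach each other through the gateway on the promiscuous port if it is willing to route between them, so the isolation is only complete when the gateway also filters that traffic.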
VTP PRUNING
• VTP pruning improves network bandwidth use by reducing unnecessary flooded traffic, such as
broadcast, multicast, unknown-unicast and flooded unicast packets.
• VTP pruning only sends flooded traffic over trunk links that truly need it.
• For example, if switch A has no ports in VLAN 3 and a broadcast is sent in VLAN 3, that broadcast
is not forwarded over the trunk connecting to switch A.
• This helps to preserve bandwidth.
• By default VTP pruning is disabled on all switches.
• Enabling pruning on a VTP server (vtp pruning) enables it for the whole domain.
• VLANs 2 to 1001 are pruning eligible, but VLAN 1 cannot be pruned since it is the administrative
VLAN.
• (Figure) Flooded traffic without VTP pruning.
• (Figure) Flooded traffic when VTP pruning is enabled.
• To change which VLANs are pruning eligible on a trunk port, use the interface command:
switchport trunk pruning vlan {add | except | none | remove} vlan-list
