Using VLANs enhances network performance and network security, and makes the network more flexible to manage.
Suppose that we have the following network:
Figure 16.1: a network without a VLAN
In figure (16.1), all the devices exist in the same broadcast domain. This is because switches forward broadcasts out of every port and so do not divide broadcast domains.
We can divide this LAN into many VLANs by assigning every switch port to a certain VLAN. Every VLAN will have its own broadcast domain, as seen in figure (16.2).
Figure 16.2: a network that is divided to VLANs
Dividing one broadcast domain into many smaller broadcast domains enhances network performance, because every device now receives only the broadcasts of its own VLAN.
Every department in the company should exist in its own LAN, as seen in figure (16.3).
Figure 16.3: every department exists in its own LAN
This enhances network security, because traffic between departments must then pass through the router, where it can be controlled.
As you can see in figure (16.3), to put every department in its own LAN we need to dedicate some switches to every department, and to connect every department's LAN to its own router interface. Therefore, if we have ten departments, we will need ten router interfaces, which will cost a lot of money.
VLANs allow us to divide one LAN into many VLANs. Every VLAN will have its own IP subnet, and it will work as a totally separate LAN, with all the options that exist for a regular LAN. In addition, all the VLANs can be connected to only one router interface, as seen in figure (16.4).
Figure 16.4: every department exists in its own VLAN
Therefore, VLANs enhance network security by allowing us to put the computers of every department in their own VLAN, without needing a separate router interface for every department.
VLANs allow the network administrator to put any computer in any VLAN, regardless of its physical location.
Suppose that our company has three floors and three departments: sales, finance and HR.
We can configure the three VLANs, the sales VLAN, the finance VLAN and the HR VLAN, on every switch on every floor, as seen in figure (16.5).
Figure 16.5: VLANs enhance network management
Doing that will allow us to connect a sales computer to the 'sales' VLAN, regardless of whether this computer exists on the first, second or third floor. This is also applicable to the other departments' computers, which enhances network management flexibility.
Every port in a switch can be assigned to a certain VLAN, in one of two ways:
Static VLAN assignment: the administrator manually assigns the switch port to a certain VLAN.
Dynamic VLAN assignment: the port is automatically assigned to a certain VLAN depending on the MAC address of the device attached to it. This is done using a server called the 'VMPS' (VLAN Membership Policy Server).
The switch uses a trunk port to pass frames from all the VLANs to another switch. Every frame is tagged with its VLAN number before it is sent through the trunk, so the receiving switch knows which VLAN it belongs to.
Generally, trunk ports are used to connect switches to each other.
Suppose that we have two switches, and every switch contains two VLANs (VLAN 1 and VLAN 2), as seen in figure (16.6).
Figure 16.6: the trunk port
What happens if a computer in 'VLAN 1' on 'SW1' sends some data to a computer in 'VLAN 1' on 'SW2'?
'SW1' will tag the frames with VLAN 1's identifier.
Then, 'SW1' will send the frames through its trunk port to 'SW2'.
'SW2' will receive the frames and find the VLAN 1 tag on them.
Accordingly, 'SW2' will forward those frames only to 'VLAN 1' ports, so they reach the destination computer.
VLAN tagging methods:
There are two frame-tagging methods: the IEEE 802.1Q standard, and Cisco's proprietary ISL (Inter-Switch Link).
When a switch receives an untagged frame through its trunk port, it considers it as belonging to its 'native VLAN'. With 802.1Q, the switch also sends the native VLAN's own frames through the trunk without a tag; ISL encapsulates every frame.
The default native VLAN is 'VLAN 1'. However, the administrator can configure any VLAN on the switch to be the native VLAN of a trunk port (with the interface command switchport trunk native vlan, followed by the VLAN number). Because native VLAN frames cross the trunk untagged, it is good practice to use an otherwise unused VLAN as the native VLAN and to keep user ports out of it.
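As an added example (written for this page; it is not code from the original text or from any switch vendor), the following Python model builds and parses 802.1Q-tagged frames and forwards them between two toy switches set up like figure 16.6: VLAN 1 (the native VLAN) and VLAN 2 on each switch, joined by a trunk. The port names, MAC addresses and payload are constructed, and the switch model is deliberately simplified (no MAC-table aging, no spanning tree, tagged frames arriving on access ports are dropped).

```python
import struct

TPID_8021Q = 0x8100  # Tag Protocol Identifier that marks an 802.1Q-tagged frame


def build_frame(dst, src, ethertype, payload, vid=None, pcp=0):
    """Build an Ethernet frame; if vid is given, insert an 802.1Q tag after the source MAC."""
    frame = dst + src
    if vid is not None:
        tci = (pcp << 13) | (vid & 0x0FFF)          # 3-bit priority, 1-bit DEI (0), 12-bit VLAN id
        frame += struct.pack("!HH", TPID_8021Q, tci)
    return frame + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Return (dst, src, vid, ethertype, payload); vid is None for an untagged frame."""
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype == TPID_8021Q:
        (tci,) = struct.unpack("!H", frame[14:16])
        (ethertype,) = struct.unpack("!H", frame[16:18])
        return dst, src, tci & 0x0FFF, ethertype, frame[18:]
    return dst, src, None, ethertype, frame[14:]


class Switch:
    """Toy layer-2 switch with access ports and 802.1Q trunk ports (a hypothetical model, not IOS)."""

    def __init__(self, name):
        self.name = name
        self.ports = {}        # port name -> port settings
        self.mac_table = {}    # (vid, mac) -> port the mac was learned on

    def access(self, port, vid):                       # switchport mode access / switchport access vlan <vid>
        self.ports[port] = {"mode": "access", "vid": vid}

    def trunk(self, port, native=1, allowed=None):     # switchport mode trunk / native vlan / allowed vlan
        self.ports[port] = {"mode": "trunk", "native": native, "allowed": allowed}  # allowed=None: all VLANs

    def carries(self, port, vid):
        p = self.ports[port]
        if p["mode"] == "access":
            return p["vid"] == vid
        return p["allowed"] is None or vid in p["allowed"]

    def receive(self, port, frame):
        """Process a frame arriving on port; return the list of (egress port, frame) pairs the switch emits."""
        dst, src, tag, ethertype, payload = parse_frame(frame)
        p = self.ports[port]
        if p["mode"] == "access":
            if tag is not None:
                return []                 # this model does not accept tagged frames on access ports
            vid = p["vid"]
        else:
            vid = p["native"] if tag is None else tag   # untagged frame on a trunk -> native VLAN
            if not self.carries(port, vid):
                return []                 # VLAN not allowed on this trunk
        self.mac_table[(vid, src)] = port                 # learn the source address per VLAN
        known = self.mac_table.get((vid, dst))
        targets = [known] if known is not None else [q for q in self.ports if self.carries(q, vid)]
        out = []
        for egress in targets:
            if egress == port:
                continue                  # never send a frame back out of the port it arrived on
            q = self.ports[egress]
            tagged = q["mode"] == "trunk" and q["native"] != vid   # native VLAN leaves a trunk untagged
            out.append((egress, build_frame(dst, src, ethertype, payload, vid if tagged else None)))
        return out


def demo():
    """Two switches as in figure 16.6: VLAN 1 (native) and VLAN 2 on each, joined by a trunk on Fa0/24."""
    sw1, sw2 = Switch("SW1"), Switch("SW2")
    for sw in (sw1, sw2):
        sw.access("Fa0/1", 1)
        sw.access("Fa0/2", 2)
        sw.trunk("Fa0/24", native=1)
    host_a, host_b = bytes.fromhex("0200000000aa"), bytes.fromhex("0200000000bb")  # constructed MACs
    results = {}
    for vid, port in ((2, "Fa0/2"), (1, "Fa0/1")):
        frame = build_frame(host_b, host_a, 0x0800, b"constructed payload")
        on_trunk = sw1.receive(port, frame)            # what SW1 puts on its other ports
        delivered = sw2.receive(*on_trunk[0])          # what SW2 does with the frame from the trunk
        results[vid] = {
            "sw1_egress": [p for p, _ in on_trunk],
            "tag_on_trunk": parse_frame(on_trunk[0][1])[2],
            "sw2_egress": [p for p, _ in delivered],
        }
    return results


if __name__ == "__main__":
    for vid, r in demo().items():
        print(f"VLAN {vid}: {r}")
```

Running it shows the two cases from the text: the VLAN 2 frame crosses the trunk with a tag carrying VID 2 and is delivered on SW2's VLAN 2 port, while the VLAN 1 frame crosses the trunk untagged and is classified into the native VLAN on arrival. The same classification rule means that an untagged frame injected straight into a trunk port ends up in the native VLAN, which is why an unused VLAN is usually chosen as the native VLAN.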
We can configure a VLAN on a switch using the following commands,
Sw(config)#vlan vlan number
Sw(config-vlan)#name vlan name
To view the VLAN information,
Sw#show vlan brief
VLAN information is stored in the VLAN database file (vlan.dat), which is kept in the switch's flash memory, separately from the startup configuration; erasing the startup configuration therefore does not remove the VLANs.
We can configure a switch port as an access port as follows,
Sw(config)#interface port number
Sw(config-if)#switchport mode access
Sw(config-if)#switchport access vlan vlan number
We can configure a switch port as a trunk port as follows. On switches that support both ISL and 802.1Q, the encapsulation has to be chosen before the port can be set to trunk mode (switches that support only 802.1Q do not have the encapsulation command),
Sw(config-if)#switchport trunk encapsulation { dot1q | isl | negotiate }
Sw(config-if)#switchport mode trunk
'dot1q': the switch uses 'IEEE 802.1Q' to tag the frames.
'isl': the switch uses 'ISL' to tag the frames.
'negotiate': the tagging method is negotiated between the two switches.
The following command restricts which VLANs can pass through the trunk port. By default, all VLANs are allowed to pass through a trunk, so a trunk should be limited to the VLANs that are actually needed on the other side.
Sw(config-if)#switchport trunk allowed vlan vlan numbers
Suppose that we have two switches connected to each other as seen in figure (16.7).
Figure 16.7: switches connected by a trunk port
We can use the following command on SW1,
Sw(config-if)#switchport mode dynamic { desirable | auto }
'desirable': SW1's port will actively try to make the link between it and SW2 a trunk link, by sending DTP (Dynamic Trunking Protocol) messages.
'auto': SW1's port will passively accept a request from SW2 to make the link a trunk, but will not initiate one. Two 'auto' ports therefore never form a trunk.
If we need to make sure that SW1's port never becomes a trunk port, we configure it statically as an access port (switchport mode access) and, in addition, stop it from taking part in trunk negotiation with the following command,
Sw(config-if)#switchport nonegotiate
'switchport nonegotiate' is accepted only on a port that is statically configured as access or trunk. It stops the port from sending DTP messages, so a device attached to the port cannot negotiate a trunk with it; ports facing users or untrusted devices should be configured this way.
As you know, every VLAN has its own IP subnet. Therefore, if we have two VLANs, we need a 'layer 3' device, a router, to route the data between them.
We have two methods to route the data between the VLANs, the first one is the ordinary method, and the second one is called the ‘router on a stick’ method.
Figure 16.8: ordinary routing between the VLANs
In this method, we need a router interface for every VLAN.
We assign an IP address from VLAN1's subnet to the first router interface (fa 0/0). (IP = 10.0.0.1)
In addition, we assign an IP address from VLAN2's subnet to the second router interface (fa 0/1). (IP = 20.0.0.1)
We connect one of the switch ports that belong to VLAN1 to ‘fa 0/0’.
We connect one of the switch ports that belong to VLAN2 to ‘fa 0/1’.
All VLAN1 devices should be assigned a default gateway IP address ‘10.0.0.1’.
All VLAN2 devices should be assigned a default gateway IP address ‘20.0.0.1’.
Therefore, the router now sees two directly connected networks and can route between them.
The router configuration will be as follows,
Router(config)#interface fa 0/0
Router(config-if)#ip address 10.0.0.1 255.255.255.0
Router(config-if)#no shutdown
Router(config-if)#interface fa 0/1
Router(config-if)#ip address 20.0.0.1 255.255.255.0
Router(config-if)#no shutdown
Figure 16.8: router on a stick method
In this method, we logically divide the router's interface 'fa0/0' into sub-interfaces 'fa0/0.1' and 'fa0/0.2'. Every sub-interface handles the frames of one VLAN, so one physical link carries all the VLANs.
We assign an IP address from VLAN1's subnet to the first sub-interface 'fa 0/0.1'. (IP = 10.0.0.1)
In addition, we assign an IP address from VLAN2's subnet to the second sub-interface 'fa 0/0.2'. (IP = 20.0.0.1)
We configure a switch port as a trunk port and connect it to the router's interface 'fa0/0'.
All VLAN1 devices should be assigned the default gateway IP address '10.0.0.1'.
All VLAN2 devices should be assigned the default gateway IP address '20.0.0.1'.
Therefore, the router now sees two directly connected networks and can route between them.
The router configuration will be as follows,
Router(config)#interface fa 0/0
Router(config-if)#no ip address
Router(config-if)#no shutdown
Router(config-if)#interface fa 0/0.1
Router(config-subif)#encapsulation dot1q 1 native
(1 is the VLAN number; the 'native' keyword is needed because VLAN 1 is the native VLAN of the switch's trunk, so its frames arrive at the router untagged and would otherwise not be matched to this sub-interface)
Router(config-subif)#ip address 10.0.0.1 255.255.255.0
Router(config-subif)#interface fa 0/0.2
Router(config-subif)#encapsulation dot1q 2
(2 is the VLAN number)
Router(config-subif)#ip address 20.0.0.1 255.255.255.0
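As an added worked example (written for this page, not taken from it or from Cisco IOS), the following Python function models the forwarding decision of a router on a stick with the two sub-interfaces and addresses used above: which sub-interface accepts a frame depending on its 802.1Q tag (None stands for an untagged frame), which sub-interface the destination subnet is behind, and whether the frame leaves tagged. A second table, SUBINTERFACES_NO_NATIVE, represents the same router with 'encapsulation dot1q 1' but without the 'native' keyword, to show what that changes. The source-subnet check is an extra sanity check added here in the spirit of uRPF; it is not something the page's router configuration does.

```python
import ipaddress

# VLAN id -> (gateway address with prefix length, whether the sub-interface carries the 'native' keyword)
SUBINTERFACES = {
    1: (ipaddress.ip_interface("10.0.0.1/24"), True),    # interface fa0/0.1, encapsulation dot1q 1 native
    2: (ipaddress.ip_interface("20.0.0.1/24"), False),   # interface fa0/0.2, encapsulation dot1q 2
}

# The same router with 'encapsulation dot1q 1' on fa0/0.1 but no 'native' keyword.
SUBINTERFACES_NO_NATIVE = {
    1: (ipaddress.ip_interface("10.0.0.1/24"), False),
    2: (ipaddress.ip_interface("20.0.0.1/24"), False),
}


def ingress_subinterface(tag, subifs):
    """Return the VLAN id of the sub-interface that accepts a frame arriving on fa0/0 with this tag, or None."""
    if tag is None:
        # an untagged frame matches only a sub-interface configured with the 'native' keyword
        return next((vid for vid, (_, native) in subifs.items() if native), None)
    return tag if tag in subifs else None


def route(tag, src_ip, dst_ip, subifs=SUBINTERFACES):
    """Decide what the router does with an IP packet whose frame arrived on fa0/0 carrying tag.

    Returns ('forward', egress_tag), ('local', None) or ('drop', reason).
    egress_tag None means the frame is sent back down the trunk untagged (native VLAN).
    """
    vid = ingress_subinterface(tag, subifs)
    if vid is None:
        return ("drop", "no sub-interface accepts this frame")
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    in_gw, _ = subifs[vid]
    if src not in in_gw.network:
        # added sanity check (uRPF-like): a host in VLAN vid must use an address from that VLAN's subnet
        return ("drop", "source address is not in the ingress VLAN's subnet")
    for out_vid, (out_gw, native) in subifs.items():
        if dst == out_gw.ip:
            return ("local", None)                         # addressed to the router itself
        if dst in out_gw.network:
            return ("forward", None if native else out_vid)  # directly connected subnet
    return ("drop", "no route to destination")


if __name__ == "__main__":
    # A VLAN 2 host sending to a VLAN 1 host: the reply leaves untagged because VLAN 1 is native.
    print(route(2, "20.0.0.5", "10.0.0.7"))
    # A VLAN 1 host's frame arrives untagged; with the 'native' keyword it is routed into VLAN 2.
    print(route(None, "10.0.0.7", "20.0.0.5"))
    # Without the 'native' keyword the same untagged frame is not matched to any sub-interface.
    print(route(None, "10.0.0.7", "20.0.0.5", SUBINTERFACES_NO_NATIVE))
```

The third call is the failure mode the 'native' keyword exists for: the switch sends VLAN 1 frames untagged, and a sub-interface that only expects a tag of 1 never sees them.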
VTP (VLAN Trunking Protocol) is used to maintain the consistency of the VLAN information between the switches that exist in the same VTP domain.
Suppose that we have many switches in our network. We can put all those switches in one VTP domain; then we do not need to configure our VLANs on all the switches, we can configure them only on one switch, the VTP server, and this VLAN information will propagate to all the switches in the VTP domain.
Every switch in the VTP domain can be configured to work in one of the following VTP modes: server, client or transparent.
Server mode: switches working in server mode propagate the VLAN information to the other switches using 'VTP advertisements'. Every 'VTP advertisement' carries a 'VTP revision number', which lets the other switches determine whether this advertisement is newer than the information they already have.
In this mode,
• The VLAN information can be locally modified: we can connect to the switch that is working as the VTP server and change the VLAN configuration on it.
• Once a change occurs in the VLAN database, the ‘VTP revision number’ is incremented by one, and a ‘VTP advertisement’ is sent to all the switches in the VTP domain.
• Every VTP domain must contain at least one VTP server.
Client mode: switches working in client mode take their VLAN information from the switches that are working in server mode.
In this mode,
• The VLAN information cannot be locally modified.
• The switch builds its VLAN information from the VTP advertisement received from the VTP server.
Transparent mode: switches working in transparent mode keep their own, locally configured VLAN database. In this mode,
• Switches do not apply the VLAN information received from the VTP server to themselves.
• In VTPv2 (VTP version 2), switches working in transparent mode forward the VTP advertisements they receive to the other switches, regardless of the domain name in the advertisement.
• To exchange VLAN information between the switches, the 'VTP domain name' and the 'VTP password' must be the same on all the switches in the VTP domain. In addition, at least one of the switches must work in VTP server mode.
• VTP advertisements are sent only over trunk links.
• A VTP advertisement contains the 'VTP domain name' and the 'VTP revision number', and a switch applies it only if the revision number is higher than its own. Consequently, any switch that joins the domain with the right domain name and password and a higher revision number, even a client, overwrites the VLAN database of every switch in the domain. Before connecting a previously used switch to the network, reset its revision number to zero, for example by changing its VTP domain name or putting it in transparent mode.
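As an added example of the rules above (written for this page; it is a toy model, not Cisco's VTP implementation), the following Python class models how a switch in each VTP mode handles local VLAN changes and received advertisements: domain name and password must match, only a higher revision number is accepted, clients cannot change VLANs locally, and transparent switches keep their own database and relay advertisements. The digest is a stand-in for the MD5 digest that real VTP advertisements carry; as in VTP, it is computed over the password, so a switch with a different password rejects the advertisement. Switch names, domain, password and VLANs are constructed.

```python
import hashlib


class VtpSwitch:
    """Toy model of one switch's VTP behaviour (hypothetical, written for this page)."""

    def __init__(self, name, mode, domain, password="", version=1, vlans=None, revision=0):
        self.name, self.mode, self.domain = name, mode, domain
        self.password, self.version = password, version
        self.vlans = dict(vlans) if vlans else {1: "default"}   # VLAN id -> name
        self.revision = revision

    @staticmethod
    def digest(domain, password, revision, vlans):
        # stand-in for VTP's MD5 digest: mixes in the password so a receiver with a
        # different password computes a different value and rejects the advertisement
        h = hashlib.sha256(f"{domain}|{password}|{revision}|".encode())
        h.update(repr(sorted(vlans.items())).encode())
        return h.hexdigest()

    def advertise(self):
        """Build the advertisement this switch sends on its trunks."""
        return {"domain": self.domain, "revision": self.revision, "vlans": dict(self.vlans),
                "digest": self.digest(self.domain, self.password, self.revision, self.vlans)}

    def configure_vlan(self, vid, name):
        """Local 'vlan <vid>' command. Returns the advertisement to send, or None."""
        if self.mode == "client":
            return None                    # clients cannot modify the VLAN database locally
        self.vlans[vid] = name
        if self.mode == "transparent":
            return None                    # transparent: local change only, nothing advertised
        self.revision += 1                 # server: bump the revision and advertise the new database
        return self.advertise()

    def receive(self, adv):
        """Handle an advertisement arriving on a trunk; return the advertisements to relay onwards."""
        if self.mode == "transparent":
            # VTPv2 transparent switches relay regardless of domain; VTPv1 ones relay only their own domain
            return [adv] if self.version == 2 or adv["domain"] == self.domain else []
        if adv["domain"] != self.domain:
            return []                      # another VTP domain
        expected = self.digest(adv["domain"], self.password, adv["revision"], adv["vlans"])
        if adv["digest"] != expected:
            return []                      # password mismatch
        if adv["revision"] <= self.revision:
            return []                      # old or already known information
        self.vlans = dict(adv["vlans"])    # the higher revision wins, on servers as well as clients
        self.revision = adv["revision"]
        return [adv]


def demo():
    """Server updates a client; a wrong password is ignored; a stale switch with a higher revision wipes VLAN 5."""
    sw1 = VtpSwitch("SW1", "server", "corp", password="s3cret")
    sw2 = VtpSwitch("SW2", "client", "corp", password="s3cret")
    sw3 = VtpSwitch("SW3", "client", "corp", password="wrong")
    adv = sw1.configure_vlan(5, "hr")
    sw2.receive(adv)
    sw3.receive(adv)
    # A switch taken from a lab: same domain and password, a minimal database, but revision 50.
    lab = VtpSwitch("LAB", "client", "corp", password="s3cret", revision=50)
    sw1.receive(lab.advertise())
    return {"sw2_vlans": sorted(sw2.vlans), "sw3_vlans": sorted(sw3.vlans),
            "sw1_vlans": sorted(sw1.vlans), "sw1_revision": sw1.revision}


if __name__ == "__main__":
    print(demo())
```

The last step of demo() is the revision-number problem: the lab switch is only a client, yet because its revision is higher the server accepts its database and VLAN 5 disappears from the domain.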
VTP pruning reduces unnecessary flooded traffic on trunk links. When pruning is enabled in the VTP domain (it is enabled on a VTP server and propagates to the other switches), the broadcasts of a VLAN are not sent over a trunk to a switch unless that switch, or a switch behind it, has ports that belong to that VLAN. By default, VTP pruning is disabled.
Suppose that we have the network in figure (16.9), and a computer in VLAN5 sends a broadcast. The broadcast should propagate only in VLAN5.
The broadcast will propagate through SW1, SW2 and SW3, because those switches have ports that belong to VLAN5.
The broadcast will not propagate to SW4 and SW5, because those switches do not have ports that belong to VLAN5.
Figure 16.9: VTP pruning
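As an added example (written for this page; figure 16.9 itself is not reproduced, so the topology below is constructed), the following Python code computes which trunk links a broadcast in a given VLAN crosses, with and without pruning. A switch "joins" a VLAN towards a neighbour when it, or any switch behind it, has ports in that VLAN; that is the information VTP pruning exchanges, and a trunk only carries a VLAN's flooded traffic towards neighbours that have joined it. The switch names, trunk links and VLAN memberships are constructed, and the active topology is assumed to be loop-free, as spanning tree would leave it.

```python
from collections import defaultdict

# Constructed topology: trunk links between switches, and the VLANs with active access ports on each switch.
TRUNKS = [("SW1", "SW2"), ("SW2", "SW3"), ("SW2", "SW4"), ("SW4", "SW5")]
ACCESS_VLANS = {"SW1": {5, 10}, "SW2": {5}, "SW3": {5, 20}, "SW4": {10}, "SW5": {20}}


def adjacency(trunks):
    adj = defaultdict(set)
    for a, b in trunks:
        adj[a].add(b)
        adj[b].add(a)
    return adj


def joins(sw, vid, adj, access, upstream, seen=None):
    """Does sw join VLAN vid towards upstream, i.e. does sw or any switch behind it have ports in vid?"""
    seen = set() if seen is None else seen
    seen.add(sw)
    if vid in access.get(sw, set()):
        return True
    return any(joins(n, vid, adj, access, sw, seen)
               for n in adj[sw] if n != upstream and n not in seen)


def flooded_links(source, vid, trunks=TRUNKS, access=ACCESS_VLANS, pruning=True):
    """Trunk links over which a broadcast from a host attached to source in VLAN vid is sent."""
    adj = adjacency(trunks)
    links, visited, stack = set(), {source}, [source]
    while stack:
        sw = stack.pop()
        for n in adj[sw]:
            if n in visited:
                continue
            if pruning and not joins(n, vid, adj, access, sw):
                continue                          # the neighbour never joined vid: link pruned for this VLAN
            links.add(tuple(sorted((sw, n))))
            visited.add(n)
            stack.append(n)
    return links


if __name__ == "__main__":
    print("VLAN 5 broadcast from SW1, pruning on: ", sorted(flooded_links("SW1", 5)))
    print("VLAN 5 broadcast from SW1, pruning off:", sorted(flooded_links("SW1", 5, pruning=False)))
    print("VLAN 20 broadcast from SW3, pruning on:", sorted(flooded_links("SW3", 20)))
```

The VLAN 20 case shows why the join has to be transitive: SW2 has no VLAN 20 ports of its own, but the link SW2-SW4 still carries VLAN 20 because SW5, behind SW4, does.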
To configure VTP on a switch, we can use the following commands,
Switch(config)#vtp domain domain name
Switch(config)#vtp password vtp password
Switch(config)#vtp mode { server | client | transparent }
Switch(config)#vtp version 2
(to enable VTP version 2)
Switch(config)#vtp pruning
(to enable VTP pruning)
To view the VTP information, we can use the following command,
Switch#show vtp status
VTP mode: server
VTP version: version 1
VTP pruning: disabled