16: Virtual LAN (VLAN)

16.1 Virtual LAN (VLAN) characteristics

Using VLANs enhances network performance, network security, and the flexibility of network management.

16.1.1 VLANs enhance the network performance

Suppose that we have the following network:

Figure 16.1: a network without a VLAN

In figure (16.1), all the devices exist in the same broadcast domain. This is because switches do not divide broadcast domains.

We can divide this LAN into many VLANs by assigning every switch port to a certain VLAN. Every VLAN will have its own broadcast domain, as seen in figure (16.2).

Figure 16.2: a network that is divided into VLANs

Dividing one broadcast domain into many broadcast domains enhances the network performance.

16.1.2 VLANs enhance the network security

Every department in the company should exist in its own LAN as seen in figure (16.3).

Figure 16.3: every department exists in its own LAN

This enhances network security because,

  1. The broadcast packet sent from one department will not reach any computer in another department. As an example, in figure (16.3), if a computer in the ‘sales’ department sends a broadcast, it will reach all the computers in the ‘sales’ LAN. However, it will not reach any computer in the ‘finance’ LAN.
  2. We can control the access to the network resources. As an example, in figure (16.3), we can configure our network to allow the ‘sales’ LAN (10.0.0.0/24) to access the server ‘20.0.0.2’, while not allowing the ‘finance’ LAN (11.0.0.0/24) to access the same server.

As you can see in figure (16.3), to put every department in its own LAN, we need to dedicate some switches to every department and connect every department’s LAN to its own router interface. Therefore, if we have ten departments, we will need ten router interfaces, which will cost us a lot of money.

VLANs allow us to divide one LAN into many VLANs. Every VLAN will have its own IP network, it will work as a totally separate LAN, and it will have all the features of a regular LAN. In addition, all the VLANs can connect to only one router interface, as seen in figure (16.4).

Figure 16.4: every department exists in its own VLAN

Therefore, VLANs enhance the network security by allowing us to put the computers of every department in its own VLAN.

16.1.3 VLANs enhance the management flexibility

VLANs allow the network administrator to put any computer in any VLAN, regardless of its physical location.

Suppose that our company has three floors and three departments, the sales, the finance and the HR.

We can configure the three VLANs, the sales VLAN, the finance VLAN and the HR VLAN, on every switch on every floor, as seen in figure (16.5).

Figure 16.5: VLANs enhance the network management

Doing that will allow us to connect a sales computer to the ‘sales’ VLAN, regardless of whether this computer is on the first, second or third floor. This is also applicable to the computers of the other departments, which enhances the network management flexibility.

16.2 VLAN switch port membership

Every port in a switch can be assigned to a certain VLAN.

Static port

The administrator manually assigns the switch port to a certain VLAN.

Dynamic port

The port is automatically assigned to a certain VLAN, depending on the device attached to this port. This is done using a server that is called the ‘VMPS’ (VLAN Membership Policy Server).

Trunk port

The switch uses the trunk port to pass the frames from all the VLANs to another switch. This is done after tagging every frame with its VLAN number.

Generally, the trunk ports are used to connect between switches.

Suppose that we have two switches, every switch contains two VLANs (VLAN 1 and VLAN 2), as seen in figure (16.6).

Figure 16.6: the trunk port

What happens if a computer in the ‘VLAN 1’ on the ‘SW1’ sends some data to a computer in the ‘VLAN 1’ on the ‘SW2’?

The ‘SW1’ will tag the frames with the VLAN 1 tag.

Then, the ‘SW1’ will send the frames through its trunk port to reach the ‘SW2’.

The ‘SW2’ will receive the frames, and it will find the VLAN1’s tagging that exists on them.

Accordingly, the ‘SW2’ will pass those frames to its ‘VLAN 1’ ports. Therefore, the frames will reach the destination computer.

VLAN tagging methods:

There are two frame-tagging methods.

  1. ‘ISL’ (Inter-Switch Link), a Cisco proprietary method.
  2. ‘IEEE 802.1Q’, the open standard method.

The native VLAN

When a switch receives an untagged frame through its trunk port, it treats the frame as belonging to its ‘native VLAN’.

The default native VLAN is the ‘VLAN 1’. However, the administrator can configure any VLAN on the switch to be the native VLAN.
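The trunk behaviour described in this section (SW1 tags on egress, SW2 reads the tag on ingress, and an untagged frame falls into the receiving switch’s native VLAN), as an added Python example that is not part of the original chapter. It assumes the IEEE 802.1Q tag layout (TPID 0x8100 followed by a 16-bit TCI) and uses a constructed sample frame; the last function is a check that shows why the native VLAN must be the same on both ends of a trunk.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that announces an IEEE 802.1Q tag

# Constructed sample frame: a broadcast ARP request from 00:11:22:33:44:55, untagged
UNTAGGED_FRAME = (bytes.fromhex("ffffffffffff")            # destination MAC
                  + bytes.fromhex("001122334455")          # source MAC
                  + bytes.fromhex("0806")                  # EtherType: ARP
                  + b"\x00\x01\x08\x00\x06\x04\x00\x01")   # start of the ARP payload


def tag_frame(frame: bytes, vlan_id: int, pcp: int = 0) -> bytes:
    """Insert an 802.1Q tag between the source MAC and the original EtherType."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be in 1..4094")
    tci = (pcp << 13) | vlan_id   # PCP (3 bits) | DEI (1 bit, left 0) | VID (12 bits)
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def trunk_egress(frame: bytes, vlan_id: int, native_vlan: int = 1) -> bytes:
    """SW1 side: frames of the native VLAN leave the trunk untagged, all others tagged."""
    return frame if vlan_id == native_vlan else tag_frame(frame, vlan_id)


def trunk_ingress(frame: bytes, native_vlan: int = 1):
    """SW2 side: return (vlan_id, frame without the tag) as the receiving switch sees it."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    if struct.unpack("!H", frame[12:14])[0] != TPID_8021Q:
        return native_vlan, frame                  # untagged on a trunk -> native VLAN
    tci = struct.unpack("!H", frame[14:16])[0]
    return tci & 0x0FFF, frame[:12] + frame[16:]   # strip the 4-byte tag


def native_vlan_mismatch(sw1_native: int, sw2_native: int, vlan_id: int) -> bool:
    """Check: does a frame of vlan_id end up in a different VLAN on SW2 because the two
    ends of the trunk disagree on the native VLAN? This is why native VLANs must match."""
    landed, _ = trunk_ingress(trunk_egress(UNTAGGED_FRAME, vlan_id, sw1_native), sw2_native)
    return landed != vlan_id
```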

16.3 Virtual LAN (VLAN) configuration

16.3.1 Configuring a VLAN on a switch

We can configure a VLAN on a switch using the following commands,

Sw(config)#vlan vlan number

Sw(config-vlan)#name vlan name

To view the VLAN information,

Sw#show vlan brief

VLAN information is stored in the VLAN database file (vlan.dat), which is kept in the switch’s flash memory.

16.3.2 VLAN access port configuration

We can configure a switch port as an access port as follows,

Sw(config)#interface port number

Sw(config-if)#switchport mode access

Sw(config-if)#switchport access vlan vlan number

16.3.3 VLAN trunk port configuration

We can configure a switch port as a trunk port as follows,

Sw(config-if)#switchport mode trunk

Sw(config-if)#switchport trunk encapsulation { dot1q | isl | negotiate }

‘dot1q’: the switch uses ‘IEEE 802.1Q’ to tag the frames.

‘isl’: the switch uses ‘ISL’ to tag the frames.

‘negotiate’: the two switches negotiate the tagging method between them.

The following command restricts the trunk port to carrying only the listed VLANs. By default, all VLANs are allowed to pass through the trunk port.

Sw(config-if)#switchport trunk allowed vlan vlan numbers

Another way to configure the trunk port,

Suppose that we have two switches connected to each other as seen in figure (16.7).

Figure 16.7: switches connected by a trunk port

We can use the following command on SW1,

Sw(config-if)#switchport mode dynamic { desirable | auto }

‘desirable’: the SW1 port will actively try to make the link between it and SW2 a trunk link.

‘auto’: the SW1 port will passively accept making the link a trunk link if SW2 asks for it.

If we need to make the SW1’s port never be a trunk port, we can use the following command,

Sw(config-if)#switchport nonegotiate

In this case, the SW1 will never convert this port to a trunk port.

16.4 Routing between VLANs

As you know, every VLAN has its own IP network. Therefore, if we have two VLANs, we need a ‘layer 3’ device, a router, to route the data between those two VLANs.

We have two methods to route the data between the VLANs, the first one is the ordinary method, and the second one is called the ‘router on a stick’ method.

16.4.1 The ordinary routing method

Figure 16.8: ordinary routing between the VLANs

In this method, we need a router’s interface for every VLAN.

We assign an IP to the first router’s interface (fa 0/0) that belongs to VLAN1. (IP = 10.0.0.1)

In addition, we assign an IP to the second router’s interface (fa 0/1) that belongs to VLAN2. (IP = 20.0.0.1)

We connect one of the switch ports that belong to VLAN1 to ‘fa 0/0’.

We connect one of the switch ports that belong to VLAN2 to ‘fa 0/1’.

All VLAN1 devices should be assigned a default gateway IP address ‘10.0.0.1’.

All VLAN2 devices should be assigned a default gateway IP address ‘20.0.0.1’.

Therefore, the router now sees two directly connected networks that it can route between.

The router configuration will be as follows,

Router(config)#interface fa 0/0

Router(config-if)#ip address 10.0.0.1 255.255.255.0

Router(config-if)#no shutdown

Router(config-if)#interface fa 0/1

Router(config-if)#ip address 20.0.0.1 255.255.255.0

Router(config-if)#no shutdown

16.4.2 Router on a stick method

Figure 16.8: router on a stick method

In this method, we logically divide the router’s interface ‘fa0/0’ into sub-interfaces ‘fa0/0.1’ and ‘fa0/0.2’.

We assign an IP to the first sub-interface ‘fa 0/0.1’ that belongs to VLAN1. (IP = 10.0.0.1)

In addition, we assign an IP to the second sub-interface ‘fa 0/0.2’ that belongs to VLAN2. (IP = 20.0.0.1)

We configure a switch port as a trunk port and connect it to the router’s interface.

All VLAN1 devices should be assigned a default gateway IP address ‘10.0.0.1’.

All VLAN2 devices should be assigned a default gateway IP address ‘20.0.0.1’.

Therefore, the router now sees two directly connected networks that it can route between.

The router configuration will be as follows,

Router(config)#interface fa 0/0

Router(config-if)#no ip address

Router(config-if)#no shutdown

Router(config-if)#interface fa 0/0.1

Router(config-subif)#encapsulation dot1q 1

(1 is the VLAN number)

Router(config-subif)#ip address 10.0.0.1 255.255.255.0

Router(config-subif)#interface fa 0/0.2

Router(config-subif)#encapsulation dot1q 2

(2 is the VLAN number)

Router(config-subif)#ip address 20.0.0.1 255.255.255.0

16.5 VLAN Trunking Protocol (VTP)

The VTP is used to maintain the consistency of the VLAN information between the switches that exist in the same VTP domain.

Suppose that we have many switches in our network. We can put all those switches in one VTP domain. Then we do not need to configure our VLANs on all the switches: we configure the VLANs on one switch only, the VTP server, and this VLAN information propagates to all the switches in the VTP domain.

16.5.1 VTP modes

Every switch in the VTP domain can be configured to work in one of the following VTP modes,

‘Server’ VTP mode

Switches working in the server mode propagate the VLAN information to other switches using ‘VTP advertisements’. Every ‘VTP advertisement’ carries a ‘VTP revision number’, which helps the other switches determine whether this ‘VTP advertisement’ is newer or older than the information they already hold.

In this mode,

• The VLAN information can be modified locally: we connect to the switch that is working as the VTP server and change the VLAN configuration that exists on it.

• Once a change occurs in the VLAN database, the ‘VTP revision number’ is incremented by one, and a ‘VTP advertisement’ is sent to all the switches in the VTP domain.

• Every VTP domain must contain at least one VTP server.

‘Client’ VTP mode

Switches working in the client mode take their VLAN information from the switches that are working in the server mode.

In this mode,

• The VLAN information cannot be locally modified.

• The switch builds its VLAN information from the VTP advertisement received from the VTP server.

‘Transparent’ VTP mode

In this mode,

• Switches do not apply the VLAN information received from the VTP server to themselves.

• In VTPv2 (VTP version 2), switches working in the transparent mode forward the VTP information that they receive from the VTP server to the other switches.

16.5.2 VTP characteristics

• To communicate VLAN information between the switches, the ‘VTP domain name’, and the ‘VTP Password’ must be the same on all the VTP domain switches. In addition, at least one of the switches must work in the VTP server mode.

• VTP advertisements are sent only on the trunk links.

• VTP advertisement contains the ‘VTP domain name’ and the ‘VTP revision number’.
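The VTP mode and domain rules from sections 16.5.1 and 16.5.2 (server changes bump the revision number and are advertised; clients apply newer advertisements and cannot edit locally; transparent switches never apply and relay only with version 2; domain name and password must match), as an added Python simulation that is not part of the original chapter. The class names and the advertisement structure are constructed for the example; the assumption that a server also accepts a newer advertisement from another server is standard VTP behaviour not stated on this page.

```python
from dataclasses import dataclass, field


@dataclass
class VtpAdvertisement:
    domain: str
    password: str
    revision: int
    vlans: dict          # {vlan_id: name}, the advertised VLAN database


@dataclass
class VtpSwitch:
    name: str
    mode: str            # "server", "client" or "transparent"
    domain: str
    password: str
    version: int = 1     # VTP version 1 is the default
    revision: int = 0
    vlans: dict = field(default_factory=lambda: {1: "default"})

    def add_vlan(self, vlan_id: int, name: str):
        """Local change. Returns the advertisement a server sends out, else None."""
        if self.mode == "client":
            raise PermissionError(f"{self.name}: VLAN database is read-only in client mode")
        self.vlans[vlan_id] = name
        if self.mode == "transparent":
            return None                      # local only, never advertised
        self.revision += 1                   # every server-side change bumps the revision
        return VtpAdvertisement(self.domain, self.password, self.revision, dict(self.vlans))

    def receive(self, adv: VtpAdvertisement):
        """Handle an advertisement from a trunk. Returns what to relay onward, or None."""
        if self.mode == "transparent":
            # Never applied locally; relayed to other switches only with VTP version 2
            return adv if self.version == 2 else None
        if adv.domain != self.domain or adv.password != self.password:
            return None                      # wrong domain name or password: ignored
        if adv.revision > self.revision:     # newer than what we hold: replace database
            self.vlans = dict(adv.vlans)     # (assumed: servers accept this too)
            self.revision = adv.revision
        return adv                           # older or equal revision: keep ours, relay
```

Run against a server and a client in the same domain, a client in another domain and two transparent switches (versions 1 and 2) to see which ones pick up a newly created VLAN.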

16.5.3 VTP pruning

When VTP pruning is enabled on a switch in the VTP domain, broadcasts are not forwarded to this switch unless it has ports that belong to the VLAN in which the broadcast propagates. By default, VTP pruning is disabled on the switches.

Suppose that we have the network in figure (16.9). The broadcast should propagate in VLAN 5, because the computer that generated this broadcast exists in VLAN 5.

The broadcast will propagate through SW1, SW2 and SW3, because those switches have ports that belong to VLAN 5.

The broadcast will not propagate through SW4 and SW5, because those switches do not have ports that belong to VLAN 5.

Figure 16.9: VTP pruning
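The pruning rule above, as an added Python example that is not part of the original chapter. The topology and the VLAN membership of each switch are constructed (they are not figure 16.9 itself); the example also goes slightly beyond the text by showing that a trunk still carries a VLAN through a switch with no ports in it when a member switch lies further along the path, which is what a switch has to decide when it prunes.

```python
# Constructed topology: switch -> neighbours over trunk links (assumed loop-free)
TRUNKS = {
    "SW1": {"SW2"},
    "SW2": {"SW1", "SW3", "SW4"},
    "SW3": {"SW2", "SW5"},
    "SW4": {"SW2"},
    "SW5": {"SW3"},
}
# Constructed: the VLANs that have access ports on each switch
ACCESS_VLANS = {
    "SW1": {5, 10}, "SW2": {5}, "SW3": {5, 20}, "SW4": {10}, "SW5": {20},
}


def _subtree_needs_vlan(switch, parent, vlan, trunks, access):
    """True if this switch, or any switch behind it (away from parent), has a port in vlan."""
    if vlan in access.get(switch, set()):
        return True
    return any(_subtree_needs_vlan(n, switch, vlan, trunks, access)
               for n in trunks[switch] if n != parent)


def broadcast_reach(source, vlan, trunks, access, pruning):
    """Return the set of switches a broadcast sent from `source` in `vlan` is flooded to."""
    reached, stack = set(), [(source, None)]
    while stack:
        sw, parent = stack.pop()
        reached.add(sw)
        for n in trunks[sw]:
            if n == parent:
                continue
            # Without pruning every trunk carries every VLAN. With pruning a trunk
            # carries the VLAN only if some switch behind it has a port in that VLAN.
            if not pruning or _subtree_needs_vlan(n, sw, vlan, trunks, access):
                stack.append((n, sw))
    return reached
```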

16.5.4 VTP configuration

To configure VTP on a switch, we can use the following commands,

Switch(config)#vtp domain domain name

Switch(config)#vtp password vtp password

Switch(config)#vtp mode { server | client | transparent }

Switch(config)#vtp version 2

(to enable VTP version 2)

Switch(config)#vtp pruning

(to enable VTP pruning)

To view the VTP information, we can use the following command,

Switch#show vtp status

The default VTP configuration on the switches is,

VTP mode: server

VTP version: version 1

VTP pruning: disabled