Vlan

What is a LAN?
Okay, most of you already know what a LAN is but let’s give it a definition to make sure. We have to
do this because, if you don’t know what a LAN is, you can’t understand what a VLAN is.

A LAN is a local area network and is defined as all devices in the same broadcast domain. If you
remember, routers stop broadcasts, switches just forward them.

What is a VLAN?
As I said, a VLAN is a virtual LAN. In technical terms, a VLAN is a broadcast domain created by
switches. Normally, it is a router creating that broadcast domain. With VLAN’s, a switch can create
the broadcast domain.

This works by, you, the administrator, putting some switch ports in a VLAN other than 1, the default
VLAN. All ports in a single VLAN are in a single broadcast domain.

Because switches can talk to each other, some ports on switch A can be in VLAN 10 and other ports
on switch B can be in VLAN 10. Broadcasts between these devices will not be seen on any other port
in any other VLAN, other than 10. However, these devices can all communicate because they are on
the same VLAN. Without additional configuration, they would not be able to communicate with any
other devices, not in their VLAN.

Are VLANs required?
It is important to point out that you don’t have to configure a VLAN until your network gets so large
and has so much traffic that you need one. Many times, people are simply using VLAN’s because the
network they are working on was already using them.

Another important fact is that, on a Cisco switch, VLAN’s are enabled by default and ALL devices
are already in a VLAN. The VLAN that all devices are already in is VLAN 1. So, by default, you can
just use all the ports on a switch and all devices will be able to talk to one another.

When do I need a VLAN?
You need to consider using VLAN’s in any of the following situations:

• You have more than 200 devices on your LAN
• You have a lot of broadcast traffic on your LAN
• Groups of users need more security or are being slowed down by too many broadcasts?
• Groups of users need to be on the same broadcast domain because they are running the same
applications. An example would be a company that has VoIP phones. The users using the
phone could be on a different VLAN, not with the regular users.
• Or, just to make a single switch into multiple virtual switches.

Why not just subnet my network?
A common question is why not just subnet the network instead of using VLAN’s? Each VLAN
should be in its own subnet. The benefit that a VLAN provides over a subnetted network is that
devices in different physical locations, not going back to the same router, can be on the same network.

The limitation of subnetting a network with a router is that all devices on that subnet must be
connected to the same switch and that switch must be connected to a port on the router.

With a VLAN, one device can be connected to one switch, another device can be connected to
another switch, and those devices can still be on the same VLAN (broadcast domain).

How can devices on different VLAN’s communicate?
Devices on different VLAN’s can communicate with a router or a Layer 3 switch. As each VLAN is
its own subnet, a router or Layer 3 switch must be used to route between the subnets.

What is a trunk port?
When there is a link between two switches or a router and a switch that carries the traffic of more than
one VLAN, that port is a trunk port.

A trunk port must run a special trunking protocol. The protocol used would be Cisco’s proprietary
Inter-switch link (ISL) or the IEEE standard 802.1q.

How do I create a VLAN?
Configuring VLAN’s can vary even between different models of Cisco switches. Your goals, no
matter what the commands are, is to:

• Create the new VLAN’s
• Put each port in the proper VLAN

Let’s say we wanted to create VLAN’s 5 and 10. We want to put ports 2 & 3 in VLAN 5 (Marketing)
and ports 4 and 5 in VLAN 10 (Human Resources). On a Cisco 2950 switch, here is how you would

do it:

At this point, only ports 2 and 3 should be able to communicate with each other and ports 4 & 5
should be able to communicate. That is because each of these is in its own VLAN. For the device on
port 2 to communicate with the device on port 4, you would have to configure a trunk port to a router
so that it can strip off the VLAN information, route the packet, and add back the VLAN information.

What do VLAN’s offer?
VLAN’s offer higher performance for medium and large LAN’s because they limit broadcasts. As the
amount of traffic and the number of devices grow, so does the number of broadcast packets. By using
VLAN’s you are containing broadcasts.

VLAN’s also provide security because you are essentially putting one group of devices, in one
VLAN, on their own network.

Article Summary
Here is what we have learned:

• A VLAN is a broadcast domain formed by switches
• Administrators must create the VLAN’s then assign what port goes in what VLAN,
manually.
• VLAN’s provide better performance for medium and large LAN’s.
• All devices, by default, are in VLAN 1.
• A trunk port is a special port that runs ISL or 802.1q so that it can carry traffic from more
than one VLAN.
• For devices in different VLAN’s to communicate, you must use a router of Layer 3 switch.

From Other Sites

Short for virtual LAN, a network of computers that behave as if they are connected to the same wire even
though they may actually be physically located on different segments of a LAN. VLANs are configured
through software rather than hardware, which makes them extremely flexible. One of the biggest
advantages of VLANs is that when a computer is physically moved to another location, it can stay on the
same VLAN without any hardware reconfiguration.

Types of VLAN
There are only two types of VLAN possible today, cell-based VLANs and frame-based
VLANs.

• Cell-based VLANs are used in ATM switched networks with LAN Emulation (or
LANE). LANE is used to allow hosts on legacy LAN segments to communicate
using ATM networks without having to use special hardware or software
modification.
• Frame-based VLANs are used in ethernet networks with frame tagging. The two
primary types of frame tagging are IEEE 802.10 and ISL (Inter Switch Link is a
Cisco proprietary frame-tagging). Keep in mind that the 802.10 standard makes it
possible to deploy VLANs with 802.3(Ethernet), 802.5(Token-Ring), and FDDI,
but ethernet is most common.

VLAN modes
There are three different modes in which a VLAN can be configured. These modes are
covered below:

• VLAN Switching Mode - The VLAN forms a switching bridge in which frames
are forwarded unmodified.
• VLAN Translation Mode - VLAN translation mode is used when the frame
tagging method is changed in the network path, or if the frame traverses from a
VLAN group to a legacy or native interface which is not configured in a VLAN.
When the packet is to pass into a native interface, the VLAN tag is removed so
that the packet can properly enter the native interface.
• VLAN Routing Mode - When a packet is routed from one VLAN to a different
VLAN, you use VLAN routing mode. The packet is modified, usually by a router,
which places its own MAC address as the source, and then changes the VLAN ID
of the packet.

VLAN configurations
Different terminology is used between different hardware manufacturers when it comes
to VLANs. Because of this there is often confusion at implementation time. Following
are a few details, and some examples to assist you in defining your VLANs so confusion
is not an issue.

Cisco VLAN terminology

You need a few details to define a VLAN on most Cisco equipment. Unfortunately,
because Cisco sometimes acquires the technologies they use to fill their switching,
routing and security product lines, naming conventions are not always consistent. For this
article, we are focusing only one Cisco switching and routing product lines running Cisco
IOS.

• VLAN ID - The VLAN ID is a unique value you assign to each VLAN on a
single device. With a Cisco routing or switching device running IOS, your range
is from 1-4096. When you define a VLAN you usually use the syntax "vlan x"
where x is the number you would like to assign to the VLAN ID. VLAN 1 is
reserved as an administrative VLAN. If VLAN technologies are enabled, all ports
are a member of VLAN 1 by default.
• VLAN Name - The VLAN name is an text based name you use to identify your
VLAN, perhaps to help technical staff in understanding its function. The string
you use can be between 1 and 32 characters in length.
• Private VLAN - You also define if the VLAN is to be a private vlan in the VLAN
definition, and what other VLAN might be associated with it in the definition
section. When you configure a Cisco VLAN as a private-vlan, this means that
ports that are members of the VLAN cannot communicate directly with each other
by default. Normally all ports which are members of a VLAN can communicate
directly with each other just as they would be able to would they have been a
member of a standard network segment. Private vlans are created to enhance the
security on a network where hosts coexisting on the network cannot or should not
trust each other. This is a common practice to use on web farms or in other high
risk environments where communication between hosts on the same subnet are
not necessary. Check your Cisco documentation if you have questions about how
to configure and deploy private VLANs.
• VLAN modes - in Cisco IOS, there are only two modes an interface can operate
in, "mode access" and "mode trunk". Access mode is for end devices or devices
that will not require multiple VLANs. Trunk mode is used for passing multiple
VLANs to other network devices, or for end devices that need to have
membership to multiple VLANs at once. If you are wondering what mode to use,
the mode is probably "mode access".

Cisco VLAN implementations

VLAN Definition

To define a VLAN on a cisco device, you need a VLAN ID, a VLAN name, ports you
would like to participate in the VLAN, and the type of membership the port will have
with the VLAN.

• Step 1 - Log into the router or switch in question and get into enable mode.
• Step 2 - Get into configuration mode using "conf t".
• Step 3 - Create your VLAN by entering "vlan X" where X is the ID you would
like to assign the VLAN.
• Step 4 - Name your VLAN by entering "name <VLAN Name>". Replace <Vlan
Name> with the string you would like to identify your VLAN by.
• Step 5 - If you want your new VLAN to be a private-vlan, you now enter "private-
vlan primary" and "private-vlan association Y" where Y is the secondary VLAN
you want to associate with the primary vlan. If you would like the private VLAN
to be community based, you enter "private-vlan community" instead.
• Step 6 - Exit configuration mode by entering "end".
• Step 7 - Save your configuration to memory by entering "wr mem" and to the
network if you have need using "wr net". You may have to supply additional
information to write configurations to the network depending on your device
configuration.

VLAN Configuration

A VLAN isn't much use if you haven't assigned it an IP Address, the subnet netmask, and
port membership. In normal network segment configurations on routers, individual
interfaces or groups of interfaces (called channels) are assigned IP addresses. When you
use VLANs, individual interfaces are members of VLANs and do not have individual IP
addresses, and generally don't have access lists applied to them. Those features are
usually reserved for the VLAN interfaces. The following steps detail one method of
creating and configuring your VLAN interface. NOTE: These steps have already
assumed that you have logged into the router, gotten into enable mode, and entered
configuration mode. These specific examples are based on the Cisco 6500 series devices.

• Step 1 - Enter "Interface VlanX" where X is the VLAN ID you used in the VLAN
definition above.
• Step 2 - This step is optional. Enter "description " where VLAN description
details what the VLAN is going to be used for. You can just simply re-use the
VLAN name you used above if you like.
• Step 3 - Enter "ip address <address> <netmask>" where <address> is the address
you want to assign this device in the VLAN, and <netmask> is the network mask
for the subnet you have assigned the VLAN.
• Step 4 - The step is optional. Create and apply an access list to the VLAN for
inbound and outbound access controls. For a standard access list enter "access-
group XXX in" and "access-group YYY out" where XXX and YYY corresponds
to access-lists you have previously configured. Remember that the terms are taken
in respect to the specific subnet or interface, so "in" means from the VLAN INTO
the router, and "out" means from the router OUT to the VLAN.

• Step 5 - This step is optional. Enter the private VLAN mapping you would like to
use if the port is part of a private VLAN. This should be the same secondary
VLAN you associated with the primary VLAN in VLAN definition above. Enter
"private-vlan mapping XX" where XX is the VLAN ID of the secondary VLAN
you would like to associate with this VLAN.
• Step 6 - This step is optional. Configure HSRP and any other basic interface
configurations you would normally use for your Cisco device.
configuration.

Now you have your vlan defined and configured, but no physical ports are a member of
the VLAN, so the VLAN still isn't of much use. Next port membership in the VLAN is
described. IOS devices describe interfaces based on a technology and a port number, as
with "FastEthernet3/1" or "GigabitEthernet8/16". Once you have determined which
physical ports you want to be members of the VLAN you can use the following steps to
configure it. NOTE: These steps have already assumed that you have logged into the
router, gotten into enable mode, and entered configuration mode.

For access ports

• Step 1 - Enter "Interface <interface name>" where <interface name> is the name
Cisco has assigned the interface you would like to associate with the VLAN.
• Step 2 - This step is optional. Enter "description <interface description>" where
<interface description> is text describing the system connected to the interface in
question. It is usually helpful to provide DNS hostname, IP Address, which port
on the remote system is connected, and its function.
• Step 3 - This step depends on your equipment and IOS version, and requirements.
Enter "switchport" if you need the interface to act as a switch port. Some
hardware does not support switchport mode, and can only be used as a router port.
Check your documentation if you don't know the difference between a router port
and a switch port.
• Step 4 - Only use this step if you used step 3 above. Enter "switchport access vlan
X" where X is the VLAN ID of the VLAN you want the port to be a member of.
• Step 5 - Only use this step if you used step 3 above. Enter "switchport mode
access" to tell the port that you want it to be used as an access port.
configuration.

For trunk ports

and a switch port.
• Step 4 - Only use this step if you used step 3 above. Enter "switchport trunk
encapsulation dot1q". This tells the VLAN to use dot1q encapsulation for the
VLAN, which is the industry standard encapsulation for trunking. There are other
encapsulation options, but your equipment may not operate with non Cisco
equipment if you use them.
• Step 5 - Only use this step if you used step 3 above. Enter "switchport trunk
allowed vlan XX, YY, ZZ" where XX, YY, and ZZ are VLANs you want the
trunk to include. You can define one or more VLANs to be allowed in the trunk.
• Step 6 - Only use this step if you used step 3 above. Enter "switchport mode
trunk" to tell the port to operate as a VLAN trunk, and not as an access port.
configuration.

For private VLAN ports

and a switch port.
• Step 4 - Enter "switchport private-vlan host association XX YY" where XX is the
primary VLAN you want to assign, YY is the secondary VLAN you want to
associate with it.
• Step 5 - Enter "switchport mode private-vlan host" to force the port to operate as a
private-vlan in host mode.

configuration.

You should now have your VLAN properly implemented on a Cisco IOS device.

HP VLAN terminology

HP's Procurve line of switchgear is becoming more and more prevalent in enterprise and
other business environments. Because of this, it isn't uncommon to have to get Cisco and
Procurve hardware to integrate, and because of terminology this can be a challenge.
Below some of the VLAN terminology is defined so there is less opportunity for
confusion.

• VLAN ID - Fortunately, VLAN id's are pretty much the same everywhere, the
only significant differences are the range of IDs that can be used. With Procurve
devices, the number of VLANs is defined in the configuration. The default
maximum VLANs supported on a Procurve device differs between models and
firmware revisions, but is commonly set to 8. Newer Procurve hardware supports
4,096 VLAN ids, but only 256 concurrently defined VLANs on a single device.
VLAN ID 1 is reserved for the "DEFAULT_VLAN" or the default administrative
VLAN.
• VLAN names - VLAN names are text fields that assist technicians to identify
VLANs. Procurve allows names up to 32 characters, but if you want it to properly
display in menu configuration mode, you should probably limit the name to 12
characters.
• VLAN modes - Procurve has three modes of operation for VLANs on the chassis,
Untagged, Tagged, and No. Untagged mode is cisco's access mode. This mode is
used for ports that connect to end nodes, or devices that will not be passing
VLAN traffic forward. Tagged mode is the same as Cisco's trunk mode. This
mode is used for ports that are connecting to devices that will be passing VLAN
traffic forward, or for trunking multiple VLANs. No mode means that the port in
question has no association whatsoever with that VLAN.
• Special note on "trunk" - Lots of confusion surrounds the word "trunk" when you
go between vendor equipment. In Cisco's case, trunking is only used with
VLANs. If you want to group multiple ethernet ports into a single logical ethernet
group, they call it a channel-group. This is regardless of whether FEC or LACP is
used for the channel properties. Procurve uses "trunk" to define a group of
ethernet ports when using the HP trunking protocol, and the term "Tagged" for
what Cisco calls a VLAN trunk. Of course, these two technologies have nothing
to do with each other, but because of naming conventions, confusion arises.

HP Procurve VLAN implementations

VLAN Definition

Most modern Procurve switches enable VLAN use by default, but if, for some reason,
you have an older model, log into the switch, get into manager mode, go to the switch
configuration menu (usually item 2), then the VLAN menu (usually item 8), then the
VLAN support item (usually item 1), and make sure VLANs are enabled. If you change
this setting, you will need to reboot the switch to get it to activate properly. The
configuration menu is useful for these kinds of activities, troubleshooting, and other
things, but is a little more difficult for configuring multiple switches or for using
configuration templates, so the rest of the HP Procurve configuration details will be
provided for the console configuration mode. Aside for enabling VLAN support as a
whole, VLAN definitions and configuration are created in the same place, so the rest of
the configuration examples will be provided under the VLAN configuration topic.

VLAN Configuration

Configuring VLANs on a modern Procurve is pretty simple, you must first define the
VLAN, set its properties, and then set up membership for ports and the VLAN mode they
will support. The following list should help you accomplish these tasks. NOTE: HP has
defined its interface ports by using a module/port convention. If you have a non-modular
chassis (such as the 3448cl) then ports are numbered only using numbers, such as 1 or 36.
If the chassis is modular (such as the 5308) then the ports number is prepended with the
module slot, such as A1 or H6. No reference to the type of switch port (ethernet, fast
ethernet, gigabit ethernet) is used for port reference.

• Step 1 - Log into the switch and get into manager mode. If, after logging in, you
are in the configuration menu, exit the configuration menu by selecting item 5 (in
most cases) or by using the arrow keys on your keyboard to highlight the
"Command Line (CLI)" item.
• Step 2 - Enter "conf t" to get into terminal configuration mode.
• Step 3 - Enter "vlan X" where X is the VLAN id of the VLAN you would like to
create.
• Step 4 - Name your VLAN by entering "name "<VLAN Name>"" where <VLAN
Name> is a text string from 1 to 32 characters (12 characters if you care about the
configuration menu display). You should use quotes when naming the VLAN.
• Step 5 - Give the VLAN an IP address by entering "ip address <ip address>
<netmask>" where <ip address> is the IP address you want to assign this switch
in that subnet, and <netmask> is the network mask for the subnet assigned.
• Step 6 - This step is optional. If you want to assign some end node ports to the
VLAN enter "untagged <port-list>" where <port-list> is a list of ports either
comma delimited if they are non-sequential, or using a dash between list
beginning and end if they are. An example of this is "untagged 1,3,5,7-16". This
would configure ports 1, 3, 5, and 7 through 16 to be untagged on that VLAN.
• Step 7 - This step is optional. If you want to assign some VLAN trunk ports to the
VLAN enter "tagged <port-list>" where <port-list> is a list of ports either comma
delimited if they are non-sequential, or using a dash between list beginning and
end if they are. An example of this is "untagged 1,3,5,7-16". This would configure
ports 1, 3, 5, and 7 through 16 to be untagged on that VLAN.

• Step 8 - Enter "exit" to leave VLAN configuration mode.
• Step 9 - Exit configuration mode by entering "exit" again.
• Step 10 - Save your configuration by entering "wr memory".

You have now successfully configured your HP Procurve VLAN.

Vendor Summary

If you are going to integrate Cisco and HP Procurve hardware on the same network, and
you intend to use VLANs there are only a few things you need to remember:

• For end nodes - Cisco uses "mode access", HP uses "untagged" mode.
• For VLAN dot1q trunks - Cisco uses "mode trunk", HP uses "tagged" mode.
• For no VLAN association - Cisco uses no notation at all, HP uses "no" mode in
the configuration menu, or you have VLAN support turned off.

Vlan

Recommandé

Recommandé

Contenu connexe

Tendances

Tendances (20)

En vedette

En vedette (20)

Similaire à Vlan

Similaire à Vlan (20)

Dernier

Dernier (20)

Vlan