What is a VLAN?
VLAN stands for Virtual LAN, or Virtual Local Area Network.
It is a way to separate hosts that are connected to the same switch (or switches) as if they were connected to separate LANs and belonged to different broadcast domains. Using VLANs makes it possible to have more than one broadcast domain on a single switch. Without VLANs, this type of design could only be achieved by separating LANs with routers. On a network without VLANs, any broadcast generated by a host is forwarded to every other host, greatly congesting the network. VLANs also allow changing which host belongs to which LAN without moving anything physically. It’s a handy trick up your sleeve if you are far, far away and wish to connect a host to a different network.
Each VLANs is a separate broadcast domain
Other characteristics of VLANs:
- VLANs allow filtering and separating different work groups (e.g. marketing, engineering, accounting) that do not need to communicate directly. This increases the security of a network, because people who are not supposed to communicate directly, or are not supposed to have access to the same parts of the network or the same servers, cannot do so easily. VLANs allow grouping users by the nature of their network activity rather than their physical location.
- Hosts in two different VLANs need a router in order to communicate.
- VLANs allow separating VoIP traffic from traffic that is not time critical. This makes it possible to give VoIP services priority over everything else.
- Hosts in different VLANs can even use the same IP address ranges without conflicts, because they are seen as separate networks.
- By default, all ports on a switch belong to VLAN 1.
- VLAN 1 also cannot be deleted.
There are two types of VLAN membership, depending on how hosts are assigned to a VLAN:
- Static – port based. A host connected to a given switch port belongs to the VLAN that port has been assigned to.
- Dynamic (VMPS – VLAN Management Policy Server) – a host is assigned to a VLAN depending on its MAC address or the upper-layer protocol it uses. A neat solution when your users roam and may be located in a different part of a building every time they connect.
How do switches know where to forward frames that belong to a specific VLAN?
Cisco switches tag each frame: a tag is inserted in front of the frame and acts as an identifier that allows a switch to figure out which VLAN the frame belongs to.
There are two ways in which Cisco switches can tag (encapsulate) frames:
- ISL – Inter-Switch Link (Cisco proprietary)
- IEEE 802.1q (industry standard)
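As an added example (not from the original post), the following Python builds and reads back an IEEE 802.1Q tag; the function names are my own. Unlike ISL, which wraps the whole frame in its own header, 802.1Q inserts a 4-byte tag between the source MAC and the EtherType: the TPID 0x8100 followed by the Tag Control Information, whose low 12 bits carry the VLAN ID.

```python
import struct
from typing import Optional

TPID_8021Q = 0x8100  # Tag Protocol Identifier: "an 802.1Q tag follows"


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes,
                vlan: Optional[int] = None, pcp: int = 0, dei: int = 0) -> bytes:
    """Build an Ethernet II frame (FCS omitted). With a VLAN ID, insert the
    4-byte 802.1Q tag between the source MAC and the EtherType; with
    vlan=None the frame is left untagged, as it is on an access port."""
    if len(dst) != 6 or len(src) != 6:
        raise ValueError("MAC addresses must be 6 bytes")
    header = dst + src
    if vlan is not None:
        if not (0 <= vlan <= 4095 and 0 <= pcp <= 7 and dei in (0, 1)):
            raise ValueError("invalid 802.1Q tag field")
        # TCI: 3-bit priority (PCP), 1-bit drop eligible (DEI), 12-bit VLAN ID
        tci = (pcp << 13) | (dei << 12) | vlan
        header += struct.pack("!HH", TPID_8021Q, tci)
    return header + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes, native_vlan: int = 1) -> dict:
    """Decode a frame the way a trunk port does: a tagged frame belongs to
    the VLAN in its tag, an untagged frame is placed in the native VLAN."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src = frame[:6], frame[6:12]
    (tpid,) = struct.unpack("!H", frame[12:14])
    if tpid == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        return {"dst": dst, "src": src, "tagged": True, "vlan": tci & 0x0FFF,
                "pcp": tci >> 13, "dei": (tci >> 12) & 1,
                "ethertype": ethertype, "payload": frame[18:]}
    return {"dst": dst, "src": src, "tagged": False, "vlan": native_vlan,
            "pcp": 0, "dei": 0, "ethertype": tpid, "payload": frame[14:]}


def strip_tag(frame: bytes) -> bytes:
    """Remove the 802.1Q tag before the frame leaves through an access port."""
    if not parse_frame(frame)["tagged"]:
        return frame
    return frame[:12] + frame[16:]
```

Because an untagged frame arriving on a trunk is simply placed in the native VLAN, parse_frame takes the native VLAN as a parameter, which is why choosing an otherwise unused VLAN as the native VLAN is a common hardening step.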
Switch ports can operate in one of the following modes:
- Access – direct connection of a host to a port
- Trunk – communication between two or more switches
- Native – does not recognize VLAN tagging; used to connect to networks that do not recognize VLANs.
Switches can carry several VLANs between one another either by using one additional cable per VLAN or by using trunk links.
A trunk link is a link that belongs to all VLANs at the same time.
Hosts in different VLANs need a router in order to communicate, just as they would if they were members of two different physical networks. Frames of different VLANs are tagged, so the information about which frame belongs to which VLAN is not lost when they are sent over a single trunk link. Thanks to that, a trunk connection can be used between a switch and a router, instead of having one group of cables connecting the switch to hosts and as many cables connecting the switch to the router as there are VLANs. Only one cable is used between the router and the switch, and it is a trunk link. This type of configuration is known as router-on-a-stick.
To represent each VLAN on a router, virtual sub-interfaces are usually used. This way each VLAN connected via the trunk link has its own representation on the router, without the need for a separate physical interface per VLAN.
Typically, when you configure a VLAN, you assign which switch port belongs to which VLAN. To increase the security of a network you can configure not only which host belongs to which switch port; you can also enforce that if a host with a different MAC address ever connects to one of these ports, the switch reacts in a certain way, for example by shutting down the port. This mechanism is known as switch port security.
To reduce the effort an administrator needs to replicate a VLAN database across a network, the VTP (VLAN Trunking Protocol) protocol was invented. As Jeremy Cioara said in one of his training videos, it really should be called VLAN Replication Protocol. The protocol shares and propagates information about which switch serves which VLANs in a network. This way each switch in the network knows which VLANs are configured and on which switches they are present.
VTP allows sending updates about VLAN membership. The benefit of knowing which VLANs are supported by which switches is that you can stop a broadcast from being sent over links that are not connected to switches with the specified VLANs (access) or that do not connect such switches (trunk). When a frame is sent from one switch to another, it often does not need to be broadcast over all links in the network. Instead, the frame is broadcast only over those links that connect the relevant VLANs (trunks) or over ports that belong to those VLANs. This conserves bandwidth and is known as pruning.
In the picture above, frames from Host A are sent only along the links between Switch 1 and Switch 2, Switch 2 and Switch 4, and then from Switch 4 to Host B. The frame does not need to be sent out of any other port.
Switches can be configured into groups known as VTP domains. Within a domain, switches share information about VLAN changes. VTP is not available on devices from other vendors, as the protocol is proprietary. Updates are sent out every time the VLAN configuration changes on any switch participating in the domain.
To issue a valid VTP update, a switch needs to:
- be a member of a specific domain (name)
- ‘know’ the password for this domain (unauthorized updates will not take effect)
- be in server mode
- carry a VLAN database revision number in its update that is higher than the revision number of any other VLAN database version.
In terms of the VTP domain, switches can be in one of the following modes:
- Server – can update the VLAN database. A switch in VTP server mode without a configured VTP domain name will not be able to update the VLAN database. When a switch is connected to more than one VTP domain, it will latch on to the domain from which it first receives a VTP update. In case there was only one VTP server in a network and it no longer works (malfunction, power outage etc.), the best solution to restore normal operation of the network is to change one of the switches from VTP client mode to server mode.
- Client – cannot update, change, delete or create VLANs, but can receive updates.
- Transparent – ignores VLAN updates altogether and does not update its VLAN database based on received updates. In VTP version 2 a switch in transparent mode forwards updates. In VTP version 1, these updates are not forwarded to other switches that are ‘interested’ in them.
WARNING: Do not connect your lab switch to your production network. The lab switch will most likely have some VTP revision number. If that revision number is higher than the highest one in your VTP domain, it will overwrite the VTP information on all switches in the domain. Because your lab setup is most likely quite different from your production network, this will effectively bring the network down.
To reset the VTP revision number on a specific switch, change the domain name to something else and then change it back.
WARNING 2: Switches are in VTP server mode by default. This means you can make changes to VLAN databases straight away.
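To make the four conditions for a valid update, the three VTP modes and the lab-switch warning concrete, here is an added Python simulation written for this page (it is not Cisco's code and VtpSwitch, lab_switch_incident and the switch names are constructed). The password check is simplified to a string comparison; real VTP carries an MD5 digest computed over the advertisement rather than the password itself.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class VtpSwitch:
    mode: str = "server"            # factory default is server (WARNING 2)
    domain: Optional[str] = None    # no domain name configured yet
    password: Optional[str] = None  # simplified: real VTP sends an MD5 digest
    version: int = 2
    revision: int = 0               # configuration revision number
    vlans: set = field(default_factory=lambda: {1})  # VLAN 1 always exists

    def set_domain(self, name: str) -> None:
        # Changing the domain name zeroes the revision number (the reset trick).
        if name != self.domain:
            self.revision = 0
        self.domain = name

    def advertise(self) -> Optional[dict]:
        # A valid update requires server mode and a configured domain name.
        if self.mode != "server" or self.domain is None:
            return None
        return {"domain": self.domain, "password": self.password,
                "revision": self.revision, "vlans": set(self.vlans)}

    def receive(self, adv: dict) -> str:
        # Applied only if domain and password match and the revision is higher.
        if self.mode == "transparent":        # never applied; version 2 relays it
            return "forwarded" if self.version == 2 else "dropped"
        if self.domain is None:               # latch on to the first domain heard
            self.domain = adv["domain"]
        if adv["domain"] != self.domain or adv["password"] != self.password:
            return "rejected"
        if adv["revision"] <= self.revision:
            return "ignored"
        self.vlans, self.revision = set(adv["vlans"]), adv["revision"]
        return "applied"


def lab_switch_incident() -> dict:
    # Constructed scenario from the WARNING above, before and after the reset.
    def access_switch():
        return VtpSwitch(mode="client", domain="CORP", password="pw",
                         revision=5, vlans={1, 10, 20})
    lab = VtpSwitch(domain="CORP", password="pw", revision=37, vlans={1, 100})
    victim = access_switch()
    hit = victim.receive(lab.advertise())               # 37 > 5: VLANs 10 and 20 vanish
    lab.set_domain("SCRATCH"); lab.set_domain("CORP")   # reset the lab switch's revision
    safe = access_switch().receive(lab.advertise())     # 0 <= 5: update ignored
    return {"before": hit, "vlans": victim.vlans, "after": safe, "lab_rev": lab.revision}
```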
Two adjacent switches can negotiate the roles of their ports, either access or trunk. To accomplish that they use DTP (Dynamic Trunking Protocol). Switches on both ends of the link need to belong to the same VTP domain, and the password must match on both ends of the link.
Switches can be set to a variety of modes in terms of trunk link negotiation:
- Dynamic Auto (auto) – passively waits for the other side and is willing to switch to trunk mode. This mode is the default setting. Do not use this mode on both ends, because the trunk link will never be negotiated.
- Dynamic Desirable (desirable) – a port in this mode will actively attempt to negotiate a trunk link. The other side has to agree. An On or Desirable setting on the other side will allow a trunk link to be negotiated.
- Trunk (on) – manually sets the port mode to trunk, regardless of the neighbour’s agreement.
- Access (off) – manually sets the port mode to access, regardless of the neighbour’s agreement.
- — (nonegotiate) – manually switches off negotiation of a trunk link. Used when a switch is connected to a device that doesn’t ‘understand’ DTP, where DTP could cause problems for that device.