VLANs Comprehensive Notes

VLANs

VLAN Features & Benefits

  • LAN (Local Area Network): All components are physically connected.

  • Virtual LAN (VLAN):

    • Logical connections between devices, forming a "virtual" network regardless of location.

    • Logical partition of an L2 network.

    • A broadcast domain spanning multiple physical LANs.

  • VLAN Features and Benefits:

    • Segmentation of devices on the same switch.

    • Better network organization based on requirements and resources (e.g., faculty vs. students).

    • Isolation of broadcast, multicast, and unicast traffic in individual VLANs, even on the same switch.

    • Dedicated IP address range for each VLAN.

    • Smaller broadcast domains leading to better performance and less wasted bandwidth (BW).

    • Enhanced security: communication restricted to devices within the same VLAN.

    • Cost reduction by supporting multiple VLANs per switch port.

VLAN Types

  • Default VLAN:

    • VLAN 1 is the default VLAN.

    • Serves as the default Native VLAN, default Management VLAN, and default Data VLAN.

    • Cannot be deleted or renamed.

    • All switch ports are on VLAN 1 unless configured otherwise.

  • Data VLAN: Carries user-generated traffic (e.g., web traffic).

  • Native VLAN:

    • Used for trunk links only.

    • On an 802.1Q trunk link, all frames are tagged except those belonging to the native VLAN.

    • Untagged traffic (e.g., STP traffic) is placed into the native VLAN.

  • Management VLANs:

    • Used for carrying management traffic (e.g., SSH, Telnet, HTTPS, or SNMP).

    • Should be isolated from end-user traffic.

    • Typically, this is the VLAN on which the SVI (Switched Virtual Interface) of the L2 switch is configured.

  • Voice VLAN:

    • Guaranteed bandwidth and high QoS priority.

    • Requires latency of less than 150ms.

    • Presents a security risk if not properly configured.

VLAN Ranges (Cisco-Specific)

  • Catalyst Switches 2960 and 3650:

    • Support up to approximately 4K VLANs.

    • The 12-bit Dot1Q VLAN ID field gives 2^{12} = 4096 as the upper boundary for available VLANs.

  • Normal Range VLAN: 1 – 1005

    • Used in SMEs (Small and Medium Enterprises).

    • Are in Running-Config (i.e., NVRAM).

    • 1, 1002–1005 are auto-created and cannot be deleted.

    • Supports fewer VLAN features.

    • Stored in the vlan.dat file in flash memory.

  • Extended Range VLAN: 1006 – 4095

    • Used by ISPs (Internet Service Providers).

    • 1002–1005 are reserved for legacy VLANs.

    • Requires the switch to be configured in VTP (VLAN Trunking Protocol) transparent mode to support extended-range VLANs.

    • VTP can synchronize VLAN information between switches.

VLAN Trunks (#1)

  • Cisco Trunk: A point-to-point link between two network devices, which:

    • Allows more than one VLAN per link.

    • Extends the VLAN across the entire network.

    • Supports all VLANs and IEEE 802.1Q trunking.

  • In a multi-switch environment, intra-VLAN communication requires a trunking protocol (e.g., 802.1Q).

  • Inter-VLAN communication requires an L3 device.

  • 802.1Q Tag Field: Specifies the format and purpose of the VLAN tag.

    • Type:

      • 2-Byte hex field; 0x8100 indicates this is an IEEE 802.1q tagged frame.

      • Referred to as Tag Protocol ID (TPID).

    • User Priority: 3-bit value that supports IEEE 802.1p class of service (maps to frame priority level).

    • Canonical Format Identifier (CFI): 1-bit value supporting token ring frames on Ethernet.

    • VLAN ID (VID): 12-bit VLAN identifier supporting up to 4096 VLANs.

  • 802.1Q identifies the VLAN by inserting a 4-byte tag header into the Ethernet frame.

    • The FCS (Frame Check Sequence) must therefore be recalculated.

    • The end device removes the tag, and the FCS is recalculated back to the original value.
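An added Python example (not from the notes) that builds an Ethernet frame, inserts the 4-byte 802.1Q tag after the source MAC, and shows why the FCS must be recalculated on tagging and again on stripping. MAC addresses and payload are constructed for the example, and the FCS is modelled as CRC-32 as on real Ethernet.

```python
import struct
import zlib
from typing import Optional

TPID_8021Q = 0x8100  # Tag Protocol ID (TPID) that marks an IEEE 802.1Q tagged frame


def fcs(frame_body: bytes) -> int:
    """Ethernet FCS: CRC-32 over everything from the destination MAC to the end of the payload."""
    return zlib.crc32(frame_body) & 0xFFFFFFFF


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    """Untagged frame: dst MAC, src MAC, EtherType, payload, then the 4-byte FCS."""
    body = dst + src + struct.pack("!H", ethertype) + payload
    return body + struct.pack("<I", fcs(body))   # FCS is sent least-significant byte first


def insert_tag(frame: bytes, vid: int, pcp: int = 0, cfi: int = 0) -> bytes:
    """Insert TPID + TCI (PCP 3 bits, CFI 1 bit, VID 12 bits) after the source MAC.
    The old FCS no longer matches the frame, so it is dropped and recalculated."""
    if not 0 <= vid <= 4095:
        raise ValueError("VID is a 12-bit field")
    tci = (pcp & 0x7) << 13 | (cfi & 0x1) << 12 | vid
    body = frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:-4]
    return body + struct.pack("<I", fcs(body))


def parse_tag(frame: bytes) -> Optional[dict]:
    """Return the tag fields if the EtherType position holds 0x8100, else None."""
    tpid, tci = struct.unpack("!HH", frame[12:16])
    if tpid != TPID_8021Q:
        return None
    return {"pcp": tci >> 13, "cfi": (tci >> 12) & 1, "vid": tci & 0x0FFF}


def strip_tag(frame: bytes) -> bytes:
    """Remove the 4-byte tag and recalculate the FCS; the original frame comes back."""
    if parse_tag(frame) is None:
        return frame
    body = frame[:12] + frame[16:-4]
    return body + struct.pack("<I", fcs(body))


def fcs_ok(frame: bytes) -> bool:
    """True when the trailing FCS matches the frame contents."""
    return struct.unpack("<I", frame[-4:])[0] == fcs(frame[:-4])
```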

VLAN Trunks (#2)

  • Native VLANs and 802.1Q trunk basics:

    • All VLANs are tagged, except the native VLAN.

    • Native VLAN is for legacy use (e.g., a hub or for management frames between switches).

      • Untagged traffic is assigned to the native VLAN.

      • Tagged traffic whose VLAN ID matches the native VLAN is dropped!

    • VLAN 1 is the native VLAN unless changed.

    • Both ends of the trunk link must be configured with the same native VLAN.

    • It is possible to have different native VLANs on separate trunks, each configured separately.

  • Voice VLAN Tagging:

    • A VoIP phone acts as a 3-port switch.

    • The access port uses two VLANs (voice and data).

    • The switch uses CDP (Cisco Discovery Protocol) to inform the phone about the Voice VLAN.

    • The phone will tag its traffic and can set the Class of Service (CoS).

      • CoS is L2 QoS (Quality of Service).

    • The phone may or may not tag frames from the PC with a CoS value.

  • Poor network design can result from improper VLAN trunk configuration.

Dynamic Trunking Protocol (DTP)

  • DTP (Cisco proprietary) allows L2-level management of trunk negotiation between two VLAN-aware switches, including trunking encapsulation type.

    • DTP manages trunk port establishment, while VTP shares VLAN information across several switches.

    • DTP is automatically enabled on Catalyst 2960 & 3650 series switches (default mode: dynamic auto).

  • DTP Trunking Modes:

    • switchport mode access: Interface becomes (and negotiates for) a non-trunk interface.

    • switchport mode dynamic auto: Interface becomes a trunk if the neighboring interface is set to trunk or desirable mode.

    • switchport mode dynamic desirable: Interface becomes a trunk if the neighboring interface is set to trunk, desirable, or dynamic auto mode.

    • switchport mode trunk: Interface becomes a trunk even if the neighboring interface is not a trunk interface.

    • switchport nonegotiate: Prevents the interface from generating DTP frames.

VLAN Trunking Protocol (VTP) (#1)

  • VTP (Cisco proprietary) allows managing VLANs on a switch configured as a VTP server.

  • VTP Server: Distributes and syncs VLAN information over trunked links (e.g., via IEEE 802.1q) to VTP-enabled switches across the network.

VLAN Trunking Protocol (VTP) (#2)

  • VTP modes compared (definition; whether the mode responds to VTP advertisements; whether the global VLAN configuration is preserved on restart; whether it updates other VTP-enabled switches):

  • VTP Server:

    • Definition: VTP servers advertise the VTP domain VLAN information to other VTP-enabled switches in the same VTP domain.

      • VTP servers store the VLAN information for the entire domain in NVRAM.

      • Switches configured in VTP server mode are allowed to create, delete, or rename VLANs for the domain.

    • Responds to VTP advertisements? Participates fully.

    • Global VLAN configuration preserved on restart? Yes, global configurations are stored in NVRAM.

    • Updates other VTP-enabled switches? Yes.

  • VTP Client:

    • Definition: VTP clients function the same way as VTP servers, but you cannot create, change, or delete VLANs on a VTP client.

      • A VTP client only stores the VLAN information for the entire domain while the switch is on.

      • A switch reset deletes the VLAN information.

      • You must configure VTP client mode on a switch.

    • Responds to VTP advertisements? Participates fully.

    • Global VLAN configuration preserved on restart? No, global configurations are stored in RAM only.

    • Updates other VTP-enabled switches? Yes.

  • VTP Transparent:

    • Definition: Transparent switches do not participate in VTP except to forward VTP advertisements to VTP clients and VTP servers.

      • VLANs that are created, renamed, or deleted on transparent switches are local to that switch only.

      • To create an extended VLAN, a switch must be configured as a VTP transparent switch when using VTP versions 1 or 2.

    • Responds to VTP advertisements? Only forwards VTP advertisements.

    • Global VLAN configuration preserved on restart? No, local VLAN configuration is only stored in NVRAM.

    • Updates other VTP-enabled switches? No.

  • VTP Server: Manages domain and VLAN configuration. Multiple VTP servers can be configured.

  • VTP Client: Updates local VTP configurations. VTP client switches cannot change VLAN configurations.

  • VTP Transparent: Manages local VLAN configurations. VLAN configurations are not shared with the VTP network.

VLAN Trunking Protocol (VTP) (#3)

  • VTP Advertisements:

    • Summary Advertisements: Contains the VTP domain name and configuration revision number.

    • Advertisement Request: Response to a summary advertisement message when the summary advertisement contains a higher configuration revision number than the current value.

    • Subset Advertisements: Contains VLAN information, including any changes.

  • VTP Versions:

    • VTP v1: Default VTP version on all switches; supports normal range VLANs only.

    • VTP v2: Supports normal range VLANs only; supports legacy token ring networks; supports advanced features such as Type-Length-Value (TLV), version-dependent transparent mode, and consistency checks.

    • VTP v3: Support for the entire IEEE 802.1q VLAN range (up to 4095) and Private VLANs (PVLAN) structures (out of CCNAv6 & DAT300 scope).

VLAN Configuration

  • VLAN details are stored in the vlan.dat file.

  • VLANs are created in the global configuration mode.

  • VLAN Creation Commands:

    • Enter global configuration mode: Switch# configure terminal

    • Create a VLAN with a valid ID number: Switch(config)# vlan vlan-id

    • Specify a unique name to identify the VLAN: Switch(config-vlan)# name vlan-name

    • Return to the privileged EXEC mode: Switch(config-vlan)# end

VLAN Creation Example

  • To place a Student PC in VLAN 20, create the VLAN and then name it.

  • If the VLAN is not named, the Cisco IOS will assign a default name: vlan followed by the four-digit number of the VLAN (e.g., vlan0020 for VLAN 20).

  • Example:

    • S1# configure terminal

    • S1(config)# vlan 20

    • S1(config-vlan)# name student

    • S1(config-vlan)# end

VLAN Port Assignment Commands

  • Once the VLAN is created, assign it to the correct interfaces.

  • Commands:

    • Enter global configuration mode: Switch# configure terminal

    • Enter interface configuration mode: Switch(config)# interface interface-id

    • Set the port to access mode: Switch(config-if)# switchport mode access

    • Assign the port to a VLAN: Switch(config-if)# switchport access vlan vlan-id

    • Return to the privileged EXEC mode: Switch(config-if)# end

VLAN Port Assignment Example

  • Assign the VLAN to the port interface.

  • Once the device is assigned to the VLAN, the end device will need the IP address information for that VLAN.

  • Example: Student PC receives 172.17.20.22

    • S1# configure terminal

    • S1(config)# interface fa0/18

    • S1(config-if)# switchport mode access

    • S1(config-if)# switchport access vlan 20

    • S1(config-if)# end

Data and Voice VLANs

  • An access port may only be assigned to one data VLAN.

  • However, it may also be assigned to one Voice VLAN for when a phone and an end device are on the same switchport.

Data and Voice VLAN Example

  • Create and name both Voice and Data VLANs.

  • In addition to assigning the data VLAN, also assign the Voice VLAN and turn on QoS for the voice traffic to the interface.

  • Newer Catalyst switches will automatically create the VLAN if it does not already exist when it is assigned to an interface.

  • NOTE: QoS is beyond the scope here. Example command: mls qos trust [cos | device cisco-phone | dscp | ip-precedence]

Verify VLAN Information

  • Use the show vlan command.

  • Complete Syntax: show vlan [brief | id vlan-id | name vlan-name | summary]

  • Options:

    • brief: Display VLAN name, status, and its ports one VLAN per line.

    • id vlan-id: Display information about the identified VLAN ID number.

    • name vlan-name: Display information about the identified VLAN name. vlan-name is an ASCII string from 1 to 32 characters.

    • summary: Display VLAN summary information.

Change VLAN Port Membership

  • Ways to change VLAN membership:

    • Re-enter the switchport access vlan vlan-id command.

    • Use the no switchport access vlan command to place the interface back in VLAN 1.

  • Use the show vlan brief or the show interface fa0/18 switchport commands to verify the correct VLAN association.

Delete VLANs

  • Delete VLANs with the no vlan vlan-id command.

    • Caution: Before deleting a VLAN, reassign all member ports to a different VLAN.

  • Delete all VLANs with the delete flash:vlan.dat or delete vlan.dat commands.

  • Reload the switch when deleting all VLANs.

  • NOTE: To restore to factory default – unplug all data cables, erase the startup-configuration and delete the vlan.dat file, then reload the device.

Trunk Configuration

  • Configure and verify VLAN trunks.

  • Trunks are layer 2 and carry traffic for all VLANs.

  • Trunk Configuration Commands:

    • Enter global configuration mode: Switch# configure terminal

    • Enter interface configuration mode: Switch(config)# interface interface-id

    • Set the port to permanent trunking mode: Switch(config-if)# switchport mode trunk

    • Sets the native VLAN to something other than VLAN 1: Switch(config-if)# switchport trunk native vlan vlan-id

    • Specify the list of VLANs to be allowed on the trunk link: Switch(config-if)# switchport trunk allowed vlan vlan-list

    • Return to the privileged EXEC mode: Switch(config-if)# end

Trunk Configuration Example

  • Example Subnets:

    • VLAN 10 - Faculty/Staff - 172.17.10.0/24

    • VLAN 20 - Students - 172.17.20.0/24

    • VLAN 30 - Guests - 172.17.30.0/24

    • VLAN 99 - Native - 172.17.99.0/24

  • F0/1 port on S1 is configured as a trunk port.

  • NOTE: This assumes a 2960 switch using 802.1q tagging. Layer 3 switches require the encapsulation to be configured before the trunk mode.

  • Example:

    • S1(config)# interface fa0/1

    • S1(config-if)# switchport mode trunk

    • S1(config-if)# switchport trunk native vlan 99

    • S1(config-if)# switchport trunk allowed vlan 10,20,30,99

    • S1(config-if)# end

Verify Trunk Configuration

  • Set the trunk mode and native VLAN.

  • Using the sh int fa0/1 switchport command:

    • The port is set to trunk administratively.

    • The port is set as trunk operationally (functioning).

    • Encapsulation is dot1q.

    • Native VLAN is set to VLAN 99.

    • All VLANs created on the switch will pass traffic on this trunk.

Reset the Trunk to the Default State

  • Reset the trunk to its default settings with the no form of the trunk commands.

  • All VLANs are allowed to pass traffic.

  • Native VLAN = VLAN 1.

  • Verify the default settings with the sh int fa0/1 switchport command.

Reset the Trunk to the Default State (Cont.)

  • Reset the trunk to an access mode with the switchport mode access command:

    • The interface is set to an access interface administratively.

    • The interface is set as an access interface operationally (functioning).

Dynamic Trunking Protocol

  • The default DTP configuration is dependent on the Cisco IOS version and platform.

    • Use the show dtp interface command to determine the current DTP mode.

    • Best practice recommends that the interfaces be set to access or trunk and to turn off DTP.
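An added Python check (not part of the notes or of any Cisco tool) that applies the best practice above to a constructed running-config excerpt: it parses the interface stanzas and flags ports left in a DTP-negotiable state, access or trunk ports that still generate DTP frames, and trunks whose native VLAN is still the default VLAN 1. The configuration text and interface names are constructed for the example.

```python
# Constructed sample running-config (not from a real device), one stanza per port.
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 switchport mode trunk
 switchport trunk native vlan 99
 switchport nonegotiate
interface FastEthernet0/2
 switchport mode trunk
interface FastEthernet0/3
 switchport mode dynamic desirable
interface FastEthernet0/18
 switchport mode access
 switchport access vlan 20
interface FastEthernet0/19
"""

def parse_interfaces(config):
    """Map each interface name to the indented lines of its stanza."""
    stanzas, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            stanzas[current] = []
        elif current is not None and line.startswith(" "):
            stanzas[current].append(line.strip())
        else:
            current = None  # "!" or any other top-level line closes the stanza
    return stanzas

def audit_dtp(config):
    """Findings per interface: static access/trunk, DTP off, native VLAN moved off 1."""
    findings = {}
    for name, lines in parse_interfaces(config).items():
        mode = next((l.split()[2] for l in lines if l.startswith("switchport mode ")), None)
        issues = []
        if mode is None:
            issues.append("no switchport mode: DTP default (dynamic auto) applies")
        elif mode == "dynamic":
            issues.append("dynamic mode: a neighbor can negotiate this port into a trunk")
        elif "switchport nonegotiate" not in lines:
            issues.append("DTP frames still generated: add switchport nonegotiate")
        if mode == "trunk" and not any(l.startswith("switchport trunk native vlan ") for l in lines):
            issues.append("native VLAN left at default VLAN 1")
        if issues:
            findings[name] = issues
    return findings

if __name__ == "__main__":
    print(audit_dtp(SAMPLE_CONFIG))
```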