JB

VLANs, Switching, ARP & Lab Implementation

Course Administration & Student Success

  • Semester week 6; second assessment approaching.

  • Lecturers can view Panopto analytics ➔ low engagement is visible.

  • Risk when students fall behind: temptation to misuse AI for assignments.

  • Recommended actions:

    • Watch/attend lectures, attempt pracs early.

    • Reach out for help: lecturer will always respond.

    • University support services: disability, time-management, back-injury exam adjustments, etc.

  • Final exam (this course): open-book.

    • Extra-time & other accommodations available for learning/health issues; request early.

Local Area Networks (LANs) vs. Virtual LANs (VLANs)

  • Early LANs = one physical segment (e.g. thick/thin coax) per IP subnet.

    • Needed a separate router interface for every segment.

    • Physical constraints: hosts in different buildings could not easily share a subnet.

    • Large broadcast domains or duplicated security/firewall rules.

  • VLAN idea: “logical/virtual” LAN over common physical plant.

    • Allows hosts in different buildings, but in the same IP subnet, to share one broadcast domain.

    • Security zones can be carved without extra cabling/hardware.

  • Benefits:

    • Scalability (4096 VLAN IDs by standard).

    • Traffic isolation; reduced broadcast scope.

    • Easier security policy (place finance PCs in a single VLAN regardless of location).

Trunk Ports & 802.1Q Tagging

  • Access port = carries ONE VLAN → frames untagged.

  • Trunk port = carries MULTIPLE VLANs → frames tagged with 802.1Q header.

    • Tag fields: 12-bit VLAN ID (0-4095) + priority bits (QoS) + CFI.

    • Cisco legacy protocol ISL exists but 802.1Q is now universal.

  • A trunk may optionally leave one “native” VLAN untagged (commonly VLAN 1).

  • Only links transporting ≥2 VLANs need tags; end-host links don’t.

  • Servers/phones can run VLAN-aware NICs (receive/send tagged frames) → e.g. IP phone trunk carrying voice-VLAN + data-VLAN; phone internally contains a 2-port switch.
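As an added illustration (not code from the lecture or the lab), the Python below builds and parses the 802.1Q tag on a raw Ethernet frame: the TPID 0x8100 announces the tag, followed by 3 priority bits, the CFI/DEI bit and the 12-bit VID, which together add 4 bytes between the source MAC and the EtherType. The MACs and frame contents are constructed sample values.

```python
"""Build and parse the 802.1Q tag in a raw Ethernet frame.
Added example; the MACs and payloads used here are constructed."""
import struct

ETH_P_8021Q = 0x8100   # TPID: "a VLAN tag follows"
ETH_P_ARP = 0x0806
ETH_P_IPV4 = 0x0800


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_frame(frame: bytes) -> dict:
    """Return dst, src, tag fields (if tagged), EtherType and payload."""
    if len(frame) < 14:
        raise ValueError("runt frame: shorter than an Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    info = {"dst": mac_str(dst), "src": mac_str(src), "tagged": False}
    offset = 14
    if ethertype == ETH_P_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        info.update(tagged=True,
                    pcp=tci >> 13,          # 3 priority bits (QoS)
                    dei=(tci >> 12) & 1,    # CFI / drop-eligible bit
                    vid=tci & 0x0FFF)       # 12-bit VLAN ID
        offset = 18
    info["ethertype"] = ethertype
    info["payload"] = frame[offset:]
    return info


def build_frame(dst: str, src: str, ethertype: int, payload: bytes,
                vid=None, pcp: int = 0) -> bytes:
    """Untagged frame, or a tagged one when a VID is given (4 extra bytes)."""
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    if vid is not None:
        if not 1 <= vid <= 4094:
            raise ValueError("VID 0 and 4095 are reserved")
        tci = (pcp << 13) | (vid & 0x0FFF)
        hdr += struct.pack("!HH", ETH_P_8021Q, tci)
    return hdr + struct.pack("!H", ethertype) + payload


if __name__ == "__main__":
    # Constructed sample: an ARP carried in VLAN 20 with priority 5.
    f = build_frame("ff:ff:ff:ff:ff:ff", "02:00:00:00:00:20", ETH_P_ARP,
                    b"\x00" * 28, vid=20, pcp=5)
    print(parse_frame(f))
```

Running `parse_frame` over a capture's raw bytes gives the same VID/PCP/CFI breakdown that Wireshark shows under the "802.1Q Virtual LAN" line; the 4-byte size difference between the untagged and tagged forms is what the numerical references at the end of these notes refer to.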

Router-on-a-Stick (single-interface inter-VLAN routing)

  • Common campus pattern:

    • One physical Ethernet between L3 router & switch.

    • Sub-interfaces: Ether2.20, Ether2.30, Ether2.40 each with VLAN tag.

    • Hosts in different VLANs reach each other by:

    1. Frame exits access port untagged.

    2. Switch tags across trunk to router.

    3. Router routes (L3) and re-tags for destination VLAN.

    4. Switch strips tag on destination access port.

  • Traffic path looks like “trombone”: out and back the same wire.

  • Alternative: Multilayer switch (MLS) where routing process lives inside switch (virtual interfaces “SVIs”).

ARP (Address Resolution Protocol)

  • Purpose: map IPv4 IP -> MAC for local-subnet delivery.

  • Workflow (DR-OA):

    1. Discover – broadcast “Who has 192.168.20.28?”

    2. Offer – target replies with unicast MAC.

    3. Request – host might re-ask if race.

    4. Acknowledge – reply cached.

  • Table entries age out (timer) to save CAM memory & allow host moves.

  • Routers also maintain ARP tables for each directly-connected network (first-hop resolution).

  • If destination is remote subnet, host ARPs for gateway’s MAC.

  • Gratuitous ARP: host announces “I am 192.168.40.49” to detect duplicate IPs.

  • IPv6 analogy: Neighbor Discovery (ICMPv6) replaces ARP; uses multicast – no broadcasts.
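An added example (not part of the lecture): Python that builds and parses the 28-byte ARP body with the zero padding up to Ethernet's 46-byte minimum payload, decides whether a host resolves the destination itself or its gateway, ages cache entries out, and recognises a gratuitous ARP and a conflicting claim on the host's own IP. The IP addresses, MACs and the cache timeout are constructed values.

```python
"""ARP on the wire plus the host-side resolution decisions.
Added example; addresses, MACs and timeouts are constructed."""
import ipaddress
import struct

HW_ETHERNET, PROTO_IPV4 = 1, 0x0800
OP_REQUEST, OP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"


def _mac(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))


def _mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def build_arp(op: int, sender_mac: str, sender_ip: str,
              target_mac: str, target_ip: str) -> bytes:
    """28-byte ARP body, zero-padded to the 46-byte Ethernet minimum payload."""
    body = struct.pack("!HHBBH", HW_ETHERNET, PROTO_IPV4, 6, 4, op)
    body += _mac(sender_mac) + ipaddress.IPv4Address(sender_ip).packed
    body += _mac(target_mac) + ipaddress.IPv4Address(target_ip).packed
    return body.ljust(46, b"\x00")


def parse_arp(body: bytes) -> dict:
    hw, proto, hlen, plen, op = struct.unpack("!HHBBH", body[:8])
    if (hw, proto, hlen, plen) != (HW_ETHERNET, PROTO_IPV4, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    smac, sip, tmac, tip = struct.unpack("!6s4s6s4s", body[8:28])
    return {"op": op,
            "sender_mac": _mac_str(smac), "sender_ip": str(ipaddress.IPv4Address(sip)),
            "target_mac": _mac_str(tmac), "target_ip": str(ipaddress.IPv4Address(tip))}


def next_hop(src_ip: str, prefixlen: int, gateway: str, dst_ip: str) -> str:
    """Local subnet: ARP for the destination itself; remote: ARP for the gateway."""
    net = ipaddress.IPv4Network(f"{src_ip}/{prefixlen}", strict=False)
    return dst_ip if ipaddress.IPv4Address(dst_ip) in net else gateway


class ArpCache:
    """IP -> (MAC, learned_at); entries expire so moved hosts are re-resolved."""

    def __init__(self, timeout: float = 60.0):
        self.timeout = timeout
        self.table = {}

    def learn(self, ip: str, mac: str, now: float) -> None:
        self.table[ip] = (mac, now)

    def lookup(self, ip: str, now: float):
        entry = self.table.get(ip)
        if entry is None or now - entry[1] > self.timeout:
            self.table.pop(ip, None)     # aged out: caller must ARP again
            return None
        return entry[0]


def is_gratuitous(arp: dict) -> bool:
    """Sender announces its own address: sender IP equals target IP."""
    return arp["sender_ip"] == arp["target_ip"]


def duplicate_detected(own_ip: str, own_mac: str, arp: dict) -> bool:
    """Another MAC claims our IP (reply or gratuitous ARP from someone else)."""
    return arp["sender_ip"] == own_ip and arp["sender_mac"].lower() != own_mac.lower()
```

The `next_hop` decision is the one the lab hosts make silently: a VPCS configured without a gateway can still resolve and ping neighbours in its own VLAN, but has nothing to ARP for when the destination is in another subnet.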

Switch Forwarding Database (FDB / CAM)

  • Learned per-VLAN via source MACs.

  • Entry: {MAC, VLAN, Port, Age}.

  • If unknown destination ➔ flood out all ports in same VLAN (except ingress).

  • Entries age out; enables physical move/port change.
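The access/trunk tagging rules, the router-on-a-stick "trombone" path and the per-VLAN forwarding database described above can be tied together in one small model. The Python below is an added example, not the lab switch's or any vendor's code: it learns source MACs per VLAN, floods unknown destinations only within the VLAN, strips or adds the tag depending on the egress port, ages entries out, and shows that a VLAN left off the trunk (40 here) is fully isolated. Port numbers and MACs are constructed.

```python
"""Model of a VLAN-aware switch: per-VLAN MAC learning, flooding of unknown
destinations, tag handling on access vs. trunk ports, and FDB aging.
Added example; port numbers and MACs are constructed."""
from dataclasses import dataclass, replace
from typing import Optional

BROADCAST = "ff:ff:ff:ff:ff:ff"
ROUTER = "02:00:00:00:00:01"   # constructed: router-on-a-stick (all sub-interfaces)
HOST_A = "02:00:00:00:00:20"   # constructed: host in VLAN 20
HOST_B = "02:00:00:00:00:30"   # constructed: host in VLAN 30


@dataclass(frozen=True)
class Frame:
    src: str
    dst: str
    vid: Optional[int] = None    # 802.1Q VID on the wire; None = untagged
    payload: str = ""


@dataclass
class Port:
    mode: str                     # "access" or "trunk"
    vlans: frozenset              # access: its one VLAN; trunk: allowed VLANs
    native: Optional[int] = None  # trunk only: VLAN carried untagged


class Switch:
    def __init__(self, aging_seconds: float = 300.0):
        self.ports: dict[int, Port] = {}
        self.fdb: dict[tuple[str, int], tuple[int, float]] = {}  # (mac, vid) -> (port, seen)
        self.aging = aging_seconds

    def add_access_port(self, port: int, vid: int) -> None:
        self.ports[port] = Port("access", frozenset({vid}))

    def add_trunk_port(self, port: int, vlans, native: int = 1) -> None:
        self.ports[port] = Port("trunk", frozenset(vlans) | {native}, native)

    def _ingress_vid(self, port: int, frame: Frame) -> Optional[int]:
        """VLAN an ingress frame belongs to, or None if it must be dropped."""
        p = self.ports[port]
        if p.mode == "access":            # hosts send untagged; tagged frames dropped
            return next(iter(p.vlans)) if frame.vid is None else None
        vid = p.native if frame.vid is None else frame.vid
        return vid if vid in p.vlans else None

    def _egress(self, port: int, vid: int, frame: Frame) -> Optional[Frame]:
        """Frame as transmitted out `port`, or None if the VLAN is not on it."""
        p = self.ports[port]
        if vid not in p.vlans:
            return None
        untagged = p.mode == "access" or vid == p.native
        return replace(frame, vid=None if untagged else vid)

    def expire(self, now: float) -> None:
        """Age out stale entries so a host can move ports without a stale FDB."""
        for key in [k for k, (_, seen) in self.fdb.items() if now - seen > self.aging]:
            del self.fdb[key]

    def receive(self, port: int, frame: Frame, now: float = 0.0) -> list:
        """Handle one ingress frame; return [(egress port, frame as transmitted)]."""
        self.expire(now)
        vid = self._ingress_vid(port, frame)
        if vid is None:
            return []
        self.fdb[(frame.src, vid)] = (port, now)        # learn source per VLAN
        entry = self.fdb.get((frame.dst, vid))
        if frame.dst != BROADCAST and entry is not None:
            if entry[0] == port:                        # destination behind ingress port
                return []
            candidates = [entry[0]]
        else:                                           # unknown unicast / broadcast: flood
            candidates = [p for p in self.ports if p != port]
        out = []
        for p in candidates:
            f = self._egress(p, vid, frame)
            if f is not None:
                out.append((p, f))
        return out


def build_lab_switch() -> Switch:
    """Ports 1/3 access VLAN 20, 2 access VLAN 30, 4 access VLAN 40 (left off the
    trunk, hence isolated), 10 = trunk to the router carrying 1 (native), 20, 30."""
    sw = Switch()
    sw.add_access_port(1, 20)
    sw.add_access_port(2, 30)
    sw.add_access_port(3, 20)
    sw.add_access_port(4, 40)
    sw.add_trunk_port(10, {20, 30}, native=1)
    return sw


def trombone_demo() -> list:
    """Inter-VLAN ping via router-on-a-stick: the same payload crosses the trunk twice."""
    sw = build_lab_switch()
    return [
        sw.receive(1, Frame(HOST_A, ROUTER, payload="echo"), now=0),       # unknown dst: flood
        sw.receive(10, Frame(ROUTER, HOST_B, vid=30, payload="echo"), now=1),
        sw.receive(2, Frame(HOST_B, ROUTER, payload="reply"), now=2),      # learned: unicast
        sw.receive(10, Frame(ROUTER, HOST_A, vid=20, payload="reply"), now=3),
    ]
```

The first step of `trombone_demo` floods the gateway lookup to every VLAN 20 port (tagged 20 on the trunk, untagged on the other access port) but never to the VLAN 30 port, which is the isolation the capture exercises are meant to show; once both sides have been learned, the reply is unicast, and after the aging timer expires the switch floods again.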

Spanning Tree & Discovery Protocols (Layer 2 background traffic)

  • STP (IEEE 802.1D) prevents loops → periodic BPDUs.

  • LLDP (802.1AB) vendor-neutral neighbor discovery; Cisco CDP, MikroTik MNDP, Extreme EDP also seen.

  • Capture shows packets on well-known ports (e.g. LLDP 0x88cc, MNDP UDP/5678).

Lab Topology (GNS3 – ‘LANLab2025’)

  • Devices:

    • Extreme XOS multilayer switch (12 ports).

    • Two generic L2 switches.

    • MikroTik Router (Ether2 trunk).

    • Nine VPCS hosts (Blue = VLAN 20, Green = 30, Red = 40).

  • Trunk links (purple) carry VLANs 1, 20, 30 (+ later 40).

  • Router acts as DHCP server for VLAN 20 & 30.

  • Each VPCS: default gateway = .1 of its subnet.

Packet-Capture Exercises

  1. Capture access-link → demonstrate ARP requests/replies.

  2. Capture trunk between switches → show 802.1Q tag (ID 20 vs 30).

  3. Ping across VLANs ➔ observe same ICMP echo crossing link twice with different tags & TTL-1.

  4. Attempt to see flooding when MAC unknown (hard due to background DHCP/STP traffic).

Adding a New VLAN (40) – Step-by-Step

  1. Create VLAN on XOS:

       create vlan VLAN40 tag 40

  2. Tag trunk ports to router & downstream switch:

       configure vlan VLAN40 add ports 10,11 tagged

  3. Router sub-interface (MikroTik):

       /interface vlan add interface=ether2 name=vlan40 vlan-id=40
       /ip address add address=192.168.40.1/24 interface=vlan40

  4. Static host IPs (VPCS):

       ip 192.168.40.49 255.255.255.0 192.168.40.1

    • Gratuitous ARP checks for duplicates.

  5. Verify:

    • Hosts in VLAN 40 can now ping gateway & remote VLANs.

    • If gateway omitted ➔ intra-VLAN pings work, inter-VLAN fail.

Security & Isolation Insights

  • Simply omitting VLAN40 from trunks or omitting router interface isolates it fully (no Internet, no other VLANs).

  • VLANs provide segmentation but not encryption; still share physical medium → sniffing possible per-VLAN.

  • Design principle: only trunk VLANs where needed; minimise broadcast leakage.

Data-Link & Frame Tidbits

  • Ethernet minimum payload >= 46 bytes; small ARP frames padded with zeros.

  • FCS (CRC-32) appended; may be stripped in capture depending on NIC/virtual switch.

Connections to Future Topics

  • Wi-Fi MAC framing even more complex (next week).

  • VLAN, STP, LLDP fundamental for Cisco CCNA/NP studies.

  • Security lecture will expand on VLAN hopping & mitigation.

Practical / Ethical Implications

  • Mis-configured trunks (native VLAN mismatch) can create security holes.

  • Proper ARP timeouts balance mobility vs. flooding overhead.

  • Accessibility & academic integrity policies mirror network best-practice: engage early, monitor, remediate issues pro-actively.

Numerical References & ‘Mini-Formulas’

  • VLAN ID range: 1 <= VID <= 4094 (0 & 4095 reserved).

  • 802.1Q header adds 4 bytes to Ethernet frame.

  • Router-on-a-stick sub-interface addressing: gateway = network address + 1 (.1) or + 254 (.254) are the common conventions.

  • Broadcast MAC: FF:FF:FF:FF:FF:FF; IP broadcast 255.255.255.255.

  • ICMP echo shows TTL_return = TTL_out - 1 after a router hop.