
VLANs

A VLAN is a logical group of network stations and devices.

VLANs can be grouped by job function or department, regardless of the physical location of users. Traffic between VLANs is restricted. Switches and bridges forward unicast, multicast, and broadcast traffic only on LAN segments that serve the VLAN to which the traffic belongs. In other words, at Layer 2 a device on a VLAN communicates only with devices on the same VLAN; routers provide connectivity between different VLANs. VLANs can enhance scalability, security, and network management. Routers in VLAN topologies provide broadcast filtering, security, and traffic flow management.

VLANs logically segment switched networks based on job functions, departments, or project teams, regardless of the physical location of users or physical connections to the network. All workstations and servers used by a particular workgroup share the same VLAN, regardless of the physical connection or location.

Configuration or reconfiguration of VLANs is done through software. Therefore, VLAN configuration does not require network equipment to be physically moved or re-cabled. VLANs logically segment the network into different broadcast domains, so that frames are only switched between ports that are assigned to the same VLAN.

VLAN Operation

A VLAN comprises a switched network that is logically segmented. Each switch port can be assigned to a VLAN. Ports assigned to the same VLAN share broadcasts; ports that do not belong to that VLAN do not receive them. This improves network performance because unnecessary broadcasts are reduced.

The default VLAN for every port in the switch is VLAN 1. VLAN 1 always exists and cannot be deleted, and by default it is also the management VLAN, the VLAN on which the switch's own IP address lives. The management VLAN can be moved to a dedicated VLAN, and it should be: while management stays on VLAN 1, every unconfigured port is a port on the management VLAN. All ports on the switch may be reassigned to other VLANs.

Static membership VLANs are called port-based or port-centric membership VLANs. As a device enters the network, it automatically assumes the VLAN membership of the port to which it is attached. In port-based membership, the port is assigned to a specific VLAN independent of the user or system attached to the port, so all users of the same port are in the same VLAN. A single user, or multiple users, can be attached to a port and never realize that a VLAN exists. This approach is easy to manage because no complex lookup tables are required for VLAN segmentation. It also means the assignment is only as trustworthy as physical control of the port: whatever is plugged in gets the port's VLAN.

Dynamic membership VLANs are created through network management software. Dynamic VLANs allow for membership based on the MAC address of the device connected to the switch port. As a device enters the network, the switch it is connected to queries a database on a VLAN membership policy server (VMPS, in Cisco's terminology) for the VLAN assigned to that MAC address. Because a host can set its own MAC address, this identifies the device as it presents itself, not the user. Network administrators are responsible for configuring VLANs both statically and dynamically.
Benefits of VLANs

VLANs allow network administrators to organize LANs logically instead of physically. This is a key benefit. It allows network administrators to perform several tasks:

- Easily move workstations on the LAN
- Easily add workstations to the LAN
- Easily change the LAN configuration
- Easily control network traffic
- Improve security

VLAN types

Three basic VLAN types are used to determine and control VLAN membership assignment:

- Port-based VLANs
- MAC address based VLANs
- Protocol-based VLANs

Port-based
- Most common configuration method
- Ports assigned individually, in groups, in rows, or across two or more switches
- Simple to use
- Often implemented where Dynamic Host Configuration Protocol (DHCP) is used to assign IP addresses to network hosts

MAC address based
- Rarely implemented today
- Each address must be entered into the switch and configured individually
- Users find it useful because membership follows the device from port to port
- Difficult to administer, troubleshoot, and manage

Protocol-based
- Configured like MAC address based VLANs, but keyed on a logical (IP) address instead
- No longer common because DHCP makes host addresses variable

Frame tagging (IEEE 802.1Q) is used to identify the VLAN a frame belongs to. Frames arriving from an end station on an access port are untagged; the switch knows their VLAN from the port they arrived on. When such a frame must cross a trunk to another switch or a router, the sending switch inserts a 4-byte 802.1Q tag into the Ethernet header, between the source MAC address and the EtherType field. The tag carries a 0x8100 tag protocol identifier, a 3-bit priority field, a 1-bit CFI/drop-eligible bit, and a 12-bit VLAN identifier (VLAN IDs 1 through 4094 are usable). Switches along the path forward the frame based on the VLAN identifier and destination MAC address, and the last switch strips the tag before delivering the frame to the attached device on an access port. One VLAN per trunk, the native VLAN (VLAN 1 by default), crosses the trunk untagged; both ends must agree on it, otherwise untagged frames land in a different VLAN on each side of the link. Frame tagging provides a mechanism for controlling the flow of broadcasts and applications while not interfering with end stations, which never see the tag.

Use the following commands to create a VLAN from global configuration mode:

Switch(config)#vlan vlan_number
Switch(config-vlan)#name vlan_name
Switch(config-vlan)#exit

Assign ports to be members of the VLAN. By default, all ports are initially members of VLAN 1. Assign ports one at a time or as a range. Use the following commands to assign an individual port to a VLAN:

Switch(config)#interface fa#/#
Switch(config-if)#switchport access vlan vlan_number
Switch(config-if)#exit

Use the following commands to assign a range of ports to a VLAN:

Switch(config)#interface range fa#/start_of_range - end_of_range
Switch(config-if-range)#switchport access vlan vlan_number
Switch(config-if-range)#exit

Trunking

A trunk is a physical and logical connection between two switches across which network traffic travels.

Switch(config)#interface fa#/#
Switch(config-if)#switchport trunk encapsulation {dot1q | isl | negotiate}
Switch(config-if)#switchport mode trunk

On switches that support both ISL and 802.1Q, the encapsulation must be set to dot1q or isl before switchport mode trunk is accepted; while it is left at negotiate (the default on those platforms), the mode command is rejected. Switches that only support 802.1Q do not have the encapsulation command at all.
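Putting the VLAN-creation, port-assignment and trunk commands above together, here is an added example configuration for one access switch; it is not from the original page. The VLAN numbers, names, interface numbers and addresses are assumed values chosen for illustration. The switchport mode access, switchport nonegotiate, native vlan and allowed vlan lines are the hardening steps a practitioner adds on top of the minimal commands in the text, so that a port only becomes a trunk when the administrator says so.

```cisco
! Added example, not from the original page. VLAN IDs, names, ports and
! addresses are assumed values for illustration.
!
! 1. Create the VLANs (global configuration mode).
vlan 10
 name ENGINEERING
vlan 20
 name SALES
vlan 99
 name MANAGEMENT
vlan 999
 name NATIVE-UNUSED
exit
!
! 2. Assign access ports. Forcing "mode access" plus "nonegotiate" means the
!    port can never negotiate itself into a trunk with whatever is plugged in.
interface range fastethernet 0/1 - 12
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 spanning-tree portfast
!
interface range fastethernet 0/13 - 22
 switchport mode access
 switchport access vlan 20
 switchport nonegotiate
 spanning-tree portfast
!
! 3. Park unused ports in an unused VLAN and shut them down, rather than
!    leaving them live in VLAN 1 (which is also the default management VLAN).
interface fastethernet 0/23
 switchport mode access
 switchport access vlan 999
 shutdown
!
! 4. The uplink trunk. Set the encapsulation before the mode (switches that
!    support both ISL and 802.1Q reject "mode trunk" while the encapsulation is
!    still "negotiate"), move the native VLAN off VLAN 1 onto a VLAN with no
!    access ports, and prune the allowed list to what must cross the link.
interface fastethernet 0/24
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,99
!
! 5. Management SVI on VLAN 99, not VLAN 1.
interface vlan 99
 ip address 10.0.99.2 255.255.255.0
 no shutdown
ip default-gateway 10.0.99.1
```

To verify, show vlan brief lists each VLAN with its member ports (VLAN 1 should hold none of the ports configured above), show interfaces trunk shows fastethernet 0/24 with encapsulation 802.1q, native VLAN 999 and the pruned allowed list, and show interfaces fastethernet 0/1 switchport confirms Operational Mode: static access and Negotiation of Trunking: Off.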

In a switched network, a trunk is a point-to-point link that supports several VLANs. The purpose of a trunk is to conserve ports when a link between two devices that implement VLANs is created.

The switching tables at both ends of the trunk can be used to make forwarding decisions based on the destination MAC addresses of the frames. As the number of VLANs that travel across the trunk increases, the forwarding decisions become slower and more difficult to manage. The decision process becomes slower because the larger switching tables take longer to process. Trunking protocols were developed to effectively manage the transfer of frames from different VLANs on a single physical line. The trunking protocols establish agreement for the distribution of frames to the associated ports at both ends of the trunk. Two types of trunking mechanisms exist: frame filtering and frame tagging. Frame tagging has been adopted as the standard trunking mechanism by the IEEE. Trunking protocols that use frame tagging achieve faster delivery of frames and make management easier. It is important to understand that a trunk link does not belong to a specific VLAN. A trunk link is a conduit for VLANs between switches and routers.

Inter-VLAN Routing

When a node in one VLAN needs to communicate with a node in another VLAN, a router is necessary to route the traffic between VLANs. Without the routing device, inter-VLAN traffic would not be possible. When VLANs are connected together, several technical issues will arise. Two of the most common issues that arise in a multiple-VLAN environment are:

- The need for end user devices to reach non-local hosts
- The need for hosts on different VLANs to communicate

Local connectivity involves a single connection, or trunk, from the switch to the router. That trunk can support multiple VLANs. This topology is called router on a stick because there is a single physical connection to the router, but multiple logical connections between the router and the switch. Inter-VLAN traffic must cross the Layer 2 backbone to reach the router, where it can move between VLANs, and then travels back to the desired end station using normal Layer 2 forwarding. This out-to-the-router-and-back flow is characteristic of router-on-a-stick designs, and it makes the router the one place where policy between VLANs (access lists, filtering) is actually enforced; the VLANs themselves only separate broadcast domains.

The IEEE multivendor standard 802.1Q or the Cisco proprietary protocol ISL is used to trunk VLANs over Fast Ethernet links. The dashed lines in the accompanying figure refer to the multiple logical links running over this physical link using subinterfaces. The router can support many logical interfaces on an individual physical link. For example, the Fast Ethernet interface FastEthernet 0/0 might support three subinterfaces numbered FastEthernet 0/0.1, 0/0.2 and 0/0.3, each bound to one VLAN tag. The primary advantage of using a trunk link is a reduction in the number of router and switch ports used. Not only can this save money, it can also reduce configuration complexity. Consequently, the trunk-connected router approach can scale to a much larger number of VLANs than a one-link-per-VLAN design.

VTP

If there is no automated way to manage an enterprise network with hundreds of VLANs, manual configuration of each VLAN on each switch is necessary. Any change to the VLAN structure requires further manual configuration. One incorrectly keyed number causes inconsistencies in connectivity throughout the entire network. To resolve this issue, Cisco created VTP (VLAN Trunking Protocol) to automate many of the VLAN configuration functions. VTP ensures that VLAN configuration is consistently maintained across the network and reduces the task of VLAN management and monitoring. The same propagation is also its main hazard: a switch joining a VTP domain with the same domain name and a higher configuration revision number overwrites the VLAN database of every other switch in that domain, client or server alike. Set a VTP password, check show vtp status on a switch before cabling it into production, and use transparent mode where the automation is not needed.
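As an added example that is not part of the original page, here is the router side of the router-on-a-stick design described above, followed by the VTP settings on the switches that feed it. The interface numbers, VLAN IDs, addresses, domain name and password are assumed values for illustration, and they match the VLANs used in the switch example earlier only by convention. The access list is there to make the point of the section concrete: once VLANs are routed, separation between them is whatever the router permits.

```cisco
! Added example, not from the original page. Interface numbers, VLAN IDs,
! addresses, domain name and password are assumed values for illustration.
!
! ---- Router: one trunk, one subinterface per VLAN ----
!
! Policy between VLANs lives here, because every inter-VLAN packet hairpins
! through the router. Example: SALES may reach anything except the
! management subnet.
ip access-list extended SALES-IN
 deny   ip 10.0.20.0 0.0.0.255 10.0.99.0 0.0.0.255
 permit ip any any
!
! The physical interface carries the 802.1Q trunk and has no address itself.
interface fastethernet 0/0
 no ip address
 no shutdown
!
! "encapsulation dot1Q <vid>" binds the subinterface to that VLAN's tag; the
! subinterface address is the default gateway for hosts in that VLAN.
interface fastethernet 0/0.10
 description ENGINEERING
 encapsulation dot1Q 10
 ip address 10.0.10.1 255.255.255.0
!
interface fastethernet 0/0.20
 description SALES
 encapsulation dot1Q 20
 ip address 10.0.20.1 255.255.255.0
 ip access-group SALES-IN in
!
interface fastethernet 0/0.99
 description MANAGEMENT
 encapsulation dot1Q 99
 ip address 10.0.99.1 255.255.255.0
!
! The untagged (native) VLAN must match the switch end of the trunk, or the
! router attributes untagged frames to the wrong VLAN. No address is given
! because no hosts live in VLAN 999.
interface fastethernet 0/0.999
 description NATIVE-UNUSED
 encapsulation dot1Q 999 native
!
! ---- Switches: VTP ----
!
! One switch holds the VLAN database and advertises it; the password keeps a
! stray switch with a matching domain name from joining. Check the revision
! number with "show vtp status" before connecting any pre-owned switch.
vtp domain CORP
vtp password S3cr3tVtpKey
vtp version 2
vtp mode server
!
! On the remaining switches, client mode receives the database; transparent
! mode keeps a local database and only relays advertisements, which is the
! safe choice for a switch whose VLANs must never be overwritten.
! vtp domain CORP
! vtp password S3cr3tVtpKey
! vtp mode client
```

Each subinterface's VLAN must also be in the trunk's allowed list on the switch side, otherwise the subinterface comes up but never sees a frame. On the router, show vlans (or show ip interface brief) lists each subinterface with its VLAN and address; on a switch, show vtp status reports the domain, mode and the configuration revision that the overwrite hazard hinges on.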
