
Hands-On Workshop

Introduction to VLAN theory and configuration


Table of contents

 Principles and applications of VLANs


 Setting up the VLAN
What Is a Virtual Local Area Network (VLAN)?

► A logical grouping of network users and resources connected to administratively defined ports on a switch
► VLANs break up broadcast domains in a pure switched internetwork
► VLAN features allow the network to be segmented by software management, improving network performance and security
► Workstations, servers and other network equipment connected to the switch can be grouped according to similar data and security requirements
slide 3
VLAN : IEEE 802.1Q

[Figure: a single switch with every station in One Large "Broadcast Domain"; a broadcast from any station reaches every port]

slide 4
VLAN : IEEE 802.1Q

[Figure: one switch divided into VLAN 2: Staff (ports 1-16), VLAN 3: Students (ports 17-32) and VLAN 4: Faculty (ports 33-48); a broadcast from a Students port is delivered only to the other Students ports]

» Separate a single physical LAN into multiple Virtual LANs
» Multiple broadcast domains
slide 5
Benefits of VLANs
► Increased security
» Ports in a VLAN can be configured to have limited access to resources
» Switches can be configured to inform a network management station of any unauthorized access to network resources
» Able to place restrictions on hardware addresses, protocols, and applications
► Flexibility
» Users can be added to a workgroup regardless of their location
► Capacity
» When a VLAN has a large number of users, broadcasts can reduce performance, but it is a simple process to implement further VLANs
► If inter-VLAN communication is required it can be achieved using a router or layer 3 switch
» Restrictions on data flow can be implemented on either device

slide 6
VLAN : IEEE 802.1Q

[Figure: two switches, each divided into VLAN 2: Staff (ports 1-16), VLAN 3: Students (ports 17-32) and VLAN 4: Faculty (ports 33-48); the data of each VLAN crosses between the switches over its own interconnecting port]

» Limitations:
» Sharing network resources, such as servers and printers, across multiple VLANs can be difficult.
» A VLAN that spans several switches requires a port on each switch for the interconnection of the various parts of the VLAN.
slide 7
Tagging

► Tagging is used to make a remote device understand the destination VLAN

[Figure: a Local device and a Remote device joined by a link between a RED tagged port on each]

slide 8
802.1q Frame Tagging
► To accommodate VLAN identification within an Ethernet frame, a 4-byte 802.1q Tag is added to the frame
► This increases the maximum Ethernet frame size to 1522 bytes
► The format for an Ethernet Tagged frame is shown below. In an Ethernet Frame, the TPID is 2 bytes long and will contain the value of 81-00 (0x8100)

Tagged Ethernet frame:

  Field    D/A      S/A      802.1q Tag   Type     Data            FCS
  Length   6 bytes  6 bytes  4 bytes      2 bytes  46-1500 bytes   4 bytes

802.1q Tag (4 bytes):

  Field    Tag Protocol ID   Priority   CFI     VLAN ID
  Length   16 bits           3 bits     1 bit   12 bits

slide 9
VLAN Awareness

► The switch is VLAN aware, in that it can accept VLAN tagged frames, and it supports the VLAN switching required by such tags
► A network can contain a mixture of VLAN aware devices, for instance other 802.1Q compatible switches, and VLAN unaware devices, for instance workstations and legacy switches that do not support VLAN tagging
► The switch can be configured to send VLAN tagged or untagged frames on each port, depending on whether or not the devices connected to the port are VLAN aware

slide 10
VLAN : IEEE 802.1Q

[Figure: two switches, each with VLAN 2: Staff (ports 1-16), VLAN 3: Students (ports 17-32) and VLAN 4: Faculty (ports 33-48), linked through port 49 on each; port 49 is tagged for Staff, Students & Faculty (802.1Q-compliant) and carries the data of all three VLANs]

» One port on the switch can be configured as an uplink to another 802.1Q-compatible switch
» By using VLAN tagging, this one port can carry traffic from all VLANs on the switch
slide 11
VLAN : IEEE 802.1Q

[Figure: the same two switches (VLAN 2: Staff, ports 1-16; VLAN 3: Students, ports 17-32; VLAN 4: Faculty, ports 33-48) linked through port 49, tagged for Staff, Students & Faculty (802.1Q-compliant). A Server is connected to port 50 of one switch; port 50 is tagged for Staff and Students, and the Ethernet card on the server is tagged for the Staff and Students VLANs, so the one card receives the data of both VLANs.]

slide 12
VLAN : IEEE 802.1Q

[Figure: the same two switches (VLAN 2: Staff, ports 1-16; VLAN 3: Students, ports 17-32; VLAN 4: Faculty, ports 33-48) linked through port 49, tagged for Staff, Students & Faculty (802.1Q-compliant). A Router is connected to port 50 of one switch; port 50 is tagged for Staff and Students, and the single port on the router is tagged for the Staff and Students VLANs.]

slide 13
Ingress Rules

► The Ingress Rules for the port check the VLAN tagging in the frame to determine whether it will be discarded or forwarded to the Learning Process
► Acceptable Frames parameter set to:
» Admit All Frames
» or Admit Only VLAN Tagged Frames (default)
► If Ingress Filtering is enabled, frames are admitted only if they have the VID of a VLAN to which the port belongs
► Ingress Filtering is enabled by default.

slide 14
Tagged Link

► The uplink port is tagged for VLAN 100 on both devices

Local device MAC table:
  Mac  VLAN    port
  0A   100(U)  16
  0B   100(T)  49

Remote device MAC table:
  Mac  VLAN    port
  0A   100(T)  49
  0B   100(U)  25

[Figure: the two devices are connected through port 49 on each. Station 0A is on port 16 of the local device and station 0B on port 25 of the remote device. A frame from 0A to 0B (D=0B, S=0A) leaves the local device on port 49 tagged for VLAN 100, is accepted by port 49 of the remote device and is forwarded untagged to 0B on port 25.]

slide 15
Wrong configuration

► The uplink port is tagged for VLAN 100 on only one device

Local device MAC table:
  Mac  VLAN    port
  0A   100(U)  16
  0B   100(U)  49

Remote device MAC table:
  Mac  VLAN    port
  0A   100(T)  49
  0B   100(U)  25

[Figure: port 49 of the local device is untagged, so the frame from 0A to 0B (D=0B, S=0A) arrives at port 49 of the remote device without a VLAN tag; the remote port's Ingress Rule rejects it (marked X) and 0B on port 25 never receives it.]

slide 16
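The tag layout of slide 9 and the ingress rules of slide 14 are what decide the outcome of slides 15 and 16. The following Python script is an added example, not code from the Allied Telesis deck: it builds tagged and untagged Ethernet frames, parses the 802.1Q tag, and applies the ingress rules (Acceptable Frames and Ingress Filtering, with the slide-14 defaults) to a port. The Port class, its parameter names and the 0A/0B sample traffic are this example's own constructions; the switch software does not expose such names.

```python
"""Added example (not from the Allied Telesis slides): build and parse 802.1Q-tagged
Ethernet frames and apply the slide-14 ingress rules to them."""
import struct
import zlib

TPID_8021Q = 0x8100  # Tag Protocol ID, the "81-00" value shown on slide 9


def build_frame(dst, src, ethertype, payload, vid=None, pcp=0, cfi=0):
    """Return a complete Ethernet frame including the FCS.

    When vid is given, a 4-byte 802.1Q tag (TPID + TCI) is inserted after the
    source MAC; that is why a tagged frame with a 1500-byte payload is 1522 bytes.
    """
    if not 46 <= len(payload) <= 1500:
        raise ValueError("payload must be 46..1500 bytes")
    frame = dst + src
    if vid is not None:
        if not 0 <= vid <= 4095:
            raise ValueError("VID must fit in 12 bits")
        tci = (pcp << 13) | (cfi << 12) | vid  # Priority 3 bits, CFI 1 bit, VLAN ID 12 bits
        frame += struct.pack("!HH", TPID_8021Q, tci)
    frame += struct.pack("!H", ethertype) + payload
    # The FCS is CRC-32 over everything before it, sent least significant byte first
    return frame + struct.pack("<I", zlib.crc32(frame) & 0xFFFFFFFF)


def parse_tag(frame):
    """Return (vid, priority, cfi) for a tagged frame, or None if the frame is untagged."""
    if len(frame) < 18:
        raise ValueError("frame too short to be Ethernet")
    if struct.unpack("!H", frame[12:14])[0] != TPID_8021Q:
        return None
    tci = struct.unpack("!H", frame[14:16])[0]
    return tci & 0x0FFF, tci >> 13, (tci >> 12) & 1


class Port:
    """Ingress parameters of one switch port (hypothetical names, not the AlliedWare Plus CLI)."""

    def __init__(self, name, member_vids, pvid, admit_only_tagged=True, ingress_filtering=True):
        self.name = name
        self.member_vids = set(member_vids)  # VLANs the port belongs to, tagged or untagged
        self.pvid = pvid                      # VLAN an admitted untagged frame is classified into
        self.admit_only_tagged = admit_only_tagged  # slide 14: "Admit Only VLAN Tagged Frames" is the default
        self.ingress_filtering = ingress_filtering  # slide 14: Ingress Filtering is enabled by default


def ingress_decision(port, frame):
    """Apply the ingress rules; return (forwarded, vid_or_None, reason)."""
    tag = parse_tag(frame)
    # A tag with VID 0 is priority-tagged only: it carries no VLAN, so it is classified like an untagged frame
    if tag is None or tag[0] == 0:
        if port.admit_only_tagged:
            return False, None, f"{port.name}: discarded, untagged frame on a port that admits only tagged frames"
        vid = port.pvid
    else:
        vid = tag[0]
    if port.ingress_filtering and vid not in port.member_vids:
        return False, vid, f"{port.name}: discarded, VID {vid} is not a VLAN this port belongs to"
    return True, vid, f"{port.name}: forwarded to the Learning Process in VLAN {vid}"


# Constructed sample traffic for slides 15 and 16: station 0A (port 16 on the local device)
# sends to station 0B (port 25 on the remote device) across the port-49 uplink.
MAC_0A = bytes.fromhex("00000000000a")
MAC_0B = bytes.fromhex("00000000000b")
PAYLOAD = b"\x00" * 46

REMOTE_UPLINK = Port("remote port49", member_vids={100}, pvid=1)  # 100(T), slide-14 defaults
REMOTE_ACCESS = Port("remote port25", member_vids={100}, pvid=100, admit_only_tagged=False)  # 100(U)


def correct_uplink():
    """Slide 15: local port 49 is tagged for VLAN 100, so the frame arrives tagged and is admitted."""
    return ingress_decision(REMOTE_UPLINK, build_frame(MAC_0B, MAC_0A, 0x0800, PAYLOAD, vid=100))


def wrong_uplink():
    """Slide 16: local port 49 is untagged, so the frame arrives without a tag and the Ingress Rule drops it."""
    return ingress_decision(REMOTE_UPLINK, build_frame(MAC_0B, MAC_0A, 0x0800, PAYLOAD))


if __name__ == "__main__":
    for result in (correct_uplink(), wrong_uplink()):
        print(result[2])
```

Running the script prints the two outcomes: the tagged frame is forwarded in VLAN 100, the untagged one is discarded before it reaches the Learning Process, exactly the X of slide 16. The same check with a VID the uplink is not a member of shows the second rule, Ingress Filtering, at work.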
VLAN - Gateway Addressing

► Traffic is switched at Layer 2 within a VLAN
► Traffic is switched at Layer 3 between VLANs

[Figure: forwarding paths labelled L2 (within a VLAN) and L3 (between VLANs, through the gateway)]

slide 17
The Default VLAN

► By default, the switch is configured to include all ports as untagged members of a single default VLAN, with no VLAN tagging required on incoming frames, or added to outgoing frames
► This default VLAN cannot be deleted from the switch
► If all the devices on the physical LAN are to belong to the same logical LAN, that is, the same broadcast domain, then the default settings will be acceptable, and no additional VLAN configuration is required

slide 18
VLAN Ports

► VLAN ports have two mode options:
» Access – allows only untagged frames, i.e. a normal untagged port
awplus# configure
awplus(config)# interface port1.0.1
awplus(config-if)# switchport mode access
» Trunk – a normal 802.1Q port: the VLANs are added to the port tagged, and the native VLAN is then set as the untagged VLAN.
awplus# configure
awplus(config)# interface port1.0.1
awplus(config-if)# switchport mode trunk

slide 19
VLAN Configuration

► To create or delete a VLAN


awplus# configure terminal
awplus(config)# vlan database
awplus(config-vlan)# vlan 2 name test1
awplus(config-vlan)# vlan 3
awplus(config-vlan)# vlan 4-6
awplus(config-vlan)# no vlan 5
awplus(config-vlan)# exit

slide 20
Adding or Deleting Ports

► To add untagged port(s) to a VLAN, go to config mode for the port and set those ports to access mode for that VLAN:
awplus# configure terminal
awplus(config)# interface port1.0.2
awplus(config-if)# switchport access vlan 2
awplus(config-if)# exit

► To delete untagged ports from a VLAN
awplus(config)# interface port1.0.2
awplus(config-if)# no switchport access vlan

slide 21
Adding or Deleting Ports

► To add a list of ports (note the format of the port list):


awplus# configure terminal
awplus(config)# interface port1.0.1,port1.0.3-port1.0.6
awplus(config-if)# switchport access vlan 2
awplus(config-if)# exit

slide 22
Using Trunk mode

► Using Trunk mode:


» In this example port1.0.1 is set up with VLAN 2 and 3 tagged and VLAN 4 untagged.
awplus# configure terminal
awplus(config)# interface port1.0.1
awplus(config-if)# switchport mode trunk
awplus(config-if)# switchport trunk native vlan 4
awplus(config-if)# switchport trunk allowed vlan add 2,3

slide 23
Native VLAN - Q and A
Q: Why not transfer all ports of the switch to "Trunk" mode, carrying only tagged frames?
A: Some machines, such as terminals, cannot read tagged frames. They therefore have to send their traffic to a port in "Access" mode, or via the "Native" VLAN of a port in trunk mode.
Q: What is the purpose of changing the native VLAN of a port in trunk mode?
A: Among other reasons: a PC can only read untagged frames. The IP telephone can therefore be placed into a tagged voice VLAN, and the PCs that are connected to the switch through an IP telephone into an untagged data VLAN, by changing the native VLAN of the port to the expected value.
Q: Why is it recommended that the native VLAN should be kept on a port in trunk mode?
A: Some protocols that are essential to the operation of the network function untagged, such as Spanning Tree. It is therefore strongly recommended that the native VLAN should be kept on a port in trunk mode, so that these protocols function correctly. This is always VLAN 1 (default VLAN).
slide 24
Display the trunked and access VLANs from the previous slide
awplus# sho vlan brief
VLAN ID Name Type State Member ports
(u)-Untagged, (t)-Tagged
======= ================ ======= ======= ====================================
1 default STATIC ACTIVE port1.0.2(u) port1.0.3(u)
port1.0.4(u)
port1.0.5(u) port1.0.6(u)
port1.0.7(u)
port1.0.8(u) port1.0.9(u)
port1.0.10(u) port1.0.11(u)
port1.0.12(u) port1.0.13(u)
port1.0.14(u) port1.0.15(u)
port1.0.16(u) port1.0.17(u)
port1.0.18(u) port1.0.19(u)
port1.0.20(u) port1.0.21(u)
port1.0.22(u) port1.0.23(u)
port1.0.24(u)
2 my2 STATIC ACTIVE port1.0.1(t)
3 my3 STATIC ACTIVE port1.0.1(t)
4 my4 STATIC ACTIVE port1.0.1(u)

slide 25
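The "show vlan brief" output above is the natural place to verify that the trunk configuration of slide 23 (port1.0.1 with VLANs 2 and 3 tagged and VLAN 4 untagged) actually took effect, and that no trunk has lost its native VLAN (the slide 24 recommendation). The following Python script is an added example, not code from the Allied Telesis deck: it parses that output (copied from slide 25, continuation lines included) into per-port membership and checks it. The function names are this example's own.

```python
"""Added example (not from the Allied Telesis slides): parse 'show vlan brief' output
into per-port VLAN membership and verify the slide-23 trunk configuration."""
import re

# Output as printed on slide 25; long member-port lists wrap onto continuation lines
SHOW_VLAN_BRIEF = """\
VLAN ID Name Type State Member ports
(u)-Untagged, (t)-Tagged
======= ================ ======= ======= ====================================
1 default STATIC ACTIVE port1.0.2(u) port1.0.3(u)
port1.0.4(u)
port1.0.5(u) port1.0.6(u)
port1.0.7(u)
port1.0.8(u) port1.0.9(u)
port1.0.10(u) port1.0.11(u)
port1.0.12(u) port1.0.13(u)
port1.0.14(u) port1.0.15(u)
port1.0.16(u) port1.0.17(u)
port1.0.18(u) port1.0.19(u)
port1.0.20(u) port1.0.21(u)
port1.0.22(u) port1.0.23(u)
port1.0.24(u)
2 my2 STATIC ACTIVE port1.0.1(t)
3 my3 STATIC ACTIVE port1.0.1(t)
4 my4 STATIC ACTIVE port1.0.1(u)
"""

PORT_TOKEN = re.compile(r"^(\S+)\(([ut])\)$")  # e.g. port1.0.1(t)


def parse_vlan_brief(text):
    """Return {vid: {"name", "type", "state", "ports": {port: "u"|"t"}}} from the command output."""
    vlans, current, in_table = {}, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not in_table:
            in_table = line.startswith("=")  # the ===== ruler ends the header
            continue
        tokens = line.split()
        if tokens[0].isdigit():  # a new VLAN record: ID, name, type, state, then member ports
            vid = int(tokens[0])
            current = vlans[vid] = {"name": tokens[1], "type": tokens[2], "state": tokens[3], "ports": {}}
            tokens = tokens[4:]
        elif current is None:
            raise ValueError(f"continuation line before any VLAN record: {line!r}")
        for tok in tokens:  # remaining tokens (or a whole continuation line) are member ports
            m = PORT_TOKEN.match(tok)
            if not m:
                raise ValueError(f"unexpected token {tok!r}")
            current["ports"][m.group(1)] = m.group(2)
    return vlans


def port_membership(vlans):
    """Invert the table: {port: {vid: "u"|"t"}}."""
    ports = {}
    for vid, rec in vlans.items():
        for port, mode in rec["ports"].items():
            ports.setdefault(port, {})[vid] = mode
    return ports


def port_matches(membership, port, tagged=(), untagged=None):
    """True if the port carries exactly the given tagged VLANs plus the one untagged (native) VLAN."""
    want = {vid: "t" for vid in tagged}
    if untagged is not None:
        want[untagged] = "u"
    return membership.get(port, {}) == want


def ports_without_untagged_vlan(membership):
    """Ports that carry only tagged VLANs, i.e. trunks with no native VLAN (slide 24 advises against this)."""
    return sorted(p for p, m in membership.items() if "u" not in m.values())


if __name__ == "__main__":
    members = port_membership(parse_vlan_brief(SHOW_VLAN_BRIEF))
    print("port1.0.1 matches slide 23:", port_matches(members, "port1.0.1", tagged=(2, 3), untagged=4))
    print("trunks without a native VLAN:", ports_without_untagged_vlan(members))
```

The parser keys on the "=====" ruler rather than on column positions, so it is not thrown off by the wrapped member-port lists; anything it cannot classify raises instead of being silently skipped, which is the behaviour you want from an audit script.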
Thank You!

Americas Headquarters | 19800 North Creek Parkway | Suite 100 | Bothell | WA 98011 | USA | T: +1 800 424 4284 | F: +1 425 481 3895
Asia-Pacific Headquarters | 11 Tai Seng Link | Singapore | 534182 | T: +65 6383 3832 | F: +65 6383 3830
EMEA & CSA Operations | Incheonweg 7 | 1437 EK Rozenburg | The Netherlands | T: +31 20 7950020 | F: +31 20 7950021

© 2016 Allied Telesis Inc. All rights reserved. Information in this document is subject to change without notice. All company names, logos, and product designs that are trademarks or registered trademarks are the property of their respective owners.
