Cisco® CCNA Exam Cram Notes : VLANs and VTP

IV. LAN Switching Technologies

5. VLANs and VTP

VLANs: A VLAN is a group of devices on one or more logically segmented LANs. All devices in a VLAN share the same broadcast domain. Like routers, Layer 2 switches can segment broadcast domains, and such a segment is called a VLAN. Using VLAN technology, you can group switch ports and their connected users into logically defined communities of interest. A VLAN operating on a Catalyst switch limits transmission of unicast, multicast, and broadcast traffic to only the other ports belonging to that VLAN, thereby controlling broadcasts. VLANs are typically configured on switch ports. However, note that a router is required to switch traffic between VLANs. A switch identifies the VLAN associated with a given frame and forwards the frame only to ports associated with that VLAN. Separate VLANs for voice and data traffic improve the privacy and reliability of voice communication. Inter-Switch Link (ISL) is one of the VLAN trunking protocols used for switched VLAN networks. It uses frame tagging to identify the VLAN: ISL encapsulates the original Ethernet frame, and a VLAN ID is inserted into the ISL header. The switch can be configured to provide two separate VLANs, one for VoIP traffic and one for data traffic.

By implementing VLANs,

1. The effective broadcast traffic decreases, since switches do not forward broadcast traffic from one VLAN to another.

2. Security can be improved by implementing a router (a Layer 3 device) to route packets among VLANs.

The benefits of VLANs include:

1. Easy administration, resulting in reduced administration costs.

2. Increased security due to broadcast control. With a simple hub, traffic to or from any node can be observed by simply attaching a network analyzer; a VLAN confines frames to the ports belonging to that VLAN.

3. Grouping based on functional requirements irrespective of the physical location of nodes, which simplifies moves, adds, and changes.

4. Distribution of traffic, thereby using network bandwidth more efficiently.

Use the "show vlan" or "show vlan vlan#" command to see the configuration details of VLANs. The command "sh vlan" displays the configuration information for all VLANs, whereas "sh vlan vlan#" shows only the configuration information for that VLAN. For example, to see the configuration information for VLAN 2, enter "sh vlan 2".

The following are the advantages of LAN segmentation using VLANs:

1. Segmentation of broadcast domains using VLANs results in more bandwidth per user.

2. Security is provided by isolating users belonging to different VLANs. Users in one VLAN will not receive frames meant for another VLAN.

3. LAN segmentation using VLANs can be done based on job function rather than physical location, if required.


For communicating between VLANs, you need a Layer 3 device. Note that VLANs operate at Layer 2. When access ports are configured with two distinct VLANs, the switch will not forward frames from one VLAN to a port that belongs to the other VLAN.

VLAN Trunking Protocols: Inter-Switch Link (ISL) and IEEE 802.1Q are the two VLAN trunking protocols that Cisco supports on Fast Ethernet. LANE is associated with ATM, and 802.10 is associated with FDDI. Also, it is important to note that ISL, 802.1Q, and 802.10 all use frame tagging to identify VLANs.

Feature                                      ISL                         802.1Q
Supported VLANs                              Normal and extended range   Normal and extended range
Protocol defined by                          Cisco                       IEEE
Encapsulates original frame or inserts tag   Encapsulates                Inserts tag
Native VLAN support                          No                          Yes

Inter-Switch Link (ISL) is a Cisco proprietary protocol that maintains VLAN information in Ethernet frames by encapsulating the whole Ethernet frame. In the case of ISL, the tag is external to the Ethernet frame, which is the same as encapsulating the Ethernet frame. ISL adds a 26-byte header (containing a 15-bit VLAN identifier) and a 4-byte CRC trailer to the frame. ISL is supported only on Cisco switches, and even some newer Cisco switches no longer support it. ISL cannot be used to connect a Cisco switch to a switch from another vendor such as HP, and its use is being deprecated even by Cisco in favor of IEEE 802.1Q, which is the more popular choice among trunking protocols.

IEEE 802.1Q is a standard developed by the Institute of Electrical and Electronics Engineers (IEEE) to carry traffic belonging to multiple VLANs across a trunk. In contrast to ISL, 802.1Q does not actually encapsulate the original frame. Instead, it adds a 32-bit field between the source MAC address and the EtherType/Length field of the original frame. This 32-bit field carries the information used to deterministically identify the VLAN the Ethernet frame belongs to.

The extra VLAN header used by both ISL and 802.1Q carries a VLAN identifier (VLAN ID) field that identifies the VLAN the frame belongs to. In the 802.1Q tag, the VLAN ID is a 12-bit field specifying the VLAN to which the frame belongs. The range of hexadecimal values for a 12-bit number is 0x000 to 0xFFF. The values 0x000 and 0xFFF are reserved, while all other values in the range can be used as VLAN identifiers, allowing up to 4,094 VLANs. Please see the figure below to understand how the IEEE 802.1Q tag is inserted into a regular Ethernet frame.

[Figure: VLAN header (IEEE 802.1Q tag inserted into an Ethernet frame)]
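The tag layout described above can be made concrete in code. The following Python is an added example (not part of the original notes and not Cisco code): it builds a constructed Ethernet frame with an 802.1Q tag inserted between the source MAC and the EtherType, then parses it back, splitting the 32-bit tag into TPID, PCP, DEI and the 12-bit VID and rejecting the reserved VIDs 0x000 and 0xFFF. The destination MAC, payload and PCP value are constructed sample values; the source MAC reuses the example address given later in these notes.

```python
import struct

TPID_8021Q = 0x8100             # Tag Protocol Identifier marking an 802.1Q-tagged frame
RESERVED_VIDS = {0x000, 0xFFF}  # reserved VLAN IDs; 0x001-0xFFE are usable (4,094 VLANs)


def build_tagged_frame(dst, src, vid, ethertype, payload, pcp=0, dei=0):
    """Insert a 4-byte 802.1Q tag between the source MAC and the EtherType field.

    The tag is the TPID (16 bits) followed by the TCI: PCP (3 bits), DEI (1 bit), VID (12 bits).
    """
    if not 0 < vid < 0xFFF:
        raise ValueError(f"VID 0x{vid:03X} is reserved or out of range")
    tci = (pcp & 0x7) << 13 | (dei & 0x1) << 12 | vid
    return dst + src + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload


def parse_frame(frame):
    """Decode an Ethernet frame; 'vlan' is None when the frame carries no 802.1Q tag."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    (etype,) = struct.unpack("!H", frame[12:14])
    info = {"dst": dst.hex(":"), "src": src.hex(":"), "vlan": None, "pcp": None, "dei": None}
    offset = 14
    if etype == TPID_8021Q:
        # What looked like the EtherType is the TPID; the real EtherType follows the TCI.
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, etype = struct.unpack("!HH", frame[14:18])
        vid = tci & 0x0FFF
        if vid in RESERVED_VIDS:
            raise ValueError(f"reserved VID 0x{vid:03X} in tag")
        info.update(vlan=vid, pcp=tci >> 13, dei=(tci >> 12) & 0x1)
        offset = 18
    info["ethertype"] = etype
    info["payload"] = frame[offset:]
    return info


# Constructed sample frames (not captured traffic). The source MAC is the
# example address from these notes; the destination is the broadcast address.
_DST = bytes.fromhex("ffffffffffff")
_SRC = bytes.fromhex("00000c121433")
_PAYLOAD = b"\x45" + b"\x00" * 45     # dummy 46-byte payload

# Voice-VLAN frame: VID 11, PCP 5, carrying IPv4 (EtherType 0x0800)
SAMPLE_TAGGED = build_tagged_frame(_DST, _SRC, vid=11, ethertype=0x0800, payload=_PAYLOAD, pcp=5)
# Untagged frame as a PC on an access port would send it (ARP, EtherType 0x0806)
SAMPLE_UNTAGGED = _DST + _SRC + struct.pack("!H", 0x0806) + _PAYLOAD

if __name__ == "__main__":
    for f in (SAMPLE_TAGGED, SAMPLE_UNTAGGED):
        d = parse_frame(f)
        print(f"src={d['src']} vlan={d['vlan']} pcp={d['pcp']} ethertype=0x{d['ethertype']:04x}")
```

The tagged frame is exactly four bytes longer than the untagged one, which is the 32-bit field the text refers to; a receiver only learns that the tag is present by seeing 0x8100 where it expected the EtherType.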

VLAN port assignments can be configured in either of two ways:

Static VLANs: The administrator statically configures VLAN port assignment. VLAN memberships on the switch ports are assigned on a port-by-port basis.

Dynamic VLANs: A VMPS (VLAN Management Policy Server) can dynamically assign ports to VLANs. The MAC address of the node is used to determine the VLAN assignment. A separate server or a Catalyst 5000 can function as the VMPS. When a frame arrives on a dynamic port, the switch queries the VMPS for the VLAN assignment based on the source MAC address of the arriving frame.

Carrying traffic for several VLANs across a single link between switches, or to the router that routes between VLANs, requires a trunk link.

For the VLAN database to be exchanged between two switches:

1. The VTP domain name must be the same,

2. The VTP password must be the same,

3. Trunk links must be configured between the switches (switchport mode trunk),

4. At least one switch must be configured as a server, and the other switches as servers or clients, to learn the VLAN database. Server mode is the default on Cisco Catalyst switches.

5. All switches throughout the VTP domain must run the same VTP version.

6. A Cisco Catalyst switch can belong to only one domain at any given time.

7. VTP messages not intended for the local domain (the one configured on the Cisco switch) are ignored.


A single physical port on a router can support one or more VLANs by use of sub-interfaces. There is no need for the router to have as many physical ports as there are VLANs. Inter-VLAN communication can occur only if the router is configured with the appropriate sub-interfaces. If there are 4 VLANs (say, VLANs 100, 200, 300, and 400) in addition to VLAN 1 (the management VLAN), 5 sub-interfaces have to be configured on the router interface connecting to the switch.

VLAN Trunk Protocol (VTP): VTP is a Layer 2 protocol that maintains VLAN configurations throughout a common administrative domain. Configurations are made on a VTP server and are propagated across trunk links to all switches in the VTP domain. VTP provides auto-intelligence for configuring switches across the network. A VTP advertisement always carries a configuration revision number. Every time a VTP server updates its VLAN information, it increments the configuration revision number by one. VTP clients use the revision number to decide whether to apply a VLAN configuration update.

VTP is a Layer 2 messaging protocol. It carries configuration information throughout a single domain. VTP operates in one of three modes:

1. Server mode: VTP Servers can create, modify, or delete VLANs and other configuration parameters for the specified VLAN domain.

2. Client mode: A VTP client can't create, change, or delete VLANs.

3. Transparent mode: A switch in VTP transparent mode does not participate in VTP but only passes VTP information on to other switches. Transparent switches act neither as servers nor as clients.

Configurations made on a single switch, called the VTP server, are propagated across the switch fabric under a single domain. Other switches, configured as VTP clients, learn the configuration information from the server. Cisco switches such as the Catalyst 1900, acting as VTP servers, save the VLAN configuration information in non-volatile memory (NVRAM), whereas clients keep the information only in the running configuration.

There are two VTP versions: VTP version 1 and VTP version 2. These versions are not interoperable. Version 1 is the default. All Cisco switches in a given management domain should be configured for either version 1 or version 2.

Some of the advantages of VTP version 2 are as below:

1. Token Ring support: Supports Token Ring LAN switching and VLANs. If Token Ring is used, this is the version required.

2. Version number auto-propagation: If all switches are capable of running version 2, only one switch needs to have version 2 enabled; the version number is automatically propagated to the others.

The default VTP configuration parameters for the Catalyst switch are as follows:

1. VTP domain name: None

2. VTP mode: Server

3. VTP password: None

4. VTP pruning: Disabled

5. VTP trap: Disabled


Remember that for VLAN information to be transferred successfully from one switch to another, the VTP version must be the same on both switches. Similarly, the VTP domain name must also be the same on both switches.

The VTP domain name can be specified manually or learned across a configured trunk link from a server that has a domain name configured. By default, the domain name is not set. If you configure a VTP password, VTP does not function properly unless you assign the same password to every switch in the domain. VTP traps are disabled by default. If you enable this feature, an SNMP message is generated every time a new VTP message is sent.

To associate a switch with a management VLAN, you need to assign an IP address to the switch. The subnet portion of the switch IP address must match the subnet of the management VLAN. Note that switches can maintain an IP stack, which enables us to manage them both locally and remotely via Telnet.

VTP pruning is a technique that enhances the available network bandwidth by reducing broadcast, multicast, and flooded unicast traffic. These frames are not forwarded to switches that have no ports associated with the given VLAN. When VTP pruning is enabled, a switch forwards flooded traffic across a link to another switch only if that switch has ports associated with that VLAN. For example, Switch A sends flooded frames belonging to VLAN 7 to Switch B only if Switch B has ports associated with VLAN 7.

VTP pruning should only be enabled on VTP servers; all the clients in the VTP domain will automatically enable VTP pruning. By default, VLANs 2 to 1001 are pruning eligible, but VLAN 1 cannot be pruned because it is an administrative VLAN. Both VTP versions 1 and 2 support pruning.

The domain name set on a switch can be seen in the VTP configuration of the switch; use the "show vtp status" command to check it.

The command syntax for assigning a management domain for a switch is:

Switch#vtp domain <domain-name>

For example, if the domain name is newyork, the command is:

Switch#vtp domain newyork

To verify any configuration change, the "show vtp status" privileged EXEC command can be used. This command displays, among other things, the VTP domain name, the VTP password if any, the VTP pruning mode (enabled or disabled), and the IP address of the device that last modified the configuration.

You need to create a domain while configuring the first switch in a switched network. For subsequent switches, you only need to join the existing domain. The password is required if the domain is to be secured by a password. The command allows you to create a new domain (in case the first switch is being configured) or to join an existing domain (one or more switches have already been assigned a domain).

The following is sample output from the "show vtp status" command:

[Figure: show vtp status output]

By default, there are no passwords in VTP informational updates, and any switch that has no VTP domain name can join the VTP domain when trunking is enabled. Also, any switch that has the same VTP domain name will join and exchange VTP information. This could enable an unwanted switch in your network to manage the VLAN database on each of the switches. To prevent this from occurring, set a VTP password on the switches that you want to exchange information.
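The conditions listed earlier for exchanging a VLAN database (matching domain name, matching password, a newer revision number) and the risk just described can be worked through with a small model. The following Python is an added example, not Cisco code and not the real VTP message format: the VtpSwitch class and the vtp_digest helper are hypothetical, and the digest is a stand-in that reproduces only the property that matters here, namely that a receiver configured with a different password computes a different digest and discards the advertisement. The domain name "newyork" and the VLAN numbers are taken from these notes; the switch names, revision numbers and password are constructed.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Dict, Optional


def vtp_digest(domain: str, revision: int, vlans: Dict[int, str], password: str) -> bytes:
    """Stand-in for the MD5 digest carried in a VTP advertisement.

    Assumption: real VTP hashes the advertisement body together with the domain
    password; the exact byte layout is not reproduced here, only the effect that a
    receiver with a different password ends up with a different digest.
    """
    h = hashlib.md5()
    h.update(password.encode())
    h.update(domain.encode())
    h.update(revision.to_bytes(4, "big"))
    for vid in sorted(vlans):
        h.update(f"{vid}:{vlans[vid]}".encode())
    return h.digest()


@dataclass
class Advertisement:
    domain: str
    revision: int
    vlans: Dict[int, str]
    digest: bytes


@dataclass
class VtpSwitch:
    """Hypothetical, simplified model of a Catalyst switch's VTP state."""
    name: str
    mode: str = "server"            # server | client | transparent (server is the default)
    domain: Optional[str] = None    # None: no domain name configured yet
    password: str = ""              # default: no VTP password
    revision: int = 0
    vlans: Dict[int, str] = field(default_factory=lambda: {1: "default"})

    def create_vlan(self, vid: int, name: str) -> int:
        """Only a server may change the VLAN database; each change bumps the revision."""
        if self.mode != "server":
            raise PermissionError(f"{self.name}: VTP {self.mode} mode cannot create VLANs")
        self.vlans[vid] = name
        self.revision += 1
        return self.revision

    def advertise(self) -> Advertisement:
        return Advertisement(self.domain, self.revision, dict(self.vlans),
                             vtp_digest(self.domain, self.revision, self.vlans, self.password))

    def receive(self, adv: Advertisement) -> str:
        """Apply the acceptance rules from the notes; returns what the switch did."""
        if self.mode == "transparent":
            return "forwarded"                   # relayed to other switches, never applied
        if self.domain is None:
            self.domain = adv.domain             # a switch with no domain name joins the advertised one
        elif adv.domain != self.domain:
            return "ignored: domain mismatch"
        if adv.digest != vtp_digest(adv.domain, adv.revision, adv.vlans, self.password):
            return "ignored: password mismatch"
        if adv.revision <= self.revision:
            return "ignored: revision not newer"
        self.vlans = dict(adv.vlans)             # higher revision wins: database is replaced
        self.revision = adv.revision
        return "applied"


def stale_switch_scenario(password: str):
    """A client in domain 'newyork' hears from a switch that was last configured
    elsewhere: same domain name, no password, but a higher revision number.
    Returns (what the client did, the VLAN IDs it holds afterwards)."""
    edge = VtpSwitch("edge", mode="client", domain="newyork", password=password,
                     revision=5, vlans={1: "default", 10: "data", 11: "voice"})
    stale = VtpSwitch("stale", domain="newyork", revision=42)   # password left at default ""
    outcome = edge.receive(stale.advertise())
    return outcome, sorted(edge.vlans)


if __name__ == "__main__":
    print("no password :", stale_switch_scenario(""))        # VLANs 10 and 11 are lost
    print("with password:", stale_switch_scenario("s3cret"))  # update is discarded
```

Run without a password, the higher revision number alone is enough for the client to replace its VLAN database, which is exactly the situation the paragraph above warns about; with a password set on the production switches the same advertisement is discarded at the digest check, before the revision number is even compared.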


MAC Address: A MAC address contains 48 bits, expressed as 12 hexadecimal digits. Note that 2 hexadecimal digits represent a byte; therefore, a MAC address contains 6 bytes. The first 3 bytes represent the manufacturer identification code. The next 3 bytes represent the interface number, unique to a given manufacturer. The MAC address is the hardware address and is usually burned into ROM. A typical MAC address looks like:

xx-xx-xx-xx-xx-xx, where x represents a hexadecimal digit.

Ex: 00-00-0c-12-14-33

Here, 00-00-0c represents the vendor address, and 12-14-33 typically represents the interface serial number. The last 6 hex digits are administered by the respective vendor and are unique within that vendor.

Data and Voice VLAN: Before IP telephony, a PC could sit on the same desk as a phone. The phone used UTP cabling and connected to some voice device (often called a voice switch or a private branch exchange [PBX]). The PC, of course, connected using an unshielded twisted-pair (UTP) cable to the usual LAN switch that sat in the wiring closet, sometimes in the same wiring closet as the voice switch.

The term IP telephony refers to the branch of networking in which the telephones use IP packets to send and receive voice, represented by the bits in the data portion of the IP packet. The phones connect to the network like most other end-user devices, using either Ethernet or Wi-Fi. These new IP phones did not connect via cable directly to a voice switch; instead, they connected to the IP network using an Ethernet cable and an Ethernet port built into the phone. The phones then communicated over the IP network with software that replaced the call setup and other functions of the PBX. (The current Cisco products that perform this IP telephony control function are called Cisco Unified Communications Manager.)

The migration from the already-installed telephone cabling to new IP phones that needed UTP cables supporting Ethernet caused problems in some offices. In particular, the older non-IP phones used a category of UTP cabling that often did not support 100-Mbps or 1000-Mbps Ethernet, and most offices had a single UTP cable running from the wiring closet to each desk, whereas now two devices (the PC and the new IP phone) both needed a cable from the desktop to the wiring closet. Installing a new cable to every desk would be expensive, and more switch ports would be needed.

Sites that use IP telephony, which includes almost every company today, now have two devices on each access port. In addition, Cisco best practices for IP telephony design tell us to put the phones in one VLAN and the PCs in a different VLAN. To make that happen, the switch port acts a little like an access link (for the PC's traffic) and a little like a trunk (for the phone's traffic). The configuration defines two VLANs on that port, as follows:

Data VLAN: Same idea and configuration as the access VLAN on an access port, but defined as the VLAN on that link for forwarding the traffic of the device connected to the phone on the desk (typically the user's PC).

Voice VLAN: The VLAN defined on the link for forwarding the phone's traffic. Traffic in this VLAN is typically tagged with an 802.1Q header.

Example: Configuring the voice and data VLANs on ports connected to phones

The configuration steps are as follows:

Step 1. Use the vlan vlan-id command in global configuration mode to create the data and voice VLANs if they do not already exist on the switch.

Ex:
Switch#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#vlan 10
Switch(config-vlan)#exit
Switch(config)#vlan 11

Step 2. Configure the data VLAN like an access VLAN, as usual:

  • Use the interface type number command in global configuration mode to move into interface configuration mode.

  • Use the switchport access vlan id-number command in interface configuration mode to define the data VLAN.

  • Use the switchport mode access command in interface configuration mode to make this port always operate in access mode (that is, to not trunk).

Ex:
Switch(config)#interface FastEthernet0/4
Switch(config-if)#switchport access vlan 10
Switch(config-if)#switchport mode access

Step 3. Use the switchport voice vlan id-number command in interface configuration mode to set the voice VLAN ID.

Switch(config-if)#switchport voice vlan 11
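Once the three steps above have been applied to many ports, it is useful to check that every phone port got all of them. The following Python is an added example (not from the original notes and not Cisco code): it parses a constructed running-config excerpt in the style of the steps above and flags phone ports that lack switchport mode access (step 2), that use the same VLAN for voice and data (contrary to the separate-VLAN design described above), or that reference a VLAN never created with the vlan command (step 1). The interface names beyond FastEthernet0/4 and the VLAN numbers other than 10 and 11 are sample values.

```python
import re

# Constructed sample running-config excerpt. Fa0/4 mirrors the steps in the notes;
# Fa0/5 skips 'switchport mode access'; Fa0/6 uses an undefined VLAN for both roles.
SAMPLE_CONFIG = """\
vlan 10
 name data
vlan 11
 name voice
!
interface FastEthernet0/4
 switchport access vlan 10
 switchport voice vlan 11
 switchport mode access
!
interface FastEthernet0/5
 switchport access vlan 10
 switchport voice vlan 11
!
interface FastEthernet0/6
 switchport access vlan 12
 switchport voice vlan 12
 switchport mode access
!
"""


def parse_config(text):
    """Return (set of defined VLAN IDs, {interface: {'access', 'voice', 'mode'}})."""
    vlans = {1}            # VLAN 1 always exists on a Catalyst switch even if not shown
    interfaces = {}
    current = None         # the interface block we are inside, if any
    for raw in text.splitlines():
        line = raw.rstrip()
        m = re.match(r"^vlan (\d+)$", line)
        if m:
            vlans.add(int(m.group(1)))
            current = None
            continue
        m = re.match(r"^interface (\S+)$", line)
        if m:
            current = interfaces.setdefault(m.group(1), {"access": None, "voice": None, "mode": None})
            continue
        if current is None or not line.startswith(" "):
            current = None  # '!' or any other top-level line ends the interface block
            continue
        cmd = line.strip()
        m = re.match(r"^switchport access vlan (\d+)$", cmd)
        if m:
            current["access"] = int(m.group(1))
            continue
        m = re.match(r"^switchport voice vlan (\d+)$", cmd)
        if m:
            current["voice"] = int(m.group(1))
            continue
        m = re.match(r"^switchport mode (\S+)$", cmd)
        if m:
            current["mode"] = m.group(1)
    return vlans, interfaces


def audit_phone_ports(text):
    """Return {interface: [issue, ...]} for every port that has a voice VLAN configured."""
    vlans, interfaces = parse_config(text)
    findings = {}
    for name, port in interfaces.items():
        if port["voice"] is None:
            continue                     # not a phone port; the checks below do not apply
        issues = []
        if port["mode"] != "access":
            issues.append("missing 'switchport mode access' (port may negotiate a trunk)")
        if port["access"] == port["voice"]:
            issues.append("voice VLAN equals data VLAN")
        for role in ("access", "voice"):
            vid = port[role]
            if vid is not None and vid not in vlans:
                issues.append(f"{role} VLAN {vid} is not defined on the switch")
        findings[name] = issues
    return findings


if __name__ == "__main__":
    for port, issues in audit_phone_ports(SAMPLE_CONFIG).items():
        print(port, "OK" if not issues else "; ".join(issues))
```

The same parser can be pointed at the output of show running-config saved to a file; ports without a voice VLAN are skipped because the checks only make sense for the two-VLAN phone-port arrangement described above.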


The VLAN used for voice traffic from the IP phone is called the voice VLAN, and the VLAN used for data is called the data or access VLAN. For the LAN switch to forward traffic correctly, it needs to know the VLAN ID of the voice VLAN as well as that of the data VLAN.
