VLAN Management

Virtual Local Area Networks (VLANs) provide segmentation and organizational flexibility in a switched network, and allow an administrator to segment networks based on factors such as function, team, or application, without regard for the physical location of the users or devices.

A group of devices within a VLAN communicate as if each device was attached to the same cable. VLANs are based on logical connections, instead of physical connections; any switch port can belong to a VLAN. However, each switch port can be assigned to only one VLAN (except for a port connected to an IP phone or to another switch).

Unicast, broadcast, and multicast packets are forwarded and flooded only to end devices within the VLAN where the packets are sourced. Packets initiated within a VLAN that are destined for devices outside of the VLAN must be forwarded through a device that supports routing.

Multiple IP subnets can exist on a switched network, without the use of multiple VLANs. However, the devices will be in the same Layer 2 broadcast domain. This means that any Layer 2 broadcasts, such as an ARP request, will be received by all devices on the switched network, even by those not intended to receive the broadcast. Therefore, VLANs improve network performance by separating large broadcast domains into smaller ones.

The standard Ethernet frame header does not contain information about the VLAN to which the frame belongs. Therefore, when Ethernet frames are placed on a trunk, information about the VLANs to which they belong must be added. This process, called tagging, is accomplished by using the IEEE 802.1Q header, specified in the IEEE 802.1Q standard. The 802.1Q header includes a 4-byte tag inserted within the original Ethernet frame header, specifying the VLAN to which the frame belongs.

Types of VLAN

Default

The default VLAN on a Cisco switch is VLAN 1. Therefore, all switch ports are on VLAN 1 unless a port is explicitly configured to be on another VLAN. By default, all Layer 2 control traffic is associated with VLAN 1.

Important facts to remember about VLAN 1 include the following:

  • All ports are assigned to VLAN 1 by default.
  • The native VLAN is VLAN 1 by default.
  • The management VLAN is VLAN 1 by default.
  • VLAN 1 cannot be renamed or deleted.

Data

Data VLANs are VLANs configured to separate user-generated traffic. They are also referred to as user VLANs because they separate the network into groups of users or devices. A modern network might have many data VLANs depending on organizational requirements.

Voice and network management traffic should not be permitted on data VLANs.

Native

User traffic from a VLAN must be tagged with its VLAN ID when it is sent to another switch. Trunk ports are used between switches to support the transmission of tagged traffic.

A switch may also have to send untagged traffic across a trunk link. For example, control traffic sent on the native VLAN should not be tagged. The 802.1Q trunk port places untagged traffic on the native VLAN.

It is a best practice to configure the native VLAN as an unused VLAN, distinct from VLAN 1 and other VLANs.

Management

A management VLAN is a data VLAN configured specifically for network management traffic including SSH, Telnet, HTTPS, HTTP, and SNMP. By default, VLAN 1 is configured as the management VLAN on a Layer 2 switch.

Management frames that are sent between switches are an example of traffic that is typically untagged.

Voice

A separate VLAN is needed to support Voice over IP (VoIP).

VoIP traffic requires the following:

  • Assured bandwidth to ensure voice quality
  • Transmission priority over other types of network traffic
  • Ability to be routed around congested areas on the network
  • Delay of less than 150 ms across the network

VLAN Configuration

When VLANs are implemented on a switch, the transmission of unicast, multicast, and broadcast traffic from a host in a particular VLAN is restricted to the devices that are in that VLAN.

A VLAN is equivalent to an IP network (or subnet). VLANs are configured on the switch, whereas IP addressing is configured on the device.

S1# configure terminal
S1(config)# vlan 100,102,105-107
S1(config-vlan)# name student
S1(config-vlan)# exit
S1(config)#
S1(config)# interface range fa 0/6 - 8, gig 1/1 - 2
S1(config-if-range)# switchport mode access
S1(config-if-range)# switchport access vlan 20
% Access VLAN does not exist. Creating vlan 20

Naming each VLAN is considered a best practice in switch configuration.

The network administrator must configure the other devices on the VLAN to be in the same subnet.

VLAN Ranges

Different Cisco Catalyst switches support various numbers of VLANs. For example, the Catalyst 2960 and 3650 Series switches support over 4,000 VLANs. Normal range VLANs on these switches are numbered 1 to 1,005 and extended range VLANs are numbered 1,006 to 4,094.

Normal Range VLANs

The following are characteristics of normal range VLANs:

  • They are used in all small- and medium-sized business and enterprise networks.
  • They are identified by a VLAN ID between 1 and 1005.
  • IDs 1002 through 1005 are reserved for legacy network technologies (i.e., Token Ring and Fiber Distributed Data Interface).
  • IDs 1 and 1002 to 1005 are automatically created and cannot be removed.
  • Configurations are stored in the switch flash memory in a VLAN database file called vlan.dat.
  • When configured, VLAN Trunking Protocol (VTP) helps synchronize the VLAN database between switches.

Extended Range VLANs

The following are characteristics of extended range VLANs:

  • They are used by service providers to service multiple customers and by global enterprises large enough to need extended range VLAN IDs.
  • They are identified by a VLAN ID between 1006 and 4094.
  • Configurations are saved, by default, in the running configuration.
  • They support fewer VLAN features than normal range VLANs.
  • They require the switch to be in VTP transparent mode.

4096 is the upper boundary for the number of VLANs available on Catalyst switches, because there are 12 bits in the VLAN ID field of the IEEE 802.1Q header.
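The tagging described in the introduction and the 12-bit VID field mentioned here can be worked through in code. The following Python is an added example, not part of the original notes or any Cisco software: it builds the 4-byte 802.1Q tag (TPID 0x8100 followed by the TCI, which packs the 3-bit PCP used as the Layer 2 CoS value, the 1-bit DEI and the 12-bit VID), inserts it into a constructed Ethernet frame as a switch does when an access-port frame goes onto a trunk, parses it back, and classifies the VID into the normal and extended ranges from this section. The sample frame, MAC addresses and the "reserved" label for VID 0 and 4095 are constructed for the example.

```python
import struct

TPID_8021Q = 0x8100            # Tag Protocol Identifier that marks an 802.1Q-tagged frame
VID_BITS = 12                  # width of the VLAN ID field: 2**12 = 4096 possible values
MAX_VID = (1 << VID_BITS) - 1  # 4095


def build_tag(vid, pcp=0, dei=0):
    """Build the 4-byte 802.1Q tag: TPID (16 bits) followed by the TCI,
    which packs PCP (3 bits, the Layer 2 CoS value), DEI (1 bit) and VID (12 bits)."""
    if not 0 <= vid <= MAX_VID:
        raise ValueError(f"VLAN ID {vid} does not fit in the {VID_BITS}-bit VID field")
    if not 0 <= pcp <= 7:
        raise ValueError("PCP/CoS is a 3-bit field (0-7)")
    tci = (pcp << 13) | ((dei & 1) << 12) | vid
    return struct.pack("!HH", TPID_8021Q, tci)


def tag_frame(frame, vid, pcp=0, dei=0):
    """Insert the tag after the 12-byte destination/source MAC header,
    as a switch does when it places an access-port frame on a trunk."""
    return frame[:12] + build_tag(vid, pcp, dei) + frame[12:]


def parse_frame(frame):
    """Return (vid, pcp, dei, ethertype, payload); vid is None for an untagged frame."""
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != TPID_8021Q:
        return None, None, None, ethertype, frame[14:]
    tci, inner_type = struct.unpack("!HH", frame[14:18])
    return tci & 0x0FFF, tci >> 13, (tci >> 12) & 1, inner_type, frame[18:]


def untag_frame(frame):
    """Remove the tag, as a switch does when a frame leaves an access port."""
    vid = parse_frame(frame)[0]
    return frame if vid is None else frame[:12] + frame[16:]


def vlan_range(vid):
    """Classify a VID into the Catalyst normal/extended ranges from the notes above."""
    if 1 <= vid <= 1005:
        return "normal"
    if 1006 <= vid <= 4094:
        return "extended"
    return "reserved"  # 0 = priority-tagged frame with no VLAN, 4095 = reserved by the standard


# Constructed sample: broadcast dst MAC, a made-up src MAC, EtherType 0x0800 (IPv4)
# and a 20-byte dummy payload.
SAMPLE_FRAME = (bytes.fromhex("ffffffffffff") + bytes.fromhex("02000000aa01")
                + b"\x08\x00" + b"\x45" + b"\x00" * 19)

if __name__ == "__main__":
    tagged = tag_frame(SAMPLE_FRAME, 99, pcp=5)   # VLAN 99 with CoS 5, as a voice frame would carry
    print(tagged[12:16].hex())                     # 8100a063
    print(parse_frame(tagged)[:3])                 # (99, 5, 0)
    print(vlan_range(1005), vlan_range(1006), vlan_range(4095))
```

Because the VID field is only 12 bits wide, build_tag rejects 4096 and above; that is the whole reason the Catalyst upper boundary is 4096 values (of which 4094 are usable).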

VLAN Management Interface

S1(config)# vlan 99
S1(config-vlan)# name Management
S1(config-vlan)# interface vlan 99
S1(config-if)# ip add 192.168.99.2 255.255.255.0
S1(config-if)# no shut
S1(config-if)# exit
S1(config)# ip default-gateway 192.168.99.1

Voice-over-IP (VoIP)

A separate voice VLAN is required to support VoIP. This enables quality of service (QoS) and security policies to be applied to voice traffic.

A Cisco IP phone connects directly to a switch port. An IP host can connect to the IP phone to gain network connectivity as well. The access port connected to the Cisco IP phone can be configured to use two separate VLANs. One VLAN is for voice traffic and the other is a data VLAN to support the host traffic. The link between the switch and the IP phone simulates a trunk link to carry both voice VLAN traffic and data VLAN traffic.

The connected switch sends CDP packets instructing the attached IP phone to send voice traffic in one of three ways. The method used varies based on the type of traffic:

  1. Voice VLAN traffic must be tagged with an appropriate Layer 2 class of service (CoS) priority value.
  2. Access VLAN traffic can also be tagged with a Layer 2 CoS priority value.
  3. Access VLAN is not tagged (no Layer 2 CoS priority value).

S1(config)# vlan 150
S1(config-vlan)# name VOICE
S1(config-vlan)# interface fa0/10
S1(config-if)# switchport mode access
S1(config-if)# mls qos trust cos
S1(config-if)# switchport voice vlan 150
S1(config-if)# end

Voice traffic must be labeled as trusted as soon as it enters the network. Use the mls qos trust interface configuration command to set the trusted state of an interface, and to indicate which fields of the packet are used to classify traffic.

Switch(config-if)# mls qos trust [cos | device cisco-phone | dscp | ip-precedence]

Deleting VLANs

The no vlan vlan-id global configuration mode command is used to remove a VLAN from the switch vlan.dat file.

Before deleting a VLAN, reassign all member ports to a different VLAN first. Any ports that are not moved to an active VLAN are unable to communicate with other hosts after the VLAN is deleted and until they are assigned to an active VLAN.

The entire vlan.dat file can be deleted using the delete flash:vlan.dat privileged EXEC mode command. The abbreviated command version (delete vlan.dat) can be used if the vlan.dat file has not been moved from its default location. After issuing this command and reloading the switch, any previously configured VLANs are no longer present.

Port Configuration – Negotiated Interface Modes

VLANs are associated with and configured on individual switch ports. Devices attached to those ports have no concept of VLANs. However, these devices are configured with IP addressing and are members of a specific IP network.

When a switch receives a frame on a port configured in access mode and assigned a VLAN, the switch inserts a VLAN tag in the frame header, recalculates the Frame Check Sequence (FCS), and sends the tagged frame out of a trunk port.

After creating a VLAN, the next step is to assign ports to the VLAN. An access port can belong to only one data VLAN at a time.

The following example displays the syntax for defining a port to be an access port and assigning it to a VLAN.

S1(config)# interface fa0/1
S1(config-if)# switchport mode access
S1(config-if)# switchport access vlan 20
% Access VLAN does not exist. Creating vlan 20 

The switchport mode access command is optional, but strongly recommended as a security best practice. Access mode indicates that the port belongs to a single VLAN and will not negotiate to become a trunk link.

The configuration options available to the switchport mode interface configuration command are as follows:

Switch(config-if)# switchport mode { access | dynamic { auto | desirable } | trunk }
Option Description
access
  • Puts the interface (access port) into permanent nontrunking mode and negotiates to convert the link into a nontrunk link.
  • The interface becomes a nontrunk interface, regardless of whether the neighboring interface is a trunk interface.
dynamic auto
  • Makes the interface able to convert the link to a trunk link.
  • The interface becomes a trunk interface if the neighboring interface is set to trunk or desirable mode.
  • The default switchport mode for all Ethernet interfaces is dynamic auto.
dynamic desirable
  • Makes the interface actively attempt to convert the link to a trunk link.
  • The interface becomes a trunk interface if the neighboring interface is set to trunk, desirable, or dynamic auto mode.
trunk
  • Puts the interface into permanent trunking mode and negotiates to convert the neighboring link into a trunk link.
  • The interface becomes a trunk interface even if the neighboring interface is not a trunk interface.

Change VLAN Port Membership

There are a number of ways to change VLAN port membership.

If the switch access port has been incorrectly assigned to a VLAN, then simply re-enter the switchport access vlan vlan-id interface configuration command with the correct VLAN ID. The switchport access vlan command forces the creation of a VLAN if it does not already exist on the switch.

S1(config)# vlan 150
S1(config-vlan)# name VOICE
S1(config-vlan)# interface fa0/10
S1(config-if)# switchport mode access
S1(config-if)# switchport access vlan 20
! % Access VLAN does not exist. Creating vlan 20
S1(config-if)# mls qos trust cos
S1(config-if)# switchport voice vlan 150
S1(config-if)# end

To change the membership of a port back to the default VLAN 1, use the no switchport access vlan interface configuration mode command.

Trunk Ports

A trunk is a point-to-point link between two network devices that carries more than one VLAN. This enables devices connected to different switches but in the same VLAN to communicate without going through a router.

Cisco supports IEEE 802.1Q for coordinating trunks on Fast Ethernet, Gigabit Ethernet, and 10-Gigabit Ethernet interfaces. If an 802.1Q trunk port receives a tagged frame with the native VLAN ID, it drops the frame. Devices from other vendors that support tagged frames on the native VLAN include IP phones, servers, routers, and non-Cisco switches.

When a Cisco switch trunk port receives untagged frames (which are unusual in a well-designed network), it forwards those frames to the native VLAN. If there are no devices associated with the native VLAN (which is not unusual) and there are no other trunk ports (which is not unusual), then the frame is dropped.

Trunk Configuration

  1. Configure the interface as a trunk.

     S1(config)# interface fastEthernet 0/1
     S1(config-if)# switchport mode trunk
     S1(config-if)# switchport nonegotiate

  2. Configure both ends of a trunk link with the same native VLAN.

     S1(config-if)# switchport trunk native vlan 99

  3. Restrict the interface to only allow relevant VLANs (e.g., 10, 20, 30, and 99).

     S1(config-if)# switchport trunk allowed vlan 10,20,30,99

When configuring an 802.1Q trunk port, a default Port VLAN ID (PVID) is assigned the value of the native VLAN ID. All untagged traffic coming in or out of the 802.1Q port is forwarded based on the PVID value.
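The ingress and egress rules spread over the Port Configuration and Trunk Ports sections (access ports tag on the way to a trunk, untagged frames on a trunk land on the native VLAN/PVID, a frame tagged with the native VID is dropped, a VLAN with no other member port is dropped) fit into one small forwarding model. The Python below is an added example written for these notes, not Cisco code: it keeps the decision at the VLAN-ID level and floods a broadcast or unknown-unicast frame the way the text describes. The port names, VLAN numbers and the choice that an access port accepts only untagged frames are constructed assumptions of the model.

```python
from dataclasses import dataclass, field
from typing import Optional, Set


@dataclass
class AccessPort:
    name: str
    vlan: int                    # the single data VLAN the port belongs to


@dataclass
class TrunkPort:
    name: str
    native: int = 1              # PVID: untagged frames are placed on this VLAN
    allowed: Set[int] = field(default_factory=lambda: set(range(1, 4095)))  # default: all VLANs


def classify_ingress(port, tag_vid: Optional[int]) -> Optional[int]:
    """VLAN the switch assigns to a received frame, or None when the frame is dropped.
    tag_vid is the VID from the 802.1Q tag, or None for an untagged frame."""
    if isinstance(port, AccessPort):
        # Assumption of this model: an access port accepts only untagged frames.
        return port.vlan if tag_vid is None else None
    if tag_vid is None:
        return port.native                 # untagged on a trunk -> native VLAN (PVID)
    if tag_vid == port.native:
        return None                        # tagged with the native VID -> dropped
    if tag_vid not in port.allowed:
        return None                        # VLAN not allowed on this trunk -> dropped
    return tag_vid


def egress_tag(port, vlan: int):
    """(forwarded?, tag) for a frame in `vlan` leaving `port`; tag None means untagged."""
    if isinstance(port, AccessPort):
        return (vlan == port.vlan, None)   # access ports strip the tag
    if vlan not in port.allowed:
        return (False, None)
    return (True, None if vlan == port.native else vlan)


def flood(ports, in_port, tag_vid: Optional[int]):
    """Flood a broadcast/unknown-unicast frame received on in_port.
    Returns {port_name: tag} for every port the frame leaves; {} when it is dropped."""
    vlan = classify_ingress(in_port, tag_vid)
    if vlan is None:
        return {}
    out = {}
    for p in ports:
        if p is in_port:
            continue
        forwarded, tag = egress_tag(p, vlan)
        if forwarded:
            out[p.name] = tag
    return out


# Constructed topology: two access ports, one trunk hardened as in the steps above,
# and one trunk left at its defaults (native VLAN 1, all VLANs allowed).
PORTS = [
    AccessPort("Fa0/1", vlan=10),
    AccessPort("Fa0/2", vlan=20),
    TrunkPort("Gi0/1", native=99, allowed={10, 20, 99}),
    TrunkPort("Gi0/2"),
]
PORT = {p.name: p for p in PORTS}

if __name__ == "__main__":
    print(flood(PORTS, PORT["Fa0/1"], None))   # {'Gi0/1': 10, 'Gi0/2': 10}
    print(flood(PORTS, PORT["Gi0/1"], 20))     # {'Fa0/2': None, 'Gi0/2': 20}
    print(flood(PORTS, PORT["Gi0/1"], None))   # {'Gi0/2': 99}  untagged -> native VLAN 99
    print(flood(PORTS, PORT["Gi0/1"], 99))     # {}  tagged with the native VID is dropped
    print(flood(PORTS, PORT["Gi0/2"], None))   # {}  VLAN 1 has no other member port
```

The last two calls are the cases the text singles out: a frame tagged with the trunk's native VID is discarded, and an untagged frame that lands on a native VLAN with no other members goes nowhere. Known-unicast forwarding would use the same egress_tag decision for the single learned port instead of flooding.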

Reset the Trunk to the Default State

Use the no switchport trunk allowed vlan and the no switchport trunk native vlan commands to remove the allowed VLANs and reset the native VLAN of the trunk.

When it is reset to the default state, the trunk allows all VLANs and uses VLAN 1 as the native VLAN.

Dynamic Trunking Protocol

Some Cisco switches have a proprietary protocol that lets them automatically negotiate trunking with a neighboring device. This protocol is called Dynamic Trunking Protocol (DTP).

Ethernet trunk interfaces support different trunking modes. An interface can be set to trunking or nontrunking, or to negotiate trunking with the neighbor interface. Trunk negotiation is managed by DTP, which operates on a point-to-point basis only, between network devices.

Some internetworking devices might forward DTP frames improperly, which can cause misconfigurations. To avoid this, turn off DTP on Cisco switch interfaces that are connected to devices that do not support DTP.

To enable trunking from a Cisco switch to a device that does not support DTP, use the switchport mode trunk and switchport nonegotiate interface configuration mode commands. This causes the interface to become a trunk, but it will not generate DTP frames.

If the ports connecting two switches are configured to ignore all DTP advertisements with the switchport mode trunk and the switchport nonegotiate commands, the ports will stay in trunk port mode. If the connecting ports are set to dynamic auto, they will not negotiate a trunk and will stay in the access mode state, creating an inactive trunk link.

When configuring a port to be in trunk mode, use the switchport mode trunk command. Then there is no ambiguity about which state the trunk is in; it is always on.
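The trunk steps above, the DTP advice in this section, and the earlier recommendation to set switchport mode access explicitly (the default dynamic auto will negotiate a trunk) are exactly the things worth checking in a saved configuration before a switch goes into service. The Python below is an added example, not part of these notes or of any Cisco tool: it parses a constructed running-config, expands Cisco VLAN list syntax such as 10,20,30,99 or 100,102,105-107, and flags trunks that still speak DTP, trunks whose native VLAN is 1 or is also an access VLAN, trunks with no allowed-VLAN restriction, access ports left in VLAN 1, and ports whose mode was never set. The sample configuration, interface names and finding texts are constructed for the example; routed ports (no switchport) and SVIs are skipped because they are not switchports.

```python
import re
from typing import Dict, List, Optional, Tuple


def parse_vlan_list(spec: str) -> List[int]:
    """Expand Cisco VLAN list syntax ('10,20,30,99', '100,102,105-107') into a sorted list."""
    vlans = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            vlans.update(range(lo, hi + 1))
        else:
            vlans.add(int(part))
    return sorted(vlans)


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Map each 'interface X' stanza of a running-config to its indented command lines."""
    interfaces: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None            # '!' or any other top-level line ends the stanza
    return interfaces


def first_match(lines: List[str], pattern: str):
    for line in lines:
        m = re.match(pattern, line)
        if m:
            return m
    return None


def audit(config: str) -> List[Tuple[str, str]]:
    """Return sorted (interface, finding) pairs for switchports that break the practices above."""
    findings = []
    ifaces = parse_interfaces(config)
    access_vlans = set()                  # the native VLAN must not be one of these
    for lines in ifaces.values():
        m = first_match(lines, r"switchport access vlan (\d+)")
        if m:
            access_vlans.add(int(m.group(1)))
    for name, lines in ifaces.items():
        if name.lower().startswith("vlan") or "no switchport" in lines:
            continue                      # SVIs and routed ports are not switchports
        m = first_match(lines, r"switchport mode (\S+)")
        mode = m.group(1) if m else None
        if mode == "trunk":
            if "switchport nonegotiate" not in lines:
                findings.append((name, "trunk still sends DTP frames; add 'switchport nonegotiate'"))
            m = first_match(lines, r"switchport trunk native vlan (\d+)")
            native = int(m.group(1)) if m else 1
            if native == 1:
                findings.append((name, "native VLAN is the default VLAN 1"))
            elif native in access_vlans:
                findings.append((name, f"native VLAN {native} is also used as an access VLAN"))
            m = first_match(lines, r"switchport trunk allowed vlan (\S+)")
            if m is None:
                findings.append((name, "trunk allows all VLANs; restrict with 'switchport trunk allowed vlan'"))
            elif 1 in parse_vlan_list(m.group(1)):
                findings.append((name, "VLAN 1 is allowed on the trunk"))
        elif mode == "access":
            if first_match(lines, r"switchport access vlan \d+") is None:
                findings.append((name, "access port left in the default VLAN 1"))
        else:
            findings.append((name, f"mode '{mode or 'dynamic auto (default)'}' negotiates trunking via DTP"))
    return sorted(findings)


# Constructed running-config excerpt (not from a real switch).
SAMPLE_CONFIG = """\
hostname S1
!
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 20
!
interface FastEthernet0/2
 switchport access vlan 20
!
interface FastEthernet0/3
 switchport mode access
!
interface GigabitEthernet0/1
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 99
 switchport trunk allowed vlan 10,20,30,99
!
interface GigabitEthernet0/2
 switchport mode trunk
!
interface GigabitEthernet0/3
 no switchport
 ip address 10.10.10.2 255.255.255.0
!
interface Vlan99
 ip address 192.168.99.2 255.255.255.0
!
"""

if __name__ == "__main__":
    for iface, finding in audit(SAMPLE_CONFIG):
        print(f"{iface}: {finding}")
```

On the sample, FastEthernet0/1 and GigabitEthernet0/1 pass; FastEthernet0/2 is flagged because its mode was never set, FastEthernet0/3 because it sits in VLAN 1, and GigabitEthernet0/2 three times (DTP still on, native VLAN 1, all VLANs allowed). The same parse_interfaces/first_match pair can be pointed at the output of show running-config saved to a file.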

Inter-VLAN Routing

VLANs are used to segment switched Layer 2 networks for a variety of reasons. Regardless of the reason, hosts in one VLAN cannot communicate with hosts in another VLAN unless there is a router or a Layer 3 switch to provide routing services.

Inter-VLAN routing is the process of forwarding network traffic from one VLAN to another.

There are three inter-VLAN routing options:

  • Legacy Inter-VLAN routing - This is a legacy solution. It does not scale well.
  • Router-on-a-Stick - This is an acceptable solution for a small to medium-sized network.
  • Layer 3 switch using switched virtual interfaces (SVIs) - This is the most scalable solution for medium to large organizations.

Legacy Inter-VLAN Routing

The first inter-VLAN routing solution relied on using a router with multiple Ethernet interfaces. Each router interface was connected to a switch port in a different VLAN. The router interfaces served as the default gateways to the local hosts on the VLAN subnet.

For a topology in which router R1 connects to switch S1 on F0/1 (VLAN 10) and F0/12 (VLAN 20), the MAC address table of S1 is populated as follows:

Port    MAC Address        VLAN
F0/1    R1 G0/0/0 MAC      10
F0/11   PC1 MAC            10
F0/12   R1 G0/0/1 MAC      20
F0/24   PC2 MAC            20

Legacy inter-VLAN routing using physical interfaces works, but it has a significant limitation. It is not reasonably scalable because routers have a limited number of physical interfaces. Requiring one physical router interface per VLAN quickly exhausts the physical interface capacity of a router.

This method of inter-VLAN routing is no longer implemented in switched networks.

Router-on-a-Stick Scenario

The ‘router-on-a-stick’ inter-VLAN routing method overcomes the limitation of the legacy inter-VLAN routing method. It only requires one physical Ethernet interface to route traffic between multiple VLANs on a network. Specifically, the router interface is configured using subinterfaces to identify routable VLANs.

The configured subinterfaces are software-based virtual interfaces. Each is associated with a single physical Ethernet interface. Each subinterface is independently configured with an IP address and VLAN assignment. This facilitates logical routing. If the exit interface is configured as an 802.1Q subinterface, the data frames are VLAN-tagged with the new VLAN and sent back out the physical interface.

The router-on-a-stick method of inter-VLAN routing cannot scale beyond 50 VLANs.

Virtual subinterfaces are defined by entering the interface configuration command interface interface-id.vlan-id and are then configured like a standard VLAN port.

Configure physical interface G0/1 as a Router-on-a-Stick:
(assume VLANs 10, 20, and 99 are already configured)

R1(config)# interface G0/1.10
R1(config-subif)# description Default Gateway for VLAN 10
R1(config-subif)# encapsulation dot1Q 10
R1(config-subif)# ip add 192.168.10.1 255.255.255.0
R1(config-subif)# exit
R1(config)#
R1(config)# interface G0/1.20
R1(config-subif)# description Default Gateway for VLAN 20
R1(config-subif)# encapsulation dot1Q 20
R1(config-subif)# ip add 192.168.20.1 255.255.255.0
R1(config-subif)# exit
R1(config)#
R1(config)# interface G0/1.99
R1(config-subif)# description Default Gateway for Native VLAN 99
R1(config-subif)# encapsulation dot1Q 99 native
R1(config-subif)# ip add 192.168.99.1 255.255.255.0
R1(config-subif)# exit
R1(config)#
R1(config)# interface G0/1
R1(config-if)# description Trunk link to S1
R1(config-if)# no shut
R1(config-if)# end
R1#

Layer 3 Switch (SVI Routing)

The modern method of performing inter-VLAN routing is to use Layer 3 switches and switched virtual interfaces (SVI). An SVI is a virtual interface that is configured on a Layer 3 switch.

A Layer 3 switch is also called a multilayer switch as it operates at both Layer 2 and Layer 3.

Although virtual, the SVI performs the same functions for the VLAN as a router interface would. Specifically, it provides Layer 3 processing for packets that are sent to or from all switch ports associated with that VLAN.

The following are advantages of using Layer 3 switches for inter-VLAN routing:

  • They are much faster than router-on-a-stick because everything is hardware switched and routed.
  • There is no need for external links from the switch to the router for routing.
  • They are not limited to one link because Layer 2 EtherChannels can be used as trunk links between the switches to increase bandwidth.
  • Latency is much lower because data does not need to leave the switch in order to be routed to a different network.
  • They are more commonly deployed in a campus LAN than routers.

The only disadvantage is that Layer 3 switches are more expensive.

Layer 3 Switch – SVI Configuration

Inter-VLAN SVIs are created the same way that the management VLAN interface is configured. The SVI is created for a VLAN that exists on the switch.

  1. Create VLANs 10 and 20.

     D1(config)# vlan 10
     D1(config-vlan)# name LAN10
     D1(config-vlan)# vlan 20
     D1(config-vlan)# name LAN20
     D1(config-vlan)# exit
     D1(config)#

  2. Configure the SVI for VLANs 10 and 20. The IP addresses that are configured will serve as the default gateways to the hosts in the respective VLANs.

     D1(config)# interface vlan 10
     D1(config-if)# description Default Gateway SVI for 192.168.10.0/24
     D1(config-if)# ip add 192.168.10.1 255.255.255.0
     D1(config-if)# no shut
     D1(config-if)# int vlan 20
     D1(config-if)# description Default Gateway SVI for 192.168.20.0/24
     D1(config-if)# ip add 192.168.20.1 255.255.255.0
     D1(config-if)# no shut
     D1(config-if)# exit
     D1(config)#

  3. Configure the access ports connecting to the hosts and assign them to their respective VLANs.

     D1(config)# interface GigabitEthernet1/0/6
     D1(config-if)# description Access port to PC1
     D1(config-if)# switchport mode access
     D1(config-if)# switchport access vlan 10
     D1(config-if)# interface GigabitEthernet1/0/18
     D1(config-if)# description Access port to PC2
     D1(config-if)# switchport mode access
     D1(config-if)# switchport access vlan 20
     D1(config-if)# exit
     D1(config)#

  4. Enable IPv4 routing with the ip routing global configuration command to allow traffic to be exchanged between VLANs 10 and 20.

     D1(config)# ip routing
     D1(config)#

Layer 3 Switch Port Routing

  1. Configure G1/0/1 to be a routed port, assign it an IPv4 address, and enable it.

     D1(config)# interface GigabitEthernet1/0/1
     D1(config-if)# description routed Port Link to R1
     D1(config-if)# no switchport
     D1(config-if)# ip address 10.10.10.2 255.255.255.0
     D1(config-if)# no shut
     D1(config-if)# exit
     D1(config)#

  2. Ensure IPv4 routing is enabled with the ip routing global configuration command.

     D1(config)# ip routing
     D1(config)#

  3. Configure the OSPF routing protocol to advertise the VLAN 10 and VLAN 20 networks, along with the network that is connected to an adjacent WAN router.

     D1(config)# router ospf 10
     D1(config-router)# network 192.168.10.0 0.0.0.255 area 0
     D1(config-router)# network 192.168.20.0 0.0.0.255 area 0
     D1(config-router)# network 10.10.10.0 0.0.0.3 area 0
     D1(config-router)# end
     D1#

OSPF configuration is beyond the scope of this guide.

Troubleshooting

Missing VLANs
  How to fix:
    • Create (or re-create) the VLAN if it does not exist.
    • Ensure the host port is assigned to the correct VLAN.
  How to verify:
    show vlan [brief]
    show interface interface-id switchport
    ping

Switch Trunk Port Issues
  How to fix:
    • Ensure trunks are configured correctly.
    • Ensure the port is a trunk port and enabled.
  How to verify:
    show interfaces trunk
    show running-config interface interface-id

Switch Access Port Issues
  How to fix:
    • Assign the correct VLAN to the access port.
    • Ensure the port is an access port and enabled.
    • Correct the host's IP configuration if it is in the wrong subnet.
  How to verify:
    show interface interface-id switchport
    show running-config

Router Configuration Issues
  How to fix:
    • Correct the router subinterface IPv4 address.
    • Assign the router subinterface to the correct VLAN ID (encapsulation dot1Q vlan-id).
  How to verify:
    show ip interface brief
    show interfaces

Private VLANs

VLANs are configured as broadcast domains. However, in some situations, it may be useful to break this rule and allow only the minimum required Layer 2 connectivity within the VLAN.

Private VLANs (PVLAN) provide Layer 2 isolation between ports within the same broadcast domain. There are three types of PVLAN ports:

  • Promiscuous - A promiscuous port can talk to everyone. It can communicate with all interfaces, including the isolated and community ports within a PVLAN.

  • Isolated - An isolated port has complete Layer 2 separation from all other ports within the same PVLAN, except for promiscuous ports.

  • Community - Community ports can talk to other community ports (within the PVLAN) and promiscuous ports (regardless of which PVLAN).

PVLANs are used mainly in service provider co-location sites. Another typical application can be found in hotels where each room would be connected on its own isolated port.

PVLAN Edge

Some applications require that no traffic be forwarded at Layer 2 between ports on the same switch, so that one neighbor cannot see the traffic generated by another neighbor.

In such an environment, the use of the PVLAN Edge feature ensures that there is no exchange of unicast, broadcast, or multicast traffic between PVLAN edge ports on the switch. The PVLAN Edge feature is also called Protected Ports.

A protected port does not forward any data traffic, such as unicast, multicast, or broadcast, to any other port that is also a protected port; only control traffic is forwarded because these packets are processed by the CPU and forwarded in software. Instead, all data traffic being passed between protected ports must be forwarded through a Layer 3 device. However, forwarding behavior between a protected port and a non-protected port proceeds as usual.

The PVLAN edge protection applies only to the ports that are local to a switch: there is no isolation provided between two protected ports located on different switches.

To configure the PVLAN Edge feature, enter the switchport protected interface configuration mode command.

The PVLAN Edge feature can be configured on a physical interface or an EtherChannel group. When the PVLAN Edge feature is enabled for a port channel, it is enabled for all ports in the port-channel group.
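The three PVLAN port types above and the protected-port (PVLAN Edge) rule reduce to a small set of Layer 2 forwarding decisions, and it helps to see them side by side, in particular that protected-port isolation holds only between ports on the same switch. The Python below is an added example written for these notes, not Cisco code: it models promiscuous, isolated and community ports within a single primary VLAN (an assumption of the model) together with the switchport protected rule, and computes which port pairs may exchange data traffic. The port and switch names are constructed.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Port:
    name: str
    switch: str                      # switch the port lives on; Edge isolation is per switch
    pvlan_type: str = "promiscuous"  # "promiscuous" | "isolated" | "community"
    community: Optional[str] = None  # community name, for community ports only
    protected: bool = False          # 'switchport protected' (PVLAN Edge)


def pvlan_allows(src: Port, dst: Port) -> bool:
    """Private VLAN rule for data traffic between two ports of the same primary VLAN."""
    if "promiscuous" in (src.pvlan_type, dst.pvlan_type):
        return True                                  # promiscuous talks to everyone
    if "isolated" in (src.pvlan_type, dst.pvlan_type):
        return False                                 # isolated talks only to promiscuous
    return src.community == dst.community            # community <-> same community only


def protected_allows(src: Port, dst: Port) -> bool:
    """PVLAN Edge rule: two protected ports on the same switch exchange no data traffic.
    Protected ports on different switches, or a protected/unprotected pair, forward as usual."""
    return not (src.protected and dst.protected and src.switch == dst.switch)


def l2_forward(src: Port, dst: Port) -> bool:
    """Whether the switch forwards data traffic from src to dst at Layer 2 (control traffic excluded)."""
    return src is not dst and pvlan_allows(src, dst) and protected_allows(src, dst)


def reachability(ports) -> Dict[Tuple[str, str], bool]:
    """Full matrix of (src, dst) -> forwarded, for a quick review of an isolation design."""
    return {(a.name, b.name): l2_forward(a, b) for a in ports for b in ports if a is not b}


# Constructed PVLAN layout: one promiscuous uplink, hotel-style isolated room ports,
# and two communities of servers, all on switch S1.
UPLINK = Port("Gi0/1", "S1", "promiscuous")
ROOM101 = Port("Fa0/1", "S1", "isolated")
ROOM102 = Port("Fa0/2", "S1", "isolated")
WEB1 = Port("Fa0/3", "S1", "community", community="web")
WEB2 = Port("Fa0/4", "S1", "community", community="web")
DB1 = Port("Fa0/5", "S1", "community", community="db")

# Constructed PVLAN Edge layout: protected ports with the default (non-PVLAN) type,
# so only the protected-port rule applies; GUEST3 is on a second switch.
GUEST1 = Port("Fa0/6", "S1", protected=True)
GUEST2 = Port("Fa0/7", "S1", protected=True)
GUEST3 = Port("Fa0/6", "S2", protected=True)

if __name__ == "__main__":
    for a, b in [(ROOM101, ROOM102), (ROOM101, UPLINK), (WEB1, WEB2), (WEB1, DB1),
                 (GUEST1, GUEST2), (GUEST1, GUEST3), (GUEST1, UPLINK)]:
        print(f"{a.switch}:{a.name} -> {b.switch}:{b.name}: {l2_forward(a, b)}")
```

The GUEST1 to GUEST3 case is the one to remember when relying on switchport protected: the feature gives no isolation across a trunk, so hosts that must not see each other at Layer 2 either share one switch or need real private VLANs.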