Virtual Local Area Network (VLAN)

VLAN can be roughly defined as a LAN configured by software, not by physical wiring. In a switched LAN, changes in the work-group/LANs mean physical changes in the network configuration. Thus, the whole idea of VLAN technology is to divide a LAN into logical, instead of physical, segments.

Each VLAN represents a unique broadcast domain:

  • Traffic between devices within the same VLAN is switched.
  • Traffic between devices in different VLANs requires a Layer-3 device to communicate. This point is explained within the next pages under the title of Inter-VLAN routing.
  • VLANs separate the devices into different broadcast domain and Layer-3 subnets.

Collision and broadcast domains:

Collision domain: A collision domain is simply defined as any physical segment where a collision can occur.

Consider the above diagram. Remember that:

  • Routers separate broadcast and collision domains.
  • Switches (Layer-2) separate collision domains because they can operate at full duplex. Therefore, each individual port on a switch belongs to its own collision domain that results into creation of more collision domains. More collision domains mean fewer collisions.
  • Hubs belong to only one collision domain because they can only operate at half-duplex. Thus, all ports on a hub belong to the same collision domain. Less collision domains mean more collision because it’s possible that multiple hosts send data via hub at the same time.
  • Switches and hubs both only belong to one broadcast domain.

Advantages of VLANs:

The main benefits of VLAN are as following:

  • Broadcast control: eliminate unnecessary broadcast traffic.
  • Security: logically separate users. Or restrict the communication between VLANs with use of access-lists.
  • Flexibility: removes the physical boundaries of a network.

VLAN Membership:

We can assign the hosts to a VLAN as the VLAN members in two ways:

  • Statically: it happens based on the switch ports. Thus. Manually assigning an individual or a group of ports to a VLAN.
  • Dynamically: it happens based on the MAC address of the host.

Creating VLANs:

By default, all interfaces belong to VLAN 1. To assign an interface to a different VLAN, that VLAN must first be created:

Switch(config)# vlan 10

Switch(config-vlan)# name CE

To remove an individual or a group of VLANs:

Switch(config)# no vlan 10 [or Switch(config)# no vlan 10–100]

To view all created VLANs:

Switch# show vlan brief

Statically assigning VLANs:

Switch(config)# interface Fa0/1 [or Switch(config)# interface range Fa0/1–10]

Switch(config-if)# switchport mode access

Switch(config-if)# switchport access vlan 10

VLAN port types:

A VLAN-enabled switch supports two types of ports:

  • Access ports: It’s part of only one VLAN.
  • Trunk ports: It’s not member of a single VLAN. It carries multiple VLAN traffic, and normally it’s used to connect switches to other switches or routers. The frames are identified by their VLAN Frame Tag which 802.1q protocols is used for this purpose. Similarly, uplink access (one port for each VLAN) is also used, but it’s not feasible in large switching environment. Note this that Tagging only occurs when a frame is sent out a Trunk port.

Configuring Trunk Links:

Prior to configuring a link as a trunk link, it’s better to select the tagging or encapsulation protocol (i.e. 802.1q). Then configure as following:

Switch(config)# interface gi0/1

Switch(config-if)# switchport trunk encapsulation dot1q

Switch(config-if)# switchport mode trunk

Both sides of the link must be configured with the same tagging protocol. Otherwise, a trunk connection will not form.

Native VLAN:

The native VLAN determines the VLAN that untagged traffic belongs to.

The original intent of native vlan was for legacy compatibility with hubs as bellow diagram. Traffic from hosts connected to the hub will be forwarded to the switches untagged.

VLAN Trunking Protocol (VTP):

VTP comes to play in large switching environment. VTP requires that all participating switches join a VTP domain.

VTP Modes:

A switch using VTP must operate in one of three modes:

  • Server: It’s responsible for creating, deleting, or modifying entries in the vlan database.
  • Client: It can’t add, edit, or delete vlans. It synchronizes its vlan database from the server with the highest revision number.
  • Transparent: It maintains its own local vlan database. It doesn’t participate in the vtp domain.

Note: configuration revision number is a number that is increased every time a change happens in a vlan database. Then it is shared with other switches. So other switches update their vlan database based on the higher revision number.

Requirements:

  • Link must be trunk
  • Same vtp domain
  • Same vtp password (if set)

Configuring VTP:

Configure every switch individually just to put them in the same domain and choose their mode. After that, encapsulate them and trunk them as well.

Switch(config)# vtp domain NAME

Switch(config)# vtp mode server/client/transparent

Switch(config)# vtp password Passw0rd

Switch(config)# vtp pruning

Switch# show vtp status

Note: VTP pruning is a mechanism that prevents broadcasting frames from a vlan to a switch whose ports are not assigned to this (sender) vlan.

Spanning Tree Protocol (STP):

STP is a protocol used in a switched network which allows you to create a loop free topology.

Every switch broadcast a BPDU ID that includes priority value and MAC address of the switch. The lowest priority value is selected as the root switch. On the other hand, root port is selected based on following characteristics:

  • Check the port cost (shortest distance to root)
  • Check the Bridge ID (priority & MAC)
  • Lowest forwarding physical port number.

Loops are created as a result of redundant links. Thus, loops must be avoided. Otherwise, loops create the following issues:

  • Broadcast storm, until crashes the system.
  • Unstable MAC/port table.
  • Duplicate frames.

Generally, STP does the following:

  • Eliminates cycles in a network.
  • Finds shortest path to root for each switch.
  • Save any redundant paths in case of a failure.
  • Runs in Data Link layer using MAC address.

Port Roles:

  • Root port: shortest path to root switch. It forwards all packets.
  • Designated port: forwards all packets. The other end of root port is designated port.
  • Blocked port: it does not send or receive any packets.

Inter-VLAN routing:

The process of inter communication between different VLANs. There are three methods:

  1. Legacy inter-VLAN (old method)
  2. Router on a stick
  3. Layer-3 switch

Legacy inter-VLAN routing (Old method):

The old method physically connects every VLAN to the router. Thus, we should put those switch ports (hosts & router) within the same VLAN. It means the port that connect the switch to the router should be a member of VLAN. Hence, the router interfaces serve as the default gateways to the local hosts on the VLAN subnets.

Then go to the router configuration and set IP to its interfaces. As far as there’s one router and all VLANs are directly connected to the router, there’s no need for routing protocol configuration.

Steps for configuration:

  • Create VLANs
  • Assign hosts to the VLANs
  • Connect every VLAN to a router.
  • Set an IP to every interfaces of the router that acts as the gateway for the local hosts in the VLANs.

First step:

Switch>

Switch>en

Switch#conf t

Switch(config)#vlan 10

Switch(config-vlan)#vlan 20

Switch(config-vlan)#exit

Switch(config)#exit

Switch#

Second step:

Switch#

Switch#conf t

Switch(config)#interface fastEthernet 0/12

Switch(config-if)#switchport mode access

Switch(config-if)#switchport access vlan 20

Switch(config-if)#exit

Switch(config)#interface fastEthernet 0/24

Switch(config-if)#switchport mode access

Switch(config-if)#switchport access vlan 20

Switch(config-if)#exit

Switch(config)#interface fastEthernet 0/1

Switch(config-if)#switchport mode access

Switch(config-if)#switchport access vlan 10

Switch(config-if)#exit

Switch(config)#interface fastEthernet 0/11

Switch(config-if)#switchport mode access

Switch(config-if)#switchport access vlan 10

Switch(config-if)#exit

Switch(config)#exit

Switch#

Third step:

Router>en

Router#conf t

Router(config)#interface gigabitEthernet 0/0/0

Router(config-if)#ip add 192.168.10.1 255.255.255.0

Router(config-if)#no shut

Router(config-if)#

Router(config)#exit

Router#

Router#conf t

Router(config)#interface gigabitEthernet 0/0/1

Router(config-if)#ip add 192.168.20.1 255.255.255.0

Router(config-if)#no shut

Router(config-if)#

Router(config-if)#exit

Router(config)#

Inter-VLAN using a Router on a stick:

In this method, we need one link/port to connect the router to all the VLANs, then make this port as a Trunk port. After that, go to the router configuration and create sub-interfaces for every VLAN. For this, go to the router interface and put a unique number for every VLAN at the end of interface name/number. E.g. interface F0/0.1 for one VLAN. Then encapsulate it: encapsulation dot1q VLAN-number. Now assign an IP to this sub-interface. Continue this process for every VLAN. Note that the interface should not be shutdown. For this, you need to use the <No shutdown> command to turn on the main interface on the router.

Steps for configuration:

  • Create VLANs
  • Assign hosts to the VLANs
  • Set the type of the switch port that is connected to the router as TRUNK
  • Go to the router configuration. Create sub-interfaces and assign an IP to every sub-interface that acts as the default gateway for the VLANs hosts.

First & second steps:

Switch>en

Switch#conf t

Switch(config)#vlan 10

Switch(config-vlan)#vlan 20

Switch(config-vlan)#exit

Switch(config)#interface fastEthernet 0/1

Switch(config-if)#switchport mode access

Switch(config-if)#switchport access vlan 20

Switch(config-if)#exit

Switch(config)#interface fastEthernet 0/2

Switch(config-if)#switchport mode access

Switch(config-if)#switchport access vlan 10

Switch(config-if)#exit

Switch(config)#exit

Switch#

Third step:

Switch#

Switch#conf t

Switch(config)#interface fastEthernet 0/3

Switch(config-if)#switchport mode trunk

Switch(config-if)#exit

Switch(config)#exit

Switch#

Forth step:

Router>en

Router#conf t

Router(config)#interface gigabitEthernet 0/0/0.1 [A sub-interface for a VLAN]

Router(config-subif)#encapsulation dot1q 10 [the last number shows the VLAN number]

Router(config-subif)#ip add 192.168.10.1 255.255.255.0

Router(config-subif)#exit

Router(config)#interface gigabitEthernet 0/0/0.2 [A sub-interface for another VLAN]

Router(config-subif)#encapsulation dot1q 20 [It’s for VLAN 20]

Router(config-subif)#ip add 192.168.20.1 255.255.255.0

Router(config-subif)#exit

Router(config)#interface gigabitEthernet 0/0/0

Router(config-if)#no shut

Router(config-if)#exit

Router(config)#exit

Router#

Inter-VLAN using Layer-3 switch:

It’s easier than the two previous options. First create VLANs, then do the membership process. Now create Switch Virtual Interface (SVI) for every VLAN as bellow:

Steps for configuration:

  • Create the VLANs
  • Configure access ports and assign the hosts to the VLANs
  • Create the SVI VLAN interfaces
  • Enable IP routing in the switch

First step: Creating the VLANs

Switch>

Switch>en

Switch#conf t

Switch(config)# vlan 10

Switch(config-vlan)# name CE

Switch(config-vlan)# vlan 20

Switch(config-vlan)# name NE

Switch(config-vlan)# exit

Switch(config)#

Switch#

Second step: Configure access port and assign the hosts to the VLANs

Switch>

Switch>en

Switch#conf t

Switch(config)#interface fastEthernet 0/1

Switch(config-if)#switchport mode access

Switch(config-if)#switchport access vlan 10

Switch(config-if)#exit

Switch(config)#

Switch(config)#interface fastEthernet 0/2

Switch(config-if)#switchport mode access

Switch(config-if)#switchport access vlan 20

Switch(config-if)#exit

Switch(config)#

Third step: Create the SVI VLAN interfaces

Switch>

Switch>en

Switch#conf t

Switch(config)# interface vlan 10

Switch(config-if)# ip address 192.168.10.1 255.255.255.0

Switch(config-if)# no shut

Switch(config-if)# exit

Switch#

Switch(config)# interface vlan 20

Switch(config-if)# ip address 192.168.20.1 255.255.255.0

Switch(config-if)# no shut

Switch(config-if)# exit

Switch(config)#

Fourth step: Enable IP routing

Switch(config)# ip routing

Switch(config)#

Note: The above note is my daily note from different classes.

Data Analyst, Programmer, Network Engineer, Play Football & Bowling

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store