Understanding VLANs in Computer Networking
VLANs (Virtual Local Area Networks) allow for the logical separation of LANs without physical segregation. They group network stations based on administrative criteria rather than physical location. VLANs enhance security, facilitate group collaboration, and optimize network traffic by segregating devices into separate broadcast domains (normally also separate IP networks), so that traffic between VLANs has to pass through a Layer 3 device where it can be filtered. Switches define VLANs mainly in terms of port membership; when a VLAN spans several switches, the frames are carried over trunk links with an IEEE 802.1Q tag that identifies the VLAN. Access ports carry untagged frames for a single VLAN, while trunk ports carry tagged frames for several VLANs at once. Implementing VLANs can streamline network management and enhance overall efficiency.
Presentation Transcript
GC 2017-2018 (1/22)

VLANs: Virtual Local Area Networks
- VLANs meet the need to have separated LANs; however, the LANs are not physically separated.
- A virtual LAN (VLAN) is an emulation of a standard LAN.
- A VLAN is a set of LAN stations that belong to an administrative group; group membership is based on configuration parameters rather than on the physical location of a station.
- A VLAN is essentially a broadcast domain.
[Figure: two physically separated networks, compared with two virtual LANs implemented in a single switch]
VLANs: Virtual Local Area Networks (cont.)
- A VLAN can span multiple switches (figure: two VLANs spanning two switches, joined by a trunk).
- Switches normally define VLANs in terms of which ports are in each VLAN (port-based VLANs).
- When sending a frame to another switch, the switches need a way to identify the VLAN to which the frame belongs: a VLAN tag containing a VLAN identifier (VLAN ID) is added to the frame header.
- The link between the two switches is called a trunk.
VLANs: Virtual Local Area Networks (cont.)
- Typically, the stations in a VLAN are also in the same IP network; stations in different VLANs are in different IP networks.
- L2 switches forward frames between stations in the same VLAN; they cannot forward frames between different VLANs.
- Members of different VLANs must communicate with each other at Layer 3 (a router or an L3 switch has to be used). This is also where the security benefit comes from: inter-VLAN traffic is forced through a Layer 3 hop where it can be filtered, whereas a VLAN by itself is only a broadcast-domain boundary, not an access-control mechanism.

Motivations for using VLANs
- To group users by the groups they work in, instead of by physical location.
- To enforce better security: to keep separately administered groups apart (conflicts of jurisdiction), and to keep sensitive devices on separate VLANs.
- To separate specialized traffic from mainstream traffic, for example putting IP telephones on a separate VLAN from the one connecting user PCs.
- To reduce overhead by limiting the size of each broadcast domain.
Port configuration
Access port
- It transmits and receives untagged frames.
- It can have only one VLAN configured on the interface.
- It can carry traffic for only one VLAN.
Trunk port
- It transmits and receives tagged frames.
- A trunk port can have several VLANs configured on the interface.
- It can carry traffic for several VLANs simultaneously.
[Figure: switches A, B, C and D interconnected by trunk links (tagged), with access links (untagged) to the end stations]
Passing VLAN traffic: trunks versus single links
[Figure only]
VLAN configuration
Before any VLAN is created, every port of the switch is in the default VLAN 1:

  SW-Prova#show vlan brief

  VLAN Name                 Status    Ports
  ---- -------------------- --------- -------------------------------
  1    default              active    Fa0/1, Fa0/2, Fa0/3, Fa0/4, Fa0/5, Fa0/6, Fa0/7, Fa0/8, Fa0/9,
                                      Fa0/10, Fa0/11, Fa0/12, Fa0/13, Fa0/14, Fa0/15, Fa0/16, Fa0/17,
                                      Fa0/18, Fa0/19, Fa0/20, Fa0/21, Fa0/22, Fa0/23, Fa0/24, Fa0/25,
                                      Fa0/26, Fa0/27, Fa0/28, Fa0/29, Fa0/30, Fa0/31, Fa0/32, Fa0/33,
                                      Fa0/34, Fa0/35, Fa0/36, Fa0/37, Fa0/38, Fa0/39, Fa0/40, Fa0/41,
                                      Fa0/42, Fa0/43, Fa0/44, Fa0/45, Fa0/46, Fa0/47, Fa0/48, Gi0/1,
                                      Gi0/2
VLAN configuration (cont.)
The VLANs are created in the legacy "vlan database" mode (on current IOS releases the same is done in global configuration mode with "vlan <id>" followed by "name <name>"). The VLAN names are the slide's own: Amministrazione (administration), Vendite (sales), Produzione (production), prova-n (test n).

  SW-Prova#vlan database
  SW-Prova(vlan)#vlan 2 name Amministrazione
  VLAN 2 added:
      Name: Amministrazione
  SW-Prova(vlan)#vlan 3 name Vendite
  VLAN 3 added:
      Name: Vendite
  SW-Prova(vlan)#vlan 4 name prova-1
  VLAN 4 added:
      Name: prova-1
  SW-Prova(vlan)#vlan 5 name prova-2
  VLAN 5 added:
      Name: prova-2
  SW-Prova(vlan)#vlan 6 name prova-3
  VLAN 6 added:
      Name: prova-3
  SW-Prova(vlan)#vlan 100 name Produzione
  VLAN 100 added:
      Name: Produzione
  SW-Prova(vlan)#exit
  APPLY completed.
  Exiting....
  SW-Prova#
Association of ports to VLANs
Each access port is placed statically in one VLAN. The dots stand for the further ports configured in the same way (three more per VLAN, as the "show vlan brief" output on the next slide confirms):

  SW-Prova(config)#int fastEthernet 0/12
  SW-Prova(config-if)#switchport access vlan 100
  SW-Prova(config-if)#exit
  ...
  SW-Prova(config)#int fastEthernet 0/16
  SW-Prova(config-if)#switchport access vlan 2
  SW-Prova(config-if)#exit
  ...
  SW-Prova(config)#int fastEthernet 0/20
  SW-Prova(config-if)#switchport access vlan 3
  SW-Prova(config-if)#exit
  ...
  SW-Prova(config)#int fastEthernet 0/24
  SW-Prova(config-if)#switchport access vlan 4
  SW-Prova(config-if)#exit
  ...
  SW-Prova(config)#int fastEthernet 0/28
  SW-Prova(config-if)#switchport access vlan 5
  SW-Prova(config-if)#exit
  ...
  SW-Prova(config)#int fastEthernet 0/32
  SW-Prova(config-if)#switchport access vlan 6
  SW-Prova(config-if)#exit
  ...

On Catalyst switches "switchport mode access" should be added on each of these interfaces: "switchport access vlan" alone does not fix the port mode, and a port left in dynamic mode can be negotiated into a trunk by DTP, which would give the attached station access to every VLAN allowed on the resulting trunk.
Association of ports to VLANs (cont.)

  SW-Prova#show vlan brief

  VLAN Name                 Status    Ports
  ---- -------------------- --------- -------------------------------
  1    default              active    Fa0/1, Fa0/2, Fa0/3, Fa0/4, Fa0/5, Fa0/6, Fa0/7, Fa0/8, Fa0/9,
                                      Fa0/10, Fa0/11, Fa0/36, Fa0/37, Fa0/38, Fa0/39, Fa0/40, Fa0/41,
                                      Fa0/42, Fa0/43, Fa0/44, Fa0/45, Fa0/46, Fa0/47, Fa0/48, Gi0/1,
                                      Gi0/2
  2    Amministrazione      active    Fa0/16, Fa0/17, Fa0/18, Fa0/19
  3    Vendite              active    Fa0/20, Fa0/21, Fa0/22, Fa0/23
  4    prova-1              active    Fa0/24, Fa0/25, Fa0/26, Fa0/27
  5    prova-2              active    Fa0/28, Fa0/29, Fa0/30, Fa0/31
  6    prova-3              active    Fa0/32, Fa0/33, Fa0/34, Fa0/35
  100  Produzione           active    Fa0/12, Fa0/13, Fa0/14, Fa0/15
Definition of trunk ports
[Figure: SW-A -- GigabitEthernet 0/1 -- SW-Prova -- GigabitEthernet 0/2 -- SW-B; both inter-switch links are trunks (tagged), the end stations hang off access ports (untagged) in VLANs 1 to 6 and 100]

  SW-Prova(config)#interface GigabitEthernet 0/1
  SW-Prova(config-if)#switchport mode trunk
  SW-Prova(config-if)#switchport trunk allowed vlan add 1,2,5,6
  SW-Prova(config-if)#exit
  SW-Prova(config)#interface GigabitEthernet 0/2
  SW-Prova(config-if)#switchport mode trunk
  SW-Prova(config-if)#switchport trunk allowed vlan all

Two practical checks on this configuration. First, the allowed list of a new trunk is already "all", and the "add" keyword only appends to the current list, so on Gi0/1 it changes nothing; to restrict the trunk to VLANs 1, 2, 5 and 6 the list has to be set with "switchport trunk allowed vlan 1,2,5,6" (without "add"). Second, "switchport nonegotiate" should accompany "switchport mode trunk" so that the trunk is static rather than DTP-negotiated. Pruning the allowed list is the main control over which VLANs can cross a given link.
IEEE 802.1Q-2005: port association
Port-based VLANs
- Low flexibility: a station's VLAN is determined by the port it is plugged into, so moving a station means reconfiguring the port.
- Network managers keep control of the users: a user cannot change VLAN without an administrator changing the port configuration.
[Figure: SW-A, SW-Prova and SW-B connected by trunks (tagged); the access ports (untagged) of the three switches are assigned to VLANs 1 to 6 and 100]
IEEE 802.1Q: tag format
Tag format for Ethernet V2.0 and IEEE 802.3 frames (sizes in bytes):

  Destination Address                6
  Source Address                     6
  802.1Q tag                         4
    TPID (Tag Protocol Identifier)     2   value 0x8100
    TCI (Tag Control Information)      2   PCP (3 bits), DEI (1 bit), VID (12 bits)
  Length/Type                        2
  Payload                            42-1500 (a PAD up to the minimum length is used only in IEEE 802.3 frames)
  FCS                                4

The tag is inserted between the Source Address and the Length/Type field; a receiver that finds 0x8100 where it expects Length/Type knows that a TCI follows. Because the tag adds 4 bytes, the minimum payload of a tagged frame is 42 bytes instead of 46, so that the frame stays at the 64-byte minimum.
IEEE 802.1Q: tag format (cont.)
Tag Control Information (TCI)
- Priority Code Point (PCP): a 3-bit field that carries the IEEE 802.1p priority. It indicates the frame priority level, from 0 (best effort) to 7 (highest); the values can be used to prioritize different classes of traffic (voice, video, data, etc.).
- Drop Eligible Indicator (DEI): a 1-bit field. It may be used separately or in conjunction with PCP to mark frames eligible to be dropped in the presence of congestion.
- VLAN Identifier (VID): a 12-bit field specifying the VLAN to which the frame belongs. The value 0x000 indicates that the frame does not belong to any VLAN; in this case the 802.1Q tag carries only a priority and is called a priority tag. The value 0xFFF is reserved, so VLAN IDs 1 to 4094 are usable.
- On switches, VLAN 1 is the default VLAN: every port starts in it and it is the default native VLAN of trunks, so it often ends up carrying management traffic. For that reason a dedicated, separately numbered management VLAN is preferable to leaving management on VLAN 1.
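The tag layout described above, as an added example that is not part of the slides: a small Python encoder/decoder for 802.1Q tags, run over a constructed IPv4 frame. It inserts a tag after the source address, walks stacked tags (the 802.1ad/QinQ case, where the outer service tag uses TPID 0x88A8) and classifies a frame the way an ingress port would, mapping untagged and priority-tagged (VID 0) frames to the port's default VID. The frame bytes, the MAC addresses and the PVID value are constructed for the example.

```python
import struct

TPID_8021Q = 0x8100        # customer VLAN tag (C-tag)
TPID_8021AD = 0x88A8       # service VLAN tag (S-tag), outer tag of a stacked (QinQ) frame
TAG_TPIDS = (TPID_8021Q, TPID_8021AD)
VID_PRIORITY_ONLY = 0x000  # priority tag: the frame belongs to no VLAN
VID_RESERVED = 0xFFF       # reserved, never assigned to a VLAN


def build_tci(pcp: int, dei: int, vid: int) -> int:
    """Pack PCP (3 bits), DEI (1 bit) and VID (12 bits) into the 16-bit TCI."""
    if not 0 <= pcp <= 7 or dei not in (0, 1) or not 0 <= vid < VID_RESERVED:
        raise ValueError("PCP, DEI or VID out of range")
    return (pcp << 13) | (dei << 12) | vid


def tag_frame(frame: bytes, vid: int, pcp: int = 0, dei: int = 0,
              tpid: int = TPID_8021Q) -> bytes:
    """Insert a 4-byte tag between the source address and the Length/Type field.
    Tagging an already tagged frame stacks a new outer tag (the QinQ case)."""
    if len(frame) < 14:
        raise ValueError("too short to be an Ethernet frame")
    return frame[:12] + struct.pack("!HH", tpid, build_tci(pcp, dei, vid)) + frame[12:]


def parse_frame(frame: bytes) -> dict:
    """Return addresses, the list of tags (outermost first) and the Length/Type
    that follows them. The FCS is assumed to have been stripped by the NIC."""
    if len(frame) < 14:
        raise ValueError("too short to be an Ethernet frame")
    dst = ":".join(f"{b:02x}" for b in frame[0:6])
    src = ":".join(f"{b:02x}" for b in frame[6:12])
    offset, tags = 12, []
    while True:
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        if ethertype not in TAG_TPIDS:
            break                      # reached the real Length/Type field
        if offset + 6 > len(frame):    # need TCI plus the next Length/Type
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        tags.append({"tpid": ethertype, "pcp": tci >> 13,
                     "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF})
        offset += 4
    return {"dst": dst, "src": src, "tags": tags,
            "ethertype": ethertype, "payload": frame[offset + 2:]}


def ingress_vid(parsed: dict, pvid: int) -> int:
    """VLAN a receiving bridge classifies the frame into: the outer tag's VID,
    or the port's default VID (PVID) for untagged and priority-tagged frames."""
    if parsed["tags"] and parsed["tags"][0]["vid"] != VID_PRIORITY_ONLY:
        return parsed["tags"][0]["vid"]
    return pvid


# Constructed sample: an untagged IPv4 frame (EtherType 0x0800) with a 46-byte dummy payload.
UNTAGGED = (bytes.fromhex("08002b201056")      # destination (constructed)
            + bytes.fromhex("08002b1650a0")    # source (constructed)
            + b"\x08\x00" + bytes(46))

if __name__ == "__main__":
    tagged = tag_frame(UNTAGGED, vid=100, pcp=5)
    print(parse_frame(tagged)["tags"])
    stacked = tag_frame(tag_frame(UNTAGGED, vid=100), vid=1, tpid=TPID_8021AD)
    print([t["vid"] for t in parse_frame(stacked)["tags"]], ingress_vid(parse_frame(stacked), pvid=1))
```

Note that only the outermost tag decides the VLAN on ingress; the inner tag of a stacked frame travels as payload until a later hop removes the outer one.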
IEEE 802.1v
Port-based VLANs
- Static VLAN assignments are created by placing each switch port in a particular VLAN.
- As a device accesses the network, the device automatically becomes a member of the VLAN in which the access port has been placed.
IEEE 802.1v defines protocol-based VLANs
- If a frame received from a given port encapsulates a PDU generated by a protocol for which a VLAN has been specified, then the frame is considered part of that VLAN.
- Otherwise, the frame is considered part of the VLAN associated with that port.
IEEE 802.1Q: IVL switches
- IVL (Independent VLAN Learning) bridge: a Filtering Database, identified by a FID (Filtering Identifier), is created for each VLAN, so MAC addresses are learned per VLAN.
- A station can therefore belong to more than one VLAN: the same MAC address may appear in several FIDs, each entry bound to its own port.
[Figure: IVL switch with ports 4 to 9 assigned to VLANs 2, 4 and 6; three filtering databases, FID #1 for VLAN 2, FID #2 for VLAN 4 and FID #3 for VLAN 6, each listing port, MAC address and ageing time. The addresses 08-00-2b-16-50-a0, 08-00-2b-20-10-56 and 08-00-2b-c4-e6-aa each appear in two FIDs.]
IVL switch and VLAN-aware servers
[Figure: an 802.1Q-aware server on port 3, a trunk carrying VLAN 10 and VLAN 15; Client A on port 1 (VLAN 10) and Client B on port 2 (VLAN 15)]
The server reaches both clients over a single trunk port, while the clients stay in separate VLANs:

  Switch(config)#int fastEthernet 0/3
  Switch(config-if)#switchport mode trunk
  Switch(config-if)#switchport trunk allowed vlan add 10,15
  Switch(config-if)#end
IEEE 802.1Q: the native VLAN
- 802.1Q defines one VLAN on each trunk as the native VLAN (VLAN 1, by default).
- Frames in the native VLAN are not tagged when sent over a trunk.
- When the switch on the other side of the trunk receives a frame and notices the lack of an 802.1Q tag, it knows that the frame is part of the native VLAN.
- The native VLAN plays an important role in some practical situations, such as the one in the figure: an 802.1Q-aware IP phone with a built-in L2 switch is connected to an L2 access switch by a link that carries VLAN X (tagged) and VLAN 1 (untagged). The IP phone can be put in a given VLAN X, while the 802.1Q-unaware PC behind the phone is placed in the native VLAN.
Two caveats follow from "untagged means native". The native VLAN must be the same at both ends of a trunk, otherwise frames silently change VLAN on that link. And a station sitting in the native VLAN that sends 802.1Q-tagged frames can have them forwarded untagged across the first trunk (native VLAN, so no outer tag) and then classified by the next switch according to the tag it put inside (double tagging); the native VLAN of a trunk should therefore be an otherwise unused VLAN rather than VLAN 1 or a user VLAN, and where the platform supports it the native VLAN should be tagged as well.
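Bringing together the access/trunk port behaviour (slide 4), the per-VLAN filtering databases of an IVL switch (slides 15 and 16) and the native VLAN rule above, here is an added example, not taken from the slides, of a VLAN-aware learning switch modelled in Python. Frames are abstract (source, destination, optional tag) rather than bytes. The port layout follows slide 16 (two clients on access ports in VLANs 10 and 15, a VLAN-aware server on a trunk), with a fourth access port in the native VLAN added to show where untagged trunk traffic ends up. Port names, MAC addresses and the rule that access ports accept only untagged or priority-tagged frames are assumptions of the model.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class Port:
    name: str
    mode: str                               # "access" or "trunk"
    vlan: int                               # access VLAN, or the trunk's native VLAN
    allowed: FrozenSet[int] = frozenset()   # VLANs permitted on a trunk

    def member(self, vid: int) -> bool:
        return vid == self.vlan if self.mode == "access" else vid in self.allowed

    def ingress_vid(self, tag: Optional[int]) -> Optional[int]:
        """Classify a received frame; None means the frame is discarded."""
        if self.mode == "access":
            # Modelling choice: access ports admit untagged and priority-tagged frames only.
            return self.vlan if tag in (None, 0) else None
        vid = self.vlan if tag in (None, 0) else tag   # untagged on a trunk = native VLAN
        return vid if vid in self.allowed else None

    def egress_tag(self, vid: int) -> Optional[int]:
        """Tag put on a frame of `vid` leaving this port; None means send it untagged."""
        if self.mode == "access" or vid == self.vlan:
            return None            # access port, or native VLAN of a trunk
        return vid


class IvlSwitch:
    """Learning bridge with Independent VLAN Learning: the filtering database is
    keyed by (VID, MAC), i.e. there is one FID per VLAN."""

    def __init__(self, *ports: Port):
        self.ports = {p.name: p for p in ports}
        self.fdb: Dict[Tuple[int, str], str] = {}

    def receive(self, in_port: str, src: str, dst: str,
                tag: Optional[int] = None) -> Dict[str, Optional[int]]:
        """Process one frame; return {output port: tag or None} for what is sent."""
        port = self.ports[in_port]
        vid = port.ingress_vid(tag)
        if vid is None:
            return {}                                   # VLAN not admitted on this port
        self.fdb[(vid, src)] = in_port                  # learn in this VLAN's FID only
        known = self.fdb.get((vid, dst)) if dst != BROADCAST else None
        if known is not None:
            targets = [] if known == in_port else [known]
        else:
            targets = [n for n in self.ports if n != in_port]   # flood, but only within the VLAN
        return {n: self.ports[n].egress_tag(vid)
                for n in targets if self.ports[n].member(vid)}


# Constructed addresses for the example (documentation range 00:00:5e:00:53:xx).
MAC_A, MAC_B = "00:00:5e:00:53:0a", "00:00:5e:00:53:0b"
MAC_SRV, MAC_PC = "00:00:5e:00:53:53", "00:00:5e:00:53:50"


def build_switch() -> IvlSwitch:
    return IvlSwitch(
        Port("Fa0/1", "access", vlan=10),                                 # Client A
        Port("Fa0/2", "access", vlan=15),                                 # Client B
        Port("Fa0/3", "trunk", vlan=1, allowed=frozenset({1, 10, 15})),   # 802.1Q-aware server
        Port("Fa0/4", "access", vlan=1),                                  # host in the native VLAN
    )


def demo():
    """Replay a short exchange and return the switch plus what it emitted for each frame."""
    sw = build_switch()
    out = [
        sw.receive("Fa0/1", MAC_A, BROADCAST),          # flooded in VLAN 10: trunk only, tagged 10
        sw.receive("Fa0/3", MAC_SRV, MAC_A, tag=10),    # known in FID 10 -> Fa0/1, untagged
        sw.receive("Fa0/3", MAC_SRV, MAC_B, tag=15),    # unknown in FID 15 -> flood to Fa0/2 only
        sw.receive("Fa0/2", MAC_B, MAC_SRV),            # known in FID 15 -> Fa0/3, tagged 15
        sw.receive("Fa0/3", MAC_SRV, MAC_PC),           # untagged on the trunk = native VLAN 1 -> Fa0/4
        sw.receive("Fa0/3", MAC_SRV, MAC_A, tag=15),    # A is known only in FID 10: flooded within 15
    ]
    return sw, out


if __name__ == "__main__":
    switch, results = demo()
    for r in results:
        print(r)
    print(sorted(switch.fdb.items()))
```

The last frame is the point of IVL: the server's frame for Client A tagged 15 never reaches Client A's port even though the switch already knows that MAC, because the entry lives in the VLAN 10 database only. The server's own MAC ends up in three FIDs (VLANs 1, 10 and 15), which is what "a station can belong to more than one VLAN" means in practice.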
Configuration of trunk ports
IEEE 802.1Q allows for the following methods of configuring VLAN membership:
- Static configuration of VLAN membership information via management facilities (Static VLAN Registration Entries).
- Dynamic configuration and distribution of VLAN membership information by means of the Multiple VLAN Registration Protocol (MVRP).
- Combined static and dynamic configuration: the static mechanisms configure some VLAN membership information; for the other VIDs, MVRP is relied upon to register and propagate the membership information.
VLANs and the standard STP (IEEE 802.1D)
In a network where STP runs and VLANs are configured:
- BPDUs are transmitted untagged.
- The spanning tree is independent of the VLANs (here a single instance of STP is assumed), so the same ports are blocked for every VLAN.
- Links connecting VLAN-aware switches that are part of a mesh must be trunks.
[Figure: two VLAN-aware switches joined by a trunk link (all VLANs) and by an access link in VLAN 15; STP has put the trunk in blocking state]
Problem: with the trunk blocked, only the frames of VLAN 15 can be forwarded between the two switches over the access link; the other VLANs have no active path.
Multiple spanning trees
- Every switch runs several STP instances.
- On a switch, a different set of parameters (bridge priority, port cost, port priority) is configured for each STP instance.
- This gives a more uniform use of resources (load balancing at layer 2): different instances can block different links.
- The Multiple Spanning Tree (MST) protocol was defined in IEEE 802.1s (now part of IEEE 802.1Q).
- Per VLAN Spanning Tree (PVST) and Per VLAN Spanning Tree Plus (PVST+) are Cisco proprietary protocols.
[Figure: three switches SW-1, SW-2 and SW-3 sharing a LAN segment; tree 1 carries VLANs 1, 3, 8, 10 and tree 2 carries VLANs 2, 4, 5, 6]

Bridge IDs (instance, priority, MAC address) used in the figure:

  MAC address     Tree 1                Tree 2
  08002b201056    1,7000,08002b201056   2,7000,08002b201056
  08002b102062    1,8000,08002b102062   2,6000,08002b102062   (root for tree 2)
  08002bc4e6aa    1,6000,08002bc4e6aa   2,8000,08002bc4e6aa   (root for tree 1)

The switch with the lowest bridge ID becomes root, so giving each switch a different priority per instance produces a different root, and a different set of blocked ports, per tree.
How to accommodate the VLAN information
- The System ID Extension field was introduced by borrowing 12 bits from the original 16-bit Bridge Priority.
- The Bridge Priority keeps the upper 4 bits: a value from 0 to 61440 in increments of 4096.
- The System ID Extension is the lower 12 bits (values 0 to 4095); in PVST+ it carries the ID of the VLAN whose STP instance the BPDU belongs to (in MST, the instance number).
Wireshark packet capture of a BPDU
[Figure: Wireshark decode of a BPDU, showing the Root Identifier and the Bridge Identifier each split into Bridge Priority, System ID Extension and MAC address]
The Bridge Priority, the System ID Extension and the MAC address together make up the 8-byte Bridge ID used to elect the Root Bridge.
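As an added example (not from the slides), the following Python splits the 8-byte Bridge ID of a BPDU into priority, System ID Extension and MAC address the way Wireshark displays it, and elects a root per VLAN from the bridge IDs of the multiple-spanning-tree slide (priorities 0x7000, 0x8000 and 0x6000 for tree 1; 0x7000, 0x6000 and 0x8000 for tree 2). VLAN IDs 1 and 2 are assumed as the extension values of tree 1 and tree 2, as PVST+ would carry them.

```python
import struct
from typing import Dict, Iterable, Tuple


def parse_bridge_id(raw: bytes) -> Tuple[int, int, str]:
    """Split an 8-byte Bridge Identifier as carried in a BPDU into
    (bridge priority, system ID extension, MAC address)."""
    if len(raw) != 8:
        raise ValueError("a Bridge ID is 8 bytes")
    (word,) = struct.unpack("!H", raw[:2])
    priority = word & 0xF000       # upper 4 bits: 0, 4096, ..., 61440
    sys_id_ext = word & 0x0FFF     # lower 12 bits: the VLAN ID in PVST+
    mac = ":".join(f"{b:02x}" for b in raw[2:])
    return priority, sys_id_ext, mac


def build_bridge_id(priority: int, vlan: int, mac: str) -> bytes:
    """Inverse of parse_bridge_id; accepts MACs written with ':' or '-'."""
    if priority % 4096 or not 0 <= priority <= 61440:
        raise ValueError("priority must be a multiple of 4096 up to 61440")
    if not 0 <= vlan <= 4095:
        raise ValueError("system ID extension is a 12-bit field")
    mac_bytes = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(mac_bytes) != 6:
        raise ValueError("MAC address must be 6 bytes")
    return struct.pack("!H", priority | vlan) + mac_bytes


def elect_roots(bridge_ids: Iterable[bytes]) -> Dict[int, str]:
    """Root bridge per VLAN (system ID extension): the numerically lowest Bridge ID
    wins, so priority decides first and the MAC address breaks ties. Comparing the
    raw 8 bytes big-endian is exactly that comparison."""
    best: Dict[int, bytes] = {}
    for raw in bridge_ids:
        _, vlan, _ = parse_bridge_id(raw)
        if vlan not in best or raw < best[vlan]:
            best[vlan] = raw
    return {vlan: parse_bridge_id(raw)[2] for vlan, raw in best.items()}


# Constructed from the slide's figure: the same three switches advertise different
# priorities in tree 1 (taken here as VLAN 1) and tree 2 (taken here as VLAN 2).
SLIDE_BRIDGE_IDS = [
    build_bridge_id(0x7000, 1, "08:00:2b:20:10:56"),
    build_bridge_id(0x8000, 1, "08:00:2b:10:20:62"),
    build_bridge_id(0x6000, 1, "08:00:2b:c4:e6:aa"),
    build_bridge_id(0x7000, 2, "08:00:2b:20:10:56"),
    build_bridge_id(0x6000, 2, "08:00:2b:10:20:62"),
    build_bridge_id(0x8000, 2, "08:00:2b:c4:e6:aa"),
]

if __name__ == "__main__":
    # What Wireshark shows for a default-priority bridge in VLAN 1: 32768 / 1 / MAC.
    print(parse_bridge_id(bytes.fromhex("800108002b102062")))
    print(elect_roots(SLIDE_BRIDGE_IDS))
```

The election result is the one drawn on the slide: 08:00:2b:c4:e6:aa is root for tree 1 and 08:00:2b:10:20:62 for tree 2. A practical consequence for monitoring: a BPDU whose priority field is lower than the one you configured on your intended root, in the VLAN you care about, is an attempt (deliberate or not) to take over the root role.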