<?xml version="1.0" encoding="utf-8"?>
<!-- generator="" -->
<feed xmlns="http://www.w3.org/2005/Atom" xml:lang="en-gb">
	<title type="text">VLAN Networks</title>
	<subtitle type="text">Leading Network Security &amp; Cyber Security site. Cisco Routing/Switching, VPN, Microsoft, SASE, SSE, F5, PaloAlto Firewalls, Protocol Analysis, Tips &amp; more.</subtitle>
	<link rel="alternate" type="text/html" href="https://www.firewall.cx"/>
	<id>https://www.firewall.cx/networking/vlan-networks.feed</id>
	<updated>2026-04-11T12:40:27+10:00</updated>
	<author>
		<name>Firewall.cx Website</name>
	</author>
	<generator uri="https://www.joomla.org"></generator>
	<link rel="self" type="application/atom+xml" href="https://www.firewall.cx/networking/vlan-networks.feed?type=atom"/>
	<entry>
		<title>VLAN Security - Making the Most of VLANs</title>
		<link rel="alternate" type="text/html" href="https://www.firewall.cx/networking/vlan-networks/vlan-security.html"/>
		<published>2011-06-08T08:22:12+10:00</published>
		<updated>2011-06-08T08:22:12+10:00</updated>
		<id>https://www.firewall.cx/networking/vlan-networks/vlan-security.html</id>
		<author>
			<name>Administrator</name>
		</author>
		<content type="html">&lt;p style=&quot;text-align: justify;&quot;&gt;&lt;img src=&quot;https://www.firewall.cx/images/stories/vlan-security-intro.webp&quot; alt=&quot;Securing VLAN Networks&quot; style=&quot;margin: 7px; float: left;&quot; title=&quot;Securing VLAN Networks&quot; /&gt;It's easy to see why &lt;a href=&quot;https://www.firewall.cx/networking/vlan-networks/vlan-concept.html&quot; target=&quot;_blank&quot; title=&quot;VLAN Networks&quot;&gt;virtual LANs&lt;/a&gt; have become extremely popular on networks of all sizes. In practical terms, multiple VLANs are pretty much the same as having multiple separate physical networks within a single organization — without the headache of managing multiple cable plants and switches.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;Because &lt;strong&gt;VLANs segment a network&lt;/strong&gt;, creating &lt;strong&gt;multiple broadcast domains&lt;/strong&gt;, they effectively allow traffic from the &lt;strong&gt;broadcast domains&lt;/strong&gt; to remain isolated while increasing the network's &lt;strong&gt;bandwidth&lt;/strong&gt;, &lt;strong&gt;availability&lt;/strong&gt; and &lt;strong&gt;security&lt;/strong&gt;.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;Most managed switches are VLAN-capable, but this doesn't mean that they all perform the job equally well. The market has been flooded by thousands of switches that seem to do the job, but special consideration must be taken before making a purchase.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;A switch in a VLAN-enabled network needs to do a lot more than just switch packets between its ports.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;&lt;strong&gt;Core backbone switches&lt;/strong&gt; undertake the hefty task of managing the network's VLANs to ensure everything runs smoothly. The tasks of these switches include &lt;strong&gt;prioritizing network packets&lt;/strong&gt; based on their &lt;strong&gt;source&lt;/strong&gt; and &lt;strong&gt;destination&lt;/strong&gt; (essentially Quality of Service), ensuring all edge switches are aware of the VLANs configured in the network, continuously monitoring for possible network loops on every VLAN, switching packets between VLANs as required and ensuring network security according to their configuration.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;&lt;strong&gt;Edge switches&lt;/strong&gt;, also known as &lt;strong&gt;access switches&lt;/strong&gt;, are dedicated to the end devices: &lt;strong&gt;user workstations&lt;/strong&gt;, network peripherals and sometimes servers (most IT administrators rightly prefer to connect servers directly to the core backbone switches). The &lt;strong&gt;edge switches&lt;/strong&gt; must be compatible with the VLAN features that the &lt;strong&gt;core backbone switches&lt;/strong&gt; support, otherwise unavoidable problems will arise because of incompatibilities among the switch devices.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;This is one reason many organizations standardize when it comes to network equipment from companies that include Cisco Systems, HP and Juniper Networks.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;When deploying VLANs, here are &lt;strong&gt;five key considerations&lt;/strong&gt; to address:&lt;/p&gt;
&lt;h2 style=&quot;text-align: justify;&quot;&gt;1. Links on VLAN Switches&lt;/h2&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;VLAN switches have two main types of links: &lt;strong&gt;access links&lt;/strong&gt; and &lt;strong&gt;trunk links&lt;/strong&gt;.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;&lt;a href=&quot;https://www.firewall.cx/networking/vlan-networks/vlan-access-trunk-links.html&quot; target=&quot;_blank&quot; title=&quot;Access Links&quot;&gt;&lt;strong&gt;Access Links&lt;/strong&gt;&lt;/a&gt; are the most common type of links on any VLAN capable switch. All network hosts connect to the switch's Access Links to gain access to the local network. These links are the ordinary ports found on every switch, but configured to access a particular VLAN.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;&lt;a href=&quot;https://www.firewall.cx/networking/vlan-networks/vlan-access-trunk-links.html&quot; target=&quot;_blank&quot; title=&quot;Trunk Links&quot;&gt;&lt;strong&gt;Trunk Links&lt;/strong&gt;&lt;/a&gt; are the links that connect two VLAN capable switches together. While an Access Link is configured to access a specific VLAN, a Trunk Link is almost always configured to carry data from all available VLANs.&lt;/p&gt;
&lt;h2&gt;2. Native VLAN, ISL and 802.1q&lt;/h2&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;When a port on a switch is configured as an &lt;a href=&quot;https://www.firewall.cx/networking/vlan-networks/vlan-access-trunk-links.html&quot; target=&quot;_blank&quot; title=&quot;VLAN access link&quot;&gt;access link&lt;/a&gt;, it has access to one specific VLAN. Any network device connecting to it will become part of that VLAN.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;Ethernet frames entering or exiting the port are standard &lt;a href=&quot;https://www.firewall.cx/networking/ethernet/ethernet-ii.html&quot; target=&quot;_blank&quot; title=&quot;Ethernet II type frames&quot;&gt;Ethernet II type frames&lt;/a&gt;, which are understood by the network device connected to the port. Because these frames belong only to one network, they are said to be “untagged” — meaning that they do not contain any information as to which VLAN they are assigned.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;Trunk links on the other hand are a bit more complicated. Because they carry frames from all VLANs, it's necessary to somehow identify the frames as they traverse switches. This is called &lt;a href=&quot;https://www.firewall.cx/networking/vlan-networks/vlan-tagging.html&quot; target=&quot;_blank&quot; title=&quot;VLAN tagging&quot;&gt;VLAN tagging&lt;/a&gt;.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;Two methods known for this job are &lt;a href=&quot;https://www.firewall.cx/networking/vlan-networks/vlan-isl-analysis.html&quot; target=&quot;_blank&quot; title=&quot;ISL Protocol&quot;&gt;&lt;strong&gt;ISL&lt;/strong&gt;&lt;/a&gt; (&lt;a href=&quot;https://www.firewall.cx/networking/vlan-networks/vlan-isl-analysis.html&quot; target=&quot;_blank&quot; title=&quot;Inter-Switch Link&quot;&gt;Inter-Switch Link&lt;/a&gt;, a proprietary Cisco protocol) and &lt;a href=&quot;https://www.firewall.cx/networking/vlan-networks/vlan-8021q-analysis.html&quot; target=&quot;_blank&quot; title=&quot;IEEE 802.1q&quot;&gt;IEEE 802.1q&lt;/a&gt;. Of the two, &lt;strong&gt;802.1q&lt;/strong&gt; is the &lt;strong&gt;most popular&lt;/strong&gt; &lt;strong&gt;VLAN tagging method&lt;/strong&gt; and is compatible among all vendors supporting VLAN trunking.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;What might come as a surprise is that a &lt;strong&gt;trunk link&lt;/strong&gt; can also be configured to act as an access link when a device (computer or switch) that does not support VLAN trunking connects to it. This means that if you have a trunk link on a switch and connect a computer, the port will automatically provide access to a specific VLAN. The VLAN in this case is known as the&amp;nbsp;&lt;strong&gt;native VLAN&lt;/strong&gt;, a common term that refers to the VLAN a &lt;strong&gt;trunk port&lt;/strong&gt; is configured for when acting as an &lt;strong&gt;access link&lt;/strong&gt;.&lt;/p&gt;
&lt;h2&gt;3. Virtual Trunk Protocol and VTP Pruning&lt;/h2&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;&lt;a href=&quot;https://www.firewall.cx/networking/vlan-networks/vtp-introduction.html&quot; target=&quot;_blank&quot; title=&quot;VTP Protocol&quot;&gt;VTP&lt;/a&gt; is a Cisco proprietary protocol that ensures all VLAN information held by the &lt;strong&gt;VTP Server&lt;/strong&gt;, usually the core switch, is propagated to all network switches within the &lt;strong&gt;VTP domain&lt;/strong&gt;.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;During initial network configuration, all switches are configured as members of the same &lt;strong&gt;VTP domain&lt;/strong&gt;. With the use of &lt;strong&gt;VTP&lt;/strong&gt;, an IT administrator can &lt;strong&gt;create&lt;/strong&gt;, &lt;strong&gt;delete&lt;/strong&gt; or &lt;strong&gt;rename VLANs&lt;/strong&gt; on the &lt;strong&gt;core switch&lt;/strong&gt;. All information is then automatically sent to all members of the &lt;strong&gt;VTP domain&lt;/strong&gt;. The &lt;strong&gt;VTP&lt;/strong&gt; equivalent for other vendors, such as HP and Juniper, is the &lt;strong&gt;GARP VLAN Registration Protocol&lt;/strong&gt; (&lt;strong&gt;GVRP&lt;/strong&gt;), which has been fine-tuned in recent years and includes many features previously implemented only in &lt;strong&gt;Cisco's VTP Protocol&lt;/strong&gt;.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;&lt;a href=&quot;https://www.firewall.cx/networking/vlan-networks/vtp-pruning.html&quot; target=&quot;_blank&quot; title=&quot;VTP pruning&quot;&gt;VTP pruning&lt;/a&gt;, an extension to VTP's functionality, ensures that unnecessary network traffic is not sent over trunk links. This is done by forwarding broadcasts and unknown unicast frames on a VLAN, over trunk links, only if the receiving end of the trunk has ports assigned to that VLAN.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;In practice, this means that if a network broadcast occurred on VLAN5 for instance, and a particular switch did not have any ports assigned to VLAN5, it would never receive the broadcast traffic through its trunk link. This translates to a major reduction in broadcast or multicast traffic received by end switches in a VLAN network.&lt;/p&gt;
&lt;h2&gt;4. Inter-VLAN Routing&lt;/h2&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;&lt;a href=&quot;https://www.firewall.cx/networking/vlan-networks/intervlan-routing.html&quot; target=&quot;_blank&quot; title=&quot;Inter-VLAN routing&quot;&gt;Inter-VLAN routing&lt;/a&gt;, as the term implies, is all about routing packets between VLANs. This is perhaps one of the most important features found on advanced switches. Because &lt;strong&gt;inter-VLAN routing&lt;/strong&gt; directs packets based on their Layer 3 information (the IP address), switches that perform this function are known as &lt;strong&gt;Layer 3 switches&lt;/strong&gt; and, of course, are the most expensive. The &lt;strong&gt;core switch&lt;/strong&gt; is commonly a &lt;strong&gt;Layer 3 switch&lt;/strong&gt;. In cases where a Layer 3 switch is not available, this function can also be performed by a server with two or more network cards or a router, a method often referred to as&amp;nbsp;&lt;a href=&quot;https://www.firewall.cx/networking/vlan-networks/intervlan-routing.html&quot; target=&quot;_blank&quot; title=&quot;router on a stick&quot;&gt;&lt;strong&gt;router on a stick&lt;/strong&gt;&lt;/a&gt;.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;Because this is one of the most important aspects of a VLAN network, the Layer 3 switch must have a fast switching fabric (measured in Gbps) and provide advanced capabilities such as support for routing protocols, advanced access-lists and firewall functionality. The Layer 3 switch can offer outstanding protection for a VLAN network but can also be a network administrator's worst nightmare if not properly configured.&lt;/p&gt;
&lt;h2&gt;5. Securing VLAN Devices&lt;/h2&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;Even though many administrators and IT managers are aware of VLAN technologies and concepts, that doesn't necessarily hold true when it comes to VLAN security.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;The first principle in securing a VLAN network is physical security. If an organization does not want its devices tampered with, physical access must be strictly controlled. Core switches are usually safely located in a data center with restricted access, but edge switches are often located in exposed areas.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;Just as physical security guidelines require equipment to be in a controlled space, VLAN-based security requires the use of special tools and following a few best security practices to achieve the desired result.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;These best practices include:&lt;/p&gt;
&lt;ul class=&quot;check&quot;&gt;
&lt;li style=&quot;text-align: justify;&quot;&gt;Removing console-port cables and introducing password-protected console or virtual terminal access with specified timeouts and restricted access policies;&lt;/li&gt;
&lt;li style=&quot;text-align: justify;&quot;&gt;Applying the same commands to the virtual terminal (telnet/Secure Shell) section and creating an access-list to restrict telnet/SSH access to specific networks and hosts;&lt;/li&gt;
&lt;li style=&quot;text-align: justify;&quot;&gt;Avoiding the use of VLAN1 (the default VLAN) as the network data VLAN;&lt;/li&gt;
&lt;li style=&quot;text-align: justify;&quot;&gt;Disabling high-risk protocols on any port that doesn't require them (e.g. CDP, DTP, PAgP, UDLD);&lt;/li&gt;
&lt;li style=&quot;text-align: justify;&quot;&gt;Deploying VTP domain, VTP pruning and password protections;&lt;/li&gt;
&lt;li style=&quot;text-align: justify;&quot;&gt;Controlling inter-VLAN routing through the use of IP access lists.&lt;/li&gt;
&lt;/ul&gt;
&lt;div class=&quot;box-info&quot; style=&quot;text-align: justify;&quot;&gt;For hands-on details about each of these practices, read through our &lt;strong&gt;&lt;a href=&quot;https://www.firewall.cx/cisco/cisco-switches/cisco-switches-basic-advanced-configuration.html&quot; target=&quot;_blank&quot; title=&quot;Basic &amp;amp; Advanced Catalyst Layer3 Switch Configuration Guide&quot;&gt;Basic &amp;amp; Advanced Catalyst Layer3 Switch Configuration Guide&lt;/a&gt;&lt;/strong&gt;.&lt;/div&gt;
&lt;h2&gt;Raising the Throttle&lt;/h2&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;VLAN technology offers numerous enhancements to the network and provides paths to run multiple services in isolated environments without sacrificing speed, quality and network availability. If the necessary basic security guidelines are taken into consideration during initial implementation and then during ongoing administration, a VLAN can dramatically reduce administrative overhead.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;Perhaps the most serious mistake that can be made is to underestimate the importance of the data link layer and of VLANs in particular in the architecture of switched networks.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;It should not be forgotten that any network is only as robust as its weakest link, and therefore an equal amount of attention needs to be given to every layer to assure the soundness of the entire structure.&lt;/p&gt;
&lt;h2&gt;Summary&lt;/h2&gt;
&lt;p style=&quot;text-align: justify;&quot; align=&quot;left&quot;&gt;This article covered &lt;strong&gt;basic VLAN concepts&lt;/strong&gt; such as &lt;strong&gt;Access Links&lt;/strong&gt;, &lt;strong&gt;Trunk Links&lt;/strong&gt;, &lt;strong&gt;Virtual Trunk Protocol&lt;/strong&gt; (&lt;strong&gt;VTP&lt;/strong&gt;), &lt;strong&gt;Inter-VLAN routing&lt;/strong&gt; and more. We explained &lt;strong&gt;how VLAN networks operate&lt;/strong&gt;, the different methods by which &lt;strong&gt;VLANs communicate&lt;/strong&gt;, and also referenced a few &lt;strong&gt;best VLAN security practices&lt;/strong&gt;. This article is also available for download in PDF format here: VLAN Security - &lt;a href=&quot;https://www.firewall.cx/images/stories/downloads/FedTech_BP-Partsenidis.pdf&quot; target=&quot;_blank&quot; title=&quot;Making the Most of VLANs&quot;&gt;Making the Most of VLANs&lt;/a&gt;&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot; align=&quot;left&quot;&gt;For more information on VLAN networks, readers can visit our dedicated &lt;a href=&quot;https://www.firewall.cx/networking/vlan-networks.html&quot; target=&quot;_blank&quot; title=&quot;VLAN Network section&quot;&gt;VLAN Network section&lt;/a&gt;.&lt;/p&gt;
</content>
		<category term="VLAN Networks" />
	</entry>
	<entry>
		<title>VTP Pruning</title>
		<link rel="alternate" type="text/html" href="https://www.firewall.cx/networking/vlan-networks/vtp-pruning.html"/>
		<published>2011-06-08T08:08:17+10:00</published>
		<updated>2011-06-08T08:08:17+10:00</updated>
		<id>https://www.firewall.cx/networking/vlan-networks/vtp-pruning.html</id>
		<author>
			<name>Administrator</name>
		</author>
		<summary type="html">&lt;p&gt;&lt;img src=&quot;https://www.firewall.cx//images/stories/vtp-pruning-intro.webp&quot; alt=&quot;VTP Pruning - Introduction&quot;&gt;&lt;/p&gt;&lt;p style=&quot;text-align: justify;&quot;&gt;&lt;img src=&quot;https://www.firewall.cx/images/stories/vtp-pruning-intro.webp&quot; alt=&quot;vtp pruning&quot; style=&quot;margin: 7px; float: left;&quot; title=&quot;vtp pruning&quot; /&gt;&lt;strong&gt;VTP (VLAN Trunking Protocol) pruning&lt;/strong&gt; is a feature that is used in Cisco switches to reduce unnecessary traffic in VLAN (Virtual Local Area Network) trunks. When VTP pruning is enabled on a trunk, the switch will stop forwarding broadcast, multicast, and unknown unicast traffic to VLANs that do not have any active ports.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;This feature optimizes network bandwidth utilization by preventing unnecessary traffic from being sent across the network, which can help improve network performance. However, VTP pruning should only be used in situations where there are VLANs with no active ports, as enabling it on all trunks can cause connectivity issues if new ports are added to VLANs in the future.&lt;/p&gt;
&lt;h2&gt;The Broadcast And Unicast Problem In VLAN Networks&lt;/h2&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;In &lt;a href=&quot;https://www.firewall.cx/networking/vlan-networks/vlan-concept.html&quot; target=&quot;_blank&quot; title=&quot;Introduction to VLAN Networks&quot;&gt;&lt;strong&gt;VLAN (Virtual Local Area Network) networks&lt;/strong&gt;&lt;/a&gt;, &lt;a href=&quot;https://www.firewall.cx/networking/network-fundamentals/network-broadcast.html&quot; target=&quot;_blank&quot; title=&quot;Network Broadcasts&quot;&gt;broadcast&lt;/a&gt; and &lt;a href=&quot;https://www.firewall.cx/networking/network-fundamentals/network-unicast.html&quot; target=&quot;_blank&quot; title=&quot;Unicast&quot;&gt;unicast&lt;/a&gt; problems can occur due to the presence of multiple VLANs within a single physical network. Broadcast packets are sent to all hosts on a network, while unicast packets are sent to a specific host. When a broadcast or unicast packet is sent within a VLAN network, it is forwarded to all ports within the same VLAN. If a large number of broadcast or unicast packets are sent, it can lead to network congestion and slow down the overall network performance. To mitigate these issues, VLANs are used to logically separate network traffic, reducing the number of devices that receive unnecessary broadcast and unicast packets. However, proper configuration and management of VLANs are essential to prevent broadcast storms and ensure efficient use of network resources.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;The diagram below is an example of how network broadcasts can flood the network, creating unnecessary traffic through all trunk links:&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;&lt;img src=&quot;https://www.firewall.cx/images/stories/vlans-pruning-1.gif&quot; alt=&quot;vlans-pruning-1&quot; width=&quot;481&quot; height=&quot;307&quot; style=&quot;display: block; margin-left: auto; margin-right: auto;&quot; /&gt;&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;As shown and described, a host connected to a port configured for &lt;strong&gt;VLAN 2&lt;/strong&gt; on &lt;strong&gt;Switch 1&lt;/strong&gt; (first switch on the left), generates a &lt;strong&gt;network broadcast&lt;/strong&gt;. Naturally, the switch will forward the broadcast out &lt;strong&gt;all ports assigned to the same VLAN&lt;/strong&gt; it was received from, that is, &lt;strong&gt;VLAN 2&lt;/strong&gt;.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;In addition, the Catalyst switch will forward the broadcast out its &lt;a href=&quot;https://www.firewall.cx/networking/vlan-networks/vlan-access-trunk-links.html&quot; target=&quot;_blank&quot; title=&quot;VLAN Trunk Links&quot;&gt;&lt;strong&gt;trunk link&lt;/strong&gt;&lt;/a&gt;, so it may reach all ports in the network assigned to &lt;strong&gt;VLAN 2&lt;/strong&gt;. The &lt;strong&gt;Root switch&lt;/strong&gt; receives the broadcast through one of its trunks and immediately forwards it to its downlink ports to Switch 2 and Switch 3.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;Switch 2 is delighted to receive the broadcast as it does in fact have one port assigned to VLAN 2. Switch 3 however has &lt;strong&gt;no ports assigned to VLAN 2&lt;/strong&gt; and therefore will drop the broadcast packet received. In this example, Switch 3's uplink received broadcast traffic that was not necessary, therefore wasting valuable bandwidth.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;While the inefficient use of Switch 3's uplink doesn't seem like a major issue, the magnitude of this problem can be easily appreciated within a large network of switches, as shown in the diagram below:&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;&lt;img src=&quot;https://www.firewall.cx/images/stories/vlans-pruning-2.gif&quot; alt=&quot;vlans-pruning-2&quot; width=&quot;578&quot; height=&quot;308&quot; style=&quot;display: block; margin-left: auto; margin-right: auto;&quot; /&gt;&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot; align=&quot;left&quot;&gt;Here we have a medium sized network powered by Cisco Catalyst switches. The two main switches up the top are the &lt;strong&gt;VTP servers&lt;/strong&gt; and also perform &lt;a href=&quot;https://www.firewall.cx/networking/vlan-networks/intervlan-routing.html&quot; target=&quot;_blank&quot; title=&quot;Inter-VLAN routing&quot;&gt;Inter-VLAN routing&lt;/a&gt; by routing packets between the different VLAN networks.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot; align=&quot;left&quot;&gt;Below the core switches are the distribution-layer Catalyst switches (2950) with redundant fiber trunk links. Directly below the 2950 switches are the access-layer Catalyst switches (2948), which allow workstations to connect to the network.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot; align=&quot;left&quot;&gt;In this example, a workstation connected to VLAN 2 sends a &lt;strong&gt;network broadcast&lt;/strong&gt; request (lower left corner) to the network. As shown on the diagram, this broadcast will be sent out all network ports assigned to VLAN 2 on the local switch, but also out through all uplink ports to other switches. The same will occur on all other switches, causing a large amount of unnecessary traffic through network uplinks:&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;&lt;img src=&quot;https://www.firewall.cx/images/stories/vlans-pruning-3.gif&quot; alt=&quot;vlans-pruning-3&quot; width=&quot;578&quot; height=&quot;291&quot; style=&quot;display: block; margin-left: auto; margin-right: auto;&quot; /&gt;&lt;/p&gt;
&lt;p&gt;We can appreciate how much unnecessary traffic is generated here and how easily switch uplinks can be flooded with broadcast traffic.&lt;/p&gt;
&lt;p&gt;One can still argue that in today's modern multi-gigabit networks this would be insignificant traffic; however, from a design perspective, this is by far not an efficient network design.&lt;/p&gt;
&lt;h2&gt;The Solution: Enabling VTP Pruning&lt;/h2&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;&lt;strong&gt;VTP Pruning&lt;/strong&gt; as you might have already guessed solves the above problem by reducing the unnecessary flooded traffic described previously. This is done by forwarding broadcasts and unknown unicast frames on a VLAN over trunk links &lt;strong&gt;only&lt;/strong&gt; if the switch on the other end of the link &lt;strong&gt;has ports configured for that VLAN&lt;/strong&gt;.&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;&lt;img src=&quot;https://www.firewall.cx/images/stories/vlans-pruning-4.gif&quot; alt=&quot;vlans-pruning-4&quot; width=&quot;476&quot; height=&quot;298&quot; style=&quot;display: block; margin-left: auto; margin-right: auto;&quot; /&gt;&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;Looking at the above diagram you will notice that the Root Catalyst 3550 Switch receives a broadcast from Switch 1, but only forwards it out one of its trunks. The Root Switch knows that the broadcast belongs to VLAN 2 and, furthermore, it's aware that no port is assigned to VLAN 2 on Switch 3, therefore it won't forward it out the trunk link connecting to that switch.&lt;/p&gt;
&lt;h2&gt;Support For VTP Pruning&lt;/h2&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;The &lt;strong&gt;VTP Pruning service&lt;/strong&gt; is supported by both &lt;strong&gt;VTP 1&lt;/strong&gt; and &lt;strong&gt;VTP 2&lt;/strong&gt; versions of the &lt;a href=&quot;https://www.firewall.cx/networking/vlan-networks/vtp-introduction.html&quot; target=&quot;_blank&quot; title=&quot;VTP protocol&quot;&gt;VTP protocol&lt;/a&gt;. With VTP 1, VTP pruning is possible with the use of additional &lt;a href=&quot;https://www.firewall.cx/networking/vlan-networks/vtp-analysis.html&quot; target=&quot;_blank&quot; title=&quot;VTP message types&quot;&gt;VTP message types&lt;/a&gt;.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;When a Cisco Catalyst switch has ports associated with a VLAN, it will send an advertisement to its neighboring switches informing them about the ports it has active on that VLAN. This information is then stored by the neighbors and used to decide if flooded traffic from a VLAN should be forwarded to the switch via the trunk port or not.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;VTP Pruning configuration and commands are covered in section 11.4, as outlined in the &lt;a href=&quot;https://www.firewall.cx/networking-topics/vlan-networks.html&quot;&gt;VLAN Introduction page&lt;/a&gt;; here we should point out that you can also enable pruning for specific VLANs only.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;When you enable VTP Pruning on your network, all VLANs become eligible for pruning on all trunk links. This default list of pruning eligibility can thankfully be modified to suit your needs, but you must first clear all VLANs from the list using the&amp;nbsp;&lt;strong&gt;clear vtp prune-eligible vlan-range&lt;/strong&gt; command and then add the VLAN range you want to the prune-eligible list with the&amp;nbsp;&lt;strong&gt;set vtp prune-eligible vlan-range&lt;/strong&gt; command, where 'vlan-range' is the inclusive range of VLANs, e.g. '2-20'.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;By default, VLANs 2–1000 are eligible for pruning. VLAN 1 has a special meaning because it is normally used as a management VLAN and is never eligible for pruning, while VLANs 1001–1005 are also never eligible for pruning. If the VLANs are configured as pruning-ineligible, the flooding continues as illustrated in our examples.&lt;/p&gt;
&lt;p class=&quot;info&quot;&gt;&lt;strong&gt;VTP Pruning&lt;/strong&gt; is &lt;strong&gt;disabled&lt;/strong&gt; by default on all Cisco Catalyst switches and can be enabled by issuing the&amp;nbsp;&lt;strong&gt;set vtp pruning enable&lt;/strong&gt; command on the VTP Server. This will also enable VTP pruning for the entire management domain.&lt;/p&gt;
&lt;h2&gt;Summary&lt;/h2&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;&lt;strong&gt;VTP Pruning&lt;/strong&gt; is a much welcomed feature within any VTP-enabled, Cisco-powered network, assisting in increasing bandwidth availability by restricting broadcast and unknown unicast traffic. We provided examples of how VTP pruning can be configured and the effect it has in both a small and a large network.&lt;/p&gt;</summary>
		<category term="VLAN Networks" />
	</entry>
	<entry>
		<title>VTP Protocol - In-Depth Analysis</title>
		<link rel="alternate" type="text/html" href="https://www.firewall.cx/networking/vlan-networks/vtp-analysis.html"/>
		<published>2011-06-08T07:42:11+10:00</published>
		<updated>2011-06-08T07:42:11+10:00</updated>
		<id>https://www.firewall.cx/networking/vlan-networks/vtp-analysis.html</id>
		<author>
			<name>Administrator</name>
		</author>
		<summary type="html">&lt;p&gt;&lt;img src=&quot;https://www.firewall.cx//images/stories/vtp-analysis-intro.webp&quot; alt=&quot;VTP Protocol Analysis&quot;&gt;&lt;/p&gt;&lt;p&gt;&lt;img src=&quot;https://www.firewall.cx/images/stories/vtp-analysis-intro.webp&quot; alt=&quot;vtp protocol analysis&quot; style=&quot;margin: 7px; float: left;&quot; title=&quot;vtp protocol analysis&quot; /&gt;The &lt;a href=&quot;https://www.firewall.cx/networking/vlan-networks/vtp-introduction.html&quot; target=&quot;_blank&quot; title=&quot;VTP Modes&quot;&gt;previous article&lt;/a&gt; introduced the &lt;strong&gt;VTP protocol&lt;/strong&gt;, we examined how it can be used within a network, to help manage VLANs and ease the administrative overhead, providing a stress-free VLAN environment by automatically updating all the network switches with the latest VLAN information.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;This article extends on the above by delving into the &lt;strong&gt;VTP protocol&lt;/strong&gt; itself and analysing its structure and format in order to gain a better understanding and enhance those troubleshooting skills.&lt;/p&gt;
&lt;h2&gt;The VTP Protocol Structure&lt;/h2&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;We've mentioned that the &lt;strong&gt;VTP protocol&lt;/strong&gt; runs only over &lt;a href=&quot;https://www.firewall.cx/networking/vlan-networks/vlan-access-trunk-links.html&quot; target=&quot;_blank&quot; title=&quot;trunk links&quot;&gt;trunk links&lt;/a&gt; interconnecting switches in the network. Whether you're using &lt;a href=&quot;https://www.firewall.cx/networking/vlan-networks/vlan-isl-analysis.html&quot; target=&quot;_blank&quot; title=&quot;ISL Protocol&quot;&gt;ISL&lt;/a&gt; or &lt;a href=&quot;https://www.firewall.cx/networking/vlan-networks/vlan-8021q-analysis.html&quot; target=&quot;_blank&quot; title=&quot;IEEE 802.1q Protocol&quot;&gt;IEEE 802.1q&lt;/a&gt; as your encapsulation protocol, it really doesn't matter as the VTP structure in both cases remains the same.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;Following are the fields that make up the &lt;strong&gt;VTP protocol&lt;/strong&gt; header:&lt;/p&gt;
&lt;ul class=&quot;check&quot; style=&quot;text-align: justify;&quot;&gt;
&lt;li type=&quot;square&quot;&gt;&lt;strong&gt;VTP Protocol Version (1 or 2)&lt;/strong&gt;&lt;/li&gt;
&lt;li type=&quot;square&quot;&gt;&lt;strong&gt;VTP Message Type (See Below)&lt;/strong&gt;&lt;/li&gt;
&lt;li type=&quot;square&quot;&gt;&lt;strong&gt;Management Domain Length&lt;/strong&gt;&lt;/li&gt;
&lt;li type=&quot;square&quot;&gt;&lt;strong&gt;Management Domain Name&lt;/strong&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;What we need to note here is that because there are a variety of &lt;strong&gt;VTP Message Types&lt;/strong&gt;, the &lt;strong&gt;VTP Header&lt;/strong&gt; changes depending on these messages, but the fields we just mentioned above are always included.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;To be more specific, here are the different messages currently supported by the VTP protocol:&lt;/p&gt;
&lt;ul class=&quot;check&quot;&gt;
&lt;li&gt;&lt;strong&gt;Summary Advertisements&lt;/strong&gt;&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Subset Advertisement&lt;/strong&gt;&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Advertisement Requests&lt;/strong&gt;&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;VTP Join Messages&lt;/strong&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;It is obvious that all switches use these different messages to request information or advertise the VLANs they are aware of. These messages are extremely important to understand as they are the foundations of the VTP protocol.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;We'll take each message and analyse them individually, explaining their purpose and usage, but before we proceed, let's take a quick visual look at the messages and their types to help make all the above clearer:&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;&lt;img src=&quot;https://www.firewall.cx/images/stories/vlans-vtp-analysis-1.gif&quot; alt=&quot;vlans-vtp-analysis-1&quot; width=&quot;484&quot; height=&quot;220&quot; style=&quot;display: block; margin-left: auto; margin-right: auto;&quot; /&gt;&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;First up is the&amp;nbsp;&lt;strong&gt;Summary Advertisements&lt;/strong&gt;.&lt;/p&gt;
&lt;h2&gt;VTP Protocol - Summary Advertisement Message&lt;/h2&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;The &lt;strong&gt;Summary Advertisement&lt;/strong&gt; message is issued by all &lt;strong&gt;VTP Domain Servers&lt;/strong&gt; at &lt;strong&gt;5 minute intervals&lt;/strong&gt;, that is, every &lt;strong&gt;300 seconds&lt;/strong&gt;. These advertisements provide neighbouring Catalyst switches with a variety of information, including the &lt;strong&gt;VTP Domain name&lt;/strong&gt;, &lt;strong&gt;configuration revision number&lt;/strong&gt;, &lt;strong&gt;timestamp&lt;/strong&gt;, &lt;strong&gt;MD5 hash&lt;/strong&gt;, and the number of &lt;strong&gt;subset advertisements&lt;/strong&gt; to follow.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;The &lt;strong&gt;configuration revision number&lt;/strong&gt; is a value each switch stores to help it identify new changes made in the &lt;strong&gt;VTP domain&lt;/strong&gt;, similar to how DNS keeps track of changes to its resource records via the &lt;a href=&quot;https://www.firewall.cx/networking/network-protocols/dns-protocol.html&quot; target=&quot;_blank&quot; title=&quot;DNS Protocol&quot;&gt;DNS serial number&lt;/a&gt;. Each time the VTP Server configuration is changed, the configuration revision number will automatically &lt;strong&gt;increment by one&lt;/strong&gt;.&lt;/p&gt;
&lt;p&gt;When a switch receives a &lt;strong&gt;summary advertisement message&lt;/strong&gt;, it will first compare the &lt;strong&gt;VTP domain name&lt;/strong&gt; (Mgmt Domain Name field) with its own.&lt;/p&gt;
&lt;p&gt;&lt;img src=&quot;https://www.firewall.cx/images/stories/vlans-vtp-analysis-2.gif&quot; alt=&quot;vlans-vtp-analysis-2&quot; width=&quot;600&quot; height=&quot;168&quot; style=&quot;display: block; margin-left: auto; margin-right: auto;&quot; /&gt;&lt;/p&gt;
&lt;p&gt;If the &lt;strong&gt;Domain Name&lt;/strong&gt; is found to be different, it will discard the message and forward it out its trunk links. However, in the likely case that the domain name is found to be the same, it will then check the &lt;strong&gt;configuration revision number&lt;/strong&gt; (Config Revision No.) and if found to be the same or lower than it's own, it will &lt;strong&gt;ignore the advertisement&lt;/strong&gt;. If however it is found to be greater, an &lt;strong&gt;advertisement request&lt;/strong&gt; is sent out.&lt;/p&gt;
&lt;p&gt;The &lt;strong&gt;Updater Identity&lt;/strong&gt; field contains the &lt;strong&gt;IP Address&lt;/strong&gt; of the switch that last incremented the &lt;strong&gt;Configuration Revision Number&lt;/strong&gt;, while the &lt;strong&gt;Update Timestamp&lt;/strong&gt; field gives the time the last update took place.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Message Digest 5&lt;/strong&gt; (MD5) carries the VTP password, if MD5 is configured and used to authenticate the validation of a VTP update. Further more, VTP takes the &lt;strong&gt;VTP domain name&lt;/strong&gt; into account when calculating the &lt;strong&gt;VTP MD5 hash&lt;/strong&gt;. MD5 hash &lt;strong&gt;is different&lt;/strong&gt; each time a &lt;strong&gt;vtp update message&lt;/strong&gt; is transmitted even though domain name and password (it is null by default) are same. This is because the &lt;strong&gt;configuration revision number&lt;/strong&gt; is &lt;strong&gt;used to calculate the MD5 hash&lt;/strong&gt; and as it is different after creating the vlan, therefore the MD5 will also be different.&lt;/p&gt;
&lt;p&gt;Lastly, summary advertisements are usually followed by &lt;strong&gt;Subset Advertisements&lt;/strong&gt;, this is indicated by the&amp;nbsp;&lt;strong&gt;Followers&lt;/strong&gt; field and is the next message we'll be closely examining.&lt;/p&gt;
&lt;h2&gt;VTP Protocol - Subset Advertisement&lt;/h2&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;As mentioned in the previous message, when VLAN changes are made on the Catalyst VTP Server, it will then issue a &lt;strong&gt;Summary Advertisement&lt;/strong&gt;, followed by a &lt;strong&gt;Subset Advertisement&lt;/strong&gt;. Depending on how many VLANs are configured in the domain, there might be more than one &lt;strong&gt;Subset Advertisement&lt;/strong&gt; sent to ensure all VLAN information is updated on the VTP Clients.&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;&lt;img src=&quot;https://www.firewall.cx/images/stories/vlans-vtp-analysis-3.gif&quot; alt=&quot;vlans-vtp-analysis-3&quot; width=&quot;476&quot; height=&quot;184&quot; style=&quot;display: block; margin-left: auto; margin-right: auto;&quot; /&gt;&lt;/p&gt;
&lt;p&gt;Comparing the fields of this message with the previous one, you'll notice most of them are identical, except for the &lt;strong&gt;Sequence No.&lt;/strong&gt; and &lt;strong&gt;VLAN Info. Field&lt;/strong&gt;.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;The &lt;strong&gt;Code&lt;/strong&gt; field for a &lt;strong&gt;Subset Advertisement&lt;/strong&gt; of this type is set to &lt;strong&gt;0x02&lt;/strong&gt; while the &lt;strong&gt;Sequence No.&lt;/strong&gt; field contains the sequence of the packet in the stream of packets following a summary advertisement. The sequence starts with 1 and increments based on the number of packets in the stream.&lt;/p&gt;
&lt;p&gt;Apart from these fields, we also have the &lt;strong&gt;VLAN Info Field&lt;/strong&gt;, which happens to be the most important as it contains all the VLAN information the switches are waiting for.&lt;/p&gt;
&lt;p&gt;The &lt;strong&gt;VLAN Info Field&lt;/strong&gt; will be presented in segments. Complexity and importance requires us to break it up further and analyse the subfields it contains:&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;&lt;img src=&quot;https://www.firewall.cx/images/stories/vlans-vtp-analysis-4.gif&quot; alt=&quot;vlans-vtp-analysis-4&quot; width=&quot;602&quot; height=&quot;226&quot; style=&quot;display: block; margin-left: auto; margin-right: auto;&quot; /&gt;&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;Each &lt;strong&gt;VLAN Info Field&lt;/strong&gt; contains all the information required for one VLAN. This means that if our network is powered with 10 VLANs and a &lt;strong&gt;Subset Advertisement&lt;/strong&gt; is triggered, the VTP Server will send a total of &lt;strong&gt;10 Subset Advertisements&lt;/strong&gt; since each &lt;strong&gt;VLAN Info Field&lt;/strong&gt; contains data for one VLAN.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;The most important subfields in the &lt;strong&gt;VLAN Info Field&lt;/strong&gt; are the &lt;strong&gt;VLAN Name Length&lt;/strong&gt;, &lt;strong&gt;ISL VLAN ID&lt;/strong&gt;, &lt;strong&gt;MTU Size&lt;/strong&gt; and &lt;strong&gt;VLAN Name&lt;/strong&gt;. These subfields contain critical information about the VLAN advertised in the particular Subset Advertisement frame. Some might be suprised to see settings such as MTU's to be configurable in VLAN's, and this confirms that each VLAN is treated as a separate network, where even different MTU sizes are possible amongst your network's VLANS.&lt;/p&gt;
&lt;h2&gt;Advertisement Requests&lt;/h2&gt;
&lt;p style=&quot;text-align: justify;&quot; align=&quot;left&quot;&gt;Turning a Cisco switch off will result loosing &lt;strong&gt;all&lt;/strong&gt; its VTP information stored in its memory (RAM). When the switch is next turned on, all its database information is reset and therefore requires to be updated with the latest version available from the VTP Server(s).&lt;/p&gt;
&lt;p&gt;A switch will also send an &lt;strong&gt;Advertisement Request&lt;/strong&gt; when it hears a &lt;strong&gt;VTP summary advertisement&lt;/strong&gt; with a &lt;strong&gt;higher revision number&lt;/strong&gt; than what it currently has. Another scenario where a request would be issued is when the &lt;strong&gt;VTP domain membership&lt;/strong&gt; has changed, even though this is quite uncommon since the VTP domain name is rarely, if ever, changed after its initial configuration.&lt;/p&gt;
&lt;p&gt;So what happens when an &lt;strong&gt;Advertisement Request&lt;/strong&gt; is sent on the network?&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot; align=&quot;left&quot;&gt;As you would already be aware from the &lt;strong&gt;message types&lt;/strong&gt; covered, the &lt;strong&gt;VTP Server&lt;/strong&gt; will respond with &lt;strong&gt;Summary Advertisement&lt;/strong&gt;, followed by as many &lt;strong&gt;Subset Advertisements&lt;/strong&gt; required to inform the &lt;strong&gt;VTP Clients&lt;/strong&gt; about the configured VLANs.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot; align=&quot;left&quot;&gt;The diagram below shows the structure of an &lt;strong&gt;Advertisement Request&lt;/strong&gt; sent by a &lt;strong&gt;VTP Client switch&lt;/strong&gt;:&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;&lt;img src=&quot;https://www.firewall.cx/images/stories/vlans-vtp-analysis-5.gif&quot; alt=&quot;vlans-vtp-analysis-5&quot; width=&quot;447&quot; height=&quot;166&quot; style=&quot;display: block; margin-left: auto; margin-right: auto;&quot; /&gt;&lt;/p&gt;
&lt;p&gt;&amp;nbsp;Most fields as you can see, are similar to the previous messages we've seen, except two: The &lt;strong&gt;Reserved&lt;/strong&gt; and &lt;strong&gt;Starting Advertisement To Request&lt;/strong&gt;. The &lt;strong&gt;Reserved&lt;/strong&gt; is exactly what it implies - reserved and not used in the &lt;strong&gt;Advertisement Request&lt;/strong&gt; messages, while the &lt;strong&gt;Starting Advertisement To Request&lt;/strong&gt; is the actual request sent by the &lt;strong&gt;VTP Client&lt;/strong&gt;.&lt;/p&gt;
&lt;h2&gt;VTP Join Messages&lt;/h2&gt;
&lt;p style=&quot;text-align: justify;&quot; align=&quot;left&quot;&gt;&lt;strong&gt;VTP Join Messages &lt;/strong&gt;are similar to the &lt;strong&gt;Advertisement Request&lt;/strong&gt; messages but with a different &lt;strong&gt;Message Type&lt;/strong&gt; field value and a few more parameters. As indicated by the message name, a &lt;strong&gt;VTP Join Message&lt;/strong&gt; is sent by the&amp;nbsp;&lt;strong&gt;VTP Client&lt;/strong&gt;, and directed to the &lt;strong&gt;VTP Server&lt;/strong&gt;, when it first joins a &lt;strong&gt;VTP domain&lt;/strong&gt;.&lt;/p&gt;
&lt;h2 style=&quot;text-align: justify;&quot; align=&quot;left&quot;&gt;Other VTP Options - VTP Password&lt;/h2&gt;
&lt;p style=&quot;text-align: justify;&quot; align=&quot;left&quot;&gt;The&lt;strong&gt; VTP Password&lt;/strong&gt; is a necessary feature to ensure the security and integrity of VTP messages. With the password feature, you are able to secure your &lt;strong&gt;VTP Domain&lt;/strong&gt; since only switches configured with the correct password are able to properly decrypt the &lt;strong&gt;VTP messages&lt;/strong&gt; advertised in the management VLAN.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot; align=&quot;left&quot;&gt;By default the &lt;strong&gt;VTP Password&lt;/strong&gt; option is not turned on and therefore most management VLANs are set to use non-secure advertisements. Once enabled on the VTP Domain Server(s), all switches participating in the domain must be manually configured with the same password, otherwise it will fail to decrypt all incoming VTP messages.&lt;/p&gt;
&lt;h2&gt;Summary&lt;/h2&gt;
&lt;p style=&quot;text-align: justify;&quot; align=&quot;left&quot;&gt;This page analysed the structure of each message the VTP protocol currently supports to maintain the network's switches in synchronisation with the VTP domain server(s):&lt;/p&gt;
&lt;ul class=&quot;check&quot;&gt;
&lt;li&gt;&lt;strong&gt;Summary Advertisements&lt;/strong&gt;&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Subset Advertisement&lt;/strong&gt;&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Advertisement Requests&lt;/strong&gt;&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;VTP Join Messages&lt;/strong&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;p style=&quot;text-align: justify;&quot; align=&quot;left&quot;&gt;We're sure you would agree that VLAN's are in fact a whole study case alone, but surely at the same time it's quite exciting as new concepts and methods of ensuring stability, speed and reliability are revealed.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot; align=&quot;left&quot;&gt;This completes our &lt;strong&gt;in-depth discussion&lt;/strong&gt; on the &lt;strong&gt;VTP Protocol messages&lt;/strong&gt;. Next up is &lt;a href=&quot;https://www.firewall.cx/networking/vlan-networks/vtp-pruning.html&quot; target=&quot;_blank&quot; title=&quot;VTP Prunning&quot;&gt;VTP Prunning&lt;/a&gt;, a much needed service that ensures our network backbone is not constantly flooded with unnecessary traffic. We are sure you'll enjoy the page, along with the awesome diagrams we have prepared.&lt;/p&gt;</summary>
		<content type="html">&lt;p&gt;&lt;img src=&quot;https://www.firewall.cx//images/stories/vtp-analysis-intro.webp&quot; alt=&quot;VTP Protocol Analysis&quot;&gt;&lt;/p&gt;&lt;p&gt;&lt;img src=&quot;https://www.firewall.cx/images/stories/vtp-analysis-intro.webp&quot; alt=&quot;vtp protocol analysis&quot; style=&quot;margin: 7px; float: left;&quot; title=&quot;vtp protocol analysis&quot; /&gt;The &lt;a href=&quot;https://www.firewall.cx/networking/vlan-networks/vtp-introduction.html&quot; target=&quot;_blank&quot; title=&quot;VTP Modes&quot;&gt;previous article&lt;/a&gt; introduced the &lt;strong&gt;VTP protocol&lt;/strong&gt; and examined how it can be used within a network to help manage VLANs and ease the administrative overhead, providing a stress-free VLAN environment by automatically updating all the network switches with the latest VLAN information.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;This article extends on the above by delving into the &lt;strong&gt;VTP protocol&lt;/strong&gt; itself and analysing its structure and format, in order to gain a better understanding of it and enhance your troubleshooting skills.&lt;/p&gt;
&lt;h2&gt;The VTP Protocol Structure&lt;/h2&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;We've mentioned that the &lt;strong&gt;VTP protocol&lt;/strong&gt; runs only over &lt;a href=&quot;https://www.firewall.cx/networking/vlan-networks/vlan-access-trunk-links.html&quot; target=&quot;_blank&quot; title=&quot;trunk links&quot;&gt;trunk links&lt;/a&gt; interconnecting switches in the network. Whether you're using &lt;a href=&quot;https://www.firewall.cx/networking/vlan-networks/vlan-isl-analysis.html&quot; target=&quot;_blank&quot; title=&quot;ISL Protocol&quot;&gt;ISL&lt;/a&gt; or &lt;a href=&quot;https://www.firewall.cx/networking/vlan-networks/vlan-8021q-analysis.html&quot; target=&quot;_blank&quot; title=&quot;IEEE 802.1q Protocol&quot;&gt;IEEE 802.1q&lt;/a&gt; as your encapsulation protocol, it really doesn't matter as the VTP structure in both cases remains the same.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;Following are the fields that make up the &lt;strong&gt;VTP protocol&lt;/strong&gt; header:&lt;/p&gt;
&lt;ul class=&quot;check&quot; style=&quot;text-align: justify;&quot;&gt;
&lt;li type=&quot;square&quot;&gt;&lt;strong&gt;VTP Protocol Version (1 or 2)&lt;/strong&gt;&lt;/li&gt;
&lt;li type=&quot;square&quot;&gt;&lt;strong&gt;VTP Message Type (See Below)&lt;/strong&gt;&lt;/li&gt;
&lt;li type=&quot;square&quot;&gt;&lt;strong&gt;Management Domain Length&lt;/strong&gt;&lt;/li&gt;
&lt;li type=&quot;square&quot;&gt;&lt;strong&gt;Management Domain Name&lt;/strong&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;What we need to note here is that, because there are a variety of &lt;strong&gt;VTP Message Types&lt;/strong&gt;, the rest of the &lt;strong&gt;VTP Header&lt;/strong&gt; changes depending on the message, but the fields mentioned above are always included.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;To be more specific, here are the different messages currently supported by the VTP protocol:&lt;/p&gt;
&lt;ul class=&quot;check&quot;&gt;
&lt;li&gt;&lt;strong&gt;Summary Advertisements&lt;/strong&gt;&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Subset Advertisement&lt;/strong&gt;&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Advertisement Requests&lt;/strong&gt;&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;VTP Join Messages&lt;/strong&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;It is obvious that all switches use these different messages to request information or advertise the VLANs they are aware of. These messages are extremely important to understand as they are the foundations of the VTP protocol.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;We'll take each message and analyse them individually, explaining their purpose and usage, but before we proceed, let's take a quick visual look at the messages and their types to help make all the above clearer:&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;&lt;img src=&quot;https://www.firewall.cx/images/stories/vlans-vtp-analysis-1.gif&quot; alt=&quot;vlans-vtp-analysis-1&quot; width=&quot;484&quot; height=&quot;220&quot; style=&quot;display: block; margin-left: auto; margin-right: auto;&quot; /&gt;&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;First up is the&amp;nbsp;&lt;strong&gt;Summary Advertisement&lt;/strong&gt;.&lt;/p&gt;
&lt;h2&gt;VTP Protocol - Summary Advertisement Message&lt;/h2&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;The &lt;strong&gt;Summary Advertisement&lt;/strong&gt; message is issued by all &lt;strong&gt;VTP Domain Servers&lt;/strong&gt; at &lt;strong&gt;5 minute intervals&lt;/strong&gt;, or every &lt;strong&gt;300 seconds&lt;/strong&gt;. These advertisements provide nearby Catalyst switches with a variety of information, including the &lt;strong&gt;VTP Domain name&lt;/strong&gt;, &lt;strong&gt;configuration revision number&lt;/strong&gt;, &lt;strong&gt;timestamp&lt;/strong&gt;, &lt;strong&gt;MD5 hash&lt;/strong&gt;, and the number of &lt;strong&gt;subset advertisements&lt;/strong&gt; to follow.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;The &lt;strong&gt;configuration revision number&lt;/strong&gt; is a value each switch stores to help it identify new changes made in the &lt;strong&gt;VTP domain&lt;/strong&gt;, similar to how DNS keeps track of changes to its resource records via the &lt;a href=&quot;https://www.firewall.cx/networking/network-protocols/dns-protocol.html&quot; target=&quot;_blank&quot; title=&quot;DNS Protocol&quot;&gt;DNS serial number&lt;/a&gt;. Each time the VTP Server configuration is changed, the configuration revision number will automatically &lt;strong&gt;increment by one&lt;/strong&gt;.&lt;/p&gt;
&lt;p&gt;When a switch receives a &lt;strong&gt;summary advertisement message&lt;/strong&gt;, it will first compare the &lt;strong&gt;VTP domain name&lt;/strong&gt; (Mgmt Domain Name field) with its own.&lt;/p&gt;
&lt;p&gt;&lt;img src=&quot;https://www.firewall.cx/images/stories/vlans-vtp-analysis-2.gif&quot; alt=&quot;vlans-vtp-analysis-2&quot; width=&quot;600&quot; height=&quot;168&quot; style=&quot;display: block; margin-left: auto; margin-right: auto;&quot; /&gt;&lt;/p&gt;
&lt;p&gt;If the &lt;strong&gt;Domain Name&lt;/strong&gt; is found to be different, the switch will not process the message but will still forward it out its trunk links. However, in the likely case that the domain name is the same, it will then check the &lt;strong&gt;configuration revision number&lt;/strong&gt; (Config Revision No.) and, if it is found to be the same as or lower than its own, it will &lt;strong&gt;ignore the advertisement&lt;/strong&gt;. If, however, it is found to be greater, an &lt;strong&gt;advertisement request&lt;/strong&gt; is sent out.&lt;/p&gt;
&lt;p&gt;The &lt;strong&gt;Updater Identity&lt;/strong&gt; field contains the &lt;strong&gt;IP Address&lt;/strong&gt; of the switch that last incremented the &lt;strong&gt;Configuration Revision Number&lt;/strong&gt;, while the &lt;strong&gt;Update Timestamp&lt;/strong&gt; field gives the time the last update took place.&lt;/p&gt;
&lt;p&gt;The &lt;strong&gt;Message Digest 5&lt;/strong&gt; (MD5) field carries a hash that incorporates the VTP password, if one is configured, and is used to authenticate and validate a VTP update. Furthermore, VTP takes the &lt;strong&gt;VTP domain name&lt;/strong&gt; into account when calculating the &lt;strong&gt;VTP MD5 hash&lt;/strong&gt;. The MD5 hash &lt;strong&gt;is different&lt;/strong&gt; each time a &lt;strong&gt;VTP update message&lt;/strong&gt; is transmitted, even though the domain name and password (null by default) remain the same. This is because the &lt;strong&gt;configuration revision number&lt;/strong&gt; is also &lt;strong&gt;used to calculate the MD5 hash&lt;/strong&gt;; as the revision number changes after creating a VLAN, the MD5 hash changes with it.&lt;/p&gt;
&lt;p&gt;Lastly, summary advertisements are usually followed by &lt;strong&gt;Subset Advertisements&lt;/strong&gt;; this is indicated by the&amp;nbsp;&lt;strong&gt;Followers&lt;/strong&gt; field. The Subset Advertisement is the next message we'll be closely examining.&lt;/p&gt;
&lt;h2&gt;VTP Protocol - Subset Advertisement&lt;/h2&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;As mentioned in the previous section, when VLAN changes are made on the Catalyst VTP Server, it will then issue a &lt;strong&gt;Summary Advertisement&lt;/strong&gt;, followed by a &lt;strong&gt;Subset Advertisement&lt;/strong&gt;. Depending on how many VLANs are configured in the domain, there might be more than one &lt;strong&gt;Subset Advertisement&lt;/strong&gt; sent to ensure all VLAN information is updated on the VTP Clients.&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;&lt;img src=&quot;https://www.firewall.cx/images/stories/vlans-vtp-analysis-3.gif&quot; alt=&quot;vlans-vtp-analysis-3&quot; width=&quot;476&quot; height=&quot;184&quot; style=&quot;display: block; margin-left: auto; margin-right: auto;&quot; /&gt;&lt;/p&gt;
&lt;p&gt;Comparing the fields of this message with the previous one, you'll notice most of them are identical, except for the &lt;strong&gt;Sequence No.&lt;/strong&gt; and &lt;strong&gt;VLAN Info. Field&lt;/strong&gt;.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;The &lt;strong&gt;Code&lt;/strong&gt; field for a &lt;strong&gt;Subset Advertisement&lt;/strong&gt; of this type is set to &lt;strong&gt;0x02&lt;/strong&gt; while the &lt;strong&gt;Sequence No.&lt;/strong&gt; field contains the sequence of the packet in the stream of packets following a summary advertisement. The sequence starts with 1 and increments based on the number of packets in the stream.&lt;/p&gt;
&lt;p&gt;Apart from these fields, we also have the &lt;strong&gt;VLAN Info Field&lt;/strong&gt;, which happens to be the most important as it contains all the VLAN information the switches are waiting for.&lt;/p&gt;
&lt;p&gt;The &lt;strong&gt;VLAN Info Field&lt;/strong&gt; will be presented in segments. Its complexity and importance require us to break it up further and analyse the subfields it contains:&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;&lt;img src=&quot;https://www.firewall.cx/images/stories/vlans-vtp-analysis-4.gif&quot; alt=&quot;vlans-vtp-analysis-4&quot; width=&quot;602&quot; height=&quot;226&quot; style=&quot;display: block; margin-left: auto; margin-right: auto;&quot; /&gt;&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;Each &lt;strong&gt;VLAN Info Field&lt;/strong&gt; contains all the information required for one VLAN. This means that if our network runs 10 VLANs and a &lt;strong&gt;Subset Advertisement&lt;/strong&gt; is triggered, the VTP Server will send a total of &lt;strong&gt;10 Subset Advertisements&lt;/strong&gt;, since each &lt;strong&gt;VLAN Info Field&lt;/strong&gt; contains data for one VLAN.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;The most important subfields in the &lt;strong&gt;VLAN Info Field&lt;/strong&gt; are the &lt;strong&gt;VLAN Name Length&lt;/strong&gt;, &lt;strong&gt;ISL VLAN ID&lt;/strong&gt;, &lt;strong&gt;MTU Size&lt;/strong&gt; and &lt;strong&gt;VLAN Name&lt;/strong&gt;. These subfields contain critical information about the VLAN advertised in the particular Subset Advertisement frame. Some might be surprised to see a setting such as the MTU being configurable per VLAN; this confirms that each VLAN is treated as a separate network, where even different MTU sizes are possible amongst your network's VLANs.&lt;/p&gt;
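&lt;p style=&quot;text-align: justify;&quot;&gt;To make the receive-side logic concrete, here is an added Python example (not code from the original article, nor Cisco's own implementation) that builds a constructed Summary Advertisement and two Subset Advertisements in the layout shown in the diagrams, parses them back, applies the domain name and configuration revision checks described in the Summary Advertisement section, and then assembles the VLAN table from the VLAN Info Fields described in this section. The byte offsets (a 32-byte padded domain name, a 4-byte revision, a 12-byte timestamp and a 16-byte MD5 field in the summary; a VLAN Info Field of total length, status, type, name length, ISL VLAN ID, MTU, 802.10 index and a name padded to a multiple of 4 bytes) are assumed from the standard Cisco VTP version 1 format. The domain name, revision numbers, updater address and VLANs are constructed sample values, and the MD5 digest is left zeroed because Cisco's digest algorithm is not reproduced here.&lt;/p&gt;

```python
"""VTP v1 frame parsing and the receive-side checks described in the text.
Added example: the byte layout is assumed from the standard Cisco VTP v1
format, and every sample frame is constructed here, not captured from a switch."""
import struct

VTP_SUMMARY, VTP_SUBSET, VTP_REQUEST = 0x01, 0x02, 0x03


def _prefix(code, third, domain, revision):
    """Common 40-byte prefix: version(1) code(1) followers-or-sequence(1)
    domain length(1) domain name padded to 32 bytes, configuration revision(4)."""
    name = domain.encode()
    return (struct.pack("!BBBB", 1, code, third, len(name))
            + name.ljust(32, b"\x00") + struct.pack("!I", revision))


def build_summary(domain, revision, followers, updater="10.0.0.1"):
    """Summary Advertisement: prefix + updater identity(4) + timestamp(12) + MD5(16).
    The MD5 field is zeroed: Cisco's digest algorithm is not reproduced here."""
    ip = bytes(int(octet) for octet in updater.split("."))
    return _prefix(VTP_SUMMARY, followers, domain, revision) + ip + b"110608082212" + bytes(16)


def build_vlan_info(vlan_id, name, mtu=1500, status=0, vlan_type=1):
    """One VLAN Info Field: total length(1) status(1) type(1) name length(1)
    ISL VLAN ID(2) MTU(2) 802.10 index(4) name padded to a 4-byte multiple."""
    raw = name.encode()
    padded = raw.ljust((len(raw) + 3) // 4 * 4, b"\x00")
    body = struct.pack("!BBBHHI", status, vlan_type, len(raw), vlan_id, mtu, 0x100000 + vlan_id) + padded
    return bytes([len(body) + 1]) + body


def build_subset(domain, revision, sequence, vlan_infos):
    """Subset Advertisement: prefix (third byte is the Sequence No.) + VLAN Info Fields."""
    return _prefix(VTP_SUBSET, sequence, domain, revision) + b"".join(vlan_infos)


def parse_prefix(frame):
    version, code, third, dlen = struct.unpack("!BBBB", frame[:4])
    (revision,) = struct.unpack("!I", frame[36:40])
    return {"version": version, "code": code, "third": third,
            "domain": frame[4:4 + dlen].decode(), "revision": revision}


def parse_summary(frame):
    msg = parse_prefix(frame)
    if msg["code"] != VTP_SUMMARY:
        raise ValueError("not a Summary Advertisement")
    msg["followers"] = msg.pop("third")
    msg["updater"] = ".".join(str(b) for b in frame[40:44])
    msg["timestamp"] = frame[44:56].decode()
    msg["md5"] = frame[56:72]
    return msg


def parse_subset(frame):
    msg = parse_prefix(frame)
    if msg["code"] != VTP_SUBSET:
        raise ValueError("not a Subset Advertisement")
    msg["sequence"] = msg.pop("third")
    vlans, offset = [], 40
    while len(frame) - offset >= 12:  # 12 bytes is the smallest VLAN Info Field
        total = frame[offset]
        status, vlan_type, name_len, vlan_id, mtu, said = struct.unpack("!BBBHHI", frame[offset + 1:offset + 12])
        name = frame[offset + 12:offset + 12 + name_len].decode()
        vlans.append({"vlan_id": vlan_id, "name": name, "mtu": mtu,
                      "status": status, "type": vlan_type, "said": said})
        offset += total
    msg["vlans"] = vlans
    return msg


def on_summary(own_domain, own_revision, summary):
    """Receive-side decision from the text: a foreign domain name means the frame
    is not processed (only forwarded on trunks); a revision equal to or below
    our own is ignored; only a higher revision triggers an Advertisement Request."""
    if summary["domain"] != own_domain:
        return "forward-only"
    if not summary["revision"] > own_revision:
        return "ignore"
    return "send-advertisement-request"


def apply_subsets(summary, subsets):
    """Accept the Subset Advertisements that follow a Summary Advertisement only if
    their count matches the Followers field, their Sequence No. runs 1..N and they
    carry the same domain and revision; return the resulting VLAN table."""
    if len(subsets) != summary["followers"]:
        raise ValueError("followers count mismatch")
    table = {}
    for expected, sub in enumerate(subsets, start=1):
        if (sub["sequence"], sub["domain"], sub["revision"]) != (expected, summary["domain"], summary["revision"]):
            raise ValueError("subset %d does not belong to this summary" % expected)
        for vlan in sub["vlans"]:
            table[vlan["vlan_id"]] = vlan
    return table


if __name__ == "__main__":
    summary = parse_summary(build_summary("FIREWALL", 7, 2))
    print(on_summary("FIREWALL", 6, summary))  # a lower local revision: request the update
    subsets = [parse_subset(build_subset("FIREWALL", 7, 1, [build_vlan_info(10, "Sales")])),
               parse_subset(build_subset("FIREWALL", 7, 2, [build_vlan_info(20, "Engineering", mtu=9000)]))]
    print(apply_subsets(summary, subsets))
```

&lt;p style=&quot;text-align: justify;&quot;&gt;The check that matters for security is on_summary: a frame from a different domain is never acted on, and only a strictly higher configuration revision number moves a switch to request and accept a new VLAN database. That is why the revision number, and the VTP password from which the MD5 field is derived, deserve attention whenever a switch is added to a domain.&lt;/p&gt;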
&lt;h2&gt;Advertisement Requests&lt;/h2&gt;
&lt;p style=&quot;text-align: justify;&quot; align=&quot;left&quot;&gt;Turning a Cisco switch off will result in it losing &lt;strong&gt;all&lt;/strong&gt; the VTP information stored in its memory (RAM). When the switch is next turned on, all its database information is reset and must therefore be updated with the latest version available from the VTP Server(s).&lt;/p&gt;
&lt;p&gt;A switch will also send an &lt;strong&gt;Advertisement Request&lt;/strong&gt; when it hears a &lt;strong&gt;VTP summary advertisement&lt;/strong&gt; with a &lt;strong&gt;higher revision number&lt;/strong&gt; than what it currently has. Another scenario where a request would be issued is when the &lt;strong&gt;VTP domain membership&lt;/strong&gt; has changed, even though this is quite uncommon since the VTP domain name is rarely, if ever, changed after its initial configuration.&lt;/p&gt;
&lt;p&gt;So what happens when an &lt;strong&gt;Advertisement Request&lt;/strong&gt; is sent on the network?&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot; align=&quot;left&quot;&gt;As you will already be aware from the &lt;strong&gt;message types&lt;/strong&gt; covered, the &lt;strong&gt;VTP Server&lt;/strong&gt; will respond with a &lt;strong&gt;Summary Advertisement&lt;/strong&gt;, followed by as many &lt;strong&gt;Subset Advertisements&lt;/strong&gt; as are required to inform the &lt;strong&gt;VTP Clients&lt;/strong&gt; about the configured VLANs.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot; align=&quot;left&quot;&gt;The diagram below shows the structure of an &lt;strong&gt;Advertisement Request&lt;/strong&gt; sent by a &lt;strong&gt;VTP Client switch&lt;/strong&gt;:&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;&lt;img src=&quot;https://www.firewall.cx/images/stories/vlans-vtp-analysis-5.gif&quot; alt=&quot;vlans-vtp-analysis-5&quot; width=&quot;447&quot; height=&quot;166&quot; style=&quot;display: block; margin-left: auto; margin-right: auto;&quot; /&gt;&lt;/p&gt;
&lt;p&gt;Most fields, as you can see, are similar to those in the previous messages we've seen, except two: the &lt;strong&gt;Reserved&lt;/strong&gt; field and the &lt;strong&gt;Starting Advertisement To Request&lt;/strong&gt; field. The &lt;strong&gt;Reserved&lt;/strong&gt; field is exactly what it implies, reserved and not used in &lt;strong&gt;Advertisement Request&lt;/strong&gt; messages, while the &lt;strong&gt;Starting Advertisement To Request&lt;/strong&gt; field is the actual request sent by the &lt;strong&gt;VTP Client&lt;/strong&gt;.&lt;/p&gt;
&lt;h2&gt;VTP Join Messages&lt;/h2&gt;
&lt;p style=&quot;text-align: justify;&quot; align=&quot;left&quot;&gt;&lt;strong&gt;VTP Join Messages&lt;/strong&gt; are similar to the &lt;strong&gt;Advertisement Request&lt;/strong&gt; messages but with a different &lt;strong&gt;Message Type&lt;/strong&gt; field value and a few more parameters. As indicated by the message name, a &lt;strong&gt;VTP Join Message&lt;/strong&gt; is sent by the&amp;nbsp;&lt;strong&gt;VTP Client&lt;/strong&gt;, and directed to the &lt;strong&gt;VTP Server&lt;/strong&gt;, when it first joins a &lt;strong&gt;VTP domain&lt;/strong&gt;.&lt;/p&gt;
&lt;h2 style=&quot;text-align: justify;&quot; align=&quot;left&quot;&gt;Other VTP Options - VTP Password&lt;/h2&gt;
&lt;p style=&quot;text-align: justify;&quot; align=&quot;left&quot;&gt;The &lt;strong&gt;VTP Password&lt;/strong&gt; is a necessary feature to ensure the security and integrity of VTP messages. With the password feature, you are able to secure your &lt;strong&gt;VTP Domain&lt;/strong&gt;, since only switches configured with the correct password are able to validate and accept the &lt;strong&gt;VTP messages&lt;/strong&gt; advertised in the management VLAN.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot; align=&quot;left&quot;&gt;By default the &lt;strong&gt;VTP Password&lt;/strong&gt; option is not turned on and therefore most management VLANs are set to use non-secure advertisements. Once enabled on the VTP Domain Server(s), all switches participating in the domain must be manually configured with the same password, otherwise they will fail to validate incoming VTP messages.&lt;/p&gt;
&lt;h2&gt;Summary&lt;/h2&gt;
&lt;p style=&quot;text-align: justify;&quot; align=&quot;left&quot;&gt;This page analysed the structure of each message the VTP protocol currently supports to maintain the network's switches in synchronisation with the VTP domain server(s):&lt;/p&gt;
&lt;ul class=&quot;check&quot;&gt;
&lt;li&gt;&lt;strong&gt;Summary Advertisements&lt;/strong&gt;&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Subset Advertisement&lt;/strong&gt;&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Advertisement Requests&lt;/strong&gt;&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;VTP Join Messages&lt;/strong&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;p style=&quot;text-align: justify;&quot; align=&quot;left&quot;&gt;We're sure you would agree that VLANs are a whole field of study on their own, but at the same time it's quite exciting as new concepts and methods of ensuring stability, speed and reliability are revealed.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot; align=&quot;left&quot;&gt;This completes our &lt;strong&gt;in-depth discussion&lt;/strong&gt; on the &lt;strong&gt;VTP Protocol messages&lt;/strong&gt;. Next up is &lt;a href=&quot;https://www.firewall.cx/networking/vlan-networks/vtp-pruning.html&quot; target=&quot;_blank&quot; title=&quot;VTP Pruning&quot;&gt;VTP Pruning&lt;/a&gt;, a much needed service that ensures our network backbone is not constantly flooded with unnecessary traffic. We are sure you'll enjoy the page, along with the awesome diagrams we have prepared.&lt;/p&gt;</content>
		<category term="VLAN Networks" />
	</entry>
	<entry>
		<title>VTP Introduction &amp; Modes</title>
		<link rel="alternate" type="text/html" href="https://www.firewall.cx/networking/vlan-networks/vtp-introduction.html"/>
		<published>2011-05-30T06:45:10+10:00</published>
		<updated>2011-05-30T06:45:10+10:00</updated>
		<id>https://www.firewall.cx/networking/vlan-networks/vtp-introduction.html</id>
		<author>
			<name>Administrator</name>
		</author>
		<summary type="html">&lt;p&gt;&lt;img src=&quot;https://www.firewall.cx//images/stories/vtp-introduction-intro.webp&quot; alt=&quot;Introduction to VTP and VTP Modes&quot;&gt;&lt;/p&gt;&lt;p style=&quot;text-align: justify;&quot;&gt;&lt;img src=&quot;https://www.firewall.cx/images/stories/vtp-introduction-intro.webp&quot; alt=&quot;vtp introduction intro&quot; style=&quot;margin: 7px; float: left;&quot; title=&quot;vtp introduction&quot; /&gt;The invention of VLANs was very much welcomed by all engineers and administrators, allowing them to extend, redesign and segment their existing network with minimal costs, while at the same time making it more secure, faster and reliable!&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;If you're responsible for a network of up to 4-6 switches that include a few VLANs, then you'll surely agree that it's usually a low overhead to administer them and periodically make changes - most engineers can live with that:)&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;Ask an engineer who's in charge of a medium to large scale network, however, and you will definitely not receive the same answer, simply because these small changes can quickly become a nightmare; add the possibility of human error, and the result could be network outages and possibly downtime.&lt;/p&gt;
&lt;h2&gt;Welcome To Virtual Trunk Protocol (VTP)&lt;/h2&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;VTP, a Cisco proprietary protocol, was designed by Cisco with the network engineer and administrator in mind, reducing the administration overhead and the possibility of error as described above in any switched network environment.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;When a new VLAN is created and configured on a switch without the VTP protocol enabled, this must be manually replicated to all switches on the network so they are all aware of the newly created VLAN. This means that the administrator must configure each switch separately, a task that requires a lot of time and adds a considerable amount of overhead depending on the size of the network.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;The configuration of a VLAN includes the VLAN number, name and a few more parameters which will be analysed further on. This information is then stored on each switch's NVRAM and any VLAN changes made to any switch must again be replicated manually on all switches.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;If the idea of manually updating all switches within your network doesn't scare you because your network is small, then imagine updating more than 15-20 switches a few times per week, so your network can respond to your organisation's needs....have we got you thinking now? :)&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;With the VTP protocol configured and operating, you can forget about running around making sure you have updated all switches as you only need to make the changes on the nominated VTP server switch(es) on your network. This will also ensure these changes are magically propagated to all other switches regardless of where they are.&lt;/p&gt;
&lt;h2&gt;Introducing The VTP Modes&lt;/h2&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;The &lt;strong&gt;VTP protocol&lt;/strong&gt; is a fairly complex protocol, but easy to understand and implement once you get to know it. Currently, 3 different versions of the protocol exist, that is, version 1, 2 (adds support for Token Ring networks) and 3, with the first version being used in most networks.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;Whichever version is in use, VTP operates in one of 3 different modes: Server, Client and Transparent mode, giving us maximum flexibility over how changes in the network affect the rest of our switches. To help keep things simple and in order to avoid confusion, we will work with the first version of the &lt;strong&gt;VTP protocol - VTP v1&lt;/strong&gt;, covering more than 90% of networks.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;Below you'll find the 3 modes in which the VTP protocol can operate on any switch throughout the network:&lt;/p&gt;
&lt;ul class=&quot;check&quot; style=&quot;text-align: justify;&quot;&gt;
&lt;li&gt;&lt;strong&gt;VTP Server mode&lt;/strong&gt;&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;VTP Client mode&lt;/strong&gt;&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;VTP Transparent mode&lt;/strong&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;Each mode has been designed to cover specific network setups and needs, as we are about to see, but for now, we need to understand the purpose of each mode and the following network diagram will help us do exactly that.&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;&lt;img src=&quot;https://www.firewall.cx/images/stories/vlans-vtp-1.gif&quot; alt=&quot;vlans-vtp-1&quot; width=&quot;552&quot; height=&quot;406&quot; style=&quot;display: block; margin-left: auto; margin-right: auto;&quot; /&gt;&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;A typical setup involves at least one switch configured as a &lt;strong&gt;VTP Server&lt;/strong&gt;, and multiple switches configured as &lt;strong&gt;VTP Clients&lt;/strong&gt;. The logic behind this setup is that all information regarding VLANs is stored only on the &lt;strong&gt;VTP Server&lt;/strong&gt; switch from which all clients are updated. Any change in the &lt;strong&gt;VLAN database&lt;/strong&gt; will trigger an update from the &lt;strong&gt;VTP Server&lt;/strong&gt; towards all &lt;strong&gt;VTP clients&lt;/strong&gt; so they can update their database.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;Lastly, be informed that these &lt;strong&gt;VTP updates&lt;/strong&gt; will &lt;strong&gt;only traverse Trunk links&lt;/strong&gt;. This means that you must ensure that all switches connect to the network backbone via &lt;strong&gt;Trunk links&lt;/strong&gt;, otherwise &lt;strong&gt;no VTP updates&lt;/strong&gt; will reach the rest of the switches.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot; align=&quot;left&quot;&gt;Let's now take a closer look at what each &lt;strong&gt;VTP mode&lt;/strong&gt; does and where it can be used.&lt;/p&gt;
&lt;h2 align=&quot;left&quot;&gt;VTP Server Mode&lt;/h2&gt;
&lt;p style=&quot;text-align: justify;&quot; align=&quot;left&quot;&gt;By default all switches are configured as &lt;strong&gt;VTP Servers&lt;/strong&gt; when first powered on. All VLAN information such as VLAN number and VLAN name is &lt;strong&gt;stored locally&lt;/strong&gt;, on a separate &lt;strong&gt;NVRAM&lt;/strong&gt; memory which is where the device's &lt;strong&gt;startup-config&lt;/strong&gt; is stored. This happens only when the switch is in &lt;strong&gt;VTP Server mode&lt;/strong&gt;.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot; align=&quot;left&quot;&gt;For small networks with a limited number of switches and VLANs, storing all VLAN information on every switch is usually not a problem, but as the network expands and VLANs increase in number, it becomes a problem and a decision must be made to select a few powerful switches as the VTP Servers while configuring all other switches to VTP Client mode.&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;&lt;img src=&quot;https://www.firewall.cx/images/stories/vlans-vtp-2.gif&quot; alt=&quot;vlans-vtp-2&quot; width=&quot;552&quot; height=&quot;379&quot; style=&quot;display: block; margin-left: auto; margin-right: auto;&quot; /&gt;&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;The diagram above shows a Cisco Catalyst 3550 selected to take the role of the network's VTP Server since it is the most powerful switch. All other Catalyst switches have been configured as VTP Clients, obtaining all VLAN information and updates from the 3550 VTP Server.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;The method and frequency by which these updates occur is covered in much detail on the pages that follow, so we won't get into any more detail at this point. However, for those who noticed, there is a new concept introduced in the above diagram that we haven't spoken about: The VTP Domain.&lt;/p&gt;
&lt;h2&gt;The VTP Domain - VLAN Management Domain&lt;/h2&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;The &lt;strong&gt;VTP Domain&lt;/strong&gt;, also known as the &lt;strong&gt;VLAN Management Domain&lt;/strong&gt;, is a &lt;strong&gt;VTP parameter&lt;/strong&gt; configured on every switch connected to the network and used to define the switches that will participate in any changes or updates made in the specified VTP domain.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;Naturally, the core switch (VTP Server) and all other switches participate in the same domain, e.g. 'firewall', so when the VTP Server advertises new VLAN information for the VTP 'firewall' domain, only clients (switches) configured with the same VTP Domain parameter will accept and process these changes, while the rest will simply ignore them.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;Lastly, some people tend to relate the VTP Domain with the Internet Domain name space, however, this is completely incorrect. Even though the acronym 'DNS' contains the word 'Domain', it is not related in any way with the VTP Domain. Here (in VTP land), the word 'Domain' is simply used to describe a logical area in which certain hosts (switches) belong to or participate in, and are affected by any changes made within it.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;We should also note that all Cisco switches default to &lt;strong&gt;VTP Server mode&lt;/strong&gt; but will not transmit any VLAN information to the network until a &lt;strong&gt;VTP Domain&lt;/strong&gt; is set on the switch.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;At this point we are only referencing the &lt;strong&gt;VTP Domain concept&lt;/strong&gt; as this is also analyzed in greater depth further on, so let's continue with the VTP modes!&lt;/p&gt;
&lt;h2 align=&quot;left&quot;&gt;VTP Client Mode&lt;/h2&gt;
&lt;p style=&quot;text-align: justify;&quot; align=&quot;left&quot;&gt;In Client Mode, a switch will accept and store in its RAM all VLAN information received from the VTP Server; however, this information is also saved in NVRAM, so if the switch is powered off, it won't lose its VLAN information.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot; align=&quot;left&quot;&gt;The VTP Client behaves like a VTP Server, but you are unable to create, modify or delete VLANs on it.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot; align=&quot;left&quot;&gt;In most networks, the clients connect directly to the VTP Server as shown in our previous diagram. If, for any reason, two clients are cascaded together, then the information will propagate downwards via the available Trunk links, ensuring it reaches all switches:&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;&lt;img src=&quot;https://www.firewall.cx/images/stories/vlans-vtp-3.gif&quot; alt=&quot;vlans-vtp-3&quot; width=&quot;397&quot; height=&quot;277&quot; style=&quot;display: block; margin-left: auto; margin-right: auto;&quot; /&gt;&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot; align=&quot;left&quot;&gt;The diagram shows a 3550 Catalyst switch configured as a VTP Server and 4 Catalyst 2950 switches configured as VTP Clients and cascaded below our 3550. When the VTP Server sends a VTP update, this will travel through all trunk links (ISL, 802.1q, 802.10 and ATM LANE), as shown in the diagram.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot; align=&quot;left&quot;&gt;The advertised information will first reach the two Catalyst 2950 switches directly connected to the 3550 and will then travel through the trunk links to the cascaded switches below. If the link between the cascaded 2950s was not a trunk link but an access link, then the 2nd set of switches would not receive any VTP updates:&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;&lt;img src=&quot;https://www.firewall.cx/images/stories/vlans-vtp-4.gif&quot; alt=&quot;vlans-vtp-4&quot; width=&quot;397&quot; height=&quot;277&quot; style=&quot;display: block; margin-left: auto; margin-right: auto;&quot; /&gt;&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot; align=&quot;left&quot;&gt;As you can see, the VTP updates will happily arrive at the first Catalyst switches but stop there, as there are no trunk links between them and the 2950s below them. It is very important that you keep this in mind when designing a network or making changes to an existing one.&lt;/p&gt;
&lt;h2 align=&quot;left&quot;&gt;VTP Transparent Mode&lt;/h2&gt;
&lt;p style=&quot;text-align: justify;&quot; align=&quot;left&quot;&gt;The &lt;strong&gt;VTP Transparent mode&lt;/strong&gt; is something between a &lt;strong&gt;VTP Server&lt;/strong&gt; and a &lt;strong&gt;VTP Client&lt;/strong&gt; but does not participate in the &lt;strong&gt;VTP Domain&lt;/strong&gt;.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot; align=&quot;left&quot;&gt;In &lt;strong&gt;Transparent mode&lt;/strong&gt;, you are able to create, modify and delete VLANs on the local switch, without affecting any other switches regardless of the mode they might be in. Most importantly, if the transparently configured switch receives an advertisement containing VLAN information, it will ignore it but at the same time forward it out its trunk ports to any other switches it might be connected to.&lt;/p&gt;
&lt;p class=&quot;info&quot;&gt;Note: A &lt;strong&gt;Transparent VTP switch&lt;/strong&gt; will act as a &lt;strong&gt;VTP relay&lt;/strong&gt; (forward all VTP information it receives, out its trunk ports) only when &lt;strong&gt;VTP version 2&lt;/strong&gt; is used in the network. With &lt;strong&gt;VTP version 1&lt;/strong&gt;, the transparent switch will simply ignore and discard any VTP messages received from the rest of the network.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot; align=&quot;left&quot;&gt;Lastly, all switches configured to operate in &lt;strong&gt;Transparent mode&lt;/strong&gt; save their configuration in their NVRAM (just like the previous two modes) but do not advertise any VLAN information of their own, even though they will happily forward any VTP information received from the rest of the network.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot; align=&quot;left&quot;&gt;This important functionality allows transparently configured switches to be placed anywhere within the network, without any implications for the rest of the network because, as mentioned, they act as a repeater for any VLAN information received:&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;&lt;img src=&quot;https://www.firewall.cx/images/stories/vlans-vtp-5.gif&quot; alt=&quot;vlans-vtp-5&quot; width=&quot;453&quot; height=&quot;203&quot; style=&quot;display: block; margin-left: auto; margin-right: auto;&quot; /&gt;&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot; align=&quot;left&quot;&gt;Our 3550 Catalyst here is configured as a &lt;strong&gt;VTP Server&lt;/strong&gt; for the domain labelled &quot;Firewall&quot;. In addition, we have two switches configured in VTP Client mode, obtaining their VLAN information from the 3550 &lt;strong&gt;VTP Server&lt;/strong&gt;, but between these two VTP Clients, we have placed another switch configured to run in &lt;strong&gt;VTP Transparent mode&lt;/strong&gt;.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot; align=&quot;left&quot;&gt;Our Transparent switch has been configured with the domain called &quot;Lab&quot;, and as such, the switch will forward all incoming VTP updates belonging to the &quot;Firewall&quot; domain out its other trunk link, without processing the information. At the same time, it won't advertise its own VLAN information to its neighbouring switches.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot; align=&quot;left&quot;&gt;In closing, the &lt;strong&gt;VTP Transparent mode&lt;/strong&gt; is not often used in live networks, but is well worth mentioning and learning about.&lt;/p&gt;
&lt;h2 align=&quot;left&quot;&gt;Summary&lt;/h2&gt;
&lt;p style=&quot;text-align: justify;&quot; align=&quot;left&quot;&gt;This page introduced a few new and very important concepts. The VTP Protocol is considered to be the heart of VLANs in large-scale networks, as it makes VLAN administration easy and transparent for every switch on your network.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot; align=&quot;left&quot;&gt;We briefly spoke about the three different modes offered by the &lt;strong&gt;VTP protocol&lt;/strong&gt;: &lt;strong&gt;Server&lt;/strong&gt;, &lt;strong&gt;Client&lt;/strong&gt; and &lt;strong&gt;Transparent mode&lt;/strong&gt;. To assist in providing a quick summary, the table below shows the main characteristics for each mode:&lt;/p&gt;
&lt;table border=&quot;1&quot; style=&quot;width: 594px; height: 398px;&quot; align=&quot;center&quot;&gt;
&lt;tbody&gt;
&lt;tr&gt;&lt;th scope=&quot;col&quot; style=&quot;width: 129px;&quot; bgcolor=&quot;#003300&quot;&gt;&lt;span style=&quot;color: #ffffff;&quot;&gt;VTP Mode&lt;/span&gt;&lt;/th&gt;&lt;th scope=&quot;col&quot; bgcolor=&quot;#000033&quot;&gt;&lt;span style=&quot;color: #ffffff;&quot;&gt;Description&lt;/span&gt;&lt;/th&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;th scope=&quot;row&quot; style=&quot;height: 153px;&quot;&gt;VTP Server&lt;/th&gt;
&lt;td&gt;
&lt;p&gt;The default mode for all switches supporting VTP. You can create, modify, and delete VLANs and specify other configuration parameters (such as VTP version) for the entire VTP domain.&lt;/p&gt;
&lt;p&gt;VTP servers advertise their VLAN configurations to other switches in the same VTP domain and synchronize their VLAN configurations with other switches based on advertisements received over trunk links. VLAN configurations are saved in NVRAM.&lt;/p&gt;
&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;&lt;th scope=&quot;row&quot;&gt;VTP Client&lt;/th&gt;
&lt;td&gt;Behaves like a VTP server, but you cannot create, change, or delete VLANs on a VTP client. VLAN configurations are saved in NVRAM.&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;&lt;th scope=&quot;row&quot; style=&quot;height: 151px;&quot;&gt;VTP Transparent&lt;/th&gt;
&lt;td&gt;
&lt;p&gt;Does not advertise its VLAN configuration and does not synchronize its VLAN configuration based on received advertisements. However, it will forward VTP advertisements as they are received from other switches.&lt;/p&gt;
&lt;p&gt;You can create, modify, and delete VLANs on a switch in VTP transparent mode. VLAN configurations are saved in NVRAM, but they are not advertised to other switches.&lt;/p&gt;
&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
&lt;p style=&quot;text-align: justify;&quot; align=&quot;left&quot;&gt;All switches by default are configured as &lt;strong&gt;VTP Servers&lt;/strong&gt; but without a domain. At this point we need to select the 'Core' switch (usually the most powerful) and configure it as a VTP Server, while reconfiguring all the rest to Client mode. Also, VTP Updates sent by the Server will only propagate through trunk links configured for ISL, IEEE 802.1q, 802.10 or LANE encapsulation.&lt;/p&gt;
&lt;p&gt;You should be aware that all VTP Messages are sent through what we call the &quot;Management VLAN&quot;. This specially created VLAN is usually the first one in the network - VLAN 1 - and by rule is never used by anyone else other than the switches themselves.&lt;/p&gt;
&lt;p&gt;The creation of a Management VLAN ensures all switches have their own network to communicate between each other without any disruptions.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot; align=&quot;left&quot;&gt;The next article will analyse the &lt;a href=&quot;https://www.firewall.cx/networking/vlan-networks/vtp-analysis.html&quot; target=&quot;_blank&quot; title=&quot;VTP Protocol structure&quot;&gt;VTP Protocol structure&lt;/a&gt;, messages and updates. This will provide a deep understanding of how VTP works and what information its messages contain. For those out there keen on configuring a switch for VTP, it's covered towards the end of the VLAN topic as shown on the &lt;a href=&quot;https://www.firewall.cx/networking/vlan-networks.html&quot; target=&quot;_blank&quot; title=&quot;VLAN Introduction&quot;&gt;VLAN Introduction&lt;/a&gt; page.&lt;/p&gt;</summary>
		<content type="html">&lt;p&gt;&lt;img src=&quot;https://www.firewall.cx//images/stories/vtp-introduction-intro.webp&quot; alt=&quot;Introduction to VTP and VTP Modes&quot;&gt;&lt;/p&gt;&lt;p style=&quot;text-align: justify;&quot;&gt;&lt;img src=&quot;https://www.firewall.cx/images/stories/vtp-introduction-intro.webp&quot; alt=&quot;vtp introduction intro&quot; style=&quot;margin: 7px; float: left;&quot; title=&quot;vtp introduction&quot; /&gt;The invention of VLANs was very much welcomed by all engineers and administrators, allowing them to extend, redesign and segment their existing network with minimal costs, while at the same time making it more secure, faster and reliable!&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;If you're responsible for a network of up to 4-6 switches that include a few VLANs, then you'll surely agree that it's usually a low overhead to administer them and periodically make changes - most engineers can live with that :)&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;Now ask an engineer who's in charge of a medium- to large-scale network and you will definitely not receive the same answer, simply because these small changes can quickly become a nightmare; add the possibility of human error, and the result could be network outages and downtime.&lt;/p&gt;
&lt;h2&gt;Welcome To Virtual Trunk Protocol (VTP)&lt;/h2&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;VTP, a Cisco proprietary protocol, was designed with the network engineer and administrator in mind: it reduces the administration overhead and the possibility of error described above in any switched network environment.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;When a new VLAN is created and configured on a switch without the VTP protocol enabled, this must be manually replicated to all switches on the network so they are all aware of the newly created VLAN. This means that the administrator must configure each switch separately, a task that requires a lot of time and adds a considerable amount of overhead depending on the size of the network.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;The configuration of a VLAN includes the VLAN number, name and a few more parameters which will be analysed further on. This information is then stored on each switch's NVRAM and any VLAN changes made to any switch must again be replicated manually on all switches.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;If the idea of manually updating all switches within your network doesn't scare you because your network is small, then imagine updating more than 15-20 switches a few times per week so your network can respond to your organisation's needs... have we got you thinking now? :)&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;With the VTP protocol configured and operating, you can forget about running around making sure you have updated all switches as you only need to make the changes on the nominated VTP server switch(es) on your network. This will also ensure these changes are magically propagated to all other switches regardless of where they are.&lt;/p&gt;
&lt;h2&gt;Introducing The VTP Modes&lt;/h2&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;The &lt;strong&gt;VTP protocol&lt;/strong&gt; is a fairly complex protocol, but easy to understand and implement once you get to know it. Currently, 3 different versions of the protocol exist, that is, version 1, 2 (adds support for Token Ring networks) and 3, with the first version being used in most networks.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;Whichever version is in use, VTP operates in one of 3 different modes: Server, Client and Transparent mode, giving us maximum flexibility over how changes in the network affect the rest of our switches. To help keep things simple and in order to avoid confusion, we will work with the first version of the &lt;strong&gt;VTP protocol - VTP v1&lt;/strong&gt;, covering more than 90% of networks.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;Below you'll find the 3 modes in which the VTP protocol can operate on any switch throughout the network:&lt;/p&gt;
&lt;ul class=&quot;check&quot; style=&quot;text-align: justify;&quot;&gt;
&lt;li&gt;&lt;strong&gt;VTP Server mode&lt;/strong&gt;&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;VTP Client mode&lt;/strong&gt;&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;VTP Transparent mode&lt;/strong&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;Each mode has been designed to cover specific network setups and needs, as we are about to see, but for now, we need to understand the purpose of each mode and the following network diagram will help us do exactly that.&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;&lt;img src=&quot;https://www.firewall.cx/images/stories/vlans-vtp-1.gif&quot; alt=&quot;vlans-vtp-1&quot; width=&quot;552&quot; height=&quot;406&quot; style=&quot;display: block; margin-left: auto; margin-right: auto;&quot; /&gt;&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;A typical setup involves at least one switch configured as a &lt;strong&gt;VTP Server&lt;/strong&gt;, and multiple switches configured as &lt;strong&gt;VTP Clients&lt;/strong&gt;. The logic behind this setup is that all information regarding VLANs is stored only on the &lt;strong&gt;VTP Server&lt;/strong&gt; switch from which all clients are updated. Any change in the &lt;strong&gt;VLAN database&lt;/strong&gt; will trigger an update from the &lt;strong&gt;VTP Server&lt;/strong&gt; towards all &lt;strong&gt;VTP clients&lt;/strong&gt; so they can update their database.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;Lastly, be informed that these &lt;strong&gt;VTP updates&lt;/strong&gt; will &lt;strong&gt;only traverse Trunk links&lt;/strong&gt;. This means that you must ensure that all switches connect to the network backbone via &lt;strong&gt;Trunk links&lt;/strong&gt;, otherwise &lt;strong&gt;no VTP updates&lt;/strong&gt; will reach the rest of the switches.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot; align=&quot;left&quot;&gt;Let's now take a closer look at what each &lt;strong&gt;VTP mode&lt;/strong&gt; does and where it can be used.&lt;/p&gt;
&lt;h2 align=&quot;left&quot;&gt;VTP Server Mode&lt;/h2&gt;
&lt;p style=&quot;text-align: justify;&quot; align=&quot;left&quot;&gt;By default all switches are configured as &lt;strong&gt;VTP Servers&lt;/strong&gt; when first powered on. All VLAN information such as VLAN number and VLAN name is &lt;strong&gt;stored locally&lt;/strong&gt;, on a separate &lt;strong&gt;NVRAM&lt;/strong&gt; memory which is where the device's &lt;strong&gt;startup-config&lt;/strong&gt; is stored. This happens only when the switch is in &lt;strong&gt;VTP Server mode&lt;/strong&gt;.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot; align=&quot;left&quot;&gt;For small networks with a limited number of switches and VLANs, storing all VLAN information on every switch is usually not a problem, but as the network expands and VLANs increase in number, it becomes a problem and a decision must be made to select a few powerful switches as the VTP Servers while configuring all other switches to VTP Client mode.&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;&lt;img src=&quot;https://www.firewall.cx/images/stories/vlans-vtp-2.gif&quot; alt=&quot;vlans-vtp-2&quot; width=&quot;552&quot; height=&quot;379&quot; style=&quot;display: block; margin-left: auto; margin-right: auto;&quot; /&gt;&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;The diagram above shows a Cisco Catalyst 3550 selected to take the role of the network's VTP Server since it is the most powerful switch. All other Catalyst switches have been configured as VTP Clients, obtaining all VLAN information and updates from the 3550 VTP Server.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;The method and frequency by which these updates occur is covered in much detail on the pages that follow, so we won't get into any more detail at this point. However, for those who noticed, there is a new concept introduced in the above diagram that we haven't spoken about: The VTP Domain.&lt;/p&gt;
&lt;h2&gt;The VTP Domain - VLAN Management Domain&lt;/h2&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;The &lt;strong&gt;VTP Domain&lt;/strong&gt;, also known as the &lt;strong&gt;VLAN Management Domain&lt;/strong&gt;, is a &lt;strong&gt;VTP parameter&lt;/strong&gt; configured on every switch connected to the network and used to define the switches that will participate in any changes or updates made in the specified VTP domain.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;Naturally, the core switch (VTP Server) and all other switches participate in the same domain, e.g. 'firewall', so when the VTP Server advertises new VLAN information for the VTP 'firewall' domain, only clients (switches) configured with the same VTP Domain parameter will accept and process these changes, while the rest will simply ignore them.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;Lastly, some people tend to relate the VTP Domain with the Internet Domain name space, however, this is completely incorrect. Even though the acronym 'DNS' contains the word 'Domain', it is not related in any way with the VTP Domain. Here (in VTP land), the word 'Domain' is simply used to describe a logical area in which certain hosts (switches) belong to or participate in, and are affected by any changes made within it.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;We should also note that all Cisco switches default to &lt;strong&gt;VTP Server mode&lt;/strong&gt; but will not transmit any VLAN information to the network until a &lt;strong&gt;VTP Domain&lt;/strong&gt; is set on the switch.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;At this point we are only referencing the &lt;strong&gt;VTP Domain concept&lt;/strong&gt; as this is also analyzed in greater depth further on, so let's continue with the VTP modes!&lt;/p&gt;
&lt;h2 align=&quot;left&quot;&gt;VTP Client Mode&lt;/h2&gt;
&lt;p style=&quot;text-align: justify;&quot; align=&quot;left&quot;&gt;In Client Mode, a switch will accept and store in its RAM all VLAN information received from the VTP Server; however, this information is also saved in NVRAM, so if the switch is powered off, it won't lose its VLAN information.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot; align=&quot;left&quot;&gt;The VTP Client behaves like a VTP Server, but you are unable to create, modify or delete VLANs on it.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot; align=&quot;left&quot;&gt;In most networks, the clients connect directly to the VTP Server as shown in our previous diagram. If, for any reason, two clients are cascaded together, then the information will propagate downwards via the available Trunk links, ensuring it reaches all switches:&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;&lt;img src=&quot;https://www.firewall.cx/images/stories/vlans-vtp-3.gif&quot; alt=&quot;vlans-vtp-3&quot; width=&quot;397&quot; height=&quot;277&quot; style=&quot;display: block; margin-left: auto; margin-right: auto;&quot; /&gt;&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot; align=&quot;left&quot;&gt;The diagram shows a 3550 Catalyst switch configured as a VTP Server and 4 Catalyst 2950 switches configured as VTP Clients and cascaded below our 3550. When the VTP Server sends a VTP update, this will travel through all trunk links (ISL, 802.1q, 802.10 and ATM LANE), as shown in the diagram.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot; align=&quot;left&quot;&gt;The advertised information will first reach the two Catalyst 2950 switches directly connected to the 3550 and will then travel through the trunk links to the cascaded switches below. If the link between the cascaded 2950s was not a trunk link but an access link, then the 2nd set of switches would not receive any VTP updates:&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;&lt;img src=&quot;https://www.firewall.cx/images/stories/vlans-vtp-4.gif&quot; alt=&quot;vlans-vtp-4&quot; width=&quot;397&quot; height=&quot;277&quot; style=&quot;display: block; margin-left: auto; margin-right: auto;&quot; /&gt;&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot; align=&quot;left&quot;&gt;As you can see, the VTP updates will happily arrive at the first Catalyst switches but stop there, as there are no trunk links between them and the 2950s below them. It is very important that you keep this in mind when designing a network or making changes to an existing one.&lt;/p&gt;
&lt;h2 align=&quot;left&quot;&gt;VTP Transparent Mode&lt;/h2&gt;
&lt;p style=&quot;text-align: justify;&quot; align=&quot;left&quot;&gt;The &lt;strong&gt;VTP Transparent mode&lt;/strong&gt; is something between a &lt;strong&gt;VTP Server&lt;/strong&gt; and a &lt;strong&gt;VTP Client&lt;/strong&gt; but does not participate in the &lt;strong&gt;VTP Domain&lt;/strong&gt;.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot; align=&quot;left&quot;&gt;In &lt;strong&gt;Transparent mode&lt;/strong&gt;, you are able to create, modify and delete VLANs on the local switch, without affecting any other switches regardless of the mode they might be in. Most importantly, if the transparently configured switch receives an advertisement containing VLAN information, it will ignore it but at the same time forward it out its trunk ports to any other switches it might be connected to.&lt;/p&gt;
&lt;p class=&quot;info&quot;&gt;Note: A &lt;strong&gt;Transparent VTP switch&lt;/strong&gt; will act as a &lt;strong&gt;VTP relay&lt;/strong&gt; (forward all VTP information it receives, out its trunk ports) only when &lt;strong&gt;VTP version 2&lt;/strong&gt; is used in the network. With &lt;strong&gt;VTP version 1&lt;/strong&gt;, the transparent switch will simply ignore and discard any VTP messages received from the rest of the network.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot; align=&quot;left&quot;&gt;Lastly, all switches configured to operate in &lt;strong&gt;Transparent mode&lt;/strong&gt; save their configuration in their NVRAM (just like all the previous two modes) but not to advertise any VLAN information of its own, even though it will happily forward any VTP information received from the rest of the network.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot; align=&quot;left&quot;&gt;This important functionality allows transparently configured switches to be placed anywhere within the network without any implications for the rest of the network because, as mentioned, they act as a repeater for any VLAN information received:&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;&lt;img src=&quot;https://www.firewall.cx/images/stories/vlans-vtp-5.gif&quot; alt=&quot;vlans-vtp-5&quot; width=&quot;453&quot; height=&quot;203&quot; style=&quot;display: block; margin-left: auto; margin-right: auto;&quot; /&gt;&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot; align=&quot;left&quot;&gt;Our 3550 Catalyst here is configured as a &lt;strong&gt;VTP Server&lt;/strong&gt; for the domain labelled &quot;Firewall&quot;. In addition, we have two switches configured in VTP Client mode, obtaining their VLAN information from the 3550 &lt;strong&gt;VTP Server&lt;/strong&gt;, but between these two VTP Clients, we have placed another switch configured to run in &lt;strong&gt;VTP Transparent mode&lt;/strong&gt;.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot; align=&quot;left&quot;&gt;Our Transparent switch has been configured with the domain called &quot;Lab&quot;, and as such, the switch will forward all incoming VTP updates belonging to the &quot;Firewall&quot; domain out its other trunk link, without processing the information. At the same time, it won't advertise its own VLAN information to its neighbouring switches.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot; align=&quot;left&quot;&gt;In closing, &lt;strong&gt;VTP Transparent mode&lt;/strong&gt; is not often used in live networks, but it is well worth mentioning and learning about.&lt;/p&gt;
&lt;h2 align=&quot;left&quot;&gt;Summary&lt;/h2&gt;
&lt;p style=&quot;text-align: justify;&quot; align=&quot;left&quot;&gt;This page introduced a few new and very important concepts. The VTP protocol is considered the heart of VLANs in large-scale networks, as it makes VLAN administration easy and transparent across every switch on your network.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot; align=&quot;left&quot;&gt;We briefly spoke about the three different modes offered by the &lt;strong&gt;VTP protocol&lt;/strong&gt;: &lt;strong&gt;Server&lt;/strong&gt;, &lt;strong&gt;Client&lt;/strong&gt; and &lt;strong&gt;Transparent mode&lt;/strong&gt;. To assist in providing a quick summary, the table below shows the main characteristics for each mode:&lt;/p&gt;
&lt;table border=&quot;1&quot; style=&quot;width: 594px; height: 398px;&quot; align=&quot;center&quot;&gt;
&lt;tbody&gt;
&lt;tr&gt;&lt;th scope=&quot;col&quot; style=&quot;width: 129px;&quot; bgcolor=&quot;#003300&quot;&gt;&lt;span style=&quot;color: #ffffff;&quot;&gt;VTP Mode&lt;/span&gt;&lt;/th&gt;&lt;th scope=&quot;col&quot; bgcolor=&quot;#000033&quot;&gt;&lt;span style=&quot;color: #ffffff;&quot;&gt;Description&lt;/span&gt;&lt;/th&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;th scope=&quot;row&quot; style=&quot;height: 153px;&quot;&gt;VTP Server&lt;/th&gt;
&lt;td&gt;
&lt;p&gt;The default mode for all switches supporting VTP. You can create, modify, and delete VLANs and specify other configuration parameters (such as VTP version) for the entire VTP domain.&lt;/p&gt;
&lt;p&gt;VTP servers advertise their VLAN configurations to other switches in the same VTP domain and synchronize their VLAN configurations with other switches based on advertisements received over trunk links. VLAN configurations are saved in NVRAM.&lt;/p&gt;
&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;&lt;th scope=&quot;row&quot;&gt;VTP Client&lt;/th&gt;
&lt;td&gt;Behaves like a VTP server, but you cannot create, change, or delete VLANs on a VTP client. VLAN configurations are saved in NVRAM.&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;&lt;th scope=&quot;row&quot; style=&quot;height: 151px;&quot;&gt;VTP Transparent&lt;/th&gt;
&lt;td&gt;
&lt;p&gt;Does not advertise its VLAN configuration and does not synchronize its VLAN configuration based on received advertisements. However, it will forward VTP advertisements as they are received from other switches.&lt;/p&gt;
&lt;p&gt;You can create, modify, and delete VLANs on a switch in VTP transparent mode. VLAN configurations are saved in NVRAM, but they are not advertised to other switches.&lt;/p&gt;
&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
&lt;p style=&quot;text-align: justify;&quot; align=&quot;left&quot;&gt;All switches by default are configured as &lt;strong&gt;VTP Servers&lt;/strong&gt; but without a domain. At this point we need to select the 'Core' switch (usually the most powerful) and configure it as a VTP Server, while reconfiguring all the rest to Client mode. Also, VTP Updates sent by the Server will only propagate through trunk links configured for ISL, IEEE 802.1q, 802.10 or LANE encapsulation.&lt;/p&gt;
&lt;p&gt;You should be aware that all VTP Messages are sent through what we call the &quot;Management VLAN&quot;. This specially created VLAN is usually the first one in the network - VLAN 1 - and by rule is never used by anyone else other than the switches themselves.&lt;/p&gt;
&lt;p&gt;The creation of a Management VLAN ensures all switches have their own network to communicate between each other without any disruptions.&lt;/p&gt;
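&lt;p&gt;The topology described above (a 3550 VTP Server for the &quot;Firewall&quot; domain, two VTP Clients, and a Transparent switch in domain &quot;Lab&quot; placed between them), together with the core-as-server layout recommended just above, expressed as Cisco IOS configuration. This is an added example and not configuration from the original article; interface numbers, VLAN IDs and VLAN names are assumptions, the domain names come from the text.&lt;/p&gt;

```cisco
! Added example, not from the original article. Interface numbers,
! VLAN IDs and VLAN names are assumptions; domain names come from the text.

! ===== Catalyst 3550 (core): the only VTP Server in domain Firewall =====
vtp domain Firewall
vtp mode server
vtp version 2
! VLANs are created here once and advertised to every client over trunk links
vlan 10
 name Servers
vlan 20
 name Workstations
! VTP updates only cross trunk links, so the downlinks must be trunks
interface range FastEthernet0/1 - 2
 switchport trunk encapsulation dot1q
 switchport mode trunk

! ===== Both Client switches: learn the VLAN database from the 3550 =====
! (apply on each client; version 2 is propagated from the server)
vtp domain Firewall
vtp mode client
interface FastEthernet0/24
 ! switches that support only 802.1Q, such as the 2950, have no
 ! encapsulation command: the port is simply set to trunk mode
 switchport mode trunk

! ===== Switch placed between the two clients: Transparent, domain Lab =====
vtp domain Lab
vtp mode transparent
! Version 2 must be set locally here: it is what makes this switch relay
! the Firewall updates it receives. With version 1 they would be discarded
! and the client on the far side would never learn VLANs 10 and 20.
vtp version 2
! Local VLANs may be created freely and are never advertised
vlan 99
 name Lab-only
interface range FastEthernet0/1 - 2
 switchport trunk encapsulation dot1q
 switchport mode trunk

! Verification on every switch before the trunks are connected: confirm the
! Operating Mode, Domain Name and VTP Version are the ones intended.
! show vtp status
```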
&lt;p style=&quot;text-align: justify;&quot; align=&quot;left&quot;&gt;The next article will analyse the &lt;a href=&quot;https://www.firewall.cx/networking/vlan-networks/vtp-analysis.html&quot; target=&quot;_blank&quot; title=&quot;VTP Protocol structure&quot;&gt;VTP Protocol structure&lt;/a&gt;, messages and updates. This will provide a deep understanding of how VTP works and what information its messages contain. For those out there keen on configuring a switch for VTP, it's covered towards the end of the VLAN topic as shown on the &lt;a href=&quot;https://www.firewall.cx/networking/vlan-networks.html&quot; target=&quot;_blank&quot; title=&quot;VLAN Introduction&quot;&gt;VLAN Introduction&lt;/a&gt; page.&lt;/p&gt;</content>
		<category term="VLAN Networks" />
	</entry>
	<entry>
		<title>InterVLAN Routing - Routing between VLAN Networks</title>
		<link rel="alternate" type="text/html" href="https://www.firewall.cx/networking/vlan-networks/intervlan-routing.html"/>
		<published>2011-05-30T05:44:11+10:00</published>
		<updated>2011-05-30T05:44:11+10:00</updated>
		<id>https://www.firewall.cx/networking/vlan-networks/intervlan-routing.html</id>
		<author>
			<name>Administrator</name>
		</author>
		<summary type="html">&lt;p&gt;&lt;img src=&quot;https://www.firewall.cx//images/stories/intervlan-routing-intro.webp&quot; alt=&quot;InterVLAN Routing&quot;&gt;&lt;/p&gt;&lt;div&gt;&lt;img src=&quot;https://www.firewall.cx/images/stories/intervlan-routing-intro.webp&quot; alt=&quot;intervlan routing intro&quot; style=&quot;margin: 7px; float: left;&quot; title=&quot;InterVLAN Routing&quot; /&gt;This article deals with the popular topic of InterVLAN routing, which is used to allow routing &amp;amp; communication between VLAN networks. Our article analyses InterVLAN routing and provides 4 different methods of InterVLAN routing to help understand the concept&lt;/div&gt;
&lt;div&gt;&amp;nbsp;&lt;/div&gt;
&lt;div&gt;&lt;strong&gt;VLAN Configuration&lt;/strong&gt; and &lt;strong&gt;InterVLAN routing&lt;/strong&gt; for &lt;strong&gt;Cisco Enterprise Layer 3 switches&lt;/strong&gt; (e.g. 3560, 3750, 3800, 4500, 6500 and 9400 series switches) are covered extensively in our article &lt;a href=&quot;https://www.firewall.cx/cisco/cisco-switches/cisco-switches-basic-advanced-configuration.html&quot; target=&quot;_blank&quot; title=&quot;Basic &amp;amp; Advanced Catalyst Layer 3 Switch Configuration: Creating VLANs, InterVLAN Routing (SVI), VLAN Security – VLAN Hopping, VTP Configuration, Trunk Links, NTP. IOS License Requirements for SVI Routing.&quot;&gt;Basic &amp;amp; Advanced Catalyst Layer 3 Switch Configuration: Creating VLANs, InterVLAN Routing (SVI), VLAN Security – VLAN Hopping, VTP Configuration, Trunk Links, NTP. IOS License Requirements for SVI Routing.&lt;/a&gt;&lt;/div&gt;
&lt;h2&gt;The Need For Routing&lt;/h2&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;Each network has its own needs, though whether it's a large or small network, internal routing, in most cases, is essential - if not critical. The ability to segment your network by creating VLANs, thus reducing network broadcasts and increasing your security, is a tactic used by most engineers. Popular setups include a separate broadcast domain for critical services such as File Servers, Print servers, Domain Controllers etc., serving your users non-stop.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;The issue here is: how can users in one VLAN (broadcast domain) use services offered by another VLAN?&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;Thankfully there's an answer to every problem and in this case, it's &lt;strong&gt;VLAN routing&lt;/strong&gt;:&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;&lt;img src=&quot;https://www.firewall.cx/images/stories/vlans-routing-1.gif&quot; alt=&quot;vlans-routing-1&quot; width=&quot;363&quot; height=&quot;243&quot; style=&quot;display: block; margin-left: auto; margin-right: auto;&quot; /&gt;&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;The above diagram is a very simple but effective example to help you get the idea. Two VLANs contain two servers and two workstations: one workstation has been placed along with the servers in &lt;strong&gt;VLAN 1&lt;/strong&gt;, while the second workstation is placed in &lt;strong&gt;VLAN 2&lt;/strong&gt;.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;In this scenario, both workstations require access to the File and Print servers, making it a very simple task for the workstation residing in &lt;strong&gt;VLAN 1&lt;/strong&gt;, but obviously not for our workstation in &lt;strong&gt;VLAN 2&lt;/strong&gt;.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;As you might have already guessed, we need to somehow route packets between the two VLANs and the good news is that there is more than one way to achieve this and that's what we'll be covering on this page.&lt;/p&gt;
&lt;h2&gt;VLAN Routing Solutions&lt;/h2&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;While the two Cisco Catalyst switches are connected via a &lt;a href=&quot;https://www.firewall.cx/cisco/cisco-switches/cisco-switches-basic-advanced-configuration.html&quot; target=&quot;_blank&quot; title=&quot;Cisco switching - Trunk Link configuration&quot;&gt;trunk link&lt;/a&gt;, they are unable to route packets from one VLAN to another. If we wanted the switch to support routing, we would require it to be a &lt;a href=&quot;https://www.firewall.cx/cisco/cisco-switches/cisco-switches-basic-advanced-configuration.html&quot; target=&quot;_blank&quot; title=&quot;How to configure Layer-3 switching on Cisco Catalyst switch&quot;&gt;layer 3 switch&lt;/a&gt; with routing capabilities, a service offered by most enterprise Cisco Catalyst switches.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;There are four ways to enable the communication between VLANs (InterVLAN Routing being the most popular) using a single switch or router, and this article will cover them all, providing an in-depth view of VLAN routing methods.&lt;/p&gt;
&lt;p class=&quot;info&quot; style=&quot;text-align: justify;&quot;&gt;Note: The term &lt;strong&gt;InterVLAN Routing&lt;/strong&gt; refers to a specific routing method which we will cover as the last scenario; however, it is advised that you read through all the given solutions to ensure you have a solid understanding of the VLAN routing topic.&lt;/p&gt;
&lt;h2&gt;VLAN Routing Solution No.1: Using A Router With 2 Ethernet Interfaces&lt;/h2&gt;
&lt;p style=&quot;text-align: justify;&quot; align=&quot;left&quot;&gt;Decades ago, this was one of the preferred and fastest methods to route packets between different VLAN networks. The setup is quite simple and involves a Cisco router with two Ethernet interfaces as shown in the diagram, connecting to both VLANs with an appropriate IP Address assigned to each interface. In this setup, enabling &lt;strong&gt;IP Routing&lt;/strong&gt; on the router is a prerequisite, and we also have the option of applying access lists (ACLs) to control access between our VLAN networks:&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;&lt;img src=&quot;https://www.firewall.cx/images/stories/vlans-routing-2.gif&quot; alt=&quot;vlans-routing-2&quot; width=&quot;400&quot; height=&quot;291&quot; style=&quot;display: block; margin-left: auto; margin-right: auto;&quot; /&gt;&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;With this setup, each host (servers and workstations) will need to have the local router interface IP configured as its default gateway to access the other VLAN network. This VLAN routing solution is considered expensive and doesn't scale well for today's complex and large network environments.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;In the case where there are more than two VLANs, additional Ethernet interfaces will be required, so basically, the idea here is that you need one Ethernet interface for each VLAN network.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;To finish this scenario, as the network gets bigger and more VLANs are created, it will very quickly get messy and expensive, so this solution will prove inadequate to cover our future growth.&lt;/p&gt;
&lt;h2&gt;VLAN Routing Solution No.2: Using A Router With One Ethernet (Trunk) Interface&lt;/h2&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;This solution is certainly fancier but requires, as you would have already guessed, a router that supports trunk links. With this kind of setup, the trunk link is created, using of course the same type of encapsulation the switches use (&lt;a href=&quot;https://www.firewall.cx/networking/vlan-networks/vlan-isl-analysis.html&quot; target=&quot;_blank&quot; title=&quot;ISL&quot;&gt;ISL&lt;/a&gt; or &lt;a href=&quot;https://www.firewall.cx/networking/vlan-networks/vlan-8021q-analysis.html&quot; target=&quot;_blank&quot; title=&quot;802.1q Analysis&quot;&gt;802.1q&lt;/a&gt;), and IP routing is enabled on the router side. This method of InterVLAN routing is also known as &lt;a href=&quot;https://www.firewall.cx/cisco/cisco-routers/cisco-router-8021q-router-stick.html&quot; target=&quot;_blank&quot; title=&quot;Cisco Router on a Stick Configuration&quot;&gt;Router on a Stick&lt;/a&gt;. You can read more on its configuration under our &lt;a href=&quot;https://www.firewall.cx/cisco/cisco-routers.html&quot; target=&quot;_blank&quot; title=&quot;Cisco Router Knowledgebase&quot;&gt;Cisco Router Knowledgebase&lt;/a&gt;.&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;&lt;img src=&quot;https://www.firewall.cx/images/stories/vlans-routing-3.gif&quot; alt=&quot;vlans-routing-3&quot; width=&quot;400&quot; height=&quot;291&quot; style=&quot;display: block; margin-left: auto; margin-right: auto;&quot; /&gt;&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot; align=&quot;left&quot;&gt;The downside here is that not many engineers will sacrifice a router just for routing between VLANs when there are many cheaper alternatives, as you will soon find out. Nevertheless, despite the high cost and dedicated hardware, it's still a valid and workable solution and depending on your needs and available equipment, it might be just what you're looking for!&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot; align=&quot;left&quot;&gt;Closing this scenario, the router will need to be configured with two virtual interfaces, one for each VLAN, with the appropriate IP Address assigned to each one so routing can be performed.&lt;/p&gt;
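&lt;p&gt;The two virtual interfaces mentioned above, as an added Cisco IOS example that is not part of the original article: the switch port facing the router is trunked, and the router carries one 802.1Q subinterface per VLAN. Interface numbers and the 192.168.1.0/24 and 192.168.2.0/24 subnets are assumptions.&lt;/p&gt;

```cisco
! Added example, not from the original article. Interface numbers and
! subnets are assumptions; 802.1Q is used on both ends of the trunk.

! ===== Catalyst switch: the port facing the router becomes a trunk =====
interface FastEthernet0/24
 description Trunk to router (Router on a Stick)
 switchport trunk encapsulation dot1q
 switchport mode trunk
 ! carry only the VLANs the router actually needs to route
 switchport trunk allowed vlan 1,2

! ===== Router: one physical interface, one subinterface per VLAN =====
interface FastEthernet0/0
 no ip address
 no shutdown
!
interface FastEthernet0/0.1
 description VLAN 1 - Servers
 ! VLAN 1 is the untagged native VLAN on the switch trunk, hence native
 encapsulation dot1Q 1 native
 ip address 192.168.1.1 255.255.255.0
!
interface FastEthernet0/0.2
 description VLAN 2 - Workstations
 encapsulation dot1Q 2
 ip address 192.168.2.1 255.255.255.0
!
! Routing between the two subinterfaces requires the IP routing process
ip routing

! Hosts in each VLAN use the matching subinterface address as their
! default gateway. Verify that both subinterfaces are up and that both
! networks appear as connected routes:
! show ip interface brief
! show ip route
```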
&lt;h2&gt;VLAN Routing Solution No.3: Using A Server With Two Network Cards&lt;/h2&gt;
&lt;p style=&quot;text-align: justify;&quot; align=&quot;left&quot;&gt;Back in the 90's the need to route between VLAN networks was often resolved by using Windows or Linux servers to perform the routing between VLAN networks.&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;&lt;img src=&quot;https://www.firewall.cx/images/stories/vlans-routing-4.gif&quot; alt=&quot;vlans-routing-4&quot; width=&quot;397&quot; height=&quot;221&quot; style=&quot;display: block; margin-left: auto; margin-right: auto;&quot; /&gt;&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot; align=&quot;left&quot;&gt;In order for the server to route between the two networks, it requires two network cards - one for each VLAN, with the appropriate IP addresses assigned. Therefore one network card will be configured with IP address 192.168.1.1 and the other with IP address 192.168.2.1. Once this is complete, all that's required is to &lt;strong&gt;enable IP routing&lt;/strong&gt; on the server.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot; align=&quot;left&quot;&gt;Lastly, each workstation must either use the server as its gateway, or a static route entry needs to be created so it can reach the other network.&lt;/p&gt;
&lt;h2&gt;VLAN Routing Solution No.4: InterVLAN Routing&lt;/h2&gt;
&lt;p style=&quot;text-align: justify;&quot; align=&quot;left&quot;&gt;And at last, InterVLAN routing! This is without a doubt the best VLAN routing solution out of all of the above. InterVLAN routing makes use of the latest switch technology, ensuring a super fast and reliable routing solution at an acceptable cost.&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;&lt;img src=&quot;https://www.firewall.cx/images/stories/vlans-routing-5.gif&quot; alt=&quot;vlans-routing-5&quot; width=&quot;400&quot; height=&quot;291&quot; style=&quot;display: block; margin-left: auto; margin-right: auto;&quot; /&gt;&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot; align=&quot;left&quot;&gt;The Cisco Catalyst series switches used here are layer 3 switches with built-in &lt;strong&gt;IP routing capabilities&lt;/strong&gt;, making them the preferred choice at a reasonable cost. Of course, the proposed solution shown here is only a small part of a large-scale network where switches such as the Catalyst 3550 are usually placed as core switches, connecting all branch switches together (2924s in this case) via superfast fiber Gigabit or Fast Ethernet links, ensuring a fast and reliable network backbone.&lt;/p&gt;
&lt;p class=&quot;info&quot; style=&quot;text-align: justify;&quot; align=&quot;left&quot;&gt;&lt;strong&gt;VLAN Configuration&lt;/strong&gt; and &lt;strong&gt;InterVLAN routing&lt;/strong&gt; for &lt;strong&gt;Cisco Enterprise Layer 3 switches&lt;/strong&gt; (e.g. 3560, 3750, 3800, 4500, 6500 and 9400 series switches) are covered extensively in our article &lt;a href=&quot;https://www.firewall.cx/cisco/cisco-switches/cisco-switches-basic-advanced-configuration.html&quot; target=&quot;_blank&quot; title=&quot;Basic &amp;amp; Advanced Catalyst Layer 3 Switch Configuration: Creating VLANs, InterVLAN Routing (SVI), VLAN Security – VLAN Hopping, VTP Configuration, Trunk Links, NTP. IOS License Requirements for SVI Routing.&quot;&gt;Basic &amp;amp; Advanced Catalyst Layer 3 Switch Configuration: Creating VLANs, InterVLAN Routing (SVI), VLAN Security – VLAN Hopping, VTP Configuration, Trunk Links, NTP. IOS License Requirements for SVI Routing.&lt;/a&gt;&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot; align=&quot;left&quot;&gt;We should also note that &lt;strong&gt;InterVLAN routing&lt;/strong&gt; on the Catalyst enterprise switches has certain software requirements regarding the IOS image loaded on the switch, as outlined in the table below:&lt;/p&gt;
&lt;table border=&quot;1&quot; style=&quot;width: 438px; height: 132px;&quot; align=&quot;center&quot;&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td style=&quot;background-color: #d8bfd8; text-align: center;&quot;&gt;&lt;strong&gt;&lt;span style=&quot;color: #000000;&quot;&gt;Image Type &amp;amp; Version&lt;/span&gt;&lt;/strong&gt;&lt;/td&gt;
&lt;td style=&quot;background-color: #d8bfd8; text-align: center;&quot;&gt;
&lt;p&gt;&lt;span style=&quot;color: #000000;&quot;&gt;&lt;strong&gt;InterVLAN Routing Capability&lt;/strong&gt;&lt;/span&gt;&lt;/p&gt;
&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td style=&quot;background-color: #d8bfd8; text-align: center;&quot;&gt;&lt;span style=&quot;color: #000000;&quot;&gt;Enhanced Multilayer Image (EMI) - All Versions&lt;/span&gt;&lt;/td&gt;
&lt;td style=&quot;background-color: #d8bfd8; text-align: center;&quot;&gt;&lt;span style=&quot;color: #000000;&quot;&gt;YES&lt;/span&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td style=&quot;background-color: #d8bfd8; text-align: center;&quot;&gt;&lt;span style=&quot;color: #000000;&quot;&gt;Standard Multilayer Image (SMI) - prior to 12.1(11)EA1&lt;/span&gt;&lt;/td&gt;
&lt;td style=&quot;background-color: #d8bfd8; text-align: center;&quot;&gt;&lt;span style=&quot;color: #000000;&quot;&gt;NO&lt;/span&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td style=&quot;background-color: #d8bfd8; text-align: center;&quot;&gt;&lt;span style=&quot;color: #000000;&quot;&gt;Standard Multilayer Image (SMI) - 12.1(11)EA1 and later&lt;/span&gt;&lt;/td&gt;
&lt;td style=&quot;background-color: #d8bfd8; text-align: center;&quot;&gt;&lt;span style=&quot;color: #000000;&quot;&gt;YES&lt;/span&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;Issuing the &lt;strong&gt;show version&lt;/strong&gt; command reveals the IOS image version or license, allowing us to determine whether IP routing (InterVLAN Routing) is supported.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot; align=&quot;left&quot;&gt;In returning to our example, our 3550 Catalyst will be configured with two virtual (SVI) interfaces, one for each VLAN, and of course the appropriate IP Address assigned to them to ensure there is a logical interface connected to both networks. Lastly, as you might have guessed, we need to issue the 'IP Routing' command to enable the InterVLAN Routing service!&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;&lt;img src=&quot;https://www.firewall.cx/images/stories/vlans-routing-6.gif&quot; alt=&quot;vlans-routing-6&quot; width=&quot;406&quot; height=&quot;256&quot; style=&quot;display: block; margin-left: auto; margin-right: auto;&quot; /&gt;&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot; align=&quot;left&quot;&gt;The diagram above was designed to help you 'visualise' how switches and their interfaces are configured for specific VLANs, making the InterVLAN routing service possible. The switch above has been configured with two VLANs, VLAN 1 and 2. The Ethernet interfaces are then assigned to each VLAN, allowing them to communicate directly with all other interfaces assigned to the same VLAN, and with the other VLAN once the internal routing process is present and enabled.&lt;/p&gt;
&lt;h2&gt;Access Lists &amp;amp; InterVLAN Routing&lt;/h2&gt;
&lt;p style=&quot;text-align: justify;&quot; align=&quot;left&quot;&gt;Another common addition to the InterVLAN routing service is the application of Access Lists (packet filtering) on the routing switch, to restrict access to services or hosts as required.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot; align=&quot;left&quot;&gt;In modern implementations, central file servers and services are usually placed in their own isolated VLAN, securing them from possible network attacks while controlling access to them. When you take into consideration that most trojans and viruses perform an initial scan of the network before attacking, an administrator can smartly disable ICMP echoes and other protocols used to detect a live host, avoiding possible detection by an attacker host located on a different VLAN.&lt;/p&gt;
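&lt;p&gt;The 3550 configuration described above (two SVIs and the ip routing command), together with an access list applying the filtering idea from this section, as an added Cisco IOS example that is not part of the original article. The 192.168.1.0/24 and 192.168.2.0/24 subnets are reused from Solution No.3; the server addresses, interface numbers and the ACL name are assumptions.&lt;/p&gt;

```cisco
! Added example, not from the original article. Server addresses,
! interface numbers and the ACL name are assumptions; VLAN 1 holds the
! file and print servers, VLAN 2 the workstations, as in the diagram.

vlan 1
 name Servers
vlan 2
 name Workstations
!
! Access ports: assign each physical interface to its VLAN
interface FastEthernet0/1
 description File and Print servers
 switchport mode access
 switchport access vlan 1
interface FastEthernet0/2
 description Workstation in VLAN 2
 switchport mode access
 switchport access vlan 2
!
! One SVI per VLAN. Its address is the default gateway for that VLAN, so
! every host in the VLAN must use the same IP network as its SVI.
interface Vlan1
 ip address 192.168.1.1 255.255.255.0
interface Vlan2
 ip address 192.168.2.1 255.255.255.0
 ! filter traffic as it enters the switch from VLAN 2 (ACL defined below)
 ip access-group VLAN2-TO-SERVERS in
!
! Enable the routing process; without it the SVIs are just addresses
ip routing
!
! Packet filtering between VLANs: permit only the file and print services
! the workstations need, drop ICMP echo so hosts in VLAN 2 cannot discover
! live hosts in the server VLAN, and log anything else aimed at the servers.
ip access-list extended VLAN2-TO-SERVERS
 remark SMB file sharing to the file server only
 permit tcp 192.168.2.0 0.0.0.255 host 192.168.1.10 eq 445
 remark IPP and raw printing to the print server only
 permit tcp 192.168.2.0 0.0.0.255 host 192.168.1.11 eq 631
 permit tcp 192.168.2.0 0.0.0.255 host 192.168.1.11 eq 9100
 remark Block host discovery by ping from VLAN 2 into the server VLAN
 deny   icmp 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255 echo
 deny   ip any 192.168.1.0 0.0.0.255 log
 remark Traffic to any other destination is unaffected
 permit ip any any

! Checks: the image must support routing (EMI, or SMI 12.1(11)EA1 or later),
! both SVIs must be up, and both networks must appear as connected routes.
! show version
! show ip interface brief
! show ip route
! show access-lists VLAN2-TO-SERVERS
```

The deny with log entry is what tells the administrator, in the switch log, which VLAN 2 host attempted something other than the permitted file and print services.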
&lt;h2&gt;Summary&lt;/h2&gt;
&lt;p style=&quot;text-align: justify;&quot; align=&quot;left&quot;&gt;InterVLAN routing is a terrific service and one that you simply can't live without in a large network. The topic is a fairly easy one once you get the idea, and this is our aim here: to help you get that idea, and extend it further by giving you other alternative methods.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot; align=&quot;left&quot;&gt;The key element to the InterVLAN routing service is that you must have at least one VLAN interface configured with an IP Address on the InterVLAN capable switch, which will also dictate the IP network for that VLAN. All hosts participating in that VLAN must also use the same IP addressing scheme to ensure communication between them. When the above requirements are met, it's then as simple as enabling the IP Routing service on the switch and you have the InterVLAN service activated.&lt;/p&gt;</summary>
		<content type="html">&lt;p&gt;&lt;img src=&quot;https://www.firewall.cx//images/stories/intervlan-routing-intro.webp&quot; alt=&quot;InterVLAN Routing&quot;&gt;&lt;/p&gt;&lt;div&gt;&lt;img src=&quot;https://www.firewall.cx/images/stories/intervlan-routing-intro.webp&quot; alt=&quot;intervlan routing intro&quot; style=&quot;margin: 7px; float: left;&quot; title=&quot;InterVLAN Routing&quot; /&gt;This article deals with the popular topic of InterVLAN routing, which is used to allow routing &amp;amp; communication between VLAN networks. Our article analyses InterVLAN routing and provides 4 different methods of InterVLAN routing to help understand the concept&lt;/div&gt;
&lt;div&gt;&amp;nbsp;&lt;/div&gt;
&lt;div&gt;&lt;strong&gt;VLAN Configuration&lt;/strong&gt; and &lt;strong&gt;InterVLAN routing&lt;/strong&gt; for &lt;strong&gt;Cisco Enterprise Layer 3 switches&lt;/strong&gt; (e.g. 3560, 3750, 3800, 4500, 6500 and 9400 series switches) are covered extensively in our article &lt;a href=&quot;https://www.firewall.cx/cisco/cisco-switches/cisco-switches-basic-advanced-configuration.html&quot; target=&quot;_blank&quot; title=&quot;Basic &amp;amp; Advanced Catalyst Layer 3 Switch Configuration: Creating VLANs, InterVLAN Routing (SVI), VLAN Security – VLAN Hopping, VTP Configuration, Trunk Links, NTP. IOS License Requirements for SVI Routing.&quot;&gt;Basic &amp;amp; Advanced Catalyst Layer 3 Switch Configuration: Creating VLANs, InterVLAN Routing (SVI), VLAN Security – VLAN Hopping, VTP Configuration, Trunk Links, NTP. IOS License Requirements for SVI Routing.&lt;/a&gt;&lt;/div&gt;
&lt;h2&gt;The Need For Routing&lt;/h2&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;Each network has its own needs, though whether it's a large or small network, internal routing, in most cases, is essential - if not critical. The ability to segment your network by creating VLANs, thus reducing network broadcasts and increasing your security, is a tactic used by most engineers. Popular setups include a separate broadcast domain for critical services such as File Servers, Print servers, Domain Controllers etc., serving your users non-stop.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;The issue here is: how can users in one VLAN (broadcast domain) use services offered by another VLAN?&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;Thankfully there's an answer to every problem and in this case, it's &lt;strong&gt;VLAN routing&lt;/strong&gt;:&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;&lt;img src=&quot;https://www.firewall.cx/images/stories/vlans-routing-1.gif&quot; alt=&quot;vlans-routing-1&quot; width=&quot;363&quot; height=&quot;243&quot; style=&quot;display: block; margin-left: auto; margin-right: auto;&quot; /&gt;&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;The above diagram is a very simple but effective example to help you get the idea. Two VLANs contain two servers and two workstations: one workstation has been placed along with the servers in &lt;strong&gt;VLAN 1&lt;/strong&gt;, while the second workstation is placed in &lt;strong&gt;VLAN 2&lt;/strong&gt;.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;In this scenario, both workstations require access to the File and Print servers, making it a very simple task for the workstation residing in &lt;strong&gt;VLAN 1&lt;/strong&gt;, but obviously not for our workstation in &lt;strong&gt;VLAN 2&lt;/strong&gt;.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;As you might have already guessed, we need to somehow route packets between the two VLANs and the good news is that there is more than one way to achieve this and that's what we'll be covering on this page.&lt;/p&gt;
&lt;h2&gt;VLAN Routing Solutions&lt;/h2&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;While the two Cisco Catalyst switches are connected via a &lt;a href=&quot;https://www.firewall.cx/cisco/cisco-switches/cisco-switches-basic-advanced-configuration.html&quot; target=&quot;_blank&quot; title=&quot;Cisco switching - Trunk Link configuration&quot;&gt;trunk link&lt;/a&gt;, they are unable to route packets from one VLAN to another. If we wanted the switch to support routing, we would require it to be a &lt;a href=&quot;https://www.firewall.cx/cisco/cisco-switches/cisco-switches-basic-advanced-configuration.html&quot; target=&quot;_blank&quot; title=&quot;How to configure Layer-3 switching on Cisco Catalyst switch&quot;&gt;layer 3 switch&lt;/a&gt; with routing capabilities, a service offered by most enterprise Cisco Catalyst switches.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;There are four ways to enable the communication between VLANs (InterVLAN Routing being the most popular) using a single switch or router, and this article will cover them all, providing an in-depth view of VLAN routing methods.&lt;/p&gt;
&lt;p class=&quot;info&quot; style=&quot;text-align: justify;&quot;&gt;Note: The term &lt;strong&gt;InterVLAN Routing&lt;/strong&gt; refers to a specific routing method which we will cover as the last scenario; however, it is advised that you read through all the given solutions to ensure you have a solid understanding of the VLAN routing topic.&lt;/p&gt;
&lt;h2&gt;VLAN Routing Solution No.1: Using A Router With 2 Ethernet Interfaces&lt;/h2&gt;
&lt;p style=&quot;text-align: justify;&quot; align=&quot;left&quot;&gt;Decades ago, this was one of the preferred and fastest methods to route packets between different VLAN networks. The setup is quite simple and involves a Cisco router with two Ethernet interfaces as shown in the diagram, connecting to both VLANs with an appropriate IP Address assigned to each interface. In this setup, enabling &lt;strong&gt;IP Routing&lt;/strong&gt; on the router is a prerequisite, and we also have the option of applying access lists (ACLs) to control access between our VLAN networks:&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;&lt;img src=&quot;https://www.firewall.cx/images/stories/vlans-routing-2.gif&quot; alt=&quot;vlans-routing-2&quot; width=&quot;400&quot; height=&quot;291&quot; style=&quot;display: block; margin-left: auto; margin-right: auto;&quot; /&gt;&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;With this setup, each host (servers and workstations) will need to have the local router interface IP configured as its default gateway to access the other VLAN network. This VLAN routing solution is considered expensive and doesn't scale well for today's complex and large network environments.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;In the case where there are more than two VLANs, additional Ethernet interfaces will be required, so basically, the idea here is that you need one Ethernet interface for each VLAN network.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;To finish this scenario, as the network gets bigger and more VLANs are created, it will very quickly get messy and expensive, so this solution will prove inadequate to cover our future growth.&lt;/p&gt;
&lt;h2&gt;VLAN Routing Solution No.2: Using A Router With One Ethernet (Trunk) Interface&lt;/h2&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;This solution is certainly fancier but requires, as you would have already guessed, a router that supports trunk links. With this kind of setup, the trunk link is created using the same type of encapsulation the switches use (&lt;a href=&quot;https://www.firewall.cx/networking/vlan-networks/vlan-isl-analysis.html&quot; target=&quot;_blank&quot; title=&quot;ISL&quot;&gt;ISL&lt;/a&gt; or &lt;a href=&quot;https://www.firewall.cx/networking/vlan-networks/vlan-8021q-analysis.html&quot; target=&quot;_blank&quot; title=&quot;802.1q Analysis&quot;&gt;802.1q&lt;/a&gt;), and IP routing is enabled on the router side. This method of InterVLAN routing is also known as &lt;a href=&quot;https://www.firewall.cx/cisco/cisco-routers/cisco-router-8021q-router-stick.html&quot; target=&quot;_blank&quot; title=&quot;Cisco Router on a Stick Configuration&quot;&gt;Router on a Stick&lt;/a&gt;. You can read more on its configuration in our &lt;a href=&quot;https://www.firewall.cx/cisco/cisco-routers.html&quot; target=&quot;_blank&quot; title=&quot;Cisco Router Knowledgebase&quot;&gt;Cisco Router Knowledgebase&lt;/a&gt;.&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;&lt;img src=&quot;https://www.firewall.cx/images/stories/vlans-routing-3.gif&quot; alt=&quot;vlans-routing-3&quot; width=&quot;400&quot; height=&quot;291&quot; style=&quot;display: block; margin-left: auto; margin-right: auto;&quot; /&gt;&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot; align=&quot;left&quot;&gt;The downside here is that not many engineers will sacrifice a router just for routing between VLANs when there are many cheaper alternatives, as you will soon find out. Nevertheless, despite the high cost and dedicated hardware, it's still a valid and workable solution and depending on your needs and available equipment, it might be just what you're looking for!&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot; align=&quot;left&quot;&gt;Closing this scenario, the router will need to be configured with two virtual interfaces, one for each VLAN, with the appropriate IP Address assigned to each one so routing can be performed.&lt;/p&gt;
&lt;h2&gt;VLAN Routing Solution No.3: Using A Server With Two Network Cards&lt;/h2&gt;
&lt;p style=&quot;text-align: justify;&quot; align=&quot;left&quot;&gt;Back in the 90's the need to route between VLAN networks was often resolved by using Windows or Linux servers to perform the routing between VLAN networks.&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;&lt;img src=&quot;https://www.firewall.cx/images/stories/vlans-routing-4.gif&quot; alt=&quot;vlans-routing-4&quot; width=&quot;397&quot; height=&quot;221&quot; style=&quot;display: block; margin-left: auto; margin-right: auto;&quot; /&gt;&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot; align=&quot;left&quot;&gt;In order for the server to route between the two networks, it requires two network cards, one for each VLAN, with the appropriate IP addresses assigned: one network card will be configured with the IP address 192.168.1.1 and the other with 192.168.2.1. Once this is complete, all that's required is to &lt;strong&gt;enable IP routing&lt;/strong&gt; on the server.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot; align=&quot;left&quot;&gt;Lastly, each workstation must either use the server as its default gateway, or a static route entry must be created so it can reach the other network.&lt;/p&gt;
&lt;h2&gt;VLAN Routing Solution No.4: InterVLAN Routing&lt;/h2&gt;
&lt;p style=&quot;text-align: justify;&quot; align=&quot;left&quot;&gt;And at last, InterVLAN routing! This is without a doubt the best VLAN routing solution of all the above. InterVLAN routing makes use of the latest switch technology, ensuring a super fast, reliable routing solution at an acceptable cost.&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;&lt;img src=&quot;https://www.firewall.cx/images/stories/vlans-routing-5.gif&quot; alt=&quot;vlans-routing-5&quot; width=&quot;400&quot; height=&quot;291&quot; style=&quot;display: block; margin-left: auto; margin-right: auto;&quot; /&gt;&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot; align=&quot;left&quot;&gt;The Cisco Catalyst series switches used here are layer 3 switches with built-in &lt;strong&gt;IP routing capabilities&lt;/strong&gt;, making them the preferred choice at a reasonable cost. Of course, the proposed solution shown here is only a small part of a large scale network where switches such as the Catalyst 3550 are usually placed as core switches, connecting all branch switches together (2924's in this case) via superfast fiber Gigabit or Fast Ethernet links, ensuring a fast and reliable network backbone.&lt;/p&gt;
&lt;p class=&quot;info&quot; style=&quot;text-align: justify;&quot; align=&quot;left&quot;&gt;&lt;strong&gt;VLAN Configuration&lt;/strong&gt; and &lt;strong&gt;InterVLAN routing&lt;/strong&gt; for &lt;strong&gt;Cisco Enterprise Layer 3 switches&lt;/strong&gt;&amp;nbsp; (e.g 3560, 3750, 3800, 4500, 6500 and 9400 series switches) is covered extensively in our article &lt;a href=&quot;https://www.firewall.cx/cisco/cisco-switches/cisco-switches-basic-advanced-configuration.html&quot; target=&quot;_blank&quot; title=&quot;Basic &amp;amp; Advanced Catalyst Layer 3 Switch Configuration: Creating VLANs, InterVLAN Routing (SVI), VLAN Security – VLAN Hopping, VTP Configuration, Trunk Links, NTP. IOS License Requirements for SVI Routing.&quot;&gt;Basic &amp;amp; Advanced Catalyst Layer 3 Switch Configuration: Creating VLANs, InterVLAN Routing (SVI), VLAN Security – VLAN Hopping, VTP Configuration, Trunk Links, NTP. IOS License Requirements for SVI Routing.&lt;/a&gt;&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot; align=&quot;left&quot;&gt;We should also note that &lt;strong&gt;InterVLAN routing&lt;/strong&gt; on the Catalyst enterprise switches has certain software requirements regarding the IOS image loaded on the switch, as outlined in the table below:&lt;/p&gt;
&lt;table border=&quot;1&quot; style=&quot;width: 438px; height: 132px;&quot; align=&quot;center&quot;&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td style=&quot;background-color: #d8bfd8; text-align: center;&quot;&gt;&lt;strong&gt;&lt;span style=&quot;color: #000000;&quot;&gt;Image Type &amp;amp; Version&lt;/span&gt;&lt;/strong&gt;&lt;/td&gt;
&lt;td style=&quot;background-color: #d8bfd8; text-align: center;&quot;&gt;
&lt;p&gt;&lt;span style=&quot;color: #000000;&quot;&gt;&lt;strong&gt;InterVLAN Routing Capability&lt;/strong&gt;&lt;/span&gt;&lt;/p&gt;
&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td style=&quot;background-color: #d8bfd8; text-align: center;&quot;&gt;&lt;span style=&quot;color: #000000;&quot;&gt;Enhanced Multilayer Image (EMI) - All Versions&lt;/span&gt;&lt;/td&gt;
&lt;td style=&quot;background-color: #d8bfd8; text-align: center;&quot;&gt;&lt;span style=&quot;color: #000000;&quot;&gt;YES&lt;/span&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td style=&quot;background-color: #d8bfd8; text-align: center;&quot;&gt;&lt;span style=&quot;color: #000000;&quot;&gt;Standard Multilayer Image (SMI) - prior to 12.1(11)EA1&lt;/span&gt;&lt;/td&gt;
&lt;td style=&quot;background-color: #d8bfd8; text-align: center;&quot;&gt;&lt;span style=&quot;color: #000000;&quot;&gt;NO&lt;/span&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td style=&quot;background-color: #d8bfd8; text-align: center;&quot;&gt;&lt;span style=&quot;color: #000000;&quot;&gt;Standard Multilayer Image (SMI) - 12.1(11)EA1 and later&lt;/span&gt;&lt;/td&gt;
&lt;td style=&quot;background-color: #d8bfd8; text-align: center;&quot;&gt;&lt;span style=&quot;color: #000000;&quot;&gt;YES&lt;/span&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;Issuing the &lt;strong&gt;show version&lt;/strong&gt; command reveals the IOS version or license, allowing us to determine whether IP routing (InterVLAN Routing) is supported.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot; align=&quot;left&quot;&gt;Returning to our example, our Catalyst 3550 will be configured with two virtual (SVI) interfaces, one for each VLAN, each with the appropriate IP address assigned so that there is a logical interface connected to both networks. Lastly, as you might have guessed, we need to issue the 'IP Routing' command to enable the InterVLAN Routing service!&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;&lt;img src=&quot;https://www.firewall.cx/images/stories/vlans-routing-6.gif&quot; alt=&quot;vlans-routing-6&quot; width=&quot;406&quot; height=&quot;256&quot; style=&quot;display: block; margin-left: auto; margin-right: auto;&quot; /&gt;&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot; align=&quot;left&quot;&gt;The diagram above was designed to help you 'visualise' how switches and their interfaces are assigned to specific VLANs, making the InterVLAN routing service possible. The switch above has been configured with two VLANs, VLAN 1 and VLAN 2. The Ethernet interfaces are then assigned to one of the VLANs, allowing them to communicate directly with all other interfaces assigned to the same VLAN, and with the other VLAN once the internal routing process is present and enabled.&lt;/p&gt;
&lt;h2&gt;Access Lists &amp;amp; InterVLAN Routing&lt;/h2&gt;
&lt;p style=&quot;text-align: justify;&quot; align=&quot;left&quot;&gt;Another common addition to the InterVLAN routing service is the application of Access Lists (packet filtering) on the routing switch, to restrict access to services or hosts as required.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot; align=&quot;left&quot;&gt;In modern implementations, central file servers and services are usually placed in their own isolated VLAN, securing them from possible network attacks while controlling access to them. Considering that most trojans and viruses perform an initial scan of the network before attacking, an administrator can disable ICMP echoes and other protocols used to detect a live host, avoiding detection by an attacker host located on a different VLAN.&lt;/p&gt;
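The InterVLAN requirements described in this scenario (an SVI with an IP address per VLAN, whose network every host in that VLAN must use, plus IP routing enabled) together with the inbound access list just discussed, modelled in Python as an added example that is not from the article. The SVI addresses, host inventory and ACL entries are constructed for the demonstration; ACL evaluation follows Cisco's first-match-wins rule with the implicit deny at the end.

```python
"""Model of an InterVLAN-routing Layer 3 switch with SVIs and ACL filtering (added example)."""
import ipaddress

# Constructed inventory for the two-VLAN scenario in the article. Each SVI address
# dictates the IP network of its VLAN; every host in that VLAN must sit inside it
# and use the SVI as its default gateway. "bad-host" is deliberately misconfigured.
SVIS = {1: "192.168.1.1/24", 2: "192.168.2.1/24"}
HOSTS = {
    "ws-a": {"vlan": 1, "ip": "192.168.1.10", "gateway": "192.168.1.1"},
    "ws-b": {"vlan": 1, "ip": "192.168.1.11", "gateway": "192.168.1.1"},
    "srv-1": {"vlan": 2, "ip": "192.168.2.10", "gateway": "192.168.2.1"},
    "bad-host": {"vlan": 2, "ip": "192.168.3.5", "gateway": "192.168.2.1"},
}
# Inbound ACL on the VLAN 1 SVI: stop ICMP (host discovery) towards the server VLAN,
# permit everything else. Entries are (action, protocol, source net, destination net);
# like a Cisco ACL, the first match wins and an unmatched packet hits the implicit deny.
ACLS_IN = {
    1: [
        ("deny", "icmp", "192.168.1.0/24", "192.168.2.0/24"),
        ("permit", "ip", "0.0.0.0/0", "0.0.0.0/0"),
    ],
}


def audit_plan(svis, hosts):
    """List every host whose address or gateway disagrees with its VLAN's SVI."""
    findings = []
    svi_of = {vlan: ipaddress.ip_interface(addr) for vlan, addr in svis.items()}
    for name, host in hosts.items():
        if host["vlan"] not in svi_of:
            findings.append(f"{name}: VLAN {host['vlan']} has no SVI, so it cannot be routed")
            continue
        svi = svi_of[host["vlan"]]
        if ipaddress.ip_address(host["ip"]) not in svi.network:
            findings.append(f"{name}: {host['ip']} is outside {svi.network} dictated by the VLAN {host['vlan']} SVI")
        if ipaddress.ip_address(host["gateway"]) != svi.ip:
            findings.append(f"{name}: gateway {host['gateway']} is not the SVI address {svi.ip}")
    return findings


def acl_permits(entries, proto, src, dst):
    """Evaluate a Cisco-style ACL: the first matching entry decides, implicit deny at the end."""
    for action, entry_proto, src_net, dst_net in entries:
        if entry_proto != "ip" and entry_proto != proto:
            continue
        if src in ipaddress.ip_network(src_net) and dst in ipaddress.ip_network(dst_net):
            return action == "permit"
    return False


def route_lookup(svis, dst):
    """Return the VLAN whose SVI network contains dst (a connected route), or None."""
    for vlan, addr in svis.items():
        if dst in ipaddress.ip_interface(addr).network:
            return vlan
    return None


def forward(svis, hosts, acls_in, ip_routing, src_name, dst_name, proto="tcp"):
    """Decide how the switch handles a packet: 'l2', 'routed', or a 'dropped: ...' reason."""
    src_host, dst_host = hosts[src_name], hosts[dst_name]
    src = ipaddress.ip_address(src_host["ip"])
    dst = ipaddress.ip_address(dst_host["ip"])
    if src_host["vlan"] == dst_host["vlan"]:
        return "l2"  # same broadcast domain: switched at layer 2, no SVI involved
    if src_host["vlan"] not in svis:
        return "dropped: source VLAN has no SVI to act as gateway"
    if not ip_routing:
        return "dropped: ip routing disabled"
    if route_lookup(svis, dst) is None:
        return f"dropped: no route to {dst}"
    entries = acls_in.get(src_host["vlan"], [("permit", "ip", "0.0.0.0/0", "0.0.0.0/0")])
    if not acl_permits(entries, proto, src, dst):
        return f"dropped: denied by inbound ACL on SVI {src_host['vlan']}"
    return "routed"


if __name__ == "__main__":
    for finding in audit_plan(SVIS, HOSTS):
        print("audit:", finding)
    for flow in (("ws-a", "ws-b", "tcp"), ("ws-a", "srv-1", "tcp"), ("ws-a", "srv-1", "icmp")):
        print(flow, "-", forward(SVIS, HOSTS, ACLS_IN, True, *flow))
```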
&lt;h2&gt;Summary&lt;/h2&gt;
&lt;p style=&quot;text-align: justify;&quot; align=&quot;left&quot;&gt;InterVLAN routing is a terrific service and one that you simply can't live without in a large network. The topic is a fairly easy one once you get the idea, and that is our aim here: to help you get that idea and extend it further by giving you alternative methods.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot; align=&quot;left&quot;&gt;The key element to the InterVLAN routing service is that you must have at least one VLAN interface configured with an IP Address on the InterVLAN capable switch, which will also dictate the IP network for that VLAN. All hosts participating in that VLAN must also use the same IP addressing scheme to ensure communication between them. When the above requirements are met, it's then as simple as enabling the IP Routing service on the switch and you have the InterVLAN service activated.&lt;/p&gt;</content>
		<category term="VLAN Networks" />
	</entry>
	<entry>
		<title>VLANs - IEEE 802.1q Trunk Link Protocol Analysis</title>
		<link rel="alternate" type="text/html" href="https://www.firewall.cx/networking/vlan-networks/vlan-8021q-analysis.html"/>
		<published>2011-05-30T05:35:52+10:00</published>
		<updated>2011-05-30T05:35:52+10:00</updated>
		<id>https://www.firewall.cx/networking/vlan-networks/vlan-8021q-analysis.html</id>
		<author>
			<name>Administrator</name>
		</author>
		<content type="html">&lt;p&gt;&lt;img src=&quot;https://www.firewall.cx//images/stories/vlan-8021q-analysis-intro.webp&quot; alt=&quot;IEEE 802.1q header analysis&quot;&gt;&lt;/p&gt;&lt;p style=&quot;text-align: justify;&quot;&gt;&lt;img src=&quot;https://www.firewall.cx/images/stories/vlan-8021q-analysis-intro.webp&quot; alt=&quot;vlan 802.1q analysis intro&quot; style=&quot;margin-top: 7px; margin-bottom: 7px; float: left;&quot; title=&quot;vlan 802.1q analysis intro&quot; /&gt;While the &lt;a href=&quot;https://www.firewall.cx/networking/vlan-networks/vlan-tagging.html&quot; target=&quot;_blank&quot; title=&quot;VLAN Tagging&quot;&gt;VLAN Tagging&lt;/a&gt; article briefly covered the &lt;strong&gt;IEEE 802.1q protocol&lt;/strong&gt;, this article will continue building upon it by further analyzing the &lt;strong&gt;IEEE 802.1q Trunk Link Protocol&lt;/strong&gt;. The &lt;strong&gt;IEEE 802.1q tagging&lt;/strong&gt; method is the most popular as it allows the seamless integration of VLAN capable devices from all vendors supporting the protocol.&lt;/p&gt;
&lt;h2 style=&quot;text-align: left;&quot;&gt;IEEE 802.1q Analysis&lt;/h2&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;The &lt;strong&gt;IEEE 802.1q tagging mechanism&lt;/strong&gt; seems quite simple and efficient thanks to its &lt;strong&gt;4-byte overhead&lt;/strong&gt; squeezed between the &lt;strong&gt;Source Address&lt;/strong&gt; and &lt;strong&gt;Type/Length field&lt;/strong&gt; of our &lt;a href=&quot;https://www.firewall.cx/networking/ethernet/ethernet-ii.html&quot; target=&quot;_blank&quot; title=&quot;Ethernet II frame&quot;&gt;&lt;strong&gt;Ethernet II frame&lt;/strong&gt;&lt;/a&gt;:&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;&lt;img src=&quot;https://www.firewall.cx/images/stories/vlans-8021q-analysis-1.gif&quot; alt=&quot;vlans-8021q-analysis-1&quot; width=&quot;600&quot; height=&quot;211&quot; /&gt;&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;The process of inserting the &lt;strong&gt;802.1q tag&lt;/strong&gt; into an &lt;strong&gt;Ethernet II frame&lt;/strong&gt; results in the original &lt;strong&gt;Frame Check Sequence (FCS)&lt;/strong&gt; field becoming invalid, since we have altered the frame; hence it is essential that a &lt;strong&gt;new FCS&lt;/strong&gt; is recalculated, based on the new frame now containing the &lt;strong&gt;IEEE 802.1q field&lt;/strong&gt;. This process is &lt;strong&gt;automatically performed&lt;/strong&gt; by the switch, right before it sends the frame through a &lt;strong&gt;trunk link&lt;/strong&gt;. Our focus here will be the pink 3D block, labeled as the &lt;strong&gt;IEEE 802.1q header&lt;/strong&gt;.&lt;/p&gt;
&lt;h2 style=&quot;text-align: left;&quot;&gt;The IEEE 802.1q Header&lt;/h2&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;As noted, the &lt;strong&gt;802.1q header&lt;/strong&gt; is &lt;strong&gt;only 4 bytes&lt;/strong&gt; or &lt;strong&gt;32 bits&lt;/strong&gt; in length, yet within this space is all the necessary information required to successfully identify the frame's VLAN and ensure it arrives at the correct destination. The diagram below analyses all fields contained in an &lt;strong&gt;802.1q header&lt;/strong&gt;:&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;&lt;img src=&quot;https://www.firewall.cx/images/stories/vlans-8021q-analysis-2.gif&quot; alt=&quot;vlans-8021q-analysis-2&quot; width=&quot;500&quot; height=&quot;150&quot; /&gt;&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot; align=&quot;left&quot;&gt;The structure is quite simple as there are &lt;strong&gt;only 4 fields&lt;/strong&gt; when compared with the &lt;strong&gt;11 fields &lt;a href=&quot;https://www.firewall.cx/networking/vlan-networks/vlan-isl-analysis.html&quot; target=&quot;_blank&quot; title=&quot;InterSwitch Link (ISL)&quot;&gt;InterSwitch Link (ISL)&lt;/a&gt;&lt;/strong&gt; has. We will continue by analysing each of these fields in order to discover what the protocol is all about.&lt;/p&gt;
&lt;h2 style=&quot;text-align: left;&quot; align=&quot;left&quot;&gt;TPID - Tag Protocol IDentifier&lt;/h2&gt;
&lt;p align=&quot;left&quot;&gt;The &lt;strong&gt;TPID field&lt;/strong&gt; is &lt;strong&gt;16 bits long&lt;/strong&gt; with a value of &lt;strong&gt;0x8100&lt;/strong&gt;. It is used to identify the frame as an &lt;strong&gt;IEEE 802.1q tagged frame&lt;/strong&gt;.&lt;/p&gt;
&lt;p class=&quot;info&quot; style=&quot;text-align: justify;&quot; align=&quot;left&quot;&gt;Note: The next three fields, &lt;strong&gt;Priority&lt;/strong&gt;, &lt;strong&gt;CFI&lt;/strong&gt; and &lt;strong&gt;VLAN ID&lt;/strong&gt; are also known as the &lt;strong&gt;TCI (Tag Control Information) &lt;/strong&gt;field and are often represented as &lt;strong&gt;one single field (TCI Field)&lt;/strong&gt;.&lt;/p&gt;
&lt;h2 style=&quot;text-align: left;&quot; align=&quot;left&quot;&gt;Priority&lt;/h2&gt;
&lt;p align=&quot;left&quot;&gt;The &lt;strong&gt;Priority field&lt;/strong&gt; is only &lt;strong&gt;3 bits long&lt;/strong&gt; but is used for prioritisation of the data this frame is carrying.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot; align=&quot;left&quot;&gt;&lt;strong&gt;Data Prioritisation&lt;/strong&gt; is a whole study in itself but we won't be analysing it here since it's well beyond the scope of our topic. However, for those interested, data prioritisation allows us to give special priority to &lt;strong&gt;time-latency sensitive services&lt;/strong&gt;, such as &lt;strong&gt;Voice Over IP (VoIP)&lt;/strong&gt;, over normal data. This means that the specified bandwidth is allocated for these critical services to pass them through the link without any delay.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot; align=&quot;left&quot;&gt;The &lt;strong&gt;IEEE 802.1p priority protocol&lt;/strong&gt; was developed to provide such services and is utilised by the &lt;strong&gt;IEEE 802.1q tagging protocol&lt;/strong&gt;.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot; align=&quot;left&quot;&gt;The &lt;strong&gt;Priority field&lt;/strong&gt; is &lt;strong&gt;3 bits long&lt;/strong&gt;, allowing a total of &lt;strong&gt;2^3=8&lt;/strong&gt; different priorities for each frame, that is, &lt;strong&gt;level zero (0)&lt;/strong&gt; to &lt;strong&gt;seven (7)&lt;/strong&gt; inclusive.&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;&lt;img src=&quot;https://www.firewall.cx/images/stories/vlans-8021q-analysis-3.gif&quot; alt=&quot;vlans-8021q-analysis-3&quot; width=&quot;500&quot; height=&quot;150&quot; /&gt;&lt;/p&gt;
&lt;h2 style=&quot;text-align: left;&quot; align=&quot;left&quot;&gt;CFI - Canonical Format Indicator&lt;/h2&gt;
&lt;p style=&quot;text-align: justify;&quot; align=&quot;left&quot;&gt;The &lt;strong&gt;CFI field&lt;/strong&gt; is only &lt;strong&gt;1 bit long&lt;/strong&gt;. If set to &lt;strong&gt;1&lt;/strong&gt;, it means the &lt;a href=&quot;https://www.firewall.cx/networking/network-fundamentals/mac-addresses.html&quot; target=&quot;_blank&quot; title=&quot;MAC Address&quot;&gt;&lt;strong&gt;MAC Address&lt;/strong&gt;&lt;/a&gt; is in non-canonical format; otherwise &lt;strong&gt;0&lt;/strong&gt; means it is in canonical format. For Ethernet switches, this field is always set to &lt;strong&gt;zero (0)&lt;/strong&gt;. The &lt;strong&gt;CFI field&lt;/strong&gt; is mainly used for compatibility reasons between &lt;strong&gt;Ethernet&lt;/strong&gt; and &lt;strong&gt;Token Ring&lt;/strong&gt; networks.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot; align=&quot;left&quot;&gt;In the case where a frame arrives at an Ethernet port and the &lt;strong&gt;CFI flag&lt;/strong&gt; is set to &lt;strong&gt;one (1)&lt;/strong&gt;, that frame should not be forwarded as received to any &lt;strong&gt;untagged port&lt;/strong&gt; (&lt;strong&gt;Access Link port&lt;/strong&gt;).&lt;/p&gt;
&lt;h2 style=&quot;text-align: left;&quot; align=&quot;left&quot;&gt;VLAN ID - Virtual Local Area Network Identifier&lt;/h2&gt;
&lt;p style=&quot;text-align: justify;&quot; align=&quot;left&quot;&gt;The &lt;strong&gt;VLAN ID field&lt;/strong&gt; is perhaps the most important field out of all because we are able to identify which VLAN the frame belongs to, allowing the receiving switch to decide which ports the frame is allowed to exit depending on the switch configuration.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot; align=&quot;left&quot;&gt;For those who recall our &lt;a href=&quot;https://www.firewall.cx/networking/vlan-networks/vlan-tagging.html&quot; target=&quot;_blank&quot; title=&quot;VLAN Tagging&quot;&gt;VLAN Tagging&lt;/a&gt; article, we mentioned that the &lt;strong&gt;IEEE 802.1q tagging&lt;/strong&gt; method supports up to &lt;strong&gt;4096 different VLANs&lt;/strong&gt;. This number derives from the &lt;strong&gt;12 bit VLAN ID field&lt;/strong&gt; we are analysing right now and here are the calculations to prove this: &lt;strong&gt;2^12=4096&lt;/strong&gt;, which translates from &lt;strong&gt;VLAN 0&lt;/strong&gt; to &lt;strong&gt;VLAN 4095 inclusive&lt;/strong&gt;.&lt;/p&gt;
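The tag insertion and FCS recalculation described earlier, and the TPID, Priority, CFI and VLAN ID layout analysed in the sections above, worked through in Python as an added example that is not from the article. The MAC addresses, EtherType and payload are constructed for the demonstration; the FCS is the standard Ethernet CRC-32 computed with zlib and appended least significant byte first, and the CFI rule for access ports is included as a forwarding check.

```python
"""Build, tag and parse IEEE 802.1q frames (added example, not from the article)."""
import struct
import zlib

TPID_8021Q = 0x8100  # Tag Protocol Identifier that marks a frame as 802.1q tagged


def ethernet_fcs(body):
    """Frame Check Sequence: CRC-32 over DA..payload, transmitted least significant byte first."""
    return zlib.crc32(body).to_bytes(4, "little")


def build_frame(dst, src, ethertype, payload):
    """Assemble an untagged Ethernet II frame, padding the payload to the 46-byte minimum."""
    body = dst + src + struct.pack("!H", ethertype) + payload.ljust(46, b"\x00")
    return body + ethernet_fcs(body)


def encode_tci(priority, cfi, vlan_id):
    """Pack Priority (3 bits), CFI (1 bit) and VLAN ID (12 bits) into the 16-bit TCI."""
    if priority not in range(8):
        raise ValueError("priority must be 0..7")
    if cfi not in (0, 1):
        raise ValueError("cfi must be 0 or 1")
    if vlan_id not in range(4096):
        raise ValueError("vlan id must be 0..4095")
    # Plain arithmetic rather than shifts keeps the layout visible: PCP*2^13 + CFI*2^12 + VID
    return priority * 8192 + cfi * 4096 + vlan_id


def decode_tci(tci):
    """Split a 16-bit TCI into (priority, cfi, vlan_id)."""
    priority, rest = divmod(tci, 8192)
    cfi, vlan_id = divmod(rest, 4096)
    return priority, cfi, vlan_id


def tag_frame(frame, vlan_id, priority=0, cfi=0):
    """Insert the 4-byte 802.1q header after the Source Address and recompute the FCS."""
    body = frame[:-4]  # the old FCS no longer matches once the frame is altered
    tag = struct.pack("!HH", TPID_8021Q, encode_tci(priority, cfi, vlan_id))
    new_body = body[:12] + tag + body[12:]
    return new_body + ethernet_fcs(new_body)


def parse_frame(frame):
    """Verify the FCS, then describe the frame; tagged frames yield their TCI fields."""
    if len(frame) not in range(64, 1523):
        raise ValueError("frame length outside the 64..1522 byte range")
    body, fcs = frame[:-4], frame[-4:]
    if ethernet_fcs(body) != fcs:
        raise ValueError("FCS mismatch: frame was altered or corrupted")
    info = {"dst": body[:6].hex(":"), "src": body[6:12].hex(":"),
            "tagged": False, "priority": None, "cfi": None, "vlan_id": None}
    (field,) = struct.unpack("!H", body[12:14])
    offset = 14
    if field == TPID_8021Q:
        (tci,) = struct.unpack("!H", body[14:16])
        info["tagged"] = True
        info["priority"], info["cfi"], info["vlan_id"] = decode_tci(tci)
        (field,) = struct.unpack("!H", body[16:18])
        offset = 18
    info["ethertype"] = field
    info["payload"] = body[offset:]
    return info


def may_forward_to_access_port(info):
    """A tagged frame with CFI set must not be forwarded as-is onto an untagged (access) port."""
    return not (info["tagged"] and info["cfi"] == 1)


# Constructed sample frame: addresses and payload are made up for the demonstration.
DST = bytes.fromhex("001122334455")
SRC = bytes.fromhex("66778899aabb")
UNTAGGED = build_frame(DST, SRC, 0x0800, b"constructed sample payload")
TAGGED = tag_frame(UNTAGGED, vlan_id=20, priority=5)

if __name__ == "__main__":
    print("untagged:", len(UNTAGGED), "bytes; tagged:", len(TAGGED), "bytes")
    print("tag bytes:", TAGGED[12:16].hex(), "-", parse_frame(TAGGED))
```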
&lt;h2 style=&quot;text-align: left;&quot; align=&quot;left&quot;&gt;Summary&lt;/h2&gt;
&lt;p style=&quot;text-align: justify;&quot; align=&quot;left&quot;&gt;That completes our analysis of the &lt;strong&gt;IEEE 802.1q protocol&lt;/strong&gt;. As a last note, you should remember that this protocol is the most widespread tagging method used around the world and supports up to &lt;strong&gt;4096 VLANs&lt;/strong&gt;!&lt;/p&gt;</content>
		<category term="VLAN Networks" />
	</entry>
	<entry>
		<title>VLAN InterSwitch Link (ISL) Protocol Analysis</title>
		<link rel="alternate" type="text/html" href="https://www.firewall.cx/networking/vlan-networks/vlan-isl-analysis.html"/>
		<published>2011-05-30T05:18:55+10:00</published>
		<updated>2011-05-30T05:18:55+10:00</updated>
		<id>https://www.firewall.cx/networking/vlan-networks/vlan-isl-analysis.html</id>
		<author>
			<name>Administrator</name>
		</author>
		<summary type="html">&lt;p&gt;&lt;img src=&quot;https://www.firewall.cx//images/stories/vlan-isl-analysis-intro.webp&quot; alt=&quot;Introduction to ISL Analysis&quot;&gt;&lt;/p&gt;&lt;p&gt;&lt;img src=&quot;https://www.firewall.cx/images/stories/vlan-isl-analysis-intro.webp&quot; alt=&quot;vlan isl analysis intro&quot; style=&quot;margin: 7px; float: left;&quot; title=&quot;vlan isl analysis intro&quot; /&gt;Deciding whether to use &lt;strong&gt;ISL&lt;/strong&gt; or &lt;a href=&quot;https://www.firewall.cx/networking/vlan-networks/vlan-8021q-analysis.html&quot; target=&quot;_blank&quot; title=&quot;IEEE 802.1q&quot;&gt;&lt;strong&gt;IEEE 802.1q&lt;/strong&gt;&lt;/a&gt; to power your trunk links can be quite confusing if you cannot identify the advantages and disadvantages of each protocol within your network.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;This article will cover the &lt;strong&gt;ISL protocol&lt;/strong&gt; in great detail, providing an insight into its secrets and capabilities which you were probably unaware of. In turn, this will also help you understand why the protocol has certain limitations, but most importantly it will allow you to decide whether ISL is the tagging method you require within your network.&lt;/p&gt;
&lt;h2&gt;InterSwitch Link (ISL)&lt;/h2&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;&lt;strong&gt;ISL&lt;/strong&gt; is &lt;strong&gt;Cisco's proprietary tagging method&lt;/strong&gt; and is supported only on Cisco equipment over &lt;strong&gt;Fast&lt;/strong&gt; &amp;amp; &lt;strong&gt;Gigabit Ethernet links&lt;/strong&gt;. The size of an &lt;strong&gt;ISL frame&lt;/strong&gt; can be expected to start from &lt;strong&gt;94 bytes&lt;/strong&gt; and increase up to &lt;strong&gt;1548 bytes&lt;/strong&gt; due to the overhead (additional fields) the protocol places around the frame it is tagging.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;These fields and their length are also shown on the diagram below:&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;&lt;img src=&quot;https://www.firewall.cx/images/stories/vlans-isl-analysis-1.gif&quot; alt=&quot;vlans-isl-analysis-1&quot; width=&quot;600&quot; height=&quot;211&quot; style=&quot;display: block; margin-left: auto; margin-right: auto;&quot; title=&quot;Cisco ISL Frame Structure&quot; /&gt;&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;We will be focusing on the two purple coloured 3D blocks, the &lt;strong&gt;ISL header&lt;/strong&gt; and &lt;strong&gt;ISL Frame Check Sequence&lt;/strong&gt; &lt;strong&gt;(FCS)&lt;/strong&gt; respectively. The rest of the Ethernet frame shown is a standard &lt;strong&gt;Ethernet II frame&lt;/strong&gt; as we know it. If you need more information, visit our &lt;a href=&quot;https://www.firewall.cx/networking/ethernet/ethernet-ii.html&quot; target=&quot;_blank&quot; title=&quot;Ethernet II Frame&quot;&gt;Ethernet II&lt;/a&gt; page.&lt;/p&gt;
&lt;h2&gt;The ISL Header&lt;/h2&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;The &lt;strong&gt;ISL header&lt;/strong&gt; is a &lt;strong&gt;26 byte field&lt;/strong&gt; containing all the VLAN information required (as one would expect) to allow a frame to traverse a &lt;strong&gt;Trunk Link&lt;/strong&gt; and find its way to its destination.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;Here is a closer look at the header and all the fields it contains:&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;&lt;img src=&quot;https://www.firewall.cx/images/stories/vlans-isl-analysis-2.gif&quot; alt=&quot;vlans-isl-analysis-2&quot; width=&quot;591&quot; height=&quot;146&quot; style=&quot;display: block; margin-left: auto; margin-right: auto;&quot; /&gt;&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;You can see that the &lt;strong&gt;ISL header&lt;/strong&gt; is made up of quite a few fields, perhaps more than you might have expected, but this shouldn't alarm you as only a handful of them are important. As usual, we will start from the leftmost field and work our way to the far right of the header. First up, the &lt;strong&gt;DA&lt;/strong&gt; field:&lt;/p&gt;
&lt;h3&gt;Destination Address (DA) Field&lt;/h3&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;The '&lt;strong&gt;DA&lt;/strong&gt;' field is a &lt;strong&gt;40 bit destination address&lt;/strong&gt; field that contains a multicast address usually set to &quot;&lt;strong&gt;0x01-00-0C-00-00&lt;/strong&gt;&quot; or &quot;&lt;strong&gt;0x03-00-0C-00-00&lt;/strong&gt;&quot;. This address is used to signal to the receiver that the packet is in ISL format.&lt;/p&gt;
&lt;h3&gt;Type Field&lt;/h3&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;The 'Type' field is 4 bits long and helps identify the encapsulated original frame. Depending on the frame type, the ISL 'Type' field can take 4 possible values as outlined in the table below:&lt;/p&gt;
&lt;table border=&quot;1&quot; style=&quot;width: 438px; height: 132px;&quot; align=&quot;center&quot;&gt;
&lt;tbody&gt;
&lt;tr&gt;&lt;th scope=&quot;col&quot; bgcolor=&quot;#000066&quot;&gt;&lt;span style=&quot;color: #ffffff;&quot;&gt;Type Value&lt;/span&gt;&lt;/th&gt;&lt;th scope=&quot;col&quot; bgcolor=&quot;#006600&quot;&gt;
&lt;p&gt;&lt;span style=&quot;color: #ffffff;&quot;&gt;Encapsulated Frame&lt;/span&gt;&lt;/p&gt;
&lt;/th&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;th bgcolor=&quot;#006699&quot;&gt;&lt;span style=&quot;color: #ffffff;&quot;&gt;0000&lt;/span&gt;&lt;/th&gt;&lt;th bgcolor=&quot;#009900&quot;&gt;&lt;span style=&quot;color: #ffffff;&quot;&gt;Ethernet&lt;/span&gt;&lt;/th&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;th bgcolor=&quot;#006699&quot;&gt;&lt;span style=&quot;color: #ffffff;&quot;&gt;0001&lt;/span&gt;&lt;/th&gt;&lt;th bgcolor=&quot;#009900&quot;&gt;&lt;span style=&quot;color: #ffffff;&quot;&gt;Token-Ring&lt;/span&gt;&lt;/th&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;th bgcolor=&quot;#006699&quot;&gt;&lt;span style=&quot;color: #ffffff;&quot;&gt;0010&lt;/span&gt;&lt;/th&gt;&lt;th bgcolor=&quot;#009900&quot;&gt;&lt;span style=&quot;color: #ffffff;&quot;&gt;FDDI&lt;/span&gt;&lt;/th&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;th bgcolor=&quot;#006699&quot;&gt;&lt;span style=&quot;color: #ffffff;&quot;&gt;0011&lt;/span&gt;&lt;/th&gt;&lt;th bgcolor=&quot;#009900&quot;&gt;&lt;span style=&quot;color: #ffffff;&quot;&gt;ATM&lt;/span&gt;&lt;/th&gt;&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;The &lt;strong&gt;4 bits&lt;/strong&gt; of space assigned to the '&lt;strong&gt;Type Value&lt;/strong&gt;' field allow a maximum of &lt;strong&gt;2^4=16&lt;/strong&gt; different values. Since all combinations are not used, there is plenty of room for future encapsulations that might be developed.&lt;/p&gt;
&lt;p&gt;&lt;img src=&quot;https://www.firewall.cx/images/stories/vlans-isl-analysis-2.gif&quot; alt=&quot;vlans-isl-analysis-2&quot; width=&quot;591&quot; height=&quot;146&quot; style=&quot;display: block; margin-left: auto; margin-right: auto;&quot; /&gt;&lt;/p&gt;
&lt;h3&gt;User Defined Field&lt;/h3&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;The 'User' field, occupying 4 bits, serves as an extension to the previous 'Type' field and is mostly used when the original encapsulated frame is an Ethernet II frame. When this happens, the first two bits of the 'User' field act as a prioritisation mechanism, allowing the frames to find their way to the destination much faster.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;Currently, there are &lt;strong&gt;4 different priorities&lt;/strong&gt; available, as shown in the table below:&lt;/p&gt;
&lt;table border=&quot;1&quot; style=&quot;width: 438px; height: 132px;&quot; align=&quot;center&quot;&gt;
&lt;tbody&gt;
&lt;tr&gt;&lt;th scope=&quot;col&quot; style=&quot;width: 156px;&quot; bgcolor=&quot;#420900&quot;&gt;&lt;span style=&quot;color: #ffffff;&quot;&gt;User Field Value&lt;/span&gt;&lt;/th&gt;&lt;th scope=&quot;col&quot; style=&quot;width: 266px;&quot; bgcolor=&quot;#006600&quot;&gt;
&lt;p&gt;&lt;span style=&quot;color: #ffffff;&quot;&gt;Frame Priority&lt;/span&gt;&lt;/p&gt;
&lt;/th&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;th bgcolor=&quot;#990000&quot;&gt;&lt;span style=&quot;color: #ffffff;&quot;&gt;XX00&lt;/span&gt;&lt;/th&gt;&lt;th bgcolor=&quot;#009900&quot;&gt;&lt;span style=&quot;color: #ffffff;&quot;&gt;Normal Priority&lt;/span&gt;&lt;/th&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;th bgcolor=&quot;#990000&quot;&gt;&lt;span style=&quot;color: #ffffff;&quot;&gt;XX01&lt;/span&gt;&lt;/th&gt;&lt;th bgcolor=&quot;#009900&quot;&gt;&lt;span style=&quot;color: #ffffff;&quot;&gt;Priority 1&lt;/span&gt;&lt;/th&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;th bgcolor=&quot;#990000&quot;&gt;&lt;span style=&quot;color: #ffffff;&quot;&gt;XX10&lt;/span&gt;&lt;/th&gt;&lt;th bgcolor=&quot;#009900&quot;&gt;&lt;span style=&quot;color: #ffffff;&quot;&gt;Priority 2&lt;/span&gt;&lt;/th&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;th bgcolor=&quot;#990000&quot;&gt;&lt;span style=&quot;color: #ffffff;&quot;&gt;XX11&lt;/span&gt;&lt;/th&gt;&lt;th bgcolor=&quot;#009900&quot;&gt;&lt;span style=&quot;color: #ffffff;&quot;&gt;Highest Priority&lt;/span&gt;&lt;/th&gt;&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;We should also note that the use of priorities is optional and not required.&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;&lt;img src=&quot;https://www.firewall.cx/images/stories/vlans-isl-analysis-3.gif&quot; alt=&quot;vlans-isl-analysis-3&quot; width=&quot;591&quot; height=&quot;146&quot; style=&quot;display: block; margin-left: auto; margin-right: auto;&quot; /&gt;&lt;/p&gt;
&lt;h3&gt;Source Address (SA) Field&lt;/h3&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;The 'SA' field is the source MAC address of the switch port transmitting the frame. This field is, as expected, 48 bits long. The receiving device can choose to ignore this field. It is worth noting that while the Destination Address field at the beginning of the header contains a multicast MAC address, the Source Address field we are looking at here contains the MAC address of the sending device, usually a switch.&lt;/p&gt;
&lt;h3&gt;Length Field&lt;/h3&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;The 'Length' field is 16 bits long and contains the whole ISL frame's length minus the DA, Type, User, SA, LEN and FCS fields. If you're good at mathematics, you can easily calculate the total length of the excluded fields, which is 18 bytes. With this in mind, a quick way to find this field's value is to take the total frame size and subtract 18 bytes :)&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;Length fields are used in frames to help the receiving end identify where specific portions of the frame exist within the frame received.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;&amp;nbsp;&lt;img src=&quot;https://www.firewall.cx/images/stories/vlans-isl-analysis-3.gif&quot; alt=&quot;vlans-isl-analysis-3&quot; width=&quot;591&quot; height=&quot;146&quot; style=&quot;display: block; margin-left: auto; margin-right: auto;&quot; /&gt;&lt;/p&gt;
&lt;h3&gt;AAAA03 (SNAP) Field&lt;/h3&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;The &lt;strong&gt;SNAP field&lt;/strong&gt; is a &lt;strong&gt;24 bit long field&lt;/strong&gt; with a value of &quot;&lt;strong&gt;0xAAAA03&lt;/strong&gt;&quot;.&lt;/p&gt;
&lt;h3&gt;High bits Source Address (HSA) Field&lt;/h3&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;The '&lt;strong&gt;HSA&lt;/strong&gt;' field is a &lt;strong&gt;24 bit value&lt;/strong&gt;. This field represents the upper three bytes of the &lt;strong&gt;SA field&lt;/strong&gt; (the manufacturer's ID portion) and must contain the value &quot;&lt;strong&gt;0x00-00-0C&lt;/strong&gt;&quot;. Since the &lt;strong&gt;SA field&lt;/strong&gt; is &lt;strong&gt;48 bits long&lt;/strong&gt; or &lt;strong&gt;6 bytes&lt;/strong&gt;, the &lt;strong&gt;upper 3 bytes&lt;/strong&gt; of the &lt;strong&gt;SA field&lt;/strong&gt; translate to &lt;strong&gt;24 bits&lt;/strong&gt;, hence the length of the &lt;strong&gt;HSA field&lt;/strong&gt;.&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;&lt;img src=&quot;https://www.firewall.cx/images/stories/vlans-isl-analysis-4.gif&quot; alt=&quot;vlans-isl-analysis-4&quot; width=&quot;591&quot; height=&quot;146&quot; style=&quot;display: block; margin-left: auto; margin-right: auto;&quot; /&gt;&lt;/p&gt;
&lt;h3&gt;VLAN - Destination Virtual LAN ID Field&lt;/h3&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;The &lt;strong&gt;VLAN field&lt;/strong&gt; is the &lt;strong&gt;Virtual LAN ID&lt;/strong&gt; of the frame. This is perhaps the most important field of all as our frame moves between trunk links because it allows all trunk links to identify the VLAN this frame belongs to. The &lt;strong&gt;VLAN ID field&lt;/strong&gt; is &lt;strong&gt;15 bits long&lt;/strong&gt; and often referred to as the &quot;color&quot; of the frame.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;Without this field, there would be no way of identifying which VLAN a frame transiting a trunk link belongs to.&lt;/p&gt;
&lt;h3&gt;Bridge Protocol Data Unit (BPDU) &amp;amp; Cisco Discovery Protocol (CDP) Indicator&lt;/h3&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;The '&lt;strong&gt;BPDU&lt;/strong&gt;' field is only &lt;strong&gt;1 bit long&lt;/strong&gt; but very important, as it is set for &lt;strong&gt;all BPDU packets&lt;/strong&gt; encapsulated by the &lt;strong&gt;ISL frame&lt;/strong&gt;. For those unaware, BPDUs are used by the &lt;a href=&quot;https://www.firewall.cx/networking/network-protocols/spanning-tree-protocol.html&quot; target=&quot;_blank&quot; title=&quot;Spanning Tree Protocol (STP)&quot;&gt;&lt;strong&gt;Spanning Tree Protocol (STP)&lt;/strong&gt;&lt;/a&gt; to shut down redundant links and avoid network loops. This field is also set for encapsulated &lt;strong&gt;CDP&lt;/strong&gt; and &lt;strong&gt;&lt;a href=&quot;https://www.firewall.cx/networking/vlan-networks/vtp-introduction.html&quot; target=&quot;_blank&quot; title=&quot;Virtual Trunk Protocol (VTP)&quot;&gt;Virtual Trunk Protocol (VTP)&lt;/a&gt; frames&lt;/strong&gt;.&lt;/p&gt;
&lt;h3&gt;Index Field&lt;/h3&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;The &lt;strong&gt;Index field&lt;/strong&gt; is a &lt;strong&gt;16 bit value&lt;/strong&gt; and indicates the port index of the source of the packet as it exits the switch. It is used for diagnostic purposes only and may be set to any value by other devices.&lt;/p&gt;
&lt;h3&gt;RES Field - Reserved for Token Ring and Fiber Distributed Data Interface (FDDI)&lt;/h3&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;The &lt;strong&gt;RES field&lt;/strong&gt; is a &lt;strong&gt;16 bit value&lt;/strong&gt; used when &lt;strong&gt;Token Ring&lt;/strong&gt; or &lt;strong&gt;FDDI packets&lt;/strong&gt; are encapsulated in an &lt;strong&gt;ISL frame&lt;/strong&gt;. In the case of &lt;strong&gt;Token Ring&lt;/strong&gt; frames, the &lt;strong&gt;Access Control (AC)&lt;/strong&gt; and &lt;strong&gt;Frame Control (FC)&lt;/strong&gt; fields are placed here, whereas in the case of &lt;strong&gt;FDDI&lt;/strong&gt; the &lt;strong&gt;FC field&lt;/strong&gt; is placed in the &lt;strong&gt;Least Significant Byte (LSB)&lt;/strong&gt; of this field (for example, an &lt;strong&gt;FC&lt;/strong&gt; of &lt;strong&gt;0x12&lt;/strong&gt; gives a &lt;strong&gt;RES&lt;/strong&gt; field of &lt;strong&gt;0x0012&lt;/strong&gt;). For Ethernet packets, the &lt;strong&gt;RES&lt;/strong&gt; field should be set to &lt;strong&gt;all zeros&lt;/strong&gt;.&lt;/p&gt;
&lt;h3&gt;Frame Check Sequence (ISL FCS)&lt;/h3&gt;
&lt;p align=&quot;center&quot;&gt;&lt;img src=&quot;https://www.firewall.cx/images/stories/vlans-isl-analysis-5.gif&quot; alt=&quot;vlans-isl-analysis-5&quot; width=&quot;600&quot; height=&quot;211&quot; style=&quot;display: block; margin-left: auto; margin-right: auto;&quot; /&gt;&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;Coming to the end of the &lt;strong&gt;ISL protocol analysis&lt;/strong&gt;, we reach the &lt;strong&gt;FCS&lt;/strong&gt; field, which consists of &lt;strong&gt;four bytes&lt;/strong&gt;. The &lt;strong&gt;FCS&lt;/strong&gt; contains a &lt;strong&gt;32-bit CRC value&lt;/strong&gt;, which is created by the sending MAC (switch) and recalculated by the receiving MAC (switch) to detect corrupt frames. In an &lt;a href=&quot;https://www.firewall.cx/networking/ethernet/ethernet-ii.html&quot; target=&quot;_blank&quot; title=&quot;Ethernet II frame&quot;&gt;Ethernet II frame&lt;/a&gt;, the &lt;strong&gt;FCS&lt;/strong&gt; is generated over the &lt;strong&gt;Destination MAC&lt;/strong&gt;, &lt;strong&gt;Source MAC&lt;/strong&gt;, &lt;strong&gt;Ethertype&lt;/strong&gt; and &lt;strong&gt;Data&lt;/strong&gt; fields, while &lt;strong&gt;ISL's FCS&lt;/strong&gt; is calculated over the &lt;strong&gt;entire ISL frame&lt;/strong&gt; and appended to the end of it.&lt;/p&gt;
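&lt;p style=&quot;text-align: justify;&quot;&gt;As an added worked example (it is not part of the original article and not Cisco's own code), the following Python builds an ISL frame using the 26-byte header layout described above and parses it back, checking the DA, SNAP and HSA values, the LEN field (total frame size minus 18 bytes) and the FCS computed over the entire frame, so that a truncated, mislabelled or corrupted frame is rejected rather than silently accepted. Everything not stated in the article is an assumption and is labelled as such in the code: the CRC-32 byte order on the wire, the MAC addresses and payload bytes (all constructed for the example), and the reading of the priority from the two low-order bits of the User field, as in the XX00 to XX11 table above.&lt;/p&gt;

```python
"""Build and parse Cisco ISL-encapsulated Ethernet frames (added example).

Field offsets follow the article's header layout. The FCS byte order
(CRC-32 sent little-endian, as Ethernet does) is an assumption, as are
the MAC addresses and payload bytes constructed below.
"""
import struct
import zlib

# Values given in the article.
ISL_DA_PREFIXES = (bytes.fromhex("01000c0000"), bytes.fromhex("03000c0000"))
ISL_SNAP = bytes.fromhex("aaaa03")        # AAAA03 (SNAP) field
ISL_HSA = bytes.fromhex("00000c")         # upper 3 bytes of the Cisco SA
ISL_HEADER_LEN = 26                       # bytes
ISL_FCS_LEN = 4
ISL_LEN_EXCLUDED = 18                     # DA(5) + Type/User(1) + SA(6) + LEN(2) + FCS(4)
ISL_MIN_FRAME, ISL_MAX_FRAME = 94, 1548
ISL_TYPE_ETHERNET = 0                     # Type field value 0000


def isl_fcs(data):
    """CRC-32 over the whole ISL frame; little-endian wire order is assumed."""
    return zlib.crc32(data).to_bytes(4, "little")


def build_isl_frame(inner, vlan_id, src_mac, frame_type=ISL_TYPE_ETHERNET,
                    user=0, bpdu=0, index=0, res=0):
    """Prepend a 26-byte ISL header to an Ethernet frame and append the ISL FCS."""
    if vlan_id > 0x7FFF or 0 > vlan_id:
        raise ValueError("VLAN ID must fit in 15 bits")
    total_len = ISL_HEADER_LEN + len(inner) + ISL_FCS_LEN
    header = b"".join([
        ISL_DA_PREFIXES[0],                               # DA, 40 bits
        bytes([frame_type * 16 + user]),                  # Type (high nibble), User (low nibble)
        src_mac,                                          # SA, 48 bits
        struct.pack(">H", total_len - ISL_LEN_EXCLUDED),  # LEN = frame size minus 18
        ISL_SNAP,                                         # SNAP, 24 bits
        ISL_HSA,                                          # HSA, 24 bits
        struct.pack(">H", vlan_id * 2 + bpdu),            # VLAN (15 bits) then BPDU (1 bit)
        struct.pack(">H", index),                         # Index, diagnostic only
        struct.pack(">H", res),                           # RES, zero for Ethernet
    ])
    body = header + inner
    return body + isl_fcs(body)


def parse_isl_frame(frame):
    """Split an ISL frame into its fields, rejecting anything that violates
    the invariants the article describes (size, DA, SNAP, HSA, LEN, FCS)."""
    if ISL_MIN_FRAME > len(frame) or len(frame) > ISL_MAX_FRAME:
        raise ValueError("frame size outside 94..1548 bytes")
    hdr = frame[:ISL_HEADER_LEN]
    if hdr[0:5] not in ISL_DA_PREFIXES:
        raise ValueError("DA is not an ISL multicast address")
    if hdr[14:17] != ISL_SNAP:
        raise ValueError("bad SNAP field")
    if hdr[17:20] != ISL_HSA:
        raise ValueError("bad HSA field")
    # LEN at 12..14, skip SNAP+HSA (6 bytes), then VLAN/BPDU, Index, RES.
    length, vlan_bpdu, index, res = struct.unpack(">H6xHHH", hdr[12:26])
    if length != len(frame) - ISL_LEN_EXCLUDED:
        raise ValueError("LEN field does not match frame size")
    if frame[-ISL_FCS_LEN:] != isl_fcs(frame[:-ISL_FCS_LEN]):
        raise ValueError("ISL FCS mismatch: frame corrupted")
    return {
        "da": hdr[0:5],
        "type": hdr[5] // 16,
        "user": hdr[5] % 16,
        "priority": hdr[5] % 4,     # XX00..XX11 priority bits from the table (assumed low bits)
        "sa": hdr[6:12],
        "length": length,
        "vlan_id": vlan_bpdu // 2,
        "bpdu": vlan_bpdu % 2,
        "index": index,
        "res": res,
        "inner": frame[ISL_HEADER_LEN:-ISL_FCS_LEN],
    }


def sample_ethernet_frame():
    """Constructed minimum-size (64-byte) Ethernet II frame: 14-byte header,
    46 bytes of zero payload and a 4-byte FCS. Addresses are made up."""
    head = (bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
            + bytes.fromhex("0800") + bytes(46))
    return head + zlib.crc32(head).to_bytes(4, "little")


if __name__ == "__main__":
    inner = sample_ethernet_frame()
    isl = build_isl_frame(inner, vlan_id=100, src_mac=bytes.fromhex("00000c123456"))
    fields = parse_isl_frame(isl)
    print(len(isl), fields["length"], fields["vlan_id"])   # 94 76 100
```

&lt;p style=&quot;text-align: justify;&quot;&gt;With the constructed 64-byte Ethernet frame the ISL frame comes out at the article's minimum of 94 bytes and the LEN field at 76 (94 minus 18). Flipping any byte between the header and the FCS makes parse_isl_frame raise on the FCS check, which is the behaviour a receiving switch relies on to discard corrupt frames.&lt;/p&gt;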
&lt;h2&gt;Summary&lt;/h2&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;This article analysed all fields of the &lt;strong&gt;ISL header&lt;/strong&gt; and &lt;strong&gt;FCS&lt;/strong&gt;. The next page deals with the popular&lt;strong&gt; IEEE 802.1q&lt;/strong&gt;, an alternative to Cisco's &lt;strong&gt;ISL tagging protocol&lt;/strong&gt;.&lt;/p&gt;
</summary>
		<content type="html">&lt;p&gt;&lt;img src=&quot;https://www.firewall.cx//images/stories/vlan-isl-analysis-intro.webp&quot; alt=&quot;Introduction to ISL Analysis&quot;&gt;&lt;/p&gt;&lt;p&gt;&lt;img src=&quot;https://www.firewall.cx/images/stories/vlan-isl-analysis-intro.webp&quot; alt=&quot;vlan isl analysis intro&quot; style=&quot;margin: 7px; float: left;&quot; title=&quot;vlan isl analysis intro&quot; /&gt;Deciding whether to use &lt;strong&gt;ISL&lt;/strong&gt; or &lt;a href=&quot;https://www.firewall.cx/networking/vlan-networks/vlan-8021q-analysis.html&quot; target=&quot;_blank&quot; title=&quot;IEEE 802.1q&quot;&gt;&lt;strong&gt;IEEE 802.1q&lt;/strong&gt;&lt;/a&gt; to power your trunk links can be quite confusing if you cannot identify the advantages and disadvantages of each protocol within your network.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;This article will cover the &lt;strong&gt;ISL protocol&lt;/strong&gt; in great detail, providing an insight to its secrets and capabilities which you probably were unaware of. In turn, this will also help you understand the existence of certain limitations the protocol has, but most importantly allow you to decide if ISL is the tagging process you require within your network.&lt;/p&gt;
&lt;h2&gt;InterSwitch Link (ISL)&lt;/h2&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;&lt;strong&gt;ISL&lt;/strong&gt; is &lt;strong&gt;Cisco's propriety tagging method&lt;/strong&gt; and supported only on Cisco's equipment through &lt;strong&gt;Fast&lt;/strong&gt; &amp;amp; &lt;strong&gt;Gigabit Ethernet links&lt;/strong&gt;. The size of an &lt;strong&gt;ISL frame&lt;/strong&gt; can be expected to start from &lt;strong&gt;94 bytes&lt;/strong&gt; and increase up to &lt;strong&gt;1548 bytes&lt;/strong&gt; due to the overhead (additional fields) the protocol places within the frame it is tagging.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;These fields and their length are also shown on the diagram below:&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;&lt;img src=&quot;https://www.firewall.cx/images/stories/vlans-isl-analysis-1.gif&quot; alt=&quot;vlans-isl-analysis-1&quot; width=&quot;600&quot; height=&quot;211&quot; style=&quot;display: block; margin-left: auto; margin-right: auto;&quot; title=&quot;Cisco ISL Frame Structure&quot; /&gt;&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;We will be focusing on the two purple coloured 3D blocks, the &lt;strong&gt;ISL header&lt;/strong&gt; and &lt;strong&gt;ISL Frame Check Sequence&lt;/strong&gt; &lt;strong&gt;(FCS)&lt;/strong&gt; respectively. The rest of the Ethernet frame shown is a standard &lt;strong&gt;Ethernet II frame&lt;/strong&gt; as we know it. If you need more information, visit our &lt;a href=&quot;https://www.firewall.cx/networking/ethernet/ethernet-ii.html&quot; target=&quot;_blank&quot; title=&quot;Ethernet II Frame&quot;&gt;Ethernet II&lt;/a&gt; page.&lt;/p&gt;
&lt;h2&gt;The ISL Header&lt;/h2&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;The &lt;strong&gt;ISL header&lt;/strong&gt; is &lt;strong&gt;26 byte field&lt;/strong&gt; containing all the VLAN information required (as one would expect), to allow a frame traverse over a &lt;strong&gt;Trunk Link&lt;/strong&gt; and find its way to its destination.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;Here is a closer look at the header and all the fields it contains:&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;&lt;img src=&quot;https://www.firewall.cx/images/stories/vlans-isl-analysis-2.gif&quot; alt=&quot;vlans-isl-analysis-2&quot; width=&quot;591&quot; height=&quot;146&quot; style=&quot;display: block; margin-left: auto; margin-right: auto;&quot; /&gt;&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;You can see that the &lt;strong&gt;ISL header&lt;/strong&gt; is made out of quite a few fields, perhaps a lot more than what you might have expected, but this shouldn't alarm you as only a handful of these fields are important. As usual, we will start from the left field and work our way to the far right side of the header. First up...... the &lt;strong&gt;DA&lt;/strong&gt; field:&lt;/p&gt;
&lt;h3&gt;Destination Address (DA) Field&lt;/h3&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;The '&lt;strong&gt;DA&lt;/strong&gt;' field is a &lt;strong&gt;40 bit destination address&lt;/strong&gt; field that contains a multicast address usually set to &quot;&lt;strong&gt;0x01-00-0C-00-00&lt;/strong&gt;&quot; or &quot;&lt;strong&gt;0x03-00-0C-00-00&lt;/strong&gt;&quot;. This address is used to signal to the receiver that the packet is in ISL format.&lt;/p&gt;
&lt;h3&gt;Type Field&lt;/h3&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;The 'Type' field is 4 bits long and helps identify the encapsulated original frame. Depending on the frame type, the ISL 'Type' field can take 4 possible values as outlined in the table below:&lt;/p&gt;
&lt;table border=&quot;1&quot; style=&quot;width: 438px; height: 132px;&quot; align=&quot;center&quot;&gt;
&lt;tbody&gt;
&lt;tr&gt;&lt;th scope=&quot;col&quot; bgcolor=&quot;#000066&quot;&gt;&lt;span style=&quot;color: #ffffff;&quot;&gt;Type Value&lt;/span&gt;&lt;/th&gt;&lt;th scope=&quot;col&quot; bgcolor=&quot;#006600&quot;&gt;
&lt;p&gt;&lt;span style=&quot;color: #ffffff;&quot;&gt;Encapsulated Frame&lt;/span&gt;&lt;/p&gt;
&lt;/th&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;th bgcolor=&quot;#006699&quot;&gt;&lt;span style=&quot;color: #ffffff;&quot;&gt;0000&lt;/span&gt;&lt;/th&gt;&lt;th bgcolor=&quot;#009900&quot;&gt;&lt;span style=&quot;color: #ffffff;&quot;&gt;Ethernet&lt;/span&gt;&lt;/th&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;th bgcolor=&quot;#006699&quot;&gt;&lt;span style=&quot;color: #ffffff;&quot;&gt;0001&lt;/span&gt;&lt;/th&gt;&lt;th bgcolor=&quot;#009900&quot;&gt;&lt;span style=&quot;color: #ffffff;&quot;&gt;Token-Ring&lt;/span&gt;&lt;/th&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;th bgcolor=&quot;#006699&quot;&gt;&lt;span style=&quot;color: #ffffff;&quot;&gt;0010&lt;/span&gt;&lt;/th&gt;&lt;th bgcolor=&quot;#009900&quot;&gt;&lt;span style=&quot;color: #ffffff;&quot;&gt;FDDI&lt;/span&gt;&lt;/th&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;th bgcolor=&quot;#006699&quot;&gt;&lt;span style=&quot;color: #ffffff;&quot;&gt;0011&lt;/span&gt;&lt;/th&gt;&lt;th bgcolor=&quot;#009900&quot;&gt;&lt;span style=&quot;color: #ffffff;&quot;&gt;ATM&lt;/span&gt;&lt;/th&gt;&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;The &lt;strong&gt;4 bits&lt;/strong&gt; of space assigned to the '&lt;strong&gt;Type Value&lt;/strong&gt;' field allow a maximum of &lt;strong&gt;2^4=16&lt;/strong&gt; different values. Since all combinations are not used, there is plenty of room for future encapsulations that might be developed.&lt;/p&gt;
&lt;p&gt;&lt;img src=&quot;https://www.firewall.cx/images/stories/vlans-isl-analysis-2.gif&quot; alt=&quot;vlans-isl-analysis-2&quot; width=&quot;591&quot; height=&quot;146&quot; style=&quot;display: block; margin-left: auto; margin-right: auto;&quot; /&gt;&lt;/p&gt;
&lt;h3&gt;User Defined Field&lt;/h3&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;The 'User' field occupying 4 bits serves as an extension to the previous 'Type' field and is mostly used when the original encapsulated frame is an Ethernet II type frame. When this happens, the first two bits of the 'User' field act as a prioritisation mechanism, allowing the frames to find their way to the destination much faster.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;Currently, there are &lt;strong&gt;4 different priorities&lt;/strong&gt; available, as shown in the table below:&lt;/p&gt;
&lt;table border=&quot;1&quot; style=&quot;width: 438px; height: 132px;&quot; align=&quot;center&quot;&gt;
&lt;tbody&gt;
&lt;tr&gt;&lt;th scope=&quot;col&quot; style=&quot;width: 156px;&quot; bgcolor=&quot;#420900&quot;&gt;&lt;span style=&quot;color: #ffffff;&quot;&gt;Type Value&lt;/span&gt;&lt;/th&gt;&lt;th scope=&quot;col&quot; style=&quot;width: 266px;&quot; bgcolor=&quot;#006600&quot;&gt;
&lt;p&gt;&lt;span style=&quot;color: #ffffff;&quot;&gt;Frame Priority&lt;/span&gt;&lt;/p&gt;
&lt;/th&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;th bgcolor=&quot;#990000&quot;&gt;&lt;span style=&quot;color: #ffffff;&quot;&gt;XX00&lt;/span&gt;&lt;/th&gt;&lt;th bgcolor=&quot;#009900&quot;&gt;&lt;span style=&quot;color: #ffffff;&quot;&gt;Normal Priority&lt;/span&gt;&lt;/th&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;th bgcolor=&quot;#990000&quot;&gt;&lt;span style=&quot;color: #ffffff;&quot;&gt;XX01&lt;/span&gt;&lt;/th&gt;&lt;th bgcolor=&quot;#009900&quot;&gt;&lt;span style=&quot;color: #ffffff;&quot;&gt;Priority 1&lt;/span&gt;&lt;/th&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;th bgcolor=&quot;#990000&quot;&gt;&lt;span style=&quot;color: #ffffff;&quot;&gt;XX10&lt;/span&gt;&lt;/th&gt;&lt;th bgcolor=&quot;#009900&quot;&gt;&lt;span style=&quot;color: #ffffff;&quot;&gt;Priority 2&lt;/span&gt;&lt;/th&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;th bgcolor=&quot;#990000&quot;&gt;&lt;span style=&quot;color: #ffffff;&quot;&gt;XX11&lt;/span&gt;&lt;/th&gt;&lt;th bgcolor=&quot;#009900&quot;&gt;&lt;span style=&quot;color: #ffffff;&quot;&gt;Highest Priority&lt;/span&gt;&lt;/th&gt;&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;We should also note that the use of priorities is optional and not required.&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;&lt;img src=&quot;https://www.firewall.cx/images/stories/vlans-isl-analysis-3.gif&quot; alt=&quot;vlans-isl-analysis-3&quot; width=&quot;591&quot; height=&quot;146&quot; style=&quot;display: block; margin-left: auto; margin-right: auto;&quot; /&gt;&lt;/p&gt;
&lt;h3&gt;Source Address (SA) Field&lt;/h3&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;The 'SA' field is the source MAC address of the switch port transmitting the frame. This field is -as expected- 48 bits long. The receiving device can choose to ignore this field. It is worth noting that while the Destination Address field located at the beginning of the header contains a multicast MAC Address, the Source MAC address field we are looking at here contains the MAC address of the sending device - usually a switch.&lt;/p&gt;
&lt;h3&gt;Length Field&lt;/h3&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;The 'Length' field is 16 bits long and contains the whole ISL frame's length minus the DA, Type, User, SA, LEN and FCS fields. If you're good at mathematics, you can easily calculate the total length of the excluded fields, which is 18 bytes. With this in mind, a quick way to find this field's value is to take the total frame size and subtract 18 bytes :)&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;Length fields are used in frames to help the receiving end identify where specific portions of the frame exist within the frame received.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;&amp;nbsp;&lt;img src=&quot;https://www.firewall.cx/images/stories/vlans-isl-analysis-3.gif&quot; alt=&quot;vlans-isl-analysis-3&quot; width=&quot;591&quot; height=&quot;146&quot; style=&quot;display: block; margin-left: auto; margin-right: auto;&quot; /&gt;&lt;/p&gt;
&lt;h3&gt;AAAA03 (SNAP) Field&lt;/h3&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;The &lt;strong&gt;SNAP field&lt;/strong&gt; is a &lt;strong&gt;24 bit long field&lt;/strong&gt; with a value of &quot;&lt;strong&gt;0xAAAA03&lt;/strong&gt;&quot;.&lt;/p&gt;
&lt;h3&gt;High bits Source Address (HSA) Field&lt;/h3&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;The '&lt;strong&gt;HSA&lt;/strong&gt;' field is a &lt;strong&gt;24 bit value&lt;/strong&gt;. This field represents the upper three bytes of the &lt;strong&gt;SA field&lt;/strong&gt; (the manufacturers ID portion) and must contain the value &quot;&lt;strong&gt;0x00-00-0C&lt;/strong&gt;&quot;. Since the &lt;strong&gt;SA field&lt;/strong&gt; is &lt;strong&gt;48 bits long&lt;/strong&gt; or &lt;strong&gt;6 bytes&lt;/strong&gt;, the &lt;strong&gt;upper 3 bytes&lt;/strong&gt; of the &lt;strong&gt;SA field&lt;/strong&gt; would translate to &lt;strong&gt;24 bits&lt;/strong&gt;, hence the length of the &lt;strong&gt;HSA field&lt;/strong&gt;.&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;&lt;img src=&quot;https://www.firewall.cx/images/stories/vlans-isl-analysis-4.gif&quot; alt=&quot;vlans-isl-analysis-4&quot; width=&quot;591&quot; height=&quot;146&quot; style=&quot;display: block; margin-left: auto; margin-right: auto;&quot; /&gt;&lt;/p&gt;
&lt;h3&gt;VLAN - Destination Virtual LAN ID Field&lt;/h3&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;The &lt;strong&gt;VLAN field&lt;/strong&gt; is the &lt;strong&gt;Virtual LAN ID&lt;/strong&gt; of the frame. This is perhaps the most important field of all as our frame moves between trunk links because it allows all trunk links to identify the VLAN this frame belongs to. The &lt;strong&gt;VLAN ID field&lt;/strong&gt; is &lt;strong&gt;15 bits long&lt;/strong&gt; and often referred to as the &quot;color&quot; of the frame.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;Without this field, there would be no way of identifying which VLAN the frame transitting a trunk link belongs to.&lt;/p&gt;
&lt;h3&gt;Bridge Protocol Data Unit (BPDU) &amp;amp; Cisco Discovery Protocol (CDP) Indicator&lt;/h3&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;The '&lt;strong&gt;BPDU&lt;/strong&gt;' field is only &lt;strong&gt;1 bit long&lt;/strong&gt; but very important as it is set for &lt;strong&gt;all BPDU packets&lt;/strong&gt; encapsulated by the &lt;strong&gt;ISL frame&lt;/strong&gt;. For those unaware, BPDU's are used by the &lt;a href=&quot;https://www.firewall.cx/networking/network-protocols/spanning-tree-protocol.html&quot; target=&quot;_blank&quot; title=&quot;Spanning Tree Protocol (STP)&quot;&gt;&lt;strong&gt;Spanning Tree Protocol (STP)&lt;/strong&gt;&lt;/a&gt; to shut down redundant links and avoid network loops. This field is also used for &lt;strong&gt;CDP&lt;/strong&gt; and &lt;strong&gt;&lt;a href=&quot;https://www.firewall.cx/networking/vlan-networks/vtp-introduction.html&quot; target=&quot;_blank&quot; title=&quot;Virtual Trunk Protocol (VTP)&quot;&gt;Virtual Trunk Protocol (VTP)&lt;/a&gt; frames&lt;/strong&gt; that are encapsulated.&lt;/p&gt;
&lt;h3&gt;Index Field&lt;/h3&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;The &lt;strong&gt;Index field&lt;/strong&gt; is a &lt;strong&gt;16 bit value&lt;/strong&gt; and indicates the port index of the source of the packet as it exits the switch. It is used for diagnostic purposes only and may be set to any value by other devices.&lt;/p&gt;
&lt;h3&gt;RES Field - Reserved for Token Ring and Fiber Distributed Data Interface (FDDI)&lt;/h3&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;The &lt;strong&gt;RES field&lt;/strong&gt; is a &lt;strong&gt;16 bit value&lt;/strong&gt; and used when &lt;strong&gt;Token Ring&lt;/strong&gt; or &lt;strong&gt;FDDI packets&lt;/strong&gt; are encapsulated with an &lt;strong&gt;ISL frame&lt;/strong&gt;. In the case of &lt;strong&gt;Token Ring&lt;/strong&gt; frames, the &lt;strong&gt;Access Control (AC)&lt;/strong&gt; and &lt;strong&gt;Frame Control (FC)&lt;/strong&gt; fields are placed here whereas in the case of &lt;strong&gt;FDDI&lt;/strong&gt;, the &lt;strong&gt;FC field&lt;/strong&gt; is placed in the &lt;strong&gt;Least Significant Byte (LSB)&lt;/strong&gt; of this field (as in a &lt;strong&gt;FC&lt;/strong&gt; of&amp;nbsp;&lt;strong&gt;0x12&lt;/strong&gt; would have a &lt;strong&gt;RES&lt;/strong&gt; field of &lt;strong&gt;0x0012&lt;/strong&gt;). For Ethernet packets, the &lt;strong&gt;RES&lt;/strong&gt; field should be set to &lt;strong&gt;all zeros&lt;/strong&gt;.&lt;/p&gt;
&lt;h3&gt;Frame Check Sequence (ISL FCS)&lt;/h3&gt;
&lt;p align=&quot;center&quot;&gt;&lt;img src=&quot;https://www.firewall.cx/images/stories/vlans-isl-analysis-5.gif&quot; alt=&quot;vlans-isl-analysis-5&quot; width=&quot;600&quot; height=&quot;211&quot; style=&quot;display: block; margin-left: auto; margin-right: auto;&quot; /&gt;&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;Coming to the end of the &lt;strong&gt;ISL protocol analysis&lt;/strong&gt;, we reach the &lt;strong&gt;FCS&lt;/strong&gt; field, which consists of &lt;strong&gt;four bytes&lt;/strong&gt;. The &lt;strong&gt;FCS&lt;/strong&gt; contains a &lt;strong&gt;32-bit CRC value&lt;/strong&gt;, which is created by the sending MAC (switch) and is recalculated by the receiving MAC (switch) to detect corrupt frames. In an &lt;a href=&quot;https://www.firewall.cx/networking/ethernet/ethernet-ii.html&quot; target=&quot;_blank&quot; title=&quot;Ethernet II frame&quot;&gt;Ethernet II frame&lt;/a&gt;, the &lt;strong&gt;FCS&lt;/strong&gt; is generated over the &lt;strong&gt;Destination MAC&lt;/strong&gt;, &lt;strong&gt;Source MAC&lt;/strong&gt;, &lt;strong&gt;Ethertype&lt;/strong&gt; and &lt;strong&gt;Data&lt;/strong&gt; fields, while &lt;strong&gt;ISL's FCS&lt;/strong&gt; is calculated over the &lt;strong&gt;entire ISL frame&lt;/strong&gt; (header and encapsulated Ethernet frame, inner FCS included) and appended to the end of it.&lt;/p&gt;
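&lt;p style=&quot;text-align: justify;&quot;&gt;The following is an added example, not code from the firewall.cx article: it computes and verifies the two CRC-32 frame check sequences described above, the Ethernet II FCS over DA, SA, Ethertype and data, and the ISL FCS over the whole ISL frame. It assumes that Ethernet's FCS is the same CRC-32 as Python's zlib.crc32, sent least significant byte first, and it uses a constructed 26-byte all-zero placeholder for the ISL header, whose real field layout is described on the earlier pages of this analysis.&lt;/p&gt;

```python
"""Added example (not part of the firewall.cx article): Ethernet II FCS versus
ISL FCS, as described in the ISL protocol analysis.

Assumption: Ethernet's FCS is the IEEE CRC-32 that zlib.crc32 implements,
transmitted least significant byte first.  The 26-byte ISL header below is a
constructed placeholder of zeros; it is NOT the real header layout.
"""
import zlib

ISL_HEADER_LEN = 26   # ISL header size stated by the article
FCS_LEN = 4           # both Ethernet and ISL use a 4-byte (32-bit CRC) FCS


def fcs(covered: bytes) -> bytes:
    """CRC-32 over the covered bytes, in Ethernet wire order (little-endian)."""
    return zlib.crc32(covered).to_bytes(FCS_LEN, "little")


def ethernet_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    """Build an Ethernet II frame: the sending MAC computes the FCS over
    DA + SA + Ethertype + Data and appends it."""
    body = dst + src + ethertype.to_bytes(2, "big") + payload
    return body + fcs(body)


def ethernet_fcs_ok(frame: bytes) -> bool:
    """What the receiving MAC does: recompute the CRC and compare."""
    return len(frame) > FCS_LEN and fcs(frame[:-FCS_LEN]) == frame[-FCS_LEN:]


def isl_encapsulate(isl_header: bytes, inner_frame: bytes) -> bytes:
    """ISL wraps the complete inner Ethernet frame (its own FCS included) and
    appends a second FCS computed over header + inner frame, i.e. the entire
    ISL frame, exactly as the article describes."""
    if len(isl_header) != ISL_HEADER_LEN:
        raise ValueError("ISL header must be 26 bytes")
    covered = isl_header + inner_frame
    return covered + fcs(covered)


def isl_fcs_ok(isl_frame: bytes) -> bool:
    """Outer check performed by the receiving ISL-aware switch."""
    return len(isl_frame) > FCS_LEN and fcs(isl_frame[:-FCS_LEN]) == isl_frame[-FCS_LEN:]


def isl_inner_frame(isl_frame: bytes) -> bytes:
    """Strip the ISL header and outer FCS to recover the original frame."""
    return isl_frame[ISL_HEADER_LEN:-FCS_LEN]


def corrupt_byte(frame: bytes, index: int) -> bytes:
    """Flip one bit to simulate corruption on the wire."""
    buf = bytearray(frame)
    buf[index] ^= 0x01
    return bytes(buf)


# Constructed sample data: a minimum-size (64-byte) broadcast IPv4 frame.
SAMPLE_INNER = ethernet_frame(
    bytes.fromhex("ffffffffffff"),   # destination MAC (broadcast)
    bytes.fromhex("0011223344aa"),   # constructed source MAC
    0x0800,                          # Ethertype IPv4
    b"\x00" * 46,                    # padded payload
)
SAMPLE_HEADER = b"\x00" * ISL_HEADER_LEN   # placeholder ISL header (assumption)
SAMPLE_ISL = isl_encapsulate(SAMPLE_HEADER, SAMPLE_INNER)

if __name__ == "__main__":
    print("inner Ethernet frame:", len(SAMPLE_INNER), "bytes, FCS ok:", ethernet_fcs_ok(SAMPLE_INNER))
    print("ISL frame:", len(SAMPLE_ISL), "bytes, ISL FCS ok:", isl_fcs_ok(SAMPLE_ISL))
    damaged = corrupt_byte(SAMPLE_ISL, 3)   # bit flip inside the ISL header
    print("after header corruption, ISL FCS ok:", isl_fcs_ok(damaged),
          "inner FCS still ok:", ethernet_fcs_ok(isl_inner_frame(damaged)))
```

A bit flip inside the ISL header is caught only by the outer FCS, while a flip inside the encapsulated frame fails both checks; a 1518-byte inner frame produces the 1548-byte ISL frame mentioned on the tagging page.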
&lt;h2&gt;Summary&lt;/h2&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;This article analysed all fields of the &lt;strong&gt;ISL header&lt;/strong&gt; and &lt;strong&gt;FCS&lt;/strong&gt;. The next page deals with the popular &lt;strong&gt;IEEE 802.1q&lt;/strong&gt;, an alternative to Cisco's &lt;strong&gt;ISL tagging protocol&lt;/strong&gt;.&lt;/p&gt;
</content>
		<category term="VLAN Networks" />
	</entry>
	<entry>
		<title>VLAN Tagging - Understanding VLANs Ethernet Frames</title>
		<link rel="alternate" type="text/html" href="https://www.firewall.cx/networking/vlan-networks/vlan-tagging.html"/>
		<published>2011-05-30T05:08:09+10:00</published>
		<updated>2011-05-30T05:08:09+10:00</updated>
		<id>https://www.firewall.cx/networking/vlan-networks/vlan-tagging.html</id>
		<author>
			<name>Administrator</name>
		</author>
		<content type="html">&lt;p&gt;&lt;img src=&quot;https://www.firewall.cx//images/stories/vlan-tagging-intro.webp&quot; alt=&quot;Introduction to VLAN Tagging&quot;&gt;&lt;/p&gt;&lt;p&gt;&lt;img src=&quot;https://www.firewall.cx/images/stories/vlan-tagging-intro.webp&quot; alt=&quot;Introduction to VLAN Tagging&quot; style=&quot;margin: 7px; float: left;&quot; title=&quot;Introduction to VLAN Tagging&quot; /&gt;We mentioned that Trunk Links are designed to pass frames (packets) from all VLANs, allowing us to connect multiple switches together and independently configure each port to a specific VLAN. However, we haven't explained how these packets run through the Trunk Links and network backbone, eventually finding their way to the destination port without getting mixed or lost with the rest of the packets flowing through the Trunk Links.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot; align=&quot;left&quot;&gt;This process belongs to the world of VLAN Tagging!&lt;/p&gt;
&lt;h2&gt;VLAN Tagging&lt;/h2&gt;
&lt;p style=&quot;text-align: justify;&quot; align=&quot;left&quot;&gt;VLAN Tagging, also known as Frame Tagging, is a method developed by Cisco to help identify packets travelling through trunk links. When an Ethernet frame traverses a trunk link, a special VLAN tag is added to the frame and sent across the trunk link.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot; align=&quot;left&quot;&gt;As it arrives at the end of the trunk link the tag is removed and the frame is sent to the correct access link port according to the switch's table, so that the receiving end is unaware of any VLAN information.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot; align=&quot;left&quot;&gt;The diagram below illustrates the process described above:&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;&lt;img src=&quot;https://www.firewall.cx/images/stories/vlans-tagging-1.gif&quot; alt=&quot;vlans-tagging-1&quot; width=&quot;500&quot; height=&quot;430&quot; style=&quot;display: block; margin-left: auto; margin-right: auto;&quot; /&gt;&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;Here we see two 3500 series Catalyst switches and one Cisco 3745 router connected via the Trunk Links. The Trunk Links allow frames from all VLANs to travel throughout the network backbone and reach their destination regardless of the VLAN the frame belongs to. On the other side, the workstations are connected directly to Access Links (ports configured for one VLAN membership only), gaining access to the resources required by VLAN's members.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;Again, when we call a port 'Access Link' or 'Trunk Link', we are describing it based on the way it has been configured. This is because a port can be configured as an Access Link or Trunk Link (in the case where it's 100Mbits or faster).&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;This is stressed because a lot of people think that it's the other way around, meaning, a switch's uplink is always a Trunk Link and any normal port where you would usually connect a workstation, is an Access Link port!&lt;/p&gt;
&lt;div class=&quot;box-info&quot;&gt;VLAN configuration, InterVLAN routing and Trunk Link configuration for Cisco Layer 3 switches (3550, 3560 series, 3750 series, 4500 series and 6500 series switches) are covered extensively in the following article: &lt;a href=&quot;https://www.firewall.cx/cisco/cisco-switches/cisco-switches-basic-advanced-configuration.html&quot; target=&quot;_blank&quot; title=&quot;Basic &amp;amp; Advanced Catalyst Layer 3 Switch Configuration: Creating VLANs, InterVLAN Routing (SVI), VLAN Security – VLAN Hopping, VTP Configuration, Trunk Links, NTP. IOS License Requirements for SVI Routing.&quot;&gt;Basic &amp;amp; Advanced Catalyst Layer 3 Switch Configuration: Creating VLANs, InterVLAN Routing (SVI), VLAN Security – VLAN Hopping, VTP Configuration, Trunk Links, NTP. IOS License Requirements for SVI Routing.&lt;/a&gt;&lt;/div&gt;
&lt;h2&gt;VLAN Tagging Protocol&lt;/h2&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;We're now familiar with the term 'Trunk Link' and its purpose, that is, to allow frames from multiple VLANs to run across the network backbone, finding their way to their destination. What you might not have known though is that there is more than one method to 'tag' these frames as they run through the Trunk Links or ... the VLAN Highway as we like to call it.&lt;/p&gt;
&lt;h2&gt;InterSwitch Link (ISL)&lt;/h2&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;ISL is a Cisco proprietary protocol used for FastEthernet and Gigabit Ethernet links only. The protocol can be used on various equipment such as switch ports, router interfaces and server interface cards (to create a trunk to a server), and much more. You'll find more information on VLAN implementations on the last page of the VLAN topic.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot; align=&quot;left&quot;&gt;Being a proprietary protocol, ISL is naturally available and supported on Cisco products only :) You may also be interested to know that ISL is what we call an 'external tagging process'. This means that the protocol does not alter the Ethernet frame by placing the VLAN tag inside it, as shown in our previous diagram; instead it encapsulates the Ethernet frame with a new 26-byte ISL header and adds an additional 4-byte frame check sequence (FCS) field at the end of the frame, as illustrated below:&lt;/p&gt;
&lt;p align=&quot;left&quot;&gt;&lt;img src=&quot;https://www.firewall.cx/images/stories/vlans-tagging-2.gif&quot; alt=&quot;vlans-tagging-2&quot; width=&quot;600&quot; height=&quot;211&quot; style=&quot;display: block; margin-left: auto; margin-right: auto;&quot; /&gt;&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;Despite this extra overhead, ISL is capable of supporting up to 1000 VLANs and does not introduce any delays in data transfers between Trunk Links.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;In the above diagram we can see an ISL frame encapsulating an Ethernet II frame. This is the actual frame that runs through a trunk link between two Cisco devices when configured to use ISL as their trunk tagging protocol.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;The encapsulation method mentioned above also happens to be the reason why only ISL-aware devices are able to read it, and because of the addition of an ISL header and FCS field, the frame can end up being 1548 bytes long! For those who can't remember, Ethernet's maximum frame size is 1518 bytes, making an ISL frame of 1548 bytes, what we call a 'giant' or 'jumbo' frame!&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;Lastly, ISL uses Per VLAN Spanning Tree (PVST) which runs one instance of the Spanning Tree Protocol (STP) per VLAN. This method allows us to optimise the root switch placement for each available VLAN while supporting neat features such as VLAN load balancing between multiple trunks.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;Since the ISL's header fields are covered on a separate page, we won't provide further details here.&lt;/p&gt;
&lt;h2&gt;IEEE 802.1q&lt;/h2&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;The 802.1q standard was created by the IEEE group to address the problem of breaking large networks into smaller, more manageable ones through the use of VLANs. The 802.1q standard is of course an alternative to Cisco's ISL, and one that all vendors implement on their network equipment to ensure compatibility and seamless integration with the existing network infrastructure.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;As with all 'open standards', the IEEE 802.1q tagging method is by far the most popular and commonly used, even in Cisco-oriented network installations, mainly for compatibility with other equipment and future upgrades that might tend towards different vendors.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;In addition to compatibility, there are several more reasons for which most engineers prefer this method of tagging. These include:&lt;/p&gt;
&lt;ul style=&quot;text-align: justify;&quot;&gt;
&lt;li type=&quot;square&quot;&gt;Support of up to 4096 VLANs&lt;/li&gt;
&lt;li&gt;Insertion of a 4-byte VLAN tag with no encapsulation&lt;/li&gt;
&lt;li&gt;Smaller final frame sizes when compared with ISL&lt;/li&gt;
&lt;/ul&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;Amazingly enough, the 802.1q tagging method supports a whopping 4096 VLANs (as opposed to the 1000 VLANs ISL supports), a large number indeed, and one that is nearly impossible to deplete in your local area network.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;The 4-byte tag we mentioned is inserted within the existing Ethernet frame, right after the Source MAC Address as illustrated in the diagram below:&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;&lt;img src=&quot;https://www.firewall.cx/images/stories/vlans-tagging-3.gif&quot; alt=&quot;vlans-tagging-3&quot; width=&quot;600&quot; height=&quot;211&quot; style=&quot;display: block; margin-left: auto; margin-right: auto;&quot; /&gt;&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;Because of the extra 4-byte tag, the minimum Ethernet II frame size increases from 64 bytes to 68 bytes, while the maximum Ethernet II frame size now becomes 1522 bytes. If you require more information on the tag's fields, visit our protocol page where further details are given.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;As you may have already concluded yourself, the maximum Ethernet frame is considerably smaller (by 26 bytes) when using the IEEE 802.1q tagging method rather than ISL. This difference in size might lead many to conclude that the IEEE 802.1q tagging method is much faster than ISL, but this is not true. In fact, Cisco recommends you use ISL tagging when in a Cisco-native environment, but as outlined earlier, most network engineers and administrators believe that the IEEE 802.1q approach is much safer, ensuring maximum compatibility.&lt;/p&gt;
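&lt;p style=&quot;text-align: justify;&quot;&gt;The following is an added example, not code from the firewall.cx article: it inserts an IEEE 802.1q tag after the Source MAC of an Ethernet II frame, parses the tag stack back out of a frame, and checks the frame-size figures given above (64 to 68 bytes minimum, 1518 to 1522 bytes maximum, 26 bytes less than ISL's 1548). The tag layout it assumes (TPID 0x8100 followed by a 16-bit TCI of 3-bit priority, 1-bit DEI and 12-bit VLAN ID) comes from the IEEE 802.1Q standard, not from this page; the MAC addresses are constructed sample values.&lt;/p&gt;

```python
"""Added example (not part of the firewall.cx article): building and parsing
IEEE 802.1Q-tagged Ethernet II frames.

Assumed tag layout (from the IEEE 802.1Q standard, not from this page):
  TPID = 0x8100 (2 bytes), then TCI = PCP(3 bits) | DEI(1 bit) | VID(12 bits).
"""
import struct

TPID_8021Q = 0x8100        # EtherType value announcing an 802.1Q tag
TAG_LEN = 4                # the 4-byte tag the article describes
ETH_MIN_FRAME = 64         # untagged Ethernet II minimum (per the article)
ETH_MAX_FRAME = 1518       # untagged Ethernet II maximum (per the article)
ISL_MAX_FRAME = 1548       # ISL: 26-byte header + 1518 + 4-byte FCS (per the article)


def build_tagged_frame(untagged: bytes, vid: int, pcp: int = 0, dei: int = 0) -> bytes:
    """Insert one 802.1Q tag right after the 6-byte Source MAC (offset 12)."""
    if len(untagged) < 14:
        raise ValueError("need at least a 14-byte Ethernet II header")
    if vid not in range(4096):
        raise ValueError("VID must fit in 12 bits")
    tci = ((pcp & 0x7) << 13) | ((dei & 0x1) << 12) | vid
    tag = struct.pack("!HH", TPID_8021Q, tci)
    return untagged[:12] + tag + untagged[12:]


def parse_frame(frame: bytes) -> dict:
    """Return destination/source MACs, every VLAN tag found (outermost first)
    and the EtherType that follows the tag stack.  An untagged frame yields an
    empty tag list, which is what an access port should normally see."""
    if len(frame) < 14:
        raise ValueError("frame too short")
    dst = frame[0:6].hex(":")
    src = frame[6:12].hex(":")
    offset = 12
    tags = []
    while True:
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        if ethertype != TPID_8021Q:
            break
        if offset + TAG_LEN > len(frame) - 2:
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        tags.append({"pcp": tci >> 13, "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF})
        offset += TAG_LEN
    return {"dst": dst, "src": src, "tags": tags,
            "ethertype": ethertype, "payload": frame[offset + 2:]}


def dot1q_frame_limits() -> tuple:
    """(minimum, maximum) Ethernet II frame size once a single tag is inserted."""
    return ETH_MIN_FRAME + TAG_LEN, ETH_MAX_FRAME + TAG_LEN


def max_frame_saving_vs_isl() -> int:
    """How many bytes smaller the largest 802.1Q frame is than the largest ISL frame."""
    return ISL_MAX_FRAME - dot1q_frame_limits()[1]


# Constructed sample: a minimum-size (64-byte) IPv4 broadcast, FCS included.
SAMPLE_UNTAGGED = (bytes.fromhex("ffffffffffff")      # destination MAC (broadcast)
                   + bytes.fromhex("0011223344aa")    # constructed source MAC
                   + b"\x08\x00"                      # EtherType IPv4
                   + b"\x00" * 46                     # padded payload
                   + b"\x00" * 4)                     # placeholder FCS bytes

if __name__ == "__main__":
    tagged = build_tagged_frame(SAMPLE_UNTAGGED, vid=6, pcp=3)
    print("untagged:", len(SAMPLE_UNTAGGED), "bytes; tagged:", len(tagged), "bytes")
    print("parsed tags:", parse_frame(tagged)["tags"])
    print("802.1Q min/max:", dot1q_frame_limits(), "bytes; saving vs ISL:", max_frame_saving_vs_isl())
```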
&lt;p style=&quot;text-align: justify;&quot;&gt;And because not everything in this world is perfect, no matter how good the 802.1q tagging protocol might seem, it does come with its restrictions:&lt;/p&gt;
&lt;ul style=&quot;text-align: justify;&quot;&gt;
&lt;li&gt;In a Cisco powered network, the switch maintains one instance of the Spanning Tree Protocol (STP) per VLAN. This means that if you have 10 VLANs in your network, there will also be 10 instances of STP running amongst the switches. In the case of non-Cisco switches, then only 1 instance of STP is maintained for all VLANs, which is certainly not something a network administrator would want.&lt;/li&gt;
&lt;li&gt;It is imperative that the VLAN for an IEEE 802.1q trunk is the same for both ends of the trunk link, otherwise network loops are likely to occur.&lt;/li&gt;
&lt;li&gt;Cisco always advises that disabling an STP instance on one 802.1q VLAN trunk without disabling it on the rest of the available VLANs is not a good idea, because network loops might be created. It's best to either disable or enable STP on all VLANs.&lt;/li&gt;
&lt;/ul&gt;
&lt;h2&gt;LAN Emulation (LANE)&lt;/h2&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;LAN Emulation was introduced to solve the need of creating VLANs over WAN links, allowing network managers to define workgroups based on logical function, rather than physical location. With this new technology (so to speak - it's actually been around since 1995!), we are now able to create VLANs between remote offices, regardless of their location and distance.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;LANE is not very common and you will most probably never see it implemented in small to mid-sized networks, however, this is no reason to ignore it. Just keep in mind that we won't be looking at it in much depth, but briefly covering it so we can grasp the concept.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;LANE has been supported by Cisco since 1995 and Cisco's IOS release 11.0. When implemented between two point-to-point links, the WAN network becomes totally transparent to the end users:&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;&lt;img src=&quot;https://www.firewall.cx/images/stories/vlans-tagging-4.gif&quot; alt=&quot;vlans-tagging-4&quot; width=&quot;565&quot; height=&quot;316&quot; style=&quot;display: block; margin-left: auto; margin-right: auto;&quot; /&gt;&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;Every LAN or native ATM host, like the switch or router shown in the diagram, connects to the ATM network via a special software interface called the LAN Emulation Client (LEC). The LANE Client works with the LAN Emulation Server (LES) to handle all messages and packets flowing through the network, ensuring that the end clients are not aware of the WAN infrastructure, which therefore remains transparent to them.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;The LANE specification also defines a LAN Emulation Configuration Server (LECS), a service running inside an ATM switch or on a physical server connected to the ATM switch, that resides within the ATM network and allows network administrators to control which LANs are combined to form VLANs.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;The LAN Emulation Server, with the help of the LANE Client, maps MAC addresses to ATM addresses, emulating a Layer 2 (Data Link layer) LAN and transporting higher-layer protocols such as TCP/IP and IPX/SPX without modification.&lt;/p&gt;
&lt;h2&gt;802.10 (FDDI)&lt;/h2&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;Tagging VLAN frames on Fiber Distributed Data Interface (FDDI) networks is quite common in large scale networks. This implementation is usually found on Cisco's high-end switch models such as the Catalyst 5000 series, where special modules are installed inside the switches, connecting them to an FDDI backbone. This backbone interconnects all major network switches, providing a fully redundant network.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;The various modules available for the Cisco Catalyst switches allow the integration of Ethernet into the FDDI network. When installing the appropriate switch modules and with the use of the 802.10 SAID (Security Association Identifier) field, a mapping between each Ethernet VLAN and an 802.10 SAID value is created, and as such, all Ethernet VLANs are able to run over the FDDI network.&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;&lt;img src=&quot;https://www.firewall.cx/images/stories/vlans-tagging-5.gif&quot; alt=&quot;vlans-tagging-5&quot; width=&quot;500&quot; height=&quot;218&quot; style=&quot;display: block; margin-left: auto; margin-right: auto;&quot; /&gt;&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;The diagram above shows two Catalyst switches connected to an FDDI backbone. The links between the switches and the backbone can be either Access type links (meaning a single VLAN passes through them) or Trunk links (all VLANs are able to pass through them). At both ends, the switches have an Ethernet port belonging to VLAN 6, and to 'connect' these ports we map each switch's Ethernet module to its FDDI module.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;Lastly, the special FDDI modules mentioned above support both single VLANs (non-trunk) and multiple VLANs (trunk).&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;To provide further detail, the diagram below shows the IEEE 802.10 frame, along with the SAID field in which the VLAN ID is inserted, allowing the frame to transit trunk links as described:&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;&lt;img src=&quot;https://www.firewall.cx/images/stories/vlans-tagging-6.gif&quot; alt=&quot;vlans-tagging-6&quot; width=&quot;630&quot; height=&quot;150&quot; style=&quot;display: block; margin-left: auto; margin-right: auto;&quot; /&gt;&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;Don't worry if the structure of the above frame looks complicated, because it is. The Cisco switch in the previous diagram must process each Ethernet II frame and convert it before placing it on the IEEE 802.10 backbone or trunk.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;During this stage, the original Ethernet II frame is converted to an Ethernet SNAP frame and then finally to an IEEE 802.10 frame. This conversion is required to maintain compatibility and reliability between the two different topologies. The most important thing to remember here is the SAID field and its purpose: it carries the VLAN ID across the FDDI trunk.&lt;/p&gt;
&lt;h2&gt;Summary&lt;/h2&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;This page introduced four popular VLAN tagging methods, providing you with the frame structure and general details of each tagging method. Out of all, the IEEE 802.1q and ISL tagging methods are the most popular, so make sure you understand them quite well.&lt;/p&gt;</content>
		<category term="VLAN Networks" />
	</entry>
	<entry>
		<title>VLANs -  Access &amp; Trunk Links</title>
		<link rel="alternate" type="text/html" href="https://www.firewall.cx/networking/vlan-networks/vlan-access-trunk-links.html"/>
		<published>2011-05-30T04:57:10+10:00</published>
		<updated>2011-05-30T04:57:10+10:00</updated>
		<id>https://www.firewall.cx/networking/vlan-networks/vlan-access-trunk-links.html</id>
		<author>
			<name>Administrator</name>
		</author>
		<content type="html">&lt;p&gt;&lt;img src=&quot;https://www.firewall.cx//images/stories/vlans-access-and-trunk-links-intro.webp&quot; alt=&quot;Introduction to Access and Trunk Links&quot;&gt;&lt;/p&gt;&lt;p&gt;&lt;img src=&quot;https://www.firewall.cx/images/stories/vlans-access-and-trunk-links-intro.webp&quot; alt=&quot;vlans access and trunk links intro&quot; width=&quot;320&quot; height=&quot;200&quot; style=&quot;margin: 7px; float: left;&quot; title=&quot;vlans access and trunk links intro&quot; /&gt;If you've read our previous article&amp;nbsp;&lt;a href=&quot;https://www.firewall.cx/networking/vlan-networks/vlan-concept.html&quot; target=&quot;_blank&quot; title=&quot;The VLAN Concept - Introduction to VLANs&quot;&gt;The VLAN Concept - Introduction to VLANs&lt;/a&gt;&amp;nbsp; then you should feel comfortable with terms such as 'VLAN', 'Static &amp;amp; Dynamic VLANs', however this is just the beginning in this complex world. This article will start to slowly expand on these terms to help understand how VLANs are implemented inside an enterprise network.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;To begin with, we will take a closer look at the port interfaces on these smart switches and then start moving towards the interfaces connecting to the network backbone where things become slightly more complicated, though do not be alarmed since our detailed and easy to read diagrams are here to ensure the learning process is as enjoyable as possible.&lt;/p&gt;
&lt;h2&gt;VLAN Links - Interfaces&lt;/h2&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;In the world of VLANs there are two types of interfaces, or if you like, links. These links allow us to connect multiple switches together, or simply to connect network devices such as a PC that will access the VLAN network. Depending on their configuration, they are called Access Links or Trunk Links.&lt;/p&gt;
&lt;p class=&quot;box-hint&quot;&gt;VLAN Configuration, InterVLAN routing and Trunk Link configuration for Cisco Layer 3 switches (3550, 3560 series, 3750 series, 4500 series and 6500 series switches) is covered extensively in the following article: &lt;a href=&quot;https://www.firewall.cx/cisco/cisco-switches/cisco-switches-basic-advanced-configuration.html&quot; target=&quot;_blank&quot; title=&quot;Basic &amp;amp; Advanced Catalyst Layer 3 Switch Configuration: Creating VLANs, InterVLAN Routing (SVI), VLAN Security – VLAN Hopping, VTP Configuration, Trunk Links, NTP. IOS License Requirements for SVI Routing.&quot;&gt;Basic &amp;amp; Advanced Catalyst Layer 3 Switch Configuration: Creating VLANs, InterVLAN Routing (SVI), VLAN Security – VLAN Hopping, VTP Configuration, Trunk Links, NTP. IOS License Requirements for SVI Routing.&lt;/a&gt;&lt;/p&gt;
&lt;h2&gt;Access Links&lt;/h2&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;Access Links are the most common type of links on any VLAN switch. All network hosts connect to the switch's Access Links in order to gain access to the local network. These links are your ordinary ports found on every switch, but configured in a special way, so you are able to plug a computer into them and access your network.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;Here's a picture of a Cisco Catalyst 3550 series switch, with its Access Links (ports) marked in the green circle:&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;&lt;img src=&quot;https://www.firewall.cx/images/stories/vlans-links-1.jpg&quot; alt=&quot;vlans-links-1&quot; width=&quot;567&quot; height=&quot;150&quot; style=&quot;display: block; margin-left: auto; margin-right: auto;&quot; /&gt;&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;We must note that the 'Access Link' term describes a configured port; this means that the ports above can also be configured as the second type of VLAN link, the Trunk Link. What we are showing here is what is usually configured as an Access Link port on most switches. Depending on your needs, you might need to configure the first port (top left corner) as a Trunk Link, in which case it is obviously no longer called an Access Link port, but a Trunk Link!&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;When configuring ports on a switch to act as Access Links, we usually configure only one VLAN per port, that is, the VLAN our device will be allowed to access. If you recall the diagram below which was also present during the introduction of the VLAN concept, you'll see that each PC is assigned to a specific port:&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;&lt;img src=&quot;https://www.firewall.cx/images/stories/vlans-links-2.gif&quot; alt=&quot;vlans-links-2&quot; width=&quot;509&quot; height=&quot;267&quot; style=&quot;display: block; margin-left: auto; margin-right: auto;&quot; /&gt;&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;&amp;nbsp;&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;In this case, each of the 6 ports used have been configured for a specific VLAN. Ports 1, 2 and 3 have been assigned to VLAN 1 while ports 4, 5 and 6 to VLAN 2.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;In the above diagram, this translates to allowing only VLAN 1 traffic in and out of ports 1, 2 and 3, while ports 4, 5 and 6 will carry VLAN 2 traffic. As you would remember, these two VLANs do not exchange any traffic between each other, unless we are using a layer 3 switch (or router) and we have explicitly configured the switch to route traffic between the two VLANs.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;It is equally important to note at this point that any device connected to an Access Link (port) is totally unaware of the VLAN assigned to the port. The device simply assumes it is part of a single broadcast domain, just as with any normal switch. Before a frame leaves an access port the switch removes any VLAN tag, and frames from other VLANs never reach the port, so the recipient has no information about them.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;The following diagram illustrates this to help you get the picture:&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;&lt;img src=&quot;https://www.firewall.cx/images/stories/vlans-links-3.gif&quot; alt=&quot;vlans-links-3&quot; width=&quot;441&quot; height=&quot;359&quot; style=&quot;display: block; margin-left: auto; margin-right: auto;&quot; /&gt;&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;As shown, all frames arriving at, entering or exiting the port are standard Ethernet II frames which are understood by the network device connected to the port. There is nothing special about these frames, other than the fact that they belong only to the VLAN the port is configured for.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;If, for example, we configured the port shown above for VLAN 1, then any packets entering/exiting this port would be for that VLAN only. In addition, if we decided to use a logical network such as 192.168.0.0 with a default subnet mask of 255.255.255.0 (/24), then all network devices connecting to ports assigned to VLAN 1 must be configured with the appropriate network address so they may communicate with all other hosts in the same VLAN.&lt;/p&gt;
&lt;h2&gt;Trunk Links&lt;/h2&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;What we've seen so far is a switch port configured to carry only one VLAN, that is, an Access Link port. There is, however, one more type of port configuration which we mentioned in the introductory section on this page - the Trunk Link.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;A Trunk Link, or 'Trunk', is a port configured to carry frames for any VLAN. These types of ports are usually found in connections between switches. These links require the ability to carry frames from all available VLANs because VLANs span multiple switches.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;The diagram below shows multiple switches connected throughout a network and the Trunk Links are marked in purple colour to help you identify them:&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;&lt;img src=&quot;https://www.firewall.cx/images/stories/vlans-links-4.gif&quot; alt=&quot;vlans-links-4&quot; width=&quot;550&quot; height=&quot;433&quot; style=&quot;display: block; margin-left: auto; margin-right: auto;&quot; /&gt;&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;As you can see in our diagram, our switches connect to the network backbone via the Trunk Links. This allows all VLANs created in our network to propagate throughout the whole network. Now in the unlikely event of Trunk Link failure on one of our switches, the devices connected to that switch's ports would be isolated from the rest of the network, allowing only ports on that switch, belonging to the same VLAN, to communicate with each other.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;So now that we have an idea of what Trunk Links are and their purpose, let's take a look at an actual switch to identify a possible Trunk Link:&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;&lt;img src=&quot;https://www.firewall.cx/images/stories/vlans-links-5.gif&quot; alt=&quot;vlans-links-5&quot; width=&quot;567&quot; height=&quot;150&quot; style=&quot;display: block; margin-left: auto; margin-right: auto;&quot; /&gt;&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot; align=&quot;left&quot;&gt;As we noted with the explanation of Access Link ports, the term '&lt;strong&gt;Trunk Link&lt;/strong&gt;' describes a configured port. In this case, the Gigabit ports are usually configured as Trunk Links, connecting the switch to the network backbone at 1 Gigabit, while the Access Link ports connect at 100 Mbit/s.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot; align=&quot;left&quot;&gt;In addition, we should note that on the Cisco Catalyst switches of this generation a port must run at 100 Mbit/s or faster to operate as a Trunk Link; a 10 Mbit/s port cannot be configured as a trunk. This is a platform restriction rather than a property of 802.1Q tagging itself, but it makes sense: a Trunk Link carries the traffic of every VLAN crossing it, so it needs more bandwidth than a single Access Link.&lt;/p&gt;
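&lt;p style=&quot;text-align: justify;&quot;&gt;The following Python model is an added example, not code from this page or from any switch vendor: it represents the behaviour described above for a single switch with six access ports (three in VLAN 1, three in VLAN 2) and one trunk uplink. Frames entering an access port are placed in that port's VLAN, flooded untagged only to access ports of the same VLAN and sent out the trunk with an 802.1Q tag, while a frame arriving tagged from the trunk is delivered untagged to the matching access ports. The port names, MAC addresses, native VLAN 99 and the rule that a tagged frame on an access port is dropped are assumptions of the model (real platforms differ in that last case), and taking the trunk down shows the isolation described above.&lt;/p&gt;

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional

BROADCAST = 'ff:ff:ff:ff:ff:ff'


@dataclass
class Port:
    name: str
    mode: str                              # 'access' or 'trunk'
    vlan: int                              # access VLAN, or the native VLAN of a trunk
    allowed: FrozenSet[int] = frozenset()  # VLANs permitted on a trunk (unused on access ports)
    up: bool = True


@dataclass
class Frame:
    src: str
    dst: str
    tag: Optional[int] = None              # 802.1Q VID on the wire, None when untagged


class Switch:
    """Minimal VLAN-aware switch: per-VLAN MAC learning, access and trunk ports."""

    def __init__(self, ports):
        self.ports = {p.name: p for p in ports}
        self.mac_table: Dict[tuple, str] = {}   # (vlan, mac) -> port name

    def classify(self, port, frame):
        """VLAN an incoming frame belongs to, or None when the port must drop it."""
        if not port.up:
            return None
        if port.mode == 'access':
            # Assumption of this model: an access port accepts untagged frames only.
            return None if frame.tag is not None else port.vlan
        if frame.tag is None:
            return port.vlan                   # untagged on a trunk = native VLAN
        return frame.tag if frame.tag in port.allowed else None

    def forward(self, in_port_name, frame):
        """Map of output port name -> tag on the wire (None = sent untagged)."""
        in_port = self.ports[in_port_name]
        vlan = self.classify(in_port, frame)
        if vlan is None:
            return {}
        self.mac_table[(vlan, frame.src)] = in_port_name      # learn per VLAN
        known = self.mac_table.get((vlan, frame.dst))
        candidates = [known] if known else list(self.ports)   # unknown or broadcast: flood
        out = {}
        for name in candidates:
            port = self.ports[name]
            if name == in_port_name or not port.up:
                continue
            if port.mode == 'access' and port.vlan == vlan:
                out[name] = None                                  # tag stripped on an access port
            elif port.mode == 'trunk' and vlan in port.allowed:
                out[name] = None if vlan == port.vlan else vlan   # native VLAN leaves untagged
        return out


def build_switch():
    """Constructed layout: fa1-fa3 in VLAN 1, fa4-fa6 in VLAN 2, gi1 trunk with native VLAN 99."""
    access = [Port('fa%d' % i, 'access', 1 if i in (1, 2, 3) else 2) for i in range(1, 7)]
    trunk = Port('gi1', 'trunk', 99, frozenset({1, 2, 99}))
    return Switch(access + [trunk])


if __name__ == '__main__':
    sw = build_switch()
    print(sw.forward('fa1', Frame('00:00:00:00:00:aa', BROADCAST)))         # VLAN 1 flood, tagged on gi1
    print(sw.forward('gi1', Frame('00:00:00:00:00:cc', BROADCAST, tag=2)))  # untagged to VLAN 2 ports
    print(sw.forward('fa4', Frame('00:00:00:00:00:dd', BROADCAST, tag=2)))  # tagged on access: dropped
    sw.ports['gi1'].up = False
    print(sw.forward('fa1', Frame('00:00:00:00:00:aa', BROADCAST)))         # trunk down: local VLAN 1 only
```

&lt;p style=&quot;text-align: justify;&quot;&gt;The MAC table is keyed by VLAN as well as address, which is what keeps the two VLANs separate even when the same address appears in both; the trunk is the only port where a frame ever carries a tag, and only for VLANs it is allowed to carry.&lt;/p&gt;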
&lt;h2&gt;Summary&lt;/h2&gt;
&lt;p style=&quot;text-align: justify;&quot; align=&quot;left&quot;&gt;This page introduced the Access and Trunk links. We will be seeing a lot of both links from now on, so it's best you get comfortable with them! Configuration of these links is covered later on, because there is still quite a bit of theory to cover!&lt;/p&gt;</content>
		<category term="VLAN Networks" />
	</entry>
	<entry>
		<title>Dynamic VLANs</title>
		<link rel="alternate" type="text/html" href="https://www.firewall.cx/networking/vlan-networks/dynamic-vlans.html"/>
		<published>2011-05-30T04:13:45+10:00</published>
		<updated>2011-05-30T04:13:45+10:00</updated>
		<id>https://www.firewall.cx/networking/vlan-networks/dynamic-vlans.html</id>
		<author>
			<name>Administrator</name>
		</author>
		<summary type="html">&lt;p&gt;&lt;img src=&quot;https://www.firewall.cx//images/stories/dynamic-vlans-intro.webp&quot; alt=&quot;Introduction to Dynamic VLANs&quot;&gt;&lt;/p&gt;&lt;p&gt;&lt;img src=&quot;https://www.firewall.cx/images/stories/dynamic-vlans-intro.webp&quot; alt=&quot;dynamic vlans intro&quot; style=&quot;margin: 7px; float: left;&quot; title=&quot;dynamic vlans intro&quot; /&gt;Dynamic VLANs were introduced to grant the flexibility and complexity(!) that Static VLANs did not provide. Dynamic VLANs are quite rare because of their requirements and initial administrative overhead. As such, most administrators and network engineers tend to prefer Static VLANs.&lt;/p&gt;
&lt;h2&gt;Dynamic VLANs&lt;/h2&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;Dynamic VLANs, as opposed to Static VLANs, do not require the administrator to configure each port individually. Instead, a central server called the VMPS (VLAN Membership Policy Server) handles the on-the-spot port configuration of every switch participating in the VLAN network.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;The VMPS server contains a database of all workstation MAC addresses, along with the associated VLAN the MAC address belongs to. This way, we essentially have a VLAN-to-MAC address mapping:&lt;/p&gt;
&lt;p&gt;&amp;nbsp;&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;&lt;img src=&quot;https://www.firewall.cx/images/stories/vlans-designing-vlans-dynamic-1.gif&quot; alt=&quot;vlans-designing-vlans-dynamic-1&quot; width=&quot;454&quot; height=&quot;316&quot; style=&quot;display: block; margin-left: auto; margin-right: auto;&quot; /&gt;&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;The above diagram is intended to help us understand the mapping relationship that exists in the VMPS server. As shown, each MAC address, which translates to a host on the network, is mapped to a VLAN, allowing the host to move around the network, connect to any switch that is part of the VMPS network and keep its VLAN membership.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;You can now start to imagine the initial workload involved when configuring a VMPS server for a network of over 300 workstations:)&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;The above model works well, but it requires the switches to be in constant contact with the VMPS server, requesting configuration information every time a host connects to a switch participating in the VLAN network. There is a lot more information we can use to configure the VMPS database, but we won't be covering that just yet.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;Like all the network services it offers, Cisco has designed this model to be as flexible as our network might require. For example, you are able to connect more than one host to a single dynamically configured port, as long as all hosts are part of the same VLAN:&lt;/p&gt;
&lt;p style=&quot;text-align: center;&quot;&gt;&amp;nbsp;&lt;img src=&quot;https://www.firewall.cx/images/stories/vlans-designing-vlans-dynamic-2.gif&quot; alt=&quot;vlans-designing-vlans-dynamic-2&quot; width=&quot;350&quot; height=&quot;355&quot; /&gt;&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;The diagram above shows us a VLAN capable switch that has been configured to support Dynamic VLANs. On port No.5, we have connected a simple switch (not VLAN aware) from which another 4 workstations are connected.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;As mentioned previously, this type of configuration is valid and therefore supported, but it also has its restrictions and limitations.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;One of the restrictions, which can also be considered a security feature of sorts, is that all workstations connected to the same port must be configured in the VMPS server as members of the same VLAN; otherwise the port is likely to be shut down as a security precaution.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;As for the limitations of this configuration: if the switch detects more than 20 active hosts (20 MAC addresses) on the port, it will once again shut the port down, leaving the workstations without any network connection. When this happens, the port is left in an isolated state, not belonging to any VLAN.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;The fact is that Dynamic VLANs are really not suitable for every network, even though they allow a great deal of flexibility and security. If you consider the advantage one single feature of Dynamic VLANs can provide you with, then it might be all you need to implement them.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;Because each host connected to the switch is checked against the VMPS database for its VLAN membership before the port is activated and assigned to a VLAN, the network administrator is able to ensure that no foreign host can walk up to a wall socket, plug in a workstation and access the network if its MAC address is not stored in the VMPS database. For a large scale network, this could be considered an ace up your sleeve. Keep in mind, though, that the check rests entirely on the MAC address the host presents, and MAC addresses can be changed on almost any operating system, so this is a hurdle for casual connection attempts rather than strong authentication; where the identity of the host actually matters, 802.1X port authentication is the control to use.&lt;/p&gt;
&lt;h2&gt;Choosing Correct Switches&lt;/h2&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;One important factor we haven't yet mentioned is that you cannot run the VMPS server on a Cisco Catalyst 2900 or 3500 series switch. The Catalyst 4500 and upwards are able to act as a VMPS, and at the time of writing this switch had already reached its end of retail life. Those who have dealt with Cisco Catalyst switches in the past will know that a Catalyst 4500 is not the type of switch you would use in a 20 or 50 node network!&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;The Catalyst 4500 and 6500 series are switches designed for enterprise networks. As such, they are built to be modular, easily expandable depending on your needs and, lastly, fully redundant, because you can't have your core backbone switch failing when all other switches and network equipment are directly connected to it.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;We've added a few pictures of the Catalyst 6500 series for you to admire :)&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;&lt;img src=&quot;https://www.firewall.cx/images/stories/vlans-designing-vlans-dynamic-3.jpg&quot; alt=&quot;vlans-designing-vlans-dynamic-3&quot; width=&quot;532&quot; height=&quot;194&quot; style=&quot;display: block; margin-left: auto; margin-right: auto;&quot; /&gt;&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;You can clearly see the slots that allow the Catalyst switches to expand and grow with your network. In the likely event that you require more ports as your network expands, you simply buy a Fast Ethernet blade (some people call them 'slices') and insert it into an available slot!&lt;/p&gt;
&lt;h2&gt;Dynamic VLANs &amp;amp; FallBack VLANs&lt;/h2&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;Another very interesting and smart feature Dynamic VLANs support is the fallback VLAN. This neat feature lets you automatically place a port into a VLAN created specifically for workstations whose MAC address is not in the VMPS database. Consider company visitors or clients who require specific or restricted access to your network: they can freely connect to the network and obtain Internet access, along with limited rights on public directories.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;If no fallback VLAN has been configured and the MAC address seen on the switch port is unknown, the VMPS server sends an 'access-denied' response. In open mode this blocks the host's access to the network while leaving the port in its current state; if the VMPS server is running in 'secure' mode, it instead shuts the port down as an additional security measure.&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;&lt;img src=&quot;https://www.firewall.cx/images/stories/vlans-designing-vlans-dynamic-4.gif&quot; alt=&quot;vlans-designing-vlans-dynamic-4&quot; width=&quot;500&quot; height=&quot;438&quot; style=&quot;display: block; margin-left: auto; margin-right: auto;&quot; /&gt;&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;The above diagram represents a portion of a large-scale network using a Cisco Catalyst 6500 as the core switch. The switch has been configured to support Dynamic VLANs, so a VMPS server runs inside the switch, along with a DHCP server for each VLAN created. The administrator has already assigned the MAC addresses of the 3 workstations to the VLANs shown and has also created the fallback VLAN for any MAC address that does not exist in the database.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;Now consider this interesting scenario: one morning a visitor arrives in the office and needs an Internet connection so he can demonstrate a new product to management. As the administrator, you've already configured a fallback VLAN with a DHCP server active on it, pushing the necessary settings to clients so they can obtain Internet access.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;The visitor finds a free RJ-45 socket on the wall, which connects to a nearby Catalyst 3550 switch, and plugs in his laptop. Before the laptop is allowed onto the network, the Catalyst 3550 reads its MAC address, 4B:63:3F:A2:3E:F9. At this point the port is blocked, not allowing the laptop to send or receive data. The Catalyst 3550 sends the MAC address to the Catalyst 6500 acting as the VMPS server, which searches its database for a matching entry and finds none.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;Since the address is unknown and a fallback VLAN is defined, the VMPS answers with the fallback VLAN and sends this information back to the Catalyst 3550. The switch then enables the port our visitor is connected to by placing it in the fallback VLAN. Note that the VMPS does not add the visitor's MAC address to its database; the next time an unknown address appears, the same fallback lookup takes place.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;If the visitor's computer is configured to obtain an IP address automatically, it will do so once the operating system has booted. The visitor's DHCP request reaches the Catalyst 6500, whose DHCP server for the fallback VLAN returns the requested information, allowing the client to configure itself with all the parameters required to use the VLAN. This also means our visitor is now able to access the Internet!&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;Finally, if the computer is not configured for DHCP, the visitor must be given the correct network settings or asked to enable automatic IP configuration in their network properties.&lt;/p&gt;
&lt;h2&gt;Summary&lt;/h2&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;The preceding pages can be considered an 'eye-opener' for people who are new to the VLAN concept, and at the same time a 'quick overview' for those who are already well aware of it. We hope all your questions up to this point have been answered; if not, they are most likely more advanced and will surely be answered in the pages that follow.&lt;/p&gt;
&lt;p style=&quot;text-align: right;&quot;&gt;Previous - &lt;a href=&quot;https://www.firewall.cx/networking-topics/vlan-networks/designing-vlans/216-static-vlans.html&quot;&gt;Static VLANs&lt;/a&gt;&lt;/p&gt;</summary>
		<content type="html">&lt;p&gt;&lt;img src=&quot;https://www.firewall.cx//images/stories/dynamic-vlans-intro.webp&quot; alt=&quot;Introduction to Dynamic VLANs&quot;&gt;&lt;/p&gt;&lt;p&gt;&lt;img src=&quot;https://www.firewall.cx/images/stories/dynamic-vlans-intro.webp&quot; alt=&quot;dynamic vlans intro&quot; style=&quot;margin: 7px; float: left;&quot; title=&quot;dynamic vlans intro&quot; /&gt;Dynamic VLANs were introduced to grant the flexibility and complexity(!) that Static VLANs did not provide. Dynamic VLANs are quite rare because of their requirements and initial administrative overhead. As such, most administrators and network engineers tend to prefer Static VLANs.&lt;/p&gt;
&lt;h2&gt;Dynamic VLANs&lt;/h2&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;Dynamic VLANs, as opposed to Static VLANs, do not require the administrator to configure each port individually. Instead, a central server called the VMPS (VLAN Membership Policy Server) handles the on-the-spot port configuration of every switch participating in the VLAN network.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;The VMPS server contains a database of all workstation MAC addresses, along with the VLAN each MAC address belongs to. In effect, this gives us a MAC-address-to-VLAN mapping:&lt;/p&gt;
&lt;p&gt;&amp;nbsp;&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;&lt;img src=&quot;https://www.firewall.cx/images/stories/vlans-designing-vlans-dynamic-1.gif&quot; alt=&quot;vlans-designing-vlans-dynamic-1&quot; width=&quot;454&quot; height=&quot;316&quot; style=&quot;display: block; margin-left: auto; margin-right: auto;&quot; /&gt;&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;The above diagram illustrates the mapping relationship held in the VMPS server. As shown, each MAC address, which translates to a host on the network, is mapped to a VLAN. This allows the host to move around the network, connecting to any switch that is part of the VMPS domain, and keep its VLAN membership.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;You can now start to imagine the initial workload involved when configuring a VMPS server for a network of over 300 workstations :)&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;As one would expect, the above model works very well, but it also requires the switches to stay in regular contact with the VMPS server: a switch queries the VMPS every time a new host appears on a dynamic port, and periodically reconfirms the assignments it already holds. There is a lot more information we can use to configure the VMPS database, but we won't be covering that just yet.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;As with most of its network services, Cisco has designed this model to be as flexible as our network might require. For example, you can connect more than one host to a single dynamically configured port, as long as all hosts are part of the same VLAN:&lt;/p&gt;
&lt;p style=&quot;text-align: center;&quot;&gt;&amp;nbsp;&lt;img src=&quot;https://www.firewall.cx/images/stories/vlans-designing-vlans-dynamic-2.gif&quot; alt=&quot;vlans-designing-vlans-dynamic-2&quot; width=&quot;350&quot; height=&quot;355&quot; /&gt;&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;The diagram above shows us a VLAN capable switch that has been configured to support Dynamic VLANs. On port No.5, we have connected a simple switch (not VLAN aware) from which another 4 workstations are connected.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;As mentioned previously, this type of configuration is valid and therefore supported, but it also has its restrictions and limitations.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;One of the restrictions, which can also be considered a semi-security feature, is that all workstations connected to the same dynamic port must be configured in the VMPS server as members of the same VLAN. If the VMPS returns a different VLAN for a new MAC address on a port that has already been assigned, the switch shuts the port down as a security precaution.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;As for the limitations of this configuration: if the switch detects more than 20 active hosts (20 MAC addresses) on the port, it again shuts it down, leaving the workstations without any network connection. When this happens, the port returns to an isolated state, not belonging to any VLAN.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;Dynamic VLANs are not suitable for every network, even though they offer a great deal of flexibility and some additional security. That said, a single feature of Dynamic VLANs may provide enough of an advantage to justify implementing them.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;Because each host connected to the switch is checked against the VMPS database for its VLAN membership before the port is activated and assigned to a VLAN, the network administrator can ensure that no foreign host whose MAC address is not stored in the VMPS database can simply walk up to a wall socket, plug in a workstation and access the network. For a large-scale network, this could be considered an ace up your sleeve. Keep in mind, however, that the check is based purely on the MAC address, which any host can change at will, so it stops accidental or casual connections rather than a deliberate attacker; a stronger control is port-based authentication with 802.1X, which authenticates the host instead of trusting the address it presents.&lt;/p&gt;
&lt;h2&gt;Choosing Correct Switches&lt;/h2&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;One important factor we haven't yet mentioned is that you cannot run the VMPS server on a Cisco Catalyst 2900 or 3500 series switch. The Catalyst 4500 and upwards are able to act as a VMPS, and at the time of writing this switch had already reached its end of retail life. Those who have dealt with Cisco Catalyst switches in the past will know that a Catalyst 4500 is not the type of switch you would use in a 20 or 50 node network!&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;The Catalyst 4500 and 6500 series are switches designed for enterprise networks. As such, they are built to be modular, easily expandable depending on your needs and, lastly, fully redundant, because you can't have your core backbone switch failing when all other switches and network equipment are directly connected to it.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;We've added a few pictures of the Catalyst 6500 series for you to admire :)&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;&lt;img src=&quot;https://www.firewall.cx/images/stories/vlans-designing-vlans-dynamic-3.jpg&quot; alt=&quot;vlans-designing-vlans-dynamic-3&quot; width=&quot;532&quot; height=&quot;194&quot; style=&quot;display: block; margin-left: auto; margin-right: auto;&quot; /&gt;&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;You can clearly see the slots that allow the Catalyst switches to expand and grow with your network. In the likely event that you require more ports as your network expands, you simply buy a Fast Ethernet blade (some people call them 'slices') and insert it into an available slot!&lt;/p&gt;
&lt;h2&gt;Dynamic VLANs &amp;amp; FallBack VLANs&lt;/h2&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;Another very interesting and smart feature Dynamic VLANs support is the fallback VLAN. This neat feature lets you automatically place a port into a VLAN created specifically for workstations whose MAC address is not in the VMPS database. Consider company visitors or clients who require specific or restricted access to your network: they can freely connect to the network and obtain Internet access, along with limited rights on public directories.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;If no fallback VLAN has been configured and the MAC address seen on the switch port is unknown, the VMPS server sends an 'access-denied' response. In open mode this blocks the host's access to the network while leaving the port in its current state; if the VMPS server is running in 'secure' mode, it instead shuts the port down as an additional security measure.&lt;/p&gt;
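&lt;p style=&quot;text-align: justify;&quot;&gt;The decision rules described in the last few paragraphs (one VLAN per dynamic port, the 20-host limit, the fallback VLAN, and the open versus secure handling of an unknown MAC address) are easier to reason about when written down as code. The following Python model is an added example, not code from this site or from Cisco: the port names, MAC addresses, VLAN names and the VMPS database are all constructed for illustration, and the per-port checks are modelled on the switch side rather than inside the VMPS, which is a simplification.&lt;/p&gt;

```python
'''Model of the VMPS / VQP decision rules described on this page (added
example, not firewall.cx or Cisco code; MACs, VLAN names and database
contents are constructed). Rules: a dynamic port is unassigned until the
VMPS returns a VLAN; hosts sharing one port must map to the same VLAN;
a second VLAN, a 21st MAC, or access-denied in secure mode shuts the
port down; an unknown MAC gets the fallback VLAN when one is set.'''
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

MAX_HOSTS_PER_DYNAMIC_PORT = 20


def normalise_mac(mac):
    '''Canonical lower-case colon form, so lookups ignore how the MAC was written.'''
    digits = ''.join(c for c in mac.lower() if c in '0123456789abcdef')
    if len(digits) != 12:
        raise ValueError('not a MAC address: %r' % mac)
    return ':'.join(digits[i:i + 2] for i in range(0, 12, 2))


@dataclass
class VMPS:
    '''Server side: MAC-to-VLAN database (canonical keys), fallback VLAN, mode.'''
    mac_to_vlan: Dict[str, str]
    fallback: Optional[str] = None
    mode: str = 'open'          # 'open' or 'secure'

    def query(self, mac):
        '''Answer one VQP request as (verdict, vlan_or_None).'''
        vlan = self.mac_to_vlan.get(normalise_mac(mac))
        if vlan is not None:
            return 'vlan', vlan
        if self.fallback is not None:
            return 'fallback', self.fallback
        if self.mode == 'secure':
            return 'shutdown', None
        return 'access-denied', None


@dataclass
class DynamicPort:
    '''Client side: state of one VMPS-controlled (dynamic) access port.'''
    name: str
    vlan: Optional[str] = None  # None means unassigned / isolated
    active_macs: Set[str] = field(default_factory=set)
    shutdown: bool = False

    def host_connects(self, mac, vmps):
        '''Handle a new source MAC on this port and return the port state.'''
        mac = normalise_mac(mac)
        if self.shutdown or mac in self.active_macs:
            return self.state()
        verdict, vlan = vmps.query(mac)
        if verdict == 'shutdown':
            self._shut_down()
        elif verdict == 'access-denied':
            pass  # open mode: the host gets nothing, the port keeps its state
        elif self.vlan is not None and vlan != self.vlan:
            self._shut_down()  # two VLANs behind one port: security precaution
        elif len(self.active_macs) == MAX_HOSTS_PER_DYNAMIC_PORT:
            self._shut_down()  # this host would be the 21st
        else:
            self.vlan = vlan
            self.active_macs.add(mac)
        return self.state()

    def _shut_down(self):
        self.shutdown, self.vlan = True, None  # back to the isolated state
        self.active_macs.clear()

    def state(self):
        return 'shutdown' if self.shutdown else (self.vlan or 'unassigned')


def run_scenarios():
    '''Walk through the situations the page describes; returns name: state.'''
    staff = {'00:11:22:33:44:01': 'SALES', '00:11:22:33:44:02': 'SALES',
             '00:11:22:33:44:03': 'IT'}
    lab = {'00:aa:bb:cc:dd:%02x' % i: 'LAB' for i in range(1, 22)}  # 21 hosts
    visitor = '4B:63:3F:A2:3E:F9'  # the unknown laptop from the page's walkthrough
    r = {}
    r['known_host'] = DynamicPort('Fa0/1').host_connects('00:11:22:33:44:01', VMPS(staff))
    r['visitor_fallback'] = DynamicPort('Fa0/2').host_connects(visitor, VMPS(staff, fallback='GUESTS'))
    r['visitor_open_denied'] = DynamicPort('Fa0/3').host_connects(visitor, VMPS(staff))
    r['visitor_secure'] = DynamicPort('Fa0/4').host_connects(visitor, VMPS(staff, mode='secure'))
    # an unmanaged switch on port 5: two SALES hosts are fine, adding an IT host is not
    port, server = DynamicPort('Fa0/5'), VMPS(staff)
    port.host_connects('00:11:22:33:44:01', server)
    r['two_same_vlan'] = port.host_connects('00:11:22:33:44:02', server)
    r['mixed_vlans'] = port.host_connects('00:11:22:33:44:03', server)
    # 21 LAB hosts behind one port: the 20th is accepted, the 21st trips the limit
    port, server = DynamicPort('Fa0/6'), VMPS(lab)
    states = [port.host_connects(m, server) for m in sorted(lab)]
    r['twentieth_host'], r['twenty_first_host'] = states[19], states[20]
    return r


if __name__ == '__main__':
    for name, state in run_scenarios().items():
        print('%-20s %s' % (name, state))
```

&lt;p style=&quot;text-align: justify;&quot;&gt;Running it prints the resulting port state for each scenario. Two cases are worth noting: an access-denied answer in open mode leaves the port unassigned but alive, and an unmanaged switch behind a dynamic port is shut down the moment a host from another VLAN appears on it, taking the hosts that were already working down with it.&lt;/p&gt;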
&lt;p align=&quot;center&quot;&gt;&lt;img src=&quot;https://www.firewall.cx/images/stories/vlans-designing-vlans-dynamic-4.gif&quot; alt=&quot;vlans-designing-vlans-dynamic-4&quot; width=&quot;500&quot; height=&quot;438&quot; style=&quot;display: block; margin-left: auto; margin-right: auto;&quot; /&gt;&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;The above diagram represents a portion of a large-scale network using a Cisco Catalyst 6500 as the core switch. The switch has been configured to support Dynamic VLANs, so a VMPS server runs inside the switch, along with a DHCP server for each VLAN created. The administrator has already assigned the MAC addresses of the 3 workstations to the VLANs shown and has also created the fallback VLAN for any MAC address that does not exist in the database.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;Now consider this interesting scenario: one morning a visitor arrives in the office and needs an Internet connection so he can demonstrate a new product to management. As the administrator, you've already configured a fallback VLAN with a DHCP server active on it, pushing the necessary settings to clients so they can obtain Internet access.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;The visitor finds a free RJ-45 socket on the wall, which connects to a nearby Catalyst 3550 switch, and plugs in his laptop. Before the laptop is allowed onto the network, the Catalyst 3550 reads its MAC address, 4B:63:3F:A2:3E:F9. At this point the port is blocked, not allowing the laptop to send or receive data. The Catalyst 3550 sends the MAC address to the Catalyst 6500 acting as the VMPS server, which searches its database for a matching entry and finds none.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;Since the address is unknown and a fallback VLAN is defined, the VMPS answers with the fallback VLAN and sends this information back to the Catalyst 3550. The switch then enables the port our visitor is connected to by placing it in the fallback VLAN. Note that the VMPS does not add the visitor's MAC address to its database; the next time an unknown address appears, the same fallback lookup takes place.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;If the visitor's computer is configured to obtain an IP address automatically, it will do so once the operating system has booted. The visitor's DHCP request reaches the Catalyst 6500, whose DHCP server for the fallback VLAN returns the requested information, allowing the client to configure itself with all the parameters required to use the VLAN. This also means our visitor is now able to access the Internet!&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;Finally, if the computer is not configured for DHCP, the visitor must be given the correct network settings or asked to enable automatic IP configuration in their network properties.&lt;/p&gt;
&lt;h2&gt;Summary&lt;/h2&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;The preceding pages can be considered an 'eye-opener' for people who are new to the VLAN concept, and at the same time a 'quick overview' for those who are already well aware of it. We hope all your questions up to this point have been answered; if not, they are most likely more advanced and will surely be answered in the pages that follow.&lt;/p&gt;
&lt;p style=&quot;text-align: right;&quot;&gt;Previous - &lt;a href=&quot;https://www.firewall.cx/networking-topics/vlan-networks/designing-vlans/216-static-vlans.html&quot;&gt;Static VLANs&lt;/a&gt;&lt;/p&gt;</content>
		<category term="VLAN Networks" />
	</entry>
	<entry>
		<title>Static VLANs</title>
		<link rel="alternate" type="text/html" href="https://www.firewall.cx/networking/vlan-networks/static-vlans.html"/>
		<published>2011-05-30T02:17:37+10:00</published>
		<updated>2011-05-30T02:17:37+10:00</updated>
		<id>https://www.firewall.cx/networking/vlan-networks/static-vlans.html</id>
		<author>
			<name>Administrator</name>
		</author>
		<summary type="html">&lt;p&gt;&lt;img src=&quot;https://www.firewall.cx//images/stories/static-vlans-intro.webp&quot; alt=&quot;Introduction to Static VLANs&quot;&gt;&lt;/p&gt;&lt;p style=&quot;text-align: justify;&quot;&gt;&lt;img src=&quot;https://www.firewall.cx/images/stories/static-vlans-intro.webp&quot; alt=&quot;Introduction to static vlans&quot; style=&quot;margin: 7px; float: left;&quot; title=&quot;Introduction to static vlans&quot; /&gt;VLANs are usually created by the network administrator, assigning each port of every switch to a VLAN. Depending on the network infrastructure and security policies, the assignment of VLANs can be implemented using two different methods: Static or Dynamic memberships - these two methods are also known as VLAN memberships.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;Each of these methods has its advantages and disadvantages, and we will be analysing them in depth to help you decide which would best suit your network.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;Depending on the method used to assign VLAN membership, the switch may require further configuration, but in most cases it's a pretty straightforward process. This page deals with Static VLANs, while Dynamic VLANs are covered next.&lt;/p&gt;
&lt;h2&gt;Static VLANs&lt;/h2&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;Static VLAN membership is perhaps the most widely used method because of the relatively small administration overhead and security it provides. With Static VLANs, the administrator will assign each port of the switch to one VLAN. Once this is complete, they can simply connect each device or workstation to the appropriate port.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;The picture below depicts an illustration of the above, where 4 ports have been configured for 4 different VLANs:&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;&lt;img src=&quot;https://www.firewall.cx/images/stories/vlans-designing-vlans-static-1.gif&quot; alt=&quot;vlans-designing-vlans-static-1&quot; width=&quot;465&quot; height=&quot;264&quot; style=&quot;display: block; margin-left: auto; margin-right: auto;&quot; /&gt;&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;The illustration above shows a Cisco switch (well, half of it :&amp;gt;) where ports 1, 2, 7 and 10 have been configured and assigned to VLANs 1, 5, 2 and 3 respectively.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;At this point, we should remind you that these 4 VLANs are not able to communicate between each other without the use of a router as they are treated as 4 separate physical networks, regardless of the network addressing scheme used on each of them. However, we won't provide further detail on VLAN routing since it's covered later on.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;Static VLANs are certainly more secure than traditional switches, while also being relatively easy to configure and monitor. As one would expect, all nodes belonging to a VLAN must also be part of the same logical network in order to communicate with one another. For example, on our switch above, if we assigned network 192.168.1.0/24 to VLAN 1, then all nodes connecting to ports assigned to VLAN 1 must use the same network address to communicate with each other, just as if this were an ordinary switch.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;In addition, Static VLANs have another strong point: you are able to control where your users move within a large network. By assigning specific ports on your switches throughout your network, you are able to control access and limit the network resources your users are able to use.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;A good example would be a large network with multiple departments where any network administrator would want to control where the users can physically connect their workstation or laptop and which servers they are able to access.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;The following diagram shows a VLAN powered network where the switches have been configured with Static VLAN support.&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;&lt;img src=&quot;https://www.firewall.cx/images/stories/vlans-designing-vlans-static-2.gif&quot; alt=&quot;vlans-designing-vlans-static-2&quot; width=&quot;550&quot; height=&quot;460&quot; style=&quot;display: block; margin-left: auto; margin-right: auto;&quot; /&gt;&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;The network diagram might look slightly complicated at first, but if you pay close attention to each switch you will notice that it's quite simple: six switches with 6 VLANs configured, one VLAN per department, as shown. While each VLAN has one logical network assigned to it, the IT department has, in addition, placed one workstation in each of the following departments for support purposes: Management, R&amp;amp;D and HR.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;The network administrator has assigned Port 1 (P1) on each department switch to VLAN 5 for the workstation belonging to the IT department, while the rest of the ports are assigned to the appropriate VLAN as shown in the diagram.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;This setup allows the administrator to place any employee in the IT department, anywhere on the network, without worrying if the user will be able to connect and access the IT department's resources.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;In addition, if a user in any of the above departments, e.g. the Management department, decided to get smart and attempted to gain access to the IT department's network and resources by plugging his workstation into Port 1 of his department's switch, he wouldn't get far at first: his workstation is configured for the 192.168.1.0 network (VLAN 1), while Port 1 requires a 192.168.5.0 network address (VLAN 5). Logically, he would have to change his IP address to match the network he is trying to reach, in this case 192.168.5.0. Bear in mind that this is a trivial change for the user to make, so the port assignment on its own only protects against accidental connections; keeping a determined user out of VLAN 5 calls for additional controls on that port, such as port security or 802.1X authentication.&lt;/p&gt;
&lt;h2&gt;Summary&lt;/h2&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;To sum up, with Static VLANs, we assign each individual switch port to a VLAN. The network addresses are totally up to us to decide. In our example, the switches do not care what network address is used for each VLAN as they totally ignore this information unless routing is performed (this is covered in the InterVLAN routing page). As far as the switches are concerned, if you have two ports assigned to the same VLAN, then these two ports are able to communicate between each other as it would happen on any normal layer 2 switch.&lt;/p&gt;
&lt;p style=&quot;text-align: right;&quot;&gt;Previous - &lt;a href=&quot;https://www.firewall.cx/networking/vlan-networks/vlan-comparison.html&quot; title=&quot;Comparing Old Flat Networks &amp;amp; VLAN Networks&quot;&gt;Comparing Old Flat Networks &amp;amp; VLAN Networks&lt;/a&gt;&amp;nbsp; Next - &lt;a href=&quot;https://www.firewall.cx/networking/vlan-networks/dynamic-vlans.html&quot; title=&quot;Dynamic VLANs&quot;&gt;Dynamic VLANs&lt;/a&gt;&lt;span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;/p&gt;</summary>
		<content type="html">&lt;p&gt;&lt;img src=&quot;https://www.firewall.cx//images/stories/static-vlans-intro.webp&quot; alt=&quot;Introduction to Static VLANs&quot;&gt;&lt;/p&gt;&lt;p style=&quot;text-align: justify;&quot;&gt;&lt;img src=&quot;https://www.firewall.cx/images/stories/static-vlans-intro.webp&quot; alt=&quot;Introduction to static vlans&quot; style=&quot;margin: 7px; float: left;&quot; title=&quot;Introduction to static vlans&quot; /&gt;VLANs are usually created by the network administrator, assigning each port of every switch to a VLAN. Depending on the network infrastructure and security policies, the assignment of VLANs can be implemented using two different methods: Static or Dynamic memberships - these two methods are also known as VLAN memberships.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;Each of these methods has its advantages and disadvantages, and we will be analysing them in depth to help you decide which would best suit your network.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;Depending on the method used to assign VLAN membership, the switch may require further configuration, but in most cases it's a pretty straightforward process. This page deals with Static VLANs, while Dynamic VLANs are covered next.&lt;/p&gt;
&lt;h2&gt;Static VLANs&lt;/h2&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;Static VLAN membership is perhaps the most widely used method because of the relatively small administration overhead and security it provides. With Static VLANs, the administrator will assign each port of the switch to one VLAN. Once this is complete, they can simply connect each device or workstation to the appropriate port.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;The picture below depicts an illustration of the above, where 4 ports have been configured for 4 different VLANs:&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;&lt;img src=&quot;https://www.firewall.cx/images/stories/vlans-designing-vlans-static-1.gif&quot; alt=&quot;vlans-designing-vlans-static-1&quot; width=&quot;465&quot; height=&quot;264&quot; style=&quot;display: block; margin-left: auto; margin-right: auto;&quot; /&gt;&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;The illustration above shows a Cisco switch (well, half of it :&amp;gt;) where ports 1, 2, 7 and 10 have been configured and assigned to VLANs 1, 5, 2 and 3 respectively.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;At this point, we should remind you that these 4 VLANs are not able to communicate between each other without the use of a router as they are treated as 4 separate physical networks, regardless of the network addressing scheme used on each of them. However, we won't provide further detail on VLAN routing since it's covered later on.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;Static VLANs are certainly more secure than traditional switches, while also being relatively easy to configure and monitor. As one would expect, all nodes belonging to a VLAN must also be part of the same logical network in order to communicate with one another. For example, on our switch above, if we assigned network 192.168.1.0/24 to VLAN 1, then all nodes connecting to ports assigned to VLAN 1 must use the same network address to communicate with each other, just as if this were an ordinary switch.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;In addition, Static VLANs have another strong point: you are able to control where your users move within a large network. By assigning specific ports on your switches throughout your network, you are able to control access and limit the network resources your users are able to use.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;A good example would be a large network with multiple departments where any network administrator would want to control where the users can physically connect their workstation or laptop and which servers they are able to access.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;The following diagram shows a VLAN powered network where the switches have been configured with Static VLAN support.&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;&lt;img src=&quot;https://www.firewall.cx/images/stories/vlans-designing-vlans-static-2.gif&quot; alt=&quot;vlans-designing-vlans-static-2&quot; width=&quot;550&quot; height=&quot;460&quot; style=&quot;display: block; margin-left: auto; margin-right: auto;&quot; /&gt;&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;The network diagram might look slightly complicated at first, but if you pay close attention to each switch you will notice that it's quite simple: six switches with 6 VLANs configured, one VLAN per department, as shown. While each VLAN has one logical network assigned to it, the IT department has, in addition, placed one workstation in each of the following departments for support purposes: Management, R&amp;amp;D and HR.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;The network administrator has assigned Port 1 (P1) on each department switch to VLAN 5 for the workstation belonging to the IT department, while the rest of the ports are assigned to the appropriate VLAN as shown in the diagram.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;This setup allows the administrator to place any employee in the IT department, anywhere on the network, without worrying if the user will be able to connect and access the IT department's resources.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;In addition, if a user in any of the above departments, e.g. the Management department, decided to get smart and attempted to gain access to the IT department's network and resources by plugging his workstation into Port 1 of his department's switch, he wouldn't get far at first: his workstation is configured for the 192.168.1.0 network (VLAN 1), while Port 1 requires a 192.168.5.0 network address (VLAN 5). Logically, he would have to change his IP address to match the network he is trying to reach, in this case 192.168.5.0. Bear in mind that this is a trivial change for the user to make, so the port assignment on its own only protects against accidental connections; keeping a determined user out of VLAN 5 calls for additional controls on that port, such as port security or 802.1X authentication.&lt;/p&gt;
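&lt;p style=&quot;text-align: justify;&quot;&gt;To make the scenario concrete, here is an added Python model (not code from this site) of two of the six department switches above. It assumes the switches are trunked so that VLAN 5 is one broadcast domain across them, uses the page's 192.168.VLAN.0/24 addressing, and constructs the switch names, host names and host addresses. It shows that the switch only ever compares VLAN numbers, that the host's own subnet check is what stops the mis-addressed Management workstation, and that a simple audit of address-versus-VLAN catches the accidental case but not the user who re-addresses his machine.&lt;/p&gt;

```python
'''Static VLAN reachability model for the departmental network on this page
(added example, not firewall.cx code). Port-to-VLAN assignments follow the
page's diagram (P1 of each department switch in VLAN 5, 192.168.VLAN.0/24
per VLAN); switch names, host names and addresses are constructed, and the
switches are assumed to be trunked so that one VLAN number is one
broadcast domain network-wide.'''
import ipaddress

# expected addressing per VLAN, as used on the page
VLAN_SUBNET = {v: ipaddress.ip_network('192.168.%d.0/24' % v) for v in (1, 2, 3, 4, 5, 6)}


class StaticVlanNetwork:
    '''Several access switches whose ports are statically mapped to VLANs.'''

    def __init__(self, port_vlan):
        self.port_vlan = dict(port_vlan)  # {(switch, port): vlan}
        self.hosts = {}                   # {(switch, port): (hostname, ip_interface)}

    def plug_in(self, switch, port, hostname, ip_with_prefix):
        key = (switch, port)
        if key not in self.port_vlan:
            raise KeyError('no such port %s %s' % key)
        self.hosts[key] = (hostname, ipaddress.ip_interface(ip_with_prefix))

    def unplug(self, switch, port):
        self.hosts.pop((switch, port), None)

    def can_talk(self, a, b):
        '''Can the hosts at ports a and b exchange frames without a router?
        Returns (reachable, reason). The switch only looks at the VLAN; the
        subnet check is what the hosts themselves do before ARPing.'''
        va, vb = self.port_vlan[a], self.port_vlan[b]
        if va != vb:
            return False, 'VLAN %d and VLAN %d are separate layer-2 networks' % (va, vb)
        ia, ib = self.hosts[a][1], self.hosts[b][1]
        if ia.network != ib.network:
            return False, 'same VLAN but %s is not on-link for %s' % (ib.ip, ia.ip)
        return True, 'same VLAN %d and same subnet %s' % (va, ia.network)

    def audit(self):
        '''Ports whose host is addressed outside the VLAN's expected subnet:
        either a mis-plugged workstation or someone re-addressing to reach
        another department. Returns [(switch, port, hostname, ip, vlan)].'''
        findings = []
        for key, (hostname, iface) in sorted(self.hosts.items()):
            vlan = self.port_vlan[key]
            if iface.ip not in VLAN_SUBNET[vlan]:
                findings.append((key[0], key[1], hostname, str(iface.ip), vlan))
        return findings


def build_network():
    '''Two of the six department switches: P1 of each is in VLAN 5 for IT support.'''
    ports = {}
    for switch, vlan in (('MGMT-SW', 1), ('IT-SW', 5)):
        ports[(switch, 'P1')] = 5
        for p in ('P2', 'P3', 'P4'):
            ports[(switch, p)] = vlan
    return StaticVlanNetwork(ports)


def run_scenarios():
    '''The page's story: a Management user tries to reach IT resources.'''
    net = build_network()
    net.plug_in('IT-SW', 'P2', 'it-server', '192.168.5.1/24')
    net.plug_in('MGMT-SW', 'P1', 'it-support-pc', '192.168.5.10/24')
    net.plug_in('MGMT-SW', 'P2', 'mgmt-pc', '192.168.1.20/24')
    r = {}
    r['support_pc'] = net.can_talk(('MGMT-SW', 'P1'), ('IT-SW', 'P2'))[0]
    r['mgmt_own_port'] = net.can_talk(('MGMT-SW', 'P2'), ('IT-SW', 'P2'))[0]
    # the user moves his cable to P1 but keeps his Management address
    net.unplug('MGMT-SW', 'P1')
    net.plug_in('MGMT-SW', 'P1', 'mgmt-pc', '192.168.1.20/24')
    r['mgmt_on_p1_old_ip'] = net.can_talk(('MGMT-SW', 'P1'), ('IT-SW', 'P2'))[0]
    r['audit_before'] = net.audit()
    # ... then re-addresses into 192.168.5.0/24: the VLAN no longer stops him
    net.plug_in('MGMT-SW', 'P1', 'mgmt-pc', '192.168.5.20/24')
    r['mgmt_on_p1_new_ip'] = net.can_talk(('MGMT-SW', 'P1'), ('IT-SW', 'P2'))[0]
    r['audit_after'] = net.audit()
    return r


if __name__ == '__main__':
    for name, value in run_scenarios().items():
        print('%-18s %s' % (name, value))
```

&lt;p style=&quot;text-align: justify;&quot;&gt;The audit flags the workstation while it still carries its 192.168.1.20 address on a VLAN 5 port and goes quiet once the user has re-addressed it, which is exactly why address-based checks are no substitute for controlling who may use Port 1 in the first place.&lt;/p&gt;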
&lt;h2&gt;Summary&lt;/h2&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;To sum up, with Static VLANs we assign each individual switch port to a VLAN. The network addresses used on each VLAN are entirely up to us to decide. In our example, the switches do not care which network address is used for each VLAN, as they ignore this information completely unless routing is performed (this is covered on the InterVLAN routing page). As far as the switches are concerned, if two ports are assigned to the same VLAN, then those two ports are able to communicate with each other, just as they would on any normal layer 2 switch.&lt;/p&gt;
&lt;p style=&quot;text-align: right;&quot;&gt;Previous - &lt;a href=&quot;https://www.firewall.cx/networking/vlan-networks/vlan-comparison.html&quot; title=&quot;Comparing Old Flat Networks &amp;amp; VLAN Networks&quot;&gt;Comparing Old Flat Networks &amp;amp; VLAN Networks&lt;/a&gt;&amp;nbsp; Next - &lt;a href=&quot;https://www.firewall.cx/networking/vlan-networks/dynamic-vlans.html&quot; title=&quot;Dynamic VLANs&quot;&gt;Dynamic VLANs&lt;/a&gt;&lt;/p&gt;</content>
		<category term="VLAN Networks" />
	</entry>
	<entry>
		<title>Comparing Traditional Flat &amp; VLAN Networks</title>
		<link rel="alternate" type="text/html" href="https://www.firewall.cx/networking/vlan-networks/vlan-comparison.html"/>
		<published>2011-05-30T01:37:01+10:00</published>
		<updated>2011-05-30T01:37:01+10:00</updated>
		<id>https://www.firewall.cx/networking/vlan-networks/vlan-comparison.html</id>
		<author>
			<name>Administrator</name>
		</author>
		<summary type="html">&lt;p&gt;&lt;img src=&quot;https://www.firewall.cx/images/stories/vlan-comparison-intro.webp&quot; alt=&quot;Comparing flat and VLAN networks&quot; width=&quot;320&quot; height=&quot;200&quot; style=&quot;margin: 7px; float: left;&quot; title=&quot;Comparing flat and VLAN networks&quot; /&gt;Designing and building a network is not a simple job. VLANs are no exception to this rule; in fact, they require a more sophisticated approach because of the variety of protocols used to maintain and administer them.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;Our aim here is not to tell you how to set up your VLANs or what you should or shouldn't do; this will be covered later on. For now, we would like to show you different physical VLAN layouts to help you recognise the benefits offered when introducing this technology into your network, regardless of its size.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;The technology is available and we simply need to figure out how to use it and implement it using the best possible methods, in order to achieve outstanding performance and reliability.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;We understand that every network is unique as far as its resources and requirements are concerned, which is another reason why we will take a look at a few different VLAN implementations. However, we will not mention the method used to set them up - this is up to you to decide once you've read the following pages!&lt;/p&gt;
&lt;h2 style=&quot;text-align: justify;&quot;&gt;Designing your First VLAN&lt;/h2&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;Most common VLAN setups involve grouping departments together regardless of their physical placement throughout the network. This allows us to centralise the administration for these departments, while also limiting unwanted incidents of unauthorised access to resources of high importance.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;As always, we will be using neat examples and diagrams to help you get a visual on what we are talking about.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;Let's consider the following company: Packet Industries&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;Packet Industries is a large-scale company with over 40 workstations and 5 servers. The company deals with packet analysis and data recovery and has labs to recover data from different media that require special treatment due to their sensitivity. As with every other company, there are quite a few different departments dealing with different aspects of the business. These are:&lt;/p&gt;
&lt;ul style=&quot;text-align: justify;&quot;&gt;
&lt;li&gt;Management/HR Department&lt;/li&gt;
&lt;li&gt;Accounting Department&lt;/li&gt;
&lt;li&gt;Data Recovery &amp;amp; IT Department&lt;/li&gt;
&lt;/ul&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;These five departments, grouped as shown above, are spread across the 3 floors of the building in which the company is situated. Because the IT department takes the confidentiality of its own and its customers' data seriously, it has decided to redesign the network and also take a look at the VLAN solutions available, to see if they are worth the investment.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;We are going to present two different scenarios here: the first will not include VLANs, while the second will. Comparing the two solutions will help you see the clear advantages of VLANs and also provide an insight into how you can apply this wonderful technology to other similar networks you might be working with.&lt;/p&gt;
&lt;h2&gt;Solution 1 - Without VLANs&lt;/h2&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;The IT department decided that the best way to deal with the security issue would be to divide the existing network by partitioning it. Each department would reside in one broadcast domain, and access lists would be placed at each network's boundaries to ensure that access to and from them is limited according to the access policies.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;Since there are three departments, three new networks had to be created to accommodate the new design. The budget, as in most cases, had to be controlled so that it didn't exceed the amount granted by the Accounting Department.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;With all the above in mind, here's the proposal the IT department created:&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;&lt;img src=&quot;https://www.firewall.cx/images/stories/vlans-designing-intro-1.gif&quot; alt=&quot;vlans-designing-intro-1&quot; width=&quot;550&quot; height=&quot;486&quot; style=&quot;display: block; margin-left: auto; margin-right: auto;&quot; /&gt;&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;As you can see, each department has been assigned a specific network, and each level has a dedicated switch for every network available. This increases network security, since we have separate physical networks, and the solution also seems to be the most logical one. These switches are then grouped together via the network backbone which, in turn, connects to the network's main router.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;The router here undertakes the complex role of controlling access and routing between the networks and servers, using the access lists created by the IT Department. If needed, the router can also be configured to allow certain IPs to be routed between the three networks, should there be such a requirement.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;The above implementation is quite secure, as there are physical and logical restrictions placed at every level. However, it is somewhat restrictive as far as expanding and administering the network is concerned, since there is no point of central control. Lastly, if you even consider adding full redundancy to the above, essentially doubling the amount of equipment required, the cost would clearly be unreasonable.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;So let's now take a look at the second way we could implement the above, without blowing the budget, without compromising our required security level and also at the same time create a flexible and easily expandable network backbone.&lt;/p&gt;
&lt;h2&gt;Solution 2 - With VLANs&lt;/h2&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;The solution we are about to present here is surely the most preferred and economical. The reasons should be fairly straightforward: we get the same result as the previous solution at almost half the cost and, as a bonus, we get the flexibility and expandability we need for the future growth of our network, which was very limited in our previous example.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;By putting the VLAN concept we covered on the previous page into action, you should be able to visualise the new setup:&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;&lt;img src=&quot;https://www.firewall.cx/images/stories/vlans-designing-intro-2.gif&quot; alt=&quot;vlans-designing-intro-2&quot; width=&quot;550&quot; height=&quot;486&quot; style=&quot;display: block; margin-left: auto; margin-right: auto;&quot; /&gt;&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;As you can see, the result in this example is a lot neater, and the most apparent change is the presence of a single switch per level, connecting directly to the network backbone. These switches are of course VLAN capable, and have been configured to support the three separate logical networks. The router from the previous solution has been replaced by what we call a 'layer 3 switch'.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;This type of switch is very intelligent and understands layer 3 (IP layer) traffic. With such a switch, you are able to apply access lists to restrict access between the networks, just as you normally would on a router, but more importantly, route packets from one logical network to another! In simple terms, a layer 3 switch is a combination of a powerful switch with a built-in router :)&lt;/p&gt;
&lt;h2&gt;Summary&lt;/h2&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;If the above example was interesting and provided an insight into the field of VLANs, we can assure you - you haven't seen anything yet. When unleashing the power of VLANs, there are amazing solutions for almost any problem or need your network may have.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;It's now time to start looking at VLAN technology in a bit more detail, that is, how it's configured, the positive and negative aspects of each type of VLAN configuration, and much more.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;The next page analyses Static VLANs which are perhaps the most popular implementation of VLANs around the world. Take a quick break for some fresh air if needed, otherwise, gear up and let's move!&lt;/p&gt;
&lt;p style=&quot;text-align: right;&quot;&gt;Next - &lt;a href=&quot;https://www.firewall.cx/networking/vlan-networks/static-vlans.html&quot;&gt;Static VLANs&lt;/a&gt;&lt;/p&gt;</summary>
		<content type="html">&lt;p&gt;&lt;img src=&quot;https://www.firewall.cx/images/stories/vlan-comparison-intro.webp&quot; alt=&quot;Comparing flat and VLAN networks&quot; width=&quot;320&quot; height=&quot;200&quot; style=&quot;margin: 7px; float: left;&quot; title=&quot;Comparing flat and VLAN networks&quot; /&gt;Designing and building a network is not a simple job. VLANs are no exception to this rule; in fact, they require a more sophisticated approach because of the variety of protocols used to maintain and administer them.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;Our aim here is not to tell you how to set up your VLANs or what you should or shouldn't do; this will be covered later on. For now, we would like to show you different physical VLAN layouts to help you recognise the benefits offered when introducing this technology into your network, regardless of its size.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;The technology is available and we simply need to figure out how to use it and implement it using the best possible methods, in order to achieve outstanding performance and reliability.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;We understand that every network is unique as far as its resources and requirements are concerned, which is another reason why we will take a look at a few different VLAN implementations. However, we will not mention the method used to set them up - this is up to you to decide once you've read the following pages!&lt;/p&gt;
&lt;h2 style=&quot;text-align: justify;&quot;&gt;Designing your First VLAN&lt;/h2&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;Most common VLAN setups involve grouping departments together regardless of their physical placement throughout the network. This allows us to centralise the administration for these departments, while also limiting unwanted incidents of unauthorised access to resources of high importance.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;As always, we will be using neat examples and diagrams to help you get a visual on what we are talking about.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;Let's consider the following company: Packet Industries&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;Packet Industries is a large-scale company with over 40 workstations and 5 servers. The company deals with packet analysis and data recovery and has labs to recover data from different media that require special treatment due to their sensitivity. As with every other company, there are quite a few different departments dealing with different aspects of the business. These are:&lt;/p&gt;
&lt;ul style=&quot;text-align: justify;&quot;&gt;
&lt;li&gt;Management/HR Department&lt;/li&gt;
&lt;li&gt;Accounting Department&lt;/li&gt;
&lt;li&gt;Data Recovery &amp;amp; IT Department&lt;/li&gt;
&lt;/ul&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;These five departments, grouped as shown above, are spread across the 3 floors of the building in which the company is situated. Because the IT department takes the confidentiality of its own and its customers' data seriously, it has decided to redesign the network and also take a look at the VLAN solutions available, to see if they are worth the investment.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;We are going to present two different scenarios here: the first will not include VLANs, while the second will. Comparing the two solutions will help you see the clear advantages of VLANs and also provide an insight into how you can apply this wonderful technology to other similar networks you might be working with.&lt;/p&gt;
&lt;h2&gt;Solution 1 - Without VLANs&lt;/h2&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;The IT department decided that the best way to deal with the security issue would be to divide the existing network by partitioning it. Each department would reside in one broadcast domain, and access lists would be placed at each network's boundaries to ensure that access to and from them is limited according to the access policies.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;Since there are three departments, three new networks had to be created to accommodate the new design. The budget, as in most cases, had to be controlled so that it didn't exceed the amount granted by the Accounting Department.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;With all the above in mind, here's the proposal the IT department created:&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;&lt;img src=&quot;https://www.firewall.cx/images/stories/vlans-designing-intro-1.gif&quot; alt=&quot;vlans-designing-intro-1&quot; width=&quot;550&quot; height=&quot;486&quot; style=&quot;display: block; margin-left: auto; margin-right: auto;&quot; /&gt;&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;As you can see, each department has been assigned a specific network, and each level has a dedicated switch for every network available. This increases network security, since we have separate physical networks, and the solution also seems to be the most logical one. These switches are then grouped together via the network backbone which, in turn, connects to the network's main router.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;The router here undertakes the complex role of controlling access and routing between the networks and servers, using the access lists created by the IT Department. If needed, the router can also be configured to allow certain IPs to be routed between the three networks, should there be such a requirement.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;The above implementation is quite secure, as there are physical and logical restrictions placed at every level. However, it is somewhat restrictive as far as expanding and administering the network is concerned, since there is no point of central control. Lastly, if you even consider adding full redundancy to the above, essentially doubling the amount of equipment required, the cost would clearly be unreasonable.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;So let's now take a look at the second way we could implement the above, without blowing the budget, without compromising our required security level and also at the same time create a flexible and easily expandable network backbone.&lt;/p&gt;
&lt;h2&gt;Solution 2 - With VLANs&lt;/h2&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;The solution we are about to present here is surely the most preferred and economical. The reasons should be fairly straightforward: we get the same result as the previous solution at almost half the cost and, as a bonus, we get the flexibility and expandability we need for the future growth of our network, which was very limited in our previous example.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;By putting the VLAN concept we covered on the previous page into action, you should be able to visualise the new setup:&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;&lt;img src=&quot;https://www.firewall.cx/images/stories/vlans-designing-intro-2.gif&quot; alt=&quot;vlans-designing-intro-2&quot; width=&quot;550&quot; height=&quot;486&quot; style=&quot;display: block; margin-left: auto; margin-right: auto;&quot; /&gt;&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;As you can see, the result in this example is a lot neater, and the most apparent change is the presence of a single switch per level, connecting directly to the network backbone. These switches are of course VLAN capable, and have been configured to support the three separate logical networks. The router from the previous solution has been replaced by what we call a 'layer 3 switch'.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;This type of switch is very intelligent and understands layer 3 (IP layer) traffic. With such a switch, you are able to apply access lists to restrict access between the networks, just as you normally would on a router, but more importantly, route packets from one logical network to another! In simple terms, a layer 3 switch is a combination of a powerful switch with a built-in router :)&lt;/p&gt;
&lt;h2&gt;Summary&lt;/h2&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;If the above example was interesting and provided an insight into the field of VLANs, we can assure you - you haven't seen anything yet. When unleashing the power of VLANs, there are amazing solutions for almost any problem or need your network may have.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;It's now time to start looking at VLAN technology in a bit more detail, that is, how it's configured, the positive and negative aspects of each type of VLAN configuration, and much more.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;The next page analyses Static VLANs which are perhaps the most popular implementation of VLANs around the world. Take a quick break for some fresh air if needed, otherwise, gear up and let's move!&lt;/p&gt;
&lt;p style=&quot;text-align: right;&quot;&gt;Next - &lt;a href=&quot;https://www.firewall.cx/networking/vlan-networks/static-vlans.html&quot;&gt;Static VLANs&lt;/a&gt;&lt;/p&gt;</content>
		<category term="VLAN Networks" />
	</entry>
	<entry>
		<title>The VLAN Concept - Introduction to VLANs</title>
		<link rel="alternate" type="text/html" href="https://www.firewall.cx/networking/vlan-networks/vlan-concept.html"/>
		<published>2011-05-30T01:20:45+10:00</published>
		<updated>2011-05-30T01:20:45+10:00</updated>
		<id>https://www.firewall.cx/networking/vlan-networks/vlan-concept.html</id>
		<author>
			<name>Administrator</name>
		</author>
		<summary type="html">&lt;p&gt;&lt;img src=&quot;https://www.firewall.cx/images/stories/vlans-concept-intro.webp&quot; alt=&quot;vlans concept intro&quot; style=&quot;margin: 7px; float: left;&quot; title=&quot;vlans concept intro&quot; /&gt;We hear about them everywhere: vendors around the world are constantly trying to push them into every type of network and, as a result, the Local Area Network (LAN) we once knew is starting to take a different shape. And yet, for some of us, the concept of what VLANs are and how they work might still be a bit blurry.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;To help start clearing things up we will define the VLAN concept not only through words, but through the use of our cool diagrams and at the same time, compare VLANs to our standard flat switched network.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;We will start by taking a quick look at a normal switched network, pointing out its main characteristics, and then move on to VLANs.&lt;/p&gt;
&lt;h2&gt;The Traditional Switched Network&lt;/h2&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;Almost every network today has a switch interconnecting all network nodes, providing a fast and reliable way for the nodes to communicate. Switches today are what hubs were a while back - the most common and necessary equipment in our network, and there is certainly no doubt about that.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;While switches might be adequate for most types of networks, they prove inadequate for mid to large-sized networks, where things are not as simple as plugging a switch into the power outlet and hanging a few PCs off it!&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;For those of you who have already read our &quot;switches and bridges&quot; section, you will be well aware that switches are layer 2 devices which create a flat network:&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;&lt;img src=&quot;https://www.firewall.cx/images/stories/vlans-concept-1.gif&quot; alt=&quot;vlans-concept-1&quot; width=&quot;419&quot; height=&quot;272&quot; style=&quot;display: block; margin-left: auto; margin-right: auto;&quot; /&gt;&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;The above network diagram illustrates a switch with 3 workstations connected. These workstations are able to communicate with each other and are part of the same broadcast domain, meaning that if one workstation were to send a broadcast, the rest will receive it.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;In a small network, multiple broadcasts might not be too much of a problem, but as the size of the network increases, so will the broadcasts, up to the point where they start to become a big problem, flooding the network with garbage (most of the time!) and consuming valuable bandwidth.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;To visually understand the problem, but also the idea of a large flat network, observe the diagram below:&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;&lt;img src=&quot;https://www.firewall.cx/images/stories/vlans-concept-2.gif&quot; alt=&quot;vlans-concept-2&quot; width=&quot;482&quot; height=&quot;215&quot; style=&quot;display: block; margin-left: auto; margin-right: auto;&quot; /&gt;&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;The problem here becomes evident as we populate the network with more switches and workstations. Since most workstations tend to be loaded with the Windows operating system, this will result in unavoidable broadcasts being sent occasionally on the network wire - something we certainly want to avoid.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;Another major concern is security. In the above network, all users are able to see all devices. In a much larger network containing critical file servers, databases and other confidential information, this would mean that everyone would have network access to these servers and naturally, they would be more susceptible to an attack.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;To effectively protect such systems from your network, you would need to restrict access at the network level by segmenting the existing network, or simply place a firewall in front of each critical system, but the cost and complexity will surely make most administrators think twice about it. Thankfully there is a solution - simply keep reading.&lt;/p&gt;
&lt;h2&gt;Introducing VLANs&lt;/h2&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;Welcome to the wonderful world of VLANs!&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;All the above problems, and a lot more, can be forgotten with the creation of VLANs...well, to some extent at least.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;As most of you are already aware, in order to create (and work with) VLANs, you need a layer 2 switch that supports them. A lot of people new to the networking field have the misconception that it's a matter of simply installing additional software on the clients or switch in order to &quot;enable&quot; VLANs throughout the network - this is totally incorrect!&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;Because VLANs involve millions of mathematical calculations, they require special hardware which is built into the switch and your switch must therefore support VLANs at the time of purchase, otherwise you will not be able to create VLANs on it!&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;Each VLAN created on a switch is a separate network. This means that a separate broadcast domain is created for each VLAN that exists. Network broadcasts are, by default, filtered from all ports on a switch that are not members of the same VLAN, and this is why VLANs are very common in today's large networks, as they help isolate network segments from each other.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;To help create the visual picture on how VLANs differentiate from switches, consider the following diagram:&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;&lt;img src=&quot;https://www.firewall.cx/images/stories/vlans-concept-3.gif&quot; alt=&quot;vlans-concept-3&quot; width=&quot;509&quot; height=&quot;267&quot; style=&quot;display: block; margin-left: auto; margin-right: auto;&quot; /&gt;&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;What we have here is a small network with 6 workstations attached to a VLAN-capable switch. The switch has been programmed with 2 VLANs, VLAN1 and VLAN2 respectively, and 3 workstations have been assigned to each VLAN.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;&lt;strong&gt;VLAN Configuration&lt;/strong&gt; for Cisco Layer 3 switches is covered at the following article: &lt;a href=&quot;https://www.firewall.cx/cisco/cisco-switches/cisco-switches-basic-advanced-configuration.html&quot; target=&quot;_blank&quot; title=&quot;Basic &amp;amp; Advanced Catalyst Layer 3 Switch Configuration: Creating VLANs, InterVLAN Routing (SVI), VLAN Security – VLAN Hopping, VTP Configuration, Trunk Links, NTP. IOS License Requirements for SVI Routing.&quot;&gt;Basic &amp;amp; Advanced Catalyst Layer 3 Switch Configuration: Creating VLANs, InterVLAN Routing (SVI), VLAN Security – VLAN Hopping, VTP Configuration, Trunk Links, NTP. IOS License Requirements for SVI Routing.&lt;/a&gt;&lt;/p&gt;
&lt;h2&gt;VLANs = Separate Broadcast Domains&lt;/h2&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;With the creation of our VLANs, we have also created 2 broadcast domains. This means that if any workstation in either VLAN sends a broadcast, it will propagate only out of the ports which belong to the same VLAN as the workstation that generated the broadcast:&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;&lt;img src=&quot;https://www.firewall.cx/images/stories/vlans-concept-4.gif&quot; alt=&quot;vlans-concept-4&quot; width=&quot;509&quot; height=&quot;275&quot; style=&quot;display: block; margin-left: auto; margin-right: auto;&quot; /&gt;&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot; align=&quot;left&quot;&gt;This is clearly illustrated in the diagram above where Workstation 1, belonging to VLAN1, sends a network broadcast (FF:FF:FF:FF:FF:FF). The switch receives this broadcast and forwards it to Workstation 2 and 3, just as it would happen if these three workstations were connected to a normal switch, while the workstations belonging to VLAN2 are totally unaware of the broadcast sent in VLAN1 as they do not receive any packets flowing in that network.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot; align=&quot;left&quot;&gt;To help clear any questions or doubts on how the above setup works, the diagram below shows the logical equivalent setup of our example network:&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;&lt;img src=&quot;https://www.firewall.cx/images/stories/vlans-concept-5.gif&quot; alt=&quot;vlans-concept-5&quot; width=&quot;482&quot; height=&quot;215&quot; style=&quot;display: block; margin-left: auto; margin-right: auto;&quot; /&gt;&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;By this stage, you should begin to see the clear advantages offered by the use of VLANs within your network. Security improves, while cost and network traffic are reduced, as more hosts are added to the network and the number of VLANs increases.&lt;/p&gt;
&lt;h2&gt;VLANs Help Reduce Networking Costs&lt;/h2&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;To briefly touch upon the financial side of things, let's take an example to see exactly how we are saving money by using VLANs.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;Consider that you're the network administrator for a large company and you have been asked to split the existing network infrastructure into 12 separate networks, without allowing these new networks to communicate with each other. Since the cabling is already in place, we simply need to group the ports of each network we create onto one physical switch, and for the 12 networks a total of 12 switches will be required.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;By using VLANs, the above task would be possible with one or more VLAN-capable switches providing enough ports for the hosts we need to connect, and the cost would surely be a lot less than that of 12 switches.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;During the implementation of the above task, you would connect all workstations to the switch and then assign the appropriate workstations/nodes to their respectful VLAN, creating a total of 12 VLANs. It is worth noting here that most entry level VLAN switches e.g Cisco 2900 series, are capable of handling up to 64 VLANs, so if we were to use these switches, we would still have plently of room to create more.&lt;/p&gt;
&lt;table border=&quot;1&quot; style=&quot;width: 595px; height: 160px;&quot; align=&quot;center&quot;&gt;
&lt;tbody&gt;
&lt;tr&gt;&lt;th scope=&quot;col&quot; style=&quot;width: 321px;&quot; bgcolor=&quot;#003300&quot;&gt;&lt;span style=&quot;color: #ffffff;&quot;&gt;Switch Model&lt;/span&gt;&lt;/th&gt;&lt;th scope=&quot;col&quot; style=&quot;width: 113px;&quot; bgcolor=&quot;#660000&quot;&gt;&lt;span style=&quot;color: #ffffff;&quot;&gt;Maximum VLANs Supported&lt;/span&gt;&lt;/th&gt;&lt;th scope=&quot;col&quot; style=&quot;width: 139px;&quot; bgcolor=&quot;#000033&quot;&gt;&lt;span style=&quot;color: #ffffff;&quot;&gt;VLAN Trunking Supported&lt;/span&gt;&lt;/th&gt;&lt;/tr&gt;
&lt;tr&gt;
&lt;td scope=&quot;row&quot;&gt;Catalyst 2912 XL, Catalyst 2924 XL &amp;amp;&lt;br /&gt;Catalyst 2924C XL&lt;/td&gt;
&lt;td&gt;
&lt;div align=&quot;center&quot;&gt;64&lt;/div&gt;
&lt;/td&gt;
&lt;td&gt;
&lt;div align=&quot;center&quot;&gt;yes&lt;/div&gt;
&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td scope=&quot;row&quot;&gt;Catalyst 2900 LRE XL&lt;/td&gt;
&lt;td&gt;
&lt;div align=&quot;center&quot;&gt;250&lt;/div&gt;
&lt;/td&gt;
&lt;td&gt;
&lt;div align=&quot;center&quot;&gt;yes&lt;/div&gt;
&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td scope=&quot;row&quot;&gt;Catalyst 2912M and Catalyst 2924M modular&lt;/td&gt;
&lt;td&gt;
&lt;div align=&quot;center&quot;&gt;250&lt;/div&gt;
&lt;/td&gt;
&lt;td&gt;
&lt;div align=&quot;center&quot;&gt;yes&lt;/div&gt;
&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td scope=&quot;row&quot;&gt;Catalyst 3500 XL, 3550, 3560, 3750, 4500, 6500&lt;/td&gt;
&lt;td&gt;
&lt;div align=&quot;center&quot;&gt;250&lt;/div&gt;
&lt;/td&gt;
&lt;td&gt;
&lt;div align=&quot;center&quot;&gt;yes&lt;/div&gt;
&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;There are a lot more examples one can use to show how these new generation switches are able to solve complex network designs, security issues and at the same time, keep the budget low. Lastly, the best example is one that is able to solve your own requirements, so take a minute to think about it and you will surely agree.&lt;/p&gt;
&lt;h2&gt;Summary&lt;/h2&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;This page introduced the concept of VLANs and indicated the differences existing between them and normal switched networks. We also briefly examined their efficiency in terms of cost, security and implementation.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;The information here serves as an introduction to VLAN technology, and we will now start diving deeper into the topic, analysing it in greater detail. Having said that, our next page deals with the design of VLANs, showing different logical and physical configurations of VLANs within networks. So, make yourself comfortable and let's continue, because there is still so much to cover!&lt;/p&gt;
&lt;p style=&quot;text-align: right;&quot;&gt;Next - &lt;a href=&quot;https://www.firewall.cx/networking/vlan-networks/vlan-access-trunk-links.html&quot; title=&quot;VLANs - Access &amp;amp; Trunk Links&quot;&gt;VLANs - Access &amp;amp; Trunk Links&lt;/a&gt; or Back to &lt;a href=&quot;https://www.firewall.cx/networking-topics/vlan-networks.html&quot; title=&quot;Back to VLAN Network section&quot;&gt;VLAN Networks&lt;/a&gt; Section&lt;/p&gt;</summary>
		<content type="html">&lt;p&gt;&lt;img src=&quot;https://www.firewall.cx//images/vlans-concept-intro.webp&quot; alt=&quot;Introduction to VLAN Networks&quot;&gt;&lt;/p&gt;&lt;p&gt;&lt;img src=&quot;https://www.firewall.cx/images/stories/vlans-concept-intro.webp&quot; alt=&quot;vlans concept intro&quot; style=&quot;margin: 7px; float: left;&quot; title=&quot;vlans concept intro&quot; /&gt;We hear about them everywhere: vendors around the world are constantly trying to push them into every type of network, and as a result, the Local Area Network (LAN) we once knew starts to take a different shape. And yet, for some of us, the concept of what VLANs are and how they work might still be a bit blurry.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;To help start clearing things up, we will define the VLAN concept not only through words but through the use of our cool diagrams, and at the same time compare VLANs to our standard flat switched network.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;We will start by taking a quick look at a normal switched network, pointing out its main characteristics, and then move on to VLANs.&lt;/p&gt;
&lt;h2&gt;The Traditional Switched Network&lt;/h2&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;Almost every network today has a switch interconnecting all network nodes, providing a fast and reliable way for the nodes to communicate. Switches today are what hubs were a while back - the most common and necessary equipment in our network, and there is certainly no doubt about that.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;While switches might be adequate for most types of networks, they prove inadequate for mid to large sized networks, where things are not as simple as plugging a switch into the power outlet and hanging a few PCs off it!&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;For those of you who have already read our &quot;switches and bridges&quot; section, you will be well aware that switches are layer 2 devices which create a flat network:&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;&lt;img src=&quot;https://www.firewall.cx/images/stories/vlans-concept-1.gif&quot; alt=&quot;vlans-concept-1&quot; width=&quot;419&quot; height=&quot;272&quot; style=&quot;display: block; margin-left: auto; margin-right: auto;&quot; /&gt;&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;The above network diagram illustrates a switch with 3 workstations connected. These workstations are able to communicate with each other and are part of the same broadcast domain, meaning that if one workstation were to send a broadcast, the rest will receive it.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;In a small network multiple broadcasts might not be too much of a problem, but as the size of the network increases, so will the broadcasts, up to the point where they start to become a big problem, flooding the network with garbage (most of the time!) and consuming valuable bandwidth.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;To visually understand the problem, but also the idea of a large flat network, observe the diagram below:&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;&lt;img src=&quot;https://www.firewall.cx/images/stories/vlans-concept-2.gif&quot; alt=&quot;vlans-concept-2&quot; width=&quot;482&quot; height=&quot;215&quot; style=&quot;display: block; margin-left: auto; margin-right: auto;&quot; /&gt;&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;The problem here starts to become evident as we populate the network with more switches and workstations. Since most workstations tend to be loaded with the Windows operating system, this will result in unavoidable broadcasts being sent occasionally on the network wire - something we certainly want to avoid.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;Another major concern is security. In the above network, all users are able to see all devices. In a much larger network containing critical file servers, databases and other confidential information, this would mean that everyone would have network access to these servers, and naturally, they would be more susceptible to an attack.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;To effectively protect such systems on your network, you would need to restrict access at the network level by segmenting the existing network or simply placing a firewall in front of each critical system, but the cost and complexity will surely make most administrators think twice about it. Thankfully there is a solution... simply keep reading.&lt;/p&gt;
&lt;h2&gt;Introducing VLANs&lt;/h2&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;Welcome to the wonderful world of VLANs!&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;All the above problems, and a lot more, can be forgotten with the creation of VLANs...well, to some extent at least.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;As most of you are already aware, in order to create (and work with) VLANs, you need a layer 2 switch that supports them. A lot of people new to the networking field hold the misconception that it's a matter of simply installing additional software on the clients or switch in order to &quot;enable&quot; VLANs throughout the network - this is totally incorrect!&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;Because VLANs involve millions of mathematical calculations, they require special hardware which is built into the switch and your switch must therefore support VLANs at the time of purchase, otherwise you will not be able to create VLANs on it!&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;Each VLAN created on a switch is a separate network. This means that a separate broadcast domain is created for each VLAN that exists. Network broadcasts, by default, are filtered from all ports on a switch that are not members of the same VLAN, and this is why VLANs are very common in today's large networks, as they help isolate network segments from each other.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;To help create a visual picture of how VLANs differ from plain switches, consider the following diagram:&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;&lt;img src=&quot;https://www.firewall.cx/images/stories/vlans-concept-3.gif&quot; alt=&quot;vlans-concept-3&quot; width=&quot;509&quot; height=&quot;267&quot; style=&quot;display: block; margin-left: auto; margin-right: auto;&quot; /&gt;&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;What we have here is a small network with 6 workstations attached to a VLAN capable switch. The switch has been programmed with 2 VLANs, VLAN1 and VLAN2 respectively, and 3 workstations have been assigned to each VLAN.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;&lt;strong&gt;VLAN Configuration&lt;/strong&gt; for Cisco Layer 3 switches is covered in the following article: &lt;a href=&quot;https://www.firewall.cx/cisco/cisco-switches/cisco-switches-basic-advanced-configuration.html&quot; target=&quot;_blank&quot; title=&quot;Basic &amp;amp; Advanced Catalyst Layer 3 Switch Configuration: Creating VLANs, InterVLAN Routing (SVI), VLAN Security – VLAN Hopping, VTP Configuration, Trunk Links, NTP. IOS License Requirements for SVI Routing.&quot;&gt;Basic &amp;amp; Advanced Catalyst Layer 3 Switch Configuration: Creating VLANs, InterVLAN Routing (SVI), VLAN Security – VLAN Hopping, VTP Configuration, Trunk Links, NTP. IOS License Requirements for SVI Routing.&lt;/a&gt;&lt;/p&gt;
&lt;h2&gt;VLANs = Separate Broadcast Domains&lt;/h2&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;With the creation of our VLANs, we have also created 2 broadcast domains. This means that if any workstation in either VLAN sends a broadcast, it will propagate out only the ports which belong to the same VLAN as the workstation that generated the broadcast:&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;&lt;img src=&quot;https://www.firewall.cx/images/stories/vlans-concept-4.gif&quot; alt=&quot;vlans-concept-4&quot; width=&quot;509&quot; height=&quot;275&quot; style=&quot;display: block; margin-left: auto; margin-right: auto;&quot; /&gt;&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot; align=&quot;left&quot;&gt;This is clearly illustrated in the diagram above, where Workstation 1, belonging to VLAN1, sends a network broadcast (FF:FF:FF:FF:FF:FF). The switch receives this broadcast and forwards it to Workstations 2 and 3, just as would happen if these three workstations were connected to a normal switch, while the workstations belonging to VLAN2 are totally unaware of the broadcast sent in VLAN1, as they do not receive any packets flowing in that network.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot; align=&quot;left&quot;&gt;To help clear any questions or doubts on how the above setup works, the diagram below shows the logical equivalent setup of our example network:&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;&lt;img src=&quot;https://www.firewall.cx/images/stories/vlans-concept-5.gif&quot; alt=&quot;vlans-concept-5&quot; width=&quot;482&quot; height=&quot;215&quot; style=&quot;display: block; margin-left: auto; margin-right: auto;&quot; /&gt;&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;By this stage, you should begin seeing the clear advantages offered by the use of VLANs within your network. Security improves, while cost and network traffic are reduced, as more hosts are added to the network and the number of VLANs is increased.&lt;/p&gt;
&lt;h2&gt;VLANs Help Reduce Networking Costs&lt;/h2&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;To briefly touch upon the financial side of things, let's take an example to see exactly how we are saving money by using VLANs.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;Consider you're the network administrator for a large company and you have been asked to split the existing network infrastructure into 12 separate networks, without allowing these new networks to communicate with each other. Since the cabling is already in place, we need to simply group the ports of each network we create onto one physical switch, and for the 12 networks, a total of 12 switches will be required.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;By using VLANs, the above task would be possible with one or more VLAN capable switches that cover the number of hosts we need to connect to them, and the cost would surely be a lot less than that of 12 switches.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;During the implementation of the above task, you would connect all workstations to the switch and then assign the appropriate workstations/nodes to their respective VLAN, creating a total of 12 VLANs. It is worth noting here that most entry level VLAN switches, e.g. the Cisco 2900 series, are capable of handling up to 64 VLANs, so if we were to use these switches, we would still have plenty of room to create more.&lt;/p&gt;
&lt;table border=&quot;1&quot; style=&quot;width: 595px; height: 160px;&quot; align=&quot;center&quot;&gt;
&lt;tbody&gt;
&lt;tr&gt;&lt;th scope=&quot;col&quot; style=&quot;width: 321px;&quot; bgcolor=&quot;#003300&quot;&gt;&lt;span style=&quot;color: #ffffff;&quot;&gt;Switch Model&lt;/span&gt;&lt;/th&gt;&lt;th scope=&quot;col&quot; style=&quot;width: 113px;&quot; bgcolor=&quot;#660000&quot;&gt;&lt;span style=&quot;color: #ffffff;&quot;&gt;Maximum VLANs Supported&lt;/span&gt;&lt;/th&gt;&lt;th scope=&quot;col&quot; style=&quot;width: 139px;&quot; bgcolor=&quot;#000033&quot;&gt;&lt;span style=&quot;color: #ffffff;&quot;&gt;VLAN Trunking Supported&lt;/span&gt;&lt;/th&gt;&lt;/tr&gt;
&lt;tr&gt;
&lt;td scope=&quot;row&quot;&gt;Catalyst 2912 XL, Catalyst 2924 XL &amp;amp;&lt;br /&gt;Catalyst 2924C XL&lt;/td&gt;
&lt;td&gt;
&lt;div align=&quot;center&quot;&gt;64&lt;/div&gt;
&lt;/td&gt;
&lt;td&gt;
&lt;div align=&quot;center&quot;&gt;yes&lt;/div&gt;
&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td scope=&quot;row&quot;&gt;Catalyst 2900 LRE XL&lt;/td&gt;
&lt;td&gt;
&lt;div align=&quot;center&quot;&gt;250&lt;/div&gt;
&lt;/td&gt;
&lt;td&gt;
&lt;div align=&quot;center&quot;&gt;yes&lt;/div&gt;
&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td scope=&quot;row&quot;&gt;Catalyst 2912M and Catalyst 2924M modular&lt;/td&gt;
&lt;td&gt;
&lt;div align=&quot;center&quot;&gt;250&lt;/div&gt;
&lt;/td&gt;
&lt;td&gt;
&lt;div align=&quot;center&quot;&gt;yes&lt;/div&gt;
&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td scope=&quot;row&quot;&gt;Catalyst 3500 XL, 3550, 3560, 3750, 4500, 6500&lt;/td&gt;
&lt;td&gt;
&lt;div align=&quot;center&quot;&gt;250&lt;/div&gt;
&lt;/td&gt;
&lt;td&gt;
&lt;div align=&quot;center&quot;&gt;yes&lt;/div&gt;
&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;There are a lot more examples one can use to show how these new generation switches are able to solve complex network designs, security issues and at the same time, keep the budget low. Lastly, the best example is one that is able to solve your own requirements, so take a minute to think about it and you will surely agree.&lt;/p&gt;
&lt;h2&gt;Summary&lt;/h2&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;This page introduced the concept of VLANs and indicated the differences existing between them and normal switched networks. We also briefly examined their efficiency in terms of cost, security and implementation.&lt;/p&gt;
&lt;p style=&quot;text-align: justify;&quot;&gt;The information here serves as an introduction to VLAN technology, and we will now start diving deeper into the topic, analysing it in greater detail. Having said that, our next page deals with the design of VLANs, showing different logical and physical configurations of VLANs within networks. So, make yourself comfortable and let's continue, because there is still so much to cover!&lt;/p&gt;
&lt;p style=&quot;text-align: right;&quot;&gt;Next - &lt;a href=&quot;https://www.firewall.cx/networking/vlan-networks/vlan-access-trunk-links.html&quot; title=&quot;VLANs - Access &amp;amp; Trunk Links&quot;&gt;VLANs - Access &amp;amp; Trunk Links&lt;/a&gt; or Back to &lt;a href=&quot;https://www.firewall.cx/networking-topics/vlan-networks.html&quot; title=&quot;Back to VLAN Network section&quot;&gt;VLAN Networks&lt;/a&gt; Section&lt;/p&gt;</content>
		<category term="VLAN Networks" />
	</entry>
</feed>
