A VLAN is a logical grouping of layer 2 devices that share the same broadcast domain. A VLAN can span multiple physical locations. In this tutorial we explain the basic concepts of VLANs: what a VLAN is, the advantages of VLANs, VLAN membership (static and dynamic), VLAN connections and trunk tagging, with examples.
This tutorial is the first part of our article "VLAN, VTP, DTP, STP and Router on Stick Explained with Examples". You can read the other parts of this article here:
VLAN Practice LAB Setup on Packet Tracer
This is the second part of this article. In this part we will set up a practice lab in Packet Tracer. You can create the practice lab by following the instructions or, alternatively, download the pre-created lab. This lab will be used to demonstrate the configuration part of VLAN, VTP, DTP, STP and router on a stick.
Configure VTP Server and Client in Switch
This is the third part of this article. In this part we will explain VTP modes with examples, including VTP Server mode, VTP Client mode and VTP Transparent mode. Later we will configure the VTP server and clients in our practice lab.
VLAN Tagging Explained with DTP Protocol
This is the fourth part of this article. In this part we will explain access links, trunk links, the VLAN tagging process, the VLAN tagging protocols ISL and 802.1Q, Dynamic Trunking Protocol and DTP modes with examples. After that we will configure trunking in our practice lab.
VLAN Configuration Commands Step by Step Explained
This is the last part of this article. In this part we will provide a step-by-step guide to configuring VLANs. We will also configure intra-VLAN communication with a router-on-a-stick example. At the end of this article we will provide a summary of all the commands used in this tutorial to configure VLAN, VTP and DTP.
What is VLAN
A VLAN is a logical grouping of networking devices. When we create a VLAN, we break a large broadcast domain into smaller broadcast domains. Think of a VLAN as a subnet: just as two different subnets cannot communicate with each other without a router, different VLANs also require a router to communicate.
Advantages of VLAN
VLANs provide the following advantages:
- Solve the broadcast problem
- Reduce the size of broadcast domains
- Allow us to add an additional layer of security
- Make device management easier
- Allow us to implement logical grouping of devices by function instead of location
Solve the broadcast problem
When we connect devices to switch ports, the switch creates a separate collision domain for each port and a single broadcast domain for all ports. The switch forwards a broadcast frame out of all possible ports. In a large network with hundreds of computers, this can create performance issues. Of course we could use routers to solve the broadcast problem, but that would be a costly solution, since each broadcast domain requires its own port on the router. Switches have their own solution to the broadcast issue, known as VLANs. In practical environments we use VLANs, rather than routers, to solve the broadcast issue.
Each VLAN is a separate broadcast domain. Logically, VLANs are also subnets. Each VLAN requires a unique network number known as the VLAN ID. Devices with the same VLAN ID are members of the same broadcast domain and receive all of its broadcasts. These broadcasts are filtered from all ports on a switch that are not members of the same VLAN.
Reduce the size of broadcast domains
VLANs increase the number of broadcast domains while reducing their size. For example, suppose we have a network of 100 devices. Without any VLAN implementation we have a single broadcast domain containing 100 devices. If we create 2 VLANs and assign 50 devices to each, we have two broadcast domains with fifty devices in each. Thus more VLANs means more broadcast domains with fewer devices in each.
Allow us to add an additional layer of security
VLANs enhance network security. In a typical layer 2 network, all users can see all devices by default. Any user can see network broadcasts and respond to them. Users can access any network resource located on that network. Users could join a workgroup just by attaching their system to an existing switch. This can create real security trouble. Properly configured VLANs give us total control over each port and user. With VLANs, we can stop users from gaining unwanted access to resources. We can put a group of users that needs a high level of security into its own VLAN, so that users outside that VLAN cannot communicate with them.
Make device management easier
Device management is easier with VLANs. Since VLANs are a logical approach, a device can be located anywhere in the switched network and still belong to the same broadcast domain. We can move a user from one switch to another switch in the same network while keeping their original VLAN.
For example, suppose our company has a five-storey building and a single layer 2 network. In this scenario, VLANs allow us to move users from one floor to another while keeping their original VLAN ID. The only limitation is that the device, when moved, must still be connected to the same layer 2 network.
Allow us to implement logical grouping of devices by function instead of location
VLANs allow us to group users by their function instead of their geographic location. Switches maintain the integrity of our VLANs: users see only what they are supposed to see, regardless of their physical location.
VLAN Examples
To understand VLANs more clearly, let's take an example.
- Our company has three offices.
- All offices are connected with back links.
- The company has three departments: Development, Production and Administration.
- The Development department has six computers.
- The Production department has three computers.
- The Administration department also has three computers.
- Each office has two PCs from the Development department and one each from the Production and Administration departments.
- The Administration and Production departments have sensitive information and need to be separated from the Development department.
With the default configuration, all computers share the same broadcast domain, and the Development department can access Administration or Production department resources.
With VLANs we can create logical boundaries over the physical network. Assume that we created three VLANs for our network and assigned the related computers to them:
VLAN Admin for the Administration department
VLAN Dev for the Development department
VLAN Pro for the Production department
VLANs also enhance security. Now the Development department cannot access the Administration and Production departments directly. Different VLANs can communicate only via a router, where we can configure a wide range of security options.
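As an added example (not part of the original tutorial), the following Python model of one office's switch shows the per-VLAN broadcast filtering described under "Solve the broadcast problem" applied to the Admin/Dev/Pro scenario above; the port numbers, VLAN names and MAC addresses are constructed for illustration.

```python
# Added example, not from the original tutorial: a minimal model of a switch
# that keeps one broadcast domain per VLAN. Ports 1-4 stand for one office
# of the article's scenario (two Dev PCs, one Pro PC, one Admin PC); MAC
# addresses are constructed sample values.

BROADCAST = "ff:ff:ff:ff:ff:ff"


class VlanSwitch:
    def __init__(self, port_vlans):
        # port_vlans: {port_number: vlan_name}, i.e. static access-port membership
        self.port_vlans = dict(port_vlans)
        self.mac_table = {}  # learned (vlan, mac) -> port, kept per VLAN

    def forward(self, in_port, src_mac, dst_mac):
        """Return the set of ports the switch sends this frame out of."""
        vlan = self.port_vlans[in_port]
        self.mac_table[(vlan, src_mac)] = in_port  # learn the source in its VLAN
        if dst_mac != BROADCAST and (vlan, dst_mac) in self.mac_table:
            out_port = self.mac_table[(vlan, dst_mac)]
            return set() if out_port == in_port else {out_port}
        # broadcast or unknown unicast: flood, but only to ports in the same VLAN
        return {p for p, v in self.port_vlans.items() if v == vlan and p != in_port}


def office_switch():
    """One office with VLANs configured: Dev on ports 1-2, Pro on 3, Admin on 4."""
    return VlanSwitch({1: "Dev", 2: "Dev", 3: "Pro", 4: "Admin"})


def flat_switch():
    """The default configuration: every port in one VLAN, one broadcast domain."""
    return VlanSwitch({1: "default", 2: "default", 3: "default", 4: "default"})


if __name__ == "__main__":
    sw = office_switch()
    # a Dev PC's broadcast reaches only the other Dev port
    print(sw.forward(1, "aa:aa:aa:aa:aa:01", BROADCAST))
    # with no VLANs the same broadcast reaches every other port
    print(flat_switch().forward(1, "aa:aa:aa:aa:aa:01", BROADCAST))
```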
So far in this article we have explained what a VLAN is; in the following sections we explain VLAN terms in more detail.
VLAN Membership
VLAN membership can be assigned to a device by one of two methods:
1. Static
2. Dynamic
These methods decide how a switch will associate its ports with VLANs.
Static
The static method is also the most secure method, since any switch port to which we have assigned a VLAN keeps this association until we manually change it. It works really well in a networking environment where any user movement within the network needs to be controlled.
Dynamic
In the dynamic method, VLANs are assigned to ports automatically depending on the connected device. In this method we configure one switch in the network as a server. The server contains device-specific information such as MAC addresses and IP addresses, and this information is mapped to VLANs. The switch acting as the server is known as a VMPS (VLAN Membership Policy Server). Only a high-end switch can be configured as a VMPS; low-end switches work as clients and retrieve VLAN information from the VMPS.
Dynamic VLANs support plug-and-play mobility. For example, if we move a PC from one port to another, the new switch port will automatically be configured for the VLAN to which the user belongs. In the static method we have to do this manually.
VLAN Connections
When configuring a VLAN on a port, we need to know what type of connection it has. A switch supports two types of VLAN connection:
1. Access link
2. Trunk link
Access link
An access link connection is a connection where the switch port is connected to a device that has a standard Ethernet NIC. A standard NIC only understands IEEE 802.3 or Ethernet II frames. An access link connection can be assigned only a single VLAN. That means all devices connected to this port will be in the same broadcast domain.
For example, if twenty users are connected to a hub, and we connect that hub to an access link port on the switch, then all of these users belong to the same VLAN. If we want to put ten of those users in another VLAN, we have to purchase another hub, plug those ten users into it, and connect it to another access link port on the switch.
Trunk link
A trunk link connection is a connection where the switch port is connected to a device that is capable of understanding multiple VLANs. Usually a trunk link connection is used to connect two switches, or a switch to a router. Remember that earlier in this article I said that a VLAN can span anywhere in the network; that is possible because of trunk link connections. Trunking allows us to send and receive VLAN information across the network. To support trunking, the original Ethernet frame is modified to carry VLAN information.
Trunk Tagging
In trunking, a separate logical connection is created for each VLAN over the single physical connection. In tagging, the switch adds the source port's VLAN identifier to the frame so that the device at the other end can understand which VLAN originated the frame. Based on this information, the destination switch can make intelligent forwarding decisions based not just on the destination MAC address but also on the source VLAN identifier.
Since the original Ethernet frame is modified to add this information, standard NICs will not understand it and will typically drop the frame. Therefore, when we set up a trunk connection on a switch port, we need to ensure that the device at the other end also supports the same trunking protocol and has it configured. If the device at the other end does not understand these modified frames, it will drop them. The modification of these frames is commonly called tagging. Tagging is done in hardware by application-specific integrated circuits (ASICs).
A switch supports two types of Ethernet trunking method:
1. ISL [Cisco's proprietary Inter-Switch Link protocol]
2. Dot1q [IEEE's 802.1Q protocol for Ethernet]
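As an added example (not part of the original tutorial), this Python code builds an Ethernet II frame, inserts the 4-byte 802.1Q tag the way a trunk port does on egress, parses it back, and strips it again as an access port would; it also shows why a standard NIC reading the frame sees EtherType 0x8100 instead of the original one. The MAC addresses, VLAN ID and payload are constructed sample values.

```python
# Added example, not from the original tutorial: 802.1Q tag insertion,
# parsing and removal on a hand-built Ethernet II frame (FCS omitted).
# MAC addresses, VLAN ID and payload below are constructed sample values.
import struct

TPID_8021Q = 0x8100      # EtherType value that marks a tagged frame
ETHERTYPE_IPV4 = 0x0800
MAX_VLAN_ID = 4094       # 12-bit VID field; 0 and 4095 are reserved


def mac_bytes(mac):
    return bytes(int(b, 16) for b in mac.split(":"))


def build_frame(dst, src, ethertype, payload):
    """Plain Ethernet II frame: dst(6) src(6) type(2) payload; no FCS."""
    return mac_bytes(dst) + mac_bytes(src) + struct.pack("!H", ethertype) + payload


def tag_frame(frame, vlan_id, pcp=0, dei=0):
    """Insert the 4-byte 802.1Q tag (TPID + TCI) right after the source MAC."""
    if not 1 <= vlan_id <= MAX_VLAN_ID:
        raise ValueError("VLAN ID must be in 1..4094")
    tci = (pcp << 13) | (dei << 12) | vlan_id   # PCP(3) DEI(1) VID(12)
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def strip_tag(frame):
    """What an access port does on egress: hand the device an untagged frame."""
    if struct.unpack("!H", frame[12:14])[0] != TPID_8021Q:
        return frame
    return frame[:12] + frame[16:]


def parse_frame(frame):
    """Return (dst, src, vlan_id or None, ethertype, payload)."""
    dst = ":".join(f"{b:02x}" for b in frame[0:6])
    src = ":".join(f"{b:02x}" for b in frame[6:12])
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == TPID_8021Q:              # tagged: read TCI, real type follows
        tci = struct.unpack("!H", frame[14:16])[0]
        ethertype = struct.unpack("!H", frame[16:18])[0]
        return dst, src, tci & 0x0FFF, ethertype, frame[18:]
    return dst, src, None, ethertype, frame[14:]


if __name__ == "__main__":
    f = build_frame("ff:ff:ff:ff:ff:ff", "aa:aa:aa:aa:aa:01", ETHERTYPE_IPV4, b"hello")
    t = tag_frame(f, 10)
    print(len(f), len(t), parse_frame(t))
```

A NIC that is not trunk-aware reads bytes 12-13 as the EtherType and finds 0x8100 rather than 0x0800, which is why such frames are dropped on an access device.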
That's all for this part. In the next part of this article we will practically implement what we have learnt in this part on Cisco switches.