Вы находитесь на странице: 1из 90

VLAN Networks

Introduction
Virtual Local Area Networks or VLANs are one of the latest and coolest
network technologies developed in the past few years, though have only recently started to gain recognition. The non-stop growth of Local Area Networks (LANs) and the need to minimize the cost for this expensive equipment, without sacrificing network performance and security, created the necessary soil for the VLAN seed to surface and grow into most modern networks. This article covers VLAN theory extensively using modern and easy-tounderstand examples accompanied by detailed diagrams to ensure the theory is understood. VLAN Design, Access and Trunk Links, VLAN Tagging (ISL, 802.1q, LANE, IEEE 802.10), InterSwitch Link (ISL), InterVLAN Routing, Virtual Trunk Protocol (VTP) and VTP Pruning are just a few of the topics covered over the next couple of pages. The truth is that VLANs are not as simple as most people perceive it to be. Instead they cover extensive material to be a whole study in itself as they contain a mixture of protocols, rules, and guidelines that a network administrator should be well aware of. Unfortunately, most

documentation provided by vendors and other sites is inadequate or very shallow. They lightly touch upon the VLAN topic and fail to give the reader a good understanding on how VLANs really work and the wonderful things one can do when implementing them. Like most topics covered on our site, VLANs have been broken down into a number of pages, each one focusing on specific areas to help the reader build up their knowledge as preparation for designing and building their own VLAN network. Since VLANs is a topic that requires strong background knowledge of

certain areas, as they contain a lot of information at the technical and protocol level, we believe that the reader should be familiar and comfortable with the following concepts: Switches and hubs Broadcast and collision domains Internet Protocol (IP) IP routing As we cover all the theory behind VLANs and how they are implemented within various network topologies, we will finally demonstrate the configuration of a Cisco powered network utilizing VLANs! Protocols such as Spanning Tree Protocol (STP) are essential when implementing VLANs within a mid to large sized network, so we will briefly touch upon the topic, without thoroughly analysing it in great detail because STP will be covered as a separate topic.

So What's Covered?
Before we begin our journey into the VLAN world, let's take a look at what we will be covering:

Section 1: The VLAN Concept. This page explains what a VLAN is and
how it differs from a normal switched environment. Be sure to find our well known diagrams along with illustrations to help cover your questions. In short, its a great introductory page for the topic.

Section 2: Designing VLANs. (Subcategory)


Section 2.1: Designing VLANs - A Comparison With Old Networks. This subsection will give you an insight to the different VLAN implementations: Static and Dynamic VLANs. The subsection begins with an introduction page to help you 'see' the actual difference in the network infrastructure

between the old boring networks and VLAN powered networks. This way, you will be able to appreciate the technology much better!

Section 2.2: Designing VLANs - Static VLANs. Definitely the most


wide spread VLAN implementation. The popular Static VLANs are analysed here. We won't be covering any configuration commands here as this page serves as an introduction to this VLAN implementation. As always, cool 3D diagrams and examples are included to help you understand and process the information.

Section 2.3: Designing VLANs - Dynamic VLANs. Dynamic VLANs


are less common to most networks but offer substantial advantages over Static VLANs for certain requirements. Again, this page serves as an introduction to the specific VLAN implementation.

Section 3: VLAN Links: Access Links & Trunk Links. Access links
are used to connect hosts, while Trunk links connect to the network backbone. Learn how Access & Trunk links operate, the logic which dictates the type of link and interface used and much more.

Section 4: VLAN Tagging - ISL, 802.1q, LANE and IEEE 802.10.


To tag or not to tag! Understand the VLAN tagging process and find out the different tagging methods available, which are the most popular and how they differentiate from each other. Neat diagrams and examples are included to ensure no questions are left unanswered!

Section 5: Analyzing Popular Tagging Protocols. Section 5.1: InterSwitch Link Analysis (ISL): Analysis of Cisco's
proprietary ISL protocol. We take a look at how it is implemented and all available fields it contains.

Section 5.2: IEEE 802.1q Analysis. IEEE's 802.1q protocol is the

most widely spread trunking protocol. Again, we take a look at its implementation with an analysis of all its fields.

Section 6: InterVLAN Routing. A very popular topic, routing between


VLANs is very important as it allows VLANs to communicate. We'll examine all possible InterVLAN routing methods and analyze each one's advantages and disadvantages. Needless to say, our cool diagrams also make their appearance here!

Section 7: Virtual Trunk Protocol (VTP) (Subcategory) Section 7.1: Introduction To The VTP Protocol. The introductory
page deals with understanding the VTP concept. Why it's required and what are its advantages.

Section 7.2: In-Depth Analysis Of VTP. Diving deeper, this page will
analyse the VTP protocol structure. It includes 3d diagrams explaining each VTP message usage and much more.

Section 7.3: Virtual Trunk Protocol Pruning (VTP Pruning). VTP


Prunning is an essential service in any large network to avoid broadcast flooding over trunk links. This page will explain what VTP Prunning does and how it works by reading through our excellent examples. The diagrams used here have been given extra special attention!

Section 8: VLAN Security: This article covers VLAN Security best


practices. Originally written for the U.S FedTech Magazine, it tackles a lot of important issues regarding VLAN Security.

The VLAN Concept

Introduction
By now we should feel comfortable with terms such as 'VLAN', 'Static & Dynamic VLANs', but this is just the beginning in this complex world. On this page, we will start to slowly expand on these terms by introducing new ones! To begin with, we will take a closer look at the port interfaces on these smart switches and then start moving towards the interfaces connecting to the network backbone where things become slightly more

complicated, though do not be alarmed since our detailed and easy to read diagrams are here to ensure the learning process is as enjoyable as possible.

VLAN Links - Interfaces


When inside the world of VLANs there are two types of interfaces, or if you like, links. These links allow us to connect multiple switches together or just simple network devices e.g. PC that will access the VLAN network. Depending on their configuration, they are called Access Links, or Trunk Links.

Access Links
Access Links are the most common type of links on any VLAN switch. All network hosts connect to the switch's Access Links in order to gain access to the local network. These links are your ordinary ports found on

every switch, but configured in a special way, so you are able to plug a computer into them and access your network. Here's a picture of a Cisco Catalyst 3550 series switch, with it's Access Links (ports) marked in the Green circle:

We must note that the 'Access Link' term describes a configured port this means that the ports above can be configured as the second type of VLAN links - Trunk Links. What we are showing here is what's usually configured as an Access Link port in 95% of all switches. Depending on your needs, you might require to configure the first port (top left corner) as a Trunk Link, in which case, it is obviously not called a Access Link port anymore, but a Trunk Link! When configuring ports on a switch to act as Access Links, we usually configure only one VLAN per port, that is, the VLAN our device will be allowed to access. If you recall the diagram below which was also present during the introduction of the VLAN concept, you'll see that each PC is assigned to a specific port:

In this case, each of the 6 ports used have been configured for a specific VLAN. Ports 1, 2 and 3 have been assigned to VLAN 1 while ports 4, 5 and 6 to VLAN 2. In the above diagram, this translates to allowing only VLAN 1 traffic in and out of ports 1, 2 and 3, while ports 4, 5 and 6 will carry VLAN 2 traffic. As you would remember, these two VLANs do not exchange any traffic between each other, unless we are using a layer 3 switch (or router) and we have explicitly configured the switch to route traffic between the two VLANs. It is equally important to note at this point that any device connected to an Access Link (port) is totally unaware of the VLAN assigned to the port. The device simply assumes it is part of a single broadcast domain, just as it happens with any normal switch. During data transfers, any VLAN information or data from other VLANs is removed so the recipient has no information about them. The following diagram illustrates this to help you get the picture:

As shown, all packets arriving, entering or exiting the port are standard Ethernet II type packets which are understood by the network device connected to the port. There is nothing special about these packets, other than the fact that they belong only to the VLAN the port is configured for. If, for example, we configured the port shown above for VLAN 1, then any packets entering/exiting this port would be for that VLAN only. In addition, if we decided to use a logical network such as 192.168.0.0 with a default subnet mask of 255.255.255.0 (/24), then all network devices connecting to ports assigned to VLAN 1 must be configured with the appropriate network address so they may communicate with all other hosts in the same VLAN.

Trunk Links
What we've seen so far is a switch port configured to carry only one VLAN, that is, an Access Link port. There is, however, one more type of port configuration which we mentioned in the introductory section on

this page - the Trunk Link. A Trunk Link or 'Trunk' is a port configured to carry packets for any VLAN. These types of ports are usually found in connections between switches. These links require the ability to carry packets from all available VLANs because VLANs span over multiple switches. The diagram below shows multiple switches connected throughout a network and the Trunk Links are marked in purple color to help you identify them:

As you can see in our diagram, our switches connect to the network backbone via the Trunk Links. This allows all VLANs created in our network to propagate throughout the whole network. Now in the unlikely event of Trunk Link failure on one of our switches, the devices connected to that switch's ports would be isolated from the rest of the network, allowing only ports on that switch, belonging to the same

VLAN, to communicate with each other. So now that we have an idea of what Trunk Links are and their purpose, let's take a look at an actual switch to identify a possible Trunk Link:

As we noted with the explanation of Access Link ports, the term 'Trunk Link' describes a configured port. In this case, the Gigabit ports are usually configured as Trunk Links, connecting the switch to the network backbone at the speed of 1 Gigabit, while the Access Link ports connect at 100Mbits. In addition, we should note that for a port or link to operate as a Trunk Link, it is imperative that it runs at speeds of 100Mbit or greater. A port running at speeds of 10Mbit's cannot operate as a Trunk Link and this is logical because a Trunk Link is always used to connect to the network backbone, which must operate at speeds greater than most Access Links!

Summary
This page introduced the Access and Trunk links. We will be seeing a lot of both links from now on, so it's best you get comfortable with them! Configuration of these links is covered later on, because there is still quite a bit of theory to cover!

VLAN Tagging

Introduction
We mentioned that Trunk Links are designed to pass frames (packets) from all VLANs, allowing us to connect multiple switches together and independently configure each port to a specific VLAN. However, we haven't explained how these packets run through the Trunk Links and network backbone, eventually finding their way to the destination port without getting mixed or lost with the rest of the packets flowing through the Trunk Links. This is process belongs to the world of VLAN Tagging!

VLAN Tagging
VLAN Tagging, also known as Frame Tagging, is a method developed by Cisco to help identify packets travelling through trunk links. When an Ethernet frame traverses a trunk link, a special VLAN tag is added to the frame and sent across the trunk link. As it arrives at the end of the trunk link the tag is removed and the frame is sent to the correct access link port according to the switch's table, so that the receiving end is unaware of any VLAN information. The diagram below illustrates the process described above:

Here we see two 3500 series Catalyst switches and one Cisco 3745 router connected via the Trunk Links. The Trunk Links allow frames from all VLANs to travel throughout the network backbone and reach their destination regardless of the VLAN the frame belongs to. On the other side, the workstations are connected directly to Access Links (ports configured for one VLAN membership only), gaining access to the resources required by VLAN's members. Again, when we call a port 'Access Link' or 'Trunk Link', we are describing it based on the way it has been configured. This is because a port can be configured as an Access Link or Trunk Link (in the case where it's 100Mbits or faster). This is stressed because a lot of people think that it's the other way around, meaning, a switch's uplink is always a Trunk Link and any normal port where you would usually connect a workstation, is an

Access Link port!

VLAN Tagging Protocol


We're now familiar with the term 'Trunk Link' and its purpose, that is, to allow frames from multiple VLANs to run across the network backbone, finding their way to their destination. What you might not have known though is that there is more than one method to 'tag' these frames as they run through the Trunk Links or ... the VLAN Highway as we like to call it.

InterSwitch Link (ISL)


ISL is a Cisco propriety protocol used for Fast Ethernet and Gigabit Ethernet links only. The protocol can be used in various equipments such as switch ports, router interfaces, server interface cards to create a trunk to a server and much more. You'll find more information on VLAN implementations on our last page of the VLAN topic. Being a propriety protocol, ISL is available and supported naturally on Cisco products only:) You may also be interested in knowing that ISL is what we call, an 'external tagging process'. This means that the protocol does not alter the Ethernet frame as shown above in our previous diagram - placing the VLAN Tag inside the Ethernet frame, but encapsulating the Ethernet frame with a new 26 byte ISL header and adding an additional 4 byte frame check sequence (FCS) field at the end of frame, as illustrated below:

Despite this extra overhead, ISL is capable of supporting up to 1000 VLANs and does not introduce any delays in data transfers between Trunk Links. In the above diagram we can see an ISL frame encapsulating an Ethernet II frame. This is the actual frame that runs through a trunk link between two Cisco devices when configured to use ISL as their trunk tagging protocol. The encapsulation method mentioned above also happens to be the reason why only ISL-aware devices are able to read it, and because of the addition of an ISL header and FCS field, the frame can end up being 1548 bytes long! For those who can't remember, Ethernet's maximum frame size is 1518 bytes, making an ISL frame of 1548 bytes, what we call a 'giant' or 'jumbo' frame! Lastly, ISL uses Per VLAN Spanning Tree (PVST) which runs one instance of the Spanning Tree Protocol (STP) per VLAN. This method allows us to optimize the root switch placement for each available VLAN while supporting neat features such as VLAN load balancing between multiple trunks. Since the ISL's header fields are covered on a separate page, we won't provide further details here.

IEEE 802.1q
The 802.1q standard was created by the IEEE group to address the problem breaking large networks into smaller and manageable ones through the use of VLANs. The 802.1q standard is of course an alternative to Cisco's ISL, and one that all vendors implement on their network equipment to ensure compatibility and seamless integration with the existing network infrastructure. As with all 'open standards' the IEEE 802.1q tagging method is by far the most popular and commonly used even in Cisco oriented network installations mainly for compatibility with other equipment and future upgrades that might tend towards different vendors. In addition to the compatibility issue, there are several more reasons for which most engineers prefer this method of tagging. These include: Support of up to 4096 VLANs Insertion of a 4-byte VLAN tag with no encapsulation Smaller final frame sizes when compared with ISL Amazingly enough, the 802.1q tagging method supports a whopping 4096 VLANs (as opposed to 1000 VLANs ISL supports), a large amount indeed which is merely impossible to deplete in your local area network. The 4-byte tag we mentioned is inserted within the existing Ethernet frame, right after the Source MAC Address as illustrated in the diagram below:

Because of the extra 4-byte tag, the minimum Ethernet II frame size increases from 64 bytes to 68 bytes, while the maximum Ethernet II frame size now becomes 1522 bytes. If you require more information on the tag's fields, visit our protocol page where further details are given. As you may have already concluded yourself, the maximum Ethernet frame is considerably smaller in size (by 26 bytes) when using the IEEE 802.1q tagging method rather than ISL. This difference in size might also be interpreted by many that the IEEE 802.1q tagging method is much faster than ISL, but this is not true. In fact, Cisco recommends you use ISL tagging when in a Cisco native environment, but as outlined earlier, most network engineers and administrators believe that the IEEE802.1q approach is much safer, ensuring maximum compatibility. And because not everything in this world is perfect, no matter how good the 802.1q tagging protocol might seem, it does come with its restrictions: In a Cisco powered network, the switch maintains one instance of the Spanning Tree Protocol (STP) per VLAN. This means that if you have 10 VLANs in your network, there will also be 10 instances of STP running amongst the switches. In the case of non-Cisco switches, then only 1 instance of STP is maintained for all VLANs, which is certainly not something a network administrator would want.

It is imperative that the VLAN for an IEEE 802.1q trunk is the same for both ends of the trunk link, otherwise network loops are likely to occur. Cisco always advises that disabling a STP instance on one 802.1q VLAN trunk without disabling it on the rest of the available VLANs, is not a good idea because network loops might be created. It's best to either disable or enable STP on all VLANs.

LAN Emulation (LANE)


LAN Emulation was introduced to solve the need of creating VLANs over WAN links, allowing network managers to define workgroups based on logical function, rather than physical location. With this new technology (so to speak - it's actually been around since 1995!), we are now able to create VLANs between remote offices, regardless of their location and distance. LANE is not very common and you will most probably never see it implemented in small to mid-sized networks, however, this is no reason to ignore it. Just keep in mind that we won't be looking at it in much depth, but briefly covering it so we can grasp the concept. LANE has been supported by Cisco since 1995 and Cisco's ISO release 11.0. When implemented between two point-to-point links, the WAN network becomes totally transparent to the end users:

Every LAN or native ATM host, like the switch or router shown in the diagram, connects to the ATM network via a special software interface called 'LAN Emulation Client'. The LANE Client works with the LAN Emulation Server (LES) to handle all messages and packets flowing through the network, ensuring that the end clients are not aware of the WAN network infrastructure and therefore making it transparent. The LANE specification defines a LAN Emulation Configuration Server (LECS), a service running inside an ATM switch or a physical server connected to the ATM switch, that resides within the ATM network and allows network administrators to control which LANs are combined to form VLANs. The LAN Emulation Server with the help of the LANE Client, maps MAC addresses to ATM addresses, emulating Layer 2 protocols (Data Link layer) and transporting higher layer protocols such as TCP/IP, IPX/SPX without modification.

802.10 (FDDI)
Tagging VLAN frames on Fiber Distributed Data Interface (FDDI)

networks is quite common in large scale networks. This implementation is usually found on Cisco's high-end switch models such as the Catalyst 5000 series where special modules are installed inside the switches, connecting them to an FDDI backbone. This backbone interconnects all major network switches, providing a fully redundant network. The various modules available for the Cisco Catalyst switches allow the integration of Ethernet into the FDDI network. When installing the appropriate switch modules and with the use of the 802.10 SAID field, a mapping between the Ethernet VLAN and 802.10 network is created, and as such, all Ethernet VLANs are able to run over the FDDI network.

The diagram above shows two Catalyst switches connected to a FDDI backbone. The links between the switches and the backbone can either be Access type links (meaning one VLAN passes through them) or Trunk links (all VLANs are able to pass through them). At both ends, the switches have an Ethernet port belonging to VLAN 6, and to 'connect' these ports we map each switch's Ethernet module with its FDDI module. Lastly, the special FDDI modules mentioned above support both single VLANs (non-trunk) and multiple VLANs (trunk). To provide further detail, the diagram below shows the IEEE 802.10 frame, along with the SAID field in which the VLAN ID is inserted,

allowing the frame to transit trunk links as described:

It's okay if your impressed or seem confused with the structure of the above frame, that's normal :) You'll be surprised to find out that the Cisco switch in the previous diagram must process the Ethernet II frame and convert it before placing it on the IEEE 802.10 backbone or trunk. During this stage, the original Ethernet II frame is converted to an Ethernet SNAP frame and then finally to an IEEE 802.10 frame. This conversion is required to maintain compatibility and reliability between the two different topologies. The most important bit to remember here is the SAID field and its purpose.

Summary
This page introduced four popular VLAN tagging methods, providing you with the frame structure and general details of each tagging method. Out of all, the IEEE 802.1q and ISL tagging methods are the most popular, so make sure you understand them quite well.

InterSwitch Link (ISL) Protocol Analysis

Introduction
Deciding whether to use ISL or IEEE 802.1q to power your trunk links can be quite confusing if you cannot identify the advantages and disadvantages of each protocol within your network. This page will cover the ISL protocol in great detail, providing an insight to its secrets and capabilities which you probably were unaware of. In turn, this will also help you understand the existence of certain limitations the protocol has, but most importantly allow you to decide if ISL is the tagging process you require within your network.

InterSwitch Link (ISL)


ISL is Cisco's propriety tagging method and supported only on Cisco's equipment through Fast & Gigabit Ethernet links. The size of an ISL frame can be expected to start from 94 bytes and increase up to 1548 bytes due to the overhead (additional fields) the protocol places within the frame it is tagging. These fields and their length are also shown on the diagram below:

We will be focusing on the two purple colored 3D blocks, the ISL header and ISL Frame Check Sequence (FCS) respectively. The rest of the Ethernet frame shown is a standard Ethernet II frame as we know it. If you need more information, visit our Ethernet II page.

The ISL Header


The ISL header is 26 byte field containing all the VLAN information required (as one would expect), to allow a frame traverse over a Trunk Link and find its way to its destination. Here is a closer look at the header and all the fields it contains:

You can see that the ISL header is made out of quite a few fields, perhaps a lot more than what you might have expected, but this shouldn't alarm you as only a handful of these fields are important. As usual, we will start from the left field and work our way to the far right side of the header. First up...... the DA field:

Destination Address (DA) Field


The 'DA' field is a 40 bit destination address field that contains a multicast address usually set to "0x01-00-0C-00-00" or "0x03-00-0C00-00". This address is used to signal to the receiver that the packet is in ISL format.

Type Field
The 'Type' field is 4 bits long and helps identify the encapsulated original frame. Depending on the frame type, the ISL 'Type' field can take 4 possible values as outlined in the table below:

Type Value 0000 0001 0010 0011

Encapsulated Frame Ethernet Token-Ring FDDI ATM

The 4 bits of space assigned to the 'Type Value' field allow a maximum of 2^4=16 different values. Since all combinations are not used, there is plenty of room for future encapsulations that might be developed.

User Defined Field


The 'User' field occupying 4 bits serves as an extension to the previous 'Type' field and is mostly used when the original encapsulated frame is an Ethernet II type frame. When this happens, the first two bits of the 'User' field act as a prioritization mechanism, allowing the frames to find

their way to the destination much faster. Currently, there are 4 different priorities available, as shown in the table below:

Type Value XX00 XX01 XX10 XX11

Frame Priority Normal Priority Priority 1 Priority 2 Highest Priority

We should also note that the use of priorities is optional and not required.

Source Address (SA) Field


The 'SA' field is the source MAC address of the switch port transmitting the frame. This field is -as expected- 48 bits long. The receiving device can choose to ignore this field. It is worth noting that while the Destination Address field located at the beginning of the header contains a multicast MAC Address, the Source MAC address field we are looking at here contains the MAC address of the sending device - usually a switch.

Length Field

The 'Length' field is 16 bits long and contains the whole ISL frame's length minus the DA, Type, User, SA, LEN and FCS fields. If you're good at mathematics, you can easily calculate the total length of the excluded fields, which is 18 bytes. With this in mind, a quick way to find this field's value is to take the total frame size and subtract 18 bytes :) Length fields are used in frames to help the receiving end identify where specific portions of the frame exist within the frame received.

AAAA03 (SNAP) Field


The SNAP field is a 24 bit long field with a value of "0xAAAA03".

High bits Source Address (HSA) Field


The 'HSA' field is a 24 bit value. This field represents the upper three bytes of the SA field (the manufacturers ID portion) and must contain the value "0x00-00-0C". Since the SA field is 48 bits long or 6 bytes, the upper 3 bytes of the SA field would translate to 24 bits, hence the length of the HSA field.

VLAN - Destination Virtual LAN ID Field


The 'VLAN' field is the Virtual LAN ID of the frame. This is perhaps the most important field of all as our frame moves between trunk links because it allows all trunk links to identify the VLAN this frame belongs to. The VLAN ID field is 15 bits long and often referred to as the "color"

of the frame. Without this field, there would be no way of identifying which VLAN the frame transiting a trunk link belongs to.

Bridge Protocol Data Unit (BPDU) & Cisco Discovery Protocol (CDP) Indicator
The 'BPDU' field is only 1 bit long but very important as it is set for all BPDU packets encapsulated by the ISL frame. For those unaware, BPDU's are used by the Spanning Tree Protocol (STP) to shut down redundant links and avoid network loops. This field is also used for CDP and Virtual Trunk Protocol (VTP) frames that are encapsulated.

Index Field
The 'Index' field is a 16 bit value and indicates the port index of the source of the packet as it exits the switch. It is used for diagnostic purposes only and may be set to any value by other devices.

RES Field - Reserved for Token Ring and Fiber Distributed Data Interface (FDDI)
The 'RES' field is a 16 bit value and used when Token Ring or FDDI packets are encapsulated with an ISL frame. In the case of Token Ring frames, the Access Control (AC) and Frame Control (FC) fields are placed here whereas in the case of FDDI, the FC field is placed in the Least Significant Byte (LSB) of this field (as in a FC of "0x12" would have a RES field of "0x0012"). For Ethernet packets, the RES field should be set to all zeros.

Frame Check Sequence (ISL FCS)

Coming to the end of the ISL protocol analysis, we met the 'FCS' field which consists of four bytes. The FCS contains a 32-bit CRC value, which is created by the sending MAC (switch) and is recalculated by the receiving MAC (switch) to check for corrupt frames. In an Ethernet II frame, the FCS is generated using the Destination MAC, Source MAC, Ether type, and Data fields while ISL's FCS is calculated based on the entire ISL frame and added to the end of it.

Summary
This page analyzed all fields of the ISL header and FCS. The next page deals with the popular IEEE 802.1q, an alternative to Cisco's ISL tagging protocol.

IEEE 802.1q Link Protocol Analysis

Introduction
Our VLAN Tagging page briefly covered the IEEE 802.1q protocol and we are about to continue its analysis here. As mentioned previously, the IEEE 802.1q tagging method is the most popular as it allows the seem less integration of VLAN capable devices from all vendors who support the protocol. So, without any more delay, let's get right into the protocol.

IEEE 802.1q Analysis


The IEEE 802.1q tagging mechanism seems quite simple and efficient thanks to its 4-byte overhead squeezed between the Source Address and Type/Length field of our Ethernet II frame:

The process of inserting the 802.1q tag into an Ethernet II frame results in the original Frame Check Sequence (FCS) field to become invalid since we are altering the frame, hence it is essential that a new FCS is recalculated, based on the new frame now containing the IEEE 802.1q field. This process is automatically performed by the switch, right before it sends the frame down a trunk link. Our focus here will be the pink 3D block, labeled as the IEEE 802.1q header.

The IEEE 802.1q Header


As noted, the 802.1q header is only 4 bytes or 32 bits in length while within this space there is all the necessary information required to successfully identify the frame's VLAN and ensure it arrived to the correct destination. The diagram below analyses all fields contained in a 802.1q header:

The structure is quite simple as there are only 4 fields when compared with the 11 ISL has. We will continue by analysing each of these fields in

order to discover what the protocol is all about.

TPID - Tag Protocol Identifier


The TPID field is 16 bit long with a value of 0x8100. It is used to identify the frame as an IEEE 802.1q tagged frame. Note: The next three fields, Priority, CFI and VLAN ID are also known as the TCI (Tag Control Information) field and are often represented as one single field (TCI Field).

Priority
The Priority field is only 3 bits long but used for prioritisation of the data this frame is carrying. Data Prioritization is a whole study in itself but we won't be analysing it here since its well beyond the scope of our topic. However, for those interested, data prioritization allows us to give special priority to timelatency sensitive services, such as Voice Over IP (VoIP), over normal data. This means that the specified bandwidth is allocated for these critical services to pass them through the link without any delay. The IEEE 802.1p priority protocol was developed to provide such services and is utilized by the IEEE 802.1q tagging protocol. The Priority field is approximately 3 bits long, allowing a total of 2^3=8 different priorities for each frame, that is, level zero (0) to seven (7) inclusive.

CFI - Canonical Format Indicator


The CFI field is only 1 bit long. If set to '1', then it means the MAC Address is in non-canonical format, otherwise '0' means it is canonical format. For Ethernet switches, this field is always set to zero (0). The CFI field is mainly used for compatibility reasons between Ethernet and Token Ring networks. In the case where a frame arrives to an Ethernet port and the CFI flag is set to one (1), then that frame should not be forwarded as it was received to any untagged port (Access Link port).

VLAN ID - Virtual Local Area Network Identifier


The VLAN ID field is perhaps the most important field out of all because we are able to identify which VLAN the frame belongs to, allowing the receiving switch to decide which ports the frame is allowed to exit depending on the switch configuration. For those who recall our VLAN Tagging page, we mentioned that the IEEE 802.1q tagging method supports up to 4096 different VLANs. This number derives from the 12 bit VLAN ID field we are analysing right now and here are the calculations to prove this: 2^12=4096, which translates from VLAN 0 to VLAN 4095 inclusive.

Summary
That completes our analysis on the IEEE 802.1q protocol. As a last note,

you should remember that this protocol is the most wide spread tagging method used around the world that supports up to 4096 VLANs!

Inter VLAN Routing

Introduction
This article deals with the popular topic of InterVLAN routing, which is used to allow routing & communication between VLAN networks. Our article analyses InterVLAN routing and provides 4 different methods of InterVLAN routing to help understand the concept.

The Need For Routing


Each network has it's own needs, though whether it's a large or small network, internal routing, in most cases, is essential - if not critical. The ability to segment your network by creating VLANs, thus reducing

network broadcasts and increasing your security, is a tactic used by most engineers. Popular setups include a separate broadcast domain for critical services such as File Servers, Print servers, Domain Controllers etc., serving your users non-stop. The issue here is how users from one VLAN (broadcast domain) can, use services offered by another VLAN? Thankfully there's an answer to every problem and in this case, its VLAN routing:

The above diagram is a very simple but effective example to help you get the idea. Two VLANs consisting of two servers and workstations of which one workstation has been placed along with the servers in VLAN 1, while the second workstation is placed in VLAN 2. In this scenario, both workstations require access to the File and Print servers, making it a very simple task for the workstation residing in VLAN 1, but obviously not for our workstation in VLAN 2. As you might have already guessed, we need to somehow route packets between the two VLANs and the good news is that there is more than one way to achieve this and that's what we'll be covering on this page.

VLAN Routing Solutions


While the two 2924 Catalyst switches are connected via a trunk link, they are unable to route packets from one VLAN to another. If we wanted the switch to support routing, we would require it to be layer 3 switches with routing capabilities, a service offered by the popular Catalyst 3550 series and above. Since there are quite a few ways to enable the communication between VLANs (InterVLAN Routing being the most popular) there is a good chance that we are able to view all possible solutions. This follows our standard method of presenting all possible solutions, giving you an indepth view on how VLAN routing can be setup, even if you do not have a layer 3 switch. Note: The term 'InterVLAN Routing' refers to a specific routing method which we will cover as a last scenario; however it is advised that you read through all given solutions to ensure you have a solid

understanding on the VLAN routing topic.

VLAN Routing Solution No.1: Using A Router With 2 Ethernet Interfaces


A few years ago, this was one of the preferred and fastest methods to route packets between VLANs. The setup is quite simple and involves a Cisco router e.g. 2500 series with two Ethernet interfaces as shown in the diagram, connecting to both VLANs with an appropriate IP Address assigned to each interface. IP Routing is of course enabled on the router and we also have the option of applying access lists in the case where we need to restrict network access between our VLANs.

In addition, each host (servers and workstations) must either use the router's interface connected to their network as a 'default gateway' or a route entry must be created to ensure they use the router as a gateway to the other VLAN/Network. This scenario is however expensive to implement because we require a dedicated router to router packets between our prospective. In the case where there are more than two VLANs, additional Ethernet interfaces will be required, so basically, the idea here is that you need one Ethernet interface on your router that will connect to each VLAN. To finish this scenario, as the network gets bigger and more VLANs are created, it will very quickly get messy and expensive, so this solution will prove inadequate to cover our future growth. VLANs, and is also limited from an expandability

VLAN Routing Solution No.2: Using A Router With One Ethernet (Trunk) Interface
This solution is certainly fancier but requires, as you would have already guessed, a router that supports trunk links. With this kind of setup, the trunk link is created, using of course the same type of encapsulation the

switches use (ISL or 802.1q), and enabling IP routing on the router side. This method of InterVLAN routing is also known as 'Router on a Stick'. You can read more on its configuration under our

Cisco Router Knowledgebase

The downside here is that not many engineers will sacrifice a router just for routing between VLANs when there are many cheaper alternatives, as you will soon find out. Nevertheless, despite the high cost and dedicated hardware, it's still a valid and workable solution and depending on your needs and available equipment, it might be just what

you're looking for! Closing this scenario, the router will need to be configured with two virtual interfaces, one for each VLAN, with the appropriate IP Address assigned to each one so routing can be performed.

VLAN Routing Solution No.3: Using A Server With Two Network Cards
We would call this option a "Classic Solution". What we basically do, is configure one of the servers to perform the routing between the two VLANs, reducing the overall cost as no dedicated equipment is required.

In order for the server to perform the routing, it requires two network cards - one for each VLAN and the appropriate IP Addresses assigned, therefore we have configured one with IP Addresses 192.168.1.1 and the other with 192.168.2.1. Once this phase is complete, all we need to do is enable IP routing on the server and we're done. Lastly, each workstation must use the server as either a gateway, or a route entry should be created so they know how to get to the other network. As you see, there's nothing special about this configuration, it's simple, cheap and it gets the job done.

VLAN Routing Solution No.4: InterVLAN Routing


And at last.... InterVLAN routing! This is without a doubt the best VLAN routing solution out of all of the above. InterVLAN routing makes use of the latest in technology switches ensuring a super fast, reliable, and acceptable cost routing solution.

The Cisco Catalyst 3550 series switches used here are layer 3 switches with built-in routing capabilities, making them the preferred choice at a reasonable cost. Of course, the proposed solution shown here is only a small part of a large scale network where switches such as the Catalyst 3550 are usually placed as core switches, connecting all branch switches together (2924's in this case) via superfast fiber Gigabit or Fast Ethernet links, ensuring a fast and reliable network backbone. We should also note that InterVLAN routing on the Catalyst 3550 has certain software requirements regarding the IOS image loaded on the switch as outlined on the table below:

Image Type & Version

InterVLAN Routing Capability

Enhanced Multilayer Image (EMI) - All Versions Standard Multilayer Image (SMI) - prior to 12.1(11)EA1 Standard Multilayer Image (SMI) - 12.1(11)EA1 and later

YES

NO

YES

If you happen to have a 3550 Catalyst in hand, you can issue the 'Show version' to reveal your IOS version and find out if it supports IP routing. In returning to our example, our 3550 Catalyst will be configured with two virtual interfaces, one for each VLAN, and of course the appropriate IP Address assigned to them to ensure there is a logical interface connected to both networks. Lastly, as you might have guessed, we need to issue the 'IP Routing' command to enable the InterVLAN Routing service!

The diagram above was designed to help you 'visualize' how switches and their interfaces are configured to specific VLAN, making the

InterVLAN routing service

possible. The switch

above

has been

configured with two VLANs, VLAN 1 and 2. The Ethernet interfaces are then assigned to each VLAN, allowing them to communicate directly with all other interfaces assigned to the same VLAN and the other VLAN, when the internal routing process is present and enabled.

Access Lists & InterVLAN Routing


Another common addition to the InterVLAN routing service is the application of Access Lists (packet filtering) on the routing switch, to restrict access to services or hosts as required. In modern implementations, central file servers and services are usually placed in their own isolated VLAN, securing them from possible network attacks while controlling access to them. When you take into

consideration that most Trojans and viruses perform an initial scan of the network before attacking, an administrator can smartly disable ICMP echoes and other protocols used to detect a live host, avoiding possible detection by an attacker host located on a different VLAN.

Summary
InterVLAN is a terrific service and one that you simply can't live without in a large network. The topic is a fairly easy one once you get the idea, and this is our aim here, to help you get that idea, and extend it further by giving you other alternative methods. The key element to the InterVLAN routing service is that you must have at least one VLAN interface configured with an IP Address on the InterVLAN capable switch, which will also dictate the IP network for that VLAN. All hosts participating in that VLAN must also use the same IP addressing scheme to ensure communication between them. When the above requirements are met, it's then as simple as enabling the IP Routing service on the switch and you has the InterVLAN service

activated.

VLAN Security

Introduction
Take a look under the hood of this powerful networking tool so that your agency can reap the benefits of bandwidth, availability and security. It's easy to see why virtual LANs have become extremely popular on networks of all sizes. In practical terms, multiple VLANs are pretty much the same as having multiple separate physical networks within a single organization without the headache of managing multiple cable plants and switches. Because VLANs segment a network, creating multiple broadcast domains, they effectively allow traffic from the broadcast domains to remain isolated while increasing the network's bandwidth, availability and security. Most managed switches are VLAN-capable, but this doesn't mean that they all perform the job equally well. The market has been flooded by thousands of switches that seem to do the job, but special consideration

must be taken before making a purchase. A switch in a VLAN-enabled network needs to do a lot more than just switch packets between its ports. Core backbone switches undertake the hefty task of managing the network's VLANs to ensure everything runs smoothly. The tasks of these switches include prioritizing network packets based on their source and destination (essentially Quality of Service), ensuring all edge switches are aware of the VLANs configured in the network, continuously monitoring for possible network loops on every VLAN, switching packets between VLANs as required and ensuring network security according to their configuration . Edge switches, also known as access switches, are dedicated to the end devices: user workstations, network peripherals and sometimes servers (most IT administrators rightly prefer to connect servers directly to the core- backbone switches). The edge switches must be compatible with the VLAN features that the core backbone switches support, otherwise unavoidable problems will arise because of incompatibilities among the switch devices. This is one reason many organizations standardize when it comes to network equipment from companies that include Cisco Systems, HP and Juniper Networks. When deploying VLANs, here are five key considerations to address:

1. Links on VLAN Switches


VLAN switches have two main types of links: access links and trunk links. Access Links are the most common type of links on any VLAN capable switch. All network hosts connect to the switch's Access Links to gain access to the local network. These links are the ordinary ports found on

every switch, but configured to access a particular VLAN. Trunk Links are the links that connect two VLAN capable switches together. While an Access Link is configured to access a specific VLAN, a Trunk Link is almost always configured to carry data from all available VLANs.

2. Native VLAN, ISL and 802.1q


When a port on a switch is configured as an access link (http://www.firewall.cx/networking-topics/vlan-networks/218-vlanaccess-trunk-links.html), it has access to one specific VLAN. Any network device connecting to it will become part of that VLAN. Ethernet frames entering or exiting the port are standard Ethernet II type frames (http://www.firewall.cx/networkingtopics/ethernet/ethernet-frame-formats/201-ethernet-ii.html) , which are understood by the network device connected to the port. Because these frames belong only to one network, they are said to be untagged meaning that they do not contain any information as to which VLAN they are assigned. Trunk links on the other hand are a bit more complicated. Because they carry frames from all VLANs, it's necessary to somehow identify the frames as they traverse switches. This is called VLAN tagging. Two methods known for this job are ISL (Inter-Switch Link, a proprietary Cisco protocol) and IEEE 802.1q. Of the two, 802.1q is the most popular VLAN tagging method and is compatible among all vendors supporting VLAN trunking. What might come as a surprise is that a trunk link can also be configured to act as an access link when a device (computer or switch) that does not support VLAN trunking connects to it. This means that if you have a

trunk link on a switch and connect a computer, the port will automatically provide access to a specific VLAN. The VLAN in this case is known as the native VLAN, a common term that refers to the VLAN a trunk port is configured for when acting as an access link.

3.Virtual Trunk Protocol and VTP Pruning


VTP is Cisco proprietary protocol that ensures all VLAN information held by the VTP Server, usually the core switch, is propagated to all network switches within the VTP domain. During initial network configuration, all switches are configured members of the same VTP domain. With the use of VTP, an IT administrator can create, delete or rename VLANs on the core switch. All information is then automatically sent to all members of the VTP domain. The VTP equivalent for other vendors, such as HP and Juniper, is the Garp VLAN Registration Protocol (GVRP), which has been fine-tuned in the recent years and includes many features implemented previously only in Cisco's VTP Protocol . VTP pruning (http://www.firewall.cx/networking-topics/vlannetworks/virtual-trunk-protocol.html), an extension to VTP's functionality, ensures that unnecessary network traffic is not sent over trunk links. This is done by forwarding broadcasts and unknown unicast frames on a VLAN, over trunk links, only if the receiving end of the trunk has ports assigned to that VLAN. In practice, this means that if a network broadcast occurred on VLAN5 for instance, and a particular switch did not have any ports assigned to VLAN5, it would never receive the broadcast traffic through its trunk link. This translates to a major discount in broadcast or multicast traffic received by end switches in a VLAN network.

4. Inter-VLAN Routing
Inter-VLAN routing, as the term implies, is all about routing packets between VLANs. This is perhaps one of the most important features found on advanced switches. Because inter-VLAN routing (http://www.firewall.cx/networking-topics/vlan-networks/222-intervlanrouting.html) directs packets based on their Layer 3 information (the IP address), switches that perform this function are known as Layer 3 switches and, of course, are the most expensive. The core switch is commonly a Layer 3 switch. In cases where a Layer 3 switch is not available, this function can also be performed by a server with two or more network cards or a router, a method often referred to as router on a stick. Because this in one of the most important aspects of a VLAN network, the Layer 3 switch must have a fast switching fabric (measured in Gbps) and provide advanced capabilities such as support for routing protocols, advanced access-lists and firewall . The Layer 3 switch can offer outstanding protection for a VLAN network but can also be a network administrator ' s worst nightmare if not properly configured.

5. Securing VLAN Devices


Even though many administrators and IT managers are aware of VLAN technologies and concepts, that doesn't necessarily hold true when it comes to VLAN security. The first principle in securing a VLAN network is physical security. If an organization does not want its devices tampered with, physical access must be strictly controlled. Core switches are usually safely located in a data center with restricted access, but edge switches are often located in exposed areas.

Just as physical security guidelines require equipment to be in a controlled space, VLAN-based security requires the use of special tools and following a few best security practices to achieve the desired result. These best practices include: removing console-port cables and introducing password-protected console or virtual terminal access with specified timeouts and restricted access policies; applying the same commands to the virtual terminal (telnet/Secure Shell) section and creating an access-list to restrict telnet/SHH access from specific networks and hosts; avoiding use of using VLAN1 (the default VLAN) as the network data VLAN ; disabling high-risk protocols on any port that doesn't require them (e.g CDP, DTP, PAgP, UDLD); deploying VTP domain, VTP pruning and password protections; controlling inter-VLAN routing through the use of IP access lists. For hands-on details about each of these practices, go to fedtechmagazine.com/0211VLANsec.

Raising the Throttle


VLAN technology offers numerous enhancements to the network and provides paths to run multiple services in isolated environments without sacrificing speed, quality and network availability. If the necessary basic security guidelines are taken into consideration during initial implementation and then during ongoing administration, a VLAN can dramatically reduce administrative overhead.

Perhaps the most serious mistake that can be made is to underestimate the importance of the data link layer and of VLANs in particular in the architecture of switched networks. It should not be forgotten that any network is only as robust as its weakest link, and therefore an equal amount of attention needs to be given to every layer to assure the soundness of the entire structure.

About the Article


This article was originally written by Chris Partsenidis on behalf of fedtechmagazine.com. This article is also available for download in pdf format here: VLAN Security - Making the Most of VLANs

Designing VLANs
This section deals with VLAN design. We take a look at Static VLANs - the most popular implementation, Dynamic VLANs and also compare the older flat networks with VLANs.

A Comparison With Old Networks


Introduction
Designing and building a network is not a simple job. VLANs are no exception to this rule, in fact they require a more sophisticated approach because of the variety of protocols used to maintain and administer them. Our aim here is not to tell you how to setup your VLANs and what you should or shouldn't do, this will be covered later on. For now, we would like to show you different physical VLAN layouts to help you recognize the benefits offered when introducing this technology into your network, regardless of its size. The technology is available and we simply need to figure out how to use it and implement it using the best possible methods, in order to achieve

outstanding performance and reliability. We understand that every network is unique as far as its resources and requirements are concerned, which is another reason why we will take a look at a few different VLAN implementations. However, we will not mention the method used to set them up - this is up to you to decide once you've read the following pages!

Designing your First VLAN


Most common VLAN setups involve grouping departments together regardless of their physical placement through the network. This allows us to centralize the administration for these departments, while also limiting unwanted incidents of unauthorized access to resources of high

importance. As always, we will be using neat examples and diagrams to help you get a visual on what we are talking about. Let's consider the following company: Packet Industries Packet Industries is a large scale company with over 40 workstations and 5 servers. The company deals with packet analysis and data recovery and has labs to recover data from different media that require special treatment due to their sensitivity. As with every other company, there are quite a few different departments that deal with different aspects of the business and these are: Management/HR Department Accounting Department Data Recovery & IT Department These five departments are spread throughout 3 floors in the building the

company is situated. Because the IT department takes confidentiality of their own and customer's data seriously, they have decided to redesign their network and also take a look at the VLAN solutions available, to see if they are worth the investment. We are going to provide two different scenarios here, the first one will not include VLANs, while the second one will. Comparing the two different solutions will help you see the clear advantages of VLANs and also provide an insight to how you can also apply this wonderful technology with other similar networks you might be working with.

Solution 1 - Without VLANs!


The IT department decided that the best way to deal with the security issue would be to divide the existing network by partitioning it. Each department would reside in one broadcast domain and access lists would be placed between each network's boundaries to ensure access to and from them are limited according to the access policies. Since there are three departments, it is important that three new networks had to be created to accommodate their new design. The budget, as in most cases, had to be controlled so it didn't exceed the amount granted by the Accounting Department. With all the above in mind, here's the proposal the IT department created:

As you can see, each department has been assigned a specific network. Each level has a dedicated switch for every network available. As a result, this will increase the network security since we have separate physical networks and this solution also seems to be the most logical one. These switches are then grouped together via the network backbone which, in its turn, connects to the network's main router. The router here undertakes the complex role of controlling access and routing between the networks and servers with the use of access lists as they have been created by the IT Department. If needed, the router can also be configured to allow certain IP's to be routed between the three networks, should there be such a requirement. The above implementation is quite secure as there are physical and logical restrictions placed at every level. However, it is somewhat

restrictive as far as expanding and administering the network since there is no point of central control. Lastly, if you even consider adding full redundancy to the above, essentially doubling the amount of equipment required, the cost would clearly be unreasonable... So let's now take a look at the second way we could implement the above, without blowing the budget, without compromising our required security level and also at the same time create a flexible and easily expandable network backbone.

Solution 2 - With VLANs!


The solution we are about to present here is surely the most preferred and economical. The reasons should be fairly straight forward: We get the same result as the previous solution, at almost half the cost and as a bonus, we get the flexibility and expandability we need for the future growth of our network, which was very limited in our previous example. By putting the VLAN concept we covered on the previous page into action, you should be able to visualize the new setup:

As you can see, the results in this example are a lot neater and the most apparent change would be the presence of a single switch per level, connecting directly to the network backbone. These switches of course are VLAN capable, and have been configured to support the three separate logical and physical networks. The router from the previous solution has been replaced by what we call a 'layer 3 switch'. These type of switches are very intelligent and understand layer 3 (IP Layer) traffic. With such a switch, you are able to apply access-lists to restrict access between the networks, just like you normally would on a router, but more importantly, route packets from one logical network to another! In simple terms, layer 3 switches are a combination of a powerful switch, with a built-in router :)

Summary
If the above example was interesting and provided a insight into the field of VLANs, we can assure you - you haven't seen anything yet. When unleashing the power of VLANs, there are amazing solutions given for any problem or need that your network requires. It's now time to start looking at the VLAN technology in a bit more detail, that is, how it's configured, the positive and negative areas for each type of VLAN configuration and more much. The next page analyses Static VLANs which are perhaps the most popular implementation of VLANs around the world. Take a quick break for some fresh air if needed, otherwise, gear up and let's move!

Static VLANs

Introduction
VLANs are usually created by the network administrator, assigning each port of every switch to a VLAN. Depending on the network infrastructure and security policies, the assignment of VLANs can be implemented using two different methods: Static or Dynamic memberships - these two methods are also known as VLAN memberships. Each of these methods has their advantages and disadvantages and we will be analyzing them in great depth to help you decide which would best suite your network. Depending on the method used to assign the VLAN membership, the switch may require further configuration, but in most cases it's a pretty straight forward process. This page deals with Static VLANs while Dynamic VLANs are covered next. Static VLANs Static VLAN membership is perhaps the most widely used method because of the relatively small administration overhead and security it provides. With Static VLANs, the administrator will assign each port of the switch to one VLAN. Once this is complete, they can simply connect each device or workstation to the appropriate port. The picture below depicts an illustration of the above, where 4 ports have been configured for 4 different VLANs:

The screenshot above shows a Cisco switch (well, half of it :>) where ports 1, 2, 7 and 10 have been configured and assigned to VLANs 1, 5, 2 and 3 respectively. At this point, we should remind you that these 4 VLANs are not able to communicate between each other without the use of a router as they are treated as 4 separate physical networks, regardless of the network addressing scheme used on each of them. However, we won't provide further detail on VLAN routing since it's covered later on. Static VLANs are certainly more secure than traditional switches while also considerably easy to configure and monitor. As one would expect, all nodes belonging to a VLAN must also be part of the same logical network in order to communicate with one another. For example, on our switch above, if we assigned network 192.168.1.0/24 to VLAN 1, then all nodes connecting to ports assigned to VLAN 1 must use the same network address for them to communicate between each other, just as if this was an ordinary switch. In addition, Static VLANs have another strong point - you are able to control where your users move within a large network. By assigning specific ports on your switches throughout your network, you are able to control access and limit the network resources to which your users are

able to use. A good example would be a large network with multiple departments where any network administrator would want to control where the users can physically connect their workstation or laptop and which servers they are able to access. The following diagram shows a VLAN powered network where the switches have been configured with Static VLAN support.

The network diagram might look slightly complicated at first, but if you pay close attention to each switch, you will notice that it's quite simple six switches with 6 VLANs configured- one VLAN per department, as shown. While each VLAN has one logical network assigned to it, the IT department has, in addition, placed one workstation in the following departments for support purposes: Management, R&D, and HR

department. The network administrator has assigned Port 1 (P1) on each department switch to VLAN 5 for the workstation belonging to the IT department, while the rest of the ports are assigned to the appropriate VLAN as shown in the diagram. This setup allows the administrator to place any employee in the IT department, anywhere on the network, without worrying if the user will be able to connect and access the IT department's resources. In addition, if a user in any of the above departments e.g the Management department, decided to get smart by attempting to gain access to the IT department's network and resources by plugging his workstation to Port 1 of his department's switch. He surely wouldn't get far because his workstation would be configured for the 192.168.1.0 network (VLAN 1), while Port 1 requires him to use a 192.168.5.0 network address (VLAN 5). Logically, he would have to change his IP address to match the network he is trying to gain access to, and in this case this would be network 192.168.5.0.

Summary
To sum up, with Static VLANs, we assign each individual switch port to a VLAN. The network addresses are totally up to us to decide. In our example, the switches do not care what network address is used for each VLAN as they totally ignore this information unless routing is performed (this is covered in the InterVLAN routing page). As far as the switches are concerned, if you have two ports assigned to the same VLAN, then these two ports are able to communicate between each other as it would happen on any normal layer 2 switch.

Dynamic VLANs

Introduction
Dynamic VLANs were introduced to grant the flexibility and complexity(!) that Static VLANs did not provide. Dynamic VLANs are quite rare because of their requirements and initial administrative overhead. As such, most administrators and network engineers tend to prefer Static VLANs. Dynamic VLANs Dynamic VLANs, as opposed to Static VLANs, do not require the administrator to individually configure each port, but instead, a central server called the VMPS (VLAN Member Policy Server). The VMPS is used to handle the on-the-spot port configuration of every switch participating on the VLAN network. The VMPS server contains a database of all workstation MAC addresses, along with the associated VLAN the MAC address belongs to. This way, we essentially have a VLAN-to-MAC address mapping:

The above diagram works as an aim to help us understand the mapping relationship that exists in the VMPS server. As shown, each MAC address, which translates to a host on the network, is mapped to a VLAN, allowing this host to move inside the network, connecting to any switch that is part of the VMPS network and maintain its VLAN configuration. You can now start to imagine the initial workload involved when configuring a VMPS server for a network of over 300 workstations:) As one would expect, the above model works very well and also requires the switches to be in constant contact with the VMPS server, requesting configuration information every time a host connects to a switch participating in the VLAN network. Of course, there is a lot more information we can use to configure the VMPS database, but we won't be covering that just as yet. Like all network services offered, Cisco has cleverly designed this model to be as flexible as our network might require. For example, you are able to connect more than one host on one dynamically configured port, as long as all hosts are part of the same VLAN:

The diagram above shows us a VLAN capable switch that has been configured to support Dynamic VLANs. On port No.5, we have connected a simple switch (not VLAN aware) from which another 4 workstations are connected. As mentioned previously, this type of configuration is valid and therefore supported, but it also has its restrictions and limitations. One of the restrictions, which by the way can also be considered as a semi-security feature, is that all workstations connected to the same port, must be configured in the VMPS server as part of the same VLAN, otherwise the port is most likely to shut down as a security precaution. To consider the limitations of this configuration: if the switch detects more than 20 active hosts (20 MAC addresses) on the port, it will once again shut it down, leaving the workstations without any network connection. When this happens, the port that shuts down will return into an isolated

state, not belonging to any VLAN. The fact is that Dynamic VLANs are really not suitable for every network, even though they allow a great deal of flexibility and security. If you consider the advantage one single feature of Dynamic VLANs can provide you with, then it might be all you need to implement them. Because each host connected to the switch is checked against the VMPS database for its VLAN membership before the port is activated and assigned to a VLAN, this gives the network administrator the ability to ensure no foreign host is able to walk up to a wall socket and simply plug their workstation to access the network, if his MAC address is not stored in the VMPS database. For a large scale network, this could be considered an ACE card under your sleeve.

Choosing Correct Switches


One important factor we haven't yet mentioned is that you cannot run the VMPS server on a Cisco Catalyst 2900 or 3500 series. The Catalyst 4500 and upwards are able to act as a VMPS, and at the time of writing, this switch has reached its end of retail life. For those who have dealt with Cisco Catalyst switches in the past, you would know that a Catalyst 4500 is not the type of switch you would use in a 20 or 50 node network! The Catalyst 4500, 6500 series, are switches designed for enterprise networks, as such, they are built to be modular, easily expandable depending on your needs, and lastly, fully redundant because you can't have your core backbone switch failing when all other switches and network equipment are directly connected to it. We've added a few pictures of the Catalyst 6500 series for you to admire :)

You can clearly see the slots available that allow the Catalyst switches to expand and grow with your network. In the likely event you require more ports as your network expands, you simply buy a Fastethernet blade (some people call them 'slices') and insert it into an available slot!

Dynamic VLANs & FallBack VLANs


Another very interesting and smart feature Dynamic VLANs support is the fallback VLAN. This neat feature allows you to automatically configure a port to a VLAN specially created for workstations whose MAC address is not in the VMPS server. Consider company visitors or clients who require specific or restricted access to your network, they can freely connect to the network and have Internet access, alongside with limited rights on public directories. In the event the fallback VLAN has not been configured and the MAC address connected to the switch's port is unknown, the VMPS server will send an 'access-denied' response, blocking access to the network, but the port will remain active. If the VMPS server is running in 'secure-mode', it will proceed and shutdown the port as an additional security measure.

The above diagram represents a portion of a large scale network using a Cisco 6500 Catalyst as the core switch. The switch has been configured to support Dynamic VLANs, therefore a VMPS server has been configured inside the switch, alongside with a DHCP server for each created VLAN. The administrator has already assigned the 3 workstations MAC addresses to the VLANs shown and also created the fallback VLAN for any MAC address that does not exist in the database. Now consider this interesting scenario: One morning a visitor arrives in the office and requires Internet connection so he can demonstate a new product to the management. As an administrator, you've already configured a fallback VLAN with a DHCP server activated for the VLAN, pushing the necessary settings to the clients so they may obtain Internet access services. The visitor finds a free RJ-45 socket on the wall, which connects to a

Catalyst 3550 switch nearby, and plugs in his laptop. Before the user is allowed to access the network, the Cisco 3550 switch checks the laptop's MAC address and reads 4B:63:3F:A2:3E:F9. At this point, the port is blocked, not allowing the laptop computer to send or receive data. The Cisco 3550 switch sends the MAC address to the 6500 Catalyst switch which is acting as the VMPS server and it checks for an entry that matches the specified MAC address but is unable to find one. Naturally, it determines that this a visitor, so it creates an entry for that MAC address to the fallback VLAN and sends the information back to the Cisco 3550 switch. The switch will then enable access to the port our visitor is connected to by configuring the port to the fallback VLAN. If the visitor's computer is configured to obtain an IP Address

automatically, it will do so, once the operating system has booted. When this happens, the visitor's DHCP request will arrive to the 6500 Catalyst switch and its DHCP server will send the requested information, enabling the client (our visitor) to configure itself with all the parameters required to access the VLAN. This will also mean our visitor is now able to access the Internet! Finishing, if the computer is not configured for DHCP, the client must be advised with the correct network settings or asked to enable automatic IP configuration in their network properties.

Summary
The past pages could be considered as an 'eye-opener' for people who are new to the VLAN concept, and at the same time a 'quick-overview' for those who are well aware of their existence! We hope all your questions to this point have been answered, if not, they are most likely too advanced and will surely be answered in the pages that follow.

Virtual Trunk Protocol VTP Introduction & Modes

Introduction
The invention of VLANs was very much welcomed by all engineers and administrators, allowing them to extend, redesign and segment their existing network with minimal costs, while at the same time making it more secure, faster and reliable! If you're responsible for a network of up to 4-6 switches that include a few VLANs, then you'll surely agree that it's usually a low overhead to administer them and periodically make changes - most engineers can live with that :) Ask now an engineer who's in charge of a medium to a large scale network and you will definitely not receive the same answer, simply because these small changes can quickly become a nightmare and if you add the possibility of human error, then the result could be network outages and possibly downtime.

Welcome To Virtual Trunk Protocol (VTP)


VTP, a Cisco proprietary protocol, was designed by Cisco with the network engineer and administrator in mind, reducing the administration overhead and the possibility of error as described above in any switched network

environment. When a new VLAN is created and configured on a switch without the VTP protocol enabled, this must be manually replicated to all switches on the network so they are all aware of the newly created VLAN. This means that the administrator must configure each switch separately, a task that requires a lot of time and adds a considerable amount of overhead depending on the size of the network. The configuration of a VLAN includes the VLAN number, name and a few more parameters which will be analyzed further on. This information is then stored on each switch's NVRAM and any VLAN changes made to any switch must again be replicated manually on all switches. If the idea of manually updating all switches within your network doesn't scare you because your network is small, then imagine updating more than 15-20 switches a few times per week, so your network can respond to your organizations needs....have we got you thinking now? :) With the VTP protocol configured and operating, you can forget about running around making sure you have updated all switches as you only need to make the changes on the nominated VTP server switch(es) on your network. This will also ensure these changes are magically propagated to all other switches regardless of where they are.

Introducing The VTP Modes


The VTP protocol is a fairly complex protocol, but easy to understand and implement once you get to know it. Currently, 3 different versions of the protocol exist, that is, version 1, 2 (adds support for Token Ring networks) and 3, with the first version being used in most networks. Despite the variety of versions, it also operates in 3 different modes: Server, client and transparent mode, giving us maximum flexibility on

how changes in the network effect the rest of our switches. To help keep things simple and in order to avoid confusion, we will work with the first version of the VTP protocol - VTP v1, covering more than 90% of networks. Below you'll find the 3 modes the VTP protocol can operate on any switch throughout the network: VTP Server mode VTP Client mode VTP Transparent mode Each mode has been designed to cover specific network setups and needs, as we are about to see, but for now, we need to understand the purpose of each mode and the following network diagram will help us do exactly that.

A typical setup involves at least one switch configured as a VTP Server,

and multiple switches configured as VTP Clients. The logic behind this setup is that all information regarding VLANs is stored only on the VTP Server switch from which all clients are updated. Any change in the VLAN database will trigger an update from the VTP Server towards all VTP clients so they can update their database. Lastly, be informed that these VTP updates will only traverse Trunk links. This means that you must ensure that all switches connect to the network backbone via Trunk links, otherwise no VTP updates will get to your switches. Let's now take a closer look at what each VTP mode does and where it can be used.

VTP Server Mode


By default all switches are configured as VTP Servers when first powered on. All VLAN information such as VLAN number and VLAN name is stored locally, on a separate NVRAM from where the 'startup-config' is stored. This happens only when the switch is in VTP Server mode. For small networks with a limited number of switches and VLANs, storing all VLAN information on every switch is usually not a problem, but as the network expands and VLANs increase in number, it becomes a problem and a decision must be made to select a few powerful switches as the VTP Servers while configuring all other switches to VTP Client mode.

The diagram above shows a Cisco Catalyst 3550 selected to take the role of the network's VTP Server since it is the most powerful switch. All other Catalyst switches have been configured as VTP Clients, obtaining all VLAN information and updates from the 3550 VTP Server. The method and frequency by which these updates occur is covered in much detail on the pages that follow, so we won't get into any more detail at this point. However, for those who noticed, there is a new concept introduced in the above diagram that we haven't spoken about: The VTP Domain.

The VTP Domain - VLAN Management Domain


The VTP Domain, also known as the VLAN Management Domain, is a VTP parameter configured on every switch connected to the network and used to define the switches that will participate in any changes or updates made in the specified VTP domain. Naturally, the core switch (VTP Server) and all other switches participate

in the same domain, e.g firewall, so when the VTP Server advertises new VLAN information for the VTP firewall domain, only clients (switches) configured with the same VTP Domain parameter will accept and process these changes, the rest will simply ignore them. Lastly, some people tend to relate the VTP Domain with the Internet Domain name space, however, this is completely incorrect. Even though the acronym 'DNS' contains the word 'Domain', it is not related in any way with the VTP Domain. Here (in VTP land), the word 'Domain' is simply used to describe a logical area in which certain hosts (switches) belong to or participate in, and are affected by any changes made within it. We should also note that all Cisco switches default to VTP Server mode but will not transmit any VLAN information to the network until a VTP Domain is set on the switch. At this point we are only referencing the VTP Domain concept as this is also analyzed in greater depth further on, so let's continue with the VTP modes!

VTP Client Mode


In Client Mode, a switch will accept and store in its RAM all VLAN information received from the VTP Server, however, this information is also saved in NVRAM, so if the switch is powered off, it won't lose its VLAN information. The VTP Client behaves like a VTP Server, but you are unable to create, modify or delete VLAN's on it. In most networks, the clients connect directly to the VTP Server as shown in our previous diagram. If, for any reason, two clients are cascaded together, then the information will propagate downwards via the available Trunk links, ensuring it reaches all switches:

The diagram shows a 3550 Catalyst switch configured as a VTP Server and 4 Catalyst 2950 switches configured as VTP Clients and cascaded below our 3550. When the VTP Server sends a VTP update, this will travel through all trunk links (ISL, 802.1q, 802.10 and ATM LANE), as shown in the diagram. The advertised information will firstly reach the two Catalyst 2950 switches directly connected to the 3550 and will then travel to the cascaded switches below and through the trunk links. If the link between the cascaded 2950's was not a trunk link but an access link, then the 2nd set of switches would not receive and VTP updates:

As you can see, the VTP updates will happily arrive at the first catalyst switches but stop there as there are no trunk links between them and the 2950's below them. It is very important you keep this in mind when designing a network or making changes to the existing one.

VTP Transparent Mode


The VTP Transparent mode is something between a VTP Server and a VTP Client but does not participate in the VTP Domain. In Transparent mode, you are able to create, modify and delete VLANs on the local switch, without affecting any other switches regardless of the mode they might be in. Most importantly, if the transparently configured switch receives advertisement containing VLAN information, it will ignore it but at the same time forward it out its trunk ports to any other switches it might be connected to. NOTE: A Transparent VTP switch will act as a VTP relay (forward all VTP information it receives, out its trunk ports) only when VTP version 2 is used in the network. With VTP version 1, the transparent switch will simply ignore and discard any VTP messages received from the rest of the network. Lastly, all switches configured to operate in Transparent mode save their configuration in their NVRAM (just like all the previous two modes) but not to advertise any VLAN information of its own, even though it will happily forward any VTP information received from the rest of the network. This important functionality allows transparently configured switches to be placed anywhere within the network, without any implications to the rest of the network because as mentioned, they act as a repeater for any VLAN information received:

Our 3550 Catalyst here is configured as a VTP Server for the domain called "Firewall". In addition, we have two switches configured in VTP Client mode, obtaining their VLAN information from the 3550 VTP Server, but between these two VTP Clients, we have placed another switch configured to run in VTP Transparent mode. Our Transparent switch has been configured with the domain called "Lab", and as such, the switch will forward all incoming VTP updates belonging to the "Firewall" domain out its other trunk link, without processing the information. At the same time, it won't advertise its own VLAN information to its neighboring switches. Closing, the VTP Transparent mode is not often used in live networks, but is well worth mentioning and learning about.

Summary
This page introduced a few new and very important concepts. The VTP Protocol is considered to be the heart of VLANs in large scale networks as it completely makes the administration point of view easy and transparent for every switch on your network. We briefly spoke about the three different modes offered by the VTP protocol: Server, Client and Transparent mode. To assist in providing a quick summary, the table below shows the main characteristics for each

mode:
VTP Mode Description

The default mode for all switches supporting VTP. You can create, modify, and delete VLANs and specify other configuration parameters (such as VTP version) for the entire VTP domain. VTP Server VTP servers advertise their VLAN configurations to other switches in the same VTP domain and synchronize their VLAN configurations with other switches based on advertisements received over trunk links. VLAN configurations are saved in NVRAM. Behaves like a VTP server, but you cannot create, VTP Client change, or delete VLANs on a VTP client. VLAN configurations are saved in NVRAM. Does not advertise its VLAN configuration and does not synchronize its VLAN configuration based on received advertisements. However, they will forward VTP advertisements as they are received from other VTP Transparent switches. You can create, modify, and delete VLANs on a switch in VTP transparent mode. VLAN configurations are saved in NVRAM, but they are not advertised to other switches.

All switches by default are configured as VTP Servers but without a domain. At this point we need to select the 'Core' switch (usually the most

powerful) and configure it as a VTP Server, while reconfiguring all the rest to Client mode. Also, VTP Updates sent by the Server will only propagate through trunk links configured for ISL, IEEE 802.1q, 802.10 or LANE encapsulation.

NOTE: You should be aware that all VTP Messages are sent through what we call the "Management VLAN". This specially created VLAN is usually the first one in the network - VLAN 1 - and by rule is never used by anyone else other than the switches themselves. The creation of a Management VLAN ensures all switches have their own network to communicate between each other without any disruptions.

The next page will analyze the VTP Protocol structure, messages and updates. This will provide a deep understanding on how VTP works and what information its messages contain. For those out there keen on configuring a switch for VTP, it's covered towards the end of the VLAN topic as shown on the VLAN Introduction page.

In-Depth Analysis Of VTP

Introduction
The previous page introduced the VTP protocol and we saw how it can be used within a network, to help manage your VLANs and ease the administrative overhead providing a stress-free VLAN environment, automatically updating all the network switches with the latest VLAN information. This page extends on the above by delving into the VTP protocol itself and analyzing it's structure and format in order to gain a better understanding and enhance those troubleshooting skills.

The VTP Protocol Structure


We've mentioned that the VTP protocol runs only over trunk links interconnecting switches in the network. Whether you're using ISL or IEEE 802.1q as your encapsulation protocol, it really doesn't matter as the VTP structure in both cases remains the same. Following are the fields which consist the VTP protocol: VTP Protocol Version (1 or 2) VTP Message Type (See Below) Management Domain Length

Management Domain Name What we need to note here is that because there are a variety of "VTP Message Types", the VTP Header changes depending on these messages, but the fields we just mentioned above are always included. To be more specific, here are the different messages currently supported by the VTP protocol:

VTP Join Messages


It is obvious that all switches use these different messages to request information or advertise the VLANs they are aware of. These messages are extremely important to understand as they are the foundations of the VTP protocol. We'll take each message and analyze them individually, explaining their purpose and usage, but before we proceed, let's take a quick visual look at the messages and their types to help make all the above clearer:

VTP Protocol - Summary Advertisement Message


The 'Summary Advertisement' message is issued by all VTP Domain Servers in 5 minute intervals, or every 300 seconds. These

advertisements inform nearby Catalyst switches with a variety of

information, including the VTP Domain name, configuration revision number, timestamp, MD5 encryption hash code, and the number of subset advertisements to follow. The configuration version number is a value each switch stores to help it identify new changes made in the VTP domain. For those experienced with DNS, it's pretty much the same as the DNS serial number. Each time a VTP Server's configuration is changed, the configuration revision will automatically increment by one.
number

When a switch receives a summary advertisement message, it will first compare the VTP domain name (Mgmt Domain Name field) with its own. If the Domain Name is found to be different, it will discard the message and forward it out its trunk links. However, in the likely case that the domain name is found to be the same, it will then check the configuration revision number (Config Revision No.) and if found to be the same or lower than its own, it will ignore the advertisement. If, on the other hand, it is found to be greater, an advertisement request is sent out. The Updater Identity field contains the IP Address of the switch that last incremented the Configuration Revision Number, while the Update Timestamp field gives the time the last update took place. The MD5 (Message Digest 5) field contains the VTP password in the case where it is configured and used to ensure the validation of the VTP

Update. Lastly, summary advertisements are usually followed by Subset

Advertisements, this is indicated by the 'Followers' field and is the next message we'll be closely examining.

VTP Protocol - Subset Advertisement


As mentioned in the previous message, when VLAN changes are made on the Catalyst VTP Server, it will then issue a Summary Advertisement, followed by a Subset Advertisement. Depending on how many VLANs are configured in the domain, there might be more than one Subset Advertisement sent to ensure all VLAN information is updated on the VTP Clients.

Comparing the fields of this message with the previous one, you'll notice most of them are identical, except for the Sequence No. and VLAN Info. Field. The Code field for a Subset Advertisement of this type is set to 0x02 while the Sequence No. field contains the sequence of the packet in the stream of packets following a summary

advertisement. The sequence starts with 1 and increments based on the number of packets in the stream. Apart from these fields, we also have the VLAN Info Field, which happens to be the most important as it contains all the VLAN information the

switches are waiting for. The VLAN Info Field will be presented in segments. Complexity and importance requires us to break it up further and analyse the subfields it contains:

Each VLAN Info Field contains all the information required for one VLAN. This means that if our network is powered with 10 VLANs and a Subset Advertisement is triggered, the VTP Server will send a total of 10 Subset Advertisements since each VLAN Info Field contains data for one VLAN. The most important subfields in the VLAN Info Field are the VLAN Name Length, ISL VLAN ID, MTU Size and VLAN Name. These subfields contain critical information about the VLAN advertised in the particular Subset Advertisement frame. Some might be suprised to see settings such as MTU's to be configurable in VLAN's, and this confirms that each VLAN is treated as a separate network, where even different MTU sizes are possible amongst your network's VLANS.

Advertisement Requests
Turning a switch off will result losing all its VTP information stored in its memory (RAM). When the switch is next turned on, all its database information is reset and therefore requires to be updated with the latest

version available from the VTP Server(s). A switch will also send an Advertisement Request when it hears a VTP summary advertisement with a higher revision number than what it currently has. Another scenario where a request would be issued is when the VTP domain membership has changed, even though this is quite uncommon since the VTP domain name is rarely, if ever, changed after its initial configuration. So what happens when a Advertisement Request hits the streets of your network? As you would already be aware from the message types we have just covered, the VTP Server will respond with Summary Advertisement, followed by as many Subset Advertisements required to inform the VTP Clients about the currently configured VLANs. The diagram below shows the structure of an Advertisement Request sent by a VTP Client switch:

Most fields as you can see are similar to the previous messages we've seen, except two: The Reserved and Starting Advertisement To Request. The Reserved is exactly what it implies - reserved and not used in the Advertisement Request messages, while the Starting Advertisement To Request is the actual request sent by the VTP Client.

VTP Join Messages VTP Join Messages are similar to the Advertisement Request messages but with a different Message Type field value and a few more parameters. As indicated by the message name, a VTP Join Message is sent when the VTP Client first joins a VTP domain, informing the VTP Server(s) about the new guy in 'town':) Other VTP Options - VTP Password The VTP Password is a feature that all security conscious

Administrators/Engineers will welcome. With the password feature, you are able to secure your VTP Domain since only switches configured with the correct password are able to properly decrypt the VTP messages advertised in the management VLAN. By default the VTP Password option is not turned on and therefore most management VLANs are set to use non-secure advertisements. Once enabled on the VTP Domain Server(s), all switches participating in the domain must be manually configured with the same password, otherwise it will fail to decrypt all incoming VTP messages.

Summary
This page analyzed the structure of each message the VTP protocol currently supports to maintain the network's switches in synchronization with the VTP domain server(s):

Summary Advertisements Subset Advertisement Advertisement Requests VTP Join Messages


We're sure you would agree that VLAN's are in fact a whole study case

alone, but surely at the same time it's quite exciting as new concepts and methods of ensuring stability, speed and reliability are revealed. This completes our in-depth discussion on the VTP Protocol messages. Next up is VTP Pruning, a nice service that ensures our network backbone is not constantly flooded with unnecessary traffic. We are sure you'll enjoy the page, along with the awesome diagrams we have prepared.

VTP Pruning
Introduction
As you would be aware a switched network creates one broadcast domain, similar to that of a VLAN powered network where all nodes belonging to the same VLAN are part of the same broadcast domain, receiving all broadcasts sent on their network.

The Broadcast And Unicast Problem In VLAN Networks


What we are about to see is how these broadcasts can actually create problems by flooding the VLAN network with unnecessary traffic, and depending on your network setup, this can prove to be a huge problem. The reason for this is because the trunk links interconnecting your network switches will carry these broadcasts to every switch in the network, regardless of which VLAN the broadcast is intended for.

As shown and described, a host connected to a port configured for VLAN 2 on Switch 1 (first switch on the left), generates a network broadcast. Naturally, the switch will forward the broadcast out all ports assigned to the same VLAN it was received from, that is, VLAN 2. In addition, the Catalyst switch will forward the broadcast out its trunk link, so it may reach all ports in the network assigned to VLAN 2. The Root switch receives the broadcast through one of it's trunks and immediately forwards it out the other two - towards Switch 2 & 3. Switch 2 is delighted to receive the broadcast as it does in fact have one port assigned to VLAN 2. Switch 3 however, is a different case - it has no ports assigned to VLAN 2 and therefore will drop the broadcast packet it receives. In this example, the bandwidth usage was inefficient because one broadcast packet was sent over all possible trunk links, and was then dropped by Switch 3. You might ask yourself 'So what's the big deal?'. The problem here is small and can easily be ignored... but consider a

network of fifteen or more 12 port switches (this translates to at least 210 nodes) and you can start to appreciate how serious the problem can get. To make things worse (and more realistic), consider you're using 24 port switches, then you're all of a sudden talking about more than 300 nodes! To further help understand how serious the problem gets, let's take a look at our example network below:

Here we have a medium sized network powered by Cisco Catalyst switches. The two main switches up the top are the VTP servers and also perform 3rd layer switching by routing packets between the VLANs we've created. Right below them you'll find our 2950's Catalyst switches which are connected to the core switches via redundant fiber trunk links. Directly below our 2950's are our 2948 Catalyst switches that connect all workstations to the network. A workstation connected to a port assigned to VLAN 2 decided to send a network broadcast looking for a specific network resource. While the workstation is totally unaware of our network design and complexity, its broadcast is the reason all our trunks will flood with unwanted traffic,

consuming valuable bandwidth! Let's take a look at what happens:

We don't think describing the above is actually required as the diagram shows all the information we need and we're confident you will agree that we dealing with a big problem :) So how do we fix this mess? Keep reading on as you're about to learn........

The Solution: Enabling VTP Pruning


VTP Pruning as you might have already guessed solves the above problem by reducing the unnecessary flooded traffic described previously. This is done by forwarding broadcasts and unknown unicast frames on a VLAN over trunk links only if the receiving end of the trunk has ports in that VLAN.

Looking at the above diagram you will notice that the Root Catalyst 3550 Switch receives a broadcast from Switch 1, but only forwards it out one of its trunks. The Root Switch knows that the broadcast belongs to VLAN 2 and furthermore it's aware no port is assigned to VLAN 2 on Switch 3, therefore it won't forward it out the trunk that leads to that switch.

Support For VTP Pruning


The VTP Pruning service is supported by both VTP 1 and VTP 2 versions of the VTP protocol. With VTP 1, VTP pruning is possible with the use of additional VTP message types. When a Cisco Catalyst switch has ports associated with a VLAN, it will send an advertisement to its neighboring switches informing them about the ports it has active on that VLAN. This information is then stored by the neighbors and used to decide if flooded traffic from a VLAN should be forwarded to the switch via the trunk port or not.

Note: VTP Pruning is disabled by default on all Cisco Catalyst switches and can be enabled by issuing the "set vtp pruning enable" command.

If this command is issued on the VTP Server(s) of your network, then pruning is enabled for the entire management domain.

VTP Pruning configuration and commands are covered in section 11.4 as outlined in the VLAN Introduction page, however, we should inform you that you can actually enable pruning for specific VLANs in your network. When you enable VTP Pruning on your network, all VLANs become eligible for pruning on all trunk links. This default list of pruning eligibility can thankfully be modified to suite your needs but you must first clear all VLANs from the list using the "clear vtp prune-eligible vlan-range" command and then set the VLAN range you wish to add in the prune eligible list by issuing the following command: "set vtp prune-eligible vlan-range" where the 'vlan-range' is the actual inclusive range of VLANs e.g '2-20'. By default, VLANs 21000 are eligible for pruning. VLAN 1 has a special meaning because it is normally used as a management VLAN and is never eligible for pruning, while VLANs 10011005 are also never eligible for pruning. If the VLANs are configured as pruning-ineligible, the flooding continues as illustrated in our examples.

Summary
VTP Pruning can in fact be an administrator's best friend in any Cisco powered network, increasing available bandwidth by restricting flooded traffic to those trunk links that the traffic must use to reach the destination devices. At this point, we have also come to the end of the first part of our VLAN presentation. As we are still working on the second and final part of the VLAN topic, we hope these pages will keep you going until it is complete.