
VLAN

Access Link/port and Trunk Link/port

• Access ports are used to connect end-user devices such as computers,
printers and servers. An access port can be a member of one data VLAN
and one voice VLAN.
• A trunk port connects a switch to another switch. By default a trunk
port is a member of all VLANs.
What is VLAN…Virtual LAN
• A physical L2 network includes all devices in a single broadcast domain.
• A VLAN logically creates multiple broadcast domains within a single
physical L2 network.
• A VLAN is identified by a name and a number.
• A device in one VLAN cannot communicate through an L2 device with a
device in another VLAN, even if both devices are in the same IP subnet.
• Every switch port is made a member of a VLAN.
Advantages of VLAN…
• Reduce the CPU load on each device by reducing the number of devices
in a broadcast domain.
• Reduce security risk by reducing the number of devices in a broadcast
domain that receive frames flooded by the switch (broadcast, multicast,
unknown unicast).
• Improve security by separating hosts into different broadcast domains.
• Provide a flexible design by department or group.
• Isolate and solve problems quickly.
• Reduce the workload of STP by limiting a VLAN to a single switch.
Multi-switch VLAN…

• Multiple interconnected switches can carry multiple VLANs.
• Switch 1 and 2 both have VLAN 10 and 20.
• For devices in the same VLAN on Switch 1 and Switch 2 to communicate,
the switches use VLAN trunking on the link between them.
• VLAN trunking needs VLAN tagging.
• VLAN tagging is the process of adding an additional header to the
normal Ethernet frame before sending it over the trunk link.
• The additional header includes the VLAN Identifier field (VID or VLAN ID).
• The sending switch adds the particular VLAN ID to the frame, so the
receiving switch knows which VLAN the frame belongs to.
• The sending switch adds the VID and the receiving switch removes it
after reading the VLAN information.
Trunking Protocol…
Cisco supports 2 types of trunking protocol:
• Cisco's Inter-Switch Link (ISL)
• IEEE's 802.1Q

IEEE 802.1Q is the trunking protocol widely used in today's networks.
IEEE 802.1Q inserts an extra 4-byte 802.1Q VLAN header into the
original Ethernet frame's Ethernet header.
802.1Q Header…
Some facts…
• The VLAN ID is a 12-bit field.
• Theoretically it supports 2^12 = 4096 VLANs.
• In practice it supports 4094 VLANs.
• VLANs 0 and 4095 are reserved.
• VLAN 0 is used for priority traffic.
• VLAN 4095 is reserved by IOS for internal use.
• Cisco divides the 4094 VLANs into two ranges:
• Standard range: 1 – 1005.
• Extended range: 1006 – 4094.
• Extended-range VLANs can be used if VTP (VLAN Trunking Protocol)
version 3 is in use.
• VLANs 1 and 1002-1005 exist by default on a switch; they cannot be
created, deleted or renamed.
• By default all switch ports are members of VLAN 1.
• We can create/delete standard-range VLANs from 2 to 1001.
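The 802.1Q tag and the VID ranges above can be made concrete in a few lines. The following Python is an added example, not code from the original slides: it builds an untagged Ethernet frame from constructed MAC addresses and payload, inserts the 4-byte 802.1Q tag the way a sending switch does (TPID 0x8100 followed by PCP, DEI and the 12-bit VID), strips it the way the receiving switch does, and classifies a VID as reserved, standard or extended as the slides define those ranges. Everything here is built from the facts listed above; the frame contents are sample values.

```python
"""
Added example (not from the original slides): build, tag and untag an
Ethernet frame with an IEEE 802.1Q header, and classify VLAN IDs into the
ranges the slides describe.  The MAC addresses and payload are constructed
sample values.
"""
import struct

TPID_8021Q = 0x8100          # Tag Protocol Identifier that marks an 802.1Q tag
VID_PRIORITY = 0             # VLAN 0: priority-tagged frame, no VLAN membership
VID_RESERVED_MAX = 4095      # VLAN 4095: reserved (IOS internal use)


def vid_range(vid: int) -> str:
    """Classify a VLAN ID as the slides do: reserved, standard or extended."""
    if not 0 <= vid <= 4095:
        raise ValueError(f"VID {vid} does not fit in the 12-bit field")
    if vid in (VID_PRIORITY, VID_RESERVED_MAX):
        return "reserved"
    if vid <= 1005:
        return "standard"
    return "extended"


def add_dot1q_tag(frame: bytes, vid: int, pcp: int = 0, dei: int = 0) -> bytes:
    """Insert the 4-byte 802.1Q tag after the 12-byte destination/source MACs.

    Tag layout: 16-bit TPID (0x8100) followed by a 16-bit TCI made of
    3-bit PCP | 1-bit DEI | 12-bit VID.
    """
    if vid_range(vid) == "reserved":
        raise ValueError(f"VID {vid} is reserved and cannot carry VLAN traffic")
    if not 0 <= pcp <= 7 or dei not in (0, 1):
        raise ValueError("PCP must be 0-7 and DEI 0 or 1")
    tci = (pcp << 13) | (dei << 12) | vid
    tag = struct.pack("!HH", TPID_8021Q, tci)
    return frame[:12] + tag + frame[12:]


def strip_dot1q_tag(frame: bytes) -> tuple:
    """Receiving-switch view: read the VID from a tagged frame and remove the tag.

    Returns (vid, untagged_frame).  An untagged frame yields VID None, which
    is how the receiver learns that the frame belongs to the native VLAN.
    """
    tpid = struct.unpack("!H", frame[12:14])[0]
    if tpid != TPID_8021Q:
        return None, frame
    tci = struct.unpack("!H", frame[14:16])[0]
    vid = tci & 0x0FFF          # low 12 bits; PCP and DEI are masked off
    return vid, frame[:12] + frame[16:]


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    """Assemble a plain (untagged) Ethernet II frame without FCS."""
    return dst + src + struct.pack("!H", ethertype) + payload


# Constructed sample frame: IPv4 ethertype with a dummy payload.
SAMPLE_FRAME = build_frame(
    bytes.fromhex("ffffffffffff"),   # broadcast destination (constructed)
    bytes.fromhex("0200c0ffee01"),   # locally-administered source MAC (constructed)
    0x0800,
    b"sample-payload",
)

if __name__ == "__main__":
    tagged = add_dot1q_tag(SAMPLE_FRAME, vid=10)
    print("tagged frame :", tagged.hex())
    vid, untagged = strip_dot1q_tag(tagged)
    print("received VID :", vid, "| untagged == original:", untagged == SAMPLE_FRAME)
```

Note that the receiver masks the VID out of the TCI, so a frame tagged with a non-zero PCP still lands in the right VLAN; and a frame that arrives with no tag at all comes back with VID None, which is exactly the situation the native VLAN section later relies on.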
VLAN configuration and verification…

Switch(config)#vlan 10
Switch(config-vlan)#name ccna
Switch(config-vlan)#exit

• The 1st command creates the VLAN with VID 10.
• The 2nd command gives the VLAN a name; without a name, a VLAN's name
defaults to "VLAN" followed by its VID as a 4-digit decimal number
(VLAN0010).
• VLAN association,
Switch(config)#interface fastEthernet 0/1
Switch(config-if)#switchport mode access
Switch(config-if)#switchport access vlan 10
• The 2nd command makes f0/1 an access port.
• An access port is a port to which end users are connected; it always
carries normal (untagged) Ethernet frames.
• The 3rd command assigns f0/1 to VLAN 10.
• VLAN verification…
• Another way to configure VLAN…
(config)#interface fa0/1
(config-if)#switchport access vlan 10

With this command, the not-yet-existing VLAN 10 is created automatically,
and it uses the name VLAN0010 because no name is configured.
• VLAN creation with Database mode…
#vlan database
switch(vlan)#vlan 3 name IT
switch(vlan)#exit
VLAN information is stored in the vlan.dat file in flash memory, so
show running-config does not list any VLAN commands.
Creating multiple VLANs
(config)#vlan 50 - 60
(config-vlan)#

To delete an existing VLAN,
(config)#no vlan 10
or
(config)#no vlan 50 - 60
VLAN shutdown….
• Administrators must ensure that the correct access interfaces are in
the correct VLANs.
• It is also possible that an access VLAN has not been defined, or that
it has been defined but is shut down.
(config)#vlan 10
(config-vlan)#shutdown
(config-vlan)#no shutdown
or
(config)#shutdown vlan 10
(config)#no shutdown vlan 10

Use #show vlan brief for verification.


Trunking encapsulation
• Cisco switches support both types of trunking, 802.1Q and ISL. If two
switches support both, they negotiate to use ISL.

(config)#interface fa0/1
(config-if)#switchport trunk encapsulation dot1q/isl/negotiate
(config-if)#switchport mode trunk

#show interface trunk

dot1q represents 802.1Q.


DTP…

• The Dynamic Trunking Protocol (DTP) is used to form a trunk link
between two Cisco switches dynamically, by protocol negotiation.
• DTP causes increased traffic.
• It is enabled by default, but it can be disabled.
DTP modes:
• Dynamic desirable: initiates and responds to negotiation messages to
dynamically decide whether to start using a trunk.
• Dynamic auto: passively waits to receive trunk negotiation messages,
at which point the switch responds and negotiates whether to use a trunk.
DTP configuration and verification…
(config)#interface fa0/1
(config-if)#switchport mode dynamic auto|dynamic desirable

#show interface trunk
#show interface fa0/1 switchport
• The administrative mode defaults to dynamic auto (L2 switch) or
dynamic desirable (L3 switch).
• The operational mode is based on the DTP configuration.
• Administrative trunking encapsulation is dot1q, the configured
trunking type.
• Operational trunking encapsulation shows native, i.e. the 802.1Q
native VLAN.
Combination of DTP modes…
Switch 1             Switch 2             Result
Access               Access               Access
Access               Trunk                Do not use
Access               Dynamic auto         Access
Access               Dynamic desirable    Access
Trunk                Dynamic auto         Trunk
Trunk                Trunk                Trunk
Trunk                Dynamic desirable    Trunk
Dynamic auto         Dynamic auto         Access
Dynamic desirable    Dynamic desirable    Trunk
Dynamic auto         Dynamic desirable    Trunk
• Cisco recommends disabling trunk negotiation for better
security,
(config)#interface fa0/1
(config-if)#switchport nonegotiate

• Keeping DTP on is not good practice in a production network; it can
enable a man-in-the-middle attack.
• It is best to configure trunk ports and access ports manually:
(config-if)#switchport mode access
(config-if)#switchport nonegotiate
or
(config-if)#switchport mode trunk
(config-if)#switchport nonegotiate
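The combination table and the recommendation to fix port modes manually can be checked mechanically. The Python below is an added example, not code from the original slides: resolve_link reproduces the table by distilling it into three rules, and audit_ports walks a constructed inventory of port settings (the 'name', 'mode' and 'nonegotiate' fields are an assumed stand-in for what show interface switchport reports) and flags any port whose link type is still decided by DTP negotiation rather than by explicit configuration.

```python
"""
Added example (not from the original slides): resolve the link type that two
Cisco switch ports will agree on from their switchport/DTP modes, reproducing
the combination table above, and audit a constructed list of port settings for
ports that still negotiate (the slides recommend switchport nonegotiate).
"""

ACCESS = "access"
TRUNK = "trunk"
DYNAMIC_AUTO = "dynamic auto"
DYNAMIC_DESIRABLE = "dynamic desirable"
MODES = {ACCESS, TRUNK, DYNAMIC_AUTO, DYNAMIC_DESIRABLE}


def resolve_link(mode_a: str, mode_b: str) -> str:
    """Return 'access', 'trunk' or 'do not use' for a pair of port modes.

    Rules distilled from the combination table:
      - an access port never trunks; paired with a hard-coded trunk the
        link is misconfigured ("do not use");
      - a hard-coded trunk port trunks with anything else;
      - two dynamic ports trunk only if at least one is 'dynamic desirable'.
    """
    if mode_a not in MODES or mode_b not in MODES:
        raise ValueError(f"unknown mode: {mode_a!r} / {mode_b!r}")
    if ACCESS in (mode_a, mode_b):
        return "do not use" if TRUNK in (mode_a, mode_b) else ACCESS
    if TRUNK in (mode_a, mode_b):
        return TRUNK
    return TRUNK if DYNAMIC_DESIRABLE in (mode_a, mode_b) else ACCESS


def audit_ports(ports: list) -> list:
    """Flag ports whose link type depends on DTP negotiation.

    Each entry is a dict with 'name', 'mode' and 'nonegotiate' (bool), an
    assumed stand-in for what 'show interface switchport' reports.  A port
    is compliant only when its mode is fixed (access or trunk) and DTP
    frames are suppressed with 'switchport nonegotiate'.
    """
    findings = []
    for p in ports:
        if p["mode"] in (DYNAMIC_AUTO, DYNAMIC_DESIRABLE):
            findings.append((p["name"],
                             f"mode '{p['mode']}' still negotiates; set mode access or trunk"))
        elif not p["nonegotiate"]:
            findings.append((p["name"],
                             "DTP frames still sent; add switchport nonegotiate"))
    return findings


# Constructed sample port inventory.
SAMPLE_PORTS = [
    {"name": "Fa0/1", "mode": ACCESS, "nonegotiate": True},
    {"name": "Fa0/2", "mode": DYNAMIC_AUTO, "nonegotiate": False},
    {"name": "Fa0/3", "mode": TRUNK, "nonegotiate": False},
    {"name": "Fa0/4", "mode": TRUNK, "nonegotiate": True},
]

if __name__ == "__main__":
    for a, b in [(ACCESS, TRUNK), (DYNAMIC_AUTO, DYNAMIC_AUTO),
                 (DYNAMIC_AUTO, DYNAMIC_DESIRABLE)]:
        print(f"{a:18} + {b:18} -> {resolve_link(a, b)}")
    for name, msg in audit_ports(SAMPLE_PORTS):
        print(f"{name}: {msg}")
```

The audit deliberately treats a hard-coded trunk without nonegotiate as a finding too: the mode is fixed, but the port still transmits DTP frames, which is the traffic the slides say should be suppressed.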
Allowing specific VLANs on trunk
(config-if)#switchport trunk allowed vlan 10

This command sets the specific VLANs allowed on the trunk interface.
By default, all VLANs are allowed on all trunk interfaces.
If the configured allowed VLANs do not match on both sides, the result
can be unexpected traffic, or no traffic at all, being sent over the trunk.
Native VLAN

• 802.1Q defines a special VLAN, called the native VLAN, which defaults
to VLAN 1; the default native VLAN can be changed.
• 802.1Q does not add an additional header (tag) to frames of the native
VLAN. Both switches on a trunk must therefore use the same native VLAN,
because the receiving switch must know that a frame without an 802.1Q
header belongs to the native VLAN.
• The native VLAN is useful when a Cisco device is connected to a switch
that does not understand the concept of 802.1Q trunking, i.e. ISL.
• The native VLAN allows the traffic of at least one VLAN to reach the
switch, which keeps the switch reachable.
Setting Native VLAN on trunk
switch(config-if)# switchport trunk native vlan vlan-id

Sets the native VLAN for the 802.1Q trunk. Valid values are from 1 to
4094, except those VLANs reserved for internal use. The default native
VLAN is VLAN 1.
Native VLAN mismatch
If the trunk ports at the two ends are configured with different native
VLANs, the configuration error generates console notifications and
causes control and management traffic to be misdirected. This is a
security risk and creates unintended results.

CDP displays a notification of a native VLAN mismatch on a trunk link:

*Mar 1 06:45:26.232: %CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on FastEthernet0/1 (2), with S2 FastEthernet0/1 (99).
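Both trunk problems in the last two sections, allowed-VLAN lists that differ and native VLANs that differ, are configuration comparisons, and the CDP message above is the evidence the switch gives when the second one happens. The Python below is an added example, not code from the original slides: parse_allowed_vlans expands an IOS-style list such as 10,20,50-60, check_trunk reports which VLANs actually pass between two constructed trunk ends and whether the native VLAN matches, and parse_cdp_mismatch pulls the interfaces and native VLAN numbers out of the syslog line printed above. The regular expression follows the wording of that one line; that other IOS releases print it identically is an assumption.

```python
"""
Added example (not from the original slides): check the two ends of a trunk
for allowed-VLAN and native-VLAN mismatches, and parse the
%CDP-4-NATIVE_VLAN_MISMATCH syslog line shown above.  The trunk settings are
constructed sample input; the log line is the one printed on the slide.
"""
import re

# Matches the message format shown on the slide.  Whether other IOS releases
# print exactly the same wording is an assumption.
CDP_MISMATCH_RE = re.compile(
    r"%CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on "
    r"(?P<local_if>\S+) \((?P<local_vlan>\d+)\), with (?P<peer>\S+) "
    r"(?P<peer_if>\S+) \((?P<peer_vlan>\d+)\)"
)


def parse_allowed_vlans(spec: str) -> set:
    """Expand an IOS-style allowed list such as '10,20,50-60' or 'all'."""
    spec = spec.strip().lower()
    if spec == "all":
        return set(range(1, 4095))          # 1..4094, the usable VLAN range
    vlans = set()
    for part in spec.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            vlans.update(range(lo, hi + 1))
        elif part:
            vlans.add(int(part))
    return vlans


def check_trunk(side_a: dict, side_b: dict) -> dict:
    """Compare both ends of a trunk.

    Each side is {'allowed': str, 'native': int}.  Returns the VLANs that
    actually pass (allowed on both ends), the VLANs allowed on only one end
    (their traffic is dropped at the other side) and whether the native
    VLAN matches.
    """
    a = parse_allowed_vlans(side_a["allowed"])
    b = parse_allowed_vlans(side_b["allowed"])
    return {
        "carried": sorted(a & b),
        "one_sided": sorted(a ^ b),
        "native_match": side_a["native"] == side_b["native"],
    }


def parse_cdp_mismatch(line: str):
    """Extract interfaces and native VLANs from a CDP mismatch syslog line.

    Returns a dict, or None when the line is not a mismatch notification.
    """
    m = CDP_MISMATCH_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["local_vlan"] = int(d["local_vlan"])
    d["peer_vlan"] = int(d["peer_vlan"])
    return d


# Constructed sample trunk: allowed lists differ and native VLANs differ.
SAMPLE_A = {"allowed": "10,20,50-60", "native": 2}
SAMPLE_B = {"allowed": "10,50-55", "native": 99}

# Log line as printed on the slide.
SAMPLE_LOG = ("*Mar 1 06:45:26.232: %CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN "
              "mismatch discovered on FastEthernet0/1 (2), with S2 FastEthernet0/1 (99).")

if __name__ == "__main__":
    print(check_trunk(SAMPLE_A, SAMPLE_B))
    print(parse_cdp_mismatch(SAMPLE_LOG))
```

On the sample input the one_sided list is where the "no traffic" symptom described above comes from: VLANs 20 and 56-60 are allowed on one end only, so their frames are sent and silently discarded. The parsed log entry gives a monitoring pipeline the local and peer native VLAN numbers directly, rather than a free-text message to grep.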
Configuring IPv4 in a L2 Switch

• Why do we need IPv4 configured in an L2 switch?
- To allow Telnet/SSH access to the switch.
- To allow IP management protocols like SNMP.
- To send and receive IP packets directly to hosts in the local subnet
and, through the default gateway, to hosts in remote subnets.
• Can we configure IP on a layer 2 switch physical interface?
---No
• Why?
---IP is a layer 3 protocol and layer 2 switch interfaces are layer 2
interfaces.

#show interface fastethernet 0/1 switchport


An L2 switch uses a virtual NIC inside the switch on which an IP address
can be configured. This is known as a Switched Virtual Interface (SVI)
or VLAN interface. The SVI, rather than a physical interface, is used to
configure IP on an L2 switch.
(config)#interface vlan 1
(config-if)#ip address 10.0.0.1 255.0.0.0
(config-if)#no shutdown
(config-if)#exit
(config)#ip default-gateway 10.0.0.100

The "no shutdown" command is used to enable the VLAN interface.
By default all ports of a switch belong to VLAN 1, so by using VLAN 1 as
the SVI, all switch ports can send and receive IP packets.
We can configure IP on a switch in any other VLAN as well.
A normal Ethernet L2 switch sends and receives Ethernet frames by default
on all of its ports. The SVI is needed so that the L2 switch itself can
send and receive IP packets as well.
Verifications….

#show interface vlan 1


#show ip interface brief
