
VLAN Foundation

By default a Cisco switch sends a broadcast out of every port, but only within the VLAN where it originated: broadcast traffic is contained within the VLAN itself. Every VLAN is a separate broadcast domain. As we can see in the figure, if the red VLAN sends out a broadcast, only the ports marked red will receive it, and the same applies to the blue ports and VLAN. The white ports, which connect the switches and carry the traffic of all VLANs, are known as TRUNK PORTS. This is the name Cisco gives them; other vendors call them TAGGED ports. So VLANs help us to create and manage:

1. Logically separated groups of users
2. Segmented broadcast domains (meaning every VLAN correlates with / requires a subnet)
3. Subnet correlation
4. Access control
5. Quality of service

What is LOCAL VLAN Concept?


CISCO recommends that whenever we are going to create a VLAN we should follow the concept of LOCAL VLANs which says that any VLAN must constrain to a specific switch Block.

These are the recommendations for LOCAL VLANs:

1. Local VLANs do not extend beyond the distribution layer.
2. Local VLAN traffic is routed to other destinations. The server block has the servers connected directly to it with their own VLANs, and the same is true of the user block; if someone in a user VLAN wants to reach the server block, the traffic is routed between the two blocks. The purpose is to keep broadcasts local and not flood them across the whole network.
3. VLANs should be created around physical boundaries: an access-layer VLAN should remain within the access layer, and a distribution-layer VLAN should be restricted to the distribution layer and should not extend into the core layer.

How to Setup VLAN

The output above shows the default VLAN settings as the switch ships. The default VLAN 1 has 23 ports assigned to it; by default all ports are included in VLAN 1. VLANs 1002, 1003, 1004 and 1005 are industry-standard VLANs with status ACTIVE / UNSUPPORTED: they are not currently supported by the switch vendor, but the switch has to create them to remain compliant with the industry standard. Now we can create our own VLANs. There are two methods of creating a VLAN: the old one, which is entered from privileged mode and is not recommended, and the new one, which uses configuration mode and is recommended.

The new VLAN 100, named IT, has been created; 100 is the VLAN number and can be any number.

NOTE: We do not use this mode of creating VLANs, because normally we use Ctrl+Z to get out of privileged mode, but if you press that key here it will UNDO everything. To leave this mode, always use the EXIT command.

Recommended Method of Creating VLANs

Now we will assign ports to these newly created VLANs.

In the output above we assigned ports to the VLANs; before doing so we set the port mode to ACCESS, because by default all ports are in dynamic mode, which means they may try to negotiate a trunk with the port on the other side.

The output above shows that the IT and SALES VLANs have each been assigned their ports, and they can no longer communicate with each other because they are in completely separate broadcast domains. NOTE: VLAN configuration is not stored in the running configuration: if we use the show running-config command we will not find our VLAN configuration there; instead the switch stores the VLAN information in flash memory in a file called vlan.dat.

How to Erase VLAN Configuration?


wr e this command will erase running configurations from the switch NVRAM.

There is an important point about erasing VLAN configuration from a switch: vlan.dat has to be deleted separately and manually, otherwise it partially stays in place and VTP keeps propagating the VLANs through the network as valid VLAN information.

Then erase the vlan.dat file with this command: delete flash:vlan.dat

Even after deleting vlan.dat the VLANs still appear in the show vlan output; the switch has to be rebooted for the change to take effect. Done.

TRUNKING

Trunking is the process of connecting multiple switches together and allowing them to pass VLAN information between each other. A computer has no idea which VLAN it belongs to; instead, we configure the switches to define which VLAN each port belongs to. When a computer attached to a switch within a VLAN sends a broadcast to the switch, the switch attaches a TAG to the frame, but before sending it out of an access port the TAG is stripped off, so the receiving computer sees it like any other normal frame. In the case of TRUNKING, however, the TAG is not stripped: the frame keeps its tag while it passes from one TRUNK port to another, and the TAG is only removed before the destination computer receives it.

NOTE: the term TRUNKING is a Cisco term; no other vendor calls it that, they call it a TAGGED PORT. It is entirely a LAYER 2 feature and works at the data link layer.

1. Trunking (aka tagging) passes MULTI-VLAN information between switches
2. Places VLAN information into each frame
3. Layer 2 feature

Two ways of TAGGING

ISL and 802.1Q

Inter-Switch Link (ISL) Tagging

Cisco proprietary (only works between Cisco switches). The difference between 802.1Q and ISL is that ISL encapsulates the entire frame before it goes out of the trunk: when a Cisco switch receives a frame from a VLAN, before sending it out it adds a new header at the start of the frame and a trailer at the end, and then sends it out on the trunk. This method has been phased out and is no longer used on Cisco switches.

802.1Q

Open standard / industry standard. Inserts the TAG into the frame rather than encapsulating it, and before sending the frame out on the trunk it recalculates the CRC.

What is NATIVE VLAN?


This is the concept which was created for 802.1Q where in ISL there is no concept of this.

The native VLAN messages are received because of a topology like the one above, in which two trunk ports are connected to each other through a HUB, and the HUB also has some devices attached to it directly. The computers attached to the HUB send messages to the HUB, and the trunk ports on both switches also receive those messages. As we know, trunk links should only carry TAGGED frames; what a trunk port does with an UNTAGGED frame when it receives one is what the NATIVE VLAN is for. It is a configuration on the switch that says: if this port receives frames that are untagged, assign them automatically to a given VLAN (any VLAN created for this purpose), and that is the native VLAN.

When we connect switches together and they have mismatched NATIVE VLAN configuration (one on VLAN 10 and the other on VLAN 1), we will start receiving a message saying a native VLAN mismatch was detected on those VLANs. As we do not use this topology and do not put a HUB between our switches, we will not be using this concept in its original form, but the NATIVE VLAN idea is used in a similar way for VoIP.

This is a very common scenario: an IP phone is connected to a switch, and the computer is connected to the switch port on the IP phone, so both share one Ethernet cable to the switch rather than having a separate cable for the IP phone. In common practice the IP phone and the computer are never placed in the same VLAN, because a heavy file transfer or other data traffic on that Ethernet segment could degrade the phone's service, and at the same time it is a security issue. Since the IP phone and the computer sit on the same Ethernet run, using two drops of cable whose other end connects to only one switch port, it is normally not possible to put them on separate VLANs. To do this we run a small version of a trunk from the switch to the phone: the phone is able to understand and send TAGGED frames, while the computer sends untagged frames. So the trunk port also receives untagged frames, and here we use the native VLAN concept: when the switch trunk port receives untagged frames, the native VLAN configured on the switch puts them into the appropriate VLAN.
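The 802.1Q tag insertion, tag stripping and native VLAN rules described above, as an added Python example (not code from the notes): it builds a frame, inserts and removes the 4-byte tag with the FCS recomputed, and classifies a received frame by port type. The port descriptions (mode, access VLAN, native VLAN) are constructed for the example; an access port is simplified to placing everything it receives in its own VLAN.

```python
import struct
import zlib

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag

def fcs(body: bytes) -> bytes:
    """Ethernet FCS: CRC-32 over the frame, sent least-significant byte first."""
    return struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)

def fcs_valid(frame: bytes) -> bool:
    return frame[-4:] == fcs(frame[:-4])

def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    """Untagged frame as a host sends it: dst MAC, src MAC, EtherType, payload, FCS."""
    body = dst + src + struct.pack("!H", ethertype) + payload
    return body + fcs(body)

def insert_dot1q_tag(frame: bytes, vid: int, pcp: int = 0) -> bytes:
    """802.1Q: insert a 4-byte tag after the source MAC and recompute the FCS."""
    body = frame[:-4]                        # discard the old FCS
    tci = (pcp << 13) | (vid & 0x0FFF)       # PCP 3 bits, DEI 1 bit (0 here), VID 12 bits
    tag = struct.pack("!HH", TPID_8021Q, tci)
    tagged = body[:12] + tag + body[12:]
    return tagged + fcs(tagged)

def strip_dot1q_tag(frame: bytes) -> bytes:
    """What an access port does on egress: remove the tag and recompute the FCS."""
    body = frame[:-4]
    untagged = body[:12] + body[16:]
    return untagged + fcs(untagged)

def read_vid(frame: bytes):
    """VLAN ID carried in the tag, or None if the frame is untagged."""
    if struct.unpack("!H", frame[12:14])[0] != TPID_8021Q:
        return None
    return struct.unpack("!H", frame[14:16])[0] & 0x0FFF

def classify_ingress(frame: bytes, port: dict) -> int:
    """VLAN a received frame lands in. `port` is a constructed description:
    {"mode": "access", "vlan": 10} or {"mode": "trunk", "native": 1}."""
    if port["mode"] == "access":
        return port["vlan"]                  # simplification: access port owns all it receives
    vid = read_vid(frame)
    return port["native"] if vid is None else vid   # untagged on a trunk goes to the native VLAN
```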

TRUNKING PROTOCOL

The switches use a protocol to auto-negotiate trunk links called Dynamic Trunking Protocol (DTP). There are 5 different switch port modes related to trunking:

1. Access Mode
2. Trunk
3. Dynamic-Auto
4. Dynamic Desirable
5. Non-Negotiate

Access Mode

If a port is configured in access mode, whatever device is connected to it is considered an access-layer device and can only access a single VLAN: if VLAN 50 is assigned to the port, the attached device is in VLAN 50. If the computer attached to it is replaced with a switch, every port on that switch becomes part of that same VLAN 50.

Dynamic Desirable

Every fresh switch from Cisco is in this mode by default, meaning the port is in neither TRUNK nor Access mode but will try to negotiate whichever mode matches what is plugged into the other side. It becomes an ACCESS port if attached to a PC and a TRUNK port if attached to a switch.

How to check the mode of the Port

Dynamic-Auto

It will also switch automatically between access and trunk, but it differs from Dynamic Desirable in that it does not send DTP packets out asking the other side to make it a trunk. If both ends of the link between two switches are set to AUTO, the ports become access ports; but if one end is set to Auto and the other to Dynamic Desirable, the desirable end sends out DTP packets and the Auto end then becomes a TRUNK port.

Trunk

The TRUNK mode only ever serves as a TRUNK port and sends DTP packets out; it cannot become an access port in any way.

Non-Negotiate

Here the port is a TRUNK but does not send DTP packets out. This means we already know where the other trunk ports are on the other switch, so we do not waste DTP packets discovering them. This is the most preferred method. If a computer is attached to this port, the switch will not send DTP packets to it, so it is more secure as well.

Configuring Trunk Port

Here we can leave the port at its default after setting the port encapsulation, because the default mode is Dynamic Desirable: when we set the port at the other end to TRUNK and that port sends out a DTP packet, this port will automatically move to TRUNK mode.

Here we can see that after the port was set to TRUNK it sent out a DTP packet and started negotiating with the remote port to form a trunk.

If we use the non-negotiate mode the port will not send out DTP packets to become a trunk, so if AUTO is set on the other side, that side will not be negotiated into becoming a TRUNK port.
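The DTP outcomes described in the five modes above, as an added Python model (not code from the notes): given the mode configured on each end, it returns whether the link ends up as a trunk, an access link, or a mismatch where only one side trunks, and lists which ports of a constructed interface table are still in a dynamic mode and so let the attached device decide.

```python
MODES = ("access", "trunk", "dynamic-auto", "dynamic-desirable", "nonegotiate")

def sends_dtp(mode: str) -> bool:
    """Only these modes actively send DTP frames asking the peer to trunk."""
    return mode in ("trunk", "dynamic-desirable")

def wants_trunk(me: str, peer: str) -> bool:
    """Does a port in mode `me` end up trunking when the far end is in mode `peer`?"""
    if me in ("trunk", "nonegotiate"):
        return True                       # trunk unconditionally; nonegotiate does so silently
    if me == "access":
        return False
    if me == "dynamic-desirable":
        # asks via DTP; any peer that answers DTP (trunk, desirable, auto) agrees.
        # nonegotiate and access never answer, so the link stays access.
        return peer in ("trunk", "dynamic-desirable", "dynamic-auto")
    return sends_dtp(peer)                # dynamic-auto trunks only when asked

def negotiate(local: str, remote: str) -> str:
    """Resulting link state: "trunk", "access", or "mismatch" (only one side trunks)."""
    for m in (local, remote):
        if m not in MODES:
            raise ValueError(f"unknown port mode: {m}")
    a, b = wants_trunk(local, remote), wants_trunk(remote, local)
    if a and b:
        return "trunk"
    if not a and not b:
        return "access"
    return "mismatch"

def negotiable_ports(ports: dict) -> list:
    """Ports still in a dynamic mode: whatever is plugged in decides whether they trunk.
    `ports` is a constructed map of interface name -> configured mode."""
    return sorted(name for name, mode in ports.items() if mode.startswith("dynamic"))
```

Auditing for ports that `negotiable_ports` reports is the check that goes with the note above that non-negotiate is the preferred, more secure setting.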

Setting Native VLAN

We can set any VLAN number here if we want untagged traffic received by this port to land in a specific VLAN.

VLAN Traffic Filtering


There are two ways to filter traffic of VLANs. Method 1, Manually Removing or Allowing VLAN There could be situation in which between two TRUNK ports we dont want all of the VLANs to be passing on like if at one end we have VLAN 10. 20 and 30 but at the other end we just have 30 VLAN in this case there is no use of send VLAN 10 and 20 Traffic to the other end here we can use these command to allow some specific VLAN to send there packets on TRUNK port.

With ALLOWED we can specify what VLAN we want to be allowed on TRANK where ALL allow the all VLANs and EXCEPT can be used filter few of them and NONE will allow you to specify them manually etc. How to Verify

VLAN Trunking Protocol-VTP


The VTP is not a trunking protocol instead it is a VLAN replication Protocol. (There are only two trunking protocols ISL and 802.1Q) VTP is used to simplify the administration of VLAN When we pullout the new switch out of box, it has by default only one VLAN in it and that is VLAN1 with VTP REV 0 and multiple switches are connected with each other and have trunk link initially they all have VLAN1 with VTP REV 0 as soon as you created a new VLAN 10 on switch the REV will increment its number and will update rest of switches connected automatically with the change and suddenly every switch in the network will have VLAN 10 with REV 1 in his VLAN Database. Wherever this change takes place it will increment the REV no and replicate the VLAN Database to the rest of the switches in the network. Advantage of VTP VTP is uses to create a change in when switch and replicates it to the rest of the networks, so in a campus network where may be 100 switches are installed we will made change the VLAN setup in one switch and then replicates it to all other switches without telnet of all other switches Disadvantage of VTP If we have added a new switch in our switch domain and the switch has already been used before and have VTP and VLAN information on it in that case if it has REV no bigger then the REV number which is in our domain it will be replicated to the all switches in the domain immediately resulting in lost of all VLAN information configured on the switch in our network. Only way to fix this issue is to manually create a VLAN again and add it to the switches.
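The revision-number behaviour behind the advantage and disadvantage above, as an added Python simulation (not from the notes): a server creates VLANs and the domain replicates them, then a previously used switch joins. With a higher revision it overwrites the whole domain; with its revision reset to 0 (the vlan.dat deletion and reboot described in the erase section) the domain stays intact. The switch names, domain name and the reused switch's VLANs are constructed; the transparent mode check is a real Cisco VTP mode the notes do not cover.

```python
class VtpSwitch:
    """Minimal model of one switch's VTP state: a VLAN database plus a revision number."""

    def __init__(self, name, domain, mode="server", vlans=None, revision=0):
        self.name, self.domain, self.mode = name, domain, mode
        self.vlans = set(vlans) if vlans else {1}   # a fresh switch knows only VLAN 1
        self.revision = revision

    def create_vlan(self, vid):
        """Clients cannot create VLANs; a server bumps the revision on every change."""
        if self.mode == "client":
            raise PermissionError(f"{self.name} is a VTP client, cannot create VLANs")
        self.vlans.add(vid)
        if self.mode == "server":
            self.revision += 1

    def receive(self, domain, revision, vlans):
        """Accept an advertised database only from the same domain with a higher revision.
        A transparent switch never replaces its own database."""
        if self.mode == "transparent" or domain != self.domain or revision <= self.revision:
            return False
        self.vlans, self.revision = set(vlans), revision
        return True

def propagate(switches):
    """Flood every database across the trunks until no switch changes any more."""
    changed = True
    while changed:
        changed = False
        for src in switches:
            for dst in switches:
                if dst is not src and dst.receive(src.domain, src.revision, src.vlans):
                    changed = True

def join_domain(reused_revision):
    """Scenario from the text: the domain has VLANs 10/20/30 at revision 3, then a
    previously used switch (constructed: VLANs 1 and 99) is plugged in.
    Returns the core switch's (vlans, revision) afterwards."""
    core = VtpSwitch("core", "CAMPUS")
    edge = VtpSwitch("edge", "CAMPUS", mode="client")
    for vid in (10, 20, 30):
        core.create_vlan(vid)
    propagate([core, edge])
    reused = VtpSwitch("reused", "CAMPUS", vlans={1, 99}, revision=reused_revision)
    propagate([core, edge, reused])
    return core.vlans, core.revision
```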
