Virtual Local Area Networks

A virtual LAN (VLAN) is a group of hosts or network devices, such as routers (running transparent bridging) and bridges, that forms a single bridging domain.  There can be several VLANs defined on a single switch.  A VLAN can also span multiple switches.  Layer 2 protocols such as IEEE 802.1q and ISL (Inter-Switch Link) allow a VLAN to span multiple switches.  VLANs are formed to group related users together regardless of the physical connections of their hosts to the network.  The users can be spread across a campus network or even across geographically isolated locations.  Users can be organized into separate VLANs according to their department, location, function, application, address (logical or physical), or protocol used.  The goal with VLANs is to group users into separate VLANs so their traffic will stay within the VLAN.  When you configure VLANs, the network can take advantage of the following benefits:

Benefits of using VLANs
  • Broadcast Control - Just as switches physically isolate collision domains for attached hosts and only forward traffic out a particular port, VLANs refine this concept further and provide complete isolation between VLANs.  A VLAN is a bridging domain, and all broadcast and multicast traffic is contained within it.
  • Security - VLANs provide security in two ways:
    • High-security users can be grouped into a VLAN, possibly on the same physical segment, and no users outside of that VLAN can communicate with them.
    • Because VLANs are logical groups that behave like physically separate entities, inter-VLAN communication can only be achieved through a router.  When inter-VLAN communication occurs through a router, all the security and filtering functionality that routers traditionally provide can be used.  In the case of nonroutable protocols, there can be no inter-VLAN communication.  All communication must occur within the same VLAN.
  • Performance - Users that require high-performance networks for bandwidth-intensive projects can be placed in their own VLAN, which isolates them and the rest of the network from each other.
  • Network Management - Software on the switch allows you to assign users to VLANs and, later, reassign them to another VLAN. Recabling to change connectivity is no longer necessary in the switched LAN environment because network management tools allow you to reconfigure the LAN logically in seconds.

Routers by default only send broadcasts within the originating network, but switches forward them to all segments.  This is known as a flat network because it's one big broadcast domain.  Switches and VLANs are used to replace the flat network.  All members of a VLAN are in the same broadcast domain and receive all broadcasts.  By default the broadcasts are filtered from all ports on a switch that aren't in the same VLAN.  Routers, layer 3 switches, or Route Switch Modules (RSM) must be used in conjunction with switches to provide connections between networks (VLANs), which can stop broadcasts from propagating throughout the entire internetwork.

VLAN Organizations

A traditional collapsed backbone consists of a router with separate networks attached to its interfaces.  Each node attached to the physical network needs to have the same network number in order to communicate on the internetwork.  On switches you can group users into communities of interest called VLAN Organizations.  Nodes in a VLAN can communicate with other nodes in the same VLAN, but they need to go through a router or other layer 3 device in order to communicate with nodes in other VLANs.

VLAN Memberships

VLANs are usually created by administrators who assign switch ports to VLANs.  These are called static VLANs.  Dynamic VLANs are configured by assigning all the host devices' hardware addresses into a database.

Static VLAN

Static VLANs are the typical method of creating VLANs and are the most secure.  The switch port you assign a VLAN association to always maintains that association until an administrator changes the port assignment.

Dynamic VLAN

Dynamic VLANs determine a node's VLAN assignment automatically.  Using intelligent management software, you can enable MAC addresses, protocols, or even applications to create dynamic VLANs.  For example, if the MAC address is in a centralized database, and if it connects to a switch port, the VLAN management database can look up the address and configure the port for the correct VLAN.  If the user moves, the switch will automatically assign them to their correct VLAN.

Links in a Switched Environment

VLANs can span multiple connected switches by using frame tagging and trunk connections.  Switches in the switch fabric must keep track of frames and which VLAN the frame belongs to.  Frame tagging performs this function.  Switches can then direct frames to the appropriate port.

Frame Tagging

Switches use frame tagging to keep track of users and frames as they travel the switch fabric and VLANs.  Switch fabric is a group of connected switches.  Frame tagging assigns a unique user-defined ID to each frame, also called VLAN ID or color.  Frame tagging is used when an Ethernet frame traverses a trunked link.  Each switch the frame traverses must identify the VLAN ID and then determine what to do with the frame based on its filter table.  Once the frame reaches the exit to the access link, the VLAN ID is removed and the end device receives the frame without having to understand the VLAN ID.  A VLAN interface can have only one VLAN ID, and VLAN trunk interfaces support multiple VLANs across them.

There are two types of links:

Access Links

An access link is part of only one VLAN, which is referred to as the native VLAN of the port.  Any device attached to an access link is unaware of a VLAN membership.  This device just assumes that it is part of a broadcast domain, without any understanding of the physical network.  Switches remove any VLAN information before a frame is sent to an access link device.  Access link devices can't communicate with any devices outside their VLAN without a router or layer 3 device.

Trunk Links

Trunks can carry multiple VLANs and are used to connect switches to other switches, to routers, or to servers.  Trunk links are only supported on Fast or Gigabit Ethernet (100 or 1000Mbps).  Cisco switches support two ways to identify which VLAN a frame belongs to: ISL and 802.1q.  If no trunk encapsulation type is specified when configuring an Ethernet trunk, ISL is used as the default.  Trunk links have a native or default VLAN that is used if the trunk link fails.  Trunked links carry the traffic of multiple VLANs from 1 to 1005 at a time.  Trunking allows you to make a single port a part of multiple VLANs, so you can be in more than one broadcast domain at a time.  When connecting switches together, trunk links can carry some or all VLAN information across the link.  If you don't trunk the links then the switch will only carry VLAN 1 information across the link.  Cisco switches use the Dynamic Trunking Protocol (DTP) to manage trunks.  DTP is a point-to-point protocol that was created to send trunk information across 802.1q trunks.

Trunking Methods
  • Inter-Switch Link - ISL is a Cisco proprietary protocol for interconnecting multiple switches and maintaining VLAN information as traffic goes between switches.  ISL is similar to 802.10 as they both multiplex bridge groups over a high-speed backbone (ISL runs only on Fast Ethernet).  With ISL, an Ethernet frame is encapsulated with a header that maintains VLAN IDs between switches.  A 26-byte header that contains a 10-bit VLAN ID is prepended to the Ethernet frame.  A VLAN ID is added to the frame only when the frame is destined for a non-local network.  Since the frame is encapsulated, only devices running ISL can read it.  If you need a trunking protocol for switches other than Cisco's, use 802.1q.  ISL frames can be up to 1522 bytes long.  On multi-VLAN ports, each frame is tagged as it enters the switch.  ISL NICs allow servers to send and receive frames tagged with multiple VLANs so the frames can traverse multiple VLANs without going through a router.  The ISL protocol can allow a file server to exist in multiple VLANs at the same time.  Note that ISL encapsulation is only added to frames that are forwarded on a trunk link, and when they arrive at the access link the encapsulation is removed and the frame is delivered.
  • IEEE 802.1q - Created by the IEEE as a standard method of frame tagging.  It actually inserts a field into the frame to identify the VLAN.  If you are trunking between a Cisco switch and a non-Cisco switch, you will need to use 802.1q for the trunk to work.
  • IEEE 802.10 - Defines a method for securing bridging of data across a shared MAN (Metropolitan Area Network) backbone.  The coloring (VLAN ID) of traffic across the FDDI backbone is achieved by inserting a 16-byte header between the source MAC and the Link Service Access Point (LSAP) of frames leaving a switch.  This header contains the 4-byte VLAN ID or "color".  The receiving switch removes the header and forwards the frame to interfaces that match the VLAN color.
  • Local Area Network Emulation (LANE) - LANE is a service that provides interoperability between ATM-based workstations and devices connected to existing LAN technology.  LANE uses MAC encapsulation because this approach supports the largest number of existing OSI layer 3 protocols.  The end result is that all devices attached to an emulated LAN appear to be on one bridged segment.  In ATM LANE environments, the ATM switch handles traffic that belongs to the same emulated LAN (ELAN), and routers handle inter-ELAN traffic.
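
The 802.1q tagging described above can be followed byte by byte in this added example, which is not part of the original page: a tag is inserted on trunk egress, removed on access egress, and a port outside the frame's VLAN filters it.  The sample frame and the port table are constructed for illustration.

```python
import struct

TPID_8021Q = 0x8100   # EtherType value that marks an 802.1Q tag
MAX_VID = 4094        # VID is 12 bits; 0 and 4095 are reserved

def add_tag(frame: bytes, vid: int, pcp: int = 0) -> bytes:
    """Trunk egress: insert the 4-byte tag after the source MAC."""
    if len(frame) < 14:
        raise ValueError("shorter than an Ethernet header")
    if not 1 <= vid <= MAX_VID or not 0 <= pcp <= 7:
        raise ValueError("VLAN ID or priority out of range")
    tci = (pcp << 13) | vid   # PCP (3 bits) | DEI (1 bit, 0) | VID (12 bits)
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]

def parse_tag(frame: bytes):
    """Return (pcp, dei, vid) for a tagged frame, None for an untagged one."""
    if len(frame) < 14:
        raise ValueError("shorter than an Ethernet header")
    if struct.unpack("!H", frame[12:14])[0] != TPID_8021Q:
        return None
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci = struct.unpack("!H", frame[14:16])[0]
    return tci >> 13, (tci >> 12) & 1, tci & 0x0FFF

def strip_tag(frame: bytes) -> bytes:
    """Access egress: remove the tag so the end device sees a plain frame."""
    return frame if parse_tag(frame) is None else frame[:12] + frame[16:]

def egress(frame: bytes, vid: int, port: dict):
    """What leaves `port` for an untagged frame classified into VLAN `vid`;
    None means the port filters it (the port is not in that VLAN)."""
    if port["mode"] == "access":
        return frame if port["vlan"] == vid else None
    return add_tag(frame, vid) if vid in port["allowed"] else None

# Constructed sample: broadcast frame with an ARP EtherType, FCS omitted.
SAMPLE_FRAME = (bytes.fromhex("ffffffffffff" "020000000001" "0806")
                + bytes(46))
# Hypothetical port table for one switch.
PORTS = {
    "Fa0/1": {"mode": "access", "vlan": 10},
    "Fa0/2": {"mode": "access", "vlan": 20},
    "Fa0/24": {"mode": "trunk", "allowed": {10, 20}},
}

if __name__ == "__main__":
    for name, port in PORTS.items():
        out = egress(SAMPLE_FRAME, 10, port)
        print(name, "filtered" if out is None else parse_tag(out) or "untagged")
```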

More about LAN Emulation (LANE)

LANE is a standard defined by the ATM Forum that gives stations attached via ATM the same capabilities they normally obtain from legacy LANs, such as Ethernet and Token Ring.  As the name suggests, the function of the LANE protocol is to emulate a LAN on top of an ATM network. Specifically, the LANE protocol defines mechanisms for emulating either an IEEE 802.3 Ethernet or an 802.5 Token Ring LAN.  The current LANE protocol does not define a separate encapsulation for FDDI.  (FDDI packets must be mapped into either Ethernet or Token Ring emulated LANs [ELANs] by using existing translational bridging techniques.)  Fast Ethernet (100BaseT) and IEEE 802.12 (100VG-AnyLAN) both can be mapped unchanged because they use the same packet formats.

The LANE protocol defines a service interface for higher-layer (network layer) protocols that is identical to that of existing LANs.  Data sent across the ATM network is encapsulated in the appropriate LAN MAC packet format.  In other words, the LANE protocols make an ATM network look and behave like an Ethernet or Token Ring LAN, albeit one operating much faster than an actual Ethernet or Token Ring LAN network.

It is important to note that LANE does not attempt to emulate the actual MAC protocol of the specific LAN concerned (CSMA/CD for Ethernet or token passing for IEEE 802.5).  Because the LANE service presents the same service interface as existing MAC protocols to network-layer drivers, LANE requires no modifications to higher-layer protocols to enable their operation over an ATM network.

LANE Protocol

The basic function of the LANE protocol is to resolve MAC addresses to ATM addresses.  The goal is to resolve such address mappings so that LANE end systems can set up direct connections between themselves and then forward data.  The LANE protocol is deployed in two types of ATM-attached equipment: ATM network interface cards (NICs) and internetworking and LAN switching equipment.

ATM NICs implement the LANE protocol and interface to the ATM network but present the current LAN service interface to the higher-level protocol drivers within the attached end system.  The network-layer protocols on the end system continue to communicate as if they were on a known LAN by using known procedures.  However, they are able to use the vastly greater bandwidth of ATM networks.

The second class of network gear to implement LANE consists of ATM-attached LAN switches and routers.  These devices, together with directly attached ATM hosts equipped with ATM NICs, are used to provide a virtual LAN (VLAN) service in which ports on the LAN switches are assigned to particular VLANs independently of physical location.

Communicating between VLANs

To communicate between VLANs you need to have a router with an interface for each VLAN or a router that supports ISL routing.  The lowest Cisco router that supports ISL routing is the 2600 series.  If you're using a router with one interface and ISL, the interface should be at least 100Mbps (Fast Ethernet).

VLAN Trunking Protocol (VTP)

VTP is a protocol used between switches to simplify the management of VLANs.  With VTP, you can make configuration changes centrally on a single Catalyst series switch and have those changes automatically communicated to all the other switches in the network.

VTP is a Layer 2 messaging protocol that maintains VLAN configuration consistency by managing the addition, deletion, and renaming of VLANs on a network-wide basis.  VTP minimizes misconfigurations and configuration inconsistencies that can result in a number of problems, such as duplicate VLAN names, incorrect VLAN-type specifications, and security violations.

Developed by Cisco, it is the industry's first protocol implementation specifically designed for large VLAN deployments.  VTP enhances VLAN deployment by providing the following:

  • Integration of ISL, 802.10, and ATM LAN-based VLANs.
  • Auto-intelligence within the switches for configuring VLANs.
  • Configuration consistency across the network.
  • An auto-mapping scheme for going across mixed-media backbones.
  • Accurate tracking and monitoring of VLANs.
  • Dynamic reporting of added VLANs across the network.
  • Plug-and-Play setup and configuration when adding new VLANs.

To allow VTP to manage your VLANs across the network, you must first create a VTP server.  All servers that need to share VLAN information must use the same domain name, and a switch can only be in one domain at a time.  If all your switches are in the same VLAN then you don't need to use VTP.  VTP information is sent via a trunk port. Switches advertise VTP management domain information, as well as configuration revision number and all known VLANs with any specific parameters.  Switches detect the additional VLANs within a VTP advertisement and then prepare to receive information on their trunk ports.  The information would be VLAN ID, 802.10 SAID fields, or LANE information.  Updates are sent out with revision numbers that are the previous notification's number plus 1.  Anytime a switch sees a higher revision number, it knows the information is newer and overwrites the database with the newer one.

Three modes of operation within a VTP
  • Server - Default mode for all Catalyst switches.  You need at least one to propagate VLAN data throughout the domain.  The switch must be in server mode to create, add, or delete VLANs in a VTP domain.  Any changes made while in server mode will be advertised to the entire VTP domain.  Advertisements are sent every 5 minutes or whenever there is a change.
  • Client - Receives information from VTP servers and sends and receives updates, but can't make any changes.  To add a switch to a VLAN, first make it a client to update the database, then change it to a server to make the changes and have them advertised, or alternatively delete the VTP database with the delete vtp command in privileged EXEC mode.
  • Transparent - Doesn't participate in the VTP domain, but will still forward VTP advertisements through the configured trunk links.  Can add and create VLANs as it doesn't share its database with any other switch and changes made to its database are only considered locally significant.

VTP Advertisements

Each switch in the VTP domain sends periodic advertisements out each trunk port to a reserved multicast address. VTP advertisements are received by neighboring switches, which update their VTP and VLAN configurations as necessary.
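
The revision-number rule and the three modes above can be seen working together in this added example, which is a simplified model and not Cisco's implementation or code from the original page.  The switch names, the CAMPUS domain, and the safe_to_connect check are hypothetical; the check reflects why a switch is brought up to date before it is allowed to advertise.

```python
from dataclasses import dataclass, field

@dataclass
class Advertisement:
    domain: str
    revision: int
    vlans: dict                     # VLAN ID -> VLAN name

@dataclass
class Switch:
    name: str
    mode: str                       # "server", "client" or "transparent"
    domain: str
    revision: int = 0
    vlans: dict = field(default_factory=lambda: {1: "default"})

    def advertise(self) -> Advertisement:
        return Advertisement(self.domain, self.revision, dict(self.vlans))

    def create_vlan(self, vid: int, vlan_name: str):
        """Return the advertisement to flood, or None if the change stays local."""
        if self.mode == "client":
            raise PermissionError("a VTP client cannot change the VLAN database")
        self.vlans[vid] = vlan_name
        if self.mode == "transparent":
            return None             # locally significant only
        self.revision += 1          # each change bumps the revision by 1
        return self.advertise()

    def receive(self, adv: Advertisement) -> str:
        if self.mode == "transparent":
            return "relayed"        # forwarded on trunks, own database untouched
        if adv.domain != self.domain or adv.revision <= self.revision:
            return "ignored"
        self.vlans, self.revision = dict(adv.vlans), adv.revision
        return "overwritten"        # higher revision always wins

def safe_to_connect(new: Switch, domain: str, domain_revision: int) -> bool:
    """Pre-connection check: a switch whose revision is higher than the
    domain's would replace every other switch's VLAN database."""
    return (new.mode == "transparent" or new.domain != domain
            or new.revision <= domain_revision)

def demo():
    core = Switch("core", "server", "CAMPUS")
    access = Switch("access1", "client", "CAMPUS")
    lab = Switch("lab", "transparent", "CAMPUS")
    core.create_vlan(10, "engineering")
    adv = core.create_vlan(20, "finance")        # core is now at revision 2
    results = [access.receive(adv), lab.receive(adv)]
    # Constructed case: a spare switch last used elsewhere, left at revision 7.
    spare = Switch("spare", "server", "CAMPUS", revision=7)
    return results, access.vlans, safe_to_connect(spare, "CAMPUS", core.revision)

if __name__ == "__main__":
    print(demo())
```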

The following global configuration information is distributed in VTP advertisements:

  • VLAN IDs (ISL and 802.1Q)
  • Emulated LAN names (for ATM LANE)
  • 802.10 SAID values (FDDI)
  • VTP domain name
  • VTP configuration revision number
  • VLAN configuration, including maximum transmission unit (MTU) size for each VLAN
  • Frame format

VTP Pruning

VTP pruning enhances network bandwidth use by reducing unnecessary flooded traffic, such as broadcast, multicast, unknown, and flooded unicast packets.  VTP pruning increases available bandwidth by restricting flooded traffic to those trunk links that the traffic must use to access the appropriate network devices.  By default, VTP pruning is disabled.  VTP pruning only sends broadcasts to trunk links that must have the information.  Enabling VTP pruning on a VTP server enables pruning for the entire management domain.  VTP pruning takes effect several seconds after you enable it.  By default, VLANs 2 through 1000 are pruning-eligible.  VTP pruning does not prune traffic from VLANs that are pruning-ineligible.  VLAN 1 is always pruning-ineligible; traffic from VLAN 1 cannot be pruned because it is an administrative VLAN.

Configuring VLANs