VLAN Example

A VLAN example is illustrated in Figure 1 below. Figure 1 shows a building network example that includes devices for the staff and students of a university. For security purposes, the traffic from individuals working on administrative devices (staff) could be separated from the traffic generated by the academic devices (students).

A method of separating these different devices could be to have them on separate physical networks; however this type of solution can be expensive and inflexible. A better solution would be to create separate VLANs for administrative and academic traffic.

Figure 1 shows four different common areas that exist in a university setting, two of each belong to either the administrative or academic side of the network. The areas that are in the administrative part of the network are separated into VLAN 10; the areas that are in the academic part of the network are separated into VLAN 20. In order for the devices in VLAN 10 to communicate with the devices in VLAN 20, a Layer 3 device (like a router) is required. The Layer 3 device can then be configured to filter the traffic allowed to pass between the two VLAN’s (if any).

VLAN Trunks

Another part of the understanding of VLANs is how they are used between different devices. Without further configuration, the VLAN configuration of a switch is specific to each individual switch. In many smaller deployments, this works out fine as one single switch is deployed for connectivity. However, on larger deployments where there are multiple switches used over a building or campus then the VLAN configuration needs to span multiple switches, this is done with trunks.

Under normal conditions, a switchport is limited to be in a single VLAN; a trunk allows the switchport to support the transport of traffic on multiple VLAN’s. This is accomplished through the use of IEEE 802.1q trunking. When using 802.1q trunking, a tag is inserted into the frame header to identify the VLAN membership; once the frame reaches the destination switch the tag is removed and sent out on all matching VLAN switchports.

Basic VLAN Configuration

The normal range of VLAN numbers used goes from 1 through 1001; the numbers from 1002 through 1005 are reserved for Token Rink and FDDI VLAN’s.  On most switches, including Cisco, the default is VLAN 1 on all switchports. The VLAN range from 1006 through 4094 is also available if extended range VLAN’s are configured.

In order to configure a VLAN on a Cisco switch use the following steps:

Enter global configuration mode

Step 1.              switch#configure terminal

Create or modify an existing VLAN

Step 2.              switch(config)#vlan vlan-id

Configure a VLAN name (optional)

Step 3.              switch(config-vlan)#name name

Another method of creating a VLAN is to configure a switchport into a nonexistent VLAN.  When this is done, the VLAN is automatically created.

In order to configure a switchport into a specific VLAN on a Cisco switch use the following steps:

Enter global configuration mode

Step 1.              switch#configure terminal

Enter interface configuration mode

Step 2.              switch(config)#interface type number

Configure a switchport VLAN

Step 3.              switch(config-if)#switchport access vlan vlan-id

Summary

The configuration of VLAN’s on modern network is common at the access layers of the network; it provides a method of security which is easy to implement and configure. Hopefully this article gives a basic understanding of the concept and how it can be used.

Learn More About VLANs

If you’re interested in learning more about VLANs, check out our article on How to Configure, Verify and Troubleshoot a VLAN and our free video from our Cisco CCNA training covering Virtual LANs and VTP: VLAN Trunking Protocol.

Each VLAN consists of a separated broadcast domain. Which means that only ports belonging to a specific VLAN share broadcasts eliminating unnecessary traffic from flooding the entire network; hence improving the overall performance of the network.

By now, you’re probably thinking that your VLANs can spread through a couple of building infrastructures. Well get this … VLANs can also extend their existence across Wide Area Networks (WANs) using a layer 2 tunnel. This is why VLANs can be designed without regard of the physical location of the hosts. This is also why VLANs are virtually the coolest LANs out there.

In this article, I’ll explain some basic concepts behind VLAN operation on Cisco catalyst switches. I’ll also give you the steps to configuring, verifying and troubleshooting a VLAN.

VLAN Modes and VLAN Trunking

Cisco catalyst switches support Dynamic VLANs by using a VLAN Management Policy Server in order to assign specific VLAN IDs to corresponding MAC addresses. Usually, Static assignment of VLANs to switch ports is configured. To be able to do so, first, all different VLAN subnets need to be defined. Afterwards, VLAN IDs can be assigned to switch ports and a host that attaches on a given port automatically assumes the VLAN membership of that port.

Once a VLAN membership is granted, a host can communicate to other hosts within the same VLAN. If routing between different VLANs is required then a router needs to be incorporated in the network. A host link can have access to only one VLAN. A link that is able to carry more than one VLAN tagged frame is called a trunk and the method of identifying several different VLANS on a trunk is called tagging.

Cisco used to support its own proprietary trunking protocol for VLAN tagging – ISL, or InterSwitch Link Protocol. However, ISL is not supported anymore and Cisco suggests using IEEE 802.1Q protocol instead.

The IEEE 802.1Q header contains a 4-byte tag header containing a 2-byte protocol identifier (TPID) and 2-byte control information (TCI). The TPID has a fixed value of 0×8100 that indicates that the frame carries the 802.1Q/802.1p tag information.

The TCI contains the following elements:

• Three-bit user priority
• One-bit canonical format indicator (CFI)
• Twelve-bit VLAN identifier (VID) which uniquely identifies the VLAN to which the frame belongs

A schematic diagram of the 802.1Q frame is shown below:

Configuring a VLAN

Configuring VLANs is actually very easy. The difficulty is to decide which users should belong to which VLAN. Once you’ve decided this and visualized the VLAN enabled network, then you are ready to create your VLANs on the Cisco catalyst switch. Take a look at this example:

How to Assign Switch Ports to a VLAN

The following commands indicate how you can assign interface fastethernet 2 to vlan2 and fastethernet 3 to vlan 3:

Configuring 802.1Q Trunking

To set a Fast Ethernet port or even a Gigabit Ethernet port to trunk mode use the switchport mode interface configuration command:

The switchport mode command can be configured using 4 different options:

• Trunk: The interface is configured into permanent trunking mode and negotiates with the partner site interface to set up the into trunk mode.
• Access: Disables port trunk mode; no trunking negotiation takes place.
• Dynamic desirable: Enables interfaces continuous attempt to convert the link to a trunking link. The interface becomes a trunk interface if the neighboring interface is set to trunk, desirable, or auto mode. This is the default mode for all Ethernet interfaces.
• Dynamic auto: Makes the interface to become a trunk only if the connected port is set to trunk or desirable.

How to Verify a VLAN Configuration

Use the show vlan command to verify your VLAN configuration. This command displays all switchports and their associated VLAN as well as the VLAN status and some extra parameters that relate to Token Ring and FDDI trunks.

You can use the show vlan id [vlan#] command to see information about a particular VLAN. Below you can see a sample output of the show vlan command.

You can also use the show interface [interface name-number] switchport command to display the VLAN
information on the particular interface as well as the interfaces administrative and operational mode (access or trunk mode).

A sample output of this command is presented below:

Use the show ip interface vlan [vlan#] command to display ip related information on a particular VLAN as well as status and MAC address. Here is a sample output of this command:

How to Troubleshoot a VLAN Configuration

Three main steps need to be followed when troubleshooting VLAN problems:

• The first thing you need to do is to make sure that your cable and switch port are good. Always start your troubleshooting procedure by investigating your physical connectivity. Test your cable and make sure it’s working. Check the swith ports link LED to make sure that layer 1 is working properly.
• Next, check your switche’s interface configuration. Use the command show interface [interface name-number] to check whether there are CRC errors or late collisions perceived on the interface.

  These errors are usually the result of physical problems such as bad cable or NIC but can also indicate duplex mismatch with the attached device. If you notice that collisions are increasing continuously, then look for a duplex mismatch problem or even for congestion on the link.

• If two hosts cannot communicate then check whether they are in the same VLAN. If they are positioned into different VLANS then you definitely need a router to be able to enable communication between the two hosts. If a host is not able to connect to the switch, make sure the host belongs to the same subnet as the switchs VLAN.

Organize and Secure Your Network with a VLAN

It’s always a good habit to differentiate hosts in a network either based on departmental differentiation, expertise classification or anything else you think would work. What you end up with are groups that need isolation for better network performance and stronger security.

VLANS are able to accomodate both: better network performace and improved security. VLANs will help you administer your network in a more efficient way, at the same time conserving network resources by preventing flooding of unnecessary traffic within the network.