Vlans


In order to implement VLANs in a network environment, you'll need a Layer 2 switch that supports them. Almost all switches sold today that are described as "managed" switches provide the ability to make ports members of different VLANs. However, switches that don't provide any configuration function (such as many basic, lower-end switches) don't provide the ability to configure VLANs. Almost any Cisco Catalyst switch that you'll come across today provides the ability to make ports part of different VLANs.

Before getting into the details of how a VLAN functions, it's worth exploring some of the advantages that a VLAN provides. First and foremost, VLANs provide the ability to define broadcast domains without the constraint of physical location. For example, instead of making all of the users on the third floor part of the same broadcast domain, you might use VLANs to make all of the users in the HR department part of the same broadcast domain. The benefits of doing this are many. Firstly, these users might be spread throughout different floors on a building, so a VLAN would allow you to make all of these users part of the same broadcast domain. To that end, this can also be viewed as a security feature - since all HR users are part of the same broadcast domain, you could later use policies such as access lists to control which areas of the network these users have access to, or which users have access to the HR broadcast domain. Furthermore, if the HR department's server were placed on the same VLAN, HR users would be able to access their server without the need for traffic to cross routers and potentially impact other parts of the network.

VLANs are defined on a switch on a port-by-port basis. That is, you might choose to make ports 1-6 part of VLAN 1, and ports 7-12 part of VLAN 2. There's no need for ports in the same VLAN to be contiguous at all - you could make ports 1, 3 and 5 on a switch part of VLAN 1, for example. On almost all switches today, all ports are part of VLAN 1 by default. If you want to implement additional VLANs, these must first be defined in the switch's software (such as the IOS on a Cisco switch), and then ports must be made members of that VLAN. A VLAN isn't limited to a single switch, either. If trunk links are used to interconnect switches, a VLAN might have 3 ports on one switch, and 7 ports on another, as shown below. The logical nature of a VLAN makes it a very effective tool, especially in larger networking environments.

Inter-VLAN Communication

I mentioned a few times already that a VLAN is simply a special type of broadcast domain, in that it is defined on a switch port basis rather than on traditional physical boundaries. Recall from the earlier articles in this series that when a host in one broadcast domain wishes to communicate with another, a router must be involved. This same holds true for VLANs. For example, imagine that port 1 on a switch is part of VLAN 1, and port 2 part of VLAN 99. If all of the switch's ports were part of VLAN 1, the hosts connected to these ports could communicate without issue. However, once the ports are made part of different VLANs, this is no longer true. In order for a host connected to port 1 to communicate with another connected to port 2, a router must be involved.

You may already be familiar with the concept of a Layer 3 switch. A Layer 3 switch is generally a Layer 2 switching device that also includes the ability to act as a router, usually through the use of additional hardware and software features. If a switch includes Layer 3 capabilities, it can be configured to route traffic between VLANs defined in the switch, without the need for packets to ever leave the switch. However, if a switch only includes Layer 2 functionaility, an external router must be configured to route traffic between the VLANs. In some cases, it's entirely possible that a packet will leave switch port 1, be forwarded to an external router, and then be routed right back to port 2 on the originating switch. For this reason, many companies have decided to implement Layer 3 switches strategically throughout their network. Regardless of the method chosen, it's most important for you to recognize that when a host on one VLAN wants to communicate with a host on another, a router must somehow be involved.

Extending VLANs Between Switches

In order to extend VLANs across different switches, a trunk link must interconnect the switches. Think of a trunk link as being similar to an uplink between hubs - usually a trunk link is implemented between fast switch ports on two different switches using a crossover cable. For example, you might interconnect two Gigabit Ethernet ports on different switches using fiber optics, or two 100 Mbps switch ports using a traditional Cat5 crossover cable. In most cases it is generally recommended that you use the fastest port available for trunk connections, since this link will often carry a great deal of traffic, possibly for multiple VLANs.

To begin, let's assume that you have connected a link between the 100 Mbps ports of two switches, as shown below. Notice that each of these ports are members of VLAN 1 on each switch. By default, without any additional configuration, these ports will act as a trunk link, but will only pass traffic for the VLAN associated with their port connections - VLAN 1. This type of link, where only traffic for a single VLAN is passed, is referred to as an "Access Link". While an access link does the job for a single VLAN environment, multiple access links would be required if you wanted traffic from multiple VLANs to be passed between switches. Having multiple access links between the same pair of switches would be a big waste of switch ports. Obviously another solution is required when traffic for multiple VLANs needs to be transferred across a single trunk link. The solution for this comes through the use of VLAN tagging.

VLAN Tagging

When you want traffic from multiple VLANs to be able to traverse a link that interconnects two switches, you need to configure a VLAN tagging method on the ports that supply the link. Although there are a number of tagging methods in use for different technologies, the two that you need to be aware of for the purpose of the CCNA exam are known as InterSwitch Link (ISL) and 802.1q. ISL is a Cisco proprietary VLAN tagging methods, while 802.1q is a open standard. When interconnecting two Cisco switches, ISL is usually the best choice, but if you need to interconnect switches of different types (a Cisco switch and an Avaya switch, for example), then you'll need to use IETF.

For the CCNA exam, the only thing that you really need to know about 802.1q is that it is the open standard for VLAN tagging, and should be used in mixed environments. The exam expects you to have a somewhat deeper understanding of ISL, including how it works, when it can be used, and ultimately, its purpose.

First and foremost, you need to be aware that ISL will only function on ports with a speed of 100 Mbps or greater. That is, you cannot use ISL in conjunction with a 10 Mbps port. That shouldn't be an issue, since most Cisco Catalyst switches provide at least one or two Fast Ethernet ports, even on lower-end models like the 1912. Secondly, the ports on either end of the link need to support and be configured for ISL.

ISL is referred to as a VLAN tagging method. Essentially, what ISL does is tag a frame as it leaves a switch with information about the VLAN that the frame belongs to. For example, if a frame from VLAN 99 is leaving a switch, the ISL port will add information to the frame header, designating that the frame is part of VLAN 99. When this ISL frame reaches the port at the other end of the switch, it will look at the ISL header, determine that the frame is meant for VLAN 99, will strip off the ISL information, and will forward it into VLAN 99. One of the issues with VLAN tagging is that by adding information to an Ethernet frame, the size of the frame can move beyond the Ethernet maximum of 1518 bytes, to 1522 bytes. Because of this, all non-ISL ports will see frames larger than 1518 bytes as giants, and as such, invalid. This is the reason why a port needs to be configured for ISL in order for it to understand this different frame format.

One VLAN tagging is configured on the ports associated with the link connecting switches, the link is known as a "Trunk Link". A trunk link is capable of transferring frames from many different VLANs through the use of technologies like ISL or 802.1q.

A better strategy here would be to configure ISL tagging on one of the router's Fast Ethernet interfaces, and then configure ISL on the connected switch port. This configuration, also known as a "router on a stick", would allow the router to process the traffic of multiple VLANs, and route traffic between them. We'll get into the details of routing within the next few articles.

Beyond its intended purpose of configuring trunk links between switches, ISL is often used in other ways. For example, it is possible to purchase network interface cards that support ISL. If a server were configured with an ISL-capable network card, it could be connected to an ISL port on a switch.

This would allow a server to be made part of multiple VLANs simultaneously, the benefit being that hosts from different broadcast domains could then access the server without the need for their packets to be routed. While this may seem like a perfect solution, you need to remember than the server would now see all traffic from these VLANs, which could negatively impact performance.

I hope this article has provided you the good information about the Vlans.

This articles is submitted by Kashif Raza http://www.networkingtutorials.net

home | site map
© 2005