Understanding Virtual LANs
Agenda
• What Is a VLAN?
• How Does It Work?
• VLAN Technologies
Constraints of Shared LANs
• Users are physically bound
• Subnets are tied to hubs
• Users are grouped by location
• No security on segment
• Addressing is constrained
• Moves require address changes
• Router ports are expensive
Virtual LANs
• One broadcast domain within a switch
• VLANs help manage broadcast domain
• Can be defined on port groups, users, or protocols
• LAN switches and network management software provide a mechanism to create VLANs
Figure: a server farm attached to a switch carrying VLAN 1, VLAN 2 and VLAN 3.
Remove the Physical Boundaries
• Group users by department, team, or application
• Routers provide communication between VLANs
Figure: Engineering, Marketing and Acctg. VLANs spanning Floor 1, Floor 2 and Floor 3.
VLAN Benefits
• Reduced administrative costs: simplify moves, adds, and changes
• Efficient bandwidth utilization: better control of broadcasts
• Improved network security: separate VLAN group for high-security users; relocate servers into secured locations
• Scalability and performance: microsegment with scalability; distribute traffic load
Approaches Can Vary Performance
• Port-Based: VLAN 1, VLAN 2 and VLAN 3 defined by groups of switch ports
• Layer 3-Based: VLANs defined by subnet (subnet 198.22.xx and subnet 198.21.xx)
• MAC-Based: VLAN 1 and VLAN 2 defined by lists of MAC addresses
Establishing VLAN Membership
• Port driven
• MAC address driven
• Network address driven
• Application type driven
Multiple VLANs per Port
Figure: outgoing and incoming broadcasts on a port carrying several VLANs, with stations Mac 1 to Mac 12 grouped by VLAN.
Does This Make Sense in Switched/Shared LANs?
• Requested when multiple clients are attached
• Requires address lookups
• Cannot filter broadcasts on shared segment
• Results in lots of administration, little return
Figure: hubs attached to the switch ports.
Two Physical Topology Approaches
Communicating Between VLANs
• Layer 3 links VLANs together
• Adds additional security and management
• Logical links conserve physical ports
• Multimode, depending on protocol
• Controls access by VLAN
• Up to 255 VLANs per router
Figure: a router running Cisco Internetworking Software connects VLAN 1, VLAN 2 and VLAN 3 either over a single logical link carrying VLANs 1, 2, 3 (logical communication) or over a separate physical link per VLAN.
VLAN Technologies
Inter-Switch Link
Figure: VLAN tag added at the incoming port; VLAN tag stripped by the forwarding port.
Inter-Switch Link (ISL) Carries VLAN Identifier
• Interconnects multiple switches and maintains VLAN information as traffic goes between switches
• Establishes membership through ASICs
• Labels each packet as received ("packet tagging")
• Eliminates lookups and tables
• Transports multiple VLANs across links
• Protocol, endstation-independent
• Easily managed
Packet Tagging as Common VLAN Exchange
• 802.10
• ISL
• 802.1Q
• LANE
• Wide vendor endorsement for 802.1Q tagging standard
• Cisco supports across Fast Ethernet, Gigabit uplinks
• Cisco maps ISL to 802.1Q dynamically with VTP
VLAN Standardization
Level-1 Explicit Tagging
Figure: an untagged Ethernet frame (DES, SRC, Data, FCS) beside an 802.1Q frame, where the VLAN ID field is inserted between the source address (SRC) and the Data, with the FCS following the Data.
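To make the two tagging slides concrete (tag added at the incoming port, stripped at the forwarding port, VLAN ID inserted after the source address), here is an added example in Python that is not part of the deck: it builds and parses an 802.1Q tag and models a port-based switch that floods a broadcast only within one VLAN. The port names, the drop rules and the sample frame are constructed assumptions.

```python
import struct

TPID_8021Q = 0x8100            # EtherType value that announces an 802.1Q tag
BROADCAST = b"\xff" * 6

def tag_frame(frame, vid, pcp=0):
    """Insert the 4-byte 802.1Q tag between the source MAC and the payload."""
    if not 1 <= vid <= 4094:
        raise ValueError("VLAN ID must be 1..4094")
    tci = (pcp << 13) | vid                        # PCP(3) | DEI(1) | VID(12)
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]

def untag_frame(frame):
    """Return (vid, frame without the tag); vid is None for an untagged frame."""
    if len(frame) >= 16 and struct.unpack("!H", frame[12:14])[0] == TPID_8021Q:
        tci = struct.unpack("!H", frame[14:16])[0]
        return tci & 0x0FFF, frame[:12] + frame[16:]
    return None, frame

class VlanSwitch:
    """Port-based VLANs: an access port owns one VLAN, a trunk carries tagged frames."""
    def __init__(self, access, trunks):
        self.access = dict(access)                 # {port: vid}
        self.trunks = set(trunks)

    def flood(self, in_port, frame):
        """Flood a broadcast; return {egress_port: frame} restricted to one VLAN."""
        vid, payload = untag_frame(frame)
        if in_port in self.trunks:
            if vid is None:
                return {}          # assumption: untagged frames on a trunk are dropped
        else:
            if vid is not None:
                return {}          # assumption: tagged frames on an access port are dropped
            vid = self.access[in_port]             # VLAN decided by the incoming port
        out = {}
        for port, pvid in self.access.items():
            if port != in_port and pvid == vid:
                out[port] = payload                # tag stripped at the forwarding port
        for port in self.trunks:
            if port != in_port:
                out[port] = tag_frame(payload, vid)  # tag kept across the uplink
        return out

# Constructed sample: Fa0/2 and Fa0/5 in VLAN 2, Fa0/3 in VLAN 3, Fa0/24 as trunk
SWITCH = VlanSwitch({"Fa0/2": 2, "Fa0/3": 3, "Fa0/5": 2}, ["Fa0/24"])
SAMPLE = BROADCAST + bytes.fromhex("020000000002") + b"\x08\x06" + b"\x00" * 28

print({p: untag_frame(f)[0] for p, f in SWITCH.flood("Fa0/2", SAMPLE).items()})
```

A broadcast entering access port Fa0/2 leaves Fa0/5 untagged and Fa0/24 tagged with VLAN 2; Fa0/3 in VLAN 3 never sees it.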
VLAN Standard Implementation
• Cisco environment uses ISL
• Vendor environment uses an existing, yet different packet tagging method
• Interdomain communication based on 802.1Q standard
Figure: typical environment at Company ABC, with a Cisco domain (ISL) and a Vendor X domain interconnected over 802.1Q.
Virtual Trunk Protocol (VTP)
• VLAN administration and configuration protocol
• Reduces VLAN setup and administration
• Eliminates configuration errors
• Decreases network manager's time adding and managing VLANs
• Maintains security between VLANs
1900 Series (1)
(config)#hostname uniti_1900
uniti_1900(config)#vlan 2 name sales
uniti_1900(config)#vlan 3 name marketing
uniti_1900(config)#exit
uniti_1900#sh vlan
VLAN Name              Status     Ports
--------------------------------------
1    default           Enabled    1-12, AUI, A, B
2    sales             Enabled
3    marketing         Enabled
1002 fddi-default      Suspended
1003 token-ring-defau  Suspended
1004 fddinet-default   Suspended
1005 trnet-default     Suspended
--------------------------------------
[output cut]
1900 Series (2)
uniti_1900(config)#int e0/2
uniti_1900(config-if)#vlan-membership ?
  dynamic  Set VLAN membership type as dynamic
  static   Set VLAN membership type as static
uniti_1900(config-if)#vlan-membership static ?
  <1-1005>  ISL VLAN index
uniti_1900(config-if)#vlan-membership static 2
uniti_1900(config-if)#int e0/3
uniti_1900(config-if)#vlan-membership static 3
uniti_1900(config-if)#
uniti_1900 #sh vlan
VLAN Name              Status     Ports
--------------------------------------
1    default           Enabled    1, 4-12, AUI, A, B
2    sales             Enabled    2
3    marketing         Enabled    3
1002 fddi-default      Suspended
[output cut]
1900 Series (3)
uniti_1900(config)#int f0/26
uniti_1900(config-if)#trunk ?
  auto         Set DISL state to AUTO
  desirable    Set DISL state to DESIRABLE
  nonegotiate  Set DISL state to NONEGOTIATE
  off          Set DISL state to OFF
  on           Set DISL state to ON
uniti_1900(config-if)#trunk on
uniti_1900(config-if)#
uniti_1900 #sh trunk ?
  A  Trunk A
  B  Trunk B
uniti_1900 #sh trunk a
DISL state: On, Trunking: Off, Encapsulation type: Unknown
uniti_1900 #sh trunk b
DISL state: Off, Trunking: Off, Encapsulation type: Unknown
uniti_1900 #
1900 Series (4)
uniti_1900(config)#vtp ?
  client       VTP client
  domain       Set VTP domain name
  password     Set VTP password
  pruning      VTP pruning
  server       VTP server
  transparent  VTP transparent
  trap         VTP trap
uniti_1900(config)#vtp server
uniti_1900(config)#vtp domain uniti
uniti_1900(config)#vtp password cisco
uniti_1900(config)#
1900 Series (5)
uniti_1900 #sh vtp
VTP version: 1
Configuration revision: 4
Maximum VLANs supported locally: 1005
Number of existing VLANs: 7
VTP domain name : uniti
VTP password : cisco
VTP operating mode : Server
VTP pruning mode : Disabled
VTP traps generation : Enabled
Configuration last modified by: 192.168.11.10 at 00-00-0000 00:00:00
uniti_1900 #
2950 Series (1)
uniti_2950#vlan database
uniti_2950(vlan)#vlan 1 name sales
A default VLAN may not have its name changed.
uniti_2950(vlan)#vlan 2 name marketing
VLAN 2 added:
    Name: marketing
uniti_2950(vlan)#vlan 3 name accounting
VLAN 3 added:
    Name: accounting
uniti_2950(vlan)#apply
APPLY completed.
uniti_2950(vlan)#
2950 Series (2)
uniti_2950#sh vlan brief
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                … , Fa0/22, Fa0/23, Fa0/24
2    marketing                        active
3    accounting                       active
10   vlan10                           active
20   vlan20                           active
30   vlan30                           active
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup
2950 Series (3)
uniti_2950#conf t
Enter configuration commands, one per line. End with CNTL/Z.
uniti_2950(config)#int f0/2
uniti_2950(config-if)#switchport access vlan 2
uniti_2950(config-if)#int f0/3
uniti_2950(config-if)#switchport access vlan 3
uniti_2950(config-if)#^Z
2950 Series (4)
uniti_2950#sh vlan brief
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/4, Fa0/5, Fa0/6
                                                …, Fa0/23, Fa0/24
2    marketing                        active    Fa0/2
3    accounting                       active    Fa0/3
10   vlan10                           active
20   vlan20                           active
30   vlan30                           active
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup
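As a check on the access-port assignments just verified with sh vlan brief, here is an added example (not from the deck) in Python that parses that output into a port-to-VLAN map, handling the wrapped Ports column, and reports ports that are not in the VLAN they were meant to be in. The sample output is constructed after the 2950 listing above.

```python
import re

# Constructed sample, modelled on the 2950 "sh vlan brief" output above
SAMPLE_VLAN_BRIEF = """\
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/4, Fa0/5, Fa0/6,
                                                Fa0/23, Fa0/24
2    marketing                        active    Fa0/2
3    accounting                       active    Fa0/3
10   vlan10                           active
1002 fddi-default                     act/unsup
"""

# VLAN id, name, status, then whatever is left of the line as the Ports column
ROW = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s*(.*)$")

def parse_vlan_brief(text):
    """Return {vid: {"name", "status", "ports"}}; indented lines extend ports."""
    vlans, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith(("VLAN", "----")):
            continue                                 # header and separator rows
        m = ROW.match(line)
        if m:
            current = vlans[int(m.group(1))] = {
                "name": m.group(2), "status": m.group(3), "ports": []}
            ports = m.group(4)
        elif current is not None and line.startswith(" "):
            ports = line                             # wrapped continuation of Ports
        else:
            continue
        current["ports"] += [p.strip() for p in ports.split(",") if p.strip()]
    return vlans

def port_vlan_map(vlans):
    """Invert to {port: vid}; an access port is listed under exactly one VLAN."""
    return {p: vid for vid, v in vlans.items() for p in v["ports"]}

def misassigned_ports(vlans, expected):
    """Ports from `expected` ({port: vid}) whose actual VLAN differs (None = absent)."""
    actual = port_vlan_map(vlans)
    return {p: actual.get(p) for p, vid in expected.items() if actual.get(p) != vid}

print(misassigned_ports(parse_vlan_brief(SAMPLE_VLAN_BRIEF), {"Fa0/2": 2, "Fa0/3": 3}))
```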
2950 Series (5)
uniti_2950(config)#int f0/24
uniti_2950(config-if)#switchport mode trunk
uniti_2950#sh run
[output cut]
!
interface FastEthernet0/2
 switchport access vlan 2
 no ip address
…
interface FastEthernet0/24
 switchport mode trunk
 no ip address
!
[output cut]
2950 Series (6)
uniti_2950(config)#vtp mode ?
  client       Set the device to client mode.
  server       Set the device to server mode.
  transparent  Set the device to transparent mode.
uniti_2950(config)#vtp mode server
Device mode already VTP SERVER.
uniti_2950(config)#vtp domain uniti
Changing VTP domain name from NULL to uniti
uniti_2950(config)#vtp password cisco
Setting device VLAN database password to cisco
uniti_2950#sh vtp ?
  counters  VTP statistics
  password  VTP password
  status    VTP domain status
2950 Series (7)
uniti_2950#sh vtp status
VTP Version : 2
Configuration Revision : 2
Maximum VLANs supported locally : 64
Number of existing VLANs : 10
VTP Operating Mode : Server
VTP Domain Name : uniti
VTP Pruning Mode : Disabled
VTP V2 Mode : Disabled
VTP Traps Generation : Disabled
MD5 digest : 0x80 0x44 0xF2 0x33 0x2B 0x87 0x56 0x80
Configuration last modified by 0.0.0.0 at 3-1-93 00:10:15
Local updater ID is 0.0.0.0 (no valid interface found)
uniti_2950#
Inter-VLAN Routing
802.1Q subinterface:
router(config)#int f0/0.1
router(config-subif)#ip address 192.168.1.1 255.255.255.0
router(config-subif)#encapsulation dot1q vlan#
ISL subinterfaces:
router(config)#int f0/0
router(config-if)#no ip address
router(config-if)#no shut
router(config-if)#int f0/0.1
router(config-subif)#ip address 192.168.1.1 255.255.255.0
router(config-subif)#encapsulation isl 1
router(config)#int f0/0.2
router(config-subif)#ip address 192.168.2.1 255.255.255.0
router(config-subif)#encapsulation isl 2
Summary
• VLANs enable logical (instead of physical) groups of users on a switch
• VLANs address the needs for mobility and flexibility
• VLANs reduce administrative overhead, improve security, and provide more efficient bandwidth utilization