Vlan


Lab4-VLAN

LAN

- A local area network (LAN) is a collection of devices connected together in one physical location, such as a building, office, or home.
- A LAN can be small or large, ranging from a home network with one user to an enterprise network with thousands of users and devices in an office or school.

What is VLAN?

- A VLAN is a logical grouping of networking devices.
- When we create VLANs, we actually break a large broadcast domain into smaller broadcast domains.
- Consider a VLAN as a subnet.
- Just as two different subnets cannot communicate with each other without a router, different VLANs also require a router to communicate.

Advantages of VLAN

- Solve the broadcast problem
- Reduce the size of broadcast domains
- Allow us to add an additional layer of security
- Make device management easier
- Allow us to implement the logical grouping of devices by function instead of location

Solve the broadcast problem

- When we connect devices to switch ports, the switch creates a separate collision domain for each port and a single broadcast domain for all ports.
- A switch forwards a broadcast frame out all possible ports.
- In a large network with hundreds of computers, this can create performance issues.
- We could use routers to solve the broadcast problem, but that would be a costly solution, since each broadcast domain requires its own port on the router.
- Switches have a unique solution to the broadcast issue, known as VLAN.
- In practical environments we use VLANs to solve the broadcast issue instead of routers.
- Each VLAN is a separate broadcast domain.
- Logically, VLANs are also subnets. Each VLAN requires a unique number known as the VLAN ID. Devices with the same VLAN ID are members of the same broadcast domain and receive all of its broadcasts.
- These broadcasts are filtered from all ports on the switch that aren't members of the same VLAN.

Reduce the size of broadcast domains

- VLANs increase the number of broadcast domains while reducing their size.
- For example, suppose we have a network of 100 devices.
- Without any VLAN implementation we have a single broadcast domain that contains 100 devices.
- We create 2 VLANs and assign 50 devices to each VLAN.
- Now we have two broadcast domains with fifty devices in each.
- Thus, more VLANs means more broadcast domains with fewer devices in each.

Allow us to add an additional layer of security

- VLANs enhance network security.
- In a typical layer 2 network, all users can see all devices by default.
- Any user can see a network broadcast and respond to it.
- Users can access any network resource located on that network.
- Users could join a workgroup just by attaching their system to an existing switch.
- This could create real trouble on the security front.
- Properly configured VLANs give us total control over each port and user.
- With VLANs, you can prevent users from gaining unwanted access to resources.
- We can put a group of users that need a high level of security into their own VLAN, so that users outside that VLAN can't communicate with them.

Make device management easier

- Device management is easier with VLANs.
- Since VLANs are a logical approach, a device can be located anywhere in the switched network and still belong to the same broadcast domain.
- We can move a user from one switch to another switch in the same network while keeping their original VLAN.
- For example, a company has a five-story building and a single layer 2 network.
- In this scenario, VLANs allow us to move users from one floor to another while keeping their original VLAN ID.
- The only limitation is that the device, when moved, must still be connected to the same layer 2 network.

Allow us to implement the logical grouping of devices by function instead of location

- VLANs allow us to group users by their function instead of their geographic location.
- Switches maintain the integrity of your VLANs.
- Users will see only what they are supposed to see, regardless of their physical location.

VLAN Membership

- VLAN membership can be assigned to a device by one of two methods:
  - Static
  - Dynamic
- These methods decide how a switch will associate its ports with VLANs.

Static

- Assigning VLANs statically is the most common and secure method. It is pretty easy to set up and supervise. In this method we manually assign a VLAN to a switch port. VLANs configured in this way are usually known as port-based VLANs.
- The static method is also the most secure method, since any switch port that we have assigned a VLAN will keep this association until we manually change it. It works really well in a networking environment where any user movement within the network needs to be controlled.

Dynamic

- In the dynamic method, VLANs are assigned to ports automatically depending on the connected device. In this method we configure one switch in the network as a server. The server contains device-specific information such as MAC address, IP address, etc. This information is mapped to a VLAN. The switch acting as the server is known as a VMPS (VLAN Membership Policy Server). Only a high-end switch can be configured as a VMPS. Low-end switches work as clients and retrieve VLAN information from the VMPS.
- Dynamic VLANs support plug-and-play mobility. For example, if we move a PC from one port to another port, the new switch port will automatically be configured for the VLAN to which the user belongs. In the static method we have to do this manually.

VLAN Connections

- During the configuration of a VLAN on a port, we need to know what type of connection it has.
- A switch supports two types of VLAN connection:
  - Access link
  - Trunk link

Access link

- An access link connection is a connection where the switch port is connected to a device that has a standard Ethernet NIC. A standard NIC only understands IEEE 802.3 or Ethernet II frames. An access link connection can only be assigned a single VLAN. That means all devices connected to this port will be in the same broadcast domain.
- For example, if twenty users are connected to a hub, and we connect that hub to an access link port on the switch, then all of these users belong to the same VLAN. If we want to keep ten users in another VLAN, then we have to purchase another hub, plug those ten users into that hub, and then connect it to another access link port on the switch.

Trunk link

- A trunk link connection is a connection where the switch port is connected to a device that is capable of understanding multiple VLANs. Usually a trunk link connection is used to connect two switches, or a switch to a router. Remember that a VLAN can span anywhere in the network; that is possible because of trunk link connections. Trunking allows us to send or receive VLAN information across the network. To support trunking, the original Ethernet frame is modified to carry VLAN information.

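As an added example (not part of the original lab), here is how the static port-based membership, access links and trunk link described above are configured on a Cisco IOS switch; the VLAN IDs 10, 20, 998 and 999, the VLAN names and the port numbers are assumed.

```cisco
! Added example, not the lab's own steps: static (port-based) VLAN
! membership plus one trunk link on a Cisco IOS access switch.
! Assumed: VLAN 10 = SALES, VLAN 20 = HR, VLAN 999 = unused native VLAN,
! VLAN 998 = parking VLAN for unused ports.
Switch> enable
Switch# configure terminal
Switch(config)# vlan 10
Switch(config-vlan)# name SALES
Switch(config-vlan)# vlan 20
Switch(config-vlan)# name HR
Switch(config-vlan)# vlan 998
Switch(config-vlan)# name PARKING
Switch(config-vlan)# vlan 999
Switch(config-vlan)# name NATIVE_UNUSED
Switch(config-vlan)# exit
!
! Access links: each port belongs to exactly one VLAN, so every device
! behind it shares that VLAN's broadcast domain and no other.
Switch(config)# interface range fa0/1 - 2
Switch(config-if-range)# switchport mode access
Switch(config-if-range)# switchport access vlan 10
Switch(config-if-range)# interface range fa0/3 - 4
Switch(config-if-range)# switchport mode access
Switch(config-if-range)# switchport access vlan 20
!
! Trunk link to another switch or a router: carries 802.1Q-tagged frames
! for several VLANs. Limit it to the VLANs that must cross it, move the
! untagged (native) VLAN off VLAN 1, and stop sending DTP negotiation
! frames so the trunk state is fixed by configuration, not by the peer.
Switch(config-if-range)# interface gi0/1
Switch(config-if)# switchport mode trunk
Switch(config-if)# switchport trunk allowed vlan 10,20
Switch(config-if)# switchport trunk native vlan 999
Switch(config-if)# switchport nonegotiate
!
! Unused ports: park them in a VLAN with no gateway and shut them down,
! so plugging into a free port does not join a live broadcast domain.
Switch(config-if)# interface range fa0/5 - 24
Switch(config-if-range)# switchport mode access
Switch(config-if-range)# switchport access vlan 998
Switch(config-if-range)# shutdown
Switch(config-if-range)# end
!
! Verify port-to-VLAN membership and the trunk's allowed/native VLANs.
Switch# show vlan brief
Switch# show interfaces trunk
```
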
Inter-VLAN Routing

- A VLAN is a broadcast domain, which means computers on separate VLANs are unable to communicate without the intervention of a routing device.
- Whenever hosts in one VLAN need to communicate with hosts in another VLAN, the traffic must be routed through a routing device.
- This process is known as inter-VLAN routing.
- To successfully exchange information between VLANs, you need a router or a Layer 3 switch.
- There are three possible ways to implement inter-VLAN routing:
  - Traditional Inter-VLAN Routing
  - Router-on-a-Stick Inter-VLAN Routing
  - Multilayer Switch Inter-VLAN Routing

Traditional Inter-VLAN Routing

- This method of inter-VLAN routing relies on a router with multiple physical interfaces.
- Each interface is connected to the switch, one for each VLAN.
- The switch ports connected to the router are placed in access mode. Each router interface can then accept traffic from the VLAN associated with the switch port it is connected to, and traffic can be routed to the other VLANs connected to the other interfaces.
- This means that each router interface's IP address becomes the default gateway address for the hosts in that VLAN.
- Host A checks whether the destination IP address is in its VLAN; if it is not, the traffic will be forwarded to its default gateway, interface Fa0/0 on the router.
- Host A then sends an ARP request to determine the MAC address of the router's Fa0/0 interface. Once the router replies, Host A sends the frame to the router as a unicast message, and the switch forwards it out the port connected to the router.
- When the router receives the frame, it determines the destination IP address and the outgoing interface from its routing table.
- The router then sends an ARP request out the interface connected to the destination VLAN (VLAN 20), which corresponds to interface Fa0/1 on the router.
- When the switch receives the request, it floods it to the ports in that VLAN, which triggers Host B to reply with its MAC address.
- The router then uses the information gathered to forward the message to Host B on VLAN 20 as a unicast frame through the switch.
- To configure traditional inter-VLAN routing on a Cisco device, follow the steps below:
- At this stage, when you try to ping between Host A and Host B, the ping fails because the two PCs are on separate networks and the router is not yet configured for inter-VLAN routing, so they cannot communicate with one another. Our next step is to configure inter-VLAN routing to enable communication between the VLANs.
- Now, if you try to ping between Host A and Host B, it will be successful because the two VLANs are interconnected through the router.
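The traditional configuration, as an added example that is not part of the original lab: one physical router interface per VLAN, with the interface names Fa0/0 and Fa0/1 taken from the text and the addressing, switch port numbers and VLAN IDs assumed.

```cisco
! Added example, not the lab's own steps: traditional inter-VLAN routing
! with one physical router interface per VLAN. Assumed addressing:
! VLAN 10 = 192.168.10.0/24, gateway 192.168.10.1 on router Fa0/0
! VLAN 20 = 192.168.20.0/24, gateway 192.168.20.1 on router Fa0/1
!
! Switch: host ports and router-facing ports are all plain access ports.
Switch(config)# vlan 10
Switch(config-vlan)# vlan 20
Switch(config-vlan)# exit
! Host A (fa0/1) and the link to router Fa0/0 (fa0/2) sit in VLAN 10
Switch(config)# interface range fa0/1 - 2
Switch(config-if-range)# switchport mode access
Switch(config-if-range)# switchport access vlan 10
! Host B (fa0/3) and the link to router Fa0/1 (fa0/4) sit in VLAN 20
Switch(config-if-range)# interface range fa0/3 - 4
Switch(config-if-range)# switchport mode access
Switch(config-if-range)# switchport access vlan 20
Switch(config-if-range)# end
!
! Router: each physical interface holds the default gateway of one VLAN.
Router(config)# interface fa0/0
Router(config-if)# ip address 192.168.10.1 255.255.255.0
Router(config-if)# no shutdown
Router(config-if)# interface fa0/1
Router(config-if)# ip address 192.168.20.1 255.255.255.0
Router(config-if)# no shutdown
Router(config-if)# end
!
! Both subnets now appear as directly connected routes. Host A must use
! 192.168.10.1 and Host B 192.168.20.1 as default gateway; otherwise the
! ping still fails even though the router itself is configured.
Router# show ip route
```
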
- Traditional inter-VLAN routing is the earliest form of inter-VLAN routing. However, it is not efficient. It is archaic and no longer employed in today's switched networks, because routers have a limited number of physical interfaces that can be used to connect to different VLANs. Therefore, as the number of VLANs on a network increases, the approach of having one physical router interface per VLAN becomes unsustainable due to the inherent hardware limitations of a router. To overcome some of the issues associated with traditional inter-VLAN routing, a new method known as router-on-a-stick was invented.

Router-on-a-Stick Inter-VLAN Routing

- Router-on-a-stick is a method of inter-VLAN routing in which the router is connected to the switch using a single physical interface, hence the name.
- Unlike the traditional inter-VLAN routing method, router-on-a-stick does not require multiple physical interfaces on the router and the switch. Instead, the router's operating system makes it possible to configure the router interface to operate as a trunk link, which is then connected to a switch port configured in trunk mode. This implies that only one physical interface is required on the router and on the switch to route packets between multiple VLANs.
- The IEEE 802.1Q (Dot1q) protocol, which defines a system of VLAN tagging for Ethernet frames, is used to provide multi-vendor VLAN support.
- The single physical interface on the router is divided into logical (virtual) subinterfaces, which can be configured with multiple IP addresses that correspond to the VLANs on the switch.
- Each subinterface is configured for a different subnet corresponding to its VLAN assignment, to facilitate logical routing.
- The router performs inter-VLAN routing by accepting traffic from all the VLANs.
- It then determines the destination network based on the source and destination IP addresses in the packets.
- After a routing decision is made based on the destination VLAN, it forwards the data frames to the switch with the correct VLAN information through the same physical interface used to receive the traffic.
- Host A sends its unicast traffic to the switch.
- The switch then tags the unicast traffic as originating on VLAN 10 and forwards it out its trunk link to the router.
- The router accepts the tagged unicast traffic on VLAN 10 and routes it to VLAN 20 using its configured subinterfaces.
- The unicast traffic is tagged with VLAN 20 as it is sent out the router interface to the switch.
- The switch removes the VLAN tag from the unicast frame and forwards the frame directly to Host B on port Fa0/3.
- To configure router-on-a-stick inter-VLAN routing on a Cisco device, follow the steps below:
- A ping between Host A and Host B will be successful because the two VLANs are now interconnected through the router.
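Router-on-a-stick configuration, as an added example that is not part of the original lab: the trunk port, the router interface name, the addressing and the native VLAN 999 are assumed.

```cisco
! Added example, not the lab's own steps: router-on-a-stick with 802.1Q
! subinterfaces. Assumed: switch port Gi0/1 is the trunk to router Gi0/0;
! VLAN 10 = 192.168.10.0/24, VLAN 20 = 192.168.20.0/24, VLAN 999 = native.
!
! Switch side: the port facing the router is a trunk, not an access port.
Switch(config)# interface gi0/1
Switch(config-if)# switchport mode trunk
Switch(config-if)# switchport trunk allowed vlan 10,20,999
Switch(config-if)# switchport trunk native vlan 999
Switch(config-if)# switchport nonegotiate
Switch(config-if)# end
!
! Router side: the physical interface carries no IP address; each 802.1Q
! subinterface is bound to one VLAN ID and holds that VLAN's gateway.
Router(config)# interface gi0/0
Router(config-if)# no shutdown
Router(config-if)# interface gi0/0.10
Router(config-subif)# encapsulation dot1Q 10
Router(config-subif)# ip address 192.168.10.1 255.255.255.0
Router(config-subif)# interface gi0/0.20
Router(config-subif)# encapsulation dot1Q 20
Router(config-subif)# ip address 192.168.20.1 255.255.255.0
!
! The native VLAN must match on both ends of the trunk: frames arriving
! untagged belong to it, so keep it an empty VLAN with no user hosts.
Router(config-subif)# interface gi0/0.999
Router(config-subif)# encapsulation dot1Q 999 native
Router(config-subif)# end
!
! Verify: subinterfaces are up on the router, and the switch reports
! VLANs 10 and 20 as allowed and active on the trunk.
Router# show ip interface brief
Switch# show interfaces trunk
```
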
- The router-on-a-stick method of inter-VLAN routing also has some limitations, such as scalability and latency issues. To overcome these issues, Cisco developed a better alternative: multilayer switch inter-VLAN routing.

Multilayer Switch Inter-VLAN Routing

- Multilayer switch inter-VLAN routing is a method of inter-VLAN routing in which a different kind of switch, known as a multilayer switch, is used to perform routing functions.
- A multilayer switch is a hybrid device that combines the functions of a switch with those of a router, which enables it to operate on both Layer 2 (L2) and Layer 3 (L3) of the OSI model, hence the name multilayer.
- Unlike the router-on-a-stick method, multilayer switch inter-VLAN routing does not require a dedicated router: everything happens inside the switch.
- Multilayer switches perform all VLAN routing functions on the network, thereby replacing the need for dedicated routers or trunk links to them.
- To enable a multilayer switch to perform routing functions, logical (virtual) interfaces known as Switch Virtual Interfaces (SVIs) are used, one for each VLAN. An SVI, also known as a VLAN interface, is a virtual routed interface that connects a VLAN on the device to the Layer 3 routing engine within the same device. The SVIs are configured with IP addresses that correspond to the VLANs on the switch; each SVI is configured for a different subnet corresponding to its assigned VLAN, to facilitate logical routing.
- When the multilayer switch receives a packet from a VLAN on the Layer 2 switch that is destined for another VLAN, the multilayer switch performs the routing. Let's take a look at the diagram shown.
- If Host A in VLAN 10 wants to send a message to Host B in VLAN 20, the steps are as follows:
  - Host A sends its unicast traffic to the directly connected L2 switch.
  - The L2 switch tags the unicast traffic as originating on VLAN 10 and forwards it to the L3 switch via the trunk link.
  - The L3 switch removes the VLAN tag and forwards the unicast traffic internally to the VLAN 10 virtual interface.
  - The L3 switch internally routes the unicast traffic to its VLAN 20 virtual interface, retags the traffic, and forwards it back to the L2 switch via the trunk link.
  - The L2 switch removes the VLAN tag from the unicast frame and forwards the frame directly to Host B on port Fa0/3.
- Again, a ping between Host A and Host B will be successful because the two VLANs are now interconnected through the multilayer switch.
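SVI-based inter-VLAN routing on a Cisco multilayer switch, as an added example that is not part of the original lab; the trunk port name, the addressing and the VLAN names are assumed.

```cisco
! Added example, not the lab's own steps: inter-VLAN routing on a Cisco
! multilayer (L3) switch using SVIs. Assumed: Gi0/1 is the trunk to the
! L2 access switch; VLAN 10 = 192.168.10.0/24, VLAN 20 = 192.168.20.0/24.
!
! Routing between SVIs is off by default on a multilayer switch.
L3Switch(config)# ip routing
L3Switch(config)# vlan 10
L3Switch(config-vlan)# name SALES
L3Switch(config-vlan)# vlan 20
L3Switch(config-vlan)# name HR
L3Switch(config-vlan)# exit
!
! Trunk toward the L2 switch. On platforms that also support ISL (for
! example the 3560) the encapsulation must be set to dot1q before the
! port can be made a trunk; dot1q-only platforms reject that command.
L3Switch(config)# interface gi0/1
L3Switch(config-if)# switchport trunk encapsulation dot1q
L3Switch(config-if)# switchport mode trunk
L3Switch(config-if)# switchport trunk allowed vlan 10,20
!
! One SVI per VLAN; its address is the default gateway for that VLAN.
L3Switch(config-if)# interface vlan 10
L3Switch(config-if)# ip address 192.168.10.1 255.255.255.0
L3Switch(config-if)# no shutdown
L3Switch(config-if)# interface vlan 20
L3Switch(config-if)# ip address 192.168.20.1 255.255.255.0
L3Switch(config-if)# no shutdown
L3Switch(config-if)# end
!
! An SVI only comes up when its VLAN exists and at least one active port
! or trunk carries that VLAN; check both before blaming routing.
L3Switch# show ip interface brief
L3Switch# show ip route
```
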
Multilayer switch inter-VLAN routing is faster and more scalable than any other inter-VLAN routing implementation. This is because routers are limited by the number of available physical interfaces or ports, as well as by the amount of traffic that can be accommodated on the trunk link at one time. However, a multilayer switch does not totally replace the functionality of a router, as routers support a wide range of other supplementary features and capabilities.
