Virtual Local Area Network (VLANs)

A LAN is a single broadcast domain: the group of devices that will all receive a broadcast frame (destination MAC FF:FF:FF:FF:FF:FF) sent by any one of them.

By default a Layer 2 switch floods broadcast, multicast and unknown-unicast frames out every port except the one the frame arrived on. A switch can, however, be logically segmented into separate broadcast domains called Virtual LANs (VLANs).

Each VLAN is a separate broadcast domain:

a. Traffic between devices in the same VLAN is switched.
b. Traffic between devices in different VLANs must pass through a Layer 3 device (a router or a Layer 3 switch).

The separation a VLAN provides is a Layer 2 function: VLAN tags are carried in the Layer 2 header. A switch that supports VLANs is not necessarily a Layer 3 switch, and a pure Layer 2 switch cannot route between VLANs.

In the figure, Host A can communicate with Host B and vice versa, but the hosts in VLAN 100 cannot communicate with the hosts in VLAN 200: they are in different segments and need a Layer 3 device to reach each other.

Note: On Cisco switches VLAN 1 is the default VLAN. Every port belongs to it until it is assigned elsewhere, and control-plane traffic such as CDP, STP, VTP and DTP is carried on it. Best practice is to leave VLAN 1 to that system traffic and keep management and user traffic in other VLANs.
VLANs provide several benefits:
1. Broadcast control – broadcasts stay inside their VLAN instead of reaching every port on the switch.
2. Security – hosts in different VLANs cannot talk at Layer 2; their traffic has to cross a router or Layer 3 switch, where access lists can enforce policy.
3. Flexibility – VLAN membership follows the port configuration, not the physical location, so a user can be placed in a VLAN from any switch port.
Figure callouts (show vlan brief on a new switch):
• VLAN 1 and VLANs 1002-1005 exist by default and cannot be deleted.
• All ports are in the default VLAN 1.
• VLANs 1002-1005 are reserved for FDDI and Token Ring, which are not used and obsolete today.
VLAN Membership
VLAN membership can be configured in one of two ways:
1. Statically
2. Dynamically

Static assignment means manually assigning an individual port or a group of ports to a VLAN. Any host connected to such a port immediately becomes a member of that VLAN; this is transparent to the host.

VLANs can also be assigned dynamically based on the MAC address of the host, so a host stays in the same VLAN regardless of which switch port it is connected to. Dynamic assignment requires a separate database that maintains the MAC-to-VLAN relationship; Cisco developed the VLAN Membership Policy Server (VMPS) to provide this. VMPS is legacy; today dynamic VLAN assignment is normally done with IEEE 802.1X, where the RADIUS server returns the VLAN for the authenticated user or device.
VLAN Configuration
Layer2_Switch(config)#int range fa0/1-fa0/2
Layer2_Switch(config-if-range)#switchport mode access
Layer2_Switch(config-if-range)#switchport access vlan 10
% Access VLAN does not exist. Creating vlan 10
Layer2_Switch(config-if-range)#

An access port is a switch port that belongs to a single VLAN and usually connects to an end host such as a PC. Switch ports that carry multiple VLANs are called trunk ports.

Layer2_Switch(config)#int range fa0/3-fa0/4


Layer2_Switch(config-if-range)#switchport mode access
Layer2_Switch(config-if-range)#switchport access vlan 20
% Access VLAN does not exist. Creating vlan 20
Layer2_Switch(config-if-range)#
You can confirm the VLAN creation with show vlan brief.
Give each VLAN a name so that it is clear which department or tier it was created for:
Layer2_Switch(config)#vlan 10
Layer2_Switch(config-vlan)#name Sales
Layer2_Switch(config-vlan)#vlan 20
Layer2_Switch(config-vlan)#name Presales

You can also create the VLAN first and then assign interfaces to it, as in the example below:
Layer2_Switch(config)#vlan 30
Layer2_Switch(config-vlan)#name IT

Layer2_Switch(config)#interface range fa0/5-fa0/10


Layer2_Switch(config-if-range)#switchport mode access
Layer2_Switch(config-if-range)#switchport access vlan 30
Configuring router interfaces to pass traffic between VLANs

Figure callouts:
• Each router Ethernet interface connects to a switch port placed in the respective VLAN.
• Each router interface is configured with an IP address in that VLAN's subnet.
• A Presales client reaches a Sales client via switch -> router -> switch -> Sales client.

The router has two interfaces: one connected to the Sales VLAN and the other to the Presales VLAN. On the switch we only need to make sure the ports are in the respective VLANs; here Fa0/5 and Fa0/6 are placed in the Sales and Presales VLANs respectively. This uses one physical router interface per VLAN; the router-on-a-stick configuration later in this document does the same job over a single trunk.
VLAN Ports
Switch ports are Layer 2-only interfaces associated with a physical port. A switch port belongs to exactly one VLAN if it is an access port, or carries many VLANs if it is a trunk port. Frames are handled differently according to the port type.
There are two main types of ports:
Access Port – An access port belongs to, and carries traffic for, only one VLAN. Frames are sent and received in native format with no VLAN tag, and anything that arrives on an access port is assumed to belong to that VLAN. A tagged (IEEE 802.1Q) frame arriving on an access port for a different VLAN is dropped; the port never acts as a trunk.
Devices on access ports cannot reach devices outside their VLAN unless the traffic is routed. A switch port is either an access port or a trunk port, never both.
Trunk Port – A trunk port carries the traffic of multiple VLANs at the same time. A trunk is a point-to-point link between two switches, between a switch and a router, or between a switch and a server, and can carry any VLAN from 1 to 4094 (only 1-1005 unless extended VLANs are supported).
Trunks carry the frames of the various VLANs across the link. If the link between two switches is not trunked, only the port's configured access VLAN crosses that link.
Figure: untagged (access) port and tagged (trunk) port.
The VLAN range 1-4094 is divided into two sections:
Normal VLANs: 1-1005
Extended VLANs: 1006-4094
Some older devices do not support extended VLANs. On Cisco IOS with VTP version 1 or 2 the switch must be in VTP transparent mode to create them; VTP version 3 can propagate them.

802.1Q has a feature called the native VLAN; ISL has no equivalent. The native VLAN is VLAN 1 by default on every trunk port. It can be changed, but the setting is made per trunk port, not globally.

The switch does not add an 802.1Q tag to frames in the native VLAN; it forwards them untagged. When the receiving switch gets an untagged frame on a trunk port, it assumes the frame belongs to the native VLAN. It is therefore important that the native VLAN matches on both ends of the trunk.
VLAN Frame Tagging/Identification
When a VLAN spans multiple switches, a mechanism is needed to identify which VLAN a frame belongs to as it crosses the link between them. This is done with frame tagging.
Tagging only occurs when a frame is sent out a trunk port (and, on an 802.1Q trunk, not for the native VLAN). Traffic sent out an access port is never tagged.
If HostA sends a frame to HostB, no frame tagging occurs:
• The frame never leaves SwitchA.
• The frame stays within its own VLAN.
• The frame is simply switched to HostB.

If HostA sends a frame to HostC, which is in a separate VLAN:

• The frame again never leaves the switch.
• Frame tagging still does not occur.
• Because HostC is in a different VLAN, the frame must be routed: HostA addresses it to its default gateway, not to HostC.

If HostA sends a frame to HostD, which is on a separate switch:

• The frame is sent out the trunk port to SwitchB.
• The frame must be tagged as it is sent out the trunk port.
• The frame is tagged with its VLAN ID, VLAN 100 in this example.
• When SwitchB receives the frame, it will only forward it out ports belonging to VLAN 100: gi1/20 and gi1/21 if it does not yet know where HostD is.
• If SwitchB has HostD's MAC address in its table, it forwards the frame only out the appropriate port, gi1/20.
• The VLAN tag is stripped from the frame before it is forwarded to the host.
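The walkthrough above as a small simulation. This is an added example, not code from the original slides: it models a VLAN-aware switch (per-VLAN MAC table, access ports untagged, trunk tagging everything but its native VLAN, flooding limited to ports that carry the VLAN) and replays the HostA/B/C/D cases. Only the SwitchB ports gi1/20 and gi1/21 come from the text; the other port names and the host MAC labels are assumptions. One point the simulation makes explicit that the text does not: a real switch floods an unknown unicast within the VLAN, trunk included, so "the frame never leaves SwitchA" holds once SwitchA has learned HostB's MAC.

```python
"""VLAN-aware Layer 2 forwarding, simulated (added example, not from the slides)."""
from dataclasses import dataclass
from typing import Optional

ALL_VLANS = frozenset(range(1, 4095))


@dataclass
class Frame:
    src: str
    dst: str
    tag: Optional[int] = None        # 802.1Q VID on the wire, None when untagged


@dataclass
class Port:
    name: str
    mode: str                        # "access" or "trunk"
    vlan: int = 1                    # access VLAN, or native VLAN for a trunk
    allowed: frozenset = ALL_VLANS   # allowed list (trunks only)


class Switch:
    def __init__(self, name: str):
        self.name = name
        self.ports: dict[str, Port] = {}
        self.mac_table: dict[tuple[int, str], str] = {}   # (vlan, mac) -> port name

    def add(self, *ports: Port) -> None:
        for p in ports:
            self.ports[p.name] = p

    def _ingress_vlan(self, port: Port, frame: Frame) -> Optional[int]:
        """Classify an incoming frame; None means the frame is dropped."""
        if port.mode == "access":
            if frame.tag is not None and frame.tag != port.vlan:
                return None                          # tagged for another VLAN on an access port
            return port.vlan
        vlan = port.vlan if frame.tag is None else frame.tag   # untagged on a trunk -> native VLAN
        return vlan if vlan in port.allowed else None

    def _carries(self, port: Port, vlan: int) -> bool:
        return port.vlan == vlan if port.mode == "access" else vlan in port.allowed

    def _egress(self, port: Port, vlan: int, frame: Frame):
        # access ports and the trunk's native VLAN go out untagged, everything else is tagged
        tag = None if port.mode == "access" or vlan == port.vlan else vlan
        return port.name, Frame(frame.src, frame.dst, tag)

    def receive(self, in_port: str, frame: Frame):
        """Return the list of (port name, frame) pairs the switch transmits."""
        port = self.ports[in_port]
        vlan = self._ingress_vlan(port, frame)
        if vlan is None:
            return []
        self.mac_table[(vlan, frame.src)] = in_port           # learn the source, per VLAN
        known = self.mac_table.get((vlan, frame.dst))
        if known is not None and known != in_port:
            targets = [self.ports[known]]
        else:                                                 # unknown or broadcast: flood in VLAN
            targets = [p for n, p in self.ports.items()
                       if n != in_port and self._carries(p, vlan)]
        return [self._egress(p, vlan, frame) for p in targets]


def build_lab():
    """Two switches joined by a trunk; port names other than gi1/20 and gi1/21 are assumed."""
    sw_a, sw_b = Switch("SwitchA"), Switch("SwitchB")
    sw_a.add(Port("fa0/1", "access", 100),    # HostA
             Port("fa0/2", "access", 100),    # HostB
             Port("fa0/3", "access", 200),    # HostC
             Port("gi0/1", "trunk", 1))       # trunk to SwitchB, native VLAN 1
    sw_b.add(Port("gi0/1", "trunk", 1),
             Port("gi1/20", "access", 100),   # HostD
             Port("gi1/21", "access", 100),
             Port("gi1/22", "access", 200))
    return sw_a, sw_b


def walkthrough():
    sw_a, sw_b = build_lab()
    sw_a.receive("fa0/2", Frame("B", "ff:ff:ff:ff:ff:ff"))   # SwitchA has already learned HostB
    results = {}
    results["A->B"] = sw_a.receive("fa0/1", Frame("A", "B"))
    results["A->C"] = sw_a.receive("fa0/1", Frame("A", "C"))
    on_switch_a = sw_a.receive("fa0/1", Frame("A", "D"))     # HostD unknown: flooded in VLAN 100
    results["A->D on SwitchA"] = on_switch_a
    tagged = dict(on_switch_a)["gi0/1"]                       # the copy that crossed the trunk
    results["A->D on SwitchB (HostD unknown)"] = sw_b.receive("gi0/1", tagged)
    sw_b.receive("gi1/20", Frame("D", "A"))                   # HostD replies, SwitchB learns it
    results["A->D on SwitchB (HostD known)"] = sw_b.receive("gi0/1", tagged)
    return results


if __name__ == "__main__":
    for case, out in walkthrough().items():
        print(case, [(p, f.tag) for p, f in out])
```

Running it shows the HostA-to-HostB frame leaving only fa0/2 untagged, the HostA-to-HostC frame never being offered to fa0/3, the trunk copy carrying tag 100, SwitchB flooding to gi1/20 and gi1/21 until it learns HostD, and the tag being gone on the access port.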
Frame Tagging Protocol
Cisco switches have supported two frame tagging protocols.
ISL (Inter-Switch Link) – An old Cisco-proprietary protocol created before IEEE 802.1Q. It works at Layer 2 by encapsulating the whole original frame in a new 26-byte header and a new 4-byte CRC, and it supported media such as Ethernet, Token Ring and ATM.
IEEE 802.1Q (dot1q) – The industry-standard frame tagging protocol. Dot1q embeds a 4-byte VLAN tag directly into the Layer 2 frame header (the FCS is recomputed). Its 12-bit VLAN ID gives 4096 values, of which 4094 (1-4094) are usable on a trunk.
Note: ISL is legacy and modern Cisco equipment does not support it. For the CCNA you should learn 802.1Q (dot1q).
802.1Q tag format (4 bytes, inserted between the source MAC address and the EtherType):

Tag Protocol Identifier [TPID] – 16 bits, always set to 0x8100 to indicate an 802.1Q tag. This is what distinguishes a tagged frame from an untagged one: a receiver sees 0x8100 where the EtherType would otherwise be.
Tag Control Information [TCI] – 16 bits, consisting of three sub-fields: PCP, DEI and VID.
PCP (Priority Code Point) – 3 bits, used for Class of Service (CoS) to prioritise important traffic in a congested network.
DEI (Drop Eligible Indicator) – 1 bit, marks frames that may be dropped if the network is congested.
VID (VLAN ID) – 12 bits (2^12 = 4096 values, range 0-4095). VLAN 0 and 4095 are reserved and cannot be used, so the usable range is 1-4094.
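The tag layout above, handled on raw bytes. This is an added example, not code from the slides. It builds and parses the TPID/PCP/DEI/VID fields, inserts and strips a tag the way a trunk and an access port do, and then shows why the native VLAN matters for security: a frame carrying two tags whose outer VID equals the trunk's native VLAN loses its outer tag on the trunk (native VLAN frames go untagged), and the next switch classifies it by the inner tag. The sample frame is constructed here, not captured, and the MAC addresses in it are made up.

```python
"""Build, parse, insert and strip IEEE 802.1Q tags on raw Ethernet frames (added example)."""
import struct

TPID_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800

# Constructed sample (not a capture): broadcast dst, made-up src, IPv4 EtherType, 4 payload bytes
ETH_SAMPLE = (bytes.fromhex("ffffffffffff") + bytes.fromhex("001122334455")
              + struct.pack("!H", ETHERTYPE_IPV4) + b"\x45\x00\x00\x1c")


def build_tag(vid: int, pcp: int = 0, dei: int = 0) -> bytes:
    """Return the 4-byte tag: TPID (16 bits) then TCI = PCP(3) | DEI(1) | VID(12)."""
    if not (0 <= vid <= 4095 and 0 <= pcp <= 7 and dei in (0, 1)):
        raise ValueError("PCP 0-7, DEI 0-1, VID 0-4095")
    tci = (pcp << 13) | (dei << 12) | vid
    return struct.pack("!HH", TPID_8021Q, tci)


def parse_frame(frame: bytes):
    """Return (dst, src, tags, ethertype, payload). tags is a list of (pcp, dei, vid),
    outermost first; it is empty for an untagged frame."""
    dst, src, offset, tags = frame[:6], frame[6:12], 12, []
    while len(frame) >= offset + 4 and struct.unpack("!H", frame[offset:offset + 2])[0] == TPID_8021Q:
        tci = struct.unpack("!H", frame[offset + 2:offset + 4])[0]
        tags.append((tci >> 13, (tci >> 12) & 1, tci & 0x0FFF))
        offset += 4
    ethertype = struct.unpack("!H", frame[offset:offset + 2])[0]
    return dst, src, tags, ethertype, frame[offset + 2:]


def tag_frame(frame: bytes, vid: int, pcp: int = 0) -> bytes:
    """Insert a tag right after the source MAC (what a trunk port does on egress)."""
    return frame[:12] + build_tag(vid, pcp) + frame[12:]


def strip_outer_tag(frame: bytes) -> bytes:
    """Remove the outermost tag (what an access port does on egress)."""
    if len(frame) < 16 or struct.unpack("!H", frame[12:14])[0] != TPID_8021Q:
        return frame
    return frame[:12] + frame[16:]


def trunk_ingress_vlan(frame: bytes, native_vlan: int) -> int:
    """VLAN a receiving trunk assigns: the outer VID if tagged, otherwise the native VLAN."""
    tags = parse_frame(frame)[2]
    return tags[0][2] if tags else native_vlan


def double_tag_demo(outer_vid=1, inner_vid=20, native_vlan=1, tag_native=False):
    """A frame with two tags. The outer VID stands in for the sender's VLAN at the
    first switch. If that VLAN is the trunk's native VLAN, the first switch sends
    the frame untagged, the outer tag disappears, and the second switch classifies
    the frame by the inner tag. Returns (VLAN at first switch, VLAN at second switch)."""
    frame = tag_frame(tag_frame(ETH_SAMPLE, inner_vid), outer_vid)
    first = trunk_ingress_vlan(frame, native_vlan)
    # native-VLAN frames cross the trunk untagged unless native tagging is forced
    on_trunk = frame if (first != native_vlan or tag_native) else strip_outer_tag(frame)
    second = trunk_ingress_vlan(on_trunk, native_vlan)
    return first, second


if __name__ == "__main__":
    print(build_tag(100, pcp=5, dei=1).hex())            # 8100b064
    print(parse_frame(tag_frame(ETH_SAMPLE, 100))[2])    # [(0, 0, 100)]
    print(double_tag_demo())                             # (1, 20): inner tag reaches VLAN 20
    print(double_tag_demo(native_vlan=1001))             # (1, 1): unused native VLAN
    print(double_tag_demo(tag_native=True))              # (1, 1): native VLAN tagged on trunk
```

The last three calls are the two fixes recommended under "Native VLAN" below, shown working: with the native VLAN moved to an unused ID, or with native tagging forced, the outer tag survives the trunk and the inner tag is never interpreted.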
ROAS (Router on a Stick)

Figure: ROAS topology. VLAN 10 uses 192.168.1.0/26 and VLAN 20 uses 192.168.1.64/26; the host addresses shown in the figure end in .2, .3 and .4.
Configuring Trunk Ports on Switches [SWA and SWB]

SWA(config)#int g0/1
SWA(config-if)#switchport mode trunk
SWB(config)#int g0/2
SWB(config-if)#switchport mode trunk
Note: Switches that support both ISL and dot1q have a trunk encapsulation of Auto by default. To configure such an interface manually as a trunk port you must first set the encapsulation to dot1q. On switches that only support 802.1Q this is not necessary, as in the example above.

SWA(config)#int g0/1
SWA(config-if)#switchport mode trunk
Command rejected: An interface whose trunk encapsulation is "Auto" can not be configured to "trunk" mode.
SWA(config-if)#switchport trunk encapsulation dot1q
SWA(config-if)#switchport mode trunk
SWA(config-if)#
To confirm the trunk configuration, use show interfaces trunk. Figure callouts for its output:
• "Vlans allowed on trunk": by default all VLANs (1-4094) are allowed on a trunk.
• "Vlans allowed and active in management domain": at present only the default VLAN 1, because no additional VLAN has been configured yet.

Let's configure VLAN 10 on SWB, and VLANs 10 and 20 on SWA.

SWB(config)#vlan 10
SWB(config-vlan)#name IT
SWB(config-vlan)#int range fa0/1-fa0/2
SWB(config-if-range)#switchport mode access
SWB(config-if-range)#switchport access vlan 10
SWB(config-if-range)#

SWA(config)#Vlan 10
SWA(config-vlan)#name IT
SWA(config-vlan)#int fa0/1
SWA(config-if)#switchport mode access
SWA(config-if)#switchport access vlan 10
SWA(config-if)#vlan 20
SWA(config-vlan)#name Management
SWA(config-vlan)#int fa0/2
SWA(config-if)#switchport mode access
SWA(config-if)#switchport access vlan 20
SWA(config-if)#
Now restrict the trunk to the newly created VLANs. Note that switchport trunk allowed vlan <list> replaces the whole allowed list; use the add keyword to extend an existing list:
SWA(config)#int g0/1
SWA(config-if)#switchport trunk allowed vlan ?
WORD VLAN IDs of the allowed VLANs when this port is in trunking mode
add add VLANs to the current list
all all VLANs
except all VLANs except the following
none no VLANs
remove remove VLANs from the current list
SWA(config-if)#switchport trunk allowed vlan 10,20
SWA(config-if)#

Native VLAN
The native VLAN determines which VLAN untagged frames received on a trunk belong to. Only one native VLAN can be assigned to a trunk port; all untagged traffic received on that trunk port becomes a member of the native VLAN.

Frames belonging to the native VLAN are sent untagged out a trunk port. The native VLAN exists so that 802.1Q-unaware devices (legacy hubs and switches) can share the link; in a modern network it is mostly a liability.
Native VLANs only exist on 802.1Q trunks and must be configured identically on both ends of the trunk. A mismatch does not stop the trunk from coming up (CDP logs a native VLAN mismatch warning), but frames sent untagged in one side's native VLAN land in the other side's native VLAN, so traffic crosses VLAN boundaries.
For security, change the native VLAN to an unused VLAN that has no access ports, or, better, force the trunk to tag native VLAN traffic, either globally or per trunk port (the per-port form is platform specific):
Switch(config)# vlan dot1q tag native
or
Switch(config)# interface gi2/24
Switch(config-if)# switchport trunk native vlan tag
To set the native VLAN to an unused VLAN, configure both ends of the trunk:
SWA(config)#int g0/1
SWA(config-if)#switchport trunk native vlan 1001
SWA(config-if)#

SWB(config)#int g0/1
SWB(config-if)#switchport trunk native vlan 1001
SWB(config-if)#

Configuring the SWB port (G0/2) that connects to the router

SWB(config)#int g0/2
SWB(config-if)#switchport mode trunk
SWB(config-if)#switchport trunk allowed vlan 10,20
SWB(config-if)#switchport trunk native vlan 1001
SWB(config-if)#

Figure callout: make sure the router interface is up (no shutdown), otherwise the trunk will not appear in show interfaces trunk.
Configuring the Router – the last device to configure
Router on a Stick (ROAS) routes between multiple VLANs using a single physical interface on the router and a single switch port.
The switch interface is configured as a regular trunk. The router interface is split into sub-interfaces; on each sub-interface you configure the VLAN tag (encapsulation dot1Q <vid>) and the IP address that becomes that VLAN's default gateway.
Router(config)#int g0/0
Router(config-if)#no shut
Router(config-if)#int g0/0.10
Router(config-subif)#encapsulation dot1Q 10
Router(config-subif)#ip address 192.168.1.1 255.255.255.192
Router(config-subif)#int g0/0.20
Router(config-subif)#encapsulation dot1Q 20
Router(config-subif)#ip address 192.168.1.65 255.255.255.192
Router(config-subif)#

If the client 192.168.1.3 in VLAN 10 pings the client 192.168.1.67 in VLAN 20, the ping fails: SWB has no VLAN 20 in its database, so frames tagged with VLAN 20 arriving on its trunk are dropped (the VLAN is not "allowed and active" there).
C:\>ping 192.168.1.67
Pinging 192.168.1.67 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 192.168.1.67:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
On SWB, create VLAN 20 and add it to the allowed list of the trunk toward SWA, so that SWB knows the VLAN and forwards its traffic. Use the add keyword: a bare switchport trunk allowed vlan 20 would replace the allowed list and remove VLAN 10 from the trunk.
SWB(config)#vlan 20
SWB(config-vlan)#name Management
SWB(config-vlan)#int g0/1
SWB(config-if)#switchport trunk allowed vlan add 20
SWB(config-if)#

C:\>ping 192.168.1.67
Pinging 192.168.1.67 with 32 bytes of data:
Reply from 192.168.1.67: bytes=32 time<1ms TTL=255
Reply from 192.168.1.67: bytes=32 time=1ms TTL=255
Reply from 192.168.1.67: bytes=32 time<1ms TTL=255
Reply from 192.168.1.67: bytes=32 time<1ms TTL=255

Ping statistics for 192.168.1.67:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

Once VLAN 20 exists on SWB and is allowed on the trunk, communication is established.
Dynamic Trunking Protocol (DTP)
Trunking (and, on switches that support both ISL and 802.1Q, the encapsulation) can be negotiated automatically with the Dynamic Trunking Protocol (DTP).
DTP has two modes for deciding dynamically whether a port becomes a trunk:
1. Desirable – the port actively tries to form a trunk with the remote switch.
2. Auto – the port passively waits for the remote switch to initiate the trunk.
Ports running DTP send DTP frames every 30 seconds to announce their configured mode.

To configure the DTP mode on an interface:

Switch(config)# interface gi2/24
Switch(config-if)# switchport mode dynamic desirable
Switch(config-if)# switchport mode dynamic auto

A trunk will form in the following combinations:

• manual trunk - manual trunk
• manual trunk - dynamic desirable
• manual trunk - dynamic auto
• dynamic desirable - dynamic desirable
• dynamic desirable - dynamic auto

A trunk never forms when both sides are set to dynamic auto. The default on many Catalyst access switches is dynamic auto, so a port left at its default becomes a trunk as soon as the device on the other end sends DTP desirable frames. A host that does this from an access port receives traffic for every VLAN allowed on the new trunk (switch spoofing). Disable DTP on every port: hard-code access ports with switchport mode access, and trunks with switchport mode trunk plus switchport nonegotiate, which stops the port from sending DTP frames:
Switch(config)# interface gi2/24
Switch(config-if)# switchport mode trunk
Switch(config-if)# switchport nonegotiate
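A check for the two hardening points above (DTP left on, native VLAN left at 1, and, while we are at it, trunks that allow every VLAN and access ports left in VLAN 1). This is an added example, not code from the slides or from Cisco: it parses a running-config excerpt into interface blocks and reports what a practitioner would want fixed. The configuration text is constructed for the example and its port names and descriptions are assumptions.

```python
"""Audit switch port configuration for DTP and native-VLAN exposure (added example)."""
import re

# Constructed running-config excerpt (not from the slides); port names are assumptions.
SAMPLE_CONFIG = """\
!
interface GigabitEthernet0/1
 description uplink to SWB, left at trunk defaults
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet0/2
 description uplink to router, hardened
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 1001
 switchport trunk allowed vlan 10,20
 switchport mode trunk
 switchport nonegotiate
!
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
!
interface FastEthernet0/2
 switchport mode dynamic desirable
!
interface FastEthernet0/3
 description nothing configured, platform default applies
!
"""


def parse_interfaces(config: str) -> dict:
    """Map each 'interface X' block to the list of its indented config lines."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            interfaces[current] = []
        elif current is not None and raw.startswith(" "):
            interfaces[current].append(raw.strip())
        else:
            current = None                      # '!' or any top-level line ends the block
    return interfaces


def _int_after(lines, prefix, default):
    """Numeric argument of the first line starting with prefix, else default."""
    for line in lines:
        m = re.fullmatch(re.escape(prefix) + r"\s*(\d+)", line)
        if m:
            return int(m.group(1))
    return default


def audit_port(lines: list) -> list:
    """Return the list of findings for one interface block."""
    issues = []
    mode = next((l[len("switchport mode "):] for l in lines if l.startswith("switchport mode ")), None)
    if mode is None:
        issues.append("no switchport mode: platform default (often dynamic auto) will negotiate a trunk")
    elif mode.startswith("dynamic"):
        issues.append(f"DTP negotiation enabled ({mode})")
    if mode == "trunk":
        if "switchport nonegotiate" not in lines:
            issues.append("trunk still sends DTP frames (add switchport nonegotiate)")
        if _int_after(lines, "switchport trunk native vlan", 1) == 1:
            issues.append("native VLAN is 1 (move it to an unused VLAN or tag the native VLAN)")
        if not any(l.startswith("switchport trunk allowed vlan") for l in lines):
            issues.append("all VLANs allowed on trunk (restrict the allowed list)")
    elif mode == "access" and _int_after(lines, "switchport access vlan", 1) == 1:
        issues.append("access port in VLAN 1")
    return issues


def audit(config: str) -> dict:
    """Return {interface: [finding, ...]} for every interface block in config."""
    return {name: audit_port(lines) for name, lines in parse_interfaces(config).items()}


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_CONFIG).items():
        print(name, findings or "ok")
```

On the sample, GigabitEthernet0/2 and FastEthernet0/1 come back clean, GigabitEthernet0/1 gets three findings, and the two FastEthernet ports are flagged for DTP. Feed it the output of show running-config from a real switch to get the same report.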
VLAN Trunking Protocol (VTP)
VTP simplifies VLAN management: updates to the VLAN database are propagated to all switches using VTP advertisements. VTP requires every participating switch to join a VTP domain. Switches must belong to the same domain to share VLAN information, and a switch can belong to only one domain.
VTP versions
There are three versions of VTP, all Cisco proprietary:
1. VTP version 1 – supports the normal VLAN range 1-1005 and is the default on older Catalyst switches.
2. VTP version 2 – adds features such as Token Ring VLAN support and VLAN consistency checks.
3. VTP version 3 – can distribute the extended VLAN range 1006-4094 and other databases such as the MST (Multiple Spanning Tree) configuration, adds a primary-server role so that only one switch can change the database, and hides the VTP password in the configuration.
Note: VTP versions 1 and 2 are not compatible. If the VTP server is configured for version 2, all other switches in the VTP domain will change to version 2 as well.
VTP Modes
A switch using VTP must operate in one of three modes:
a. Server – can create, delete and modify entries in the VLAN database, and advertises them.
b. Client – cannot modify the VLAN database and relies on advertisements.
c. Transparent – the switch maintains its own local VLAN database (vlan.dat) and does not participate in the VTP domain. A transparent switch never accepts VLAN database information from another switch, even a server, and never advertises its local VLAN database to another switch.
Transparent switches do, however, pass through advertisements from other switches in the VTP domain:
VTP version 1 – a transparent switch only forwards advertisements from its own VTP domain.
VTP version 2 – a transparent switch forwards advertisements from any VTP domain.

VTP Advertisement – Revision number

VTP advertisements carry a 32-bit configuration revision number. Every change to the VLAN database increments it by 1; a higher number means a newer database.
A switch only accepts an advertisement whose revision number is higher than its own; advertisements with a lower or equal revision are ignored. The mode of the sender does not matter: a client with a higher revision number will overwrite the database of every server and client in the domain, production servers included.
Best practice is therefore to configure a new switch as a VTP client (or, safer still, transparent) and reset its revision number to zero before connecting it to a production network.
There are three ways to reset the revision number to zero on a switch:
1. Change the VTP domain name, and then change it back to the original name.
2. Change the VTP mode to transparent, and then back to server or client. Transparent switches always have a revision number of 0.
3. Delete the vlan.dat file from flash and reload the switch.
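The revision rule and its failure mode, simulated. This is an added example, not code from the slides: it models the acceptance rule (same domain, higher revision wins, transparent switches neither accept nor count) and the two reset methods above, and replays the classic accident of plugging a reused switch with a stale but high revision into a production domain. The switch names and VLAN contents are assumptions.

```python
"""VTP configuration-revision rule, simulated (added example, not IOS)."""


class VtpSwitch:
    def __init__(self, name: str, mode: str = "server", domain: str = "NULL"):
        self.name, self.mode, self.domain = name, mode, domain
        self.revision = 0
        self.vlans = {1: "default"}

    def create_vlan(self, vid: int, vlan_name: str) -> None:
        if self.mode == "client":
            raise PermissionError("a VTP client cannot modify the VLAN database")
        self.vlans[vid] = vlan_name
        if self.mode == "server":
            self.revision += 1                  # transparent switches stay at revision 0

    def set_domain(self, domain: str) -> None:
        self.domain, self.revision = domain, 0  # renaming the domain resets the revision

    def set_mode(self, mode: str) -> None:
        if mode == "transparent":
            self.revision = 0                   # only the move to transparent resets it
        self.mode = mode                        # switching to client keeps the old revision

    def advertisement(self) -> dict:
        """What both servers and clients send every 300 seconds and on every change."""
        return {"domain": self.domain, "revision": self.revision, "vlans": dict(self.vlans)}

    def receive(self, adv: dict) -> bool:
        """Apply an advertisement; True if it replaced the local database."""
        if self.mode == "transparent" or adv["domain"] != self.domain:
            return False
        if adv["revision"] <= self.revision:
            return False                        # equal or lower revision is ignored
        self.vlans, self.revision = dict(adv["vlans"]), adv["revision"]
        return True


def production_domain():
    swa, swb = VtpSwitch("SWA", "server", "CORP"), VtpSwitch("SWB", "client", "CORP")
    for vid, name in ((10, "Sales"), (20, "Presales"), (30, "IT")):
        swa.create_vlan(vid, name)              # revision 3
    swb.receive(swa.advertisement())
    return swa, swb


def lab_switch() -> VtpSwitch:
    """A switch reused from a lab: same domain name, 42 accumulated changes, different VLANs."""
    lab = VtpSwitch("LAB", "server", "CORP")
    for _ in range(42):
        lab.create_vlan(99, "Lab")
    return lab


def vtp_revision_demo() -> dict:
    # 1. The lab switch is set to client and connected without resetting its revision.
    swa, swb = production_domain()
    lab = lab_switch()
    lab.set_mode("client")
    overwritten = [sw.receive(lab.advertisement()) for sw in (swa, swb)]
    # 2. Same switch, but the revision is reset by renaming the domain and back.
    swa2, swb2 = production_domain()
    lab2 = lab_switch()
    lab2.set_domain("TEMP")
    lab2.set_domain("CORP")
    lab2.set_mode("client")
    accepted = [sw.receive(lab2.advertisement()) for sw in (swa2, swb2)]
    return {
        "overwritten": overwritten,                   # [True, True]: server and client both replaced
        "prod_vlans_after": sorted(swa.vlans),        # [1, 99]: Sales, Presales and IT are gone
        "prod_revision_after": swa.revision,          # 42
        "reset_lab_revision": lab2.revision,          # 0
        "accepted_after_reset": accepted,             # [False, False]
        "prod_vlans_kept": sorted(swa2.vlans),        # [1, 10, 20, 30]
    }


if __name__ == "__main__":
    for key, value in vtp_revision_demo().items():
        print(key, value)
```

Client mode alone did not protect the domain; the revision reset did. A VTP password would also have blocked the lab switch, since an advertisement whose MD5 digest was computed with a different password is rejected.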

VTP Advertisement – Message Type

Three message types exist for VTP advertisements:
1. Summary Advertisement
2. Subset Advertisement
3. Advertisement Request
Both VTP servers and clients send a summary advertisement every 300 seconds and whenever the database changes.
A summary advertisement contains:
VTP version
Domain name
Configuration revision number
MD5 digest and timestamp
Configuring VTP
By default a switch is in VTP server mode and joined to a blank domain (shown as NULL).
To change the VTP domain name:
Switch(config)# vtp domain MYDOMAIN
Note that the domain name is case sensitive. To configure the VTP mode:
Switch(config)# vtp mode server
Switch(config)# vtp mode client
Switch(config)# vtp mode transparent

The VTP domain can be secured with a password. It goes into the MD5 digest of every advertisement, so a switch with the wrong password cannot push a database into the domain:

Switch(config)# vtp password P@SSWORD!

Cisco switches use VTP version 1 by default, which is not compatible with version 2. If the server is configured for version 2, all other switches in the domain change to version 2 as well:
Switch(config)# vtp version 2
VTP Pruning
VTP pruning eliminates unnecessary broadcast, multicast and unknown-unicast traffic across trunks in the switching infrastructure.

Assume a host is connected to SwitchB in VLAN 300. If the host sends a broadcast, SwitchB forwards it out every port in VLAN 300, including the trunk ports to SwitchA and SwitchC. SwitchA and SwitchC would then forward the broadcast out every port in VLAN 300.
However, SwitchA has no ports in VLAN 300 and will simply drop the broadcast, so sending it to SwitchA is a waste of bandwidth.
VTP pruning lets a switch learn which VLANs are active on its neighbours, so broadcasts are only sent out the trunk ports where those VLANs actually exist. VTP pruning is disabled by default on IOS switches; it is enabled on the server for the whole domain:
Switch(config)# vtp pruning

To manually specify which VLANs are pruning eligible on a trunk (by default VLANs 2-1001; VLAN 1 and VLANs 1002-1005 are never pruned):


Switch(config)# interface gi2/24
Switch(config-if)# switchport trunk pruning vlan 2-10
Switch(config-if)# switchport trunk pruning vlan add 42
Switch(config-if)# switchport trunk pruning vlan remove 5
Switch(config-if)# switchport trunk pruning vlan except 100-200
Switch(config-if)# switchport trunk pruning vlan none
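The add/remove/except/none grammar above is the same one used by switchport trunk allowed vlan earlier in this document, and the bare form of either command replaces the whole list (the reason the SWB trunk configuration under ROAS needs the add keyword). The following is an added example, not code from the slides or from Cisco: a parser for IOS-style VLAN lists, the formatter that collapses them back into the form show interfaces trunk prints, and a replay of both command sequences from this document against their default universes (all VLANs for the allowed list, 2-1001 for the pruning-eligible list).

```python
"""Parse and apply IOS-style VLAN lists for 'switchport trunk allowed vlan' and
'switchport trunk pruning vlan' (added example, not from the slides)."""

ALL_VLANS = frozenset(range(1, 4095))          # allowed-list universe (default: all allowed)
PRUNE_ELIGIBLE = frozenset(range(2, 1002))     # default pruning-eligible VLANs 2-1001


def parse_vlan_list(spec: str) -> frozenset:
    """'1,10-20,30' -> {1, 10..20, 30}; every ID must be within 1-4094."""
    vlans = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        lo_s, _, hi_s = part.partition("-")
        lo, hi = int(lo_s), int(hi_s or lo_s)
        if not 1 <= lo <= hi <= 4094:
            raise ValueError(f"invalid VLAN range: {part}")
        vlans.update(range(lo, hi + 1))
    return frozenset(vlans)


def format_vlan_list(vlans) -> str:
    """Collapse a set into the '2-4,6-10,42' form that show interfaces trunk prints."""
    ids, spans, start = sorted(vlans), [], None
    for i, v in enumerate(ids):
        if start is None:
            start = v
        if i + 1 == len(ids) or ids[i + 1] != v + 1:     # end of a consecutive run
            spans.append(str(start) if start == v else f"{start}-{v}")
            start = None
    return ",".join(spans) or "none"


def apply_vlan_command(current: frozenset, args: str, universe: frozenset) -> frozenset:
    """Apply the argument of 'switchport trunk allowed vlan <args>' or
    'switchport trunk pruning vlan <args>' to the current list."""
    keyword, _, rest = args.strip().partition(" ")
    keyword = keyword.lower()
    if keyword == "all":
        return universe
    if keyword == "none":
        return frozenset()
    if keyword == "add":
        return current | (parse_vlan_list(rest) & universe)
    if keyword == "remove":
        return current - parse_vlan_list(rest)
    if keyword == "except":
        return universe - parse_vlan_list(rest)
    return parse_vlan_list(args) & universe              # a bare list replaces the whole list


def replay(commands, universe) -> list:
    """Return the list as displayed after each command, starting from the default."""
    state, trace = universe, []
    for cmd in commands:
        state = apply_vlan_command(state, cmd, universe)
        trace.append(format_vlan_list(state))
    return trace


if __name__ == "__main__":
    print(replay(["10,20", "add 30", "remove 20", "except 1-9"], ALL_VLANS))
    # ['10,20', '10,20,30', '10,30', '10-4094']
    print(replay(["2-10", "add 42", "remove 5", "except 100-200", "none"], PRUNE_ELIGIBLE))
    # ['2-10', '2-10,42', '2-4,6-10,42', '2-99,201-1001', 'none']
    print(replay(["20"], ALL_VLANS))   # ['20']: a bare list drops everything else
```

The last call reproduces the mistake to avoid on a trunk that already carries VLAN 10: a bare 20 leaves only VLAN 20 allowed, whereas add 20 keeps the existing list.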
