VLAN Tutorial

February 5th, 2013

Introduction

In this VLAN tutorial, I'm going to cover the basic theory and terminology related to Virtual Local Area Networks (VLANs), including:

  • When to use VLANs
  • Benefits of using VLANs
  • How do VLANs work
  • What are the different types of VLANs
  • Configuring intra- and inter-VLAN communication on a Cisco switch
  • Configuring a VLAN with Voice over IP (VoIP)
  • Cisco's 3-layered architecture
  • Configuring the VLAN trunking protocol (VTP)

 

What is a VLAN?

A Virtual Local Area Network (VLAN) is a network technology used to logically separate large broadcast domains using layer 2 devices.

 

When to use VLANs?

In medium-to-large organizations, we usually have different departments physically separated across rooms or floors. A set of end-devices (PCs, servers, printers, phones, etc.) is connected to a series of switches, which in turn connect to a router or a layer 3 switch. This inner network forms a single broadcast domain, which, as the organization grows, may lead to performance and security issues. Imagine 5 departments, each one performing entirely different functions, with up to 50 end-devices each, all having direct access to all other departments and flooding the medium with ARP requests.

So what can we do to improve this situation? The broadcast domain ends at the router, so we could further divide the network with routers. But we don't want to, because routers are slow and expensive, they have a limited number of ports, and they are generally not designed for company-level sub-networking.

What we need is to configure VLANs for every department, or floor, or building, for that matter.

 

Benefits of using VLANs

VLANs provide the following general benefits:

Improved security – the different groups of users don't need to know of each other and shouldn't see each other's data unless explicitly configured.

Higher performance – dividing the network into different virtual sub-networks reduces unnecessary traffic and improves performance.

Cost reduction – routers are usually considerably more expensive than switches (with the exception of layer 3 switches, which we'll discuss later).

Simplified network management – logically dividing the network into virtual sub-networks improves maintenance and manageability.

 

How do VLANs work?

The virtual networks work by tagging the frames while they travel.
Each port on a switch is associated with a VLAN. When a frame arrives on a port, the switch inserts a VLAN tag into its Ethernet header, specifying the ID of the VLAN configured on that specific port.

[Figure: 802.1Q VLAN tag inside the Ethernet frame]

 

Types of VLANs

There are a few types of VLANs:

Data VLAN
This is the main type of virtual network. It is designed to carry user-defined data. The link connected to your computer is assigned to a data VLAN.

Default VLAN
This is the VLAN assigned by default to all ports. On Cisco switches this is VLAN 1. That's why, even if you don't configure any virtual networks, your network still resides in a VLAN: the default VLAN 1.

Native VLAN
This is the most misunderstood type of VLAN. 

The native VLAN is the VLAN assigned to untagged frames, i.e. frames that have not passed through a VLAN-tagged port. This happens, for example, when:

  • a frame comes from the router and travels through a trunk link (a link that allows multiple VLANs to travel on it, discussed later). It has no VLAN tag associated, so it is placed on the native VLAN. Note that in this case no modifications are made to the frame itself. The primary reason native VLANs were introduced is backward compatibility.

  • a frame comes from a PC connected to a VoIP device or a hub. Neither the PC nor the VoIP telephone knows anything about VLANs, so the frame is placed on the native VLAN.

The native VLAN must be configured consistently on all switches (both ends of a trunk must agree on it). From a security perspective, it is not good practice to leave it at the default.

Management VLAN
A VLAN used for switch management. It's good practice to make it different from the default one, although sometimes the Management VLAN is also set to be the native one.

Voice VLAN
This is a special type of VLAN used with VoIP devices. I’ll discuss that later in detail.

 

Configuring an Intra-VLAN on a Cisco switch

Consider the following simple topology:

[Figure: two switches, four PCs, simple VLAN topology]

We have 4 PCs connected with 2 switches. We want to put PC0 and PC2 into VLAN 10 and PC1 and PC3 into VLAN 20.

 

Access and trunk links

Before I continue, I'd like to make a point regarding the difference between access and trunk links:

  • The links connecting the end devices are called access links. These are the links usually carrying the Data VLAN traffic.
  • The link between the switches is called a trunk link. It carries frames from all the VLANs, including the native VLAN. It usually needs higher throughput than an access link.

So in order to configure these basic VLANs, we need to perform the following steps:

  1. Create the VLANs on both switches
  2. Designate the proper access links
  3. Assign the VLAN IDs and configure any additional security
  4. Configure the trunk links

So let's access the first switch in global configuration mode and enter the following commands:


Switch1(config)#vlan 10
Switch1(config-vlan)#name Development
Switch1(config-vlan)#vlan 20
Switch1(config-vlan)#name Sales
Switch1(config-vlan)#vlan 100
Switch1(config-vlan)#name Management
Switch1(config-vlan)#exit
Switch1(config)#int Fa0/2
Switch1(config-if)#switchport mode access
Switch1(config-if)#switchport access vlan 10
Switch1(config-if)#spanning-tree portfast
Switch1(config-if)#switchport port-security
Switch1(config-if)#switchport port-security mac-address sticky
Switch1(config-if)#switchport port-security maximum 1
Switch1(config-if)#exit
Switch1(config)#int Fa0/3
Switch1(config-if)#switchport mode access
Switch1(config-if)#switchport access vlan 20
Switch1(config-if)#spanning-tree portfast
Switch1(config-if)#switchport port-security
Switch1(config-if)#switchport port-security mac-address sticky
Switch1(config-if)#switchport port-security maximum 1
Switch1(config-if)#exit
Switch1(config)#int Fa0/1
Switch1(config-if)#switchport trunk encapsulation dot1q
Switch1(config-if)#switchport mode trunk
Switch1(config-if)#switchport trunk native vlan 100
Switch1(config-if)#do wr

// skipped entering the same set of commands for the second switch

This creates the VLANs and assigns Fa0/2 to VLAN 10 and Fa0/3 to VLAN 20. The Fast Ethernet ports are configured as access ports, since they are connected to PCs. The uplink is configured as a trunk with the native VLAN set to 100. The port-security commands enable port security on the port, learn the first MAC address seen as a sticky secure address, and allow no more than 1 MAC address on the port; a second address is a violation. The spanning-tree portfast command tells the Spanning Tree Protocol to start forwarding immediately, without waiting for its listening and learning timers; it is the usual configuration for access ports. The last command simply saves the running configuration into the startup configuration of the switch; its full equivalent is copy running-config startup-config.

The same set of commands needs to be executed on the second switch. If everything is OK, PC1 will not be able to ping PC2. We've done our job limiting the broadcast domain and reducing the traffic. The two virtual networks are separated, despite sharing the same physical medium through the trunk.

Note that we are not forced to use a trunk link at all, although it is desirable. We could have used a separate link for each VLAN, but usually more than 2 sub-networks are defined, and using a trunk link is the way to go.

 

Configuring VLAN with Voice over IP (VoIP)

Normally, only one VLAN can be configured per switch port. Working with Voice over IP is the exception: in this situation, we configure two VLANs on the same port, one for data and one for voice.

Let's change our example a little by adding a VoIP device:

[Figure: VLAN topology with an IP phone between the switch and the PC]

The configuration becomes:

Switch1(config)#vlan 50
Switch1(config-vlan)#name Voice
Switch1(config-vlan)#exit
Switch1(config)#int Fa0/2
Switch1(config-if)#switchport mode access
Switch1(config-if)#switchport access vlan 10
Switch1(config-if)#switchport voice vlan 50
Switch1(config-if)#switchport port-security
Switch1(config-if)#switchport port-security mac-address sticky
Switch1(config-if)#switchport port-security maximum 2 // the IP phone and the PC behind it each present a MAC address
Switch1(config-if)#mls qos trust cos
Switch1(config-if)#exit
Switch1(config)#do wr

 

Configuring an Inter-VLAN on a Cisco switch

In the topology created, we were unable to ping PC3 from PC0. And that's perfectly normal: we put them in different VLANs, and the idea of a VLAN is to restrict the traffic between the inner segments of the network. But we will, of course, need connectivity between these segments. In order for a packet originating in one VLAN to reach an end-device in another VLAN, a layer 3 device is needed. This device could be either a router or a layer 3 switch.

So let's add our router:

[Figure: router-on-a-stick topology]

 

What is a layer 3 switch?

A layer 3 switch (also known as a multilayer switch) is a multi-functional device that has the same functionality as a layer 2 switch, but behaves like a router when necessary. It's generally faster than a router due to its hardware-based routing functions, but it's also more expensive than a normal switch. As a rule of thumb, use a layer 3 switch whenever you need maximum performance.

 

Configuring Inter-VLAN with a router (Router on a stick topology)

The standard way of wiring the VLANs into the router is to create virtual subinterfaces, one per VLAN, on the physical port that carries the trunk.

So let's configure the link on the router:

Router(config)#int Fa0/1
Router(config-if)#no shutdown
Router(config-if)#int Fa0/1.1
Router(config-subif)#encapsulation dot1Q 10
Router(config-subif)#ip address 192.168.10.2 255.255.255.252
Router(config-subif)#int Fa0/1.2
Router(config-subif)#encapsulation dot1Q 20
Router(config-subif)#ip address 192.168.20.2 255.255.255.252
Router(config-subif)#int Fa0/1.3
Router(config-subif)#encapsulation dot1Q 100 native
Router(config-subif)#ip address 192.168.100.2 255.255.255.252
Router(config-subif)#do wr

And on the switch:


CoreSwitch(config)#int Fa0/0
CoreSwitch(config-if)#switchport trunk encapsulation dot1q
CoreSwitch(config-if)#switchport mode trunk
CoreSwitch(config-if)#switchport trunk native vlan 100
CoreSwitch(config-if)#no switchport port-security
CoreSwitch(config-if)#do wr

We subnet the virtual networks just like a normal network. We also disable port security on the trunk link to the router, since no end-devices are attached there. Note that IEEE 802.1Q (dot1q) is not the only encapsulation protocol available: an alternative is ISL, a Cisco proprietary protocol. One of the reasons 802.1Q is preferred is that it is not vendor-specific.
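As an added example (not code from the original article), the Python below models what the tutorial describes: inserting and parsing the 802.1Q tag, classifying untagged frames arriving on a trunk into the native VLAN, and the router-on-a-stick subinterface lookup from the configuration above. The subinterface subnets and native VLAN 100 are taken from the page; the MAC addresses and sample frames are constructed, and MAC rewriting and TTL handling are deliberately left out.

```python
import struct
from ipaddress import ip_address, ip_network

TPID_8021Q = 0x8100      # EtherType value that marks an 802.1Q-tagged frame
ETHERTYPE_IPV4 = 0x0800
NATIVE_VID = 100         # native VLAN from the trunk configuration on the page

# Router subinterfaces as configured on the page (one /30 per VLAN); 100 is the native one.
SUBINTERFACES = {10: ip_network("192.168.10.0/30"), 20: ip_network("192.168.20.0/30"),
                 100: ip_network("192.168.100.0/30")}

def is_tagged(frame: bytes) -> bool:
    return struct.unpack("!H", frame[12:14])[0] == TPID_8021Q

def tag_frame(frame: bytes, vid: int, pcp: int = 0) -> bytes:
    """Insert a 4-byte 802.1Q tag between the source MAC and the EtherType."""
    if not 1 <= vid <= 4094:
        raise ValueError("VLAN ID must be 1..4094")
    tci = (pcp << 13) | vid          # TCI = PCP (3 bits) | DEI (1 bit) | VID (12 bits)
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]

def untag_frame(frame: bytes) -> bytes:
    """Remove the tag; an untagged frame is returned unchanged."""
    return frame[:12] + frame[16:] if is_tagged(frame) else frame

def ingress_vlan(frame: bytes, native_vid: int = NATIVE_VID) -> int:
    """Trunk ingress: a tagged frame keeps its VID, an untagged one lands on the native VLAN."""
    if is_tagged(frame):
        return struct.unpack("!H", frame[14:16])[0] & 0x0FFF
    return native_vid

def route_on_a_stick(frame: bytes):
    """Re-tag a frame for the subinterface whose subnet holds the IPv4 destination.
    Only the VLAN tag is modelled; MAC rewrite and TTL decrement are left out."""
    payload = untag_frame(frame)
    if struct.unpack("!H", payload[12:14])[0] != ETHERTYPE_IPV4:
        return None
    dst = ip_address(payload[30:34])   # IPv4 destination: offset 16 in the header after 14 Ethernet bytes
    for vid, net in SUBINTERFACES.items():
        if dst in net:
            return payload if vid == NATIVE_VID else tag_frame(payload, vid)
    return None                        # no subinterface for that subnet: the frame is dropped

def sample_frame(src_ip: str, dst_ip: str) -> bytes:
    """Constructed Ethernet header plus a minimal IPv4 header (no payload) for the examples."""
    eth = bytes.fromhex("0011223344550066778899aa") + struct.pack("!H", ETHERTYPE_IPV4)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 1, 0,
                         ip_address(src_ip).packed, ip_address(dst_ip).packed)
    return eth + ip_hdr

if __name__ == "__main__":
    pc0 = tag_frame(sample_frame("192.168.10.1", "192.168.20.1"), 10)  # PC0 traffic, tagged VLAN 10 by Switch1
    print(ingress_vlan(pc0), ingress_vlan(route_on_a_stick(pc0)))     # 10 20
    print(ingress_vlan(sample_frame("192.168.100.1", "192.168.10.1")))  # untagged on the trunk -> 100
```

A frame whose destination sits in the native subnet leaves the router untagged, which is exactly the behaviour of the `encapsulation dot1Q 100 native` subinterface above.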

 

Configuring Inter-VLAN with a multilayer switch

Alternatively, we could use a multilayer switch instead of a router. The commands used are almost the same:


CoreSwitch(config)#ip routing // activates the routing functions of the switch
CoreSwitch(config)#int vlan 10
CoreSwitch(config-if)#ip address 192.168.10.2 255.255.255.252
CoreSwitch(config-if)#no shutdown
CoreSwitch(config-if)#int vlan 20
CoreSwitch(config-if)#ip address 192.168.20.2 255.255.255.252
CoreSwitch(config-if)#no shutdown
CoreSwitch(config-if)#do wr

 

Cisco's 3 Layered Model

In small networks, one or two layer 2 switches and a router usually do the job. In bigger environments, however, a more complex setup is required in order to accommodate all the traffic. In such cases, the so-called Cisco 3 layered model is used.

Consider the following topology:

[Figure: distributed VLAN topology with core, distribution and access layers]
 
This is a standard topology for creating medium to large networks. It is divided into three layers:

Core layer – the backbone of the network, carrying all the traffic from the sub-networks.
The Core layer doesn't know about any virtual networks configured.

Distribution layer – a middle layer usually built from layer 3 switches with routing enabled. This is where we configure the VLANs that are reached through the Access layer. The Distribution layer handles a large share of the traffic, which is why a multilayer switch is the natural choice.

Access layer – the user layer, consisting of end-devices and layer 2 switches. The redundant connections exist so that if something happens to one of the switches, the other takes over its role. This is called layer 2 load balancing and is managed using the Spanning Tree Protocol (STP).

 

The VLAN Trunking Protocol (VTP)

In our previous example we had only two switches to configure, and we had to manually enter the same set of commands on every switch in order to create our VLANs. Depending on the size of the network, however, there might be tens or even hundreds of switches. Most bigger networks consist of a lot of switches and links between them, and configuring all the virtual networks on every switch by hand is quite time-consuming (just like configuring all the routes on a router). This is where VTP comes into play.

 

So what's VTP?

The VLAN Trunking Protocol is a Cisco proprietary protocol which lets us create virtual networks on only one switch and be sure that they are automatically propagated to all other switches in the network. In order for VTP to work, all the switches must be placed in the same domain, using the vtp domain <name> command.

 

VTP Modes

There are 3 VTP modes available:

Server mode – a switch in server mode is responsible for propagating all the information about the different virtual networks.

Client mode – receives and forwards any VLAN information it receives.

Transparent mode – forwards any information it receives, but its own VLANs must be configured manually.

 

Configuring VTP

Configuring VTP is quite simple. The following set of commands will configure a switch to run VTP in server mode.


Switch1(config)#vtp domain <name>
Switch1(config)#vtp mode server
Switch1(config)#vtp password 1234
Switch1(config)#do wr

You can find more information on configuring VTP here.

 


That is from me,
I'd like to give special thanks to my Cisco instructor Ionka Gancheva for reviewing this article. ;)

If you have some comments or recommendations – don't hesitate to contact me !


About the author:
Kosta Hristov (34 Posts)

Hi there ! My name is Kosta Hristov and I currently live in London, England. I've been working as a software engineer for the past 6 years on different mobile, desktop and web IT projects. I started this blog almost one year ago with the idea of helping developers from all around the world in their day to day programming tasks, sharing knowledge on various topics. If you find my articles interesting and you want to know more about me, feel free to contact me via the social links below. ;)






  1. vladi
    February 8th, 2013 at 22:11 | #1

    Hey, very nice and quite good article. I like to make some remarks:
    1. It's true that on 2960 switches the only supported encapsulation method for VLANs is 802.1Q, but other switches still support ISL
    2. The diagram for VTP is not quite a good example. In this scenario Cisco will definitely recommend that you use L3 routing between the Distribution Switches and you will almost for sure never use VTP in this complex environment.
    Besides that your article is quite good reference :) Keep going on :)

  2. February 9th, 2013 at 16:24 | #2

    Hello Vladi,

    You are absolutely right, I changed the article a little bit. With that diagram I wanted to mention the 3 layered model, but I guess it's a better idea to move it to a new section with a brief description. ;)

    Thanks for the remark ! :)

  3. February 14th, 2013 at 16:03 | #3

    Seems like a nice brief howto. 10x.

  4. Steve Plichta
    August 15th, 2013 at 18:33 | #4

    Kosta, this was a very good article.  Succinct and easy enough for my students to understand.  Thank you.

  5. August 15th, 2013 at 21:52 | #5

    Hi Steve, 

    I'm glad you found it useful. 

    Best Regards

  6. zakarie
    December 14th, 2013 at 17:32 | #6

    Kosta, I really appreciate the tutorial and liked it. I am having a mini project with a network which has four departments (Finance, Human resource management, Sales and Procurement), and I wanted to use the same concept like this one.
    The network is going to be a server-client network. My network is small; I am going to use one server which stores the whole information and another one which will be a backup for the main one.
    Even if you can help me with my network's topology and the configuration for my network,
    I will be grateful for your assistance.
    Thanks, Kosta Hristov

  7. nicolas
    June 12th, 2014 at 14:23 | #7

    I think there is a little mistake… You talk about “tagging the packet” with the link to the Wikipedia page about 802.1Q; however, the VLAN tag is inserted in the Ethernet header.
    It is a layer 2 technology.

    I think you should call it “tagging the frame” rather than “tagging the packet”. A packet is a layer 3 IP datagram.

    Just to remember:
    Ethernet FRAME: Layer2
    IP PACKET: Layer 3
    TCP SEGMENT: Layer 4



Copyright © Developing the future 2013. Licensed under the CC BY-NC-ND 3.0 Creative Commons license.