2302-Ch03: VLANs: Virtual LANs Explained

Questions and Answers

At which layer of the OSI model are VLANs created?

• Layer 2 (correct)
• Layer 3
• Layer 4
• Layer 7

What is the primary purpose of creating VLANs?

• To eliminate routing protocols
• To reduce or eliminate broadcast traffic (correct)
• To increase the size of broadcast domains
• To simplify physical cabling

What is the effect of devices communicating within a single VLAN?

• They communicate through Layer 3 devices only.
• They must manage traffic from all other networks.
• They cannot communicate with each other at all.
• They communicate with each other and only manage traffic within their VLAN. (correct)

What are VLANs based on?

Logical connections. (C)

How do VLANs improve overall network performance?

By separating large broadcast domains into smaller ones (C)

What command is used to remove a VLAN from the vlan.dat file?

no vlan vlan-id (C)

What command resets a trunk to its default state?

no switchport trunk allowed vlan and no switchport trunk native vlan (B)

What is the purpose of DTP (Dynamic Trunking Protocol)?

To automatically negotiate trunking between devices (D)

Which command disables DTP on a Cisco switch interface?

switchport nonegotiate (D)

What is a VLAN trunk?

A Layer 2 link carrying traffic for multiple VLANs (A)

What is the default VLAN on a Cisco switch?

VLAN 1 (A)

Which type of VLAN is configured to separate user-generated traffic?

Data VLAN (D)

Which IEEE standard is supported by Cisco for coordinating trunks?

IEEE 802.1Q (A)

What is the purpose of VLAN trunks?

To allow all VLAN traffic to propagate between switches. (D)

What is the result of a device sending a broadcast Ethernet frame within a VLAN?

Only devices in the same VLAN receive the frame. (A)

What is the purpose of the 802.1Q header?

To specify the VLAN to which the frame belongs. (C)

Which type of VLAN is specifically configured for network management traffic?

Management VLAN (A)

What is the range of VLAN IDs supported by the VLAN ID (VID)?

Up to 4096 VLAN IDs (A)

What is the default native VLAN specified by the IEEE 802.1Q standard for trunk links?

VLAN 1 (A)

What happens when an untagged frame arrives on a trunk port?

It is assigned to the native VLAN. (A)

What is the default Port VLAN ID (PVID) assigned to an 802.1Q trunk port?

VLAN 1 (A)

Why is a separate voice VLAN required to support VoIP?

To apply QoS and security policies to voice traffic. (A)

What is the range of normal range VLANs on Catalyst 2960 and 3650 Series switches?

1 to 1005 (D)

Where are configurations for normal range VLANs stored?

vlan.dat file in flash memory. (B)

What is the range of extended range VLANs?

1006 to 4094 (A)

Flashcards

Virtual LAN (VLAN)

Breaks up a network into smaller, logical networks to reduce broadcast traffic at Layer 2.

VLAN Benefits

Segmentation and organizational flexibility in a switched network forming logical connections.

VLAN as a Network

A separate logical network where devices communicate as if on the same cable.

VLAN Packet Forwarding

Forwarded only to devices within the same VLAN; routing needed for inter-VLAN communication.

VLAN Broadcast Domain

Creates logical broadcast domains, improving network performance by separating large domains.

Correcting VLAN Assignment

Re-enter the command switchport access vlan vlan-id with the correct VLAN ID to correct a VLAN assignment.

Deleting a VLAN

The no vlan vlan-id command removes a VLAN from the vlan.dat file. Reassign member ports first to avoid connectivity issues.

Resetting a Trunk

Remove allowed VLANs and reset the native VLAN using no switchport trunk allowed vlan and no switchport trunk native vlan commands.

Dynamic Trunking Protocol (DTP)

A Cisco proprietary protocol that automates trunk negotiation. Disable it when connecting to non-Cisco devices to prevent misconfigurations.

VLAN to IP Network

Each VLAN corresponds to a separate IP network or subnet.

Default VLAN (VLAN 1)

Default VLAN on Cisco switches; all ports are members unless reconfigured. Cannot be renamed or deleted.

Data VLAN

VLANs specifically for separating user traffic into logical groups.

Native VLAN

Handles untagged traffic on trunk ports. Best practice to set to an unused VLAN, not VLAN 1.

Management VLAN

Secures network devices using VLANs for management traffic (SSH, HTTP(S), SNMP).

VLAN Trunk

Point-to-point links between network devices carrying multiple VLANs.

Canonical Format Identifier (CFI)

A 1-bit identifier that enables Token Ring frames to be carried across Ethernet links.

VLAN ID (VID)

A 12-bit VLAN identification number that supports up to 4096 VLAN IDs.

Untagged Frames

A trunk port forwards these to the native VLAN. These frames are unusual in a well-designed network.

Port VLAN ID (PVID)

The default VLAN ID assigned to all traffic (tagged or untagged) that ingresses the port. If the native VLAN has not been reconfigured, the PVID value is set to VLAN 1.

Voice VLAN

A separate VLAN used to prioritize and manage voice traffic (VoIP).

Normal Range VLANs

VLAN range from 1 to 1005; configurations stored in vlan.dat file in flash memory.

Extended Range VLANs

VLAN range from 1006 to 4094; configurations saved in the running configuration.

vlan.dat

The VLAN database file located in flash memory that stores normal range VLAN configurations.

Multiple VLAN port

A switch port configured to carry both voice and data traffic, utilizing separate VLANs.

Study Notes

• VLANs segment a network into smaller, logical broadcast domains at Layer 2.
• Devices in a VLAN communicate as if connected to the same cable, regardless of physical location.
• Network administrators can organize VLANs by location, department, or device type.

VLAN Definitions

• VLANs provide segmentation and organizational flexibility in a switched network.
• Devices in a VLAN communicate as if they are connected to the same cable.
• VLANs are based on logical connections.
• Administrators can segment networks based on function, team, or application, irrespective of physical locations.
• Each VLAN acts as a separate logical network, even when sharing infrastructure.
• Any switch port can belong to a VLAN.
• Unicast, broadcast, and multicast packets are forwarded only within the originating VLAN.
• Traffic destined for devices in other VLANs must be routed.
• Multiple IP subnets can exist on a switched network without multiple VLANs, keeping devices in the same Layer 2 broadcast domain.
• VLANs improve network performance by creating smaller broadcast domains.
• Access and security policies can be implemented based on VLAN groupings.
• A switch port can belong to one VLAN, except when connected to an IP phone or another switch.

Benefits of VLAN Design

• Each VLAN corresponds to an IP network, and the design must consider a hierarchical addressing scheme.
• Contiguous network address blocks are reserved for specific network areas.

Default VLAN

• The default VLAN on a Cisco switch is VLAN 1.
• All switch ports are assigned to VLAN 1 by default, unless configured otherwise.
• Layer 2 control traffic is associated with VLAN 1 by default.
• VLAN 1 cannot be renamed or deleted.

Data VLAN

• Data VLANs separate user-generated traffic.
• Modern networks can have many data VLANs based on requirements.
• Voice and network management traffic should not be on data VLANs.

Native VLAN

• User traffic from a VLAN is tagged with its VLAN ID when sent to another switch via trunk ports.
• 802.1Q trunk ports insert a 4-byte tag in the Ethernet frame header to identify the VLAN.
• Untagged traffic is placed on the native VLAN.
• The default native VLAN on a Cisco switch is VLAN 1.
• Best practice dictates configuring the native VLAN as an unused VLAN, distinct from VLAN 1.

Management VLAN

• This is a data VLAN specifically for network management traffic like SSH, Telnet, HTTPS, HTTP, and SNMP.
• VLAN 1 defaults as the management VLAN on Layer 2 switches.

Voice VLAN

• A separate VLAN is required for VoIP traffic, which needs:
  • Assured bandwidth to ensure voice quality
  • Transmission priority
  • Ability to be routed around congested areas
  • Delay of less than 150 ms

Defining VLAN Trunks

• VLAN trunks allow all VLAN traffic to propagate between switches without routers.
• A trunk is a point-to-point link between two network devices carrying multiple VLANs.
• Cisco supports IEEE 802.1Q for trunk coordination on Fast Ethernet, Gigabit Ethernet, and 10-Gigabit Ethernet interfaces.
• A VLAN trunk is a conduit for multiple VLANs and doesn't belong to a specific VLAN.
• By default, on a Cisco Catalyst switch, all VLANs are supported on a trunk port.

Network without VLANs

• A switch forwards broadcast frames to all ports except the one where the broadcast was received.
• The network is one broadcast domain.

Network with VLANs

• VLANs are associated with and configured on individual switch ports.
• Devices attached to those ports have no concept of VLANs but are configured with IP addresses and are members of a specific IP network
• A VLAN equals an IP network (or subnet).
• VLANs are configured on the switch, whereas IP addressing is configured on the device.

VLAN Identification with a Tag

• Standard Ethernet frames do not contain VLAN information.
• Tagging adds VLAN information when Ethernet frames are placed on a trunk using the IEEE 802.1Q header
• The 802.1Q header includes a 4-byte tag with the VLAN to which the frame belongs.
• When a switch receives a frame on a port in access mode, it inserts a VLAN tag, recalculates the FCS, and sends the tagged frame out of a trunk port.

VLAN Tag Field Details

• VLAN tag control information includes:
  • Type: Tag protocol ID (TPID) value, set to hexadecimal 0x8100 for Ethernet.
  • User priority: A 3-bit value supporting level of service implementation.
  • Canonical Format Identifier: A 1-bit identifier enabling Token Ring frames to be carried across Ethernet links.
  • VLAN ID: A 12-bit number supporting up to 4096 VLAN IDs.

Native VLANs and 802.1Q Tagging

• IEEE 802.1Q standard specifies a native VLAN for trunk links, defaulting to VLAN 1.
• Untagged frames arriving on a trunk port are assigned to the native VLAN.
• Management frames are sent between switches as untagged traffic.

Tagged Frames on the Native VLAN

• Some devices add a VLAN tag to native VLAN traffic, where control traffic should not be tagged.
• If an 802.1Q trunk port receives a tagged frame with the VLAN ID that is the native VLAN, it drops the frame.
• Configure devices so they do not send tagged frames on the native VLAN when configuring a switch port on a Cisco switch
• Devices that support tagged frames on the native VLAN include IP phones, servers, routers, and non-Cisco switches.

Untagged Frames on the Native VLAN

• Cisco switch trunk ports forward untagged frames to the native VLAN.
• If there are no devices or other trunk ports associated with the native VLAN, the frame is dropped.
• Default native VLAN is VLAN 1.
• A default Port VLAN ID (PVID) is assigned the value of the native VLAN ID when configuring an 802.1Q trunk port.
• All untagged traffic coming in or out of the 802.1Q port is forwarded based on the PVID value.
• If VLAN 99 is the configured native VLAN, the all untagged traffic is forwarded to VLAN 99 and the PVID is 99. If the native VLAN is not reconfigured, the PVID value is set to VLAN 1.

Voice VLAN Tagging

• A separate voice VLAN is required to support VoIP.
• Allows QoS and security policies for voice traffic.
• A Cisco IP phone connects directly to a switch port and a PC can connect to the IP phone.
• One VLAN is for voice traffic and the other is a data VLAN to support the host traffic.
• The link between the switch and the IP phone simulates a trunk link to carry both voice VLAN traffic and data VLAN traffic.
• The Cisco IP Phone contains an integrated three-port 10/100 switch.
  • Port 1 connects to the switch or other VoIP device.
  • Port 2 is an internal 10/100 interface that carries the IP phone traffic.
  • Port 3 (access port) connects to a PC or other device.
• The switch access port sends CDP packets instructing the attached IP phone to send voice traffic in one of three ways:
  • Voice VLAN traffic must be tagged with an appropriate Layer 2 class of service (CoS) priority value.
  • Access VLAN traffic can also be tagged with a Layer 2 CoS priority value.
  • Access VLAN is not tagged (no Layer 2 CoS priority value).

VLAN Ranges on Catalyst Switches

• Catalyst switches support varying numbers of VLANs, such as over 4,000 on Catalyst 2960 and 3650 Series switches.
• Normal range VLANs are 1 to 1,005, while extended range VLANs are 1,006 to 4,094.

Normal Range VLANs

• Used in small- to medium-sized business and enterprise networks.
• Identified by a VLAN ID between 1 and 1005.
• IDs 1002 through 1005 are reserved for legacy network technologies (Token Ring and Fiber Distributed Data Interface).
• IDs 1 and 1002 to 1005 are automatically created and cannot be removed.
• Configurations are stored in the switch flash memory in a VLAN database file called vlan.dat.
• VLAN trunking protocol (VTP) helps synchronize the VLAN database between switches.

Extended Range VLANs

• Used by service providers and large global enterprises.
• Identified by a VLAN ID between 1006 and 4094.
• Configurations are saved in the running configuration by default.
• Support fewer VLAN features than normal range VLANs. Supports VTP transparent mode configuration to support extended range VLANs.
• 4096 is the upper boundary for the number of VLANs available on Catalyst switches.

LAN Creation Commands

• Configuration details for normal range VLANs are stored in flash memory on the switch in a file called vlan.dat.
• It is good practice to save running configuration changes to the startup configuration.

Data and Voice VLANs

• An access port can belong to only one data VLAN at a time, with an association to a voice VLAN.
• a port connected to an IP phone and an end device would be associated with two VLANs: one for voice and one for data.

Change VLAN Port Membership

• Re-enter the switchport access vlan vlan-id interface configuration command with the correct VLAN ID if the switch access port has been incorrectly assigned to a VLAN
• Use the no switchport access vlan interface configuration mode command to change the membership of a port back to the default VLAN 1.

Delete VLANs

• The no vlan vlan-id global configuration mode command removes a VLAN from the switch vlan.dat file.
• Before deleting a VLAN, reassign all member ports to a different VLAN first.
• The entire vlan.dat file can be deleted using the delete flash:vlan.dat privileged EXEC mode command.
• After issuing this command and reloading the switch, any previously configured VLANs are no longer present.
• To restore a Catalyst switch to its factory default condition, unplug all cables except the console and power cable from the switch
• Enter the erase startup-config privileged EXEC mode command followed by the delete vlan.dat command.

Trunk Configuration Commands

• A VLAN trunk is a Layer 2 link between two switches that carries traffic for all VLANs.

Reset the Trunk to the Default State

• Use the no switchport trunk allowed vlan and the no switchport trunk native vlan commands to remove the allowed VLANs and reset the native VLAN of the trunk.
• When reset to the default state, the trunk allows all VLANs and uses VLAN 1 as the native VLAN.

Introduction to DTP

• Dynamic Trunking Protocol (DTP) automates trunking negotiation between Cisco switches.
• DTP can speed up configuration process for a network administrator.
• Ethernet trunk interfaces support different trunking modes. Interface can be set to trunking or nontrunking, or to negotiate trunking with the neighbor interface.
• Trunk negotiation is managed by DTP, which operates on a point-to-point basis only, between network devices.
• DTP is enabled on Catalyst 2960 and Catalyst 3650 Series switches automatically.
• DTP manages trunk negotiation only if the port on the neighbor switch is configured in a trunk mode that supports DTP.
• Non-Cisco switches do not support DTP.
• Turning off DTP on Cisco switch interfaces connected to devices that do not support DTP avoids misconfigurations.
• The default DTP configuration for Cisco Catalyst 2960 and 3650 switches is dynamic auto.
• Use the switchport mode trunk and switchport nonegotiate interface configuration mode commands to enable trunking from a Cisco switch to a device that does not support DTP.
• Use the switchport mode dynamic auto command to re-enable dynamic trunking protocol

Negotiated Interface Modes

• Use the switchport nonegotiate interface configuration command to stop DTP negotiation.
• Use the switchport mode to configure the trunk mode.

Description

VLANs segment networks into logical broadcast domains, enabling communication as if devices share a cable, regardless of location. Network administrators use VLANs to organize by location, department, or device type, enhancing network management. Each VLAN operates as an independent network.