VLAN Tutorial
Introduction
In this VLAN tutorial I am going to cover the basic theory and terminology related to Virtual Local Area Networks (VLANs):
- When to use VLANs
- Benefits of using VLANs
- How do VLANs work
- What are the different types of VLANs
- Configuring an intra and inter VLAN on a Cisco switch
- Configuring a VLAN with Voice over IP (VoIP)
- Cisco's 3-layered architecture
- Configuring the VLAN trunking protocol (VTP)
What is a VLAN?
A Virtual Local Area Network (VLAN) is a layer 2 technology that logically splits one large broadcast domain into several smaller ones on the same switches, so that hosts in different VLANs cannot exchange frames directly even though they share the physical infrastructure.
When to use VLANs?
In medium-to-large organizations, departments are usually physically separated, in different rooms or on different floors. A set of end devices (PCs, servers, printers, phones, etc.) is connected to a series of switches that uplink to a router or a layer 3 switch. This inner network forms one broadcast domain, and as the organization grows that leads to performance and security issues. Imagine 5 departments, each performing entirely different functions, with up to 50 end devices each, all with direct layer 2 access to one another and flooding the shared medium with ARP requests.
So what can we do? A broadcast domain ends at a router, so we could divide the network with routers. But we don't want to: routers are slower, more expensive, have a limited number of ports, and are generally not designed for this kind of company-level sub-networking.
What we need is a VLAN for every department, floor or building, whichever fits the organization.
Benefits of using VLANs
VLANs provide the following general benefits :
Improved security – the different groups of users don't need to know about each other and can't see each other's traffic unless a layer 3 device is explicitly configured to route between them. Keep in mind that a VLAN is a broadcast-domain boundary, not a firewall: once inter-VLAN routing exists, access lists on the layer 3 device are what actually restrict the traffic.
Higher performance – dividing the network into virtual sub-networks keeps broadcasts and unnecessary traffic inside their own segment and improves performance.
Cost reduction – routers are usually considerably more expensive than switches (with the exception of layer 3 switches, which we'll discuss later).
Simplified network management – logically dividing the network into virtual sub-networks improves maintenance and manageability; moving a user to another department becomes a port configuration change instead of a re-cabling job.
How do VLANs work?
VLANs work by tagging frames as they travel between switches.
Each switch port is associated with a VLAN. A frame arriving on an access port is untagged; the switch simply records internally that it belongs to the VLAN configured on that port and only forwards or floods it to ports in the same VLAN. The tag becomes visible on the wire when the frame has to cross a link shared by several VLANs (a trunk): there the switch inserts a 4-byte IEEE 802.1Q tag right after the source MAC address, consisting of a 2-byte Tag Protocol Identifier (0x8100) and a 2-byte Tag Control Information field whose low 12 bits hold the VLAN ID, so the receiving switch can put the frame back into the right VLAN. The tag is removed again before the frame leaves an access port. Note that this is a layer 2 mechanism: it is the Ethernet frame that is tagged, not the IP packet inside it.
Types of VLANs
There are a few types of VLANs:
Data VLAN
This is the main type of VLAN. It is designed to carry user data. The link connecting your computer is assigned to a data VLAN.
Default VLAN
This is the VLAN assigned by default to all ports. On Cisco switches this is VLAN 1. That's why, if you don't configure any VLANs at all, your network still resides in a VLAN: the default VLAN 1.
Native VLAN
This is the most misunderstood type of VLAN.
The native VLAN is the VLAN a trunk port assigns to frames that arrive untagged, i.e. frames that have not passed through a VLAN-tagging port. Such situations occur when:
- a frame comes from a router or another device that sends it untagged onto a trunk link (a link carrying multiple VLANs, discussed later). It has no VLAN tag, so it is placed in the native VLAN. In that case no modification to the frame itself is made, and in the other direction frames belonging to the native VLAN leave the trunk untagged as well. The primary reason native VLANs exist is backward compatibility with devices that do not understand 802.1Q.
- a frame comes from a PC daisy-chained behind an IP phone or a hub. The PC knows nothing about VLANs; the phone tags its own voice traffic but passes the PC's frames through untagged, so they land in the port's data (access) VLAN, which plays the role of the native VLAN on that link.
The native VLAN must be configured identically on both ends of every trunk; a mismatch silently merges two VLANs (Cisco switches log a CDP native VLAN mismatch warning when they notice it). From a security perspective it is not good practice to leave it at the default VLAN 1, and ideally the native VLAN should be a VLAN that has no access ports at all: if an attacker sits on an access port in the trunk's native VLAN, a double-tagged frame he sends crosses the trunk untagged, with the inner tag still present, and the next switch forwards it into whatever VLAN that inner tag names (the 802.1Q double-tagging VLAN hopping attack).
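To make the tagging and native VLAN behaviour concrete, here is an added Python model (example code written for this edit, not part of the original tutorial and not Cisco code). It builds and parses 802.1Q tags, models an access port and a trunk port, and then runs the double-tagging scenario described above for two choices of native VLAN. The access port behaviour (accept and strip a tag equal to its own VLAN, drop any other tag) is a simplified assumption about Catalyst switches, and the MAC addresses, VLAN numbers and payload are constructed.

```python
"""Model of 802.1Q tagging on access and trunk ports (added example, not part of the tutorial)."""
import struct

TPID = 0x8100  # 802.1Q Tag Protocol Identifier; sits where the EtherType normally is


def build_frame(dst, src, ethertype, payload, tags=()):
    """Ethernet II frame with zero or more 802.1Q tags (outermost first); each tag is (vid, pcp)."""
    out = dst + src
    for vid, pcp in tags:
        tci = ((pcp & 0x7) << 13) | (vid & 0x0FFF)  # TCI = PCP(3 bits) | DEI(1 bit, 0 here) | VID(12 bits)
        out += struct.pack("!HH", TPID, tci)
    return out + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Return (dst, src, tags, ethertype, payload); tags is a list of (vid, pcp), outermost first."""
    dst, src, off, tags = frame[:6], frame[6:12], 12, []
    while struct.unpack_from("!H", frame, off)[0] == TPID:
        tci = struct.unpack_from("!H", frame, off + 2)[0]
        tags.append((tci & 0x0FFF, tci >> 13))
        off += 4
    ethertype = struct.unpack_from("!H", frame, off)[0]
    return dst, src, tags, ethertype, frame[off + 2:]


class Port:
    """An access port (one VLAN, untagged) or a trunk port (all VLANs tagged, native VLAN untagged)."""

    def __init__(self, mode, vlan=None, native=None):
        self.mode, self.vlan, self.native = mode, vlan, native


def ingress(port, frame):
    """Assign a received frame to a VLAN and remove the tag the port consumes.

    Returns (vid, frame) or None when the frame is dropped. Assumption (simplified Catalyst
    behaviour): an access port accepts an untagged frame, accepts and strips a tag equal to
    its own access VLAN, and drops a tag naming any other VLAN.
    """
    dst, src, tags, ethertype, payload = parse_frame(frame)
    if port.mode == "access":
        if not tags:
            return port.vlan, frame
        if tags[0][0] == port.vlan:
            return port.vlan, build_frame(dst, src, ethertype, payload, tags[1:])
        return None
    if not tags:                       # untagged on a trunk: the frame belongs to the native VLAN
        return port.native, frame
    return tags[0][0], build_frame(dst, src, ethertype, payload, tags[1:])


def egress(port, vid, frame):
    """Prepare a frame of VLAN `vid` to leave `port`; None if the port does not carry that VLAN."""
    dst, src, tags, ethertype, payload = parse_frame(frame)
    if port.mode == "access":
        return frame if vid == port.vlan else None   # access ports never emit a tag
    if vid == port.native:
        return frame                                 # native VLAN leaves the trunk untagged
    return build_frame(dst, src, ethertype, payload, [(vid, 0)] + tags)


def double_tag_hop(native, attacker_vlan, victim_vlan):
    """Send a double-tagged frame from an access port in `attacker_vlan` across a trunk whose
    native VLAN is `native` (same on both switches). Returns the VLAN the far-end switch
    delivers it into, or None if it never reaches an access port in `victim_vlan`."""
    attacker_port = Port("access", vlan=attacker_vlan)
    trunk = Port("trunk", native=native)
    victim_port = Port("access", vlan=victim_vlan)
    frame = build_frame(b"\xff" * 6, bytes.fromhex("020000000001"), 0x0800, b"constructed payload",
                        tags=[(attacker_vlan, 0), (victim_vlan, 0)])   # outer tag = attacker's own VLAN
    hop = ingress(attacker_port, frame)          # switch 1, the attacker's access port
    if hop is None:
        return None
    vid, frame = hop
    frame = egress(trunk, vid, frame)            # switch 1 puts it on the trunk
    vid, frame = ingress(trunk, frame)           # switch 2 classifies what it sees on the trunk
    return vid if egress(victim_port, vid, frame) is not None else None


if __name__ == "__main__":
    print("native 100, attacker in VLAN 100 ->", double_tag_hop(100, 100, 20))  # 20: the hop works
    print("native 999, attacker in VLAN 100 ->", double_tag_hop(999, 100, 20))  # None: blocked
```

The hop only succeeds when the attacker's access VLAN equals the trunk's native VLAN: the outer tag is consumed on the access port, the frame crosses the trunk untagged because it is in the native VLAN, and the second switch reads the inner tag as if it were a legitimate one. Moving the native VLAN to an unused number makes the first switch re-tag the frame, so the far end sees the attacker's real VLAN.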
Management VLAN
A VLAN used for managing the switches themselves (the switch's own IP address, SSH, SNMP). It is good practice to move it away from the default VLAN 1 and to keep user traffic out of it. Sometimes the management VLAN is also set to be the native one, although a dedicated VLAN without any access ports is the safer choice for the native VLAN.
Voice VLAN
This is a special type of VLAN used with VoIP devices. I’ll discuss that later in detail.
Configuring an Intra-VLAN on a Cisco switch
Consider the following simple topology :
We have 4 PCs connected with 2 switches. We want to put PC0 and PC2 into VLAN 10 and PC1 and PC3 into VLAN 20.
Access and trunk links
Before I continue, I'd like to make a point regarding the difference between access and trunk links:
- The links connecting the end devices are called access links. An access link carries a single VLAN (normally a data VLAN) and the frames on it are untagged.
- The link between the switches is called a trunk link. It carries frames from all VLANs, each tagged with its VLAN ID, except the native VLAN, which travels untagged. It usually needs more throughput than an access link.
So in order to configure these basic VLANs, we need to perform the following steps :
- Create the VLANs on both switches
- Designate the proper access links
- Assign the VLAN IDs and configure any additional security
- Configure the trunk links
So let’s access the first switch in global configuration mode and enter the following commands :
Switch1(config)#vlan 10
Switch1(config-vlan)#name Development
Switch1(config-vlan)#vlan 20
Switch1(config-vlan)#name Sales
Switch1(config-vlan)#vlan 100
Switch1(config-vlan)#name Management
Switch1(config-vlan)#exit
Switch1(config)#int Fa0/2
Switch1(config-if)#switchport mode access
Switch1(config-if)#switchport access vlan 10
Switch1(config-if)#spanning-tree portfast
Switch1(config-if)#switchport port-security
Switch1(config-if)#switchport port-security mac-address sticky
Switch1(config-if)#switchport port-security maximum 1
Switch1(config-if)#exit
Switch1(config)#int Fa0/3
Switch1(config-if)#switchport mode access
Switch1(config-if)#switchport access vlan 20
Switch1(config-if)#spanning-tree portfast
Switch1(config-if)#switchport port-security
Switch1(config-if)#switchport port-security mac-address sticky
Switch1(config-if)#switchport port-security maximum 1
Switch1(config-if)#exit
Switch1(config)#int Fa0/1
Switch1(config-if)#switchport trunk encapsulation dot1q
Switch1(config-if)#switchport mode trunk
Switch1(config-if)#switchport trunk native vlan 100
Switch1(config-if)#do wr
! the same set of commands is entered on the second switch (omitted here)
This creates the VLANs and assigns Fa0/2 and Fa0/3 to VLAN 10 and VLAN 20 respectively. The Fast Ethernet ports are configured as access ports, since they are connected to PCs. The uplink is configured as a trunk with the native VLAN set to 100. Port security limits the port to one MAC address, learned dynamically and written into the running configuration (sticky); it only takes effect once it is enabled with switchport port-security on the interface, as the sticky and maximum commands on their own set parameters but do not switch it on. By default a violation err-disables the port, so check show port-security interface if a port goes down unexpectedly. The spanning-tree portfast command tells the Spanning Tree Protocol to start forwarding on the port immediately, without waiting for the listening and learning timers; it is the usual configuration for access ports, and only for access ports. The trunk still runs DTP, so adding switchport nonegotiate on it stops trunk negotiation frames; on switches that only support 802.1Q (the 2960 family, for example) the switchport trunk encapsulation dot1q command does not exist and can simply be omitted. The last command saves the running configuration into the startup configuration; its full equivalent is copy running-config startup-config.
The same set of commands needs to be executed on the second switch. If everything is OK, PC1 will not be able to ping PC2. We have done our job of limiting the broadcast domain and reducing traffic: the two VLANs are separated despite sharing the same physical medium through the trunk.
Note that we are not forced to use a trunk link at all, although it is desirable. We could have used one separate link per VLAN between the switches, but usually there are many more than two VLANs and a trunk link is the way to go.
Configuring VLAN with Voice over IP (VoIP)
Normally you configure only one VLAN per switch port. Voice over IP is the exception: the IP phone sits between the switch and the PC, so the port needs two VLANs, one for data (the PC) and one for voice (the phone).
Let's change our example a little bit by adding a VoIP device :
The configuration becomes :
Switch1(config)#vlan 50
Switch1(config-vlan)#name Voice
Switch1(config-vlan)#exit
Switch1(config)#int Fa0/2
Switch1(config-if)#switchport mode access
Switch1(config-if)#switchport access vlan 10
Switch1(config-if)#switchport voice vlan 50
Switch1(config-if)#switchport port-security
Switch1(config-if)#switchport port-security mac-address sticky
Switch1(config-if)#switchport port-security maximum 2
Switch1(config-if)#mls qos trust cos
Switch1(config-if)#exit
Switch1(config)#do wr
The phone tags its own frames with VLAN 50, while the PC's traffic passes through the phone untagged and stays in the data VLAN 10. The mls qos trust cos command tells the switch to trust the CoS priority the phone marks on its frames (the mls qos syntax is Catalyst-specific). Because there are now two devices behind the port, the phone and the PC, port security must allow at least two MAC addresses; with a maximum of 1 the second address would trigger a violation and err-disable the port.
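The access-port and trunk settings in the two configurations above are easy to get subtly wrong: port security that is configured but never enabled, a trunk left on native VLAN 1, a port without an explicit mode, or a phone port whose port-security maximum is too low. Here is an added Python script that audits a running-config excerpt for exactly those points. It is example code written for this edit, not part of the original tutorial; the configuration text it checks is a constructed sample modelled on the switch above, with Fa0/3, Fa0/4 and Fa0/5 deliberately misconfigured, and the DTP check (switchport nonegotiate) goes one step beyond the commands shown in the tutorial.

```python
"""Audit switch port configuration text for the weaknesses discussed in the tutorial (added example)."""
import re

# Constructed running-config excerpt modelled on the tutorial's switch. Fa0/3, Fa0/4 and Fa0/5
# carry deliberate mistakes so the audit has something to find.
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 100
 switchport mode trunk
 switchport nonegotiate
!
interface FastEthernet0/2
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 spanning-tree portfast
!
interface FastEthernet0/3
 switchport mode access
 switchport access vlan 20
 switchport voice vlan 50
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
!
interface FastEthernet0/4
 switchport access vlan 1
 switchport port-security maximum 1
 switchport port-security mac-address sticky
!
interface FastEthernet0/5
 switchport mode trunk
!
"""


def parse_interfaces(config):
    """Map each 'interface X' stanza to the list of its indented commands."""
    ifaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            ifaces[current] = []
        elif current is not None and line.startswith(" "):
            ifaces[current].append(line.strip())
        else:
            current = None          # '!' or any top-level command ends the stanza
    return ifaces


def _number(lines, prefix, default):
    """Numeric argument of the first command starting with `prefix`, else `default`."""
    for cmd in lines:
        if cmd.startswith(prefix):
            return int(re.match(r"\d+", cmd[len(prefix):]).group(0))
    return default


def audit(config):
    """Return {interface: [finding, ...]}; an empty list means the port passed every check."""
    report = {}
    for name, lines in parse_interfaces(config).items():
        cmds, findings = set(lines), []
        mode = next((cmd.split()[2] for cmd in lines if cmd.startswith("switchport mode ")), None)
        if mode == "trunk":
            native = _number(lines, "switchport trunk native vlan ", 1)   # IOS default native VLAN is 1
            if native == 1:
                findings.append("native VLAN left at 1; move it to a dedicated VLAN with no access ports")
            if "switchport nonegotiate" not in cmds:
                findings.append("DTP still running on a trunk; add 'switchport nonegotiate'")
        else:
            if mode != "access":
                findings.append("no 'switchport mode access'; DTP may negotiate this port into a trunk")
            if _number(lines, "switchport access vlan ", 1) == 1:
                findings.append("user port in VLAN 1 (the default VLAN)")
            if "switchport port-security" not in cmds:
                findings.append("port-security never enabled; 'maximum'/'sticky' alone do nothing")
            elif any(cmd.startswith("switchport voice vlan") for cmd in lines) \
                    and _number(lines, "switchport port-security maximum ", 1) < 2:
                findings.append("voice VLAN present but port-security maximum < 2 (phone + PC)")
        report[name] = findings
    return report


if __name__ == "__main__":
    for port, findings in audit(SAMPLE_CONFIG).items():
        print(port, "OK" if not findings else "")
        for finding in findings:
            print("   -", finding)
```

Feed it the output of show running-config from a real switch (interface stanzas are parsed the same way) and treat every finding on a user-facing port as something to fix before that port goes live.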
Configuring an Inter-VLAN on a Cisco switch
In the topology created, we were unable to ping PC3 from PC0. That is perfectly normal: we put them in different VLANs, and the whole idea of a VLAN is to restrict traffic between the inner segments of the network. But of course we will need some connectivity between these segments. For a packet originating in one VLAN to reach an end device in another VLAN a layer 3 device is needed, either a router or a layer 3 switch. Keep in mind that the moment such a device routes between the VLANs, the layer 2 separation no longer restricts anything by itself; access lists on the router or layer 3 switch are what decide which traffic may cross between segments.
So let’s add our router :
What is a layer 3 switch ?
A layer 3 switch (also known as a multilayer switch) is a multi-functional device that has the same functionality as a layer 2 switch but behaves like a router when necessary. It is generally faster than a router thanks to its hardware-based routing, but it is also more expensive than a normal switch. As a rule of thumb, use a layer 3 switch whenever you need maximum performance.
Configuring Inter-VLAN with a router (Router on a stick topology)
The standard way of attaching the VLANs to the router is to configure one physical port as a trunk and create one virtual subinterface per VLAN on it, each with the 802.1Q encapsulation for that VLAN ID.
So let’s configure the link on the router :
Router(config)#int Fa0/1
Router(config-if)#no shutdown
Router(config-if)#int Fa0/1.1
Router(config-subif)#encapsulation dot1Q 10
! /24 subnets: a /30 has only two usable addresses, not enough for the router plus the two PCs in each VLAN
Router(config-subif)#ip address 192.168.10.2 255.255.255.0
Router(config-subif)#int Fa0/1.2
Router(config-subif)#encapsulation dot1Q 20
Router(config-subif)#ip address 192.168.20.2 255.255.255.0
Router(config-subif)#int Fa0/1.3
Router(config-subif)#encapsulation dot1Q 100 native
Router(config-subif)#ip address 192.168.100.2 255.255.255.0
Router(config-subif)#do wr
And on the switch :
CoreSwitch(config)#int Fa0/0
! on switches that support both ISL and 802.1Q the encapsulation must be set before the port can be put in trunk mode
CoreSwitch(config-if)#switchport trunk encapsulation dot1q
CoreSwitch(config-if)#switchport mode trunk
CoreSwitch(config-if)#switchport trunk native vlan 100
CoreSwitch(config-if)#no switchport port-security
CoreSwitch(config-if)#do wr
Each VLAN gets its own subnet, just like a normal network; size it for the number of hosts (a /30 has only two usable addresses, so a VLAN holding a router and two PCs needs something larger, such as a /24). We also disable port security on the trunk to the router, since there are no end devices on it. The native VLAN on the switch side must match the one declared with the native keyword on the router subinterface. Also note that IEEE 802.1Q (dot1q) is not the only trunk encapsulation available: ISL is a Cisco proprietary alternative. One of the reasons 802.1Q is preferred is that it is not vendor-specific.
Configuring Inter-VLAN with a multilayer switch
Alternatively, we could use a multilayer switch instead of a router. Instead of subinterfaces, each VLAN gets a switched virtual interface (SVI) that carries its IP address, and routing is switched on globally:
CoreSwitch(config)#ip routing
! activates the routing functions of the switch
CoreSwitch(config)#int vlan 10
CoreSwitch(config-if)#ip address 192.168.10.2 255.255.255.0
CoreSwitch(config-if)#no shutdown
CoreSwitch(config-if)#int vlan 20
CoreSwitch(config-if)#ip address 192.168.20.2 255.255.255.0
CoreSwitch(config-if)#no shutdown
CoreSwitch(config-if)#do wr
Cisco's 3 Layered Model
In small networks, one or two layer 2 switches and a router usually do the job. In bigger environments, however, a more complex setup is required to accommodate all the traffic. In such cases the so-called Cisco 3-layered model is used.
Consider the following topology :
This is a standard topology for medium to large networks. It is divided into three layers:
Core layer – the backbone of the network, carrying all the traffic between the distribution blocks as fast as possible. The Core layer does not need to know about the VLANs configured below it; it normally routes between the distribution switches.
Distribution layer – the middle layer, usually built from layer 3 switches with routing enabled. This is where the VLANs reaching the Access layer are terminated and routed, and where the access lists between them belong. The Distribution layer takes on a big part of the traffic, which is why a multilayer switch is the natural choice.
Access layer – the user layer, consisting of end devices and layer 2 switches. The redundant links are there so that if one switch or link fails, the other takes over. The Spanning Tree Protocol (STP) manages the resulting loops by blocking the redundant paths until they are needed; with per-VLAN STP different VLANs can be sent over different uplinks, which gives a form of layer 2 load balancing.
The VLAN Trunking Protocol (VTP)
In our previous example we had only two switches to configure, so we manually entered the same set of commands on every switch to create our VLANs. Depending on the size of the network, however, there might be tens or even hundreds of switches, and most bigger networks consist of many switches and links between them. Configuring every VLAN on every switch by hand is quite time-consuming (just like configuring every route on every router). This is where VTP comes into play.
So what's VTP?
The VLAN Trunking Protocol is a Cisco proprietary protocol that lets us create VLANs on one switch and have them automatically propagated, over the trunk links, to all other switches in the network. For VTP to work, all the switches must be placed in the same domain, using the vtp domain <name> command. Be aware of its well-known failure mode: the VLAN database with the highest configuration revision number wins, so a switch (a client as well as a server) that joins the domain with a higher revision replaces everyone's VLAN list with its own, and every access port in a VLAN that disappears goes dark. Always set a VTP password, reset the revision of any reused switch before connecting it (changing its domain name does that), and consider transparent mode where automatic propagation is not actually needed.
VTP Modes
There are 3 VTP modes available:
Server mode – a switch in server mode is responsible for creating, changing and propagating all the information related to the VLANs
Client mode – receives and forwards any VLAN information it receives; VLANs cannot be created or changed locally
Transparent mode – forwards any VTP information it receives over its trunks but does not apply it; VLANs must be configured manually
Configuring VTP
Configuring VTP is quite simple. The following commands put a switch into VTP server mode (the set vtp ... syntax belongs to the old CatOS; on IOS the commands are entered directly in global configuration mode):
Switch1(config)#vtp domain <name>
Switch1(config)#vtp mode server
Switch1(config)#vtp password 1234
Switch1(config)#do wr
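The revision-number behaviour behind the VTP modes and the password, as an added Python model (example code written for this edit, not the original tutorial's content and not Cisco's implementation). A VtpSwitch in server or client mode accepts any advertisement from its own domain with a matching password and a higher revision; transparent mode ignores advertisements. The scenario function has a stray lab switch with revision 50 and only VLAN 1 join the production domain, once without and once with a VTP password. The switch names, the domain corp and the MD5 stand-in for the real advertisement digest are constructed assumptions.

```python
"""Simplified model of how VTP propagates a VLAN database (added example, not Cisco code)."""
import hashlib


class VtpSwitch:
    """VTP v1/v2 reduced to the part that matters here: a server or client in the same domain,
    with a matching password, replaces its VLAN database with any advertised one that carries
    a higher configuration revision. Assumption: the MD5 over domain and password stands in
    for the real per-advertisement digest, which also covers the VLAN data."""

    def __init__(self, name, domain, mode, password=None, vlans=None, revision=0):
        self.name, self.domain, self.mode, self.password = name, domain, mode, password
        self.vlans, self.revision = dict(vlans or {1: "default"}), revision

    def _digest(self):
        return hashlib.md5(f"{self.domain}:{self.password or ''}".encode()).hexdigest()

    def advertisement(self):
        """Summary advertisement as sent on every trunk (transparent switches only relay them)."""
        return {"domain": self.domain, "revision": self.revision,
                "digest": self._digest(), "vlans": dict(self.vlans)}

    def create_vlan(self, vid, name):
        if self.mode == "client":
            raise PermissionError(f"{self.name}: VLANs cannot be created on a VTP client")
        self.vlans[vid] = name
        if self.mode == "server":
            self.revision += 1      # transparent mode keeps a local, never-advertised database

    def receive(self, adv):
        """Apply an advertisement; return True if the local VLAN database was replaced."""
        if self.mode == "transparent":
            return False
        if adv["domain"] != self.domain or adv["digest"] != self._digest():
            return False            # other domain or wrong password: ignored
        if adv["revision"] <= self.revision:
            return False            # nothing newer than what we already have
        self.vlans, self.revision = dict(adv["vlans"]), adv["revision"]
        return True


def stray_switch_scenario(password=None, stray_revision=50):
    """A lab switch with a higher revision and only VLAN 1 joins the production domain 'corp'
    (constructed data). Returns the VLAN IDs left on the core server and on an edge client."""
    core = VtpSwitch("Core", "corp", "server", password, revision=7,
                     vlans={1: "default", 10: "Development", 20: "Sales", 100: "Management"})
    edge = VtpSwitch("Edge", "corp", "client", password)
    edge.receive(core.advertisement())            # normal propagation, server -> client
    stray = VtpSwitch("Lab", "corp", "server", password=None, revision=stray_revision)
    for switch in (core, edge):
        switch.receive(stray.advertisement())     # the stray switch is plugged into a trunk port
    return sorted(core.vlans), sorted(edge.vlans)


if __name__ == "__main__":
    print("no VTP password:", stray_switch_scenario())        # ([1], [1]): production VLANs wiped
    print("password set   :", stray_switch_scenario("1234"))  # ([1, 10, 20, 100], [1, 10, 20, 100])
```

Without a password the stray switch's higher revision is enough to erase VLANs 10, 20 and 100 from both the server and the client; with the password set, its advertisements fail the digest check and are ignored. A transparent switch would keep its own database in both cases, which is why transparent mode is the safe default on a switch that only needs its locally configured VLANs.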
You can find more information on configuring VTP here.
That's all from me.
I'd like to give special thanks to my Cisco instructor Ionka Gancheva for reviewing this article. ;)
If you have some comments or recommendations – don't hesitate to contact me !
Hey, very nice and quite good article. I'd like to make some remarks:
1. It's true that on 2960 switches the only supported encapsulation method for VLANs is 802.1Q, but other switches still support ISL.
2. The diagram for VTP is not quite a good example. In this scenario Cisco will definitely recommend that you use L3 routing between the Distribution switches, and you will almost surely never use VTP in such a complex environment.
Besides that, your article is quite a good reference :) Keep going :)
Hello Vladi,
You are absolutely right, I changed the article a little bit. With that diagram I wanted to mention the 3-layered model, but I guess it's a better idea to move it to a new section with a brief description. ;)
Thanks for the remark ! :)
Seems like a nice brief howto. 10x.
Kosta, this was a very good article. Succinct and easy enough for my students to understand. Thank you.
Hi Steve,
I'm glad you found it useful.
Best Regards
Kosta, I really appreciate the tutorial and liked it. I am having a mini project with a network which has four departments (Finance, Human Resource Management, Sales and Procurement), and I wanted to use the same concept as this one.
The network is going to be a server-client network. My network is small; I am going to use one server which stores all the information and another one which will be a backup for the main one.
Even if you can help me with my network's topology and the configuration for my network,
I will be grateful for your assistance.
Thanks, Kosta Hristov
I think there is a little mistake... You talk about "tagging the packet" with the link to the Wikipedia page about 802.3q; however, the VLAN tag is inserted in the Ethernet header.
It is a layer 2 technology.
I think you should call it "tagging the frame" rather than "tagging the packet". A packet is a layer 3 IP datagram.
Just to remember:
Ethernet FRAME: Layer2
IP PACKET: Layer 3
TCP SEGMENT: Layer 4
Please, can I have the configuration of the last image???
@Kosta Hristov
Please, can I have the configuration of the last image....
Reference ?
Very nice tutorial appreciate it. Thanks everything explained very clearly.