VLAN

Done

VLAN (Virtual Local Area Network)

LAN (Local Area Network)

It is a group of devices in a single location. But it also is a single broadcast domain, including all devices in that broadcast domain.

💡

Important: A Broadcast domain is a group of devices that will receive a broadcast frame (MAC FFFF.FFFF.FFFF) sent by any member in that group.

💡

Lots of unnecessary broadcast traffic can lead to decreased performance

💡

By dividing a network, putting a router/firewall between, you can apply policies that control the forwarding of packets

VLANs

VLANs don`t forward broadcast/unknown frames between different VLANs. In order for frames to travel across VLANs the switch forwards the frame to the router.

Logically separate hosts at Layer 2

Are configured in switches in per-interface basis.

💡

There can be devices in the same subnet but in different VLANs.

See VLANs Status

show vlan brief

By default, all ports are assigned to the same VLAN, VLAN 1. Also, VLANs from 1002 to 1005 cannot be deleted, they are used for old technologies.

Set VLANs

configure terminal // Global Configuration Mode
interface g0/0 // Enter in an interface
switchport mode access //Turn that port into an access port*
switchport access vlan 10 // switchport access vlan {vlan-number} //assigns a VLAN to that port

💡

*An access port is one that is connected to a single VLAN, and usually connect directly to the end host (PC, Server, etc.)

Select a VLAN

configure terminal
vlan 10 // vlan {vlan-number} //If that vlan doesn`t exists, it creates it

Change a VLAN`s name

configure terminal
vlan 10 // vlan {vlan-number}
name ENGINEERING // name {Description}

VLAN Trunking

Trunk

It is a single port that carries multiple VLANs. In order for the receiving device know what VLAN a frame belongs to, the trunk port will tag the frame indicating what VLAN it belongs to.

💡

Trunk port = “tagged” port Access port = “untagged” port

There are two trunking protocols:

ISL
- This is a old Cisco proprietary protocol

IEEE 802.1Q
- This is a international standard created by IEEE
- It consists of a field inserted into the frame with a size of 4 bytes (32 Bits)
- It is inserted in the frame between the Source and the Type/Length fields. Itself is made of 2 fields:
  - TPID (Tag Protocol Identifier) (16 Bits)
    - Value 0x8100
  - TCI (Tag Control Information):
    - PCP (3 Bits) (Priority Code Point)
      - Used for CoS (Class of Service), used to prioritize traffic in congested networkds
    - DEI (1 Bit) (Drop Eligible Indicator)
      - Used to sinalize a frame that can be dropped if the network is congested
    - VID (12 Bits) (VLAN ID)
      - Used to identify the VLAN the frame belongs to
      - Since it is 12 bits long, when powering the number 2, it results in a value of 4096 VLANs.
        VLAN 0 and 4095 are reserved
        Actual VLAN range: 1 - 4094
        Normal VLANs: 1-1005
        Extended VLANs 1006-494
- It has a feature called Native VLAN
  - When a switch sends a frame through a trunk port, when the frame belongs to the configured Native VLAN (1 for example), it will not tag it
    - Natives VLANs must be the same on both switch, for both of them to forward properly the frame

Select Trunking Protocol

configure terminal // Global Configuration Mode
interface f1/0 // Interface Mode
switchport trunk encapsulation dot1q //switchport trunk encapsulation {dot1q/isl/negotiate}

💡

This is needed for older switches that support both ISL and 802.1Q standards

Turn on Trunk mode

configure terminal
interface f1/0
switchport mode trunk

See trunk status

show interfaces trunk

Manage VLANs in a Trunk Port

Specific VLAN(s)

configure terminal
interface f0/1
switchport trunk allowed vlan 10 // switchport trunk allowed vlan {vlan-id}

Add VLAN(s)

Adds a VLAN without rewriting the already allowed VLANs

configure terminal
interface f0/1
switchport trunk allowed vlan add 20 // switchport trunk allowed vlan add {vlan-id}

All VLANs

As the name implies, it allows all VLANs through that trunk port

configure terminal
interface f0/1
switchport trunk allowed vlan all

Except VLAN(s)

Adds only the ranges of VLANs not specified

configure terminal
interface f0/1
switchport trunk allowed vlan except 1,20,30 //switchport trunk allowed vlan except {vlan-id}

None VLAN(s)

Blocks all frames belonging to VLANs to be forwarded to that port

configure terminal
interface f0/1
switchport trunk allowed vlan none

Remove VLAN(s)

Remove specific VLAN IDs from the current list

configure terminal
interface f0/1
switchport trunk allowed vlan remove 10 // switchport trunk allowed vlan remove {vlan-id}

Change Native VLAN

This is to be preferably configured to an unused VLAN

configure terminal
interface f0/1
switchport trunk native vlan 1001 // switchport trunk native vlan {vlan-id}

ROAS (Router on a Stick)

It is used when only one interface is used to talk with a trunk port in a switch, discarding the use for a separate interface for each VLAN when inter-vlaning.

It uses subinterfaces, and treat them separately. Also each tagged frame, will be re-tagged to the configured vlan id when forwarded. While on the switch side, the port is configured as a regular trunk.

//adding VLANs 10, 20, 30
configure terminal
interface g0/0.10 // A . is added with the VLAN id (not necessary the same number, but is better to do so)
encapsulation dot1q 10 //encapsulation {trunk protocol} {vlan}
ip address 192.168.1.62 255.255.255.192
interface g0/0.20
encapsulation dot1q 20
ip address 192.168.1.126 255.255.255.192
interface g0/0.30
encapsulation dot1q 30
ip address 192.168.1.190 255.255.255.192

Native VLAN on ROAS

Option #1 - Subinterface

configure terminal // Global Configuration Mode
interface g0.10  //subinterface
encapsulation dot1q 10 native

Multilayer Switch

It is capable of both switching and routing

It is “Layer 3 aware”

You can assign ip addresses to its interfaces

You can virtual interfaces for VLANs, and assign IP addresses to those interfaces

You can configure routes

Capable of Inter-VLAN routing

SVI (Switch Virtual Interface)

These are interfaces virtually created in a switch in order for it to perform routing. Therefore, you can assign IP addresses to them. So instead of configuring the default gateway on a pc belonging to a VLAN as the router, you can assign it to the virtual interface created in the multilayer switch and it will perform the inter-VLAN routing.

Enable Routing Functions

configure terminal // Global Configuration Mode
ip routing

Turn a Port from Switch mode to Router mode

configure terminal // Global Configuration Mode
interface g0/1 // Interface mode
no switchport

💡

When you want the devices connected to the multilayer switch to reach Internet, configure its default route to a router connected to the Internet.

Create a SVI

configure terminal // Global Configuration Mode
interface vlan10 // interface vlan{vlan-id} // Create the SVI for that VLAN
ip address 192.168.0.62 255.255.255.192 // ip address {ip-address} {subnet mask}
no shutdown

Conditions to a SVI to be up

The VLAN must exist in a switch (It is not automatically created as enabling an access port)

The Switch must have a access port to that VLAN in up/up state, AND/OR one trunk link with that VLAN allowed

The VLAN must not be in shutdown

The SVI must not be in shutdown

💡

you can create and name a VLAN at the same time: vlan vlan-id name vlan-name