8 VLANs and Inter-VLAN Routing Flashcards
What is a VLAN?
A VLAN is a logical grouping of network users and resources connected to administratively defined ports on a switch. When you create VLANs, you’re given the ability to create smaller broadcast domains within a layer 2 switched inter-network by assigning different ports on the switch to service different subnetworks. A VLAN is treated like its own subnet or broadcast domain, meaning that frames broadcast onto the network are only switched between the ports logically grouped within the same VLAN.
Can hosts on one VLAN communicate with hosts on another VLAN without a router?
By default, hosts in a specific VLAN can’t communicate with hosts that are members of another VLAN, so if you want inter-VLAN communication you need a router or Inter-VLAN Routing (IVR).
Ways VLANs simplify network management:
■ Network adds, moves, and changes are achieved with ease by just configuring a port into the appropriate VLAN.
■ A group of users that need an unusually high level of security can be put into its own VLAN so that users outside of that VLAN can’t communicate with that group’s users.
■ As a logical grouping of users by function, VLANs can be considered independent from their physical or geographic locations.
■ VLANs greatly enhance network security if implemented correctly.
■ VLANs increase the number of broadcast domains while decreasing their size.
What are access ports?
An access port belongs to and carries the traffic of only one VLAN. Traffic is both received and sent in native format with no VLAN information (tagging) at all. Anything arriving on an access port is simply assumed to belong to the VLAN assigned to the port. Because an access port doesn’t look at the source address, tagged traffic—a frame with added VLAN information—can be correctly forwarded and received only on trunk ports. With an access link, the VLAN assigned to the port is referred to as the configured VLAN of the port. Any device attached to an access link is unaware of its VLAN membership—the device just assumes it’s part of some broadcast domain. It doesn’t have the big picture, so it doesn’t understand the physical network topology at all. A switch port can be configured as either an access port or a trunk port, not both.
What are voice access ports?
Nowadays, most switches will allow you to add a second VLAN to an access port for your voice traffic, called the voice VLAN. The voice VLAN used to be called the auxiliary VLAN, which allowed it to be overlaid on top of the data VLAN, enabling both types of traffic to travel through the same port. Even though this is technically considered to be a different type of link, it’s still just an access port that can be configured for both data and voice VLANs. This allows you to connect both a phone and a PC to one switch port while still keeping each device in a separate VLAN.
What are trunk ports?
Trunk ports can carry multiple VLANs at a time. A trunk link is a 100, 1,000, 10,000 Mbps, or faster, point-to-point link between two switches, between a switch and a router, or even between a switch and a server, and it carries the traffic of multiple VLANs—from 1 to 4,094 VLANs at a time. In practice, that number is limited to 1,001 unless you use extended VLANs.
What is frame tagging?
A frame identification method that uniquely assigns a user-defined VLAN ID to each frame. Each switch that a frame reaches must first identify the VLAN ID from the frame tag. It then finds out what to do with the frame by looking at the information in the filter table. If the frame reaches a switch that has another trunked link, the frame will be forwarded out of the trunk-link port. Once the frame reaches an exit that’s determined by the forward/filter table to be an access link matching the frame’s VLAN ID, the switch will remove the VLAN identifier. This is so the destination device can receive the frames without being required to understand their VLAN identification information.
Inter-Switch Link (ISL)
Inter-Switch Link (ISL) is a way of explicitly tagging VLAN information onto an Ethernet frame. This tagging information allows VLANs to be multiplexed over a trunk link through an external encapsulation method. This allows the switch to identify the VLAN membership of a frame received over the trunked link. By running ISL, you can interconnect multiple switches and still maintain VLAN information as traffic travels between switches on trunk links. ISL functions at layer 2 by encapsulating a data frame with a new header and by performing a new cyclic redundancy check (CRC). ISL is proprietary to Cisco switches. ISL can be used on a switch port, router interfaces, and server interface cards to trunk a server. Although some Cisco switches still support ISL frame tagging, Cisco has moved toward using only 802.1q.
IEEE 802.1q
Created by the IEEE as a standard method of frame tagging, IEEE 802.1q actually inserts a field into the frame to identify the VLAN. If you’re trunking between a Cisco switched link and a different brand of switch, you’ve got to use 802.1q for the trunk to work. An 802.1q tagged frame can carry information for 4,094 VLANs.
Routing Between VLANs
Hosts in a VLAN live in their own broadcast domain and can communicate freely. VLANs create network partitioning and traffic separation at layer 2 of the OSI model. If you want hosts or any other IP-addressable device to communicate between VLANs, you must have a layer 3 device to provide routing. For this, you can use a router that has an interface for each VLAN or a router that supports ISL or 802.1q routing. Each of the router’s interface IP addresses would then become the default gateway address for each host in the respective VLAN. Cisco is really moving away from ISL, so you should only be using 802.1q. Instead of using a router interface for each VLAN, you can use one FastEthernet interface and run ISL or 802.1q trunking.
What is a router on a stick (ROAS)?
An interface on a router configured with ISL or 802.1q trunking. This allows all VLANs to communicate through one interface.
What are the reserved VLANs?
VLANs 1 (default VLAN) and 1002 - 1005
VLAN numbers above 1005 are called extended VLANs and won’t be saved in the database unless your switch is set to what is called VLAN Trunking Protocol (VTP) transparent mode.
How do you configure a VLAN?
S1(config)#vlan ?
WORD ISL VLAN IDs 1-4094
access-map Create vlan access-map or enter vlan access-map command mode
dot1q dot1q parameters
filter Apply a VLAN Map
group Create a vlan group
internal internal VLAN
S1(config)#vlan 2
S1(config-vlan)#name Sales
“show vlan” command
Displays the configured VLANs and their access ports.
“show interfaces trunk” command
Cisco switches run a proprietary protocol called Dynamic Trunking Protocol (DTP), and if a compatible switch is connected, they will start trunking automatically. You have to use the show interfaces trunk command to see your trunked ports.