Virtual Local Area Networks (VLANs) (slide 1/10)
This work is licensed under a Creative Commons Attribution 4.0 International License.

Static VLAN (slide 5/10)
A static VLAN is a "port-based" VLAN and requires manual assignment of individual ports on a switch to a virtual network. Once a port is assigned, it will always be part of that particular VLAN. Static VLANs have nothing to do with devices: any device plugged into port 2 will be on the Sales VLAN.
Port assignments made in the exercise:
Assign ports 1 and 2 to Sales
Assign ports 3, 4, and 5 to Marketing
Assign ports 6 and 7 to Admin
Port 8: unassigned

Dynamic VLAN (slide 6/10)
A dynamic VLAN is based on the device instead of port location. It is MAC-based, which means VLAN membership is determined by a device's MAC address (or IP address). A dynamic VLAN requires a central server called the VLAN Member Policy Server, which contains the database of MAC addresses along with their associated VLANs. Changing port location does not change the device's VLAN membership.
The slide's example database (MAC Address -> VLAN) lists BB:CC:00:13:E1:1F, BB:CC:00:21:71:F1, BB:CC:00:49:58:60, BB:CC:00:26:E4:18, BB:CC:00:77:28:15, BB:CC:00:51:E5:79 and BB:CC:00:24:68:39, each mapped to VLAN 10, VLAN 20 or VLAN 30.

Benefits of VLANs (slide 3/10)
The primary reason to build a VLAN is to isolate and contain broadcast traffic by grouping segments to form logical traffic patterns. VLANs are created to reduce broadcast traffic in a LAN and to allow for configuration flexibility. Switches are used to implement VLANs. Individual VLANs do not connect to other VLANs; a router is necessary to provide VLAN-to-VLAN communication.
Performance: VLANs free up bandwidth by limiting node-to-node and broadcast traffic. Each group's traffic is largely contained within a VLAN, which also reduces extraneous traffic.
Access to Resources: Network resources like printers and servers can be assigned to multiple VLANs. This reduces the need for additional physical routes.
Simple Management: Moving and/or adding new devices can be handled by VLAN assignments rather than having to do additional wiring.
Security: VLANs create virtual boundaries, so VLANs can restrict access to other VLANs as required.
Flexibility: Users and resources that communicate most frequently with each other can be grouped into common VLANs regardless of physical location.

How VLANs Work (slide 4/10)
To create a VLAN, create a VLAN database which consists of VLAN numbers and names (remember, ports not assigned belong to VLAN 1). Each VLAN uses a different IP network address. Ports not assigned belong to VLAN 1 (the default VLAN), also called the native VLAN.
VLAN database built in the exercise:

VLAN #  VLAN Name  Port #   IP Network Address
1       Native     8        192.168.1.1 - 192.168.1.254
10      Sales      1, 2     192.168.10.1 - 192.168.10.254
20      Marketing  3, 4, 5  192.168.20.1 - 192.168.20.254
30      Admin      6, 7     192.168.30.1 - 192.168.30.254

Option 1: you manually assign a port on the switch to a VLAN.
Option 2: port assignments are automatic, based on the device's MAC address.

Broadcast Domains (slide 2/10)
When devices connect to a switch, hub or wireless access point, they all share the same network. Each device can directly communicate with all the other devices on that network. When one device sends a broadcast, all devices receive it. As an organization's network grows, performance and security issues can result. A Virtual LAN (VLAN) is a way of logically separating a group of devices connected to the switching infrastructure into a separate network or broadcast domain. Devices then only communicate with those in the group and not with other devices connected to the same physical switched network. Switch ports get assigned to a specific VLAN.
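The following is an added example, not code from the original slides: a small model of the slide's 8-port switch with its VLAN database, showing static (port-based) and dynamic (MAC-based) membership, the VLAN 1 default for unassigned ports, and why a broadcast or unknown unicast never leaves its VLAN. The policy-server MAC entries are constructed for the example; ports and VLAN numbers are the slide's.

```python
"""Added example, not from the original slides: a small model of the slide's 8-port
switch showing static (port-based) and dynamic (MAC-based) VLAN membership, the
VLAN 1 default for unassigned ports, and why a frame never leaves its VLAN: the
MAC table is learned per VLAN and flooding is scoped to the ingress VLAN."""
from typing import Dict, List, Tuple

BROADCAST = "FF:FF:FF:FF:FF:FF"
DEFAULT_VLAN = 1   # ports nobody assigned belong to VLAN 1 (default/native VLAN)
NUM_PORTS = 8

# VLAN database from the "How VLANs Work" slide: VLAN number -> name
VLAN_DB = {1: "Native", 10: "Sales", 20: "Marketing", 30: "Admin"}

# Static assignment from the Static VLAN slide: port -> VLAN. Port 8 is left out on purpose.
STATIC_PORTS = {1: 10, 2: 10, 3: 20, 4: 20, 5: 20, 6: 30, 7: 30}

# Constructed VLAN Member Policy Server table for the dynamic case (MAC -> VLAN);
# these MAC values are made up for the example, not copied from the slide.
POLICY_SERVER = {"BB:CC:00:00:00:0A": 10, "BB:CC:00:00:00:0B": 20}

def static_vlan(port: int) -> int:
    """Static VLAN: membership follows the port, whatever device is plugged in."""
    return STATIC_PORTS.get(port, DEFAULT_VLAN)

def vlan_name(port: int) -> str:
    """Name of the VLAN a port belongs to, from the VLAN database."""
    return VLAN_DB[static_vlan(port)]

def dynamic_vlan(mac: str, port: int) -> int:
    """Dynamic VLAN: membership follows the device's MAC, so moving it to another
    port changes nothing. A device the policy server does not know gets the port's VLAN."""
    return POLICY_SERVER.get(mac.upper(), static_vlan(port))

def ports_in_default_vlan() -> List[int]:
    """Audit helper: ports that silently ended up in VLAN 1 because they were never assigned."""
    return [p for p in range(1, NUM_PORTS + 1) if p not in STATIC_PORTS]

def forward(ingress_port: int, dst_mac: str, mac_table: Dict[Tuple[int, str], int]) -> List[int]:
    """Egress ports for a frame arriving on ingress_port. mac_table maps
    (vlan, mac) -> port: addresses are learned per VLAN, so a host in another VLAN
    is never a hit. Broadcasts and unknown unicasts flood only the ingress VLAN."""
    vlan = static_vlan(ingress_port)
    if dst_mac != BROADCAST:
        learned = mac_table.get((vlan, dst_mac.upper()))
        if learned is not None and learned != ingress_port:
            return [learned]
    return [p for p in range(1, NUM_PORTS + 1)
            if p != ingress_port and static_vlan(p) == vlan]
```

A Sales host on port 1 addressing a Marketing host's MAC gets flooded only to port 2, because the Marketing entry lives under VLAN 20 in the table; that is the per-VLAN isolation the slides describe.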

VLAN Trunks (slide 7/10)
For VLANs on one switch to communicate with VLANs on a different switch, the switches must be configured with trunk ports. A trunk port is a port that allows all VLAN traffic all the time. It uses a VLAN identification process called tagging to direct the traffic to the correct VLAN ports on each switch.

VLAN Tagging (slide 8/10)
VLAN tagging, or frame tagging, identifies frames travelling through trunk links. The IEEE 802.1Q frame tagging standard was created to identify the VLAN destination of frames crossing a trunk line; the 802.1Q standard supports up to 4096 VLANs. When an Ethernet frame traverses a trunk link, the frame carries a special VLAN tag. When the frame arrives at the other end of the trunk link, the VLAN tag is removed and the frame proceeds to the correct access link port according to the switch's table; the receiving end is unaware of any VLAN information.
Frame layouts from the slide (field sizes as shown):
Traditional Ethernet data frame: Destination Address (6 bytes) | Source Address (6 bytes) | Length/Type (2 bytes) | Data (46-1500 bytes) | FCS (4 bytes)
VLAN data frame: Destination Address (6 bytes) | Source Address (6 bytes) | VLAN Tag (4 bytes) | Length/Type (2 bytes) | Data (46-1500 bytes) | FCS (4 bytes)
In the slide's example the tag carries VLAN 30.

InterVLAN Routing (slide 9/10)
Hosts on separate VLANs are not able to communicate even if they are connected to the same switch. What if a device on one VLAN needs to communicate with a device on a different VLAN? InterVLAN routing routes traffic between different VLANs. (Figure: the router checks its routing table to forward traffic between VLANs; VLAN 1 is among the networks shown.)
Option 1: With InterVLAN routing using physical connections, each VLAN on the switch needs a cable connected to the router. This means that if you want to route between all four VLANs, you need four cables connecting the router to the switch. A subinterface must also be created on each router interface. This becomes a challenge with many VLANs on a big network (this option is not very common).
Option 2: Option 2 is a trunk (or "router on a stick"), which requires that you enable 802.1Q tagging and configure a subinterface for each VLAN. Each VLAN will be on a different IP network. The advantage of this option is that the configuration uses only one physical port on the switch and one on the router. Physically there is only one link, but logically there are four separate links.
Option 3: The widespread adoption of VLANs resulted in switches that can perform VLAN routing themselves. These switches are called multilayer switches or layer three switches because they can perform layer three functions such as routing. Multilayer switches support Switch Virtual Interfaces (SVIs). SVIs are logical gateways that perform routing. Each SVI has an IP address associated with its VLAN, yet SVIs are completely virtual. One SVI can be created for each VLAN. Multilayer switches build a routing table.
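The following is an added example, not code from the original slides, covering the VLAN Tagging slide and option 2 of InterVLAN Routing together: it builds and parses the 4-byte 802.1Q tag, strips it the way a switch does before an access port, and forwards between VLANs over a single trunk the "router on a stick" way. The per-VLAN networks are the slide's; the sample frame bytes and the /24 masks are assumptions.

```python
"""Added example, not from the original slides: build and parse the 4-byte 802.1Q
tag from the VLAN Tagging slide, strip it as a switch does for an access port, and
forward between VLANs the "router on a stick" way (option 2 of InterVLAN Routing).
The per-VLAN networks come from the slide; everything else is constructed."""
import struct
import ipaddress
from typing import Optional, Tuple

TPID = 0x8100   # EtherType value that announces "an 802.1Q tag follows"
MAX_VID = 4095  # VID is 12 bits: 4096 values, with 0 and 4095 reserved

def tag_frame(frame: bytes, vid: int, pcp: int = 0) -> bytes:
    """Insert the 4-byte tag (TPID + TCI) after the 12-byte destination/source MACs."""
    if not 0 < vid < MAX_VID:
        raise ValueError("VID must be 1..4094")
    tci = (pcp << 13) | vid  # TCI = 3-bit priority (PCP), 1-bit DEI (0), 12-bit VID
    return frame[:12] + struct.pack("!HH", TPID, tci) + frame[12:]

def untag_frame(frame: bytes) -> Tuple[Optional[int], bytes]:
    """Return (vid, frame without tag); an untagged frame comes back as (None, frame).
    A switch does this before sending a frame out an access port, which is why the
    host on the access link never sees any VLAN information."""
    if len(frame) < 16 or struct.unpack("!H", frame[12:14])[0] != TPID:
        return None, frame
    tci = struct.unpack("!H", frame[14:16])[0]
    return tci & 0x0FFF, frame[:12] + frame[16:]

# Router on a stick: one trunk link, one logical subinterface per VLAN, each on
# its own IP network (the networks from the "How VLANs Work" slide, /24 assumed).
SUBINTERFACES = {
    10: ipaddress.ip_network("192.168.10.0/24"),  # Sales
    20: ipaddress.ip_network("192.168.20.0/24"),  # Marketing
    30: ipaddress.ip_network("192.168.30.0/24"),  # Admin
}

def route_on_a_stick(tagged_frame: bytes, dst_ip: str) -> Optional[bytes]:
    """Receive a tagged frame on the trunk, pick the subinterface whose network
    contains dst_ip, and send the frame back down the same trunk with that VLAN's
    tag. dst_ip is passed separately to keep the IP header out of the example.
    Returns None for untagged frames, unserved VLANs, or unknown destination networks."""
    vid, frame = untag_frame(tagged_frame)
    if vid not in SUBINTERFACES:   # untagged (None) or a VLAN with no subinterface
        return None
    ip = ipaddress.ip_address(dst_ip)
    for out_vid, net in SUBINTERFACES.items():
        if ip in net:
            return tag_frame(frame, out_vid)
    return None
```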

Activities (slide 10/10)
The activities simulate the steps to create a VLAN. The first step is to build the VLAN database. Then you will go on to manually configure the VLAN ports.
Figure: the switch to be configured, with ports labelled VLAN10, VLAN20, VLAN30 and TRUNK.