VLANS Flashcards
LAN Designs
• The campus LAN should be designed for scalability, performance and security
• To aid in a best practice design process, the network topology is split into access, distribution and core layers
• The layers have their own design principles and characteristics
The Access Layer
• End hosts such as desktop computers, servers and IP phones connect into the network at the access layer
• It is designed to have a high port count at an affordable cost
• Desktops typically have only one Network Interface Card (NIC) so they connect into one switch or Wireless Access Point
• Servers will often have dual NICs and connect to a pair of redundant switches
• Client access security measures are enabled at the Access Layer
The Distribution Layer
• Access Layer switches uplink to Distribution Layer switches
• The Distribution Layer switches serve as an aggregation point for the Access Layer and provide scalability
• Distribution Layer switches are typically deployed in redundant pairs, with downstream Access Layer switches connected to both
• End hosts are not typically connected here
• Most software policy such as QoS is enabled at this layer
The Core Layer
• Distribution Layer switches uplink to Core Layer switches
• Core Layer switches are typically deployed in redundant pairs, with downstream Distribution Layer switches connected to both
• Traffic between different parts of the campus travels through the core so it is designed for speed and resiliency
• Software policy slows the switch down so should be avoided in the Core Layer
Collapsed Distribution and Core
• Smaller campuses do not need the scalability of three separate layers
• In these cases a Collapsed Distribution and Core layer is used, where the Distribution and Core layer functions are performed on the same hardware device
Spine-Leaf Data Center Design
Tier 1 - Leaf
Tier 2 - Spine
Router Operations
• Routers operate at Layer 3 of the OSI stack
• Hosts in separate IP subnets must send traffic via a router to communicate
• Security rules on routers or firewalls can be used to easily control what traffic is allowed between different IP subnets at Layer 3
• Routers do not forward broadcast traffic by default
• They provide performance and security by splitting networks into smaller domains at Layer 3
Switch Operations
• Switches operate at Layer 2 of the OSI stack
• They do forward broadcast traffic by default
• By default a campus switched network is one large broadcast domain
• Switches flood broadcast traffic everywhere, including between different IP subnets
• This raises performance and security concerns
Broadcast traffic problem in switches
• Switches flood broadcast traffic everywhere, including between different IP subnets
• This affects security because the traffic bypasses router or firewall Layer 3 security policies
• It affects performance because every end host has to process the traffic
• It also affects performance by using bandwidth on links where the traffic is not required
VLAN Virtual Local Area Networks solve the switch problems
• We can increase performance and security in the LAN by implementing VLANs on our switches
• VLANs segment the LAN into separate broadcast domains at Layer 2
• There is typically a one-to-one relationship between an IP subnet and a VLAN
• Switches only allow traffic within the same VLAN
VLAN Access Ports
• VLAN access ports are configured on switch interfaces where end hosts are plugged in
• Access ports are configured with one specific VLAN
• The configuration is all on the switch, the end host is not VLAN aware
• Switches only allow traffic within the same VLAN
Dot1Q Trunks
• An access port carries traffic for one specific VLAN
• Dot1Q trunks are configured on the links between switches where we need to carry traffic for multiple VLANs
• ISL (Inter-Switch Link) was a Cisco proprietary trunking protocol which is now obsolete
• When the switch forwards traffic to another switch, it tags the Layer 2 Dot1Q header with the correct VLAN
• The receiving switch will only forward the traffic out ports that are in that VLAN
• The switch removes the Dot1Q tag from the Ethernet frame when it sends it to the end host
Hypervisors - VLAN Aware Hosts
• End hosts are typically members of only one VLAN and are not VLAN aware
• A special case is virtualized hosts, where there are virtual machines in different IP subnets on the host
• In this case we need to trunk the VLANs down to the host
Trunk Port Configuration
SW1(config)#interface FastEthernet 0/24
SW1(config-if)#description Trunk to SW2
SW1(config-if)#switchport trunk encapsulation dot1q
SW1(config-if)#switchport mode trunk
Voice VLAN Configuration
SW1(config)#interface FastEthernet 0/10
SW1(config-if)#description IP Phone
SW1(config-if)#switchport mode access
SW1(config-if)#switchport access vlan 10
SW1(config-if)#switchport voice vlan 20
The Native VLAN
• The switch needs to know which VLAN to assign to any traffic which comes in untagged on a trunk port
• This used to be required for when a switch was connected to a hub. Hubs are Layer 1 devices so are not VLAN aware
• The Native VLAN is used for this
• The default Native VLAN is VLAN 1
• There are some security issues with using VLAN 1 as the Native VLAN so best practice is to change it to an unused VLAN
• The Native VLAN must match on both sides of a trunk for it to come up
Native VLAN Configuration
SW1(config)#vlan 199
SW1(config-vlan)#name Native
SW1(config)#interface GigabitEthernet 0/1
SW1(config-if)#description Trunk to SW2
SW1(config-if)#switchport trunk encapsulation dot1q
SW1(config-if)#switchport mode trunk
SW1(config-if)#switchport trunk native vlan 199
Allowed VLAN Configuration
SW1(config)#interface GigabitEthernet 0/1
SW1(config-if)#switchport trunk allowed vlan 10,30
Dynamic Trunking Protocol DTP
• If two Cisco switches are cabled together they can negotiate a trunk connection using Cisco’s Dynamic Trunking Protocol DTP
• It is however recommended to manually configure switch ports
• Manual configuration:
    • switchport mode access
    • switchport mode trunk
Dynamic Trunking Protocol DTP
• DTP configuration:
    • switchport mode dynamic auto: will form a trunk if the neighbour switch port is set to trunk or desirable. A trunk will not be formed if both sides are set to auto. Default on newer switches.
    • switchport mode dynamic desirable: will form a trunk if the neighbour switch port is set to trunk, desirable or auto. Default on older switches.
    • switchport nonegotiate: disables DTP.
VLAN Trunking Protocol VTP
• The VLAN Trunking Protocol (VTP) allows you to add, edit or delete VLANs on switches configured as VTP Servers, and have other switches configured as VTP Clients synchronise their VLAN database with them
• This can be convenient if you manage a large campus
• You will still need to perform port level VLAN configuration on the switches
• Be careful if using VTP - if you accidentally introduce a switch with a higher VLAN database revision number into the domain it can wipe out all your production VLANs
• If using both DTP and VTP, the VTP domain name has to match on neighbour switches for trunks to be formed by DTP
VTP Modes
• VTP Server: Can add, edit or delete VLANs. A VTP Server will synchronise its VLAN database from another Server with a higher revision number.
• VTP Client: Cannot add, edit or delete VLANs. A VTP Client will synchronise its VLAN database from the Server with the highest revision number.
• VTP Transparent: Does not participate in the VTP domain. Does not advertise or learn VLAN information but will pass it on. Can add, edit or delete VLANs in its own local VLAN database.
VTP Configuration
SW1(config)#vtp domain Flackbox
SW1(config)#vtp mode server
   or SW1(config)#vtp mode client
   or SW1(config)#vtp mode transparent
SW1(config)#vlan 20
SW1(config-vlan)#name sales
(Cannot add a VLAN if the switch is a VTP Client)
Verification - show vtp status
SW1#show vtp status
VTP Version : 2
Configuration Revision : 6
Maximum VLANs supported locally : 255
Number of existing VLANs : 8
VTP Operating Mode : Server
VTP Domain Name : Flackbox
VTP Pruning Mode : Disabled
VTP V2 Mode : Disabled
VTP Traps Generation: Disabled
MD5 digest: 0x82 0xED 0x2C 0x99 0xBE 0x8 0xEE 0x1
Configuration last modified by 0.0.0.0 at 3-1-93 00:07:47
Local updater ID is 0.0.0.0 (no valid interface found)