Virtual Local Area Networks (VLANs)
In this Study Guide we'll take a look at yet
another topic that you'll need to be familiar with for the CCNA exam,
Virtual Local Area Networks (VLANs). This includes a look at not only what
VLANs are and their purpose/function, but also inter-VLAN communications,
extending VLANs, and trunking techniques.
The material covered in this article includes:
Introduction to VLANs
Inter-VLAN Communication
Extending VLANs Between Switches
VLAN Tagging
Introduction to VLANs
I'm always amazed at how people tie themselves in knots when the
topic of VLANs comes up. At the most basic level, a VLAN is nothing
more than a broadcast domain. The only difference between a
traditional broadcast domain and one defined by a VLAN is that a
traditional broadcast domain has been seen as a distinct physical
entity whose boundary is a router. VLANs are very similar: their
boundaries are also defined by a routing device, just like any
broadcast domain. However, a VLAN is a logical construct, meaning
that hosts need not be grouped within the physical confines of a
traditional broadcast domain.
In order to implement VLANs in a network environment, you'll need a
Layer 2 switch that supports them. Almost all switches sold today that
are described as "managed" switches provide the ability to make ports
members of different VLANs. However, switches that don't provide any
configuration function (such as many basic, lower-end switches) don't
provide the ability to configure VLANs. Almost any Cisco Catalyst
switch that you'll come across today provides the ability to make
ports part of different VLANs.
Before getting into the details of how a VLAN functions, it's worth
exploring some of the advantages that a VLAN provides. First and
foremost, VLANs provide the ability to define broadcast domains
without the constraint of physical location. For example, instead of
making all of the users on the third floor part of the same broadcast
domain, you might use VLANs to make all of the users in the HR
department part of the same broadcast domain. The benefits of doing
this are many. Firstly, these users might be spread throughout
different floors on a building, so a VLAN would allow you to make all
of these users part of the same broadcast domain. To that end, this
can also be viewed as a security feature. Because traffic between
VLANs must pass through a router, the router (or Layer 3 switch)
becomes a single enforcement point where policies such as access
lists can control which areas of the network HR users have access
to, and which users have access to the HR broadcast domain. Keep in
mind that VLAN membership is decided by the switch port, not by the
host: whoever plugs into a port assigned to the HR VLAN is in the HR
VLAN, so the physical security and configuration of those ports
matter as much as the access lists. Furthermore, if the HR
department's server were placed on the same VLAN, HR users would be
able to access their server without the need for traffic to cross
routers and potentially impact other parts of the network.
VLANs are defined on a switch on a port-by-port basis. That is, you
might choose to make ports 1-6 part of VLAN 1, and ports 7-12 part of
VLAN 2. There's no need for ports in the same VLAN to be contiguous at
all - you could make ports 1, 3 and 5 on a switch part of VLAN 1, for
example. On almost all switches today, all ports are part of VLAN 1 by
default. If you want to implement additional VLANs, these must first
be defined in the switch's software (such as the IOS on a Cisco
switch), and then ports must be made members of that VLAN. A VLAN
isn't limited to a single switch, either. If trunk links are used to
interconnect switches, a VLAN might have 3 ports on one switch, and 7
ports on another, as shown below. The logical nature of a VLAN makes
it a very effective tool, especially in larger networking environments.
Inter-VLAN Communication
I mentioned a few times already that a VLAN is simply a special type of
broadcast domain, in that it is defined on a switch port basis rather
than on traditional physical boundaries. Recall from the earlier
articles in this series that when a host in one broadcast domain
wishes to communicate with another, a router must be involved. The
same holds true for VLANs. For example, imagine that port 1 on a
switch is part of VLAN 1, and port 2 part of VLAN 99. If all of the
switch's ports were part of VLAN 1, the hosts connected to these ports
could communicate without issue. However, once the ports are made part
of different VLANs, this is no longer true. In order for a host
connected to port 1 to communicate with another connected to port 2, a
router must be involved.
You may already be familiar with the concept of a Layer 3 switch. A
Layer 3 switch is generally a Layer 2 switching device that also
includes the ability to act as a router, usually through the use of
additional hardware and software features. If a switch includes Layer
3 capabilities, it can be configured to route traffic between VLANs
defined in the switch, without the need for packets to ever leave the
switch. However, if a switch only includes Layer 2 functionality, an
external router must be configured to route traffic between the VLANs.
In some cases, it's entirely possible that a packet will leave switch
port 1, be forwarded to an external router, and then be routed right
back to port 2 on the originating switch. For this reason, many
companies have decided to implement Layer 3 switches strategically
throughout their network. Regardless of the method chosen, it's most
important for you to recognize that when a host on one VLAN wants to
communicate with a host on another, a router must somehow be involved.
Extending VLANs Between Switches
In order to extend VLANs across different switches, a trunk link must
interconnect the switches. Think of a trunk link as being similar to
an uplink between hubs - usually a trunk link is implemented between
fast switch ports on two different switches using a crossover cable.
For example, you might interconnect two Gigabit Ethernet ports on
different switches using fiber optics, or two 100 Mbps switch ports
using a traditional Cat5 crossover cable. In most cases it is
generally recommended that you use the fastest port available for
trunk connections, since this link will often carry a great deal of
traffic, possibly for multiple VLANs.
To begin, let's assume that you have connected a link between the 100
Mbps ports of two switches, as shown below. Notice that each of these
ports is a member of VLAN 1 on its switch. Without any additional
configuration, the ports behave as ordinary access ports, so the
link will only pass traffic for the VLAN they belong to, VLAN 1, and
the frames crossing it carry no VLAN information at all. A link that
carries traffic for a single VLAN in this way is referred to as an
"Access Link." (On Cisco switches the exact default depends on the
Dynamic Trunking Protocol: some models will negotiate a trunk
automatically between two directly connected Catalyst ports, which
is one reason to set the port mode explicitly rather than leave it to
negotiation.) While an access link does the job for a single VLAN
environment, multiple access links would be required if you wanted
traffic from multiple VLANs to be passed between switches. Having
multiple access links between the same pair of switches would be a
big waste of switch ports. Obviously another solution is required
when traffic for multiple VLANs needs to be transferred across a
single link. The solution for this comes through the use of VLAN
tagging.
VLAN Tagging
When you want traffic from multiple VLANs to be able to traverse a link
that interconnects two switches, you need to configure a VLAN tagging
method on the ports at each end of the link. Although there are a
number of tagging methods in use for different technologies, the two
that you need to be aware of for the purpose of the CCNA exam are
known as Inter-Switch Link (ISL) and 802.1Q. ISL is a Cisco
proprietary VLAN tagging method, while 802.1Q is the open IEEE
standard. When interconnecting two Cisco switches that both support
it, ISL was traditionally the usual choice, but if you need to
interconnect switches of different types (a Cisco switch and a 3Com
switch, for example), then you'll need to use 802.1Q. Note that newer
Catalyst models support only 802.1Q, so in practice 802.1Q is the
encapsulation you will configure most often.
For the CCNA exam, the only thing that you really need to know about
802.1Q is that it is the open standard for VLAN tagging, and should be
used in mixed environments. The exam expects you to have a somewhat
deeper understanding of ISL, including how it works, when it can be
used, and ultimately, its purpose.
First and foremost, you need to be aware that ISL will only function on
ports with a speed of 100 Mbps or greater. That is, you cannot use ISL
in conjunction with a 10 Mbps port. That shouldn't be an issue, since
most Cisco Catalyst switches provide at least one or two Fast Ethernet
ports, even on lower-end models like the 1912. Secondly, the ports on
either end of the link need to support and be configured for ISL.
ISL is referred to as a VLAN tagging method. Essentially, what ISL does
is tag a frame as it leaves a switch with information about the VLAN
that the frame belongs to. For example, if a frame from VLAN 99 is
leaving a switch, the ISL port will encapsulate the frame in an ISL
header that designates the frame as part of VLAN 99. When this ISL
frame reaches the port at the other end of the link, that port will
look at the ISL header, determine that the frame belongs to VLAN 99,
strip off the ISL encapsulation, and forward the original frame into
VLAN 99. One of the issues with VLAN tagging is that adding
information to an Ethernet frame pushes its size beyond the Ethernet
maximum of 1518 bytes. ISL wraps the whole original frame in a
26-byte header and a 4-byte trailing CRC, so an ISL frame can be up
to 1548 bytes; 802.1Q instead inserts a 4-byte tag after the source
MAC address, for a maximum of 1522 bytes. Because of this, a port
that is not configured for the tagging method in use will see these
frames as giants, and as such invalid, and will drop them. This is
the reason why a port needs to be configured for ISL (or 802.1Q) in
order for it to understand the different frame format. One difference
worth remembering: an 802.1Q trunk sends frames from its native VLAN
without any tag at all, so the native VLAN must match on both ends of
the trunk, and it should not be a VLAN that carries user hosts.
Once VLAN tagging is configured on the ports associated with the link
connecting switches, the link is known as a "Trunk Link". A trunk link
is capable of transferring frames from many different VLANs through
the use of technologies like ISL or 802.1q. A trunk link is
illustrated in the graphic below.
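The following Catalyst IOS configuration is an added example, not configuration from the original article; it puts the port-based VLAN assignment described earlier and the trunk link described in this section into practice on one switch. The switch name, port numbers, VLAN numbers (10 for HR, 20 for Finance, 999 as an unused native VLAN) and VLAN names are assumptions chosen for illustration, and the same VLAN definitions must also exist on the second switch.

```cisco
! Switch1 - added example, not the original article's configuration.
! Port numbers, VLAN numbers and names are assumptions for illustration.
!
! 1. Define the VLANs (repeat on Switch2; VLAN 1 already exists by default).
vlan 10
 name HR
vlan 20
 name FINANCE
vlan 999
 name UNUSED-NATIVE
!
! 2. Access ports: one VLAN each. Trunk negotiation (DTP) is switched off
!    so a host cannot talk its port into becoming a trunk.
interface range FastEthernet0/1 - 6
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
!
interface range FastEthernet0/7 - 12
 switchport mode access
 switchport access vlan 20
 switchport nonegotiate
!
! 3. Trunk to Switch2: explicit 802.1Q, no DTP, only the VLANs that must
!    cross, and a native VLAN with no hosts in it (802.1Q sends the native
!    VLAN untagged, so it is kept out of the allowed list as well).
!    The "encapsulation dot1q" line is required on models that also support
!    ISL (e.g. 3560) and is rejected on 802.1Q-only models (e.g. 2960).
interface GigabitEthernet0/1
 description Trunk to Switch2 Gi0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20
!
! 4. Unused ports: parked in the unused VLAN and shut down, so an idle
!    port is never a silent member of VLAN 1.
interface range FastEthernet0/13 - 24
 switchport mode access
 switchport access vlan 999
 shutdown
```

To check the result, "show vlan brief" lists which ports are members of VLANs 10, 20 and 999, and "show interfaces trunk" should show Gi0/1 with encapsulation 802.1q, native VLAN 999 and allowed VLANs 10,20. If Gi0/1 does not appear there, the far end has not been configured as a trunk, and with negotiation disabled on this side the link will behave as an access link in VLAN 999, passing no user traffic at all.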
Beyond its intended purpose of configuring trunk links between switches,
ISL is often used in other ways. For example, it is possible to
purchase network interface cards that support ISL. If a server were
configured with an ISL-capable network card, it could be connected to
an ISL port on a switch. This would allow a server to be made part of
multiple VLANs simultaneously, the benefit being that hosts from
different broadcast domains could then access the server without the
need for their packets to be routed. While this may seem like a
perfect solution, you need to remember that the server would now see
all traffic from these VLANs, which could negatively impact
performance. It also means the server sits in every one of those
broadcast domains at once: if it is compromised, the attacker has a
foothold on each of those VLANs without passing through a router or
any access list.
A more common alternative use for ISL is to connect a Cisco router to a
switch in order to facilitate the routing of traffic between VLANs.
For example, if you wanted to route traffic between VLANs 1 and 99 in
a non-ISL environment with one switch, you would need to connect the
router to both a port on VLAN 1 and a port on VLAN 99, as shown below.
A better strategy here would be to configure ISL (or 802.1Q) tagging
on one of the router's Fast Ethernet interfaces, and then configure
the same tagging on the connected switch port. This configuration,
also known as a "router on
a stick," would allow the router to process the traffic of multiple
VLANs, and route traffic between them. We'll get into the details of
routing within the next few articles.
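As an added example, not configuration from the original article, here is what the "router on a stick" described above looks like on a Cisco IOS router with 802.1Q, together with the access list that the earlier section said could protect the HR VLAN. The article's example uses VLANs 1 and 99; this example instead assumes VLAN 10 for HR and VLAN 20 for Finance, the addresses 10.0.10.0/24 and 10.0.20.0/24, an HR server at 10.0.10.50, and the interface names shown, all of which are assumptions chosen for illustration.

```cisco
! Router - added example, not the original article's configuration.
! VLAN numbers, addresses and interface names are assumptions for illustration.
!
! One physical interface carries the trunk. It gets no address of its own;
! each VLAN gets a subinterface whose "encapsulation dot1Q" value is the
! 802.1Q tag the router expects on incoming frames and writes on outgoing ones.
interface FastEthernet0/0
 no ip address
 no shutdown
!
interface FastEthernet0/0.10
 description VLAN 10 - HR (default gateway for 10.0.10.0/24)
 encapsulation dot1Q 10
 ip address 10.0.10.1 255.255.255.0
!
interface FastEthernet0/0.20
 description VLAN 20 - Finance (default gateway for 10.0.20.0/24)
 encapsulation dot1Q 20
 ip address 10.0.20.1 255.255.255.0
 ip access-group FROM-FINANCE in
!
! Every packet that crosses from one VLAN to another passes through this
! router, so this is the enforcement point. Finance hosts may reach the HR
! server on TCP 443 only; anything else aimed at the HR subnet is dropped;
! the rest of their traffic is left alone. A named extended ACL ends with
! an implicit deny, which is why the final permit is required.
ip access-list extended FROM-FINANCE
 permit tcp 10.0.20.0 0.0.0.255 host 10.0.10.50 eq 443
 deny   ip  10.0.20.0 0.0.0.255 10.0.10.0 0.0.0.255
 permit ip  10.0.20.0 0.0.0.255 any
!
! Switch port facing the router (Catalyst IOS): an explicit 802.1Q trunk
! with DTP off and an unused native VLAN (999), so no user VLAN is carried
! untagged. The "encapsulation dot1q" line is required on models that
! also support ISL and is rejected on 802.1Q-only models.
interface FastEthernet0/24
 description Trunk to Router Fa0/0
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20
```

On the router, "show vlans" lists each subinterface with its 802.1Q VLAN ID, and "show ip access-lists FROM-FINANCE" shows per-line match counters, which is the quickest way to confirm that Finance traffic is actually hitting the deny line rather than the final permit. Note that traffic between two HR hosts never reaches the router at all, so the ACL cannot see it; only inter-VLAN traffic is subject to this control.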
In the next Study Guide we'll look at the VLAN Trunking Protocol (VTP).