After completing this chapter, you will be able to perform the following tasks:
Identify what a VLAN is and how it operates.
Configure a VLAN to improve network performance.
Identify what role the switch plays in the creation of VLANs.
Identify how network devices communicate about VLANs.
Describe the need and operation of the VLAN Trunking Protocol.
Configure the Catalyst Switch for VLAN operation.
The design and function of a bridged/switched network is to provide enhanced network services by segmenting the network into multiple collision domains. The fact remains, however, that without any other mechanism, the bridged/switched network is still a single broadcast domain. A broadcast domain is a group of devices that can receive one another's broadcast frames. For example, if device A sends a broadcast frame and that frame is received by devices B and C, all three devices are said to be in a common broadcast domain. Because broadcast frames are flooded out all ports on a bridge/switch (by default), the devices connected to the bridge/switch are in a common broadcast domain.
Controlling broadcast propagation throughout the network is important to reduce the amount of overhead associated with these frames. Routers, which operate at Layer 3 of the OSI model, provide broadcast domain segmentation for each interface. Switches can also provide broadcast domain segmentation using virtual LANs (VLANs). A VLAN is a group of switch ports, within a single or multiple switches, that is defined by the switch hardware and/or software as a single broadcast domain. A VLAN's goal is to group devices connected to a switch into logical broadcast domains to control the effect that broadcasts have on other connected devices. A VLAN can be characterized as a logical network.
The benefits of VLANs include the following:
Security
Segmentation
Flexibility
VLANs enable you to group users into a common broadcast domain regardless of their physical location in the internetwork. Creating VLANs improves performance and security in the switched network by controlling broadcast propagation and by requiring that communication between these broadcast domains be carried out by a Layer 3 device, which can implement security features such as access control lists (ACLs).
In a broadcast environment, a broadcast sent out by a host on a single segment would propagate to all segments. In normal network operation, hosts frequently generate broadcast/multicast traffic. If hundreds or thousands of hosts each sent this type of traffic, it would saturate the bandwidth of the entire network, as shown in Figure 3-1. Also, without forcing some method of checking at an upper layer, all devices in the broadcast domain would be able to communicate via Layer 2. This severely limits the amount of security you can enforce on the network.
Figure 3-1 Broadcast Propagation
Before the introduction of switches and VLANs, internetworks were divided into multiple broadcast domains by connectivity through a router. Because routers do not forward broadcasts, each interface is in a different broadcast domain. Figure 3-2 shows an internetwork broken into multiple broadcast domains using routers. Notice that each segment is an individual IP subnet and that regardless of a workstation's function, its subnet is defined by its physical location.
A VLAN is a logical broadcast domain that can span multiple physical LAN segments. A VLAN can be designed to provide independent broadcast domains for stations logically segmented by function, project team, or application, without regard to the users' physical location. Each switch port can be assigned to only one VLAN. Ports in a VLAN share broadcasts. Ports that do not belong to the same VLAN do not share broadcasts. This control of broadcasts improves the internetwork's overall performance.
VLANs enable switches to create multiple broadcast domains within a switched environment, as illustrated in Figure 3-3.
Figure 3-2 Multiple Broadcast Domains Using Routers
Notice that now all users in a given group (department in this example) are defined to be in the same VLAN. Any user in this VLAN receives a broadcast from any other member of the VLAN, while users of other VLANs do not receive these broadcasts. Each of the users in a given VLAN is also in the same IP subnet. This is different from the broadcast domains of Figure 3-2, in which the physical location of the device determines the broadcast domain. However, there is a similarity with a legacy, non-VLAN internetwork because a router is still needed to get from one broadcast domain to another, even if a VLAN is used to define the broadcast domain instead of a physical location. Therefore, the creation of VLANs does not eliminate the need for routers.
Within the switched internetwork, VLANs provide segmentation and organizational flexibility. Using VLAN technology, you can group switch ports and their connected users into logically defined communities of interest, such as coworkers in the same department, a cross-functional product team, or diverse user groups sharing the same network application.
A VLAN can exist on a single switch or span multiple switches. VLANs can include stations in a single building or multiple-building infrastructures. In rare and special cases, they can even connect across wide-area networks (WANs).
Figure 3-3 VLAN Overview
VLAN Concepts
As mentioned previously, before VLANs existed, the only way to control broadcast traffic was segmentation using routers. VLANs are an extension of a switched and routed internetwork. By being able to place segments (ports) in individual broadcast domains, you can control where a given broadcast is forwarded. The sections that follow expand on these concepts. Without VLANs, each switch acts independently of the other switches in the network; with VLANs, a level of interdependence is built into the switches themselves. The characteristics of a typical VLAN setup are as follows:
Each logical VLAN is like a separate physical bridge.
VLANs can span multiple switches.
Trunk links carry traffic for multiple VLANs.
With VLANs, each switch can distinguish traffic from different broadcast domains. Each forwarding decision is based on which VLAN the packet came from; therefore, each VLAN acts like an individual bridge within a switch. To bridge/switch between switches, you must either connect each VLAN independently (that is, dedicate a port per VLAN) or have some method of maintaining and forwarding the VLAN information with the packets. A process called trunking allows this single connection. Figure 3-4 illustrates a typical VLAN setup in which multiple VLANs span two switches interconnected by a Fast Ethernet trunk.
Figure 3-4 Multiple VLANs Can Span Multiple Switches
How VLANs Operate
A Catalyst switch operates in your network like a traditional bridge. Each VLAN configured on the switch implements address learning, forwarding/filtering decisions, and loop avoidance mechanisms as if it were a separate physical bridge. This VLAN might include several ports, possibly on multiple switches.
Internally, the Catalyst switch implements VLANs by restricting data forwarding to destination ports in the same VLAN as originating ports. In other words, when a frame arrives on a switch port, the Catalyst must retransmit the frame only to a port that belongs to the same VLAN as that of the incoming port. The implication is that a VLAN operating on a Catalyst switch limits transmission of unicast, multicast, and broadcast traffic. Flooded traffic originating from a particular VLAN floods out only other ports belonging to that VLAN. Each VLAN is an individual broadcast domain because a broadcast in a given VLAN will never reach any ports in other VLANs.
Normally, a port carries traffic only for the single VLAN to which it belongs. For a VLAN to span multiple switches on a single connection, a trunk is required to connect two switches. A trunk carries traffic for all VLANs by identifying the originating VLAN as the frame is carried between the switches. Figure 3-4 shows a Fast Ethernet trunk carrying multiple VLANs between the two switches. Most ports on Catalyst switches are capable of being trunk ports. Any port on a Catalyst 2950 can be a trunk port.
VLAN Membership Modes
VLANs are a Layer 2 implementation in your network's switching topology. Because they are implemented at the data link layer, they are protocol-independent. To put a given port (segment) into a VLAN, you must create a VLAN on the switch and then assign that port membership on the switch. After you define a port to a given VLAN, broadcast, multicast, and unicast traffic from that segment will be forwarded by the switches only to ports in the same VLAN. If you need to communicate between VLANs, you must add a router (or Layer 3 switch) and a Layer 3 protocol to your network.
The ports on a Layer 2 Catalyst switch, such as a 2950, all function as Layer 2 ports. In Cisco IOS Software, a Layer 2 port is known as a switchport. A switchport can either be a member of a single VLAN or be configured as a trunk link to carry traffic for multiple VLANs. When a port is in a single VLAN, the port is called an access port. Access ports are configured with a VLAN membership mode that determines to which VLAN they can belong. The membership modes follow:
Static: When an administrator assigns a single VLAN to a port, it is called static assignment. By default, all Layer 2 switchports are statically assigned to VLAN 1 until an administrator changes this default configuration.
Dynamic: The IOS Catalyst switch supports the dynamic assignment of a single VLAN to a port by using a VLAN Membership Policy Server (VMPS). The VMPS must be a Catalyst Operating System switch, such as a Catalyst 5500 or 6500, running the set-based operating system. An IOS-based Catalyst switch cannot operate as the VMPS. The VMPS contains a database that maps MAC addresses to VLAN assignments. When a frame arrives on a dynamic port, the switch queries the VMPS for the VLAN assignment based on the arriving frame's source MAC address.
A dynamic port can belong to only one VLAN at a time. Multiple hosts can be active on a dynamic port only if they all belong to the same VLAN. Figure 3-5 demonstrates the static and dynamic VLAN membership modes.
Figure 3-5 VLAN Membership Modes
For an access port, the VLAN identity is not known by the sender or receiver attached to the access port. Frames going into and out of access ports are standard Ethernet frames, as discussed in Chapter 2, "Configuring Catalyst Switch Operations." The VLAN identity is used only within the switch to provide broadcast domain boundaries.
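The following is an added example, not code from the chapter or from Cisco, that simulates the forwarding rules described in "How VLANs Operate" and "VLAN Membership Modes": one MAC table per VLAN, flooding confined to ports of the same VLAN, a trunk that carries every VLAN and identifies the originating VLAN on each frame, access ports that send and receive plain untagged frames, and a dynamic port whose VLAN comes from a VMPS lookup on the source MAC. The port names, VLAN numbers, MAC addresses and the VMPS table are constructed for illustration; the VMPS is reduced to a dictionary so the example runs offline.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Frame:
    src: str
    dst: str
    vlan: Optional[int] = None  # None = untagged (access port); int = VLAN identity carried on a trunk


@dataclass
class Port:
    name: str
    mode: str                   # "access", "dynamic" or "trunk"
    vlan: Optional[int] = None  # static VLAN of an access port; VLAN learned from VMPS for a dynamic port


class Switch:
    """Per-VLAN learning bridge: each VLAN has its own MAC table and its own flooding scope."""

    def __init__(self, ports: List[Port], vmps: Optional[Dict[str, int]] = None):
        self.ports = {p.name: p for p in ports}
        self.vmps = vmps or {}                            # stand-in VMPS database: MAC -> VLAN (assumed)
        self.mac_table: Dict[Tuple[int, str], str] = {}   # (VLAN, MAC) -> port; keyed per VLAN

    def _ingress_vlan(self, port: Port, frame: Frame) -> Optional[int]:
        """Decide which VLAN an arriving frame belongs to; None means the frame is dropped."""
        if port.mode == "trunk":
            return frame.vlan                             # trunk frames carry their VLAN identity
        if port.mode == "dynamic":
            assigned = self.vmps.get(frame.src)           # query VMPS with the source MAC
            if assigned is None:
                return None                               # MAC unknown to the VMPS: no VLAN, drop
            if port.vlan is not None and port.vlan != assigned:
                return None                               # a dynamic port belongs to one VLAN at a time
            port.vlan = assigned
            return assigned
        return port.vlan                                  # statically assigned access port

    def receive(self, in_port: str, frame: Frame) -> List[Tuple[str, Frame]]:
        """Return the (port, frame) pairs the switch transmits for one arriving frame."""
        vlan = self._ingress_vlan(self.ports[in_port], frame)
        if vlan is None:
            return []
        self.mac_table[(vlan, frame.src)] = in_port       # address learning, scoped to this VLAN
        known = self.mac_table.get((vlan, frame.dst))
        if known == in_port:
            return []                                     # filtering: destination is on the arrival segment
        if known is not None:
            targets = [known]                             # known unicast: forward to a single port
        else:
            # unknown unicast / broadcast / multicast: flood to same-VLAN ports and every trunk
            targets = [n for n, p in self.ports.items()
                       if n != in_port and (p.mode == "trunk" or p.vlan == vlan)]
        out = []
        for name in targets:
            tag = vlan if self.ports[name].mode == "trunk" else None  # access ports get untagged frames
            out.append((name, Frame(frame.src, frame.dst, tag)))
        return out


def demo() -> Dict[str, List[Tuple[str, Frame]]]:
    # Constructed topology: VLAN 10 on Fa0/1-2, VLAN 20 on Fa0/3, a VMPS-controlled port on Fa0/4,
    # and Fa0/24 trunking to a second switch. MACs and the VMPS entry are made up for the example.
    sw = Switch(
        ports=[Port("Fa0/1", "access", 10), Port("Fa0/2", "access", 10),
               Port("Fa0/3", "access", 20), Port("Fa0/4", "dynamic"),
               Port("Fa0/24", "trunk")],
        vmps={"00:00:5e:00:53:0d": 20},
    )
    host_a, host_d, remote = "00:00:5e:00:53:0a", "00:00:5e:00:53:0d", "00:00:5e:00:53:ee"
    return {
        # broadcast from VLAN 10 reaches only VLAN 10 ports, plus the trunk (with VLAN identity)
        "vlan10_broadcast": sw.receive("Fa0/1", Frame(host_a, BROADCAST)),
        # VMPS places host D's port into VLAN 20; its broadcast never reaches VLAN 10 ports
        "dynamic_broadcast": sw.receive("Fa0/4", Frame(host_d, BROADCAST)),
        # VLAN 10 frame from the trunk for host A: delivered untagged, only to Fa0/1
        "trunk_to_access": sw.receive("Fa0/24", Frame(remote, host_a, vlan=10)),
        # a MAC the VMPS does not know gets no VLAN and is dropped
        "unknown_on_dynamic": sw.receive("Fa0/4", Frame("00:00:5e:00:53:ff", BROADCAST)),
    }


if __name__ == "__main__":
    for name, sent in demo().items():
        print(name, [(p, f.vlan) for p, f in sent])
```

The point to take from running it is the one the text makes about security: no forwarding rule in the switch ever moves a frame from a VLAN 10 port to a VLAN 20 port, so a host that wants to reach another VLAN must go through a Layer 3 device, which is where ACLs can be applied.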