Summary (3.4)
This chapter thoroughly covered VLANs: how to design and create VLANs and how to transmit those VLANs to other network devices such as other switches using a trunk link. Security risks associated with VLANs and how to mitigate those risks with some proactive designs and configurations were also covered. This section helps you to determine if you learned the main points as well as the finer details of the chapter.
This chapter introduced VLANs. VLANs are based on logical connections, instead of physical connections. VLANs are a mechanism to allow network administrators to create logical broadcast domains that can span across a single switch or multiple switches, regardless of physical proximity. This function is useful to reduce the size of broadcast domains or to allow groups or users to be logically grouped without the need to be physically located in the same place.
There are several types of VLANs:
- Default VLAN
- Management VLAN
- Native VLAN
- User/Data VLANs
- Black Hole VLAN
- Voice VLAN
On a Cisco switch, VLAN 1 is the default Ethernet VLAN, the default native VLAN, and the default management VLAN. Best practices suggest that the native and management VLANs be moved to another distinct VLAN and that unused switch ports be moved to a “black hole” VLAN for increased security.
The switchport access vlan command is used to create a VLAN on a switch. After creating a VLAN, the next step is to assign ports to the VLAN. The show vlan brief command displays the VLAN assignment and membership type for all switch ports. Each VLAN must correspond to a unique IP subnet.
Use the show vlan command to check whether the port belongs to the expected VLAN. If the port is assigned to the wrong VLAN, use the switchport access vlan command to correct the VLAN membership. Use the show mac address-table command to check which addresses were learned on a particular port of the switch and to which VLAN that port is assigned.
A port on a switch is either an access port or a trunk port. Access ports carry traffic from a specific VLAN assigned to the port. A trunk port by default is a member of all VLANs; therefore, it carries traffic for all VLANs.
VLAN trunks facilitate inter-switch communication by carrying traffic associated with multiple VLANs. IEEE 802.1Q frame tagging differentiates between Ethernet frames associated with distinct VLANs as they traverse common trunk links. To enable trunk links, use the switchport mode trunk command. Use the show interfaces trunk command to check whether a trunk has been established between switches.
Trunk negotiation is managed by the Dynamic Trunking Protocol (DTP), which operates on a point-to-point basis only, between network devices. DTP is a Cisco proprietary protocol that is automatically enabled on Catalyst 2960 and Catalyst 3560 Series switches.
To place a switch into its factory default condition with 1 default VLAN, use the command delete flash:vlan.dat and erase startup-config.
This chapter also examined the configuration, verification, and troubleshooting of VLANs and trunks using the Cisco IOS CLI and explored basic security and design considerations in the context of VLANs.