 TelecomTrainning.net > Knowledge Base
What does a VLAN do?
hameznick 05-June-2009 03:41:15 AM

Comments


VLANs provide the flexibility to adapt to changes in network requirements and allow for simplified administration.
Posted by sagitraz


Virtual LANs perform traffic separation within a shared network environment. Communication between VLANs is performed through routing functionality and, for non-routable protocols, switching. This integrated solution of high-speed, scalable VLAN switching of local traffic and efficient routing and switching of inter-VLAN traffic is becoming increasingly attractive in large networks. Cisco routers address this requirement with their ability to connect 802.10, ISL, and ATM LANE-based VLANs.
Posted by mylife


Breaks up broadcast domains in a layer 2 switch internetwork...
Posted by sean


A virtual LAN, commonly known as a VLAN, is a group of hosts with a common set of requirements that communicate as if they were attached to the same broadcast domain, regardless of their physical location. A VLAN has the same attributes as a physical LAN, but it allows for end stations to be grouped together even if they are not located on the same network switch. Network reconfiguration can be done through software instead of physically relocating devices.
Uses

VLANs are created to provide the segmentation services traditionally provided by routers in LAN configurations. VLANs address issues such as scalability, security, and network management. Routers in VLAN topologies provide broadcast filtering, security, address summarization, and traffic flow management. By definition, switches may not bridge IP traffic between VLANs as it would violate the integrity of the VLAN broadcast domain.
Posted by jahangir1983


Saqlain has given an excellent answer about virtual LANs.
No need for more answers.
Posted by jahangir1983


Introduction

A VLAN is a grouping of computers that is logically segmented by functions, project teams, or applications without regard to the physical location of users. For example, several end stations might be grouped as a department, such as Engineering or Accounting, having the same attributes as a LAN even though they are not all on the same physical LAN segment. To accomplish this logical grouping, a VLAN-capable switching device must be used. Each switch port can be assigned to a VLAN. Ports in a VLAN share broadcast traffic and belong to the same broadcast domain. Broadcast traffic in one VLAN is not transmitted outside that VLAN. This segmentation improves the overall performance of the network.

Benefits

VLANs provide the following benefits:

* Reduced administration costs associated with moves, adds, and changes
* Controlled broadcast activity and better network security
* Leveraging existing investments
* Flexible and scalable segmentation

Companies continuously reorganize as they try to improve productivity. These moves, adds, and changes are one of the greatest expenses in managing a network. VLANs provide an effective mechanism to control these changes and reduce much of the cost of hub and router reconfiguration. If a group of VLAN users move but remain in the same VLAN connected to a switch port, their network addresses do not change. Router configuration is left intact; a simple move for a user from one location to another does not create any configuration changes in the router if the user stays in the same VLAN. Similar to routers, VLANs offer an effective mechanism for setting up firewalls in a switch fabric, protecting the network against broadcast problems that are potentially dangerous, and maintaining all the performance benefits of switching. You can create these firewalls by assigning switch ports or users to specific VLAN groups in single switches and across multiple connected switches, which will increase security easily and inexpensively by segmenting the network into distinct broadcast groups. Broadcast traffic in one VLAN is not transmitted outside that VLAN. This type of configuration substantially reduces overall broadcast traffic, frees bandwidth for real user traffic, and lowers the overall vulnerability of the network to broadcast storms.

You can leverage existing hub investments by assigning each hub segment connected to a switch port to a VLAN. All the stations that share a hub segment are assigned to the same VLAN. If an individual station must be reassigned to another VLAN, the station is relocated to the appropriate corresponding hub module. The interconnected switch fabric handles communication between the switching ports and automatically determines the appropriate receiving segments.

You can also assign VLANs based on the application type and the amount of applications broadcasts.

VLAN Operation

Switches: the Core of VLANs

Switches are a primary component of VLAN communication. They perform critical VLAN functions by acting as the entry point for end-station devices into the switched fabric, facilitating communication across the organization, and providing the intelligence to group users, ports, or logical addresses into common communities of interest. Each switch has the intelligence to make filtering and forwarding decisions by frame, based on VLAN metrics defined by network managers, and to communicate this information to other switches and routers within the network. The criteria used to define the logical grouping of nodes into a VLAN is based on a technique known as frame tagging. There are two types of frame tagging: implicit and explicit. Implicit tagging enables a packet to belong to a VLAN based on the Media Access Control (MAC) address, protocol, the receiving port of a switch, or another parameter into which nodes can be logically grouped. Explicit tagging requires the addition of a field into a frame or packet header that serves to classify the VLAN association of the frame. Frame tagging functions at Layer 2 and requires little processing or administrative overhead.

Routers

For inter-VLAN communication, you must use routers that extend VLAN communications between workgroups. Routers provide policy-based control, broadcast management, and route processing and distribution. They also provide the communication between VLANs and VLAN access to shared resources such as servers and hosts. Routers connect to other parts of the network that are either logically segmented into subnets or require access to remote sites across wide-area links. Consolidating the overall number of physical router ports required for communication between VLANs, routers use high-speed backbone connections over Fast Ethernet, Fiber Distributed Data Interface (FDDI), or Asynchronous Transfer Mode (ATM) for higher throughput between switches and routers.

Types of VLANs

Each VLAN is of a particular type, and has its own maximum transmission unit (MTU) size. Two types of VLANs are defined:

* Ethernet/802.3 VLANs
* Token Ring/802.5 VLANs

Switches will allow a VLAN of one of these types to be assigned to a static/dynamic port for which the physical MAC layer is of the corresponding type; for example, allow a VLAN of type Ethernet/802.3 to be assigned to a physical 10BaseT port.

Inter VLAN Communication

By definition, Virtual LANs perform traffic separation within a shared network environment. Communication between VLANs is performed through routing functionality and, for non-routable protocols, switching. This integrated solution of high-speed, scalable VLAN switching of local traffic and efficient routing and switching of inter-VLAN traffic is becoming increasingly attractive in large networks. Cisco routers address this requirement with their ability to connect 802.10, ISL, and ATM LANE-based VLANs.

VLAN Standardization

IEEE 802.1q provides for the standardization of VLANs based on a three-layer approach. The IEEE 802.1q draft is expected to be approved as a standard in 1998. Currently, several different transport mechanisms are used for communicating VLAN information across high-performance backbones. Among them are the LANE standard that has been approved by the ATM Forum, Cisco's Inter-Switch Link (ISL) for Fast Ethernet, and the IEEE 802.10 protocol, which provides VLAN communication across shared FDDI backbones.
Posted by saqlain231
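The explicit tagging described in the comment above is, on Ethernet, the IEEE 802.1Q tag: a 4-byte field (the TPID 0x8100 followed by a 16-bit TCI carrying 3 bits of priority, 1 DEI bit and a 12-bit VLAN ID) inserted between the source MAC and the EtherType. The 12-bit field allows 4096 values, but 0 and 4095 are reserved, so a switch should reject anything outside 1 to 4094. The following Python is an added example, not code from the original post or from Cisco: it inserts, decodes and strips a tag around a constructed ARP-like sample frame, and includes the VID range check.

```python
import struct

TPID_8021Q = 0x8100                  # EtherType value that announces an 802.1Q tag
ETH_HDR = struct.Struct("!6s6sH")    # dst MAC, src MAC, EtherType/TPID (network order)

# Constructed sample: broadcast ARP-like frame from 00:11:22:33:44:55 (payload is a stub).
UNTAGGED_ARP = (bytes.fromhex("ffffffffffff")
                + bytes.fromhex("001122334455")
                + b"\x08\x06"
                + b"\x00\x01\x08\x00\x06\x04\x00\x01")


def tag_frame(frame: bytes, vid: int, pcp: int = 0, dei: int = 0) -> bytes:
    """Explicit tagging: insert TPID + TCI after the source MAC of an untagged frame."""
    if not 1 <= vid <= 4094:          # VID 0 = priority-tagged only, 4095 = reserved
        raise ValueError(f"VID {vid} outside 1-4094")
    if not 0 <= pcp <= 7 or dei not in (0, 1):
        raise ValueError("PCP must be 0-7 and DEI 0 or 1")
    if len(frame) < 14:
        raise ValueError("runt frame")
    tci = (pcp << 13) | (dei << 12) | vid
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def parse_frame(frame: bytes) -> dict:
    """Decode the Ethernet header; 'vid' is None when the frame carries no tag."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    dst, src, ethertype = ETH_HDR.unpack_from(frame)
    info = {"dst": dst.hex(":"), "src": src.hex(":"),
            "vid": None, "pcp": None, "dei": None}
    offset = 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack_from("!HH", frame, 14)
        info.update(vid=tci & 0x0FFF, pcp=tci >> 13, dei=(tci >> 12) & 1)
        offset = 18
    info["ethertype"] = ethertype
    info["payload"] = frame[offset:]
    return info


def strip_tag(frame: bytes) -> bytes:
    """What a switch does on egress through an access port: drop the 4-byte tag."""
    if parse_frame(frame)["vid"] is None:
        return frame
    return frame[:12] + frame[16:]


if __name__ == "__main__":
    tagged = tag_frame(UNTAGGED_ARP, vid=10, pcp=3)
    print(parse_frame(tagged))
```

Because the tag sits inside the Layer 2 header, anything that can write raw frames onto an access link can also write a tag; the range check above is the minimum a receiver should do, and which port a tag is accepted from (trunk versus access) is the forwarding decision modelled in the later examples.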


A VLAN is a virtual LAN. In technical terms, a VLAN is a broadcast domain created by switches. Normally, it is a router creating that broadcast domain. With VLANs, a switch can create the broadcast domain.

This works by, you, the administrator, putting some switch ports in a VLAN other than 1, the default VLAN. All ports in a single VLAN are in a single broadcast domain.

Because switches can talk to each other, some ports on switch A can be in VLAN 10 and other ports on switch B can be in VLAN 10. Broadcasts between these devices will not be seen on any other port in any other VLAN, other than 10. However, these devices can all communicate because they are on the same VLAN. Without additional configuration, they would not be able to communicate with any other devices not in their VLAN.
Are VLANs required?

It is important to point out that you don't have to configure a VLAN until your network gets so large and has so much traffic that you need one. Many times, people are simply using VLANs because the network they are working on was already using them.

Another important fact is that, on a Cisco switch, VLANs are enabled by default and ALL devices are already in a VLAN. The VLAN that all devices are already in is VLAN 1. So, by default, you can just use all the ports on a switch and all devices will be able to talk to one another.
When do I need a VLAN?

You need to consider using VLANs in any of the following situations:

* You have more than 200 devices on your LAN
* You have a lot of broadcast traffic on your LAN
* Groups of users need more security or are being slowed down by too many broadcasts
* Groups of users need to be on the same broadcast domain because they are running the same applications. An example would be a company that has VoIP phones. The users using the phone could be on a different VLAN, not with the regular users.
* Or, just to make a single switch into multiple virtual switches.

Why not just subnet my network?

A common question is why not just subnet the network instead of using VLANs? Each VLAN should be in its own subnet. The benefit that a VLAN provides over a subnetted network is that devices in different physical locations, not going back to the same router, can be on the same network. The limitation of subnetting a network with a router is that all devices on that subnet must be connected to the same switch and that switch must be connected to a port on the router.
Posted by saqlain231
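To make the broadcast-domain behaviour in the comment above concrete, here is an added Python model (not code from the post or from any vendor) of two switches joined by a single trunk, each with an access port in VLAN 10 and one in VLAN 20. Access ports classify untagged frames by port (implicit tagging), the trunk carries the VLAN ID on every frame, the MAC table is keyed by (VLAN, MAC) so learning in one VLAN cannot steer traffic in another, and an egress access port strips the tag. Switch names, port names, MAC addresses and VLAN numbers are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class Frame:
    src: str
    dst: str
    vid: Optional[int] = None       # None = untagged (what an end host sends)


@dataclass
class Port:
    mode: str                       # "access" or "trunk"
    vlan: int = 1                   # access VLAN; 1 is the default VLAN
    allowed: FrozenSet[int] = frozenset()   # trunk only: VLANs carried


class Switch:
    def __init__(self, name: str, ports: Dict[str, Port]):
        self.name = name
        self.ports = ports
        self.mac_table: Dict[Tuple[int, str], str] = {}   # (vid, mac) -> port

    def receive(self, in_port: str, frame: Frame) -> List[Tuple[str, Frame]]:
        """Classify, learn and forward one frame; returns (out_port, frame) pairs."""
        p = self.ports[in_port]
        if p.mode == "access":
            vid = p.vlan                      # implicit tagging: VLAN from the ingress port
        else:
            vid = frame.vid                   # explicit tag on the trunk
            if vid is None or vid not in p.allowed:
                return []                     # untagged, or VLAN not allowed on trunk: drop
        self.mac_table[(vid, frame.src)] = in_port
        known = self.mac_table.get((vid, frame.dst))
        candidates = [known] if known else list(self.ports)   # known unicast, else flood
        out = []
        for name in candidates:
            if name == in_port:
                continue
            port = self.ports[name]
            if port.mode == "access" and port.vlan == vid:
                out.append((name, Frame(frame.src, frame.dst, None)))   # tag stripped on egress
            elif port.mode == "trunk" and vid in port.allowed:
                out.append((name, Frame(frame.src, frame.dst, vid)))    # tagged across trunk
        return out


def build_topology(trunk_allowed: FrozenSet[int] = frozenset({10, 20})):
    """Two identical edge switches A and B joined by one trunk (constructed topology)."""
    def edge(name: str) -> Switch:
        return Switch(name, {
            "fa0/1": Port("access", vlan=10),
            "fa0/2": Port("access", vlan=20),
            "gi0/24": Port("trunk", allowed=trunk_allowed),
        })
    switches = {"A": edge("A"), "B": edge("B")}
    links = {("A", "gi0/24"): ("B", "gi0/24"), ("B", "gi0/24"): ("A", "gi0/24")}
    return switches, links


def deliver(switches, links, sw: str, port: str, frame: Frame) -> Set[Tuple[str, str]]:
    """Inject a frame at (sw, port) and return every access port that emits it."""
    delivered, seen, queue = set(), set(), [(sw, port, frame)]
    while queue:
        cur_sw, cur_port, cur_frame = queue.pop()
        if (cur_sw, cur_port, cur_frame) in seen:      # guard against forwarding loops
            continue
        seen.add((cur_sw, cur_port, cur_frame))
        for out_port, out_frame in switches[cur_sw].receive(cur_port, cur_frame):
            if switches[cur_sw].ports[out_port].mode == "access":
                delivered.add((cur_sw, out_port))
            elif (cur_sw, out_port) in links:
                peer_sw, peer_port = links[(cur_sw, out_port)]
                queue.append((peer_sw, peer_port, out_frame))
    return delivered


if __name__ == "__main__":
    switches, links = build_topology()
    print(deliver(switches, links, "A", "fa0/1", Frame("00:00:00:00:00:01", BROADCAST)))
```

A broadcast injected on A's VLAN 10 access port reaches only B's VLAN 10 access port; pruning VLAN 20 from the trunk (`build_topology(frozenset({10}))`) leaves VLAN 20 hosts on the two switches unable to reach each other at all, which is the "without additional configuration" isolation the comment describes.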


The acronym VLAN expands to Virtual Local Area Network. A VLAN is a logical local area network (or LAN) that extends beyond a single traditional LAN to a group of LAN segments, given specific configurations. Because a VLAN is a logical entity, its creation and configuration is done completely in software.

How Is a VLAN Identified

Since a VLAN is a software concept, identifiers and configurations for a VLAN must be properly prepared for it to function as expected. Frame coloring is the process used to ensure that VLAN members or groups are properly identified and handled. With frame coloring, packets are given the proper VLAN ID at their origin so that they may be properly processed as they pass through the network. The VLAN ID is then used to enable switching and routing engines to make the appropriate decisions as defined in the VLAN configuration.

Why Use VLANs

Traditional network designs use routers to create broadcast domains and limit broadcasts between multiple subnets. This prevents broadcast floods in larger networks from consuming resources, or causing unintentional denials of service unnecessarily. Unfortunately, the traditional network design methodology has some flaws in design:

* Geographic Focus - Traditional network designs focus on physical locations of equipment and personnel for addressing and LAN segment placement. Because of this there are a few significant drawbacks:
  * Network segments for physically disjointed organizations cannot be part of the same address space. Each physical location must be addressed independently, and be part of its own broadcast domain. This can force personnel to be located in a central location, or to have additional latency or connectivity shortfalls.
  * Relocations of personnel and departments can become difficult, especially if the original location retains its network segments. Relocated equipment will have to be reconfigured based on the new network configuration.

A VLAN solution can alleviate both of these drawbacks by permitting the same broadcast domain to extend beyond a single segment.

* Additional Bandwidth Usage - Traditional network designs require additional bandwidth because packets have to pass through multiple levels of network connectivity when the network is segmented.

A proper VLAN design can ensure that only devices that have that VLAN defined on them will receive and forward packets intended as source or destination of the network flow.
Types of VLAN

There are only two types of VLAN possible today, cell-based VLANs and frame-based VLANs.

* Cell-based VLANs are used in ATM switched networks with LAN Emulation (or LANE). LANE is used to allow hosts on legacy LAN segments to communicate using ATM networks without having to use special hardware or software modification.
* Frame-based VLANs are used in Ethernet networks with frame tagging. The two primary types of frame tagging are IEEE 802.10 and ISL (Inter Switch Link is a Cisco proprietary frame-tagging). Keep in mind that the 802.10 standard makes it possible to deploy VLANs with 802.3 (Ethernet), 802.5 (Token-Ring), and FDDI, but Ethernet is most common.

VLAN modes

There are three different modes in which a VLAN can be configured. These modes are covered below:

* VLAN Switching Mode - The VLAN forms a switching bridge in which frames are forwarded unmodified.
* VLAN Translation Mode - VLAN translation mode is used when the frame tagging method is changed in the network path, or if the frame traverses from a VLAN group to a legacy or native interface which is not configured in a VLAN. When the packet is to pass into a native interface, the VLAN tag is removed so that the packet can properly enter the native interface.
* VLAN Routing Mode - When a packet is routed from one VLAN to a different VLAN, you use VLAN routing mode. The packet is modified, usually by a router, which places its own MAC address as the source, and then changes the VLAN ID of the packet.

VLAN configurations

Different terminology is used between different hardware manufacturers when it comes to VLANs. Because of this there is often confusion at implementation time. Following are a few details, and some examples to assist you in defining your VLANs so confusion is not an issue.
Cisco VLAN terminology

You need a few details to define a VLAN on most Cisco equipment. Unfortunately, because Cisco sometimes acquires the technologies they use to fill their switching, routing and security product lines, naming conventions are not always consistent. For this article, we are focusing only on Cisco switching and routing product lines running Cisco IOS.

* VLAN ID - The VLAN ID is a unique value you assign to each VLAN on a single device. With a Cisco routing or switching device running IOS, your range is from 1-4096. When you define a VLAN you usually use the syntax "vlan x" where x is the number you would like to assign to the VLAN ID. VLAN 1 is reserved as an administrative VLAN. If VLAN technologies are enabled, all ports are a member of VLAN 1 by default.
* VLAN Name - The VLAN name is a text-based name you use to identify your VLAN, perhaps to help technical staff in understanding its function. The string you use can be between 1 and 32 characters in length.
* Private VLAN - You also define if the VLAN is to be a private VLAN in the VLAN definition, and what other VLAN might be associated with it in the definition section. When you configure a Cisco VLAN as a private-vlan, this means that ports that are members of the VLAN cannot communicate directly with each other by default. Normally all ports which are members of a VLAN can communicate directly with each other, just as they would if they were members of a standard network segment. Private VLANs are created to enhance the security on a network where hosts coexisting on the network cannot or should not trust each other. This is a common practice on web farms or in other high-risk environments where communication between hosts on the same subnet is not necessary. Check your Cisco documentation if you have questions about how to configure and deploy private VLANs.
* VLAN modes - in Cisco IOS, there are only two modes an interface can operate in, "mode access" and "mode trunk". Access mode is for end devices or devices that will not require multiple VLANs. Trunk mode is used for passing multiple VLANs to other network devices, or for end devices that need to have membership to multiple VLANs at once. If you are wondering what mode to use, the mode is probably "mode access".

Cisco VLAN implementations
VLAN Definition

To define a VLAN on a Cisco device, you need a VLAN ID, a VLAN name, ports you would like to participate in the VLAN, and the type of membership the port will have with the VLAN.

* Step 1 - Log into the router or switch in question and get into enable mode.
* Step 2 - Get into configuration mode using "conf t".
* Step 3 - Create your VLAN by entering "vlan X" where X is the ID you would like to assign the VLAN.
* Step 4 - Name your VLAN by entering "name <name>". Replace <name> with the string you would like to identify your VLAN by.
* Step 5 - If you want your new VLAN to be a private-vlan, you now enter "private-vlan primary" and "private-vlan association Y" where Y is the secondary VLAN you want to associate with the primary vlan. If you would like the private VLAN to be community based, you enter "private-vlan community" instead.
* Step 6 - Exit configuration mode by entering "end".
* Step 7 - Save your configuration to memory by entering "wr mem" and to the network if you have need using "wr net". You may have to supply additional information to write configurations to the network depending on your device configuration.

You have now created a vlan by assigning it an ID, and giving it a name. At this point, the VLAN has no special configuration to handle IP traffic, nor are there any ports that are members of the VLAN. The next section describes how you complete your vlan configuration.
VLAN Configuration

A VLAN isn't much use if you haven't assigned it an IP Address, the subnet netmask, and port membership. In normal network segment configurations on routers, individual interfaces or groups of interfaces (called channels) are assigned IP addresses. When you use VLANs, individual interfaces are members of VLANs and do not have individual IP addresses, and generally don't have access lists applied to them. Those features are usually reserved for the VLAN interfaces. The following steps detail one method of creating and configuring your VLAN interface. NOTE: These steps have already assumed that you have logged into the router, gotten into enable mode, and entered configuration mode. These specific examples are based on the Cisco 6500 series devices.

* Step 1 - Enter "Interface VlanX" where X is the VLAN ID you used in the VLAN definition above.
* Step 2 - This step is optional. Enter "description <VLAN description>" where <VLAN description> details what the VLAN is going to be used for. You can just simply re-use the VLAN name you used above if you like.
* Step 3 - Enter "ip address <address> <netmask>" where <address> is the address you want to assign this device in the VLAN, and <netmask> is the network mask for the subnet you have assigned the VLAN.
* Step 4 - The step is optional. Create and apply an access list to the VLAN for inbound and outbound access controls. For a standard access list enter "access-group XXX in" and "access-group YYY out" where XXX and YYY corresponds to access-lists you have previously configured. Remember that the terms are taken in respect to the specific subnet or interface, so "in" means from the VLAN INTO the router, and "out" means from the router OUT to the VLAN.
* Step 5 - This step is optional. Enter the private VLAN mapping you would like to use if the port is part of a private VLAN. This should be the same secondary VLAN you associated with the primary VLAN in VLAN definition above. Enter "private-vlan mapping XX" where XX is the VLAN ID of the secondary VLAN you would like to associate with this VLAN.
* Step 6 - This step is optional. Configure HSRP and any other basic interface configurations you would normally use for your Cisco device.
* Step 7 - Exit configuration mode by entering "end".
* Step 8 - Save your configuration to memory by entering "wr mem" and to the network if you have need using "wr net". You may have to supply additional information to write configurations to the network depending on your device configuration.

Now you have your vlan defined and configured, but no physical ports are a member of the VLAN, so the VLAN still isn't of much use. Next port membership in the VLAN is described. IOS devices describe interfaces based on a technology and a port number, as with "FastEthernet3/1" or "GigabitEthernet8/16". Once you have determined which physical ports you want to be members of the VLAN you can use the following steps to configure it. NOTE: These steps have already assumed that you have logged into the router, gotten into enable mode, and entered configuration mode.
For access ports

* Step 1 - Enter "Interface <interface name>" where <interface name> is the name Cisco has assigned the interface you would like to associate with the VLAN.
* Step 2 - This step is optional. Enter "description <description>" where <description> is text describing the system connected to the interface in question. It is usually helpful to provide DNS hostname, IP Address, which port on the remote system is connected, and its function.
* Step 3 - This step depends on your equipment and IOS version, and requirements. Enter "switchport" if you need the interface to act as a switch port. Some hardware does not support switchport mode, and can only be used as a router port. Check your documentation if you don't know the difference between a router port and a switch port.
* Step 4 - Only use this step if you used step 3 above. Enter "switchport access vlan X" where X is the VLAN ID of the VLAN you want the port to be a member of.
* Step 5 - Only use this step if you used step 3 above. Enter "switchport mode access" to tell the port that you want it to be used as an access port.
* Step 6 - Exit configuration mode by entering "end".
* Step 7 - Save your configuration to memory by entering "wr mem" and to the network if you have need using "wr net". You may have to supply additional information to write configurations to the network depending on your device configuration.

For trunk ports

* Step 1 - Enter "Interface <interface name>" where <interface name> is the name Cisco has assigned the interface you would like to associate with the VLAN.
* Step 2 - This step is optional. Enter "description <description>" where <description> is text describing the system connected to the interface in question. It is usually helpful to provide DNS hostname, IP Address, which port on the remote system is connected, and its function.
* Step 3 - This step depends on your equipment and IOS version, and requirements. Enter "switchport" if you need the interface to act as a switch port. Some hardware does not support switchport mode, and can only be used as a router port. Check your documentation if you don't know the difference between a router port and a switch port.
* Step 4 - Only use this step if you used step 3 above. Enter "switchport trunk encapsulation dot1q". This tells the VLAN to use dot1q encapsulation for the VLAN, which is the industry standard encapsulation for trunking. There are other encapsulation options, but your equipment may not operate with non Cisco equipment if you use them.
* Step 5 - Only use this step if you used step 3 above. Enter "switchport trunk allowed vlan XX, YY, ZZ" where XX, YY, and ZZ are VLANs you want the trunk to include. You can define one or more VLANs to be allowed in the trunk.
* Step 6 - Only use this step if you used step 3 above. Enter "switchport mode trunk" to tell the port to operate as a VLAN trunk, and not as an access port.
* Step 7 - Exit configuration mode by entering "end".
* Step 8 - Save your configuration to memory by entering "wr mem" and to the network if you have need using "wr net". You may have to supply additional information to write configurations to the network depending on your device configuration.

For private VLAN ports

* Step 1 - Enter "Interface <interface name>" where <interface name> is the name Cisco has assigned the interface you would like to associate with the VLAN.
* Step 2 - This step is optional. Enter "description <description>" where <description> is text describing the system connected to the interface in question. It is usually helpful to provide DNS hostname, IP Address, which port on the remote system is connected, and its function.
* Step 3 - This step depends on your equipment and IOS version, and requirements. Enter "switchport" if you need the interface to act as a switch port. Some hardware does not support switchport mode, and can only be used as a router port. Check your documentation if you don't know the difference between a router port and a switch port.
* Step 4 - Enter "switchport private-vlan host association XX YY" where XX is the primary VLAN you want to assign, YY is the secondary VLAN you want to associate with it.
* Step 5 - Enter "switchport mode private-vlan host" to force the port to operate as a private-vlan in host mode.
* Step 6 - Exit configuration mode by entering "end".
* Step 7 - Save your configuration to memory by entering "wr mem" and to the network if you have need using "wr net". You may have to supply additional information to write configurations to the network depending on your device configuration.

You should now have your VLAN properly implemented on a Cisco IOS device.
HP VLAN terminology

HP's Procurve line of switchgear is becoming more and more prevalent in enterprise and other business environments. Because of this, it isn't uncommon to have to get Cisco and Procurve hardware to integrate, and because of terminology this can be a challenge. Below some of the VLAN terminology is defined so there is less opportunity for confusion.

* VLAN ID - Fortunately, VLAN IDs are pretty much the same everywhere; the only significant difference is the range of IDs that can be used. With Procurve devices, the number of VLANs is defined in the configuration. The default maximum VLANs supported on a Procurve device differs between models and firmware revisions, but is commonly set to 8. Newer Procurve hardware supports 4,096 VLAN IDs, but only 256 concurrently defined VLANs on a single device. VLAN ID 1 is reserved for the "DEFAULT_VLAN" or the default administrative VLAN.
* VLAN names - VLAN names are text fields that assist technicians to identify VLANs. Procurve allows names up to 32 characters, but if you want it to properly display in menu configuration mode, you should probably limit the name to 12 characters.
* VLAN modes - Procurve has three modes of operation for VLANs on the chassis: Untagged, Tagged, and No. Untagged mode is Cisco's access mode. This mode is used for ports that connect to end nodes, or devices that will not be passing VLAN traffic forward. Tagged mode is the same as Cisco's trunk mode. This mode is used for ports that are connecting to devices that will be passing VLAN traffic forward, or for trunking multiple VLANs. No mode means that the port in question has no association whatsoever with that VLAN.
* Special note on "trunk" - Lots of confusion surrounds the word "trunk" when you go between vendor equipment. In Cisco's case, trunking is only used with VLANs. If you want to group multiple ethernet ports into a single logical ethernet group, they call it a channel-group. This is regardless of whether FEC or LACP is used for the channel properties. Procurve uses "trunk" to define a group of ethernet ports when using the HP trunking protocol, and the term "Tagged" for what Cisco calls a VLAN trunk. Of course, these two technologies have nothing to do with each other, but because of naming conventions, confusion arises.

HP Procurve VLAN implementations
VLAN Definition

Most modern Procurve switches enable VLAN use by default, but if, for some reason, you have an older model, log into the switch, get into manager mode, go to the switch configuration menu (usually item 2), then the VLAN menu (usually item 8), then the VLAN support item (usually item 1), and make sure VLANs are enabled. If you change this setting, you will need to reboot the switch to get it to activate properly. The configuration menu is useful for these kinds of activities, troubleshooting, and other things, but is a little more difficult for configuring multiple switches or for using configuration templates, so the rest of the HP Procurve configuration details will be provided for the console configuration mode. Aside from enabling VLAN support as a whole, VLAN definitions and configuration are created in the same place, so the rest of the configuration examples will be provided under the VLAN configuration topic.
VLAN Configuration

Configuring VLANs on a modern Procurve is pretty simple: you must first define the VLAN, set its properties, and then set up membership for ports and the VLAN mode they will support. The following list should help you accomplish these tasks. NOTE: HP has defined its interface ports by using a module/port convention. If you have a non-modular chassis (such as the 3448cl) then ports are numbered only using numbers, such as 1 or 36. If the chassis is modular (such as the 5308) then the port number is prefixed with the module slot, such as A1 or H6. No reference to the type of switch port (ethernet, fast ethernet, gigabit ethernet) is used for port reference.

* Step 1 - Log into the switch and get into manager mode. If, after logging in, you are in the configuration menu, exit the configuration menu by selecting item 5 (in most cases) or by using the arrow keys on your keyboard to highlight the "Command Line (CLI)" item.
* Step 2 - Enter "conf t" to get into terminal configuration mode.
* Step 3 - Enter "vlan X" where X is the VLAN id of the VLAN you would like to create.
* Step 4 - Name your VLAN by entering "name <name>" where <name> is a text string from 1 to 32 characters (12 characters if you care about the configuration menu display). You should use quotes around the name when naming the VLAN.
* Step 5 - Give the VLAN an IP address by entering "ip address <ip> <mask>" where <ip> is the IP address you want to assign this switch in that subnet, and <mask> is the network mask for the subnet assigned.
* Step 6 - This step is optional. If you want to assign some end node ports to the VLAN enter "untagged <port-list>" where <port-list> is a list of ports, either comma delimited if they are non-sequential, or using a dash between the beginning and end of the list if they are sequential. An example of this is "untagged 1,3,5,7-16". This would configure ports 1, 3, 5, and 7 through 16 to be untagged on that VLAN.
* Step 7 - This step is optional. If you want to assign some VLAN trunk ports to the VLAN enter "tagged <port-list>" where <port-list> is a list of ports, either comma delimited if they are non-sequential, or using a dash between the beginning and end of the list if they are sequential. An example of this is "tagged 1,3,5,7-16". This would configure ports 1, 3, 5, and 7 through 16 to be tagged on that VLAN.
* Step 8 - Enter "exit" to leave VLAN configuration mode.
* Step 9 - Exit configuration mode by entering "exit" again.
* Step 10 - Save your configuration by entering "wr memory".

You have now successfully configured your HP Procurve VLAN.
Vendor Summary

If you are going to integrate Cisco and HP Procurve hardware on the same network, and you intend to use VLANs, there are only a few things you need to remember:

* For end nodes - Cisco uses "mode access", HP uses "untagged" mode.
* For VLAN dot1q trunks - Cisco uses "mode trunk", HP uses "tagged" mode.
* For no VLAN association - Cisco uses no notation at all, HP uses "no" mode in the configuration menu, or you have VLAN support turned off.

Next time you have to integrate the two with VLANs, this simple list should help keep you out of trouble.

Posted by saqlain231
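As an added example (not code from the post above, nor from HP or Cisco), here is a small Python helper that turns the ten Procurve steps into the command sequence they describe, expands the port-list syntax from steps 6 and 7 (including the module/port names such as A1 or H6 mentioned in the note), refuses a port that is listed as both untagged and tagged on the same VLAN, and emits the Cisco equivalent from the vendor summary. The Cisco interface prefix FastEthernet0/ and the sample addresses are assumptions.

```python
import re

# Procurve port names: a plain number on a non-modular chassis ("1", "36"),
# or module letter plus number on a modular chassis ("A1", "H6").
PORT_RE = re.compile(r"^([A-Za-z]?)(\d+)$")


def expand_port_list(spec):
    """Expand a Procurve port list such as "1,3,5,7-16" or "A1-A4,H6" into
    individual port names, keeping the order given."""
    ports = []
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo_s, hi_s = (s.strip() for s in part.split("-", 1))
            lo, hi = PORT_RE.match(lo_s), PORT_RE.match(hi_s)
            if not lo or not hi or lo.group(1).upper() != hi.group(1).upper():
                raise ValueError(f"malformed port range: {part!r}")
            module = lo.group(1).upper()
            start, end = int(lo.group(2)), int(hi.group(2))
            if start > end:
                raise ValueError(f"range start after end: {part!r}")
            ports.extend(f"{module}{n}" for n in range(start, end + 1))
        else:
            m = PORT_RE.match(part)
            if not m:
                raise ValueError(f"malformed port: {part!r}")
            ports.append(f"{m.group(1).upper()}{int(m.group(2))}")
    return ports


def overlapping_ports(untagged, tagged):
    """Ports named in both lists: a port holds one mode per VLAN, so these
    should be caught before the config is pushed."""
    return sorted(set(expand_port_list(untagged)) & set(expand_port_list(tagged)))


def procurve_vlan_config(vid, name, ip, mask, untagged="", tagged=""):
    """Emit the CLI lines from steps 2 to 10 of the post for one VLAN."""
    if not 1 <= vid <= 4094:        # 12-bit VID space minus reserved 0 and 4095
        raise ValueError(f"VLAN id out of range: {vid}")
    if not 1 <= len(name) <= 32:    # limit quoted in step 4
        raise ValueError("VLAN name must be 1-32 characters")
    clash = overlapping_ports(untagged, tagged)
    if clash:
        raise ValueError(f"ports both untagged and tagged on VLAN {vid}: {clash}")
    lines = ["conf t", f"vlan {vid}", f'name "{name}"', f"ip address {ip} {mask}"]
    if untagged:
        lines.append(f"untagged {untagged}")
    if tagged:
        lines.append(f"tagged {tagged}")
    lines += ["exit", "exit", "wr memory"]
    return lines


def cisco_equivalent(vid, untagged="", tagged="", ifprefix="FastEthernet0/"):
    """The same membership in Cisco IOS terms per the vendor summary:
    untagged -> "switchport mode access", tagged -> "switchport mode trunk".
    ifprefix is an assumed naming scheme for numeric ports only; adjust per platform."""
    lines = ["conf t", f"vlan {vid}", "exit"]
    for p in expand_port_list(untagged):
        lines += [f"interface {ifprefix}{p}", "switchport mode access",
                  f"switchport access vlan {vid}", "exit"]
    for p in expand_port_list(tagged):
        lines += [f"interface {ifprefix}{p}", "switchport mode trunk",
                  f"switchport trunk allowed vlan add {vid}", "exit"]
    lines += ["exit", "write memory"]
    return lines


if __name__ == "__main__":
    # Sample VLAN 10 with assumed addressing (192.0.2.0/24 is documentation space).
    for line in procurve_vlan_config(10, "Servers", "192.0.2.1", "255.255.255.0",
                                     untagged="1,3,5,7-16", tagged="24"):
        print(line)
    print("---")
    for line in cisco_equivalent(10, untagged="1,3,5,7-16", tagged="24"):
        print(line)
```

The overlap check is the part worth keeping even if you never generate config from a script: a port that ends up untagged and tagged on the same VLAN is the kind of mistake the vendor summary is trying to prevent, and it is easier to catch in a list than on the switch.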


A virtual LAN, commonly known as a VLAN, is a group of hosts with a common set of requirements that communicate as if they were attached to the same broadcast domain, regardless of their physical location. A VLAN has the same attributes as a physical LAN, but it allows for end stations to be grouped together even if they are not located on the same network switch. Network reconfiguration can be done through software instead of physically relocating devices.
Uses

VLANs are created to provide the segmentation services traditionally provided by routers in LAN configurations. VLANs address issues such as scalability, security, and network management. Routers in VLAN topologies provide broadcast filtering, security, address summarization, and traffic flow management. By definition, switches may not bridge IP traffic between VLANs as it would violate the integrity of the VLAN broadcast domain.


This is also useful if someone wants to create multiple Layer 3 networks on the same Layer 2 switch. For example, if a DHCP server (which will broadcast its presence) were plugged into a switch, it would serve anyone on that switch that was configured to do so. By using VLANs you can easily split the network up so some hosts won't use that server and default to link-local addresses.

Virtual LANs are essentially Layer 2 constructs, compared with IP subnets which are Layer 3 constructs. In an environment employing VLANs, a one-to-one relationship often exists between VLANs and IP subnets, although it is possible to have multiple subnets on one VLAN or have one subnet spread across multiple VLANs. Virtual LANs and IP subnets provide independent Layer 2 and Layer 3 constructs that map to one another and this correspondence is useful during the network design process.

By using VLAN, one can control traffic patterns and react quickly to relocations. VLANs provide the flexibility to adapt to changes in network requirements and allow for simplified administration.

Motivation

In a legacy network, users were assigned to networks based on geography and were limited by physical topologies and distances. VLANs can logically group networks so that the network location of users is no longer so tightly coupled to their physical location. Technologies able to implement VLANs are:

* Asynchronous Transfer Mode (ATM)
* Fiber Distributed Data Interface (FDDI)
* Ethernet
* Fast Ethernet
* Gigabit Ethernet
* 10 Gigabit Ethernet
* HiperSockets

Protocols and design

The protocol most commonly used today in configuring virtual LANs is IEEE 802.1Q. The IEEE committee defined this method of multiplexing VLANs in an effort to provide multivendor VLAN support. Prior to the introduction of the 802.1Q standard, several proprietary protocols existed, such as Cisco's ISL (Inter-Switch Link, a variant of IEEE 802.10) and 3Com's VLT (Virtual LAN Trunk). ISL is no longer supported by Cisco.

Both ISL and IEEE 802.1Q tagging perform "explicit tagging" - the frame itself is tagged with VLAN information. ISL uses an external tagging process that does not modify the existing Ethernet frame, while 802.1Q uses a frame-internal field for tagging, and so does modify the Ethernet frame. This internal tagging is what allows IEEE 802.1Q to work on both access and trunk links: frames are standard Ethernet, and so can be handled by commodity hardware.

The IEEE 802.1Q header contains a 4-byte tag header containing a 2-byte tag protocol identifier (TPID) and a 2-byte tag control information (TCI). The TPID has a fixed value of 0x8100 that indicates that the frame carries the 802.1Q/802.1p tag information. The TCI contains the following elements:

* Three-bit user priority
* One-bit canonical format indicator (CFI)
* Twelve-bit VLAN identifier (VID): uniquely identifies the VLAN to which the frame belongs

The 802.1Q standard can create an interesting scenario on the network. Recalling that the maximum size for an Ethernet frame as specified by IEEE 802.3 is 1518 bytes, this means that if a maximum-sized Ethernet frame gets tagged, the frame size will be 1522 bytes, a number that violates the IEEE 802.3 standard. To resolve this issue, the 802.3 committee created a subgroup called 802.3ac to extend the maximum Ethernet size to 1522 bytes. Network devices that do not support a larger frame size will process the frame successfully but may report these anomalies as a "baby giant."

Inter-Switch Link (ISL) is a Cisco proprietary protocol used to interconnect multiple switches and maintain VLAN information as traffic travels between switches on trunk links. This technology provides one method for multiplexing bridge groups (VLANs) over a high-speed backbone. It is defined for Fast Ethernet and Gigabit Ethernet, as is IEEE 802.1Q. ISL has been available on Cisco routers since Cisco IOS Software Release 11.1.

With ISL, an Ethernet frame is encapsulated with a header that transports VLAN IDs between switches and routers. ISL does add overhead to the packet as a 26-byte header containing a 10-bit VLAN ID. In addition, a 4-byte CRC is appended to the end of each frame. This CRC is in addition to any frame checking that the Ethernet frame requires. The fields in an ISL header identify the frame as belonging to a particular VLAN.

A VLAN ID is added only if the frame is forwarded out a port configured as a trunk link. If the frame is to be forwarded out a port configured as an access link, the ISL encapsulation is removed.

Early network designers often configured VLANs with the aim of reducing the size of the collision domain in a large single Ethernet segment and thus improving performance. When Ethernet switches made this a non-issue (because each switch port is a collision domain), attention turned to reducing the size of the broadcast domain at the MAC layer. Virtual networks can also serve to restrict access to network resources without regard to physical topology of the network, although the strength of this method remains debatable as VLAN Hopping [1] is a common means of bypassing such security measures.

Virtual LANs operate at Layer 2 (the data link layer) of the OSI model. Administrators often configure a VLAN to map directly to an IP network, or subnet, which gives the appearance of involving Layer 3 (the network layer). In the context of VLANs, the term "trunk" denotes a network link carrying multiple VLANs, which are identified by labels (or "tags") inserted into their packets. Such trunks must run between "tagged ports" of VLAN-aware devices, so they are often switch-to-switch or switch-to-router links rather than links to hosts. (Note that the term 'trunk' is also used for what Cisco calls "channels" : Link Aggregation or Port Trunking). A router (Layer 3 device) serves as the backbone for network traffic going across different VLANs.

Cisco VLAN Trunking Protocol (VTP)

On Cisco devices, VTP (VLAN Trunking Protocol) maintains VLAN configuration consistency across the entire network. VTP uses Layer 2 trunk frames to manage the addition, deletion, and renaming of VLANs on a network-wide basis from a centralized switch in the VTP server mode. VTP is responsible for synchronizing VLAN information within a VTP domain and reduces the need to configure the same VLAN information on each switch.

VTP minimizes the possible configuration inconsistencies that arise when changes are made. These inconsistencies can result in security violations, because VLANs can cross-connect when duplicate names are used. They also could become internally disconnected when they are mapped from one LAN type to another, for example, Ethernet to ATM LANE ELANs or FDDI 802.10 VLANs. VTP provides a mapping scheme that enables seamless trunking within a network employing mixed-media technologies.

VTP provides the following benefits:

* VLAN configuration consistency across the network
* Mapping scheme that allows a VLAN to be trunked over mixed media
* Accurate tracking and monitoring of VLANs
* Dynamic reporting of added VLANs across the network
* Plug-and-play configuration when adding new VLANs

As beneficial as VTP can be, it does have disadvantages that are normally related to the Spanning Tree Protocol (STP) as a bridging loop propagating throughout the network can occur. Cisco switches run an instance of STP for each VLAN, and since VTP propagates VLANs across the campus LAN, VTP effectively creates more opportunities for a bridging loop to occur.

Before creating VLANs on the switch that will be propagated via VTP, a VTP domain must first be set up. A VTP domain for a network is a set of all contiguously trunked switches with the same VTP domain name. All switches in the same management domain share their VLAN information with each other, and a switch can participate in only one VTP management domain. Switches in different domains do not share VTP information.

Using VTP, each Catalyst Family Switch advertises the following on its trunk ports:

* Management domain
* Configuration revision number
* Known VLANs and their specific parameters

Establishing VLAN memberships

The two common approaches to assigning VLAN membership are as follows:

* Static VLANs
* Dynamic VLANs

Static VLANs are also referred to as port-based VLANs. Static VLAN assignments are created by assigning ports to a VLAN. As a device enters the network, the device automatically assumes the VLAN of the port. If the user changes ports and needs access to the same VLAN, the network administrator must manually make a port-to-VLAN assignment for the new connection.

Dynamic VLANs are created through the use of software packages such as CiscoWorks 2000. With a VLAN Management Policy Server [VMPS], an administrator can assign switch ports to VLANs dynamically based on information such as the source MAC address of the device connected to the port or the username used to log onto that device. As a device enters the network, the device queries a database for VLAN membership. See also FreeNAC which implements a VMPS server.

Port-based VLANs

With port-based VLAN membership, the port is assigned to a specific VLAN independent of the user or system attached to the port. This means all users attached to the port should be members of the same VLAN. The network administrator typically performs the VLAN assignment. The port configuration is static and cannot be automatically changed to another VLAN without manual reconfiguration.

As with other VLAN approaches, the packets forwarded using this method do not leak into other VLAN domains on the network. After a port has been assigned to a VLAN, the port cannot send to or receive from devices in another VLAN without the intervention of a Layer 3 device.

The device that is attached to the port likely has no understanding that a VLAN exists. The device simply knows that it is a member of a subnet and that the device should be able to talk to all other members of the subnet by simply sending information to the cable segment. The switch is responsible for identifying that the information came from a specific VLAN and for ensuring that the information gets to all other members of the VLAN. The switch is further responsible for ensuring that ports in a different VLAN do not receive the information.

This approach is quite simple, fast, and easy to manage in that there are no complex lookup tables required for VLAN segmentation. If port-to-VLAN association is done with an application-specific integrated circuit (ASIC), the performance is very good. An ASIC allows the port-to-VLAN mapping to be done at the hardware level.

Protocol Based VLANs

In a protocol-based VLAN enabled switch, traffic is forwarded through ports based on protocol. Essentially, the user tries to segregate or forward a particular protocol's traffic from a port using protocol-based VLANs; traffic from any other protocol is not forwarded on the port. For example, if you have connected a host pumping ARP traffic to port 10 of the switch, a LAN pumping IPX traffic to port 20 of the switch, and a router pumping IP traffic to port 30, and you then define a protocol-based VLAN supporting IP that includes all three ports 10, 20 and 30, then IP packets can be forwarded to ports 10 and 20 as well, but ARP traffic will not get forwarded to ports 20 and 30; similarly, IPX traffic will not get forwarded to ports 10 and 30.

References

* Andrew S. Tanenbaum, "Computer Networks", Pearson Education International, New Jersey, 2003.
* [1] Rik Farrow, "VLAN Insecurity".

Posted by saqlain231
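An added example, not part of the post above: Python that builds and parses the 4-byte 802.1Q tag described in the "Protocols and design" part of the post (TPID 0x8100 followed by the 3-bit priority, 1-bit CFI and 12-bit VID of the TCI), shows the 1518-to-1522 byte growth behind the "baby giant" remark, and counts stacked tags so a capture-analysis check can flag a frame carrying more than one tag, something a host on an access port has no reason to send. The MAC addresses and frame contents are constructed sample data, and the FCS is a placeholder rather than a real CRC.

```python
import struct

TPID_8021Q = 0x8100        # tag protocol identifier of the 802.1Q tag header
ETHERTYPE_IPV4 = 0x0800
ETH_MAX_UNTAGGED = 1518    # IEEE 802.3 maximum frame size, FCS included
ETH_MAX_TAGGED = 1522      # 802.3ac limit once one 4-byte tag is inserted


def build_tci(priority, cfi, vid):
    """Pack the 16-bit tag control information: 3-bit priority, 1-bit CFI, 12-bit VID."""
    if not 0 <= priority <= 7:
        raise ValueError("priority is a 3-bit field")
    if cfi not in (0, 1):
        raise ValueError("CFI is a 1-bit field")
    if not 0 <= vid <= 4095:
        raise ValueError("VID is a 12-bit field")
    return (priority << 13) | (cfi << 12) | vid


def parse_tci(tci):
    """Split a 16-bit TCI back into its three fields."""
    return {"priority": (tci >> 13) & 0x7, "cfi": (tci >> 12) & 0x1, "vid": tci & 0x0FFF}


def tag_frame(frame, priority, cfi, vid):
    """Insert a 4-byte 802.1Q tag between the source MAC and the EtherType.
    Applied to an already tagged frame, it stacks a second tag in front."""
    if len(frame) < 14:
        raise ValueError("need at least a 14-byte Ethernet header")
    tag = struct.pack("!HH", TPID_8021Q, build_tci(priority, cfi, vid))
    return frame[:12] + tag + frame[12:]


def parse_tags(frame):
    """Walk every 802.1Q tag starting at offset 12; return (tags, inner EtherType)."""
    tags, off = [], 12
    while len(frame) >= off + 4 and struct.unpack("!H", frame[off:off + 2])[0] == TPID_8021Q:
        tags.append(parse_tci(struct.unpack("!H", frame[off + 2:off + 4])[0]))
        off += 4
    ethertype = struct.unpack("!H", frame[off:off + 2])[0] if len(frame) >= off + 2 else None
    return tags, ethertype


def classify_frame(frame):
    """Size class and tag count, the two things a capture-analysis check cares about."""
    tags, ethertype = parse_tags(frame)
    size = len(frame)
    if size <= ETH_MAX_UNTAGGED:
        size_class = "standard"
    elif size <= ETH_MAX_TAGGED:
        size_class = "baby giant"      # legal only on 802.3ac-aware devices
    else:
        size_class = "oversize"
    return {"size": size, "size_class": size_class, "ethertype": ethertype,
            "vids": [t["vid"] for t in tags], "double_tagged": len(tags) > 1}


def sample_max_frame():
    """Constructed sample: maximum-size untagged IPv4 frame (14 + 1500 + 4 FCS = 1518)."""
    dst = bytes.fromhex("020000000001")   # locally administered, made-up MACs
    src = bytes.fromhex("020000000002")
    payload = bytes(1500)
    fcs = bytes(4)                         # placeholder, not a real CRC
    return dst + src + struct.pack("!H", ETHERTYPE_IPV4) + payload + fcs


if __name__ == "__main__":
    plain = sample_max_frame()
    tagged = tag_frame(plain, 5, 0, 100)
    print(classify_frame(plain))                      # 1518 bytes, standard
    print(classify_frame(tagged))                     # 1522 bytes, baby giant
    print(classify_frame(tag_frame(tagged, 0, 0, 1))) # 1526 bytes, two tags
```

The walk in parse_tags stops at the first non-0x8100 EtherType, so the returned list is ordered outer to inner; on a monitoring port, a list longer than one is the condition to alert on, and the size class tells you whether a legacy device that enforces the 1518-byte limit would drop or mis-count the frame.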

Copyright © Telecom Training, All Rights Reserved