
Chapter 5:

Virtual LAN (VLAN)


CISCO CERTIFIED NETWORK ASSOCIATE (CCNA)
Agenda
• VLAN Basics
• VLAN Memberships
• Identifying VLANs
• Configuring VLANs
• VLAN Trunking Protocol (VTP)
• Routing between VLANs
• Troubleshooting Switched LANs
• Dynamic Host Configuration Protocol (DHCP)

VLAN Basics

Virtual LANs (VLAN) Basics
• A LAN consists of all devices in the same broadcast domain
• Without VLANs, a switch considers all interfaces on the switch, and
the devices connected to those links, to be in the same broadcast
domain
• With VLANs, a switch groups interfaces into different VLANs
(broadcast domains) based on configuration, with each interface in a
different VLAN

Before using VLAN

After Using VLAN

Switch Virtual Interface (SVI)
• Switch Virtual Interface (SVI) Concept Inside a Switch
• A typical Layer 2 Cisco LAN switch can use only one VLAN interface at a time

Switch Virtual Interface (SVI)
• Choosing One VLAN on Which to Configure a Switch IP Address

SW-1# configure terminal
SW-1(config)# interface vlan 1
SW-1(config-if)# ip address 192.168.1.200 255.255.255.0
SW-1(config-if)# no shutdown
00:25:07: %LINK-3-UPDOWN: Interface Vlan1, changed state to up
00:25:08: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to up
SW-1(config-if)# exit
SW-1(config)# ip default-gateway 192.168.1.1
Benefits of VLANs
• Most common reasons for choosing to create smaller broadcast
domains (VLANs):
• To reduce CPU overhead on each device
• To reduce security risks
• To improve security for hosts
• To create more flexible designs that group users
• To solve problems more quickly
• To reduce the workload for the Spanning Tree Protocol (STP)

VLAN Memberships

VLAN Memberships
• Static VLANs
• Creating static VLANs is the most common way to create a VLAN
• Static VLANs are the most secure
• Dynamic VLANs
• A dynamic VLAN determines a node’s VLAN assignment automatically
• Using intelligent management software, you can base VLAN assignments on
hardware (MAC) addresses, protocols, or even applications that create
dynamic VLANs
• Using the VLAN Management Policy Server (VMPS) service to set up a
database of MAC addresses to be used for the dynamic addressing of your
VLANs

VLAN Memberships

Identifying VLANs

Identifying VLANs

• A switch port can belong to only one VLAN if it is an access port or all
VLANs if it is a trunk port
• You can manually configure a port as an access or trunk port, or you can let
the Dynamic Trunking Protocol (DTP) operate on a per-port basis to set the
switchport mode

Identifying VLANs

• Types of links in a switched environment
• Access ports: an access port belongs to, and carries the traffic of, only one VLAN
• Voice access ports: an access port that can be configured for both a data VLAN and a voice VLAN
• Trunk ports: carry the traffic of multiple VLANs across a single link, with each frame tagged to identify its VLAN

Identifying VLANs
• Multiswitch VLAN Without VLAN Trunking

Identifying VLANs

• Multiswitch VLAN with Trunking

Configuring VLANs

VLAN Configuration Guidelines
• Maximum number of VLANs is switch-dependent
• Catalyst desktop switches support 64 VLANs with a separate spanning
tree per VLAN
• VLAN1 is the factory default Ethernet VLAN
• CDP and VTP advertisements are sent on VLAN1
• The Catalyst switch IP address is in the management VLAN (VLAN1 by
default)
• To add or delete VLANs, the switch must be in VTP server or transparent
mode

Configuring VLANs
• Sample Configuration Access and Trunk VLAN

SW1:
Switch>en
Switch#config t
Switch(config)#hostname SW1
SW1(config)#vlan 10
SW1(config-vlan)#name vlan-10
SW1(config-vlan)#exit
SW1(config)#vlan 20
SW1(config-vlan)#name vlan-20
SW1(config-vlan)#exit
SW1(config)#int range f0/1 - 2
SW1(config-if-range)#switchport access vlan 10
SW1(config-if-range)#exit
SW1(config)#int range f0/3 - 4
SW1(config-if-range)#switchport access vlan 20
SW1(config-if-range)#exit
SW1(config)#int f0/24
SW1(config-if)#switchport mode trunk
SW1(config-if)#end
SW1#write

SW2:
Switch>en
Switch#config t
Switch(config)#hostname SW2
SW2(config)#vlan 10
SW2(config-vlan)#name vlan-10
SW2(config-vlan)#exit
SW2(config)#vlan 20
SW2(config-vlan)#name vlan-20
SW2(config-vlan)#exit
SW2(config)#int range f0/1 - 2
SW2(config-if-range)#switchport access vlan 10
SW2(config-if-range)#exit
SW2(config)#int range f0/3 - 4
SW2(config-if-range)#switchport access vlan 20
SW2(config-if-range)#exit
SW2(config)#int f0/24
SW2(config-if)#switchport mode trunk
SW2(config-if)#end
SW2#write
Verify VLANs
• Verify Configuration Access and Trunk VLAN
SW1#show vlan brief

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                Fa0/9, Fa0/10, Fa0/11, Fa0/12
                                                Fa0/13, Fa0/14, Fa0/15, Fa0/16
                                                Fa0/17, Fa0/18, Fa0/19, Fa0/20
                                                Fa0/21, Fa0/22, Fa0/23
10   vlan-10                          active    Fa0/1, Fa0/2
20   vlan-20                          active    Fa0/3, Fa0/4
1002 fddi-default                     active
1003 token-ring-default               active
1004 fddinet-default                  active
1005 trnet-default                    active

SW1#show interfaces f0/24 switchport
Name: Fa0/24
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: On
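The show vlan brief output above is easy to read by eye on one switch and tedious on fifty. As an added example that is not part of the slides, here is a small Python parser for that output (it handles the wrapped port lists) plus a check for access ports still sitting in VLAN 1, the default VLAN that also carries the switch's CDP and VTP traffic. The sample text is a constructed copy of the output above, and VLAN names are assumed to contain no spaces.

```python
import re

# Constructed copy of the 'show vlan brief' output shown above (same VLANs and ports).
SHOW_VLAN_BRIEF = """\
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                Fa0/9, Fa0/10, Fa0/11, Fa0/12
                                                Fa0/13, Fa0/14, Fa0/15, Fa0/16
                                                Fa0/17, Fa0/18, Fa0/19, Fa0/20
                                                Fa0/21, Fa0/22, Fa0/23
10   vlan-10                          active    Fa0/1, Fa0/2
20   vlan-20                          active    Fa0/3, Fa0/4
1002 fddi-default                     active
1003 token-ring-default               active
1004 fddinet-default                  active
1005 trnet-default                    active
"""

# A VLAN row starts with the numeric ID; assumes VLAN names contain no spaces.
VLAN_ROW = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s*(.*)$")


def _split_ports(text):
    return [p.strip() for p in text.split(",") if p.strip()]


def parse_show_vlan_brief(text):
    """Return {vlan_id: {"name", "status", "ports"}} from 'show vlan brief'.

    Long port lists wrap onto continuation lines that begin with whitespace,
    so those lines are appended to the VLAN row seen most recently.
    """
    vlans, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith(("VLAN ", "----")):
            continue
        row = VLAN_ROW.match(line)
        if row:
            vid, name, status, ports = row.groups()
            current = vlans[int(vid)] = {"name": name, "status": status,
                                         "ports": _split_ports(ports)}
        elif current is not None and line[0].isspace():
            current["ports"].extend(_split_ports(line))
    return vlans


def port_to_vlan(vlans):
    """Invert the table: access port -> VLAN ID (trunk ports never appear here)."""
    return {port: vid for vid, info in vlans.items() for port in info["ports"]}


def ports_left_in_default_vlan(vlans):
    """Access ports still in VLAN 1. They share the default VLAN with the switch's
    own CDP/VTP traffic and the management SVI, so unused ones are usually moved
    to a dedicated unused-port VLAN and shut down."""
    return list(vlans.get(1, {"ports": []})["ports"])


if __name__ == "__main__":
    table = parse_show_vlan_brief(SHOW_VLAN_BRIEF)
    for vid, info in sorted(table.items()):
        print(f"VLAN {vid:<4} {info['name']:<20} {len(info['ports'])} port(s)")
    print("still in VLAN 1:", ", ".join(ports_left_in_default_vlan(table)))
```

Note that Fa0/24 does not appear in any row: trunk ports are not listed by show vlan brief, which is why the second command above (show interfaces f0/24 switchport) is needed to confirm the trunk. Its "Negotiation of Trunking: On" line means DTP is still active on the port; that is expected on a freshly configured trunk but worth noticing when auditing.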
VLAN Trunking Identification Methods
• Inter-Switch Link (ISL)
• A way of explicitly tagging VLAN information onto an Ethernet frame
• This is proprietary to Cisco switches, and it’s used for Fast Ethernet and
Gigabit Ethernet links only
• IEEE 802.1Q
• Created by the IEEE as a standard method of frame tagging
• If you’re trunking between a Cisco switched link and a different brand of
switch, you’ve got to use 802.1Q for the trunk to work

VLAN Identification Methods
• Inter-Switch Link Protocol (ISL)

VLAN Identification Methods
• 802.1Q Trunking

VLAN Identification Methods
• Native VLAN: the one VLAN whose frames are sent untagged on an 802.1Q trunk; in other
words, native VLAN frames are transmitted unchanged.
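What the 802.1Q tag and the native VLAN rule look like at the byte level, as an added Python example that is not part of the slides: parse_frame() decodes the tag (TPID 0x8100, then priority, DEI and the 12-bit VLAN ID) and maps an untagged frame to the native VLAN, build_frame() inserts a tag, and trunk_egress() applies the sending-side rule that only native VLAN frames leave untagged. The MAC addresses and payload in the sample run are constructed.

```python
import struct
from typing import Optional

TPID_8021Q = 0x8100    # EtherType value that announces an 802.1Q tag follows
ETH_IPV4 = 0x0800


def parse_frame(frame: bytes, native_vlan: int = 1) -> dict:
    """Decode the Ethernet header and the 802.1Q tag if one is present.

    A frame that arrives on a trunk without a tag is assigned the trunk's native
    VLAN (1 by default on IOS): that is the receiving side of "native VLAN frames
    are transmitted unchanged".
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    info = {"dst": dst.hex(":"), "src": src.hex(":")}
    if ethertype != TPID_8021Q:
        info.update(tagged=False, pcp=0, dei=0, vlan=native_vlan,
                    ethertype=ethertype, payload=frame[14:])
        return info
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, inner_type = struct.unpack("!HH", frame[14:18])
    vid = tci & 0x0FFF                      # 12-bit VLAN ID
    if vid in (0, 4095):                    # 0 = priority tag only, 4095 reserved
        raise ValueError(f"reserved VLAN ID {vid}")
    info.update(tagged=True, pcp=tci >> 13, dei=(tci >> 12) & 1, vlan=vid,
                ethertype=inner_type, payload=frame[18:])
    return info


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes,
                vlan: Optional[int] = None, pcp: int = 0) -> bytes:
    """Build an Ethernet frame; vlan=None produces an untagged frame."""
    if vlan is None:
        return dst + src + struct.pack("!H", ethertype) + payload
    if not (1 <= vlan <= 4094 and 0 <= pcp <= 7):
        raise ValueError("VLAN ID must be 1..4094 and PCP 0..7")
    tci = (pcp << 13) | vlan                # DEI bit left at 0
    return dst + src + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload


def trunk_egress(info: dict, native_vlan: int = 1) -> bytes:
    """Re-encode a parsed frame for an 802.1Q trunk: only the native VLAN leaves untagged."""
    dst = bytes.fromhex(info["dst"].replace(":", ""))
    src = bytes.fromhex(info["src"].replace(":", ""))
    vlan = None if info["vlan"] == native_vlan else info["vlan"]
    return build_frame(dst, src, info["ethertype"], info["payload"],
                       vlan=vlan, pcp=info.get("pcp", 0))


if __name__ == "__main__":
    # Constructed sample: broadcast from 00:11:22:33:44:55 in VLAN 20 with priority 5.
    dst, src = bytes.fromhex("ffffffffffff"), bytes.fromhex("001122334455")
    tagged = build_frame(dst, src, ETH_IPV4, b"\x45" + b"\x00" * 19, vlan=20, pcp=5)
    print(parse_frame(tagged))
    print(parse_frame(build_frame(dst, src, ETH_IPV4, b"\x45")))   # untagged -> native VLAN 1
```

Because an untagged frame is silently mapped to the native VLAN, both ends of a trunk must agree on which VLAN that is; a mismatch quietly merges two VLANs. For that reason production trunks usually set the native VLAN to an ID no access port uses rather than leaving it at VLAN 1.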

Native VLAN Configuration
• Sample Configuration Native VLAN

SW1:
SW1#config t
SW1(config)#vlan 1
SW1(config-vlan)#name native
Default VLAN 1 may not have its name changed.
SW1(config-vlan)#exit
SW1(config)#interface vlan 1
SW1(config-if)#ip add 10.10.10.1 255.255.255.0
SW1(config-if)#no shut
SW1(config-if)#end

SW2:
SW2#config t
SW2(config)#vlan 1
SW2(config-vlan)#name native
Default VLAN 1 may not have its name changed.
SW2(config-vlan)#exit
SW2(config)#int vlan 1
SW2(config-if)#ip add 10.10.10.2 255.255.255.0
SW2(config-if)#no shut
SW2(config-if)#end

SW2#ping 10.10.10.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/0/0 ms
VLAN Trunking Protocol (VTP)

VLAN Trunking Protocol (VTP)
• VLAN Trunking Protocol (VTP) is a protocol used to manage all configured
VLANs across a switched internetwork
• VTP allows you to add, delete, and rename VLANs—information that
is then propagated to all other switches in the VTP domain
• Some of the cool features of VTP
• Consistent VLAN configuration across all switches in the network
• VLAN trunking over mixed networks
• Accurate tracking and monitoring of VLANs
• Dynamic reporting of added VLANs to all switches in the VTP domain
• Plug and Play VLAN adding

VTP Modes of Operation

VTP Modes of Operation
• Server
• This is the default mode for all Catalyst switches
• You need at least one server in your VTP domain to propagate VLAN information throughout that domain
• Able to create, add, and delete VLANs in a VTP domain
• VLAN configurations are saved in NVRAM
• Client
• Receives VLAN information from VTP servers
• Can’t create, change, or delete VLANs
• VLAN information sent from a VTP server isn’t stored in NVRAM
• Transparent
• Switches in transparent mode don’t participate in the VTP domain or share its VLAN database
• They still forward VTP advertisements through any configured trunk links
• They can create, modify, and delete VLANs because they keep their own database
VTP Modes of Operation

VTP Modes of Operation

• VTP advertisements are sent as multicast frames


• VTP servers and clients are synchronized to the latest revision number
• VTP advertisements are sent every 5 minutes or when there is a change

VTP Pruning

• Increases available bandwidth by reducing unnecessary flooded traffic


• Example: Station A sends broadcast, and broadcast is flooded only
toward any switch with ports assigned to the red VLAN

VTP Configuration Guidelines

• VTP domain name


• VTP mode (server/client/transparent)—VTP server mode is the default
• VTP pruning
• VTP password
• VTP trap
Use caution when adding a new switch to an existing domain. Add a new
switch in client mode to prevent the new switch from propagating incorrect
VLAN information.
Use the delete vtp command to reset the VTP revision number.

VLAN Trunking Protocol (VTP)
• Creating a VTP Domain
wg_sw_2950#config t
wg_sw_2950(config)#vtp [ server | client | transparent ]
wg_sw_2950(config)#vtp domain domain-name
wg_sw_2950(config)#vtp password password
wg_sw_2950(config)#vtp pruning
wg_sw_2950(config)#snmp-server enable traps vtp
wg_sw_2950(config)#exit

VLAN Trunking Protocol (VTP)
• VTP Configuration Example
wg_sw_1900(config)#vtp transparent
wg_sw_1900(config)#vtp domain switchlab pruning enable
wg_sw_1900(config)#exit
wg_sw_1900#show vtp
VTP version: 1
Configuration revision: 4
Maximum VLANs supported locally: 1005
Number of existing VLANs: 6
VTP domain name : switchlab
VTP password :
VTP operating mode : Transparent
VTP pruning mode : Enabled
VTP traps generation : Enabled
Configuration last modified by: 0.0.0.0 at 00-00-0000 00:00:00
wg_sw_1900#config terminal
wg_sw_1900(config)#interface f0/26
wg_sw_1900(config-if)#trunk on desirable
wg_sw_1900(config-if)#exit
wg_sw_1900(config)#exit
wg_sw_1900#show trunk A
DISL state: On, Trunking: On, Encapsulation type: ISL
Routing between VLANs

Routing between VLANs
• The devices in a VLAN need to be in the same subnet
• Layer 2 switches will not forward data between two VLANs

Routing Between Two VLANs on Two Physical Interfaces

Routing Between Two VLANs Using a Trunk
• Known as router-on-a-stick (ROAS)
• A much less expensive (and much preferred) option uses a VLAN trunk between the
switch and router
• Requires only one physical link between the router and switch, while supporting all VLANs
• Trunking can work between any two devices that choose to support it: between two
switches, between a router and a switch, or even between server hardware and a switch

Routing Packets with a Layer 3 Switch

• Vendors combined Layer 2 LAN switching with Layer 3 routing in a single product, creating
Layer 3 switches (also known as multilayer switches)
• They can be configured to act only as a Layer 2 switch, or they can be
configured to do both Layer 2 switching and Layer 3 routing

Routing between VLANs
Example 1
• Example Topology 1

Routing between VLANs
Example 1
• Example Configuration 1
Sydney(config)#interface FastEthernet 0/0.1
Sydney(config-subif)#description Management VLAN1
Sydney(config-subif)#encapsulation dot1q 1
Sydney(config-subif)#ip address 192.168.1.1 255.255.255.0

Sydney(config)#interface FastEthernet 0/0.2
Sydney(config-subif)#description Accounting VLAN2
Sydney(config-subif)#encapsulation dot1q 2
Sydney(config-subif)#ip address 192.168.2.1 255.255.255.0

Sydney(config)#interface FastEthernet 0/0.3
Sydney(config-subif)#description Accounting VLAN3
Sydney(config-subif)#encapsulation dot1q 3
Sydney(config-subif)#ip address 192.168.3.1 255.255.255.0

Routing between VLANs
Example 2
• Example Topology & Configuration 2
2960#config t
2960(config)#interface fa0/1
2960(config-if)#switchport mode trunk

Routing between VLANs
Example 3
• Example Topology 3

Routing between VLANs
Example 3
• Example Configuration 3

2960:
2960#config t
2960(config)#int f0/1
2960(config-if)#switchport mode trunk
2960(config-if)#int f0/2
2960(config-if)#switchport access vlan 1
2960(config-if)#int f0/3
2960(config-if)#switchport access vlan 1
2960(config-if)#int f0/4
2960(config-if)#switchport access vlan 3
2960(config-if)#int f0/5
2960(config-if)#switchport access vlan 3
2960(config-if)#int f0/6
2960(config-if)#switchport access vlan 2

ISR:
ISR#config t
ISR(config)#int f0/0
ISR(config-if)#no ip address
ISR(config-if)#no shutdown
ISR(config-if)#int f0/0.1
ISR(config-subif)#encapsulation dot1q 1
ISR(config-subif)#ip address 192.168.10.17 255.255.255.240
ISR(config-subif)#int f0/0.2
ISR(config-subif)#encapsulation dot1q 2
ISR(config-subif)#ip address 192.168.10.33 255.255.255.240
ISR(config-subif)#int f0/0.3
ISR(config-subif)#encapsulation dot1q 3
ISR(config-subif)#ip address 192.168.10.49 255.255.255.240

Routing between VLANs
Example 4
• Example Topology & Configuration 4
2960#config t
2960(config)#int f0/1
2960(config-if)#switchport mode trunk
2960(config-if)#int f0/2
2960(config-if)#switchport access vlan 1
2960(config-if)#int f0/3
2960(config-if)#switchport access vlan 2

ISR#config t
ISR(config)#int f0/0
ISR(config-if)#no ip address
ISR(config-if)#no shutdown
ISR(config-if)#int f0/0.1
ISR(config-subif)#encapsulation dot1q 1
ISR(config-subif)#ip address 172.16.10.1 255.255.255.128
ISR(config-subif)#int f0/0.2
ISR(config-subif)#encapsulation dot1q 2
ISR(config-subif)#ip address 172.16.10.254 255.255.255.128
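A consistency check for router-on-a-stick configurations, added here as an example (not part of the slides and not IOS code): parse_subinterfaces() reads the router-side lines of Example 3 and Example 4 above, vlan_subnets() derives the subnet each VLAN is routed for, and lint_roas() flags the mistakes that silently break inter-VLAN routing: a subinterface with no encapsulation or no address, the same VLAN on two subinterfaces, a gateway address that is the network or broadcast address, and overlapping subnets. BROKEN is a constructed config that contains two of those mistakes; the hostname R1 and interface g0/0 in it are hypothetical.

```python
import re
from ipaddress import ip_interface

# Router-side lines copied from Example 3 and Example 4 above.
EXAMPLE3_ISR = """
ISR(config)#int f0/0
ISR(config-if)#no ip address
ISR(config-if)#no shutdown
ISR(config-if)#int f0/0.1
ISR(config-subif)#encapsulation dot1q 1
ISR(config-subif)#ip address 192.168.10.17 255.255.255.240
ISR(config-subif)#int f0/0.2
ISR(config-subif)#encapsulation dot1q 2
ISR(config-subif)#ip address 192.168.10.33 255.255.255.240
ISR(config-subif)#int f0/0.3
ISR(config-subif)#encapsulation dot1q 3
ISR(config-subif)#ip address 192.168.10.49 255.255.255.240
"""
EXAMPLE4_ISR = """
ISR(config-if)#int f0/0.1
ISR(config-subif)#encapsulation dot1q 1
ISR(config-subif)#ip address 172.16.10.1 255.255.255.128
ISR(config-subif)#int f0/0.2
ISR(config-subif)#encapsulation dot1q 2
ISR(config-subif)#ip address 172.16.10.254 255.255.255.128
"""
# Constructed (hypothetical) config with two mistakes the linter should catch:
# VLAN 10 bound twice, and 10.0.0.0/24 overlapping 10.0.0.128/25.
BROKEN = """
R1(config)#int g0/0.10
R1(config-subif)#encapsulation dot1q 10
R1(config-subif)#ip address 10.0.0.1 255.255.255.0
R1(config-subif)#int g0/0.20
R1(config-subif)#encapsulation dot1q 10
R1(config-subif)#ip address 10.0.0.129 255.255.255.128
"""

SUBIF = re.compile(r"#int(?:erface)?\s+(\S+\.\d+)$")      # e.g. "#int f0/0.1"
ANY_INT = re.compile(r"#int(?:erface)?\s")                # any interface command
ENCAP = re.compile(r"#encapsulation dot1q\s+(\d+)(\s+native)?$")
ADDR = re.compile(r"#ip address\s+(\S+)\s+(\S+)$")


def parse_subinterfaces(cli_text):
    """Collect {subif, vlan, native, address} for each dot1q subinterface typed at the CLI."""
    subifs, cur = [], None
    for raw in cli_text.splitlines():
        line = raw.strip()
        if m := SUBIF.search(line):
            cur = {"subif": m.group(1), "vlan": None, "native": False, "address": None}
            subifs.append(cur)
        elif ANY_INT.search(line):
            cur = None                      # physical interface: stop attributing lines to a subif
        elif cur and (m := ENCAP.search(line)):
            cur["vlan"], cur["native"] = int(m.group(1)), bool(m.group(2))
        elif cur and (m := ADDR.search(line)):
            cur["address"] = ip_interface(f"{m.group(1)}/{m.group(2)}")   # accepts dotted masks
    return subifs


def vlan_subnets(subifs):
    """VLAN ID -> subnet string, for the subinterfaces that are fully configured."""
    return {s["vlan"]: str(s["address"].network)
            for s in subifs if s["vlan"] is not None and s["address"] is not None}


def lint_roas(subifs):
    """Return human-readable problems; an empty list means the ROAS config is consistent."""
    issues, vlan_owner = [], {}
    for s in subifs:
        if s["vlan"] is None:
            issues.append(f"{s['subif']}: missing 'encapsulation dot1q', carries no VLAN")
            continue
        if s["address"] is None:
            issues.append(f"{s['subif']}: no IP address, VLAN {s['vlan']} has no gateway")
            continue
        if s["vlan"] in vlan_owner:
            issues.append(f"{s['subif']}: VLAN {s['vlan']} already used by {vlan_owner[s['vlan']]}")
        vlan_owner.setdefault(s["vlan"], s["subif"])
        net = s["address"].network
        if s["address"].ip in (net.network_address, net.broadcast_address):
            issues.append(f"{s['subif']}: {s['address'].ip} is not a usable host address in {net}")
    done = [s for s in subifs if s["vlan"] is not None and s["address"] is not None]
    for i, a in enumerate(done):
        for b in done[i + 1:]:
            if a["address"].network.overlaps(b["address"].network):
                issues.append(f"{a['subif']} and {b['subif']}: subnets "
                              f"{a['address'].network} and {b['address'].network} overlap")
    return issues


if __name__ == "__main__":
    for label, cfg in (("Example 3", EXAMPLE3_ISR), ("Example 4", EXAMPLE4_ISR), ("BROKEN", BROKEN)):
        parsed = parse_subinterfaces(cfg)
        print(label, vlan_subnets(parsed), lint_roas(parsed) or "OK")
```

The same parser shows at a glance that Example 3 carves 192.168.10.0 into three /28 subnets (one per VLAN) and Example 4 splits 172.16.10.0 into two /25 halves, which is the "devices in a VLAN need to be in the same subnet" rule from the slide applied in reverse: one subinterface, one VLAN, one subnet.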

Troubleshooting Switched LANs

Troubleshooting Switched LANs

Dynamic Host Configuration Protocol

Dynamic Host Configuration Protocol
(DHCP)
• Defined in RFC 2131
• Provides a framework for passing configuration information to hosts
on a TCP/IP network
• Adding the capability of automatic allocation of reusable network
addresses and additional configuration options
• DHCP is built on a client-server model, where designated DHCP server
hosts allocate network addresses and deliver configuration
parameters to dynamically configured hosts

DHCP process
• The DHCP process to lease an IP address uses the following four
messages between the client and server.
• Discover: Sent by the DHCP client to find a willing DHCP server
• Offer: Sent by a DHCP server to offer to lease to that client a specific IP
address (and inform the client of its other parameters)
• Request: Sent by the DHCP client to ask the server to lease the IPv4 address
listed in the Offer message
• Acknowledgment: Sent by the DHCP server to assign the address, and to list
the mask, default router, and DNS server IP addresses

DHCP process
• DHCP clients, however, have a somewhat unique problem: they do
not have an IP address yet, but they need to send IP packets. To make
that work, DHCP messages make use of two special IPv4 addresses
that allow a host that has no IP address to still send and
receive messages on the local subnet:
• 0.0.0.0: An address reserved for use as the source IPv4 address of hosts that do
not yet have an IP address
• 255.255.255.255: The local broadcast IP address. Packets sent to this
destination address are broadcast on the local data link, but routers do not
forward them.

DHCP Discover and Offer

DHCP Relay
• Supporting DHCP for Remote Subnets with DHCP Relay
• A centralized DHCP server approach has advantages for the control and
configuration of all the IPv4 addresses assigned throughout the
enterprise
• To make that work, the routers connected to the remote LAN subnets
need an interface subcommand: the ip helper-address
server-ip command.

IP Helper Address Effect
• Watch for incoming DHCP messages, with destination IP address 255.255.255.255
• Change that packet’s source IP address to the router’s incoming interface IP address
• Change that packet’s destination IP address to the address of the DHCP server
• Route the packet to the DHCP server
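The four-message lease from the DHCP process slides and the helper-address rewrite from the slide above, modelled in Python as an added example (not part of the slides and not IOS code): build() and parse() encode the RFC 2131 header and option list, DhcpServer leases from a pool, relay() applies the four steps listed above, and client_lease() runs Discover/Offer/Request/Ack for a host that starts at source 0.0.0.0 and destination 255.255.255.255. All addresses and MACs are constructed. One detail the slide does not spell out is included because the server depends on it: the relay also writes its interface address into the giaddr field, which is how the server knows which subnet to lease from and where to send the reply.

```python
import struct
from ipaddress import IPv4Address

DISCOVER, OFFER, REQUEST, ACK = 1, 2, 3, 5      # option 53 message types (RFC 2132)
BOOTREQUEST, BOOTREPLY = 1, 2                   # 'op' field: client -> server, server -> client
HDR = "!BBBBIHH4s4s4s4s16s64s128s"              # fixed BOOTP/DHCP header: 236 bytes
COOKIE = b"\x63\x82\x53\x63"                    # magic cookie that precedes the options
UNSPEC, BROADCAST = "0.0.0.0", "255.255.255.255"


def _ip(addr):
    return IPv4Address(addr).packed


def build(op, xid, mac, msg_type, yiaddr=UNSPEC, giaddr=UNSPEC, opts=()):
    """Encode one DHCP message; opts is an iterable of (option code, raw bytes)."""
    hdr = struct.pack(HDR, op, 1, 6, 0, xid, 0, 0x8000, _ip(UNSPEC), _ip(yiaddr),
                      _ip(UNSPEC), _ip(giaddr), mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    body = bytes([53, 1, msg_type]) + b"".join(bytes([c, len(v)]) + v for c, v in opts)
    return hdr + COOKIE + body + b"\xff"


def parse(pkt):
    """Decode the header fields this example needs plus the TLV option list."""
    f = struct.unpack(HDR, pkt[:236])
    if pkt[236:240] != COOKIE:
        raise ValueError("not a DHCP message")
    opts, i = {}, 240
    while i < len(pkt) and pkt[i] != 255:       # 255 = End option
        if pkt[i] == 0:                         # 0 = Pad option, has no length byte
            i += 1
            continue
        code, length = pkt[i], pkt[i + 1]
        opts[code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": f[0], "xid": f[4], "yiaddr": str(IPv4Address(f[8])),
            "giaddr": str(IPv4Address(f[10])), "chaddr": f[11][:6],
            "type": opts[53][0], "opts": opts}


def relay(ip_pkt, router_if_ip, helper_ip):
    """The 'ip helper-address' effect from the slide: a DHCP broadcast arriving on the
    LAN interface becomes a unicast to the server, sourced from the router's interface
    address; giaddr is set so the server knows which subnet to lease from."""
    if ip_pkt["dst"] != BROADCAST:
        return ip_pkt
    m = parse(ip_pkt["payload"])
    payload = ip_pkt["payload"]
    if m["giaddr"] == UNSPEC:                    # first relay hop stamps its address
        keep = [(c, v) for c, v in m["opts"].items() if c != 53]
        payload = build(m["op"], m["xid"], m["chaddr"], m["type"], giaddr=router_if_ip, opts=keep)
    return {"src": router_if_ip, "dst": helper_ip, "payload": payload}


class DhcpServer:
    """Hands out addresses from a pool; replies go to giaddr when a relay is involved."""
    def __init__(self, ip, pool, mask, router, dns, lease_seconds=86400):
        self.ip, self.pool, self.offers = ip, list(pool), {}
        self.params = [(1, _ip(mask)), (3, _ip(router)), (6, _ip(dns)),
                       (51, struct.pack("!I", lease_seconds)), (54, _ip(ip))]

    def handle(self, ip_pkt):
        m = parse(ip_pkt["payload"])
        if m["type"] == DISCOVER:
            if m["chaddr"] not in self.offers:
                self.offers[m["chaddr"]] = self.pool.pop(0)
            reply = OFFER
        elif m["type"] == REQUEST and m["opts"].get(54) == _ip(self.ip) and m["chaddr"] in self.offers:
            reply = ACK
        else:
            return None                          # REQUEST meant for another server, or unknown type
        payload = build(BOOTREPLY, m["xid"], m["chaddr"], reply,
                        yiaddr=self.offers[m["chaddr"]], giaddr=m["giaddr"], opts=self.params)
        dst = m["giaddr"] if m["giaddr"] != UNSPEC else BROADCAST
        return {"src": self.ip, "dst": dst, "payload": payload}


def client_lease(mac, server, relay_if=None, helper=None, xid=0x3903F326):
    """Run Discover/Offer/Request/Ack for one client; returns what the client learned."""
    def exchange(msg_type, opts=()):
        pkt = {"src": UNSPEC, "dst": BROADCAST,          # no address yet: 0.0.0.0 to broadcast
               "payload": build(BOOTREQUEST, xid, mac, msg_type, opts=opts)}
        if relay_if:
            pkt = relay(pkt, relay_if, helper)
        return server.handle(pkt)
    offer = parse(exchange(DISCOVER)["payload"])
    ack_pkt = exchange(REQUEST, [(50, _ip(offer["yiaddr"])), (54, offer["opts"][54])])
    ack = parse(ack_pkt["payload"])
    o = ack["opts"]
    return {"ip": ack["yiaddr"], "mask": str(IPv4Address(o[1])), "router": str(IPv4Address(o[3])),
            "dns": str(IPv4Address(o[6])), "reply_sent_to": ack_pkt["dst"]}


if __name__ == "__main__":
    # Constructed topology: server 10.1.1.10, client subnet 192.168.2.0/24 behind a router
    # whose LAN interface is 192.168.2.1 and carries 'ip helper-address 10.1.1.10'.
    srv = DhcpServer("10.1.1.10", ["192.168.2.50", "192.168.2.51"],
                     "255.255.255.0", "192.168.2.1", "192.0.2.53")
    print(client_lease(b"\x00\x11\x22\x33\x44\x55", srv, relay_if="192.168.2.1", helper="10.1.1.10"))
```

With the relay in the path the server's reply is addressed to 192.168.2.1, the router interface, rather than broadcast; without a relay (call client_lease() with relay_if=None) the reply goes to 255.255.255.255 on the local link, which is the plain case from the DHCP process slides.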

Listing the Current Helper Address

Message Returned from the DHCP Server

Information Stored at the DHCP Server
• Subnet ID and mask: The DHCP server can use this information to
know all addresses in the subnet
• Reserved (excluded) addresses: The server needs to know which
addresses in the subnet to not lease
• Default router(s): This is the IP address of the router on that subnet
• DNS IP address(es): This is a list of DNS server IP addresses

DHCP Server Configuration on Routers
• Use the ip dhcp excluded-address first last command in global
configuration mode to list addresses that should be excluded (that is, not leased by
DHCP)
• Use the ip dhcp pool name command in global configuration mode to both
create a DHCP pool for a subnet and to navigate into DHCP pool configuration mode
• Use the network command to define the subnet for this pool
• Use the default-router command to define default router IP address(es) in that subnet
• Use the dns-server command to define the list of DNS server IP addresses used by hosts
in this subnet
• Use the lease command to define the length of the lease, in days, hours, and minutes
• Use the domain-name command to define the DNS domain name
• Use the next-server command to define the TFTP server IP address used by any hosts
(like phones) that need a TFTP server
DHCP Server Configuration Example

DHCP Snooping
• DHCP snooping is a Layer 2 security technology built into the
operating system of a capable network switch that drops DHCP traffic
determined to be unacceptable
• The fundamental use case for DHCP snooping is to prevent
unauthorized (rogue) DHCP servers from offering IP addresses to DHCP
clients
• DHCP snooping must be done on a device that sits between devices in
the same VLAN, which is the role of a Layer 2 switch rather than a
Layer 3 switch or router.
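The drop decision described above, worked through in Python as an added example (not part of the slides and not any switch's implementation): a DhcpSnoopingSwitch accepts server messages (Offer, Ack, Nak) only on ports marked trusted, requires the chaddr inside client messages on untrusted ports to match the frame's source MAC, and builds a binding table from the Acks it forwards, which it then uses to reject a Release arriving on a port other than the one the lease was issued to. Port names, MAC addresses and the event list are constructed.

```python
from dataclasses import dataclass

SERVER_MESSAGES = {"OFFER", "ACK", "NAK"}          # only a DHCP server legitimately sends these


@dataclass
class DhcpEvent:
    """One DHCP message as seen at switch ingress (constructed test record)."""
    port: str
    vlan: int
    src_mac: str        # Ethernet source address of the frame
    chaddr: str         # client hardware address claimed inside the DHCP message
    msg_type: str
    yiaddr: str = "0.0.0.0"


class DhcpSnoopingSwitch:
    """Port-level DHCP snooping: server messages are accepted only on trusted ports
    (the uplink toward the real server or relay); leases seen in forwarded ACKs
    populate a binding table keyed by client MAC and VLAN."""

    def __init__(self, trusted_ports, snooping_vlans):
        self.trusted = set(trusted_ports)
        self.vlans = set(snooping_vlans)
        self.pending = {}       # (chaddr, vlan) -> port where the client's DISCOVER/REQUEST arrived
        self.bindings = {}      # (chaddr, vlan) -> (leased ip, client port)
        self.log = []

    def ingress(self, ev):
        """Return "forward" or "drop" for one message and update the tables."""
        if ev.vlan not in self.vlans:
            return "forward"                        # snooping not enabled on this VLAN
        if ev.port not in self.trusted:
            if ev.msg_type in SERVER_MESSAGES:
                self.log.append(f"drop {ev.msg_type} on untrusted {ev.port}: rogue server candidate")
                return "drop"
            if ev.src_mac.lower() != ev.chaddr.lower():
                self.log.append(f"drop {ev.msg_type} on {ev.port}: chaddr {ev.chaddr} "
                                f"does not match source MAC {ev.src_mac}")
                return "drop"
            bound_port = self.bindings.get((ev.chaddr, ev.vlan), (None, None))[1]
            if ev.msg_type == "RELEASE" and bound_port != ev.port:
                self.log.append(f"drop RELEASE on {ev.port}: {ev.chaddr} was not leased on that port")
                return "drop"
        key = (ev.chaddr, ev.vlan)
        if ev.msg_type in ("DISCOVER", "REQUEST"):
            self.pending[key] = ev.port
        elif ev.msg_type == "ACK" and key in self.pending:
            self.bindings[key] = (ev.yiaddr, self.pending.pop(key))
        elif ev.msg_type == "RELEASE":
            self.bindings.pop(key, None)
        return "forward"


def run_sample():
    """Constructed sequence: a legitimate lease on Fa0/3 via trusted uplink Gi0/1, a rogue
    Offer from an access port, and a spoofed Release from a third port."""
    sw = DhcpSnoopingSwitch(trusted_ports={"Gi0/1"}, snooping_vlans={10})
    client, server = "00:11:22:33:44:55", "00:00:5e:00:53:01"
    rogue = "00:00:5e:00:53:02"
    events = [
        DhcpEvent("Fa0/3", 10, client, client, "DISCOVER"),
        DhcpEvent("Fa0/7", 10, rogue, client, "OFFER", "10.10.10.200"),    # rogue server on access port
        DhcpEvent("Gi0/1", 10, server, client, "OFFER", "10.10.10.50"),
        DhcpEvent("Fa0/3", 10, client, client, "REQUEST"),
        DhcpEvent("Gi0/1", 10, server, client, "ACK", "10.10.10.50"),
        DhcpEvent("Fa0/9", 10, client, client, "RELEASE"),                 # release from the wrong port
    ]
    return [sw.ingress(e) for e in events], sw


if __name__ == "__main__":
    decisions, sw = run_sample()
    print(decisions)
    print(sw.bindings)
    print("\n".join(sw.log))
```

The two drops in the sample are the two failure modes the slide is about: a server message from a port that is not the uplink, and a client message whose claims do not match what the switch itself observed. On Cisco switches the trusted-port marking is the ip dhcp snooping trust interface command, applied to the uplink only.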

