VLAN

VLAN means Virtual LAN. In practice one VLAN corresponds to one IP subnet: a VLAN is a single Layer 2 broadcast domain, and the hosts inside it share one subnet.
Computers connected to the same switch cannot necessarily communicate with each other; they must be in the same VLAN (subnet). For computers in different networks (subnets/VLANs) to communicate, a Layer 3 device (a router or a Layer 3 switch) is needed. Note that an internetwork can also be built without VLANs, by using a separate physical switch per subnet.


VLAN advantages:
-Security: frames cannot cross from one VLAN to another unless a Layer 3 device routes them, so sensitive hosts can be kept out of the broadcast domain that everyone else is in. This only holds as long as trunk links and the native VLAN are configured deliberately (see the trunk and common error sections below).
-Higher performance: each VLAN is a separate broadcast domain, so a host that is not logically in the same VLAN does not receive its broadcast traffic.
-Improved IT staff efficiency: VLANs group devices with a similar function or policy into one network, which makes them easier to manage and troubleshoot.


VLAN characteristics
-VLAN IDs 1 - 1005 are the normal range (stored in the vlan.dat file in flash memory).
-VLAN 1 and VLANs 1002 - 1005 (1002-1005 are reserved for Token Ring and FDDI VLANs) are created automatically and cannot be removed.
-VLAN IDs 1006 - 4094 are the extended range, designed for service providers (stored in the running configuration file rather than in vlan.dat).

VLAN types
Data VLAN : carries traffic generated by users. It is common practice to separate voice traffic and management traffic from user data traffic.
Default VLAN : the VLAN every port belongs to when the switch boots with its factory configuration. All devices connected to such ports can communicate with each other and share one broadcast domain. On Cisco switches this is VLAN 1, and it cannot be renamed or deleted. Security best practice is therefore not to use VLAN 1 for user data, for management or as the native VLAN: assign access ports to other VLANs and leave VLAN 1 unused.
Native VLAN : assigned to a trunk port. According to IEEE 802.1Q, the native VLAN exists to maintain backward compatibility with untagged traffic (legacy LAN scenarios). For our purposes the native VLAN is a common identifier that must match on both ends of a trunk link. Best practice is to set the native VLAN to something other than VLAN 1, ideally an otherwise unused VLAN.
Management VLAN : used by administrators to connect to the switch. A switch is a Layer 2 device, so to reach it remotely we create a switch virtual interface (SVI) for the management VLAN and assign an IP address to that interface. Because traffic is forwarded only within its own VLAN, a computer attached to a port in another VLAN cannot reach the management VLAN directly (only through a router, where an ACL can restrict who gets in).
Voice VLAN : a separate VLAN for voice traffic, which requires low latency. Voice frames are tagged with the voice VLAN ID. This works because a Cisco IP phone contains a small switch: it learns the voice VLAN from the switch it is connected to (via CDP), tags its own voice frames and prioritizes voice traffic over the data from the PC plugged into the phone.

Switchport membership modes
Static mode : the administrator manually assigns the port to a VLAN.
Dynamic mode : the port's VLAN is assigned by a VMPS (VLAN Membership Policy Server) based on the MAC address of the device connected to the port (legacy, rarely used today).
Voice VLAN : a port can carry both a data VLAN and a voice VLAN when an IP phone is connected to it. Example configuration for the port connected to an IP phone:

interface FastEthernet0/18
 ! trust the CoS marking the phone puts on its voice frames
 mls qos trust cos
 ! voice traffic from the phone is tagged with VLAN 150
 switchport voice vlan 150
 ! static access port: no DTP trunk negotiation on a user-facing port
 switchport mode access
 ! untagged data traffic from the PC behind the phone goes to VLAN 20
 switchport access vlan 20
end

From the example configuration, the voice VLAN is VLAN 150 and the data VLAN is VLAN 20.


********
TRUNK
********
A trunk link carries traffic from more than one VLAN. A trunk does not belong to a specific VLAN; rather, it is a conduit for VLANs between switches and routers.

ISL is Cisco's legacy trunking protocol; today only IEEE 802.1Q trunking is used.

When a frame is forwarded across a trunk link, extra information is needed so the receiving device knows which VLAN the frame belongs to (an ordinary Ethernet frame carries no VLAN information). This is accomplished by inserting an 802.1Q tag into the frame: a 4-byte field placed between the source MAC address and the original EtherType. The tag consists of the tag protocol identifier (EtherType 0x8100, which marks the frame as tagged) followed by the tag control information: a 3-bit priority (CoS), a 1-bit drop eligible indicator and the 12-bit VLAN ID. Because the frame changed, the switch also recomputes the FCS.

Native Vlan & Trunk in 802.1Q
The native VLAN is the VLAN whose traffic crosses the trunk link untagged (no 802.1Q header is inserted). When a trunk port receives an untagged frame, it forwards it into its PVID (Port VLAN ID), which is the ID of the native VLAN. If a trunk port receives a frame tagged with the native VLAN ID, it drops the frame. Because untagged frames are simply assumed to belong to the native VLAN, the native VLAN must be the same on both ends of a trunk; otherwise frames from one VLAN silently land in another.


to configure the native VLAN on a trunk port (interface configuration level)

switchport trunk native vlan vlan-id

vlan-id : ID of the VLAN that will be the native VLAN (it must match the other end of the trunk and should not be VLAN 1)
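The tagging and native VLAN behaviour described above, together with the allowed VLAN list and the native VLAN mismatch discussed later on this page, as an added Python model. This is example code written for this page, not code from the original post and not Cisco IOS; the frame bytes, VLAN numbers and the TrunkPort class are constructed for the illustration, and the rule that a frame tagged with the native VLAN ID is dropped follows the page's description of Cisco switch behaviour.

```python
"""Toy model of 802.1Q tagging and trunk-port forwarding (added example).

Modelled behaviour, following the page:
  - the 4-byte 802.1Q tag sits after the source MAC: TPID 0x8100, then the
    TCI (3-bit PCP, 1-bit DEI, 12-bit VID)
  - trunk egress: the native VLAN leaves untagged, other allowed VLANs are tagged
  - trunk ingress: untagged -> PVID (native VLAN); tagged with the native VID
    -> dropped; VID not in the allowed list -> dropped
Frame bytes and VLAN numbers below are constructed for the example.
"""
import struct

TPID = 0x8100  # EtherType value that marks a frame as 802.1Q tagged


def tag(frame, vid, pcp=0):
    """Insert an 802.1Q tag into an untagged Ethernet frame (FCS not modelled)."""
    if not 1 <= vid <= 4094:
        raise ValueError("VID must be 1-4094")
    tci = ((pcp & 0x7) << 13) | (vid & 0x0FFF)  # DEI bit stays 0
    return frame[:12] + struct.pack("!HH", TPID, tci) + frame[12:]


def untag(frame):
    """Return (vid, frame_without_tag); vid is None if the frame was untagged."""
    if struct.unpack("!H", frame[12:14])[0] != TPID:
        return None, frame
    vid = struct.unpack("!H", frame[14:16])[0] & 0x0FFF
    return vid, frame[:12] + frame[16:]


class TrunkPort:
    """One end of an 802.1Q trunk: native VLAN (PVID) plus allowed VLAN list."""

    def __init__(self, native, allowed):
        self.native = native
        self.allowed = set(allowed)

    def egress(self, vid, frame):
        """Put a frame that belongs to `vid` on the wire; None if pruned."""
        if vid not in self.allowed:
            return None
        if vid == self.native:
            return frame            # native VLAN crosses the trunk untagged
        return tag(frame, vid)

    def ingress(self, wire):
        """Classify a frame arriving from the wire; returns (vid, frame) or None."""
        vid, frame = untag(wire)
        if vid is None:
            vid = self.native       # untagged frame -> PVID
        elif vid == self.native:
            return None             # tagged with the native VID: dropped
        if vid not in self.allowed:
            return None             # not allowed on this trunk: dropped
        return vid, frame


def cross_trunk(sender, receiver, vid, frame):
    """Carry a frame from VLAN `vid` on the sending switch across the trunk.
    Returns the VLAN the receiving switch files it under, or None if dropped."""
    wire = sender.egress(vid, frame)
    if wire is None:
        return None
    result = receiver.ingress(wire)
    return None if result is None else result[0]


# Constructed sample frame: broadcast ARP request, untagged, payload zeroed.
SAMPLE = (bytes.fromhex("ffffffffffff") + bytes.fromhex("001122334455")
          + struct.pack("!H", 0x0806) + bytes(28))


if __name__ == "__main__":
    # Correctly matched trunk: native 99 on both ends, VLANs 10/20/99 allowed.
    a = TrunkPort(native=99, allowed={10, 20, 99})
    b = TrunkPort(native=99, allowed={10, 20, 99})
    print("VLAN 10 ->", cross_trunk(a, b, 10, SAMPLE))   # 10 (tagged on the wire)
    print("VLAN 99 ->", cross_trunk(a, b, 99, SAMPLE))   # 99 (untagged on the wire)
    print("VLAN 30 ->", cross_trunk(a, b, 30, SAMPLE))   # None (not in allowed list)
    # Native VLAN mismatch: switch A uses native 1, switch B uses native 20.
    a1 = TrunkPort(native=1, allowed={1, 20})
    b20 = TrunkPort(native=20, allowed={1, 20})
    print("mismatch, VLAN 1 ->", cross_trunk(a1, b20, 1, SAMPLE))    # 20: misdirected
    print("mismatch, VLAN 20 ->", cross_trunk(a1, b20, 20, SAMPLE))  # None: dropped
```

The mismatch case is the one worth staring at: switch A sends its native VLAN 1 traffic untagged, switch B files every untagged frame under its own native VLAN 20, so VLAN 1 hosts on A end up talking to VLAN 20 hosts on B, while A's VLAN 20 frames arrive tagged with B's native VID and are thrown away.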


Dynamic Trunking Protocol (DTP) is Cisco proprietary; switches from other vendors do not support it. DTP modes:
ON : command "switchport mode trunk". The port sends DTP frames periodically and becomes a trunk port regardless of what the other end is set to.
dynamic auto : command "switchport mode dynamic auto". The port sends DTP frames periodically announcing that it can become a trunk, but it does not ask the other end to form a trunk. The port becomes a trunk only if the other end requests it (mode on or dynamic desirable). Two dynamic auto ports facing each other stay access ports.
dynamic desirable : command "switchport mode dynamic desirable". The port sends DTP frames periodically announcing that it can trunk and asking the other end to trunk. If the other end is able to trunk (mode on, dynamic desirable or dynamic auto), this port becomes a trunk port; if the other end is set to nonegotiate, this port stays an access port, because no DTP reply ever arrives.
nonegotiate : command "switchport nonegotiate". This turns off DTP: no DTP frames are sent, and the port will not become a trunk through DTP negotiation. Combine it with "switchport mode trunk" to establish a static trunk with a switch from another vendor. Security note: dynamic auto or dynamic desirable is the factory default on many Catalyst models, so a device plugged into such a port can negotiate a trunk just by sending DTP frames itself. User-facing ports should be set to "switchport mode access" (permanently non-trunking, whatever the neighbour sends) and trunks should be "switchport mode trunk" plus "switchport nonegotiate".

Enter the command "show dtp interface [interface-id]" to see the DTP mode and status of a port; "show interfaces switchport" shows the administrative and operational mode of every port together with its native VLAN and whether trunk negotiation is on.
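The DTP mode rules above turned into a small checker, plus an audit that reads text in the layout of "show interfaces switchport" and flags ports still open to DTP negotiation and trunks still on native VLAN 1. This is an added Python example written for this page, not code from the original post or from Cisco; the sample output is constructed to match the field names of that command and is not captured from a real switch, and the access/nonegotiate outcomes follow the page's description of each mode.

```python
"""DTP negotiation outcome and a switchport audit (added example).

`dtp_outcome` encodes the DTP rules from the page; `audit_switchports` parses
text in the layout of `show interfaces switchport` and flags ports that the
page's own rules say a connected device could negotiate into a trunk, trunks
that still run DTP, and trunks whose native VLAN is still 1.
SAMPLE_SHOW is constructed for this example, not captured from a real switch.
"""
import re

STATIC_TRUNK = {"trunk", "trunk nonegotiate"}
ACCESS = {"access", "access nonegotiate"}
DYNAMIC = {"dynamic auto", "dynamic desirable"}


def dtp_outcome(local, remote):
    """Return 'trunk', 'access' or 'mismatch' for a link between two port modes."""
    for m in (local, remote):
        if m not in STATIC_TRUNK | ACCESS | DYNAMIC:
            raise ValueError(f"unknown mode {m!r}")
    local_static = local in STATIC_TRUNK
    remote_static = remote in STATIC_TRUNK
    if local_static and remote_static:
        return "trunk"                       # both hard-coded, no DTP needed
    if local_static or remote_static:
        static, other = (local, remote) if local_static else (remote, local)
        if other in ACCESS:
            return "mismatch"                # trunk on one end, access on the other
        # A dynamic port only follows a static trunk that still sends DTP frames.
        return "trunk" if static == "trunk" else "mismatch"
    if local in ACCESS or remote in ACCESS:
        return "access"                      # an access port never negotiates up
    if "dynamic desirable" in (local, remote):
        return "trunk"                       # desirable + desirable/auto
    return "access"                          # auto + auto: nobody asks


def parse_switchports(text):
    """Parse per-port blocks of `show interfaces switchport` into dicts."""
    ports = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(": ")
            if sep:
                fields[key.strip()] = value.strip()
        ports.append({
            "name": fields["Name"],
            "admin_mode": fields["Administrative Mode"],
            "oper_mode": fields["Operational Mode"],
            "dtp_on": fields["Negotiation of Trunking"] == "On",
            "native": int(fields["Trunking Native Mode VLAN"].split()[0]),
        })
    return ports


def audit_switchports(text):
    """Return (port, finding) pairs for DTP-exposed ports and weak trunks."""
    findings = []
    for p in parse_switchports(text):
        if p["admin_mode"] in DYNAMIC:
            findings.append((p["name"], "DTP-negotiable port: a connected device "
                             "sending DTP frames can turn it into a trunk; "
                             "use 'switchport mode access'"))
        if p["oper_mode"] == "trunk":
            if p["dtp_on"]:
                findings.append((p["name"], "trunk still running DTP; "
                                 "add 'switchport nonegotiate'"))
            if p["native"] == 1:
                findings.append((p["name"], "trunk native VLAN is 1; "
                                 "move it to an unused VLAN"))
    return findings


# Constructed sample in the layout of `show interfaces switchport` (not real output).
SAMPLE_SHOW = """\
Name: Fa0/1
Administrative Mode: dynamic auto
Operational Mode: static access
Negotiation of Trunking: On
Access Mode VLAN: 20 (DATA)
Trunking Native Mode VLAN: 1 (default)

Name: Gi0/1
Administrative Mode: trunk
Operational Mode: trunk
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)

Name: Gi0/2
Administrative Mode: trunk
Operational Mode: trunk
Negotiation of Trunking: Off
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 99 (NATIVE)
"""

if __name__ == "__main__":
    for pair in [("dynamic auto", "dynamic auto"), ("dynamic desirable", "dynamic auto"),
                 ("trunk nonegotiate", "dynamic desirable"), ("trunk", "access")]:
        print(pair, "->", dtp_outcome(*pair))
    for port, finding in audit_switchports(SAMPLE_SHOW):
        print(f"{port}: {finding}")
```

On a real switch you would feed the saved output of "show interfaces switchport" into audit_switchports; Fa0/1 in the sample is the interesting case, since it is an access port today but, being dynamic auto, becomes a trunk the moment something on the other end asks.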

******************
VLAN Commands
******************
Creating vlans
There are two ways to create a VLAN on a Cisco Catalyst switch: through VLAN database configuration mode and through global configuration mode. VLAN database mode is being phased out in favor of global configuration.
commands in global configuration level

vlan vlanid
name word


vlanid = number of the VLAN; word = a descriptive name for the VLAN (optional, but recommended so "show vlan brief" is readable)


Deleting a vlan / vlans
to delete a single VLAN use the command (global configuration level)

no vlan vlanid

Ports that were assigned to the deleted VLAN become inactive (they stop forwarding traffic) until they are reassigned to an existing VLAN.

to delete the entire VLAN database (all normal-range VLANs in the vlan.dat file) use the command (privileged EXEC level)

delete flash:vlan.dat

The switch should then be reloaded so that it comes back up with only the default VLANs.


Assigning port to a vlan
first, configure the port as an access port, then assign the VLAN ID to the port. If the VLAN does not exist yet, the switch creates it automatically.
commands in interface configuration level

switchport mode access
switchport access vlan vlanid



Removing port from a vlan
command in interface configuration level. The port goes back to the default VLAN (VLAN 1) and stays in access mode.

no switchport access vlan



Set allowed vlan on a trunk
commands in interface configuration level

switchport trunk allowed vlan vlan-list
switchport trunk allowed vlan add vlan-list

vlan-list : the VLAN IDs that are allowed to pass over this trunk link, written as a comma-separated list or range with no spaces. The first form replaces the whole list; "add" appends to the existing list ("remove" takes VLANs off it). Example
switchport trunk allowed vlan 10,20,30 (allow only VLANs 10, 20 and 30 to pass the trunk link)
By default a trunk allows all VLANs (1-4094). Restricting the list to the VLANs that actually need to cross the trunk is the recommended practice; note that the native VLAN must also be in the list if its traffic is to cross.


************************************
Common Vlan Error Configuration
************************************
Native vlan mismatches : the two ends of a trunk are configured with different native VLANs. This generates console notifications (CDP reports the mismatch), causes control and management traffic to be misdirected (untagged frames from one native VLAN arrive in the other) and, as you have learned, poses a security risk.
Trunk mode mismatches : one end is configured as a trunk and the other end is in a mode that cannot form a trunk (for example access, or dynamic auto on both ends). The trunk does not come up, or comes up on one side only, and traffic between the switches stops.
Allowed Vlans on trunks : the allowed VLAN lists on the two ends of the trunk do not include the VLANs that need to cross it. Unexpected traffic, or no traffic at all, is sent over the trunk.
Vlan on different subnet : every host in the same VLAN must be in the same subnet. A host addressed from another subnet cannot reach its neighbours even though they share the VLAN.


