VLANs: A VLAN is a group of devices on one or more logically segmented LANs. All devices working on a VLAN will have same broadcast domain. Like routers, switches (Layer 2) have the ability to provide domain broadcast segmentation called a VLAN. Using VLAN technology, you can group switch ports and their connected users into logically defined communities of interest. A VLAN operating on a Catalyst switch limits transmission of unicast, multicast, and broadcast traffic to only the other ports belonging to that VLAN, thereby controlling broadcasts.
The benefits of VLANS include:
1. Easy Administration resulting in reduced administration costs,
2. Increased Security due to broadcast control, if you are using simple hub, you can observe traffic corresponding to any node by simply inserting a Network analyzer.
3. Grouping based on functional requirements irrespective of physical location of nodes, Simplify moves, adds, changes,
4. Distribution of traffic thereby using the network bandwidth more efficiently.
You use "show vlan" or "show vlan vlan#" command to see the configuration details of VLANs. The command "sh vlan" will display the configuration information for all VLANs, where as the command "sh vlan vlan#" shows only the configuration information pertaining to that vlan. For example, if you want to see the configuration information for vlan2, you give the command "sh vlan 2"
For communicating between VLANs, you need a layer 3 device. Note that VLANs operate at Layer-2. When the access ports are configured with two distinct VLANs, the switch will not port the frames that belong to a different VLAN.
VTP : VLAN Trunk Protocol (VTP) is a layer 2 protocol that maintains VLAN configurations through a common administrative domain. Configurations are made to a VTP server, and are propagated across trunk lines to all switches in the VTP domain. VTP provides auto-intelligence for configuring switches across the network. A VTP advertisement necessarily consists of "Configuration revision number". Every time a VTP server updates its VLAN information, it increments the configuration revision number by one count. VTP clients, use the revision number to enforce the VLAN configuration Update.
VTP pruning is a technique that enhances the available network bandwidth by reducing the broadcast, multicast, and flooded unicast messages. These frames are not forwarded to network devices that don't have ports associated with a given VLAN. When VTP pruning is enabled, a switch forwards the flooded traffic across a link to another switch, only if that switch has ports associated with that VLAN.
By default, there are no passwords in VTP informational updates, and any switch that has no VTP domain name can join the VTP domain when trunking is enabled. Also any switch that has the same VTP domain name will join and exchange VTP information. This could enable an unwanted switch in your network to manage the VLAN database on each of the switches. To prevent this from occurring, set a VTP password on the switches you want to exchange information.
The command syntax for assigning a management domain for a switch is:
Switch#vtp domain <domain-name>
For example, if the domain name is newyork, the command is:
Switch#vtp domain newyork
You need to create a domain while configuring the first switch in a switch network. For subsequent switches, you only need to join the existing domain. The password is required if the domain need to be secured by a password. The command allows you to create a new domain (in case the first switch is being configured) or to join an existing domain (one or more switches have already been assigned a domain).
The default VTP configuration parameters for the Catalyst switch are as follows:
1. VTP domain name: None
2. VTP mode: Server
3. VTP password: None
4. VTP pruning: Disabled
5. VTP trap: Disabled
The VTP domain name can be specified manually or learned across a configured trunk line from a server with a domain name configured. By default, the domain name is not set. If you configure a VTP password, VTP does not function properly unless you assign the same password to each switch in the domain. VTP trap is disabled by default. If you enable this feature, it causes an SNMP message to be generated every time a new VTP message is sent.
Domain name set on a switch can be known by viewing the VTP Configuration of the switch, so use "show vtp status" command to check the domain name.
The command "show vlan" can be used to know the ports connected to a specific VLAN and by their VLAN name.
For inter-VLAN communication we need a Layer 3 device (like a router)
Communication between different VLANs requires a trunk link to forward traffic normally.
For VLAN database to be exchanged between two switches:
1. The VTP domain name should be same,
2. VTP password must be the same,
3. Trunk links should be configured between the switches (switchport mode trunk), and
4. Atleast one switch should be configured as server and the other switches as server or client to learn vlan database. Server mode is the default on Cisco Catalyst switches.
5. All switches throughout the VTP domain must operate the same VTP version.
6. A Cisco Catalyst switch can belong to only one domain at any given time.
7. VTP messages not intended for a local domain (configured on a Cisco switch) are ignored.
VTP modes: 3 modes the VTP protocol can operate on any switch throughout the network
VTP Server mode: The default mode for all switches supporting VTP. You can create, modify, and delete VLANs and specify other configuration parameters (such as VTP version)for the entire VTP domain.VTP servers advertise their VLAN configurations to other switches in the same VTP domain and synchronize their VLAN configurations with other switches based on advertisements received over trunk links. VLAN configurations are saved in NVRAM.
VTP Client mode: Behaves like a VTP server, but you cannot create, change, or delete VLANs on a VTP client. VLAN configurations are saved in NVRAM.
VTP Transparent Mode: Does not advertise its VLAN configuration and does not synchronize its VLAN configuration based on received advertisements. However, they will forward VTP advertisements as they are received from other switches.
You can create, modify, and delete VLANs on a switch in VTP transparent mode. VLAN configurations are saved in NVRAM, but they are not advertised to other switches.
To verify any configuration change, "show vtp" privileged executive command can be used. This command displays, among other things, VTP domain name, VTP password if any, VTP pruning mode (enabled or disabled) and the IP address of the device that last modified the configuration
VLAN port assignments can be configured either of two ways:
Static and Dynamic VLANs : Static VLANs are also known as Port based VLANs. They are created by assigning ports on a switch to specific VLANs. Any host connected to a given port on a switch is automatically assigned the VLAN of the switch port. The administrator statically configures VLAN port assignment. VLAN memberships on the switch ports are assigned on a port-by-port basis.
Dynamic VLANs: A VMPS (VLAN Management Policy Server) can dynamically assign VLAN ports. The MAC address of the node is used to determine the VLAN assignment. A separate server or a Catalyst 5000 can function as a VMPS server. When a frame arrives on a dynamic port at the switch, it queries the VMPS for the VLAN assignment based on the source MAC address of the arriving frame. On the other hand, in dynamic VLANs, the VLANs are assigned to switch ports using a centralized Policy Server. The policy server will have a mapping of Physical address (like MAC address) of a host to corresponding VLAN. The Policy Server will automatically assign the designated VLAN to the switch port after looking up into the VLAN-MAC address table. Therefore, even if a host is moved from one switch to another, the host will retain the same VLAN. However, dynamic VLANs are considered to be less secure than Static VLANs. For example, an attacker may spoof your Mac address over a wireless LAN and gain access to the company's network.
The following are the advantages of LAN segmentation using VLANs:
1. Segmentation of broadcast domains using VLANs result in creation of more bandwidth per user.
2. Security is provided by isolating users corresponding to different VLANs. Users belonging to one VLAN will not receive frames meant for some other VLAN.
3. LAN segmentation using VLANs can be done based on job function rather than physical location, if required.
The MAC address contains 48 bits expressed as 12 hexadecimal digits. Note that 2 hexadecimal digits represent a byte. Therefore, a MAC address contains 6 bytes. The first 3 bytes represent the manufacturer identification code. The next 3 bytes represent the interface number unique to a given manufacturer. MAC address represents the hardware address and is usually burned into the ROM. A typical MAC address looks like:
xx-xx-xx-xx-xx-xx, where x represents a hexadecimal digit.
Ex: 00-00-0c-12-14-33
Here, 00-00-0c represents the vendor address, and 12-14-33 typically represents the interface serial number. The last 6 hex digits are administered by respective vendors, and unique to a given vendor.