Please enable JavaScript.

Coggle requires JavaScript to display documents.

Chapter 6 VLANs (Troubleshoot VLANs and Trunks (Introduction to…

- - - - If two devices in the same VLAN have different subnet addresses, they cannot communicate.
        
        This is a common problem, and it is easy to solve by identifying the incorrect configuration and changing the subnet address to the correct one.
- - - - The process of forwarding network traffic from one VLAN to another VLAN using routing is known as inter-VLAN routing.
    - - The first solution for inter-VLAN routing relied on routers with multiple physical interfaces. Each interface had to be connected to a separate network and configured with a distinct subnet.
        
        Connecting different physical router interfaces to different physical switch ports.
        
        The switch ports connected to the router are placed in access mode and each physical interface is assigned to a different VLAN.
    - - ‘Router-on-a-stick’ is a type of router configuration in which a single physical interface routes traffic between multiple VLANs on a network.
        
        The router interface is configured to operate as a trunk link and is connected to a switch port that is configured in trunk mode.
        
        The router performs inter-VLAN routing by accepting VLAN-tagged traffic on the trunk interface coming from the adjacent switch, and then, internally routing between the VLANs using subinterfaces
        
        The router then forwards the routed traffic, VLAN-tagged for the destination VLAN, out the same physical interface as it used to receive the traffic.
        
        Subinterfaces are software-based virtual interfaces, associated with a single physical interface. Subinterfaces are configured in software on a router and each subinterface is independently configured with an IP address and VLAN assignment.
  - - - Each interface is also configured with an IPv4 address for the subnet associated with the particular VLAN to which it is connected.
  - - - The subinterface must be configured to operate on a specific VLAN using theencapsulation dot1q vlan_id command.
      - There is a native keyword option that can be appended to this command to set the IEEE 802.1Q native VLAN. In this example, thenativekeyword option was excluded to leave the native VLAN default as VLAN 1.
- - - - VLANs provide segmentation and organizational flexibility, by grouping devices within a LAN based on logical connections
        
        Any switch port can belong to a VLAN, and unicast, broadcast, and multicast packets are forwarded and flooded only to end stations within the VLAN where the packets are sourced
        
        Each VLAN is considered a separate logical network
        
        Packets destined for stations that do not belong to the VLAN must be forwarded through a device that supports routing.
        
        VLANs improve network performance by separating large broadcast domains into smaller ones
        
        Each switch port can be assigned to only one VLAN (with the exception of a port connected to an IP phone or to another switch).
    - - Security - Groups that have sensitive data are separated from the rest of the network.
      - Cost reduction - Cost savings result from reduced need for expensive network upgrades and more efficient use of existing bandwidth and uplinks.
      - Better performance - Dividing flat Layer 2 networks into multiple logical workgroups (broadcast domains) reduces unnecessary traffic on the network and boosts performance.
      - Reduce the size of broadcast domains
      - Improved IT staff efficiency - VLANs make it easier to manage the network because users with similar network requirements share the same VLAN. When a new switch is provisioned, all the policies and procedures already configured for the particular VLAN are implemented when the ports are assigned. It is also easy for the IT staff to identify the function of a VLAN by giving it an appropriate name.
      - Simpler project and application management - VLANs aggregate users and network devices to support business or geographic requirements. Having separate functions makes managing a project or working with a specialized application easier; an example of such an application is an e-learning development platform for faculty.
    - - Data VLAN
        
        It is a VLAN that is configured to carry user-generated traffic.
        
        A VLAN carrying voice or management traffic would not be a data VLAN.
        
        It is common practice to separate voice and management traffic from data traffic. A data VLAN is sometimes referred to as a user VLAN. Data VLANs are used to separate the network into groups of users or devices.
      - Default VLAN
        
        All switch ports become a part of the default VLAN after the initial boot up of a switch loading the default configuration.
        
        The default VLAN for Cisco switches is VLAN 1.
        
        The show vlan brief command shows the switch running the default configuration.
        
        VLAN 1 has all the features of any VLAN, except it cannot be renamed or deleted. By default, all Layer 2 control traffic is associated with VLAN 1.
      - Native VLAN
        
        A native VLAN is assigned to an 802.1Q trunk port.
        
        Trunk ports are the links between switches that support the transmission of traffic associated with more than one VLAN.
        
        Tagged traffic refers to traffic that has a 4-byte tag inserted within the original Ethernet frame header, specifying the VLAN to which the frame belongs.
        
        The 802.1Q trunk port places untagged traffic on the native VLAN, which by default is VLAN 1.
        
        An 802.1Q trunk port supports traffic coming from many VLANs (tagged traffic) as well as traffic that does not come from a VLAN (untagged traffic)
    - - A separate VLAN is needed to support Voice over IP (VoIP). VoIP traffic requires:
        
        Assured bandwidth to ensure voice quality
        
        Transmission priority over other types of network traffic
        
        Ability to be routed around congested areas on the network
        
        Delay of less than 150 ms across the network
  - - - A trunk is a point-to-point link between two network devices that carries more than one VLAN.
        
        VLAN trunks allow all VLAN traffic to propagate between switches, so that devices which are in the same VLAN, but connected to different switches, can communicate without the intervention of a router.
        
        A VLAN trunk does not belong to a specific VLAN
    - - The standard Ethernet frame header does not contain information about the VLAN to which the frame belongs
        
        when Ethernet frames are placed on a trunk, information about the VLANs to which they belong must be added.
        
        This process, called tagging, is accomplished by using the IEEE 802.1Q header, specified in the IEEE 802.1Q standard.
        
        The 802.1Q header includes a 4-byte tag inserted within the original Ethernet frame header, specifying the VLAN to which the frame belongs.
        
        When the switch receives a frame on a port configured in access mode and assigned a VLAN, the switch inserts a VLAN tag in the frame header, recalculates the Frame Check Sequence (FCS), and sends the tagged frame out of a trunk port.
        
        VLAN Tag Field Details
        
        Type - A 2-byte value called the tag protocol ID (TPID) value. For Ethernet, it is set to hexadecimal 0x8100.
        
        User priority - A 3-bit value that supports level or service implementation.
        
        Canonical Format Identifier (CFI) - A 1-bit identifier that enables Token Ring frames to be carried across Ethernet links.
        
        VLAN ID (VID) - A 12-bit VLAN identification number that supports up to 4096 VLAN IDs.
    - - Tagged Frames on the Native VLAN
        
        Some devices that support trunking add a VLAN tag to native VLAN traffic.
        
        Control traffic sent on the native VLAN should not be tagged.
        
        If an 802.1Q trunk port receives a tagged frame with the VLAN ID that is the same as the native VLAN, it drops the frame
      - Untagged Frames on the Native VLAN
        
        When a Cisco switch trunk port receives untagged frames (which are unusual in a well-designed network), it forwards those frames to the native VLAN. If there are no devices associated with the native VLAN (which is not unusual) and there are no other trunk ports (which is not unusual), then the frame is dropped.
        
        All untagged traffic coming in or out of the 802.1Q port is forwarded based on the PVID value
        
        Port VLAN ID (PVID)
    - - Recall that to support VoIP, a separate voice VLAN is required.
        
        An access port that is used to connect a Cisco IP phone can be configured to use two separate VLANs: one VLAN for voice traffic and another VLAN for data traffic from a device attached to the phone. The link between the switch and the IP phone acts as a trunk to carry both voice VLAN traffic and data VLAN traffic
        
        The Cisco IP Phone contains an integrated three-port 10/100 switch. The ports provide dedicated connections to these devices:
        
        Port 1 connects to the switch or other VoIP device.
        
        Port 2 is an internal 10/100 interface that carries the IP phone traffic.
        
        Port 3 (access port) connects to a PC or other device.
        
        On the switch, the access is configured to send Cisco Discovery Protocol (CDP) packets that instruct an attached IP phone to send voice traffic to the switch in one of three ways, depending on the type of traffic:
        
        In a voice VLAN tagged with a Layer 2 class of service (CoS) priority value
        
        In an access VLAN tagged with a Layer 2 CoS priority value
        
        In an access VLAN, untagged (no Layer 2 CoS priority value)
- - - - Catalyst 2960 and 3560 Series switches support over 4,000 VLANs.
        
        Normal Range VLANs
        
        Used in small- and medium-sized business and enterprise networks.
        
        Identified by a VLAN ID between 1 and 1005.
        
        IDs 1 and 1002 to 1005 are automatically created and cannot be removed.
        
        IDs 1002 through 1005 are reserved for Token Ring and Fiber Distributed Data Interface (FDDI) VLANs.
        
        Configurations are stored within a VLAN database file, called vlan.dat. The vlan.dat file is located in the flash memory of the switch.
        
        Flash memory is persistent and does not require the copy running-config startup-config command.
        
        The VLAN Trunking Protocol (VTP), which helps manage VLAN configurations between switches, can only learn and store normal range VLANs.
        
        Extended Range VLANs
        
        Support fewer VLAN features than normal range VLANs.
        
        Enable service providers to extend their infrastructure to a greater number of customers. Some global enterprises could be large enough to need extended range VLAN IDs.
        
        Are identified by a VLAN ID between 1006 and 4094.
        
        Configurations are not written to the vlan.dat file.
        
        Saved, by default, in the running configuration file.
        
        VTP does not learn extended range VLANs.
      - 4096 is the upper boundary for the number of VLANs available on Catalyst switches, because there are 12 bits in the VLAN ID field of the IEEE 802.1Q header.
    - - use the "show vlan brief" command to display the contents of the vlan.dat file
      - A series of VLAN IDs can be entered separated by commas, or a range of VLAN IDs separated by hyphens using the vlan vlan-id command.
        
        use the following command to create VLANs 100, 102, 105, 106, and 107:
        S1(config)# vlan 100,102,105-107
    - - The switchport mode access command is optional, but strongly recommended as a security best practice. With this command, the interface changes to permanent access mode.
      - Use the interface range command to simultaneously configure multiple interfaces.
      - The switchport access vlan command forces the creation of a VLAN if it does not already exist on the switch
    - - There are a number of ways to change VLAN port membership
        
        For changing a switch port to VLAN 1 membership with the no switchport access vlan interface configuration mode command.
        
        with this command the VLAN that was assigned to that interface is still active, even though no ports are assigned to it.
        
        A port can easily have its VLAN membership changed. It is not necessary to first remove a port from a VLAN to change its VLAN membership. When an access port has its VLAN membership reassigned to another existing VLAN, the new VLAN membership simply replaces the previous VLAN membership.
    - - The no vlan vlan-id global configuration mode command is used to remove a VLAN from the switch.
        
        The show vlan brief command verifies that the VLAN is no longer present in the vlan.dat file
        
        Before deleting a VLAN, reassign all member ports to a different VLAN first. Any ports that are not moved to an active VLAN are unable to communicate with other hosts after the VLAN is deleted and until they are assigned to an active VLAN.
      - The entire vlan.dat file can be deleted using the delete flash:vlan.dat privileged EXEC mode command.
        
        The abbreviated command version (delete vlan.dat) can be used if the vlan.dat file has not been moved from its default location.
        
        After issuing this command and reloading the switch, the previously configured VLANs are no longer present.
- - - - A VLAN trunk is an OSI Layer 2 link between two switches that carries traffic for all VLANs (unless the allowed VLAN list is restricted manually or dynamically)
        
        use the switchport mode trunk command. With this command, the interface changes to permanent trunking mode. The port enters into a Dynamic Trunking Protocol (DTP) negotiation to convert the link into a trunk link even if the interface connecting to it does not agree to the change.
        
        Always configure both ends of a trunk link with the same native VLAN. If 802.1Q trunk configuration is not the same on both ends, Cisco IOS Software reports errors.
    - - The configuration is verified with the show interfaces interface-ID switchport command.