How to Configure VLANs on a Cisco Switch

This post will deal with configuring Layer 2 VLANs on Cisco switches. Up to 4094 VLANs can be configured on Cisco Catalyst switches. By default, only VLAN 1 is configured on the switch, so if you connect hosts to an out-of-the-box switch they all belong to the same Layer 2 broadcast domain.

The need to configure several Layer 2 VLANs on a switch arises from the need to segment an internal Local Area Network (LAN) into different IP subnetworks. If, for example, you want to separate the different departments of your enterprise into different IP subnetworks, then each department should belong to its own Layer 2 VLAN. For example, let’s assume the following scenario:

  • Accounting Department: IP Subnet 192.168.2.0/24 –> VLAN 2
  • Management Department: IP Subnet 192.168.3.0/24 –> VLAN 3
  • Engineering Department: IP Subnet 192.168.4.0/24 –> VLAN 4

Separating the internal LAN into different IP subnets (and thus different VLANs) allows network administrators to enforce traffic restrictions between departments if needed and to have better control of internal hosts.

VLAN assignment on a switch is configured on a per-interface basis. That is, each switch port interface is assigned individually into a Layer 2 VLAN. If you have more than one switch connected and you want the same VLANs to belong across all switches, then a Trunk Port must be configured between the switches. The Trunk Port passes all VLANs between the switches. Let’s see the following network scenario to help us clarify some concepts.

On the LAN network above, we have three VLANs: VLANs 2, 3, and 4. VLAN 4 belongs to both SWITCH 1 and SWITCH 2, therefore we need a Trunk Port between the two switches in order for hosts in VLAN 4 on Switch 1 to be able to communicate with hosts in VLAN 4 on Switch 2.

The ports of the two switches shall be configured as follows:

SWITCH 1:
Fe0/1 – Fe0/2 –> VLAN 2 (Accounting)
Fe0/10 – Fe0/11 –> VLAN 4 (Engineering)
Fe0/24 –> Trunk Port

SWITCH 2:
Fe0/1 – Fe0/2 –> VLAN 3 (Management)
Fe0/10 – Fe0/11 –> VLAN 4 (Engineering)
Fe0/24 –> Trunk Port

Configuration:

Switch 1 Configuration:
!  Create VLANs 2 and 4 in the switch database
Switch1# configure terminal
Switch1(config)# vlan 2
Switch1(config-vlan)# name Accounting
Switch1(config-vlan)# exit

Switch1(config)# vlan 4
Switch1(config-vlan)# name Engineering
Switch1(config-vlan)# exit

!  Assign Ports Fe0/1 and Fe0/2 in VLAN 2
Switch1(config)# interface fastethernet0/1
Switch1(config-if)# switchport mode access
Switch1(config-if)# switchport access vlan 2
Switch1(config-if)# exit
Switch1(config)# interface fastethernet0/2
Switch1(config-if)# switchport mode access
Switch1(config-if)# switchport access vlan 2
Switch1(config-if)# exit

!  Assign Ports Fe0/10 and Fe0/11 in VLAN 4
Switch1(config)# interface fastethernet0/10
Switch1(config-if)# switchport mode access
Switch1(config-if)# switchport access vlan 4
Switch1(config-if)# exit
Switch1(config)# interface fastethernet0/11
Switch1(config-if)# switchport mode access
Switch1(config-if)# switchport access vlan 4
Switch1(config-if)# exit

!  Create Trunk Port Fe0/24
!  (set the encapsulation first: switches that negotiate it by default reject "mode trunk" until it is fixed)
Switch1(config)# interface fastethernet0/24
Switch1(config-if)# switchport trunk encapsulation dot1q
Switch1(config-if)# switchport mode trunk
Switch1(config-if)# end

Cisco CCNP Certification: Defending Against VLAN Hopping Attacks

One form of VLAN Hopping is double tagging, so named because the intruder will transmit frames that are “double tagged” with two separate VLAN IDs. As you’ll see in our example, certain circumstances must exist for a double tagging attack to be successful:

The intruder’s host device must be attached to an access port.

The VLAN used by that access port must be the native VLAN.

The term “native VLAN” tips us off to the third requirement – dot1q must be the trunking protocol in use, since ISL doesn’t use the native VLAN.

When the rogue host transmits a frame, that frame will have two tags. One will indicate native VLAN membership, and the second will be the number of the VLAN under attack. In this example, we’ll assume that to be VLAN 100, with the native VLAN set as VLAN 25.

The trunk receiving this double-tagged frame will see the tag for VLAN 25, and since that’s the native VLAN, that tag will be removed and the frame then transmitted across the trunk – but the tag for VLAN 100 is still there!

When the switch on the other side of the trunk gets that frame, it sees the tag for VLAN 100 and forwards the frame to ports in that VLAN. The rogue now has successfully fooled the switches and has hopped from one VLAN to another.

This is why you often see the native VLAN of a network set to a VLAN that no host on the network is a member of – that stops this version of VLAN Hopping right in its tracks.

Notice that I said “this version”. We’ll take a look at another VLAN Hopping tactic in the next installment of my Cisco CCNP BCMSN certification exam tutorial series!
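The native-VLAN condition described above can be checked against a switch configuration. The following is an added example, not code from the original article: it parses IOS-style configuration text and reports every trunk whose native VLAN is also the VLAN of an active access port. The function names, the sample configurations and VLAN 999 as the unused native VLAN are constructed for illustration, and a port without `switchport mode trunk` is assumed to be host-facing.

```python
"""Audit an IOS-style config for the double-tagging precondition:
an 802.1Q trunk whose native VLAN is also the VLAN of a host-facing port."""
import re
from dataclasses import dataclass

DEFAULT_VLAN = 1  # IOS default access VLAN and default 802.1Q native VLAN


@dataclass
class Port:
    name: str
    mode: str = "unset"          # "access", "trunk", or "unset" (no explicit mode)
    access_vlan: int = DEFAULT_VLAN
    native_vlan: int = DEFAULT_VLAN
    shutdown: bool = False


def parse_ports(config):
    """Collect per-interface switchport settings from running-config text."""
    ports, current = [], None
    for raw in config.splitlines():
        line = raw.strip()
        if raw.startswith("interface "):
            current = Port(name=line.split(None, 1)[1])
            ports.append(current)
        elif not raw.startswith(" "):
            current = None       # "!" or a global command closes the stanza
        elif current is not None:
            if m := re.fullmatch(r"switchport mode (access|trunk)", line):
                current.mode = m.group(1)
            elif m := re.fullmatch(r"switchport access vlan (\d+)", line):
                current.access_vlan = int(m.group(1))
            elif m := re.fullmatch(r"switchport trunk native vlan (\d+)", line):
                current.native_vlan = int(m.group(1))
            elif line == "shutdown":
                current.shutdown = True
    return ports


def audit_native_vlan(config):
    """Return (trunk, native_vlan, [access ports in that VLAN]) per exposed trunk."""
    ports = [p for p in parse_ports(config) if not p.shutdown]
    trunks = [p for p in ports if p.mode == "trunk"]
    # Assumption: any port not explicitly set to trunk mode is host-facing.
    edge = [p for p in ports if p.mode != "trunk"]
    findings = []
    for trunk in trunks:
        shared = [p.name for p in edge if p.access_vlan == trunk.native_vlan]
        if shared:
            findings.append((trunk.name, trunk.native_vlan, shared))
    return findings


# Constructed sample using the article's numbers: native VLAN 25, VLAN 100 behind the trunk.
EXPOSED = """\
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 25
!
interface FastEthernet0/2
 switchport mode access
 switchport access vlan 100
!
interface FastEthernet0/3
 switchport mode access
 switchport access vlan 25
 shutdown
!
interface FastEthernet0/24
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 25
 switchport mode trunk
!
"""

# Same switch with the native VLAN moved to 999, a VLAN with no host ports (constructed).
HARDENED = EXPOSED.replace("native vlan 25", "native vlan 999")

# Constructed: no VLANs set explicitly, so access and native VLAN both default to 1.
DEFAULTS = """\
interface FastEthernet0/5
 switchport mode access
!
interface FastEthernet0/24
 switchport mode trunk
!
"""

if __name__ == "__main__":
    for label, cfg in (("exposed", EXPOSED), ("hardened", HARDENED), ("defaults", DEFAULTS)):
        findings = audit_native_vlan(cfg)
        for trunk, vlan, shared in findings:
            print(f"{label}: {trunk} native VLAN {vlan} is shared with {', '.join(shared)}")
        if not findings:
            print(f"{label}: no trunk shares its native VLAN with an access port")
```

The `DEFAULTS` case shows why an untouched switch fails the check: with nothing configured, the trunk's native VLAN and every access port both sit in VLAN 1.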

Understanding VLANs and Trunks

After completing this module, you should be able to do the following:

  • Describe how and when to implement and verify VLANs and trunking
  • Define the purpose and function of VLANs on Cisco Catalyst switches
  • Define the purpose and function of IEEE 802.1Q trunking on Cisco Catalyst switches
  • Define the purpose and function of VTP on Cisco Catalyst switches

Watch Now – on your iPhone

Requirements: Cisco mobile learning modules are currently available for audio- and video-enabled mobile devices including the Apple iPhone® and Apple iPod touch®, with BlackBerry® functionality coming in mid 2010. Modules also operate on Windows PCs and Mac computers. Mobile devices must have web access initially to download the free Cisco video viewer from the Apple App Store® on iTunes®. After initial download, modules operate both online and offline.

Further Information: For more information on the specific requirements for this product, please select the iPhone link above.

VLAN Basics – A look at Cisco VLAN Basics

Over the last week, I have done a fair amount of work segmenting a network with VLANs. VLAN, or virtual LAN, configuration is typically easy, but there are a few things that you need to know to be successful. This newsletter covers the basic configuration of VLANs on Catalyst switches. Examples are based on IOS switches. Check the links provided at the end of this article for examples of VLAN configurations using CatOS-based switches.

Cisco defines a VLAN as a broadcast domain within a switched network. VLANs allow you to segment your switched network so that broadcast domains are smaller, leaving more bandwidth for your end nodes. Devices that are in one VLAN do not receive broadcasts from devices in another VLAN. For devices on different VLANs to communicate, a layer 3 device (usually a router) must be used.

The first consideration for setting up VLANs in your network is planning your environment. Will the VLANs span multiple switches, or will you only be segmenting one switch? If you only have one switch to segment, you can just configure the VLANs with no other considerations. If you need to span multiple switches with VLAN information, you will need to decide which switches need which VLANs. You will also need to configure trunking and set up VLAN Trunking Protocol (VTP).

To configure VLANs on a single switch, you can use the following commands from privileged mode:

SwitchA# vlan database
SwitchA(vlan)# vlan 2 name vlan2
SwitchA(vlan)# exit
SwitchA# configure terminal
SwitchA(config)# interface fastethernet 0/1
SwitchA(config-if)# switchport mode access
SwitchA(config-if)# switchport access vlan 2
SwitchA(config-if)# end

These commands create VLAN number 2 and name it vlan2. Fast Ethernet interface 0/1 (on my Cat 2924XL-M) is then configured to use vlan2. It is important to note that VLAN 1 is used for the management VLAN, so any VLANs created should be numbered 2 to 1000.

For VLAN information to be passed between switches, trunking must be configured between the switches. VLAN trunking allows a port to pass traffic from multiple VLANs between the two switches. Frames travelling over a trunk are tagged to identify which VLAN the frames belong to. When implementing trunking between switches, the ports at either end of the connection must be set up for trunk mode and the trunk encapsulation mode must match. Trunk encapsulation dictates the manner that frames are identified (tagged) on a trunk and defines the VLAN services available. There are four types of trunking encapsulations:

1) Inter-Switch Link Protocol (ISL)
Cisco proprietary trunking protocol.

2) IEEE 802.1Q (dot1q)
Industry standard trunking protocol.

3) LAN Emulation (LANE)
Used for trunking VLANs over ATM links.

4) IEEE 802.10 (dot10q)
Cisco proprietary method for transporting VLAN information inside standard FDDI frames.

To set up trunking between two switches, use the following commands:

SwitchA(config)# interface fastethernet 0/1
SwitchA(config-if)# switchport mode trunk
SwitchA(config-if)# switchport trunk encapsulation dot1q

Repeat commands on SwitchB.

This sets up Fast Ethernet interface 0/1 to be a trunk port using dot1q encapsulation. It is important to note that once you change one side of a connection to trunk mode, communication between the two switches will be lost until the other side is configured for the same mode/encapsulation. If you are trying to set up trunking remotely, always change the far side of a connection first. The port is currently passing information for all VLANs (1-1005). To limit which VLANs will be allowed to pass information on the port you can use the following commands:

SwitchA(config)# interface fastethernet 0/1
SwitchA(config-if)# switchport trunk allowed vlan remove 1-1005
SwitchA(config-if)# switchport trunk allowed vlan add 1-3

Repeat commands on SwitchB.

This removes the default of all VLANs, and adds back support for VLANs 1-3. It is good practice to remove everything and only add support for the VLANs that are required. We now have two switches happily passing VLAN traffic for VLANs 1-3. This process is great for a small number of switches with a limited number of VLANs. In a large environment that has a large number of switches, and requires several VLANs, it can be difficult to maintain the configuration on each switch.

What is a VLAN? How to Setup a VLAN on a Cisco Switch

Have you ever wondered what a Virtual LAN (or VLAN) is or been unclear as to why you would want one? If so, I have been in your place at one time too. Since then, I have learned a lot about what a VLAN is and how it can help me. In this article, I will share that knowledge with you.

What is a LAN?

Okay, most of you already know what a LAN is but let’s give it a definition to make sure. We have to do this because, if you don’t know what a LAN is, you can’t understand what a VLAN is.

A LAN is a local area network and is defined as all devices in the same broadcast domain. If you remember, routers stop broadcasts, switches just forward them.

What is a VLAN?

As I said, a VLAN is a virtual LAN. In technical terms, a VLAN is a broadcast domain created by switches. Normally, it is a router creating that broadcast domain. With VLANs, a switch can create the broadcast domain.

This works by you, the administrator, putting some switch ports in a VLAN other than 1, the default VLAN. All ports in a single VLAN are in a single broadcast domain.

Because switches can talk to each other, some ports on switch A can be in VLAN 10 and other ports on switch B can be in VLAN 10. Broadcasts between these devices will not be seen on any other port in any other VLAN, other than 10. However, these devices can all communicate because they are on the same VLAN. Without additional configuration, they would not be able to communicate with any devices that are not in their VLAN.

Are VLANs required?

It is important to point out that you don’t have to configure a VLAN until your network gets so large and has so much traffic that you need one. Many times, people are simply using VLANs because the network they are working on was already using them.

Another important fact is that, on a Cisco switch, VLANs are enabled by default and ALL devices are already in a VLAN. The VLAN that all devices are already in is VLAN 1. So, by default, you can just use all the ports on a switch and all devices will be able to talk to one another.

When do I need a VLAN?

You need to consider using VLANs in any of the following situations:

  • You have more than 200 devices on your LAN
  • You have a lot of broadcast traffic on your LAN
  • Groups of users need more security or are being slowed down by too many broadcasts
  • Groups of users need to be on the same broadcast domain because they are running the same applications. An example would be a company that has VoIP phones. The users using the phone could be on a different VLAN, not with the regular users.
  • Or, just to make a single switch into multiple virtual switches.

Why not just subnet my network?

A common question is why not just subnet the network instead of using VLANs? Each VLAN should be in its own subnet. The benefit that a VLAN provides over a subnetted network is that devices in different physical locations, not going back to the same router, can be on the same network. The limitation of subnetting a network with a router is that all devices on that subnet must be connected to the same switch and that switch must be connected to a port on the router.

With a VLAN, one device can be connected to one switch, another device can be connected to another switch, and those devices can still be on the same VLAN (broadcast domain).

How can devices on different VLANs communicate?

Devices on different VLANs can communicate with a router or a Layer 3 switch. As each VLAN is its own subnet, a router or Layer 3 switch must be used to route between the subnets.

What is a trunk port?

When there is a link between two switches or a router and a switch that carries the traffic of more than one VLAN, that port is a trunk port.

A trunk port must run a special trunking protocol. The protocol used would be Cisco’s proprietary Inter-Switch Link (ISL) or the IEEE standard 802.1q.

Our FREE Cisco CCNA Certification Exam Resources

ProProfs.com Academy provides free quality resources on the CCNA certification exam. Our CompTIA Cisco CCNA school provides you online access to resources required to gather skills and knowledge to quickly become CCNA certified. All resources and study material are totally free to all CCNA exam candidates & learners:

Cisco CCNA Exam Review

The CCNA certification (Cisco Certified Network Associate) indicates a foundation in and apprentice knowledge of networking. CCNA certified professionals can install, configure, and operate LAN, WAN, and dial access services for small networks (100 nodes or fewer), including but not limited to use of these protocols: IP, IGRP, Serial, Frame Relay, IP RIP, VLANs, RIP, Ethernet, Access Lists.

Passing the Cisco CCNA certification is not an easy task. Cisco ensures passing the CCNA remains prestigious by maintaining the difficulty level of the CCNA exam by changing the exam pattern regularly. With the difficulty level being where it is, and the extensive exam syllabus, students must know what topics they should focus on for passing the CCNA exam. At ProProfs we provide a number of study tools including CCNA Discussion Board, CCNA Articles and notes wiki, and a lot more to assist you in your CCNA studies and help you pass the exam with ease. You will find numerous valuable tips in our resources that will help you get this prestigious certification.

CCNA Exam Specifics:

Exam Location: You can register for the exam at any Pearson VUE and Thomson Prometric center.
Time Allocated: 90 minutes per exam
Total marks: 900
Number Of Questions: Approximately 55-65 questions per exam

Exam Pattern

The question types found on the CCNA exam are:

  • Multiple Choice with Single answer: Student is required to select a single answer from a range of options (generally 4-5) by clicking on a radio button.
  • Multiple Choice with Multiple answer: Student is required to select a range of options. The number of options to select is specified.
  • Fill in the Blank: Student is required to type in the missing text to complete the sentence.
  • Simulation: Troubleshoot and configure routers

CCNA Exam References

The following are some CCNA study aids that can help you prepare for the exam. All of these resources are free.

  • Cisco CCNA Free Study Center by SemSim CCNA Router Simulator
  • Dave’s CCNA Tips
  • CCNA Training by Networks Inc. Ltd in the UK
  • Techiwarehouse CCNA articles & tutorials

Benefits Of Passing Cisco CCNA Test

The Cisco CCNA Certification Exam is considered the industry standard in the networking arena.

Here are some of the benefits of passing the CCNA exam.

  • Satisfaction: Great morale booster. New employers will take you seriously and your current employer will take notice.
  • More Career Options:
  • Higher Salary: On average, certified professionals make 5-15% more than their non-certified peers.

IVR hosts having difficulty logging into CLARiiON

Hello,  I am having a problem with host hbas logging into a CLARiiON array via IVR.  The hbas are zoned to 2 sp ports (spa and spb).  Usually only one SP port gets logged into successfully. This is very strange.  Sometimes it works fine.  Then I start trying to get the others working and the working one goes away.

Simple IVR topology.  Site 1, 3 switch fabric (vsan 250) connected via GE FCiP to site 2, 1 switch fabric (vsan 100).  Transit vsan is 1000.  The IVR zoneset is consistent on all switches.  All IVR zones are injected into the active running zones on the switches and show as active.  All fcns entries are correct (so I think).  Meaning sh fcns data vsan 100, 1000 and 250 all show the hbas N ports and storage ports logged in.  No errors anywhere. We have an extremely robust site to site connection (4G fcip per fabric A and B).  2ms ping times, RTT 270us consistently (dark fiber).  We are getting about 600MB/sec throughput with no errors.

I’m pretty much on my own.  I have opened a case with the vendor… but they are not making any headway… sh tech-supports have been sent in etc etc.

Hopefully this will help someone.  I figured this problem out myself.  Apparently this is a known issue leveraging FCiP WA.  If an hba has multiple paths to a target, and multiple equal cost paths over FCiP tunnels WA can cause issues.  I disabled WA and everything started working fine.

Our site to site configuration is across 4 GigE links per fabric channeled together in 2 port channels, equal cost.  We are migrating our ESX clusters to a new data center via SVmotion (esx storage vmotion) across these links.  Not leveraging WA seems to have really slowed things down, but, at least the environment is stable.

About Cisco Certification Career Opportunity

As we know, Cisco certification has become one of the hottest certifications today. As networks continue to drive economic growth, collaboration and human interaction, the need for networking talent grows in importance. IDC is predicting as much as a 40 percent gap between the demand and supply of technical networking skills by year 2012. As a result, with Cisco certification, one will have more chance to work at a successful IT company. Others who are new to this certification may be curious about why most big companies are always interested in Cisco certified professionals, and how much they are ready to pay.

“Career opportunities in networking are abundant and span a wide array of experiences from software applications and systems design to troubleshooting global networks that span all business, government and person-to-person communications,” . “Networking offers people a broad opportunity for career advancement while learning about the world, about business and about ways to improve human interaction. The Cisco training and certification program provides network designers and engineers with a solid foundation on which they will change how people collaborate and communicate in the future.”

“Networks underpin nearly every industry today including, travel, fashion and entertainment and their presence is not likely to be diminished in the future,” said Christopher Cugno, senior network engineer for DreamWorks Animation SKG. “Holding a Cisco certification enabled me to enter the career of my dreams, and now I have the opportunity to work for one of the most recognized production studios in the world.”

Introduction of Cisco certification and what it can bring you

Generally, Cisco offers 3 levels of certification: associate, professional and expert-level. The first stage of Cisco’s certification system is the entry level and begins with Cisco Certified Entry Networking Technician (CCENT) certification as an interim step to Associate level or directly with CCNA and CCDA certifications.

The second level is associate certification, which is composed of CCNA certification and CCDA certification.

Cisco professional level certification like CCNP is considered proof of having the ability to work with medium-sized networks (between 100 and 500 end devices) and with technology such as QoS, broadband, VPNs, and security-minded features. The CCDP certification is an advanced network design certification provided by Cisco Systems, Inc. Candidates for the certification are tested for advanced knowledge of Cisco devices and the way to interconnect them. CCIP, CCVP, CCSP certifications are also Cisco professional certifications.

The expert-level certification is the Cisco Certified Internetwork Expert (CCIE). It is the highest level of professional certification that Cisco provides. As of April 6, 2008 there are 16,335 people with active CCIE certifications in the world.[11] There are 5 active CCIE tracks: Routing and Switching, CCIE Security, CCIE Service Provider, CCIE Voice, CCIE Storage Networking.

Cisco professional salary survey

In recent years, averages for all Cisco certifications are up — and not just by a few thousand. For example, the average salary in 2004 for those of you who held a CCNA was $60,000 — now, that number has jumped to a little more than $76,000. Higher-end Cisco certifications are also doing well, with, for example, the average CCIE reporting a salary of a little more than $116,000, up from $102,000 a few years ago.

So, if you are preparing for your Cisco certification, you will not regret it, given the revenue you will get after being certified.

Even though those with Cisco certifications appear to be riding high right now, it’s important to remember all the other factors that go into the average salaries — and that they are averages. Experience, job skills (Cisco-related and others), your employer, your location — all of these will play heavily into what you earn.

Also remember that the job market — in your area and overall — can turn on a dime. So if you’re new to IT (especially if you’re new to IT), don’t think you’ll be able to jump in and earn exactly what people in this survey are; the next 12 months may bring something completely different.

Will Google or Cisco Determine Our Future Broadband Networks?

At the FCC broadband workshop held this morning, researchers argued for a new Internet architecture built upon infrastructure currently used in large data centers that would be capable of adapting itself to deliver each individual application. Meanwhile, those associated with think tanks and the broadband industry argued that the most significant Internet-related innovation is already behind us and that we need to think about embedding more intelligence into the network we have.

It reminded me of Vanity Fair’s awesome story about the making of the web in which Bob Metcalfe relates his attempts to show some AT&T executives the precursor to the Internet:

Bob Metcalfe: Imagine a bearded grad student being handed a dozen AT&T executives, all in pin-striped suits and quite a bit older and cooler. And I’m giving them a tour. And when I say a tour, they’re standing behind me while I’m typing on one of these terminals. I’m traveling around the Arpanet showing them: Ooh, look. You can do this. And I’m in U.C.L.A. in Los Angeles now. And now I’m in San Francisco. And now I’m in Chicago. And now I’m in Cambridge, Massachusetts—isn’t this cool? And as I’m giving my demo, the damned thing crashed. And I turned around to look at these 10, 12 AT&T suits, and they were all laughing. And it was in that moment that AT&T became my bête noire, because I realized in that moment that these sons of bitches were rooting against me.

Today’s workshop, called “The Future of The Internet,” had a similar feel, with researchers David Clark, professor at the MIT Computer Science and Artificial Intelligence Laboratory, and Taieb Znati, division director for the National Science Foundation, talking up the idea of virtualizing communications networks in order to create several networks optimized for delivering different types of applications. By the way, this focus on the ability to deliver a specific application vs. delivering a set speed is a sticky topic when it comes to defining broadband. Going forward, we’re going to be hearing a lot about it.

Scott Shenker, a professor of computer science at UC Berkeley, added that such a re-imagined network could be created by mirroring some of the wide area networks used by the likes of Amazon and Google to send information around their data centers. As he noted, today’s telecommunications networks are built atop specialized hardware with routers running proprietary software. He argued that if the Googles and Amazons of the world could take their focus on deploying commodity hardware and open-source routers to the telecommunications industry, the entire infrastructure of the Internet would change — including allowing for lower-cost networks that could be virtualized.

As the theory moved farther outside of the current telecommunications model, Robert Atkinson, president of the technology industry-funded think tank Information Technology and Innovation Foundation, brought things back to the present by saying that the largest innovations on the web may be behind us and that while the Internet of 2022-2023 would be different from what it is today, it won’t have gone through the evolutionary changes seen in the last decade. His wish list included more embedded intelligence in the network to help advance packets and manage a flow of real-time data, as well as some type of authentication and identification for users.

The end goal seems to be figuring out how to build a network that knows what the content it’s delivering is and where it came from rather than a packet-based network focused on getting unidentified bits from machines. How this will relate to the National Broadband Plan that’s due next year is unclear, but the ideas expressed in the panel are worth listening to. So if you’re curious about what’s out on the fringes for the future of the web, check out the webcast of this panel, which sadly, I could not embed here.

Cisco CTO’s 5 Predictions for the Future of Collaboration

Padmasree Warrior is, to quote her biography on their company blog “Cisco Systems’ Chief Technology Officer. As CTO, she is responsible for helping drive the company’s technological innovations and strategy, and works closely with its senior executive team and board of directors to align these efforts with Cisco’s corporate goals.

As an evangelist for what’s possible, she pushes the organization to stretch beyond its current capabilities – not just in technology, but also in its strategic partnerships and new business models”.

Here’s Padmasree’s 5 predictions for the future of collaboration, fleshed out by her in more detail here:

1. Collaboration Networks will be to Enterprises what Social Networks are to Consumers

My previous post railing about people confusing ‘social media’ marketing with the intricate strategic and tactical connectivity inside companies, and others in their orbit, has a good counterpoint in Padmasree’s posts.

I don’t like the word ‘social’ in a business context, not least because the word has deep meaning, particularly for those not living in the tech bubble. Socialism in a political sense, company social clubs and the general connotations of socializing and schmoozing. Many companies in Europe have a long tradition of employee social clubs, as another example. It’s a culturally messy word with a lot of baggage globally.

‘Collaboration Networks’ is a much more elegant way to describe business uses of similar technologies to the ones we use in our personal lives to stay in touch with friends. I’m going to use this term going forward as it is a great fit, is more accessible semantically than ‘Enterprise 2.0’ to the lay person and makes good sense to those in the non IT business world.

2. It is not about “on-premise” versus “on-demand”, it will be all about the User Experience

Steve Ballmer’s famous ‘Developers, Developers, Developers‘ engineer cheerleading video clip badly needs a larger than life counterpart with someone bellowing ‘Users, Users, Users’. Malcolm Gladwell wrote in Blink about ‘the first two seconds of looking–the decisive glance that knows in an instant’.

This is the reality with software. No one cares about the clever technology stack underpinning the system, all they care about is if they are going to be able to use it for their needs, if it will be useful, and if they can find stuff easily.

3. Innovation will be redefined by Operational Excellence

Padmasree: “There is a long-standing debate about what drives long term success: Is it innovation OR Operational Excellence?  Traditionally we viewed this as an either-or proposition, and most companies have taken pride in being really good at one or the other.

What we hear from most CEOs, CTOs and CIOs is that we need to do both — especially during the current economic downturn.  We no longer have the luxury of choosing one vs. the other.”

- Beautifully put!

4. Organizations without boundaries will drive the next wave of productivity

“This prediction is rooted in the fact that business processes must extend beyond corporate firewalls.  That means they must encompass people outside the company as readily as they do people inside the four walls“.

This is the area where the confusion builds with ‘social media’ marketing efforts. One of the biggest headaches in enabling ‘through the firewall’ collaboration is security and IP protection. The VPN connectivity necessary to connect friends but not foes isn’t trivial, and the buzz around marketing transparency can obscure the delicate tactics around this.

5. Information Technology will evolve into Information Fabric

“…the future is no longer just about the management and routing of information.  It’s about providing people with the right information at the right time, connecting communities that can improve the relevance, and accelerating decisions to drive value for the business.  Importantly, it’s about weaving that information fabric into business processes so they run more efficiently and connect with each other in ways that were simply not possible before.”

The great pathfinding work done by John Hagel & John Seely Brown in their 2005 book ‘The Only Sustainable Edge: Why Business Strategy Depends on Productive Friction and Dynamic Specialization‘ is reflected here. Their sophisticated discussion of ‘performance fabric’ has been neatly co-opted by Cisco to sell Padmasree’s concept.