Archive for the ‘Cisco vlan’ Category

How to Configure VLANs on a Cisco Switch

This post deals with configuring Layer 2 VLANs on Cisco switches. VLAN IDs 1 to 4094 are available on Cisco Catalyst switches (1002-1005 are reserved for legacy media). By default only VLAN 1 exists and every port belongs to it, so if you connect hosts to an out-of-the-box switch they all share the same Layer 2 broadcast domain.

The need to configure several Layer 2 VLANs on a switch arises from the need to segment an internal Local Area Network (LAN) into different IP subnetworks. If you want for example to separate the different departments of your enterprise into different IP subnetworks, then each department should belong to its own Layer 2 VLAN. For example, let’s assume the following scenario:

  • Accounting Department: IP Subnet 192.168.2.0/24 –> VLAN 2
  • Management Department: IP Subnet 192.168.3.0/24 –> VLAN 3
  • Engineering Department: IP Subnet 192.168.4.0/24 –> VLAN 4

Separating the internal LAN into different IP subnets (and thus different VLANs) allows network administrators to enforce traffic restrictions between departments where needed and gives better control over internal hosts. Keep in mind that the VLAN itself only separates broadcast domains; any restriction between departments has to be enforced on the Layer 3 device (router or Layer 3 switch) that routes between the subnets, for example with access lists.

VLAN assignment on a switch is configured per interface: each switch port is individually assigned to a Layer 2 VLAN. If you have more than one switch and want the same VLANs to exist across all of them, a Trunk Port must be configured between the switches. By default a trunk port carries all VLANs between the switches (the set can be restricted with an allowed-VLAN list). Let's look at the following network scenario to clarify these concepts.

In the network scenario above, we have three VLANs: 2, 3 and 4. VLAN 4 exists on both SWITCH 1 and SWITCH 2, so we need a Trunk Port between the two switches in order for hosts in VLAN 4 on Switch 1 to be able to communicate with hosts in VLAN 4 on Switch 2.

The ports of the two switches shall be configured as follows:

SWITCH 1:
Fe0/1 – Fe0/2 –> VLAN 2 (Accounting)
Fe0/10 – Fe0/11 –> VLAN 4 (Engineering)
Fe0/24 –> Trunk Port

SWITCH 2:
Fe0/1 – Fe0/2 –> VLAN 3 (Management)
Fe0/10 – Fe0/11 –> VLAN 4 (Engineering)
Fe0/24 –> Trunk Port

Configuration:

Switch 1 Configuration:
!  Create VLANs 2 and 4 in the switch database
!  ('exit' returns to global configuration mode; 'end' would drop back to
!  privileged EXEC, where the next configuration command would be rejected)
Switch1# configure terminal
Switch1(config)# vlan 2
Switch1(config-vlan)# name Accounting
Switch1(config-vlan)# exit

Switch1(config)# vlan 4
Switch1(config-vlan)# name Engineering
Switch1(config-vlan)# exit

!  Assign Ports Fe0/1 and Fe0/2 to VLAN 2
Switch1(config)# interface fastethernet0/1
Switch1(config-if)# switchport mode access
Switch1(config-if)# switchport access vlan 2
Switch1(config-if)# exit
Switch1(config)# interface fastethernet0/2
Switch1(config-if)# switchport mode access
Switch1(config-if)# switchport access vlan 2
Switch1(config-if)# exit

!  Assign Ports Fe0/10 and Fe0/11 to VLAN 4
Switch1(config)# interface fastethernet0/10
Switch1(config-if)# switchport mode access
Switch1(config-if)# switchport access vlan 4
Switch1(config-if)# exit
Switch1(config)# interface fastethernet0/11
Switch1(config-if)# switchport mode access
Switch1(config-if)# switchport access vlan 4
Switch1(config-if)# exit

!  Create Trunk Port Fe0/24. Set the encapsulation before forcing trunk mode:
!  a switch that supports both ISL and 802.1Q rejects 'switchport mode trunk'
!  while the encapsulation is still 'auto'. Switches that only support 802.1Q
!  do not have the encapsulation command at all; omit that line there.
Switch1(config)# interface fastethernet0/24
Switch1(config-if)# switchport trunk encapsulation dot1q
Switch1(config-if)# switchport mode trunk
Switch1(config-if)# end

Switch 2 is configured in the same way, following the port table above: create VLANs 3 (Management) and 4 (Engineering), assign Fe0/1 and Fe0/2 to VLAN 3, Fe0/10 and Fe0/11 to VLAN 4, and configure Fe0/24 as the dot1q trunk.

Cisco CCNP Certification: Defending Against VLAN Hopping Attacks

One form of VLAN hopping is double tagging, so named because the intruder transmits frames that are "double tagged" with two separate VLAN IDs. As you'll see in our example, certain circumstances must exist for a double tagging attack to succeed:

The intruder’s host device must be attached to an access port.

The VLAN used by that access port must be the native VLAN.

The term "native VLAN" tips us off to the third requirement: dot1q must be the trunking protocol in use, since ISL doesn't have a native VLAN. More precisely, the trunk must send native VLAN frames untagged, which is the default behaviour of an 802.1Q trunk on a Catalyst switch.

When the rogue host transmits a frame, that frame carries two 802.1Q tags. The outer tag indicates native VLAN membership, and the inner tag carries the number of the VLAN under attack. In this example, we'll assume that to be VLAN 100, with the native VLAN set as VLAN 25.

The first switch receiving this double-tagged frame sees the outer tag for VLAN 25. Since that is the native VLAN, which an 802.1Q trunk sends untagged, that tag is removed and the frame is transmitted across the trunk, but the inner tag for VLAN 100 is still there!

When the switch on the other side of the trunk gets that frame, it sees the tag for VLAN 100 and forwards the frame to ports in that VLAN. The rogue has successfully fooled the switches and has hopped from VLAN 25 into VLAN 100. Note that the hop is one-way: replies from VLAN 100 are not stripped the same way on the return trip, so double tagging is useful for injecting traffic blindly, not for an interactive session.

This is why you often see the native VLAN of a trunk set to a VLAN that no host on the network is a member of (switchport trunk native vlan with an otherwise unused ID): the attacker's outer tag then no longer matches the native VLAN, which stops this version of VLAN hopping in its tracks. Configuring the switch to tag native VLAN frames on the trunk as well (vlan dot1q tag native) removes the untagged path entirely and is a good complement.

Notice that I said "this version". We'll take a look at another VLAN hopping tactic in the next installment of my Cisco CCNP BCMSN certification exam tutorial series!
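The mechanics described in this post, as an added example that is not part of the original tutorial: a short Python model that builds a genuine double-tagged 802.1Q frame (two 0x8100 tags, outer VLAN 25, inner VLAN 100, following the numbers above), pushes it through a simplified model of the two switches, and shows where the hop happens and why the two mitigations stop it. The Switch class, the port names and the MAC addresses are constructed for this example; the behaviour it encodes is the Catalyst default (native VLAN sent untagged on an 802.1Q trunk; a tagged frame accepted on an access port only when the tag matches the port's own VLAN), and the two fixes correspond to moving the native VLAN to an unused ID and to tagging the native VLAN on the trunk.

```python
import struct
from dataclasses import dataclass

ETHERTYPE_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800

# Constructed sample values; VLAN 25 (native) and VLAN 100 (target) follow the text.
ATTACKER_MAC = bytes.fromhex("02aaaaaaaaaa")
VICTIM_MAC = bytes.fromhex("02bbbbbbbbbb")
NATIVE_VLAN = 25
TARGET_VLAN = 100


def build_frame(dst, src, vlan_tags, ethertype=ETHERTYPE_IPV4, payload=b"\x00" * 46):
    """Ethernet II frame with zero or more 802.1Q tags, outermost tag first.
    Each tag is TPID 0x8100 followed by a 16-bit TCI (PCP=0, DEI=0, 12-bit VID)."""
    hdr = dst + src
    for vid in vlan_tags:
        hdr += struct.pack("!HH", ETHERTYPE_8021Q, vid & 0x0FFF)
    return hdr + struct.pack("!H", ethertype) + payload


def outer_tag(frame):
    """VLAN ID of the outermost 802.1Q tag, or None if the frame is untagged."""
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_8021Q:
        return None
    return struct.unpack("!H", frame[14:16])[0] & 0x0FFF


def strip_outer_tag(frame):
    return frame[:12] + frame[16:]


def add_tag(frame, vid):
    return frame[:12] + struct.pack("!HH", ETHERTYPE_8021Q, vid & 0x0FFF) + frame[12:]


@dataclass
class Switch:
    """Simplified Catalyst forwarding model (example code, not IOS)."""
    name: str
    access_ports: dict        # port name -> access VLAN
    native_vlan: int = 1      # 'switchport trunk native vlan N' on the trunk
    tag_native: bool = False  # 'vlan dot1q tag native' configured globally

    def from_access_port(self, port, frame):
        """An access port accepts an untagged frame, or a frame tagged with the
        port's own access VLAN (that tag is removed). Any other tag is dropped."""
        vid = outer_tag(frame)
        access_vlan = self.access_ports[port]
        if vid is None:
            return access_vlan, frame
        if vid == access_vlan:
            return access_vlan, strip_outer_tag(frame)
        return None, None

    def to_trunk(self, vlan, frame):
        """Trunk egress: the native VLAN leaves untagged unless native tagging
        is on; every other VLAN gets a tag pushed in front of the payload."""
        if vlan == self.native_vlan and not self.tag_native:
            return frame
        return add_tag(frame, vlan)

    def from_trunk(self, frame):
        """Trunk ingress: a tagged frame belongs to the VLAN in its outer tag,
        an untagged frame belongs to the native VLAN."""
        vid = outer_tag(frame)
        if vid is None:
            return self.native_vlan, frame
        return vid, strip_outer_tag(frame)


def deliver(sw1, sw2, ingress_port, frame):
    """Carry one frame from an access port on sw1 over the trunk into sw2 and
    return the VLAN sw2 floods it into (None if sw1 dropped it)."""
    vlan, frame = sw1.from_access_port(ingress_port, frame)
    if vlan is None:
        return None
    return sw2.from_trunk(sw1.to_trunk(vlan, frame))[0]


def double_tag_demo():
    """Run the attack frame through the vulnerable and the hardened setups."""
    attack = build_frame(VICTIM_MAC, ATTACKER_MAC, [NATIVE_VLAN, TARGET_VLAN])
    sw2 = Switch("SW2", {"Fa0/5": TARGET_VLAN}, native_vlan=NATIVE_VLAN)
    # Vulnerable: attacker sits in the native VLAN and the trunk leaves it untagged.
    sw1 = Switch("SW1", {"Fa0/1": NATIVE_VLAN}, native_vlan=NATIVE_VLAN)
    hopped = deliver(sw1, sw2, "Fa0/1", attack)
    # Mitigation A: native VLAN moved to 999, which no access port uses.
    sw1_a = Switch("SW1", {"Fa0/1": NATIVE_VLAN}, native_vlan=999)
    sw2_a = Switch("SW2", {"Fa0/5": TARGET_VLAN}, native_vlan=999)
    kept_a = deliver(sw1_a, sw2_a, "Fa0/1", attack)
    # Mitigation B: native VLAN stays 25 but is tagged on the trunk.
    sw1_b = Switch("SW1", {"Fa0/1": NATIVE_VLAN}, native_vlan=NATIVE_VLAN, tag_native=True)
    sw2_b = Switch("SW2", {"Fa0/5": TARGET_VLAN}, native_vlan=NATIVE_VLAN, tag_native=True)
    kept_b = deliver(sw1_b, sw2_b, "Fa0/1", attack)
    # Precondition check: same frame from a port whose VLAN is not the native VLAN.
    sw1_c = Switch("SW1", {"Fa0/2": 2}, native_vlan=NATIVE_VLAN)
    dropped = deliver(sw1_c, sw2, "Fa0/2", attack)
    return {"vulnerable": hopped, "unused_native": kept_a,
            "tag_native": kept_b, "non_native_port": dropped}


if __name__ == "__main__":
    for case, vlan in double_tag_demo().items():
        print(f"{case:>16}: frame lands in VLAN {vlan}")
```

In the vulnerable case the frame arrives at the second switch already carrying VLAN 100 as its outer tag; with either fix it arrives tagged 25, so the victim VLAN never sees it, and a frame sent from a port that is not in the native VLAN is dropped at the first switch, which is the precondition the post lists. The one-way nature is also visible: nothing in this model gives VLAN 100 a path back into VLAN 25.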

Understanding VLANs and Trunks

After completing this module, you should be able to do the following:

  • Describe how and when to implement and verify VLANs and trunking
  • Define the purpose and function of VLANs on Cisco Catalyst switches
  • Define the purpose and function of IEEE 802.1Q trunking on Cisco Catalyst switches
  • Define the purpose and function of VTP on Cisco Catalyst switches

Watch Now – on your iPhone

Requirements: Cisco mobile learning modules are currently available for audio- and video-enabled mobile devices including the Apple iPhone® and Apple iPod touch®, with BlackBerry® functionality coming in mid 2010. Modules also operate on Windows PCs and Mac computers. Mobile devices must have web access initially to download the free Cisco video viewer from the Apple App Store® on iTunes®. After initial download, modules operate both online and offline.

Further Information: For more information on the specific requirements for this product, please select the iPhone link above.

VLAN Basics – A look at Cisco VLAN Basics

Over the last week, I have done a fair amount of work segmenting a network with VLANs. VLAN, or virtual LAN, configuration is typically easy, but there are a few things that you need to know to be successful. This newsletter covers the basic configuration of VLANs on Catalyst switches. Examples are based on IOS switches. Check the links provided at the end of this article for examples of VLAN configurations using CatOS-based switches.

Cisco defines a VLAN as a broadcast domain within a switched network. VLANs allow you to segment your switched network so that broadcast domains are smaller, leaving more bandwidth for your end nodes. Devices that are in one VLAN do not receive broadcasts from devices in another VLAN. For devices on different VLANs to communicate, a layer 3 device (usually a router) must be used.

The first consideration for setting up VLANs in your network is planning your environment. Will the VLANs span multiple switches, or will you only be segmenting one switch? If you only have one switch to segment, you can simply configure the VLANs with no other considerations. If the VLANs need to span multiple switches, you will need to decide which switches need which VLANs and configure trunking between them. You can then either define the VLANs on every switch by hand or let VLAN Trunking Protocol (VTP) distribute the VLAN database for you; VTP is optional, and a switch in VTP transparent mode keeps a purely local database.

To configure VLANS on a single switch, you can use the following commands from privileged mode:

SwitchA# vlan database
SwitchA(vlan)# vlan 2 name vlan2
SwitchA(vlan)# exit
SwitchA# configure terminal
SwitchA(config)# interface fastethernet 0/1
SwitchA(config-if)# switchport mode access
SwitchA(config-if)# switchport access vlan 2
SwitchA(config-if)# end

These commands create VLAN number 2 and name it vlan2. Fast Ethernet interface 0/1 (on my Cat 2924XL-M) is then configured as an access port in VLAN 2. The vlan database mode shown here is the older way of creating VLANs; on current IOS you create them with vlan <id> in global configuration mode, as in the first post above. It is important to note that VLAN 1 is the default VLAN, which this switch also uses as its management VLAN, so any VLANs you create should be numbered 2 to 1001; IDs 1002-1005 are reserved for legacy FDDI and Token Ring, and the extended range 1006-4094 is only available on switches that support it.

For VLAN information to be passed between switches, trunking must be configured between them. VLAN trunking allows a single port to carry traffic from multiple VLANs between the two switches. Frames travelling over a trunk are tagged to identify which VLAN each frame belongs to. When implementing trunking between switches, the ports at either end of the connection must be set to trunk mode and the trunk encapsulation must match. Trunk encapsulation dictates the way frames are identified (tagged) on a trunk and defines the VLAN services available. There are four types of trunking encapsulation:

1) Inter-Switch Link Protocol (ISL)
Cisco proprietary trunking protocol. It encapsulates the whole frame rather than inserting a tag, and it is no longer supported on most current Catalyst platforms.

2) IEEE 802.1Q (dot1q)
Industry standard trunking protocol, and the one to plan on for any new deployment. It inserts a 4-byte tag after the source MAC address; frames of the trunk's native VLAN are sent untagged by default.

3) LAN Emulation (LANE)
Used for trunking VLANs over ATM links (legacy).

4) IEEE 802.10 (dot10)
Cisco's method for carrying VLAN identifiers inside IEEE 802.10 headers on FDDI backbones (legacy).

To set up trunking between two switches, use the following commands. On switches that support both ISL and 802.1Q the encapsulation must be chosen before the port is forced into trunk mode; dot1q-only switches do not accept the encapsulation command, so omit that line there:

SwitchA(config)# interface fastethernet 0/1
SwitchA(config-if)# switchport trunk encapsulation dot1q
SwitchA(config-if)# switchport mode trunk

Repeat commands on SwitchB.

This sets up Fast Ethernet interface 0/1 as a trunk port using dot1q encapsulation. It is important to note that once you change one side of a connection to trunk mode, communication between the two switches will be lost until the other side is configured for the same mode and encapsulation. If you are setting up trunking remotely, always change the far side of a connection first, and confirm the result on both ends with show interfaces trunk. The port is now passing traffic for all VLANs (1-1005 on this platform; 1-4094 on switches that support the extended range). To limit which VLANs are allowed on the port you can use the following commands:

SwitchA(config)# interface fastethernet 0/1
SwitchA(config-if)# switchport trunk allowed vlan remove 1-1005
SwitchA(config-if)# switchport trunk allowed vlan add 1-3

Repeat commands on SwitchB.

This removes the default of all VLANs and adds back support for VLANs 1-3 (the same result can be written in one command as switchport trunk allowed vlan 1-3). It is good practice to remove everything and add only the VLANs that are required: a trunk that carries every VLAN exposes every VLAN on the far switch to whatever can reach the near one. We now have two switches happily passing VLAN traffic for VLANs 1-3. This process is fine for a small number of switches with a limited number of VLANs. In a large environment with many switches and several VLANs, it can be difficult to maintain the configuration on each switch.
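To turn the advice in this newsletter and in the VLAN hopping post above into a repeatable check, here is an added example (not part of the original newsletter) of a small audit over IOS-style running-config text. It parses only the switchport lines shown on this page, assumes for the example that an interface without explicit settings is an access port in VLAN 1 with the trunk defaults (native VLAN 1, all VLANs allowed), and reports trunks that still carry every VLAN and trunks whose untagged native VLAN is also in use as an access VLAN. Both configs are constructed for the example: a weak one that relies on the defaults, and a hardened one with an unused native VLAN, a pruned allowed list, and native-VLAN tagging enabled.

```python
import re

DEFAULT_VLAN = 1
ALL_VLANS = set(range(1, 1006))  # default allowed list on this page's switches (1-1005)


def parse_vlan_list(spec):
    """'1-3,10,20-22' -> {1,2,3,10,20,21,22}; 'all' -> ALL_VLANS; 'none' -> empty set."""
    spec = spec.strip()
    if spec == "all":
        return set(ALL_VLANS)
    if spec == "none":
        return set()
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def parse_interfaces(config):
    """Map interface name -> switchport settings. Starts from the defaults assumed
    for this example (access port in VLAN 1; native VLAN 1; every VLAN allowed)
    and applies the 'switchport ...' lines used on this page. SVIs and loopbacks
    are not switchports and are skipped."""
    ifaces = {}
    cur = None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"interface\s+(\S+)$", line)
        if m:
            if m.group(1).lower().startswith(("vlan", "loopback")):
                cur = None
                continue
            cur = ifaces.setdefault(m.group(1), {
                "mode": "access", "access_vlan": DEFAULT_VLAN,
                "native": DEFAULT_VLAN, "allowed": set(ALL_VLANS)})
            continue
        if cur is None or not line.startswith("switchport "):
            continue
        words = line.split()
        if words[1] == "mode":
            cur["mode"] = words[2]
        elif words[1:3] == ["access", "vlan"]:
            cur["access_vlan"] = int(words[3])
        elif words[1:4] == ["trunk", "native", "vlan"]:
            cur["native"] = int(words[4])
        elif words[1:4] == ["trunk", "allowed", "vlan"]:
            if words[4] == "remove":
                cur["allowed"] -= parse_vlan_list(words[5])
            elif words[4] == "add":
                cur["allowed"] |= parse_vlan_list(words[5])
            else:
                cur["allowed"] = parse_vlan_list(words[4])
    return ifaces


def audit(config):
    """Return a list of findings for the trunk ports in an IOS-style config."""
    ifaces = parse_interfaces(config)
    tag_native = any(l.strip() == "vlan dot1q tag native" for l in config.splitlines())
    access_vlans = {i["access_vlan"] for i in ifaces.values() if i["mode"] == "access"}
    findings = []
    for name, i in ifaces.items():
        if i["mode"] != "trunk":
            continue
        if i["allowed"] == ALL_VLANS:
            findings.append(f"{name}: trunk carries every VLAN; prune it with "
                            f"'switchport trunk allowed vlan'")
        if i["native"] in access_vlans and not tag_native:
            findings.append(f"{name}: native VLAN {i['native']} is also an access VLAN "
                            f"and is sent untagged (double-tagging precondition)")
    return findings


# Constructed sample configs: the first relies on the defaults, the second does not.
WEAK_CONFIG = """\
!
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 2
!
interface FastEthernet0/3
 switchport mode access
!
interface FastEthernet0/24
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
end
"""

HARDENED_CONFIG = """\
!
vlan dot1q tag native
!
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 2
!
interface FastEthernet0/3
 switchport mode access
!
interface FastEthernet0/24
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 2,4
 switchport mode trunk
!
end
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit(cfg) or ["no findings"])
```

Feed it the output of show running-config; the weak sample produces two findings for FastEthernet0/24 (it carries every VLAN, and its untagged native VLAN 1 is also the VLAN of the unconfigured access port FastEthernet0/3), while the hardened sample produces none.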

What is a VLAN? How to Setup a VLAN on a Cisco Switch

Have you ever wondered what a Virtual LAN (or VLAN) is or been unclear as to why you would want one? If so, I have been in your place at one time too. Since then, I have learned a lot about what a VLAN is and how it can help me. In this article, I will share that knowledge with you.

What is a LAN?

Okay, most of you already know what a LAN is but let’s give it a definition to make sure. We have to do this because, if you don’t know what a LAN is, you can’t understand what a VLAN is.

A LAN is a local area network, defined as all devices in the same broadcast domain. If you remember, routers stop broadcasts; switches just forward them.

What is a VLAN?

As I said, a VLAN is a virtual LAN. In technical terms, a VLAN is a broadcast domain created by switches. Normally, it is a router creating that broadcast domain. With VLAN’s, a switch can create the broadcast domain.

This works by you, the administrator, putting some switch ports in a VLAN other than VLAN 1, the default. All ports in a single VLAN are in a single broadcast domain.

Because switches can talk to each other, some ports on switch A can be in VLAN 10 and some ports on switch B can also be in VLAN 10. Broadcasts between these devices will not be seen on any port in any other VLAN. The devices in VLAN 10 can all communicate with each other because they are on the same VLAN; without additional configuration, they cannot communicate with devices outside their VLAN.

Are VLANs required?

It is important to point out that you don't have to configure a VLAN until your network gets so large and carries so much traffic that you need one. Many times, people are simply using VLANs because the network they are working on was already using them.

Another important fact is that, on a Cisco switch, VLANs are enabled by default and ALL ports are already in a VLAN: VLAN 1. So, by default, you can just use all the ports on a switch and all devices will be able to talk to one another.

When do I need a VLAN?

You need to consider using VLANs in any of the following situations:

  • You have more than 200 devices on your LAN
  • You have a lot of broadcast traffic on your LAN
  • Groups of users need more security, or are being slowed down by too many broadcasts
  • Groups of users need to be on the same broadcast domain because they are running the same applications. An example would be a company that has VoIP phones: the phones can be placed on their own VLAN, separate from the regular users.
  • Or, just to make a single switch into multiple virtual switches.

Why not just subnet my network?

A common question is why not just subnet the network instead of using VLANs? Each VLAN should be in its own subnet. The benefit that a VLAN provides over a plainly subnetted network is that devices in different physical locations, not connected back to the same router, can be on the same network. The limitation of subnetting with a router alone is that all devices on a subnet must be connected to the same switch, and that switch must be connected to a port on the router.

With a VLAN, one device can be connected to one switch, another device can be connected to another switch, and those devices can still be on the same VLAN (broadcast domain).

How can devices on different VLAN’s communicate?

Devices on different VLANs can communicate via a router or a Layer 3 switch. As each VLAN is its own subnet, a router or Layer 3 switch must route between the subnets; that is also the point at which traffic between VLANs can be filtered.

What is a trunk port?

When there is a link between two switches or a router and a switch that carries the traffic of more than one VLAN, that port is a trunk port.

A trunk port must run a trunking protocol: Cisco's proprietary Inter-Switch Link (ISL) or the IEEE standard 802.1Q. ISL is legacy; current Catalyst switches generally support only 802.1Q.