The Basic Definition
The acronym VLAN expands to Virtual Local Area Network. A VLAN is a logical local area network (or LAN) that extends beyond a single traditional LAN to a group of LAN segments, given specific configurations. Because a VLAN is a logical entity, its creation and configuration is done completely in software.
How Is a VLAN Identified
Since a VLAN is a software concept, identifiers and configurations for a VLAN must be properly prepared for it to function as expected. Frame coloring is the process used to ensure that VLAN members or groups are properly identified and handled. With frame coloring, packets are given the proper VLAN ID at their origin so that they may be properly processed as they pass through the network. The VLAN ID is then used to enable switching and routing engines to make the appropriate decisions as defined in the VLAN configuration.
Why Use VLANs
Traditional network designs use routers to create broadcast domains and limit broadcasts between multiple subnets. This prevents broadcast floods in larger networks from consuming resources, or causing unintentional denials of service unnecessarily. Unfortunately, the traditional network design methodology has some flaws in design
- Geographic Focus - Traditional network designs focus on physical locations of equipment and personnel for addressing and LAN segment placement. Because of this there are a few significant drawbacks:
- Network segments for physically disjointed organizations cannot be part of the same address space. Each physical location must be addressed independently, and be part of its own broadcast domain. This can force personnel to be located in a central location, or to have additional latency or connectivity shortfalls.
- Relocations of personnel and departments can become difficult, especially if the original location retains its network segments. Relocated equipment will have to be reconfigured based on the new network configuration.
A VLAN solution can alleviate both of these drawbacks by permitting the same broadcast domain to extend beyond a single segment.
- Additional Bandwidth Usage - Traditional network designs require additional bandwidth because packets have to pass through multiple levels of network connectivity because the network is segmented.
A proper VLAN design can ensure that only devices that have that VLAN defined on it will receive and forward packets intended as source or destination of the network flow.
Types of VLAN
There are only two types of VLAN possible today, cell-based VLANs and frame-based VLANs.
- Cell-based VLANs are used in ATM switched networks with LAN Emulation (or LANE). LANE is used to allow hosts on legacy LAN segments to communicate using ATM networks without having to use special hardware or software modification.
- Frame-based VLANs are used in ethernet networks with frame tagging. The two primary types of frame tagging are IEEE 802.10 and ISL (Inter Switch Link is a Cisco proprietary frame-tagging). Keep in mind that the 802.10 standard makes it possible to deploy VLANs with 802.3(Ethernet), 802.5(Token-Ring), and FDDI, but ethernet is most common.
VLAN modes
There are three different modes in which a VLAN can be configured. These modes are covered below:
- VLAN Switching Mode - The VLAN forms a switching bridge in which frames are forwarded unmodified.
- VLAN Translation Mode - VLAN translation mode is used when the frame tagging method is changed in the network path, or if the frame traverses from a VLAN group to a legacy or native interface which is not configured in a VLAN. When the packet is to pass into a native interface, the VLAN tag is removed so that the packet can properly enter the native interface.
- VLAN Routing Mode - When a packet is routed from one VLAN to a different VLAN, you use VLAN routing mode. The packet is modified, usually by a router, which places its own MAC address as the source, and then changes the VLAN ID of the packet.
VLAN configurations
Different terminology is used between different hardware manufacturers when it comes to VLANs. Because of this there is often confusion at implementation time. Following are a few details, and some examples to assist you in defining your VLANs so confusion is not an issue.
Cisco VLAN terminology
You need a few details to define a VLAN on most Cisco equipment. Unfortunately, because Cisco sometimes acquires the technologies they use to fill their switching, routing and security product lines, naming conventions are not always consistent. For this article, we are focusing only one Cisco switching and routing product lines running Cisco IOS.
- VLAN ID - The VLAN ID is a unique value you assign to each VLAN on a single device. With a Cisco routing or switching device running IOS, your range is from 1-4096. When you define a VLAN you usually use the syntax "vlan x" where x is the number you would like to assign to the VLAN ID. VLAN 1 is reserved as an administrative VLAN. If VLAN technologies are enabled, all ports are a member of VLAN 1 by default.
- VLAN Name - The VLAN name is an text based name you use to identify your VLAN, perhaps to help technical staff in understanding its function. The string you use can be between 1 and 32 characters in length.
- Private VLAN - You also define if the VLAN is to be a private vlan in the VLAN definition, and what other VLAN might be associated with it in the definition section. When you configure a Cisco VLAN as a private-vlan, this means that ports that are members of the VLAN cannot communicate directly with each other by default. Normally all ports which are members of a VLAN can communicate directly with each other just as they would be able to would they have been a member of a standard network segment. Private vlans are created to enhance the security on a network where hosts coexisting on the network cannot or should not trust each other. This is a common practice to use on web farms or in other high risk environments where communication between hosts on the same subnet are not necessary. Check your Cisco documentation if you have questions about how to configure and deploy private VLANs.
- VLAN modes - in Cisco IOS, there are only two modes an interface can operate in, "mode access" and "mode trunk". Access mode is for end devices or devices that will not require multiple VLANs. Trunk mode is used for passing multiple VLANs to other network devices, or for end devices that need to have membership to multiple VLANs at once. If you are wondering what mode to use, the mode is probably "mode access".
Cisco VLAN implementations
VLAN Definition To define a VLAN on a cisco device, you need a VLAN ID, a VLAN name, ports you would like to participate in the VLAN, and the type of membership the port will have with the VLAN.
- Step 1 - Log into the router or switch in question and get into enable mode.
- Step 2 - Get into configuration mode using "conf t".
- Step 3 - Create your VLAN by entering "vlan X" where X is the ID you would like to assign the VLAN.
- Step 4 - Name your VLAN by entering "name ". Replace with the string you would like to identify your VLAN by.
- Step 5 - If you want your new VLAN to be a private-vlan, you now enter "private-vlan primary" and "private-vlan association Y" where Y is the secondary VLAN you want to associate with the primary vlan. If you would like the private VLAN to be community based, you enter "private-vlan community" instead.
- Step 6 - Exit configuration mode by entering "end".
- Step 7 - Save your configuration to memory by entering "wr mem" and to the network if you have need using "wr net". You may have to supply additional information to write configurations to the network depending on your device configuration.
VLAN Configuration A VLAN isn't much use if you haven't assigned it an IP Address, the subnet netmask, and port membership. In normal network segment configurations on routers, individual interfaces or groups of interfaces (called channels) are assigned IP addresses. When you use VLANs, individual interfaces are members of VLANs and do not have individual IP addresses, and generally don't have access lists applied to them. Those features are usually reserved for the VLAN interfaces. The following steps detail one method of creating and configuring your VLAN interface. NOTE: These steps have already assumed that you have logged into the router, gotten into enable mode, and entered configuration mode. These specific examples are based on the Cisco 6500 series devices.
- Step 1 - Enter "Interface VlanX" where X is the VLAN ID you used in the VLAN definition above.
- Step 2 - This step is optional. Enter "description " where VLAN description details what the VLAN is going to be used for. You can just simply re-use the VLAN name you used above if you like.
- Step 3 - Enter "ip address " where is the address you want to assign this device in the VLAN, and is the network mask for the subnet you have assigned the VLAN.
- Step 4 - The step is optional. Create and apply an access list to the VLAN for inbound and outbound access controls. For a standard access list enter "access-group XXX in" and "access-group YYY out" where XXX and YYY corresponds to access-lists you have previously configured. Remember that the terms are taken in respect to the specific subnet or interface, so "in" means from the VLAN INTO the router, and "out" means from the router OUT to the VLAN.
- Step 5 - This step is optional. Enter the private VLAN mapping you would like to use if the port is part of a private VLAN. This should be the same secondary VLAN you associated with the primary VLAN in VLAN definition above. Enter "private-vlan mapping XX" where XX is the VLAN ID of the secondary VLAN you would like to associate with this VLAN.
- Step 6 - This step is optional. Configure HSRP and any other basic interface configurations you would normally use for your Cisco device.
- Step 7 - Exit configuration mode by entering "end".
- Step 8 - Save your configuration to memory by entering "wr mem" and to the network if you have need using "wr net". You may have to supply additional information to write configurations to the network depending on your device configuration.
Now you have your vlan defined and configured, but no physical ports are a member of the VLAN, so the VLAN still isn't of much use. Next port membership in the VLAN is described. IOS devices describe interfaces based on a technology and a port number, as with "FastEthernet3/1" or "GigabitEthernet8/16". Once you have determined which physical ports you want to be members of the VLAN you can use the following steps to configure it. NOTE: These steps have already assumed that you have logged into the router, gotten into enable mode, and entered configuration mode.
For access ports - Step 1 - Enter "Interface " where is the name Cisco has assigned the interface you would like to associate with the VLAN.
- Step 2 - This step is optional. Enter "description " where is text describing the system connected to the interface in question. It is usually helpful to provide DNS hostname, IP Address, which port on the remote system is connected, and its function.
- Step 3 - This step depends on your equipment and IOS version, and requirements. Enter "switchport" if you need the interface to act as a switch port. Some hardware does not support switchport mode, and can only be used as a router port. Check your documentation if you don't know the difference between a router port and a switch port.
- Step 4 - Only use this step if you used step 3 above. Enter "switchport access vlan X" where X is the VLAN ID of the VLAN you want the port to be a member of.
- Step 5 - Only use this step if you used step 3 above. Enter "switchport mode access" to tell the port that you want it to be used as an access port.
- Step 6 - Exit configuration mode by entering "end".
- Step 7 - Save your configuration to memory by entering "wr mem" and to the network if you have need using "wr net". You may have to supply additional information to write configurations to the network depending on your device configuration.
For trunk ports - Step 1 - Enter "Interface " where is the name Cisco has assigned the interface you would like to associate with the VLAN.
- Step 2 - This step is optional. Enter "description " where is text describing the system connected to the interface in question. It is usually helpful to provide DNS hostname, IP Address, which port on the remote system is connected, and its function.
- Step 3 - This step depends on your equipment and IOS version, and requirements. Enter "switchport" if you need the interface to act as a switch port. Some hardware does not support switchport mode, and can only be used as a router port. Check your documentation if you don't know the difference between a router port and a switch port.
- Step 4 - Only use this step if you used step 3 above. Enter "switchport trunk encapsulation dot1q". This tells the VLAN to use dot1q encapsulation for the VLAN, which is the industry standard encapsulation for trunking. There are other encapsulation options, but your equipment may not operate with non Cisco equipment if you use them.
- Step 5 - Only use this step if you used step 3 above. Enter "switchport trunk allowed vlan XX, YY, ZZ" where XX, YY, and ZZ are VLANs you want the trunk to include. You can define one or more VLANs to be allowed in the trunk.
- Step 6 - Only use this step if you used step 3 above. Enter "switchport mode trunk" to tell the port to operate as a VLAN trunk, and not as an access port.
- Step 7 - Exit configuration mode by entering "end".
- Step 8 - Save your configuration to memory by entering "wr mem" and to the network if you have need using "wr net". You may have to supply additional information to write configurations to the network depending on your device configuration.
For private VLAN ports - Step 1 - Enter "Interface " where is the name Cisco has assigned the interface you would like to associate with the VLAN.
- Step 2 - This step is optional. Enter "description " where is text describing the system connected to the interface in question. It is usually helpful to provide DNS hostname, IP Address, which port on the remote system is connected, and its function.
- Step 3 - This step depends on your equipment and IOS version, and requirements. Enter "switchport" if you need the interface to act as a switch port. Some hardware does not support switchport mode, and can only be used as a router port. Check your documentation if you don't know the difference between a router port and a switch port.
- Step 4 - Enter "switchport private-vlan host association XX YY" where XX is the primary VLAN you want to assign, YY is the secondary VLAN you want to associate with it.
- Step 5 - Enter "switchport mode private-vlan host" to force the port to operate as a private-vlan in host mode.
- Step 6 - Exit configuration mode by entering "end".
- Step 7 - Save your configuration to memory by entering "wr mem" and to the network if you have need using "wr net". You may have to supply additional information to write configurations to the network depending on your device configuration.
You should now have your VLAN properly implemented on a Cisco IOS device.
HP VLAN terminology
HP's Procurve line of switchgear is becoming more and more prevalent in enterprise and other business environments. Because of this, it isn't uncommon to have to get Cisco and Procurve hardware to integrate, and because of terminology this can be a challenge. Below some of the VLAN terminology is defined so there is less opportunity for confusion.
- VLAN ID - Fortunately, VLAN id's are pretty much the same everywhere, the only significant differences are the range of IDs that can be used. With Procurve devices, the number of VLANs is defined in the configuration. The default maximum VLANs supported on a Procurve device differs between models and firmware revisions, but is commonly set to 8. Newer Procurve hardware supports 4,096 VLAN ids, but only 256 concurrently defined VLANs on a single device. VLAN ID 1 is reserved for the "DEFAULT_VLAN" or the default administrative VLAN.
- VLAN names - VLAN names are text fields that assist technicians to identify VLANs. Procurve allows names up to 32 characters, but if you want it to properly display in menu configuration mode, you should probably limit the name to 12 characters.
- VLAN modes - Procurve has three modes of operation for VLANs on the chassis, Untagged, Tagged, and No. Untagged mode is cisco's access mode. This mode is used for ports that connect to end nodes, or devices that will not be passing VLAN traffic forward. Tagged mode is the same as Cisco's trunk mode. This mode is used for ports that are connecting to devices that will be passing VLAN traffic forward, or for trunking multiple VLANs. No mode means that the port in question has no association whatsoever with that VLAN.
- Special note on "trunk" - Lots of confusion surrounds the word "trunk" when you go between vendor equipment. In Cisco's case, trunking is only used with VLANs. If you want to group multiple ethernet ports into a single logical ethernet group, they call it a channel-group. This is regardless of whether FEC or LACP is used for the channel properties. Procurve uses "trunk" to define a group of ethernet ports when using the HP trunking protocol, and the term "Tagged" for what Cisco calls a VLAN trunk. Of course, these two technologies have nothing to do with each other, but because of naming conventions, confusion arises.
HP Procurve VLAN implementations
VLAN Definition Most modern Procurve switches enable VLAN use by default, but if, for some reason, you have an older model, log into the switch, get into manager mode, go to the switch configuration menu (usually item 2), then the VLAN menu (usually item 8), then the VLAN support item (usually item 1), and make sure VLANs are enabled. If you change this setting, you will need to reboot the switch to get it to activate properly. The configuration menu is useful for these kinds of activities, troubleshooting, and other things, but is a little more difficult for configuring multiple switches or for using configuration templates, so the rest of the HP Procurve configuration details will be provided for the console configuration mode. Aside for enabling VLAN support as a whole, VLAN definitions and configuration are created in the same place, so the rest of the configuration examples will be provided under the VLAN configuration topic.
VLAN Configuration Configuring VLANs on a modern Procurve is pretty simple, you must first define the VLAN, set its properties, and then set up membership for ports and the VLAN mode they will support. The following list should help you accomplish these tasks. NOTE: HP has defined its interface ports by using a module/port convention. If you have a non-modular chassis (such as the 3448cl) then ports are numbered only using numbers, such as 1 or 36. If the chassis is modular (such as the 5308) then the ports number is prepended with the module slot, such as A1 or H6. No reference to the type of switch port (ethernet, fast ethernet, gigabit ethernet) is used for port reference.
- Step 1 - Log into the switch and get into manager mode. If, after logging in, you are in the configuration menu, exit the configuration menu by selecting item 5 (in most cases) or by using the arrow keys on your keyboard to highlight the "Command Line (CLI)" item.
- Step 2 - Enter "conf t" to get into terminal configuration mode.
- Step 3 - Enter "vlan X" where X is the VLAN id of the VLAN you would like to create.
- Step 4 - Name your VLAN by entering "name """ where is a text string from 1 to 32 characters (12 characters if you care about the configuration menu display). You should use quotes when naming the VLAN.
- Step 5 - Give the VLAN an IP address by entering "ip address " where is the IP address you want to assign this switch in that subnet, and is the network mask for the subnet assigned.
- Step 6 - This step is optional. If you want to assign some end node ports to the VLAN enter "untagged " where is a list of ports either comma delimited if they are non-sequential, or using a dash between list beginning and end if they are. An example of this is "untagged 1,3,5,7-16". This would configure ports 1, 3, 5, and 7 through 16 to be untagged on that VLAN.
- Step 7 - This step is optional. If you want to assign some VLAN trunk ports to the VLAN enter "tagged " where is a list of ports either comma delimited if they are non-sequential, or using a dash between list beginning and end if they are. An example of this is "untagged 1,3,5,7-16". This would configure ports 1, 3, 5, and 7 through 16 to be untagged on that VLAN.
- Step 8 - Enter "exit" to leave VLAN configuration mode.
- Step 9 - Exit configuration mode by entering "exit" again.
- Step 10 - Save your configuration by entering "wr memory".
You have now successfully configured your HP Procurve VLAN.
Vendor Summary
If you are going to integrate Cisco and HP Procurve hardware on the same network, and you intend to use VLANs there are only a few things you need to remember:
- For end nodes - Cisco uses "mode access", HP uses "untagged" mode.
- For VLAN dot1q trunks - Cisco uses "mode trunk", HP uses "tagged" mode.
- For no VLAN association - Cisco uses no notation at all, HP uses "no" mode in the configuration menu, or you have VLAN support turned off.
Next time you have to integrate the two with VLANs, this simple list should help keep you out of trouble.
Source: http://www.tech-faq.com/vlan.shtml
