Newsletter

HOME Contact Technical Website OUR SERVICES Applications Networking Security Subnet Calculator OUR CLIENTS Client List Testimonials Case Studies FRAGMENT Current Release of Fragment ABOUT US Our Founder Our Vision Media and News Services Agreement Privacy & Terms TOOLS Inverse Mask Subnet Calculator

VLAN Tutorial    

Introduction

Virtual LAN (or VLAN) technology allows for groups of network nodes with common requirements to be grouped into a single broadcast domain across one or more network switch. VLAN technology is specific to Layer-2 of the OSI model. VLAN technology provides Layer-2 segmentation between VLAN boundaries.

Technologies able to implement VLANs are:

• Ethernet
• Fast Ethernet
• Gigabit Ethernet
• 10 Gigabit Ethernet
• HiperSockets
• Asynchronous Transfer Mode (ATM)
• Fiber Distributed Data Interface (FDDI)

For the purposes of simplified explanation, a VLAN is a single logical switch. Two or more VLANs in a single physical switch make the switch appear to be two or more physical switches. A single common VLAN across multiple physical switches makes all interfaces in the switches in the same VLAN appear to be a single switch.

Port segmentation on a network device does create a VLAN. Older hubs from companies like HP and Barracuda allowed for ports to be assigned to distinct broadcast / collision domains. These devices required a separate connection from each segment to a router to allow traffic to flow between segments.

The true power of VLANs is that a single cable can carry traffic for multiple VLANs from one network device to another while maintaining the Layer-2 boundary.

VLAN Types

The standards body IEEE developed and published a means where the Ethernet packet header is altered or tagged. This methodology was published under the IEEE 802.1q standard. Prior to this publication major network gear providers built proprietary systems. These included Cisco's ISL (Inter-Switch Link, a variant of IEEE 802.10) and 3Com's VLT (Virtual LAN Trunk). All vendors, including Cisco Systems support 802.1q in their current product lines. This tutorial will be working with IEEE 802.1q only.

IEEE 802.1q
The IEEE 802.1Q header contains a 4-byte tag header containing a 2-byte tag protocol identifier (TPID) and a 2-byte tag control information (TCI). The TPID has a fixed value of 0x8100 that indicates that the frame carries the 802.1Q/802.1p tag information. The TCI contains the following elements:

• Three-bit user priority
• One-bit canonical format indicator (CFI)
• Twelve-bit VLAN identifier (VID) which uniquely identifies the VLAN to which the frame belongs

Native VLAN
The 802.1q standard has a mechanism for dealing with untagged packets in a VLAN trunk. The ‘Native VLAN’ as it is known is special. For traffic to properly flow between VLAN trunk ports the native VLAN must be agreed upon by both sides of the wire. When configuring your trunk interface it is best to explicitly state which is to be the native VLAN and not apply any tagging to the packets for this virtual LAN.

Baby Giants
The 802.1Q standard can create an interesting scenario on the network. The maximum size for an Ethernet frame as specified by IEEE 802.3 is 1518 bytes. This means that if a maximum-sized Ethernet frame gets tagged, the frame size will be 1522 bytes, a number that violates the IEEE 802.3 standard. To resolve this issue, the 802.3 committee created a subgroup called 802.3ac to extend the maximum Ethernet size to 1522 bytes. Network devices that do not support a larger frame size will process the frame successfully but may report these anomalies as a "baby giant."

Switches and Routers

True Layer-2 switches will not pass traffic from one VLAN to another as this would break the Layer-2 boundary set up by the VLAN distinction. Therefore a router or other Layer-3 aware device is required to move traffic from one VLAN to another.

Some switches now come equipped with Layer-3 awareness. For these devices a Layer-3 interface has to be enabled to provide routing between VLANs.

Most modern routers, outside of residential grade devices, are capable of participating in VLAN technologies, thus allowing a single cable to connect the router to the switch for all traffic.

While every manufacturer approaches VLAN technology in their own way, the basic approach to implementing VLANs remains the same:

1. Create the VLAN
2. Assign interfaces to the VLAN

Since Cisco Systems is the premier provider of networking gear and is commonly deployed, Cisco IOS will be used in these examples. For other manufacturers, see their documentation. These are the basic commands.

VLANs on Routers
All commands assume you are in "configure terminal" mode.

Assign Interfaces - Sub Interfaces for Routers

Step	Mode	Command	Option	Notes
1	Global	interface	type mod/port.sub	Create the sub interface.
2	Interface	encapsulation dot1q	vlan-id	Use the vlan-id for the VLAN you wish to assign.
3	Interface	ip address	ip-address mask	Set a primary IP address for an interface.

When creating sub interfaces, the parent interface can have no configuration information other than description, speed and duplex settings.

VLANs on Switches
All commands assume you are in the "configure terminal" mode.

Creating the VLAN

Step	Mode	Command	Option	Notes
1	Global	vlan	vlan-id	The vlan-id is a unique identifier for the VLAN.
2	vlan-config	name	vlan-name	A name associated with the VLAN for easier management.
		State	suspend | active	Defines the state of the VLAN.
		Mtu	mtu-size	As VLANs can cross multiple technologies the smallest MTU should be defined.

Assigning Interfaces - Layer 2

Step	Mode	Command	Option	Notes
1	Global	interface	type mod/port
2	Interface	switchport access vlan	number	Use the vlan-id for the VLAN you wish to assign

Assign Interfaces - Trunk

Step	Mode	Command	Option	Notes
1	Global	interface	type mod/port
2	Interface	switchport mode	trunk	Trunking is on for these links. They will also send DTP signals that attempt to initiate a trunk with the other side.
or	Interface	switchport mode	dynamic [auto | desirable]	These links would like to become trunk links and will send DTP signals that attempt to initiate a trunk. They will only become trunk links if the other side responds to the DTP signal.

Troubleshooting

Trouble shooting VLANs is pretty simple. As VLANs are a straight forward technology, there are few places things can go wrong. Once again we will be using IOS from Cisco Systems as the example.

The most obvious problem to occur within a single switch is that an interface is not in the correct VLAN. To see which interfaces are in which VLAN, issue the command:

The command show vlan will list all of the VLANs and which interfaces are assigned to each VLAN

Between switches or between switch and router there may be a problem if the VLAN is not being carried over the trunk. To confirm which VLANs are traversing the connections, issue the command:

show interface trunk

Sources
The following websites where used in creating this article.
Wikipedia
Cisco Press

Fragment - Current Release

---

Articles

Administration IT Roles and Responsibilities App_Sec BCP STATS On Passwords Spending Enough Planning to Fail Living With the Enemy A Reason for Policy Mission Critical Messaging – Do you have a policy Globalizing the SMB High Availability: People and Processes Case for Project Management Risk Management

Networking On Routing VLAN Tutorial IPs 4 Golden Rules WAN Technology primer DHCP Primer Your Head in the Cloud(s) DNS: Terms and Process VPN Surfing Challenge Network Slowdown Importance of Time High Availability: Technologies

Security Spammers Go Full Circle Beyond the Lock The Guardian at the Gate A Web of Trust Data Breach Notification

Misc Electricity Primer Documentation-101 Data Control Open Source in the Enterprise Closing the Loop Helping IT to help you Your ICT Keystone