Configuring VLAN interfaces in Linux

VLAN Default Configuration

Tables 17-2 through 17-6 show the default configurations for the different VLAN media types.

Table 17-2 Ethernet VLAN Defaults and Ranges

Parameter                Default                                                        Range
VLAN ID                  1                                                              1-4094
VLAN name                "default" for VLAN 1; "VLANvlan_ID" for other Ethernet VLANs
802.10 SAID              100000 + vlan_ID (100001 for VLAN 1)                           100001-104094
MTU size                 1500                                                           1500-18190
Translational bridge 1   -                                                              0-1005
Translational bridge 2   -                                                              0-1005
VLAN state               active                                                         active, suspend
Pruning eligibility      VLANs 2-1001 are pruning eligible; VLANs 1006-4094 are not pruning eligible.

Table 17-3 FDDI VLAN Defaults and Ranges

Parameter                Default                  Range
VLAN ID                  1002                     1-1005
VLAN name                "fddi-default"
802.10 SAID              101002                   1-4294967294
MTU size                 1500                     1500-18190
Ring number              -                        1-4095
Parent VLAN              -                        0-1005
Translational bridge 1   -                        0-1005
Translational bridge 2   -                        0-1005
VLAN state               active                   active, suspend

Table 17-4 Token Ring (TrCRF) VLAN Defaults and Ranges

Parameter                Default                     Range
VLAN ID                  1003                        1-1005
VLAN name                "token-ring-default"
802.10 SAID              101003                      1-4294967294
Ring number              -                           1-4095
MTU size                 VTPv1: 1500; VTPv2: 4472    1500-18190
Translational bridge 1   -                           0-1005
Translational bridge 2   -                           0-1005
VLAN state               active                      active, suspend
Bridge mode              srb                         srb, srt
ARE max hops             7                           0-13
STE max hops             7                           0-13
Backup CRF               disabled                    disable, enable

Table 17-5 FDDI-Net VLAN Defaults and Ranges

Parameter                Default                  Range
VLAN ID                  1004                     1-1005
VLAN name                "fddinet-default"
802.10 SAID              101004                   1-4294967294
MTU size                 1500                     1500-18190
Bridge number            1                        0-15
STP type                 ieee                     auto, ibm, ieee
VLAN state               active                   active, suspend

Table 17-6 Token Ring (TrBRF) VLAN Defaults and Ranges

Parameter                Default                     Range
VLAN ID                  1005                        1-1005
VLAN name                "trnet-default"
802.10 SAID              101005                      1-4294967294
MTU size                 VTPv1: 1500; VTPv2: 4472    1500-18190
Bridge number            1                           0-15
STP type                 ibm                         auto, ibm, ieee
VLAN state               active                      active, suspend

Defaults shown as "-" are not given in the source tables.

Dynamic Interfaces on WLCs

Dynamic interfaces, also known as VLAN interfaces, are created by users and designed to be analogous to VLANs for wireless LAN clients.

A controller can support up to 512 dynamic interfaces (VLANs).

Each dynamic interface is individually configured and allows separate communication streams to exist on any or all of a controller’s distribution system ports.

Each dynamic interface controls VLANs and other communications between controllers and all other network devices, and each acts as a DHCP relay for wireless clients associated to Wireless LANs (WLANs) mapped to the interface.

You can assign dynamic interfaces to distribution system ports, WLANs, the Layer 2 management interface, and the Layer 3 AP-manager interface, and you can map the dynamic interface to a backup port.

You can configure zero, one, or multiple dynamic interfaces on a distribution system port. However, all dynamic interfaces must be on a different VLAN or IP subnet from all other interfaces configured on the port.

If the port is untagged, all dynamic interfaces must be on a different IP subnet from any other interface configured on the port.

For information about the maximum number of VLANs supported on a Cisco WLC platform, see the datasheet of the respective Cisco WLC platform.

Cisco recommends using tagged VLANs for dynamic interfaces.

VLANs with WLAN controllers use this model (diagram not reproduced here).

Lab Instruction

Objective 1: On SW1, create VLAN 10 and name it DATA.

SW1>enable
SW1#config t
Enter configuration commands, one per line.  End with CNTL/Z.
SW1(config)#vlan 10
SW1(config-vlan)#name DATA
SW1(config-vlan)#exit
SW1(config)#

Objective 2: Configure Fa0/1 on SW1 as a trunk interface and set the native VLAN to 10.

SW1(config)#interface FastEthernet0/1
SW1(config-if)#switchport trunk encapsulation dot1q
SW1(config-if)#switchport mode trunk
SW1(config-if)#switchport trunk native vlan 10
SW1(config-if)#end
SW1#

Objective 3. – Verify the native VLAN on interface FastEthernet0/1 on SW1.

SW1#show interfaces Fa0/1 trunk

Port        Mode             Encapsulation  Status        Native vlan
Fa0/1       on               802.1q         other         10

Port        Vlans allowed on trunk
Fa0/1       none

Port        Vlans allowed and active in management domain
Fa0/1       none

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/1       none
SW1#

encapsulation dot1q

To enable IEEE 802.1Q encapsulation of traffic on a specified subinterface in a VLAN, use the encapsulation dot1q command in interface range configuration mode or subinterface configuration mode. To disable IEEE 802.1Q encapsulation, use the no form of this command.

Interface Range Configuration Mode

encapsulation dot1q vlan-id second-dot1q {any | vlan-id} [native]

no encapsulation dot1q

Subinterface Configuration Mode

encapsulation dot1q vlan-id second-dot1q {any | vlan-id | vlan-id-vlan-id[,vlan-id-vlan-id]}

no encapsulation dot1q vlan-id second-dot1q {any | vlan-id | vlan-id-vlan-id[,vlan-id-vlan-id]}

Native VLAN Mismatch

Trunk configuration is locally significant: the trunk settings on one switch port do not have to match the settings on the other end of the link. You can therefore configure native VLAN 10 on one side and native VLAN 20 on the other side of a single trunk link. This produces a dangerous faulty state called a native VLAN mismatch. The Cisco proprietary protocol CDP can detect this misconfiguration and reports it with a syslog error message. Note that if CDP is disabled on the link, the switch has no way to detect the mismatch automatically.

A native VLAN mismatch can cause major problems and has security implications:

  • Misdirected traffic: frames originating in the VLAN configured as native are sent untagged across the trunk. On the other end of the link they are placed in a different VLAN, because the trunk settings on the two sides do not match.
  • VLAN hopping: malicious traffic can cross VLAN boundaries.

Verify

Use this section to confirm that your configuration works properly.

Catalyst Switches Verification

Catalyst switch that runs Cisco IOS Software: show running-config interface interface_type interface_number

w-backbone-6k#show running-config interface gigabitethernet 2/1
Building configuration...

Current configuration : 190 bytes
!
interface GigabitEthernet2/1
 no ip address
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 1,81,82,171,999
 switchport mode trunk
end

WLAN Controller VLAN Verification

Verify the interface configuration. The command is show interface summary.

(W-8540-1) >show interface summary

Number of Interfaces.......................... 8

Interface Name                   Port Vlan Id  IP Address      Type    Ap Mgr Guest
-------------------------------- ---- -------- --------------- ------- ------ -----
171                              1    171      192.168.171.30  Dynamic No     No
management                       1    1        10.48.39.46     Static  Yes    No
redundancy-management            1    1        10.48.39.52     Static  No     No
redundancy-port                  -    untagged 169.254.39.52   Static  No     No
service-port                     N/A  N/A      0.0.0.0         DHCP    No     No
virtual                          N/A  N/A      1.2.3.4         Static  No     No
vlan 81                          1    81       192.168.81.46   Dynamic No     No
vlan 82                          1    82       192.168.82.46   Dynamic No     No

Verify the WLAN and the associated interface. The command is show wlan summary.

(W-8540-1) >show wlan summary

Number of WLANs.................................. 2

WLAN ID  WLAN Profile Name / SSID               Status    Interface Name        PMIPv6 Mobility
-------  -------------------------------------  --------  --------------------  ---------------
1        self-anchor / self-anchor              Disabled  management            none
2        Students / Students                    Enabled   vlan 81               none
(W-8540-1) >

Objective

A Virtual Local Area Network (VLAN) allows you to logically segment a Local Area Network (LAN) into different broadcast domains. In scenarios where sensitive data may be broadcast on a network, VLANs can be created to enhance security by confining a broadcast to a specific VLAN. Only users that belong to a VLAN are able to access and manipulate the data on that VLAN.

You can configure the ports, specify whether a port should be in access or trunk mode, and assign specific ports to VLANs. This article provides instructions on how to configure an interface VLAN as an access or trunk port on your switch through the Command Line Interface (CLI).

Introduction

VLANs segment a LAN into separate broadcast domains, as described above, and can also be used to enhance performance by reducing the need to send broadcasts and multicasts to unnecessary destinations.

Devices on which multiple protocols run cannot simply be grouped into a common VLAN. Without protocol-based VLANs, non-standard devices would be needed to pass traffic between the different VLANs in order to include the devices taking part in a specific protocol, and many VLAN features could not be used. Protocol-based VLAN groups instead assign the VLAN from the protocol (Ethernet type) carried by the frame.

VLAN groups are used to distribute traffic on a Layer 2 network: frames are classified and assigned to VLANs. Many different classifications exist, and if more than one classification scheme is defined, frames are assigned to a VLAN in this order of precedence:

  • Tag — The VLAN number is recognized from the tag.
  • MAC-based VLAN — The VLAN is recognized from the source Media Access Control (MAC)-to-VLAN mapping of the ingress interface.
  • Subnet-based VLAN — The VLAN is recognized from the source Subnet-to-VLAN mapping of the ingress interface.
  • Protocol-based VLAN — The VLAN is recognized from the Ethernet type Protocol-to-VLAN mapping of the ingress interface.
  • PVID — VLAN is recognized from the port default VLAN ID.

1. Create the VLANs (through the web-based utility or the CLI of the switch).

2. Assign interfaces to VLANs (through the web-based utility or the CLI).

Note: If the interface does not belong to the VLAN, the subnet-based group to VLAN configuration setting will not take effect.

3. Configure protocol-based VLAN groups (through the web-based utility).

4. (Optional) You can also configure the following:

  • MAC-based VLAN groups (web-based utility or CLI).
  • Subnet-based VLAN groups (web-based utility or CLI).

Command Modes

MST configuration mode (config-mst)

Usage Guidelines

The vlans vlan-range is entered as a single value or a range.

The mapping is incremental, not absolute: when you enter a range of VLANs, that range is added to or removed from the existing mapping of the instance.

Any unmapped VLAN is mapped to the CIST instance.

Examples

The following example shows how to map a range of VLANs to instance 2:

The following example shows how to map a VLAN to instance 5:

The following example shows how to move a range of VLANs from instance 2 to the CIST instance:

The following example shows how to move all the VLANs that are mapped to instance 2 back to the CIST instance:

How does a voice VLAN work?

To prioritise voice traffic it first has to be identified. A voice VLAN can identify voice traffic in two ways: by the source MAC address of the received frame (MAC address-based mode), or by the VLAN tag of the received frame (VLAN-based mode).

In MAC address-based mode the switch decides whether a frame belongs to voice traffic from the source MAC address field of the frame arriving on its interface. As shown in the figure, after the switch receives frames sent by a PC and by an IP phone it processes them as follows: if the source MAC address matches an OUI (Organizationally Unique Identifier) configured on the switch, the voice VLAN tag is added to the frame and its priority is raised. If the source MAC address does not match a configured OUI, the frame is tagged with the port's PVID and is not forwarded with priority.

In VLAN-based mode the switch decides whether a frame is voice traffic from the VLAN ID of the frame arriving on the interface. As shown in the figure, the IP phone first sends a frame to the switch. The switch then places the voice VLAN information in the corresponding fields of its reply and sends it back. Once it has learned the voice VLAN, the IP phone sends its voice frames tagged. If the tag matches the voice VLAN configured on the switch, the switch forwards the frame with priority. In this way, when the network is congested, the switch can guarantee that voice frames are transmitted first.
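The two classification modes above as an added Python example; it is not part of the original text and not vendor code. OUI rules are matched with a mask, untagged frames are classified by source MAC (MAC address-based mode) and tagged frames by VLAN ID (VLAN-based mode). The OUIs, masks, VLAN numbers and sample frames are constructed for the example. The fifth sample frame shows the caveat a practitioner should keep in mind: in VLAN-based mode the switch trusts the tag, so a PC that tags its own frames with the voice VLAN also receives voice priority.

```python
"""Added example (not vendor code): MAC-based and VLAN-based voice VLAN
classification. OUIs, masks, VLAN numbers and frames are constructed."""
from dataclasses import dataclass


def mac_to_int(mac: str) -> int:
    """'00:aa:bb:01:02:03', '00-aa-bb-01-02-03' or '00aa.bb01.0203' -> integer."""
    return int(mac.replace(":", "").replace("-", "").replace(".", ""), 16)


@dataclass(frozen=True)
class OuiRule:
    oui: str      # address prefix, e.g. "00:aa:bb:00:00:00" (constructed)
    mask: str     # bits that must match, e.g. "ff:ff:ff:00:00:00" (first 24 bits)

    def matches(self, mac: str) -> bool:
        return (mac_to_int(mac) ^ mac_to_int(self.oui)) & mac_to_int(self.mask) == 0


@dataclass
class VoiceVlanPort:
    pvid: int                 # data VLAN for frames that are not voice
    voice_vlan: int
    voice_cos: int = 5        # 802.1p priority given to voice frames
    rules: tuple = ()         # OUI rules for MAC-based mode

    def classify(self, src_mac: str, vid=None):
        """(vlan, cos, is_voice) for a frame, or None when the frame is dropped.

        vid is the 802.1Q VLAN ID the frame arrived with, None if untagged.
        Untagged frames use MAC-based mode; tagged frames use VLAN-based mode.
        """
        if vid is None:                                   # MAC-based mode
            if any(rule.matches(src_mac) for rule in self.rules):
                return self.voice_vlan, self.voice_cos, True
            return self.pvid, 0, False
        if vid == self.voice_vlan:                        # VLAN-based mode: tag is trusted
            return self.voice_vlan, self.voice_cos, True
        if vid == self.pvid:
            return self.pvid, 0, False
        return None      # ASSUMPTION: a tag for any other VLAN is dropped on this port


# Constructed port: data VLAN 15, voice VLAN 150, two made-up phone OUIs.
PORT = VoiceVlanPort(pvid=15, voice_vlan=150, rules=(
    OuiRule("00:aa:bb:00:00:00", "ff:ff:ff:00:00:00"),
    OuiRule("00:cc:dd:00:00:00", "ff:ff:ff:00:00:00"),
))

# Constructed frames: (source MAC, VLAN tag or None)
SAMPLE_FRAMES = [
    ("00:aa:bb:12:34:56", None),   # phone booting, untagged -> voice VLAN by OUI
    ("00:11:22:33:44:55", None),   # PC -> data VLAN (PVID)
    ("00:aa:bb:12:34:56", 150),    # phone after learning the voice VLAN, tagged
    ("00:11:22:33:44:55", 15),     # PC tagging its own data VLAN
    ("00:11:22:33:44:55", 150),    # PC spoofing the voice VLAN tag: accepted as voice
    ("00:11:22:33:44:55", 99),     # foreign tag -> dropped
]


def classify_all(port=PORT, frames=SAMPLE_FRAMES):
    """Classify every sample frame on the constructed port."""
    return [port.classify(mac, vid) for mac, vid in frames]


if __name__ == "__main__":
    for (mac, vid), result in zip(SAMPLE_FRAMES, classify_all()):
        print(f"{mac} tag={vid!s:>4} -> {result}")
```

The mask form lets one rule cover a vendor prefix or a narrower range of addresses; real switches populate the OUI table from their own voice VLAN configuration, and additionally advertise the voice VLAN to phones with CDP or LLDP-MED, which this model does not simulate.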

VLANs in switching

Virtual LAN (VLAN) is a technology for logically grouping network hosts and resources into virtual networks. VLANs let you split a single broadcast domain into smaller ones. When a switch receives an Ethernet frame, it tags (encapsulates) the frame with the corresponding VLAN identifier. An access port belongs to exactly one VLAN, and traffic of different VLANs is isolated from each other. The most common VLAN encapsulation protocol is IEEE 802.1Q.

Before sending a tagged frame out of a port that faces an end host, the switch strips the tag from the frame. Such ports are called access ports in Cisco terminology.

Trunk ports are used to carry tagged frames between switches. Because the frames keep their tags, the neighbouring switch sorts them into the corresponding VLANs and the segmentation is preserved.

A trunk port can also carry one untagged VLAN, called the native VLAN. Any untagged frame received on a trunk port is treated as belonging to the native VLAN.

A VLAN ID can take the values 1-4094 (the 12-bit field allows 0-4095, but 0 and 4095 are reserved). IDs 1002-1005 are reserved for FDDI and Token Ring on Cisco switches.

VLAN configuration commands on a Cisco IOS switch

Creating the required VLANs

 en	! Enter privileged EXEC mode
 conf t	! Enter global configuration mode
 vtp mode transparent	! Switch VTP to transparent mode
 vlan 5,15,20-25	! Create VLANs 5, 15 and 20-25
 exit	! Back to global configuration mode

Creating the management interface

 int vlan 5	! Create the management interface (SVI) on VLAN 5
 ip address 1.1.1.10 255.255.255.0	! Set the IP address and mask
 no shut	! Enable the interface
 exit	! Back to global configuration mode (ip default-gateway is a global command)
 ip default-gateway 1.1.1.1	! Set the default gateway

Configuring access ports

 int fa 0/10	! Go to FastEthernet port 0/10
 switchport mode access	! Put the port in access mode
 switchport access vlan 15	! Assign the port to VLAN 15

Configuring trunk ports

 int gi 0/1	! Go to GigabitEthernet port 0/1
 switchport trunk encapsulation dot1q	! Enable 802.1Q encapsulation
 switchport mode trunk	! Put the port in trunk mode
 switchport trunk allowed vlan 5,20-25	! Restrict the VLANs allowed on the trunk

Management network VLAN99

Finally, imagine that one access switch has the PC of the administrative staff, used by administrators, as well as ordinary users. Let's look at the PVID of the interfaces.

Since we need the administrator's PC VP7 to be in the same network as the switches and the router, we make it untagged.

We obtain the management address.

Turn on both PCs.

Let's check connectivity with the switches and the PC.

Let's look at the DHCP server.

Next we can create an interface-list and control the traffic through the firewall.

This completes the VLAN bridge configuration on a MikroTik router running RouterOS. Thanks for your attention.

Introduction

VLAN is a network that is usually segmented by function or application. VLANs
behave much like physical LANs, but you can group hosts even if they are not physically
co-located. A switch port can belong to a VLAN. Unicast, broadcast, and multicast packets are forwarded and
flooded out ports in the same VLAN.

VLANs can also be used to enhance performance by reducing the need to send broadcasts and multicasts to
unnecessary destinations. It also eases network configuration by logically connecting devices without physically
relocating those devices.


The image below displays an SG350X switch that is configured with the following VLANs:

  • VLAN1 — This is the default VLAN. The switch is connected to the router through this VLAN. This can be used
    but cannot be modified or deleted.
  • VLAN10 — Virtual network for the Admin department. The network address is 192.168.10.1 with subnet mask
    255.255.255.0 or /24.
  • VLAN20 — Virtual network for the Finance department. The network address is 192.168.20.1 with subnet mask
    255.255.255.0 or /24.
  • VLAN30 — Virtual network for the Operations department. The network address is 192.168.30.1 with subnet mask
    255.255.255.0 or /24.

In a bigger network, the configured VLANs with interfaces assigned as access and trunk ports on switches could
look like this:

The port modes are defined as follows:

  • Access Port — The frames received on the interface are assumed to not have a VLAN tag and are assigned to
    the specified VLAN. Access ports are used primarily for hosts and can only carry traffic for a single VLAN.
  • Trunk Port — The frames received on the interface are assumed to have VLAN tags. Trunk ports are for links
    between switches or other network devices and are capable of carrying traffic for multiple VLANs.

Note: By default, all interfaces are in trunk mode, which means they can carry traffic for all VLANs. An interface can be changed to an access or trunk port through the web-based utility of the switch.

1. Create the VLANs (through the web-based utility or the CLI of the switch).

2. (Optional) Set the desired VLAN-related configuration for ports (web-based utility or CLI).

3. Assign interfaces to VLANs (web-based utility).

4. (Optional) Configure VLAN groups on your switch. You can configure any of the following:

  • MAC-based VLAN groups (web-based utility or CLI).
  • Subnet-based VLAN groups (web-based utility or CLI).
  • Protocol-based VLAN groups (web-based utility or CLI).

5. (Optional) Configure TV VLAN settings on your switch. You can configure any of the following:

  • Access Port Multicast TV VLAN (web-based utility).
  • Customer Port Multicast TV VLAN (web-based utility).

Prerequisites

Requirements

There are no specific requirements for this document. However, this document assumes that there is a working DHCP server to provide IP addresses to the access points (APs) that are registered to the controller.

Components Used

  • Catalyst switch that runs Cisco IOS Software.

  • Cisco WLC 8540 that runs software version 8.5.120.0.

  • Access Points

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Summary

  • Inbound: untagged frames received on a trunk port are forwarded into the VLAN configured as native.
  • Outbound: frames from the VLAN configured as native are forwarded untagged.
  • Control-plane messages such as DTP and BPDUs are sent untagged.
  • Control-plane messages such as CDP and VTP are sent untagged if the native VLAN is 1; otherwise they are tagged with VLAN 1.
  • The native VLAN is configured per trunk port and is locally significant, so different VLAN numbers can be configured on the two ends of a single trunk link, leading to a native VLAN mismatch.
  • A native VLAN mismatch leads to misdirected traffic and has security implications.
  • Allowed VLANs can be specified on any trunk port with the switchport trunk allowed vlan command.
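The native VLAN and allowed-list checks summarised above, as an added Python example that is not from any of the documents quoted on this page: it parses "show running-config interface" output of the kind shown in the Verify section, taken from both ends of a trunk, and reports the asymmetries CDP would otherwise have to catch for you. The sample configurations are constructed (end A mirrors the page's GigabitEthernet2/1 example, end B is a made-up port left at its defaults), and the extra note about the default native VLAN 1 is the example's own hardening check, not a statement from the page.

```python
"""Added example (not from any source on this page): parse the running-config of
the two ends of a trunk and report a native VLAN mismatch and other asymmetries."""
import re
from dataclasses import dataclass, field

VLAN_MIN, VLAN_MAX = 1, 4094


def expand_vlan_list(spec: str) -> set:
    """IOS VLAN list syntax ('1,81,82,171,999', '5,20-25') -> set of VLAN IDs."""
    vlans = set()
    for part in spec.replace(" ", "").split(","):
        if not part:
            continue
        lo, _, hi = part.partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not VLAN_MIN <= lo <= hi <= VLAN_MAX:
            raise ValueError(f"bad VLAN range: {part!r}")
        vlans.update(range(lo, hi + 1))
    return vlans


@dataclass
class SwitchPort:
    name: str
    mode: str = "access"
    native: int = 1                  # IOS default native VLAN
    allowed: set = field(default_factory=lambda: expand_vlan_list(f"{VLAN_MIN}-{VLAN_MAX}"))


def parse_interface(config: str) -> SwitchPort:
    """Parse 'show running-config interface ...' output for one switchport."""
    port = None
    for raw in config.splitlines():
        line = raw.strip()
        if (m := re.match(r"interface (\S+)$", line)):
            port = SwitchPort(m.group(1))
        elif port is None:
            continue                          # header lines before 'interface'
        elif line == "switchport mode trunk":
            port.mode = "trunk"
        elif (m := re.match(r"switchport trunk native vlan (\d+)$", line)):
            port.native = int(m.group(1))
        elif line.startswith("switchport trunk allowed vlan "):
            rest = line[len("switchport trunk allowed vlan "):]
            verb, _, spec = rest.partition(" ")
            if verb == "all":
                port.allowed = expand_vlan_list(f"{VLAN_MIN}-{VLAN_MAX}")
            elif verb == "none":
                port.allowed = set()
            elif verb == "add":
                port.allowed |= expand_vlan_list(spec)
            elif verb == "remove":
                port.allowed -= expand_vlan_list(spec)
            else:                              # a plain list replaces the set
                port.allowed = expand_vlan_list(rest)
    if port is None:
        raise ValueError("no 'interface' line in config")
    return port


def check_trunk_pair(a: SwitchPort, b: SwitchPort) -> list:
    """Findings as (severity, message). The native mismatch is the error the page
    describes; the 'default native VLAN 1' note is an added hardening check."""
    findings = []
    if a.mode != "trunk" or b.mode != "trunk":
        findings.append(("error", f"{a.name}/{b.name}: both ends must be trunks"))
    if a.native != b.native:
        findings.append(("error", f"native VLAN mismatch: {a.name}={a.native}, {b.name}={b.native}"))
    one_sided = a.allowed ^ b.allowed
    if one_sided:
        findings.append(("warn", f"VLANs allowed on one end only: {sorted(one_sided)}"))
    for p in (a, b):
        if p.native == 1:
            findings.append(("info", f"{p.name} uses the default native VLAN 1"))
    return findings


# Constructed sample: end A mirrors the page's example, end B was left at defaults.
SW_A = """\
Building configuration...
Current configuration : 190 bytes
!
interface GigabitEthernet2/1
 no ip address
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 1,81,82,171,999
 switchport mode trunk
end
"""
SW_B = """\
interface GigabitEthernet1/0/24
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,81,82,171
 switchport mode trunk
end
"""

if __name__ == "__main__":
    for sev, msg in check_trunk_pair(parse_interface(SW_A), parse_interface(SW_B)):
        print(f"[{sev}] {msg}")
```

Run against the two samples it reports the native mismatch (999 versus the implicit 1), VLAN 999 being allowed on one end only, and the default native VLAN on end B. The same parser can be fed the output collected from every trunk in an inventory, which is the practical way to find mismatches on links where CDP is disabled.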

Cisco's version

By "trunk", Cisco means a point-to-point link (a link that directly connects two devices) between a switch and another network device, for example another switch or a router. Its job is to carry the traffic of several VLANs over a single link and give them access to the whole network. Colloquially it is simply called a "trunk", which is logical enough.

Let's start with what a VLAN is.

VLAN stands for Virtual Local Area Network. It is a technology that lets you split one physical network into several logical networks that operate independently of each other. For example, a company has an HR department, an accounting department and an IT department. Each has its own switches, connected through a central switch into a single network, and the networks of these departments need to be separated from each other. This is where VLAN technology helps.

This is what a network divided into VLANs (virtual networks) looks like.

Different colours are often used to denote VLANs.

So the ports marked green belong to one VLAN and the ports marked red to another. The computers in one VLAN can then communicate only with each other, and not with the computers in the other VLAN.

Changes to the switching table with VLANs

When VLANs are created, one more field is added to the switches' forwarding table, holding the VLAN identifiers. Simplified, it looks like this:

Here we see that ports 1 and 2 belong to VLAN 2, and ports 3 and 4 to VLAN 10.

Moving on. At the data link layer, data is transmitted as frames. When frames are passed from one switch to another, information about which VLAN each frame belongs to is needed. This information is added to the transmitted frame. Today the open standard IEEE 802.1Q is used for this purpose. Step-by-step evolution of a frame in a VLAN:

  1. The computer generates and sends an ordinary frame (a frame is the data link layer packet, i.e. the layer switches work at), adding nothing to it. The frame looks like this:
  2. The switch receives the frame. From its forwarding table it knows which computer the frame came from and which VLAN that computer belongs to. The switch then adds service information to the frame, the so-called tag. The tag is a field after the source MAC address that contains, roughly speaking, the VLAN number. A tagged frame looks like this:

The switch then sends this frame to another switch.

  3. The switch that receives the frame extracts the VLAN information from it, i.e. determines which computer the frame must be delivered to, removes all the service information from the frame and passes it to the destination computer.

  4. The frame arrives at the destination computer without the service information.

Now back to our "trunk". Switch ports that support VLANs can be divided into two groups:

  1. Tagged ports (trunk ports in Cisco terms)
  2. Untagged ports (access ports)

We are interested in tagged ports, i.e. trunk ports. They exist precisely so that data belonging to different VLANs can be sent through one port, and data from several VLANs can be received on one port (remember that ports in different VLANs normally do not see each other).

In this picture the tagged ports are ports 21 and 22, which connect the two switches. Frames will pass through them, for example from computer E to computer A, which are in the same VLAN, according to the scheme described above.

So the link between these ports is what Cisco calls a "trunk".

VLAN Types

Untagged VLANs

A switchport may be a ‘tagged’ or ‘untagged’ port. An untagged port, or access port on a Cisco switch, connects to hosts (such as a server). The host is unaware of any VLAN configuration.

The connected host sends its traffic without any VLAN tag on the frames. When the frame reaches the switch port, the switch will add the VLAN tag. The switch port is configured with a VLAN ID that it will put into the tag.

Most switch ports will use this mode by default, with VLAN ID 1.

When a frame leaves an untagged port, the switch strips the VLAN tag from the frame. The traffic is then forwarded as normal.

The following diagram shows this process:

The traffic flows like this:

  1. Host A sends traffic to the switch. The traffic does not have a VLAN tag
  2. The frame is received on port 1 of the switch. This is an untagged port, configured with VLAN ID 10. The switch then inserts the VLAN tag into the frame
  3. The switch determines that the frame needs to be forwarded out of port 2. This is also an untagged port, so The VLAN tag is stripped from the frame
  4. Host B receives the untagged frame as normal

Tagged VLANs

A port is a ‘tagged port’ when the interface is expecting frames containing VLAN tags. An example of this is when two switches are connected, and pass tagged traffic. Cisco switches use the term ‘trunk’ to refer to a tagged port.

The sender will send a frame with a VLAN tag. The receiving switch will see the VLAN tag, and if the VLAN is allowed, it will forward the frame as required. For example, a broadcast may be received on VLAN 10. In this case, the switch will flood the frame to all other ports configured with VLAN 10.

Here, you can see this process in action:

In this case, the following will happen:

  1. A host will send a frame without a tag
  2. The frame enters an untagged port on switch 1, configured with VLAN 10 in this case. The switch adds the VLAN tag to the frame
  3. Switch 1 determines that port 2 should send this frame to switch 2. This is a tagged port, so it checks that VLAN 10 is allowed on this port. If it is, it leaves the tag intact, and sends the frame. If VLAN 10 is not allowed, it drops the frame
  4. Switch 2 receives the frame on tagged port 1. This switch also determines if VLAN 10 is allowed on this port, and drops it if it is not. Switch 2 determines that port 2 should send the frame
  5. Since port 2 is an untagged port, it strips the tag from the frame, and then sends it
  6. Host B receives the untagged frame

Native VLANs

In some cases, an untagged frame will arrive on a tagged port. To handle this, tagged ports have a special VLAN configured on them called the untagged VLAN. This is also known as the ‘native VLAN’.

The switch assigns any untagged frame that arrives on a tagged port to the native VLAN. If a frame on the native VLAN leaves a trunk (tagged) port, the switch strips the VLAN tag out.

In short, the native VLAN is a way of carrying untagged traffic across one or more switches.

Consider this example. The ports that the hosts connect to are trunk ports, with native VLAN 15 configured.

  1. Host A sends a frame with no VLAN tag
  2. Switch 1 receives the frame on the trunk port. It does not have a tag, so it adds the VLAN ID 15 tag to the frame
  3. The switch sends the frame out of port 2. The frame has a tag for VLAN 15, which matches the native VLAN on port 2, so the switch strips the tag out
  4. Host B receives the frame

Carrying untagged traffic has its uses. This happens when one switch wants to send information to another switch.

An example of switch-to-switch communication is CDP. CDP is a Cisco protocol used to share information about connected devices.

In this case, if there is a trunk link between two switches, how does the sending switch decide which VLAN to use? In short, it sends untagged traffic, which is on the native VLAN.

Other VLAN Types

Be aware that there are other VLAN types and uses, which fall outside the scope of this article. So far data VLANs have been covered, but there are also voice VLANs.

There are also different ways of using data VLANs. This includes reserving VLANs for management, or creating ‘remote VLANs’ for use in ERSPAN ports.

Additionally there are methods of manipulating VLANs for security, such as private VLANs. This is a method of subdividing VLANs to segregate traffic within a VLAN.

It’s also possible to use double-tagging, which is adding two tags to a frame. This is sometimes used by service providers to keep customer traffic separate. It may also be used to extend the number of available VLANs. Unfortunately, this is also commonly associated with an attack called ‘VLAN Hopping’.
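The tag handling described in the sections above (access ports inserting and stripping the tag, trunk ports and the allowed list, the native VLAN, and double-tagging) as one added Python model; it is not code from the original article or from any vendor. It reproduces the outcomes the text discusses: normal forwarding, misdirection under a native VLAN mismatch, VLAN hopping by double-tagging, and what happens to the same crafted frame when the native VLAN is moved to an ID no access port uses. The assumption that an access port accepts a frame already tagged with its own VLAN is the model's own and is marked in the code; the MAC addresses and payload are constructed.

```python
"""Added example (not code from any source on this page): a minimal model of
802.1Q tag handling on access and trunk ports, used to show normal forwarding,
a native VLAN mismatch, and double-tagging (VLAN hopping)."""
import struct
from dataclasses import dataclass

ETH_P_8021Q = 0x8100   # TPID of an 802.1Q tag
ETH_P_IP = 0x0800
ALL_VLANS = frozenset(range(1, 4095))


def _mac(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))


def raw_frame(dst="ff:ff:ff:ff:ff:ff", src="00:11:22:33:44:55", payload=b"hi") -> bytes:
    """Constructed untagged Ethernet frame: dst, src, EtherType, payload."""
    return _mac(dst) + _mac(src) + struct.pack("!H", ETH_P_IP) + payload


def outer_vid(frame: bytes):
    """VLAN ID of the outermost 802.1Q tag, or None if the frame is untagged."""
    if struct.unpack("!H", frame[12:14])[0] != ETH_P_8021Q:
        return None
    return struct.unpack("!H", frame[14:16])[0] & 0x0FFF


def push_tag(frame: bytes, vid: int, pcp: int = 0) -> bytes:
    """Insert an 802.1Q tag after the source MAC (TPID + TCI = PCP/DEI/VID)."""
    tci = (pcp << 13) | (vid & 0x0FFF)
    return frame[:12] + struct.pack("!HH", ETH_P_8021Q, tci) + frame[12:]


def pop_tag(frame: bytes) -> bytes:
    """Remove the outermost 802.1Q tag."""
    assert outer_vid(frame) is not None
    return frame[:12] + frame[16:]


@dataclass
class Port:
    mode: str                          # "access" or "trunk"
    vlan: int = 1                      # access VLAN, or the native VLAN of a trunk
    allowed: frozenset = ALL_VLANS     # trunk only: VLANs permitted on the link

    def ingress(self, frame):
        """Classify a received frame: returns (vlan, frame) or None when dropped."""
        vid = outer_vid(frame)
        if self.mode == "access":
            if vid is None:
                return self.vlan, push_tag(frame, self.vlan)
            # ASSUMPTION of this model: a frame already tagged with the access VLAN
            # is accepted unchanged. This is the behaviour double-tagging relies on.
            return (self.vlan, frame) if vid == self.vlan else None
        if vid is None:                              # untagged on a trunk -> native VLAN
            return self.vlan, push_tag(frame, self.vlan)
        return (vid, frame) if vid in self.allowed else None

    def egress(self, vlan, frame):
        """Return the frame as it leaves the port, or None when not forwarded."""
        if self.mode == "access":
            return pop_tag(frame) if vlan == self.vlan else None
        if vlan not in self.allowed:
            return None
        return pop_tag(frame) if vlan == self.vlan else frame   # native leaves untagged


def far_end_vlan(in_port, sw1_trunk, sw2_trunk, frame):
    """VLAN in which switch 2 classifies a frame that entered switch 1 on in_port."""
    hit = in_port.ingress(frame)
    if hit is None:
        return None
    wire = sw1_trunk.egress(*hit)
    if wire is None:
        return None
    hit = sw2_trunk.ingress(wire)
    return None if hit is None else hit[0]


def demo_normal():
    """VLAN 10 host, trunks with native 99: arrives at switch 2 as VLAN 10."""
    trunk = Port("trunk", vlan=99, allowed=frozenset({10, 20, 99}))
    return far_end_vlan(Port("access", vlan=10), trunk, trunk, raw_frame())


def demo_not_allowed():
    """VLAN 30 is pruned from the trunk, so the frame is dropped."""
    trunk = Port("trunk", vlan=99, allowed=frozenset({10, 20, 99}))
    return far_end_vlan(Port("access", vlan=30), trunk, trunk, raw_frame())


def demo_native_mismatch():
    """Native 10 on one end, 20 on the other: VLAN 10 traffic lands in VLAN 20."""
    return far_end_vlan(Port("access", vlan=10), Port("trunk", vlan=10),
                        Port("trunk", vlan=20), raw_frame())


def demo_double_tag(native=1):
    """Attacker in access VLAN 1 sends [tag 1][tag 20]. With native 1 the outer tag
    is stripped on the trunk and switch 2 reads the inner tag 20 (VLAN hopping).
    With an unused native VLAN the outer tag survives and switch 2 sees VLAN 1."""
    crafted = push_tag(push_tag(raw_frame(), 20), 1)
    return far_end_vlan(Port("access", vlan=1), Port("trunk", vlan=native),
                        Port("trunk", vlan=native), crafted)


if __name__ == "__main__":
    print("normal:", demo_normal(), " pruned:", demo_not_allowed())
    print("native mismatch:", demo_native_mismatch())
    print("double tag, native 1:", demo_double_tag(), " native 999:", demo_double_tag(999))
```

The last demonstration is the reason for the usual hardening advice: set the native VLAN of every trunk to an ID that no access port uses, and prune VLANs that do not need to cross a trunk from its allowed list, so that a frame which keeps its outer tag is classified into a VLAN where it does no harm.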

Configure InterVLAN Routing

Task

In this section, you are presented with the information to configure the features described in this document.

This logical diagram explains a simple interVLAN routing scenario. The scenario can be expanded to include a multi-switch environment if you first configure and test inter-switch connectivity across the network before you configure the routing capability. For such a scenario that uses a Catalyst 3550, refer to Configuring InterVLAN Routing with Catalyst 3550 Series Switches.

Step-by-Step Instructions

Complete these steps in order to configure a switch to perform interVLAN routing.

  1. Enable routing on the switch with the ip routing command. Even if IP routing was previously enabled, this step ensures that it is activated.

    Switch(config)#ip routing
    

    Note: If the switch does not accept the command, upgrade to either SMI image Cisco IOS Software Release12.1(11)EA1 or later, or an EMI image, and repeat this step. See the section for more information.

    Tip: Check the running configuration and verify whether ip routing is enabled. The command, if enabled, appears towards the top of the output:

    hostname Switch
    !
    !
    ip subnet-zero
    ip routing
    !
    vtp domain Cisco
    vtp mode transparent

  2. Make note of the VLANs that you want to route between. In this example, you want to route traffic between VLANs 2, 3 and 10.

  3. Verify that the VLANs exist in the VLAN database. If they do not exist, add them on the switch. This example shows the addition of VLANs 2, 3, and 10 to the switch VLAN database:

    Switch#vlan database
    Switch(vlan)#vlan 2
    VLAN 2 added:
        Name: VLAN0002
    Switch(vlan)#vlan 3
    VLAN 3 added:
        Name: VLAN0003
    Switch(vlan)#vlan 10
    VLAN 10 added:
        Name: VLAN0010
    Switch(vlan)#exit
    APPLY completed.
    Exiting....

    Tip: You can use VLAN Trunking Protocol (VTP) in order to propagate these VLANs to other switches. Refer to Understanding and Configuring VLAN Trunk Protocol (VTP).

  4. Determine the IP addresses you want to assign to the VLAN interface on the switch. For the switch to be able to route between the VLANs, the VLAN interfaces must be configured with an IP address. When the switch receives a packet destined for another subnet/VLAN, the switch looks at the routing table in order to determine where to forward the packet. The packet is then passed to the VLAN interface of the destination. It is in turn sent to the port where the end device is attached.

  5. Configure the VLAN interfaces with the IP address identified in step 4.

    Switch#configure terminal
    Enter configuration commands, one per line.  End with CNTL/Z.
    Switch(config)#interface Vlan2
    Switch(config-if)#ip address 10.1.2.1 255.255.255.0
    Switch(config-if)#no shutdown
    

    Repeat this process for all VLANs identified in step 2.

  6. Configure the interface to the default router. In this scenario you have a Layer 3 FastEthernet port.

    Switch(config)#interface FastEthernet 0/1
    Switch(config-if)#no switchport
    Switch(config-if)#ip address 200.1.1.1 255.255.255.0
    Switch(config-if)#no shutdown
    

    The no switchport command makes the interface Layer 3 capable. The IP address is in the same subnet as the default router.

    Note: This step can be omitted if the switch reaches the default router through a VLAN. In its place, configure an IP address for that VLAN interface.

  7. Configure the default route for the switch.

    Switch(config)#ip route 0.0.0.0 0.0.0.0 200.1.1.2
    

    From the diagram in the section, note that the IP address of the default router is 200.1.1.2. If the switch receives a packet for a network not in the routing table, it forwards it to the default gateway for further processing. From the switch, verify that you can ping the default router.

    Note: The ip default-gateway command is used to specify the default gateway when routing is not enabled. However, in this case, routing is enabled (from step 1). Therefore, the command is unnecessary.

  8. Configure your end devices to use the respective Catalyst 3550 VLAN interface as their default gateway. For example, devices in VLAN 2 should use the interface VLAN 2 IP address as its default gateway. Refer to the appropriate client configuration guide for more information on how to designate the default gateway.

  9. (Optional) When you implement Inter-VLAN routing, you can also isolate some VLANs from being routed. Refer to the section of Creating Ethernet VLANs on Catalyst Switches for more information.
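The forwarding decision the switch makes once steps 4 through 7 are in place, as an added Python example that is not from the Cisco document: connected routes come from the SVIs and the routed port, the static default route is resolved through a connected interface, and the destination is matched by longest prefix. Only the VLAN 2 address 10.1.2.1/24, the uplink 200.1.1.1/24 on FastEthernet0/1 and the default gateway 200.1.1.2 come from the procedure; the VLAN 3 and VLAN 10 addresses are assumptions of the example.

```python
"""Added example (not from the Cisco document): the route lookup an
inter-VLAN-routing switch performs after the SVIs, the routed uplink and the
default route are configured."""
import ipaddress


class L3Switch:
    def __init__(self):
        self.routes = []   # (network, out_interface, next_hop or None when connected)

    def add_svi(self, vlan: int, address: str):
        """interface VlanN + ip address: adds a connected route for the VLAN subnet."""
        iface = ipaddress.ip_interface(address)
        self.routes.append((iface.network, f"Vlan{vlan}", None))

    def add_routed_port(self, name: str, address: str):
        """no switchport + ip address on a physical port (step 6)."""
        iface = ipaddress.ip_interface(address)
        self.routes.append((iface.network, name, None))

    def add_static(self, prefix: str, next_hop: str):
        """ip route PREFIX MASK NEXT_HOP (step 7); the next hop must be reachable
        through a connected subnet, otherwise the route cannot be installed."""
        nh = ipaddress.ip_address(next_hop)
        out = self._connected_interface(nh)
        if out is None:
            raise ValueError(f"next hop {next_hop} is not on a connected subnet")
        self.routes.append((ipaddress.ip_network(prefix), out, nh))

    def _connected_interface(self, addr):
        for net, out, nh in self.routes:
            if nh is None and addr in net:
                return out
        return None

    def lookup(self, dst: str):
        """Longest-prefix match. Returns (out_interface, next_hop or None) or None."""
        addr = ipaddress.ip_address(dst)
        best = None
        for net, out, nh in self.routes:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, out, nh)
        if best is None:
            return None
        _, out, nh = best
        return out, (str(nh) if nh is not None else None)

    def route_between(self, src_vlan: int, dst: str):
        """For a host in src_vlan: where does a packet to dst leave, and is it routed
        (leaves through another interface) or stays in the source VLAN?"""
        hit = self.lookup(dst)
        if hit is None:
            return None
        out, nh = hit
        return {"out": out, "next_hop": nh, "routed": out != f"Vlan{src_vlan}"}


def build_example():
    """The switch from the procedure; VLAN 3 and VLAN 10 subnets are assumed."""
    sw = L3Switch()
    sw.add_svi(2, "10.1.2.1/24")
    sw.add_svi(3, "10.1.3.1/24")            # assumption
    sw.add_svi(10, "10.1.10.1/24")          # assumption
    sw.add_routed_port("FastEthernet0/1", "200.1.1.1/24")
    sw.add_static("0.0.0.0/0", "200.1.1.2")
    return sw


if __name__ == "__main__":
    sw = build_example()
    for dst in ("10.1.3.7", "10.1.10.20", "200.1.1.9", "8.8.8.8"):
        print(dst, "->", sw.lookup(dst))
```

A destination inside one of the SVI subnets wins over the default route because of the longer prefix; anything else leaves through the routed port towards 200.1.1.2, which is why step 7 asks you to ping the default router before relying on it. Hosts use their own SVI address as gateway (step 8), so the "routed" flag is exactly the case in which the switch, not the host, performs the forwarding.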
