Virtual LAN – VLAN
VLAN = Subnet = Broadcast Domain
A layer 2 switch only allows communication between devices in the same vlan; for communication between different vlans we need a layer 3 device (router, multilayer switch, etc.) to route between them. Layer 3 devices do not forward broadcasts.
Vlans allow us to segment the network according to traffic patterns, application types or user groups, which improves management and troubleshooting, to name a few benefits. VLAN IDs fall into the following ranges:
- Normal range (id 1-1005, including special use ones, stored in vlan.dat).
- Extended range (id 1006-4094). VTP v1 and v2 do not propagate them (the switch must be in VTP transparent mode to create them) and they are stored in the running-config; only VTP v3 can propagate them.
- Special use (1,1002-1005). These are automatically created and reserved for special uses.
jmcristobal# configure terminal
jmcristobal(config)# vlan vlan-id
jmcristobal(config-vlan)# name nombre-de-vlan
!
! ### Example: configuration of vlan 10 and 20 ###
jmcristobal(config)#vlan 10
jmcristobal(config-vlan)#name Empleados
jmcristobal(config-vlan)#vlan 20
jmcristobal(config-vlan)#name Visitantes
jmcristobal(config-vlan)#end
jmcristobal#
The vlan name is optional; if we do not assign one, the switch uses the default name VLAN followed by the ID zero-padded to four digits; for example, VLAN 20 would be named VLAN0020. A vlan name can be up to 32 characters long.
Validate that the vlans have been created on the switch:
jmcristobal#sh vlan brief

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi0/0, Gi0/1, Gi0/2, Gi0/3
                                                Gi1/3
10   Empleados                        active    Gi1/0, Gi1/1
20   Visitantes                       active    Gi1/2
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup
jmcristobal#
When a vlan is created, its operational state is active by default. A vlan can be disabled either locally on one switch or globally across the whole VTP domain; the commands are as follows.
Disable/Enable a vlan across the whole VTP domain:
jmcristobal(config)# vlan 50
jmcristobal(config-vlan)# state {suspend | active}
Disable/Enable a vlan locally on a switch:
jmcristobal(config)# vlan 50
jmcristobal(config-vlan)# [no] shutdown
Once the vlans have been created, the next step is to assign them to the switch ports.
Access Port
- Static
- Dynamic
jmcristobal# configure terminal
jmcristobal(config)# interface interface-id
jmcristobal(config-if)# switchport mode access
jmcristobal(config-if)# switchport access vlan vlan-id
!
! Example: Assigning port g1/2 to vlan 20
jmcristobal(config)#inter gig1/2
jmcristobal(config-if)#switchport mode access
jmcristobal(config-if)#switchport access vlan 20
On multilayer switches it is necessary to specify that the port will work at layer 2 before configuring it as an access port. Otherwise, we will receive a message like the following:
jmcristobal(config-if)#switchport mode access
Command rejected: Et1/5 not a switching port.
To tell the switch that the port will work at layer 2, simply enter the switchport command before putting it in access mode, for example:
jmcristobal(config)#interface gig1/5
jmcristobal(config-if)#switchport
jmcristobal(config-if)#switchport mode access
jmcristobal(config-if)#switchport access vlan 20
Note: when an access port is assigned to a VLAN that does not yet exist, the VLAN is created in the vlan.dat file with its default name VLANxxxx. This does not happen when a vlan is merely allowed on a trunk; in that scenario the vlan is not created.
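As an added example (not part of the original post), the following Python script parses the "show vlan brief" output shown above and audits it for two things a reviewer of a switch config wants to know: which ports are still sitting in the default VLAN 1, and which vlans only carry the auto-generated VLANxxxx name (typically a sign they were created implicitly by an access-port assignment rather than deliberately). The sample output is constructed to mirror the one in the text, with VLAN 20 left unnamed so the check has something to find.

```python
import re

# Constructed sample modelled on the "show vlan brief" output above
# (same layout; VLAN 20 deliberately left with its default name).
SAMPLE = """\
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi0/0, Gi0/1, Gi0/2, Gi0/3
                                                Gi1/3
10   Empleados                        active    Gi1/0, Gi1/1
20   VLAN0020                         active    Gi1/2
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup
"""

# A data row: id, name, status, optional port list (assumes names without spaces).
ROW = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s*(.*)$")

def _ports(field):
    return [p for p in re.split(r",\s*", field.strip()) if p]

def parse_vlan_brief(text):
    """Return {vlan_id: {"name", "status", "ports"}}. Port lists that wrap
    onto an indented continuation line (as VLAN 1 does) are appended to
    the most recently parsed VLAN."""
    vlans, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith(("VLAN", "----")):
            continue  # header / separator
        m = ROW.match(line)
        if m:
            vid, name, status, ports = m.groups()
            current = int(vid)
            vlans[current] = {"name": name, "status": status, "ports": _ports(ports)}
        elif current is not None and line.startswith(" "):
            vlans[current]["ports"] += _ports(line)  # wrapped port list
    return vlans

def default_vlan_name(vid):
    """Name IOS assigns when none is given: 'VLAN' + id zero-padded to 4 digits."""
    return f"VLAN{vid:04d}"

def audit(vlans):
    """Flag ports left in VLAN 1 and vlans that still carry the default name."""
    return {
        "ports_in_vlan1": sorted(vlans.get(1, {"ports": []})["ports"]),
        "unnamed_vlans": sorted(v for v, d in vlans.items() if d["name"] == default_vlan_name(v)),
    }
```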
- Dynamic VLANs assign membership based on the MAC address of the end-user device.
- They use a VLAN Membership Policy Server (VMPS) database.
- In that database each user's MAC address must be associated with a vlan.
- They give end-users great flexibility and mobility.
- They require more administrative work: adding new computers, updating end-user MACs, etc.
- They require trunking and 802.1x to be turned off on the port.
For more information: