VLAN:- (Virtual Local Area Network)



VLAN:- (Virtual LANs) are logical groupings of devices in the same broadcast domain. Each VLAN is treated as its own subnet or broadcast domain. This means that frames broadcast onto the network are switched only between the ports within the same VLAN. In other words:

VLAN means virtual LAN, i.e. something that exists virtually rather than physically. "VLAN is the method of breaking a single switch to act as multiple switches": if I create multiple VLANs (VLAN-1 and VLAN-2) and assign some ports to each VLAN (say ports 1 to 5 in VLAN-1 and ports 6 to 10 in VLAN-2), then the users connected within VLAN-1 can communicate with each other but not with the users connected to VLAN-2.

Depending on the VLAN range, they are classified as:-
  • Normal VLAN
  • Extended VLAN
  • Voice VLAN
Normal VLAN
  • VLAN 1 is the default VLAN and can't be renamed
  • VLANs 2-1001 can be created and are used for ordinary Ethernet networks
  • VLANs 1002-1005 are reserved for FDDI/Token Ring networks
  • The default range of VLANs is 1024 (Cisco Catalyst switches supported only up to 1024 VLANs)
  • ISL uses a 10-bit VLAN ID (up to 1024 VLANs)
Extended VLAN
  • 802.1Q includes a 12-bit VLAN ID field (up to 4096 VLANs)
  • Cisco refers to the VLANs between 1025 and 4096 as extended-range VLANs
i.e. the VLAN range 1025-4096 is called the extended VLAN range. It is supported only on some specific platforms, and we can use it to add more VLANs to our network. Most Catalyst switches support extended VLANs under the following restrictions:

Restrictions:-1
  • VTP cannot be used for VLAN management (VTP must be configured as transparent or off)
  i.e. the extended VLAN range will not work if the VTP mode is anything other than transparent or off. If we try to create an extended VLAN in server mode, we get the message shown below:
    Sw1(config)# vtp mode server
    Sw1(config)# vlan 3500
    Sw1(config-vlan)# exit

    % fail to create vlan 3500
    Extended vlan(s) not allowed in current VTP mode
    %failed to commit extended VLANs changes.
So if we are using extended VLANs we have to put VTP in either transparent mode or off mode; if we create an extended VLAN in transparent mode, the VLAN is created without any problem.
    Sw1(config)# vtp mode transparent
    Sw1(config)# vlan 3500
    Sw1(config-vlan)# name management
    Sw1(config-vlan)# exit

The result can be seen with:
    Sw1# show vlan

Restrictions:-2
  • STP – the extended system ID feature has to be enabled; by default it is enabled and can't be disabled.
  • The extended system ID is the combination of priority + VLAN information, i.e. when STP selects the root bridge it takes the priority value and adds the VLAN number to it; this combined value is called the extended system ID.
It can be verified with:
    SW1# show spanning-tree summary
    Switch is in pvst mode
    Root bridge for:
    Extended system ID           is enabled
    Portfast Default             is disabled
    PortFast BPDU Guard Default  is disabled
    Portfast BPDU Filter Default is disabled
    Loopguard Default            is disabled
    EtherChannel misconfig guard is disabled
    UplinkFast                   is disabled
    BackboneFast                 is disabled
    Configured Pathcost method used is short
It can't be removed: the command
    SW1(config)# no spanning-tree extend system-id
is rejected with an error message.
So the overall conclusion for extended VLANs is that we need:
  • VTP in either transparent mode or off mode
  • a system with extended system ID support
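The following is an added example, not part of the original post, showing what the extended system ID restriction actually changes: the 16-bit priority field in a BPDU is split into a 4-bit configurable priority and a 12-bit VLAN ID, so the priority advertised per VLAN is priority + VLAN number, and PVST+ elects a root bridge per VLAN from that value. The switch names, MAC addresses and priorities are constructed for the demo.

```python
PRIORITY_STEP = 4096     # 4-bit priority field, so values are multiples of 4096
MAX_VLAN_ID = 4095       # 12-bit system ID extension carries the VLAN number
DEFAULT_PRIORITY = 32768

def bridge_priority(configured_priority, vlan_id):
    """16-bit priority field sent in BPDUs for one VLAN.

    With extended system ID the field is a 4-bit priority plus a 12-bit
    VLAN ID, so the default priority on VLAN 20 is advertised as 32768 + 20.
    """
    if configured_priority % PRIORITY_STEP or not 0 <= configured_priority <= 61440:
        raise ValueError("priority must be a multiple of 4096 between 0 and 61440")
    if not 0 <= vlan_id <= MAX_VLAN_ID:
        raise ValueError("VLAN ID must fit in 12 bits")
    return configured_priority | vlan_id

def split_priority(field):
    """Inverse of bridge_priority(): (configured priority, VLAN ID)."""
    return field & 0xF000, field & 0x0FFF

def elect_root(switches, vlan_id):
    """Root bridge for one VLAN: lowest priority field, then lowest base MAC.

    switches maps a name to (base MAC, {vlan_id: configured priority});
    a VLAN missing from that dict uses the default priority of 32768.
    """
    def key(name):
        mac, per_vlan = switches[name]
        prio = per_vlan.get(vlan_id, DEFAULT_PRIORITY)
        return bridge_priority(prio, vlan_id), mac.lower()
    return min(switches, key=key)

# Constructed topology (not from the post): SW1 is made root for VLAN 20 only.
SWITCHES = {
    "SW1": ("00:11:22:33:44:55", {20: 24576}),
    "SW2": ("00:11:22:33:44:66", {}),
    "SW3": ("00:11:22:33:44:01", {}),   # wins the other VLANs on lowest MAC
}

if __name__ == "__main__":
    print(bridge_priority(DEFAULT_PRIORITY, 20))                 # 32788
    print(elect_root(SWITCHES, 20), elect_root(SWITCHES, 30))    # SW1 SW3
```

This is why `show spanning-tree vlan 20` reports a priority such as 32788 rather than the configured 32768.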
VLAN Configuration:-
    Switch>en
    Switch#config t
    Enter configuration commands, one per line. End with CNTL/Z.

Creating a VLAN
    Switch(config)#vlan 20 ---------------------- new VLAN with VLAN ID 20
    Switch(config-vlan)#name Data --------------- Data is the name of the created VLAN 20

    Switch(config-vlan)#vlan 30
    Switch(config-vlan)#name Voice -------------- Voice is the name of VLAN 30
Assigning ports to a VLAN
    Switch(config-vlan)#in fa 0/3
    Switch(config-if)#switchport mode access ---- by default all ports are in dynamic mode
    Switch(config-if)#switchport access vlan 20 - assigns port fa 0/3 to VLAN 20
similarly
    Switch(config-if)#interface fa 0/4
    Switch(config-if)#switchport mode access
    Switch(config-if)#switchport voice vlan 30
and
    Switch(config-if)#in fa 0/5
    Switch(config-if)#switchport mode access
    Switch(config-if)#switchport access vlan 10

Voice VLAN:-

In this scenario an IP phone connected to our network sends voice traffic to the switch, so the switch has to be configured with a separate VLAN, called the voice VLAN, which carries only the voice traffic.
Voice VLAN:-
  • the voice VLAN feature enables access ports to carry IP voice traffic from an IP phone
  • the switch can connect to an IP phone to carry its voice traffic
  • a Cisco IP phone contains an integrated three-port 10/100 switch:
  1. one port acts like an access port connected to the switch
  2. another port is connected to the computer system
  3. the switch port connected to the IP phone can be part of both VLANs (data/voice VLAN)
  4. which allows traffic to flow PC - phone - switch
Default VLAN configuration:-
  • The voice VLAN feature is disabled by default
  • The voice VLAN can be configured on the switch's access ports
  • The voice VLAN should be present and active on the switch for the IP phone to communicate correctly on the voice VLAN
  • The PortFast feature is enabled automatically when the voice VLAN is configured
Voice VLAN configuration:-
  • In our scenario we are taking three switch ports
  • One for a dedicated data port
  • One for a dedicated voice port
  • And one for both the data and the voice VLAN
  • Create VLAN 20 for Data and VLAN 30 for Voice
  • Assign the port connected to the PC to the data VLAN and the port connected to the IP phone to the voice VLAN
    Switch>en
    Switch#config t
    Enter configuration commands, one per line. End with CNTL/Z.

    Switch(config)#vlan 20
    Switch(config-vlan)#name Data

    Switch(config-vlan)#vlan 30
    Switch(config-vlan)#name Voice

    Switch(config-vlan)#in fa 0/3
    Switch(config-if)#switchport mode access
    Switch(config-if)#switchport access vlan 20

    Switch(config-if)#interface fa 0/4
    Switch(config-if)#switchport mode access
    Switch(config-if)#switchport voice vlan 30

    Switch(config-if)#in fa 0/5
    Switch(config-if)#switchport mode access
    Switch(config-if)#switchport access vlan 10
    Switch(config-if)#switchport voice vlan 30

Note:- this is the basic configuration required on the switch; router configuration is also needed.

Native VLAN:-
  • If a packet received on a dot1q link does not carry a VLAN tag, it is assumed to belong to the native VLAN.
  • The default native VLAN is VLAN 1.
By default the connection between switches is formed with the 802.1Q (dot1q) or ISL trunking protocol, so:
  • when traffic from VLAN 10 is transferred to another switch via the trunk link,
  • before the packet is sent onto the trunk link a tag is added, which is called frame tagging;
  • between switch and switch this method ensures that the receiving switch knows which VLAN each packet belongs to, and hence forwards the packet to a port belonging to that VLAN.
  • But if a switch receives a frame from a hub, which does not understand the concept of VLANs, the frame arrives without a tag.
  • So if a switch receives a frame without a tag, it is assumed to belong to the native VLAN and is forwarded to a port belonging to the native VLAN.
Native VLAN configuration:-
  • The best way to configure the native VLAN is to create a new VLAN, assign it as the native VLAN, and make sure no port is placed in that VLAN.
  • So if an attacker attempts a VLAN hopping attack, they will reach a VLAN with no ports and no hosts.
Configuration
    Sw(config)#vlan 111
    Sw(config-vlan)#in fa 0/0
    Sw(config-if)#switchport trunk encapsulation dot1q
    Sw(config-if)#switchport mode trunk
    Sw(config-if)#switchport trunk native vlan 111
Verification
    Sw# show int trunk
    Port      Mode    Encapsulation    Status      Native vlan
    Fa0/0     on      802.1q           trunking    111
Note:- on Cisco switches the native VLAN ID must match on both ends of the trunk.
    Sw# show int fa 0/0 switchport .......... gives the complete switchport information for port fa 0/0
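The following added example (not from the original post) shows what the native VLAN rule above means at the frame level: it parses the 802.1Q tag of a frame arriving on a dot1q trunk, assigns untagged frames to the native VLAN, and then audits which frames were switched into a VLAN that has no access ports. With the empty native VLAN 111 from the configuration above, any frame that lands there is worth an alert. The sample frames, MAC addresses and the set of populated VLANs are constructed for the demo.

```python
import struct

TPID_8021Q = 0x8100
NATIVE_VLAN = 111                  # the empty native VLAN from the post's config
VLANS_WITH_HOSTS = {10, 20, 30}    # constructed: VLANs that actually have access ports

def classify_frame(frame, native_vlan=NATIVE_VLAN):
    """VLAN an 802.1Q trunk port assigns to one received Ethernet frame.

    Tagged: TPID 0x8100 follows the two MACs, then a 16-bit TCI whose low
    12 bits are the VLAN ID. Untagged: the switch assumes the native VLAN.
    """
    if len(frame) < 14:
        raise ValueError("runt frame")
    src = frame[6:12].hex(":")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != TPID_8021Q:
        return {"src": src, "tagged": False, "vlan": native_vlan, "ethertype": ethertype}
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, inner_type = struct.unpack("!HH", frame[14:18])
    return {"src": src, "tagged": True, "vlan": tci & 0x0FFF, "ethertype": inner_type}

def audit(frames, native_vlan=NATIVE_VLAN, populated=VLANS_WITH_HOSTS):
    """Report frames switched into a VLAN that has no access ports; with a
    dedicated empty native VLAN every such hit deserves an alert."""
    hits = []
    for f in frames:
        info = classify_frame(f, native_vlan)
        if info["vlan"] not in populated:
            hits.append((info["src"], info["vlan"], info["tagged"]))
    return hits

def build_frame(src, vid=None, ethertype=0x0800):
    """Constructed sample frame header (payload omitted) for the demo."""
    hdr = bytes.fromhex("ff" * 6) + bytes.fromhex(src.replace(":", ""))
    if vid is None:
        return hdr + struct.pack("!H", ethertype)
    return hdr + struct.pack("!HHH", TPID_8021Q, vid, ethertype)

SAMPLE = [
    build_frame("00:aa:bb:cc:dd:01", 20),   # tagged, data VLAN
    build_frame("00:aa:bb:cc:dd:02", 30),   # tagged, voice VLAN
    build_frame("00:aa:bb:cc:dd:03"),       # untagged -> native VLAN 111
    build_frame("00:aa:bb:cc:dd:04", 111),  # explicitly tagged with the native ID
]

if __name__ == "__main__":
    for src, vlan, tagged in audit(SAMPLE):
        print(f"frame from {src} landed in empty VLAN {vlan} (tagged={tagged})")
```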
