Chapter 2. VLAN Operations

This chapter explores probably the most fundamental concept of modern LAN switching: virtual LANs (VLANs). In legacy Ethernet networks of the 1980s and early 1990s, the concept of virtual LANs did not exist; instead, only the concept of physical LANs existed. Layer 1 and Layer 2 Ethernet devices such as hubs and bridges were dedicated to a single, physical LAN, and implementing another LAN required more hubs and bridges. Today, LAN switches have the capability to provide connectivity for multiple physical LANs by implementing the concept of virtual LANs. In this chapter you learn about transparent bridging, which is the function provided by a bridge on a single physical LAN. This concept is then extended to VLANs, and you learn how they work and how to configure them.

After some initial introductory material, this chapter presents the following configuration scenarios, which provide you with the practical knowledge required to implement VLANs:

  • Scenario 2-1: Understanding Transparent Bridging
  • Scenario 2-2: Configuring VLAN Trunking Protocol (VTP)
  • Scenario 2-3: Configuring VLANs
  • Scenario 2-4: Configuring the Management VLAN
  • Scenario 2-5: Configuring Extended-Range VLANs

Introduction

In recent years, Ethernet has all but replaced Token Ring and FDDI technology on LANs. Many consider Ethernet to be a technology that is inferior in some ways to Token Ring and FDDI. These technologies provide more robust error-checking capabilities and more predictable access to media than Ethernet; however, the simplicity and low cost of Ethernet has seen it win over the other technologies.

With gigabit Ethernet well established and affordable, Ethernet is now also replacing aging, expensive, and very complex ATM equipment, which was popular in the mid-1990s for providing high-speed switch interconnectivity (also known as trunking).

Ethernet LANs use a concept called transparent bridging to enable the transmission of frames over multiple LAN devices called bridges. A bridge is a Layer 2 device that is used to segment collision domains and increase LAN performance. In this section, you learn about transparent bridging and the concepts of broadcast domains and collision domains which are important in understanding the benefits that switches and VLANs provide. You then learn about VLANs and how they are implemented on Cisco Catalyst switches. The following topics are discussed:

  • Bridging overview
  • VLAN concepts

Bridging Overview

To understand the primary operation of a switch, you must understand how transparent bridging works. All Ethernet LAN switches implement transparent bridging, so it is crucial that you be familiar with this process. Both bridges and switches offer performance benefits over using Layer 1 devices by providing LAN segmentation, which is the process of reducing large collision domains into smaller, more manageable collision domains. Collision domains are defined as an area of the LAN where only a single device can access the Ethernet network at any one time (i.e., multiple devices must contend for access to the network). The following are covered in this bridging overview:

  • Transparent bridging
  • LAN segmentation

Transparent Bridging

An Ethernet switch is a Layer 2 device that essentially operates as a transparent bridge. A transparent bridge is a device that understands Layer 2 addressing and can make intelligent Layer 2 forwarding decisions. The bridge operates by maintaining a table of MAC addresses and associated egress ports. The table tells the bridge where stations are located within the LAN, which enables the bridge to determine how to forward Layer 2 frames by reading the destination MAC address of each frame and looking up the corresponding egress port on the bridge. Table 2-1 shows a simple bridging table.

Table 2-1. Bridging Table

  MAC Address       Egress Port       Age (Minutes)
  0000.01a0.64b1    FastEthernet0/1   1
  00a0.d1d0.20b9    FastEthernet0/2   0
  0030.2448.d79e    FastEthernet0/3   4

In Table 2-1, each MAC address entry represents a destination host—for example, if a frame is received with a destination MAC address of 0000.01a0.64b1, the frame will be sent out the FastEthernet0/1 interface.

The MAC address entries in the bridge table shown in Table 2-1 must somehow be populated, and this information must be accurate to ensure frames are delivered correctly. Transparent bridging allows a bridge or switch to learn the location of devices in the LAN based upon frames received on a particular port.

Figure 2-1 illustrates the algorithm that occurs when a frame is received on an interface.

Figure 2-1 Transparent Bridging

Figure 2-2 explains the processes shown in Figure 2-1 in terms of a sample network topology.

Figure 2-2 Transparent Bridging Example

In Figure 2-2, assume that Host A (aaaa.aaaa.aaaa) is communicating with Host B (bbbb.bbbb.bbbb). The following processes occur:

  1. Learning— Host A sends a frame to Host B. The bridge examines the source address (aaaa.aaaa.aaaa) of received frames and associates the ingress port (1/0) of the received frame with the source address of the frame by adding an entry to the bridging table.
  2. Flooding— The bridge examines the destination address (bbbb.bbbb.bbbb), looks in the local bridging table, and finds no entry for the destination address. Because the received frame is sent to an unknown destination, the bridge floods the frame out all ports (except for the ingress port 1/0) to ensure the frame reaches the destination.
  3. Forwarding— Host B receives the frame due to the flooding process. Host B replies to the frame. The bridge receives the frame, examines the source address (bbbb.bbbb.bbbb), and writes an entry to the bridge table, associating Host B with the port upon which the reply has been received (port 1/2). The bridge then examines the destination address (aaaa.aaaa.aaaa), looks in the bridging table, and finds the entry for Host A generated by step 1. Thus, the bridge only forwards the frame out the specified egress port (port 1/0) towards Host A.
  4. Filtering— Assume that Host C and Host D are communicating and the bridge knows that these hosts exist and has respective entries for each in the local bridging table. When Host C sends a frame to Host D, the frame will be propagated to the bridge. The bridge follows the procedure of Figure 2-1 and finds that the source and destination address are associated with the same port (1/1). Thus, the bridge filters (drops) the frame, because the frame has already reached its destination.
  5. Aging— When the entry for Host B is created in the bridging table, an idle timer is started for that entry. Every time a new frame is received from Host B, this idle timer is reset to zero. Assume Host B is shut down. No more traffic is generated from Host B; thus, the idle timer keeps on incrementing. Once the timer reaches the aging timeout value (e.g., 5 minutes), the entry for Host B is removed from the table, which saves precious memory resources and also ensures any location changes for Host B are reflected in the bridge table. If Host B comes back online, the bridging table is repopulated as soon as Host B sends a frame towards the bridge.
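The five processes above can be replayed in code. The following is an added example written for this chapter, not code from the book: a small transparent bridge model that performs learning, flooding, forwarding, filtering, and aging, driven through the Figure 2-2 scenario (Host A on port 1/0, Host B on port 1/2, Hosts C and D on the shared segment behind port 1/1). The MAC addresses of Hosts C and D, the port names, and the 5-minute (300-second) aging timeout are constructed values, and the bridge keeps its table in a plain dictionary.

```python
"""Transparent bridge simulation for the Figure 2-2 scenario (added example, not from the book)."""
from dataclasses import dataclass

AGING_TIMEOUT = 300  # seconds; the chapter's "e.g., 5 minutes" (assumed value)
BROADCAST = "ffff.ffff.ffff"


@dataclass
class Frame:
    src: str
    dst: str


class TransparentBridge:
    def __init__(self, ports):
        self.ports = list(ports)
        # MAC address -> (egress port, time the last frame from that address was seen)
        self.table = {}

    def receive(self, frame, ingress, now):
        """Process one frame received on `ingress`; return the ports it is sent out of."""
        self.age(now)
        # Learning: bind the source MAC to the ingress port and reset its idle timer.
        self.table[frame.src] = (ingress, now)
        entry = self.table.get(frame.dst)
        if frame.dst == BROADCAST or entry is None:
            # Flooding: broadcasts and unknown destinations go out every port but the ingress port.
            return [p for p in self.ports if p != ingress]
        egress, _ = entry
        if egress == ingress:
            # Filtering: the destination is on the segment the frame came from; drop it.
            return []
        # Forwarding: known destination on another port.
        return [egress]

    def age(self, now):
        """Aging: remove entries that have been idle longer than AGING_TIMEOUT."""
        stale = [mac for mac, (_, seen) in self.table.items() if now - seen > AGING_TIMEOUT]
        for mac in stale:
            del self.table[mac]


def figure_2_2_walkthrough():
    """Replay the chapter's numbered steps; return the egress decision taken at each one."""
    b = TransparentBridge(["1/0", "1/1", "1/2"])
    A, B = "aaaa.aaaa.aaaa", "bbbb.bbbb.bbbb"
    C, D = "cccc.cccc.cccc", "dddd.dddd.dddd"  # constructed; not given in the text
    results = {}
    # Steps 1-2: A sends to B, B is unknown: learn A on 1/0, flood to 1/1 and 1/2.
    results["flood"] = b.receive(Frame(A, B), "1/0", now=0)
    # Step 3: B replies: learn B on 1/2, forward only to 1/0.
    results["forward"] = b.receive(Frame(B, A), "1/2", now=1)
    # Step 4: C and D both hang off the hub on port 1/1; once D is learned, C -> D is filtered.
    b.receive(Frame(D, BROADCAST), "1/1", now=2)
    results["filter"] = b.receive(Frame(C, D), "1/1", now=3)
    # A keeps talking to B, so A's entry stays fresh while B's idle timer runs.
    results["forward_to_b"] = b.receive(Frame(A, B), "1/0", now=100)
    # Step 5: B has been silent since t=1; at t=302 its entry has aged out, so the frame floods again.
    results["aged_out"] = b.receive(Frame(A, B), "1/0", now=302)
    results["table"] = sorted(b.table)
    return results


if __name__ == "__main__":
    for step, outcome in figure_2_2_walkthrough().items():
        print(f"{step:>13}: {outcome}")
```

Run as a script, the walkthrough prints which ports each frame left through; note that a frame to an unknown or aged-out destination reaches every other port, which is why an accurate, current bridging table matters for both performance and traffic containment.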

LAN Segmentation

One of the key requirements of a LAN protocol is performance; users expect to be able to transfer information between locally connected systems quickly and are not very forgiving when the LAN is running slow. LAN performance can be affected by many factors—one very important factor is the concept of LAN segmentation, or rather the lack of it. Ethernet is a shared media technology, and the performance of Ethernet diminishes as more and more devices contend for the shared bandwidth. LAN segmentation breaks up the LAN into smaller pieces, both at a physical level (Layer 1) and at a Layer 2 level. This segmentation ensures the performance and scalability of the LAN. LAN segmentation involves two key design parameters:

  • Collision domains
  • Broadcast domains

Collision Domains

A collision domain is an area of a single LAN where end stations contend for access to the network because all end stations are connected to a shared physical medium. If two connected devices transmit onto the media at the same time, a collision occurs. When a collision occurs, a JAM signal is sent on the network, indicating that a collision has occurred and that devices should ignore any fragmented data associated with the collision. Both sending devices back off for a random amount of time and then try again if the medium is free for transmission. Therefore, collisions effectively delay transmission of data, lowering the effective throughput available to a device. The more devices that are attached to a collision domain, the greater the chances of collisions; this results in lower bandwidth and performance for each device attached to the collision domain. Bridges and switches terminate the physical signal path of a collision domain, allowing you to segment separate collision domains, breaking them up into multiple smaller pieces to provide more bandwidth per user within the new collision domains formed.

Broadcast Domains

A broadcast domain is the area over which LAN broadcast frames are propagated, or the area over which LAN devices can communicate directly with each other using Ethernet. Unlike collision domains, which are bounded by a shared physical media, broadcast domains are not so restricted. The devices that terminate a broadcast domain are Layer 3 devices, such as routers, which will not normally forward LAN (Layer 2) broadcasts. A broadcast domain typically maps to a Layer 3 subnetwork, such as an IP subnet, and is also commonly referred to as a LAN. If a broadcast domain becomes too large, due to the sheer number of devices attached to the LAN, it is likely that the LAN will suffer from performance problems due to the high proportion of broadcast traffic. This varies depending on the operating system of your LAN devices, because some operating systems make use of broadcast traffic more than others. You can increase the performance of a broadcast domain by splitting it into two or more pieces, which in turn creates several smaller broadcast domains. You segment broadcast domains using a Layer 3 device, such as a router.

Increasing Performance Using LAN Segmentation

In a worst-case scenario, a LAN consists of a single broadcast domain with one large collision domain. This arrangement means that all devices attached to the LAN are contending for access to the same physical shared media and that a broadcast sent by any device is propagated throughout the LAN.

LAN segmentation allows you to split a large collision domain into smaller collision domains, which increases the available bandwidth to devices because fewer devices are contending for shared bandwidth within the smaller collision domains. To segment large collision domains into smaller collision domains, you need bridges and switches.

LAN segmentation also allows you to split a large broadcast domain into several smaller broadcast domains, which reduces the proportion of broadcast traffic in each broadcast domain, increasing network efficiency and performance. You need Layer 3 switches or routers to segment broadcast domains into smaller broadcast domains.

Figure 2-3 shows a simple LAN, which has two broadcast domains, each with one or more collision domains.

Figure 2-3 Two-LAN Internetwork

In Figure 2-3 notice that all hubs and connected devices comprise a collision domain, while each bridge terminates collision domains. This termination occurs because a bridge (or switch) terminates the electrical signal path, inspects frames received, and forwards the frames appropriately. A hub merely propagates signals (frames) out all other ports, effectively extending the electrical signal path.

Both bridges and switches allow you to reduce the size of collision domains in a LAN. A major and important difference between bridges and switches is that bridges typically connect only to other networking devices (such as hubs or bridges), while switches connect to both end devices and other networking devices. This difference is not a technical limitation, but rather one driven by cost. Bridges historically were expensive, with low port density, meaning it didn't make sense to connect users to bridges. Switches, however, are relatively cheap and have high port densities, so the benefits of a bridge/switch can be extended to user devices.

In a fully switched network, each switch port represents a separate collision domain, if half-duplex operation is used. You can totally eliminate all collision domains by configuring full duplex, provided of course that each device supports full-duplex 10-Mbps or 100-Mbps operation. Thus in Figure 2-3, if the router ports are working at full-duplex operation, no collision domain exists between the router and bridges, assuming of course that the connected bridge ports are also operating in full-duplex mode. Eliminating collision domains altogether means devices can use 80-90 percent of the available bandwidth (e.g., 80-90 Mbps on a Fast Ethernet port) because devices do not need to execute the carrier sense multiple access collision detect (CSMA/CD) algorithm. This available bandwidth is compared with a maximum of 40-50 percent on two or more devices sharing Ethernet media (i.e., when a collision domain exists).

Ethernet devices can operate at half duplex or full duplex when connected to LAN switches. In half-duplex operation, the transmit and receive wires on the network interface card (NIC) are connected to the same transmission circuit, so a collision can occur if the local device and remote switch port transmit at the same time. In full-duplex operation, the transmit circuit is wired directly to the remote receive circuit and vice versa, which eliminates the possibility of a collision at all. Figure 2-4 compares a 4-port switch containing 2 half-duplex ports and 2 full-duplex ports with a 4-port hub.

Figure 2-4 Switch Versus Hub Comparison

In Figure 2-4, notice that even if a device connected to a switch operates at half duplex, the collision domain is limited to just the device and the switch port it is connected to. If the device is connected using full-duplex operation, no collisions will ever occur, because the signal pathways are physically separate for transmit and receive on a full-duplex port. The switched environment experiences significantly fewer collisions than the hub environment, increasing network performance and efficiency.
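The rules in this section (hubs extend a collision domain, bridges and switches terminate collision domains but pass broadcasts, routers terminate broadcast domains, and full-duplex links have no collision domain at all) can be applied mechanically to a topology. The following is an added example, not code from the book: it models a LAN as devices with roles and a list of port-to-port links, then groups ports into collision domains and broadcast domains with a disjoint-set (union-find) pass. The sample topology is constructed to resemble the description of Figure 2-3 (two LANs behind one router, each LAN built from a bridge and hubs); its device names, port names, and link duplex settings are assumptions.

```python
"""Counting collision and broadcast domains in a LAN topology (added example, not from the book)."""
from collections import defaultdict

# Constructed topology in the spirit of Figure 2-3: device name -> role.
DEVICES = {
    "R1": "router", "B1": "bridge", "B2": "bridge",
    "H1": "hub", "H2": "hub", "H3": "hub",
    "A": "host", "B": "host", "C": "host", "D": "host", "E": "host",
}
# Links as (device, port, device, port, duplex); all names are assumptions.
LINKS = [
    ("R1", "e0", "B1", "1", "half"),
    ("R1", "e1", "B2", "1", "half"),
    ("B1", "2", "H1", "1", "half"), ("H1", "2", "A", "0", "half"), ("H1", "3", "B", "0", "half"),
    ("B1", "3", "H2", "1", "half"), ("H2", "2", "C", "0", "half"),
    ("B2", "2", "H3", "1", "half"), ("H3", "2", "D", "0", "half"), ("H3", "3", "E", "0", "half"),
]


class DisjointSet:
    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        self.parent[self.find(a)] = self.find(b)


def domains(devices, links, transparent_roles):
    """Group (device, port) endpoints into domains.

    Each link joins its two endpoints. A device whose role is in `transparent_roles`
    also joins all of its own ports together; any other device terminates the domain
    at each of its ports, so its ports stay in separate groups.
    """
    ds = DisjointSet()
    ports_of = defaultdict(list)
    for d1, p1, d2, p2, _ in links:
        ds.union((d1, p1), (d2, p2))
        ports_of[d1].append(p1)
        ports_of[d2].append(p2)
    for dev, ports in ports_of.items():
        if devices[dev] in transparent_roles:
            for p in ports[1:]:
                ds.union((dev, ports[0]), (dev, p))
    groups = defaultdict(set)
    for dev, ports in ports_of.items():
        for p in ports:
            groups[ds.find((dev, p))].add((dev, p))
    return list(groups.values())


def collision_domains(devices, links):
    """Only hubs extend the signal path; full-duplex links form no collision domain."""
    half_duplex = [link for link in links if link[4] == "half"]
    return [g for g in domains(devices, half_duplex, {"hub"}) if len({d for d, _ in g}) > 1]


def broadcast_domains(devices, links):
    """Hubs, bridges and switches forward Layer 2 broadcasts; routers do not."""
    return [g for g in domains(devices, links, {"hub", "bridge", "switch"})
            if any(devices[d] == "host" for d, _ in g)]


def count_domains(router_link_duplex="half"):
    """(collision domains, broadcast domains) with the router-facing links set to the given duplex."""
    links = []
    for d1, p1, d2, p2, duplex in LINKS:
        if DEVICES[d1] == "router" or DEVICES[d2] == "router":
            duplex = router_link_duplex
        links.append((d1, p1, d2, p2, duplex))
    return len(collision_domains(DEVICES, links)), len(broadcast_domains(DEVICES, links))


def hosts_per_broadcast_domain():
    """Sorted host names in each broadcast domain, e.g. which hosts see each other's broadcasts."""
    groups = broadcast_domains(DEVICES, LINKS)
    return sorted(sorted(d for d, _ in g if DEVICES[d] == "host") for g in groups)


if __name__ == "__main__":
    print("half-duplex router links:", count_domains("half"))
    print("full-duplex router links:", count_domains("full"))
    print("broadcast domains:", hosts_per_broadcast_domain())
```

With the two router-to-bridge links at half duplex the sample topology has five collision domains (each hub segment plus each router link) and two broadcast domains; switching those two links to full duplex removes their collision domains, leaving three, while the broadcast domain count is unchanged because it depends only on where the router sits.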

VLAN Concepts

VLANs provide a mechanism that enables you to split LAN infrastructure into multiple broadcast domains, in effect creating virtual LANs (hence, the name). Each VLAN places a group of physical ports into a logical broadcast domain, which allows devices within the VLAN to communicate at Layer 2. Multiple VLANs can be supported on a switch, meaning that although devices may be connected to the same physical switch, these devices can communicate at Layer 2 only with devices that belong to the same VLAN. VLANs can also be extended over multiple switches, which means that a user that belongs to a particular VLAN can move to another floor or building, connect to a physical port on a separate switch, and still belong to the same broadcast domain (VLAN). Cisco Catalyst switches all support VLANs because VLANs are an essential component of modern LANs. In this section the following topics are discussed:

  • Introduction to VLANs
  • Cisco Catalyst VLAN implementation

Introduction to VLANs

So far you have seen basically how LANs functioned up until the early to mid-1990s. Around this time, a new device known as the switch emerged. Essentially, a switch is a bridge and performs all the functions of a bridge; however, it does have some differences:

  • A bridge is normally limited to a few ports and, hence, connects only to other networking equipment and not to end devices. A switch typically has high port densities that allow end devices to connect to it.
  • A bridge normally operates in a single LAN; a switch can operate in multiple LANs, appearing as a virtual bridge for each LAN.
  • A bridge operates in software, while a switch typically operates in hardware, which means that a switch has much higher performance.

Today, the bridge has all but disappeared, supplanted by switches, which have much lower costs per port and much higher performance. The cost per port today for switches is low enough that many LANs are completely switched, which means all devices are connected to switches on the network. The most important technical feature of a switch is its ability to service multiple logical LANs or broadcast domains at once. Refer back to Figure 2-3; separate bridges and hubs service each LAN, which is the legacy method of LAN networking. Figure 2-5 shows the network of Figure 2-3, this time with a switch included.

Figure 2-5 Two-LAN Internetwork with a Switch

Notice in Figure 2-5 that a single physical switch is capable of servicing each broadcast domain. Within each broadcast domain, or VLAN, devices can communicate at a Layer 2 level (intra-VLAN communications). The switch maintains complete separation between each broadcast domain, which means that devices in separate VLANs cannot communicate directly with each other at a Layer 2 level. To enable inter-VLAN communications, a Layer 3 protocol, such as IP, is required; this means that any traffic between devices in separate VLANs must traverse the router.

Each LAN in Figure 2-5 is referred to as a virtual LAN (VLAN). The switch emulates a single LAN for each device connected to it (hence, the term virtual), yet supports devices from multiple LANs.

Cisco Catalyst VLAN Implementation

Cisco Catalyst switches support VLANs. Some newer Cisco Catalyst switches support up to 4096 VLANs, but traditionally, Cisco Catalyst switches support only up to 1024 VLANs. For most networks, 1024 VLANs are more than enough because implementing even 50 VLANs for a single LAN infrastructure can become impractical.

Cisco Catalyst switches historically have supported only up to 1024 VLANs due to the 10-bit VLAN ID field used in the Cisco proprietary Inter-Switch Link (ISL) trunking protocol. Trunking provides the ability for a single Layer 2 port to transport the traffic from multiple VLANs, rather than from just a single VLAN. To support this functionality, a tag is required that identifies the VLAN ID the frame is associated with. You learn more about trunking in Chapter 3, "Trunking and Bandwidth Aggregation." Later versions of ISL use a 15-bit VLAN ID field, and the standards-based IEEE 802.1Q trunking protocol uses a 12-bit VLAN ID field, which provides for up to 4096 VLANs. ISL was used before 802.1Q protocol support was present; hence, a large number of Catalyst switches support only 1024 VLANs.
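The relationship between tag width and VLAN count is easiest to see by constructing a tag. The following is an added example, not code from the book or from Cisco: it builds an Ethernet II header with an IEEE 802.1Q tag inserted between the source MAC and the EtherType (a 16-bit TPID of 0x8100 followed by 16 bits of Tag Control Information: 3-bit priority, 1-bit drop-eligible/CFI bit, 12-bit VLAN ID) and parses it back. The MAC addresses come from Table 2-1; the payload bytes are constructed. ISL's encapsulation is not modelled here, only its 10-bit ID width in the `max_vlans` arithmetic.

```python
"""Building and parsing an IEEE 802.1Q VLAN tag (added example, not from the book)."""
import struct

TPID_8021Q = 0x8100      # EtherType value that announces an 802.1Q tag follows
ETHERTYPE_IPV4 = 0x0800


def max_vlans(tag_bits):
    """Distinct VLAN ID values a field of `tag_bits` bits can encode: 10 -> 1024, 12 -> 4096."""
    return 1 << tag_bits


def mac_bytes(dotted):
    """Cisco 'aaaa.bbbb.cccc' notation -> 6 raw bytes."""
    return bytes.fromhex(dotted.replace(".", ""))


def mac_dotted(raw):
    """6 raw bytes -> Cisco dotted notation."""
    h = raw.hex()
    return f"{h[0:4]}.{h[4:8]}.{h[8:12]}"


def build_tagged_frame(dst, src, vlan_id, payload, priority=0, dei=0, ethertype=ETHERTYPE_IPV4):
    """Return dst MAC | src MAC | 802.1Q tag | EtherType | payload (no FCS)."""
    # The VID field is 12 bits wide; the standard reserves 0 (priority-tagged) and 4095.
    if not 0 <= vlan_id < max_vlans(12):
        raise ValueError(f"VLAN ID {vlan_id} does not fit the 12-bit VID field")
    if not 0 <= priority < 8 or dei not in (0, 1):
        raise ValueError("PCP is a 3-bit field and DEI a 1-bit field")
    tci = (priority << 13) | (dei << 12) | vlan_id
    return mac_bytes(dst) + mac_bytes(src) + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload


def parse_frame(frame):
    """Decode addresses, VLAN fields (vlan is None for an untagged frame), EtherType and payload."""
    dst, src = mac_dotted(frame[0:6]), mac_dotted(frame[6:12])
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != TPID_8021Q:
        return {"dst": dst, "src": src, "vlan": None, "ethertype": ethertype, "payload": frame[14:]}
    tci, inner_type = struct.unpack("!HH", frame[14:18])
    return {
        "dst": dst,
        "src": src,
        "vlan": tci & 0x0FFF,        # low 12 bits
        "priority": tci >> 13,       # top 3 bits
        "dei": (tci >> 12) & 1,      # bit 12
        "ethertype": inner_type,
        "payload": frame[18:],
    }


if __name__ == "__main__":
    print("10-bit ISL field:", max_vlans(10), "VLANs; 12-bit 802.1Q field:", max_vlans(12), "VLANs")
    frame = build_tagged_frame("0000.01a0.64b1", "00a0.d1d0.20b9", 2, b"\x45\x00", priority=5)
    print(frame.hex())
    print(parse_frame(frame))
```

The four inserted tag bytes are the only difference between a tagged and an untagged frame, which is why a receiver must inspect the EtherType position before it can know whether a VLAN ID is present at all.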

A Catalyst switch maintains a VLAN database, which is a listing of all VLANs, associated parameters such as VLAN ID and name, and a list of each port associated with each VLAN. Table 2-2 shows a sample VLAN database.

Table 2-2. Sample VLAN Database

  VLAN ID   VLAN Parameter   Value
  1         Name             VLAN0001
            Type             Ethernet
            MTU              1500
            Ports            2/1-10, 2/12, 2/15-24
  2         Name             Marketing
            Type             Ethernet
            MTU              1500
            Ports            2/11, 2/13-14

Table 2-2 shows some of the basic parameters for each VLAN; many others are not shown. As you can see, each VLAN is associated with a set of ports. Only ports within the same VLAN can communicate with each other at a Layer 2 level (e.g., Ethernet). In Table 2-2, port 2/11 can communicate directly only with ports 2/13 and 2/14. If a device connected to port 2/11 wanted to communicate with a device on port 2/1, the frame has to be sent to a Layer 3 router with connectivity to both VLANs.
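The port-membership reasoning in the paragraph above (port 2/11 reaches 2/13 and 2/14 at Layer 2 but not 2/1) can be automated against a VLAN database. The following is an added example, not code from the book or a Cisco tool: it holds the Table 2-2 entries in a dictionary, expands the chapter's port-list notation ("2/1-10, 2/12, 2/15-24") into individual module/port names, checks that every access port is assigned to exactly one VLAN, and answers whether two ports share a broadcast domain. The dictionary layout, the 24-port module size used in the unassigned-port check, and the assumption that a port range never spans modules are mine, not the switch's.

```python
"""Port-membership checks over a VLAN database like Table 2-2 (added example, not from the book)."""
import re

# Transcribed from Table 2-2; the dictionary layout is an assumption of this example.
VLAN_DATABASE = {
    1: {"name": "VLAN0001", "type": "Ethernet", "mtu": 1500, "ports": "2/1-10, 2/12, 2/15-24"},
    2: {"name": "Marketing", "type": "Ethernet", "mtu": 1500, "ports": "2/11, 2/13-14"},
}

# module/port or module/first-last (the range end is assumed to be on the same module)
_PORT_ITEM = re.compile(r"^(\d+)/(\d+)(?:-(\d+))?$")


def expand_ports(spec):
    """'2/11, 2/13-14' -> ['2/11', '2/13', '2/14']."""
    ports = []
    for item in spec.split(","):
        m = _PORT_ITEM.match(item.strip())
        if not m:
            raise ValueError(f"bad port specification: {item.strip()!r}")
        module, first = m.group(1), int(m.group(2))
        last = int(m.group(3)) if m.group(3) else first
        if last < first:
            raise ValueError(f"descending port range: {item.strip()!r}")
        ports.extend(f"{module}/{n}" for n in range(first, last + 1))
    return ports


def port_to_vlan(db):
    """Invert the database to port -> VLAN ID; an access port listed in two VLANs is an error."""
    mapping = {}
    for vid, entry in db.items():
        for port in expand_ports(entry["ports"]):
            if port in mapping:
                raise ValueError(f"port {port} is listed in VLAN {mapping[port]} and VLAN {vid}")
            mapping[port] = vid
    return mapping


def layer2_reachable(db, port_a, port_b):
    """True only when both ports sit in the same VLAN, i.e. the same broadcast domain."""
    mapping = port_to_vlan(db)
    return port_a in mapping and port_b in mapping and mapping[port_a] == mapping[port_b]


def unassigned_ports(db, module, port_count):
    """Ports module/1..module/port_count that appear in no VLAN of the database."""
    assigned = set(port_to_vlan(db))
    return [p for p in (f"{module}/{n}" for n in range(1, port_count + 1)) if p not in assigned]


if __name__ == "__main__":
    print("2/11 -> 2/13 at Layer 2:", layer2_reachable(VLAN_DATABASE, "2/11", "2/13"))
    print("2/11 -> 2/1  at Layer 2:", layer2_reachable(VLAN_DATABASE, "2/11", "2/1"))
    print("ports of module 2 in no VLAN:", unassigned_ports(VLAN_DATABASE, "2", 24))
```

For the Table 2-2 data every one of the 24 ports on module 2 is accounted for, 2/11 reaches 2/13 and 2/14 at Layer 2, and a frame from 2/11 to 2/1 is reported as not reachable, matching the text's statement that it must go through a Layer 3 router.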

The VLAN database implementation varies based upon the Catalyst switch operating system. The next sections examine the VLAN database implementation for each of the following operating systems:

  • Catalyst OS
  • Cisco IOS

Catalyst OS

The Catalyst OS (CatOS) VLAN database implementation is simple to understand. It is stored in the switch configuration file that is loaded during bootup. This configuration file contains all of the configuration settings for the switch, so this makes it a single, central configuration storage point.

Cisco IOS

Cisco IOS-based switches differ from CatOS-based switches in that they store the VLAN database separately from the main configuration file. By default, the VLAN database is saved in a file called VLAN.DAT, which is located in the root file system on the local Flash storage device. That the VLAN database is stored separately is an important point to remember; even if you clear the main configuration of a Cisco IOS-based switch, the VLAN database is still maintained. The VLAN.DAT file is a binary file that you should not manually delete or edit. Make any configuration changes to the VLAN database through the Cisco IOS interface; the binary file is updated appropriately by Cisco IOS after changes have been made.