VLAN

Basic Definition

The acronym VLAN means Virtual Local Area Network. A VLAN is a logical local area network (LAN) that extends beyond a single traditional LAN to a group of LAN segments. Because a VLAN is a logical entity, its creation and configuration are done entirely in software.

How to Identify a VLAN

Because a VLAN is a software concept, its identifiers and configuration must be set correctly for it to function as expected. The process used to ensure that VLAN members or groups are properly identified and handled is called frame coloring. With frame coloring, each frame is given the proper VLAN ID so that it can be processed correctly; switching and routing engines use the VLAN ID to make the decisions defined in the configuration.

Reasons to Use VLANs

Traditional network designs use routers to prevent broadcast floods in larger networks from consuming resources or causing unintentional denials of service. But traditional network design methodology has some design flaws:

Geographic Focus – Traditional network designs focus on the physical locations of equipment and personnel for addressing and LAN segment placement. Network segments for physically separate parts of an organization cannot be part of the same address space, since each physical location must be addressed independently and be part of its own broadcast domain.

This can force personnel to be located in a central location, or to have additional latency or connectivity shortfalls.

Relocations of personnel and departments can become difficult, especially if the original location retains its network segments. Relocated equipment will have to be reconfigured based on the new network configuration.

A VLAN solution can solve these drawbacks by permitting the same broadcast domain to extend beyond a single segment.

Additional Bandwidth Usage – Traditional network designs are segmented and require additional bandwidth because packets have to pass through multiple levels of network connectivity. With a proper VLAN design, only devices on which that VLAN is defined receive and forward the packets of a flow, whether as its source or its destination.

Types of VLAN

There are only two types of VLAN: cell-based VLANs and frame-based VLANs.

Cell-based VLANs are used in ATM switched networks with LAN Emulation (LANE), which allows hosts on legacy LAN segments to communicate across ATM networks without special hardware or software.

Frame-based VLANs are used in Ethernet networks. The two primary types of frame tagging are IEEE 802.10 and ISL (Inter-Switch Link, a Cisco-proprietary frame-tagging method). The 802.10 standard makes it possible to deploy VLANs with 802.3 (Ethernet), 802.5 (Token Ring), and FDDI.

VLAN modes

There are three different modes in which a VLAN can be configured. These modes are covered below:

• VLAN Switching Mode – The VLAN forms a switching bridge in which frames are forwarded unmodified.

• VLAN Translation Mode – VLAN translation mode is used when the frame tagging method changes along the network path, or when a frame passes from a VLAN group to a legacy or native interface that is not configured in a VLAN. When the packet is to pass into a native interface, the VLAN tag is removed so that the packet can properly enter the native interface.

• VLAN Routing Mode – When a packet is routed from one VLAN to a different VLAN, you use VLAN routing mode. The packet is modified, usually by a router, which places its own MAC address as the source and then changes the VLAN ID of the packet.
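The three modes above, as an added example that is not part of the original article: the frame layout is the 802.1Q tag (TPID 0x8100 followed by PCP/DEI/VID) that the dot1q trunk encapsulation later in the article uses, the sample frames and MAC addresses are constructed, and the next-hop MAC rewrite in the routing function is an assumption about what a router does beyond the source-MAC and VLAN ID changes the text describes.

```python
import struct
from dataclasses import dataclass
from typing import Optional

TPID_8021Q = 0x8100  # TPID that marks an 802.1Q-tagged ("coloured") frame


@dataclass
class Frame:
    dst: bytes
    src: bytes
    vid: Optional[int]   # None means the frame carries no tag (native frame)
    pcp: int             # 802.1p priority bits from the tag, 0 if untagged
    ethertype: int
    payload: bytes


def parse_frame(raw: bytes) -> Frame:
    """Decode the Ethernet header and the 802.1Q tag if one is present."""
    dst, src = raw[:6], raw[6:12]
    (tpid,) = struct.unpack("!H", raw[12:14])
    if tpid == TPID_8021Q:
        tci, ethertype = struct.unpack("!HH", raw[14:18])
        return Frame(dst, src, tci & 0x0FFF, tci >> 13, ethertype, raw[18:])
    return Frame(dst, src, None, 0, tpid, raw[14:])


def build_frame(f: Frame) -> bytes:
    """Re-encode a Frame; vid=None produces an untagged frame."""
    if f.vid is None:
        return f.dst + f.src + struct.pack("!H", f.ethertype) + f.payload
    tci = (f.pcp << 13) | (f.vid & 0x0FFF)
    return f.dst + f.src + struct.pack("!HHH", TPID_8021Q, tci, f.ethertype) + f.payload


def switching_mode(f: Frame) -> Frame:
    """Switching mode: the frame is forwarded unmodified."""
    return f


def translation_mode(f: Frame) -> Frame:
    """Translation mode: strip the tag before the frame enters a native interface."""
    return Frame(f.dst, f.src, None, 0, f.ethertype, f.payload)


def routing_mode(f: Frame, router_mac: bytes, new_vid: int, next_hop: bytes) -> Frame:
    """Routing mode: the router becomes the source MAC and the VLAN ID changes.
    Rewriting the destination to the next hop is assumed, not stated in the text."""
    return Frame(next_hop, router_mac, new_vid, f.pcp, f.ethertype, f.payload)


# Constructed sample frames: VLAN 100, PCP 5, IPv4 ethertype, dummy payload.
ROUTER_MAC = bytes.fromhex("0200000000aa")
HOST_MAC = bytes.fromhex("0200000000bb")
SAMPLE_TAGGED = bytes.fromhex("001122334455 66778899aabb 8100 a064 0800") + b"payload"
SAMPLE_UNTAGGED = bytes.fromhex("001122334455 66778899aabb 0800") + b"payload"
```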

VLAN configurations

Different hardware manufacturers use different terminology, and this sometimes causes confusion at implementation time. The following details should help you define your VLANs without running into this issue.

Cisco VLAN terminology

You need a few details to define a VLAN on most Cisco equipment.

VLAN ID – The VLAN ID is a unique value you assign to each VLAN on a single device. With a Cisco routing or switching device running IOS, your range is from 1-4096. When you define a VLAN you usually use the syntax “vlan x”, where x is the number you would like to assign as the VLAN ID. VLAN 1 is reserved as an administrative VLAN; if VLAN technologies are enabled, all ports are members of VLAN 1 by default.

VLAN Name – The VLAN name is a text-based name you use to identify your VLAN, perhaps to help technical staff understand its function. The string you use can be between 1 and 32 characters in length.

Private VLAN – In the VLAN definition you also specify whether the VLAN is to be a private VLAN, and which other VLAN is to be associated with it. When you configure a Cisco VLAN as a private VLAN, ports that are members of the VLAN cannot communicate directly with each other by default. Normally all ports that are members of a VLAN can communicate directly with each other, just as they could had they been members of a standard network segment. Private VLANs exist to enhance security on a network where hosts coexisting on the same segment cannot or should not trust each other. This is common practice on web farms and in other high-risk environments where communication between hosts on the same subnet is not necessary. Check your Cisco documentation if you have questions about how to configure and deploy private VLANs.

VLAN modes – In Cisco IOS there are only two modes an interface can operate in, “mode access” and “mode trunk”. Access mode is for end devices, or for devices that do not require multiple VLANs. Trunk mode is used for passing multiple VLANs to other network devices, or for end devices that need membership in multiple VLANs at once. If you are wondering which mode to use, the answer is probably “mode access”.

Cisco VLAN implementations

VLAN Definition

You need a VLAN ID, a VLAN name, ports you would like to participate in the VLAN, and the type of membership the port will have with the VLAN.

• Step 1 – Log into the router or switch in question and get into enable mode.

• Step 2 – Get into configuration mode using “conf t”.

• Step 3 – Create your VLAN by entering “vlan X” where X is the ID you would like to assign the VLAN.

• Step 4 – Name your VLAN by entering “name <VLAN Name>”. Replace <VLAN Name> with the string you would like to identify your VLAN by.

• Step 5 – If you want your new VLAN to be a private-vlan, you now enter “private-vlan primary” and “private-vlan association Y” where Y is the secondary VLAN you want to associate with the primary vlan. If you would like the private VLAN to be community based, you enter “private-vlan community” instead.

• Step 6 – Exit configuration mode by entering “end”.

• Step 7 – Save your configuration to memory by entering “wr mem” and, if needed, to the network using “wr net”. You may have to supply additional information to write configurations to the network, depending on your device configuration.

VLAN Configuration

In normal network segment configurations on routers, individual interfaces or groups of interfaces (called channels) are assigned IP addresses. When you use VLANs, individual interfaces are instead members of VLANs and do not have individual IP addresses.

The following steps detail one method of creating and configuring your VLAN interface.

• Step 1 – Enter “Interface VlanX” where X is the VLAN ID you used in the VLAN definition above.

• Step 2 – This step is optional. Enter “description <VLAN description>” where <VLAN description> details what the VLAN is going to be used for. You can simply re-use the VLAN name you used above if you like.

• Step 3 – Enter “ip address <address> <netmask>” where <address> is the address you want to assign this device in the VLAN, and <netmask> is the network mask for the subnet you have assigned the VLAN.

• Step 4 – This step is optional. Create and apply an access list to the VLAN for inbound and outbound access controls. For a standard access list enter “access-group XXX in” and “access-group YYY out” where XXX and YYY correspond to access lists you have previously configured. Remember that the directions are taken with respect to the specific subnet or interface, so “in” means from the VLAN INTO the router, and “out” means from the router OUT to the VLAN.

• Step 5 – This step is optional. Enter the private VLAN mapping you would like to use if the port is part of a private VLAN. This should be the same secondary VLAN you associated with the primary VLAN in VLAN definition above. Enter “private-vlan mapping XX” where XX is the VLAN ID of the secondary VLAN you would like to associate with this VLAN.

• Step 6 – This step is optional. Configure HSRP and any other basic interface configurations you would normally use for your Cisco device.

• Step 7 – Exit configuration mode by entering “end”.

• Step 8 – Save your configuration to memory by entering “wr mem” and, if needed, to the network using “wr net”. You may have to supply additional information to write configurations to the network, depending on your device configuration.

Now you have your VLAN defined and configured, but no physical ports are members of it yet. Once you have determined which physical ports you want to be members of the VLAN, you can use the following steps to configure them.

For access ports

• Step 1 – Enter “Interface <interface name>” where <interface name> is the name Cisco has assigned the interface you would like to associate with the VLAN.

• Step 2 – This step is optional. Enter “description <interface description>” where <interface description> is text describing the system connected to the interface in question. It is usually helpful to provide DNS hostname, IP Address, which port on the remote system is connected, and its function.

• Step 3 – This step depends on your equipment and IOS version, and requirements. Enter “switchport” if you need the interface to act as a switch port. Some hardware does not support switchport mode, and can only be used as a router port. Check your documentation if you don’t know the difference between a router port and a switch port.

• Step 4 – Only use this step if you used step 3 above. Enter “switchport access vlan X” where X is the VLAN ID of the VLAN you want the port to be a member of.

• Step 5 – Only use this step if you used step 3 above. Enter “switchport mode access” to tell the port that you want it to be used as an access port.

• Step 6 – Exit configuration mode by entering “end”.

• Step 7 – Save your configuration to memory by entering “wr mem” and, if needed, to the network using “wr net”. You may have to supply additional information to write configurations to the network, depending on your device configuration.

For trunk ports

• Step 1 – Enter “Interface <interface name>” where <interface name> is the name Cisco has assigned the interface you would like to associate with the VLAN.

• Step 2 – This step is optional. Enter “description <interface description>” where <interface description> is text describing the system connected to the interface in question. It is usually helpful to provide DNS hostname, IP Address, which port on the remote system is connected, and its function.

• Step 3 – This step depends on your equipment and IOS version, and requirements. Enter “switchport” if you need the interface to act as a switch port. Some hardware does not support switchport mode, and can only be used as a router port. Check your documentation if you don’t know the difference between a router port and a switch port.

• Step 4 – Only use this step if you used step 3 above. Enter “switchport trunk encapsulation dot1q”. This tells the port to use dot1q encapsulation for the trunk, which is the industry-standard trunking encapsulation. There are other encapsulation options, but your equipment may not interoperate with non-Cisco equipment if you use them.

• Step 5 – Only use this step if you used step 3 above. Enter “switchport trunk allowed vlan XX, YY, ZZ” where XX, YY, and ZZ are VLANs you want the trunk to include. You can define one or more VLANs to be allowed in the trunk.

• Step 6 – Only use this step if you used step 3 above. Enter “switchport mode trunk” to tell the port to operate as a VLAN trunk, and not as an access port.

• Step 7 – Exit configuration mode by entering “end”.

• Step 8 – Save your configuration to memory by entering “wr mem” and, if needed, to the network using “wr net”. You may have to supply additional information to write configurations to the network, depending on your device configuration.

For private VLAN ports

• Step 1 – Enter “Interface <interface name>” where <interface name> is the name Cisco has assigned the interface you would like to associate with the VLAN.

• Step 2 – This step is optional. Enter “description <interface description>” where <interface description> is text describing the system connected to the interface in question. It is usually helpful to provide DNS hostname, IP Address, which port on the remote system is connected, and its function.

• Step 3 – This step depends on your equipment and IOS version, and requirements. Enter “switchport” if you need the interface to act as a switch port. Some hardware does not support switchport mode, and can only be used as a router port. Check your documentation if you don’t know the difference between a router port and a switch port.

• Step 4 – Enter “switchport private-vlan host association XX YY” where XX is the primary VLAN you want to assign and YY is the secondary VLAN you want to associate with it.

• Step 5 – Enter “switchport mode private-vlan host” to force the port to operate as a private-vlan in host mode.

• Step 6 – Exit configuration mode by entering “end”.

• Step 7 – Save your configuration to memory by entering “wr mem” and, if needed, to the network using “wr net”. You may have to supply additional information to write configurations to the network, depending on your device configuration.

HP VLAN terminology

HP’s line of switchgear is becoming more and more prevalent in the enterprise, so here is how some of the VLAN terminology is defined on that platform, leaving less opportunity for confusion.

• VLAN ID – Fortunately, VLAN IDs are pretty much the same everywhere; the only significant difference is the range of IDs that can be used. With Procurve devices, the number of VLANs is defined in the configuration. The default maximum number of VLANs supported on a Procurve device differs between models and firmware revisions, but is commonly set to 8. Newer Procurve hardware supports 4,096 VLAN IDs, but only 256 concurrently defined VLANs on a single device. VLAN ID 1 is reserved for the “DEFAULT_VLAN”, the default administrative VLAN.

• VLAN names – VLAN names are text fields that help technicians identify VLANs. Procurve allows names up to 32 characters, but if you want the name to display properly in menu configuration mode, you should probably limit it to 12 characters.

• VLAN modes – Procurve has three modes of operation for VLANs on the chassis: Untagged, Tagged, and No. Untagged mode is the equivalent of Cisco’s access mode; it is used for ports that connect to end nodes, or to devices that will not be passing VLAN traffic onward. Tagged mode is the equivalent of Cisco’s trunk mode; it is used for ports connecting to devices that will pass VLAN traffic onward, or for trunking multiple VLANs. No mode means that the port in question has no association whatsoever with that VLAN.

HP Procurve VLAN implementations

VLAN Definition

Procurve switches enable VLAN use by default, and VLAN definitions and configuration are created in the same place, so the configuration examples are provided under the VLAN configuration topic below.

VLAN Configuration

Configuring VLANs on a modern Procurve is fairly simple: you first define the VLAN, set its properties, and then set up port membership and the VLAN mode each port will support. The following list should help you accomplish these tasks.

• Step 1 – Log into the switch and get into manager mode. If, after logging in, you are in the configuration menu, exit the configuration menu by selecting item 5 (in most cases) or by using the arrow keys on your keyboard to highlight the “Command Line (CLI)” item.

• Step 2 – Enter “conf t” to get into terminal configuration mode.

• Step 3 – Enter “vlan X” where X is the VLAN id of the VLAN you would like to create.

• Step 4 – Name your VLAN by entering “name "<VLAN Name>"” where <VLAN Name> is a text string from 1 to 32 characters (12 characters if you care about the configuration menu display). You should use quotes when naming the VLAN.

• Step 5 – Give the VLAN an IP address by entering “ip address <ip address> <netmask>” where <ip address> is the IP address you want to assign this switch in that subnet, and <netmask> is the network mask for the subnet assigned.

• Step 6 – This step is optional. If you want to assign some end node ports to the VLAN, enter “untagged <port-list>” where <port-list> is a list of ports, comma-delimited if they are non-sequential, or with a dash between the beginning and end of the list if they are sequential. An example of this is “untagged 1,3,5,7-16”. This would configure ports 1, 3, 5, and 7 through 16 to be untagged on that VLAN.

• Step 7 – This step is optional. If you want to assign some VLAN trunk ports to the VLAN, enter “tagged <port-list>” where <port-list> is a list of ports, comma-delimited if they are non-sequential, or with a dash between the beginning and end of the list if they are sequential. An example of this is “tagged 1,3,5,7-16”. This would configure ports 1, 3, 5, and 7 through 16 to be tagged on that VLAN.

• Step 8 – Enter “exit” to leave VLAN configuration mode.

• Step 9 – Exit configuration mode by entering “exit” again.

• Step 10 – Save your configuration by entering “wr memory”.

Summary

If you are going to integrate Cisco and HP Procurve hardware on the same network and you intend to use VLANs, here are some things you need to remember:

• For end nodes – Cisco uses “mode access”, HP uses “untagged” mode.

• For VLAN dot1q trunks – Cisco uses “mode trunk”, HP uses “tagged” mode.

• For no VLAN association – Cisco uses no notation at all, HP uses “no” mode in the configuration menu, or you have VLAN support turned off.


This list should help keep you out of trouble the next time you have to integrate the two with VLANs.
