VLAN
In order to implement VLANs in a network environment, you'll need a Layer 2 switch that supports them. Almost all switches sold today that are described as "managed" switches provide the ability to make ports members of different VLANs. However, switches that don't provide any configuration function (such as many basic, lower-end switches) don't provide the ability to configure VLANs. Almost any Cisco Catalyst switch that you'll come across today provides the ability to make ports part of different VLANs.
Before getting into the details of how a VLAN functions, it's worth exploring some of the advantages that a VLAN provides. First and foremost, VLANs provide the ability to define broadcast domains without the constraint of physical location. For example, instead of making all of the users on the third floor part of the same broadcast domain, you might use VLANs to make all of the users in the HR department part of the same broadcast domain. The benefits of doing this are many. Firstly, these users might be spread throughout different floors of a building, so a VLAN would allow you to make all of these users part of the same broadcast domain. To that end, this can also be viewed as a security feature - since all HR users are part of the same broadcast domain, you could later use policies such as access lists to control which areas of the network these users have access to, or which users have access to the HR broadcast domain. Furthermore, if the HR department's server were placed on the same VLAN, HR users would be able to access their server without the need for traffic to cross routers and potentially impact other parts of the network.
VLANs are defined on a switch on a port-by-port basis. That is, you might choose to make ports 1-6 part of VLAN 1, and ports 7-12 part of VLAN 2. There's no need for ports in the same VLAN to be contiguous at all - you could make ports 1, 3 and 5 on a switch part of VLAN 1, for example. On almost all switches today, all ports are part of VLAN 1 by default. If you want to implement additional VLANs, these must first be defined in the switch's software (such as the IOS on a Cisco switch), and then ports must be made members of that VLAN. A VLAN isn't limited to a single switch, either. If trunk links are used to interconnect switches, a VLAN might have 3 ports on one switch, and 7 ports on another, as shown below. The logical nature of a VLAN makes it a very effective tool, especially in larger networking environments.
Inter-VLAN Communication
I mentioned a few times already that a VLAN is simply a special type of broadcast domain, in that it is defined on a switch port basis rather than on traditional physical boundaries. Recall from the earlier articles in this series that when a host in one broadcast domain wishes to communicate with another, a router must be involved. The same holds true for VLANs. For example, imagine that port 1 on a switch is part of VLAN 1, and port 2 part of VLAN 99. If all of the switch's ports were part of VLAN 1, the hosts connected to these ports could communicate without issue. However, once the ports are made part of different VLANs, this is no longer true. In order for a host connected to port 1 to communicate with another connected to port 2, a router must be involved.
You may already be familiar with the concept of a Layer 3 switch. A Layer 3 switch is generally a Layer 2 switching device that also includes the ability to act as a router, usually through the use of additional hardware and software features. If a switch includes Layer 3 capabilities, it can be configured to route traffic between VLANs defined in the switch, without the need for packets to ever leave the switch. However, if a switch only includes Layer 2 functionality, an external router must be configured to route traffic between the VLANs. In some cases, it's entirely possible that a packet will leave switch port 1, be forwarded to an external router, and then be routed right back to port 2 on the originating switch. For this reason, many companies have decided to implement Layer 3 switches strategically throughout their network. Regardless of the method chosen, it's most important for you to recognize that when a host on one VLAN wants to communicate with a host on another, a router must somehow be involved.
Extending VLANs Between Switches
In order to extend VLANs across different switches, a trunk link must interconnect the switches. Think of a trunk link as being similar to an uplink between hubs - usually a trunk link is implemented between fast switch ports on two different switches using a crossover cable. For example, you might interconnect two Gigabit Ethernet ports on different switches using fiber optics, or two 100 Mbps switch ports using a traditional Cat5 crossover cable. In most cases it is generally recommended that you use the fastest port available for trunk connections, since this link will often carry a great deal of traffic, possibly for multiple VLANs.
To begin, let's assume that you have connected a link between the 100 Mbps ports of two switches, as shown below. Notice that each of these ports is a member of VLAN 1 on its switch. By default, without any additional configuration, these ports will act as a trunk link, but will only pass traffic for the VLAN associated with their port connections - VLAN 1. This type of link, where only traffic for a single VLAN is passed, is referred to as an "Access Link". While an access link does the job for a single VLAN environment, multiple access links would be required if you wanted traffic from multiple VLANs to be passed between switches. Having multiple access links between the same pair of switches would be a big waste of switch ports. Obviously another solution is required when traffic for multiple VLANs needs to be transferred across a single trunk link. The solution for this comes through the use of VLAN tagging.
VLAN Tagging
When you want traffic from multiple VLANs to be able to traverse a link that interconnects two switches, you need to configure a VLAN tagging method on the ports that supply the link. Although there are a number of tagging methods in use for different technologies, the two that you need to be aware of for the purpose of the CCNA exam are known as InterSwitch Link (ISL) and 802.1q. ISL is a Cisco proprietary VLAN tagging method, while 802.1q is an open standard. When interconnecting two Cisco switches, ISL is usually the best choice, but if you need to interconnect switches of different types (a Cisco switch and an Avaya switch, for example), then you'll need to use IETF.
For the CCNA exam, the only thing that you really need to know about 802.1q is that it is the open standard for VLAN tagging, and should be used in mixed environments. The exam expects you to have a somewhat deeper understanding of ISL, including how it works, when it can be used, and ultimately, its purpose.
First and foremost, you need to be aware that ISL will only function on ports with a speed of 100 Mbps or greater. That is, you cannot use ISL in conjunction with a 10 Mbps port. That shouldn't be an issue, since most Cisco Catalyst switches provide at least one or two Fast Ethernet ports, even on lower-end models like the 1912. Secondly, the ports on either end of the link need to support and be configured for ISL.
ISL is referred to as a VLAN tagging method. Essentially, what ISL does is tag a frame as it leaves a switch with information about the VLAN that the frame belongs to. For example, if a frame from VLAN 99 is leaving a switch, the ISL port will add information to the frame header, designating that the frame is part of VLAN 99. When this ISL frame reaches the port at the other end of the link, that switch will look at the ISL header, determine that the frame is meant for VLAN 99, strip off the ISL information, and forward it into VLAN 99. One of the issues with VLAN tagging is that by adding information to an Ethernet frame, the size of the frame can move beyond the Ethernet maximum of 1518 bytes, to 1522 bytes. Because of this, all non-ISL ports will see frames larger than 1518 bytes as giants, and as such, invalid. This is the reason why a port needs to be configured for ISL in order for it to understand this different frame format.
Once VLAN tagging is configured on the ports associated with the link connecting switches, the link is known as a "Trunk Link". A trunk link is capable of transferring frames from many different VLANs through the use of technologies like ISL or 802.1q.
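As an added illustration (not code from the article, nor from Cisco), the following Python models what the sections on inter-VLAN communication and VLAN tagging describe: a broadcast is flooded only to ports in the same VLAN, a trunk port tags the frame on the way out and strips the tag on the way in, and a port that isn't configured for tagging rejects the enlarged frame as a giant. It uses the 802.1q tag layout (a TPID of 0x8100 and a 16-bit TCI holding the 12-bit VLAN ID, inserted after the source MAC) rather than ISL, since ISL's header format isn't given here. The Switch class, port numbers and the sample frame are constructed for the example.

```python
import struct

TPID_8021Q = 0x8100        # 802.1q tag protocol identifier
ETH_MAX_UNTAGGED = 1518    # classic Ethernet maximum frame size, FCS included

def tag_frame(frame: bytes, vlan_id: int) -> bytes:
    """Insert a 4-byte 802.1q tag after the 12-byte dst/src MAC pair."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID out of range")
    tci = vlan_id & 0x0FFF                # priority 0, DEI 0, 12-bit VID
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]

def untag_frame(frame: bytes):
    """Return (vlan_id, frame_without_tag); vlan_id is None if untagged."""
    (tpid,) = struct.unpack("!H", frame[12:14])
    if tpid != TPID_8021Q:
        return None, frame
    (tci,) = struct.unpack("!H", frame[14:16])
    return tci & 0x0FFF, frame[:12] + frame[16:]

def access_port_accepts(frame: bytes) -> bool:
    """A port not configured for tagging treats >1518-byte frames as giants."""
    return len(frame) <= ETH_MAX_UNTAGGED

class Switch:
    """Toy Layer 2 switch: access ports map to one VLAN, trunks carry tags."""
    def __init__(self, access, trunks):
        self.access = dict(access)        # port number -> VLAN ID
        self.trunks = set(trunks)

    def forward_broadcast(self, in_port, frame):
        """Flood a broadcast within its VLAN only; returns {out_port: frame}."""
        if in_port in self.trunks:
            vlan, frame = untag_frame(frame)   # trunk ingress: read tag, strip it
        else:
            vlan = self.access[in_port]        # access ingress: the port's VLAN
        out = {p: frame for p, v in self.access.items()
               if p != in_port and v == vlan}  # same broadcast domain only
        for p in self.trunks - {in_port}:
            out[p] = tag_frame(frame, vlan)    # trunk egress: add the tag
        return out

def demo():
    # Constructed scenario: a host in VLAN 99 on switch 1, port 2 broadcasts
    bcast = (b"\xff" * 6 + b"\x00\x11\x22\x33\x44\x55" + b"\x08\x00"
             + b"A" * 1500 + b"\x00" * 4)      # 1518 bytes incl. FCS
    sw1 = Switch(access={1: 1, 2: 99, 3: 99}, trunks=[24])  # constructed topology
    sw2 = Switch(access={1: 1, 2: 99}, trunks=[24])
    out1 = sw1.forward_broadcast(2, bcast)
    out2 = sw2.forward_broadcast(24, out1[24])  # arrives tagged over the trunk
    return out1, out2
```

On switch 1 the broadcast reaches the other VLAN 99 access port and the trunk (now 1522 bytes, so an access port would drop it as a giant), but never VLAN 1; switch 2 strips the tag and delivers the original 1518-byte frame only to its VLAN 99 port.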
A better strategy here would be to configure ISL tagging on one of the router's Fast Ethernet interfaces, and then configure ISL on the connected switch port. This configuration, also known as a "router on a stick", would allow the router to process the traffic of multiple VLANs, and route traffic between them. We'll get into the details of routing within the next few articles.
Beyond its intended purpose of configuring trunk links between switches, ISL is often used in other ways. For example, it is possible to purchase network interface cards that support ISL. If a server were configured with an ISL-capable network card, it could be connected to an ISL port on a switch.
This would allow a server to be made part of multiple VLANs simultaneously, the benefit being that hosts from different broadcast domains could then access the server without the need for their packets to be routed. While this may seem like a perfect solution, you need to remember that the server would now see all traffic from these VLANs, which could negatively impact performance.
http://www.justvb.net/it/