Transcript Virtual LAN
Virtual LAN Using Hubs Layer 1 devices Inexpensive In one port, out the others One collision domain One broadcast domain Hub 1 172.30.1.21 255.255.255.0 172.30.1.24 255.255.255.0 172.30.1.22 255.255.255.0 172.30.1.23 255.255.255.0 Single Hub Ÿ One Network (IP Network Address - usually) Ÿ One Collision Domain Ÿ One Broadcast Domain This is fine for small workgroups, but does not scale well for larger workgroups or heavy traffic. Hub 1 172.30.1.21 255.255.255.0 172.30.2.22 255.255.255.0 172.30.1.22 255.255.255.0 172.30.2.21 255.255.255.0 Single Hub - Two subnets Ÿ Two subnets Ÿ One Collision Domain Ÿ One Broadcast Domain What if the computers were on two different subnets? Could they communicate within their own subnet? Yes Between subnets? No, need a router. Hub 1 172.30.1.21 255.255.255.0 172.30.1.22 255.255.255.0 172.30.1.23 255.255.255.0 All Hubs Ÿ One Network Address Ÿ One Collision Domain Ÿ One Broadcast Domain Hub 2 172.30.1.27 255.255.255.0 172.30.1.24 255.255.255.0 172.30.1.25 255.255.255.0 172.30.1.26 255.255.255.0 Same issues as before, with more of an impact on the network. Using Switches Layer 2 devices Moderate expense for common access switches, but can be very expensive. Layer 2 filtering based on Destination MAC addresses and Source Address Table One collision domain per port One broadcast domain Two parallel paths: (complete SAT tables) Data traffic from 172.30.1.24 to 172.30.1.25 and from 172.30.1.26 to 172.30.1.27 Hub 172.30.1.21 255.255.255.0 172.30.1.22 255.255.255.0 172.30.1.23 255.255.255.0 Switch and Hub Network Ÿ One Network Ÿ Several Collision Domains Ÿ One per switch port Ÿ One for the entire Hub Ÿ One Broadcast Domain Switch 172.30.1.27 255.255.255.0 172.30.1.24 255.255.255.0 172.30.1.25 255.255.255.0 172.30.1.26 255.255.255.0 As opposed to the Hub: Data traffic from 172.30.1.21 to 172.30.1.22 and from 172.30.1.23 to 172.30.1.24 Collision! Hub 172.30.1.21 255.255.255.0 172.30.1.22 255.255.255.0 172.30.1.23 255.255.255.0 Switch and Hub Network Ÿ One Network Ÿ Several Collision Domains Ÿ One per switch port Ÿ One for the entire Hub Ÿ One Broadcast Domain Switch 172.30.1.27 255.255.255.0 172.30.1.24 255.255.255.0 172.30.1.25 255.255.255.0 172.30.1.26 255.255.255.0 Collisions and Switches: What happens when two devices on a switch, send data to another device on the switch. 172.30.1.24 to 172.30.1.25 and 172.30.1.26 to 172.30.1.25 Hub 172.30.1.21 255.255.255.0 172.30.1.22 255.255.255.0 172.30.1.23 255.255.255.0 Switch and Hub Network Ÿ One Network Ÿ Several Collision Domains Ÿ One per switch port Ÿ One for the entire Hub Ÿ One Broadcast Domain Switch 172.30.1.27 255.255.255.0 172.30.1.24 255.255.255.0 172.30.1.25 255.255.255.0 172.30.1.26 255.255.255.0 The switch keeps the frames in buffer memory, and queues the traffic for the host 172.30.1.25. This means that the sending hosts do not know about the collisions and do not have to re-send the frames. Hub Frames in buffer 172.30.1.21 255.255.255.0 172.30.1.22 255.255.255.0 172.30.1.23 255.255.255.0 Switch and Hub Network Ÿ One Network Ÿ Several Collision Domains Ÿ One per switch port Ÿ One for the entire Hub Ÿ One Broadcast Domain Switch 172.30.1.27 255.255.255.0 172.30.1.24 255.255.255.0 172.30.1.25 255.255.255.0 172.30.1.26 255.255.255.0 Other Switching Features Review Asymmetric ports: 10 Mbps and 100 Mbps Full-duplex ports Cut-through versus Store-and-Forward switching Ports between switches and server ports are good candidates for higher bandwidth ports (100 Mbps) and full-duplex ports. 172.30.1.21 255.255.255.0 172.30.1.22 255.255.255.0 Switch 1 172.30.1.23 255.255.255.0 172.30.1.24 255.255.255.0 All Switched Network Ÿ One Network Ÿ Several Collision Domains Ÿ One per switch port Ÿ One Broadcast Domain Switch 2 172.30.1.28 255.255.255.0 172.30.1.25 255.255.255.0 172.30.1.26 255.255.255.0 172.30.1.27 255.255.255.0 Introducing Multiple Subnets/Networks without Routers Switches are Layer 2 devices Router are Layer 3 devices Data between subnets/networks must pass through a router. A Switched Network with two subnets: What are the issues? Can data travel within the subnet? Yes Can data travel between subnets? No, need a router! What is the impact of a layer 2 broadcast, like an ARP Request? ARP Request 172.30.1.21 255.255.255.0 172.30.2.10 255.255.255.0 Switch 1 172.30.1.23 255.255.255.0 172.30.2.12 255.255.255.0 All Switched Network - Two Networks Ÿ Two Subnets Ÿ Several Collision Domains Ÿ One per switch port Ÿ One Broadcast Domain Switch 2 172.30.2.16 255.255.255.0 172.30.1.25 255.255.255.0 172.30.2.14 255.255.255.0 172.30.1.27 255.255.255.0 All devices see the ARP Request. One broadcast domain means the switches flood all broadcast out all ports, except the incoming port. Switches have no idea of the layer 3 information contained in the ARP Request. This consumes bandwidth on the network and processing cycles on the hosts. 172.30.1.21 255.255.255.0 172.30.2.10 255.255.255.0 Switch 1 172.30.1.23 255.255.255.0 172.30.2.12 255.255.255.0 All Switched Network - Two Networks Ÿ Two Subnets Ÿ Several Collision Domains Ÿ One per switch port Ÿ One Broadcast Domain Switch 2 172.30.2.16 255.255.255.0 172.30.1.25 255.255.255.0 172.30.2.14 255.255.255.0 172.30.1.27 255.255.255.0 One Solution: Physically separate the subnets. But still no data can travel between the subnets. How can we get the data to travel between the two subnets? 172.30.1.21 255.255.255.0 172.30.1.23 255.255.255.0 Switch 1 172.30.1.25 255.255.255.0 Two Switched Networks Ÿ Two Subnets Ÿ Several Collision Domains Ÿ One per switch port Ÿ Two Broadcast Domain 172.30.1.26 255.255.255.0 Switch 2 172.30.2.16 255.255.255.0 172.30.2.10 255.255.255.0 172.30.2.12 255.255.255.0 172.30.2.14 255.255.255.0 Introducing Multiple Subnets/Networks with Routers Switches are Layer 2 devices Router are Layer 3 devices Data between subnets/networks must pass through a router. Routed Network: Two separate broadcast domains, because the router will not forward the layer 2 broadcasts such as ARP Requests. 172.30.1.21 255.255.255.0 172.30.1.23 255.255.255.0 172.30.1.1 255.255.255.0 Switch 1 172.30.2.1 255.255.255.0 Router 172.30.1.25 255.255.255.0 172.30.1.26 255.255.255.0 Routed Networks Ÿ Two Subnets Ÿ Several Collision Domains Ÿ One per switch port Ÿ Communication between subnets Switch 2 172.30.2.16 255.255.255.0 172.30.2.10 255.255.255.0 172.30.2.12 255.255.255.0 172.30.2.14 255.255.255.0 Switches with multiple subnets So far this should have been a review. Lets see what happens when we have two subnets on a single switch and we want to route between the two subnets. Router-on-a-stick: When a single interface is used to route between subnets or networks, this is know as a router-on-a-stick. To assign multiple ip addresses to the same interface, secondary addresses or subinterfaces are used. interface e 0 ip address 172.30.1.1 255.255.255.0 ip address 172.30.2.1 255.255.255.0 secondary 172.30.1.21 255.255.255.0 Router 172.30.1.1 172.30.2.1 sec 255.255.255.0 Switch 1 172.30.2.12 255.255.255.0 172.30.2.10 255.255.255.0 172.30.1.23 255.255.255.0 Routed Networks Ÿ Two Subnets Ÿ Communication between subnets Router-on-a-stick Advantages Useful when there are limited Ethernet interfaces on the router. Disadvantage Because a single link is used to connect multiple subnets, one link is having to carry the traffic for multiple subnets. Be sure this is link can handle the traffic. You may wish to use a high-speed link (100 Mbps) and full-duplex. Gotcha’s 1. Remember to have the proper default gateway set for each host. 172.30.1.0 hosts - default gateway is 172.30.1.1 172.30.2.0 hosts - default gateway is 172.30.2.1 2. The router must still route between subnets, so you must include: Router (config)# router rip Router (config-router)# network 172.30.0.0 Multiple interfaces: Two Ethernet router ports may be used instead of one. However this may be difficult if you do not have enough Ethernet ports on your router. E0 172.30.1.1 255.255.255.0 172.30.1.21 255.255.255.0 E1 Router 172.30.2.1 255.255.255.0 Switch 1 172.30.2.12 255.255.255.0 172.30.2.10 255.255.255.0 172.30.1.23 255.255.255.0 Routed Networks Ÿ Two Subnets Ÿ Communication between subnets One switch two subnets: Good News: Data can travel between subnets and we have two separate broadcast domains. Bad News: Hosts are on different subnets but on a single layer 2 broadcast domain. Router 172.30.1.1 172.30.2.1 sec 255.255.255.0 ARP Request 172.30.1.21 255.255.255.0 Switch 1 172.30.2.12 255.255.255.0 172.30.2.10 255.255.255.0 172.30.1.23 255.255.255.0 Routed Networks Ÿ Two Subnets Ÿ Communication between subnets An ARP Request from 172.30.1.21 for 172.30.1.23 will still be seen by all hosts on the switch. The switch is a layer 2 device and will flood broadcast traffic out all ports, except the incoming port. Router 172.30.1.21 255.255.255.0 172.30.1.1 172.30.2.1 sec 255.255.255.0 Switch 1 172.30.2.12 255.255.255.0 172.30.2.10 255.255.255.0 172.30.1.23 255.255.255.0 Routed Networks Ÿ Two Subnets Ÿ Communication between subnets Introducing VLANs VLANs create separate broadcast domains Routers are needed to pass information between different VLANs VLANs are not necessary to have separate subnets on a switched network, but as we will see they give us more advantages when it comes to things like data link (layer 2) broadcasts. VLAN Definition A logical subgroup within a local area network that is created via software rather than manually moving cables in the wiring closet. It combines user stations and network devices into a single unit regardless of the physical LAN segment they are attached to and allows traffic to flow more efficiently within populations of mutual interest. VLANs are implemented in port switching hubs and LAN switches and generally offer proprietary solutions. VLANs reduce the time it takes to implement moves, adds and changes. VLANs function at layer 2. Since their purpose is to isolate traffic within the VLAN, in order to bridge from one VLAN to another, a router is required. The router works at the higher layer 3 network protocol, which requires that network layer segments are identified and coordinated with the VLANs. This is a complicated job, and VLANs tend to break down as networks expand and more routers are encountered. Layer 2 broadcast control: An ARP Request from 172.30.1.21 for 172.30.1.23 will only be seen by hosts on that VLAN. The switch will flood broadcast traffic out only those ports belonging to that particular VLAN, in this case VLAN 1. ARP Request Switch Port: VLAN ID 172.30.1.21 255.255.255.0 VLAN 1 Switch 1 172.30.2.12 255.255.255.0 VLAN 2 172.30.2.10 255.255.255.0 VLAN 2 172.30.1.23 255.255.255.0 VLAN 1 Two VLANs Ÿ Two Subnets Port-centric VLAN Switches Remember, as the Network Administrator, it is your job to assign switch ports to the proper VLAN. This assignment is only done at the switch and not at the host. Note: The following diagrams show the VLAN below the host, but it is actually assigned within the switch. 1 2 3 4 5 6 . Port 1 2 1 2 2 1 . VLAN Catalyst 1900 - VLAN Membership Configuration Port VLAN Membership Type ----------------------------1 1 Static 2 2 Static 3 1 Static 4 2 Static 5 2 Static 6 1 Static 7 1 Static 8 1 Static 9 1 Static 10 1 Static 11 1 Static 12 2 Static AUI 1 Static A 1 Static B 1 Static [M] Membership type [V] VLAN assignment [R] Reconfirm dynamic membership [X] Exit to previous menu Enter Selection: Layer 2 broadcast control: Without VLANs, the ARP Request would be seen by all hosts. Again, consuming unnecessary network bandwidth and host processing cycles. ARP Request 172.30.1.21 255.255.255.0 Switch 1 172.30.2.12 255.255.255.0 172.30.2.10 255.255.255.0 No VLANs Ÿ Same as a single VLAN Ÿ Two Subnets 172.30.1.23 255.255.255.0 With VLANs: Data will only travel within the VLAN. Remember that switches are Layer 2 devices and they can only pass traffic within the VLAN. ARP Request Switch Port: VLAN ID 172.30.1.21 255.255.255.0 VLAN 1 Switch 1 172.30.2.12 255.255.255.0 VLAN 2 172.30.2.10 255.255.255.0 VLAN 2 172.30.1.23 255.255.255.0 VLAN 1 Two VLANs Ÿ Two Subnets Switch Port: VLAN ID 1 2 3 4 5 6 . Port 1 2 1 2 2 1 . VLAN With VLANs: A switch cannot route data between different VLANs. Example: Data from 172.30.1.21 to 172.30.2.12 X 172.30.1.21 255.255.255.0 VLAN 1 Switch Port: VLAN ID Switch 1 172.30.2.12 255.255.255.0 VLAN 2 172.30.2.10 255.255.255.0 VLAN 2 172.30.1.23 255.255.255.0 VLAN 1 Two VLANs Ÿ Two Subnets Gotcha’s 1. Remember that VLAN IDs (numbers) are assigned to the switch port and not to the host. (Port-centric VLAN switches) 2. Be sure to have all of the hosts on the same subnet belong to the same VLAN, or you will have problems. Hosts on subnet 172.30.1.0/24 - VLAN 1 Hosts on subnet 172.30.2.0/24 - VLAN 2 etc. Routing and VLANs In the previous example data could travel within the VLAN, but not between VLANs. Just like subnets, a router is needed to route information between different VLANs. The advantage is the switch propagates broadcast traffic only within the VLAN. Data between VLANs is routed through the router. Data from 172.30.1.21 to 172.30.2.12 172.30.1.1 255.255.255.0 VLAN 1 172.30.1.21 255.255.255.0 VLAN 1 Router 172.30.2.1 255.255.255.0 VLAN 2 Switch 1 172.30.2.12 255.255.255.0 VLAN 2 172.30.2.10 255.255.255.0 VLAN 2 172.30.1.23 255.255.255.0 VLAN 1 VLANs Ÿ Two Subnets Ÿ Communication between VLANs Ÿ NOTE: VLANs assigned only to the ports Gotcha’s 1. Remember to have the proper default gateway set for each host. 172.30.1.0 hosts - default gateway is 172.30.1.1 172.30.2.0 hosts - default gateway is 172.30.2.1 2. The router must still route between subnets, so you must include: Router (config)# router rip Router (config-router)# network 172.30.0.0 3. The switch ports to the router must have the corresponding VLAN ID to that subnet. Switch port to 172.30.1.1 must be on VLAN 1 Switch port to 172.30.2.1 must be on VLAN 2 Switch Port: VLAN ID (VLAN ID not set at router.) 172.30.1.1 255.255.255.0 (VLAN 1) Router 172.30.2.1 255.255.255.0 (VLAN 2) 1 2 3 4 5 6 . Port 1 2 1 2 2 1 . VLAN So, what’s the difference? One of the main differences between subnets with VLANs and subnets without VLANs on switched networks, is that VLANs offer layer 2 broadcast control. Here is an ARP Request example without VLANs. 172.30.1.1 255.255.255.0 Router 172.30.2.1 255.255.255.0 ARP Request 172.30.1.21 255.255.255.0 Switch 1 172.30.2.12 255.255.255.0 172.30.2.10 255.255.255.0 172.30.1.23 255.255.255.0 Routed Networks Ÿ Two Subnets Ÿ Communication between subnets Here is an ARP Request example with VLANs. Notice that the broadcast is isolated only to the VLAN that it came from, in this case VLAN 1. 172.30.1.1 255.255.255.0 VLAN 1 Router 172.30.2.1 255.255.255.0 VLAN 2 ARP Request 172.30.1.21 255.255.255.0 VLAN 1 Switch 1 172.30.2.12 255.255.255.0 VLAN 2 172.30.2.10 255.255.255.0 VLAN 2 172.30.1.23 255.255.255.0 VLAN 1 VLANs Ÿ Two Subnets Ÿ Communication between VLANs Ÿ NOTE: VLANs assigned only to the ports Can I use the Router-on-a-stick method with multiple VLANs? Can you remind me what Router-on-astick is? What is Router-on-a-stick? When a single interface is used to route between subnets or networks, this is know as a router-on-a-stick. To assign multiple ip addresses to the same interface, secondary addresses or subinterfaces are used. interface e 0 ip address 172.30.1.1 255.255.255.0 ip address 172.30.2.1 255.255.255.0 secondary 172.30.1.21 255.255.255.0 Router 172.30.1.1 172.30.2.1 sec 255.255.255.0 Switch 1 172.30.2.12 255.255.255.0 172.30.2.10 255.255.255.0 172.30.1.23 255.255.255.0 Routed Networks Ÿ Two Subnets Ÿ Communication between subnets With Router-on-a-stick, ISL or 802.1Q trunking is needed. We will talk about tagging and trunking in the next section. Router 172.30.1.1 172.30.2.1 secondary 255.255.255.0 Trunking ISLor 802.1Q Trunking ISL or 802.1Q 172.30.1.21 255.255.255.0 VLAN 1 Switch 1 172.30.2.12 255.255.255.0 VLAN 2 172.30.2.10 255.255.255.0 VLAN 2 172.30.1.23 255.255.255.0 VLAN 1 VLANs Ÿ Two Subnets Ÿ Communication between VLANs using trunking Ÿ NOTE: VLANs assigned only to the ports . VLAN introduction VLANs provide segmentation based on broadcast domains. VLANs logically segment switched networks based on the functions, project teams, or applications of the organization regardless of the physical location or connections to the network. All workstations and servers used by a particular workgroup share the same VLAN, regardless of the physical connection or location. . VLAN introduction VLANs are created to provide segmentation services traditionally provided by physical routers in LAN configurations. VLANs address scalability, security, and network management. Routers in VLAN topologies provide broadcast filtering, security, and traffic flow management. Switches may not bridge any traffic between VLANs, as this would violate the integrity of the VLAN broadcast domain. Traffic should only be routed between VLANs. . Broadcast domains with VLANs and routers A VLAN is a broadcast domain created by one or more switches. The network design above creates three separate broadcast domains. Broadcast domains with VLANs and routers 1) Without VLANs 10.0.0.0/8 2) With or without VLANs 10.1.0.0/16 10.2.0.0/16 10.3.0.0/16 1) No VLANs, or in other words, One VLAN. Single IP network. 2) With or without VLANs. However this can be and example of no VLANS. In both examples, each group (switch) is on a different IP network. 3) Using VLANs. Switch is One link per VLAN or a single VLAN Trunk (later) 10.1.0.0/16 1) With VLANs 10.2.0.0/16 10.3.0.0/16 Tagging and Trunking Non-tagging Switches Lets first see how multiple VLANs are interconnected using switches that do not have the tagging capability. Non-tagging Switches For each VLAN, there must be a link between the two switches. One link per VLAN. Be sure the switch ports on the switches are configured for the proper VLAN. Port 1 = VLAN 1 & Port 2 = VLAN 2 100BaseT Ports Moe 1 2 VLAN 1: Port 1 on switch Moe is connected to Port 1 on Switch Larry. VLAN 2: Port 2 on switch Moe is connected to Port 2 on Switch Larry. 1 2 Larry Port 1 = VLAN 1 & Port 2 = VLAN 2 100BaseT Ports Advantages Each VLAN gets its own dedicated link with its own bandwidth. Disadvantages This requires a separate link for each VLAN. There may not be enough ports on the switch to accommodate a lot of different VLANs. Introducing Tagging and Trunking Some quick terminology Channel - multiple links that carry a single VLAN (I.e. Fast-Etherchannel) Trunk - one link that carries multiple VLANs Tagging - used to Identify which VLAN a frame belongs to Reminder: Switches and Routers It is important to remember that hosts on different switches, can communicate with hosts which belong to their same subnet, without VLANs. It is also important to remember that if hosts on different subnets wish to communicate, then that traffic must be routed via a router. VLANs and Switches However, if you put those hosts that are on different subnets, into different VLANs, then the switches will need to communicate the VLAN IDs. Again, this can be done without VLANs, but as we saw one of the benefits to VLANs is layer 2 broadcast control. Trunking (or tagging) is needed between switches, or a switch and a router, to pass traffic for multiple VLANs, if a single link is used. Your switches must have ports that can do this trunking or tagging. Advantages: A single port on a switch or router can be used to send and receive traffic for multiple VLANs. Disadvantages: This can put a lot of traffic on a single link, so be sure the link has enough bandwidth to handle it. This also requires the switch and/or router ports that are used for tagging to be capable of doing the tagging/trunking. Tagging needed between the switches. Note, that there is no router here, so there is no communications between the VLANs. Here is an example of 172.30.1.20 sending information to 172.30.1.25 172.30.1.20 255.255.255.0 VLAN 1 172.30.2.30 255.255.255.0 VLAN 2 172.30.1.21 255.255.255.0 VLAN 1 Port A Switch 1 Port A Trunk <- Tagging -> ISL or 802.1Q Switch 2 172.30.2.32 255.255.255.0 VLAN 2 172.30.1.22 255.255.255.0 VLAN 1 172.30.2.31 255.255.255.0 VLAN 2 172.30.1.25 255.255.255.0 VLAN 1 172.30.2.35 255.255.255.0 VLAN 2 VLAN Network - Inter-switch VLANs Two separate Broadcast Domains (VLAN 1 and VLAN 2) Communications over the trunk links (i.e. between switches) uses Tagging 802.1q ISL (Inter-Switch Link) - Cisco 802.10 - FDDI ATM LANE Tagging needed between the switches No communications between the VLANs, because there is not a router NOTE: VLAN ID is on the switches not on the hosts. Catalyst 1900 - VLAN Membership Configuration Port VLAN Membership Type ----------------------------1 1 Static 2 2 Static 3 1 Static NOTE: This is just an example 4 2 Static of a switch configuration menu 5 2 Static 6 1 Static and does not show represent the 7 1 Static configuration of the previous 8 1 Static example. 9 1 Static 10 1 Static 11 1 Static 12 2 Static AUI 1 Static A 1 Static B 1 Static [M] Membership type [V] VLAN assignment [R] Reconfirm dynamic membership [X] Exit to previous menu Enter Selection: The router is now connected, so we can see how to communicate between the VLANs. Because we are using Router-on-a-stick, the router will also need to be configured to include the ISL or 802.1Q tagging. 172.30.1.1 172.30.2.1 secondary 255.255.255.0 172.30.1.20 255.255.255.0 VLAN 1 172.30.2.30 255.255.255.0 VLAN 2 172.30.1.21 255.255.255.0 VLAN 1 Port A Switch 1 Router Tagging ISL or 802.1Q Port A Trunk <- Tagging -> ISL or 802.1Q Switch 2 172.30.2.32 255.255.255.0 VLAN 2 172.30.1.22 255.255.255.0 VLAN 1 172.30.2.31 255.255.255.0 VLAN 2 172.30.1.25 255.255.255.0 VLAN 1 172.30.2.35 255.255.255.0 VLAN 2 Same Gotcha’s 1. Remember to have the proper default gateway set for each host. 172.30.1.0 hosts - default gateway is 172.30.1.1 172.30.2.0 hosts - default gateway is 172.30.2.1 2. The router must still route between subnets, so you must include: Router (config)# router rip Router (config-router)# network 172.30.0.0 3. The switch ports to the router must have the corresponding VLAN ID to that subnet. Switch port to 172.30.1.1 must be on VLAN 1 Switch port to 172.30.2.1 must be on VLAN 2 New Gotcha’s 4. Ports interconnecting switches must be capable of doing VLAN trunking, with either ISL or 802.1Q. 5. If you are using Router-on-a-stick, then the switch port and the router interface must be capable and configured to do trunking/tagging with either ISL or 802.1Q. 6. Remember, all traffic between different VLANs must be routed via the router. Question What if the router is not capable of doing the tagging or trunking? How can we use the router to switch between VLANs? That’s right! You use two interfaces on the router instead of one. One for each VLAN. On the switch you will not need to use trunk ports for the router. No ISL or 802.1Q tagging is needed. Ethernet 0 172.30.1.1 255.255.255.0 172.30.1.20 255.255.255.0 VLAN 1 172.30.2.30 255.255.255.0 VLAN 2 172.30.1.21 255.255.255.0 VLAN 1 Port A Switch 1 Router Ethernet 1 172.30.2.1 255.255.255.0 No tagging Port A Trunk <- Tagging -> ISL or 802.1Q Switch 2 172.30.2.32 255.255.255.0 VLAN 2 172.30.1.22 255.255.255.0 VLAN 1 172.30.2.31 255.255.255.0 VLAN 2 172.30.1.25 255.255.255.0 VLAN 1 172.30.2.35 255.255.255.0 VLAN 2 Would you like to see how the router is configured, with and without trunking? Well, we will do it anyways. :-) Instead of using secondary addresses, we will use something more current, know as subinterfaces. This allows you to configure multiple interfaces on a single physical interface. Cisco has said that secondary addresses will eventually not be a part of future IOS releases. Router-on-a-stick, the router will also need to be configured to include the ISL or 802.1Q tagging. Secondary or subinterfaces can be used. 172.30.1.1 172.30.2.1 secondary 255.255.255.0 172.30.1.20 255.255.255.0 VLAN 1 172.30.2.30 255.255.255.0 VLAN 2 172.30.1.21 255.255.255.0 VLAN 1 Port A Switch 1 Router Tagging ISL or 802.1Q Port A Trunk <- Tagging -> ISL or 802.1Q Switch 2 172.30.2.32 255.255.255.0 VLAN 2 172.30.1.22 255.255.255.0 VLAN 1 172.30.2.31 255.255.255.0 VLAN 2 172.30.1.25 255.255.255.0 VLAN 1 172.30.2.35 255.255.255.0 VLAN 2 Using multiple Ethernet interfaces. On the switch you will not need to use trunk ports for the router. No ISL or 802.1Q tagging is needed. Each switch port is on a separate VLAN. Ethernet 0 172.30.1.1 255.255.255.0 172.30.1.20 255.255.255.0 VLAN 1 172.30.2.30 255.255.255.0 VLAN 2 172.30.1.21 255.255.255.0 VLAN 1 Port A Switch 1 Router Ethernet 1 172.30.2.1 255.255.255.0 No tagging Port A Trunk <- Tagging -> ISL or 802.1Q Switch 2 172.30.2.32 255.255.255.0 VLAN 2 172.30.1.22 255.255.255.0 VLAN 1 172.30.2.31 255.255.255.0 VLAN 2 172.30.1.25 255.255.255.0 VLAN 1 172.30.2.35 255.255.255.0 VLAN 2 Fast Etherchannel Fast Etherchannel Allows two or four contiguous 100 Mbps ports to operate as a single link, giving twice the throughput. (command: port-channel mode on) 100BaseT Ports 10BaseT Ports (12) Moe Two 100BaseT Full-duplex ports: A B 2 x (100 x 2) = 400 Mbps throughput A B 10BaseT Ports (12) Larry 100BaseT Ports Fast Etherchannel is a Cisco proprietary feature, although other vendors have a similar solution. Fast Etherchannel allows some Cisco switches to use either two or four 100 Mbps ports as a single, virtual port. To the switch the multiple links will look like one, single, higher-bandwidth connection, combining the bandwidth of the two or four links between the two switches. NetFlow Switching NetFlow Switching provides network layer switching to campus switches at high forwarding rates. The first packet of the “flow” is routed via the router. When a flow is detected, NetFlow switching establishes a cut-through path for all remaining packets in the flow. These can be switched by the switch and not routed by the router. . VLAN operation Each switch port can be assigned to a different VLAN. Ports assigned to the same VLAN share broadcasts. Ports that do not belong to that VLAN do not share these broadcasts. . VLAN operation Static membership VLANs are called port-based and portcentric membership VLANs. As a device enters the network, it automatically assumes the VLAN membership of the port to which it is attached. “The default VLAN for every port in the switch is the management VLAN. The management VLAN is always VLAN 1 and may not be deleted.” This statement does not give the whole story. We will examine Management, Default and other VLANs at the end. All other ports on the switch may be reassigned to alternate VLANs. More on VLAN 1 later. . VLAN operation 172.30.1.21 255.255.255.0 VLAN 1 1 2 3 4 5 6 . Port 1 2 1 2 2 1 . VLAN Switch 1 172.30.2.12 255.255.255.0 VLAN 2 172.30.2.10 255.255.255.0 VLAN 2 172.30.1.23 255.255.255.0 VLAN 1 Two VLANs Ÿ Two Subnets Important notes on VLANs: 1. VLANs are assigned on the switch port. There is no “VLAN” assignment done on the host (usually). 2. In order for a host to be a part of that VLAN, it must be assigned an IP address that belongs to the proper subnet. Remember: VLAN = Subnet . VLAN operation Dynamic membership VLANs are created through network management software. (Not as common as static VLANs) CiscoWorks 2000 or CiscoWorks for Switched Internetworks is used to create Dynamic VLANs. Dynamic VLANs allow for membership based on the MAC address of the device connected to the switch port. As a device enters the network, it queries a database within the switch for a VLAN membership. Benefits of VLANs If a hub is connected to VLAN port on a switch, all devices on that hub must belong to the same VLAN. The key benefit of VLANs is that they permit the network administrator to organize the LAN logically instead of physically. Note: Can be done without VLANs, but VLANs limit the broadcast domains This means that an administrator is able to do all of the following: Easily move workstations on the LAN. Easily add workstations to the LAN. Easily change the LAN configuration. Easily control network traffic. Improve security. Without VLANs – No Broadcast Control ARP Request 172.30.1.21 255.255.255.0 Switch 1 172.30.2.12 255.255.255.0 172.30.2.10 255.255.255.0 172.30.1.23 255.255.255.0 No VLANs Ÿ Same as a single VLAN Ÿ Two Subnets • Without VLANs, the ARP Request would be seen by all hosts. • Again, consuming unnecessary network bandwidth and host processing cycles. With VLANs – Broadcast Control Switch Port: VLAN ID ARP Request 172.30.1.21 255.255.255.0 VLAN 1 Switch 1 172.30.2.12 255.255.255.0 VLAN 2 172.30.2.10 255.255.255.0 VLAN 2 172.30.1.23 255.255.255.0 VLAN 1 Two VLANs Ÿ Two Subnets 1 2 3 4 5 6 . Port 1 2 1 2 2 1 . VLAN VLAN Types . MAC address Based VLANs Rarely implemented. . Two Types of VLANs End-to-End or Campus-wide VLANs Geographic or Local VLANs . End-to-End or Campus-wide VLANs . Geographic or Local VLANs . End-to-End or Campus-wide VLANs End-to-End or Campus-wide VLANs Same VLAN/Subnet no matter what the location is on the network Trunking at the Core Usually not recommended by Cisco or other Vendors Adds complexity to network administration Does not resolve Layer 2 Spanning Tree issues Use to be recommended with routing at the Core was . End-to-End or Campus-wide VLANs The core layer router is being used to route between subnets (VLANs). The network is engineered, based on traffic flow patterns, to have 80 percent of the traffic contained within a VLAN. The remaining 20 percent crosses the router to . Geographic or Local VLANs Geographic or Local VLANs More common Routing at the core Different VLAN/Subnet depending upon location Geographic or Local VLANs As many corporate networks have moved to centralize their resources, end-to-end VLANs have become more difficult to maintain. Users are required to use many different resources, many of which are no longer in their VLAN. . Geographic or Local VLANs This geographic location can be as large as an entire building or as small as a single switch inside a wiring closet. In a VLAN structure, it is typical to find the new 20/80 rule in effect. 80 percent of the traffic is remote to the user and 20 percent of the traffic is local to the user.