Virtual LAN
2017/5/25
1
VLAN
• What is a VLAN?
– In short, a VLAN is a way of using software to let a switch divide the network into "different broadcast domains".
• HOW?
– PCs that belong to different VLANs cannot communicate with each other through the switch.
– For network planners and administrators, a VLAN is another "tool", "concept" or "weapon" in addition to the traditional switch and router.
• A VLAN is not a "device"; achieving a VLAN still relies on switches and routers.
Differences between a traditional LAN architecture and a VLAN
VLAN (more details …)
• A VLAN is a logical grouping of network devices or users that are not restricted to a physical switch segment.
VLAN (more details …)
• The devices or users in a VLAN can be grouped by function, department, project team, application, and so on, regardless of their physical location or connection to the network.
• A VLAN creates a single broadcast domain that is not restricted to a physical segment and is treated like a subnet.
– Packets are only switched between ports that are designated for the same VLAN.
– VLAN setup is done in the switch by software.
Traditional LANs & broadcast domains
VLANs & Broadcast Domains
Relationship between ports, VLANs & broadcasts
• Each switch port can be assigned to a VLAN.
• Ports assigned to the same VLAN share broadcasts.
• Ports that do not belong to that VLAN do not share these broadcasts, which improves the overall performance of the network.
VLAN makes workstation additions, moves & changes easier
• Without VLANs, moving a user from one office to another might require a router to be reconfigured, changes to the patch cables in the wiring closet, and IP address reconfiguration on the host.
• A host connected to a VLAN-capable switch, however, simply stays in the same VLAN (i.e., the same broadcast domain and subnetwork), with no router changes, patch cable changes or IP address changes.
– This may not sound like a big deal when one host is moved, but when many hosts move over the course of a year the savings in time and trouble are tremendous.
VLAN Configuration
• How VLANs operate (or are configured)
– Static
• port-centric (port-based)
– Dynamic
Static (Port-Based/Centric) VLAN
Static (port-centric) VLAN
Port   1  2  3  4  5  6  …
VLAN   1  2  1  2  2  1  …
Port-Based/Centric
• Users are assigned by port.
• VLANs are easily administered.
• It provides increased security between VLANs.
• Packets do not "leak" into other domains.
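The port-to-VLAN table above, worked through as an added example (this is illustration code written for this page, not code from the slides or from any switch vendor). It models a switch whose ports are statically mapped to VLANs exactly as in the table and shows the two properties the slides state: a broadcast entering a port reaches only the other ports of the same VLAN, and a frame is never forwarded into another broadcast domain, even when the same MAC address has been learned there. The port map and MAC addresses are constructed sample values.

```python
"""Port-based (static) VLAN forwarding model.

Added illustration, not from the slides. Ports are statically mapped to
VLANs as in the slide's table (ports 1-6 -> VLANs 1,2,1,2,2,1; a
constructed sample). A frame entering a port is flooded or forwarded only
to ports in the same VLAN, so traffic never "leaks" into another
broadcast domain.
"""
from collections import defaultdict

BROADCAST = "ff:ff:ff:ff:ff:ff"

# Constructed sample: the port -> VLAN assignment shown on the slide.
PORT_VLAN = {1: 1, 2: 2, 3: 1, 4: 2, 5: 2, 6: 1}


class PortBasedVlanSwitch:
    def __init__(self, port_vlan):
        self.port_vlan = dict(port_vlan)
        # The MAC table is kept per VLAN: a MAC learned in VLAN 2 says
        # nothing about where to send a VLAN 1 frame for the same address.
        self.mac_table = defaultdict(dict)   # vlan -> {mac: port}

    def vlan_of(self, port):
        return self.port_vlan[port]

    def broadcast_domain(self, port):
        """All ports sharing the VLAN of `port`, i.e. one broadcast domain."""
        vlan = self.vlan_of(port)
        return sorted(p for p, v in self.port_vlan.items() if v == vlan)

    def forward(self, ingress_port, src_mac, dst_mac):
        """Return the sorted list of egress ports for one frame."""
        vlan = self.vlan_of(ingress_port)
        self.mac_table[vlan][src_mac] = ingress_port       # learn the source
        known = self.mac_table[vlan].get(dst_mac)
        if dst_mac == BROADCAST or known is None:
            # Broadcast or unknown unicast: flood, but only within this VLAN.
            return [p for p in self.broadcast_domain(ingress_port) if p != ingress_port]
        return [] if known == ingress_port else [known]


if __name__ == "__main__":
    sw = PortBasedVlanSwitch(PORT_VLAN)
    print("VLAN 1 broadcast domain:", sw.broadcast_domain(1))
    print("broadcast from port 1 reaches:", sw.forward(1, "aa", BROADCAST))
    print("broadcast from port 2 reaches:", sw.forward(2, "bb", BROADCAST))
    # "aa" was learned in VLAN 1 only; a VLAN 2 frame for it is flooded in VLAN 2.
    print("port 4 -> aa:", sw.forward(4, "dd", "aa"))
```

Running the block prints the VLAN 1 broadcast domain `[1, 3, 6]` and shows that a frame from port 4 addressed to a MAC known only in VLAN 1 is flooded to ports 2 and 5 rather than delivered to port 1.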
Dynamic VLAN
A Scenario …
A small college
Faculty & student LANs, each with different security features
A year later …
What if we still want each to have different security features?
VLAN can come to the rescue …
More details …
Benefits of VLAN
Security
• Groups that have sensitive data are separated from the rest of the network, decreasing the chances of confidential information breaches.
– Faculty computers are on VLAN 10 and completely separated from student and guest data traffic.
More on Security with VLAN
• Restrict the number of users in a VLAN group.
• Prevent another user from joining without first receiving approval from the VLAN network management application.
• Configure all unused ports to a default low-service VLAN.
Cost reduction
• Cost savings result from less need for expensive network upgrades and more efficient use of existing bandwidth and uplinks.
Higher performance
• Dividing flat Layer 2 networks into multiple logical workgroups (broadcast domains) reduces unnecessary traffic on the network and boosts performance.
Broadcast storm mitigation
• Dividing a network into VLANs reduces the number of devices that may participate in a broadcast storm.
Improved IT staff efficiency
• VLANs make it easier to manage the network because users with similar network requirements share the same VLAN.
• When you provision a new switch, all the policies and procedures already configured for the particular VLAN are implemented when the ports are assigned.
• It is also easy for the IT staff to identify the function of a VLAN by giving it an appropriate name.
Simpler project or application management
• VLANs aggregate users and network devices to support business or geographic requirements.
• Having separate functions makes managing a project or working with a specialized application easier.
Types of VLAN
• Data VLAN
• Default VLAN
• Native VLAN
• Management VLAN
• Voice VLAN
Data VLAN
• A data VLAN is a VLAN that is configured to carry only user-generated traffic.
• A VLAN could carry voice-based traffic or traffic used to manage the switch, but this traffic would not be part of a data VLAN.
– It is common practice to separate voice and management traffic from data traffic.
• A data VLAN is sometimes referred to as a user VLAN.
Default VLAN
• All switch ports become members of the default VLAN after the initial boot-up of the switch.
– Having all the switch ports participate in the default VLAN makes them all part of the same broadcast domain.
• The default VLAN for Cisco switches is VLAN 1.
– VLAN 1 has all the features of any VLAN, except that you cannot rename it and you cannot delete it.
– Layer 2 control traffic, such as CDP and spanning tree protocol traffic, will always be associated with VLAN 1; this cannot be changed.
– VLAN 1 traffic is forwarded over the VLAN trunks connecting the S1, S2, and S3 switches.
– It is a security best practice to change the default VLAN to a VLAN other than VLAN 1.
Native VLAN
• A native VLAN is assigned to an 802.1Q trunk port.
• An 802.1Q trunk port supports traffic coming from many VLANs (tagged traffic) as well as traffic that does not come from a VLAN (untagged traffic).
– The 802.1Q trunk port places untagged traffic on the native VLAN.
• Native VLANs are set out in the IEEE 802.1Q specification to maintain backward compatibility with untagged traffic common to legacy LAN scenarios.
– It is a best practice to use a VLAN other than VLAN 1 as the native VLAN.
Management VLAN
• A management VLAN is any VLAN you configure to access the management capabilities of a switch.
– VLAN 1 would serve as the management VLAN if you did not proactively define a unique VLAN to serve as the management VLAN.
– You assign the management VLAN an IP address and subnet mask.
• A switch can be managed via HTTP, Telnet, SSH, or SNMP.
– Since the out-of-the-box configuration of a Cisco switch has VLAN 1 as the default VLAN, you see that VLAN 1 would be a bad choice as the management VLAN:
• you would not want an arbitrary user connecting to a switch to default to the management VLAN.
And, one more …
Voice VLAN details
VLAN Switch Port Modes
Static Mode Setup
Voice Mode Setup
The configuration command
# mls qos trust cos
(cos: class of service)
ensures that voice traffic is identified as priority traffic. Remember that the entire network must be set up to prioritize voice traffic.
By default, the Cisco IP Phone forwards the voice traffic with an 802.1Q priority of 5.
Voice VLAN Verification
Controlling broadcast w/o VLAN
Controlling broadcast with VLAN
Controlling Broadcast Domains with Switches and Routers
• Breaking up broadcast domains can be performed either with VLANs (on switches) or with routers.
• A router is needed any time devices on different Layer 3 networks need to communicate, regardless of whether VLANs are used.
VLAN Trunking
So far, we have mainly discussed VLANs within a single switch
When a VLAN spans two or more switches …
VLAN Trunking
Trunking?
(the telephone line analogy)
Trunking Concept
One physical link for each VLAN (10 VLANs would need 10 links → not practical)
With VLAN Trunking
VLAN Trunking
A trunk is a physical and logical connection between two switches across which network traffic travels.
Definition of a VLAN Trunk
• A trunk is a point-to-point link between one or more Ethernet switch interfaces and another networking device, such as a router or a switch.
– Ethernet trunks carry the traffic of multiple VLANs over a single link.
– A VLAN trunk allows you to extend the VLANs across an entire network.
– Cisco supports IEEE 802.1Q for coordinating trunks on Fast Ethernet and Gigabit Ethernet interfaces.
• A VLAN trunk does not belong to a specific VLAN; rather, it is a conduit for VLANs between switches and routers.
Trunking Mechanisms
• Frame Filtering
• Frame Tagging
– IEEE 802.1Q
Frame Filtering
Frame Tagging
IEEE 802.1Q Frame Format
(figure labels: Re-Calculated FCS; VLAN ID (12-bit))
802.1Q Frame Tagging
VLAN Trunk
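The 802.1Q frame format above, and the native VLAN rule from the earlier "Native VLAN" slide, worked through as one added example (illustration code written for this page, not code from the slides, the IEEE standard or any vendor). It builds an untagged Ethernet frame, inserts the 4-byte 802.1Q tag (TPID 0x8100 followed by the 16-bit Tag Control Information: 3-bit PCP, 1-bit DEI, 12-bit VLAN ID) between the source MAC and the EtherType, and recomputes the FCS, since the original FCS no longer covers the modified bytes. `trunk_ingress_vlan` then shows what a trunk port does with a received frame: the tag's VID if tagged, the port's native VLAN if untagged. MAC addresses and payloads are constructed sample values; PCP 5 is the default voice priority the slides mention.

```python
"""IEEE 802.1Q tagging, parsing, FCS recalculation and native-VLAN handling.

Added illustration, not from the slides. Builds an untagged frame, inserts
the 4-byte 802.1Q tag after the source MAC and recalculates the FCS;
trunk_ingress_vlan() places untagged frames on the native VLAN.
Sample MACs and payloads are constructed.
"""
import struct
import zlib

TPID_8021Q = 0x8100
BROADCAST = bytes.fromhex("ffffffffffff")


def fcs(frame_without_fcs: bytes) -> bytes:
    """Ethernet FCS: CRC-32 over everything from the destination MAC to the
    end of the payload, transmitted least-significant byte first."""
    return struct.pack("<I", zlib.crc32(frame_without_fcs) & 0xFFFFFFFF)


def fcs_ok(frame: bytes) -> bool:
    """True when the trailing 4 bytes match the CRC of the rest of the frame."""
    return len(frame) >= 18 and fcs(frame[:-4]) == frame[-4:]


def build_untagged(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    body = dst + src + struct.pack("!H", ethertype) + payload
    return body + fcs(body)


def tag_frame(frame: bytes, vid: int, pcp: int = 0, dei: int = 0) -> bytes:
    """Insert an 802.1Q tag into an untagged frame and recalculate the FCS.
    VID 0 (priority-only) and 4095 are reserved by 802.1Q, so they are rejected."""
    if not 1 <= vid <= 4094 or not 0 <= pcp <= 7 or dei not in (0, 1):
        raise ValueError("802.1Q field out of range")
    if not fcs_ok(frame):
        raise ValueError("input frame has a bad FCS")
    tci = (pcp << 13) | (dei << 12) | vid          # Tag Control Information
    tag = struct.pack("!HH", TPID_8021Q, tci)
    body = frame[:12] + tag + frame[12:-4]          # keep MACs, drop old FCS
    return body + fcs(body)


def parse(frame: bytes) -> dict:
    """Decode a frame. Tagged frames report vid/pcp/dei; untagged report None."""
    if not fcs_ok(frame):
        raise ValueError("bad FCS")
    dst, src = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == TPID_8021Q:
        if len(frame) < 22:                          # 12 + 4 tag + 2 type + 4 FCS
            raise ValueError("tagged frame too short")
        tci, inner = struct.unpack("!HH", frame[14:18])
        return {"dst": dst, "src": src, "vid": tci & 0x0FFF, "pcp": tci >> 13,
                "dei": (tci >> 12) & 1, "ethertype": inner, "payload": frame[18:-4]}
    return {"dst": dst, "src": src, "vid": None, "pcp": None, "dei": None,
            "ethertype": ethertype, "payload": frame[14:-4]}


def trunk_ingress_vlan(frame: bytes, native_vlan: int) -> int:
    """VLAN a trunk port assigns to a received frame: the tag's VID if tagged,
    otherwise the port's native VLAN (untagged traffic is never VLAN-less)."""
    vid = parse(frame)["vid"]
    return native_vlan if vid is None else vid


if __name__ == "__main__":
    untagged = build_untagged(BROADCAST, bytes.fromhex("001122334455"), 0x0800, b"hello")
    tagged = tag_frame(untagged, vid=99, pcp=5)
    print(parse(tagged))
    print("untagged frame on a trunk with native VLAN 99 ->", trunk_ingress_vlan(untagged, 99))
```

The length check in `parse` matters: a frame whose EtherType field happens to read 0x8100 but which is too short to hold a tag would otherwise have its FCS bytes decoded as a VLAN ID. The native-VLAN function is also why the "Native VLAN mismatches" slide later calls the mismatch a security risk: the same untagged frame is assigned a different VLAN on each end of the trunk.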
Trunk Configuration
Dynamic Trunking Protocol (DTP) is a Cisco proprietary protocol. Switches from other vendors do not support DTP. DTP is automatically enabled on a switch port when certain trunking modes are configured on the switch port.
DTP manages trunk negotiation only if the port on the other switch is configured in a trunk mode that supports DTP.
Configuring VLAN & Trunk
VLAN ID Ranges
Create a VLAN
Command Syntax
Add a VLAN
Add a VLAN - verification
Assign a Switch Port
Command Syntax
Assign a Switch Port
Delete a Switch Port - verification
Port Memberships Deletion
Verify VLANs and Port Memberships
Command Syntax
Verify VLANs and Port Memberships
Configure Trunking
Command Syntax
Configure an 802.1Q Trunk Topology
Configure an 802.1Q Trunk example
Configure an 802.1Q Trunk verification
Reset Trunking
Common Problems with Trunks
Native VLAN mismatches
• Trunk ports are configured with different native VLANs
– for example, if one port has defined VLAN 99 as the native VLAN and the other trunk port has defined VLAN 100 as the native VLAN.
• This configuration error
– generates console notifications, causes control and management traffic to be misdirected, and poses a security risk.
Trunk mode mismatches
• One trunk port is configured with trunk mode "off" and the other with trunk mode "on".
– This configuration error causes the trunk link to stop working.
Allowed VLANs on trunks
• The list of allowed VLANs on a trunk has not been updated with the current VLAN trunking requirements. In this situation, unexpected traffic or no traffic is being sent over the trunk.
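The three trunk problems above, turned into a consistency check as an added example (illustration code written for this page, not code from the slides or from Cisco). Each end of a trunk link is described by a plain dict of constructed sample values; the keys `name`, `mode`, `native` and `allowed` are this example's own shorthand, not IOS keywords. The checker reports native VLAN mismatches, trunk mode mismatches and allowed-VLAN lists that disagree, and additionally flags native VLAN 1, which the earlier slides advise against. Beyond the on/off case the slide gives, it also reports two "auto" ends, which never negotiate a trunk because each side only answers a request.

```python
"""Trunk-consistency check for the three problems the slides list.

Added illustration, not from the slides. Each end of a trunk is a dict with
constructed sample values; the keys are this example's own shorthand, not
IOS keywords. An operator would run such a check against both sides'
configurations before trusting the link.
"""


def expand_vlan_list(spec: str) -> set:
    """Expand an allowed-VLAN spec such as "1,10,20-22,99" into a set of IDs."""
    vlans = set()
    for part in spec.replace(" ", "").split(","):
        if not part:
            continue
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            if lo > hi:
                raise ValueError(f"bad VLAN range {part!r}")
            vlans.update(range(lo, hi + 1))
        else:
            vlans.add(int(part))
    if any(not 1 <= v <= 4094 for v in vlans):
        raise ValueError("VLAN ID outside 1-4094")
    return vlans


def check_trunk(side_a: dict, side_b: dict) -> list:
    """Return human-readable problems for one trunk link (empty if consistent)."""
    problems = []
    # 1. Native VLAN mismatch: the same untagged frame enters one VLAN on side A
    #    and a different VLAN on side B, so control/management traffic is misdirected.
    if side_a["native"] != side_b["native"]:
        problems.append(f"native VLAN mismatch: {side_a['name']} uses {side_a['native']}, "
                        f"{side_b['name']} uses {side_b['native']}")
    # 2. Trunk mode mismatch: "off" on one end and "on" on the other brings the
    #    trunk down; two "auto" ends never negotiate a trunk either.
    modes = {side_a["mode"], side_b["mode"]}
    if modes == {"off", "on"} or modes == {"auto"}:
        problems.append(f"trunk mode mismatch: {side_a['name']} is {side_a['mode']}, "
                        f"{side_b['name']} is {side_b['mode']}")
    # 3. Allowed VLAN lists: a VLAN permitted on one end but not the other never
    #    crosses the link, which shows up as missing or unexpected traffic.
    a, b = expand_vlan_list(side_a["allowed"]), expand_vlan_list(side_b["allowed"])
    if a != b:
        problems.append(f"allowed VLAN mismatch: only on {side_a['name']}: {sorted(a - b)}, "
                        f"only on {side_b['name']}: {sorted(b - a)}")
    # Best practice from the slides: do not leave VLAN 1 as the native VLAN.
    for side in (side_a, side_b):
        if side["native"] == 1:
            problems.append(f"{side['name']}: native VLAN is 1; use a dedicated native VLAN")
    return problems


if __name__ == "__main__":
    # Constructed sample matching the slide's example: native 99 vs native 100.
    s1 = {"name": "S1 Fa0/1", "mode": "on", "native": 99, "allowed": "10,20,30,99"}
    s3 = {"name": "S3 Fa0/3", "mode": "on", "native": 100, "allowed": "10,20-30,99"}
    for problem in check_trunk(s1, s3):
        print("-", problem)
```

Run stand-alone, the block reports the native VLAN mismatch (99 vs 100) and the allowed-list difference (VLANs 21 to 29 permitted only on the S3 side); aligning both fields makes `check_trunk` return an empty list.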
Troubleshooting – Native VLAN Mismatches
Troubleshooting – S3 configuration
Troubleshooting – Solution
Troubleshooting – Trunk Mode Mismatches
Troubleshooting – S1 & S3 configuration
Troubleshooting – Solution
Troubleshooting – Incorrect VLAN List
Troubleshooting – S1 & S3 configuration
Troubleshooting – Solution
Troubleshooting – VLAN and IP Subnets
Troubleshooting – S1 & S3 configuration
Troubleshooting – Solution