- All devices that reside in the same LAN are in the same broadcast domain. All devices connected to a switch normally reside in the same broadcast domain. However, a technology called VLAN allows a switch to create multiple broadcast domains.
- A Virtual LAN (VLAN) is a broadcast domain created by one or more switches. A switch creates VLANs by assigning its interfaces to different VLANs.
- Below are some benefits of implementing VLANs:
i) Allows logical grouping of users or devices based on their functions or departments instead of their physical locations.
ii) Reduces network overhead by limiting the size of each broadcast domain.
iii) Offers enhanced network security by keeping sensitive devices on a separate VLAN.
- VLAN trunking is used when a VLAN spans multiple switches. When a switch receives a frame from another switch, it uses the frame tag created by the other switch to identify the VLAN membership of the frame and forwards it out the ports associated with the corresponding VLAN.
Figure 7-1: Network Setup for VLAN Trunking
- When SW1 receives a broadcast from a device in VLAN 2, it adds a header (tag) to the frame and forwards it to SW2. SW2 then knows which interfaces it should forward the frame out of to reach all other members of VLAN 2. The VLAN identifier is removed when the frame is forwarded out an access link.
- Where is VLAN 1? VLAN 1 is the administrative VLAN, which is recommended for management purposes only, even though it can still be used for workgroup access.
- Catalyst switches support 2 VLAN encapsulation methods for inter-switch VLAN communication:
ISL – Inter-Switch Link:
i) Cisco-proprietary.
ii) Encapsulates the entire original frame with a new header and trailer (CRC), increasing the network overhead.
iii) Supports multiple spanning trees (one STP instance per VLAN) with PVST+.
iv) Does not have the concept of native VLAN.
IEEE 802.1Q:
i) Industry standard. Standardized by IEEE.
ii) Does not encapsulate the original frame. Adds a 4-byte tag to the original Ethernet header and a recalculated FCS to the trailer.
iii) Supports multiple spanning trees (one STP instance per VLAN) with PVST+ and 802.1s Multiple Spanning Tree Protocol (MSTP).
iv) Uses a native VLAN.
[Figure 7-1 labels: SW1 and SW2, each with ports 0/1–0/4 assigned to VLAN 2 and VLAN 3; trunk link between port 0/12 of SW1 and port 0/12 of SW2.]
- Both protocols utilize a 12-bit VLAN ID field, and hence support the same number of VLANs.
Figure 7-2: VLAN Identification and Encapsulation Formats
- Below are the trunking actions for the different switch port modes:
Switch Port Mode – Trunking Action
access – Never tries to trunk.
trunk – Permanent trunking mode; always becomes a trunk link even if the interface at the other end is not configured as a trunk port.
dynamic desirable – Trunks with trunk, dynamic desirable, and dynamic auto interfaces.
dynamic auto – Trunks with trunk and dynamic desirable interfaces.
Note: A trunk link will never be established if the interfaces at both ends of a link are configured in dynamic auto mode!
- The switchport nonegotiate interface subcommand prevents an interface from generating Dynamic Trunking Protocol (DTP) frames, which are used for trunking negotiation.
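The port-mode table and the nonegotiate note above describe the negotiation outcome from each port's point of view. The following Python model is an added example written for these notes (it is not Cisco code or output): operational_mode applies the table's rules to one port given its peer's mode, trunk_forms checks that both ends actually end up trunking, and audit_ports walks a constructed port list and flags ports whose trunking state still depends on DTP frames from whatever is plugged in. The PORTS list and its port names are constructed sample data.

```python
# Added example (not from the original notes): models the per-port outcome
# of the switch port modes in the table above, then audits a constructed
# list of ports for those that could still be negotiated into a trunk.

from typing import Dict, List, Tuple

MODES = ("access", "trunk", "dynamic desirable", "dynamic auto")


def operational_mode(local: str, remote: str) -> str:
    """Return 'trunk' or 'access': what the local port becomes given the remote port's mode."""
    for m in (local, remote):
        if m not in MODES:
            raise ValueError(f"unknown switchport mode: {m!r}")
    if local == "access":
        return "access"          # never tries to trunk
    if local == "trunk":
        return "trunk"           # permanent trunking mode, regardless of the peer
    if local == "dynamic desirable":
        return "trunk" if remote in ("trunk", "dynamic desirable", "dynamic auto") else "access"
    # dynamic auto: only trunks if the peer actively asks
    return "trunk" if remote in ("trunk", "dynamic desirable") else "access"


def trunk_forms(mode_a: str, mode_b: str) -> bool:
    """A usable trunk exists only when both ends end up in trunk mode
    (trunk against access is a mismatch, not a working trunk)."""
    return (operational_mode(mode_a, mode_b) == "trunk"
            and operational_mode(mode_b, mode_a) == "trunk")


def audit_ports(ports: List[Dict]) -> List[Tuple[str, str]]:
    """Flag ports whose trunking state depends on DTP frames from the attached device."""
    findings = []
    for p in ports:
        if p["mode"] in ("dynamic desirable", "dynamic auto"):
            findings.append((p["name"],
                             "negotiable: a peer in dynamic desirable mode would turn this port "
                             "into a trunk; end-host ports should use 'switchport mode access' "
                             "and 'switchport nonegotiate'"))
        elif not p.get("nonegotiate", False):
            findings.append((p["name"], "still generates DTP frames; add 'switchport nonegotiate'"))
    return findings


# Constructed port list (not real switch output)
PORTS = [
    {"name": "Fa0/1", "mode": "access", "nonegotiate": True},
    {"name": "Fa0/2", "mode": "dynamic auto", "nonegotiate": False},
    {"name": "Fa0/3", "mode": "dynamic desirable", "nonegotiate": False},
    {"name": "Fa0/12", "mode": "trunk", "nonegotiate": False},
]

if __name__ == "__main__":
    print(trunk_forms("dynamic auto", "dynamic auto"))        # False (the Note above)
    print(trunk_forms("dynamic desirable", "dynamic auto"))   # True
    for name, finding in audit_ports(PORTS):
        print(name, "-", finding)
```

The audit treats both dynamic modes as a finding because a port in either mode changes its behaviour based on what the attached device sends, which is exactly what the nonegotiate subcommand is meant to stop.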
- Per-VLAN Spanning Tree Plus (PVST+) allows each VLAN to have its own instance of spanning tree. Figure 7-3 shows 6 interfaces on 3 switches with 2 VLANs. STP parameters in each VLAN are configured to block different interfaces in the different spanning trees for VLAN 2 and VLAN 3 on SW3. SW3 would use the link to SW1 for traffic in VLAN 3 and the link to SW2 for traffic in VLAN 2. STP will converge to find a new path for a VLAN if one of the links fails.
Figure 7-3: Per-VLAN Spanning Tree Plus (PVST+)
- 802.1Q defines one VLAN on a trunk as the native VLAN, whose frames are not tagged. A switch recognizes a native VLAN frame when a frame without an 802.1Q tag is received from an 802.1Q trunk. ISL does not have this concept – every frame is encapsulated and has an ISL header.
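The 4-byte tag from the encapsulation comparison, the 12-bit VLAN ID field, the removal of the tag on an access link, and the native-VLAN rule just described can all be exercised on real bytes. The Python below is an added example for these notes (not Cisco code): build_frame inserts an 802.1Q tag after the source MAC, classify_frame reports what an 802.1Q trunk port would conclude about a frame (untagged frames land in the native VLAN), and strip_tag removes the tag as a switch does when forwarding out an access link. The tag layout (TPID 0x8100, then a 16-bit TCI holding a 3-bit PCP, a 1-bit DEI and the 12-bit VLAN ID) is standard 802.1Q that the notes do not spell out; the FCS trailer is not modelled, and the sample frames are constructed, not captured.

```python
import struct
from typing import Optional, Tuple

# Added example (not from the original notes): 802.1Q tag handling on raw
# Ethernet frames. Tag layout is standard 802.1Q; the FCS/CRC trailer that
# the notes mention is not modelled.

TPID_8021Q = 0x8100           # EtherType value that marks a 4-byte 802.1Q tag
MAX_VLAN_ID = (1 << 12) - 1   # 12-bit VLAN ID field: values 0..4095


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes,
                vlan_id: Optional[int] = None, pcp: int = 0) -> bytes:
    """Return an Ethernet frame; if vlan_id is given, insert a 4-byte 802.1Q
    tag between the source MAC and the EtherType."""
    if len(dst) != 6 or len(src) != 6:
        raise ValueError("MAC addresses must be 6 bytes")
    header = dst + src
    if vlan_id is not None:
        if not 0 <= vlan_id <= MAX_VLAN_ID:
            raise ValueError(f"VLAN ID {vlan_id} does not fit the 12-bit field")
        tci = ((pcp & 0x7) << 13) | (vlan_id & 0xFFF)   # DEI bit left at 0
        header += struct.pack("!HH", TPID_8021Q, tci)
    return header + struct.pack("!H", ethertype) + payload


def classify_frame(frame: bytes, native_vlan: int) -> Tuple[int, bool]:
    """Return (vlan_id, tagged) as an 802.1Q trunk port would see the frame.
    An untagged frame received on the trunk belongs to the native VLAN."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (tpid,) = struct.unpack("!H", frame[12:14])
    if tpid == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        (tci,) = struct.unpack("!H", frame[14:16])
        return tci & 0x0FFF, True
    return native_vlan, False


def strip_tag(frame: bytes) -> bytes:
    """Remove the 802.1Q tag, as a switch does when forwarding out an access link."""
    _, tagged = classify_frame(frame, native_vlan=0)
    if not tagged:
        return frame
    return frame[:12] + frame[16:]


# Constructed sample frames (not captured traffic)
DST = bytes.fromhex("ffffffffffff")        # broadcast
SRC = bytes.fromhex("001122334455")
PAYLOAD = bytes(46)                        # minimum-size dummy payload
UNTAGGED = build_frame(DST, SRC, 0x0800, PAYLOAD)
TAGGED_VLAN2 = build_frame(DST, SRC, 0x0800, PAYLOAD, vlan_id=2)

if __name__ == "__main__":
    print(classify_frame(TAGGED_VLAN2, native_vlan=1))   # (2, True)
    print(classify_frame(UNTAGGED, native_vlan=1))       # (1, False)
    print(len(TAGGED_VLAN2) - len(UNTAGGED))             # 4
    print(strip_tag(TAGGED_VLAN2) == UNTAGGED)           # True
```

classify_frame makes the native-VLAN point concrete: the VLAN an untagged frame ends up in is decided by the receiving trunk port's native VLAN setting, not by anything in the frame, so both ends of a trunk must agree on it.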
[Figure 7-2 labels: Original Frame – Dest, Src, Data, FCS. ISL – ISL Header (26 bytes), Encapsulated Ethernet Frame, ISL Trailer CRC (4 bytes). 802.1Q Tagged Frame – Dest, Src, Tag, Data, FCS.]
[Figure 7-3 labels: SW1, SW2, SW3; VLAN 3 Root Bridge (Odd VLANs) and VLAN 2 Root Bridge (Even VLANs); interface states Blocking – VLAN 3, Blocking – VLAN 2, Forwarding – VLAN 3, Forwarding – VLAN 2.]
Figure 7-4: Network Setup for Native VLAN
- Figure 7-4 shows the usage of the native VLAN. 2 PCs are connected to 2 separate switches. The organization would like to install an IP phone near each PC. Normal PCs do not understand 802.1Q, but the built-in switches in the IP phones do. The IP phones reside between the PCs and the switches, and the PCs and IP phones are assigned to different VLANs. All the switch ports are configured for 802.1Q while the PCs are placed in the native VLAN. The IP phones and switches can understand the 802.1Q traffic between them, and the IP phones simply forward the native VLAN traffic (frames without 802.1Q tags) between the PCs and the switches.
- Switches use the same switching logic when VLANs are implemented, but on a per-VLAN basis – there is a separate MAC address table for each VLAN. Hence, unicasts and broadcasts for a VLAN cannot be forwarded out ports in other VLANs.
- L2 switches are unable to forward traffic between VLANs. L3 to L7 switches are able to perform multilayer switching. Below are the available methods for passing traffic between VLANs:
L3 Forwarding using a Router
In the 1st option (Figure 7-5A), each router interface is connected to an access link to a VLAN of the switch. Each router interface's IP address would be the default gateway address for each host in that VLAN.
In the 2nd option (Figure 7-5B), instead of using a router interface for each VLAN, just a single Fast Ethernet interface that supports ISL or 802.1Q trunking is used, which allows all VLANs to communicate through one interface. This setup is also known as router-on-a-stick.
L3 Forwarding using an L3 switch
L3 switches are switches that have both L2 switching and L3 routing capabilities. Performing routing with an external router and with the internal processing of an L3 switch provides the same result. L3 switches are able to run routing protocols to build their routing table, and make forwarding decisions based on destination IP addresses.
[Figure 7-4 labels: PC1 – IP Phone 1 – SW1 and PC2 – IP Phone 2 – SW2; PCs in VLAN 1 (Native VLAN), IP phones in VLAN 2.]
Layer 4 Switching
(Content Switching)
L4 switches consider the information in the L4 headers when forwarding packets. The forwarding decision can be based on information in the L4 headers (typically the port numbers), the IP addresses (L3 forwarding), and even the MAC addresses. L4 switches support accounting by keeping track of the number of packets and bytes sent per TCP port number. Ex: A server farm consists of 2 replicated web servers and an FTP server. Clients' requests are directed to a single IP address which has been associated with all 3 servers. Packets destined to port 80 are switched to either of the web servers and packets destined to port 21 are switched to the single FTP server.
The first request of a client is directed to either web server, and subsequent connections from that client are switched to the same server. L4 switching requires more processing capacity than L3 switching.
NetFlow switching can be enabled on Cisco Catalyst switches to perform L4 (and network traffic) accounting.
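The server-farm example above (one shared IP address, port 80 to either web server, port 21 to the single FTP server, later connections from the same client pinned to the same server, packet and byte counts per TCP port) can be written out as a small dispatcher. This Python class is an added example for these notes, not code from any Cisco product: L4Switch.forward picks a server by destination port, keeps a per-client persistence table, and updates accounting counters; port_totals gives the per-port view. Round-robin as the first-request choice is an assumption (the notes only say "either of the web servers"), and the server names, client addresses and traffic list are constructed.

```python
import itertools
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Added example (not from the original notes): a minimal model of the L4
# switching scenario above. Round-robin selection for a client's first
# request is an assumption; all names and addresses are constructed.


class L4Switch:
    def __init__(self, pools: Dict[int, List[str]]):
        # pools maps a destination TCP port to the servers behind the shared IP
        self.pools = pools
        self._next = {port: itertools.cycle(servers) for port, servers in pools.items()}
        self._sticky: Dict[Tuple[str, int], str] = {}     # (client, port) -> chosen server
        # (server, port) -> [packets, bytes]
        self.counters: Dict[Tuple[str, int], List[int]] = defaultdict(lambda: [0, 0])

    def forward(self, client: str, dst_port: int, nbytes: int) -> Optional[str]:
        """Return the server this packet is switched to, or None if nothing
        behind the shared address listens on dst_port."""
        if dst_port not in self.pools:
            return None
        key = (client, dst_port)
        if key not in self._sticky:                 # first request: pick a server
            self._sticky[key] = next(self._next[dst_port])
        server = self._sticky[key]                  # later requests: same server
        counter = self.counters[(server, dst_port)]
        counter[0] += 1
        counter[1] += nbytes
        return server

    def port_totals(self) -> Dict[int, List[int]]:
        """Packets and bytes per TCP port number, the accounting the notes describe."""
        totals: Dict[int, List[int]] = defaultdict(lambda: [0, 0])
        for (_, port), (pkts, nbytes) in self.counters.items():
            totals[port][0] += pkts
            totals[port][1] += nbytes
        return dict(totals)


def demo() -> L4Switch:
    """Run the constructed traffic below through a 2 web + 1 FTP server farm."""
    sw = L4Switch({80: ["web1", "web2"], 21: ["ftp1"]})
    # Constructed traffic: (client, destination port, bytes)
    for client, port, size in [("10.0.0.1", 80, 500), ("10.0.0.2", 80, 500),
                               ("10.0.0.1", 80, 700), ("10.0.0.3", 21, 100),
                               ("10.0.0.3", 22, 100)]:
        print(client, port, "->", sw.forward(client, port, size))
    return sw


if __name__ == "__main__":
    print(demo().port_totals())   # {80: [3, 1700], 21: [1, 100]}
```

The persistence table is keyed on (client, port) so that a client's web and FTP sessions are tracked independently; a real L4 switch would also need to age these entries out, which this model leaves out.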
Layer 5 – Layer 7 Switching
(Content Switching)
Refers to the type of switching that is able to look into the application layer headers to make switching decisions. Also known as L7 switching, application layer switching, and content switching. It falls into a category of products called Content Delivery Networks (CDN).
Figure 7-5: L3 Forwarding using a Router
[Figure 7-5A labels: One interface for each VLAN – VLAN 2, VLAN 3, VLAN 4; the switch ports towards the router are configured with switchport mode access.]
[Figure 7-5B labels: Using only one interface – VLAN 2, VLAN 3, VLAN 4; the switch port towards the router is configured with switchport mode trunk.]