VLAN Concepts and Applications
When you plug a bunch of PCs into a switch and give them all IP addresses in the same network, you create a LAN. A VLAN is a Virtual LAN. The difference is that with VLANs, you still connect all the PCs to a single switch, but you make the switch behave as if it were multiple, independent switches. Each VLAN is its own broadcast domain and IP subnet. In this way, you get the ability to use switches to segment broadcast domains, which up to this point was possible only with routers. Figure 12.7 illustrates a simple VLAN configuration:
Figure 12.7 VLANs provide a logical segmentation of broadcast domains.
The Definition of a VLAN
A VLAN can be defined as a virtual broadcast domain. Instead of segmenting the broadcast domain with routers at Layer 3, you segment using switches at Layer 2. Each VLAN should be associated with its own IP subnet. (No, this is not technically a requirement, but you really want to do it this way!)
Benefits of VLANs
The advantages of using VLANs are as follows:
- VLANs increase the number of broadcast domains while reducing their size; this is the same effect that routers have, but without the need to buy a lot of routers or a big router with a lot of ports, so it's less expensive and easier to administer.
- VLANs provide an additional layer of security: No device in any VLAN can communicate with a device in any other VLAN until you deliberately configure a way for it to do so. An example might be a server in VLAN 10 that holds sensitive employee files for HR; no PCs from other VLANs can access VLAN 10 (or the server in it), unless you specifically configure it to do so.
- VLANs are flexible in terms of how they are used in network equipment: Imagine a building that has LAN cabling and a single switch installed, but four different tenants. You can create four different VLANs, one for each tenant, and no tenant will see or hear from the other tenants on the other VLANs.
- VLANs can span across multiple switches using trunk links. This allows you to create a logical grouping of network users by function instead of location. If you want all the marketing people to be in their own broadcast domain and IP subnet, you can create a VLAN for them on the first switch; then, you can connect another switch using a trunk link, define the same VLAN on that switch, and the marketing users on the second switch are in the same VLAN and can communicate with the marketing users on the first switch, and are isolated from other VLANs on both switches. This capability can be extended across an enterprise network campus, so that marketing users in the Whitaker Pavilion could in theory be in a VLAN with other marketing users in the Valentine Pavilion.
- The ability to trunk VLANs across multiple switches makes adding users, moving users, and changing users' VLAN memberships much easier.
Figure 12.8 illustrates a multi-switch VLAN system.
Figure 12.8 VLANs over trunk links allow a logical grouping of users by function.
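To make the two claims in the list above concrete (a VLAN is its own flooding domain, and a trunk link extends that domain to a second switch without merging it with other VLANs), here is a small Python model of two switches joined by one trunk. It is an added illustration, not code from the book and not Cisco software; the switch names, port names, host names and MAC addresses are all made up. It goes slightly beyond the text in that it also keeps a per-VLAN MAC table, so you can see that even a known unicast destination is only reachable inside its own VLAN. Spanning tree is not modeled, so the topology must be loop-free.

```python
from dataclasses import dataclass

BROADCAST = "ffff.ffff.ffff"   # broadcast MAC in Cisco dotted notation


@dataclass(frozen=True)
class Frame:
    src: str   # source MAC
    dst: str   # destination MAC


class Switch:
    """Toy Layer 2 switch: each VLAN is a separate flooding domain with its own MAC table."""

    def __init__(self, name):
        self.name = name
        self.access_ports = {}   # port -> VLAN id (what 'switchport access vlan N' sets)
        self.trunk_ports = {}    # port -> (peer Switch, peer port); carries every VLAN, tagged
        self.hosts = {}          # access port -> (host name, MAC)
        self.mac_table = {}      # (vlan, mac) -> port, learned from source addresses

    def add_host(self, port, vlan, host, mac):
        self.access_ports[port] = vlan
        self.hosts[port] = (host, mac)

    def connect_trunk(self, port, peer, peer_port):
        self.trunk_ports[port] = (peer, peer_port)
        peer.trunk_ports[peer_port] = (self, port)

    def forward(self, ingress, vlan, frame, delivered):
        """Forward a frame that arrived on `ingress` and belongs to `vlan`; record host deliveries."""
        self.mac_table[(vlan, frame.src)] = ingress        # learning is per VLAN
        known = self.mac_table.get((vlan, frame.dst))
        if known == ingress:
            return                                          # destination sits behind the ingress port: drop
        if known is not None:
            egress = [known]                                # known unicast: exactly one port
        else:
            # Unknown unicast or broadcast: flood, but only to this VLAN's access ports
            # plus the other trunks (the tag lets the peer keep the frame in the same VLAN).
            egress = [p for p, v in self.access_ports.items() if v == vlan and p != ingress]
            egress += [p for p in self.trunk_ports if p != ingress]
        for port in egress:
            if port in self.trunk_ports:
                peer, peer_port = self.trunk_ports[port]
                peer.forward(peer_port, vlan, frame, delivered)
            else:
                delivered.add(self.hosts[port][0])


def send(switch, port, dst_mac):
    """A host on an access port transmits; returns the set of host names that received the frame."""
    _host, src_mac = switch.hosts[port]
    vlan = switch.access_ports[port]       # the access port decides the VLAN of untagged frames
    delivered = set()
    switch.forward(port, vlan, Frame(src_mac, dst_mac), delivered)
    return delivered


def build_campus():
    """Constructed two-switch topology; every name and MAC here is invented for the example."""
    s1, s2 = Switch("2960-A"), Switch("2960-B")
    s1.add_host("Fa0/8", 10, "hr-pc1", "0000.0000.0a01")
    s1.add_host("Fa0/13", 20, "mkt-pc1", "0000.0000.1401")
    s2.add_host("Fa0/2", 20, "mkt-pc2", "0000.0000.1402")
    s2.add_host("Fa0/3", 30, "eng-pc1", "0000.0000.1e01")
    s1.connect_trunk("Gi0/1", s2, "Gi0/1")
    return s1, s2


if __name__ == "__main__":
    s1, s2 = build_campus()
    print("marketing broadcast reaches:", send(s1, "Fa0/13", BROADCAST))      # {'mkt-pc2'}
    print("HR broadcast reaches:", send(s1, "Fa0/8", BROADCAST))              # set()
    print("reply to mkt-pc1 reaches:", send(s2, "Fa0/2", "0000.0000.1401"))   # {'mkt-pc1'}
```

The first call shows the marketing broadcast crossing the trunk to the marketing host on the second switch while the HR and Engineering hosts never see it; the second shows an HR broadcast reaching nobody, because no other port on either switch is in VLAN 10; the third shows that once the second switch has learned the marketing host's MAC through the trunk, the reply is forwarded to that one port only. Inter-VLAN traffic would need a router or Layer 3 switch, which this model deliberately does not include.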
Implementing VLANs is done in three steps:
- Create the VLAN.
- Name the VLAN (this is optional but expected).
- Assign switch ports to the VLAN.
The commands to create a VLAN vary depending on the switch model and IOS version; we stick with the Catalyst 2960 using an IOS later than 12.1(9) as our example.
The command to create a VLAN is simply vlan [vlan_#]. To name the VLAN, the equally simple command is name [vlan_name]. These commands are entered starting at the Global Config prompt.
To create VLAN 10 named HR, VLAN 20 named Marketing, and VLAN 30 named Engineering, the commands look like this:
2960#configure terminal
2960(config)#vlan 10
2960(config-vlan)#name HR
2960(config-vlan)#vlan 20
2960(config-vlan)#name Marketing
2960(config-vlan)#vlan 30
2960(config-vlan)#name Engineering
2960(config-vlan)#exit
2960(config)#exit
2960#
The global config prompt changes to the config-vlan prompt when you create the first VLAN; it is okay to stay in that prompt to continue creating VLANs.
With these commands, you can create all your VLANs at once, or you can go back later and add some more as needed. The VLAN configuration (names and numbers) is not stored in the Running-Config or Startup-Config file in NVRAM; rather, it is stored in Flash memory in a special file called vlan.dat. This means that it is possible to erase the Startup-Config file, reload the router, and be confused by the reappearance of VLANs that you thought you just deleted. To delete VLANs, you can do it one at a time using the no vlan [vlan_#] command, or to get rid of all of them at once, you can use the command delete flash:vlan.dat, which erases and resets the entire VLAN database.
VLANs can exist without any ports actually being in them. Adding switch ports to a VLAN is done when you want to put a host into a particular VLAN. Obviously, you need to know which physical ports your hosts are connected to so that you can add the correct port to the correct VLAN; it would be an unpopular move to put a marketing user into the Engineering VLAN; these two groups are mutually hostile.
The commands to add a switch port to a VLAN are executed at the Interface Config prompt—if you think about that, it makes sense because you are putting the port itself into the VLAN. The command is switchport access vlan [vlan_#]. What you are saying is "this port shall access VLAN X."
The following example puts ports Fa0/8 into VLAN 10, Fa0/13 into VLAN 20, and Fa0/14 into VLAN 30:
2960#config t
2960(config)#interface fa0/8
2960(config-if)#switchport access vlan 10
2960(config-if)#int fa0/13
2960(config-if)#switchport access vlan 20
2960(config-if)#int fa0/14
2960(config-if)#switchport access vlan 30
2960(config-if)#exit
2960(config)#exit
2960#
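Because the VLAN database lives in vlan.dat while the port assignments live in the running configuration (see the note on deleting vlan.dat above), the two can drift apart, and a port can end up assigned to a VLAN that no longer exists, or a port can quietly land in a sensitive VLAN such as HR. The following Python audit, added here as an example and not taken from the book or from Cisco tooling, parses a constructed running-config excerpt and a constructed show vlan brief listing, builds the port-to-VLAN map, and reports both kinds of mismatch. The sample texts, the interface names and the "approved ports for VLAN 10" list are all invented for the example.

```python
import re

# Constructed excerpt of 'show running-config' (the port assignments).
SAMPLE_RUNNING_CONFIG = """\
!
interface FastEthernet0/8
 switchport access vlan 10
 switchport mode access
!
interface FastEthernet0/13
 switchport access vlan 20
!
interface FastEthernet0/14
 switchport access vlan 30
!
interface FastEthernet0/15
 switchport access vlan 40
!
interface FastEthernet0/16
 switchport access vlan 10
!
"""

# Constructed 'show vlan brief' listing (the VLAN database held in vlan.dat).
SAMPLE_SHOW_VLAN_BRIEF = """\
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
10   HR                               active    Fa0/8, Fa0/16
20   Marketing                        active    Fa0/13
30   Engineering                      active    Fa0/14
"""


def short_port(name):
    """Map the long interface names used in the config to the short form used by show commands."""
    return name.replace("FastEthernet", "Fa").replace("GigabitEthernet", "Gi")


def parse_access_ports(config):
    """Return {port: vlan_id} for every 'switchport access vlan' line under an interface."""
    ports, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = short_port(line.split(None, 1)[1].strip())
        elif current and line.strip().startswith("switchport access vlan "):
            ports[current] = int(line.split()[-1])
        elif line.strip() == "!":
            current = None            # '!' ends the interface block
    return ports


def parse_vlan_brief(output):
    """Return {vlan_id: name} from 'show vlan brief' output; header and rule lines are skipped."""
    vlans = {}
    for line in output.splitlines():
        m = re.match(r"^(\d+)\s+(\S+)\s+(\S+)", line)
        if m:
            vlans[int(m.group(1))] = m.group(2)
    return vlans


def audit(config, vlan_brief, approved_ports_by_vlan):
    """Report ports whose VLAN is missing from the database, and ports in a
    restricted VLAN that are not on that VLAN's approved list."""
    ports = parse_access_ports(config)
    vlans = parse_vlan_brief(vlan_brief)
    findings = []
    for port, vid in sorted(ports.items()):
        if vid not in vlans:
            findings.append(f"{port}: assigned to VLAN {vid}, which is not in the VLAN database "
                            f"(check vlan.dat; the port will not carry traffic until the VLAN exists)")
    for vid, approved in approved_ports_by_vlan.items():
        actual = {p for p, v in ports.items() if v == vid}
        for port in sorted(actual - approved):
            findings.append(f"{port}: in VLAN {vid} ({vlans.get(vid, '?')}) "
                            f"but not on the approved port list for that VLAN")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_RUNNING_CONFIG, SAMPLE_SHOW_VLAN_BRIEF, {10: {"Fa0/8"}}):
        print(finding)
```

Run against the constructed samples, the audit flags Fa0/15 (assigned to VLAN 40, which the database does not contain) and Fa0/16 (sitting in the HR VLAN although only Fa0/8 was approved). In practice you would feed it the real command output captured from the switch and keep the approved-port lists under change control, so that an unexpected port in a sensitive VLAN shows up the next time the audit runs.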
The commands in the previous section assign particular ports to a particular VLAN statically. (Static VLAN assignment is sometimes called port-based VLAN membership.) When a user changes ports (moves around the office or campus), you need to repeat the commands at the Switch(config-if)# prompt for the correct new interface. As you can imagine, if there are a lot of moves, this can become an administrative pain.
There is an alternative called Dynamic VLAN Membership. This feature allows you to dynamically assign VLAN membership to switch ports based on the MAC address of the host connecting to the port. You need a little service called the VLAN Membership Policy Server (VMPS) that holds a database of all the MAC addresses and the correct VLAN for each one; then you tell the switch ports to do dynamic VLAN assignment. When a host connects to a switch port configured to do Dynamic membership, the switch checks the MAC of the host and asks the VMPS what VLAN that MAC should be in. The switch then changes the VLAN membership of that port dynamically.
This sounds like a wonderful idea, and it can be, but it is difficult to create the VMPS database and to maintain it if your network grows quickly. Imagine having to get and maintain certain knowledge of every MAC address of every host in your network, and then keep the VMPS database updated. Dynamic VLAN membership is a good option if you have a lot of users in a lot of different VLANs moving around to many switch ports, but be ready to wrestle with some administrative issues.