VLAN Tutorial

NETWizz

Good Morning:

Earlier this year I indicated I would be making a VLAN tutorial. I think the purpose should be to bridge the gap from what the average IT person who probably focuses predominantly in an area of study other than network knows about VLANs to what a true network professional knows about VLANs.

First let's start off with what virtually every candidate I interviewed for a network administration position I had posted said... Basically, they rattled off the definition of a VLAN as a "Virtual Local Area Network" and described it as "like a private network." I found it interesting they ultimately gave the same answer they did when asked what a subnet is and how it works. To me this indicated the vast majority of folks were keyword interviewees, and they had little or no actual experience working with them and the many possible use cases.

You see, everyone pretty much knows that if you take a given network switch and divide its ports into different VLANs the traffic in each VLAN is isolated from the traffic in another VLAN... that essentially the device acts as if it were separate devices. Take a Cisco, Brocade, ProCurve etc. 48 port switch and put the first 24 ports into one VLAN and the next 24 into another VLAN and for all intents and purposes as far as most folks are concerned it behaves like two (2) logical 24-port switches. That is the extent of knowledge most IT folks have, and it is not to be condescending to them but because they predominantly focus in another area of study.

**************************

With VLANs there are a ton of terms that get thrown around, but they are not all well understood, and to make matters worse, different vendors use different terminology for the same thing, and achieve identical configuration parameters using completely different configuration methodologies even though their CLI language is virtually identical! One of the most confusing concepts, for example, is that of a default VLAN vs a native VLAN.

For example, in the Cisco world, you ultimately configure the VLAN membership(s) on a particular interface. In the Brocade, ProCurve etc. world it is the reverse, where you make interfaces a member of a particular VLAN... it achieves the same configuration but with a different methodology.

Either way it is critical that people know how VLANs work AND the terminology as well or they end up with crazy problems they created such as this gentleman I helped out:
http://community.brocade.com/t5/Eth...s/two-ports-on-same-vlan-wont-talk/td-p/90184

My response was here:
http://community.brocade.com/t5/Eth...orts-on-same-vlan-wont-talk/td-p/90184/page/2


*************
First let's talk about the OSI Model:

Most of my job is dealing with the lower four layers.

1. Physical <== Everyone says this is the wiring. It is, and more, such as the media types like 10BaseT, 1000BaseT, 1000BaseSX, 10GBaseSR, etc. (Basically, your speed and duplex stuff go here.)
2. Data Link <== This is where your Layer-2 switches operate. It is point A to point B, MAC address to MAC address communication. Switches are just smarter than hubs and create and maintain an ARP table such that when transmitting to an unknown client they do an ARP broadcast then populate the ARP table dynamically. A can talk to B while C talks to D without saturating the bandwidth or experiencing collisions. These are called FRAMES.
3. Network <== This is where Layer-3 routing takes place. This is your source and destination IP addresses. NAT for example would edit the packets, potentially changing the values in these fields. Standard Access Control Lists work here; routers receive packets and ultimately consult routing tables and pick the best destination based on administrative distance metrics. These datagrams are referred to as PACKETS.
4. Transport <== This is where TCP, UDP, and other transport protocols like ICMP function. TCP and UDP have ports, which are a 16-bit unsigned integer (i.e. 0 to 65,535). Everyone talks as if there are 65,535 ports total... well, there are really 65,535 UDP ports, AND there are 65,535 TCP ports. That is, TCP port 80 is unique from UDP port 80 because they are an entirely different protocol. ICMP actually does NOT have ports but rather flags like "destination network unreachable." It still functions at the transport layer. We use the term SEGMENTS to describe the datagrams here. Something that might make a change to a SEGMENT might be PAT (port address translation).
5. Session
6. Presentation
7. Application

Inner Workings:

Important: The VLAN is a field of a Layer-2 Frame (just like the Source and Destination MAC addresses). FRAMES are NOT routable via layer-3 (unless of course you go way out of your way to encapsulate the frames into layer-3 packets). Each time a FRAME moves from a switch interface to another switch interface, the existing FRAME is stripped off (leaving the packet Layer-3 and higher layers within the packet i.e. 4 - 7 unchanged). The switch then re-encapsulates that packet into a new FRAME and transmits it via the appropriate interface toward another switch. Specifically each of these Layer-2 transmissions results in the source and destination MAC addresses being re-written, and that is the basic switching process.

Where VLANs come into play is each switch has completely separate memory space for each VLAN. Any given FRAME can be a member of ONLY one VLAN. There is only one field for a VLAN tag on any given FRAME. That field can be populated 1 to 4095 OR it can be left blank.


*****************************

I am going to start with terminology... Specifically Cisco's

****************************

Okay, Cisco uses two (2) types of interfaces (as does everyone else)... Cisco calls theirs: Trunk ports and Access ports. This is Cisco's terminology.

On a Cisco device the configuration to create a VLAN instance in memory is:

Switch(config)# vlan 123
Switch(config-vlan)# name Technibble


In the configuration it will look like this:

vlan 123
name Technibble
!


Now you can make an interface a member of a VLAN as an Access port (for connecting devices like computers, servers, printers, etc.) What is important is to recognize these devices transmit with the VLAN field blank/empty unless you go out of your way to make a change on the Ethernet adapter.

To make a particular interface a member of that VLAN as an Access Port it works like this on Cisco:

Switch(config)# int gig 0/1
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 123


Again, you can make a port an access port for only one (1) VLAN because there is only one type of empty null value.

That is, any traffic coming into GigabitEthernet0/1 without a VLAN tag will become a member of VLAN 123. Any traffic being transmitted for VLAN 123 will be transmitted (without a VLAN tag) on GigabitEthernet0/23, at least with respect to ARP and PVST+ (Per VLAN Spanning Tree).


********************

Now here is where it gets more interesting... Cisco's terminology TRUNK.

A Trunk port simply receives and transmits WITH a VLAN tag. It can be a member of multiple VLANs because it can transmit frames with say VLAN 123 and VLAN 2 even though any given FRAME it transmits can belong to only one VLAN.

Configuration example:

Switch(config)# int gig 0/48
Switch(config-if)# switchport trunk encapsulation dot1q
Switch(config-if)# switchport mode trunk
Switch(config-if)# switchport trunk allowed vlan 2,123


That same FRAME above that was a member of VLAN 123 would be transmitted on GigabitEthernet0/48 with respect to ARP, PVST+ etc. The difference is that should a FRAME be transmitted from VLAN 123 on this port, it WILL have the VLAN field set to 123 before being transmitted across the trunk. The receiving switch on the other side of the trunk will read this VLAN number and put the frame into the appropriate VLAN memory space when received. If it then transmits it to, say, a server, the receiving switch will surely have another access port configured within VLAN 123 whereby it will send it without a TAG to the server.


Important Take Aways: dot1q is Cisco speak for 802.1q, and it is the industry standard. The only other choice I know of is ISL, which is proprietary Cisco, and hopefully nobody uses it even on Cisco. If they do there would be no interoperability between Cisco and Other Vendors. In contrast 802.1q is vendor agnostic. It is important to also recognize that should a FRAME arrive with no VLAN tag specified OR not be for VLAN 2 or VLAN 123, the frame will get dropped.

It is important to therefore please take notice that an Access Port and a plain Trunk Port will NOT communicate with each other!

****************

Now let us touch on the terminology used by many other, non-Cisco vendors: TAGGED and UNTAGGED ports.

Essentially a TAGGED port is synonymous with a TRUNK port, and an UNTAGGED port is synonymous with an ACCESS port.


Okay, so I do a TON with Brocade, which is virtually identical to HP ProCurve...

Here would be the BROCADE equivalent of the above CISCO configuration:


vlan 1 name DEFAULT-VLAN by port
!
vlan 2 name Something by port
tagged ethe 1/1/48
!
vlan 123 name Technibble by port
tagged ethe 1/1/48
untagged ethe 1/1/1
!


**************
NATIVE and DEFAULT VLANs
**************

What is the difference?

A Default VLAN is nothing but a parking space.

A Default VLAN is nothing more than the VLAN the interfaces belong to by default. Hence, if you delete a VLAN, by default the interfaces return to the default VLAN. On every device and vendor I know the default is VLAN .

A NATIVE VLAN is where FRAMES in this VLAN are untagged when sent across a trunk.

They are the same as what BROCADE calls a dual-mode port. The definition is that a dual-mode port allows it to accept and transmit both tagged traffic and untagged traffic.


Okay, so what does this mean exactly?

Well, let's say you have all your traffic on your Technibble VLAN 123 as access ports:

vlan 123 name Technibble by port
untagged ethe 1/1/1 to 1/1/48
!


Let's instead say you want to have VOICE traffic on VLAN 500 as well as your Technibble DATA traffic on VLAN 123:

vlan 123 name Technibble by port
tagged ethe 1/1/1 to 1/1/48
!
vlan 500 Voice by port
tagged ethe 1/1/1 to 1/1/48
!

interface ethernet 1/1/1
dual-mode 123
!
...< truncated for brevity>...

interface ethernet 1/1/48
dual-mode 123
!



What this would do is make it such that any VoIP device such as an IP phone would talk applying a VLAN TAG of 500 to the FRAMES. This would cause that traffic to become part of VLAN 500.

Now, any traffic without a tag (i.e. untagged traffic) would go into VLAN 123.


In CISCOland, a native VLAN statement would do the same thing.


*******************

There are numerous use cases. I have used them to trunk together Wireless Access points between different floors, separate voice and data, break out areas of data centers by usage, provide management security... etc.


Just remember they are NOT private when connected together via routing tables. Specifically, the FRAMES are stripped off at each Layer-3 Boundary at the instant in time routing happens; hence, on a Layer-3 switch you can easily communicate between the VLANs.

It would be like having a separate switch for DATA and a separate switch for VOICE, yet you then route the traffic for the different, associated subnets in the same routing-table space. Suddenly, you have full communication via the devices' IPs.
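The behaviour the tutorial walks through (untagged in on an access port, tagged out on a trunk, untagged out for the native/dual-mode VLAN, untagged dropped on a plain trunk, and a separate MAC table per VLAN) can be modelled in a few lines. This is an added example written for this page, not code from the original post or from any vendor; the port names, the "allowed 2,123" trunk and VLANs 123/500 mirror the configs above, while the MAC addresses and the "Gi0/3 call server" port are assumptions.

```python
# Added example (not from the original post): a small model of how access,
# trunk and native/dual-mode ports treat the single VLAN field of a frame.
# Port names and VLAN numbers mirror the tutorial's configs; the MAC
# addresses and the Gi0/3 "call server" access port are assumptions.
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Frame:
    src: str
    dst: str
    vlan: Optional[int] = None   # None == no 802.1Q tag on the wire


@dataclass
class Port:
    name: str
    mode: str                              # "access" or "trunk"
    access_vlan: int = 1
    allowed: List[int] = field(default_factory=list)
    native: Optional[int] = None           # trunk only: the VLAN carried untagged

    def ingress(self, frame: Frame) -> Optional[int]:
        """Classify an arriving frame into one VLAN; None means it is dropped."""
        if self.mode == "access":
            # untagged goes into the access VLAN; tagged frames are refused here
            # (some platforms also accept a tag equal to the access VLAN)
            return self.access_vlan if frame.vlan is None else None
        if frame.vlan is None:
            # untagged on a trunk only works if a native VLAN is configured
            return self.native if self.native in self.allowed else None
        return frame.vlan if frame.vlan in self.allowed else None

    def egress(self, vlan: int, frame: Frame) -> Optional[Frame]:
        """Rebuild the frame for transmission; None means not sent on this port."""
        if self.mode == "access":
            if vlan != self.access_vlan:
                return None
            return Frame(frame.src, frame.dst, None)          # access ports strip the tag
        if vlan not in self.allowed:
            return None
        tag = None if vlan == self.native else vlan          # native VLAN leaves untagged
        return Frame(frame.src, frame.dst, tag)


class Switch:
    def __init__(self, ports: List[Port]):
        self.ports = {p.name: p for p in ports}
        # MAC learning is keyed by (vlan, mac): each VLAN has its own table
        self.mac_table: Dict[tuple, str] = {}

    def forward(self, in_port: str, frame: Frame) -> Dict[str, Frame]:
        """Return {port_name: frame_as_transmitted} for one arriving frame."""
        vlan = self.ports[in_port].ingress(frame)
        if vlan is None:
            return {}
        self.mac_table[(vlan, frame.src)] = in_port
        known = self.mac_table.get((vlan, frame.dst))
        targets = [known] if known else list(self.ports)      # unknown dst: flood the VLAN
        out = {}
        for name in targets:
            if name == in_port:
                continue
            sent = self.ports[name].egress(vlan, frame)
            if sent is not None:
                out[name] = sent
        return out


def demo() -> Dict[str, Dict[str, Frame]]:
    sw = Switch([
        Port("Gi0/1", "access", access_vlan=123),                 # PC on the data VLAN
        Port("Gi0/2", "access", access_vlan=2),                   # some other VLAN
        Port("Gi0/3", "access", access_vlan=500),                 # assumed call server port
        Port("Gi0/48", "trunk", allowed=[2, 123]),                # plain trunk, no native VLAN
        Port("Gi0/47", "trunk", allowed=[123, 500], native=123),  # dual-mode: 123 untagged, 500 tagged
    ])
    results = {}
    # untagged frame from the PC: lands in VLAN 123, tagged on Gi0/48, untagged on Gi0/47
    results["pc"] = sw.forward("Gi0/1", Frame("00:00:00:00:00:01", "ff:ff:ff:ff:ff:ff"))
    # untagged frame arriving on the plain trunk: no native VLAN, so it is dropped
    results["untagged_on_trunk"] = sw.forward("Gi0/48", Frame("00:00:00:00:00:02", "ff:ff:ff:ff:ff:ff"))
    # IP phone on the dual-mode port tags 500: only the VLAN 500 access port hears it
    results["phone"] = sw.forward("Gi0/47", Frame("00:00:00:00:00:03", "ff:ff:ff:ff:ff:ff", 500))
    # reply for the PC arriving tagged 123 on the trunk: MAC already learned, unicast out untagged
    results["reply"] = sw.forward("Gi0/48", Frame("00:00:00:00:00:04", "00:00:00:00:00:01", 123))
    return results
```

The "untagged_on_trunk" case is the access-port-against-plain-trunk mismatch the tutorial warns about: with no native VLAN the untagged frame has nowhere to go. The "pc" case shows the same VLAN 123 frame leaving tagged on one trunk and untagged on the dual-mode trunk, which is exactly the native/dual-mode distinction.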
 
I'd picked up much of this in bits over the years but for me, as a generalist, it's great to read an expert's comprehensive explanation. Many thanks.

A note on voip that slots in to your guide (please correct if wrong):

several voip phone systems use special dhcp options in the default vlan that tell the phone what vlan it should be on. So the phone boots on the default vlan, gets an IP and notice of which vlan it should be on from a dhcp server in the default vlan, the phone restarts its network stack using the vlan tag it was told and consequently gets a new IP and further provisioning info from a different dhcp server scope in the voip vlan and voila - handset can talk to the phone system.

Voip vlan traffic can then be prioritised over other data.
 
Wow, very educational! Thanks! Needed three cups of coffee to read all that! Lol
 

You are absolutely spot-on. Another man with real experience!


Yes, predominantly I use Avaya in our deployments. On that, I would add DHCP Option 242 to the DHCP subnet running within the above VLAN 123.

Essentially, it is a string and I think I just set this L2QVLAN=500


Basically, if you take a new phone out of the box and boot it, the phone puts untagged (traffic with no VLAN tag set) onto the wire, pulls an IP, is instructed to change to a different VLAN... does so and reboots. Pulls an IP from whatever subnet scope is running within VLAN 500. Then there are arguments for booting the phone. I think it was also option 242, which is a vendor specific string for Avaya. The arguments within the VoIP subnet DHCP is basically a pointer to the call server. MCIPADD=10.1.2.3 or whatever... You can use all sorts of other settings like ports, settings locations to be pulled from an HTTP server etc. Generally, I just let the call server setup everything else at that point.
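The two-stage boot described in this reply (DHCP untagged, read option 242, re-DHCP tagged in the voice VLAN, then read the call server address) is easy to get wrong at the byte level, so here is an added example of parsing it. This is not code from the thread or from Avaya; the packets are constructed inline, the addresses are assumptions, and phone_boot() is a model of the sequence the reply describes rather than a captured exchange.

```python
# Added example, not from the thread: walk the DHCP options of a reply and pull
# out the Avaya-style option 242 string (L2QVLAN=..., MCIPADD=...) that tells a
# phone which VLAN to move to.  The packets are constructed here; the addresses
# and the two-stage phone_boot() model are assumptions, not a captured exchange.
import ipaddress

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # RFC 2132: options start right after it, at offset 236


def parse_dhcp_options(options: bytes) -> dict:
    """TLV walk: code 0 is a 1-byte pad with no length, code 255 ends the list."""
    out, i = {}, 0
    while i < len(options):
        code = options[i]
        if code == 0:
            i += 1
            continue
        if code == 255:
            break
        length = options[i + 1]
        out[code] = options[i + 2:i + 2 + length]
        i += 2 + length
    return out


def parse_avaya_242(value: bytes) -> dict:
    """b'L2QVLAN=500,MCIPADD=10.1.2.3' -> {'L2QVLAN': '500', 'MCIPADD': '10.1.2.3'}"""
    pairs = {}
    for item in value.decode("ascii", errors="replace").split(","):
        key, sep, val = item.partition("=")
        if sep:
            pairs[key.strip().upper()] = val.strip()
    return pairs


def voice_vlan_from_dhcp(packet: bytes):
    """VLAN the phone was told to tag with, or None if absent or not a usable VID."""
    if packet[236:240] != MAGIC_COOKIE:
        return None
    settings = parse_avaya_242(parse_dhcp_options(packet[240:]).get(242, b""))
    try:
        vid = int(settings.get("L2QVLAN", ""))
    except ValueError:
        return None
    return vid if 1 <= vid <= 4094 else None     # 0 = stay untagged, 4095 reserved


def build_offer(option_242: bytes) -> bytes:
    """Constructed DHCPOFFER: 236-byte fixed header, magic cookie, then options."""
    header = bytearray(236)
    header[0], header[1], header[2] = 2, 1, 6                       # BOOTREPLY, Ethernet, hlen 6
    header[16:20] = ipaddress.IPv4Address("10.1.23.50").packed      # yiaddr (assumed)
    options = bytes([53, 1, 2])                                      # message type = DHCPOFFER
    options += bytes([1, 4]) + ipaddress.IPv4Address("255.255.255.0").packed
    if option_242:
        options += bytes([242, len(option_242)]) + option_242
    return bytes(header) + MAGIC_COOKIE + options + b"\xff"


def phone_boot(data_vlan_offer: bytes, voice_vlan_offer: bytes) -> dict:
    """The two-stage boot described in the thread: DHCP untagged first; if
    option 242 names a VLAN, re-DHCP tagged in that VLAN and read the call
    server address from the second offer."""
    tag = voice_vlan_from_dhcp(data_vlan_offer)
    final = voice_vlan_offer if tag is not None else data_vlan_offer
    settings = parse_avaya_242(parse_dhcp_options(final[240:]).get(242, b""))
    return {"tag": tag, "call_server": settings.get("MCIPADD")}
```

The range check in voice_vlan_from_dhcp() matters: whatever a DHCP server hands out ends up in the phone's 802.1Q tag, so the phone should only act on a VID it can actually use.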
 

Thanks! Great post! IMHO not condescending at all.....very well written. I know for me, as a net tech "wanna be" :) it was very helpful.
This is so much of what I love about TN. How generous and non-condescending (is that a word?) members are here. Very much appreciated!!!
 
This was a great read! Not much of a network guy myself but hoping to get a home lab setup with some Cisco parts to learn from!
 
Nice tutorial, I think also a tutorial for Router on a Stick would be needed to make it more complete.

Okay, I will strongly consider making a tutorial, but I kind of feel it is getting to be deprecated with all of the Multilayer Switches (AKA Layer-3 switches), and as I suspect very strongly as you know it is just taking a router and creating a bunch of sub-interfaces under the physical interface such that it is on a stick (i.e. connected via one physical network cable) and using dot1q just like this tutorial above to trunk a bunch of VLANs from a Layer-2 switch into the router over a single cable. From then on it is just a bunch of Layer-3 router stuff that is no different than if you connected each VLAN via its own physical network cable to the router on individual physical interfaces, other than the fact you configure the sub-interfaces instead of physical interfaces. Regardless, on a stick or not, you would put IP addresses on some "interfaces" and this would automatically instantiate directly-connected networks within the default routing instance (default VRF) merely by virtue of assigning IPs and masks. That said, this day and age, it is generally easier to get a Multi-Layer switch, enable the "IP Routing" feature set and just create the SVIs directly on the switch (i.e. "interface vlan ####").

On a Layer-3 or MultiLayer switch, it would show the subnet reachable via whatever VLAN it is on within the switch when you use an SVI. Of course you could use another subnet or a physical interface instead of an SVI as well.


On a MultiLayer switch, it would look something like this:


switch# sh ip route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route

Gateway of last resort is not set

10.0.0.0/16 is subnetted, 1 subnets
C 10.2.0.0 is directly connected, Vlan200


******************

I think I might do my next tutorial on either IPSEC or Spanning-Tree to be honest
 
I am glad people are still reading this, so I will continue...

Someone above asked about special DHCP options to configure Voice VLANS.

What I often use is LLDP-MED (Link-Layer-Discovery-Protocol Media-EndPoint-Detection). What it does is use LLDP to announce the Voice VLAN:

On Brocade:

lldp med network-policy application voice tagged vlan 500 priority 5 dscp 46 ports ethe 1/1/1 to 1/1/48

SSH@SOMESWITCH# sh lldp local-info ports e 1/1/3

Local port: 1/1/3
+ Chassis ID (MAC address): 609c.9fea.1234
+ Port ID (MAC address): 609c.9fea.1234
+ Time to live: 120 seconds
+ System name : "SOMECOMPUTER"
+ Port description : "GigabitEthernet1/1/3"
+ System capabilities : bridge
Enabled capabilities: bridge
+ 802.3 MAC/PHY : auto-negotiation enabled
Advertised capabilities: 10BaseT-HD, 10BaseT-FD, 100BaseTX-HD,
100BaseTX-FD, fdxSPause, fdxBPause, 1000BaseT-HD,
1000BaseT-FD
Operational MAU type : 1000BaseT-FD
+ 802.3 Power via MDI: PSE port, power enabled, class 1
Power Pair : A (not controllable)
Power Type : Type 2 PSE device
Power Source : Unknown Power Source
Power Priority : Low (3)
Power Requested: 3.9 watts (PSE equivalent: 4009 mWatts)
Power Allocated: 3.9 watts (PSE equivalent: 4009 mWatts)
+ Link aggregation: not capable
+ Maximum frame size: 1522 octets
+ MED capabilities: capabilities, networkPolicy, location, extendedPSE
MED device type : Network Connectivity
+ MED Network Policy

Application Type : Voice
Policy Flags : Known Policy, Tagged
VLAN ID : 500
L2 Priority : 5
DSCP Value : 46

+ MED Extended Power via MDI
Power Type : PSE device
Power Source : Unknown Power Source
Power Priority : Low (3)
Power Value : 3.9 watts (PSE equivalent: 4009 mWatts)
+ Port VLAN ID: 213
+ Management address (IPv4): 10.1.2.3


**********************

Cisco How to Announce a Voice VLAN via CDP and LLDP:

vlan 123
name Technibble-Data
exit

vlan 500
name Technibble-Voice
exit

interface range GigabitEthernet 1/0/1 - 48
switchport mode access
switchport access vlan 123
switchport voice vlan 500
exit



Okay the Access VLAN is Untagged with a blank 802.1q field. It is expecting the attached phones to TAG vlan 500 to each frame (Layer-2). Ordinarily, tagged frames go into a trunk and the untagged frames go into the native VLAN. The difference here is that the switchport voice vlan causes an announcement.
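Both the Brocade "lldp med network-policy" line and Cisco's "switchport voice vlan" end up sending the same thing on the wire: an LLDP-MED Network Policy TLV. The "show lldp local-info" output above (Voice, Known Policy, Tagged, VLAN 500, L2 Priority 5, DSCP 46) is that TLV decoded. This is an added example of encoding and decoding it, written for this page and not taken from the thread or from either vendor; the field layout follows the published LLDP-MED (ANSI/TIA-1057) Network Policy format, and phone_tx_settings() is my own summary of what an endpoint does with the policy.

```python
# Added example, not from the thread: encode and decode the LLDP-MED Network
# Policy TLV that carries the "Voice, Tagged, VLAN 500, L2 priority 5, DSCP 46"
# announcement in the Brocade output above.  Layout per ANSI/TIA-1057: TLV type
# 127 (organisationally specific), OUI 00-12-BB, subtype 2, application type,
# then U/T/X flags, 12-bit VLAN ID, 3-bit L2 priority, 6-bit DSCP.
import struct

TLV_ORG_SPECIFIC = 127
MED_OUI = b"\x00\x12\xbb"
MED_NETWORK_POLICY = 2
APP_VOICE = 1


def encode_network_policy(vlan: int, priority: int, dscp: int, tagged: bool = True,
                          unknown: bool = False, app: int = APP_VOICE) -> bytes:
    if not (0 <= vlan <= 4095 and 0 <= priority <= 7 and 0 <= dscp <= 63):
        raise ValueError("field out of range")
    # 24 bits after the application type: U(1) T(1) X(1, reserved) VLAN(12) L2prio(3) DSCP(6)
    bits = (int(unknown) << 23) | (int(tagged) << 22) | (vlan << 9) | (priority << 6) | dscp
    value = MED_OUI + bytes([MED_NETWORK_POLICY, app]) + bits.to_bytes(3, "big")
    header = (TLV_ORG_SPECIFIC << 9) | len(value)        # LLDP TLV header: 7-bit type, 9-bit length
    return struct.pack("!H", header) + value


def decode_network_policy(tlv: bytes) -> dict:
    header = struct.unpack_from("!H", tlv)[0]
    ttype, length = header >> 9, header & 0x1FF
    value = tlv[2:2 + length]
    if (ttype != TLV_ORG_SPECIFIC or length != 8
            or value[:3] != MED_OUI or value[3] != MED_NETWORK_POLICY):
        raise ValueError("not an LLDP-MED Network Policy TLV")
    bits = int.from_bytes(value[5:8], "big")
    return {
        "app": value[4],
        "unknown": bool((bits >> 23) & 1),   # U: policy unknown, endpoint should not use it
        "tagged": bool((bits >> 22) & 1),    # T: send this application's frames tagged
        "vlan": (bits >> 9) & 0xFFF,
        "priority": (bits >> 6) & 0x7,       # the PCP / CoS bits of the 802.1Q tag
        "dscp": bits & 0x3F,
    }


def phone_tx_settings(tlv: bytes):
    """What an endpoint does with the policy: (VLAN to tag with or None, PCP, DSCP)."""
    p = decode_network_policy(tlv)
    vlan = p["vlan"] if p["tagged"] and not p["unknown"] else None
    return vlan, p["priority"], p["dscp"]
```

A quick sanity check when reading a capture: the voice policy above encodes to fe08 0012bb 02 01 43e96e, and the 0x43e96e part is where the T flag, VLAN 500, priority 5 and DSCP 46 are packed together.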
 
Great tutorial! I finally "got it" after our network engineer had me sit down and configure 9 switches for our backup network one night. This included a few VLANs and primarily PVLANs. Getting the commands down and seeing the drawing of VLANs with "tunnels", if you will for specific traffic were really helpful.
 

Awesome... it is important to realize it happens at Layer-2 here (image source is Wikipedia):

[Image: Wikipedia diagram of 802.1Q tag insertion into an Ethernet frame]


Only 12-bits of that field is for the actual VLAN tag hence you can create only up to vlan 4095 even though WikiPedia says 4094 vlans, lol!

I found a switch with 4095...

#sh vlan br

System-max vlan Params: Max(4095) Default(64) Current(64)
Default vlan Id :4095
Total Number of Vlan Configured :3
VLANs Configured :1 200 4095


It's a 12-bit field within the 32 bits of the 802.1Q header. The irony is the PCP portion is what I ALWAYS refer to as the CoS or Class-of-Service bits; since, that is the area you configure in the configuration. These are layer-2 Priority bits.


WikiPedia explains that very well.
https://en.wikipedia.org/wiki/IEEE_802.1Q


Double-Tagging is always interesting... it's a good read. I always referred to it as Q-in-Q. There are cTAGs and sTAGs for Customer and Service Provider VLANs.


To prevent VLAN hopping attacks, this is very important:

https://www.cisco.com/c/m/en_us/techdoc/dc/reference/cli/nxos/commands/l2/vlan-dot1q-tag-native.html
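To make the 12-bit field, the stacked Q-in-Q tags and the reason behind "vlan dot1q tag native" concrete, here is an added example at byte level. It is written for this page, not taken from the thread, Wikipedia or Cisco; the frames are constructed inline, the MAC addresses and native VLAN number are assumptions, and hop_attempt() assumes the attacker's access switch accepted the tagged frame into the native VLAN (platform behaviour varies). The VID range check follows IEEE 802.1Q, which reserves 4095 and uses 0 to mean "priority tag only, no VLAN".

```python
# Added example, not from the thread: 802.1Q / Q-in-Q tags at byte level, plus
# a check of what a double-tagged frame looks like after a trunk strips the
# native-VLAN tag, with and without "tag native".  Frames are constructed here;
# MAC addresses and the native VLAN number are assumptions.
import struct

TPID_CTAG = 0x8100   # customer tag, 802.1Q
TPID_STAG = 0x88A8   # service tag, 802.1ad (Q-in-Q outer tag)


def sample_frame() -> bytes:
    """Constructed untagged frame: broadcast dst, locally administered src, IPv4 payload."""
    return bytes.fromhex("ffffffffffff") + bytes.fromhex("020000000001") + b"\x08\x00" + bytes(46)


def parse_tags(frame: bytes):
    """Walk every stacked tag: returns (dst, src, [(tpid, pcp, dei, vid), ...], ethertype, payload)."""
    dst, src = frame[:6], frame[6:12]
    off, tags = 12, []
    while True:
        tpid = struct.unpack_from("!H", frame, off)[0]
        if tpid not in (TPID_CTAG, TPID_STAG):
            break                                 # reached the real EtherType
        tci = struct.unpack_from("!H", frame, off + 2)[0]
        tags.append((tpid, tci >> 13, (tci >> 12) & 1, tci & 0x0FFF))   # PCP:3 DEI:1 VID:12
        off += 4
    return dst, src, tags, tpid, frame[off + 2:]


def push_tag(frame: bytes, vid: int, pcp: int = 0, tpid: int = TPID_CTAG) -> bytes:
    """Insert a tag right after the MAC addresses, i.e. as the new outermost tag."""
    if not 0 <= vid <= 4094:      # 12 bits, but 4095 is reserved by 802.1Q; 0 = priority-tagged only
        raise ValueError("VID out of range")
    return frame[:12] + struct.pack("!HH", tpid, (pcp << 13) | vid) + frame[12:]


def pop_tag(frame: bytes) -> bytes:
    """Remove the outermost tag."""
    return frame[:12] + frame[16:]


def trunk_egress(frame: bytes, native_vid: int, tag_native: bool) -> bytes:
    """Trunk transmit rule: the native VLAN goes out untagged unless the switch
    is told to tag it (the Cisco 'vlan dot1q tag native' behaviour)."""
    _, _, tags, _, _ = parse_tags(frame)
    if tags and tags[0][3] == native_vid and not tag_native:
        return pop_tag(frame)
    return frame


def hop_attempt(native_vid: int, tag_native: bool) -> int:
    """Attacker in the native VLAN sends outer tag == native VLAN, inner tag 500.
    Returns the VID the next switch classifies the frame into after one trunk
    hop.  Assumes the attacker's switch accepted the tagged frame into the native VLAN."""
    double = push_tag(push_tag(sample_frame(), 500), native_vid)
    on_wire = trunk_egress(double, native_vid, tag_native)
    _, _, tags, _, _ = parse_tags(on_wire)
    return tags[0][3] if tags else native_vid   # untagged on a trunk == native VLAN
```

With the default behaviour the trunk pops the outer (native) tag and the inner tag 500 is what the neighbour reads, which is the hop; with the native VLAN tagged, the outer tag stays and the neighbour sees the native VLAN, which is why the linked Cisco command matters. The same parser also walks a proper Q-in-Q frame (0x88A8 S-tag outside, 0x8100 C-tag inside).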
 