What is VLAN? Setting up VLAN (Virtual Local Area Network) on Mikrotik network equipment. Separation of a local network using VLAN

Unfortunately, many modern enterprises and organizations make practically no use of a useful, and often simply necessary, capability provided by most modern local area network (LAN) switches: the organization of virtual LANs (VLANs) within the network infrastructure. It is hard to say what causes this. Perhaps there is a lack of information about the benefits of VLAN technology, its apparent complexity, or a reluctance to use a “raw” tool that does not guarantee interoperability between network devices from different manufacturers (although VLAN technology has been standardized for a year now, and all leading manufacturers of active network equipment support this standard). Therefore, this article is devoted to VLAN technology. It discusses the benefits of using VLANs, the most common methods of organizing VLANs and the interaction between them, and the specifics of building VLANs with switches from some well-known manufacturers.

Why is this needed

What is a VLAN? This is a group of computers connected to a network, logically united into a domain for sending broadcast messages according to some criterion. For example, groups of computers can be allocated in accordance with the organizational structure of the enterprise (by departments and divisions) or based on work on a joint project or task.

There are three main benefits to using VLANs. This is a significantly more efficient use of bandwidth than in traditional LANs, an increased level of protection of transmitted information from unauthorized access and simplified network administration.

Because VLANs logically divide the entire network into broadcast domains, members of a VLAN transmit information only to other members of the same VLAN, and not to all computers on the physical network. In this way, broadcast traffic (usually generated by servers announcing their presence and capabilities to other devices on the network) is limited to a predefined domain rather than broadcast to all stations on the network. This achieves optimal distribution of network bandwidth between logical groups of computers: workstations and servers from different VLANs “do not see” each other and do not interfere with each other.

Since communication is carried out only within a specific VLAN, computers from different virtual networks cannot receive traffic generated in other VLANs. Using protocol analyzers and network monitoring tools to capture traffic from a VLAN other than the one the user belongs to is considerably harder. That is why, in a VLAN environment, information transmitted over the network is much better protected from unauthorized access.

Another benefit of using VLANs is that it simplifies network administration. This is especially true for tasks such as adding new elements to the network, moving them, and deleting them. For example, when a VLAN user moves to another room, even if it is on a different floor or in a different building of the enterprise, the network administrator does not need to reconnect the cables. He only needs to configure the network equipment accordingly from his workplace. Additionally, some VLAN implementations can control the movement of VLAN members automatically without requiring administrator intervention. The network administrator can also carry out operations to create new logical user groups and add new members to groups over the network, without leaving his workplace. All this significantly saves the administrator’s working time, which can be used to solve other equally important tasks.

VLAN organization methods

Leading manufacturers of department and workgroup switches use in their devices, as a rule, one of three methods of organizing VLANs: based on ports, MAC addresses or third-layer protocols. Each of these methods corresponds to one of the three lower layers of the OSI interaction model: physical, link and network, respectively. There is a fourth way to organize a VLAN - based on rules. It is currently rarely used, although it provides greater flexibility in VLAN organization, and may be widely used in devices in the near future. Let's briefly look at each of the above methods of organizing VLANs, their advantages and disadvantages.

Port-based VLAN. As the name of the method suggests, VLANs are organized by logically combining selected physical switch ports. For example, a network administrator can specify that switch ports numbered 1, 2, 5 form VLAN1, and ports numbered 3, 4, 6 form VLAN2, etc. Several computers can be connected to one switch port (for example, through a hub). All of them will belong to the same VLAN - the one to which the switch port serving them is assigned. This strict binding of VLAN membership to the port is a disadvantage of the port-based way of organizing virtual networks.

VLAN based on MAC addresses. This method allows you to build a VLAN based on the unique hexadecimal link-level address that each server or workstation network adapter on the network has. This is a more flexible way of organizing VLANs compared to the previous one, since devices belonging to different VLANs can be connected to one switch port. In addition, the movement of computers from one switch port to another is tracked by the switch automatically, so the moved computer keeps its membership in a specific VLAN without the intervention of a network administrator. It works quite simply: the switch maintains a table of correspondence between the MAC addresses of computers and virtual networks. As soon as a computer moves to another switch port, the switch compares the source MAC address field in the header of the first frame transmitted after the move with the data in its table and correctly determines which VLAN the moved computer belongs to. The disadvantage of this method of organizing VLANs is the initial complexity of configuring VLANs, which is prone to errors. Although the table of MAC addresses is built automatically by switches, the network administrator needs to look through all of it, determine which workstation a given hexadecimal MAC address corresponds to, and then assign it to the corresponding virtual network. True, subsequent reconfiguration of VLANs based on MAC addresses will require significantly less effort than in the case of VLANs based on ports.

VLAN based on layer 3 protocols. This method is rarely used in department and workgroup switches. It is typical for backbone routing switches that have built-in routing tools for the main LAN protocols - IP, IPX and AppleTalk. In this method, a group of switch ports belonging to a specific VLAN are associated with a specific IP subnet or IPX network. Flexibility here is provided by the fact that user movements to another port belonging to the same VLAN are monitored by the switch and do not require reconfiguration. The advantage of this method is also the simplicity of VLAN configuration, which can be done automatically, since the switch analyzes the network addresses of computers associated with each VLAN. In addition, as already mentioned, devices that support the method of organizing VLANs based on layer 3 protocols have built-in routing tools, which provides the ability to interact between different VLANs without the use of additional tools. This method has, perhaps, only one drawback - the high price of the switches in which it is implemented.

VLAN based on rules. It is assumed that the switch has the ability to analyze in detail predefined fields and even individual bits of packets passing through it as mechanisms for constructing VLANs. This method provides virtually unlimited possibilities for creating virtual networks based on multiple criteria. For example, even by the principle of including in the VLAN all users whose computers have network adapters from the specified manufacturer installed. Despite its enormous flexibility, the process of rules-based VLAN configuration is very labor-intensive. In addition, the presence of complex rules can negatively affect the throughput of the switch, since a significant part of its processing power will be spent on packet analysis.

Devices can also be automatically moved to VLANs based on user or device authentication data when using the 802.1x protocol.

Building distributed VLANs

Modern LANs often contain more than one switch. Computers belonging to the same VLAN can be connected to different switches. Therefore, in order to properly route traffic, there must be a mechanism for switches to exchange information about the VLAN membership of devices connected to them. Previously, each manufacturer implemented proprietary mechanisms for exchanging such information in its devices. For example, 3Com called this technology VLT (Virtual LAN Trunk), Cisco Systems called it ISL (Inter-Switch Link). Therefore, to build distributed VLANs, it was necessary to use devices from one manufacturer. The situation radically improved when the standard for building tagged VLANs was adopted - IEEE 802.1Q, which now dominates the VLAN world. Among other things, it also regulates the mechanism for exchanging VLAN information between switches. This mechanism allows you to supplement frames transmitted between switches with fields indicating membership in a particular VLAN. Today, all leading manufacturers of LAN switches support the 802.1Q standard in their devices. Consequently, today it is already possible to build virtual networks using switches from different manufacturers. Although, as you will see later, even when working in accordance with 802.1Q, switches from different manufacturers provide far from the same capabilities for organizing VLANs.

Organization of interaction between VLANs

Computers located in different VLANs cannot directly communicate with each other. To organize such interaction, you must use a router. Previously, regular routers were used for this. Moreover, it was required that the router have as many physical network interfaces as there are VLANs. In addition, the switches had to allocate one port from each VLAN to connect the router. Considering the high cost of router ports, the cost of such a solution was very high. In addition, a conventional router introduced significant delay in data transfer between VLANs. Today, to transfer data between VLANs, routing switches are used, which have a low price per port and carry out hardware routing of traffic at the speed of the communication channel. Routing switches also comply with the IEEE 802.1Q standard, and to organize communication between distributed VLANs, they need to use only one port to connect each of the workgroup switches that connect devices corresponding to different VLANs to the network. In other words, information can be exchanged between devices from different VLANs through one port of a modern routing switch.

Use of shared network resources by computers of different VLANs

An interesting possibility is organizing access to shared network resources (network servers, printers, etc.) for computers belonging to different VLANs. The advantages of this are obvious. Firstly, there is no need to purchase a router or routing switch unless you need to organize direct data exchange between computers from different VLANs. Interaction between computers of different VLANs can be ensured through a network server to which all or several VLANs have access. Secondly, while maintaining all the advantages of using VLANs, you do not have to purchase servers for each VLAN separately, but can use common ones.

The easiest way to give access to one server to users from different VLANs is to install several network adapters in the server and connect each of these adapters to switch ports belonging to different VLANs. However, this approach has a limitation on the number of VLANs (many network adapters cannot be installed in the server), imposes strict requirements on the server components (network adapter drivers require an increase in the amount of RAM, creates a large load on the CPU and the server I/O bus, etc.) and does not help save money (using multiple network adapters and additional switch ports).

With the advent of the IEEE 802.1Q standard, it became possible to transmit information related to all or several VLANs through one switch port. As mentioned above, to do this, the switch (or other device that supports 802.1Q) adds a field to the frame transmitted over the network that uniquely determines whether the frame belongs to a specific VLAN. A server common to all VLANs can be connected to such a port with just one communication line. The only condition for this is that the server’s network adapter must support the 802.1Q standard so that the server can know from which VLAN the request came and, accordingly, where to send the response. This is how the server is divided between VLANs in managed department and workgroup switches from 3Com, Hewlett-Packard and Cisco Systems.

Conclusion

As you can see, VLANs are a powerful network organization tool that can solve problems of administration, data transmission security, access control to information resources, and significantly increase the efficiency of using network bandwidth.

Oleg Podukov, head of the technical department of COMPLETE Company

Let's imagine this situation. We have an office for a small company with 100 computers and 5 servers. At the same time, this company employs various categories of employees: managers, accountants, personnel officers, technical specialists, administrators. It is necessary for each department to work in its own subnet. How to delimit the traffic of this network? In general, there are two such methods: the first method is to divide the pool of IP addresses into subdivisions and allocate its own subnet for each department, the second method is to use a VLAN.

VLAN (Virtual Local Area Network) is a group of network nodes whose traffic, including broadcast traffic, is completely isolated at the link level from the traffic of other network nodes. In modern networks, VLAN is the main mechanism for creating a logical network topology that is independent of its physical topology.

VLAN technology is defined in IEEE 802.1q, an open standard that describes a tagging procedure for conveying VLAN membership information. 802.1q places a tag inside an ethernet frame that conveys information about the traffic's membership in a VLAN.

Let's look at the VLAN tag fields:

  • TPID (Tag Protocol Identifier) - tagging protocol identifier. Indicates which protocol is used for tagging. For 802.1Q the value is 0x8100.
  • Priority - priority. Used to set the priority of transmitted traffic (QoS).
  • CFI (Canonical Format Indicator) - indicates the MAC address format (Ethernet or Token Ring).
  • VID (VLAN Identifier) - VLAN identifier. Indicates which VLAN the frame belongs to. You can set a number from 0 to 4094.

When sending frames, the computer does not know what VLAN it is in - the switch does this. The switch knows which port the computer is connected to and, based on this, will determine in which VLAN this computer is located.

The switch has two types of ports:

  • Tagged port (tagged, trunk) - a port through which traffic of several VLAN groups can be transmitted or received. When transmitted over a tagged port, a VLAN tag is added to the frame. Used to connect to switches, routers (that is, those devices that recognize VLAN tags).
  • Untagged port (untagged, access) - the port through which untagged frames are transmitted. Used to connect to end nodes (computers, servers). Each untagged port is in a specific VLAN. When transmitting traffic from this port, the VLAN tag is removed and untagged traffic goes to the computer (which does not recognize the VLAN). Otherwise, when traffic is received on an untagged port, a VLAN tag is added to it.
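The tag layout listed above and the tagged/untagged port behaviour, as an added Python example (this is not code from the original article): it parses the 4-byte 802.1Q tag out of a raw Ethernet frame, inserts a tag with a given VID the way a switch does for frames entering an untagged (access) port, and strips it again on egress through an untagged port. The sample frame, its MAC addresses and the PVID value 22 are constructed for the example; the rule that a frame arriving already tagged keeps its own VID follows the later section on explicit and implicit tagging.

```python
"""Reading, adding and removing an IEEE 802.1Q tag on an Ethernet frame (added example)."""
import struct

TPID_8021Q = 0x8100   # EtherType value that announces an 802.1Q tag
ETH_HDR_LEN = 14      # dst MAC (6) + src MAC (6) + EtherType (2)


def parse_tag(frame: bytes):
    """Return (priority, cfi, vid, inner_ethertype) if the frame is tagged, else None."""
    if len(frame) < ETH_HDR_LEN + 4:
        return None
    (tpid,) = struct.unpack("!H", frame[12:14])
    if tpid != TPID_8021Q:
        return None
    tci, inner_type = struct.unpack("!HH", frame[14:18])
    priority = tci >> 13          # 3-bit priority (PCP)
    cfi = (tci >> 12) & 0x1       # 1-bit CFI
    vid = tci & 0x0FFF            # 12-bit VLAN identifier
    return priority, cfi, vid, inner_type


def insert_tag(frame: bytes, vid: int, priority: int = 0, cfi: int = 0) -> bytes:
    """Tag an untagged frame, as a switch does for frames that enter an untagged (access) port."""
    if not 1 <= vid <= 4094:
        raise ValueError("VID must be 1..4094 (0 and 4095 are reserved)")
    if not 0 <= priority <= 7:
        raise ValueError("priority is a 3-bit field")
    if parse_tag(frame) is not None:
        raise ValueError("frame already carries an 802.1Q tag")
    tci = (priority << 13) | (cfi << 12) | vid
    # The tag sits between the source MAC and the original EtherType.
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def strip_tag(frame: bytes) -> bytes:
    """Remove the 4-byte tag, as a switch does before sending a frame out of an untagged port."""
    if parse_tag(frame) is None:
        raise ValueError("frame is not 802.1Q tagged")
    return frame[:12] + frame[16:]


def ingress(frame: bytes, pvid: int):
    """Classify a frame arriving on a port: its own tag wins, otherwise it gets the port's PVID."""
    tag = parse_tag(frame)
    if tag is None:
        return pvid, insert_tag(frame, pvid)
    return tag[2], frame


def egress(tagged_frame: bytes, port_is_tagged: bool) -> bytes:
    """Transmit: tagged (trunk) ports keep the tag, untagged (access) ports remove it."""
    return tagged_frame if port_is_tagged else strip_tag(tagged_frame)


# Constructed sample: a broadcast ARP-style frame from a made-up MAC, no VLAN tag, zero payload.
SAMPLE_UNTAGGED = (
    bytes.fromhex("ffffffffffff")      # destination: broadcast
    + bytes.fromhex("0200c0ffee01")    # source: locally administered test address (constructed)
    + b"\x08\x06"                      # EtherType 0x0806 (ARP)
    + b"\x00" * 28
)

if __name__ == "__main__":
    vid, tagged = ingress(SAMPLE_UNTAGGED, pvid=22)   # host on an access port in VLAN 22
    print("classified into VLAN", vid, "tag fields:", parse_tag(tagged))
    print("to tagged port  :", egress(tagged, True).hex())
    print("to untagged port:", egress(tagged, False) == SAMPLE_UNTAGGED)
```

The range check in insert_tag matters on a real switch too: a VID of 0 means "priority tag only" and 4095 is reserved, so neither identifies a VLAN a host should be placed in.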

Configuring VLAN on the D-Link DES-3528 managed switch

The DES-3528/3552 xStack switch series includes stackable L2+ access switches that securely connect end users to large enterprise and small-to-medium business (SMB) networks. The switches provide physical stacking, static routing, multicast group support, and advanced security features. All this makes this device an ideal access level solution. The switch easily integrates with L3 core switches to form a multi-level network structure with a high-speed backbone and centralized servers. The DES-3528/3552 series switches are equipped with 24 or 48 10/100Mbps Ethernet ports and support up to 4 Gigabit Ethernet uplink ports.

Let's look at the principles of configuring VLANs on managed D-Link switches. Along the way, we will study ways to create, delete and change VLANs, and to add different types of ports (tagged and untagged).

Connection to the switch is made through the console port using the HyperTerminal program.

Using the show vlan command, we will see information about existing VLANs.

In the figure above, you can see that initially only one default VLAN is created on the switch, named default. The show vlan command displays the following fields:

  • VID – VLAN identifier
  • VLAN Type – VLAN type
  • Member Ports – participating ports
  • Static Ports – static ports
  • Current Tagged Ports – current tagged ports
  • Current Untagged Ports – current untagged ports
  • Static Tagged Ports – static tagged ports
  • Static Untagged Ports – static untagged ports
  • Total Entries – total entries
  • VLAN Name – VLAN name
  • Advertisement – status

Let's create a new VLAN, in which the initials AA are used as the name, and the number 22 is used as the identifier. To do this, we will use the create vlan command.

The new VLAN does not yet include a single port. Using config vlan, we will change VLAN AA so that tagged ports 10, 14-17 and untagged ports 2-5 appear in it.

Using the show vlan command we will display information about the created VLANs.
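The VLAN table that show vlan describes, and the port rules from the earlier section, modelled in Python as an added example (not D-Link's code or the switch's actual output). It assumes a 28-port switch whose factory state has every port untagged in VLAN 1 (the default VLAN seen above), builds VLAN AA with VID 22, tagged ports 10,14-17 and untagged ports 2-5 as in the text, and then answers the question a defender cares about: which ports a broadcast entering a given port can ever reach, and whether a tagged frame for a VLAN the ingress port is not a member of is dropped. The port-list parser and the ingress-filtering rule are my assumptions, not taken from the page.

```python
"""Model of a switch's static VLAN membership table and its flooding decision (added example)."""


def parse_portlist(spec: str) -> set:
    """Expand a port list such as "10,14-17" into {10, 14, 15, 16, 17}."""
    ports = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            ports.update(range(lo, hi + 1))
        else:
            ports.add(int(part))
    return ports


class VlanTable:
    """Per VID: its name, tagged ports and untagged ports; per port: its PVID."""

    def __init__(self, port_count: int):
        self.port_count = port_count
        self.vlans = {}   # vid -> {"name": str, "tagged": set, "untagged": set}
        self.pvid = {}    # port -> VID given to untagged frames arriving there

    def _check_ports(self, ports):
        bad = sorted(p for p in ports if not 1 <= p <= self.port_count)
        if bad:
            raise ValueError(f"ports out of range: {bad}")

    def create_vlan(self, name: str, vid: int):
        if not 1 <= vid <= 4094:
            raise ValueError("VID must be 1..4094 (0 and 4095 are reserved)")
        if vid in self.vlans:
            raise ValueError(f"VLAN {vid} already exists")
        self.vlans[vid] = {"name": name, "tagged": set(), "untagged": set()}

    def add_tagged(self, vid: int, portlist: str):
        """Frames of this VLAN leave these ports with their tag (trunk membership)."""
        ports = parse_portlist(portlist)
        self._check_ports(ports)
        self.vlans[vid]["tagged"] |= ports
        self.vlans[vid]["untagged"] -= ports

    def add_untagged(self, vid: int, portlist: str):
        """A port is untagged in exactly one VLAN; that VLAN becomes its PVID."""
        ports = parse_portlist(portlist)
        self._check_ports(ports)
        for other_vid, other in self.vlans.items():
            if other_vid != vid:
                other["untagged"] -= ports
        self.vlans[vid]["untagged"] |= ports
        self.vlans[vid]["tagged"] -= ports
        for p in ports:
            self.pvid[p] = vid

    def members(self, vid: int) -> set:
        return self.vlans[vid]["tagged"] | self.vlans[vid]["untagged"]

    def classify(self, ingress_port: int, frame_vid=None):
        """VLAN of an arriving frame: its tag if present, else the port's PVID.
        None means drop: no PVID, unknown VLAN, or (ingress filtering) a tagged
        frame for a VLAN the ingress port is not a member of."""
        vid = frame_vid if frame_vid is not None else self.pvid.get(ingress_port)
        if vid is None or vid not in self.vlans or ingress_port not in self.members(vid):
            return None
        return vid

    def flood(self, ingress_port: int, frame_vid=None) -> dict:
        """Ports a broadcast frame is delivered to, and how it leaves each one."""
        vid = self.classify(ingress_port, frame_vid)
        if vid is None:
            return {}
        entry = self.vlans[vid]
        out = {p: "tagged" for p in entry["tagged"] if p != ingress_port}
        out.update({p: "untagged" for p in entry["untagged"] if p != ingress_port})
        return out

    def show_vlan(self) -> list:
        """Rows resembling the fields of the show vlan output."""
        return [{"VID": vid, "VLAN Name": e["name"],
                 "Member Ports": sorted(e["tagged"] | e["untagged"]),
                 "Static Tagged Ports": sorted(e["tagged"]),
                 "Static Untagged Ports": sorted(e["untagged"])}
                for vid, e in sorted(self.vlans.items())]


def build_des3528_example() -> VlanTable:
    """Constructed table for a 28-port switch: default VLAN plus VLAN AA (VID 22)."""
    t = VlanTable(port_count=28)
    t.create_vlan("default", 1)
    t.add_untagged(1, "1-28")       # assumed factory state: every port untagged in VLAN 1
    t.create_vlan("AA", 22)
    t.add_tagged(22, "10,14-17")    # uplinks that carry VLAN 22 with a tag
    t.add_untagged(22, "2-5")       # end hosts on 2-5 leave the default VLAN
    return t


if __name__ == "__main__":
    table = build_des3528_example()
    for row in table.show_vlan():
        print(row)
    print("broadcast from port 3:", table.flood(3))
    print("VID 22 frame arriving on port 1:", table.flood(1, frame_vid=22))
```

Running it shows the isolation the article promises: a broadcast from port 3 reaches only ports 2, 4, 5 untagged and 10, 14-17 tagged, never port 1, and a frame tagged with VID 22 that arrives on port 1 (a member of the default VLAN only) is dropped rather than leaking into VLAN AA.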

Early in Ethernet's history, local area networks were limited to a single collision domain. With the advent of bridges with two or more ports, it became possible to segment a large network into smaller collision domains, significantly improving network performance. However, this did not reduce the network congestion caused by sudden broadcast storms: broadcast traffic moved freely across Ethernet bridges.

With the advent of Ethernet routers, network users began to be grouped into work groups with a common collision domain. This not only improved network efficiency within each group, but also reduced overall network congestion caused by sudden broadcast storms. However, the division of the general network by routers into work groups caused other problems. Communication between workgroups became possible only through Layer 3 routers. This slowed down access to the company's global servers.

With the advent of switched VLAN Ethernet technology, it is now possible to logically segment a network into multiple broadcast domains, improving network performance and reducing broadcast traffic, without slowing down access to the company's global servers.

Switched VLAN Ethernet

With the advent of switched Ethernet, market demand for it kept growing. For several years, the number of switched ports in corporate networks has been constantly increasing. As a result, each switched port was shared by fewer and fewer network users, until each user had a dedicated connection to a switched port. This type of network infrastructure is best suited for deploying Virtual Local Area Networks (VLANs).

Virtual networks can be defined as groups of users assigned to specific departments or performing common functions, without limiting the physical location of the users and without even limiting the use of different network devices (switches) to which they are physically connected.

The above sentence seems to define the boundaries of the Virtual Local Network (VLAN). More often, a Virtual Local Area Network is thought of as a general broadcast domain. VLAN technology divides a large broadcast domain into smaller broadcast domains, limiting broadcast traffic to a single user group.

Port oriented VLAN

This type of virtual local area networks (VLANs) determines the membership of each VLAN based on the connected port number. See the following example of a port oriented VLAN.

Example 1. Ports 3, 6, 8 and 9 belong to VLAN1 and ports 1, 2, 4, 5 and 7 belong to VLAN2

Table 1. Membership of each VLAN is determined by port number
PORT    1  2  3  4  5  6  7  8  9
VLAN 1        x        x     x  x
VLAN 2  x  x     x  x     x

Figure 1 shows an example implementation of a port-oriented VLAN (based on the SXP1224WM switch and the two-speed DX2216 hub from Compex).

Fig. 1.

In this example, two DX2216 hubs are connected to separate ports on the SXP1224WM switch. Since a port-oriented VLAN determines VLAN membership based on the port number, all workstations connected to the ports of the hub (DX2216) belong to the same VLAN. In our case, workstations connected through a DX2216 hub to port 1 of the switch belong to VLAN2, and workstations connected through a DX2216 hub to port 3 of the switch belong to VLAN1. Since these workstations are connected through the DX2216 hub, they must be physically located close to each other. On the other hand, there are 7 workstations connected directly to the switch ports (Private Port Switching). Workstations connected to ports 6, 8 and 9 of the SXP1224WM switch are physically remote from other stations (connected through a hub), however, they all belong to VLAN2.

For one SXP1224WM switch, the maximum number of users with a direct (not shared) connection to a switched port is 24, according to the number of ports on this switch. How can VLAN be implemented if more than one SXP1224WM type switch is used and users of the same VLAN are connected to different switches?
Figure 2 shows an example of connecting VLAN users across multiple switches.


Fig. 2.

The VLAN memberships for this example are shown in Tables 2 and 3.

Table 2. VLAN membership of SXP1224WM *1
PORT 2 3 4 5 6 7 8 9 10
VLAN x x x x x
VLAN x x x x

Table 3. VLAN membership of SXP1224WM *2

PORT 2 3 4 5 6 7 8
VLAN x x x
VLAN x x x x

In this example, two common virtual subnets (VLANs) are defined on both switches. VLAN1 on switch #1 and VLAN1 on switch #2 have the same common VLAN for which a common port must be defined. In this case, port 6 on switch #1 and port 7 on switch #2 are members of VLAN1 and these ports (port 6 on switch #1 and port 7 on switch #2) are bundled together. Considering that port 7 of switch #1 and port 8 of switch #2 are members of VLAN2, they are also connected together.

VLAN with tagged frames (IEEE 802.1Q)

This type of VLAN uses the second layer of the network model. An ID tag is inserted into each frame identifying their membership in a specific VLAN. This technology is used to create virtual networks (VLANs) covering many switches. Figure 3 shows an example of such a VLAN.


Fig. 3.

ID tags can be added explicitly or implicitly to such a VLAN. If the network has network cards that support IEEE 802.1Q, and the corresponding options are enabled on these cards, then outgoing Ethernet frames from these cards will contain VLAN identification tags. These VLAN identification tags are added explicitly. Switches supporting IEEE 802.1Q identify VLAN membership by checking ID tags in Ethernet frames.

If the network adapters connected to the network do not support the IEEE 802.1Q protocol, VLAN tagging can still be done based on port grouping. Let's assume that ports 1-3 are grouped into some VLAN. An IEEE 802.1Q-enabled switch will add an ID tag with the corresponding VLAN ID to Ethernet frames arriving on these ports, and will remove these tags from frames leaving them.

If VLAN identification with 802.1Q tags is done using both the explicit and the implicit method, the frames arriving at switch ports may be of both types (tagged and untagged). In this situation, the VLAN ID tag defined by the port grouping is added to untagged incoming frames, whereas tagged frames already carry an explicitly defined VLAN membership. For example, if port 5 was implicitly grouped under VLAN1, frames arriving on port 5 tagged with the VLAN2 ID retain their membership in VLAN2 even though port 5 was grouped under VLAN1.

VLAN based on high-level protocols

Protocol-based VLANs are implemented at layer 3 of the network model, grouping workstations with a specific transport protocol under a specific VLAN. For example, if a network consists of Apple computers and Unix workstations, respectively using the AppleTalk and TCP/IP protocols, the Apple computers may be grouped into one VLAN while the Unix stations are grouped into another. A protocol-based VLAN examines Layer 3 protocol information in packets and allows packets with a specific transport protocol (AppleTalk or TCP/IP) to participate in the appropriate broadcast domain. Figure 4 shows an example of the implementation of such a VLAN.


Fig. 4.

Benefits of VLANs

Virtual Working Groups

The main function of virtual networks is to create virtual workgroups based on the common functions of users and the shared resources to which they need access. For example, an enterprise consists of many departments - accounting, procurement, marketing, sales, etc. Users of each department need access to certain of their resources. By implementing VLANs, users in each department can be logically described and grouped into different workgroups with different network resources available.

Improve network performance

Recall that a VLAN is a broadcast domain, and that in multi-VLAN networks VLANs correspond to real broadcast domains. Let's assume there is a network with 1000 workstations located in one broadcast domain. Each workstation on this network receives the broadcast traffic generated by all the other workstations. Using VLAN technology, this large network with a lot of broadcast traffic is segmented into many broadcast domains with a few workstations per broadcast domain. Consequently, the frequency (density) of broadcasts is reduced. The performance of each subnet increases because the network devices are less often distracted from transmitting actual data by receiving broadcast traffic.


Fig. 5.

Breaking down traditional concepts of network boundaries

In the past, workstations in the same workgroup or department were usually physically located in the same location. With VLAN technology, network users within the same workgroup or department are less constrained by their physical location. This freedom depends on the capabilities of the Ethernet switches used. In the case of using VLAN, network users of the same workgroup or department can be located on different floors and even in different buildings and still belong to the same virtual network, as shown in Figure 6.


Fig. 6.

Figure 6 shows a network located on two different floors of a building. On the second floor, all 5 workstations are connected directly to an Ethernet switch (private port switching). Note that 3 workstations on the 1st floor are connected to a dual-speed DX2216 hub, and the other two workstations are connected directly to the switch ports, the same as on the 2nd floor. The switch port through which the DX2216 hub is cascaded is assigned to VLAN2, therefore all three computers connected to the DX2216 belong to VLAN2. Workstations connected to the DX2216 dual-speed hub must be physically close to each other and belong to the same workgroup or department. On the other hand, workstations connected to the same VLAN-enabled switch do not necessarily belong to the same workgroup or department. And workstations connected to different switches, regardless of physical location, can belong to the same workgroup or department and participate in the same broadcast domain.

Security and separation of access to network resources

Many managed switches (such as the SXP1216/24WM and SGX3224/PLUS from Compex) allow a single switch port to have membership in multiple VLANs. For example, Port 5 of a switch can simultaneously belong to VLAN1, VLAN2 and VLAN3, and participate in the broadcast of all three virtual networks. Thanks to this feature, a server connected to port 5 can provide access to workstations on all three networks. On the other hand, access to servers of the same department connected to ports with membership in the same VLAN is possible only within the corresponding VLAN.


Fig. 7.

Reducing costs when moving personnel

Suppose there is a need to move personnel jobs from various departments within the company, or change the physical location of a specific department. When using a tagged VLAN (IEEE 802.1Q) with direct connections to switched ports, the cost of relocation only includes the physical relocation of personnel workstations because the VLAN membership IDs will be migrated along with the network workstations. There is no need to redesign connections on existing Ethernet switches.

Conclusion

Even though there are approved standards for organizing virtual local networks, the methods for constructing a VLAN and the methods for assigning membership in a VLAN depend on the characteristics of the equipment provided by various vendors. For example, VLANs can be created by grouping membership by switch port numbers. And when processing the contents of Ethernet frames, it is possible to group membership based on the MAC address table or the contents of a special Ethernet frame ID tag.

If you need or have decided to independently connect a router/modem from Rostelecom, if you need to connect IPTV or digital telephony services, then you should know what a VLAN ID is and how to find it.

A VLAN ID is a 12-bit identifier with which you can create multi-level virtual networks that bypass physical obstacles such as geographic location, and deliver particular information to the devices that need it. VLAN technology is present in the devices that build one common network. In simple terms, the VLAN ID is an address to which the special devices that recognize it (switches) send data packets.

The technology is quite convenient, has its own advantages and disadvantages, and is used by Rostelecom for data transmission: for example, for digital television (IPTV). That is, if you decide to connect or set up IPTV yourself, then you need to know the identifier. As you might guess, the Russian company uses these special sets of numbers so that people at a common “address” can use their modems/routers to watch IPTV. That is, this “beacon” allows different people to receive the same information.

This is done not only for convenience and bypassing physical boundaries. The ID allows you to secure access to various virtual networks. For example, separate guest connections from enterprise connections or, in the case of IPTV, provide access only to certain users.


Tagging traffic

There are tagged and untagged ports. That is, there are ports that use tags, and there are those that do not. An untagged port can carry only its own VLAN; a tagged port can receive and send traffic from several VLAN IDs.

Tags are “attached” to traffic so that network switches can recognize and accept it. Tags are also used by Rostelecom.

The most interesting thing that tags allow is that computers can be connected to one switch and receive a Wi-Fi signal from one access point, yet not see each other and not receive the same data if they belong to different VLAN IDs. This is because one VLAN uses certain tags, while another may be completely untagged and not let this traffic through.

Enable this feature

This identifier must be enabled so that devices receiving information can see it. Otherwise, all encrypted information will not be visible.

So it is worth enabling the VLAN for each specific service. If it has already been enabled by someone else, it is still worth knowing your "address".

How to find out your ID?

If you do not know your ID and need it quickly, you can ask your neighbours in the building. Another option is to call the Rostelecom hotline; the request is then passed to the regional technical support, where the VLAN IDs used in your locality are known.

So, now you know by what principle IPTV from Rostelecom works. You also know what tags are used for, how to find out your VLAN, and what role it plays.

VLANs are virtual networks that exist at Layer 2 of the OSI model, which means a VLAN can be configured on a Layer 2 switch. Setting aside the notion of "virtual networks", a VLAN is simply a label inside a frame travelling across the network. The label carries the VLAN number (the VLAN ID, or VID), a 12-bit field, so VLANs could in principle be numbered from 0 to 4095; the first and last values are reserved and cannot be used. Workstations usually know nothing about VLANs (unless you configure them on the network cards); the switches handle them. Each switch port is assigned to a VLAN, so each port has a PVID (port VLAN identifier), and untagged traffic arriving on the port is marked with that VLAN. The traffic can then leave only through other ports, on this switch or on others, that belong to the same VLAN, and never through the rest. The result is an isolated environment (a subnet) that cannot talk to other subnets without an additional device, a router.

Why are VLANs needed?

  • The ability to build a network whose logical structure does not depend on the physical one: the data-link topology is built regardless of where the network's components are physically located.
  • The ability to split one broadcast domain into several broadcast domains. That is, broadcast traffic from one domain does not pass to another domain and vice versa. This reduces the load on network devices.
  • The ability to protect the network from unauthorized access: at the link layer the switch port discards frames from other VLANs, whatever source IP address the packet inside the frame carries.
  • The ability to apply policies to a group of devices that sit in the same VLAN.
  • The ability to use virtual interfaces for routing.

VLAN usage examples

  • Connecting computers attached to different switches into a single network. Say you have computers connected to different switches that need to form one network. We put some of them into virtual network VLAN 1 and the others into VLAN 2. Thanks to VLANs, the computers in each virtual network behave as if they were connected to the same switch, while computers in VLAN 1 and VLAN 2 are invisible to each other.
  • Dividing computers connected to the same switch into different subnets. In the figure, the computers are physically connected to one switch but separated into virtual networks VLAN 1 and VLAN 2. Computers in different virtual subnets are invisible to each other.


  • Separating a guest Wi-Fi network from the enterprise Wi-Fi network. In the figure, one Wi-Fi access point is physically connected to the router. Two virtual Wi-Fi networks, HotSpot and Office, have been created on the access point. Guest laptops connect to HotSpot to reach the Internet, and enterprise laptops connect to Office. For security it is important that guest laptops have no access to the enterprise network, so the enterprise computers and the virtual network Office are placed into VLAN 1, while the guest laptops end up in VLAN 2. Guest laptops in VLAN 2 have no access to the enterprise network in VLAN 1.


Advantages of using VLAN

  • Flexible division of devices into groups. As a rule, one VLAN corresponds to one subnet. Computers in different VLANs are isolated from each other, and computers connected to different switches can be combined into one virtual network.
  • Reduced broadcast traffic. Each VLAN is a separate broadcast domain, and broadcasts do not cross between VLANs. If the same VLAN is configured on several switches, the ports of those switches together form one broadcast domain.
  • Better security and manageability. In a network divided into virtual subnets it is convenient to apply security policies and rules per VLAN: a policy applies to the whole subnet rather than to an individual device.
  • Less equipment and cabling. Creating a new virtual network needs no new switch or cable, although it does require the more expensive managed switches with VLAN support.

Tagged and untagged ports

When a port must be able to receive or send traffic from several VLANs, it must be in the tagged, or trunk, state; "trunk port" and "tagged port" mean the same thing. A trunk port carries the VLANs explicitly allowed on it or, unless restricted, all VLANs known to the switch. An untagged port carries exactly one VLAN; on a trunk, the one VLAN that is sent without a tag is called the native VLAN. If a port has not been assigned to any VLAN, it is assumed to be untagged in the first VLAN (VID 1).

Different equipment is configured differently here. On some, you specify on the physical interface what state it is in; on others, you go into a specific VLAN and state whether a given port is in it tagged or untagged, and if the port must carry several VLANs you register it with a tag in each of them. For example, on Enterasys Networks switches we specify which VLAN a port belongs to and add the port to that VLAN's egress list so that traffic can leave through it; to let another VLAN's traffic through the same port, we add the port to that VLAN's egress list as well. On HP equipment (for example ProCurve switches), inside the VLAN itself we list the ports that carry its traffic and mark each as tagged or untagged. Cisco Systems hardware is the simplest: we just state which ports are untagged in which VLAN (access) and which ports are tagged (trunk).

Trunk ports need an agreed format for the tag. The standard one is IEEE 802.1Q, an international standard supported by all manufacturers and by far the most commonly used for virtual networks. Some manufacturers also had their own tagging protocols: Cisco, for example, created ISL (Inter-Switch Link) for its own equipment, which has since been superseded by 802.1Q.

Intervlan routing

What is inter-VLAN routing? It is ordinary routing between subnets; the only difference is that each subnet corresponds to a VLAN at Layer 2. Say we have two VLANs, VID 10 and VID 20. At Layer 2 they split one network into two subnets whose hosts cannot see each other: the traffic is completely isolated. For the hosts to communicate, traffic between the VLANs must be routed. To do this we give each VLAN a Layer 3 interface, that is, attach an IP address to it: for example 10.0.10.1/24 for VID 10 and 10.0.20.1/24 for VID 20. These addresses then act as the gateways to the other subnets, and host traffic can be routed from one VLAN to another. What does routing between VLANs give us compared with simply routing between networks without VLANs? The following:

  • A client cannot simply move itself into another subnet. If a host sits in a certain VLAN, then even if it changes its own addressing to that of another subnet, it still remains in the VLAN its port belongs to, and so it gains no access to the other subnet except through the router. This protects the network from "bad" clients.
  • We can place several physical switch interfaces into one VLAN. That gives us the option of configuring routing directly on a Layer 3 switch with the clients connected to it, without an external router, or of using an external router connected to a Layer 2 switch on which the VLANs are configured, creating as many subinterfaces on the router port as there are VLANs to route.
  • It is very convenient to have Layer 2 in the form of VLANs sitting between Layer 1 and Layer 3: subnets map onto VLANs with their own interfaces, one VLAN can be configured and a whole set of switch ports placed into it, and in general many things become easier once VLANs exist.



In previous articles we have already worked with many network devices, understood how they differ from each other and looked at what frames, packets and other PDUs consist of. With this knowledge you can already build a simple local network and work in it. But the world does not stand still: more and more devices appear that load the network or, worse, create a security threat. And, as a rule, the "danger" appears before the "protection". I will show this with a very simple example.

We will not touch on routers and different subnets for now. Let's say all nodes are on the same subnet.

Let me give you a list of IP addresses:

  1. PC1 – 192.168.1.2/24
  2. PC2 – 192.168.1.3/24
  3. PC3 – 192.168.1.4/24
  4. PC4 – 192.168.1.5/24
  5. PC5 – 192.168.1.6/24
  6. PC6 – 192.168.1.7/24
We have three departments: directorate, accounting and human resources. Each department has its own switch, and the switches are connected through the central one at the top. Now PC1 sends a ping to PC2.






If you want to see this as an animation, open the spoiler (it shows a ping from PC1 to PC5).

Network operation in one broadcast domain


Nice, isn't it? In earlier articles we discussed the ARP protocol more than once, but that was last year, so briefly: since PC1 does not know the MAC (link-layer) address of PC2, it sends an ARP request asking for it. The request reaches the switch, which floods it out of all other active ports, that is, to PC2 and to the central switch. From the central switch it goes on to the neighbouring switches, and so on until it has reached everyone. That is no small amount of traffic for a single ARP message: every host on the network received it. Large amounts of unnecessary traffic is the first problem. The second is security: you probably noticed that the message even reached the accounting department, whose computers had nothing to do with it. An attacker plugged into any of the switches has access to the whole network. In principle this is how networks used to work: the computers shared one link-layer segment and were separated only by routers. Over time it became necessary to solve the problem at the link layer. Cisco, as a pioneer, came up with its own protocol that tagged frames and identified which link-layer segment they belonged to; it was called ISL (Inter-Switch Link). Everyone liked the idea, and IEEE developed a similar open standard, named 802.1q. It gained enormous popularity and Cisco moved to it as well.
VLAN technology is built on the 802.1q protocol, so let's finally talk about it.

In an earlier article I showed what an Ethernet frame looks like; have a look at it to refresh your memory. This is what an untagged frame looks like.

Now let's take a look at the tagged one.

As you can see, the difference is a Tag field, and that is what interests us. Let's dig deeper: it consists of four parts.

1) TPID (Tag Protocol Identifier) - 2 bytes, always equal to 0x8100 for an 802.1Q tag.
2) PCP (Priority Code Point) - 3 bits, used to prioritize traffic. Seasoned administrators know how to use it properly when different kinds of traffic (voice, video, data, etc.) share a network.
3) CFI (Canonical Format Indicator) - a single bit; 0 means the MAC addresses are in canonical format. In current revisions of the standard this bit is called DEI (Drop Eligible Indicator).
4) VID (VLAN Identifier) - 12 bits, the VLAN the frame belongs to.
The last three fields together (16 bits) form the TCI, the Tag Control Information.

Note that frames are tagged between network devices (switches, routers, etc.), whereas frames between an end node (computer, laptop) and the network device normally travel untagged. A switch port can therefore be in one of two states: access or trunk.

  • Access port - a port that belongs to one specific VLAN and carries untagged frames. Typically this is the port facing a user device.
  • Trunk port - a port that carries tagged traffic. Typically this is the link between network devices.
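As an added example (this is not code from the original article), here is a small Python model of what the text describes: the 802.1Q tag is built and parsed field by field, and access and trunk ports classify incoming frames and decide whether and how to tag them on the way out, including the native VLAN, the one VLAN a trunk carries without a tag. MAC addresses, port names and VLAN numbers are constructed for the demo. The rule that an access port also accepts a frame tagged with its own VLAN is how Catalyst switches behave; everything else is a deliberate simplification of a real switch.

```python
import struct
from dataclasses import dataclass, field

TPID_8021Q = 0x8100        # Tag Protocol Identifier that marks an 802.1Q tag
ETHERTYPE_ARP = 0x0806


def mac(s: str) -> bytes:
    """'00:11:22:33:44:55' or '0011.2233.4455' -> 6 raw bytes."""
    return bytes.fromhex(s.replace(":", "").replace(".", ""))


def tag(vid: int, pcp: int = 0, dei: int = 0) -> bytes:
    """4-byte tag: TPID + TCI (PCP 3 bits, DEI/CFI 1 bit, VID 12 bits)."""
    if not 1 <= vid <= 4094:            # 0 and 4095 are reserved by the standard
        raise ValueError("VID must be 1..4094")
    return struct.pack("!HH", TPID_8021Q, (pcp << 13) | (dei << 12) | vid)


def build_frame(dst: str, src: str, ethertype: int, payload: bytes,
                vids: tuple = ()) -> bytes:
    """Untagged frame, or one tag per entry of vids (outermost first)."""
    return (mac(dst) + mac(src) + b"".join(tag(v) for v in vids)
            + struct.pack("!H", ethertype) + payload)


@dataclass
class Frame:
    dst: bytes
    src: bytes
    tags: list                 # [(pcp, dei, vid), ...] outermost first; [] if untagged
    ethertype: int
    payload: bytes

    @property
    def vid(self):
        return self.tags[0][2] if self.tags else None


def parse_frame(raw: bytes) -> Frame:
    """Parse an Ethernet frame with zero or more stacked 802.1Q tags."""
    off, tags = 12, []
    while struct.unpack_from("!H", raw, off)[0] == TPID_8021Q:
        tci = struct.unpack_from("!H", raw, off + 2)[0]
        tags.append((tci >> 13, (tci >> 12) & 1, tci & 0x0FFF))
        off += 4
    ethertype = struct.unpack_from("!H", raw, off)[0]
    return Frame(raw[:6], raw[6:12], tags, ethertype, raw[off + 2:])


def strip_tag(raw: bytes) -> bytes:
    """Remove the outermost tag (bytes 12..15)."""
    return raw[:12] + raw[16:]


def add_tag(raw: bytes, vid: int) -> bytes:
    """Insert a tag for vid right after the source MAC."""
    return raw[:12] + tag(vid) + raw[12:]


@dataclass
class Port:
    name: str
    mode: str                                   # "access" or "trunk"
    vlan: int = 1                               # PVID of an access port
    allowed: set = field(default_factory=lambda: set(range(1, 4095)))
    native: int = 1                             # VLAN a trunk carries untagged


def ingress(port: Port, raw: bytes):
    """Classify an arriving frame: (vid, frame without its outer tag), or None
    if the port drops it. An access port takes untagged frames (PVID) and, as
    Catalyst switches do, a frame tagged with its own VLAN; a trunk puts
    untagged frames into the native VLAN and checks the tag against allowed."""
    f = parse_frame(raw)
    if port.mode == "access":
        if not f.tags:
            return port.vlan, raw
        return (port.vlan, strip_tag(raw)) if f.vid == port.vlan else None
    if not f.tags:
        return (port.native, raw) if port.native in port.allowed else None
    return (f.vid, strip_tag(raw)) if f.vid in port.allowed else None


def egress(port: Port, vid: int, raw: bytes):
    """Bytes the port sends for a frame already classified into vid, or None
    if this port does not carry that VLAN. Access ports never tag; a trunk
    tags everything except the native VLAN."""
    if port.mode == "access":
        return raw if vid == port.vlan else None
    if vid not in port.allowed:
        return None
    return raw if vid == port.native else add_tag(raw, vid)
```

Running ingress on an access port in VLAN 2 and then egress on a trunk that allows only VLAN 2 reproduces the capture shown later in the article: the frame leaves tagged with VID 2, and egress on a port that does not carry VLAN 2 returns None, which is the "discard" step. Feeding a double-tagged frame through an access port in VLAN 1 and out a trunk whose native VLAN is also 1 shows why the native VLAN should be an unused one: the outer tag is stripped on the way out and the inner VID is what the far switch sees.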
Now I will show this in practice. I'm opening the same lab. I won’t repeat the picture, but will immediately open the switch and see what it has with VLAN.

I enter the command show vlan.


Several tables are displayed; only the first one matters to us. Here is how to read it.

Column 1 is the VLAN number. Number 1 is present from the start: this is the default VLAN that exists on every switch. It also performs another function, which I will describe below. There are also the reserved VLANs 1002-1005, intended for other link-layer media (FDDI and Token Ring) that are unlikely to be used today. They cannot be deleted either.

Switch(config)#no vlan 1005
Default VLAN 1005 may not be deleted.
When you try to delete one, Cisco reports that this VLAN cannot be deleted. So we leave these four VLANs alone.

Column 2 is the VLAN name. When creating VLANs you can give them meaningful names of your own choosing so that you can identify them later. Present already are default, fddi-default, token-ring-default, fddinet-default and trnet-default.

Column 3 is the status, that is, the state the VLAN is in. Right now VLAN 1 (default) is active, and the next four are act/unsup (active but unsupported).

Column 4 is the ports, showing which VLAN each port belongs to. Since we have not touched anything yet, they are all in default.

Let's start configuring the switches. It is good practice to give switches meaningful names, so that is what we will do. I enter the command:

Switch(config)#hostname CentrSW
CentrSW(config)#
The rest are configured in the same way, so I’ll show you the updated topology diagram.


Let's start setting up with switch SW1. First, let's create a VLAN on the switch.

SW1(config)#vlan 2 - create VLAN 2 (VLAN 1 exists by default, so we take the next number).
SW1(config-vlan)#name Dir-ya - enter the VLAN's configuration and give it a name.
The VLAN has been created. Now on to the ports. Interface FastEthernet0/1 faces PC1 and FastEthernet0/2 faces PC2. As said earlier, frames to them must travel untagged, so we put the ports into access mode.

SW1(config)#interface fastEthernet 0/1 - go to the configuration of the 1st port.
SW1(config-if)#switchport mode access - put the port into access mode.
SW1(config-if)#switchport access vlan 2 - assign VLAN 2 to the port.
SW1(config)#interface fastEthernet 0/2 - go to the configuration of the 2nd port.
SW1(config-if)#switchport mode access - put the port into access mode.
SW1(config-if)#switchport access vlan 2 - assign VLAN 2 to the port.
Since both ports go into the same VLAN, they could just as well be configured as a range:

SW1(config)#interface range fastEthernet 0/1-2 - select a range of ports and configure them together.
SW1(config-if-range)#switchport mode access
SW1(config-if-range)#switchport access vlan 2
The access ports are configured. Now let's configure a trunk between SW1 and CentrSW.

SW1(config)#interface fastEthernet 0/24 - go to the configuration of the 24th port.
SW1(config-if)#switchport mode trunk - put the port into trunk mode.
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/24, changed state to down
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/24, changed state to up
We immediately see the port go down and come back up in trunk mode. In principle this is enough for things to work, but from a security standpoint only the VLANs that are actually needed should be allowed across the trunk. Let's do that.

SW1(config-if)#switchport trunk allowed vlan 2 - allow only VLAN 2 across this trunk.
Without this command all VLANs present on the switch are carried. Let's see how the table has changed with the command show vlan.


A second VLAN named Dir-ya has appeared, with ports fa0/1 and fa0/2 belonging to it.

To display only the top table, use the command show vlan brief.


You can further shorten the output if you specify a specific VLAN ID.


Or his name.


All VLAN information is stored in flash memory in the vlan.dat file.


As you may have noticed, none of these commands shows anything about trunks. That is displayed by another command, show interfaces trunk.


Here we see the trunk ports and which VLANs they carry. There is also a Native vlan column. This is the one VLAN whose traffic crosses the trunk without a tag: a frame sent on the trunk in that VLAN goes untagged, and an untagged frame arriving on the trunk is automatically placed into the native VLAN (by default, and in our case, VLAN 1). Leaving it at VLAN 1 works, but it is widely recommended to change it for security reasons: the native VLAN must match on both ends of a trunk (a mismatch silently merges two VLANs), and because its frames travel untagged it is the VLAN that double-tagging VLAN hopping relies on, so it is best set to an otherwise unused VLAN that no access port belongs to. To change it, use the command switchport trunk native vlan X in the trunk port's configuration mode, where X is the number of the chosen VLAN. We will not change it in this topology, but it is useful to know how.

All that remains is to configure the remaining devices.

CentrSW:
The central switch is the connecting link, so it must know about all the VLANs. We therefore create them first and then put all its interfaces into trunk mode.

CentrSW(config)#vlan 2
CentrSW(config-vlan)#name Dir-ya
CentrSW(config)#vlan 3
CentrSW(config-vlan)#name buhgalter
CentrSW(config)#vlan 4
CentrSW(config-vlan)#name otdel-kadrov
CentrSW(config)#interface range fastEthernet 0/1-3
CentrSW(config-if-range)#switchport mode trunk
Don't forget to save the configuration with the command copy running-config startup-config.

SW2:

SW2(config)#vlan 3
SW2(config-vlan)#name buhgalter
SW2(config)#interface range fastEthernet 0/1-2
SW2(config-if-range)#switchport mode access
SW2(config-if-range)#switchport access vlan 3
SW2(config)#interface fastEthernet 0/24
SW2(config-if)#switchport mode trunk
SW2(config-if)#switchport trunk allowed vlan 3
SW3:

SW3(config)#vlan 4
SW3(config-vlan)#name otdel-kadrov
SW3(config)#interface range fastEthernet 0/1-2
SW3(config-if-range)#switchport mode access
SW3(config-if-range)#switchport access vlan 4
SW3(config)#interface fastEthernet 0/24
SW3(config-if)#switchport mode trunk
SW3(config-if)#switchport trunk allowed vlan 4
Note that we created and configured the VLANs but left the node addressing unchanged, so all the nodes are still nominally on one subnet and are separated only by VLANs. You should not do this in a real network: each VLAN should get its own subnet. I did it purely for teaching purposes. If each department already sat in its own subnet, they would be separated anyway, because a switch cannot route traffic between subnets (and that is a restriction at the network layer), whereas what we want to show here is separation at the link layer.
I ping PC1 to PC3 again.

ARP is in use, which is exactly what we need now. Let's open it.

Nothing new yet. ARP is encapsulated in ethernet.

The frame arrives at the switch and gets tagged. It is no longer plain Ethernet but 802.1Q: the fields described earlier have been added, the TPID, equal to 0x8100 and indicating 802.1Q, and the TCI, which combines the three fields PCP, CFI and VID. The number in the VID field is the VLAN number. Let's move on.


After tagging, the switch sends the frame to PC2 (which is in the same VLAN) and, via the trunk port, to the central switch.


Since we did not strictly define which VLANs may pass through which ports, the central switch sends the frame to both other switches. Those switches see the VLAN number, understand that they have no ports in that VLAN and simply discard the frame.


PC1 is waiting for a response, but it never comes. You can see it under the spoiler in the form of animation.

Animation


Now the next situation. Another person is hired into the directorate, but there is no room in the directorate's office, so the person is temporarily seated in the accounting department. Let's solve this problem.


We connected the computer to FastEthernet port 0/3 of the switch and assigned the IP address 192.168.1.8/24.
Now I'll configure switch SW2. Since the computer must be in VLAN 2, which this switch does not yet know about, I create it:

SW2(config)#vlan 2
SW2(config-vlan)#name Dir-ya
Next we configure port FastEthernet 0/3, which faces PC7.

SW2(config)#interface fastEthernet 0/3
SW2(config-if)#switchport mode access
SW2(config-if)#switchport access vlan 2
And finally the trunk port.

SW2(config)#interface fastEthernet 0/24
SW2(config-if)#switchport trunk allowed vlan add 2
Pay attention to this command, specifically the keyword add. Without it, you would overwrite the whole list of VLANs allowed on this port. So if a trunk is already up on the port and other VLANs are carried across it, this is how a new one must be added.
So that frames flow neatly, I'll also tighten the allowed lists on the central switch CentrSW.

CentrSW(config)#interface fastEthernet 0/1
CentrSW(config-if)#switchport trunk allowed vlan 2
CentrSW(config)#interface fastEthernet 0/2
CentrSW(config-if)#switchport trunk allowed vlan 2,3
CentrSW(config)#interface fastEthernet 0/3
CentrSW(config-if)#switchport trunk allowed vlan 4
Check time. I'm sending a ping from PC1 to PC7.



So far the path is the same as before. But from this point (the picture below) the central switch makes a different decision: it receives the frame, sees that it is tagged with VLAN 2 and sends it only where VLAN 2 is allowed, that is, out of port fa0/2.


Now it arrives at SW2. We open it and see that it is still tagged. But the next hop is a computer, so the tag must be removed. Click "Outbound PDU Details" to see how the frame leaves the switch.


And indeed, the switch sends the frame "clean", that is, without a tag.


ARP reaches PC7. We open it and confirm that PC7 recognizes itself in the untagged frame and sends a reply.


We open the frame on the switch and see that it will be sent tagged. Then the frame will travel the same way it came.



ARP reaches PC1, as the check mark on the envelope shows. Now it knows the MAC address and sends ICMP.


We open the packet on the switch and see the same picture: at the link layer the switch tags the frame. This happens with every message.




We see the packet successfully reach PC7. I will not show the way back, since it is the same path in reverse. If you are interested, the whole path is in the animation under the spoiler below, and if you want to dig into this topology yourself, I am attaching a link to the lab.

VLAN operation logic



This is, in principle, the most popular use of VLANs. Regardless of physical location, you can logically combine nodes into groups and thereby isolate them from everyone else. It is very convenient when employees physically work in different places but must form one group. And from a security standpoint VLANs are indispensable. The main thing is that access to the network devices themselves is limited to a narrow circle of people, but that is a separate topic.
We have achieved separation at the link layer: traffic no longer goes everywhere, but strictly where it is intended. But now the departments need to communicate with each other, and since they sit in different link-layer segments, routing comes into play. Before we start, let's tidy up the topology. The first thing to fix is node addressing. I repeat: each department must sit in its own subnet. In total we get:
  • Directorate - 192.168.1.0/24
  • Accounting - 192.168.2.0/24
  • HR department - 192.168.3.0/24


Once the subnets are defined, we immediately address the nodes.
  1. PC1:
    IP: 192.168.1.2
    Mask: 255.255.255.0 or /24
    Gateway: 192.168.1.1
  2. PC2:
    IP: 192.168.1.3
    Mask: 255.255.255.0 or /24
    Gateway: 192.168.1.1
  3. PC3:
    IP: 192.168.2.2
    Mask: 255.255.255.0 or /24
    Gateway: 192.168.2.1
  4. PC4:
    IP: 192.168.2.3
    Mask: 255.255.255.0 or /24
    Gateway: 192.168.2.1
  5. PC5:
    IP: 192.168.3.2
    Mask: 255.255.255.0 or /24
    Gateway: 192.168.3.1
  6. PC6:
    IP: 192.168.3.3
    Mask: 255.255.255.0 or /24
    Gateway: 192.168.3.1
  7. PC7:
    IP: 192.168.1.4
    Mask: 255.255.255.0 or /24
    Gateway: 192.168.1.1
Now about the change in the topology. A router has been added; it will carry traffic from one VLAN to another (in other words, route it). Initially there is no link between it and the switch, since the router's interfaces are disabled.
Nodes have now added a parameter such as a gateway address. They use this address when they need to send a message to a node located on a different subnet. Accordingly, each subnet has its own gateway.

All that remains is to configure the router, so I open its CLI. As usual, I start with a meaningful name.

Router(config)#hostname Gateway
Gateway(config)#
Next we move on to setting up interfaces.

Gateway(config)#interface fastEthernet 0/0 - go to the required interface.
Gateway(config-if)#no shutdown - enable it.
%LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
Now attention! We enabled the interface but did not assign it an IP address. The physical interface (fastethernet 0/0) is needed only for the link; the gateway role will be played by virtual interfaces, or subinterfaces. We currently have three VLANs, so there will be three subinterfaces. Let's configure them.

Gateway(config)#interface fastEthernet 0/0.2
Gateway(config-if)#encapsulation dot1Q 2
Gateway(config-if)#ip address 192.168.1.1 255.255.255.0
Gateway(config)#interface fastEthernet 0/0.3
Gateway(config-if)#encapsulation dot1Q 3
Gateway(config-if)#ip address 192.168.2.1 255.255.255.0
Gateway(config)#interface fastEthernet 0/0.4
Gateway(config-if)#encapsulation dot1Q 4
Gateway(config-if)#ip address 192.168.3.1 255.255.255.0
The router is configured. Now let's go to the central switch and configure a trunk port on it so that it passes tagged frames to the router.

CentrSW(config)#interface fastEthernet 0/24
CentrSW(config-if)#switchport mode trunk
CentrSW(config-if)#switchport trunk allowed vlan 2,3,4
The configuration is complete and let's move on to practice. I send a ping from PC1 to PC6 (that is, to 192.168.3.3).


PC1 has no idea who PC6 (192.168.3.3) is, but it can tell that they are on different subnets (how it determines this was covered in an earlier article). So it sends the message to its default gateway, whose address is specified in its settings. And although PC1 knows the gateway's IP address, it still lacks the MAC address, so it sends an ARP request.




Note that when the frame arrives at CentrSW, the switch does not flood it to everyone. It sends it only to the ports where VLAN 2 is allowed, that is, to the router and to SW2 (which has a user sitting in VLAN 2).


The router recognizes itself and sends a reply (shown by the arrow). Also note the bottom frame: when SW2 received the ARP from the central switch, it likewise did not send it to all computers, only to PC7, which sits in VLAN 2. PC7 discards it because it is not addressed to it. Let's look further.



ARP reached PC1. Now it knows everything and can send ICMP. Note once more that the destination MAC address (link layer) is the router's, while the destination IP address (network layer) is PC6's.




ICMP reaches the router. It looks in its ARP table and finds no entry for 192.168.3.3, so it discards the ICMP packet and sends an ARP request to find the host.





PC6 recognizes itself and sends a response.




The reply reaches the router, which adds an entry to its table. You can view the ARP table with the command show arp.
Let's move on. PC1, unhappy that nobody answered, sends the next ICMP request.








This time ICMP arrives without problems and returns by the same route. I'll only show the end result.


The first packet was lost (because of ARP resolution), but the second arrived without problems.
Who is interested in seeing it in animation, welcome to the spoiler.

InterVLAN Routing



So: we have achieved a setup in which nodes in the same subnet and the same VLAN reach each other directly through the switches, while a message for another subnet and VLAN goes through the Gateway router, which performs inter-VLAN routing. This topology is called "router on a stick". As you can see, it is very convenient: we created three virtual interfaces and sent differently tagged frames down a single cable. Without subinterfaces and VLANs, a separate physical interface would be needed for each subnet, which is far less economical.
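As an added example (not code from the original article), here is a Python model of the two decisions the walkthrough above traces in the capture: the host's "same subnet or default gateway?" test that decides whom to ARP for, and the router's job of taking a frame from one 802.1Q subinterface, finding the connected subnet of the destination and re-emitting the frame with that VLAN's tag and its own source MAC, dropping the first packet while ARP resolves just as in the capture. IP addresses follow the article's topology; the MAC addresses and the Packet structure are constructed for the demo.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Packet:
    """A frame as the switch delivers it: VLAN tag plus L2/L3 addresses."""
    vid: int
    dst_mac: str
    src_mac: str
    src_ip: str
    dst_ip: str
    kind: str = "icmp"             # "icmp" or "arp-request"


def next_hop(host_ip: str, prefix: int, gateway: str, dst_ip: str) -> str:
    """What a host ARPs for: the destination itself when it is on the host's
    own subnet, otherwise the default gateway (PC1 -> 192.168.1.1)."""
    net = ipaddress.ip_network(f"{host_ip}/{prefix}", strict=False)
    return dst_ip if ipaddress.ip_address(dst_ip) in net else gateway


@dataclass
class RouterOnAStick:
    mac: str
    subifs: Dict[int, str]                  # vid -> "ip/prefix" of the subinterface
    arp: Dict[str, str] = field(default_factory=dict)   # ip -> mac (what show arp lists)

    def _vlan_for(self, ip: str) -> Optional[int]:
        """Connected-route lookup: which subinterface's subnet holds ip?"""
        addr = ipaddress.ip_address(ip)
        for vid, cidr in self.subifs.items():
            if addr in ipaddress.ip_network(cidr, strict=False):
                return vid
        return None

    def forward(self, pkt: Packet) -> Tuple[Optional[Packet], List[Packet]]:
        """Return (forwarded packet or None, ARP requests sent). A packet whose
        next hop is not in the ARP table is dropped while ARP goes out; the
        sender's retry then gets through."""
        if pkt.dst_mac != self.mac or pkt.vid not in self.subifs:
            return None, []                 # not for us at L2, or unknown VLAN
        out_vid = self._vlan_for(pkt.dst_ip)
        if out_vid is None:
            return None, []                 # no route to the destination
        dst_mac = self.arp.get(pkt.dst_ip)
        if dst_mac is None:
            gw_ip = self.subifs[out_vid].split("/")[0]
            req = Packet(out_vid, "ff:ff:ff:ff:ff:ff", self.mac, gw_ip,
                         pkt.dst_ip, "arp-request")
            return None, [req]
        # re-tag for the destination VLAN; L3 addresses stay, L2 addresses change
        return Packet(out_vid, dst_mac, self.mac, pkt.src_ip, pkt.dst_ip, pkt.kind), []

    def learn(self, ip: str, mac: str) -> None:
        """An ARP reply arrived: fill the table."""
        self.arp[ip] = mac


def ping_pc1_to_pc6(router: RouterOnAStick) -> list:
    """Replay the article's experiment: two pings from PC1 (VLAN 2) to PC6
    (VLAN 4). Returns, per attempt, the VLAN the ICMP left the router on, or
    None if it was dropped."""
    results = []
    pc1 = Packet(2, router.mac, "00:aa:00:00:00:01", "192.168.1.2", "192.168.3.3")
    for _ in range(2):
        fwd, arps = router.forward(pc1)
        for req in arps:                    # PC6 answers the router's ARP request
            router.learn(req.dst_ip, "00:aa:00:00:00:06")
        results.append(fwd.vid if fwd else None)
    return results


if __name__ == "__main__":
    gw = RouterOnAStick("00:bb:00:00:00:01",
                        {2: "192.168.1.1/24", 3: "192.168.2.1/24", 4: "192.168.3.1/24"})
    print(next_hop("192.168.1.2", 24, "192.168.1.1", "192.168.3.3"))   # gateway
    print(ping_pc1_to_pc6(gw))                                         # [None, 4]
```

The first attempt returns None and the second returns 4, which is the "first packet lost, second arrives" result from the capture; the forwarded packet carries PC1's IP addresses unchanged but the router's MAC as source and PC6's MAC as destination, which is exactly the rewrite a Layer 3 hop performs.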

By the way, this topic is also covered very well in a video (it is about 3 hours long, so the link points to the exact moment). If after reading and watching you want to do everything with your own hands, I am attaching a download link.

We are done with VLANs and move on to one of the protocols that works alongside them.
DTP (Dynamic Trunking Protocol) is a Cisco proprietary protocol used to negotiate trunk mode between switches. Depending on the modes configured on each side, the two ports can also settle on access mode.

DTP has 4 modes: Dynamic auto, Dynamic desirable, Trunk, Access. Let's see how they fit together.

1st device \ 2nd device   Dynamic auto   Dynamic desirable   Trunk           Access
Dynamic auto              Access         Trunk               Trunk           Access
Dynamic desirable         Trunk          Trunk               Trunk           Access
Trunk                     Trunk          Trunk               Trunk           No connection
Access                    Access         Access              No connection   Access

The left column is the first device and the top row is the second. By default, switch ports are in dynamic auto mode, and according to the table two ports in dynamic auto settle on access. Let's check this. I create a new lab and add two switches.


I won't connect them yet. I need to make sure both switches are in "dynamic auto" mode. I'll check with the command show interfaces switchport.


The output of this command is very long, so I trimmed it and highlighted the lines of interest. Let's start with Administrative Mode. This line shows which of the 4 modes is configured on the port. Make sure that the ports on both switches are in "dynamic auto" mode. The Operational Mode line shows which mode the two sides actually agreed on. We have not connected them yet, so it is "down".

One piece of good advice right away: when studying any protocol, use filters. Hide all the protocols you don't need.

I switch CPT to simulation mode and filter out all protocols except DTP.



I think everything is clear here. I connect the switches with a cable and, once the links come up, one of the switches generates a DTP message.


I open it and see that it is DTP encapsulated in an Ethernet frame. It is sent to the multicast address 0100.0ccc.cccc, which is shared by the DTP, VTP and CDP protocols.
Let me draw your attention to 2 fields in the DTP header.

1) DTP Type: here the sender inserts its proposal, that is, the mode it wants to negotiate. In our case it proposes "access".
2) Neighbor MAC address: here it writes the MAC address of its own port.

It sends the frame and waits for the neighbor's reaction.


The message reaches SW1, which generates a response: it also proposes "access", inserts its own MAC address and sends it on its way to SW2.


The DTP frame arrives successfully. In theory, the two should now have agreed on "access" mode. I'll check.


As expected, they agreed on "access" mode.
Some people find this convenient and use it. But I strongly recommend not using this protocol on your network, and I am far from the only one who recommends this. The point is that DTP opens a big security hole. I will open the lab in which "router on a stick" was analyzed and add another switch to it.


Now I'll go into the settings of the new switch and hard-code the port to operate in trunk mode.

New_SW(config)#interface fastEthernet 0/1
New_SW(config-if)#switchport mode trunk
I connect them and watch them negotiate.


That's right: "dynamic auto" on one side and "trunk" on the other negotiate a trunk. Now we wait for someone to become active. Let's say PC1 decides to send a message to someone. It generates an ARP request and releases it onto the network.


Let's skip its path until it reaches SW2.


And here's the interesting part.


SW2 forwards it to the newly connected switch. Here is what happened. As soon as the trunk was negotiated, SW2 began sending that port every frame the trunk is allowed to carry, and by default a trunk carries every VLAN. The diagram shows the new switch discarding the frame, but that means nothing: instead of a switch you can connect any capturing device (a sniffer) to that port, or to the switch itself, and calmly watch what is happening on the network.

It seems it only intercepted a harmless ARP. But look deeper: the MAC address 0000.0C1C.05DD and the IP address 192.168.1.2 are now known, so PC1 gave itself away without doing anything. The attacker now knows such a computer exists and, from the tag, that it sits in VLAN 2. From here he can do many things; the most common is to set his own MAC and IP addresses to those of PC1, quickly negotiate access and impersonate PC1.

The most interesting part is that you may not notice this right away. Usually, when we set a port's operating mode, it shows up in the configuration immediately. I enter show running-config.


But the port's settings are empty. I enter show interfaces switchport and scroll to fa0/4.


And here we see that a trunk has been negotiated. show running-config does not always give the complete picture, so remember the other commands as well.

I think it is clear why you cannot trust this protocol. It seems to make life easier, but at the same time it can create a huge problem. So rely on manual configuration. When setting up, decide right away which ports will operate in trunk mode and which in access mode, and set that explicitly with switchport mode trunk or switchport mode access. And most importantly, always turn negotiation off with the switchport nonegotiate command, so that the switch does not try to agree on anything with anyone. Note that IOS accepts this command only on a port whose mode has been set statically and rejects it on a "dynamic" port. A port hard-coded as a trunk still sends DTP frames until nonegotiate is applied, so this step is needed on uplinks too.
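Here is an added example (not from the original article) of turning that advice into a check: a Python audit that reads the output of show interfaces switchport, the same command used above, and flags every port that is in a dynamic mode, every trunk that was negotiated rather than configured, and every statically configured port that still sends DTP because nonegotiate is missing. The sample output is constructed in the layout of that command, not captured from the lab; the interface names, values and the remediation() helper are assumptions of the example.

```python
from typing import Dict, List

# Constructed sample in the layout of "show interfaces switchport", trimmed to the lines
# the check uses. Interface names and values are made up for this example.
SAMPLE = """\
Name: Fa0/1
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Negotiation of Trunking: On
Trunking Native Mode VLAN: 1 (default)

Name: Fa0/2
Switchport: Enabled
Administrative Mode: static access
Operational Mode: static access
Negotiation of Trunking: Off
Access Mode VLAN: 2 (VLAN0002)

Name: Fa0/4
Switchport: Enabled
Administrative Mode: dynamic auto
Operational Mode: trunk
Negotiation of Trunking: On
Trunking Native Mode VLAN: 1 (default)

Name: Fa0/5
Switchport: Enabled
Administrative Mode: dynamic desirable
Operational Mode: down
Negotiation of Trunking: On
Trunking Native Mode VLAN: 1 (default)
"""


def parse_switchport(text: str) -> Dict[str, Dict[str, str]]:
    """Split the command output into one {field: value} dict per interface."""
    ports: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        if key == "Name":
            current = ports.setdefault(value, {})
        elif current is not None:
            current[key] = value
    return ports


def audit_dtp(ports: Dict[str, Dict[str, str]]) -> List[dict]:
    """One finding per port whose trunk/access state is negotiated instead of configured."""
    findings = []
    for name, p in ports.items():
        admin = p.get("Administrative Mode", "")
        oper = p.get("Operational Mode", "")
        negotiating = p.get("Negotiation of Trunking", "") == "On"
        if admin.startswith("dynamic") and oper == "trunk":
            issue = "negotiated trunk"   # the fa0/4 situation: a trunk running-config never mentions
        elif admin.startswith("dynamic"):
            issue = "dynamic mode"       # will become whatever a neighbour asks for
        elif negotiating:
            issue = "DTP still sent"     # mode is pinned, but DTP frames still go out
        else:
            continue
        findings.append({"port": name, "admin": admin, "oper": oper, "issue": issue})
    return findings


def remediation(finding: dict, is_uplink: bool = False) -> List[str]:
    """IOS lines that pin the port. nonegotiate comes last: IOS accepts it only after a static mode."""
    mode = "trunk" if is_uplink else "access"
    return [f"interface {finding['port']}", f"switchport mode {mode}", "switchport nonegotiate"]


if __name__ == "__main__":
    for f in audit_dtp(parse_switchport(SAMPLE)):
        print(f"{f['port']}: {f['issue']} (admin={f['admin']}, oper={f['oper']})")
        print("  " + " ; ".join(remediation(f)))
```

Run it against saved output from each switch. A "negotiated trunk" finding on a user-facing port is exactly what the screenshots for fa0/4 show, and it is invisible in show running-config. remediation() pins the port as access unless you tell it the port is a genuine uplink.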

Let's move on to the next protocol.

VTP (VLAN Trunking Protocol) is a Cisco proprietary protocol used to distribute VLAN information between switches.

Imagine you have 40 switches and 70 VLANs. Without help, you would have to create every VLAN on every switch by hand and allow it on each trunk port. That is a tedious, long process, so VTP can take the job over: you create a VLAN on one switch and all the others synchronize with its database. Take a look at the following topology.


There are 4 switches here. One of them is a VTP server and the other 3 are clients. VLANs created on the server are synchronized to the clients automatically. I'll explain how VTP works and what it can do.

So. VTP can create, modify and delete VLANs. Each such action increases the configuration revision number by one. The switch then sends out advertisements carrying the revision number. Switches that receive an advertisement compare its revision number with their own; if the received number is higher they synchronize their database with it, otherwise the advertisement is ignored.

But that is not all. VTP has modes (roles). By default, every switch operates as a server. Here they are.

  1. VTP Server. It can do everything: create, change and delete VLANs. If it receives an advertisement whose revision is higher than its own, it synchronizes. It constantly sends out advertisements and relays the ones it receives from neighbors.
  2. VTP Client. This role is restricted: it cannot create, change or delete VLANs. It receives all VLANs from the server and synchronizes with it. It also periodically informs its neighbors about its own VLAN database.
  3. VTP Transparent. An independent role. It can create, change and delete VLANs, but only in its own database. It imposes nothing on anyone and accepts nothing from anyone. If it receives an advertisement, it passes it on but does not synchronize its database with it. Whereas in the previous roles the revision number grows with every change, in this mode it is always 0.
That is all for VTP version 2. VTP version 3 added one more mode, VTP Off, which does not send or forward any advertisements at all; otherwise it behaves like Transparent.

Enough theory, let's move on to practice. Let's check that the central switch is in server mode. Enter the command show vtp status.


We see VTP Operating Mode: Server. You can also see that the VTP version is 2; unfortunately, CPT does not support version 3. The configuration revision is zero.
Now let's configure the lower switches.

SW1(config)#vtp mode client
Setting device to VTP CLIENT mode.
We see the message that the device has entered client mode. The rest are configured the same way.

For devices to exchange advertisements they must be in the same domain, and there is a peculiarity here. If a device in server or client mode is not yet a member of any domain (the domain is NULL), it joins the domain named in the first advertisement it receives. If a client already belongs to a domain, it will not accept advertisements from other domains. Let's open SW1 and make sure it is not a member of any domain.


The domain name is empty.

Now we go to the central switch and transfer it to the domain.

CentrSW(config)#vtp domain cisadmin.ru
Changing VTP domain name from NULL to cisadmin.ru
We see the message that it has been moved to the cisadmin.ru domain.
Let's check the status.


And indeed, the domain name has changed. Note that the revision number is still zero; it will change as soon as we create a VLAN. But before creating it, switch CPT to simulation mode to see how the advertisements are generated. We create VLAN 20 and see the following picture.


Once the VLAN is created and the revision number has increased, the server generates advertisements. There are two of them. First let's open the one on the left. It is called a Summary Advertisement; the switch generates it on every change and also every 5 minutes, and it carries the domain name and the current revision. Let's see what it looks like.


In the Ethernet frame, pay attention to the destination MAC address. It is the same one we saw when DTP was generated, so only switches running VTP will process it. Now let's look at the next field.


Here is all the information. I'll go through the most important fields.
  • Management Domain Name: the name of the domain (here cisadmin.ru).
  • Updater Identity: identifies the switch that made the last update, usually by its IP address. No address was assigned to the switch, so the field is empty.
  • Update Timestamp: time of the last update. The clock on the switch was never set, so it shows the factory time.
  • MD5 Digest: an MD5 hash computed over the domain name, revision, VLAN information and the VTP password (if one is set), so receivers can check that the advertisement is consistent and, with a password, that it comes from a switch that knows it. We did not set a password, so the hash is the default.
Now let's look at the other message (the one on the right). It is called a Subset Advertisement and carries detailed information about each VLAN being transmitted.
I think this is clear: there is a separate block for each VLAN. The list is so long that it does not fit on the screen, but the blocks are identical except for the names. I won't go into what each code means; in CPT they are more of a placeholder anyway.
Let's see what happens next.


The clients receive the advertisements, see that the revision number is higher than theirs, and synchronize their databases. They then report to the server that their VLAN database has changed.


How the VTP protocol works



This is basically how VTP works. But it has a very big drawback, and it is a security drawback. I will explain using the same lab. We have a central switch on which VLANs are created, and it then synchronizes them to all the other switches via multicast; in our case it is telling them about VLAN 20. I suggest taking another look at its configuration.

Now note what happens when an advertisement whose revision number is higher than the server's own reaches the server. It decides that the network has changed and that it must adapt to it. Let's check the configuration.


The configuration of the central server has changed, and from now on it will broadcast exactly this.
Now imagine that there is not one VLAN but hundreds. This is a simple way to take down a network. Of course, the domain can be password protected, which makes it harder for an attacker to do damage. But imagine a situation where a switch breaks and you urgently need to replace it. You or a colleague run to the warehouse, grab an old switch and forget to check its revision number. It turns out to be higher than everyone else's. You have already seen what happens next. Before connecting a re-used switch, reset its revision to zero by putting it into transparent mode or changing its VTP domain name, and verify with show vtp status. In general, I recommend not using this protocol, especially in large corporate networks. If you are using VTP version 3, switch the switches to "Off" mode; if you are using version 2, switch them to "Transparent" mode.
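As an added example that is not part of the original article, the following Python model replays the rules described above: revision comparison, the NULL-domain join, the behaviour of the server, client, transparent and off modes, and then the "spare switch from the warehouse" scenario. The topology and switch names follow the lab; the revision 15 and VLAN 99 on the spare switch are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Advertisement:
    domain: str
    revision: int
    vlans: frozenset


@dataclass
class Switch:
    name: str
    mode: str = "server"              # IOS default mode
    domain: Optional[str] = None      # NULL domain until configured or learned
    revision: int = 0
    vlans: Set[int] = field(default_factory=lambda: {1})

    def create_vlan(self, vid: int) -> None:
        if self.mode == "client":
            raise PermissionError(f"{self.name}: a VTP client cannot create VLANs")
        self.vlans.add(vid)
        if self.mode == "server":
            self.revision += 1        # transparent/off never advance the revision (stays 0)

    def set_mode(self, mode: str) -> None:
        self.mode = mode
        if mode in ("transparent", "off"):
            self.revision = 0         # the reset that makes re-using an old switch safe

    def advertise(self) -> Optional[Advertisement]:
        # Servers and clients originate summary advertisements; transparent/off do not.
        if self.mode in ("transparent", "off") or self.domain is None:
            return None
        return Advertisement(self.domain, self.revision, frozenset(self.vlans))

    def receive(self, adv: Advertisement) -> str:
        if self.mode == "off":
            return "dropped"
        if self.mode == "transparent":
            return "forwarded"        # relayed to neighbours, own database untouched
        if self.domain is None:
            self.domain = adv.domain  # a NULL-domain switch joins the first domain it hears
        if adv.domain != self.domain or adv.revision <= self.revision:
            return "ignored"
        self.vlans = set(adv.vlans)   # higher revision wins, no matter who sent it
        self.revision = adv.revision
        return "synced"


def flood(origin: Switch, net: List[Switch]) -> Dict[str, str]:
    """Deliver one advertisement to every other switch (the lab's trunks form a star)."""
    adv = origin.advertise()
    if adv is None:
        return {}
    return {sw.name: sw.receive(adv) for sw in net if sw is not origin}


def scenario(reset_before_connect: bool = False) -> Dict[str, Dict[str, List[int]]]:
    """Replays the lab, then plugs in a spare switch carrying a stale database with a higher revision."""
    centr = Switch("CentrSW", "server", "cisadmin.ru")
    net = [centr] + [Switch(f"SW{i}", "client") for i in (1, 2, 3)]
    centr.create_vlan(20)             # revision 0 -> 1
    flood(centr, net)
    after_sync = {s.name: sorted(s.vlans) for s in net}

    # Constructed "spare from the warehouse": same domain, revision 15, no VLAN 20 (assumed values).
    old = Switch("OldSW", "client", "cisadmin.ru", revision=15, vlans={1, 99})
    if reset_before_connect:
        old.set_mode("transparent")   # revision -> 0 ...
        old.set_mode("client")        # ... and back to client, still 0
    net.append(old)
    flood(old, net)                   # the stale database is offered to everyone
    flood(centr, net)                 # the server re-advertises whatever it now holds
    return {"after_sync": after_sync, "after_old": {s.name: sorted(s.vlans) for s in net}}


if __name__ == "__main__":
    for safe in (False, True):
        print("reset first:" if safe else "no reset:   ", scenario(safe)["after_old"])
```

scenario() shows VLAN 20 disappearing from the whole domain the moment a client with revision 15 is connected; scenario(reset_before_connect=True) shows the same switch doing no harm once a pass through transparent mode has reset its revision to 0. As in real VTP version 2, a client is enough to overwrite a server: the only thing that decides is the revision number.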


    Since communication is carried out only within a specific VLAN, computers from different virtual networks cannot receive traffic generated in other VLANs. Using protocol analyzers and network monitoring tools to collect traffic from a VLAN other than the one the user belongs to becomes significantly harder. That is why, in a VLAN environment, information transmitted over the network is much better protected from unauthorized access, provided that trunk negotiation and the VLAN management protocols on the switches are locked down.

    Another benefit of using VLANs is that it simplifies network administration. This is especially true for tasks such as adding new elements to the network, moving them, and deleting them. For example, when a VLAN user moves to another room, even if it is on a different floor or in a different building of the enterprise, the network administrator does not need to reconnect the cables. He only needs to configure the network equipment accordingly from his workplace. Additionally, some VLAN implementations can control the movement of VLAN members automatically without requiring administrator intervention. The network administrator can also carry out operations to create new logical user groups and add new members to groups over the network, without leaving his workplace. All this significantly saves the administrator’s working time, which can be used to solve other equally important tasks.

    VLAN organization methods

    Leading manufacturers of department and workgroup switches use in their devices, as a rule, one of three methods of organizing VLANs: based on ports, MAC addresses or third-layer protocols. Each of these methods corresponds to one of the three lower layers of the OSI open systems interconnection model: physical, link and network, respectively. There is a fourth way to organize a VLAN - based on rules. It is currently rarely used, although it provides greater flexibility in VLAN organization, and may be widely used in devices in the near future. Let's briefly look at each of the above methods of organizing VLANs, their advantages and disadvantages.

    Port-based VLAN. As the name of the method suggests, VLANs are organized by logically combining selected physical switch ports. For example, a network administrator can specify that switch ports numbered 1, 2, 5 form VLAN1, and ports numbered 3, 4, 6 form VLAN2, etc. Several computers can be connected to one switch port (for example, through hub). All of them will belong to the same VLAN - the one to which the switch port serving them is assigned. This strict binding of VLAN membership is a disadvantage of the port-based way of organizing virtual networks.

    VLAN based on MAC addresses. This method allows you to build a VLAN based on the unique hexadecimal link-level address that each server or workstation network adapter on the network has. This is a more flexible way of organizing VLANs compared to the previous one, since devices belonging to different VLANs can be connected to one switch port. In addition, the movement of computers from one switch port to another is tracked by the switch automatically and allows you to maintain the belonging of the moved computer to a specific VLAN without the intervention of a network administrator. It works quite simply: the switch maintains a table of correspondence between the MAC addresses of computers and virtual networks. As soon as the computer switches to another switch port, comparing the source MAC address field in the header of the first frame transmitted after the computer has moved with the data in its table, the switch correctly concludes that the moved computer belongs to the VLAN. The disadvantage of this method of organizing VLANs is the initial complexity of configuring VLANs, which is fraught with errors. Although the table of MAC addresses is built automatically by switches, the network administrator needs to look through it all and determine that a given hexadecimal MAC address corresponds to such and such a workstation, and then assign it to the corresponding virtual network. True, subsequent reconfiguration of VLANs based on MAC addresses will require significantly less effort than in the case of VLANs based on ports.

    VLAN based on layer 3 protocols. This method is rarely used in department and workgroup switches. It is typical for backbone routing switches that have built-in routing tools for the main LAN protocols - IP, IPX and AppleTalk. In this method, a group of switch ports belonging to a specific VLAN are associated with a specific IP subnet or IPX network. Flexibility here is provided by the fact that user movements to another port belonging to the same VLAN are monitored by the switch and do not require reconfiguration. The advantage of this method is also the simplicity of VLAN configuration, which can be done automatically, since the switch analyzes the network addresses of computers associated with each VLAN. In addition, as already mentioned, devices that support the method of organizing VLANs based on layer 3 protocols have built-in routing tools, which provides the ability to interact between different VLANs without the use of additional tools. This method has, perhaps, only one drawback - the high price of the switches in which it is implemented.

    VLAN based on rules. It is assumed that the switch has the ability to analyze in detail predefined fields and even individual bits of packets passing through it as mechanisms for constructing VLANs. This method provides virtually unlimited possibilities for creating virtual networks based on multiple criteria. For example, even by the principle of including in the VLAN all users whose computers have network adapters from the specified manufacturer installed. Despite its enormous flexibility, the process of rules-based VLAN configuration is very labor-intensive. In addition, the presence of complex rules can negatively affect the throughput of the switch, since a significant part of its processing power will be spent on packet analysis.

    Devices can also be moved into VLANs automatically, based on user or device authentication data, when IEEE 802.1X is used.

    building distributed VLANs

    Modern LANs often contain more than one switch. Computers belonging to the same VLAN can be connected to different switches. Therefore, in order to properly route traffic, there must be a mechanism for switches to exchange information about the VLAN membership of devices connected to them. Previously, each manufacturer implemented proprietary mechanisms for exchanging such information in its devices. For example, 3Com called this technology VLT (Virtual LAN Trunk), Cisco Systems called it ISL (Inter-Switch Link). Therefore, to build distributed VLANs, it was necessary to use devices from one manufacturer. The situation radically improved when the standard for building tagged VLANs was adopted - IEEE 802.1Q, which now dominates the VLAN world. Among other things, it also regulates the mechanism for exchanging VLAN information between switches. This mechanism allows you to supplement frames transmitted between switches with fields indicating membership in a particular VLAN. Today, all leading manufacturers of LAN switches support the 802.1Q standard in their devices. Consequently, today it is already possible to build virtual networks using switches from different manufacturers. Although, as you will see later, even when working in accordance with 802.1Q, switches from different manufacturers provide far from the same capabilities for organizing VLANs.

    organization of interaction between VLANs

    Computers located in different VLANs cannot directly communicate with each other. To organize such interaction, you must use a router. Previously, regular routers were used for this. Moreover, it was required that the router have as many physical network interfaces as there are VLANs. In addition, the switches had to allocate one port from each VLAN to connect the router. Considering the high cost of router ports, the cost of such a solution was very high. In addition, a conventional router introduced significant delay in data transfer between VLANs. Today, to transfer data between VLANs, routing switches are used, which have a low price per port and carry out hardware routing of traffic at the speed of the communication channel. Routing switches also comply with the IEEE 802.1Q standard, and to organize communication between distributed VLANs, they need to use only one port to connect each of the workgroup switches that connect devices corresponding to different VLANs to the network. In other words, information can be exchanged between devices from different VLANs through one port of a modern routing switch.

    use of shared network resources by computers of different VLANs

    Very interesting is the possibility of organizing access to shared network resources (network servers, printers, etc.) for computers belonging to different VLANs. The advantages of this possibility are obvious. Firstly, there is no need to purchase a router or routing switch unless you need to organize direct data exchange between computers from different VLANs. Interaction between computers of different VLANs can be ensured through a network server, to which all or several VLANs have access. Secondly, while maintaining all the advantages of using VLANs, you do not have to purchase servers for each VLAN separately, but use common ones.

    The easiest way to give access to one server to users from different VLANs is to install several network adapters in the server and connect each of these adapters to switch ports belonging to different VLANs. However, this approach has a limitation on the number of VLANs (many network adapters cannot be installed in the server), imposes strict requirements on the server components (network adapter drivers require an increase in the amount of RAM, creates a large load on the CPU and the server I/O bus, etc.) and does not help save money (using multiple network adapters and additional switch ports).

    With the advent of the IEEE 802.1Q standard, it became possible to transmit information related to all or several VLANs through one switch port. As mentioned above, to do this, the switch (or other device that supports 802.1Q) adds a field to the frame transmitted over the network that uniquely determines whether the frame belongs to a specific VLAN. A server common to all VLANs can be connected to such a port with just one communication line. The only condition for this is that the server’s network adapter must support the 802.1Q standard so that the server can know from which VLAN the request came and, accordingly, where to send the response. This is how the server is divided between VLANs in managed department and workgroup switches from 3Com, Hewlett-Packard and Cisco Systems.

    conclusion

    As you can see, VLANs are a powerful network organization tool that can solve problems of administration, data transmission security, access control to information resources, and significantly increase the efficiency of using network bandwidth.

    Oleg Podukov, head of the technical department of COMPLETE Company

    Today I will start a small series of articles about VLANs. Let's start with what it is, what it is for, how to configure it, and then we will go deeper and gradually study, if not all, then most of all the possibilities that VLANs provide us.

    So, remember, we talked about such a concept as? I think you remember. We also talked about the fact that there are several types of addresses: .

    Based on this, let's introduce one more concept: the broadcast domain. What is it, really?

    If a broadcast frame/packet is sent (for a frame this means all bits of the Destination Address field are ones, i.e. in hexadecimal the MAC address is FF:FF:FF:FF:FF:FF), the frame is forwarded to all ports of the switch except the one on which it was received. This happens if, for example, our switch is unmanaged, or if it is managed but all ports are in the same VLAN (more on that later).
    The set of devices that receives such broadcast frames is called the broadcast domain.

    Now let's decide, what is a VLAN?

    VLAN - Virtual Local Area Network, i.e. some kind of virtual network. What is it for?

    VLAN allows us to separate broadcast domains in one switch. Those. if we have one switch, we will assign some ports to one VLAN, and others to another. And we will have two different broadcast domains. Of course, the possibilities don't stop there. I will talk about them further, gradually.

    In short, VLAN allows the administrator to create a network more flexibly, dividing it into certain subnets (for example, a network of accountants, a network of managers, and so on), in other words, VLAN helps unite devices with some common set of requirements into a single group, and separate it from other similar isolated groups.

    Let me make a reservation right away that VLANs operate at the OSI Layer 2 level.
    Let us remember that when we looked at the frame, there was no field for VLAN there. How then can you determine which VLAN a particular frame belongs to?

    There are several standards.

    1. IEEE 802.1Q. This standard is open. It marks a frame that is "tied" to a particular VLAN by tagging.
    Tagging is a function of the switch (or any other device that "understands" VLANs) that inserts a 4-byte tag into the Ethernet frame between the source address and the EtherType/Length field. The destination and source addresses are not touched, so equipment that does not support VLANs can usually pass such a frame further along the network with the tag preserved (it sees only an unknown EtherType and a frame 4 bytes longer than usual).

    This is what the frame will look like after inserting the VLAN tag.

    Based on their figure, we see that the VLAN tag consists of 4 fields, we will describe them:

    - 2 bytes Tag Protocol Identifier (TPID): the protocol identifier; for 802.1Q it is 0x8100 in hexadecimal.

    — Priority — field for setting priority according to the 802.1p standard (about it in the following articles). The size of this field is 3 bits (8 values ​​0-7).

    — Canonical Format Indicator (CFI), 1 bit. In the original standard it indicates the MAC address format: 0 is canonical (Ethernet), 1 is non-canonical (Token Ring). On Ethernet it is always 0; newer revisions of 802.1Q reuse this bit as the Drop Eligible Indicator (DEI).

    — VLAN ID, the thing we have actually gathered here for today :) The field is 12 bits, so values run from 0 to 4095, but 0 means "no VLAN, priority tag only" and 4095 is reserved, so usable IDs are 1 to 4094.

    When using VLAN (tagging) according to the 802.1Q standard, changes are made to the frame, therefore it is necessary to recalculate the FCS value, which is actually done by the switch.

    The 802.1Q standard has such a thing as Native VLAN, by default the Native VLAN ID is equal to one (can be changed), Native VLAN is characterized by the fact that this VLAN is not tagged.

    2. Inter-switch-link (ISL). A protocol developed by Cisco and can only be used on its equipment.
    This protocol was developed before the adoption of 802.1Q.
    Currently, ISL is no longer supported on newer hardware, but you may still encounter this protocol in action, so we need to familiarize ourselves with it.

    Unlike 802.1Q, where the frame is simply tagged (4 bytes inserted inside the frame), encapsulation is used here: a header containing the VLAN information is added in front of the entire original frame. ISL supports only up to 1000 VLANs (802.1Q: 4094).

    Let's look at the frame in graphical form to see what this encapsulation looks like.

    Here we can immediately see the first and perhaps the most basic drawback of ISL - it increases the frame by 30 bytes (26 bytes header and 4 bytes FCS).

    Let's look at the ISL Header in more detail, let's see what is stored there in so many bytes!

    • Destination Address (DA): a 40-bit field with a special multicast address indicating that the frame is encapsulated with ISL. It is 0x01-00-0C-00-00 or 0x03-00-0C-00-00.
    • Type - field length 4 bits, indicates the protocol that is encapsulated in the frame. Can take several values:

    0000 - Ethernet
    0001 - Token-Ring
    0010 - FDDI
    0011 - ATM

    In our case, since we are considering Ethernet, this value will be equal to all 0.

    • USER: a stripped-down analogue of the Priority field in 802.1Q, used to set the frame priority. Although the field occupies 4 bits, only the two low bits are used, so it can take 4 values (802.1Q: 8).
    • Source Address (SA) - source address; the value of the MAC address of the port from which this encapsulated frame was sent is substituted in this place.
    • LEN: a 16-bit length field giving the length of the whole ISL packet in bytes, excluding the DA, TYPE, USER, SA, LEN and FCS fields. Those excluded fields total 18 bytes, so LEN equals the total length minus 18.
    • AAAA03 (SNAP) - SNAP and LLC (this field contains the value AAAA03).
    • HSA - High Bits of Source Address - 3 high bytes of the MAC address (remember that these bytes contain the manufacturer code), for Cisco it is 00-00-0C
    • VLAN: finally, the main field. This is where the VLAN identifier is carried. The field is 15 bits.
    • BPDU: a 1-bit flag set when the encapsulated frame is a Bridge Protocol Data Unit (BPDU) or a Cisco Discovery Protocol (CDP) frame. We will get to know what they are and why in the following articles.
    • INDX - Index, indicates the index of the sender's port, used for diagnostic purposes.
    • RES: reserved for Token Ring and FDDI. The field is 16 bits; for Ethernet it is all zeros.
    • Encapsulated Frame is a regular frame that has been encapsulated. This frame has its own fields, such as DA, SA, LEN, FCS and so on.
    • FCS is FCS's own ISL (since the frame is completely changed, a new frame check is needed, the last 4 bytes are intended for this).
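To make the two frame layouts above concrete (the 802.1Q tag fields TPID, Priority, CFI and VLAN ID, and the ISL header fields DA, TYPE/USER, SA, LEN, SNAP, HSA, VLAN/BPDU, INDX, RES and FCS), here is an added Python example that is not part of the original article: it inserts and parses 802.1Q tags, recomputes the FCS to show that tagging changes it, and builds and parses an ISL-encapsulated frame. The sample frame is constructed (a broadcast ARP frame from the MAC used for PC1 earlier on this page, without FCS), the ISL source MAC is an assumed value, and the handling of stacked tags with the 802.1ad TPID 0x88a8 goes beyond what the article describes.

```python
import struct
import zlib

TPID_8021Q = 0x8100     # the TPID the article describes
TPID_8021AD = 0x88A8    # 802.1ad outer ("QinQ") tag; handled so a stacked second tag is not missed
ISL_DA = (bytes.fromhex("01000c0000"), bytes.fromhex("03000c0000"))   # the two 40-bit ISL DAs

# Constructed sample: broadcast ARP frame from the PC1 MAC used earlier, padded, no FCS
# (operating systems hand frames to capture tools with the FCS already stripped).
UNTAGGED = bytes.fromhex("ffffffffffff 00000c1c05dd 0806") + bytes(46)


def fcs(data: bytes) -> bytes:
    """Ethernet FCS: IEEE CRC-32 (the polynomial zlib uses), sent least-significant byte first."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def add_tag(frame: bytes, vid: int, pcp: int = 0, cfi: int = 0, tpid: int = TPID_8021Q) -> bytes:
    """Insert a 4-byte tag after the source address; the FCS must be recomputed afterwards."""
    if not 0 <= vid <= 4095:
        raise ValueError("VID is a 12-bit field")
    tci = (pcp & 0x7) << 13 | (cfi & 0x1) << 12 | vid
    return frame[:12] + struct.pack("!HH", tpid, tci) + frame[12:]


def parse_dot1q(frame: bytes) -> dict:
    """Return dst, src, every VLAN tag outer-first, the real EtherType and the payload."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    tags, off = [], 12
    while True:
        if off + 2 > len(frame):
            raise ValueError("truncated frame")
        (tpid,) = struct.unpack_from("!H", frame, off)
        if tpid not in (TPID_8021Q, TPID_8021AD):
            break                                     # not a tag: this is the EtherType
        if off + 4 > len(frame):
            raise ValueError("truncated tag")
        (tci,) = struct.unpack_from("!H", frame, off + 2)
        tags.append({"tpid": tpid, "pcp": tci >> 13, "cfi": (tci >> 12) & 1, "vid": tci & 0x0FFF})
        off += 4
    return {"dst": frame[:6].hex(":"), "src": frame[6:12].hex(":"),
            "tags": tags,                             # [] means untagged, i.e. native VLAN on a trunk
            "ethertype": tpid, "payload": frame[off + 2:]}


def build_isl(inner: bytes, vlan: int, bpdu: int = 0, index: int = 0) -> bytes:
    """Encapsulate as the article describes: 26-byte ISL header + whole frame + 4-byte ISL CRC."""
    total = 26 + len(inner) + 4
    header = (ISL_DA[0]
              + bytes([0x00])                         # TYPE=0000 (Ethernet), USER=0000
              + bytes.fromhex("00000cabcdef")         # SA: MAC of the sending port (assumed value)
              + struct.pack("!H", total - 18)         # LEN excludes DA, TYPE/USER, SA, LEN, CRC (18 bytes)
              + b"\xaa\xaa\x03"                       # SNAP/LLC
              + bytes.fromhex("00000c")               # HSA: Cisco OUI
              + struct.pack("!HHH", (vlan << 1) | bpdu, index, 0))   # VLAN(15)+BPDU(1), INDX, RES
    return header + inner + fcs(header + inner)


def parse_isl(packet: bytes) -> dict:
    """Decode the ISL header and validate the LEN and CRC rules before trusting the inner frame."""
    if len(packet) < 30 or packet[:5] not in ISL_DA:
        raise ValueError("not an ISL packet")
    (length,) = struct.unpack_from("!H", packet, 12)
    vlan_bpdu, index, res = struct.unpack_from("!HHH", packet, 20)
    return {"type": packet[5] >> 4, "user": packet[5] & 0xF, "sa": packet[6:12].hex(":"),
            "len": length, "len_ok": length == len(packet) - 18,
            "snap_ok": packet[14:17] == b"\xaa\xaa\x03", "hsa": packet[17:20].hex(":"),
            "vlan": vlan_bpdu >> 1, "bpdu": vlan_bpdu & 1, "index": index, "reserved": res,
            "crc_ok": packet[-4:] == fcs(packet[:-4]),
            "inner": parse_dot1q(packet[26:-4])}


if __name__ == "__main__":
    tagged = add_tag(UNTAGGED, 20, pcp=5)
    print("802.1Q:", parse_dot1q(tagged)["tags"], "FCS changed:", fcs(tagged) != fcs(UNTAGGED))
    print("ISL:   ", {k: v for k, v in parse_isl(build_isl(UNTAGGED, 20)).items() if k != "inner"})
```

parse_dot1q() returns an empty tag list for an untagged frame, which on a trunk means the native VLAN, and lists stacked tags outer-first so that a second tag hidden behind the first is not overlooked. parse_isl() reports whether the LEN and CRC rules hold, so a malformed header is flagged rather than silently accepted.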

    We can draw some conclusions in favor of 802.1Q.

    1. Tagging adds only 4 bytes to the frame, as opposed to ISL (30 bytes).
    2. 802.1Q is supported on any equipment that supports VLAN, while ISL only works on Cisco devices, and not all of them.

    In this article, we briefly introduced the concept of VLAN. Next we will look into the details.