VLAN & VTP

VLANs are used to break the limits of a "normal" network.

VLANs are virtual subnets, or broadcast domains.


Normally you have a router in the middle, and switches connected to the router interfaces.
Each of these switches is ONE broadcast domain, or subnet.
With VLANs you can assign each switchport to a different broadcast domain (subnet).
So you put ports into a broadcast domain for logical reasons, not because of the physical cabling.
People in different buildings can be in ONE broadcast domain or subnet,
regardless of the physical layout of the network.
To send packets from one VLAN to another, there MUST be routing between them.

On Cisco routers you do this by creating subinterfaces and binding a different VLAN to each subinterface ("router on a stick").
Another way is to give the VLANs themselves IP addresses (switched virtual interfaces, "interface vlan x", on a Layer 3 switch) and route between them.
The IP address of the subinterface or SVI is the default gateway for the clients whose PCs are connected to a switchport that is configured as an access port in that VLAN.


Creating VLANs and bringing Layer 3 into the game....


Create some VLANs (with the "vlan database" command on older switches, or with the "vlan xy" command in global configuration mode on newer switches)

vlan database
vlan 2 name stuff


or if there is no "vlan database"

vlan 2
name stuff

vlan 3
name testnet

vlan 4
name office


To create subinterfaces on a router interface, use the commands below. One caveat: IOS refuses "ip address" on a subinterface that has no VLAN encapsulation yet, so when you type this in, enter the "encapsulation dot1q" command (shown in the next step) first. The physical parent interface FastEthernet0/1 must be "no shutdown" as well, and must be connected to a trunk port on the switch.

interface FastEthernet0/1.1
ip address 154.55.1.1 255.255.255.0
no shutdown

interface FastEthernet0/1.2
ip address 154.55.2.1 255.255.255.0
no shutdown

interface FastEthernet0/1.3
ip address 154.55.3.1 255.255.255.0
no shutdown


To bind a particular VLAN to a particular subinterface, use the command

interface FastEthernet0/1.1
encapsulation dot1q 1

interface FastEthernet0/1.2
encapsulation dot1q 2

interface FastEthernet0/1.3
encapsulation dot1q 3

If VLAN 1 is the native (untagged) VLAN of the trunk, as in the trunk example further down, the subinterface for it needs "encapsulation dot1q 1 native", so that the router accepts the untagged frames as VLAN 1 traffic.
Note also that the switch example above creates VLANs 2, 3 and 4, while the router gets subinterfaces for VLANs 1, 2 and 3 (VLAN 1 exists on every switch by default). VLAN 4 has no gateway in this example; hosts in it can only talk to each other.



The command "encapsulation dot1q" means that 802.1Q tagging is used.
Instead of 802.1Q you could also use ISL, if you only have Cisco devices.
ISL is a Cisco-proprietary protocol and cannot be used on most other vendors' network devices.
802.1Q is a standard that is supported by most other vendors' network devices.
Some older Cisco devices only support ISL.
They are not usable in a multi-vendor network if network-wide VLANs are needed.

To make it possible for packets from one VLAN to reach another VLAN, you might think you have to configure routes. Normally you don't, because, hey, this is a router! As soon as ip routing is enabled (it is by default on a router), every subinterface or SVI with an IP address is a directly connected network, and its route appears automatically as a "C" entry in the routing table ("show ip route"). The static routes below are therefore redundant; they are shown only to make visible what the router already knows:

ip route 154.55.1.0 255.255.255.0 FastEthernet0/1.1

ip route 154.55.2.0 255.255.255.0 FastEthernet0/1.2

ip route 154.55.3.0 255.255.255.0 FastEthernet0/1.3


To put a switchport into a particular VLAN, use the commands

interface fa0/24
switchport mode access
switchport access vlan 3

Now every PC connected to switchport 24 is automatically in VLAN 3.
In our example, a PC connected to that port must have an IP address in the subnet
154.55.3.0/24, and its default gateway will be 154.55.3.1.
A normal PC does not understand VLAN tags, but it can still communicate over that port.
The reason is simple: an access port sends frames to the PC untagged, and frames it receives
from the PC are assigned to the port's VLAN inside the switch, so the PC never sees a tag.
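The whole procedure above (create the VLANs, one subinterface per VLAN, access ports in the VLANs) is easy to get inconsistent by hand, as the example itself shows: VLAN 4 exists on the switch but has no subinterface. Here is an added example, in Python and not from the original page, that generates both sides of the configuration from one VLAN plan and checks the plan for exactly that kind of gap. The VLAN numbers, names and 154.55.x.0/24 subnets follow the tutorial; the port assignments, the "first usable address is the gateway" convention and the function names are this example's own assumptions.

```python
"""Generate and sanity-check a router-on-a-stick plan (added example)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Vlan:
    vid: int
    name: str
    subnet: str  # CIDR, e.g. "154.55.3.0/24"

    @property
    def network(self) -> ipaddress.IPv4Network:
        return ipaddress.ip_network(self.subnet)

    @property
    def gateway(self) -> str:
        # Convention assumed here: the first usable host is the router/SVI address.
        return str(next(self.network.hosts()))


def router_config(parent: str, vlans: list, native_vlan: int) -> list:
    """IOS subinterface stanzas.  'encapsulation' is emitted before 'ip address'
    because IOS rejects an address on a subinterface without encapsulation; the
    native VLAN gets the 'native' keyword so untagged frames are accepted."""
    lines = [f"interface {parent}", " no shutdown"]
    for v in sorted(vlans, key=lambda x: x.vid):
        lines += [
            f"interface {parent}.{v.vid}",
            f" description {v.name}",
            f" encapsulation dot1q {v.vid}" + (" native" if v.vid == native_vlan else ""),
            f" ip address {v.gateway} {v.network.netmask}",
        ]
    return lines


def switch_config(vlans: list, access_ports: dict, trunk_port: str, native_vlan: int) -> list:
    """Matching switch side: VLAN definitions, one trunk, access ports."""
    lines = []
    ordered = sorted(vlans, key=lambda x: x.vid)
    for v in ordered:
        if v.vid != 1:  # VLAN 1 exists by default and cannot be created or renamed
            lines += [f"vlan {v.vid}", f" name {v.name}"]
    lines += [
        f"interface {trunk_port}",
        " switchport trunk encapsulation dot1q",  # must precede 'mode trunk' on ISL-capable switches
        " switchport mode trunk",
        " switchport nonegotiate",                # no DTP: it is a trunk because we say so
        f" switchport trunk native vlan {native_vlan}",
        " switchport trunk allowed vlan " + ",".join(str(v.vid) for v in ordered),
    ]
    for port, vid in access_ports.items():
        lines += [f"interface {port}", " switchport mode access",
                  f" switchport access vlan {vid}", " switchport nonegotiate"]
    return lines


def check_plan(vlans: list, access_ports: dict) -> list:
    """Human-readable problems: duplicate VIDs, overlapping subnets, access VLANs without a gateway."""
    problems, by_vid = [], {}
    for v in vlans:
        if v.vid in by_vid:
            problems.append(f"VLAN {v.vid} defined twice")
        by_vid[v.vid] = v
    nets = [(v.vid, v.network) for v in by_vid.values()]
    for i, (vid_a, net_a) in enumerate(nets):
        for vid_b, net_b in nets[i + 1:]:
            if net_a.overlaps(net_b):
                problems.append(f"subnets of VLAN {vid_a} and VLAN {vid_b} overlap")
    for port, vid in access_ports.items():
        if vid not in by_vid:
            problems.append(f"{port} is in VLAN {vid}, which has no subinterface/gateway")
    return problems


# Constructed plan: the tutorial's VLANs 1-3 with their /24s, plus an access
# port in VLAN 4, which the tutorial creates on the switch but never routes.
PLAN = [
    Vlan(1, "default", "154.55.1.0/24"),
    Vlan(2, "stuff", "154.55.2.0/24"),
    Vlan(3, "testnet", "154.55.3.0/24"),
]
ACCESS_PORTS = {"FastEthernet0/24": 3, "FastEthernet0/23": 4}

if __name__ == "__main__":
    print("\n".join(router_config("FastEthernet0/1", PLAN, native_vlan=1)))
    print("!")
    print("\n".join(switch_config(PLAN, ACCESS_PORTS, "FastEthernet0/1", native_vlan=1)))
    for p in check_plan(PLAN, ACCESS_PORTS):
        print("WARNING:", p)
```

Run it and the last line of output warns that FastEthernet0/23 sits in a VLAN with no gateway; fix the plan by adding a fourth Vlan entry and the router and switch stanzas come out consistent by construction.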


There is another way to configure routing between VLANs, on a Layer 3 switch.
You give each VLAN an IP address (a switched virtual interface, "interface vlan x") and enable ip routing.
The routing protocol in the example, RIP, is not what moves packets between VLAN 10 and VLAN 20 on this box; the
connected routes of the two SVIs do that. RIP advertises the two subnets to other routers.
Note that an SVI only comes up if the VLAN exists in the VLAN database and at least one port in that VLAN is up,
and that "network 10.0.0.0" in RIP means the classful /8, which matches the 255.0.0.0 masks used here.

Router#configure terminal

Router(config)#ip routing

Router(config)#router rip
Router(config-router)#network 10.0.0.0
Router(config-router)#network 20.0.0.0

Router(config-router)#interface vlan 10
Router(config-if)#ip address 10.1.1.1 255.0.0.0
Router(config-if)#no shutdown
Router(config-if)#exit

Router(config)#interface vlan 20
Router(config-if)#ip address 20.1.1.1 255.0.0.0
Router(config-if)#no shutdown
Router(config-if)#exit


So, for VLAN 10 the default gateway for the clients in this VLAN is 10.1.1.1.
For VLAN 20 the default gateway is 20.1.1.1.
With ip routing enabled, packets from VLAN 10 can get to VLAN 20 and back; RIP in the example makes the two subnets known to the rest of the network.

What is Tagging?

To let a network device tell apart packets that belong to different VLANs,
there must be "tagging".
If you use only ONE VLAN you don't need tagging, because there is nothing to tell apart.
When you start to create and use more than one VLAN, you have to decide
which VLANs' packets get tagged.
Tagging is nothing more than putting an extra tag into each frame (in 802.1Q it is 4 bytes, inserted right after the source MAC address).
This tag contains the "VLAN ID". It is like "marking" the packets with colours:
VLAN 2 could be green, VLAN 3 could be red, and so on.
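To see what the tag actually is, here is an added Python example, not from the original page, that inserts, parses and removes an 802.1Q tag in raw Ethernet frames. The sample frame, its MAC addresses and the function names are constructed for this example. It also records a second, stacked tag instead of ignoring it, because a frame carrying an outer tag for the native VLAN and an inner tag for another VLAN is what a VLAN-hopping (double-tagging) attempt looks like on the wire, and the example shows why the native VLAN matters there.

```python
"""802.1Q tags on the wire: insert, parse and strip (added example)."""
import struct

TPID_8021Q = 0x8100   # customer tag
TPID_8021AD = 0x88A8  # service-provider outer tag (QinQ)
TAG_TPIDS = (TPID_8021Q, TPID_8021AD)


def tag_frame(frame: bytes, vid: int, pcp: int = 0, tpid: int = TPID_8021Q) -> bytes:
    """Insert a VLAN tag between the source MAC and the EtherType.

    This is what a switch does when a frame of VLAN `vid` leaves a trunk port
    (unless `vid` is the native VLAN, which leaves untagged)."""
    if not 1 <= vid <= 4094:
        raise ValueError("VID must be 1..4094 (0 and 4095 are reserved)")
    if not 0 <= pcp <= 7:
        raise ValueError("PCP is a 3-bit field")
    tci = (pcp << 13) | vid  # TCI = PCP(3 bits) | DEI(1 bit, 0 here) | VID(12 bits)
    return frame[:12] + struct.pack("!HH", tpid, tci) + frame[12:]


def parse_frame(frame: bytes) -> dict:
    """Return dst, src, the list of tags (outermost first), EtherType and payload.

    An untagged frame yields tags == []; a trunk port then assigns it to the
    port's native VLAN.  Stacked tags are all recorded."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src, off, tags = frame[:6], frame[6:12], 12, []
    while True:
        (ethertype,) = struct.unpack_from("!H", frame, off)
        if ethertype not in TAG_TPIDS:
            break
        (tci,) = struct.unpack_from("!H", frame, off + 2)
        tags.append({"tpid": ethertype, "pcp": tci >> 13, "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF})
        off += 4
        if off + 2 > len(frame):
            raise ValueError("tag without a following EtherType")
    return {"dst": dst.hex(":"), "src": src.hex(":"), "tags": tags,
            "ethertype": ethertype, "payload": frame[off + 2:]}


def strip_outer_tag(frame: bytes) -> bytes:
    """What a port does when it sends a frame untagged: remove one (the outer) tag, if present."""
    if not parse_frame(frame)["tags"]:
        return frame
    return frame[:12] + frame[16:]


def effective_vlan(frame: bytes, native_vlan: int) -> int:
    """VLAN a trunk port assigns to an incoming frame."""
    tags = parse_frame(frame)["tags"]
    return tags[0]["vid"] if tags else native_vlan


# Constructed sample frame: dst MAC, src MAC, EtherType IPv4, a few dummy payload bytes.
UNTAGGED = bytes.fromhex("0011223344550066778899aa") + struct.pack("!H", 0x0800) + b"IPv4...."

if __name__ == "__main__":
    red = tag_frame(UNTAGGED, 3)                              # VLAN 3, "red"
    print(parse_frame(red)["tags"])
    hop = tag_frame(tag_frame(UNTAGGED, 3), 1)                # outer VID 1 (native), inner VID 3
    print([t["vid"] for t in parse_frame(hop)["tags"]])
    # First switch strips the outer (native) tag; the next trunk sees only VID 3.
    print(effective_vlan(strip_outer_tag(hop), native_vlan=1))
```

The last two lines are the double-tagging case: the first switch treats the outer tag 1 as its native VLAN and removes it on the way out, and the next switch along the trunk happily files the frame under VLAN 3. That only works when the attacker's access port sits in the trunk's native VLAN, which is why the native VLAN on trunks should be one that carries no user ports.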

What is a Trunk?

To carry VLAN packets from one network device to another,
the uplink ports between the devices must be configured as "trunk ports".
A "trunk" is established between the devices.

Use these commands to configure a trunk port and define the native VLAN on that port. On switches that support both ISL and 802.1Q, the encapsulation must be set before the mode, otherwise IOS rejects "switchport mode trunk" while the encapsulation is still "auto":

interface fa0/1
switchport trunk encapsulation dot1q (or isl)
switchport mode trunk
switchport trunk native vlan 1


You can imagine a trunk as a "bridge" that carries packets of multiple VLANs to another device.
It is important that both ends of the trunk have the same VLAN configured as native VLAN.
The native VLAN (or default VLAN) is the VLAN whose packets are NOT tagged.
All other VLANs MUST be tagged, or the devices cannot tell them apart.
There is no special command to select which VLANs are tagged.
You can only select which VLAN's packets will NOT be tagged.
You do this with the command

switchport trunk native vlan 1

That means packets from VLAN 1 that pass this interface will NOT carry a VLAN ID.
Packets from all other VLANs used on that device are tagged automatically.

Along the path over multiple switches and routers, packets can be encapsulated (tagged) or decapsulated on each uplink.
But both sides of an uplink must be configured with the same native VLAN. If they are not, a frame sent untagged from VLAN 1 on one side lands in whatever the other side's native VLAN is, and two broadcast domains are silently merged (Cisco switches log a CDP native VLAN mismatch when they notice).

In addition, trunk configuration has some options, for example negotiation with DTP ("switchport mode dynamic desirable" or "dynamic auto"),
so that a port becomes a trunk automatically depending on the settings of the port at the other end.
From a security point of view, leave that off: a host on a port that is still willing to negotiate can speak DTP itself and turn its access port into a trunk, and then sees every VLAN. Set user-facing ports to "switchport mode access" plus "switchport nonegotiate", set real uplinks to "switchport mode trunk" plus "switchport nonegotiate", restrict them with "switchport trunk allowed vlan", and use a dedicated, otherwise unused VLAN as native VLAN instead of VLAN 1 (or tag the native VLAN as well with the global "vlan dot1q tag native", where the platform supports it).
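A quick way to catch the usual trunk mistakes (native VLAN mismatch between the two ends, DTP negotiation left on, user traffic running in the native VLAN, every VLAN allowed over the uplink) is to audit the running-config of both ends. The following is an added Python example, not from the original page: the configuration snippets are constructed for it (one end as the tutorial configures fa0/1, the other with a mistyped native VLAN, plus a hardened version), and the assumed platform defaults, the VLAN numbers and the check names are this example's own.

```python
"""Audit both ends of a trunk from IOS 'show running-config' text (added example)."""
import re


def parse_interfaces(config: str) -> dict:
    """Return {interface name: [indented config lines]} from IOS config text."""
    ifaces, current = {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            current = None          # '!' ends an interface stanza
            continue
        m = re.match(r"^interface\s+(\S+)", line)
        if m:
            current = m.group(1)
            ifaces[current] = []
        elif current is not None and line.startswith(" "):
            ifaces[current].append(line.strip())
    return ifaces


def trunk_facts(lines: list) -> dict:
    """Trunk-relevant settings of one stanza.  Defaults are the assumed Catalyst
    access-switch defaults: dynamic auto, native VLAN 1, DTP on, all VLANs allowed."""
    f = {"mode": "dynamic auto", "native": 1, "nonegotiate": False,
         "encapsulation": None, "allowed": "all"}
    for l in lines:
        if l.startswith("switchport mode "):
            f["mode"] = l[len("switchport mode "):]
        elif l == "switchport nonegotiate":
            f["nonegotiate"] = True
        elif m := re.match(r"switchport trunk native vlan (\d+)$", l):
            f["native"] = int(m.group(1))
        elif m := re.match(r"switchport trunk encapsulation (\S+)$", l):
            f["encapsulation"] = m.group(1)
        elif m := re.match(r"switchport trunk allowed vlan (\S+)$", l):
            f["allowed"] = m.group(1)
    return f


def audit_trunk_pair(cfg_a: str, if_a: str, cfg_b: str, if_b: str, user_vlans: set) -> list:
    """Findings for one uplink; an empty list means both ends pass."""
    ends = [("A:" + if_a, trunk_facts(parse_interfaces(cfg_a)[if_a])),
            ("B:" + if_b, trunk_facts(parse_interfaces(cfg_b)[if_b]))]
    findings = []
    for name, f in ends:
        if f["mode"] != "trunk":
            findings.append(f"{name}: mode '{f['mode']}', trunking depends on DTP negotiation")
        if not f["nonegotiate"]:
            findings.append(f"{name}: DTP still enabled, add 'switchport nonegotiate'")
        if f["native"] in user_vlans:
            findings.append(f"{name}: native VLAN {f['native']} is a user VLAN, untagged frames mix with it")
        if f["allowed"] == "all":
            findings.append(f"{name}: every VLAN allowed on the trunk, prune with 'switchport trunk allowed vlan'")
    fa, fb = ends[0][1], ends[1][1]
    if fa["native"] != fb["native"]:
        findings.append(f"native VLAN mismatch: {ends[0][0]}={fa['native']} vs {ends[1][0]}={fb['native']}")
    if fa["encapsulation"] and fb["encapsulation"] and fa["encapsulation"] != fb["encapsulation"]:
        findings.append(f"encapsulation mismatch: {fa['encapsulation']} vs {fb['encapsulation']}")
    return findings


# Constructed configs: end A as the tutorial configures it, end B with a typo in the native VLAN.
SWITCH_A = """\
interface FastEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 1
!
interface FastEthernet0/24
 switchport mode access
 switchport access vlan 3
!
"""
SWITCH_B = """\
interface FastEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 99
!
"""
# Constructed: hardened uplink, usable on both ends (unused native VLAN 999, no DTP, pruned).
HARDENED = """\
interface FastEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 2-4,999
 switchport nonegotiate
!
"""
USER_VLANS = {1, 2, 3, 4}

if __name__ == "__main__":
    for finding in audit_trunk_pair(SWITCH_A, "FastEthernet0/1", SWITCH_B, "FastEthernet0/1", USER_VLANS):
        print("FINDING:", finding)
    print("hardened:", audit_trunk_pair(HARDENED, "FastEthernet0/1", HARDENED, "FastEthernet0/1", USER_VLANS))
```

Feed it the real "show running-config" output of the two switches instead of the constructed strings; the parser only needs the interface stanzas and the "!" separators IOS prints anyway.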

 
VLANs are used to increase the number of broadcast domains, independent of the physical layout.
Trunks are used to transport packets with different VLAN IDs over uplinks between network devices.


VLAN is NOT an encryption method!
With a sniffer in promiscuous mode the packets CAN be sniffed, and the data is not encrypted,
even if the frames carry a VLAN tag. The tag is just four cleartext bytes in the header; anyone who gets a port into the right VLAN, or onto a trunk, sees the traffic.

What is VTP?

With VTP (VLAN Trunking Protocol, Cisco-proprietary) we can make management of VLAN creation and deletion easier. VLANs are created on ONE switch (the VTP server), and this switch advertises the VLANs over the trunks to all other switches in the same VTP domain that are in "VTP client" mode (other servers in the domain synchronize as well). So VLANs have to be created and deleted only on one device, and the other switches synchronize automatically.
Now that we know how to create VLANs, let's see what VTP can do for us.

We have 4 switches.
They are connected over uplink ports. The uplinks are all configured as trunk ports (VTP advertisements are only sent over trunks).

Switch 1

vtp mode server
vtp domain goodfood
vtp pruning

Switch 2

vtp mode transparent
vtp domain goodfood

Switch 3

vtp mode client
vtp domain goodfood

Switch 4

vtp mode client
vtp domain betterfood

We create VLANs on switch 1, which is in VTP server mode.

The VLAN information is advertised to switch 2, which is in VTP transparent mode.
Switch 2 does not learn the VLANs that were created on switch 1; it keeps its own, locally configured VLAN database.
But switch 2 forwards the VLAN information to switch 3, which is in VTP client mode.

Switch 3 now has the same VLANs as switch 1, although we did not create them on it.
The VLANs will not be learned by switch 4, because it has a different VTP domain name.

Two caveats before you use this in production. First, a switch accepts an advertisement whenever its configuration revision number is higher than the switch's own, and that applies to servers as well as clients: a switch that was used in a lab, still carries the domain name "goodfood" and has a high revision number, overwrites the VLAN database of the whole domain (deleting VLANs, and with them the access ports' traffic) the moment its trunk comes up. Reset the revision counter before connecting a switch (changing the VTP domain name or setting the switch to transparent mode resets it to 0). Second, set a VTP password on every switch in the domain ("vtp password ..."); advertisements with the wrong password are ignored, which stops an unauthenticated device from injecting VLAN changes. Many operators avoid the whole problem by running every switch in transparent mode and managing VLANs with their configuration tooling.
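The behaviour just described, and what happens when a switch with a higher configuration revision number or without the domain password joins the domain, can be checked with a small model. The following Python code is an added example and not from the original page or from Cisco: it implements only the rules mentioned here (mode, domain name, configuration revision and the VTP password), uses a stand-in MD5 digest instead of the real VTP summary digest, and the "lab" switch, the password and the helper names are its own assumptions.

```python
"""Toy model of VTP advertisements moving through the four switches (added example)."""
import hashlib
from dataclasses import dataclass, field


@dataclass
class Switch:
    name: str
    mode: str            # "server", "client" or "transparent"
    domain: str
    password: str = ""
    revision: int = 0
    vlans: dict = field(default_factory=lambda: {1: "default"})


@dataclass(frozen=True)
class Advert:
    domain: str
    revision: int
    vlans: tuple         # ((vid, name), ...) so the advert itself is immutable
    digest: str


def digest(password: str, revision: int, vlans) -> str:
    """Stand-in for VTP's MD5 over the password and the VLAN database (assumed shape)."""
    body = f"{password}|{revision}|{sorted(vlans)}".encode()
    return hashlib.md5(body).hexdigest()


def advertise(sw: Switch) -> Advert:
    vl = tuple(sorted(sw.vlans.items()))
    return Advert(sw.domain, sw.revision, vl, digest(sw.password, sw.revision, vl))


def add_vlan(sw: Switch, vid: int, name: str) -> Advert:
    """Create a VLAN locally; only a server bumps the revision and announces it."""
    if sw.mode == "client":
        raise PermissionError(f"{sw.name}: a VTP client cannot create VLANs")
    sw.vlans[vid] = name
    if sw.mode == "server":
        sw.revision += 1
    return advertise(sw)


def receive(sw: Switch, adv: Advert):
    """Apply an advert to sw.  Returns the advert to forward, or None to drop it."""
    if adv.domain != sw.domain:
        return None                       # other domain: ignored (switch 4)
    if sw.mode == "transparent":
        return adv                        # relayed, own VLAN database untouched (switch 2)
    if adv.digest != digest(sw.password, adv.revision, adv.vlans):
        return None                       # wrong VTP password: ignored
    if adv.revision <= sw.revision:
        return None                       # nothing newer than what we already have
    sw.vlans = dict(adv.vlans)            # higher revision wins, on clients AND servers
    sw.revision = adv.revision
    return adv


def propagate(adv: Advert, start: str, switches: dict, links: dict) -> list:
    """Flood an advert hop by hop over the trunk links; return the switches that learned it."""
    learned, seen, queue = [], {start}, [(start, adv)]
    while queue:
        here, a = queue.pop(0)
        for nbr in links.get(here, ()):
            if nbr in seen:
                continue
            seen.add(nbr)
            fwd = receive(switches[nbr], a)
            if fwd is None:
                continue
            if switches[nbr].mode != "transparent":
                learned.append(nbr)
            queue.append((nbr, fwd))
    return learned


def connect(links: dict, a: str, b: str) -> None:
    links.setdefault(a, []).append(b)
    links.setdefault(b, []).append(a)


def build_lab(password: str = ""):
    """The tutorial's chain sw1 - sw2 - sw3 - sw4 with its modes and domain names."""
    sws = {
        "sw1": Switch("sw1", "server", "goodfood", password),
        "sw2": Switch("sw2", "transparent", "goodfood", password),
        "sw3": Switch("sw3", "client", "goodfood", password),
        "sw4": Switch("sw4", "client", "betterfood", password),
    }
    links = {}
    for a, b in (("sw1", "sw2"), ("sw2", "sw3"), ("sw3", "sw4")):
        connect(links, a, b)
    return sws, links


if __name__ == "__main__":
    sws, links = build_lab()
    print(propagate(add_vlan(sws["sw1"], 2, "stuff"), "sw1", sws, links))   # only sw3 learns it
    # A switch from the lab: same domain name, stale database, but a HIGHER revision.
    lab = Switch("lab", "server", "goodfood", revision=50)
    sws["lab"] = lab
    connect(links, "sw3", "lab")
    print(propagate(advertise(lab), "lab", sws, links))                       # sw3, then sw1
    print(2 in sws["sw1"].vlans)                                              # VLAN 2 is gone
```

Rebuild the lab with build_lab("s3cret") and the same "lab" switch is ignored at sw3, because its advert was made without the password and the digest does not match.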

duno-netze.de | info<at>duno-netze.de