Contents

Introduction
Why VLAN
VLAN Setting
Trunk Link
Allowed VLAN
VLAN 1
Native VLAN
VLAN Internal Usage

Introduction

Most of you know what a LAN is, but what is a VLAN (Virtual LAN)? A VLAN splits one physical LAN into several independent virtual LANs. Each VLAN is its own Layer 2 domain, so hosts in different VLANs cannot talk to each other unless a router or Layer 3 switch forwards between them. There are two trunking standards, ISL (Inter-Switch Link) and IEEE 802.1q (802.1q). ISL is a Cisco proprietary protocol while 802.1q is an open standard. Since ISL is already out of the examination scope, this article covers 802.1q only.

Why VLAN

Why VLAN? Two reasons: network performance and security.

Broadcast frames are always present on a network, and a switch floods every broadcast to every host in the LAN. Each host must spend CPU time processing broadcasts it does not need, and the bandwidth they consume lowers network performance. A VLAN splits the LAN so that broadcast traffic from one VLAN cannot spread into another: each VLAN is a single broadcast domain.

Broadcasts are also a security issue. Because a broadcast reaches every host in the broadcast domain, anyone on the LAN can run a packet capture tool such as Wireshark and learn the IP address and MAC address of every host that broadcasts (ARP requests, for example). A VLAN confines broadcasts to a trusted area, so a host only sees the broadcasts of its own VLAN.

In the following diagram, Wireshark is used to capture the network traffic. As you can see, the MAC address and IP address of a host can be read straight out of its broadcast packets.

(Diagram: Wireshark capture showing the MAC address and IP address of a host in its broadcast packets)

VLAN Setting

VLAN configuration on a Cisco switch is an easy job! Use the following topology as an example. R1 to R4 act as four hosts connected to SW1. The IP addresses of their e0/0 interfaces are configured from 192.168.1.1/24 to 192.168.1.4/24.

(Diagram: R1 to R4 connected to SW1, all in the same subnet 192.168.1.0/24)

hostname R1
!
interface Ethernet0/0
 ip address 192.168.1.1 255.255.255.0
hostname R2
!
interface Ethernet0/0
 ip address 192.168.1.2 255.255.255.0
hostname R3
!
interface Ethernet0/0
 ip address 192.168.1.3 255.255.255.0
hostname R4
!
interface Ethernet0/0
 ip address 192.168.1.4 255.255.255.0

Of course, R1 can ping R2, R3 and R4 successfully, because all four ports are still in the default VLAN 1.

R1#ping 192.168.1.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/24/44 ms
R1#ping 192.168.1.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/20/24 ms
R1#ping 192.168.1.4

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/24/44 ms

Now, put R1 and R2 in VLAN 10 and R3 and R4 in VLAN 20. In other words, assign SW1's e0/0 and e0/1 to VLAN 10 and its e0/2 and e0/3 to VLAN 20.

(Diagram: R1 and R2 on SW1 e0/0 and e0/1 in VLAN 10, R3 and R4 on SW1 e0/2 and e0/3 in VLAN 20)

First, create VLAN 10 and VLAN 20 on SW1. 10 and 20 are the VLAN IDs. The name is a label for the VLAN and is optional.

SW1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
SW1(config)#vlan 10
SW1(config-vlan)#name Yellow
SW1(config-vlan)#vlan 20
SW1(config-vlan)#name Green
SW1(config-vlan)#exit

Use show vlan to verify. VLAN 1, 1002, 1003, 1004 and 1005 are default VLANs that exist on every switch; we will not discuss them now. If you see 10 and 20 in the list, the configuration is fine.

SW1#show vlan

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Et0/0, Et0/1, Et0/2, Et0/3
                                                Et1/0, Et1/1, Et1/2, Et1/3
                                                Et2/0, Et2/1, Et2/2, Et2/3
                                                Et3/0, Et3/1, Et3/2, Et3/3
10   Yellow                           active
20   Green                            active
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1    enet  100001     1500  -      -      -        -    -        0      0
10   enet  100010     1500  -      -      -        -    -        0      0
20   enet  100020     1500  -      -      -        -    -        0      0
1002 fddi  101002     1500  -      -      -        -    -        0      0
1003 tr    101003     1500  -      -      -        -    -        0      0
1004 fdnet 101004     1500  -      -      -        ieee -        0      0
1005 trnet 101005     1500  -      -      -        ibm  -        0      0

Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------

Next, assign e0/0 and e0/1 to VLAN 10. (On a production switch, also configure switchport mode access on each host port so that DTP cannot negotiate the port into a trunk; this lab relies on the default port mode.)

SW1(config)#int ethernet 0/0
SW1(config-if)#switchport access vlan 10
SW1(config-if)#int ethernet 0/1
SW1(config-if)#switchport access vlan 10

Same steps for VLAN 20.

SW1(config)#int ethernet 0/2
SW1(config-if)#switchport access vlan 20
SW1(config-if)#int ethernet 0/3
SW1(config-if)#switchport access vlan 20

Use show vlan to verify again.

SW1#sh vlan

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Et1/0, Et1/1, Et1/2, Et1/3
                                                Et2/0, Et2/1, Et2/2, Et2/3
                                                Et3/0, Et3/1, Et3/2, Et3/3
10   Yellow                           active    Et0/0, Et0/1
20   Green                            active    Et0/2, Et0/3
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1    enet  100001     1500  -      -      -        -    -        0      0
10   enet  100010     1500  -      -      -        -    -        0      0
20   enet  100020     1500  -      -      -        -    -        0      0
1002 fddi  101002     1500  -      -      -        -    -        0      0
1003 tr    101003     1500  -      -      -        -    -        0      0
1004 fdnet 101004     1500  -      -      -        ieee -        0      0
1005 trnet 101005     1500  -      -      -        ibm  -        0      0

Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------

Finally, try the ping test again. R1 can only ping R2 and R3 can only ping R4, because frames are never forwarded between VLANs. (The 80 percent result on the last test below is normal: the first echo typically times out while ARP resolves the neighbour's MAC address.)

R1#ping 192.168.1.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/266/776 ms
R1#ping 192.168.1.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.3, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R1#ping 192.168.1.4

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.4, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R3#ping 192.168.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R3#ping 192.168.1.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R3#ping 192.168.1.4

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.4, timeout is 2 seconds:
!!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 16/19/20 ms

In real-life configuration, each VLAN is given its own subnet, for example VLAN 10 for 192.168.10.0/24 and VLAN 20 for 192.168.20.0/24; one subnet is seldom spread across several VLANs. The example above keeps every host in 192.168.1.0/24 only to prove that hosts in different VLANs cannot communicate, even when their addresses say they should be neighbours.

Trunk Link

So, we now know how to configure VLANs on a single switch. But what happens when a VLAN spans several switches? When SW1 sends frames to SW2, how does SW2 know which VLAN each frame came from? If SW2 does not know the original VLAN, it cannot know which VLAN to deliver the frame to. To solve this, SW1 tags each frame with its VLAN number (VLAN ID) before sending it; the receiving switch reads the tag to learn the original VLAN. The tag is the 802.1q VLAN tag: 4 bytes inserted into the Ethernet header right after the source MAC address, consisting of the Tag Protocol Identifier 0x8100 followed by a Tag Control Information field whose low 12 bits hold the VLAN ID (so IDs 1 to 4094 are usable).

To carry tagged frames, a trunk link is needed between the switches: a trunk link carries multiple VLANs, while an access link carries a single VLAN. There are several ways to configure a trunk link; see Dynamic Trunking Protocol (DTP) for details. In this article, we only use static mode.

(Diagram: VLAN 10 and VLAN 20 spanning SW1 and SW2 over a trunk link between their e0/2 interfaces)

Configuring a trunk link is not difficult. First, confirm that the VLANs already exist on both switches. The VLAN IDs must match; the VLAN names need not be the same on the two switches (though using different names makes no sense).

SW1#show vlan

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Et0/3, Et1/0, Et1/1, Et1/2
                                                Et1/3, Et2/0, Et2/1, Et2/2
                                                Et2/3, Et3/0, Et3/1, Et3/2
                                                Et3/3
10   Yellow                           active    Et0/0
20   Green                            active    Et0/1
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup

<--Output Omitted-->
SW2#show vlan

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Et0/3, Et1/0, Et1/1, Et1/2
                                                Et1/3, Et2/0, Et2/1, Et2/2
                                                Et2/3, Et3/0, Et3/1, Et3/2
                                                Et3/3
10   Yellow                           active    Et0/0
20   Green                            active    Et0/1
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup

<--Output Omitted-->

Then, change the interfaces connecting the two switches to 802.1q trunks.

SW1(config)#int ethernet 0/2
SW1(config-if)#switchport trunk encapsulation dot1q
SW1(config-if)#switchport mode trunk
SW2(config)#int ethernet 0/2
SW2(config-if)#switchport trunk encapsulation dot1q
SW2(config-if)#switchport mode trunk

Use show interfaces trunk to find out which interfaces are trunk links. The allowed VLAN part of the output is covered later.

SW1#show interfaces trunk

Port                Mode         Encapsulation  Status        Native vlan
Et0/2               on           802.1q         trunking      1

Port                Vlans allowed on trunk
Et0/2               1-4094

Port                Vlans allowed and active in management domain
Et0/2               1,10,20

Port                Vlans in spanning tree forwarding state and not pruned
Et0/2               1,10,20
SW2#show interfaces trunk

Port                Mode         Encapsulation  Status        Native vlan
Et0/2               on           802.1q         trunking      1

Port                Vlans allowed on trunk
Et0/2               1-4094

Port                Vlans allowed and active in management domain
Et0/2               1,10,20

Port                Vlans in spanning tree forwarding state and not pruned
Et0/2               1,10,20

Now R1 can ping R2, which is in the same VLAN but on the other switch, while it still cannot reach the hosts in the other VLAN.

R1#ping 192.168.1.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 100/150/212 ms
R1#ping 192.168.1.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.3, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R1#ping 192.168.1.4

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.4, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

Because every frame on the trunk (except those of the native VLAN, covered below) carries the 802.1q tag, the VLAN ID is visible when the trunk link is captured with packet capture software.

(Diagram: packet capture on the trunk link showing the 802.1q tag and its VLAN ID)

Allowed VLAN

A trunk link can be restricted to carry only specific VLANs. The default is to allow 1-4094, that is, all VLANs. Use switchport trunk allowed vlan <vlan id> on the trunk interface to change this. Allowing only the VLANs a trunk really needs is good practice: traffic from unrelated VLANs, and any tagged frame an attacker manages to inject for them, stays off that link.

SW1(config-if)#switchport trunk allowed vlan 10,20,30
SW1(config-if)#end
SW1#show interfaces trunk

Port                Mode         Encapsulation  Status        Native vlan
Et0/2               on           802.1q         trunking      1

Port                Vlans allowed on trunk
Et0/2               10,20,30

Port                Vlans allowed and active in management domain
Et0/2               10,20

Port                Vlans in spanning tree forwarding state and not pruned
Et0/2               10,20

After modifying the configuration, use show interfaces trunk to verify. The three parts of the output mean the following:

  • Vlans allowed on trunk is the configured allowed list. As the command shows, only VLAN 10, 20 and 30 may pass through this trunk link.
  • Vlans allowed and active in management domain is the intersection of that list with the VLANs that exist on this switch. VLAN 30 is allowed but has not been created here, so in practice no VLAN 30 traffic crosses the trunk until it is.
  • Vlans in spanning tree forwarding state and not pruned lists the allowed, active VLANs that spanning tree is forwarding and that VTP pruning has not removed. Pruning is a VTP setting; it is left to the VLAN Trunking Protocol (VTP) tutorial.

Besides switchport trunk allowed vlan <vlan id>, which replaces the whole list, the following keywords can be used:

SW1(config-if)#switchport trunk allowed vlan ?
  WORD    VLAN IDs of the allowed VLANs when this port is in trunking mode
  add     add VLANs to the current list
  all     all VLANs
  except  all VLANs except the following
  none    no VLANs
  remove  remove VLANs from the current list

add

Add VLANs to the current allowed list
Example
Original Settings: 1-100
Command: switchport trunk allowed vlan add 110-120
New Setting: 1-100,110-120

all

Allow all VLANs (1-4094)
Example
Original Setting: 1-100
Command: switchport trunk allowed vlan all
New Setting: 1-4094

except

Allow all VLANs (1-4094) except the listed ones
Example
Original Setting: 1-100
Command: switchport trunk allowed vlan except 110-120
New Setting: 1-109,121-4094

none

Allow no VLANs at all
Example
Original Setting: 1-100
Command: switchport trunk allowed vlan none
New Setting: none

remove

Remove VLANs from the current allowed list
Example
Original Setting: 1-100
Command: switchport trunk allowed vlan remove 20-30
New Setting: 1-19,31-100
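
To make the semantics of these keywords concrete, here is an added Python model (not part of the original article, and not IOS code) that parses an IOS-style VLAN list, applies each form of switchport trunk allowed vlan and renders the result the way show interfaces trunk prints it. The function names are this example's own; the range arithmetic follows the examples above, and the replace-versus-add behaviour of a bare list matches IOS.

```python
import re

VLAN_MIN, VLAN_MAX = 1, 4094          # 802.1Q VLAN ID is 12 bits; 0 and 4095 are reserved
ALL_VLANS = frozenset(range(VLAN_MIN, VLAN_MAX + 1))


def parse_vlan_list(text):
    """Parse an IOS VLAN list such as "1-100,110-120" (or "none"/"all") into a set of IDs."""
    text = text.strip().lower()
    if text in ("", "none"):
        return set()
    if text == "all":
        return set(ALL_VLANS)
    vlans = set()
    for part in text.split(","):
        m = re.fullmatch(r"\s*(\d+)(?:-(\d+))?\s*", part)
        if not m:
            raise ValueError(f"bad VLAN list element: {part!r}")
        lo = int(m.group(1))
        hi = int(m.group(2) or lo)
        if not (VLAN_MIN <= lo <= hi <= VLAN_MAX):
            raise ValueError(f"VLAN range out of bounds: {part!r}")
        vlans.update(range(lo, hi + 1))
    return vlans


def format_vlan_list(vlans):
    """Render a set of VLAN IDs the way show interfaces trunk does ("1-19,31-100")."""
    if not vlans:
        return "none"
    ids = sorted(vlans)
    ranges, start, prev = [], ids[0], ids[0]
    for v in ids[1:]:
        if v == prev + 1:           # still inside a contiguous run
            prev = v
            continue
        ranges.append(f"{start}-{prev}" if start != prev else str(start))
        start = prev = v
    ranges.append(f"{start}-{prev}" if start != prev else str(start))
    return ",".join(ranges)


def allowed_vlan(current, *args):
    """Apply 'switchport trunk allowed vlan <args...>' to the current allowed list.

    `current` is the list as currently displayed; returns the new list as displayed.
    """
    if not args:
        raise ValueError("missing argument")
    cur = parse_vlan_list(current)
    keyword, rest = args[0].lower(), " ".join(args[1:])
    if keyword in ("add", "remove", "except") and not rest:
        raise ValueError(f"{keyword} needs a VLAN list")
    if keyword == "all":
        new = set(ALL_VLANS)
    elif keyword == "none":
        new = set()
    elif keyword == "add":
        new = cur | parse_vlan_list(rest)
    elif keyword == "remove":
        new = cur - parse_vlan_list(rest)
    elif keyword == "except":
        new = ALL_VLANS - parse_vlan_list(rest)
    else:
        # Bare WORD form: the list given REPLACES the current allowed VLANs.
        new = parse_vlan_list(args[0])
    return format_vlan_list(new)


if __name__ == "__main__":
    for cmd in (("1-100", "add", "110-120"), ("1-100", "all"), ("1-100", "except", "110-120"),
                ("1-100", "none"), ("1-100", "remove", "20-30"), ("10,20", "30")):
        print(f"{cmd[0]:>8}  + allowed vlan {' '.join(cmd[1:]):<16} -> {allowed_vlan(*cmd)}")
```

The bare form is the one to be careful with: switchport trunk allowed vlan 30 on a trunk that currently allows 10,20 leaves only 30 allowed and silently cuts VLAN 10 and 20 off the link. Use add when the intent is to extend the list.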

VLAN 1

VLAN 1 is the default VLAN: it cannot be deleted, and every port belongs to it by default. VLAN 1 is special because it carries not only user data but also control plane traffic such as VTP, CDP, PAgP and DTP. For security reasons, VLAN 1 should therefore never be assigned to hosts; otherwise an attacker with packet capture software on a host port can read this control plane traffic and learn about the switch topology and VLAN database.

Native VLAN

VLAN 1 is also the native VLAN of a trunk link by default. The native VLAN is the one VLAN whose frames travel untagged on the trunk. What does that mean? Every other VLAN is identified by the 12-bit VLAN ID in its tag (1 to 4094 are usable); if the two switches at the ends of the trunk agree that a frame with no tag belongs to VLAN 1, then VLAN 1 can be recognised even though its frames carry no VLAN ID. Think of writing numbers on balls of different colours: red is 2, yellow is 3, blue is 4 and so on; the colourless ball is 1.

So when VLAN 1 traffic crosses the trunk link, a packet capture shows no VLAN ID 1: there is no tag in the frame at all. The native VLAN is set with the interface command switchport trunk native vlan <vlan id>. The interfaces at both ends of the trunk must use the same native VLAN value; otherwise a native VLAN mismatch occurs and untagged frames from one VLAN are delivered into a different VLAN on the other switch (IOS reports this via CDP as a %CDP-4-NATIVE_VLAN_MISMATCH warning).

SW1(config-if)#switchport trunk native vlan 100
SW1(config-if)#exit
SW1#show int trunk

Port                Mode         Encapsulation  Status        Native vlan
Et0/1               on           802.1q         trunking      100

If native VLAN 1 works, why change it? Because an access port should never be in the same VLAN as the trunk's native VLAN. A host on such a port can send a frame carrying two 802.1q tags: an outer tag for the native VLAN and an inner tag for a VLAN it is not allowed to reach. The first switch strips the outer tag and, since that VLAN is native on the trunk, forwards the frame untagged, leaving the inner tag exposed; the second switch reads that tag and delivers the frame into the target VLAN. This is the Double Tagging Attack. It only works in one direction (replies are never tagged back into the attacker's VLAN), but that is enough to inject traffic across a VLAN boundary. Moving the native VLAN to an unused VLAN that no access port belongs to, as above, removes the condition the attack relies on; for the same reason, we seldom assign VLAN 1 to user ports. On platforms that support it, the global command vlan dot1q tag native makes the native VLAN tagged as well and closes the gap completely.
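
The tag format from the Trunk Link section, the untagged native VLAN, the double tagging condition above and the single-switch isolation from the VLAN Setting section can all be shown with one small model. The following Python is an added example, not code from the original article or from any switch vendor: it builds real 802.1Q frame bytes and runs them through a deliberately simplified flood-only switch. The model's one assumption, marked in the code, is that an access port accepts a frame tagged with its own VLAN and strips that tag, which is the behaviour a double-tagged frame depends on. Port names, MAC addresses and the two-switch topology are constructed for the example.

```python
import struct

TPID_8021Q = 0x8100       # 802.1Q Tag Protocol Identifier
ETHERTYPE_IPV4 = 0x0800


def build_frame(dst, src, vids=(), ethertype=ETHERTYPE_IPV4, payload=b"\x00" * 46):
    """Ethernet frame with zero or more stacked 802.1Q tags, outermost first (PCP/DEI = 0)."""
    tags = b"".join(struct.pack("!HH", TPID_8021Q, vid & 0x0FFF) for vid in vids)
    return dst + src + tags + struct.pack("!H", ethertype) + payload


def outer_tag(frame):
    """VLAN ID of the outermost 802.1Q tag, or None if the frame is untagged."""
    if struct.unpack("!H", frame[12:14])[0] != TPID_8021Q:
        return None
    return struct.unpack("!H", frame[14:16])[0] & 0x0FFF


def pop_tag(frame):
    """Remove the outermost tag (caller has checked one is present)."""
    return frame[:12] + frame[16:]


def push_tag(frame, vid):
    """Insert a tag right after the source MAC, in front of whatever is there."""
    return frame[:12] + struct.pack("!HH", TPID_8021Q, vid) + frame[12:]


class Switch:
    """Minimal flood-only switch: access ports carry one untagged VLAN, trunks tag
    every VLAN except the native one."""

    def __init__(self):
        self.ports = {}

    def access(self, port, vlan):
        self.ports[port] = {"mode": "access", "vlan": vlan}

    def trunk(self, port, native=1, allowed=None):
        self.ports[port] = {"mode": "trunk", "native": native,
                            "allowed": set(range(1, 4095)) if allowed is None else set(allowed)}

    def classify(self, port, frame):
        """Map an ingress frame to (vlan, frame with outer tag removed); (None, None) = dropped."""
        p, vid = self.ports[port], outer_tag(frame)
        if p["mode"] == "access":
            if vid is None:
                return p["vlan"], frame
            # Model assumption: a tag equal to the access VLAN is accepted and stripped;
            # any other tag is dropped. That stripping is what double tagging relies on.
            return (p["vlan"], pop_tag(frame)) if vid == p["vlan"] else (None, None)
        if vid is None:
            return p["native"], frame            # untagged on a trunk = native VLAN
        return (vid, pop_tag(frame)) if vid in p["allowed"] else (None, None)

    def emit(self, port, vlan, frame):
        """Frame as it leaves `port` for `vlan`, or None if the port does not carry that VLAN."""
        p = self.ports[port]
        if p["mode"] == "access":
            return frame if p["vlan"] == vlan else None
        if vlan not in p["allowed"]:
            return None
        return frame if vlan == p["native"] else push_tag(frame, vlan)

    def flood(self, in_port, frame):
        """Deliver a broadcast/unknown-unicast frame to every other port in its VLAN."""
        vlan, frame = self.classify(in_port, frame)
        out = {}
        if vlan is None:
            return out
        for port in self.ports:
            if port != in_port:
                f = self.emit(port, vlan, frame)
                if f is not None:
                    out[port] = f
        return out


ATTACKER = bytes.fromhex("0200000000aa")    # constructed MAC addresses for the example
BROADCAST = b"\xff" * 6


def double_tag_scenario(native_vlan):
    """Attacker on SW1 e0/0 (access VLAN 1) sends a frame tagged [1, 20] towards the trunk.
    Both trunks use `native_vlan`. Returns the set of SW2 ports that receive the frame."""
    sw1, sw2 = Switch(), Switch()
    sw1.access("e0/0", 1)                   # attacker left in the default VLAN
    sw1.trunk("e0/2", native=native_vlan)
    sw2.trunk("e0/2", native=native_vlan)
    sw2.access("e0/0", 10)
    sw2.access("e0/1", 20)                  # victim VLAN
    crafted = build_frame(BROADCAST, ATTACKER, vids=(1, 20))
    on_wire = sw1.flood("e0/0", crafted).get("e0/2")
    if on_wire is None:
        return set()
    return set(sw2.flood("e0/2", on_wire))


if __name__ == "__main__":
    print("native VLAN 1  :", double_tag_scenario(1) or "dropped")
    print("native VLAN 100:", double_tag_scenario(100) or "dropped")
```

double_tag_scenario(1) delivers the crafted frame to SW2's VLAN 20 port; double_tag_scenario(100) delivers it nowhere, because with an unused native VLAN the attacker's frame leaves SW1 tagged 1 and SW2 classifies it into VLAN 1, where no victim port exists. The same Switch class reproduces the single-switch test from the VLAN Setting section: a broadcast entering an access port in VLAN 10 is flooded only to the other VLAN 10 ports, and on a trunk it leaves with tag 10 while VLAN 1 traffic leaves untagged.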

VLAN Internal Usage

One more thing: the system always reserves some VLANs for internal use. When a multilayer switch operates a port at Layer 3 (no switchport), an internal VLAN is allocated to that port. Let us try.

First, use show vlan internal usage to confirm that no VLAN is currently used internally.

SW1#show vlan internal usage

VLAN Usage
---- --------------------

Change the port to Layer 3. VLAN 1006 is used. Why 1006? Because the system allocates from 1006 upwards, in ascending order. The order can be changed and is discussed below.

SW1(config)#int ethernet 0/1
SW1(config-if)#no switchport
SW1(config-if)#end
*Dec  3 11:15:24.478: %LINK-3-UPDOWN: Interface Ethernet0/1, changed state to up
SW1#show vlan internal usage

VLAN Usage
---- --------------------
1006 Ethernet0/1

Since VLAN 1006 is now occupied, an error message is shown if we try to create VLAN 1006.

SW1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
SW1(config)#vlan 1006
VLAN id: 1006 is an internal vlan id - cannot use it to create a VTP VLAN.

The only setting we can change for internal usage is the allocation order, from ascending to descending, with vlan internal allocation policy descending. Subsequent allocations then start at 4094 and go downwards. Existing allocations are not changed: Ethernet0/1 keeps VLAN 1006.

SW1(config)#vlan internal allocation policy descending
SW1(config)#int range ethernet 1/1 - 2
SW1(config-if-range)#no switchport
SW1(config-if-range)#end
*Dec  3 11:27:17.794: %LINK-3-UPDOWN: Interface Ethernet1/1, changed state to up
*Dec  3 11:27:17.798: %LINK-3-UPDOWN: Interface Ethernet1/2, changed state to up
SW1#show vlan internal usage

VLAN Usage
---- --------------------
1006 Ethernet0/1
4093 Ethernet1/2
4094 Ethernet1/1