VLAN
In order to implement VLANs in a network environment, you'll need a Layer 2 switch that supports them. Almost all switches sold today that are described as "managed" switches provide the ability to make ports members of different VLANs. However, switches that don't provide any configuration function (such as many basic, lower-end switches) don't provide the ability to configure VLANs. Almost any Cisco Catalyst switch that you'll come across today provides the ability to make ports part of different VLANs.
Before getting into the details of how a VLAN functions, it's worth exploring some of the advantages that a VLAN provides. First and foremost, VLANs provide the ability to define broadcast domains without the constraint of physical location. For example, instead of making all of the users on the third floor part of the same broadcast domain, you might use VLANs to make all of the users in the HR department part of the same broadcast domain. The benefits of doing this are many. Firstly, these users might be spread across different floors of a building, and a VLAN allows you to make all of them part of the same broadcast domain regardless. This can also be viewed as a security feature: since all HR users are part of the same broadcast domain, you can later apply policies such as access lists to control which areas of the network these users have access to, or which users have access to the HR broadcast domain. Keep in mind that the VLAN boundary by itself only separates broadcast domains; the access lists applied on the router (or Layer 3 switch) that joins the VLANs are what actually enforce the restriction. Furthermore, if the HR department's server were placed on the same VLAN, HR users would be able to access their server without the need for traffic to cross routers and potentially impact other parts of the network.
VLANs are defined on a switch on a port-by-port basis. That is, you might choose to make ports 1-6 part of VLAN 1, and ports 7-12 part of VLAN 2. There's no need for ports in the same VLAN to be contiguous at all: you could make ports 1, 3 and 5 on a switch part of VLAN 1, for example. On almost all switches today, all ports are part of VLAN 1 by default, which means that until you configure anything, every port, unused ones included, shares a single broadcast domain. If you want to implement additional VLANs, these must first be defined in the switch's software (such as the IOS on a Cisco switch), and then ports must be made members of that VLAN. A VLAN isn't limited to a single switch, either. If trunk links are used to interconnect switches, a VLAN might have 3 ports on one switch, and 7 ports on another, as shown below. The logical nature of a VLAN makes it a very effective tool, especially in larger networking environments.
Inter-VLAN Communication
I mentioned a few times already that a VLAN is simply a special type of broadcast domain, in that it is defined on a switch port basis rather than on traditional physical boundaries. Recall from the earlier articles in this series that when a host in one broadcast domain wishes to communicate with another, a router must be involved. The same holds true for VLANs. For example, imagine that port 1 on a switch is part of VLAN 1, and port 2 part of VLAN 99. If all of the switch's ports were part of VLAN 1, the hosts connected to these ports could communicate without issue. However, once the ports are made part of different VLANs, this is no longer true. In order for a host connected to port 1 to communicate with another connected to port 2, a router must be involved.
You may already be familiar with the concept of a Layer 3 switch. A Layer 3 switch is generally a Layer 2 switching device that also includes the ability to act as a router, usually through the use of additional hardware and software features. If a switch includes Layer 3 capabilities, it can be configured to route traffic between VLANs defined on the switch, without the need for packets to ever leave the switch. However, if a switch only includes Layer 2 functionality, an external router must be configured to route traffic between the VLANs. In some cases, it's entirely possible that a packet will leave switch port 1, be forwarded to an external router, and then be routed right back to port 2 on the originating switch. For this reason, many companies have decided to implement Layer 3 switches strategically throughout their network. Regardless of the method chosen, it's most important for you to recognize that when a host on one VLAN wants to communicate with a host on another, a router must somehow be involved.
Extending VLANs Between Switches
In order to extend VLANs across different switches, a trunk link must interconnect the switches. Think of a trunk link as being similar to an uplink between hubs: usually a trunk link is implemented between fast switch ports on two different switches using a crossover cable. For example, you might interconnect two Gigabit Ethernet ports on different switches using fiber optics, or two 100 Mbps switch ports using a traditional Cat5 crossover cable. In most cases it is recommended that you use the fastest port available for trunk connections, since this link will often carry a great deal of traffic, possibly for multiple VLANs.
To begin, let's assume that you have connected a link between the 100 Mbps ports of two switches, as shown below. Notice that each of these ports is a member of VLAN 1 on its switch. By default, without any additional configuration, this link will carry traffic between the two switches, but only traffic for the VLAN that the two ports belong to, VLAN 1. A link of this type, where only traffic for a single VLAN is passed, is referred to as an "access link"; it is not yet a trunk. While an access link does the job for a single-VLAN environment, multiple access links, one per VLAN, would be required if you wanted traffic from multiple VLANs to be passed between switches. Having multiple access links between the same pair of switches would be a big waste of switch ports. Obviously another solution is required when traffic for multiple VLANs needs to be transferred across a single link. The solution for this comes through the use of VLAN tagging.
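As an added example that is not part of the original article, the following Python model reproduces the behaviour described in the last two sections: per-VLAN MAC learning and flooding on a Layer 2 switch, and an untagged switch-to-switch link that carries only the single VLAN its two ports belong to. The topology, port numbers and MAC addresses are constructed for the illustration. No router is modelled, which is exactly why the VLAN 1 and VLAN 99 hosts never reach each other here.

```python
"""Toy Layer 2 switch model: VLAN-scoped learning and flooding across an access link."""

BROADCAST = "ff:ff:ff:ff:ff:ff"


class Switch:
    """Forwarding behaviour of a VLAN-aware Layer 2 switch, reduced to the essentials:
    a port belongs to exactly one VLAN, MAC learning is per VLAN, and broadcast and
    unknown-unicast frames are flooded only to ports in the ingress VLAN."""

    def __init__(self, name, port_vlans):
        self.name = name
        self.port_vlans = dict(port_vlans)   # port number -> VLAN ID the port is a member of
        self.mac_table = {}                  # (vlan, mac) -> port the MAC was learned on
        self.hosts = {}                      # port -> MAC of the host attached there
        self.links = {}                      # port -> (peer switch, peer port)
        self.delivered = []                  # (host mac, dst, src) frames handed to attached hosts

    def attach_host(self, port, mac):
        self.hosts[port] = mac

    def connect(self, port, peer, peer_port):
        """An untagged switch-to-switch link. Each end classifies whatever arrives as
        belonging to its own port's VLAN, so the link carries exactly one VLAN: an access link."""
        self.links[port] = (peer, peer_port)
        peer.links[peer_port] = (self, port)

    def receive(self, port, dst, src):
        vlan = self.port_vlans[port]
        self.mac_table[(vlan, src)] = port               # learn the sender, scoped to its VLAN
        known = self.mac_table.get((vlan, dst))
        if dst != BROADCAST and known is not None:
            out_ports = [] if known == port else [known]  # known unicast: forward to one port
        else:
            out_ports = [p for p, v in self.port_vlans.items() if v == vlan and p != port]
        for out in out_ports:
            if out in self.hosts:
                self.delivered.append((self.hosts[out], dst, src))
            elif out in self.links:
                peer, peer_port = self.links[out]
                peer.receive(peer_port, dst, src)         # untagged; peer uses its own port's VLAN


def build_lab():
    """Constructed topology: two switches joined on port 12 by an access link in VLAN 1.
    Ports 1-2 are VLAN 1 and ports 3-4 are VLAN 99 on SwitchA; SwitchB mirrors ports 1 and 3."""
    a = Switch("SwitchA", {1: 1, 2: 1, 3: 99, 4: 99, 12: 1})
    b = Switch("SwitchB", {1: 1, 3: 99, 12: 1})
    a.connect(12, b, 12)
    a.attach_host(1, "00:00:00:00:00:a1")
    a.attach_host(3, "00:00:00:00:00:a3")
    b.attach_host(1, "00:00:00:00:00:b1")
    b.attach_host(3, "00:00:00:00:00:b3")
    return a, b


def recipients(switches, sender, port, dst):
    """Send one frame from the host on `port` of `sender` and return the MACs of every host,
    on any switch, whose port the frame was forwarded out of."""
    for s in switches:
        s.delivered.clear()
    sender.receive(port, dst, sender.hosts[port])
    return sorted(mac for s in switches for mac, _, _ in s.delivered)


if __name__ == "__main__":
    a, b = build_lab()
    lab = [a, b]
    print(recipients(lab, a, 1, BROADCAST))            # ['00:00:00:00:00:b1']: VLAN 1 spans both switches
    print(recipients(lab, a, 3, BROADCAST))            # []: VLAN 99 cannot cross the VLAN 1 access link
    print(recipients(lab, b, 1, "00:00:00:00:00:a1"))  # ['00:00:00:00:00:a1']: learned from the first broadcast
    print(recipients(lab, a, 1, "00:00:00:00:00:a3"))  # ['00:00:00:00:00:b1']: flooded in VLAN 1, a3 never sees it
```

The first two results are the point of the section: a broadcast from the VLAN 1 host on SwitchA reaches the VLAN 1 host on SwitchB over the access link, while a broadcast from the VLAN 99 host on SwitchA reaches nothing, because the only link between the switches belongs to VLAN 1. Carrying VLAN 99 across that link needs either a second access link or tagging, and reaching a3 from a1 needs a router with an interface in each VLAN.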
VLAN Tagging
When you want traffic from multiple VLANs to be able to traverse a link that interconnects two switches, you need to configure a VLAN tagging method on the ports that supply the link. Although there are a number of tagging methods in use for different technologies, the two that you need to be aware of for the purpose of the CCNA exam are known as Inter-Switch Link (ISL) and IEEE 802.1Q. ISL is a Cisco proprietary VLAN tagging method, while 802.1Q is an open standard. When interconnecting two Cisco switches, ISL is usually the best choice, but if you need to interconnect switches of different types (a Cisco switch and an Avaya switch, for example), then you'll need to use 802.1Q.
For the CCNA exam, the only thing that you really need to know about 802.1Q is that it is the open standard for VLAN tagging, and should be used in mixed environments. The exam expects you to have a somewhat deeper understanding of ISL, including how it works, when it can be used, and ultimately, its purpose.
First and foremost, you need to be aware that ISL will only function on ports with a speed of 100 Mbps or greater. That is, you cannot use ISL in conjunction with a 10 Mbps port. That shouldn't be an issue, since most Cisco Catalyst switches provide at least one or two Fast Ethernet ports, even on lower-end models like the 1912. Secondly, the ports on either end of the link need to support and be configured for ISL.
ISL is referred to as a VLAN tagging method. Essentially, what ISL does is tag a frame as it leaves a switch with information about the VLAN that the frame belongs to. For example, if a frame from VLAN 99 is leaving a switch, the ISL port will encapsulate the frame with an ISL header designating that the frame is part of VLAN 99. When this ISL frame reaches the port at the other end of the link, that port will look at the ISL header, determine that the frame is meant for VLAN 99, strip off the ISL information, and forward it into VLAN 99. One of the issues with VLAN tagging is that by adding information to an Ethernet frame, the size of the frame can grow beyond the Ethernet maximum of 1518 bytes. ISL wraps the original frame in a 26-byte header and a new 4-byte CRC, so a maximum-size frame becomes 1548 bytes; 802.1Q instead inserts a 4-byte tag into the existing header, for a maximum of 1522 bytes. Because of this, ports that don't understand the tagging method in use will see frames larger than 1518 bytes as giants, and as such, invalid. This is the reason why a port needs to be configured for ISL in order for it to understand this different frame format.
Once VLAN tagging is configured on the ports associated with the link connecting two switches, the link is known as a "trunk link". A trunk link is capable of transferring frames from many different VLANs through the use of technologies like ISL or 802.1Q.
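The tag-and-strip sequence just described, written out in Python as an added example that is not from the original article. It uses the open-standard 802.1Q format rather than ISL, because its layout (a 0x8100 type field followed by a 16-bit tag, inserted after the source address) is fully public. The frame is constructed with a 1500-byte payload so that the size problem mentioned above is visible, and the FCS is recomputed with zlib's CRC-32, which is the same polynomial Ethernet uses.

```python
"""Build, tag, parse and strip IEEE 802.1Q frames, and show why an untagged port rejects them."""
import struct
import zlib

TPID_8021Q = 0x8100         # Tag Protocol Identifier: marks the frame as 802.1Q tagged
ETH_MAX_UNTAGGED = 1518     # 14-byte header + 1500-byte payload + 4-byte FCS
ETH_MAX_TAGGED = 1522       # the same frame with a 4-byte 802.1Q tag inserted


def _fcs(data: bytes) -> bytes:
    """Ethernet FCS: IEEE CRC-32 (the algorithm zlib implements), little-endian on the wire."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    """Untagged Ethernet II frame: DA, SA, EtherType, payload, FCS."""
    body = dst + src + struct.pack("!H", ethertype) + payload
    return body + _fcs(body)


def add_8021q_tag(frame: bytes, vlan_id: int, pcp: int = 0, dei: int = 0) -> bytes:
    """Insert TPID + TCI after the source address, as a trunk port does on egress.
    VLAN 0 means 'priority tag only' and 4095 is reserved, so neither may be assigned."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be in 1..4094")
    body = frame[:-4]                                   # the old FCS no longer covers the right bytes
    tci = (pcp & 0x7) << 13 | (dei & 0x1) << 12 | vlan_id
    tagged = body[:12] + struct.pack("!HH", TPID_8021Q, tci) + body[12:]
    return tagged + _fcs(tagged)


def parse_frame(frame: bytes) -> dict:
    """Decode the header; vlan_id is None for an untagged frame."""
    if len(frame) < 18:
        raise ValueError("runt frame")
    body, fcs = frame[:-4], frame[-4:]
    ethertype = struct.unpack("!H", body[12:14])[0]
    vlan_id = pcp = None
    offset = 14
    if ethertype == TPID_8021Q:                          # tagged: real EtherType follows the TCI
        tci = struct.unpack("!H", body[14:16])[0]
        pcp, vlan_id = tci >> 13, tci & 0x0FFF
        ethertype = struct.unpack("!H", body[16:18])[0]
        offset = 18
    return {"dst": body[:6], "src": body[6:12], "vlan_id": vlan_id, "pcp": pcp,
            "ethertype": ethertype, "payload": body[offset:], "fcs_ok": fcs == _fcs(body)}


def strip_8021q_tag(frame: bytes) -> bytes:
    """Remove the tag on the receiving trunk port before forwarding the frame into its VLAN."""
    if parse_frame(frame)["vlan_id"] is None:
        return frame
    body = frame[:12] + frame[16:-4]                     # drop the 4 tag bytes, recompute FCS
    return body + _fcs(body)


def access_port_verdict(frame: bytes) -> str:
    """What a port that knows nothing about tags makes of a frame: over 1518 bytes is a giant."""
    if len(frame) > ETH_MAX_UNTAGGED:
        return "giant"
    if not parse_frame(frame)["fcs_ok"]:
        return "crc-error"
    return "ok"


# Constructed sample: a maximum-size IPv4 frame between two hosts in VLAN 99.
HOST_A = bytes.fromhex("02000000000a")
HOST_B = bytes.fromhex("02000000000b")
untagged = build_frame(HOST_B, HOST_A, 0x0800, b"\x45" + b"\x00" * 1499)   # 1500-byte payload
tagged = add_8021q_tag(untagged, vlan_id=99)

if __name__ == "__main__":
    print(len(untagged), len(tagged))             # 1518 1522
    print(parse_frame(tagged)["vlan_id"])         # 99
    print(access_port_verdict(tagged))            # giant
    print(strip_8021q_tag(tagged) == untagged)    # True
```

The `access_port_verdict` call is why both ends of the link must be configured for the same method: a port that does not understand the tag sees a 1522-byte frame, counts it as a giant and discards it, even though the same frame is perfectly well-formed to a trunk port. An ISL-encapsulated frame, at up to 1548 bytes, is rejected by an ordinary port for the same reason.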
Rather than dedicating a separate router interface and switch port to each VLAN, a better strategy is to configure ISL tagging on one of the router's Fast Ethernet interfaces, and then configure ISL on the connected switch port. This configuration, also known as "router on a stick", allows the router to process the traffic of multiple VLANs over that single link, and route traffic between them. We'll get into the details of routing within the next few articles.
Beyond its intended purpose of configuring trunk links between switches, ISL is often used in other ways. For example, it is possible to purchase network interface cards that support ISL. If a server were configured with an ISL-capable network card, it could be connected to an ISL port on a switch. This would allow the server to be made part of multiple VLANs simultaneously, the benefit being that hosts from different broadcast domains could then access the server without the need for their packets to be routed. While this may seem like a perfect solution, you need to remember that the server would now see all traffic from these VLANs, which could negatively impact performance. It also places the server directly in every one of those broadcast domains at once, outside whatever access lists the router between them applies, so a compromise of that server is a foothold on all of them.