Here are my current notes about VLANs as I prepare for the CCNA exam. I have broken this down into a few sections; you can click the links below to go to the corresponding section within this blog post. Please comment below if there is information you would like me to add. This is a working post that will be updated and edited over the next two or three weeks.
But before we dive in, you know what? VLANs can be confusing at first; most things are complex and hard to understand at first. 🙂 But don't give up, keep at it and it will make sense. I'm still learning and adding to my knowledge of VLANs all the time. If you have questions you can always ask at the bottom of this post or send me a message using the "Contact" link above.
VLANs 101
- VLANs were created to segment one switched network into separate broadcast domains. Before VLANs, that segmentation needed a separate physical switch (or a separate router interface) per segment. VLANs give you isolation at Layer 2; whether that isolation is a security boundary depends on what you allow through the router or Layer 3 switch that joins the VLANs.
- A VLAN is a broadcast domain. By convention one VLAN maps to one IP subnet, so "VLAN", "subnet" and "broadcast domain" are often used interchangeably, but they are not synonyms: nothing stops two subnets from living in one VLAN.
- To carry several VLANs between switches you configure a trunk port. Cisco calls it a trunk port; most other vendors call it a tagged port. Every frame sent over a trunk is tagged with its VLAN ID using an 802.1Q tag: a 4-byte field (TPID 0x8100, then 3 bits of priority, 1 DEI bit and a 12-bit VLAN ID) inserted into the Ethernet header between the source MAC and the EtherType. It is not a separate layer between the data-link and network layers, just an extra field in the frame header.
- Go to the port you want to change and type
switchport mode ?
You see the modes a port can have: access, dynamic (auto or desirable) and trunk. Dynamic is neither best practice nor recommended. To make a port an access port and put it in a VLAN:
switchport mode access
switchport access vlan vlan-number
- To configure multiple ports at a time:
interface range g1/0/1 - 18
- We can also combine several ranges and single ports:
interface range g1/0/1 - 18 , g1/0/20 - 24 , g3/0/5 - 48 , g5/0/5 , g7/0/22 - 24
- To enable a trunk on a port (the encapsulation command is only needed, and only accepted, on switches that also support ISL):
switchport trunk encapsulation dot1q
switchport mode trunk
By default this allows all VLANs (1-4094) to be carried over the trunk link. To restrict the link to specific VLANs, use the allowed-VLAN command:
switchport trunk allowed vlan 1,2,3,4
- To see trunks:
show interfaces trunk
- To get a port's VLAN and trunking status:
show interfaces fastEthernet 0/1 switchport
- Routers do not forward broadcast traffic; switches flood it to every port in the same VLAN.
Default VLAN
- Frames cross a trunk without an 802.1Q tag in the following cases. The switch that receives an untagged frame on a trunk assigns it to that trunk's native VLAN, which is VLAN 1 unless you change it with switchport trunk native vlan.
- The switch originated the traffic. E.g., every Cisco switch runs CDP (Cisco Discovery Protocol) out of the box; every 60 seconds it sends a multicast frame to discover neighbours, and on a trunk that frame goes untagged on the native VLAN. Telnet or SSH to the switch lands on whichever VLAN holds the management SVI, by default VLAN 1, which is also the default VLAN every port starts in.
- Pass-through devices. An IP phone is a pass-through device: the computer plugs into the phone, which has a small internal switch. The phone tags its own voice frames with the voice VLAN; the computer knows nothing about VLANs (its NIC normally ignores or strips tagged frames) and sends untagged frames, so those land in the port's access (data) VLAN.
- Because untagged traffic on a trunk ends up in the native VLAN, the usual hardening is to make the native VLAN an otherwise unused VLAN on every trunk and to keep user ports off VLAN 1.
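The tag described under VLANs 101 and the untagged-frame rule described in this section, worked through in code. This is an added example written for these notes, not code from the original post or from Cisco: it builds and parses the 4-byte 802.1Q field and shows that a frame without one is attributed to whatever native VLAN the receiving trunk is configured with. The sample ARP frame and MAC addresses are constructed for the example.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that says "an 802.1Q tag follows"

# Constructed sample frame (not a capture): a broadcast ARP request as a host's
# NIC would put it on the wire, i.e. without any VLAN tag. Body zeroed on purpose.
UNTAGGED_ARP = (
    bytes.fromhex("ffffffffffff")      # destination MAC: broadcast
    + bytes.fromhex("0200c0a80a0a")    # source MAC: locally administered, made up
    + struct.pack("!H", 0x0806)        # EtherType: ARP
    + bytes(28)                        # ARP body; contents irrelevant here
)


def tag_frame(untagged: bytes, vid: int, pcp: int = 0) -> bytes:
    """Insert an 802.1Q tag between the source MAC and the EtherType.

    This is what a switch does when it forwards a frame from an access port in
    VLAN `vid` out of a trunk (unless `vid` is that trunk's native VLAN).
    """
    if not 1 <= vid <= 4094:
        raise ValueError("VLAN ID must be 1..4094")
    if not 0 <= pcp <= 7:
        raise ValueError("priority code point is 3 bits")
    tci = (pcp << 13) | vid  # TCI: PCP in the top 3 bits, DEI (bit 12) clear, VID low 12 bits
    return untagged[:12] + struct.pack("!HH", TPID_8021Q, tci) + untagged[12:]


def classify_frame(frame: bytes, native_vlan: int = 1) -> dict:
    """Decide which VLAN a frame arriving on a trunk belongs to.

    A tagged frame carries its VLAN in the tag. An untagged frame has no say in
    the matter: the receiving trunk puts it in its native VLAN.
    """
    if len(frame) < 14:
        raise ValueError("runt frame")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("frame truncated inside the 802.1Q tag")
        tci, inner_type = struct.unpack("!HH", frame[14:18])
        return {"tagged": True, "vlan": tci & 0x0FFF, "pcp": tci >> 13,
                "ethertype": inner_type, "payload": frame[18:]}
    return {"tagged": False, "vlan": native_vlan, "pcp": 0,
            "ethertype": ethertype, "payload": frame[14:]}


def strip_tag(frame: bytes) -> bytes:
    """Remove the 802.1Q tag, as a switch does before sending a frame out an access port."""
    if not classify_frame(frame)["tagged"]:
        return frame
    return frame[:12] + frame[16:]  # drop TPID (12..13) and TCI (14..15)


if __name__ == "__main__":
    tagged = tag_frame(UNTAGGED_ARP, 10, pcp=5)
    print("tagged  :", classify_frame(tagged))
    print("untagged on trunk with native VLAN 99:", classify_frame(UNTAGGED_ARP, native_vlan=99)["vlan"])
```

The second print is the whole point of changing the native VLAN: the same untagged frame lands in VLAN 1 on a default trunk and in VLAN 99 on a hardened one, so an unused native VLAN keeps stray untagged traffic away from anything that matters.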
Dynamic Trunking Protocol (DTP)
- Trunking lets you carry multiple VLANs across a single port. To list the trunks on a switch:
show interfaces trunk
- Cisco calls it trunking; most other vendors call it tagging.
- When enabling trunk ports, use a manual configuration instead of dynamic negotiation.
- Dynamic Trunking Protocol (DTP) is enabled by default on Cisco Catalyst switches.
- The default DTP mode is dynamic auto on current Catalyst platforms (some older models defaulted to dynamic desirable). A port in dynamic desirable actively sends DTP frames saying it wants to be a trunk. An ordinary computer or server never answers DTP, so the port simply stays an access port, and that is the security risk: anything that does answer, whether a rogue switch plugged into that port or an attacker's host sending its own DTP frames, can negotiate a trunk with the switch. With a trunk the attacker can send and receive frames in any VLAN the trunk carries. That is the switch-spoofing form of VLAN hopping.
- For switchport mode, only use access or trunk.
- switchport mode dynamic has two options; type
switchport mode dynamic ?
to see both.
- Dynamic auto is the passive side: "I'll trunk if you ask me to." It sends no DTP requests of its own, but if the switch on the other end is dynamic desirable and sends DTP frames asking to trunk, the auto side answers and the link becomes a trunk. Two ports both set to auto never trunk; both are passive and one of them needs to be the active one.
- Both sides desirable: you have a trunk.
- One side auto, the other desirable: you have a trunk.
- Both sides auto: you don't have a trunk.
- One side set to trunk manually still sends DTP frames, so if the other side is auto, desirable or trunk, you have a trunk.
- The best method is to set the port to trunk manually and disable DTP on it, so no DTP frames are sent at all:
switchport mode trunk
switchport nonegotiate
Do the same on the far end: with nonegotiate on only one side, a dynamic port on the other side never hears a DTP frame and stays in access mode, and you end up with a trunk/access mismatch instead of a trunk. Ports that face end hosts should get switchport mode access, which means they will never negotiate a trunk whatever the host sends.
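The negotiation rules above (desirable/auto/trunk combinations, plus what nonegotiate changes) as an added example written for these notes; it is not from the original post or from Cisco. It models a port as a (switchport mode, nonegotiate) pair and answers two questions: does a trunk form between two given ports, and is a port configuration safe to hand to an end host, where "unsafe" means the port is a trunk or can be talked into becoming one. The port descriptions are constructed for the example.

```python
from typing import Dict, Tuple

MODES = ("access", "trunk", "dynamic auto", "dynamic desirable")

# A port is (switchport mode, nonegotiate configured?). Constructed model, not IOS output.
Port = Tuple[str, bool]


def trunk_forms(a: Port, b: Port) -> bool:
    """Return True if the link between ports a and b ends up as a trunk.

    Encodes the DTP outcomes from the notes: desirable+desirable, desirable+auto
    and trunk+dynamic all trunk; auto+auto does not; an access port never trunks;
    and a trunk port with nonegotiate sends no DTP, so a dynamic far end stays access.
    """
    for mode, nonegotiate in (a, b):
        if mode not in MODES:
            raise ValueError(f"unknown switchport mode {mode!r}")
        if nonegotiate and mode.startswith("dynamic"):
            # IOS refuses 'switchport nonegotiate' on a dynamic port: it would have nothing to do
            raise ValueError("nonegotiate is only valid with switchport mode access or trunk")
    (mode_a, noneg_a), (mode_b, noneg_b) = a, b
    if "access" in (mode_a, mode_b):
        return False                      # access ports do not trunk, whatever the far side wants
    if mode_a == "trunk" and mode_b == "trunk":
        return True                       # both hard-coded; DTP is irrelevant
    if mode_a == "trunk":
        return not noneg_a                # the dynamic side only trunks if it hears DTP
    if mode_b == "trunk":
        return not noneg_b
    # both sides dynamic: somebody has to ask
    return "dynamic desirable" in (mode_a, mode_b)


def unsafe_for_end_host(port: Port) -> bool:
    """True if a device plugged into this port could end up on a trunk.

    A manual trunk already is one, so anything attached can send tagged frames;
    a dynamic port can be negotiated into one by a device that speaks DTP
    (modelled here as a far end in dynamic desirable). Only access mode is safe.
    """
    mode, _ = port
    if mode == "trunk":
        return True
    return trunk_forms(port, ("dynamic desirable", False))


def negotiation_table() -> Dict[Tuple[str, str], bool]:
    """Every mode pairing without nonegotiate, for inspection."""
    return {(x, y): trunk_forms((x, False), (y, False)) for x in MODES for y in MODES}


if __name__ == "__main__":
    for (x, y), result in sorted(negotiation_table().items()):
        print(f"{x:18} <-> {y:18} : {'trunk' if result else 'no trunk'}")
    print("default 'dynamic auto' port facing a host is unsafe:", unsafe_for_end_host(("dynamic auto", False)))
```

The table makes the practical rule visible: every pairing that involves a dynamic mode has at least one partner that turns it into a trunk, which is why a port left at the default dynamic auto is a VLAN-hopping foothold until someone types switchport mode access on it.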
Voice
interface FastEthernet 0/10
description IP Phone
switchport mode access
switchport access vlan 10
switchport voice vlan 20
- The port doesn't need to be configured as a trunk; this is a special case where a data VLAN and a voice VLAN share one access port. The phone tags its voice frames with VLAN 20 while the untagged PC frames land in VLAN 10, so voice and data stay on separate VLANs without handing the phone port a full trunk.
Limiting or adding VLANs to trunk
- Go under the trunk interface and type
switchport trunk allowed vlan vlan-list
with the complete list of allowed VLANs, not just the one you are adding! Let's say you have allowed VLANs 10, 20, 30 and 99 on a trunk and you type
switchport trunk allowed vlan 150
Now only VLAN 150 is allowed and you have just removed the other VLANs that were defined previously. To change the list without replacing it, use the keywords add, remove, except, all or none:
switchport trunk allowed vlan add 150
Verify with show interfaces trunk, which lists both the VLANs allowed on the trunk and the ones that are allowed and active.
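The replace-versus-add behaviour above, modelled in code as an added example written for these notes (not from the original post or from Cisco IOS itself). It parses IOS-style VLAN lists such as 10,20,30-40, applies the bare-list, add, remove, except, all and none forms of the command to a trunk's allowed set, and prints the result back in the compressed range syntax that show interfaces trunk uses. The starting allowed list is constructed for the example.

```python
from typing import Iterable, Set

ALL_VLANS = frozenset(range(1, 4095))


def parse_vlan_list(text: str) -> Set[int]:
    """Parse an IOS VLAN list such as '10,20,30-40' into a set of VLAN IDs."""
    vlans: Set[int] = set()
    for part in text.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            if lo > hi:
                raise ValueError(f"bad range {part!r}")
            vlans.update(range(lo, hi + 1))
        else:
            vlans.add(int(part))
    out_of_range = sorted(v for v in vlans if v not in ALL_VLANS)
    if out_of_range:
        raise ValueError(f"VLAN IDs out of range: {out_of_range}")
    return vlans


def format_vlan_list(vlans: Iterable[int]) -> str:
    """Compress a set of VLAN IDs into the range syntax IOS prints ('10,20,30-32,99')."""
    ids = sorted(set(vlans))
    pieces = []
    i = 0
    while i < len(ids):
        start = ids[i]
        while i + 1 < len(ids) and ids[i + 1] == ids[i] + 1:
            i += 1
        end = ids[i]
        pieces.append(str(start) if start == end else f"{start}-{end}")
        i += 1
    return ",".join(pieces)


def apply_allowed_vlan(current: Iterable[int], args: str) -> Set[int]:
    """Model 'switchport trunk allowed vlan <args>' on a trunk whose allowed list is `current`."""
    tokens = args.strip().split(None, 1)
    if not tokens:
        raise ValueError("missing VLAN list")
    keyword = tokens[0].lower()
    rest = tokens[1] if len(tokens) > 1 else ""
    current = set(current)
    if keyword == "all":
        return set(ALL_VLANS)
    if keyword == "none":
        return set()
    if keyword in ("add", "remove", "except"):
        if not rest:
            raise ValueError(f"'{keyword}' needs a VLAN list")
        if keyword == "add":
            return current | parse_vlan_list(rest)
        if keyword == "remove":
            return current - parse_vlan_list(rest)
        return set(ALL_VLANS) - parse_vlan_list(rest)
    # A bare list is a replacement, not an addition: the footgun from the notes.
    return parse_vlan_list(args)


if __name__ == "__main__":
    allowed = {10, 20, 30, 99}                     # constructed starting point
    print("before                :", format_vlan_list(allowed))
    print("'allowed vlan 150'    :", format_vlan_list(apply_allowed_vlan(allowed, "150")))
    print("'allowed vlan add 150':", format_vlan_list(apply_allowed_vlan(allowed, "add 150")))
```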
Inter-VLAN Routing
Router With Separate Interfaces
- There is typically a one-to-one relationship between an IP subnet and a VLAN in the LAN campus. For example, Engineering hosts are in IP subnet 10.10.10.0/24 and VLAN 10, and Sales hosts are in IP subnet 10.10.20.0/24 and VLAN 20. Hosts are segregated at Layer 3 by being in different IP subnets, and at Layer 2 by being in different VLANs. Hosts in different IP subnets need to send traffic via a router to communicate with each other.
Router On A Stick
- Let's say we want to use fastEthernet 0/1. We could type
interface fastEthernet 0/1.?
to see the options. If the subinterface is for VLAN 10, we would write:
interface fastEthernet 0/1.10
The subinterface number doesn't have to be 10, but it's good to align it with the VLAN it serves.
- Before we can assign an IP address to that subinterface we must tell it which VLAN tag it handles, with
encapsulation dot1Q 10
if the VLAN number is 10.
- The physical interface that hosts the subinterfaces does not need an IP address, but it must be up:
interface FastEthernet 0/1
no ip address
no shutdown
interface FastEthernet 0/1.20
encapsulation dot1q 20
ip address 10.10.20.1 255.255.255.0
- Remember to make the port on the switch that's connected to the Router a trunk port.
- If we want to route the native VLAN (VLAN 1 by default) through a subinterface, the router has to treat untagged frames as belonging to it:
encapsulation dot1Q 1 native
- ip default-gateway on a switch only takes effect when ip routing is disabled, i.e. when the switch is acting as a Layer 2 device with a management SVI. Once you turn on ip routing, the switch ignores ip default-gateway and you need a static default route instead (ip route 0.0.0.0 0.0.0.0 next-hop).
Layer 3 Switch
- Uses SVI (Switch Virtual Interfaces) to route between different VLANs.
- The command
ip routing
in global configuration mode turns on routing on a Layer 3 capable switch.
- If the switch does not accept the ip routing command, upgrade to either an SMI image of Cisco IOS Software Release 12.1(11)EA1 or later, or an EMI image, and repeat this step.
- A port that connects the switch to a router (or another Layer 3 device) is configured as a routed port with
no switchport
and then given an IP address. no switchport converts the port from a Layer 2 switch port into a Layer 3 port; without it, the port can't take an IP address.
- I have seen people post this question on the Cisco forum, so I want to write it down in my notes since I made the same mistake once myself. 🙂
- It is not enough to create the VLAN. Let's say we created VLAN 199 and named it Sales:
vlan 199
name Sales
That only means VLAN 199 now exists in the VLAN database. We have not created the VLAN interface (the SVI).
- If we do
show ip interface brief
we will not see that VLAN under the interfaces.
- To create the VLAN interface we must do the following:
interface vlan 199
no shutdown
This creates the actual VLAN 199 interface and drops us into the CLI for it; typing ? there shows the options now available, such as assigning its IP address. Remember the no shutdown.
- If you do a no shutdown on the VLAN interface and it still shows the protocol as down, the line protocol is down because nothing is up in that VLAN: an SVI only comes up when the VLAN exists in the VLAN database and at least one port that carries it (an access port in VLAN 199, or an up trunk that allows VLAN 199) is up.
- Remember to do
show vlan
and check that the VLAN is assigned to at least one physical interface.
- Here is Keith Barker's video on Inter-Vlan Routing.
VTP VLAN Trunking Protocol
- VTP is not a trunking protocol!
- The Cisco Press book ignores and disables VTP all together. I still want to understand it, know how to use it and be prepared for any situation that could happen in the future.
- To check VTP on a switch:
show vtp status
- The default VTP operating mode is server.
- There are three modes: server, client and transparent. A server can create, delete and rename VLANs and advertises them to the domain; a client can't add or delete VLANs and takes its VLAN database from the servers; transparent forwards VTP advertisements out its trunks but does not process them and keeps its own locally configured VLANs. Transparent mode is effectively how you opt out of VTP (VTP version 3 also offers vtp mode off). To set or change the VTP mode in global config:
vtp mode {client | server | transparent}
- In global configuration mode type
vtp ?
to see the options. The current domain name, mode, version and configuration revision are all shown by show vtp status.
- For VTP to work you must set a domain name. In global config mode:
vtp domain domain-name
- Be careful if using VTP: if you introduce a switch with a higher configuration revision number into the domain (say, a lab switch that once sat in a domain with the same name), every server and client accepts its VLAN database and it can wipe out all your production VLANs. Set a VTP password (vtp password), and reset a switch's revision to 0 before adding it by putting it in transparent mode and back, or by changing its domain name.
- DTP frames carry the VTP domain name. If the domain names differ on neighbouring switches, DTP will not negotiate a trunk between them; manually configured trunks with nonegotiate are unaffected because they don't use DTP.
- To see whether a VTP password is set:
show vtp password
- To see whether the error counters are growing:
show vtp counters
- See also Cisco's VTP troubleshooting documentation.
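The revision-number wipe-out described above, modelled as an added example written for these notes (not from the original post or from Cisco). It represents each switch's VTP state as a small record and applies the acceptance rules a server or client uses when a summary advertisement arrives: same domain, same password, higher revision, and never in transparent mode. The switches, VLAN names and password are constructed for the example; real VTP compares an MD5 digest rather than the plain password string.

```python
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple


@dataclass
class VtpSwitch:
    name: str
    mode: str                                   # "server", "client" or "transparent"
    domain: str                                 # "" means no domain configured yet
    revision: int                               # configuration revision number
    vlans: Dict[int, str] = field(default_factory=dict)   # VLAN id -> name
    password: str = ""                          # real VTP carries an MD5 digest; plain string here


def receive_summary(local: VtpSwitch, adv: VtpSwitch) -> Tuple[bool, str, Set[int]]:
    """Model what `local` does with a VTP summary advertisement sent by `adv`.

    Returns (accepted, reason, vlans_lost). On acceptance the local VLAN
    database and revision are overwritten, which is exactly how a stray switch
    with a higher revision deletes production VLANs across a whole domain.
    """
    if local.mode == "transparent":
        return False, "transparent mode: relayed on trunks, not processed", set()
    if local.domain == "":
        local.domain = adv.domain            # a switch with no domain adopts the first one it hears
    if adv.domain != local.domain:
        return False, "domain name mismatch", set()
    if adv.password != local.password:
        return False, "password digest mismatch", set()
    if adv.revision <= local.revision:
        return False, f"revision {adv.revision} not higher than local {local.revision}", set()
    lost = set(local.vlans) - set(adv.vlans)
    local.vlans = dict(adv.vlans)
    local.revision = adv.revision
    return True, f"database replaced from {adv.name}", lost


def reset_revision(sw: VtpSwitch) -> VtpSwitch:
    """The standard precaution before plugging a switch in: moving it to transparent
    mode and back (or changing its domain name) resets the revision to 0."""
    sw.revision = 0
    return sw


if __name__ == "__main__":
    # Constructed scenario: a production server with 4 VLANs meets a forgotten lab switch.
    core = VtpSwitch("core", "server", "CORP", 12,
                     {1: "default", 10: "Engineering", 20: "Sales", 99: "Management"}, "s3cret")
    lab = VtpSwitch("lab", "server", "CORP", 50, {1: "default"}, "s3cret")
    accepted, reason, lost = receive_summary(core, lab)
    print(reason, "- VLANs lost:", sorted(lost))
```

Run as written, the production server drops VLANs 10, 20 and 99 the moment the lab switch is trunked in, because 50 beats 12 and everything else matches. Change the lab switch's password, or run reset_revision on it first, and the advertisement is ignored.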
So these are my CCNA notes about VLANs. I hope my write up helped you out and I will keep adding to it. Remember to lab all the time, read, watch videos and if your motivation is running low, follow people online and in real life that keep you passionate and motivated towards the goals you are working towards.