Posts Tagged ‘MAC’

VLANs, trunking and VTP

July 3, 2012

Virtual LANs

If you think of a pure Layer 2 switch, then all hosts connected to it are treated as a single LAN, even though they might belong to several different LANs. It means that when a broadcast frame (or a frame to a host with an unknown MAC) comes in, it is flooded to all ports. This is insecure and it can overwhelm mid-size to large networks, which is why the concept of VLANs, as well as the IEEE 802.1Q, ISL and VTP protocols, were developed. A VLAN restricts Ethernet traffic to a particular set of ports. In almost all cases a VLAN consists of hosts from one network. To create a VLAN you run:

configure terminal
interface range FastEthernet 0/15 - 16
switchport access vlan 2

Since VLAN 2 doesn't exist yet, it is created, and ports 15 and 16 are placed in VLAN 2. VLAN 1 is the default VLAN, where all ports initially reside, and it is reserved.

VLAN Trunking

Now let's consider a situation where hosts from one network are connected to two switches. It's rare, but possible. For example, you have a network with 100 Mbit devices (tape library, UPS NMC) and 1000 Mbit devices (storage, servers), and you don't want to waste 1000 Mbit ports on 100 Mbit devices, so you connect those to a second 100 Mbit switch. Now, when a host on one switch sends a frame to an unknown host on the other switch (or sends a broadcast frame) and the frame is flooded, the switch on the other side needs to know which VLAN it came from. Otherwise it has to discard the frame, since it floods frames only inside VLANs and the VLAN ID is unknown in this case. Here you need to configure the link between the switches as a trunk. It means that before sending the frame the switch marks it with the VLAN ID, and the other switch forwards it only to ports in that VLAN. There are two VLAN trunking protocols: the proprietary Cisco ISL (outdated) and IEEE 802.1Q (most used). By default Cisco switches are configured to negotiate trunking if asked to do so, but you need to configure the switch on one side to initiate the negotiation:

configure terminal
interface GigabitEthernet 0/1
switchport mode dynamic desirable
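The tagging that a trunk port performs is a fixed 4-byte field inserted into the Ethernet header. The Python below is an added example (not code from the original post) that builds a constructed broadcast ARP frame, inserts an 802.1Q tag the way a trunk egress would, strips it again the way an access egress would, and parses either form. The MAC addresses, VLAN ID and payload bytes are made up for the demonstration; the TPID value 0x8100 and the TCI layout (3-bit priority, 1-bit DEI, 12-bit VLAN ID) are the standard ones.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value announcing that an 802.1Q tag follows


def mac_to_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def bytes_to_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_untagged_frame(dst: str, src: str, ethertype: int, payload: bytes) -> bytes:
    """Plain Ethernet II header: dst MAC, src MAC, EtherType, then payload (FCS omitted)."""
    return mac_to_bytes(dst) + mac_to_bytes(src) + struct.pack("!H", ethertype) + payload


def add_vlan_tag(frame: bytes, vid: int, pcp: int = 0, dei: int = 0) -> bytes:
    """Insert a 4-byte 802.1Q tag after the source MAC, as a trunk port does on egress.

    The tag is the TPID (0x8100) followed by the TCI: 3-bit priority (PCP),
    1-bit drop-eligible indicator (DEI) and the 12-bit VLAN ID.
    """
    if not 1 <= vid <= 4094:
        raise ValueError("VID must be 1..4094; 0 and 4095 are reserved")
    if not 0 <= pcp <= 7 or dei not in (0, 1):
        raise ValueError("PCP must be 0..7 and DEI must be 0 or 1")
    tci = (pcp << 13) | (dei << 12) | vid
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def strip_vlan_tag(frame: bytes) -> bytes:
    """Remove the 802.1Q tag, as an access port does before handing the frame to a host."""
    if struct.unpack("!H", frame[12:14])[0] != TPID_8021Q:
        return frame  # already untagged
    return frame[:12] + frame[16:]


def parse_frame(frame: bytes) -> dict:
    """Dissect the header; 'vid' and 'pcp' are None for an untagged frame."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    info = {"dst": bytes_to_mac(frame[:6]), "src": bytes_to_mac(frame[6:12]),
            "vid": None, "pcp": None}
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, inner_type = struct.unpack("!HH", frame[14:18])
        info.update(vid=tci & 0x0FFF, pcp=tci >> 13, ethertype=inner_type, payload=frame[18:])
    else:
        info.update(ethertype=ethertype, payload=frame[14:])
    return info


if __name__ == "__main__":
    # Constructed sample: a broadcast ARP request (EtherType 0x0806) leaving on a trunk in VLAN 2
    arp = build_untagged_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55", 0x0806, b"\x00\x01\x08\x00")
    tagged = add_vlan_tag(arp, vid=2, pcp=3)
    print(tagged.hex())
    print(parse_frame(tagged))
    print(strip_vlan_tag(tagged) == arp)
```

The parser is the piece a monitoring tool needs when it captures on a trunk: without reading the TCI it cannot attribute a frame to a VLAN, and a frame that arrives with VID 0 or 4095 is malformed rather than a member of any VLAN, which is why the builder refuses those values.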

Rationale behind trunking

Networks split between switches are not that frequent a case. Say you want to use VLANs for security and/or efficiency reasons, but each particular network is bound to one switch. All broadcast and unicast traffic to hosts within the same network then never leaves the switch they are connected to. Unicast traffic to other networks travels straight to the router (according to basic routing rules) and from the router down to the particular host. The port where the destination host is connected can be identified using the destination MAC. It seems that nobody needs to know VLAN IDs in this case. So the question is: "Do you need trunking here?" And the answer is yes.

It's worth starting by saying that ports on a Cisco switch are either access ports, where end hosts are connected, or trunk ports, which are links between switches or to routers. So when a frame travels through a trunk port it is tagged by design. There are several reasons for that. The simplest answer is ARP requests. When a router receives a packet to route to another network, it first needs to know the MAC address of the destination host. To find it out, the router sends an ARP request, which is a broadcast frame. If there were no VLAN tag on this ARP request, it would have to be flooded on all ports of all switches along the path to the destination, and that would break the VLAN concept at its core: broadcast traffic has to be limited to the particular VLAN.

Another reason for marking each frame with a VLAN ID is efficiency. When a switch receives a frame and looks up the destination in its MAC address table, the lookup is faster when MAC addresses are grouped by VLAN ID: the switch doesn't need to look through all MACs, only those in the same VLAN.

In fact, there are many other reasons for using VLAN tags by default. I gave two, which answer the question without digging into details.

VLAN Trunking Protocol

There is another Cisco proprietary feature called VTP. VTP exchanges information about VLAN IDs and names, so you configure a particular VLAN once on one switch and all other switches pull this information from it. It is not a frequently used feature, so I won't describe it in detail.


Switching Logic

June 8, 2012

If you are a junior admin in a small to medium organization, then building a campus network is simple: buy several switches, connect desktops and switches together, and that's it. You don't need any additional configuration; all switches work right out of the box. However, it's important to understand how packet switching works in order to troubleshoot problems that can show up later in your work.

Switching works at TCP/IP Layer 2. It means that the networking hardware logic operates with MAC addresses. Each time a switch receives a frame from any workstation or server, it remembers the source MAC address and the port it was received on. This is called the MAC address table or switching table. When somebody wants to send a packet to another host with a particular IP address, it sends an ARP request packet, like "tell me who has IP address 12.34.56.78". The host replies with its MAC address and the sender can form a frame to it.

Initially the switch has an empty switching table and does not know where to send frames. When the switch doesn't have a particular MAC address in its table, it forwards (floods) the frame to all ports. If the next switch doesn't know this MAC either, it forwards the frame further. When the frame finally reaches its destination, the host answers and the switch adds the host's MAC address to the table.

If you don't use VLANs, all switches in your network form one broadcast domain. It means that when a host sends a broadcast message, an ARP request for example, and the host with that IP address is powered off, the ARP request traverses the whole network. It's important to bear in mind that if you have many hosts in your network, broadcast messages can eventually slow it down. VLANs are usually the solution here.
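The learn-then-flood-or-forward behaviour described in this post, and the reasons given in the trunking post above for keeping the MAC table grouped by VLAN and for tagging frames on trunk links, can be put together in one small model. The Python below is an added example (not code from the original posts): a learning switch with access and trunk ports whose table is keyed by VLAN first, which floods unknown destinations and broadcasts only within the ingress VLAN, sends untagged on access ports and tagged on trunks, and discards a frame whose VLAN cannot be determined. The port names, MAC addresses and VLAN numbers are a constructed topology; the model has no native VLAN, so an untagged frame arriving on a trunk is dropped.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Port:
    name: str
    mode: str                         # "access" or "trunk"
    vlan: int = 1                     # access VLAN (unused on a trunk)
    allowed: frozenset = frozenset()  # VLANs a trunk is allowed to carry


@dataclass
class Frame:
    src: str
    dst: str
    vid: Optional[int] = None         # 802.1Q tag as seen on a trunk; None means untagged


class Switch:
    """Learning switch whose MAC table is keyed by VLAN first, then by MAC."""

    def __init__(self, ports: List[Port]):
        self.ports: Dict[str, Port] = {p.name: p for p in ports}
        self.table: Dict[int, Dict[str, str]] = {}   # vlan -> mac -> port name

    def _ingress_vlan(self, port: Port, frame: Frame) -> Optional[int]:
        """Classify an incoming frame into a VLAN, or None if it must be discarded."""
        if port.mode == "access":
            return port.vlan                  # an access port trusts its configuration, not a tag
        if frame.vid is None:
            return None                       # untagged on a trunk: no native VLAN in this model
        return frame.vid if frame.vid in port.allowed else None

    def receive(self, in_port: str, frame: Frame) -> List[Tuple[str, Frame]]:
        """Return the (port, frame) pairs the switch would transmit for this ingress frame."""
        port = self.ports[in_port]
        vlan = self._ingress_vlan(port, frame)
        if vlan is None:
            return []
        # 1. learn: the source MAC lives behind in_port, in this VLAN only
        self.table.setdefault(vlan, {})[frame.src] = in_port
        # 2. decide: a known unicast goes to one port; anything else floods within the VLAN
        known = self.table[vlan].get(frame.dst)
        if frame.dst != BROADCAST and known is not None:
            candidates = [] if known == in_port else [known]
        else:
            candidates = [n for n in self.ports if n != in_port]
        # 3. egress: access ports send untagged and only for their own VLAN,
        #    trunk ports send tagged and only for VLANs they are allowed to carry
        out: List[Tuple[str, Frame]] = []
        for name in candidates:
            p = self.ports[name]
            if p.mode == "access" and p.vlan == vlan:
                out.append((name, Frame(frame.src, frame.dst, None)))
            elif p.mode == "trunk" and vlan in p.allowed:
                out.append((name, Frame(frame.src, frame.dst, vlan)))
        return out


def make_demo_switch() -> Switch:
    # Constructed topology: two access ports in VLAN 2, one in VLAN 3, one trunk to another switch
    return Switch([
        Port("fa0/1", "access", vlan=2),
        Port("fa0/2", "access", vlan=2),
        Port("fa0/3", "access", vlan=3),
        Port("gi0/1", "trunk", allowed=frozenset({2, 3})),
    ])


if __name__ == "__main__":
    sw = make_demo_switch()
    # Host A on fa0/1 broadcasts an ARP request: flooded to VLAN 2 ports only, tagged on the trunk
    for name, f in sw.receive("fa0/1", Frame("aa:aa:aa:aa:aa:aa", BROADCAST)):
        print(name, f)
    # Host B replies: A has already been learned, so the reply is switched to fa0/1 alone
    print(sw.receive("fa0/2", Frame("bb:bb:bb:bb:bb:bb", "aa:aa:aa:aa:aa:aa")))
    print(sw.table)
```

Running the script shows the two points the posts make: the broadcast never reaches fa0/3 because the table and the flood are scoped to VLAN 2, and the copy sent over gi0/1 carries the tag so the far switch can scope its own flood the same way.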

TCP/IP layers in a nutshell

June 5, 2012

In contrast to the reference OSI networking model (which is not used in any contemporary OS), TCP/IP in its modern updated version has five layers: Application, Transport, Internet, Data Link and Physical.

The Application layer deals with everything regarding high-level protocols, HTTP for example. Say, an HTTP header with status code 200, which means "OK", is part of the Application layer. This layer is implemented as standard APIs, like the WinHTTP API in Windows.

The next layer is the Transport Layer. TCP is the most obvious implementation of it and is responsible for error detection: TCP adds a sequence number to each segment, which allows simple packet loss detection on the other end. I believe Unix Socket is an implementation of Transport Layer (as well as Internet Layer, probably) in Unix/Linux.

Internet Layer adds IP addressing and routing to the TCP/IP Networking Model and includes numerous protocols.

The Data Link Layer is Ethernet. It implements MAC addressing, framing and error detection of corrupted data inside a frame.

Physical Layer is focused mostly on transferring data across media. Examples of Physical Layer for Ethernet are: 10BASE-T (ancient coaxial cabling), 100BASE-TX, 1000BASE-T, etc. I guess it is implemented on the NIC driver level.
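To make the nesting of the Data Link, Internet and Transport layers concrete, the following Python is an added example (not code from the original post). It wraps a constructed TCP SYN to port 80 inside an IPv4 header inside an Ethernet header, then dissects the frame from the bottom up, verifying the IPv4 header checksum and the TCP checksum, so that corrupting a byte in one layer is detected by that layer's check and not by the others. The MAC addresses, IP addresses (from the documentation ranges), ports and sequence number are made up; the header layouts and the one's-complement checksum are the standard ones.

```python
import socket
import struct

ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
TCP_SYN = 0x02


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 checksum over 16-bit big-endian words; shared by IPv4 and TCP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    # version 4, IHL 5 (20 bytes), no DSCP, identification 1, no flags/fragment offset
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 1, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ones_complement_sum(hdr)) + hdr[12:]


def build_tcp_segment(src_ip: str, dst_ip: str, sport: int, dport: int, seq: int,
                      flags: int, payload: bytes = b"") -> bytes:
    # data offset 5 (20-byte header), window 65535, checksum and urgent pointer zero
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, flags, 65535, 0, 0)
    # the TCP checksum also covers a pseudo-header taken from the Internet layer
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, IPPROTO_TCP, len(hdr) + len(payload)))
    csum = ones_complement_sum(pseudo + hdr + payload)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:] + payload


def build_demo_frame() -> bytes:
    """Constructed frame: Ethernet / IPv4 / TCP SYN from port 40000 to port 80."""
    src_ip, dst_ip = "192.0.2.10", "198.51.100.7"
    tcp = build_tcp_segment(src_ip, dst_ip, 40000, 80, 1000, TCP_SYN)
    ip = build_ipv4_header(src_ip, dst_ip, IPPROTO_TCP, len(tcp)) + tcp
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip


def dissect(frame: bytes) -> dict:
    """Peel the frame one layer at a time, checking each layer's own integrity field."""
    layers = {}
    dst, src, etype = frame[:6], frame[6:12], struct.unpack("!H", frame[12:14])[0]
    layers["data_link"] = {"dst": dst.hex(":"), "src": src.hex(":"), "ethertype": etype}
    if etype != ETHERTYPE_IPV4:
        return layers
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len, proto = struct.unpack("!H", ip[2:4])[0], ip[9]
    layers["internet"] = {
        "src": socket.inet_ntoa(ip[12:16]), "dst": socket.inet_ntoa(ip[16:20]),
        "ttl": ip[8], "protocol": proto,
        "checksum_ok": ones_complement_sum(ip[:ihl]) == 0,   # an intact header sums to zero
    }
    if proto != IPPROTO_TCP:
        return layers
    segment = ip[ihl:total_len]
    sport, dport, seq, ack, _off, flags, _win, _csum, _urg = struct.unpack("!HHIIBBHHH", segment[:20])
    pseudo = ip[12:20] + struct.pack("!BBH", 0, IPPROTO_TCP, len(segment))
    layers["transport"] = {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "flags": flags,
                           "checksum_ok": ones_complement_sum(pseudo + segment) == 0}
    return layers


if __name__ == "__main__":
    frame = build_demo_frame()
    print(frame.hex())
    for layer, fields in dissect(frame).items():
        print(layer, fields)
```

The TCP checksum deliberately reaches down into the Internet layer through the pseudo-header, so a segment that is delivered to the wrong IP address fails the Transport layer check even though every byte of the segment itself is intact; the IPv4 checksum, by contrast, covers only its own header, which is why a corrupted TTL is caught there and nowhere else.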