
Shiratsuchi, Kenth F.

ECET515LA

ECE51 Engr. Warren Bejasa

Laboratory Exercise 6 Building a Small Wired and Wireless Network using ISR

Introduction

A VLAN (virtual local area network) is a subnetwork that can connect devices on different physical local area networks (LANs). A local area network (LAN) is a collection of computers and devices that share a communications line or wireless link with a server located within the same geographic area. Without having to lay additional cables or make large changes to their current network architecture, network administrators may easily partition a single switched network to fulfill the functional and security requirements of their systems using VLANs. Larger enterprises frequently use VLANs to re-partition devices for better traffic management.

VLANs are also essential because they can improve a network's overall performance by grouping together devices that communicate the most. VLANs also improve network security by allowing for more control over which devices have access to each other on larger networks. VLANs are more flexible than physical connections because they are based on logical connections. Multiple, independent VLANs can be supported by one or more network switches, resulting in Layer 2 (data link) subnet implementations. A broadcast domain is linked to a VLAN. Typically, it consists of one or more network switches.

Discussion

VLANs come in a variety of shapes and sizes. Protocol-based, static, and dynamic VLANs are examples of VLAN types.


A Protocol VLAN is one in which traffic is routed according to a certain protocol. Depending on the protocol, a switch will segregate or forward traffic.

In a static VLAN, also known as a port-based VLAN, a network administrator must assign the ports on a network switch to a virtual network. In a dynamic VLAN, by contrast, a network administrator can determine network membership based on device characteristics rather than switch port location.

Switch ports (interfaces) can be allocated to one or more VLANs, allowing systems to be separated into logical groups based on which department they belong to and establishing rules for how systems in the different groups can communicate with one another. These groups can range from the simple and practical (computers in one VLAN can see the printer on that VLAN, but computers outside that VLAN cannot) to the sophisticated and legally driven (for example, computers in the retail banking departments cannot interact with computers in the trading departments).

Each VLAN provides data link access to all hosts connected to switch ports configured with the same VLAN ID. The VLAN tag is a 12-bit field in the Ethernet header that allows a switching domain to have up to 4,096 VLANs. IEEE (Institute of Electrical and Electronics Engineers) 802.1Q defines VLAN tagging, which is also known as Dot1Q.

When an untagged frame is received from an associated host, the 802.1Q format is used to append the VLAN ID tag set on that interface to the data link frame header. After that, the 802.1Q frame is forwarded to the destination. The tag is used by each switch to keep each VLAN's traffic separate from that of other VLANs, only forwarding it where the VLAN is specified. Multiple VLANs are handled through trunk links between switches, which use the tag to keep them apart. Before the frame is sent to the destination device, the VLAN tag is removed when it reaches the destination switch port.

A trunk setup, in which each frame sent across the port is tagged with the VLAN ID, can be used to set up many VLANs on a single port, as mentioned above. To send and receive tagged frames, the neighboring device's interface, which could be on another switch or on a host that supports 802.1Q tagging, must be configured in trunk mode. Any Ethernet frames that are not tagged are assigned to a default VLAN that can be specified in the switch configuration.
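As an added illustration of the tagging described above (example code written for this report, not part of the lab or of the cited sources), the following Python builds, parses and strips an 802.1Q tag on a constructed Ethernet frame. The frame bytes are made up, and the VID check rejects the two reserved values so that only the 4,094 usable IDs are accepted.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q (Dot1Q) tag


def tag_frame(frame: bytes, vid: int, pcp: int = 0, dei: int = 0) -> bytes:
    """Insert a 4-byte 802.1Q tag after the destination and source MACs.

    This is what a switch does when it sends a frame out of a trunk port, or
    when it classifies an untagged frame arriving on a port into that port's VLAN.
    """
    if not 1 <= vid <= 4094:  # 0x000 and 0xFFF are reserved: 12 bits, 4,094 usable IDs
        raise ValueError(f"VLAN ID {vid} is outside the usable range 1-4094")
    tci = (pcp << 13) | (dei << 12) | vid  # TCI = 3-bit PCP, 1-bit DEI, 12-bit VID
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def parse_tag(frame: bytes):
    """Return (vid, pcp, dei) for a tagged frame, or None if it is untagged."""
    if len(frame) < 16 or struct.unpack("!H", frame[12:14])[0] != TPID_8021Q:
        return None
    tci = struct.unpack("!H", frame[14:16])[0]
    return tci & 0x0FFF, tci >> 13, (tci >> 12) & 1


def strip_tag(frame: bytes) -> bytes:
    """Remove the 802.1Q tag, as an access port does before delivering to a host."""
    if parse_tag(frame) is None:
        return frame
    return frame[:12] + frame[16:]


# Constructed sample frame: dst MAC, src MAC, EtherType 0x0800 (IPv4), 4 payload bytes.
UNTAGGED = (bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
            + b"\x08\x00" + b"\xde\xad\xbe\xef")

if __name__ == "__main__":
    tagged = tag_frame(UNTAGGED, vid=10, pcp=5)
    print(tagged.hex(), parse_tag(tagged))   # the tag appears at byte offset 12
    assert strip_tag(tagged) == UNTAGGED     # egress on an access port restores the original
```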

A VLAN-enabled switch adds the VLAN tag allocated to the ingress interface to an untagged Ethernet frame received from an associated host. The frame is forwarded to the port of the host that owns the destination MAC (media access control) address. BUM traffic (broadcast, unknown unicast, and multicast) is flooded to all ports in the VLAN. When an unknown host responds to an unknown unicast frame, the switches learn its location and do not flood subsequent frames targeted to that host. Two mechanisms keep the switch forwarding tables up to date. First, outdated forwarding entries are periodically removed from forwarding tables, usually using a programmable timeout.
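To show the per-VLAN learning and flooding behaviour described above, and the isolation between VLANs that results, here is a small VLAN-aware switch model (added example code written for this report, not from the lab or its sources). Frames are represented as MAC strings plus an optional tag rather than raw bytes, and the port names, MACs and topology are constructed.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional


@dataclass
class Port:
    name: str
    access_vlan: Optional[int] = None          # set on an access (host-facing, untagged) port
    trunk_vlans: FrozenSet[int] = frozenset()  # VLANs allowed on a trunk (tagged) port

    def ingress_vlan(self, tag: Optional[int]) -> Optional[int]:
        """Classify an arriving frame into a VLAN; None means the frame is dropped."""
        if self.access_vlan is not None:
            # Assumption: an access port accepts only untagged frames (its default VLAN).
            return self.access_vlan if tag is None else None
        return tag if tag in self.trunk_vlans else None

    def egress_tag(self, vlan: int) -> Optional[int]:
        """Access ports strip the tag before delivery; trunk ports keep it."""
        return None if self.access_vlan is not None else vlan

    def carries(self, vlan: int) -> bool:
        return self.access_vlan == vlan or vlan in self.trunk_vlans


class VlanSwitch:
    def __init__(self, ports):
        self.ports = {p.name: p for p in ports}
        self.mac_table: Dict[tuple, str] = {}  # (vlan, mac) -> port; learned per VLAN

    def receive(self, in_port: str, src: str, dst: str,
                tag: Optional[int] = None) -> Dict[str, Optional[int]]:
        """Forward one frame; returns {egress port: tag to send (None = untagged)}."""
        vlan = self.ports[in_port].ingress_vlan(tag)
        if vlan is None:
            return {}
        self.mac_table[(vlan, src)] = in_port  # learn the source within its VLAN only
        known = self.mac_table.get((vlan, dst))
        if known == in_port:
            return {}                          # destination sits behind the ingress port
        if known is not None:
            targets = [known]                  # known unicast goes to exactly one port
        else:                                  # BUM traffic: flood, but only within the VLAN
            targets = [n for n, p in self.ports.items() if n != in_port and p.carries(vlan)]
        return {n: self.ports[n].egress_tag(vlan) for n in targets}


# Constructed topology: two VLAN 10 access ports, one VLAN 20 access port, one trunk.
def demo_switch() -> VlanSwitch:
    return VlanSwitch([Port("e1", access_vlan=10), Port("e2", access_vlan=10),
                       Port("e3", access_vlan=20), Port("t1", trunk_vlans=frozenset({10, 20}))])
```

A frame from the VLAN 20 host addressed to a VLAN 10 host is flooded only onto the trunk as VLAN 20, never onto the VLAN 10 access ports, which is the isolation the text describes.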

Second, every topology change reduces the forwarding table refresh timer, causing a refresh to occur. To build a loop-free topology among the switches in each Layer 2 domain, the Spanning Tree Protocol (STP) is employed. If the topology is the same across several VLANs, a per-VLAN STP instance can be used to enable different Layer 2 topologies, or a multi-instance STP (MISTP) can be used to reduce STP overhead. STP creates a spanning tree from a selected root switch by blocking forwarding on links that may cause forwarding loops. This means that some links will not be used for forwarding until another section of the network fails, causing STP to make the link active again.

A switch domain with four switches and two VLANs is depicted in the diagram above. A ring topology is used to connect the switches. STP causes one port to become blocked, resulting in the formation of a tree topology (i.e., no forwarding loops). The red bar across the link indicates that the port on switch D to switch C is blocked. Trunking VLAN 10 (orange) and VLAN 20 (green) lines connect the switches to the router (green). The hosts in VLAN 10 are able to communicate with server O. Server G can communicate with hosts connected to VLAN 20. On each VLAN, the router has an IPv4 subnet configured to allow connectivity for communications between the two VLANs.

Advantages of VLANs include reduced broadcast traffic, security, ease of administration and broadcast domain confinement.


However, one disadvantage of VLANs is that the limit of 4,096 VLANs per switching domain creates problems for large hosting providers, which often need to allocate tens or hundreds of VLANs for each customer. To address this limitation, other protocols, like VXLAN (Virtual Extensible LAN), NVGRE (Network Virtualization using Generic Routing Encapsulation) and Geneve, support larger tags and the ability to tunnel Layer 2 frames within Layer 3 (network) packets.

Finally, data communication between VLANs is performed by routers. Modern switches often incorporate routing functionality and are called Layer 3 switches.

Reflection

A virtual LAN (VLAN) is a method of establishing several virtual switches within a single physical switch. As a result, ports set for VLAN 10 behave as if they're all connected to the same switch. VLAN 20 ports cannot communicate directly with VLAN 10 ports. They need to be routed between the two of them (or have a link that bridges the two VLANs).

VLANs are virtual local area networks built within a physical network. Their major function is to provide isolation, which is frequently used to reduce the size of a network's broadcast domain, but they can also be used for a variety of other purposes. They are a tool that every network engineer should be familiar with, yet they, like any tool, can be misused and/or employed at inopportune moments. Because no single tool is appropriate for all networks and scenarios, the more tools you have, the more environments you can work in. Knowing more about VLANs will enable you to use them when you need them and do it correctly.

As an example of how they might be employed: I presently work in an environment where SCADA (supervisory control and data acquisition) devices are commonly employed. SCADA devices are often simplistic and have a lengthy history of shoddy software development, which frequently exposes severe security flaws. We've put the SCADA devices on their own VLAN, with no L3 gateway. The only way into their logical network is through the server they connect with (which has two interfaces, one of which is in the SCADA VLAN), which may be secured using host-based security, which is not possible on the SCADA devices. The SCADA devices are separated from the rest of the network by a firewall.

In terms of design concepts, the most frequent application is to align your VLANs with your organizational structure, for example, engineering personnel in one VLAN, marketing personnel in another, IP phones in yet another, and so on. VLANs can also be used to "transport" various network functions across one (or more) cores in other systems. Layer 3 termination of VLANs ('SVI' in Cisco lingo, 'VE' in Brocade lingo, etc.) is also achievable on some devices, obviating the requirement for a separate piece of hardware when inter-VLAN communication is required.

At scale, VLANs become difficult to administer and maintain, as you've undoubtedly already seen on NESE. In the service provider world, there's PB (Provider Bridging - also known as "QinQ," double tagging, stacked tags, and so on), PBB (Provider Backbone Bridging - "MAC-in-MAC"), and PBB-TE, all of which were created to address the issue of the limited number of VLAN IDs. PBB-TE aspires to do away with dynamic learning, flooding, and spanning tree. The 4,094 limitation originates from the fact that there are only 12 bits available for use as a VLAN ID in a C-TAG/S-TAG (0x000 and 0xFFF are reserved). VPLS or PBB can be used to eliminate the traditional scaling ceilings involved with PB.

The fundamental use case for VLANs is nearly identical to the fundamental use case for segmenting a network into numerous data link broadcast domains. The fundamental distinction is that in a physical LAN, each broadcast domain requires at least one device (usually a switch), whereas in a virtual LAN, broadcast domain membership is determined port-by-port and can be changed without adding or replacing hardware.


VLANs should be designed in the same way as physical LANs (PLANs) for simple applications. To do so, you must understand the following three concepts:

Trunking - A trunk link is any connection that transmits frames from multiple VLANs. Trunk links are typically configured on switch-to-switch and switch-to-router links. When sending to a trunk connection, the device must tag each frame with the numeric VLAN ID to which it belongs so that the receiving device can confine it to the relevant broadcast domain. Host-facing ports are often untagged, whereas switch- and router-facing ports are tagged. The data link encapsulation includes a tag as well.



References

https://networkengineering.stackexchange.com/questions/732/introductory-level-explanation-of-vlans

https://searchnetworking.techtarget.com/definition/virtual-LAN
