This is part 1 of a 2-part article. For part 2, click here.
This article is purely aimed to provide an extensive guide on a core Cisco CCNA exam subject: VLAN.
It has been composed taking into consideration only the latest Cisco certification guide and official exam material and it is organized by topics: every topic includes theoretical concepts and collection of tips, recommendations on potential exam items. The last part of the article focuses on possible troubleshooting exam scenario.
Trust me, on this article you will find all you have to know about VLAN for the exam!
CCNA Training – Resources (Intense)
But before diving into this important switching technology, it is my recommendation to purchase the last available CCNA exam guide, the 3rd edition, written by Wendell Odom and published on December 28, 2011. The guide will not only help you to understand what is covered on this exam but it will be a reference resource when dealing with Cisco technologies.
It is essential to have some preliminary knowledge about IP addressing, switch and router basic functionalities and commands, CDP protocol to understand the entire content afterwards.
Also if you have already work experience in networking and particularly as Cisco Network Engineer, you will find this exam easy to pass.
VLAN is a L2 solution widely utilized in any modern Ethernet switched networks and while it is a standard, Cisco has developed proprietarily some related protocols like DTP (Dynamic Trunking Protocol) and VTP (Virtual Trunking Protocol) that must be fully clear to the student.
By definition “a virtual LAN (VLAN) is a group of networking devices in the same broadcast domain, logically”.
It means the devices in the same VLAN may be widely separated in the network, both by geography and by location. VLANs logically segment the network into different broadcast domains so packets are only switched between ports that are designated for the same VLAN over different switches. To make a paragon, I like to think to a VLAN as a religion where followers of a religious order (same VLAN) are spread geographically in all the countries (switches) across all world continents (floors, corporate offices and branches).
Figure 1 – VLANs as Logically Defined Networks
The reason I am writing this article is not to teach you about VLAN because there are plenty of books, tutorials, manuals, web-resources for this purpose but it is to provide you with some tips and knowledge on VLAN in order to pass the CCNA exam. And therefore any of the following treated notions need to be clearly understood to correctly answer the exam questions.
- VLAN benefits: there are multiple questions about benefits, advantages and limitations of VLAN.
VLAN allows logical grouping of users by functions permitting access to network services based on department and not physical location and consequently enhancing security by separating sensitive data traffic from other network traffic. By configuring VLAN, the admin can separate voice from data, server farm traffic from client traffic, printers from scanners achieving isolation of broadcast domains.Also it simplifies moving, deleting, adding, changing host in the network but at the same time it increases switch administration because designing, configuring, maintaining and troubleshooting VLAN adds complexity generally.
- General knowledge: 2 hosts into the same VLAN can communicate each other in unicast fashion without the need of a L3 device while 2 hosts belong to different VLANs require a L3 device (a router or a L3 switch). Bear in mind that VLANs are also subnets and establish broadcast domains in switched networks. In fact a subnet, or a network, is a contained broadcast domain. A broadcast that occurs in one subnet will not be forwarded, by default, to another subnet. Routers, or layer 3 devices, provides this boundary function. And to move from one network subnet to another, a router is mandatory.
This is the basic of VLAN and extensively tested on the exam in fact there are plenty of questions on this matter.
On the exam you will be asked to troubleshoot connectivity issues between an host that belongs to VLAN A and another to VLAN B where make sure the 2 hosts IP addresses are in different subnets and the TCP/IP host settings don’t overlap falling into the same subnet.Another potential tricky exam item could be to recognize that communication problem between hosts on different VLAN is due to a lack of L3 device.
- Switchport configurations: when dealing with VLANs, switches support two types of switch port, access-links and trunks. You will need to know what type of connection a switch interface should use and configure it appropriately.
An access-link connection can be associated only with a single VLAN. End users workstations are always connected to switch access ports using a straight-through cable.By default, all ports are static-access ports assigned to the management VLAN 1 (default native VLAN).
Communication with the switch management interfaces occurs through the switch IP address that is associated with the management VLAN 1.To assign a switch access port to a VLAN rather than VLAN 1, you require first to create the VLAN running the configuration terminal mode command vlan X, second you have to run the interface configuration mode command switchport mode access to enable the port in access port modality and finally apply the command switchport access vlan X.
Note that the latter command, switchport access vlan X creates the vlan x if not present in the VLAN database yet.
Unlike access-link connections, trunk connections are capable of carrying traffic for multiple VLANs and can extend VLANs across an entire network.Trunk links are common between certain combinations of devices, including switch-to-switch, switch-to-router and switch-to-file server connections.To statically set a switchport as trunk, enter the interface configuration mode and run the command switchport mode trunk: by default all VLAN on the VLAN database are allowed over the trunk.During the exam, you will be challenged to recognize which switchport is an access port and which one is a trunk port. Or you have to spot which Ethernet segments are trunk links in a given network diagram; either you should be able to recognize which path the packets take when traversing a network when 2 hosts in different VLAN communicate.
Possible drag&drop can be present on the exam to test the difference between an access and trunk ports.
Figure 2 – 802.1Q trunk links
- Trunking: as you can see from the Figure number 2, trunking connections are fundamental to allow communications between hosts connected to different switches.In this case if the host connected to a Catalyst 2900XL switch on VLAN1 wants to access the server on VLAN 3 connected to a Catalyst 3500XL switch, the packets need to flow through 2 trunk links.Cisco supports two Ethernet trunking methods:
- Cisco’s proprietary InterSwitch Link (ISL) protocol for Ethernet.
- IEEE’s 802.1Q and it allows trunks between different vendors devices.
Technically when in trunking modality, the switch adds the source port’s VLAN identifier to the frame so that the device at the other end of the trunk understands what VLAN originated this frame and the destination switch can make intelligent forwarding decisions on not just the destination MAC address, but also the source VLAN identifier.
In order to achieve that, the 802.1Q protocol adds a 32-bit field between the source MAC address and the EtherType/Length fields of the original frame, extending the minimum and maximum frame sizes from 64 and 1,518 bytes (octets) to 64 and 1,522 bytes: 12 of these 32 bit are used to identified the VLAN ID (VID) allowing up to 4,094 VLANs.
Therefore, you need to ensure that when a trunk connection is set up on a switch interface, the device at the other end also supports the same trunking protocol and has it configured.
To accomplish the latter, enter the interface configuration mode and run the command switchport trunk encapsulation dot1.q.
If the device at the other end doesn’t understand these modified frames or is not set up for trunking, it will, in most situations, drop them.
Frames belonging to the native VLAN (by default VLAN 1) do not carry VLAN tags when sent over the trunk. Conversely, if an untagged frame is received on a trunk port, the frame is associated with the native VLAN configured on that port.
Moreover if you want to designate the X VLAN to be the native one, run the command switchport trunk native vlan X.
For the exam purposes, make sure that the same native or untagged VLAN is configured on switches 802.1Q trunk ports at both ends and remember that if there is a native VLAN mismatch between different switches, an error will appear on the CLI.
Furthermore memorize the definitions and the basic differences of the 2 trunking protocols supported by Cisco over Ethernet links, 802.1Q and ISL.
- Router-on-a-stick: by definition a router-on-a-stick is a router that has a single trunk connection to a switch and routes between the VLANs on this trunk connection. It accomplishes the inter-VLAN function by leveraging sub-interfaces. The physical interface where the trunk link resides is broken into multiple logical sub-interfaces: router will treat this logical interface just like a physical interface in fact you can assign layer 3 addressing to it, enable it, disable it. When setting up your sub-interface for a router-on-a-stick, remember there must be one sub-interface per VLAN and per subnet, every sub-interface must have encapsulation enabled and the encapsulation identifiers matching the VLAN. For example in the Figure number 3, Fa0.2 is the gateway for VLAN2 and Fa0.4 is the GW for VLAN 4 where there is a 1:1 correspondence between the sub-interface number and the VLAN number.Also direct inter-VLAN routing communication doesn’t require any dynamic routing protocol because the switch has directly connected sub-interfaces configured for the network subnets.In the below diagram, the router is aware of the networks 220.127.116.11/24 and 18.104.22.168/24 because directly connected to the sub-interfaces so no routing protocol needs to run.
Figure 3 – An example of Routing-On-A-Stick implementation
- DTP: Cisco has developed a proprietary protocol called DTP (Dynamic Trunking Protocol) used on trunk connections to form trunks dynamically between 2 VLAN-aware Cisco switches. It works on the L2 of the OSI model.
The following switch port mode settings exist:
- auto: causes the port to passively be willing to convert to trunking. The port will not trunk unless the neighbor is set to on or desirable. This is the default mode. Note that auto-auto (both ends default) links will not become trunks.
- on: forces the link into permanent trunking, even if the neighbor doesn’t agree.
- off: forces the link to permanently not trunk, even if the neighbor doesn’t agree.
- desirable: causes the port to actively attempt to become a trunk, subject to neighbor agreement (neighbor set to on, desirable, or auto.)
- nonegotiate: disables the sending of DTP frames on the port. Trunking is indentified as off whether the on or off keywords have been entered on the device. This command generates an error if dynamic modes are configured. And this command is required especially when non-Cisco switches compose the network.
As this is a Cisco proprietary protocol, surely Cisco will test you on possible combinations of switch port modes between neighbor switches so I advise you to memorize the following table:
|Local Switch DTP Modes||Remote Switch DTP Modes|
|On||On, desirable, auto|
|Desirable||On, desirable, auto|
Table 1 – How to form trunk with DTP
In the second part, we will discuss VTP, VLAN database and commands, and troubleshooting.