VLANs define broadcast domains in a Layer 2 network. A broadcast domain is the set of all devices that will receive broadcast frames originating from any device within the set. Broadcast domains are typically bounded by routers because routers do not forward broadcast frames. Layer 2 switches create broadcast domains based on the configuration of the switch. Switches are multiport bridges that allow you to create multiple broadcast domains. Each broadcast domain is like a distinct virtual bridge within a switch.
in the early days of computer networks, we were using a device called the bridge for separating the broadcast domain. In a bridge, each port belongs to a separate broadcast domain so one port’s broadcast traffic cant be forwarded to another broadcast domain. But the disadvantage of the bridge as it had a very limited number of ports and due to the insufficient port, it was very difficult to scale the network.
With switches, it’s easier to define the broadcast domain, and also it’s a scalable solution for layer2 by using switches instead of bridges, and that’s the reason bridge is replaced by the switches these days. By creating the VLANs you can create multiple broadcast domains. so basically each VLAN is a part of separate broadcast domain.
Advantages of VLAN.
- A VLAN is a single broadcast domain which means that if a user in the VLAN sales would send a broadcast frame only users in the same VLAN will receive it.
- Users are only able to communicate within the same VLAN unless you use a router.
- In layer-2 Broadcast is one of the most important things we need to understand.
- Most of the protocol uses the broadcast like ARP request and DHCP etc. so you have to create the VLAN for making the partition to a flat LAN network.
- VLAN provides you security, Traffic separation, etc.
- Switches maintain a separate mac address table for separate VLAN. Each VLAN is one broadcast domain.
- By default, there is a VLAN 1 and all ports belong to it .so you can’t delete VLAN 1 because VLAN 1 is associated with lots of control plane protocols.
VLAN Ranges
- Total VLAN ranges are between 1-4094.
- 1-1001 is usable normal-range VLANs.
- 1002-1005 are reserved for token rings.
- 1006-4094 are extended-range VLANs.
Configuring VLAN
in most old switches, to create the VLAN we need to go into the VLAN database and then we used to create the VLAN directly in the database. but in new and recent switches we can create the VLAN without going into the VLAN database.
Legacy method with VLAN database. Sw1# vlan database Sw1(vlan-database)# vlan <vlan-id> Sw1(vlan-database)# end
Modern method of configuring VLAN. Sw1(config)# vlan <vlan id> Sw1(config-vlan)# name <vlan name>
To verify the VLAN configuration we need to use a command called show vlan.
// By default as you can see all the port are associated with vlan 1.
Switch#show vlan
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/1, Fa0/2, Fa0/3, Fa0/4
Fa0/5, Fa0/6, Fa0/7, Fa0/8
Fa0/9, Fa0/10, Fa/11,Fa0/12
Fa0/13, Fa0/14, Fa0/15, Fa0/16
Fa0/17, Fa0/18, Fa0/19, Fa0/20
Fa0/21, Fa0/22, Fa0/23, Fa0/24
Configuring VLANs.
Now let’s create a VLAN and we will assign a port and then we will verify,By default as you can see all my ports belong to VLAN 1 .
SW1#show vlan
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/1, Fa0/2, Fa0/3, Fa0/4
Fa0/5, Fa0/6, Fa0/7, Fa0/8
Fa0/9, Fa0/10, Fa0/12
Fa0/13, Fa0/14, Fa0/22
Fa0/23, Fa0/24
1002 fddi-default act/unsup
1003 token-ring-default act/unsup
1004 fddinet-default act/unsup
1005 trnet-default act/unsup
Now let’s create the VLANs. and we will give a descriptive name for better understanding called Sales.
SW1(config)#vlan 40 SW1(config-vlan)#name Sales SW1(config-vlan)#exit
Now let’s verify.
SW1#show vlan
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/1, Fa0/2, Fa0/3, Fa0/4
Fa0/5, Fa0/6, Fa0/7, Fa0/8
Fa0/9, Fa0/10, Fa0/11, Fa0/12
Fa0/13, Fa0/14, Fa0/15,
Fa0/23, Fa0/24
40 Sales active
As you can see now we have VLAN 40 created but we have not assigned any port to VLAN 40 yet.
Access Port configuration.
Access ports are part of only one VLAN and are normally used to terminate end devices like Laptops, PC, and printers, and access ports are called Single Untagged VLAN.
Using the “switch port mode access” command forces the port to be an access port about its configuration part. Similarly, if any device is plugged into this port, then it will only be able to communicate with other devices that are in the same VLAN.
Access port sends and receives frames that are not tagged and only have access to VLAN Value. The frames that arrive on an access port are assumed to be part of the access VLAN.
Now let’s configure fa0/1 & fa0/2 ports as a member of VLAN 40 which is our sales VLAN.
SW1(config)interface fa0/1 SW1(config-if)#switchport mode access SW1(config-if)#switchport access vlan 40
SW1#show vlan
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/3, Fa0/4
Fa0/5, Fa0/6, Fa0/7, Fa0/8
Fa0/9, Fa0/10,, Fa0/12
Fa0/13, Fa0/14, Fa0/15,
Fa0/23, Fa0/24, Gi0/2
40 Sales active Fa0/1, Fa0/2
Now as you can see above the port Fa0/1 & Fa0/2 is a part of vlan 40 .
Note:-VLAN information is not saved in the running-config or startup-config but in a separate file called vlan.dat on your flash memory. If you want to delete the VLAN information you should delete this file by typing delete flash:vlan.dat.
VLAN 1 Use Cases.
VLAN 1 contains control plane traffic such as VTP, CDP, and PAgP protocols that are tagged with VLAN 1 information and are forwarded to a trunk regardless if the trunk has pruned VLAN 1.
Vlan 1 can also contain user traffic. It is recommended that user traffic should not be configured on VLANs 1. Because you don’t want those users will receive your control plane multicast traffics.
Note:– It’s highly recommended not to use the VLAN 1 as your management VLAN because VLAN 1 is not secure and the hackers first target on VLAN 1 to enter into your Layer 2 domain.