setsockopt()

11/08/2009

VLANs and Private VLANs

VLANs

A VLAN is a group of switch ports administratively configured to share the same broadcast domain. A L2 switch cannot forward frames between VLANs; to do that, a L3 switch, also known as a Multilayer Switch (MLS), or a router is necessary.

VLAN membership can be granted to devices either statically (port based) or dynamically (based on the device's MAC address).

Dynamic VLAN configuration requires CiscoWorks and a VLAN Membership Policy Server (VMPS). The VMPS holds the MAC address database that switches query to decide which VLAN a port belongs to.

Because they make troubleshooting rather awkward and considerably increase the administrative overhead, Dynamic VLANs should be used only when strictly necessary. Keep in mind as well that a MAC-based assignment trusts a value the attached host can change at will.

The rest of this post will deal with Static VLANs configuration processes only.

Configuring VLANs on Cisco switches is pretty simple. Only two steps are needed:

  1. create the VLAN(s)
  2. associate the correct ports to each VLAN (at this point the VLAN is considered to be “operational”)

On Cisco switches, VLAN creation can be done using either VLAN database mode or configuration mode.

Using VLAN Database Mode

Switch#vlan database
% Warning: It is recommended to configure VLAN from config mode,
 as VLAN database mode is being deprecated. Please consult user
 documentation for configuring VTP/VLAN in config mode.
Switch(vlan)#vlan 101 name CCIE
VLAN 101 added:
 Name: CCIE

Switch(vlan)#show changes
ADDED:
 VLAN ISL Id: 101
 Name: CCIE
 Media Type: Ethernet
 VLAN 802.10 Id: 100101
 State: Operational
 MTU: 1500

Switch(vlan)#exit
APPLY completed.
Exiting....
Switch#

As the warning above shows, configuring VLANs through VLAN database mode is deprecated.

When using database mode, some useful commands are also available:

Switch(vlan)#?
 VLAN database editing buffer manipulation commands:
 abort  Exit mode without applying the changes
 apply  Apply current changes and bump revision number
 exit   Apply changes, bump revision number, and exit mode
 no     Negate a command or set its defaults
 reset  Abandon current changes and reread current database
 show   Show database information
 vlan   Add, delete, or modify values associated with a single VLAN
 vtp    Perform VTP administrative functions.

Switch(vlan)#show ?
 changes   Show the changes to the database since modification began (or since 'reset')
 current   Show the database installed when modification began (or since 'reset')
 proposed  Show the database as it would be modified if applied
Switch(vlan)#

Only the normal VLAN range (1-1005) can be configured in VLAN database mode; extended-range VLANs (1006-4094) have to be created in configuration mode. Normal-range VLAN data is stored in the vlan.dat file in flash rather than in the running configuration (unless the switch is in VTP transparent mode, in which case it also appears there), so backing up the running configuration alone does not necessarily capture the VLAN list.

Using Configuration Mode

Configuration mode allows a VLAN to be created explicitly, with the global configuration vlan command, or implicitly, by assigning a switch port to a VLAN that does not exist yet. The latter happens from interface configuration mode.

The main difference between VLAN database and configuration modes is that, in the former, VLANs are created only when the pending changes are applied (with the exit or apply VLAN database commands, or Ctrl+Z), while in the latter a VLAN is effectively created as soon as the command is issued.

Switch#
Switch#show vlan brief

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                Fa0/9, Fa0/10, Fa0/11, Fa0/12
                                                Fa0/13, Fa0/14, Fa0/15, Fa0/16
                                                Fa0/17, Fa0/18, Fa0/19, Fa0/20
                                                Fa0/21, Fa0/22, Fa0/23, Fa0/24
                                                Gig0/1, Gig0/2
1002 fddi-default                     active
1003 token-ring-default               active
1004 fddinet-default                  active
1005 trnet-default                    active
! only standard well-known vlan settings displayed
Switch#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Switch(config)#vlan 101
! once the command is issued, vlan 101 is both created and available for port assignment
Switch(config-vlan)#name CCIE-LAB
Switch(config-vlan)#do show vlan brief

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                Fa0/9, Fa0/10, Fa0/11, Fa0/12
                                                Fa0/13, Fa0/14, Fa0/15, Fa0/16
                                                Fa0/17, Fa0/18, Fa0/19, Fa0/20
                                                Fa0/21, Fa0/22, Fa0/23, Fa0/24
                                                Gig0/1, Gig0/2
101  CCIE-LAB                         active    
1002 fddi-default                     active
1003 token-ring-default               active
1004 fddinet-default                  active
1005 trnet-default                    active
Switch(config-vlan)#end
Switch#

As mentioned earlier, a VLAN is also created immediately when a port is assigned to it from interface configuration mode.

In this case, two objectives are achieved at once: VLAN creation and port assignment. This is typically done on access layer switches, so that client hosts become members of the new VLAN the moment it is created.

Switch#show vlan brief

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                Fa0/9, Fa0/10, Fa0/11, Fa0/12
                                                Fa0/13, Fa0/14, Fa0/15, Fa0/16
                                                Fa0/17, Fa0/18, Fa0/19, Fa0/20
                                                Fa0/21, Fa0/22, Fa0/23, Fa0/24
                                                Gig0/1, Gig0/2
101  CCIE-LAB                         active
1002 fddi-default                     active
1003 token-ring-default               active
1004 fddinet-default                  active
1005 trnet-default                    active
! only the previous example's vlans existed at this point
Switch#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Switch(config)#int gig0/1
! entering interface configuration mode
Switch(config-if)#switchport access vlan 102
% Access VLAN does not exist. Creating vlan 102
! IOS displays a message informing that vlan 102 does not exist and that this command will create it.
! Since 'switchport access vlan [vlan-num]' binds an access port to a vlan, that was done too.
Switch(config-if)#do show vlan brief
! checking the currently existing vlans and their assigned ports from interface configuration mode

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                Fa0/9, Fa0/10, Fa0/11, Fa0/12
                                                Fa0/13, Fa0/14, Fa0/15, Fa0/16
                                                Fa0/17, Fa0/18, Fa0/19, Fa0/20
                                                Fa0/21, Fa0/22, Fa0/23, Fa0/24
                                                Gig0/2
101  CCIE-LAB                         active
102  VLAN0102                         active    Gig0/1
1002 fddi-default                     active
1003 token-ring-default               active
1004 fddinet-default                  active
1005 trnet-default                    active
Switch(config-if)#

It is usually worth giving the new VLAN a meaningful name instead of the automatic VLAN0102. This is easily done by entering VLAN configuration mode for it (vlan 102) and naming it with the name command, as in the previous example.
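As an added check, not part of the original post, the following Python script parses show vlan brief output of the shape shown above (including the continuation lines of the Ports column, which carry no VLAN number) and lists the ports still sitting in VLAN 1. Ports left in the factory-default VLAN 1 are a common hygiene finding, since that VLAN also carries the switch's control-plane traffic by default. The sample output is constructed from the examples above, and the uplink list handed to the audit function is an assumption.

```python
import re

# Constructed sample, shaped like the 'show vlan brief' output above (trimmed).
SAMPLE_SHOW_VLAN_BRIEF = """\
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                Gig0/2
101  CCIE-LAB                         active
102  VLAN0102                         active    Gig0/1
1002 fddi-default                     active
1003 token-ring-default               active
1004 fddinet-default                  active
1005 trnet-default                    active
"""

# A VLAN row: id, name, status, then an optional comma-separated list of ports.
VLAN_ROW = re.compile(r"^(\d{1,4})\s+(\S+)\s+(\S+)\s*(.*)$")


def _split_ports(text):
    return [p.strip() for p in text.split(",") if p.strip()]


def parse_show_vlan_brief(output):
    """Return {vlan_id: {'name': ..., 'status': ..., 'ports': [...]}}.

    Lines that start with whitespace continue the Ports column of the
    previous VLAN row, which is how IOS wraps long port lists.
    """
    vlans = {}
    current = None
    for line in output.splitlines():
        if not line.strip() or line.startswith(("VLAN ", "----")):
            continue
        if line[0].isspace():
            if current is not None:
                vlans[current]["ports"].extend(_split_ports(line))
            continue
        m = VLAN_ROW.match(line)
        if not m:
            continue  # prompts or other text between tables are ignored
        vid, name, status, ports = m.groups()
        current = int(vid)
        vlans[current] = {"name": name, "status": status, "ports": _split_ports(ports)}
    return vlans


def ports_in_default_vlan(vlans, uplinks=()):
    """Ports still in VLAN 1, minus known trunk/uplink ports (an assumed list)."""
    return [p for p in vlans.get(1, {"ports": []})["ports"] if p not in uplinks]


if __name__ == "__main__":
    table = parse_show_vlan_brief(SAMPLE_SHOW_VLAN_BRIEF)
    for vid, info in sorted(table.items()):
        print(f"VLAN {vid:<4} {info['name']:<20} {', '.join(info['ports']) or '-'}")
    print("still in VLAN 1:", ports_in_default_vlan(table, uplinks=("Gig0/2",)))
```

Feed it the real command output captured from a switch and any port reported by ports_in_default_vlan is a candidate for an explicit switchport access vlan assignment, or for shutdown if it is unused.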

Private VLANs

Private VLANs (PVLANs) are used mainly by service providers. As explained earlier, a VLAN is a set of switch ports sharing the same broadcast domain; in practice this means that the group of devices shares one layer 2 domain.

Considering that a frame flowing from one port in a VLAN to another port in the same VLAN never crosses a layer 3 interface boundary (and therefore never meets a router access list), how can one restrict access to business-critical devices from ports that are members of the same VLAN?

There are two approaches available: VLAN Access Lists (VACLs) and Private VLANs.

VACLs are used in enterprise networks to permit or deny traffic between devices sharing the same VLAN. Configuring them involves defining a VLAN access map with its match conditions and the corresponding actions; the last mandatory step is a VLAN filter that applies the map to a single VLAN or to a list of VLANs, by number.

Unfortunately I don't have access to a real Catalyst switch. There's no Catalyst simulator available out there. Therefore the example below was taken from the excellent Cisco Press book "BCMSN Official Exam Certification Guide", by David Hucaby, page 414, with a few notes of mine:

Switch(config)# ip access-list extended local-17
Switch(config-ext-nacl)# permit ip host 192.168.99.17 192.168.99.0 0.0.0.255
! 192.168.99.0/24 is assumed to be VLAN 99's address space
! inside a VACL, 'permit' means 'match': this ACL selects the traffic the access map will act on
! other TCP/IP parameters (protocol, ports) can be used to select traffic as well
Switch(config-ext-nacl)# exit
Switch(config)# vlan access-map block-17 10
! vlan access maps are configured much like route maps: numbered sequences with match and action
Switch(config-access-map)# match ip address local-17
Switch(config-access-map)# action drop
! IP traffic from host 192.168.99.17 to 192.168.99.0/24, as selected by 'local-17', is dropped
! possible actions are: drop, forward or capture
Switch(config-access-map)# vlan access-map block-17 20
Switch(config-access-map)# action forward
! sequence 20 has no match clause, so it matches all remaining traffic; without it, the access
! map's implicit deny would drop every other IP packet in the VLAN
Switch(config-access-map)# exit
Switch(config)# vlan filter block-17 vlan-list 99
! applies access map block-17 to VLAN 99; the VLAN number and the addresses in the ACL must
! correspond to each other, otherwise the drop entry simply never matches
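To make the semantics of that configuration concrete, here is an added Python model of how the switch evaluates the access map; it is my own illustration, not code from the book or from Cisco. It shows the three points that matter: an ACL permit only selects traffic, sequences are tried in order with the first match deciding the action, and IP packets matching no sequence are dropped. The flows are constructed, and only IPv4 source and destination matching is modelled (no protocols or ports).

```python
from ipaddress import ip_address, ip_network

# The extended ACL 'local-17' from the example, as (action, source, destination).
# Inside a VACL, 'permit' does not allow anything; it only selects the traffic
# that the access-map entry matches.
ACLS = {
    "local-17": [("permit", "192.168.99.17/32", "192.168.99.0/24")],
}

# The access map 'block-17': (sequence, ACL to match or None, action).
# Sequence 20 has no match clause, so it matches every remaining packet.
BLOCK_17 = [
    (10, "local-17", "drop"),
    (20, None, "forward"),
]


def acl_selects(acl, src, dst):
    """True if the ACL 'permits' (selects) this source/destination pair.

    Entries are tested in order; an ACL ends with an implicit deny, so an
    unmatched packet is not selected by the VACL entry.
    """
    s, d = ip_address(src), ip_address(dst)
    for action, src_net, dst_net in acl:
        if s in ip_network(src_net) and d in ip_network(dst_net):
            return action == "permit"
    return False


def vacl_action(access_map, src, dst, acls=ACLS):
    """Action the switch applies to an intra-VLAN IP packet under this access map."""
    for _seq, acl_name, action in sorted(access_map, key=lambda e: e[0]):
        if acl_name is None or acl_selects(acls[acl_name], src, dst):
            return action
    return "drop"  # no sequence matched: the map's implicit deny drops the packet


def evaluate(access_map, flows, acls=ACLS):
    """Map each (src, dst) flow to its action, for quick inspection of a map."""
    return {flow: vacl_action(access_map, *flow, acls=acls) for flow in flows}


# Constructed test flows inside VLAN 99 (192.168.99.0/24) plus one leaving the subnet.
FLOWS = [
    ("192.168.99.17", "192.168.99.50"),  # blocked host talking to a neighbour
    ("192.168.99.50", "192.168.99.17"),  # neighbour talking back
    ("192.168.99.50", "192.168.99.51"),  # two unrelated hosts
    ("192.168.99.17", "10.0.0.1"),       # blocked host talking off-subnet via the gateway
]

if __name__ == "__main__":
    print("with sequence 20:", evaluate(BLOCK_17, FLOWS))
    # Forgetting the catch-all 'forward' sequence turns the map into a VLAN-wide drop.
    print("without sequence 20:", evaluate(BLOCK_17[:1], FLOWS))
```

Two things the model makes visible: 192.168.99.17 is blocked only towards its own subnet, so it can still reach the gateway and hosts beyond it, and replies from 192.168.99.50 back to .17 are forwarded because the ACL selects only .17's outbound traffic. Dropping sequence 20 (the second print) drops every other IP packet in VLAN 99 as well, which is the failure mode to check for before applying a map to a production VLAN.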

Private VLANs (PVLANs) offer devices the possibility to be completely isolated from other PVLAN members without the need to set access-lists.

A PVLAN can be either primary or secondary.

Secondary PVLANs must be associated with a primary PVLAN.

The main purpose of the primary PVLAN is to provide the single exit point to the outside world for its secondary PVLANs: the promiscuous ports, which normally connect routers, firewalls or shared servers, live in the primary. Ports in different secondary PVLANs never communicate directly with each other, even if they belong to the same primary PVLAN.

There are two kinds of secondary PVLANs: isolated and community. Hosts in an isolated PVLAN cannot exchange frames with each other at all; they can only talk to promiscuous ports in the primary PVLAN. A community PVLAN behaves like a standard VLAN among its own members: they can talk to each other and to the promiscuous ports, but not to other communities or to isolated ports. Note that this isolation is strictly layer 2. A router attached to a promiscuous port will happily route traffic between two isolated hosts in the same subnet (proxy ARP makes this trivial to trigger), so an ACL on the router interface that denies traffic whose source and destination are both in the PVLAN's subnet is needed to close that path.

Setting up PVLANs can be tricky. The steps are:

  1. create all the secondary PVLANs
  2. create the primary PVLAN
  3. associate switch ports with PVLANs


Step 1: Creating secondary PVLANs

Define each secondary PVLAN and its type (isolated or community):

Switch(config)# vlan vlan-id
Switch(config-vlan)# private-vlan {isolated | community}

Step 2: Creating a primary PVLAN

Create the primary PVLAN and associate its secondary PVLANs:

Switch(config)# vlan vlan-id
Switch(config-vlan)# private-vlan primary
Switch(config-vlan)# private-vlan association {secondary-vlan-list | add secondary-vlan-list | remove secondary-vlan-list}

Step 3: Associating switch ports with PVLANs

Last, but not least, the switch ports are configured: promiscuous ports (which belong to the primary PVLAN) are mapped, and host ports (which belong to a secondary PVLAN) are associated.

If the port is a secondary PVLAN member (host) it’s necessary to associate it with its primary and secondary PVLANs:

Switch(config-if)# switchport mode private-vlan host
Switch(config-if)# switchport private-vlan host-association primary-vlan-id secondary-vlan-id

Otherwise, the port must be declared as promiscuous and mapped to the primary PVLAN and its associated secondary PVLANs:

Switch(config-if)# switchport mode private-vlan promiscuous
Switch(config-if)# switchport private-vlan mapping primary-vlan-id {secondary-vlan-list | add secondary-vlan-list | remove secondary-vlan-list}
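Which pairs of ports can actually exchange frames is the part of the three steps above that is easiest to get wrong, so here is an added Python model of the layer 2 forwarding rules between promiscuous, isolated and community ports on one switch; it is my own illustration, not Cisco's code. The topology is constructed and its numbers are assumptions: primary VLAN 100 carrying isolated VLAN 101 and community VLANs 102 and 103, with Gi0/1 as the promiscuous uplink and Fa0/1 to Fa0/5 as host ports. It also checks the configuration for the usual mistake of associating or mapping a port to a secondary VLAN that the primary does not carry.

```python
from itertools import permutations

# Constructed PVLAN layout (assumed numbers): primary 100 carries one isolated
# and two community secondaries, the way steps 1 and 2 above would create them.
SECONDARY_TYPE = {101: "isolated", 102: "community", 103: "community"}
PRIMARY_ASSOCIATION = {100: {101, 102, 103}}

# Port config as produced by step 3: host ports carry (primary, secondary),
# promiscuous ports carry (primary, set of mapped secondaries).
PORTS = {
    "Gi0/1": ("promiscuous", 100, {101, 102, 103}),  # router / firewall uplink
    "Fa0/1": ("host", 100, 101),  # isolated
    "Fa0/2": ("host", 100, 101),  # isolated
    "Fa0/3": ("host", 100, 102),  # community 102
    "Fa0/4": ("host", 100, 102),  # community 102
    "Fa0/5": ("host", 100, 103),  # community 103
}


def config_errors(ports, primary_assoc, secondary_type):
    """Report host/promiscuous references to secondaries the primary does not carry."""
    errors = []
    for name, (mode, primary, sec) in ports.items():
        carried = primary_assoc.get(primary, set())
        wanted = sec if mode == "promiscuous" else {sec}
        for s in sorted(wanted):
            if s not in carried or s not in secondary_type:
                errors.append(f"{name}: secondary {s} not associated with primary {primary}")
    return errors


def can_forward(ports, src, dst, secondary_type=SECONDARY_TYPE):
    """Layer 2 forwarding decision between two PVLAN ports on the same switch."""
    smode, sprim, ssec = ports[src]
    dmode, dprim, dsec = ports[dst]
    if sprim != dprim:
        return False  # different primary VLANs are separate broadcast domains
    if smode == "promiscuous" and dmode == "promiscuous":
        return True
    if smode == "promiscuous":
        return dsec in ssec  # promiscuous reaches every secondary it is mapped to
    if dmode == "promiscuous":
        return ssec in dsec  # host ports always reach their promiscuous ports
    if ssec != dsec:
        return False  # isolated vs community, or two different communities
    return secondary_type[ssec] == "community"  # isolated peers never see each other


def reachability(ports):
    """{(src, dst): bool} for every ordered pair of distinct ports."""
    return {(a, b): can_forward(ports, a, b) for a, b in permutations(ports, 2)}


if __name__ == "__main__":
    problems = config_errors(PORTS, PRIMARY_ASSOCIATION, SECONDARY_TYPE)
    print("config errors:", problems or "none")
    for (a, b), ok in sorted(reachability(PORTS).items()):
        print(f"{a} -> {b}: {'forward' if ok else 'blocked'}")
```

The reachability map is symmetric and, for this layout, only twelve of the thirty ordered pairs forward: every host port to and from Gi0/1, plus the two community 102 members between themselves. Everything the model says is blocked is blocked at layer 2 only; the router behind Gi0/1 can still relay between the isolated hosts unless it carries the interface ACL mentioned earlier.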

Cya

1 Comment

  1. Really, it is very helpful, and thanks

    Comment by Nanda — 05/12/2009 @ 8:48 | Reply

