Introduction to VLANs

Hello Justin,

I hope you are doing well. To answer your question, the switch knows which interface to forward a packet out of based on a few things.

The first thing to know is that by default all ports on a switch start in VLAN 1; this is the “native” VLAN by default. As an administrator, you are going to decide what VLAN an interface should participate in.

For example, if we wanted to place an interface in VLAN 7 we would use the following commands:

switch(config)# vlan 7 (tells the switch to create VLAN 7)
!
switch(config-vlan)# name VOIP (tells the switch VLAN 7 is named VOIP)
!
switch(config-vlan)# exit
!
switch(config)# int fa0/7
!
switch(config-if)# switchport mode access (tells the switch this port is an access port)
!
switch(config-if)# switchport access vlan 7 (tells the switch what VLAN the port belongs to)

When the above commands are completed, this information is placed in the vlan.dat file located in NVRAM.

You can see this information when you run “sh vlan”; below you can see a network I have been working on in Packet Tracer and the results of the “sh vlan” command.

[image: output of the “sh vlan” command from the Packet Tracer network]

The sh vlan command will show all the access ports and their corresponding VLAN. This information is pulled from the vlan.dat file.

Also, in the MAC address table you can see what VLAN is assigned to a port. I have attached an example of this below.

[image: MAC address table output showing the VLAN of each port]

A trunk is different from an access port: by default a trunk lets all VLANs traverse the interface.

An example config would be:

switch(config)# int fa0/24
!
switch(config-if)# switchport mode trunk (turns the interface into a trunk)
!
switch(config-if)# switchport trunk allowed vlan 1,7,10,20,35 (denies all other VLANs from traversing the trunk)

This info is also added to the vlan.dat. You can look at what trunks have been created (if the interface is up/up) by running the command sh int trunk.

Now this explains how the switch knows what ports are a part of what VLAN, but this does not explain how the switch decides what VLAN the traffic is coming from.

An access port does not expect to see tagged traffic.

A trunk port expects to see tagged traffic (except for the native VLAN).

So, for example, say I have a PC attached to fa0/7; this port is an access port assigned to VLAN 7. When my PC sends data it does not know to tag the traffic to identify it as part of VLAN 7. When the packet goes into the interface, the switch will then add a 4-byte tag to the frame. Now the switch knows what ports are a part of each VLAN and what VLAN the traffic belongs to. The exception to this rule is that the native VLAN is never tagged unless configured to be tagged.

Now say I have a wireless access point that is configured with 3 SSIDs/networks. Each SSID is a part of its own VLAN. However, the access point only has one data port. In this case we would use a trunk. The access point can be set to send tag x for network x, so that when we send traffic over the trunk the switch will know what VLAN the traffic is a part of.

So to recap:
VLANs are defined by the admin; this info is put into the vlan.dat file for the switch to use.
The MAC address table also has a list of interfaces and what VLAN they are a part of
(as long as traffic has been seen on the ports in question).
The switch or endpoint device will tag the traffic, so that the switch knows what VLAN the traffic belongs to and sends it to the proper port. I hope this answers your VLAN question!
Thanks,
Scott
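As an added illustration (not part of Scott's post or the lesson), here is the 4-byte 802.1Q tag the post refers to, in Python: inserting it between the source MAC and the EtherType, reading it back, the trunk rule that the native VLAN leaves untagged while other VLANs are tagged and anything outside the allowed list is dropped, and the normal (1-1005) versus extended (1006-4094) range split that comes up later in this thread. The sample frame, its MAC addresses and the function names are constructed for this example.

```python
import struct

TPID_8021Q = 0x8100        # EtherType value that announces an 802.1Q tag follows
NORMAL_RANGE_MAX = 1005    # VLANs 1-1005 are "normal range", 1006-4094 "extended range"

# Constructed sample: an untagged broadcast ARP-style frame, as a PC on an access port sends it
PC_FRAME = (bytes.fromhex("ffffffffffff")      # destination MAC: broadcast
            + bytes.fromhex("001122334455")    # source MAC (constructed)
            + bytes.fromhex("0806")            # EtherType: ARP
            + b"\x00" * 28)                    # placeholder ARP body

def check_vid(vid: int) -> None:
    """The VID field is 12 bits; 0 and 4095 are reserved, so usable IDs are 1-4094."""
    if not 1 <= vid <= 4094:
        raise ValueError(f"VLAN ID {vid} is outside 1-4094")

def vlan_range(vid: int) -> str:
    """'normal' for 1-1005, 'extended' for 1006-4094."""
    check_vid(vid)
    return "normal" if vid <= NORMAL_RANGE_MAX else "extended"

def tag_frame(frame: bytes, vid: int, pcp: int = 0) -> bytes:
    """Insert the 4-byte tag (TPID + TCI) after the 12 bytes of destination and source MAC."""
    check_vid(vid)
    if len(frame) < 14:
        raise ValueError("not a complete Ethernet header")
    tci = (pcp & 0x7) << 13 | vid          # TCI = PCP (3 bits) | DEI (1 bit, 0 here) | VID (12 bits)
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]

def untag_frame(frame: bytes):
    """Return (vid, frame without the tag); vid is None when the frame carries no tag."""
    if len(frame) >= 18 and struct.unpack("!H", frame[12:14])[0] == TPID_8021Q:
        tci = struct.unpack("!H", frame[14:16])[0]
        return tci & 0x0FFF, frame[:12] + frame[16:]
    return None, frame

def trunk_egress(frame: bytes, vid: int, native_vid: int = 1) -> bytes:
    """Frames leave a trunk tagged, except frames in the trunk's native VLAN."""
    return frame if vid == native_vid else tag_frame(frame, vid)

def trunk_ingress(frame: bytes, native_vid: int = 1, allowed=None):
    """Classify a frame arriving on a trunk: the tag decides the VLAN, untagged means native.
    Returns (vid, untagged frame), or (None, None) when the VLAN is not on the allowed list."""
    vid, inner = untag_frame(frame)
    vid = native_vid if vid is None else vid
    if allowed is not None and vid not in allowed:
        return None, None
    return vid, inner
```

Running `trunk_ingress(trunk_egress(PC_FRAME, 7), allowed={1, 7, 10})` gives the original untagged frame back classified as VLAN 7, while VLAN 20 on the same allowed list is dropped, which is the effect of the “switchport trunk allowed vlan” command above.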

I guess my question is: does a switch check the hash of the frame and compare it to the CAM table? For instance, a switch gets a frame with a VLAN membership of 10 and it’s an ARP request. Does the switch get the frame, run a hash (including the VLAN) and then forward it out only the ports where it found an exact match? I am curious how the switch separates its own VLANs. I mean, I think that if you try to put one subnet on two different VLANs the switch will yell at you. Is there any real separation other than the switch not allowing it?

Hello Justin

Let’s say a switch has 24 access ports where ports 1-12 are on VLAN 10 and ports 13-24 are on VLAN 20. Let’s say a broadcast frame is sent on port 1. The switch will receive that frame and send it out of ports 2 to 12. Why? Because it knows that it entered port 1, therefore it is on VLAN 10, therefore it will send it out of all ports that have been configured on VLAN 10. It doesn’t even look at the details of the frame itself, because there is no data in the frame that gives the switch VLAN information. The information comes only from the fact that the egress port is on VLAN 10.

Now if we have a trunk, where multiple VLANs are used, the frame must have additional information in order for the switch to determine on which VLAN to place it. However, when a tagged frame enters a trunk port, the tag is immediately stripped, and the frame is forwarded only to ports that are configured on the VLAN of the tag that was just removed.

The CAM table has nothing to do with the VLANs that ports belong to. The CAM table will map MAC addresses to ports. If a frame enters a port on VLAN 10, with a destination MAC address of a device on VLAN 20, even if that entry is in the CAM table, the switch will not allow this frame to be forwarded due to the mismatch in VLANs.

I hope this has been helpful!

Laz
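To make the forwarding behaviour Laz describes concrete, here is an added Python model of a VLAN-aware learning switch; it is constructed for this thread and is not code from the lesson or from any vendor. The ingress VLAN comes from the port configuration (or from the tag on a trunk), the CAM table is keyed by (VLAN, MAC) so a lookup on VLAN 10 never sees a MAC learned on VLAN 20, broadcasts flood only within the ingress VLAN, and a tag is added only when a frame leaves a trunk and removed when it enters one, which is also the point made for Teja later in the thread. It also covers Usman's case of two access ports in different VLANs cabled together. Port names, MAC addresses and the topologies are constructed.

```python
from dataclasses import dataclass
from typing import Optional, FrozenSet

BROADCAST = "ff:ff:ff:ff:ff:ff"
ALL_VLANS = frozenset(range(1, 4095))

@dataclass
class Frame:
    src: str
    dst: str
    vid: Optional[int] = None          # 802.1Q tag; present only while on a trunk link

@dataclass
class Port:
    name: str
    mode: str                          # "access" or "trunk"
    vlan: int = 1                      # access VLAN, or the native VLAN of a trunk
    allowed: FrozenSet[int] = ALL_VLANS  # trunk only: "switchport trunk allowed vlan"

class Switch:
    """Minimal VLAN-aware learning switch (constructed model for this example)."""

    def __init__(self, name, ports):
        self.name = name
        self.ports = {p.name: p for p in ports}
        self.cam = {}                  # (vlan, mac) -> port name; the VLAN is part of the key

    def classify(self, port, frame):
        """VLAN of an incoming frame: the port's VLAN on an access port; on a trunk the tag,
        or the native VLAN when untagged. None means the frame is dropped."""
        if port.mode == "access":
            return None if frame.vid is not None else port.vlan
        vid = port.vlan if frame.vid is None else frame.vid
        return vid if vid in port.allowed else None

    def egress(self, port, frame, vid):
        """Tag only when leaving a trunk, and not for the trunk's native VLAN."""
        if port.mode == "trunk" and vid != port.vlan:
            return Frame(frame.src, frame.dst, vid)
        return Frame(frame.src, frame.dst, None)

    def receive(self, in_port_name, frame):
        """Process one frame; returns {out_port: frame as it leaves that port}."""
        in_port = self.ports[in_port_name]
        vid = self.classify(in_port, frame)
        if vid is None:
            return {}
        self.cam[(vid, frame.src)] = in_port_name       # learn the source within its VLAN
        known = self.cam.get((vid, frame.dst))           # lookup is scoped to the same VLAN
        if frame.dst != BROADCAST and known is not None:
            candidates = [known] if known != in_port_name else []
        else:
            candidates = [n for n in self.ports if n != in_port_name]   # flood
        out = {}
        for n in candidates:
            p = self.ports[n]
            if p.mode == "access" and p.vlan != vid:
                continue                                 # another VLAN: never leaves here
            if p.mode == "trunk" and vid not in p.allowed:
                continue
            out[n] = self.egress(p, frame, vid)
        return out

def broadcast_on_vlan10():
    """Laz's case: ports 1-12 in VLAN 10, 13-24 in VLAN 20, a broadcast enters port 1."""
    sw = Switch("sw1", [Port(f"fa0/{i}", "access", 10 if i <= 12 else 20) for i in range(1, 25)])
    return set(sw.receive("fa0/1", Frame("00:00:00:00:00:01", BROADCAST)))

def unicast_across_vlans():
    """A CAM entry for a MAC on VLAN 20 is invisible to a lookup made on VLAN 10."""
    sw = Switch("sw1", [Port("fa0/1", "access", 10), Port("fa0/2", "access", 10),
                        Port("fa0/13", "access", 20)])
    sw.receive("fa0/13", Frame("00:00:00:00:00:0b", BROADCAST))   # host B learned on VLAN 20
    out = sw.receive("fa0/1", Frame("00:00:00:00:00:0a", "00:00:00:00:00:0b"))
    return sw.cam[(20, "00:00:00:00:00:0b")], set(out)

def across_a_trunk():
    """Tag added as the frame leaves sw1's trunk, removed as it enters sw2's trunk."""
    trunk = dict(mode="trunk", vlan=1, allowed=frozenset({1, 7, 10}))
    sw1 = Switch("sw1", [Port("fa0/7", "access", 7), Port("fa0/24", **trunk)])
    sw2 = Switch("sw2", [Port("fa0/24", **trunk), Port("fa0/3", "access", 7),
                         Port("fa0/4", "access", 10)])
    on_wire = sw1.receive("fa0/7", Frame("00:00:00:00:00:07", BROADCAST))["fa0/24"]
    out2 = sw2.receive("fa0/24", on_wire)
    return on_wire.vid, set(out2), out2["fa0/3"].vid

def mismatched_access_link():
    """Usman's case: an access port in VLAN 10 cabled to an access port in VLAN 20.
    Nothing on the wire carries a VLAN, so the receiving switch just uses its own port's VLAN."""
    sw2 = Switch("sw2", [Port("gi0/1", "access", 20), Port("gi0/2", "access", 20)])
    untagged = Frame("00:00:00:00:00:aa", BROADCAST)     # as it left sw1's VLAN 10 access port
    return sw2.classify(sw2.ports["gi0/1"], untagged), set(sw2.receive("gi0/1", untagged))
```

In `unicast_across_vlans` the frame from VLAN 10 is flooded to the other VLAN 10 port rather than delivered to host B, even though B's MAC is in the CAM table: the entry is keyed by VLAN 20, so the VLAN 10 lookup misses and the VLAN 20 port is excluded from the flood anyway. In `across_a_trunk` the frame carries VID 7 only on the link between the two trunks and arrives untagged at the VLAN 7 access port on the far switch.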

Laz,

All of your posts are extremely well written. Thank you for explaining things much more simply than I can :)
Thanks,
Scott

Hello Scott

Thanks so much for the encouragement! I’m glad I could be of help!!

Laz

I loved the explanation of the virtual aspect vs the physical cabling. Very clarifying. Thank you!

Hi,

May I know what the main differences are between a Standard VLAN and an Extended VLAN?
After looking through the internet, I’ve found that Extended only supports VTP3… Is there any other difference between those VLAN ranges?

Hello Aung

Before Cisco IOS Release 12.4(15)T, users were permitted to configure VLANs numbered from 2 to 1001. The remaining VLANs (numbered from 1006 to 4094) were reserved for use as internal VLANs configured by applications.

Because this number of VLANs was not always enough, especially for ISPs, beginning with Cisco IOS Release 12.4(15)T, all VLAN numbers except those reserved for default and reserved VLANs are available for user configuration. The result is that users and applications share the VLAN number space from 1006 to 4094.

VTP, the protocol that allows switches to share VLAN names, numbers and configurations, does not propagate configuration information for extended-range VLANs (VLAN numbers 1006 to 4094). You must configure extended-range VLANs manually on each network device.

I hope this has been helpful!

Laz

Great lesson on Vlans,

I would like to know, when we assign a switchport to a particular VLAN, how does the switch know which ports belong to which VLANs so it can forward frames to the correct destination? For example, the CAM table shows MAC addresses mapped to interfaces; how does the switch know what VLANs are assigned, especially since the frames do not carry VLAN information? Thank you!

Hello Kevin

The information of which ports belong to which VLAN is kept in the configuration. The running configuration resides in RAM and is used by the switch to determine to which VLAN each port is assigned.

I hope this has been helpful

Laz

Hi, how does the router interpret a VLAN?

For example, if i have this type of topology:

R - SW - H

The router has an IP address that faces the SW, for example 192.168.100.1; the SW port that faces the router is an access port for VLAN 10, and the same for the host.

Why is this communication valid, even when the router connected to the switch doesn’t have any VLAN?

Hello Max

Take a look at this diagram:

Assume that ports 1, 5, and 10 have been assigned to VLAN 10 (the green ports). If the host communicates with the router, it sends a frame that enters the switch on port 1. The switch will have the ability to forward that frame to any port that is configured on VLAN 10. This means that the frame can exit from ports 5 or 10 depending on where the destination MAC is found. The router doesn’t actually have to know what VLAN it is connected to, nor does the host. They just send their frames and the switch deals with where they can be forwarded to.

Now if the router was plugged into port 5, then the communication would still be successful, since 1, 5 and 10 are on the same VLAN. However, if the router was plugged into port 7 for example, communication would be blocked because the switch cannot allow devices on different VLANs to communicate.

I hope this has been helpful!

Laz

Hello,
First, they can’t be in the same network. VLANs separate networks and broadcast domains. Every VLAN would have its own subnet, one for each group. They can’t talk, of course, without a layer 3 (router) device. A layer 3 switch has the capability, but I wouldn’t dig too much into that for the CCNA.

Hello,

What if we have below situation,

MLS Switch-1 (int VLAN 10, SVI IP: 192.168.10.10/24), access port in VLAN 10 ----- connected with ----- access port in VLAN 20 (int VLAN 20, SVI IP: 192.168.10.11/24), MLS Switch-2.

Is it logically fine if they communicate with each other? I have the same scenario and both SVI IPs can ping each other via the access ports.

Hello Usman

Yes, this will function correctly. Since both ports on both switches are access ports, there is no VLAN information sent in the frames that are exchanged. As a result, communication will occur correctly.

It is a good idea however to keep some sort of consistency on the VLANs on all switches within an enterprise network. In the future, you may want to connect those switches using a trunk. You may want to span a particular VLAN across multiple switches. You would not be able to do so unless the VLAN numbers and subnets match correctly. It can be a time consuming exercise to have to change the VLAN numbers and subnets on L3 switches throughout your network in order to get such a configuration to function. It’s best practice to keep these consistent from the beginning…

I hope this has been helpful!

Laz

How common are VLANs in the business world, are they used everywhere? Or are there still many businesses that employ “normal” LANs?

Hello Marit

VLANs are very common in businesses today. I would say that for businesses with over 10 workstations, VLANs are literally ubiquitous. They are essential if you want to segment your network into logical segments/subnets without needing to buy a physical switch for each segment/subnet. They are a huge money saver and thus will be found in almost every business network.

I hope this has been helpful!

Laz

Hi Laz,

Very helpful, thank you!

HI Laz,

Please let me know if I got this correct. So the access port on the switch adds a VLAN tag to the frame; if the frame is destined to a host on a different switch it is supposed to go through the trunk port; the trunk port by default allows all VLANs to pass through it; as soon as the frame is injected into the trunk port, it strips off the VLAN tag that was added by the access port? If it does that, how come when the frame reaches the 2nd switch it will know which VLAN it is supposed to be sent to?

Apologies if I am not clear.

Thanks
Teja

Hello Teja

A VLAN tag will only be added to a frame when it is exiting a trunk port. The VLAN tag will then be stripped when it enters the trunk port on the other end. So a VLAN tag will only exist on the frame while the frame is on the physical trunk link.

A VLAN tag will never be added to a frame on an access port. Because the access port is configured to function on a particular VLAN, the switch knows that any frames entering that port must be kept within that VLAN. A tag is only necessary on the parts of the path that the frame takes, where you can have more than one possible VLAN, in other words, a trunk.

One exception to the above is when using a voice VLAN, with a PC connected to the IP phone. In such a case, the frames coming from the phone are tagged, while the frames coming from the PC are not. The phone in this case is connected to an access port, one that is specially configured to accommodate such traffic. More about the Voice VLAN can be found at the following lesson:

I hope this has been helpful!

Laz