Welcome back. In this section, we're going to look at VLANs or virtual local area networks. We're going to virtualize our infrastructure. Virtualization is a big topic today with companies such as VMware virtualizing servers, but VLANs have been around for many years. And in a similar way, we're going to be virtualizing our switches, where one physical switch is virtually multiple switches. This is not full virtualization; we're just virtualizing the local area networks on that specific switch.

So I want to give you an overview of VLANs and how they operate. We need to talk about trunking protocols like 802.1Q and ISL or Inter-Switch Link. I want to explain VLAN Trunking Protocol or VTP, which allows us to create VLANs on a single switch and have that VLAN information propagated to other switches in the topology. VTP can be a very useful protocol but can be extremely dangerous and has caused a lot of problems for Cisco engineers over the years, and these days a lot of us will just turn it off and never use it because of its inherent dangers.

Now, an incorrectly designed network or poorly designed network has multiple issues. In a simple topology as an example, we have a switch with a hub. This is a single broadcast domain.
So if this host A started broadcasting, that broadcast would be received by everyone. Now that may not be a problem, but if the NIC starts jabbering, in other words sending broadcast after broadcast after broadcast, it can flood through your entire network and cause a lot of issues, as every device in the network needs to process that broadcast. This issue exponentially increases as the number of hosts on the network increases. More and more hosts are sending broadcasts, more and more hosts are affected by those broadcasts, and thus broadcasts should be contained or limited as far as possible.

This is an example of a poorly designed network. If the central switch went down, it would affect all devices in the topology. No host would be able to communicate with each other because all communication needs to go via the single device, which is now a single point of failure. Broadcasts once again will flood throughout the network. The broadcast is received on all links and will consume the bandwidth on every single link in this topology. Once again, every single device has to process that broadcast and its CPU will be interrupted by the broadcast. Continuous broadcasts will slow down the entire network.
Because of the way MAC address tables work, traffic going to a unicast address where the MAC address is not learnt by the switches will also be flooded throughout the topology. Multicasts are treated in the same way as broadcasts by most layer two switches, so multicasts will be flooded throughout the network and affect all devices.

A poorly designed network may be disorganized and poorly documented and lack easily identified traffic flows, which makes support, maintenance and problem resolution very time consuming and very difficult. You also have the issue of security. If this host on the left hand side is in marketing and the host on the right hand side is in the accounts department, the person in marketing has access to that machine across the network because security might not be implemented properly. It becomes very difficult to manage a poorly designed network.

So what is a virtual LAN or VLAN? A VLAN is essentially a single broadcast domain or logical subnet or logical network. You could say it's a group of hosts with a common set of requirements attached to the same broadcast domain, regardless of where they are physically located. You're able to group multiple devices together logically rather than physically. So it is possible to span a subnet or VLAN across multiple switches, even though that's not recommended today.
You can design a VLAN structure that allows you to group together stations or hosts that are segmented logically by functions, project teams and other types of applications, once again without regard to physical location. So some of the advantages of VLANs include segmentation, where you segment or separate users based on function. For instance, the sales department will go into a specific VLAN and the accountancy department will go into a different VLAN. It's very flexible: without changing physical cabling, you can move a user from one VLAN to another. It also provides security, because users are in separate VLANs and therefore have to traverse a layer three device like a router to get from one VLAN to another. On the router you can implement access lists to control which users have access to various VLANs. We'll be talking a lot about access lists later in the course, but for now understand that it gives you the ability to enhance security by separating users. These days, VLANs also have other advantages, specifically when implementing voice over IP. You can put your IP phones into a separate VLAN to your workstations and therefore provide a better quality of service to the IP phones. So implementing VLANs has many advantages in modern networks today.
Something that I find always confuses people is the difference between a physical topology and a logical topology. You need to change your paradigm and no longer think about the physical topology of the network, but rather envision what the logical topology looks like. The logical topology will be very different to the physical topology as soon as VLANs are implemented. So here is an example of what a physical topology may look like. You have four physical machines connected to a single physical switch on ports 0/1, 0/2, 0/3 and 0/4. So that's the physical topology.

However, logically we can put interfaces into different VLANs. So all you need to do is go onto the interface (I'll show you the commands in a moment) and you put that interface into a specific VLAN. Let's say, for argument's sake, the red VLAN. Now, VLANs on switches are configured with numbers, but often when we discuss VLANs we talk about colors to try and differentiate between the VLANs and make it easier to understand. So assume for the moment that PC A and PC D have been put into the red VLAN by typing commands on the switch ports, and PC B and PC C have been put into the green VLAN. Please note that the hosts are oblivious to what's happened. You as the administrator have just gone onto the switch and changed the VLAN that the port belongs to.
By default, all ports belong to VLAN 1 on Cisco switches, but by using a single command you can move that port to a separate VLAN. So once again the physical topology looks as follows, but you've just got to imagine that these PCs are in separate VLANs. However, when looking at the logical topology, things are dramatically different. PC A and PC D are in the red VLAN on our switch. PC C and PC B are on the green VLAN. Logically, there are two separate switches or two separate LANs. Here we have virtualized our LAN infrastructure and created two separate local area networks. These networks cannot communicate with each other from a layer two point of view. VLANs are implemented at layer two, and the only way to move from one VLAN to another is to go via a layer three device such as a router. Remember please, a VLAN is a separate logical subnet or separate broadcast domain. If A sent a broadcast, that broadcast would only be received by D. If C sent a broadcast, that broadcast would only be received by B, which is very different from having all the devices on the same VLAN or same physical switch. Once again, ports can be put into a VLAN using different mechanisms. For the moment, just assume that you as the administrator statically put the port into the relevant VLAN.
So going back to our physical view of the topology: in this topology, we're not going to use 48-bit MAC addresses because I want to simplify what's going on. So just assume that these numbers A, B, C and D are the MAC addresses of these devices. When A sends a broadcast, that broadcast will be forwarded to the switch with a source address of A, and the destination will contain all Fs, in other words, broadcast. When that frame hits the switch, the switch will make a note of which VLAN that port belongs to, so that frame is internally tagged with the red VLAN. Please note the PC is oblivious to what's going on. The PC just sees this link as standard Ethernet and doesn't understand the concept of VLANs.

I'm going to digress just for a second. The architecture of switches varies. Cisco have documents like this one explaining the architecture of a 6500 switch. So for example, looking at the different chassis and different line cards and different supervisors, this document will explain how the architecture is set up. The detail of this is totally out of the scope of the course, but it's just to try and explain a little bit about what happens behind the scenes. One of the things that they explain in this document is the day in the life of a packet going through a 6500.
And in this example, they've got centralised forwarding. So they'll explain how a packet will arrive on an interface and, based on different application-specific integrated circuits or ASICs, how that packet will flow from the ingress port to an egress port going via the data bus on the backplane of the switch. You can learn more about the actual flow of the packet through the switch by going and looking at documents like this. All I want you to realize is that the architectures of different switches work differently, and if you want to look at the internals of a switch, there are really good documents on Cisco's website explaining how packets flow through a switch.

Well, in this course we're going to explain it as follows. When the frame arrives on this port, it's internally tagged with the red VLAN. That frame is then copied to all other ports on the switch. However, that broadcast will not be forwarded out of this port because the port is in a different VLAN to the original frame. The frame will also not be forwarded out of this port 0/3 because the frame is in a different VLAN to the port. However, on this port the frame will be forwarded out because the VLAN number or colour is the same. Please note only the original frame is sent out of the port. No internal tagging leaves the switch.
The PCs once again are oblivious to any tagging or changing of frames, so the frame leaves the switch and arrives at PC D in its original form: source address is A, destination address is a broadcast. So physically we have one switch here, but logically PC A can only send traffic to PC D, not to PC B or PC C. They are on a separate VLAN or separate logical switch.

If A tries to send a unicast to C, the source address is A in the frame and the destination address is C, which is this PC on the green VLAN. That frame would be sent to the switch as a standard Ethernet frame, and we are assuming here that A has somehow learnt the MAC address of C, so he is sending a frame directly to C. Normally he wouldn't even be able to learn that MAC address. So in this example, the person on A could be up to no good. The frame arrives at the switch and the switch tags the frame internally with the red VLAN; that frame is copied to all ports on the switch. Now once again, that depends on the switch architecture, so let's just assume for the moment that that's what's going to happen on this specific switch. Now, the central ASIC checks the MAC address table and sees that C can be found on port 0/3. So the central ASIC sends a flush message to the other ports to remove the copies of the frame.
So the frame is only available on port 0/3. However, just before sending out the frame, the port VLAN colour is checked against the frame. The frame is a red VLAN frame because it arrived on a red port, but this is a green VLAN interface, so the frame is not transmitted and is dropped, so the frame never gets to PC C. Therefore A is not able to access the green VLAN. Logically, A is separated from C, and from a layer two point of view there is no connection between the red VLAN and the green VLAN. As mentioned previously, the only way to get from one VLAN to another is to traverse a layer three device such as a router, and as there is no router in this example, the traffic is totally separated.

Here is a slightly more complicated example. A is still in the red VLAN but is connected to switch one. D is in the red VLAN but is in this case connected to switch two. C is in the green VLAN connected to switch two, and B is in the green VLAN connected to switch one. A special type of link is required between the two switches so that they can communicate VLAN information between them, and that is known as a trunk port. This interface will run a trunking protocol so that VLAN information can be transmitted from one switch to another.
The two trunking protocols that are used are ISL or Inter-Switch Link and 802.1Q. Now, ISL was a Cisco proprietary protocol and tends not to be used today. 802.1Q, the industry standard, is the protocol of choice for communicating VLAN information between switches across trunking ports. Now once again, it's important to remember what the physical topology looks like, which is as follows, and then the logical topology, which looks like this: PC A is connected to switch one and PC D is connected to switch two, but they are in the red VLAN. PC B is connected to switch one and PC C is connected to switch two, but they are on the green VLAN, so there's logical separation between the devices across the two switches. Physically, please remember there are only two switches in this topology, but logically we are creating four switches with the red VLAN separated from the green VLAN, and the switches are linked using a trunking interface. So trunking once again allows multiple VLANs to traverse a single physical link. The two protocols are 802.1Q, the industry standard which tends to be used today, and ISL, which was Cisco's proprietary method, which tends not to be used in today's environments. Cisco IP phones, for example, do not support ISL, and a lot of new switches do not provide support for ISL. So in this course, we're going to concentrate on 802.1Q.

An 802.1Q frame is different to a standard Ethernet frame. The standard Ethernet frame would look something like this: you have a destination field, a source field, a length or EtherType field, you have the data, and then you have the frame check sequence. An 802.1Q frame has a four-byte tag inserted into the header between the source address field and the EtherType or length field. Because the frame is being altered, the frame check sequence is recomputed and replaced in the modified frame.

The tag consists of two main parts. The tag protocol identifier, which is set to 0x8100 to identify this as an IEEE 802.1Q tagged frame and thus allows switches and devices to distinguish an 802.1Q frame from untagged frames, is 16 bits in length or two bytes. The remaining two bytes or 16 bits are split as follows. Three bits represent the priority or priority code point, which is a three-bit field used to prioritize certain traffic types over others. This is used very heavily in quality of service, where for instance a decimal value of five is used to represent voice. The canonical format identifier or CFI was used in the old days for compatibility between Ethernet and token ring networks. It's very unlikely that you're going to use that today.
And the important piece is the VLAN identifier, which is a 12-bit field specifying the VLAN to which this frame belongs. A value of zero would mean that this frame does not belong to any VLAN. It's because of this field that switches are able to communicate the VLAN number to each other. It is 12 bits in size, which allows for 4096 VLANs to be created in an 802.1Q environment. You can work that out as follows: 2 to the power of 12 equals 4096. So in theory, 4096 VLANs could be configured on an 802.1Q switch. Switches, however, do not necessarily support that number of VLANs.
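The switching behaviour walked through in this lecture (internal tagging on an access port, per-VLAN flooding and learning, untagged frames leaving access ports, 802.1Q tags on the trunk, and the TPID / PCP / CFI / VID layout of the four-byte tag) can be seen end to end in the following Python model. This is an added example, not material from the course or Cisco software: the `VlanSwitch` class, the port names, VLAN numbers 10 and 20 standing in for the red and green colours, and the MAC addresses are all constructed for the illustration. One simplification is labelled in the code: the toy keys its MAC table per VLAN, so a MAC learned in green is simply unknown to a red lookup and A's unicast to C is flooded within red only, whereas the lecture's switch finds C's port and then drops on the colour check. Either way the frame never reaches C.

```python
"""Toy 802.1Q tag codec and VLAN-aware switch (added illustration, not course code).

Frames are raw bytes in Ethernet II layout: dst(6) src(6) [802.1Q tag(4)] ethertype(2) payload.
"""
import struct

TPID_8021Q = 0x8100                        # Tag Protocol Identifier for 802.1Q
BROADCAST = bytes.fromhex("ffffffffffff")  # all Fs destination


def mac(text):
    """'00:00:00:00:00:0a' -> 6 raw bytes."""
    return bytes.fromhex(text.replace(":", ""))


def frame(dst, src, payload=b"hello"):
    """Build an untagged IPv4-over-Ethernet frame (FCS omitted in this toy)."""
    return dst + src + struct.pack("!H", 0x0800) + payload


def build_tag(vid, pcp=0, dei=0):
    """Encode the 4-byte tag: TPID, then TCI = PCP(3 bits) | DEI/CFI(1 bit) | VID(12 bits)."""
    if not (0 <= vid < 4096 and 0 <= pcp < 8 and dei in (0, 1)):
        raise ValueError("tag field out of range")
    return struct.pack("!HH", TPID_8021Q, (pcp << 13) | (dei << 12) | vid)


def parse_frame(data):
    """Split a frame into fields; 'vid' is None when no 802.1Q tag is present."""
    dst, src = data[:6], data[6:12]
    if struct.unpack("!H", data[12:14])[0] == TPID_8021Q:
        tci = struct.unpack("!H", data[14:16])[0]
        return {"dst": dst, "src": src, "pcp": tci >> 13, "dei": (tci >> 12) & 1,
                "vid": tci & 0x0FFF, "rest": data[16:]}
    return {"dst": dst, "src": src, "pcp": None, "dei": None, "vid": None, "rest": data[12:]}


def untagged(data):
    """What an access port puts on the wire: the original frame with any tag removed."""
    f = parse_frame(data)
    return f["dst"] + f["src"] + f["rest"]


def tagged(data, vid, pcp=0):
    """What a trunk port puts on the wire: tag inserted right after the source address."""
    plain = untagged(data)
    return plain[:12] + build_tag(vid, pcp) + plain[12:]


class VlanSwitch:
    """Ports are ('access', vid) with untagged wire, or ('trunk', allowed vids) with 802.1Q."""

    def __init__(self):
        self.ports = {}
        self.mac_table = {}   # (vid, mac) -> port: simplification, learning is keyed per VLAN

    def access(self, port, vid):
        self.ports[port] = ("access", vid)

    def trunk(self, port, allowed):
        self.ports[port] = ("trunk", set(allowed))

    def forward(self, port_in, data):
        """Return [(egress port, wire frame)] produced for one ingress frame."""
        mode, arg = self.ports[port_in]
        f = parse_frame(data)
        if mode == "access":
            vid = arg                       # internal tag = the ingress port's own colour
        else:
            vid = f["vid"]                  # trunk: trust the wire tag, drop what isn't allowed
            if vid is None or vid not in arg:
                return []
        self.mac_table[(vid, f["src"])] = port_in
        dest = self.mac_table.get((vid, f["dst"]))
        if dest == port_in:
            return []                       # destination sits behind the ingress port: filter
        candidates = [dest] if dest is not None else [p for p in self.ports if p != port_in]
        out = []
        for p in candidates:                # colour check on every egress copy
            pmode, parg = self.ports[p]
            if pmode == "access" and parg == vid:
                out.append((p, untagged(data)))
            elif pmode == "trunk" and vid in parg:
                out.append((p, tagged(data, vid, f["pcp"] or 0)))
        return out                          # copies for mismatching colours were dropped


def demo():
    """Lecture topology: A and D red, B and C green, two switches joined by a trunk."""
    RED, GREEN = 10, 20                                            # constructed VLAN numbers
    A, B, C, D = (mac("00:00:00:00:00:0" + x) for x in "abcd")    # constructed MACs
    sw = {"sw1": VlanSwitch(), "sw2": VlanSwitch()}
    sw["sw1"].access("0/1", RED); sw["sw1"].access("0/2", GREEN); sw["sw1"].trunk("0/24", {RED, GREEN})
    sw["sw2"].access("0/3", GREEN); sw["sw2"].access("0/4", RED); sw["sw2"].trunk("0/24", {RED, GREEN})
    links = {("sw1", "0/24"): ("sw2", "0/24"), ("sw2", "0/24"): ("sw1", "0/24")}

    def deliver(name, port_in, data):
        """Follow a frame across the trunk; return {(switch, host port): wire frame}."""
        reached = {}
        for p, out in sw[name].forward(port_in, data):
            if (name, p) in links:
                reached.update(deliver(*links[(name, p)], out))
            else:
                reached[(name, p)] = out
        return reached

    on_trunk = sw["sw1"].forward("0/1", frame(BROADCAST, A))[0][1]
    bcast = deliver("sw1", "0/1", frame(BROADCAST, A))
    a_to_c = deliver("sw1", "0/1", frame(C, A))
    return {
        "trunk_frame_vid": parse_frame(on_trunk)["vid"],                  # tagged red on the trunk
        "broadcast_reaches": sorted(bcast),                               # only D hears A
        "broadcast_untagged": all(parse_frame(x)["vid"] is None for x in bcast.values()),
        "a_to_c_reaches": sorted(a_to_c),                                 # C's port is never in here
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Running the module prints the four results of `demo()`: the frame crossing the trunk carries VID 10, A's broadcast reaches only D's port and arrives with the tag stripped, and A's unicast towards C is confined to the red VLAN. Changing `"0/4"` on switch two to the green VLAN is a quick way to confirm that a colour mismatch on the egress port silently drops the copy, exactly as the lecture describes.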