
4.2 VLAN Implementation


VLANs and Trunks - Part 1

VLANs and Trunks - Part 2

VLANs and Trunks - Part 3

VLANs and Trunks - Part 4

VLANs and Trunks - Part 5 (Native VLAN)

1. Access Ports and Trunk Ports

In VLAN (Virtual Local Area Network) configurations, access ports and trunk ports are two types of switch ports that serve different purposes. Understanding the difference between them is crucial for designing and managing VLAN-based networks.

Access Ports

  • Definition: An access port is a switch port that carries traffic for a single VLAN. It is typically used to connect end devices like computers, printers, or IP phones to the network.
  • Purpose: Access ports are used to provide network access to devices that do not need to communicate with multiple VLANs.
  • Characteristics:
    • Belongs to only one VLAN (the access VLAN).
    • Does not add or interpret VLAN tags (frames are untagged).
    • Ideal for connecting end-user devices.
  • Configuration:
    • Set the port mode to access:
      Switch(config)# interface FastEthernet0/1
      Switch(config-if)# switchport mode access
    • Assign the port to a specific VLAN:
      Switch(config-if)# switchport access vlan 10

Trunk Ports

  • Definition: A trunk port is a switch port that carries traffic for multiple VLANs. It is typically used to connect switches, routers, or servers that need to communicate across multiple VLANs.
  • Purpose: Trunk ports are used to transport traffic between switches or between a switch and a router while preserving VLAN information.
  • Characteristics:
    • Carries traffic for multiple VLANs.
    • Adds a VLAN tag (using IEEE 802.1Q encapsulation) to frames to identify which VLAN they belong to.
    • Supports both tagged (for VLAN traffic) and untagged (for the Native VLAN) traffic.
  • Configuration:
    • Set the port mode to trunk:
      Switch(config)# interface GigabitEthernet0/1
      Switch(config-if)# switchport mode trunk
    • Optionally, specify the allowed VLANs on the trunk:
      Switch(config-if)# switchport trunk allowed vlan 10,20,30
    • Optionally, change the Native VLAN (default is VLAN 1):
      Switch(config-if)# switchport trunk native vlan 999

1.1 Key Differences Between Access Ports and Trunk Ports

Aspect           | Access Port                                  | Trunk Port
Traffic Carried  | Traffic for a single VLAN.                   | Traffic for multiple VLANs.
VLAN Tagging     | Frames are untagged.                         | Frames are tagged (except for the Native VLAN).
Typical Use Case | Connects end devices (e.g., PCs, printers).  | Connects switches, routers, or servers.
Configuration    | switchport mode access                       | switchport mode trunk
VLAN Assignment  | switchport access vlan [vlan-id]             | switchport trunk allowed vlan [vlan-list]

1.2 Purpose of Access Ports and Trunk Ports

Access Ports

  • Simplified Connectivity: Access ports provide a straightforward way to connect end devices to a specific VLAN without requiring VLAN tagging.
  • Security: By limiting a port to a single VLAN, access ports help isolate traffic and improve network security.
  • Ease of Configuration: Access ports are easy to configure and are ideal for environments where devices do not need to communicate across multiple VLANs.

Trunk Ports

  • Inter-Switch Communication: Trunk ports allow switches to share VLAN information and transport traffic for multiple VLANs over a single link.
  • Inter-VLAN Routing: Trunk ports are essential for connecting switches to routers or Layer 3 switches to enable inter-VLAN routing.
  • Scalability: Trunk ports reduce the number of physical links required to connect switches, making the network more scalable and efficient.

1.3 Example Scenarios

Scenario 1: Access Port

  • A PC in the Sales department is connected to an access port assigned to VLAN 10.
  • The PC sends untagged traffic to the switch, and the switch forwards the traffic within VLAN 10.

Configuration:

Switch(config)# interface FastEthernet0/1
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 10

Scenario 2: Trunk Port

  • Two switches are connected via a trunk port to carry traffic for VLANs 10, 20, and 30.
  • A frame from VLAN 10 is tagged with the VLAN ID when it passes through the trunk port, ensuring it reaches the correct VLAN on the other switch.

Configuration:

Switch(config)# interface GigabitEthernet0/1
Switch(config-if)# switchport mode trunk
Switch(config-if)# switchport trunk allowed vlan 10,20,30
Switch(config-if)# switchport trunk native vlan 999
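To make the two scenarios concrete, here is an added Python model (not part of the course page) of how a switch classifies frames at an access port and tags or untags them on an 802.1Q trunk, including the native VLAN rule from the trunk characteristics above. The MAC addresses and payload are constructed, the access-port handling of tagged frames is simplified to "untagged only", and the trunk is modelled as dropping untagged frames when its native VLAN is not in the allowed list, which is exactly the situation in the Scenario 2 configuration (native 999, allowed 10,20,30).

```python
import struct

ETHERTYPE_8021Q = 0x8100

def tag_frame(frame, vlan_id, pcp=0):
    """Insert an 802.1Q tag after the source MAC (bytes 0-11) of an untagged frame."""
    tci = (pcp << 13) | (vlan_id & 0x0FFF)          # TCI = PCP(3) DEI(1) VID(12)
    return frame[:12] + struct.pack("!HH", ETHERTYPE_8021Q, tci) + frame[12:]

def untag_frame(frame):
    """Return (vlan_id or None, frame without its 802.1Q tag)."""
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_8021Q:
        return None, frame
    vid = struct.unpack("!H", frame[14:16])[0] & 0x0FFF
    return vid, frame[:12] + frame[16:]

def ingress_vlan(port, frame):
    """Ingress: the VLAN a received frame is placed in, or None if dropped.
    port is {"mode": "access", "vlan": N} or {"mode": "trunk", "native": N, "allowed": {...}}."""
    vid, _ = untag_frame(frame)
    if port["mode"] == "access":
        # An access port does not interpret tags; simplified here as "untagged
        # only" (real platforms differ on tagged frames carrying the access VLAN).
        return port["vlan"] if vid is None else None
    if vid is None:                 # untagged on a trunk -> native VLAN
        vid = port["native"]
    # Anything outside the allowed list is dropped, including untagged frames
    # when the native VLAN itself is missing from the allowed list.
    return vid if vid in port["allowed"] else None

def egress_frame(port, vlan_id, frame):
    """Egress: the frame as sent out of port for VLAN vlan_id, or None."""
    _, plain = untag_frame(frame)
    if port["mode"] == "access":
        return plain if vlan_id == port["vlan"] else None
    if vlan_id not in port["allowed"]:
        return None
    # Trunks tag every VLAN except the native one, which goes out untagged.
    return plain if vlan_id == port["native"] else tag_frame(plain, vlan_id)

# Constructed sample: dst MAC, src MAC, EtherType 0x0800, dummy 20-byte payload.
SAMPLE = bytes.fromhex("020000000002" "020000000001" "0800") + b"\x45" * 20
ACCESS_10 = {"mode": "access", "vlan": 10}                        # Scenario 1 port
TRUNK = {"mode": "trunk", "native": 999, "allowed": {10, 20, 30}}  # Scenario 2 port

if __name__ == "__main__":
    vlan = ingress_vlan(ACCESS_10, SAMPLE)      # PC's untagged frame -> VLAN 10
    wire = egress_frame(TRUNK, vlan, SAMPLE)    # leaves the trunk tagged with VID 10
    print(vlan, untag_frame(wire)[0], len(wire) - len(SAMPLE))   # 10 10 4
```

Add 999 to the trunk's allowed set and `ingress_vlan(TRUNK, SAMPLE)` returns 999 instead of None, which is the behaviour the Native VLAN section below describes.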

1.4 Best Practices for Access Ports and Trunk Ports

  1. Use Access Ports for End Devices:
    • Always connect end devices (e.g., PCs, printers) to access ports to simplify configuration and improve security.
  2. Use Trunk Ports for Inter-Switch Links:
    • Use trunk ports to connect switches, routers, or servers that need to handle multiple VLANs.
  3. Change the Native VLAN:
    • Change the Native VLAN on trunk ports to something other than VLAN 1 (e.g., VLAN 999) to reduce the risk of VLAN hopping attacks.
  4. Limit Allowed VLANs on Trunk Ports:
    • Use the switchport trunk allowed vlan command to specify which VLANs are allowed on a trunk port. This improves security and reduces unnecessary traffic.
  5. Disable Unused Ports:
    • Disable unused ports and assign them to an unused VLAN to prevent unauthorized access.

2. Native VLAN and Default VLAN

In VLAN (Virtual Local Area Network) configurations, the terms Native VLAN and Default VLAN are often used. While they are related to VLANs, they serve different purposes. Below is an in-depth explanation of both concepts, their differences, and why they are important.

Default VLAN

  • Definition: The Default VLAN is the VLAN that all switch ports are assigned to when the switch is first powered on or reset to factory settings. By default, this is VLAN 1 on most Cisco switches.
  • Purpose:
    • Provides a basic configuration for the switch out of the box.
    • Allows devices to communicate without any additional VLAN configuration.
  • Characteristics:
    • VLAN 1 is the default VLAN for management traffic (e.g., CDP, VTP, and STP).
    • All ports on the switch are members of VLAN 1 by default unless explicitly configured otherwise.
  • Why It’s Needed:
    • Simplifies initial setup and allows devices to communicate immediately after the switch is powered on.
    • Serves as a fallback VLAN for unconfigured ports.

Native VLAN

  • Definition: The Native VLAN is a concept used in trunk ports. It is the VLAN that carries untagged traffic on a trunk link. By default, the Native VLAN is also VLAN 1 on most Cisco switches.
  • Purpose:
    • Allows untagged traffic to be transmitted over a trunk link.
    • Ensures backward compatibility with devices that do not support VLAN tagging (e.g., older switches or network devices).
  • Characteristics:
    • Untagged traffic on a trunk port is assumed to belong to the Native VLAN.
    • The Native VLAN must match on both ends of a trunk link; otherwise, VLAN leakage or miscommunication can occur.
  • Why It’s Needed:
    • Supports legacy devices that do not understand VLAN tags.
    • Provides a way to handle untagged traffic in a VLAN-aware network.

2.1 Key Differences Between Default VLAN and Native VLAN

Aspect           | Default VLAN                                  | Native VLAN
Definition       | The VLAN assigned to all ports by default.    | The VLAN that carries untagged traffic on a trunk port.
Default Value    | VLAN 1                                        | VLAN 1 (but can be changed).
Purpose          | Simplifies initial switch configuration.      | Handles untagged traffic on trunk links.
Scope            | Applies to all ports on the switch.           | Applies only to trunk ports.
Traffic Handling | Handles both tagged and untagged traffic.     | Specifically handles untagged traffic.

2.2 Purpose of Default VLAN and Native VLAN

Default VLAN

  • Ease of Use: Provides a working network configuration out of the box, allowing devices to communicate without additional setup.
  • Management Traffic: VLAN 1 is used for management protocols like CDP (Cisco Discovery Protocol), VTP (VLAN Trunking Protocol), and STP (Spanning Tree Protocol).
  • Fallback Configuration: Acts as a fallback for ports that are not explicitly assigned to another VLAN.

Native VLAN

  • Backward Compatibility: Supports devices that do not understand VLAN tagging, ensuring they can still communicate over trunk links.
  • Untagged Traffic Handling: Provides a way to handle traffic that is not tagged with a VLAN ID, which is common in mixed environments.
  • Security: By changing the Native VLAN to something other than VLAN 1, you can improve security by reducing the risk of VLAN hopping attacks.

2.3 Best Practices for Default VLAN and Native VLAN

  1. Change the Default VLAN:
    • Avoid using VLAN 1 for user traffic. Instead, create separate VLANs for different departments or functions.
    • Take access ports out of VLAN 1 by assigning each one to a specific VLAN to improve security.
  2. Change the Native VLAN:
    • Change the Native VLAN to something other than VLAN 1 (e.g., VLAN 999) to reduce the risk of VLAN hopping attacks.
    • Ensure the Native VLAN matches on both ends of a trunk link.
  3. Disable Unused Ports:
    • Disable unused ports and assign them to an unused VLAN to prevent unauthorized access.
  4. Use VLANs for Management:
    • Create a dedicated VLAN for management traffic (e.g., VLAN 100) and restrict access to authorized devices.
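The best practices in sections 1.4 and 2.3 can be checked mechanically against a switch's running-config. The following Python audit script is an added example, not part of the course material; it runs over a constructed config excerpt (the interface names and settings are assumptions) and flags enabled ports that are still in VLAN 1, trunks with native VLAN 1 or an unrestricted allowed list, and enabled ports with no explicit switchport mode.

```python
import re

# Constructed running-config excerpt (not from the page) used by audit() below.
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 switchport mode access
!
interface FastEthernet0/2
 shutdown
!
interface FastEthernet0/3
!
interface GigabitEthernet0/1
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30
 switchport trunk native vlan 999
!
interface GigabitEthernet0/2
 switchport mode trunk
!
"""

def parse_interfaces(config):
    """Map each interface in an IOS running-config to its indented config lines."""
    return {m.group(1): [l.strip() for l in m.group(2).splitlines()]
            for m in re.finditer(r"^interface (\S+)\n((?: .*\n)*)", config, re.M)}

def setting(lines, prefix, default):
    # Value following `prefix` (e.g. "switchport access vlan "), else default.
    return next((l[len(prefix):] for l in lines if l.startswith(prefix)), default)

def audit(config):
    """Check every enabled port against best practices 1.4 and 2.3; returns {port: [issues]}."""
    findings = {}
    for name, lines in parse_interfaces(config).items():
        if "shutdown" in lines:
            continue                # disabled port: nothing to flag
        issues, mode = [], setting(lines, "switchport mode ", None)
        if mode == "access" and setting(lines, "switchport access vlan ", "1") == "1":
            issues.append("access port left in default VLAN 1")
        elif mode == "trunk":
            if setting(lines, "switchport trunk native vlan ", "1") == "1":
                issues.append("native VLAN is 1 (change it, e.g. to 999)")
            if setting(lines, "switchport trunk allowed vlan ", "all") == "all":
                issues.append("trunk allows all VLANs (limit the allowed list)")
        elif mode != "access":
            issues.append("enabled port without an explicit switchport mode")
        if issues:
            findings[name] = issues
    return findings
```

Feed it the output of `show running-config` from a real switch to get a per-port list of deviations; ports that are shut down are skipped, as best practice 3 recommends for unused ports.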

2.4 Example Configuration

Changing the Native VLAN

To change the Native VLAN on a trunk port:

Switch(config)# interface GigabitEthernet0/1
Switch(config-if)# switchport trunk native vlan 999
Switch(config-if)# exit

Removing Access Ports from VLAN 1

To take an access port out of VLAN 1, assign it to another VLAN:

Switch(config)# interface FastEthernet0/1
Switch(config-if)# switchport access vlan 10
Switch(config-if)# switchport mode access
Switch(config-if)# exit

Creating a Management VLAN

To create a management VLAN:

Switch(config)# vlan 100
Switch(config-vlan)# name Management
Switch(config-vlan)# exit
Switch(config)# interface Vlan100
Switch(config-if)# ip address 192.168.100.1 255.255.255.0
Switch(config-if)# no shutdown
Switch(config-if)# exit