NETWORK - VLAN

BASICS OF VLANS:

A LAN is a local area network and is defined as all devices in the same broadcast domain. (Broadcast domain: the devices in the same subnet, which can reach each other directly without any intermediate device.) If you remember, routers stop broadcasts; switches just forward them.

As I said, a VLAN is a virtual LAN. In technical terms, a VLAN is a broadcast domain created by switches. Normally, it is a router that creates a broadcast domain; with VLANs, a switch can create one.

This works by you, the administrator, putting some switch ports in a VLAN other than the default VLAN (VLAN 1). All ports in a single VLAN are in a single broadcast domain.

Because switches can talk to each other, some ports on "switch A" can be in "VLAN 10" and other ports on "switch B" can also be in "VLAN 10". Broadcasts between these devices will not be seen on any port in any VLAN other than "VLAN 10". However, these devices can all communicate because they are on the same VLAN. Without additional configuration, they would not be able to communicate with any devices outside their VLAN.

Another important fact is that, on a Cisco switch, VLANs are enabled by default and ALL devices are already in a VLAN. The VLAN that all devices are already in is VLAN 1. So, by default, you can just use all the ports on a switch and all devices will be able to talk to one another.

---

VLAN is a technology used for establishing virtual network segments on top of physical switch devices. If configured appropriately, a VLAN definition can straddle multiple switches. Typically, a VLAN is a broadcast domain that enables all nodes in the VLAN to communicate with each other without routing or bridging.
For example, two VLANs (VLAN 1 and 2) are defined on three switches (Switch A, B, and C). Although nodes C-1 and C-2 are physically connected to the same switch C, traffic between the two nodes can be blocked. To enable communication between VLAN 1 and 2, some routing or bridging device is needed.


VLAN technologies:
-port based VLAN
-policy based VLAN
-802.1Q VLAN

# Port-based VLAN. A VLAN defined by the port number of the switch. This is easy to configure but often limited to one single switch.

# 802.1Q Tag VLAN. In 802.1Q, the VLAN information is written into the Ethernet frame itself. Each frame carries a VLAN ID, called a tag. This allows VLANs to be configured across multiple switches. (With the introduction of IEEE 802.1Q, the maximum Ethernet frame size for tagged frames was increased from 1518 bytes to 1522 bytes and the Ethernet header format was slightly modified.)

---------------------

What is 802.1Q VLAN?

Unlike port-based VLANs, 802.1Q VLANs use additional information in the Ethernet frame to differentiate network traffic. The additional information, called the VLAN tag, is four bytes long and can optionally be inserted into the Ethernet frame.


Network nodes connected to 802.1Q VLAN ports are expected to implement virtual network interfaces in order to explicitly specify VLAN IDs. A VLAN ID is a number ranging from 1 to 4094 (VLAN ID 1 is used as the default value). An Ethernet frame that does not contain the VLAN tag information (or contains a VLAN tag with a null VLAN ID) is called an untagged frame. All untagged frames are grouped into one VLAN, called the default VLAN, regardless of the source physical ports, MAC addresses, or IP addresses.
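The following is an added example (not code from the original page) that builds and parses the 4-byte 802.1Q tag described above: it shows where the tag sits in the frame, why a tagged frame is 4 bytes longer, and how a port groups untagged frames and frames with a null VLAN ID into the default VLAN. The sample frames, MAC addresses and payloads are constructed for the demonstration; VLAN 839 is taken from the lsattr output shown later on this page.

```python
from __future__ import annotations
import struct

TPID_8021Q = 0x8100        # EtherType value announcing that an 802.1Q tag follows
MIN_PAYLOAD = 46           # minimum Ethernet payload; shorter payloads are padded


def max_frame_size(tagged: bool) -> int:
    """Maximum frame size including the 4-byte FCS: 1518 untagged, 1522 with a tag."""
    return 1522 if tagged else 1518


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes,
                vid: int | None = None, pcp: int = 0, dei: int = 0) -> bytes:
    """Build an Ethernet frame (FCS omitted); insert a 4-byte 802.1Q tag when vid is given.
    vid=0 produces a priority-tagged frame: a tag carrying the null VLAN ID."""
    payload = payload.ljust(MIN_PAYLOAD, b"\x00")
    header = dst + src
    if vid is not None:
        # TCI layout: 3-bit priority (PCP), 1-bit DEI, 12-bit VLAN ID
        tci = (pcp & 0x7) << 13 | (dei & 0x1) << 12 | (vid & 0x0FFF)
        header += struct.pack("!HH", TPID_8021Q, tci)   # TPID + TCI = the VLAN tag
    return header + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes) -> dict:
    """Split an Ethernet frame into header fields, decoding an 802.1Q tag if present."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    info = {"dst": dst.hex(":"), "src": src.hex(":"), "tagged": False,
            "pcp": None, "dei": None, "vid": None}
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])   # inner EtherType follows the tag
        info.update(tagged=True, pcp=tci >> 13, dei=(tci >> 12) & 1, vid=tci & 0x0FFF)
        body = frame[18:]
    else:
        body = frame[14:]
    info.update(ethertype=ethertype, payload=body)
    return info


def classify(frame: bytes, default_vlan: int = 1) -> tuple[str, int]:
    """Decide how an 802.1Q port groups the frame: (kind, VLAN) with kind one of
    'untagged', 'priority-tagged' or 'tagged'. Untagged frames and tags carrying
    the null VLAN ID both land in the default VLAN."""
    info = parse_frame(frame)
    if not info["tagged"]:
        return "untagged", default_vlan
    vid = info["vid"]
    if vid == 0:
        return "priority-tagged", default_vlan
    if not 1 <= vid <= 4094:          # 4095 is reserved and never a usable VLAN
        raise ValueError(f"reserved VLAN ID {vid}")
    return "tagged", vid


# Constructed sample frames: broadcast destination, locally administered source MAC,
# IPv4 EtherType, dummy payloads. VLAN 839 is the tag ID from the lsattr output on this page.
DST_BCAST = bytes.fromhex("ffffffffffff")
SRC_MAC = bytes.fromhex("020000aa0001")
UNTAGGED = build_frame(DST_BCAST, SRC_MAC, 0x0800, b"untagged")
TAGGED_839 = build_frame(DST_BCAST, SRC_MAC, 0x0800, b"tagged", vid=839, pcp=3)
PRIORITY_ONLY = build_frame(DST_BCAST, SRC_MAC, 0x0800, b"prio", vid=0, pcp=5)

if __name__ == "__main__":
    for name, f in [("untagged", UNTAGGED), ("vlan 839", TAGGED_839), ("priority only", PRIORITY_ONLY)]:
        print(f"{name:14s} len={len(f):3d} -> {classify(f)}")
    print("max sizes:", max_frame_size(False), max_frame_size(True))
```

Running it shows the tagged frame is exactly 4 bytes longer than the untagged one, and that a frame whose tag carries VLAN ID 0 is treated like an untagged frame for VLAN membership (only its priority bits are meaningful).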

If IP addresses with different subnets are assigned on VLAN interfaces, these VLANs can be seen as logically split subnets, even though a single physical network adapter on the node is connected to a single physical port. (A port that is used for multiple VLAN interfaces is generally called a trunk port.)

On node A, in addition to the base network interface, there are two VLAN interfaces defined; one is with VLAN ID 2, another is with VLAN ID 3. On Node B, a VLAN interface with VLAN ID 2 is defined.


To use 802.1Q VLANs, the following must be understood:
-VLANs with their associated VLAN tag IDs must be defined on the switches.

-Although it is possible to define multiple VLAN interfaces on a single network adapter, it is not always the best approach from an availability standpoint. Should the adapter or port fail, all VLAN interfaces on it become unavailable.


AIX support for 802.1Q VLAN

smitty vlan


root@aix2: / # lsdev -Cc adapter
ent0      Available 07-08 2-Port 10/100/1000 Base-TX PCI-X Adapter (14108902)
ent1      Available 07-09 2-Port 10/100/1000 Base-TX PCI-X Adapter (14108902)
ent2      Available 09-08 2-Port 10/100/1000 Base-TX PCI-X Adapter (14108902)
ent3      Available 09-09 2-Port 10/100/1000 Base-TX PCI-X Adapter (14108902)
ent4      Available       EtherChannel / IEEE 802.3ad Link Aggregation
ent5      Available       VLAN
ent6      Available       VLAN


root@aix2: / # lsattr -El ent5
base_adapter  ent4 VLAN Base Adapter True
vlan_priority 0    VLAN Priority     True
vlan_tag_id   839  VLAN Tag ID       True

Some considerations:

- The VLAN tag added to packets leaving a partition is removed on entering the other partition only if it matches that partition's PVID.
(The VLAN tag is not stripped off by the SEA because the VLAN ID does not match the PVID of the virtual Ethernet adapter in the SEA.)

---------------------

What is trunking? What is a trunk port?
(http://publib.boulder.ibm.com/infocenter/tivihelp/v14r1/index.jsp?topic=/com.ibm.tivoli.tpm.net.doc/network/cnet_trunking.html)

When there is a link between two switches, or between a router and a switch, that carries the traffic of more than one VLAN, that port is a trunk port. A trunk port must run a special trunking protocol. The protocol used is either Cisco’s proprietary Inter-Switch Link (ISL) or the IEEE standard 802.1Q.

A trunk connection is a link that carries VLAN information between network devices. These devices could be two switches, a switch and a router, or even a switch and an end station. The advantage of the trunk is that through one connection, many VLANs can be transported between the two switches; therefore we do not have to implement a dedicated (and costly) connection for each VLAN. Trunking can dramatically improve the performance, manageability, and reliability for applications.

For example, let us assume we have connected a link between the ports of two switches. If the switch ports defined on the switches are members of the same VLAN, the ports will pass traffic only for the VLAN associated with their port connections. By default, the ports are in a non-trunk mode called an access link. If you want the traffic to pass between multiple VLANs established on multiple switches, you will need to first establish a trunk connection between the switch ports.
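One model that covers both the PVID rule in the AIX/PowerVM considerations above (a tag is stripped only when it matches the receiving adapter's PVID, so the SEA's trunk adapter leaves it on) and the access-versus-trunk port behaviour just described, as an added example that is not part of the original page. A Port here is either a switch port or a PowerVM virtual Ethernet adapter: `pvid` is the VLAN used for untagged frames, and `tagged_vids` are the VLANs it carries with the tag intact (empty for an access port, populated for a trunk). The LPAR, SEA and switch-port layouts are constructed for the demonstration; the PVID 99 on the SEA adapter stands for "a number not otherwise in use".

```python
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Optional, Set


@dataclass(frozen=True)
class Frame:
    payload: str
    vid: Optional[int] = None      # None: no 802.1Q tag on the wire


@dataclass
class Port:
    """One 802.1Q port or PowerVM virtual Ethernet adapter.
    pvid: VLAN for untagged frames (Cisco: access/native VLAN; PowerVM: PVID).
    tagged_vids: VLANs carried tagged. Empty = access port; non-empty = trunk
    (PowerVM: the adapter's additional VLAN IDs)."""
    name: str
    pvid: int
    tagged_vids: Set[int] = field(default_factory=set)

    def ingress(self, frame: Frame) -> Optional[int]:
        """Frame arrives from the attached device: the VLAN it is placed in, or None if refused."""
        if frame.vid is None or frame.vid == 0:
            return self.pvid                     # untagged / null VID -> the port's PVID
        if frame.vid == self.pvid or frame.vid in self.tagged_vids:
            return frame.vid                     # tag names a VLAN this port is a member of
        return None                              # not a member of that VLAN: refused

    def egress(self, vlan: int, payload: str) -> Optional[Frame]:
        """Frame in `vlan` leaves towards the attached device."""
        if vlan == self.pvid:
            return Frame(payload, None)          # tag matches the PVID: stripped
        if vlan in self.tagged_vids:
            return Frame(payload, vlan)          # member as a tagged VLAN: tag stays on
        return None                              # port is not in that VLAN: not forwarded


def forward(src: Port, frame: Frame, dst: Port) -> Optional[Frame]:
    """Carry a frame from the device on `src` to the device on `dst` through one switch/hypervisor."""
    vlan = src.ingress(frame)
    return None if vlan is None else dst.egress(vlan, frame.payload)


def trunk_walk(frame: Frame, path: list[Port]) -> Optional[Frame]:
    """Chain forward() along [in-port, out-port, in-port, out-port, ...] across trunk links."""
    current: Optional[Frame] = frame
    for a, b in zip(path[0::2], path[1::2]):
        current = forward(a, current, b)
        if current is None:
            return None
    return current


# Constructed PowerVM layout: two LPAR adapters with PVID 10; LPAR A also tags VLAN 839
# (like the AIX ent5 device on this page); the SEA trunk adapter uses an unused PVID 99.
LPAR_A = Port("lparA-ent4", pvid=10, tagged_vids={839})
LPAR_B = Port("lparB-ent0", pvid=10)
SEA_TRUNK = Port("vios-SEA", pvid=99, tagged_vids={10, 839})

# Constructed switch layout: access ports in VLAN 20 on two switches joined by a trunk (native VLAN 1).
ACCESS_SW1 = Port("SW1 Fa0/1", pvid=20)
TRUNK_SW1 = Port("SW1 Gi0/1", pvid=1, tagged_vids={10, 20})
TRUNK_SW2 = Port("SW2 Gi0/1", pvid=1, tagged_vids={10, 20})
ACCESS_SW2 = Port("SW2 Fa0/1", pvid=20)

if __name__ == "__main__":
    print("LPAR A -> SEA     :", forward(LPAR_A, Frame("ping"), SEA_TRUNK))   # still tagged 10
    print("LPAR A -> LPAR B  :", forward(LPAR_A, Frame("ping"), LPAR_B))      # tag stripped
    print("LPAR A 839 -> LPAR B:", forward(LPAR_A, Frame("x", 839), LPAR_B))  # dropped
    print("access -> trunk -> access:", trunk_walk(Frame("hello"), [ACCESS_SW1, TRUNK_SW1, TRUNK_SW2, ACCESS_SW2]))
```

The two LPAR-to-SEA cases reproduce the consideration above: a frame from LPAR A enters VLAN 10 untagged, leaves towards LPAR B untagged because 10 is LPAR B's PVID, but leaves the SEA adapter still tagged because 10 is not the SEA adapter's PVID. The switch cases show why an access link alone cannot carry a second VLAN: only the trunk ports accept and emit the VLAN 20 tag between the switches.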

Note: When a VLAN is split and the trunk connection is disabled between the two switches or endpoints, a single VLAN is divided into two new VLANs, one for each of the broadcast domains. All the switches in the domains are updated with the correct VLAN ID, based on which domain it was originally in. The NIC templates however do not get updated with the new VLAN ID information after the trunking is disabled between the switches. You will need to manually update the NIC templates, with information about one of the new VLAN IDs.


The main capabilities of trunking are:

-Aggregating multiple switches into a single logical trunk group supports efficient high-speed communications throughout the network.
-Administrative workload is reduced, as the switches or devices connected using the trunk connection can be managed as a single entity rather than individually.
-Trunking significantly increases data availability. For example, even if an individual switch failure occurs, the input and output can continue at a reduced bandwidth as long as at least one switch or router in the trunk group remains available.

---------------------

What is VTP?

Unfortunately, if you have more than a couple of switches, configuring VLANs can be a real pain. To make life easier, Cisco developed VLAN Trunking Protocol (VTP). Let’s find out what VTP can do for you.

Say that you have 20 switches in your large office building. On each of these switches, you have four VLANs. Without VTP, you have to create each of these four VLANs on each of these switches. With VTP, you only have to create the four VLANs once, on one switch, and all other switches learn about the four VLANs.

In other words, the job of VTP is to distribute VLAN configuration information between all the switches.

The job of VTP is best explained from the perspective of the VTP server. All switches, by default, are VTP servers. The VTP server is where you would create, remove, or modify VLANs.

This VTP server sends an advertisement, across the domain, every 5 minutes or whenever a change is made in the VLAN database. That advertisement contains all the different VLAN names, VLAN numbers, what switches have ports in what VLANs, and a revision number. Whenever a switch receives an update with a larger revision number than the last one it applied, it applies that revision.
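The advertisement and revision-number rule described above, as an added example (not code from the original page): one VTP server in a constructed 20-switch "office" domain creates the four VLANs, each change is flooded, and every other switch applies an advertisement only when it comes from its own domain and carries a strictly larger revision than the last one it applied. The domain-name check is standard VTP behaviour assumed here; switch names and VLAN names are constructed.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Advertisement:
    """What a VTP server floods across the domain after each change (and periodically)."""
    domain: str
    revision: int
    vlans: Dict[int, str]       # VLAN number -> VLAN name


@dataclass
class Switch:
    name: str
    domain: str
    mode: str = "server"        # every switch is a VTP server by default (see text)
    revision: int = 0
    vlans: Dict[int, str] = field(default_factory=lambda: {1: "default"})

    def create_vlan(self, number: int, name: str) -> Advertisement:
        """Create or modify a VLAN on a server: bump the revision, emit the advertisement."""
        if self.mode != "server":
            raise PermissionError(f"{self.name} is a VTP {self.mode}; VLANs are edited on a server")
        self.vlans[number] = name
        self.revision += 1
        return self.advertise()

    def advertise(self) -> Advertisement:
        return Advertisement(self.domain, self.revision, dict(self.vlans))

    def receive(self, adv: Advertisement) -> bool:
        """Apply the advertised database only if it is for our domain and its revision
        is strictly larger than the last one we applied; otherwise ignore it."""
        if adv.domain != self.domain or adv.revision <= self.revision:
            return False
        self.vlans = dict(adv.vlans)
        self.revision = adv.revision
        return True


def flood(adv: Advertisement, switches: List[Switch]) -> List[str]:
    """Deliver one advertisement to every switch; return the names of those that applied it."""
    return [sw.name for sw in switches if sw.receive(adv)]


def build_office(n_switches: int = 20, domain: str = "office") -> tuple[Switch, List[Switch]]:
    """Constructed topology from the text: SW1 is where VLANs are created; the rest just learn."""
    server = Switch("SW1", domain)
    others = [Switch(f"SW{i}", domain) for i in range(2, n_switches + 1)]
    return server, others


def provision_four_vlans(server: Switch, others: List[Switch]) -> Advertisement:
    """Create the four VLANs once on the server; each change is advertised immediately."""
    adv = server.advertise()
    for number, name in [(10, "eng"), (20, "sales"), (30, "voice"), (40, "guest")]:
        adv = server.create_vlan(number, name)
        flood(adv, others)
    return adv


if __name__ == "__main__":
    server, others = build_office()
    latest = provision_four_vlans(server, others)
    print("server revision:", latest.revision, "learned by", sum(sw.revision == 4 for sw in others), "switches")
    stale = Advertisement("office", 2, {1: "default", 10: "eng", 20: "sales"})
    print("stale revision applied by:", flood(stale, others))        # []
    foreign = Advertisement("lab", 99, {1: "default", 50: "lab"})
    print("other domain applied by:", flood(foreign, others))       # []
```

The stale and other-domain advertisements are ignored, while any advertisement in the domain with a higher revision replaces the whole VLAN database on every switch that receives it; the revision number, not the identity of the sending switch, is what decides.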

Keep in mind that VTP is a Cisco proprietary protocol. So, to use VTP between your switches, you must have all Cisco switches.

6 comments:

  1. How do I decide the port VLAN ID number in the virtual adapter?

    1. I can't tell you a definite answer; it depends on your setup and the purpose of the virtual adapter. Probably discussing it with the network guys could help. Usually, in virtual environments where SEA is in use, the SEA is expecting tagged packets only. In this case the port VLAN ID (PVID) on the VIOS virtual adapters in the SEA should be any number which is not in use (otherwise it will be untagged). Of course on VIO clients you have more options, but the simplest one is to use the necessary tag as the PVID on the virtual adapters. (In this case the VIO client looks like it is unaware of the VLAN tags.)
      For more info I suggest you read the PowerVM Introduction and Configuration Redbook.

  2. What is the use of the VLAN ID?

  3. Hi,
    You have written:
    // - The VLAN ID added to the packets leaving the partition is removed only when entering the other partition if it matches with its PVID.

    Are you sure it's PVID? I am confused here. Could you please explain the relation between VLAN ID and PVID here?

  4. PVID in this case stands for Port Virtual LAN ID, not Physical Volume ID

  5. (The VLAN tag is not stripped off by the SEA because the VLAN ID does not match the PVID of the virtual Ethernet adapter in the SEA)


    So, PVID and VID should be the same (for every port)?
