Network Bulls
www.networkbulls.com
Best Institute for CCNA CCNP CCSP CCIP CCIE Training in India
M-44, Old Dlf, Sector-14 Gurgaon, Haryana, India
Call: +91-9654672192
A VLAN is a logical broadcast domain that can span multiple physical LAN segments. It
is used to group end stations that have a common set of requirements, independent of their
physical locations. A VLAN has the same attributes as a physical LAN, except that it lets
you group end stations even when they are not physically located on the same LAN
segment. A VLAN also lets you group ports on a switch so that you can limit unicast,
multicast, and broadcast traffic flooding. Flooded traffic that originates from a particular
VLAN floods to only the ports belonging to that VLAN.
14 Chapter 2: Medium-Sized Switched Network Construction
Understanding VLANs
Understanding how VLANs operate and what the associated protocols are is important for
configuring, verifying, and troubleshooting VLANs on Cisco access switches. This section
describes VLAN operations and their associated protocols.
A poorly designed network has increased support costs, reduced service availability,
security risks, and limited support for new applications and solutions. Less-than-optimal
performance affects end users and access to central resources directly. Some of the issues
that stem from a poorly designed network include the following:
■ Failure domains: One of the most important reasons to implement an effective
network design is to minimize the extent of problems when they occur. When Layer 2
and Layer 3 boundaries are not clearly defined, failure in one network area can have a
far-reaching effect.
■ Broadcast domains: Broadcasts exist in every network. Many applications and
network operations require broadcasts to function properly; therefore, it is not possible
to eliminate them completely. In the same way that avoiding failure domains involves
clearly defining boundaries, broadcast domains should have clear boundaries and
include an optimal number of devices to minimize the negative impact of broadcasts.
■ Large amount of unknown MAC unicast traffic: Cisco Catalyst switches limit
unicast frame forwarding to ports that are associated with the specific unicast address.
However, when frames arrive at a destination MAC address that is not recorded in the
MAC table, they are flooded out of the switch ports in the same VLAN except for the
port that received the frame. This behavior is called unknown MAC unicast flooding.
Because this type of flooding causes excessive traffic on all the switch ports, network
interface cards (NICs) must contend with a larger number of frames on the wire. When
data is propagated on a wire for which it was not intended, security can be compromised.
■ Multicast traffic on ports where it is not intended: IP multicast is a technique that
allows IP traffic to be propagated from one source to a multicast group that is identified
by a single IP and MAC destination-group address pair. Similar to unicast flooding and
broadcasting, multicast frames are flooded out all the switch ports. A proper design
allows for the containment of multicast frames while allowing them to be functional.
■ Difficulty in management and support: A poorly designed network may be
disorganized and poorly documented and lack easily identified traffic flows, which can
make support, maintenance, and problem resolution time-consuming and arduous tasks.
■ Possible security vulnerabilities: A switched network that has been designed with
little attention to security requirements at the access layer can compromise the integrity
of the entire network.
A poorly designed network always has a negative impact and becomes a support and cost
burden for any organization. Figure 2-1 shows a network with a single broadcast domain.
VLANs can help alleviate some of the problems associated with this design.
Figure 2-1 Network with Single Broadcast Domain
VLAN Overview
A VLAN is a logical broadcast domain that can span multiple physical LAN segments. In
the switched internetwork, VLANs provide segmentation and organizational flexibility.
You can design a VLAN structure that lets you group stations that are segmented logically
by functions, project teams, and applications without regard to the physical location of the
users. You can assign each switch port to only one VLAN, thereby adding a layer of
security. Ports in a VLAN share broadcasts; ports in different VLANs do not. Containing
broadcasts in a VLAN improves the overall performance of the network.
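To make the per-VLAN flooding rule concrete, here is an added example that is not from this chapter or from Cisco: a toy switch model in Python that learns source MAC addresses per VLAN and floods broadcast and unknown-unicast frames only to the other ports of the ingress port's VLAN. The port names, VLAN numbers and MAC addresses are constructed for the demonstration; a real switch keys its MAC table per VLAN in the same way, which is why a frame flooded in one VLAN never reaches a port in another.

```python
# Added example (not from the book): minimal VLAN-aware switch forwarding model.
BROADCAST = "ff:ff:ff:ff:ff:ff"


class VlanSwitch:
    """Learns source MACs per VLAN; broadcast and unknown-unicast frames are
    flooded only to the other ports in the same VLAN."""

    def __init__(self, port_vlans):
        # port_vlans: {port_name: access_vlan_id}; one VLAN per access port
        self.port_vlans = dict(port_vlans)
        # MAC table keyed (vlan, mac) -> port, because entries are per VLAN
        self.mac_table = {}

    def ports_in_vlan(self, vlan):
        return [p for p, v in self.port_vlans.items() if v == vlan]

    def receive(self, in_port, src_mac, dst_mac):
        """Process one frame and return the sorted list of egress ports."""
        vlan = self.port_vlans[in_port]
        # Source learning: remember on which port src_mac lives in this VLAN.
        self.mac_table[(vlan, src_mac)] = in_port
        if dst_mac != BROADCAST and (vlan, dst_mac) in self.mac_table:
            out = self.mac_table[(vlan, dst_mac)]
            # Known unicast: forward out the single learned port, never back out
            # of the ingress port.
            return [] if out == in_port else [out]
        # Broadcast or unknown unicast: flood to every other port in the VLAN only.
        return sorted(p for p in self.ports_in_vlan(vlan) if p != in_port)


def demo():
    """Constructed topology: Fa0/1-Fa0/3 in VLAN 11 (IT), Fa0/4-Fa0/5 in VLAN 12 (HR)."""
    sw = VlanSwitch({"Fa0/1": 11, "Fa0/2": 11, "Fa0/3": 11, "Fa0/4": 12, "Fa0/5": 12})
    results = {}
    # 1. Host A on Fa0/1 broadcasts (e.g. an ARP request): floods VLAN 11 only.
    results["broadcast"] = sw.receive("Fa0/1", "aa:aa:aa:00:00:01", BROADCAST)
    # 2. Host B on Fa0/2 replies; A's MAC is already learned, so only Fa0/1 gets it.
    results["known_unicast"] = sw.receive("Fa0/2", "aa:aa:aa:00:00:02", "aa:aa:aa:00:00:01")
    # 3. A sends unicast to B; B is now learned too.
    results["known_unicast_2"] = sw.receive("Fa0/1", "aa:aa:aa:00:00:01", "aa:aa:aa:00:00:02")
    # 4. A host in VLAN 12 sends to B's MAC: B is unknown *in VLAN 12*, so the
    #    frame is flooded within VLAN 12 (Fa0/5) and never reaches VLAN 11 ports.
    results["unknown_unicast"] = sw.receive("Fa0/4", "bb:bb:bb:00:00:04", "aa:aa:aa:00:00:02")
    return results


if __name__ == "__main__":
    for name, ports in demo().items():
        print(f"{name:16s} -> {ports}")
```

Step 4 is the point of the section: without VLANs, the same unknown-unicast frame would be flooded to every port on the switch, including hosts that have no business seeing it.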
(Figure 2-1 labels: Manufacturing, Marketing, Executives, Administration and IT, Accounting, Engineering, Sales, and Human Resources all share one broadcast domain, with links to the Internet, the WAN, and branch offices.)
Using VLAN technology, you can group switch ports and their connected users into
logically defined communities, such as coworkers in the same department, a cross-functional
product team, or diverse user groups sharing the same network application.
A VLAN can exist on a single switch or span multiple switches. VLANs can include stations
in a single building or multiple-building infrastructures. This is illustrated in Figure 2-2.
Figure 2-2 VLANs Can Span Multiple Switches
Grouping Business Functions into VLANs
Each VLAN in a switched network corresponds to an IP network. So VLAN design must
take into consideration the implementation of a hierarchical network-addressing scheme.
Hierarchical network addressing means that IP network numbers are applied to network
segments or VLANs in an orderly fashion that considers the network as a whole. Blocks of
contiguous network addresses are reserved for and configured on devices in a specific area
of the network.
Some of the benefits of hierarchical addressing include the following:
■ Ease of management and troubleshooting: A hierarchical addressing scheme groups
network addresses contiguously. Because a hierarchical IP addressing scheme makes
problem components easier to locate, network management and troubleshooting are
more efficient.
(Figure 2-2 labels: VLAN = Broadcast Domain = Logical Network (Subnet); the Sales, HR, and Eng VLANs each span the first, second, and third floors.)
■ Fewer errors: Orderly network address assignment can minimize errors and duplicate
address assignments.
■ Reduced routing table entries: In a hierarchical addressing plan, routing protocols
are able to perform route summarization, allowing a single routing table entry to
represent a collection of IP network numbers. Route summarization makes routing
table entries more manageable and provides these benefits:
— Fewer CPU cycles when recalculating a routing table or sorting through
the routing table entries to find a match
— Reduced router memory requirements
— Faster convergence after a change in the network
— Easier troubleshooting
Applying IP Address Space in the Enterprise Network
The Cisco Enterprise Architecture model provides a modular framework for designing and
deploying networks. It also provides the ideal structure for overlaying a hierarchical IP
addressing scheme. Following are some guidelines:
■ Design the IP addressing scheme so that blocks of 2^n contiguous network numbers
(such as 4, 8, 16, 32, 64, and so on) can be assigned to the subnets in a given building
distribution and access switch block. This approach lets you summarize each switch
block into one large address block.
■ At the building distribution layer, continue to assign network numbers contiguously to
the access layer devices.
■ Have a single IP subnet correspond to a single VLAN. Each VLAN is a separate
broadcast domain.
■ When possible, subnet at the same binary value on all network numbers to avoid
variable-length subnet masks. This approach helps minimize errors and confusion
when troubleshooting or configuring new devices and segments.
Figure 2-3 shows how this architectural model is deployed and illustrates IP address
allocation between various groups in the enterprise. You will notice that each building has
unique subnets. Each of these subnets would be assigned to a single VLAN. Each building
has been assigned a range with four IP subnets even though only two departments are
shown. The additional subnets could be used for growth.
Figure 2-3 IP Addressing per VLAN
Example: Network Design
A business with approximately 250 employees wants to migrate to the Cisco Enterprise
Architecture.
Table 2-1 shows the number of users in each department.
Six VLANs are required to accommodate one VLAN per user community. Following the
guidelines of the Cisco Enterprise Architecture, six IP subnets are required.
Table 2-1 Users per Department
Department        Number of Users   Location
IT                45                Building A
Human Resources   10                Building A
Sales             102               Building B
Marketing         29                Building B
Finance           18                Building C
Accounting        26                Building C
(Figure 2-3 labels: a Core connected to three building blocks: 10.1.1.0–10.1.4.0/24 for IT and Human Resources, 10.2.1.0–10.2.4.0/24 for Sales and Marketing, and 10.3.1.0–10.3.4.0/24 for Finance and Accounting.)
The business has decided to use network 10.0.0.0 as its base address.
To accommodate future growth, there will be one block of IP addresses per building, as
follows:
■ Building A is allocated 10.1.0.0/16.
■ Building B is allocated 10.2.0.0/16.
■ Building C is allocated 10.3.0.0/16.
The sales department is the largest department, requiring a minimum of 102 addresses for
its users. A subnet mask of 255.255.255.0 (/24) is chosen, which provides a maximum
number of 254 hosts per subnet.
Tables 2-2, 2-3, and 2-4 show the allocation of VLANs and IP subnets in the buildings.
Table 2-2 Building A: VLANs and IP Subnets
Department          VLAN       IP Subnet Address
IT                  VLAN 11    10.1.1.0/24
Human Resources     VLAN 12    10.1.2.0/24
For future growth              10.1.3.0–10.1.255.0
Table 2-3 Building B: VLANs and IP Subnets
Department          VLAN       IP Subnet Address
Sales               VLAN 21    10.2.1.0/24
Marketing           VLAN 22    10.2.2.0/24
For future growth              10.2.3.0–10.2.255.0
Table 2-4 Building C: VLANs and IP Subnets
Department          VLAN       IP Subnet Address
Finance             VLAN 31    10.3.1.0/24
Accounting          VLAN 32    10.3.2.0/24
For future growth              10.3.3.0–10.3.255.0
Some of the currently unused VLANs and IP subnets will be used to manage the network
devices. If the company decides to implement IP telephony, for example, some of the
unused VLANs and IP subnets are allocated to the voice VLANs.
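The following added Python example is not from the chapter; it derives the allocation shown in Tables 2-2 through 2-4 from the Table 2-1 user counts by applying the hierarchical-addressing guidelines above (one 10.x.0.0/16 block per building, a single /24 mask for every VLAN, one subnet per VLAN) together with a VLAN-numbering convention, building number times 10 plus position, that is an assumption read off the tables rather than a rule the text states. It also shows the smallest summary route a building could advertise and checks that no two VLANs overlap, the sanity check a reviewer of an address plan wants. The department list is constructed from Table 2-1; the helper names are the example's own.

```python
# Added example (not from the book): generate and sanity-check the VLAN/subnet plan.
import ipaddress
import math

# Constructed input matching Table 2-1: (department, number of users, building).
DEPARTMENTS = [
    ("IT", 45, "A"), ("Human Resources", 10, "A"),
    ("Sales", 102, "B"), ("Marketing", 29, "B"),
    ("Finance", 18, "C"), ("Accounting", 26, "C"),
]
CHOSEN_PREFIX = 24  # the /24 mask the text selects for every VLAN


def minimum_prefix(users):
    """Longest prefix (smallest subnet) that still holds `users` hosts.
    Usable addresses in an IPv4 /p are 2**(32 - p) - 2 (network and broadcast excluded)."""
    host_bits = math.ceil(math.log2(users + 2))
    return 32 - host_bits


def build_plan(departments=DEPARTMENTS, prefix=CHOSEN_PREFIX):
    """Allocate one /16 per building and one subnet + VLAN per department.
    Returns {building: {"block": IPv4Network, "vlans": [(dept, vlan_id, IPv4Network)]}}.
    VLAN ids follow the pattern in Tables 2-2 to 2-4 (assumed): building number * 10 + position."""
    largest = max(users for _, users, _ in departments)
    if prefix > minimum_prefix(largest):
        raise ValueError(f"/{prefix} cannot hold {largest} hosts")
    plan = {}
    for number, building in enumerate(sorted({b for _, _, b in departments}), start=1):
        block = ipaddress.ip_network(f"10.{number}.0.0/16")
        subnets = block.subnets(new_prefix=prefix)
        next(subnets)  # the tables begin at 10.x.1.0, leaving 10.x.0.0 unused
        vlans = []
        in_building = [d for d in departments if d[2] == building]
        for position, (dept, _users, _) in enumerate(in_building, start=1):
            vlans.append((dept, number * 10 + position, next(subnets)))
        plan[building] = {"block": block, "vlans": vlans}
    return plan


def summary_route(subnets):
    """Smallest single prefix covering all given subnets: the one routing-table
    entry that route summarisation lets a building advertise."""
    summary = subnets[0]
    while not all(s.subnet_of(summary) for s in subnets):
        summary = summary.supernet()
    return summary


def check_no_overlap(plan):
    """Hierarchical allocation must never hand the same addresses to two VLANs."""
    nets = [s for entry in plan.values() for _, _, s in entry["vlans"]]
    return not any(a.overlaps(b) for i, a in enumerate(nets) for b in nets[i + 1:])


if __name__ == "__main__":
    print("shortest mask for 102 users: /%d (text chooses /%d)" % (minimum_prefix(102), CHOSEN_PREFIX))
    plan = build_plan()
    for building, entry in plan.items():
        print(f"Building {building}: block {entry['block']}")
        for dept, vlan, subnet in entry["vlans"]:
            print(f"  VLAN {vlan:<3} {str(subnet):<16} {dept}")
        used = [s for _, _, s in entry["vlans"]]
        print(f"  summary of used subnets: {summary_route(used)}")
    print("no overlapping subnets:", check_no_overlap(plan))
```

Note that minimum_prefix(102) returns 25: a /25 would hold 126 hosts, so the chapter's /24 is a choice that keeps every department on an octet-aligned mask with room to grow, not the tightest fit.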
Considering Traffic Source to Destination Paths
When you are designing and implementing networks, a key factor for VLAN deployment
is understanding the traffic patterns and the various traffic types. Figure 2-4 displays some
common components of a network; this along with the traffic requirements should be a
baseline for designing VLANs.
Figure 2-4 Network Enterprise Components
(Figure 2-4 labels: a 1 Gbps server farm containing a multicast server and Cisco Unified CallManager, Departmental Switch Block 1 and Departmental Switch Block 2, IP telephony endpoints, and scavenger-class traffic.)
Table 2-5 lists the common types of network traffic that should be considered before placing
devices and configuring the VLAN.
Table 2-5 Traffic Types
Network management: Many different types of network management traffic can be present on the
network, such as BPDUs [1], CDP [2] updates, SNMP [3] traffic, and RMON [4]
traffic. To make network troubleshooting easier, some designers assign a
separate VLAN to carry certain types of network management traffic.
IP telephony: There are two types of IP telephony traffic: signaling information between end
devices (IP phones and softswitches, such as Cisco Unified CallManager) and
the data packets of the voice conversation. Designers often configure the data
to and from the IP phones on a separate VLAN designated for voice traffic so
that they can apply QoS [5] measures to give high priority to voice traffic.
IP multicast: IP multicast traffic is sent from a particular source address to a multicast group
that is identified by a single IP and MAC destination-group address pair.
Examples of applications that generate this type of traffic are Cisco IP/TV
broadcasts and imaging software used to quickly configure workstations and
servers. Multicast traffic can produce a large amount of data streaming across
the network. For example, video traffic from online training, security
applications, Cisco Meeting Place, and Cisco TelePresence is proliferating on
some networks. Switches must be configured to keep this traffic from flooding
to devices that have not requested it, and routers must be configured to ensure
that multicast traffic is forwarded to the network areas where it is requested.
Normal data: Normal data traffic is typical application traffic that is related to file and print
services, e-mail, Internet browsing, database access, and other shared
network applications. This data will need to be treated in either the same
ways or different ways in different parts of the network, depending on the
volume of each type. Examples of this type of traffic are SMB [6], NCP [7],
SMTP [8], SQL [9], and HTTP.
Scavenger class: Scavenger class includes all traffic with protocols or patterns that exceed
their normal data flows. This type of traffic is used to protect the network
from exceptional traffic flows that may be the result of malicious programs
executing on end-system PCs. Scavenger class is also used for “less than
best effort” traffic, such as peer-to-peer traffic.
[1] BPDUs = bridge protocol data units
[2] CDP = Cisco Discovery Protocol
[3] SNMP = Simple Network Management Protocol
[4] RMON = Remote Monitoring
[5] QoS = quality of service
[6] SMB = Server Message Block
[7] NCP = NetWare Core Protocol
[8] SMTP = Simple Mail Transfer Protocol
[9] SQL = Structured Query Language
Voice VLAN Essentials
Some Cisco Catalyst switches offer a unique feature called a voice VLAN, which lets you
overlay a voice topology onto a data network. You can segment phones into separate logical
networks, even though the data and voice infrastructure are physically the same, as
illustrated in Figure 2-5.
Figure 2-5 Voice VLANs
The voice VLAN feature places the phones into their own VLANs without any end-user
intervention. The user simply plugs the phone into the switch, and the switch provides the
phone with the necessary VLAN information.
Using voice VLANs offers several advantages. Network administrators can seamlessly
maintain these VLAN assignments, even if the phones move to new locations. By placing
phones into their own VLANs, network administrators gain the advantages of network
segmentation and control. Voice VLANs also allow administrators to preserve their existing
IP topology for the data end stations and easily assign IP phones to different IP subnets
using standards-based DHCP operation.
In addition, with the phones in their own IP subnets and VLANs, network administrators
can more easily identify and troubleshoot network problems and create and enforce QoS or
security policies.
(Figure 2-5 labels: Building Distribution Switches; IP phones and PCs on access ports in data VLANs 10, 11, 30, 31, and 32, with the phones placed in voice VLANs VVID 110, 111, 310, 311, and 312.)
With the voice VLAN feature, network administrators have all the advantages of the
physical infrastructure convergence, while maintaining separate logical topologies for
voice and data terminals. This configuration creates the most effective way to manage a
multiservice network.