Cisco Switching Black Book - Sean Odom, Hanson Nottingham.pdf

Cisco also recommends a one−to−one ratio between VLANs and subnets. This means that you must understand how users are broken up by subnets. If you have 1,000 users in a building and 100 users are in each subnet, then you should have 10 VLANs.

VLAN Trunking

There are two types of VLAN links: a trunk link and an access link. An access link is part of only one VLAN, referred to as the native VLAN of the port. All the devices are attached to an access link, which connects your physical workstation to the network. Access link devices are totally unaware of a VLAN membership, or that a switched network exists at all. The devices only know that they are part of a broadcast domain. They have no understanding of the network they are attached to and don’t need to know this information.

Tip: Remember, an access link device cannot communicate with devices outside of its VLAN or subnet without the use of a router or internal route processor.

Trunk links, on the other hand, can carry multiple VLANs. A trunk link is a link that carries all the VLANs in a network and tags each frame as it enters the trunk link and spans the network. You probably have heard this term used in telephone systems. The trunk link of a telephone system carries multiple telephone conversations and lines on a single cable. Trunk links that connect switches and carry VLANs to other switches, routers, or servers use the same theory.

When an administrator assigns a port to a VLAN, that port can be a member of only one VLAN. In order for VLANs to span multiple connected switches, a trunk link must be used. This link cannot be used to connect to the average Network Interface Card (NIC) found on the back of the PC.

Frame tagging is used when a frame travels between two devices that support a trunked link. Each switch that the frame reaches must be able to identify the VLAN the frame is a member of based on the tagging information, in order to determine what to do with the frame and how to apply it to the filtering table.

Because the trunk link uses frame tagging to identify which VLAN a frame belongs to, each device connecting to the trunk link must be able to interpret and read this VLAN tag. Intel has created some NICs for servers that understand the frame tagging involved with a trunk link. However, in most situations, this trunk link tagging is removed at the Access layer switch, and the destination address never knows that the frame it received was tagged with information to allow it to span the switch fabric.

What happens if the frame reaches a switch or router that has another trunk link? The device will simply forward the frame out of the proper trunk link port. Once the frame reaches a switch at the Access layer, the switch will remove the frame tagging. It does this because the end device needs to receive the frames without having to understand the VLAN tagging. Remember, the end device (such as a workstation) does not understand this frame tagging identification.

If you are using NetFlow switching hardware (discussed in Chapter 6) on your Cisco switches, it will allow devices on different VLANs to communicate after taking just the first packet through the router. The router will then send the correct routing information back to the NetFlow device. This process allows the router to be contacted only once to let VLAN frames be routed from port to port on a switch, rather than from port to router and back to the port for each frame.

Trunk Types

Trunk links are point−to−point, high−speed links from 100 to 1000Mbps. These trunked links between two switches, a switch and a router, or a switch and a server carry the traffic of up to 1,005 VLANs at any given time.

Four different methods or protocols allow you to track VLAN frames as they traverse the switch fabric:


IEEE 802.10

IEEE 802.1Q

Inter−Switch Link (ISL)

LAN Emulation (LANE)

IEEE 802.10

The IEEE 802.10 standard is used to send VLAN information over a Fiber Distributed Data Interface (FDDI) physical link. In this situation, ISL is disabled and IEEE 802.10 is used to forward the VLAN frames. The Clear Header on an FDDI frame contains a Security Association Identifier (SAID), a Link Service Access Point (LSAP), and the Management Defined Field (MDF). The SAID field in the frame header is used to identify the VLAN.

The 802.10 protocol is used primarily to transport VLAN information over FDDI, and you will only find it used on this type of physical media, primarily in FDDI backbones to transport VLAN information and data.

Cisco Standards

A standard is a basis that participating vendors use to maintain functionality and compatibility between different vendors’ products on a network. For example, when you get a 100BaseT NIC from one vendor and you purchase a second card from another vendor, standards ensure that they will work with each other in your network.

With so many ideas for the implementation of virtual LANs, Cisco found it essential to set certain standards. Cisco chose to submit its standardization to the IEEE Internetworking Subcommittee.

Other standards have been created for VLANs by the Internet Engineering Task Force (IETF). Standards related to the use of Asynchronous Transfer Mode (ATM) and LANE have been designated by the ATM forum. This section will concentrate on the standards created by the IEEE, IETF, and ATM forum. The main focus will be on those standards created and submitted for standardization by Cisco to enhance VLANs in their route processors and other switching products.

Organizations install high−speed switched networks in order to create a network that can efficiently handle the growing demands of software and hardware applications. These installations can cause some unexpected problems in the network. Some of the standards discussed in this section relate to monitoring and managing VLAN networks and resources. This management enables organizations to reduce problems in their networks and to increase functionality and compatibility of different vendor products on the networks.

IEEE 802.1Q

IEEE 802.1Q is called the “Standard for Virtual Bridged Local Area Networks”; it was created by the IEEE as a standard method of frame tagging. It actually inserts a field into the frame to identify the VLAN, and it creates a method used for identifying VLANs over a trunk link. The IEEE 802.1Q standard calls for a frame tag identifier to identify VLANs in the frame header. This protocol calls for no encapsulation of the data, and is used only on Ethernet physical media.

As a frame enters the switch fabric, it is tagged with additional information regarding the VLAN properties. Just as in ISL (discussed next), the tag remains in the frame while it is forwarded from switch to switch; the tag is removed prior to exiting the access link to the destination interface. Unlike ISL, which uses an external tagging process, 802.1Q uses an internal tagging process by modifying the existing Ethernet frame itself. To both access links and trunk links, the frame looks like a standard Ethernet frame. This process remains completely transparent to the source interface and the destination interface.


Unlike ISL, IEEE 802.1Q is not a Cisco proprietary protocol. It can be used to carry the traffic of more than one subnet down a single cable, and it is compatible with devices that are not running the Cisco IOS. 802.1Q changes the frame header with a standard VLAN format, which allows multiple−vendor VLAN implementations. For example, a Bay Networks switch or a 3COM switch can work with a Cisco switch to pass VLAN information on a trunk link.
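The internal tagging process described above is easy to see in code. The following Python example is added here and is not from the book; it builds a constructed Ethernet frame, inserts the 4−byte 802.1Q tag (TPID 0x8100 followed by the 16−bit Tag Control Information) between the source address and the EtherType on trunk ingress, reads the VLAN ID and priority back out, and strips the tag again on access−link egress so the end station receives an ordinary frame. The sample addresses and payload are constructed, and the FCS is left out because the switch hardware recomputes it after the header changes.

```python
import struct

TPID_8021Q = 0x8100        # Tag Protocol Identifier that announces an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800
MAX_UNTAGGED_FRAME = 1518  # classic Ethernet maximum, including the 4-byte FCS


def parse_ethernet(frame: bytes) -> dict:
    """Split a possibly tagged Ethernet frame into its header fields.

    vid and pcp are None when the frame carries no tag. The tag sits between
    the source address and the EtherType, which is why an access-link host
    that does not understand 0x8100 still sees a normally shaped frame.
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    vid = pcp = None
    offset = 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci = struct.unpack("!H", frame[14:16])[0]
        pcp = tci >> 13          # 3-bit priority code point
        vid = tci & 0x0FFF       # 12-bit VLAN identifier
        ethertype = struct.unpack("!H", frame[16:18])[0]
        offset = 18
    return {"dst": dst, "src": src, "vid": vid, "pcp": pcp,
            "ethertype": ethertype, "payload": frame[offset:]}


def tag_frame(frame: bytes, vid: int, pcp: int = 0) -> bytes:
    """Insert an 802.1Q tag, as a trunk port does when a frame enters it."""
    if not 1 <= vid <= 4094:
        raise ValueError("VID must be 1..4094 (0 and 4095 are reserved)")
    if not 0 <= pcp <= 7:
        raise ValueError("PCP is a 3-bit field")
    if parse_ethernet(frame)["vid"] is not None:
        raise ValueError("frame is already tagged")
    tci = (pcp << 13) | vid
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def untag_frame(frame: bytes) -> bytes:
    """Remove the 802.1Q tag before the frame leaves an access link.

    Untagged frames pass through unchanged.
    """
    if parse_ethernet(frame)["vid"] is None:
        return frame
    return frame[:12] + frame[16:]


def sample_untagged_frame() -> bytes:
    # Constructed sample: broadcast destination, a locally administered source
    # address, IPv4 EtherType and a 46-byte zero payload (the Ethernet minimum).
    return (bytes.fromhex("ffffffffffff") + bytes.fromhex("021122334455")
            + struct.pack("!H", ETHERTYPE_IPV4) + bytes(46))


def demo() -> dict:
    """Trunk ingress -> inspection on the trunk -> access egress round trip."""
    plain = sample_untagged_frame()
    on_trunk = tag_frame(plain, vid=10, pcp=3)
    seen = parse_ethernet(on_trunk)
    delivered = untag_frame(on_trunk)
    return {
        "tagged_len": len(on_trunk),          # 4 bytes longer than the original
        "vid": seen["vid"],
        "pcp": seen["pcp"],
        "ethertype": seen["ethertype"],       # original EtherType still visible
        "roundtrip": delivered == plain,      # end station gets the frame back
    }


if __name__ == "__main__":
    print(demo())
```

The 4−byte growth is why a maximum−size 1,518−byte frame becomes 1,522 bytes on a trunk; switches that must forward such frames have to accept that slightly larger size on their trunk ports.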

Inter−Switch Link (ISL) Protocol

Cisco created the ISL protocol, and therefore ISL is proprietary to Cisco devices. Several NICs from Intel and other companies support ISL trunking. If you need a non−proprietary VLAN protocol over Ethernet, you will need to use the 802.1Q protocol.

Along with being proprietary to Cisco switches, ISL is used for Fast Ethernet and Gigabit Ethernet trunk links only. ISL is a way of explicitly tagging VLAN information onto an Ethernet frame traversing the network through trunk links. This tagging information allows VLANs to be multiplexed over a trunk link through an external encapsulation method. By running ISL, you can interconnect multiple switches and still maintain VLAN information as traffic travels between switches on trunk links. Along with switches, you can also use ISL to create trunk links between two Cisco routers that support ISL, a switch and a router, and a switch and a server that has a NIC that supports ISL.

On a trunk port, each frame is tagged as it enters the switch. Once the frame is tagged with the appropriate VLAN information, it can go through multiple routers or switches without retagging the frame, which reduces latency. It is important to understand that ISL VLAN information is added to a frame only if the frame is forwarded out a port configured as a trunk link. The ISL encapsulation is removed from the frame if the frame is forwarded out an access link.

ISL is an external tagging process. The original frame is not altered; it is encapsulated within a new 26−byte ISL header. This tagging adds a new 4−byte frame check sequence (FCS) at the end of the frame, as shown in Figure 5.2.

Figure 5.2: A typical ISL frame.

Remember, only a Cisco device or an ISL−aware NIC is capable of interpreting frames with an ISL frame tag. Because ISL encapsulates the original frame rather than modifying it, the resulting frame can violate the normal Ethernet maximum transmission unit size of 1,518 bytes.

The ISL header, shown in Figure 5.3, is entered into the frame. The ISL header contains the following:

Figure 5.3: The ISL header inserted into an ISL encapsulated packet.

Destination address (DA)—A 40−bit multicast address set to 01−00−0c−00−00. This address signals the receiver that this packet is in ISL format.

Frame type field—Indicates the media type the frame is supporting. The possible options are 0000 for Ethernet, 0001 for Token Ring, 0010 for FDDI, and 0011 for ATM.

4−bit User field—Identifies one of four possible priorities of the frame: XX00 for normal, XX01 for priority 1, XX10 for priority 2, and XX11 for the highest priority.

Source MAC address (SA)—Set to the sending switch port’s IEEE 802.3 MAC address. Some receiving devices ignore the SA field.

16−bit LEN field—Shows the length of the packet in bytes minus the excluded fields. The excluded fields are the CRC, DA, Type, User, Source Address, and LEN field itself. The total of the excluded fields is 18 bytes. Therefore, the LEN field contains the total packet size minus 18 bytes from the excluded fields.

802.2 LLC header—For ISL frames, this field is always set to AAAA03.
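To make the external encapsulation concrete, the following Python example (added here, not code from the book) builds an ISL frame around a constructed maximum−size Ethernet frame and parses it back, checking each header field listed above: the 40−bit DA 01−00−0c−00−00, the TYPE and USER nibbles, the SA, the LEN field computed as total size minus the 18 excluded bytes, and the AAAA03 LLC header. The remaining fields that fill out the 26−byte header (a 3−byte HSA holding the upper three bytes of the SA, a 15−bit VLAN ID with a 1−bit BPDU flag, a 16−bit port INDEX and a 16−bit reserved field) are taken from the standard ISL layout and are not described on this page; the outer FCS uses zlib's CRC−32 as a stand−in for the hardware CRC. All addresses and payload bytes are constructed.

```python
import struct
import zlib

ISL_DA = bytes.fromhex("01000c0000")   # 40-bit multicast DA that marks an ISL frame
ISL_LLC = bytes.fromhex("aaaa03")      # 802.2 LLC header, always AAAA03 for ISL
ISL_HEADER_LEN = 26
FCS_LEN = 4
LEN_EXCLUDED = 18                      # DA(5) + TYPE/USER(1) + SA(6) + LEN(2) + CRC(4)
ETHERNET_MAX_FRAME = 1518

FRAME_TYPES = {0b0000: "Ethernet", 0b0001: "Token Ring", 0b0010: "FDDI", 0b0011: "ATM"}
USER_PRIORITY = {0b00: "normal", 0b01: "priority 1", 0b10: "priority 2", 0b11: "highest"}


def outer_fcs(data: bytes) -> bytes:
    # CRC-32 stand-in for the hardware frame check sequence (little-endian on the wire).
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def build_isl_frame(inner: bytes, vlan: int, src_mac: bytes, frame_type: int = 0,
                    user: int = 0, bpdu: bool = False, index: int = 0) -> bytes:
    """Wrap a complete Ethernet frame (its own FCS included) in an ISL header.

    The original frame is not altered; it becomes the payload of the new frame.
    """
    if not 0 <= vlan < 2 ** 15:
        raise ValueError("VLAN ID is a 15-bit field")
    if frame_type not in FRAME_TYPES or not 0 <= user <= 0xF:
        raise ValueError("bad TYPE or USER nibble")
    # LEN counts everything after the LEN field except the outer CRC:
    # LLC(3) + HSA(3) + VLAN/BPDU(2) + INDEX(2) + RES(2) + encapsulated frame.
    length = 12 + len(inner)
    header = (ISL_DA
              + bytes([(frame_type << 4) | user])
              + src_mac
              + struct.pack("!H", length)
              + ISL_LLC
              + src_mac[:3]                                   # HSA
              + struct.pack("!HHH", (vlan << 1) | int(bpdu), index, 0))
    assert len(header) == ISL_HEADER_LEN
    return header + inner + outer_fcs(header + inner)


def parse_isl_frame(frame: bytes) -> dict:
    """Validate an ISL frame and return its header fields plus the inner frame."""
    if len(frame) < ISL_HEADER_LEN + FCS_LEN:
        raise ValueError("too short to be an ISL frame")
    if frame[:5] != ISL_DA:
        raise ValueError("not ISL: DA is not 01-00-0c-00-00")
    frame_type, user = frame[5] >> 4, frame[5] & 0x0F
    if frame_type not in FRAME_TYPES:
        raise ValueError("unknown TYPE nibble %d" % frame_type)
    src = frame[6:12]
    length = struct.unpack("!H", frame[12:14])[0]
    if length != len(frame) - LEN_EXCLUDED:
        raise ValueError("LEN %d does not match frame size %d" % (length, len(frame)))
    if frame[14:17] != ISL_LLC:
        raise ValueError("LLC header is not AAAA03")
    hsa = frame[17:20]
    vlan_bpdu, index, reserved = struct.unpack("!HHH", frame[20:26])
    body, fcs = frame[:-FCS_LEN], frame[-FCS_LEN:]
    if outer_fcs(body) != fcs:
        raise ValueError("outer FCS mismatch")
    return {
        "frame_type": FRAME_TYPES[frame_type],
        "priority": USER_PRIORITY[user & 0b11],   # XX00..XX11 in the USER nibble
        "src": src,
        "hsa": hsa,
        "vlan": vlan_bpdu >> 1,
        "bpdu": bool(vlan_bpdu & 1),
        "index": index,
        "inner": frame[ISL_HEADER_LEN:-FCS_LEN],  # original frame, FCS still attached
    }


def sample_inner_frame() -> bytes:
    # Constructed maximum-size Ethernet frame: 14-byte header, 1500-byte payload, 4-byte FCS.
    hdr = bytes.fromhex("ffffffffffff") + bytes.fromhex("021122334455") + struct.pack("!H", 0x0800)
    body = hdr + bytes(1500)
    return body + outer_fcs(body)


def demo() -> dict:
    inner = sample_inner_frame()
    isl = build_isl_frame(inner, vlan=200, src_mac=bytes.fromhex("0266778899aa"))
    parsed = parse_isl_frame(isl)
    return {"isl_len": len(isl),                                # 1,548 bytes
            "exceeds_ethernet_max": len(isl) > ETHERNET_MAX_FRAME,
            "vlan": parsed["vlan"],
            "inner_intact": parsed["inner"] == inner}


if __name__ == "__main__":
    print(demo())
```

Running the example shows the point made earlier in this section: a 1,518−byte frame becomes 1,548 bytes once the 26−byte header and 4−byte outer FCS are added, and the encapsulated frame comes back out byte−for−byte unchanged, which is what distinguishes ISL's external tagging from the in−place modification 802.1Q performs.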

