5.12 Using VLANs
VLANs and Voice over IP
> VLANs are commonly used with Voice over IP (VoIP) to distinguish voice traffic from data traffic. You can give traffic on the voice VLAN higher priority to ensure timely delivery. > When using VLANS for VoIP, consider the following facts: > To create a voice VLAN, use the switchport voice vlan [number] command. > By default, IP phone traffic on a voice VLAN is tagged with an 802.1Q priority of 5. > When an interface is configured with a voice VLAN, the PortFast feature is automatically enabled on the interface. > A Cisco IP phone automatically uses the VLAN ID of the port it is connected to. Non-Cisco IP phones require the VLAN ID to be manually configured on the IP phone.
VLAN Advantages and Disadvantages
> VLANs with switches offer the following administrative benefits: > You can create virtual LANs based on criteria other than physical location, such as workgroup, protocol, or service. > You can simplify device moves. Devices are moved to new VLANs by modifying the port assignment. > You can control broadcast traffic and create collision domains based on logical criteria. > You can control security (isolate traffic within a VLAN). > You can load-balance network traffic (divide traffic logically, rather than physically). > Creating VLANs with switches offers the following benefits over using routers to create distinct networks: > Switches are easier to administer than routers. > Switches are less expensive than routers. > Switches offer higher performance because they introduce less latency. > A disadvantage of using switches to create VLANs is that you might be tied to a specific vendor. How VLANs are created and identified can vary from vendor to vendor. Creating a VLAN using switches might mean you must use only that vendor's switches throughout the network. *If you want to implement VLANs when using multiple vendors in a switched network, be sure each switch supports the 802.1Q standards. > Despite advances in switch technology, routers are still typically used to: > Filter WAN traffic. > Route traffic between separate networks. > Route packets between VLANs, though Layer 3 switches can also do this.
This lesson covers the following topics:
> Virtual LAN (VLAN) overview > VLAN defaults > VLAN advantages and disadvantages > VLANs and Voice over IP
As you study this section, answer the following questions:
> What are two advantages to creating VLANs on your network? > You have two VLANs configured on a single switch. How many broadcast domains are there? How many collision domains are there? > What happens if two devices on the same switch are assigned to different VLANs? In this section, you will learn to: > Configure VLANs from the CLI. > Configure VLANs.
Virtual LAN (VLAN)
A logical collection of devices that belong together and act as if they are connected to the same wire or physical switch.
VLAN Overview
A virtual LAN can be defined as: > A logical collection of devices that belong together and act as if they are connected to the same wire or physical switch. > A grouping of devices based on service need, protocol, or other criteria, rather than physical proximity. > VLANs let you assign devices on different switch ports to different logical (virtual) LANs. Although each switch can be connected to multiple VLANs, each switch port can be assigned to only one VLAN at a time. The following graphic shows a single-switch configured with two VLANs: *See Photograph - In this example: > FastEthernet ports (fa) 0/1 and 0/2 are members of VLAN 1. > FastEthernet ports (fa) 0/3 and 0/4 are members of VLAN 2. > Workstations in VLAN 1 are not able to communicate with workstations in VLAN 2, even though they are connected to the same physical switch. > There are two broadcast domains, each of which corresponds to one of the VLANs. Defining VLANs creates additional and separate broadcast domains.
VLAN Defaults
Be aware of the following facts about VLANs: > Many switches have default VLANs. For example most Cisco switches have the following default VLANs: - VLAN 1 is the default VLAN. You can use this VLAN but you cannot delete it. - VLAN 1002 - VLAN 1005 are reserved for backward compatibility with old VLAN implementations, which are no longer being used. You cannot use or delete these VLANs. > By default, all ports are members of VLAN 1. > Depending on the VLAN number, a VLAN is either normal or extended. 1 - 1005 is the normal range for VLANs. 1006 - 4094 is the extended range for VLANs.
5.12.4 Explore VLANs Lab
You are the IT security administrator for a small corporate network. You need to increase the networking closet's security by implementing a CCTV system with IP cameras. As part of this task, you need to separate the CCTV data traffic on the network using a separate VLAN on the switch. The patch panel connections for the networking closet, lobby, and IT administration office are installed and ready for use (ports 18-20). A DHCP server is already configured to provide the IP cameras and the laptop in the IT administration office with the correct TCP/IP settings (port 21). For an easier implementation, create the logical VLAN first and then establish the physical connections of the IP cameras and the laptop. In this lab, your task is to perform the following: > Access the switch management console from ITAdmin using the following credentials: Address: http://192.168.0.2 Username: ITSwitchAdmin Password: Admin$only (the password is case-sensitive) > Create and configure a VLAN on the switch as follows: VLAN ID: 2 VLAN Name: IPCameras Configure ports GE18, GE19, GE20, GE21 as untagged. *Port 18 is connected to the network jack next to the laptop in the IT administration office. *Port 19 is connected to the camera mount in the lobby. *Port 20 is connected to the camera mount in the networking closet. *Port 21 is connected to a DHCP server that provides IP addresses to the camera and the laptop. > In the lobby and networking closet, perform the following: Connect a Cat5e cable to the RJ-45 ports on the IP camera and the IP camera wall plate. Mount the IP camera on the wall plate. > In the networking closet, connect the DHCP server to the VLAN using a Cat5e cable from switch port 21 to patch panel port 21 in the rack. > In the IT administration office, connect a Cat5e cable to the laptop's network port and the open port on the wall plate. > On ITAdmin-Lap, verify the VLAN configuration and IP camera installation as follows: 1. Select Start > IP Cameras. 2. Verify that the program detects the IP cameras on the VLAN 2 network. > Complete this lab as follows: 1. From the ITAdmin computer, log into the CISCO switch. a. From the taskbar, open Google Chrome. b. Maximize the window for easier viewing. c. In the URL field, enter 192.168.0.2 and press Enter. d. For Username, enter ITSwitchAdmin. e. For Password, enter Admin$only (password is case-sensitive). f. Select Log In. 2. Create a VLAN. a. From the Getting Started pane, under Initial Setup, select Create VLAN. b. Select Add. c. For VLAN ID, enter 2. d. For VLAN Name, enter IPCameras. e. Select Apply. f. Select Close. 3. Configure a VLAN. a. From the left pane, under VLAN Management, select Port to VLAN. b. From the the VLAN ID equals to drop-down menu, select 2. c. Select Go. d. For ports GE18, GE19, GE20, and GE21, select Untagged. e. Select Apply. 4. Connect the IP camera in the lobby to the VLAN and mount the IP cameras. a. From the top navigation area, select Floor 1. b. Under Lobby, select Hardware. c. Under Shelf, expand CCTV Cameras. d. Drag the IP Camera (Lobby) to the workspace. e. Under Workspace for the IP camera, select Back to switch to the back view of the IP camera. f. Under Shelf, expand Cables and then select a Cat5e Cable, RJ45. g. Under Selected Component, drag a RJ45 Connector to the RJ-45 port on the IP Camera wall mount plate. h. From the wall plate's Partial Connections list, drag the other connector to the RJ-45 port on the back of the IP camera. i. Drag the IP camera to the IP camera wall plate. 5. Connect the IP camera in the networking closet to the VLAN and mount the IP cameras. a. From the top navigation area, select Floor 1. b. Under Networking Closet, select Hardware. c. Under Shelf, expand CCTV Cameras. d. Drag the IP Camera (Networking Closet) to the workspace. e. Under Workspace for the IP camera, select Back to switch to the back view of the IP camera. f. Under Shelf, expand Cables and then select Cat5e Cable, RJ45. g. Under Selected Component, drag a RJ45 Connector to the RJ-45 port on the IP Camera mount wall plate. h. Under Selected Component, drag the unconnected RJ45 cable to the RJ-45 port on the back of the IP camera. i. To mount the IP camera, drag the IP camera to the IP camera wall plate. 6. Connect the DHCP server and laptop to the VLAN. a. In the networking closet, under Shelf, select a Cat5e Cable, RJ45. b. Under Selected Component, drag a RJ45 Connector to port 21 on the switch. c. Under Selected Component, drag the unconnected RJ45 Connector to port 21 on the patch panel. 7. Connect the laptop to the VLAN. a. From the top menu, select Floor 1. b. Under IT Administration, select Hardware. c. Above the laptop, select Back to switch to the back view of the laptop. d. Under Shelf, select Cat5e Cable, RJ45. e. Under Selected Component, drag a RJ45 Connector to the RJ-45 port on the laptop. f. Under Selected Component, drag the unconnected RJ45 Connector to the open RJ-45 port on the wall plate. *To verify that all components are connected, you can change location to the network closet hardware view. You should see green link/activity lights on ports 18 - 21 of the switch. You should also see amber Power Over Ethernet (POE) lights on ports 19 and 20, which are connected to the IP cameras. 8. Launch the IP camera monitoring software. a. Under the laptop's workspace, select Front. b. On the IT-Laptop2, select Click to view Windows 10. c. From the taskbar, select Start. d. Select IP Cameras. e. Verify that both cameras are detected on the network.