
VLAN Security - Making the Most of VLANs

It's easy to see why virtual LANs have become extremely popular on networks of all sizes. In practical terms, multiple VLANs are pretty much the same as having multiple separate physical networks within a single organization — without the headache of managing multiple cable plants and switches.

Because VLANs segment a network, creating multiple broadcast domains, they effectively allow traffic from the broadcast domains to remain isolated while increasing the network's bandwidth, availability and security.

Most managed switches are VLAN-capable, but this doesn't mean that they all perform the job equally well. The market has been flooded by thousands of switches that seem to do the job, but special consideration must be taken before making a purchase.

A switch in a VLAN-enabled network needs to do a lot more than just switch packets between its ports.

Core backbone switches undertake the hefty task of managing the network's VLANs to ensure everything runs smoothly. The tasks of these switches include prioritizing network packets based on their source and destination (essentially Quality of Service), ensuring all edge switches are aware of the VLANs configured in the network, continuously monitoring for possible network loops on every VLAN, switching packets between VLANs as required and ensuring network security according to their configuration.

Edge switches, also known as access switches, are dedicated to the end devices: user workstations, network peripherals and sometimes servers (most IT administrators rightly prefer to connect servers directly to the core backbone switches). The edge switches must be compatible with the VLAN features that the core backbone switches support, otherwise unavoidable problems will arise because of incompatibilities among the switch devices.

This is one reason many organizations standardize when it comes to network equipment from companies that include Cisco Systems, HP and Juniper Networks.

When deploying VLANs, here are five key considerations to address:

1. Links on VLAN Switches

VLAN switches have two main types of links: access links and trunk links.

Access Links are the most common type of links on any VLAN capable switch. All network hosts connect to the switch's Access Links to gain access to the local network. These links are the ordinary ports found on every switch, but configured to access a particular VLAN.

Trunk Links are the links that connect two VLAN capable switches together. While an Access Link is configured to access a specific VLAN, a Trunk Link is almost always configured to carry data from all available VLANs.

2. Native VLAN, ISL and 802.1q

When a port on a switch is configured as an access link, it has access to one specific VLAN. Any network device connecting to it will become part of that VLAN.

Ethernet frames entering or exiting the port are standard Ethernet II type frames, which are understood by the network device connected to the port. Because these frames belong only to one network, they are said to be “untagged” — meaning that they do not contain any information as to which VLAN they are assigned.

Trunk links on the other hand are a bit more complicated. Because they carry frames from all VLANs, it's necessary to somehow identify the frames as they traverse switches. This is called VLAN tagging.

Two methods are used for this job: ISL (Inter-Switch Link, a proprietary Cisco protocol) and IEEE 802.1q. Of the two, 802.1q is the more popular VLAN tagging method and is compatible among all vendors supporting VLAN trunking.

What might come as a surprise is that a trunk link can also be configured to act as an access link when a device (computer or switch) that does not support VLAN trunking connects to it. This means that if you have a trunk link on a switch and connect a computer, the port will automatically provide access to a specific VLAN. The VLAN in this case is known as the native VLAN, a common term that refers to the VLAN a trunk port is configured for when acting as an access link.

3. VLAN Trunking Protocol (VTP) and VTP Pruning

VTP is a Cisco proprietary protocol that ensures all VLAN information held by the VTP Server, usually the core switch, is propagated to all network switches within the VTP domain.

During initial network configuration, all switches are configured as members of the same VTP domain. With the use of VTP, an IT administrator can create, delete or rename VLANs on the core switch. All information is then automatically sent to all members of the VTP domain. The VTP equivalent for other vendors, such as HP and Juniper, is the GARP VLAN Registration Protocol (GVRP), which has been fine-tuned in recent years and includes many features previously implemented only in Cisco's VTP.

VTP pruning, an extension to VTP's functionality, ensures that unnecessary network traffic is not sent over trunk links. This is done by forwarding broadcasts and unknown unicast frames on a VLAN, over trunk links, only if the receiving end of the trunk has ports assigned to that VLAN.

In practice, this means that if a network broadcast occurred on VLAN5 for instance, and a particular switch did not have any ports assigned to VLAN5, it would never receive the broadcast traffic through its trunk link. This translates to a major reduction in broadcast or multicast traffic received by end switches in a VLAN network.

4. Inter-VLAN Routing

Inter-VLAN routing, as the term implies, is all about routing packets between VLANs. This is perhaps one of the most important features found on advanced switches. Because inter-VLAN routing directs packets based on their Layer 3 information (the IP address), switches that perform this function are known as Layer 3 switches and, of course, are the most expensive. The core switch is commonly a Layer 3 switch. In cases where a Layer 3 switch is not available, this function can also be performed by a router (a method often referred to as router on a stick) or by a server with two or more network cards.

Because this is one of the most important aspects of a VLAN network, the Layer 3 switch must have a fast switching fabric (measured in Gbps) and provide advanced capabilities such as support for routing protocols, advanced access-lists and a firewall. The Layer 3 switch can offer outstanding protection for a VLAN network but can also be a network administrator's worst nightmare if not properly configured.

5. Securing VLAN Devices

Even though many administrators and IT managers are aware of VLAN technologies and concepts, that doesn't necessarily hold true when it comes to VLAN security.

The first principle in securing a VLAN network is physical security. If an organization does not want its devices tampered with, physical access must be strictly controlled. Core switches are usually safely located in a data center with restricted access, but edge switches are often located in exposed areas.

Just as physical security guidelines require equipment to be in a controlled space, VLAN-based security requires the use of special tools and adherence to a few security best practices to achieve the desired result.

These best practices include:

  • Removing console-port cables and introducing password-protected console or virtual terminal access with specified timeouts and restricted access policies;
  • Applying the same commands to the virtual terminal (telnet/Secure Shell) section and creating an access-list to restrict telnet/SSH access to specific networks and hosts;
  • Avoiding use of VLAN1 (the default VLAN) as the network data VLAN;
  • Disabling high-risk protocols on any port that doesn't require them (e.g. CDP, DTP, PAgP, UDLD);
  • Deploying VTP domain, VTP pruning and password protections;
  • Controlling inter-VLAN routing through the use of IP access lists.

For hands-on details about each of these practices, read through our Basic & Advanced Catalyst Layer3 Switch Configuration Guide.

Raising the Throttle

VLAN technology offers numerous enhancements to the network and provides paths to run multiple services in isolated environments without sacrificing speed, quality and network availability. If the necessary basic security guidelines are taken into consideration during initial implementation and then during ongoing administration, a VLAN can dramatically reduce administrative overhead.

Perhaps the most serious mistake that can be made is to underestimate the importance of the data link layer and of VLANs in particular in the architecture of switched networks.

It should not be forgotten that any network is only as robust as its weakest link, and therefore an equal amount of attention needs to be given to every layer to assure the soundness of the entire structure.

Summary

This article covered basic VLAN concepts such as Access Links, Trunk Links, the VLAN Trunking Protocol (VTP), Inter-VLAN routing and more. We explained how VLAN networks operate, the different methods by which VLANs communicate, and also referenced a few VLAN security best practices.

For more information on VLAN networks, readers can visit our dedicated VLAN Network section.


VTP Protocol - In-Depth Analysis

The previous article introduced the VTP protocol and examined how it can be used within a network to help manage VLANs and ease administrative overhead, providing a stress-free VLAN environment by automatically updating all network switches with the latest VLAN information.

This article extends the above by delving into the VTP protocol itself and analysing its structure and format, in order to gain a better understanding and enhance troubleshooting skills.


The VTP Protocol Structure

We've mentioned that VTP runs only over the trunk links interconnecting switches in the network. Whether you're using ISL or IEEE 802.1q as your encapsulation protocol doesn't matter, as the VTP structure is the same in both cases.

The following fields make up the VTP header:

  • VTP Protocol Version (1 or 2)
  • VTP Message Type (See Below)
  • Management Domain Length
  • Management Domain Name

What we need to note here is that, because there are a variety of VTP message types, the VTP header changes depending on the message, but the fields listed above are always included.

To be more specific, here are the different messages currently supported by the VTP protocol:

  • Summary Advertisements
  • Subset Advertisement
  • Advertisement Requests
  • VTP Join Messages

All switches use these different messages to request information or to advertise the VLANs they are aware of. These messages are extremely important to understand, as they are the foundation of the VTP protocol.

We'll take each message and analyse them individually, explaining their purpose and usage, but before we proceed, let's take a quick visual look at the messages and their types to help make all the above clearer:

[Figure: vlans-vtp-analysis-1 - VTP message types]

First up is the Summary Advertisements.

VTP Protocol - Summary Advertisement Message

The Summary Advertisement message is issued by all VTP Domain Servers at 5-minute intervals (every 300 seconds). These advertisements inform neighbouring Catalyst switches of a variety of information, including the VTP domain name, configuration revision number, timestamp, MD5 hash, and the number of subset advertisements to follow.

The configuration revision number is a value each switch stores to help it identify new changes made in the VTP domain, similar to how DNS keeps track of changes to its resource records via the DNS serial number. Each time the VTP Server configuration is changed, the configuration revision number automatically increments by one.

When a switch receives a summary advertisement message, it will first compare the VTP domain name (Mgmt Domain Name field) with its own.

[Figure: vlans-vtp-analysis-2 - Summary Advertisement message format]

If the domain name is found to be different, it will discard the message and forward it out its trunk links. However, in the likely case that the domain name is found to be the same, it will then check the configuration revision number (Config Revision No.) and, if found to be the same as or lower than its own, it will ignore the advertisement. If however it is found to be greater, an advertisement request is sent out.

The Updater Identity field contains the IP Address of the switch that last incremented the Configuration Revision Number, while the Update Timestamp field gives the time the last update took place.

The Message Digest 5 (MD5) field carries a hash computed with the VTP password, when one is configured, and is used to authenticate each VTP update. Furthermore, VTP takes the VTP domain name into account when calculating the MD5 hash. The hash is different each time a VTP update message is transmitted, even though the domain name and password (null by default) are the same, because the configuration revision number is also an input to the hash: it changes whenever a VLAN is created or modified, so the MD5 value changes with it.
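The following Python model, added here and not part of the original article, encodes and parses a Summary Advertisement and then applies the receiver-side checks just described (domain name, MD5, revision number). The field widths follow the published Catalyst VTP header layout, but the way the digest is computed from password, domain name and revision is a simplified assumption for illustration, not Cisco's exact algorithm, and the sample server address, timestamp and password are constructed.

```python
import hashlib
import ipaddress
import struct

# Summary Advertisement layout, using the field widths of the published
# Catalyst VTP header: version(1) code(1) followers(1) mgmt-domain-len(1)
# domain name (32, zero padded) config-revision(4) updater-identity(4, IPv4)
# update-timestamp(12) md5-digest(16)  -> 72 bytes in total.
SUMMARY_FMT = "!BBBB32sII12s16s"
SUMMARY_LEN = struct.calcsize(SUMMARY_FMT)   # 72
CODE_SUMMARY_ADVERT = 0x01


def vtp_digest(domain, revision, password):
    """Illustrative digest model (assumption, not Cisco's exact algorithm):
    it covers the three inputs the article names, so it changes with every
    revision bump and only matches when password and domain agree."""
    h = hashlib.md5()
    h.update(password.encode())
    h.update(domain.encode())
    h.update(struct.pack("!I", revision))
    return h.digest()


def build_summary(domain, revision, updater_ip, timestamp, password="",
                  followers=0, version=2):
    """Encode a Summary Advertisement as the VTP server would send it."""
    dom = domain.encode()
    if len(dom) > 32:
        raise ValueError("management domain name is limited to 32 bytes")
    return struct.pack(SUMMARY_FMT, version, CODE_SUMMARY_ADVERT, followers,
                       len(dom), dom, revision,
                       int(ipaddress.IPv4Address(updater_ip)), timestamp,
                       vtp_digest(domain, revision, password))


def parse_summary(frame):
    """Decode the fixed header fields of a Summary Advertisement."""
    (version, code, followers, dom_len, dom, revision, updater,
     timestamp, md5) = struct.unpack(SUMMARY_FMT, frame[:SUMMARY_LEN])
    if code != CODE_SUMMARY_ADVERT:
        raise ValueError("not a Summary Advertisement (code 0x%02x)" % code)
    return {
        "version": version,
        "followers": followers,
        "domain": dom[:dom_len].decode(),
        "revision": revision,
        "updater": str(ipaddress.IPv4Address(updater)),
        "timestamp": timestamp.rstrip(b"\x00"),
        "md5": md5,
    }


def handle_summary(own_domain, own_revision, frame, password=""):
    """Receiver-side decision for a Summary Advertisement, following the
    comparison sequence described above. Returns one of:
      'forward'  - different domain: not ours, relay out the other trunks
      'bad-auth' - digest mismatch: wrong password, drop the update
      'ignore'   - revision equal to or lower than our own
      'request'  - higher revision: send an Advertisement Request
    """
    adv = parse_summary(frame)
    if adv["domain"] != own_domain:
        return "forward"
    if adv["md5"] != vtp_digest(adv["domain"], adv["revision"], password):
        return "bad-auth"
    if adv["revision"] <= own_revision:
        return "ignore"
    return "request"


if __name__ == "__main__":
    # Constructed sample: server 10.0.0.1 advertises revision 7 of domain CORP.
    frame = build_summary("CORP", 7, "10.0.0.1", b"240101120000",
                          password="s3cret", followers=1)
    print(parse_summary(frame))
    print(handle_summary("CORP", 5, frame, "s3cret"))   # request
```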

Lastly, summary advertisements are usually followed by Subset Advertisements; this is indicated by the Followers field, and the Subset Advertisement is the next message we'll closely examine.

VTP Protocol - Subset Advertisement

As mentioned in the previous message, when VLAN changes are made on the Catalyst VTP Server, it will then issue a Summary Advertisement, followed by a Subset Advertisement. Depending on how many VLANs are configured in the domain, there might be more than one Subset Advertisement sent to ensure all VLAN information is updated on the VTP Clients.

[Figure: vlans-vtp-analysis-3 - Subset Advertisement message format]

Comparing the fields of this message with the previous one, you'll notice most of them are identical, except for the Sequence No. and VLAN Info. Field.

The Code field for a Subset Advertisement of this type is set to 0x02 while the Sequence No. field contains the sequence of the packet in the stream of packets following a summary advertisement. The sequence starts with 1 and increments based on the number of packets in the stream.

Apart from these fields, we also have the VLAN Info Field, which happens to be the most important as it contains all the VLAN information the switches are waiting for.

The VLAN Info Field will be presented in segments. Its complexity and importance require us to break it up further and analyse the subfields it contains:

[Figure: vlans-vtp-analysis-4 - VLAN Info Field subfields]

Each VLAN Info Field contains all the information required for one VLAN. This means that if our network is powered with 10 VLANs and a Subset Advertisement is triggered, the VTP Server will send a total of 10 Subset Advertisements since each VLAN Info Field contains data for one VLAN.

The most important subfields in the VLAN Info Field are the VLAN Name Length, ISL VLAN ID, MTU Size and VLAN Name. These subfields contain critical information about the VLAN advertised in the particular Subset Advertisement frame. Some might be surprised to see settings such as the MTU being configurable per VLAN, and this confirms that each VLAN is treated as a separate network, where even different MTU sizes are possible amongst your network's VLANs.

Advertisement Requests

Turning a Cisco switch off results in the loss of all VTP information stored in its memory (RAM). When the switch is next turned on, its database is reset and therefore must be updated with the latest version available from the VTP Server(s).

A switch will also send an Advertisement Request when it hears a VTP summary advertisement with a higher revision number than what it currently has. Another scenario where a request would be issued is when the VTP domain membership has changed, even though this is quite uncommon since the VTP domain name is rarely, if ever, changed after its initial configuration.

So what happens when an Advertisement Request is sent on the network?

As you would already be aware from the message types covered, the VTP Server will respond with a Summary Advertisement, followed by as many Subset Advertisements as required to inform the VTP Clients about the configured VLANs.

The diagram below shows the structure of an Advertisement Request sent by a VTP Client switch:

[Figure: vlans-vtp-analysis-5 - Advertisement Request message format]

Most fields, as you can see, are similar to those of the previous messages, except two: Reserved and Starting Advertisement To Request. The Reserved field is exactly what it implies - reserved and not used in Advertisement Request messages - while the Starting Advertisement To Request field is the actual request sent by the VTP Client.

VTP Join Messages

VTP Join Messages are similar to the Advertisement Request messages but with a different Message Type field value and a few more parameters. As indicated by the message name, a VTP Join Message is sent by the VTP Client, and directed to the VTP Server, when it first joins a VTP domain.

Other VTP Options - VTP Password

The VTP Password is a necessary feature to ensure the security and integrity of VTP messages. With the password feature, you are able to secure your VTP Domain, since only switches configured with the correct password are able to authenticate and accept the VTP messages advertised in the management VLAN.

By default the VTP Password option is not turned on, and therefore most management VLANs are set to use non-secure advertisements. Once enabled on the VTP Domain Server(s), all switches participating in the domain must be manually configured with the same password, otherwise they will fail to authenticate all incoming VTP messages.

Summary

This page analysed the structure of each message the VTP protocol currently supports to maintain the network's switches in synchronisation with the VTP domain server(s):

  • Summary Advertisements
  • Subset Advertisement
  • Advertisement Requests
  • VTP Join Messages

We're sure you would agree that VLANs are a study case in their own right, but at the same time it's quite exciting as new concepts and methods of ensuring stability, speed and reliability are revealed.

This completes our in-depth discussion of the VTP protocol messages. Next up is VTP Pruning, a much needed service that ensures our network backbone is not constantly flooded with unnecessary traffic. We are sure you'll enjoy the page, along with the diagrams we have prepared.

VTP Pruning

VTP (VLAN Trunking Protocol) pruning is a feature used in Cisco switches to reduce unnecessary traffic on VLAN (Virtual Local Area Network) trunks. When VTP pruning is enabled on a trunk, the switch will stop forwarding broadcast, multicast and unknown unicast traffic for VLANs that do not have any active ports on the far side of the trunk.

This feature optimizes network bandwidth utilization by preventing unnecessary traffic from being sent across the network, which can help improve network performance. However, VTP pruning should only be used in situations where there are VLANs with no active ports, as enabling it on all trunks can cause connectivity issues if new ports are added to VLANs in the future.

The Broadcast And Unicast Problem In VLAN Networks

In VLAN (Virtual Local Area Network) networks, broadcast and unicast problems can occur due to the presence of multiple VLANs within a single physical network. Broadcast packets are sent to all hosts on a network, while unicast packets are sent to a specific host. When a broadcast or unicast packet is sent within a VLAN network, it is forwarded to all ports within the same VLAN. If a large number of broadcast or unicast packets are sent, it can lead to network congestion and slow down the overall network performance. To mitigate these issues, VLANs are used to logically separate network traffic, reducing the number of devices that receive unnecessary broadcast and unicast packets. However, proper configuration and management of VLANs are essential to prevent broadcast storms and ensure efficient use of network resources.

The diagram below is an example of how network broadcasts can flood the network, creating unnecessary traffic across all trunk links:

[Figure: vlans-pruning-1 - broadcast flooding across trunk links without pruning]

As shown and described, a host connected to a port configured for VLAN 2 on Switch 1 (first switch on the left), generates a network broadcast. Naturally, the switch will forward the broadcast out all ports assigned to the same VLAN it was received from, that is, VLAN 2.

In addition, the Catalyst switch will forward the broadcast out its trunk link, so it may reach all ports in the network assigned to VLAN 2. The Root switch receives the broadcast through one of its trunks and immediately forwards it to its downlink ports to Switch 2 and Switch 3.

Switch 2 is delighted to receive the broadcast as it does in fact have one port assigned to VLAN 2. Switch 3 however has no ports assigned to VLAN 2 and therefore will drop the broadcast packet received. In this example, Switch 3's uplink received broadcast traffic that was not necessary, therefore wasting valuable bandwidth.

While the inefficient usage of Switch 3's uplink doesn't seem like a major issue, the magnitude of this problem can be easily appreciated within a large network of switches, as shown in the diagram below:

[Figure: vlans-pruning-2 - medium-sized Catalyst network with core, distribution and access layers]

Here we have a medium sized network powered by Cisco Catalyst switches. The two main switches up the top are the VTP servers and also perform Inter-VLAN routing by routing packets between the different VLAN networks.

Below the core switches are the distribution-layer Catalyst switches (2950) with redundant fiber trunk links. Directly below the 2950 switches are the access-layer Catalyst switches (2948), allowing workstations to connect to the network.

In this example, a workstation connected to VLAN 2 sends a network broadcast request (lower left corner) to the network. As shown on the diagram, this broadcast will be sent out all network ports assigned to VLAN 2 on the local switch, but also out through all uplink ports to other switches. The same will occur on all other switches, causing a large amount of unnecessary traffic through network uplinks:

[Figure: vlans-pruning-3 - the same broadcast flooding every uplink in the network]

We can appreciate how much unnecessary traffic is generated here and how easily switch uplinks can be flooded with broadcast traffic.

One can still argue that in today's modern multi-gigabit networks this would be insignificant traffic; however, from a design perspective, this is by far not an efficient network design.

The Solution: Enabling VTP Pruning

VTP Pruning as you might have already guessed solves the above problem by reducing the unnecessary flooded traffic described previously. This is done by forwarding broadcasts and unknown unicast frames on a VLAN over trunk links only if the switch on the other end of the link has ports configured for that VLAN.

[Figure: vlans-pruning-4 - broadcast forwarding with VTP pruning enabled]

Looking at the above diagram you will notice that the Root Catalyst 3550 switch receives a broadcast from Switch 1, but only forwards it out one of its trunks. The Root switch knows that the broadcast belongs to VLAN 2 and, furthermore, is aware that no port is assigned to VLAN 2 on Switch 3, therefore it won't forward it out the trunk link connecting to that switch.

Support For VTP Pruning

The VTP Pruning service is supported by both VTP 1 and VTP 2 versions of the VTP protocol. With VTP 1, VTP pruning is possible with the use of additional VTP message types.

When a Cisco Catalyst switch has ports associated with a VLAN, it will send an advertisement to its neighboring switches informing them about the ports it has active on that VLAN. This information is then stored by the neighbors and used to decide if flooded traffic from a VLAN should be forwarded to the switch via the trunk port or not.

VTP Pruning configuration and commands are covered in section 11.4 as outlined in the VLAN Introduction page, however, we should inform you that you can actually enable pruning for specific VLANs in your network.

When you enable VTP Pruning on your network, all VLANs become eligible for pruning on all trunk links. This default list of pruning eligibility can thankfully be modified to suit your needs, but you must first clear all VLANs from the list using the clear vtp prune-eligible vlan-range command and then set the VLAN range you wish to add to the prune-eligible list by issuing the following command: set vtp prune-eligible vlan-range, where 'vlan-range' is the actual inclusive range of VLANs, e.g. '2-20'.

By default, VLANs 2–1000 are eligible for pruning. VLAN 1 has a special meaning because it is normally used as a management VLAN and is never eligible for pruning, while VLANs 1001–1005 are also never eligible for pruning. If the VLANs are configured as pruning-ineligible, the flooding continues as illustrated in our examples.
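The Python model below is an added example, not code from the original article or from Cisco; it puts the pruning decision described in "The Solution" and "Support For VTP Pruning" together with the eligibility rules just listed, using the Switch 1 / Root / Switch 2 / Switch 3 topology of the first diagram. The class name, the method names standing in for the set/clear commands, and the way each neighbour's active VLANs are handed to the Root are assumptions made for the model.

```python
# Constructed topology from the diagrams above: Switch1, Switch2 and Switch3
# each hang off one trunk of the Root switch.
DEFAULT_PRUNE_ELIGIBLE = range(2, 1001)           # VLANs 2-1000 by default
NEVER_PRUNE_ELIGIBLE = {1, *range(1001, 1006)}    # VLAN 1 and 1001-1005


class PruningSwitch:
    def __init__(self, name, trunks):
        self.name = name
        self.trunks = list(trunks)                # neighbour per trunk link
        self.pruning_enabled = False              # disabled by default
        self.prune_eligible = set(DEFAULT_PRUNE_ELIGIBLE)
        # VLANs each neighbour has advertised as having active ports
        self.remote_active = {t: set() for t in self.trunks}

    def set_pruning(self, enabled):
        """Model of 'set vtp pruning enable' on the VTP server."""
        self.pruning_enabled = enabled

    def clear_prune_eligible(self, first, last):
        """Model of 'clear vtp prune-eligible <first>-<last>'."""
        self.prune_eligible -= set(range(first, last + 1))

    def set_prune_eligible(self, first, last):
        """Model of 'set vtp prune-eligible <first>-<last>'; VLAN 1 and
        1001-1005 can never be made eligible, whatever range is given."""
        self.prune_eligible |= set(range(first, last + 1)) - NEVER_PRUNE_ELIGIBLE

    def receive_active_vlans(self, trunk, vlans):
        """Store a neighbour's advertisement of the VLANs it has active ports on."""
        self.remote_active[trunk] = set(vlans)

    def prunes(self, trunk, vlan):
        """True if flooded traffic on `vlan` is withheld from `trunk`: pruning
        is on, the VLAN is prune-eligible, and the neighbour has no active
        ports in it. Ineligible VLANs keep flooding as in the examples."""
        return (self.pruning_enabled
                and vlan in self.prune_eligible
                and vlan not in NEVER_PRUNE_ELIGIBLE
                and vlan not in self.remote_active[trunk])

    def flood_targets(self, vlan, ingress):
        """Trunks that receive a broadcast, multicast or unknown-unicast
        frame of `vlan` that arrived on trunk `ingress`."""
        return [t for t in self.trunks
                if t != ingress and not self.prunes(t, vlan)]


def build_root():
    """Root switch with the port assignments of the first diagram."""
    root = PruningSwitch("Root", ["Switch1", "Switch2", "Switch3"])
    root.receive_active_vlans("Switch1", {2, 3})
    root.receive_active_vlans("Switch2", {2})
    root.receive_active_vlans("Switch3", {3})     # no VLAN 2 ports on Switch 3
    return root


if __name__ == "__main__":
    root = build_root()
    print("no pruning:", root.flood_targets(2, "Switch1"))   # Switch2, Switch3
    root.set_pruning(True)
    print("pruning   :", root.flood_targets(2, "Switch1"))   # Switch2 only
```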

VTP Pruning is disabled by default on all Cisco Catalyst switches and can be enabled by issuing the set vtp pruning enable command on the VTP Server. This will also enable VTP pruning for the entire management domain.

Summary

VTP Pruning is a much welcomed feature within any VTP-enabled, Cisco-powered network, assisting in increasing bandwidth availability by restricting broadcast and unknown unicast traffic. We provided examples of how VTP pruning can be configured and the effect it has in small as well as large networks.