VLAN - Virtual Local Area Network
======================================

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **What is VLAN?**

    * VLAN stands for Virtual Local Area Network. It is a network configuration that allows devices on different physical LANs to be grouped into the same logical network, as if they were on the same physical LAN.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Why is VLAN useful?**

    * Segmentation – Separates network traffic for better performance and security.
    * Security – Limits broadcast domains and isolates sensitive data.
    * Efficiency – Reduces unnecessary traffic and improves bandwidth usage.
    * Flexibility – Devices can be grouped logically regardless of physical location.
    * Simplified Management – Easier to manage and troubleshoot network segments.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **How it works?**

    * Switch Configuration: VLANs are configured on managed switches.
    * Port Assignment – Each switch port is assigned to a specific VLAN.
    * Tagging (802.1Q) – VLAN tags are added to Ethernet frames to identify VLAN membership.
    * Traffic Isolation – Devices in different VLANs cannot communicate unless routed.
    * Inter-VLAN Routing – A Layer 3 device (router or Layer 3 switch) enables communication between VLANs.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Where is VLAN used?**

    * Enterprise Networks – To separate departments like HR, Finance, and IT.
    * Data Centers – For isolating services and tenants in virtualized environments.
    * Educational Institutions – To separate student, faculty, and administrative networks.
    * VoIP and IP Cameras – To isolate voice and video traffic from data traffic.
    * Guest Networks – To provide internet access without exposing internal resources.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Which OSI layer does this protocol belong to?**

    * VLAN operates at Layer 2 of the OSI model.
    * It modifies Ethernet frames using VLAN tags (IEEE 802.1Q).
    * VLAN-aware switches use these tags to forward traffic within the correct VLAN.
    * Although VLANs are Layer 2, inter-VLAN routing requires Layer 3 functionality.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    Topics in this section,

    * :ref:`Learnings in this section `
    * :ref:`Terminology `
    * :ref:`Version Info `
    * :ref:`VLAN Version&RFC Details `
    * :ref:`VLAN Basic Setup on Ubuntu using IPv4 `
    * :ref:`VLAN Basic Setup on Ubuntu using IPv6 `
    * :ref:`VLAN Protocol Packet Details `
    * :ref:`VLAN Usecases `
    * :ref:`VLAN Basic Features `
    * :ref:`VLAN Feature : Logical Segmentation `
    * :ref:`VLAN Feature : Broadcast Control `
    * :ref:`VLAN Feature : Improved Security `
    * :ref:`VLAN Feature : Traffic Management `
    * :ref:`VLAN Feature : Simplified Administration `
    * :ref:`VLAN Feature : Scalability `
    * :ref:`VLAN Feature : Quality of Service (QoS) `
    * :ref:`VLAN Feature : Support for Multi-Tenancy `
    * :ref:`VLAN Feature : Dynamic Assignment `
    * :ref:`VLAN Feature : Integration with STP `
    * :ref:`Reference links `

.. _VLAN_step1:

.. tab-set::

    .. tab-item:: Learnings in this section

        * In this section, you are going to learn

.. _VLAN_step2:

.. tab-set::

    .. tab-item:: Terminology

        * Terminology

.. _VLAN_step3:

.. tab-set::

    .. tab-item:: Version Info

        * Version Info

.. _VLAN_step5:

.. tab-set::

    .. tab-item:: VLAN Version&RFC Details

        .. csv-table::
            :file: ./VLAN/vlan_rfc_details.csv
            :widths: 10,10,10,30
            :header-rows: 1

.. _VLAN_step20:

.. tab-set::

    .. tab-item:: VLAN Basic Setup on Ubuntu using IPv4

        **VLAN Interface Creation Test Case**

        * This test verifies that a VLAN interface can be successfully created on a Linux system using the `ip` command.
          The interface should be visible in the system with the specified VLAN ID and IP configuration.

        * Step-1: Identify your physical interface.

        .. note::

            In this example, we assume `eth0` is the physical interface. Adjust according to your system.

        * Step-2: Create VLAN interface.

        .. code-block:: shell

            test:~$ sudo ip link add link eth0 name eth0.100 type vlan id 100
            test:~$ sudo ip addr add 192.168.100.1/24 dev eth0.100
            test:~$ sudo ip link set dev eth0.100 up

        * Step-3: Verify VLAN interface creation.

        .. code-block:: shell

            test:~$ ip -d link show eth0.100

        * Expected result:

          * VLAN interface `eth0.100` is created successfully.
          * It appears in the `ip -d link show` output with the correct VLAN ID.
          * Interface should be UP and have the IP address `192.168.100.1/24` assigned.

        * Step-4: Validation

        .. code-block:: shell

            test:~$ ip addr show eth0.100
            eth0.100@eth0: ...
                inet 192.168.100.1/24 scope global eth0.100
                vlan protocol 802.1Q id 100 ...

        * Result: VLAN interface is created with name `eth0.100`.

        **VLAN Ping Test Case**

        * This test verifies basic connectivity between two machines on the same VLAN using ICMP ping. Successful ping confirms correct VLAN setup and tagging (802.1Q).

        * Step-1: Configure VLAN interface on test1.

        .. code-block:: shell

            test1:~$ sudo ip link add link eth0 name eth0.100 type vlan id 100
            test1:~$ sudo ip addr add 192.168.100.1/24 dev eth0.100
            test1:~$ sudo ip link set dev eth0.100 up
            test1:~$ ip -d link show eth0.100

        * Step-2: Configure VLAN interface on test2.

        .. code-block:: shell

            test2:~$ sudo ip link add link eth0 name eth0.100 type vlan id 100
            test2:~$ sudo ip addr add 192.168.100.2/24 dev eth0.100
            test2:~$ sudo ip link set dev eth0.100 up
            test2:~$ ip -d link show eth0.100

        * Step-3: Ping from test1 to test2 and vice versa.

        .. code-block:: shell

            test1:~$ ping 192.168.100.2
            test2:~$ ping 192.168.100.1

        * Step-4: Verify ICMP echo and reply packets are tagged with 802.1Q VLAN header using packet capture (e.g., Wireshark or tcpdump).
        * Expected result:

          * Ping should succeed between test1 and test2 with 0% packet loss.
          * ICMP echo request/reply packets are visible and correctly tagged with VLAN ID 100.

        * Step-5: Wireshark Capture

        :download:`Download wireshark capture `

        **VLAN Isolation Test Case**

        * This test verifies that devices on different VLANs cannot communicate directly. When VLAN isolation is functioning correctly, ping between devices in different VLANs will fail.

        * Step-1: Configure VLAN 100 on test1.

        .. code-block:: shell

            test1:~$ sudo ip link add link eth0 name eth0.100 type vlan id 100
            test1:~$ sudo ip addr add 192.168.100.1/24 dev eth0.100
            test1:~$ sudo ip link set dev eth0.100 up
            test1:~$ ip -d link show eth0.100

        * Step-2: Configure VLAN 200 on test2.

        .. code-block:: shell

            test2:~$ sudo ip link add link eth0 name eth0.200 type vlan id 200
            test2:~$ sudo ip addr add 192.168.200.1/24 dev eth0.200
            test2:~$ sudo ip link set dev eth0.200 up
            test2:~$ ip -d link show eth0.200

        * Step-3: Attempt to ping from test1 to test2.

        .. code-block:: shell

            test1:~$ ping 192.168.200.1

        * Step-4: Capture packets using Wireshark to verify that no ICMP traffic is exchanged between VLANs.

        * Expected result:

          * Ping fails with 100% packet loss.
          * No ICMP echo request/reply packets are seen.
          * Confirms VLAN isolation is working as expected.

        * Step-5: Wireshark Capture

        :download:`Download wireshark capture `

        **VLAN Persistence Across Reboots Test Case**

        * This test verifies that VLAN interfaces persist after a system reboot by using persistent network configuration via Netplan.

        * Step-1: Edit the Netplan configuration file on test1 to define a VLAN interface.

        .. code-block:: yaml

            network:
              version: 2
              ethernets:
                eth0:
                  dhcp4: no
              vlans:
                vlan100:
                  id: 100
                  link: eth0
                  addresses:
                    - 192.168.100.1/24

        * Save the file as `/etc/netplan/01-netcfg.yaml` (or the appropriate Netplan config file for your system).

        * Step-2: Apply the Netplan configuration.

        .. code-block:: shell

            test1:~$ sudo netplan apply

        * Step-3: Reboot the system.

        .. code-block:: shell

            test1:~$ sudo reboot

        * Step-4: After reboot, verify that `vlan100` interface exists and has the correct IP address.

        .. code-block:: shell

            test1:~$ ip addr show vlan100

        * Expected result:

          * The interface `vlan100` should be present after reboot.
          * It should have the correct IP address `192.168.100.1/24`.
          * Confirms VLAN persistence via Netplan.

        **ARP Resolution with VLAN Tag Test Case**

        * This test verifies that ARP request and reply packets are correctly tagged with a VLAN ID (802.1Q) when VLAN interfaces are used. It also confirms basic IP connectivity through successful ping.

        * Step-1: Configure VLAN interface on test1.

        .. code-block:: shell

            test1:~$ sudo ip link add link eth0 name eth0.100 type vlan id 100
            test1:~$ sudo ip addr add 192.168.100.1/24 dev eth0.100
            test1:~$ sudo ip link set dev eth0.100 up
            test1:~$ ip -d link show eth0.100

        * Step-2: Configure VLAN interface on test2.

        .. code-block:: shell

            test2:~$ sudo ip link add link eth0 name eth0.100 type vlan id 100
            test2:~$ sudo ip addr add 192.168.100.2/24 dev eth0.100
            test2:~$ sudo ip link set dev eth0.100 up
            test2:~$ ip -d link show eth0.100

        * Step-3: Ping between test1 and test2.

        .. code-block:: shell

            test1:~$ ping 192.168.100.2
            test2:~$ ping 192.168.100.1

        * Step-4: Use Wireshark to capture packets and inspect for ARP resolution.

          * Look specifically for ARP request and reply frames tagged with VLAN ID 100.
          * Confirm that ICMP packets are also properly VLAN tagged.

        * Expected result:

          * Ping should succeed with 0% packet loss between test1 and test2.
          * ARP packets (request and reply) must include the VLAN tag (802.1Q) in packet capture.
          * ICMP packets must also include VLAN tag.
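        The tag check that the capture steps above perform by eye in Wireshark can also be run on the raw frame bytes. The C decoder below is an added example, not part of the original test suite: the function names (`check_vlan`, `build_tci`) and the sample frames are constructed for illustration. It also decodes the PCP and DEI bits that later test cases on this page inspect.

        ```c
        #include <stddef.h>
        #include <stdint.h>
        #include <stdio.h>

        #define ETH_HDR_LEN 14     /* dst MAC (6) + src MAC (6) + EtherType (2) */
        #define DOT1Q_LEN   4      /* TPID (2) + TCI (2), inserted after the source MAC */
        #define TPID_8021Q  0x8100 /* EtherType value that marks an 802.1Q tag */

        enum vlan_status { VLAN_OK, VLAN_UNTAGGED, VLAN_WRONG_ID, VLAN_TRUNCATED };

        struct dot1q {
            uint8_t  pcp;        /* Priority Code Point, 3 bits */
            uint8_t  dei;        /* Drop Eligible Indicator, 1 bit */
            uint16_t vid;        /* VLAN ID, 12 bits */
            uint16_t inner_type; /* EtherType of the payload behind the tag */
        };

        /* Read a big-endian (network order) 16-bit value. */
        static uint16_t be16(const uint8_t *p)
        {
            return (uint16_t)((p[0] << 8) | p[1]);
        }

        /* Pack PCP | DEI | VID into the 16-bit TCI exactly as it appears on the wire. */
        uint16_t build_tci(uint8_t pcp, uint8_t dei, uint16_t vid)
        {
            return (uint16_t)(((pcp & 0x7u) << 13) | ((dei & 0x1u) << 12) | (vid & 0x0FFFu));
        }

        /* Decode the tag of one captured frame and compare its VLAN ID with the one
         * the test expects. *out is filled only when a complete tag is present. */
        enum vlan_status check_vlan(const uint8_t *frame, size_t len,
                                    uint16_t expected_vid, struct dot1q *out)
        {
            if (len < ETH_HDR_LEN)
                return VLAN_TRUNCATED;
            if (be16(frame + 12) != TPID_8021Q)
                return VLAN_UNTAGGED;            /* bytes 12-13 hold the payload type */
            if (len < ETH_HDR_LEN + DOT1Q_LEN)
                return VLAN_TRUNCATED;           /* TPID seen, but TCI or type cut off */

            uint16_t tci = be16(frame + 14);
            out->pcp = (uint8_t)(tci >> 13);
            out->dei = (uint8_t)((tci >> 12) & 0x1);
            out->vid = (uint16_t)(tci & 0x0FFF);
            out->inner_type = be16(frame + 16);
            return out->vid == expected_vid ? VLAN_OK : VLAN_WRONG_ID;
        }

        /* Constructed sample frames (not taken from the page's captures). */

        /* ARP request from 192.168.100.1 for 192.168.100.2, tagged with VLAN 100. */
        const uint8_t ARP_VLAN100[] = {
            0xff,0xff,0xff,0xff,0xff,0xff, 0x02,0x00,0x00,0x00,0x00,0x01,
            0x81,0x00, 0x00,0x64, 0x08,0x06,
            0x00,0x01, 0x08,0x00, 0x06, 0x04, 0x00,0x01,
            0x02,0x00,0x00,0x00,0x00,0x01, 0xc0,0xa8,0x64,0x01,
            0x00,0x00,0x00,0x00,0x00,0x00, 0xc0,0xa8,0x64,0x02
        };

        /* The start of the same ARP request as it looks without a tag. */
        const uint8_t ARP_UNTAGGED[] = {
            0xff,0xff,0xff,0xff,0xff,0xff, 0x02,0x00,0x00,0x00,0x00,0x01, 0x08,0x06,
            0x00,0x01, 0x08,0x00, 0x06, 0x04, 0x00,0x01
        };

        /* IPv4 frame header with TCI 0xB064: PCP 5, DEI 1, VLAN 100 (payload omitted). */
        const uint8_t IPV4_PCP5_DEI1[] = {
            0x02,0x00,0x00,0x00,0x00,0x02, 0x02,0x00,0x00,0x00,0x00,0x01,
            0x81,0x00, 0xb0,0x64, 0x08,0x00
        };

        static const char *status_name(enum vlan_status s)
        {
            switch (s) {
            case VLAN_OK:       return "tagged, VLAN ID matches";
            case VLAN_UNTAGGED: return "no 802.1Q tag";
            case VLAN_WRONG_ID: return "tagged, unexpected VLAN ID";
            default:            return "frame too short";
            }
        }

        int main(void)
        {
            struct dot1q t = {0};
            enum vlan_status s;

            s = check_vlan(ARP_VLAN100, sizeof ARP_VLAN100, 100, &t);
            printf("ARP tagged:   %s (vid=%d pcp=%d dei=%d type=0x%04x)\n",
                   status_name(s), t.vid, t.pcp, t.dei, (unsigned)t.inner_type);
            s = check_vlan(ARP_UNTAGGED, sizeof ARP_UNTAGGED, 100, &t);
            printf("ARP untagged: %s\n", status_name(s));
            s = check_vlan(IPV4_PCP5_DEI1, sizeof IPV4_PCP5_DEI1, 100, &t);
            printf("PCP/DEI set:  %s (pcp=%d dei=%d)\n", status_name(s), t.pcp, t.dei);
            s = check_vlan(ARP_VLAN100, sizeof ARP_VLAN100, 200, &t);
            printf("expect 200:   %s (vid=%d)\n", status_name(s), t.vid);
            printf("TCI for pcp=5 dei=1 vid=100: 0x%04x\n", (unsigned)build_tci(5, 1, 100));
            return 0;
        }
        ```

        Feed it frames captured on the parent interface (`eth0`): a capture taken on `eth0.100` shows frames after the kernel has removed the tag, so they decode as untagged.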
        * Step-5: Wireshark Capture

        :download:`Download wireshark capture `

        **TCP 3-Way Handshake with VLAN Tag Test Case**

        * This test verifies that TCP 3-way handshake packets and data packets are properly VLAN-tagged (802.1Q) when transmitted between two machines with VLAN interfaces on the same subnet.

        * Step-1: Configure VLAN interface on test1.

        .. code-block:: shell

            test1:~$ sudo ip link add link eth0 name eth0.100 type vlan id 100
            test1:~$ sudo ip addr add 192.168.100.2/24 dev eth0.100
            test1:~$ sudo ip link set dev eth0.100 up
            test1:~$ ip -d link show eth0.100

        * Step-2: Configure VLAN interface on test2.

        .. code-block:: shell

            test2:~$ sudo ip link add link eth0 name eth0.100 type vlan id 100
            test2:~$ sudo ip addr add 192.168.100.3/24 dev eth0.100
            test2:~$ sudo ip link set dev eth0.100 up
            test2:~$ ip -d link show eth0.100

        * Step-3: Create a basic TCP server on test2.

        .. code-block:: shell

            test2:~$ vi tcp_server.c
            # Insert basic TCP server code
            test2:~$ gcc tcp_server.c -o tcp_server

        * Step-4: Create a basic TCP client on test1.

        .. code-block:: shell

            test1:~$ vi tcp_client.c
            # Insert basic TCP client code
            test1:~$ gcc tcp_client.c -o tcp_client

        * Step-5: Run the TCP server and client to establish a connection.

        .. code-block:: shell

            test2:~$ ./tcp_server
            test1:~$ ./tcp_client

        * Step-6: Capture packets using Wireshark on either side.

          * Look for TCP 3-way handshake packets (SYN, SYN-ACK, ACK) and ensure they are tagged with VLAN ID 100.
          * Also verify that any data packets exchanged are VLAN tagged.

        * Expected result:

          * TCP connection is successfully established.
          * Packet capture shows TCP handshake and data packets tagged with VLAN ID (802.1Q).
          * Confirms correct VLAN tagging for TCP traffic.

        * Step-7: Wireshark Capture

        :download:`Download wireshark capture `

        **UDP Packets with VLAN Tag Test Case**

        * This test verifies that UDP packets are properly tagged with a VLAN ID (802.1Q) when transmitted between two machines with VLAN interfaces on the same subnet.
        * Step-1: Configure VLAN interface on test1.

        .. code-block:: shell

            test1:~$ sudo ip link add link eth0 name eth0.100 type vlan id 100
            test1:~$ sudo ip addr add 192.168.100.2/24 dev eth0.100
            test1:~$ sudo ip link set dev eth0.100 up
            test1:~$ ip -d link show eth0.100

        * Step-2: Configure VLAN interface on test2.

        .. code-block:: shell

            test2:~$ sudo ip link add link eth0 name eth0.100 type vlan id 100
            test2:~$ sudo ip addr add 192.168.100.3/24 dev eth0.100
            test2:~$ sudo ip link set dev eth0.100 up
            test2:~$ ip -d link show eth0.100

        * Step-3: Create a basic UDP server on test2.

        .. code-block:: shell

            test2:~$ vi udp_server.c
            # Insert basic UDP server code
            test2:~$ gcc udp_server.c -o udp_server

        * Step-4: Create a basic UDP client on test1.

        .. code-block:: shell

            test1:~$ vi udp_client.c
            # Insert basic UDP client code
            test1:~$ gcc udp_client.c -o udp_client

        * Step-5: Run the UDP server and client to exchange packets.

        .. code-block:: shell

            test2:~$ ./udp_server
            test1:~$ ./udp_client

        * Step-6: Capture packets using Wireshark

          * Inspect the UDP packets for VLAN tagging with VLAN ID 100.

        * Expected result:

          * UDP client-server communication is successfully established.
          * Wireshark capture confirms that UDP packets are tagged with VLAN ID (802.1Q).

        * Step-7: Wireshark Capture

        :download:`Download wireshark capture `

        **Ping Using Hostname (DNS) with VLAN Tag Test Case**

        * This test verifies that DNS queries and ICMP packets are correctly VLAN tagged when hostname-based communication is performed over VLAN interfaces.

        * Step-1: Configure VLAN interface on test1.

        .. code-block:: shell

            test1:~$ sudo ip link add link eth0 name eth0.100 type vlan id 100
            test1:~$ sudo ip addr add 192.168.100.2/24 dev eth0.100
            test1:~$ sudo ip link set dev eth0.100 up

        * Step-2: Configure VLAN interface on test2.

        .. code-block:: shell

            test2:~$ sudo ip link add link eth0 name eth0.100 type vlan id 100
            test2:~$ sudo ip addr add 192.168.100.3/24 dev eth0.100
            test2:~$ sudo ip link set dev eth0.100 up

        * Step-3: Install and configure dnsmasq on test1.

        .. code-block:: shell

            test1:~$ sudo apt update
            test1:~$ sudo apt install dnsmasq

        * Edit `/etc/dnsmasq.conf` and add:

        .. code-block:: none

            address=/vm1.local/192.168.100.2
            address=/vm2.local/192.168.100.3

        * Restart the dnsmasq service:

        .. code-block:: shell

            test1:~$ sudo systemctl restart dnsmasq
            test1:~$ sudo systemctl status dnsmasq

        * Step-4: Configure test2 to use test1 as its DNS server.

        * Edit `/etc/resolv.conf` on test2:

        .. code-block:: none

            nameserver 192.168.100.2
            search local

        * Save and close the file.

        * Step-5: Test ping using hostname.

        .. code-block:: shell

            test2:~$ ping vm1

        * Step-6: Capture packets using Wireshark on test1 or test2.

          * Look for DNS query/response packets and ICMP packets.
          * Confirm that all packets include VLAN tag (802.1Q) with VLAN ID 100.

        * Expected result:

          * DNS query resolves hostname successfully.
          * Ping to hostname succeeds with 0% packet loss.
          * Both DNS and ICMP packets are correctly VLAN tagged.

        * Step-7: Wireshark Capture

        :download:`Download wireshark capture `

        **Ping Between Two Machines (DHCP) with VLAN Tag Test Case**

        * This test verifies that a VLAN-tagged interface can receive an IP address via DHCP, and confirms that both DHCP and ICMP packets carry VLAN tags (802.1Q).

        * Step-1: Configure VLAN interface on test1 (DHCP Server).

        .. code-block:: shell

            test1:~$ sudo ip link add link eth0 name eth0.100 type vlan id 100
            test1:~$ sudo ip addr add 192.168.100.1/24 dev eth0.100
            test1:~$ sudo ip link set dev eth0.100 up
            test1:~$ ip -d link show eth0.100

        * Step-2: Install and configure DHCP server on test1.

        .. code-block:: shell

            test1:~$ sudo apt update
            test1:~$ sudo apt install isc-dhcp-server

        * Edit DHCP server interface configuration file:

        .. code-block:: shell

            test1:~$ sudo nano /etc/default/isc-dhcp-server

        * Change the line:

        .. code-block:: shell

            INTERFACESv4=""

        *To:*

        .. code-block:: shell

            INTERFACESv4="eth0.100"

        * Configure DHCP range in `/etc/dhcp/dhcpd.conf`:

        .. code-block:: none

            subnet 192.168.100.0 netmask 255.255.255.0 {
                range 192.168.100.50 192.168.100.100;
                option routers 192.168.100.1;
                option subnet-mask 255.255.255.0;
                option domain-name-servers 8.8.8.8;
                default-lease-time 600;
                max-lease-time 7200;
            }

        * Save and restart DHCP server:

        .. code-block:: shell

            test1:~$ sudo systemctl restart isc-dhcp-server
            test1:~$ sudo systemctl enable isc-dhcp-server
            test1:~$ sudo systemctl status isc-dhcp-server

        * Step-3: Configure VLAN interface on test2 (DHCP Client).

        .. code-block:: shell

            test2:~$ sudo ip link add link eth0 name eth0.100 type vlan id 100
            test2:~$ sudo ip link set dev eth0.100 up

        * Step-4: Install DHCP client and request an IP address.

        .. code-block:: shell

            test2:~$ sudo apt install isc-dhcp-client
            test2:~$ sudo dhclient eth0.100

        * Step-5: Verify IP address on test2.

        .. code-block:: shell

            test2:~$ ip a show eth0.100

        * Step-6: Ping from test1 to the dynamically assigned IP on test2.

        .. code-block:: shell

            test1:~$ ping <IP address assigned to test2>

        * Step-7: Packet Capture and VLAN Verification

          * Capture packets using Wireshark or tcpdump on either machine.
          * Look for:

            - DHCP Discover / Offer / Request / ACK packets
            - ICMP Echo Request / Reply
            - All packets should contain VLAN ID 100 (802.1Q tag)

        * Expected result:

          * DHCP IP address is successfully assigned to test2 on VLAN interface.
          * Ping between test1 and test2 succeeds with 0% packet loss.
          * All DHCP and ICMP packets are VLAN tagged.

        * Step-8: Wireshark Capture

        :download:`Download wireshark capture `

        **VLAN Tested with IPv4 Web Server (Own) - Test Case**

        * This test verifies that a self-hosted IPv4 web server is reachable via a VLAN-tagged interface and that all traffic (TCP 3-way handshake and HTTP content) carries VLAN tags.
        * Step-1: Configure VLAN interface on test1 (Web Server).

        .. code-block:: shell

            test1:~$ sudo ip link add link eth0 name eth0.100 type vlan id 100
            test1:~$ sudo ip addr add 192.168.100.3/24 dev eth0.100
            test1:~$ sudo ip link set dev eth0.100 up

        * Step-2: Install and configure Apache2 on test1.

        .. code-block:: shell

            test1:~$ sudo apt update
            test1:~$ sudo apt install apache2 -y
            test1:~$ sudo ufw allow 'Apache Full'
            test1:~$ sudo systemctl start apache2
            test1:~$ sudo systemctl enable apache2

        * Step-3: Create custom HTML page for the web server.

        .. code-block:: shell

            test1:~$ sudo mkdir -p /var/www/myvlanweb.com/html
            test1:~$ sudo nano /var/www/myvlanweb.com/html/index.html

        * Sample HTML page:

        .. code-block:: html

            <!DOCTYPE html>
            <html>
            <head>
                <title>VLAN Web Test</title>
            </head>
            <body>
                <h1>Welcome to VLAN Web Server</h1>
                <p>This is a test page served over VLAN 100</p>
            </body>
            </html>

        .. code-block:: shell

            test1:~$ sudo chown -R www-data:www-data /var/www/myvlanweb.com/html
            test1:~$ sudo chmod -R 755 /var/www/myvlanweb.com

        * Step-4: Configure Apache virtual host.

        .. code-block:: shell

            test1:~$ sudo nano /etc/apache2/sites-available/myvlanweb.com.conf

        * Add the following content:

        .. code-block:: apache

            <VirtualHost *:80>
                ServerAdmin webmaster@localhost
                ServerName myvlanweb.com
                DocumentRoot /var/www/myvlanweb.com/html

                <Directory /var/www/myvlanweb.com/html>
                    # Indexes lists directory contents when no index file exists
                    Options Indexes FollowSymLinks
                    AllowOverride None
                    Require all granted
                </Directory>

                ErrorLog ${APACHE_LOG_DIR}/myvlanweb_error.log
                CustomLog ${APACHE_LOG_DIR}/myvlanweb_access.log combined
            </VirtualHost>

        .. code-block:: shell

            test1:~$ sudo a2ensite myvlanweb.com.conf
            test1:~$ sudo a2dissite 000-default.conf
            test1:~$ sudo apache2ctl configtest
            test1:~$ sudo systemctl reload apache2

        * Step-5: Configure VLAN interface on test2 (Client).

        .. code-block:: shell

            test2:~$ sudo ip link add link eth0 name eth0.100 type vlan id 100
            test2:~$ sudo ip addr add 192.168.100.2/24 dev eth0.100
            test2:~$ sudo ip link set dev eth0.100 up

        * Step-6: Test connectivity and fetch webpage.

        .. code-block:: shell

            test2:~$ curl http://192.168.100.3

        * Step-7: Capture packets using Wireshark.

          * Verify presence of:

            - TCP 3-way handshake (SYN, SYN-ACK, ACK)
            - HTTP GET / 200 OK responses
            - All packets must have VLAN ID 100 (802.1Q tag)

        * Expected Result:

          * Client receives full HTML response from server.
          * Ping and HTTP communication succeed.
          * VLAN tags are present in TCP and HTTP packets.

        * Step-8: Wireshark Capture

        :download:`Download wireshark capture `

        **VLAN Tested with IPv6 Web Server (Own) - Test Case**

        * This test verifies that an IPv6 web server hosted on a VLAN-tagged interface is reachable from another VLAN-tagged client, and that all traffic (TCP handshake and HTTP response) carries the correct 802.1Q VLAN tags.

        * Step-1: Configure VLAN interface with IPv6 address on test1 (Web Server).

        .. code-block:: shell

            test1:~$ sudo ip link add link eth0 name eth0.100 type vlan id 100
            test1:~$ sudo ip addr add 192.168.100.3/24 dev eth0.100
            test1:~$ sudo ip addr add 2001:db8:100::3/64 dev eth0.100
            test1:~$ sudo ip link set dev eth0.100 up

        * Step-2: Install and configure Apache2 on test1.

        .. code-block:: shell

            test1:~$ sudo apt update
            test1:~$ sudo apt install apache2 -y
            test1:~$ sudo ufw allow 'Apache Full'
            test1:~$ sudo systemctl start apache2
            test1:~$ sudo systemctl enable apache2

        * Step-3: Create custom HTML content for the website.

        .. code-block:: shell

            test1:~$ sudo mkdir -p /var/www/myvlanweb.com/html
            test1:~$ sudo nano /var/www/myvlanweb.com/html/index.html

        * Sample HTML page:

        .. code-block:: html

            <!DOCTYPE html>
            <html>
            <head>
                <title>IPv6 VLAN Web Test</title>
            </head>
            <body>
                <h1>Welcome to VLAN IPv6 Web Server</h1>
                <p>This page is served over IPv6 and VLAN 100.</p>
            </body>
            </html>

        .. code-block:: shell

            test1:~$ sudo chown -R www-data:www-data /var/www/myvlanweb.com/html
            test1:~$ sudo chmod -R 755 /var/www/myvlanweb.com

        * Step-4: Configure Apache virtual host.

        .. code-block:: shell

            test1:~$ sudo nano /etc/apache2/sites-available/myvlanweb.com.conf

        * Add the following content:

        .. code-block:: apache

            <VirtualHost *:80>
                ServerAdmin webmaster@localhost
                ServerName myvlanweb.com
                DocumentRoot /var/www/myvlanweb.com/html

                <Directory /var/www/myvlanweb.com/html>
                    # Indexes lists directory contents when no index file exists
                    Options Indexes FollowSymLinks
                    AllowOverride None
                    Require all granted
                </Directory>

                ErrorLog ${APACHE_LOG_DIR}/myvlanweb_error.log
                CustomLog ${APACHE_LOG_DIR}/myvlanweb_access.log combined
            </VirtualHost>

        .. code-block:: shell

            test1:~$ sudo a2ensite myvlanweb.com.conf
            test1:~$ sudo a2dissite 000-default.conf
            test1:~$ sudo apache2ctl configtest
            test1:~$ sudo systemctl reload apache2

        * Step-5: Configure VLAN interface with IPv6 on test2 (Client).

        .. code-block:: shell

            test2:~$ sudo ip link add link eth0 name eth0.100 type vlan id 100
            test2:~$ sudo ip addr add 192.168.100.2/24 dev eth0.100
            test2:~$ sudo ip addr add 2001:db8:100::2/64 dev eth0.100
            test2:~$ sudo ip link set dev eth0.100 up

        * Step-6: Test connectivity and fetch web content.

        .. code-block:: shell

            test2:~$ ping6 2001:db8:100::3
            test2:~$ curl http://[2001:db8:100::3]/

        * Step-7: Packet capture and VLAN verification.

          * Use Wireshark to capture traffic on `eth0` or `eth0.100`.
          * Confirm presence of:

            - TCP 3-way handshake packets
            - HTTP GET and 200 OK responses
            - All packets tagged with VLAN ID 100 (802.1Q)

        * Expected Result:

          * Web server is accessible from client over IPv6 on VLAN.
          * Curl outputs the expected HTML content.
          * TCP and HTTP packets show correct VLAN tagging in the capture.

        * Step-8: Wireshark Capture

        :download:`Download wireshark capture `

        **Switch-to-Switch VLAN Trunk Test Case**

        * This test verifies that a trunk connection between two Layer 2 switches correctly allows VLAN-tagged traffic to pass between two VPCS nodes in the same VLAN.
        * Step-1: Setup and connect topology in simulation tool (e.g., Cisco Packet Tracer, GNS3, or EVE-NG).

          - Drag and drop:

            - 2 Layer 2 switches (Switch A and Switch B)
            - 2 VPCS nodes (PC1 and PC2)

          - Connect as follows:

        .. code-block::

            PC1 <--> Gi0/1 (Switch A)
            Switch A Gi0/2 <--> Gi0/2 Switch B
            Gi0/1 (Switch B) <--> PC2

        * Step-2: Configure VLAN 10 and ports on **Switch A**.

        .. code-block:: console

            SwitchA> enable
            SwitchA# configure terminal
            SwitchA(config)# vlan 10
            SwitchA(config-vlan)# name VLAN10
            SwitchA(config-vlan)# exit
            SwitchA(config)# interface Gi0/1
            SwitchA(config-if)# switchport mode access
            SwitchA(config-if)# switchport access vlan 10
            SwitchA(config-if)# no shutdown
            SwitchA(config-if)# exit
            SwitchA(config)# interface Gi0/2
            SwitchA(config-if)# switchport trunk encapsulation dot1q
            SwitchA(config-if)# switchport mode trunk
            SwitchA(config-if)# no shutdown
            SwitchA(config-if)# exit

        * Step-3: Configure VLAN 10 and ports on **Switch B** (repeat similar steps).

        .. code-block:: console

            SwitchB> enable
            SwitchB# configure terminal
            SwitchB(config)# vlan 10
            SwitchB(config-vlan)# name VLAN10
            SwitchB(config-vlan)# exit
            SwitchB(config)# interface Gi0/1
            SwitchB(config-if)# switchport mode access
            SwitchB(config-if)# switchport access vlan 10
            SwitchB(config-if)# no shutdown
            SwitchB(config-if)# exit
            SwitchB(config)# interface Gi0/2
            SwitchB(config-if)# switchport trunk encapsulation dot1q
            SwitchB(config-if)# switchport mode trunk
            SwitchB(config-if)# no shutdown
            SwitchB(config-if)# exit

        * Step-4: Configure IP addresses on **VPCS nodes**.

        .. code-block:: shell

            PC1> ip 192.168.10.2 255.255.255.0
            PC2> ip 192.168.10.3 255.255.255.0

        * Step-5: Perform Ping Test.

        .. code-block:: shell

            PC1> ping 192.168.10.3
            PC2> ping 192.168.10.2

        * Step-6: Capture traffic using Wireshark on the trunk link (Gi0/2 <--> Gi0/2).

          * Filter: `vlan`
          * Check for:

            - ICMP Echo Requests and Replies
            - 802.1Q VLAN tags (ID: 10)

        * Expected Result:

          * Ping should be successful with 0% packet loss.
          * ICMP packets are encapsulated with 802.1Q VLAN tags on trunk port.

        * Step-7: Wireshark Capture

        :download:`Download wireshark capture `

        **Linux-to-Linux VLAN Trunk Test Case**

        * This test verifies that VLAN trunking works between two Linux machines configured with multiple VLAN interfaces, allowing communication over multiple VLANs (e.g., VLAN 10 and VLAN 20).

        * Step-1: Configure VLAN interfaces on test1 (Linux Machine 1).

        .. code-block:: shell

            test1:~$ sudo ip link add link eth0 name eth0.10 type vlan id 10
            test1:~$ sudo ip addr add 192.168.10.1/24 dev eth0.10
            test1:~$ sudo ip link set dev eth0.10 up
            test1:~$ sudo ip link add link eth0 name eth0.20 type vlan id 20
            test1:~$ sudo ip addr add 192.168.20.1/24 dev eth0.20
            test1:~$ sudo ip link set dev eth0.20 up

        * Step-2: Configure VLAN interfaces on test2 (Linux Machine 2).

        .. code-block:: shell

            test2:~$ sudo ip link add link eth0 name eth0.10 type vlan id 10
            test2:~$ sudo ip addr add 192.168.10.2/24 dev eth0.10
            test2:~$ sudo ip link set dev eth0.10 up
            test2:~$ sudo ip link add link eth0 name eth0.20 type vlan id 20
            test2:~$ sudo ip addr add 192.168.20.2/24 dev eth0.20
            test2:~$ sudo ip link set dev eth0.20 up

        * Step-3: Test connectivity over VLAN interfaces from test1.

        .. code-block:: shell

            test1:~$ ping 192.168.10.2   # VLAN 10
            test1:~$ ping 192.168.20.2   # VLAN 20

        * Step-4: Verify VLAN tag presence in packets using Wireshark.

          - Confirm:

            - ICMP Echo Requests and Replies
            - VLAN 802.1Q tags (ID 10 and 20)

        * Expected Result:

          * Ping should be successful for both VLAN 10 and VLAN 20.
          * VLAN tags (802.1Q) should be present in ICMP packets during capture.

        * Step-5: Wireshark Capture

        :download:`Download wireshark capture `

        **VLAN Tag Priority Bits (PCP) Test Case**

        * This test verifies that all 7 combinations of PCP (Priority Code Point) values (001 to 111) in the 802.1Q VLAN tag are correctly set and visible in packet captures using Wireshark.

        * Step-1: Prepare the common VLAN packet send code (`vlan_send_template.c`)

        .. code-block:: shell

            test1:~$ vi vlan_send_template.c
            # (Write the common C code that constructs and sends a VLAN tagged Ethernet frame)
            # (This includes logic to set the TCI field using PCP_VALUE macro)

        :download:`Download vlan_send_template.c `

        * Step-2: Create one example wrapper file (`send_pcp1.c`) for PCP value = 1

        .. code-block:: c

            #define PCP_VALUE 1
            #include "vlan_send_template.c"

        .. code-block:: shell

            test1:~$ gcc send_pcp1.c -o send_pcp1
            test1:~$ sudo ./send_pcp1

        * Step-3: Repeat Step-2 for remaining PCP values (2, 3, 4, 5, 6, 7)

          - Create `send_pcp0.c`, `send_pcp2.c`, ..., `send_pcp7.c` by changing `PCP_VALUE`
          - Compile and run each one similarly to generate corresponding packets

        * Step-4: Capture packets using Wireshark while each binary is run

          - Apply display filter in Wireshark: `vlan`
          - Observe the “Priority” field in the VLAN tag
          - Confirm PCP field shows values 1–7 as expected

        * Expected Result:

          * Each compiled binary should send a packet with correct PCP bits (0–7).
          * Wireshark should display the VLAN tag with corresponding PCP (Priority) field value.

        * Step-5: Wireshark Capture

        :download:`Download wireshark capture `

        **VLAN Tag DEI (Drop Eligible Indicator) Bit Test Case**

        * This test verifies that the DEI (Drop Eligible Indicator) bit in the 802.1Q VLAN tag can be set to `1` using raw socket programming in Linux and is visible in packet captures using Wireshark.

        * Step-1: Write a C program to send ICMP packet with VLAN tag (DEI = 1)

        :download:`Download dei_bit.c source code `

        * Step-2: Compile and run the code on a Linux machine with proper permissions

        .. code-block:: shell

            test1:~$ gcc dei_bit.c -o dei_bit
            test1:~$ sudo ./dei_bit

        * Step-3: Capture the outgoing packet using Wireshark on the same interface

          - Apply display filter: `vlan`
          - Check the **DEI (Drop Eligible Indicator)** field in the VLAN header
          - Ensure **DEI = 1** is present in the packet

        * Expected Result:

          * The ICMP Echo Request packet should be visible in Wireshark.
          * VLAN tag with **DEI = 1** should be clearly shown under VLAN header details.

        * Step-4: Wireshark Capture

        :download:`Download wireshark capture `

        * Notes:

          - DEI field is useful in congestion management. It marks the frame as eligible for discard if congestion occurs.
          - Default DEI is `0`. This test explicitly sets it to `1`.

        **Same VLAN, Different Subnets Ping Test Case**

        * This test verifies that devices in the **same VLAN** but assigned to **different subnets** can communicate when routed via a router subinterface using `dot1Q` encapsulation.

        * Step-1: Configure VLAN 10 on the Switch (Layer 2)

        .. code-block:: shell

            Switch> enable
            Switch# configure terminal
            Switch(config)# interface GigabitEthernet0/1
            Switch(config-if)# switchport mode access
            Switch(config-if)# switchport access vlan 10
            Switch(config-if)# exit
            Switch(config)# interface GigabitEthernet0/2
            Switch(config-if)# switchport mode access
            Switch(config-if)# switchport access vlan 10
            Switch(config-if)# exit
            Switch(config)# interface GigabitEthernet0/0
            Switch(config-if)# switchport trunk encapsulation dot1q
            Switch(config-if)# switchport mode trunk
            Switch(config-if)# switchport trunk allowed vlan 10
            Switch(config-if)# exit
            Switch(config)# exit
            Switch# write memory

        * Step-2: Configure Router subinterfaces for inter-subnet routing over VLAN 10

        .. code-block:: shell

            Router> enable
            Router# configure terminal
            Router(config)# interface FastEthernet0/0.10
            Router(config-subif)# encapsulation dot1Q 10
            Router(config-subif)# ip address 192.168.1.1 255.255.255.224
            Router(config-subif)# ip address 192.168.1.33 255.255.255.224 secondary
            Router(config-subif)# exit
            Router(config)# interface FastEthernet0/0
            Router(config-if)# no ip address
            Router(config-if)# no shutdown
            Router(config-if)# exit
            Router(config)# exit
            Router# write memory

        * Step-3: Assign IP addresses to PCs in different subnets (still in same VLAN)

        .. code-block:: shell

            PC1> ip 192.168.1.10 255.255.255.224 192.168.1.1
            PC2> ip 192.168.1.40 255.255.255.224 192.168.1.33

        * Step-4: Test inter-subnet connectivity

        .. code-block:: shell

            PC1> ping 192.168.1.40
            PC2> ping 192.168.1.10

        * Step-5: Verify packets using Wireshark (capture on trunk or router interface)

          - Confirm:

            - ICMP Echo Request and Reply packets
            - 802.1Q VLAN tags with **VLAN ID 10**
            - Routing is performed between subnets even within the same VLAN

        * Expected Result:

          * Ping should succeed between hosts on different subnets but within the same VLAN.
          * ICMP packets should contain 802.1Q VLAN tag with VLAN ID 10.
          * Routing should occur on the router's subinterface with multiple subnet addresses.

        * Step-6: Wireshark Capture

        :download:`Download wireshark capture `

        **IP Communication Across Aggregated VLANs (IRB with BVI) Test Case**

        * This test verifies communication between hosts in **different VLANs but in the same IP subnet** using **Integrated Routing and Bridging (IRB)** with a **Bridge Virtual Interface (BVI)** on the router.

        * Step-1: Enable Integrated Routing on the Router

        .. code-block:: shell

            Router> enable
            Router# configure terminal
            Router(config)# bridge irb

        * Step-2: Configure VLANs on the Switch

        .. code-block:: shell

            Switch> enable
            Switch# configure terminal
            Switch(config)# vlan 10
            Switch(config-vlan)# exit
            Switch(config)# vlan 20
            Switch(config-vlan)# exit
            Switch(config)# interface GigabitEthernet0/1
            Switch(config-if)# switchport mode access
            Switch(config-if)# switchport access vlan 10
            Switch(config-if)# exit
            Switch(config)# interface GigabitEthernet0/2
            Switch(config-if)# switchport mode access
            Switch(config-if)# switchport access vlan 20
            Switch(config-if)# exit
            Switch(config)# interface GigabitEthernet0/3
            Switch(config-if)# switchport mode trunk
            Switch(config-if)# switchport trunk allowed vlan 10,20
            Switch(config-if)# exit
            Switch(config)# exit
            Switch# write memory

        * Step-3: Configure Router Subinterfaces for VLANs

        .. code-block:: shell

            Router(config)# interface FastEthernet0/0.10
            Router(config-subif)# encapsulation dot1Q 10
            Router(config-subif)# bridge-group 1
            Router(config-subif)# no ip address
            Router(config-subif)# exit
            Router(config)# interface FastEthernet0/0.20
            Router(config-subif)# encapsulation dot1Q 20
            Router(config-subif)# bridge-group 1
            Router(config-subif)# no ip address
            Router(config-subif)# exit

        * Step-4: Configure Bridge Virtual Interface (BVI)

        .. code-block:: shell

            Router(config)# interface BVI1
            Router(config-if)# ip address 192.168.10.1 255.255.255.0
            Router(config-if)# no shutdown
            Router(config-if)# exit
            Router(config)# bridge 1 protocol ieee
            Router(config)# bridge 1 route ip

        * Step-5: Assign IP addresses to PCs in different VLANs but same subnet

        .. code-block:: shell

            PC1> ip 192.168.10.10 255.255.255.0 192.168.10.1
            PC2> ip 192.168.10.20 255.255.255.0 192.168.10.1

        * Step-6: Test Connectivity Between PCs

        .. code-block:: shell

            PC1> ping 192.168.10.20
            PC2> ping 192.168.10.10

        * Step-7: Wireshark Capture Verification

          - Confirm:

            - ICMP Echo Request and Echo Reply
            - VLAN tags (802.1Q) for **VLAN 10** and **VLAN 20**
            - Communication is successful across VLANs through the **BVI interface**

        * Expected Result:

          * Ping should succeed between devices on different VLANs but within the same subnet.
          * VLAN-tagged packets (with VLAN IDs 10 and 20) should be visible in the capture.
          * Routing is achieved via the router’s BVI interface, enabling cross-VLAN communication.

        * Step-8: Wireshark Capture

        :download:`Download wireshark capture `

        **Broadcast Isolation Across VLANs Test Case**

        * This test verifies that **layer 2 broadcasts** are isolated between VLANs, **even if the IP subnet is shared**, by sending a directed broadcast from one VLAN and ensuring it is **not propagated** to hosts in another VLAN.

        * Prerequisite:

          * Use the same setup as described in the previous test case (IRB routing via router subinterfaces and BVI).
          * PC1 is in VLAN 10 and PC2 is in VLAN 20.
        * Both are in the same IP subnet `192.168.10.0/24`.

      * Step-1: Send Directed Broadcast from PC1 (VLAN 10)

      .. code-block:: shell

         PC1> ping 192.168.10.255

      * Step-2: Monitor PC2 (VLAN 20) for Response

        - No response should be observed.
        - Optionally, run Wireshark or packet capture on PC2 or on a trunk port between switch and router.

      * Step-3: Wireshark Verification

        - On VLAN 20 side (PC2 or router trunk):

          - No ICMP Echo Requests for destination `192.168.10.255` should be seen.

        - On VLAN 10 side:

          - ICMP Echo Request should be seen.
          - Destination MAC should be broadcast (FF:FF:FF:FF:FF:FF).
          - VLAN tag with ID 10 should be present.

      * Expected Result:

        * PC2 (in VLAN 20) should **not** receive any of the broadcast ICMP packets sent by PC1 (in VLAN 10).
        * Layer 2 broadcast traffic is **contained within VLAN 10**.

      * Step-4: Wireshark Capture

        :download:`Download broadcast isolation capture `

      **Super VLAN Hierarchy Communication Test Case**

      * This test verifies communication between hosts assigned to **different Sub-VLANs** under a common **Super VLAN**, using Integrated Routing and Bridging (IRB) on a router to forward traffic.

      * Step-1: Configure VLANs and Ports on the Switch

      .. code-block:: shell

         Switch> enable
         Switch# configure terminal
         Switch(config)# vlan 100
         Switch(config-vlan)# name SuperVLAN
         Switch(config-vlan)# exit
         Switch(config)# vlan 101
         Switch(config-vlan)# name SubVLAN1
         Switch(config-vlan)# exit
         Switch(config)# vlan 102
         Switch(config-vlan)# name SubVLAN2
         Switch(config-vlan)# exit
         Switch(config)# interface GigabitEthernet0/1
         Switch(config-if)# switchport mode access
         Switch(config-if)# switchport access vlan 101
         Switch(config-if)# exit
         Switch(config)# interface GigabitEthernet0/2
         Switch(config-if)# switchport mode access
         Switch(config-if)# switchport access vlan 102
         Switch(config-if)# exit
         Switch(config)# interface GigabitEthernet0/3
         Switch(config-if)# switchport trunk encapsulation dot1q
         Switch(config-if)# switchport mode trunk
         Switch(config-if)# switchport trunk allowed vlan 101,102
         Switch(config-if)# exit
         Switch(config)# exit
         Switch# write memory

      * Step-2: Configure Router IRB and Subinterfaces

      .. code-block:: shell

         Router> enable
         Router# configure terminal
         Router(config)# bridge irb
         Router(config)# interface FastEthernet0/0.101
         Router(config-subif)# encapsulation dot1Q 101
         Router(config-subif)# bridge-group 1
         Router(config-subif)# no ip address
         Router(config-subif)# exit
         Router(config)# interface FastEthernet0/0.102
         Router(config-subif)# encapsulation dot1Q 102
         Router(config-subif)# bridge-group 1
         Router(config-subif)# no ip address
         Router(config-subif)# exit
         Router(config)# interface BVI1
         Router(config-if)# ip address 10.0.0.1 255.255.255.0
         Router(config-if)# no shutdown
         Router(config-if)# exit
         Router(config)# bridge 1 protocol ieee
         Router(config)# bridge 1 route ip

      * Step-3: Configure IP Addresses on End Devices (PC1 & PC2)

      .. code-block:: shell

         PC1> ip 10.0.0.10 255.255.255.0 10.0.0.1
         PC2> ip 10.0.0.20 255.255.255.0 10.0.0.1

      * Step-4: Test IP Connectivity

      .. code-block:: shell

         PC1> ping 10.0.0.20   # To PC2
         PC1> ping 10.0.0.1    # To Router BVI1
         PC2> ping 10.0.0.10   # To PC1

      * Step-5: Wireshark Verification

        - Verify on router or switch trunk port:

          - ICMP Echo Requests and Replies are seen
          - VLAN tags (802.1Q) with IDs 101 and 102 are present
          - Destination MAC reflects correct endpoint

      * Expected Result:

        * Ping between PC1 and PC2 (from different Sub-VLANs) is **successful**
        * Router forwards packets between sub-VLANs under the same Super VLAN
        * 802.1Q tags with VLAN ID 101/102 are visible in packet captures

      * Step-6: Wireshark Capture

        :download:`Download VLAN Hierarchy pcap `

.. _VLAN_step21:

.. tab-set::

   .. tab-item:: VLAN Basic Setup on Ubuntu using IPv6

      * Setup

.. _VLAN_step6:

.. tab-set::

   .. tab-item:: VLAN Protocol Packet Details

      **Echo Request Packet**

      .. csv-table::
         :file: ./VLAN/vlan_packet1_details.csv
         :widths: 10,20,30,10
         :header-rows: 1

      **Echo Reply Packet**

      .. csv-table::
         :file: ./VLAN/vlan_packet2_details.csv
         :widths: 10,20,30,10
         :header-rows: 1

      **DNS Query Packet**

      .. csv-table::
         :file: ./VLAN/vlan_packet3_details.csv
         :widths: 10,20,30,10
         :header-rows: 1

      **DNS Response Packet**

      .. csv-table::
         :file: ./VLAN/vlan_packet4_details.csv
         :widths: 10,20,30,10
         :header-rows: 1

      **DHCP Discover Packet**

      .. csv-table::
         :file: ./VLAN/vlan_packet5_details.csv
         :widths: 10,20,30,10
         :header-rows: 1

      **DHCP Offer Packet**

      .. csv-table::
         :file: ./VLAN/vlan_packet6_details.csv
         :widths: 10,20,30,10
         :header-rows: 1

      **DHCP Request Packet**

      .. csv-table::
         :file: ./VLAN/vlan_packet7_details.csv
         :widths: 10,20,30,10
         :header-rows: 1

      **DHCP ACK Packet**

      .. csv-table::
         :file: ./VLAN/vlan_packet8_details.csv
         :widths: 10,20,30,10
         :header-rows: 1

      **SYN Packet**

      .. csv-table::
         :file: ./VLAN/vlan_packet9_details.csv
         :widths: 10,20,30,10
         :header-rows: 1

      **SYN-ACK Packet**

      .. csv-table::
         :file: ./VLAN/vlan_packet10_details.csv
         :widths: 10,20,30,10
         :header-rows: 1

      **ACK Packet**

      .. csv-table::
         :file: ./VLAN/vlan_packet11_details.csv
         :widths: 10,20,30,10
         :header-rows: 1

      **PSH-ACK Packet**

      .. csv-table::
         :file: ./VLAN/vlan_packet12_details.csv
         :widths: 10,20,30,10
         :header-rows: 1

      **FIN Packet**

      .. csv-table::
         :file: ./VLAN/vlan_packet13_details.csv
         :widths: 10,20,30,10
         :header-rows: 1

      **FIN-ACK Packet**

      .. csv-table::
         :file: ./VLAN/vlan_packet14_details.csv
         :widths: 10,20,30,10
         :header-rows: 1

      **UDP Packet**

      .. csv-table::
         :file: ./VLAN/vlan_packet15_details.csv
         :widths: 10,20,30,10
         :header-rows: 1

      **ARP Request Packet**

      .. csv-table::
         :file: ./VLAN/vlan_packet16_details.csv
         :widths: 10,20,30,10
         :header-rows: 1

      **ARP Reply Packet**

      .. csv-table::
         :file: ./VLAN/vlan_packet17_details.csv
         :widths: 10,20,30,10
         :header-rows: 1

.. _VLAN_step7:

.. tab-set::

   .. tab-item:: VLAN Usecases

      .. csv-table::
         :file: ./VLAN/vlan_usecases.csv
         :widths: 10,20,30
         :header-rows: 1

.. _VLAN_step8:

.. tab-set::

   .. tab-item:: VLAN Basic Features

      .. csv-table::
         :file: ./VLAN/vlan_features.csv
         :widths: 10,10,30
         :header-rows: 1

.. _VLAN_step9:

.. tab-set::

   .. tab-item:: VLAN Feature : Logical Segmentation

      **Logical Segmentation - Testcases**

      .. csv-table::
         :file: ./VLAN/vlan_feature1_test_cases.csv
         :widths: 10,10,30,20
         :header-rows: 1

.. _VLAN_step10:

.. tab-set::

   .. tab-item:: VLAN Feature : Broadcast Control

      **Broadcast Control - Testcases**

      .. csv-table::
         :file: ./VLAN/vlan_feature2_test_cases.csv
         :widths: 10,10,30,20
         :header-rows: 1

.. _VLAN_step11:

.. tab-set::

   .. tab-item:: VLAN Feature : Improved Security

      **Improved Security - Testcases**

      .. csv-table::
         :file: ./VLAN/vlan_feature3_test_cases.csv
         :widths: 10,10,30,20
         :header-rows: 1

.. _VLAN_step12:

.. tab-set::

   .. tab-item:: VLAN Feature : Traffic Management

      **Traffic Management - Testcases**

      .. csv-table::
         :file: ./VLAN/vlan_feature4_test_cases.csv
         :widths: 10,10,30,20
         :header-rows: 1

.. _VLAN_step13:

.. tab-set::

   .. tab-item:: VLAN Feature : Simplified Administration

      **Simplified Administration - Testcases**

      .. csv-table::
         :file: ./VLAN/vlan_feature5_test_cases.csv
         :widths: 10,10,30,20
         :header-rows: 1

.. _VLAN_step14:

.. tab-set::

   .. tab-item:: VLAN Feature : Scalability

      **Scalability - Testcases**

      .. csv-table::
         :file: ./VLAN/vlan_feature6_test_cases.csv
         :widths: 10,10,30,20
         :header-rows: 1

.. _VLAN_step15:

.. tab-set::

   .. tab-item:: VLAN Feature : Quality of Service (QoS)

      **Quality of Service (QoS) - Testcases**

      .. csv-table::
         :file: ./VLAN/vlan_feature7_test_cases.csv
         :widths: 10,10,30,20
         :header-rows: 1

.. _VLAN_step16:

.. tab-set::

   .. tab-item:: VLAN Feature : Support for Multi-Tenancy

      **Support for Multi-Tenancy - Testcases**

      .. csv-table::
         :file: ./VLAN/vlan_feature8_test_cases.csv
         :widths: 10,10,30,20
         :header-rows: 1

.. _VLAN_step17:

.. tab-set::

   .. tab-item:: VLAN Feature : Dynamic Assignment

      **Dynamic Assignment - Testcases**

      .. csv-table::
         :file: ./VLAN/vlan_feature9_test_cases.csv
         :widths: 10,10,30,20
         :header-rows: 1

.. _VLAN_step18:

.. tab-set::

   .. tab-item:: VLAN Feature : Integration with STP

      **Integration with STP - Testcases**

      .. csv-table::
         :file: ./VLAN/vlan_feature10_test_cases.csv
         :widths: 10,10,30,20
         :header-rows: 1

.. _VLAN_step19:

.. tab-set::

   .. tab-item:: Reference links

      * Reference links
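
A check for the Broadcast Isolation Across VLANs test case, added here as an example and not part of the original page: it parses the 802.1Q tag (PCP, DEI, VLAN ID) from raw frames and reports every VLAN ID on which the broadcast Echo Request to `192.168.10.255` was captured, so the expected result can be asserted from a trunk capture. The frames, MAC addresses and function names are constructed for illustration.

```python
import socket
import struct

TPID_8021Q = b"\x81\x00"      # EtherType value that marks an 802.1Q tag
BROADCAST_MAC = b"\xff" * 6

def parse_dot1q(frame):
    """Split a tagged Ethernet frame into its 802.1Q fields; None if untagged or truncated."""
    if len(frame) < 18 or frame[12:14] != TPID_8021Q:
        return None
    tci, ethertype = struct.unpack("!HH", frame[14:18])
    return {"dst": frame[:6], "pcp": tci >> 13, "dei": (tci >> 12) & 1,
            "vid": tci & 0x0FFF, "ethertype": ethertype, "payload": frame[18:]}

def echo_request_dst(tag):
    """Destination IP if the tagged payload is an IPv4 ICMP Echo Request, else None."""
    ip = tag["payload"]
    ihl = (ip[0] & 0x0F) * 4 if ip else 0
    if tag["ethertype"] != 0x0800 or ihl < 20 or len(ip) <= ihl or ip[9] != 1 or ip[ihl] != 8:
        return None
    return socket.inet_ntoa(ip[16:20])

def vlans_carrying_broadcast(frames, bcast_ip):
    """VLAN IDs on which a broadcast Echo Request to bcast_ip was captured."""
    vids = set()
    for frame in frames:
        tag = parse_dot1q(frame)
        if tag and tag["dst"] == BROADCAST_MAC and echo_request_dst(tag) == bcast_ip:
            vids.add(tag["vid"])
    return vids

def build_frame(dst_mac, vid, src_ip, dst_ip, icmp_type, dei=0):
    """Constructed sample frame (checksums left at zero; they are not inspected here)."""
    tci = (dei << 12) | vid
    eth = dst_mac + bytes.fromhex("02aabbcc0001") + TPID_8021Q + struct.pack("!HH", tci, 0x0800)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 1, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + struct.pack("!BBHHH", icmp_type, 0, 0, 1, 1)

# Constructed trunk captures: the broadcast stays in VLAN 10, then also appears tagged VLAN 20.
ISOLATED = [build_frame(BROADCAST_MAC, 10, "192.168.10.10", "192.168.10.255", 8, dei=1),
            build_frame(bytes.fromhex("02aabbcc0002"), 20, "192.168.10.10", "192.168.10.20", 8)]
LEAKING = ISOLATED + [build_frame(BROADCAST_MAC, 20, "192.168.10.10", "192.168.10.255", 8)]

if __name__ == "__main__":
    for name, capture in (("isolated", ISOLATED), ("leaking", LEAKING)):
        print(name, sorted(vlans_carrying_broadcast(capture, "192.168.10.255")))
```

The test case passes only when the returned set is exactly `{10}`; any other VLAN ID in the set means the broadcast was forwarded outside VLAN 10.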