How to configure VLANs on Cisco Catalyst Switch

It would be helpful to make the user aware of what model switches and routers are being used when explaining the steps.

Hi Jeffery,

Those commands are all you need to put two interfaces in VLAN 50. What’s the output of the following commands?

  • show vlan (to verify that the VLAN exists)
  • show ip interface brief (to check the interface statuses)
  • show run int fa0/1 and show run int fa0/2 (to make sure no other commands are applied)

The configuration of VLANs is the same on any of the Catalyst switches…the 2950, 2960, 3550, 3560, 3750 and 4500/6500 series use the same commands. The same thing applies to most of the routers.

Also, make sure your windows firewall is not blocking ICMP between your computers…might be wise to disable it for the moment.

Rene

Sir, I have two queries:

Q1. What is the purpose of the native VLAN and the default VLAN?
Q2. What is the difference between the native and the default VLAN?

Thanking you in anticipation.
With best regards.

Hi Muhammad,

On 802.1Q trunk links, we can send tagged and untagged Ethernet frames. Frames that are untagged are considered to belong to the native VLAN. It is possible to configure your switches to tag the native VLAN btw.

On the native VLAN, you’ll find frames from protocols like CDP, DTP, etc.

When you configure an interface in access mode, it will always belong to a default VLAN. On Cisco switches, this is VLAN 1.

The native VLAN is also VLAN 1 by default.

Hope this helps!

Rene
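
The tagged/untagged distinction Rene describes, as an added example that is not part of the original thread: a small Python routine that walks an Ethernet frame as it would arrive on an 802.1Q trunk, reads each tag's TPID and TCI, and assigns untagged frames to the native VLAN (VLAN 1 by default, as the reply states). The sample frames and the helper names (build_frame, classify_frame) are my own constructions, not anything from the forum or from Cisco.

```python
import struct

TPID_8021Q = 0x8100   # EtherType value that announces an 802.1Q tag
NATIVE_VLAN = 1       # Cisco default native VLAN, as stated in the reply


def build_frame(dst, src, ethertype, payload, vid=None, pcp=0):
    """Constructed test helper: assemble an Ethernet frame, optionally 802.1Q tagged."""
    header = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    if vid is not None:
        tci = (pcp << 13) | (vid & 0x0FFF)          # PCP(3) | DEI(1)=0 | VID(12)
        header += struct.pack("!HH", TPID_8021Q, tci)
    return header + struct.pack("!H", ethertype) + payload


def classify_frame(frame, native_vlan=NATIVE_VLAN):
    """Decide which VLAN a frame received on an 802.1Q trunk belongs to.

    A tagged frame carries TPID 0x8100 right after the two MAC addresses,
    followed by a 16-bit TCI whose low 12 bits are the VLAN ID. A frame
    without a tag is untagged and therefore belongs to the native VLAN.
    """
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    tags = []
    offset = 12
    # Walk every stacked tag; a trunk frame normally carries exactly one,
    # so tag_count > 1 is something a monitoring rule would want to report.
    while len(frame) >= offset + 4 and frame[offset:offset + 2] == b"\x81\x00":
        (tci,) = struct.unpack("!H", frame[offset + 2:offset + 4])
        tags.append({"pcp": tci >> 13, "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF})
        offset += 4
    if len(frame) < offset + 2:
        raise ValueError("frame ends inside the tag stack")
    (ethertype,) = struct.unpack("!H", frame[offset:offset + 2])
    return {
        "dst": dst.hex(":"),
        "src": src.hex(":"),
        "tagged": bool(tags),
        "vlan": tags[0]["vid"] if tags else native_vlan,
        "tag_count": len(tags),
        "tags": tags,
        "ethertype": ethertype,
    }


# Constructed sample frames: an untagged ARP broadcast and an IPv4 frame tagged VLAN 50.
UNTAGGED_ARP = build_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55", 0x0806, b"\x00" * 28)
TAGGED_VLAN50 = build_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:66", 0x0800, b"\x00" * 20, vid=50, pcp=5)

if __name__ == "__main__":
    for name, frame in (("untagged", UNTAGGED_ARP), ("tagged", TAGGED_VLAN50)):
        info = classify_frame(frame)
        print(f"{name}: VLAN {info['vlan']} (tagged={info['tagged']}, tags={info['tag_count']})")
```

Passing a different native_vlan shows why the native VLAN setting must match on both ends of a trunk: the same untagged frame is placed in whichever VLAN the receiving side treats as native.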

Hi Rene,

Just a short question about the “active” state of Vlan50. In the example mentioned above you create Vlan50, and with “sh vlan” we can see that it’s active right away, but I thought a VLAN is only active if it has at least one up/up interface in it OR if an SVI is configured!?

Thanks

Florian

Hello Florian.

The status of a VLAN that shows up in the show vlan command is by default “active”. Note Cisco’s explanation:

By default, a newly created VLAN is operational; that is, the VLAN is in the no shutdown condition. Additionally, you can configure VLANs to be in the active state, which is passing traffic, or the suspended state, in which the VLANs are not passing packets. By default, the VLANs are in the active state and pass traffic.

(See http://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5000/sw/configuration/guide/cli/CLIConfigurationGuide/VLANs.html#25651)

What I believe you are referring to are the conditions under which the VLAN’s SVI would be in an UP/UP state.

In order to have an SVI be in an UP/UP state, there must be at least one physical interface assigned to the VLAN as an access port that is not shut down or a trunk port where this vlan is “allowed” that is not shut down.

I hope this has been helpful!

Laz

Hi Laz,

Thanks a lot for the explanation! I think I really confused a VLAN with an SVI.

Regards

Florian

Hi Florian.

Glad I could be of help!

Laz

Hi Rene,
In a typical enterprise design, can you help me understand what the role of VLANs is between the router and the 3850 switch, if there is any? While making a trunk link, do I need to create any VLANs between “FW…SW–Router”?

Also, is there any role for VLANs after the FW, once NATting is done?

ISP
|
Router
|
| trunk
|
cisco 3850
|
| Access
|
fw (NATting)
|
|
LAN (User VLANs)

Hello Abhishek.

There are advantages and disadvantages to creating a trunk between the Router and the Cisco 3850 switch. It all depends on what you want to achieve.

You would want to do this if:

  1. you want all of the routing of your network to take place at the Router
    a) advantages of this include being able to apply security, access lists and other policies at a single location
    b) disadvantages include a single point of failure for routing
  2. you want to allow VLANs to span multiple areas of your network (if the Router is a layer 3 switch)

You would avoid doing this to:

  1. limit the extent of your VLANs to avoid broadcast traffic going to other access areas of your network
  2. avoid a single point of failure. The 3850 switch is a layer 3 device and can do routing for all of the local VLANs.

Keep in mind that since you have an access port at the Cisco 3850 you will not create any VLANs beyond this device (lower down in your diagram).

To answer your other questions, please clarify:

What is the FW device and what is the purpose of implementing NAT at this location?

I hope this was helpful!

Laz


Hello Rene,
It would be good to mention somewhere the difference between the default-gateway and default-network configuration. I have never had a chance to use the default-network command. Is it usable? If so, in what scenarios? I assume it can point to the L3 gateway network address if L3 routing is enabled on an L3 switch. Please elaborate either privately or add some content if possible.

Hello Vitaly

There are essentially three ways to configure a gateway of last resort on an L3 switch or on a router. These differ in their implementation and their functionality.

The ip default-gateway command should only be used when routing is disabled. It essentially tells the device what its default gateway is much like a PC has the default gateway configured. It is used only for the purposes of connectivity with subnets other than its own.

The ip default-network command can be used only when routing is enabled. When you configure ip default-network the router considers routes to that network for installation as the gateway of last resort on the router. In other words, routes to that network become candidate default routes.

A third way of configuring a gateway of last resort is to install a static default route with the command ip route 0.0.0.0 0.0.0.0. Of course, routing must be enabled for this case as well.

You can find more information about these three commands and their uses at this Cisco documentation.

I hope this has been helpful!

Laz


Rene or Laz, do you know where the voice VLAN is stored on a switch? Is it also in the vlan.dat file, or does it depend on whether it is a normal or extended VLAN, and is it then stored accordingly in either vlan.dat or NVRAM according to the rules? Many thanks.

Hello William

A voice VLAN is the same as any other VLAN. What makes it a voice VLAN is the fact that you define it as such on an interface where a phone is installed. Otherwise, it is no different than any other VLAN. So as far as where it is stored, it is stored in the same place and in the same way as all other VLANs.

I hope this has been helpful!

Laz

Hi all,

What is the difference between creating a VLAN in the following configuration examples:

!
interface vlan10
 description Clients
 ip address 10.10.10.1 255.255.255.0
 exit
!
!
interface vlan20
 description Servers
 ip address 10.10.20.1 255.255.255.0
 exit
!
!
interface vlan30
 description IP-Cameras
 no ip address
 shutdown
 exit
!
!
vlan 40
name Video-Conference
exit
!
!

From my understanding:
VLAN 10 can communicate with VLAN 20 (intra VLAN routing).

But what’s the difference between VLAN 30 and VLAN 40?
Both have no IP address, so both are isolated from other VLANs?

I don’t understand in which case I just create a VLAN (like VLAN 40) and a VLAN with an interface but without an IP address (like VLAN 30).

Thanks!

Salvatore

Hello Salvatore

First of all, we must define the difference between a VLAN and a VLAN Interface.

A VLAN is a virtual LAN found within the switch. Its definition simply states that a subdivision of the switch exists within which a single subnet will function. A VLAN is created using the vlan command such as vlan 40. Such a command just defines the new VLAN with a VLAN ID.

A VLAN Interface, more correctly known as a Switched Virtual Interface (SVI) is a virtual interface that functions in the same way as a layer 3 physical interface. It is an interface that exists on the VLAN number it represents, and can be assigned an IP address, be shutdown or enabled, or have other configurations that can be applied to any interface. An SVI will most often function as the default gateway of the subnet that corresponds to the VLAN ID. In other words, the VLAN10 interface functions as the default gateway for all clients in the 10.10.10.0/24 subnet.

In order for a layer 3 switch to function correctly, you MUST configure both a VLAN and an SVI. By creating the VLAN interface, the VLAN is automatically created, but it doesn’t go the other way around.

So, in the above configuration, you have created an SVI in VLAN 10 (this automatically creates the VLAN as well) and assigned it an IP address. The same happened for VLAN 20, and yes, you are correct that interVLAN routing makes those two VLANs communicate.

Now you created another SVI for VLAN30, so VLAN 30 was also created. But, you haven’t assigned an IP address to this interface. That’s fine, but you won’t be able to have inter-VLAN routing between VLAN 30 and the other VLANs if you don’t, and SVIs are usually created for this purpose.

Finally, you created VLAN 40 but this does not automatically create a corresponding SVI, you must do that manually, so any ports on VLAN 40 will be isolated from any other networks.

None of the above configurations are wrong, it really depends on what you want to do. You may want VLAN 40 to be completely isolated from everything else, and that’s fine. I hope the above explanations have made the various entities you create for VLANs clearer for you. If you have any other questions for clarification, please feel free to ask!

I hope this has been helpful!

Laz


Hi Laz,

thank you very much for your reply!
I understood the difference now.

I have another question regarding VLAN:

Let’s take VLAN 40.
I configure 3 ports in the VLAN 40, on all ports a client is connected.
Client 1 has the IP 192.168.240.10/24
Client 2 has the IP 192.168.240.11/24
Client 3 has the IP 192.168.242.10/24

How do the clients communicate with each other with no gateway in VLAN 40?
I think Client 1 & 2 can communicate because they are in the same subnet?
E.g. Client 1 sends a broadcast and reaches Client 2 because they are in the same broadcast domain.
Client 3 is not able to communicate because it is in a different subnet / broadcast domain.

Are my thoughts right?

Thanks!
Salvatore

Hello Salvatore

Yes, you are correct. Client 1 and Client 2 will be able to communicate because they are on the same subnet and the same VLAN. Client 3, however, will not be able to communicate. Even if you have an SVI configured on VLAN 40, Client 3 will still not be able to communicate. This is because it is in the same VLAN, but in a different subnet. All clients within a single VLAN should be configured on the same subnet. In other words, each VLAN should correspond to a specific subnet. For example:

VLAN 10 --> 192.168.210.0/24
VLAN 20 --> 192.168.220.0/24
VLAN 30 --> 192.168.230.0/24
VLAN 40 --> 192.168.240.0/24
VLAN 50 --> 192.168.241.0/24

etc

Otherwise if you put 192.168.242.10/24 and 192.168.240.10/24 on the same VLAN, it’s like connecting these two devices to an unmanaged 8 port switch. If their subnets are different, they don’t have any hope of communicating. Even if you create an SVI as a gateway, what would the IP address of the SVI be? Would it be in the 192.168.242.0/24 or the 192.168.240.0/24 subnet? If it is in one of the two, the other host will not have connectivity.

I hope this has been helpful!

Laz

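
The two distinctions Laz draws in this exchange, VLAN versus SVI (his earlier reply) and one subnet per VLAN (this reply), as an added Python example that is not part of the thread: it parses a constructed IOS-style running-config, records which VLANs exist, which have an SVI and whether that SVI is up with an address, and then checks a constructed host inventory against the result, flagging a host whose subnet does not match its VLAN's gateway and a VLAN without a gateway whose hosts sit in different subnets. The function and variable names are my own; the config lines and host addresses are constructed to mirror Salvatore's examples.

```python
import ipaddress
import re

# Constructed running-config excerpt (mine, not the thread author's): the four
# VLAN/SVI variants from the question plus three access ports in VLAN 40.
SAMPLE_CONFIG = """
vlan 40
 name Video-Conference
!
interface vlan10
 ip address 10.10.10.1 255.255.255.0
interface vlan20
 ip address 10.10.20.1 255.255.255.0
interface vlan30
 no ip address
 shutdown
interface GigabitEthernet1/0/1
 switchport access vlan 40
interface GigabitEthernet1/0/2
 switchport access vlan 40
interface GigabitEthernet1/0/3
 switchport access vlan 40
"""

# Constructed host inventory (port -> address/prefix), mirroring the follow-up question.
SAMPLE_HOSTS = {
    "GigabitEthernet1/0/1": "192.168.240.10/24",
    "GigabitEthernet1/0/2": "192.168.240.11/24",
    "GigabitEthernet1/0/3": "192.168.242.10/24",
}


def parse_config(text):
    """Return (vlan ids, svis {vid: {"ip", "shutdown"}}, access {port: vid}) from IOS-style text."""
    vlans, svis, access = set(), {}, {}
    block = None  # ("svi", vid) or ("port", name) while inside an interface block
    for line in text.splitlines():
        line = line.rstrip()
        if not line or line.startswith("!"):
            block = None
            continue
        m = re.match(r"^vlan (\d+)$", line)
        if m:
            vlans.add(int(m.group(1)))  # 'vlan N' only defines the VLAN, no SVI
            block = None
            continue
        m = re.match(r"^interface (\S+)$", line)
        if m:
            sm = re.match(r"^vlan(\d+)$", m.group(1), re.IGNORECASE)
            if sm:
                vid = int(sm.group(1))
                vlans.add(vid)  # 'interface vlanN' creates the VLAN as well as the SVI
                svis[vid] = {"ip": None, "shutdown": False}
                block = ("svi", vid)
            else:
                block = ("port", m.group(1))
            continue
        if block is None:
            continue
        kind, key = block
        if kind == "svi":
            m = re.match(r"^\s*ip address (\S+) (\S+)$", line)
            if m:
                svis[key]["ip"] = ipaddress.IPv4Interface(f"{m.group(1)}/{m.group(2)}")
            elif line.strip() == "shutdown":
                svis[key]["shutdown"] = True
        else:
            m = re.match(r"^\s*switchport access vlan (\d+)$", line)
            if m:
                access[key] = int(m.group(1))
    return vlans, svis, access


def audit(vlans, svis, access, hosts):
    """Per VLAN: is there an SVI, can it route, and which hosts are unreachable by design."""
    by_vlan = {}
    for port, vid in access.items():
        if port in hosts:
            by_vlan.setdefault(vid, []).append(ipaddress.IPv4Interface(hosts[port]))
    report = {}
    for vid in sorted(vlans):
        svi = svis.get(vid)
        routed = bool(svi and svi["ip"] is not None and not svi["shutdown"])
        entry = {"svi": svi is not None, "routed": routed, "issues": []}
        members = by_vlan.get(vid, [])
        if routed:  # a host outside the SVI's subnet has no usable gateway despite the SVI
            for h in members:
                if h.network != svi["ip"].network:
                    entry["issues"].append(f"{h} is outside SVI subnet {svi['ip'].network}")
        else:  # no gateway: hosts in different subnets on one VLAN cannot reach each other
            nets = sorted({str(h.network) for h in members})
            if len(nets) > 1:
                entry["issues"].append("hosts span " + ", ".join(nets) + " with no gateway")
        report[vid] = entry
    return report


if __name__ == "__main__":
    for vid, entry in audit(*parse_config(SAMPLE_CONFIG), SAMPLE_HOSTS).items():
        print(f"VLAN {vid}: svi={entry['svi']} routed={entry['routed']} issues={entry['issues']}")
```

Run against the sample, VLANs 10 and 20 come out routed with no issues, VLAN 30 has an SVI that cannot route (no address, shut down), and VLAN 40 exists without any SVI and is flagged because its three hosts span two subnets with no gateway, which is exactly Client 3's situation.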

Excellent explanation