How to configure VLANs on Cisco Catalyst Switch

Hi Team,

I have tried the below scenario and came across the below query.

Two PCs connected to two ports of the SWITCH:

PC1 IP : 192.168.1.10/24
PC2 IP : 192.168.1.20/24

Ping successful

PC1 IP : 192.168.1.10/24
PC2 IP : 192.168.1.20/8

Ping successful

PC1 IP : 192.168.1.10/24
PC2 IP : 192.168.2.20/8

Ping is not successful from PC2 with ICMP timeout messages and from PC1 gateway not found.

Can you please explain how the switch makes its decision based on different subnet masks for ping requests?

Hello Kirshan

This is an excellent question and helps to understand the meaning of the subnet mask and how it works.

Whenever a host sends out a packet, it must check to see what the next hop will be . If the destination IP is in the same subnet, the next hop will be the destination host itself. If the destination IP is not in the same subnet, the next hop will be the default gateway. How does a host determine if the destination IP is in the same subnet? By using its own configured subnet mask.

Take your third scenario. PC1 sends a ping to 192.168.2.20. PC1 knows that its own subnet is the range of IP addresses from 192.168.1.0 to 192.168.1.255, and it can determine this from its own IP address and its own subnet mask. So the destination IP is outside its own subnet, so the packet is sent to the default gateway. However, it seems that there is no gateway configured or the gateway is non-existent, so the ping fails.

What if PC2 pinged PC1? Well, PC2 knows its own subnet has a range of 192.0.0.0 to 192.255.255.255 based on its IP address and subnet mask. Now the destination IP of 192.168.1.10 is indeed within that range, so the ping would be sent directly to PC1. PC1 would receive the ping, and attempt to respond. But once again, it looks at the destination IP of PC2 and says “this is not in my subnet” and therefore sends the packet to the gateway, and the same failure as before occurs.

So you can see that communication in one direction in this scenario is possible, but not in the other. Even so, since bidirectional communication is not possible, the communication fails.

You can do the same exercise for your second scenario, and you will see that both hosts consider the IP address of the other host in their own subnet, even though the subnet masks do not match, so they send the pings directly to each other.

I hope this has been helpful!

Laz
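Laz's decision rule as an added Python example (not part of the original thread): each host tests the destination against its own mask, so the same pair of addresses can be reachable in one direction and not the other. It runs the thread's three scenarios with no default gateway configured, as the thread assumes.

```python
import ipaddress
from typing import Optional, Tuple

Host = Tuple[str, int]  # (IP address, prefix length), e.g. ("192.168.1.10", 24)

def subnet_range(ip: str, prefix_len: int) -> Tuple[str, str]:
    """First and last address of the subnet a host derives from its OWN mask."""
    net = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
    return str(net.network_address), str(net.broadcast_address)

def next_hop(sender: Host, dst_ip: str,
             gateway: Optional[str] = None) -> Tuple[str, Optional[str]]:
    """The sender's forwarding decision: 'direct' when dst_ip falls inside the
    sender's own subnet, otherwise 'gateway' if one is configured, else 'unreachable'."""
    net = ipaddress.ip_network(f"{sender[0]}/{sender[1]}", strict=False)
    if ipaddress.ip_address(dst_ip) in net:
        return "direct", dst_ip
    return ("gateway", gateway) if gateway else ("unreachable", None)

def ping_symptom(sender: Host, receiver: Host) -> str:
    """What the sender observes with no default gateway on either host (the
    thread's setup). A ping only succeeds if the request AND the reply are
    each delivered directly, and each side judges that with its own mask."""
    request, _ = next_hop(sender, receiver[0])
    reply, _ = next_hop(receiver, sender[0])
    if request != "direct":
        return "no gateway: the request never leaves the sender"
    if reply != "direct":
        return "request timed out: the request arrives but the reply has no path back"
    return "reply received"

if __name__ == "__main__":
    pc1 = ("192.168.1.10", 24)
    for pc2 in [("192.168.1.20", 24), ("192.168.1.20", 8), ("192.168.2.20", 8)]:
        print(pc2, "PC1->PC2:", ping_symptom(pc1, pc2),
              "| PC2->PC1:", ping_symptom(pc2, pc1))
```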

Hi Team,

I’m a bit confused with the VLAN with IP.

interface vlan10
description Clients
ip address 10.10.10.1 255.255.255.0

I saw your previous explanation about the differences between VLAN and VLAN interface.
SVI has the feature of L3 physical interface.

I’m wondering what the Ethernet frames look like under an SVI.
Will every frame passing through vlan10 have a source IP on it?

Thank you in advance.

Hello Po

Yes, that is correct. The VLAN itself can be considered a virtual layer 2 switch. The SVI interface, which is the same thing as the VLAN interface, is a virtual interface that exists within the VLAN and is assigned an IP address. It functions as the default gateway of the specific VLAN/subnet.

When a host on the VLAN wants to send data to some device on another network, say to a web server on the Internet, it will send an IP packet with a destination IP of the webserver in the IP header. However, it knows that the destination IP is outside of its own subnet, so it puts the MAC address of the SVI (which is the default gateway) in the destination address field of the frame. More detail on this process is found in this post:

Keep in mind that this process is the same whether you use an SVI as the default gateway or an actual physical router.

I hope this has been helpful!

Laz

Hi Laz,
I followed your discussion with Alexis regarding default and native VLANs and tried to lab it, but the results still do not make sense to me.
I have two switches as seen below.

  • vlan 10 is in subnet: 192.168.10.0/24
  • vlan 20 is in subnet: 192.168.20.0/24
  • vlan 99 is the native vlan

When I configure two PCs on both switches connected to any interface in VLAN 1 at 192.168.2.0/24, pings are still successful. How is that possible?
I thought changing the native VLAN from VLAN 1 to VLAN 99 would avoid that, but it did not, so how is it a security reason to change the default native VLAN?

I was expecting that pings would fail when I changed the native VLAN from VLAN 1 to VLAN 99, since the switchports on both switches are still in VLAN 1. I will be super glad if you clarify this for me.

Host_SW#show vlan brief

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa3/0/4, Fa3/0/5, Fa3/0/6
                                                Fa3/0/7, Fa3/0/8, Fa3/0/9
                                                Fa3/0/10, Fa3/0/11, Fa3/0/12
                                                Fa3/0/13, Fa3/0/14, Fa3/0/15
                                                Fa3/0/16, Fa3/0/17, Fa3/0/18
                                                Fa3/0/19, Fa3/0/20, Fa3/0/21
                                                Fa3/0/22, Fa3/0/23, Fa3/0/24
                                                Fa3/0/25, Fa3/0/26, Fa3/0/27
                                                Fa3/0/28, Fa3/0/29, Fa3/0/30
                                                Fa3/0/31, Fa3/0/32, Fa3/0/33
                                                Fa3/0/34, Fa3/0/35, Fa3/0/36
                                                Fa3/0/37, Fa3/0/38, Fa3/0/39
                                                Fa3/0/40, Fa3/0/41, Fa3/0/42
                                                Fa3/0/43, Fa3/0/44, Fa3/0/45
                                                Fa3/0/46, Fa3/0/47, Fa3/0/48
                                                Gi3/0/1, Gi3/0/2, Gi3/0/3
                                                Gi3/0/4
10   VLAN0010                         active    Fa3/0/2
20   VLAN0020                         active    Fa3/0/3
99   native                           active
1002 fddi-default                     act/unsup

Host_SW#
Host_SW#
Host_SW#show int trunk

Port        Mode             Encapsulation  Status        Native vlan
Fa3/0/1     on               802.1q         trunking      99

Port        Vlans allowed on trunk
Fa3/0/1     1-4094

Port        Vlans allowed and active in management domain
Fa3/0/1     1,10,20,99

Port        Vlans in spanning tree forwarding state and not pruned
Fa3/0/1     1,10,20,99
Host_SW#
WAN_Sw#
WAN_Sw#show vlan brie

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/4, Fa0/5, Fa0/6, Fa0/7
                                                Fa0/8, Fa0/9, Fa0/10, Fa0/11
                                                Fa0/12, Fa0/13, Fa0/14, Fa0/15
                                                Fa0/16, Fa0/17, Fa0/18, Fa0/19
                                                Fa0/20, Fa0/21, Fa0/22, Fa0/23
                                                Fa0/24, Gi0/1, Gi0/2
10   VLAN0010                         active    Fa0/2
20   VLAN0020                         active    Fa0/3
99   VLAN0099                         active
500  VLAN0500                         active
501  VLAN0501                         active
502  VLAN0502                         active
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup
WAN_Sw#
WAN_Sw#
WAN_Sw#show int trunk

Port        Mode             Encapsulation  Status        Native vlan
Fa0/1       on               802.1q         trunking      99

Port        Vlans allowed on trunk
Fa0/1       1-4094

Port        Vlans allowed and active in management domain
Fa0/1       1,10,20,99,500-502

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/1       1,10,20,99,500-502

Hello Ayong

The reason you are still able to ping from one PC to another is that VLAN 1 is allowed on the trunk. The choice of the native VLAN will not affect the connectivity between hosts on VLAN 1. In general, native VLAN configuration will not affect connectivity.

Trunk ports always expect to receive frames that are tagged. That’s how they know to which VLAN a particular frame belongs. What happens if a trunk port receives an untagged frame? It won’t know to which VLAN it belongs because the tag is missing. The native VLAN configuration tells the trunk port to which VLAN any untagged frames received should belong.

Native VLAN configurations will affect how some control protocols operate and also play a role in the implementation of Voice VLAN.

As far as security goes, it’s a good idea to change the native VLAN to mitigate against VLAN hopping attacks as described in the following lesson.

I hope this has been helpful!

Laz

Thank you Laz. That clarifies my doubts.
Best Regards.

I’m currently working with Packet Tracer labs. How can I share my Packet Tracer lab topologies so others will benefit from them?

I’m making the same labs as the networklessons.com lessons.

What do you think about EveNG?

For switching labs, what are good emulator choices?

Hi,

Both of them are static access. What are these, and what is administrative and what is operational?
(1) Administrative Mode: static access
(2) Operational Mode: static access

What is this?
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: native

Hello Abdul

If you create some packet tracer lab topologies for specific lessons, you can feel free to upload them as an attachment to a post. You can do this by saving your topology in a .pkt file and dragging and dropping the file into your post.

Concerning which emulator to use, I have personally used GNS3 as well as Cisco CML. Both are good for most topologies, for both routing and switching. I haven’t personally used EveNG, however, from what I know it too is more than sufficient for most certification needs.

Concerning administrative and operational modes, take a look at this post:

I hope this has been helpful!

Laz

  1. Thank you, Rene!

  2. Suggested addition: Following the lesson, I tried to add one interface to multiple VLANs. (I would want to do this for my DHCP server, for e.g.) Perhaps this lesson could include a pointer to the lesson that would discuss this.

Hello David

Glad to see that you found the lesson useful!

In order to configure a single interface to operate on multiple VLANs, you would have to make that interface a trunk port. For more information about configuring trunks, take a look at the very next lessons in the course:

However, I will let Rene know of your suggestion as well!

I hope this has been helpful!

Laz

Hi Rene,

Can we configure multiple VLANs on an access port? Suppose we have a scenario where a single link which carries traffic from multiple VLANs is connected to a port. Then during this time, the access port needs to carry multiple VLANs. Is that correct?

Hello Ananth

Strictly speaking, an access port by definition is assigned to a single VLAN. Any frame coming into that port will be placed on that single assigned VLAN. A trunk port, by definition, can be assigned multiple VLANs, and frames entering such a port will be identified with a VLAN tag indicating the VLAN they belong to.

The only case where you would have what you describe, an access port receiving frames belonging to multiple VLANs, is in a feature called 802.1Q tunneling, or Q-in-Q tunneling. This is described in detail in the following lesson:

You can also find further clarifications in this NetworkLessons Note on 802.1Q tunneling.

If you have further questions after going over this material, feel free to let us know!

I hope this has been helpful!

Laz

Hi Laz,

Thanks. So for example, the access port might receive different VLANs, say 10, 20, 30, from an Ixia port. Then what VLAN do I need to configure at the access port? Do I need to configure an SVLAN, say SVLAN 50, and then send it as double tagged?

Like 50 and 10, 50 and 20, 50 and 30?

Hello Ananth

First of all, let’s make it clear that in a typical configuration, an access port on a switch should be connected to either an end device (PC, camera, printer, etc…) or to another access port on another switch. Similarly, a trunk port should only be connected to another trunk port on another switch, with the appropriate allowed VLANs.

Now having said that, let’s say you have a customer with VLANs 10, 20, and 30, and an ISP that wants to encapsulate all of the customer traffic into their own VLAN 50. If you want to implement the QinQ feature, then:

  1. The port on the customer side will be configured as a trunk, with VLANs 10, 20, and 30 allowed.
  2. The port on the other end of the link (ISP equipment) must be configured as an access port that is on VLAN 50. This port must include the switchport mode dot1q-tunnel command. This is what makes the QinQ tunnel possible.

Now note that the access port configured with this command doesn’t care about what VLAN tags are being sent by the trunk port on the other end of the link. It will receive the frames, ignore the tags, and add a second (double) tag with VLAN 50. So all of the inner VLANs of the customer are encapsulated into a single ISP VLAN that carries all of the traffic of that particular customer.

I hope this has been helpful!

Laz

Hi, I get it now. I researched a lot on Google as well, and now it’s getting clearer.

show interfaces switchport
The show interfaces switchport command gives output for each and every port on the switch. For every switch port there are two modes: Administrative Mode and Operational Mode.

Administrative Mode: This mode denotes what we configure on that particular port, like trunk or access, LACP or PAgP or on, administrative encapsulation, etc.

Operational Mode: This mode is how a switch port actually behaves in response to the configuration done on that port.

For example, if we configure trunk on one switch port and access on the other end on another switch, how does it behave? Though it’s configured as trunk, it doesn’t work as a trunk. Here the “Administrative” mode is “Trunk”, but the “Operational” mode is “Access”.

Hope this is somewhat informative. Thanks a lot.

In fact, it means that the management mode is the mode we configured, but the actual working mode is different. Enter show interfaces switchport in Packet Tracer.

@lagapides, as per this scenario with Sw1 and Sw2: Sw2 is configured as trunk and sw2 is configured as access.

Is the administrative mode Trunk and the operational mode Access because sw2 is in access mode?

On sw2 it will be:

Administrative mode: Access
Operational mode: Trunk?

Last question: what is

Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: native

Sorry for the very long question. I’m revising my CCNA, so soon I will pass my exam.

What about if there are more than 4 switches? What will it choose?

Hello Abdul

Yes, that’s a good explanation. You can also take a look at this NetworkLessons Note on the topic for more information.

If you configure SW1 as access, and SW2 as trunk, then the link will not function. There is no scenario where this would work. (Take a look at the table in the lesson). However, Administrative mode may be dynamic desirable, while the Operational mode may be trunk. As you mentioned, the Administrative mode is whatever command you inputted while the actual state of operation (as a result of negotiation if present), is the Operational mode.

Similar to the logic behind the Administrative and Operational modes, these terms indicate the administrative and operational encapsulations. Because negotiation can take place on these as well, the Administrative and Operational encapsulation may be different.

If you use the switchport trunk negotiate command, and the other end of the trunk is using ISL, then the administrative trunking encapsulation will be negotiate while the operational will be ISL. The term native simply means that the default dot1q is being used (in older platforms, ISL was the default, so check what native refers to in each case).

I hope this has been helpful!

Laz

Hello, everyone!

I am just wondering out of curiosity, from the complete VLAN range of 1 to 4094, why are 0 and 4095 unusable? Is there any design reason why they made it this way?

Thank you.

David.

Hello David

VLAN ID values of 0 and 4095 are unusable as actual VLAN IDs. If these values are found in the VLAN ID field of a VLAN tag, then they are interpreted like so:

VLAN ID of 0

This value is used for what is called “priority tagging”. Remember, a VLAN tag, other than the VLAN ID itself, also includes priority fields that contain Class of Service (CoS) values used by Layer 2 QoS mechanisms. If a frame is sent that needs to be handled with particular Layer 2 QoS priorities, but doesn’t need to be associated with a specific VLAN, then a VLAN ID of 0 would be used.

On the other hand, VLAN ID 4095 is reserved for implementation-specific use and is often used in conjunction with VTP Pruning. It can also be used internally by network devices to designate “untagged” or “forbidden” VLANs in certain network scenarios.

I hope this has been helpful!

Laz
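An added example (not from the thread or from Cisco) that models the tag handling described in Laz's replies on the native VLAN, on Q-in-Q (dot1q-tunnel) and on the reserved VIDs 0 and 4095: it builds constructed 802.1Q frames, walks the tag stack, and reports which VLAN a trunk, access or dot1q-tunnel port would place each frame on. The access-port handling of tagged frames is a simplification modelled here, not quoted from the page.

```python
import struct
from typing import Dict, List, Tuple

TPID_CTAG = 0x8100  # 802.1Q customer tag
TPID_STAG = 0x88A8  # 802.1ad service tag (outer Q-in-Q tag on newer gear)
DST = bytes.fromhex("ffffffffffff")  # constructed sample MAC addresses
SRC = bytes.fromhex("0200000000aa")

def build_frame(tags: List[Tuple[int, int, int]], ethertype: int = 0x0800) -> bytes:
    """Constructed Ethernet frame; tags is [(tpid, pcp, vid), ...], outermost first.
    TCI layout: 3-bit PCP (CoS), 1-bit DEI, 12-bit VID. Empty list -> untagged."""
    hdr = b"".join(struct.pack("!HH", tpid, (pcp << 13) | (vid & 0x0FFF))
                   for tpid, pcp, vid in tags)
    return DST + SRC + hdr + struct.pack("!H", ethertype) + b"\x00" * 46

def parse_tags(frame: bytes) -> List[Dict[str, int]]:
    """Walk every stacked tag after the two MAC addresses, outermost first."""
    tags, off = [], 12
    while struct.unpack_from("!H", frame, off)[0] in (TPID_CTAG, TPID_STAG):
        tpid, tci = struct.unpack_from("!HH", frame, off)
        tags.append({"tpid": tpid, "pcp": tci >> 13, "vid": tci & 0x0FFF})
        off += 4
    return tags

def classify_ingress(frame: bytes, mode: str, native_vlan: int = 1,
                     access_vlan: int = 1) -> Dict[str, object]:
    """Which VLAN an incoming frame lands on, per port mode (modelled, not Cisco code):
    access        -> the access VLAN; a tag for a different VLAN is dropped
    dot1q-tunnel  -> the access VLAN becomes the outer tag, customer tags are kept
    trunk         -> untagged and VID 0 (priority tag) map to the native VLAN,
                     VID 4095 is reserved and dropped, any other VID is used as-is"""
    tags = parse_tags(frame)
    inner = [t["vid"] for t in tags]
    if mode == "dot1q-tunnel":
        return {"vlan": access_vlan, "inner": inner, "action": "forward"}
    if mode == "access":
        ok = not tags or tags[0]["vid"] in (0, access_vlan)
        return {"vlan": access_vlan if ok else None, "inner": [],
                "action": "forward" if ok else "drop"}
    if not tags:
        return {"vlan": native_vlan, "inner": [], "action": "forward",
                "note": "untagged -> native VLAN"}
    outer = tags[0]
    if outer["vid"] == 4095:
        return {"vlan": None, "inner": [], "action": "drop", "note": "VID 4095 is reserved"}
    if outer["vid"] == 0:
        return {"vlan": native_vlan, "inner": [], "action": "forward",
                "note": "priority tagged -> native VLAN", "cos": outer["pcp"]}
    return {"vlan": outer["vid"], "inner": inner[1:], "action": "forward"}
```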