Great and very well explained
Great, well explained
Excellent. Very nicely explained, just like the other videos. Keep up the great work. It’s helpful.
Do u have ccie complete book? Great work
Not at the moment, maybe sometime I will convert a lot of posts here into a book but for now I’ll publish everything that I create online here on networklessons.com.
I learned from http://www.netcontractor.pl/blog/?p=184 that control traffic from Layer 2 protocols like (DTP, VTP, CDP, PAgP, STP, etc.) uses VLAN 1.
And I made sure of that by doing this experiment:
- I made a simple topology of connection two switches and making connectivity as trunk.
- I made one switch VTP server and another as VTP client.
- I also setup RSPAN to monitor the packets.
- Results, I saw VTP, CDP traffic marked with VLAN ID 1.
- Then, I made another vlan and disallowed Vlan 1 in the trunk.
- Results still the same.
- I thought it might be that the traffic was sent untagged as the native VLAN, so then I changed the native VLAN on both switches, expecting that either VTP and CDP would fail OR it would be marked with the VLAN ID of the new native VLAN.
- However, to my surprise it was still showing as VLAN ID 1.
- So I’m baffled and confused by this type of behaviour where VLAN 1 is NOT allowed on the trunk and the native VLAN has also been changed, yet VTP and CDP control traffic is still shown as sourced from VLAN 1.
After this experiment I have only one question.
As I know that it works, my question is not whether it should work or not… But how is it actually working? I mean, how do these protocols use VLAN 1 when it’s not allowed on the trunk port or even when it’s shut down? Can you shed some light please and explain how the packet is sent on VLAN 1 despite it being pruned on the trunk, because I’m very confused?
First of all, it is indeed confusing. By default VLAN1 is the native VLAN and it’s untagged.
I do believe however that “control” frames like VTP, CDP, DTP, etc. don’t really belong to a VLAN. They are untagged and like you have seen, even when you block VLAN1 then this traffic is still sent and received.
I must agree with every one else that you are a talented teacher.
Hi Rene, what do you think what is a sensible number of hosts to have in a broadcast domain before splitting up the network into VLANs? Do you have any experience from the field about that? Thanks, Daniel
There’s a “technical” and “practical” aspect to this question
Let’s start with the technical part…a lot of networking people will tell you that you shouldn’t have > 200 hosts in a subnet since there will be too much broadcast traffic and it will slow down your network. This might be true 10 years ago but nowadays, your computers won’t be bothered much with broadcast traffic and it shouldn’t be an issue for your switches. You could probably put ~1000 hosts in a single subnet and not notice any performance issues.
The more important issue (the practical aspect) is that a single subnet/VLAN is one failure domain. Let’s say we put 1000 hosts in a single subnet and one computer has a broken NIC, sending non-stop garbage broadcast frames. This will affect the entire VLAN and your 999 remaining hosts.
By breaking down this big VLAN into four smaller VLANs, a broken NIC would only affect one VLAN…not the other three.
So for practical reasons I think it’s best to stick with /24 subnets. They are easy to work with and you’ll have multiple failure domains.
So if I have a 48 port switch on the 126.96.36.199/24 network…… and all 48 ports are connected to hosts. All the hosts have IP addresses on the 188.8.131.52/24 network. And let’s say I create 4 VLANs. Help Desk is on VLAN 10 (interfaces 1-12), MGMT is on VLAN 20 (int 13-24), Accounting is on VLAN 30 (int 25-36), and Supply is on VLAN 40 (int 37-48). OK…. So these 4 VLANs would basically share the same network (184.108.40.206/24) right? VLANs don’t have to be on different networks/subnets?
What if there were some other MGMT host on another router on a 10.10.10.0/24 network…. Could those join the above VLAN 20 as well?
Except in the unusual case of Private VLANs, VLANs are 1:1 with subnets. When you assign ports to VLANs on your switch, you will have to think about what will be the layer 3 device that connects them together. If your switch is a layer 3 switch, the switch itself can route traffic between your VLANs. Otherwise, you will need a separate router to do it.
Your MGMT host could be part of VLAN 20, but you would need to make sure that all the hosts in VLAN 20 share the same 10.10.10.0/24 network as MGMT.
Forgive me for asking so many questions…. But I am new to networking… this question pertains to IP address on routers and switches (which will make me understand VLANs better).
I was under the assumption that a routers interface has only one IP address configured on it. So R1’s int fa0/1 will have 220.127.116.11. On that R1 int fa0/1, 18.104.22.168 is a switch (24 port). So I thought every port on that switch had to have an IP address in the 22.214.171.124 network. So Switch port 1 host would be 126.96.36.199, port 2 would be 188.8.131.52, port 3 would be 184.108.40.206, etc, etc.
All these ports could be in the same VLAN, or it could be chopped up into multiple VLANs…… How does a switch – connected to a router interface with a 220.127.116.11 address… how does this switch have other IP addresses (10.10.10.2, 172.16.100.0, etc, etc) on it?
I was under the impression… IP address were like a water hose. The primary source of water (18.104.22.168) is flowing into the switch from R1’s interface 0/1. R1’s 0/1 can have only one IP address configured on it. How can Switch 1 ports have any other IP address other than the 22.214.171.124 network configured on it? If 10.10.10.2 is on Switch port 4.
How would that IP address traffic travel up to R1’s fa0/1 if only 126.96.36.199 is configured on the router?
If you are talking about a switch that has IP addresses on it, this implies you are speaking about what’s known as a Layer-3 switch. Layer 3 switches have something called “Switch Virtual Interfaces” (SVIs) which are just logical interfaces–they don’t necessarily correspond to physical ones. An SVI is paired with a particular VLAN. So, for example, you could have a VLAN 168, and you would assign IP address 192.168.1.1 to that VLAN. The syntax to do this is:
(config)#interface vlan 168
(config-if)#ip address 192.168.1.1 255.255.255.0
You can repeat this for any number of vlans you want. So, for, say, VLAN 10:
(config)#interface vlan 10
(config-if)#ip address 10.10.10.1 255.255.255.0
Next, you can assign a particular physical switch port to a VLAN, in this case Fa0/1 to VLAN 168:
(config)#interface fa0/1
(config-if)#switchport mode access
(config-if)#switchport access vlan 168
Now, if you plug a device into port Fa0/1 and configure it to use an IP in the range 192.168.1.2 - 192.168.1.254, it will be able to use the SVI for VLAN 168 (192.168.1.1) as its gateway to get elsewhere.
If you repeat this process by assigning another physical port to VLAN 10, configure a host plugged into that port in the 10.10.10.0/24 range, then the hosts on ports 1 and 2 will be able to talk even though they are in different subnets.
Users are only able to communicate within the same VLAN unless you use a router or MLS.
Not sure I’d put this down as an advantage.
Depends on the situation. If you have a large number of computers, it is certainly an advantage to have a reduced size broadcast domain. Additionally, grouping similar users into the same VLANs, but separating different kinds of users/departments across VLANs gives you much more flexibility from a security standpoint.
A quick question about VLAN and ip assignment. Let’s say we have 3 offices. Can we do the same VLAN at different locations?
VLAN 10 guest - 10.10.10.0/24
VLAN 10 guest - 10.10.11.0/24
VLAN 10 guest - 10.10.12.0/24
Can we deploy the upper design or should we do this–
VLAN 10 guest - 10.10.10.0/24
VLAN 20 guest - 10.10.11.0/24
VLAN 30 guest - 10.10.12.0/24
VLAN information is carried within an 802.1Q tag (discounting Cisco’s legacy ISL), and 802.1Q tags are created on trunk ports. In most circumstances you will not have sites connected in such a way that 802.1Q tags can traverse the links between them, but it is possible. For example, there is a technology called MPLS AToM that allows direct layer 2 connectivity between sites.
So, in most circumstances this won’t matter, but since VLANs are just an arbitrary number, I would still ensure that each site has unique vlans to “future-proof” your design.
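Not part of the thread: an added Python check of the design rules from the two answers above (one subnet per VLAN, every host inside its VLAN’s subnet, and unique VLAN IDs across sites). The plan and host lists are constructed sample data and the check is my own, not a networklessons.com tool.

```python
import ipaddress
from collections import defaultdict

# Constructed sample plan (not from the thread). Site B reuses VLAN 10 with
# another subnet and one VLAN 20 host is outside its subnet, so both show up.
PLAN = [
    {"site": "A", "vlan": 10, "name": "guest", "subnet": "10.10.10.0/24"},
    {"site": "A", "vlan": 20, "name": "mgmt", "subnet": "10.10.20.0/24"},
    {"site": "B", "vlan": 10, "name": "guest", "subnet": "10.10.11.0/24"},
    {"site": "C", "vlan": 30, "name": "guest", "subnet": "10.10.12.0/24"},
]
HOSTS = [
    {"site": "A", "vlan": 10, "ip": "10.10.10.25"},
    {"site": "A", "vlan": 20, "ip": "192.168.1.50"},  # wrong subnet for VLAN 20
    {"site": "B", "vlan": 10, "ip": "10.10.11.7"},
]

def check_plan(plan, hosts):
    """Return a list of findings; an empty list means the plan is consistent."""
    findings = []
    subnets = {}                   # (site, vlan) -> ip_network
    vlan_sites = defaultdict(set)  # vlan -> set of sites using that ID
    for e in plan:
        key = (e["site"], e["vlan"])
        net = ipaddress.ip_network(e["subnet"], strict=True)
        # Private VLANs aside, one VLAN maps to exactly one subnet.
        if key in subnets:
            findings.append(f"site {e['site']} VLAN {e['vlan']} has more than one subnet")
        subnets[key] = net
        vlan_sites[e["vlan"]].add(e["site"])
    # Overlapping subnets anywhere break the 1:1 VLAN-to-subnet mapping.
    keys = list(subnets)
    for i, k1 in enumerate(keys):
        for k2 in keys[i + 1:]:
            if subnets[k1].overlaps(subnets[k2]):
                findings.append(f"subnets of {k1} and {k2} overlap")
    # A VLAN ID reused across sites only works while no layer 2 path (e.g. an
    # 802.1Q trunk over AToM) joins them; flag it so the design stays future-proof.
    for vlan, sites in vlan_sites.items():
        if len(sites) > 1:
            findings.append(f"VLAN {vlan} reused at sites {sorted(sites)}")
    # Every host must sit inside the subnet of the VLAN its port is assigned to.
    for h in hosts:
        net = subnets.get((h["site"], h["vlan"]))
        if net is None:
            findings.append(f"host {h['ip']} is in undefined VLAN {h['vlan']} at site {h['site']}")
        elif ipaddress.ip_address(h["ip"]) not in net:
            findings.append(f"host {h['ip']} is outside {net} (VLAN {h['vlan']}, site {h['site']})")
    return findings
```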
Thank you for the information. Just wanted to make sure. So, this is the design I should go with?
VLAN 10 guest – 10.10.10.0/24
VLAN 20 guest – 10.10.11.0/24
VLAN 30 guest – 10.10.12.0/24