Introduction to VLANs

Forgive me for asking so many questions… but I am new to networking. This question pertains to IP addresses on routers and switches (which will help me understand VLANs better).

I was under the assumption that a router's interface has only one IP address configured on it. So R1's int fa0/1 will have 198.168.1.0. On that R1 int fa0/1, 198.168.1.0, is a switch (24 port). So I thought every port on that switch had to have an IP address in the 198.168.1.0 network. So switch port 1's host would be 198.168.1.10, port 2 would be 198.168.1.11, port 3 would be 198.168.1.12, etc.

All these ports could be in the same VLAN, or it could be chopped up into multiple VLANs… How does a switch connected to a router interface with a 198.168.1.0 address have other IP addresses (10.10.10.2, 172.16.100.0, etc.) on it?

I was under the impression IP addresses were like a water hose. The primary source of water (198.168.1.0) is flowing into the switch from R1's interface 0/1. R1's 0/1 can have only one IP address configured on it. How can Switch 1's ports have any IP address other than the 198.168.1.0 network configured on them, if 10.10.10.2 is on switch port 4?

How would that IP address's traffic travel up to R1's fa0/1 if only 198.168.1.0 is configured on the router?

If you are talking about a switch that has IP addresses on it, this implies you are speaking about what's known as a Layer-3 switch. Layer 3 switches have something called "Switch Virtual Interfaces" (SVIs), which are just logical interfaces; they don't necessarily correspond to physical ones. An SVI is paired with a particular VLAN. So, for example, you could have a VLAN 168, and you would assign IP address 192.168.1.1 to that VLAN. The syntax to do this is:

(config)#interface vlan 168
(config-if)#ip address 192.168.1.1 255.255.255.0

You can repeat this for any number of vlans you want. So, for, say, VLAN 10:

(config)#interface vlan 10
(config-if)#ip address 10.10.10.1 255.255.255.0

Next, you can assign a particular physical switch port to a VLAN, in this case Fa0/1 to VLAN 168:

(config)#interface fa0/1
(config-if)#switchport mode access
(config-if)#switchport access vlan 168

Now, if you plug a device into port Fa0/1 and configure it to use an IP in the range 192.168.1.2 - 192.168.1.254, it will be able to use the SVI for VLAN 168 (192.168.1.1) as its gateway to get elsewhere.

If you repeat this process by assigning another physical port to VLAN 10, configure a host plugged into that port in the 10.10.10.0/24 range, then the hosts on ports 1 and 2 will be able to talk even though they are in different subnets.

1 Like
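As an added illustration of the SVI and access-port configuration in the answer above (this is not code from the original post), here is a small Python model of a layer-3 switch. It keeps the VLAN 168 = 192.168.1.0/24 and VLAN 10 = 10.10.10.0/24 addressing from the post and adds hypothetical hosts A to E and ports fa0/3 to fa0/5 so the different outcomes can be seen: routed between two SVIs, direct within one VLAN, no connected route, and the case where two hosts share a subnet but sit in different VLANs (so the ARP request never reaches the other host).

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Host:
    name: str
    port: str                        # switch port the host is plugged into
    iface: ipaddress.IPv4Interface   # host address with mask, e.g. 192.168.1.10/24


class L3Switch:
    """Minimal model of a layer-3 switch: access ports, SVIs and inter-VLAN routing."""

    def __init__(self, ip_routing=True):
        self.ip_routing = ip_routing   # 'ip routing' must be on for SVIs to route
        self.svis = {}                 # vlan -> IPv4Interface of that VLAN's SVI
        self.access = {}               # port -> access VLAN

    def svi(self, vlan, address):
        """'interface vlan N' followed by 'ip address A M'."""
        self.svis[vlan] = ipaddress.IPv4Interface(address)

    def access_port(self, port, vlan):
        """'switchport mode access' followed by 'switchport access vlan N'."""
        self.access[port] = vlan

    def path(self, src, dst):
        """Describe how a packet from src reaches dst, or why it cannot."""
        src_vlan, dst_vlan = self.access[src.port], self.access[dst.port]
        if dst.iface.ip in src.iface.network:
            # Same subnet: src ARPs for dst directly and no gateway is involved.
            # The ARP broadcast is only flooded to ports in src's VLAN.
            if src_vlan == dst_vlan:
                return ("direct", src_vlan)
            return ("unreachable", "same subnet but different VLANs: ARP never reaches dst")
        # Different subnet: src hands the packet to its gateway, the SVI on its own VLAN.
        gw = self.svis.get(src_vlan)
        if gw is None or src.iface.ip not in gw.network:
            return ("unreachable", f"no SVI in {src.iface.network} on VLAN {src_vlan}")
        if not self.ip_routing:
            return ("unreachable", "ip routing is disabled, the SVI cannot forward")
        # Connected route: the SVI whose subnet contains dst decides the egress VLAN.
        egress = next((v for v, s in self.svis.items() if dst.iface.ip in s.network), None)
        if egress is None:
            return ("unreachable", f"no connected route for {dst.iface.ip}")
        if egress != dst_vlan:
            return ("unreachable", f"switch ARPs on VLAN {egress} but dst sits on VLAN {dst_vlan}")
        return ("routed", str(gw.ip), egress)


def demo():
    """The configuration from the post plus assumed extra hosts/ports to show each case."""
    sw = L3Switch()
    sw.svi(168, "192.168.1.1/24")
    sw.svi(10, "10.10.10.1/24")
    sw.access_port("fa0/1", 168)
    sw.access_port("fa0/2", 10)
    sw.access_port("fa0/3", 168)
    sw.access_port("fa0/4", 20)    # assumed VLAN 20 with no SVI configured
    sw.access_port("fa0/5", 20)
    a = Host("A", "fa0/1", ipaddress.IPv4Interface("192.168.1.10/24"))
    b = Host("B", "fa0/2", ipaddress.IPv4Interface("10.10.10.20/24"))
    c = Host("C", "fa0/3", ipaddress.IPv4Interface("192.168.1.11/24"))
    d = Host("D", "fa0/4", ipaddress.IPv4Interface("10.10.20.5/24"))
    e = Host("E", "fa0/5", ipaddress.IPv4Interface("192.168.1.12/24"))  # A's subnet, wrong VLAN
    return {"A->B": sw.path(a, b), "B->A": sw.path(b, a), "A->C": sw.path(a, c),
            "A->D": sw.path(a, d), "A->E": sw.path(a, e)}


if __name__ == "__main__":
    for pair, result in demo().items():
        print(pair, result)
```

The "A->E" case is the one worth remembering: an IP address alone says nothing about reachability. Two hosts in 192.168.1.0/24 on ports in different VLANs will ARP for each other forever, because the broadcast stays inside the source VLAN and the SVI is never consulted for a destination the host believes is local.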

Users are only able to communicate within the same VLAN unless you use a router. Or MLS

Not sure I'd put this down as an advantage.

Depends on the situation. If you have a large number of computers, it is certainly an advantage to have a reduced size broadcast domain. Additionally, grouping similar users into the same VLANs, but separating different kinds of users/departments across VLANs gives you much more flexibility from a security standpoint.

Hello

A quick question about VLANs and IP assignment. Let's say we have 3 offices. Can we use the same VLAN at different locations?

Paris HQ-

VLAN 10 guest - 10.10.10.0/24

Barcelona branch-

VLAN 10 guest - 10.10.11.0/24

Amsterdam branch-

VLAN 10 guest - 10.10.12.0/24

Can we deploy the upper design, or should we do this:

Paris HQ-

VLAN 10 guest - 10.10.10.0/24

Barcelona branch-

VLAN 20 guest - 10.10.11.0/24

Amsterdam branch-

VLAN 30 guest - 10.10.12.0/24

Parth,
VLAN information is carried within an 802.1Q tag (discounting Cisco's legacy ISL), and 802.1Q tags are created on trunk ports. In most circumstances you will not have sites connected in such a way that 802.1Q tags can traverse the links between them, but it is possible. For example, there is a technology called MPLS AToM that allows direct layer 2 connectivity between sites.

So, in most circumstances this won't matter, but since VLANs are just an arbitrary number, I would still ensure that each site has unique VLANs to "future-proof" your design.

Thank you for the information. Just wanted to make sure. So, this is the design I should go with?

Paris HQ-

VLAN 10 guest – 10.10.10.0/24

Barcelona branch-

VLAN 20 guest – 10.10.11.0/24

Amsterdam branch-

VLAN 30 guest – 10.10.12.0/24

Parth,
In my opinion it is better to use different VLAN numbers even across sites. It appears as though your design has done that; so, not knowing anything else about your network, yes, what you have listed is better than using the same VLAN numbers everywhere.

1 Like

Thank you. Also, let's say the network design is for some high-frequency trading company and we have 2 data centers in different locations, like one in Amsterdam and another in Barcelona. Both of them have the same kinds of servers, like trade execution, trade application, emergency trade, expert trade system, etc. In this case, what type of VLAN and addressing should we go for? I mean like this:

Option A

Amsterdam
Vlan 100 - trade execution
vlan 101- trade application etc

Barcelona
vlan 110- trade execution
vlan 101- trade application etc

or

Option B

Amsterdam
Vlan 100- trade execution, trade application etc

Barcelona
vlan 101- trade execution, trade application etc

Parth,
There is simply not enough information to answer this question. Considerations like security, the number of devices in a vlan, and how the applications should communicate with each other all factor in. Keep in mind that in the NetworkLessons forum we do not give advice about how to design your network.

If you have a specific question about a lesson that you don't understand, we are happy to help!

hi Rene,

I have a very basic doubt:
In the above example, if many computers are connected to a Layer 2 switch (no VLANs), how will the hosts communicate with each other? I mean, will they have any IP addresses on them? If yes, what will be the gateway IP?

Thanks
Abhishek

Abhishek,
In an ethernet network, where all computers are on the same subnet, all computer communication happens without the need for an IP gateway (which is only for communication off the subnet). I would recommend you read the lesson about Address Resolution Protocol (I have linked it here) which is responsible for translating the Layer 3 IP address to a Layer 2 MAC address.

All computers will have IP addresses, but they have no need for a gateway address, and they will ultimately use ARP and layer 2 for communication with each other.

1 Like

Explanations are very much understandable to the depth with easy writings. Your lessons are a complete package to clear the basic concepts.

Create different VLANs for users and servers. I want to allow the IT administrator to access the server VLAN, but the server should be the DHCP server. For this case, how should I create the VLANs and configure them?

(Nyi)^2,
The first thing you would have to decide is whether you are going to be using a layer 3 switch or a router to join these VLANs together. In the case of a L3 switch, you would need to create an SVI (switched virtual interface) in each of the VLANs' subnets. In the case of a router, you would have to create sub-interfaces (assuming you are using a router-on-a-stick model). I will assume you are using a L3 switch. Suppose you have VLANs 10 (Server, 10.10.10.0/24) and 20 (Client, 10.10.20.0/24). You would have to create an SVI like this: interface vlan 10, ip address 10.10.10.1 255.255.255.0.

After you create your SVIs, you would need to create a DHCP scope on the DHCP server for 10.10.20.0/24 and configure the Layer 3 switch to have that server as an ip helper-address (basically a DHCP relay).

You also mention that you wanted to ensure that an admin has access to the server VLAN. This implies you are thinking about setting up ACLs to restrict access at layers 3 or 4. This is tricky to do, because you often don't know all the protocols necessary to allow through between the VLANs. Generally, except in very high security environments, ACLs are not used in this way. If you are concerned about this, it is far easier to put a proper firewall between the server segment and your users, which will create what is called a DMZ.

Thanks Rene. Great explanation
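To show what the ip helper-address step in the reply above does on the wire, here is an added Python example (not part of the original reply) that builds a minimal BOOTP/DHCP DISCOVER, relays it the way the SVI does, and lets a DHCP server choose a scope by giaddr. The addresses are assumptions: the server is 10.10.10.5 on VLAN 10, the client VLAN 20 SVI is 10.10.20.1, the client pool is 10.10.20.50-51, and the client MAC and transaction id are made up. It also shows the two silent failure modes a practitioner runs into: no helper configured (the broadcast never leaves the client VLAN) and no scope matching giaddr on the server.

```python
import ipaddress
import struct

# Fixed 236-byte BOOTP header (RFC 2131): op, htype, hlen, hops, xid, secs, flags,
# ciaddr, yiaddr, siaddr, giaddr, chaddr, sname, file. Options follow the magic cookie.
BOOTP = struct.Struct("!BBBBIHH4s4s4s4s16s64s128s")
MAGIC = b"\x63\x82\x53\x63"
BOOTREQUEST, BOOTREPLY = 1, 2
DISCOVER, OFFER = 1, 2              # DHCP message types carried in option 53


def packed(addr):
    return ipaddress.IPv4Address(addr).packed


def build(op, msg_type, xid, chaddr, yiaddr="0.0.0.0", giaddr="0.0.0.0", hops=0):
    """Serialize a DHCP packet with a single option (53 = message type)."""
    hdr = BOOTP.pack(op, 1, 6, hops, xid, 0, 0, packed("0.0.0.0"), packed(yiaddr),
                     packed("0.0.0.0"), packed(giaddr), chaddr.ljust(16, b"\0"),
                     bytes(64), bytes(128))
    return hdr + MAGIC + bytes([53, 1, msg_type, 255])


def parse(pkt):
    f = BOOTP.unpack(pkt[:BOOTP.size])
    return {"op": f[0], "hops": f[3], "xid": f[4], "chaddr": f[11][:f[2]],
            "yiaddr": str(ipaddress.IPv4Address(f[8])),
            "giaddr": str(ipaddress.IPv4Address(f[10])),
            "msg_type": pkt[BOOTP.size + 4 + 2]}    # option 53 is the first option


class Relay:
    """The SVI side of 'ip helper-address': hand the client VLAN's broadcast to the server."""

    def __init__(self, svi_ip, helper=None):
        self.svi_ip, self.helper = svi_ip, helper   # helper None = no ip helper-address

    def to_server(self, pkt):
        """Broadcast arrives on the SVI's VLAN; return the unicast sent to the helper, or None."""
        p = parse(pkt)
        if self.helper is None or p["hops"] >= 16:
            return None   # without a helper the broadcast never leaves the client VLAN
        # RFC 1542: the first relay stamps giaddr with its own interface address so the
        # server knows which subnet the client is on; later relays only bump hops.
        giaddr = self.svi_ip if p["giaddr"] == "0.0.0.0" else p["giaddr"]
        return build(BOOTREQUEST, p["msg_type"], p["xid"], p["chaddr"],
                     giaddr=giaddr, hops=p["hops"] + 1)

    def to_client(self, reply):
        """The server answers to giaddr; the relay re-broadcasts on that VLAN."""
        p = parse(reply)
        return p if p["giaddr"] == self.svi_ip else None


class DhcpServer:
    def __init__(self, own_ip, scopes):
        self.own_ip = own_ip
        self.scopes = {ipaddress.IPv4Network(n): list(free) for n, free in scopes.items()}

    def handle(self, pkt):
        p = parse(pkt)
        if p["msg_type"] != DISCOVER:
            return None
        # Scope selection: a relayed DISCOVER is matched on giaddr, a local one on the
        # server's own subnet. This is why the relay must stamp the client VLAN's SVI.
        key = ipaddress.IPv4Address(p["giaddr"] if p["giaddr"] != "0.0.0.0" else self.own_ip)
        scope = next((s for s in self.scopes if key in s), None)
        if scope is None or not self.scopes[scope]:
            return None   # real servers log "no scope"/"pool exhausted" and stay silent
        offered = self.scopes[scope].pop(0)
        return build(BOOTREPLY, OFFER, p["xid"], p["chaddr"], yiaddr=offered,
                     giaddr=p["giaddr"], hops=p["hops"])


def demo(helper="10.10.10.5", client_scope=True):
    """Client on VLAN 20 (10.10.20.0/24), DHCP server 10.10.10.5 on VLAN 10; assumed values."""
    scopes = {"10.10.10.0/24": ["10.10.10.100"]}
    if client_scope:
        scopes["10.10.20.0/24"] = ["10.10.20.50", "10.10.20.51"]
    server = DhcpServer("10.10.10.5", scopes)
    relay = Relay("10.10.20.1", helper)                   # the SVI for VLAN 20
    discover = build(BOOTREQUEST, DISCOVER, 0x3903F326, b"\x00\x11\x22\x33\x44\x55")
    relayed = relay.to_server(discover)
    offer = server.handle(relayed) if relayed else None
    back = relay.to_client(offer) if offer else None
    return (back["yiaddr"], back["giaddr"]) if back else None


if __name__ == "__main__":
    print(demo(), demo(helper=None), demo(client_scope=False))
```

One practical consequence for the firewall/ACL discussion in the reply: the relayed DISCOVER is a unicast from the SVI address to UDP port 67 on the server, and the OFFER comes back to the SVI, so that pair of flows has to be permitted between the client segment and the server segment or clients will silently get no lease.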


Hi, I think I may have gotten a bad prep exam question, as I cannot get it to work in labs and it does not fully make sense to me from how I learned VLANs. I will upload the practice test question from Boson and would like input, please.

Above is what they say is the answer and the topology; it's very brief. And below is their explanation.

Now, I tried this in a lab. It does work if I make both Fa0/2 and Fa0/1 on Switch A members of the same VLAN 7; that logically makes sense to me all the way around. I was able to ping from host A to host B, no problem.

However, if I did the other part and changed Fa0/1 on Switch A to VLAN 6, where both ports on the switch were in VLAN 6, then I could no longer ping from host A to host B.

Which makes sense to me, as VLANs are supposed to separate traffic; that's the entire point of VLANs, to be able to ISOLATE traffic.

However, what they did say about access ports only sending untagged frames, which are frames that do not contain VLAN information, sounded kind of logical to me as well, but… now I am confused on a basic of switching, not to mention it's like 12 midnight and my brain is shutting down and I cannot think very well… ugh. Anyway, when in doubt, create a lab and test it, and I did, and it's not working like they say, so I was hoping for some explanation, like they are incorrect or partially right, but basically I am looking for an answer.

Thanks!

EDITED:

OK, when I tested this on Cisco VIRL equipment, which for most everything is the same as real equipment, I was indeed able to ping from VLAN 6 to VLAN 7, where the VLAN 6 host had IP 192.168.1.2 255.255.255.0 and the VLAN 7 host had IP 192.168.1.3 255.255.255.0.

I have to admit this has kind of shaken my foundation of thinking, as I liked to think of a VLAN as a pipe that traffic flowed through…

On my VIRL I used 4 switches, with two of them acting as host A and host B. I set up host A in VLAN 6 and then assigned the IP to that VLAN 6, and for host B I did the same thing but for VLAN 7.

The only other odd thing was that when I set up the connection between the two switches, one side in VLAN 6 and the other side in VLAN 7, I got a native VLAN mismatch error, but the traffic still flowed and I was able to ping across VLANs.

Diagram below:

So Boson was correct.

When we use the command: switchport access vlan 6

That seems to change the native VLAN, yet there is also a command to change the native VLAN. I guess since a switchport can only have one VLAN assigned to it (except in the case of the voice VLAN, which is a special case), that works the same on an access port as changing the native VLAN.

The command to change the native VLAN is not really needed for an access port; it was created so you can change the native VLAN on a trunk?

From a security aspect, this means VLANs do not really separate traffic or protect it, as untagged traffic just goes… this is going to fill so many of my ways of thinking with holes, as this was a foundational idea I had in my head.

Anyway, this shook my world a bit. Feel free to post a link to any good reading on this, or talk about access ports and the communication of untagged traffic over different VLANs!



EDITED:

OK, I think I am getting my head around some of this. At first this new idea crushed me; I mean, why have VLANs if traffic can go across them? There is no security. I was literally stunned and very rattled.

I, however, then started reading carefully and see this is a very specific circumstance that takes advantage of a granular ingress rule and the lack of a similar egress rule, which applies at least to Cisco switching in general.

The following:

  1. Traffic received by a switch that arrives on one VLAN will be forwarded only to ports in the same VLAN (unless IP routing is enabled and set up). This is why, in my example, they say Fa0/1 and Fa0/2 must be in the same VLAN in order for traffic to pass between them. So right there is a specific requirement.

  2. So it's basically shoving (in our example) untagged traffic to Fa0/1, because it can receive traffic from the same VLAN according to the rules of the switch (which it did). Then from there it's moving along the port and gets over to Switch B, who gets this untagged traffic and does what it's supposed to, which is move the traffic along.

  3. So the rule is kind of an ingress rule, not an egress rule. So the rule says incoming has to be in the same VLAN on the same switch in order for it to send. Makes sense. However, once it's sent to another switch, that is different. A switch receiving it would think everything is as it should be, because it's untagged, and would just carry on as normal.

  4. So basically a native VLAN mismatch, which is what this was, can be a dangerous security flaw, and that's why we are informed about it and the importance of it, as it would allow traffic from another VLAN to move to another switch and do something it normally should not.

  5. I don't know why they don't have an egress rule that says unless you're in the same VLAN you cannot enter… however, if you think about it, that's what trunking is!!! So actually I guess I do know, or at least that is how it would seem to be logically.

So I think my world is once again safe, but using these special circumstances to break the normal really helped to teach me something. Please correct me if I am wrong, but I think I have it figured out in my head.

1 Like

Hello Brian

If I followed your reasoning correctly, then yes I believe you’ve got it!

Just keep in mind that the question involved all Access ports and no trunk ports. This means that VLAN numbers on either side of the connection between the switches can be absolutely anything. The important thing to allow for layer 2 connectivity from end to end is that ports on the same switch be on the same VLAN. That is, SW A ports Fa0/1 and 0/2 should be on the same VLAN and SW B ports Fa0/1 and 0/2 should also be on the same VLAN. That way you can have layer 2 connectivity from end to end.

You can immediately rule out any answers that involve routing by noting that Hosts A and B are in the same subnet. That way you can also eliminate any solutions involving trunking once again because both hosts are in the same subnet.

I hope this has been helpful!

Laz

1 Like
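To make the ingress and egress rules in Brian's list and Laz's reply concrete, here is an added Python model (not from the original posts) of two switches exchanging real 802.1Q-framed bytes. It reproduces the topology of the question (host A on SWA Fa0/2, SWA Fa0/1 to SWB Fa0/1, host B on SWB Fa0/2) and runs five constructed cases: all access ports with VLAN 7 on one switch and VLAN 6 on the other, the two SWA ports in different VLANs, a trunk with matching access VLANs, a trunk with different access VLANs, and a trunk whose native VLANs do not match. Frame bytes, MACs and VLAN numbers are constructed for the example, and MAC learning is left out so each switch simply floods within the VLAN.

```python
import struct

TPID = 0x8100  # 802.1Q tag protocol identifier


def tag(frame, vid):
    """Insert an 802.1Q tag (priority 0) after the source MAC."""
    return frame[:12] + struct.pack("!HH", TPID, vid & 0xFFF) + frame[12:]


def untag(frame):
    """Return (vid, frame without tag); vid is None for an untagged frame."""
    if len(frame) >= 16 and frame[12:14] == b"\x81\x00":
        return struct.unpack("!H", frame[14:16])[0] & 0xFFF, frame[:12] + frame[16:]
    return None, frame


class Switch:
    """Ports are ('access', vlan) or ('trunk', native_vlan). Flooding only, no MAC learning."""

    def __init__(self, name, ports):
        self.name, self.ports = name, ports

    def classify(self, port, frame):
        """Ingress rule: which VLAN does an arriving frame belong to? (None = drop)"""
        mode, v = self.ports[port]
        vid, payload = untag(frame)
        if mode == "access":
            # An access port places untagged frames in its own VLAN; a foreign tag is dropped.
            return (v, payload) if vid in (None, v) else (None, None)
        # A trunk reads the tag; an untagged frame lands in the native VLAN.
        return (v if vid is None else vid), payload

    def egress(self, port, vlan, payload):
        """Egress rule: how does this port put a frame of `vlan` on the wire? (None = not sent)"""
        mode, v = self.ports[port]
        if mode == "access":
            return payload if v == vlan else None             # untagged, own VLAN only
        return payload if vlan == v else tag(payload, vlan)   # native untagged, rest tagged

    def forward(self, in_port, frame):
        vlan, payload = self.classify(in_port, frame)
        if vlan is None:
            return []
        outs = ((p, self.egress(p, vlan, payload)) for p in self.ports if p != in_port)
        return [(p, f) for p, f in outs if f is not None]


class Network:
    def __init__(self, switches):
        self.switches = {s.name: s for s in switches}
        self.links = {}

    def link(self, a, b):
        """Endpoints are ('switch', 'port') tuples or a host name string."""
        self.links[a], self.links[b] = b, a

    def send(self, host, frame):
        """Inject an untagged frame from host; return ({host: vid seen}, inter-switch wire log)."""
        received, wire, queue = {}, [], [(self.links[host], frame)]
        while queue:
            (sw, port), f = queue.pop()
            for out_port, out in self.switches[sw].forward(port, f):
                peer = self.links.get((sw, out_port))
                if isinstance(peer, str):
                    received[peer] = untag(out)[0]
                elif peer is not None:
                    wire.append((sw, out_port, untag(out)[0]))
                    queue.append((peer, out))
        return received, wire


def two_switch(ports_a, ports_b):
    """Host A - SWA fa0/2, SWA fa0/1 - SWB fa0/1, SWB fa0/2 - host B (the question's topology)."""
    net = Network([Switch("SWA", ports_a), Switch("SWB", ports_b)])
    net.link("A", ("SWA", "fa0/2"))
    net.link(("SWA", "fa0/1"), ("SWB", "fa0/1"))
    net.link(("SWB", "fa0/2"), "B")
    return net


def scenarios():
    # Constructed broadcast frame (an ARP-style request), untagged as a host would send it.
    frame = b"\xff" * 6 + b"\x00\x11\x22\x33\x44\x55" + b"\x08\x06" + b"who-has 192.168.1.3"
    cases = {
        "all_access_7_and_6": ({"fa0/1": ("access", 7), "fa0/2": ("access", 7)},
                               {"fa0/1": ("access", 6), "fa0/2": ("access", 6)}),
        "all_access_split_on_swa": ({"fa0/1": ("access", 6), "fa0/2": ("access", 7)},
                                    {"fa0/1": ("access", 6), "fa0/2": ("access", 6)}),
        "trunk_same_vlan": ({"fa0/1": ("trunk", 1), "fa0/2": ("access", 7)},
                            {"fa0/1": ("trunk", 1), "fa0/2": ("access", 7)}),
        "trunk_different_vlan": ({"fa0/1": ("trunk", 1), "fa0/2": ("access", 7)},
                                 {"fa0/1": ("trunk", 1), "fa0/2": ("access", 6)}),
        "trunk_native_mismatch": ({"fa0/1": ("trunk", 7), "fa0/2": ("access", 7)},
                                  {"fa0/1": ("trunk", 6), "fa0/2": ("access", 6)}),
    }
    return {name: two_switch(a, b).send("A", frame) for name, (a, b) in cases.items()}


if __name__ == "__main__":
    for name, (received, wire) in scenarios().items():
        print(f"{name:26} received={received} wire={wire}")
```

The wire log records the tag on the inter-switch link: None in the all-access case (so SWB classifies the frame by its own port's VLAN, exactly the Boson answer), 7 on a proper trunk (so SWB drops it when it has no other port in VLAN 7), and None again in the native-mismatch case, where a VLAN 7 frame leaves SWA untagged and SWB files it under VLAN 6. That last row is the security point Brian reached: the VLAN number only means something within one switch unless a tag carries it, which is why the native VLAN mismatch warning exists and why the native VLAN on a trunk is usually set to an otherwise unused VLAN.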

I understand that vlans segment network traffic. What is the technical process that separates vlans? How does a Switch know I can forward out of this port, but I am not allowed to forward out that port?

1 Like