Introduction to VLANs

Hello Maksym

If you have one host on the 192.168.10.128/25 subnet, and another host on the 192.168.10.192/26 subnet, then there may be a problem in communication. For example, if you had Host1 and Host2 connected to a switch with the following addresses:

  • Host1 192.168.10.200/25
  • Host2 192.168.10.201/26

then these two hosts would communicate directly.

If you had the following addresses:

  • Host1 192.168.10.150/25
  • Host2 192.168.10.201/26

Then they wouldn’t communicate directly. This is because, from Host2’s point of view, Host1 is in a different subnet. (192.168.10.150 is outside of the 192.168.10.192/26 network). But from Host1’s point of view, Host2 is in the same subnet. (192.168.10.201 is inside of the 192.168.10.128/25 network). So a ping from Host1 to Host2 would reach Host2, but the reply would not.

Now in your explanation, you are also referring to VLANs 10 and 20, and hosts being trunked to both VLANs. I’m not sure what you mean there, as hosts are typically connected to an access port that has a single VLAN. Can you elaborate on this?

I hope I have addressed your questions sufficiently. If not, please clarify with a network diagram so that we can further understand your question.

I hope this has been helpful!

Laz
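The asymmetric behaviour Laz describes can be checked mechanically: each host applies only its own mask to decide whether the other host is on-link. The following Python is an added example, not code from the original post or from networklessons.com; it uses the address pairs quoted above and assumes no router is present to forward the misdirected reply.

```python
from ipaddress import ip_address, ip_interface


def considers_on_link(local: str, remote_ip: str) -> bool:
    """True if the host configured as `local` (address/prefix, e.g. '192.168.10.150/25')
    treats `remote_ip` as part of its directly connected subnet, i.e. it would ARP for
    the remote MAC and send the frame directly instead of to its default gateway."""
    return ip_address(remote_ip) in ip_interface(local).network


def direct_reachability(host1: str, host2: str) -> dict:
    """Evaluate both directions of a conversation between two hosts on one VLAN.
    Each side uses only its own mask, which is why the result can be asymmetric."""
    h1_ip = ip_interface(host1).ip
    h2_ip = ip_interface(host2).ip
    h1_to_h2 = considers_on_link(host1, str(h2_ip))
    h2_to_h1 = considers_on_link(host2, str(h1_ip))
    return {
        "host1_sees_host2_on_link": h1_to_h2,
        "host2_sees_host1_on_link": h2_to_h1,
        # A ping needs both legs delivered directly: the request one way and the
        # reply the other (assumption: no router is available to forward the reply).
        "ping_round_trip_works": h1_to_h2 and h2_to_h1,
    }


if __name__ == "__main__":
    # The two address pairs from the post above.
    for h1, h2 in [("192.168.10.200/25", "192.168.10.201/26"),
                   ("192.168.10.150/25", "192.168.10.201/26")]:
        print(h1, "<->", h2, direct_reachability(h1, h2))
```

Running it shows the first pair agreeing in both directions, while for the second pair Host1 considers Host2 on-link but Host2 does not consider Host1 on-link, which is exactly the one-way ping described above. Mismatched masks on one VLAN are worth looking for when troubleshooting, because the failure only shows up in one direction.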

Hi Rene, can you please tell me why inter-VLAN routing is not included in your new CCNP course? If I’m wrong, please refer me to the right link within the course. I know you do have that course on the website, but it is separate from the CCNP course.

Thanks

Hello!

Take a look at this post:

I hope this has been helpful!

Laz

I have a question about VLANs, Wi-Fi and a guest network. I give the guests their own VLAN, but how can I prohibit people in that guest VLAN from accessing critical servers/printers? Because, when having one router, somewhere I need to add that guest VLAN to the VLAN trunk list.

Hello Joh

Regardless of whether you are applying this to a wireless or wired network, when you create a VLAN, users in that VLAN will have direct access to all other hosts within that VLAN. They will not have any access to other VLANs, unless you explicitly configure routing between VLANs.

By separating a network into VLANs, you can then decide which VLANs will have access to each other, and which will not. You can also apply access lists to block traffic to particular IP addresses within VLANs, thus providing you with more granular control of what communication to allow and what communication to deny.

In your particular case, if you ensure that you have no servers, printers, or other critical hosts on the same VLAN as your Wi-Fi guest hosts, then you can simply deny any routing between the guest VLAN and other VLANs that you don’t want guests to have access to. Simply route them out to the Internet.

For more information on how to achieve many of these features, take a look at the following lesson:

I hope this has been helpful!

Laz

Many thanks for the reply, so ACLs to deny access to the regular network should do the trick?

Hello Joh

ACLs when applied can block or permit traffic based on source and/or destination IP address, as well as TCP/UDP port numbers, to name a few. So yes, ACLs should do the trick. Take a look at the following lessons for more information:

I hope this has been helpful!

Laz
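To make the guest-VLAN answer concrete, here is an added example (not code from the post or from networklessons.com) of how a first-match ACL with an implicit deny, the way Cisco ACLs are evaluated, decides the traffic discussed above. All subnets, the DNS address and the MAC-free packet fields are constructed for illustration; only the idea of permitting guests to the Internet while denying them the internal VLANs comes from the thread.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class AclEntry:
    action: str                     # "permit" or "deny"
    protocol: str                   # "ip" matches any protocol; else "tcp", "udp", "icmp"
    src: str                        # source prefix, e.g. "10.50.0.0/24"; "0.0.0.0/0" = any
    dst: str                        # destination prefix
    dst_port: Optional[int] = None  # only meaningful for tcp/udp; None = any port


def matches(entry: AclEntry, proto: str, src_ip: str, dst_ip: str,
            dst_port: Optional[int]) -> bool:
    """Does one ACL line match this packet? Every specified field must match."""
    if entry.protocol != "ip" and entry.protocol != proto:
        return False
    if ip_address(src_ip) not in ip_network(entry.src):
        return False
    if ip_address(dst_ip) not in ip_network(entry.dst):
        return False
    if entry.dst_port is not None and entry.dst_port != dst_port:
        return False
    return True


def evaluate(acl: List[AclEntry], proto: str, src_ip: str, dst_ip: str,
             dst_port: Optional[int] = None) -> str:
    """Top-down, first match wins; an unmatched packet hits the implicit deny."""
    for entry in acl:
        if matches(entry, proto, src_ip, dst_ip, dst_port):
            return entry.action
    return "deny"


# Constructed addressing (assumption, not from the post).
GUEST_VLAN = "10.50.0.0/24"      # guest Wi-Fi VLAN
GUEST_GATEWAY_DNS = "10.50.0.1/32"
INTERNAL = "10.0.0.0/8"          # every internal VLAN (servers, printers, management)
ANY = "0.0.0.0/0"

# Inbound ACL on the guest VLAN's SVI: ordering matters, the DNS exception must
# come before the blanket deny of internal space or it is never reached.
GUEST_IN = [
    AclEntry("permit", "udp", GUEST_VLAN, GUEST_GATEWAY_DNS, 53),
    AclEntry("deny",   "ip",  GUEST_VLAN, INTERNAL),
    AclEntry("permit", "ip",  GUEST_VLAN, ANY),
]


if __name__ == "__main__":
    # Constructed flows: guest -> file server, guest -> printer, guest -> DNS, guest -> Internet.
    for flow in [("tcp", "10.50.0.23", "10.10.0.5", 445),
                 ("tcp", "10.50.0.23", "10.20.0.9", 9100),
                 ("udp", "10.50.0.23", "10.50.0.1", 53),
                 ("tcp", "10.50.0.23", "203.0.113.10", 443)]:
        print(flow, "->", evaluate(GUEST_IN, *flow))
```

Two points worth checking on a real device follow from this model: the deny line must be placed before the permit-to-any line, and anything you forget to list falls to the implicit deny, so a missing permit shows up as a silent drop rather than an error.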

How does the L3 switch handle routing after receiving VLAN information?
Remove VLAN header from Frame??
For example, suppose you have the following configuration:
vlan10: 10.10.10.0/24
vlan20: 20.20.20.0/24
SW1(v10) --------- (v10) SW2 (v20) --------- (v20)SW3
I would like to know in detail, step by step, the process by which SW2 routes a VLAN 10 frame it received over to SW3 on VLAN 20.

Hello YongHun

So SW2 is an L3 switch, and it has interVLAN routing configured so that it can route traffic between VLAN 10 and VLAN 20. So what happens to the VLAN information on the frames when this happens? Here’s a short step-by-step description:

  1. SW2 receives a frame with a tag of VLAN 10, thus the frame is placed on VLAN 10.
  2. The destination MAC is read and is found to be the SVI VLAN 10 on the switch
  3. The frame is decapsulated, the Ethernet header is removed, and the IP header is examined
  4. The destination IP is the SVI of VLAN 10 on SW2, so the packet is routed
  5. The routing table indicates that the exit interface is the SVI of VLAN 20
  6. The packet is re-encapsulated and an Ethernet frame is added, and the frame is sent out of SVI VLAN 20
  7. Since VLAN 20 is allowed on the trunk between SW2 and SW3, as it exits the trunk interface, a VLAN tag of 20 is added to the Ethernet frame header
  8. The frame is received by SW3 where the VLAN tag is read, removed, and the frame is placed on VLAN 20 for further forwarding.

Let us know if you require any further clarifications on this process.

I hope this has been helpful!

Laz
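The eight steps above can be walked through in code. The following Python is an added example, not code from the post or from networklessons.com: it models SW2 as a dataclass-based pipeline that strips the ingress tag, checks that the destination MAC is the ingress SVI, performs a longest-prefix lookup, rebuilds the Ethernet header from the exit SVI's MAC and an ARP entry, and tags the frame for the trunk towards SW3. The two subnets come from YongHun's question; the SVI MACs, ARP entry and host addresses are constructed.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Frame:
    vlan: Optional[int]   # 802.1Q tag on a trunk; None when the frame is untagged
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str


# Constructed SW2 state (assumed for the example; only the subnets are from the question).
SVI_MAC = {10: "00:00:5e:00:10:01", 20: "00:00:5e:00:20:01"}        # MAC of each SVI
ROUTES = {ip_network("10.10.10.0/24"): 10, ip_network("20.20.20.0/24"): 20}  # connected -> exit SVI
ARP_TABLE = {"20.20.20.50": "02:00:00:00:20:50"}                      # host behind SW3 on VLAN 20
TRUNK_TO_SW3_ALLOWED = {10, 20}


def lookup(dst_ip: str) -> int:
    """Longest-prefix match over the routing table; returns the exit VLAN (SVI)."""
    addr = ip_address(dst_ip)
    candidates = [(net.prefixlen, vlan) for net, vlan in ROUTES.items() if addr in net]
    if not candidates:
        raise LookupError(f"no route to {dst_ip}")
    return max(candidates)[1]


def route_frame(ingress: Frame) -> Frame:
    """Model SW2 receiving a tagged frame on the trunk and routing it to VLAN 20."""
    # Step 1: the tag is read and removed; the frame now lives on that VLAN.
    vlan_in = ingress.vlan
    on_vlan = replace(ingress, vlan=None)
    # Step 2: only frames addressed to the SVI's MAC are handed to the routing engine;
    # anything else is bridged within vlan_in and never touches the IP header.
    if on_vlan.dst_mac != SVI_MAC[vlan_in]:
        raise ValueError("destination MAC is not SW2's SVI; frame is bridged, not routed")
    # Steps 3-5: Ethernet header discarded, IP header examined, routing table consulted.
    exit_vlan = lookup(on_vlan.dst_ip)
    # Step 6: new Ethernet header, sourced from the exit SVI, destination from ARP.
    next_hop_mac = ARP_TABLE[on_vlan.dst_ip]
    # Step 7: VLAN 20 is allowed on the trunk, so the frame leaves with a tag of 20.
    if exit_vlan not in TRUNK_TO_SW3_ALLOWED:
        raise ValueError(f"VLAN {exit_vlan} not allowed on trunk to SW3")
    return Frame(vlan=exit_vlan, src_mac=SVI_MAC[exit_vlan], dst_mac=next_hop_mac,
                 src_ip=on_vlan.src_ip, dst_ip=on_vlan.dst_ip)


if __name__ == "__main__":
    incoming = Frame(vlan=10, src_mac="02:00:00:00:10:05", dst_mac=SVI_MAC[10],
                     src_ip="10.10.10.5", dst_ip="20.20.20.50")
    print(route_frame(incoming))
```

Note what survives and what changes: the IP addresses are carried through unchanged, while the VLAN tag and both MAC addresses are replaced, which is why a capture on the SW2-SW3 trunk shows the SVI's MAC as the sender rather than the original host's.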

On a Cisco Layer 2 switch, what is the management VLAN, and how do you assign an IP address to the switch for Telnet?

Hello Ajeet

Take a look at this post about the management VLAN. Although it speaks about the ASA, the concepts are the same for a Layer 2 switch.

For a Layer 2 switch, you must create an SVI for that VLAN and assign an IP address to it. You can then use that address to Telnet or SSH into the device to obtain a CLI prompt.

If you need any further help in this, please let us know!

I hope this has been helpful!

Laz

Hello Rene, I have a problem playing your videos on my PC. I can read them using my Amazon Fire tablet, but on my Windows 10 PC, all the videos display an error message “Sorry. Because of its privacy settings, this video cannot be played here.” How can I fix this issue?
Thank you.

Hello Yannick

I will let Rene know to take a look and he’ll get back to you.

Laz

Hello @yannick_libam ,

Our videos are hosted on vimeo.com and set so that they can only play from the domain networklessons.com.

Do you have any browser add-ons/plugins that could interfere with this? A proxy, perhaps?

If you try it in incognito mode, does it work? Or another browser?

Rene

Hi,
I was wondering if you could shed any light on this -
I have been told many times that a VLAN does not equal a broadcast domain.
I totally understand that 99.9% of the time a VLAN will be used with a single subnet and this makes perfect sense.

But I have on occasion run into situations where secondary IP addresses have been used in the same subnet.

Even with secondary IP addresses aside, I more recently have come across a large network where one of the VLANs is a large stretched VLAN that traverses about 40 switches.
The SVI for this specific VLAN on each switch is carved up into separate subnets.

So what I’m wondering, and what has been puzzling me, is how exactly broadcasts etc. work in such a scenario?

If I have several subnets inside one VLAN, then is a broadcast from one of those subnets only sent to that specific subnet, or is it broadcast to all those subnets on that VLAN?

Thanks.

Hello Sean

There are several issues you’ve touched upon so I’ll try to respond to each:

From a Layer 2 perspective, a VLAN does indeed define a broadcast domain. Any layer 2 broadcast sent within a VLAN will be contained within that VLAN. Even from a Layer 3 perspective, if we’re talking about the broadcast address of a subnet, the destination MAC address will still be a broadcast address, so the same VLAN will indeed define the border of the broadcast domain. Under what circumstances would you say that a VLAN does not define a broadcast domain?

There are three related concepts or entities that are involved here. We have VLANs, broadcast domains, and subnets. VLANs and broadcast domains are typically defined as the same. And in most cases, as you mention, VLANs and subnets are typically configured to line up as well. We have a configured VLAN, which defines a specific broadcast domain, which in turn is used by a single subnet.

However, because these entities actually function independently (especially subnets and VLANs because they operate at different OSI layers) they can be configured in such a way that they do not have a one-to-one correspondence.

For example, on a single VLAN, you can have hosts from multiple subnets. This just has to do with the configuration of the NIC of each individual host. This is not generally done, however, it can be done. Similarly, you can have an SVI on a switch of a particular VLAN with multiple IP addresses (secondary), so again, you are losing that one-to-one relationship between VLAN and subnet.

Even in such a case, the VLAN defines the broadcast domain, however, you can have SVIs of multiple switches on that VLAN belonging to different subnets. The broadcast domain remains intact, but there is no one-to-one relationship between the subnets used on that VLAN and the VLAN itself.

What you are describing sounds like a management VLAN. Could it be that this VLAN is being used to communicate with the switches themselves? It’s not very efficient to have such a setup unless it is being used for management. But you mention that the IP addresses on the SVIs are on different subnets, which wouldn’t make sense.

Another thing to remember is that the SVI of a switch on a VLAN is not always used as a gateway to reach other subnets. It could be that each SVI has a different IP address, but the default gateway configured on a particular host is what defines how to get out of the local subnet, and that can be any device connected to the VLAN.

I think I answered this above, but let me state it explicitly. In such a scenario, if you send an IP packet with a destination of 192.168.1.255/24 (this is a broadcast address), during encapsulation, the destination MAC address that will be used is FF:FF:FF:FF:FF:FF. This means that all hosts on that broadcast domain/VLAN will receive the packet, even if they belong to other IP subnets. As they decapsulate the packet they will see a destination IP address of 192.168.1.255, and will then determine if they are to process it (if it belongs to their subnet) or if they are to discard it (if it does not belong to their subnet.) In such a case, a host with an IP address of 192.168.1.55/24 will process it while a host with an IP address of 192.168.5.22/24 will not process it. Does that make sense?

I hope this has been helpful!

Laz
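The distinction in the last paragraph, that the VLAN decides who receives a broadcast frame while each host's own subnet decides who processes the packet, can be simulated. This is an added example, not code from the post or from networklessons.com; it uses the 192.168.1.55/24 and 192.168.5.22/24 hosts mentioned above plus a constructed third host, and the MAC addresses are made up.

```python
from ipaddress import ip_address, ip_interface
from typing import List, Tuple

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
LIMITED_BROADCAST = ip_address("255.255.255.255")


class Host:
    """One host attached to a VLAN; the NIC filters on MAC, the IP stack on address."""

    def __init__(self, name: str, mac: str, addr: str):
        self.name = name
        self.mac = mac
        self.iface = ip_interface(addr)   # e.g. '192.168.1.55/24'

    def nic_accepts(self, dst_mac: str) -> bool:
        # Layer 2: broadcast frames and frames to our own MAC are passed up the stack.
        return dst_mac in (BROADCAST_MAC, self.mac)

    def ip_accepts(self, dst_ip: str) -> bool:
        # Layer 3: our own address, our subnet's directed broadcast, or 255.255.255.255.
        dst = ip_address(dst_ip)
        return dst in (self.iface.ip, self.iface.network.broadcast_address, LIMITED_BROADCAST)


def deliver(vlan_hosts: List[Host], dst_mac: str, dst_ip: str) -> Tuple[List[str], List[str]]:
    """Send one frame into a VLAN. Returns (names that received it at L2,
    names that went on to process it at L3)."""
    received = [h.name for h in vlan_hosts if h.nic_accepts(dst_mac)]
    processed = [h.name for h in vlan_hosts if h.nic_accepts(dst_mac) and h.ip_accepts(dst_ip)]
    return received, processed


# Constructed VLAN membership: two subnets sharing one VLAN, as in the question.
VLAN_100 = [
    Host("A", "02:00:00:00:00:01", "192.168.1.55/24"),
    Host("B", "02:00:00:00:00:02", "192.168.5.22/24"),
    Host("C", "02:00:00:00:00:03", "192.168.1.77/24"),
]


if __name__ == "__main__":
    # Directed broadcast for 192.168.1.0/24: everyone on the VLAN sees the frame,
    # only the 192.168.1.x hosts process the packet.
    print(deliver(VLAN_100, BROADCAST_MAC, "192.168.1.255"))
    # Unicast to B: only B's NIC even passes the frame up.
    print(deliver(VLAN_100, "02:00:00:00:00:02", "192.168.5.22"))
```

The practical consequence matches the reply above: host B still spends CPU on every broadcast from the other subnet, which is the inefficiency that argues for one VLAN per subnet rather than several subnets stacked on one VLAN.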


Many thanks for the detailed answer Lazaros.
You are absolutely correct in that that VLAN is being used as a management VLAN.
But what would be the benefit of having the management VLAN chopped up into different subnets on the same VLAN rather than just having it all on the same subnet?

Hello Sean

So just to confirm, you have multiple switches in a topology that are configured with SVIs in the same VLAN, and this VLAN is allowed on all trunks between all switches. This VLAN is used for management, and the IP addresses on the SVIs are used as destination addresses for SSH or Telnet sessions, or other management sessions. So far, this sounds reasonable.

Now you’re saying that the IP addresses assigned to some SVIs on some switches are in one subnet while others are in another subnet. The only benefit that I can see from this is that you can segregate your management VLAN into two (or more) subnets, each one reachable only via a management PC on one subnet or the other (or via routing to one or the other subnet.) This segregation can be useful if you want to somehow categorize subsets of network devices differently. However, it is not the best way to employ it. This is inefficient because of the fact that broadcasts on one subnet will reach all hosts (SVIs) regardless of subnet, something which is undesirable. It is preferable to create two or more management VLANs to achieve this.

Now having said that, traffic within a management VLAN is not typically very large, so you would probably not even perceive any inefficiencies with such a setup. But still, it is not considered best practice, and it is unexpected; especially if you are “inheriting” a network from a previous network administrator, it can be confusing.

I hope this has been helpful!

Laz


Thanks very much Lazaros.


Hi, I’m kicking off my CCNP CORE journey.