VLAN Operations and Configuration

Stands for virtual local area network, but that doesn’t really tell us much about it, does it?

VLAN Overview

We have a need to put subnets into our switched environments. We have connectivity presented by switches. Why do we do that? They are fast, they’re inexpensive per port, and we can build out a large environment with 500 to 2,000 different ports down to the access layer and then we can have an architecture with high-speed connectivity between them. Okay. But we wouldn’t want to just put in one subnet in an environment that supported 2,000 workstations. What we would want to do is we would want to partition those into different broadcast domains. We would want to separate them.

The separation has another name called segmentation. It can help us enforce security through the separation, and the technology, really, here is the technology of VLANs, which is unbelievably flexible. Why do we say that? Because you can mould these into so many different things and there are very few rules. Let me give you the most important rule, the rule that should not be broken – 1 VLAN equals 1 subnet. You wouldn’t want to put two subnets in a VLAN and you certainly would never want to put multiple VLANs in one subnet. So when you boil things down, we have a need to deploy subnets and we create a VLAN for each of those.

So let’s see if that is what we are doing here. Are we following these rules that you have outlined? Let’s look at that.

VLANs Overview

How many subnets do we have here, folks? Take a good hard look. I see 10.0.2.0/24, 10.0.3.0/24, 10.0.4.0/24. Well we see the subnet mask of /24, which means that if anything changes in the first 24 bits between the different IP addresses, then we’re in a different network space, we’re in a different subnet, if you will. And I can see that we’re incrementing by one in the third octet, which is, in fact, consistent with a block size of one, which is what we get with /24. So it looks like we are counting by one, we are getting three different subnets here, and so we are being consistent.

We are following that rule – a VLAN equals a broadcast domain equals a logical subnet. So perfect, one-to-one relationship here. Notice, how our VLANs span multiple floors in our building. Sales is on floor one, two, and three. So is HR and engineering. Since we are creating these different broadcast domains, what happens when the Sales VLAN or someone in the Sales VLAN, for example the user on the first floor, sends a broadcast, where will it go?

Well it will go to the entire scope of that broadcast domain, which is the VLAN, okay. So you could think of broadcasting like throwing a rock into a pond. If the rock is big enough, it is going to have a ripple effect that will reach all of the different shores or the shore for the entire pond and we would have that here. So if you throw a packet into broadcast domain, that’s going to have that same ripple effect. It’s going to hit every single PC that’s in that broadcast domain, but it will also take all the nooks and cranny pathways between the different switches here and these switches have links between them. Those are going to be trunk links and the broadcast will flow over those trunk links and the broadcast would also hit the router. So everywhere that that VLAN extends to, the broadcast will reach.

We’re not interfering with the other VLANs, meaning we are not interfering with the other subnets. Same thing is true when we are just focusing on a subnet connected to routers. The routers will not allow that broadcast traffic to cross into another subnet. Well this is great. We are down at layer 2 here, but we are segmenting our network and we’re keeping that traffic, that broadcast traffic, to the areas it should stay in. But now, what about communication between different subnets? How do we accomplish that? Let’s think about the device we need to allow traffic to flow from one subnet to another subnet. I hope you’re thinking about a layer 3 device right now, a layer 3 device, for example a router. So if I need a router or a layer 3 device to pass traffic from one subnet to another subnet, what type of device would I need to pass traffic from one VLAN to another VLAN?

Well it’s not a layer 2 switch. It has to be layer 3 and there are few options. Option one is a router. We see that on the image above. It’s a router-on-a-stick configuration because it’s plugged in via a trunk to all the different VLANs. We could use a multilayer switch. We could even use an adaptive security appliance, but ultimately we need something with layer 3 forwarding intelligence. And the layer 2 switch icons that you see here are only going to forward based on a Media Access Control, or MAC, address and they cannot possibly move the traffic from one VLAN to another.

You need to have a very solid understanding of this overall process for VLANs. It will be very difficult to troubleshoot anything VLAN related if you don’t understand these fundamentals. So I encourage you, if you’re still a little bit fuzzy and you’re not too sure about VLANs, review this over and over again until you are very comfortable with VLANs.

Creating and Configuring VLANs

There are two really important steps we need to accomplish in order to create and implement our VLANs. Number one is to create the VLAN and we do that in the global configuration mode.

We type in the command vlan followed by the numeric value. We already have VLAN 1. Remember that’s the default, we get that, it can’t be removed. You can even say vlan 2-32 and that would spawn the definition for that range of VLANs, and comma separation is also possible here. And when you type in that command, it moves you into a new mode that is there to provide adjustments to parameters. The only parameter we will adjust in this course for VLANs is the name, which is purely a description. The switch doesn’t care about the name. If you say name management, the switch doesn’t know that that’s the management VLAN. It just sees that as a character string and it will present that to you when you do the command show vlan brief or other commands that might list the VLANs. So that is for us as human beings and it really does help us.

Switch#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#vlan 2
Switch(config-vlan)#name switchlab99

Once you do this, you don’t do it on just one switch in your environment. If you know you have a few PCs that are going to attach to VLAN 2 on this switch, well then you have to think more holistically than just localizing your thought on this one switch. Your switches work in concert with one another. We sometimes call that the switch fabric. So VLAN 2 or any other VLANs that you would create would need to be defined on all of the switches in which that broadcast domain touches. What that means is it’s probably going to be all of your access and distribution switches in that common wiring closet, that common building. We wouldn’t necessarily need to define them in the core, but access and distribution layer switches should all be prepared with the same VLAN definition.

Let’s say I know I have to put a PC into VLAN 2 so I create VLAN 2 in all my switches in that space on my access layer switches, the distribution layer, how does that PC then get put into VLAN 2? I had VLAN 1, now I have VLAN 2, right now it’s just kind of dangling there, isn’t it?

What we have to do is we have to associate a switch port with that particular VLAN. We go to the interface configuration mode, interface FastEthernet 0/2 in this example, and we type in switchport access vlan, switchport access vlan, and then we specify the VLAN number we want this port to be associated with. So now, in this example, we’ve created VLAN 2 and we’ve associated FastEthernet 0/2 with it. We still need to verify that, don’t we?

Switch#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#interface Ethernet 0/2
Switch(config-if)#switchport access vlan 2

We can verify where our VLANs are deployed by typing in the show vlan command. Now I do the show vlan brief command and in fact, the output omitted is pretty much the output that would be omitted by the brief parameter. Things like the MTU for VLAN show up there and then some more details that I don’t care about. But let’s not lose sight of the fact that we are trying to view where those VLANs are deployed on the switch. So we do show vlan or show vlan brief and then we see the different VLANs. We see VLAN 1, that would be the default. VLAN 2, and we can see that VLAN 2 is over there on the right hand side, listed in the Ports, Ethernet 0/2. So if I see this, I’m going to be quite confident that access port Eth0/2 is a member of VLAN 2.

Switch#sh vlan
VLAN Name                             Status    Ports
—- ——————————– ——— ——————————-
1    default                          active    Et0/0, Et0/1, Et0/3, Et1/0
                                                Et1/1, Et1/2, Et1/3
2    switchlab99                      active    Et0/2

Our Recommended Premium CCNA Training Resources

These are the best CCNA training resources online:

Click Here to get the Cisco CCNA Gold Bootcamp, the most comprehensive and highest rated CCNA course online with a 4.8 star rating from over 30,000 public reviews. I recommend this as your primary study source to learn all the topics on the exam. Cisco CCNA Gold Bootcamp
Want to take your practice tests to the next level? AlphaPreps purpose-built Cisco test engine has the largest question bank, adaptive questions, and advanced reporting which tells you exactly when you are ready to pass the real exam. Click here for your free trial. Cisco CCNA Gold Bootcamp