Training Cisco 200-125 CCNA v3.0. Day 11. VLAN Basics

Original author: Imran Rafai
  • Translation
  • Tutorial
Before we get down to the basics of VLANs, I would ask all of you to pause this video, click the icon in the lower left corner, where it says Networking consultant, go to our Facebook page and like it. Then come back to the video and click the icon in the lower right corner to subscribe to our official YouTube channel. We are constantly adding new series: right now it is the CCNA course, and after that we plan to record CCNA Security, Network+, PMP, ITIL and Prince2 video courses and publish them on our channel.

So, today we'll talk about the basics of VLANs and answer three questions: what a VLAN is, why we need VLANs, and how to configure them. I hope that after watching this video tutorial you will be able to answer all three.

What is a VLAN? VLAN stands for "virtual local area network". Later in the lesson we will see why this network is called virtual, but before we get to VLANs we need to understand how a switch works, so we will once again go over some points discussed in previous lessons.



First, let's recall what a collision domain is. A 48-port switch has 48 collision domains: every port is its own collision domain, so a device on one port can talk to a device on another port without the two conversations interfering with each other.

All 48 ports of this switch, however, belong to the same broadcast domain. This means that if one of the connected devices sends a broadcast frame, the switch floods it out of every other port, and every device connected to the switch hears it. This is how a switch works out of the box.

It is as if people were sitting close together in one room: when one of them says something loudly, everyone else hears it. This does not scale. The more people there are in the room, the noisier it gets, until those present can no longer hear each other. The same happens with computers: the more devices share one network, the greater the "volume" of broadcast traffic, and the more it gets in the way of useful communication.

We know that if one of these devices is on the 192.168.1.0/24 network, all the other devices are on the same network, and the switch's management address, if it has one, is in that subnet too. Here is where a switch, as an OSI Layer 2 device, has a problem: any two devices on the same segment can reach each other directly, with no router or firewall in between. Suppose our company has a "bad guy", a hacker, whom I will draw at the top; below him is my computer. It is very easy for this hacker to get at my computer, because our computers sit in the same network segment. That is the problem.



If I belong to senior management and this new guy can get at the files on my computer, that is not good at all. Of course, my computer has a host firewall that protects against many threats, but it is the only control standing between us, and it will not be difficult for a hacker to bypass it.

The second danger for everyone in a broadcast domain is that a problem on one host, say a faulty network card that floods the segment with broadcasts, affects every other device in the domain. Although all 48 ports may be connected to different hosts, a failure on one host hits the remaining 47, which we certainly do not want.
To solve this problem we use the concept of a VLAN, a virtual local area network. The idea is simple: one large 48-port switch is divided into several smaller logical switches.



We know that subnetting divides one large network into several smaller ones, and a VLAN does something similar at Layer 2. It divides the 48-port switch into, say, four 12-port switches, each of which is a separate network: 12 ports for management, 12 ports for IP telephony, and so on. The switch is divided not physically but logically, that is, virtually.

I allocated three ports on the upper switch, marked in blue, to the "blue" network VLAN10, and three orange ports to VLAN20. Any traffic from one of the blue ports goes only to the other blue ports and never touches the rest of the switch. Orange traffic is distributed the same way, so it is as if we were using two separate physical switches. A VLAN, then, is a way of dividing one switch into several switches serving different networks.

In the two switches drawn at the top, only the blue ports, for one network, are in use on the left switch and only the orange ones, for the other network, on the right, and the two switches are not connected to each other.

Now suppose you need more ports. Imagine we have two buildings, each with its own management staff, and two orange ports on the lower switch are used for management. We need those ports to talk to all the orange ports on the other switch, and likewise every blue port on the upper switch must be able to reach the other blue ports. To do this we physically connect the two switches in the two buildings with a separate link, drawn in the figure as the line between the two green ports. When two switches are joined by a single link that carries several VLANs, that link is called a trunk.

What is the difference between an ordinary switch and a VLAN switch? Not much. On a new switch, by default, every port is an access port belonging to the same network, VLAN1. That is why a device connected to one port can reach every other port: all 48 ports belong to the same virtual network, VLAN1. But if we configure the blue ports for VLAN10, the orange ones for VLAN20 and leave the green ones in VLAN1, we get three different switches. Using VLANs lets us logically group ports into separate networks, split the broadcast domain into parts and create subnets. Each group of ports of one colour belongs to its own network. Even if the blue ports and the orange ports are both configured for the 192.168.1.0 network, they will not be able to talk to each other despite using the same address range, because logically they belong to different switches, and, as we know, separate physical switches do not communicate unless they are joined by a link. In practice, therefore, we create a different subnet for each VLAN.



I want to stress that the concept of a VLAN lives on the switch. Anyone familiar with the encapsulation protocols 802.1Q and ISL knows that the tag is a switch-to-switch matter: an ordinary end host plugged into an access port, and the router beyond it, see plain untagged frames and know nothing about VLANs. When you plug your computer into one of the blue ports you change nothing on the computer; everything happens at OSI Layer 2, on the switch. When we assign ports to VLAN10 or VLAN20, the switch records this in its VLAN database. It "writes" to its memory that ports 1, 3 and 5 belong to VLAN10, ports 14, 15 and 18 belong to VLAN20, and all the other ports in use belong to VLAN1. So if traffic arrives on blue port 1, it is delivered only to ports 3 and 5 of the same VLAN10. The switch "looks" at its database and sees

The computer itself knows nothing about these VLANs. When we connect the two switches, a trunk is formed between the green ports. The term "trunk" is Cisco's; other vendors, such as Juniper, call it a tagged port, a name I find more descriptive. Traffic arriving on the trunk is forwarded to the ports of the next switch, so connecting two 48-port switches effectively gives us one 96-port switch. When a frame from VLAN10 is sent across the trunk it is tagged, that is, given a label saying that it belongs to VLAN10 and must only reach VLAN10 ports. The second switch reads the tag, understands that this is VLAN10 traffic and forwards it only to the blue ports.

We also mentioned encapsulation; there are two methods. The first is 802.1Q: when we set up a trunk, the frames crossing it have to be encapsulated, and 802.1Q is the open standard that describes how traffic is tagged. The second is ISL, Inter-Switch Link, a Cisco-proprietary protocol that likewise marks which VLAN a frame belongs to. All modern switches support 802.1Q, so on a switch fresh out of the box you do not need any encapsulation command: 802.1Q is used by default. Thus, once the trunk is created, frames are tagged automatically and the switch at the other end can read the tags. One caveat worth remembering: frames of the trunk's native VLAN (VLAN1 by default) cross the trunk untagged, which is why the native VLAN must match on both ends.

Now let's get started on configuring a VLAN. Let's build a network with two switches and two end devices, computers PC0 and PC1, which we connect by cable to switch #0. We start with the basic configuration of the switch.



To do this, click on the switch, open the command-line interface and set the host name: this switch will be sw1. Then open the settings of the first computer and set the static IP address 192.168.1.1 with subnet mask 255.255.255.0. No default gateway is needed, because all our devices are on the same network. Do the same for the second computer, giving it the address 192.168.1.2.

Now go back to the first computer and ping the second. The ping succeeds, because both computers are connected to the same switch and belong to the same default network, VLAN1. If we look at the switch interfaces, we see that all FastEthernet ports 1 to 24 and both GigabitEthernet ports are in VLAN1. We do not want everything to be reachable from everywhere, so we go to the switch CLI and enter the show vlan command to look at the VLAN database.



Here you see the network VLAN1 and the fact that every switch port belongs to it. This means you can connect to any port and all of them will be able to "talk" to each other, because they are part of the same network.

We will change this. First we create two virtual networks, starting with VLAN10. A VLAN is created with a command of the form vlan <number>, entered in global configuration mode.
Entering vlan 10 puts you into VLAN configuration mode, and if you type ? there the system lists the commands available in this mode:

exit - apply the changes and leave VLAN configuration mode;
name - give the VLAN a descriptive name;
no - negate a command or reset it to its default.

So the order is: create the VLAN with vlan <number>, optionally give it a name with name, and then exit. The system's hint also shows that a VLAN number in the normal range can be anything from 1 to 1005.
Now we create a VLAN with number 20, vlan 20, and give it a name that tells the user what the network is for. In our case we use the name Employees, a network for the company's employees.



Now we need to assign a port to this VLAN. We enter interface configuration mode with int f0/1, switch the port to access mode with the switchport mode access command, and then tell the switch which VLAN the port belongs to with switchport access vlan 10: this is the port for the VLAN10 network.



We see that after this the colour of the link between PC0 and the switch, the port's indicator, has changed from green to orange. It turns green again after a few seconds, once the change takes effect. Let's try to ping the second computer. We have not changed anything in the computers' network settings; they still have the addresses 192.168.1.1 and 192.168.1.2. But if we ping PC1 from PC0 now, it fails, because the computers now belong to different networks: the first to VLAN10, the second to the default VLAN1.

Let's go back to the switch CLI and configure the second port. I enter int f0/2 and repeat the same steps, this time for VLAN 20.
We see that the lower switch port, to which the second computer is connected, has also changed from green to orange; it takes a few seconds before the change takes effect and it turns green again. If we ping the second computer again, we still fail, because the computers are still in different networks; only now PC1 is in VLAN20 rather than VLAN1.
Thus you have divided one physical switch into two separate logical switches. The port colour has changed back from orange to green, so the port is up, but the other computer still does not respond, because it belongs to a different network.

Now we change our topology: disconnect PC1 from the first switch, connect it to the second switch, and connect the two switches to each other with a cable.



To get them talking, I go into the configuration of the second switch and create VLAN10, naming it Management, the management network. Then I put the port facing PC1 into access mode for VLAN10, just as on the first switch. Now we need a trunk between the two switches. Both switches use port Fa0/2 for the link, so on the first switch I enter interface Fa0/2 and type switchport mode trunk, then do the same on the second switch; a trunk is formed between these two ports and the link's indicators turn green.

Now, if I ping PC1 from the first computer, it works: the link between PC0 and switch #0 is in VLAN10, the link between switch #1 and PC1 is also in VLAN10, and the two switches are joined by a trunk that carries VLAN10 across.

So devices in different VLANs cannot reach each other, while devices in the same VLAN exchange traffic freely. Let's add one more device to each switch.



In the network settings of the new computer PC2 I set the IP address 192.168.2.1, and in PC3's settings the address 192.168.2.2. Both PCs are connected to port Fa0/3 of their respective switches. In the configuration of switch #0 we put this port into access mode and assign it to VLAN20, and we do the same on switch #1.

If I enter switchport access vlan 20 before VLAN20 has been created, the switch prints a warning of the form "Access VLAN does not exist", because only VLAN10 has been defined so far. On IOS the message continues with "Creating vlan 20": the switch creates the VLAN for you, with its default name VLAN0020, which is why it shows up under that name in the next show vlan output. Creating the VLAN explicitly first, with vlan 20, avoids the warning and lets you name it.

Let's create VLAN20 explicitly. Then I use the show vlan command to view the VLAN database.



You can see the default network VLAN1, with ports Fa0/4 through Fa0/24 and Gig0/1, Gig0/2 still assigned to it. VLAN 10, named Management, holds port Fa0/1, and VLAN 20, with its default name VLAN0020, holds port Fa0/3. The trunk port Fa0/2 is not listed under any VLAN, because a trunk carries all of them.

In principle the name of a VLAN does not matter, as long as two VLANs do not share one. If I want to replace the name the system assigned by default, I enter vlan 20 and then name Employees. I can change it again, for example to IPphones, and if we ping 192.168.2.2 we see that the VLAN name makes no difference to forwarding.
The last thing I want to mention is assigning a management IP, which we covered in the previous lesson. To do this we enter int vlan 1, set the IP address 10.1.1.1 with mask 255.255.255.0, and add no shutdown. We have not assigned a management IP to the switch as a whole, only to the VLAN1 interface: this is the address through which the switch is managed from VLAN1. If we want to manage it from VLAN20, we need a corresponding interface for VLAN20. In our case we have blue VLAN10 ports and orange VLAN20 ports, on the networks 192.168.1.0 and 192.168.2.0 respectively.
The VLAN10 interface must have an address in VLAN10's range so that devices in that VLAN can reach it, and the same goes for VLAN20.

This switch console window shows the interface configuration for VLAN1, the default VLAN (and the native VLAN of the trunk).



To configure a management IP for VLAN10, we create the interface with int vlan 10, assign the address 192.168.1.10 with mask 255.255.255.0, and bring it up with no shutdown.

To configure VLAN20, we create the interface with int vlan 20, assign the address 192.168.2.10 with mask 255.255.255.0, and bring it up with no shutdown.



Why is this needed? PC0, connected to the upper-left port of switch #0, is in VLAN10 and the 192.168.1.0 network; PC2 is in VLAN20 and the 192.168.2.0 network; and the switch's VLAN1 interface, 10.1.1.1, sits in yet another network. PC0 cannot reach the switch over SSH through the VLAN1 address, because the two are in different networks with no router between them. So, for PC0 to manage the switch over SSH or Telnet, the switch needs an address inside PC0's own VLAN. That is what the per-VLAN management interfaces are for.

PC0 can then connect over SSH or Telnet to the address of the VLAN10 interface, and a host in VLAN20 to the address of the VLAN20 interface, and make whatever changes are needed. So a management IP is required for every VLAN from which we want to administer the switch. Bear in mind that each such interface is another door into the switch's management plane: apply the same login restrictions to it as to the VLAN1 address, and create interfaces only for the VLANs that really need them.
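To put the whole lesson in one place, here is the complete configuration for sw1 as an added example (this is not the video's own console output): basic setup, the VLAN database, the access ports, the trunk and the three management interfaces, followed by the commands used to check the result. A few lines go beyond what the lesson types and are standard hardening on an access switch: switchport nonegotiate turns off DTP so nothing plugged into a port can negotiate it into a trunk, switchport trunk allowed vlan limits what the trunk carries, and unused ports are shut down. Port numbers follow the lab (PC0 on Fa0/1, PC2 on Fa0/3, trunk on Fa0/2). The sw2 interface addresses 192.168.1.11 and 192.168.2.11 are assumptions, since the lesson does not give any for the second switch.

```text
! --- sw1 (switch #0 in the lab) ----------------------------------------
enable
configure terminal
hostname sw1
!
! VLAN database. VLAN 1 exists by default and cannot be deleted.
vlan 10
 name Management
vlan 20
 name Employees
exit
!
! Fa0/1 -> PC0 (192.168.1.1), a blue port in VLAN 10.
! "switchport nonegotiate" disables DTP, so whatever is plugged in
! here can never talk the port into becoming a trunk.
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
!
! Fa0/3 -> PC2 (192.168.2.1), an orange port in VLAN 20.
interface FastEthernet0/3
 switchport mode access
 switchport access vlan 20
 switchport nonegotiate
!
! Fa0/2 -> sw2 Fa0/2, the 802.1Q trunk (the green link).
! A 2960 only speaks 802.1Q, so no encapsulation command is needed;
! older multi-encapsulation models need
! "switchport trunk encapsulation dot1q" before "switchport mode trunk".
! Only VLANs 10 and 20 are allowed across the link. VLAN 1 stays the
! native VLAN, whose frames would cross untagged if it were allowed.
interface FastEthernet0/2
 switchport mode trunk
 switchport trunk allowed vlan 10,20
 switchport nonegotiate
!
! Ports nobody is using: shut them down so a stray cable does not
! land in VLAN 1 with full reachability.
interface range FastEthernet0/4 - 24
 shutdown
interface range GigabitEthernet0/1 - 2
 shutdown
!
! Management addresses (SVIs), one per VLAN we manage the switch from.
interface Vlan1
 ip address 10.1.1.1 255.255.255.0
 no shutdown
interface Vlan10
 ip address 192.168.1.10 255.255.255.0
 no shutdown
interface Vlan20
 ip address 192.168.2.10 255.255.255.0
 no shutdown
end
copy running-config startup-config
!
! --- sw2 (switch #1): identical, except for the hostname and the
! --- SVI addresses (assumed; the lesson gives none for sw2).
!   hostname sw2
!   interface Vlan10 -> ip address 192.168.1.11 255.255.255.0
!   interface Vlan20 -> ip address 192.168.2.11 255.255.255.0
!   PC1 (192.168.1.2) on Fa0/1 in VLAN 10, PC3 (192.168.2.2) on Fa0/3 in VLAN 20
!
! --- Checks -------------------------------------------------------------
! show vlan brief          Fa0/1 listed under VLAN 10, Fa0/3 under VLAN 20;
!                          Fa0/2 appears under no VLAN (it is a trunk)
! show interfaces trunk    Fa0/2: mode on, encapsulation 802.1q,
!                          native vlan 1, allowed vlans 10,20
! show ip interface brief  Vlan1, Vlan10, Vlan20 up/up
! show interfaces Fa0/1 switchport   "Negotiation of Trunking: Off"
```

Packet Tracer brings all three SVIs up; on a real Layer 2 switch check show ip interface brief after configuring them, because some models keep only one SVI active at a time. If the allowed-VLAN list is later extended to another VLAN, it must be extended on both ends of the trunk, just as the VLAN itself must exist on both switches.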

In today's video we covered a lot: basic switch setup, creating VLANs, assigning ports to VLANs, assigning management IPs to VLANs and configuring trunks. Don't worry if something is still unclear; that is natural, because VLANs are a large and complex topic that we will return to in the next lessons. I promise that with my help you can become VLAN "masters", but the point of this lesson was to answer three questions: what VLANs are, why we need them and how to configure them.

