VLAN (1)

LAN

  • It is a group of devices (PCs, servers, routers, switches) in a single location.

A LAN is a single broadcast domain: it includes all devices in that broadcast domain.

  • A broadcast domain is the group of devices which will receive a broadcast frame (destination MAC : FFFF.FFFF.FFFF) sent by any one of the members.

Here, there are 4 broadcast domains, and thus 4 LANs.

(Note: A router does not forward a broadcast frame. It will receive the frame, but it won't send it on to other networks.)

VLAN

Problem in LAN

  • Consider a small LAN of a company. There are 3 depts. in the office : Engg, Sales, HR.

  • It is advised to split the network (say, 192.168.1.0/24) into different subnets.

  • Otherwise, if a PC from the Engg dept sends a broadcast intended for other PCs in the same dept, it will be forwarded to the other depts and the router too (since the switch will flood the broadcast through all of its interfaces).

  • It is a problem for both security and network performance purposes.

    • Performance: Lots of unnecessary broadcast traffic can reduce network performance.

    • Security: You want to limit who has access to what, even within the same office. You can apply security policies on routers and firewalls, but since this is a single LAN, PCs can reach each other directly without the traffic passing through the router, so those policies are never applied.

  • So, let's split the depts into different subnets.

  • The router is going to need an IP in each subnet, so it will need one interface in each subnet.

  • Replace the single connection between the switch and the router with 3 connections, one in each subnet.

  • A more efficient way: [[VLAN (2)#Trunk ports]]

  • If PC1 wants to send data to PC2, PC1 will recognize that PC2 is in a different subnet, so it will set the destination MAC to that of its default gateway, R1.

  • PC1 will forward the frame to the switch, which will send it to R1, which will then change the source MAC to its own and the destination MAC to PC2's MAC.

  • It will forward the frame back to the switch, which will then forward it to the destination, PC2.

Instead of PC1 directly sending traffic to PC2, we forced the traffic through R1 first, where we would have configured some security policies to control what traffic is allowed to pass between these subnets.

There's still a problem: if the frame is a broadcast or unknown unicast frame, the switch will flood it out of all interfaces. Example:

  • The source IP is PC1's IP and the destination IP is its subnet's broadcast address. So, this is a broadcast frame intended for the Engg dept.

  • The source MAC is PC1's MAC and the destination MAC is the broadcast MAC of all F's.

A switch is only aware of Layer 2. It does not care about Layer 3, Layer 4, etc.

  • The switch looks only at Layer 2 info like the source and destination MAC.

  • Even though there are 3 different subnets, the switch does not know that (since subnetting is done at Layer 3).

  • PC1 will send the frame to the switch, which will see the destination MAC of all F's and flood the frame.

  • This is bad in terms of network performance and security.

Although we separated the three depts into 3 subnets (Layer 3), they are still in the same broadcast domain / LAN (Layer 2).

One possible solution: buy a separate switch for each dept. This is not very flexible, and it is costly.

VLAN as Solution

Although these PCs are in the same LAN, we can use VLAN (Virtual LAN) to separate them at Layer 2.

  • You configure the switch interface to be in a specific VLAN, and then the end host connected to that interface is part of that VLAN.

  • The switch will treat each VLAN as a separate LAN and will not forward traffic between VLANs, whether broadcast or unicast.

VLANs logically separate end hosts at Layer 2.

  • So, we will assign each dept to a particular VLAN.

  • Broadcast frame:

    • If PC1 sends a broadcast frame, once it arrives at the switch it will be forwarded only to the interfaces in the same VLAN.

    • Since the broadcast arrived on an interface configured in VLAN10, the switch will only forward the frame out of other interfaces in VLAN10.

  • Unicast frame:

    • PC1 -> Switch -> Router (changes the source and destination MAC) -> Switch -> PC2.

    • The traffic arrives on a VLAN10 interface and is forwarded out of a VLAN10 interface.

    • The traffic that arrives on a VLAN30 interface is forwarded out of a VLAN30 interface.

  • The router is used to route between VLANs, since the switch does not forward between VLANs.

    • Here, PC1 and PC2 are in different subnets, so PC1 will send the frame to its default gateway.

    • Even if they were in the same subnet, the switch would not forward from PC1 to PC2, because they are in separate VLANs.

The switch does not perform inter-VLAN routing; traffic between VLANs has to go through the router.

VLAN Configuration

  • 'SW1# show vlan brief' displays the VLANs that exist on the switch and which interfaces are in each VLAN.

  • VLAN1 is the default. Even if you don't configure any VLANs, all interfaces are in VLAN1 by default.

  • VLAN 1002-1005 also exist by default.

  • The default VLANs cannot be deleted.

Assign interfaces to VLAN

  • Commands:

    SW1(config)# interface range g1/0-3
    SW1(config-if-range)# switchport mode access
    SW1(config-if-range)# switchport access vlan 10

  • Use the 'switchport mode access' command to set the interface as an access port.

  • 'switchport access vlan 10' assigns the VLAN to the port.

Access port: a switchport which belongs to a single VLAN, and usually connects to end hosts like PCs. ^accessport

Trunk port: a switchport which carries multiple VLANs. ([[VLAN (2)#Trunk ports]])

A switchport connected to an end host should enter access mode by default. However, it is a good idea to explicitly configure the setting rather than rely on autonegotiation.

  • After you enter those commands, you get the message 'Access VLAN does not exist. Creating vlan 10'. Because VLAN10 didn't exist on the device yet, it was created automatically when we assigned the interface to VLAN10.

  • Do the same for VLAN20 and VLAN30, assigning the respective interfaces.

  • You can see the 3 VLANs created and the ports assigned to each VLAN using 'show vlan brief'.

Change VLAN names

  • Commands ('vlan 10' is also the command to create the VLAN):

    SW1(config)# vlan 10
    SW1(config-vlan)# name ENGG

  • Do the same for VLAN20 and VLAN30.

  • Check for the changes with 'show vlan brief'.

Now if we run ping 255.255.255.255 on PC1, which sends a frame with the broadcast destination MAC of all F's, the broadcast will only reach the hosts in VLAN10.
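As an added example that is not part of these notes, the Python model below ties the forwarding behaviour described above (broadcasts and unknown unicasts flooded only within the ingress VLAN, MAC addresses learned per VLAN, no forwarding between VLANs without the router) to the configuration steps (VLAN 1 and 1002-1005 present by default, 'switchport access vlan' creating a missing VLAN, 'vlan' / 'name', and what 'show vlan brief' reports). The g1/0-3 range for VLAN 10 comes from the notes; the g2/0-3 and g3/0-3 ranges, the names SALES and HR, and the MAC addresses are assumptions.

```python
BROADCAST = "FFFF.FFFF.FFFF"   # destination MAC of a broadcast frame

class Switch:
    """Minimal VLAN-aware switch: it looks only at MACs and the ingress port's VLAN."""
    def __init__(self, ports):
        self.port_vlan = {p: 1 for p in ports}   # every port starts in VLAN 1
        self.vlan_names = {1: "default", 1002: "fddi-default", 1003: "token-ring-default",
                           1004: "fddinet-default", 1005: "trnet-default"}   # IOS defaults
        self.mac_table = {}   # (vlan, mac) -> port; MACs are learned per VLAN

    def vlan(self, vid, name=None):   # 'vlan <vid>' followed by 'name <name>'
        self.vlan_names[vid] = name or self.vlan_names.get(vid, f"VLAN{vid:04d}")

    def access(self, port, vid):   # 'switchport mode access' + 'switchport access vlan <vid>'
        if vid not in self.vlan_names:
            print(f"% Access VLAN does not exist. Creating vlan {vid}")
            self.vlan(vid)
        self.port_vlan[port] = vid

    def receive(self, in_port, src_mac, dst_mac):
        """Return the ports the frame is sent out of; a router is needed to cross VLANs."""
        vid = self.port_vlan[in_port]
        self.mac_table[(vid, src_mac)] = in_port   # learn the source MAC in this VLAN
        if dst_mac != BROADCAST:
            out = self.mac_table.get((vid, dst_mac))
            if out is not None:
                return [out]   # known unicast: forwarded out of one port only
        # broadcast or unknown unicast: flood, but only to other ports in the same VLAN
        return sorted(p for p, v in self.port_vlan.items() if v == vid and p != in_port)

    def show_vlan_brief(self):   # {vid: (name, [ports])}, the content of 'show vlan brief'
        return {v: (n, sorted(p for p, pv in self.port_vlan.items() if pv == v))
                for v, n in sorted(self.vlan_names.items())}

def build_switch():
    """g1/0-3 -> VLAN 10 is from the notes; the g2/x and g3/x ranges are assumed here."""
    sw = Switch([f"g{m}/{n}" for m in (1, 2, 3) for n in range(4)])
    for m, vid, name in ((1, 10, "ENGG"), (2, 20, "SALES"), (3, 30, "HR")):
        for n in range(4):
            sw.access(f"g{m}/{n}", vid)   # first call per VLAN auto-creates it
        sw.vlan(vid, name)
    return sw

if __name__ == "__main__":
    sw = build_switch()
    # constructed MAC: PC1 on g1/0 pings 255.255.255.255 -> only the other VLAN 10 ports
    print(sw.receive("g1/0", "0001.0001.0001", BROADCAST))
    print(sw.show_vlan_brief())
```

Sending a frame to PC1's MAC from a VLAN 30 port shows the point of L97 in the notes: the switch has no entry for that MAC in VLAN 30, so it floods within VLAN 30 only and the frame never reaches PC1.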
