VLAN (3)

Review

Native VLAN

  • Best practice is to set the native VLAN to an unused VLAN, as the native VLAN feature can cause some security issues.

  • That's why the native VLAN was set to 1001 in the previous lecture & lab.

Advantage

  • Since frames in the native VLAN aren't tagged, each frame is smaller, so the device can send more frames per second.

Native VLAN on a router

Assuming you want to use the native VLAN feature:

  • Set the native VLAN back to a used VLAN, VLAN10 (from the unused VLAN 1001 set in the previous video), on all trunks.

  • SW(config-if)# switchport trunk native vlan 10

    Do this on SW1's g0/0 interface and on SW2's g0/0 and g0/1 interfaces.

Configuring native VLAN on ROAS

Two methods:

  1. On the router subinterface: 'encapsulation dot1q vlan-id native'

    • This tells the router that this subinterface belongs to the native VLAN, and it will function like the native VLAN on a switch.

    • Untagged frames are assumed to belong to the native VLAN, and frames sent in the native VLAN will not be tagged.

  2. Configure the IP address for the native VLAN on the router's physical interface (no need for a subinterface or the 'encapsulation dot1q' command).

Method 1

On the g0/0 interface of R1,

  • R1(config)# int g0/0.10
    R1(config-subif)# encapsulation dot1q 10 native

(The IP address is already configured; this is a continuation of the previous lab.)

Pinging a PC in VLAN10 from VLAN20:

ICMP echo request goes from SW2 to R1:

  • It will be in VLAN20 and it is sent to R1 for inter-VLAN routing.

  • The dot1q field is inserted after the source MAC address field.

    • TPID: 0x8100, PCP: 0, DEI: 0, VID: 20

    • The PC that sent the ping is in VLAN20 and it is not the native VLAN, so that is why it is tagged.

R1 to SW2:

  • The ICMP frame will be in VLAN10, because the destination is in VLAN10.

  • Since VLAN10 is configured as the native VLAN on both R1 and SW2, this Ethernet header does not have a dot1q tag.

  • This is the native VLAN at work: both R1 and SW2 understand that untagged frames belong to VLAN10, so there is no need to tag each frame.

The ICMP echo request will continue to its destination untagged all the way, because VLAN10 is configured as the native VLAN on all devices.

When the PC in VLAN10 sends an ICMP echo reply, it will be untagged until it reaches R1, which will then tag it as VLAN20 and send it back to the PC that sent the request.
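The tag layout and native VLAN behaviour walked through above, as an added Python example (not code from the page or from Cisco IOS): a trunk-side classifier that reads the 802.1Q tag after the source MAC, or assigns untagged frames to the native VLAN, plus the sender side that leaves native VLAN frames untagged. The MAC addresses are constructed sample values.

```python
import struct

TPID_8021Q = 0x8100          # Tag Protocol Identifier that marks an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800

# Constructed sample MAC addresses (not from the page)
PC20_MAC = bytes.fromhex("0200000000a0")   # PC in VLAN20
R1_MAC = bytes.fromhex("0200000000b1")     # R1's g0/0

def classify_frame(frame: bytes, native_vlan: int) -> dict:
    """Classify a frame received on a trunk: if the two bytes after the source MAC
    are the TPID 0x8100, the tag's VID decides the VLAN; an untagged frame is
    assumed to belong to the port's native VLAN."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    (tpid,) = struct.unpack("!H", frame[12:14])
    if tpid != TPID_8021Q:
        # No tag: the TPID position holds the EtherType, VLAN is the native VLAN
        return {"tagged": False, "pcp": None, "dei": None,
                "vid": native_vlan, "ethertype": tpid, "payload": frame[14:]}
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, ethertype = struct.unpack("!HH", frame[14:18])
    return {"tagged": True,
            "pcp": tci >> 13,          # 3-bit priority code point
            "dei": (tci >> 12) & 1,    # drop eligible indicator
            "vid": tci & 0x0FFF,       # 12-bit VLAN ID
            "ethertype": ethertype, "payload": frame[18:]}

def build_frame(dst: bytes, src: bytes, vid: int, native_vlan: int,
                ethertype: int, payload: bytes, pcp: int = 0, dei: int = 0) -> bytes:
    """Build the frame a trunk port sends: the tag is inserted after the source MAC
    unless vid is the port's native VLAN, in which case the frame goes out untagged."""
    if vid == native_vlan:
        return dst + src + struct.pack("!H", ethertype) + payload
    tci = (pcp << 13) | (dei << 12) | (vid & 0x0FFF)
    return dst + src + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload

if __name__ == "__main__":
    # Echo request from the VLAN20 PC towards R1 is tagged VID 20 (native VLAN is 10)
    req = build_frame(R1_MAC, PC20_MAC, 20, 10, ETHERTYPE_IPV4, b"\x45" + b"\x00" * 19)
    print(classify_frame(req, native_vlan=10))
    # R1 forwards the packet in VLAN10, the native VLAN, so SW2 receives it untagged
    fwd = build_frame(PC20_MAC, R1_MAC, 10, 10, ETHERTYPE_IPV4, b"\x45" + b"\x00" * 19)
    print(classify_frame(fwd, native_vlan=10))
```

Classifying the same untagged frame with native_vlan=1001 shows why the unused-VLAN best practice works: untagged frames land in a VLAN where no host lives.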

Method 2

Configure the IP address on the router's physical interface. No need for a subinterface or the 'encapsulation dot1q' command.

  • R1(config)# no interface g0/0.10
    R1(config)# interface g0/0
    R1(config-if)# ip address 192.168.1.62 255.255.255.192

The g0/0.10 subinterface is deleted and its IP address is now set on the physical interface g0/0 itself. The physical interface will now be used for the native VLAN, VLAN10. The other subinterfaces are configured just as in the previous video, with the encapsulation dot1q command and their own IP addresses.

  • SW2 will send VLAN10 traffic to R1 in untagged frames, and R1 will send VLAN10 traffic back in untagged frames too.

It is recommended to change the native VLAN to an unused VLAN for security purposes.

Layer 3 switches

(a.k.a. multilayer switch)

A multilayer switch is capable of both switching and routing.

  • It is 'Layer 3' aware.

  • You can assign IP addresses to its interfaces, like a router.

  • You can configure 'routed ports', which function like an interface on a router.

  • You can create virtual interfaces for each VLAN, and assign IP addresses to those interfaces (virtual interfaces in the switch's software that can be used to route Layer 3 traffic).

  • You can configure routes like static routes, just like a router.

  • It can be used for inter-VLAN routing.

Inter-VLAN routing previously:

  • One connection for each VLAN between the router and the switch.

  • Router on a stick: a single trunk connection which carries traffic from all VLANs between the switch and the router.

    • Efficient in terms of the number of interfaces.

    • But in a busy network, all of the traffic going to the router and back to the switch can cause network congestion.

So, in large networks, a multilayer switch is the preferred method of inter-VLAN routing.

Inter-VLAN routing using SVI

When we used ROAS for inter-VLAN routing, traffic being routed between VLANs was sent to R1 first, then sent back to SW2, and then forwarded to the destination.

Now, SW2 is replaced with a multilayer switch and the trunk link between SW2 and R1 is replaced with a point-to-point Layer 3 link (VLANs will no longer run across this link).

Since SW2 is a multilayer switch, it does not have to send the traffic to R1 for inter-VLAN routing. It can do that with Switch Virtual Interfaces.

Switch Virtual Interfaces

(like a mini router on a switch)

  • SVIs are virtual interfaces you can assign IP addresses to in a multilayer switch.

  • Configure each PC to use the SVI (not the router) as its gateway address (when using ROAS, the router was the PCs' gateway).

  • To send traffic to different subnets/VLANs, the PCs will send traffic to the switch, and the switch will route the traffic.

These SVIs are configured on SW2. They use the same IP addresses that were configured on R1 (the last usable address in each subnet) when doing ROAS, which are already configured on each PC as its gateway address.

PC in VLAN20 to PC in VLAN10 (left):

  • The frame arrives at SW2. SW2 now has its own routing table, so it looks up the destination in the routing table and sees that the destination is connected to its VLAN10 SVI. So the traffic is routed to VLAN10.

  • If SW2 doesn't have the destination MAC address in its MAC address table, it will flood the frame to all VLAN10 interfaces. Let's assume it already learned the MAC address.

  • So, it forwards it to SW1 over its trunk interface, tagged as VLAN10. SW1 then forwards it to the destination.

Destinations outside of VLAN

  • The cloud connected to R1 represents the internet.

  • Because SW2 is the hosts' default gateway, any packets destined outside of their subnet will be sent to SW2.

  • But our previous router-on-a-stick configuration for the connection between SW2 and R1 will no longer work.

  • In addition to configuring virtual interfaces (SVIs) on multilayer switches, we can also configure their physical interfaces to operate like a router interface, rather than a switchport.

  • So, we can assign the subnet 192.168.1.192/30 to this point-to-point link between SW2 and R1, with SW2's g0/1 interface having the IP address 192.168.1.193 and R1's g0/0 interface having the IP address 192.168.1.194.

  • Then we configure a default route on SW2 pointing towards R1, so all traffic destined outside of the LAN will be sent to R1.

Configuring multilayer switch

On R1

Remove the ROAS config and configure the new IP on g0/0:

  • R1(config)# no interface g0/0.10
    R1(config)# no interface g0/0.20
    R1(config)# no interface g0/0.30

    (the subinterfaces will show with status "deleted" in 'show ip interface brief')

Reset g0/0 to its default settings:

  • R1(config)# default interface g0/0

Enter the interface and configure the IP:

  • R1(config)# interface g0/0
    R1(config-if)# ip address 192.168.1.194 255.255.255.252

On SW2

Reset the g0/1 interface to its default settings, because it was configured as a trunk for ROAS in the previous lab:

  • SW2(config)# default interface g0/1

Enter the interface and change the Layer 2 switchport to a Layer 3 routed port:

  • SW2(config)# interface g0/1
    SW2(config-if)# no switchport

Enable Layer 3 routing on the switch so it builds its own routing table:

  • SW2(config)# ip routing

Assign an IP address to the routed port (re-enter the interface, since 'ip routing' was entered from global config mode):

  • SW2(config)# interface g0/1
    SW2(config-if)# ip address 192.168.1.193 255.255.255.252
    SW2(config-if)# do show ip inter br

Default route pointing to R1:

  • SW2(config)# ip route 0.0.0.0 0.0.0.0 192.168.1.194

To check:

  • SW2(config)# do show ip route
    (or)
    SW2# show interfaces status (in the VLAN column the interface will show as "routed")

SVIs on SW2

Create SVIs for VLANs:

(SVIs are shut down by default)

  • SW2(config)# interface vlan10
    SW2(config-if)# ip address 192.168.1.62 255.255.255.192
    SW2(config-if)# no shutdown

  • SW2(config-if)# interface vlan20
    SW2(config-if)# ip address 192.168.1.126 255.255.255.192
    SW2(config-if)# no shutdown

  • SW2(config-if)# interface vlan30
    SW2(config-if)# ip address 192.168.1.190 255.255.255.192
    SW2(config-if)# no shutdown

    (192.168.1.190 is the last usable address of VLAN30's subnet, 192.168.1.128/26; 192.168.1.192 is the network address of the point-to-point link's subnet and cannot be used here)

Conditions for SVI to be up/up

  1. The VLAN must exist on the switch.

    • If you have not created a VLAN (say VLAN40) on the switch but assigned an IP address to its SVI and enabled it (previous step), the SVI won't become up/up.

    • When you assign an access port to a VLAN and if the VLAN doesn't exist yet, the switch will automatically create the VLAN. If you create an SVI for a VLAN that doesn't exist yet, the switch will NOT automatically create the VLAN.

  2. The switch must have at least one access port in the VLAN in an up/up state, and/or one up/up trunk port that allows the VLAN.

    • In our topology, SW2 has hosts connected in VLAN10 and VLAN20, so their SVIs can go up.

    • There are no hosts connected in VLAN30, but SW2 has a trunk port, g0/0, which allows VLAN30, so VLAN30's SVI is up.

  3. The VLAN must not be shut down.

    • You can enter VLAN config mode and disable the VLAN with the 'shutdown' command. If you do this, the SVI for that VLAN can't become up/up.

  4. The SVI must not be shut down.

    • SVIs are shut down by default.

Connected and local routes are added to the routing table for the SVIs created (check with the 'show ip route' command: each VLAN's subnet is shown as directly connected to its SVI).
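To see how the connected and local routes from the SVIs, the routed port and the default route to R1 work together (the "Destinations outside of VLAN" section above), here is an added Python model of SW2's routing table lookup. It is example code, not from the page or from Cisco IOS; the table is constructed from the page's addresses, omits VLAN30 because its subnet is not given on the page, and uses 'show ip route' style interface names.

```python
import ipaddress

# Constructed routing table for SW2 after 'ip routing', using the page's addresses:
# a C (connected) route for each up/up SVI and routed port, an L (local) /32 for
# the switch's own address on each, and the S* static default route towards R1.
# Entry layout: (prefix, code, next_hop, exit_interface)
SW2_ROUTES = [
    (ipaddress.ip_network("192.168.1.0/26"),   "C",  None, "Vlan10"),
    (ipaddress.ip_network("192.168.1.62/32"),  "L",  None, "Vlan10"),
    (ipaddress.ip_network("192.168.1.64/26"),  "C",  None, "Vlan20"),
    (ipaddress.ip_network("192.168.1.126/32"), "L",  None, "Vlan20"),
    (ipaddress.ip_network("192.168.1.192/30"), "C",  None, "GigabitEthernet0/1"),
    (ipaddress.ip_network("192.168.1.193/32"), "L",  None, "GigabitEthernet0/1"),
    (ipaddress.ip_network("0.0.0.0/0"), "S*", ipaddress.ip_address("192.168.1.194"), None),
]

def longest_match(routes, dst):
    """Return the matching entry with the longest prefix (how the lookup picks a route)."""
    dst = ipaddress.ip_address(dst)
    candidates = [r for r in routes if dst in r[0]]
    return max(candidates, key=lambda r: r[0].prefixlen) if candidates else None

def forward(routes, dst):
    """Decide how SW2 handles a packet to dst: (route code, exit interface, next hop).
    A static route that names only a next hop is resolved recursively through the
    connected route that reaches that next hop. Returns None when no route matches."""
    route = longest_match(routes, dst)
    if route is None:
        return None                                  # no route at all: packet dropped
    _prefix, code, next_hop, iface = route
    if code == "L":
        return (code, iface, None)                   # addressed to the switch itself
    if next_hop is None:
        return (code, iface, str(dst))               # directly connected: ARP for dst
    via = longest_match(routes, next_hop)            # recursive lookup of the next hop
    return (code, via[3], str(next_hop))

if __name__ == "__main__":
    # 203.0.113.10 is a constructed "internet" destination (TEST-NET-3 range)
    for dst in ("192.168.1.10", "192.168.1.100", "192.168.1.62", "203.0.113.10"):
        print(dst, "->", forward(SW2_ROUTES, dst))
```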

Traffic to destination
