Cisco Training 200-125 CCNA v3.0. Day 11 VLAN Basics

Before we start the VLAN basics, I would ask you all to pause this video, click on the icon in the lower left corner where it says Networking consultant, go to our Facebook page and like it. Then go back to the video and click on the King icon in the bottom right corner to subscribe to our official YouTube channel. We are constantly adding new series, now it concerns the CCNA course, then we plan to start the CCNA Security, Network +, PMP, ITIL, Prince2 video tutorials and publish these wonderful series on our channel.

So, today we will talk about the basics of VLAN and answer 3 questions: what is a VLAN, why do we need a VLAN and how to configure it. I hope that after watching this video tutorial you will be able to answer all three questions.

What is a VLAN? VLAN stands for "virtual local area network". Later in the lesson we will see why this network is called virtual, but before we get to VLANs we need to understand how a switch works, so we will revisit some of the points discussed in previous lessons.


Let's first recall what multiple collision domains mean. We know that this 48-port switch has 48 collision domains. This means that each of these ports, or rather each device connected to one of these ports, can communicate with a device on a different port independently, without affecting the others.

All 48 ports of this switch are part of the same broadcast domain. This means that if several devices are connected to several ports and one of them sends a broadcast, it appears on every port to which another device is connected. That's how a switch works.

It is as if people were sitting close together in one room: when one of them speaks loudly, everyone else hears it. This is very inefficient: the more people in the room, the noisier it gets, until those present can no longer hear each other. The same happens with computers: the more devices connected to one network, the "louder" the broadcast traffic becomes, which gets in the way of effective communication.

We know that if one of these devices is on the 192.168.1.0/24 network, all the other devices are part of the same network. The switch must also have an address on the same network. But here the switch, as an OSI layer 2 device, can have a problem: if two devices are on the same network, they can easily reach each other. Suppose our company has a "bad guy", a hacker, whom I will draw at the top; below him is my computer. It is very easy for this hacker to get to my computer, since our computers are part of the same network. That's where the problem lies.


If I belong to senior management and this new guy can access the files on my computer, that is not good at all. Of course, my computer has a firewall that protects against many threats, but it will not be hard for a hacker to bypass it.

The second danger for any member of this broadcast domain is that if one host has a problem that floods the network with broadcasts, the interference affects every other device on the network. Although all 48 ports can be connected to different hosts, a failure of one host affects the other 47, which is not what we want.
To solve this problem, we use the concept of a VLAN, or virtual local area network. It works very simply: the one large 48-port switch is divided into several smaller logical switches.


We know that subnets divide one large network into several small networks, and VLANs work in a similar way: a 48-port switch is divided into, say, 4 switches of 12 ports, each belonging to a separate network. We can then use 12 ports for management, 12 ports for IP telephony, and so on; that is, the switch is divided not physically but logically, virtually.

I allocated three ports of the upper switch, marked in blue, to the "blue" network VLAN10, and assigned three orange ports to VLAN20. Thus, any traffic from one of these blue ports will only go to other blue ports, without touching the other ports of this switch. Traffic from the orange ports is handled the same way, so it is as if we were using two different physical switches. Thus, a VLAN is a way to divide one switch into several switches for different networks.

In the two switches I drew at the top, only blue ports for one network are used on the left switch and only orange ports for another network on the right, and these switches are not connected to each other in any way.

Let's say you want to use more ports. Imagine that we have 2 buildings, each with its own management staff, and the two orange ports of the lower switch are used for management. We therefore need these ports to be connected to all the orange ports of the other switches. The same applies to the blue ports: all the blue ports of the top switch must be connected to the rest of the ports of the same color. To do this, we physically connect the two switches in different buildings with a separate link; in the figure this is the line between the two green ports. As we know, when two switches are physically connected, we have a backbone, or trunk.

What is the difference between a regular switch and a VLAN switch? Not a big one. When you buy a new switch, by default all of its ports are part of the same VLAN, called VLAN1. That's why, when we connect a device to one port, it can reach all other ports: all 48 ports belong to the same VLAN1. But if we configure the blue ports for VLAN10, the orange ports for VLAN20, and the green ports for VLAN1, we get 3 different switches. Thus, virtual networks let us logically group ports under specific networks, split the broadcast domain into parts and create subnets. Each group of ports of a given color belongs to a separate network. If the blue ports use the 192.168.1.0 network and the orange ports also use the 192.168.1.0 network, then despite the same addressing they will not be connected to each other, because they logically belong to different switches. And as we know, different physical switches do not communicate with each other unless a common link joins them. Thus, we create different subnets for different VLANs.


I want to draw your attention to the fact that the VLAN concept applies only to switches. Anyone familiar with encapsulation protocols such as 802.1Q or ISL knows that neither routers nor computers have any VLANs. When you connect your computer to one of the blue ports, nothing changes on the computer; all the changes happen at OSI layer 2, on the switch. When we configure ports for a specific VLAN10 or VLAN20, the switch builds a VLAN database. It "writes" into its memory that ports 1, 3 and 5 belong to VLAN10, ports 14, 15 and 18 belong to VLAN20, and the remaining ports belong to VLAN1. Therefore, if traffic arrives on blue port 1, it only goes to ports 3 and 5 of the same VLAN10. The switch "looks" into its database and sees that traffic arriving on one of the orange ports should only go to the orange ports of VLAN20.

However, the computer knows nothing about these VLANs. When we connect 2 switches, a trunk is formed between the green ports. The term "trunk" is used only on Cisco devices; other manufacturers, such as Juniper, use the term tagged port, and I think "tagged port" is the more apt name. When traffic from one of these networks reaches the trunk, the trunk carries it to the ports of the next switch, so that by connecting two 48-port switches we get one 96-port switch. When we send traffic from VLAN10 across the trunk, it is tagged, that is, given a label showing that it is intended only for ports of VLAN10. The second switch, on receiving this traffic, reads the tag, understands that this is VLAN10 traffic and sends it only to the blue ports. Similarly, orange traffic for VLAN20 is tagged to show that it is destined for the VLAN20 ports of the second switch.

We also mentioned encapsulation; there are two encapsulation methods. The first is 802.1Q: when we set up a trunk, we must provide encapsulation, and the 802.1Q protocol is an open standard that describes how traffic is tagged. The other protocol is ISL, Inter-Switch Link, developed by Cisco, which also marks traffic as belonging to a specific VLAN. All modern switches work with 802.1Q, so when you take a new switch out of the box you do not need to enter any encapsulation commands, because 802.1Q is used by default. Thus, once the trunk is created, traffic is encapsulated automatically, and the receiving switch can read the tags.
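The tagging described above, as an added Python example that is not part of the original lesson: it builds an untagged Ethernet frame the way a host sends it into an access port, inserts the 4-byte 802.1Q tag (the TPID 0x8100 followed by the tag control information with its 3-bit priority, 1-bit DEI and 12-bit VLAN ID) after the source MAC the way a trunk port does on egress, and parses it back. The MAC addresses and payload are constructed sample values.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag

def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))

def build_frame(dst: str, src: str, ethertype: int, payload: bytes) -> bytes:
    """Untagged Ethernet II frame, as a host sends it into an access port."""
    return mac_bytes(dst) + mac_bytes(src) + struct.pack("!H", ethertype) + payload

def parse_frame(frame: bytes) -> dict:
    """Read the header; vid is None for an untagged frame."""
    dst, src = frame[0:6].hex(":"), frame[6:12].hex(":")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    vid = pcp = None
    offset = 14
    if ethertype == TPID_8021Q:                       # a tag sits between src MAC and EtherType
        tci = struct.unpack("!H", frame[14:16])[0]    # tag control information
        pcp, vid = tci >> 13, tci & 0x0FFF            # 3-bit priority, 1-bit DEI, 12-bit VLAN ID
        ethertype = struct.unpack("!H", frame[16:18])[0]
        offset = 18
    return {"dst": dst, "src": src, "vid": vid, "pcp": pcp,
            "ethertype": ethertype, "payload": frame[offset:]}

def tag_frame(frame: bytes, vid: int, pcp: int = 0, dei: int = 0) -> bytes:
    """Insert the 4-byte tag after the source MAC, as a trunk port does on egress."""
    if not 1 <= vid <= 4094:                          # 0 and 4095 are reserved by 802.1Q
        raise ValueError("VLAN ID must be 1..4094")
    if parse_frame(frame)["vid"] is not None:
        raise ValueError("frame already carries a tag")
    tci = (pcp << 13) | (dei << 12) | vid
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]

def untag_frame(frame: bytes) -> bytes:
    """Strip the tag, as an access port does before handing the frame to the host."""
    return frame[:12] + frame[16:] if parse_frame(frame)["vid"] is not None else frame

if __name__ == "__main__":
    # constructed sample: a broadcast ARP request from a host on a VLAN10 access port
    host_frame = build_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55", 0x0806, b"ARP request")
    on_trunk = tag_frame(host_frame, 10)
    print(parse_frame(on_trunk))            # vid 10, ethertype 0x0806, payload intact
    print(untag_frame(on_trunk) == host_frame)
```

The point to notice is that the original EtherType and payload are untouched: the tag is inserted, not substituted, which is why a host on an access port never sees it and why a switch that does not understand 802.1Q would misread the frame's EtherType as 0x8100.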

Now let's start configuring VLANs. Let's build a network with 2 switches and two end devices, computers PC1 and PC2, which we connect by cables to switch #0. We start with the basic configuration of the switch.


To do this, click on the switch, go to the command line interface and set the host name, calling this switch sw1. Now let's move on to the settings of the first computer and set the static IP address 192.168.1.1 with the subnet mask 255.255.255.0. No default gateway address is needed, because all of our devices are on the same network. Next, we do the same for the second computer, assigning it the IP address 192.168.1.2.

Now let's go back to the first computer and ping the second one. As you can see, the ping succeeds, because both computers are connected to the same switch and are part of the same network, the default VLAN1. If we look at the switch interfaces, we see that all FastEthernet ports from 1 to 24 and the two GigabitEthernet ports are in VLAN 1. Such unrestricted reachability is not what we want, so we enter the switch configuration and use the show vlan command to look at the virtual network database.


Here you see the name of the VLAN1 network and the fact that all ports of the switch belong to it. This means that you can connect to any port and all devices can "talk" to each other, because they are part of the same network.

We will change this situation. First we create two virtual networks, starting with VLAN10. To create a virtual network, the vlan command followed by the network number is used.
As you can see, when we entered the command the system displayed a list of the VLAN configuration commands available for this action:

exit - apply the changes and exit the settings;
name – enter a custom VLAN name;
no - Cancel the command or set it as default.

This means that before entering the create VLAN command, you must enter the name command, which turns on the name management mode, and then proceed to create a new network. The system also prompts that the VLAN number can be assigned in the range from 1 to 1005.
So now we enter the command to create VLAN number 20, vlan 20, and then give it a user-friendly name that shows what kind of network it is. In our case we use the name Employees command, for the network of the company's employees.


Now we need to assign a specific port to this VLAN. We enter interface configuration mode with int f0/1, switch the port to access mode manually with the switchport mode access command, and then indicate which VLAN this port belongs to with switchport access vlan 10: this is the port for the VLAN10 network.


We see that after this the port indicator between PC0 and the switch changed from green to orange. It turns green again as soon as the configuration change takes effect. Let's try to ping the second computer. We have not changed the computers' network settings; they still have the IP addresses 192.168.1.1 and 192.168.1.2. But if we try to ping PC0 from PC1, we fail, because these computers now belong to different networks: the first to VLAN10, the second to the native VLAN1.

Let's go back to the switch and configure the second port. To do this, I enter the int f0/2 command and repeat the same steps for VLAN 20 as when setting up the previous virtual network.
We see that the lower port of the switch, to which the second computer is connected, has also changed its color from green to orange; it takes a few seconds for the change to take effect, after which it turns green again. If we ping the second computer again, it still fails, because the computers still belong to different networks: only now PC1 is part of VLAN20 rather than VLAN1.
Thus, we have divided one physical switch into two different logical switches. You can see that the port has changed from orange back to green, so it is working, but the ping still fails because it belongs to a different network.

Let's make changes to our scheme - disconnect the PC1 computer from the first switch and connect it to the second switch, and connect the switches themselves with a cable.


To establish a connection between them, I enter the configuration of the second switch and create VLAN10, giving it the name Management, the management network. Then I put the port in access mode and assign it to VLAN10. The color of the ports connecting the switches has now changed from orange to green, because both are configured for VLAN10. Now we need to create a trunk between the switches. Both of these ports are Fa0/2, so we make port Fa0/2 of the first switch a trunk with the switchport mode trunk command. The same is done on the second switch, after which a trunk is formed between the two ports.

Now, if I want to ping PC1 from the first computer, everything will work out, because the connection between PC0 and switch #0 is a VLAN10 network, between switch #1 and PC1 is also VLAN10, and both switches are connected by a trunk.

So, if devices are in different VLANs they cannot reach each other, and if they are in the same network traffic flows freely between them. Let's add one more device to each switch.


In the network settings of the PC2 I added, I set the IP address 192.168.2.1, and on PC3 192.168.2.2. The ports to which these two PCs are connected are Fa0/3 on each switch. In the settings of switch #0 we set access mode and assign this port to VLAN20, and we do the same on switch #1.

If I use the switchport access vlan 20 command while the VLAN20 network has not yet been created, the system gives an error like "Access VLAN does not exist", because so far only VLAN10 has been created on the switches.

Let's create VLAN20. I use the show vlan command to view the virtual network database.


You can see that the default network is VLAN1, to which ports Fa0/4 to Fa0/24 and Gig0/1, Gig0/2 are connected. VLAN number 10, called Management, is connected to port Fa0/1, and VLAN number 20, named VLAN0020 by default, is connected to port Fa0/3.

In principle, the name of the network does not matter; the main thing is that different networks do not share a name. If I want to override the default name the system assigns, I use the vlan 20 command followed by name Employees. I can change this name to something else, for example IPphones, and if we ping the IP address 192.168.2.2 we see that the VLAN name makes no difference.
The last thing I want to mention is the management IP assignment we talked about in the last lesson. To do this, we use the int vlan1 command, enter the IP address 10.1.1.1 with the subnet mask 255.255.255.0 and then add the no shutdown command. We assigned a management IP not for the entire switch, but only for VLAN1, that is, an IP address through which VLAN1 is managed. If we want to manage VLAN2, we need to create a corresponding interface for VLAN2. In our case, there are blue VLAN10 ports and orange VLAN20 ports, which correspond to the networks 192.168.1.0 and 192.168.2.0.
VLAN10 must have an address in the same range so that the corresponding devices can connect to it. The same setting must be made for VLAN20.

This switch command line window shows the interface settings for VLAN1, that is, the native VLAN.


To configure the management IP for VLAN10, we create the interface with int vlan 10 and then add the IP address 192.168.1.10 with the subnet mask 255.255.255.0.

To configure VLAN20, we create the interface with int vlan 20 and then add the IP address 192.168.2.10 with the subnet mask 255.255.255.0.


Why is this needed? If PC0 and the upper left port of switch #0 belong to the 192.168.1.0 network, while PC2 belongs to the 192.168.2.0 network and is connected to the native VLAN1 port, which belongs to the 10.1.1.1 network, then PC0 cannot communicate with this switch over SSH, because they belong to different networks. Therefore, for PC0 to reach the switch via SSH or Telnet, we must give it an address it can reach in its own network. That's why we need management addresses for the VLANs.

We should be able to connect from PC0 via SSH or Telnet to the IP address of interface VLAN20 and make any changes we want over SSH. Thus, the management IP is needed specifically to configure the VLAN, because each virtual network must have its own access control.
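To tie the configuration steps together, here is an added Python model of the two-switch lab; it is not the lesson's own IOS commands and not a Cisco tool. It keeps a per-switch VLAN database, access and trunk ports and management interfaces, returns the lesson's "Access VLAN does not exist" message when a port is assigned to a VLAN that has not been created, follows a host's broadcast across the trunk, and answers the two questions the lesson ends on: which PCs can ping each other, and from which PC a switch's management address is reachable. Switch names, port numbers, addresses and the topology are the lesson's where it gives them; sw1's VLAN1 address 10.1.1.2 is a constructed value.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Interface

@dataclass
class Switch:
    name: str
    ports: list = field(default_factory=lambda: [f"Fa0/{i}" for i in range(1, 25)])
    vlans: dict = field(default_factory=lambda: {1: "default"})  # the VLAN database
    access: dict = field(default_factory=dict)  # port -> access VLAN; unset means VLAN1
    trunks: set = field(default_factory=set)    # trunk ports carry every VLAN, tagged
    svi: dict = field(default_factory=dict)     # VLAN -> management address (interface vlan N)

    def vlan(self, vid, name=None):             # "vlan N", then an optional "name ..."
        self.vlans[vid] = name or f"VLAN{vid:04d}"  # an unnamed VLAN 20 is listed as VLAN0020
    def switchport_access_vlan(self, port, vid):
        if vid not in self.vlans:               # the lesson's error: create the VLAN first
            return "Access VLAN does not exist"
        self.trunks.discard(port)
        self.access[port] = vid
        return None
    def switchport_mode_trunk(self, port):
        self.access.pop(port, None)
        self.trunks.add(port)
    def interface_vlan(self, vid, address):     # "interface vlan N" + "ip address ..."
        self.svi[vid] = IPv4Interface(address)
    def ingress_vlan(self, port):               # an untagged host frame joins the port's VLAN
        return self.access.get(port, 1)
    def egress(self, ingress, vid):
        """Ports that receive a broadcast heard on `ingress` in VLAN `vid`."""
        return [p for p in self.ports
                if p != ingress and (p in self.trunks or self.access.get(p, 1) == vid)]

@dataclass
class Lab:
    switches: dict = field(default_factory=dict)
    pcs: dict = field(default_factory=dict)     # name -> (IPv4Interface, switch, port)
    cables: dict = field(default_factory=dict)  # (switch, port) -> (switch, port), both directions

    def flood(self, start_sw, start_port):
        """Follow a host's broadcast across the lab: returns the (switch, port) pairs it
        leaves on and, per switch, the VLAN the switch heard it in."""
        vid = self.switches[start_sw].ingress_vlan(start_port)
        reached, heard = set(), {start_sw: vid}
        queue = [(start_sw, start_port, vid)]
        while queue:
            here, ingress, vid = queue.pop()
            sw = self.switches[here]
            for p in sw.egress(ingress, vid):
                reached.add((here, p))
                far = self.cables.get((here, p))
                if far is None or far[0] in heard:
                    continue
                far_sw = self.switches[far[0]]
                if p in sw.trunks and far[1] in far_sw.trunks:
                    far_vid = vid  # the 802.1Q tag keeps the VLAN across the trunk
                elif p not in sw.trunks and far[1] not in far_sw.trunks:
                    far_vid = far_sw.ingress_vlan(far[1])  # untagged link: far access port decides
                else:
                    continue  # access port facing a trunk: tagged frames are not understood
                heard[far[0]] = far_vid
                queue.append((far[0], far[1], far_vid))
        return reached, heard

    def can_ping(self, a, b):
        ip_a, sw_a, port_a = self.pcs[a]
        ip_b, sw_b, port_b = self.pcs[b]
        reached, _ = self.flood(sw_a, port_a)
        return ip_a.network == ip_b.network and (sw_b, port_b) in reached

    def can_manage(self, pc, sw_name):
        """SSH/Telnet from `pc` reaches the switch only via an SVI in the PC's VLAN and subnet."""
        ip, sw, port = self.pcs[pc]
        _, heard = self.flood(sw, port)
        svi = self.switches[sw_name].svi.get(heard.get(sw_name))
        return svi is not None and svi.network == ip.network

def build_lab():
    """The finished two-switch lab from the lesson (sw1's VLAN1 address is a constructed value)."""
    lab = Lab()
    for name, vlan1_addr in (("sw0", "10.1.1.1/24"), ("sw1", "10.1.1.2/24")):
        sw = Switch(name)
        sw.vlan(10, "Management")
        sw.vlan(20)                              # created without a name, as in the lesson
        sw.switchport_access_vlan("Fa0/1", 10)   # switchport mode access + switchport access vlan 10
        sw.switchport_mode_trunk("Fa0/2")        # switchport mode trunk
        sw.switchport_access_vlan("Fa0/3", 20)
        sw.interface_vlan(1, vlan1_addr)         # interface vlan 1 / ip address / no shutdown
        lab.switches[name] = sw
    lab.cables = {("sw0", "Fa0/2"): ("sw1", "Fa0/2"), ("sw1", "Fa0/2"): ("sw0", "Fa0/2")}
    lab.pcs = {
        "PC0": (IPv4Interface("192.168.1.1/24"), "sw0", "Fa0/1"),
        "PC1": (IPv4Interface("192.168.1.2/24"), "sw1", "Fa0/1"),
        "PC2": (IPv4Interface("192.168.2.1/24"), "sw0", "Fa0/3"),
        "PC3": (IPv4Interface("192.168.2.2/24"), "sw1", "Fa0/3"),
    }
    return lab
```

Running `build_lab()` and asking `can_ping("PC0", "PC1")` gives True (both in VLAN10, joined by the trunk), `can_ping("PC0", "PC2")` gives False (VLAN10 against VLAN20), and `can_manage("PC0", "sw0")` stays False until `interface_vlan(10, "192.168.1.10/24")` is added on sw0, which is exactly the reason the lesson gives for a management address per VLAN. The model also shows the earlier, pre-trunk state: with Fa0/2 on both switches in access mode for VLAN10, PC0 and PC1 still reach each other, while VLAN20 no longer crosses between the switches.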

In today's video, we discussed many topics: basic switch settings, creating VLANs, assigning ports to VLANs, assigning management IPs for VLANs, and configuring trunks. Don't worry if you did not understand everything; that is natural, because VLANs are a very complex and extensive topic, which we will return to in the following lessons. I guarantee that with my help you can become VLAN "masters", but the point of this lesson was to clarify 3 questions for you: what VLANs are, why we need them and how to configure them.



Source: habr.com
