So, tell me what you think: is it better to have one large network or a few smaller networks? This is a question you're going to face eventually, if you haven't already, and at some point you'll realize that in many cases it's easier to cut a network up into smaller parts. Maybe you'll do this for security, or to make the network easier to manage. In any case, a critical piece of the puzzle you'll need is the VLAN, and that's the core of this article: we're talking about what VLANs do and why we use them.
Why do we need VLANs?
We've talked about LANs, or local area networks, before. The trouble with LANs is that it's hard to define what they are. To some people a LAN is the entire network in a building; to others a LAN is a part of the network connected with routers. For this article, though, we're going to define a LAN as a layer 2 broadcast domain. You'll probably remember from the last article that we talked about a broadcast frame, with a destination MAC address of all F's, which goes to all devices. Switches and bridges will forward these frames out; routers will receive them but won't pass them on. This as a whole is our layer 2 broadcast domain, and for this article that is what we're calling a LAN. We're using the symbol here, with devices connected to it, to represent each LAN.

As I said earlier, though, we might want to cut this up into smaller networks. Take this network, for example, where everything is on one single LAN. Maybe this isn't suiting our needs: maybe the servers have sensitive information on them and should be kept separate from the rest of the network. One thing we can do is cut this into two separate LANs: we keep our servers on one LAN and everything else on the other. If we want, we could even put a firewall between the two networks. We haven't talked about firewalls yet, but no doubt you've heard of them; they are security devices we can use to permit or deny different types of traffic. So by creating two different LANs we can put a firewall in between, and now we're in control of the type of traffic that goes between the regular network and the server network. We'll have a look at creating these permit and deny rules in a few articles' time, but for now we're focusing on how to break one LAN into smaller LANs.

So how do we break a LAN into smaller LANs? An obvious solution is to buy an extra switch: the regular LAN can use one switch and the server LAN can use the other, and they can be joined together with another device such as a router or a firewall. The problem is that this is often expensive, especially if we want to create lots of LANs, not just two.
How VLANs work
Fortunately, we can create virtual LANs, also known as VLANs, on our switch. Think of this as if you've got a few different switches inside that one box: some ports will be part of one VLAN, while other ports will be part of a different VLAN. I want to be forthright with you here and say that everyone has trouble understanding VLANs to start with, and that is completely fine. I think they will make more sense over time as you use them more often, so don't worry too much if you don't get all of this right away; you will definitely get there and it will all make sense.

I won't spend a lot of time on this, but there are a few other reasons why we might use VLANs. We've already spoken about security and removing the need to buy more hardware. Another thing we can do is separate devices by their function, which can be a tool for making management easier. We could use this to separate a guest network for office visitors, or perhaps a separate network for each department in the office, but we could also use it to separate certain types of traffic. For example, we can have a data VLAN for regular traffic and a completely separate VLAN for voice traffic. This way we can apply different settings to each VLAN, which we can use to commit different resources depending on their needs. We can also limit broadcasts and flooding with VLANs. We'll see more on this soon, but as each VLAN is a separate network, we can restrict traffic to a single VLAN rather than letting it flood everywhere. This is also a way of creating smaller failure domains: say something goes wrong on one VLAN. It depends on the failure, but the problem may be restricted to just that one VLAN rather than spreading to the entire network. If you can think of more reasons you might want to use VLANs, put them in the comments below.

So now let's take a few moments to try to understand how VLANs work under the hood, and a bit later on we'll put it into practice in a lab. Each VLAN has an identifier. This ID is just a number that's used to identify each VLAN; it is a 12-bit number ranging from 0 to 4095. However, ID 0 and ID 4095 are both reserved, so our usable range is from 1 to 4094. Each port on a switch is assigned to a VLAN by using this ID, and when we add VLANs to a switch we change the broadcast domain: if a broadcast frame arrives at a switch port it will be sent out all other ports in the same VLAN, but it will not be sent to ports in other VLANs. The same is true with flooding: if a frame needs to be flooded it will only be flooded on ports within that VLAN, and with less flooding we reduce our security risk.

VLANs are a switching technology which operates at layer 2, but as you know from the OSI and TCP/IP articles, there are other layers in the network that need to interact with each other. IP addressing, for example, is a layer 3 technology, but IP addresses and subnets still interact with VLANs. Typically you would have one subnet per VLAN. This is not a technical requirement; you could have devices from different subnets in a single VLAN, but this is considered poor form, as we like nice boundaries between our networks. So try to remember this best practice: one subnet per VLAN.

When it comes to VLANs, Cisco do a couple of things a little differently to the standard, mostly just things from the old days that have hung around. So the VLAN range is from 1 to 4094, but on many of their switches Cisco reserve VLANs 1002 to 1005 for compatibility with their older equipment. Cisco also break the VLAN space into two ranges, called normal and extended. Their original switches only supported the normal range, with the extended range being added later. Inside some of their switches the normal range is handled a little differently to the extended range; Cisco also use technologies like VTP which handle these ranges differently. This is something we're not going to cover in this series, but if you continue on to do Cisco's ICND2 exam you will come across this technology. We'll also see in the next article that some of Cisco's terminology is very different to everyone else's.
Routing between VLANs
I think there might be a question in the back of your mind: how do we get devices on different VLANs to talk to each other? After all, some separation is good, but we still have a network to run and we still need communication. That is a good question. In most cases we will need to allow some traffic between devices in different VLANs, and if you know your OSI and TCP/IP models well, it's going to pay off for you now. I've said this before, but it bears repeating: VLANs are a switching technology, and they live at layer 2. They provide a layer 2 boundary, and frames from one VLAN will not pass through to another VLAN, so we use technologies in other layers to help. This is where layer 3 comes in. Layer 3 is all about IP addressing and moving packets from one network to another, and this is what routers are made for.

Each VLAN should be associated with only one subnet. The router has an interface connected to each VLAN, and each interface is configured with an IP address from that subnet. Devices in each network configure their default gateway to be the IP address of the router. When a device needs to send a frame outside its local VLAN, it sends the frame to the router, using the MAC address of the router as the destination address. The router, as it is connected to both networks, knows where to send the frame, so it rewrites the destination address field with the MAC address of the destination device and then forwards the frame on. This has been a quick refresher of some previous articles, so if you want to look at this in more detail again, take a look back at the cabling and devices article.

You may be wondering at this point how the devices and the router know which IPs match up to which MAC addresses; after all, they have to work with both of these. That is a very good question. The short answer is that they use a protocol called ARP, or Address Resolution Protocol. We'll go into the details of how this works in a few articles' time, but basically the devices broadcast an ARP message asking who owns a particular IP address, and if the owner is in the local network it responds with its MAC address. Don't worry too much if this is not making a lot of sense yet; I'll explain this one in more detail in a few articles' time.
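To make the last two sections concrete, here is a small Python model of a VLAN-aware switch plus a router with one interface in each VLAN. It is an added example, not code from the original article: it shows broadcasts and unknown-unicast floods staying inside the VLAN of the ingress port, MAC learning per VLAN, and the router rewriting the destination MAC when a frame crosses from VLAN 10 to VLAN 20. The port names, MAC addresses and ARP table are constructed; the VLAN numbers and 192.168.10.x / 192.168.20.x addressing follow the lab described later in the article, and the `router_ports_up` switch mirrors the lab's initially disabled router ports.

```python
BROADCAST = "ff:ff:ff:ff:ff:ff"

def vlan_id_ok(vid, cisco=True):  # 1-4094 usable (0 and 4095 reserved); many Cisco switches also reserve 1002-1005
    return 1 <= vid <= 4094 and not (cisco and 1002 <= vid <= 1005)

class Switch:
    def __init__(self):
        self.port_vlan, self.mac_table = {}, {}   # port -> VLAN ID; (VLAN, MAC) -> port learned from source addresses

    def access(self, port, vid):                  # the model's equivalent of 'switchport access vlan <vid>'
        if not vlan_id_ok(vid):
            raise ValueError(f"VLAN {vid} is not usable")
        self.port_vlan[port] = vid

    def forward(self, in_port, src, dst):         # return the egress ports for one frame arriving on in_port
        vid = self.port_vlan[in_port]
        self.mac_table[(vid, src)] = in_port      # learn the source MAC in this VLAN
        known = self.mac_table.get((vid, dst))
        if dst != BROADCAST and known is not None:
            return set() if known == in_port else {known}          # known unicast: one port
        return {p for p, v in self.port_vlan.items() if v == vid and p != in_port}  # flood within the VLAN only

# Constructed lab: host -> (switch port, MAC, IP, default gateway); router -> gateway IP -> (port, MAC, VLAN)
HOSTS = {"ws1": ("Gi0/2", "aa:00:00:00:00:01", "192.168.10.1", "192.168.10.254"),
         "ws2": ("Gi0/3", "aa:00:00:00:00:02", "192.168.10.2", "192.168.10.254"),
         "srv1": ("Gi0/4", "bb:00:00:00:00:01", "192.168.20.1", "192.168.20.254"),
         "srv2": ("Gi0/5", "bb:00:00:00:00:02", "192.168.20.2", "192.168.20.254")}
ROUTER = {"192.168.10.254": ("Gi0/1", "cc:00:00:00:00:10", 10),
          "192.168.20.254": ("Gi0/0", "cc:00:00:00:00:20", 20)}
ARP = {**{h[2]: h[1] for h in HOSTS.values()}, **{ip: r[1] for ip, r in ROUTER.items()}}  # IP -> MAC, as if resolved
def subnet(ip): return ip.rsplit(".", 1)[0]       # /24 networks assumed, one subnet per VLAN

def build_lab(router_ports_up=True):
    sw = Switch()
    for port, _, ip, _ in HOSTS.values():
        sw.access(port, 10 if subnet(ip) == "192.168.10" else 20)
    for port, _, vid in (ROUTER.values() if router_ports_up else ()):   # the lab first leaves these disabled
        sw.access(port, vid)
    return sw

def send_ip(sw, src_name, dst_ip):   # one IP packet from a host -> (ports receiving the final frame, routed?)
    port, mac, ip, gw = HOSTS[src_name]
    next_hop = ARP[dst_ip] if subnet(dst_ip) == subnet(ip) else ARP[gw]   # local delivery, or send to the gateway MAC
    egress = sw.forward(port, mac, next_hop)
    gw_port, gw_mac, _ = ROUTER[gw]
    if next_hop == gw_mac and gw_port in egress:   # the router received it: rewrite dst MAC and send out the other VLAN
        out_port, out_mac, _ = next(r for g, r in ROUTER.items() if subnet(g) == subnet(dst_ip))
        return sw.forward(out_port, out_mac, ARP[dst_ip]), True
    return egress, False
```

With the router ports down, a packet from ws1 to srv1 only floods the VLAN 10 ports and never reaches VLAN 20; with them up, it is delivered on the VLAN 20 side with the router's MAC as the new source.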
But before we move on, take a moment to challenge your understanding with these five questions. Don't just go straight for the answers, though; try to work them out for yourself.
And now it's time to see it in action. This is our topology. What we have here are two different ways to view our lab network. On the right we have the physical diagram; as the name suggests, this describes how our network physically connects together. It includes details like the devices used, in our case a single physical switch, and the ports that the cables connect to. On the left is our logical diagram. Now that we're using VLANs there's a lot happening inside the switch that we can't physically see, so we use a separate logical diagram to explain what's happening internally. From these two diagrams we can see that we have two workstations on VLAN 10, two servers on VLAN 20, and a router joining the two VLANs.

So in this lab we're going to configure VLAN 10 and 20 and put all of these devices inside them. To start with, the interfaces that the router is connected to will be left disabled. We'll do this so we can truly see the traffic separation, and eventually we'll enable them so we can see routing between the two VLANs. As always, parts of this lab are pre-configured to save time. Lab files are downloadable for the channel supporters; I recommend downloading the lab or building it from scratch so you can try it out yourself.

Our first step is to jump onto our switch and create our VLANs. The VLAN ID is the important part here; we can optionally give each VLAN a name, but this is just for organizational purposes and it's not mandatory. If we want to see the VLANs we've created we use show vlan brief. This shows us all the VLANs on the switch, including the ones we've just created: the VLAN IDs, their names, their statuses, and the ports that use them. Notice there are a few extra VLANs. These include the reserved VLANs that we've already talked about, VLAN 1, which is always there by default, and VLAN 2, which my lab software created on its own for some reason.

But for VLANs to have an effect we need to add in a few interfaces. To do this we start by entering interface configuration mode. VLANs are set with the switchport command. There are plenty of switchport options, but the one we want right now is access. We'll talk more about access, trunk and voice ports in the next article, but basically an access port has a printer, workstation, server or some other end device connected to it. Access ports are the ones you'll see most often, so we'll finish up with switchport access vlan 10 and bring the port up. This puts the port in VLAN 10, as the command suggests. Of course, we need to set our other three ports in the same way: one more in VLAN 10 and two in VLAN 20. If we go back and look at our VLAN list again, we can see that VLAN 10 and 20 are now assigned to a few ports.

If we move over to workstation 1 we can test this with a tool called ping. You may be familiar with this tool already, but we haven't discussed it before, so let me give you a quick overview. This tool is going to be your best friend. Ping sends a small piece of information over the network to an IP address; if the IP is reachable, the destination sends a small message back as a response. Have you seen the movie The Hunt for Red October? The captain uses sonar to ping the other submarine: "verify our range to target, one ping only". Just like that, we're sending out our message, and if we see a response we know that it's working. So let's ping workstation 2. We're getting responses back, which is great; that means our VLAN is working. What happens if we try to ping server 1? We don't get a response, but that is not surprising. After all, this is what we wanted: workstations and servers are in different VLANs and therefore they can't reach each other.

But what if we do want them to reach each other? To join the two networks we need to use our router. First we have a quick look at the workstation settings. We can see here that our IP address is 192.168.10.1, and let's have a look at the default gateway. That's not fitting on the screen very well, so just let me expand this and we'll try it again. That's much better: our workstation uses 192.168.10.254 as the default gateway. This is our router, but we can't reach it yet as we haven't configured the switch ports that it connects to, so let's do that now. This is the same as before. The router is connected to two interfaces on the switch; we need to put one into VLAN 10 and one into VLAN 20. Sorry, I've got this back to front: in this lab Gi0/1 is in VLAN 10. The router itself is already configured, so we won't worry about that right here in this lab. But is it working? Let's go back to the workstation to find out. To start with we'll try to ping the router itself, and that's working well. Now we'll try to ping a server in a different VLAN, and that's good too.

But how do we know that this traffic is actually going through the router and it's not some sort of switching trickery? Let me show you another tool. You may also have seen this one, but if you haven't, this is going to be your second best friend: it's called traceroute. This is just like ping, as it sends small pieces of information and looks for responses, but it doesn't just test the end of the path; it tries to find each layer 3 device along the path. So what it will do is find the IP addresses of every router along the path from the start to the finish, and you can see here that our router is indeed in this path. If we wanted to, we could add some rules to the router to allow some traffic but not others. This is something we'll do in a few articles' time, so watch out for that one.

Now I want to give you a little bit of bonus information; feel free to skip this if you want to. Notice that when I use traceroute the command has a dash n. Do you want to know why? I use this to speed up traceroute. By default, traceroute tries to figure out the hostname of every device in the network path. Our network is just not set up for this, so I add the -n to tell it not to bother trying to figure out the name of every device, and just give me their IP addresses. As you can see, without the -n it takes a lot longer, and I mean a lot longer: traceroute is trying to work out the names of every device in the path using a system called DNS, and that is something we'll cover later on in a different article. And if you're wondering, it's -n in Linux but -d in Windows.

So are you feeling comfortable with VLANs now? I really hope you are, but don't worry if you just don't get it yet. We'll add some more detail in the next article, where we're going to look at stretching our VLANs across a few different switches. So if you don't get it right now, stick with me and we'll clear it up. I hope to see you in the next article.