Xander Billa

VLAN or Virtual LAN

Updated: Sep 12, 2022

When it comes to separating multiple domains, we can use a concept called VLAN. In this article I will explain what a VLAN is and give a brief walkthrough of its configuration. Let’s look at VLAN and Trunk.


Why VLAN?

In the old days, years ago, we used bridges to separate broadcast domains. Say, in the picture below, I have separated two different departments, i.e., SALES and DEVOPS, into two different broadcast domains.


This increased the cost of hardware, and the bridge was not suitable or up to the mark in many respects, so network engineers decided to replace it with something we know as a switch.


A switch helps separate broadcast domains using a single network device and provides various features. We can achieve all those features using this one network device.


What is VLAN?

A VLAN, also called a virtual LAN, is a logical separation of the ports on the same switch: the VLAN divides the ports into different subnets and broadcast domains.


Features:

Using VLANs offers various features, such as:

  • It separates the broadcast domain. As I already mentioned, it divides multiple groups of PCs into small chunks. That is helpful when applying policies and security, and it provides better security. Say we want some users to access a server and others not. We could achieve this without VLANs, but it would be more complex, so in that case we use VLANs.

  • It controls broadcasts such as ARP. When a frame reaches the switch and does not contain a unicast/multicast address, the switch broadcasts the frame to all connected devices except on the wire it was received on. Once it enters a user's PC it reaches the CPU, and the processing, or you could say the investigation, of that frame starts. In this way a PC may receive a large number of broadcasts to process, and that can affect other processes running on the PC: email may take time to load, a requested web page may load slowly, or any other process that uses the network may suffer. VLANs prevent such incidents.

  • It provides hierarchical subnet usage.

VLAN Configuration

The configuration is easy and simple. Just start a switch and go to configuration mode.

Note: When we start a switch, all ports are administratively up by default once the switch is powered on, whether or not we connect a wire to the port.

VLAN Ranges

We can create any number of VLANs in the range 1 to 4094.

Note: By default, all the ports of a switch are assigned to VLAN 1.

The VLAN range is divided into 3 parts: the normal VLAN range, the reserved VLAN range and the extended VLAN range.

  • 1 – 1001 are the usable, or normal, VLAN range.

  • 1002 – 1005 are reserved for token rings.

  • 1006 – 4094 are the extended VLAN range.

Config

SW# config t
SW(config)# vlan <vlan-id>
SW(config-vlan)# name <vlan-name>
SW(config-vlan)# end

Once we have created a VLAN with any VLAN number and an (optional) name, it’s time to assign port(s) to that VLAN. A switch is not a magical device: we have to tell it which ports need to be assigned to that VLAN.

To assign a VLAN to a port, we first have to declare the port as an access port; only then can we assign the VLAN to that port.

An access port is a switchport configured for only a single broadcast domain (VLAN).


Access port configuration:

SW(config)# interface <interface-name or range>
SW(config-if)# switchport mode access
SW(config-if)# switchport access vlan <vlan-id>

Note: On a switchport, the mode dictates what the interface is doing.

Verification

SW# show vlan brief 
SW# show vlan <vlan-id>
SW# show interface status

Example


Let's say we have a topology containing a switch and 4 PCs.


Connect each host to the switch, assign addresses and check the connectivity. In my case:


PC1 - 192.168.1.1

PC2 - 192.168.1.2

PC3 - 192.168.1.3

PC4 - 192.168.1.4


As we know, initially all ports of a switch are assigned to VLAN 1 by default. To verify, hit the verification command, i.e.,


For now all the ports can access each other; in other words, PCs connected to the same switch can access the other PCs.


Let's create two different VLANs, i.e., VLAN 10 and VLAN 20, with the names DEV and PAYROLL. To create the VLANs, enter the configuration commands, i.e.,


ROOT# config t
ROOT(config)# vlan 10
ROOT(config-vlan)# name DEV
ROOT(config-vlan)# exit
ROOT(config)# vlan 20
ROOT(config-vlan)# name PAYROLL
ROOT(config-vlan)# end

We are not done yet; we have only created the VLANs. If we verify, you'll notice that the VLANs are created and active by default, but the network is still the same: all PCs can talk to each other.



Now it's time to assign the VLANs to their respective interfaces.

From the picture above we can see that interfaces Fa0/1 and Fa0/2 are assigned to VLAN 10 (DEV), whereas Fa0/3 and Fa0/4 are assigned to VLAN 20 (PAYROLL). To do that, we must declare each interface as an access port and then assign the respective VLAN to it.

ROOT(config)# interface range Fa0/1 - 2
ROOT(config-if-range)# switchport mode access
ROOT(config-if-range)# switchport access vlan 10
ROOT(config-if-range)# exit
ROOT(config)# interface range Fa0/3 - 4
ROOT(config-if-range)# switchport mode access
ROOT(config-if-range)# switchport access vlan 20

Now we have assigned the interfaces to their respective VLANs. We now have two subdomains named PAYROLL and DEV. Both networks are separated, which means no PC in one VLAN can talk to a PC in the other.


Notice that the interfaces we assigned now belong to VLAN 10 and VLAN 20.

Note: We cannot delete VLAN 1 (Default VLAN)

To verify the connectivity, send a ping request from PC1 to PC2 and PC3. You'll notice that PC2 is able to reply to the ping but PC3 is not, because it belongs to a different domain from the one PC2 belongs to.
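
The same separation can be checked from the switch side. The Python script below is an added example, not part of the original article: it parses show vlan brief output, reports whether two ports share a VLAN, and lists ports still sitting in the default VLAN 1. The output text is a constructed sample, and the cabling of PC1 to PC4 onto Fa0/1 to Fa0/4 is an assumption.

```python
import re

# Constructed sample of "show vlan brief" output for the 4-PC example above
# (not captured from a real switch). Long port lists wrap onto continuation
# lines that begin with whitespace; VLANs without ports have an empty column.
SAMPLE = """\
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                Fa0/9, Fa0/10
10   DEV                              active    Fa0/1, Fa0/2
20   PAYROLL                          active    Fa0/3, Fa0/4
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
"""

ROW = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s*(.*)$")  # id, name, status, ports

def parse_vlan_brief(text):
    """Return {vlan_id: {"name": str, "status": str, "ports": [str, ...]}}."""
    vlans, current = {}, None
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            current = int(m.group(1))
            vlans[current] = {"name": m.group(2), "status": m.group(3), "ports": []}
            ports = m.group(4)
        elif current is not None and line[:1].isspace() and line.strip():
            ports = line  # wrapped continuation of the previous VLAN row
        else:
            continue  # header, separator or blank line
        vlans[current]["ports"] += [p.strip() for p in ports.split(",") if p.strip()]
    return vlans

def same_vlan(vlans, port_a, port_b):
    """True when both ports are listed under the same VLAN (same broadcast domain)."""
    owner = {p: vid for vid, v in vlans.items() for p in v["ports"]}
    return port_a in owner and owner[port_a] == owner.get(port_b)

def ports_in_default_vlan(vlans):
    """Ports never moved out of VLAN 1, where every port starts by default."""
    return list(vlans.get(1, {}).get("ports", []))

if __name__ == "__main__":
    vlans = parse_vlan_brief(SAMPLE)
    # Assumption: PC1..PC4 are cabled to Fa0/1..Fa0/4 in that order.
    print("PC1 <-> PC2 same VLAN:", same_vlan(vlans, "Fa0/1", "Fa0/2"))
    print("PC1 <-> PC3 same VLAN:", same_vlan(vlans, "Fa0/1", "Fa0/3"))
    print("Still in VLAN 1:", ports_in_default_vlan(vlans))
```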



Hence this is how VLANs work and are configured! Hope this will be useful.

Happy Learning! :)
