Virtual LANs (VLANs)

A VLAN (Virtual Local Area Network) is a logical grouping of devices on different physical network segments into a single broadcast domain.

VLANs provide network segmentation without requiring separate physical switches.

Why Use VLANs?

Benefits:

  • Security: Isolates sensitive traffic from general network
  • Performance: Reduces broadcast domain size, improving bandwidth
  • Flexibility: Logically groups users regardless of physical location
  • Cost-effective: No need for separate physical infrastructure
  • Simplified management: Easier moves, adds, and changes

How VLANs Work

Without VLANs, all ports on a switch belong to one broadcast domain.

With VLANs, you create multiple isolated broadcast domains on a single switch.

Key Concepts:

  • VLAN 1: Default VLAN (all ports start in it, and it is the default native VLAN on trunks); cannot be deleted
  • Data VLANs: Carry user-generated traffic (VLAN 10-1005)
  • Voice VLANs: Dedicated for VoIP traffic
  • Management VLAN: Used for switch management

Configuration Example

Scenario: Office Network Segmentation

Requirements:

  • VLAN 10: Management (IT Department)
  • VLAN 20: Sales Department
  • VLAN 30: Finance Department
  • VLAN 40: Guest Network

Basic VLAN Configuration

Switch(config)# vlan 10
Switch(config-vlan)# name MANAGEMENT
Switch(config-vlan)# exit

Switch(config)# vlan 20
Switch(config-vlan)# name SALES
Switch(config-vlan)# exit

Switch(config)# vlan 30
Switch(config-vlan)# name FINANCE
Switch(config-vlan)# exit

Switch(config)# vlan 40
Switch(config-vlan)# name GUEST
Switch(config-vlan)# exit

Assigning Ports to VLANs (Access Ports)

Switch(config)# interface FastEthernet0/1
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 10
Switch(config-if)# exit

Switch(config)# interface range FastEthernet0/2-5
Switch(config-if-range)# switchport mode access
Switch(config-if-range)# switchport access vlan 20
Switch(config-if-range)# exit

Switch(config)# interface range FastEthernet0/6-10
Switch(config-if-range)# switchport mode access
Switch(config-if-range)# switchport access vlan 30
Switch(config-if-range)# exit

Switch(config)# interface range FastEthernet0/11-15
Switch(config-if-range)# switchport mode access
Switch(config-if-range)# switchport access vlan 40

Verification Commands

Switch# show vlan brief

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/16-24, Gi0/1-2
10   MANAGEMENT                       active    Fa0/1
20   SALES                            active    Fa0/2-5
30   FINANCE                          active    Fa0/6-10
40   GUEST                            active    Fa0/11-15

Switch# show interfaces FastEthernet0/2 switchport
Name: Fa0/2
Switchport: Enabled
Administrative Mode: access
Operational Mode: access
Access Mode VLAN: 20 (SALES)
Trunking Native Mode VLAN: 1 (default)

VLAN Trunking (Inter-Switch Communication)

To allow VLANs to span multiple switches, configure the inter-switch links as trunk ports using 802.1Q. Each frame crossing the trunk carries a tag that identifies its VLAN, except frames of the native VLAN, which are sent untagged; the native VLAN (99 in the example below) should therefore be created on the switch and must be the same at both ends of the link.

Trunk Configuration

Switch(config)# interface GigabitEthernet0/1
Switch(config-if)# switchport trunk encapsulation dot1q
Switch(config-if)# switchport mode trunk
Switch(config-if)# switchport trunk allowed vlan 10,20,30,40
Switch(config-if)# switchport trunk native vlan 99
Switch(config-if)# exit

Verification:

Switch# show interfaces trunk

Port        Mode         Encapsulation  Status        Native vlan
Gi0/1       on           802.1q         trunking      99

Port        Vlans allowed on trunk
Gi0/1       10,20,30,40

Port        Vlans allowed and active in management domain
Gi0/1       10,20,30,40
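As an added illustration of what the trunk above does on the wire (example code, not part of the original post): the parser below decodes the 802.1Q tag a trunk port inserts and shows that an untagged frame is simply assigned the receiving port's native VLAN, which is why the native VLAN must match on both ends. The frame bytes are constructed for the example.

```python
import struct

TPID_8021Q = 0x8100  # Tag Protocol Identifier: this EtherType value marks an 802.1Q-tagged frame

def tag_frame(frame: bytes, vid: int, pcp: int = 0) -> bytes:
    """Insert an 802.1Q tag after the source MAC, as a trunk port does on egress."""
    if not 1 <= vid <= 4094:
        raise ValueError("VID must be 1-4094 (0 and 4095 are reserved)")
    tci = ((pcp & 0x7) << 13) | vid  # TCI = PCP (3 bits) | DEI (1 bit, 0 here) | VID (12 bits)
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]

def parse_frame(frame: bytes, native_vlan: int = 1) -> dict:
    """Decode the header of a frame received on a trunk whose native VLAN is native_vlan.

    Untagged frames, and priority-tagged frames whose VID is 0, carry no VLAN of their
    own, so the switch places them in the port's native VLAN. A native VLAN mismatch
    between the two ends of a trunk therefore bridges traffic between two VLANs.
    """
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    info = {"dst": dst.hex(":"), "src": src.hex(":"), "tagged": False, "pcp": 0, "dei": 0}
    vid, offset = 0, 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        info.update(tagged=True, pcp=tci >> 13, dei=(tci >> 12) & 1)
        vid, offset = tci & 0x0FFF, 18
    info["vid"] = vid or native_vlan  # VID 0 means "no VLAN": fall back to the native VLAN
    info["ethertype"] = ethertype
    info["payload"] = frame[offset:]
    return info

# Constructed sample: a broadcast ARP request as a PC sends it on an access port (untagged).
SAMPLE_ARP_UNTAGGED = (
    bytes.fromhex("ffffffffffff")    # destination: broadcast
    + bytes.fromhex("0200c0a8140a")  # source MAC (constructed, locally administered)
    + b"\x08\x06"                    # EtherType: ARP
    + bytes(28)                      # ARP body, zeroed; not needed for the header walk
)

if __name__ == "__main__":
    on_trunk = tag_frame(SAMPLE_ARP_UNTAGGED, vid=20, pcp=5)        # PC sits in VLAN 20 (SALES)
    print(parse_frame(on_trunk)["vid"])                              # 20
    print(parse_frame(SAMPLE_ARP_UNTAGGED, native_vlan=99)["vid"])   # 99: untagged -> native VLAN
```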

Inter-VLAN Routing (Router-on-a-Stick)

Hosts in different VLANs cannot communicate without a Layer 3 device (router or Layer 3 switch) routing between them.

Router Configuration

Router(config)# interface GigabitEthernet0/0
Router(config-if)# no shutdown
Router(config-if)# exit

Router(config)# interface GigabitEthernet0/0.10
Router(config-subif)# encapsulation dot1Q 10
Router(config-subif)# ip address 192.168.10.1 255.255.255.0
Router(config-subif)# exit

Router(config)# interface GigabitEthernet0/0.20
Router(config-subif)# encapsulation dot1Q 20
Router(config-subif)# ip address 192.168.20.1 255.255.255.0
Router(config-subif)# exit

Router(config)# interface GigabitEthernet0/0.30
Router(config-subif)# encapsulation dot1Q 30
Router(config-subif)# ip address 192.168.30.1 255.255.255.0

Layer 3 Switch (SVI) Method

Switch(config)# ip routing
Switch(config)# interface vlan 10
Switch(config-if)# ip address 192.168.10.1 255.255.255.0
Switch(config-if)# no shutdown
Switch(config-if)# exit

Switch(config)# interface vlan 20
Switch(config-if)# ip address 192.168.20.1 255.255.255.0
Switch(config-if)# no shutdown

Voice VLAN Example

Separates the IP phone's voice traffic from the PC's data traffic on the same access port: the phone tags its voice frames with the voice VLAN, while the PC's untagged frames stay in the access VLAN.

Switch(config)# interface FastEthernet0/5
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 20
Switch(config-if)# switchport voice vlan 50
Switch(config-if)# mls qos trust cos

Result: PC traffic uses VLAN 20, IP phone uses VLAN 50.

Troubleshooting Commands

Switch# show vlan
Switch# show vlan id 20
Switch# show interfaces switchport
Switch# show interfaces trunk
Switch# show mac address-table vlan 20

Best Practices

  1. Don't use VLAN 1 for production traffic (it is the default for every port and the default native VLAN, so unassigned or untagged traffic ends up in it)
  2. Document VLAN assignments clearly
  3. Use descriptive names for VLANs
  4. Limit which MAC addresses may use an access port with port security
  5. Prune unnecessary VLANs from trunks (switchport trunk allowed vlan)
  6. Use a dedicated, unused native VLAN other than 1 on trunks, and make sure it matches on both ends
  7. Limit broadcast domains to reasonable sizes (250-500 hosts)
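An added example, not from the original post, that turns best practices 1, 5 and 6 into a check over the text of "show vlan brief" and "show interfaces trunk". The sample output is constructed in the format shown above, with trunk Gi0/1 deliberately left at its defaults and Gi0/2 configured as in the trunk example.

```python
# Constructed sample output in the format of this page's verification commands:
# Gi0/1 is deliberately misconfigured, Gi0/2 matches the page's trunk example.
SHOW_VLAN_BRIEF = """\
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/16-24, Gi0/1-2
10   MANAGEMENT                       active    Fa0/1
20   SALES                            active    Fa0/2-5
30   FINANCE                          active    Fa0/6-10
40   GUEST                            active    Fa0/11-15
"""
SHOW_INTERFACES_TRUNK = """\
Port        Mode         Encapsulation  Status        Native vlan
Gi0/1       on           802.1q         trunking      1
Gi0/2       on           802.1q         trunking      99

Port        Vlans allowed on trunk
Gi0/1       1-4094
Gi0/2       10,20,30,40
"""

def parse_vlan_brief(text):  # {vlan_id: ports column}; '' means no ports assigned
    rows = [line.split(None, 3) for line in text.splitlines()]
    return {int(r[0]): (r[3].strip() if len(r) > 3 else "") for r in rows if r and r[0].isdigit()}

def parse_trunks(text):  # {port: {'native': id, 'allowed': set of ids}}
    trunks, section = {}, None
    for cols in (line.split() for line in text.splitlines() if line.strip()):
        if cols[0] == "Port":  # each column header starts a new section of the output
            section = "native" if "Native" in cols else "allowed" if cols[-1] == "trunk" else None
        elif section == "native":
            trunks.setdefault(cols[0], {})["native"] = int(cols[4])
        elif section == "allowed":  # expand '10,20,30,40' or '1-4094' into a set of ids
            ranges = [p.partition("-") for p in cols[1].split(",")]
            allowed = {v for lo, _, hi in ranges for v in range(int(lo), int(hi or lo) + 1)}
            trunks.setdefault(cols[0], {})["allowed"] = allowed
    return trunks

def audit(vlan_brief, trunk_text):
    """Findings for best practices 1, 5 and 6: VLAN 1 in use, unpruned trunks, native VLAN 1."""
    vlans, trunks = parse_vlan_brief(vlan_brief), parse_trunks(trunk_text)
    findings = [f"VLAN 1 still has ports assigned: {vlans[1]}"] if vlans.get(1) else []
    for port, t in trunks.items():
        if t.get("native") == 1:
            findings.append(f"{port}: native VLAN is 1")
        unpruned = [v for v in t.get("allowed", ()) if not vlans.get(v)]
        if unpruned:
            findings.append(f"{port}: {len(unpruned)} allowed VLAN(s) carry no ports here; prune the trunk")
    return findings
```

Paste a real switch's output in place of the two constants to audit it; the checks only see what those two commands show, so a native VLAN that matches on both ends still has to be confirmed on the neighbour.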

VLANs are essential for modern network design, providing logical segmentation, improved security, and efficient traffic management across enterprise networks.