Wednesday, January 26, 2011

Introduction to VLANs

VLANs, or Virtual Local Area Networks, used to confuse me to a great extent.  I understood the concept, but didn't quite get when they would actually be implemented.  Moreover, I needed to practice implementing them to remember the commands.  Looking back, VLANs are incredibly simple, powerful, and useful.

At its core, a VLAN is a way to divide up a network.  A simple way to remember it is that a VLAN = a subnet.  I mean this in the sense that they're both ways to divide up a network.  Two VLANs cannot talk to each other without a router, just like two subnets cannot talk to each other without a router.  What's the point of doing this?  Well, remember that all devices on a subnet share a broadcast domain.  While this isn't a big deal on a subnet of 6 computers, imagine hundreds of computers and servers sending broadcasts.  It can really slow down a network.  There's also a good security application.  Say you are an administrator at a high school where there are two labs: one lab houses all the student computers, and the other lab is for teachers.  Obviously you wouldn't want the students to have access to the teachers' computers, so you decide to place the labs on separate VLANs.  Now students can't access the teachers' computers, mission accomplished.

Let's consider a different scenario.  You're a Network Administrator at a company that has multiple departments.  You've noticed traffic is being dropped left and right because there's just too much broadcast traffic clogging up your switches.  So you decide to segment each department into its own VLAN.

There are the following departments in your building:
Sales - 20 users
Billing - 16 users
Customer Support - 2 users (Thus the typical 50 minute wait to get support)

Your Network looks like this, where each computer represents all the machines in that department.

So the way the network is currently set up, each time a machine sends a broadcast, every other machine connected to that switch hears it.  This is bad.  The network is congested, and you can't afford another switch.  VLANs to the rescue!  By placing each department in a separate VLAN, you will segment the network, and the switch will only send broadcasts from Billing to the other machines that are in the Billing VLAN.  This way, a Sales broadcast will never be heard by a Billing machine.  Wait, you say.  What if the Sales computers need to talk to the Billing computers?  Won't they be unable to now?  Correct, but there's a reason there's a router in this picture.  What you can do is configure inter-VLAN routing, but we'll get to that later.

Let's get down to configuring our VLANs on the switch.  We'll make
Billing = VLAN 10
Sales = VLAN 20
Tech Support = VLAN 30

Switch> en
Switch# conf t
Switch(config)# vlan 10
Switch(config-vlan)# name BILLING
Switch(config-vlan)# exit
Switch(config)# vlan 20
Switch(config-vlan)# name SALES
Switch(config-vlan)# exit
Switch(config)# vlan 30
Switch(config-vlan)# name TECHSUPPORT
Switch(config-vlan)# exit
Switch(config)# end

Now all our VLANs have been created.  To confirm, let's run:

Switch# show vlan brief

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa1/1, Fa2/1, Fa3/1
10   BILLING                          active
20   SALES                            active
30   TECHSUPPORT                      active
1002 fddi-default                     active
1003 token-ring-default               active
1004 fddinet-default                  active
1005 trnet-default                    active

Great, you can see that our VLANs have been created.  VLAN 1 is the default VLAN for all ports, and the last four are standard on Cisco routers, but rarely used anymore.  You can see all four ports are assigned to VLAN 1, the management VLAN, so although we created our VLANs, there's nothing in them.  Let's change that.

Now, there are two kinds of ports in the VLAN world: access ports and trunk ports.  (There's also dynamic mode, which negotiates trunk or access automatically, but for various reasons we'll avoid it.)  Access ports are designed for the hosts.  Trunk ports carry VLAN information over links, for the case where there are multiple switches with machines on the same VLAN or you need to perform inter-VLAN routing.  For now, we'll set the switch ports connecting to the hosts to access mode and put them in their respective VLANs.


Switch# conf t
Switch(config)# int fa1/1
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 10
Switch(config-if)# int fa2/1
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 20
Switch(config-if)# int fa3/1
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 30
Switch(config-if)# end

Switch# show vlan brief

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1
10   BILLING                          active    Fa1/1
20   SALES                            active    Fa2/1
30   TECHSUPPORT                      active    Fa3/1
1002 fddi-default                     active
1003 token-ring-default               active
1004 fddinet-default                  active
1005 trnet-default                    active

Done.  Machines in different departments can't talk to each other, broadcasts greatly reduced.  Machines in the same department can talk to each other.  Life is good.
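If you have to repeat the steps above for more than three ports, it is easy to fat-finger a VLAN id or put the same port in two VLANs.  The following is an added example, not code from the post: it takes a small plan (VLAN id, name, access ports; the PLAN below is constructed to mirror the post) and emits the same IOS commands the post types by hand, after refusing plans a switch would reject (ids outside 1-4094, the reserved ids 1002-1005, names longer than the 32 characters IOS allows) or that would silently misplace a host (a port listed under two VLANs).

```python
# Added example: generate the access-port VLAN configuration from a plan.
# Not the blog's own code; PLAN is a constructed sample matching the post.

# VLAN id -> (name, list of access ports). Constructed to match the post.
PLAN = {
    10: ("BILLING", ["fa1/1"]),
    20: ("SALES", ["fa2/1"]),
    30: ("TECHSUPPORT", ["fa3/1"]),
}

# Always present on a Catalyst switch and not usable for access ports.
RESERVED_VLANS = {1002, 1003, 1004, 1005}
MAX_NAME_LEN = 32  # IOS limit for "name" under vlan configuration


def plan_errors(plan):
    """Return a list of problems with the plan; an empty list means it is usable."""
    errors = []
    seen = {}  # lower-cased port name -> VLAN id that claimed it first
    for vid, (name, ports) in plan.items():
        if not 1 <= vid <= 4094 or vid in RESERVED_VLANS:
            errors.append(f"VLAN {vid} ({name}) is not usable for access ports")
        if not name or " " in name or len(name) > MAX_NAME_LEN:
            errors.append(f"VLAN {vid}: name must be one word of at most {MAX_NAME_LEN} chars")
        for port in ports:
            key = port.lower()
            if key in seen:
                errors.append(f"port {port} is in both VLAN {seen[key]} and VLAN {vid}")
            seen[key] = vid
    return errors


def ios_commands(plan):
    """Return the configuration lines in the order the post enters them.

    VLANs are created and named first, then each port is set to access mode
    and placed in its VLAN. Raises ValueError if the plan has errors.
    """
    errors = plan_errors(plan)
    if errors:
        raise ValueError("; ".join(errors))
    lines = ["configure terminal"]
    for vid, (name, _) in sorted(plan.items()):
        lines += [f"vlan {vid}", f" name {name}", " exit"]
    for vid, (_, ports) in sorted(plan.items()):
        for port in ports:
            lines += [
                f"interface {port}",
                " switchport mode access",
                f" switchport access vlan {vid}",
                " exit",
            ]
    lines.append("end")
    return lines


if __name__ == "__main__":
    print("\n".join(ios_commands(PLAN)))
```

Paste the printed lines into the switch console after "enable".  Any port you do not list stays in VLAN 1, which is exactly the Fa0/1 left in the default VLAN in the second listing above, so check plan_errors and the leftover ports before calling the job finished.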


Don't believe me?  Try it yourself.  Set up a small lab; if you're studying for a certification exam like me, I highly recommend it.  If not, there are several simulators available online.  Try pinging machines in different VLANs: it won't work!
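If you cannot get to a lab, you can at least model what the switch is doing.  The following is an added example, not code from the post: it parses the two "show vlan brief" listings above (transcribed here as constructed strings, BEFORE and AFTER, with the column spacing normalised), inverts them into a port-to-VLAN map, and answers the question the post asks, which ports hear a broadcast sent into a given port.  It also runs the two checks worth doing after any VLAN change: ports still sitting in VLAN 1, and VLANs that were created but never received an access port.  The handling of wrapped port lists (IOS continues a long Ports column on lines that start with whitespace) is based on real switch output but is not something the post shows, so treat it as an assumption.

```python
# Added example: parse "show vlan brief" and model the broadcast domains.
# Not the blog's own code; BEFORE and AFTER are transcribed from the post's
# two listings (constructed samples, not live captures).
import re

BEFORE = """\
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa1/1, Fa2/1, Fa3/1
10   BILLING                          active
20   SALES                            active
30   TECHSUPPORT                      active
1002 fddi-default                     active
1003 token-ring-default               active
1004 fddinet-default                  active
1005 trnet-default                    active
"""

AFTER = """\
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1
10   BILLING                          active    Fa1/1
20   SALES                            active    Fa2/1
30   TECHSUPPORT                      active    Fa3/1
1002 fddi-default                     active
1003 token-ring-default               active
1004 fddinet-default                  active
1005 trnet-default                    active
"""

RESERVED = {1002, 1003, 1004, 1005}  # always listed, never hold access ports
_ROW = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s*(.*)$")


def _split_ports(field):
    return [p.strip() for p in field.split(",") if p.strip()]


def parse_show_vlan_brief(text):
    """Return {vlan_id: {"name", "status", "ports"}} from 'show vlan brief' text.

    Assumption about IOS output: a Ports column too long for one line wraps
    onto continuation lines that begin with whitespace; those ports are
    appended to the previous VLAN's list.
    """
    vlans, last = {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith(("VLAN", "----")):
            continue  # header and separator
        if line[0].isspace() and last is not None:
            vlans[last]["ports"].extend(_split_ports(line))
            continue
        m = _ROW.match(line)
        if not m:
            continue
        vid = int(m.group(1))
        vlans[vid] = {"name": m.group(2), "status": m.group(3),
                      "ports": _split_ports(m.group(4))}
        last = vid
    return vlans


def port_vlan_map(vlans):
    """Invert the listing: {port_name: vlan_id}."""
    return {p: vid for vid, v in vlans.items() for p in v["ports"]}


def broadcast_receivers(port_map, src_port):
    """Ports that hear a broadcast sent into src_port: the rest of its VLAN.

    A VLAN is one broadcast domain, so nothing in another VLAN is returned;
    reaching those hosts needs the router (inter-VLAN routing).
    """
    vid = port_map[src_port]
    return sorted(p for p, v in port_map.items() if v == vid and p != src_port)


def audit(vlans):
    """Post-change checks: hosts left in VLAN 1, and VLANs with no ports."""
    return {
        "ports_in_default_vlan": sorted(vlans.get(1, {"ports": []})["ports"]),
        "empty_vlans": sorted(vid for vid, v in vlans.items()
                              if vid != 1 and vid not in RESERVED and not v["ports"]),
    }


if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        vlans = parse_show_vlan_brief(text)
        pm = port_vlan_map(vlans)
        print(label, "broadcast from Fa1/1 reaches:", broadcast_receivers(pm, "Fa1/1"))
        print(label, "audit:", audit(vlans))
```

Before the change, a broadcast into Fa1/1 reaches the other three ports; after it, none, which is the ping failure the post predicts.  One thing the model makes visible that the CLI does not: Fa0/1 is still in VLAN 1 after the change, so any host on it shares a broadcast domain with whatever else lands in the default VLAN later.  Once inter-VLAN routing is added, the separation between departments is no longer provided by the VLANs themselves and has to be enforced on the router with access lists.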

Thanks for reading!
