
VLANs understanding
effective subnetting within Layer 2, private VLANs and inter-VLAN routing

Sooner or later every expanding network has to be divided into broadcast domains. There are a few reasons to do so: to contain broadcast storms, to sort hosts into logical networks according to employees' functions, or to implement a higher level of security (VLAN access lists). So, how do we separate network traffic efficiently without involving Layer 3 and router ports?

I'm going to consider a network that consists of 2 switches placed on 2 different floors of a company. There are 2 departments, Engineering and Marketing, which are mixed across the 2 floors. The network scheme looks like the figure below.

[Figure: network scheme with two switches and the Engineering and Marketing departments spread over two floors]

Without VLANs we wouldn't be able to divide our network into 2 departments (logical networks) having only Layer 2 switches. VLAN 1 and VLAN 2 are not visible to each other. Thanks to this, we can significantly reduce broadcast storms. Broadcast storms are not a problem if you have 50 hosts in a network, but if your internal network has 1000 hosts they become a problem. What may trigger a broadcast storm? For instance an ARP request. Good practice is not to exceed 450 hosts per broadcast domain in IP networks (a /23 prefix). VLANs are responsible for nothing more than sorting out logical networks within a physical network. Of course, every single VLAN has a different addressing scheme. For example:

VLAN 1 – 192.168.1.0 /24

VLAN 2 – 192.168.2.0 /24

VLAN 3 – 192.168.3.0 /24

What happens if you create 3 VLANs within the same subnet? Nothing. Hosts won't be visible to each other, because VLANs work at Layer 2. So when your computer sends an ARP query for the MAC address of another host, even one in the same subnet but in a different VLAN, the switch will not forward this query to that VLAN, because from its point of view what matters is the VLAN configured on the port from which the host sends the ARP request. If the query was sent from VLAN 2, the switch will look for the ARP answer within VLAN 2 ports only!

How does a switch know which VLAN particular ports are assigned to? The switch stores a table of ports and their attached VLANs in memory. What if you don't want to attach a port to any VLAN? No problem: if you don't attach a port to any specified VLAN, it is placed in the NATIVE VLAN.

What happens if we have to send a frame to another switch on a different floor? Then the frames are tagged on the trunk port. A tag can be imagined as a label attached to every frame inside a switch that has VLANs. Frame tagging matters a great deal when you have to connect more switches carrying the same VLAN groups. The 802.1Q standard is responsible for frame tagging. Every frame that leaves a switch on a trunk port is tagged with the number of its VLAN, unless the port the frame comes from doesn't belong to any VLAN; then the untagged frame is sent through the native VLAN (VLAN 1 out of the box). The native VLAN numbers have to be the same on both connected switches, otherwise you will get a NATIVE VLAN MISMATCH error and the exchange of frames that don't belong to any VLAN won't be possible. The VLANs that have been set as native on the two sides will not work either, but the switches will still be able to exchange the other VLANs.
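As an added example (not code from the original post), here is a small Python model of the two points above: broadcast flooding stays inside one VLAN no matter what IP addresses the hosts use, and a trunk carries the VLAN number in an 802.1Q tag while frames in the native VLAN travel untagged, so two trunk ends with different native VLANs silently put those frames into different VLANs. The switch names, port names, port-to-VLAN assignments and the ARP frame are constructed for the example.

```python
import struct

TPID_8021Q = 0x8100   # EtherType value that announces an 802.1Q tag
ETH_ARP = 0x0806
BROADCAST = b"\xff" * 6


def build_frame(dst, src, ethertype, payload, vlan=None):
    """Ethernet II frame; with vlan set, insert an 802.1Q tag
    (TPID 0x8100 + TCI with PCP=0, DEI=0, VID=vlan) after the source MAC."""
    header = dst + src
    if vlan is not None:
        header += struct.pack("!HH", TPID_8021Q, vlan & 0x0FFF)
    return header + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Return (dst, src, vid_or_None, ethertype, payload)."""
    dst, src = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == TPID_8021Q:
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        return dst, src, tci & 0x0FFF, ethertype, frame[18:]
    return dst, src, None, ethertype, frame[14:]


class Switch:
    """Layer 2 switch: ports map to ("access", vlan) or ("trunk", native_vlan)."""

    def __init__(self, name, ports):
        self.name = name
        self.ports = ports

    def classify(self, in_port, frame):
        """VLAN of an arriving frame: access ports use their configured VLAN,
        trunk ports honour the tag and put untagged frames in the native VLAN."""
        mode, vlan = self.ports[in_port]
        vid = parse_frame(frame)[2]
        if mode == "trunk" and vid is not None:
            return vid
        return vlan

    def egress_tag(self, out_port, vlan):
        """Tag to apply when sending: never on access ports, and not on a
        trunk when the frame travels in the trunk's native VLAN."""
        mode, native = self.ports[out_port]
        return vlan if mode == "trunk" and vlan != native else None

    def flood(self, in_port, frame):
        """Broadcast/unknown-unicast flooding stays inside one VLAN: returns
        {out_port: frame_as_transmitted} for every other access port in that
        VLAN plus every trunk (the tag carries the VLAN to the next switch)."""
        vlan = self.classify(in_port, frame)
        dst, src, _, ethertype, payload = parse_frame(frame)
        out = {}
        for port, (mode, pvlan) in self.ports.items():
            if port == in_port or (mode == "access" and pvlan != vlan):
                continue
            out[port] = build_frame(dst, src, ethertype, payload,
                                    self.egress_tag(port, vlan))
        return out


# Constructed two-floor topology: VLAN 1 and VLAN 2 on both switches, one trunk
SW1 = Switch("SW1", {"g0/1": ("access", 1), "g0/2": ("access", 2),
                     "g0/3": ("access", 2), "g0/24": ("trunk", 1)})
SW2 = Switch("SW2", {"g0/1": ("access", 1), "g0/2": ("access", 2),
                     "g0/24": ("trunk", 1)})


def arp_reach(sw_a, sw_b, in_port, trunk="g0/24"):
    """Which access ports on both switches receive an ARP request that
    enters sw_a on in_port? IP addresses never enter the decision."""
    arp = build_frame(BROADCAST, b"\x02\x00\x00\x00\x00\x0a", ETH_ARP, b"\x00\x01")
    out_a = sw_a.flood(in_port, arp)
    reached = [f"{sw_a.name}:{p}" for p in out_a if sw_a.ports[p][0] == "access"]
    if trunk in out_a:
        out_b = sw_b.flood(trunk, out_a[trunk])
        reached += [f"{sw_b.name}:{p}" for p in out_b if sw_b.ports[p][0] == "access"]
    return sorted(reached)


def native_mismatch(sw_a, sw_b, trunk="g0/24"):
    """True when sw_a's untagged (native VLAN) frames land in a different
    VLAN on sw_b, i.e. the native VLANs of the two trunk ends disagree."""
    native_a = sw_a.ports[trunk][1]
    frame = build_frame(BROADCAST, b"\x02" + b"\x00" * 5, ETH_ARP, b"",
                        sw_a.egress_tag(trunk, native_a))
    return sw_b.classify(trunk, frame) != native_a
```

`arp_reach(SW1, SW2, "g0/2")` reports only the VLAN 2 ports on both switches, and `native_mismatch` against a switch whose trunk uses native VLAN 99 returns `True`, which is the condition behind the NATIVE VLAN MISMATCH error described above.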

In the first part I mentioned plain VLANs, which enable network segmentation at Layer 2 with hosts in different subnets. Private VLANs go one step further and enable segmentation of hosts at Layer 2 within the same subnet (broadcast domain). Private VLANs work out very well if you want to sort out a DMZ (demilitarized zone) or just for security reasons.

[Figure: private VLAN layout showing the primary VLAN, the secondary (community and isolated) VLANs and the promiscuous port]

Before you get confused, let me explain the names above:

PRIMARY VLAN – there can be only one primary VLAN per domain. The secondary VLANs (community and isolated) are associated with this VLAN. The primary VLAN forwards frames from promiscuous ports to the community and isolated VLANs.

SECONDARY VLAN – community and isolated VLANs belong to this category. A secondary VLAN forwards frames from community and isolated hosts to the promiscuous ports.

PROMISCUOUS VLAN – promiscuous ports belong to the primary VLAN and can communicate with all interfaces: community and isolated host ports and other promiscuous ports.

COMMUNITY VLAN – devices in a community VLAN can only communicate with each other (within one community VLAN) and with the promiscuous ports.

ISOLATED VLAN – devices in an isolated VLAN CAN'T communicate with each other or with any community VLAN. There can be only ONE isolated VLAN per domain. Each device in an isolated VLAN can communicate ONLY with the promiscuous ports.

Configuration:

1. Creating the primary VLAN (200) and the secondary VLANs (201, 202), and associating the secondary VLANs with the primary VLAN

vlan 201
private-vlan isolated

vlan 202
private-vlan community

vlan 200
private-vlan primary
private-vlan association 201,202

2. Assigning particular switchports to particular VLANs. Each host-association names the primary VLAN first and then the isolated or community VLAN

interface e0/0
switchport mode private-vlan host
switchport private-vlan host-association 200 201
exit
interface e0/1
switchport mode private-vlan host
switchport private-vlan host-association 200 202
exit
interface e0/2
switchport mode private-vlan host
switchport private-vlan host-association 200 201
exit
interface e0/3
switchport mode private-vlan host
switchport private-vlan host-association 200 202

3. Creating a promiscuous port in the primary VLAN that will have connectivity with all other ports and VLANs

interface e1/0
switchport mode private-vlan promiscuous
switchport private-vlan mapping 200 add 201,202
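As an added example, not code from the original post, the Python below parses the private-VLAN configuration from steps 1 to 3 (copied into a string) and answers which pairs of ports can exchange frames under the primary/community/isolated/promiscuous rules explained above. It also runs the sanity checks that are worth performing before relying on the isolation: only one isolated VLAN per primary, and every secondary VLAN referenced by a port actually associated with the primary. VLAN and port numbers are the ones from the page; the parser understands only the commands shown there.

```python
# Constructed copy of the private-VLAN configuration from steps 1-3 above
PVLAN_CONFIG = """
vlan 201
 private-vlan isolated
vlan 202
 private-vlan community
vlan 200
 private-vlan primary
 private-vlan association 201,202
interface e0/0
 switchport mode private-vlan host
 switchport private-vlan host-association 200 201
interface e0/1
 switchport mode private-vlan host
 switchport private-vlan host-association 200 202
interface e0/2
 switchport mode private-vlan host
 switchport private-vlan host-association 200 201
interface e0/3
 switchport mode private-vlan host
 switchport private-vlan host-association 200 202
interface e1/0
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 200 add 201,202
"""


def parse_pvlan(config):
    """Parse the vlan/interface stanzas into two tables:
    vlans: id -> {"type": primary|isolated|community, "assoc": {secondary ids}}
    ports: name -> {"mode": host|promiscuous, "primary", "secondary", "mapping"}."""
    vlans, ports, ctx = {}, {}, None
    for raw in config.splitlines():
        words = raw.split()
        if not words:
            continue
        if words[0] == "vlan":
            ctx = vlans.setdefault(int(words[1]), {"type": None, "assoc": set()})
        elif words[0] == "interface":
            ctx = ports.setdefault(words[1], {"mode": None, "primary": None,
                                              "secondary": None, "mapping": set()})
        elif words[0] == "exit":
            ctx = None
        elif words[:2] == ["private-vlan", "association"]:
            ctx["assoc"] = {int(v) for v in words[2].split(",")}
        elif words[0] == "private-vlan":                      # primary / isolated / community
            ctx["type"] = words[1]
        elif words[:3] == ["switchport", "mode", "private-vlan"]:
            ctx["mode"] = words[3]
        elif words[:3] == ["switchport", "private-vlan", "host-association"]:
            ctx["primary"], ctx["secondary"] = int(words[3]), int(words[4])
        elif words[:3] == ["switchport", "private-vlan", "mapping"]:
            ctx["primary"] = int(words[3])
            ctx["mapping"] = {int(v) for v in words[5].split(",")}
    return vlans, ports


def can_talk(a, b, vlans, ports):
    """Can frames pass between ports a and b under the private-VLAN rules?"""
    pa, pb = ports[a], ports[b]
    if pa["primary"] != pb["primary"]:
        return False                                   # different private-VLAN domains
    for prom, other in ((pa, pb), (pb, pa)):
        if prom["mode"] == "promiscuous":
            # promiscuous reaches other promiscuous ports and every mapped secondary VLAN
            return other["mode"] == "promiscuous" or other["secondary"] in prom["mapping"]
    # two host ports: only the same community VLAN; isolated never reaches another host port
    return (pa["secondary"] == pb["secondary"]
            and vlans[pa["secondary"]]["type"] == "community")


def validate(vlans, ports):
    """Checks worth running before trusting the isolation; returns a list of problems."""
    problems = []
    for vid, v in vlans.items():
        if v["type"] != "primary":
            continue
        kinds = {s: vlans.get(s, {}).get("type") for s in v["assoc"]}
        isolated = sorted(s for s, k in kinds.items() if k == "isolated")
        if len(isolated) > 1:
            problems.append(f"primary {vid}: more than one isolated VLAN {isolated}")
        for s, k in kinds.items():
            if k not in ("isolated", "community"):
                problems.append(f"primary {vid}: VLAN {s} is not a secondary VLAN")
    for name, p in ports.items():
        wanted = {p["secondary"]} if p["secondary"] else p["mapping"]
        assoc = vlans.get(p["primary"], {}).get("assoc", set())
        for s in sorted(wanted - assoc):
            problems.append(f"{name}: VLAN {s} is not associated with primary {p['primary']}")
    return problems


def reachability(vlans, ports):
    """Full port-to-port matrix: {port: sorted list of ports it can reach}."""
    return {a: sorted(b for b in ports if b != a and can_talk(a, b, vlans, ports))
            for a in ports}
```

With the page's configuration, `reachability` shows e0/0 and e0/2 (isolated) reaching only e1/0, e0/1 and e0/3 (community 202) reaching each other and e1/0, and e1/0 reaching everything. Appending a second isolated VLAN to the association, or a host-association to a VLAN that was never associated, makes `validate` report it.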


Two crucial things regarding private VLANs:

1. The promiscuous port in the primary VLAN is also used to communicate with the default gateway (router port).

2. In order to implement private VLANs, the switch must be set to transparent mode in the VTP domain.


So far I have talked about VLANs from a Layer 2 point of view. To finish "VLANs Understanding" I have to mention inter-VLAN routing. In order to provide connectivity between VLANs we have to involve Layer 3. There are many schemes for providing inter-VLAN routing, depending on the environment. I'm going to focus on the 4 most popular solutions, which can be found in contemporary networks.

“ROUTER ON THE STICK”

[Figure: router on the stick, a Layer 2 switch trunked to a single router interface]

This solution is obsolete and not recommended unless the network consists of not too many hosts. There is a TRUNK link between a Layer 2 switch and a router. This solution requires deploying sub-interfaces on the router's trunk port.

Configuration:

Router:
interface fa0/0
no shutdown
interface fa0/0.10
encapsulation dot1q 10
ip address 192.168.10.1 255.255.255.0
exit
interface fa0/0.20
encapsulation dot1q 20
ip address 192.168.20.1 255.255.255.0
exit
interface fa0/0.1
encapsulation dot1q 1 native
ip address 192.168.1.1 255.255.255.0

Switch:
interface gig0/2
switchport trunk encapsulation dot1q
switchport mode trunk
spanning-tree portfast trunk

interface gig0/0
switchport mode access
switchport access vlan 10

interface gig0/1
switchport mode access
switchport access vlan 20

SWITCH VIRTUAL INTERFACES (SVI)

[Figure: Layer 3 switch with SVIs]

Switch Virtual Interfaces rely on creating logical (virtual) VLAN interfaces on a Layer 3 switch and activating IP routing on it.

ip routing
interface vlan 10
ip address 192.168.10.1 255.255.255.0

interface vlan 20 
ip address 192.168.20.1 255.255.255.0

LAYER 3 PORTS CONNECTION

[Figure: two Layer 3 switches connected through routed ports]

This design consists of at least two Layer 3 switches with SVIs enabled and Layer 3 (routed) ports for routing between them. Local VLANs are required.

SW1

ip routing
interface vlan 10
ip address 192.168.10.1 255.255.255.0

interface g0/1
no switchport 
ip address 172.16.0.1 255.255.255.0

ip route 192.168.20.0 255.255.255.0 172.16.0.2


SW2

ip routing
interface vlan 20 
ip address 192.168.20.1 255.255.255.0

interface g0/1
no switchport 
ip address 172.16.0.2 255.255.255.0

ip route 192.168.10.0 255.255.255.0 172.16.0.1

“SVI AND TRUNK”

OK, so far we know how to configure SVIs within the same switch, but what if we have to relay traffic between 2 or more switches connected via a trunk rather than L3 ports? It would be a combination of the SVI and L3 routed port designs. To achieve this, on one (and only ONE!) of the switches we have to create an SVI (L3 VLAN interface) for each VLAN subnet. Because we have an L2 topology (the trunk is an L2 link), the VLAN L3 interfaces on that one switch work as the gateways. Take a look at the configuration below.

SW1

ip routing
interface g0/0
switchport trunk encapsulation dot1q
switchport mode trunk

interface g0/1
switchport mode access
switchport access vlan 10

interface g0/2
switchport mode access
switchport access vlan 20

interface vlan 10
ip address 192.168.1.1 255.255.255.0

interface vlan 20
ip address 192.168.2.1 255.255.255.0

SW2

ip routing
interface g0/0
switchport trunk encapsulation dot1q
switchport mode trunk

interface g0/1
switchport mode access
switchport access vlan 10

interface g0/2
switchport mode access
switchport access vlan 20
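As an added example, not code from the original post, the following Python reads the kinds of Layer 3 configuration shown in the four inter-VLAN routing sections above (router-on-the-stick sub-interfaces with `encapsulation dot1q`, SVIs, routed ports with `no switchport`, and `ip route` statements) into a small routing table, and then decides for a source/destination pair whether the traffic is switched inside one VLAN, routed out of an interface (with a next hop when a static route is used), or dropped because nothing routes it. The configuration strings are constructed copies of the page's router and SW1 snippets; the parser covers only the commands used there.

```python
import ipaddress

# Constructed copies of the configurations above (Cisco IOS syntax): the
# router-on-the-stick sub-interfaces and SW1 from the Layer 3 ports design.
ROUTER_ON_STICK = """
interface fa0/0.10
 encapsulation dot1q 10
 ip address 192.168.10.1 255.255.255.0
interface fa0/0.20
 encapsulation dot1q 20
 ip address 192.168.20.1 255.255.255.0
"""
SW1_L3_PORTS = """
ip routing
interface vlan 10
 ip address 192.168.10.1 255.255.255.0
interface g0/1
 no switchport
 ip address 172.16.0.1 255.255.255.0
ip route 192.168.20.0 255.255.255.0 172.16.0.2
"""


def parse_l3(config, router=False):
    """Collect routed interfaces (sub-interface, SVI, routed port) and static
    routes into (routing_enabled, [(network, next_hop, interface, vlan)]).
    A router routes by default; a switch needs 'ip routing'."""
    routing, table, iface, vlan = router, [], None, None
    for raw in config.splitlines():
        words = raw.split()
        if not words:
            continue
        if words[:2] == ["ip", "routing"]:
            routing = True
        elif words[0] == "interface":
            iface = " ".join(words[1:])                  # e.g. "vlan 10", "fa0/0.10"
            vlan = int(words[2]) if words[1] == "vlan" else None
        elif words[:2] == ["encapsulation", "dot1q"]:
            vlan = int(words[2])                         # sub-interface carries this VLAN
        elif words[:2] == ["ip", "address"] and iface:
            net = ipaddress.ip_interface(f"{words[2]}/{words[3]}").network
            table.append((net, None, iface, vlan))       # directly connected
        elif words[:2] == ["ip", "route"]:
            table.append((ipaddress.ip_network(f"{words[2]}/{words[3]}"),
                          ipaddress.ip_address(words[4]), None, None))
    return routing, table


def lookup(table, dst, depth=0):
    """Longest-prefix match returning (interface, vlan, next_hop) or None;
    a static route's next hop is resolved to the connected interface."""
    dst = ipaddress.ip_address(dst)
    matches = [e for e in table if dst in e[0]]
    if not matches or depth > 4:                         # no route / recursion guard
        return None
    net, next_hop, iface, vlan = max(matches, key=lambda e: e[0].prefixlen)
    if next_hop is None:
        return iface, vlan, None
    via = lookup(table, str(next_hop), depth + 1)
    return None if via is None else (via[0], via[1], str(next_hop))


def forward(routing, table, src, dst):
    """Decision for a packet src -> dst seen by this device:
    ("switch", vlan) when both sit in one connected VLAN (no Layer 3 needed),
    ("route", interface, vlan, next_hop) when routing is required and possible,
    ("drop", reason) otherwise."""
    s, d = lookup(table, src), lookup(table, dst)
    if s is None:
        return "drop", "source not on a connected network"
    if d is not None and d[2] is None and d[0] == s[0]:
        return "switch", s[1]
    if not routing:
        return "drop", "ip routing not enabled"
    if d is None:
        return "drop", "no route"
    return ("route",) + d
```

Run against the router-on-the-stick configuration, VLAN 10 to VLAN 20 traffic leaves sub-interface fa0/0.20; on SW1 from the Layer 3 ports design the same traffic follows the static route out of g0/1 towards 172.16.0.2, and removing `ip routing` turns that into a drop. A switch configured like SW2 in the SVI-and-trunk design (trunk and access ports, no SVIs) has no connected networks at all, which is exactly why its hosts must use the SVIs on SW1 as their gateways.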
