4.1 VLAN Introduction

What is a VLAN?

1. What are VLANs?

VLANs (Virtual Local Area Networks) are a logical segmentation of a network into smaller, isolated broadcast domains. Unlike traditional LANs, where all devices are part of the same broadcast domain, VLANs allow you to group devices logically, regardless of their physical location. VLANs are configured on switches and operate at Layer 2 (Data Link Layer) of the OSI model.

2. Why are VLANs Useful?

  1. Improved Network Performance:

    • VLANs reduce the size of broadcast domains, limiting the scope of broadcast traffic (e.g., ARP requests). This reduces unnecessary network congestion and improves performance.
  2. Enhanced Security:

    • Devices in one VLAN cannot communicate with devices in another VLAN without a router or Layer 3 switch. This Layer 2 isolation blocks traffic between VLANs unless routing between them is deliberately configured.
  3. Simplified Network Management:

    • VLANs allow network administrators to group devices logically (e.g., by department, function, or application) rather than by physical location. This makes it easier to manage and troubleshoot the network.
  4. Cost Efficiency:

    • VLANs eliminate the need for additional hardware (e.g., separate switches for each department) by logically segmenting a single physical network.
  5. Flexibility:

    • Devices can be moved to different VLANs without physically relocating them. This is especially useful in dynamic environments like offices or campuses.

3. Intra-VLAN Example

An intra-VLAN network refers to communication between devices within the same VLAN. Since devices in the same VLAN are part of the same broadcast domain, they can communicate directly without the need for a router.

Scenario

Imagine a small office with the following setup:

  • VLAN 10: Sales Department
  • VLAN 20: IT Department
  • VLAN 30: Management Department

All devices in the Sales Department (e.g., PCs, printers) are assigned to VLAN 10, IT devices to VLAN 20, and management devices to VLAN 30.

Steps to Configure Intra-VLAN Communication

  1. Create VLANs on the Switch:

    • Access the switch CLI and create the VLANs:
      Switch(config)# vlan 10
      Switch(config-vlan)# name Sales
      Switch(config-vlan)# exit
      Switch(config)# vlan 20
      Switch(config-vlan)# name IT
      Switch(config-vlan)# exit
      Switch(config)# vlan 30
      Switch(config-vlan)# name Management
      Switch(config-vlan)# exit
  2. Assign Ports to VLANs:

    • Assign switch ports to the appropriate VLANs:
      Switch(config)# interface FastEthernet0/1
      Switch(config-if)# switchport mode access
      Switch(config-if)# switchport access vlan 10
      Switch(config-if)# exit
      Switch(config)# interface FastEthernet0/2
      Switch(config-if)# switchport mode access
      Switch(config-if)# switchport access vlan 20
      Switch(config-if)# exit
      Switch(config)# interface FastEthernet0/3
      Switch(config-if)# switchport mode access
      Switch(config-if)# switchport access vlan 30
      Switch(config-if)# exit
  3. Verify VLAN Configuration:

    • Use the following command to verify VLAN assignments:
      Switch# show vlan brief
  4. Test Intra-VLAN Communication:

    • Devices within the same VLAN (e.g., two PCs in VLAN 10) can communicate directly. For example:
      • PC1 (VLAN 10, IP: 192.168.10.2) can ping PC2 (VLAN 10, IP: 192.168.10.3).
      • PC3 (VLAN 20, IP: 192.168.20.2) cannot ping PC1 or PC2 because they are in different VLANs.

Key Points About Intra-VLAN Communication

  • No Router Required: Devices in the same VLAN can communicate directly because they are part of the same broadcast domain.
  • Switch Handles Traffic: The switch forwards frames between devices in the same VLAN based on MAC addresses.
  • Isolation from Other VLANs: Devices in one VLAN cannot communicate with devices in another VLAN without a router or Layer 3 switch.
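The three key points above, modelled in Python as an added example (not the course's own code): a VLAN-aware switch that learns MAC addresses per VLAN and floods unknown or broadcast frames only within the VLAN. The second Sales port Fa0/4 (for PC2) and all MAC addresses are constructed for the demo.

```python
# Added example (not the course page's code): a minimal model of a VLAN-aware
# Layer 2 switch for the page's intra-VLAN scenario. It shows MAC learning and
# flooding scoped to one VLAN, so a frame never reaches a port in another VLAN.
# Port Fa0/4 (a second Sales port for PC2) and all MAC addresses are constructed.
BROADCAST = "ff:ff:ff:ff:ff:ff"

class VlanSwitch:
    def __init__(self, access_vlans):
        self.access_vlans = dict(access_vlans)   # port -> access VLAN ID
        self.mac_table = {}                      # (vlan, mac) -> port learned on

    def receive(self, in_port, src_mac, dst_mac):
        """Switch one frame and return the sorted list of egress ports."""
        vlan = self.access_vlans[in_port]
        self.mac_table[(vlan, src_mac)] = in_port   # learn source MAC per VLAN
        learned = self.mac_table.get((vlan, dst_mac))
        if dst_mac != BROADCAST and learned is not None:
            return [] if learned == in_port else [learned]   # known unicast
        # Unknown unicast or broadcast: flood, but only to ports in this VLAN.
        return sorted(p for p, v in self.access_vlans.items()
                      if v == vlan and p != in_port)

def intra_vlan_demo():
    """Replay the page's test: PC1 and PC2 in VLAN 10, PC3 in VLAN 20."""
    sw = VlanSwitch({"Fa0/1": 10, "Fa0/2": 20, "Fa0/3": 30, "Fa0/4": 10})
    pc1, pc2, pc3 = "02:00:00:0a:00:02", "02:00:00:0a:00:03", "02:00:00:14:00:02"
    results = {}
    # 1. PC1 ARPs for PC2: the broadcast is flooded to VLAN 10 ports only.
    results["pc1_arp"] = sw.receive("Fa0/1", pc1, BROADCAST)
    # 2. PC2 replies: PC1's MAC was learned in VLAN 10, so unicast out Fa0/1.
    results["pc2_reply"] = sw.receive("Fa0/4", pc2, pc1)
    # 3. PC3 (VLAN 20) sends to PC1's MAC: no entry in VLAN 20's table and no
    #    other VLAN 20 port to flood to, so the frame goes nowhere.
    results["pc3_to_pc1"] = sw.receive("Fa0/2", pc3, pc1)
    return results

if __name__ == "__main__":
    for step, ports in intra_vlan_demo().items():
        print(f"{step}: forwarded to {ports or 'no ports'}")
```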

Real-World Use Case for VLANs

In a university network:

  • VLAN for Students: All student devices are placed in one VLAN to restrict access to administrative resources.
  • VLAN for Faculty: Faculty devices are placed in a separate VLAN with access to additional resources like research servers.
  • VLAN for Administration: Administrative staff have their own VLAN with access to sensitive data.

This segmentation ensures that students cannot access faculty or administrative resources, improving security and network performance.

4. What is Inter-VLAN Communication?

Inter-VLAN communication refers to the process of enabling devices in different VLANs to communicate with each other. Since VLANs are isolated broadcast domains, devices in one VLAN cannot directly communicate with devices in another VLAN. To enable inter-VLAN communication, a Layer 3 device (such as a router or a Layer 3 switch) is required to route traffic between VLANs.

4.1 Inter-VLAN Example

Scenario

Imagine a small office with the following setup:

  • VLAN 10: Sales Department (IP subnet: 192.168.10.0/24)
  • VLAN 20: IT Department (IP subnet: 192.168.20.0/24)
  • VLAN 30: Management Department (IP subnet: 192.168.30.0/24)

The goal is to allow devices in the Sales VLAN (VLAN 10) to communicate with devices in the IT VLAN (VLAN 20) and Management VLAN (VLAN 30).

Steps to Configure Inter-VLAN Communication

  1. Create VLANs on the Switch:

    • Access the switch CLI and create the VLANs:
      Switch(config)# vlan 10
      Switch(config-vlan)# name Sales
      Switch(config-vlan)# exit
      Switch(config)# vlan 20
      Switch(config-vlan)# name IT
      Switch(config-vlan)# exit
      Switch(config)# vlan 30
      Switch(config-vlan)# name Management
      Switch(config-vlan)# exit
  2. Assign Ports to VLANs:

    • Assign switch ports to the appropriate VLANs:
      Switch(config)# interface FastEthernet0/1
      Switch(config-if)# switchport mode access
      Switch(config-if)# switchport access vlan 10
      Switch(config-if)# exit
      Switch(config)# interface FastEthernet0/2
      Switch(config-if)# switchport mode access
      Switch(config-if)# switchport access vlan 20
      Switch(config-if)# exit
      Switch(config)# interface FastEthernet0/3
      Switch(config-if)# switchport mode access
      Switch(config-if)# switchport access vlan 30
      Switch(config-if)# exit
  3. Configure a Trunk Port:

    • Configure a trunk port to connect the switch to the router (or Layer 3 switch). A trunk port carries traffic for multiple VLANs.
      Switch(config)# interface GigabitEthernet0/1
      Switch(config-if)# switchport mode trunk
      Switch(config-if)# exit
  4. Configure the Router for Inter-VLAN Routing:

    • Use a router with subinterfaces to route traffic between VLANs. This is known as the “Router on a Stick” method.

      • Assign an IP address to each router subinterface; each address becomes the default gateway for its VLAN.
      • Set 802.1Q encapsulation (dot1Q) on each subinterface so it sends and receives frames tagged with that VLAN ID.
      Router(config)# interface GigabitEthernet0/0.10
      Router(config-subif)# encapsulation dot1Q 10
      Router(config-subif)# ip address 192.168.10.1 255.255.255.0
      Router(config-subif)# exit
      Router(config)# interface GigabitEthernet0/0.20
      Router(config-subif)# encapsulation dot1Q 20
      Router(config-subif)# ip address 192.168.20.1 255.255.255.0
      Router(config-subif)# exit
      Router(config)# interface GigabitEthernet0/0.30
      Router(config-subif)# encapsulation dot1Q 30
      Router(config-subif)# ip address 192.168.30.1 255.255.255.0
      Router(config-subif)# exit
  5. Configure Default Gateways on Devices:

    • Assign the router’s subinterface IP addresses as the default gateways for devices in each VLAN.
      • Devices in VLAN 10 (Sales): Default gateway = 192.168.10.1
      • Devices in VLAN 20 (IT): Default gateway = 192.168.20.1
      • Devices in VLAN 30 (Management): Default gateway = 192.168.30.1
  6. Test Inter-VLAN Communication:

    • Use the ping command to test connectivity between devices in different VLANs.
      • For example, a PC in VLAN 10 (IP: 192.168.10.2) should be able to ping a PC in VLAN 20 (IP: 192.168.20.2).

4.2 How Inter-VLAN Communication Works

  1. A device in VLAN 10 sends a packet addressed to a device in VLAN 20; because the destination is in another subnet, the packet is sent to the default gateway (the router's VLAN 10 subinterface).
  2. The switch forwards the frame to the router over the trunk port, tagged as VLAN 10.
  3. The router receives the frame on the subinterface whose dot1Q encapsulation matches tag 10, examines the packet's destination IP address and determines that it belongs to the VLAN 20 subnet.
  4. The router routes the packet out the VLAN 20 subinterface, tagging it as VLAN 20.
  5. The switch receives the frame from the router on the trunk and forwards it to the destination device in VLAN 20.
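The trunk and router-on-a-stick steps above, shown at the byte level as an added example (not the course's own code): it builds and parses IEEE 802.1Q tagged frames and applies the router's forwarding decision for the page's GigabitEthernet0/0.10/.20/.30 subinterfaces. MAC addresses are constructed; frames arriving untagged on the native VLAN are not modelled.

```python
# Added example (not the course page's code): build and parse IEEE 802.1Q tagged
# frames as carried on the switch-to-router trunk, then apply the "router on a
# stick" decision for the page's Gi0/0.10/.20/.30 subinterfaces. MAC addresses
# are constructed; untagged native-VLAN frames are not modelled.
import ipaddress
import struct

TPID_8021Q = 0x8100      # EtherType value announcing that an 802.1Q tag follows
ETHERTYPE_IPV4 = 0x0800
# "encapsulation dot1Q <vid>" + "ip address ..." from the page's router config.
SUBINTERFACES = {vid: ipaddress.ip_interface(f"192.168.{vid}.1/24") for vid in (10, 20, 30)}

def tag_frame(dst_mac, src_mac, vid, payload, pcp=0):
    """Insert the 4-byte tag (TPID + TCI) between source MAC and EtherType."""
    if not 1 <= vid <= 4094:
        raise ValueError("VLAN ID must be 1..4094")
    tci = (pcp << 13) | vid              # TCI = PCP(3 bits) | DEI(1, clear) | VID(12)
    return dst_mac + src_mac + struct.pack("!HHH", TPID_8021Q, tci, ETHERTYPE_IPV4) + payload

def parse_frame(frame):
    """Return (dst_mac, src_mac, vid_or_None, ethertype, payload)."""
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype == TPID_8021Q:
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        return dst, src, tci & 0x0FFF, ethertype, frame[18:]
    return dst, src, None, ethertype, frame[14:]

def ipv4_header(src_ip, dst_ip):
    """Minimal 20-byte IPv4 header (no options, checksum left zero) for the demo."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 1, 0,
                       ipaddress.ip_address(src_ip).packed, ipaddress.ip_address(dst_ip).packed)

def route_on_a_stick(frame):
    """Return (ingress_subif, egress_subif) names for an IPv4 frame from the trunk,
    or None when the router has no matching subinterface or connected route."""
    _, _, vid, ethertype, payload = parse_frame(frame)
    if vid not in SUBINTERFACES or ethertype != ETHERTYPE_IPV4:
        return None                       # no "encapsulation dot1Q <vid>": dropped
    dst_ip = ipaddress.ip_address(payload[16:20])   # destination address at offset 16
    for egress_vid, iface in SUBINTERFACES.items():
        if dst_ip in iface.network:
            return f"GigabitEthernet0/0.{vid}", f"GigabitEthernet0/0.{egress_vid}"
    return None                           # not a connected subnet on any subinterface

if __name__ == "__main__":
    pc1, gw = bytes.fromhex("0200000a0002"), bytes.fromhex("020000000001")  # constructed MACs
    sales_to_it = tag_frame(gw, pc1, 10, ipv4_header("192.168.10.2", "192.168.20.2"))
    print(parse_frame(sales_to_it)[2], route_on_a_stick(sales_to_it))
```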

4.5 Alternative: Using a Layer 3 Switch

Instead of a router, a Layer 3 switch can be used for inter-VLAN routing. Layer 3 switches can perform routing at hardware speed, making them more efficient than routers for this purpose.

Configuration on a Layer 3 Switch

  1. Enable IP routing on the switch:
    Switch(config)# ip routing
  2. Create VLAN interfaces (SVIs) and assign IP addresses:
    Switch(config)# interface Vlan10
    Switch(config-if)# ip address 192.168.10.1 255.255.255.0
    Switch(config-if)# no shutdown
    Switch(config-if)# exit
    Switch(config)# interface Vlan20
    Switch(config-if)# ip address 192.168.20.1 255.255.255.0
    Switch(config-if)# no shutdown
    Switch(config-if)# exit
    Switch(config)# interface Vlan30
    Switch(config-if)# ip address 192.168.30.1 255.255.255.0
    Switch(config-if)# no shutdown
    Switch(config-if)# exit
  3. Devices in each VLAN use the SVI IP addresses as their default gateways.

4.6 Real-World Use Case for Inter-VLAN Communication

In a corporate network:

  • VLAN for HR: Contains sensitive employee data.
  • VLAN for Engineering: Contains development servers and workstations.
  • VLAN for Guest Wi-Fi: Provides internet access to visitors.

Inter-VLAN routing allows the HR department to access engineering resources (e.g., shared files) while maintaining isolation for the guest Wi-Fi network.