Saturday, October 2, 2010

Lesson 16 - VLANs In Practice

Lesson 15 introduced another layer 2 concept called VLANs (Virtual Local Area Networks). If you understand their purpose, it is time to get the juices flow by configuring them.

In this post, I am going to show you how to configure VLANs in a simple design, routing between VLANs and how to verify their operation. I am going to use the following network topology to accomplish our goals (Pic. 1).


Pic. 1 - VLAN Topology
Icons designed by: Andrzej Szoblik - http://www.newo.pl


NOTICE!
In my testing topology (pic.1) I have already configured the management VLAN (500), for the purpose of accessing the switches and R1 remotely from my computer.

VLANs 10 and 20 as well as the R1 routing configuration have not been configure yet. This is going to be our main task in this lesson.


Before we begin, take a closer look at the the topology (click at the picture to enlarge it). Please, pay a special attention to the IP addresses of the computers. Have you noticed that they belong to two DIFFERENT layer 3 networks? The blue numbers below denote the network address and they are different. If you are not familiar with IP addresses, and you have no clue what I'm talking about, don't worry. I'm going to explain those in the upcoming lessons. 
  • PC1 address is 192.168.10.1 255.255.255.0 
  • PC2 address is 192.168.20.1 255.255.255.0

For now though, take for granted that if computers are members of different layer 3 networks, the applications installed on them cannot communicate without a router.

Okay, it's time to type in our first command: show vlans.

Pic. 2 - 'show vlans' command.

The output (Pic.2) gives you a plethora of information. Take a closer look and then read on to know what you're looking at.

  1. VLAN - This column shows all VLANs that exist in a switch database. In the case of my switch, there is only one VLAN I have created (VLAN 500). I've named it HOME_LAN. I use it be able to access my equipment using Telnet. All other VLANs listed exist on a switch by default. You can safely ignore these as they are not even supported by the switch (VLANs 1002-1005). Important is VLAN 1, which is the default one. All interfaces belong to VLAN 1 by default.
  2. Name - This column lists the names given to VLANs. Switches use numbers to differentiate between VLANs, not names. You name VLANs using friendly names, so we know which VLAN number is which group. If you do not give a name to a newly created VLAN, the default name is given (e.g. Vlan0002 for VLAN 2, Vlan0003 for VLAN 3 etc.).
  3. Status - It tells you what VLANs are active and supported by a switch. If you delete VLAN from the database, and the port is still configured as member of this VLAN, the port is not going to forward any frames. Default VLAN (VLAN=1) CANNOT be removed. You can try, but it won't work.
  4. Ports - The last column, shows which ports belong to VLANs. Simple as that. In order to change VLAN's membership of the interface, you have to do it manually.
Below, you can see some additional parameters related to the VLANs such as MTU (Maximum Transmission Unit), which for Ethernet is 1500 bytes.

A more handy command is: show vlan brief. Take a look at its output (pic. 3).

Pic. 3 - 'show vlan brief' output.

This is probably more often used command if you want to check the VLANs and port membership.

Interfaces have default settings which are not seen in the running configuration:
show running-config.

In order to verify what are the default settings of the interface use the following command (here interface f0/1 is used):
show interface f0/1 switchport.

Familiarize yourself with the output of this command. Pay a special attention to the lines I highlighted.

Pic. 4 - 'show interface f0/1 switchport' output.


Recall from the previous lesson (Lesson 15) the two types of the ports used in VLAN infrastructure: trunk and access. I need to ramble a tad more before we proceed to the configuration.

  1. Administrative Mode: dynamic desirable - This option means that the port is running Dynamic Trunk Protocol (DTP). Port int this mode (the default setting on this particular switch), will send special frames to the device connected to it, trying to negotiate trunk connection. If the other end responds to this proposal, both interfaces become trunks. Since in my case, it is a PC that is connected to port F0/1, and did not respond to this negotiation (no DTP), the port became a 'static access' (member of one VLAN only).
  2. Operational Mode: static access – This tells you what the real mode of the port is. Here, the interface did not negotiate trunk connections so automatically became an 'access' interface.
  3. Negotiation of Trunking: On – This option informs you, that the DTP protocol is active on the interface. The port will be sending DTP frames out trying to negotiate trunk mode.
  4. Access Mode VLAN: 1 (default) – Since the interface did not become trunk, and there is no manual configuration regarding the VLAN it should belong to, the interface ended up as a member of the default VLAN (VLAN 1).
  5. Trunking VLANs Enabled: All – In case the interface transitions to a trunking mode, ALL VLANs are going to be allowed on this interface (1-4094).

Now, it is time to define our configuration tasks and complete our mission.

CONFIGURATION STEPS

Given the topology diagram (pic. 1), configure the following:
  1. Configure end-to-end VLANs (the same set of VLANs on all switches).
  2. Assign ports to VLANs.
  3. Create an unconditional trunking between the switches.
  4. Enable routing between VLANs using 'router on a stick' (yes, it is a real name of this method).
SOLUTION
Step 1
Configure end-to-end VLANs (the same set of VLANs on all switches).

On SW1:
SW1#configure terminal
SW1(config)#vlan 10,20
SW1(config-vlan)#exit
SW1(config)#

On SW2:
SW2#configure terminal
SW2(config)#vlan 10,20
SW2(config-vlan)#exit
SW2(config)#

On SW3:
SW3#configure terminal
SW3(config)#vlan 10,20
SW3(config-vlan)#exit
SW3(config)#

Verification
On all switches you should see the VLANs created (here SW1 output).

Pic. 5 – VLANs in the database

Steps 2
Assign ports to VLANs.

Since we are going to use port-to-vlan assignment (recommended in most cases) , this option puts the ports permanently in a given VLAN and disables DTP.

On SW1:
SW1(config)#interface f0/1
SW1(config-if)#switchport mode access
SW1(config-if)#switchport access vlan 10
SW1(config-if)#exit
SW1(config)#

On SW2:
SW2(config)#int f0/1
SW2(config-if)#switchport mode access
SW2(config-if)#switchport access vlan 20
SW2(config-if)#exit
SW2(config)#

Explanation!
The command: 'switchport mode access' puts the port in an unconditional 'access mode' in which DTP is turned off. The port CANNOT become trunk anymore.

The command: 'switchport access vlan 10' places the interface in VLAN 10 (broadcast domain). From now on, the port can communicate with other hosts in VLAN 10 but not other VLANs.

Verification (here only SW1 output)

Pic.6 – show vlan brief

As you can see the port f0/1 is now a member of VLAN 10.

Step 3
Create an unconditional trunking between the switches.

NOTICE!
The trunking should be enabled on ports f0/15, f0/16 and also on f0/1 since this port will use trunking mode to connect multiple R1's sub-interfaces ('router on a stick') for the purpose of routing unicast between VLANs 10 and 20.

Also, in my case SW3 is Catalyst 2950 which supports only DOT1q protocol. That is why the command 'switchport trunk encapsulation' does NOT exist on this switch. I will use that command on SW1 and SW2 though, in order to select this type of trunking protocol.


On SW1:
SW1(config)#interface range f0/13 - 15
SW1(config-if-range)#switchport trunk encapsulation dot1q
SW1(config-if-range)#switchport mode trunk
SW1(config-if-range)#exit
SW1(config)#

On SW2:
SW2(config)#interface range f0/13 - 14 , f0/16
SW2(config-if-range)#switchport trunk encapsulation dot1q
SW2(config-if-range)#switchport mode trunk
SW2(config-if-range)#exit
SW2(config)#

On SW3:
SW3(config)#interface range f0/1 , f0/15 - 16
SW3(config-if-range)#switchport mode trunk
SW3(config-if-range)#exit
SW3(config)#

Verification (here SW1 only):

Pic. 7 – show interface trunk

An alternate method of verifying trunk ports is shown below. However, this way you can see one port at a time. But the output is more verbose.

Pic. 8 – 'show int f0/15 switchport'

Step 4
Enable routing between VLANs using 'router on a stick'.

On R1:
R1(config)#
R1(config)#int f0/0
R1(config-if)#no ip address
R1(config-if)#no shutdown
!
! Create sub-interface with IP address to be gateway for VLAN 10.
R1(config-if)#int f0/0.10
R1(config-subif)#encapsulation dot1q 10
R1(config-subif)#ip address 192.168.10.254 255.255.255.0
R1(config-subif)#
!
! Create sub-interface with IP address to be gateway for VLAN20.
R1(config-subif)#int f0/0.20
R1(config-subif)#encapsulation dot1q 20
R1(config-subif)#ip address 192.168.20.254 255.255.255.0
R1(config-subif)#end
R1#

Verification
The ultimate test to verify the connectivity between VLANs is to use ping utility and check if PC1 talks to PC2. If successful, it is proving that our configuration is correct.

The routing table on R1 should show you that router knows both networks: 192.168.10.0/24 and 192.168.20.0/24 (pic. 9). So it can transmit the packets between these two.


Pic. 9 - Routing Table on R1
 

Soon, video is going to be available with the above configuration and additional options for inter-VLAN routing.

In my next post, we will look at what is really happening 'behind the curtain'. I will show you the traffic flow using our VLAN's configuration step by step.