Cisco ICND2 – Describe how VLANs create logically separate networks and the need for routing between them

Chris Stark Cisco, ICND2

VLANs

A VLAN is a virtual logical area network. VLANs allow you to logically group ports on a switch. You may want to do this to ensure the IT department cannot see traffic from the Finance department for example. VLANs can be spanned across multiple switches, meaning all you have to do is change the VLAN number on a port and bingo you’re in that VLAN (assuming VTP is enabled across the switched network). VLANs break up broadcast domains by broadcasting frames only to the same VLAN.

We have the ability with VLANs to improve our security by controlling what VLANs have access to which other VLANs on the network. We can also isolated a VLAN so it cannot communicate with any devices but just have access to the internet (handy for open areas).

By default VLANs cannot communicate with other VLANs. However this can be achieved with either a layer 3 switch (not covered in the CCNA but is in the CCNP) or by you guessed it a router, as a routers job is to route frames. This method is known as a router on a stick.

Key Info

  • VLANs 0 and 4095 For system use only
  • VLAN 1 is Cisco default VLAN, all ports are by default a member of this VLAN
  • VLANs 2-1001 You can use, create and delete VLANS within this range
  • VLANs 1002-1005 are used with FDDI and TokenRing. You cannot delete these
  • VLANs 1006-4094 These VLANs are the extended range for Ethernet, can not be propagated by VTP
  • VLAN information can be found in VLAN.DAT which is stored in Flash memory. This can be viewed using “show flash”
  • VLANs cannot send between VLANs, a Layer 3 device is needed

Taken from Cisco Configuring VLANs

Router on a stick

The way router on a stick works is, say a device on VLAN 20 wanted to communicate with a device VLAN 30 both VLAN frames would need to be sent to a router via a trunk link from the Layer 2 switch. The router will look at its sub-interfaces and see if it has a match for the VLANs, if it does it will route the frame to the correct destination. Remembering that without this method VLAN 20 will not be able to communicate with VLAN 30.

Key Info

  • Layer 3 device such as a router or switch required
  • Links between the switch and router must be in trunk mode
  • Encapsulation between the switch and router must match either 802.1Q or ISL
  • Encapsulation can only be configured on a Fast Ethernet/Gigabit interface
  • Encapsulation must be configured on the subinterface to match the VLAN
  • Subinterfaces must be configured with an IP address that is on the same subnet of the VLAN, this will also be the default gateway for that VLAN
  • the parent interface of the subinterface must be up (no shutdown) for the subinterfaces to work