VLAN (Virtual Local Area Network)

In networking, a VLAN (Virtual Local Area Network) is a logical subdivision of a physical network, which allows devices to be grouped together into different broadcast domains, even if they are connected to the same physical network. VLANs help segment the network to improve performance, security, and management by reducing the size of broadcast domains and isolating traffic.


Key Features of VLAN:

Segmentation: Devices in different VLANs cannot communicate directly with each other unless a router or Layer 3 switch is configured to route between them.

Broadcast Domain Reduction: A VLAN limits the scope of broadcast traffic, reducing network congestion.

Security: VLANs isolate groups of devices from each other at Layer 2, for example keeping management traffic away from user ports or putting guest devices on their own segment. The isolation is only as good as the switch configuration: a port left in the wrong VLAN, or a trunk that carries VLANs it does not need, joins segments that were meant to be separate, so port assignments and trunk settings should be explicit and verified.

How VLAN Works in the Given Picture:

In the picture there are two VLANs defined:


VLAN 1: Contains PC1 and PC4.

VLAN 2: Contains PC2 and PC5.


Each VLAN is set up to ensure that devices within the same VLAN can communicate with each other, but not with devices in a different VLAN unless routing is configured.


Description of the Network:

Switch0 and Switch1 are connected via a trunk link (represented by the dashed line), which is designed to carry traffic for both VLAN 1 and VLAN 2.


VLAN 1 (192.168.1.x network):


PC1 (IP: 192.168.1.1) and PC4 (IP: 192.168.1.2) are part of VLAN 1.

These two PCs are in the same VLAN, so they can communicate with each other across the trunk between the switches, even though they are connected to different physical switches (Switch0 and Switch1).

VLAN 2 (192.168.2.x network):


PC2 (IP: 192.168.2.1) and PC5 (IP: 192.168.2.2) are part of VLAN 2.

These two PCs can communicate with each other because they are in the same VLAN, even though they are also connected to different switches.

Trunk Link:

The trunk link between Switch0 and Switch1 carries traffic for both VLANs between the switches. A trunk port is configured to carry multiple VLANs: each frame sent across it is tagged with an 802.1Q header that holds the VLAN identifier, the receiving switch uses that tag to place the frame in the correct VLAN, and the tag is removed again before the frame is delivered to a host on an access port.
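To make the tagging concrete, here is a small Python model of the two switches and their trunk, added as an example; it is not code from the original page. It builds and parses 802.1Q tags (TPID 0x8100 followed by a 16-bit TCI whose low 12 bits are the VLAN ID), keeps a MAC table per VLAN, floods unknown destinations only within the ingress VLAN, tags frames when they leave on the trunk and strips the tag before delivering to an access port. Switch and port names follow the diagram and the CLI configuration later on the page (VLAN 2 for PC1/PC4, VLAN 3 for PC2/PC5, trunk on Gi0/1); the MAC addresses are made up, and the native VLAN is left at the IOS default of 1.

```python
"""802.1Q tagging and per-VLAN forwarding across a trunk, as a small model.

Added example, not code from the original page. Switch and port names
(Switch0, Switch1, Fa0/1, Fa0/2, Gi0/1) follow the diagram; MAC addresses
are made up. VLAN IDs follow the CLI configuration: VLAN 2 for PC1/PC4
(192.168.1.x) and VLAN 3 for PC2/PC5 (192.168.2.x).
"""
import struct

TPID_8021Q = 0x8100            # EtherType value that announces an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800
BROADCAST = bytes([0xFF] * 6)


def mac(text):
    """'02:00:00:00:00:01' -> 6 raw bytes."""
    return bytes.fromhex(text.replace(":", ""))


def build_frame(dst, src, payload, vlan=None, ethertype=ETHERTYPE_IPV4):
    """Ethernet II frame; when vlan is given, a 4-byte 802.1Q tag (PCP=0, DEI=0, VID=vlan) follows the source MAC."""
    if vlan is not None and not 1 <= vlan <= 4094:
        raise ValueError("VID must be in 1..4094")
    tag = struct.pack("!HH", TPID_8021Q, vlan) if vlan is not None else b""
    return dst + src + tag + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Return (dst, src, vid_or_None, ethertype, payload); the VID is the low 12 bits of the TCI."""
    dst, src = frame[:6], frame[6:12]
    (etype,) = struct.unpack("!H", frame[12:14])
    if etype == TPID_8021Q:
        (tci,) = struct.unpack("!H", frame[14:16])
        (etype,) = struct.unpack("!H", frame[16:18])
        return dst, src, tci & 0x0FFF, etype, frame[18:]
    return dst, src, None, etype, frame[14:]


class Switch:
    """Learning switch: MAC table keyed by (vlan, mac); unknown destinations are flooded only inside the ingress VLAN."""

    def __init__(self, name):
        self.name = name
        self.access = {}     # port -> access VLAN; hosts send and receive untagged frames here
        self.trunks = {}     # port -> (allowed VLANs, native VLAN, peer switch, peer port)
        self.mac_table = {}  # (vlan, mac) -> port
        self.delivered = []  # (port, frame) handed to the host on an access port

    def ports_in_vlan(self, vlan):
        ports = [p for p, v in self.access.items() if v == vlan]
        ports += [p for p, (allowed, _, _, _) in self.trunks.items() if vlan in allowed]
        return ports

    def receive(self, port, frame):
        dst, src, vid, _, _ = parse_frame(frame)
        if port in self.access:
            if vid is not None:      # a tag chosen by the host is not honoured on an access port
                return
            vlan = self.access[port]
        elif port in self.trunks:
            allowed, native, _, _ = self.trunks[port]
            vlan = native if vid is None else vid    # untagged on a trunk means the native VLAN
            if vlan not in allowed:
                return
        else:
            return
        self.mac_table[(vlan, src)] = port
        known = self.mac_table.get((vlan, dst))
        for out in ([known] if known is not None else self.ports_in_vlan(vlan)):
            if out != port:
                self.send(out, vlan, frame)

    def send(self, port, vlan, frame):
        dst, src, _, etype, payload = parse_frame(frame)
        if port in self.access:   # strip any tag before handing the frame to the host
            self.delivered.append((port, build_frame(dst, src, payload, None, etype)))
        else:                     # tag on the trunk; the native VLAN crosses untagged
            _, native, peer, peer_port = self.trunks[port]
            peer.receive(peer_port, build_frame(dst, src, payload, None if vlan == native else vlan, etype))


def build_topology():
    """Switch0 and Switch1 as configured on this page: VLAN 2 on Fa0/1, VLAN 3 on Fa0/2, trunk Gi0/1 allowing 2,3."""
    sw0, sw1 = Switch("Switch0"), Switch("Switch1")
    for sw in (sw0, sw1):
        sw.access = {"Fa0/1": 2, "Fa0/2": 3}
    sw0.trunks["Gi0/1"] = ({2, 3}, 1, sw1, "Gi0/1")   # native VLAN left at the IOS default of 1
    sw1.trunks["Gi0/1"] = ({2, 3}, 1, sw0, "Gi0/1")
    return {  # host name -> (switch, port, MAC); the MAC addresses are made up
        "PC1": (sw0, "Fa0/1", mac("02:00:00:00:00:01")),
        "PC2": (sw0, "Fa0/2", mac("02:00:00:00:00:02")),
        "PC4": (sw1, "Fa0/1", mac("02:00:00:00:00:04")),
        "PC5": (sw1, "Fa0/2", mac("02:00:00:00:00:05")),
    }


def send(hosts, src, dst, payload=b"ping", tag=None):
    """Send one frame from host src to host dst (or 'broadcast'); return sorted names of hosts that received it."""
    sw, port, src_mac = hosts[src]
    dst_mac = BROADCAST if dst == "broadcast" else hosts[dst][2]
    sw.receive(port, build_frame(dst_mac, src_mac, payload, tag))
    got = sorted(n for n, (hsw, hport, _) in hosts.items() if any(p == hport for p, _ in hsw.delivered))
    for hsw, _, _ in hosts.values():
        hsw.delivered.clear()
    return got


if __name__ == "__main__":
    hosts = build_topology()
    print("PC1 -> PC4 (first frame, flooded inside VLAN 2):", send(hosts, "PC1", "PC4"))
    print("PC4 -> PC1 (learned, forwarded over the trunk):", send(hosts, "PC4", "PC1"))
    print("PC1 -> PC2 (different VLAN, never delivered):", send(hosts, "PC1", "PC2"))
    print("PC2 -> broadcast (stays inside VLAN 3):", send(hosts, "PC2", "broadcast"))
```

Running the script shows the first PC1-to-PC4 frame flooded across the trunk and reaching only PC4, the reply forwarded by the learned MAC table entry, a PC1-to-PC2 frame that never reaches PC2 because the switch floods only inside VLAN 2 (PC4 sees it and ignores it), and a VLAN 3 broadcast that reaches only PC5. A frame that a host tags itself is discarded at the access port in this model, as on a correctly configured access port, which is why a tag chosen by a host does not move it into another VLAN.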


VLAN Configuration in the Picture:

Switch0 and Switch1:


Both switches have two VLANs configured: VLAN 1 and VLAN 2.

Each PC is connected to an access port assigned to its VLAN.

PCs in VLAN 1:


PC1 and PC4 belong to VLAN 1 (IP range 192.168.1.x).

They can communicate with each other over the network, and any broadcast traffic within VLAN 1 will only be shared between devices in this VLAN.

PCs in VLAN 2:


PC2 and PC5 belong to VLAN 2 (IP range 192.168.2.x).

Similarly, these devices can communicate with each other within their VLAN, but they are isolated from devices in VLAN 1.

Why Use VLANs?

Network Efficiency: VLANs reduce the size of the broadcast domain, ensuring that broadcast traffic is limited to devices within the same VLAN. This improves network performance.

Security: By separating devices into different VLANs, you can isolate sensitive traffic (e.g., finance or HR departments) from general users or guests.

Flexibility: VLANs make it easier to manage networks by allowing devices to be grouped logically rather than by physical location. For example, devices in different buildings can belong to the same VLAN.

Real-World Example:

In a company, VLANs can be used to separate different departments:


VLAN 1: Used for employees working in the IT department.

VLAN 2: Used for employees in the HR department.


Even though these devices might be physically connected to the same switch or network, VLANs ensure that HR and IT traffic is isolated unless explicitly allowed to communicate through a router.


In the network setup shown in the picture, VLANs are used to logically separate the devices (PCs) into different network segments, ensuring that devices in the same VLAN can communicate while isolating them from devices in other VLANs.


After viewing the VLANs on the CLI you have to press Shift +


Here are the basic commands for configuring Switch0 and Switch1. Note that the commands use VLAN 2 and VLAN 3 rather than the VLAN 1 and VLAN 2 labels used in the diagram: VLAN 1 is the default VLAN on Cisco switches (every port belongs to it until it is reassigned, and it is the default native VLAN on trunks), so user traffic is placed in dedicated VLANs instead. In the configuration below, VLAN 2 carries PC1 and PC4 (192.168.1.x) and VLAN 3 carries PC2 and PC5 (192.168.2.x):


Configuration for Switch0:

Enter global configuration mode:


Switch0> enable

Switch0# configure terminal


Create VLAN 2 and VLAN 3:


Switch0(config)# vlan 2

Switch0(config-vlan)# name VLAN2

Switch0(config-vlan)# exit

Switch0(config)# vlan 3

Switch0(config-vlan)# name VLAN3

Switch0(config-vlan)# exit

Assign ports to VLANs:


Assuming that PC1 is connected to FastEthernet 0/1 and PC2 to FastEthernet 0/2.


For PC1 (VLAN 2):



Switch0(config)# interface fastethernet 0/1

Switch0(config-if)# switchport mode access

Switch0(config-if)# switchport access vlan 2

Switch0(config-if)# exit

For PC2 (VLAN 3):



Switch0(config)# interface fastethernet 0/2

Switch0(config-if)# switchport mode access

Switch0(config-if)# switchport access vlan 3

Switch0(config-if)# exit

Configure trunk link between Switch0 and Switch1:


Assuming the trunk link is on GigabitEthernet 0/1. Setting the port mode to trunk explicitly and limiting the allowed VLANs to the ones in use, as below, keeps the port from negotiating its mode with the neighbor and keeps VLANs that do not need to cross the link off it:


Switch0(config)# interface gigabitethernet 0/1

Switch0(config-if)# switchport mode trunk

Switch0(config-if)# switchport trunk allowed vlan 2,3

Switch0(config-if)# exit


Configuration for Switch1:

The configuration is the same as for Switch0, with the Switch1 hostname and its own port assignments.

Enter global configuration mode:



Switch1> enable

Switch1# configure terminal

Create VLAN 2 and VLAN 3:



Switch1(config)# vlan 2

Switch1(config-vlan)# name VLAN2

Switch1(config-vlan)# exit

Switch1(config)# vlan 3

Switch1(config-vlan)# name VLAN3

Switch1(config-vlan)# exit

Assign ports to VLANs:


Assuming that PC4 is connected to FastEthernet 0/1 and PC5 to FastEthernet 0/2.


For PC4 (VLAN 2):



Switch1(config)# interface fastethernet 0/1

Switch1(config-if)# switchport mode access

Switch1(config-if)# switchport access vlan 2

Switch1(config-if)# exit

For PC5 (VLAN 3):



Switch1(config)# interface fastethernet 0/2

Switch1(config-if)# switchport mode access

Switch1(config-if)# switchport access vlan 3

Switch1(config-if)# exit

Configure trunk link between Switch1 and Switch0:


Assuming the trunk link is on GigabitEthernet 0/1:


Switch1(config)# interface gigabitethernet 0/1

Switch1(config-if)# switchport mode trunk

Switch1(config-if)# switchport trunk allowed vlan 2,3

Switch1(config-if)# exit

Verify Configuration:

After configuring both switches, you can verify the VLAN and trunk configuration using the following commands:


To check VLANs:


Switch# show vlan brief

To check trunk status:



Switch# show interfaces trunk

This should configure your network with the necessary VLANs and trunking to allow communication across the two switches for the respective VLANs.



For testing the configuration:
(See the video below for a walkthrough.)





To test whether your VLAN configuration is working correctly, you can perform several tests using both commands on the switches and ping tests between the connected devices (PCs) to ensure communication works as expected within the same VLAN, but not across different VLANs (without routing).

1. Ping Test Between Devices on the Same VLAN
After configuring the VLANs, one of the simplest tests is to ping between PCs that are part of the same VLAN. This helps verify that devices in the same VLAN can communicate.

From PC1 (VLAN 1), ping PC4 (VLAN 1):

PC1 IP: 192.168.1.1
PC4 IP: 192.168.1.2
Steps to perform ping from PC1:

Go to PC1's command prompt (e.g., in Cisco Packet Tracer or an actual device terminal):

PC1> ping 192.168.1.2
Expected Result: Ping should be successful because both PCs are in VLAN 1.

From PC2 (VLAN 2), ping PC5 (VLAN 2):

PC2 IP: 192.168.2.1
PC5 IP: 192.168.2.2
Steps to perform ping from PC2:

Go to PC2's command prompt:

PC2> ping 192.168.2.2
Expected Result: Ping should be successful because both PCs are in VLAN 2.

2. Ping Test Between Devices on Different VLANs
Try to ping devices that are on different VLANs (e.g., PC1 (VLAN 1) and PC2 (VLAN 2)). If VLANs are correctly configured, this ping should fail, as VLANs logically separate network traffic.

From PC1 (VLAN 1), ping PC2 (VLAN 2):


PC1> ping 192.168.2.1
Expected Result: Ping should fail because the PCs are in different VLANs and there is no routing between them.

Note that in this topology the two VLANs also use different IP subnets (192.168.1.x and 192.168.2.x), so a PC without a default gateway would fail to reach the other subnet even if the VLANs were misconfigured. To test Layer 2 isolation on its own, temporarily give a PC in the other VLAN an address in the same subnet (for example, 192.168.1.3 on PC2) and confirm that the ping from PC1 still fails. This is a good way to verify VLAN isolation.

3. Verify VLAN Configuration on Switches
You can use specific commands on your switches to check if the VLAN configuration is set up correctly:

Show VLANs on the Switches: Use the following command to verify the VLAN assignments on each switch:


Switch# show vlan brief
This will display a table showing which ports are assigned to which VLANs. Make sure the correct ports are in the correct VLANs (with the configuration above, FastEthernet 0/1 on Switch0 is in VLAN 2 and FastEthernet 0/2 is in VLAN 3; the trunk port does not appear in this table because it belongs to no single VLAN).

Check Trunk Status: Use the following command to verify that the trunk link between the two switches is correctly configured and allows both VLANs to pass traffic:


Switch# show interfaces trunk
This will show whether the trunk port (e.g., GigabitEthernet 0/1) is up and which VLANs are allowed across the trunk.
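The following script is added here as an example and is not part of the original page. It parses constructed `show vlan brief` and `show interfaces trunk` output (modeled on IOS formatting for Switch0 as configured above: VLAN 2 on Fa0/1, VLAN 3 on Fa0/2, trunk on Gi0/1 allowing VLANs 2-3) and compares it with the intended port-to-VLAN assignments and trunk policy. It also flags the trunk settings a security reviewer looks for: a trunk mode negotiated by DTP rather than set statically, the native VLAN left at 1, and VLANs allowed on the trunk that the design does not need. It serves both the Verify Configuration commands earlier on the page and this step; the expected-assignment table passed to it is the assumption being checked.

```python
"""Audit `show vlan brief` and `show interfaces trunk` output against the intended design.

Added example, not code from the original page. The two outputs below are
constructed to resemble IOS output for Switch0 as configured on this page
(VLAN 2 on Fa0/1, VLAN 3 on Fa0/2, trunk on Gi0/1 allowing VLANs 2-3).
"""
import re

SHOW_VLAN_BRIEF = """\
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/3, Fa0/4, Fa0/5, Fa0/6
                                                Fa0/7, Fa0/8
2    VLAN2                            active    Fa0/1
3    VLAN3                            active    Fa0/2
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup
"""

SHOW_INTERFACES_TRUNK = """\
Port        Mode             Encapsulation  Status        Native vlan
Gi0/1       on               802.1q         trunking      1

Port        Vlans allowed on trunk
Gi0/1       2-3

Port        Vlans allowed and active in management domain
Gi0/1       2-3

Port        Vlans in spanning tree forwarding state and not pruned
Gi0/1       2-3
"""


def parse_vlan_brief(text):
    """Map each access port to its VLAN from `show vlan brief`; wrapped port lists continue on indented lines."""
    port_vlan, current = {}, None
    for line in text.splitlines():
        m = re.match(r"^(\d+)\s+\S+\s+\S+\s*(.*)$", line)
        if m:
            current, ports = int(m.group(1)), m.group(2)
        elif line.startswith(" ") and current is not None:
            ports = line.strip()
        else:
            continue
        for port in filter(None, (p.strip() for p in ports.split(","))):
            port_vlan[port] = current
    return port_vlan


def expand_vlans(spec):
    """'2-3,10' -> {2, 3, 10}; IOS prints 'none' for an empty allowed list."""
    vlans = set()
    if spec.strip().lower() == "none":
        return vlans
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def parse_trunks(text):
    """Return {port: {mode, status, native, allowed}} from the first two sections of `show interfaces trunk`."""
    trunks, section = {}, None
    for line in text.splitlines():
        if line.startswith("Port"):
            section = "status" if "Native vlan" in line else ("allowed" if "allowed on trunk" in line else None)
            continue
        if not line.strip():
            section = None
            continue
        fields = line.split()
        if section == "status":
            trunks[fields[0]] = {"mode": fields[1], "status": fields[3], "native": int(fields[4]), "allowed": set()}
        elif section == "allowed" and fields[0] in trunks:
            trunks[fields[0]]["allowed"] = expand_vlans(fields[1])
    return trunks


def audit(vlan_brief, trunk_out, expected_access, trunk_port, expected_trunk_vlans):
    """Return a list of findings; an empty list means the switch matches the intended design."""
    findings = []
    port_vlan = parse_vlan_brief(vlan_brief)
    for port, vlan in expected_access.items():
        if port_vlan.get(port) != vlan:
            findings.append(f"{port}: expected access VLAN {vlan}, found {port_vlan.get(port)}")
    t = parse_trunks(trunk_out).get(trunk_port)
    if t is None:
        return findings + [f"{trunk_port}: not trunking (check switchport mode trunk on both ends)"]
    if t["status"] != "trunking":
        findings.append(f"{trunk_port}: status is {t['status']}")
    if t["mode"] != "on":
        findings.append(f"{trunk_port}: mode {t['mode']} means the trunk was negotiated by DTP; set it statically")
    if t["native"] == 1:
        findings.append(f"{trunk_port}: native VLAN is 1; use an unused VLAN so untagged trunk frames cannot reach the default VLAN")
    missing, extra = expected_trunk_vlans - t["allowed"], t["allowed"] - expected_trunk_vlans
    if missing:
        findings.append(f"{trunk_port}: VLANs {sorted(missing)} are missing from the trunk")
    if extra:
        findings.append(f"{trunk_port}: VLANs {sorted(extra)} are allowed but not needed; prune them")
    return findings


if __name__ == "__main__":
    for finding in audit(SHOW_VLAN_BRIEF, SHOW_INTERFACES_TRUNK, {"Fa0/1": 2, "Fa0/2": 3}, "Gi0/1", {2, 3}):
        print(finding)
```

To run it against a real switch, paste the output of the two show commands into the constants or read them from files. The native VLAN finding is reported even for this otherwise correct configuration: the sample trunk leaves the native VLAN at the default of 1, so any untagged frame arriving on the trunk is placed in the default VLAN.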

4. Show MAC Address Table
Use the MAC address table to verify that the switch has learned the MAC addresses of the devices in each VLAN:


Switch# show mac address-table
This command will show the MAC addresses learned on each port and the corresponding VLAN. If PCs are in the correct VLAN, you will see their MAC addresses associated with the correct ports and VLANs.

5. Using the CDP Protocol (Optional)
If you're using Cisco devices, the Cisco Discovery Protocol (CDP) can help you verify if neighboring devices (like the other switch) are detected correctly over the trunk port.


Switch# show cdp neighbors
This will show the neighboring switch connected over the trunk and its port.

Summary of Test Results:
Ping within same VLAN: Successful
Ping across different VLANs: Fails (as expected unless you configure routing between VLANs)
VLAN and trunk configuration check: show vlan brief and show interfaces trunk
MAC address table check: show mac address-table
These tests will help you ensure that your VLANs are functioning properly.


What to do if ping fails?

If the ping test is failing despite your VLAN configuration, there could be several reasons for this, ranging from incorrect configuration to physical issues. Let's go through some common causes and troubleshooting steps to help identify and fix the issue.

1. Incorrect VLAN Assignment
One of the most common reasons for a ping failure is incorrect VLAN assignment on the switch ports.

Check:
Make sure that each device is connected to the correct VLAN.
Use the command:
Switch# show vlan brief

Verify that the ports connected to the PCs are assigned to the VLANs used in the configuration above. For example:

PC1 (connected to FastEthernet0/1) should be in VLAN 2, the VLAN used for the 192.168.1.x group.
PC2 (connected to FastEthernet0/2) should be in VLAN 3, the VLAN used for the 192.168.2.x group.

Fix:
If you find that a port is assigned to the wrong VLAN, reconfigure it:

Assign the correct port to the correct VLAN:
Switch(config)# interface fastethernet 0/x
Switch(config-if)# switchport access vlan [vlan_id]
2. Trunk Port Configuration
If devices on the same VLAN but connected through different switches cannot communicate, the issue might be with the trunk link between the switches.

Check:
Verify that the trunk port is configured correctly on both switches.

Use the command:
Switch# show interfaces trunk
Ensure that:
The trunk link (e.g., GigabitEthernet 0/1) is up and in trunking state on both switches.

VLAN 2 and VLAN 3 are allowed on the trunk link (check "Vlans allowed on trunk" in the output), and the allowed list is the same on both ends.

Fix:
If the trunk is not correctly allowing both VLANs, reconfigure it:

Switch(config)# interface gigabitethernet 0/1
Switch(config-if)# switchport mode trunk
Switch(config-if)# switchport trunk allowed vlan 2,3
Switch(config-if)# exit


3. Check IP Configuration
Another possible reason for ping failure is that the PCs might not have the correct IP address configuration or subnet mask.

Check:
Ensure that the IP addresses and subnet masks of the PCs are properly configured.

PC1 (VLAN 1) should have an IP address like 192.168.1.1 and subnet mask 255.255.255.0.
PC4 (VLAN 1) should have an IP address like 192.168.1.2 and the same subnet mask 255.255.255.0.
Similarly, for VLAN 2:

PC2 (VLAN 2) should have an IP address like 192.168.2.1 and subnet mask 255.255.255.0.
PC5 (VLAN 2) should have an IP address like 192.168.2.2 and the same subnet mask 255.255.255.0.
Fix:
If any of the devices have incorrect IP configurations, fix them by manually assigning the correct IP addresses and subnet masks.

4. Check for Spanning Tree Protocol (STP) Issues
Sometimes the Spanning Tree Protocol (STP) might block a trunk port or access port temporarily due to loop prevention, which could cause the ping to fail.

Check:
Verify STP status using the command:
Switch# show spanning-tree
Check whether any ports are in the blocking or listening state.
Fix:

If the trunk or access port is blocked by STP, wait for the topology to converge (classic 802.1D STP can take up to about 50 seconds to move a port to forwarding) or find and remove the loop that caused the block. On ports that face end hosts only, you can enable PortFast so the port skips the listening and learning states; do not enable it on the trunk or on any port that could connect to another switch:

Switch(config)# interface fastethernet 0/x
Switch(config-if)# spanning-tree portfast

5. Check MAC Address Table
If the switches aren't learning the MAC addresses of the connected devices correctly, communication won't work.

Check:
Verify that the switches have learned the MAC addresses of the connected devices.
Switch# show mac address-table


Ensure that the MAC addresses of PCs in each VLAN are present on the correct ports. For example, PC1's MAC address should appear on FastEthernet 0/1 in VLAN 2, and once PC1 and PC4 have exchanged traffic, PC4's MAC address should appear on Switch0's trunk port (GigabitEthernet 0/1) in VLAN 2.
Fix:
If the MAC address table is empty or incorrect, try clearing the MAC address table:

Switch# clear mac address-table dynamic
Then, test again by initiating new traffic (e.g., by pinging) so the switch can relearn the MAC addresses.

6. Physical Layer Issues
Sometimes, the issue could be as simple as a loose cable or a malfunctioning network interface card (NIC).

Check:
Ensure that the cables between the switches and PCs are properly connected and functional.
Verify that the link lights on the network interfaces (on both PCs and switches) are lit.
Fix:
Replace any faulty cables or hardware, if necessary.

7. Check for ACLs or Security Settings
If Access Control Lists (ACLs) or other security policies are applied, they may drop the ICMP traffic. On a Layer 2 switch, a router ACL bound to an SVI only affects routed (inter-VLAN) traffic; a ping between two PCs in the same VLAN can only be filtered by a port ACL on an access interface or by a VLAN access map.

Check:
Make sure no ACLs are applied on the interfaces that would prevent traffic from flowing.

Switch# show access-lists
Review the ACLs to ensure they are not unintentionally blocking ICMP (ping) traffic.
Fix:
If an ACL is blocking traffic, you can either modify it or remove it from the interface:

Switch(config)# no ip access-group [acl-name] in
8. Device-Level Firewall
If the PCs have firewalls enabled, they may block ping (ICMP) traffic by default.

Check:
Temporarily allow ICMP echo requests through the PC firewalls (or, on a lab PC, disable the firewall briefly) and try pinging again.
Fix:
If the ping works after disabling the firewall, configure the firewall to allow ICMP traffic.
Conclusion:
To summarize, you can follow this troubleshooting guide in this order:

Verify VLAN and trunk port configurations.
Check IP addressing on the PCs.
Check for STP or physical layer issues.
Verify MAC address table learning.
Ensure there are no ACLs or firewalls blocking traffic.
If everything is configured correctly and no ping is successful, double-check the steps above and re-verify the VLAN assignments, trunk settings, and connectivity between the devices.
