Understanding and Configuring VLANs
All devices connected to a switch or switched environment (with the default settings) belong to a single broadcast domain. But what is a broadcast domain? There are certain frames that, when a switch receives them, it has to broadcast out of all its ports (except the port it received them on). These are frames with an unknown destination MAC address or with a broadcast destination address. For more detail on how a switch forwards frames, you can read my post: Switch Learning and Forwarding.
So, in other words, all devices in that switched environment receive those broadcast messages, and that is what we call a single broadcast domain. The picture below shows an example of four users connected to four ports of a switch. They are all connected with the default port configuration, so they belong to the same broadcast domain. If one of these users sends a frame that the switch needs to broadcast, the other three PCs will all receive it.
Although this is a simple setup, it is not a very efficient one, as it introduces unnecessary broadcast traffic and security weaknesses.
That is why we divide our broadcast domain into smaller domains using Virtual LANs (VLANs). A VLAN is, as the name states, a virtual “LAN” that forms its own broadcast domain: only devices that belong to that VLAN receive its broadcast traffic. How does this work? Basically, you assign each port of the switch to a VLAN (several ports can be assigned to the same VLAN). For example, in an enterprise environment the “Sales” team can belong to one VLAN and the “Technical” team to another. This way, each team can be configured with its own network settings (for example IP subnet, security methods, etc.), and the teams avoid receiving unnecessary broadcast traffic from each other.
The picture below shows an example of a switch with two VLANs configured on it:
Ports 1 and 2 belong to the “Green” VLAN, while ports 3 and 4 belong to the “Red” VLAN. That means that broadcast frames from “Green” users will not be sent out to “Red” users and vice versa.
Now, how can we configure this in a Cisco switch? Two steps are needed:
1. Define the VLAN
To define a VLAN, you need to assign a number to it (the VLAN number range is 1-1005, where 1 and 1002-1005 are reserved for other purposes; some switches also offer an extended range). Optionally, you can also give it a name. In this example, we need to configure two VLANs, numbered 10 and 11 and named “Green” and “Red” respectively:
Switch(config)# vlan 10
Switch(config-vlan)# name Green
Switch(config-vlan)# exit
Switch(config)# vlan 11
Switch(config-vlan)# name Red
As soon as you enter the VLAN number, you move to the “config-vlan” level, where you can configure a name. If you do not wish to configure a VLAN name, you can simply type “exit”.
2. Assign interfaces to that VLAN
So far we have created our two VLANs (10 and 11), but they have not been assigned to any port yet. To do this, we configure:
Switch(config)# interface range fa0/1-2
Switch(config-if-range)# switchport mode access
Switch(config-if-range)# switchport access vlan 10
Switch(config-if-range)# exit
Switch(config)# interface range fa0/3-4
Switch(config-if-range)# switchport mode access
Switch(config-if-range)# switchport access vlan 11
The “switchport” command defines a port as a Layer 2 interface. The “mode” keyword sets this port as an “access port”, in other words it belongs to only one VLAN. The other mode is called “trunk”, which can carry multiple VLANs, but that is outside the scope of this post. Finally, with the “access vlan” command, we assign the interface to a specific VLAN. Note that the “interface range” command has been used here, which allows several interfaces to be configured at once.
Finally, in order to verify the configuration, you can use the command:
Switch# show vlan
which lists all the VLANs that exist in the switch and the interfaces assigned to them.
Based on the above configuration, any user connected to port 1 or 2 will be placed in VLAN 10, while any user connected to port 3 or 4 will be placed in VLAN 11.
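As an added example (not part of the original post), the following Python script parses the output of “show vlan brief” and checks that every port landed in the VLAN we intended, which is the check worth running after the two steps above; the sample output it parses is constructed to match this post's configuration and assumes a few extra ports that were never assigned and so still sit in the default VLAN 1.

```python
import re

# Constructed sample of "show vlan brief" output (assumed, not captured from a
# real switch) reflecting the configuration above, plus some ports that were
# never assigned and therefore still sit in the default VLAN 1.
SHOW_VLAN_BRIEF = """\
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                Fa0/9, Fa0/10
10   Green                            active    Fa0/1, Fa0/2
11   Red                              active    Fa0/3, Fa0/4
1002 fddi-default                     act/unsup
"""

VLAN_ROW = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s*(.*)$")   # id, name, status, ports
CONT_ROW = re.compile(r"^\s{20,}(\S.*)$")                  # wrapped port list

def _split_ports(field):
    return {p.strip() for p in field.split(",") if p.strip()}

def parse_show_vlan_brief(text):
    """Return {vlan_id: {"name": ..., "status": ..., "ports": set()}}."""
    vlans, current = {}, None
    for line in text.splitlines():
        m = VLAN_ROW.match(line)
        if m:
            current = int(m.group(1))
            vlans[current] = {"name": m.group(2), "status": m.group(3),
                              "ports": _split_ports(m.group(4))}
            continue
        m = CONT_ROW.match(line)
        if m and current is not None:          # port list wrapped to next line
            vlans[current]["ports"] |= _split_ports(m.group(1))
    return vlans

# Intended mapping from the post: ports 1-2 in VLAN 10, ports 3-4 in VLAN 11.
EXPECTED = {"Fa0/1": 10, "Fa0/2": 10, "Fa0/3": 11, "Fa0/4": 11}

def check_assignments(vlans, expected):
    """Compare the intended port->VLAN map with the parsed output; list mismatches."""
    actual = {p: vid for vid, info in vlans.items() for p in info["ports"]}
    return [f"{port}: expected VLAN {want}, found {actual.get(port)}"
            for port, want in expected.items() if actual.get(port) != want]

def ports_in_default_vlan(vlans):
    """Ports nobody assigned explicitly still belong to VLAN 1 (the default)."""
    return sorted(vlans.get(1, {"ports": set()})["ports"])

if __name__ == "__main__":
    parsed = parse_show_vlan_brief(SHOW_VLAN_BRIEF)
    print("mismatches:", check_assignments(parsed, EXPECTED) or "none")
    print("still in VLAN 1:", ports_in_default_vlan(parsed))
```

Any port reported as still being in VLAN 1 has not been assigned yet and shares the default broadcast domain with every other unassigned port.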
A VLAN can also be “extended” across more than one switch, meaning that the same VLAN can be configured on several switches in our switching environment. Any device connected to any of those switch ports will belong to the same VLAN and share the same broadcast domain. Communication between the same VLAN on different switches is made possible by a technique called “trunking”, which will be explained in a later post.