Logan Bennett
26 min read
05 Feb

In the previous post in this series, Step-By-Step Networking: Switching & VLANs, we discussed the theory of how switches work and how we can use VLANs to optimize our network. In this article, we will be configuring our VLANs and introducing a concept known as inter-VLAN routing.

If you have not read the previous article in this series, below is an index containing each post in sequential order. 

Index

  1. Step-By-Step Networking: A Project-Based Approach 
  2. Step-By-Step Networking: The Foundation
  3. Step-By-Step Networking: Switching & VLANs


Configuring VLANs

We left off with our physical connections to each device. Below is the current topology. You can ignore any IP addresses already configured on the node interfaces, as we will not be using them.

Let's connect to SW02. To verify that no VLANs other than the default VLAN exist yet, type the following commands:

Switch>en
Switch#sh vlan br


VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gig1/0/1, Gig1/0/2, Gig1/0/3, Gig1/0/4
                                                Gig1/0/5, Gig1/0/6, Gig1/0/7, Gig1/0/8
                                                Gig1/0/9, Gig1/0/10, Gig1/0/11, Gig1/0/12
                                                Gig1/0/13, Gig1/0/14, Gig1/0/15, Gig1/0/16
                                                Gig1/0/17, Gig1/0/18, Gig1/0/19, Gig1/0/20
                                                Gig1/0/21, Gig1/0/22, Gig1/0/23, Gig1/0/24
                                                Gig1/1/1, Gig1/1/2, Gig1/1/3, Gig1/1/4
1002 fddi-default                     active    
1003 token-ring-default               active    
1004 fddinet-default                  active    
1005 trnet-default                    active

We'll need to see which VLANs need to be created and assigned to which port. Referencing our network design, we can find this information easily.

On SW02, it looks like we need to create VLANs 20, 21, 40, 41, and 60, so five VLANs in total.

Let's create VLANs 20 and 21 with the following commands from privileged EXEC mode:

Switch#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Switch(config)#vlan 20
Switch(config-vlan)#name "IT Data"
Switch(config-vlan)#vlan 21
Switch(config-vlan)#name "IT Voice"
Switch(config-vlan)#end
Switch#

Now we need to verify that these VLANs were created. Enter the following commands:

Switch#sh vlan br


VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gig1/0/1, Gig1/0/2, Gig1/0/3, Gig1/0/4
                                                Gig1/0/5, Gig1/0/6, Gig1/0/7, Gig1/0/8
                                                Gig1/0/9, Gig1/0/10, Gig1/0/11, Gig1/0/12
                                                Gig1/0/13, Gig1/0/14, Gig1/0/15, Gig1/0/16
                                                Gig1/0/17, Gig1/0/18, Gig1/0/19, Gig1/0/20
                                                Gig1/0/21, Gig1/0/22, Gig1/0/23, Gig1/0/24
                                                Gig1/1/1, Gig1/1/2, Gig1/1/3, Gig1/1/4
20   IT Data                          active    
21   IT Voice                         active    
1002 fddi-default                     active    
1003 token-ring-default               active    
1004 fddinet-default                  active    
1005 trnet-default                    active    
Switch#

We can see our two VLANs were created with the names "IT Data" and "IT Voice." Notice that no interfaces are assigned to these VLANs under the "Ports" column.

Now, do the same for VLANs 40, 41, and 60 with the names "Finance Data", "Finance Voice", and "Datacenter Data", respectively.

Switch#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Switch(config)#vlan 40
Switch(config-vlan)#name "Finance Data"
Switch(config-vlan)#vlan 41
Switch(config-vlan)#name "Finance Voice"
Switch(config-vlan)#vlan 60
Switch(config-vlan)#name "Datacenter Data"
Switch(config-vlan)#do sh vlan br


VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gig1/0/1, Gig1/0/2, Gig1/0/3, Gig1/0/4
                                                Gig1/0/5, Gig1/0/6, Gig1/0/7, Gig1/0/8
                                                Gig1/0/9, Gig1/0/10, Gig1/0/11, Gig1/0/12
                                                Gig1/0/13, Gig1/0/14, Gig1/0/15, Gig1/0/16
                                                Gig1/0/17, Gig1/0/18, Gig1/0/19, Gig1/0/20
                                                Gig1/0/21, Gig1/0/22, Gig1/0/23, Gig1/0/24
                                                Gig1/1/1, Gig1/1/2, Gig1/1/3, Gig1/1/4
20   IT Data                          active    
21   IT Voice                         active    
40   Finance Data                     active    
41   Finance Voice                    active    
60   Datacenter Data                  active    
1002 fddi-default                     active    
1003 token-ring-default               active    
1004 fddinet-default                  active    
1005 trnet-default                    active    
Switch(config-vlan)#

And while we're at it, let's open the terminal for SW01 and add the Datacenter VLAN. Since the IT and Finance VLANs won't be used on the datacenter switch, we can leave those out for now.

Switch>en
Switch#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Switch(config)#vlan 60
Switch(config-vlan)#name "Datacenter Data"
Switch(config-vlan)#do sh vlan br


VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gig1/0/1, Gig1/0/2, Gig1/0/3, Gig1/0/4
                                                Gig1/0/5, Gig1/0/6, Gig1/0/7, Gig1/0/8
                                                Gig1/0/9, Gig1/0/10, Gig1/0/11, Gig1/0/12
                                                Gig1/0/13, Gig1/0/14, Gig1/0/15, Gig1/0/16
                                                Gig1/0/17, Gig1/0/18, Gig1/0/19, Gig1/0/20
                                                Gig1/0/21, Gig1/0/22, Gig1/0/23, Gig1/0/24
                                                Gig1/1/1, Gig1/1/2, Gig1/1/3, Gig1/1/4
60   Datacenter Data                  active    
1002 fddi-default                     active    
1003 token-ring-default               active    
1004 fddinet-default                  active    
1005 trnet-default                    active    
Switch(config-vlan)#

And there you have it: all the necessary VLANs now exist on our switches. However, a VLAN is not actually useful until interfaces are assigned to it; an unassigned VLAN carries no traffic at all. So, the smart thing to do is assign our interfaces, otherwise we might as well delete what we just created.

Sometimes you won't know exactly which interfaces have cables plugged into them. Most of the time you'll be configuring the equipment remotely, so physical access may not be feasible. You can find the status of each interface with the following command on SW02:

Switch#show int status 
Port      Name               Status       Vlan       Duplex  Speed Type
Gig1/0/1                     connected    1          auto    auto  10/100BaseTX
Gig1/0/2                     notconnect   1          auto    auto  10/100BaseTX
Gig1/0/3                     notconnect   1          auto    auto  10/100BaseTX
Gig1/0/4                     notconnect   1          auto    auto  10/100BaseTX
Gig1/0/5                     notconnect   1          auto    auto  10/100BaseTX
Gig1/0/6                     notconnect   1          auto    auto  10/100BaseTX
Gig1/0/7                     notconnect   1          auto    auto  10/100BaseTX
Gig1/0/8                     notconnect   1          auto    auto  10/100BaseTX
Gig1/0/9                     notconnect   1          auto    auto  10/100BaseTX
Gig1/0/10                    notconnect   1          auto    auto  10/100BaseTX
Gig1/0/11                    notconnect   1          auto    auto  10/100BaseTX
Gig1/0/12                    notconnect   1          auto    auto  10/100BaseTX
Gig1/0/13                    notconnect   1          auto    auto  10/100BaseTX
Gig1/0/14                    notconnect   1          auto    auto  10/100BaseTX
Gig1/0/15                    notconnect   1          auto    auto  10/100BaseTX
Gig1/0/16                    notconnect   1          auto    auto  10/100BaseTX
Gig1/0/17                    notconnect   1          auto    auto  10/100BaseTX
Gig1/0/18                    notconnect   1          auto    auto  10/100BaseTX
Gig1/0/19                    notconnect   1          auto    auto  10/100BaseTX
Gig1/0/20                    notconnect   1          auto    auto  10/100BaseTX
Gig1/0/21                    notconnect   1          auto    auto  10/100BaseTX
Gig1/0/22                    notconnect   1          auto    auto  10/100BaseTX
Gig1/0/23                    connected    1          auto    auto  10/100BaseTX
Gig1/0/24                    connected    1          auto    auto  10/100BaseTX
Gig1/1/1                     notconnect   1          auto    auto  10/100BaseTX
Gig1/1/2                     notconnect   1          auto    auto  10/100BaseTX
Gig1/1/3                     notconnect   1          auto    auto  10/100BaseTX
Gig1/1/4                     notconnect   1          auto    auto  10/100BaseTX


Switch#

Cisco IOS gives us a nice overview of each interface's status as well as its VLAN, duplex, speed, and Ethernet standard settings. We know for certain that our uplinks to the router are on Gig1/0/1 on both switches, so the Gig1/0/23 and Gig1/0/24 interfaces must be our clients.

Gig1/0/23 is connected to the IT Department, so let's place the interface in our IT VLANs:

Switch#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Switch(config)#int gi1/0/23
Switch(config-if)#switchport mode access
Switch(config-if)#switchport access vlan 20
Switch(config-if)#switchport voice vlan 21
Switch(config-if)#do sh vlan br


VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gig1/0/1, Gig1/0/2, Gig1/0/3, Gig1/0/4
                                                Gig1/0/5, Gig1/0/6, Gig1/0/7, Gig1/0/8
                                                Gig1/0/9, Gig1/0/10, Gig1/0/11, Gig1/0/12
                                                Gig1/0/13, Gig1/0/14, Gig1/0/15, Gig1/0/16
                                                Gig1/0/17, Gig1/0/18, Gig1/0/19, Gig1/0/20
                                                Gig1/0/21, Gig1/0/22, Gig1/0/24, Gig1/1/1
                                                Gig1/1/2, Gig1/1/3, Gig1/1/4
20   IT Data                          active    Gig1/0/23
21   IT Voice                         active    Gig1/0/23
40   Finance Data                     active    
41   Finance Voice                    active    
60   Datacenter Data                  active    
1002 fddi-default                     active    
1003 token-ring-default               active    
1004 fddinet-default                  active    
1005 trnet-default                    active    
Switch(config-if)#

See that our interface is now in the IT VLANs? In this case, we have two VLANs: data and voice. Cisco IOS separates data and voice VLANs for different endpoints: voice over IP (VoIP) devices use the voice VLAN, and computers use the data VLAN. A voice VLAN is only required if your network has VoIP endpoints. Ours does, in the form of IP phones.

For the Finance VLANs, enter the same commands for Gig1/0/24 using VLAN IDs 40 and 41:

Switch(config-if)#int gig1/0/24
Switch(config-if)#switchport mode access
Switch(config-if)#switchport access vlan 40
Switch(config-if)#switchport voice vlan 41
Switch(config-if)#do sh vlan br


VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gig1/0/1, Gig1/0/2, Gig1/0/3, Gig1/0/4
                                                Gig1/0/5, Gig1/0/6, Gig1/0/7, Gig1/0/8
                                                Gig1/0/9, Gig1/0/10, Gig1/0/11, Gig1/0/12
                                                Gig1/0/13, Gig1/0/14, Gig1/0/15, Gig1/0/16
                                                Gig1/0/17, Gig1/0/18, Gig1/0/19, Gig1/0/20
                                                Gig1/0/21, Gig1/0/22, Gig1/1/1, Gig1/1/2
                                                Gig1/1/3, Gig1/1/4
20   IT Data                          active    Gig1/0/23
21   IT Voice                         active    Gig1/0/23
40   Finance Data                     active    Gig1/0/24
41   Finance Voice                    active    Gig1/0/24
60   Datacenter Data                  active    
1002 fddi-default                     active    
1003 token-ring-default               active    
1004 fddinet-default                  active    
1005 trnet-default                    active    
Switch(config-if)#

Do the same on SW01: find the connected interface going to the server and configure it for VLAN 60:

Switch#sh int status
Port      Name               Status       Vlan       Duplex  Speed Type
Gig1/0/1                     connected    1          auto    auto  10/100BaseTX
Gig1/0/2                     notconnect   1          auto    auto  10/100BaseTX
Gig1/0/3                     notconnect   1          auto    auto  10/100BaseTX
Gig1/0/4                     notconnect   1          auto    auto  10/100BaseTX
Gig1/0/5                     notconnect   1          auto    auto  10/100BaseTX
Gig1/0/6                     notconnect   1          auto    auto  10/100BaseTX
Gig1/0/7                     notconnect   1          auto    auto  10/100BaseTX
Gig1/0/8                     notconnect   1          auto    auto  10/100BaseTX
Gig1/0/9                     notconnect   1          auto    auto  10/100BaseTX
Gig1/0/10                    notconnect   1          auto    auto  10/100BaseTX
Gig1/0/11                    notconnect   1          auto    auto  10/100BaseTX
Gig1/0/12                    notconnect   1          auto    auto  10/100BaseTX
Gig1/0/13                    notconnect   1          auto    auto  10/100BaseTX
Gig1/0/14                    notconnect   1          auto    auto  10/100BaseTX
Gig1/0/15                    notconnect   1          auto    auto  10/100BaseTX
Gig1/0/16                    notconnect   1          auto    auto  10/100BaseTX
Gig1/0/17                    notconnect   1          auto    auto  10/100BaseTX
Gig1/0/18                    notconnect   1          auto    auto  10/100BaseTX
Gig1/0/19                    notconnect   1          auto    auto  10/100BaseTX
Gig1/0/20                    notconnect   1          auto    auto  10/100BaseTX
Gig1/0/21                    notconnect   1          auto    auto  10/100BaseTX
Gig1/0/22                    notconnect   1          auto    auto  10/100BaseTX
Gig1/0/23                    notconnect   1          auto    auto  10/100BaseTX
Gig1/0/24                    connected    1          auto    auto  10/100BaseTX
Gig1/1/1                     notconnect   1          auto    auto  10/100BaseTX
Gig1/1/2                     notconnect   1          auto    auto  10/100BaseTX
Gig1/1/3                     notconnect   1          auto    auto  10/100BaseTX
Gig1/1/4                     notconnect   1          auto    auto  10/100BaseTX


Switch#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Switch(config)#int gig1/0/24
Switch(config-if)#switchport mode access
Switch(config-if)#switchport access vlan 60
Switch(config-if)#do sh vlan br


VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gig1/0/1, Gig1/0/2, Gig1/0/3, Gig1/0/4
                                                Gig1/0/5, Gig1/0/6, Gig1/0/7, Gig1/0/8
                                                Gig1/0/9, Gig1/0/10, Gig1/0/11, Gig1/0/12
                                                Gig1/0/13, Gig1/0/14, Gig1/0/15, Gig1/0/16
                                                Gig1/0/17, Gig1/0/18, Gig1/0/19, Gig1/0/20
                                                Gig1/0/21, Gig1/0/22, Gig1/0/23, Gig1/1/1
                                                Gig1/1/2, Gig1/1/3, Gig1/1/4
60   Datacenter Data                  active    Gig1/0/24
1002 fddi-default                     active    
1003 token-ring-default               active    
1004 fddinet-default                  active    
1005 trnet-default                    active    
Switch(config-if)#

Nice, our VLANs are fully configured on our switches! Before we finish, make sure to save your configuration by typing "wr" in privileged EXEC mode on SW01 and SW02.
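Once the access ports are assigned, it is worth checking the switch state against the design rather than trusting the CLI session. The following is an added example, not part of the original post: it parses `show interfaces status` output (a constructed, abbreviated sample of SW02's output is embedded) and reports any connected port whose VLAN does not match the design table, any designed port that is not connected, and any live port the design does not know about. The DESIGN and UPLINKS tables are assumptions taken from the topology described above.

```python
# Added example (not from the post): audit SW02's port-to-VLAN state from
# `show interfaces status` output against the intended design.
STATUSES = {"connected", "notconnect", "disabled", "err-disabled", "inactive"}

# Constructed sample: the relevant rows of SW02's `show interfaces status`
# after the access ports were assigned; most notconnect rows are omitted.
SHOW_INT_STATUS = """\
Port      Name               Status       Vlan       Duplex  Speed Type
Gig1/0/1                     connected    1          auto    auto  10/100BaseTX
Gig1/0/2                     notconnect   1          auto    auto  10/100BaseTX
Gig1/0/22                    notconnect   1          auto    auto  10/100BaseTX
Gig1/0/23                    connected    20         auto    auto  10/100BaseTX
Gig1/0/24                    connected    40         auto    auto  10/100BaseTX
"""

# Intended access-VLAN assignment for SW02 from the network design (assumed).
DESIGN = {"Gig1/0/23": 20, "Gig1/0/24": 40}
# The router uplink is known from the topology and is not an access port.
UPLINKS = {"Gig1/0/1"}


def parse_int_status(text):
    """Return {port: (status, vlan)} parsed from `show interfaces status`.

    The Name column may be empty or contain spaces, so each row is split on
    whitespace and the Status keyword is located instead of a fixed column.
    """
    rows = {}
    for line in text.splitlines():
        toks = line.split()
        if not toks or toks[0] == "Port":
            continue
        idx = next((i for i, t in enumerate(toks) if t in STATUSES), None)
        if idx is None or idx + 1 >= len(toks):
            continue
        rows[toks[0]] = (toks[idx], toks[idx + 1])
    return rows


def audit(rows, design, uplinks):
    """Return (port, finding) tuples for anything that deviates from design."""
    findings = []
    for port, (status, vlan) in rows.items():
        if port in uplinks:
            continue
        expected = design.get(port)
        if expected is not None:
            if vlan != str(expected):
                findings.append((port, f"in VLAN {vlan}, design says {expected}"))
            elif status != "connected":
                findings.append((port, "in design but not connected"))
        elif status == "connected":
            # A live link on a port the design does not know about: either an
            # undocumented device or a port that was never moved off VLAN 1.
            findings.append((port, f"connected but not in design (VLAN {vlan})"))
    return findings


if __name__ == "__main__":
    for port, msg in audit(parse_int_status(SHOW_INT_STATUS), DESIGN, UPLINKS):
        print(f"{port}: {msg}")
```

Paste the real `show int status` output into SHOW_INT_STATUS to run it against your own switch; an empty findings list means the ports match the design.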

Something I should note here is the Cisco Discovery Protocol (CDP). Remember when I said that you will likely not know every device connected to every interface? Well, if you're in a completely Cisco-proprietary environment, CDP can be a valuable tool at your disposal.

To confirm that our router is connected to Gig1/0/1, type the following command:

Switch#sh cdp neighbors 
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone
Device ID    Local Intrfce   Holdtme    Capability   Platform    Port ID
Router       Gig 1/0/1        167            R       C2800       Fas 0/0
Switch#

Just like that, we can map our network from the local node and even see the model of device. Isn't that cool?


Inter-VLAN Routing

Understanding VLANs means understanding the logical separations of a network. Once VLANs are configured, a node in VLAN 20 will not be able to communicate with a node in VLAN 40 at layer 2. For those nodes to converse, their traffic will need to be routed by a router at layer 3.

However, note that layer 2 and layer 3 are separate layers of the network. Thus, even though VLANs have been created to separate our layer 2 broadcast domains, nodes can still communicate through layer 3 routing. It wouldn't make sense to allow that to happen freely if we're trying to segregate different parts of our network.

Because of this, the general rule of thumb is to pair each VLAN with one subnet. For example, in our network design VLAN 20 is paired with 192.168.20.0/24, while VLAN 40 is paired with 192.168.40.0/24. All nodes in the 192.168.20.0/24 network should only be connected to interfaces assigned to VLAN 20, and so on. This keeps the logical separation consistent at both layers, which is what the security of our segmentation relies on.

We will discuss inter-VLAN routing in the next part of this series. For now, understand that there are a few methods to achieving this. Two common methods are router-on-a-stick (ROAS) and switched virtual interfaces (SVIs) using layer 3 switches.
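The VLAN-to-subnet rule above is easy to state and easy to break with a single mistyped address. The following is an added example, not part of the original post: it takes the design pairing (VLAN 20 with 192.168.20.0/24, VLAN 40 with 192.168.40.0/24) and a constructed host inventory, and reports any host whose configured address does not sit in the subnet paired with the VLAN of its access port. The host names and addresses are constructed for the example.

```python
import ipaddress

# Added example (not from the post): check that each host's address sits in
# the subnet paired with the VLAN of its access port.

# VLAN-to-subnet pairing taken from the network design in the post.
VLAN_SUBNETS = {
    20: ipaddress.ip_network("192.168.20.0/24"),   # IT Data
    40: ipaddress.ip_network("192.168.40.0/24"),   # Finance Data
}

# Constructed inventory: (host, access VLAN of its switch port, configured IP).
# FIN-PC2 is deliberately mis-addressed with an address from the IT subnet.
HOSTS = [
    ("IT-PC1", 20, "192.168.20.10"),
    ("FIN-PC1", 40, "192.168.40.10"),
    ("FIN-PC2", 40, "192.168.20.11"),
]


def check_pairing(hosts, vlan_subnets):
    """Return (host, finding) tuples for hosts that break the VLAN/subnet pairing."""
    findings = []
    for name, vlan, ip in hosts:
        addr = ipaddress.ip_address(ip)
        expected = vlan_subnets.get(vlan)
        if expected is None:
            findings.append((name, f"VLAN {vlan} has no subnet in the design"))
            continue
        if addr in expected:
            continue
        # The address lands outside its VLAN's subnet: at layer 2 the host sits
        # in one VLAN, but at layer 3 it claims an address from another VLAN's
        # network, so the two separations no longer agree.
        owner = next((v for v, net in vlan_subnets.items() if addr in net), None)
        msg = f"{ip} is outside {expected}"
        if owner is not None:
            msg += f" and falls in VLAN {owner}'s subnet {vlan_subnets[owner]}"
        findings.append((name, msg))
    return findings


if __name__ == "__main__":
    for host, msg in check_pairing(HOSTS, VLAN_SUBNETS):
        print(f"{host}: {msg}")
```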


Conclusion

In this article, we reviewed how to configure our VLANs and discussed key concepts for inter-VLAN routing.

In the next article, we will go over the different configuration types for inter-VLAN routing.