VLANs for Cisco Networking

What is a VLAN

A VLAN is a logical grouping of networking devices. When we create VLANs, we break one large broadcast domain into smaller broadcast domains. Think of a VLAN as a subnet: just as two different subnets cannot communicate with each other without a router, different VLANs also require a router (or a Layer 3 switch) to communicate. Put another way, a VLAN (Virtual LAN) is a way of creating multiple virtual switches inside one physical switch. Ports configured for VLAN 10 act as if they are connected to the exact same switch, while ports in VLAN 20 cannot talk directly to ports in VLAN 10. Traffic between the two must be routed (or there must be a link that bridges the two VLANs).

There are a lot of reasons to implement VLANs, and the size of the network is typically the least of them. I'll list a few reasons and then expand on each one.

  • Security
  • Link Utilization
  • Service Separation
  • Service Isolation
  • Subnet Size

Security: Creating a VLAN does not by itself provide security; what matters is how that VLAN is connected to the other subnets, because that connection point is where you can filter or block access. For instance, if you have an office building with 50 computers and 5 servers, you could create one VLAN for the servers and another for the computers. For the computers to communicate with the servers, you could use a firewall to route and filter that traffic, which lets you apply IPS/IDS, ACLs, etc. to the connection between the servers and the computers.

Link Utilization: Link utilization is another big reason to use VLANs. Spanning Tree, by design, builds a single loop-free path through your Layer 2 network. If you have multiple redundant links to your aggregation devices, some of those links will sit unused. To get around this you can build multiple STP topologies, one per VLAN or per group of VLANs. This is accomplished with the Cisco-proprietary PVST+ or Rapid PVST+, or with standards-based MST, and it gives you several STP topologies to work with so that previously idle links carry traffic. For example, if I had 50 desktops, I could place 25 of them in VLAN 10 and 25 in VLAN 20, then have VLAN 10 take the "left" side of the network and VLAN 20 take the "right" side.

Service Separation: This one is pretty straightforward. If you have IP security cameras, IP phones and desktops all connecting into the same switch, it is often easier to separate these services into their own subnets. This also lets you apply QoS markings per VLAN rather than based on some higher-layer classification (e.g. NBAR). You can also apply ACLs on the device performing Layer 3 routing to prevent inter-VLAN communication that is not desired; for instance, I can prevent the desktops from reaching the phones or security cameras directly.

Service Isolation: If you have a pair of ToR (top-of-rack) switches in a single rack with a few VMware hosts and a SAN, you could create an iSCSI VLAN that remains unrouted, i.e. with no SVI or router interface in it. This gives you an entirely isolated iSCSI network, so that no device outside that VLAN can attempt to access the SAN or disrupt communication between the hosts and the SAN. This is just one example of service isolation.

Subnet Size: As stated above, if a single site becomes too large you can break it into several VLANs, which reduces the number of hosts that need to receive and process each broadcast.

CREATING A VLAN FOR CISCO NETWORKING

When working with your Cisco network, you may want to separate users into different broadcast domains for security or to reduce broadcast traffic. You can do this by implementing VLANs. The following example creates a VLAN (VLAN 2), names it, and places switch ports 1 through 12 into it. Note that the interface range uses a hyphen for a contiguous block of ports; a comma-separated list would select only the individual ports named (in this case ports 1 and 12, not everything in between).

Switch1>enable
Switch1#configure terminal
Switch1(config)#vlan 2
Switch1(config-vlan)#name Finance
Switch1(config-vlan)#exit
Switch1(config)#interface range FastEthernet0/1 - 12
Switch1(config-if-range)#switchport mode access
Switch1(config-if-range)#switchport access vlan 2
Switch1(config-if-range)#end
Switch1#copy running-config startup-config

If you are connecting two switches together, you will want the configured VLANs to pass between them. This is accomplished with a trunk port. To configure port 24 on your switch as an 802.1Q trunk, use the following commands. The encapsulation line is required on platforms that also support ISL (otherwise IOS rejects "switchport mode trunk" while the encapsulation is still "Auto"); on 802.1Q-only switches such as the Catalyst 2960 the command does not exist and is simply omitted. Be aware that a bare trunk allows every VLAN, uses VLAN 1 as the native VLAN and still negotiates with DTP; on a production trunk you would also prune the allowed VLANs, move the native VLAN to an unused VLAN ID and disable DTP with "switchport nonegotiate".

Switch1>enable
Switch1#configure terminal
Switch1(config)#interface FastEthernet0/24
Switch1(config-if)#switchport trunk encapsulation dot1q
Switch1(config-if)#switchport mode trunk
Switch1(config-if)#end
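The separation described in the Security, Service Isolation and trunking sections only holds if every port is configured deliberately: a port nobody touched still negotiates trunking over DTP, a bare trunk carries every VLAN with native VLAN 1, and an "unrouted" VLAN stops being unrouted the moment someone gives it an SVI. The script below is an added example, my own code rather than anything from this article or from Cisco, that reads the text of "show running-config" and flags those weak spots. The sample configuration, the wording of the findings and the function names parse_interfaces and audit are all constructed for this illustration; the hardening commands it looks for (switchport nonegotiate, switchport trunk native vlan, switchport trunk allowed vlan) are standard IOS commands.

```python
"""Audit a Cisco IOS running-config for VLAN segmentation weaknesses.

Added example for this article; the parser, the finding texts and the
sample config are constructed for illustration, not Cisco code or output.
Run it over the text of `show running-config`.
"""
import re

# Constructed sample config. Fa0/1 is one of the Finance access ports from
# the article, Fa0/24 is the article's bare trunk, Gi0/1 is the hardened
# version of that trunk, Fa0/13 was never configured (still DTP-dynamic),
# and Vlan30 is an iSCSI VLAN that was meant to stay unrouted.
SAMPLE_CONFIG = """\
!
vlan 2
 name Finance
!
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 2
 spanning-tree portfast
!
interface FastEthernet0/13
 description never configured
!
interface FastEthernet0/24
 switchport mode trunk
!
interface GigabitEthernet0/1
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 2,10,20
 switchport mode trunk
 switchport nonegotiate
!
interface Vlan30
 description iSCSI, should stay unrouted
 ip address 10.30.0.1 255.255.255.0
!
"""


def parse_interfaces(config):
    """Return {interface name: [its indented sub-commands]}."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None  # "!" or a global command ends the stanza
    return interfaces


def _last_word(lines, prefix, default):
    """Last token of the first sub-command starting with prefix."""
    for line in lines:
        if line.startswith(prefix):
            return line.split()[-1]
    return default


def audit(config, isolated_vlans=()):
    """Return (interface, finding) pairs for the weak spots.

    isolated_vlans: VLAN IDs that must never get an SVI (e.g. the iSCSI
    VLAN from the Service Isolation section).
    """
    findings = []
    for name, lines in parse_interfaces(config).items():
        svi = re.fullmatch(r"[Vv]lan(\d+)", name)
        if svi:  # an SVI with an address means this VLAN is routed here
            if int(svi.group(1)) in isolated_vlans and any(
                l.startswith("ip address") for l in lines
            ):
                findings.append((name, "isolated VLAN has a routed SVI"))
            continue
        mode = None
        for l in lines:
            if l.startswith("switchport mode "):
                mode = l.split()[2]  # access | trunk | dynamic
        if mode in (None, "dynamic"):
            findings.append((name, "no fixed switchport mode; DTP can negotiate a trunk"))
        elif mode == "trunk":
            if "switchport nonegotiate" not in lines:
                findings.append((name, "trunk still speaks DTP; add switchport nonegotiate"))
            if _last_word(lines, "switchport trunk native vlan", "1") == "1":
                findings.append((name, "native VLAN is 1; move it to an unused VLAN"))
            if not any(l.startswith("switchport trunk allowed vlan") for l in lines):
                findings.append((name, "all VLANs allowed; prune to the ones needed"))
        elif mode == "access":
            if _last_word(lines, "switchport access vlan", "1") == "1":
                findings.append((name, "access port left in default VLAN 1"))
    return findings


if __name__ == "__main__":
    for iface, finding in audit(SAMPLE_CONFIG, isolated_vlans=(30,)):
        print(f"{iface:<22} {finding}")
```

Feed a saved running-config to audit() and pass the IDs of VLANs that must stay Layer 2 only (the iSCSI VLAN from the Service Isolation section) as isolated_vlans. On the constructed sample it flags the untouched Fa0/13, three problems on the article's bare Fa0/24 trunk and the routed Vlan30, and says nothing about the hardened Gi0/1. Note that "switchport mode access" still sends DTP frames to tell the neighbour not to trunk; on ports facing untrusted devices add "switchport nonegotiate" there as well.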