VLANS

Recall we had a scenario with two switches each with a different subnet connected together by a router. It is possible through switch programming to achieve the same thing with a single switch or multiple switches – that is we can make groups of ports on a switch act as though they are a single switch (virtual lan or vlan). ports in the one vlan are part of the broadcast domain but frames will not be sent outside the vlan

What is more tricky is that the segregation can be across multiple switches. Say we have 2 10 port switches and we put 4 ports of each in to vlan 1 (ports 1-4) and 4 ports in to vlan 2 (5-8) . We will have the remaining ports as trunk ports.

frames from devices connected to vlan 1 cannot travel to vlan 2 and vice versa, they are blocked. The communication between the vlans must be through a router that connects the two vlans together. High end switches are capable of doing this routing but often lack the firewall capabilities needed for true network segmentation

It is usually assumed that an end point device such as computer or printer does not understand vlans and that the vlan tag (801.q) should be removed. This is done by setting the type of port that the end device connects to as an access port and assigning it to the correct vlan. For example, if we had a computer vlan (1) and secure vlan (100) we would connect host computer to port 1 with that port assigned as an access port vlan 1. Frames coming into that port would then be tagged as vlan 1 and would not be forwarded or flooded to ports assigned to other vlans. The secure server on port 5 does not receive the frame

For the server to get the frame, it needs to be routed at layer 3 – the server is in another subnet. So we have a router with two interfaces. For example port G1 is in vlan 1 and in the subnet 192.168.0.0/24 . Port G2 is in vlan 100 and subnet 192.168.100.0/24.

This strategy can conserve hardware but can make for vastly increased complexity. Ports that carry multiple vlans are called trunks. These should not be plugged into end devices. We could use a trunk to conserve a port on both switch and router on the above scenario by configuring the port on the switch as a trunk and then configuring subinterfaces on the router with vlan and ip subnet set,

it is a very difficult and confusing topic.