Solved

Can someone help me implement VLANs?

Posted on 2004-08-24
Last Modified: 2013-11-29
I designated a few ports on my Cisco switch for a second VLAN. However, I cannot get that VLAN to access the internet now. I know that each VLAN must be on a separate network from the other VLANs. I think my problem may be in choosing the IP addressing. I just chose a random IP address to throw on my new VLAN. Do I need to configure anything else? Oh, and by the way, my network is not capable of routing between VLANs. I have no layer 3 switch or 2600 series router.

Here's my network. VLAN 2 can't access the internet. Ideas? http://mvpbaseball.cc/switch2.jpg
Thanks
Question by: dissolved

40 Comments
 
LVL 10

Expert Comment

by:dis1931
ID: 11889354
I think you will have a problem. My understanding of VLANs, and the times that I have set up VLANs, is that I have needed routers to have them route correctly. However, depending on your setup it might work if you change the IP for VLAN 2 so that they coincide with the network you are on; if not, you will definitely need a router. I have never made separate VLANs and then put them all into another switch, so I am not sure, but you definitely need to change the IP scheme of VLAN 2 if you want to have any chance at making it work without a router.

Dis
0
 

Author Comment

by:dissolved
ID: 11889437
I'm just confused. When you make a separate VLAN, you can have the network address be anything you want, right? Say I do need a router; would the router need any additional changes to accommodate the VLAN?
0
 
LVL 10

Expert Comment

by:dis1931
ID: 11889498
Well, this is the thing: a VLAN is basically an entirely separate segment. Yes, it can be addressed anything you like; however, just like any other LAN situation, when you have devices on different subnets/networks then you will need a router if you intend to function properly. A VLAN only segregates the network into parts; it doesn't provide any extra communication abilities for these parts. All PCs on VLAN 2 can connect to VLAN 2 but not to VLAN 1 unless you provide this separate network a gateway (router) that it can use to reach the other network. The router will need to be configured with two interfaces, one on VLAN 1 and one on VLAN 2, with the appropriate IP for the VLAN. It will be used to route packets to VLAN 1 from VLAN 2 or vice versa.
0
 
LVL 3

Expert Comment

by:Magistus
ID: 11889718
Hi,

As you can read from the link posted below, the VLAN is supposed to connect machines on a network that are not connected physically but wish to share the same resources (servers, printers, etc.); therefore I cannot understand the reason you wish to use VLAN in your network. Moreover, to use VLANs you'll have to obtain a switching router (Cisco 26xx family or any other brand), so you'll get routing abilities for both networks.

http://www.nwfusion.com/details/471.html?def

P.S. By the way, I am not sure, but I think your computer's IP address (192.168.3.1) is a reserved address; I mean X.X.X.1 is a reserved address for routing purposes.
0
 
LVL 5

Expert Comment

by:Dragonmen
ID: 11890804
You must configure (allow) the new segment to have access to the internet through the router interface.
By now, probably, you have something like 192.168.1.x to access the internet in the router rules (netmask 255.255.255.0)...
Changing that netmask to 255.255.0.0 could solve the problem (and also grant everyone from 192.168.x.x access to the internet). Another solution could be to have another rule like 192.168.5.x with netmask 255.255.255.0.
0
 
LVL 3

Expert Comment

by:Caltor
ID: 11890962
A look at your diagram shows that you have a problem with your IP configuration. As the 2 VLANs are effectively separate subnets (192.168.1.x and 192.168.3.x), conventional IP thinking says that computer 3 will not be able to use 192.168.1.40 as a gateway, as it is on a different subnet.
Step back a stage and let us know why you have these computers in separate VLANs. If you really do need them in separate VLANs then you need to either get another router on the 192.168.3.x subnet or add another LAN interface to your router and put it on the 192.168.3.x subnet.
By the way, x.x.x.1 is the convention for a router IP address, but I am not aware of this being enforced anywhere. It wouldn't hurt to start your client computer numbers at 10 or even higher, though, to give you room for routers and servers etc.
0
 

Author Comment

by:dissolved
ID: 11891061
The third computer needs to be secured.

Anyway, would the answer be in this case, to assign a secondary IP address to my router's e0? An IP address in the 192.168.3.0 network?

What about the router on a stick method? How is that accomplished with only one e0 in the router?

How are VLANs usually implemented?

0
 
LVL 3

Expert Comment

by:Caltor
ID: 11891125
If that is possible it should work. I have never personally assigned multiple addresses to a single interface in a router. You would obviously also need to change the default gateway of computer 3 to the newly assigned 192.168.3.x address of the router.
0
 
LVL 27

Expert Comment

by:pseudocyber
ID: 11891126
Agree, PC3 won't get off its network (VLAN) because it has no gateway.

You could do a router on a stick, IF you can trunk the port to the router and it understands trunking.  Look up 802.1q - the link between the router and the switch would have to be members of BOTH VLANs in order for the router to route between them.

VLANs are normally implemented just the way you're doing it - however, the routers are usually connected one interface per VLAN or use a layer 3 switch.
0
 
LVL 3

Expert Comment

by:Caltor
ID: 11891135
I do not have personal experience of VLANs. They are new to me too. I am just going off my TCP/IP knowledge. From what I have read, VLANs appear to be a way of separating a single switch into separate subnets and/or creating subnets across switches.
0
 
LVL 27

Expert Comment

by:pseudocyber
ID: 11891223
>>VLANs appear to be a way of separating a single switch into separate subnets and/or creating subnets across switches.

Sort of, kind of. VLANs are Virtual LANs which exist at layer 2 of the OSI model. Just like LANs can carry IP, they have nothing to do with how you design your layer 3 IP network, except that they must be linked through a layer 3 device (a router) to communicate.

Usually, you would have different IP networks on different vlans however they don't have to be subnets, they can just be regular networks.

You could even use the SAME IP network on different VLANs - like if 2 companies merged or if you shared office space, as long as they're NOT connected with a router.
0
 

Author Comment

by:dissolved
ID: 11891875
Ok , so in order to get my VLAN2 to access the internet......I have to either:

A) create a sub interface on my ethernet interface in router

B)  I need to have multiple available interfaces on my router?

C)  Or I need to have a layer 3 switch somewhere.
0
 
LVL 3

Expert Comment

by:fatlad
ID: 11892056
If you are creating a sub-interface on a router you will not need an additional physical interface; the existing one will be split up by the IOS into two logical ones.

Log on to your router, and enter privileged global configuration mode (enable, conf term, etc.)

Type "interface type x.1" (where type is either FastEthernet or Ethernet and x is the number)
Type "ip address 192.168.3.40 255.255.255.0"

As long as you have IP routing enabled then computer 3 will be able to access the Internet. Of course, it will be able to reach all the other machines as well, so I'm not sure why you think this will be a better solution than having everything on the same VLAN?

Regards

FatLad
0
 
LVL 3

Expert Comment

by:Caltor
ID: 11892127
That will depend upon the routing tables on the router won't it. You should be able to create an entry in the routing tables to give you a route to the internet but not the other VLAN.
0
 
LVL 27

Expert Comment

by:pseudocyber
ID: 11892482
No, I think it will automatically route them since they're both directly connected. You'll need an Access Control List, if it's a Cisco router, to block them.

However, I think you'll need to use trunking (with tagging) in order to get the right vlan info from the switch to the router.  The port on the switch that the router is connected to will have to be in BOTH vlans - unless you use two interfaces one in each vlan.
0
 
LVL 3

Expert Comment

by:fatlad
ID: 11892756
Good point pseudocyber,

I forgot to add the trunk at the switch-to-router port. To do this, log on to the switch, go to the interface configuration mode and change it from switchport mode access to switchport mode trunk. To do this try:

Type "set trunk mod_num/port_num 1-2"
        "set trunk mod_num/port_num on"

pseudocyber is correct: the router will route automatically between the VLANs, and from the VLANs to the Internet (assuming there is already a default route for the existing VLAN), because they are directly connected.

BTW A layer 3 switch is just a fancy marketing name for a router with lots of interfaces.

Hope that helps

FatLad
0
 
LVL 3

Expert Comment

by:krazieintent
ID: 11893250
Hey Dissolved,

I saw your question but didnt have time to read all of the response comments.

But based on your situation, Ill give you a general reason as to why your having the problem and tell you your only solutions.

VLANs (virtual LANs) are networks broken into different segments by layer 2 switches. Each VLAN has its own IP addressing scheme; therefore each VLAN is its own network.

In layman's terms, a VLAN is a LAN inside of a LAN. This is done for security reasons. It is more resourceful than simple subnetting because VLANs are not regulated by location; therefore you can have the same VLAN in many different departments of a building. Subnets are restricted by the location of the port and can only be limited to that geographic area.

The trick is, each and every VLAN cannot communicate with each other off the bat. They are considered separate networks. Each VLAN is its own broadcast domain, meaning it will never forward packets out of its VLAN unless you teach it how.

The reason why you are not able to go on the internet from the other VLAN is because VLAN 1 and VLAN 2 can't communicate.

From a computer on VLAN 2, ping a computer on VLAN 1; you should get destination unreachable or host unknown.

In order to solve this you pretty much have to do one thing: enable routing between the VLANs. That is the only way it will work.

You can do this by using a layer 3 device, a router, and adding the VLAN network numbers to its routing table.

I noticed some people saying to check your IP configs. You don't need to; each VLAN can have its own IP scheme as long as the VLANs are consistent within themselves.

For example, VLAN 1 computer IP addresses:

192.168.1.1
192.168.1.2
192.168.1.3

VLAN 2 IP addresses:
10.10.68.1
10.10.68.2
10.10.68.3

This is totally fine. Even if you put the same addresses you will still never be able to communicate between different VLANs without a router.

So everything else in your solution is correct. Don't go checking your subnet mask and wasting time with your IP configurations; each VLAN can have its own scheme.

Your problem lies in routing, and you will need to enable routing.

Since you're only playing with 2 VLANs, a simple solution would be to have 2 ports on a router,

and assign each port an IP address of each VLAN.

For example, port0 part of VLAN 1, 192.168.1.X
and port1 part of VLAN 2, 10.10.68.X

and add the network numbers to the routing table, either statically or using a routing protocol such as RIP or IGRP, and have them dynamically update.

This is a very easy way of having communication between a small number of VLANs.

If you had a large number, say more than the number of ports on your router,

then you would have to set up sub-interfaces on one Ethernet port of the router and assign each of these sub-interfaces to one VLAN, and then enter all of the VLAN network numbers into the router.

But since you only have one switch with VLANs and are only playing with 2 VLANs, for your solution 2 ports or 3 ports on a router will suit you fine.

If you ever need to expand to more VLANs, or would like to know how just for knowledge, and allow all of them to route between each other, I would be happy to go over that with you.

Another solution, if you don't want to pop for a router, is to grab a computer with 2 NICs, add the network numbers into the computer's routing table, and plug each of the NICs into a different VLAN. Computers can be routers too :).

Hope this helps

- Kevin
0
 

Author Comment

by:dissolved
ID: 11893283
Ok thanks for the advice guys. Let me see if I have this straight

If I have 2 VLANs running (default VLAN 1 and my VLAN 2) on the same switch, trunking MUST be enabled on the port that is connected to the router. This way, the frames exiting the switch are properly tagged when sent to the router.

I am not going to be able to do this, as my switch (2924cXL 4mb w/enterprise edition) is not *supposed* to be capable of trunking. Also, my router (2501) does not support routing between VLANs. I guess I am up $hits creek on this one?
0
 
LVL 3

Expert Comment

by:fatlad
ID: 11893379
dissolved, I just gave you the commands for a 2900 to perform trunking and inter-VLAN routing!! What version of software are you running on each device?
0
 
LVL 3

Expert Comment

by:fatlad
ID: 11893787
Check out http://www.cisco.com/en/US/tech/tk389/tk390/technologies_configuration_example09186a00800949fd.shtml for a description of how to do this on a 2900XL.

Maybe the commands I gave you were for CatOS rather than IOS; it is even easier if you are using IOS. Go to the relevant interface on the switch that you want as the trunk and type "switchport mode trunk 1-2" and "switchport trunk encapsulation dot1q".

Go to the router and configure both sub-interfaces (e.g. Fa0/0.1 and Fa0/0.2) with the command "encapsulation dot1Q 1 native".
0
 
LVL 3

Expert Comment

by:fatlad
ID: 11893824
Still not clear why you think VLANs are the answer to your problems?
0
 
LVL 3

Expert Comment

by:fatlad
ID: 11894057
Just realised you meant that the problem is with the 2501. You are correct, this will not work; I did not realise this from your diagram.

Perhaps something other than VLANs is the way forward?
0
 
LVL 3

Expert Comment

by:krazieintent
ID: 11894130
Trunking only needs to be enabled if you're going to have one interface with sub-interfaces on the router for all the VLANs.

To make it sound simple, basically trunking allows multiple transactions to be sent down one link. So the router can handle a process per VLAN and send them down the same link simultaneously.

If your router can't route between VLANs,

2 ports on the router will allow it to do so.

When a router says it can't route between VLANs it's because it doesn't support 802.10 routing between switches or ISL (Inter-Switch Link) protocols.

But in reality the router doesn't know that they are VLANs; it thinks they are separate networks in different locations.

So you could use a general protocol and assign a different port on the router to each VLAN and enter in the networks to enable routing between them,

and it will work without you having to buy a new router.

- Kevin
0
 
LVL 11

Expert Comment

by:PennGwyn
ID: 11894187
> A) create a sub interface on my ethernet interface in router

  This requires a trunk configuration between the router and switch.  Trunking the switch port that the router is plugged into allows it to be a member of both VLANs, and allows a single cable to carry both sets of traffic.  Your router needs to be one that supports trunking using the same standard as your switch does.

> B)  I need to have multiple available interfaces on my router?

  This allows you to connect one interface to VLAN 1 and another to VLAN 2.  (The fact that these VLANs are on the same physical switch is not really visible to anyone.)

> C)  Or I need to have a layer 3 switch somewhere.

  A "layer 3 switch" has its own integrated routing.  It will physically look a bit different (layer 2), but logically (layer 3) it's the same as A or B.

---

Some new switch models include an ability to interpose access lists between switch ports, but the 2924XL does not.  Implementing VLANs forces traffic from VLAN 2 to go to the router (and back...) to get to ports in VLAN 1.  At the router, you can insert an access list that blocks that flow, allowing machines in VLAN 2 to connect to the Internet but NOT to VLAN 1.



0
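The router-on-a-stick arrangement the thread has been circling (one router Ethernet port split into sub-interfaces, fatlad's trunk and "encapsulation dot1Q" commands, and PennGwyn's point that an access list at the router can let VLAN 2 reach the Internet but not VLAN 1), written out as one added example configuration. This is not configuration posted by anyone in the thread. It assumes a router whose Ethernet interface supports 802.1Q (called FastEthernet0/0 here; the thread establishes the 2501 does not qualify) and a Catalyst switch running IOS, and takes the addressing from the diagram as described by Caltor: router at 192.168.1.40 on VLAN 1, VLAN 2 on 192.168.3.0/24. The switch port numbers, the router's VLAN 2 address (192.168.3.40), the access-list name and the upstream interface are assumptions.

```cisco
! ---- Switch side (Catalyst IOS; added example, not from the thread) ----
! Fa0/24 is assumed to be the uplink to the router. It has to carry both
! VLANs on one cable, so it is an 802.1Q trunk. VLAN 1 stays untagged
! (native), VLAN 2 frames leave the switch with a tag of 2.
interface FastEthernet0/24
 description Trunk to router (router-on-a-stick)
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 1
 switchport trunk allowed vlan 1,2
!
! Fa0/3 is assumed to be the port for PC 3 / the access point: a plain
! access port in VLAN 2. No trunking, no tagging on this side.
interface FastEthernet0/3
 description PC3 (VLAN 2)
 switchport mode access
 switchport access vlan 2
!
! ---- Router side (assumed 802.1Q-capable; the 2501 is not) ----
! The physical interface carries no address; each VLAN gets a sub-interface
! whose encapsulation statement matches the tag the switch puts on the wire.
interface FastEthernet0/0
 no ip address
 no shutdown
!
interface FastEthernet0/0.1
 description VLAN 1 (untagged on the trunk)
 encapsulation dot1Q 1 native
 ip address 192.168.1.40 255.255.255.0
!
! The access list is applied inbound here, so VLAN 2 traffic is filtered
! as it enters the router, before the routing decision is made.
interface FastEthernet0/0.2
 description VLAN 2 (tagged 2 on the trunk)
 encapsulation dot1Q 2
 ip address 192.168.3.40 255.255.255.0
 ip access-group VLAN2-IN in
!
! Both networks are directly connected, so the router forwards between them
! by itself. This deny is the only thing keeping PC 3 away from VLAN 1;
! the permit keeps everything else (the Internet) open. The implicit
! "deny any" at the end of every IOS ACL drops anything not listed.
ip access-list extended VLAN2-IN
 deny   ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 192.168.3.0 0.0.0.255 any
!
! Default route toward the Internet. The thread assumes one already exists
! for VLAN 1; Serial0 is a placeholder for whatever the real uplink is.
ip route 0.0.0.0 0.0.0.0 Serial0
```

PC 3's default gateway has to become 192.168.3.40 (Caltor's earlier point: a gateway on another subnet is unusable). Because the list is applied inbound on the VLAN 2 sub-interface, it also drops the replies to anything a VLAN 1 host sends to PC 3, so in practice the two VLANs are isolated in both directions while VLAN 2 keeps Internet access; traffic between two hosts in the same VLAN never reaches the router and is not affected. With a router that has two physical Ethernet ports instead, the sub-interfaces become the two real interfaces with the same addresses and the same access list, and the switch uplinks become two ordinary access ports, one per VLAN, with no trunk. "show vlan" on the switch and "show ip route" and "show access-lists" on the router confirm the setup and show the ACL match counters climbing.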
 
LVL 3

Expert Comment

by:fatlad
ID: 11894212
The 2501 is a fixed config router!
0
 
LVL 3

Expert Comment

by:fatlad
ID: 11894276
Still not clear why you think VLANs are the answer to your problems? Please give us some more detail; saying it needs to be secured is not really enough. If you do manage to enable inter-VLAN routing somehow, PC 3 will be no more secure than if it was in the same VLAN.
0
 

Author Comment

by:dissolved
ID: 11894590
Thanks guys.
Fatlad, this is a home lab. What's really connecting to VLAN 2 is not a PC (as depicted in the diagram). It is a wireless access point. I wanted to put it on its own network. I'm doing it more for practice than anything.

So to make sub-interfaces on a router (router on a stick?) and have VLANs route to them means trunking has to be enabled so the frames are tagged. Gotcha.

My other option is to buy a router with 2 Ethernet interfaces, and connect one VLAN to e0 and the other VLAN to e1. Then I have to use some kind of routing protocol to make the two networks speak? (In this case, they are the same physical network but not the same logical network, correct?)

My brain hurts.
Thanks again guys

0
 
LVL 3

Expert Comment

by:fatlad
ID: 11894637
Everything is as you say, but a router will automatically route packets between directly connected networks, so in your case, as you will have two networks, one on e0 and one on e1, they will automatically route between them.

In your case I would consider buying a three-port firewall and placing that in between the router and the switch and hanging the AP off of that. That will allow you to have more control over the traffic, and you can practice your firewall configs too!

Regards,

FatLad
0
 
LVL 3

Expert Comment

by:krazieintent
ID: 11894821
lolzz. Seems like you're getting it.

Just so you know, your reference to router on a stick is correct. It does mean a trunked link to a switch for routing purposes. Seems like you have everything processed correctly.

You understand your two options. The sub-interface method usually takes a lot more time, and is only meant for when you have more VLANs than the scope of the ports on the router.

But if you want to just learn a great understanding of how VLANs work, you're getting it right now (busting your brain). Don't worry, everyone on this site has been through it at one point or another, and still are busting our brains; that's why we are always here at this site :).

You mentioned you wanted PC 3 to be more secure than the others. You can do this by tricky configuration on your router, to allow it to reach all the other networks but not have any, or just a few, of the VLANs be able to communicate with it.

But either way, just so you know, both solutions lead ultimately to the same physical network but not logical.

Since you're doing this for practice, I can use this time to explain why we use VLANs and give you a practical example. Maybe this can help you understand why we use VLANs to begin with.

We like to keep them separate; we don't want to route between VLANs because it's great security. For example, if you had an office with a finance department and sales, each on different VLANs, we wouldn't want the sales department to access the finance department resources and vice versa, so we put them on different VLANs so they are part of the same network but can't communicate.

And then what we would do is have a router to route the VLANs to the internet, so the VLANs stay private but can still go online.

If you wanted your VLANs to communicate with each other, such as sharing files and the such, then you would route between VLANs like you want to do.

Another great feature is that it's not based on location; any switch port in any location of the network can be any VLAN you assign it. A nice, properly configured VLAN (my preference) is to configure the VLAN ports by the user it's connecting to, not by switch.

In a completely switched network, most admins make one switch in one location 1 VLAN, another a second VLAN, and so on.

That is okay, but then say one department is full and has no more workstations, but you need to hire someone new for that department. So you decide to sit him in the sales department because you have a free desk there, but he really works in the finance department. When he boots up his computer he sees all sales files because he's plugged into the sales VLAN switch.

If it was on a port basis, all you had to do was change his port to the VLAN of the finance department and presto, he's sitting in sales but he has access to everything in finance that he needs.

Most admins don't do this because it takes too long; I do because I'm a good admin :-D

Another reason why we use VLANs is because it's faster than routing. It takes a lot of planning, but a good segmented VLAN network is grouped by which computers will communicate with each other the most. Data transfers faster because it only goes to layer 2 (switching) before it's forwarded, not layer 3. The only time it does go to layer 3 is the first time when it needed to go across VLANs, but after it learns that route the switch maps it, and then the switch performs the process of switching packets between VLANs. The router only tells it the first time how to send packets between VLANs; it then learns it and does it on its own.

These were just some practical reasons why we use VLANs and how they help us to create better networks.

But overall you are correct, and it seems like you understand the 2 options I explained to you earlier.

Hope this helps.

Kevin

 
0
 
LVL 27

Expert Comment

by:pseudocyber
ID: 11894834
Or... get a hold of a cisco router with multiple ethernet interfaces and then practice your Access Control Lists.
0
 
LVL 3

Expert Comment

by:krazieintent
ID: 11895100
ACLs are what I meant by tricky router configs
0
 
LVL 3

Expert Comment

by:krazieintent
ID: 11895102
I think it's best to learn one thing at a time
0
 

Author Comment

by:dissolved
ID: 11895405
Thanks everyone. Thanks for the great explanation krazieintent
0
 

Author Comment

by:dissolved
ID: 11895454
I'm going to post a diagram to make sure I understand correctly. Stand by
0
 

Author Comment

by:dissolved
ID: 11895648
OK, here is a router on a stick (sub-interfaces):

http://mvpbaseball.cc/diagram.jpg




Here is using a dual ethernet router:

http://mvpbaseball.cc/diagram2.jpg

Is that correct??
Just wondering if the links (in diagram 2) have to be trunked when it hits the router.
Thanks!
0
 

Author Comment

by:dissolved
ID: 11895825
Sorry, here is diagram 1. It didn't show up previously.
http://mvpbaseball.cc/85.jpg
0
 
LVL 3

Accepted Solution

by:
krazieintent earned 500 total points
ID: 11896108
Those are correct.

I don't think you quite grasp the idea of a trunk, so I'll explain it to you.

A trunk is a link that handles information for more than one port.

Ports that have logically been divided by sub-interfaces need trunk links because trunks allow them to send data about different ports to different places using the same line.

You do not need a trunk when a port is just communicating with another port; trunks are only used when a line has to carry information about multiple ports, protocols, multiple destinations, etc.

So no, the links in diagram 2 do not need to be trunked, because it's not logically divided nor does it have to send information to multiple destinations.

- Kevin
0
 

Author Comment

by:dissolved
ID: 11896395
you da man kevin. Thanks again
0
 
LVL 3

Expert Comment

by:krazieintent
ID: 11897147
That's what we're all here for. If you need any other help setting up your VLANs or just any other aspect of networking, post back anytime and I'll be happy to help

-Kevin
0
 
LVL 3

Expert Comment

by:fatlad
ID: 11900247
In a Jerry Springer final thoughts style:

I would not recommend to anyone that they rely on VLANs as a method of securing a network unless port security is enabled on the switch. Without this it is trivial to get a switch to ignore VLANs and send traffic out of ports it is not meant to.

I do also have another reason for using VLANs; the main one that I have come across is to break up large broadcast domains into smaller, more practical areas. For example, take an office with 500-600 people in it. It would not be ideal if a broadcast from one machine was propagated to all PCs; you would want to have a maximum of about 200 clients per layer 2 network. VLANs allow you to do this quite easily and effectively.

Finally, although Kevin is correct in saying that you can have VLANs extended across more than one switch, this is not possible if there is a layer 3 link between the switches, e.g. a VLAN at a head office would not be the same VLAN as one at a branch office if there is a routed WAN link in between, even if they have the same name and IP range. Remember every router marks the edge of a VTP (VLAN trunking protocol) domain.


Happy networking

FatLad
0
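FatLad's closing caveat, that VLAN separation only holds if the switch itself is locked down, as an added example of the switch-side hardening a practitioner would put next to the router access list. This is not configuration from the thread. It uses the "switchport port-security" and "interface range" syntax of later Catalyst IOS (2950 and newer), not the older command form on the 2924XL, and the port numbers, the parking VLAN 998 and the unused native VLAN 999 are all assumptions.

```cisco
! Two VLANs nobody's traffic lives in: one to be the trunk's native VLAN,
! one to park unused ports in.
vlan 998
 name PARKING
vlan 999
 name UNUSED-NATIVE
!
! Uplink to the router. Only the VLANs that must cross the link are allowed,
! the untagged (native) VLAN is one with no hosts in it, so nothing an end
! station sends untagged can ride the trunk as a user VLAN, and DTP
! negotiation is off so the trunk state cannot be changed from the far end.
interface FastEthernet0/24
 description Trunk to router
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 1,2
 switchport nonegotiate
!
! Port for the access point in VLAN 2. Fixed access mode with negotiation
! off, so a device on this jack cannot talk itself into a trunk and pick
! its own VLAN tag; one learned MAC address, remembered in the config, and
! the port is shut down if a second address shows up (MAC flooding or a
! swapped-in device).
interface FastEthernet0/3
 description Wireless AP (VLAN 2)
 switchport mode access
 switchport access vlan 2
 switchport nonegotiate
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation shutdown
 spanning-tree portfast
!
! Every port that is not in use: parked in a VLAN that goes nowhere and
! shut down, so a spare jack is not a free way onto VLAN 1.
interface range FastEthernet0/10 - 23
 switchport mode access
 switchport access vlan 998
 shutdown
```

A port shut by a security violation stays err-disabled until an administrator brings it back with "shutdown" / "no shutdown", which is the behaviour you want for a single fixed device such as the access point; "show port-security interface FastEthernet0/3" reports the learned address and the violation count. None of this replaces the router-side access list: the switch settings keep a device on VLAN 2 from escaping VLAN 2 at layer 2, and the router decides what VLAN 2 may reach at layer 3.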
