Solved

VLAN Confusion

Posted on 2011-03-11
Last Modified: 2012-05-11
Hello Experts,

I am hoping some of you can help explain VLANs to me, and provide me with a solution to my problem.

Here is an overview of the network setup:

We span 3 floors and have switches in 3 central locations. The main switches are all managed switches of the Dell variety. Some 34xx, some 54xx. We have unmanaged switches at random locations throughout the office where we needed them. These are of varying variety, mostly Linksys or Netgear.

Recently we picked up a Dell 2824 switch to go in a server rack. We want to set up a VLAN to isolate some server traffic from the rest of the network, but still allow the VLANs to talk to each other.

Right now there are no VLANs, everything is on VLAN1 (the default created one).

Here is what I set up on the 2824:
VLAN2: Ports 11-20. Untagged.
VLAN1 (default): all other ports
Port 23 is set to Tagged for VLAN2, but is still in VLAN1.

Connecting the switch to the rest of the infrastructure (on port 23), VLAN1 can talk to the network and get internet access, but VLAN2 is still completely isolated (no internet, cannot ping anything outside VLAN2).

I assume this is because no trunk port has been designated. So in this case, since port 23 is connected to the rest of the infrastructure, I would make port 23 a trunk port, correct?

I read in one of my many online searches a comment that mentioned all managed switches in the network need to know about every VLAN. If this is true, how does one go about doing this? Do I have to connect to every switch and create a "VLAN2", even if no ports are assigned to it? I'm a little confused on this aspect.

If someone can help me try to understand a little better about how VLANs communicate through the network, and in my specific case what I would need to do to accomplish what I set out to do, I would be much appreciative!

Thank you!
Question by:nick-pecoraro
LVL 24

Accepted Solution

by:
Ken Boone earned 500 total points
ID: 35113954
OK, so let's break it down. VLANs are at layer 2. IP networks are at layer 3. So what you currently have is called a flat network. That means you have a single IP network on a single vlan spanning your entire network. So let's say I have a switch that I create 2 vlans in, vlan 1 and vlan 2. The first 24 ports are in vlan 1 and the second 24 ports are in vlan 2. Then you need to assign IP addressing to each vlan. Each vlan gets a unique IP network assignment. So for vlan 1 we will assign 192.168.1.0/24 and for vlan 2 we will assign 192.168.2.0/24.

OK, right now, virtually with VLANs, this did the same thing you could have done by doing this method. Take 2 switches but do not connect them. On the first switch we assign 192.168.1.0/24 and on the second switch we assign 192.168.2.0/24 to the hosts on it. At this point, the two vlans above or the two switches below cannot communicate with each other.

Trunking is also at layer 2.   So trunking does not deal with IP addresses but with VLANs.  Trunking is a way for switches to connect to one another and carry traffic between the switches on multiple vlans.  Let me explain.


In the example where we just had 2 switches each with its own IP address space, if we take a 3rd switch and hang it off the 1st switch it just becomes an extension off of the 1st switch. So it's now part of the same network.

Also, if I take an unmanaged switch and connect it to one of the second group of 24 ports on the switch above, where we assigned those to vlan 2, then the unmanaged switch simply becomes an extension off of vlan 2 and is part of the vlan 2 network.

Still devices on vlan 1 and vlan 2 cannot talk to each other via IP at this point.

But now what I want to do is have 2 different switches but each switch needs to have ports in vlan 1 and vlan 2.  So now what we do is make a connection between the switches called an 802.1q trunk.   This is where we tell the switch which vlans it should carry across this connection.  So we tell it vlan 1 is untagged and vlan 2 is tagged on that connecting port on each switch.  Now we have a trunk.

So devices on vlan 1 on switch A can talk to devices on vlan 1 on switch B, and devices on vlan 2 on switch A can talk to devices on vlan 2 on switch B.  This is trunking --carrying multiple vlans between switches.

Again, devices on vlan 1 and vlan 2 cannot talk to each other via IP.

In order to do that you have to use routing, which is at layer 3. So an actual router can do this, or a layer 3 switch. Let's use the router example first.

So we take the two switches above, which were each on a separate network, 192.168.1.0/24 and 192.168.2.0/24, and we take a router and connect an ethernet interface from the router to switch A and another ethernet interface to switch B. Then we need to assign an ip address from each network to each router interface.

Now the router routes traffic between the networks and 192.168.1.0 can talk to 192.168.2.0.

So the layer 3 switch example works the same way, it's just that instead of physical router interfaces that get assigned an ip address for each network and are physically plugged into a switch, it's a virtual interface that gets created at layer 3 and is assigned to be the layer 3 interface that is associated with the layer 2 vlan. The layer 3 interface gets assigned an ip address on the network that is on that vlan.

So in your example for vlan 2 to talk to vlan 1 you will need to have a layer 3 device (router or l3 switch) act as the router that is needed to route traffic between the ip networks.

I don't know much about Dell switches, but if what you have are layer 2 only switches then you will need to buy a router or a layer 3 switch.  If you have a layer 3 switch, you will need to configure the layer 3 interface associated with the vlans and turn on routing in order to do what you want to do.

Hope this helps.
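As an added illustration (not code from the thread), here is a small Python model of how a switch classifies and forwards frames by port membership, built around the poster's own layout: VLAN2 untagged on ports 11-20 of the 2824, port 23 untagged in VLAN1 and tagged for VLAN2, and an upstream Switch2 that either has VLAN1 only or has VLAN2 created and tagged on its uplinks. It assumes standard 802.1Q port behaviour (an untagged frame takes the port's PVID; a tagged frame is accepted only on a port that is a tagged member of that VLAN); port numbers for Switch2 are assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Port:
    pvid: int                                  # VLAN given to untagged frames (the port's untagged VLAN)
    tagged: set = field(default_factory=set)   # VLANs this port carries with an 802.1Q tag

@dataclass
class Switch:
    name: str
    vlans: set     # VLANs created on this switch
    ports: dict    # port number -> Port

    def ingress(self, port_no, vid):
        """Classify an arriving frame (vid=None means untagged). Returns its VLAN, or None if dropped."""
        p = self.ports[port_no]
        vlan = p.pvid if vid is None else (vid if vid in p.tagged else None)
        return vlan if vlan in self.vlans else None

    def egress(self, port_no, vlan):
        """How a frame in `vlan` leaves port_no: 'untagged', 'tagged', or None if the port is not a member."""
        p = self.ports[port_no]
        return "untagged" if vlan == p.pvid else ("tagged" if vlan in p.tagged else None)

def forward(sw, in_port, vid, out_port):
    """One hop through sw. Returns (vlan, how_it_leaves); (None, None) means the frame never reaches out_port."""
    vlan = sw.ingress(in_port, vid)
    how = sw.egress(out_port, vlan) if vlan is not None else None
    return (vlan, how) if how else (None, None)

def build_2824():
    """The poster's 2824: VLAN2 untagged on ports 11-20, port 23 untagged in VLAN1 and tagged for VLAN2."""
    ports = {n: Port(pvid=2 if 11 <= n <= 20 else 1) for n in range(1, 25)}
    ports[23] = Port(pvid=1, tagged={2})
    return Switch("2824", {1, 2}, ports)

def build_switch2(vlan2_created):
    """Upstream Switch2 (assumed ports): VLAN1 only, or with VLAN2 created and tagged on ports 23 and 24."""
    ports = {n: Port(pvid=1) for n in range(1, 25)}
    if vlan2_created:
        ports[23] = ports[24] = Port(pvid=1, tagged={2})
    return Switch("Switch2", {1, 2} if vlan2_created else {1}, ports)

def reaches_switch1(host_port, vlan2_on_switch2):
    """Does an untagged frame from host_port on the 2824 cross Switch2 (port 23 in, port 24 out) toward Switch1?"""
    vlan, how = forward(build_2824(), host_port, None, 23)
    if vlan is None:
        return False
    vid = vlan if how == "tagged" else None   # the 2824 adds a tag only where port 23 is a tagged member
    return forward(build_switch2(vlan2_on_switch2), 23, vid, 24)[0] is not None
```

With VLAN2 absent on Switch2 the tagged VID 2 frames from port 23 are dropped on ingress, which is exactly the "VLAN2 is completely isolated" symptom; within the 2824 a VLAN2 frame is never forwarded out a VLAN1-only port, which is the layer 2 isolation the server VLAN was meant to provide.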
 
LVL 24

Expert Comment

by:rfc1180
ID: 35114419
I think you have a decent understanding of vlans, but are lacking the communication between vlans; as the previous expert explained, in a nutshell, you are requiring what is called inter-vlan communication and yes, it requires ip routing and 802.1q.

This should get you going:
PowerConnect 6224 Switch

Configure tagging for the connection between the switches, create a virtual interface and assign ip addresses (This would be your hosts default gateway); there is of course the question of Internet access as well as connectivity to any other networks. This you will need to account for with some minor tweaking, but getting a layer 3 switch will accomplish your task.


Billy
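An added example, not part of the thread, of what "tagged" means on the wire: the 4-byte 802.1Q header (TPID 0x8100 followed by a TCI whose low 12 bits are the VLAN ID) is inserted after the two MAC addresses, and an untagged member port strips it again on egress. Handy when checking a capture on the uplink to confirm the trunk really is tagging VLAN2 frames. The sample frame is constructed.

```python
import struct

TPID_8021Q = 0x8100

def tag_frame(frame: bytes, vid: int, pcp: int = 0) -> bytes:
    """Insert an 802.1Q tag (TPID + TCI) after the destination/source MACs of an untagged frame."""
    if not 1 <= vid <= 4094:
        raise ValueError("VID must be 1..4094")
    tci = (pcp << 13) | vid               # PCP (3 bits), DEI (1 bit, left 0), VID (12 bits)
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]

def untag_frame(frame: bytes) -> bytes:
    """What an untagged member port does on egress: remove the 802.1Q header if present."""
    if len(frame) >= 18 and struct.unpack("!H", frame[12:14])[0] == TPID_8021Q:
        return frame[:12] + frame[16:]
    return frame

def parse_frame(frame: bytes):
    """Return (dst, src, vid_or_None, ethertype, payload); vid is None for an untagged frame."""
    if len(frame) < 14:
        raise ValueError("frame too short")
    dst, src = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        return dst, src, tci & 0x0FFF, ethertype, frame[18:]
    return dst, src, None, ethertype, frame[14:]

def mac(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))

# Constructed sample: an untagged IPv4 frame as a host on a VLAN2 access port would send it
UNTAGGED = (mac("00:11:22:33:44:55") + mac("66:77:88:99:aa:bb")
            + struct.pack("!H", 0x0800) + b"\x45" + b"\x00" * 19)
```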
 
LVL 2

Author Comment

by:nick-pecoraro
ID: 35131263
Ken-

That was an excellent explanation! I think I have a much clearer grasp of how VLANs work within networks now. Thanks!

However I am still a little confused on how this applies to an infrastructure with lots of stacked switches, such as the one I have to work with.  Here is a basic outline of the connection route between the new 2824, back to the router.

[--Router--]
       |
[-Switch1-]
       |
[-Switch2-]
       |
[---2824---]

There are several other managed switches connected to the network, but I left them out because they don't directly affect the route from the new switch, just branch or extend other areas.

- The 2824 is a Layer 2 Switch.
- Switch2 is a Layer 3 Switch, but running as Layer 2 (routing is all handled by the Router).

Right now VLAN2 only exists on the 2824. All other switches have only VLAN1.

If I were to continue to use the router as the only L3 device, I would need to:
- Create VLAN2 on Switch 2
- Create VLAN2 on Switch 1
- Trunk port23 from 2824 to port23 on Switch 2
- Trunk port24 from Switch 2 to port24 on Switch 1
- Tell the router about the IP network on VLAN2

(ports 23/24 are just what I would use, can be whatever as long as it's tagged as trunk I assume)

Is that correct? And if so, I wouldn't need to create VLAN2 on any of the other managed switches (ones that I left out) because they all connect back to the router through Switch 1 or Switch 2?

But if I were to enable routing on Switch 2, I could save having to touch Switch 1 and the router, and just create VLAN2 on Switch 2, trunk to 2824, then let Switch 2 handle the routing for IPs in VLAN2?

Let me know if I am on target or veering way off.

Thanks!
 
LVL 2

Author Comment

by:nick-pecoraro
ID: 35131304
Sorry I should clarify-

The switches aren't actually set up in a "Stacked" mode, they are just daisy-chained through uplink ports.
 
LVL 24

Assisted Solution

by:Ken Boone
Ken Boone earned 500 total points
ID: 35131498
If I were to continue to use the router as the only L3 device, I would need to:
- Create VLAN2 on Switch 2
- Create VLAN2 on Switch 1
- Trunk port23 from 2824 to port23 on Switch 2
- Trunk port24 from Switch 2 to port24 on Switch 1
- Tell the router about the IP network on VLAN2

That is correct but by telling the router about the ip network of vlan2 you would need to do one of the following:
#1) connect another ethernet port from the router to another port on switch 1 that is a vlan 2 port and assign a vlan 2 ip address to that router's interface.
or #2) make the current connection between switch 1 and the router an 802.1q trunk and trunk both vlan 1 and 2 to the router. Don't know what kind of router you have, but if it is Cisco you would then configure the subinterfaces under the physical interface, assigning a subinterface to each vlan.



Is that correct? Yes

And if so, I wouldn't need to create VLAN2 on any of the other managed switches (ones that I left out) because they all connect back to the router through Switch 1 or Switch 2?  
That is correct

But if I were to enable routing on Switch 2, I could save having to touch Switch 1 and the router, and just create VLAN2 on Switch 2, trunk to 2824, then let Switch 2 handle the routing for IPs in VLAN2?  
Kinda... you will still need to touch the router in order to tell him the route he needs to use to reach vlan 2. So you would probably have to add a static route statement for vlan 2 by pointing him at the vlan ip address on switch 2.


Let me know if I am on target or veering way off.
Sounds like you are getting it!
 
LVL 2

Author Closing Comment

by:nick-pecoraro
ID: 35161390
Thanks for all the great information. It helped me greatly with my understanding of VLANs and configuring my network.