Interconnecting VLANs

Posted on 2013-11-14
Last Modified: 2013-11-22
This is a "how does it work?" question.  There is no problem to be solved.

My assumption has always been that VLANs were handy for segmenting broadcast domains (keeping subnets reasonably small) and for isolating subnets.  The two objectives are likely disjoint in that the first objective may not at all include the second.  That is, one wants limited-size subnets but wants them to be able to intercommunicate.

My understanding is that one needs a router to accomplish the intercommunication.  Whether, in practice, this is a separate router or part of a more-capable switch, both seem likely.

So, the questions:
- What are a few of the most typical ways to set up multiple VLANs and then allow them to communicate from one to the other?  
- Is this indeed a common situation?
Question by:Fred Marshall
15 Comments
 
LVL 12

Accepted Solution

by:
Henk van Achterberg earned 250 total points
- What are a few of the most typical ways to set up multiple VLANs and then allow them to communicate from one to the other?  

Using a "Core" switch which has the VLANs for switching AND for routing. Such a switch has VLAN Interfaces with IP addresses and routes packets between those interfaces.

I use this concept all the time at our customers to segment networks. I do this for security, logging and mistakes made by users.

When security is an important factor I use a firewall to route/firewall between the VLANs. This will decrease the throughput as a switch can route faster than a firewall (or you have to buy a very expensive firewall).

And this is very common!
 
LVL 50

Assisted Solution

by:Don Johnston
Don Johnston earned 250 total points
Your understanding of the fundamentals is totally accurate.

And the two common methods for inter-VLAN communications are exactly as you described.

Which method is used depends on the purpose and function of the VLANs.  If the primary reason is to reduce the size of the broadcast domain, then a multilayer switch is used.  If the reason is security (not allowing one VLAN access to another) then a separate routing device (router or firewall) is used.  That's not to say that it can't be done differently, but that's what I would define as "typical".
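The two answers above describe the same two designs: a multilayer switch routing between its own VLAN interfaces, or a layer-2 switch with a separate router/firewall doing the routing. The configuration below is added here as an illustration (it is not from the thread or from either expert) and sketches both in Cisco IOS syntax. The VLAN numbers, interface names, addressing and the GUEST-IN access list are assumed for the example.

```cisco
! Added example, not from the thread. Assumed VLANs and addressing:
!   VLAN 10  users    10.0.10.0/24  gateway 10.0.10.1
!   VLAN 20  servers  10.0.20.0/24  gateway 10.0.20.1
!   VLAN 30  guests   10.0.30.0/24  gateway 10.0.30.1
!
! ===== Design 1: multilayer ("core") switch routes between its own SVIs =====
vlan 10
 name users
vlan 20
 name servers
vlan 30
 name guests
!
! Without this the SVIs are management-only; with it the switch forwards between them.
ip routing
!
interface Vlan10
 ip address 10.0.10.1 255.255.255.0
!
interface Vlan20
 ip address 10.0.20.1 255.255.255.0
!
! Routing between SVIs is unrestricted by default. If the guest VLAN must be kept
! away from the others, the filter at the SVI is the control, not the VLAN itself.
ip access-list extended GUEST-IN
 deny   ip 10.0.30.0 0.0.0.255 10.0.10.0 0.0.0.255
 deny   ip 10.0.30.0 0.0.0.255 10.0.20.0 0.0.0.255
 permit ip 10.0.30.0 0.0.0.255 any
!
interface Vlan30
 ip address 10.0.30.1 255.255.255.0
 ip access-group GUEST-IN in
!
! An access port in VLAN 10 and a trunk carrying all three VLANs to another switch.
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
!
! "switchport trunk encapsulation dot1q" is required on platforms that also
! support ISL and is rejected on switches that only speak 802.1Q; drop it there.
interface GigabitEthernet1/0/24
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30
!
! ===== Design 2: layer-2 switch plus a separate router/firewall on a trunk =====
! Switch side: no "ip routing" and no SVIs for the user VLANs; the uplink toward the
! router is a trunk exactly like Gi1/0/24 above. Router side (IOS), one 802.1Q
! subinterface per VLAN; GUEST-IN is defined on the router the same way as above.
interface GigabitEthernet0/0
 no ip address
!
interface GigabitEthernet0/0.10
 encapsulation dot1Q 10
 ip address 10.0.10.1 255.255.255.0
!
interface GigabitEthernet0/0.20
 encapsulation dot1Q 20
 ip address 10.0.20.1 255.255.255.0
!
interface GigabitEthernet0/0.30
 encapsulation dot1Q 30
 ip address 10.0.30.1 255.255.255.0
 ip access-group GUEST-IN in
```

To check either design, `show ip interface brief` should list the three gateway addresses as up, `show ip route` should show the three subnets as connected, and `show access-lists` should show hit counts climbing on the GUEST-IN deny lines when a guest host tries to reach 10.0.10.0/24 or 10.0.20.0/24. The difference between the designs is only where the gateway addresses and the filter live; the VLAN definitions and the access/trunk ports are the same in both.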
 
LVL 18

Expert Comment

by:Akinsd
VLANS are routable layer 3 interfaces. There is an invisible "no switchport" command on it meaning it doesn't work like switchports.

Broadcasts are stopped by routed interfaces unless you configure relay.

In a nutshell, there are many reasons to use vlans and they all fall under 3 main categories (could be more)
- Administration
- Security (eg Separation of guest network from local lan)
- Ease of Management

You can configure vlans to talk to each other or isolate some vlans from others etc.

Cisco generally recommends that a network over 500 should be segmented and the purpose is to minimize broadcast storms. This however assumes you have optimum network bandwidth. Smaller bandwidths will experience more congestion.

Ease of management gives you flexibility. That's totally discretional.
 
LVL 25

Author Comment

by:Fred Marshall
VLANS are routable layer 3 interfaces
I'm a bit of a stickler for terminology.  I don't know what a "layer 3 interface" is.  I do know that Layer 2 switches can implement VLANs.  So I'm a bit confused by the statement here.
 
LVL 50

Expert Comment

by:Don Johnston
That statement is simply not correct.

I'm guessing they are referring to a VLAN interface.  But that's just a guess.
 
LVL 18

Expert Comment

by:Akinsd
People just get confused by terminology and do not pay attention to the root
VLAN - Virtual Local Area Network. You need interfaces to have a network, in this case, it is virtual. To assign IP address to a virtual interface, you would need to access interface VLAN .....

Same thing goes for WLAN
Wireless Local Area Network

To refresh your knowledge, read up on Local Area Network.

You don't classify something you don't know as incorrect and wrongly mislead other people.
 
LVL 25

Author Comment

by:Fred Marshall
Akinsd:  

Perhaps you should have responded to my ID: 39650007.  I was / am confused by the words you used.  Perhaps I was less direct than donjohnson's but my feeling was the same.  So, the only confusion I see about terminology was made clear (that it existed) and clarification was requested.  I still don't see any clarification.

I am trying to expand my knowledge.  That knowledge on these topics that I already have doesn't particularly need refreshing, thank you.
 
LVL 50

Expert Comment

by:Don Johnston
People just get confused by terminology and do not pay attention to the root
You don't classify something you don't know as incorrect and wrongly mislead other people.
I'm not sure who this is addressed to, but allow me to respond.

VLANS are routable layer 3 interfaces. There is an invisible "no switchport" comand on it meaning it doesn't work like switchports.
Not correct.

1.

If you're on a layer-2 switch, only one VLAN interface can be operational at any given time. And it's used to communicate with the switch for management purposes and is not routed.

2.

The "no switchport" command is only available on multilayer switches. It does not exist on layer-2 switches.

3.

Finally, a VLAN is not an "interface". The SVI (switched virtual interface), also referred to as a "VLAN interface", is the interface that is typically associated with a VLAN.  But it is not required.
 
LVL 18

Expert Comment

by:Akinsd
You just proved my point partially.

The SVI (switched virtual interface) also referred to as a "VLAN interface" is the the interface that is typically associated with a VLAN

But it is not required.
Not required when you have a "Routed" layer 3 interface on a router. Can you create a VLAN without specifying the associated subnet? Definitely no.

Can you create an SVI on a layer 2 switch? Definitely no.

Have you ever wondered why switches are assigned to vlan 1 by default and you have no way of deleting it?
Have you also given it a thought why only 1 vlan can be operational on layer 2 switches at any given time like you mentioned?

Lastly, why would no switchport be available on layer 2 switch when it has no capability of converting to a layer 3 interface.
FYI, no switchport is not a magical command. Cisco designed the "No" command to be used to minimize and simplify commands on a device. "No" is meant to toggle things off.

People just get confused by terminology and do not pay attention to the root
You've just gone ahead and proved that statement even further!

This question is closed - Please let it stay closed. I'm not asking the Author to change anything even if he was connived or misled.
I will not reply to anything after this!
 
LVL 12

Expert Comment

by:Henk van Achterberg
Not required when you have a "Routed" layer 3 interface on a router. Can you create a VLAN without specifying the associated subnet? Definitely no.
What do you mean by "without specifying the associated subnet"? A VLAN does not need an SVI on a switch. And an SVI does not need an IP address with a subnet to function (e.g. using IPX).

I think you may be right about some things but the way you explain them is confusing, at least to me it is.
 
LVL 50

Expert Comment

by:Don Johnston
Can you create a VLAN without specifying the associated subnet? Definitely no.
I guess that depends on your definition of "specifying the associated subnet". If you mean assigning an IP address on the switch, then that is incorrect. I am currently consoled into a 2950 switch with 8 VLANs. On this switch, only one VLAN has an IP address assigned to it (the management VLAN which in this case is VLAN 23).
Can you create an SVI on a layer 2 switch? Definitely no.
Same as above. There is an SVI defined on a layer-2 switch.
Have you also given it a thought why only 1 vlan can be operational on layer 2 switches at any given time like you mentioned?
Same as above... again. A 2950 switch with 8 VLANs. All 8 VLANs are operational.  Now, like I said before, only one VLAN interface is operational. But all of the user defined VLANs are active and functional.

I suspect that you are confusing "VLANs" with "VLAN interfaces".

I'm done with this.
 
LVL 18

Expert Comment

by:Akinsd
Thanks for the gentleman tone and etiquette in your statement, Henkva.

VLAN = Virtual Local Area Network.
Network is a link between locations - usually an identifiable location. Otherwise, it will be impossible to link something you cannot identify by location.

The way we identify locations (interfaces) in Networking is by IP Address
The interfaces must be layer 3 capable in order to assign an address.
The interfaces in themselves can also be virtual.
The virtual in VLAN refers to the absence of direct cabling between interfaces

VLAN is therefore an invisible connection between devices all linked to a routable interface. That is not the technological definition, it's just a way of breaking it down.
You interchange VLAN with Subnet if you like (not exactly the same but interchangeable in most situations)


There is no confusing VLANs with VLAN interface. All I am saying is there you can't have water flowing through your tap and acknowledge the water but deny the existence of the tap. Without the tap, the water has no where of flowing from.
 
LVL 12

Expert Comment

by:Henk van Achterberg
I can see where you are going but I think you will agree with me that engineers think in two kinds of VLANs,

The first kind you just make available on your switch through assigning them to ports as access or trunk ports.

The second kind is just like the first kind except they add IP address information to the interfaces and thus make routing between them available.

I think we all know what we mean by now. Thanks for participating and we will meet again in another question probably :).
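The "first kind" of VLAN Henk describes here, and the 2950 Don mentioned earlier (eight VLANs, one VLAN interface with an address), look like the following on a pure layer-2 access switch. This is an added illustration in Cisco IOS syntax, not configuration from the thread; the VLAN numbers, port names, addresses and the choice of VLAN 999 as native VLAN are assumed.

```cisco
! Added example, not from the thread. A pure layer-2 access switch in Cisco IOS syntax.
! Assumed: VLANs 10, 20 and 30 carry user traffic; VLAN 23 is the management VLAN;
! VLAN 999 is an otherwise unused VLAN chosen as the trunk's native VLAN.
vlan 10
 name users
vlan 20
 name servers
vlan 23
 name mgmt
vlan 30
 name guests
vlan 999
 name native-unused
!
! Access ports: frames are untagged on the wire; the port, not the host, decides the VLAN.
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
!
interface FastEthernet0/2
 switchport mode access
 switchport access vlan 30
!
! Trunk uplink: 802.1Q tags carry the listed VLANs to the core switch or router.
! Untagged frames arriving on a trunk are placed in the native VLAN, so point it at
! an unused VLAN that is deliberately left out of the allowed list.
interface FastEthernet0/24
 switchport mode trunk
 switchport trunk allowed vlan 10,20,23,30
 switchport trunk native vlan 999
!
! The only SVI on the box. It exists for managing the switch, not as a gateway:
! VLANs 10, 20 and 30 are forwarded at layer 2 only and have no "interface Vlan" here.
interface Vlan23
 ip address 10.0.23.5 255.255.255.0
 no shutdown
!
ip default-gateway 10.0.23.1
```

After applying this, `show vlan brief` lists 10, 20, 23, 30 and 999 as active with Fa0/1 in VLAN 10 and Fa0/2 in VLAN 30; `show interfaces trunk` shows Fa0/24 trunking with the allowed list; and `show ip interface brief` shows Vlan23 as the only interface with an address. Hosts in VLAN 10 and VLAN 30 can only reach each other if whatever sits at the other end of Fa0/24 routes between them, which is the "second kind" of VLAN from Henk's comment.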
 
LVL 18

Expert Comment

by:Akinsd
Correct
The 1st kind is an extension of the 2nd in order to span through multiple switches.

@ DonJohnson.
All I did was quote you and you still disagreed with my quote meaning you disagree with your statement. I am confused by this.
May I recommend to please try to use "disagree" rather than "not correct".
We are all here to learn even while helping others. No single person knows it all.

A cup that is half full does not mean it is not half empty.
To emphatically say "half full" is incorrect is disagreeable, likewise otherwise.
 