VLAN Tutorial


Why Do We Use VLAN?

  1. They let us group hosts by department, security clearance, or any other category, rather than being limited to physical location.
  2. They are a basic security feature: they hide a logical group of hosts from everyone else. We can do that with regular VLANs, advanced VLANs, and private VLANs.
  3. The big reason is that they help prevent network performance degradation by limiting the scope of broadcasts, which helps prevent a "broadcast storm".

What is a "Broadcast Storm"?

It is not a sudden event; it doesn't happen out of nowhere. It is gradual. You may notice some slowdowns with no obvious reason. Slowly, the number of broadcasts (BCs) the switches have to handle increases, because broadcasts tend to beget more broadcasts. As you add more hosts and keep them all in one VLAN, you get even more BCs. When the storm hits, the sheer number of BCs keeps the switch so busy handling them that it can no longer carry out its basic functions, such as forwarding our unicast and multicast frames, efficiently. So it's better to avoid such a storm in the first place.

In the following lab, we will assign an IP address to each of our hosts, do some configuration, and do some testing.

IP addresses run at Layer 3, and while we haven't configured them yet, we have plenty of them coming.

Here are the four hosts connected to the switch. We are using Cisco routers as the hosts. They are all in the same subnet and can ping each other. These are the pings I sent from host 1:

Now we do some verification to make sure the setup matches what we see in the drawing:

  • Make sure my physical connections are what I think they are.

And now we check the switch:

And as you see, everything matches.

  • Now we verify VLAN membership.

The white area is what we need. To see only the information we need, we can use "show vlan brief".

As you can see, VLAN 1 is the "default" VLAN.

Note: VLANs 1002 to 1005 are also default VLANs, but we rarely use them.

Now we are going to create some other VLANs, because every VLAN we create has its own broadcast domain. By putting a couple of devices in a separate VLAN in our lab, we cut down on the number of broadcasts immediately.

We are going to put hosts 2 and 4 into VLAN 24:

The command to do this is "switchport access", and we type ? to see the options (there is just one option here: vlan).

Notice this message: "Access VLAN doesn't exist. Creating VLAN 24!" VLAN 24 really didn't exist, as you could see when we ran "show vlan brief". In this case the Cisco switch creates the VLAN for us (not always).

Now if we go to interface 4, it won't give us the same message, because that VLAN was created a couple of seconds ago.

If you want to pre-create a VLAN, or create one for any other reason, just enter "vlan" in global configuration mode, followed by the number you want to give it.

So we create VLAN 45. As you can see, the prompt changes to config-vlan configuration mode. Let's see the results.

As you can see, VLAN 24 and VLAN 45 are now in the list, and both are active. It also shows the ports. When this screen gets crowded, running "show vlan brief" fills your entire screen with VLAN numbers and VLAN names, with ports all over the right-hand side. So just mark the line like this:

As you can see, VLAN 45 is empty because we haven't assigned any ports to it.

What we've done is this logical segmentation:

What did we just do?

We took one broadcast domain (BD) and logically segmented the network, so now we have two BDs. At first it seems we have more broadcasts overall, but the more BDs we have, the smaller each one is, which limits the scope of each broadcast. You end up with fewer broadcasts in your network overall, and that's the major benefit of using VLANs.

Imagine we had 64 ports instead of the 4 ports in the picture. If a switch is sending out 63 copies of every broadcast and you segment the network in half with VLANs, you cut the number of copies down to 32. That would be a huge saving on that switch, a huge saving on bandwidth, and a saving on the hosts, which no longer receive unnecessary broadcasts that they would still have to unpack.

Now we check our connectivity. After a "network change", we want to check connectivity both beforehand and afterwards (as we checked before, every host could ping every other host).

Sometimes we lose the first packet of a ping if it's been a while since you pinged that address (it didn't happen this time).

Now, as you can see, we can't ping 10.1.1.2 (something we did has changed things!). But the ping to 10.1.1.3 goes through.

Now we try 10.1.1.4 :

It didn’t go through !

Now let's go over to host 2 and ping 10.1.1.1:

It didn’t go through!

It doesn’t look good for 10.1.1.3 either.

Then we tried 10.1.1.4 and it went through (we lost the first packet and the other 4 went through, so it's better to do it again).

As marked here, we terminated the ping to 10.1.1.3 after 3 packets by using the escape sequence, Ctrl+Shift+6.

Why do we need the escape sequence?

Because in more advanced labs we use pings to simulate data streams, or to create a stream of traffic to work with, and we might need to stop it to correct something.

So let’s see what we have here:

  • Our host in VLAN 1 can ping the other host in VLAN 1.
  • Host 2 can't ping host 1 or host 3, but can ping host 4.
  • Each device can ping the other device in its VLAN but can't go across VLANs.

In fact, a regular Layer-2 switch can't handle traffic going from one VLAN to another. It's not able to process it, so it won't go through. It can only handle traffic going to other hosts in the same VLAN.

So we need to get layer-3 involved.

How can we involve Layer 3?

We can use a router, or a multilayer switch, which is capable of IP routing as well as handling everything at Layer 2.
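As an added example (not code from the tutorial), the following Python model ties together the broadcast-count argument and the ping results above: it parses a constructed IOS-style access-port config, groups ports into broadcast domains, counts the copies a switch floods per broadcast, and checks which hosts a plain Layer-2 switch can reach. Interface names are assumptions; the model counts one copy per other port in the VLAN, so 64 ports in one VLAN give 63 copies and each 32-port half gives 31.

```python
from collections import defaultdict

# Constructed IOS-style config (not from the tutorial): host N is on
# FastEthernet0/N; hosts 2 and 4 were moved to VLAN 24, the rest stay in VLAN 1.
SAMPLE_CONFIG = """\
interface FastEthernet0/1
interface FastEthernet0/2
 switchport access vlan 24
interface FastEthernet0/3
interface FastEthernet0/4
 switchport access vlan 24
"""

def parse_access_vlans(config, default_vlan=1):
    """Map each interface to its access VLAN (VLAN 1 unless configured)."""
    ports, current = {}, None
    for line in config.splitlines():
        words = line.split()
        if len(words) == 2 and words[0] == "interface":
            current = words[1]
            ports[current] = default_vlan
        elif words[:3] == ["switchport", "access", "vlan"] and current:
            ports[current] = int(words[3])
    return ports

def broadcast_domains(ports):
    """One broadcast domain per VLAN: the set of ports sharing that VLAN."""
    domains = defaultdict(set)
    for port, vlan in ports.items():
        domains[vlan].add(port)
    return dict(domains)

def broadcast_copies(ports, ingress):
    """Copies flooded for a broadcast arriving on `ingress`: every other
    port in the same VLAN, none in any other VLAN."""
    vlan = ports[ingress]
    return sum(1 for p, v in ports.items() if v == vlan and p != ingress)

def can_ping(ports, a, b):
    """Plain Layer-2 switching stays inside the VLAN; crossing needs Layer 3."""
    return ports[a] == ports[b]

def copies_before_and_after_split(n_ports):
    """Flood fan-out with all n_ports in VLAN 1, then with half of them
    moved to VLAN 2 (the 64-port thought experiment from the text)."""
    one_vlan = {f"Gi1/0/{i}": 1 for i in range(1, n_ports + 1)}
    split = {p: (1 if i <= n_ports // 2 else 2)
             for i, p in enumerate(one_vlan, start=1)}
    return broadcast_copies(one_vlan, "Gi1/0/1"), broadcast_copies(split, "Gi1/0/1")
```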
