07 VLAN Principle and Configuration.pdf
0 likes70 views
Tom was tasked with isolating communication between the technical and financial departments on the same floor. He considered using different IP subnets but the manager explained this could allow unauthorized access. The manager suggested using VLANs, which Tom learned: 1) Logically separate networks on a switch using VLAN IDs and allow communication within but not between VLANs. 2) He configured ports for each department into different VLANs, blocking inter-department communication while allowing intra-department communication. 3) He verified the VLAN configuration was working properly using commands to display VLAN mappings and the MAC address table.
07 VLAN Principle and Configuration.pdf
- 1. Layer2 Network Technology VLAN Principle and Configuration
- 2. VLAN Principle and Configuration Main Content
- 3. Common Technology Courses • After learning, Tom mastered the communication process between two PCs and showed greater interest in network technologies. The customer raised new requirements in this project: There are offices of both the technical department and financial department on the fifth and sixth floors, mutual communication is required inside departments, but communication of the technical department and that of the financial department need to be isolated from each other. Layer-2 switch Layer-2 switch Layer-3 switch Technical department Technical department Financial department Financial department 1 2 3 1 2 3 24 24 2 1
- 4. Common Technology Courses • At a glance of this topology, Tom thought of implementing isolation between the technical department and the financial department on the same switch first. • Tom recalled the IPv4 address knowledge and remembered that only hosts in the same network segment could communicate with each other directly. So, Tom thought that IP addresses in different network segments could be allocated to PCs to implement isolation. Layer-2 switch Technical department Financial department 1 2 3 Technical department: 192.168.1.0/24 Financial department: 192.168.2.0/24
- 5. Common Technology Courses • Tom told the manager his idea. The manager praised his idea but also reminded Tom that ARP Request packets would be broadcast in PC communication and the switch flooded the broadcast packets, which could cause junk traffic. In addition, the idea may put security in risks. If a staff in the technical department changes his/her IP address to be in the same network segment as IP addresses of the Financial department, he could access PCs of the Financial department. • Tom thought that the manager's consideration was right and comprehensive. The manager told Tom that VLANs and trunks were important features on the layer-2 switch and they could be a good solution. Layer-2 switch Technical department Financial department ARP Request ARP Request
- 6. VLAN Principle and Configuration • Virtual Local Area Network (VLAN) • A VLAN is a logical network configured on a physical network. Each VLAN is identified by a numeral ID ranging from 1 to 4094. Different VLANs configured on a layer-2 switch are physically isolated and cannot communicate with each other. • On the switch, each port can be added to a VLAN. Physical ports with the same VLAN ID belong to the same VLAN and hosts connected to such ports are in the same network. Physical ports with different VLAN IDs belong to different networks. Hosts connected to such ports cannot communicate with each other even if their IP addresses are in the same network segment. Each VLAN is equivalent to an independent switch. • All ports on a switch belong to VLAN 1 by default. VLAN 10 VLAN 20 Layer-2 switch Technical department Financial department 1 2 3
- 7. VLAN Principle and Configuration • Configuring VLANs • Step 1: Create VLANs. • Step 2: Add ports to VLANs on the switch. RG-S2652G(config)#vlan 10 //Creating a VLAN. RG-S2652G(config-vlan)# name Technical //Naming the VLAN for VLAN description. RG-S2652G(config)#vlan 20 RG-S2652G(config-vlan)# name Financial RG-S2652G(config)#interface range f0/1-2 RG-S2652G(config-if-range)#switchport access vlan 10 //Adding this port to VLAN 10. RG-S2652G(config)#interface f0/3 RG-S2652G(config-if)#switchport access vlan 20 VLAN 10 VLAN 20 Layer-2 switch Technical department Financial department 1 2 3
- 8. VLAN Principle and Configuration • Displaying VLAN Configuration Results • Run the show vlan command to display VLAN information and ports contained in each VLAN. Ruijie#show vlan VLAN Name Status Ports ---- -------------------------------- --------- ----------------------------------- 1 VLAN0001 STATIC Fa0/4, Fa0/5, Fa0/6, Fa0/7 Fa0/8, Fa0/9, Fa0/10, Fa0/11 Fa0/12, Fa0/13, Fa0/14, Fa0/15 Fa0/16, Fa0/17, Fa0/18, Fa0/19 Fa0/20, Fa0/21, Fa0/22, Fa0/23 Fa0/24, Gi0/25, Gi0/26 10 VLAN0010 STATIC Fa0/1, Fa0/2 20 VLAN0020 STATIC Fa0/3 VLAN 10 VLAN 20 Layer-2 switch Technical department Financial department 1 2 3
- 9. VLAN Principle and Configuration • Displaying the MAC Address Table of the Switch • The MAC address table contains VLAN information. The switch forwards data only between ports belonging to the same VLAN. VLAN 10 VLAN 20 Layer-2 switch Technicaldepartment Financial department 1 2 3 Ruijie#sh mac-address-table Vlan MAC Address Type Interface ---------- -------------------- -------- ------------------- 10 001a.a919.414d DYNAMIC FastEthernet 0/1 10 000d.9dd2.6587 DYNAMIC FastEthernet 0/2 20 0016.d32c.2070 DYNAMIC FastEthernet 0/3 …
- 10. VLAN Principle and Configuration • Summary • After study, Tom mastered the functions of VLANs and how to configure and display VLANs. It is an optimal way to isolate communication of the two departments via VLANs. • Tom added ports to different VLANs by department on the switch. The PCs of different departments could not communicate with each other even if their IP addresses are in the same network segment. Therefore, VLANs are really useful. • Exercises • What is the function of VLANs? Can physical ports in different VLANs on a layer-2 switch communicate with each other? • What are the steps for configuring VLANs? • How to display the mappings between VLANs and ports? Which VLAN is the default one of ports on the switch?
- 11. THANKS Ruijie Networks Co., Ltd. Address: Floor 11, East Wing, Zhongyipengao Plaza, No. 29 Fuxing Road, Haidian District, Beijing, China Post Code: 100036 Tel: (8610) 5171-5996 Fax: (8610) 5171-5872 www.ruijienetworks.com