VLAN Concept Details

he most important topic in the networking field – Virtual LANs (VLANs). It is a simple yet very powerful concept that changed the network industry and is nowadays used in EVERY network.

LAN switches and BUM traffic

Before understanding the VLAN concept, you must first understand two core concepts about the Ethernet standard – what is a broadcast domain and what BUM traffic is. Let’s start with the BUM data type. BUM stands for broadcast, unknown unicast, and multicast. When a LAN switch receives a frame that belongs to one of these types, it sends the frame to all its ports except the port it received the frame on. This behavior is shown in the diagram below.

Back in the old days, a broadcast domain was equal to one physical switch. Every BUM frame was sent out to all switchports except the port it was received on. However, the introduction of VLANs changed that forever.

Why do we need VLANs?

By default, all interfaces on a Cisco switch are in the same broadcast domain. Therefore, when a broadcast frame is received on any switch port, the switch forwards it out to all its other ports. At the same time, organizations want to isolate different users into separate broadcast domains. For example, the R&D department must be isolated from the HR department.

R&D needs to keep their secret project work confidential.
HR must protect sensitive information like employee salaries.

However, if they share the same broadcast domain, R&D’s BUM traffic reaches HR users, and HR traffic reaches R&D users. This creates security and privacy issues. By placing each department in its own broadcast domain, organizations keep traffic separated and improve both control and privacy.

But how do we separate some users into different broadcast domains? (if VLANs don’t exist)

You must connect each different group of users to a different physical switch. But how many different physical switches can you have in the network? What if the organizations want to have hundreds or thousands of separate broadcast domains? Can you really have thousands of physical switches to isolate some BUM traffic from others? Of course not. At some point, people realized that there is another way – we can isolate broadcast domains logically.

What are VLANs?

We have said that to create two separate LANs (such as one for servers and one for users), we must use two different physical switches, as shown in the diagram above. This approach is not scalable; imagine if your organization wants to have a thousand separate LANs, it has to have thousands of physical switches. This scaling limitation is the reason why Virtual LANs were introduced.

By using VLANs, a single switch can act as multiple logical switches and create multiple broadcast domains. This is done on a port-by-port basis. Using the following diagram as an example, the ports where the users are connected are configured to be part of VLAN10 (or, in other words, to be connected to virtual switch 10), and the ports where the servers are connected are configured to be part of VLAN20 (or in other words to be connected to virtual switch 20). The switch will then never forward a frame sent by any user to any of the servers and vice-versa because they are part of different broadcast domains.

The switch uses the port’s VLAN assignment to decide which broadcast domain the traffic belongs to. If two devices are on different VLANs, even if they are connected to the same switch, they cannot communicate directly.

Benefits of using VLANs

Using VLANs not only improves the scaling of the LAN. It has many more advantages, such as:

It improves security by reducing the number of end stations that receive copies of BUM traffic.
It creates smaller fault domains by isolating different groups of devices in separate broadcast domains.
It reduces the CPU overhead on each device in the LAN by limiting the number of broadcast frames received.
It improves network performance and speed of failure recovery.

Creating VLANs on a Cisco switch

Cisco switches do not require any initial configuration to work. You just unbox the device, install the cabling, power it up, and it works. By default, all interfaces are in VLAN 1. This means that all devices connected to the switch are in the same broadcast domain and must be in one subnet. This logic also applies if you connect multiple default setting switches together. They create one multiswitch broadcast domain, which implies all connected clients must be on the same IP subnet. At some point, you will need to connect clients that are in different subnets, though. This means that VLANs must be created.

To configure VLANs on a Cisco switch, additional configuration must be added. There are two main steps for creating a new VLAN:

Step 1. Create a new VLAN in the switch VLAN database
- In global configuration mode, we use the vlan [vlan-id] command to create the new VLAN in the switch’s database.
- (Optional) In VLAN configuration mode, we use the name [name] command to assign a name to the VLAN.
Step 2. Assign interfaces to the newly created VLAN.
- In global configuration mode, we use the interface [number] command to move into the interface configuration mode.
- We then use the switchport access vlan [id] to specify the VLAN number associated with the interface.
- (Optional) We use switchport mode access to make the port always operate as an access port.

For this example we will use the following topology. We will create two VLANs – VLAN10 named CLIENTS and VLAN20 named SERVERS and will assign four access ports to each VLAN as shown in the diagram below.

				
					Switch# show vlan brief 
 
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                Fa0/9, Fa0/10, Fa0/11, Fa0/12
                                                Fa0/13, Fa0/14, Fa0/15, Fa0/16
                                                Fa0/17, Fa0/18, Fa0/19, Fa0/20
                                                Fa0/21, Fa0/22, Fa0/23, Fa0/24
                                                Gig0/1, Gig0/2
1002 fddi-default                     act/unsup    
1003 token-ring-default               act/unsup 
1004 fddinet-default                  act/unsup 
1005 trnet-default                    act/unsup

				
					Switch# configure terminal 
Enter configuration commands, one per line.  End with CNTL/Z.
Switch(config)# vlan 10
Switch(config-vlan)# name CLIENTS
Switch(config-vlan)# exit
Switch(config)# vlan 20
Switch(config-vlan)# name SERVERS
Switch(config-vlan)# end

				
					Switch#show vlan brief 

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                Fa0/9, Fa0/10, Fa0/11, Fa0/12
                                                Fa0/13, Fa0/14, Fa0/15, Fa0/16
                                                Fa0/17, Fa0/18, Fa0/19, Fa0/20
                                                Fa0/21, Fa0/22, Fa0/23, Fa0/24
                                                Gig0/1, Gig0/2
10   CLIENTS                          active 
20   SERVERS                          active    
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup

				
					Switch# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Switch(config)# interface range fastEthernet 0/1 - 4
Switch(config-if-range)# switchport access vlan 10
Switch(config-if-range)# switchport mode access 
Switch(config-if-range)# exit
Switch(config)# interface range fastEthernet 0/15 - 18
Switch(config-if-range)# switchport access vlan 20
Switch(config-if-range)# switchport mode access 
Switch(config-if-range)# end

				
					Switch#show vlan brief 
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                Fa0/9, Fa0/10, Fa0/11, Fa0/12
                                                Fa0/13, Fa0/14, Fa0/19, Fa0/20
                                                Fa0/21, Fa0/22, Fa0/23, Fa0/24
                                                Gig0/1, Gig0/2
10   CLIENTS                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
20   SERVERS                          active    Fa0/15, Fa0/16, Fa0/17, Fa0/18
1002 fddi-default                     act/unsup 
1003 token-ring-default               act/unsup 
1004 fddinet-default                  act/unsup 
1005 trnet-default                    act/unsup

				
					C:\> ipconfig

FastEthernet0 Connection:(default port)
   Link-local IPv6 Address.........: FE80::20A:41FF:FE83:371A
   IP Address......................: 192.168.1.10
   Subnet Mask.....................: 255.255.255.0
   Default Gateway.................: 0.0.0.0
   
C:\>ping 192.168.1.11
Pinging 192.168.1.11 with 32 bytes of data:
Reply from 192.168.1.11: bytes=32 time<1ms TTL=128
Reply from 192.168.1.11: bytes=32 time<1ms TTL=128
Reply from 192.168.1.11: bytes=32 time<1ms TTL=128
Reply from 192.168.1.11: bytes=32 time<1ms TTL=128
Ping statistics for 192.168.1.11:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss)

				
					C:\> ping 10.1.0.10
Pinging 10.1.0.10 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 10.1.0.10:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss)

VLAN Trunking

This lesson discusses VLAN trunking – a technology that switches use to carry traffic for multiple VLANs over a single physical link called a trunk link. It is a fundamental topic of the CCNA exam and the networking field in general.

Why do we need trunk links?

Soon after VLANs were introduced, people realized they needed to extend them across multiple switches. But some challenges had to be solved first. How do we span multiple VLANs between switches? Let’s find out.

Multiswitch broadcast domains

Recall that when a broadcast frame is received on any switch port, the switch forwards it out to all its other ports. Having that in mind, if we connect two default setting switches, as shown in the diagram below, any broadcast frame received by either switch is forwarded to the other one and then out all its ports. Therefore, a broadcast domain is not limited to one switch only; it includes all devices that get a copy of any broadcast frame, even if they are connected to other

Notice that the link between switch SW1 and switch SW2 is a trunk link. Both VLAN 10 and VLAN 20 pass through it.

How does a Trunk link work?

A trunk link keeps track of which VLAN each frame belongs to. The sending device adds a special header to the original Ethernet frame. This header includes a VLAN ID, which tells the receiving side which VLAN this frame belongs to.

Over the years, two trunking protocols have been used on Cisco switches: Inter-Switch Link (ISL) and IEEE 802.1Q.

ISL was a Cisco proprietary tagging protocol predecessor of 802.1Q, it has been deprecated and is not used anymore.
IEEE 802.1Q is the industry-standard trunking encapsulation at present and is typically the only one supported on modern switches.

The IEEE 802.1q trunking protocol works by adding an additional 4-byte header to Ethernet frames that pass through the trunk link. The 802.1q header is shown in the diagram below.

It is important to note that the tag adds 4 additional bytes to the Ethernet header of the frames. The most important field in the tag is the VLAN ID, which is 12 bits long. It specifies the VLAN to which the frame belongs. Because values of 0x000 and 0xFFF are reserved, there are 4,094 possible VLAN numbers.

802.1Q VLAN Tagging

VLAN trunking allows switches to forward frames from different VLANs over a single link called a trunk. This is done by adding an additional header information called tag to the Ethernet frame. The process of adding this small header is called VLAN tagging. If you look at the diagram below, PC1 is sending a broadcast frame. When switch SW1 receives the frame, it knows that this is a broadcast, and it has to send it out to all its ports. However, SW1 must tell SW2 that this frame belongs to VLAN10. So before sending the frame over the 802.1Q trunk link, SW1 adds a VLAN header to the original ethernet frame, with VLAN number 10, as shown below.

When switch SW2 receives the frame, it sees that the frame belongs to VLAN 10, then it removes the header and forwards to the original ethernet frame to all its interfaces configured in VLAN10.

In the given example, ethernet frames sent between the switches over the trunk link are tagged with a VLAN header. When the receiving switch receives them, it removes the VLAN tag and sends them to the clients in the VLAN as untagged frames (original Ethernet frames).

KEY NOTE: It is very important to remember that VLAN tagging only happens between switches over a trunk link. When a frame is sent to an end device, the switch removes the VLAN tag before forwarding it (as shown in the diagram above). End devices do not see or process VLAN tags.

Switch interface modes

Each switch interface can operate as an access or trunk port. Because a typical LAN deployment has hundreds or even thousands of switch ports, Cisco has introduced a proprietary protocol called Dynamic Trunking Protocol (DTP) that helps switches automatically determine their operational mode. How DTP works? Each port is configured with a mode like access, trunk, dynamic auto, or dynamic desirable. DTP advertises this mode on the remote side and tries to negotiate a trunk link if the configuration of the two sides is compatible.

Notice that DTP only works on switch-to-switch links. End hosts do not understand and process it. Additionally, it only works between Cisco devices because it is a Cisco-proprietary protocol.

By default, all Cisco switch ports are in operational state dynamic auto, which means that this Dynamic Trunking Protocol (DTP) is listening and trying to understand what is configured on the other side of the cable and, based on that, to decide whether to become an access or trunk port. For example, if we have a link between SW1 and SW2, if we configure the interface on SW1 to be a trunk port, DTP will advertise this to the other side, and the interface on SW2 will automatically set itself in trunk mode, and a trunk link will be formed between the switches.

Table 1. Switchport modes
Mode	Behaviour
switchport mode dynamic auto	DEFAULT MODE for layer 2 interfaces of modern Cisco switches Passively waiting to convert the port into a trunk. (DTP listening for messages from the far side saying “let’s form a trunk”) Becomes a trunk if the other side of the link is configured with trunk or dynamic desirable mode
switchport mode dynamic desirable	Actively trying to convert the link to a trunk. (DTP actively sending messages to the far side saying “let’s form a trunk”) Becomes a trunk if the other side of the link is configured with trunk or dynamic desirable or dynamic auto.
switchport mode access	The interface becomes an access port. DTP negotiates the link as nontrunk link.
switchport mode trunk	The interface becomes a trunk port. DTP negotiates the link as trunk link. (DTP actively sending messages to the far side saying “let’s form a trunk”)
switchport mode nonegotiate	Disables the Dynamic Trunking Protocol (DTP). Interface mode is configured manually.

As you can see, there are quite a few switchport operational modes, so there are several possible combinations for both ends of a link between two switches. Depending on the configuration of both sides, the switches could form a trunk link or not. All combinations are shown in the diagram below.

				
					SW1# conf t
Enter configuration commands, one per line.  End with CNTL/Z.
SW1(config)# interface GigabitEthernet 0/1
SW1(config-if)#switchport mode dynamic ?
  auto       Set trunking mode dynamic negotiation parameter to AUTO
  desirable  Set trunking mode dynamic negotiation parameter to DESIRABLE

SW1(config-if)# switchport mode dynamic desirable
SW1(config-if)# end
%SYS-5-CONFIG_I: Configured from console by console

				
					SW1# show interface trunk 

Port        Mode         Encapsulation  Status        Native vlan
Gig0/1      desirable    n-802.1q       trunking      1

Port        Vlans allowed on trunk
Gig0/1      1-1005

Port        Vlans allowed and active in management domain
Gig0/1      1,10,20

Port        Vlans in spanning tree forwarding state and not pruned
Gig0/1      1,10,20

				
					SW2#sh interfaces trunk 

Port        Mode         Encapsulation  Status        Native vlan
Gig0/1      auto         n-802.1q       trunking      1

Port        Vlans allowed on trunk
Gig0/1      1-1005

Port        Vlans allowed and active in management domain
Gig0/1      1,10,20

Port        Vlans in spanning tree forwarding state and not pruned
Gig0/1      1,10,20

Trunk Native VLAN

This lesson discusses the Native VLAN – one of the most confusing and challenging topics in the CCNA exam — and networking overall. Although it may seem simple at first, it often causes misunderstandings and mistakes in real-world setups. This lesson will help you clearly understand the topic through many diagrams and animated examples.

Why do we need the Native VLAN?

Recall that a trunk port sends and receives Ethernet frames tagged with IEEE 802.1q VLAN tags. The primary idea behind this is to be able to transport frames from multiple VLANs over a single physical link between switches. This means that both ends of a trunk will always receive tagged frames, as shown in the diagram below.

However, when these untagged frames reach the switches over the trunk link, SW1 and SW2 must decide which MAC address table to look into for the destination MAC address and which VLAN these frames belong to. But how can the switches decide which VLAN to use?

Native VLAN has been introduced to solve this specific scenario. Let’s see how.

What is the Native VLAN?

The Native VLAN is a VLAN number configured per trunk port; it is locally significant, and it instructs the switch the following:

“If you receive an untagged frame on this trunk port, forward it as if it is part of the native VLAN number.”

For example, if we configure the native VLAN on a trunk to be 20, if a frame without IEEE 802.1q header comes in that port, it will be forwarded to VLAN 20. You can see an example of this in the diagram below. PC3 is somehow connected to the trunk and is sending untagged frames. When they are received on both sides of the link, they are forwarded into the VLAN 20 because it is the Native VLAN configured on the trunk ports.

				
					SW2# show interface Gi0/1 switchport
Name: Gig0/1
Switchport: Enabled
Administrative Mode: dynamic auto
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk private VLANs: none
Operational private-vlan: none
Trunking VLANs Enabled: All
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL
Protected: false
Unknown unicast blocked: disabled
Unknown multicast blocked: disabled
Appliance trust: none

				
					SW2#
%CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on GigabitEthernet0/1 (20), with SW1 GigabitEthernet0/1 (10).
%CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on GigabitEthernet0/1 (20), with SW1 GigabitEthernet0/1 (10).
%CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on GigabitEthernet0/1 (20), with SW1 GigabitEthernet0/1 (10).
%CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on GigabitEthernet0/1 (20), with SW1 GigabitEthernet0/1 (10).

Native VLAN mismatch can cause some major issues and security implications, such as:

Misdirected traffic—Frames originating in the VLAN configured as Native is sent untagged across the trunk. Upon receiving on the other side of the link, they are forwarded in a different VLAN because trunk settings don’t match on both sides.
VLAN hopping—malicious traffic can cross VLAN boundaries.

Allowed VLANs on a Trunk port

By default, on Cisco switches, frames from all VLANs are transported over the trunk link. However, there is a way to specify exactly which VLAN numbers are allowed to be carried across. There are many cases in which you would want to specify only certain VLANs and not send frames from all VLANs. If we take Figure 5 as an example, the switch on the left has four VLANs, 10,20,30 and 40, but the switch on the right has VLANs 10, 20, 50, and 60. So you would probably want to send only traffic for 10 and 20 over the trunk link. This can be configured using the switchport trunk allowed vlan command.

				
					SW1# show vlan

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/5, Fa0/6, Fa0/7, Fa0/9
                                                Fa0/10, Fa0/11, Fa0/12, Fa0/13
                                                Fa0/14, Fa0/20, Fa0/21, Fa0/22
                                                Fa0/23, Fa0/24, Gig0/2
10   USERS                            active    Fa0/2, Fa0/3, Fa0/4
20   SERVERS                          active    Fa0/15, Fa0/16, Fa0/17
30   SALES                            active    Fa0/8
40   MGMT                             active    Fa0/18, Fa0/19
1002 fddi-default                     active    
1003 token-ring-default               active    
1004 fddinet-default                  active    
1005 trnet-default                    active

				
					SW2# show vlan

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                Fa0/9, Fa0/10, Fa0/11, Fa0/19
                                                Fa0/22, Fa0/23, Fa0/24,
                                                Gig0/2
10   USERS                            active    Fa0/2, Fa0/3, Fa0/4
20   SERVERS                          active    Fa0/12, Fa0/13, Fa0/14
50   IT                               active    Fa0/15, Fa0/16, Fa0/17, Fa0/18
60   SENSORS                          active    Fa0/20, Fa0/21
1002 fddi-default                     active    
1003 token-ring-default               active    
1004 fddinet-default                  active    
1005 trnet-default                    active

				
					SW1#sh int trunk 

Port        Mode         Encapsulation  Status        Native vlan
Gi0/1       on           802.1q         trunking      1
     
Port        Vlans allowed on trunk
Gi0/1       1-1005

Port        Vlans allowed and active in management domain
Gi0/1       1,10,20,30,40

Port        Vlans in spanning tree forwarding state and not pruned
Gi0/1       1,10,20,30,40

				
					SW2#sh int trunk 

Port        Mode         Encapsulation  Status        Native vlan
Gi0/1       on           802.1q         trunking      1
     
Port        Vlans allowed on trunk
Gi0/1       1-1005

Port        Vlans allowed and active in management domain
Gi0/1       1,10,20,50,60

Port        Vlans in spanning tree forwarding state and not pruned
Gi0/1       1,10,20,50,60

				
					SW2# conf t
Enter configuration commands, one per line.  End with CNTL/Z.
SW2(config)# interface Gi0/1
SW2(config-if)# switchport trunk ?
  allowed  Set allowed VLAN characteristics when interface is in trunking mode
  native   Set trunking native characteristics when interface is in trunking
           mode
  
SW2(config-if)# switchport trunk allowed vlan 10,20
SW2(config-if)# end
SW2#
%SYS-5-CONFIG_I: Configured from console by console

				
					SW2# show interfaces trunk 

Port        Mode         Encapsulation  Status        Native vlan
Gi0/1       on           802.1q         trunking      1
     
Port        Vlans allowed on trunk
Gi0/1       10,20

Port        Vlans allowed and active in management domain
Gi0/1       10,20

Port        Vlans in spanning tree forwarding state and not pruned
Gi0/1       10,20

Using this feature is very common in scenarios where a switch owned by one organization is connected to another external switch. Usually, there is an agreement to exchange data in one VLAN, so you would want to filter all other VLANs out.

Key Takeaways

Inbound: Untagged frames received on a trunk port are forwarded into the VLAN configured as Native.
Outbound: Frames from the VLAN configured as Native are forwarded untagged.
Control-plane messages such as DTP and BPDUs are sent out untagged.
Control-plane messages such as CDP and VTP are sent out untagged if the Native VLAN is 1; otherwise, they are tagged with VLAN1.
Native VLAN is configured per trunk port and is locally significant. Therefore, different VLAN numbers can be configured on both sides of a single trunk link leading to native VLAN mismatch.
Native VLAN mismatch leads to misdirected traffic and is a security implication.
Allowed VLANs can be specified on any trunk port with the switchport trunk allowed vlan command.

Forwarding Data Between VLANs

This lesson discusses the most basic method of forwarding data between VLANs using a router with multiple Interfaces. Each VLAN connects to a separate physical interface on the router. This method is older and not common today. However, it is fundamental to use the most modern methods, which we will see in the following lessons.

Connectivity between VLANs

Recall that LAN switches forward frames based on Layer 2 logic. This means that when a switch receives an Ethernet frame, it looks at the destination MAC address and forwards the frame out to another interface or multiple interfaces if it is a BUM frame. This type of switch is often called a Layer 2 switch.

A Layer 2 switch cannot forward traffic between VLANs. It only sends frames within the same VLAN. To send data from one VLAN to another, we need a device that can route traffic — like a router or a Layer 3 switch.

Routing between VLANs with a router

Ultimately, when we design networks, we want to have any-to-any connectivity between all devices. Following the logic that we have learned in the previous lessons, that

VLAN = Broadcast Domain = Subnet

Enabling connectivity between two VLANs means enabling connectivity between IP subnets. Therefore, we need to have a device that acts as a router. There are two possible solutions: we can use an actual router to do the routing, or the switch itself can perform routing functionalities. Switches that can perform Layer 3 routing functions are called Layer 3 switches or Multilayer switches.

The downside of this approach for forwarding data between VLANs is that the router must have physical interfaces for every VLAN. The above example is a feasible design option, but if we have 10+ VLANs, for example, it will obviously not scale well because we will use 10+ interfaces on both the router and the switch. Routers typically have only a few routing interfaces, so this approach is only applicable in very small-scale deployments.

Configuring InterVLAN routing

Now, let’s go through a configuration example that shows the concept we’ve covered so far. We will use the topology shown in Figure 3 above. This is a new environment with all devices in their default state and no configurations applied. We will configure each device to allow communication between clients in VLAN10 and servers in VLAN20.

Configuring the switch

Let’s first start with the switch. It’s a brand-new device in its factory-default settings. First, we are going to define the VLANs:

				
					Switch(config)# vlan 10
Switch(config-vlan)# name CLIENTS
Switch(config-vlan)# vlan 20
Switch(config-vlan)# name SERVERS
Switch(config-vlan)# end

				
					Switch(config)# interface range Fa0/1-4
Switch(config-if-range)# description CLIENTS
Switch(config-if-range)# switchport mode access 
Switch(config-if-range)# switchport access vlan 10
Switch(config-if-range)# exit

				
					Switch(config)# interface range Fa0/13-16
Switch(config-if-range)# description SERVERS
Switch(config-if-range)# switchport mode access 
Switch(config-if-range)# switchport access vlan 20
Switch(config-if-range)# end

				
					interface FastEthernet0/7

 description Link-to R1-Gi0/0
 switchport access vlan 10
!
interface FastEthernet0/9
 description Link-to R1-Gi0/1
 switchport access vlan 20
!

				
					SW1# show vlan

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/5, Fa0/6, Fa0/8
                                                Fa0/10, Fa0/11, Fa0/12
                                                Fa0/17, Fa0/18, Fa0/19, Fa0/20
                                                Fa0/21, Fa0/22, Fa0/23, Fa0/24
                                                Gig0/1, Gig0/2
10   CLIENTS                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4, Fa0/7
20   SERVERS                          active    Fa0/9, Fa0/13, Fa0/14, Fa0/15, Fa0/16
1002 fddi-default                     active    
1003 token-ring-default               active    
1004 fddinet-default                  active    
1005 trnet-default                    active

				
					Router# conf t
Enter configuration commands, one per line.  End with CNTL/Z.

Router(config)# interface gi0/0
Router(config-if)# no shutdown 
%LINK-5-CHANGED: Interface GigabitEthernet0/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0, 
changed state to up

Router(config-if)# ip address 192.168.1.1 255.255.255.0
Router(config-if)#description CLIENTS
Router(config-if)# exit

Router(config)# int gigabitEthernet 0/1
Router(config-if)# no shutdown 
%LINK-5-CHANGED: Interface GigabitEthernet0/1, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, 
changed state to up

Router(config-if)# ip address 10.1.0.1 255.255.255.0
Router(config-if)# description SERVERS
Router(config-if)# end

				
					Router#sh ip interface brief
Interface            IP-Address      OK? Method Status                Protocol 
GigabitEthernet0/0   192.168.1.1     YES manual up                    up 
GigabitEthernet0/1   10.1.0.1        YES manual up                    up 
GigabitEthernet0/2   unassigned      YES unset  administratively down down 
Vlan1                unassigned      YES unset  administratively down down

				
					Router# show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is not set

     10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C       10.1.0.0/24 is directly connected, GigabitEthernet0/1
L       10.1.0.1/32 is directly connected, GigabitEthernet0/1
     192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
C       192.168.1.0/24 is directly connected, GigabitEthernet0/0
L       192.168.1.1/32 is directly connected, GigabitEthernet0/0

				
					C:\> ipconfig

FastEthernet0 Connection:(default port)

   Connection-specific DNS Suffix..: 
   Link-local IPv6 Address.........: FE80::20D:BDFF:FEE0:46C1
   IPv6 Address....................: ::
   IPv4 Address....................: 192.168.1.10
   Subnet Mask.....................: 255.255.255.0
   Default Gateway.................: 192.168.1.1

				
					C:\> ping 10.1.0.10

Pinging 10.1.0.10 with 32 bytes of data:

Reply from 10.1.0.10: bytes=32 time<1ms TTL=127
Reply from 10.1.0.10: bytes=32 time=1ms TTL=127
Reply from 10.1.0.10: bytes=32 time=8ms TTL=127
Reply from 10.1.0.10: bytes=32 time<1ms TTL=127

Ping statistics for 10.1.0.10:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 8ms, Average = 2ms

Router on a stick (ROAS)

Almost all networks in the world use Virtual Local Area Networks (VLANs) nowadays. In our previous lessons on VLANs, we have learned a general rule of thumb that is:

VLAN = Broadcast Domain = Subnet

This means that if we have nodes connected in different VLANs, they most probably are part of different subnets. If we take the topology shown in Figure 1, for example, we have four clients in VLAN10 with addresses in subnet 192.168.1.0/24 and four servers in VLAN20 with addresses in 10.1.0.0/24. Therefore, the communication between the two VLANs must be handled by a device that can perform IP routing between subnets. This device must have an IP address in each network and clients need then to use these addresses as their default gateways respectively.

There are two typical devices that are used to perform routing between VLANs (InterVLAN routing):

Multilayer Switch (Layer 3 switch) – MLS switches work at both Layer 2 and Layer 3 of the OSI model. They can switch frames and perform IP routing between VLANs. We are examining this InterVLAN routing technique in our next lesson.
Router – There are two ways to use a router as a device that performs IP routing between VLANs.
- Connecting a separate router interface to each VLAN and giving each interface an IP address from the respective VLAN subnet. Then, it is just regular routing between networks. We have already discussed this technique in detail in one of our previous lessons.
- Connecting a router with a single link to a switch trunk port and defining sub-interfaces for each vlan. An IP address is then configured on each sub-interface from the respective VLAN. This technique is called router-on-a-stick (ROAS) because there is only one physical link between the router and the switch, as you can see in Figure 1.

What is router-on-a-stick?

Router-on-a-stick (ROAS) is a technique to connect a router with a single physical link to a switch and perform IP routing between VLANs. From the switch’s perspective, this physical link is configured as a trunk port allowing all VLANs that are going to be routed. From the router’s perspective, this physical interface is represented as multiple virtual sub-interfaces, one for each VLAN. An IP address from each VLAN is then configured on each sub-interface, and the router performs IP routing between connected networks.

Comparing this approach to the other scenario where we can use a physical interface for each VLAN, it is obviously a better, more scalable technique to use a single trunk link between the switch and the router, as shown in the diagram below.

Let’s look more closely at the above physical diagram. There is a single cable connecting the router to the switch. From the switch’s perspective, port 9 is an 802.1q trunk that sends all frames toward the router with a VLAN tag.

From the router’s perspective, all frames are coming in tagged. Therefore, based on this tag, the router can differentiate which incoming frames are part of which VLAN. Knowing the VLAN number of each frame, the router also knows which subnet it is part of because VLAN = Broadcast Domain = Subnet. Having this logic in mind, we can create a virtual interface on the router that treats all frames tagged with VLAN 10 as connected to a virtual interface Gi0/0.10 and all frames tagged with VLAN20 as connected to sub-interface Gi0/0.20.

We create a sub-interface using the following command:

				
					Router(config)# interface [interface-name].[sub-interface-number]

				
					Router(config-subif)# encapsulation dot1Q [vlan-id]

				
					Router1(config)# interface GigabitEthernet 0/0.10 
Router1(config-subif)# encapsulation dot1Q ?
  <1-4094>  IEEE 802.1Q VLAN ID

				
					Router1(config-subif)# encapsulation dot1Q 10
Router1(config-subif)# ip address 192.168.1.1 255.255.255.0
Router1(config-subif)# no shutdown

Notice something important: at the IP level, each router subinterface has an IP address for each VLAN. This IP address must be set as the default gateway on all hosts in that VLAN.

The default gateway is used when a host wants to send traffic to a different network. The host sends the traffic to the router’s subinterface, and the router forwards it to the correct VLAN.

Configuring ROAS

Now, let’s walk through a configuration example that will demonstrate all the concepts that we have discussed so far.

Physical diagram

The following diagram shows the physical topology that we are going to use in this configuration example. Note that there is only one physical link between the switch and the router which will be used for all VLANs. Compare this topology to the one from the previous lesson, where there was a physical link for every VLAN.

				
					Switch1(config)# vlan 10
Switch1(config-vlan)# name CLIENTS
Switch1(config-vlan)# vlan 20
Switch1(config-vlan)# name SERVERS
Switch1(config-vlan)# exit

				
					Switch1(config)# interface range fastEthernet 0/1-4
Switch1(config-if-range)# description CLIENTS
Switch1(config-if-range)# switchport mode access 
Switch1(config-if-range)# switchport access vlan 10
Switch1(config-if-range)# exit

				
					Switch1(config)# interface range fastEthernet 0/15-18
Switch1(config-if-range)# description SERVERS
Switch1(config-if-range)# switchport mode access 
Switch1(config-if-range)# switchport access vlan 20
Switch1(config-if-range)# end

				
					Switch1(config)# interface fastEthernet 0/9
Switch1(config-if)# description LINK-TO-ROUTER1
Switch1(config-if)# switchport mode trunk 
Switch1(config-if)# exit

				
					Router# show ip int brief 
 
Interface              IP-Address      OK? Method Status                Protocol 
GigabitEthernet0/0     unassigned      YES unset  administratively down down 
GigabitEthernet0/1     unassigned      YES unset  administratively down down 
GigabitEthernet0/2     unassigned      YES unset  administratively down down

				
					Router1# configure terminal 
Enter configuration commands, one per line.  End with CNTL/Z.
Router1(config)# interface gigabitEthernet 0/0
Router1(config-if)# no shutdown 

%LINK-5-CHANGED:Interface GigabitEthernet0/0, changed state to up
%LINEPROTO-5-UPDOWN:Line protocol on Interface GigabitEthernet0/0, changed state to up

				
					Router1(config)# interface gigabitEthernet 0/0.10
%LINK-5-CHANGED: Interface GigabitEthernet0/0.10, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0.10,
changed state to up

Router1(config-subif)# encapsulation dot1Q 10
Router1(config-subif)# ip address 192.168.1.1 255.255.255.0
Router1(config-subif)# exit

				
					Router1(config-if)# interface gigabitEthernet 0/0.20
%LINK-5-CHANGED: Interface GigabitEthernet0/0.20, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0.20,
 changed state to up
 
Router1(config-subif)# encapsulation dot1Q 20
Router1(config-subif)# ip address 10.1.0.1 255.255.255.0
Router1(config-subif)# exit

				
					C:\> ipconfig

FastEthernet0 Connection:(default port)
   Connection-specific DNS Suffix..: 
   Link-local IPv6 Address.........: FE80::2D0:FFFF:FE31:697A
   IPv6 Address....................: ::
   IPv4 Address....................: 192.168.1.10
   Subnet Mask.....................: 255.255.255.0
   Default Gateway.................: 192.168.1.1

				
					C:\> ping 10.1.0.10

Pinging 10.1.0.10 with 32 bytes of data:
Reply from 10.1.0.10: bytes=32 time<1ms TTL=127
Reply from 10.1.0.10: bytes=32 time<1ms TTL=127
Reply from 10.1.0.10: bytes=32 time<1ms TTL=127
Reply from 10.1.0.10: bytes=32 time<1ms TTL=127

Ping statistics for 10.1.0.10:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

InterVLAN routing using Layer 3 switch

In this lesson, we will learn to configure a multilayer switch (also called Layer 3 switch) to perform inter-VLAN routing, which was previously done using an actual router. Multilayer switches can forward frames based on MAC address information and can also forward IP packets based on IP destination. That is why they are also referred to as Layer 3 switches.

Multilayer Switches

A switch is a device that typically operates at layer 2 of the OSI model. It inspects frames and switches them between interfaces based on MAC addresses found in the Ethernet header. This type of device is referred to as just a switch or a Layer 2 switch. It does not look deeper than the Ethernet header and does not make any decisions based on information in the IP header. Routers, on the other hand, strip the Ethernet header of frames and look at the packet in the frame’s payload. They make routing decisions based on the IP addresses found in the Layer 3 header and place a new Ethernet header before switching the frame out to another interface.

A multilayer switch can perform both functions explained above at incredibly fast speeds. It can switch frames as a regular switch and can perform IP routing as a router. Therefore, it can perform functions at layer 2 and layer 3 of the OSI model. That is why such a device is called a Multilayer Switch or a Layer 3 switch.

Why do we need Layer 3 switches?

Back in the old days, when the networks started to grow rapidly, people realized that it was unscalable to perform InterVlan routing at the router layer of the network. For example, when the network scales to the point where there are multiple layers of switches: access, distribution, and core, if you want to perform InterVLAN routing using routers, you must extend the VLANs up to the routers. This creates some serious problems:

Unscalable—Look where the routers are in the three-tier design. If these devices are to perform inter-VLAN routing, we must extend the VLANs all the way to the top of the network topology. However, large Layer 2 networks with many switches and VLANs are hard to manage. Additionally, the Spanning Tree Protocol (STP) blocks all redundant ports and slows down the convergence.
Large fault domain—If there’s a loop or broadcast storm in the Layer 2 network, it can bring down the whole network. There’s no fault isolation between sections of the network.

The industry realized that switches needed to be able to perform switching and routing at the same time. With InterVLAN routing done by switches at the distribution layer, the network could be separated into access, distribution, and core layers. This improved fault isolation and allowed the network to scale.

On the other side of the spectrum, there was also a problem: very small networks with only one switch with multiple VLANs needed a router to do the InterVLAN routing. For example, if we look closer at the topology shown in the diagram below, we have four clients in Vlan 10 and four servers in Vlan 20. Clients and Servers are in separate broadcast domains and different subnets. Therefore, for clients in VLAN 10 to be able to communicate with the Servers in VLAN20, IP routing is required.

However, routers are usually much more expensive than switches. In many cases, a router can cost 5 to 10 times more than a similar switch. This is because routers are built for advanced features, like wide-area networks (WAN) and complex routing protocols. They also have fewer interfaces than switches.

The industry realized that it doesn’t make sense to use an expensive router in the LAN simply to perform InterVLAN routing. It is not cost-efficient for small and medium businesses.

Those two inefficiencies of using routers for InterVLAN routing have led to the introduction of switches with embedded routing functionality called Layer 3 switches.

What is a Layer 3 switch?

A Layer 3 switch has an IP routing process that can route packets based on the IP address information in the Layer 3 header. This means it checks the destination IP address in each packet and decides where to send it, just like a router.

It uses a routing table to find the best path to the destination network. The routing is done in hardware (using ASICs), so it’s much faster than traditional routers that use software-based routing. So, a Layer 3 switch can forward packets between different IP subnets using this built-in routing function.

				
					L3Switch(config)# interface Vlan10
%LINK-5-CHANGED: Interface Vlan10, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan10, 
changed state to up

				
					L3Switch(config-if)# description VLAN10
L3Switch(config-if)# ip address 192.168.1.1 255.255.255.0
L3Switch(config-if)# no shutdown

Notice that instead of a physical external router, the inter-Vlan routing functionality is performed by the switch itself.

Configuration Example

Now, let’s demonstrate how we configure a multiplayer switch to route between two virtual LANs.

Physical diagram

In this example, we will learn to configure a multilayer switch (also called Layer 3 switch) to perform inter-VLAN routing, which was previously done using an actual router. Multilayer switches can forward frames based on MAC address information and can also forward IP packets based on IP destination. That is why they are also referred to as Layer 3 switches.

The diagram below shows the physical topology that we are going to use for this demonstration. Note that there is no router present because the switch itself will perform the Inter-VLAN routing.

				
					L3Switch# show ip interface brief
Interface              IP-Address      OK? Method Status                Protocol 
FastEthernet0/1        unassigned      YES unset  up                    up 
FastEthernet0/2        unassigned      YES unset  up                    up 
FastEthernet0/3        unassigned      YES unset  up                    up 
FastEthernet0/4        unassigned      YES unset  up                    up 
FastEthernet0/5        unassigned      YES unset  down                  down 
FastEthernet0/6        unassigned      YES unset  down                  down 
FastEthernet0/7        unassigned      YES unset  down                  down 
FastEthernet0/8        unassigned      YES unset  down                  down 
FastEthernet0/9        unassigned      YES unset  down                  down 
FastEthernet0/10       unassigned      YES unset  down                  down 
FastEthernet0/11       unassigned      YES unset  down                  down 
FastEthernet0/12       unassigned      YES unset  down                  down 
FastEthernet0/13       unassigned      YES unset  down                  down 
FastEthernet0/14       unassigned      YES unset  down                  down 
FastEthernet0/15       unassigned      YES unset  up                    up 
FastEthernet0/16       unassigned      YES unset  up                    up 
FastEthernet0/17       unassigned      YES unset  up                    up 
FastEthernet0/18       unassigned      YES unset  up                    up 
GigabitEthernet0/1     unassigned      YES unset  down                  down 
GigabitEthernet0/2     unassigned      YES unset  down                  down 
Vlan1                  unassigned      YES unset  administratively down down

				
					L3Switch(config)# vlan 10
L3Switch(config-vlan)# name CLIENTS
L3Switch(config-vlan)# exit
!
L3Switch(config)# vlan 20
L3Switch(config-vlan)# name SERVERS
L3Switch(config-vlan)# exit

				
					L3Swtich(config)# ip routing

				
					L3Swtich# configure terminal 
Enter configuration commands, one per line.  End with CNTL/Z.
L3Swtich(config)# interface Vlan10
%LINK-5-CHANGED: Interface Vlan10, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan10, changed state to up
L3Swtich(config-if)# description CLIENTS
L3Swtich(config-if)# ip address 192.168.1.1 255.255.255.0
L3Swtich(config-if)# exit

L3Swtich(config)# interface Vlan20
%LINK-5-CHANGED: Interface Vlan20, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan20, changed state to up
L3Swtich(config-if)# description SERVERS
L3Swtich(config-if)# ip address 10.1.0.1 255.255.255.0
L3Swtich(config-if)# end

				
					L3Switch# show ip route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route
Gateway of last resort is not set
     10.0.0.0/24 is subnetted, 1 subnets
C    10.1.0.0 is directly connected, Vlan20
C    192.168.1.0/24 is directly connected, Vlan10

This allows the host to send traffic to devices in other VLANs through the switch’s Layer 3 routing process. Without the correct gateway, devices can only talk to others on the same VLAN.