
Configure VLANs in Cisco Packet Tracer

Introduction

    This post aims to discuss how to configure Cisco switches to split connections into VLANs in such a way that devices on the same network can be interconnected even when they are geographically distant, i.e. when it is impossible to connect them through the same switch.

    Let's go step by step. First of all, VLAN stands for Virtual Local Area Network, and the idea consists of "splitting" the physical switch into several "virtual switches" so that the traffic of one network comes and goes only through its assigned ports. This way, no device will be able to sniff packets from another network.

    For this configuration we need to use the terminal that CPT provides for each switch and router. In a real environment we would have to connect to each device through the console port with a physical cable, or remotely if every switch has been configured with an IP address for that purpose.

Layout

    Let's start with the layout we need: a very basic example to see how things work. We set up three switches (A, B and Trunk), three PCs connected to A, three connected to B and three servers connected to what we call the Trunk Switch (this will make more sense later). The catch is that Switch A will have two devices that belong to "Network A" and one that belongs to "Network B", and vice versa for Switch B.

    After that, we will place our router to connect the different networks and to enable communication with the public network, although we won't cover the latter here.

    Draw the appropriate cables to connect each and every device and you should end up with something that conceptually looks like this.

 

Router Configuration

    As you can see, every interface in the router is shut down so far. Since nothing is configured yet, the router is effectively down and no device can establish communication with it. Let's assign an IP address for every interface and activate them.

    The commands for this are the following:

        1) Router> enable 

        2) Router# configure terminal

        3) Router(config)# interface Gig0/0

    When we first access the router's terminal we do so in non-privileged mode (for obvious reasons), and to change any kind of configuration we need privileged mode, which we enter with the enable command. On real routers this usually requires a password.

    The next command takes us into the router's global configuration mode, and the final one into the configuration of the specific interface we want to change (this could be Gig0/1, Gig0/2, Fa0/0...).

    After entering all these commands the prompt should look like this:

   

    Now we're in the configuration section of the interface GigabitEthernet0/0, so let's assign an IP address to the interface and bring it up with the commands

        4) Router(config-if)# ip address 10.10.0.1 255.255.255.0

        5) Router(config-if)# no shutdown

    Remember that you cannot use the network ID (10.10.0.0) as the router's address.

    Once that's completed, we proceed to configure the next interface, in our case GigabitEthernet0/1, by typing the command

        6) Router(config-if)# interface Gig0/1

    Note that we don't need to leave one interface's configuration prompt to jump to the next.

    We just have to repeat the process done for Gig0/0 on both Gig0/1 and Gig0/2. When you're done, the red triangles on the router's connections should have turned green. If that's not the case, most likely the interfaces are still down.

    It's always a good idea to double-check everything we've done to make sure we didn't misconfigure anything. To do that, we need to exit configuration mode with the shortcut Ctrl+Z or by typing exit repeatedly until the prompt ends with the hash sign (#). Once out of configuration mode we type the command below to check the state of the interfaces

        7) Router# show ip interface brief

    The output should look roughly like the following:

 

Device configuration

    With the router ready, we know which IP range each network has and can proceed to assign addresses to each device. You could do this via a DHCP server, but for simplicity I'll configure them manually.

    Just in case, remember that two devices being connected to the same switch doesn't mean they belong to the same network, so be careful if you choose to use DHCP.

    Since this is the easy part, I'm assuming you already know how to give IP addresses to devices in CPT, so what I'm going to do here is tell you which IP goes with which device.

    Servers:

        - Server0: 10.10.2.2

        - Server1: 10.10.2.3

        - Server2: 10.10.2.4

    Network A:

        - A-01: 10.10.0.2

        - A-02: 10.10.0.3

        - A-03: 10.10.0.4

    Network B:

        - B-01: 10.10.1.2

        - B-02: 10.10.1.3

        - B-03: 10.10.1.4
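As an added check that is not part of the original post, this Python snippet validates the address plan above against the router interfaces, catching exactly the mistakes mentioned earlier (using the network ID, duplicating the router's address, or putting a host outside its subnet). Gig0/0 is 10.10.0.1/24 as configured earlier; Gig0/1 and Gig0/2 being 10.10.1.1/24 and 10.10.2.1/24 is an assumption.

```python
import ipaddress

# Router interfaces: Gig0/0 as configured in the post; Gig0/1 and Gig0/2 are assumed.
ROUTER = {"Gig0/0": "10.10.0.1/24", "Gig0/1": "10.10.1.1/24", "Gig0/2": "10.10.2.1/24"}

# Host addresses from the post, grouped by the router interface that serves them.
HOSTS = {
    "Gig0/0": {"A-01": "10.10.0.2", "A-02": "10.10.0.3", "A-03": "10.10.0.4"},
    "Gig0/1": {"B-01": "10.10.1.2", "B-02": "10.10.1.3", "B-03": "10.10.1.4"},
    "Gig0/2": {"Server0": "10.10.2.2", "Server1": "10.10.2.3", "Server2": "10.10.2.4"},
}


def check_plan(router=ROUTER, hosts=HOSTS):
    """Return a list of problems; an empty list means every address is usable."""
    problems = []
    for iface, gw in router.items():
        gw_if = ipaddress.ip_interface(gw)
        net = gw_if.network
        reserved = (net.network_address, net.broadcast_address)
        if gw_if.ip in reserved:
            problems.append(f"{iface}: {gw_if.ip} is the network ID or broadcast address")
        seen = {gw_if.ip}  # the gateway address is taken by the router itself
        for name, addr in hosts.get(iface, {}).items():
            ip = ipaddress.ip_address(addr)
            if ip not in net:
                problems.append(f"{name}: {ip} is outside {net} served by {iface}")
            elif ip in reserved:
                problems.append(f"{name}: {ip} is the network ID or broadcast address")
            elif ip in seen:
                problems.append(f"{name}: {ip} is already in use on {net}")
            seen.add(ip)
    return problems
```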

    You can send an ICMP echo request (commonly known as a ping) to check connectivity among devices. If you do so, you'll see that every device on the same network can communicate with the others, even if they don't share a switch. What's more, devices on different networks can communicate with each other too, so what's the point of creating VLANs in the first place?

    Well, there are a few problems. The first and most obvious one is security. Having every packet transmitted by every switch is not the most common or appropriate way of dealing with the situation. It's far better to force all traffic that has to jump between networks to go through the router. This way you ensure that no one can illicitly access the switch and capture potentially sensitive information. Although, all things said, if anyone can physically access your switch without you noticing, software security might not be your biggest concern.

    Another problem is network saturation. Without any kind of filtering, packets might travel further than they need to, staying in the network longer than required. This increases the chance of collisions among packets and causes completely unnecessary use of the network.

Theory behind a VLAN architecture

    So far we have just set up the basic infrastructure, configuring everything to have connectivity. Most likely you already knew how to do everything described above. Anyway, now it's time to get our hands dirty and tackle the actual problem, the main point of this post.

    In the introduction I briefly described what a VLAN is and the general idea behind it. Now it's time to look at how it affects a switch's behavior.

    When we define a VLAN in a switch, what we are really telling the switch to do, broadly speaking, is to filter the traffic coming in on a given interface and let it out only through the ports that belong to the same virtual network.

    As an example, let's say that our hypothetical switch has 10 interfaces. The first five belong to VLAN 10, whereas the other five belong to VLAN 20. In this scenario, if a device connected to Interface-1 sends a broadcast or multicast packet, it will only go out through interfaces 2-5, since they are in the same network. The same principle applies to a device connected to Interface-6: its traffic will only go out through interfaces 7-10.

    The keen eye might have noticed that VLAN numbering did not start from one. The reason is that VLAN 1 exists by default in every switch, meaning that every connected device initially belongs to that network. Obviously you should refrain from creating any VLAN with number 1 for this specific reason.

    It's useful to think of VLAN numbers as unique labels rather than actual numbers. There's no need for them to be consecutive, in any particular order or anything like that, as long as they're not repeated.

    When it comes to interconnecting switches, there are two types of port you can configure: access ports and trunk ports. Ports declared as access will only let through traffic that belongs to their own VLAN. On the other hand, ports declared as trunk can carry traffic for more than one of the VLANs registered in the switch.

    Switches that act as trunks are meant to bridge two or more access switches so that communication between them is actually possible. However, keep in mind that traffic will only be allowed through the trunk ports, not just any port.

Switch Configuration

    Access Ports configuration (Devices)

    Theory aside, let's get started. To modify any configuration in a switch, we need to open its terminal and type the same commands we used to reach the router's configuration. I will start by configuring the right-hand switch in our diagram.

        1) Switch> enable 

        2) Switch# configure terminal

    The first thing we have to do is to register a VLAN in our switch. For that, we type the following command:

        3) Switch(config)# vlan [label]

    In my case I'll label the VLANs 10 for the first network, 20 for the second and 30 for the third, but you are free to choose your own labels; just keep in mind to avoid number 1.

    Right after that command has been executed, the prompt should have changed to this:

        4) Switch(config-vlan)# 

    This means that we have successfully registered a VLAN in the switch and that we can now add ports to it. To do that, we first have to enter configuration mode for an interface/port by typing:

        5) Switch(config-vlan)# interface [type#/#]

        6) Switch(config-if)# switchport access vlan [label]

    You should know the type and number of the ports you used in your switches. If you don't, and don't know how to check, you can go to Options > Preferences > Always show port labels in logical workspace.

    Now that you have assigned an interface to a VLAN, it's time to do exactly the same for the other one that belongs to the same network, and then jump to the other switch.

    In my example, the process is as follows:


    Okay, so far we've put both PCs A-01 and A-02 in VLAN 10, but we still have another device to add. The only problem is that it does not belong to the same network. What does this mean? Basically, that we need to register another VLAN in the switch and assign it to the port connected to the PC named B-03.

    The commands are the same: first you create the VLAN, then enter the correct interface's configuration and set it as an access port.

    After finishing with that, we can check if we did everything correctly by typing:

        7) Switch# show vlan

    It should yield the following information:

 

    As you can see, we successfully added both interfaces Fa0/2 and Fa0/3 to VLAN 10, and Fa0/4 to VLAN 20.

    Now we do the same thing in the other two switches. For Switch B we have to create a VLAN 20 for interfaces Fa0/2 and Fa0/3 and a VLAN 10 for Fa0/4, whereas for the Trunk Switch we have to register a VLAN 30 to which we add ports Fa0/4, Fa0/5 and Fa0/6 (connected to servers 0, 1 and 2 respectively).

    The process is exactly the same we followed for Switch A, so I trust you can manage to complete it with no guidance.

    If you try to ping the router now it won't work, because we never assigned the switch port connected to the router's interface to a VLAN. I'd encourage you to check what happens to the packets if you send a ping right now. Where do they get lost? If the PC you're using already knows the router's MAC address, they should be blocked at the switch. Otherwise, the ICMP requests won't even leave the PC. As for why, that's up to you to find out.

    Access Ports configuration (router)

    Okay, so we know that we still have to configure the router's port on every switch. Is the process any different? No. Why didn't we do it while we were configuring the other devices? Because I wanted you to see what happens when devices are in different VLANs even though they belong to the same network.

    So, to finish this, repeat the steps followed previously (for the PCs and servers) on the interface the router is connected to. Remember that the VLAN number is different in every switch, which means that in Switch A you should put Fa0/1 (or whichever interface you connected the router to) in VLAN 10, in Switch B in VLAN 20 and in the Trunk Switch in VLAN 30.

    As an example, this is how it's done in Switch A:

    Now a ping request sent to the router should work. Try it from every network just to make sure.

    Trunk Port configuration

    This is the final step. It's time to configure the bridge that will allow communication between Network A and PC A-03, and between Network B and PC B-03.

    For this we need to register both VLAN 10 and VLAN 20 in our Trunk Switch and then allow traffic to flow between Switches A and B and the Trunk Switch.

    To configure it, let's jump into the Trunk Switch's terminal and enter configuration mode. Right after that, we register the VLANs whose traffic we want to allow.

    Once that's out of the way, we need to change the configuration of the affected interfaces, in this case the ones connected to Switches A and B (Fa0/2 and Fa0/3). To configure them as trunk ports, type the following commands:

        8) Switch(config)# interface Fa0/2

        9) Switch(config-if)# switchport mode trunk

        10) Switch(config-if)# switchport trunk allowed vlan add 10

        11) Switch(config-if)# switchport trunk allowed vlan add 20

    This has to be done for Fa0/3 as well; otherwise the connection will only work one way instead of bidirectionally.

    Now repeat the process for Fa0/3 and our Trunk Switch is officially fully configured.

    Finally, our last step: time to open the ports of both Switch A and Switch B to this traffic. In this example the interface that connects A with the Trunk Switch is Fa0/5 (the same applies to Switch B), so let's configure it. The commands are exactly the same; however, in this case we only want to allow traffic from VLAN 20 through Fa0/5 on Switch A. Why? Because we only want to allow communication that originates from or is destined to PC B-03 and devices belonging to Network B.

    For Switch B the same principle applies, but keep in mind that it's reversed. In B we want to allow traffic from PC A-03 to reach devices on Network A, meaning that Fa0/5 needs to allow traffic belonging to VLAN 10.

    I will show you how to configure Switch A, and B is up to you. With all we've been through so far I'm confident you know what you're doing.

    Now ping every device in the network from PCs in Networks A and B in simulation mode and see if the behavior is as expected.

    When you send a request from, let's say, PC B-01 to B-03, the packets should travel through the switches; however, if you send a request to A-01 then the traffic should go to the router and hop networks.
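As an added example (not code from the original post), here is a small Python model of the forwarding rule described in the theory section (a broadcast only leaves through ports in the same VLAN, and a trunk port only carries the VLANs it allows), applied to the final Switch A and Trunk Switch configuration built in this section. Port names follow the post; the Trunk Switch's router port being Fa0/1 is an assumption.

```python
from dataclasses import dataclass


@dataclass
class Port:
    mode: str                         # "access" or "trunk"
    vlan: int = 1                     # access VLAN; every port starts in VLAN 1
    allowed: frozenset = frozenset()  # VLANs a trunk port may carry


def ingress_vlan(port, tag):
    """VLAN a frame is placed in on arrival, or None if the switch drops it."""
    if port.mode == "access":
        return port.vlan if tag is None else None  # access ports expect untagged frames
    return tag if tag in port.allowed else None    # trunk: only tagged, allowed VLANs


def flood(switch, in_port, tag=None):
    """Egress ports for a broadcast (e.g. ARP) received on in_port, as {port: 802.1Q tag}."""
    vlan = ingress_vlan(switch[in_port], tag)
    if vlan is None:
        return {}
    out = {}
    for name, port in switch.items():
        if name == in_port:
            continue
        if port.mode == "access" and port.vlan == vlan:
            out[name] = None    # delivered untagged to a device in the same VLAN
        elif port.mode == "trunk" and vlan in port.allowed:
            out[name] = vlan    # forwarded tagged towards the neighbouring switch
    return out


def switch_a(router_port_assigned=True):
    """Switch A from the post: PCs A-01/A-02 on Fa0/2-3, B-03 on Fa0/4, router on Fa0/1."""
    return {
        "Fa0/1": Port("access", 10 if router_port_assigned else 1),  # VLAN 1 until assigned
        "Fa0/2": Port("access", 10),
        "Fa0/3": Port("access", 10),
        "Fa0/4": Port("access", 20),
        "Fa0/5": Port("trunk", allowed=frozenset({20})),  # uplink to the Trunk Switch
    }


def trunk_switch():
    """Trunk Switch: servers (and the router, assumed on Fa0/1) in VLAN 30, trunks to A and B."""
    return {"Fa0/1": Port("access", 30), "Fa0/4": Port("access", 30),
            "Fa0/5": Port("access", 30), "Fa0/6": Port("access", 30),
            "Fa0/2": Port("trunk", allowed=frozenset({10, 20})),
            "Fa0/3": Port("trunk", allowed=frozenset({10, 20}))}
```

One caveat when moving this to real IOS: a freshly created trunk allows every VLAN by default and `switchport trunk allowed vlan add` only extends that list, so to restrict a trunk to the VLANs intended here you set the list explicitly (without `add`) and confirm it with `show interfaces trunk`.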

Final Note

    If you paid attention throughout the entire post (admirable, by the way), you probably noticed that the names the switches give to the VLANs are not particularly nice or descriptive. They are set by default, but if you wish you can change them by stepping into the virtual network's configuration, as follows:

 
    This is not required for the network to run properly, but it makes things easier for the next "IT guy".
 
 
 
