VLAN operation clarification

JohnW63
Level 1

I'm sure this is extremely basic, but it's the first time I have been tasked with doing this, and I want to be sure I have it down and not mess up our network.

 

If I create a VLAN, I can assign ports on a switch to that VLAN, and as long as that switch is connected to other switches with that VLAN created on them, or has learned about the VLAN via VTP, the devices on those ports can communicate. As long as the switches in the sites have the same native VLAN, does that also work across a network, from site to site, as long as they have a trunk connecting the sites together? I believe that is the case.

 

Most of our VLANs are associated with different subnets. These VLANs are defined as an interface and have an IP address and mask as part of the CLI command. What I am still unclear about is this: if a VLAN can have data forwarded from one switch to another with just the VLAN tag, when do the IP address and the Layer 3 routing come into play? Is that only when you need to send data from one VLAN to another through a router or L3 switch?


7 Replies

Cristian Matei
VIP Alumni

Hi,

 

   1. Layer 2 communication (intra-VLAN). You'll create VLANs on switches, manually on each switch or dynamically via VTP; you'll configure ports facing users as access ports in one VLAN, and ports between switches as trunk ports so that all VLANs (by default) are allowed, in order to facilitate intra-VLAN communication between users connected to different switches. At this point, after STP has converged, everyone can speak in their own VLAN, and frames are forwarded by the switches based on the destination MAC address; the switches where users are connected can be multilayer (they perform the layer 2 function of switching, but additionally could also perform the layer 3 function of routing), but at this point the switches, for intra-VLAN connectivity, perform the layer 2 function, frame switching. The native VLAN is relevant on trunk ports, and the only difference between a native VLAN and a regular VLAN is that frames forwarded on a trunk port that belong to the native VLAN are sent untagged (this was kept for backwards compatibility with older switches/bridges that did not support VLANs). The native VLAN has to be the same on both ends of the trunk, but a switch could have different native VLANs on different trunk ports (no sense to do it, but there is no problem).

   2. Layer 3 communication (inter-VLAN). When users need to speak with devices outside the VLAN (inter-VLAN), they need a default gateway (could be a router, a firewall, or a multilayer switch also performing layer 3 functions), a device with an IP address in the same subnet as them. This layer 3 device will receive the packet from the user and route it further to the next layer 3 hop towards the packet's destination, or switch it back to the proper VLAN, in case it's also attached to the network which includes the layer 3 IP destination of the packet (like a multilayer switch which behaves as default gateway for multiple VLANs via the SVI interface, or a router on a stick which behaves as default gateway for multiple VLANs via sub-interfaces). Example:

 

User IP: 10.10.10.1

User mask: 255.255.255.0

User default gateway: 10.10.10.254

User MAC address: aaaa.aaaa.aaaa

Default gateway MAC address: bbbb.bbbb.bbbb

For inter-VLAN routing, the packet has a layer 3 destination IP which belongs to the resource the user wants to reach, and a layer 2 destination MAC address which belongs to the default gateway; the packet needs to reach the default gateway, which is the device from that VLAN that can route the packet:

 

   SOURCE MAC (aaaa.aaaa.aaaa) | DESTINATION MAC (bbbb.bbbb.bbbb) | SOURCE IP (10.10.10.1) | DESTINATION IP (X.X.X.X)

 

Regards,

Cristian Matei.

 

Thanks for taking the time to write out a nice detailed explanation, Cristian.

 

 

Cristian,

 

I looked up the SVI (Switch Virtual Interface) and an explanation got me thinking of how our switches are configured. Here is an example:

 

interface Vlan1
 ip address 10.12.119.254 255.255.248.0
.
.
.
interface Vlan90
 ip address 10.15.240.254 255.255.255.0
 ip helper-address 10.12.112.1
 ip helper-address 10.12.112.7
 ip access-group Guest-Wireless in
.
.
.
interface Vlan126
 description VoIP-2
 ip address 10.14.222.254 255.255.255.0
 ip helper-address 10.12.112.200


Does the above mean this switch has 3 SVIs? It is a layer 3 switch, as most of ours are.

That is correct.

That switch certainly does have 3 SVIs. The other detail to check on is whether "ip routing" is enabled. If so then this switch is performing layer 3 forwarding in addition to the layer 2 forwarding that it does by default.

HTH

Rick

I checked, and I believe it is routing those. 

 

Output from the sh ip route:

C        10.12.112.0/21 is directly connected, Vlan1
L        10.12.119.254/32 is directly connected, Vlan1

C        10.14.222.0/24 is directly connected, Vlan126
L        10.14.222.254/32 is directly connected, Vlan126

C        10.15.240.0/24 is directly connected, Vlan90
L        10.15.240.254/32 is directly connected, Vlan90

 

There are actually others as well. This switch is the core switch in the data center, so we have lots of paths going on. Besides things in the data center, it also connects all of our schools together via 10Gig fiber links, as well as providing internet for the school district.

If I understand this correctly, these entries are what allow the Layer 3 switch to become a router for these VLANs.
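The two forwarding decisions discussed in this thread, modelled as an added Python example (not code from the thread or from Cisco): first, how Cristian's example host picks the destination MAC (the peer's own MAC inside its VLAN, the gateway's MAC bbbb.bbbb.bbbb for another subnet), and second, how the core switch uses the "C" entries from the sh ip route output above to choose the egress SVI by longest-prefix match. The ARP cache entry is constructed; everything else is taken from the posts above.

```python
from ipaddress import ip_address, ip_interface, ip_network

# Host from Cristian's example: 10.10.10.1/24, default gateway 10.10.10.254
HOST = ip_interface("10.10.10.1/24")
HOST_MAC = "aaaa.aaaa.aaaa"
GATEWAY_MAC = "bbbb.bbbb.bbbb"
# Constructed ARP entry for a peer on the same VLAN (not from the thread)
ARP_CACHE = {"10.10.10.20": "cccc.cccc.cccc"}

def build_frame(dst_ip: str) -> dict:
    """Headers the host puts on the wire for dst_ip.
    Same subnet -> destination MAC is the peer's own MAC (intra-VLAN,
    plain Layer 2 switching). Other subnet -> destination MAC is the
    gateway's MAC so the Layer 3 device routes it (inter-VLAN)."""
    dst = ip_address(dst_ip)
    on_link = dst in HOST.network
    dst_mac = ARP_CACHE.get(dst_ip) if on_link else GATEWAY_MAC
    return {"src_mac": HOST_MAC, "dst_mac": dst_mac,
            "src_ip": str(HOST.ip), "dst_ip": dst_ip, "routed": not on_link}

# Connected/local routes exactly as posted in the 'sh ip route' output
SH_IP_ROUTE = """\
C        10.12.112.0/21 is directly connected, Vlan1
L        10.12.119.254/32 is directly connected, Vlan1
C        10.14.222.0/24 is directly connected, Vlan126
L        10.14.222.254/32 is directly connected, Vlan126
C        10.15.240.0/24 is directly connected, Vlan90
L        10.15.240.254/32 is directly connected, Vlan90
"""

def parse_routes(text: str) -> list:
    """Keep the 'C' entries (connected subnets) as (network, SVI) pairs;
    the 'L' /32 entries are the SVI's own address, not a subnet to reach."""
    routes = []
    for line in text.splitlines():
        code, prefix, *_, svi = line.split()
        if code == "C":
            routes.append((ip_network(prefix), svi))
    return routes

def egress_vlan(routes: list, dst_ip: str):
    """Longest-prefix match: the SVI/VLAN the core switch forwards into,
    or None when no connected route covers the destination."""
    dst = ip_address(dst_ip)
    matches = [(net, svi) for net, svi in routes if dst in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]
```

Note that 10.12.119.x falls inside 10.12.112.0/21 (the /21 spans 10.12.112.0 to 10.12.119.255), which is why the Vlan1 SVI address 10.12.119.254 is on that subnet.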


Yes, that output does indicate that the switch is performing layer 3 routing/forwarding as well as layer 2 forwarding. And your explanation that this switch is the core that connects multiple buildings with multiple subnets completes the conclusion that it is routing as well as switching.

HTH

Rick