Layer 2 & 3 switch question\understanding

Hello,

I would like to have a nice explanation on a couple of things regarding layer 2 & 3 switches. The last time I asked this question it kind of went in different directions, so to avoid that I'll try and be clearer. These things below are what I do not need explanations on (followed below that I will explain what I need to understand better). What I do not need explanations on:

- I understand what vlans are

- I understand the difference between layer 2 & 3 switches

- I know what vlan trunking\tagging is

- I know what a default gateway is

- I understand that Layer 3 switches do the IP routing and layer 2 doesn't (mac addresses).

What I need to understand clearly is:

When I look at a layer 2 switch (show run) I see that the default vlan1 has no ip address and is shut down, a new vlan was created vlan10 and this vlan was given an IP address and default gateway. But the switch itself was given an IP address as well.

For ex:

interface Vlan1
 no ip address
 shutdown
!
interface Vlan10
 ip address 10.10.50.2 255.255.255.0
 ip helper-address 10.10.50.101
 no ip route-cache
!
ip default-gateway 10.10.50.20

So I'm assuming the default gateway for the PCs that connect to this switch is 10.10.50.20, which is also the IP of the inside interface of the firewall.

So if that is correct then this is what I don't understand:

Why is there an IP for interface and DG address for vlan10?

Why do I read that there can only be 1 management vlan per switch? What do they specifically mean by management vlan? There has to be obviously an IP address to telnet into (10.10.40.2)? But if it's used for management only, why then are almost all the interfaces associated with that vlan10?

Shouldn't there be a vlan interface to access the switch and another vlan for all the computers to associate with?

So basically I need to understand better the concept of interface vlan and management vlan and ip default gateway.

Thanks!

            

1 Accepted Solution

Jon Marshall
Hall of Fame

The IP address on the vlan interface on a L2 switch is never used by clients, i.e. PCs, servers etc., as a default gateway because a L2 switch does not route packets for end devices. The IP and default gateway are used so you can manage the switch, i.e. so you can logon to the switch and modify the config, update the IOS, reload etc.

The default gateway is needed so you can connect to the switch from a remote subnet. Think of it like a PC, i.e. one that has only an IP and a default gateway. The default gateway would actually be a L3 device, i.e. a router or more likely a L3 switch that routes between vlans.

Jon


OK, so the switch I'm looking at, the layer 2 switch, when it says:

interface Vlan10
 ip address 10.10.50.2 255.255.255.0

That is only used for management. So right now as I'm in the switch (I used telnet and the IP address of 10.10.50.2 to connect to the switch). If the IP address on the vlan interface is never used for clients, why then are a lot of the interface ports part of this vlan10, servers, workstations?

The ip default-gateway 10.10.50.20 on the switch is the IP address all the clients are using as their default gateway.

Sorry I still need to understand.

The ports are in vlan 10 because you want the clients in vlan 10. The fact that the switch also uses vlan 10 for its management is a coincidence. You could just as easily have all the ports in vlan 10 but use the vlan 1 interface (or any other vlan you want to setup) for managing the switch.

The default gateway configured on a L2 switch is only used by the switch. It has to be the same default gateway as the clients because the switch management vlan is vlan 10. So the clients and the switch both use the same default gateway, i.e. the firewall. If you used a different vlan to manage the switch then you wouldn't have the same default gateway as the clients.

I think the confusion is coming simply because the switch uses the same vlan for management as the clients connected to the switch.

No need to apologise, if you still have doubts feel free to ask more questions.

Jon

"The ports are in vlan 10 because you want the clients in vlan 10. The fact that the switch also uses vlan 10 for its management is a coincidence. You could just as easily have all the ports in vlan 10 but use the vlan 1 interface (or any other vlan you want to setup) for managing the switch."

Ok but the book I'm reading says there can only be one management vlan per switch for management traffic. So all the clients in vlan10 is just a name, doesn't mean anything to them?

"The default gateway configured on a L2 switch is only used by the switch. It has to be the same default gateway as the clients because the switch management vlan is vlan 10. So the clients and the switch both use the same default gateway, i.e. the firewall. If you used a different vlan to manage the switch then you wouldn't have the same default gateway as the clients."

Ok, I understand all clients (switch included) use the ip address 10.10.50.2 255.255.255.0 as the default gateway (the firewall). I don't understand "If you used a different vlan to manage the switch then you wouldn't have the same default gateway as the clients."

As already stated, the VLAN IP address on a L2 switch is used only for remote management via telnet or SSH. Having all your user ports on this VLAN is not required but is often setup that way for simplicity. You can have many VLANs on a L2 switch and ports assigned to each. Two or more VLANs on a L2 switch are not able to see each other without coming off box to a L3 route device of some kind. You could, for example, take an IOS router and configure an Ethernet port for 802.1q trunking and connect it to the L2 switch, also on a trunk port. This would allow machines on different VLANs to "route" to each other via the IOS router.

Also keep in mind that although a L2 switch can have multiple VLANs, only one of them can be designated as the management VLAN and have an IP address assigned.

Hope this helps a little.

--Patrick

Ok but the book I'm reading says there can only be one management vlan per switch for management traffic. So all the clients in vlan10 is just a name, doesnt mean anything to them?

Yes there can be only one management vlan. But remember a L2 switch can have multiple vlans configured on it at L2, i.e. in the vlan database. The restriction on a L2 switch is that you can only have one L3 vlan interface. So if you configured the management vlan to be vlan 3 for example, the switch would have 2 vlans at L2 but you would only have a L3 vlan interface for vlan 11. So:

"sh vlan brief"  would show vlan 10 and vlan 11

"sh ip int brief | include Vlan" would show only one vlan interface up/up and that would be vlan 11. The only other vlan interface you would see would be for vlan 1 but it would be down with no ip address configured.

Ok, I understand all clients (switch included) use the ip address 10.10.50.2 255.255.255.0 as the default gateway (the firewall). I don't understand "If you used a different vlan to manage the switch then you wouldn't have the same default gateway as the clients."

The default gateway is tied to the IP subnet. So let's say as above you use vlan 11 for management with an IP subnet of 192.168.5.0/24.

int vlan 11
 ip address 192.168.5.2 255.255.255.0
ip default-gateway 192.168.5.1    <--- the default gateway needs to be in the same subnet.

So the clients in vlan 10 attached to the switch are still using 10.10.50.2 as their default gateway but the switch is using 192.168.5.1 as its default gateway. The device with the IP address 192.168.5.1 could be another interface on the firewall, it could be a vlan interface on a L3 switch, it could be on a router.

Now to make things simple let's say instead of the firewall both default gateway IPs are on a L3 switch.

int vlan 10
 ip address 10.10.50.2 255.255.255.0
int vlan 11
 ip address 192.168.5.1 255.255.255.0

The L2 switch is connected to the L3 switch with a L2 trunk. It needs to be because you need both vlan 10 and 11 to go via the trunk.

From a PC in vlan 10 you want to connect to the switch. You telnet to the switch.

1) the PC compares its IP and subnet mask with the IP of the switch and realises it is on a different subnet so it needs to send the packets to its default gateway

2) the packet goes from the PC down the trunk (tagged with vlan 10) to the L3 switch

3) the L3 switch looks up the destination IP and sees it is for a 192.168.5.x address

4) the L3 switch has an interface on the 192.168.5.x subnet so it routes the packet onto that vlan and sends it back down the trunk link to the L2 switch. This time the packet is tagged with a vlan 11 tag.

5) the L2 switch receives the packet.

The return traffic is just the same but done in reverse.

Note I assumed the PC had the mac address of its default gateway in its arp table. I also assumed the L2 and L3 switches had all the mac address to port mappings in their respective mac address tables.

Again, please feel free to come back.

Jon
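The split Jon describes, written out as a complete configuration for both switches. This is an added example, not a config from the thread or from Cisco: it keeps Jon's addressing (user vlan 10 with its gateway 10.10.50.2 on the L3 switch, management vlan 11 on 192.168.5.0/24), and goes one step further than the thread by allowing SSH only and restricting the vty lines to the management subnet, so that the management SVI is not reachable from the user VLAN at all. Hostnames (SW-L2, SW-L3), port numbers, the domain name, the username and access-list 10 are assumptions.

```ios
! ===== L2 access switch (hypothetical hostname SW-L2) =====
hostname SW-L2
ip domain-name mgmt.example
! Local account for SSH logins; replace the placeholder secret
username netadmin secret CHANGE-ME-PLACEHOLDER
!
! Both VLANs exist at L2 (show vlan brief lists both)
vlan 10
 name USERS
vlan 11
 name MGMT
!
! Default VLAN left unaddressed and shut, as in the original post
interface Vlan1
 no ip address
 shutdown
!
! The one and only L3 interface on this L2 switch: the management SVI.
! Clients never use this address; it exists so the switch can be managed.
interface Vlan11
 ip address 192.168.5.2 255.255.255.0
 no shutdown
!
! Used only by the switch itself (replies to remote admins); must sit in
! the SVI's subnet, so it is 192.168.5.1 and not the clients' 10.10.50.2
ip default-gateway 192.168.5.1
!
! User ports: access ports in vlan 10. Clients here use 10.10.50.2 as
! their gateway; this switch plays no part in that routing.
interface range GigabitEthernet0/2 - 24
 switchport mode access
 switchport access vlan 10
!
! Uplink to the L3 switch: an 802.1Q trunk carrying both VLANs.
! "switchport trunk encapsulation dot1q" is only accepted on platforms
! that also support ISL; omit it where the CLI rejects it.
interface GigabitEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,11
!
! Management hardening: SSH only, and only from the management subnet
access-list 10 permit 192.168.5.0 0.0.0.255
line vty 0 4
 login local
 access-class 10 in
 transport input ssh
!
! ===== L3 distribution switch (hypothetical hostname SW-L3) =====
hostname SW-L3
! Enable inter-VLAN routing (off by default on many Catalyst models)
ip routing
!
! Gateway for the user VLAN: what the PCs' default gateway points at
interface Vlan10
 ip address 10.10.50.2 255.255.255.0
!
! Gateway for the management VLAN: what SW-L2's ip default-gateway points at
interface Vlan11
 ip address 192.168.5.1 255.255.255.0
!
! Trunk back to SW-L2, carrying the same two VLANs
interface GigabitEthernet1/0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,11
```

With this in place, a PC in vlan 10 reaching SW-L2's management address follows exactly the five steps above: tagged vlan 10 up the trunk, routed by SW-L3 from Vlan10 to Vlan11, and back down the same trunk tagged vlan 11. The access-class then decides whether that session is accepted; with only 192.168.5.0/24 permitted, an admin has to come from the management subnet (or from a host SW-L3 routes into it that you deliberately add to the list), which is the usual reason to give management its own VLAN rather than share vlan 10 with the users. SSH additionally needs an RSA key generated from exec mode (crypto key generate rsa) before the vty lines will accept connections.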

OK, great, that explains things better, sometimes for me it's the way it's explained that makes it understandable.

One last question, if I have the management vlan (interface vlan 10 for ex) and telnet/ssh to it, although it's not a physical interface, which physical interface does the traffic for the management of the switch (telnet/ssh) actually use? It has to connect to it physically somehow.

In the previous example where the L2 switch is connected to a L3 switch the packets would come in and go out of the trunk port connecting the L2 switch to the L3 switch.

In your original example where everything is in vlan 10, if one of the PCs connected to the switch did a telnet to the switch management address it would come through the port the PC was connected to.

Jon
