Implementing VLANs
In traditional network design, devices on a local area network (LAN) are usually connected to a physical switch and belong to the same broadcast domain. This way, broadcasts sent by one device are received by all other devices, regardless of whether they are intended for them. This can create performance issues and security risks.
A VLAN (Virtual LAN) is a type of network architecture that enables network engineers to segment a physical network into smaller logical networks without having to physically reconfigure the network. This segmentation can improve network security, increase performance, and simplify network management.
In a VLAN, devices are part of the same logical network and can communicate with each other as if they were on the same physical network, even if they are physically separated. VLANs can be created based on many criteria, such as department, location, function, or security level.
Each VLAN represents a separate Layer 2 broadcast domain mapped to a unique IP subnet. In other words, each VLAN belongs to a different network, and intra-VLAN communication is allowed by default on Layer 2 switches.
As you can see from the image above, the employees in the enterprise belong to three different departments (IT, HR, and sales). Let’s assume that the corporate building has two floors and that employees from each of these three departments work on each floor.
Although the employees on a floor are physically connected to the same switch, they are logically separated because they belong to different VLANs. Conversely, users on different network segments, such as employees on different floors, can belong to the same VLAN (the same network) regardless of which switch they are physically connected to.
For instance, employees belonging to the IT department are assigned to VLAN 10 and are part of the 192.168.10.0/24 network. This way, regardless of their location within the network (such as different floors as in our example), employees belonging to the IT department are always part of the same logical network. The same principle applies to the HR and sales departments.
Note: Cisco switches have preconfigured default VLANs supporting different media and protocols. The default Ethernet VLAN is VLAN 1 (named “default”), and all Ethernet ports belong to it until assigned elsewhere.
You can configure as many VLANs as you need based on your requirements. The switch automatically creates VLANs 1 and 1002-1005, while the others have to be created manually. Although the maximum number of VLANs is switch-dependent, many Cisco switches allow an extended range from 1006 to 4094.
To manage the switch remotely, you must configure a management IP address on a VLAN interface; by default this is done on VLAN 1. You can also configure IP addresses on the other VLANs.
Benefits of Using VLANs
VLANs can help networks in several ways:
- Improved security: VLANs can segregate devices based on their function, department, or location, improving security by ensuring that sensitive data is only accessible to authorized users. This helps to prevent unauthorized access to sensitive data by limiting the exposure of network resources.
- Enhanced performance: By reducing the number of devices in a single broadcast domain, VLANs can reduce the amount of network traffic and prevent congestion, leading to improved performance.
- Simplified network management: VLANs can help simplify network management by grouping devices based on logical criteria rather than physical location. This can make it easier to manage network policies and implement changes across the network.
Creating a VLAN and Assigning a Port to a VLAN
Configuring a VLAN on a Cisco switch is a straightforward process and involves several steps. All you have to do is enter global configuration mode and start the configuration process there.
- Create VLANs: Use the vlan [vlan-id] command to create a new VLAN, where vlan-id represents the number of the VLAN you want to create.
- Name the VLANs: Once created, you can change the default name (VLAN#### where #### represents the VLAN number, for example, VLAN0001 would be the default name for VLAN 1) in the VLAN configuration mode. Type the name [name] command to assign a name to each VLAN. It is recommended to use descriptive names for the VLANs.
- Assign ports to VLANs: Enter the mode of the interface that you want to assign to the desired VLAN. Then, use the switchport mode access command to configure the port as an access port. This allows the port to participate in only one VLAN. Finally, use the switchport access vlan [vlan-id] command to assign the port to the desired VLAN. By default, all switch interfaces belong to VLAN 1.
- Verify VLAN configuration: Use the show vlan command to verify the VLAN configuration.
All of the VLANs you create are saved in the VLAN database, a file (vlan.dat) in the switch's flash memory. If you delete this file, all manually created VLANs are lost; only the default VLANs, including VLAN 1, remain.
Based on the image above, let’s find out how to configure VLANs 10, 20, and 30, name them accordingly, and assign the FastEthernet interfaces to the corresponding VLANs. The following configuration shows the commands you need to enter on the switch to achieve the desired goal.
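As an added example (not the article's own listing), the script below emits the IOS commands for exactly this plan from a port map, refusing VLAN IDs the switch reserves for itself (1 and 1002-1005) or that lie outside 1-4094. The FastEthernet port numbers are assumptions; the article does not say which ports belong to which department.

```python
"""Emit the Cisco IOS commands for the IT/HR/Sales VLAN plan.

Added example (not the article's own listing). The port-to-VLAN map below is an
assumption; the article does not say which FastEthernet ports belong where.
"""

# Per the article: the switch itself creates VLAN 1 and 1002-1005; 2-1001 is
# the normal range and 1006-4094 the extended range on many Cisco switches.
RESERVED = {1, 1002, 1003, 1004, 1005}
MAX_VLAN = 4094


def is_valid_vlan_id(vlan_id: int) -> bool:
    """True for IDs an engineer may create: 2-1001 and the extended 1006-4094."""
    return 1 <= vlan_id <= MAX_VLAN and vlan_id not in RESERVED


def vlan_config(vlans: dict, ports: dict) -> list:
    """Return global-configuration commands for the plan.

    vlans maps VLAN ID -> name; ports maps interface -> VLAN ID. Each port is
    forced into access mode so it carries exactly one VLAN (no trunking).
    """
    lines = ["configure terminal"]
    for vlan_id, name in sorted(vlans.items()):
        if not is_valid_vlan_id(vlan_id):
            raise ValueError(f"VLAN {vlan_id} is reserved or out of range")
        lines += [f"vlan {vlan_id}", f" name {name}", "exit"]
    for intf, vlan_id in ports.items():
        if vlan_id not in vlans:
            raise ValueError(f"{intf}: VLAN {vlan_id} is not defined in the plan")
        lines += [f"interface {intf}", " switchport mode access",
                  f" switchport access vlan {vlan_id}", "exit"]
    lines.append("end")
    return lines


# Constructed plan following the article: VLAN 10 = IT, 20 = HR, 30 = Sales.
VLANS = {10: "IT", 20: "HR", 30: "Sales"}
PORTS = {"FastEthernet0/1": 10, "FastEthernet0/2": 10,
         "FastEthernet0/3": 20, "FastEthernet0/4": 20,
         "FastEthernet0/5": 30, "FastEthernet0/6": 30}

if __name__ == "__main__":
    print("\n".join(vlan_config(VLANS, PORTS)))
```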
The following output verifies the VLAN configuration and interface assignments:
Important: The show vlan command shows only access ports, meaning ports that belong to a single VLAN. Trunk ports do not appear in the output of this command. If some ports are missing, they are configured as trunks instead of access ports.
You can use the show vlan brief command for a more compact output. This command displays one line per VLAN with the VLAN name, status, and ports. If you want information about a particular VLAN only, use the show vlan id [vlan-id] or show vlan name [vlan-name] command instead.
You can use the show interface [interface-id] switchport command to verify the VLAN configuration of an interface and get information such as administrative and operational mode, VLAN assignment, and other related information.
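Verification is where misassignments surface. The check below, an added Python example rather than a Cisco tool, parses constructed show vlan brief output and reports ports that landed in the wrong VLAN, ports absent from the table (trunks, as noted above) and ports never moved out of the default VLAN 1. The port names and the intended plan are assumptions.

```python
"""Parse 'show vlan brief' and check port membership against the intended plan.
Added example (not a Cisco tool). The output below is constructed; port names
and the intended plan are assumptions, not taken from the article."""
import re

# Constructed output: Fa0/4 landed in Sales instead of HR, Fa0/6 is absent
# (a trunk), and four ports were never moved out of the default VLAN 1.
SHOW_VLAN_BRIEF = """\
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/7, Fa0/8, Gi0/1
                                                Gi0/2
10   IT                               active    Fa0/1, Fa0/2
20   HR                               active    Fa0/3
30   Sales                            active    Fa0/4, Fa0/5
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup
"""
PLAN = {"Fa0/1": 10, "Fa0/2": 10, "Fa0/3": 20, "Fa0/4": 20, "Fa0/5": 30, "Fa0/6": 30}
ROW = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s*(.*)$")  # id, name, status, ports

def _ports(field: str) -> list:
    return [p for p in re.split(r",\s*", field.strip()) if p]

def parse_show_vlan_brief(text: str) -> dict:
    """Map VLAN ID -> {name, status, ports}; indented lines continue a port list."""
    vlans, current = {}, None
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            current = int(m.group(1))
            vlans[current] = {"name": m.group(2), "status": m.group(3),
                              "ports": _ports(m.group(4))}
        elif line.startswith(" ") and current is not None:
            vlans[current]["ports"] += _ports(line)
    return vlans

def audit(vlans: dict, plan: dict) -> list:
    """Flag wrong-VLAN ports, ports missing from the table (trunks), leftovers in VLAN 1."""
    actual = {p: vid for vid, v in vlans.items() for p in v["ports"]}
    findings = [f"{p}: expected VLAN {vid}, found {actual.get(p, 'no access VLAN (trunk?)')}"
                for p, vid in plan.items() if actual.get(p) != vid]
    findings += [f"{p}: still in default VLAN 1"
                 for p in vlans.get(1, {"ports": []})["ports"] if p not in plan]
    return findings

if __name__ == "__main__":
    print("\n".join(audit(parse_show_vlan_brief(SHOW_VLAN_BRIEF), PLAN)))
```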