200-301 Cisco CCNA – VLANs Virtual Local Area Networks part 2
January 27, 2023

5. VLAN Access Ports

In this lecture you’ll learn about VLAN access ports and how to configure them. Access ports are configured on switch interfaces where end hosts are plugged in, and each access port is configured with one specific VLAN. For example, we’ve got an engineering PC. It gets plugged into the switch on that port, and we configure the port as an access port in the Engineering VLAN. The configuration is all on the switch. The end host is not VLAN aware; it doesn’t even know that the VLAN exists, and it doesn’t need to know anything about VLANs. Switches only allow traffic within the same VLAN.

The benefit we get from configuring VLANs is that they segment our campus LAN into smaller broadcast domains. So we are going to have an Engineering VLAN and a Sales VLAN. In the example here, all my Engineering PCs and the router interface for the Engineering IP subnet go into the Engineering VLAN, and all of my Sales PCs and the router interface for the Sales subnet go into the Sales VLAN. Whenever I send unicast traffic within the same IP subnet, for example from Sales PC Two to Sales PC One, the traffic comes into the switch, and the switch already knows the MAC address of Sales PC One.

In this example it just sends it out that one port. Now, if we misconfigured our VLANs, for example if we put Sales PC One in the Engineering VLAN by accident instead of the Sales VLAN, then our Sales PCs are not going to be able to talk to it anymore. Well, nobody’s going to be able to talk to it anymore. Say Sales PC Two sends some traffic with a destination IP address of 10.10.20.11. The switch does not forward traffic between different VLANs; that would have to go via a router. So the traffic is not going to make it to Sales PC One.

So you need to be careful when you’re configuring VLANs. Hosts which are in the same IP subnet should be in the same VLAN. Hosts which are in a different IP subnet should also be together in a VLAN, but a different VLAN. So Engineering PCs go into the Engineering VLAN and Sales PCs go into the Sales VLAN. The default VLAN is VLAN 1, so by default all ports on a switch are in VLAN 1, and until you manually configure VLANs, your campus LAN is going to be one big broadcast domain.

We don’t want that. It’s bad for performance and for security. So we are going to configure specific VLANs, and to show the commands to do that we’ll use our same example again. If I look at the topology, our engineering PCs are on interfaces FastEthernet 0/3, 0/4 and 0/5. We also need to put the port going to the router into that VLAN as well, for the VLAN’s subnet, so FastEthernet 0/1 is also going to go into the Engineering VLAN. Interfaces FastEthernet 0/2, 0/6 and 0/7 are going to go into the Sales VLAN. Looking at the configuration, we’ll do the Engineering VLAN first. First off, we have to create the VLAN. To do that, the command is simply vlan and then the number you want to use for this VLAN, at global config. So we say vlan 10. That gets us into VLAN sub-configuration mode. Optionally, you can give it a name. It’s a good idea to give it a logical name; here we’ve called it Eng. Next, we need to configure our switch ports as access ports in the correct VLAN. So we say interface FastEthernet 0/1, switchport mode access to make it an access port, and switchport access vlan 10. If you’re wondering about the other type of port we can have, we can have trunk ports as well. We’ll cover that in the next lecture. We also need to put interfaces FastEthernet 0/3 to 0/5 into the VLAN as well. Rather than having to do these commands over and over again for each individual port, we can configure a range of ports.

So we say interface range FastEthernet 0/3 - 5, and you have to do it in this exact format. If you try to say interface range FastEthernet 0/3 - 0/5, it will give you an error message. This is the correct syntax to use to specify a range of interfaces. We then say switchport mode access again and switchport access vlan 10. So that’s our Engineering VLAN completed. We also need to do the Sales VLAN as well. So we say vlan 20, which is the number we’re going to use for sales in this example, name Sales, and then interface FastEthernet 0/2, switchport mode access, switchport access vlan 20, and interface range FastEthernet 0/6 - 7, again switchport mode access and switchport access vlan 20. So that’s how you configure them.

To verify, the best command is show vlan brief. That shows all of the VLANs that are available on the switch, and it also shows you which ports are in which VLAN. So you can see the configuration we just did: interfaces FastEthernet 0/1, 0/3, 0/4 and 0/5 are in the Eng VLAN, VLAN 10, and 0/2, 0/6 and 0/7 are in the Sales VLAN, VLAN 20. All of the other physical ports are in the default VLAN 1. So that shows you global information about all your VLANs and all of your ports. If you want to see information specific to an individual port, you can say show interface FastEthernet 0/1, for example, and then put switchport at the end. In the example here, you can see that it’s an access port in VLAN 10, which is the Engineering VLAN. Okay, so that’s how we do the configuration for our access ports. In the next lecture, I’ll show you with a lab demo.

6. VLAN Access Ports Lab Demo

In this lecture, you’ll learn how to configure VLAN access ports with a lab demo. I’ve got a simple topology for the lab here: a single switch, Switch 1, with a couple of engineering PCs plugged in. Eng1 is plugged into port FastEthernet 0/1 and has IP address 10.10.10.10, and Eng2 is plugged into FastEthernet 0/2 and is in the same IP subnet with IP address 10.10.10.11. I’ve also got a sales PC, Sales3, which is plugged into FastEthernet 0/3 and is in a different IP subnet with IP address 10.10.20.12. Right now I haven’t done any configuration on the switch, so I’ll just show you that. I’ll go onto Switch 1, and if I do a show interface FastEthernet 0/1 switchport to see the VLAN information, you can see that this is configured as an access port and it’s currently in the default VLAN 1. And if I do a show vlan brief, you see that VLAN 1 is actually the only VLAN that is configured on here and all ports are in VLAN 1.

So now if I go onto engineering PC one, because all PCs are in the same VLAN and Eng2 is also in the same IP subnet, I should have connectivity. So I’ll ping it at 10.10.10.11, and you see that the ping succeeds. If I try to ping the sales PC though, which is at 10.10.20.12, this is going to fail. They’re in the same VLAN at layer two, but it’s in a different IP subnet at layer three, so I would need a router to be able to route traffic between the two different IP subnets. Now let’s look and see what happens with broadcast traffic. If I ping 10.10.10.255, which is the broadcast address for the subnet that this PC is in, I get a reply from Eng2 at 10.10.10.11.

If we have a look at the lab topology, that broadcast traffic isn’t just hitting Eng2; it’s also hitting Sales3 as well, because it’s in the same VLAN. The switch is a layer two switch. It’s not layer three aware, so it doesn’t know anything about different IP subnets and it floods that broadcast traffic everywhere. That’s bad for performance and for security: the traffic is hitting the sales PC as well as the engineering PCs. So that’s why we’re going to configure our VLANs, and let’s do that now. I’ll go back onto the switch. I need to create my VLANs first, so I’ll go to global configuration and create the VLAN. We’re going to use VLAN number 10 for the engineering subnet, and I’m going to give it a name as well, name Eng. You always want to give your VLANs a name.

So if another engineer is looking at your config later, it’s going to be obvious what you’ve configured. I’ll also configure my sales VLAN. We’re going to use VLAN 20 for that, so vlan 20 and name Sales. The next thing I’m going to do is put my engineering PC one into the engineering VLAN. I’m not going to put Eng2 in there yet, because I want to show you the effect of this. Eng1 was on interface FastEthernet 0/1. I’ll say switchport mode access to make it an access port. In case you’re wondering, the other type of port we can have is a trunk port; I’ll cover that in the next lecture. So switchport mode access and switchport access vlan 10. If you look back at the topology diagram again, Eng1 is in VLAN 10 and the other two PCs are still in the default VLAN 1. If I go onto the command line on Eng1 and I try to ping Eng2 at 10.10.10.11 now, the command is going to fail. We’re in the same IP subnet, but they’re in different VLANs at layer two, and the switch does not send traffic between different VLANs. So that’s why the traffic is failing. And if I send broadcast traffic, ping 10.10.10.255, because this PC is the only thing in VLAN 10, this won’t hit anything else at all. This is good. This was the point of doing VLANs: to segment our broadcast domains.

The problem is that we want the two engineering PCs to be in the same VLAN, and right now they don’t have any connectivity with each other, so let’s fix that next. I’ll go back onto the switch configuration. Eng2 was on interface FastEthernet 0/2, and I’ll use the up arrow to put in the commands switchport mode access and switchport access vlan 10. If I now go back onto Eng1 again and try pinging the PC at 10.10.10.11, the ping should succeed. If this fails, sometimes Packet Tracer will do this (I’m using Packet Tracer for the lab demo), so let’s just flap the interface. I’ll go back onto the switch and do a shutdown and a no shutdown on interface FastEthernet 0/2.

Let’s just do interface FastEthernet 0/1 as well while we’re at it, so shutdown and no shutdown on there, and that should bring it back up again. So let’s try the ping again: ping 10.10.10.11. It’s probably just taking a minute for the interface to come back up since I did a no shutdown, so let’s give this a few seconds for the interface to come back, and I’ll waffle for a few seconds until it does. I might need to do another ping here, so let’s just wait for this one to time out. Okay, let’s ping it again: ping 10.10.10.11. Okay, there we go, we got the reply now. That’s just a quirk in Packet Tracer. In a real world network you would not need to shut down and no shut an interface because you changed the VLAN on it.

Okay, so that’s my engineering PCs with connectivity. The next thing to do, let’s go back onto the switch and put the sales PC in the correct VLAN. That was on interface FastEthernet 0/3, and I’ll say switchport mode access and switchport access vlan 20. Looking back at the topology again, both my engineering PCs are in VLAN 10 and my sales PC is in VLAN 20. So I’ve completed my configuration, and everything should be all good. Now for verification, we’ll go back onto the switch and I’ll do a show vlan brief. You can see there’s my engineering VLAN, VLAN 10, and interfaces FastEthernet 0/1 and 0/2 are in there, and my sales VLAN is configured with FastEthernet 0/3. All of the other ports I haven’t touched yet, so they are still in the default VLAN 1. Okay, so that was how we configure our VLAN access ports. See you in the next lecture for trunk ports.
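To make the access-port behaviour from sections 5 and 6 concrete, here is a small Python model I have added (it is not code from the course or from Cisco) of a single switch whose ports are all access ports. It replays the lab: with every port in VLAN 1, Eng1’s broadcast reaches everyone; with Eng1 alone in VLAN 10 it reaches nobody; with the finished configuration it reaches only Eng2, and a known unicast goes out exactly one port. The port names, MAC addresses and VLAN names are constructed to mirror the lab topology, and show_vlan_brief is a simplified stand-in for the IOS command of the same name.

```python
"""Single-switch VLAN access-port model (added example, not from the lecture)."""
from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"
DEFAULT_VLAN = 1

# Constructed sample hosts mirroring the lab topology: Eng1, Eng2 and Sales3.
ENG1, ENG2, SALES3 = "00:00:00:00:00:01", "00:00:00:00:00:02", "00:00:00:00:00:03"
HOST_PORT = {ENG1: "Fa0/1", ENG2: "Fa0/2", SALES3: "Fa0/3"}


@dataclass
class Switch:
    """Layer-2 switch where every port is an access port in exactly one VLAN."""
    ports: dict = field(default_factory=dict)          # port -> access VLAN
    vlans: dict = field(default_factory=lambda: {DEFAULT_VLAN: "default"})
    mac_table: dict = field(default_factory=dict)      # (vlan, mac) -> port

    def add_port(self, name):
        # A fresh port is an access port in VLAN 1, as on a real switch.
        self.ports[name] = DEFAULT_VLAN

    def create_vlan(self, vid, name):
        # Equivalent of 'vlan <vid>' then 'name <name>' at global config.
        self.vlans[vid] = name

    def set_access_vlan(self, port, vid):
        # Equivalent of 'switchport access vlan <vid>': the VLAN must exist first.
        if vid not in self.vlans:
            raise ValueError(f"VLAN {vid} has not been created")
        self.ports[port] = vid

    def receive(self, in_port, src_mac, dst_mac):
        """Return the set of ports a frame is forwarded out of.

        The MAC table is keyed by VLAN, and flooding (broadcast or unknown
        destination) only reaches ports in the ingress VLAN, so a frame never
        crosses from one VLAN to another inside the switch.
        """
        vid = self.ports[in_port]
        self.mac_table[(vid, src_mac)] = in_port
        known = self.mac_table.get((vid, dst_mac))
        if dst_mac == BROADCAST or known is None:
            return {p for p, v in self.ports.items() if v == vid and p != in_port}
        return set() if known == in_port else {known}

    def show_vlan_brief(self):
        """Rough equivalent of 'show vlan brief': VLAN -> (name, member ports)."""
        return {vid: (name, sorted(p for p, v in self.ports.items() if v == vid))
                for vid, name in sorted(self.vlans.items())}


def lab_switch():
    sw = Switch()
    for port in HOST_PORT.values():
        sw.add_port(port)
    sw.add_port("Fa0/4")          # an unused port, stays in VLAN 1 throughout
    return sw


def run_lab():
    """Replays the lab demo; returns which ports each frame was sent out of."""
    sw = lab_switch()
    results = {}
    # 1. No VLAN configuration: one broadcast domain, Eng1's broadcast hits everyone.
    results["flood_before"] = sw.receive("Fa0/1", ENG1, BROADCAST)
    # 2. Create VLANs 10 and 20, move only Eng1 into VLAN 10.
    sw.create_vlan(10, "Eng")
    sw.create_vlan(20, "Sales")
    sw.set_access_vlan("Fa0/1", 10)
    results["eng1_alone"] = sw.receive("Fa0/1", ENG1, BROADCAST)    # reaches nobody
    # 3. Put Eng2 in VLAN 10 and Sales3 in VLAN 20 (the finished lab).
    sw.set_access_vlan("Fa0/2", 10)
    sw.set_access_vlan("Fa0/3", 20)
    results["flood_after"] = sw.receive("Fa0/1", ENG1, BROADCAST)   # only Eng2's port
    sw.receive("Fa0/2", ENG2, ENG1)                                 # Eng2 replies, MAC learned
    results["unicast_known"] = sw.receive("Fa0/1", ENG1, ENG2)      # sent out one port
    results["show_vlan_brief"] = sw.show_vlan_brief()
    return results


if __name__ == "__main__":
    for key, value in run_lab().items():
        print(f"{key}: {value}")
```

Run it directly to print each result. The detail worth noticing is that the MAC table is keyed by (VLAN, MAC) and flooding is restricted to the ingress VLAN, which is why a host placed in the wrong VLAN becomes unreachable rather than just slower to find.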

7. VLAN Trunk Ports

In this lecture you’ll learn about VLAN trunk ports. We covered access ports in the previous lecture. You saw in the example lab topology we had a switch with some engineering and some sales PCs plugged in, which were in different IP subnets at layer three. We also put them into different VLANs at layer two, and that segmented the broadcast domains at both layer two and layer three, giving us better performance and better security. But what about the links between switches? In that previous example, we just had one switch.

The example here now is similar. We’ve got our engineering PCs, our sales PCs, and our router to route traffic between them. But they’re not all plugged into the same switch; we’ve got multiple switches here. So if you look at Engineering PC 1, if I also had another engineering PC plugged into that same switch, they would be able to communicate with each other. But the problem is that right now, all of my links between my switches are in the default VLAN 1. So PCs in the same VLAN on the same switch can talk to each other, but they can’t communicate with PCs on another switch, even if they were in the same VLAN.

So what we could do to help with this is configure those links between switches. We could put them in the Engineering VLAN, for example, and great, now all of our engineering PCs can communicate with each other no matter what switch they’re on. But the problem is that the sales PCs still can’t talk to each other. We need PCs in different VLANs to be able to talk to each other across different switches, and the way we do that is by configuring a trunk port. The protocol that’s used for our trunking is 802.1Q. On the links between switches, rather than configuring them as access ports, which can only carry traffic for one VLAN, we configure them as trunk ports, which will carry traffic for all of our VLANs. So an access port carries traffic for one specific VLAN, and 802.1Q trunks are configured on the links between switches where we need to carry traffic for multiple VLANs. One of the old protocols that was available to do this was ISL, Inter-Switch Link. That was a Cisco proprietary trunking protocol which is now obsolete.

The industry has standardized on using 802.1Q. The way that 802.1Q works: when a switch forwards traffic to another switch over a trunk port, it tags the layer two header with the correct VLAN. So in the frame we’ve got the layer two header, and the switch inserts the VLAN information into that layer two header as an 802.1Q tag. The receiving switch will only forward the traffic out ports that are in that VLAN.

And when the switch sends the traffic to an end host, it removes the 802.1Q VLAN tag, because our end hosts are not VLAN aware. They don’t need to see that tag; it would confuse them. This is how the format of the Ethernet frame looks. Up at the top there’s the standard Ethernet frame that comes into the switch from the host. When the switch sends it out a trunk port to another switch, it will insert the 802.1Q tag into the header stating which VLAN this traffic is for. And again, it removes it at the other end when it sends it out to an end host.

So let’s look at how this works, and we’ll look at some broadcast traffic. Sales PC Two, down in the bottom left corner, sends out some broadcast traffic that hits its switch, Switch 1. There are no other sales PCs on there, so it doesn’t send it to any other end hosts. But Switch 1 is configured with a trunk port going up to Switch 2, so it will send the traffic up to Switch 2. When it does that, it’s going over a trunk port, so it will insert the VLAN information into the layer two header, saying this traffic is for the Sales VLAN. It comes into Switch 2, which sees that it’s got an engineering PC on there. But that PC is in the Engineering VLAN, so Switch 2 knows the traffic is not for it.

It doesn’t send it there. It does have a trunk port, so it sends the traffic up the trunk port to Switch 3. Again, it puts on the 802.1Q tag saying this is for the Sales VLAN. On Switch 3 we do have an end host in the Sales VLAN: the router. The port connected to the router is configured as an access port in the Sales VLAN, so the switch will send the traffic up to the router. When it does that, it’s going out an access port, so it strips off the 802.1Q tag. Switch 3 is also connected to Switch 4 with a trunk port, so it will send the traffic down there. Again, it will tag it with the 802.1Q tag saying it’s for the Sales VLAN when it sends it to Switch 4.

Switch 4 also has an end host configured on an access port in the Sales VLAN, so it will send the traffic out there to Sales PC One, stripping off the 802.1Q header. When it sends it down to Switch 5, that is again on a trunk port, so it will tag it to say that this is for the Sales VLAN. Okay, so that is how our 802.1Q trunks work. Now, just a little aside here. You don’t need to know this for the CCNA exam, but you’re going to run into it in the real world, so I wanted to mention it here as well. Your end hosts, like your normal desktop PCs, are typically members of only one VLAN and they’re not VLAN aware. So for those hosts, the switch port is configured as an access port. But a special case of end host is a virtualized host, like VMware or Microsoft Hyper-V, where there are virtual machines in different IP subnets on the host.

So that one host is maybe running a virtual machine for engineering and also running a virtual machine for sales. In that case, you need to trunk the VLANs down to that host so it knows which virtual machine to send the traffic to. You can see the example here: I’ve got a VMware host with virtual machines for both sales and for engineering. We’ve got one physical port on the Ethernet switch, interface FastEthernet 0/1, and here we configure that as a trunk port rather than as an access port. Okay? So where you’ve got normal end hosts, like a normal desktop PC or a normal server which is running just one application, you configure your switch ports as access ports. When you’ve got ports going to another switch, you configure those as trunks.

When you’ve got a virtualized host, like a VMware host, that is also configured as a trunk. Another special use case is IP phones. When you’re using IP phones, the switch is physically connected to the IP phone, and then the PC is plugged into the back of the phone for that particular user. The benefit that you get from this is it only uses up one physical port on your switch. So you don’t have the phone and the PC both plugged into two different ports on the switch; you have the phone plugged into the switch and then the PC plugged into the back of the phone. Now with this, we want to be able to segregate our phone calls from our data traffic, but they’re both going through the same cable here. The reason that we want to have them separate is that we need to give different treatment to the voice traffic. We need to have that prioritized because it’s very sensitive to delay.

The other reason is security. We don’t want our voice traffic, our phone calls, and our data traffic in the same IP subnet and the same VLAN, because that would make it easier for somebody to sniff that traffic and listen in to our phone calls. So we’re going to have our voice traffic, our actual phone calls, and the data traffic from our PC in different IP subnets and in different VLANs. And you can see here that they’re both going through the same physical cable from the switch to the IP phone. So we need to configure that as a trunk port which is going to carry the voice VLAN traffic and the data VLAN traffic.

All right, let’s have a look at how to actually configure this. It’s a very simple configuration. In the example here, interface FastEthernet 0/24 is connected to another switch. Optionally, I can put in a description; I’ve said description Trunk to Switch 2. Then the trunking commands: I say switchport trunk encapsulation dot1q and switchport mode trunk. Now, about the switchport trunk encapsulation dot1q command: modern switches only support 802.1Q, so if you put this command in on them, it will give you an error message saying it doesn’t understand the command.

Older switches support both ISL and 802.1Q. So on older switches you have to say switchport trunk encapsulation dot1q, because they’ll default to ISL, but we always use 802.1Q. On modern switches there’s no need to put that command in, but if you put the command in and it gives you an error message, that’s okay; no harm done. Okay, so that’s how we manually configure a port as a trunk port. I would need to configure this on the other side, on the other switch, as well. So that’s how we do the configuration on a switch port which is connected to another switch or to a virtualized host such as VMware. Another configuration to show you here is the special configuration where the switch port is plugged into an IP phone with a PC connected in behind that.

The configuration here is, for example, interface FastEthernet 0/10, and I’ve said description IP Phone. This port is going to act as a trunk port: it is going to be sending traffic for multiple VLANs, for the voice VLAN and for the data VLAN, down to the phone. But we don’t configure it as switchport mode trunk; we configure it as switchport mode access. So it is actually a trunk port, but you configure switchport mode access. It’s a special case where we’ve got an IP phone plugged in. Then we say switchport access vlan 10; that is our data VLAN. And then switchport voice vlan 20.

That is where you configure the voice VLAN. When you’ve got a Cisco IP phone plugged into a Cisco switch, the switch will detect that it is an IP phone and they talk to each other, so they know that this is the VLAN for the PC and this is the VLAN for the voice traffic on the phone. The last thing to tell you here is about the native VLAN. The switch needs to know which VLAN to assign any traffic to which comes in untagged on a trunk port. That used to be required for when a switch was connected to a hub. Hubs are long gone; you can’t even buy hubs anymore.

Hubs were layer one devices, so not VLAN aware. So that’s why we have the native VLAN: to support hubs. The default native VLAN is VLAN 1. But there are some security issues with using VLAN 1 as the native VLAN; there are some known attacks that can exploit that. So best practice is to change it to an unused VLAN. The native VLAN must match on both sides of a trunk, so on both switches that are connected to each other, for the trunk to come up. So looking at the full config for our trunk, including setting the native VLAN, we need to create a VLAN for it first.

So I’ve said vlan 199, name Native. This is a dedicated VLAN that is not going to be used for anything else, and you’re not going to have any end hosts actually using this VLAN. Then on my port that’s connected to the other switch, I’ve got interface GigabitEthernet 0/1, description Trunk to Switch 2, switchport trunk encapsulation dot1q, switchport mode trunk, so the same commands we covered just a minute ago, and then switchport trunk native vlan 199. On the switch on the other side, I put in exactly the same configuration. To verify this, we use the command show interface GigabitEthernet 0/1 switchport. And here I can see that the operational mode is trunk.

The encapsulation being used is 802.1Q and the native VLAN is 199. It’s saying inactive just because we don’t have any access ports configured in VLAN 199. That’s good; that’s the way that we should configure it. The last thing that I want to tell you about here is limiting allowed VLANs. Similarly to changing the native VLAN, this is done mainly for security reasons, but it also improves performance as well. You can see in the diagram here that on the bottom switch I’ve got PCs in the Eng, Sales and Accounts VLANs. But on the top switch there are only PCs for Eng and Accounts; there are no sales PCs on that top switch. So there’s no point in sending sales traffic up to that top switch, and if we did, it would take up bandwidth, which would decrease performance.

It could also be a security concern. We don’t want to send traffic anywhere where it’s not actually required. So to prevent that from happening, on the bottom switch, and actually on both switches, on that inter-switch link between the two switches, we can configure the allowed VLANs list. In the example here, we would allow traffic for the Eng and Accounts VLANs, but we’re not going to send traffic for the Sales VLAN over that link. The way that we configure it is to go to the trunk interface, GigabitEthernet 0/1 for this example, and enter the command switchport trunk allowed vlan 10,30. If you don’t use this command, then all VLANs that are configured on the switch will be sent over the link. By doing this, you limit it to only the VLANs that are required. Okay, that was the last thing for trunking. See you in the next lecture where we’ll do it with a lab demo.
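As an added example for the trunking material in this section (my code, not Cisco’s and not the course’s), this Python model builds an untagged Ethernet frame, inserts and strips the 4-byte 802.1Q tag, and models a trunk port’s native VLAN and allowed-VLAN list. It reproduces the trunk configured above (native VLAN 199, allowed VLANs 10 and 30), shows untagged traffic landing in the native VLAN, and shows what a native VLAN mismatch does: a frame that left one switch in VLAN 199 is assigned to VLAN 1 by a peer still using the default. MAC addresses and payloads are constructed, and the TrunkPort class is a simplification rather than IOS behaviour in every detail.

```python
"""802.1Q trunk-port model (added example, not Cisco's code or the lecture's)."""
import struct
from dataclasses import dataclass
from typing import FrozenSet, Optional

TPID_8021Q = 0x8100                      # EtherType value that announces an 802.1Q tag
BROADCAST = bytes.fromhex("ffffffffffff")


def make_frame(dst, src, ethertype, payload):
    """Untagged Ethernet frame as an end host sends it (FCS omitted)."""
    return dst + src + struct.pack("!H", ethertype) + payload


def insert_tag(frame, vid, pcp=0):
    """Insert the 4-byte tag (TPID + TCI) right after the two MAC addresses."""
    tci = (pcp << 13) | (vid & 0x0FFF)   # TCI = PCP(3 bits) | DEI(1 bit, 0) | VID(12 bits)
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def strip_tag(wire):
    """Return (vid, untagged frame); vid is None when no tag was present."""
    if len(wire) >= 16 and struct.unpack("!H", wire[12:14])[0] == TPID_8021Q:
        tci = struct.unpack("!H", wire[14:16])[0]
        return tci & 0x0FFF, wire[:12] + wire[16:]
    return None, wire


@dataclass
class TrunkPort:
    native_vlan: int = 1                        # IOS default native VLAN
    allowed: Optional[FrozenSet[int]] = None    # None = all VLANs, the IOS default

    def egress(self, frame, vid):
        """Frame leaving the switch on this trunk: tag it, send untagged, or drop."""
        if self.allowed is not None and vid not in self.allowed:
            return None                          # not in 'switchport trunk allowed vlan'
        if vid == self.native_vlan:
            return frame                         # native VLAN goes out untagged
        return insert_tag(frame, vid)

    def ingress(self, wire):
        """Frame arriving on this trunk: (VLAN it is assigned to, untagged frame) or None."""
        vid, frame = strip_tag(wire)
        if vid is None:
            vid = self.native_vlan               # untagged traffic lands in the native VLAN
        if self.allowed is not None and vid not in self.allowed:
            return None
        return vid, frame


def run_trunk_demo():
    # Constructed sample frames from an engineering PC (VLAN 10) and a sales PC (VLAN 20).
    eng_frame = make_frame(BROADCAST, bytes.fromhex("000000000001"), 0x0800, b"eng-bcast")
    sales_frame = make_frame(BROADCAST, bytes.fromhex("000000000002"), 0x0800, b"sales-bcast")

    # Trunk as configured in the lecture: native VLAN 199, only VLANs 10 and 30 allowed.
    hardened = TrunkPort(native_vlan=199, allowed=frozenset({10, 30}))
    peer = TrunkPort(native_vlan=199, allowed=frozenset({10, 30}))
    wire = hardened.egress(eng_frame, 10)

    # Mismatched native VLANs: 199 on one side, the default 1 on the other.
    side_a = TrunkPort(native_vlan=199)
    side_b = TrunkPort()

    return {
        "tag_bytes": wire[12:16].hex(),                        # '8100000a': TPID 0x8100, VID 10
        "eng_received": peer.ingress(wire),                    # (10, eng_frame): tag read, then removed
        "sales_dropped": hardened.egress(sales_frame, 20),     # None: VLAN 20 is not allowed
        "untagged_default": side_b.ingress(eng_frame),         # (1, eng_frame): untagged -> native VLAN 1
        "native_mismatch": side_b.ingress(side_a.egress(eng_frame, 199)),  # (1, ...): VLAN 199 traffic lands in VLAN 1
    }


if __name__ == "__main__":
    for key, value in run_trunk_demo().items():
        print(f"{key}: {value}")
```

The native-mismatch result is the point of the "must match on both sides" rule: because native-VLAN traffic travels untagged, each side decides on its own which VLAN an untagged frame belongs to, and a disagreement silently moves traffic between VLANs. Choosing a dedicated, unused native VLAN such as 199 and keeping the allowed list tight limits what an untagged or stray frame can reach.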
