VLAN help
datchcha
Member Posts: 265
in CCNA & CCENT
Hello,
I am trying to put together a simple VLAN map on my simulator, and on paper. What do most do with VLAN 1, and what is real-world practice?
Q: Is VLAN 1 set aside for trunk ports directly to the router usually? Where VLAN 2 is your main work group, and VLAN 3 maybe a department?
If using VLAN 1 as a trunk port only, wouldn't this be the case for configuration?
2950 switch
en
config t
int f0/1
 switchport mode trunk
!
vlan 2
 name global
!
int f0/2
 switchport access vlan 2
!
Router
config t
int f0/0
 no ip address
 no shut
!
int f0/0.1
 ! VLAN 1 is the untagged native VLAN on the switch trunk, so the router must treat it as native too
 encapsulation dot1q 1 native
 ip address 192.168.10.1 255.255.255.0
!
int f0/0.2
 encapsulation dot1q 2
 ip address 192.168.20.1 255.255.255.0
!
2950 switch
config t
int vlan 1
 ip address 192.168.10.2 255.255.255.0
 no shut
Arrakis
Comments
Netstudent Member Posts: 1,693
Fa0/1 will be in VLAN1 by default. Making it a trunk port makes it a member of all VLANs. VLAN1 is the native VLAN by default in dot1q, which means that VLAN1 traffic will not be tagged.
Other switches know that a frame is destined for the native VLAN when they notice an absence of a VLAN tag. You can change the native VLAN if you want. If you change the native VLAN, you have to make sure that the native VLANs match on the router and switch. That's about all there is to VLAN1.
There is no place like 127.0.0.1 BUT 209.62.5.3 is my 127.0.0.1 away from 127.0.0.1!
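The point about untagged frames and matching native VLANs, as an added example that is not from the thread: it builds 802.1Q frames with constructed MAC addresses, shows how a trunk end classifies a tagged versus an untagged frame, and checks whether two trunk ends with different native VLANs would place the same frame in different VLANs.

```python
import struct

TPID_8021Q = 0x8100  # 802.1Q Tag Protocol Identifier

# Constructed sample MAC addresses (not from the thread)
ROUTER_MAC = bytes.fromhex("0200000000a1")
HOST_MAC = bytes.fromhex("020000000002")

def build_frame(dst, src, vids=(), ethertype=0x0800, payload=b"\x00" * 4):
    """Build an Ethernet frame carrying one 802.1Q tag per VID (outermost first)."""
    frame = dst + src
    for vid in vids:
        # TCI = 3-bit PCP (0) | 1-bit DEI (0) | 12-bit VLAN ID
        frame += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)
    return frame + struct.pack("!H", ethertype) + payload

def vlan_tags(frame):
    """Return ([VIDs outer->inner], inner EtherType); an untagged frame yields []."""
    vids, off = [], 12  # skip destination and source MAC
    while struct.unpack_from("!H", frame, off)[0] == TPID_8021Q:
        tci = struct.unpack_from("!H", frame, off + 2)[0]
        vids.append(tci & 0x0FFF)
        off += 4
    return vids, struct.unpack_from("!H", frame, off)[0]

def vlan_on_trunk(frame, native_vlan=1):
    """VLAN a trunk port assigns to a received frame: its tag, or the native VLAN if untagged."""
    vids, _ = vlan_tags(frame)
    return vids[0] if vids else native_vlan

def native_mismatch(frame, switch_native, router_native):
    """True when the two ends of a trunk would place this frame in different VLANs."""
    return vlan_on_trunk(frame, switch_native) != vlan_on_trunk(frame, router_native)

if __name__ == "__main__":
    untagged = build_frame(ROUTER_MAC, HOST_MAC)            # VLAN1 traffic leaves untagged
    tagged2 = build_frame(ROUTER_MAC, HOST_MAC, vids=(2,))  # VLAN 2 traffic carries a tag
    print(vlan_on_trunk(untagged), vlan_on_trunk(tagged2))  # 1 2
    # Both ends native 1: consistent. Switch moved to native 99, router still 1: mismatch.
    print(native_mismatch(untagged, 1, 1), native_mismatch(untagged, 99, 1))  # False True
    print(native_mismatch(tagged2, 99, 1))  # False: tagged frames don't depend on the native VLAN
```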
datchcha Member Posts: 265
OK, thank you. But would you add hosts to VLAN1 or would you leave it as its own broadcast domain? I guess I do not understand if you would use VLAN1 for hosts, or leave it empty, only adding the link to the router to VLAN1 and the trunk port.
Thank you
Arrakis
Netstudent Member Posts: 1,693
datchcha wrote:
OK, thank you. But would you add hosts to VLAN1 or would you leave it as its own broadcast domain? I guess I do not understand if you would use VLAN1 for hosts, or leave it empty, only adding the link to the router to VLAN1 and the trunk port.
Thank you
You can add hosts to VLAN 1 if you want. It will still be separated from other VLANs or other broadcast domains. In the real world, I think it just depends on the scenario. You can use VLAN1 or not use it.
There is no place like 127.0.0.1 BUT 209.62.5.3 is my 127.0.0.1 away from 127.0.0.1!
mikearama Member Posts: 749
Well explained, Netstudent.
In our network, the senior admin, for security reasons (I suppose), created a new native vlan (99) and disabled vlan 1 on every device.
As for trunking, trunk ports no longer belong to a vlan. Remember, to make a port part of a vlan requires this command:
SRV-SW1(config-if)#switchport access vlan 21
but to put a port into a trunk requires:
SRV-SW1(config-if)#switchport mode trunk (or dynamic, though I haven't used it yet).
That wasn't how you described it, datch, but I think you see it from your config... you assigned a vlan to an individual switch port, but you don't mention vlans at all when configuring your trunks.
Here's a quick copy of one of our switches... give you an idea of how we use vlans:
vlan 128
name NetworkMgmnt
!
vlan 129
name NetworkSwitches
!
vlan 130
name ISTestlab
!
vlan 132
name IPKVM
!
vlan 133
name SMS
!
vlan 140
name Servers140
!
vlan 150
!
vlan 160
name Servers160
!
vlan 163
name SRServers
!
vlan 216
name StaticClient
!
vlan 99
name NativeVLAN
!
interface Vlan1
no ip address
shutdown
!
interface Vlan129
ip address 10.22.129.11 255.255.255.0
Hope that didn't make things worse,
Mike
There are only 10 kinds of people... those who understand binary, and those that don't.
CCIE Studies: Written passed: Jan 21/12 Lab Prep: Hours reading: 385. Hours labbing: 110
Taking a time-out to add the CCVP. Capitalizing on a current IPT pilot project.
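A small check for the practice Mike describes (native VLAN moved off 1, the Vlan1 SVI shut down), written here as an added example rather than anything posted in the thread. The running-config it audits is constructed, and the three rules it applies are my own choices: a trunk with no `switchport trunk native vlan` falls back to IOS's default of VLAN 1, an access port with no `switchport access vlan` sits in VLAN 1, and interface Vlan1 should be shut down.

```python
import re

NATIVE_RE = re.compile(r"switchport trunk native vlan (\d+)")

# Constructed sample running-config (not from any post in the thread): one trunk
# with native VLAN 99, one trunk left on defaults, one bare access port, Vlan1 shut
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 switchport mode trunk
 switchport trunk native vlan 99
!
interface FastEthernet0/2
 switchport mode trunk
!
interface FastEthernet0/3
 switchport mode access
!
interface Vlan1
 no ip address
 shutdown
!
"""

def parse_interfaces(config):
    """Map each 'interface X' block to its indented lines, stripped of leading spaces."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif current is not None and line.startswith(" "):
            blocks[current].append(line.strip())
        else:
            current = None  # '!' or a top-level command ends the block
    return blocks

def audit_vlan1(config):
    """Flag trunks on native VLAN 1, access ports left in VLAN 1, and a live Vlan1 SVI."""
    findings = []
    for name, lines in parse_interfaces(config).items():
        if "switchport mode trunk" in lines:
            natives = [int(m.group(1)) for m in map(NATIVE_RE.fullmatch, lines) if m]
            if (natives or [1])[-1] == 1:  # IOS default native VLAN is 1
                findings.append(f"{name}: trunk uses default native VLAN 1")
        if "switchport mode access" in lines and not any(
                l.startswith("switchport access vlan ") for l in lines):
            findings.append(f"{name}: access port left in default VLAN 1")
        if name.lower() == "vlan1" and "shutdown" not in lines:
            findings.append(f"{name}: SVI is not shut down")
    return findings
```

Feed it the text of `show running-config`; on the sample above only FastEthernet0/2 and FastEthernet0/3 are reported.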
Netstudent Member Posts: 1,693
mikearama wrote:
Well explained, Netstudent.
In our network, the senior admin, for security reasons (I suppose), created a new native vlan (99) and disabled vlan 1 on every device.
As for trunking, trunk ports no longer belong to a vlan. Remember, to make a port part of a vlan requires this command:
SRV-SW1(config-if)#switchport access vlan 21
but to put a port into a trunk requires:
SRV-SW1(config-if)#switchport mode trunk (or dynamic, though I haven't used it yet).
That wasn't how you described it, datch, but I think you see it from your config... you assigned a vlan to an individual switch port, but you don't mention vlans at all when configuring your trunks.
Here's a quick copy of one of our switches... give you an idea of how we use vlans:
vlan 128
name NetworkMgmnt
!
vlan 129
name NetworkSwitches
!
vlan 130
name ISTestlab
!
vlan 132
name IPKVM
!
vlan 133
name SMS
!
vlan 140
name Servers140
!
vlan 150
!
vlan 160
name Servers160
!
vlan 163
name SRServers
!
vlan 216
name StaticClient
!
vlan 99
name NativeVLAN
!
interface Vlan1
no ip address
shutdown
!
interface Vlan129
ip address 10.22.129.11 255.255.255.0
Hope that didn't make things worse,
Mike
Thanks Mike, ya, from what I have learned from others, VLAN1 is actually not used very often. Come to think of it, everyone in the world knows that VLAN1 exists and that it is not encapsulated. So there is an attack called VLAN hopping, in which a malicious frame is tagged with 2 VLANs. I don't know all the details about the attack, but I do know that for security reasons, it may be a good idea to not use VLAN1 as the native VLAN. Just a thought....
There is no place like 127.0.0.1 BUT 209.62.5.3 is my 127.0.0.1 away from 127.0.0.1!