VLAN help

datchcha Member Posts: 265
Hello,

I am trying to put together a simple VLAN map on my simulator, and on paper. What do most people do with VLAN 1, and what is real-world practice?

Q: Is VLAN 1 usually set aside for the trunk ports directly to the router, where VLAN 2 is your main workgroup and VLAN 3 maybe a department?

If using VLAN 1 for the trunk port only, wouldn't this be the configuration?

2950 switch
en
conf t
int f0/1
switchport mode trunk
!
vlan 2
name global
!
int f0/2
switchport access vlan 2

Router
conf t
int f0/0
no ip address
no shut
int f0/0.1
! VLAN 1 is the switch's native VLAN, so it arrives untagged: the
! subinterface must be marked native or the router expects a tag of 1
encapsulation dot1q 1 native
ip address 192.168.10.1 255.255.255.0
int f0/0.2
encapsulation dot1q 2
ip address 192.168.20.1 255.255.255.0

2950 switch
conf t
int vlan 1
ip address 192.168.10.2 255.255.255.0
no shut
Arrakis

Comments

  • kafifi13 Member Posts: 259
    Try dot1.q
  • Netstudent Member Posts: 1,694
    Fa0/1 will be in VLAN 1 by default. Making it a trunk port makes it a member of all VLANs. VLAN 1 is the native VLAN by default in dot1q, which means that VLAN 1 traffic will not be tagged.
    Other switches know that a frame is destined for the native VLAN when they notice an absence of a VLAN tag. You can change the native VLAN if you want. If you change the native VLAN, you have to make sure that the native VLANs match on the router and switch. That's about all there is to VLAN 1.
    There is no place like 127.0.0.1 BUT 209.62.5.3 is my 127.0.0.1 away from 127.0.0.1!
  • datchcha Member Posts: 265
    OK, thank you. But would you add hosts to VLAN 1, or would you leave it as its own broadcast domain? I guess I do not understand whether you would use VLAN 1 for hosts, or leave it empty, only adding the link to the router to VLAN 1 and the trunk port.

    thank you
  • datchcha Member Posts: 265
    kafifi13 wrote:
    Try dot1.q

    lol...my mistake, dotlq = dot1q

    Thank you,
  • Netstudent Member Posts: 1,694
    datchcha wrote:
    OK, thank you. But would you add hosts to VLAN 1, or would you leave it as its own broadcast domain? I guess I do not understand whether you would use VLAN 1 for hosts, or leave it empty, only adding the link to the router to VLAN 1 and the trunk port.

    thank you

    You can add hosts to VLAN 1 if you want. It will still be separated from other VLANs or other broadcast domains. In the real world, I think it just depends on the scenario. You can use VLAN 1 or not use it.
  • mikearama Member Posts: 749
    Well explained, Netstudent.

    In our network, the senior admin, for security reasons (I suppose), created a new native vlan (99) and disabled vlan 1 on every device.

    As for trunking, trunk ports no longer belong to a vlan. Remember, to make a port part of a vlan requires this command:
    SRV-SW1(config-if)#switchport access vlan 21

    but to put a port into a trunk requires:
    SRV-SW1(config-if)#switchport mode trunk (or dynamic, though I haven't used it yet).

    That wasn't how you described it, datch, but I think you see it from your config... you assigned a vlan to an individual switch port, but you don't mention vlans at all when configuring your trunks.

    Here's a quick copy of one of our switches... give you an idea of how we use vlans:

    vlan 128
    name NetworkMgmnt
    !
    vlan 129
    name NetworkSwitches
    !
    vlan 130
    name ISTestlab
    !
    vlan 132
    name IPKVM
    !
    vlan 133
    name SMS
    !
    vlan 140
    name Servers140
    !
    vlan 150
    !
    vlan 160
    name Servers160
    !
    vlan 163
    name SRServers
    !
    vlan 216
    name StaticClient
    !
    vlan 99
    name NativeVLAN

    !
    interface Vlan1
    no ip address
    shutdown
    !
    interface Vlan129
    ip address 10.22.129.11 255.255.255.0


    Hope that didn't make things worse,
    Mike
    There are only 10 kinds of people... those who understand binary, and those that don't.

    CCIE Studies: Written passed: Jan 21/12 Lab Prep: Hours reading: 385. Hours labbing: 110

    Taking a time-out to add the CCVP. Capitalizing on a current IPT pilot project.
  • Netstudent Member Posts: 1,694
    mikearama wrote:
    Well explained, Netstudent.

    In our network, the senior admin, for security reasons (I suppose), created a new native vlan (99) and disabled vlan 1 on every device.

    [...]

    Hope that didn't make things worse,
    Mike

    Thanks Mike, yeah, from what I have learned from others, VLAN 1 is actually not used very often. Come to think of it, everyone in the world knows that VLAN 1 exists and that it is not encapsulated. So there is an attack called VLAN hopping, in which a malicious frame is tagged with two VLANs. I don't know all the details about the attack, but I do know that, for security reasons, it may be a good idea not to use VLAN 1 as the native VLAN. Just a thought....
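Netstudent's two points in this thread, that an untagged frame on a trunk is assumed to belong to the native VLAN and that the double-tagged VLAN hopping frame rides on exactly that behaviour, can be made concrete with a small simulation. The following is an added example, not code from any poster here and not Cisco's: it builds real 802.1Q frame bytes, models a switch with one trunk and 802.1Q access ports (a deliberate simplification of Catalyst behaviour; the MAC addresses, VLAN numbers and payload are constructed), and shows why the hop works with the default native VLAN 1, why it stops once the native VLAN is moved to an unused VLAN such as mikearama's 99 (`switchport trunk native vlan 99` on every trunk, with no access ports placed in it) or once native traffic is tagged (`vlan dot1q tag native`, on platforms that support it), and what happens when the native VLANs on the two ends of a trunk do not match.

```python
"""Added example: 802.1Q native-VLAN handling and the double-tag VLAN hop.

MAC addresses, VLAN numbers and payloads are constructed for the example;
the Switch class is a simplified model of Catalyst trunk/access behaviour.
"""
import struct

TPID = 0x8100                         # 802.1Q tag protocol identifier
ETHERTYPE_IPV4 = 0x0800
DST = bytes.fromhex("020000000002")   # constructed locally-administered MACs
SRC = bytes.fromhex("020000000001")


def build_frame(vids, payload=b"constructed payload"):
    """Ethernet frame carrying zero or more 802.1Q tags, outermost first."""
    tags = b"".join(struct.pack("!HH", TPID, vid & 0x0FFF) for vid in vids)
    return DST + SRC + tags + struct.pack("!H", ETHERTYPE_IPV4) + payload


def outer_vid(frame):
    """VID of the outermost 802.1Q tag, or None if the frame is untagged."""
    if struct.unpack_from("!H", frame, 12)[0] != TPID:
        return None
    return struct.unpack_from("!H", frame, 14)[0] & 0x0FFF


def strip_outer(frame):
    """Remove the outermost 4-byte tag (the caller has checked it is present)."""
    return frame[:12] + frame[16:]


def push_tag(frame, vid):
    """Insert an 802.1Q tag for vid directly after the MAC header."""
    return frame[:12] + struct.pack("!HH", TPID, vid) + frame[12:]


class Switch:
    """Minimal model of a switch with one trunk and 802.1Q access ports."""

    def __init__(self, name, native_vlan=1, tag_native=False):
        self.name = name
        self.native_vlan = native_vlan    # 'switchport trunk native vlan N'
        self.tag_native = tag_native      # 'vlan dot1q tag native'

    def access_ingress(self, frame, access_vlan):
        """Classify a frame from an access port: untagged frames go to the
        access VLAN, a tag equal to the access VLAN is accepted and removed,
        any other tag is dropped. Returns (vlan, frame) or None."""
        vid = outer_vid(frame)
        if vid is None:
            return access_vlan, frame
        if vid == access_vlan:
            return access_vlan, strip_outer(frame)
        return None

    def trunk_egress(self, vlan, frame):
        """Native-VLAN traffic leaves untagged unless native tagging is on."""
        if vlan == self.native_vlan and not self.tag_native:
            return frame
        return push_tag(frame, vlan)

    def trunk_ingress(self, frame):
        """Untagged frames are assumed to belong to the native VLAN."""
        vid = outer_vid(frame)
        if vid is None:
            return self.native_vlan, frame
        return vid, strip_outer(frame)


def double_tag_hop(native_vlan, tag_native, attacker_vlan=1, target_vlan=20):
    """Attacker on an access port in attacker_vlan sends [attacker_vlan][target_vlan].
    Returns the VLAN in which the downstream switch delivers the frame, or None."""
    sw_a = Switch("SW-A", native_vlan, tag_native)
    sw_b = Switch("SW-B", native_vlan, tag_native)
    hostile = build_frame([attacker_vlan, target_vlan])
    classified = sw_a.access_ingress(hostile, attacker_vlan)
    if classified is None:
        return None
    vlan, frame = classified              # outer tag is gone, inner tag survives
    on_wire = sw_a.trunk_egress(vlan, frame)
    delivered_vlan, _ = sw_b.trunk_ingress(on_wire)
    return delivered_vlan


def native_mismatch(native_a, native_b):
    """Untagged native-VLAN frame sent by SW-A; the VLAN it lands in on SW-B."""
    sw_a = Switch("SW-A", native_a)
    sw_b = Switch("SW-B", native_b)
    on_wire = sw_a.trunk_egress(native_a, build_frame([]))
    return sw_b.trunk_ingress(on_wire)[0]


if __name__ == "__main__":
    print("native VLAN 1, attacker in VLAN 1       ->", double_tag_hop(1, False))   # 20: hop works
    print("native VLAN 99, nobody in VLAN 99       ->", double_tag_hop(99, False))  # 1: stays in VLAN 1
    print("native VLAN 1 + 'vlan dot1q tag native' ->", double_tag_hop(1, True))    # 1: stays in VLAN 1
    print("native 1 on SW-A, native 99 on SW-B     ->", native_mismatch(1, 99))     # 99: wrong VLAN
```

The mechanism the simulation exposes is the one Netstudent hints at: the attacker's outer tag equals the access VLAN, so the first switch strips it and then forwards the frame untagged because that VLAN is also the trunk's native VLAN; the second switch reads the surviving inner tag and delivers the frame into the target VLAN. Replies never come back the same way, so this is one-way injection, but that is enough for a spoofed packet. The defence is to make sure no access port ever sits in the native VLAN, which is exactly what a dedicated, host-free native VLAN 99 and a shut-down VLAN 1 achieve; the `native_mismatch` call also shows why the native VLAN must be changed on both ends of every trunk at once.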