Vlan and subnet

Suppose I have 3 computers namely A,B and C. These 3 computers are attached to a Layer 2 Switch (switch has no layer 3 capability).I assign Lan 1 to Computer "A" , VLan 2 to "B" and VLan 3 to "C".

First question : If i place the 3 computers on different Vlans , do i have to give them separate sub nets also ? Is it possible to assign 1 subnet to computers of 2 seperate Vlans?

Second question : Is a router or a Layer 3 switch required to make communication between A , B and C possible ?

Find more posts tagged with

Free for TechExams community: Cybersecurity salary guide

Compare cert salaries and plan your next career move

Button

Comments

Forsaken_GA

hassantalal785 wrote: »

Suppose I have 3 computers namely A,B and C. These 3 computers are attached to a Layer 2 Switch (switch has no layer 3 capability).I assign Lan 1 to Computer "A" , VLan 2 to "B" and VLan 3 to "C".

First question : If i place the 3 computers on different Vlans , do i have to give them separate sub nets also ? Is it possible to assign 1 subnet to computers of 2 seperate Vlans?

Possible, yes. Also a really bad idea, splitting a subnet between two vlans has serious design implications. Generally speaking, you want to keep subnets and vlans on a 1 to 1 basis. It's ok to add an additional subnet to a vlan if needed (like if you run out of addresses), but it's rarely ok to add a second vlan to a subnet, instead you trunk the subnet across multiple switches

Second question : Is a router or a Layer 3 switch required to make communication between A , B and C possible ?

Yes. vlans are layer 2 constructs, in order to communicate between vlans, layer 3 intervention is required.

Diggs

Just to add onto what Forsaken_GA said regarding your second question, in order to route between the vlans you would need either a router or a layer 3 switch. To my knowledge if using a router you would need either separate interfaces for each vlan or configure sub interfaces on the router for each vlan and assign a trunk from the switch to the router.

xXErebuS

In addition to what both Forsaken and Diggs have said; if you want them in a CIDR range such as 192.168.1.0/24 you can use VLSM to assign say 192.168.1.64/26; 192.168.1.128/26; 192.168.1.192/26.

Danielh22185

The true nature / definition of a vlan is to separate broadcast traffic. If you are incorporating multiple vlans into a single subnet, which I am not sure is even possible could potentially cause a loop problem or cause packets to be dropped all together. As stated previously vlans should always be observed as a 1 to 1 ratio if all possible. This sounds like a spanning tree disaster waiting to happen if not done properly.

You could do this with one router / 1 interface between the router and switch but would need to create sub interfaces for each vlan and also ensure the link between the router and switch trunk.

Forsaken_GA

Danielh22185 wrote: »

The true nature / definition of a vlan is to separate broadcast traffic.

No, it is not. A router separates broadcast domains, not a vlan on a switch. A vlan is nothing more than a logical dumb switch.

However, since telling people they're incorrect rarely works, I'll issue this challenge to help demonstrate:

192.168.0.0/16

A broadcast on that subnet can potentially reach over 16,000 devices.

Using vlans only, how would you break up the broadcast domain, while still allowing all 16,000+ devices to have unicast connectivity to each other?

Danielh22185

Not trying to hijack a thread here but I guess I didn't fully explain my point or I may have been misunderstood. If you have two separate vlans and traffic is sent over one vlan out it it should only reach traffic within its own vlan (Broadcast domain). That traffic will not reach the other due to the separation of broadcast domains that has been created by the switches' vlans. However the only way to actually talk between the two broadcast domains is to have a router pass the communication between the two vlans. I guess if it were actually possible to have the multiple vlans within the same subnet it might be possible, never heard of that practice though, I could be wrong on that part.

Forsaken, I am not sure I fully understand your challenge though. I will attempt... It would seem you may need many networking devices to manage 16,000 host devices. If I follow, you could potentially have thousands of vlans that interconnect those devices so long as you have the routing capabilities to do so.

Forsaken_GA

Danielh22185 wrote: »

Not trying to hijack a thread here but I guess I didn't fully explain my point or I may have been misunderstood. If you have two separate vlans and traffic is sent over one vlan out it it should only reach traffic within its own vlan (Broadcast domain). That traffic will not reach the other due to the separation of broadcast domains that has been created by the switches' vlans.

Yes and no. That seperation is a by-product. The vlan is unaware that it's vlan. It thinks it's one big dumb switch, whether the vlan has 2 ports on one switch, or 4000 ports spanning many switches. Every time you add a port to the vlan, you're increasing the broadcast domain. If you get a question asking which device seperates a broadcast domain and you choose switch instead of router because you're thinking the vlan will break up the broadcast domain, you will get it wrong.

The truth of the matter is that, due to trunking, a vlan actually allows you to propagate a broadcast domain far beyond traditional boundaries, which is something that folks with large flat layer 2 networks discovered awhile ago, and are rediscovering with the trend back to big layer 2 networks thanks to virtualization. This is why if you want to control broadcast traffic, you have to carefully plan your subnets and vlans to make sure they stay appropriately sized.

Forsaken, I am not sure I fully understand your challenge though. I will attempt... It would seem you may need many networking devices to manage 16,000 host devices. If I follow, you could potentially have thousands of vlans that interconnect those devices so long as you have the routing capabilities to do so.

Not at all. It's one subnet, one router could handle it, assuming enough processor power. You'd need a crap load of switches, and they wouldn't even need to be vlan capable.

The point I'm trying to make is that the best way to manage broadcast traffic with a subnet that large isn't via using a vlan. A vlan alone is not enough. If I seperate the hosts out into different vlans, sure, my broadcast traffic is bounded, but so is my ability to communicate within the subnet,w hich means using a vlan to break up a broadcast domain is an invalid solution.

The correct solution is to subnet.

So in a situation like this, a vlan will not solve your broadcast solution. A subnet will. A subnet requires layer 3 intervention, which means broadcast domain control is the purview of layer 3, not layer 2. Therefore, it is entirely improper and extremely misleading to say that a vlan breaks up broadcast domains.

hassantalal785

Forsaken_GA wrote: »

Yes and no. That seperation is a by-product.
So in a situation like this, a vlan will not solve your broadcast solution. A subnet will. A subnet requires layer 3 intervention, which means broadcast domain control is the purview of layer 3, not layer 2. Therefore, it is entirely improper and extremely misleading to say that a vlan breaks up broadcast domains.

If Vlan will not solve our broadcast problem and we need layer 3 intervention to break broadcast then why actually are we using vlans .Meaning what are the advantages of creating multiple vlans then ?

Forsaken_GA

hassantalal785 wrote: »

If Vlan will not solve our broadcast problem and we need layer 3 intervention to break broadcast then why actually are we using vlans .Meaning what are the advantages of creating multiple vlans then ?

If you ask the virtualization folks, it doesn't.

A vlan is the logical equivalent of physically sepaate networks, so from a security standpoint, that's a good idea, as there are quite a bit of attacks you can perform with layer 2 adjacency.

Network segmentation also solves issues of scalability and network management.

NetworkVeteran

A VLAN defines a broadcast domain.

A router allows devices in different broadcast domains to talk to each other at layer three.

If you don't want two sets of hosts to communicate at layer two--for security or performance reasons--connecting them to ports assigned to different VLANs is a common solution. You then have the choice of whether or not to allow those devices to communicate at layer three.

It's not unusual in carrier environments to use VLANs to segregate traffic from different customers, or in corporations to seperate Guest and Corporate traffic. Inter-VLAN routing is often undesireable, or at the very least tighly controlled, under such circumstances.

NetworkVeteran

If Vlan will not solve our broadcast problem and we need layer 3 intervention to break broadcast then why actually are we using vlans .Meaning what are the advantages of creating multiple vlans then ?

You use VLANs to put the devices into separate broadcast domains, and then use layer three devices to allow those VLANs to communicate. That is the solution to the problem that a broadcast domain is too large and therefore causing trouble, the one-two punch.

Imagine you have a L2 switch with 10 hosts and 1 router connected to it:

If you put 5 hosts in VLAN_A and 5 hosts in VLAN_B but don't do any routing, you've cut down on broadcasts, but at the expense that now one half of the hosts can't talk to the other half.

If you add routing but leave all 10 hosts in one VLAN, you've done nothing to reduce broadcasts.

If you put 5 hosts in VLAN_A and 5 hosts in VLAN_B and add routing, you've finally cut down on broadcasts, and all of the devices can communicate with one another at layer three.

Danielh22185

Yes and no. That seperation is a by-product. The vlan is unaware that it's vlan. It thinks it's one big dumb switch, whether the vlan has 2 ports on one switch, or 4000 ports spanning many switches. Every time you add a port to the vlan, you're increasing the broadcast domain. If you get a question asking which device seperates a broadcast domain and you choose switch instead of router because you're thinking the vlan will break up the broadcast domain, you will get it wrong.

I agree with you statement here. In any Cisco exam if you are asked what separates broadcast domains, and you are only allowed to choose 1 option, your best choice should fundamentally be a router. However if you are given the 'choose all that apply' option and there is a choice for router and switch with multiple vlans these should be the answers you choose.

The point I'm trying to make is that the best way to manage broadcast traffic with a subnet that large isn't via using a vlan. A vlan alone is not enough. If I separate the hosts out into different vlans, sure, my broadcast traffic is bounded, but so is my ability to communicate within the subnet,w hich means using a vlan to break up a broadcast domain is an invalid solution.

I guess this would be more defined by what is needed in terms of the design. However if you are separating via subnet this is typically something you would need to do when creating multiple vlans too. Otherwise the assignable addresses would overlap with different vlans in a similar subnet, thus why I've stated I have never heard of this being a practical solution. I never claimed that all you need are vlans obviously the needs for a layer 3 device is high so you can communicate between the subnets.

nkillgore

Diggs wrote: »

Just to add onto what Forsaken_GA said regarding your second question, in order to route between the vlans you would need either a router or a layer 3 switch. To my knowledge if using a router you would need either separate interfaces for each vlan or configure sub interfaces on the router for each vlan and assign a trunk from the switch to the router.

I believe that this is correct. To add to it, with a layer 3 switch, you don't have to assign ip addresses to individual interfaces. You just assign an ip to each vlan on the switch, assign the appropriate ports to the vlans, and set up trunking to the layer 2 switches. Also, you probably need to set up a routing protocol..or some static routes.. or whatever you are doing.

edit: oh and the hosts' default gateway should probably be the ip address of the L3 switch vlan interface of the vlan they are on.

xXErebuS

Forsaken_GA wrote: »

No, it is not. A router separates broadcast domains, not a vlan on a switch. A vlan is nothing more than a logical dumb switch.

However, since telling people they're incorrect rarely works, I'll issue this challenge to help demonstrate:

192.168.0.0/16

A broadcast on that subnet can potentially reach over 16,000 devices.

Using vlans only, how would you break up the broadcast domain, while still allowing all 16,000+ devices to have unicast connectivity to each other?

To be 100% correct; seperate subnets seperates broadcast domains on a Layer 3 device - which is typically a router / layer 3 switch (also means this is where routing starts becoming required).

I realize that this may be in real world the same thing as your saying but theoretically you can have other devices using virtualization to perform routing functions (such as windows using "connectify"). At this point the PC is breaking up into two seperate broadcast domains, just as a layer 3 vlan interface or a subinterface / router interface.

I don't understand the second part...
192.168.1.0/24 - vlan 1
192.168.2.0/24 - vlan 2
192.168.3.0/24 - vlan 3

If your referring to a Layer 2 switch only then 192.168.0.0 doesnt even exist; only management IP addressing for remote connectivity.

xXErebuS

nkillgore wrote: »

I believe that this is correct. To add to it, with a layer 3 switch, you don't have to assign ip addresses to individual interfaces. You just assign an ip to each vlan on the switch, assign the appropriate ports to the vlans, and set up trunking to the layer 2 switches. Also, you probably need to set up a routing protocol..or some static routes.. or whatever you are doing.

edit: oh and the hosts' default gateway should probably be the ip address of the L3 switch vlan interface of the vlan they are on.

Trunks are necessary when you have sub interfaces / trunking multiple vlans.

hosts default should be the ip address of the layer 3 switch vlan interface; the default IP of the switch should be the layer 3 interface of the MANAGEMENT Vlan.

You only need routing for routes outside the connectivity of that layer 3 switch. If you have a layer 3 switch connecting to 10.0.0.0/16 network but host the 192.168.1.0/24, 192.168.2.0/24, 192.168.3.0/24 vlans/interfaces then you only need a route to 10.0.0.0/16; not each vlan since they are in essence directly connected.

nkillgore

xXErebuS wrote: »

Trunks are necessary when you have sub interfaces / trunking multiple vlans.

hosts default should be the ip address of the layer 3 switch vlan interface; the default IP of the switch should be the layer 3 interface of the MANAGEMENT Vlan.

You only need routing for routes outside the connectivity of that layer 3 switch. If you have a layer 3 switch connecting to 10.0.0.0/16 network but host the 192.168.1.0/24, 192.168.2.0/24, 192.168.3.0/24 vlans/interfaces then you only need a route to 10.0.0.0/16; not each vlan since they are in essence directly connected.

I guess I wasn't being entirely clear. I was trying to keep my post from becoming a novel. To add, though, the switch does have routes to the directly connected vlans. You just don't have to tell it they are there. It treats them like a router would treat a directly connected network. Some sort of routing should be configured unless you only want connectivity between the vlans. Any outside connectivity will require a default route at a minimum.

Forsaken_GA

xXErebuS wrote: »

Trunks are necessary when you have sub interfaces / trunking multiple vlans.

hosts default should be the ip address of the layer 3 switch vlan interface; the default IP of the switch should be the layer 3 interface of the MANAGEMENT Vlan.

You only need routing for routes outside the connectivity of that layer 3 switch. If you have a layer 3 switch connecting to 10.0.0.0/16 network but host the 192.168.1.0/24, 192.168.2.0/24, 192.168.3.0/24 vlans/interfaces then you only need a route to 10.0.0.0/16; not each vlan since they are in essence directly connected.

I said VLAN's only, not VLAN's with trunks or with SVI's. I also specified the subnet was 192.168.0.0/16, which means that's how the hosts are configured, which means that for all 65k+ addresses, they will never, ever use their default gateway.

So let's say you carve half of them up and put them in 1 vlan and the other half in another. Congratulations, you've segmented your broadcast domain, but now half your network can't talk to each other at all. You could achieve the exact same result by unplugging half the network and plugging them into an entirely separate set of switches.

In order to actually break up the broadcast domain and maintain communication, you absolutely positively MUST have a layer 3 device involved.

When you use a subinterface trunked up to a router, you're using a layer 3 device.

When you assign your vlan interfaces IP addresses, you're using a layer 3 device, you are no longer using only vlans for domain segmentation. The vlan interface (SVI) is a virtual router port, in the same way the VLAN is a virtual dumb switch. It doesn't physically exist, but logically, the SVI vlan67 is functionally identicial to fa0/0 on a router for all IOS operations.