Practical ® Networking
Routing Between VLANs
We wrote an article which covers Virtual Local Area Networks (VLANs) as a concept, and another article on configuring VLANs
on Cisco switches. The remaining subject to cover is the different options that exist for routing between VLANs. This is also
sometimes called inter-VLAN routing, or occasionally Router on a Stick (RoaS).
Why do we need Routing Between VLANs?
As we learned in a prior article, VLANs create a logical separation between Switch ports. Essentially, each VLAN behaves like a
separate physical switch. To illustrate this, below are two topology pictures of the same environment — one Physical and one
Logical.
The Physical topology depicts a switch and four hosts in two different VLANs: Host A and Host B are in VLAN 20 and Host C
and Host D are in VLAN 30. The logical topology reflects how the physical topology operates — the two VLANs essentially create
two separate physical switches.
[Figure: Physical and Logical topologies]
Despite all four hosts being connected to the same physical switch, the logical topology makes it clear that the hosts in VLAN 20
are unable to speak with the hosts in VLAN 30. Notice that since there is nothing connecting the two “Virtual” switches, there is no
way for Host A to speak to Host C.
Since Host A and Host C are in different VLANs, it is also implied that they are in different Networks. Each VLAN will typically
correspond to its own IP Network. In this diagram, VLAN 20 contains the 10.0.20.0/24 network, and VLAN 30 contains the
10.0.30.0/24 network.
The purpose of a Switch is to facilitate communication within networks. This works great for Host A trying to speak to Host B.
However, if Host A is trying to speak to Host C, we will need to use another device, one whose purpose is to facilitate
communication between networks.
If you've read the Packet Traveling series, then you know that the device which facilitates communication between networks is a
Router.
A router will perform the routing function necessary for two hosts on different networks to speak to one another. In the same
way, a Router is what we will need in order for hosts in different VLANs to communicate with one another.
There are three options available in order to enable routing between the VLANs:
+ Router with a Separate Physical Interface in each VLAN
+ Router with a Sub-Interface in each VLAN
+ Utilizing a Layer 3 Switch
The remainder of this article will explore these three options and their configuration.
Router with Separate Physical Interfaces
The simplest way to enable routing between the two VLANs is to simply connect an additional port from each VLAN into a Router.
The Router doesn't know that it has two connections to the same switch — nor does it need to. The Router operates like normal
when routing packets between two networks.
In fact, the process of a packet moving from Host A to Host D in this topology will work exactly as it does in this video. The only
difference is since there is only one physical switch, there will only be one MAC address table: each entry includes the mapping
of switchport to MAC address, as well as the VLAN ID number that port belongs to.
Each switch port in this diagram is configured as an Access port. We can use the range command to configure multiple ports:
Switch(config)# interface range eth2/0 - 2
Switch(config-if-range)# switchport mode access
Switch(config-if-range)# switchport access vlan 20
Switch(config)# interface range eth3/0 - 2
Switch(config-if-range)# switchport mode access
Switch(config-if-range)# switchport access vlan 30
Of course, before assigning the switchport to a VLAN, it is a good idea to create the VLAN in the VLAN Database.
The Router interfaces also use a standard configuration — configuring an IP address and enabling the interface:
Router(config)# interface eth0/2
Router(config-if)# ip address 10.0.20.1 255.255.255.0
Router(config-if)# no shutdown
Router(config)# interface eth0/3
Router(config-if)# ip address 10.0.30.1 255.255.255.0
Router(config-if)# no shutdown
Below you will find various show commands for the Router and the Switch. These can be used to understand and validate how
the environment is functioning.
Router Show Commands
Router# show running-config
interface Ethernet0/2
 ip address 10.0.20.1 255.255.255.0
interface Ethernet0/3
 ip address 10.0.30.1 255.255.255.0
Switch Show Commands
Switch# show running-config
vlan 20
vlan 30
interface Ethernet2/0
 switchport access vlan 20
 switchport mode access
interface Ethernet2/1
 switchport access vlan 20
 switchport mode access
interface Ethernet2/2
 switchport access vlan 20
 switchport mode access
interface Ethernet3/0
 switchport access vlan 30
 switchport mode access
interface Ethernet3/1
 switchport access vlan 30
 switchport mode access
interface Ethernet3/2
 switchport access vlan 30
 switchport mode access
Router with Sub-Interfaces
The previously described method is functional, but scales poorly. If there were five VLANs on the switch, then we would need five
switchports and five router ports to enable routing between all five VLANs.
Instead, there exists a way for multiple VLANs to terminate on a single router interface. That method is to create a Sub-Interface.
A Sub-Interface allows a single Physical interface to be split up into multiple virtual sub-interfaces, each of which terminates
its own VLAN.
Sub-interfaces to a Router are similar to what Trunk ports are to a Switch — one link carrying traffic for multiple VLANs. Hence, each
router Sub-interface must also add a VLAN tag to all traffic leaving said interface.
The logical operation of the Sub-interface topology works exactly as the separate physical interface topology in the section before it. The
only difference is with Sub-interfaces, only one Router interface is required to terminate all VLANs.
Keep in mind, however, that the drawback with all VLANs terminating on a single Router interface is an increased risk
of congestion on the link.
The Sub-interface feature is sometimes referred to as Router on a Stick or One-armed Router. This is in reference to the single
router terminating the traffic from each VLAN.
The Switch's port facing the router is configured as a standard Trunk:
Switch(config)# interface eth1/1
Switch(config-if)# switchport trunk encapsulation dot1q
Switch(config-if)# switchport mode trunk
The Router's configuration of Sub-interfaces is fairly straightforward. First, we enable the physical interface:
Router(config)# interface eth1/1
Router(config-if)# no shutdown
Next, we create and configure the first Sub-interface:
Router(config)# interface eth1/1.20
Router(config-subif)# encapsulation dot1q 20
Router(config-subif)# ip address 10.0.20.1 255.255.255.0
Apart from using the Sub-interface distinguisher (eth1/1.20) and using the encapsulation dot1q command, the rest of
the interface configuration is exactly the same as any other regular physical interface.
Similarly, we will also configure the Sub-interface for VLAN 30:
Router(config)# interface eth1/1.30
Router(config-subif)# encapsulation dot1q 30
Router(config-subif)# ip address 10.0.30.1 255.255.255.0
A point of clarity regarding the Sub-interface syntax. The number after the physical interface (fa0/3.20 and fa0/3.30) simply
serves the purpose of splitting up the physical interface into Sub-interfaces. The number specified in the encapsulation dot1q
<vlan-id> command is what actually specifies what VLAN ID the traffic belongs to.
These two values do not have to match, but often they do for the purpose of technician sanity.
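An added example, not code from the original article: a short Python check that reads a router running-config and reports which VLAN each sub-interface actually terminates, taken from the encapsulation dot1q line rather than from the sub-interface number. The sample config is constructed (the .40 and .50 sub-interfaces are hypothetical), and the function names are this example's own.

```python
import ipaddress
import re

# Constructed sample in the style of this article's router config. The .40 and
# .50 sub-interfaces are hypothetical: one mismatched, one missing its tag.
SAMPLE_CONFIG = """\
interface Ethernet1/1
 no ip address
interface Ethernet1/1.20
 encapsulation dot1Q 20
 ip address 10.0.20.1 255.255.255.0
interface Ethernet1/1.30
 encapsulation dot1Q 30
 ip address 10.0.30.1 255.255.255.0
interface Ethernet1/1.40
 encapsulation dot1Q 99
 ip address 10.0.40.1 255.255.255.0
interface Ethernet1/1.50
 ip address 10.0.50.1 255.255.255.0
"""

IFACE_RE = re.compile(r"^interface\s+(\S+?)(?:\.(\d+))?\s*$", re.IGNORECASE)
ENCAP_RE = re.compile(r"^\s+encapsulation\s+dot1q\s+(\d+)", re.IGNORECASE)
ADDR_RE = re.compile(r"^\s+ip\s+address\s+(\S+)\s+(\S+)", re.IGNORECASE)


def parse_subinterfaces(config):
    """Return one dict per sub-interface found in a running-config."""
    subifs, current = [], None
    for line in config.splitlines():
        m = IFACE_RE.match(line)
        if m:
            parent, sub_id = m.groups()
            current = None  # physical interfaces are skipped
            if sub_id is not None:
                current = {"name": f"{parent}.{sub_id}", "parent": parent,
                           "sub_id": int(sub_id), "vlan": None, "network": None}
                subifs.append(current)
        elif current is not None:
            m = ENCAP_RE.match(line)
            if m:
                current["vlan"] = int(m.group(1))
            m = ADDR_RE.match(line)
            if m:
                iface = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
                current["network"] = str(iface.network)
    return subifs


def vlan_to_network(subifs):
    """Map the VLAN ID that is actually tagged to the subnet it routes."""
    return {s["vlan"]: s["network"] for s in subifs if s["vlan"] is not None}


def audit(subifs):
    """Return (interface, finding) pairs worth a reviewer's attention."""
    findings, seen = [], {}
    for s in subifs:
        if s["vlan"] is None:
            findings.append((s["name"], "no dot1q encapsulation configured"))
            continue
        if s["vlan"] != s["sub_id"]:
            findings.append((s["name"], f"tags VLAN {s['vlan']}, not {s['sub_id']}"))
        key = (s["parent"], s["vlan"])
        if key in seen:
            findings.append((s["name"], f"VLAN {s['vlan']} already on {seen[key]}"))
        seen.setdefault(key, s["name"])
    return findings


if __name__ == "__main__":
    subifs = parse_subinterfaces(SAMPLE_CONFIG)
    for vlan, net in sorted(vlan_to_network(subifs).items()):
        print(f"VLAN {vlan:>4} -> {net}")
    for name, finding in audit(subifs):
        print(f"{name}: {finding}")
```

A mismatch is legal, as the text says; the report matters when filtering rules are written per VLAN and someone reads the VLAN off the interface name.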
Below you will find various show commands for the Router and the Switch. These can be used to understand and validate how
the environment is functioning.
Router Sub-Interface Show Commands
Router# show running-config
interface Ethernet1/1
 no ip address
interface Ethernet1/1.20
 encapsulation dot1Q 20
 ip address 10.0.20.1 255.255.255.0
interface Ethernet1/1.30
 encapsulation dot1Q 30
 ip address 10.0.30.1 255.255.255.0
Switch Trunk Show Commands
Switch# show running-config
vlan 20
vlan 30
interface Ethernet1/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
interface Ethernet2/1
 switchport access vlan 20
 switchport mode access
interface Ethernet2/2
 switchport access vlan 20
 switchport mode access
interface Ethernet3/1
 switchport access vlan 30
 switchport mode access
interface Ethernet3/2
 switchport access vlan 30
 switchport mode access
Layer 3 Switch
The last option for routing between VLANs does not involve a router at all. Nor does it involve using a traditional switch.
Instead, a different device entirely can be used. This device is known as a Layer 3 Switch (or sometimes also as a Multilayer
switch). But what exactly is a Layer 3 switch?
A Layer 3 Switch is different from a traditional Layer 2 Switch in that it has the
functionality for routing between VLANs intrinsically. In fact, when considering how
a L3 Switch operates, you can safely imagine that a Layer 3 Switch is a traditional
switch with a built-in Router.
With regard to VLANs, the Multilayer switch is configured mostly the same way as a
regular L2 switch:
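MultilayerSwitch(config)# vlan 20
MultilayerSwitch(config-vlan)# name RED
MultilayerSwitch(config)# vlan 30
MultilayerSwitch(config-vlan)# name BLUE
MultilayerSwitch(config)# interface range eth2/0 - 2
MultilayerSwitch(config-if-range)# switchport mode access
MultilayerSwitch(config-if-range)# switchport access vlan 20
MultilayerSwitch(config)# interface range eth3/0 - 2
MultilayerSwitch(config-if-range)# switchport mode access
MultilayerSwitch(config-if-range)# switchport access vlan 30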
Then, for each VLAN that you want the Multilayer switch to route for, you have the option of configuring an IP address within
what is known as an SVI, or a Switched Virtual Interface.
An SVI serves as the L3 termination point for each VLAN, aka the way in or out of each VLAN. Another way of looking at it is
that the SVI serves as the interface on the built-in Router of the Multilayer switch, allowing traffic from one VLAN to reach the
built-in Router and be routed to another VLAN as necessary.
The configuration for an SVI involves two parts. First, enabling IP Routing; and Second, applying an IP address to the VLAN.
To enable IP Routing, use the following command:
MultilayerSwitch(config)# ip routing
Routing only needs to be enabled once. Some L3 switches come with it enabled by default. Applying the command while it's
already enabled will not cause any harm, so if in doubt as to whether it's already enabled or not, simply applying it again is safe.
To apply an IP address to the VLANs, configure the SVI as follows:
MultilayerSwitch(config)# interface vlan 20
MultilayerSwitch(config-if)# ip address 10.0.20.1 255.255.255.0
MultilayerSwitch(config-if)# no shutdown
MultilayerSwitch(config)# interface vlan 30
MultilayerSwitch(config-if)# ip address 10.0.30.1 255.255.255.0
MultilayerSwitch(config-if)# no shutdown
The two configurations above will enable routing between VLAN 20 and VLAN 30. The hosts in each VLAN can use the IP
addresses 10.0.20.1 and 10.0.30.1 as their default gateway (respectively).
When Host A sends a packet to Host B, the packet will be switched within the same VLAN — no L3 processing will occur.
When Host A sends a packet to Host C, the packet will be sent to the SVI to be routed to the other VLAN, and all regular L3
processing will occur: the TTL will be decremented and the L2 header will be rewritten.
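An added example, not code from the original article: a small Python model of the forwarding decision described above, using a single MAC address table whose entries are scoped by VLAN as described in the first section. All MAC and IP addresses, port names and function names are constructed for illustration, and a single MAC shared by both SVIs is an assumption.

```python
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Frame:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    ttl: int = 64


# All addresses and port names below are constructed for this example.
SVI_MAC = "aaaa.aaaa.0001"  # assumption: every SVI shares one MAC
SVIS = {20: ipaddress.ip_interface("10.0.20.1/24"),
        30: ipaddress.ip_interface("10.0.30.1/24")}
PORT_VLAN = {"Eth2/1": 20, "Eth2/2": 20, "Eth3/1": 30, "Eth3/2": 30}
HOSTS = {  # name: (ip, mac, port)
    "A": ("10.0.20.11", "0000.0000.000a", "Eth2/1"),
    "B": ("10.0.20.12", "0000.0000.000b", "Eth2/2"),
    "C": ("10.0.30.11", "0000.0000.000c", "Eth3/1"),
    "D": ("10.0.30.12", "0000.0000.000d", "Eth3/2"),
}
# One MAC address table; every entry is scoped by the VLAN of its port.
MAC_TABLE = {(PORT_VLAN[port], mac): port for _, mac, port in HOSTS.values()}
ARP_TABLE = {ip: mac for ip, mac, _ in HOSTS.values()}


def route(frame):
    """L3 path: pick the egress VLAN by destination IP, rewrite L2, decrement TTL."""
    dst = ipaddress.ip_address(frame.dst_ip)
    out_vlan = next((v for v, svi in SVIS.items() if dst in svi.network), None)
    if out_vlan is None:
        return ("dropped: no route", [], frame)
    if frame.ttl <= 1:
        return ("dropped: TTL expired", [], frame)
    dst_mac = ARP_TABLE.get(frame.dst_ip)
    port = MAC_TABLE.get((out_vlan, dst_mac))
    if port is None:
        return ("dropped: next hop unresolved", [], frame)
    # The L3 addresses stay as they are; only the L2 header and TTL change.
    out = replace(frame, src_mac=SVI_MAC, dst_mac=dst_mac, ttl=frame.ttl - 1)
    return ("routed", [port], out)


def forward(in_port, frame):
    """Return (action, egress ports, frame as transmitted) for one ingress frame."""
    vlan = PORT_VLAN[in_port]
    if frame.dst_mac == SVI_MAC:          # addressed to the default gateway
        return route(frame)
    port = MAC_TABLE.get((vlan, frame.dst_mac))
    if port is not None:                  # known in the ingress VLAN: pure L2
        return ("switched", [port], frame)
    # Unknown in this VLAN, even if the MAC is known in another VLAN:
    # flood inside the ingress VLAN only.
    flood = sorted(p for p, v in PORT_VLAN.items() if v == vlan and p != in_port)
    return ("flooded", flood, frame)


def send(src, dst, dst_mac=None):
    """Build the frame host `src` would emit toward host `dst` and forward it."""
    s_ip, s_mac, s_port = HOSTS[src]
    d_ip, d_mac, _ = HOSTS[dst]
    same_net = ipaddress.ip_address(d_ip) in SVIS[PORT_VLAN[s_port]].network
    if dst_mac is None:                   # normal host: gateway MAC if off-net
        dst_mac = d_mac if same_net else SVI_MAC
    return forward(s_port, Frame(s_mac, dst_mac, s_ip, d_ip))


if __name__ == "__main__":
    print(send("A", "B"))                           # switched inside VLAN 20
    print(send("A", "C"))                           # routed through the SVIs
    print(send("A", "D", dst_mac=HOSTS["D"][1]))    # never leaves VLAN 20
```

The third call shows why the VLAN column in the table matters: a frame addressed directly to a MAC learned in VLAN 30 stays inside VLAN 20, so the only path between VLANs is the routed one, where filtering can be applied.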
Multilayer Switch Configuration
MultilayerSwitch# show running-config
ip routing
interface Vlan20
 ip address 10.0.20.1 255.255.255.0
interface Vlan30
 ip address 10.0.30.1 255.255.255.0
MultilayerSwitch# show ip route
Codes: L - local, C - connected,
Gateway of last resort is not set
      10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
C        10.0.20.0/24 is directly connected, Vlan20
L        10.0.20.1/32 is directly connected, Vlan20
C        10.0.30.0/24 is directly connected, Vlan30
L        10.0.30.1/32 is directly connected, Vlan30
Note: both sets of tabs and configuration above are from the same device. For the sake of organization, one set of tabs refers to
the L3 functions and the other refers to the L2 functions.
Summary
This article discussed the three different options for Routing between VLANs. In each case, the hosts in communication behave
exactly the same. In fact, the hosts have no visibility into how and what they are connected to.
Each strategy above has its own benefits and limitations. Hopefully at this point you have a good idea of the options available to
enable communication between hosts on different VLANs.
92 COMMENTS
Jacob
5 years ago
Nice post - thanks for these nuggets!
Hector
5 years ago
I really liked the detailed diagrams, the config examples and of course, the clear explanation. An excellent
source for beginners in networking. Kudos!
Ed Harmoush (@ed)
Reply to Hector, 5 years ago
Hi Hector, glad you liked the article. Thanks for the kind words.
Jose Carlos
5 years ago
Hi! I'm from Portugal. Congrats for the way you teach. Very well explained and easy to understand. Thanks!
Dhiraj
Can a single host access multiple VLANs using a layer 2 switch without a router?
Ed Harmoush (@ed)
Reply to Dhiraj
Hi Dhiraj. No, it can not. Recall that a single L2 switch with two VLANs is essentially like two physical
switches that are not connected together — frames from one can not reach the other. If you need to wrap
your head around it further, I would recommend this article.
Prem Karat
Reply to Ed Harmoush, 3 years ago
It can in the scenario of virtualization. Imagine the host is a hypervisor and it has a virtual switch; in
that case, the switch port on the physical switch that connects your virtual switch to the physical switch needs
to be configured as a trunk port.
Ed Harmoush (@ed)
Reply to Prem Karat, 3 years ago
The hypervisor here is not acting like a host. It may be a physical server, but you are connecting
into the virtual switch.
The virtual hosts within the hypervisor are still subject to the same rules as any other hosts
regarding VLANs: The vSwitch will not let two virtual hosts in different VLANs speak to each
other without something performing routing between the two VLANs.
Jon Pinkley
Reply to Dhiraj, 2 years ago
The answer Ed provided is true as long as the host has only a single interface and is connected to an access
port for a single vlan.
However, it is possible to have a host with multiple physical interfaces, each connecting to access ports on
two vlans. Or if connected to a trunk port, if the host is vlan-aware it can connect to multiple vlans on its
sub-interfaces on the trunk port.
Here's an example using a Raspberry Pi with the vlan package loaded.
https://www.sbprojects.net/projects/raspberrypi/vlan.php
Ed Harmoush (@ed)
Reply to Jon Pinkley, 2 years ago
There are always exceptions =). Yes, a single host with two NICs can have each NIC in a separate
VLAN. And of course if the host is VLAN aware, you can configure a host's single interface as a trunk
and therefore become members of multiple VLANs using VLAN tagging.
Ricardo Luiz
Excellent post. The best! Thank you
Ed Harmoush (@ed)
Reply to Ricardo Luiz, 2 years ago
You're welcome!
Asi Samson
Well explained, however, just a few questions since I am stuck in this same scenario. My question is:
How do I route between two different networks? I created subinterfaces in both routers and I can ping from
network 10.0.0.0 to network 192.168.0.2 interface fa0/0, but I cannot ping the interface (which has
subinterfaces) directly connected to the other LAN, which is interface fa0/1. I used router rip; please help, what
am I missing in the configurations?
Thank you
Asi
Ed Harmoush (@ed)
Reply to Asi Samson, 4 years ago
Hi Asi,
It is hard to know without seeing the configuration and topology. But I think your routers don't know of each
other's networks. This article can explain the details, but try comparing the show ip route of each router
and ensure they know about each other's networks.
Beyond that, this is probably not the best place to ask for specific configuration troubleshooting. Try posting
on Reddit's CCNA or Networking forums.
ANWAR
0000000
ANULJAIN
I really liked very nice
LafRay Red
Thank you kindly. Your method has assisted with really understanding this VLAN communication environment.
I appreciate you a whole lot.
Vishal
Really nice explanation. I was having some trouble understanding the SVI part. Could you share an example
with MAC addresses of the ports and SVIs and show how the L2 header changes?
Ed Harmoush (@ed)
Reply to Vishal, 4 years ago
Hi Vishal, absolutely.
Host A has the IP address 10.0.20.11 and Host C has the IP address 10.0.30.32. These IP addresses will be the
Source and Destination in the L3 header. Remember L3 is responsible for end to end delivery, therefore this
header will not change.
To understand the L2 header, we'll have to take a look at the Multilayer Switch output. From the show arp
command (the arp tab) we learn the four MAC addresses that will be used in the process.
Host A has a MAC address of 0050.7966.6800, and Host C has a MAC address of 0050.7966.6803. And,
the MAC address of SVI 20 is aabb.cc80.0200, and the MAC address of SVI 30 is aabb.cc80.0200 (it is
common for all SVIs on a L3 switch to share the same MAC address).
That said, when the packet is just leaving Host A, the L2 source will be 0050.7966.6800, and the L2
destination will be aabb.cc80.0200. When the packet is just leaving SVI 30, the L2 source will be
aabb.cc80.0200, and the L2 destination will be 0050.7966.6803.
L2 will accomplish the hop to hop delivery to move the packet through the entire path.
Hope this helps.
Vishal
Reply to Ed Harmoush, 4 years ago
Thanks Ed
ting
4 years ago
thank you for explanation,
have a question on the SVI
I could do the SVI connection as per your explanation. however, when trunk it with second layer three switch,
then I couldn't ping each other from another layer three switch, why could this happen?
thank you
What does it mean eth2/1, eth0/1 ?
Ed Harmoush (@ed)
Reply to Siar, 4 years ago
Those are simply the names of the physical interface ports on the Switch.
Alberto
4 years ago
In Layer 3 Switch
Add "ip routing" to enable the option of routing, this is important to test the communication of the VLANs.
Reply to Alberto, 4 years ago
Didn't see your comment until after I hit post.
Ed Harmoush (@ed)
Reply to Alberto, 3 years ago
I've updated the article with a note about enabling IP Routing. Thanks for pointing this out!
TJ
4 years ago
If the switch supports it, you can also simply enable ip routing
https://www.cisco.com/c/en/us/support/docs/lan-switching/inter-vlan-routing/41860-howto-L3-intervlanrouting.html
Ed Harmoush (@ed)
Reply to TJ
I've updated the article with a note about enabling IP Routing. Thanks for pointing this out =).
Mark
Thanks. I understand the routing of vlans well
anita
3 years ago
wow. Great article. I have worked 4 years in networking domain and configured VLANs too. But never
understood the concept. This is an eye-opener for me. Thanks a lot for writing such a lovely article
manorma
3 years ago
Very clear and detailed explanation
sijo
3 years ago
thank you sooooo much
Yohan Tejerta Carbajat
3 years ago
Hi, I'm from Uruguay, very clear, detailed articles, it helped me a lot, congrats!
Jana Uramova
3 years ago
Perfect, just one suggestion: It would be perfect to add also "show cdp neigh detail" to your article, because it
would be very explanatory to see the output on switch (in the 1st scenario, router with sub-interfaces), how
are IP addresses visible in the output. Also if L3 switch would have one access switch connected to it, it would
be perfect to see "sh cdp neigh detail" on this access switch, how are IP addresses visible in the output. If
someone knows the answer, please post it :)
There is another problem to discussion, what with the native vlan, and when, why and where to change
configuration for that (router ~ switch, L3switch ~ L2swite
Ed Harmoush (@ed)
Reply to Jana Uramova, 3 years ago
Hi Jana, good point about show cdp neighbor detail. Hopefully after reading this article though, you can
build these topologies yourself in GNS3/VIRL and find the output yourself =).
As for the Native VLAN, it wouldn't necessarily tie into which of the three methods for routing between
VLANs you choose. The concept of the Native VLAN was discussed here.
Peter
3 years ago
Hi Ed,
I must say you have done brilliant work but I think there is a small error upper image logical and physical has
twaalternate
Ed Harmoush (@ed)
Reply to Peter, 3 years ago
Hi Peter. I'm not sure I'm following, I think they are labeled correctly. Are you seeing something else?
Gary
3 years ago
Good informative post
We have a problem with a 2nd switch we have added to the network. Core switch is L3 and the additional one
is L3 too. We cannot get this 2nd/new switch to route from its vlan20 across to vlan20 on the other switch. We
have port going from vlan1 to vlan1 on the switches. I tried tagging the ports in vlan20 but that doesn't work.
How can we route the new switch vlan20 across to the other switch vlan20?
Thanks
Ed Harmoush (@ed)
Reply to Gary, 3 years ago
Hi Gary. Glad you liked the post. Your question is very specific though, unfortunately this isn't the right
medium for that type of question. I would recommend the Network Engineering Stack Exchange or the
Networking Sub Reddit.
Rohan
3 years ago
Hi
Please tell me do I need to enable ip routing cmd in L3 switch to enable routing between vlan 20 & vlan 30?
Ed Harmoush (@ed)
Reply to Rohan, 3 years ago
Hi Rohan, Yes, you do need to enable ip routing. I have updated the article with a note discussing it. Thanks
for pointing this out.
Pavan Gu
3 years ago
Please update the HSRP topic with troubleshooting methods.
CodeTron
3 years ago
One of the simplest description of how connecting VLANs for beginners
Thank you
Ivan
2 years ago
Very nice explanation in general. But I got some specific questions. The first is why do we need a VLAN field in
the entry of MAC table when VLAN has been set up in the switch? Is it only useful for blocking traffic when
broadcasting within a domain? The second is, given a layer 3 switch scenario, if two hosts in the same VLAN
domain, like A and B, would like to communicate with each other, only the MAC table will be used for
forwarding, right? Although they go through a TCP/IP stack. Thanks :)
Ed Harmoush (@ed)
Reply to Ivan
> why do we need a VLAN field in the entry of MAC table when VLAN has been set up in the switch?
Consider it as a separate MAC address table for each VLAN. The MAC addresses in VLAN 10 are not
"known" to the users in VLAN 20 (etc).
> if two hosts in the same VLAN domain, like A and B, would like to communicate with each other, only the
MAC table will be used for forwarding, right?
Yes, correct =). They will operate exactly like the host in this article:
https://www.practicalnetworking.net/series/packet-traveling/host-to-host/
https://www.practicalnetworking.net/series/packet-traveling/host-to-host-through-a-switch/
Ivan
Reply to Ed Harmoush, 2 years ago
Thanks for your reply :) I am still a little bit confused about the first question. Since users in diff VLANs
live in diff IP subnets, they should be able to judge that they are in diff domains before sending
packets. Hence in my point of view, the VLAN field seems useless in this scenario. And the only
scenario in which this field would be useful should be preventing broadcast packets from leaking.
Ed Harmoush (@ed)
Reply to Ivan, 2 years ago
A host can not always be trusted to do the right thing.
Look at the output of "show mac-address table" in the third example. Host A has the MAC
address 0050.7966.6800 and is in VLAN 20. Host D is in VLAN 30 and has the MAC address
0050.7966.6803. Being that these hosts are in different VLANs, we do NOT want them to
speak directly to each other (without going through a Router, which may have security policies
applied).
If Host A were to craft a malicious packet with a destination MAC address of 0050.7966.6803,
despite the switch having this MAC address in its MAC Table, since the entry belongs to VLAN
30, the switch will not forward it to Host D. It will instead act as if the switch did not have a
matching entry in the MAC table and simply flood the frame out all ports in VLAN 20.
Ivan
Reply to Ed Harmoush, 2 years ago
An excellent counterexample. Thanks a lot.
Ivan
2 years ago
I have ever seen the configuration file of a layer 3 switch in which some interfaces are also configured to be
sub-interfaces. Does it mean that a layer 3 switch can be in a mixed mode with sub-interface and SVI in use?
Thanks =)
Rajesh
2 years ago
Hi Ed,
Great explanation, thanks. Have a quick question. For routing, hosts need to configure the SVI as default
gateway, or we have to enable routing protocol on SVI and hosts. Would enabling proxy arp remove the need
for turning on routing protocol or configuring default gateway on hosts?
Host A needs to talk to Host C, it sends out an arp request for host C's IP address, can the layer 3 switch jump in
and proxy for host C?
Thanks,
Rajesh
Mohamed Maubasher
2 years ago
I just want to say Thank you very much for such efforts. The graphics and method is amazing, please keep the
good work.
poojitha
2 years ago
can I get explanation of encapsulation and decapsulation for HTTP or FTP request
Ed Harmoush (@ed)
Reply to poojitha, 2 years ago
Hello. The Encapsulation process is described in this article:
https://www.practicalnetworking.net/series/packet-traveling/osi-model/encap-decap
That link shows the three application Layers as simply creating a generic "DATA" payload. Each application
populates that payload differently. I don't have a write up about FTP, but I did write about the inner workings
of HTTP in this answer on the Network Engineering Stack Exchange:
https://networkengineering.stackexchange.com/a/13464/3675
Hope it helps.
vidath
2 years ago
Thank you so much, this really helped me!!
Ed Harmoush (@ed)
Reply to vidath, 2 years ago
Hi Vidath, You're welcome! I'm glad this helped!
Marco
2 years ago
Hi! I am an aeronautical engineer trying to acquire a solid background in networking as well. This is
undoubtedly the best explanation of communication among hosts belonging to different VLANs that I have
seen so far. Many thanks!
Ed Harmoush (@ed)
Reply to Marco, 2 years ago
Hi Marco, thank you for the kind words =) I'm so happy you enjoyed the content
Prasad PK
2 years ago
In scenario 1> where configured router on stick with 2 vlans on switch
switch connected with 1 host on each vlan,
Switch vlan 10 host 10.10.10.10 = Host A,
Switch vlan 20 - host 20.20.20.20 = Host B
*Default gateway not configured on both hosts
In Scenario 2> below is connectivity with 2 Switches instead 1 switch
Host A (Vlan10) - Switch 1 - Router - Switch 2 - host B (Vlan 20)
*The default gateway is not configured on switches
Question below for both topologies
What will happen when Host A sends packets (Broadcast) packet who is 20.20.20.20 Will router
Interface/interfaces receive that packet if yes what will be details of that packet and frame. will it reply with
proxy-arp and connectivity will work?
Ed Harmoush (@ed)
Reply to Prasad PK, 2 years ago
In both cases, the Router may respond to the ARP request (i.e., do Proxy ARP). But Proxy ARP shouldn't be
depended on for routing.
Also, remember, Host A wouldn't send a Broadcast for 20.20.20.20 unless it thought the IP 20.20.20.20 was
in its own network. This series will explain how hosts communicate with one another through Routers and
Switches:
https://www.practicalnetworking.net/series/packet-traveling/packet-traveling/
Saeed Rehman
2 years ago
I am literally blown away how smooth your content flows. It's really easy to follow and I'm so glad I've found
your website. I am learning CCNA from zero understanding or experience. Slowly going through the CCNA 200-301
book and was struggling with understanding Router on a stick and SVIs. I've now understood that they
are two separate options which can be used, but most importantly I get what the SVIs are used for.
Thank you so so much for setting this website and providing this content.
Ed Harmoush (@ed)
Reply to Saeed Rehman, 2 years ago
Hey Saeed, thanks for the kind words.
I'm so happy you found my articles beneficial.
If you're studying for CCNA, I put a list of all my CCNA related articles here:
https://www.practicalnetworking.net/index/ccna/
Hope it helps!
Mark Symms
1 year ago
Ed, thanks so much for this. I am currently designing my home network around a refurbished Cisco Catalyst
3750. I want to set up several VLANs but only need communication between a small subset of that. I am
planning on several SSIDs running to isolate the wireless devices even further (I hate Wifi). Anyway, how do I
isolate the communications between VLANs without it bleeding over to other VLANs? Granted I am very new
at this managed switch game.
Redwyvren87
1 year ago
Ed, solid article and used it to great effect to build a few VLANs at home for a lab setting. Quick question on the
topic, if the original purpose of VLANs is to provide a logical separation between networks (or subnets), why
would you want to perform routing between the VLANs? I can't find any good real world examples of a
network that has multiple VLANs with routing in between them.
Ed Harmoush (@ed)
Reply to Redwyvren87, 1 year ago
Originally, applying security policies (like ACLs) could only be done on Routers. Meaning if you wanted to filter
traffic between two PCs, you had to force that traffic to go through a Router. This allows you to logically
separate PC's but allow some or limited communication between them. If you want zero communication
between them, then you don't need to enable Routing between them.
So to summarize:
+ If you intend for two PC's to have full communication, put them in the same VLAN
+ If you want two PC's to have no communication, put them in different VLANs.
+ If you want two PC's to have limited communication, put them in different VLANs, but enable Routing
between VLANs and filter traffic as necessary on the Router
Hope it helps.
Sisira Kumara
1 year ago
Hi Ed Harmoush, First of all I want to say my special thanks for your article. It is clearly described how to build
different VLANs in a Cisco switch itself. Using Cisco packet tracer I practically did it; it went well for Multilayer
Switches, Layer 3 Switches. I wonder how I solve this problem in below layer 3 Switches till example
Cisco 2900 series or 2800 series or 1800 series switches. Your solution will be highly appreciated. Thank you
in advance. Looking forward to hear from you soon. /Sisira
Giuliano
1 year ago
Thank you very much for the detailed explanation, I had a lot of doubts about vlans and svi, and with this post
you made them clear to me. Really thank you so much <3
Vish
1 year ago
awesome post! Thanks. The layer 3 switch routing answered a question I've had for ages.
Love the diagrams AND the switch/router configs as well. makes it REALLY clear
Spoorthi
1 year ago
I really loved it. need not to look for any other 100's of sites! It's all in one best and complete book! I would
say a Bible for me! Thank you very much! Appreciate your knowledge and wisdom!
Ed Harmoush (@ed)
Reply to Spoorthi
You're welcome, Spoorthi =).
samir fadtallah
1 year ago
Hi,
Thanks for this topic. I always gets confused but when I read it is straight forward and clear. just one question: if
you enable ip routing on L3 switch you enable all vlans communication, but is there any command to route just
like 2 vlans from 5 vlans actually?
Ed Harmoush (@ed)
Reply to samir fadtallah, 4 months ago
You'd have to both enable and create SVIs to tell the L3 switch to route between VLANs. So in your example,
if you only want two VLANs to Route, you'd only create those two SVIs. The remaining three VLANs would
just act as regular L2 VLANs.
Jenny
11 months ago
Impressive article Ed, Awesome explanatory skills!
In your example regarding router's sub-interfaces, just one question to shed light:
was this the Mac address : aabb 00,0211 of router's physical port,
or switchport's virtual port (ie switch's trunk port);
To be precise if the Mac address aabb