Let’s assume the following for this example

• We have 2 public IP addresses (192.168.1.1 & 192.168.1.2)
• The IP address on the outside interface has been configured to use PAT for all internal IP addresses for Internet access (192.168.1.1)
• I have a DMZ with 3 servers, FTP, E-mail, and Web Server (10.0.1.1, 10.0.1.2 & 10.0.1.3 respectively)
• I need my 3 DMZ servers to be reachable from the Internet.

The above scenario poses a slight problem. If I have already used one of my public addresses for PAT to allow all internal hosts to access the Internet, I only have one IP address left but I require 3 static NAT entries to be created. In my post on Static NAT we saw that we configure NAT to map on a one-to-one basis, so in this scenario I would require 3 IP addresses, one for each of my DMZ servers.

The nice thing about the above scenario, is that each of the three servers is hosting a totally different service and therefore each requires different ports to be accessible from the Internet. This allows me to create static NAT’s that specify the ports, a type of overload function.

FTP would require ports 20,21 to be allowed
E-mail would require port 25 to be opened, and possibly 143 and 110 if you are using IMAP or POP
Web Server will require port 80, and possibly 443 if there is any SSL been used (https).

The above can be configured in the following way (interfaces would need to be configured as inside and outside as well, as seen here)

AOIP.ORG (config) # ip nat inside source static tcp 10.0.1.1 192.168.1.2 20
AOIP.ORG (config) # ip nat inside source static tcp 10.0.1.1 192.168.1.2 21

AOIP.ORG (config) # ip nat inside source static tcp 10.0.1.2 192.168.1.2 25
AOIP.ORG (config) # ip nat inside source static tcp 10.0.1.2 192.168.1.2 143
AOIP.ORG (config) # ip nat inside source static tcp 10.0.1.2 192.168.1.2 110

AOIP.ORG (config) # ip nat inside source static tcp 10.0.1.3 192.168.1.2 80
AOIP.ORG (config) # ip nat inside source static tcp 10.0.1.3 192.168.1.2 443

Related posts:

1. Configuring Static NAT on Cisco Routers
2. Configuring PAT on Cisco Routers (NAT Overload)
3. NAT (Network Address Translation)

PAT or otherwise known as NAT overload, allows you to translate IP addresses in a many-to-one method.
In my previous post on Configuring Dynamic NAT we saw that we can NAT many-to-many  but this was limited by the amount of public addresses that you have available. In cases such as home ADSL, your ISP will only issue you with a single public IP address but you might have 2 or more devices that need to access the Internet at any given time. This is where PAT takes over and makes this all possible.

As with any NAT configuration we need to first define our inside and outside interfaces. In this example I’ll use FastEthernet 0/0 as my inside, and Serial 0 as my outside.

AOIP.ORG (config) # interface FastEthernet 0/0
AOIP.ORG (config-if) # ip nat inside
AOIP.ORG (config-if) # interface Serial 0
AOIP.ORG (config-if) # ip nat outside

The next step is to define which addresses in my inside network I want to allow to be translated. Let’s assume my inside IP address range is 10.0.1.0 /24

AOIP.ORG (config) # access-list 1 permit 10.0.1.0 0.0.0.255 (Using a standard access-list is the easiest way to achieve this)

Then I need to configure the address that will be used by my internal IP addresses for accessing the outside interface. This can be done in 2 ways.

Option 1:
If I only have 1 public IP address, which is the case with home ADSL, the router will already have that IP address allocated to it by your ISP. The only thing I can do is tell the router to share that address with my internal hosts.

AOIP.ORG (config) # ip nat inside source list 1 Serial 0 overload (This defines my access-list 1 as the source addresses, and tell them to be translated into the same IP address that is configured on Serial 0. The overload command tells the router that it needs to keep track of all the source and destination ports so the IP address can be used multiple times, overloaded)

Option 2:
If I have a second public IP address that I would like to use for Internet browsing, I can configure PAT for that IP address.

AOIP.ORG (config) # ip nat inside source list 1 192.168.1.1 overload (Same as the above command, but I’ve specifically told the router which IP address to translate my internal hosts into)

This option is fantastic if you have multiple public addresses and you want to segment your Internet browsing based on departments or geographic locations. For example
Marketing – 10.1.0.0 /24
Sales – 10.2.0.0 /24
Technical – 10.3.0.0 /24

I can have each of the above departments using their own public IP address, which will make log files easier to read when tracking Internet use and for troubleshooting connection errors.

access-list 2 permit 10.1.0.0 0.0.0.255
access-list 3 permit 10.2.0.0 0.0.0.255
access-list 4 permit 10.3.0.0 0.0.0.255
ip nat inside source list 2 192.168.1.2 overload
ip nat inside source list 3 192.168.1.3 overload
ip nat inside source list 4 192.168.1.4 overload

Related posts:

1. Configuring Dynamic NAT on Cisco Routers
2. Configuring Static NAT on Cisco Routers
3. Static NAT overloaded???

Dynamic NAT allows us to translate many IP addresses into a pool of many IP addresses. The big thing to realize here is that the pool does not need to contain enough IP addresses to translate all the internal addresses at the same time, as would be the case if we used Static NAT. Dynamic NAT allows internal hosts to be translated into an IP address in the pool when it requires a connection. Once the internal host has finished it’s session the NAT entry is removed from the NAT table allowing another internal host to use the external IP address for it’s session.

Assume we have 50 hosts in our inside network but only have 5 public IP addresses available to use. With Dynamic NAT we can allow all 50 internal addresses to share the 5 public addresses as and when they need them. This of course does impose a limit of only 5 simultaneous connections to the outside world and that is where PAT would come in and solve that problem.

On of the benefits of using Dynamic NAT vs Static NAT, is that Dynamic NAT requires the session to originate from the inside network. No outside connections can be established to the inside network. This is obviously a more secure solution as connections from the outside won’t work; only traffic originating from the inside will be translated. Static NAT is different in the fact that the entry is added to the NAT table on a permanent basis and will allow connections in either direction.

Here are the steps to configure Dynamic NAT on a Cisco Router.

Step 1 : I need to define the IP address range that will be translated (my inside IP addresses). I can do this with a standard access-list

AOIP.ORG (config)# access-list 1 permit 10.0.1.0 0.0.0.255 (don’t forget, access-lists use wildcard masks, not subnet masks)

Step 2 : I need to configure the range of addresses that my internal network will be translated into by using a NAT pool.

AOIP.ORG (config) # ip nat pool MY_POOL 10.50.1.1 10.50.1.5 netmask 255.255.255.0 (There are 5 IP addresses that can be used for translation in this example)

Step3 : Define inside and outside interfaces

AOIP.ORG (config) # interface FastEthernet 0/0
AOIP.ORG (config-if) # ip nat inside
AOIP.ORG (config-if) # interface Serial 0
AOIP.ORG (config-if) # ip nat outside

Step 4 : Configure the translation to take place.

AOIP.ORG (config) # ip nat inside source list 1 pool MY_POOL (List 1 is my access-list that defined my inside IP addresses, MY_POOL defined the IP addresses to be used for the translation)

Related posts:

1. Configuring PAT on Cisco Routers (NAT Overload)
2. Configuring Static NAT on Cisco Routers
3. NAT (Network Address Translation)

Static NAT is a one-to-one mapping. It allows us to translate a single IP address into a different single IP address. This is most commonly found when you have a server inside your DMZ that you would like to allow the outside world (The Internet) to connect to, such as E-mail servers, FTP servers and Web servers (if you’re hosting your own).

The first step in configuration static NAT, is to define which interfaces on your router are involved in the NAT process and then configuring your Cisco router to know which interface is on which side of the network. Your Cisco router needs to know which interface is the inside interface and which is the outside interface to allow the translation to take place.

For example purposes let’s assume that FastEthernet 0/0 is the inside interface, and Serial 0 is my outside.

AOIP.ORG > en
AOIP.ORG # conf t
AOIP.ORG (config)# interface FastEthernet 0/0
AOIP.ORG (config-if)# ip nat inside
AOIP.ORG (config-if)# interface Serial 0
AOIP.ORG (config-if)# ip nat outside

So we have just informed our Cisco router of the inside and the outside, the next step is to tell your Router how to translate and what to translate.

Let’s assume that I have a server in my DMZ that has an IP address of 10.0.1.1 and I have a public IP address of 192.168.1.1 (yes I know this a private range part of RFC 1918, but for example purposes, let’s assume it’s not).

AOIP.ORG (config)# ip nat inside source static 10.0.1.1 192.168.1.1

That’s it, your done. When your server 10.0.1.1 connects to anything on Serial 0 and beyond, the source IP address will be translated into 192.168.1.1. Similarly, when someone from the Internet connects to the IP address 192.168.1.1 it will be translated into a destination IP address of 10.0.1.1 and hence connect to our server in the DMZ (Access-list permitting).

Related posts:

1. Configuring PAT on Cisco Routers (NAT Overload)
2. Configuring Dynamic NAT on Cisco Routers
3. Static NAT overloaded???

There are 3 ways to configure NAT on a Cisco Router
1/ Static NAT
2/ Dynamic NAT
3/ NAT overload (PAT – Port Address translation)

Static NAT is a one-to-one mapping. This is usually only required when you have a server inside your network (ie: Webserver, FTP, E-mail) that needs to be accessed from the internet. Users on the internet will access a public IP address that you have statically and permanently linked to your servers internal IP address. Of course any time your internal server sends packet to the internet, it’s source IP address will be translated into a public IP address configured with static NAT.

Dynamic NAT is used for many-to-many mapping. This will allow all your internal computers to be translated into a pool of public IP addresses, however if you only have 10 public IP addresses available in the NAT pool, only 10 computers will be able to access the public network at a time. Each computer will consume one public address at a time which makes this very limited for public internet access. The main purpose for dynamic NAT is to fix overlap IP addresses often experienced after a merger or acquisition. Since all companies use RFC 1918 for internal addresses, it’s not uncommon for 2 companies to be using the exact same internal IP addresses. When a merger or acquisition takes place there are issues with the IP addresses conflicting. Dynamic NAT allows us to translate the internal IP addresses from company ‘A’ into something unique that company ‘B’ does not use, and similarly translate all the internal IP addresses in company ‘B’ into something unique that company ‘A’ does not use. In most cases the ‘public’ address that the two companies will be translated into, will be part of RFC 1918 and will be used purely to resolve IP address overlaps, and NOT internet access.

NAT overload, or otherwise known as PAT (Port Address Translation), allows us to create a many-to-one mapping. Every computer in your network will be translated into a single Public IP address. This allows us to save on public addresses but still allows each computer in our organisation to access the internet at the same time. PAT identifies each session based on the source port number used in the communication flow. Since each session uses a random source port number, each session in theory should have a different number which allows PAT to associate a session with the single public IP addresses been shared. In the occurrence of two computers randomly choosing the same source port number, PAT will translate the port number and keep a record of the original as well as the new translated port to maintain the session. PAT will not allow internet users to access your internal servers as there is no mapping from outside to inside. The maximum theoretical limit for sharing a single IP address is 64,513 however the practical limit is dependent on the router or firewall doing the PAT and is usually limited to no more than 4,000 sessions to a single IP address.

Related posts:

1. Configuring PAT on Cisco Routers (NAT Overload)
2. Configuring Dynamic NAT on Cisco Routers
3. Useable IP addresses in private networks

As an additional method for securing your Cisco devices, it’s a good idea to bind an ACL (Access Control List) to the VTY’s (Virtual Terminal Lines). This will only allow IP addresses included in the ACL to create a connection to the device in addition to needing the password for the lines.

If we look at the diagram below, I might want to restrict telnet access into R1 so telnet will only be allowed to take place from AOIP.ORG and not from any other device or computer.

 In order to achieve the above, the following commands would need to be configured.

R1# conf t

R1(config)# access-list 1 permit host 192.168.1.10 log

Create a standard access-list (only checks the source address) and include the ‘log’ command so I will be able to see how many times the ACL has been matched. I don’t have to include any deny statements since there is always a implicit deny any statement at the end of every ACL

R1(config)# line vty 0 4

Enter the Virtual lines

R1(config-line)# access-class 1 in

Attach the ACL to the virtual lines for traffic inbound to the router.

Below is the live demo.

Related posts:

1. Configuring VTY Access
2. IP Address Spoofing Mitigation with Access Control Lists (ACL)
3. Mitigating SubSeven attacks

Firstly, most people believe that ACL’s are used purely for denying or allowing traffic, although this is certainly one of the functions of a ACL it certainly not the only function. ACL’s can be used for

1/ Permitting or denying packets moving THROUGH the router.

2/ Permitting or denying packet TO or FROM the router.

3/ QOS (Quality of Service)

4/ DDR (Dial-on Demand Routing)

5/ Route filtering

So let’s break down each of the above to see its use.

1/ When you want to restrict traffic from flowing THROUGH a router, you can attach a ACL to an interface of the router. This can be done on a INBOUND or OUTBOUND direction. The direction of the traffic is vitally important and how the router processes the information differs depending on direction of the ACL. If the ACL is bound to an interface INBOUND the ACL will take effect before any processing is done by the router. If the ACL is bound to an interface in a OUTBOUND direction, the router would have already processed the packet entirely before possibly dropping it. This could increase the processing on the router unnecessarily.

2/ Attaching an ACL to an interface however does NOT stop traffic that is going TO or FROM the router. This means that if I’m trying to telnet to the router, the ACL on the interface will NOT APPLY. In order to restrict traffic TO or FROM the router we need to attach the ACL to the Virtual Interfaces of the router (VTY lines).

3/ QOS uses ACL to define traffic that you wish to prioritise. The ACL are not bound to interfaces but are used in modular QOS

4/ When using dial-up interfaces such as modems or ISDN you don’t want to allow any traffic to cause the interfaces to dial. If all traffic was allowed to cause the lines to dial then every time a broadcast message took place the lines would dial. This would result in the lines constantly been connected and result in a large phone bill. With ACL for DDR we define what traffic is allowed to make the modem or ISDN lines dial and create a connection. It is important to understand that when the line is active ALL traffic is allowed to flow through the line. These ACL do not restrict traffic from flowing, they restrict traffic from causing the lines to dial!

5/ Route filtering is used when we wish to re-distribute routes learnt from one routing protocol into another one. This is most commonly seen when you have an EGP (Exterior Gateway Protocol) like BGP and you wish to insert some of the routes learnt from BGP into your IGP (Interior Gateway Protocol) such as OSPF. You cannot re-distribute the entire BGP routing table into OSPF as OSPF cannot handle a routing table of that size, so we can restrict which entries that will be re-distributed using an ACL.

Now that we understand the different uses of Access Control List we now need to see the 3 different types of ACL’s. STANDARD, EXTENDED and NAMED

Standard ACL only check the source address of the packet and can either permit or deny the entire protocol suite. It will have a number between 1-99 and 1300-1999

Extended ACL can check the source and destination addresses, the source and destination port numbers, and specific protocols. It will have a number between 100-199 and 2000-2699

Named ACL can be either standard or extended ACL, however we can associate a name to the ACL instead of using numbers.

Guidelines:

- One ACL per interface, per protocol, per direction

- The order of ACL statements is important. Once  match has been made no further testing is done.

- The most restrictive statements go at the top of the list

- The last statement in an ACL is ALWAYS an implicit deny any, so every ACL needs at least one permit statement

- ACL must be configured before applying them to interfaces

Related posts:

1. Restricting access to VTY (Virtual Terminal Lines)
2. Mitigating Smurf DoS Attacks
3. Configuring VTY Access

As an example, I have 2 VLANS, VLAN 10 and VLAN 20 which have subnets 10.0.10.0/24 and 10.0.20.0/24 respectively. In order to have traffic from one subnet communicate with the other routing would have to take place. Furthermore the switch I have used in the example below is a layer 2 switch so there is no routing functionality available so I am forced to use a router.

This leaves me with 2 options.

1/ Plug my router into my switch with 2 cables. Configure 1 port on the router to be in subnet 10.0.10.0/24 and in VLAN 10, and configure a second port to be in subnet 10.0.20.0/24 and associate that port to VLAN 20.

This is not a major issue, and this is something that could easily be configured, however it will require a router with 2 interfaces free for me to use. What if I had more than 2 VLAN’s? What if I had 200 VLAN’s (Not an uncommon scenario)? Not only would this mean I need a router with 200 interfaces, but it would also mean that my switch would need 200 interfaces. So far this is not looking like a very scalable solution.

2/ I can plug my router in my switch with a single cable. Configure Sub-interfaces on the router and associate each sub-interface to each VLAN. This is FAR more scalable and would allow me to configure more than 2 VLAN’s on a single interface

NOTE: A sub-interface is a logical separation of the physical interface. Each sub-interface can be configured as if it were a physical port on the device.

As you can see from the above, option 2 is the only logical solution for scalability and ease. There is however one small problem with using this option. In order to have multiple VLAN’s been sent over a single cable/port the port needs to be configured as a Trunk port. In my example I have already configured the switch and made FastEthernet 0/23 a trunk port using dot1q as my encapsulation protocol. (Port f0/23 on the switch is plugged into the router’s port f0/1)

Here is the breakdown of the configuration needed to configure a Router on a stick.

AOIP.ORG# ping 10.0.10.2

Confirming that ping does not work to the interface VLAN 10 on my switch which has IP address 10.0.10.2

AOIP.ORG# ping 10.0.20.2

Confirming that ping does not work to the interface VLAN 20 on my switch which has IP address 10.0.20.2

AOIP.ORG(config)# interface fastethernet 0/1.10

This enters the interface FastEthernet 0/1 and creates a sub-interface named ‘10’. NOTE: It is a wise idea to name your sub-interface the same as the VLAN number you are going to allocate it to for help with troubleshooting.

AOIP.ORG(config-subif)# encapsulation dot1q 10

Configures the sub-interface to be encapsulated with dot1q, and allocates this sub-interface to VLAN 10

AOIP.ORG(config-subif)# ip address 10.0.10.1 255.255.255.0

Associate an IP address to the sub-interface

AOIP.ORG(config-subif)# exit

AOIP.ORG(config)# interface fastethernet 0/1.20

This enters the interface FastEthernet 0/1 and creates a sub-interface named ‘20’. NOTE: It is a wise idea to name your sub-interface the same as the VLAN number you are going to allocate it to for help with troubleshooting.

AOIP.ORG(config-subif)# encapsulation dot1q 20

Configures the sub-interface to be encapsulated with dot1q, and allocates this sub-interface to VLAN 20

AOIP.ORG(config-subif)# ip address 10.0.20.1 255.255.255.0

Associate an IP address to the sub-interface

AOIP.ORG(config-subif)# exit

AOIP.ORG(config)# exit

AOIP.ORG# ping 10.0.10.2

Confirm that ping now works, you will notice the first ping failed, but this is purely a ARP delay that caused this

AOIP.ORG# ping 10.0.20.2

Confirm that ping now works, you will notice the first ping failed, but this is purely a ARP delay that caused this

In order to complete the design and installation of the above, all computers that are in VLAN 10 would need to have their Default-gateway configured as 10.0.10.1 and machines in VLAN 20 would need their Default-gateway configured as 10.0.20.1.

When a machine from VLAN 10 tries to communicate with a machine in VLAN 20 the following will take place

1/ Packet enters the switch

2/ The Switch will send the packet via the TRUNK port on VLAN 10 to the router.

3/  The router will receive the packet on sub-interface f0/1.10 tagged as VLAN 10

4/ The router will remove the TAG on the packet and do a lookup in the routing table

5/ The router will encapsulate the packet with a TAG for VLAN 20

6/ The router will send the packet via the TRUNK to the switch on VLAN 20 through sub-interface f0/1.20

7/ The switch will receive the packet on the trunk port on VLAN 20

8/ The switch will send the packet to the destination computer.

Below is the live demo.

Related posts:

1. Configuring a Trunk port on a Cisco Switch
2. VTP (VLAN Trunking Protocol)
3. Configuring an Access port on a Cisco switch

1/ VLAN information will only be sent on trunk ports

2/ Only the VLAN identity is replicated, NOT which ports are configured to use that VLAN!

3/ Maintains database consistency through a common administrative domain. Switches that are not in the same VTP domain WILL NOT replicate!

4/ VTP advertisement are sent as multicast frames

5/ VTP advertisements are sent every 5 minutes or when there is a change.

So based on the above, when I create a new VLAN on a switch, that VLAN will be replicated to all other switches that are in the same VTP domain as the switch I made the change. This allows me to create a VLAN once and have the rest of the network learn about the creation via replication. Once the VLAN information has been replicated, then the switches will be able to allocate ports to the VLAN. At no time will a switch inform other switches about which ports are in which VLANS. VTP purely replicates the existence of the VLAN.

Further to the above, a switch can be configured to be in one of 3 modes of VTP (Server, Client, Transparent)

Server Mode

-          Creates VLAN’s

-          Modifies VLAN’s
-          Deletes VLAN’s

-          Sends and forwards the advertisements about the VLAN’s

-          Synchronizes changes with other switches

-          Saves the information to NVRAM (non volatile RAM)

Client Mode

-          Cannot create, change or delete VLAN’s

-          Forwards advertisements that it has received

-          Synchronizes changes with other switches

-          Does NOT save information to NVRAM, so when it’s rebooted it has to relearn the information

Transparent Mode

-          Creates LOCAL VLAN’s only (This information will not be sent or advertised to any other devices)

-          Modifies LOCAL VLAN’s only

-          Deletes LOCAL VLAN’s only

-          Sends and forwards advertisements that it has received from other devices

-          Does NOT synchronize

-          Saves its OWN configuration to NVRAM

Further to the above it’s important to understand that Transparent mode VTP is usually used in DMZ’s where the information should not be replicated or shared to any other devices on the network. Anything configured on a switch in Transparent mode, remains local to the device. It will not replicate the information with any other devices, and it will not learn any information from other devices.

In most cases, you would have a Server were changes to the VLAN’s would be done, and those changes would be replicated to all other switches in your network which would be running in client mode.

IMPORTANT NOTE: NEVER plug a new switch into a network unless you have configured it as CLIENT MODE!!!. If the new device was configured as a server and it happened to have a higher revision number (Synchronisation number) than the REAL server, the entire database will be overwritten and all VLAN configuration will be lost! This could cause the ENTIRE network to crash. This happens frequently when you have a test network, and you decide to use one of the test switches in the live network.

VTP pruning increases the available bandwidth by reducing unnecessary flooding traffic. This takes form in the following way…

If I have 6 switches in my network, and only 4 of them have any ports configured for VLAN 10, then only 4 switches would need to receive traffic destined for VLAN 10. The other 2 switches would learn about VLAN 10 through VTP and identify that they do not have any ports configured for that VLAN. They will then send a message (prune message) to all other switches asking them not to forward traffic destined for VLAN 10 to them as it will not be useful. If at any point these 2 switches DID have a port configured for VLAN 10, they would un prune themselves. Based on this, traffic destined for VLAN 10 would only be sent to switches that had ports configured to belong to VLAN 10. Please note, VTP does NOT send the port information to other switches, if a switch receives a prune message it would know not to forward traffic to that device for that particular VLAN, it does NOT know what the port configuration is of the neighbour switch.

In order to increase the security of the VTP information, as password can be set. Only devices that share the same password will be able to exchange information with each other. The password checking between devices is done through the use of MD5 hashing, so the password is never sent over the wire.

Additionally, there are currently 2 versions of VTP, VTP version 2 supports the same functions and features as version 1, but also includes the following

-          Token Ring Support

-          Unrecognized Type-Length-Values (TLV)

-          Version-Dependent Transparent mode

-          Consistency Checks

Below is the configuration breakdown used in the live demo.

AOIP.ORG_Switch# conf t

AOIP.ORG_Switch(config)# vtp mode server

Set the mode to Server

AOIP.ORG_Switch(config)# vtp domain AOIP

Defines the Domain name (it is CaSeSeNsItIvE)

AOIP.ORG_Switch(config)# vtp password aoip

Sets the password

AOIP.ORG_Switch(config)# vtp pruning

Turns on VTP pruning

AOIP.ORG_Switch(config)# vtp version 2

Changes to version to version 2 support

AOIP.ORG_Switch(config)#exit

AOIP.ORG_Switch# show vtp status

Shows the current configuration of VTP as well as the replication revision number as seen in the below diagram.

Below is the Live Demo.

Related posts:

1. Configuring a Trunk port on a Cisco Switch
2. Inter-VLAN Routing (Router on a Stick)
3. Configuring an Access port on a Cisco switch

In previous years, an office would have a physical switch or hub in each office, and offices were structured around the job function. In other words, all sales people would be in the same office and would all be connected to the same switch or hub. This allowed for physical association of devices in our networks. In today’s networks people are often spread across multiple offices but we still want to have them separated from a logical point of view.

One reason we want to separate machines logically is to implement access controls. If I don’t want to allow sales people to share and copy files with the marketing people then I would need to implement an ACL (Access Control List) that would deny the traffic. This is easy to achieve if the sales and marketing people are in separate subnets and logically separated from each other. VLAN’s give us this exact option. If you computer has been plugged into a port that is configured in VLAN 10, you are only able to communicate with people in VLAN 10. In order for you to communicate with a different VLAN you traffic MUST go through a router (multi-layer switches have built in routers) and hence the router would be able to run Access lists to allow or deny the traffic.

Another reason for separating the traffic is to isolate broadcasts. Routers do not forward broadcast messages, so any broadcasts that take place on VLAN 10 would remain in VLAN 10.

Another important thing to remember about VLAN’S is:

A VLAN is equal to a Subnet. This means that if I have 2 VLANS, I have at least 2 subnets. I can have more than 1 subnet in a single VLAN, but I cannot have 1 subnet in multiple VLANS.

Below is the configuration to configure a VLAN. To see how to configure a port to belong to a VLAN see the article Configuring an Access port on a Cisco switch

AOIP.ORG# conf t

AOIP.ORG(config)# vlan 2

This creates VLAN 2

AOIP.ORG(config-vlan)# name sales

In order to make your life easier to troubleshoot, naming the VLAN is a good idea. In this case ‘sales’ is the name of our vlan

AOIP.ORG(config-vlan)#exit

AOIP.ORG(config-vlan)# vlan 3

This creates VLAN 2

AOIP.ORG(config-vlan)# name marketing

Naming VLAN 3 – marketing

AOIP.ORG(config-vlan)# exit

AOIP.ORG(config)# exit

AOIP.ORG# show vlan

You will now be able to see which VLAN’s have been created on your device and which ports have been allocated to them.

Related posts:

1. Inter-VLAN Routing (Router on a Stick)
2. VTP (VLAN Trunking Protocol)
3. Configuring a Trunk port on a Cisco Switch