So in this lab we are going to look at how different vendors have different configuration syntax for VLANs. We shall look at Cisco, we shall look at a Juniper router (or you can think of it as a layer 3 switch), and a Linux server.

We are starting here with two Cisco switches, SW1 and SW2. Each switch has an orange and a green VLAN configured, connected to it, and these are configured as access ports. Orange is VLAN 20, green is VLAN 30. The IP address subnet ranges for each are given at the bottom. Below each node, each access node has its IP address listed beneath it, and it's given by 100.64.<VLAN number>.<PC number>, so PC1 has that IP address, for example. There is also a Linux server at the center here, which has IP address 100.64.20.100 inside the orange VLAN 20 and 100.64.30.100 inside the green VLAN 30, and we shall get to how that works later on.

Let's console into the Cisco switch and see what we have configured. If you look at these different ports, this one here is, as you can see, Gigabit 0/0; this one here is Gigabit 2/1; this one here is Gigabit 3/1. Right, so this particular port is Gigabit 3/1. So let us look at those different interfaces to see what's configured there. So show run int gigabit 0/0, and this shows you that we've created something: the mode is trunk, and inside trunk mode the allowed VLANs are just these two, 20 and 30, and we've specified that we are using 802.1Q encapsulation. If we look at the other one, which was 2/1, this port is in mode access, and the VLAN when it's in access mode is VLAN 20. And if we look at 3/1, this is also in access mode, and the VLAN when it's in access mode is VLAN 30.

If you want to verify how the configuration looks on the command line, there are multiple show vlan commands, but we shall look at just a couple. If you do show vlan brief, you get a summary of the VLANs that exist on the switch, and you can see we have VLAN 20 there and we have VLAN 30, and you can see which interfaces VLAN 20 and VLAN 30 are configured on. Note that the default VLAN has other ports that have not been configured one way or another, and there are also some other VLANs that exist that we haven't created, but Cisco traditionally created these. Note also that Gigabit 0/0 isn't listed under VLAN 20 or VLAN 30. To see that, because it's a trunk port, you need to look at the output for a particular VLAN ID, so show vlan id, in this case 20, and then you shall see that Gigabit 0/0 is listed down there. So this is how you configure it in Cisco, and this is how you verify the configuration.

Now, these two devices here inside the blue circle collectively form a Juniper MX router. The architecture of Juniper has separate control and forwarding planes. Your forwarding plane is this one at the bottom, the VFP, and this is where you have line cards and different interface slots. The control plane is where you run routing protocols, and this is what you connect to to issue your configuration and the commands to verify what is happening on your router. This has a dedicated link between the control plane and the forwarding plane, so internally they exchange some information. Other external devices are connected to ports inside the control plane, and in this case these three links are connected into trunk ports, so that you can trunk from the Cisco switches as well as to the Ubuntu server.

So let us console, as we said, to the control plane and see what that looks like. We can look at the configuration by saying show configuration interfaces, and we see from the beginning that we have three gigabit Ethernet interfaces, 0/0/0, 0/0/1 and 0/0/2, and in each one of them, under the bridge family, we've said the interface mode is trunk and the VLAN ID list is 20 and 30. We've done that for each one of them, so this is how you specify that these are trunk ports.

Additionally, for Juniper you have to create, inside the configuration, what are called bridge domains, and you tell it what to do with these different VLANs. So if you say show, I want to look at the configuration for bridge domains, you can see that we've created one called vlan 20 with an ID of 20, and we've created one called vlan 30, which will match anything which has the VLAN ID 30 on it. To verify this and to see what it's doing, you issue the show bridge domain command, and you can see that we're using the same routing instance, default switch, because, remember, we said you can think of this as a layer 3 switch. But we have vlan 20 with that particular VLAN ID, and it lists all the interfaces that participate inside that VLAN. Same thing for vlan 30. And if you notice, interfaces are listed twice, so that would tell you that these are trunk ports, but of course inside this particular output you do not see the words access and trunk that you had here.

The last interface we created was 0/0/2. Let us create two more interfaces: 0/0/3 inside VLAN 20 as an access, and 0/0/4 inside VLAN 30 as an access as well. So the way we do that is we say configure, and then we say set interfaces gigabit ethernet, and we want to start with 0/0/3, and under the first unit, family bridge, we want to say the interface mode is access, and we want to say the VLAN ID. Now, you can have either vlan id list or vlan id, but in this case, for access mode, since we only have one VLAN, you just say I want this to be VLAN 20. And then we can do the same for the next interface which is available, which is ge4, and we say this would be VLAN 30.

So we can say show, and we want to ask it to compare, so that it shows us the lines that we've just added. We typed each one of these statements on one line, but it broke it out into this syntax. So for gigabit 3 we've said family bridge, interface mode is access, the ID is 20; for gigabit 4, family bridge, interface mode is access, the ID is 30. So we can commit this configuration, and we can get out of configuration mode back into exec mode, and if we again now look at our bridge domain, you will see that down here at the bottom Gigabit 3/0 has been added to vlan 20, and down here at the bottom Gigabit 4/0 has been added to vlan 30.

So now let us look at this Linux machine, and we shall log in. As soon as you log in, you can notice that there's an IP address for an interface vlan 20, and that is the IP address, and an IP address for vlan 30. These names could have been anything; they do not tell you exactly what VLAN it is, but it's good to have them match the VLANs that you want. This configuration, because it's Ubuntu 18.04, uses netplan, so the file that you use to configure this is inside /etc/netplan. If I scroll to the top, you have a network statement, then you have an ethernet statement that lists the physical Ethernet on this machine, and in this case we have ens3, and we've just set it not to have IP addresses on version 4 or version 6.

Then for the VLAN configuration you have any name; for the ID you specify the tag, which is 20; and under link you specify the interface that it's linked to; and then you can do things like specify the IP address. So this is how we do it. Other Linux systems might have different configuration files, but if you look at vlan/config you will end up with this same kind of thing: you'll have a name, the ID right there, as well as the interface that it's connected to. Also you can do things like ip address list vlan 20, and it will show you a couple of things, like the IP address itself; it will tell you that this is the scope, and it will tell you that it's an interface that is linked to ens3. So this will work irrespective of which Linux system you are using, as long as it has some way of configuring VLANs.

So because it has addresses in both these networks, I can say, for example, ping 100.64.20.1, which is PC1, and I can also ping, let's give it a count of 5, 100.64.30.12, which is down here inside VLAN 30, and that kind of works. However, because we don't have gateways on this network, if I'm on PC1 I can ping 100.64.20.100, and this will work fine because it's inside the same subnet as me, but I cannot ping 100.64.30.100, because it does not know how to reach that device from the server or from the PC. If I connect to a different set of PCs, for example PC12, I can ping 100.64.30.100.

Now what we're going to do is move the cables for these PCs into the access ports that we created earlier. So first we need to delete this link; we also need to delete this link. But all I want to do is delete this link; what I deleted was this, which doesn't really matter, this is just documentation to tell us which VLAN is which. So I've removed the link from PC12 and I've removed the link from PC1, and we can now add the link from PC1 ethernet 0 to the next available interface on the VFP, as well as PC12 from ethernet 0 to the next available interface on the VFP, which we already configured. Note that the names inside here do not match the names that the control plane sees. But once that is done, we should be able to ping 20.100 again, because it's still inside an access port inside VLAN 20, and down here it's still an access port inside VLAN 30, so this still works.

And if, whilst pinging, I run Wireshark on this interface (Wireshark allows us to capture packets as they go through the different interfaces), and let's say I'm only interested in ICMP packets, and I'm pinging from PC1 to 100 and I'm pinging from PC12 to 100, what you see on that link between the MX router, because this is where we're running Wireshark, on this link between here and down here, if you go back to Wireshark, is different packets. From 20.1 you'll have a packet, and you can see that it has an 802.1Q tag ID of 20. It has an Ethernet source and destination MAC address, which we could check, but it should match the MAC addresses of 20.1 and 20.100. And then this is the details of the tag: the priority, the flag for token ring, which we don't use, and the ID. For something that is in VLAN 30, you can clearly see that the ID changes to 30, both on the incoming packet as well as the response.

As a summary, these different vendors have different ways to specify VLAN configuration; however, they all internally will use 802.1Q to tag packets wherever they need to on trunk ports, and then on access ports they will all send untagged packets, so it is interoperable.

Now note that spanning VLANs needs to be done carefully. If you look at it, VLAN 20 now exists here, it exists here, it exists on this switch, so you need to be careful with how you span VLANs, because any device that participates inside VLAN 20 is affected by anything that happens inside that VLAN. For example, if we had a broadcast storm on this VLAN, it will affect these access ports; it will affect this trunk port, which in turn will affect all these access ports, because, much as they're in a different VLAN, they share the physical cable. It will affect that port, it will affect all these ports, and once you affect these ports you affect both this VLAN up here and this VLAN down here. So be very, very careful about spanning VLANs.
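
The tag fields seen in the Wireshark capture (priority, the token-ring flag, and the VLAN ID) can be decoded by hand. The following is an added example, not part of the original lab or recording: it builds one tagged and one untagged Ethernet frame and parses them. The MAC addresses, payload bytes and function names are constructed for illustration.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag

def build_frame(dst, src, payload, vlan_id=None, pcp=0, dei=0, ethertype=0x0800):
    """Build an Ethernet frame; when vlan_id is given, insert the 4-byte 802.1Q tag."""
    header = dst + src
    if vlan_id is not None:
        if not 1 <= vlan_id <= 4094:
            raise ValueError("VLAN ID must be 1..4094")
        # 3-bit priority, 1 flag bit (formerly CFI, the token-ring flag), 12-bit ID
        tci = (pcp << 13) | (dei << 12) | vlan_id
        header += struct.pack("!HH", TPID_8021Q, tci)
    return header + struct.pack("!H", ethertype) + payload

def parse_frame(frame):
    """Return MACs, inner EtherType and the tag fields (tag is None when untagged)."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    tag, offset = None, 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        tag = {"pcp": tci >> 13, "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF}
        offset = 18
    return {"dst": dst.hex(":"), "src": src.hex(":"), "ethertype": ethertype,
            "tag": tag, "payload": frame[offset:]}

def trunk_vlan(frame, allowed_vlans):
    """VLAN ID of a tagged frame if it is in the trunk's allowed list, else None.
    Untagged frames return None here; native-VLAN handling is not modelled."""
    tag = parse_frame(frame)["tag"]
    if tag is None or tag["vid"] not in allowed_vlans:
        return None
    return tag["vid"]

# Constructed sample data: made-up MAC addresses, zero bytes standing in for IPv4 + ICMP.
PC1_MAC = bytes.fromhex("020000000001")
SERVER_MAC = bytes.fromhex("020000000064")
PAYLOAD = b"\x00" * 28
TRUNK_FRAME = build_frame(SERVER_MAC, PC1_MAC, PAYLOAD, vlan_id=20)  # as seen on a trunk
ACCESS_FRAME = build_frame(SERVER_MAC, PC1_MAC, PAYLOAD)             # as seen on an access port

if __name__ == "__main__":
    for name, frame in (("trunk", TRUNK_FRAME), ("access", ACCESS_FRAME)):
        info = parse_frame(frame)
        print(name, len(frame), "bytes, tag:", info["tag"],
              "allowed on trunk as VLAN:", trunk_vlan(frame, {20, 30}))
```

The only difference between the two frames is the four tag bytes after the source MAC address, which is why the same traffic is interoperable across the three vendors.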

© Produced by Philip Smith and the Network Startup Resource Center, through the University of Oregon.

Attribution-NonCommercial 4.0 International (CC BY-NC 4.0)