Let us discuss how you route inter-VLAN traffic. We mentioned that you are going to typically have a different layer 3 subnet for each VLAN and that way because if you remember the presentation about layers, devices will only try to communicate at layer 2 at the ethernet layer if they belong to the same layer 3 subnet, same ipv4, ipv6 subnet. So if you've split these different VLANs so you've created different switches different layer two networks you need the router to move traffic between them and you can do this in multiple ways the first way is what we've shown and in this case you have two switches configured as before with the orange and green VLANs and you have trunk ports instead of directly to the other switch they're going to a third switch and into the switch we've plugged in a router if you plug in the router with just one interface then you need to create it as a trunk port on the switch as well as on the router on the router you might need to use sub interfaces and in that case the same physical interface will root traffic for each VLAN so each of the sub interfaces will have an IP address for the subnet that belongs to either the orange VLAN or the green VLAN. The other way you can do this is you have the same setup as before but this time you have a router with two interfaces: one for each VLAN and in this case you have a cable from each VLAN to the router and since it's only carrying one traffic for one VLAN on the switch it's configured as an access port so in this case each VLAN has its own router interface and this has the advantage that the VLANs are not sharing the bandwidth of a physical interface because when you have a trunk with multiple VLANs on it they'll share the same physical interface bandwidth however this can get a bit complicated if you have three four five six seven eight vlans you end up having to pull multiple cables just because you're splitting vlans so the third way you could do this is with an 802.1 q compliant layer three switch so this is a device that can do switching as well as routing so it collapses the functions of those two different devices that we've been seeing the switch and the router so you have trunk ports into the different switches that have the access devices inside 20 and 30. the layer 3 switch will decide if it's going to switch a packet a frame for example if it if the source and destination is within the same vlan or if it's going to try and root the frame if the source and destination are in multiple vlans this tends to be more efficient if you have a core router and you have multiple VLANs on your campus having a layer 3 switch tends to work better than having separate devices and switching a router. From the discussion above you should see that vlans increase complexity on your network you can no longer just replace a switch now you have vlan configuration to maintain you need to remember what was configured on the old switch and then put it on the new switch before you plug it in also the field technician who goes to swap the switch needs more skills you can't just send anybody to swap the switch that person needs to know that they need to move the cables to the same port and in case you are swapping a switch with fewer ports for a switch with more ports you need to have already discussed what you're going to do and the field technician must be able to verify the configuration and everything is working before they leave the remote site so it adds maintenance secondly each time you configure the switch to switch trunks you have to make sure that the trunks carry all the required vlans so you have to make sure that you have all the vlans on the transport otherwise you'll find a scenario where some devices in a particular VLAN are unable to communicate with other devices on a different switch in the same vlan because somewhere the vlan is missing on one of the trunk links and you have to keep this in mind each time you add or remove vlans as a result they are good times to use vlans and there are bad times to use VLANs so let's look at the good reasons you might have for using VLANs and as an example you might have a scenario where like we explained earlier you have a router in the core and then you have a single fiber going to your building but then inside that building you might want to have different subnets and you want to carry them across this single fiber pair in this case you would use a trunk link from the core router to the building and split your vlans that way and that's a good reason to use a vlans you might also want to segment your network into multiple subnets and yet you do not have budget to buy more switches for each subnet at that moment but this will allow you to create separate broadcast domains that will allow you to split for example your word and your wireless um or your phones and etc um you might also want to separate control traffic from user traffic control traffic is the kind of traffic that you use to manage your switches and other devices so for example ssh or SNMP that kind of traffic is controlled traffic you might want to separate that from user traffic. User traffic is a traffic that is flowing through the switch either to your servers or to destinations out onto the internet. So separating that traffic from the control traffic is a good reason to use VLANs there are some bad reasons people choose to use vlans and some examples are given on this slide number one do not use vlans just because you can just because the switch has the feature. Remember VLANs add complexity and you should keep your network as simple as possible. Only add complexity when you need it. There is no need to add that management nightmare just because the feature is there. Secondly some people imagine that VLANs completely secure a host and we see this for example: people want to have a different teachers or staff VLAN and the student VLAN and you get into trouble in cases like for example if i come into a classroom and i am teaching is my port a staff port or or a student port and if it's a staff port what happens when i leave the classroom can somebody now come and plug in their laptop and become a staff member so you have to be careful with that then switches also have this ability to have the same IP network because remember all members of a vlan are members of the same switch even if it's on different physical switches so people sometimes use this to extend an ip network across multiple separate buildings for various reasons and it's very common and sometimes some vendors actually have it inside their documentation and it's a very bad idea much as it's a common set up it's such a bad idea that we've coined the term VLAN spaghetti and we highly recommend that you do not build VLAN spaghetti. VLAN spaghetti is where you extend a VLAN to multiple buildings across the trunk port and you start with one VLAN and then you have another VLAN and then you have another VLAN so you end up with this mesh of VLANs. And it's a bad idea because broadcast traffic is going to be carried across all trunks from one end of the network to the other and everybody will see that broadcast traffic. Secondly if you have a broadcast storm all trunk ports that carry that VLAN are going to suffer from that broadcast storm it's going to affect other VLANs as well as long as they are on switches that carry that particular VLAN, it won't affect just a VLAN an increase of maintenance and troubleshooting nightmare. So please do not build VLAN spaghetti.
© Produced by Philip Smith and the Network Startup Resource Center, through the University of Oregon.
Attribution-NonCommercial 4.0 International (CC BY-NC 4.0)
This is a human-readable summary of (and not a substitute for) the license. Disclaimer. You are free to: Share — copy and redistribute the material in any medium or format Adapt — remix, transform, and build upon the material The licensor cannot revoke these freedoms as long as you follow the license terms. Under the following terms: Attribution — You must give appropriate credit, provide a link to the license, and indicate if changes were made. You may do so in any reasonable manner, but not in any way that suggests the licensor endorses you or your use. NonCommercial — You may not use the material for commercial purposes. No additional restrictions — You may not apply legal terms or technological measures that legally restrict others from doing anything the license permits.