Virtual VLANs

Welcome back, everyone. Now we're going to get into VLANs. We'll start off with VLANs first. Now, we already know VLANs. Okay, well, let's talk about, here it's talking about, basically, that in layer two, with the layer two switch, even though layer three...

But if you're using layer three switches, they're using routing capabilities. But in a layer two, a full layer two topology, if you don't create VLANs, you're going to have one huge broadcast domain. And you will have multiple collision domains. Needless to say, you will have the full bandwidth, you'll have the full duplex going back and forth, but you're going to create a huge broadcast domain, not only because the book says so, but because I lived it. Okay. I was in high school, and those of you taking my CCNA know this, I've told this story 3 million times.

Okay. 24 classrooms, okay. Each classroom has a switch that goes to a central switch, or central rack I should say. And no VLANs, zero VLANs. So anybody, any student, any faculty member gets on that particular network, because you have the faculty side and the administration side. Anybody in the faculty network, or segment, or block, right, not to use their terminology.

You're going to hear that noise regardless. People think that once the ARP is over with, or once, you know, oh, ARP, that's what it is. ARP, once it learns, it caches; there is an expiration time on that. Okay, well, once ARP is done, you know, ARP is done. But you still hear noise, because we're saying, hey, somebody's trying to transmit, but that's not me, so I'm not going to answer. But you still hear that noise. Make the test yourself. Because when the IT department tries to image a particular classroom, it doesn't matter, it's still gonna go to the entire network, because you have one huge network.

That's what they consider a flat network, a flat network. This is where VLANs come into effect. Connect, the members won't get anywhere. And that's the whole purpose, though, this last bullet point here: VLANs take away the restriction of you being in a particular location. You can be in the same VLAN and be somewhere else, because they're logical. It doesn't really matter physically where you're at.

As long as you are a member of that VLAN, you'll be good to go. So VLANs definitely are something that needs to be part of your network. You must create them, you must assign them. And obviously, we start talking about trunking: you must trunk the appropriate port. But definitely we need VLANs. If not, you're going to run into some major, major issues.

Now there's two types. All right, VLANs are static and dynamic. Let's talk about static VLANs first. They are port-based memberships, meaning that we assign a VLAN to a range of ports. Okay, that means that you will actually go in there and say, hey, VLAN 2, name so-and-so, and a range, or one by one, but you know, a range is your 1-15, and then switchport mode access, switchport mode, oh, switchport access vlan 10, 20, 30, whatever it is. Okay. So that's what it means by port-based: you're assigning users or end devices, nodes, to those particular ports.

Okay. Now it says here that they will be identified, period, as a port VLAN identifier. Yes, you know, one has a special... and I've told this to everyone, because remember, we have access ports and we have trunk ports. Not to get ahead of myself, but you should know this, you should know this if you do your CCNA studies: the only VLAN that can go across a trunk port... okay, I'm sorry, the only VLAN that can go across a trunk port and an access port is the native VLAN, the default VLAN, the administrative VLAN, the management VLAN, whatever you want to call it. All right, the native one, which is by default; you can change that. Okay, but that one has a special privilege that you don't have to trunk ports for. All other VLANs, you have to trunk ports, but the purpose is a trunk port will carry multiple VLANs, and an access port will only carry one VLAN, one VLAN. And here's the configuration of a static VLAN; when we get into a lab you'll see it: vlan 10, name faculty. And you can do up to 32 characters, so those of you that want to know, well, how many characters can I put: make it simple.

Why would I make that name, though? Building one, floor two, cubicle three, Janie, I mean, come on. Seriously, don't do nothing like that. I mean, be descriptive. Okay, you have descriptions you can put on your interfaces. So keep the names.

You know, I've seen huge sentences, 4 million names, which is insane. But anyway, this is how you will configure a static VLAN. All right, and yes, they are port-based; they are port-based because you're assigning them to ports, basically. Now, assigning static VLANs. Again, you can do it one at a time. You must turn the port mode to access, because by default they're in auto, okay, dynamic auto.

So switchport mode access, you have to do that, you got to do that. And then switchport access vlan, and then the number, the number of the VLAN. And there's another thing when creating... well, I think we're here right now, when you are creating VLANs. And this is a question I've been asked many times: should I, I mean, you know, should I name the VLAN? Do I have to name a VLAN?

No, you don't have to name a VLAN. We can go ahead and just let it name itself, 0010, 0003, whatever. I mean, it gives it a number. You don't want that. Okay? Give it a name.

Give it an actual name, please. And the other question is, do I have to create a VLAN first, or can I assign it first? Now, you're going to assign a VLAN first, and then the router says, VLAN does not exist. Or switch, I'm sorry. The VLAN does not exist; would you like for us to create it?

And it creates it for you automatically with a name... with a number, I'm sorry. So why would you assign something that's not there? Don't do that. Don't do that. Create it, give it a name, then assign it.

And again, you're gonna assign it by individual ports, okay? Or you can do a range, interface range. And then you do switchport mode access, and then whatever VLAN you're going to use, give it a name. And then you can do it by a range, okay? One by one is fine, but these are static, static.

All right. Now, here you can see there's two commands, show vlan and show vlan brief. This is really show vlan; I just cut off all the other stuff that it says down here, because it gives you a whole bunch of other information. But the show vlan brief is the same as this.

All you're going to see is, hey, 10, HR; 20, accounting; whatever you did, and then what ports they are active on, ports one and two. Port one is HR, port two is accounting. And then the default VLAN is on all the other ports. So you can use either one of these commands, and show vlan brief is really all you need. Well, if you're going to use show vlan, you see the whole thing; it doesn't really matter. The information down here, you're not going to really need. What you're looking at is this right here.

Okay? All right. Now, dynamic VLANs. This is based on, as it says, their membership is based on MAC addresses. All right. So it is more flexible; you can allow more things.

But then now you got to have a VMPS server, or VLAN membership policy server, that you have to create user accounts on, and all these different things. It does allow for more flexibility, mobility, because of this. Think that you have users that work in multiple buildings, and they're across counties, townships, whatever, okay. And they got to drive back and forth. You can just start creating VLANs yourself manually, and then have them assigned, or do switchport security. Oh my god, no. Yeah, let me put in his MAC.

Let me put it in, or I'm going to allow so many people, but what if they switch laptops? What if they're using, you know, different devices every time they come in and out? It's not that you can't. So that's why it's based on membership with MAC addresses. Okay.

But again, this is something that's nice, to query the database for the VLAN membership. Are you really the user that's supposed to be on here? Okay. Yes, you are. Here's your account, okay, boom, and then you're in. But again, admins must assign the user's MAC address to the VLAN in the database, or the VLAN membership policy server. Admins must assign.

So yeah, there's some legwork at the beginning, just like anything else. This is nice. But again, some people use it, some people don't. It depends on the size of your network. We're talking about enterprise networks; this may work for you. Just know that you do need a server. All right, and then you need to create these accounts.

So when people go in there, they're gonna go ahead and authenticate, okay, or query, as it says right there, to that particular server, so you can get allowed in. Alright. So that is what a dynamic VLAN is. I doubt that you'll see that in a particular test. Now there's two classes of VLANs.

And this is funny: end-to-end VLANs and local VLANs. The difference: end-to-end VLANs are going to go all over the place. All right, you leave your own segment, and you can have the same VLAN somewhere else, in another block, and another block, and another block. That's an end-to-end VLAN. Right. Apparently, they don't like that. They like local VLANs.

Very few end-to-end VLANs, because they're hard to maintain and manage, right. That's what they say. Local VLANs are the ones local to your segment. I remember, in the CCNA, there's an 80/20 rule: 80% of your traffic should stay within your local segment. Only 20% of it should be when you access outside.

Well, that's changed now. Now, do I have it here? I mean, the next slide. It's a 20/80 rule now: 20% is local and 80% is accessing centralized, cloud-based servers and all this stuff.

So Cisco recommends a one-to-one correspondence between VLANs and IP subnets. Meaning, all right, if you have a 24-bit mask, you should have no more than 254 devices on that VLAN. I've always said... I never gave a number, but I've always said, do not overload your VLANs. The whole reason you're doing VLANs is to segment, break down, shrink the size of that particular network, so you have less noise. Okay? That's the reason. Not all VLANs need to extend beyond the layer two domain or distribution switch.

This is where the end-to-end VLANs come in: only when your VLANs go outside their own local segment. You want to maintain them if, for whatever reason, they need to go outside. It has to be a very important person. If you have to go across that core router, you've got access, distribution and core, right? So if you have to go past the distribution router, there better be a good reason for it, there better be a real need for it.

And maybe you should segment that particular network, okay. And localized broadcast traffic, unnecessary traffic movement on the core. I just said, if there's traffic that doesn't need to go outside, this is why we create... let's say we're in a very secure location. What we're doing, we cannot be going online, going to Facebook and Instagram and all these different things that people use nowadays, because it creates a security hole. So you want to make sure that you block that. So there's many things that you can do to minimize people leaving their own block, all right, not only creating local VLANs where they only exist in that particular block, nowhere else, okay. Only a few of you are actually allowed, but then they'll be assigned to that particular VLAN, or they can leave.

And then, using management software, you got to look to see what's going on. Right? You have to take a look and control that network traffic. Why is Joe going outside his segment? Where is he going? This is why you need those networking tools.

Okay, so you can see what's going on in those monitoring tools. All right, so trying to go across the entire enterprise network: not recommended. Companies are moving to, there it is, they turned that around, the 20/80 rule: 20% of traffic is local and 80% is global. I have not yet seen that. I have not yet seen that, where 20% of the traffic is local.

Okay. Oh, whoa, whoa, that is true. Percent equal, everybody goes everywhere, everybody can go anywhere. Now you can subdivide; these geographic VLANs range in size from a single switch or a wiring closet to an entire building. Yeah, one wiring closet. And that's what Cisco... remember, if you go back, remember that you had a main distribution facility, an MDF.

And then on every other floor, you had an IDF, intermediate distribution facility. You can do that, alright, or not. VLANs organized in this manner will enable layer three functions in the campus network to intelligently handle inter-VLAN traffic load. The whole point of all this that you're reading here is saying, okay, I'm going to create VLANs. How am I going to segment it? Where am I going to put them? Who has access to what? Who will be allowed to go outside, to reach the core, to go outside their site, to go outside their block? That's the whole point. Because if you don't do that, you just create VLANs. Let's say you have a building, you have three floors.

You have VLAN 1, VLAN 2, VLAN 3, VLAN 4. Okay, that's it, you do your inter-VLAN connectivity, your access lists to permit or deny people who will come in and out. You have other security measures in place to permit, sir, on your website, what have you, and then that's it, you're done. But everybody can go anywhere else. So normally in a company, people will stay within their VLAN. If they're not, if you create proper policies, they will be putting in, you know, their pictures on Facebook, and hey, I went to Jamaica this weekend, all this good stuff; you're not gonna have that. I do find that.

That's why we have the NetFlow and the SNMP and all these different things for us to look at and say, huh, no, no, no, Joe, I want to talk with him, because he can't be leaving his own VLAN. But when we're deploying these VLANs, these are things that we need to take into consideration, especially the traffic: why there's so much traffic going out of this particular segment where they don't need to. Even though they say 20% of the traffic is local, 80% is global, the only reason for 80% being global is because people are accessing global, those cloud servers. So who has access to that? Who is actually going to those cloud servers that they need to? And using your network monitoring tools, you need to say, okay, the right people are getting to where they need to go. And again, you'll have charts and line graphs and all these different things; I will show you the traffic, my traffic, that we need to keep an eye on, and using not only proper segmentation, but using policies to control people to where they need to go.

Alright, so now, end-to-end and local VLANs. Whoa, one more thing. And we've been doing pretty much end-to-end VLANs, annoyingly, because the way I showed you was to create your VLANs on your core router. From there, create a VTP domain, leave that core router as a server, as a server switch, I'm sorry. And then the other switches as client switches, and then those ports will be trunked dynamically. So all those VLANs are now across all the access switches. So all those VLANs exist everywhere.

Okay. But again, Cisco states, for test purposes, 20% of traffic local, 80% global; the only reason, cloud servers, cloud services. All right. I'll leave you with that. See you next
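The static, port-based VLAN setup the lesson walks through (create the VLAN, name it, force the port range into access mode, assign the VLAN, trunk the uplink, then verify with show vlan brief), written out as an added example for a Cisco IOS switch. This is not the instructor's lab configuration or Cisco's reference text; the interface names, VLAN numbers and VLAN names are assumptions chosen for illustration.

```cisco
! Added example: static (port-based) VLANs on a Cisco IOS access switch.
! Interface names, VLAN ids and VLAN names are assumed for illustration.
configure terminal
!
! 1. Create each VLAN and give it a short, meaningful name (up to 32 characters).
!    Left unnamed, IOS falls back to a default such as VLAN0010.
vlan 10
 name faculty
vlan 20
 name admin
exit
!
! 2. Assign a range of access ports. "switchport mode access" is required
!    because ports default to dynamic auto, which would otherwise negotiate
!    a trunk with whatever is plugged in; "switchport nonegotiate" stops the
!    port from sending DTP frames at all.
interface range GigabitEthernet1/0/1 - 15
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
exit
!
interface range GigabitEthernet1/0/16 - 23
 switchport mode access
 switchport access vlan 20
 switchport nonegotiate
exit
!
! 3. Trunk the uplink so more than one VLAN can cross it. Only the VLANs that
!    are needed are allowed, and the native (untagged) VLAN is moved off VLAN 1,
!    which the lesson notes can be changed from its default.
vlan 99
 name native
exit
interface GigabitEthernet1/0/24
 ! The encapsulation line is only accepted on platforms that still offer ISL;
 ! omit it on switches that support 802.1Q only.
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 99
 switchport trunk allowed vlan 10,20,99
exit
end
!
! 4. Verify. show vlan brief lists each VLAN id, its name, its status and the
!    ports assigned to it; any port not assigned above still shows under VLAN 1.
show vlan brief
```

Creating and naming the VLAN before assigning it avoids the auto-created, default-named VLAN the lesson warns about, and forcing access mode on every user-facing port is what keeps a single port from ever carrying more than the one VLAN it was assigned.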
