Wednesday, 6 May 2009

Cisco logical interfaces

Cisco routers, just like the switches, support VLANs, and you can put many of them onto one physical interface by creating a logical subinterface per VLAN (the setup often called "router on a stick"). Here is how it is done.

Remove any IP address from the physical interface that will carry the trunk, and make sure it is not shut down. The physical interface itself carries no IP; the addresses go on the logical subinterfaces:

interface fastethernet 0/0
no ip address
no shutdown

Create a logical interface (subinterface) for each VLAN you want the router to handle:

interface fastethernet 0/0.X

You can change 'fastethernet' to the interface type you have and '0/0' to the interface number you are using. X is the subinterface number. It has no meaning to the router, so I tend to use the VLAN number so that it is easier to follow. For example, for the logical interface you will use for VLAN 5, use 'int fastethernet 0/0.5'. This way you can tell at a glance which interface belongs to which VLAN.

Assign the logical interface to a VLAN number

encapsulation XXX Y

where XXX is the trunking encapsulation you are using (isl, which is Cisco proprietary, or dot1q, which is IEEE 802.1Q; dot1q is by far the most common and the one your switch almost certainly uses), and Y is the VLAN number (the 802.1Q tag) that this logical interface will handle. Y must match the VLAN number on the switch side of the trunk; it is this number, not the subinterface number, that the router uses, which is why keeping the two the same helps. For example:

interface fastethernet0/0.5
encapsulation dot1q 5

Now you have the interface but still no IP. Assigning an IP address to the logical interface is easy; it is the same as assigning one to a physical interface. Note that IOS only accepts an address on a subinterface once the encapsulation has been set, so always enter the encapsulation command first:

ip address <address> <mask>

Now repeat the steps for each VLAN you want. Below I've created three, for VLANs 5, 10 and 15 (addresses left as placeholders; each subinterface gets an address in the subnet of its own VLAN):

interface fastethernet0/0.5
encapsulation dot1q 5
ip address <address> <mask>

interface fastethernet0/0.10
encapsulation dot1q 10
ip address <address> <mask>

interface fastethernet0/0.15
encapsulation dot1q 15
ip address <address> <mask>
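Here is the whole procedure above put together as one complete router-on-a-stick configuration, with the matching switch-side trunk port. This is an added example, not the original post's configuration: the subnets (192.168.5.0/24, 192.168.10.0/24, 192.168.15.0/24), the interface numbers and the VLAN roles are made up for illustration, and the switch commands assume a Catalyst running IOS.

```cisco
! --- Router side (added example; addresses and VLAN roles are assumed) ---
! The physical interface is the trunk: no IP, just up.
interface FastEthernet0/0
 description 802.1Q trunk to switch
 no ip address
 no shutdown
!
! One subinterface per VLAN. Subinterface number = VLAN number for readability;
! only the 'encapsulation dot1Q <n>' tag actually matters to the router.
! The encapsulation line must come before the ip address line.
interface FastEthernet0/0.5
 description VLAN 5 - management (assumed)
 encapsulation dot1Q 5
 ip address 192.168.5.1 255.255.255.0
!
interface FastEthernet0/0.10
 description VLAN 10 - users (assumed)
 encapsulation dot1Q 10
 ip address 192.168.10.1 255.255.255.0
!
interface FastEthernet0/0.15
 description VLAN 15 - servers (assumed)
 encapsulation dot1Q 15
 ip address 192.168.15.1 255.255.255.0
!
! If the router must also route the trunk's untagged (native) VLAN, mark
! exactly one subinterface as native, e.g. for VLAN 1:
!   interface FastEthernet0/0.1
!    encapsulation dot1Q 1 native
!    ip address 192.168.1.1 255.255.255.0
!
! Verification after applying: 'show vlans' lists each subinterface with its
! tag and address; 'show ip interface brief' shows them up/up once the trunk
! on the switch carries those VLANs.

! --- Switch side (assumed Catalyst IOS syntax) ---
interface FastEthernet0/1
 description trunk to router Fa0/0
 switchport trunk encapsulation dot1q   ! only on switches that also do ISL
 switchport mode trunk
 switchport nonegotiate                 ! no DTP towards the router
 switchport trunk allowed vlan 5,10,15  ! only the VLANs the router should see
 spanning-tree portfast trunk
```

Restricting the allowed VLAN list on the trunk is worth doing deliberately: any VLAN you do not list never reaches the router, which is the cleanest way to keep a VLAN completely out of inter-VLAN routing. Turning off DTP with 'switchport nonegotiate' removes one avenue for a device pretending to be a switch to negotiate its own trunk.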

Configure static or dynamic routing the way you need it. You treat the logical interfaces exactly the same way you treat physical interfaces when doing the routing, so this really isn't hard.

If you would like some VLANs (i.e. networks) not to participate in the routing, you can either leave them out of the routing protocol or not create a logical interface for them at all. Without a subinterface the router never touches that VLAN's traffic, which is the stronger of the two if the VLAN is meant to stay isolated.

Configure access-lists as you find appropriate to filter the traffic going from one VLAN to another, and apply them to the logical interfaces the same way you apply them to physical interfaces. This might mean the VLANs don't see one another at all, or only one way, depending on what you want.

A common design is that the management VLAN can reach all the others, while the others cannot reach the management VLAN or one another except for a few needed services.
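The management-VLAN design just described, written out as an added example (not configuration from the original post). It assumes the same three VLANs and subnets as before: VLAN 5 is management (192.168.5.0/24), VLAN 10 is users (192.168.10.0/24), VLAN 15 is servers (192.168.15.0/24), and the only "needed services" are web and DNS from users to servers. Each list is applied inbound on the subinterface of the VLAN whose hosts originate the traffic, which is the simplest place to reason about who may start a conversation.

```cisco
! Added example; VLAN numbers, subnets and allowed services are assumed.
!
! Users (VLAN 10): may open web and DNS to servers, may answer sessions the
! management VLAN opened to them, and nothing else between VLANs.
ip access-list extended VLAN10-IN
 remark users -> servers, needed services only
 permit tcp 192.168.10.0 0.0.0.255 192.168.15.0 0.0.0.255 eq 80
 permit tcp 192.168.10.0 0.0.0.255 192.168.15.0 0.0.0.255 eq 443
 permit udp 192.168.10.0 0.0.0.255 192.168.15.0 0.0.0.255 eq 53
 remark replies to sessions opened from management (ACLs are stateless,
 remark so 'established' matches TCP segments with ACK/RST set)
 permit tcp 192.168.10.0 0.0.0.255 192.168.5.0 0.0.0.255 established
 permit icmp 192.168.10.0 0.0.0.255 192.168.5.0 0.0.0.255 echo-reply
 remark users may not start anything towards management or other VLANs
 deny ip 192.168.10.0 0.0.0.255 any log
!
! Servers (VLAN 15): answer users and management, initiate nothing into them.
ip access-list extended VLAN15-IN
 permit tcp 192.168.15.0 0.0.0.255 192.168.10.0 0.0.0.255 established
 permit udp 192.168.15.0 0.0.0.255 eq 53 192.168.10.0 0.0.0.255
 permit tcp 192.168.15.0 0.0.0.255 192.168.5.0 0.0.0.255 established
 permit icmp 192.168.15.0 0.0.0.255 192.168.5.0 0.0.0.255 echo-reply
 deny ip 192.168.15.0 0.0.0.255 any log
!
! Management (VLAN 5): no inbound list, it may reach everything.
!
interface FastEthernet0/0.10
 ip access-group VLAN10-IN in
!
interface FastEthernet0/0.15
 ip access-group VLAN15-IN in
!
! 'show access-lists' shows per-line hit counters; the 'log' on the final
! deny lines gives you a record of who tried to cross VLANs and was refused.
```

Two caveats a practitioner would want. The 'established' keyword only inspects TCP flags, so it is a filter on packet shape, not a connection table; if you need real stateful inspection between VLANs, the router's firewall feature set ('ip inspect' or zone-based firewall) does that instead of plain ACLs. And because UDP has no flags, the DNS reply line in VLAN15-IN has to be written explicitly by source port, which is exactly the sort of rule that quietly grows into a hole if nobody revisits it.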

Some things not to leave out or forget:

Split horizon forbids a routing update that came in on an interface from being sent back out the same interface. Each logical subinterface counts as its own interface for this purpose, so a route learned on fastethernet0/0.5 is still advertised out fastethernet0/0.10 and routing updates pass from one VLAN to another without any change. You would only need to turn it off if a single subinterface had to both receive and re-advertise routes (a multipoint, hub-and-spoke situation), and doing that on a broadcast network invites routing loops. It is on by default on Ethernet interfaces for RIP and EIGRP; you can check with 'show ip interface' and, if you really do need to, turn it off per subinterface with:

no ip split-horizon

Whether you let routing updates cross between VLANs at all is itself a security decision: a host in the user VLAN can speak RIP too, so either keep those subinterfaces passive ('passive-interface' under the routing process) or authenticate the updates.

Don't forget that without the access-lists there is not much point, from a security standpoint, in doing VLANs with inter-VLAN routing: the router will happily forward everything between the VLANs, so everyone can talk to everyone else just as if they were on one network. The VLANs alone only split the broadcast domains; the access-lists are what enforce who may talk to whom.

Lastly, nearly all switches support trunks on FastEthernet and faster ports, but many do not support trunking on the older 10 Mbps Ethernet ports, so check what the switch port you intend to use for the trunk can do before you start.
