I have a basic question that I hope somebody can explain to me. As I understand it, VLANs work on the data link layer, either using ports or MAC addresses to define VLANs. If this is the case, then why do we need a router (i.e. a layer 3 network device) to route between VLANs? So, simply: why use a layer 3 device to help traffic flow on the layer 2 level?
Let me try to put it in simple terms, and I will update if it helps you.
VLANs definitely work at layer 2 and help in breaking up the broadcast domain at layer 2. A broadcast in one VLAN cannot traverse into another VLAN in a normal situation without special configuration.
Now look at the broader level, where VLANs are logical divisions of subnets. So each VLAN means a different subnet. Now how will these 2 subnets talk to each other? That is the reason you need to have a layer 3 device to make different VLANs talk to each other.
Thanks for your explanation. Unfortunately I still don't fully understand. I can't see how VLANs can be defined as different subnets; my understanding is that subnets are created via layer 3, not layer 2.
I do understand that VLANs segment broadcasts when looking at layer 2, but I still can't see why a router should jump in to allow two layer 2 VLANs to talk to each other.
Let's take a small example. Assume you do not have a layer 3 device and just have a pure layer 2 switch.
You have 2 machines, one in VLAN 2 and one in VLAN 3.
You can for sure assign the 2 machines IP addresses in the same subnet, and without using a layer 3 device they can talk to each other if you use a cross cable and connect it to 2 other ports configured for VLAN 2 and VLAN 3.
But that's not the right implementation of VLANs. VLANs also divide your layer 3 subnets logically, and that is the reason you need different VLANs: so that you can logically divide your network. And when you have different subnets, no matter whether they are in the same VLAN or another, you need to have a layer 3 device.
You can also have machines in the same VLAN with different subnets, and on your router you can define a secondary IP address to route between them.
So what I'm trying to put here is: you can have 2 VLANs with the same subnet address at layer 2, and you can also have one VLAN with different subnets, but for routing between 2 different subnets you need a layer 3 device.
Thanks for the message. It helps in understanding. So basically the bottom line is that you don't need a layer 3 device to create VLANs if the network range is the same when used on all VLANs. If, however, we use different subnets on each VLAN, then yes, we do need a layer 3 device to route between subnets.
So what benefit do you get if VLANs are created and they all use the same subnet (so no layer 3 device needed)? Is it just that they stop broadcasts across VLANs, or is there something else?
You got it. But that's a bad design, to have multiple VLANs with the same subnet, and in that case even if you get a layer 3 device you will not be able to route between them, because on the layer 3 device, when you create 2 different layer 3 interfaces for the respective VLANs and try to assign the same subnet IP address, it will throw an overlapping address error message.
And yes, in this design there can be VLAN leakage also, where 2 VLANs can talk to each other without a layer 3 device by just using a cross cable, which you can say is a security breach.
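The distinction the answers draw (VLANs separate broadcast domains at layer 2, while the decision to route is a subnet decision taken at layer 3) in a small Python model: a host picks direct delivery or its gateway by subnet, direct delivery only works inside one VLAN, and the router refuses overlapping subnets on its VLAN interfaces. This is an added example, not code from any poster; the host names, VLAN numbers and addresses are constructed.

```python
"""Toy model of the thread's argument (constructed names and addresses): the
host decides by subnet whether to deliver directly or via its gateway, direct
delivery needs a shared VLAN, and router SVIs must not overlap."""
import ipaddress


class Host:
    def __init__(self, name, vlan, ip_cidr, gateway=None):
        self.name, self.vlan = name, vlan
        self.iface = ipaddress.ip_interface(ip_cidr)       # e.g. "10.0.2.10/24"
        self.gateway = ipaddress.ip_address(gateway) if gateway else None

    def next_hop(self, dst_ip):
        """Layer 3 decision taken by the host before any frame leaves the NIC."""
        dst = ipaddress.ip_address(dst_ip)
        return dst if dst in self.iface.network else self.gateway


class Router:
    """Layer 3 device with one SVI per VLAN; mirrors the 'overlapping address' check."""

    def __init__(self):
        self.svis = {}                                     # vlan -> ip_interface

    def add_svi(self, vlan, ip_cidr):
        svi = ipaddress.ip_interface(ip_cidr)
        for other in self.svis.values():
            if svi.network.overlaps(other.network):
                raise ValueError(f"{svi} overlaps with {other}")
        self.svis[vlan] = svi

    def egress_vlan(self, dst_ip):
        dst = ipaddress.ip_address(dst_ip)
        return next((v for v, s in self.svis.items() if dst in s.network), None)


def reach(src, dst, router=None):
    """Explain how (or why not) a packet from src reaches dst."""
    nh = src.next_hop(dst.iface.ip)
    if nh is None:
        return "dropped: other subnet and no gateway"
    if nh == dst.iface.ip:                 # direct delivery: ARP must reach dst
        return "direct" if src.vlan == dst.vlan else "dropped: ARP never crosses VLANs"
    gw_svi = router.svis.get(src.vlan) if router else None
    if gw_svi is None or gw_svi.ip != nh:  # gateway must sit in the sender's VLAN
        return "dropped: gateway not reachable in this VLAN"
    out = router.egress_vlan(dst.iface.ip)
    return f"routed into vlan {out}" if out == dst.vlan else "dropped: no route"
```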