Question about VLANS

mmtantawi
Level 1

Dear All,

I am still new to the Cisco world.

I have a question regarding VLANs, and I really want you to tell me if I am correct or not.

---------------------------------------

The question is:

If I have a Cisco 3560 Series switch, and this switch has 48 ports.

I did not do anything on this switch except add an IP address and subnet mask.

The switch does not have any VLANs at all, and it is only one switch.

Now here is my question:

If I have 2 PCs, the first one is in Fe 0/1, and the second one is in Fe 0/2.

The first PC has this IP address (192.168.1.1 / 255.255.255.0) and no GW and no DNS at all.

The second PC has this IP address (172.16.1.1 / 255.255.0.0) and no GW and no DNS at all.

Now, if the first PC gets infected by spyware or a virus or whatever malware, do you think the second will get affected as well, because there is one broadcast domain, all the ports are in the same broadcast domain, and all the traffic will be in the same broadcast domain? But if I have 2 broadcast domains as 2 VLANs, only the PCs which are in that broadcast domain, wherever they are located across the network, will get affected, but all the other PCs which are in another broadcast domain will not get affected.

----------

Is that correct or not?

I know this is not the only reason for using VLANs, but I want to know, is this point correct or not?

5 Replies

gpulos
Level 8

No. You have no routing between the two subnets you have defined, i.e. 192.168.1.0/24 and 172.16.0.0/16.

You do have a VLAN on that switch. It is the default VLAN 1. All ports belong to VLAN 1 if they do not belong to another VLAN.

You also have two broadcast domains, i.e. 192.16.1.255 and 172.16.255.255.

It would be a best practice to create a VLAN for a new subnet. If you have two subnets you should have two VLANs (one for each).

The devices in these two VLANs will not be able to communicate with each other until a router is in place to do the routing.

Thanks man,

I want to reply to you.

All the ports in the switch are in the same VLAN, which is VLAN 1.

I did not assign any VLANs at all.

What I did is just plug the PCs into the Cisco switch ports, nothing more.

So please, what do you mean by:

you do have a vlan on that switch. it is the default vlan 1. all ports belong to vlan 1 if they do not belong to another vlan.

----------------------------------

What do you mean by:

you also have two broadcast domains, ie: 192.16.1.255 and 172.16.255.255

while there are no VLANs at all in this switch except VLAN 1 for management?

So please, was I correct or not?

Please update me.

Q1) What do you mean by:

you do have a vlan on that switch. it is the default vlan 1. all ports belong to vlan 1 if they do not belong to another vlan.

A) You stated in the initial post that "the switch has no vlans at all...". I was just letting you know that in fact it does have a VLAN and it is VLAN 1, aka the default VLAN. All switches have a default VLAN 1.

Q2) What do you mean by:

you also have two broadcast domains, ie: 192.16.1.255 and 172.16.255.255

A) You stated in your original post that the switch has one broadcast domain. You also stated that you have two PCs on different subnets plugged into the switch. I was just stating that in fact you now have two broadcast domains in the switch, one for each of the subnets you have your PCs on.

pc1: 192.168.1.1 255.255.255.0 - broadcast domain: 192.168.1.255

pc2: 172.16.1.1 255.255.0.0 - broadcast domain: 172.16.255.255

Thank you.

But if I have 2 broadcast domains, why do I need to create a VLAN?

Can I understand?

Because I do not know if what I understood is correct or not:

A broadcast domain is only for the switch VLANs.

And if you have 2 PCs with different IP schemes, and all of them are in the same broadcast domain for the switch (I mean this switch has no VLANs at all except VLAN 1 for management), if you ping from PC1 to PC2, it will reply, because the traffic will pass, because nothing can stop it. Is that correct?

scottmac
Level 10

Whether or not the virus propagates will depend on its mode of transmission.

If the virus uses broadcast, then the other (presumed unprotected) machine will be infected.

A layer two broadcast destination address is all ones, regardless of the layer three address. The second machine will accept the broadcast, as it must, according to the Ethernet protocol.

If the layer three destination address is also a broadcast, then that packet will continue up the stack and, if whatever port the virus targets is open / vulnerable, then the machine becomes infected.

In the same scenario with another VLAN enabled (each machine in its own VLAN), the infection is not likely to propagate. The VLAN tag supersedes the broadcast address and the control logic of the switch *shouldn't* allow the infected frame to be broadcast into the other VLAN's domain ... so no exposure of the second machine.

Viruses that propagate using a "ping sweep" to find other active clients will take longer to infect the second machine, but many will still be successful, because once they have exhausted the native address range, they increment and sweep the next range. Given enough time, the infected machine will eventually hit the address of the second machine and infect it.

There is only one broadcast domain. A VLAN by (Cisco's) definition is a broadcast domain ... one VLAN, one broadcast domain.

Hope this helps...

Good Luck

Scott
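As an added illustration (not part of the thread, and not Cisco code), here is a small Python model of the receive path scottmac describes: the NIC filters on the layer-2 destination, IP then filters on the layer-3 destination, and a VLAN boundary stops the frame at the switch before either filter runs. The host names, MAC addresses and frame dictionaries are constructed; the two PCs use the addresses from the original question.

```python
import ipaddress

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")


class Host:
    """Constructed model of one PC: a MAC, an IP interface and the VLAN of its switch port."""

    def __init__(self, name, mac, ip_cidr, vlan):
        self.name, self.mac, self.vlan = name, mac, vlan
        self.iface = ipaddress.ip_interface(ip_cidr)

    def accepts_l2(self, frame):
        # The NIC passes a frame up only if it is addressed to this MAC or to all ones.
        return frame["dst_mac"] in (self.mac, BROADCAST_MAC)

    def accepts_l3(self, frame):
        # IP keeps its own address, the limited broadcast, or its own subnet's directed broadcast.
        dst = ipaddress.ip_address(frame["dst_ip"])
        return dst in (self.iface.ip, LIMITED_BROADCAST, self.iface.network.broadcast_address)


def deliver(frame, src_vlan, hosts):
    """For each host, report where the frame stops: 'switch', 'nic', 'ip' or 'stack'."""
    outcome = {}
    for h in hosts:
        if h.vlan != src_vlan:
            outcome[h.name] = "switch"   # different VLAN: the port never sees the frame
        elif not h.accepts_l2(frame):
            outcome[h.name] = "nic"      # unicast to someone else, dropped by the NIC
        elif not h.accepts_l3(frame):
            outcome[h.name] = "ip"       # NIC and driver handled it, IP layer discarded it
        else:
            outcome[h.name] = "stack"    # reaches whatever service is listening
    return outcome


def can_send_unicast(src, dst_ip, gateway=None):
    """A host with no default gateway can only address hosts on its own subnet."""
    return ipaddress.ip_address(dst_ip) in src.iface.network or gateway is not None


def demo():
    pc1 = Host("pc1", "02:00:00:00:00:01", "192.168.1.1/24", vlan=1)
    pc2 = Host("pc2", "02:00:00:00:00:02", "172.16.1.1/16", vlan=1)
    limited = {"dst_mac": BROADCAST_MAC, "dst_ip": "255.255.255.255"}   # constructed frame
    directed = {"dst_mac": BROADCAST_MAC, "dst_ip": "192.168.1.255"}    # constructed frame
    same_vlan = (deliver(limited, 1, [pc2])["pc2"], deliver(directed, 1, [pc2])["pc2"])
    pc2.vlan = 2
    return {"same_vlan": same_vlan, "separate_vlan": deliver(limited, 1, [pc2])["pc2"],
            "pc1_ping_pc2_no_gw": can_send_unicast(pc1, "172.16.1.1")}
```

Being on a different subnet only saves the second PC at the IP layer (the directed broadcast is dropped after the NIC has already taken it), while a separate VLAN keeps the frame off the port entirely; and with no gateway configured, PC1 cannot even address PC2's subnet for a unicast ping.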