If you assign a separate, physical switch to each of your network zones, VLANs are useless; just assign a zone to your interface and let Zywall take care of routing and firewall rules.
Obviously you cannot mix different end points on the same device (e.g., PCs and VoIP phones on the same switch).
Since you have not included the router model, I will assume it is a Cisco router, something like an ISR with a built-in switch module.
Some Cisco routers can have built-in or optional add-on switch modules. The interfaces for this module are switch interfaces, not router interfaces. You need to create VLAN interfaces to link the layer-2 switch to the layer-3 router.
You configure the switch interfaces the same way that you do for a layer-2 switch. They are switch interfaces, not router interfaces, so you cannot configure layer-3 on those interfaces. That is where the SVIs come in. You assign a VLAN to each switch interface, and create an SVI for each VLAN. The SVIs get configured with the layer-3 information for the VLAN. The layer-3 addresses configured on the SVIs will be the gateways for the VLANs.
The router will also have some router interfaces that get configured for layer-3. Routers will, by default, route everything between their layer-3 interfaces, including SVIs configured for layer-3.
Let's assume you have eight switch interfaces (GigabitEthernet0 - 7), and two router interfaces (GigabitEthernet8 - 9), like a Cisco 892 router. There are two connections to other routers, and there are four VLANs (two switch interfaces on each VLAN). The first eight interfaces are switch interfaces, and they are configured like a layer-2 switch. The last two interfaces are router interfaces, and they are configured with layer-3. The four VLAN interfaces are configured as layer-3 interfaces. Routing between the VLANs and the router interfaces will happen, as long as they are configured for layer-3, and there are no other configurations to block, e.g. ACLs. The gateways for the VLANs will be the addresses configured on the VLAN interfaces.
You could have something like this:
! Switch interfaces (layer-2 only): two access ports per VLAN
interface GigabitEthernet0
 description VLAN 1
 switchport access vlan 1
 switchport mode access
 no shutdown
!
interface GigabitEthernet1
 description VLAN 1
 switchport access vlan 1
 switchport mode access
 no shutdown
!
interface GigabitEthernet2
 description VLAN 2
 switchport access vlan 2
 switchport mode access
 no shutdown
!
interface GigabitEthernet3
 description VLAN 2
 switchport access vlan 2
 switchport mode access
 no shutdown
!
interface GigabitEthernet4
 description VLAN 3
 switchport access vlan 3
 switchport mode access
 no shutdown
!
interface GigabitEthernet5
 description VLAN 3
 switchport access vlan 3
 switchport mode access
 no shutdown
!
interface GigabitEthernet6
 description VLAN 4
 switchport access vlan 4
 switchport mode access
 no shutdown
!
interface GigabitEthernet7
 description VLAN 4
 switchport access vlan 4
 switchport mode access
 no shutdown
!
! Router interfaces (layer-3): point-to-point links to the other routers
interface GigabitEthernet8
 description Link to Router 2
 ip address 10.2.0.1 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no shutdown
!
interface GigabitEthernet9
 description Link to Router 3
 ip address 10.3.0.1 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no shutdown
!
! SVIs (layer-3): each address is the gateway for its VLAN.
! It must be a host address in the subnet, not the .0 network address.
interface Vlan1
 description VLAN1
 ip address 192.168.1.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no shutdown
!
interface Vlan2
 description VLAN2
 ip address 192.168.2.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no shutdown
!
interface Vlan3
 description VLAN3
 ip address 192.168.3.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no shutdown
!
interface Vlan4
 description VLAN4
 ip address 192.168.4.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no shutdown
!
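A check for the layout described in the answer above, as an added example (not part of the original answer and not Cisco tooling): it parses an IOS-style configuration and reports access VLANs with no SVI, SVIs whose address is the subnet's network or broadcast address, and SVIs with no inbound `ip access-group`, which the router routes to the other VLANs unfiltered. The sample configuration and the ACL name `VLAN2-IN` are constructed.

```python
import ipaddress
import re

# Constructed sample in the style of the configuration above (not from a real device).
# "VLAN2-IN" is a hypothetical ACL name.
SAMPLE = """\
interface GigabitEthernet0
 switchport access vlan 1
interface GigabitEthernet2
 switchport access vlan 2
interface GigabitEthernet4
 switchport access vlan 3
!
interface Vlan1
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 ip address 192.168.2.0 255.255.255.0
 ip access-group VLAN2-IN in
!
"""

def audit(config):
    """Return findings per access VLAN: missing SVI, bad gateway, no inbound ACL."""
    ports, svis, current = {}, {}, None
    for line in map(str.strip, config.splitlines()):
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            if m := re.fullmatch(r"Vlan(\d+)", current):
                svis[int(m.group(1))] = {"addr": None, "acl": False}
        elif m := re.fullmatch(r"switchport access vlan (\d+)", line):
            ports.setdefault(int(m.group(1)), []).append(current)
        elif re.fullmatch(r"Vlan\d+", current or ""):
            svi = svis[int(current[4:])]
            if m := re.fullmatch(r"ip address (\S+) (\S+)", line):
                svi["addr"] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
            elif re.fullmatch(r"ip access-group \S+ in", line):
                svi["acl"] = True
    findings = []
    for vlan in sorted(ports):
        svi = svis.get(vlan)
        if svi is None or svi["addr"] is None:
            findings.append(f"VLAN {vlan}: no layer-3 SVI for {', '.join(ports[vlan])}")
            continue
        net = svi["addr"].network
        if net.prefixlen < 31 and svi["addr"].ip in (net.network_address, net.broadcast_address):
            findings.append(f"VLAN {vlan}: {svi['addr'].ip} is not a usable host address in {net}")
        if not svi["acl"]:
            findings.append(f"VLAN {vlan}: no inbound ACL, routed unfiltered to other VLANs")
    return findings
```

Calling `audit(SAMPLE)` returns one finding each for VLAN 1 (no ACL), VLAN 2 (network address used as gateway) and VLAN 3 (no SVI).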
Best Answer
Using VLANs is like breaking a switch into multiple unconnected switches. On a single switch, no hosts on a VLAN will ever see any traffic for a different VLAN. Traffic must pass through a router, where it can be controlled, to get from one VLAN to a different VLAN.
There are many reasons to use VLANs. One is that switches will flood unknown unicast traffic, and broadcast and multicast traffic is sent to all the other interfaces. Someone with bad intentions could be snooping on that traffic for other networks if the switch wasn't broken into VLANs. With VLANs, that type of traffic is restricted to interfaces configured for the VLAN.