vlan question, please help!!!! thanks a lot...


solnsusie
02-25-2011, 09:41 AM
hi
I set up on Packet Tracer a network with 1 router, 3 switches, 6 PCs, 2 PCs connected to each switch (see image). Every switch has access to 2 different vlans (every vlan is named, so you can understand the image). So here is my question: when I ping, let's say, from switch S5 to PC Accounting on switch Switch3 (Accounting is in a different vlan than any vlan on switch S5), the ping is not going through, since it's in a different vlan, but when I ping between the PCs, from the PC Shipping on S5 to PC Accounting on switch Switch3, the ping is working, even though they're in different vlans.

So basically my question is as follows: why is the ping from the switches not going from one vlan to another, while the ping from the PCs is going through, even though they're in different vlans? So I have 2 questions: 1) why is the PC ping working, and 2) why is the ping from the switch not working?

But let me ask, maybe the ping command isn't the right way to test vlans in a network. What I mean to say is that when you can ping a host, it doesn't mean that I have access to that host/data server in that vlan, so if this is right, how can I test my network in Packet Tracer to see if the vlans are working properly?
Please see attached an image of my network and my configurations.
thanks a lot

DonB
02-25-2011, 01:49 PM
By looking at your configs it does not appear that you have set up the management vlan on the switches (vlan 1 by default). You need to assign an IP address and default gateway.

The ping command can be used to test the routing between vlans.

EDIT: I see the IP address on vlan 1 but no default gateway. You also have the same vlan 1 IP address for both sw4 and sw5.

DonB
02-25-2011, 07:38 PM
You are also assigning an IP address to each vlan on each switch????

You only need 1 IP address on a switch so you can log in to it. You only need it on the mgt vlan (vlan 1 by default).

solnsusie
02-27-2011, 02:50 PM
You are also assigning an IP address to each vlan on each switch????

You only need 1 IP address on a switch so you can log in to it. You only need it on the mgt vlan (vlan 1 by default).

thanks for trying to help me,

Don't I have to assign each vlan to a different network? How can I use the same IP address in vlan 1 for vlan 2 on the switch? That's why I assigned each vlan on each switch a different IP address, but each vlan has an IP address in the same subnetwork. And regarding the default gateway, as I remember I did assign them; how could I see it? Which command will show it for me?

And back to my question: as I see now (which answers my original question), without a router I can ping from one PC only to a PC in the same vlan, but with the router I could ping every PC in any vlan, so what is the purpose of vlans when using a router?

DonB
02-28-2011, 04:35 AM
The IP address on a LAYER 2 switch is only needed so you can log in to it to manage it via telnet or ssh. That's it. When we talk about assigning a different subnet to each vlan we are referring to the fact that all hosts on a vlan must be in the same subnet. You need a default gateway on the mgt vlan for the same reason each of the hosts has one.

Layer 2 devices do not even look at the IP address when forwarding traffic. They only look at the MAC address. IP addresses are used by Layer 3 devices such as routers.

Vlans are used to break up broadcast domains and as a result reduce traffic, which speeds up your network. Another reason is to increase security. PCs in one vlan cannot talk to PCs in another vlan. For example, there is little reason why the sales department needs to access devices on the HR department vlan. There are times when you want a PC in one vlan to be able to get to another vlan. Maybe the sales department and the marketing department share a high end printer. This is where the router comes in. Remember, because we assigned a different subnet (layer 3) to each vlan, we need a layer 3 device (router) to route the traffic from one vlan to another. We can also use Access Control Lists on the router to control which vlans and hosts can talk to each other to implement additional security.

solnsusie
02-28-2011, 11:49 AM
The IP address on a LAYER 2 switch is only needed so you can log in to it to manage it via telnet or ssh. That's it. When we talk about assigning a different subnet to each vlan we are referring to the fact that all hosts on a vlan must be in the same subnet. You need a default gateway on the mgt vlan for the same reason each of the hosts has one.
So what you're saying is that I don't need to assign IP addresses on the switches for every vlan, only for the native vlan (vlan 1) for mng purposes, so this is one mistake I made, that I assigned an IP address on each switch for each vlan.....
Another reason is to increase security. PCs in one vlan cannot talk to PCs in another vlan. For example, there is little reason why the sales department needs to access devices on the HR department vlan. There are times when you want a PC in one vlan to be able to get to another vlan. Maybe the sales department and the marketing department share a high end printer. This is where the router comes in.
So how is it secured if one PC can access another PC in another vlan through a router???? Please clarify this!!!

Thanks for your great help, you are a great help, I'm now much clearer on this matter.

DonB
02-28-2011, 02:10 PM
So what you're saying is that I don't need to assign IP addresses on the switches for every vlan, only for the native vlan (vlan 1) for mng purposes, so this is one mistake I made, that I assigned an IP address on each switch for each vlan.....


Correct!



So how is it secured if one PC can access another PC in another vlan through a router???? Please clarify this!!!

Thanks for your great help, you are a great help, I'm now much clearer on this matter.

At this stage we are only talking about layers 2 and 3. When I said access another PC I was only referring to layer 3. At layer 3 (routers) we would use access control lists to permit or deny traffic based on the IP address or the protocol they are using. For example, in another recent post HermeszData talked about getting a job where the client needed to allow network printing to a new network printer. He modified the ACL to allow TCP port 9100 traffic which the old ACL had blocked.

You are right about the PCs' security. As network and sys admins it would be your job to secure the device or application. For example, if the network printer was attached to a Windows server you would assign a user name and password to that network printer before allowing anyone to print.

solnsusie
02-28-2011, 02:28 PM
Correct!
You are right about the PCs' security. As network and sys admins it would be your job to secure the device or application. For example, if the network printer was attached to a Windows server you would assign a user name and password to that network printer before allowing anyone to print.
I understand very well what you are saying, and I really appreciate your time to help me, but if it's like you are saying, that to secure a server or any device I would need to use ACLs or passwords, where in the world does vlan stand for security???? I don't see the security part in vlans! Except when you don't use a router, which you can't find these days, and as I study in Todd's and in Odom's books, they all talk about vlans as security!!!

Thanks again for your great help

DonB
02-28-2011, 04:40 PM
When you have a switch with no vlans, all ports can connect to each other, right? But when I use vlans, members of vlan 2 cannot see or connect to members of vlan 3. This is the security everyone is talking about when they speak of vlans. For example, most of the time the HR department is very sensitive since this is where payroll is. By putting HR in a separate vlan I know that other users on the LAN cannot connect UNLESS I use a router and allow it.

If I wanted to put members in vlans that I absolutely do not want to connect, I would NOT use a router at all.

DonB
02-28-2011, 04:51 PM
ACLs are what routers use to control traffic. So IF I wanted to restrict traffic between vlans I would use an ACL on the inter-vlan router.

The reason you almost always see a router with vlans is simply because most of the time users on vlans need to get somewhere else on the LAN. Maybe they need to get to the internet, so the inter-vlan router sends packets out a network interface other than an interface for a vlan.
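As an added example (not the original poster's configs and not from any post above), here is the shape of the setup DonB describes: a layer 2 switch with a single management address and default gateway on VLAN 1, and a router-on-a-stick with one subinterface and subnet per VLAN, where an extended ACL lets Sales reach the shared Marketing printer only on TCP 9100. All hostnames, VLAN numbers, addresses and the printer's address are made up for the illustration.

```cisco
! S5 (layer 2 access switch): one management address, on VLAN 1, plus a gateway
hostname S5
!
vlan 20
 name Sales
!
interface Vlan1
 ip address 192.168.1.5 255.255.255.0
 no shutdown
!
ip default-gateway 192.168.1.1
! verify it later with:  show running-config | include default-gateway
!
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 20
!
interface GigabitEthernet0/1
 switchport mode trunk
!
! R1 (router on a stick): one subinterface and one subnet per VLAN
hostname R1
!
interface GigabitEthernet0/0
 no shutdown
!
interface GigabitEthernet0/0.1
 encapsulation dot1Q 1 native
 ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet0/0.20
 encapsulation dot1Q 20
 ip address 192.168.20.1 255.255.255.0
!
interface GigabitEthernet0/0.30
 encapsulation dot1Q 30
 ip address 192.168.30.1 255.255.255.0
 ip access-group SALES-TO-MARKETING out
!
! Sales (VLAN 20) may reach Marketing (VLAN 30) only to print on the shared
! printer (192.168.30.50, a made-up address) over TCP 9100; everything else
! from Sales into Marketing, including ping, is dropped at the router.
ip access-list extended SALES-TO-MARKETING
 permit tcp 192.168.20.0 0.0.0.255 host 192.168.30.50 eq 9100
 deny   ip 192.168.20.0 0.0.0.255 192.168.30.0 0.0.0.255
 permit ip any any
```

With this in place a ping from a Sales PC to the printer fails while printing still works, which is why ping alone is not a complete test of what a VLAN design allows; check the ACL counters with show access-lists to see which line matched.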