Chapter 3 VLANs - PowerPoint PPT Presentation

Slides: 37
Provided by: toddm80

Transcript and Presenter's Notes



1
Chapter 3 VLANs
  • Cisco Networking Academy Program
  • at
  • TSTC-Waco

2
VLAN Overview
3
Differences between LANs and VLANs
  • VLANs...
  • work at Layer 2 and 3
  • control network broadcasts
  • allow users to be assigned by net admin.
  • provide tighter network security. How?

4
VLANs
  • Logical grouping of devices or users
  • Configuration done at switch via software
  • Not standardized: proprietary software from
    vendor

5
VLANs
  • Logically segment the physical LAN infrastructure
    into different subnets (or broadcast domains for
    Ethernet)

6
Differences Between Traditional Switched LAN and
VLANs
  • VLANs work at Layer 2 and Layer 3 of OSI
  • Communication between VLANs is done by routers
  • VLANs provide a method of controlling network
    broadcasts
  • Administrators assign users to VLANs
  • VLANs increase network security by defining who
    can communicate with whom
  • Group switch ports and their connected users into
    logically defined workgroups

9
Transport of VLANs Across the Backbone
  • Ability to transport VLAN information between
    interconnected switches and routers that reside
    on the backbone
  • Remove physical boundaries between users
  • Increase configuration flexibility when users move
  • Provide mechanism for interoperability between
    backbone components

10
VLAN transportation
  • Backbone commonly acts as collection point for
    large volumes of traffic
  • Carries end user information and ID between
    switches, routers and directly attached servers

11
Routers in the VLAN
  • Traditionally provide firewalls, broadcast
    management etc.
  • Provide connected routes between different VLANs
  • Cost-effectively integrate external routers into
    the switching architecture by using one or more
    high-speed backbone connections like
  • Fast Ethernet or ATM connection
  • Increasing the throughput between switches and
    routers
  • Consolidating the number of physical router ports
    required for communication between VLANs

12
VLANs Across the Backbone
  • VLAN configuration needs to support backbone
    transport of data between interconnected routers
    and switches.
  • The backbone is the area used for inter-VLAN
    communication
  • The backbone should be high-speed links,
    typically 100Mbps or greater

13
Routers Role in a VLAN
  • A router provides connection between different
    VLANs
  • For example, you have VLAN1 and VLAN2.
  • Within the switch, users on separate VLANs cannot
    talk to each other (benefit of a VLAN!)
  • However, users on VLAN1 can email users on VLAN2
    but they need a router to do it.

14
Frame Use in the VLAN
  • Switches are the core component of VLAN communication
  • Each switch makes forwarding and filtering
    decisions based on the frame
  • Based on VLAN metrics
  • Approaches for logically grouping users into
    distinct VLANs
  • Frame filtering
  • Frame tagging (identification)

15
How Frames are Used in a VLAN
  • Switches make filtering and forwarding decisions
    based on data in the frame.
  • There are two techniques used.
  • Frame Filtering--examines particular information
    about each frame (MAC address or layer 3 protocol
    type)
  • Frame Tagging--places a unique identifier in the
    header of each frame as it is forwarded
    throughout the network backbone.

16
Frame Filtering
17
Frame Tagging
  • Uniquely assigns a VLAN ID to each frame
  • VLAN IDs assigned by switch administrator
  • Chosen by IEEE for its scalability
  • Gaining recognition as the standard trunking
    mechanism
  • IEEE 802.1q states that Frame Tagging is the way
    to implement VLANs

18
More on Frame Tagging
  • Frame Tagging...
  • is specified by IEEE 802.1q which states frame
    tagging is the preferred way to implement VLANs
  • uniquely assigns a VLAN ID to each frame before
    it is forwarded across the backbone.
  • is understood by switches prior to any broadcasts
    or transmission to other switches or routers
  • places a tag in the frame...thus, frame tagging.
    So what layer?
  • is removed by the switch after frame exits the
    backbone and before frame is forwarded to the end
    station

19
Frame Tagging Continued
  • Places a unique identifier in the header of each
    frame as it is forwarded throughout the network
  • When the frame exits the network backbone
    switch removes the identifier before the frame is
    transmitted to its target
  • Frame identification functions at Layer 2 and
    requires little administrative overhead
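
The tag-on-entry, strip-on-exit behaviour from the frame tagging slides, as an added Python example (not part of the original presentation). The 802.1Q tag layout used here (TPID 0x8100 followed by a 16-bit field holding priority and a 12-bit VLAN ID, inserted after the source MAC) is the standard one; the sample frame is constructed and the frame check sequence is left out.

```python
import struct

TPID_8021Q = 0x8100      # EtherType value that marks an 802.1Q tag
MAC_HEADER_LEN = 12      # destination MAC (6 bytes) + source MAC (6 bytes)

def is_tagged(frame: bytes) -> bool:
    """True if the two bytes after the source MAC are the 802.1Q TPID."""
    if len(frame) < MAC_HEADER_LEN + 4:
        return False
    return struct.unpack_from("!H", frame, MAC_HEADER_LEN)[0] == TPID_8021Q

def tag_frame(frame: bytes, vlan_id: int, priority: int = 0) -> bytes:
    """Insert the VLAN tag, as a switch does before the frame crosses the backbone."""
    if not 1 <= vlan_id <= 4094:             # VLAN IDs 0 and 4095 are reserved
        raise ValueError(f"invalid VLAN ID {vlan_id}")
    if not 0 <= priority <= 7:
        raise ValueError(f"invalid priority {priority}")
    if len(frame) < MAC_HEADER_LEN + 2:      # needs both MACs and an EtherType
        raise ValueError("frame too short")
    if is_tagged(frame):                     # end stations send untagged frames
        raise ValueError("frame already carries a tag")
    tci = (priority << 13) | vlan_id         # PCP (3 bits) | DEI (1 bit, 0) | VID (12 bits)
    tag = struct.pack("!HH", TPID_8021Q, tci)
    return frame[:MAC_HEADER_LEN] + tag + frame[MAC_HEADER_LEN:]

def untag_frame(frame: bytes) -> tuple:
    """Strip the tag before delivery to the end station; return (vlan_id, frame)."""
    if not is_tagged(frame):
        raise ValueError("frame has no 802.1Q tag")
    tci = struct.unpack_from("!H", frame, MAC_HEADER_LEN + 2)[0]
    original = frame[:MAC_HEADER_LEN] + frame[MAC_HEADER_LEN + 4:]
    return tci & 0x0FFF, original

# Constructed sample: broadcast destination, locally administered source, IPv4 EtherType.
SAMPLE_FRAME = bytes.fromhex("ffffffffffff" "020000000001" "0800") + b"payload"

if __name__ == "__main__":
    on_trunk = tag_frame(SAMPLE_FRAME, vlan_id=20, priority=5)
    print(on_trunk[12:16].hex())             # the four tag bytes
    print(untag_frame(on_trunk)[0])          # VLAN ID recovered at the far switch
```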

20
Ports, VLANs and Broadcasts
  • VLANs make up a switched network logically
    segmented
  • Ports assigned to the same VLAN share broadcasts
  • Two VLAN implementations
  • Static
  • Dynamic

21
Static VLANs
  • Ports on a switch that are statically assigned to a
    VLAN
  • Require administrator to make changes
  • Secure
  • Easy to configure
  • Straightforward to monitor
  • Works well in networks in which moves are
    controlled and managed

22
Static VLANs
  • Defined
  • Static VLANs are when ports on a switch are
    administratively assigned to a VLAN
  • Benefits
  • can be assigned by port, address, or protocol
    type
  • secure, easy to configure and monitor
  • works well in networks where moves are controlled

23
STATIC VLANs
24
Dynamic VLANs
  • Ports on switch automatically determine their
    VLAN assignments
  • Based on MAC addresses, logical addressing or
    protocol type of data packet
  • Less administration within the wiring closet
    when a user moves or new one added
  • Centralized notification when an unrecognized
    user is added to the network
  • More administration is required to initially set
    up database within the VLAN management software
    (VMPS)

25
Dynamic VLANs
  • Defined
  • Switch ports can automatically determine a user's
    VLAN assignment based on either/or
  • MAC
  • logical address
  • When a station is initially connected to an
    unassigned port, the switch checks an entry in
    the table and dynamically configures the port
    with the right VLAN
  • Benefits
  • less administration (more upfront) when users are
    added or move
  • centralized notification of unauthorized user

26
Dynamic VLANs
27
VLAN Additions, Moves and Changes
  • Companies continually reorganizing
  • These moves/changes are network managers' biggest
    headaches and one of the largest expenses related
    to managing a network
  • VLANs provide effective measures for controlling
    changes and reducing costs
  • Users in a VLAN can share the same network
    address space i.e. IP subnet
  • VLANs require less rewiring, configuration and
    debugging

28
Movement of Users
29
VLANs Help Control Broadcast Activity
  • The most effective measure is to properly segment
    with firewalls that help prevent problems on one
    segment from damaging other parts of the network
  • Firewall segmentation provides reliability and
    minimizes overhead broadcast traffic
  • No routers between switches: broadcasts (Layer 2)
    are sent to every switched port; referred to as
    a FLAT network (one broadcast domain across the
    whole network)
  • Flat Network
  • Provides low latency, high throughput
  • Easy to administer

30
VLANs Controlling Broadcast Activity
  • FLAT Network Disadvantages
  • Increases vulnerability to broadcast traffic
    across all switches, ports, backbone links and
    users
  • VLANs effectively extend firewalls from routers
    to the switch fabric and protect against
    potentially dangerous broadcast problems
  • Creating firewalls
  • Assign switch ports or users to specific VLAN
    groups both within single switches and across
    multiple connected switches

31
VLANs and Broadcast Activity
32
VLANs Control Broadcasts
  • Routers provide an effective firewall against
    broadcasts
  • Adding VLANs can extend a router's firewall
    capabilities to the switch fabric
  • The smaller the VLAN, the smaller the number of
    users that are affected by broadcasts

33
How do VLANs Improve Network Security
  • Restrict number of users in a VLAN group
  • Prevent another user from joining without first
    receiving approval from the VLAN network
    management application
  • Configure all unused ports to a default
    low-service VLAN

34
VLANs Improve Security
  • Shared LANs are easy to penetrate...simply plug
    into the shared hub.
  • VLANs increase security by ...
  • restricting number of users in a VLAN
  • preventing user access without authorization
  • configuring all unused ports to the Disabled
    setting
  • control access by
  • addresses
  • application types
  • protocol types
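
The security measures on the last two slides (approval before joining a VLAN, unused ports disabled or parked in a low-service VLAN, a limit on users per VLAN), together with the dynamic VLAN lookup from the earlier slides, modelled as an added Python example that is not part of the original presentation. The port names, MAC table and low-service VLAN ID 999 are constructed assumptions, not any vendor's configuration.

```python
from dataclasses import dataclass
from typing import Optional

LOW_SERVICE_VLAN = 999   # assumed ID for the "default low-service VLAN"
# Constructed approval table, standing in for the VLAN management database.
MAC_TO_VLAN = {"02:00:00:00:00:0a": 10, "02:00:00:00:00:14": 20}

@dataclass
class Port:
    name: str
    vlan: Optional[int] = None   # None means not yet assigned
    enabled: bool = True
    in_use: bool = False

def connect_station(port, mac, alerts):
    """Dynamic assignment: approved MACs get their VLAN, others are parked and reported."""
    vlan = MAC_TO_VLAN.get(mac.lower())
    if vlan is None:
        alerts.append(f"unrecognized MAC {mac.lower()} on {port.name}")
        vlan = LOW_SERVICE_VLAN
    port.vlan, port.in_use = vlan, True
    return vlan

def audit_unused_ports(ports):
    """Unused ports must be disabled or sit in the low-service VLAN; list the rest."""
    return [p.name for p in ports
            if not p.in_use and p.enabled and p.vlan != LOW_SERVICE_VLAN]

def oversized_vlans(ports, max_users):
    """Return {vlan: user_count} for VLANs holding more in-use ports than allowed."""
    counts = {}
    for p in ports:
        if p.in_use and p.vlan is not None:
            counts[p.vlan] = counts.get(p.vlan, 0) + 1
    return {v: n for v, n in counts.items() if n > max_users}

def sample_ports():
    """Constructed switch: two free ports, one idle production port, two parked ports."""
    return [Port("Fa0/1"), Port("Fa0/2"), Port("Fa0/3", vlan=10),
            Port("Fa0/4", enabled=False), Port("Fa0/5", vlan=LOW_SERVICE_VLAN)]

if __name__ == "__main__":
    ports, alerts = sample_ports(), []
    connect_station(ports[0], "02:00:00:00:00:0A", alerts)   # approved station
    connect_station(ports[1], "02:00:00:00:00:99", alerts)   # unknown station
    print(alerts, audit_unused_ports(ports))
```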

35
Tightening Network Security
36
VLANS Save Money
  • Connect existing HUBS to switches
  • Each hub segment connected to a switch can be
    assigned only ONE VLAN
  • Stations that share a hub segment are in the same
    VLAN
  • If a station needs to be assigned a new VLAN that
    station must move to the new hub with the
    appropriate VLAN