Chapter 3 VLANs

Cisco Networking Academy Program @ TSTC-Waco

VLAN Overview

Differences between LANs & VLANs

VLANs:
work at Layer 2 & 3
control network broadcasts
allow users to be assigned by the net admin
provide tighter network security. How?

Logical grouping of devices or users
Configuration done at the switch via software
Not standardized: proprietary software from the vendor

Logically segment the physical LAN infrastructure into different subnets (or broadcast domains for Ethernet)

Differences Between Traditional Switched LAN and VLANs

VLANs work at Layer 2 and Layer 3 of the OSI model
Communication between VLANs is done by routers
VLANs provide a method of controlling network broadcasts
Administrators assign users to VLANs
VLANs increase network security by defining who can communicate with whom
Group switch ports and their connected users into logically defined workgroups

Transport of VLANs Across the Backbone

Ability to transport VLAN information between interconnected switches and routers that reside on the backbone
Remove physical boundaries between users
Increase configuration flexibility when users move
Provide a mechanism for interoperability between backbone components

VLAN transportation
The backbone commonly acts as a collection point for large volumes of traffic
It carries end-user information and VLAN ID between switches, routers and directly attached servers

Routers in the VLAN

Traditionally provide firewalls, broadcast management, etc.
Provide connected routes between different VLANs
Cost-effectively integrate external routers into the switching architecture by using one or more high-speed backbone connections such as Fast Ethernet or ATM
Increasing the throughput between switches and routers
Consolidating the number of physical router ports required for communication between VLANs

VLANs Across the Backbone

VLAN configuration needs to support backbone transport of data between interconnected routers and switches.
The backbone is the area used for inter-VLAN communication.
The backbone should be high-speed links, typically 100 Mbps or greater.

Routers Role in a VLAN

A router provides the connection between different VLANs. For example, you have VLAN1 and VLAN2.
Within the switch, users on separate VLANs cannot talk to each other (a benefit of a VLAN!)
However, users on VLAN1 can email users on VLAN2, but they need a router to do it.

Frame Use in the VLAN

Switches are the core component of VLAN communication
Each switch makes forwarding and filtering decisions based on the frame
Based on VLAN metrics

Approaches for logically grouping users into distinct VLANs:

Frame filtering
Frame tagging (identification)

How Frames are Used in a VLAN

Switches make filtering and forwarding decisions based on data in the frame. There are two techniques used.
Frame Filtering: examines particular information about each frame (MAC address or Layer 3 protocol type)
Frame Tagging: places a unique identifier in the header of each frame as it is forwarded throughout the network backbone.

Frame Filtering

Frame Tagging
Uniquely assigns a VLAN ID to each frame
VLAN IDs are assigned by the switch administrator
Chosen by IEEE for its scalability
Gaining recognition as the standard trunking mechanism
IEEE 802.1Q states that Frame Tagging is the way to implement VLANs

More on Frame Tagging

Frame Tagging...
is specified by IEEE 802.1Q, which states frame tagging is the preferred way to implement VLANs
uniquely assigns a VLAN ID to each frame before it is forwarded across the backbone
is understood by switches prior to any broadcasts or transmission to other switches or routers
places a tag in the frame... thus, frame tagging. So what layer?
is removed by the switch after the frame exits the backbone and before the frame is forwarded to the end station

Frame Tagging Continued

Places a unique identifier in the header of each frame as it is forwarded throughout the network
When the frame exits the network backbone, the switch removes the identifier before the frame is transmitted to its target
Frame identification functions at Layer 2 and requires little administrative overhead

Ports, VLANs and Broadcasts

VLANs make up a switched network that is logically segmented
Ports assigned to the same VLAN share broadcasts
Two VLAN implementations:
Static
Dynamic
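The tagging described in the Frame Tagging slides and the rule that "ports assigned to the same VLAN share broadcasts", as an added example that is not part of the original slides or of Cisco's switch software: a toy Python switch with statically assigned access ports and one trunk. The port names (Fa0/1, Fa0/2, Fa0/3, Gi0/1), the VLAN numbers 10 and 20, the MAC addresses and the ARP payload are constructed for the example; the TPID 0x8100 and the TCI layout are the real IEEE 802.1Q values. The model assumes there is no native VLAN on the trunk and that a tagged frame arriving on an access port is dropped.

```python
import struct

# Real IEEE 802.1Q values.
TPID_8021Q = 0x8100          # EtherType position holds this value when a frame is tagged
ETHERTYPE_ARP = 0x0806
BROADCAST_MAC = b"\xff" * 6


def mac(text):
    """'00:11:22:33:44:55' -> 6 raw bytes."""
    return bytes.fromhex(text.replace(":", ""))


def build_frame(dst, src, ethertype, payload):
    """Untagged Ethernet II frame: dst(6) src(6) EtherType(2) payload."""
    return dst + src + struct.pack("!H", ethertype) + payload


def add_tag(frame, vlan_id, pcp=0):
    """Insert the 4-byte 802.1Q tag between the source MAC and the EtherType."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be 1..4094 (0 and 4095 are reserved)")
    tci = (pcp << 13) | vlan_id          # TCI = PCP(3 bits) | DEI(1 bit, 0) | VID(12 bits)
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def read_tag(frame):
    """Return (vlan_id, frame_without_tag); vlan_id is None for an untagged frame."""
    if struct.unpack("!H", frame[12:14])[0] != TPID_8021Q:
        return None, frame
    tci = struct.unpack("!H", frame[14:16])[0]
    return tci & 0x0FFF, frame[:12] + frame[16:]


class Switch:
    """Toy VLAN-aware switch: access ports carry one VLAN untagged, trunks carry all VLANs tagged."""

    def __init__(self, access_ports, trunk_ports):
        self.access = dict(access_ports)     # port -> VLAN ID (static assignment by the admin)
        self.trunks = set(trunk_ports)
        self.mac_table = {}                  # (vlan, mac) -> port, learned per VLAN

    def is_member(self, port, vid):
        return port in self.trunks or self.access.get(port) == vid

    def receive(self, in_port, frame):
        """Classify the frame into a VLAN and return {out_port: frame_to_send}."""
        vid, untagged = read_tag(frame)
        if in_port in self.access:
            if vid is not None:
                return {}                    # tags are not accepted on an access port
            vid = self.access[in_port]       # the VLAN comes from the port, not the frame
        elif in_port in self.trunks:
            if vid is None:
                return {}                    # this model has no native VLAN on the trunk
        else:
            return {}                        # unknown port
        dst, src = untagged[:6], untagged[6:12]
        self.mac_table[(vid, src)] = in_port
        known = self.mac_table.get((vid, dst))
        if dst != BROADCAST_MAC and known is not None and known != in_port:
            targets = [known]
        else:                                # flood, but only to ports in this VLAN
            targets = [p for p in list(self.access) + list(self.trunks)
                       if p != in_port and self.is_member(p, vid)]
        # Tag on the way onto the backbone, strip before an end station sees the frame.
        return {p: (add_tag(untagged, vid) if p in self.trunks else untagged) for p in targets}


def demo_broadcast():
    """ARP broadcast from a VLAN 10 access port: reaches the other VLAN 10 port and the trunk only."""
    sw = Switch({"Fa0/1": 10, "Fa0/2": 10, "Fa0/3": 20}, {"Gi0/1"})
    arp = build_frame(BROADCAST_MAC, mac("00:11:22:33:44:01"), ETHERTYPE_ARP, b"who-has 10.0.10.2")
    return sw.receive("Fa0/1", arp)


def demo_trunk_ingress():
    """Tagged VLAN 20 frame arriving over the trunk is delivered untagged to the VLAN 20 port."""
    sw = Switch({"Fa0/1": 10, "Fa0/2": 10, "Fa0/3": 20}, {"Gi0/1"})
    frame = build_frame(BROADCAST_MAC, mac("00:11:22:33:44:20"), ETHERTYPE_ARP, b"who-has 10.0.20.9")
    return sw.receive("Gi0/1", add_tag(frame, 20))


if __name__ == "__main__":
    for port, f in demo_broadcast().items():
        vid, _ = read_tag(f)
        print(port, "untagged" if vid is None else f"802.1Q tag VID {vid}")
```

Running the file prints where the VLAN 10 broadcast went: Fa0/2 receives it untagged, Gi0/1 receives it with a VLAN 10 tag, and Fa0/3 (VLAN 20) never sees it. The tag exists only while the frame crosses the trunk and is stripped before it reaches an end station, which is the Layer 2 behaviour the slides describe; the MAC table is keyed per VLAN so a station learned in one VLAN cannot be reached from another without a router.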

Static VLANs
Ports on a switch that are statically assigned to a VLAN
Require an administrator to make changes
Secure
Easy to configure
Straightforward to monitor
Works well in networks in which moves are controlled and managed

Static VLANs
Static VLANs are when ports on a switch are administratively assigned to a VLAN

can be assigned by port, address, or protocol type
secure, easy to configure and monitor
works well in networks where moves are controlled


Dynamic VLANs
Ports on a switch automatically determine their VLAN assignments
Based on MAC addresses, logical addressing or the protocol type of the data packet
Less administration within the wiring closet when a user moves or a new one is added
Centralized notification when an unrecognized user is added to the network
More administration is required to initially set up the database within the VLAN management software (VMPS)

Dynamic VLANs
Switch ports can automatically determine a user's VLAN assignment based on either:
MAC address
logical address
When a station is initially connected to an unassigned port, the switch checks an entry in the table and dynamically configures the port with the right VLAN

less administration (more upfront) when users are added or move
centralized notification of an unauthorized user

Dynamic VLANs

VLAN Additions, Moves and Changes

Companies are continually reorganizing
These moves/changes are network managers' biggest headaches and one of the largest expenses related to managing a network

VLANs provide effective measures for controlling changes and reducing costs
Users in a VLAN can share the same network address space, i.e. IP subnet
VLANs require less rewiring, configuration and debugging

Movement of Users

VLANs Help Control Broadcast Activity

One of the most effective measures is to properly segment with firewalls that help prevent problems on one segment from damaging other parts of the network
Firewall segmentation provides reliability and minimizes overhead broadcast traffic
With no routers between switches, broadcasts (Layer 2) are sent to every switched port; this is referred to as a FLAT network (one broadcast domain across the whole network)
Flat Network
Provides low latency & high throughput
Easy to administer

VLANs Controlling Broadcast Activity

FLAT Network Disadvantages
Increases vulnerability to broadcast traffic across all switches, ports, backbone links and users

VLANs effectively extend firewalls from routers to the switch fabric and protect against potentially dangerous broadcast problems
Creating firewalls
Assign switch ports or users to specific VLAN groups, both within single switches and across multiple connected switches

VLANs and Broadcast Activity

VLANs Control Broadcasts

Routers provide an effective firewall against broadcasts
Adding VLANs can extend a router's firewall capabilities to the switch fabric
The smaller the VLAN, the smaller the number of users that are affected by broadcasts

How do VLANs Improve Network Security

Restrict the number of users in a VLAN group
Prevent another user from joining without first receiving approval from the VLAN network management application
Configure all unused ports to a default low-service VLAN

VLANs Improve Security

Shared LANs are easy to penetrate... simply plug into the shared hub.
VLANs increase security by...
restricting the number of users in a VLAN
preventing user access without authorization
configuring all unused ports to the Disabled setting
controlling access by:
addresses
application types
protocol types
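The admission rules from the security slides and from the Dynamic VLANs slides above, as an added Python example that is not from the course and not Cisco's VMPS implementation: a small policy model in which static ports keep their administrator-assigned VLAN, dynamic ports look the station's MAC address up in a central database, unknown stations and unused ports land in a low-service VLAN, the number of users per VLAN is capped, and every refusal produces a centralized notification. The port names, MAC addresses, VLAN numbers and the QUARANTINE_VLAN value 999 are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

QUARANTINE_VLAN = 999   # constructed: the "default low-service VLAN" for unused ports and unknown stations


@dataclass
class PortPolicy:
    mode: str                     # "static" (admin-assigned), "dynamic" (looked up), or "unused"
    vlan: Optional[int] = None    # the fixed VLAN of a static port


@dataclass
class VlanAdmission:
    ports: Dict[str, PortPolicy]
    mac_db: Dict[str, int]        # central MAC -> VLAN database (the role VMPS plays on Cisco switches)
    max_users: Dict[int, int]     # cap on stations per VLAN
    members: Dict[int, Set[str]] = field(default_factory=dict)
    alerts: List[str] = field(default_factory=list)   # centralized notifications to the admin

    def connect(self, port: str, mac: str) -> int:
        """Return the VLAN a newly connected station lands in; QUARANTINE_VLAN means no service."""
        mac = mac.lower()
        policy = self.ports.get(port)
        if policy is None or policy.mode == "unused":
            self.alerts.append(f"{port}: link on unused port from {mac}")
            return QUARANTINE_VLAN
        if policy.mode == "static":
            vlan = policy.vlan                      # the port, not the station, decides
        else:
            vlan = self.mac_db.get(mac)             # dynamic: the station's MAC decides
            if vlan is None:
                self.alerts.append(f"{port}: unrecognized station {mac}, awaiting approval")
                return QUARANTINE_VLAN
        users = self.members.setdefault(vlan, set())
        if mac not in users and len(users) >= self.max_users.get(vlan, 10**9):
            self.alerts.append(f"{port}: VLAN {vlan} is full, {mac} refused")
            return QUARANTINE_VLAN
        users.add(mac)
        return vlan


def demo():
    """Constructed scenario: one static port, two dynamic ports, one unused port."""
    admission = VlanAdmission(
        ports={
            "Fa0/1": PortPolicy("static", vlan=10),
            "Fa0/2": PortPolicy("dynamic"),
            "Fa0/3": PortPolicy("dynamic"),
            "Fa0/24": PortPolicy("unused"),
        },
        mac_db={"00:11:22:33:44:20": 20},
        max_users={10: 1, 20: 5},
    )
    results = {
        "static_port": admission.connect("Fa0/1", "00:11:22:33:44:10"),
        "static_port_second_user": admission.connect("Fa0/1", "00:11:22:33:44:11"),
        "known_mac_dynamic": admission.connect("Fa0/2", "00:11:22:33:44:20"),
        "unknown_mac_dynamic": admission.connect("Fa0/3", "DE:AD:BE:EF:00:01"),
        "unused_port": admission.connect("Fa0/24", "00:11:22:33:44:99"),
    }
    return results, admission.alerts


if __name__ == "__main__":
    outcome, notes = demo()
    for case, vlan in outcome.items():
        print(f"{case:24} -> VLAN {vlan}")
    for note in notes:
        print("ALERT", note)
```

Only the known station on a dynamic port and the first station on the static port get a working VLAN; the second station on the capped VLAN 10, the unknown MAC and the link on the unused port all end up in the low-service VLAN with an alert for the administrator, which is the "approval before joining" and "unused ports to a default low-service VLAN" behaviour the slides describe.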

Tightening Network Security

VLANS Save Money

Connect existing HUBS to switches
Each hub segment connected to a switch can be assigned only ONE VLAN
Stations that share a hub segment are in the same VLAN
If a station needs to be assigned a new VLAN, that station must move to the hub with the appropriate VLAN