Saturday, November 17, 2007

Zen VLANs

This article attempts to provide a brief explanation of what VLANs are and how they work on a network. As a network administrator it is your responsibility to make sure that network users receive the services they need to successfully perform their job. For instance, it may be necessary to group certain individuals together on the network, or to separate particular parts of the network from certain users. Both of these tasks and many others can be accomplished by implementing virtual local area networks (VLANs). A VLAN is pretty much what its name implies, a network (LAN) that functions virtually or logically on a physical network. VLANs are a great solution for organizationally breaking a network into functional parts, grouping or organizing network users, controlling the size of a broadcast domain, or administering an additional layer of security on the network.


LANs


A local area network (LAN) is a network under the control of one administrator. Traditionally it is the combination of all of the devices located on a campus: network devices (routers, switches, hubs, etc.) and end devices (computers, printers, scanners, etc.). In a flat LAN these devices share the same media, the same broadcast domain and the same IP addressing scheme, so users are grouped together according to where they are physically located. This physical constraint can pose a problem for some organizations.


VLANs

A VLAN is a group of devices on a network that behave as if they are attached to the same media and perform like an independent network. Here is an example: several individuals at XYZ, Inc. are working on the same project. These individuals work in two different departments located in different areas throughout the XYZ Inc. campus. Management has decided that it would be more efficient if the team is set up on its own separate network. The network administrator suggests implementing a VLAN solution. Now Jill in Accounting on the third floor is logically, as opposed to physically, connected to Jack in Marketing on the seventh floor.


How They Work

There are two essential network devices for a VLAN implementation: a switch and a router. According to Cisco Systems, a switch is "a network device that filters, forwards, and floods frames based on the destination address of each frame" (http://www.cisco.com/univercd/cc/td/doc/cisintwk/ita/s12.htm). A switch operates at the data link layer (Layer 2 of the OSI model), forwarding frames by destination MAC address, and is usually the aggregation point where end devices attach to the network. For example, your office PC (assuming you are on a wired network) is most likely connected to the network through a switch.

Routers are essential for inter-network communication. A router is a computer that moves (routes) packets between different networks, using network-layer (IP) addresses and a routing table to decide where each packet goes. A router also bounds a broadcast domain: a broadcast frame is flooded to every port within a LAN, but the router does not forward it into another network. Too much broadcast traffic can bog down a network, since every host in the domain must process every broadcast it receives. In most cases reducing the size of the broadcast domain resolves the problem.

Since a router bounds the broadcast domain of each network and each network needs a router for inter-network connectivity, all communication between broadcast domains goes through the router. And since a VLAN behaves like an individual network, each VLAN is its own broadcast domain. It follows that communication between VLANs must also go through a router, or a router-like device such as a Layer 3 switch:

Routers=broadcast domain -> VLANs=broadcast domain

Inter-broadcast domain connectivity through router -> Inter-VLAN connectivity through router as well.


Security

Bear in mind that VLANs logically group users and devices on the network. This characteristic can be used to add a layer of security: a network administrator can separate individuals and devices into groups and regulate the traffic between them. Because inter-VLAN traffic must cross the router, access control lists (ACLs) or other filtering applied there give granular control over which VLANs may talk to which, and on what ports. The boundary is only as strong as the switch configuration that enforces it: user-facing ports should be fixed as access ports with trunk negotiation disabled, trunks should be configured explicitly rather than negotiated, and the native VLAN of a trunk, whose frames travel untagged, should not be a VLAN that user ports belong to.

VLANs can also be used to control the size of a broadcast domain. A smaller broadcast domain reduces the traffic a given host sees: broadcasts, and unicast frames that the switch floods because it has not yet learned the destination, stay within the VLAN. This reduces what a malicious user or attacker can capture ("sniff") from the network. Furthermore, VLANs let the administrator assign users to VLANs by role or department rather than by physical location, so an attacker who plugs into a wall jack gains access only to that port's VLAN rather than to the "entire network."
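To make the broadcast-domain argument in "How They Work" concrete, and to show what the sniffing claim above rests on, here is an added example that is not part of the original article: a toy Layer 2 switch in Python. Its port-to-VLAN layout mirrors the switch configuration later in the article (ports 1-4 in VLAN 1, 5-13 in VLAN 10, 14-23 in VLAN 20, port 24 as the trunk); the class and function names, MAC addresses and frames are constructed for the demonstration.

```python
# Added example (not from the original article): a toy Layer 2 switch showing
# why each VLAN is a separate broadcast domain. The port layout follows the
# article's switch configuration; MAC addresses and frames are constructed.
BROADCAST = "ff:ff:ff:ff:ff:ff"
NATIVE_VID = 1  # untagged frames arriving on a trunk belong to the native VLAN

# port number -> VLAN id, matching the "switchport access vlan" ranges on the page
ACCESS_PORTS = {p: 1 for p in range(1, 5)}
ACCESS_PORTS.update({p: 10 for p in range(5, 14)})    # Accounting
ACCESS_PORTS.update({p: 20 for p in range(14, 24)})   # Marketing
TRUNK_PORTS = {24}                                    # f0/24 toward the router


class ToySwitch:
    def __init__(self, access_ports=ACCESS_PORTS, trunk_ports=TRUNK_PORTS):
        self.access = dict(access_ports)
        self.trunks = set(trunk_ports)
        self.mac_table = {}  # (vid, mac) -> port: the CAM table is kept per VLAN

    def classify(self, port, vid_tag):
        """Which VLAN does a frame arriving on `port` belong to?"""
        if port in self.trunks:
            return NATIVE_VID if vid_tag is None else vid_tag
        if vid_tag is not None:
            return None  # 802.1Q-tagged frame on an access port: discard it
        return self.access[port]

    def receive(self, port, src_mac, dst_mac, vid_tag=None):
        """Process one frame. Returns {egress_port: tag}, where tag is the 802.1Q
        VLAN id written into the frame on trunks (None means sent untagged)."""
        vid = self.classify(port, vid_tag)
        if vid is None:
            return {}
        self.mac_table[(vid, src_mac)] = port  # learn the source within this VLAN
        known = self.mac_table.get((vid, dst_mac))
        if dst_mac != BROADCAST and known is not None:
            targets = [known] if known != port else []
        else:
            # Broadcast or unknown unicast: flood, but only to ports in the same
            # VLAN plus the trunk. Ports in other VLANs never see the frame.
            targets = [p for p, v in self.access.items() if v == vid and p != port]
            targets += [p for p in self.trunks if p != port]
        return {p: (vid if p in self.trunks and vid != NATIVE_VID else None)
                for p in targets}


def who_sees_broadcast(port):
    """Ports that receive a broadcast sent into `port` of a freshly booted switch."""
    sw = ToySwitch()
    return sorted(sw.receive(port, "aa:aa:aa:aa:aa:%02x" % port, BROADCAST))
```

A host in Marketing (port 14) receives nothing when Accounting (port 5) broadcasts, so an attacker there cannot sniff Accounting's ARP or other broadcast traffic; the trunk does receive the frame, tagged with VLAN 10, which is what the router-on-a-stick later on the page relies on. The MAC table is keyed per VLAN, so the same MAC seen in one VLAN is still "unknown" in another.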


Implementation

Recall that the two essential network devices for VLAN implementation are the router and the switch. The following VLAN configuration will assume that the reader is setting up a “router-on-a-stick” VLAN topology using a Cisco router with Catalyst 2950 or 2960 switches.

The router configuration for the "router-on-a-stick" implementation is relatively simple. Most of the router settings are standard except for the port (trunk) that carries the VLAN traffic. A trunk is a link that carries the frames of several VLANs between two devices, in this case between the switch and the router. Each trunk must be configured for an encapsulation: the method of tagging each frame with the number of the VLAN it belongs to as it crosses the trunk. IEEE 802.1Q ("dot1q") encapsulation will be used in this configuration.

The trunk port will have multiple sub-interfaces configured on it, because each VLAN needs an interface of its own on the router. Fortunately these need not be physical interfaces: Cisco routers allow multiple sub-interfaces (logical interfaces) to be configured on one physical port. Each sub-interface is bound to one VLAN number and given an IP address in that VLAN's subnet; that address becomes the default gateway for the hosts in the VLAN. Finally, a routing protocol must be configured on the router. The following configuration uses EIGRP.

All switches must also be configured to participate. First, VLAN Trunking Protocol (VTP) is set up on each switch. VTP reduces the management burden on a VLANed network: one switch acts as the VTP server and the others as clients, and the server distributes the VLAN definitions to the clients. A VTP management domain must then be created on the switches; all switches in the same domain share the same VLAN information. The domain in the following example is "Cisco." Note that VTP synchronization is driven by a configuration revision number, and a switch joining the domain with a higher revision number will overwrite the VLAN database of the other switches in it, so set the domain name (and a VTP password) before connecting switches together. Individual VLANs are then created on the server, and each switchport is assigned to a particular VLAN. The VLAN numbers on the switch must match the ones configured on the router's sub-interfaces. Finally, one switchport must function as the trunk port between the switch and the router and, like the router, will use dot1q encapsulation.
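The router side of the procedure just described, as an added example that is not part of the original article: a Python model of what the router-on-a-stick does with each frame arriving on its trunk. The sub-interface addresses and VLAN numbers are those of the router configuration that follows; the frame builder, the IPv4 helper, the anti-spoofing check and the inter-VLAN ACL rule (Marketing may not reach Accounting) are constructed for the demonstration and are not part of the page's configuration.

```python
# Added example (not from the original article): a model of the router-on-a-stick
# forwarding path for 802.1Q-tagged frames. Sub-interface addresses come from the
# page's router configuration; frames, the ACL rule and helper names are assumed.
import ipaddress
import struct

TPID_8021Q = 0x8100      # EtherType value that announces an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800
NATIVE_VID = 1           # "encapsulation dot1q 1 native" on f0/0.1

# VLAN id -> sub-interface address, as on the page's router
SUBINTERFACES = {
    1: ipaddress.ip_interface("192.168.1.1/24"),    # f0/0.1  native VLAN 1
    10: ipaddress.ip_interface("192.168.10.1/24"),  # f0/0.10 Accounting
    20: ipaddress.ip_interface("192.168.20.1/24"),  # f0/0.20 Marketing
}
# Hypothetical inter-VLAN ACL: (source network, destination network) pairs to deny
ACL_DENY = [(ipaddress.ip_network("192.168.20.0/24"),
             ipaddress.ip_network("192.168.10.0/24"))]


def encapsulate(dst_mac, src_mac, vid, payload):
    """Build a trunk frame. Native-VLAN frames leave untagged; all others carry a
    4-byte tag (TPID 0x8100 + 16-bit TCI whose low 12 bits are the VLAN id)."""
    frame = dst_mac + src_mac
    if vid != NATIVE_VID:
        frame += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)  # PCP=0, DEI=0
    return frame + struct.pack("!H", ETHERTYPE_IPV4) + payload


def parse_frame(frame):
    """Return (vid, ethertype, payload). An untagged frame on the trunk is, by
    definition, native-VLAN traffic; that is why the native VLAN choice matters."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == TPID_8021Q:
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        return tci & 0x0FFF, ethertype, frame[18:]
    return NATIVE_VID, ethertype, frame[14:]


def ipv4_checksum(header):
    """RFC 1071 ones'-complement checksum; verifies to 0 over a correct header."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4(src, dst, ttl=64):
    """Minimal 20-byte IPv4 header (protocol 17, no payload), enough to route on."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, ttl, 17, 0,
                      ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def route_frame(frame):
    """Forwarding decision for one frame arriving on the router's trunk.
    Returns the frame sent back down the trunk, or None if it is dropped."""
    in_vid, ethertype, packet = parse_frame(frame)
    if in_vid not in SUBINTERFACES or ethertype != ETHERTYPE_IPV4:
        return None   # no sub-interface for that VLAN (or not IPv4)
    ttl = packet[8]
    src_ip = ipaddress.ip_address(packet[12:16])
    dst_ip = ipaddress.ip_address(packet[16:20])
    if src_ip not in SUBINTERFACES[in_vid].network:
        return None   # source does not belong to the VLAN it arrived on: spoofed
    if ttl <= 1:
        return None   # TTL expired (a real router would send ICMP time exceeded)
    out_vid = next((v for v, i in SUBINTERFACES.items() if dst_ip in i.network), None)
    if out_vid is None:
        return None   # not a connected VLAN; would go to the routing table / s0/0
    if any(src_ip in s and dst_ip in d for s, d in ACL_DENY):
        return None   # blocked by the inter-VLAN ACL
    hdr = bytearray(packet[:20])
    hdr[8] = ttl - 1                      # decrement TTL, then recompute checksum
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
    # MACs are placeholders: a real router would ARP for dst_ip in the egress VLAN
    return encapsulate(b"\x00" * 6, b"\x00" * 6, out_vid, bytes(hdr) + packet[20:])
```

A frame tagged 10 from 192.168.10.5 to 192.168.20.7 comes back tagged 20 with its TTL decremented, while the reverse direction is dropped by the ACL. A frame that arrives untagged is treated as VLAN 1 traffic, and a frame whose source address does not belong to the VLAN it arrived on is discarded, which is the kind of per-sub-interface filtering the Security section alludes to.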


Device Configurations

VLAN Router

The configuration will omit the basic router configurations and focus on the VLAN settings.
router#
router#configure terminal
router(config)#hostname vlan_router
vlan_router(config)#interface s0/0
vlan_router(config-if)#ip address 200.200.200.201 255.255.255.252
vlan_router(config-if)#no shutdown
vlan_router(config-if)#description WAN Interface to ISP

Program sub-interfaces on the router's trunk port. They let one physical interface behave like several, one per VLAN, without consuming additional ports. The physical interface carries no IP address of its own here; it only needs to be up.
vlan_router(config-if)#interface fastethernet 0/0
vlan_router(config-if)#no shutdown
vlan_router(config-if)#interface f0/0.1


Each sub-interface must be told which 802.1Q tag it handles. Dot1q (IEEE 802.1Q) is the standards-based, non-proprietary tagging used on VLAN trunks. Frames for the native VLAN (VLAN 1 by default) travel untagged on the trunk, and the native keyword tells the router to treat untagged frames as belonging to this sub-interface; the command requires the VLAN number even for the native VLAN. The VLAN numbers used here (1, 10 and 20) must match the VLANs created on the switch.
vlan_router(config-subif)#encapsulation dot1q 1 native
vlan_router(config-subif)#ip address 192.168.1.1 255.255.255.0
vlan_router(config-subif)#description Sub-interface for VLAN 1
vlan_router(config-subif)#interface f0/0.10
vlan_router(config-subif)#encapsulation dot1q 10
vlan_router(config-subif)#ip address 192.168.10.1 255.255.255.0
vlan_router(config-subif)#description Sub-interface for Accounting VLAN 10
vlan_router(config-subif)#interface f0/0.20
vlan_router(config-subif)#encapsulation dot1q 20
vlan_router(config-subif)#ip address 192.168.20.1 255.255.255.0
vlan_router(config-subif)#description Sub-interface for Marketing VLAN 20
vlan_router(config-subif)#exit

Program the router to use EIGRP with autonomous system 100 as the routing protocol, and disable automatic summarization. The WAN link is entered with a wildcard mask so that only the /30 toward the ISP is matched rather than the whole classful network.
vlan_router(config)#router eigrp 100
vlan_router(config-router)#network 192.168.1.0
vlan_router(config-router)#network 192.168.10.0
vlan_router(config-router)#network 192.168.20.0
vlan_router(config-router)#network 200.200.200.200 0.0.0.3
vlan_router(config-router)#no auto-summary
vlan_router(config-router)#end
vlan_router#write memory


VLAN Switch

It is important to understand that VLAN 1 exists on every switch by default and cannot be deleted, so there is no need to create it. The configuration below uses VLAN database mode, which these switches still accept but which is deprecated; the equivalent in global configuration mode is vlan 10 followed by name Accounting, and that form should be preferred on current software. VLANs must have a unique VLAN number and a name.
switch#vlan database
switch(vlan)#vlan 10 name Accounting
switch(vlan)#vlan 20 name Marketing

Set up the switch as the VTP server and assign the VTP domain the name "Cisco." Do this before the other switches are connected: a switch that joins the domain with a higher configuration revision number would otherwise overwrite this VLAN database, so set the domain name (and a VTP password) first and check the result with show vtp status. In VLAN database mode the changes take effect on exit.
switch(vlan)#vtp server
switch(vlan)#vtp domain Cisco
switch(vlan)#exit

Designate a switchport as the trunk port toward the router. The Catalyst 2950 and 2960 support only 802.1Q trunking, so they do not accept the switchport trunk encapsulation command and switchport mode trunk alone is sufficient; on platforms that also support ISL (3550, 3560), the encapsulation must be set before the port can be placed in trunk mode, so the encapsulation line is shown first. Since the other end of this trunk is a router, DTP negotiation is not needed and it is good practice to turn it off with switchport nonegotiate.
switch#configure terminal
switch(config)#hostname vlan_switch
vlan_switch(config)#interface f0/24
vlan_switch(config-if)#switchport trunk encapsulation dot1q
vlan_switch(config-if)#switchport mode trunk


Spanning-Tree Protocol prevents switching loops when switches are interconnected by multiple links. Although no redundant links exist in this set-up, it is a good habit to configure it properly. The spanning-tree portfast command does not check a port for loops; it makes an access port skip the listening and learning states and go straight to forwarding, so it belongs only on ports that connect end devices, never on the trunk. Pair it with spanning-tree bpduguard enable so that a port that unexpectedly receives BPDUs (for instance, from a rogue switch plugged into a wall jack) is shut down rather than joining the topology. Ports on these switches are numbered from f0/1, so the ranges below start there: ports 1 through 4 stay in VLAN 1, 5 through 13 go to Accounting (VLAN 10) and 14 through 23 to Marketing (VLAN 20).
vlan_switch(config-if)#interface range f0/1 - 4
vlan_switch(config-if-range)#switchport access vlan 1
vlan_switch(config-if-range)#spanning-tree portfast

vlan_switch(config-if-range)#interface range f0/5 - 13
vlan_switch(config-if-range)#switchport access vlan 10
vlan_switch(config-if-range)#spanning-tree portfast

vlan_switch(config-if-range)#interface range f0/14 - 23
vlan_switch(config-if-range)#switchport access vlan 20
vlan_switch(config-if-range)#spanning-tree portfast

A Layer 2 switch such as the 2950 or 2960 supports only one active switched virtual interface (SVI), the management interface, so enable (with the no shutdown command) the interface for VLAN 1 only; it carries the address used to manage the switch. The VLAN 10 and VLAN 20 interfaces below are created but stay down on these platforms, so they can be omitted. The switch will also need ip default-gateway 192.168.1.1 so that its management address can be reached from other subnets through the router. VLAN 1 is the default management VLAN; on a production switch the management address is better placed on a VLAN that no user port, and no trunk's native VLAN, shares.
vlan_switch(config-if-range)#interface vlan 1
vlan_switch(config-if)#ip address 192.168.1.2 255.255.255.0
vlan_switch(config-if)#no shutdown
vlan_switch(config-if)#description Management VLAN

vlan_switch(config-if)#interface vlan 10
vlan_switch(config-if)#ip address 192.168.10.2 255.255.255.0
vlan_switch(config-if)#description Accounting VLAN

vlan_switch(config-if)#interface vlan 20
vlan_switch(config-if)#ip address 192.168.20.2 255.255.255.0
vlan_switch(config-if)#description Marketing VLAN

vlan_switch(config-if)#end
vlan_switch#write memory


Conclusion

It should be stressed that entire books can be written about VLANs. This article merely scratches the surface of this great tool. Whether implementing VLANs for security, to organize your network into functional working parts, to add structure to the network, to eliminate flat LAN design, or reduce the size of a broadcast domain, VLANing is a great skill to add to your networking toolbox. So go ahead and give it a try. Happy VLANing!

by y0duh
