Vanessa Avalos
Cisco Semester 3
August 29, 2001
Lecture Notes
Chapter 3: The VLAN
VLAN
Definition: A logical grouping of devices or users regardless of physical location, configured in software on the switch.
Facts about VLANs
- Each VLAN is a member of a subnet.
- VLANs can remove physical boundaries.
- VLANs are a cost-effective and efficient way of grouping users.
- Users can be grouped by function, department, or application.
- VLANs provide a method for controlling broadcasts.
- Routers communicate between VLANs.
- Network administrators assign VLANs.
- VLANs can increase network security.
- VLANs operate at Layers 2 and 3.
- VLANs can connect WANs and buildings.
Transporting VLAN information across the backbone
Transport capabilities:
- Remove physical boundaries between users.
- Increase the configuration flexibility of VLANs when a user moves.
- Provide mechanisms for interoperability between backbone components.
- The backbone is the collection point for traffic.
- The backbone also carries VLAN information and identification between switches and routers.
Traditionally a router provides firewalls, broadcast management, and route processing and distribution. A VLAN can take over some of these tasks.
Each intelligent switch can communicate with routers and/or other switches.
The most common ways to logically group users in VLANs are frame filtering and frame identification (tagging).
Both examine each frame as it is received or forwarded.
The frame's configuration determines whether the frame is sent, filtered, or broadcast.
Both can be centrally administered with software and are easily implemented.
Frame Filtering | Frame Identification (tagging)
Each switch builds a table. | Uniquely assigns a VLAN ID to each frame.
Has a high level of administration because it can examine many attributes. | Requires little processing or administrative overhead.
Uses the MAC address and protocol. | Functions at Layer 2.
Compares the packet with the table. | The switch removes the tag when the frame exits the backbone, before forwarding it to the end station.
Poor scaling. | Scales well.
Slow. | Adopted by IEEE as 802.1Q.
 | Gaining recognition as the standard trunking mechanism.
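The tagging column above describes a switch adding a VLAN ID as a frame enters the backbone and stripping it again before the frame reaches an end station. As an added example (not part of the original notes), this Python code builds and parses the 802.1Q tag on a constructed ARP broadcast frame and shows the egress check that keeps a VLAN 10 broadcast off a VLAN 20 access port; the frame bytes, VLAN numbers and function names are assumptions.

```python
import struct
from typing import Optional

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q tag


def tag_frame(frame: bytes, vlan_id: int, priority: int = 0) -> bytes:
    """Insert the 4-byte 802.1Q tag between the source MAC and the EtherType,
    as a switch does when a frame enters a trunk (backbone) link."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be 1..4094")
    if not 0 <= priority <= 7:
        raise ValueError("priority must be 0..7")
    tci = (priority << 13) | vlan_id  # PCP (3 bits) | DEI (1 bit, 0) | VID (12 bits)
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def vlan_of(frame: bytes) -> Optional[int]:
    """VLAN ID carried in the tag, or None if the frame is untagged."""
    if len(frame) < 16 or struct.unpack("!H", frame[12:14])[0] != TPID_8021Q:
        return None
    return struct.unpack("!H", frame[14:16])[0] & 0x0FFF


def untag_frame(frame: bytes) -> bytes:
    """Remove the tag, restoring the frame the end station originally sent."""
    if vlan_of(frame) is None:
        raise ValueError("frame carries no 802.1Q tag")
    return frame[:12] + frame[16:]


def egress_to_access_port(frame: bytes, port_vlan: int) -> Optional[bytes]:
    """What an access port assigned to port_vlan delivers when a tagged frame
    leaves the backbone: the untagged frame if the VLAN matches, else nothing.
    This is why a broadcast in VLAN 10 never reaches a station in VLAN 20."""
    if vlan_of(frame) != port_vlan:
        return None
    return untag_frame(frame)


# Constructed sample: an untagged ARP broadcast from 00:11:22:33:44:55
ARP_BROADCAST = (bytes.fromhex("ffffffffffff") + bytes.fromhex("001122334455")
                 + struct.pack("!H", 0x0806) + b"\x00" * 28)

if __name__ == "__main__":
    on_trunk = tag_frame(ARP_BROADCAST, 10, priority=3)
    print(on_trunk[12:16].hex(), vlan_of(on_trunk))             # 8100600a 10
    print(egress_to_access_port(on_trunk, 10) == ARP_BROADCAST)  # True
    print(egress_to_access_port(on_trunk, 20))                   # None
```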
VLAN Port Assignment:
Each port can be assigned a VLAN; there are three methods to do this.
1. Port-centric: All nodes connected to ports in the same VLAN get the same VLAN ID. This has greater security. Users are assigned to ports and cannot see other ports.
2. Static ports: VLANs are statically assigned by port. These assignments are kept until changed by the administrator. Secure, easy to configure, and straightforward to monitor.
3. Dynamic VLAN assignment: VLANs are assigned by MAC address, network address, or protocol type. When a station initially connects to an unassigned port, the switch checks its MAC address against the VLAN management database, then configures the port for the correct VLAN. The advantage is less administration in the wiring closet, but there is more administration up front.
Broadcasts need boundaries
Most applications developed over the years have been written to generate few broadcasts.
New multimedia applications are being developed that are broadcast- and multicast-intensive.
The best protection is to segment the network with broadcast firewalls so that problems on one segment do not affect another segment.
Routers provide broadcast firewalls.
VLANs are an effective mechanism for extending firewalls from the router to the switch.
Broadcasts do not cross VLANs.
This type of configuration frees bandwidth.
Smaller VLANs are less affected by broadcasts.
Network security and VLANs:
One problem with shared LANs is that they are relatively easy to penetrate by plugging into a live port.
You can tighten network security by:
- Implementing VLANs to restrict users to their VLAN group.
- Preventing users from joining a VLAN without first receiving approval from VLAN management.
- Configuring all unused ports to a default low-service VLAN.
- Adding an access list, which is most useful for traffic between VLANs; access can be restricted by station address, application type, protocol type, or time of day.
Many hubs are now being replaced by switches.
Save money by connecting the existing hubs to switches.
Any hub segment connected to a switch can only be assigned to one VLAN: one port, one VLAN.