CISCO Virtual LAN

	Internetworking Technologies Instructor: Prabul, CCNA
	Internetworking Technologies Instructor: Prabul, CCNA

3. Virtual LANs

Top 10 Graphics:

VLAN - Virtual LAN:

A group of devices on a LAN that are configured (using management software) so that they can communicate as if they were attached to the same wire, when in fact they are located on a number of different LAN segments. Because VLANs are based on logical instead of physical connections, they are extremely flexible. VLANs logically segment the physical LAN infrastructure into different subnets (broadcast domains for Ethernet) so that broadcast frames are switched only between ports within the same VLAN.

VLANs

A group of ports or users in the same broadcast domain
group can be based on port ID, MAC address, protocol, or application
LAN switches and network management software provide a mechanism to create VLANs
Frames tagged with VLAN ID

Logical networks independent of their members' physical location
Administratively defined broadcast domain
Users reassigned to different VLAN using software

Broadcast domain - The set of all devices that will receive broadcast frames originating from any device within the set. Broadcast domains are typically bounded by routers because routers do not forward broadcast frames.

Virtual LAN (VLAN) technology is a cost effective and efficient way of grouping network users into 'virtual workgroups' regardless of their physical location on the network.

VLANs work at Layer 2 and Layer 3 of the OSI model
VLANs provide a method of controlling network broadcast
Which users are part of a VLAN is controlled by the network administrator
VLANs can increase network security by defining which network nodes can communicate with each other

Why create VLANs ?

Simplify moves, adds, and changes
Reduce administrative costs
Better control of broadcasts
Tighten network security
Microsegment with scalability
Distribute traffic load
Relocate servers into secure locations

Microsegmentation - Division of a network into smaller segments, usually with the intention of increasing aggregate bandwidth to network devices.

Switches (the core of VLANs) - Network device that filters, forwards, and floods frames based on the destination address of each frame. The switch operates at the data link layer of the OSI model.

Are entry points for end-station devices into switched fabric
Provide intelligence to:
- Group users, ports, or logical addresses
- Make filtering and forwarding decisions
  - sent
  - filter
  - broadcast
- Communicate with other switches and routers
Use frame filtering or frame tagging (identification)
Switching and filtering based on the Layer 2 (bridging) and Layer 3 (routing) address

Frame Filtering (similar to scheme used by routers)

A filtering table is developed for each switch
Switches share address table information
Table enteries are compared with frames
Switch takes appropriate action (send, filter, broadcast)
not very scalable (because each frame has to be referenced to a lookup table)

Frame Tagging (more scalable solution)

Specifically developed for multi-VLAN, interswitched communications
Places unique identifier in header of each frame as it travels across the network backbone (vertical cabling)
Identifier removed before frame exits switch on nonbackbone links (horizontal cabling)
Functions at Layer 2 (Data Link)
Requires little processing or administrative overhead
Logical segmentation across the backbone
IEEE 802.1q

VLANs provide an effective mechanism for controlling changes and reducing much of the cost associated with hub and router reconfigurations. Users in a VLAN can share the same network "address space" (IP subnet) regardless of their location.

Static VLANs

Assigned ports on a switch (port-centric)
Maintain their assigned VLAN configurations until you change them
Static VLANs are secure, easy to configure and monitor
Works well in networks where moves are controlled and managed

Dynamic VLANs

VLANs assigned using centralized VLAN management applications
VLANs based on MAC address, logical address, or protocol type
Less administration in the wiring closet
Notification when unrecognized user is added to the network

Broadcasts need Boundaries

Broadcast traffic can result from multimedia applications, faulty devices
Broadcasts (from one segment) can bring down a network
Firewalls segment a network (commonly provided by a router)
VLANs plus routers bound broadcasts to domain of the original

Preventive measures need to be taken to ensure against broadcast-related problems. One effective measure is to properly segment the network with protective firewalls that prevent as much as possible, problems on one segment from damaging other parts of the network.

Broadcast - Data packet that will be sent to all nodes on a network. Broadcasts are identified by a broadcast address.

Multicast - Single packets copied by the network and sent to a specific subset of network addresses. These addresses are specified in the destination address field.

Unicast - Message sent to a single network destination.

Firewall - Router or access server, or several routers or access servers, designated as a buffer between any connected public networks and a private network. A firewall router uses access lists and other methods to ensure the security of the private network. Firewall segmentation provides reliability, and minimizes the overhead of broadcast traffic, allowing for greater throughput of application traffic.

When no routers are placed between switches, broadcasts (Layer 2 transmissions) are sent to every switched port. This is commonly referred to as a "flat" network where there is one broadcast domain across the entire network.

VLANs are an effective mechanism for extending firewalls from the routers to the switch fabric and protecting the network against potentially dangerous broadcast problems while maintaining all of the performance benefits of switching. Broadcast traffic within one VLAN is not transmitted outside the VLAN. You can easily control the size of the broadcast domain by regulating the overall size of its VLANs, restricting the number of switch ports within a VLAN and restricting the number of users residing on these ports and lower the overall vulnerability of the network to broadcast storms.

Broadcast storm - Undesirable network event in which many broadcasts are sent simultaneously across all network segments. A broadcast storm uses substantial network bandwidth and, typically, causes network time-outs.

Tightening Network Security

Segment network into multiple 'broadcast groups'
Restrict the number of users in a VLAN group
Disallow users from joining without first receiving approval from the VLAN network management application
Use VLANs and router 'access lists' based on:
- Station address
- Application types
- Protocol types

VLANs thus provide 'security firewalls', restrict individual user access and flag any unwanted intrusion to a network manager. Further security enhancements can be added using router 'access lists' which are especially useful when communicating between VLANs. On the secured VLAN, the router restricts access into the group as configured on both the switches and the routers.

Access list -

List kept by Cisco routers to control access to or from the router for a number of services (for example, to prevent packets with a certain IP address from leaving a particular interface on the router).
Command that creates an entry in a standard traffic filter list.

VLANs remove physical boundaries

Group users by department, team, or application (VLAN organizations)
Routers provide communication between VLANs

Routers remain vital for switched architectures configured as VLANs because they provide the communication between logically defined workgroups (VLANs). Layer 3 communication, either embedded in the switch or provided externally, is an integral part of any high-performance switching architecture.

Switches and Hubs

Network managers are leveraging their investments by connecting switches to the backplanes of the hubs. Each hub segment connected to a switch port can be assigned to only one VLAN. The more the shared hub can be broken into smaller groups, the greater the microsegmentation and the greater the VLAN flexibility for assigning individual users to VLAN groups.

Microsegmentation - Division of a network into smaller segments, usually with the intention of increasing aggregate bandwidth to network devices.

VLAN Implementation

VLAN Membership by 'port' maximizes forwarding performance because:

Users are assigned by port
VLANs are easily administered
Maximizes security between VLANs
Packets do not 'leak' into other domains
VLANs and membership are easily controlled across network

Static VLANs

Assigned ports on a switch (port-centric)
Maintain their assigned VLAN configurations until you change them
Static VLANs are secure, easy to configure and monitor
works well in networks where moves are controlled and managed

Dynamic VLANs

VLANs assigned using a centralized management application
VLANs based on MAC address, logical address, or protocol type
Less administration in the wiring closet
Notification when unrecognized user is added to the network

Important to any VLAN architecture is the ability to transport VLAN information between interconnected switches and routers that reside on the corporate backbone.

VLAN transport enables enterprise-wide VLAN communications.
- transport capabilities remove the physical boundaries between users
- configuration flexibility of a VLAN solution when users move
- provide for interoperability between backbone system components

			`aprabul@yahoo.com` `Copyright © 2003`