Virtual LANs (VLANs)

VLAN - Virtual LAN: A group of devices on a LAN that are configured (using management software) so that they can communicate as if they were attached to the same wire, when in fact they are located on a number of different LAN segments. Because VLANs are based on logical instead of physical connections, they are extremely flexible. VLANs logically segment the physical LAN infrastructure into different subnets (broadcast domains for Ethernet) so that broadcast frames are switched only between ports within the same VLAN.

VLANs

• A group of ports or users in the same broadcast domain
• Group can be based on port ID, MAC address, protocol, or application
• LAN switches and network management software provide a mechanism to create VLANs
• Frames tagged with VLAN ID
• Logical networks independent of their members' physical location
• Administratively defined broadcast domain
• Users reassigned to different VLAN using software

Broadcast domain - The set of all devices that will receive broadcast frames originating from any device within the set. Broadcast domains are typically bounded by routers because routers do not forward broadcast frames. Virtual LAN (VLAN) technology is a cost-effective and efficient way of grouping network users into 'virtual workgroups' regardless of their physical location on the network.

• VLANs work at Layer 2 and Layer 3 of the OSI model
• VLANs provide a method of controlling network broadcasts
• Which users are part of a VLAN is controlled by the network administrator
• VLANs can increase network security by defining which network nodes can communicate with each other

Why create VLANs?

• Simplify moves, adds, and changes
• Reduce administrative costs
• Better control of broadcasts
• Tighten network security
• Microsegment with scalability
• Distribute traffic load
• Relocate servers into secure locations

Microsegmentation - Division of a network into smaller segments, usually with the intention of increasing aggregate bandwidth to network devices.

Switches (the core of VLANs) - Network device that filters, forwards, and floods frames based on the destination address of each frame. The switch operates at the data link layer of the OSI model.

Switches

• Are entry points for end-station devices into the switched fabric
• Provide intelligence to:
  o Group users, ports, or logical addresses
  o Make filtering and forwarding decisions (send, filter, broadcast)
  o Communicate with other switches and routers
• Use frame filtering or frame tagging (identification)
• Switching and filtering based on the Layer 2 (bridging) and Layer 3 (routing) address

Frame Filtering (similar to the scheme used by routers)

• A filtering table is developed for each switch
• Switches share address table information
• Table entries are compared with frames
• Switch takes appropriate action (send, filter, broadcast)
• Not very scalable (because each frame has to be referenced against a lookup table)

Frame Tagging (more scalable solution)

• Specifically developed for multi-VLAN, interswitched communications
• Places a unique identifier in the header of each frame as it travels across the network backbone (vertical cabling)
• Identifier removed before the frame exits the switch on nonbackbone links (horizontal cabling)
• Functions at Layer 2 (Data Link)
• Requires little processing or administrative overhead
• Logical segmentation across the backbone
• IEEE 802.1Q

VLANs provide an effective mechanism for controlling changes and reducing much of the cost associated with hub and router reconfigurations. Users in a VLAN can share the same network "address space" (IP subnet) regardless of their location.

Static VLANs

• Assigned ports on a switch (port-centric)
• Maintain their assigned VLAN configurations until you change them
• Static VLANs are secure, easy to configure and monitor
• Work well in networks where moves are controlled and managed

Dynamic VLANs

• VLANs assigned using centralized VLAN management applications
• VLANs based on MAC address, logical address, or protocol type
• Less administration in the wiring closet
• Notification when an unrecognized user is added to the network

Broadcasts need Boundaries

• Broadcast traffic can result from multimedia applications or faulty devices
• Broadcasts (from one segment) can bring down a network
• Firewalls segment a network (commonly provided by a router)
• VLANs plus routers bound broadcasts to the domain of origin

Preventive measures need to be taken to ensure against broadcast-related problems. One effective measure is to properly segment the network with protective firewalls that prevent, as much as possible, problems on one segment from damaging other parts of the network.

Broadcast - Data packet that will be sent to all nodes on a network. Broadcasts are identified by a broadcast address.

Multicast - Single packets copied by the network and sent to a specific subset of network addresses. These addresses are specified in the destination address field.

Unicast - Message sent to a single network destination.

Firewall - Router or access server, or several routers or access servers, designated as a buffer between any connected public networks and a private network. A firewall router uses access lists and other methods to ensure the security of the private network. Firewall segmentation provides reliability and minimizes the overhead of broadcast traffic, allowing for greater throughput of application traffic.
When no routers are placed between switches, broadcasts (Layer 2 transmissions) are sent to every switched port. This is commonly referred to as a "flat" network, where there is one broadcast domain across the entire network. VLANs are an effective mechanism for extending firewalls from the routers to the switch fabric and protecting the network against potentially dangerous broadcast problems while maintaining all of the performance benefits of switching. Broadcast traffic within one VLAN is not transmitted outside the VLAN. You can easily control the size of the broadcast domain by regulating the overall size of its VLANs, restricting the number of switch ports within a VLAN and restricting the number of users residing on these ports, which lowers the overall vulnerability of the network to broadcast storms.
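The following is an added example (not part of the original notes) that ties together the frame-filtering, 802.1Q frame-tagging, static port-based VLAN and broadcast-containment slides above: a small software model of a switch with per-port VLAN assignments. The 802.1Q layout (TPID 0x8100, VLAN ID in the low 12 bits of the TCI) is the real standard; the port numbers, MAC addresses and the VlanSwitch class are constructed for illustration.

```python
import struct
TPID_8021Q = 0x8100       # Tag Protocol Identifier that marks an IEEE 802.1Q header
BROADCAST = b"\xff" * 6

def parse_frame(frame):
    """Return (dst, src, vlan_id, ethertype, payload); vlan_id is None for an untagged frame."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[:6], frame[6:12]
    etype = struct.unpack("!H", frame[12:14])[0]
    if etype != TPID_8021Q:
        return dst, src, None, etype, frame[14:]
    if len(frame) < 18:
        raise ValueError("802.1Q tag truncated")
    tci, inner = struct.unpack("!HH", frame[14:18])
    return dst, src, tci & 0x0FFF, inner, frame[18:]   # VLAN ID is the low 12 bits of the TCI

def add_tag(frame, vid, pcp=0):
    """Insert the tag after the source MAC, as a switch does when a frame enters the backbone."""
    return frame[:12] + struct.pack("!HH", TPID_8021Q, (pcp << 13) | (vid & 0x0FFF)) + frame[12:]

def strip_tag(frame):
    """Remove the tag before the frame exits on a non-backbone (access) port."""
    return frame[:12] + frame[16:]

class VlanSwitch:
    """Static, port-centric VLANs: each access port belongs to one VLAN; trunks carry all VLANs tagged."""
    def __init__(self, access, trunks):
        self.access = dict(access)     # port -> VLAN ID, assigned by the administrator
        self.trunks = set(trunks)
        self.table = {}                # (vlan, mac) -> port, learned from source addresses
    def receive(self, in_port, frame):
        """Return {out_port: frame_to_send}; an empty dict means the frame was filtered."""
        dst, src, vid, _, _ = parse_frame(frame)
        if in_port in self.access:
            if vid is not None:        # tagged frame arriving on an access port: drop it
                return {}
            vlan, plain = self.access[in_port], frame
        elif in_port in self.trunks and vid is not None:
            vlan, plain = vid, strip_tag(frame)
        else:
            return {}
        self.table[(vlan, src)] = in_port               # learn the source, scoped to its VLAN
        known = self.table.get((vlan, dst))
        if dst == BROADCAST or known is None:           # flood, but only to ports in this VLAN
            outs = [p for p, v in self.access.items() if v == vlan] + sorted(self.trunks)
        else:
            outs = [known]                              # known unicast: send to one port
        return {p: add_tag(plain, vlan) if p in self.trunks else plain for p in outs if p != in_port}
```

A broadcast entering an access port in VLAN 10 is delivered untagged to the other VLAN 10 access ports and tagged on the trunk, and never reaches VLAN 20 ports.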

Broadcast storm - Undesirable network event in which many broadcasts are sent simultaneously across all network segments. A broadcast storm uses substantial network bandwidth and, typically, causes network time-outs.

Tightening Network Security

Segment network into multiple 'broadcast groups'

• Restrict the number of users in a VLAN group
• Disallow users from joining without first receiving approval from the VLAN network management application
• Use VLANs and router 'access lists' based on:
  o Station address
  o Application types
  o Protocol types

VLANs thus provide 'security firewalls', restrict individual user access and flag any unwanted intrusion to a network manager. Further security enhancements can be added using router 'access lists' which are especially useful when communicating between VLANs. On the secured VLAN, the router restricts access into the group as configured on both the switches and the routers.
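As an added illustration of the router access lists described above (not code from the original notes), the following models a first-match access list applied inbound on a VLAN interface, with entries keyed on the three criteria the slide names: station address, protocol type and application (destination port). The addresses, VLAN numbers and policy are constructed for the example.

```python
from ipaddress import ip_address, ip_network

class AccessList:
    """First-match access list applied inbound on a VLAN interface of the router.
    Entries match on station address (source/destination network), protocol type
    and application (destination port); anything unmatched is denied."""
    def __init__(self, entries):
        self.entries = list(entries)   # (action, proto, src_net, dst_net, dst_port)

    def check(self, pkt):
        for action, proto, src_net, dst_net, dport in self.entries:
            if proto != "ip" and proto != pkt["proto"]:            # protocol type
                continue
            if ip_address(pkt["src"]) not in ip_network(src_net):  # station address
                continue
            if ip_address(pkt["dst"]) not in ip_network(dst_net):
                continue
            if dport is not None and pkt.get("dport") != dport:    # application type
                continue
            return action
        return "deny"                                               # implicit deny at the end

# Constructed policy for the user VLAN 10 (10.10.0.0/24): hosts may reach the web server
# 10.20.0.10 in the secured server VLAN 20 over HTTPS and may ping that VLAN; all other
# traffic into VLAN 20 is dropped, and traffic to any other destination is allowed.
ACL_VLAN10_IN = AccessList([
    ("permit", "tcp",  "10.10.0.0/24", "10.20.0.10/32", 443),
    ("permit", "icmp", "10.10.0.0/24", "10.20.0.0/24",  None),
    ("deny",   "ip",   "10.10.0.0/24", "10.20.0.0/24",  None),
    ("permit", "ip",   "10.10.0.0/24", "0.0.0.0/0",     None),
])

def forwarded_between_vlans(acl, pkt):
    """True if the router lets the packet cross from its source VLAN to the destination VLAN."""
    return acl.check(pkt) == "permit"
```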

Access list - 1. List kept by Cisco routers to control access to or from the router for a number of services (for example, to prevent packets with a certain IP address from leaving a particular interface on the router). 2. Command that creates an entry in a standard traffic filter list.

VLANs remove physical boundaries

• Group users by department, team, or application (VLAN organizations)
• Routers provide communication between VLANs

Routers remain vital for switched architectures configured as VLANs because they provide the communication between logically defined workgroups (VLANs). Layer 3 communication, either embedded in the switch or provided externally, is an integral part of any high-performance switching architecture.

Switches and Hubs
Network managers are leveraging their investments by connecting switches to the backplanes of the hubs. Each hub segment connected to a switch port can be assigned to only one VLAN. The more the shared hub can be broken into smaller groups, the greater the microsegmentation and the greater the VLAN flexibility for assigning individual users to VLAN groups.

Microsegmentation - Division of a network into smaller segments, usually with the intention of increasing aggregate bandwidth to network devices.

VLAN Implementation
VLAN Membership by 'port' maximizes forwarding performance because:
• Users are assigned by port
• VLANs are easily administered
• Maximizes security between VLANs
• Packets do not 'leak' into other domains
• VLANs and membership are easily controlled across the network

Static VLANs

• Assigned ports on a switch (port-centric)
• Maintain their assigned VLAN configurations until you change them
• Static VLANs are secure, easy to configure and monitor
• Work well in networks where moves are controlled and managed

Dynamic VLANs

• VLANs assigned using a centralized management application
• VLANs based on MAC address, logical address, or protocol type
• Less administration in the wiring closet
• Notification when an unrecognized user is added to the network

Important to any VLAN architecture is the ability to transport VLAN information between interconnected switches and routers that reside on the corporate backbone.

VLAN transport enables enterprise-wide VLAN communications:
  o Transport capabilities remove the physical boundaries between users
  o Configuration flexibility of a VLAN solution when users move
  o Provide for interoperability between backbone system components