18181331 Concept of the VLAN


  • 7/28/2019 18181331 Concept of the VLAN

    1/10

This article describes the concept of the VLAN. VLANs are commonly used to split a switched network into separate broadcast domains, which contains broadcast traffic, reduces congestion, and keeps groups of hosts apart at layer 2.

    Overview

Virtual LAN: a logical, not physical, group of devices, defined by software. VLANs allow network administrators to resegment their networks without physically rearranging the devices or network connections. A VLAN is a logical broadcast domain: ports assigned to the same VLAN share broadcasts and can reach each other directly at layer 2, while ports in different VLANs cannot, even when they sit on the same switch. For example, suppose you have a two-story building with 3 different departments on each floor. Each department (on both floors) must communicate together directly, and each produces a large amount of local traffic. What is the best solution for this situation? A VLAN per department is the best way to contain the traffic each department generates. Normally, connecting these users would be awkward because they are spread across 2 different switches, and possibly different subnets or gateways, so their traffic would have to be routed between floors. Defining the same VLANs on both switches logically groups each department together, wherever its members are plugged in. See the image below:

This diagram gives you the basic idea of VLAN membership. You can see how the floors of the building are separate and that each department is represented by a different color. The switches lie below and the trunk link between them is represented by the lightning bolt.

    Types of Membership

There are two main types of VLAN membership:

    Static VLANs

    Dynamic VLANs


Static VLANs are specified by switch port. For example, suppose a 12-port Fast Ethernet switch is split to create 2 VLANs. The first 6 ports are associated with VLAN 1 and the last 6 ports with VLAN 2. If a machine is moved from port 3 to port 11, it effectively changes VLANs.

Dynamic VLANs are specified by MAC address. In the same scenario, a system administrator enters the MAC addresses of all machines that connect to the switch. These addresses are stored in a database on the switch (or on a central membership server that the switch queries) that maps each MAC address to a VLAN. This way, if a machine is moved, it retains its original VLAN membership regardless of its port number. The trade-off is that membership now rests on a source MAC address, which any host can set for itself, so MAC-based membership is a convenience feature rather than an access control.

VLAN Tagging

Carrying several VLANs over one link between switches (or between a switch and a router) requires a process called VLAN tagging. Tagging inserts a small field into the header of each Ethernet frame that records which VLAN the frame belongs to, so the receiving switch can keep the traffic in the right VLAN. Untagged frames are only meaningful within a single switch; tagging is what lets a VLAN span multiple switches, large networks, or wide geographic areas. Tagging does not by itself move traffic between VLANs; that still requires a router.

    VLAN Enabled Switches

Not all switches support VLANs. While most expensive switches do, you won't get "the works" unless you're using a Cisco Catalyst. Cisco has created proprietary protocols to manage VLANs. VLAN Trunking Protocol (VTP) enables Cisco switches to advertise VLAN definitions to other VTP-enabled switches. It also allows a system administrator to manage all VLANs from a central point and order all switches to update the VLAN information along the entire network. Because every switch in a VTP domain accepts such updates, a switch that joins with a higher configuration revision number can overwrite the VLAN database of the whole domain, so VTP domains should be password-protected and new switches added in transparent mode. 3Com SuperStack switches also have great VLAN support. However, there have been some compatibility issues associated with multi-vendor VLAN devices. Most organizations using VLANs have figured out it is worth shelling out the extra cash to go with Cisco equipment and get the extra features and functionality.

http://www.puredata.com/manual/backboneswiches/appendix/glossary.html

http://www.answers.com/main/ntquery;jsessionid=6f827uhquthfr?tname=virtual-lan&method=6&sbid=lc04b

    virtual LAN

Also called a "VLAN," it is a logical subgroup within a local area network that is created via software rather than manually moving cables in the wiring closet. It combines user stations and network devices into a single unit regardless of the physical LAN segment they are attached to and allows traffic to flow more efficiently within populations of mutual interest.


VLANs are implemented in port switching hubs and LAN switches and historically offered proprietary solutions (802.1Q is now the interoperable standard). VLANs reduce the time it takes to implement moves, adds and changes.

VLANs function at layer 2. Since their purpose is to isolate traffic within the VLAN, in order to bridge from one VLAN to another, a router is required. The router works at the higher layer 3 network protocol, which requires that network layer segments are identified and coordinated with the VLANs. That router (or a firewall in its place) is also where inter-VLAN policy is enforced: without it the isolation is absolute at layer 2, and with it the isolation is only as strong as the router's access rules. This is a complicated job, and VLANs tend to break down as networks expand and more routers are encountered. The industry is working towards "virtual routing" solutions, which allow the network manager to view the entire network as a single routed entity. See 802.1Q.

    The VLAN

    Virtual LANs solve the problem of containing traffic

    within workgroups that are geographically dispersed.

They allow moves, adds and changes to be performed via software at a console rather than manually changing cables in the wiring closet.


    Wikipedia


    Virtual LAN

A virtual LAN, commonly known as a vLAN or as a VLAN, is a logically independent network. Several VLANs can co-exist on a single physical switch.

A vLAN consists of a network of computers that behave as if connected to the same wire, even though they may actually physically connect to different segments of a LAN. Network administrators configure VLANs through software rather than hardware, which makes them extremely flexible. One of the biggest advantages of VLANs emerges when physically moving a computer to another location: it can stay on the same VLAN without the need for any hardware reconfiguration.

The IEEE 802.1Q tagging protocol dominates the VLAN world. Prior to the introduction of 802.1Q several proprietary protocols existed, such as Cisco's ISL (Inter-Switch Link, a variant of IEEE 802.10) and 3Com VLT (Virtual LAN Trunk). ISL has since been deprecated in favor of 802.1Q.

Early network designers often configured VLANs with the aim of reducing the size of the collision domain in a large single Ethernet segment and thus of improving performance. When Ethernet switches made this a non-issue (because every switch port is its own collision domain), attention turned to reducing the size of the broadcast domain at the MAC layer. Virtual networks can also serve to restrict access to network resources without regard to the physical topology of the network, although the strength of this method remains debatable: the separation holds only as long as every switch and trunk port is configured correctly, and it ends at the router that joins the VLANs.

Virtual LANs operate at layer 2 (the data link layer) of the OSI model. However, administrators often configure a VLAN to map directly to an IP network, or subnet, which gives the appearance of involving layer 3 (the network layer).

In the context of VLANs, the term 'trunk' denotes a network link carrying multiple VLANs which are identified by labels ('tags') inserted into their frames. Such trunks must run between 'tagged ports' of VLAN-aware devices, so are often switch-to-switch or switch-to-router links rather than links to hosts. (Confusingly, the term 'trunk' also gets used for what Cisco call 'channels': Link Aggregation or Port Trunking.) A router (or Layer 3 switch) serves as the backbone for network traffic going across different VLANs.
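The tagging and trunking described in the "VLAN Tagging" section above and in the trunk paragraph just read, as an added example (not code from the article or from any vendor): it builds and parses the 4-byte 802.1Q tag and models how access and trunk ports classify incoming frames and tag outgoing ones. The port names, MAC addresses, payload and VLAN numbers are constructed for the illustration; the native VLAN (99) is deliberately one that no access port uses, because anything that arrives untagged on the trunk is placed in it.

```python
"""802.1Q tagging on a simulated switch: access ports carry one untagged VLAN,
trunk ports carry several VLANs identified by a 4-byte tag, and the native
VLAN travels untagged.  Added example, not code from the article; the port
names, MAC addresses and VLAN numbers are constructed for illustration."""
import struct

TPID_8021Q = 0x8100          # EtherType value that announces an 802.1Q tag
IPV4 = 0x0800


def eth_frame(dst, src, ethertype, payload):
    """Untagged Ethernet II frame (FCS omitted)."""
    return dst + src + struct.pack("!H", ethertype) + payload


def tag_frame(frame, vid, pcp=0):
    """Insert TPID + TCI (PCP:3 bits, DEI:1 bit, VID:12 bits) after the source MAC."""
    if not 1 <= vid <= 4094:
        raise ValueError("VID must be 1..4094 (0 and 4095 are reserved)")
    tci = (pcp << 13) | vid
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def untag_frame(frame):
    """Remove the tag if present; an untagged frame is returned unchanged."""
    if struct.unpack("!H", frame[12:14])[0] != TPID_8021Q:
        return frame
    return frame[:12] + frame[16:]


def parse_frame(frame):
    """Return (dst, src, vid, pcp, ethertype, payload); vid is None if untagged."""
    dst, src = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != TPID_8021Q:
        return dst, src, None, 0, ethertype, frame[14:]
    tci, ethertype = struct.unpack("!HH", frame[14:18])
    return dst, src, tci & 0x0FFF, tci >> 13, ethertype, frame[18:]


# Constructed port configuration (hypothetical names).  Native VLAN 99 is one
# no host is assigned to: anything injected untagged on the trunk lands there.
PORTS = {
    "gi1":  {"mode": "access", "vlan": 10},
    "gi2":  {"mode": "access", "vlan": 20},
    "gi24": {"mode": "trunk", "allowed": {10, 20, 99}, "native": 99},
}


def ingress(port, frame, ports=PORTS):
    """Classify an arriving frame: returns (vid, untagged frame) or None (drop)."""
    cfg = ports[port]
    vid = parse_frame(frame)[2]
    if cfg["mode"] == "access":
        if vid is not None:
            return None                     # tagged frame on an access port: drop
        return cfg["vlan"], frame
    if vid is None:
        return cfg["native"], frame         # untagged on a trunk -> native VLAN
    if vid not in cfg["allowed"]:
        return None                         # VLAN not allowed on this trunk
    return vid, untag_frame(frame)


def egress(port, vid, frame, ports=PORTS):
    """Prepare a frame of VLAN `vid` for transmission on `port`, or None."""
    cfg = ports[port]
    if cfg["mode"] == "access":
        return frame if vid == cfg["vlan"] else None
    if vid not in cfg["allowed"]:
        return None
    if vid == cfg["native"]:
        return frame                        # native VLAN leaves the trunk untagged
    return tag_frame(frame, vid)


if __name__ == "__main__":
    f = eth_frame(bytes.fromhex("ffffffffffff"), bytes.fromhex("001122334401"),
                  IPV4, b"constructed payload")
    vid, f2 = ingress("gi1", f)
    print("from gi1: VLAN", vid, "-> trunk sends", egress("gi24", vid, f2).hex())
```

The access-port rule (drop tagged frames) and the trunk rule (untagged means native) are the two policy points worth checking on a real switch: a host on an access port should never be able to choose its VLAN by tagging, and the native VLAN of every trunk should be an unused one so that untagged frames on the trunk reach nothing.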

On Cisco devices, VTP (VLAN Trunking Protocol) allows for VLAN domains, which can aid in administrative tasks. VTP also allows "pruning", which involves directing specific VLAN traffic only to switches which have ports on the target VLAN.

    Types and varieties

    Network administrators can configure VLANs in various ways:

    at the protocol level, using IP,IPX, LAT, etc

based on MAC addresses

    based on IP subnet


    based on ports

    Designers can set up static, dynamic, or port-centric vLANs.

    Two methods of establishing a VLAN exist: frame-tagging and frame-filtering:

1. Frame-tagging changes the information contained within the layer-2 frame, so that switches may forward the VLAN traffic to its correct VLAN destination and return the frame to its normal format

2. Frame-filtering involves the switch looking for certain criteria in the layer-2 frame and using this matching system to forward the traffic to its correct VLAN and destination.

    A Layer-2 device can implement VLANs in different ways:

Open VLANs have a single MAC address database for all VLANs

Closed VLANs have a separate MAC address database for each VLAN

Mixed-Mode VLANs can involve configuring Open or Closed VLANs on a per-VLAN basis

Computer security specialists generally consider closed VLANs more secure than Open VLANs, because a MAC address learned in one VLAN can never influence the forwarding decision for a frame in another.
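The membership rules from the "Types of Membership" section (static by port, dynamic by MAC) and the open/closed MAC-database distinction just described, as an added example in the form of a small switch model (not code from the article or from any vendor). The 12-port, two-VLAN layout follows the text; the MAC addresses and the behaviour of the "open" table are a constructed simplification: the model trusts whatever port the shared table names, which is exactly the cross-VLAN leak a per-VLAN table rules out.

```python
"""Simulated VLAN-aware switch: static (port-based) and dynamic (MAC-based)
membership, with either a shared ("open") or a per-VLAN ("closed") MAC table.
Added example, not code from the article.  The 12-port layout follows the
text; port numbers, MAC addresses and VLAN IDs are constructed."""
from collections import defaultdict

BROADCAST = "ff:ff:ff:ff:ff:ff"


class VlanSwitch:
    def __init__(self, ports, closed=True):
        self.ports = list(ports)
        self.closed = closed                # closed: one MAC table per VLAN
        self.port_vlan = {}                 # static membership: port -> VLAN
        self.mac_vlan = {}                  # dynamic membership: MAC -> VLAN
        self.fdb = defaultdict(dict)        # table key -> {MAC: port}

    def assign_port(self, port, vlan):
        self.port_vlan[port] = vlan

    def register_mac(self, mac, vlan):
        self.mac_vlan[mac] = vlan

    def vlan_of(self, port, src_mac):
        # A registered MAC carries its VLAN with it; otherwise the port decides.
        return self.mac_vlan.get(src_mac, self.port_vlan.get(port))

    def _table(self, vlan):
        return self.fdb[vlan if self.closed else "shared"]

    def forward(self, in_port, src_mac, dst_mac):
        """Egress ports for a frame arriving on in_port."""
        vlan = self.vlan_of(in_port, src_mac)
        if vlan is None:
            return set()                    # port in no VLAN: drop
        if src_mac in self.mac_vlan:
            self.port_vlan[in_port] = vlan  # dynamic: the port follows the MAC
        table = self._table(vlan)
        table[src_mac] = in_port            # learn the source address
        members = {p for p in self.ports
                   if p != in_port and self.port_vlan.get(p) == vlan}
        if dst_mac == BROADCAST or dst_mac not in table:
            return members                  # flood, but only inside the VLAN
        out = table[dst_mac]
        # Simplification: the table's answer is used as-is.  With a shared
        # table that answer can be a port in another VLAN (the leak a closed
        # table prevents); with a per-VLAN table it cannot.
        return set() if out == in_port else {out}


PC_A = "00:11:22:33:44:01"   # constructed addresses
PC_B = "00:11:22:33:44:02"
PC_C = "00:11:22:33:44:03"


def build_switch(closed=True):
    """The 12-port switch from the text: ports 1-6 in VLAN 1, 7-12 in VLAN 2."""
    sw = VlanSwitch(range(1, 13), closed=closed)
    for p in range(1, 7):
        sw.assign_port(p, 1)
    for p in range(7, 13):
        sw.assign_port(p, 2)
    return sw


def static_move():
    """Static membership: moving PC_A from port 3 to port 11 changes its VLAN."""
    sw = build_switch()
    before = sw.forward(3, PC_A, BROADCAST)
    after = sw.forward(11, PC_A, BROADCAST)
    return before, after


def dynamic_move():
    """Dynamic membership: PC_B registered in VLAN 1 stays there on port 11."""
    sw = build_switch()
    sw.register_mac(PC_B, 1)
    egress = sw.forward(11, PC_B, BROADCAST)
    reply = sw.forward(3, PC_A, BROADCAST)   # VLAN 1 hosts now reach port 11
    return egress, reply


def mac_spoof():
    """The flip side: a host on port 12 using PC_B's MAC also lands in VLAN 1."""
    sw = build_switch()
    sw.register_mac(PC_B, 1)
    return sw.forward(12, PC_B, BROADCAST)


def unicast_leak(closed):
    """A VLAN 2 host sends to PC_A, which was learned on port 2 in VLAN 1."""
    sw = build_switch(closed=closed)
    sw.forward(2, PC_A, BROADCAST)
    return sw.forward(8, PC_C, PC_A)
```

With the closed table the VLAN 2 frame addressed to PC_A is flooded only to VLAN 2 ports, because VLAN 2's table has never heard of PC_A; with the shared table the lookup hands it straight to port 2 in VLAN 1. The `mac_spoof` case is the caveat for dynamic VLANs: the MAC database decides membership, and the MAC is chosen by the host.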

External links

IEEE's 802.1Q standard: http://standards.ieee.org/getieee802/download/802.1Q-1998.pdf

Cisco's Overview of Routing between Virtual LANs: http://www.cisco.com/univercd/cc/td/doc/product/software/ios113ed/113ed_cr/switch_c/xcvlan.htm

Cisco's Bridging Between IEEE 802.1Q VLANs white paper: http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121newft/121t/121t3/dtbridge.htm

University of California's VLAN Information: http://net21.ucdavis.edu/newvlan.htm

Virtual Private Networks

Source: http://www.daxnetworks.com/Technology/VPN.asp

    Introduction

As companies become more decentralized, they find themselves with employees all over the country and around the world. Increasingly, these workers need the same access to corporate information as those still at headquarters.

    This presents a challenge for network managers - how to beef up the information flow while

    keeping WAN costs in check. Some users are finding they can meet both goals through

    Internet-based virtual private networks, or VPNs.


Basically, virtual private networks maintain privacy through the use of a tunneling protocol and security procedures. A VPN typically uses the Internet as the transport backbone to establish secure links with business partners, extend communications to regional and isolated offices, and significantly decrease the cost of communications for an increasingly mobile workforce. Because the Internet has become so ubiquitous, virtually everybody can plug into it, potentially reducing the need for banks of remote-access servers and modems, or for users to dial long-distance into such facilities. And because the Internet is always there, you can often use it in place of dedicated lines.

    All of this can mean fairly substantial savings over traditional leased-line connections or frame

    relay permanent virtual circuits.

    Users can expect to save hundreds of dollars a month on dedicated Internet access

    connections when compared to dedicated private lines from a long-distance service provider.

The main element of the VPN concept lies at the gateways between the private networks and the public network. Be it software oriented, hardware oriented or a combination of the two, this intermediate device acts on behalf of the private network that it protects. When one of the local hosts sends data to another host in a remote network, the data must first pass from the private network through the protecting gateway device, travel through the public network, and then pass through the gateway device that is protecting the host in the remote network at the receiving end.

A VPN safeguards the data by automatically encrypting it (so a third party on the path cannot read it) before it is sent from one private network to another, encapsulating it in a new IP packet, and then automatically decrypting the data at the receiving end. Encryption alone does not stop a third party from altering or replaying packets; the integrity and anti-replay services described under IPSec below cover that.

    The gateway device can also double as a Firewall for the local network, denying harmful or

    malicious data access to the network, and managing the outgoing data to the public network

    (whether it is encrypted or not).

    VPN Classifications:

Despite the large (and rapidly expanding) number of VPN products, all fall into three broad categories: hardware-based systems, firewall-based VPNs and standalone (software-based) VPN application packages.

Hardware-based VPN systems are encrypting routers. They are secure and easy to use, since they provide the nearest thing to "plug and play" encryption equipment available. They provide the highest network throughput of all VPN systems, since no processor time goes to a general-purpose operating system or other applications. However, they may not be as flexible as software-based systems. The best hardware VPN packages offer software-only clients for remote installation, and incorporate some of the access control features more traditionally managed by firewalls or other perimeter security devices.

    Firewall-based VPNs take advantage of the firewall's security mechanisms, including

    restricting access to the internal network. They also perform address translation; satisfy

    requirements for strong authentication; and serve up real-time alarms and extensive logging.

Most commercial firewalls also "harden" the host operating system kernel by stripping out dangerous or unnecessary services, providing additional security for the VPN server. OS protection is a major plus, since very few VPN application vendors supply guidance on OS security. Performance may be a concern, especially if the firewall is already loaded; however, some firewall vendors offer hardware-based encryption processors to minimize the impact of VPN management on the system.

    Software-based VPNs are ideal in situations where both endpoints of the VPN are not

    controlled by the same organization (typical for client support requirements or business

    partnerships), or when different firewalls and routers are implemented within the same

    organization. At the moment, standalone VPNs offer the most flexibility in how network traffic

    is managed. Many software-based products allow traffic to be tunneled based on address or

    protocol, unlike hardware-based products, which generally tunnel all traffic they handle,

    regardless of protocol. Tunneling specific traffic types is advantageous in situations where

    remote sites may see a mix of traffic -- some that needs transport over a VPN (such as entries

    to a database at headquarters) and some that doesn't (such as Web surfing). In situations

    where performance requirements are modest (such as users connecting over dial-up links),

    software-based VPNs may be the best choice.

    But software-based systems are generally harder to manage than encrypting routers. They

    require familiarity with the host operating system, the application itself, and appropriate

    security mechanisms. And some software VPN packages require changes to routing tables and

    network addressing schemes.

    How to Secure Data in VPN

1. Authentication (the source calls this "certification") - Authentication of users is usually twofold and includes an electronic token and a PIN (Personal Identification Number). In this manner, the user must have something in his possession and something he memorizes. This drastically reduces the probability of someone impersonating a user, because he needs both elements to access the system.

2. Encryption - Once in the VPN, each gateway device sends its public key to all of its peers in the VPN. With the public and private keys the gateways agree on session keys, and the data is encrypted in such a way that it is computationally infeasible to decode without knowledge of the keys. Once the encryption key is selected and implemented, it is necessary to ensure that the keys are protected through a key management system. Key management is the process of distributing the keys, refreshing them at specific intervals and revoking them when necessary. A balance has to be struck between the key exchange interval and the amount of data that is exchanged under one key. An interval that is too short overburdens the VPN servers with key generation. On the other hand, a key exchange interval that is too long increases the amount of data exposed if a key is compromised.

    VPNs Secure Protocol:

    IPSec is a suite of protocols that integrate security into the Internet Protocol (IP), and provide

    data source authentication, data integrity, confidentiality, and protection against replay

    attacks. IPSec is an evolving standard for secure private communications over the Internet.

Normal IPv4 packets consist of headers and payload, both of which contain information of value to an attacker. The header contains source and destination IP addresses, which are required for routing but may be spoofed or altered by an on-path attacker (a "man-in-the-middle"); the payload consists of information which may be confidential to a particular organization. IPSec provides mechanisms to protect both header and payload data. The IPSec Authentication Header (AH) computes a keyed hash (an integrity check value) over the outbound packet, both data payload and the immutable header fields, and appends it to the packet, verifying the source of the packet and the integrity of the payload; it provides no confidentiality. The IPSec Encapsulating Security Payload (ESP) guarantees the integrity and confidentiality of the data in the original message by combining a keyed hash and encryption of either the original payload by itself (transport mode), or the headers and payload of the original packet (tunnel mode).

    IPSec Technologies

IPSec combines several different security technologies into a complete system to provide confidentiality, integrity, and authenticity. In particular, IPSec uses:

Diffie-Hellman key exchange for deriving key material between peers on a public network

Public key cryptography (or a pre-shared key) for authenticating the Diffie-Hellman exchanges to guarantee the identity of the two parties and avoid man-in-the-middle attacks

Bulk encryption algorithms for encrypting the data (DES when this was written; AES today)

Keyed hash algorithms, such as HMAC, combined with traditional hash algorithms such as MD5 or SHA for providing packet authentication (HMAC-MD5 is now deprecated; the SHA-2 family is preferred)

Digital certificates signed by a certificate authority to act as digital ID cards.
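The first two items above (Diffie-Hellman, and authenticating that exchange so an attacker cannot sit in the middle) as an added, runnable illustration that is not code from the article or from any IKE implementation. It runs the exchange twice, once honestly and once with a "Mallory" who replaces both public values, and shows that the unauthenticated shared secrets are then known to Mallory while the authentication check fails. A keyed MAC under a pre-shared key stands in for the public-key signature (IKE also supports pre-shared-key authentication); the identities, the PSK and the toy-sized group are constructed for readability, not for real use.

```python
"""Diffie-Hellman key agreement with and without authentication of the
exchange, showing the man-in-the-middle that an unauthenticated exchange
permits.  Added example, not code from the article.  A keyed MAC under a
pre-shared key stands in for the public-key signature IKE uses; the group is
a toy size chosen for readability, not for security.  Identities and the PSK
are constructed."""
import hashlib
import hmac
import secrets

P = 2**127 - 1      # Mersenne prime; real IKE groups are 2048-bit and up (RFC 3526)
G = 3
PSK = b"constructed-pre-shared-key"


def dh_keypair():
    priv = secrets.randbelow(P - 2) + 2          # private exponent in 2 .. P-1
    return priv, pow(G, priv, P)


def dh_shared(priv, peer_pub):
    return pow(peer_pub, priv, P)


def kdf(shared):
    """Derive a session key from the shared secret (never use g^ab directly)."""
    return hashlib.sha256(b"ike-demo-kdf" + shared.to_bytes(16, "big")).digest()


def auth_tag(psk, my_id, peer_id, my_pub, peer_pub):
    """MAC over both identities and both public values, as this side saw them."""
    msg = my_id + peer_id + my_pub.to_bytes(16, "big") + peer_pub.to_bytes(16, "big")
    return hmac.new(psk, msg, hashlib.sha256).digest()


def exchange(psk, mitm=False):
    """Run one exchange; report whether it authenticated and who holds the keys."""
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    if mitm:
        # Mallory intercepts both public values and substitutes her own.
        m_priv, m_pub = dh_keypair()
        alice_sees, bob_sees = m_pub, m_pub
    else:
        alice_sees, bob_sees = b_pub, a_pub
    # Each party MACs the exchange it believes it had ...
    tag_a = auth_tag(psk, b"alice", b"bob", a_pub, alice_sees)
    tag_b = auth_tag(psk, b"bob", b"alice", b_pub, bob_sees)
    # ... and the peer recomputes it from the values it actually observed.
    alice_ok = hmac.compare_digest(
        tag_b, auth_tag(psk, b"bob", b"alice", alice_sees, a_pub))
    bob_ok = hmac.compare_digest(
        tag_a, auth_tag(psk, b"alice", b"bob", bob_sees, b_pub))
    key_a = kdf(dh_shared(a_priv, alice_sees))
    key_b = kdf(dh_shared(b_priv, bob_sees))
    mallory = {}
    if mitm:
        mallory = {"alice": kdf(dh_shared(m_priv, a_pub)),
                   "bob": kdf(dh_shared(m_priv, b_pub))}
    return {
        "auth_ok": alice_ok and bob_ok,          # a gateway must abort if False
        "keys_match": key_a == key_b,
        "mallory_reads_alice": mallory.get("alice") == key_a,
        "mallory_reads_bob": mallory.get("bob") == key_b,
    }


if __name__ == "__main__":
    print("honest exchange:", exchange(PSK))
    print("with Mallory:   ", exchange(PSK, mitm=True))
```

The point the second run makes: Diffie-Hellman on its own gives each side a key, and with Mallory in the path each side happily gets a key that Mallory also holds. Only the check over the observed public values (here a PSK-keyed MAC, in IKE a signature or PSK-based AUTH payload) tells the two gateways that the values were substituted, and a gateway that ignores a failed check has no protection at all.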

    Details of IPSec

IPSec combines the aforementioned security technologies into a complete system that provides confidentiality, integrity, and authenticity of IP datagrams. IPSec actually refers to several related protocols, defined when this was written in RFC 2401-2411 and 2451 (the original IPSec RFCs 1825-1829 being obsolete). Those have since been revised in turn: the architecture, AH and ESP are now RFC 4301, 4302 and 4303, and IKE is IKEv2, RFC 7296. These standards include:

IP Security Protocol proper, which defines the information to add to an IP packet to enable confidentiality, integrity, and authenticity controls as well as defining how to encrypt the packet data.

Internet Key Exchange, which negotiates the security association between two entities and exchanges key material. It is not necessary to use IKE, but manually configuring security associations is a difficult and labor-intensive process, and manually keyed associations get no anti-replay protection and no automatic rekeying. IKE should be used in most real-world applications to enable large-scale secure communications.

    IPSec Packets

IPSec defines a new set of headers to be added to IP datagrams. These new headers are placed after the IP header and before the Layer 4 protocol (typically Transmission Control Protocol [TCP] or User Datagram Protocol [UDP]). These new headers provide information for securing the payload of the IP packet as follows:

    Authentication header (AH)-This header, when added to an IP datagram, ensures the integrity

    and authenticity of the data, including the invariant fields in the outer IP header. It does not

    provide confidentiality protection. AH uses a keyed-hash function rather than digital

    signatures, because digital signature technology is too slow and would greatly reduce network

    throughput.

    Encapsulating security payload (ESP)-This header, when added to an IP datagram, protects the

    confidentiality, integrity, and authenticity of the data. If ESP is used to validate data integrity,

    it does not include the invariant fields in the IP header.

AH and ESP can be used independently or together, although for most applications just one of them is sufficient. For both of these protocols, IPSec does not define the specific security algorithms to use, but rather provides an open framework for implementing industry-standard algorithms. When this was written, most implementations of IPSec supported MD5 from RSA Data Security or the Secure Hash Algorithm (SHA) as defined by the U.S. government for integrity and authentication, and the Data Encryption Standard (DES) was the most commonly offered bulk encryption algorithm, although RFCs were available that define how to use many other encryption systems, including IDEA, Blowfish, and RC4. Today DES and MD5 are no longer acceptable for this purpose; current deployments use AES (commonly AES-GCM, which provides encryption and integrity together) and HMAC-SHA-2 where a separate integrity algorithm is needed.

IPSec provides two modes of operation: transport mode and tunnel mode.

In transport mode, only the IP payload is protected, and the original IP header is left intact. This mode has the advantage of adding only a few bytes to each packet. It also allows devices on the public network to see the final source and destination of the packet. This capability allows you to enable special processing (for example, quality of service) in the intermediate network based on the information in the IP header. However, with ESP the Layer 4 header is encrypted, limiting the examination of the packet. Unfortunately, by passing the IP header in the clear, transport mode allows an attacker to perform some traffic analysis.

    In tunnel mode, the entire original IP datagram is encrypted, and it becomes the payload in a

    new IP packet. This mode allows a network device, such as a router, to act as an IPSec proxy.

    That is, the router performs encryption on behalf of the hosts.

    The source's router encrypts packets and forwards them along the IPSec tunnel. The

    destination's router decrypts the original IP datagram and forwards it on to the destination

    system. The major advantage of tunnel mode is that the end systems do not need to be

    modified to enjoy the benefits of IP Security. Tunnel mode also protects against traffic analysis.

With tunnel mode, an attacker can only determine the tunnel endpoints and not the true source and destination of the tunneled packets, even if they are the same as the tunnel endpoints.
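The AH header described under "IPSec Packets", the difference between transport and tunnel mode just described, and the anti-replay service mentioned under "VPNs Secure Protocol", as one added example (not code from the article or from any IPSec implementation). It builds IPv4 packets with an AH header, computes the integrity check value over the immutable fields only (so a router decrementing the TTL does not break verification, while a changed destination address does), shows which addresses an observer sees in each mode, and implements the receiver's sliding replay window. It assumes IPv4 headers without options (so AH always starts at byte 20) and HMAC-SHA-256 truncated to 128 bits as the integrity algorithm (RFC 4868); the addresses, key and TCP segment are constructed.

```python
"""IPSec AH in transport and tunnel mode, plus the anti-replay window.
Added example, not code from the article.  Assumes IPv4 headers without
options (AH therefore starts at byte 20) and HMAC-SHA-256-128 as the integrity
algorithm (RFC 4868).  Addresses, keys and the TCP segment are constructed."""
import hashlib
import hmac
import socket
import struct

AH_PROTO, TCP_PROTO, IPIP_PROTO = 51, 6, 4
ICV_LEN = 16                      # HMAC-SHA-256 output truncated to 128 bits
AH_LEN = 12 + ICV_LEN             # fixed AH fields + ICV
ICV_OFF = 20 + 12                 # outer IP header + AH fields before the ICV


def checksum(hdr):
    """IPv4 header checksum over a 20-byte header whose checksum field is 0."""
    s = sum(struct.unpack("!10H", hdr))
    s = (s >> 16) + (s & 0xFFFF)
    s += s >> 16
    return (~s) & 0xFFFF


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def ah_header(next_proto, spi, seq):
    # Payload Len field = AH length in 32-bit words minus 2 (RFC 4302).
    return struct.pack("!BBHII", next_proto, AH_LEN // 4 - 2, 0, spi, seq) + b"\x00" * ICV_LEN


def _icv_input(pkt):
    """Mutable IPv4 fields and the ICV itself are zeroed before hashing."""
    b = bytearray(pkt)
    b[1] = 0                          # DSCP / ECN
    b[6:8] = b"\x00\x00"              # flags + fragment offset
    b[8] = 0                          # TTL
    b[10:12] = b"\x00\x00"            # header checksum
    b[ICV_OFF:ICV_OFF + ICV_LEN] = b"\x00" * ICV_LEN
    return bytes(b)


def ah_icv(pkt, key):
    return hmac.new(key, _icv_input(pkt), hashlib.sha256).digest()[:ICV_LEN]


def ah_protect(src, dst, inner, next_proto, key, spi, seq, ttl=64):
    ah = ah_header(next_proto, spi, seq)
    pkt = ipv4_header(src, dst, AH_PROTO, len(ah) + len(inner), ttl) + ah + inner
    return pkt[:ICV_OFF] + ah_icv(pkt, key) + pkt[ICV_OFF + ICV_LEN:]


def transport_mode(src, dst, tcp_segment, key, spi, seq):
    """IP | AH | TCP : the hosts' own addresses stay visible on the wire."""
    return ah_protect(src, dst, tcp_segment, TCP_PROTO, key, spi, seq)


def tunnel_mode(gw_src, gw_dst, original_packet, key, spi, seq):
    """outer IP | AH | original IP packet : only gateway addresses are visible."""
    return ah_protect(gw_src, gw_dst, original_packet, IPIP_PROTO, key, spi, seq)


def ah_verify(pkt, key):
    return hmac.compare_digest(pkt[ICV_OFF:ICV_OFF + ICV_LEN], ah_icv(pkt, key))


def visible_endpoints(pkt):
    """What an observer on the public network learns from the outer header."""
    return socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20])


def inner_packet(pkt):
    return pkt[20 + AH_LEN:]


def decrement_ttl(pkt):
    """What each router on the path does; AH must tolerate it."""
    b = bytearray(pkt)
    b[8] -= 1
    b[10:12] = b"\x00\x00"
    b[10:12] = struct.pack("!H", checksum(bytes(b[:20])))
    return bytes(b)


def rewrite_dst(pkt, new_dst):
    """What an on-path attacker might do; AH must detect it."""
    b = bytearray(pkt)
    b[16:20] = socket.inet_aton(new_dst)
    return bytes(b)


class ReplayWindow:
    """Sliding window over received sequence numbers (RFC 4302 section 3.4.3)."""

    def __init__(self, size=64):
        self.size, self.top, self.bitmap = size, 0, 0

    def accept(self, seq):
        if seq == 0:
            return False                               # never valid
        if seq > self.top:                             # advance the window
            self.bitmap = ((self.bitmap << (seq - self.top)) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        if self.top - seq >= self.size:
            return False                               # too old to track
        bit = 1 << (self.top - seq)
        if self.bitmap & bit:
            return False                               # already seen: replay
        self.bitmap |= bit
        return True
```

`_icv_input` is the part worth reading closely: AH covers the outer header, but only the fields that do not legitimately change in flight, which is why a hop decrementing the TTL passes verification and a rewritten destination does not. In `tunnel_mode` the entire original packet, inner addresses included, is carried as opaque payload behind the gateway addresses, which is the traffic-analysis property the text describes. The window makes the replay check concrete: a duplicate sequence number inside the window and anything older than the window are both rejected.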