18181331 Concept of the VLAN
7/28/2019 18181331 Concept of the VLAN
This article describes the concept of the VLAN. VLANs are commonly used to split a network into smaller broadcast domains, which reduces congestion and limits which devices can talk to each other directly at layer 2.
Overview
Virtual LAN: a logical, not physical, group of devices, defined by software. VLANs allow network administrators to resegment their networks without physically rearranging the devices or network connections. A VLAN (Virtual LAN) is a network composed of logical broadcast domains. For example, say you have a two-story building with 3 different departments on each floor. Each department (on both floors) must communicate together directly, and each produces a large amount of local traffic. What is the best solution for this situation? A Virtual LAN (VLAN) is the best way to contain the traffic produced by each department. Normally, connecting these users would be challenging because they sit behind 2 different switches and possibly on different subnets or gateways, so their traffic would have to cross a router. Specifying matching VLAN rules in both switches logically groups each department together. See the image below:
This diagram gives you the basic idea of VLAN membership. You can see how the floors of the building are separate and that each department is represented by a different color. The switches lie below and the trunk link is represented by the lightning bolt.
Types of Membership
There are several different types of memberships associated with VLANs:
Static VLANs
Dynamic VLANs
Static VLANs are specified by switch port. For example, say a 12-port Fast Ethernet switch is split to create 2 VLANs. The first 6 ports are associated with VLAN 1 and the last 6 ports with VLAN 2. If a machine is moved from port 3 to port 11, it effectively changes VLANs.
Dynamic VLANs are specified by MAC address. In the same scenario, a system administrator enters the MAC addresses of all machines connecting to the switch. These addresses are stored in a database of local MAC addresses (on the switch itself, or on a central membership server that the switch queries), and each MAC address is associated with a certain VLAN. This way, if a machine is moved, it retains its original VLAN membership regardless of its port number. The caveat is that a MAC address is a claim, not a credential: a host that sets its interface to a victim's MAC address inherits the victim's VLAN membership, so dynamic membership should not be relied on as an access control on its own.
VLAN Tagging
Carrying traffic from several VLANs over a single link between two switches (or between a switch and a router) requires VLAN tagging. Tagging inserts a small VLAN identifier into the header of each Ethernet frame, so the device at the other end of the link knows which VLAN the frame belongs to; the tag is removed again before the frame is delivered to an ordinary host port. The standard tag format is IEEE 802.1Q. Tagging is needed in any network where a VLAN spans more than one switch, which includes most large networks and VLANs that stretch across wide geographic areas.
VLAN Enabled Switches
Not all switches support VLANs. While most expensive switches do, you won't get "the works" unless you're using a Cisco Catalyst. Cisco has created proprietary protocols to manage VLANs. VLAN Trunking Protocol (VTP) lets Cisco switches advertise their VLAN database (VLAN numbers and names, not routes) to other VTP-enabled switches in the same VTP domain. It also allows a system administrator to manage all VLANs from a central point and order all switches to update their VLAN information along the entire network. That convenience cuts both ways: a switch joining the domain with a higher configuration revision number overwrites the VLAN database of every other switch, so a VTP password should be set and switches that do not need VTP should run in transparent mode or with VTP turned off. 3Com SuperStack switches also have good VLAN support. However, there have been some compatibility issues associated with multi-vendor VLAN devices, and most organizations using VLANs have decided it is worth shelling out the extra cash to go with Cisco equipment and get the extra features and functionality.
http://www.puredata.com/manual/backboneswiches/appendix/glossary.html
http://www.answers.com/main/ntquery;jsessionid=6f827uhquthfr?tname=virtual-lan&method=6&sbid=lc04b
virtual LAN
Also called a "VLAN," it is a logical subgroup within a local area network that is created via software rather than manually moving cables in the wiring closet. It combines user stations and network devices into a single unit regardless of the physical LAN segment they are attached to and allows traffic to flow more efficiently within populations of mutual interest.
VLANs are implemented in port switching hubs and LAN switches and generally offer proprietary solutions. VLANs reduce the time it takes to implement moves, adds and changes.
VLANs function at layer 2. Since their purpose is to isolate traffic within the VLAN, a router is required in order to pass traffic from one VLAN to another. The router works at the higher layer 3 network protocol, which requires that network layer segments are identified and coordinated with the VLANs. This is a complicated job, and VLAN designs tend to become hard to manage as networks expand and more routers are encountered. The industry is working towards "virtual routing" solutions, which allow the network manager to view the entire network as a single routed entity. See 802.1q.
The VLAN
Virtual LANs solve the problem of containing traffic within workgroups that are geographically dispersed. They allow moves, adds and changes to be performed via software at a console rather than manually changing cables in the wiring closet.
Wikipedia
Virtual LAN
A virtual LAN, commonly known as a vLAN or as a VLAN, is a logically independent network. Several VLANs can co-exist on a single physical switch.
A vLAN consists of a network of computers that behave as if connected to the same wire, even though they may actually physically connect to different segments of a LAN. Network administrators configure VLANs through software rather than hardware, which makes them extremely flexible. One of the biggest advantages of VLANs emerges when physically moving a computer to another location: it can stay on the same VLAN without the need for any hardware reconfiguration.
The IEEE 802.1Q tagging protocol dominates the VLAN world. Prior to the introduction of 802.1Q several proprietary protocols existed, such as Cisco's ISL (Inter-Switch Link) and 3Com VLT (Virtual LAN Trunk). ISL has since been deprecated in favor of 802.1Q.
Early network designers often configured VLANs with the aim of reducing the size of the collision domain in a large single Ethernet segment and thus of improving performance. When Ethernet switches made this a non-issue (every switched port is its own collision domain), attention turned to reducing the size of the broadcast domain at the MAC layer. Virtual networks can also serve to restrict access to network resources without regard to the physical topology of the network, although the strength of this method depends entirely on the switches being configured correctly: a misconfigured trunk or native VLAN can let frames cross from one VLAN to another, so VLAN separation should be backed by filtering at the router or firewall that joins the VLANs.
Virtual LANs operate at layer 2 (the data link layer) of the OSI model. However, administrators often configure a VLAN to map directly to an IP network, or subnet, which gives the appearance of involving layer 3 (the network layer).
In the context of VLANs, the term 'trunk' denotes a network link carrying multiple VLANs, which are identified by labels ('tags') inserted into their frames. Such trunks must run between 'tagged ports' of VLAN-aware devices, so they are usually switch-to-switch or switch-to-router links rather than links to hosts. (Confusingly, the term 'trunk' is also used for what Cisco calls 'channels': link aggregation or port trunking.) A router (or Layer 3 switch) serves as the backbone for network traffic going across different VLANs.
On Cisco devices, VTP (VLAN Trunking Protocol) allows for VLAN domains, which can aid in administrative tasks. VTP also allows 'pruning', which directs a VLAN's traffic only to switches that have ports on that VLAN.
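The 802.1Q tag described in the VLAN Tagging section and in the trunk paragraph above, as an added example that is not part of the original notes: it builds and parses tagged Ethernet frames (including the double-tagged case) and models what a trunk port whose native VLAN is sent untagged does to such a frame. The MAC addresses, VLAN numbers and payload are constructed for illustration.

```python
"""Build and parse IEEE 802.1Q-tagged Ethernet frames, and model how a trunk
port with an untagged native VLAN treats a double-tagged frame.
Added illustration; addresses and payloads below are constructed."""
import struct

TPID_8021Q = 0x8100    # customer VLAN tag (C-TAG)
TPID_8021AD = 0x88A8   # provider tag (S-TAG, 802.1ad "QinQ")
ETH_IPV4 = 0x0800


def _mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def _mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_frame(dst, src, ethertype, payload, tags=()):
    """tags: sequence of (tpid, pcp, dei, vid), outermost first. Each tag is a
    4-byte TPID + TCI inserted between the source MAC and the EtherType."""
    frame = _mac_bytes(dst) + _mac_bytes(src)
    for tpid, pcp, dei, vid in tags:
        if not (0 <= vid <= 4095 and 0 <= pcp <= 7 and dei in (0, 1)):
            raise ValueError("tag field out of range")
        tci = (pcp << 13) | (dei << 12) | vid
        frame += struct.pack("!HH", tpid, tci)
    return frame + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Return (dst, src, tags, ethertype, payload); tags are dicts, outermost first."""
    if len(frame) < 14:
        raise ValueError("shorter than a minimal Ethernet header")
    tags, off = [], 12
    while True:
        if off + 2 > len(frame):
            raise ValueError("truncated header")
        tpid = struct.unpack_from("!H", frame, off)[0]
        if tpid not in (TPID_8021Q, TPID_8021AD):
            break
        if off + 4 > len(frame):
            raise ValueError("truncated VLAN tag")
        tci = struct.unpack_from("!H", frame, off + 2)[0]
        tags.append({"tpid": tpid, "pcp": tci >> 13, "dei": (tci >> 12) & 1, "vid": tci & 0xFFF})
        off += 4
    ethertype = struct.unpack_from("!H", frame, off)[0]
    return _mac_str(frame[:6]), _mac_str(frame[6:12]), tags, ethertype, frame[off + 2:]


def trunk_egress(frame, native_vlan, tag_native=False):
    """Model the egress side of a trunk port. With the common default of sending
    the native VLAN untagged, a frame whose outermost tag carries the native VID
    leaves with that tag stripped; any inner tag is then exposed to the next
    switch, which is the double-tagging VLAN-hopping mechanism. Tagging the
    native VLAN (tag_native=True) or choosing an unused native VID closes it."""
    dst, src, tags, ethertype, payload = parse_frame(frame)
    if tags and tags[0]["vid"] == native_vlan and not tag_native:
        inner = [(t["tpid"], t["pcp"], t["dei"], t["vid"]) for t in tags[1:]]
        return build_frame(dst, src, ethertype, payload, inner)
    return frame


if __name__ == "__main__":
    # Constructed frame: outer tag = native VLAN 1, inner tag = target VLAN 20.
    crafted = build_frame("ff:ff:ff:ff:ff:ff", "00:0c:29:aa:bb:cc", ETH_IPV4,
                          b"\x45" + b"\x00" * 19,
                          tags=[(TPID_8021Q, 0, 0, 1), (TPID_8021Q, 0, 0, 20)])
    print("default trunk:", parse_frame(trunk_egress(crafted, native_vlan=1))[2])
    print("tagged native:", parse_frame(trunk_egress(crafted, native_vlan=1, tag_native=True))[2])
```

The only state a switch needs to make this decision is the VID of the outermost tag, which is why the fix is a configuration choice on the trunk rather than anything in the frame format itself.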
Types and varieties
Network administrators can configure VLANs in various ways:
at the protocol level, using IP, IPX, LAT, etc.
based on MAC addresses
based on IP subnet
based on ports
Designers can set up static, dynamic, or port-centric vLANs.
Two methods of establishing a VLAN exist: frame-tagging and frame-filtering:
1. Frame-tagging changes the information contained within the layer-2 frame, so that switches may forward the VLAN traffic to its correct VLAN destination and return the frame to its normal format
2. Frame-filtering involves the switch looking for certain criteria in the layer-2 frame and using this matching system to forward the traffic to its correct VLAN and destination.
A Layer-2 device can implement VLANs in different ways:
Open VLANs have a single MAC address database for all VLANs
Closed VLANs have a separate MAC address database for each VLAN
Mixed-Mode VLANs can involve configuring Open or Closed VLANs on a per-VLAN basis
Computer security specialists generally consider closed VLANs more secure than open VLANs, because with a shared address table a forwarding decision in one VLAN can be influenced by an address learned in another.
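A toy switch model, added here and not taken from the notes, that puts the static and dynamic membership rules from the Types of Membership section and the open/closed address-table distinction above side by side. Port numbers, VLAN numbers and MAC strings are constructed, and forwarding is simplified to source learning, destination lookup and flooding within the VLAN.

```python
"""Toy learning switch: static (per-port) or dynamic (per-MAC) VLAN membership,
with either one forwarding table per VLAN (closed) or one shared table (open).
Added illustration; ports, VLAN numbers and MAC strings are constructed."""

BROADCAST = "ff:ff:ff:ff:ff:ff"


class Switch:
    def __init__(self, port_vlan, mac_vlan=None, default_vlan=1, closed=True):
        self.port_vlan = dict(port_vlan)   # port -> VLAN; fixed when membership is static
        self.mac_vlan = mac_vlan           # MAC -> VLAN; enables dynamic membership
        self.default_vlan = default_vlan   # VLAN for MACs absent from mac_vlan
        self.closed = closed
        self.table = {}                    # closed: (vlan, mac) -> port; open: mac -> port

    def _key(self, vlan, mac):
        return (vlan, mac) if self.closed else mac

    def _members(self, vlan):
        return {p for p, v in self.port_vlan.items() if v == vlan}

    def receive(self, in_port, src, dst):
        """Process one frame arriving on in_port; return the set of egress ports."""
        if self.mac_vlan is not None:
            # Dynamic membership: the port follows whatever MAC last spoke on it.
            # A MAC is a claim the switch cannot verify, so a spoofed source MAC
            # moves the attacker's port into the victim's VLAN.
            self.port_vlan[in_port] = self.mac_vlan.get(src, self.default_vlan)
        vlan = self.port_vlan[in_port]
        self.table[self._key(vlan, src)] = in_port            # learn the source
        out = None if dst == BROADCAST else self.table.get(self._key(vlan, dst))
        if out is None or out == in_port:
            return self._members(vlan) - {in_port}             # flood inside the VLAN only
        # Open mode: the lookup ignored the VLAN, so `out` may belong to another VLAN.
        return {out}


if __name__ == "__main__":
    ports = {1: 10, 2: 10, 3: 20, 4: 20}
    for closed in (False, True):
        sw = Switch(ports, closed=closed)
        sw.receive(1, "aa", "bb")                # host aa learned on port 1, VLAN 10
        print("closed" if closed else "open  ", "VLAN 20 frame for aa goes to", sw.receive(3, "cc", "aa"))
    dyn = Switch({p: 1 for p in ports}, mac_vlan={"aa": 10, "bb": 10}, default_vlan=99)
    dyn.receive(1, "aa", "bb")
    dyn.receive(2, "bb", "aa")
    print("spoofed aa on port 4 reaches", dyn.receive(4, "aa", BROADCAST))
```

With the shared table, the frame from VLAN 20 is delivered to a VLAN 10 port because the lookup matched an address learned there; with per-VLAN tables the same frame is flooded only to the other VLAN 20 port. The dynamic case shows why MAC-based membership needs something stronger (for example 802.1X) in front of it.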
External links
IEEE's 802.1Q standard
Cisco's Overview of Routing between Virtual LANs
Cisco's Bridging Between IEEE 802.1Q VLANs white paper
University of California's VLAN Information
Virtual Private Networks
Introduction
As companies become more decentralized, they find themselves with employees all over the country and around the world. Increasingly, these workers need the same access to corporate information as those still at headquarters.
This presents a challenge for network managers - how to beef up the information flow while keeping WAN costs in check. Some users are finding they can meet both goals through Internet-based virtual private networks, or VPNs.
Basically, virtual private networks maintain privacy through the use of a tunneling protocol and security procedures. A VPN typically uses the Internet as the transport backbone to establish secure links with business partners, extend communications to regional and isolated offices, and significantly decrease the cost of communications for an increasingly mobile workforce. Because the Internet has become so ubiquitous, virtually everybody can plug into it, potentially reducing the need for banks of remote-access servers and modems, or for users to dial long-distance into such facilities. And because the Internet is always there, you can often use it in place of dedicated lines.
All of this can mean fairly substantial savings over traditional leased-line connections or frame relay permanent virtual circuits. Users can expect to save hundreds of dollars a month on dedicated Internet access connections when compared to dedicated private lines from a long-distance service provider.
The main element of the VPN concept lies at the gateways between the private networks and the public network. Be it software oriented, hardware oriented or a combination of the two, this intermediate device acts on behalf of the private network that it protects. When one of the local hosts sends data to another host in a remote network, the data must first pass from the private network through the protecting gateway device, travel through the public network, and then pass through the gateway device that is protecting the host in the remote network at the receiving end.
The VPN safeguards the data by automatically encrypting it (thus making it incomprehensible to a third party) before it is sent from one private network to another, encapsulating it into an IP packet, and then automatically decrypting the data at the receiving end.
The gateway device can also double as a firewall for the local network, denying harmful or malicious data access to the network and managing the outgoing data to the public network (whether it is encrypted or not).
VPN Classifications:
Despite the large (and rapidly expanding) number of VPN products, all fall into three broad categories: hardware-based systems, firewall-based VPNs and standalone (software-based) VPN application packages.
Hardware-based VPN systems are encrypting routers. They are secure and easy to use, since they provide the nearest thing to "plug and play" encryption equipment available. They provide the highest network throughput of all VPN systems, since they don't spend processor time running a general-purpose operating system or other applications. However, they may not be as flexible as software-based systems. The best hardware VPN packages offer software-only clients for remote installation, and incorporate some of the access control features more traditionally managed by firewalls or other perimeter security devices.
Firewall-based VPNs take advantage of the firewall's security mechanisms, including restricting access to the internal network. They also perform address translation; satisfy requirements for strong authentication; and serve up real-time alarms and extensive logging. Most commercial firewalls also "harden" the host operating system kernel by stripping out dangerous or unnecessary services, providing additional security for the VPN server. OS protection is a major plus, since very few VPN application vendors supply guidance on OS security. Performance may be a concern, especially if the firewall is already loaded - however, some firewall vendors offer hardware-based encryption processors to minimize the impact of VPN management on the system.
Software-based VPNs are ideal in situations where both endpoints of the VPN are not
controlled by the same organization (typical for client support requirements or business
partnerships), or when different firewalls and routers are implemented within the same
organization. At the moment, standalone VPNs offer the most flexibility in how network traffic
is managed. Many software-based products allow traffic to be tunneled based on address or
protocol, unlike hardware-based products, which generally tunnel all traffic they handle,
regardless of protocol. Tunneling specific traffic types is advantageous in situations where remote sites may see a mix of traffic - some that needs transport over a VPN (such as entries to a database at headquarters) and some that doesn't (such as Web surfing). In situations
where performance requirements are modest (such as users connecting over dial-up links),
software-based VPNs may be the best choice.
But software-based systems are generally harder to manage than encrypting routers. They
require familiarity with the host operating system, the application itself, and appropriate
security mechanisms. And some software VPN packages require changes to routing tables and
network addressing schemes.
How to Secure Data in VPN
1. Authentication (often called "certification" in VPN product literature) - Authentication is usually two-factor and combines an electronic token with a PIN (Personal Identification Number). In this manner the user must have something in his possession and something he memorizes. This drastically reduces the probability of someone impersonating a user, because he needs both elements to access the system.
2. Encryption - Once in the VPN, each gateway device exchanges public keys with its peers. The public and private keys are used to authenticate the peers and to agree on a shared session key; the traffic itself is then encrypted with a symmetric cipher under that session key, so that recovering the data without the keys is computationally infeasible. Once the encryption keys are selected and implemented, it is necessary to ensure that they are protected through a key management system. Key management is the process of distributing the keys, refreshing them at specific intervals and revoking them when necessary. A balance has to be struck between the key exchange interval and the amount of data exchanged under one key. An interval that is too short overburdens the VPN gateways with key generation; an interval that is too long means that a single compromised key exposes a larger amount of traffic.
VPNs Secure Protocol:
IPSec is a suite of protocols that integrates security into the Internet Protocol (IP) and provides data origin authentication, data integrity, confidentiality, and protection against replay attacks. IPSec is the standard for secure private communications over the Internet.
Normal IPv4 packets consist of a header and a payload, both of which contain information of value to an attacker. The header contains source and destination IP addresses, which are required for routing but may be spoofed or altered by an attacker positioned on the path (a "man-in-the-middle"); the payload consists of information which may be confidential to a particular organization. IPSec provides mechanisms to protect both header and payload. The IPSec Authentication Header (AH) computes a keyed hash (an integrity check value) over the payload and the non-changing fields of the IP header and appends it to the packet; the receiver recomputes it with the shared key, which verifies that the packet came from a peer holding that key and that neither the payload nor the addresses were altered in transit. The IPSec Encapsulating Security Payload (ESP) provides confidentiality and integrity of the data in the original message by encrypting either the original payload by itself (transport mode) or the headers and payload of the original packet (tunnel mode), and adding its own integrity check value over the encrypted data.
IPSec Technologies
IPSec combines several different security technologies into a complete system to provide confidentiality, integrity, and authenticity. In particular, IPSec uses:
Diffie-Hellman key exchange for deriving key material between peers on a public network
Public key cryptography (or a pre-shared key) for authenticating the Diffie-Hellman exchanges, to guarantee the identity of the two parties and avoid man-in-the-middle attacks
Bulk encryption algorithms for encrypting the data; this text names DES, which is no longer considered secure and has been replaced by AES in current deployments
Keyed hash algorithms (HMAC) combined with a hash function for packet authentication; HMAC-MD5 and HMAC-SHA-1, named here, are legacy choices, with HMAC-SHA-2 used today
Digital certificates signed by a certificate authority to act as digital ID cards
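An added example of the first two items in the list, not taken from the notes: a Diffie-Hellman exchange whose public values are authenticated, and a man-in-the-middle substitution that the authentication rejects. Because the Python standard library has no signature primitive, the exchange is authenticated with an HMAC under a pre-shared key, as IKE's pre-shared-key mode does, in place of the certificate signatures the list mentions. The group is the 1024-bit MODP group from RFC 2409 (Oakley group 2), assumed to be transcribed correctly and too small for new deployments (use at least group 14 from RFC 3526). Peer names and the pre-shared key are constructed.

```python
"""Authenticated Diffie-Hellman exchange (pre-shared-key HMAC over the public
values) and a man-in-the-middle attempt that the authentication rejects.
Added illustration; names and the pre-shared key are constructed."""
import hashlib
import hmac
import secrets

# 1024-bit MODP prime, RFC 2409 Oakley group 2 (assumed transcribed correctly;
# too small for new deployments, use >= group 14 from RFC 3526 in practice).
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2
PUB_LEN = 128  # bytes needed to encode a value mod P


class Peer:
    def __init__(self, name, psk):
        self.name, self.psk = name, psk
        self.priv = secrets.randbelow(P - 2) + 1        # private exponent in [1, P-2]
        self.pub = pow(G, self.priv, P)

    def _tag(self, name, pub):
        # Binds a public value to the sender's identity under the shared secret.
        msg = name.encode() + pub.to_bytes(PUB_LEN, "big")
        return hmac.new(self.psk, msg, hashlib.sha256).digest()

    def send(self):
        """What this peer puts on the wire: identity, DH public value, auth tag."""
        return self.name, self.pub, self._tag(self.name, self.pub)

    def derive(self, peer_name, peer_pub, peer_tag):
        """Check the peer's tag, then derive the session key from the shared secret."""
        if not 1 < peer_pub < P - 1:
            raise ValueError("peer public value out of range")
        if not hmac.compare_digest(self._tag(peer_name, peer_pub), peer_tag):
            raise ValueError(f"{self.name}: authentication of {peer_name}'s DH value failed")
        shared = pow(peer_pub, self.priv, P)
        return hashlib.sha256(shared.to_bytes(PUB_LEN, "big")).digest()


def raw_shared(priv, peer_pub):
    """Unauthenticated DH: whoever supplied peer_pub shares this secret."""
    return pow(peer_pub, priv, P)


def exchange(alice, bob, mallory=None):
    """Run one exchange. If mallory is given, it swaps its own public value into
    both messages in transit, the classic attack on unauthenticated DH."""
    a_name, a_pub, a_tag = alice.send()
    b_name, b_pub, b_tag = bob.send()
    if mallory is not None:
        a_pub, b_pub = mallory.pub, mallory.pub   # tags remain the genuine ones
    return alice.derive(b_name, b_pub, b_tag), bob.derive(a_name, a_pub, a_tag)


if __name__ == "__main__":
    psk = b"constructed pre-shared key"
    alice, bob = Peer("alice", psk), Peer("bob", psk)
    k_a, k_b = exchange(alice, bob)
    print("session keys match:", k_a == k_b)
    mallory = Peer("mallory", b"does not know the psk")
    print("unauthenticated: mallory shares a key with alice:",
          raw_shared(alice.priv, mallory.pub) == raw_shared(mallory.priv, alice.pub))
    try:
        exchange(alice, bob, mallory=mallory)
    except ValueError as err:
        print("authenticated:", err)
```

The unauthenticated computation in raw_shared is exactly what goes wrong without the second list item: the mathematics works with whoever supplied the public value. Binding the value to a name under a secret that the attacker lacks is what makes the substitution detectable.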
Details of IPSec
IPSec combines the aforementioned security technologies into a complete system that provides confidentiality, integrity, and authenticity of IP datagrams. IPSec actually refers to several related protocols, defined at the time this text was written in RFC 2401-2411 and 2451 (the original IPSec RFCs 1825-1829 are obsolete; RFC 2401, 2402 and 2406 have themselves since been superseded by RFC 4301-4303, and IKE by IKEv2 in RFC 7296). These standards include:
IP Security Protocol proper, which defines the information to add to an IP packet to enable confidentiality, integrity, and authenticity controls, as well as how to encrypt the packet data.
Internet Key Exchange (IKE), which negotiates the security association between two entities and exchanges key material. It is not necessary to use IKE, but manually configuring security associations is a difficult and labor-intensive process, and manually configured keys are never refreshed. IKE should be used in most real-world applications to enable large-scale secure communications.
IPSec Packets
IPSec defines a new set of headers to be added to IP datagrams. These new headers are placed after the IP header and before the Layer 4 protocol header (typically Transmission Control Protocol [TCP] or User Datagram Protocol [UDP]). These new headers provide information for securing the payload of the IP packet as follows:
Authentication header (AH) - This header, when added to an IP datagram, ensures the integrity and authenticity of the data, including the invariant fields in the outer IP header. It does not provide confidentiality protection. AH uses a keyed-hash function rather than digital signatures, because digital signature technology is too slow and would greatly reduce network throughput.
Encapsulating security payload (ESP) - This header, when added to an IP datagram, protects the confidentiality, integrity, and authenticity of the data. If ESP is used to validate data integrity, it does not include the invariant fields in the IP header.
AH and ESP can be used independently or together, although for most applications just one of them is sufficient. For both of these protocols, IPSec does not define the specific security algorithms to use, but rather provides an open framework for implementing industry-standard algorithms. When this text was written, most implementations of IPSec supported MD5 or the Secure Hash Algorithm (SHA) for integrity and authentication, and the Data Encryption Standard (DES) was the most commonly offered bulk encryption algorithm, with RFCs defining how to use other ciphers such as IDEA and Blowfish. Those choices are now obsolete: current implementations use HMAC-SHA-2 (or an authenticated cipher such as AES-GCM) with AES, and a practitioner reviewing a VPN configuration should treat DES, 3DES and MD5 as findings.
IPSec provides two modes of operation: transport mode and tunnel mode.
In transport mode, only the IP payload is encrypted, and the original IP header is left intact. This mode has the advantage of adding only a few bytes to each packet. It also allows devices on the public network to see the final source and destination of the packet. This capability allows you to enable special processing (for example, quality of service) in the intermediate network based on the information in the IP header. However, the Layer 4 header will be encrypted, limiting the examination of the packet. Unfortunately, by passing the IP header in the clear, transport mode allows an attacker to perform some traffic analysis.
In tunnel mode, the entire original IP datagram is encrypted, and it becomes the payload in a new IP packet. This mode allows a network device, such as a router, to act as an IPSec proxy. That is, the router performs encryption on behalf of the hosts. The source's router encrypts packets and forwards them along the IPSec tunnel. The destination's router decrypts the original IP datagram and forwards it on to the destination system. The major advantage of tunnel mode is that the end systems do not need to be modified to enjoy the benefits of IP Security. Tunnel mode also protects against traffic analysis. With tunnel mode, an attacker can only determine the tunnel endpoints and not the true source and destination of the tunneled packets, even if they are the same as the tunnel endpoints.
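The AH mechanism and the two modes described above, worked through as an added example that is not from the notes: an IPv4 packet is protected with AH using HMAC-SHA-256-128 over the payload and the immutable header fields, once in transport mode between two hosts and once in tunnel mode between two gateways, and the verifier accepts a router's TTL decrement but rejects a changed payload or source address. Addresses, the key and the TCP segment are constructed; ESP encryption and the replay window are not modelled.

```python
"""IPsec Authentication Header (AH) with HMAC-SHA-256-128 over an IPv4 packet,
in transport mode (host to host) and tunnel mode (gateway to gateway).
Added illustration; addresses, key and payload are constructed. ESP and the
anti-replay window are not modelled."""
import hashlib
import hmac
import socket
import struct

PROTO_IPIP, PROTO_TCP, PROTO_AH = 4, 6, 51
ICV_LEN = 16                 # HMAC-SHA-256-128: 32-byte MAC truncated to 128 bits
AH_LEN = 12 + ICV_LEN        # fixed AH fields (next hdr, len, reserved, SPI, seq) + ICV


def _checksum(data):
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal 20-byte IPv4 header (DF set, no options) with a valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0x4000,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", _checksum(hdr)) + hdr[12:]


def _icv_input(ip_hdr, ah_fixed, payload):
    """Bytes the ICV covers: IP header with the mutable fields (TOS, flags and
    fragment offset, TTL, checksum) zeroed, AH fields with the ICV zeroed, payload."""
    ip = bytearray(ip_hdr)
    ip[1] = 0
    ip[6:8] = b"\x00\x00"
    ip[8] = 0
    ip[10:12] = b"\x00\x00"
    return bytes(ip) + ah_fixed + b"\x00" * ICV_LEN + payload


def ah_protect(src, dst, next_hdr, payload, key, spi, seq):
    """Transport mode: src/dst are the end hosts and payload the L4 segment.
    Tunnel mode: src/dst are the gateways, next_hdr=PROTO_IPIP and payload the
    complete original IP datagram (see tunnel_protect)."""
    ah_fixed = struct.pack("!BBHII", next_hdr, AH_LEN // 4 - 2, 0, spi, seq)
    ip_hdr = ipv4_header(src, dst, PROTO_AH, AH_LEN + len(payload))
    icv = hmac.new(key, _icv_input(ip_hdr, ah_fixed, payload), hashlib.sha256).digest()[:ICV_LEN]
    return ip_hdr + ah_fixed + icv + payload


def tunnel_protect(gw_src, gw_dst, inner_datagram, key, spi, seq):
    """Tunnel mode: the whole original datagram rides as the AH payload."""
    return ah_protect(gw_src, gw_dst, PROTO_IPIP, inner_datagram, key, spi, seq)


def ah_verify(packet, key):
    """Return (next_header, payload) when the ICV checks out, else raise ValueError."""
    if packet[9] != PROTO_AH:
        raise ValueError("not an AH packet")
    next_hdr, plen = packet[20], packet[21]
    ah_len = (plen + 2) * 4
    icv, payload = packet[32:20 + ah_len], packet[20 + ah_len:]
    expected = hmac.new(key, _icv_input(packet[:20], packet[20:32], payload),
                        hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("AH ICV mismatch: packet altered in transit or wrong key")
    return next_hdr, payload


def observed_addresses(packet):
    """What a passive observer on the public network sees in the outer header."""
    return socket.inet_ntoa(packet[12:16]), socket.inet_ntoa(packet[16:20])


if __name__ == "__main__":
    key = bytes(range(32))                       # constructed SA key
    seg = b"constructed TCP segment"
    transport = ah_protect("10.1.0.5", "10.2.0.9", PROTO_TCP, seg, key, 0x100, 1)
    inner = ipv4_header("10.1.0.5", "10.2.0.9", PROTO_TCP, len(seg)) + seg
    tunnel = tunnel_protect("198.51.100.1", "203.0.113.1", inner, key, 0x200, 1)
    print("transport mode exposes:", observed_addresses(transport))
    print("tunnel mode exposes:   ", observed_addresses(tunnel))
    print("tunnel payload intact: ", ah_verify(tunnel, key)[1] == inner)
```

Zeroing the mutable fields before hashing is what lets the packet survive ordinary routing (TTL decrement, checksum rewrite) while any change to the addresses or payload breaks the check; it is also why AH cannot pass through NAT, which rewrites the very fields the ICV covers.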