Institute of Technology, Sligo Dept of Computing Semester 3, version 2.1.3 Semester 3 Chapter 3...

Institute of Technology,Sligo Dept of Computing

Semester 3, version 2.1.3Semester 3, version 2.1.3

Semester 3Semester 3

Chapter 3 VLANsChapter 3 VLANs

3.1.1 VLANs3.1.1 VLANs A VLAN is a A VLAN is a logicallogical grouping of grouping of

devices or users that can be grouped devices or users that can be grouped by function, department, or by function, department, or application, regardless of their application, regardless of their physical segment location. VLAN physical segment location. VLAN configuration is done at the switch configuration is done at the switch via via softwaresoftware. .

3.2.1 3.2.1 Segmentation with Segmentation with Switching ArchitecturesSwitching Architectures

LANs are increasingly being divided into LANs are increasingly being divided into workgroups connected via common workgroups connected via common backbones to form VLAN topologies. backbones to form VLAN topologies. VLANs logically segment the physical LAN VLANs logically segment the physical LAN infrastructure into different subnets (or infrastructure into different subnets (or broadcast domainsbroadcast domains for Ethernet). for Ethernet). Broadcast frames are switched only Broadcast frames are switched only between ports within the same VLAN. between ports within the same VLAN.

VLANs create broadcast domains.VLANs create broadcast domains.

3.2.3 The Transport of VLANs 3.2.3 The Transport of VLANs Across BackbonesAcross Backbones

Important to any VLAN architecture is Important to any VLAN architecture is the ability to transport VLAN information the ability to transport VLAN information between interconnected switches and between interconnected switches and routers that reside on the corporate routers that reside on the corporate backbonebackbone. .

Within the backbone, Within the backbone, high-bandwidthhigh-bandwidth, , high-capacity links are typically chosen high-capacity links are typically chosen to carry the traffic throughout the to carry the traffic throughout the enterprise.enterprise.

3.2.4 The Role of Routers in 3.2.4 The Role of Routers in VLANsVLANs

The traditional role of a router is to provide The traditional role of a router is to provide firewalls, broadcast management and firewalls, broadcast management and route processing and distribution. While route processing and distribution. While VLAN switches take on some of these VLAN switches take on some of these tasks, routers still remain vital in VLAN tasks, routers still remain vital in VLAN architectures because they provide architectures because they provide connected routes between different VLANs. connected routes between different VLANs.

Routers provide communication Routers provide communication betweenbetween VLANs.VLANs.

3.2.5 How Frames are Used in 3.2.5 How Frames are Used in VLANsVLANs

VLANs use VLANs use framesframes to make filtering and to make filtering and forwarding decisions.forwarding decisions.

The most common approaches for logically The most common approaches for logically grouping users into distinct VLANs are grouping users into distinct VLANs are frame filtering and frame identification frame filtering and frame identification (frame tagging). Both of these techniques (frame tagging). Both of these techniques look at the frame when it is either received look at the frame when it is either received or forwarded by the switch. or forwarded by the switch.

Frame FilteringFrame Filtering Frame filtering examines Frame filtering examines particular particular

informationinformation about each frame. about each frame. A filtering table is developed for each A filtering table is developed for each

switch; this provides a high level of switch; this provides a high level of administrative control because it can administrative control because it can examine many attributes of each examine many attributes of each frame. frame.

Frame TaggingFrame Tagging Frame tagging uniquely assigns a Frame tagging uniquely assigns a

VLAN VLAN ID ID to each frame. to each frame. This technique was chosen by the This technique was chosen by the

Institute of Electrical and Electronic Institute of Electrical and Electronic Engineers (Engineers (IEEEIEEE) standards group ) standards group because of its scalability. because of its scalability.

IEEE 802.1qIEEE 802.1q states that frame states that frame tagging is the way to implement tagging is the way to implement VLANs.VLANs.

Frame TaggingFrame Tagging Frame tagging places a unique Frame tagging places a unique

identifier in the header of each identifier in the header of each frame as it is forwarded frame as it is forwarded throughout the network throughout the network backbonebackbone. .

Frame identification functions at Frame identification functions at Layer Layer 22. .

3.3 VLAN Implementation3.3 VLAN Implementation A VLAN makes up a switched network that A VLAN makes up a switched network that

is logically segmented by is logically segmented by functions, functions, project teams, or applicationsproject teams, or applications, without , without regard to the physical location of users.regard to the physical location of users.

Three VLAN implementation methods can Three VLAN implementation methods can be used to assign a switch port to a VLAN. be used to assign a switch port to a VLAN. They are:They are: port-centric port-centric static static dynamicdynamic

3.3.2 Port Centric3.3.2 Port Centric In port-centric VLANs, all the In port-centric VLANs, all the

nodes connected to ports in the nodes connected to ports in the same VLAN (same VLAN (same switched portsame switched port) ) are assigned to the same VLAN are assigned to the same VLAN ID.ID.

3.3.3 Static VLANs3.3.3 Static VLANs Static VLANs are ports on a switch that Static VLANs are ports on a switch that

are are statically assignedstatically assigned to a VLAN. to a VLAN. Although Although staticstatic VLANs require the VLANs require the

administrator to make changes, they administrator to make changes, they are secure, easy to configure, and are secure, easy to configure, and straightforward to monitor. straightforward to monitor.

Static VLANs work well in networks in Static VLANs work well in networks in which moves are controlled and which moves are controlled and managed. managed.

3.3.4 Dynamic VLANs3.3.4 Dynamic VLANs

DynamicDynamic VLANs are ports on a switch VLANs are ports on a switch that are automatically assigned to a that are automatically assigned to a VLAN.VLAN.

Dynamic VLAN functions are based Dynamic VLAN functions are based on on MAC addressesMAC addresses, , logical logical addressingaddressing, or , or protocol typeprotocol type of the of the data packets. data packets.

3.3.4 Dynamic VLANs3.3.4 Dynamic VLANs The major benefits of this approach are less The major benefits of this approach are less

administration within the wiring closet when administration within the wiring closet when a user is added or moved and centralized a user is added or moved and centralized notification when an unrecognized user is notification when an unrecognized user is added to the network. added to the network.

Typically, more administration is required up Typically, more administration is required up front to set up the database within the VLAN front to set up the database within the VLAN management software and to maintain an management software and to maintain an accurate database of all network users.accurate database of all network users.

3.4.1 Making Additions, Moves 3.4.1 Making Additions, Moves and Changes Easierand Changes Easier

Moves, additions, and changes are one Moves, additions, and changes are one of a network manager's biggest of a network manager's biggest headaches and one of the largest headaches and one of the largest expenses related to managing the expenses related to managing the network. network.

VLANs provide an effective mechanism VLANs provide an effective mechanism for controlling these changes and for controlling these changes and reducing much of the cost associated reducing much of the cost associated with hub and router reconfigurations. with hub and router reconfigurations.

3.4.1 Making Additions, Moves 3.4.1 Making Additions, Moves and Changes Easierand Changes Easier

A location change can be as simple A location change can be as simple as plugging a user into a port on a as plugging a user into a port on a VLAN-capable switch and configuring VLAN-capable switch and configuring the port on the switch to that VLAN. the port on the switch to that VLAN.

Users may be reassigned to different Users may be reassigned to different VLANs using the switch VLANs using the switch softwaresoftware. .

3.4.2 How VLANs Control 3.4.2 How VLANs Control BroadcastsBroadcasts

Broadcast traffic occurs in every Broadcast traffic occurs in every network. network.

New multimedia applications are New multimedia applications are being developed that are broadcast being developed that are broadcast and multicast intensive.and multicast intensive.

You need to take preventive You need to take preventive measures to ensure against measures to ensure against broadcast-related problems. broadcast-related problems.


One of the most effective preventive One of the most effective preventive measure is to properly segment the measure is to properly segment the network with protective network with protective firewallsfirewalls..

Thus, although one segment may Thus, although one segment may have excessive broadcast conditions, have excessive broadcast conditions, the rest of the network is protected the rest of the network is protected with a firewall commonly provided by with a firewall commonly provided by a router.a router.


The The routerrouter reduces or eliminates reduces or eliminates broadcast related problems with broadcast related problems with firewalls.firewalls.

VLANs are an effective mechanism for VLANs are an effective mechanism for extending firewalls from the routers to extending firewalls from the routers to the switch fabric and protecting the the switch fabric and protecting the network against potentially dangerous network against potentially dangerous broadcast problems. broadcast problems.


The smaller the VLAN group, the The smaller the VLAN group, the smaller the number of users affected smaller the number of users affected by by broadcastbroadcast traffic activity within traffic activity within the VLAN group. the VLAN group.

VLANs along with routers, establish VLANs along with routers, establish broadcastbroadcast domains. domains.

3.4.3 How VLANs Improve 3.4.3 How VLANs Improve SecuritySecurity

Confidential data requires security Confidential data requires security through access restriction. One through access restriction. One problem of shared LANs is that they problem of shared LANs is that they are relatively easy to penetrate. are relatively easy to penetrate.

One cost-effective and easy One cost-effective and easy administrative technique to increase administrative technique to increase security is to segment the network security is to segment the network into multiple broadcast groups.into multiple broadcast groups.


Multiple broadcast groups allow the Multiple broadcast groups allow the network manager to: network manager to: Restrict the number of users in a VLAN Restrict the number of users in a VLAN

group group Prevent another user from joining without Prevent another user from joining without

first receiving approval from the VLAN first receiving approval from the VLAN network management application network management application

Configure all unused ports to a default Configure all unused ports to a default low-service VLANlow-service VLAN


Restricted applications and resources are Restricted applications and resources are commonly placed in a secured VLAN commonly placed in a secured VLAN group. On the secured VLAN, the switch group. On the secured VLAN, the switch restricts access into the group.restricts access into the group.

Restrictions can be placed based on Restrictions can be placed based on station addressesstation addresses, , application typesapplication types, or , or protocol typesprotocol types. .

One benefit of using VLANs is One benefit of using VLANs is tighter tighter network securitynetwork security..

3.4.4 How VLANs can Save 3.4.4 How VLANs can Save Money.Money.

Network managers save money by Network managers save money by connecting existing hubs to switches. connecting existing hubs to switches.

Each hub segment connected to a Each hub segment connected to a switch port can be assigned to switch port can be assigned to only only oneone VLAN. VLAN.

Stations that share a hub segment Stations that share a hub segment are all assigned to the same VLAN are all assigned to the same VLAN group.group.

The EndThe End

Good luck on your Chapter 3 online exam!Good luck on your Chapter 3 online exam!

Institute of Technology, Sligo Dept of Computing Semester 3, version 2.1.3 Semester 3 Chapter 3...

Documents

Transcript of Institute of Technology, Sligo Dept of Computing Semester 3, version 2.1.3 Semester 3 Chapter 3...