Virtual Local Area Networks
Transcript of Virtual Local Area Networks
Should I V-LAN?
1. Security
V-LANs, with access lists applied between them, can restrict access to network resources
Should I V-LAN?
Access Control Lists decide which V-LANs may reach which information.
Diagram: the Faculty V-LAN and the Students V-LAN both reach the Student Records server through the switch; access is permitted from the Faculty V-LAN and denied from the Students V-LAN.
Should I V-LAN?
2. Broadcast Control for Increased Performance
Reduce the size of your broadcast domains (a switch already gives every port its own collision domain; it is the V-LAN that bounds broadcasts)
Limit broadcast traffic to similar users
Check Your Network for Broadcast Protocols
Chart (protocol mix measured on the sample network): TCP 40%, UDP 10%, ARP 35%, DHCP 8%, IPX 5%, SPX 2%. Of these, ARP and DHCP are carried as broadcasts, so together they are close to half the frames on this network.
Diagram: One Broadcast Domain – without V-LANs, every port on every switch hears every broadcast.
Diagram: V-LANs form Multiple Broadcast Domains – each V-LAN is its own broadcast domain, spanning only the ports assigned to it.
Should I V-LAN?
3. Network Monitoring
Centrally configure devices in local areas
Divide your users into logical groupings
Should I V-LAN?
Your security will improve (once the access lists between the V-LANs are in place)
Your network performance will improve
How Many V-LANs?
• List Buildings
• Itemize Departments
• Remember BROADCAST CONTROL
NC State
How Many V-LANs?
Building 1: Lab 1, Lab 2, Faculty/Staff, Library, Administration
Building 2: Wireless Lab, Faculty/Staff
Building 3: Lab 3, Faculty/Staff
How Many V-LANs? When you’re done – Add 2 More
1. A Test V-LAN for your Test Lab
2. An “Internet Only” V-LAN for all unused ports
plus V-LAN #1 will be your default V-LAN for your administrative purposes
Every port on a new switch starts out in V-LAN 1, so if you keep it for administration, check during the port audit that no user port is left there; many vendors recommend moving switch management to a V-LAN of its own for the same reason.
How Many V-LANs?
• Building 1 – 18 V-LANs
• Building 2 – 6 V-LANs
• Building 3 – 7 V-LANs
• Building 4 – 4 V-LANs
• Building 5 – 2 V-LANs
• Building 6 – 7 V-LANs
• 3 Server V-LANs
• Internet Only V-LAN
• Test V-LAN
• Adm. V-LAN
• Total – 50
Equipment/Server Concerns
• You will need a trustworthy Layer 3 main switch (example: Cisco Catalyst 4506) to route between the V-LANs and to hold the access lists
• Unmanaged switches and hubs are V-LAN-unaware: everything plugged into one lands in whichever V-LAN its uplink port is assigned to, so each can contain only 1 V-LAN
• Some protocols, such as IPX and AppleTalk, depend on broadcasts, and broadcasts do not cross V-LAN boundaries. These will need to be addressed (for example by keeping their clients and servers in the same V-LAN).
Equipment/Server Concerns
• Each V-LAN will need its own DHCP scope, matching that V-LAN’s subnet, and the switch must relay DHCP requests to the server
• DNS must be reachable by every V-LAN, so every access list must permit it
• User applications cannot reside on a V-LAN that will be blocked: a server has to sit where the access lists let its users reach it
• You must know what is connected to every port on every switch
How Do I Begin?
Get details on your current setup: conduct an audit of the ports on your switches
Create a Switch Audit Form

Per switch: Switch Loc. | IP Address | Manuf/Mod # | Uplink Port

Port Information:

| Port # | Patch # | User Loc | User Name | Printers Used | VLAN # |
|--------|---------|----------|-----------|---------------|--------|
| 1      |         |          |           |               |        |
| 2      |         |          |           |               |        |
| 3      |         |          |           |               |        |
Set Up a Schedule
• Week 1 – Audit Bldg. 1
• Week 2 – Audit Bldg. 2
• Week 3 – Audit Bldg. 3
• Week 4 – Audit Bldg. 4
• Week 5 – Audit Bldg. 5
• Week 6 – Audit Bldg. 6
• Week 7 – Write Configuration & Access Lists; Select IP Addresses for Users
• Week 8 – Implementation
  Add V-LANs to main switch & DHCP Scopes
  Set all ports on all switches
  Test PCs & Printers
  Change IPs where needed
You have a new network!
Adhere to the schedule!!
How Do I Add V-LANs to the Switches?
• Add every V-LAN to the main switch
• Add to each switch the V-LANs it will need – with some manufacturers the secondary switches will automatically read the list from the main switch. On Cisco switches this is VTP (VLAN Trunking Protocol): switches in client mode take their V-LAN list from the server. Use it with care, because a switch joining the domain with a higher configuration revision number overwrites the V-LAN database on all the others; set a VTP password, or run the secondary switches in transparent mode and add their V-LANs by hand.
• Set each port to the correct V-LAN
Diagram: one Main Switch with the Secondary Switches uplinked to it
Main Switch contains all V-LANs
Secondary Switches contain the V-LANs they service
Set each port to the correct V-LAN
Sample Script for Main Switch

```
ena
config t
vlan 2
 name Building1Lab1
exit
vlan 3
 name Building1Lab2
exit
```

1. Add the V-LAN
2. Name the V-LAN
3. Exit that V-LAN
4. Add another V-LAN
Sample Script for Main Switch (continued)
5. Enter the V-LAN as an interface
6. Give a description to the V-LAN
7. Give an IP address to the V-LAN
8. Give the location of the DHCP server for the V-LAN (ip helper-address relays the clients’ DHCP broadcasts to that server)
9. Turn the V-LAN on

```
int vlan 1
 description Bus Lab
 ip address 172.16.1.1 255.255.255.0
 ip helper-address 10.9.3.102
 no shutdown
exit
int vlan 2
```

The IOS keyword is ip helper-address, with the hyphen. On a Catalyst Layer 3 switch these V-LAN interfaces only route between V-LANs once ip routing has been enabled in global configuration.
Remember . . .
• You must have a gateway IP address (the int vlan address) for every V-LAN
• You must have a DHCP scope for every V-LAN
About those IP Addresses
• You will need an addressing scheme for your new network
• Choose it carefully so your V-LANs will be easy to identify
• Use a private address block, or a combination of them (RFC 1918): 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16

About those IP Addresses
For convenience, subnet your address block so that one octet is the V-LAN number.
Ex – 10.1.0.0, 10.2.0.0 with mask 255.255.0.0; 172.16.1.0, 172.16.2.0 with mask 255.255.255.0
You would instantly know that the first device was on V-LAN 1 and the second device on V-LAN 2.
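The addressing scheme above and the "Sample Script for Main Switch" slides describe one procedure: pick the V-LAN number, derive its subnet and gateway from it, and write the vlan / int vlan commands. The script below is an added example, not code from the original slides. It encodes the V-LAN number in the third octet (172.16.<vlan>.0/24), uses the first host as the int vlan gateway, and emits the same IOS commands the slides show. The V-LAN names and the DHCP server 10.9.3.102 come from the slides; the rest of PLAN is assumed for illustration.

```python
"""Derive each V-LAN's subnet, gateway and DHCP scope from its number, and
emit the main-switch IOS script for it.

Added example; not code from the original slides.  Scheme: 172.16.<vlan>.0/24,
gateway = first host, DHCP relayed to 10.9.3.102 (from the slides).
"""
import ipaddress
from typing import Dict, Tuple

BASE = ipaddress.ip_network("172.16.0.0/16")   # private block used on the slides
DHCP_SERVER = "10.9.3.102"                     # ip helper-address target from the slides

# Constructed plan: V-LAN number -> (name, description).  V-LAN 1 is the
# default/administrative V-LAN; 2 and 3 are the slides' Building 1 labs;
# 50 is an assumed number for the "Internet Only" V-LAN for unused ports.
PLAN: Dict[int, Tuple[str, str]] = {
    1: ("default", "Administration"),
    2: ("Building1Lab1", "Building 1 Lab 1"),
    3: ("Building1Lab2", "Building 1 Lab 2"),
    50: ("InternetOnly", "Unused ports"),
}


def vlan_subnet(vlan_id: int) -> ipaddress.IPv4Network:
    """172.16.<vlan>.0/24: the third octet is the V-LAN number."""
    if not 1 <= vlan_id <= 255:
        raise ValueError(f"V-LAN {vlan_id} does not fit in one octet")
    return ipaddress.ip_network(f"172.16.{vlan_id}.0/24")


def gateway(vlan_id: int) -> ipaddress.IPv4Address:
    """The SVI ("int vlan") address: first usable host of the subnet."""
    return next(vlan_subnet(vlan_id).hosts())


def dhcp_scope(vlan_id: int) -> Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]:
    """Range the DHCP server should hand out: every host after the gateway."""
    hosts = list(vlan_subnet(vlan_id).hosts())
    return hosts[1], hosts[-1]


def vlan_for_address(addr: str) -> int:
    """Reverse lookup: the scheme lets you read the V-LAN off the address."""
    ip = ipaddress.ip_address(addr)
    if ip not in BASE:
        raise ValueError(f"{addr} is outside {BASE}")
    return (int(ip) >> 8) & 0xFF


def ios_config(plan: Dict[int, Tuple[str, str]] = PLAN,
               dhcp_server: str = DHCP_SERVER) -> str:
    """Main-switch script: create and name each V-LAN, then configure its SVI."""
    lines = ["ena", "config t", "ip routing"]   # SVIs route between V-LANs only with ip routing on
    for vid, (name, _) in sorted(plan.items()):
        if vid == 1:
            continue                            # V-LAN 1 always exists and keeps the name "default"
        lines += [f"vlan {vid}", f" name {name}", "exit"]
    for vid, (_, desc) in sorted(plan.items()):
        net = vlan_subnet(vid)
        lines += [
            f"int vlan {vid}",
            f" description {desc}",
            f" ip address {gateway(vid)} {net.netmask}",
            f" ip helper-address {dhcp_server}",   # relay DHCP broadcasts to the server
            " no shutdown",
            "exit",
        ]
    lines.append("end")
    return "\n".join(lines)


if __name__ == "__main__":
    print(ios_config())
```

Running it prints the complete script for the four V-LANs in PLAN; vlan_for_address is the "instantly know" check from the slide, and dhcp_scope gives the range to configure on the DHCP server for each V-LAN so that no V-LAN is left without a scope.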
Take it Slowly . . .
Set all your switches and test your new network
Give everyone full access until all the bugs have been fixed (keep this window short and announced: until the access lists are applied, the V-LANs only separate broadcast domains and restrict nothing)

When everything works, you’re ready to add the Security
Access Lists
• Access Lists are used for Security
• These lists block or allow users to reach servers or network addresses
• Users can be blocked completely – or by protocol
• Ex – Students can be blocked from accessing a server with Telnet
Access Lists
Specify the users you wish to block or allow by using a Wildcard Mask.
The mask is applied bit by bit: a 0 bit must match the address exactly, a 1 bit is ignored. With octet-aligned masks that reads as:
0 = match, 255 = ignore
Example:
172.16.2.0 0.0.0.255 – Ignore last octet
matches Addresses 172.16.2.0 – 172.16.2.255
The wildcard is the inverse of the subnet mask (0.0.0.255 goes with 255.255.255.0), and “host 10.0.0.1” is shorthand for 10.0.0.1 0.0.0.0.
Access Lists
Permit the services users will need – DNS, HTTP, etc.
Deny the services you want to block
Apply the Access List to the correct V-LANs
V-LANs without an Access List will have total access
Every access list ends with an implicit “deny ip any any”, so once a list is applied anything it does not explicitly permit is dropped. Permit DNS in every list, and check that the clients’ DHCP requests (UDP ports 67/68) still reach the helper address after the list goes on.
Access List Example

```
access-list 101 permit ip 172.16.0.0 0.0.255.255 host 10.0.0.1
access-list 101 deny ip 172.16.5.0 0.0.0.255 host 10.0.0.2
access-list 101 permit tcp 172.16.0.0 0.0.255.255 host 10.0.0.3 eq http
```

– permits all users (172.16.0.0/16) access to the Firewall (10.0.0.1)
– denies V-LAN #5 (172.16.5.0/24) access to the GroupWise Mail server (10.0.0.2)
– permits all hosts access to the web server (10.0.0.3), but only for HTTP

```
int vlan 5
 ip access-group 101 in
```

– applies access-list 101 to traffic entering the switch from V-LAN #5

Entries are checked in order and the first match wins; a packet that matches none of them hits the implicit deny at the end. With only these three lines, hosts on V-LAN #5 can reach nothing but the firewall and port 80 on the web server, so add permits for DNS and the other services they need before applying the list.
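To see how the wildcard-mask slide and the access-list example combine, here is an added example (not code from the original slides) that evaluates a Cisco-style extended access list the way the switch does: bitwise wildcard matching, first match wins, implicit deny at the end. The list is the deck’s access-list 101 with its firewall (10.0.0.1), GroupWise mail server (10.0.0.2) and web server (10.0.0.3); the test packets, the V-LAN 5 host 172.16.5.20 and the DNS server 10.0.0.53 are assumptions made for the example.

```python
"""Evaluate a Cisco-style extended access list against sample packets.

Added example; not code from the original slides.  Rules implemented:
wildcard masks are bitwise (0 bit = must match, 1 bit = ignored), entries
are tried in order and the first match wins, and an unmatched packet hits
the implicit "deny ip any any".  Server addresses come from the slides; the
packets and the DNS server 10.0.0.53 are assumed for this example.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

PORT_NAMES = {"http": 80, "www": 80, "domain": 53, "telnet": 23, "smtp": 25}
HOST_WC = "0.0.0.0"                     # "host a.b.c.d" expands to a.b.c.d 0.0.0.0
ANY = ("0.0.0.0", "255.255.255.255")    # "any" expands to 0.0.0.0 255.255.255.255


def to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: only bits that are 0 in the mask are compared."""
    care = ~to_int(wildcard) & 0xFFFFFFFF
    return (to_int(addr) & care) == (to_int(base) & care)


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                    # "tcp", "udp", "icmp", ...
    dport: Optional[int] = None


@dataclass
class Entry:
    action: str                   # "permit" or "deny"
    proto: str                    # "ip" matches every protocol
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    dport: Optional[int] = None   # "eq <port>" on the destination, if present

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        return (wildcard_match(pkt.src, self.src, self.src_wc)
                and wildcard_match(pkt.dst, self.dst, self.dst_wc))


def parse_entry(line: str) -> Entry:
    """Parse one 'access-list N action proto src dst [eq port]' line."""
    tok = line.split()
    if tok[0] != "access-list":
        raise ValueError(line)
    action, proto, i = tok[2], tok[3], 4

    def address():
        nonlocal i
        if tok[i] == "host":
            i += 2
            return tok[i - 1], HOST_WC
        if tok[i] == "any":
            i += 1
            return ANY
        i += 2
        return tok[i - 2], tok[i - 1]

    src, src_wc = address()
    dst, dst_wc = address()
    dport = None
    if i < len(tok) and tok[i] == "eq":
        dport = PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1])
    return Entry(action, proto, src, src_wc, dst, dst_wc, dport)


def evaluate(acl: List[Entry], pkt: Packet) -> str:
    """First matching entry decides; no match means the implicit deny."""
    for entry in acl:
        if entry.matches(pkt):
            return entry.action
    return "deny"


# The deck's access-list 101, exactly as written on the slides.
ACL_101 = [parse_entry(line) for line in (
    "access-list 101 permit ip 172.16.0.0 0.0.255.255 host 10.0.0.1",
    "access-list 101 deny ip 172.16.5.0 0.0.0.255 host 10.0.0.2",
    "access-list 101 permit tcp 172.16.0.0 0.0.255.255 host 10.0.0.3 eq http",
)]


def hardened_acl(dns_server: str = "10.0.0.53") -> List[Entry]:
    """The same list with the service every V-LAN needs (DNS) permitted up front."""
    dns = parse_entry(f"access-list 101 permit udp 172.16.0.0 0.0.255.255 host {dns_server} eq domain")
    return [dns] + ACL_101


if __name__ == "__main__":
    pc = "172.16.5.20"   # constructed host on V-LAN 5, where the list is applied inbound
    for pkt in (Packet(pc, "10.0.0.1", "tcp", 443), Packet(pc, "10.0.0.2", "tcp", 25),
                Packet(pc, "10.0.0.3", "tcp", 80), Packet(pc, "10.0.0.3", "tcp", 443),
                Packet(pc, "10.0.0.53", "udp", 53)):
        print(pkt, "slides:", evaluate(ACL_101, pkt), "hardened:", evaluate(hardened_acl(), pkt))
```

Two things the run makes visible that the slide text does not: the DNS lookup from V-LAN 5 is dropped by the slides’ list as written (implicit deny), which is what hardened_acl fixes, and the explicit deny on line 2 only changes anything when a later entry would otherwise permit that traffic; with this list, a host on any other V-LAN the same list is applied to is denied the mail server too.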
Enjoy Your New Network
• Security
• Multiple Broadcast Domains
• Easier Monitoring