Cisco S3C3 Virtual LANs


Why VLANs?

• You can define groupings of workstations even if they are separated by switches and sit on different LAN segments
  – They form one collision domain, one VLAN, and one broadcast domain
• Faster
• Logical

Typical LAN Configuration

• Configured according to the physical infrastructure
  – Users grouped based on location
  – A router interconnecting shared hubs typically provides segmentation and acts as a broadcast firewall
  – Does not group users according to their need for bandwidth

VLAN Introduction

• A group of ports or users can be placed in the same broadcast domain
• Membership can be based on port ID, MAC address, protocol, or application software
• LAN switches and network management software provide the mechanism to create VLANs
• Each frame is tagged with a VLAN ID

VLAN Characteristics

• Work at Layer 2 and Layer 3 of the OSI model
• Communication between VLANs is provided by Layer 3 routing
• VLANs provide a method of controlling network broadcasts
• The network administrator assigns users to a VLAN
• Can increase network security by defining which nodes may communicate with each other

VLAN Groups

• Coworkers in the same department
• Cross-functional product team
• Diverse user groups sharing the same network application or software
• Can be grouped on a single switch or on connected switches
• Can span single building infrastructures, interconnected buildings, or WANs

VLAN Transport Capabilities

• Remove physical boundaries between users
• Increase the configuration flexibility of a VLAN solution when users move
• Provide mechanisms for interoperability between backbone system components
• The backbone carries end-user VLAN information and identification between switches, routers, and attached servers

Routers and VLANs

• Routers traditionally provide firewalls, broadcast management, and route processing
• VLAN switches take on some of these tasks
• Routers still have to provide connected routes between different VLANs and connect to other network segments
• Layer 3 is still an integral part of a high-speed switching architecture
• Backbone connections can be ATM, Fast Ethernet, or others

ATM/Fast Ethernet Connections

• Increase throughput between switches and routers

• Consolidate overall number of physical router ports required for communication between VLANs

• VLAN architecture provides logical segmentation and can enhance the efficiency of a network

Frame Filtering

• A filtering table is developed for each switch
• Switches share address table information
• Table entries are compared with incoming frames
• The switch takes the appropriate action (forward or filter)

Frame Tagging

• Specifically developed for multi-VLAN, inter-switch communication
• Places a unique identifier in the header of each frame as it travels across the network backbone (vertical cabling)
• The identifier is removed before the frame exits the switch on non-backbone links (horizontal cabling)

VLAN Trends

• Rapid evolution
• Movement from workgroup to enterprise implementation
• Need for logical segmentation across the backbone
• Frame tagging gaining recognition as the standard trunking mechanism (IEEE 802.1Q)

Switch Intelligence

• Can make filtering and forwarding decisions frame by frame, based on VLAN metrics defined by network managers
• Can communicate information to other switches and routers within the network
• Rules defined by the administrator determine whether a frame is forwarded, filtered, or broadcast

VLAN Operations

• Each switch port can be assigned to a VLAN
• Ports assigned to the same VLAN share broadcasts
• VLANs can be port-centric, static, or dynamic

Port-Centric VLANs

• All nodes connected to ports in the same VLAN are assigned the same VLAN ID
  – Users assigned by port
  – Easily administered
  – Increased security between VLANs
  – Packets do not leak into other domains
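The Frame Tagging and Port-Centric VLAN slides above describe two mechanisms together: the switch adds an identifier to each frame on the backbone link and strips it on non-backbone links, and frames from a port in one VLAN never leak into another. The following is an added illustration written for this page, not code from the Cisco course: a small Python model of a VLAN-aware switch that inserts and removes an IEEE 802.1Q tag and floods only within the frame's own VLAN. The port numbers, MAC addresses, VLAN IDs, the isolated "low-service" VLAN 999 for unconfigured ports, and the absence of a native VLAN on the trunk are all assumptions made for the demo.

```python
import struct

# Added example (not from the Cisco slides): a minimal model of a VLAN-aware
# switch that tags frames with an IEEE 802.1Q header on the backbone (trunk)
# link and strips the tag on access ports. All frames, MAC addresses, ports
# and VLAN numbers below are constructed for the demo.

TPID_8021Q = 0x8100
BROADCAST = bytes.fromhex("ffffffffffff")


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    """Untagged Ethernet II frame: dst MAC, src MAC, EtherType, payload."""
    return dst + src + struct.pack("!H", ethertype) + payload


def push_tag(frame: bytes, vid: int, pcp: int = 0, dei: int = 0) -> bytes:
    """Insert an 802.1Q tag (TPID + TCI) after the source MAC: backbone direction."""
    tci = (pcp << 13) | (dei << 12) | (vid & 0x0FFF)
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def parse_tag(frame: bytes):
    """Return (vid, pcp, dei) if the frame carries an 802.1Q tag, else None."""
    if len(frame) < 16:
        return None
    tpid, tci = struct.unpack("!HH", frame[12:16])
    if tpid != TPID_8021Q:
        return None
    return (tci & 0x0FFF, tci >> 13, (tci >> 12) & 1)


def pop_tag(frame: bytes) -> bytes:
    """Remove the tag before the frame leaves on a non-backbone (access) link."""
    return frame if parse_tag(frame) is None else frame[:12] + frame[16:]


class Switch:
    # Assumed convention: ports nobody has configured sit in an isolated
    # "low-service" VLAN, so an unexpected station cannot reach a production VLAN.
    UNUSED_VLAN = 999

    def __init__(self, port_count: int):
        self.access = {p: self.UNUSED_VLAN for p in range(1, port_count + 1)}
        self.trunks = set()
        self.mac_table = {}  # (vid, mac) -> port; learned per VLAN

    def set_access(self, port: int, vid: int) -> None:
        self.access[port] = vid

    def set_trunk(self, port: int) -> None:
        self.access.pop(port, None)
        self.trunks.add(port)

    def receive(self, in_port: int, frame: bytes):
        """Forward one frame; return the list of (out_port, frame) emitted."""
        if in_port in self.trunks:
            tag = parse_tag(frame)
            if tag is None:
                return []  # no native VLAN in this model: untagged trunk frames are dropped
            vid, untagged = tag[0], pop_tag(frame)
        else:
            vid, untagged = self.access[in_port], frame
        dst, src = untagged[:6], untagged[6:12]
        self.mac_table[(vid, src)] = in_port
        known = self.mac_table.get((vid, dst))
        if dst != BROADCAST and known is not None:
            targets = [known]
        else:  # flood, but only to ports in the frame's own VLAN (plus trunks)
            targets = [p for p, v in self.access.items() if v == vid] + sorted(self.trunks)
        return [(p, push_tag(untagged, vid) if p in self.trunks else untagged)
                for p in targets if p != in_port]


def demo():
    """Constructed scenario: VLAN 10 on ports 1-2, VLAN 20 on port 3, trunk on port 8."""
    sw = Switch(8)
    sw.set_access(1, 10)
    sw.set_access(2, 10)
    sw.set_access(3, 20)
    sw.set_trunk(8)
    station_a = bytes.fromhex("020000000001")  # on port 1
    station_b = bytes.fromhex("020000000002")  # behind the trunk, on another switch
    bcast = build_frame(BROADCAST, station_a, 0x0806, bytes(28))
    flood = sw.receive(1, bcast)                     # ports 2 (untagged) and 8 (tagged VID 10)
    reply = build_frame(station_a, station_b, 0x0806, bytes(28))
    unicast = sw.receive(8, push_tag(reply, 10))     # learned: only port 1, tag stripped
    other_vlan = sw.receive(8, push_tag(reply, 20))  # same MAC in VLAN 20: stays out of VLAN 10
    return {"flood": flood, "unicast": unicast, "other_vlan": other_vlan}


if __name__ == "__main__":
    for name, out in demo().items():
        print(name, [(p, parse_tag(f)) for p, f in out])
```

Running the module prints which ports each constructed frame leaves on and whether it carries a tag. Note that the broadcast from port 1 never reaches port 3 (VLAN 20) or the unconfigured ports 4 to 7, which is exactly the "packets do not leak into other domains" property, and that a frame arriving on the trunk tagged with a different VLAN ID is kept out of VLAN 10 even though its destination MAC is known there.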

Static VLANs

• Ports on a switch are statically assigned to a VLAN
• Maintain the assigned VLAN configuration until changed
  – Secure
  – Easy to configure
  – Straightforward to monitor
  – Work well in networks in which moves are controlled and managed

Dynamic VLANs

• Ports on a switch that can automatically determine their VLAN assignment
• Assigned using a centralized VLAN management application
• Based on MAC address, logical address, or protocol type
• Less administration in the wiring closet
• Notification when an unrecognized user is added to the network

VLAN Facts

• 20% to 40% of the workforce moves each year
  – Can require re-cabling and readdressing
• VLANs provide a mechanism for controlling these changes and reducing cost
• VLANs are an improvement over typical LAN-based techniques
  – Require less rewiring, configuration, and debugging; router configuration is left intact

VLAN & Broadcasts

• Broadcast traffic can result from multimedia applications
• Broadcasts can bring down a network (broadcast storms)
• Firewalls segment the network
  – Assign switch ports or users to specific VLAN groups within single switches and across multiple switches

Network Security

• Segment the network into broadcast groups
  – Use router access lists based on
    • Station addresses
    • Application types
    • Protocol types
  – Restrict the number of users in a VLAN group
  – New users must be approved before being added
  – Configure all unused ports to default to a low-service VLAN
• Add control lists; restrict access by address, application, protocol, or time of day

Connecting Hub Segments

• Can save money by connecting existing hubs to switches

• Each hub segment connected to switch port can be assigned to only one VLAN

• Stations that share a hub must be in the same VLAN group