Cisco S3C3 Virtual LANS
Why VLANs? You can define groupings of workstations even if separated by switches and on different LAN segments –They are one collision domain, one VLAN, and one broadcast domain Faster Logical
Typical LAN Configuration Configured according to physical infrastructure –Users grouped based on location –Router interconnecting shared hubs typically provides segmentation and acts as broadcast firewall –Does not group users according to need for bandwidth
VLAN Introduction Group of ports or users can be in same broadcast domain Can be based on port ID, MAC address, protocol, or application software LAN switches and network management software provide mechanism to create VLANS Frame tagged with VLAN ID
VLAN Characteristics Work at Layer 2 and Layer 3 of OSI model Communications between VLANS is provided by Layer 3 routing VLANs provide a method of controlling network broadcasts Network administrator assigns users to VLAN Can increase network security by defining communication between nodes
VLAN Groups Coworkers in same department Cross-functional product team Diverse user groups sharing same network application or software Can be grouped on a single switch or on connected switches Can span single building infrastructures, interconnected buildings, or WANS
VLAN Transport Capabilities Remove physical boundaries between users Increase configuration flexibility of a VLAN solution when users move Provide mechanisms for interoperability between backbone system components Backbone carries end-user VLAN information and identification between switches, routers, and attached servers
Routers and VLANs Routers traditionally provide firewalls, broadcast management, and route processing VLAN switches take on some of these tasks Routers still have to provide connected routes between different VLANS and connect to other network segments Layer 3 is still integral part of high switching architecture Backbone connections can be ATM, Fast Ethernet, others
ATM/Fast Ethernet Connections Increase throughput between switches and routers Consolidate overall number of physical router ports required for communication between VLANs VLAN architecture provides logical segmentation and can enhance efficiency of a network
Frame Filtering Filtering table is developed for each switch Switches share address table information Table entries are compared with the frames Switch takes appropriate action
Frame Tagging Specifically developed for multi-VLAN, inter-switched communicators Places unique identifier in header of each frame as it travels across network backbone (vertical cabling) Identifier removed before frame exits switch on non-backbone links (horizontal cabling)
VLAN Trends Rapid evolution Movement from workgroup to enterprise implementation Need for logical segmentation across the backbone Frame tagging gaining recognition as the standard trunking mechanism (IEEE 802.1q)
Switch Intelligence Can make filtering and forwarding decisions by frame, based on VLAN metrics defined by network managers Can communicate information to other switches and routers within network Rules defined by administrator determine where frame is to be sent, filtered, or broadcasted
VLAN Operations Each switch port can be assigned to a VLAN Ports assigned to same VLAN share broadcast VLANs are port-centric, static, and dynamic
Port-Centric VLANS All nodes connected to ports in same VLAN are assigned to same VLAN ID –Users assigned by port –Easily administered –Increased security between VLANs –Packets do not leak into other domains
Static VLANs Ports on switch statically assigned to VLAN Maintain assigned VLAN configuration until changed –Secure –Easy to configure –Straightforward to monitor –Work well in networks in which moves are controlled and managed
Dynamic VLANs Ports on switch than can automatically determine VLAN assignment Assigned using centralized VLAN management application Based on MAC address, logical address, or protocol type Less administration in wiring closet Notification when unrecognized user is added to network
VLAN Facts 20% to 40% of workforce moves each year –Can require re-cabling, readdressing VLANs provide mechanism for controlling these changes and reducing cost VLANs are improvement over typical LAN-based techniques –Require less rewiring, configuration and debugging; router configuration left intact
VLAN & Broadcasts Broadcast traffic can result from multimedia applications Broadcasts can bring down network (storms) Firewalls segment network –Assign switch ports or users to specific VLAN groups within single switches and across multiple switches
Network Security Segment network into broadcast groups –Use router access lists based on Station addresses Application types Protocol types –Restrict number of users in VLAN group –New users must review approval –Configure all unused ports to default to low-service VLAN Add control lists; restrict access by address, application, protocol, or time of day
Connecting Hub Segments Can save money by connecting existing hubs to switches Each hub segment connected to switch port can be assigned to only one VLAN Stations that share a hub must be in same VLAN group