sem 3 chapt 3 vlan use this for class
8/3/2019 Sem 3 Chapt 3 VLAN Use This for Class
-
Chapter 3VLANs
Cisco Networking Academy Program
@TSTC-Waco
-
VLAN Overview
-
Differences Between Traditional Switched LANs and VLANs
VLANs...
work at Layer 2 & 3
control network broadcasts
allow users to be assigned by the net admin.
provide tighter network security.
How?
-
VLANs
Logical grouping of devices or users
Configuration done at the switch via software
Not standardized: proprietary software from vendor
-
VLANs
Logically segment the physical LAN infrastructure into different subnets (or broadcast domains for Ethernet)
-
Differences Between Traditional Switched LAN and VLANs
VLANs work at Layer 2 and Layer 3 of OSI
Communications between VLANs are done by routers
VLANs provide a method of controlling network broadcasts
Administrators assign users to VLANs
VLANs increase network security: they define who can communicate with whom
Group switch ports and their connected users into logically defined workgroups
-
Transport of VLANs Across the Backbone
Ability to transport VLAN information between interconnected switches and routers that reside on the backbone
Remove physical boundaries between users
Increase configuration flexibility as users move
Provide a mechanism for interoperability between backbone components
-
VLAN Transportation
The backbone commonly acts as the collection point for large volumes of traffic
Carries end-user information and VLAN ID between switches, routers and directly attached servers
-
Routers in the VLAN
Traditionally provide firewalls, broadcast management, etc.
Provide connected routes between different VLANs
Cost-effectively integrate external routers into the switching architecture by using one or more high-speed backbone connections like Fast Ethernet or ATM, thereby:
Increasing the throughput between switches and routers
Consolidating the number of physical router ports required for communication between VLANs
-
VLANs Across the Backbone
VLAN configuration needs to support backbone transport of data between interconnected routers and switches.
The backbone is the area used for inter-VLAN communication.
The backbone should be high-speed links, typically 100Mbps or greater.
-
Router's Role in a VLAN
A router provides the connection between different VLANs
For example, you have VLAN1 and VLAN2.
Within the switch, users on separate VLANs cannot talk to each other (benefit of a VLAN!)
However, users on VLAN1 can email users on VLAN2, but they need a router to do it.
-
Frame Use in the VLAN
Switches are the core component of VLAN communication
Each switch makes forwarding and filtering decisions based on the frame
Based on VLAN metrics
Approaches for logically grouping users into distinct VLANs:
Frame filtering
Frame tagging (identification)
-
VLAN
Switches make filtering and forwarding decisions based on data in the frame.
There are two techniques used.
Frame Filtering--examines particular information about each frame (MAC address or layer 3 protocol type)
Frame Tagging--places a unique identifier in the header of each frame as it is forwarded throughout the network backbone.
-
Frame Filtering
-
Frame Tagging
Uniquely assigns a VLAN ID to each frame
VLAN IDs are assigned by the switch administrator
Chosen by IEEE for its scalability
Gaining recognition as the standard trunking mechanism
IEEE 802.1Q states that frame tagging is the way to implement VLANs
-
More on Frame Tagging
Frame Tagging...
is specified by IEEE 802.1Q, which states frame tagging is the preferred way to implement VLANs
uniquely assigns a VLAN ID to each frame before it is forwarded across the backbone.
is understood by switches prior to any broadcasts or transmission to other switches or routers
places a tag in the frame...thus, frame tagging. So what layer?
is removed by the switch after the frame exits the backbone and before the frame is forwarded to the end station
-
Frame Tagging Continued
Places a unique identifier in the header of each frame as it is forwarded throughout the network
When the frame exits the network backbone, the switch removes the identifier before the frame is transmitted to its target
Frame identification functions at Layer 2 and requires little administrative overhead
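As an added worked example (not from the slides or the Cisco Academy material), the Python below shows what frame tagging does to the actual bits: the 4-byte IEEE 802.1Q tag (TPID 0x8100, then a 3-bit priority, 1-bit DEI and 12-bit VLAN ID) is inserted right after the source MAC when a frame enters the backbone, and stripped again before the frame is handed to the end station, which is why the whole mechanism stays at Layer 2. The MAC addresses, VLAN number and payload are constructed sample values.

```python
"""Added example, not part of the slides: inserting, reading and removing
an IEEE 802.1Q VLAN tag.  Frame contents are constructed sample values."""
import struct

TPID_8021Q = 0x8100   # Tag Protocol Identifier: marks the frame as 802.1Q tagged


def build_untagged_frame(dst_mac: bytes, src_mac: bytes, ethertype: int, payload: bytes) -> bytes:
    """Plain Ethernet II frame: dst(6) | src(6) | EtherType(2) | payload."""
    return dst_mac + src_mac + struct.pack("!H", ethertype) + payload


def tag_frame(frame: bytes, vlan_id: int, priority: int = 0) -> bytes:
    """Insert the 4-byte 802.1Q tag after the source MAC, as a switch does when
    it forwards an access-port frame onto a backbone trunk.  Only the Layer 2
    header changes; the payload is untouched."""
    if not 1 <= vlan_id <= 4094:          # VID 0 and 4095 are reserved by 802.1Q
        raise ValueError("VLAN ID out of range")
    if not 0 <= priority <= 7:
        raise ValueError("priority is a 3-bit field")
    tci = (priority << 13) | vlan_id      # PCP(3 bits) | DEI(1 bit, 0 here) | VID(12 bits)
    tag = struct.pack("!HH", TPID_8021Q, tci)
    return frame[:12] + tag + frame[12:]


def parse_frame(frame: bytes) -> dict:
    """Decode the Ethernet header; vlan_id is None when the frame is untagged."""
    dst, src = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == TPID_8021Q:
        tci = struct.unpack("!H", frame[14:16])[0]
        return {
            "dst": dst, "src": src,
            "vlan_id": tci & 0x0FFF,      # low 12 bits
            "priority": tci >> 13,        # top 3 bits
            "ethertype": struct.unpack("!H", frame[16:18])[0],
            "payload": frame[18:],
        }
    return {"dst": dst, "src": src, "vlan_id": None, "priority": None,
            "ethertype": ethertype, "payload": frame[14:]}


def untag_frame(frame: bytes) -> bytes:
    """Strip the tag before delivery to an access port / end station.
    Untagged frames pass through unchanged."""
    if struct.unpack("!H", frame[12:14])[0] != TPID_8021Q:
        return frame
    return frame[:12] + frame[16:]


def mac(text: str) -> bytes:
    """'00:11:22:33:44:55' -> 6 raw bytes."""
    return bytes.fromhex(text.replace(":", ""))


if __name__ == "__main__":
    # Constructed sample: a broadcast ARP frame from a station in VLAN 10.
    plain = build_untagged_frame(mac("ff:ff:ff:ff:ff:ff"), mac("00:11:22:33:44:55"),
                                 0x0806, b"\x00\x01" * 23)
    tagged = tag_frame(plain, vlan_id=10, priority=3)
    print(parse_frame(tagged))                # vlan_id 10, priority 3, ethertype 0x0806
    print(untag_frame(tagged) == plain)       # True: the end station sees the original frame
```

The round trip at the bottom is the point of the slide: the tag exists only between the ingress and egress switches, so the end stations never have to understand 802.1Q.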
-
Ports, VLANs and Broadcasts
VLANs make up a switched network that is logically segmented
Ports assigned to the same VLAN share broadcasts
Two VLAN implementations:
Static
Dynamic
-
Static VLANs
Ports on the switch are statically assigned to a VLAN
Require the administrator to make changes
Secure
Easy to configure
Straightforward to monitor
Work well in networks in which moves are controlled and managed
-
Static VLANs
Defined
Static VLANs are when ports on a switch are administratively assigned to a VLAN
Benefits
can be assigned by port, address, or protocol type
secure, easy to configure and monitor
works well in networks where moves are controlled
-
STATIC VLANs
-
Dynamic VLANs
Ports on the switch automatically determine their VLAN assignments
Based on MAC addresses, logical addressing or protocol type of the data packet
Less administration within the wiring closet when a user moves or a new one is added
Centralized notification when an unrecognized user is added to the network
More administration is required to initially set up the database within the VLAN management software (VMPS)
-
Dynamic VLANs
Defined
Switch ports can automatically determine a user's VLAN assignment based on either/or:
MAC
logical address
When a station is initially connected to an unassigned port, the switch checks an entry in the table and dynamically configures the port with the right VLAN
Benefits
less administration (more up front) when users are added or move
centralized notification of an unauthorized user
-
Dynamic VLANs
-
VLAN Additions, Moves and Changes
Companies are continually reorganizing
These moves/changes are network managers' biggest headaches and one of the largest expenses related to managing a network
VLANs provide effective measures for controlling changes and reducing costs
Users in a VLAN can share the same network address space, i.e. IP subnet
VLANs require less rewiring, configuration and debugging
-
Movement of Users
-
VLANs Help Control Broadcast Activity
The most effective measure is to properly segment with firewalls that help prevent problems on one segment from damaging other parts of the network
Firewall segmentation provides reliability and minimizes overhead broadcast traffic
With no routers between switches, broadcasts (layer 2) are sent to every switched port; this is referred to as a FLAT network (one broadcast domain across the whole network)
Flat Network
Provides low latency & high throughput
Easy to administer
-
VLANs Controlling Broadcast Activity
FLAT Network Disadvantages
Increases vulnerability to broadcast traffic across all switches, ports, backbone links and users
VLANs effectively extend firewalls from routers to the switch fabric, protecting against potentially dangerous broadcast problems
Creating firewalls
Assign switch ports or users to specific VLAN groups, both within single switches and across multiple connected switches
-
VLANs and Broadcast Activity
-
VLANs Control Broadcasts
Routers provide an effective firewall against broadcasts
Adding VLANs can extend a router's firewall capabilities to the switch fabric
The smaller the VLAN, the smaller the number of users that are affected by broadcasts
-
How do VLANs Improve Network Security
Restrict the number of users in a VLAN group
Prevent another user from joining without first receiving approval from the VLAN network management application
Configure all unused ports to a default low-service VLAN
-
VLANs Improve Security
Shared LANs are easy to penetrate...simply plug into the shared hub.
VLANs increase security by ...
restricting the number of users in a VLAN
preventing user access without authorization
configuring all unused ports to the Disabled setting
controlling access by
addresses
application types
protocol types
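Added example, not part of the slides or the Cisco Academy material: a small Python model of a switch's port-to-VLAN table that ties together the static and dynamic VLAN slides and the security bullets above. It shows a broadcast flooding only to ports in the same VLAN, a dynamic port looking the station's MAC up in an administrator-built VMPS-style table and raising a centralized notification for an unrecognized MAC, and unused ports either parked in a low-service VLAN or disabled so that they never share a broadcast domain with user ports. Port names, MAC addresses, VLAN numbers and the parking VLAN 999 are all constructed assumptions.

```python
"""Added example, not part of the slides: a toy switch that resolves a port's
VLAN (static, dynamic/VMPS-style, or unused) and floods broadcasts only within
that VLAN.  All names, MACs and VLAN numbers are constructed sample values."""
from dataclasses import dataclass, field
from typing import Optional

PARKING_VLAN = 999   # assumption: a "low-service" VLAN with no users and no router


@dataclass
class Port:
    name: str
    mode: str                       # "static", "dynamic" or "disabled"
    vlan: Optional[int] = None      # static: fixed; dynamic: learned; disabled: None
    enabled: bool = True


@dataclass
class Switch:
    ports: dict = field(default_factory=dict)
    # VMPS-style database the administrator fills in up front: MAC -> VLAN
    mac_to_vlan: dict = field(default_factory=dict)
    alerts: list = field(default_factory=list)   # "centralized notification"

    def add_static_port(self, name: str, vlan: int) -> None:
        self.ports[name] = Port(name, "static", vlan)

    def add_dynamic_port(self, name: str) -> None:
        self.ports[name] = Port(name, "dynamic")

    def add_unused_port(self, name: str, disable: bool = False) -> None:
        # Slide guidance: unused ports go to a default low-service VLAN,
        # or to the Disabled setting.
        if disable:
            self.ports[name] = Port(name, "disabled", None, enabled=False)
        else:
            self.ports[name] = Port(name, "static", PARKING_VLAN)

    def station_connects(self, port_name: str, src_mac: str) -> Optional[int]:
        """Return the VLAN a frame from src_mac on port_name belongs to, or None."""
        port = self.ports[port_name]
        if not port.enabled:
            self.alerts.append(f"{port_name}: frame from {src_mac} on disabled port dropped")
            return None
        if port.mode == "dynamic":
            vlan = self.mac_to_vlan.get(src_mac)
            if vlan is None:
                # unrecognized station: notify and leave the port unassigned
                self.alerts.append(f"{port_name}: unknown MAC {src_mac}, no VLAN assigned")
                port.vlan = None
                return None
            port.vlan = vlan   # port is dynamically configured with the right VLAN
        return port.vlan

    def broadcast(self, ingress: str, src_mac: str) -> list:
        """Ports a broadcast from ingress/src_mac is flooded to: same VLAN only."""
        vlan = self.station_connects(ingress, src_mac)
        if vlan is None:
            return []
        return sorted(p.name for p in self.ports.values()
                      if p.enabled and p.vlan == vlan and p.name != ingress)


def build_sample_switch() -> Switch:
    """Constructed sample: two static VLANs, one dynamic port, two unused ports."""
    sw = Switch()
    sw.mac_to_vlan = {"00:aa:00:00:00:01": 10, "00:aa:00:00:00:02": 20}
    sw.add_static_port("Fa0/1", 10)
    sw.add_static_port("Fa0/2", 10)
    sw.add_static_port("Fa0/3", 20)
    sw.add_dynamic_port("Fa0/4")
    sw.add_unused_port("Fa0/5")                 # parked in the low-service VLAN
    sw.add_unused_port("Fa0/6", disable=True)   # or shut down outright
    return sw


if __name__ == "__main__":
    sw = build_sample_switch()
    print(sw.broadcast("Fa0/1", "00:aa:00:00:00:09"))   # ['Fa0/2']: VLAN 10 only
    print(sw.broadcast("Fa0/4", "00:aa:00:00:00:02"))   # ['Fa0/3']: port learned VLAN 20
    print(sw.broadcast("Fa0/4", "00:aa:00:00:00:ff"))   # []: unknown station, alert raised
    print(sw.broadcast("Fa0/5", "00:aa:00:00:00:ee"))   # []: parked VLAN has no peers
    print(sw.alerts)
```

The two unused-port styles are both on the slides; the model makes the difference visible: a parked port still accepts frames but has nobody to flood them to, while a disabled port drops the frame and logs it. Either way a stranger plugging into a spare port gets no reach into VLAN 10 or 20.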
-
Tightening Network Security
-
VLANs Save Money
Connect existing HUBS to switches
Each hub segment connected to a switch can be assigned only ONE VLAN
Stations that share a hub segment are in the same VLAN
If a station needs to be assigned a new VLAN, that station must move to the new hub with the appropriate VLAN