ch8.pdf
Document Details
Uploaded by ProdigiousQuantum
null
Tags
Full Transcript
JTO PH-II IT VLAN & Configuration 8 VLAN& CONFIGURATION 8.1 LEARNING OBJECTIVE In this chapter, we will understand the concept of VLAN i.e Virtual Local Area Network. VLAN is used to divide the single broadcast domai...
JTO PH-II IT VLAN & Configuration 8 VLAN& CONFIGURATION 8.1 LEARNING OBJECTIVE In this chapter, we will understand the concept of VLAN i.e Virtual Local Area Network. VLAN is used to divide the single broadcast domain to multiple broadcast domains. 8.2 INTRODUCTION A virtual LAN (VLAN) is any broadcast domain that is partitioned and isolated in a computer network at the data link layer (OSI layer 2). LAN is the abbreviation for local area network and in this context virtual refers to a physical object recreated and altered by additional logic. VLANs work by applying tags to network frames and handling these tags in networking systems – creating the appearance and functionality of network traffic that is physically on a single network but acts as if it is split between separate networks. In this way, VLANs can keep network applications separate despite being connected to the same physical network, and without requiring multiple sets of cabling and networking devices to be deployed. 8.3 VLAN IMPLEMENTATION To subdivide a network into VLANs, one configures network equipment. Simpler equipment might partition only each physical port (if even that), in which case each VLAN runs over a dedicated network cable. More sophisticated devices can mark frames through VLAN tagging, so that a single interconnect (trunk) may be used to transport data for multiple VLANs. Since VLANs share bandwidth, a VLAN trunk can use link aggregation, quality-of-service prioritization, or both to route data efficiently. VLANs address issues such as scalability, security, and network management. Network architects set up VLANs to provide network segmentation. Routers between VLANs filter broadcast traffic, enhance network security, perform address summarization, and mitigate network congestion. In a network utilizing broadcasts for service discovery, address assignment and resolution and other services, as the number of peers on a network grows, the frequency of broadcasts also increases. VLANs can help manage broadcast traffic by forming multiple broadcast domains. Breaking up a large network into smaller independent segments reduces the amount of broadcast traffic each network device and network segment has to bear. Switches may not bridge network traffic between VLANs, as doing so would violate the integrity of the VLAN broadcast domain. VLANs can also help create multiple layer 3 networks on a single physical infrastructure. VLANs are data link layer (OSI layer 2) constructs, analogous to Internet Protocol (IP) subnets, which are network layer (OSI layer 3) constructs. In an environment employing VLANs, a one-to-one relationship often exists between VLANs and IP subnets, although it is possible to have multiple subnets on one VLAN. JTO-PH-II IT Version Page 108 of 136 For Restricted Circulation OSPF Configuration – Normal/ Stub/ Totally Stub/ NSSA & RIP Redistribution Without VLAN capability, users are assigned to networks based on geography and are limited by physical topologies and distances. VLANs can logically group networks to decouple the users' network location from their physical location. By using VLANs, one can control traffic patterns and react quickly to employee or equipment relocations. VLANs provide the flexibility to adapt to changes in network requirements and allow for simplified administration VLANs can be used to partition a local network into several distinctive segments, for instance: Production Voice over IP Network management Storage area network (SAN) Guest Internet access Demilitarized zone (DMZ) A common infrastructure shared across VLAN trunks can provide a measure of security with great flexibility for a comparatively low cost. Quality of service schemes can optimize traffic on trunk links for real-time (e.g. VoIP) or low-latency requirements (e.g. SAN). However, VLANs as a security solution should be implemented with great care as they can be defeated unless implemented carefully. In cloud computing VLANs, IP addresses, and MAC addresses in the cloud are resources that end users can manage. To help mitigate security issues, placing cloud-based virtual machines on VLANs may be preferable to placing them directly on the Internet. Network technologies with VLAN capabilities include: Asynchronous Transfer Mode (ATM) Fiber Distributed Data Interface (FDDI) Ethernet HiperSockets InfiniBand After successful experiments with voice over Ethernet from 1981 to 1984, Dr. W. David Sincoskie joined Bellcore and began addressing the problem of scaling up Ethernet networks. At 10 Mbit/s, Ethernet was faster than most alternatives at the time. However, Ethernet was a broadcast network and there was no good way of connecting multiple Ethernet networks together. This limited the total bandwidth of an Ethernet network to 10 Mbit/s and the maximum distance between nodes to a few hundred feet. By contrast, although the existing telephone network's speed for individual connections was limited to 56 kbit/s (less than one hundredth of Ethernet's speed), the total bandwidth of that network was estimated at 1 Tbit/s (100,000 times greater than Ethernet). Although it was possible to use IP routing to connect multiple Ethernet networks together, it was expensive and relatively slow. Sincoskie started looking for alternatives that required less processing per packet. In the process, he independently reinvented transparent bridging, the technique used in modern Ethernet switches. However, using switches to connect multiple Ethernet networks in a fault-tolerant fashion requires redundant paths through that network, which in turn requires a spanning JTO-PH-II IT Version Page 109 of 136 For Restricted Circulation OSPF Configuration – Normal/ Stub/ Totally Stub/ NSSA & RIP Redistribution tree configuration. This ensures that there is only one active path from any source node to any destination on the network. This causes centrally located switches to become bottlenecks, limiting scalability as more networks are interconnected. To help alleviate this problem, Sincoskie invented VLANs by adding a tag to each Ethernet frame. These tags could be thought of as colors, say red, green, or blue. In this scheme, each switch could be assigned to handle frames of a single color, and ignore the rest. The networks could be interconnected with three spanning trees, one for each color. By sending a mix of different frame colors, the aggregate bandwidth could be improved. Sincoskie referred to this as a multitree bridge. He and Chase Cotton created and refined the algorithms necessary to make the system feasible. This color is what is now known in the Ethernet frame as the IEEE 802.1Q header, or the VLAN tag. While VLANs are commonly used in modern Ethernet networks, they are not used in the manner first envisioned here. In 1998, Ethernet VLANs were described in the first edition of the IEEE 802.1Q- 1998 standard. This was extended with IEEE 802.1ad to allow nested VLAN tags in service of provider bridging. This mechanism was improved with IEEE 802.1ah-2008. 8.4 CONFIGURATION AND DESIGN CONSIDERATIONS Early network designers often segmented physical LANs with the aim of reducing the size of the Ethernet collision domain—thus improving performance. When Ethernet switches made this a non-issue (because each switch port is a collision domain), attention turned to reducing the size of the data link layer broadcast domain. VLANs were first employed to separate several broadcast domains across one physical medium. A VLAN can also serve to restrict access to network resources without regard to physical topology of the network. VLANs operate at the data link layer of the OSI model. Administrators often configure a VLAN to map directly to an IP network, or subnet, which gives the appearance of involving the network layer. Generally, VLANs within the same organization will be assigned different non-overlapping network address ranges. This is not a requirement of VLANs. There is no issue with separate VLANs using identical overlapping address ranges (e.g. two VLANs each use the private network 192.168.0.0/16). However, it is not possible to route data between two networks with overlapping addresses without delicate IP remapping, so if the goal of VLANs is segmentation of a larger overall organizational network, non-overlapping addresses must be used in each separate VLAN. A basic switch that is not configured for VLANs has VLAN functionality disabled or permanently enabled with a default VLAN that contains all ports on the device as members. The default VLAN typically uses VLAN identifier 1. Every device connected to one of its ports can send packets to any of the others. Separating ports by VLAN groups separates their traffic very much like connecting each group using a distinct switch for each group. Remote management of the switch requires that the administrative functions be associated with one or more of the configured VLANs. JTO-PH-II IT Version Page 110 of 136 For Restricted Circulation OSPF Configuration – Normal/ Stub/ Totally Stub/ NSSA & RIP Redistribution In the context of VLANs, the term trunk denotes a network link carrying multiple VLANs, which are identified by labels (or tags) inserted into their packets. Such trunks must run between tagged ports of VLAN-aware devices, so they are often switch-to- switch or switch-to-router links rather than links to hosts. (Note that the term 'trunk' is also used for what Cisco calls "channels" : Link Aggregation or Port Trunking). A router (Layer 3 device) serves as the backbone for network traffic going across different VLANs. It is only when the VLAN port group is to extend to another device that tagging is used. Since communications between ports on two different switches travel via the uplink ports of each switch involved, every VLAN containing such ports must also contain the uplink port of each switch involved, and traffic through these ports must be tagged. Switches typically have no built-in method to indicate VLAN to port associations to someone working in a wiring closet. It is necessary for a technician to either have administrative access to the device to view its configuration, or for VLAN port assignment charts or diagrams to be kept next to the switches in each wiring closet. 8.5 PROTOCOLS AND DESIGN The protocol most commonly used today to support VLANs is IEEE 802.1Q. The IEEE 802.1 working group defined this method of multiplexing VLANs in an effort to provide multivendor VLAN support. Prior to the introduction of the 802.1Q standard, several proprietary protocols existed, such as Cisco Inter-Switch Link (ISL) and 3Com's Virtual LAN Trunk (VLT). Cisco also implemented VLANs over FDDI by carrying VLAN information in an IEEE 802.10 frame header, contrary to the purpose of the IEEE 802.10 standard.Both ISL and IEEE 802.1Q tagging perform explicit tagging – the frame itself is tagged with VLAN information. ISL uses an external tagging process that does not modify the Ethernet frame, while 802.1Q uses a frame-internal field for tagging, and therefore does modify the basic Ethernet frame structure. This internal tagging allows IEEE 802.1Q to work on both access and trunk links using standard Ethernet hardware. 8.5.1 IEEE 802.1Q Under IEEE 802.1Q, the maximum number of VLANs on a given Ethernet network is 4,094 (4,096 values provided by the 12-bit VID field minus reserved values at each end of the range, 0 and 4,095). This does not impose the same limit on the number of IP subnets in such a network since a single VLAN can contain multiple IP subnets. IEEE 802.1ad extends the number of VLANs supported by adding support for multiple, nested VLAN tags. IEEE 802.1aq (Shortest Path Bridging) expands the VLAN limit to 16 million. Both improvements have been incorporated into the IEEE 802.1Q standard. 8.5.2 CISCO INTER-SWITCH LINK Inter-Switch Link (ISL) is a Cisco proprietary protocol used to interconnect switches and maintain VLAN information as traffic travels between switches on trunk links. ISL is provided as an alternative to IEEE 802.1Q. ISL is available only on some Cisco equipment and has been deprecated. JTO-PH-II IT Version Page 111 of 136 For Restricted Circulation OSPF Configuration – Normal/ Stub/ Totally Stub/ NSSA & RIP Redistribution 8.5.3 CISCO VLAN TRUNKING PROTOCOL VLAN Trunking Protocol (VTP) is a Cisco proprietary protocol that propagates the definition of VLANs on the whole local area network. VTP is available on most of the Cisco Catalyst Family products. The comparable IEEE standard in use by other manufacturers is GARP VLAN Registration Protocol (GVRP) or the more recent Multiple VLAN Registration Protocol (MVRP). 8.5.4 MULTIPLE VLAN REGISTRATION PROTOCOL Multiple VLAN Registration Protocol is an application of Multiple Registration Protocol that allows automatic configuration of VLAN information on network switches. Specifically, it provides a method to dynamically share VLAN information and configure the needed VLANs. 8.6 MEMBERSHIP VLAN membership can be established either statically or dynamically. Static VLANs are also referred to as port-based VLANs. Static VLAN assignments are created by assigning ports to a VLAN. As a device enters the network, the device automatically assumes the VLAN of the port. If the user changes ports and needs access to the same VLAN, the network administrator must manually make a port-to- VLAN assignment for the new connection. Dynamic VLANs are created using software or by protocol. With a VLAN Management Policy Server (VMPS), an administrator can assign switch ports to VLANs dynamically based on information such as the source MAC address of the device connected to the port or the username used to log onto that device. As a device enters the network, the switch queries a database for the VLAN membership of the port that device is connected to. Protocol methods include Multiple VLAN Registration Protocol (MVRP) and the somewhat obsolete GARP VLAN Registration Protocol (GVRP). In a switch that supports protocol-based VLANs, traffic may be handled on the basis of its protocol. Essentially, this segregates or forwards traffic from a port depending on the particular protocol of that traffic; traffic of any other protocol is not forwarded on the port. This allows, for example, IP and IPX traffic to be automatically segregated by the network. VLAN cross connect (CC or VLAN-XC) is a mechanism used to create Switched VLANs, VLAN CC uses IEEE 802.1ad frames where the S Tag is used as a Label as in MPLS. IEEE approves the use of such a mechanism in part 6.11 of IEEE 802.1ad-2005. 8.7 VLAN CONFIGURATION Login to the switch with console. Type the commands JTO-PH-II IT Version Page 112 of 136 For Restricted Circulation OSPF Configuration – Normal/ Stub/ Totally Stub/ NSSA & RIP Redistribution Switch#configure terminal Switch(config)#vlan 2 // Creating a vlan // Switch(config-vlan)#name CSC // Naming a vlan // Switch(config-vlan)#exit Switch(config)#interface fastEthernet 0/14 // Configuring fa 0/14 as access port// Switch(config-if)#switchport mode access Switch(config-if)#switchport access vlan 2 // Assigning vlan 2 for port 14// Switch(config-if)#exit Switch(config)#int range fastEthernet 0/15-16 // configuring multiple ports for vlan // Switch(config-if-range)#switchport mode access Switch(config-if-range)#switchport access vlan 2 // Assigning vlan 2 for multiple ports // Switch(config-if-range)#exit 8.7.1 VERIFYING VLANS Switch#showvlan brief VLAN Name Status Ports ---- -------------------------------- --------- ------------------------------- 1 default active Fa0/1, Fa0/2, Fa0/3, Fa0/4 Fa0/5, Fa0/6, Fa0/7, Fa0/8 Fa0/9, Fa0/10, Fa0/11, Fa0/12 Fa0/13, Fa0/17, Fa0/18, Fa0/19 Fa0/20, Fa0/21, Fa0/22, Fa0/23 Fa0/24, Gig0/1, Gig0/2 2 CSC active Fa0/14, Fa0/15, Fa0/16 1002 fddi-default active 1003 token-ring-default active 1004 fddinet-default active 1005 trnet-default active Shorter vlan configuration Switch(config)# Switch(config)#int range fastEthernet 0/20-23 Switch(config-if-range)#switchport access vlan 3 % Access VLAN does not exist. Creating vlan 3 Switch(config-if-range)#end Switch#wr // saving the configuration// Building configuration... [OK] Verify JTO-PH-II IT Version Page 113 of 136 For Restricted Circulation OSPF Configuration – Normal/ Stub/ Totally Stub/ NSSA & RIP Redistribution Switch#showvlan brief VLAN Name Status Ports ---- -------------------------------- --------- ------------------------------- 1 default active Fa0/1, Fa0/2, Fa0/3, Fa0/4 Fa0/5, Fa0/6, Fa0/7, Fa0/8 Fa0/9, Fa0/10, Fa0/11,Fa0/12 Fa0/13, Fa0/17, Fa0/18, Fa0/19 Fa0/24, Gig0/1, Gig0/2 2 CSC active Fa0/14, Fa0/15, Fa0/16 3 VLAN3 active Fa0/20, Fa0/21, Fa0/22, Fa0/23 1002 fddi-default active 1003 token-ring-default active 1004 fddinet-default active 1005 trnet-default active Switch(config)#no vlan 2 // removing a vlan// Configuring Voice and Data vlan on ports Connected to phones. Switch#configure terminal Switch(config)#vlan 10 Switch(config-vlan)#vlan 11 Switch(config-vlan)#exit Switch(config)#interface range fastEthernet 0/1-4 Switch(config-if-range)#switchport mode access Switch(config-if-range)#switchport access vlan 10 JTO-PH-II IT Version Page 114 of 136 For Restricted Circulation OSPF Configuration – Normal/ Stub/ Totally Stub/ NSSA & RIP Redistribution Switch(config-if-range)#switchport voice vlan 11 Switch(config-if-range)#end Switch#wr Verification Switch#showvlan brief VLAN Name Status Ports ---- -------------------------------- --------- ------------------------------- 1 default active Fa0/5, Fa0/6, Fa0/7, Fa0/8 Fa0/9, Fa0/10, Fa0/11, Fa0/12 Fa0/13, Fa0/14, Fa0/15, Fa0/16 Fa0/17, Fa0/18, Fa0/19, Fa0/20 Fa0/21, Fa0/22, Fa0/23, Fa0/24 Gig0/1, Gig0/2 10 VLAN0010 active Fa0/1, Fa0/2, Fa0/3, Fa0/4 11 VLAN0011 active 1002 fddi-default active 1003 token-ring-default active 1004 fddinet-default active 1005 trnet-default active Switch# Switch#show interface fa0/4 switchport Name: Fa0/4 Switchport: Enabled Administrative Mode: static access Operational Mode: static access Administrative Trunking Encapsulation: dot1q Operational Trunking Encapsulation: native Negotiation of Trunking: Off Access Mode VLAN: 10 (VLAN0010) Trunking Native Mode VLAN: 1 (default) Voice VLAN: 11 Administrative private-vlan host-association: none Administrative private-vlan mapping: none Administrative private-vlan trunk native VLAN: none Administrative private-vlan trunk encapsulation: dot1q Administrative private-vlan trunk normal VLANs: none Administrative private-vlan trunk private VLANs: none Operational private-vlan: none Trunking VLANs Enabled: ALL Pruning VLANs Enabled: 2-1001 Capture Mode Disabled Capture VLANs Allowed: ALL Protected: false Appliance trust: none JTO-PH-II IT Version Page 115 of 136 For Restricted Circulation OSPF Configuration – Normal/ Stub/ Totally Stub/ NSSA & RIP Redistribution 8.8 CONCLUSION VLANs operate at the data link layer of the OSI model. Administrators often configure a VLAN to map directly to an IP network, or subnet, which gives the appearance of involving the network layer. Generally, VLANs within the same organization will be assigned different non-overlapping network address ranges. This is not a requirement of VLANs. There is no issue with separate VLANs using identical overlapping address ranges (e.g. two VLANs each use the private network 192.168.0.0/16). However, it is not possible to route data between two networks with overlapping addresses without delicate IP remapping, so if the goal of VLANs is segmentation of a larger overall organizational network, non-overlapping addresses must be used in each separate VLAN. JTO-PH-II IT Version Page 116 of 136 For Restricted Circulation