
Cabrillo College

Cabrillo College. CCNP – Multilayer Switching Introduction to VLANs Rick Graziani, Instructor March 27, 2001. VLANs. Switched networks that are logically segmented on an organizational basis by functions, project teams, or applications rather than on a physical or geographical basis.


Presentation Transcript


  1. Cabrillo College CCNP – Multilayer Switching Introduction to VLANs Rick Graziani, Instructor March 27, 2001

  2. VLANs • Switched networks that are logically segmented on an organizational basis by functions, project teams, or applications rather than on a physical or geographical basis

  3. VLANs • Can be thought of as a broadcast domain that exists within a defined set of switches • Provide the segmentation services traditionally provided by routers • Offer scalability, security, and improved network management • Routers in VLAN topologies provide broadcast filtering, security, address summarization, and traffic flow management.

  4. VLANs What are the issues if these were only separate subnets and not vlans? To solve this problem, normally the router would only be attached to one subnet and the hosts on physically separate subnets, in order to divide the broadcast domains.

  5. VLANs

  6. VLANs are secure • Whenever a station transmits in a shared network such as a legacy half-duplex 10BaseT system, all stations attached to the segment receive a copy of the frame, even if they are not the intended recipients. • Anyone with such a network sniffer can capture passwords, sensitive e-mail, and any other traffic on the shared network.

  7. VLANs are secure - Switches • Switches allow for microsegmentation • Each user that connects directly to a switch port is on his or her own segment. • If every device has its own segment (switchport) then only the sender and receiver will “see” unicast traffic, unless the switch has to flood the unicast traffic for that vlan. • More in a moment! • VLANs contain broadcast traffic • Only users on the same VLAN will see broadcasts

  8. Side Note - Transparent Bridging • Transparent bridging (the normal switching process) is defined in IEEE 802.1d, which describes the five bridging processes of: • learning • flooding • filtering • forwarding • aging • These will be discussed further in STP

  9. Transparent Bridge Process - Jeff Doyle
     Receive packet
     -> Learn source address or refresh aging timer
     -> Is the destination a broadcast, multicast or unknown unicast?
          Yes -> Flood packet
          No  -> Are the source and destination on the same interface?
                   Yes -> Filter packet
                   No  -> Forward unicast to correct port

  10. Transparent Bridging • Switches will flood unicast traffic out all ports if they do not have the destination MAC address in the source address table. • This is especially true for large flat networks where switches cannot hold all of the MAC addresses. • The MAC address table can hold anywhere from 1,024 (or fewer) to more than 16,000 addresses depending upon vendor and model • Addresses will also age out of the source address table, which means frames to those addresses will be flooded again. This traffic may include confidential information including passwords. • Cisco and Bay default is 5 minutes (common) • Why so small? To keep the table dynamic and current.

  11. Changing and viewing the aging timer
     • Set-based
       Switch_1> (enable) set cam agingtime vlan agingtime_in_sec
       Switch_1> (enable) show cam agingtime
       VLAN 1 aging time = 300 sec
       VLAN 2 aging time = 300 sec
     • IOS-based
       Switch(config)# mac-address-table aging-time seconds [vlan vlan]
       Switch# show mac-address-table aging-time
       300

  12. Show Mac-Address-Table (Source Address Table)
     • Set-based
       Console> (enable) show cam dynamic
       * = Static Entry. + = Permanent Entry. # = System Entry. R = Router Entry. X = Port Security Entry
       VLAN  Dest MAC/Route Des  [CoS]  Destination Ports…
       ----  ------------------  -----  -------------------
       1     00-a0-c9-66-86-94          2/6 [ALL]
       Total Matching CAM Entries Displayed = 1

  13. Show Mac-Address-Table (Source Address Table)
     • IOS-based
       Switch#show mac-address-table dynamic
       Non-static Address Table:
       Destination Address  Address Type  VLAN  ...  Port
       -------------------  ------------  ----  ...  ------
       00a0.c966.8694       Dynamic       1          FastEthernet0/5

  14. VLANs are secure - Switches • VLANs contain broadcast, multicast (later) and unknown unicast traffic to the specific VLAN
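The bridging process of slides 8 through 14 (learn, flood, filter, forward, age) and the per-VLAN containment of floods, as an added worked simulation. This is illustration code written for this transcript, not code from the slides, from Cisco, or from any switch operating system; the port numbers, MAC addresses, VLAN ids and timestamps are constructed sample values, and the 300-second default is the one the slides quote. The point to watch is the last step: once the entry for host A ages out, a unicast to A is flooded to every port in its VLAN again, which is exactly why the slides warn that aged-out traffic may carry passwords.

```python
"""Learning-bridge simulation with a per-VLAN source address table.

Added illustration for slides 8-14; not code from the slides, Cisco, or
any switch OS.  All ports, MACs, VLAN ids and timestamps are constructed.
"""
from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"


def is_multicast(mac: str) -> bool:
    # The I/G bit is the least significant bit of the first octet;
    # the all-ones broadcast address is just the extreme case of it.
    return int(mac.split(":")[0], 16) & 1 == 1


@dataclass
class Frame:
    src: str
    dst: str


@dataclass
class Switch:
    aging_time: float = 300.0                       # 5-minute default from slide 10
    port_vlan: dict = field(default_factory=dict)   # port -> access VLAN of that port
    table: dict = field(default_factory=dict)       # (vlan, mac) -> (port, last_seen)

    def age_out(self, now: float) -> None:
        """Drop every entry not refreshed within aging_time (slide 11)."""
        stale = [k for k, (_, seen) in self.table.items() if now - seen > self.aging_time]
        for k in stale:
            del self.table[k]

    def show_cam(self) -> list:
        """Equivalent of 'show cam dynamic': (vlan, mac, port) rows (slides 12-13)."""
        return sorted((v, m, p) for (v, m), (p, _) in self.table.items())

    def receive(self, in_port: int, frame: Frame, now: float) -> list:
        """Process one frame arriving on an access port; return the egress ports."""
        self.age_out(now)
        vlan = self.port_vlan[in_port]
        # 1. Learn the source address (or refresh its aging timer).
        self.table[(vlan, frame.src)] = (in_port, now)
        # 2. Broadcast, multicast or unknown unicast: flood, but only to ports
        #    that belong to the ingress VLAN (slide 14 / slide 17).
        entry = self.table.get((vlan, frame.dst))
        if is_multicast(frame.dst) or entry is None:
            return sorted(p for p, v in self.port_vlan.items() if v == vlan and p != in_port)
        out_port, _ = entry
        # 3. Source and destination on the same interface: filter (drop).
        if out_port == in_port:
            return []
        # 4. Known unicast: forward out the one correct port.
        return [out_port]


def demo() -> dict:
    """Walk the scenarios from the slides and return which ports saw each frame."""
    sw = Switch(port_vlan={1: 10, 2: 10, 3: 10, 4: 20, 5: 20})
    a, b, c = "00:a0:c9:66:86:94", "00:a0:c9:11:22:33", "00:a0:c9:aa:bb:cc"
    r = {}
    # A -> B before B is learned: flooded to all other VLAN-10 ports, never to VLAN 20.
    r["unknown_unicast"] = sw.receive(1, Frame(a, b), now=0.0)          # [2, 3]
    # B replies; A is now known, so only port 1 receives the frame.
    r["known_unicast"] = sw.receive(2, Frame(b, a), now=1.0)            # [1]
    # A broadcast from a VLAN-20 host stays inside VLAN 20.
    r["broadcast"] = sw.receive(4, Frame(c, BROADCAST), now=2.0)        # [5]
    # A hub on port 1 carries another host talking to A: same port, filtered.
    r["filtered"] = sw.receive(1, Frame("00:a0:c9:00:00:01", a), now=3.0)  # []
    # 302 s after A was last heard, its entry has aged out: B's unicast
    # to A is flooded across VLAN 10 again, and every VLAN-10 host can sniff it.
    r["after_aging"] = sw.receive(2, Frame(b, a), now=302.0)            # [1, 3]
    return r


if __name__ == "__main__":
    for name, ports in demo().items():
        print(f"{name:16s} -> ports {ports}")
```

Raising the aging time reduces the re-flooding window but lets stale entries mis-forward after a host moves; the slides' "dynamic and current" answer is that trade-off. Note that the simulation only models access ports, so the VLAN of a frame is always that of its ingress port.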

  15. VLANs control broadcasts

  16. VLANs control broadcasts • Broadcast traffic is a necessary evil • Routing protocols and network services typically rely on broadcasts • Multimedia applications may also use broadcast frames/packets • Each VLAN is its own broadcast domain • Traffic of any kind cannot leave a VLAN without L3 services (a router) • Administrators can control the size of a broadcast domain by defining the size of the VLAN

  17. VLANs improve BW utilization • Bandwidth is shared in legacy Ethernet; a switch improves BW utilization by eliminating collisions (microsegmentation). • VLANs further improve BW utilization by confining broadcasts and other traffic • Switches only flood ports that belong to the source port’s VLAN.

  18. VLANs decrease latency If switches and VLANs were used here instead of routers, Accounting users would experience less latency.

  19. When NOT to VLAN

  20. Types of VLANs • When scaling VLANs in the switch block, there are two basic methods of defining the VLAN boundaries: • End-to-end VLANs (no longer recommended by Cisco due to management and STP concerns) • Local VLANs

  21. Types of VLANs • Remember: a one-to-one correspondence between VLANs and IP subnets is strongly recommended! • Typically, this results in VLANs of 254 hosts or less. (Depending upon the subnetting scheme used.)

  22. End-to-End VLANs • Users are grouped into VLANs independent of physical location and dependent on group or job function. • All users in a VLAN should have the same 80/20 traffic flow patterns. • As a user moves around the campus, VLAN membership for that user should not change. • Each VLAN has a common set of security requirements for all members.

  23. End-to-End VLANs

  24. Local VLANs • As many corporate networks have moved to centralize their resources, end-to-end VLANs became more difficult to maintain. • Users are required to use many different resources, many of which are no longer in their VLAN. • Because of this shift in placement and usage of resources, VLANs are now more frequently being created around geographic boundaries rather than commonality boundaries.

  25. Local VLANs • Can span a geographic area as large as an entire building or as small as one switch • 20/80 rule in effect, with 80 percent of the traffic remote to the user and 20 percent of the traffic local to the user • A user must cross a L3 device in order to reach 80 percent of the resources • However, this design allows the network to provide a deterministic, consistent method of accessing resources.

  26. VLAN Types • The two common approaches to assigning VLAN membership are: • Static VLANs • Dynamic VLANs

  27. Static VLANs • Also referred to as port-based membership • VLAN assignments are created by assigning ports to a VLAN • As a device enters the network, the device automatically assumes the VLAN of the port. • If the user changes ports and needs access to the same VLAN, the network administrator must manually make a port-to-VLAN assignment for the new connection.

  28. Static VLANs

  29. Static VLANs • The port is assigned to a specific VLAN independent of the user or system attached to the port. • The port cannot send or receive from devices in another VLAN without the intervention of a L3 device. • The device that is attached to the port likely has no understanding that a VLAN exists. • The device simply knows that it is a member of a subnet. (ip address and subnet mask)

  30. Static VLANs • Switch is responsible for identifying that the information came from a specific VLAN and for ensuring that the information gets to all other members of the VLAN. • The switch is further responsible for ensuring that ports in a different VLAN do not receive the information.

  31. Static VLANs • This approach is quite simple, fast, and easy to manage in that there are no complex lookup tables required for VLAN segmentation. • If port-to-VLAN association is done with an application-specific integrated circuit (ASIC), the performance is very good. • An ASIC allows the port-to-VLAN mapping to be done at the hardware level.

  32. Configuring Static VLANs IOS-Based Switch
     Switch# vlan database
     Switch(vlan)# vlan vlan-num name vlan-name
     Switch(config)# interface fastethernet 0
     Switch(config-if)# switchport access vlan vlan-num

  33. Configuring Static VLANs Set-Based Switch
     Switch(enable) set vlan vlan-num [name name]
     Switch(enable) set vlan vlan-num mod/num_list
     Switch(enable) set vlan 10 2/19-24

  34. Dynamic VLANs • Created through the use of software packages such as CiscoWorks 2000 • Allow for membership based on the MAC address of the device • As a device enters the network, the device queries a database for VLAN membership

  35. Dynamic VLANs

  36. Dynamic VLANs • With a VLAN Management Policy Server (VMPS), you can assign switch ports to VLANs dynamically, based on the source MAC address of the device connected to the port. • When you move a host from a port on one switch in the network to a port on another switch in the network, the switch assigns the new port to the proper VLAN for that host dynamically.

  37. Dynamic VLANs • When you enable VMPS, a MAC address-to-VLAN mapping database downloads from a Trivial File Transfer Protocol (TFTP) server and VMPS begins to accept client requests. • If you reset or power cycle the Catalyst 5000, 4000, 900, 3500, or 6000 Series Switch, the VMPS database downloads from the TFTP server automatically and VMPS is reenabled.

  38. Dynamic VLANs • VMPS opens a UDP socket to communicate and listen to client Catalyst requests. • When the VMPS server receives a valid request from a client Catalyst, it searches its database for a MAC address-to-VLAN mapping.

  39. Access and Trunk Links

  40. Access Links • An access link is a link on the switch that is a member of only one VLAN. • This VLAN is referred to as the native VLAN of the port. • Any device that is attached to the port is completely unaware that a VLAN exists.

  41. Trunk Links • A trunk link is capable of supporting multiple VLANs. • Trunk links are typically used to connect switches to other switches or routers. • Switches support trunk links on both Fast Ethernet and Gigabit Ethernet ports.

  42. Access and Trunk Links

  43. Trunk Links Without trunking With trunking

  44. Trunking • A trunk is a point-to-point link that supports several VLANs • A trunk saves ports when creating a link between two devices implementing VLANs • Trunking is covered in more detail in the next section

  45. Trunk Links • A trunk link does not belong to a specific VLAN. • Acts as a conduit for VLANs between switches and routers. • The trunk link can be configured to transport all VLANs or to transport a limited number of VLANs. • A trunk link may, however, have a native VLAN. • The native VLAN of the trunk is the VLAN that the trunk uses if the trunk link fails for any reason.

  46. Trunk Links • In Ethernet, the switch has two methods of identifying the VLAN that a frame belongs to: • ISL – Inter-Switch Link (Cisco proprietary) • IEEE 802.1Q (standards-based), aka dot1q

  47. VLAN Identification • ISL - This protocol is a Cisco proprietary encapsulation protocol for interconnecting multiple switches; it is supported in switches as well as routers. • Even though it is Cisco proprietary, ISL is not natively supported by the Catalyst 4000. • The L3 blade does give the Cat4000's router two ISL-capable ports (Gig 1 and Gig 2).

  48. VLAN Identification • IEEE 802.1Q - This protocol is an IEEE standard method for identifying VLANs by inserting a VLAN identifier into the frame header. • This process is referred to as frame tagging. • Note: In practice, both ISL and dot1q are called frame tagging
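The frame tagging described on slide 48, as an added worked example that builds and parses the 4-byte 802.1Q tag. This is illustration code written for this transcript, not the slides' or any vendor's code; the MAC addresses and payload are constructed. It also shows the behaviour slides 40 and 45 describe for the native VLAN: a frame that carries no tag is assigned to the port's native VLAN by the receiving switch, which is why the native VLAN choice matters when reviewing trunk configurations.

```python
"""Build and parse IEEE 802.1Q tagged Ethernet frames.

Added illustration for slide 48; not code from the slides or any vendor.
MACs and payload below are constructed sample values.
"""
import struct

TPID_8021Q = 0x8100   # EtherType value that announces an 802.1Q tag


def mac_bytes(mac: str) -> bytes:
    return bytes(int(x, 16) for x in mac.split(":"))


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def build_frame(dst: str, src: str, ethertype: int, payload: bytes,
                vlan: int = None, pcp: int = 0) -> bytes:
    """Ethernet II frame; when vlan is given, the 802.1Q tag (TPID + TCI)
    is inserted between the source MAC and the original EtherType."""
    hdr = mac_bytes(dst) + mac_bytes(src)
    if vlan is not None:
        # VID 0 means "priority tag only" and 4095 is reserved, so neither
        # names a usable VLAN; a switch must not accept them as one.
        if not 1 <= vlan <= 4094:
            raise ValueError("VID must be 1..4094")
        tci = ((pcp & 0x7) << 13) | (vlan & 0x0FFF)   # PCP(3) | DEI(1)=0 | VID(12)
        hdr += struct.pack("!HH", TPID_8021Q, tci)
    return hdr + struct.pack("!H", ethertype) + payload


def parse_frame(raw: bytes, native_vlan: int) -> dict:
    """Decode the header and decide which VLAN the switch assigns the frame to.
    An untagged frame is treated as a member of native_vlan (slides 40/45)."""
    dst, src = mac_str(raw[0:6]), mac_str(raw[6:12])
    (ethertype,) = struct.unpack("!H", raw[12:14])
    tagged, vlan, pcp, off = False, native_vlan, 0, 14
    if ethertype == TPID_8021Q:
        tci, ethertype = struct.unpack("!HH", raw[14:18])
        tagged, pcp, vlan, off = True, tci >> 13, tci & 0x0FFF, 18
    return {"dst": dst, "src": src, "tagged": tagged, "vlan": vlan,
            "pcp": pcp, "ethertype": ethertype, "payload": raw[off:]}


def demo() -> tuple:
    """Return (parsed tagged frame, parsed untagged frame, tag overhead in bytes)."""
    dst, src = "00:a0:c9:66:86:94", "00:a0:c9:11:22:33"   # constructed
    payload = b"\x45" + b"\x00" * 19                         # constructed IPv4-like stub
    tagged = build_frame(dst, src, 0x0800, payload, vlan=10, pcp=5)
    untagged = build_frame(dst, src, 0x0800, payload)
    return (parse_frame(tagged, native_vlan=1),
            parse_frame(untagged, native_vlan=1),
            len(tagged) - len(untagged))


if __name__ == "__main__":
    t, u, overhead = demo()
    print("tagged  :", t["vlan"], "pcp", t["pcp"], hex(t["ethertype"]))
    print("untagged:", u["vlan"], "(native VLAN)", hex(u["ethertype"]))
    print("tag adds", overhead, "bytes")
```

The tag costs exactly four bytes, which is why 802.1Q frames can reach 1522 bytes rather than 1518; the parser keeps the original EtherType so the upper-layer dispatch is unchanged whether or not a tag was present.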

  49. VLAN Identification • 802.10 - This standard is a Cisco proprietary method of transporting VLAN information inside the standard 802.10 frame (FDDI). • The VLAN information is written to the security association identifier (SAID) portion of the 802.10 frame. • This method is typically used to transport VLANs across FDDI backbones.

  50. VLAN Identification • LAN Emulation (LANE) - LANE is an ATM Forum standard that can be used for transporting VLANs over Asynchronous Transfer Mode (ATM) networks.
