Introduction to VLANs

Introduction to VLANs by HTRegz

Hey Hey,

I searched through the Tutorials Index and couldn't find anything on VLANs so I figured I'd throw this up. I've got a test on Configuring Cisco and Nortel switches for VLANs in a few hours, so I figure brushing up on the theory couldn't hurt. I find I learn best when I'm explaining for others, so here ya go. This is a introduction to VLANs, so for those of you with knowledge it will seem rather simple. If a more in-depth tutorial is wanted. I will go about doing some serious research and writing one.

What is a VLAN?

Quote:

---

Source: Webopedia

Short for virtual LAN, a network of computers that behave as if they are connected to the same wire even though they may actually be physically located on different segments of a LAN. VLANs are configured through software rather than hardware, which makes them extremely flexible. One of the biggest advantages of VLANs is that when a computer is physically moved to another location, it can stay on the same VLAN without any hardware reconfiguration.

---

**As a side note, if you have never used webopedia before, I suggest you go take a look at it**

VLANs let you group people logically, rather than physically as the definition says.

Example:

You have Accounting and Marketing Departments. These departments both have 7 employees and 1 manager. Being a large corporation, your managers aren't on the same floor as the rest of the employees, they're a few floors up with bigger offices. Yet you want all people related to Accounting on one network and all those related to marketing on another, including the managers. This would be a pain if you were designing your network using physical layouts. You'd have to run some massively long wires and it would be counter productive if someone ever moved. Your switches would look something like this.

Code:

---

Accounting Switch                Marketing Switch
X X X X X X X X                        X X X X X X X X
| | | | | | | |                | | | | | | | |
S S S S S S S 2                S S S S S S S 2
A A A A A A A                  A A A A A A A 
M M M M M M M F                M M M M M M M F
E E E E E E E L                E E E E E E E L
              O                              O
F F F F F F F O                F F F F F F F O
L L L L L L L R                L L L L L L L R
O O O O O O O S                O O O O O O O S
O O O O O O O                  O O O O O O O 
R R R R R R R U                R R R R R R R U
              P                              P

---

This would be rather messy. Say someone movies to a different cubicle or office, you would have to run wires back to the original switch.


Solution: VLANs.

You setup 2 VLANs in your company. VLAN1 - Accounting and VLAN2 - Marketing. You configure your switches. Instead of the 2 8 port switches, you'd have a 16 port and for the other anything over 3 ports would do the trick, but we'll say an 8 port. On the floor with all the bean counters you'd have the 16 port switch. (instead of typing Same floor I will abreviate to SF to save space)

Code:

---

Employee Switch
    VLAN1    |    VLAN2
X X X X X X X X X X X X X X X X
| | | | | | |  | | | | | | | |
S S S S S S S  S S S S S S S T
F F F F F F F  F F F F F F F R
                              U
                              N
                              K


Manager Switch
 VLAN1 | VLAN2
X X X X X X X X
|      |    |
S      S    T
F      F    R
              U
              N
              K

---

Now we've introduced something new. A Port labelled Trunk. Those of you who have done the CCNA will know this as the Trunk port, and those of you who have dealt with Nortel will know this as a Tagged port. Same thing... different name. A Trunk/Tagged port allows for communication between VLANs which span multiple switches (The Trunk/Tagged port must be a member of both VLANs when configured). Assuming our trunk ports are connected in the above example now an Employee on VLAN1 could ping the Manager on VLAN1's workstation. When the first trunk port recieves the data, it adds a tag to it. The recieving trunk port will remove this tag. The tag tells the recieving trunk port the VLAN ID of the transmitting workstation, so that it knows how to deal with the data. The tag is defined by IEEE 802.1q. A Tag Looks like this.

Code:

---

_________________________________________________________
| 6 Bytes | 6 Bytes | 4 Bytes | 2 Bytes | 46 - 1500 bytes |
|  DST  |  SRC  |  TAG  | PROTOCOL|      DATA      |
|___MAC___|___MAC___|        |___TYPE__|_________________|
        ___________/          \___________
      | 10 Bits | 3 Bits | 1 Bit | 12 Bits|
      |_81-00___|PRIORITY|__CFI__|VLAN ID_|

---

So Data Leaves the WS attached to port 1 on VLAN1. It travels to the trunk port and is tagged. It is recieved by the attached trunk port which looks at the VLAN ID in the TAG and switches it over to VLAN1 and removes the tag.

This has all been an example of Port-based VLANs. You should know however that you can also do Host (MAC) based VLANs (this is handy) because if you move a computer, when you plug it in, it will be back on the same VLAN. There are also Protocol based VLANs which allow you to segregate networks based on protocol (IP, IPX, etc).

One last thing I will leave you with is that 2 VLANs cannot directly communicate, even if they are on the same switch. They are seperate networks and, therefore, require a router to communicate.

Code:

---


Switch
 VLAN1 | VLAN2
X X X X X X X X
              T
              R
              U
              N
              K
              |
              |
              |
              X
          Router

---

By Enabling dot1q encapsulation on the router and setting up the ethernet interface to be a trunk and using sub-interfaces to define each VLAN, we can configure the router to route packets from VLAN1 to VLAN2 and vise-versa. This is basically just a matter of configuration. If there is enough interest. I will write an addendum on the configuration of both nortel and cisco routers and switches to carry out these tasks. I will also do a more advanced VLAN tutorial if so desired. This is designed to be a simple introduction. Feedback is always appreciated.

Peace,
HT

Edit: Some of the formatting is messed up. I apologize for this and will attempt to fix it when I get a chance. However I'm already running late for class.

Addendum:

I looked at this as an intro. However I recieved an AP assignment from MsM that had a good question in it. What about the security risk(s) of VLANs. I've thought about this and I really can't think of any off the top of my head. However I can think of an advantage. We all know that switches segment collision domains, thus making it more difficult to sniff a switch (programs like ettercap are required) unless of course you only want to listen to broadcasts, because switches don't create broadcast domains. However VLANs do create broadcast domains. A broadcast cannot travel from one VLAN to another. Although I don't see a security use for this, someone with more experience may see something, but it's a thought to put out. Limiting the broadcast domain would keep the users seeing broadcasts to a minimum. This could prove useful in some way? It's a thought that I'm putting out.. Any input or ideas on the subject?


Edit: This was quite rushed because I'm already late leaving, I hope you all understand what I mean.... if not i'll explain more later. Peace

The only problem i can think of in releation to broadcasts, is NetBIOS Name Resolution (etc etc). And that is not even a security risk, and a network willing to implement VLANs then their gonna be able to implement a WINS Server anyway. VLANing is a very efficient network...

Ive never really discovered the difference between subnetting and vlan(-ing?), cheers for the article though

Quote:

---

VLANing is a very efficient network...

Ive never really discovered the difference between subnetting and vlan(-ing?), cheers for the article though

---

I know this post is late and everyone involved probably knows the answers to this question anyways, but I thought I'd put it up here just in case anyone is wondering still.

VLANing is not actually an efficient way to network, it is very useful for its purpose though. Any traffic that needs to propagate outside of a VLAN must be sent through a router even if it is on the same switch with another VLAN


The differences between vlan-ing and subnetting are:

VLANs are assigned at the switch (data-link) level in a dynamic or static manner. Static/port is the preferred method for most administrators

Subnetting is accomplished at the router (network layer) by dividing your IP range into smaller, more managed networks.


The primary purposes of VLANs are to allow specific hosts to access to resources on other subnets and to allow for broadcast traffic to traverse routers (Routers drop broadcast packets like a bad habit by default).

Hey Hey,

It's a dead topic but what the hay... there's lots that I disagree with in that last post.

Quote:

---

VLANing is not actually an efficient way to network, it is very useful for its purpose though. Any traffic that needs to propagate outside of a VLAN must be sent through a router even if it is on the same switch with another VLAN

---

VLANs are a very efficient way to design a network... In fact they are quite seriously promoted in network design. The fact that network doesn't propagate outside of a VLAN is one of the primary reasons for that... you lower the number of broadcasts on your network. This provides added security and efficiency..

VLANs allow you to logically segment your network instead of segmenting it physically. This means that if you're head office (New York) has a sales department and your West Coast Office (LA) has a sales office... they can share resources, and even be on the same subnet.

You actually argued your own comment with your mention of subnetting being layer three (btw you don't need a router to subnet... however, IP addressing is a layer three function... just another problem I had with what you said... I can have a a subnet in use between two hosts on the same hub or switch and it'll still function just fine...). If you have VLANs on your network, they are for a reason and you don't want traffic spreading... If you are using two seperate subnets, it's for a reason... Two VLANs or Two subnets... you're sticking a router in between regardless. Networking is about putting a bunch of 'stuff' together and having it work.. It's about logically designing it and placing devices in appropriate locations... segmenting your network properly and laying it out.. This is why VLANs are so important in a network.

A flat network is an awful design.. you wouldn't do it from a subnetting point of view... (could you imagine the results of a single subnet for an office of say 15,000 users?)... You also wouldn't do it with VLANs.. This way you can have your office... Manager and say 15 employees... You want your Managers traffic seperate from your employees... Prior to VLANs, or for those without knowledge of them, this would require two switches... that's a waste of hardware and resources (doesn't sound very efficient to me) and you'd still require a router because the odds are they'd be on different subnets.. However with VLANs you can have one switch divided into two VLANs... these Virtual LANs can be grouped in with the Manager and her 20 employees in the next building over... Now Administration is seperate form Staff.... sounds like a good idea to me... You've also limited your broadcasts... and that's a good thing, considering your corporation is most likely running Windows machines, and they generate far too many broadcasts...

Quote:

---

The primary purposes of VLANs are to allow specific hosts to access to resources on other subnets and to allow for broadcast traffic to traverse routers

---

This is the one that really blew my mind.... It's to allow hosts to access resources on the same subnet in a different physical location... as far as broadcast traffic traversing a router... only as far as your VLAN goes... because it's a Virtual LAN... as far as the router is concerned, you have a LAN setup.. it won't broadcast into other LANs, so why would it broadcast into other VLANs..

I may be wrong.. but from your poist you sound like someone who has completed a portion of the CCNA program and not fully grasped what they were trying to teach you.

Peace,
HT

Quote:

---

I may be wrong.. but from your poist you sound like someone who has completed a portion of the CCNA program and not fully grasped what they were trying to teach you.

---

I actually have had my C.C.N.A. for a couple of years and am working on my CSPFA Firewall Cert.

I apologize for the simplicity of my statement and for not accurately describing what I meant. I think this is a better explanation.

You are right. I agree 100% that VLANS are the preferred and most efficient way to design a network. They can provide security, they provide broadcasts control and all kinds of other useful traffic/network access features.

What I was referring to, and I did it badly, was the amount of traffic and the load that is placed on an individual router. From a strictly 1's and 0's standpoint more traffic is created and more load is placed on each device along the path by use of VLANs. Besides that, I use and manage them as well and I'm glad they exist.

Quote:

---

quote:

The primary purposes of VLANs are to allow specific hosts to access to resources on other subnets and to allow for broadcast traffic to traverse routers



This is the one that really blew my mind.... It's to allow hosts to access resources on the same subnet in a different physical location... as far as broadcast traffic traversing a router... only as far as your VLAN goes... because it's a Virtual LAN... as far as the router is concerned, you have a LAN setup.. it won't broadcast into other LANs, so why would it broadcast into other VLANs..

---

I did not say that you can broadcast into other VLANs that would be silly. But without the VLAN you could not use broadcasts outside of your local IP Subnet, defined by a router.

Remote users cannot be on the same subnet (meaning having the same subnet mask and network ID) from an IP standpoint, but with the VLAN they can appear to be.

Ok, so I'm going to have to break this down a little... when you have a large group of IP addresses and you break them up you have what? Subnets... this is what I meant by subnets, strictly layer 3 stuff.
Ok, so on each interface of a router you have a different subnet...
WANs are connected through routers.
So for two physically remote users to access resources as though they were on the same subnet (even though they're on different ones) they would have to be assigned a VLAN

I think you were misunderstanding my word choice, but I do appreciate you pointing out that I should be more clear in my future postings.

Ehhhhh, sorry captain, but I feel like you're making things even more confusing than they were!

I think the big issue here is that you are confusing the terms "subnets" and "segments".

Vlans can be used to group one or more ports on one or more switches (with .1q) into a single segment (what could be called "forwarding" domains).

Routers (or more exactly routing tables on any type of machine) can be used to divide an IP network (runing over one or more segments) into multiple subnets, thus creating seperate broadcast domains.

Now everyone agrees that Vlans are good networking practices.

Vlans do not "cause" more load on routers anymore than normal routing between subnets; however, the use of vlans more or less implies that you will be doing routing inbetween vlans at some point, thus adding some load on your routers. The added load on the router depends on the amount of cross subnet traffic that will be going on. Adding a routing hop can also add a very small amount of latency. The use of Layer 3 switches with ASIC (on higher end models) reduces the load and lantency to (or nearly) that of wirespeed switching.


Now about the security issues originally raised by MsM's AP post...
There are a couple of issues that can lead to "vlan hopping", ie the ability for an attacker to talk across other vlans.
These can be led in two ways:
1- If the switch is configured with Dynamic Trunking Protocol (DTP) (or CDP) enabled and the users' access port in automatic trunking mode, the user can be able to represent himself as another switch and register himself as a trunk port, thus receiving other vlans' traffic or sending onto other vlan than his originaly assigned. To prevent this, make sure all access ports are statically assigned to the chosen vlan.
2- If a trunk port is enabled between between 2 switches, a user on a (even statically assigned) access port could double encapsulate his ethernet frames with .1q headers; the first header will be stripped by the switch, but the second one remains, which will then be taken into account on the trunk link. To prevent this make sure all trunk ports use diffrent vlan IDs than the access ports.

In all cases, never use vlan1 since it is often used for management communications between switches (eg: ciscos).

Cisco has a nice document (attached) on these issues. Check the "vlan hopping section"...


I hope this cleared things up in this thread...


Ammo

Quote:

---

I actually have had my C.C.N.A. for a couple of years and am working on my CSPFA Firewall Cert.

---

Another perfect example of why I think certs are useless when determining skills and ownership of knowledge. Look at the first response by a CCNA who states that VLANs are not efficient. There are a bunch of other examples of misinformation but you get the idea. Nothing beats solid experience - period.

Anyway, I use VLANs in an enterprise environment not only is the traditional use but also for security purposes. If your host doesn't pass a certain criteria, you're passed into a VLAN where your machine will be patched and will be given no access to mission critical systems. This works wonderfully. I have yet to see a method of breaking out of a VLAN without actually pwning the VLAN hardware device. If you allow this to happen, well, then you're sitting on a heap of much bigger problems.