VLAN
21 years 4 months ago #269
by tfs
Thanks,
Tom
VLANs are a way to segment the network in a "virtual" way. It allows users on different LAN segments to talk to each other even though they are on a different LAN segment (wire). It allows you to break up the broadcast domain (which switches normally don't do - they break up collision domains) without the use of routers.
Where you typically would use a whole switch for one segment or multiple switches for the same segment - with VLANS you can have multiple segments on one switch.
Why would you do this? Suppose you want to segment your company by department. Now suppose each department is on a different floor (accounting on the 1st floor, sales on the 2nd and marketing on the 3rd). No problem, use a router to route the segment to each floor. Each floor has its own set of switches.
Now you decide to move 3 people in marketing to the same floor as accounting (2 floors away) - for space reasons. How do you easily move them? You'd have to somehow run a wire from the 3rd floor down to the 1st floor with its own switch.
With a VLAN, you could set it up the same way with Switches set up for VLAN. In the switch you would set up the VLAN numbers (2,3,4, etc.). In our example: accounting = 2, sales = 3 and marketing = 4 (could just as easily have been 10, 11, 12). So the switches on the 1st floor (accounting) would have all the ports set to VLAN 2, the switches on the 2nd floor would have all the ports set to VLAN 3 and the 3rd floor would have all the switch ports set to VLAN 4. All the switches are "trunked" together and talk to each other.
So what - you say! This is just like the conventional way. But now when I move the 3 people to accounting, all I do is connect them to the accounting switches and reconfigure those ports to VLAN 4. Now the switches on the 1st floor have VLAN 2 and VLAN 4.
One of the advantages that you have with VLANs is you are less limited to your physical environment when setting up your LAN. Change your physical setup and just reconfigure your switches to accommodate it.
There is obviously a bunch more on this subject. Here are a few pages I found that might be helpful:
www.networkmagazineindia.com/200205/primer.shtml
216.239.33.104/search?q=cache:909Sa1_vIl...uting&hl=en&ie=UTF-8
support.3com.com/infodeli/tools/switches...nual.b03/vlansa4.htm
Tom.
21 years 2 months ago #741
by sahirh
Sahir Hidayatullah.
Firewall.cx Staff - Associate Editor & Security Advisor
tftfotw.blogspot.com
VLAN membership can be defined on the basis of:
a. Group of ports
b. MAC address
c. Network address
a. The membership is based on which port the data comes in from. The disadvantage here is that if the user moves, the admin has to reconfigure the VLAN port membership.
b. The MAC address is mapped to the VLAN; this allows you to have the node connect through any port and still be a member of the VLAN. The major disadvantage is that initially all users will have to be assigned to a VLAN and when you first set it up, everyone will be on the same VLAN!! This will cause some network performance problems. Also if you use laptops often, the MAC address of the docking station is a member of the VLAN, so using the laptop in another docking station will mean a reconfig of the VLAN info.
c. Based on network address information such as the IP address. There is no frame tagging involved here.
The database where this information is stored is known as a filtering database. If you are using many switches then this information must be shared by all of them and you must have a port in trunk mode which can carry information from all the VLANs to the other switches. Don't confuse this with 'port trunking', which means binding many ports to act as a single port and use their combined bandwidth.
(God knows I was confused about those two terms for ages! Everyone I asked about 'port trunking' said it had nothing to do with VLANs!!)
21 years 2 months ago #742
by Chris
Chris Partsenidis.
Founder & Editor-in-Chief
www.Firewall.cx
While the subject has been covered in these threads, I would like to simply clarify a few things about VLAN and MAC mappings.
There are two modes in which a VLAN can operate:
1) Static VLANS
2) Dynamic VLANS
In Static mode, the administrator defines the VLAN membership for every port the switch has. For example, ports 1, 2 and 3 might be assigned to VLAN 10, while ports 4, 5 and 6 to VLAN 20.
No matter what device/host is plugged into the switch port, the VLAN assignment remains the same.
In Dynamic mode, the administrator assigns VLAN membership based on the MAC address of each host. This means a database is created where a mapping between MAC addresses and VLANs exists. So if you have 3 switches using this mode, and you move a workstation from port 1 on switch 1 to port 7 on switch 3, then it will maintain its VLAN membership.
Out of the two VLAN modes, the first one, that is, Static Mode, is more popular and secure.
If you would like to read more about the topic, I have recently written a whitepaper on VLANs for searchnetworking.com; here is the URL:
searchnetworking.techtarget.com/tip/0,28...d7_gci929352,00.html
And you can find my Q&As from the above site's members at:
searchnetworking.techtarget.com/ateSingl...d7_gci904743,00.html
Cheers,
Chris Partsenidis.
Founder & Editor-in-Chief
www.Firewall.cx
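As an added illustration (not code from this thread or from Firewall.cx), here is a small Python model of the filtering database described above: Tom's move of a marketing user onto an accounting-floor switch under port-based membership, and Chris's static versus dynamic modes, including Sahir's point that a MAC missing from the database ends up in a default VLAN. The switch names, port numbers, MAC labels and the default VLAN of 1 are constructed assumptions.

```python
DEFAULT_VLAN = 1  # assumption: a MAC absent from the database lands in the default VLAN

class Switch:
    def __init__(self, name, mode, port_vlan=None):
        self.name, self.mode = name, mode          # mode: "static" or "dynamic"
        self.port_vlan = dict(port_vlan or {})     # port -> VLAN (static mode only)

class Network:
    """Switches are trunked together, so every VLAN spans every switch."""
    def __init__(self, switches, mac_vlan=None):
        self.switches = {s.name: s for s in switches}
        self.mac_vlan = dict(mac_vlan or {})       # shared MAC -> VLAN database (dynamic mode)
        self.hosts = {}                            # constructed MAC label -> (switch name, port)

    def plug(self, mac, switch, port):
        self.hosts[mac] = (switch, port)

    def set_port_vlan(self, switch, port, vlan):
        self.switches[switch].port_vlan[port] = vlan

    def vlan_of(self, mac):
        sw_name, port = self.hosts[mac]
        sw = self.switches[sw_name]
        if sw.mode == "static":                    # the port decides, whatever is plugged in
            return sw.port_vlan[port]
        return self.mac_vlan.get(mac, DEFAULT_VLAN)  # the MAC decides, on any port

    def can_talk(self, a, b):                      # no router, so only within one VLAN
        return self.vlan_of(a) == self.vlan_of(b)

def move_marketing_user():
    """Tom's scenario: accounting = VLAN 2 on floor 1, marketing = VLAN 4 on floor 3."""
    net = Network([Switch("floor1", "static", {p: 2 for p in range(1, 9)}),
                   Switch("floor3", "static", {p: 4 for p in range(1, 9)})])
    net.plug("acct-pc", "floor1", 1)
    net.plug("mkt-pc", "floor3", 1)
    net.plug("mkt-moved", "floor1", 8)             # relocated user on an accounting switch
    before = net.can_talk("mkt-moved", "mkt-pc")   # False: port 8 is still VLAN 2
    net.set_port_vlan("floor1", 8, 4)              # the only change needed: retag the port
    return before, net.can_talk("mkt-moved", "mkt-pc"), net.can_talk("mkt-moved", "acct-pc")

def move_workstation_dynamic():
    """Chris's scenario: in dynamic mode membership follows the MAC, not the port."""
    net = Network([Switch(f"sw{i}", "dynamic") for i in (1, 2, 3)],
                  mac_vlan={"ws-a": 10, "ws-b": 10})
    net.plug("ws-a", "sw1", 1)
    net.plug("ws-b", "sw2", 5)
    net.plug("new-laptop", "sw3", 2)               # never entered in the database
    net.plug("ws-a", "sw3", 7)                     # move ws-a from switch 1 port 1 to switch 3 port 7
    return net.vlan_of("ws-a"), net.can_talk("ws-a", "ws-b"), net.vlan_of("new-laptop")
```

The last result shows the failure mode Sahir describes: any host not yet in the MAC database silently shares the default VLAN with every other unmapped host.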
21 years 2 months ago #746
by sahirh
Sahir Hidayatullah.
Firewall.cx Staff - Associate Editor & Security Advisor
tftfotw.blogspot.com
Just to add to what Chris said, static mode is more popular; however, don't use VLANs as a security solution.. it has recently been proven that it's quite trivial to make packets from one VLAN 'jump' to another VLAN...
honor.trusecure.com/pipermail/firewall-w...0-August/008844.html
that is a link to a discussion from bugtraq on how this happens.
VLANs were a traffic management and easy administration solution.. the isolation they provide is good additional security but not a security solution.
Cheers,
Sahir.