Virtual Local Area Networks
Virtual Local Area Networks. Should I V-LAN? 1. Security V-LANs can restrict access to network resources.

Dec 26, 2015

Transcript
Page 1: Virtual Local Area Networks. Should I V-LAN? 1. Security V-LANs can restrict access to network resources.

Virtual Local Area Networks

Page 2:

Should I V-LAN?

1. Security: V-LANs can restrict access to network resources

Page 3:

Should I V-LAN?

Access Control Lists are used to direct the availability of information

(Diagram: two user groups, Faculty and Students, each with a path to the Student Records server)

Page 4:

(Diagram: the Faculty V-LAN reaches the Student Records server, labelled "Access Permitted"; the Students V-LAN's path to the same server is labelled "Access Denied")

Page 5:

Should I V-LAN?

2. Broadcast Control for Increased Performance: reduce the size of your broadcast domains and limit broadcast traffic to similar users. (A switch already gives every port its own collision domain; what a V-LAN shrinks is the broadcast domain.)

Page 6:

Check Your Network for Broadcast Protocols

(Chart: traffic mix by protocol on a sample network. TCP 40%, ARP 35%, UDP 10%, DHCP 8%, IPX 5%, SPX 2%. ARP, DHCP and IPX are the broadcast-based protocols in this mix and together account for almost half of the traffic.)

Page 7:

One Broadcast Domain

(Diagram: a flat network of switches with every port in a single broadcast domain)

Page 8:

V-LANs form Multiple Broadcast Domains

(Diagram: the same switches with their ports divided into several V-LANs, each one its own broadcast domain)

Page 9:

Should I V-LAN?

3. Network Monitoring: centrally configure devices in local areas and divide your users into logical groupings

Page 10:

Should I V-LAN?

Your security will improve

Your network performance will improve

Page 11:

How Many V-LANs?

• List Buildings
• Itemize Departments
• Remember BROADCAST CONTROL

NC State

Page 12:

How Many V-LANs?

Building 1: Lab 1, Lab 2, Faculty/Staff, Library, Administration
Building 2: Wireless Lab, Faculty/Staff
Building 3: Lab 3, Faculty/Staff

Page 13:

How Many V-LANs? When you’re done, add 2 more:

1. A Test V-LAN for your Test Lab

2. An “Internet Only” V-LAN for all unused ports

plus V-LAN #1 will be your default V-LAN for your administrative purposes

Page 14:

How Many V-LANs?

• Building 1 – 18 V-LANs
• Building 2 – 6 V-LANs
• Building 3 – 7 V-LANs
• Building 4 – 4 V-LANs
• Building 5 – 2 V-LANs
• Building 6 – 7 V-LANs
• 3 Server V-LANs
• Internet Only V-LAN
• Test V-LAN
• Adm. V-LAN

• Total – 50

Page 15:

Equipment/Server Concerns

• You will need a reliable Layer 3 (routing) main switch to route between the V-LANs (example: Cisco 4506)

• Unmanaged switches and hubs are not V-LAN-aware: every port on them ends up in a single V-LAN

• Some protocols, such as IPX and AppleTalk, rely on broadcasts. These will need to be addressed.

Page 16:

Equipment/Server Concerns

• Each V-LAN will need its own DHCP scope
• DNS must be reachable by every V-LAN
• User applications cannot reside on a V-LAN that will be blocked
• You must know what is connected to every port on every switch

Page 17:

How Do I Begin?

Get details on your current setup: conduct an audit of the ports on your switches

Page 18:

Create a Switch Audit Form

Per switch: Location, IP Address, Manufacturer/Model #, Uplink Port

Port Information (one row per port):

Port # | Patch # | User Loc | User Name | Printers Used | VLAN #
1 | | | | |
2 | | | | |
3 | | | | |

Page 19:

Set Up a Schedule

• Week 1 – Audit Bldg. 1
• Week 2 – Audit Bldg. 2
• Week 3 – Audit Bldg. 3
• Week 4 – Audit Bldg. 4
• Week 5 – Audit Bldg. 5
• Week 6 – Audit Bldg. 6
• Week 7 – Write Configuration & Access Lists; select IP addresses for users
• Week 8 – Implementation: add V-LANs to the main switch & DHCP scopes, set all ports on all switches, test PCs & printers, change IPs where needed

You have a new network!

Adhere to the schedule!!

Page 20:

How Do I Add V-LANs to the Switches?

• Add every V-LAN to the main switch
• Add to each switch the V-LANs it will need. With some manufacturers the secondary switches will automatically read the list from the main switch (on Cisco this is VTP; a VTP server with a higher configuration revision overwrites the VLAN list on every switch in its domain, so set the VTP domain and mode deliberately before plugging in a new switch)
• Set each port to the correct V-LAN

Page 21:

(Diagram: a Main Switch uplinked to several Secondary Switches)

Main Switch contains all V-LANs

Secondary Switches contain the V-LANs they service

Set each port to the correct V-LAN

Page 22:

Sample Script for Main Switch

ena
config t
! 1. Add the V-LAN
vlan 2
! 2. Name the V-LAN
 name Building1Lab1
! 3. Exit that V-LAN
exit
! 4. Add another V-LAN
vlan 3
 name Building1Lab2
exit

Page 23:

Sample Script for Main Switch

! 5. Enter the V-LAN as an interface (the switched virtual interface, SVI)
int vlan 1
! 6. Give a description to the V-LAN
 description Bus Lab
! 7. Give an IP address to the V-LAN (this becomes the default gateway for hosts in it)
 ip address 172.16.1.1 255.255.255.0
! 8. Give the location of the DHCP server for the V-LAN (IOS spells it ip helper-address;
!    it relays the clients' DHCP broadcasts to that server)
 ip helper-address 10.9.3.102
! 9. Turn the V-LAN on
 no shutdown
exit
! repeat steps 5 to 9 for the next V-LAN
int vlan 2

Page 24:

Remember . . .

• You must have a default gateway IP address (the SVI address) for every V-LAN

• You must have a DHCP scope for every V-LAN

Page 25:

About those IP Addresses

• You will need an addressing scheme for your new network
• Choose it carefully so your V-LANs will be easy to identify
• Use a private address range or a combination of them (RFC 1918) – 10.0.0.0/8 – 172.16.0.0/12 – 192.168.0.0/16

Page 26:

About those IP Addresses

10.0.0.0 – 172.16.0.0 – 192.168.0.0

For convenience, subnet your address so that one octet is the V-LAN number:

Ex – 10.1.0.0, 10.2.0.0 with mask 255.255.0.0
Ex – 172.16.1.0, 172.16.2.0 with mask 255.255.255.0

You would instantly know that the first device was on V-LAN 1, the second device on V-LAN 2
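The script on pages 22 and 23 and the addressing convention on page 26 fit together mechanically, so here is an added example (not from the presentation) that generates them from a V-LAN plan: V-LAN n gets 172.16.n.0/24, the SVI takes .1 as the default gateway, the DHCP scope is the rest of the /24, and the plan is checked for reused IDs or names, users placed on V-LAN 1, and IDs the scheme cannot address. The plan entries beyond Building1Lab1 and Building1Lab2 are constructed; the helper address 10.9.3.102 is the one in the slide's script.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample plan: the first two entries are the slide's VLANs,
# the third is a hypothetical one added for illustration.
VLAN_PLAN: List[Tuple[int, str]] = [
    (2, "Building1Lab1"),
    (3, "Building1Lab2"),
    (7, "Building2WirelessLab"),
]
DHCP_SERVER = "10.9.3.102"   # the helper address used in the slide's script


def vlan_subnet(vlan_id: int) -> ipaddress.IPv4Network:
    """Slide convention: the third octet of 172.16.x.0/24 is the V-LAN number."""
    if not 1 <= vlan_id <= 254:
        raise ValueError(f"vlan {vlan_id}: the 172.16.<vlan>.0/24 scheme only reaches VLAN 254")
    return ipaddress.IPv4Network(f"172.16.{vlan_id}.0/24")


def dhcp_scope(vlan_id: int) -> Dict[str, str]:
    """The SVI takes .1 and is the default gateway; the scope hands out .2 to .254."""
    net = vlan_subnet(vlan_id)
    hosts = list(net.hosts())
    return {
        "network": str(net),
        "gateway": str(hosts[0]),
        "range_start": str(hosts[1]),
        "range_end": str(hosts[-1]),
        "mask": str(net.netmask),
    }


def validate_plan(plan: List[Tuple[int, str]]) -> List[str]:
    """Catch what the slides warn about: reused IDs/names, users on VLAN 1, unaddressable IDs."""
    problems: List[str] = []
    seen_ids, seen_names = set(), set()
    for vid, name in plan:
        if vid == 1:
            problems.append("vlan 1 is the default/administrative VLAN; do not put users on it")
        if vid in seen_ids:
            problems.append(f"vlan {vid}: duplicate id")
        if name in seen_names:
            problems.append(f"{name}: duplicate name")
        try:
            vlan_subnet(vid)
        except ValueError as err:
            problems.append(str(err))
        seen_ids.add(vid)
        seen_names.add(name)
    return problems


def render_config(plan: List[Tuple[int, str]]) -> str:
    """Emit the slide's two phases: define every VLAN, then one SVI per VLAN."""
    problems = validate_plan(plan)
    if problems:
        raise ValueError("; ".join(problems))
    lines = ["enable", "configure terminal"]
    for vid, name in plan:                      # steps 1-4: add and name each VLAN
        lines += [f"vlan {vid}", f" name {name}", "exit"]
    for vid, name in plan:                      # steps 5-9: SVI, address, DHCP relay, enable
        scope = dhcp_scope(vid)
        lines += [f"interface vlan {vid}",
                  f" description {name}",
                  f" ip address {scope['gateway']} {scope['mask']}",
                  f" ip helper-address {DHCP_SERVER}",
                  " no shutdown",
                  "exit"]
    lines.append("end")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_config(VLAN_PLAN))
    for vid, _ in VLAN_PLAN:
        print(vid, dhcp_scope(vid))
```

The DHCP scopes the script prints are what you configure on the DHCP server at 10.9.3.102; the switch only relays requests to it. The check on VLAN IDs above 254 is the practical limit of the "third octet is the V-LAN number" scheme inside 172.16.0.0/16.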

Page 27:

Take it Slowly . . .

Set all your switches and test your new network

Give everyone full access until all the bugs have been fixed (put an end date on this open period so it does not quietly become permanent)

Page 28:

When everything works, you’re ready to add the Security

Page 29:

Access Lists

• Access Lists are used for Security
• These lists block or allow users to reach servers or network addresses
• Users can be blocked completely, or by protocol
• Ex – Students can be blocked from accessing a server with Telnet

Page 30:

Access Lists

Specify the users you wish to block or allow by using a Wildcard Mask.

This mask identifies which bits of the address are to be checked: a 0 bit must match, a 1 bit is ignored. It is applied bit by bit, not only per octet, but when every octet is 0 or 255 it reads as:

0 = match, 255 = ignore

Example:

172.16.2.0 0.0.0.255 – ignore the last octet

matches addresses 172.16.2.0 – 172.16.2.255 (whether they are permitted or denied is the action on the line that carries the mask)

Page 31:

Access Lists

Permit the services users will need – DNS, HTTP, etc.

Deny the services you want to block

Apply the Access List to the correct V-LANs

V-LANs without an Access List will have total access. The reverse also holds: every Cisco access list ends with an implicit "deny any", so once a list is applied, anything you did not explicitly permit (DNS included) is dropped.

Page 32:

Access List Example

! permits all users access to the firewall
access-list 101 permit ip 172.16.0.0 0.0.255.255 host 10.0.0.1
! denies V-LAN #5 access to the GroupWise mail server
access-list 101 deny ip 172.16.5.0 0.0.0.255 host 10.0.0.2

Page 33:

Access List Example

! permits all hosts access to the web server, but only for HTTP (TCP port 80)
access-list 101 permit tcp 172.16.0.0 0.0.255.255 host 10.0.0.3 eq http
! applies access-list 101 to V-LAN #5; "in" filters packets entering the SVI
! from V-LAN 5 hosts, i.e. what V-LAN 5 users are allowed to reach
int vlan 5
 ip access-group 101 in

With only these three lines applied, V-LAN 5 users can reach the firewall and port 80 on the web server and nothing else: DNS, other web ports and every other server fall to the implicit deny at the end of the list. Add permit lines for the services listed on page 31 before applying it.
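To make the matching rules on pages 30 to 33 concrete, here is an added example (not from the original presentation): a small Python evaluator that parses the three access-list 101 lines, applies wildcard masks bit by bit, walks the list top-down with first match wins, and falls through to the implicit deny. The host addresses in the sample lookups (172.16.5.10 on V-LAN 5, 172.16.2.10 on V-LAN 2) and the DNS server at 10.0.0.4 are constructed; the server addresses 10.0.0.1 to 10.0.0.3 are the ones on the slides.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The access list from the slides, without the slides' trailing commentary.
ACL_101 = """
access-list 101 permit ip 172.16.0.0 0.0.255.255 host 10.0.0.1
access-list 101 deny ip 172.16.5.0 0.0.0.255 host 10.0.0.2
access-list 101 permit tcp 172.16.0.0 0.0.255.255 host 10.0.0.3 eq http
"""

PORT_NAMES = {"http": 80, "www": 80, "domain": 53, "telnet": 23, "smtp": 25}


@dataclass
class Rule:
    action: str            # "permit" or "deny"
    proto: str             # "ip" (any protocol), "tcp" or "udp"
    src: int
    src_wild: int
    dst: int
    dst_wild: int
    dport: Optional[int]   # destination port from "eq <port>", else None


def ip_int(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def wildcard_match(addr: int, base: int, wild: int) -> bool:
    """IOS wildcard semantics, bit by bit: a 0 bit must match, a 1 bit is ignored."""
    care = ~wild & 0xFFFFFFFF
    return (addr & care) == (base & care)


def parse_addr(tokens: List[str], i: int) -> Tuple[int, int, int]:
    """Read 'host A', 'any' or 'A WILDCARD' starting at tokens[i]; return (base, wild, next index)."""
    if tokens[i] == "host":
        return ip_int(tokens[i + 1]), 0, i + 2
    if tokens[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    return ip_int(tokens[i]), ip_int(tokens[i + 1]), i + 2


def parse_acl(text: str) -> List[Rule]:
    rules: List[Rule] = []
    for line in text.splitlines():
        t = line.split()
        if len(t) < 4 or t[0] != "access-list":
            continue
        action, proto = t[2], t[3]
        src, src_wild, i = parse_addr(t, 4)
        dst, dst_wild, i = parse_addr(t, i)
        dport = None
        if i + 1 < len(t) and t[i] == "eq":
            port = t[i + 1]
            dport = int(port) if port.isdigit() else PORT_NAMES[port]
        rules.append(Rule(action, proto, src, src_wild, dst, dst_wild, dport))
    return rules


def evaluate(rules: List[Rule], src: str, dst: str,
             proto: str = "ip", dport: Optional[int] = None) -> Tuple[str, Optional[int]]:
    """First matching line wins; (action, line number), or ('deny', None) for the implicit deny."""
    s, d = ip_int(src), ip_int(dst)
    for n, r in enumerate(rules, start=1):
        if r.proto != "ip" and r.proto != proto:       # "ip" lines match every protocol
            continue
        if not wildcard_match(s, r.src, r.src_wild) or not wildcard_match(d, r.dst, r.dst_wild):
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.action, n
    return "deny", None   # the implicit "deny any" at the end of every IOS ACL


RULES = parse_acl(ACL_101)

if __name__ == "__main__":
    # Constructed lookups from a V-LAN 2 host and a V-LAN 5 host.
    for args in [("172.16.2.10", "10.0.0.1"),
                 ("172.16.5.10", "10.0.0.2"),
                 ("172.16.5.10", "10.0.0.3", "tcp", 80),
                 ("172.16.5.10", "10.0.0.3", "tcp", 443),
                 ("172.16.5.10", "10.0.0.4", "udp", 53)]:
        print(args, "->", evaluate(RULES, *args))
```

The last two lookups are the ones to notice: HTTPS to the web server and DNS to a constructed DNS server both return ("deny", None), i.e. they were dropped by the implicit deny rather than by any line the administrator wrote. The wildcard_match helper also shows why the "0 = match, 255 = ignore" shorthand is only a special case: a mask of 0.0.1.255 covers 172.16.2.0 through 172.16.3.255.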

Page 34:

Enjoy Your New Network

• Security
• Multiple Broadcast Domains
• Easier Monitoring