Post on 01-Jan-2016
Virtual Local Area Networks
Should I V-LAN?
1. Security
V-LANs can restrict access to network resources
Should I V-LAN?
Access Control Lists are used to direct the availability of information
[Diagram: a Faculty V-LAN and a Students V-LAN both connect to the Student Records server – Faculty: Access Permitted, Students: Access Denied]
Should I V-LAN?
2. Broadcast Control for Increased Performance
• Reduce the size of your collision domains
• Limit broadcast traffic to similar users
Check Your Network for Broadcast Protocols
[Chart: sample protocol mix on one network – TCP 40%, UDP 10%, ARP 35%, DHCP 8%, IPX 5%, SPX 2%]
[Diagram: One Broadcast Domain vs. V-LANs form Multiple Broadcast Domains]
Should I V-LAN?
3. Network Monitoring
• Centrally configure devices in local areas
• Divide your users into logical groupings
Should I V-LAN?
Your security will improve
Your network performance will improve
How Many V-LANs?
• List Buildings
• Itemize Departments
• Remember BROADCAST CONTROL
NC State
How Many V-LANs?
Building 1: Lab 1, Lab 2, Faculty/Staff, Library, Administration
Building 2: Wireless Lab, Faculty/Staff
Building 3: Lab 3, Faculty/Staff
How Many V-LANs?
When you’re done – Add 2 More
1. A Test V-LAN for your Test Lab
2. An “Internet Only” V-LAN for all unused ports
Plus V-LAN #1 will be your default V-LAN for your administrative purposes
How Many V-LANs?
• Building 1 – 18 V-LANs
• Building 2 – 6 V-LANs
• Building 3 – 7 V-LANs
• Building 4 – 4 V-LANs
• Building 5 – 2 V-LANs
• Building 6 – 7 V-LANs
• 3 Server VLANs
• Internet Only V-LAN
• Test V-LAN
• Adm. V-LAN
• Total – 50
Equipment/Server Concerns
• You will need a trustworthy Layer 3 main switch (example: Cisco 4506)
• Unmanaged switches and hubs can contain only 1 V-LAN
• Some protocols, such as IPX & Apple, require broadcasts. These will need to be addressed.
Equipment/Server Concerns
• Each V-LAN will need its own DHCP scope.
• DNS must be reachable by every V-LAN
• User applications cannot reside on a V-LAN that will be blocked
• You must know what is connected to every port on every switch.
How Do I Begin?
Get details on your current setup:
Conduct an audit of the ports on your switches
Create a Switch Audit Form
Switch Loc. | IP Address | Manuf/Mod # | Upload Port
Port Information:
Port # | Patch # | User Loc | User Name | Printers Used | VLAN #
1 | | | | |
2 | | | | |
3 | | | | |
Set Up a Schedule
• Week 1 – Audit Bldg. 1
• Week 2 – Audit Bldg. 2
• Week 3 – Audit Bldg. 3
• Week 4 – Audit Bldg. 4
• Week 5 – Audit Bldg. 5
• Week 6 – Audit Bldg. 6
• Week 7 – Write Configuration & Access Lists – Select IP Address for Users
• Week 8 – Implementation
Add V-LANs to main switch & DHCP Scopes
Set all ports on all switches
Test PCs & Printers
Change IP’s where needed
You have a new network!
Adhere to the schedule!!
How Do I Add V-LANs to the Switches?
• Add every V-LAN to the main switch
• Add to each switch the V-LANs it will need – With some manufacturers the secondary switches will automatically read the list from the main switch
• Set each port to the correct V-LAN
Main Switch
Secondary Switches contain the V-LANs they Service
Main Switch contains all V-LANs
Set each port to the correct V-LAN
Sample Script for Main Switch
ena
config t
vlan 2
name Building1Lab1
exit
vlan 3
name Building1Lab2
exit
1. Add the V-LAN
2. Name the V-LAN
3. Exit that V-LAN
4. Add another V-LAN
Sample Script for Main Switch
5. Enter the V-LAN as an Interface
6. Give a Description to the V-LAN
7. Give an IP Address to the V-LAN
8. Give a location for DHCP for the V-LAN
9. Turn the V-LAN on
int vlan 1
description Bus Lab
ip address 172.16.1.1 255.255.255.0
ip helper-address 10.9.3.102
no shutdown
exit
int vlan 2
Remember . . .
• You must have a default IP Address for every V-LAN
• You must have a DHCP scope for every V-LAN
About those IP Addresses
• You will need an addressing scheme for your new network
• Choose it carefully so your V-LANs will be easy to identify
• Use a private address or a combination of private addresses – 10.0.0.0 – 172.16.0.0 – 192.168.0.0
About those IP Addresses
10.0.0.0 – 172.16.0.0 – 192.168.0.0
For convenience, subnet your address so that one octet carries the V-LAN number
Ex – 10.1.0.0, 10.2.0.0 – 255.255.0.0
172.16.1.0, 172.16.2.0 – 255.255.255.0
You would instantly know that the first device was on V-LAN 1, the second device on V-LAN 2
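The sample script and the addressing scheme above go together: V-LAN N gets 172.16.N.0/24, the switch takes .1, and every V-LAN relays DHCP to the same server. The following is an added example (not from the slides) that generates that main-switch configuration from a V-LAN list and reads the V-LAN number back off an address; the 172.16.0.0 base and the DHCP server 10.9.3.102 are taken from the slides, the V-LAN names are constructed.

```python
# Added example: emit the IOS lines the slides describe for each V-LAN,
# following the "third octet = V-LAN number" addressing convention.
from ipaddress import IPv4Address, IPv4Network

DHCP_SERVER = "10.9.3.102"   # DHCP server from the slides' sample script
BASE_NET = "172.16.0.0"      # private range chosen in the slides


def vlan_network(vlan_id, base=BASE_NET):
    """V-LAN N -> 172.16.N.0/24; the third octet encodes the V-LAN number."""
    if not 1 <= vlan_id <= 254:
        raise ValueError("V-LAN id must fit in the third octet")
    return IPv4Network((int(IPv4Address(base)) + (vlan_id << 8), 24))


def vlan_from_address(addr):
    """Inverse lookup: a device's V-LAN is simply its third octet."""
    return IPv4Address(addr).packed[2]


def main_switch_config(vlans, dhcp_server=DHCP_SERVER):
    """vlans: {id: name}. Returns the config lines for the main switch:
    first the VLAN definitions, then one SVI per V-LAN with its default
    gateway address and DHCP relay (the 'default IP' and 'DHCP scope'
    the slides say every V-LAN must have)."""
    lines = ["ena", "config t"]
    for vid, name in sorted(vlans.items()):          # steps 1-4 of the slides
        lines += [f"vlan {vid}", f" name {name}", "exit"]
    for vid, name in sorted(vlans.items()):          # steps 5-9 of the slides
        net = vlan_network(vid)
        gateway = net.network_address + 1            # switch owns .1
        lines += [f"int vlan {vid}",
                  f" description {name}",
                  f" ip address {gateway} {net.netmask}",
                  f" ip helper-address {dhcp_server}",
                  " no shutdown",
                  "exit"]
    return lines


if __name__ == "__main__":
    # Constructed sample: the two lab V-LANs named in the slides' script.
    print("\n".join(main_switch_config({2: "Building1Lab1", 3: "Building1Lab2"})))
```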
Take it Slowly . . .
Set all your switches and test your new network
Give everyone full access until all the bugs have been fixed
When everything works, you’re ready to add the Security
Access Lists
• Access Lists are used for Security
• These Lists block or allow users to servers or network addresses
• Users can be blocked completely – or by protocols
• Ex – Students can be blocked from accessing a server with Telnet
Access Lists
Specify the users you wish to block or allow by using a Wildcard Mask.
This mask identifies which parts of the address are to be checked.
0 = must match, 255 = ignore (the mask is applied bit by bit: 0 bits must match, 1 bits are ignored, so a whole octet of 255 ignores that octet)
Example:
172.16.2.0 0.0.0.255 – Ignore last octet
allows Addresses 172.16.2.0 – 172.16.2.255
Access Lists
Permit the services users will need – DNS, HTTP, etc.
Deny the services you want to block
Apply the Access List to the correct V-LANs
V-LANs without an Access List will have total access
Access List Example
access-list 101 permit ip 172.16.0.0 0.0.255.255 host 10.0.0.1 – permits all users access to Firewall
access-list 101 deny ip 172.16.5.0 0.0.0.255 host 10.0.0.2 – denies V-LAN #5 access to GroupWise Mail server
Access List Example
access-list 101 permit tcp 172.16.0.0 0.0.255.255 host 10.0.0.3 eq http
- Permits all hosts access to web server, but only for http
int vlan 5
ip access-group 101 in – Applies access-list to VLAN #5
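To see how the wildcard masks and access-list 101 above actually behave on traffic from V-LAN 5, here is an added example (not from the slides) that evaluates the three entries the way IOS does: top to bottom, first match wins, and anything left unmatched hits the implicit deny at the end of every list. That implicit deny is why the slides say to permit DNS and the other services users need; the sample packets are constructed.

```python
# Added example: first-match evaluation of the slides' access-list 101
# with bit-wise wildcard masks (0 bit = must match, 1 bit = ignore).
from ipaddress import IPv4Address


def wildcard_match(addr, base, wildcard):
    """True if addr equals base on every bit the wildcard mask does not ignore."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)


# access-list 101 from the slides: (action, protocol, src, src_wc, dst, dst_wc, dst_port)
ACL_101 = [
    ("permit", "ip",  "172.16.0.0", "0.0.255.255", "10.0.0.1", "0.0.0.0", None),  # all users -> Firewall
    ("deny",   "ip",  "172.16.5.0", "0.0.0.255",   "10.0.0.2", "0.0.0.0", None),  # V-LAN 5 -> Mail server
    ("permit", "tcp", "172.16.0.0", "0.0.255.255", "10.0.0.3", "0.0.0.0", 80),    # all hosts -> web, http only
]


def evaluate(acl, src, dst, proto, dport=None):
    """Return 'permit' or 'deny' for one packet against an IOS-style list."""
    for action, p, s, s_wc, d, d_wc, port in acl:
        if p != "ip" and p != proto:          # 'ip' entries match any protocol
            continue
        if not (wildcard_match(src, s, s_wc) and wildcard_match(dst, d, d_wc)):
            continue
        if port is not None and port != dport:  # 'eq http' -> TCP port 80 only
            continue
        return action                         # first matching entry decides
    return "deny"                             # implicit deny at the end of every list


if __name__ == "__main__":
    # Constructed packets from a host on V-LAN 5 (172.16.5.10).
    for dst, proto, port, what in [("10.0.0.1", "tcp", 443, "firewall"),
                                   ("10.0.0.2", "tcp", 25,  "mail server"),
                                   ("10.0.0.3", "tcp", 80,  "web server, http"),
                                   ("10.0.0.3", "tcp", 23,  "web server, telnet"),
                                   ("10.0.0.4", "udp", 53,  "DNS server, not listed")]:
        print(f"{what:26} -> {evaluate(ACL_101, '172.16.5.10', dst, proto, port)}")
```

The last line of output is the one to watch: once the list is applied to V-LAN 5, anything not explicitly permitted (DNS in this run) is dropped.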
Enjoy Your New Network
• Security
• Multiple Broadcast Domains
• Easier Monitoring