Virtual Local Area Networks


Transcript of Virtual Local Area Networks

Page 1: Virtual Local Area Networks

Virtual Local Area Networks

Page 2: Virtual Local Area Networks

Should I V-LAN?

1. Security

V-LANs can restrict access to network resources. Traffic between two V-LANs has to pass through the Layer 3 switch, and that is where access lists are applied; hosts inside the same V-LAN are not separated from one another.

Page 3: Virtual Local Area Networks

Should I V-LAN?

Access Control Lists are used to direct the availability of information

Diagram: Faculty and Students on one side, Student Records on the other

Page 4: Virtual Local Area Networks

Diagram (Hewlett-Packard switch): the Faculty V-LAN and the Students V-LAN both reach the switch in front of Student Records

Faculty V-LAN: Access Permitted

Students V-LAN: Access Denied

Page 5: Virtual Local Area Networks

Should I V-LAN?

2. Broadcast Control for Increased Performance

Reduce the size of your broadcast domains (a switch already gives every port its own collision domain; what a V-LAN shrinks is the broadcast domain)

Limit broadcast traffic to similar users

Page 6: Virtual Local Area Networks

Check Your Network for Broadcast Protocols

Sample traffic mix (chart on the slide):

TCP 40%
UDP 10%
ARP 35%
DHCP 8%
IPX 5%
SPX 2%

ARP, DHCP and IPX service advertisements are the broadcast traffic in this mix; TCP and SPX are unicast. The ARP and DHCP share is what a smaller broadcast domain cuts for each host.

Page 7: Virtual Local Area Networks

One Broadcast Domain


Page 8: Virtual Local Area Networks


V-LANs form Multiple Broadcast Domains

Page 9: Virtual Local Area Networks

Should I V-LAN?

3. Network Monitoring

Centrally configure devices in local areas

Divide your users into logical groupings

Page 10: Virtual Local Area Networks

Should I V-LAN?

Your security will improve (once access lists are applied at the V-LAN boundaries)

Your network performance will improve (smaller broadcast domains)

Page 11: Virtual Local Area Networks

How Many V-LANs?

• List Buildings
• Itemize Departments
• Remember BROADCAST CONTROL

NC State

Page 12: Virtual Local Area Networks

How Many V-LANs?

Building 1: Lab 1, Lab 2, Faculty/Staff, Library, Administration

Building 2: Wireless Lab, Faculty/Staff

Building 3: Lab 3, Faculty/Staff

Page 13: Virtual Local Area Networks

How Many V-LANs? When you're done, add 2 more

1. A Test V-LAN for your Test Lab

2. An "Internet Only" V-LAN for all unused ports (and shut those ports down until the audit assigns them; a live unused port in any V-LAN is a place for an outsider to plug in)

plus V-LAN #1 will be your default V-LAN for your administrative purposes. Note that VLAN 1 is the factory default for every port on a Cisco switch, so any port nobody configured lands in your admin V-LAN; the usual hardening advice is to keep management on a dedicated, non-default V-LAN instead.

Page 14: Virtual Local Area Networks

How Many V-LANs?

• Building 1 – 18 V-LANs
• Building 2 – 6 V-LANs
• Building 3 – 7 V-LANs
• Building 4 – 4 V-LANs
• Building 5 – 2 V-LANs
• Building 6 – 7 V-LANs

• 3 Server V-LANs
• Internet Only V-LAN
• Test V-LAN
• Adm. V-LAN

• Total – 50

Page 15: Virtual Local Area Networks

Equipment/Server Concerns

• You will need a trustworthy Layer 3 main switch (example: Cisco 4506)

• Unmanaged switches and hubs can contain only 1 V-LAN (they do not read 802.1Q tags, so the managed port feeding one must be an access port in a single V-LAN)

• Some protocols, such as IPX and AppleTalk, require broadcasts. These will need to be addressed.

Page 16: Virtual Local Area Networks

Equipment/Server Concerns

• Each V-LAN will need its own DHCP scope.
• DNS must be reachable by every V-LAN
• User applications cannot reside on a V-LAN that will be blocked
• You must know what is connected to every port on every switch.

Page 17: Virtual Local Area Networks

How Do I Begin?

Get details on your current setup:

Conduct an audit of the ports on your switches

Page 18: Virtual Local Area Networks

Create a Switch Audit Form

Switch: Loc. | IP Address | Manuf/Mod # | Upload Port

Port Information:

Port # | Patch # | User Loc | User Name | Printers Used | VLAN #
1      |         |          |           |               |
2      |         |          |           |               |
3      |         |          |           |               |

Page 19: Virtual Local Area Networks

Set Up a Schedule

• Week 1 – Audit Bldg. 1
• Week 2 – Audit Bldg. 2
• Week 3 – Audit Bldg. 3
• Week 4 – Audit Bldg. 4
• Week 5 – Audit Bldg. 5
• Week 6 – Audit Bldg. 6
• Week 7 – Write Configuration & Access Lists – Select IP Addresses for Users
• Week 8 – Implementation
  Add V-LANs to main switch & DHCP Scopes
  Set all ports on all switches
  Test PCs & Printers
  Change IPs where needed

You have a new network!

Adhere to the schedule!!

Page 20: Virtual Local Area Networks

How Do I Add V-LANs to the Switches?

• Add every V-LAN to the main switch
• Add to each switch the V-LANs it will need. With some manufacturers the secondary switches will automatically read the list from the main switch (on Cisco this is VTP). If you rely on that, set a VTP domain name and password and put switches that must not accept changes in transparent mode: any switch joining the domain with a higher configuration revision number overwrites the V-LAN list on every other switch.
• Set each port to the correct V-LAN

Page 21: Virtual Local Area Networks

Diagram: a main switch with secondary switches connected to it

Main Switch

Secondary Switches contain the V-LANs they Service

Main Switch contains all V-LANs

Set each port to the correct V-LAN
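As an added example (not from the deck), here is the last bullet made repeatable: a small Python script that reads rows of the switch audit form from page 18 and emits the port commands for one secondary switch. Each audited port is pinned to its V-LAN, unused ports go to the Internet Only V-LAN as page 13 recommends, and the uplink trunk is pruned to the V-LANs the switch services. The audit rows, the V-LAN numbers (2 and 3 for users, 49 for Internet Only, 1 for admin), the uplink port number and the FastEthernet interface naming are all constructed assumptions for this example. Forcing `switchport mode access` plus `switchport nonegotiate` on user ports stops a host from using DTP to negotiate the port into a trunk, which would let it reach every V-LAN at once.

```python
import csv
import io

# Constructed sample rows from the switch-audit form in the slides
# (Port #, Patch #, User Loc, User Name, Printers Used, VLAN #). Not real data.
# An empty VLAN # marks a port that is not in use.
AUDIT_CSV = """port,patch,user_loc,user_name,printers,vlan
1,B1-101,Rm 101,jdoe,LaserJet-101,2
2,B1-102,Rm 102,asmith,,2
3,B1-103,Lab 2,lab2-pc07,,3
4,,,,,
5,B1-105,Rm 105,printer-105,,2
"""

# Assumed values for this example; the deck does not fix them.
ADMIN_VLAN = 1                  # V-LAN #1, the deck's default/administrative V-LAN
INTERNET_ONLY_VLAN = 49         # the "Internet Only" V-LAN that unused ports go in
UPLINK_PORT = 24                # the "Upload Port" (uplink to the main switch)
SERVICED_VLANS = {2, 3}         # user V-LANs this secondary switch services
PORT_PREFIX = "FastEthernet0/"  # interface naming on the assumed switch model


def parse_audit(text):
    """Read the audit form (CSV) into a list of dicts, one per switch port."""
    return list(csv.DictReader(io.StringIO(text)))


def port_vlan(row, internet_only_vlan=INTERNET_ONLY_VLAN):
    """The V-LAN a port belongs in: the audited one, or Internet Only if unused."""
    vlan = row["vlan"].strip()
    return int(vlan) if vlan else internet_only_vlan


def build_port_config(rows, uplink_port=UPLINK_PORT, serviced=SERVICED_VLANS,
                      admin_vlan=ADMIN_VLAN, internet_only_vlan=INTERNET_ONLY_VLAN,
                      prefix=PORT_PREFIX):
    """Turn audit rows into IOS interface commands for one secondary switch.

    Every user port is forced to access mode with DTP negotiation off, so a
    host cannot talk the port into becoming a trunk, and is pinned to its
    audited V-LAN. The uplink trunk carries only the V-LANs this switch needs.
    """
    allowed = sorted(serviced | {admin_vlan, internet_only_vlan})
    lines = []
    for row in rows:
        port = int(row["port"])
        if port == uplink_port:
            raise ValueError(f"port {port} is the uplink; it must not appear as a user port")
        vid = port_vlan(row, internet_only_vlan)
        if vid not in allowed:
            raise ValueError(f"port {port}: V-LAN {vid} is not serviced by this switch")
        if row["vlan"].strip():
            desc = f"{row['user_loc']} {row['user_name']}".strip()
        else:
            desc = "UNUSED - Internet Only"
        lines += [
            f"interface {prefix}{port}",
            f" description {desc}",
            " switchport mode access",          # never negotiate a trunk with the host
            f" switchport access vlan {vid}",
            " switchport nonegotiate",          # send no DTP frames at all
            " exit",
        ]
    # Uplink: a trunk pruned to the V-LANs this switch actually services.
    # Some platforms also require "switchport trunk encapsulation dot1q" first.
    lines += [
        f"interface {prefix}{uplink_port}",
        " description Uplink to main switch",
        " switchport mode trunk",
        f" switchport trunk allowed vlan {','.join(str(v) for v in allowed)}",
        " exit",
    ]
    return lines


if __name__ == "__main__":
    print("\n".join(build_port_config(parse_audit(AUDIT_CSV))))
```

Run it and paste the output into the secondary switch's configuration mode; a port whose audited V-LAN is not on this switch's list raises an error rather than silently being created, which is how you catch a form filled in against the wrong switch.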

Page 22: Virtual Local Area Networks

Sample Script for Main Switch

ena

config t

vlan 2

name Building1Lab1

exit

vlan 3

name Building1Lab2

exit

1. Add the V-LAN

2. Name the V-LAN

3. Exit that V-LAN

4. Add another V-LAN

Page 23: Virtual Local Area Networks

Sample Script for Main Switch

5. Enter the V-LAN as an Interface

6. Give a Description to the V-LAN

7. Give an IP Address to the V-LAN

8. Give a location for DHCP for the V-LAN

9. Turn the V-LAN on

int vlan 1
description Bus Lab
ip address 172.16.1.1 255.255.255.0
ip helper-address 10.9.3.102
no shutdown
exit
int vlan 2

(The IOS keyword is ip helper-address, hyphenated. On a Catalyst Layer 3 switch also enter ip routing in global configuration, or the V-LAN interfaces will not forward traffic between each other.)

Page 24: Virtual Local Area Networks

Remember . . .

• You must have a gateway IP address (the interface vlan address) for every V-LAN

• You must have a DHCP scope for every V-LAN, and the ip helper-address on that V-LAN's interface must point at the server holding the scope

Page 25: Virtual Local Area Networks

About those IP Addresses

• You will need an addressing scheme for your new network
• Choose it carefully so your V-LANs will be easy to identify
• Use a private address or a combination of private addresses – 10.0.0.0 – 172.16.0.0 – 192.168.0.0 (the RFC 1918 blocks: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16)

Page 26: Virtual Local Area Networks

About those IP Addresses

10.0.0.0 – 172.16.0.0 – 192.168.0.0

For convenience, subnet your address so that one octet of every address is the V-LAN number.

Ex – 10.1.0.0, 10.2.0.0 with mask 255.255.0.0; or 172.16.1.0, 172.16.2.0 with mask 255.255.255.0

You would instantly know that the first device was on V-LAN 1, the second device on V-LAN 2
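The addressing scheme above and steps 1 to 9 of the main-switch script (pages 22 to 24) are mechanical once the V-LAN list exists, so here is an added Python example (not code from the deck) that derives each V-LAN's subnet, gateway and DHCP scope from the V-LAN number under the 172.16.<vlan>.0/24 scheme and emits the corresponding IOS lines. The V-LAN plan itself (which numbers and names) is a constructed assumption; the 172.16.0.0 block, the /24 per V-LAN and the DHCP server 10.9.3.102 come from the slides.

```python
import ipaddress

# Constructed plan for a handful of the deck's V-LANs. The 172.16.0.0 block,
# the /24 per V-LAN and the helper address follow the slides; which department
# gets which number, and the names, are assumed for this example.
VLAN_PLAN = [
    (1, "Adm", "Administrative (default)"),
    (2, "Building1Lab1", "Building 1 Lab 1"),
    (3, "Building1Lab2", "Building 1 Lab 2"),
    (5, "Building1Faculty", "Building 1 Faculty/Staff"),
]
DHCP_SERVER = "10.9.3.102"                    # the ip helper-address used in the deck
BASE = ipaddress.ip_network("172.16.0.0/16")  # one /24 per V-LAN inside this block
PREFIX_LEN = 24


def vlan_subnet(vid, base=BASE, prefix_len=PREFIX_LEN):
    """172.16.<vid>.0/24: the V-LAN number is the third octet of every address."""
    if not 1 <= vid <= 254:
        raise ValueError(f"V-LAN {vid} does not fit the third-octet scheme")
    return ipaddress.ip_network(f"{base.network_address + (vid << 8)}/{prefix_len}")


def vlan_of(address, base=BASE):
    """Reverse lookup: read the V-LAN number back out of a host address."""
    addr = ipaddress.ip_address(address)
    if addr not in base:
        raise ValueError(f"{address} is outside {base}")
    return (int(addr) >> 8) & 0xFF


def gateway(vid):
    """First usable address of the subnet is the V-LAN interface (default gateway)."""
    return vlan_subnet(vid).network_address + 1


def svi_config(vid, name, description, dhcp_server=DHCP_SERVER):
    """Steps 1 to 9 from the slides for one V-LAN: define it, then bring up its interface."""
    net = vlan_subnet(vid)
    return [
        f"vlan {vid}",
        f" name {name}",
        " exit",
        f"interface vlan {vid}",
        f" description {description}",
        f" ip address {gateway(vid)} {net.netmask}",
        f" ip helper-address {dhcp_server}",   # relay DHCP broadcasts to the server
        " no shutdown",
        " exit",
    ]


def dhcp_scope(vid, reserved=20):
    """Scope to create on the DHCP server: skip the gateway and a few addresses
    kept for printers and other static devices, hand out the rest."""
    net = vlan_subnet(vid)
    hosts = list(net.hosts())   # .1 through .254 for a /24
    return {
        "subnet": str(net),
        "router": str(hosts[0]),
        "start": str(hosts[reserved]),
        "end": str(hosts[-1]),
    }


def build_main_switch(plan):
    """Full main-switch script: every V-LAN, each with a routed interface."""
    ids = [vid for vid, _, _ in plan]
    if len(ids) != len(set(ids)):
        raise ValueError("duplicate V-LAN number in plan")
    # A Catalyst L3 switch needs "ip routing" before it forwards between V-LAN interfaces.
    lines = ["enable", "configure terminal", "ip routing"]
    for vid, name, description in plan:
        lines += svi_config(vid, name, description)
    lines.append("end")
    return lines


if __name__ == "__main__":
    print("\n".join(build_main_switch(VLAN_PLAN)))
    for vid, _, _ in VLAN_PLAN:
        print(vid, dhcp_scope(vid))
```

The duplicate check matters more than it looks: with 50 V-LANs across six buildings, two departments ending up on the same number would put them in one broadcast domain and behind the same access list, which is exactly the separation the project exists to create.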

Page 27: Virtual Local Area Networks

Take it Slowly . . .

Set all your switches and test your new network

Give everyone full access until all the bugs have been fixed (that is, apply no access lists yet). Keep this window short: until the lists go on, the V-LANs are only a performance and management tool, not a security boundary.

Page 28: Virtual Local Area Networks

When everything works, you’re ready to add the Security

Page 29: Virtual Local Area Networks

Access Lists

• Access Lists are used for Security
• These Lists block or allow users to servers or network addresses
• Users can be blocked completely – or by protocols
• Ex – Students can be blocked from accessing a server with Telnet

Page 30: Virtual Local Area Networks

Access Lists

Specify the users you wish to block or allow by using a Wildcard Mask.

This mask identifies which bits of the address are to be checked: a 0 bit must match, a 1 bit is ignored (so, octet by octet, 0 = match, 255 = ignore). It is the inverse of a subnet mask, not the subnet mask itself.

Example:

172.16.2.0 0.0.0.255 – Ignore last octet

matches addresses 172.16.2.0 – 172.16.2.255 (whether they are allowed or denied depends on the permit or deny keyword on that line)

Page 31: Virtual Local Area Networks

Access Lists

Permit the services users will need – DNS, HTTP, etc.

Deny the services you want to block

Apply the Access List to the correct V-LANs

V-LANs without an Access List will have total access

Lines are tested in order and the first match wins. Every access list ends with an implicit deny of anything no line matched, so once a list is applied to a V-LAN, a service you forgot to permit (DNS, DHCP, printing) is blocked.

Page 32: Virtual Local Area Networks

Access List Example

access-list 101 permit ip 172.16.0.0 0.0.255.255 host 10.0.0.1 – permits all users access to Firewall

access-list 101 deny ip 172.16.5.0 0.0.0.255 host 10.0.0.2 – denies V-LAN #5 access to GroupWise Mail server

Page 33: Virtual Local Area Networks

Access List Example

access-list 101 permit tcp 172.16.0.0 0.0.255.255 host 10.0.0.3 eq http

- Permits all hosts access to web server, but only for http

int vlan 5

ip access-group 101 in

Applies access-list 101 inbound on VLAN #5, i.e. to traffic arriving from VLAN 5 hosts; anything those hosts send that no line of the list matches is dropped by the implicit deny
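To see how the three lines above behave once applied, here is an added Python model of a Cisco numbered extended access list (example code, not from the deck or from Cisco). It parses lines in the deck's own syntax (including `host` and `eq http`), applies the wildcard-mask rule from page 30, tests lines in order, and falls through to the implicit deny. It handles only that subset of the syntax (no source port, `range` or `established`). The sample packets are constructed; the extra DNS line in the second list is an assumption, and since the DNS server's address is not on the page that line uses `any`.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Well-known names IOS accepts after "eq" (subset).
PORT_NAMES = {"http": 80, "www": 80, "https": 443, "telnet": 23, "domain": 53, "smtp": 25}

# The three lines from the slides, verbatim.
ACL_101 = [
    "access-list 101 permit ip 172.16.0.0 0.0.255.255 host 10.0.0.1",
    "access-list 101 deny ip 172.16.5.0 0.0.0.255 host 10.0.0.2",
    "access-list 101 permit tcp 172.16.0.0 0.0.255.255 host 10.0.0.3 eq http",
]
# Constructed hardened list: the deck says to permit DNS; the DNS server's
# address is not on the page, so this assumed line allows DNS to "any".
ACL_101_WITH_DNS = ACL_101 + [
    "access-list 101 permit udp 172.16.0.0 0.0.255.255 any eq domain",
]


@dataclass
class Rule:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" (any protocol), "tcp" or "udp"
    src: str
    src_wild: str
    dst: str
    dst_wild: str
    dport: Optional[int] = None  # destination port from "eq"; None = any port


def wildcard_match(addr, network, wildcard):
    """Cisco wildcard semantics: a 0 bit in the mask must match, a 1 bit is ignored."""
    a, n, w = (int(ipaddress.ip_address(x)) for x in (addr, network, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)


def _address(tokens):
    """Consume 'host A', 'any' or 'A WILDCARD'; return (network, wildcard, remaining tokens)."""
    if tokens[0] == "host":
        return tokens[1], "0.0.0.0", tokens[2:]
    if tokens[0] == "any":
        return "0.0.0.0", "255.255.255.255", tokens[1:]
    return tokens[0], tokens[1], tokens[2:]


def parse_acl_line(line):
    """Parse one numbered extended ACL line into (list number, Rule)."""
    t = line.split()
    if not t or t[0] != "access-list" or t[2] not in ("permit", "deny"):
        raise ValueError(f"not an access-list line: {line}")
    number, action, proto = int(t[1]), t[2], t[3]
    src, src_wild, rest = _address(t[4:])
    dst, dst_wild, rest = _address(rest)
    dport = None
    if rest[:1] == ["eq"]:
        dport = PORT_NAMES[rest[1]] if rest[1] in PORT_NAMES else int(rest[1])
    return number, Rule(action, proto, src, src_wild, dst, dst_wild, dport)


def load_acl(lines):
    """Parse a whole list, checking that every line carries the same list number."""
    parsed = [parse_acl_line(line) for line in lines]
    numbers = {n for n, _ in parsed}
    if len(numbers) != 1:
        raise ValueError(f"lines belong to different lists: {sorted(numbers)}")
    return [r for _, r in parsed]


def evaluate(rules, proto, src, dst, dport=None):
    """Test a packet top to bottom; first match wins. Returns (action, line number),
    with line number None when the implicit deny at the end of the list fired."""
    for lineno, r in enumerate(rules, start=1):
        if r.proto != "ip" and r.proto != proto:
            continue
        if not wildcard_match(src, r.src, r.src_wild):
            continue
        if not wildcard_match(dst, r.dst, r.dst_wild):
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.action, lineno
    return "deny", None


if __name__ == "__main__":
    # Constructed packets from a VLAN 5 host, as seen by "ip access-group 101 in" on int vlan 5.
    for rules in (load_acl(ACL_101), load_acl(ACL_101_WITH_DNS)):
        print(evaluate(rules, "tcp", "172.16.5.10", "10.0.0.1", 443))  # firewall: line 1 permits
        print(evaluate(rules, "tcp", "172.16.5.10", "10.0.0.2", 25))   # mail server: line 2 denies
        print(evaluate(rules, "tcp", "172.16.5.10", "10.0.0.3", 80))   # web server http: line 3 permits
        print(evaluate(rules, "tcp", "172.16.5.10", "10.0.0.3", 23))   # web server telnet: implicit deny
        print(evaluate(rules, "udp", "172.16.5.10", "10.0.0.9", 53))   # DNS: implicit deny until line 4 exists
```

Two things the model makes visible that the slide does not: with the three original lines, VLAN 5 hosts cannot resolve names at all, because nothing permits DNS before the implicit deny; and the `deny` on line 2 is not what keeps another V-LAN off the mail server. A host on VLAN 2 sending to 10.0.0.2 is also denied, by the implicit deny, if the same list were ever applied to VLAN 2.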

Page 34: Virtual Local Area Networks

Enjoy Your New Network

• Security
• Multiple Broadcast Domains
• Easier Monitoring