I love IT when a VLAN comes together…

VLAN Basics
Jason Baker, VHB

Jason Baker is an IT “Jack of All Trades” with a people-oriented approach, excellent analytical and troubleshooting skills, and project management experience for large-scale IT conversions. Jason has over 16 years of experience in information technology planning and implementation, hardware & software installation, training, troubleshooting, repair and maintenance, and network design, deployment, and management.

VLAN Basics

• Describe broadcast traffic on a LAN and how this can cause issues as networks scale up.
• Describe how VLANs break up broadcast domains and what problems that will fix... and what problems it won't.
• Demonstrate a basic VLAN setup
• Q & A

#SPICEWORLD2016

What is a VLAN?

• A virtual LAN (VLAN) is any broadcast domain that is partitioned and isolated in a computer network at the data link layer (OSI layer 2). LAN is an abbreviation for local area network. To subdivide a network into virtual LANs, one configures network equipment. - https://en.wikipedia.org/wiki/Virtual_LAN
• A VLAN is a group of devices on one or more LANs that are configured to communicate as if they were attached to the same wire, when in fact they are located on a number of different LAN segments. Because VLANs are based on logical instead of physical connections, they are extremely flexible. - http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/12-2/25ew/configuration/guide/conf/vlans.html

How is a VLAN like The A-Team?

• Production
• Voice over IP
• Network management
• Storage area network (SAN)
• Guest network
• Demilitarized zone (DMZ)
• Client separation (ISP, in a large facility, or in a datacenter)

What Is Broadcast Traffic?

“In computer networking, broadcast traffic is a type of data sent to all computers and devices on a network or subnetwork. It is used in situations where all possible network destinations need to be reached or when the address of a specific computer is unknown.” - http://www.wisegeek.com/what-is-broadcast-traffic.htm

“Broadcasts are frames sent to all devices on a switch, and in many cases, a normal and frequent function. A broadcast domain is the set of all devices that receive a broadcast. Small LANs are typically equivalent to a single broadcast domain.” - http://www.smallnetbuilder.com/lanwan/lanwan-howto/30071-vlan-how-to-segmenting-a-small-lan?start=1

Types of Broadcast Traffic

• ARP (Address Resolution Protocol) broadcast
• DHCP (Dynamic Host Configuration Protocol) requests
• IP
• Switch “unicast flooding” of frames to find a destination MAC

How do broadcasts affect performance?

• “In a network based on broadcasts to all listeners to find peers, as the number of peers on a network grows, the frequency of broadcasts also increases, potentially to a point such that much of the network time and capacity is occupied with sending broadcasts exclusively among all members.” - https://en.wikipedia.org/wiki/Virtual_LAN

• “Broadcasts can eat up considerable bandwidth on your LAN and they also use processing power. Every device in the LAN receives broadcasts and must read and determine whether or not to respond to each broadcast. As the number of devices in your LAN grows, so will the volume of broadcast traffic.” - http://www.smallnetbuilder.com/lanwan/lanwan-howto/30071-vlan-how-to-segmenting-a-small-lan?start=1

Breaking up broadcast domains

• Traditionally: Routers
• Routers operate at Layer 3, forwarding packets based on IP addresses, not MAC addresses. A router will receive a frame on its interface, strip off the MAC address, and make a routing decision based on the originating and destination IP addresses.

Breaking up broadcast domains using VLANs

• Broadcasts are propagated within a VLAN, but not between VLANs.
• VLANs can help reduce network traffic by forming multiple broadcast domains, to break up a large network into smaller independent segments with fewer broadcasts being sent to every device on the overall network.

Advantages of Using VLANs

• Reduced congestion: Improved performance is achieved, because on a segmented network there are fewer hosts per subnetwork, thus minimizing local traffic
• Improved security: Broadcasts will be contained to the local network. Internal network structure will not be visible from outside
• Containing network problems: Limiting the effect of local failures on other parts of the network
• Controlling visitor access: Visitor access to the network can be controlled by implementing VLANs to segregate the network. - https://en.wikipedia.org/wiki/Network_segmentation

Security concerns

As networked devices of all types proliferate:
• Computers, printers, scanners…
• VOIP
• Security Cameras, Building Access Controls
• HVAC systems, lighting systems
• Industrial Control Systems, Supervisory control and data acquisition (SCADA)

So do the risks:
• “Target breach happened because of a basic network segmentation error” - http://www.computerworld.com/article/2487425/cybercrime-hacking/target-breach-happened-because-of-a-basic-network-segmentation-error.html
• “Home Depot should have had the POS environment in its own restricted virtualized local area network (VLAN)” - https://www.sans.org/reading-room/whitepapers/casestudies/case-study-home-depot-data-breach-36367
• “In late December, three Ukrainian energy companies had their operations disrupted, causing a loss of power to 225,000 customers.” - http://searchsecurity.techtarget.com/feature/Proper-network-segments-may-prevent-the-next-breach

What can VLANs do for you… and what they can’t

Can:
• Allow you to control communication between VLANs at Layer 3
• Reduce impacts of scaling
• Connect devices logically
• Configure Quality of Service (QOS) for VOIP

Can’t:
• Prevent all access or communications between broadcast domains
• Provide adequate security for critical systems
• Solve bandwidth problems
• Compensate for inadequate physical infrastructure

How do VLANs actually work?

• Each VLAN is identified by an ID, which is a number.
• Each port on the switch is designated as Tagged, Untagged or Excluded in each VLAN.
• If a port is Tagged, the switch will add the VLAN ID to the header of any packets sent on that interface. Tagged packets are only understood by network equipment that is VLAN aware.
• If a port is Untagged, the switch will not add the VLAN ID to the header of packets sent on that interface and will remove any VLAN IDs from packets that came in on a Tagged interface.
• If a port is Excluded from a VLAN, packets with that VLAN ID will never be sent out on that port.
• If a port is marked Untagged on one VLAN, it will be excluded from all other VLANs. In other words, an Untagged interface can only be a part of one VLAN at a time.
• A port can be marked as Tagged on any number of VLANs.

What is VLAN Tagging?

• VLAN Tagging is the practice of inserting a VLAN ID into a packet header in order to identify which VLAN (Virtual Local Area Network) the packet belongs to. More specifically, switches use the VLAN ID to determine which port(s), or interface(s), to send a broadcast packet to.
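The Tagged / Untagged / Excluded rules and the tag insertion and stripping described above, as an added Python example that is not part of the presentation. The 4-byte 802.1Q tag layout (TPID 0x8100, then PCP/DEI/VID) is standard; the port table and frames are constructed here for illustration.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q tag


def parse_frame(frame):
    """Split an Ethernet frame into (dst, src, vid, ethertype, payload); vid is None when untagged."""
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != TPID_8021Q:
        return dst, src, None, ethertype, frame[14:]
    tci, ethertype = struct.unpack("!HH", frame[14:18])  # TCI = PCP(3 bits) | DEI(1) | VID(12)
    return dst, src, tci & 0x0FFF, ethertype, frame[18:]


def build_frame(dst, src, ethertype, payload, vid=None, pcp=0):
    """Assemble a frame, inserting a 4-byte 802.1Q tag only when a VLAN ID is given."""
    tag = b"" if vid is None else struct.pack("!HH", TPID_8021Q, (pcp << 13) | (vid & 0x0FFF))
    return dst + src + tag + struct.pack("!H", ethertype) + payload


# Constructed port table: a port is Untagged on at most one VLAN and Tagged on any number;
# a VLAN that appears in neither field is Excluded on that port.
PORTS = {
    "access-pc":    {"untagged": 10, "tagged": set()},
    "access-phone": {"untagged": 20, "tagged": set()},
    "trunk-uplink": {"untagged": None, "tagged": {10, 20}},
    "guest-ap":     {"untagged": 30, "tagged": set()},
}


def forward_broadcast(ingress_port, frame, ports=PORTS):
    """Classify an ingress frame into a VLAN and return {egress_port: frame} for a broadcast."""
    dst, src, vid, ethertype, payload = parse_frame(frame)
    member = ports[ingress_port]
    if vid is None:
        vid = member["untagged"]        # untagged ingress is placed in the port's own VLAN
        if vid is None:
            return {}                   # trunk with no untagged VLAN: untagged frame is dropped
    elif vid not in member["tagged"]:
        return {}                       # tagged frame for a VLAN this port is Excluded from
    out = {}
    for name, m in ports.items():
        if name == ingress_port:
            continue
        if m["untagged"] == vid:
            out[name] = build_frame(dst, src, ethertype, payload)           # Untagged: strip tag
        elif vid in m["tagged"]:
            out[name] = build_frame(dst, src, ethertype, payload, vid=vid)  # Tagged: carry VID
        # otherwise the port is Excluded from this VLAN and the broadcast is not sent there
    return out
```

Running `forward_broadcast("access-pc", frame)` on an untagged broadcast shows it leaving only on the trunk, now carrying VID 10, while the phone and guest ports never see it.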

What is Trunking?

• VLAN-enabled ports are generally categorized in one of two ways, tagged or untagged. These may also be referred to as "trunk" or "access" respectively.
• The purpose of a tagged or "trunked" port is to pass traffic for multiple VLANs, whereas an untagged or "access" port accepts traffic for only a single VLAN.
• Generally speaking, trunk ports will link switches, and access ports will link to end devices.

Configuring VLANs

• Port assignment: The default method specified in 802.1Q is to assign ports explicitly to VLANs within the switch.

• MAC address: An administrator can build a table of MAC address/VLAN pairs within the switch.

• IP Subnet: Assign each VLAN an IP address scope.

• Dynamic assignment: Authenticating a user’s group membership as managed by a service, usually consisting of RADIUS and a user directory.

• Device assignment: VLAN-configured end-point network interface card.

• Protocols: Assign packets to VLANs based on the protocol used.

• Applications: Assign a packet to a VLAN based on the nature of the packet payload.

Port Assignment

• Trunk mode allows ONE untagged VLAN and multiple tagged VLANs to exist on the same switch interface.
• Access mode allows only one untagged VLAN to exist on a switch interface.
• General mode allows multiple untagged VLANs and also multiple tagged VLANs to exist on the same switch interface.

How to do it: depends on your switch.

• To change the VLAN for a COS device, use the set vlan command, followed by the VLAN number, and then the port or ports that should be added to that VLAN. VLAN assignments such as this are considered static because they do not change unless the administrator changes the VLAN configuration.
• For the IOS device, you must first select the port (or port range for integrated IOS) and then use the switchport access vlan command followed by the VLAN number.

NOTE: All ports are assigned to VLAN 1 by default. Ports are active only if they are assigned to VLANs that exist on the switch.

Questions? Thank you!!!