Introducing VLAN
Click the Many Buildings button in the figure.
A year later, the college has grown and now has three buildings. In the figure, the original network is the same, but student and faculty computers are spread out across three buildings. The student dorms remain on the fifth floor and the faculty offices remain on the third floor. However, now the IT department wants to ensure that student computers all share the same security features and bandwidth controls. How can the network accommodate the shared needs of the geographically separated departments? Do you create a large LAN and wire each department together? How easy would it be to make changes to that network? It would be great to group the people with the resources they use regardless of their geographic location, and it would make it easier to manage their specific security and bandwidth needs.
VLAN Overview
The solution for the community college is to use a networking technology called a virtual LAN (VLAN). A VLAN allows a network administrator to create groups of logically networked devices that act as if they are on their own independent network, even if they share a common infrastructure with other VLANs. When you configure a VLAN, you can name it to describe the primary role of the users for that VLAN. As another example, all of the student computers in a school can be configured in the "Student" VLAN. Using VLANs, you can logically segment switched networks based on functions, departments, or project teams. You can also use a VLAN to geographically structure your network to support the growing reliance of companies on home-based workers. In the figure, one VLAN is created for students and another for faculty. These VLANs allow the network administrator to implement access and security policies to particular groups of users. For example, the faculty, but not the students, can be allowed access to e-learning management servers for developing online course materials.
Click the Details button in the figure.
VLAN Details
A VLAN is a logically separate IP subnetwork. VLANs allow multiple IP networks and subnets to exist on the same switched network. The figure shows a network with three computers. For computers to communicate on the same VLAN, each must have an IP address and a subnet mask that is consistent for that VLAN. The switch has to be configured with the VLAN and each port in the VLAN must be assigned to the VLAN. A switch port with a singular VLAN configured on it is called an access port. Remember, just because two computers are physically connected to the same switch does not mean that they can communicate. Devices on two separate networks and subnets must communicate via a router (Layer 3), whether or not VLANs are used. You do not need VLANs to have multiple networks and subnets on a switched network, but there are definite advantages to using VLANs.
Benefits of a VLAN
User productivity and network adaptability are key drivers for business growth and success. Implementing VLAN technology enables a network to more flexibly support business goals. The primary benefits of using VLANs are as follows:
- Security - Groups that have sensitive data are separated from the rest of the network, decreasing the chances of confidential information breaches. Faculty computers are on VLAN 10 and completely separated from student and guest data traffic.
- Cost reduction - Cost savings result from less need for expensive network upgrades and more efficient use of existing bandwidth and uplinks.
- Higher performance - Dividing flat Layer 2 networks into multiple logical workgroups (broadcast domains) reduces unnecessary traffic on the network and boosts performance.
- Broadcast storm mitigation - Dividing a network into VLANs reduces the number of devices that may participate in a broadcast storm. As discussed in the "Configure a Switch" chapter, LAN segmentation prevents a broadcast storm from propagating to the whole network. In the figure you can see that although there are six computers on this network, there are only three broadcast domains: Faculty, Student, and Guest.
- Improved IT staff efficiency - VLANs make it easier to manage the network because users with similar network requirements share the same VLAN. When you provision a new switch, all the policies and procedures already configured for the particular VLAN are implemented when the ports are assigned. It is also easy for the IT staff to identify the function of a VLAN by giving it an appropriate name. In the figure, for easy identification VLAN 20 could be named "Student", VLAN 10 could be named "Faculty", and VLAN 30 "Guest."
- Simpler project or application management - VLANs aggregate users and network devices to support business or geographic requirements. Having separate functions makes managing a project or working with a specialized application easier, for example, an e-learning development platform for faculty. It is also easier to determine the scope of the effects of upgrading network services.
VLAN ID Ranges
Access VLANs are divided into either a normal range or an extended range.
Used in small- and medium-sized business and enterprise networks.
Identified by a VLAN ID between 1 and 1005.
IDs 1002 through 1005 are reserved for Token Ring and FDDI VLANs.
IDs 1 and 1002 to 1005 are automatically created and cannot be removed. You will learn more about VLAN 1 later in this chapter.
Configurations are stored within a VLAN database file, called vlan.dat. The vlan.dat file is located in the flash memory of the switch.
The VLAN trunking protocol (VTP), which helps manage VLAN configurations between switches, can only learn normal range VLANs and stores them in the VLAN database file.
Extended Range VLANs
Enable service providers to extend their infrastructure to a greater number of customers. Some global enterprises could be large enough to need extended range VLAN IDs.
Are identified by a VLAN ID between 1006 and 4094.
Support fewer VLAN features than normal range VLANs.
Are saved in the running configuration file.
VTP does not learn extended range VLANs.
255 VLANs Configurable
One Cisco Catalyst 2960 switch can support up to 255 normal range and extended range VLANs, although the number configured affects the performance of the switch hardware. Because an enterprise network may need a switch with a lot of ports, Cisco has developed enterprise-level switches that can be joined or stacked together to create a single switching unit consisting of nine separate switches. Each separate switch can have 48 ports, which totals 432 ports on a single switching unit. In this case, the 255 VLAN limit per single switch could be a constraint for some enterprise customers.
Today there is essentially one way of implementing VLANs - port-based VLANs. A port-based VLAN is associated with a port called an access VLAN.
However in the network there are a number of terms for VLANs. Some terms define the type of network traffic they carry and others define a specific function a VLAN performs. The following describes common VLAN terminology:
Rollover the Data VLAN button in the figure.
Data VLAN
A data VLAN is a VLAN that is configured to carry only user-generated traffic. A VLAN could carry voice-based traffic or traffic used to manage the switch, but this traffic would not be part of a data VLAN. It is common practice to separate voice and management traffic from data traffic. The importance of separating user data from switch management control data and voice traffic is highlighted by the use of a special term used to identify VLANs that only carry user data - a "data VLAN". A data VLAN is sometimes referred to as a user VLAN.
Rollover the Default VLAN button in the figure.
Default VLAN
All switch ports become a member of the default VLAN after the initial boot up of the switch. Having all the switch ports participate in the default VLAN makes them all part of the same broadcast domain. This allows any device connected to any switch port to communicate with other devices on other switch ports. The default VLAN for Cisco switches is VLAN 1. VLAN 1 has all the features of any VLAN, except that you cannot rename it and you can not delete it. Layer 2 control traffic, such as CDP and spanning tree protocol traffic, will always be associated with VLAN 1 - this cannot be changed. In the figure, VLAN 1 traffic is forwarded over the VLAN trunks connecting the S1, S2, and S3 switches. It is a security best practice to change the default VLAN to a VLAN other than VLAN 1; this entails configuring all the ports on the switch to be associated with a default VLAN other than VLAN 1. VLAN trunks support the transmission of traffic from more than one VLAN. Although VLAN trunks are mentioned throughout this section, they are explained in the next section on VLAN trunking.
Note: Some network administrators use the term "default VLAN" to mean a VLAN other than VLAN 1 defined by the network administrator as the VLAN that all ports are assigned to when they are not in use. In this case, the only role that VLAN 1 plays is that of handling Layer 2 control traffic for the network.
Rollover the Native VLAN button in the figure.
Native VLAN
A native VLAN is assigned to an 802.1Q trunk port. An 802.1Q trunk port supports traffic coming from many VLANs (tagged traffic) as well as traffic that does not come from a VLAN (untagged traffic). The 802.1Q trunk port places untagged traffic on the native VLAN. In the figure, the native VLAN is VLAN 99. Untagged traffic is generated by a computer attached to a switch port that is configured with the native VLAN. Native VLANs are set out in the IEEE 802.1Q specification to maintain backward compatibility with untagged traffic common to legacy LAN scenarios. For our purposes, a native VLAN serves as a common identifier on opposing ends of a trunk link. It is a best practice to use a VLAN other than VLAN 1 as the native VLAN.
Rollover the Management VLAN button in the figure.
Management VLAN
A management VLAN is any VLAN you configure to access the management capabilities of a switch. VLAN 1 would serve as the management VLAN if you did not proactively define a unique VLAN to serve as the management VLAN. You assign the management VLAN an IP address and subnet mask. A switch can be managed via HTTP, Telnet, SSH, or SNMP. Since the out-of-the-box configuration of a Cisco switch has VLAN 1 as the default VLAN, you see that VLAN 1 would be a bad choice as the management VLAN; you wouldn't want an arbitrary user connecting to a switch to default to the management VLAN. Recall that you configured the management VLAN as VLAN 99 in the Basic Switch Concepts and Configuration chapter.
Tidak ada komentar:
Posting Komentar