This is a great piece of information. Thank You Ben..
On Tue, Oct 27, 2009 at 9:11 PM, Ben Scott <[email protected]> wrote: > Someone was asking VLAN questions, so I decided to re-post this. > I've also updated it to reflect our successful VoIP deployment. > > PROTOCOL CONCEPTS > > We have regular "untagged" Ethernet frames. ("Frame" is the > data-link (layer 2) term for what some protocols calls a "packet" or > "datagram".) These are the same Ethernet frames from before VLANs > were invented. > > Then we have "tagged" frames. These take a regular Ethernet frame > and add a marker -- the "tag". The tag itself contains the VLAN > number (along with a priority code). Thus, a tagged frame is > associated with a particular VLAN number. > > Inside the frame, the tag is basically just a reserved Ethernet > frame type, followed by the tag information, followed by the rest of > the original frame (complete with its original frame type). So to > network nodes which are *not* VLAN aware, a tagged frame looks just > like a regular Ethernet frame, but with an "unknown" frame type. > > For computers, a VLAN-aware network stack will usually turn each > VLAN into a separate network interface, as if each VLAN was a > different network card with a different cable. The "stock" network > stack included with Win 2000/XP does *not* include VLAN capability, so > they can only handle untagged frames. Tagged frames will generally be > silently ignored. Third-party software (often included with high-end > network cards) can add VLAN capability. I'm not sure about > 2003/Vista/2008. > > Switches which are not VLAN-aware, along with any repeaters, will > treat tagged frames exactly like they do any other frame. > > SWITCH CONCEPTS > > Switches which are VLAN-aware generally let you control which ports > are associated with which VLAN(s). The terminology, commands, etc., > will vary with manufacturer. I'm most familiar with the HP ProCruve > managed witches, so I'll speak mostly to that. The concepts should > carry over to other manufacturers. Hopefully others can chime in with > specifics. > > With HP, you can tell the switch that each VLAN is tagged, untagged, > or not available for each port. Internally, frames are *always* > associated a VLAN number. The configuration just tells the switch > which VLANs go with which ports, and which VLAN number to use for > untagged frames. > > When the switch receives an untagged frame, it needs to know what > VLAN to associate it with. If the port has an untagged VLAN > associated it, the fame will go to that VLAN. If there is no untagged > VLAN associated with the port, the frame is dropped. This is why a > port can have (at most) one untagged VLAN associated with it -- how > could the switch know which one to use otherwise? > > When the switch receives a tagged frame, it simply checks to see if > that VLAN is associated with the port. If so, it accepts it; if not, > it drops it. This is basically just an access control mechanism. > > When the switch has a frame to *transmit*, it only considers ports > which are associated with the frame's VLAN. If a port is configured > as tagged for the frame's VLAN, it transmits the frame with the VLAN > tag. If a port is configured as untagged for the VLAN, the frame is > transmitted on that port without a VLAN tag. > > APPLICATIONS > > Okay, enough conceptual stuff, how do we use it? > > At %DAYJOB%, we've got VLANs as follows: > > 1 – Reserved > 2 – Main company private network > 3 – Guest network > 4 – ISP uplink > 5 – IP telephony > > I am using separate VLANs for security, manageability, and > robustness. I don't want guests to be able to probe/sniff/screw-up > the corporate network. I don't want the cable modem link (which is > full of garbage traffic from other subscribers) on the main > LAN. I want the phones to have higher priority over > regular data, and to have their own DHCP server, so if the "data > side" of the house goes down, we still have phones. > > We don't use VLAN 1 because that's the default on most things, and > to avoid confusion we avoid it. > > VLAN 2 is where most traffic is. Most ports are configured as > untagged for VLAN 2. The computers, printers, etc., plugged into > those ports aren't even aware they are on a VLAN. All the employee > workstations are like this, as are most servers. The syntax to > configure this is easy. For example, if I want port 1 to be untagged > for VLAN 2 like this: > > vlan 2 untagged 1 > > VLAN 3 is for guests (visitors). For obvious reasons, we don't let > them plug in to our main network. They get a separate IP subnet, a > separate DHCP server, and bypass much of our network filtering. This > is also where our wireless access points connect (employees use > VPN-over-wireless). Again, all untagged, and connected nodes are not > aware of the VLAN. > > VLAN 4 exists because we've got a cable Internet feed we use for > employee web browsing. Circumstances meant the cable modem had to go > in a different building from the main server/network room. (We have > another feed for important stuff; that terminates in the server room.) > So the cable modem plugs into a particular switch port, which uses > VLAN 4 to carry it to our firewall in a different building. Again, > untagged, unaware. > > VLAN 5 is for premises voice-over-IP. The phones include a built-in > switch for "daisy chain", and are VLAN-aware. Switch ports connected > to phones are tagged for VLAN 5 and untagged for VLAN 2, so you can > plug a PC (not VLAN aware) into the phone. Traffic is kept separate, > and voice traffic is given priority. The central equipment has an > Ethernet port which we connect to one of our switches, with that > switch port untagged for VLAN 5. So the central equipment just thinks > it is talking to a regular LAN. > > For example, support port 20 was the central phone equipment, and > port 7 had a VoIP phone. We would do: > > vlan 2 untagged 7 > vlan 5 tagged 7 > vlan 5 untagged 20 > > For links between switches, each VLAN is configured as *tagged* for > those ports, with *no* untagged VLAN. Those ports are only used to > carry traffic between VLAN-aware switches. (Cisco would call this a > "trunk port", IIRC.) The HP syntax for (e.g.) port 24 as a switch > link would be: > > vlan 2 tagged 24 > vlan 3 tagged 24 > vlan 4 tagged 24 > vlan 5 tagged 24 > > Finally, our firewall, which *is* VLAN-aware, is configured as > tagged for all VLANs on its port, with no untagged VLAN. Virtual > network interfaces are configured in the firewall OS, and all the IP > configuration and filtering rules are done with those virtual > interfaces, not the physical interface. This also means our firewall > only has one network cable plugged into it. Configures the same as a > switch link, really. > > Hope this helps someone! > > ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ > ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ > > ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
