> From a call center perspective, we have a different VLAN for each business unit, partially for security, but more to limit a DoS from a broadcast storm caused by a bad NIC, bad wire, etc. That way it only affects a single business unit, and not the whole call center.
-----Original Message-----
From: Ben Scott [mailto:[email protected]]
Sent: Tuesday, October 27, 2009 6:11 PM
To: NT System Admin Issues
Subject: VLAN concepts and applications

Someone was asking VLAN questions, so I decided to re-post this. I've also updated it to reflect our successful VoIP deployment.

PROTOCOL CONCEPTS

We have regular "untagged" Ethernet frames. ("Frame" is the data-link (layer 2) term for what some protocols call a "packet" or "datagram".) These are the same Ethernet frames from before VLANs were invented.

Then we have "tagged" frames. These take a regular Ethernet frame and add a marker -- the "tag". The tag itself contains the VLAN number (along with a priority code). Thus, a tagged frame is associated with a particular VLAN number.

Inside the frame, the tag is basically just a reserved Ethernet frame type, followed by the tag information, followed by the rest of the original frame (complete with its original frame type). So to network nodes which are *not* VLAN aware, a tagged frame looks just like a regular Ethernet frame, but with an "unknown" frame type.

For computers, a VLAN-aware network stack will usually turn each VLAN into a separate network interface, as if each VLAN was a different network card with a different cable. The "stock" network stack included with Win 2000/XP does *not* include VLAN capability, so they can only handle untagged frames. Tagged frames will generally be silently ignored. Third-party software (often included with high-end network cards) can add VLAN capability. I'm not sure about 2003/Vista/2008.

Switches which are not VLAN-aware, along with any repeaters, will treat tagged frames exactly like they do any other frame.

SWITCH CONCEPTS

Switches which are VLAN-aware generally let you control which ports are associated with which VLAN(s). The terminology, commands, etc., will vary with manufacturer. I'm most familiar with the HP ProCurve managed switches, so I'll speak mostly to that. The concepts should carry over to other manufacturers. Hopefully others can chime in with specifics.

With HP, you can tell the switch that each VLAN is tagged, untagged, or not available for each port. Internally, frames are *always* associated with a VLAN number. The configuration just tells the switch which VLANs go with which ports, and which VLAN number to use for untagged frames.

When the switch receives an untagged frame, it needs to know what VLAN to associate it with. If the port has an untagged VLAN associated with it, the frame will go to that VLAN. If there is no untagged VLAN associated with the port, the frame is dropped. This is why a port can have (at most) one untagged VLAN associated with it -- how could the switch know which one to use otherwise?

When the switch receives a tagged frame, it simply checks to see if that VLAN is associated with the port. If so, it accepts it; if not, it drops it. This is basically just an access control mechanism.

When the switch has a frame to *transmit*, it only considers ports which are associated with the frame's VLAN. If a port is configured as tagged for the frame's VLAN, it transmits the frame with the VLAN tag. If a port is configured as untagged for the VLAN, the frame is transmitted on that port without a VLAN tag.

APPLICATIONS

Okay, enough conceptual stuff, how do we use it? At %DAYJOB%, we've got VLANs as follows:

  1 - Reserved
  2 - Main company private network
  3 - Guest network
  4 - ISP uplink
  5 - IP telephony

I am using separate VLANs for security, manageability, and robustness. I don't want guests to be able to probe/sniff/screw-up the corporate network. I don't want the cable modem link (which is full of garbage traffic from other subscribers) on the main LAN. I want the phones to have higher priority over regular data, and to have their own DHCP server, so if the "data side" of the house goes down, we still have phones.

We don't use VLAN 1 because that's the default on most things, and to avoid confusion we avoid it.

VLAN 2 is where most traffic is. Most ports are configured as untagged for VLAN 2. The computers, printers, etc., plugged into those ports aren't even aware they are on a VLAN. All the employee workstations are like this, as are most servers. The syntax to configure this is easy. For example, if I want port 1 to be untagged for VLAN 2, it's like this:

  vlan 2 untagged 1

VLAN 3 is for guests (visitors). For obvious reasons, we don't let them plug into our main network. They get a separate IP subnet, a separate DHCP server, and bypass much of our network filtering. This is also where our wireless access points connect (employees use VPN-over-wireless). Again, all untagged, and connected nodes are not aware of the VLAN.

VLAN 4 exists because we've got a cable Internet feed we use for employee web browsing. Circumstances meant the cable modem had to go in a different building from the main server/network room. (We have another feed for important stuff; that terminates in the server room.) So the cable modem plugs into a particular switch port, which uses VLAN 4 to carry it to our firewall in a different building. Again, untagged, unaware.

VLAN 5 is for premises voice-over-IP. The phones include a built-in switch for "daisy chain", and are VLAN-aware. Switch ports connected to phones are tagged for VLAN 5 and untagged for VLAN 2, so you can plug a PC (not VLAN aware) into the phone. Traffic is kept separate, and voice traffic is given priority. The central equipment has an Ethernet port which we connect to one of our switches, with that switch port untagged for VLAN 5. So the central equipment just thinks it is talking to a regular LAN. For example, suppose port 20 was the central phone equipment, and port 7 had a VoIP phone. We would do:

  vlan 2 untagged 7
  vlan 5 tagged 7
  vlan 5 untagged 20

For links between switches, each VLAN is configured as *tagged* for those ports, with *no* untagged VLAN. Those ports are only used to carry traffic between VLAN-aware switches. (Cisco would call this a "trunk port", IIRC.) The HP syntax for (e.g.) port 24 as a switch link would be:

  vlan 2 tagged 24
  vlan 3 tagged 24
  vlan 4 tagged 24
  vlan 5 tagged 24

Finally, our firewall, which *is* VLAN-aware, is configured as tagged for all VLANs on its port, with no untagged VLAN. Virtual network interfaces are configured in the firewall OS, and all the IP configuration and filtering rules are done with those virtual interfaces, not the physical interface. This also means our firewall only has one network cable plugged into it. Configures the same as a switch link, really.

Hope this helps someone!

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
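The tag layout and the tagged/untagged port rules from the post above can be checked with a small model. The following is an added example, not code from the post or from HP; it builds and parses 802.1Q tags (EtherType 0x8100, 3-bit priority, 12-bit VLAN id) and applies the ingress and egress rules exactly as the post states them (untagged frame takes the port's untagged VLAN or is dropped; tagged frame accepted only if the port is a member; transmitted tagged or untagged per the egress port's setting). The port numbers, MAC addresses and payloads are constructed to mirror the %DAYJOB% layout (PC on port 1, phone on 7, phone system on 20, switch link on 24); the model floods to every member port and does no MAC learning, which is an assumption made to keep the VLAN boundaries visible.

```python
"""Toy model of 802.1Q tagging and the HP-style tagged/untagged port rules."""
import struct

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q tag


def parse_frame(raw: bytes) -> dict:
    """Split an Ethernet frame into fields; 'vlan' is None for untagged frames."""
    if len(raw) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src = raw[:6], raw[6:12]
    ethertype = struct.unpack("!H", raw[12:14])[0]
    if ethertype != TPID_8021Q:
        return {"vlan": None, "pcp": 0, "dst": dst, "src": src,
                "ethertype": ethertype, "payload": raw[14:]}
    if len(raw) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, inner = struct.unpack("!HH", raw[14:18])  # TCI = PCP(3) | DEI(1) | VID(12)
    return {"vlan": tci & 0x0FFF, "pcp": tci >> 13, "dst": dst, "src": src,
            "ethertype": inner, "payload": raw[18:]}


def build_frame(dst, src, ethertype, payload, vlan=None, pcp=0) -> bytes:
    """Build an untagged frame, or insert a tag after the source MAC when vlan is set."""
    if vlan is None:
        return dst + src + struct.pack("!H", ethertype) + payload
    tci = ((pcp & 0x7) << 13) | (vlan & 0x0FFF)
    return dst + src + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload


class VlanSwitch:
    """Per port, each VLAN is tagged, untagged (at most one), or absent.
    Assumption: no MAC learning; frames are flooded to every other member port."""

    def __init__(self):
        self.tagged = {}    # port -> set of VLAN ids sent with a tag
        self.untagged = {}  # port -> the single VLAN id used for untagged frames

    def vlan_tagged(self, vid, port):
        self.tagged.setdefault(port, set()).add(vid)

    def vlan_untagged(self, vid, port):
        if self.untagged.get(port, vid) != vid:  # only one untagged VLAN per port
            raise ValueError(f"port {port} already has untagged VLAN {self.untagged[port]}")
        self.untagged[port] = vid

    def configure(self, text):
        """Accept 'vlan <id> tagged|untagged <port>' lines in the HP style of the post."""
        for line in text.strip().splitlines():
            _, vid, mode, port = line.split()
            getattr(self, "vlan_" + mode)(int(vid), int(port))

    def ingress_vlan(self, port, frame):
        """Classify a received frame: its VLAN id, or None if the switch drops it."""
        if frame["vlan"] is None:
            return self.untagged.get(port)              # no untagged VLAN -> drop
        if frame["vlan"] in self.tagged.get(port, ()):  # tag admitted only for members
            return frame["vlan"]
        return None

    def forward(self, in_port, raw):
        """Return {port: bytes} for every port that should transmit the frame."""
        frame = parse_frame(raw)
        vid = self.ingress_vlan(in_port, frame)
        if vid is None:
            return {}
        out = {}
        for port in sorted(set(self.tagged) | set(self.untagged)):
            if port == in_port:
                continue
            if vid in self.tagged.get(port, ()):
                out[port] = build_frame(frame["dst"], frame["src"], frame["ethertype"],
                                        frame["payload"], vlan=vid, pcp=frame["pcp"])
            elif self.untagged.get(port) == vid:
                out[port] = build_frame(frame["dst"], frame["src"], frame["ethertype"],
                                        frame["payload"])
        return out


# Constructed config mirroring the post: PC on 1, phone on 7, phone system on 20, link on 24.
DAYJOB_CONFIG = """
vlan 2 untagged 1
vlan 2 untagged 7
vlan 5 tagged 7
vlan 5 untagged 20
vlan 2 tagged 24
vlan 3 tagged 24
vlan 4 tagged 24
vlan 5 tagged 24
"""

BCAST = b"\xff" * 6
PC_MAC = bytes.fromhex("020000000001")     # constructed locally administered MACs
PHONE_MAC = bytes.fromhex("020000000007")


def demo():
    sw = VlanSwitch()
    sw.configure(DAYJOB_CONFIG)
    pc_arp = build_frame(BCAST, PC_MAC, 0x0806, b"arp?")                   # untagged, from PC
    phone_rtp = build_frame(BCAST, PHONE_MAC, 0x0800, b"voice", vlan=5, pcp=5)
    return {
        "pc_on_1": sw.forward(1, pc_arp),
        "phone_on_7": sw.forward(7, phone_rtp),
        "tag5_on_pc_port": sw.forward(1, phone_rtp),  # port 1 is not a VLAN 5 member
        "untagged_on_trunk": sw.forward(24, pc_arp),  # trunk has no untagged VLAN
    }


if __name__ == "__main__":
    for name, out in demo().items():
        print(name, {p: parse_frame(f)["vlan"] for p, f in out.items()})
```

Running it shows the PC's broadcast leaving port 7 untagged and port 24 with VLAN 2 tagged, the phone's VLAN 5 frame leaving port 20 untagged and port 24 tagged (priority preserved), and the two access-control cases dropped.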
