Network Knowledge and experience: March 2014

Monday, March 31, 2014

VLAN SECURITY - MAKING THE MOST OF VLANS

NTRODUCTION

Take a look under the hood of this powerful networking tool so that your agency can reap the benefits of bandwidth, availability and security.

It's easy to see why virtual LANs have become extremely popular on networks of all sizes. In practical terms, multiple VLANs are pretty much the same as having multiple separate physical networks within a single organization — without the headache of managing multiple cable plants and switches.

Because VLANs segment a network, creating multiple broadcast domains, they effectively allow traffic from the broadcast domains to remain isolated while increasing the network's bandwidth, availability and security.

Most managed switches are VLAN-capable, but this doesn't mean that they all perform the job equally well. The market has been flooded by thousands of switches that seem to do the job, but special consideration must be taken before making a purchase.

A switch in a VLAN-enabled network needs to do a lot more than just switch packets between its ports.

Core backbone switches undertake the hefty task of managing the network's VLANs to ensure everything runs smoothly. The tasks of these switches include prioritizing network packets based on their source and destination (essentially Q uality of S ervice), ensuring all edge switches are aware of the VLANs configured in the network, continuously monitoring for possible network loops on every VLAN, switching packets between VLANs as required and ensuring network security according to their configuration .

Edge switches, also known as access switches, are dedicated to the end devices: user workstations , network peripherals and sometimes servers (most IT administrators rightly prefer to connect servers directly to the core- backbone switches). The edge switches must be compatible with the VLAN features that the core backbone switches support, otherwise unavoidable problems will arise because of incompatibilities among the switch devices.

This is one reason many organizations standardize when it comes to network equipment from companies that include Cisco Systems, HP and Juniper Networks.

When deploying VLANs, here are five key considerations to address:

1. LINKS ON VLAN SWITCHES

VLAN switches have two main types of links: access links and trunk links.

Access Links are the most common type of links on any VLAN capable switch. All network hosts connect to the switch's Access Links to gain access to the local network. These links are the ordinary ports found on every switch, but configured to access a particular VLAN.

Trunk Links are the links that connect two VLAN capable switches together. While an Access Link is configured to access a specific VLAN, a Trunk Link is almost always configured to carry data from all available VLANs.

2. NATIVE VLAN, ISL AND 802.1Q

When a port on a switch is configured as an access link (http://www.firewall.cx/networking-topics/vlan-networks/218-vlan-access-trunk-links.html) , it has access to one specific VLAN. Any network device connecting to it will become part of that VLAN.

Ethernet frames entering or exiting the port are standard Ethernet II type frames (http://www.firewall.cx/networking-topics/ethernet/ethernet-frame-formats/201-ethernet-ii.html) , which are understood by the network device connected to the port. Because these frames belong only to one network, they are said to be “untagged” — meaning that they do not contain any information as to which VLAN they are assigned.

Trunk links on the other hand are a bit more complicated. Because they carry frames from all VLANs, it's necessary to somehow identify the frames as they traverse switches. This is called VLAN tagging.

Two methods known for this job are ISL (Inter-Switch Link, a proprietary Cisco protocol) and IEEE 802.1q. Of the two, 802.1q is the most popular VLAN tagging method and is compatible among all vendors supporting VLAN trunking.

What might come as a surprise is that a trunk link can also be configured to act as an access link when a device (computer or switch) that does not support VLAN trunking connects to it. This means that if you have a trunk link on a switch and connect a computer, the port will automatically provide access to a specific VLAN. The VLAN in this case is known as the “native VLAN,” a common term that refers to the VLAN a trunk port is configured for when acting as an access link.

3.VIRTUAL TRUNK PROTOCOL AND VTP PRUNING

VTP is Cisco proprietary protocol that ensures all VLAN information held by the VTP Server, usually the core switch, is propagated to all network switches within the VTP domain.

During initial network configuration, all switches are configured members of the same VTP domain. With the use of VTP, an IT administrator can create, delete or rename VLANs on the core switch. All information is then automatically sent to all members of the VTP domain. The VTP equivalent for other vendors, such as HP and Juniper, is the Garp VLAN Registration Protocol (GVRP), which has been fine-tuned in the recent years and includes many features implemented previously only in Cisco's VTP Protocol .

VTP pruning (http://www.firewall.cx/networking-topics/vlan-networks/virtual-trunk-protocol.html), an extension to VTP's functionality, ensures that unnecessary network traffic is not sent over trunk links. This is done by forwarding broadcasts and unknown unicast frames on a VLAN, over trunk links, only if the receiving end of the trunk has ports assigned to that VLAN.

In practice, this means that if a network broadcast occurred on VLAN5 for instance, and a particular switch did not have any ports assigned to VLAN5, it would never receive the broadcast traffic through its trunk link. This translates to a major discount in broadcast or multicast traffic received by end switches in a VLAN network.

4. INTER-VLAN ROUTING

Inter-VLAN routing, as the term implies, is all about routing packets between VLANs. This is perhaps one of the most important features found on advanced switches. Because inter-VLAN routing (http://www.firewall.cx/networking-topics/vlan-networks/222-intervlan-routing.html) directs packets based on their Layer 3 information (the IP address), switches that perform this function are known as Layer 3 switches and, of course, are the most expensive. The core switch is commonly a Layer 3 switch. In cases where a Layer 3 switch is not available, this function can also be performed by a server with two or more network cards or a router, a method often referred to as “router on a stick.”

Because this in one of the most important aspects of a VLAN network, the Layer 3 switch must have a fast switching fabric (measured in Gbps) and provide advanced capabilities such as support for routing protocols, advanced access-lists and firewall . The Layer 3 switch can offer outstanding protection for a VLAN network but can also be a network administrator ' s worst nightmare if not properly configured.

5. SECURING VLAN DEVICES

Even though many administrators and IT managers are aware of VLAN technologies and concepts, that doesn't necessarily hold true when it comes to VLAN security.

The first principle in securing a VLAN network is physical security. If an organization does not want its devices tampered with, physical access must be strictly controlled. Core switches are usually safely located in a data center with restricted access, but edge switches are often located in exposed areas.

Just as physical security guidelines require equipment to be in a controlled space, VLAN-based security requires the use of special tools and following a few best security practices to achieve the desired result.

These best practices include:

• removing console-port cables and introducing password-protected console or virtual terminal access with specified timeouts and restricted access policies;

• applying the same commands to the virtual terminal (telnet/Secure Shell) section and creating an access-list to restrict telnet/SHH access from specific networks and hosts;

• avoiding use of using VLAN1 (the default VLAN) as the network data VLAN ;

• disabling high-risk protocols on any port that doesn't require them (e.g CDP, DTP, PAgP, UDLD);

• deploying VTP domain, VTP pruning and password protections;

• controlling inter-VLAN routing through the use of IP access lists.

For hands-on details about each of these practices, go to fedtechmagazine.com/0211VLANsec .

RAISING THE THROTTLE

VLAN technology offers numerous enhancements to the network and provides paths to run multiple services in isolated environments without sacrificing speed, quality and network availability. If the necessary basic security guidelines are taken into consideration during initial implementation and then during ongoing administration, a VLAN can dramatically reduce administrative overhead.

Perhaps the most serious mistake that can be made is to underestimate the importance of the data link layer and of VLANs in particular in the architecture of switched networks.

It should not be forgotten that any network is only as robust as its weakest link, and therefore an equal amount of attention needs to be given to every layer to assure the soundness of the entire structure.

INTERVLAN ROUTING - ROUTING BETWEEN VLAN NETWORKS

This article deals with the popular topic of InterVLAN routing, which is used to allow routing & communication between VLAN networks. Our article analyses InterVLAN routing and provides 4 different methods of InterVLAN routing to help understand the concept

THE NEED FOR ROUTING

Each network has it's own needs, though whether it's a large or small network, internal routing, in most cases, is essential - if not critical. The ability to segment your network by creating VLANs, thus reducing network broadcasts and increasing your security, is a tactic used by most engineers. Popular setups include a separate broadcast domain for critical services such as File Servers, Print servers, Domain Controllers e.t.c, serving your users non-stop.

The issue here is how can users from one VLAN (broadcast domain), use services offered by another VLAN?

Thankfully there's an answer to every problem and in this case, its VLAN routing:

The above diagram is a very simple but effective example to help you get the idea. Two VLANs consisting of two servers and workstations of which one workstation has been placed along with the servers in VLAN 1, while the second workstation is placed in VLAN 2.

In this scenario, both workstations require access to the File and Print servers, making it a very simple task for the workstation residing in VLAN 1, but obviously not for our workstation in VLAN 2.

As you might have already guessed, we need to somehow route packets between the two VLANs and the good news is that there is more than one way to achieve this and that's what we'll be covering on this page.

VLAN ROUTING SOLUTIONS

While the two 2924 Catalyst switches are connected via a trunk link, they are unable to route packets from one VLAN to another. If we wanted the switch to support routing, we would require it to be a layer 3 switch with routing capabilities, a service offered by the popular Catalyst 3550 series and above.

Since there are quite a few ways to enable the communcation between VLANs (InterVLAN Routing being the most popular) there is a good chance that we are able to view all possible solutions. This follows our standard method of presenting all possible solutions, giving you an in-depth view on how VLAN routing can be setup, even if you do not have a layer 3 switch.

Note: The term 'InterVLAN Routing' refers to a specific routing method which we will cover as a last scenario, however it is advised that you read through all given solutions to ensure you have a solid understanding on the VLAN routing topic.

VLAN ROUTING SOLUTION NO.1: USING A ROUTER WITH 2 ETHERNET INTERFACES

A few years ago, this was one of the preferred and fastest methods to route packets between VLANs. The setup is quite simple and involves a Cisco router e.g 2500 series with two Ethernet interfaces as shown in the diagram, connecting to both VLANs with an appropriate IP Address assigned to each interface. IP Routing is of course enabled on the router and we also have the option of applying access lists in the case where we need to restrict network access between our VLANs.

In addition, each host (servers and workstations) must either use the router's interface connected to their network as a 'default gateway' or a route entry must be created to ensure they use the router as a gateway to the other VLAN/Network. This scenario is however expensive to implement because we require a dedicated router to router packets between our VLANs, and is also limited from an expandability prospective.

In the case where there are more than two VLANs, additional Ethernet interfaces will be required, so basically, the idea here is that you need one Ethernet interface on your router that will connect to each VLAN.

To finish this scenario, as the network gets bigger and more VLANs are created, it will very quickly get messy and expensive, so this solution will prove inadequate to cover our future growth.

VLAN ROUTING SOLUTION NO.2: USING A ROUTER WITH ONE ETHERNET (TRUNK) INTERFACE

This solution is certainly fancier but requires, as you would have already guessed, a router that supports trunk links. With this kind of setup, the trunk link is created, using of course the same type of encapsulation the switches use (ISL or 802.1q), and enabling IP routing on the router side. This method of InterVLAN routing is also known as 'Router on a Stick'. You can read more on its configuration under ourCisco Router Knowledgebase

The downside here is that not many engineers will sacrifice a router just for routing between VLANs when there are many cheaper alternatives, as you will soon find out. Nevertheless, despite the high cost and dedicated hardware, it's still a valid and workable solution and depending on your needs and available equipment, it might be just what you're looking for!

Closing this scenario, the router will need to be configured with two virtual interfaces, one for each VLAN, with the appropriate IP Address assigned to each one so routing can be performed.

VLAN ROUTING SOLUTION NO.3: USING A SERVER WITH TWO NETWORK CARDS

We would call this option a "Classic Solution". What we basically do, is configure one of the servers to perform the routing between the two VLANs, reducing the overal cost as no dedicated equipment is required.

In order for the server to perform the routing, it requires two network cards - one for each VLAN and the appropriate IP Addresses assigned, therefore we have configured one with IP Addresses 192.168.1.1 and the other with 192.168.2.1. Once this phase is complete, all we need to do is enable IP routing on the server and we're done.

Lastly, each workstation must use the server as either a gateway, or a route entry should be created so they know how to get to the other network. As you see, there's nothing special about this configuration, it's simple, cheap and it gets the job done.

VLAN ROUTING SOLUTION NO.4: INTERVLAN ROUTING

And at last, InterVLAN routing! This is without a doubt the best VLAN routing solution out of all of the above. InterVLAN routing makes use of the latest in technology switches ensuring a super fast, reliable, and acceptable cost routing solution.

The Cisco Catalyst 3550 series switches used here are layer 3 switches with built-in routing capabilities, making them the preferred choice at a reasonable cost. Of course, the proposed solution shown here is only a small part of a large scale network where switches such as the Catalyst 3550 are usually placed as core switches, connecting all branch switches together (2924's in this case) via superfast fiber Gigabit or Fast Ethernet links, ensuring a fast and reliable network backbone.

VLAN Configuration and InterVLAN routing for Cisco Layer 3 switches (3550, 3560 series, 3750 series, 4500 series and 6500 series switches) is covered extensively at the following article: Basic & Advanced Catalyst Layer 3 Switch Configuration: Creating VLANs, InterVLAN Routing (SVI), VLAN Security – VLAN Hopping, VTP Configuration, Trunk Links, NTP. IOS License Requirements for SVI Routing.

We should also note that InterVLAN routing on the Catalyst 3550 has certain software requirements regarding the IOS image loaded on the switch as outlined on the table below:

Image Type & Version	InterVLAN Routing Capability
Enhanced Multilayer Image (EMI) - All Versions	YES
Standard Multilayer Image (SMI) - prior to 12.1(11)EA1	NO
Standard Multilayer Image (SMI) - 12.1(11)EA1 and later	YES

If you happen to have a 3550 Catalyst in hand, you can issue the Show version command to reveal your IOS version and find out if it supports IP routing.

In returning to our example, our 3550 Catalyst will be configured with two virtual interfaces, one for each VLAN, and of course the appropriate IP Address assigned to them to ensure there is a logical interface connected to both networks. Lastly, as you might have guessed, we need to issue the 'IP Routing' command to enable the InterVLAN Routing service!

The diagram above was designed to help you 'visualise' how switches and their interfaces are configured to specific VLAN, making the InterVLAN routing service possible. The switch above has been configured with two VLANs, VLAN 1 and 2. The Ethernet interfaces are then assigned to each VLAN, allowing them to communicate directly with all other interfaces assigned to the same VLAN and the other VLAN, when the internal routing process is present and enabled.

ACCESS LISTS & INTERVLAN ROUTING

Another common addition to the InterVLAN routing service is the application of Access Lists (packet filtering) on the routing switch,to restrict access to services or hosts as required.

In modern implementations, central file servers and services are usually placed in their own isolated VLAN, securing them from possible network attacks while controlling access to them. When you take into consideration that most trojans and viruses perform an initial scan of the network before attacking, an administrator can smartly disable ICMP echoes and other protocols used to detect a live host, avoiding possible detection by an attacker host located on a different VLAN.

SUMMARY

InterVLAN is a terrific service and one that you simply can't live without in a large network. The topic is a fairly easy one once you get the idea, and this is our aim here, to help you get that idea, and extend it further by giving you other alternative methods.

The key element to the InterVLAN routing service is that you must have at least one VLAN interface configured with an IP Address on the InterVLAN capable switch, which will also dictate the IP network for that VLAN. All hosts participating in that VLAN must also use the same IP addressing scheme to ensure communication between them. When the above requirements are met, it's then as simple as enabling the IP Routing service on the switch and you have the InterVLAN service activated.

VLANS - IEEE 802.1Q TRUNK LINK PROTOCOL ANALYSIS

INTRODUCTION

Our VLAN Tagging page briefly covered the IEEE 802.1q protocol and we are about to continue its analysis here. As mentioned previously, the IEEE 802.1q tagging method is the most popular as it allows the seemless integration of VLAN capable devices from all vendors who support the protocol.

IEEE 802.1q Analysis

The IEEE 802.1q tagging mechanism seems quite simple and efficient thanks to its 4-byte overhead squeezed between the Source Address and Type/Length field of our Ethernet II frame:

The process of inserting the 802.1q tag into an Ethernet II frame results in the original Frame Check Sequence (FCS) field to become invalid since we are altering the frame, hence it is essential that a new FCS is recalculated, based on the new frame now containing the IEEE 802.1q field. This process is automatically performed by the switch, right before it sends the frame down a trunk link. Our focus here will be the pink 3D block, labeled as the IEEE 802.1q header.

The IEEE 802.1q Header

As noted, the 802.1q header is only 4 bytes or 32 bits in length while within this space there is all the necessary information required to successfully identify the frame's VLAN and ensure it arrived to the correct destination. The diagram below analyses all fields contained in a 802.1q header:

The structure is quite simple as there are only 4 fields when compared with the 11 ISL has. We will continue by analysing each of these fields in order to discover what the protocol is all about.

TPID - Tag Protocol IDentifier

The TPID field is 16 bit long with a value of 0x8100. It is used to identify the frame as an IEEE 802.1q tagged frame.

Note: The next three fields, Priority, CFI and VLAN ID are also known as the TCI (Tag Control Information) field and are often represented as one single field (TCI Field).

Priority

The Priority field is only 3 bits long but used for prioritisation of the data this frame is carrying.

Data Prioritisation is a whole study in itself but we won't be analysing it here since it's well beyond the scope of our topic. However, for those interested, data prioritisation allows us to give special priority to time-latency sensitive services, such as Voice Over IP (VoIP), over normal data. This means that the specified bandwidth is allocated for these critical services to pass them through the link without any delay.

The IEEE 802.1p priority protocol was developed to provide such services and is utilised by the IEEE 802.1q tagging protocol.

The Priority field is approximately 3 bits long, allowing a total of 2^3=8 different priorities for each frame, that is, level zero (0) to seven (7) inclusive.

CFI - Canonical Format Indicator

The CFI field is only 1 bit long. If set to '1', then it means the MAC Address is in non-canonical format, otherwise '0' means it is canonical format. For Ethernet switches, this field is always set to zero (0). The CFI field is mainly used for compatibility reasons between Ethernet and Token Ring networks.

In the case where a frame arrives to an Ethernet port and the CFI flag is set to one (1), then that frame should not be forwarded as it was received to any untagged port (Access Link port).

VLAN ID - Virtual Local Area Network Identifier

The VLAN ID field is perhaps the most important field out of all because we are able to identify which VLAN the frame belongs to, allowing the receiving switch to decide which ports the frame is allowed to exit depending on the switch configuration.

For those who recall our VLAN Tagging page, we mentioned that the IEEE 802.1q tagging method supports up to 4096 different VLANs. This number derives from the 12 bit VLAN ID field we are analysing right now and here are the calculations to prove this: 2^12=4096, which translates from VLAN 0 to VLAN 4095 inclusive.

Summary

That completes our analysis on the IEEE 802.1q protocol. As a last note, you should remember that this protocol is the most wide spread tagging method used around the world that supports up to 4096 VLANs!

VLAN TAGGING - UNDERSTANDING VLANS ETHERNET FRAMES

INTRODUCTION

We mentioned that Trunk Links are designed to pass frames (packets) from all VLANs, allowing us to connect multiple switches together and independently configure each port to a specific VLAN. However, we haven't explained how these packets run through the Trunk Links and network backbone, eventually finding their way to the destination port without getting mixed or lost with the rest of the packets flowing through the Trunk Links.

This is process belongs to the world of VLAN Tagging!

VLAN TAGGING

VLAN Tagging, also known as Frame Tagging, is a method developed by Cisco to help identify packets travelling through trunk links. When an Ethernet frame traverses a trunk link, a special VLAN tag is added to the frame and sent across the trunk link.

As it arrives at the end of the trunk link the tag is removed and the frame is sent to the correct access link port according to the switch's table, so that the receiving end is unaware of any VLAN information.

The diagram below illustrates the process described above:

Here we see two 3500 series Catalyst switches and one Cisco 3745 router connected via the Trunk Links. The Trunk Links allow frames from all VLANs to travel throughout the network backbone and reach their destination regardless of the VLAN the frame belongs to. On the other side, the workstations are connected directly to Access Links (ports configured for one VLAN membership only), gaining access to the resources required by VLAN's members.

Again, when we call a port 'Access Link' or 'Trunk Link', we are describing it based on the way it has been configured. This is because a port can be configured as an Access Link or Trunk Link (in the case where it's 100Mbits or faster).

This is stressed because a lot of people think that it's the other way around, meaning, a switch's uplink is always a Trunk Link and any normal port where you would usually connect a workstation, is an Access Link port!

VLAN TAGGING PROTOCOL

We're now familiar with the term 'Trunk Link' and its purpose, that is, to allow frames from multiple VLANs to run across the network backbone, finding their way to their destination. What you might not have known though is that there is more than one method to 'tag' these frames as they run through the Trunk Links or ... the VLAN Highway as we like to call it.

INTERSWITCH LINK (ISL)

ISL is a Cisco propriety protocol used for FastEthernet and Gigabit Ethernet links only. The protocol can be used in various equipments such as switch ports, router interfaces, server interface cards to create a trunk to a server and much more. You'll find more information on VLAN implementations on our last page of the VLAN topic.

Being a propriety protocol, ISL is available and supported naturally on Cisco products only:) You may also be interested in knowing that ISL is what we call, an 'external tagging process'. This means that the protocol does not alter the Ethernet frame as shown above in our previous diagram - placing the VLAN Tag inside the Ethernet frame, but encapsulating the Ethernet frame with a new 26 byte ISL header and adding an additional 4 byte frame check sequence (FCS) field at the end of frame, as illustrated below:

Despite this extra overhead, ISL is capable of supporting up to 1000 VLANs and does not introduce any delays in data transfers between Trunk Links.

In the above diagram we can see an ISL frame encapsulating an Ethernet II frame. This is the actual frame that runs through a trunk link between two Cisco devices when configured to use ISL as their trunk tagging protocol.

The encapsulation method mentioned above also happens to be the reason why only ISL-aware devices are able to read it, and because of the addition of an ISL header and FCS field, the frame can end up being 1548 bytes long! For those who can't remember, Ethernet's maximum frame size is 1518 bytes, making an ISL frame of 1548 bytes, what we call a 'giant' or 'jumbo' frame!

Lastly, ISL uses Per VLAN Spanning Tree (PVST) which runs one instance of the Spanning Tree Protocol (STP) per VLAN. This method allows us to optimise the root switch placement for each available VLAN while supporting neat features such as VLAN load balancing between multiple trunks.

Since the ISL's header fields are covered on a separate page, we won't provide further details here.

IEEE 802.1Q

The 802.1q standard was created by the IEEE group to address the problem breaking large networks into smaller and manageable ones through the use of VLANs. The 802.1q standard is of course an alternative to Cisco's ISL, and one that all vendors implement on their network equipment to ensure compatibility and seamless integration with the existing network infrastructure.

As with all 'open standards' the IEEE 802.1q tagging method is by far the most popular and commonly used even in Cisco oriented network installations mainly for compatability with other equipment and future upgrades that might tend towards different vendors.

In addition to the compatability issue, there are several more reasons for which most engineers prefer this method of tagging. These include:

Support of up to 4096 VLANs
Insertion of a 4-byte VLAN tag with no encapsulation
Smaller final frame sizes when compared with ISL

Amazingly enough, the 802.1q tagging method supports a whopping 4096 VLANs (as opposed to 1000 VLANs ISL supports), a large amount indeed which is merely impossible to deplet in your local area network.

The 4-byte tag we mentioned is inserted within the existing Ethernet frame, right after the Source MAC Address as illustrated in the diagram below:

Because of the extra 4-byte tag, the minimum Ethernet II frame size increases from 64 bytes to 68 bytes, while the maximum Ethernet II frame size now becomes 1522 bytes. If you require more information on the tag's fields, visit our protocol page where further details are given.

As you may have already concluded yourself, the maximum Ethernet frame is considerably smaller in size (by 26 bytes) when using the IEEE 802.1q tagging method rather than ISL. This difference in size might also be interpreted by many that the IEEE 802.1q tagging method is much faster than ISL, but this is not true. In fact, Cisco recommends you use ISL tagging when in a Cisco native environment, but as outlined earlier, most network engineers and administrators believe that the IEEE802.1q approach is much safer, ensuring maximum compatability.

And because not everything in this world is perfect, no matter how good the 802.1q tagging protocol might seem, it does come with its restrictions:

In a Cisco powered network, the switch maintains one instance of the Spanning Tree Protocol (STP) per VLAN. This means that if you have 10 VLANs in your network, there will also be 10 instances of STP running amongst the switches. In the case of non-Cisco switches, then only 1 instance of STP is maintained for all VLANs, which is certainly not something a network administrator would want.
It is imperative that the VLAN for an IEEE 802.1q trunk is the same for both ends of the trunk link, otherwise network loops are likely to occur.
Cisco always advises that disabling a STP instance on one 802.1q VLAN trunk without disabling it on the rest of the available VLANs, is not a good idea because network loops might be created. It's best to either disable or enable STP on all VLANs.

Note: There are other VLAN tagging protocol to support other interfaces. Here we focus on the VLAN over Ethernet only.

VLANS - ACCESS & TRUNK LINKS

This article will start to slowly expand on these terms to help understand how VLANs are implemented inside an enterprise network.

To begin with, we will take a closer look at the port interfaces on these smart switches and then start moving towards the interfaces connecting to the network backbone where things become slightly more complicated, though do not be alarmed since our detailed and easy to read diagrams are here to ensure the learning process is as enjoyable as possible.

VLAN LINKS - INTERFACES

When inside the world of VLANs there are two types of interfaces, or if you like, links. These links allow us to connect multiple switches together or just simple network devices e.g PC, that will access the VLAN network. Depending on their configuration, they are called Access Links, or Trunk Links.

ACCESS LINKS

Access Links are the most common type of links on any VLAN switch. All network hosts connect to the switch's Access Links in order to gain access to the local network. These links are your ordinary ports found on every switch, but configured in a special way, so you are able to plug a computer into them and access your network.

Here's a picture of a Cisco Catalyst 3550 series switch, with it's Access Links (ports) marked in the Green circle:

We must note that the 'Access Link' term describes a configured port - this means that the ports above can be configured as the second type of VLAN links - Trunk Links. What we are showing here is what's usually configured as an Access Link port in 95% of all switches. Depending on your needs, you might require to configure the first port (top left corner) as a Trunk Link, in which case, it is obviously not called a Access Link port anymore, but a Trunk Link!

When configuring ports on a switch to act as Access Links, we usually configure only one VLAN per port, that is, the VLAN our device will be allowed to access. If you recall the diagram below which was also present during the introduction of the VLAN concept, you'll see that each PC is assigned to a specific port:

In this case, each of the 6 ports used have been configured for a specific VLAN. Ports 1, 2 and 3 have been assigned to VLAN 1 while ports 4, 5 and 6 to VLAN 2.

In the above diagram, this translates to allowing only VLAN 1 traffic in and out of ports 1, 2 and 3, while ports 4, 5 and 6 will carry VLAN 2 traffic. As you would remember, these two VLANs do not exchange any traffic between each other, unless we are using a layer 3 switch (or router) and we have explicitly configured the switch to route traffic between the two VLANs.

It is equally important to note at this point that any device connected to an Access Link (port) is totally unaware of the VLAN assigned to the port. The device simply assumes it is part of a single broadcast domain, just as it happens with any normal switch. During data transfers, any VLAN information or data from other VLANs is removed so the recipient has no information about them.

The following diagram illustrates this to help you get the picture:

As shown, all packets arriving, entering or exiting the port are standard Ethernet II type packets which are understood by the network device connected to the port. There is nothing special about these packets, other than the fact that they belong only to the VLAN the port is configured for.

If, for example, we configured the port shown above for VLAN 1, then any packets entering/exiting this port would be for that VLAN only. In addition, if we decided to use a logical network such as 192.168.0.0 with a default subnet mask of 255.255.255.0 (/24), then all network devices connecting to ports assigned to VLAN 1 must be configured with the appropriate network address so they may communicate with all other hosts in the same VLAN.

TRUNK LINKS

What we've seen so far is a switch port configured to carry only one VLAN, that is, an Access Link port. There is, however, one more type of port configuration which we mentioned in the introductory section on this page - the Trunk Link.

A Trunk Link, or 'Trunk' is a port configured to carry packets for any VLAN. These type of ports are usually found in connections between switches. These links require the ability to carry packets from all available VLANs because VLANs span over multiple switches.

The diagram below shows multiple switches connected throughout a network and the Trunk Links are marked in purple colour to help you identify them:

As you can see in our diagram, our switches connect to the network backbone via the Trunk Links. This allows all VLANs created in our network to propagate throughout the whole network. Now in the unlikely event of Trunk Link failure on one of our switches, the devices connected to that switch's ports would be isolated from the rest of the network, allowing only ports on that switch, belonging to the same VLAN, to communicate with each other.

So now that we have an idea of what Trunk Links are and their purpose, let's take a look at an actual switch to identify a possible Trunk Link:

As we noted with the explanation of Access Link ports, the term 'Trunk Link' describes a configured port. In this case, the Gigabit ports are usually configured as Trunk Links, connecting the switch to the network backbone at the speed of 1 Gigabit, while the Access Link ports connect at 100Mbits.

In addition, we should note that for a port or link to operate as a Trunk Link, it is imperative that it runs at speeds of 100Mbit or greater. A port running at speeds of 10Mbit's cannot operate as a Trunk Link and this is logical because a Trunk Link is always used to connect to the network backbone, which must operate at speeds greater than most Access Links!

The VLAN concepts

To help start clearing things up we will define the VLAN concept not only through words, but through the use of our cool diagrams and at the same time, compare VLANs to our standard flat switched network.

We will start by taking a quick look at a normal switched network, pointing out it's main characteristics and then move on to VLANs

THE TRADITIONAL SWITCHED NETWORK

Almost every network today has a switch interconnecting all network nodes, providing a fast and reliable way for the nodes to communicate. Switches today are what hubs were a while back - the most common and necessary equipment in our network, and there is certainly no doubt about that.

While switches might be adequate for most type of networks, they prove inadequate for mid to large sized networks where things are not as simple as plugging a switch into the power outlet and hanging a few Pc's from it!

For those of you who have already read our "switches and bridges" section, you will be well aware that switches are layer 2 devices which create a flat network:

The above network diagram illustrates a switch with 3 workstations connected. These workstations are able to communicate with each other and are part of the same broadcast domain, meaning that if one workstation were to send a broadcast, the rest will receive it.

In a small network multiple broadcast might not be too much of a problem, but as the size of the network increases, so will the broadcasts, up to the point where they start to become a big problem, flooding the network with garbage (most of the times!) and consuming valuable bandwidth.

To visually understand the problem, but also the idea of a large flat network, observe the diagram below:

The problem here starts to become evident as we populate the network with more switches and workstations. Since most workstations tend to be loaded with the Windows operating system, this will result in unavoidable broadcasts being sent occasionaly on the network wire - something we certainly want to avoid.

Another major concern is security. In the above network, all users are able to see all devices. In a much larger network containing critical file servers, databases and other confidential information, this would mean that everyone would have network access to these servers and naturally, they would be more susceptible to an attack.

To effectively protect such systems from your network you would need to restrict access at the network level by segmenting the exisiting network or simply placing a firewall in front of each critical system, but the cost and complexity will surely make most administrators think twice about it. Thankfully there is a solution ..... simply keep reading.

INTRODUCING VLANS

Welcome to the wonderful world of VLANs!

All the above problems, and a lot more, can be forgotten with the creation of VLANs...well, to some extent at least.

As most of you are already aware, in order to create (and work with) VLANs, you need a layer 2 switch that supports them. A lot of people new to the networking field bring the misconception that it's a matter of simply installing additional software on the clients or switch, in order to "enable" VLANs throughout the network - this is totally incorrect!

Because VLANs involve millions of mathematical calculations, they require special hardware which is built into the switch and your switch must therefore support VLANs at the time of purchase, otherwise you will not be able to create VLANs on it!

Each VLAN created on a switch is a separate network. This means that a separate broadcast domain is created for each VLAN that exists. Network broadcasts, by default, are filtered from all ports on a switch that are not members of the same VLAN and this is why VLANs are very common in today's large network as they help isolate network segments between each other.

To help create the visual picture on how VLANs differentiate from switches, consider the following diagram:

What we have here is a small network with 6 workstations attached to a VLAN capable switch. The switch has been programmed with 2 VLANs, VLAN1 and VLAN2 respectfully, and 3 workstations have been assigned to each VLAN.

VLANS = SEPARATE BROADCAST DOMAINS

With the creation of our VLANs, we have also created 2 broadcast domains. This mean that if any workstation in either VLAN sends a broadcast, it will propagate out the ports which belong to the same VLAN as the workstation that generated the broadcast:

This is clearly illustrated in the diagram above where Workstation 1, belonging to VLAN1, sends a network broadcast (FF:FF:FF:FF:FF:FF). The switch receives this broadcast and forwards it to Workstation 2 and 3, just as it would happen if these three workstations were connected to a normal switch, while the workstations belonging to VLAN2 are totally unaware of the broadcast sent in VLAN1 as they do not receive any packets flowing in that network.

To help clear any questions or doubts on how the above setup works, the diagram below shows the logical equivalent setup of our example network:

By this stage, you should begin seeing the clear advantages offered by the use of VLANs within your network. Security, cost and network traffic are reduced as more hosts are added to the network and the number of VLANs are increased.

SUMMARY

This page introduced the concept of VLANs and indicated the differences existing between them and normal switched networks. We also briefly examined their efficiency in terms of cost, security and implementation.

The information here serves as an introduction to the VLAN technology and we will now start diving deeper into the topic, analysing it in greater detail. Having said that, our next page deals with the design of VLANs, showing different logical and physical configurations of VLANs within networks. So, make yourself comfortable and let's continue cause there is still so much to cover!