Virtual Local Area Networks In Security By Mark Reed
Topics
- Definition of LAN and VLAN
- Advantages of using VLANs
- When to consider using VLANs
- Why we use VLANs
- How VLANs work
- Types of VLANs
- Increasing network security with VLANs
LAN - Definition
Local Area Network (LAN): a network of computers and network devices that are physically located near each other and share a single broadcast domain. A broadcast domain is the set of nodes that receive any broadcast frame sent by one of them: if a host on the LAN sends a broadcast request, every node on that LAN receives it.
VLAN - Definition
Virtual Local Area Network (VLAN): a group of hosts with a common set of requirements that communicate as if they were attached to the same broadcast domain, regardless of their physical location. One switch, or a set of interconnected switches, can carry several such broadcast domains over the same physical infrastructure.
What are the advantages of a VLAN?
- A VLAN has the same attributes as a physical LAN
- Workstations can be grouped together even if they are not connected to the same network switch
- Network reconfiguration can be done through software instead of physically relocating devices
When should you consider using VLANs?
- If you have more than 200 devices on your network
- If your network has a lot of broadcast traffic that may be affecting network performance
- If groups of users need more network security because they handle sensitive information
- If groups of users need a lot of bandwidth or access to the same applications
- If you need to make a single switch behave as multiple virtual switches
Why use VLANs?
- Increase network performance by shrinking broadcast domains
- Allow network administrators to form virtual workgroups for departments or divisions
- Simplify network administration
- Reduce network costs
- Increase network security
How Do VLANs Work?
- Explicit tagging: the frame itself carries a VLAN identifier (for example an IEEE 802.1Q tag inserted after the source address). A switch adds the tag when it forwards the frame onto a link that carries several VLANs, such as a trunk to another switch, and any switch that receives the frame reads the VLAN from the tag.
- Implicit tagging: the frame carries no tag, and the receiving switch determines the VLAN from other information, such as the port on which the frame arrived.
Types Of VLANs
- The VLAN a frame belongs to can be determined from the port on which it arrived, the source Media Access Control (MAC) address, the source network (IP) address, or some other field or combination of fields
- VLANs are classified by the method used to assign frames to them
- Switches hold a filtering database that stores this membership information
Layer 1 - Membership By Port
- Membership is defined by the ports that belong to the VLAN
- Main disadvantage: it does not allow for user mobility
- If a user moves to a different location (a different port), the network administrator must reconfigure the VLAN assignment for the new port
Layer 2 - Membership By Address
- Membership is based on the MAC address of the workstation, i.e. the source address of the frame
- No reconfiguration is needed when the workstation is moved, since the MAC address belongs to the network interface card and travels with it
- Membership tables do not need to be changed
- Caveat: the source MAC address is written by the sending host and can be changed in software, so a MAC-based assignment is only as trustworthy as the hosts attached to the port
Layer 3 - Membership By IP Subnet Address
- Membership is based on the network-layer header carried inside the frame, typically the source IP subnet
- Workstations can be moved without reconfiguring their network addresses, because the VLAN follows the subnet
- Forwarding takes longer than with the MAC address, because the switch must read into the Layer 3 header of every frame
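The three membership methods above, plus explicit tagging, as an added example that is not part of the original slides: a small Python classifier that reads an 802.1Q tag when one is present and otherwise falls back to the implicit rules in the order source MAC, source IP subnet, ingress port. The port names, MAC addresses, the 192.0.2.0/24 subnet, the precedence of the implicit rules and the sample frames are assumptions made for the demonstration (a real switch normally applies one implicit method per port). Two tag edge cases are handled: a tag with VID 0 carries only a priority and is treated as untagged, and VID 4095 is reserved and rejected.

```python
"""Classify Ethernet frames into VLANs: explicit 802.1Q tag first, then implicit rules."""
import ipaddress
import struct
from dataclasses import dataclass

TPID_8021Q = 0x8100      # EtherType value that announces an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806


@dataclass
class Classification:
    src_mac: str
    dst_mac: str
    vid: int
    method: str          # "tag" (explicit) or "mac" / "subnet" / "port" (implicit)


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_frame(dst_mac, src_mac, ethertype, payload=b"", vid=None, pcp=0):
    """Build an Ethernet II frame; when vid is given, insert a 4-byte 802.1Q tag after the addresses."""
    frame = mac_bytes(dst_mac) + mac_bytes(src_mac)
    if vid is not None:
        tci = (pcp << 13) | (vid & 0x0FFF)          # TCI = PCP(3) | DEI(1) | VID(12)
        frame += struct.pack("!HH", TPID_8021Q, tci)
    return frame + struct.pack("!H", ethertype) + payload


def ipv4_payload(src_ip, dst_ip):
    """Minimal 20-byte IPv4 header (checksum left zero) so the subnet rule has a source address to read."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 17, 0,
                       ipaddress.IPv4Address(src_ip).packed,
                       ipaddress.IPv4Address(dst_ip).packed)


class VlanClassifier:
    def __init__(self, port_vlan, mac_vlan, subnet_vlan):
        self.port_vlan = port_vlan                                     # Layer 1: ingress port -> VID
        self.mac_vlan = {m.lower(): v for m, v in mac_vlan.items()}    # Layer 2: source MAC -> VID
        self.subnet_vlan = [(ipaddress.ip_network(n), v) for n, v in subnet_vlan]  # Layer 3: subnet -> VID

    def classify(self, frame: bytes, in_port: str) -> Classification:
        dst, src = mac_str(frame[0:6]), mac_str(frame[6:12])
        (ethertype,) = struct.unpack("!H", frame[12:14])
        payload_off = 14
        if ethertype == TPID_8021Q:                   # explicit tagging: read VID from the tag
            (tci,) = struct.unpack("!H", frame[14:16])
            vid = tci & 0x0FFF
            (ethertype,) = struct.unpack("!H", frame[16:18])
            payload_off = 18
            if vid == 0xFFF:
                raise ValueError("VID 4095 is reserved; frame must be discarded")
            if vid != 0:
                return Classification(src, dst, vid, "tag")
            # VID 0 is a priority-only tag: fall through and treat the frame as untagged
        if src in self.mac_vlan:                      # implicit: source MAC (assumed precedence)
            return Classification(src, dst, self.mac_vlan[src], "mac")
        if ethertype == ETHERTYPE_IPV4 and len(frame) >= payload_off + 20:
            src_ip = ipaddress.IPv4Address(frame[payload_off + 12:payload_off + 16])
            for net, vid in self.subnet_vlan:         # implicit: source IP subnet
                if src_ip in net:
                    return Classification(src, dst, vid, "subnet")
        return Classification(src, dst, self.port_vlan[in_port], "port")  # implicit: port default


def demo():
    """Constructed sample frames; returns the (method, vid) chosen for each."""
    clf = VlanClassifier(port_vlan={"Gi0/1": 10, "Gi0/2": 20},
                         mac_vlan={"00:00:5e:00:53:01": 30},
                         subnet_vlan=[("192.0.2.0/24", 40)])
    bcast = "ff:ff:ff:ff:ff:ff"
    frames = [
        ("Gi0/1", build_frame(bcast, "00:00:5e:00:53:02", ETHERTYPE_ARP, b"\x00" * 28, vid=20)),
        ("Gi0/1", build_frame(bcast, "00:00:5e:00:53:01", ETHERTYPE_ARP, b"\x00" * 28)),
        ("Gi0/1", build_frame(bcast, "00:00:5e:00:53:03", ETHERTYPE_IPV4,
                              ipv4_payload("192.0.2.7", "192.0.2.255"))),
        ("Gi0/2", build_frame(bcast, "00:00:5e:00:53:04", ETHERTYPE_ARP, b"\x00" * 28)),
        ("Gi0/2", build_frame(bcast, "00:00:5e:00:53:04", ETHERTYPE_ARP, b"\x00" * 28, vid=0, pcp=5)),
    ]
    return [(c.method, c.vid) for c in (clf.classify(f, p) for p, f in frames)]


if __name__ == "__main__":
    for method, vid in demo():
        print(f"{method:6s} -> VLAN {vid}")
```

The first frame lands in VLAN 20 even though it arrived on a port whose default is VLAN 10, which is the essential difference between explicit and implicit tagging: once a tag is present the switch trusts it over the port rule, so which ports are allowed to send tagged frames is a configuration decision worth checking.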
Frame Processing
- When a switch receives a frame, it determines which VLAN the frame belongs to, either by explicit tagging (reading the tag) or by implicit tagging (port, MAC address or subnet rules)
- The switch also keeps track of VLAN membership in a filtering database, which it consults to decide the ports to which the frame is sent
Filtering Database
- Membership information for a VLAN is stored in a filtering database
- The filtering database consists of two types of entries: static entries and dynamic entries
Static Database Entries
- Static information is added, modified and deleted by a network administrator
- There are two types of static database entries:
1. Static Filtering Entries: specify, for every port, whether frames addressed to a given MAC address on a given VLAN should be forwarded or discarded
2. Static Registration Entries: specify which ports are registered as members of a specific VLAN
Dynamic Database Entries
- Dynamic entries are learned by the switch and cannot be created or updated manually
- The learning process observes the port on which a frame with a given source address and VLAN ID is received and updates the database accordingly
- An entry is created or updated only if the port allows learning, the source address is an individual (workstation) address rather than a group address, and there is space available in the database
Dynamic Database Entries Contd.
There are three types of dynamic entries:
1. Dynamic Filtering Entries: specify whether frames addressed to a specific MAC address on a certain VLAN should be forwarded or discarded on each port (these are the entries created by source-address learning)
2. Group Registration Entries: specify whether frames addressed to a group (multicast) MAC address on a certain VLAN should be forwarded or discarded on each port
3. Dynamic Registration Entries: specify which ports are registered for a specific VLAN, learned at run time through a registration protocol rather than configured by hand
VLANs Increase Security
- VLANs provide segmentation that is not available in a shared (hub-based) network environment
- A switched network delivers a unicast frame only to the port on which the destination address was learned, and delivers broadcast frames (and frames to unknown destinations) only to ports that are members of the same VLAN
- Administrators can place users who need access to sensitive information in a VLAN separate from the general user community, regardless of physical location
- Monitoring a port with a traffic analyzer shows only the traffic associated with that particular port, unless the port has deliberately been configured as a monitor (mirror) port or carries tagged traffic for several VLANs as a trunk
- Caveat: the VLAN boundary confines frames within the switched network; hosts on different VLANs can still reach each other through a router or Layer 3 switch, so access control between VLANs is enforced at that routing point, not by the VLAN itself, and host-facing ports should not be allowed to send or negotiate tagged traffic for VLANs they are not members of
Summary
VLANs allow the formation of virtual workgroups, better security, improved performance, simplified administration and reduced network costs. VLANs are formed by logical segmentation of a network and can be classified by the layer used to assign membership (port, MAC address or IP subnet). Tagging and the filtering database allow a switch to determine the VLAN of received data and the ports to which it should be forwarded.