Virtual Local Area Networks (VLAN) Group 3 Shade Alabsa, Blayne Cohran, Betty Kretlow, Sayali Joshi, Siva Kalyan Chakravarthy

VLANs What is it? Why use VLANs? How does it work? What does it look like? Advantages and disadvantages Uses

What are VLANs? “A LAN consists of all devices in the same broadcast domain.” VLAN’s do this on the switch level allowing multiple broadcast domains on one switch. Partitions broadcast domain on the data link layer. Standardized by 802.1Q – Preceded by ISL from Cisco which is proprietary

Why use VLANs? “Switches are easy, routers are hard.” Users are assigned to one or more VLANs by an administrator, automatically or via a management system. The switches maintain VLAN configuration information. VLANs can span multiple switches and sites. Users should be grouped by community of interest, not location in building. However users in single community of interest are rarely located in same part of building. Groups of users are usually separated into their own IP networks for network management, performance, security and other policy reasons.

How does it work? Ethernet frames are tagged as they are encountered by the first VLAN aware host, usually the switch its connected to. Switches must know station VLAN membership across all switches. Table Maintenance Frame tagging TDM

VLAN Membership methods Membership by port Define which port of switch belong to which VLAN. Advantage : Easy to configure. Disadvantage : require switch reconfiguration whenever workstation moved from one place to another. Membership by MAC address (dynamic) Membership based on mac address of workstation. Switch automatically assigns port to a VLAN using device’s MAC address. When device connected to switch port, switch queries to VMPS to establish membership Membership by protocol type Header contains protocol type field. Traffic handled on the basis of its protocol. Segregates or forward traffic from port depending on protocol of traffic. Membership by IP subnet address Membership is based on Layer 3 header and switch reads layer 3 IP address and associate a VLAN membership.

What does it look like? Tag header : Information added to each frame to indicate which VLAN the frame belongs to. Bridges will forward frames only to those ports that belong to the VLAN instead of to all output ports. Two formats of Tag header are 1. Ethernet Frame Tag Header: 2. Token Ring and Fiber Distributed Data Interface (FDDI) : Tag control information(TCI) :

What does it look like? TPID – Tag Protocol Identifier 16 bit field set to 0x8100 to identify frame as an 802.1Q tagged frame Priority 3 bit field refers to 802.1P priority. Represented by 8 levels 0 -7 CFI – Canonical Format Indicator 1 bit field to indicate whether the mac address is canonical format. 1 == noncanonical 0 == canonical VID – VLAN Identifier 12 bit field to uniquely identify which VLAN the frame belongs to. Frame Size

What does it look like? 802.1Q tag is 4 bytes Maximum frame size 1522 bytes and minimum is 68 bytes. On a switch that doesn’t support VLAN’s frames are silently dropped if the frame size is over 1518 Frames less than 1518 are processed as normal on non supporting VLAN switches.

Types of VLAN connections Trunk Link Devices connected to trunk link are VLAN-aware. All frames on a trunk link must have a special header attached.

Access Link Connects a VLAN-unaware device to the port of a VLAN-aware bridge. All frames on access links must be implicitly tagged. Hybrid Link Both VLAN-aware and VLAN-unaware devices are attached. Hybrid link can have both tagged and untagged frames, but all the frames for a specific VLAN must be either tagged or untagged. Access LinkHybrid Link

Frame Processing and Tagging Filtering Database Static Entries - Static information added, modified and deleted by management only. Two types of static entries Static Filtering entries Static Registration Entries Dynamic Entries – Learns by the bridge and not created or updated by the management. Entries are updated only if Port allows learning Source address is a workstation address and not a group address Space available in the database There are three types of dynamic entries Dynamic Filtering Entries Group Registration Entries Dynamic Registration Entries

Q-in-Q

Advantages and Disadvantages Allows formation of work groups And better isolation between groups of users Limits broadcast domains Facilitates network administration

Uses You can use multiple VLANs for a given L3 network to force traffic to go through an intermediary device, like an IDS. E.g, security zone DMZ gets a vlan for DMZ- Front and DMZ-Back. -Front connects firewall to upstream port on IDS, -Back connects downstream port on IDS to servers. Home brewed “VPN” across ISP – 802.1Q tunneling example

Resources Forouzan, Behrouz A. Data Communications and Networking, Fifth Edition. New York: McGraw-Hill, Print. Forouzan, Behrouz A. TCP/IP Protocol Suite. Boston: McGraw-Hill Higher Education, Print. Lammle, Todd. CCNA: Cisco Certified Network Associate Study Guide. Indianapolis, IN: Wiley, Print. Odom, Wendell, and Wendell Odom. CCENT/CCNA ICND Official Cert Guide ; CCNA ICND Official Cert Guide. N.p.: n.p., n.d. Print. Odom, Wendell. CCENT/CCNA ICND Official Cert Guide. Indianapolis, IN: Cisco, n.d. Print. Tanenbaum, Andrew S. Computer Networks. Upper Saddle River, NJ: Prentice Hall PTR, Print. Molenaar, Rene. "802.1Q Tunneling (Q-in-Q) Configuration Example." N.p., n.d. Web. Evenchik, Len. "Communication Protocols and Internet Architectures." (n.d.): n. pag. Harvard. Harvard. Web.. Varadarajan, Suba. "Virtual Local Area Networks." Virtual Local Area Networks. Washington University St. Louis, 14 Aug Web. 16 July "Inter-Switch Link and IEEE 802.1Q Frame Format." Cisco. Cisco, 25 Aug Web. 16 July