Join Lisa Bock for an in-depth discussion in this video Introducing VLANS, part of IT Security Foundations: Network Security.
- Layer two or switched networks are flat in that all hosts are physically tethered off of a switch. Off of that switch is a single broadcast domain, which means every device that is attached to the switch will see the broadcast. A VLAN or virtual local area network removes the physical barrier and treats the hosts as if they were all part of the same subnet while logically separating networks within networks, creating smaller broadcast domains.
Here you can see three computers illustrated in red. They would all be part of the same virtual local area network. However, they are not attached to the same switch. A couple of things about VLANs. VLANs are part of a separate IP subnetwork. As a result a layer 3 switch or router must be used. With Cisco IOS we use VLAN Trunking Protocol or VTP. This is used by Cisco to propagate VLAN information to all the switches.
VLANs offer a number of advantages over traditional LANs. One being simplified administration. When a computer is physically moved to another location it can stay on the same VLAN without any hardware reconfiguration. And performance, by reducing broadcast and multicast, and creating broadcast domains using switches instead of routers. Here you can see a traditional LAN. As you see, that is one giant broadcast domain.
Now using VLANs reduces the size of that broadcast domain, therefore improving efficiency. And virtual workgroups in isolation. For example, if we take those three red computers and we'll say that they are part of the manufacturing group. We want to prevent manufacturing employees from viewing YouTube videos. We can create a VLAN and isolate them from the internet. The VLAN does not allow internet access but then is trunked to the main network.
VLAN Security can be used to restrict access. Security also provides setup authentication for VLAN Trunking Protocol and we can implement wireless constraints by ensuring a user assigned to a specific VLAN will always connect to that VLAN regardless of their location. VLAN membership is assigned manually on a port by port basis. Now, VLAN Creation is done on a switch. Now in this illustration I have a sample set of commands with a Cisco IOS.
We're going to set up three VLANs: vlan 10, which we'll name faculty; vlan 20, which we'll name students; and vlan 30, which we'll name guest. On that switch we'll need to assign switch ports. Now take a look at this. We'll say that the interface range 6-10 we'll assign to vlan 10. The interface range 11-17 we'll assign to vlan 20. And the interface range 18-24 we'll assign to vlan 30.
Now on a switch a switch port is defaulted as an access port, meaning it carries a single host's traffic. A trunk port, though, is used for switch-to-switch communication and can carry traffic for different VLANs. So on a switch we want to enable trunking. We'll say in this case the interface range 1-3 will then be in trunk mode. Now here you can see the switchport mode access, which is the default and allows one host's traffic to the switch.
When a switch needs to communicate with another switch we put it in the trunk mode and that is illustrated by the different colors of the different VLANS traveling to the other switch. Now when we take a look at VLAN creation here we're going to use an example illustrating the 802.1Q, which is the standard that supports VLANS and tagging. When a switch receives data from a work station it tags the data with a VLAN identifier so it knows where to go. Up at the top we see a standard Ethernet frame.
With this Ethernet frame we see the source and destination MAC address and then following that would be the data, which will include the IP header, the transport layer header, and the data. When we use tagging or an 802.1Q frame we see that the frame has a source and destination MAC address, but then tucked right there before the IP header, the transport layer header and the data is the tag. Now I'm in Wireshark, a free and open source protocol analyzer.
This is a VLAN packet capture and I want to show you one thing. I'm going to go to Frame 9. Now, what we see here, Frame 9, this information here, there's no header called Frame 9, that's just metadata about this single frame. But here, we see the true frame header, Ethernet II and in it you see the source and destination MAC address. After that you see the IP header, which includes the source and destination IP address.
And the transport layer header, in this case it's a TCP header. Before the IP header, and the transport layer header, and any data, if there were to be any data, sits the tag to illustrate where that frame is to go. I'm going to open this up and you can see 802.1Q Virtual LAN. And there you see ID: 32, which indicates membership in VLAN 32.
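As an added example, not part of the course material, here is a small Python parser for the Ethernet II header and the 802.1Q tag described above. The sample frame is constructed here and tagged for VLAN 32 to mirror the Wireshark capture; the tag is inserted right after the source MAC, as the transcript describes.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag follows


def parse_frame(frame: bytes) -> dict:
    """Parse Ethernet II dst/src/EtherType and, if present, the 4-byte 802.1Q tag.

    Returns a dict with the MACs, the VLAN fields (None when untagged),
    the EtherType of the payload that follows the header, and that payload.
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet II header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    offset, vlan = 14, None
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("802.1Q TPID present but the tag is truncated")
        # TCI = 3-bit priority (PCP), 1-bit drop eligible (DEI), 12-bit VLAN ID
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan = {"pcp": tci >> 13, "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF}
        offset = 18
    return {"dst": dst.hex(":"), "src": src.hex(":"), "vlan": vlan,
            "ethertype": ethertype, "payload": frame[offset:]}


def tag_frame(frame: bytes, vid: int, pcp: int = 0) -> bytes:
    """Insert an 802.1Q tag after the source MAC, as a switch does on ingress."""
    if not 1 <= vid <= 4094:
        raise ValueError("VID must be 1..4094 (0 and 4095 are reserved)")
    return frame[:12] + struct.pack("!HH", TPID_8021Q, (pcp << 13) | vid) + frame[12:]


def strip_tag(frame: bytes) -> bytes:
    """Remove the 802.1Q tag, as a switch does before handing a frame to an access port."""
    if parse_frame(frame)["vlan"] is None:
        return frame
    return frame[:12] + frame[16:]


# Constructed sample: untagged IPv4 frame (EtherType 0x0800) with a dummy 20-byte payload
UNTAGGED = (bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
            + b"\x08\x00" + b"\x45" + b"\x00" * 19)
TAGGED = tag_frame(UNTAGGED, 32)  # VLAN 32, like the capture in the video

if __name__ == "__main__":
    print(parse_frame(UNTAGGED)["vlan"], parse_frame(TAGGED)["vlan"])
```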
Note: This training maps to a number of the exam topics on the Microsoft Technology Associate (MTA) Security Fundamentals exam (98-367). See https://www.microsoft.com/learning/en-us/exam-98-367.aspx for more information.