Creating VLANS

Transcript Creating VLANS

Virtual Local Area Networks
Should I V-LAN?
1. Security
V-LANs can restrict access to network resources
Should I V-LAN?
Access Control Lists are used to direct the availability of information
[Diagram: a Student Records server; the Students V-LAN is denied access, the Faculty V-LAN is permitted access]
Should I V-LAN?
2. Broadcast Control for Increased Performance
Reduce the size of your broadcast domains (a switch already gives every port its own collision domain; what a V-LAN shrinks is the broadcast domain)
Limit broadcast traffic to similar users
Check Your Network for Broadcast Protocols
[Chart: the deck's sample traffic mix – TCP 40%, UDP 10%, ARP 35%, DHCP 8%, IPX 5%, SPX 2%]
[Diagram: one broadcast domain versus V-LANs forming multiple broadcast domains]
Should I V-LAN?
3. Network Monitoring
Centrally configure
devices in local areas
Divide your users into
logical groupings
Should I V-LAN?
Your security will improve
Your network performance
will improve
How Many V-LANs?
NC State
• List Buildings
• Itemize Departments
• Remember BROADCAST CONTROL
How Many V-LANs?
Building 1
Lab 1
Lab 2
Faculty/Staff
Library
Administration
Building 2
Wireless Lab
Faculty/Staff
Building 3
Lab 3
Faculty/Staff
How Many V-LANs?
When you’re done – Add 2 More
1. A Test V-LAN for your Test Lab
2. An “Internet Only” V-LAN for all
unused ports
plus V-LAN #1 will be your default V-LAN
for your administrative purposes
How Many V-LANs?
• Building 1 – 18 V-LANs
• Building 2 – 6 V-LANs
• Building 3 – 7 V-LANs
• Building 4 – 4 V-LANs
• Building 5 – 2 V-LANs
• Building 6 – 7 V-LANs
• 3 Server V-LANs
• Internet Only V-LAN
• Test V-LAN
• Adm. V-LAN
• Total – 50
Equipment/Server Concerns
• You will need a trustworthy Layer 3 main switch (example: Cisco 4506) to route traffic between the V-LANs
• Unmanaged switches and hubs can carry only 1 V-LAN
• Some protocols, such as IPX and AppleTalk, depend on broadcasts, and broadcasts do not cross V-LAN boundaries. These will need to be addressed.
Equipment/Server Concerns
• Each V-LAN will need its own DHCP scope.
• DNS must be reachable from every V-LAN
• Servers hosting the applications users need cannot reside on a V-LAN those users will be blocked from
• You must know what is connected to every port on every switch.
How Do I Begin?
Get details on your current setup
Conduct an audit of the ports on your switches
Create a Switch Audit Form
Switch Loc. | IP Address | Manuf/Mod # | Upload Port
Port Information:
Port # | Patch # | User Loc | User Name | Printers Used | VLAN #
1      |         |          |           |               |
2      |         |          |           |               |
3      |         |          |           |               |
Set Up a Schedule
• Week 1 – Audit Bldg. 1
• Week 2 – Audit Bldg. 2
• Week 3 – Audit Bldg. 3
• Week 4 – Audit Bldg. 4
• Week 5 – Audit Bldg. 5
• Week 6 – Audit Bldg. 6
• Week 7 – Write Configuration & Access Lists – Select IP Addresses for Users
• Week 8 – Implementation: Add V-LANs to main switch & DHCP Scopes; Set all ports on all switches; Test PCs & Printers; Change IPs where needed
You have a new network!
Adhere to the schedule!!
How Do I Add V-LANs to the Switches?
• Add every V-LAN to the main switch
• Add to each switch the V-LANs it will need – With some manufacturers the secondary switches will automatically read the list from the main switch (Cisco's VTP is one such mechanism)
• Set each port to the correct V-LAN
[Diagram: the Main Switch contains all V-LANs; the Secondary Switches contain the V-LANs they service; set each port to the correct V-LAN]
Sample Script for Main Switch
ena
config t
vlan 2
 name Building1Lab1
 exit
vlan 3
 name Building1Lab2
 exit
1. Add the V-LAN (vlan 2)
2. Name the V-LAN (name Building1Lab1)
3. Exit that V-LAN (exit)
4. Add another V-LAN (vlan 3)
Sample Script for Main Switch
int vlan 1
 description Bus Lab
 ip address 172.16.1.1 255.255.255.0
 ip helper-address 10.9.3.102
 no shutdown
 exit
int vlan 2
5. Enter the V-LAN as an interface (int vlan 1)
6. Give a description to the V-LAN
7. Give an IP address and mask to the V-LAN interface; this address becomes the default gateway for hosts on the V-LAN
8. Give the DHCP server's address with ip helper-address (hyphenated; the slide omitted the hyphen) so the switch relays the V-LAN's broadcast DHCP requests to that server
9. Turn the V-LAN interface on (no shutdown)
Remember . . .
• You must have a default gateway IP address (the switch's V-LAN interface) for every V-LAN
• You must have a DHCP scope for every V-LAN
About those IP Addresses
• You will need an addressing scheme for your new network
• Choose it carefully so your V-LANs will be easy to identify
• Use one of the private (RFC 1918) ranges, or a combination of them – 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16
For convenience, subnet so that one octet of the address equals the V-LAN number:
Ex – 10.1.0.0, 10.2.0.0 with mask 255.255.0.0
172.16.1.0, 172.16.2.0 with mask 255.255.255.0
You would instantly know that a device at 172.16.1.x was on V-LAN 1 and a device at 172.16.2.x on V-LAN 2
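The sample script and the addressing scheme above are one procedure: pick the V-LAN number, derive its subnet, give the switch interface the .1 address and point it at the DHCP server. The following is an added example (not code from the presentation) that renders steps 1-9 for a whole V-LAN plan under the 172.16.N.0/24 convention and also reports the DHCP scope each V-LAN needs. The DHCP server 10.9.3.102 is the address from the slide; the plan entries, names and descriptions are constructed to match the deck's building list and are assumptions.

```python
"""Generate the main-switch VLAN and SVI configuration from a V-LAN plan.

Added example, not part of the original presentation. It applies the
deck's conventions: V-LAN N gets the subnet 172.16.N.0/24, the switch's
VLAN interface takes .1 (the hosts' default gateway), and each interface
relays DHCP to the central server with 'ip helper-address'. The DHCP
server 10.9.3.102 is the address used on the slide; the plan entries
below are constructed from the deck's building list.
"""
import ipaddress

DHCP_SERVER = "10.9.3.102"          # from the slide's sample script

# Constructed plan: (vlan id, name for the 'vlan' block, interface description).
# VLAN 1 already exists on the switch as the default VLAN, so no 'vlan 1'
# block is emitted for it; it still gets an interface (the Adm. V-LAN).
PLAN = [
    (1, "Admin", "Bus Lab"),
    (2, "Building1Lab1", "Building 1 - Lab 1"),
    (3, "Building1Lab2", "Building 1 - Lab 2"),
    (5, "Building1Faculty", "Building 1 - Faculty/Staff"),
]


def vlan_subnet(vlan_id: int) -> ipaddress.IPv4Network:
    """Subnet for a V-LAN under the 172.16.N.0/24 scheme (N is the VLAN id)."""
    if not 1 <= vlan_id <= 255:   # the third octet can only hold 0-255
        raise ValueError(f"VLAN {vlan_id} does not fit the 172.16.N.0/24 scheme")
    return ipaddress.ip_network(f"172.16.{vlan_id}.0/24")


def gateway(vlan_id: int) -> str:
    """The SVI address, i.e. the default gateway hosts on the V-LAN will use."""
    return str(vlan_subnet(vlan_id).network_address + 1)


def dhcp_scope(vlan_id: int) -> tuple:
    """(first, last) address the DHCP server may lease: .2 through .254,
    leaving .1 for the gateway. This is the scope the server needs per V-LAN."""
    hosts = list(vlan_subnet(vlan_id).hosts())
    return str(hosts[1]), str(hosts[-1])


def ios_config(plan=PLAN, dhcp_server=DHCP_SERVER) -> str:
    """Render steps 1-9 of the deck's sample script for every V-LAN in plan."""
    ids = [vid for vid, _, _ in plan]
    if len(ids) != len(set(ids)):
        raise ValueError("duplicate VLAN id in plan")
    lines = ["enable", "configure terminal"]
    for vid, name, _ in plan:                 # steps 1-4: create and name
        if vid != 1:
            lines += [f"vlan {vid}", f" name {name}", " exit"]
    for vid, _, desc in plan:                 # steps 5-9: SVI, address, helper, up
        net = vlan_subnet(vid)
        lines += [
            f"interface Vlan{vid}",
            f" description {desc}",
            f" ip address {gateway(vid)} {net.netmask}",
            f" ip helper-address {dhcp_server}",
            " no shutdown",
            " exit",
        ]
    lines.append("end")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(ios_config())
    for vid, _, _ in PLAN:
        first, last = dhcp_scope(vid)
        print(f"# VLAN {vid}: DHCP scope {first} - {last}, gateway {gateway(vid)}")
```

Keeping the VLAN id, subnet and gateway derived from one number is what makes the scheme auditable later: any address seen in a log or a capture reveals its V-LAN without a lookup table, and the DHCP scope list falls out of the same function.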
Take it Slowly . . .
Set all your switches and test your new network
Give everyone full access until all the bugs have been fixed
When everything works, you're ready to add the security
Access Lists
• Access Lists are used for Security
• These lists block or allow users' access to servers or network addresses
• Users can be blocked completely – or by protocol
• Ex – Students can be blocked from accessing a server with Telnet
Access Lists
Specify the users you wish to block or allow by using a Wildcard Mask.
This mask identifies which bits of the address are to be checked: a 0 bit must match, a 1 bit is ignored, so per octet 0 = match exactly, 255 = ignore
Example:
172.16.2.0 0.0.0.255 – ignore the last octet, so the entry matches addresses 172.16.2.0 – 172.16.2.255
Access Lists
Permit the services users will need – DNS, HTTP, etc.
Deny the services you want to block
Apply the Access List to the correct V-LANs
V-LANs without an Access List will have total access
An Access List is read top down and the first matching line wins; anything not matched by a permit line is dropped by the implicit deny at the end, so a V-LAN with an Access List has only the access the list explicitly permits
Access List Example
access-list 101 permit ip 172.16.0.0 0.0.255.255 host 10.0.0.1
– permits all users access to the Firewall (10.0.0.1)
access-list 101 deny ip 172.16.5.0 0.0.0.255 host 10.0.0.2
– denies V-LAN #5 access to the GroupWise Mail server (10.0.0.2)
Access List Example
access-list 101 permit tcp 172.16.0.0 0.0.255.255 host 10.0.0.3 eq http
– permits all hosts access to the web server (10.0.0.3), but only for HTTP
int vlan 5
 ip access-group 101 in
– applies access-list 101 to traffic entering the switch from V-LAN #5
With only these three lines, hosts on V-LAN #5 can reach the firewall, the web server on HTTP, and nothing else; DNS, HTTPS and every other service fall to the implicit deny until a permit line is added for them.
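To see how the wildcard mask and the top-down evaluation interact, here is an added example (not code from the presentation) that parses the three lines of access-list 101 exactly as written on the slides and evaluates sample flows from a V-LAN #5 host against them, including the implicit deny. It also shows the list with one extra permit for DNS, which the slide's list lacks. The flow addresses, the port numbers, the DNS server 10.0.0.53 and the extra "permit udp ... eq domain" line are constructed for the example and are assumptions, not part of the deck.

```python
"""Evaluate a Cisco-style extended access list against sample flows.

Added example, not from the original presentation. It implements the two
things the slides describe: the wildcard-mask test (a 0 bit must match,
a 1 bit is ignored) and top-down, first-match evaluation of a numbered
extended ACL with the implicit 'deny any' at the end. The three ACEs in
ACL_101 are the ones on the slide. The flow addresses, the DNS server
10.0.0.53 and the extra 'permit udp ... eq domain' line are constructed
for the example, not taken from the deck.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# IOS port keywords accepted after 'eq' (a subset).
PORT_NAMES = {"http": 80, "www": 80, "domain": 53, "telnet": 23, "smtp": 25}


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """True if addr matches base under a Cisco wildcard mask."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF           # 0 bits in the wildcard: must match
    return (a & care) == (b & care)


@dataclass
class Ace:
    action: str             # permit | deny
    proto: str              # ip | tcp | udp | icmp
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    dport: Optional[int]    # from 'eq <port>'; None = any port


def _address(tokens: List[str]) -> Tuple[str, str]:
    """Consume one address spec: 'host A', 'any', or 'A WILDCARD'."""
    t = tokens.pop(0)
    if t == "host":
        return tokens.pop(0), "0.0.0.0"
    if t == "any":
        return "0.0.0.0", "255.255.255.255"
    return t, tokens.pop(0)


def parse_ace(line: str) -> Ace:
    """Parse 'access-list N <permit|deny> <proto> <src> <dst> [eq <port>]'."""
    tokens = line.split()
    if tokens[0] == "access-list":
        tokens = tokens[2:]               # drop 'access-list <number>'
    action, proto = tokens.pop(0), tokens.pop(0)
    src, src_wc = _address(tokens)
    dst, dst_wc = _address(tokens)
    dport = None
    if tokens and tokens[0] == "eq":
        port = tokens[1]
        dport = int(port) if port.isdigit() else PORT_NAMES[port]
    return Ace(action, proto, src, src_wc, dst, dst_wc, dport)


def evaluate(acl: List[Ace], src: str, dst: str, proto: str,
             dport: Optional[int] = None) -> Tuple[str, Optional[int]]:
    """First matching ACE wins. Returns (action, 1-based ACE number);
    ('deny', None) is the implicit deny that catches everything else."""
    for n, ace in enumerate(acl, 1):
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if not wildcard_match(src, ace.src, ace.src_wc):
            continue
        if not wildcard_match(dst, ace.dst, ace.dst_wc):
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action, n
    return "deny", None


# The slide's access list, applied inbound on interface Vlan5.
ACL_101 = [parse_ace(line) for line in (
    "access-list 101 permit ip 172.16.0.0 0.0.255.255 host 10.0.0.1",
    "access-list 101 deny ip 172.16.5.0 0.0.0.255 host 10.0.0.2",
    "access-list 101 permit tcp 172.16.0.0 0.0.255.255 host 10.0.0.3 eq http",
)]

# Same list plus a permit for DNS (server address assumed), which the
# original list silently lacks.
ACL_101_WITH_DNS = ACL_101 + [
    parse_ace("access-list 101 permit udp 172.16.0.0 0.0.255.255 host 10.0.0.53 eq domain"),
]

if __name__ == "__main__":
    # Constructed flows from a host on V-LAN 5: firewall, mail, web (http and
    # https) and DNS. The last two are dropped by the implicit deny in ACL_101.
    flows = [("10.0.0.1", "tcp", 443), ("10.0.0.2", "tcp", 25),
             ("10.0.0.3", "tcp", 80), ("10.0.0.3", "tcp", 443),
             ("10.0.0.53", "udp", 53)]
    for dst, proto, port in flows:
        print(dst, proto, port,
              evaluate(ACL_101, "172.16.5.20", dst, proto, port),
              evaluate(ACL_101_WITH_DNS, "172.16.5.20", dst, proto, port))
```

Running the flows shows the point the slide leaves implicit: the mail-server deny on line 2 is the only deny you wrote, but HTTPS to the web server and DNS are denied just as firmly by the line you did not write. Test every V-LAN's required services against the list in this way before applying it with ip access-group.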
Enjoy Your New Network
• Security
• Multiple Broadcast
Domains
• Easier Monitoring