VLANs partition a single layer 2 network into multiple virtual, isolated network segments.
- Security. Traffic is confined to its own vlan.†
- Traffic management. QoS can be applied per vlan.
- Abstraction. VLANs can be constructed of nodes on different physical lan segments.
† It’s easy to misconfigure vlans, which can allow a malicious client to hop vlans. vlans are not a security panacea, but they’re a reasonable addition to other security measures.
How VLANs Work
802.1Q encapsulation. Packets are encapsulated with a VLAN ID tag that can be read by vlan-aware devices.
- Traffic between vlans must be routed.
- Up to 4093 vlans can be defined.
- In theory, vlan tags may not reliably survive passing through dumb switches/hubs.
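To make the encapsulation concrete, here is an added example (not code from the original notes) that inserts, parses and strips the 4-byte 802.1Q tag a vlan-aware device reads: the TPID 0x8100 followed by a TCI word holding the 3-bit priority, the DEI bit and the 12-bit VID. The sample frame, its MAC addresses and its payload are constructed for the example.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag follows


def tag_frame(frame: bytes, vid: int, pcp: int = 0, dei: int = 0) -> bytes:
    """Insert an 802.1Q tag after the two MAC addresses of an untagged frame."""
    if not 0 <= vid <= 4095:
        raise ValueError("VID must fit in 12 bits")
    if not 0 <= pcp <= 7 or dei not in (0, 1):
        raise ValueError("PCP is 3 bits, DEI is 1 bit")
    if len(frame) < 14:
        raise ValueError("frame too short to be Ethernet")
    tci = (pcp << 13) | (dei << 12) | vid
    tag = struct.pack("!HH", TPID_8021Q, tci)
    # dst(6) + src(6) | tag(4) | original EtherType + payload
    return frame[:12] + tag + frame[12:]


def parse_frame(frame: bytes) -> dict:
    """Decode dst, src, vid (None if untagged), pcp, EtherType and payload."""
    if len(frame) < 14:
        raise ValueError("frame too short to be Ethernet")
    dst, src = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    vid = pcp = None
    offset = 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        pcp = tci >> 13
        vid = tci & 0x0FFF
        offset = 18
    return {"dst": dst.hex(":"), "src": src.hex(":"), "vid": vid, "pcp": pcp,
            "ethertype": ethertype, "payload": frame[offset:]}


def untag_frame(frame: bytes) -> bytes:
    """Remove the tag, as a switch does when a frame exits an untagged port."""
    if parse_frame(frame)["vid"] is None:
        return frame
    return frame[:12] + frame[16:]


# Constructed sample: broadcast destination, made-up locally administered
# source MAC, ARP EtherType (0x0806) and a zero-filled 28-byte payload.
SAMPLE_UNTAGGED = (bytes.fromhex("ffffffffffff") + bytes.fromhex("020000000001")
                   + struct.pack("!H", 0x0806) + b"\x00" * 28)

if __name__ == "__main__":
    tagged = tag_frame(SAMPLE_UNTAGGED, vid=10, pcp=3)
    print(parse_frame(tagged))
    print(untag_frame(tagged) == SAMPLE_UNTAGGED)
```

Note that the tag sits between the source MAC and the original EtherType, which is why a device that does not understand 0x8100 sees an unknown EtherType rather than the ARP frame inside; that is the practical reason tags may not survive the dumb devices mentioned above.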
Configuration and Terminology
Create numbered VLANs.
The default vlan generally has VID 1.
- On an unconfigured switch, all ports belong to vlan 1.
- Consider restricting vlan 1. Devices for which you haven’t otherwise accounted will end up there.
Create a new management vlan for switches
- This should not be the default vlan.
- Setting the management vlan will not necessarily secure access to the switch’s management interface.
- Use ACLs or firewall rules to protect the management vlan from other vlans.
- What it actually does (or should do, if the switch manufacturer is on their game) is tag any traffic from the switch itself (its IP) with the configured management VID.
After defining vlans, configure each port.
Port configuration has two aspects that must be defined for each port: ingress and egress.
TRAFFIC ENTERING THE SWITCH (Ingress):
- PVID: untagged packets entering the port are tagged with this vid.
- Tagged packets entering through this port will not be changed.
- Trunk/Tagged ports should have a PVID of the default vlan.
TRAFFIC LEAVING THE SWITCH (Egress):
- UNTAGGED: the port is a member of the vlan.
- The device connected to this port receives traffic tagged for this vlan.
- However, the connected device is not vlan-aware, so the switch strips vlan encapsulation from the packet as it exits the port for the connected device.
- TAGGED: this port trunks for this vlan.
- The device on the other end is vlan-aware (generally, another smart switch, or perhaps a vlan-aware server or firewall).
- NOT MEMBER/BLANK: as expected. The port doesn’t see traffic for this vlan.
- Cisco terminology varies from that of most other vendors.
- “Access port” = Untagged.
- “Trunk port” = Tagged.
- “Native vlan” = PVID.
- D-Link switches seem to auto-assign the PVID based on vlan membership (Untagged).
- On Netgear switches, we need to manually assign PVID for ports after configuring the vlans.
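The ingress and egress rules above, as an added example in Python rather than any vendor's configuration syntax (this is not code from the original notes): each port carries a PVID, an untagged membership set and a tagged set; untagged frames entering a port get the PVID, tagged frames are left alone, forwarding is limited to member ports of that vlan, and on egress the tag is stripped for untagged members and kept for tagged ones. The per-vlan MAC table also shows why a broadcast such as an ARP request floods only the ports of its own vlan. The audit at the end flags the two mistakes the notes warn about: leaving ports on the default vlan, and a PVID the port is not actually a member of (the manual-PVID situation described for Netgear). Port names, MACs and the switch layout are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

BROADCAST = "ff:ff:ff:ff:ff:ff"
DEFAULT_VLAN = 1


@dataclass
class Port:
    pvid: int                                        # VID given to untagged ingress frames
    untagged: Set[int] = field(default_factory=set)  # vlans this port is a member of (access)
    tagged: Set[int] = field(default_factory=set)    # vlans this port trunks for


@dataclass
class Frame:
    dst: str
    src: str
    vid: Optional[int] = None  # None means no 802.1Q tag on the wire


def ingress(port: Port, frame: Frame) -> Frame:
    """Untagged frames receive the PVID; tagged frames are not changed."""
    if frame.vid is None:
        return Frame(frame.dst, frame.src, port.pvid)
    return frame


def forward(ports: Dict[str, Port], mac_table: Dict[int, Dict[str, str]],
            in_port: str, wire_frame: Frame) -> Dict[str, Frame]:
    """Return {egress port: frame as it leaves}; mac_table is per vlan (vid -> mac -> port)."""
    frame = ingress(ports[in_port], wire_frame)
    vid = frame.vid
    mac_table.setdefault(vid, {})[frame.src] = in_port  # learn the source in this vlan only
    known = mac_table[vid].get(frame.dst)
    if frame.dst != BROADCAST and known is not None:
        candidates = [] if known == in_port else [known]  # dst on the ingress port: filtered
    else:
        candidates = [n for n in ports if n != in_port]    # flood, but only to members
    out: Dict[str, Frame] = {}
    for name in candidates:
        port = ports[name]
        if vid in port.untagged:
            out[name] = Frame(frame.dst, frame.src, None)  # strip tag for a non-aware device
        elif vid in port.tagged:
            out[name] = Frame(frame.dst, frame.src, vid)   # keep tag on the trunk
        # not a member: the port never sees this vlan's traffic
    return out


def audit(ports: Dict[str, Port], mgmt_vlan: int) -> List[str]:
    """Configuration checks for the pitfalls listed in the notes."""
    findings = []
    if mgmt_vlan == DEFAULT_VLAN:
        findings.append("management vlan is the default vlan")
    for name, p in ports.items():
        if p.untagged == {DEFAULT_VLAN} and not p.tagged and p.pvid == DEFAULT_VLAN:
            findings.append(f"{name}: unconfigured, still on the default vlan only")
        if p.pvid not in p.untagged and p.pvid not in p.tagged:
            findings.append(f"{name}: PVID {p.pvid} is not a vlan this port is a member of")
    return findings


# Constructed switch: two access ports in vlan 10, one in vlan 20, a trunk
# with the default vlan as PVID (as the notes recommend), and one port
# nobody ever configured.
SAMPLE_PORTS = {
    "g1": Port(pvid=10, untagged={10}),
    "g2": Port(pvid=10, untagged={10}),
    "g3": Port(pvid=20, untagged={20}),
    "g24": Port(pvid=1, untagged={1}, tagged={10, 20}),
    "g5": Port(pvid=1, untagged={1}),
}

if __name__ == "__main__":
    table: Dict[int, Dict[str, str]] = {}
    # An ARP request (broadcast) from the host on g1: floods vlan 10 only.
    print(forward(SAMPLE_PORTS, table, "g1", Frame(BROADCAST, "02:00:00:00:00:01")))
    for line in audit(SAMPLE_PORTS, mgmt_vlan=1):
        print("finding:", line)
```

Running it shows the vlan 10 broadcast reaching g2 untagged and g24 with its tag, and nothing at all on g3 or g5, while the audit reports the management vlan and the forgotten port g5.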
Appendix: A Brief Review of the OSI Network Layer Model
In terms of VLANs, we’re concerned mainly with layer 2.
Dumb hubs operate only on layer 1; any packet received on any port gets sent to all the ports. Switches operate on layer 2; they shuffle traffic based on MAC addresses, with traffic received on one port only sent to the destination port with the appropriate MAC address. VLAN-capable smart switches maintain multiple ARP tables (see below) to further constrain which ports see what traffic. Some smart switches also have limited routing capability operating on layer 3.
- Physical: cables, link lights, simplex/duplex, DSL, T1
- Data link: MAC, ARP, lowest level TCP stuff, PPP, SLIP
- Network: routing, packetization, IPv4, IPv6, ICMP, IPsec
- Transport: segmentation-desegmentation, retransmits, UDP, TCP
- Session: NetBIOS, RPC, etc.
- Presentation: encapsulation, SSL, MIME, VT220
- Application: DNS, FTP, HTTP, NTP, SMTP, etc.
Appendix: A Brief Review of ARP
ARP is a layer 2 protocol. Nodes broadcast ARP requests in order to discover the MAC address of other nodes to which they wish to send data. A switch receives ARP requests, and broadcasts them to all its ports. The destination node responds to the original node with its MAC address and IP address. The originating host adds this pair of addresses to its ARP table.
The switch itself also maintains an ARP table, which matches MAC address to its ports. Smart switches manage ARP mappings in a more sophisticated way.