Friday 13 July 2012

Tutorial – VLANS, what they are and how they work

Virtual Local Area Network (VLAN)

What is a VLAN? Well, Cisco defines a VLAN as:

“A switched network that is logically segmented on an organizational basis, by functions, project teams, or applications rather than on a physical or geographical basis.”
What this is saying is that a VLAN is not defined by any physical restraints or needs; it can span an entire country or sit on the same floor of an office. VLANs are formed for administrative purposes, not geographical ones.
So what are they?
Well, in a nutshell, a VLAN is a LAN that functions separately from the physical LAN it is located in.
Take this following example:
You have an office in London and an office in Manchester and you need to put a small network in place between both of them.
You find out there is already a Fibre Optic network linking the two of them up but this network needs to be completely separate from yours.
Do you buy your own fibre, routers, firewalls, switches etc. and have a completely separate network? You could, but it’s not a very cost effective solution for a small network.
What about ‘piggy backing’ on the existing network? It would cut costs down considerably and would make use of a network that is already in place and working perfectly. However, you have been told the networks must remain separate from start to finish and not interfere with each other in any way.
The simple solution is to designate a port on each switch to a VLAN – say VLAN 30 in this case.
Say your new network is a 192.168.200.0 network and the existing network is a 10.0.0.0 network. You speak to the network engineer who runs the existing one and ask him very nicely, whilst placing a crate of Fosters on his desk, if he can put a port on each switch into VLAN 30.
Obviously he agrees and drops everything to do this for you.
Now, in essence, there are as good as two different networks linking the two buildings together, but in reality there is only one ‘set’ of hardware in place. The 10.0.0.0 network is completely separate from the 192.168.200.0 network as far as routing is concerned; they just share the same switches, is all.
Or, for a smaller problem, maybe you have different departments in your office that need to be segregated from each other. Say a finance department and a sales department.
The finance department deals with sensitive data that should not be seen by anyone in other departments. One way to get around this problem is to place the finance department into their own VLAN. That way anyone not in this VLAN will not be able to access it without first going through a router, and on the router you place Access Control Lists (ACLs) to restrict who can use this VLAN and who can’t.
“In switched networks, routers perform broadcast management, route processing and distribution, and provide communications between VLANs. Routers provide VLAN access to shared resources and connect to other parts of the network that are either logically segmented with the more traditional subnet approach or require access to remote sites across wide-area links.”
Before switches, the only way to have this functionality was with routers using different interfaces for different networks; now we can use ports on a switch to virtually place a device in a different network!
Hopefully by now you get the gist of why we have VLANs, so now let’s take a look at how they work!
How VLANs Operate
So we know that we can assign a switch port to a VLAN and this will keep all the data separate from other VLANs, but how does this work?
This works by what is called VLAN frame tagging.
As we all know, once data has got to Layer 2 of the OSI model it is known as a frame. Switches live at layer 2 and switch frames, and VLANs are defined at layer 2 on a switch, so frames are what switches forward and what a switch must keep separate between VLANs.
To accomplish this, frames are tagged with a VLAN ID (VID). This VLAN ID allows any switch the frame may pass through to make the correct decision about which port to forward it out of.
So our frame gets tagged with the VLAN 30 ID as soon as it arrives at the first switch in the VLAN in, say, London.
That switch then looks at which ports are in VLAN 30, if any. If there are no ports in VLAN 30, the frame is dropped. If there are ports in VLAN 30, the usual MAC address lookup takes place and the frame is forwarded out of the correct port accordingly, as long as that port is in VLAN 30. Notice this was done on a MAC-level basis, which is why we can switch frames carrying IP addresses from different networks without the aid of a router.
From a Cisco point of view:
“The VLAN ID allows VLAN switches and routers to selectively forward packets to ports with the same VLAN ID. The switch that receives the frame from the source station inserts the VLAN ID and the packet is switched onto the shared backbone network. When the frame exits the switched LAN, a switch strips the header and forwards the frame to interfaces that match the VLAN colour. If you are using a Cisco network management product such as VlanDirector, you can actually colour code the VLANs and monitor VLANs graphically.”
So this is how switches keep track of frames, which VLAN they belong to, and why they can switch packets from different networks.
If a frame arrives for a VLAN that has not been configured, it is dropped. If a frame arrives for a VLAN that is configured, it is only sent out of a port whose VLAN matches the VLAN ID in the header of the frame.
A port can be configured to allow only frames with a VLAN ID tag, only frames with no VLAN ID tag, or both. If a frame is received that is not what the port has been configured for, it is simply dropped.
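To make the forwarding rules above concrete, here is an added example that is not part of the original post. It assumes the tag the text describes is the 802.1Q tag (EtherType 0x8100 followed by a 16-bit field whose low 12 bits are the VLAN ID), builds constructed frames with and without that tag, and simulates a switch that drops mismatched frames, keeps a separate MAC table per VLAN, and forwards only to ports in the matching VLAN; the port names and MAC addresses are made up.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q VLAN tag

def build_frame(dst, src, vid=None, payload=b"\x08\x00" + b"\x00" * 46):
    """Build an Ethernet frame, inserting an 802.1Q tag when vid is given (constructed test data)."""
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    if vid is None:
        return hdr + payload
    return hdr + struct.pack("!HH", TPID_8021Q, vid & 0x0FFF) + payload  # priority 0, DEI 0

def parse_frame(frame):
    """Return (dst, src, vid); vid is None when the frame carries no tag."""
    dst, src = frame[0:6].hex(":"), frame[6:12].hex(":")
    if struct.unpack("!H", frame[12:14])[0] != TPID_8021Q:
        return dst, src, None
    return dst, src, struct.unpack("!H", frame[14:16])[0] & 0x0FFF

class Switch:
    """Access ports carry one untagged VLAN; trunks carry tagged VLANs plus an untagged native VLAN."""
    def __init__(self, ports):
        self.ports = ports      # e.g. {"Gi1": {"access": 30}, "Gi24": {"trunk": {10, 30}, "native": 99}}
        self.mac_table = {}     # (vid, mac) -> port: MAC addresses are learned per VLAN, not globally

    def _vlans_on(self, port):
        cfg = self.ports[port]
        return {cfg["access"]} if "access" in cfg else cfg["trunk"] | {cfg["native"]}

    def receive(self, in_port, frame):
        """Return {egress_port: sent_tagged} for a frame, or {} when the switch drops it."""
        dst, src, vid = parse_frame(frame)
        cfg = self.ports[in_port]
        if "access" in cfg:
            if vid is not None:                      # access ports accept untagged frames only
                return {}
            vid = cfg["access"]
        else:
            vid = cfg["native"] if vid is None else vid   # untagged on a trunk = native VLAN
            if vid not in self._vlans_on(in_port):   # tag not configured on this trunk: drop
                return {}
        self.mac_table[(vid, src)] = in_port         # learn the source MAC inside this VLAN only
        known = self.mac_table.get((vid, dst))
        candidates = [known] if known is not None else [p for p in self.ports if vid in self._vlans_on(p)]
        out = {}
        for p in candidates:
            if p != in_port:                         # never send a frame back out the port it came in
                out[p] = "trunk" in self.ports[p] and vid != self.ports[p]["native"]
        return out
```

An unknown destination is flooded only to ports carrying that VLAN, so a frame for VLAN 30 never reaches a VLAN 10 access port even though both share the switch.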
A switch port can be statically assigned to a VLAN, so that no matter what is plugged into the port it will always be in the relevant VLAN. This is known as a Static VLAN and is beneficial in a properly administered network where moves are properly planned and conducted.
Or you can populate a MAC table on a switch and tell it which MAC address belongs to which VLAN, known as a Dynamic VLAN. The benefit of this is that you can place a workstation anywhere on the LAN and the switch will always place it in the correct VLAN; no further configuration of the switch is required.
So that’s a very basic look at how a VLAN operates.
Let’s take a brief look at one of the most significant side effects of a VLAN – Security.
Contrary to popular belief, VLANs were not invented to improve network security; the added security is a bonus of implementing a VLAN.
Although I said earlier that the only way to talk between two VLANs is via a router, like everything IT related, someone will find a way to get around any security restriction sooner or later. It must be noted that the examples below only work on older switches.
The following is known as a ‘Temporary VLAN Cut-Through After VLAN Change’ and is taken from the Cisco web site:
“If systems have established TCP/IP communications on the same VLAN, then the switch gets configured so that one system’s port now belongs to a different VLAN. Communication continues between the two systems because each has the MAC address of the other in its ARP cache, and the bridge knows which destination MAC addresses get directed to which port.
In the second example, someone wishing to hop VLANs manually enters a static ARP entry for the desired system. Doing so requires that the person somehow learns the MAC address of the target system, perhaps through physical access to the target system.
Each of these two examples can be blocked by using switch software that removes the information necessary for passing packets between VLANs. In higher end Cisco switches, separate spanning trees, the tables that map MAC addresses to ports, exist for each VLAN. Other switches either have similar features, or can use configuration to filter the bridging information available to members of each VLAN.”
As we all know, spoofing IP source addresses has been around for many years, and spoofing VLAN tags is no different. The 2.4 Linux kernels have support for acting as VLAN switches, and can generate any VLAN tag that the user wants to. Other software exists for spoofing VLAN tags, such as Sniffer Pro v.2.0.01.
More information about VLAN ID spoofing with Linux here:
http://www.candelatech.com/~greear/vlan.html
Certain conditions have to be met for VLAN hopping to be successful:
The MAC address of the target system has to be known in advance.
The attacker must belong to the same VLAN as the trunk used to connect the switches.
You can easily prevent VLAN hopping by configuring trunk ports so that their native VLAN does not match the VLAN ID of any other VLAN that you have configured.
By default, the native VLAN for a trunk will be VLAN ID 1, the default for any VLAN. To prevent VLAN hopping you can set the native VLAN for trunks to 99, or any value that your switch supports and that is not used for any other VLAN.
Well, that is a very basic overview of VLANs, what they are and how they work. There is more to VLANs and I have left a lot out, as this did seem to get rather lengthy very quickly!
I may do a more advanced one in the upcoming months!

Friday 13 July 2012 by My Fitness Bucket · 0

Monday 11 June 2012

World IPv6 Launch

Major Internet service providers (ISPs), home networking equipment manufacturers, and web companies around the world are coming together to permanently enable IPv6 for their products and services by 6 June 2012.
Organized by the Internet Society, and building on the successful one-day World IPv6 Day event held on 8 June 2011, World IPv6 Launch represents a major milestone in the global deployment of IPv6.  As the successor to the current Internet Protocol, IPv4, IPv6 is critical to the Internet's continued growth as a platform for innovation and economic development.

This Time It is For Real

Major Internet service providers (ISPs), home networking equipment manufacturers, and web companies around the world are uniting to redefine the global Internet and permanently enable IPv6 for their products and services on 6 June 2012.

Monday 11 June 2012 by My Fitness Bucket · 0

Tuesday 8 May 2012

Hi, we all know that Facebook founder Mark Zuckerberg stole the idea of Facebook from two twin brothers at Harvard University in 2001


Hi,
we all know that Facebook founder Mark Zuckerberg stole the idea of Facebook from two twin brothers at Harvard University in 2001. Later on they sued and got 65 million dollars. In 2009 they started a new project (Zurker) and launched the beta version in December 2011. You can join it now and become a shareholder of this website; this share feature was added by them. Currently thousands of members are joining this website in the UK alone. It's totally free. Join today and become a shareholder now from India. Don't use a different country's IP to join, because as a beta it is limited to 7 countries only; India and US people can create their account. Facebook is worth 50 billion today but its users get 0%, so this new idea was conceived by the twins, where the users are the actual owners. For every new friend referral you will get 2 vshares, and you can join only through invitation. Click on the below link to join; you can only join through referral.
http://www.zurker.in/i-104202-hxnvwvkryh

Tuesday 8 May 2012 by My Fitness Bucket · 0

Friday 10 February 2012

List of websites which can start your freelance writing career over the internet.
Content writing is the process of posting your thoughts, blog posts or any other kind of written content on the internet through websites and messengers. There are a lot of websites on the internet that can provide you with content writing jobs, where you can put up your own content and redeem the balance.
So, today I'm giving you the names of some special websites where you can find and place web content and make more profit online with minimum time and effort.


Freelancer
Freelancer (previously GetAFreelancer) is a freelance job board offering work in IT, writing, programming, design and much more. If you have the skill for it, Freelancer can help you find a client. Freelancer is great for writers getting started, as it provides massive jobs; some require over 500 articles to be written!


oDesk
oDesk offers a wide variety of jobs which can easily be accomplished online. Although the pay isn’t always the best, the sheer amount of jobs available will always give you something to do.

ELance
eLance is one of the best and the world's leading platform for online employment; Elance helps businesses hire and manage in the cloud. You will need to register to view more details and bid on jobs, but the eLance community is very mature and bridges the gap between clients and those seeking online pay.

ArticleMe
ArticleMe is a fairly new article marketplace which allows you to write and submit articles to sell directly to clients. Unlike other websites for finding freelance writing gigs, ArticleMe puts you in control, from the subject of your content to the price you charge per article.


Constant-Content
Constant-Content is one of the premier article marketplaces for serious freelance writers to make money online. Because Constant-Content is so mature, writers can demand top dollar for their articles (charging upwards of $100 per article!). Constant-Content has a strict editorial process, but the large marketplace and demand for writing make it one of the best.

Friday 10 February 2012 by My Fitness Bucket · 0

All Rights Reserved Hacking Tricks | Blogger Template by Bloggermint