Routing, VLANs and Network Segmentation

Routing, VLANs and Network Segmentation. Nick Rowlett Technology Director – Sparta Schools Cisco Certified Network Administrator Microsoft Certified System


Routing, VLANs and Network Segmentation
Nick Rowlett
Technology Director, Sparta Schools
Cisco Certified Network Administrator
Microsoft Certified System Administrator

Speaker notes: Open Wireshark, TCPView, Chrome, cmd and GNS3 for prep.

Agenda
- Open Systems Interconnection Reference Model, aka the OSI model
- Layer 2 switching protocols: discussion and demonstration
- Layer 3 protocols: discussion and demonstration
- Layer 4: what to know!

Why would I want to segment my network?

[Diagram: four sites, HIGH SCHOOL, ELEMENTARY SCHOOL, MIDDLE SCHOOL and ADMIN BLDG.]
- Efficiency
- Security
- Administrative control
- Quality of Service (QoS)
Physical boundaries are a challenge as well as logical boundaries.

Speaker notes:
- Inter-building links may be slow links, in which case inter-switch links will not be trunks but routed links (a separate IP network with two hosts).
- Stop and spend time on each section, elaborate. Why efficient? Why administrative control?

[Diagram: vlan 1, vlan 2, TRUNK]

Speaker notes:
- First reason: logical boundaries.
- While an incorrect configuration may be completely functional on a small network, more complex networks require more efficiency to run smoothly.
- Switching design: core layer, distribution layer, access layer.
- Trunking: can restrict the VLANs allowed over a trunk; still switched (Layer 2) traffic; access port vs. trunk port.

I: The OSI Reference Model
1: Physical
2: Data Link - LLC / MAC - 00-14-22-AE-EB-B0
3: Network - IP - 172.20.64.100
4: Transport - TCP / UDP
5: Session
6: Presentation
7: Application

Transmission Medium - 01001100 / IEEE 802.x

Speaker notes:
- Transmission Medium: copper cable (UTP, STP, coax, etc.), fiber optics, radio waves.
- 1: Physical: NIC / turns
- 2: Data Link: MAC (Media Access Control) address
- 3: Network: IP
- 4: Transport: TCP/UDP
- 5: Session: synchronize and manage data transfer start and stop
- 6: Presentation: jpg, mp3, file packaging & decryption
- 7: Application
- (8th layer: the user)

I: The OSI Reference Model
7: Application
6: Presentation
5: Session
4: Transport
3: Network
2: Data Link
1: Physical
Transmission Medium
[Diagram: HUB at Layer 1, SWITCH at Layer 2, ROUTING at Layer 3, drawn against the seven layers]

Speaker notes: House analogy! Spend time and effort on the base layers (switching/routing). They won't be interchanged as much as the top layers (paint, décor).

Open Systems Interconnection model
- Layer 2: datagram
- Layer 3: Segment
- Layer 4: Packet

VLAN Segmentation
- VLAN: Virtual Local Area Network
- Collision: when two hosts try to communicate at the exact same time
- Unicast: traffic from one host to one host
- Multicast: traffic from one host to many hosts
- Broadcast: traffic sent to all hosts
- Quality of Service (QoS): guaranteed performance, low latency/errors

Speaker notes: Define a few terms.

HUB - LAYER 1
- 1 collision domain
- 1 broadcast domain

Speaker notes: (Two slides illustrate the difference between hub and switch.) A simple network: 2 PCs, 1 server, 1 hub, cabling. All endpoints wait in line to talk on the network (using the CSMA/CD algorithm); all broadcast packets go to all receivers.

CSMA/CD
Why does half-duplex (CSMA/CD) suck?

CSMA/CD in Real Life

SWITCH - LAYER 2
- 1 broadcast domain
- 3 collision domains (1 per port)

Speaker notes: (Two slides illustrate the difference between hub and switch.) A simple network: 2 PCs, 1 server, 1 switch, cabling.

LAYER 2
[Diagram: VLAN 1 and VLAN 2 on one switch]
Layer 2 network segmentation:
- What if we want to have two networks?
- Two VLANs on a single switch: two separate networks, no communication between them

Speaker notes: Describe an application that uses Layer 2 communication, e.g. the discovery CD that comes with an IP camera or consumer product.

Ethernet
- IEEE 802.3
- Transmitted in frames
- Uses MAC addresses to communicate
MAC addresses: 000e.1eca.f834 / 00-0e-1e-ca-f8-34

show mac-address-table

MAC             VLAN  PORT
000e.1eca.f834  9     Fa0/1

Speaker notes: Describe looking up MAC tables; demonstrate. Show multiple MACs connected on a single port, indicating a downstream switch. Transmitted in frames: http://en.wikipedia.org/wiki/Ethernet_frame
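The MAC-table check the speaker notes describe (several addresses learned on one port means a switch or hub hangs off it) can be automated. This is an added example, not code from the deck or from Cisco; the `show mac address-table` text it parses is constructed to look like IOS output, and the MAC values in it, other than the one on the slide, are made up. It also shows that the dotted Cisco form and the dashed Windows form on the slide are the same address once normalized.

```python
"""Parse 'show mac address-table' style output and flag ports that learned
more than one MAC, which usually indicates a downstream switch or hub.

Added example; SAMPLE_MAC_TABLE is constructed and is not output from any real switch."""
import re
from collections import defaultdict

# Constructed sample in Cisco IOS layout (VLAN, MAC, type, port).
SAMPLE_MAC_TABLE = """\
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   9    000e.1eca.f834    DYNAMIC     Fa0/1
   9    0011.2233.4455    DYNAMIC     Fa0/2
   9    0011.2233.4466    DYNAMIC     Fa0/2
  20    0011.2233.4477    DYNAMIC     Fa0/2
   9    00aa.bbcc.dd01    STATIC      Fa0/3
Total Mac Addresses for this criterion: 5
"""


def normalize_mac(mac: str) -> str:
    """Accept Cisco dotted (000e.1eca.f834), Windows dashed (00-0e-1e-ca-f8-34)
    or colon (00:0e:1e:ca:f8:34) notation and return lowercase colon form."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


# One table row: vlan, dotted MAC, type, port. Header/footer lines do not match.
ENTRY_RE = re.compile(
    r"^\s*(\d+)\s+([0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4})\s+(\w+)\s+(\S+)\s*$")


def parse_mac_table(text: str) -> list[dict]:
    """Return one dict per learned address, in table order."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            vlan, mac, kind, port = m.groups()
            entries.append({"vlan": int(vlan), "mac": normalize_mac(mac),
                            "type": kind, "port": port})
    return entries


def ports_with_multiple_macs(entries: list[dict]) -> dict[str, list[str]]:
    """Map each port that learned more than one MAC to the MACs seen there.
    An access port facing a single PC learns one address; several addresses,
    often across VLANs, point at a downstream switch or hub on that port."""
    by_port: dict[str, list[str]] = defaultdict(list)
    for e in entries:
        by_port[e["port"]].append(e["mac"])
    return {port: macs for port, macs in by_port.items() if len(macs) > 1}


if __name__ == "__main__":
    table = parse_mac_table(SAMPLE_MAC_TABLE)
    for port, macs in ports_with_multiple_macs(table).items():
        print(f"{port}: {len(macs)} MACs learned, likely a downstream switch: {macs}")
```

Run against the constructed table, the script reports only Fa0/2, where three addresses (two in VLAN 9 and one in VLAN 20) were learned behind a single port.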

Unicast / Broadcast
FF:FF:FF:FF:FF:FF
Layer 2: how does a device talk to everyone on Layer 2?

Speaker notes: Illustrate a packet coming into the PC, then being blasted out of all ports (except the receiving port).

Layer 2 protocols
- Spanning Tree: STP, RSTP, PVST, PVST+, MSTP, R-PVST
- Link Aggregation: LACP, proprietary

Spanning Tree
Bridge Protocol Data Units (BPDU)

Spanning Tree: port states
- Blocking
- Listening
- Learning
- Forwarding
- Disabled

Normal operation:
- Blocking: a port that would cause a switching loop. No user data is sent or received, but it may go into forwarding mode if the other links in use were to fail and the spanning tree algorithm determines the port may transition to the forwarding state. BPDU data is still received in the blocking state. Prevents the use of looped paths.
- Listening: the switch processes BPDUs and awaits possible new information that would cause it to return to the blocking state. It does not populate the MAC address table, but it does forward frames.
- Learning: while the port does not yet forward frames, it does learn source addresses from frames received and adds them to the filtering database (switching database). It populates the MAC address table but does not forward frames.
- Forwarding: a port receiving and sending data; normal operation. STP still monitors incoming BPDUs that would indicate it should return to the blocking state to prevent a loop.
- Disabled: not strictly part of STP; a network administrator can manually disable a port.

[Diagram: "Broadcast!" repeated on every link]

Speaker notes: Broadcast storm anecdote; troll user plugs a crossover cable into a non-STP network. LOLarity ensues.

Spanning Tree: Topology Change Notification
[Diagram: TCN sent toward the root bridge, ACK returned, then broadcasts resume]

Speaker notes: During normal operation, a port going up or down sends a change notification to the root bridge. The root bridge sends acceptance, then notifies the rest of the spanning tree participants. This is why you want to segment your STP operations, so that change notifications don't have to encompass a large number of devices.

Spanning Tree: PortFast (or similar)
- Configure on KNOWN endpoint ports
- Eliminates convergence time to the forwarding state
- Convergence time 30 to 50 seconds, depending

DHCP (Anthropomorphized)
"Can I get an IP address? Anyone?"
"Yo, I can give you 192.168.1.1."
"Sounds good, I'll use it."
"OK!"

ARP
Address Resolution Protocol, between Layers 2 and 3
Windows: arp -a

  Internet Address      Physical Address      Type
  10.202.60.1           00-24-b5-da-ac-83     dynamic
  10.202.61.255         ff-ff-ff-ff-ff-ff     static

Switches: show arp

Speaker notes: arp -a on laptop.

Layer 3 protocols
- IPv4
- IPv6
- IPSec
- Route sharing protocols: RIP, OSPF, EIGRP
- ICMP (ping)

Speaker notes: Emphasize ping as a first-line troubleshooting tool if network problems are suspected.

IP Address (v4)
Host:         192.168.1.1
Subnet Mask:  255.255.255.0 (/24)
Broadcast:    192.168.1.255 / 255.255.255.255
Network:      192.168.1.0
Gateway:      192.168.1.254

IP Subnetting
192.168.1.1
Bit values: 1 2 4 8 16 32 64 128
Host:         11000000.10101000.00000001.00000001
Subnet Mask:  11111111.11111111.11111111.00000000
              (255)    (255)    (255)    (0)

Speaker notes: Subnet illustration in binary. Go to http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a0080093f33.shtml to review the table of subnets; continual division by 2.

Routing
- Gateway of Last Resort: 0.0.0.0 via 172.20.0.254
- Directly connected: 172.20.16.0/24 is directly connected, Vlan20
- Static Route: 192.168.7.0/24 via 172.20.0.1
Information collected into a route table.

Speaker notes: Also mention protocol-based routing (RIP, OSPF, EIGRP, etc.). The route table looks the same as static; you can tell the difference using the code (R, S, E, etc.). Routers compare routing tables and pass routes to each other.
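The two slides above (subnetting in binary, then the route table) are one mechanism: the mask decides which bits form the network, and the router picks the entry whose network bits match the destination over the longest mask, falling back to 0.0.0.0/0 (the gateway of last resort) only when nothing more specific fits. The following is an added example, not from the deck: it uses the slide's host and mask and the slide's three routes, plus one constructed RIP-learned route (code R) to show the speaker-notes point that a learned route is stored like a static one and differs only by its code.

```python
"""Subnetting in binary and longest-prefix route lookup.

Added example for the IP Subnetting and Routing slides. ROUTE_TABLE mirrors the
slide (connected, static, gateway of last resort); the 'R' entry is constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


def to_binary(addr: str) -> str:
    """Dotted decimal to dotted binary, e.g. 192.168.1.1 -> 11000000.10101000.00000001.00000001"""
    return ".".join(f"{int(octet):08b}" for octet in addr.split("."))


def subnet_facts(host: str, mask: str) -> dict:
    """Network, broadcast and usable host count for a host/mask pair: the host
    bits ANDed with the mask bits give the network, as the slide walks through."""
    iface = ipaddress.IPv4Interface(f"{host}/{mask}")
    net = iface.network
    return {
        "host_bin": to_binary(host),
        "mask_bin": to_binary(mask),
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "prefix": net.prefixlen,
        "usable_hosts": max(net.num_addresses - 2, 0),
    }


@dataclass(frozen=True)
class Route:
    code: str                  # C connected, S static, R RIP, S* candidate default
    prefix: ipaddress.IPv4Network
    via: Optional[str]         # next-hop address; None when directly connected
    interface: Optional[str]   # egress interface, known for connected routes


ROUTE_TABLE = [
    Route("C", ipaddress.IPv4Network("172.20.16.0/24"), None, "Vlan20"),
    Route("S", ipaddress.IPv4Network("192.168.7.0/24"), "172.20.0.1", None),
    Route("R", ipaddress.IPv4Network("192.168.8.0/24"), "172.20.0.1", None),    # constructed
    Route("S*", ipaddress.IPv4Network("0.0.0.0/0"), "172.20.0.254", None),     # gateway of last resort
]


def lookup(dest: str, table=ROUTE_TABLE) -> Route:
    """Longest-prefix match. 0.0.0.0/0 contains every address, so it wins only
    when no more specific route exists. Without a default, an unmatched
    destination is unroutable and raises LookupError."""
    addr = ipaddress.IPv4Address(dest)
    candidates = [r for r in table if addr in r.prefix]
    if not candidates:
        raise LookupError(f"no route to {dest}")
    return max(candidates, key=lambda r: r.prefix.prefixlen)


def next_hop(dest: str, table=ROUTE_TABLE) -> str:
    """Forwarding decision phrased the way the slide prints routes."""
    r = lookup(dest, table)
    if r.via is None:
        return f"{dest} is directly connected, {r.interface}"
    return f"{dest} via {r.via} ({r.code})"


if __name__ == "__main__":
    facts = subnet_facts("192.168.1.1", "255.255.255.0")
    print(facts["host_bin"], "host")
    print(facts["mask_bin"], "mask")
    print(facts["network"], facts["broadcast"], facts["usable_hosts"], "usable hosts")
    for d in ("172.20.16.5", "192.168.7.9", "192.168.8.1", "8.8.8.8"):
        print(next_hop(d))
```

The same `subnet_facts` call with mask 255.255.255.252 gives the two usable addresses of the /30 routed links used later in the school-district slides.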

LAYER 3
[Diagram: VLAN 1 hosts 192.168.1.2 and 192.168.1.3; VLAN 2 hosts 10.10.10.2 and 10.10.10.3; one BROADCAST cloud per VLAN]
Layer 3 network segmentation: correct example

Speaker notes:
- Assuming a Class C subnet /24 (255.255.255.0) for demonstration purposes.
- Two broadcast domains.
- No communication between VLANs (yet).
- Slide demonstrates that the computers are communicating on Layer 3 (IP) while the switch only understands the Layer 2 communication.

LAYER 3 routing
[Diagram: as above, with VLAN 1 interface 192.168.1.1 and VLAN 2 interface 10.10.10.1 on the switch]
Layer 3 network segmentation: add a VLAN interface IP

Speaker notes:
- Adding an IP address to the VLAN interface allows the switch to communicate on Layer 3, effectively turning it into a router.
- This is why Layer 3 switches can be thought of as switch/routers.
- Hosts on each network use the VLAN interface address as the default gateway; then hosts can communicate with each other.
- Security: access lists can be installed to control or restrict communication between routed networks.
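Once the switch routes between VLAN interfaces, the access list mentioned in the last note is what keeps the segmentation meaningful. The following is an added example, not the deck's or Cisco's code: it models how a Cisco-style access list is evaluated (entries checked in order, first match wins, implicit deny when nothing matches) for traffic entering a VLAN interface. The subnets 192.168.1.0/24 and 10.10.10.0/24 follow this slide; the guest subnet 172.16.0.0/24, the print server address and the permitted ports are constructed, matching the guest VLAN 3 of the wireless example later in the deck.

```python
"""Ordered inter-VLAN access list with implicit deny.

Added example, not from the deck. Models the evaluation rule of a Cisco-style ACL
applied to routed traffic; subnets other than the slide's two are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str                   # "permit" or "deny"
    proto: str                    # "ip" (any), "tcp", "udp", "icmp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None   # destination port for tcp/udp; None = any
    remark: str = ""


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None


def net(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.IPv4Network(cidr)


def matches(rule: Rule, pkt: Packet) -> bool:
    """An entry matches when protocol, source, destination and (if set) port all match."""
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if ipaddress.IPv4Address(pkt.src) not in rule.src:
        return False
    if ipaddress.IPv4Address(pkt.dst) not in rule.dst:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    return True


def evaluate(acl: list[Rule], pkt: Packet) -> tuple[str, str]:
    """First matching entry decides; a packet matching no entry is denied."""
    for rule in acl:
        if matches(rule, pkt):
            return rule.action, rule.remark
    return "deny", "implicit deny at end of access list"


ANY = net("0.0.0.0/0")
DATA_VLAN1 = net("192.168.1.0/24")      # from the slide
SERVERS_VLAN2 = net("10.10.10.0/24")    # from the slide
GUEST_VLAN3 = net("172.16.0.0/24")      # constructed guest subnet
PRINT_SERVER = net("10.10.10.3/32")     # constructed: one host guests may reach

# Applied inbound on the guest VLAN interface: guests get DNS from their gateway,
# printing on one server, and the internet; both internal VLANs are blocked.
# Order matters: specific permits sit above the broad denies.
GUEST_IN = [
    Rule("permit", "udp", GUEST_VLAN3, net("172.16.0.1/32"), 53, "DNS to the guest gateway"),
    Rule("permit", "tcp", GUEST_VLAN3, PRINT_SERVER, 631, "IPP printing only"),
    Rule("deny",   "ip",  GUEST_VLAN3, DATA_VLAN1, None, "no guest to staff data VLAN"),
    Rule("deny",   "ip",  GUEST_VLAN3, SERVERS_VLAN2, None, "no guest to server VLAN"),
    Rule("permit", "ip",  GUEST_VLAN3, ANY, None, "everything else goes to the router/internet"),
]

if __name__ == "__main__":
    for p in (Packet("tcp", "172.16.0.20", "10.10.10.3", 631),
              Packet("tcp", "172.16.0.20", "10.10.10.2", 445),
              Packet("tcp", "172.16.0.20", "192.168.1.2", 80),
              Packet("tcp", "172.16.0.20", "203.0.113.10", 443)):
        print(p, "->", evaluate(GUEST_IN, p))
```

Note that the final entry permits only traffic sourced from the guest subnet; anything else entering that interface (a spoofed staff address, for instance) falls through to the implicit deny, which is why a list applied inbound on the VLAN interface should be scoped to that VLAN's own prefix.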

Bad Layer 3
[Diagram: hosts 192.168.1.2, 192.168.1.3, 10.10.10.2 and 10.10.10.3 all in VLAN 1, one BROADCAST cloud]
Layer 3 network segmentation: incorrect example

Speaker notes:
- Default config: VLAN 1 (no VLANs configured).
- Assuming a Class C subnet /24 (255.255.255.0) for demonstration purposes.
- Still a single broadcast domain.
- May seem like there are two networks, since Layer 3 communication only happens between hosts on the same subnet.
- Security issues, latency.
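The difference between the correct and the incorrect slide is easy to lose in a diagram, so here it is as a small model. This is an added example, not from the deck: hosts carry a VLAN and an IP interface, a Layer 2 broadcast reaches every host in the sender's VLAN whatever its subnet, and direct IP communication needs both the same VLAN and the same subnet. The host names are constructed; the addresses are the slide's.

```python
"""Broadcast-domain model for the correct and incorrect Layer 3 slides.

Added example, not from the deck. Two subnets in one VLAN still form a single
broadcast domain: every host hears every ARP and DHCP broadcast."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Host:
    name: str
    vlan: int
    iface: ipaddress.IPv4Interface   # address with mask, e.g. 192.168.1.2/24


def host(name: str, vlan: int, cidr: str) -> Host:
    return Host(name, vlan, ipaddress.IPv4Interface(cidr))


def broadcast_receivers(sender: Host, hosts: list[Host]) -> set[str]:
    """A Layer 2 broadcast (FF:FF:FF:FF:FF:FF) is flooded to every other port in
    the sender's VLAN; the switch does not look at IP subnets."""
    return {h.name for h in hosts if h is not sender and h.vlan == sender.vlan}


def can_talk_directly(a: Host, b: Host) -> bool:
    """Direct IP communication needs the same VLAN (frames must arrive) and the
    same subnet (otherwise the sender hands the packet to its gateway)."""
    return a.vlan == b.vlan and a.iface.network == b.iface.network


def broadcast_domains(hosts: list[Host]) -> dict[int, set[str]]:
    """Each VLAN is one broadcast domain."""
    domains: dict[int, set[str]] = {}
    for h in hosts:
        domains.setdefault(h.vlan, set()).add(h.name)
    return domains


def leaked_broadcasts(hosts: list[Host]) -> set[str]:
    """Hosts on a different subnet than the first host that still hear its broadcasts.
    Empty for a properly segmented network."""
    sender = hosts[0]
    return {h.name for h in hosts
            if h.name in broadcast_receivers(sender, hosts)
            and h.iface.network != sender.iface.network}


# Correct example: two VLANs, two subnets (host names constructed).
CORRECT = [
    host("pc-a", 1, "192.168.1.2/24"), host("pc-b", 1, "192.168.1.3/24"),
    host("pc-c", 2, "10.10.10.2/24"),  host("pc-d", 2, "10.10.10.3/24"),
]
# Incorrect example: default VLAN 1 everywhere, two subnets sharing it.
INCORRECT = [
    host("pc-a", 1, "192.168.1.2/24"), host("pc-b", 1, "192.168.1.3/24"),
    host("pc-c", 1, "10.10.10.2/24"),  host("pc-d", 1, "10.10.10.3/24"),
]

if __name__ == "__main__":
    for label, network in (("correct", CORRECT), ("incorrect", INCORRECT)):
        print(label, "broadcast domains:", broadcast_domains(network))
        print(label, "other-subnet hosts hearing pc-a's broadcasts:", leaked_broadcasts(network))
        print(label, "pc-a can talk directly to pc-c:", can_talk_directly(network[0], network[2]))
```

In both layouts pc-a cannot talk to pc-c directly (different subnets, no gateway yet), which is why the incorrect layout looks like two networks; the leak check shows that in the single-VLAN layout pc-c and pc-d nevertheless receive everything pc-a broadcasts.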

Example: VoIP implementation
[Diagram: INTERNET; data devices 10.10.10.2 and 10.10.10.5 on VLAN 1 (VLAN 1: 10.10.10.1); phone 10.10.20.17 and IP PBX 10.10.20.2 on VLAN 2 (VLAN 2: 10.10.20.2); VOICE CIRCUIT to the PBX; TRUNK carrying VLANs 1, 2; QoS: prefer VLAN 2]

Speaker notes:
- Need for echo- and error-free communication.
- Data devices on VLAN 1.
- Voice devices on VLAN 2.
- Quality of Service applied so that voice traffic is preferred: assured data delivery so that call quality can be guaranteed.

Example: Basic school district
[Diagram: HIGH SCHOOL, ELEMENTARY SCHOOL, MIDDLE SCHOOL, ADMIN BLDG.]
Layer 2/Layer 3 segmentation by location

ADMINISTRATION BUILDING:
NETWORK: 192.168.1.0/24
VLAN 101 ADMIN_VLAN
VLAN 101 IP: 192.168.1.1

Speaker notes: Stress for demo purposes: only 255 IPs. One DHCP server (AD site or NDS partition).

MIDDLE SCHOOL:
NETWORK: 192.168.2.0/24
VLAN 201 MS_VLAN
VLAN 201 IP: 192.168.2.1

Speaker notes: One DHCP server (AD site or NDS partition).

ELEMENTARY SCHOOL:
NETWORK: 192.168.3.0/24
VLAN 301 ES_VLAN
VLAN 301 IP: 192.168.3.1

Speaker notes: One DHCP server (AD site or NDS partition).

HIGH SCHOOL:
NETWORK: 192.168.4.0/24
VLAN 401 HS_VLAN
VLAN 401 IP: 192.168.4.1

Speaker notes: One DHCP server (AD site or NDS partition).

Routed links
[Diagram: the four building networks 192.168.1.0/24, 192.168.2.0/24, 192.168.3.0/24 and 192.168.4.0/24 joined by /30 links: 10.1.1.1/30 to 10.1.1.2/30, 10.1.2.1/30 to 10.1.2.2/30, 10.1.3.1/30 to 10.1.3.2/30]
Routed link: switch port on each side in access mode, either assigned an IP address on the port, or assigned to a VLAN with the labeled address.

LAYER 2 TRUNK vs. LAYER 3 ROUTED
[Diagram: the same four networks, one inter-building link labeled LAYER 2 TRUNK and one labeled LAYER 3 ROUTED]

Speaker notes: Illustrate the difference between a routed link and a Layer 2 VLAN trunk. Layer 2 switching vs. Layer 3 routing. Boundaries can appear administrative, but have greater effect when the link is slow.

Example: Wireless implementation
[Diagram: VLAN 1 hosts 10.10.10.2, 10.10.10.3 and 10.10.10.4 with VLAN 1 interface 10.10.10.1; VLAN 2 hosts 192.168.1.2 and 192.168.1.3 with VLAN 2 interface 192.168.1.1; VLAN 3 (guest) with interface 172.16.0.1; TRUNK carrying VLAN1 and VLAN2 to the access point; INTERNET]

Speaker notes:
- VLAN 1 standard network, has internet connection.
- Hosts on VLAN 1 are configured with the VLAN 1 interface (.1) as default gateway.
- Switch is configured with the router IP as default gateway.
- Can now add a new network, VLAN 2.
- Hosts on VLAN 2 use 192.168.1.1 as default gateway.
- Wireless access point (Cisco, et al.) can now use a trunk to serve both VLANs.
- Access lists can be implemented on the switch to prevent certain traffic between VLANs.

I: The OSI Reference Model
7: Application
6: Presentation
5: Session
4: Transport
3: Network
2: Data Link
1: Physical
Transmission Medium

[Diagram: HUB at Layer 1, SWITCH at Layer 2, ROUTING at Layer 3, drawn against the seven layers]

Speaker notes: OSI revisited. House analogy!

Open Systems Interconnection model
- Layer 2: datagram
- Layer 3: Segment
- Layer 4: Packet

Questions?