{"id":190,"date":"2011-11-22T23:24:29","date_gmt":"2011-11-22T23:24:29","guid":{"rendered":"http:\/\/microsoftgeek.com\/?p=190"},"modified":"2018-09-06T23:11:39","modified_gmt":"2018-09-06T23:11:39","slug":"vlan-how-to-segmenting-a-small-lan","status":"publish","type":"post","link":"https:\/\/microsoftgeek.com\/?p=190","title":{"rendered":"VLAN How To: Segmenting a small LAN"},"content":{"rendered":"

Introduction<\/h3>\n

What is a VLAN? Is it some sort of highly expensive technology or virtual reality? Not at all. VLANs are relatively simple, yet they offer a wide variety of options and capabilities to improve your network.<\/p>\n

VLAN, or Virtual LAN, is a technology that enables dividing a physical network into logical segments at Layer 2. Functionally, VLANs enable a network administrator to partition a network into separate, independent networks. There are many reasons to separate a network into VLANs, and numerous options to consider.<\/p>\n

While a useful technology for small LANS, VLANs are often deployed in large networks, too. In larger networks, VLANs are sometimes used to join physically separate LANs or LAN segments into a single logical LAN.<\/p>\n

The goal of this article is to explain and discuss VLANs, including why you should consider using VLANs in a smaller network. I’ll also walk through a configuration example showing how to configure a VLAN-aware switch to create separate LAN segments.<\/p>\n

VLANs and Switches<\/h3>\n

If you have more than one device on your network, you probably have a switch. A switch is a simple device that operates at Layer 2 of the OSI model<\/a>, forwarding data frames from one device to another based on their hardware or MAC (Media Access Control) address. The basic Layer 2 switch does not care or know about IP addresses, which operate at Layer 3.<\/p>\n

Your switch may be a few ports built into your router, it may be a small unmanaged (non-configurable) switch such as the D-Link DGS-2205 shown in Figure 1. Or you may have a more advanced switch with VLAN capability, possibly referred to as a managed, “smart” or multilayer switch. Larger networks usually have multiple switches at numerous locations.<\/p>\n

\"D-Link<\/p>\n

Figure 1: D-Link switch without VLAN capability<\/h6>\n

As stated, switches pass data from one device to another based on their MAC addresses. The key question is, how does the switch know which MAC address is located on which port?<\/p>\n

Even the simplest switch has a “learning ability” to read the MAC address of the devices connected, and store those MAC addresses in a table in memory. Switches “learn” by examining the source MAC address of every frame received. New MAC addresses learned on received frames are added to a table, creating in the switch’s memory a mapping of MAC addresses to switch ports.<\/p>\n

Broadcasts<\/h3>\n

VLANs become important when you consider broadcasts. Broadcasts are frames sent to all devices on a switch, and in many cases, a normal and frequent function. A broadcast domain is the set of all devices that receive a broadcast. Small LANs are typically equivalent to a single broadcast domain.<\/p>\n

Devices on a network generate significant broadcast traffic. Broadcasts normally occur when a device is trying to send data to another device, but doesn’t know the MAC address of the destination device. A PC that knows the destination IP, but not the MAC associated with that IP, will send a broadcast. This type of broadcast is an ARP<\/a> (Address Resolution Protocol) broadcast.<\/p>\n

Devices, such as PCs, will build and maintain a listing of IP addresses to MAC addresses in what is known as the ARP cache. The ARP cache is temporary, can be overwritten, and is rebuilt every time the PC is powered on. In addition, entries expire after two minutes on Windows XP and 2000 PCs.<\/p>\n

In a Windows PC, you can see the ARP cache by typing arp -a<\/strong> at the command line. In Figure 2, you can see the ARP cache of my PC, as learned from its network interface.<\/p>\n

\"arp<\/p>\n

Figure 2: arp -a command showing ARP cache<\/h6>\n

Another example of broadcasts generated by PCs is DHCP<\/strong> (Dynamic Host Configuration Protocol) requests. PCs will send DHCP broadcast requests when they’re turned on to acquire an IP address, unless their IP has been statically configured.<\/p>\n

Another source of broadcasts are switches themselves. When a frame enters a switch destined for a MAC address that the switch hasn’t learned\u2014and that thus isn’t in the switch’s MAC table\u2014the switch will broadcast that frame to all devices except the one that sent it, looking for a response.<\/p>\n

The device with the desired MAC will respond to this broadcast. The switch will then update its MAC table with what it learned from the port on which the response frame was received. Like a PC, the MAC table of a switch is usually stored in temporary memory, and will be rebuilt every time the switch is powered on.<\/p>\n

IP multicasts<\/strong> are yet another source of broadcasts. Video can be sent over IP multicasts, which can consume tremendous amounts of bandwidth. For this reason, IP multicasting is frequently disabled in large networks and in most consumer routers by default.<\/p>\n

Broadcasts can eat up considerable bandwidth on your LAN and they also use processing power. Every device in the LAN receives broadcasts and must read and determine whether or not to respond to each broadcast. As the number of devices in your LAN grows, so will the volume of broadcast traffic.<\/p>\n

This is where VLANs become valuable\u2014to break up broadcast domains. Broadcasts are propagated within a VLAN, but not between VLANs. By segmenting a network into VLANs, you will increase usable network bandwidth, resources, and performance through the reduction of broadcast traffic.<\/p>\n

Routers<\/h3>\n

Routers also break up broadcast domains. Routers operate at Layer 3, forwarding packets based on IP addresses, not MAC addresses. A router will receive a frame on its Ethernet interface, strip off the MAC address, and make a routing decision based on the originating and destination IP addresses.<\/p>\n

Routing is an integral part of any network that contains multiple subnets and can play a key part in VLANs. VLANs can be configured on separate subnets, requiring a router to provide access to common services required by each VLAN.<\/p>\n

For example, a network connected to the Internet usually employs a gateway router, which is probably also providing DHCP and NAT (Network Address Translation) services. If VLANs are created on different subnets, then the gateway, or another router will need to provide those services to each VLAN. In larger LANs, inter-subnet routing and VLAN segmentation is often handled by Layer 3 (sometimes called “multilayer”) switches.<\/p>\n

VLANs can also be configured to share a single subnet, yet isolate various LAN members from each other. I’m going with the single subnet approach here, using the SRW as my Layer 2 managed switch and a Linksys RV042 router (Figure 3) for Internet access, DHCP, and NAT.<\/p>\n

\"Linksys<\/p>\n

Figure 3: The Linksys RV042 router<\/h6>\n

How To<\/h3>\n

Now that you understand VLAN basics, let’s get to the fun part! I’ll be showing you how to segment a single-subnet LAN into multiple private segments.This basic application of VLANs is handy for adding an extra measure of security to clients or servers that contain confidential information. It can also be used in multi-tenant applications, to share a single Internet connection, yet allow each tenant to share files and printers without worrying about the others. I’m sure you can think of other applications.<\/p>\n

I’ll be using a Linksys SRW2008<\/strong> (Figure 4), an eight port 10\/100\/1000 switch with a nice web utility for configuration. The SRW is a Layer 2 switch with a large number of features, including VLAN support.<\/p>\n

\"Linksys<\/p>\n

Figure 4: The Linksys SRW2008 switch<\/h6>\n

The basic steps in configuring a VLAN are:<\/p>\n

    \n
  1. Plan your network.<\/li>\n
  2. Create the VLANs.<\/li>\n
  3. Associate switch ports with the VLANs.<\/li>\n
  4. Test VLAN connectivity.<\/li>\n
  5. Implement security measures as appropriate.<\/li>\n<\/ol>\n

    Planning<\/h3>\n

    The most important part of VLAN implementation, even in a small network, is planning. You need to review your devices and decide which ones should go in which VLAN. A network administrator must consider the components, functions, and traffic types of all the elements of the network when planning VLANs.<\/p>\n

    The network components connected to the eight port SRW switch I’m using for this VLAN example are a LAN port from the RV042 router on port 1, a WiFi router on port 2, a Windows Server on port 3, a NAS on port 4, a printer on port 5, a Linux VoIP Server on port 6, a VoIP ATA on port 7, and a laptop computer on port 8. Figure 5 is a simple diagram of the “Before LAN.”<\/p>\n

    \"Before<\/p>\n

    Figure 5: The network before dividing into VLANs<\/h6>\n

    None of these components are “VLAN-aware,” meaning they will send all frames to the switch “UnTagged.” VLAN-aware devices, such as VLAN-enabled switches, as well as advanced network interface cards, can specify VLAN information by “Tagging” a frame with a VLAN number. This is an important factor when it comes to multi-switch configurations.<\/p>\n

    A common VLAN best practice is to place all VoIP devices in their own VLAN to prevents data traffic from interfering with time-sensitive voice traffic. So we have:<\/p>\n

    – a VLAN for the Data<\/strong> devices
    \n– a VLAN for the VoIP<\/strong> devices<\/p>\n

    But I also need both<\/em> Data and VoIP devices to have Internet access. So I’ll need:<\/p>\n

    – a VLAN to enable Internet access<\/strong> for both VLANs<\/p>\n

    This ability to allow ports to access multiple VLANs comes in very handy and is key to our example.<\/p>\n

    I’m also going to configure the Laptop<\/strong> switch port for access to all<\/em> VLANs and the management functions of the SRW. The SRW switch itself is also a member of the LAN, and has its own IP address. It is important to remember this device and include it in a VLAN to retain access to the switch’s management utility. More on this later.<\/p>\n

    Mapping your network is a big part of the planning. The SRW allows for naming the devices on each port, which is time well spent for the future date when you’re troubleshooting. I took a few minutes and wrote down which devices in my LAN were going to be plugged into which physical port on the switch. I then configured the SRW with a recognizable name for each port in the Description<\/strong> field of the Port Management<\/strong> menu (Figure 6), making it easier to see what was where.<\/p>\n

    \"Port
    \n\"Click<\/a><\/p>\n

    Figure 6: Naming the ports<\/h6>\n

    Create VLANs<\/h3>\n

    With my planning complete, it’s time to create the VLANs. Creating VLANs in the SRW is simply a matter of clicking the “Create VLAN” menu and numbering and naming your VLANs. I’m splitting Voice and Data<\/a> on this network, yet I’m going to create three VLANs so I can name and fully manage all VLANs in use.<\/p>\n

    Figure 7 shows my created VLANs (2,3,4). Note that VLAN1 already existed in the SRW’s default configuration; this is the VLAN of the management interface of the SRW.<\/p>\n

    \"Created
    \n\"Click<\/a><\/p>\n

    Figure 7: Created VLANs named appropriately<\/h6>\n

    Map Ports<\/h3>\n

    The next step is to map the physical switch ports to the appropriate VLANs. This is a multistep process, and involves a couple of terms specific to the SRW. The Linksys SRW has several port types for VLANs: Access<\/strong>, General<\/strong>, and Trunk<\/strong>. Other switches may use different terminology, so I’ll describe what these terms mean.<\/p>\n

    Linksys defines Access and Trunk ports similar to Cisco’s definitions\u2014which makes sense, as Linksys is a division of Cisco. An Access<\/strong> port is one that belongs to a single VLAN. Frames received on ports configured as Access cannot be modified, and more advanced VLAN port features such as filtering are disabled.<\/p>\n

    A Trunk<\/strong> port is defined by Linksys as belonging to multiple VLANs in which all ports are “Tagged” with a VLAN ID. Two or more VLAN capable switches can be configured with VLANs, connected together with trunks, and the frames passed between them Tagged by the sending switch to identify the destination VLAN.<\/p>\n

    I’m using Linksys’ port type of General<\/strong>, which allows a port to be a member of multiple VLANs, and have the option of Tagging. I’m going to use the UnTagged option for all VLANs in this example.<\/p>\n

    Changing a port’s type on the SRW is done in the Port Setting menu (Figure 8), and there is a simple drop down selector for each port. I changed all eight ports to a Mode of General, and clicked Save.<\/p>\n

    \"General<\/p>\n

    Figure 8: Selecting the General port mode<\/h6>\n

    Now that the VLANs are created, and we’ve configured the ports to allow membership to multiple VLANs, we can assign ports to VLANs. The end result (summarized in Table 1) I want is:<\/p>\n