Tutorial – VLANS, what they are and how they work
ORIGINALLY POSTED BY NOKIA FOR THETAZZONE/TAZFORUM HERE
Do not use, republish, in whole or in part, without the consent of the Author. TheTAZZone policy is that Authors retain the rights to the work they submit and/or post…we do not sell, publish, transmit, or have the right to give permission for such…TheTAZZone merely retains the right to use, retain, and publish submitted work within it’s Network
A switched network that is logically segmented on an organizational basis, by functions, project teams, or applications rather than on a physical or geographical basis.
What this is saying is that a VLAN is not defined by any physical restrains or needs, it can span an entire country or can be in the same floor in an office. VLANs are formed for administrative purposes and not geographical purposes.
So what are they?
Well, in a nut shell a VLAN is a LAN that functions separately from the physical LAN it is located in.
Take this following example:
You have an office in London and an office in Manchester and you need to put a small network in place between both of them.
You find out there is already a Fibre Optic network linking the two of them up but this network needs to be completely separate from yours.
Do you buy your own fibre, routers, firewalls, switches etc and have a completely separate network? …..You could but it’s not a very cost effective solution for a small network.
What about ‘piggy backing’ on the existing network? It would cut cost’s down considerably and would make use of a network that is already in place and working perfectly. However you have been told the networks must remain separate from start to finish and not interfere with each other in anyway.
The simple solution is to designate a port on each switch to a VLAN – say VLAN 30 in this case.
Say your new network is a 192.168.200.0 network and the existing network is a 10.0.0.0 network. You speak to the network engineer who runs the existing one and ask him very nicely, whilst placing a crate of Fosters on his desk, if he can put a port on each switch in to VLAN 30.
Obviously he agrees and drops everything to do this for you.
Now in essence, there is as good as two different networks linking the two buildings together but in reality there is only one ‘set’ of hardware in place. The 10.0.0.0 network is completely separate from the 192.168.200.0 network as far a routing is concerned; they just share the same switches is all.
Or a smaller problem maybe you have different departments in your office that need to be segregated from each other. Say a finance dept and a sales dept.
The finance department deals with sensitive data that should not be seen by anyone in other dept’s. One way to get around this problem is to place the finance department in to their own VLAN. That way anyone not in this VLAN will not be able to have access to it without first going through a router – on the router you place Access Control Lists (ACL’s) to restrict who can use this VLAN and who can’t.
“In switched networks, routers perform broadcast management, route processing and distribution, and provide communications between VLANs. Routers provide VLAN access to shared resources and connect to other parts of the network that are either logically segmented with the more traditional subnet approach or require access to remote sites across wide-area links.”
Before switches the only way to have this functionality was with routers using different interfaces for different networks, now we can use ports on a switch to virtually place it in a different network!
Hopefully by now you get the gist of why we have VLANS, so now let’s take a look at how they work!
How VLANs Operate
So we know that we can assign a switch port in to a VLAN and this will keep all the data separate from other VLANS but how does this work?
This works by what is called VLAN Frame Tagging.
As we all know, once data has got to Layer 2 on the OSI Model it is known as a frame – switches live at layer two and switch frames – VLANs are defined at layer 2 on a switch – so Frames are what get routed by switches and what we need to route between VLANs.
To accomplish this fames are tagged with a ‘tag’ or a VLAN ID (VID, vID, V-id) This VLAN ID allows any switch that is may pass through to make the correct decision about which port to forward it out of.
So our frame gets tagged with the VLAN 30 ID as soon as it arrives at the first switch in the VLAN in, say, London.
That switch than takes a look to what port is in VLAN 30, if any. If there are no ports in VLAN 30 the frame is dropped. If there are frames in VLAN 30, the usual MAC address process takes place and the frame is forwarded out of the correct port accordingly, as long as the port is in VLAN 30. Notice this was done on a MAC level basis, which is why we can switch different IP addresses from different networks without the aid of a router.
From a Cisco point on view:
“The VLAN ID allows VLAN switches and routers to selectively forward packets to ports with the same VLAN ID. The switch that receives the frame from the source station inserts the VLAN ID and the packet is switched onto the shared backbone network. When the frame exits the switched LAN, a switch strips header and forwards the frame to interfaces that match the VLAN colour. If you are using a Cisco network management product such as VlanDirector, you can actually colour code the VLANs and monitor VLAN graphically.”
So this is how switches keep track of the frames, what VLAN they belong to and why they can switch packets from different networks.
If a frame arrives for a VLAN that has not been configured it is dropped. If a frame arrives for a VLAN that is configured it is only sent out of a port that is in the matching VLAN as what is in the header of the frame.
A port can be configured to allow only frames with a VLAN ID tag, frames with no VLAN ID tag or both. If a frame is received that is not what the port has been configured for, it is simply dropped.
A switch port can be statically assigned to a VLAN therefore no matter what is plugged in to the port it will always be in the relevant VLAN. This is known as a Static VLAN and is beneficial in a properly administered network where moves are properly planned and conducted.
Or you can populate a MAC table on a switch and tell it which MAC address belongs to which VLAN – know as a Dynamic VLAN, the benefit of this is that you can place a work station anywhere on the LAN and the switch will always place it in the correct VLAN – no further configuration of the switch is required.
So that’s a very basic look at how a VLAN operates.
Let’s take a brief look at one of the most significant side effects of a VLAN – Security.
Contrary to popular belief VLANs where not invented to improve network security – the added security is a bonus to implementing a VLAN.
Although I have said earlier that the only way to talk between two VLANS is via a router – like everything IT related someone will find a way to get around any security restriction sooner or later. It must be noted that this only works on older switches.
The following is knows as a ‘Temporary VLAN Cut-Through After VLAN Change’ and is taken from the Cisco web site:
“If systems have established TCP/IP communications on the same VLAN, then the switch gets configured so that one system’s port now belongs to a different VLAN. Communications continues between the two systems because each has the MAC address of the other in its ARP cache, and the bridge knows which destination MAC addresses gets directed to which port.
In the second example, someone wishing to hop VLANs manually enters a static ARP entry for the desired system. Doing so requires that the person somehow learns the MAC address of the target system, perhaps through physical access to the target system.
Each of these two examples can be blocked by using switch software that removes the information necessary for passing packets between VLANs. In higher end Cisco switches, separate spanning trees, the tables that map MAC addresses to ports, exist for each VLAN. Other switches either have similar features, or can use configuration to filter the bridging information available to members of each VLAN.”
As we all now spoofing an IP source addresses has been around for many years, and spoofing VLAN tags is no different. The 2.4 Linux kernels have support for acting as VLAN switches, and can generate any VLAN tag that the user wants to. Other software exists for spoofing VLAN tags such as Sniffer Pro v.2.0.01.
More information about VLAN ID spoofing with Linux here:
Certain conditions have to be meet for VLAN Hopping to be successful:
The MAC addresses of the target system have to be known in advance.
The attacker must belong to the same VLAN as the trunk used to connect the switches.
You can easily prevent VLAN hopping by configuring trunk ports so their VLANs do not match the VLAN ID of any other VLANs that you have configured.
By default, the native VLAN for a trunk will be VLAN ID one, the default for any VLAN. You can choose to set the native VLAN for trunks to be 99, or any value that your switch supports and is not used for any other VLAN to prevent VLAN Hopping.
Well that is a very basic overview of VLANs – what they are and how they work. There is more to VLANs and I have left a lot out as this did seem to get rather lengthy very quickly!
I may do a more advanced one in the upcoming months!