
Virtual Local Area Networks



Presentation Transcript


  1. Virtual Local Area Networks

  2. Should I V-LAN?
     1. Security
        V-LANs can restrict access to network resources

  3. Should I V-LAN?
     Access Control Lists are used to direct the availability of information
     (Diagram labels: Student Records, Faculty, Students)

  4. (Diagram labels: Students V-LAN, Faculty V-LAN, Access Denied, Access Permitted, Student Records: the Students V-LAN is denied access to Student Records, the Faculty V-LAN is permitted)

  5. Should I V-LAN?
     • Broadcast Control for Increased Performance
       – Reduce the size of your collision domains
       – Limit broadcast traffic to similar users

  6. Check Your Network for Broadcast Protocols

  7. One Broadcast Domain

  8. V-LANs form Multiple Broadcast Domains

  9. Should I V-LAN?
     • Network Monitoring
       – Centrally configure devices in local areas
       – Divide your users into logical groupings

  10. Should I V-LAN? YES
      • Your security will improve
      • Your network performance will improve

  11. How Many V-LANs?
      • List Buildings
      • Itemize Departments
      • Remember BROADCAST CONTROL
      (NC State)

  12. How Many V-LANs?

  13. How Many V-LANs?
      When you're done – Add 2 More
      • A Test V-LAN for your Test Lab
      • An "Internet Only" V-LAN for all unused ports
      plus V-LAN #1 will be your default V-LAN for your administrative purposes

  14. How Many V-LANs?
      Building 1 – 18 V-LANs
      Building 2 – 6 V-LANs
      Building 3 – 7 V-LANs
      Building 4 – 4 V-LANs
      Building 5 – 2 V-LANs
      Building 6 – 7 V-LANs
      3 Server V-LANs
      Internet Only V-LAN
      Test V-LAN
      Adm. V-LAN
      Total – 50

  15. Equipment/Server Concerns
      • You will need a trustworthy Layer 3 main switch (example: Cisco 4506)
      • Unmanaged switches and hubs can contain only 1 V-LAN
      • Some protocols, such as IPX & Apple, require broadcasts. These will need to be addressed.

  16. Equipment/Server Concerns
      • Each V-LAN will need its own DHCP scope.
      • DNS must be reachable by every V-LAN
      • User applications cannot reside on a V-LAN that will be blocked
      • You must know what is connected to every port on every switch.

  17. How Do I Begin?
      Get details on your current setup – Conduct an audit of the ports on your switches

  18. Create a Switch Audit Form

  19. Set Up a Schedule – Adhere to the schedule!!
      Week 1 – Audit Bldg. 1
      Week 2 – Audit Bldg. 2
      Week 3 – Audit Bldg. 3
      Week 4 – Audit Bldg. 4
      Week 5 – Audit Bldg. 5
      Week 6 – Audit Bldg. 6
      Week 7 – Write Configuration & Access Lists – Select IP Address for Users
      Week 8 – Implementation
        – Add V-LANs to main switch & DHCP Scopes
        – Set all ports on all switches
        – Test PCs & Printers
        – Change IP's where needed
      You have a new network!

  20. How Do I Add V-LANs to the Switches?
      • Add every V-LAN to the main switch
      • Add to each switch the V-LANs it will need
        – With some manufacturers the secondary switches will automatically read the list from the main switch
      • Set each port to the correct V-LAN

  21. Main Switch contains all V-LANs
      Secondary Switches contain the V-LANs they service
      Set each port to the correct V-LAN

  22. Sample Script for Main Switch
      ena
      config t
      ! Add the V-LAN
      vlan 2
      ! Name the V-LAN
       name Building1Lab1
      ! Exit that V-LAN
      exit
      ! Add another V-LAN
      vlan 3
       name Building1Lab2
      exit

  23. Sample Script for Main Switch
      ! Enter the V-LAN as an Interface
      int vlan 1
      ! Give a Description to the V-LAN
       description Bus Lab
      ! Give an IP Address to the V-LAN
       ip address 172.16.1.1 255.255.255.0
      ! Give a location for DHCP for the V-LAN (IOS keyword is helper-address, with the hyphen)
       ip helper-address 10.9.3.102
      ! Turn the V-LAN on
       no shutdown
      exit
      int vlan 2

  24. Remember . . .
      • You must have a default IP Address for every V-LAN
      • You must have a DHCP scope for every V-LAN

  25. About those IP Addresses
      • You will need an addressing scheme for your new network
      • Choose it carefully so your V-LANs will be easy to identify
      • Use a private address or a combination of private addresses
        – 10.0.0.0
        – 172.16.0.0
        – 192.168.0.0

  26. About those IP Addresses
      10.0.0.0 – 172.16.0.0 – 192.168.0.0
      For convenience, subnet your address to make octet numbers a subnet
      Ex – 10.1.0.0, 10.2.0.0 – 255.255.0.0
           172.16.1.0, 172.16.2.0 – 255.255.255.0
      You would instantly know that the first device was on V-LAN 1, the second device on V-LAN 2

  27. Take it Slowly . . .
      Set all your switches and test your new network
      Give everyone full access until all the bugs have been fixed

  28. When everything works, you’re ready to add the Security

  29. Access Lists
      • Access Lists are used for Security
      • These Lists block or allow users to servers or network addresses
      • Users can be blocked completely – or by protocols
      • Ex – Students can be blocked from accessing a server with Telnet

  30. Access Lists
      Specify the users you wish to block or allow by using a Wildcard Mask.
      This mask identifies which octets of the address are to be checked.
      0 = match, 255 = ignore
      Example: 172.16.2.0 0.0.0.255 – Ignore last octet
      allows Addresses 172.16.2.0 – 172.16.2.255

  31. Access Lists
      Permit the services users will need – DNS, HTTP, etc.
      Deny the services you want to block
      Apply the Access List to the correct V-LANs
      V-LANs without an Access List will have total access

  32. Access List Example
      access-list 101 permit ip 172.16.0.0 0.0.255.255 host 10.0.0.1
      – permits all users access to Firewall
      access-list 101 deny ip 172.16.5.0 0.0.0.255 host 10.0.0.2
      – denies V-LAN #5 access to GroupWise Mail server

  33. Access List Example
      access-list 101 permit tcp 172.16.0.0 0.0.255.255 host 10.0.0.3 eq http
      – Permits all hosts access to web server, but only for http
      int vlan 5
       ip access-group 101 in
      – Applies access-list to VLAN #5
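To show what slides 30 to 33 actually do on the wire, here is an added example (not code from the presentation) that models the wildcard-mask test and walks the slides' access-list 101 top-down, including the implicit "deny any" that ends every Cisco ACL. The three entries are copied from slides 32 and 33; the VLAN 5 host address, the protocols and the port numbers in the sample flows are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard-mask test: a 0 bit means 'must match', a 1 bit means 'ignore'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)

@dataclass
class Ace:
    """One access-list entry; 'host X' on the slide is X with wildcard 0.0.0.0."""
    action: str            # "permit" or "deny"
    proto: str             # "ip" matches every protocol, "tcp" only TCP
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    dport: Optional[int] = None  # "eq <port>" on the slide; None = any port

    def matches(self, proto: str, src: str, dst: str, dport: Optional[int]) -> bool:
        if self.proto != "ip" and self.proto != proto:
            return False
        if self.dport is not None and dport != self.dport:
            return False
        return (wildcard_match(src, self.src, self.src_wc)
                and wildcard_match(dst, self.dst, self.dst_wc))

def evaluate(acl: List[Ace], proto: str, src: str, dst: str,
             dport: Optional[int] = None) -> str:
    """Walk the list top-down; the first matching entry wins. A flow that matches
    nothing hits the implicit 'deny any' at the end of every Cisco ACL."""
    for ace in acl:
        if ace.matches(proto, src, dst, dport):
            return ace.action
    return "deny"

# access-list 101 from slides 32 and 33 (http = TCP port 80)
ACL_101 = [
    Ace("permit", "ip", "172.16.0.0", "0.0.255.255", "10.0.0.1", "0.0.0.0"),
    Ace("deny", "ip", "172.16.5.0", "0.0.0.255", "10.0.0.2", "0.0.0.0"),
    Ace("permit", "tcp", "172.16.0.0", "0.0.255.255", "10.0.0.3", "0.0.0.0", 80),
]

if __name__ == "__main__":  # constructed flows from a VLAN 5 host, where 101 is applied inbound
    for proto, dst, port in [("tcp", "10.0.0.2", 25), ("tcp", "10.0.0.3", 23), ("udp", "10.9.3.102", 53)]:
        print(proto, dst, port, "->", evaluate(ACL_101, proto, "172.16.5.20", dst, port))
```

Note that the last sample flow (DNS to the DHCP/DNS host from slide 23) is dropped by the implicit deny, which is exactly why slide 31 says to permit DNS and the other services users need before applying the list.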

  34. Enjoy Your New Network
      • Security
      • Multiple Broadcast Domains
      • Easier Monitoring
