VLAN-Based Network Segmentation

PowerConnect Application Note #8
January 2004
www.dell.com/networking

VLAN-Based Network Segmentation

This Application Note relates to the following Dell PowerConnect products:
PowerConnect 33xx
PowerConnect 52xx

Abstract
This Application Note explains the benefits of using virtual local area networks (VLANs) to segment a switched network. This document describes VLAN fundamentals and provides configuration instructions for setting up multiple VLANs on Dell PowerConnect switches.

Applicable Network Scenarios
VLANs are useful in situations where the need exists to separate the logical topology of network segments from the physical topology. For example, VLANs can be used to restrict a broadcast domain to a given workgroup, enhancing both security and performance.

The following diagram shows a switched network using Dell PowerConnect 33xx and 52xx switches in a default VLAN configuration. Client A from the accounting workgroup requires access to a central server, while Clients B and C from the marketing workgroup should not have access to the accounting server. Note that all switch interfaces are members of VLAN 1; this is the default configuration for all Dell PowerConnect switches.

[Figure: default VLAN topology. PowerConnect 3324: Client A (Accounting) on interface 1/e10, Client C (Accounting) on interface 1/e20, uplink 1/e1. PowerConnect 5224: Client B (Marketing) on interface 1/15, Accounting server on interface 1/5, uplink 1/1.]

Since all switch interfaces are members of VLAN 1 by default, all nodes attached to both switches are members of the same broadcast domain. This configuration provides no data privacy, and it can degrade application performance. Security may be compromised because Clients B and C can see network traffic from the accounting workgroup. Performance suffers because all nodes attached to both switches must process all broadcast frames. Broadcast traffic also can contribute to excessive network utilization.

Technology Background
A VLAN is a single logical broadcast domain comprised of interfaces on one or more switches. Not all interfaces on a switch must be members of a given VLAN; in fact, a major benefit of VLANs is the ability to subdivide one physical switch into multiple logical networks. The virtual aspect of VLANs is that they enable the construction of multiple virtual networks from one physical switch, or vice versa: a single VLAN may span multiple physical switches through the use of trunk links between the switches. VLANs can be used to logically segment groups of connected nodes into individual broadcast domains.

The VLAN implementation in Dell PowerConnect switches is based on the IEEE 802.1Q standard. As such, a VLAN is an Ethernet mechanism, meaning it works at layer 2 of the seven-layer ISO model. Any inter-VLAN traffic must first traverse a layer-3 device such as a router in order to communicate with another VLAN. Thus, logical segmentation not only optimizes bandwidth utilization, but also provides security by isolating segments behind layer-3 devices, which typically can filter traffic using access control lists (ACLs). Even if two nodes share a common IP subnet, they will not be able to communicate directly if they are in separate VLANs.

The IEEE 802.1Q standard describes a tagging mechanism that allows switches to differentiate frames based on a 12-bit VLAN ID (VID) field. Tagging is useful on trunk interfaces that connect the Dell PowerConnect switch to a neighboring 802.1Q-compliant router or switch. With tagging, the two devices can logically separate traffic from different VLANs. Depending on configuration, a Dell PowerConnect switch will either keep or strip off the tag of an inbound tagged frame. If the ingress interface (the interface on which a frame arrives) is configured as a member of an untagged VLAN, the switch will strip off the frame's tag before transmitting it. On the other hand, if the interface is configured as a member of a tagged VLAN (for example, if the interface is part of a trunk link between switches), the switch will not remove the frame's tag before transmitting it.

Dell PowerConnect 33xx series switches offer three main modes for handling VLAN traffic on a given interface. Access mode specifies a single, untagged VLAN to which the interface belongs; this is useful when the attached node is an end-station. General mode allows the administrator to configure multiple VLANs that can be either tagged or untagged; this is useful for nodes that must communicate on more than one VLAN. Trunk mode inserts an 802.1Q-compliant VLAN tag into all frames; this is useful for trunk links that connect the Dell PowerConnect switch with another 802.1Q-compliant switch or router. Dell PowerConnect 52xx switches do not support general mode. However, the 52xx series switches allow multiple VLANs to be added in access mode.

When a frame enters an interface in access mode or general mode, the switch assigns the frame the default port VLAN identifier (PVID) specified for that interface and performs a lookup in its VLAN-aware media access control (MAC) table. If the ingress interface is in access mode, the switch verifies that the destination is in the same VLAN. If the ingress interface is in general mode, the switch verifies that the VLAN exists. The switch then forwards the frame if the destination is valid or discards it if not. If the destination (egress) interface is in access mode, the switch strips off the 802.1Q tag before transmitting the frame. If the destination interface is in general mode and the target VLAN is configured as tagged, the switch forwards the frame with its VLAN tag intact. All traffic entering and leaving a trunk interface must be tagged. Interfaces configured for trunk mode or general mode can be configured with a port VLAN ID (PVID) that specifies a default VLAN to use for tagging if the frame is untagged upon entry.

Dell PowerConnect switches use ingress filtering to discard frames belonging to VLANs that are not associated with the ingress interface. Ingress filtering is enabled by default and can only be disabled on interfaces configured in general mode.

Proposed Solution
To optimize bandwidth utilization and help secure sensitive data, we will segment the network into two separate VLANs, one for each department. The central fileserver will have access to both VLANs.

Overview
To implement VLANs on Dell PowerConnect switches, use the following steps:
1. Create VLANs in the VLAN database.
2. Configure interfaces associated with end-stations for access mode and their respective VLANs.
3. Configure the interface associated with the server for general mode and its respective VLANs.
4. Place uplink interfaces into trunking mode.
Note: This example assumes a network consisting of two switches connected with a trunk link. For a single-switch network, omit step 4 above.

Typical Network Designs
We will set up one VLAN for each department. We assign accounting to VLAN 10 and marketing to VLAN 20. The accounting server's associated switch interface will be placed in general mode and have access to the accounting VLAN, enhancing security and performance.

Step-By-Step Instructions
The following configuration guidelines work with any Dell PowerConnect 33xx or 52xx switch.

1. Create VLANs 10 and 20.

PowerConnect 33xx:
    console> en
    console# config
    console(config)# vlan database
    console(config-vlan)# vlan 10
    console(config-vlan)# vlan 20

PowerConnect 52xx:
    console# config
    console(config)# vlan database
    console(config-vlan)# vlan 10 name vlan_10 media ethernet
    console(config-vlan)# vlan 20 name vlan_20 media ethernet
    console(config-vlan)# exit

2. Configure interfaces associated with end-stations for access mode and their respective VLANs.

PowerConnect 33xx:
    console(config)# interface ethernet 1/e10
    console(config-if)# switchport access vlan 10
    console(config-if)# exit
    console(config)# interface ethernet 1/e20
    console(config-if)# switchport access vlan 20

PowerConnect 52xx:
    console(config)# interface ethernet 1/15
    console(config-if)# switchport allowed vlan add 20
    console(config-if)# switchport native vlan 20

3. Configure the interface associated with the server for general mode and VLAN 10.

PowerConnect 33xx (Note: The example assumes the server is attached to a Dell PowerConnect 52xx switch. The following configuration commands are not used in the example, and are given only for the sake of completeness.):
    console(config)# interface ethernet 1/e5
    console(config-if)# switchport mode general
    console(config-if)# switchport general allowed vlan add 10 untagged

PowerConnect 52xx (Note: PowerConnect 52xx switches do not support general mode. Instead, we simply add VIDs to the list of allowed untagged VLANs. The server is attached to interface 1/5 of the 5224, as shown in the diagram.):
    console(config)# interface ethernet 1/5
    console(config-if)# switchport allowed vlan add 10 untagged

4. Place uplink interfaces into trunking mode. (Note: Omit this step for a single-switch network.)

PowerConnect 33xx:
    console(config)# interface ethernet 1/e1
    console(config-if)# switchport mode trunk
    console(config-if)# switchport trunk allowed vlan add 10,20

PowerConnect 52xx:
    console(config)# interface ethernet 1/1
    console(config-if)# switchport mode trunk
    console(config-if)# switchport allowed vlan add 10,20 tagged

Conclusion
We have set up VLANs and separated traffic between the accounting and marketing workgroups. As a result, Clients B and C can no longer see Client A and vice versa. Further, Clients B and C can no longer reach the accounting server. The two VLANs have isolated the accounting workgroup's sensitive data from the rest of the network. The two VLANs also segregate broadcast traffic, helping to reduce bandwidth consumption and processing overhead on both segments.

Information in this document is subject to change without notice. © 2003 Dell Inc. All rights reserved.
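The following Python model is an added example, not code from Dell or from this application note. It puts the Technology Background section (802.1Q tag layout, access/trunk handling, PVID assignment, ingress filtering, tag strip on untagged egress and tag keep on tagged egress) and the step-by-step configuration above into one small switch simulator, then checks the Conclusion's claims against the note's topology. Assumptions: the switch labels "PC3324" and "PC5224", the MAC addresses and the payload bytes are constructed for the illustration; the 52xx server port configured with "switchport allowed vlan add 10 untagged" is modelled the same way as an access port in VLAN 10; and, following the note's statement that all trunk traffic must be tagged, an untagged frame arriving on a trunk is dropped.

```python
"""Toy model of 802.1Q frame handling in a VLAN-aware switch (constructed example, not Dell code).
Port modes, PVID, ingress filtering and egress tag handling follow the note's text; the topology
mirrors its example. Switch names and MAC addresses are made up for the illustration."""
import struct
from dataclasses import dataclass, field

TPID_8021Q = 0x8100
BROADCAST = b"\xff" * 6
# Constructed, locally administered MAC addresses for Clients A, B, C and the accounting server.
MAC_A, MAC_B, MAC_C, MAC_S = (bytes.fromhex("0200000000" + x) for x in ("aa", "bb", "cc", "ee"))

def parse_frame(raw):
    """Return (dst, src, vid or None, payload); the VID is the low 12 bits of the TCI."""
    dst, src = raw[:6], raw[6:12]
    if struct.unpack("!H", raw[12:14])[0] == TPID_8021Q:
        tci = struct.unpack("!H", raw[14:16])[0]
        return dst, src, tci & 0x0FFF, raw[16:]
    return dst, src, None, raw[12:]

def build_frame(dst, src, payload, vid=None, pcp=0):
    """Build an Ethernet frame, inserting a 4-byte 802.1Q tag when vid is given."""
    tag = b"" if vid is None else struct.pack("!HH", TPID_8021Q, (pcp << 13) | (vid & 0x0FFF))
    return dst + src + tag + payload

@dataclass
class Port:
    pvid: int = 1                                # VLAN assigned to untagged ingress frames
    untagged: set = field(default_factory=set)   # VLANs this port sends untagged
    tagged: set = field(default_factory=set)     # VLANs this port sends tagged

    def allowed(self):
        return self.untagged | self.tagged

def access(vid):     # access mode: a single untagged VLAN, which is also the PVID
    return Port(pvid=vid, untagged={vid})

def trunk(vids):     # trunk mode: all VLANs tagged; PVID 0 means untagged ingress has no valid VLAN
    return Port(pvid=0, tagged=set(vids))

class Switch:
    def __init__(self, ports):
        self.ports, self.mac_table = ports, {}   # mac_table: (vid, mac) -> port name

    def forward(self, in_port, raw):
        """Return [(egress port, frame)] for one ingress frame, or [] if it is dropped."""
        dst, src, vid, payload = parse_frame(raw)
        port = self.ports[in_port]
        if vid is None:
            vid = port.pvid                      # untagged frame takes the PVID
        if vid not in port.allowed():
            return []                            # ingress filtering
        self.mac_table[(vid, src)] = in_port     # VLAN-aware MAC learning
        known = self.mac_table.get((vid, dst))
        targets = [known] if known else [n for n, p in self.ports.items() if vid in p.allowed()]
        return [(n, build_frame(dst, src, payload, vid if vid in self.ports[n].tagged else None))
                for n in targets if n != in_port]   # tag kept on tagged VLANs, stripped otherwise

class Network:
    def __init__(self, switches):
        self.switches, self.links, self.hosts = switches, {}, {}

    def link(self, a, b):
        self.links[a], self.links[b] = b, a

    def send(self, src_mac, dst_mac, payload=b"\x08\x00payload"):
        """Inject an untagged frame from a host; return the MACs of hosts whose port received it."""
        queue, seen = [(*self.hosts[src_mac], build_frame(dst_mac, src_mac, payload))], set()
        while queue:
            sw, port, raw = queue.pop()
            for out_port, frame in self.switches[sw].forward(port, raw):
                if (sw, out_port) in self.links:
                    queue.append((*self.links[(sw, out_port)], frame))
                seen.update(m for m, loc in self.hosts.items() if loc == (sw, out_port))
        return seen

def build_network(segmented):
    """The note's topology with all ports in VLAN 1 (default) or with the two-VLAN design."""
    if segmented:
        sw1 = Switch({"1/e10": access(10), "1/e20": access(20), "1/e1": trunk({10, 20})})
        sw2 = Switch({"1/15": access(20), "1/5": access(10), "1/1": trunk({10, 20})})
    else:
        sw1 = Switch({n: access(1) for n in ("1/e10", "1/e20", "1/e1")})
        sw2 = Switch({n: access(1) for n in ("1/15", "1/5", "1/1")})
    net = Network({"PC3324": sw1, "PC5224": sw2})
    net.hosts = {MAC_A: ("PC3324", "1/e10"), MAC_C: ("PC3324", "1/e20"),
                 MAC_B: ("PC5224", "1/15"), MAC_S: ("PC5224", "1/5")}
    net.link(("PC3324", "1/e1"), ("PC5224", "1/1"))
    return net

def reachability(segmented):
    """Client A -> server, Client B -> server, and whether Client B's port sees A's broadcasts."""
    net = build_network(segmented)
    return {"A->server": MAC_S in net.send(MAC_A, MAC_S),
            "B->server": MAC_S in net.send(MAC_B, MAC_S),
            "B sees A broadcast": MAC_B in net.send(MAC_A, BROADCAST)}

if __name__ == "__main__":
    print("default, all ports in VLAN 1:", reachability(False))
    print("accounting VLAN 10 / marketing VLAN 20:", reachability(True))
```

Run as a script it prints the two reachability maps: with every port left in VLAN 1 all three checks are true, and with the two-VLAN design only A->server remains true, which is the isolation the Conclusion describes. The model also makes the ingress-filtering rule concrete: a frame tagged with a VID that is not allowed on its ingress port, or an untagged frame arriving on a trunk, is discarded before any MAC lookup happens, so VLAN membership is enforced at the port, not by the destination.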

This Application Note is for informational purposes only, and may contain typographical errors and technical inaccuracies. The content is provided "as is", without express or implied warranties of any kind. Dell, the DELL logo, and PowerConnect are trademarks of Dell Inc. Other trademarks and trade names may be used in this document to refer to either the entities claiming the marks and names or their products. Dell Inc. disclaims any proprietary interest in trademarks and trade names other than its own.