Virtual Local Area Networks in Security
COSC 356 – Network Security
Mark Reed
December 4th, 2008

Introduction

A Local Area Network (LAN) is defined as a single broadcast domain of computers that are physically located near each other. A single broadcast domain is a domain in which a request sent by a user on the LAN is received by every node on the same LAN. Routers on a network stop broadcasts; switches simply forward them. Virtual Local Area Networks are used to logically segment a LAN into different broadcast domains. VLANs are logical groupings rather than physical ones, so the nodes on a VLAN do not have to be physically located near each other. VLANs also allow broadcast domains to be created using switches instead of routers. VLANs are created by putting some switch ports in a VLAN other than VLAN 1, which is the default VLAN. All ports that are added to a single VLAN are in a single broadcast domain. Since switches can communicate with each other, some ports on switch A can be in VLAN 10 and other ports on switch B can also be in VLAN 10. Broadcasts sent between devices in VLAN 10 will only be sent to other devices that are also in VLAN 10.

Why Use VLANs

VLANs can be used on a network to help reduce the amount of traffic and broadcasts being sent across it. Not every network should use VLANs if they are not necessary to improve network performance or network security. You should consider using VLANs if you have more than 200 devices on your LAN, you have a lot of broadcast traffic on your LAN, groups of users need more security, groups of users need access to more bandwidth or to the same applications, or if you just need to make a single switch into multiple virtual switches. There are many reasons why VLANs should be used over traditional LANs when setting up a large enterprise network.
Using VLANs will increase the performance of the network and enable network traffic to be handled more efficiently. By setting up a VLAN you can reduce the need to send broadcasts and multicasts to all users on the network, sending them only to the users who need to receive the traffic. This reduces the amount of network traffic, which increases the performance of the network. The use of VLANs on a network can also reduce the number of routers used on the network, which reduces the load on the routers and increases the performance of the routers and of the network itself.

VLANs also give the network administrator the ability to form virtual workgroups for departments, divisions or groups throughout an enterprise. It is common for different departments or groups in an organization to work together on certain projects that may last only a short time. In order to reduce the number of multicast and broadcast packets being sent over the network, these users can be added to a VLAN, which decreases network traffic and allows them to work more efficiently. VLANs can also be used to improve the performance of applications that certain users of an organization use. For example, if several users in a certain department use an application that generates a lot of network traffic, those users could be placed in a VLAN to help reduce network traffic and increase the performance of the application.

A majority of network costs are a result of adding, removing and changing users on the network. VLANs can be used to reduce these costs and the amount of work necessary to complete these tasks. VLANs help reduce network costs by eliminating the need to purchase expensive routers to create separate broadcast domains. Once VLANs are implemented in a network, they simplify network administration in the future.
If a user is in a VLAN and needs to be moved to another location in the organization, you only need to make sure that the switch port they are using, or the MAC address of their workstation, is added to the necessary VLAN.

VLANs provide additional security not available in a shared network environment. A switched network environment delivers frames only to the intended recipients, and broadcast frames only to other members of the VLAN. VLANs also allow network administrators to group users that require access to sensitive information into VLANs separate from the rest of the network users, regardless of their physical location. Monitoring a port with a traffic analyzer will only show the traffic associated with that particular port, which also helps increase the security of the network.

How VLANs Work

When a switch receives data from a workstation on the network it tags the data with a VLAN identifier indicating which VLAN the data came from. This type of tagging is called explicit tagging. It is also possible to determine which VLAN data belongs to by using implicit tagging. Implicit tagging determines which VLAN the data came from by the port the data arrived on, the source MAC address, the source network address, or a combination of these fields. In order for the switch to perform tagging using any of these methods, it needs to keep a database containing mappings for VLANs and the other switches on the network. In order for the network to operate properly, each switch needs to contain the same database. VLANs also use a technique called tagging to help distinguish frames sent over the network. Tagging is used to indicate which VLAN a frame belongs to, so that the switch forwards the frame only to the ports that belong to that specific VLAN. Tagging adds specific information about a frame to the header of each frame.
The following information is added to the header: user priority information, source routing control information and the source MAC address. When a switch receives data it determines which VLAN the data belongs to by using either implicit or explicit tagging, as described above.

Membership information for each VLAN is stored in a filtering database, which consists of two types of entries: static entries and dynamic entries. When using static entries, the information is added, modified and deleted manually by a network administrator. Therefore, entries are not automatically removed after they become inactive; they need to be removed manually by the network administrator. There are two types of static entries, Static Filtering Entries and Static Registration Entries. Static Filtering Entries specify for each port whether frames sent to a specific MAC address or group address on a specific VLAN should be forwarded or discarded. Static Registration Entries specify whether frames sent to a specific VLAN are to be tagged or untagged, and determine which ports are registered for that specific VLAN so that data can be forwarded or discarded.

Dynamic database entries are automatically generated by the switch and cannot be created or updated by the network administrator. The VLAN database is updated by observing each port, looking at the frame, its source address and the VLAN ID (VID). An entry is dynamically updated if the port allows learning, the source address is a workstation and there is space available in the database. Entries are dynamically removed from the database if they are unused for a specified amount of time. There are three types of dynamic database entries. Dynamic Filtering Entries specify whether frames sent to a specific MAC address on a specific VLAN should be forwarded or discarded.
Group Registration Entries indicate for each port whether frames sent to a group of MAC addresses should be forwarded or discarded. Dynamic Registration Entries specify which ports are registered to a specific VLAN.

There are several types of VLANs, which differ by the way they classify membership. Membership can be classified by port, MAC address, the type of protocol being used, or the subnet address. In a Layer 1 VLAN, membership is defined by the ports that belong to the VLAN. The main disadvantage of Layer 1 membership is that it requires reconfiguration if a user moves to a different port on the switch or to another switch. In a Layer 2 VLAN, membership is defined by the MAC address of the workstation. The biggest advantage of Layer 2 VLAN membership is the ability to move a workstation without reconfiguring the switches. When a workstation is moved to another location it remains in the same VLAN, since the switch tracks the workstation by its MAC address instead of the port it is physically connected to. In a Layer 3 VLAN, membership is based on the subnet of the workstation's IP address. When using Layer 3 membership a workstation can be moved without reconfiguring the network addresses, but it generally takes longer to forward packets using this information than it does by MAC address. There are also several other ways that VLAN membership can be implemented, including by application, by service, or by any combination of these.

To create VLANs on your network you will need a switch that supports Virtual Local Area Networks. To set up VLANs on your network, all you need to do is create a new VLAN on the switch and then assign each port to the desired VLAN. For example, if you create VLAN 10 and assign ports 2 and 3 to it, and create VLAN 20 and assign ports 4 and 5 to it, you will have created two VLANs.
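As an added example that is not part of the paper, the following Python model of a VLAN-aware switch ties together explicit tagging (a VID carried in an 802.1Q tag), implicit tagging (the VLAN of the ingress port), a filtering database with static and dynamically learned MAC entries, and the rule that a frame is delivered only to ports of its own VLAN, using the paper's VLAN 10 (ports 2 and 3) and VLAN 20 (ports 4 and 5). The frame layout helper, the MAC addresses and the aging time are constructed here for illustration.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q VLAN tag
BROADCAST = b"\xff" * 6


def frame(dst, src, vid=None, payload=b"\x00" * 46):
    """Build a minimal Ethernet frame (constructed sample data); when vid is given,
    an 802.1Q tag (TPID + TCI carrying the VID) is inserted before the EtherType."""
    tag = struct.pack("!HH", TPID_8021Q, vid & 0x0FFF) if vid is not None else b""
    return dst + src + tag + struct.pack("!H", 0x0800) + payload


def classify(port_vlan, ingress, data):
    """Explicit tagging: take the VID and user priority from the tag in the header.
    Implicit tagging: fall back to the VLAN of the port the frame arrived on."""
    dst, src = data[:6], data[6:12]
    if struct.unpack("!H", data[12:14])[0] == TPID_8021Q:
        tci = struct.unpack("!H", data[14:16])[0]
        return tci & 0x0FFF, dst, src, tci >> 13
    return port_vlan[ingress], dst, src, 0


class VlanSwitch:
    def __init__(self, port_vlan, static=None, max_age=300):
        self.port_vlan = dict(port_vlan)  # static registration entries: port -> VID
        # filtering database: (vid, mac) -> [port, last_seen, is_static]
        self.fdb = {k: [p, None, True] for k, p in (static or {}).items()}
        self.max_age = max_age  # assumed aging time (seconds) for dynamic entries

    def age_out(self, now):
        """Remove dynamic entries unused for max_age seconds; static entries stay."""
        for key, (_, seen, is_static) in list(self.fdb.items()):
            if not is_static and now - seen > self.max_age:
                del self.fdb[key]

    def forward(self, ingress, data, now=0):
        """Return the egress ports for a frame received on `ingress` at time `now`."""
        vid, dst, src, _ = classify(self.port_vlan, ingress, data)
        if vid != self.port_vlan[ingress]:
            return []  # tagged for a VLAN this port is not registered in: discard
        self.age_out(now)
        if (vid, src) not in self.fdb or not self.fdb[(vid, src)][2]:
            self.fdb[(vid, src)] = [ingress, now, False]  # dynamic filtering entry
        members = [p for p, v in self.port_vlan.items() if v == vid and p != ingress]
        entry = self.fdb.get((vid, dst))
        if dst != BROADCAST and entry is not None:
            return [entry[0]] if entry[0] in members else []
        return members  # broadcast or unknown unicast: flood only within the VLAN
```

A broadcast from port 2 reaches only port 3, a frame tagged for VLAN 20 arriving on a VLAN 10 port is discarded, and dynamic entries disappear after the aging time while static ones persist.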
Now that you have created the two VLANs, ports 2 and 3 will be able to communicate with each other, and ports 4 and 5 will be able to communicate with each other. Information will not be shared between the two VLANs without a router or further configuration of the switch.

Summary

A VLAN is a broadcast domain that is created by switches. VLANs simplify network administration and can help reduce its cost. VLANs allow the formation of virtual workgroups, better security, improved performance, simplified network administration and reduced network costs. VLANs are formed by logical segmentation of a network and can be classified into different Layers. Tagging and the filtering database allow a switch to determine the source and destination VLAN for received data. If VLANs are implemented correctly they can bring great performance and security improvements to a Local Area Network.