Slide 1: Virtual LAN
2017/5/25

Slide 2: VLAN
• What is a VLAN?
  – In short, a VLAN is a software-based way of letting a switch partition the network into "different broadcast domains"
• How?
  – PCs belonging to different VLANs cannot communicate through the switch
  – For network planners and administrators, a VLAN is another "tool", "concept" or "weapon" beyond the traditional switch and router
• A VLAN is not a "device"; implementing a VLAN still relies on switches and routers

Slide 3: Differences between the traditional LAN architecture and VLANs
(figure)

Slide 4: VLAN (in more detail …)
• A VLAN is a logical grouping of network devices or users that are not restricted to a physical switch segment.

Slide 5: VLAN (in more detail …)
• The devices or users in a VLAN can be grouped by function, department, project team, application, and so on, regardless of their physical location or connection to the network
• A VLAN creates a single broadcast domain that is not restricted to a physical segment and is treated like a subnet.
  – Packets are only switched between ports that are designated for the same VLAN.
  – VLAN setup is done in the switch by software.

Slide 6: VLAN (in more detail …)
(figure)

Slide 7: (figure)

Slide 8: Traditional LANs & broadcast domains
(figure)

Slide 9: VLANs & broadcast domains
(figure)

Slide 10: Relationship between ports, VLANs & broadcasts
• Each switch port can be assigned to a VLAN.
• Ports assigned to the same VLAN share broadcasts.
• Ports that do not belong to that VLAN do not share these broadcasts. This improves the overall performance of the network.

Slide 11: VLANs make workstation additions, moves & changes easier
• Without VLANs, moving a user from one office to another might require a router to be reconfigured, changes to the patch cables in the wiring closet, and IP address reconfiguration on the host.
• A host connected to a VLAN-capable switch, however, simply stays in the same VLAN (i.e., the same broadcast domain and subnetwork), with no router changes, patch cable changes or IP address changes.
  – This may not sound like a big deal when one host is moved, but when many hosts move over the course of a year the savings in time and trouble are tremendous.
Slide 12: VLAN Configuration
• VLAN operation (or configuration) modes
  – Static
    • port-centric (port-based)
  – Dynamic

Slide 13: Static (Port-Based/Centric) VLAN
(figure)

Slide 14: Static (port-centric) VLAN
Port: 1 2 3 4 5 6
VLAN: 1 2 1 2 2 1

Slide 15: Port-Based/Centric
• Users are assigned by port.
• VLANs are easily administered.
• It provides increased security between VLANs.
• Packets do not "leak" into other domains.

Slide 16: Dynamic VLAN
(figure)

Slide 17: A Scenario …

Slide 18: A small college
Faculty & student LAN, each with different security features

Slide 19: A year later …
What if we still want each to have different security features?

Slide 20: VLAN can be the rescue …

Slide 21: More details …

Slide 22: Benefits of VLAN

Slide 23: Security
• Groups that have sensitive data are separated from the rest of the network, decreasing the chances of confidential information breaches.
  – Faculty computers are on VLAN 10 and completely separated from student and guest data traffic.

Slide 24: More on Security with VLAN
• Restrict the number of users in a VLAN group
• Prevent another user from joining without first receiving approval from the VLAN network management application
• Configure all unused ports to a default low-service VLAN

Slide 25: (figure)

Slide 26: Cost reduction
• Cost savings result from less need for expensive network upgrades and more efficient use of existing bandwidth and uplinks.

Slide 27: Higher performance
• Dividing flat Layer 2 networks into multiple logical workgroups (broadcast domains) reduces unnecessary traffic on the network and boosts performance.

Slide 28: Broadcast storm mitigation
• Dividing a network into VLANs reduces the number of devices that may participate in a broadcast storm.

Slide 29: Improved IT staff efficiency
• VLANs make it easier to manage the network because users with similar network requirements share the same VLAN.
• When you provision a new switch, all the policies and procedures already configured for the particular VLAN are implemented when the ports are assigned.
• It is also easy for the IT staff to identify the function of a VLAN by giving it an appropriate name.

Slide 30: Simpler project or application management
• VLANs aggregate users and network devices to support business or geographic requirements.
• Having separate functions makes managing a project or working with a specialized application easier.

Slide 31: Types of VLAN
• Data VLAN
• Default VLAN
• Native VLAN
• Management VLAN
• Voice VLAN

Slide 32: Data VLAN
• A data VLAN is a VLAN that is configured to carry only user-generated traffic
• A VLAN could carry voice-based traffic or traffic used to manage the switch, but this traffic would not be part of a data VLAN.
  – It is common practice to separate voice and management traffic from data traffic
• A data VLAN is sometimes referred to as a user VLAN.

Slide 33: Default VLAN
• All switch ports become members of the default VLAN after the initial boot-up of the switch
  – Having all the switch ports participate in the default VLAN makes them all part of the same broadcast domain.
• The default VLAN for Cisco switches is VLAN 1
  – VLAN 1 has all the features of any VLAN, except that you cannot rename it and you cannot delete it.
  – Layer 2 control traffic, such as CDP and spanning tree protocol traffic, will always be associated with VLAN 1; this cannot be changed.
  – VLAN 1 traffic is forwarded over the VLAN trunks connecting the S1, S2, and S3 switches.
  – It is a security best practice to change the default VLAN to a VLAN other than VLAN 1

Slide 34: Default VLAN
(figure)

Slide 35: Native VLAN
• A native VLAN is assigned to an 802.1Q trunk port.
• An 802.1Q trunk port supports traffic coming from many VLANs (tagged traffic) as well as traffic that does not come from a VLAN (untagged traffic).
  – The 802.1Q trunk port places untagged traffic on the native VLAN.
• Native VLANs are set out in the IEEE 802.1Q specification to maintain backward compatibility with untagged traffic common to legacy LAN scenarios.
  – It is a best practice to use a VLAN other than VLAN 1 as the native VLAN.

Slide 36: Management VLAN
• A management VLAN is any VLAN you configure to access the management capabilities of a switch.
  – VLAN 1 would serve as the management VLAN if you did not proactively define a unique VLAN to serve as the management VLAN.
  – You assign the management VLAN an IP address and subnet mask.
• A switch can be managed via HTTP, Telnet, SSH, or SNMP.
  – Since the out-of-the-box configuration of a Cisco switch has VLAN 1 as the default VLAN, you see that VLAN 1 would be a bad choice as the management VLAN
  – you would not want an arbitrary user connecting to a switch to default to the management VLAN.

Slide 37: And, one more …

Slide 38: Voice VLAN details
(figure)

Slide 39: (figure)

Slide 40: VLAN Switch Port Modes
(figure)

Slide 41: Static Mode Setup
(figure)

Slide 42: Voice Mode Setup
The configuration command
  mls qos trust cos   // cos: class of service
ensures that voice traffic is identified as priority traffic. Remember that the entire network must be set up to prioritize voice traffic. By default, the Cisco IP Phone forwards the voice traffic with an 802.1Q priority of 5.

Slide 43: Voice VLAN Verification

Slide 44: Controlling broadcasts without VLANs
(figure)

Slide 45: Controlling broadcasts with VLANs
(figure)

Slide 46: Controlling Broadcast Domains with Switches and Routers
• Breaking up broadcast domains can be performed either with VLANs (on switches) or with routers.
• A router is needed any time devices on different Layer 3 networks need to communicate, regardless of whether VLANs are used.

Slide 47: VLAN Trunking

Slide 48: So far we have mainly discussed VLANs within a single switch

Slide 49: When a VLAN spans two or more switches … VLAN Trunking

Slide 50: Trunking?
(the telephone line example)

Slide 51: Trunking Concept
One physical link for each VLAN (would need 10 links for 10 VLANs; not practical)
With VLAN Trunking: (figure)

Slide 52: VLAN Trunking
A trunk is a physical and logical connection between two switches across which network traffic travels

Slide 53: Definition of a VLAN Trunk
• A trunk is a point-to-point link between one or more Ethernet switch interfaces and another networking device, such as a router or a switch.
  – Ethernet trunks carry the traffic of multiple VLANs over a single link.
  – A VLAN trunk allows you to extend the VLANs across an entire network.
  – Cisco supports IEEE 802.1Q for coordinating trunks on Fast Ethernet and Gigabit Ethernet interfaces.
• A VLAN trunk does not belong to a specific VLAN; rather, it is a conduit for VLANs between switches and routers.

Slide 54: Trunking Mechanisms
• Frame Filtering
• Frame Tagging
  – IEEE 802.1Q

Slide 55: Frame Filtering
(figure)

Slide 56: Frame Tagging
(figure)

Slide 57: IEEE 802.1Q Frame Format
(figure; labels: Re-calculated FCS, VLAN ID (12-bit))

Slide 58: 802.1Q Frame Tagging
(figure)

Slide 59: VLAN Trunk
(figure)

Slide 60: Trunk Configuration
(figure)

Slide 61: Trunk Configuration
Dynamic Trunking Protocol (DTP) is a Cisco proprietary protocol. Switches from other vendors do not support DTP. DTP is automatically enabled on a switch port when certain trunking modes are configured on the switch port. DTP manages trunk negotiation only if the port on the other switch is configured in a trunk mode that supports DTP.
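The 802.1Q tag layout and FCS recalculation from slides 57 and 58, worked as an added example (this is not code from the slides): the 4-byte tag is inserted after the source MAC, PCP/DEI/VID are packed into the TCI, CoS 5 is used for the voice case from slide 42, and the frame check sequence is recomputed. The frame contents are constructed sample data.

```python
# Added example: build/parse IEEE 802.1Q tagged frames (not code from the slides).
import struct
import zlib

TPID_8021Q = 0x8100          # Tag Protocol Identifier: marks the frame as tagged

def fcs(body: bytes) -> int:
    """Ethernet FCS: CRC-32 over destination MAC through the end of the payload."""
    return zlib.crc32(body) & 0xFFFFFFFF

def build_untagged(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    body = dst + src + struct.pack("!H", ethertype) + payload
    return body + struct.pack("<I", fcs(body))   # FCS bytes as seen in a capture

def insert_tag(frame: bytes, vid: int, pcp: int = 0, dei: int = 0) -> bytes:
    """Insert the 4-byte tag after the source MAC and recompute the FCS.

    TCI (16 bits) = PCP (3) | DEI (1) | VID (12). VID 0 and 4095 are reserved.
    """
    if not (1 <= vid <= 4094 and 0 <= pcp <= 7 and dei in (0, 1)):
        raise ValueError("invalid 802.1Q tag fields")
    tci = (pcp << 13) | (dei << 12) | vid
    body = frame[:-4]                            # drop the old FCS
    tagged = body[:12] + struct.pack("!HH", TPID_8021Q, tci) + body[12:]
    return tagged + struct.pack("<I", fcs(tagged))   # the old FCS no longer matches

def parse(frame: bytes) -> dict:
    """Return tag fields (None when untagged), the inner ethertype and FCS status."""
    body, rx_fcs = frame[:-4], struct.unpack("<I", frame[-4:])[0]
    info = {"fcs_ok": rx_fcs == fcs(body), "vid": None, "pcp": None, "dei": None}
    ethertype = struct.unpack("!H", body[12:14])[0]
    if ethertype == TPID_8021Q:
        tci = struct.unpack("!H", body[14:16])[0]
        info.update(vid=tci & 0x0FFF, pcp=tci >> 13, dei=(tci >> 12) & 1)
        ethertype = struct.unpack("!H", body[16:18])[0]   # the real ethertype follows the tag
    info["ethertype"] = ethertype
    return info

# Constructed sample frame: IPv4 ethertype with a dummy 46-byte payload.
SAMPLE = build_untagged(b"\x01\x00\x5e\x00\x00\x01", b"\x00\x11\x22\x33\x44\x55", 0x0800, b"\x45" * 46)

if __name__ == "__main__":
    voice = insert_tag(SAMPLE, vid=150, pcp=5)   # CoS 5: Cisco IP Phone default for voice
    print(parse(SAMPLE))
    print(parse(voice))
```

Splicing a tag into a frame while keeping the original FCS makes the receiver's CRC check fail, which is why the tagging switch must recalculate it.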
Slide 62: Trunk Configuration
(figure)

Slide 63: Configuring VLAN & Trunk

Slide 64: VLAN ID Ranges

Slide 65: Create a VLAN

Slide 66: Command Syntax

Slide 67: Add a VLAN

Slide 68: Add a VLAN - verification

Slide 69: Assign a Switch Port

Slide 70: Command Syntax

Slide 71: Assign a Switch Port

Slide 72: Delete a Switch Port - verification

Slide 73: Port Memberships Deletion

Slide 74: Verify VLANs and Port Memberships

Slide 75: Command Syntax

Slide 76: Verify VLANs and Port Memberships

Slide 77: Verify VLANs and Port Memberships

Slide 78: Verify VLANs and Port Memberships

Slide 79: Configure Trunking

Slide 80: Command Syntax

Slide 81: Configure an 802.1Q Trunk - Topology

Slide 82: Configure an 802.1Q Trunk - example

Slide 83: Configure an 802.1Q Trunk - verification

Slide 84: Reset Trunking

Slide 85: Common Problems with Trunks

Slide 86: Native VLAN mismatches
• Trunk ports are configured with different native VLANs; for example, one port has defined VLAN 99 as the native VLAN and the other trunk port has defined VLAN 100 as the native VLAN.
• This configuration error
  – generates console notifications, causes control and management traffic to be misdirected, and poses a security risk.

Slide 87: Trunk mode mismatches
• One trunk port is configured with trunk mode "off" and the other with trunk mode "on".
  – This configuration error causes the trunk link to stop working.

Slide 88: Allowed VLANs on trunks
• The list of allowed VLANs on a trunk has not been updated with the current VLAN trunking requirements. In this situation, unexpected traffic or no traffic is being sent over the trunk.
Slide 89: Troubleshooting – Native VLAN Mismatches

Slide 90: Troubleshooting – S3 configuration

Slide 91: Troubleshooting – Solution

Slide 92: Troubleshooting – Trunk Mode Mismatches

Slide 93: Troubleshooting – S1 & S3 configuration

Slide 94: Troubleshooting – Solution

Slide 95: Troubleshooting – Incorrect VLAN List

Slide 96: Troubleshooting – S1 & S3 configuration

Slide 97: Troubleshooting – Solution

Slide 98: Troubleshooting – VLAN and IP Subnets

Slide 99: Troubleshooting – S1 & S3 configuration

Slide 100: Troubleshooting – Solution
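An added example (not code from the slides) that compares both ends of a trunk link for the three problems from slides 86 to 88 and the troubleshooting slides that follow: native VLAN mismatch, trunk mode mismatch and an allowed-VLAN list that differs between the two ends. The switch names S1/S3 and native VLANs 99/100 come from the slides; the port names, allowed lists and the simplified DTP rule are assumptions.

```python
# Added example: consistency check for both ends of a trunk link (not code from the slides).
from dataclasses import dataclass, field

@dataclass
class TrunkPort:
    switch: str
    name: str
    mode: str                       # "on", "off", "desirable" or "auto" (DTP modes, simplified)
    native_vlan: int = 1
    allowed: set = field(default_factory=lambda: set(range(1, 4095)))

def will_form_trunk(a: TrunkPort, b: TrunkPort) -> bool:
    """Simplified DTP outcome: 'off' never trunks and two passive 'auto' ends never start one."""
    modes = {a.mode, b.mode}
    return "off" not in modes and modes != {"auto"}

def check_trunk(a: TrunkPort, b: TrunkPort) -> list:
    """Return human-readable findings for the trunk problems listed in slides 86-88."""
    link = f"{a.switch}:{a.name} <-> {b.switch}:{b.name}"
    findings = []
    if not will_form_trunk(a, b):
        findings.append(f"{link}: trunk mode mismatch ({a.mode} / {b.mode}); link will not trunk")
        return findings                          # nothing else is meaningful on a dead trunk
    if a.native_vlan != b.native_vlan:
        findings.append(f"{link}: native VLAN mismatch ({a.native_vlan} / {b.native_vlan}); "
                        "untagged frames land in different VLANs on each side")
    elif a.native_vlan == 1:
        findings.append(f"{link}: native VLAN is the default VLAN 1; use a dedicated VLAN")
    only_a, only_b = a.allowed - b.allowed, b.allowed - a.allowed
    if only_a or only_b:
        findings.append(f"{link}: allowed VLAN lists differ (only on {a.switch}: {sorted(only_a)}, "
                        f"only on {b.switch}: {sorted(only_b)})")
    return findings

# Constructed sample: S1 and S3 with VLAN 99 vs 100 as native, as in slide 86.
# Port names and allowed lists are assumed, not taken from the slides.
S1 = TrunkPort("S1", "Fa0/1", "on", native_vlan=99, allowed={10, 20, 30, 99})
S3 = TrunkPort("S3", "Fa0/3", "on", native_vlan=100, allowed={10, 20, 99, 100})

if __name__ == "__main__":
    for finding in check_trunk(S1, S3):
        print(finding)
```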