VLAN Segmentation Part 1 of 2 - USALearning


  • VLAN Segmentation Part 1 of 2

    Table of Contents

    Overview of VLANs: VLAN Definitions (p. 2)
    Overview of VLANs: VLAN Definitions (cont.) (p. 3)
    Overview of VLANs: Benefits of VLANs (p. 5)
    Overview of VLANs: Types of VLANs (p. 7)
    Overview of VLANs: Types of VLANs (cont.) (p. 8)
    Overview of VLANs: Voice VLANs (p. 10)

    Page 1 of 14

  • Overview of VLANs: VLAN Definitions

    Presentation_ID 5 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential

    A VLAN is a logical partition of a Layer 2 network.

    Multiple partitions can be created, allowing multiple VLANs to co-exist on the same physical switch.

    Each VLAN is its own broadcast domain, usually with its own IP subnet.

    VLANs are mutually isolated at Layer 2; packets can only pass between them through a Layer 3 device (a router or Layer 3 switch), which is where access control between VLANs is enforced.

    The hosts grouped within a VLAN are unaware of the VLAN's existence (unless the host itself supports 802.1Q tagging).

    **005 VLAN Segmentation. VLAN segmentation is a logical partition of a Layer 2 network. How many people work with VLANs on a regular basis or are familiar with VLANs? How many people are not familiar with VLANs? Okay. VLANs are essentially, if you could take a switch and take a knife through the switch and cut the switch up into pieces and say, "Okay. Now I've taken the one physical switch and I've made this switch out of it and that switch out of it and this other switch out of it, and turned it into multiple logical switches." Within a VLAN, all the rules apply that used to apply to the whole switch. When you broadcast, you broadcast across the entire VLAN. People in this VLAN can see each other but can't see other VLANs. So the idea is you can use VLANs to separate networks. We'll talk about why here in just a second. Now, can VLANs talk to other VLANs? Yes, if you put them through a router, because a router's a Layer 3 device, so the Layer 3 packets can be routed from one VLAN to another.

  • Overview of VLANs: VLAN Definitions (cont.)

    **006 So VLANs by definition. On a practical basis, if you're in a Layer 2 environment, a Layer 2 environment has limits as to how big it can be. We've talked about trying to keep that at 500 hosts or under. Definitely, if possible, under four figures, under 1,000. But once you decide that and you say, "Okay. This network is big enough that I want to break it up," one of the questions becomes, "How do you break it up? Under what rules do you break it up? What do you use? Where are the boundaries? Why do you do it?" Well, you can set up boundaries a number of ways. One way to set up boundaries would be to say first floor, second floor, third floor, and put each on its own VLAN. Another way to set up boundaries would be to put managers on a VLAN, employees on a VLAN, and the IT department on its own VLAN, and set them up based on some security or some logical reason to isolate the users away from other users. So the point here is VLANs can be used for a lot of purposes. If you're going to break up your network anyway, and you have security reasons to break it up in a certain fashion, then you might as well do it for the security reasons. Because you need some reason to break it up, let's make it a reason that actually contributes to the company, or to the organization.


  • Overview of VLANs: Benefits of VLANs

    Security
    Cost reduction
    Better performance
    Shrink broadcast domains
    Improved IT staff efficiency
    Simpler project and application management

    **007 So benefits to VLANs. Number one is security. You really can. You can isolate groups from other groups. If you isolate groups from other groups, then when you put them through the router to talk, or to attempt to talk, you can have rules in the router, access control lists, that can decide who's permitted in and who isn't. It's less expensive, in the cost reduction sense: if you're going to have two different groups anyway, rather than put up two switches, two physical switches, let's just put up one switch and configure it so it's logically separated, so you're buying less hardware. Better performance because of the smaller size of the collision domains and broadcast domains. Shrinking the broadcast domain size. Improved IT staff efficiency for the same reason. If you have less equipment, then you need fewer people to manage it. And simpler project and application management, because rather than having to go out and move cables to move somebody from one network to another, or install new equipment to move somebody from one network to another, all you have to do is reach in with a little SSH, a couple of minutes, reconfigure a port, and "bam," you've moved somebody from one organization to another.


  • Overview of VLANs: Types of VLANs

    Native VLAN (often the default VLAN)
    Management VLAN
    Application VLANs (data, VoIP, etc.)

    **008 So VLAN types. You can have what's called the native VLAN or the default VLAN. We'll talk about that. We'll talk about management VLANs. We'll talk about application VLANs.


  • Overview of VLANs: Types of VLANs (cont.)

    **009 If you see this one here, this one says "show vlan brief," and it says VLAN 1, default, active, and you can look at the ports assigned to it. What ports are there? Trainee: All of them. Instructor: All of them. Most people don't think about it, but VLANs are on by default. On all switches. The reason you don't notice it is, if everybody's in the same VLAN it's like you're not in a VLAN at all, correct? So instead of trying to turn VLANs off, they just put everyone in VLAN 1. VLAN 1's the default VLAN. VLAN 1 also happens to be the native VLAN, and in 802.1Q, which is the protocol that runs VLANs, 802.1Q, the native VLAN doesn't get frame tagged. We'll talk about frame tagging later, but realize that because it doesn't get frame tagged, it looks like there's no VLAN at all. There's no tagging to it, everybody talks to each other, and that's why you can get away with putting everybody in VLAN 1, leaving VLANs running, and nobody knows you're in VLANs. Also, you can't delete VLAN 1. So basically you're stuck with it, right? VLAN 1's always going to be there.
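    As an added illustration (not part of the course slides or the instructor's remarks), the following Python shows what "the native VLAN doesn't get frame tagged" means on the wire. It builds Ethernet frames with and without an 802.1Q tag, models what a trunk port transmits for a given VLAN (the native VLAN leaves untagged, every other VLAN keeps its tag) and how the far end classifies what it receives (a frame with no tag is placed into the native VLAN). The 0x8100 TPID and the TCI layout (3-bit priority, 1-bit DEI, 12-bit VLAN ID) come from the 802.1Q standard and VLAN 1 is the Cisco default native VLAN; the MAC addresses, VLAN numbers 10 and 20, and the payload bytes are constructed samples. The last function is the check a practitioner wants before trusting this behaviour: both ends of a trunk must agree on the native VLAN, because an untagged frame lands in whatever VLAN the receiving end believes is native.

```python
"""802.1Q tagging as a trunk port handles it.

Frames belonging to the native VLAN (VLAN 1 by default) leave a trunk untagged,
and an untagged frame arriving on a trunk is placed into the native VLAN.
Added illustration; not part of the course material.
"""
import struct

TPID_8021Q = 0x8100       # EtherType value that marks an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800
DEFAULT_NATIVE_VLAN = 1   # Cisco default native VLAN (the transcript's VLAN 1)

# Constructed sample addresses and payload, not captured traffic
MAC_HOST_A = bytes.fromhex("001122334455")
MAC_HOST_B = bytes.fromhex("66778899aabb")
PAYLOAD = bytes.fromhex("45") + bytes(19)   # stand-in for an IPv4 header


def untagged_frame(dst, src, ethertype, payload):
    """Plain Ethernet II frame: dst MAC, src MAC, EtherType, payload."""
    return dst + src + struct.pack("!H", ethertype) + payload


def tag_frame(dst, src, ethertype, payload, vlan_id, pcp=0):
    """Insert an 802.1Q tag (TPID + TCI) between the source MAC and the EtherType.

    TCI layout: 3-bit PCP (priority / CoS), 1-bit DEI (left 0 here), 12-bit VLAN ID.
    """
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be 1..4094")
    if not 0 <= pcp <= 7:
        raise ValueError("PCP must be 0..7")
    tci = (pcp << 13) | vlan_id
    return dst + src + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload


def trunk_egress(dst, src, ethertype, payload, vlan_id, pcp=0,
                 native_vlan=DEFAULT_NATIVE_VLAN):
    """What a trunk sends for a frame in vlan_id: the native VLAN goes out
    untagged, every other VLAN carries its tag."""
    if vlan_id == native_vlan:
        return untagged_frame(dst, src, ethertype, payload)
    return tag_frame(dst, src, ethertype, payload, vlan_id, pcp)


def trunk_ingress(frame, native_vlan=DEFAULT_NATIVE_VLAN):
    """Classify a received frame the way a trunk port does.

    Returns the VLAN the frame lands in, its priority, whether it carried a tag,
    the inner EtherType and the payload.
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    (tpid,) = struct.unpack("!H", frame[12:14])
    if tpid == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        return {"vlan": tci & 0x0FFF, "pcp": tci >> 13, "tagged": True,
                "ethertype": ethertype, "payload": frame[18:]}
    # No tag at all: the trunk assumes the native VLAN. This is why a switch with
    # everyone in VLAN 1 looks as if VLANs were not in use.
    return {"vlan": native_vlan, "pcp": 0, "tagged": False,
            "ethertype": tpid, "payload": frame[14:]}


def demo(native_vlan=DEFAULT_NATIVE_VLAN):
    """Send three frames across a trunk and classify them at the far end."""
    results = {}
    # Data VLAN 10 (sample number): tagged on the wire
    f = trunk_egress(MAC_HOST_B, MAC_HOST_A, ETHERTYPE_IPV4, PAYLOAD, 10,
                     native_vlan=native_vlan)
    results["data"] = trunk_ingress(f, native_vlan)
    # Voice VLAN 20 (sample number) with PCP 5, a class of service commonly used for voice
    f = trunk_egress(MAC_HOST_B, MAC_HOST_A, ETHERTYPE_IPV4, PAYLOAD, 20, pcp=5,
                     native_vlan=native_vlan)
    results["voice"] = trunk_ingress(f, native_vlan)
    # Native VLAN: leaves untagged and the far end puts it back into the native VLAN
    f = trunk_egress(MAC_HOST_B, MAC_HOST_A, ETHERTYPE_IPV4, PAYLOAD, native_vlan,
                     native_vlan=native_vlan)
    results["native"] = trunk_ingress(f, native_vlan)
    return results


def native_mismatch(sender_native=DEFAULT_NATIVE_VLAN, receiver_native=99):
    """Both ends of a trunk must agree on the native VLAN: an untagged frame sent in
    the sender's native VLAN lands in whatever the receiver believes is native."""
    f = trunk_egress(MAC_HOST_B, MAC_HOST_A, ETHERTYPE_IPV4, PAYLOAD, sender_native,
                     native_vlan=sender_native)
    return trunk_ingress(f, receiver_native)["vlan"]


if __name__ == "__main__":
    for name, r in demo().items():
        print(f"{name:6s} vlan={r['vlan']:<4d} pcp={r['pcp']} tagged={r['tagged']}")
    print("untagged frame with mismatched native VLANs lands in VLAN", native_mismatch())
```

    Running it shows the data and voice frames arriving with their VLAN IDs (and the voice frame with priority 5), the native VLAN frame arriving with no tag and being placed into VLAN 1, and the mismatch case landing in VLAN 99; the same untagged frame, same bytes, ends up in a different VLAN purely because the two trunk ends disagree.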


  • Overview of VLANs: Voice VLANs

    VoIP traffic is time-sensitive and requires:

    Assured bandwidth to ensure voice quality.
    Transmission priority over other types of network traffic.
    Ability to be routed around congested areas on the network.
    One-way delay of less than 150 ms across the network.

    The voice VLAN feature enables an access port to carry IP voice traffic from an IP phone in a separate VLAN from the data traffic of the PC behind it.

    The switch can connect to a Cisco 7960 IP phone and carry IP voice traffic.

    The sound quality of an IP phone call can deteriorate if the data is sent unevenly (jitter); the switch supports quality of service (QoS) so voice frames can be prioritized.

    **010 So voice VLANs. Let's talk about voice VLANs. We talk about special reasons for having VLANs. The idea of a voice VLAN. How many people have voice over IP phones in their environment? Okay. If you have a voice over IP phone in your environment, if you turn it over on the back, what you'll probably see is something roughly like this. Instructor: If you look at the back of your phone. Here's the phone, right? If you turn it over on the back, what you'll see is two ports like this. One is in from the switch, and the other one says 2 PC.

    And the reason they do that is, when voice over IP systems first started going in 10, 15 years ago, one of the major impediments to getting voice systems in would've been that now, instead of needing one network drop for every desk, I need two network drops for every desk. And the cost of converting to voice systems would've been too much, because they would've had double the number of switches in the environment. So what they did instead is they said, "Well, hey, why don't we just let the PC connect to the phone and the phone connect in?" So if you were to really look at this, what you've really got here is, and I'm going to draw this kind of oversize, here's what you've really got inside the phone. There's a three-port switch. You only see two o