VLAN Purpose

vyasgobinath
Level 1

Hi,

 

Please refer to the attached topology.

 

 

I connected 2 computers in different networks (Network 1 and Network 2) to a switch, connected another 2 computers (Network 1 and Network 2) to another switch, and interconnected those 2 switches (no configuration on the switches). I was expecting that without configuring VLANs, I would not be able to have connectivity between the same subnets. But I was surprised to see that there was network connectivity. Until now I had a wrong assumption about VLANs. I thought that VLANs were the only means to have connectivity between multiple networks through a single switch.

I analysed the Ethernet link and found "one broadcast domain" in spite of having two networks. This, I understand, is because of the switch (a switch acts as a single broadcast domain until VLANs are created). So, I understand that VLANs are created to segment traffic and reduce broadcast messages.

 

What I don't understand is how VLANs make the network more secure. Even without VLANs, when we have different subnets connected to the switch, the traffic is safe, isn't it? Only broadcast messages can be seen by people from the other subnet. Apart from ARP requests, I did not see any other broadcast messages. How are these broadcast messages dangerous? Am I not seeing something big?

 

I reviewed a few posts about VLANs, and I'm quoting one of the responses by user chandra_rc16:

"VLANs (Virtual Local Area Networks) are created to separate layer 2 traffic. General types of traffic include:

1. Multicast (video streaming)

2. Network management traffic (SNMP messages, CDP messages, BPDUs etc.)

3. VoIP (voice traffic)

4. User traffic"

 

Can someone give more information about

1. VoIP traffic? Isn't VoIP unicast traffic? How do VLANs help VoIP, other than prioritizing it with an ACL?

2. What is the security vulnerability of network management traffic? Is this traffic broadcast messages?

 

Any information on the purpose/practical use of VLANs other than avoiding broadcast storms would be appreciated.

7 Replies

Martin L
VIP


2 computers in different networks (Network 1 and Network 2): you should have 2 broadcast domains; but if your switches are not configured at all, all devices are on the same network, VLAN 1. This is the default VLAN for all Cisco switches, which means all ports are on VLAN 1 by default. This way, you can plug device(s) into a brand new switch and communicate. Hence, the PCs can ping each other.
Of course, you should configure your switch for VLAN 10 and VLAN 20 based on the IPs in the picture.
The link between the switches should be configured as a trunk link.

 

Regards, ML
**Please Rate All Helpful Responses**

"2 computers in different networks (Network 1 and Network 2): you should have 2 broadcast domains; but if your switches are not configured at all, all devices are on the same network, VLAN 1. This is the default VLAN for all Cisco switches, which means all ports are on VLAN 1 by default. This way, you can plug device(s) into a brand new switch and communicate. Hence, the PCs can ping each other."

Yes! I understood this after the test I made.

Just to confirm that this behavior is not only with VLAN 1, I created VLAN 10, assigned both ports (with different subnets) to VLAN 10 and tested. As expected, PCs in Network 1 were able to communicate with each other, and PCs in Network 1 were not able to communicate with the PCs in Network 2.

 

"Of course, you should configure your switch for VLAN 10 and VLAN 20 based on the IPs in the picture.
The link between the switches should be configured as a trunk link."

I understand this is the way to configure it. I just want to learn the concepts of VLANs, so I'm trying all combinations to get a better understanding.

 

Thank You for your reply.

 

 

Joseph W. Doherty
Hall of Fame
"Am I not seeing something big?"

Yes, the "big" thing you're missing is that, without VLANs, it isn't just broadcast traffic that is seen by other hosts. Multicast, w/o ICMP snooping, floods to all ports. Further, unicast where the destination MAC isn't in the MAC table is flooded to all ports.

As to your other questions: (#1) yes, VoIP is usually unicast. VLANs make it a bit easier to restrict traffic on a VoIP VLAN to just VoIP traffic, and they limit the broadcasts seen by VoIP devices. (Broadcasts don't need to be a storm to be of concern. Understand that hosts on Ethernet, which was designed for shared media, will "filter" out undesired frames at the NIC, but broadcasts are intended for all hosts, so the host must accept the broadcast and analyze its content to determine if the frame is of interest.)

For your second question, again, as security can usually be more easily tied to VLANs (which usually correspond to networks), "unauthorized" traffic can be better precluded from a management VLAN. (Even something as simple as sending a heavy broadcast stream [an artificial storm] can often degrade network devices [i.e. a DoS attack] on a management VLAN.)

Hi,

Thank you for your reply.

"Multicast, w/o ICMP snooping, floods to all ports."

I believe you meant IGMP snooping, right? Although I don't know a lot about it, I googled it and read about it.

 

"Further, unicast, where the destination MAC isn't in the MAC table is flooded to all ports."

That's when ARP is used, isn't it? (When the destination MAC address is not in the switch CAM table.)

 

"For your second question, again, as security can usually be more easily tied to VLANs (which usually correspond to networks), "unauthorized" traffic can be better precluded from a management VLAN. (Even something as simple as sending a heavy broadcast stream [an artificial storm] can often degrade network devices [i.e. a DoS attack] on a management VLAN.)"

 

If, for example, I have 2 VLANs in the switch: one native VLAN (5) for managing the switch (I hope this is what you mean by management VLAN; I'll read more about management VLANs) and one VLAN (10) for all other traffic. If VLAN 10 has a broadcast stream, will it affect the other VLAN? Will I still be able to access the switch and manage it?

 

I'm sorry if the questions are naive.

 

 

 

Yes, IGMP snooping.

 

A switch will flood to all ports in the same VLAN if the MAC is unknown; it is as simple as that.

 

Why it is unknown can be for a number of different reasons. 

 

Broadcasts in one VLAN do not need to be processed by devices in a different VLAN, but if there were enough broadcasts, e.g. a loop, the entire switch could be affected.

 

Jon

"I'm sorry if the questions are naive."

No need to be sorry, it's one of the reasons for these forums.

Oops! Yes, (as Jon notes it's) IGMP snooping.

"That's when ARP is used, isn't it? (when the destination mac address is not in the switch cam table)"

No, ARP is used by a host to translate an IP address to a MAC address. (A switch doesn't ARP, except when functioning as a host itself [which a "dumb" switch does not].) Also, BTW, CAM can be used for other purposes; CAM is a type of memory that's accessed by "content".

A switch's MAC table is populated from the source MAC of ingress frames not seen before. I.e. when a frame arrives on an ingress port, the switch will add its source MAC (and the port it was received on) to its MAC table, assuming it's not already there. (If it is there, it often updates a timer that will flush the entry if the source MAC has not been seen for some amount of time.)

"If the vlan (10) has a broadcast stream, will it affect the other vlan?"

Usually not, but there are exceptions, as Jon notes.

"Will I be still able to access the switch and manage it?"

Again, usually yes, but also again, as Jon notes, there are exceptions. Because of such exceptions, a management VLAN might be implemented as a separate physical LAN, rather than a separate logical V(irtual)LAN.
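To make the behaviour described in this answer, and in Martin L's earlier point about an unconfigured switch putting every port in VLAN 1, concrete, here is a small Python model of a learning switch. It is an illustration added to this thread, not code from any poster or from Cisco. Hosts, MAC addresses, port numbers and VLAN assignments are constructed; a single switch is modelled, so the trunk link between two switches is not represented. It shows MAC learning per VLAN, unknown-unicast and broadcast flooding confined to the ingress VLAN, and why a broadcast stream in one VLAN still costs the switch work even when it delivers nothing to another VLAN.

```python
from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"

# Constructed hosts for the illustration. Network 1 is 10.0.1.0/24 and
# Network 2 is 10.0.2.0/24; two PCs from each network hang off one switch.
PC_A = "02:00:00:00:01:0a"  # 10.0.1.10 on port 1 (Network 1)
PC_B = "02:00:00:00:01:0b"  # 10.0.1.11 on port 2 (Network 1)
PC_C = "02:00:00:00:02:0a"  # 10.0.2.10 on port 3 (Network 2)
PC_D = "02:00:00:00:02:0b"  # 10.0.2.11 on port 4 (Network 2)


@dataclass
class Frame:
    src: str
    dst: str
    note: str = ""


@dataclass
class Switch:
    # Access VLAN of each port. An unconfigured switch has every port in VLAN 1.
    port_vlan: dict
    # MAC table keyed by (vlan, mac) -> port. Learning is per VLAN.
    mac_table: dict = field(default_factory=dict)
    frames_processed: int = 0  # every frame costs the switch work, whatever its VLAN

    def forward(self, ingress, frame):
        """Return (egress_ports, decision) for one frame arriving on `ingress`."""
        self.frames_processed += 1
        vlan = self.port_vlan[ingress]
        # Learning: the source MAC is recorded against the port it arrived on.
        self.mac_table[(vlan, frame.src)] = ingress
        # Flooding stays inside the ingress VLAN and never goes back out the ingress port.
        flood_ports = sorted(p for p, v in self.port_vlan.items() if v == vlan and p != ingress)
        if frame.dst == BROADCAST:
            return flood_ports, "broadcast"
        egress = self.mac_table.get((vlan, frame.dst))
        if egress is None:
            return flood_ports, "unknown-unicast flood"
        if egress == ingress:
            return [], "filtered"  # destination is on the segment the frame came from
        return [egress], "known unicast"


UNCONFIGURED = {1: 1, 2: 1, 3: 1, 4: 1}      # factory default: all ports in VLAN 1
SEGMENTED = {1: 10, 2: 10, 3: 20, 4: 20}     # Network 1 in VLAN 10, Network 2 in VLAN 20


def arp_request_reach(port_vlan):
    """Ports that receive PC_A's ARP broadcast for PC_B under a VLAN assignment."""
    sw = Switch(dict(port_vlan))
    ports, _ = sw.forward(1, Frame(PC_A, BROADCAST, "ARP who-has 10.0.1.11"))
    return ports


def unknown_then_known_unicast(port_vlan):
    """PC_C sends to PC_D before and after the switch has learned PC_D's port."""
    sw = Switch(dict(port_vlan))
    first = sw.forward(3, Frame(PC_C, PC_D))     # PC_D not yet in the MAC table
    sw.forward(4, Frame(PC_D, PC_C))             # PC_D replies; learned on port 4
    second = sw.forward(3, Frame(PC_C, PC_D))    # now a known unicast
    return first, second


def broadcast_stream(port_vlan, mgmt_port, count):
    """Send `count` broadcasts in on port 1; report how many frames reached
    mgmt_port and how many frames the switch itself had to handle."""
    sw = Switch(dict(port_vlan))
    delivered = 0
    for _ in range(count):
        ports, _ = sw.forward(1, Frame(PC_A, BROADCAST))
        delivered += ports.count(mgmt_port)
    return delivered, sw.frames_processed


if __name__ == "__main__":
    print(arp_request_reach(UNCONFIGURED))  # [2, 3, 4]: Network 2 hosts see Network 1's ARP
    print(arp_request_reach(SEGMENTED))     # [2]: flooding stops at the VLAN boundary
    print(unknown_then_known_unicast(UNCONFIGURED))
    # Management port 5 in VLAN 5, user ports in VLAN 10: nothing reaches port 5,
    # but the switch still processed every one of the 1000 frames.
    print(broadcast_stream({1: 10, 2: 10, 3: 10, 5: 5}, mgmt_port=5, count=1000))
```

The first two calls reproduce the original poster's experiment: with every port in VLAN 1 the ARP request from Network 1 lands on the Network 2 hosts, and moving the two networks into VLANs 10 and 20 confines it. The third call shows that the first frame to an unlearned MAC is flooded exactly like a broadcast, which is why "only broadcasts leak" is not true. The last call is the management-VLAN case: zero frames are delivered across the VLAN boundary, yet the switch's own workload is the full stream, which is the exception Jon describes.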


@Joseph W. Doherty wrote:

No, ARP is used by a host to translate an IP address to a MAC address. (A switch doesn't ARP, except when functioning as a host itself [which a "dumb" switch does not].) Also, BTW, CAM can be used for other purposes; CAM is a type of memory that's accessed by "content".

A switch's MAC table is populated from the source MAC of ingress frames not seen before. I.e. when a frame arrives on an ingress port, the switch will add its source MAC (and the port it was received on) to its MAC table, assuming it's not already there. (If it is there, it often updates a timer that will flush the entry if the source MAC has not been seen for some amount of time.)

 

Now ARP and switch MAC table population are clearer. Thank you.

 

Again, usually yes, but also again, as Jon notes, there are exceptions. Because of such exceptions, a management VLAN might be implemented as a separate physical LAN, rather than a separate logical V(irtual)LAN.

If the switch fails because of a broadcast stream, how will a management VLAN implemented as a separate physical LAN help? I mean, how is having the management VLAN on a separate physical LAN different from having it in a different logical VLAN? Could you please share more details on it?
