Any VLAN experts out there??

[OneApplications]

Hi All,

This question isn't exactly to do with my hosting here at eUK but this seemed like the best place to ask a question about layer 3 switches and VLANs, so here goes...

Assuming I have 5 VLANS configured on a layer 3 switch:-

Admin VLAN
Production VLAN1
Production VLAN2
Production VLAN3
Production VLAN4

The Admin VLAN is not the "management VLAN" by the way, it's just another bog standard network.

The question is can I set up routing such that the Admin VLAN can connect to each of the production VLANs but at the same time ensure that production VLANs can't connect to each other?

The way I understand "router on a stick" configuration is that once you've configured all the sub-interfaces for each VLAN this basically enables ALL VLANs listed to communicate with each other. Is this the same when using an L3 switch?

To sum up, I need to be able to access all production PCs from any of the PCs connected to the Admin VLAN but I don't want any of the production PCs to be able to communicate with each other. Hope that makes sense!

Thanks in advance!

Chris.

[AlexP]

Hello Chris,

When you create a VLAN and assign an IP address with the interface vlan <vlan_number> command, the VLAN becomes a Layer 3 VLAN. In Layer 3 switches, the hosts between the two VLANs can communicate with each other (if the hosts are configured with the default gateway as the VLAN interface IP address). You can use ACLs to deny communication between the VLANs.

This section shows an example of how to isolate the communication between a newly created Layer 3 VLAN's

In this example, the Layer3 switch has three VLANs (VLAN 1 , VLAN 2 and VLAN 3). VLAN 1, VLAN 2 and VLAN 3 are Layer 3 VLANs. ACLs are implemented to allow traffic so that VLAN 3 can communicate with VLAN 1 and VLAN 2 and deny the traffic so that VLAN 1 and VLAN 2 does not communicate each other.

* VLAN 1 - 10.10.10.0 /24
* VLAN 2 - 172.16.1.0 /24
* VLAN 3 - 192.168.1.0 /24 (Admin Vlan )

1. Create the new VLAN in the database. In this case the new VLAN is VLAN 3. When you exit vlan database mode, the configuration changes are applied.

Code:

 Switch#vlan database
          Switch(vlan)#vlan 3
          VLAN 3 added:
              Name: VLAN0001
          Switch(vlan)#exit
          APPLY completed.
          Exiting....

2.Make sure the VLAN is created in the vlan database. Check the output of the show vlan command.
3. Set an IP address for the newly created VLAN.

Code:

 Switch(config)#interface vlan 3
          Switch(config-if)#ip address 192.168.1.1 255.255.255.0
          Switch(config)#no shut

4. Please create other vlan with same above s
5. Configure physical interfaces that connect the clients to the corresponding VLAN.

Code:

Switch(config)#interface fastEthernet 2/1 
          Switch(config-if)#switchport mode access
          Switch(config-if)#switchport access vlan 3
          Switch(config-if)#no shut

You need to configure three access-lists, one for each VLAN.
* This access list denies traffic that comes from VLAN 1 to get to VLAN 2.

Code:

Switch#configure terminal
                Switch(config)#access-list 101 deny 
                ip 10.10.10.0 0.0.0.255 172.16.1.0 0.0.0.255
               Switch(config)#access-list 101 permit ip 10.10.10.0 0.0.0.255 any

* This access list denies traffic that comes from VLAN 2 to get to VLAN 1.

Code:

 Switch#configure terminal
                Switch(config)#access-list 102 deny ip 172.16.1.0 0.0.0.255 192.168.1.0 0.0.0.255
                Switch(config)#access-list 102 permit ip 172.16.1.0 0.0.0.255 any

* This access list denies traffic that comes from VLAN 3 to get to VLAN 1 and VLAN 2.

Code:

 Switch#configure terminal
                Switch(config)#access-list 105 permit  ip 192.168.1.0 0.0.0.255 10.10.10.0 0.0.0.255
                Switch(config)#access-list 105 permit  ip 192.168.1.0 0.0.0.255 172.16.1.0 0.0.0.255
                Switch(config)#access-list 105 permit ip10.10.10.0 0.0.0.255 any

And once they are configured, apply the access lists to interface VLAN 1, interface VLAN 2 and interface VLAN 3.

Code:

  Switch#configure terminal
          Switch(config)#interface vlan 1
          Switch(config-if)#ip access-group 101 in
          Switch(config-if)#exit

          Switch#configure terminal
          Switch(config)#interface vlan 2
          Switch(config-if)#ip access-group 102 in
          Switch(config-if)#exit

          Switch#configure terminal
          Switch(config)#interface vlan 5
          Switch(config-if)#ip access-group 103 in
          Switch(config-if)#end

Please let us know if still you have any queries.

[OneApplications]

Thanks Alex! That's a very thorough explanation.

So, in a nut shell, once you've enabled inter-vlan routing between VLANs you've pretty much lost the benefit of having VLANs in the first place?

Is there any difference between these two configurations?...

1. All PCs in the network are on the same subnet.
2. PCs are divided between VLANs / subnets but inter-vlan routing connects them all together.

Obviously you can then implement ACLs like you say but can't you do that if all PCs are on the same subnet in the first place??

Cheers,

Chris.

[OneApplications]

Actually, I may be missing a simple solution to my problem here. I'll explain my proposed set up in a bit more detail...

I need a network that will be divided up into several different "production vlans". These vlans CANNOT communicate with each other.

However I need one or two separate "Admin PCs" to have access to all of the production vlans (so they can get FTP access to be more specific).

Assuming I setup the vlans / switch ports as follows:-

Production VLAN1 192.168.110.0/24 Ports 1 - 4
Production VLAN2 192.168.111.0/24 Ports 5 - 8
Production VLAN3 192.168.112.0/24 Ports 9 - 13

If I now want a single PC to be able to connect to all of the above VLANs can I setup a further switch port to be part of VLAN1,2 & 3?

Would this maintain complete separation between VLANs?

Obviously, the "Admin PC" would need to have it's IP changed to reflect the subnet of the terminal it was trying to communicate with at the time.

Mmmm, decisions decisions

[AlexP]

Quote:

Originally Posted by OneApplications

Is there any difference between these two configurations?...

1. All PCs in the network are on the same subnet.
2. PCs are divided between VLANs / subnets but inter-vlan routing connects them all together.

Chris.

If you connected all PCs in the same subnet network, they will communicate each other using single broadcast domain name. It broadcast floods in larger networks from consuming resources, or causing unintentional denials of service unnecessarily.
In single broadcast domain if there any attack on single computer in network it will affect all other computer which are in big network.

Mostly VLAN is used to limit broadcasts between multiple subnets by dividing subnet into small small subnet. Each VLAN consists of a separated broadcast domain. Which means that only ports belonging to a specific VLAN share broadcasts eliminating unnecessary traffic from flooding the entire network; hence improving the overall performance of the network.
VLAN includes high performance, simplified network administration, security, low cost and the creation of the virtual groups to avoid the collision and data loss in the network.

[OneApplications]

Ok, thanks Alex.

I was aware of the "separate broadcast domain" thing but I assumed that if I had inter-vlan routing enabled between all of the vlans and one of the terminals in VLAN1 sent a broadcast that this broadcast would also be routed to all other vlans?

Are broadcasts not routed between vlans in this way?

[OneApplications]

Something that I didn't realise is that you can assign more than one IP address to a single NIC. This being the case, if I configured the NIC on the "Admin PC" to have an IP address in each of the three VLAN subnets, could this PC then access all of the VLANs via a single port on the switch?

[AlexP]

Quote:

Originally Posted by OneApplications

Something that I didn't realise is that you can assign more than one IP address to a single NIC. This being the case, if I configured the NIC on the "Admin PC" to have an IP address in each of the three VLAN subnets, could this PC then access all of the VLANs via a single port on the switch?

No it won't work,VLAN is assign to the port on the switch. If you have assign vlan 1 to port on the switch to which your PC is connected then you can access only VLAN 1 network.

Some switches does support a single or multiple VLANs. Whenever a switch supports multiple VLANs, broadcasts within one VLAN never appear in another VLAN.
Which type of switch are you using , Can you please give me exact name with version ?

[OneApplications]

To be honest we haven't decided on which switch to purchase for this project yet so I'm open to suggestions. Having said that, we want to keep costs down so I'll be trying to steer clear of Cisco I think.

Netgear seem to do some very "cost effective" switches that provide a very good set of features. In particular I was looking at an FS728TS which is a 24 port 100mb "smart switch" with 4 1GB uplinks. It also supports stacking of upto 6 units. The end-stations for this project are quite old and hardly any will support GBE so Fast Ethernet should do fine.

Link... Stackable, Fast Ethernet Smart Switches - FS728TS & FS752TS

Looking at the Netgear configuration with regard to VLAN port configuration, it looks like you CAN assign multiple VLANs to a single port. You just need to ensure that the port is in tagged mode for each of the VLANs assigned to it.

Assuming the NIC in the attached Admin PC supports 802.1Q and has the required IP addresses setup for each VLAN, could the Admin PC not communicate with each VLAN via the single port??

[OneApplications]

Mmm, the whole subject of 802.1Q trunking via a NIC seems a little hit and miss from what I've been reading on the web. I guess an alternative (and maybe better solution) would be to setup a terminal server with multiple NICs and just locate that in the switch rack.

This may be a slightly more secure way of doing it because the admin PC won't have a direct connection to all of the VLANs but instead just a single connection to the terminal server.

I guess I can try 802.1Q with the terminal server and then if I get no where with that, just stick in some additional low cost NICs and do it that way.

I assume using a terminal server to connect to multiple networks / VLANs is ok from a security point of view? There is no routing / bridging that goes on within the TS that is likely to compromise the isolation between connected VLANs?

Cheers,

Chris.

[AaronC]

Hi Chris,

I would suggest you to use single NIC card having VLAN capability on a PC and you can create a trunk between Admin PC and a switch port #14. Configuration of switch will be as below:

Switch(config)#interface fa0/14
Switch(config-if)#switchport trunk allowed vlan 1,2,3
Switch(config-if)#switchport mode trunk

This will make port #14 to be a trunk port with dot1q encapsulation and will allow traffic of all vlans to be forwarded (not routed) to PC NIC card. On PC NIC card you can create sub interfaces (IP alias) with corresponding vlans. For example.

# cp /etc/sysconfig/network-scripts/ifcfg-eth0 /etc/sysconfig/network-scripts/ifcfg-eth0.1
# cp /etc/sysconfig/network-scripts/ifcfg-eth0 /etc/sysconfig/network-scripts/ifcfg-eth0.2
# cp /etc/sysconfig/network-scripts/ifcfg-eth0 /etc/sysconfig/network-scripts/ifcfg-eth0.3

#vi /etc/sysconfig/network-scripts/ifcfg-eth0.1 and set DEVICE=ifcfg-eth0.1 and add one line as VLAN=yes

#vi /etc/sysconfig/network-scripts/ifcfg-eth0.2 and set DEVICE=ifcfg-eth0.2 and add one line as VLAN=yes

#vi /etc/sysconfig/network-scripts/ifcfg-eth0.3 and set DEVICE=ifcfg-eth0.2 and add one line as VLAN=yes

set the IP address of each interface as below and restart network service after configuration.

# Broadcom Corporation NetXtreme II BCM5716 Gigabit Ethernet
DEVICE=eth0.1
BOOTPROTO=static
HWADDR=00:24:E8:49:F1:1E
IPADDR=192.168.110.1
NETMASK=255.255.255.0
NETWORK=192.168.110.0
ONBOOT=yes

# Broadcom Corporation NetXtreme II BCM5716 Gigabit Ethernet
DEVICE=eth0.2
BOOTPROTO=static
HWADDR=00:24:E8:49:F1:1E
IPADDR=192.168.111.1
NETMASK=255.255.255.0
NETWORK=192.168.111.0
ONBOOT=yes

# Broadcom Corporation NetXtreme II BCM5716 Gigabit Ethernet
DEVICE=eth0.3
BOOTPROTO=static
HWADDR=00:24:E8:49:F1:1E
IPADDR=192.168.112.1
NETMASK=255.255.255.0
NETWORK=192.168.112.0
ONBOOT=yes

This will make Admin PC able to connect all vlans and no production vlans can communicate with each other unless and until you allow IP forwarding on Admin PC.

[OneApplications]

Thanks Aaron! That's really helpful info.

I will probably be using a Netgear switch but I think I know how to enable multiple VLANs per port on those so that shouldn't be a problem. I haven't actually bought the switch yet but i've read through a few Netgear manuals so I have a reasonable idea.

I know you mention a BCM5716 NIC there, I assume you have some experience with these cards and have used them before with trunk connections?

Do practically all recent GBE NICs support 802.1Q? And if so would you recommend any in particular?

Cheers,

Chris.

[OneApplications]

Oh, I should add that the admin PC (or terminal server) will be running Windows not Linux if that makes any difference.

[AaronC]

Hi Chris,

I tested this solution using 'Broadcom Corporation NetXtreme BCM5722 Gigabit Ethernet PCI Express' interface card with Linux OS (CentOS) and Cisco 3750 switch. I can't surely say that all recent GBE NICs support 802.1Q. However, most of them like Intel Pro Series NIC support 802.1Q. Window OS also supports VLAN trunk and you can accomplish same results with Window OS.

If you face any problem configuring VLAN trunk on Window OS, please let me know.

[OneApplications]

That's super! Thanks for your help Aaron.

Looks like the Intel Pro series may be worth a look at then.