VLAN Questions

Right, I have a couple of VLAN related questions.

We have a core network / management IP range here at work of 132.5.201.0/24 and also a management VLAN of 601. Now, what I am wondering is, what is the point of the VLAN? All of the devices in VLAN 601 are in the 201 network, so why is the VLAN necessary!?


Also, say for example I have 20 devices on a switch, all in VLAN 605, and 4 in VLAN 606. Am I right in thinking that if a device in VLAN 605 sends out a broadcast message, this will not affect devices in VLAN 606, even if they are in the same network segment?

I’m probably missing something fundamental here!

Cheers,

James
 
Basher said:
Right, I have a couple of VLAN related questions.

We have a core network / management IP range here at work of 132.5.201.0/24 and also a management VLAN of 601. Now, what I am wondering is, what is the point of the VLAN? All of the devices in VLAN 601 are in the 201 network, so why is the VLAN necessary!?


Also, say for example I have 20 devices on a switch, all in VLAN 605, and 4 in VLAN 606. Am I right in thinking that if a device in VLAN 605 sends out a broadcast message, this will not affect devices in VLAN 606, even if they are in the same network segment?

I’m probably missing something fundamental here!

Cheers,

James
VLANs stop broadcasting, better security, you need to configure the router with a sub-port on an interface, lower bandwidth used.
 
VLANs are used to divide a physical layer 2 network logically. I.e. Host X on Switch A in VLAN 0 tries to communicate with Host Y on Switch A in VLAN 1. This will not work unless you provide a layer 3 route in between, even though they are both on the same physical hardware.

In your case it was probably done to stop users being able to see the management interfaces of the hardware. This would prevent people trying to crack the password etc.
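As an added illustration (not from this thread; the port layout, MAC addresses and frames are all constructed for the example), here is a small Python model of a VLAN-aware switch. It shows the broadcast-domain point from the question: a broadcast sent on VLAN 605 is flooded to the other VLAN 605 access port and out the trunk with an 802.1Q tag, but never to the VLAN 606 port, MAC learning is kept per VLAN, and a frame that arrives on an access port already carrying a VLAN tag is logged and dropped rather than forwarded.

```python
"""Toy model of a VLAN-aware layer 2 switch (added illustration, not from the
thread).  Port names, MAC addresses and frames below are constructed."""
import struct
from dataclasses import dataclass, field

ETHERTYPE_8021Q = 0x8100
BROADCAST = bytes.fromhex("ffffffffffff")


@dataclass
class Port:
    name: str
    mode: str                          # "access" or "trunk"
    vlan: int = 1                      # access VLAN, or native VLAN on a trunk
    allowed: frozenset = frozenset()   # VLANs carried tagged on a trunk


@dataclass
class Switch:
    ports: dict
    mac_table: dict = field(default_factory=dict)   # (vlan, mac) -> port name
    alerts: list = field(default_factory=list)

    @staticmethod
    def member(port, vlan):
        if port.mode == "access":
            return port.vlan == vlan
        return vlan == port.vlan or vlan in port.allowed

    def classify(self, port, frame):
        """Return (vlan, frame without tag), or None if the frame is dropped."""
        ethertype = struct.unpack("!H", frame[12:14])[0]
        if ethertype != ETHERTYPE_8021Q:
            return port.vlan, frame            # untagged: the port's own VLAN
        vid = struct.unpack("!H", frame[14:16])[0] & 0x0FFF
        if port.mode == "access":
            # Hosts on access ports have no business sending tagged frames:
            # record it for the admin and drop it instead of forwarding.
            self.alerts.append(f"tagged frame (vid {vid}) on access port {port.name}")
            return None
        if vid not in port.allowed:
            self.alerts.append(f"vid {vid} not allowed on trunk {port.name}")
            return None
        return vid, frame[:12] + frame[16:]

    def egress(self, port, vlan, frame):
        """Tag the frame only when it leaves a trunk on a non-native VLAN."""
        if port.mode == "access" or vlan == port.vlan:
            return frame
        return frame[:12] + struct.pack("!HH", ETHERTYPE_8021Q, vlan) + frame[12:]

    def receive(self, in_name, frame):
        """Forward one frame; returns {out port name: bytes sent on that port}."""
        result = self.classify(self.ports[in_name], frame)
        if result is None:
            return {}
        vlan, untagged = result
        dst, src = untagged[:6], untagged[6:12]
        self.mac_table[(vlan, src)] = in_name       # learning is per VLAN
        known = self.mac_table.get((vlan, dst))
        if dst == BROADCAST or known is None:       # flood, but only inside the VLAN
            targets = [n for n, p in self.ports.items()
                       if n != in_name and self.member(p, vlan)]
        else:
            targets = [known] if known != in_name else []
        return {n: self.egress(self.ports[n], vlan, untagged) for n in targets}


def make_frame(dst, src, vlan=None, ethertype=0x0800, payload=b"\x00"):
    """Build an Ethernet frame, optionally with an 802.1Q tag after the MACs."""
    tag = struct.pack("!HH", ETHERTYPE_8021Q, vlan) if vlan is not None else b""
    return dst + src + tag + struct.pack("!H", ethertype) + payload


def demo():
    # Constructed layout: two hosts in VLAN 605, one in 606, one trunk uplink.
    sw = Switch(ports={
        "fa0/1": Port("fa0/1", "access", 605),
        "fa0/2": Port("fa0/2", "access", 605),
        "fa0/3": Port("fa0/3", "access", 606),
        "fa0/24": Port("fa0/24", "trunk", 1, frozenset({605, 606})),
    })
    h1, h2, h3 = (bytes.fromhex(f"0200000000{n:02x}") for n in (1, 2, 3))
    bcast = sw.receive("fa0/1", make_frame(BROADCAST, h1))     # e.g. an ARP request
    reply = sw.receive("fa0/2", make_frame(h1, h2))            # h1 already learned
    rogue = sw.receive("fa0/1", make_frame(h3, h1, vlan=606))  # tag on an access port
    return {
        "broadcast_ports": sorted(bcast),
        "broadcast_trunk_frame": bcast["fa0/24"],
        "reply_ports": sorted(reply),
        "rogue_ports": sorted(rogue),
        "alerts": sw.alerts,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Running `demo()` shows the broadcast reaching `fa0/2` and `fa0/24` only (the trunk copy carries `81 00 02 5d`, i.e. tag 605), the reply going straight to `fa0/1` because the MAC was learned, and the tagged frame on the access port producing an alert and no output at all.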
 
You can also use a method called port trunking and VLAN tagging, allowing you to distribute connections across many switches, but to the client it will appear that they are all connected to the same switch.

If you want to take it even further you can use private VLANs, which are effectively a VLAN within a VLAN. This provides an even greater depth of security, very useful for somewhere like a hotel with internet access per room.

If you're interested, there's a document from Cisco below explaining the process.

http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/sw_ntman/vlandir/vdir1gsg/overvw.pdf
 
growse said:
How secure are VLANs? Would you run a DMZ and a core network on the same switch with different VLANS?

Yes, it's secure as the switch has no way of routing traffic between the two VLANs, and to the end user they are simply presented with the ports available on that VLAN.

Layer 2 switches require a separate router to route between VLANs.
Layer 3 switches can route between VLANs, but this can be disabled.
 
OK, so if I plug two different interfaces on a router (say, a Cisco 837) into two different ports on a switch (say, a Catalyst 2950) which are on different VLANs, the router should be able to route between those two VLANs?
 
growse said:
OK, so if I plug two different interfaces on a router (say, a Cisco 837) into two different ports on a switch (say, a Catalyst 2950) which are on different VLANs, the router should be able to route between those two VLANs?

Yes, the switch merely holds a database of MAC - IP address translations so that it can find a particular host or interface.

You could go as far as setting up access lists on the router to control what traffic can pass through the router between VLANs.
 
The connections from the router to the switch will need to be set as trunk lines, won't they? Sub-interfaces need to be created on the router too, so that the two VLANs have a gateway?
 
growse said:
Not unless there are two connections between the router and the switch - one for each VLAN...
You only need 1 connection from the switch to the router interface, then you create a sub-interface "Interface FastEthernet 0/0.1", then you put in the IP addy "IP address 10.1.1.1 255.255.255.0", "Interface FastEthernet0/0.2", "IP address 10.1.1.32 255.255.255.0". The example shows 2 sub-interfaces via the same interface, but each sub-interface has its own IP addy; the sub-interface is a virtual interface.

The switch only stores MAC addys, but then you have a brouter which does both.
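To make the sub-interface idea from the last few posts concrete, here is an added Python model (not the thread's configuration and not IOS itself; the VLAN numbers 601/605/606, the 10.60.x.0/24 subnets, the addresses and the access-list rules are all constructed). It models a router with one trunk link and one sub-interface per VLAN, which is what `encapsulation dot1Q <vlan>` on an IOS sub-interface sets up, and it applies a single access list to everything crossing between VLANs, a simplification of the per-interface lists a real router uses. The list ends with the implicit deny that real access lists have, so anything not explicitly permitted, including user-VLAN traffic towards the management VLAN, is dropped and logged.

```python
"""Toy router-on-a-stick: one 802.1Q trunk, a sub-interface per VLAN, and an
access list between VLANs.  Added example; VLANs, subnets and rules are
constructed, not taken from the thread."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class SubInterface:
    name: str                          # e.g. "FastEthernet0/0.605"
    vlan: int                          # 802.1Q tag this sub-interface answers to
    network: ipaddress.IPv4Network     # subnet that lives in that VLAN
    address: ipaddress.IPv4Address     # the gateway address hosts point at


@dataclass(frozen=True)
class Packet:
    vlan: int                          # tag the frame arrived with on the trunk
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                        # "permit" or "deny"
    src_net: ipaddress.IPv4Network
    dst_net: ipaddress.IPv4Network
    dport: Optional[int] = None        # None matches any destination port


class Router:
    def __init__(self, subifs, acl):
        self.by_vlan = {s.vlan: s for s in subifs}
        self.acl = acl
        self.log = []

    def match(self, pkt):
        """First matching rule wins; an unmatched packet hits the implicit deny."""
        for rule in self.acl:
            if (pkt.src in rule.src_net and pkt.dst in rule.dst_net
                    and rule.dport in (None, pkt.dport)):
                return rule.action
        return "deny"

    def forward(self, pkt):
        """Return (egress sub-interface name, egress VLAN tag), or None if dropped."""
        ingress = self.by_vlan.get(pkt.vlan)
        if ingress is None:
            self.log.append(f"vlan {pkt.vlan}: no sub-interface, dropped")
            return None
        if pkt.src not in ingress.network:
            # A source address that cannot belong to the ingress VLAN's subnet
            # is a spoofing sign; discard it rather than route it.
            self.log.append(f"{pkt.src} is not in {ingress.network} (vlan {pkt.vlan})")
            return None
        egress = next((s for s in self.by_vlan.values() if pkt.dst in s.network), None)
        if egress is None:
            self.log.append(f"no route to {pkt.dst}")
            return None
        if self.match(pkt) == "deny":
            self.log.append(f"acl denied {pkt.src}->{pkt.dst}:{pkt.dport} (vlan {pkt.vlan})")
            return None
        return egress.name, egress.vlan


def demo():
    net, ip = ipaddress.ip_network, ipaddress.ip_address
    subifs = [  # constructed: management VLAN 601, users in 605, servers in 606
        SubInterface("FastEthernet0/0.601", 601, net("10.60.1.0/24"), ip("10.60.1.1")),
        SubInterface("FastEthernet0/0.605", 605, net("10.60.5.0/24"), ip("10.60.5.1")),
        SubInterface("FastEthernet0/0.606", 606, net("10.60.6.0/24"), ip("10.60.6.1")),
    ]
    acl = [
        Rule("permit", net("10.60.5.0/24"), net("10.60.6.0/24"), 80),  # users -> web only
        Rule("deny", net("10.60.5.0/24"), net("10.60.1.0/24")),        # users never reach mgmt
        Rule("permit", net("10.60.6.0/24"), net("10.60.5.0/24")),      # servers -> users
    ]
    r = Router(subifs, acl)
    return {
        "web_605_to_606": r.forward(Packet(605, ip("10.60.5.20"), ip("10.60.6.10"), 80)),
        "ssh_605_to_606": r.forward(Packet(605, ip("10.60.5.20"), ip("10.60.6.10"), 22)),
        "605_to_mgmt": r.forward(Packet(605, ip("10.60.5.20"), ip("10.60.1.1"), 23)),
        "606_to_605": r.forward(Packet(606, ip("10.60.6.10"), ip("10.60.5.20"), 1024)),
        "spoofed_src": r.forward(Packet(605, ip("10.60.6.99"), ip("10.60.1.1"), 23)),
        "unknown_vlan": r.forward(Packet(607, ip("10.60.7.1"), ip("10.60.5.20"), 80)),
        "log": r.log,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Only the permitted web request and the server-to-user packet come back with an egress sub-interface; the SSH attempt falls through to the implicit deny, the management-VLAN attempt hits the explicit deny, the packet whose source does not belong to VLAN 605's subnet is discarded, and a tag with no sub-interface has nowhere to go at all.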
 
Curiosityx said:
Yes, it's secure as the switch has no way of routing traffic between the two VLANs, and to the end user they are simply presented with the ports available on that VLAN.

Layer 2 switches require a separate router to route between VLANs.
Layer 3 switches can route between VLANs, but this can be disabled.

VLANs are not that secure and are open to manipulation by spoofing VLAN tags on packets injected into a network; ports can be made to "hop" VLANs. Similar to the way switches are considered "secure" in comparison to hubs by some people, it can all be manipulated.

Have a look at ettercap if you’re interested in ARP poisoning and MIM attacks on switching technology.
 
IronFire said:
Have a look at ettercap if you’re interested in ARP poisoning and MIM attacks on switching technology.

Yes, Ethereal is a fantastic tool, and yes, if you're talented VLANs can be compromised if enough is known about the layout of a target network.
 
In the case of Cisco, a management VLAN is created automatically when you start clustering devices together so that you may manage them easily through one interface.
 
Curiosityx said:
Yes, Ethereal is a fantastic tool, and yes, if you're talented VLANs can be compromised if enough is known about the layout of a target network.

I actually said ettercap; Ethereal is a network analysis tool and packet capture application.
 