VLANs???

Rogue

Banned
Jan 28, 2000
We run a network which consists of over 300 switches interconnected over fiber links to large routers. We are looking to change everything to a VLAN configuration to support pushing clients into VLANs based on patch level, viral infection, etc. to plan future products which permit access to the network based on such things.

The base question is, how do VLANs work and where can I get a good understanding of it from?
 

spidey07

No Lifer
Aug 4, 2000
whoah there.

That is going to take some serious planning. But it's the current trend in network security.

Basically a VLAN is a virtual LAN. Meaning it operates strictly on a layer 2 basis - a LAN. In order for one VLAN to communicate with another it has to pass through a router. It can also be thought of as a single broadcast domain.

With 300 switches you don't want VLANs spanning all over the place and would normally do a single VLAN per wiring closet. Then some kind of router to aggregate all those closets and route to some other router which would then route to the data center.

On a well designed network the concept of a VLAN isn't really needed as the network is broken down into blocks or groups of layer2 networks and are aggregated into a router.

Just search cisco.com for VLAN and you will probably get a few 100 thousand hits.

For example you could have a 300 port switch and have ports 1-100 in VLAN 10, ports 101-200 in VLAN 10 and ports 201-300 in VLAN 30. Ports in VLAN 10 could not communicate or broadcast to ports in the other VLANs. A router would be needed to "route" the packets from one LAN to the other.
 

Rogue

Banned
Jan 28, 2000
Alright, perhaps more info is in order. As stated, we run a CAN/WAN that covers about 300+ square miles of terrain and 300+ buildings, each with their own class C subnet. Each switch connects back via fiber to 12 core routers, each of which acts as the gateway to the class C network in each physical building. Each of these routers is also interconnected and connects to two main routers that provide redundant paths for the entire network.

Based on what you're saying, establishing a VLAN for every single building would not make sense and is not necessary, did I interpret that correctly?

I guess my main concern is, I want the ability to segment certain hosts into a "quarantine VLAN" no matter which building (LAN segment) that they are in. Does this mean that I create a single VLAN (ie. vlan 100) in all 300+ switches and route that VLAN at every single router interface on the network?

Scenario: the IDS says that a certain host is part of a botnet. Currently we reserve the IP in DHCP and then create an ACL on the uplink port for that switch that stops all outbound connectivity. Problem is, that's a real bitch to manage and gets unwieldy with 4000+ hosts and 300+ switches. Plus, it limits our ability to connect back to them to investigate, etc. Will a "quarantine VLAN" do what I think it will and permit me to simply throw these offending hosts into it, effectively removing them from connectivity with all but a few specified IP addresses (helpdesk, security, etc.)?
 

w0ss

Senior member
Sep 4, 2003
Basically, in a sense you are already running VLANs: one VLAN per building :) Sounds like what you want is trunking. What kind of switches/routers do you have? If you have Ciscos you probably could do this with your existing equipment, just changing the configuration/wiring a little.
 

w0ss

Senior member
Sep 4, 2003
Assuming you have vlan capable switches/routers here is how I would set it up.


                      Router
                        ^
                        |
                        |
                        v
Remote SwitchA <--> Hub switch <--> Remote SwitchB
                        ^
                        |
                        |
                        v
                  Remote SwitchC


Basically you would set up all the switches into a VTP domain and connect the remote switches to the hub switch via a trunk. Be sure to set up pruning or you could have some performance issues. Then connect the hub switch and router via another trunk. If you have layer 3 switches you could set up the routing on them to offload the router.

*** I hate ASCII art anyway. I hope you get the idea; if you have any questions, ask away.
 

Garion

Platinum Member
Apr 23, 2001
OK, time for my two cents.

The easiest way to think of a VLAN is as though it was a stand-alone chunk of a switch or a group of switches trunked together. Each VLAN almost acts like a separate switch. Machines on VLAN 101 can't talk to machines on VLAN 102 without going through some kind of router or Layer 3 switch.

You are correct that you could create a VLAN in each site and then create access lists on your core routers to severely restrict traffic from these hosts to a few key addresses without much trouble. It's pretty easy to assign a port to a VLAN - all you need to do is identify the port by looking at the MAC/CAM tables and ID'ing the port.

Are you planning on trying to do this with your existing network? If so, the possibility of doing so is TOTALLY dependent upon the switches and routers you have in place. If you've got plain-jane vanilla layer 2 switches it's probably not going to work. If you have something fairly modern by a reputable company (Cisco, Nortel, etc.) you've got a better chance.

What kind of switches do you have in the remote sites and what are your core routers? Tell us that (if you can disclose it) and we might be able to provide more information.

If you're going to replace them, the solution is easy, but we can go into more of that later.

- G
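As an added example (not code from this thread, and not something any of the posters ran), here is a small Python helper for the quarantine workflow Rogue describes and Garion outlines: read a switch's CAM table to find the port the offending host sits on, emit the IOS commands that move that port into the quarantine VLAN, and build the access list that limits the quarantine subnet to a few helpdesk/security addresses. The VLAN number, subnet, helpdesk addresses, port names and the CAM-table output are all constructed; the interface and ACL syntax assumes Cisco IOS, which several posters mention, and assumes the quarantine VLAN's gateway is an SVI on a layer 3 switch.

```python
"""Quarantine-VLAN helper (added example, not from the thread).

Given the MAC of a host an IDS has flagged, locate its access port in a
switch's CAM table and produce the Cisco IOS commands that move that port
into a quarantine VLAN, plus the ACL that restricts the quarantine subnet to
a few helpdesk/security addresses. Every value below is constructed.
"""

import re
from ipaddress import ip_network

QUARANTINE_VLAN = 100          # constructed; "vlan 100" as Rogue suggested
UPLINK_PORTS = {"Gi0/1"}       # constructed; never move an uplink into quarantine

# Constructed output in the shape of 'show mac address-table' on a Cisco switch.
SAMPLE_CAM_TABLE = """\
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    0011.2233.4455    DYNAMIC     Fa0/3
   1    0011.2233.aabb    DYNAMIC     Fa0/7
   1    00aa.bbcc.dd01    DYNAMIC     Gi0/1
   1    00aa.bbcc.dd02    DYNAMIC     Gi0/1
Total Mac Addresses for this criterion: 4
"""

# vlan, mac (aaaa.bbbb.cccc), type, port; header and footer lines do not match.
CAM_LINE = re.compile(
    r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\w+)\s+(\S+)\s*$", re.I
)


def normalize_mac(mac):
    """Accept aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff or aabb.ccdd.eeff; return aabb.ccdd.eeff."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return f"{hexdigits[0:4]}.{hexdigits[4:8]}.{hexdigits[8:12]}"


def parse_cam_table(text):
    """Return {mac: (vlan, port)} from 'show mac address-table' output."""
    entries = {}
    for line in text.splitlines():
        m = CAM_LINE.match(line)
        if m:
            vlan, mac, _type, port = m.groups()
            entries[normalize_mac(mac)] = (int(vlan), port)
    return entries


def find_port(cam_entries, mac):
    """Port the MAC was learned on, or None if this switch has not seen it."""
    hit = cam_entries.get(normalize_mac(mac))
    return hit[1] if hit else None


def quarantine_commands(cam_entries, mac, vlan=QUARANTINE_VLAN):
    """IOS commands that move the offending host's access port into the quarantine VLAN."""
    port = find_port(cam_entries, mac)
    if port is None:
        raise LookupError(f"{mac} was not learned on this switch")
    if port in UPLINK_PORTS:
        # A MAC learned on the uplink lives behind another switch; moving the
        # uplink would cut off every host downstream of it.
        raise ValueError(f"{mac} was learned on uplink {port}; look on the downstream switch")
    return [
        f"interface {port}",
        " switchport mode access",
        f" switchport access vlan {vlan}",
        " shutdown",
        " no shutdown",   # bounce link so the host typically re-requests DHCP in the new subnet
        "end",
    ]


def quarantine_acl(quarantine_subnet, allowed_hosts, vlan=QUARANTINE_VLAN, name="QUARANTINE-IN"):
    """Inbound ACL for the quarantine SVI: quarantined hosts may only reach the listed addresses.

    DHCP must be permitted explicitly, or the host can never obtain an address
    in the quarantine subnet and the helpdesk can never reach it.
    """
    net = ip_network(quarantine_subnet)
    wildcard = str(net.hostmask)            # IOS ACLs use wildcard masks, not prefix lengths
    lines = [f"ip access-list extended {name}",
             " permit udp any eq bootpc any eq bootps"]
    for host in allowed_hosts:
        lines.append(f" permit ip {net.network_address} {wildcard} host {host}")
    lines.append(" deny ip any any log")    # log so the security team sees what it keeps trying
    lines += [f"interface Vlan{vlan}", f" ip access-group {name} in"]
    return lines


if __name__ == "__main__":
    entries = parse_cam_table(SAMPLE_CAM_TABLE)
    print("\n".join(quarantine_commands(entries, "00:11:22:33:44:55")))
    print("\n".join(quarantine_acl("10.100.0.0/24", ["10.1.1.10", "10.1.1.11"])))
```

Two things the script does that a manual procedure tends to forget: it refuses to act when the MAC was learned on an uplink (the host is behind another switch, and moving the uplink would quarantine an entire closet), and the ACL permits DHCP before anything else, since a host that keeps its old address after the port move cannot reach even the helpdesk until it renews into the quarantine subnet.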