VLAN Theory
Before looking at what a VLAN (Virtual Local Area Network) is, we should understand what a LAN (Local Area Network) is. Here we have a LAN:

(LAN diagram)
In this case, we have a router at 192.168.0.1/24 and 3 switches that physically separate our network, but at the network configuration level all hosts have 192.168.0.x addresses. A LAN includes all systems in the broadcast domain: every component on a single LAN receives a broadcast sent by any member of that LAN. By this definition, a LAN is bordered by routers or other devices that operate at OSI Layer 3. Any component of the LAN can communicate with any other component if the machines' personal firewalls allow it. This is fine for small home networks, but in big networks many problems arise. For example, I have different employees and my enterprise network is divided into different sectors:
a) Administration
b) Development
c) Marketing/Sales
d) Help Desk
e) Hotspot – Free Access
and for security reasons I don't want the Hotspot part of my network to communicate with Administration, Development or any other portion of my network. So the first problem is security.
Another problem is the maintenance of all these switches: network configuration and administration become difficult. Think of a big /16 LAN with many switches. You have to reconfigure hardware whenever a server is physically moved to another location. Let's say I want to move my RADIUS server from the Help Desk to Administration: I would have to physically move the server to the Administration rack and reconfigure it with the Administration network settings. Performance is a problem as well, since in a single broadcast domain every host receives every broadcast.
All of these problems are solved with VLANs.
A VLAN (Virtual Local Area Network) is a group of hosts that communicate as if they were attached to the same broadcast domain, regardless of their physical location. VLANs allow several different LANs to be combined on a single physical device.
You have to buy a switch with VLAN capabilities. A single VLAN-capable switch is able to participate in multiple LANs at once.
This functionality alone has a variety of uses, but VLANs become far more interesting when combined with trunking. A trunk is a single physical connection that can carry multiple VLANs. Each frame that crosses the trunk has a VLAN identifier attached to it, so it can be identified and kept within the correct VLAN.
Trunks can be used between two switches, between a switch and a router or between a switch and a computer that supports trunking. When connecting to a router or computer, each VLAN appears as a separate virtual interface.
Cool, huh? So this means one switch (saving a lot of money) and different networks. The networks are:
- Physically connected but at the same time isolated from each other
- On different subnets and in different locations
- Easy to administer, and centralized: if you now have to move your RADIUS server, you only have to move its cable from a VLAN 5 port to, let's say, a VLAN 3 port
- Sharing the same physical link without leakage of information between networks
How VLAN Works
VLANs use the IEEE 802.1Q standard, a.k.a. VLAN tagging, which does not encapsulate or otherwise change the normal frame: it just inserts a 32-bit field between the source MAC address and the EtherType/Length field of the original frame. This field carries the VLAN-specific data, such as the VLAN ID and the TPID (Tag Protocol Identifier).
This is how the switch knows where to forward the traffic: if a frame arrives with VLAN ID x, the switch forwards it only within virtual LAN x.
In order to communicate correctly, the firewall/router must "understand" the frames received from the switch and also send frames that the switch "understands". For this, our firewall supports VLANs and has VLAN software installed in order to generate VLAN traffic. The switch, for its part, only recognises the traffic and forwards it; the tagged frames themselves are generated by an interface such as:
eth1.2 (eth1, VLAN ID 2)
or eth1.4 (eth1, VLAN ID 4), etc.
VLAN Configuration
- Switch Configuration
I have a 3Com switch with VLAN support, and I want to create 3 different VLANs with 3 different firewalls. I create a new VLAN and set its ID to 5 (or anything except 1, which is the reserved/default VLAN). There are 3 types of switch port membership:
a) Tagged => Green
b) Untagged => Blue
c) Not a Member => White
Tagged means that the switch expects tagged frames on that port, so if the ID is 5 the switch expects frames with VLAN ID 5 on the tagged port. This is the port where we should attach the firewall, because the VLAN traffic is generated and handled by the firewall.
Untagged means that on that port the switch sends and expects normal frames without a VLAN ID. If I set a port to Untagged, it automatically becomes a member of VLAN 5, and when I connect a PC to it, its DHCP request reaches the first DHCP server available on its LAN (in reality, its VLAN), which is our firewall.
Not a Member means that the port is not part of this VLAN, and frames passing through it are not handled by VLAN 5.
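To make the tag format and the three port modes concrete, here is an added Python model (not code from the original page or from the 3Com switch) of the 802.1Q tag insertion described under "How VLAN Works" and of how a switch treats tagged, untagged and not-a-member ports. The port names, the VLAN ID 5 and the sample frame are constructed for the example.

```python
import struct

TPID_8021Q = 0x8100  # Tag Protocol Identifier that marks an 802.1Q tag


def tag_frame(frame: bytes, vid: int, pcp: int = 0, dei: int = 0) -> bytes:
    """Insert the 4-byte 802.1Q tag between the source MAC and the EtherType."""
    tci = (pcp << 13) | (dei << 12) | (vid & 0x0FFF)  # Tag Control Information
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def strip_tag(frame: bytes):
    """Return (vid, frame_without_tag); vid is None if the frame is untagged."""
    if len(frame) < 16 or struct.unpack("!H", frame[12:14])[0] != TPID_8021Q:
        return None, frame
    tci = struct.unpack("!H", frame[14:16])[0]
    return tci & 0x0FFF, frame[:12] + frame[16:]


def switch(ingress: str, frame: bytes, ports: dict) -> dict:
    """Forward a frame arriving on `ingress` for one VLAN. `ports` maps a port
    name to (mode, vid) where mode is 'tagged', 'untagged' or 'none' (not a
    member). Returns {egress_port: frame_as_sent}; the frame is flooded to all
    member ports, so this models a broadcast such as a DHCP request."""
    mode, vid = ports[ingress]
    in_vid, payload = strip_tag(frame)
    if mode == "untagged" and in_vid is None:
        in_vid = vid            # the switch assigns the port's VLAN itself
    elif mode != "tagged" or in_vid != vid:
        return {}               # untagged frame on a tagged port, wrong VID or not a member: drop
    out = {}
    for name, (pmode, pvid) in ports.items():
        if name == ingress or pvid != in_vid:
            continue            # other VLANs stay isolated; never send back out the ingress port
        out[name] = tag_frame(payload, in_vid) if pmode == "tagged" else payload
    return out


# Constructed sample (not captured traffic): broadcast ARP-type frame from a PC,
# 6-byte dst MAC, 6-byte src MAC, EtherType 0x0806, 28 bytes of zero payload.
UNTAGGED = bytes.fromhex("ffffffffffff" "001122334455" "0806") + b"\x00" * 28
# Port table of the VLAN 5 example: firewall on the tagged port, two PCs on
# untagged ports, one port that is not a member.
PORTS = {"fw": ("tagged", 5), "pc1": ("untagged", 5),
         "pc2": ("untagged", 5), "p9": ("none", None)}


def demo():
    """VLAN ID seen on each egress port when pc1 sends its broadcast."""
    return {p: strip_tag(f)[0] for p, f in switch("pc1", UNTAGGED, PORTS).items()}
```

Running demo() shows the firewall port receiving the frame with VLAN ID 5 while the other PC receives it untagged, and the not-a-member port receives nothing.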
Configuring VLANs under Linux is a process similar to configuring regular Ethernet interfaces. The main difference is that you first must attach each VLAN to a physical device. This is accomplished with the vconfig utility. If the trunk device itself is configured, its untagged traffic is treated as the native VLAN. For example, these commands define VLANs 2-4 on device eth0 (the last argument is the VLAN ID, and the resulting interfaces are eth0.2, eth0.3 and eth0.4):
vconfig add eth0 2
vconfig add eth0 3
vconfig add eth0 4
Note that vconfig is deprecated on current Linux distributions in favour of the iproute2 ip link tool, which creates the same eth0.N interfaces.
So we use 1 switch instead of 3. Here is a picture:

(VLAN configuration diagram)
Revisions
- 28 August, 2010 @ 22:38 [Current Revision] by Admir