A virtual local area network (VLAN) is a logically independent network carried over a single physical network. One router or switch can host several VLANs. Each VLAN groups the devices of a particular segment, which has clear advantages for management and security.
The evolution of virtual network design
Organizations that need to upgrade their legacy network can implement a WLAN architecture managed by on-premises controllers or one whose controllers are located in the cloud. Both options offer significant benefits. Which implementation works best depends on several factors, including the structure of the company, the current network design and the requirements.
When corporate WLANs were first deployed, each access point was configured and managed independently of the others on the same network. This was not a problem at the time, because most companies defined specific zones for wireless access points: usually conference rooms, lobbies and open areas, any place with a large number of users and several wired ports.
As demand for Wi-Fi in the enterprise grew, so did the infrastructure needed to provide it. Network administrators had to manage hundreds or even thousands of access points. Technical problems such as co-channel interference, power control and roaming clients made many networks unstable and unpredictable.
This led vendors to introduce controllers into the wireless LAN, with the access points forwarding their traffic back to them. The controllers became the single choke point for access point configuration, communication and policy enforcement. Access points lost their individual identity, and the controller became the "brain" of the entire WLAN.
Configuration types
There are six types of virtual LAN, but in practice only three are widely used: port-based, MAC-based and application-based. Port-based VLANs, where membership is set per switch port in the device's configuration menu, are the most common.
Each port is assigned to a VLAN, and the users connected to that port see each other internally; neighbouring VLANs are unreachable for them. The only drawback of this model is that it does not accommodate mobility: if a user changes physical location, the VLAN configuration must be changed.
MAC-based VLANs assign membership by the MAC address of the device rather than by port. The advantage is mobility without any configuration change on the switch or router. The approach is easy to understand, but entering every user's device can be tedious.
Application-based VLANs assign membership according to the software in use, combining several factors such as time of day, MAC address or subnet to distinguish, for example, SSH, FTP, Samba or SMTP traffic.
LAN architecture
Cloud-managed wireless LANs depend on the quality of the Internet connection and can fail if it is unreliable. The cloud controller often also performs other wireless services, such as DHCP provisioning and authentication.
Managing the WLAN through the cloud also consumes Internet bandwidth. Therefore, if the connection is heavily used, unreliable or suffering from latency, it is better to keep these functions on local controllers.
In most situations, on-premises controllers offer far greater flexibility in the real-world design and deployment of WLANs, including better support for legacy Wi-Fi devices and applications and more granular control over specific VLAN settings. For enterprises with thousands of access points, several local controllers can work together to provide reliable network access and failover for clients.
Flat structure
A Layer 2 switched LAN without VLANs is, in effect, a flat network. Every device on the network sees every broadcast packet, whether or not it needs the data. A router confines a broadcast to the network it originated in, whereas a switch forwards it into every segment. The network is called flat not because of its physical design but because it forms a single broadcast domain: when a host sends a broadcast, the switch floods it out of every port except the one on which it arrived.
The biggest advantage of a switched Layer 2 network is therefore that each device connected to the switch gets its own collision domain. As a result, larger networks can be built without relying on one long shared Ethernet segment.
Security can be a problem on a flat network, because every device is visible to every user. Another disadvantage is that broadcasts, and the hosts' responses to them, cannot be stopped. Unfortunately, the security choices are limited to setting passwords on the various servers and other devices.
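The flat network just described and the port-based and MAC-based VLAN types from the previous section can be compared in a small switch model. This is an added example, not code from the article; the hosts, port numbers and MAC addresses are constructed for the demonstration.

```python
# Added example, not code from the original article: a minimal model of a
# Layer 2 switch that floods a broadcast frame either across the whole (flat)
# network or only within the sender's VLAN. Port-based and MAC-based
# membership are both modelled. Hosts, ports and MAC addresses are constructed.
from dataclasses import dataclass, field

DEFAULT_VLAN = 1  # ports with no VLAN configured fall into the default VLAN


@dataclass
class Switch:
    hosts: dict = field(default_factory=dict)      # MAC -> port the host is plugged into
    port_vlan: dict = field(default_factory=dict)  # port -> VLAN ID (port-based membership)
    mac_vlan: dict = field(default_factory=dict)   # MAC  -> VLAN ID (MAC-based, follows the device)

    def attach(self, mac, port):
        self.hosts[mac] = port

    def vlan_of(self, mac):
        """MAC-based entries take precedence; otherwise the port decides."""
        if mac in self.mac_vlan:
            return self.mac_vlan[mac]
        return self.port_vlan.get(self.hosts[mac], DEFAULT_VLAN)

    def broadcast(self, src_mac):
        """MACs that receive a broadcast sent by src_mac.

        The switch floods out of every port except the ingress port, but only
        to hosts in the same broadcast domain (VLAN) as the sender.
        """
        src_port = self.hosts[src_mac]
        vid = self.vlan_of(src_mac)
        return sorted(mac for mac, port in self.hosts.items()
                      if port != src_port and self.vlan_of(mac) == vid)


# Constructed hosts A-D on ports 1-4.
A, B, C, D = "00:00:00:00:00:0a", "00:00:00:00:00:0b", "00:00:00:00:00:0c", "00:00:00:00:00:0d"


def build_switch():
    sw = Switch()
    for mac, port in ((A, 1), (B, 2), (C, 3), (D, 4)):
        sw.attach(mac, port)
    return sw


def flat_reach():
    """No VLANs configured: one broadcast domain, every other host hears A."""
    return build_switch().broadcast(A)


def port_vlan_reach():
    """Ports 1-2 in VLAN 10, ports 3-4 in VLAN 20: A's broadcast stops at B."""
    sw = build_switch()
    sw.port_vlan.update({1: 10, 2: 10, 3: 20, 4: 20})
    return sw.broadcast(A)


def mac_vlan_reach():
    """Same port layout, but C's MAC is pinned to VLAN 10, so membership
    follows the device: C hears A even though it is plugged into port 3."""
    sw = build_switch()
    sw.port_vlan.update({1: 10, 2: 10, 3: 20, 4: 20})
    sw.mac_vlan[C] = 10
    return sw.broadcast(A)


if __name__ == "__main__":
    print("flat network :", flat_reach())
    print("port-based   :", port_vlan_reach())
    print("MAC-based    :", mac_vlan_reach())
```

The three functions show the security point of the section directly: on the flat network A's broadcast reaches B, C and D; with port-based VLANs it reaches only B; with a MAC-based entry C joins VLAN 10 without any port being reconfigured, which is the mobility advantage and also the reason MAC tables need careful administration.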
Asymmetric VLAN
Asymmetric VLANs let you segment the network and share traffic between the segments safely and efficiently, while reducing the size of the broadcast domains and therefore the amount of network traffic. VLANs are typically aimed at large networks with managed switches, which are powerful but expensive.
Such designs can also be useful in small and medium-sized networks. For security reasons it is important to split the network into two completely independent networks that can still reach shared resources. The usual solution is a switch with access control between the VLANs; the D-Link Smart series, for example, are web-managed switches that cost less.
In particular, the asymmetric VLAN feature of a D-Link DGS-1210-24 switch lets you split the network into independent VLANs while keeping a shared segment that machines in every VLAN can reach.
Computers in different VLANs are then invisible to each other, yet all of them can reach the Internet or the resources on the shared ports. Note that in this setup all PCs remain on the same IP subnet. The same approach can be extended to a corporate Wi-Fi network, for example to create a guest network that has access to the Internet.
Implementation: general description
A VLAN is a unit of the data link layer of the protocol stack. You can create VLANs for local area networks that use switch technology. By grouping users, they improve network management and security. Interfaces of the same system can also be assigned to different VLANs.
It is recommended to divide a LAN into VLANs if you need to:
- Create a logical separation of workgroups, for example when all the hosts on one floor of a building are connected by a switched LAN.
- Assign different security policies to workgroups such as finance and IT. If the systems of both departments share the same segment, you can create a separate VLAN for each department and then apply the appropriate security policy to each.
- Split workgroups into manageable broadcast domains.
Using VLANs reduces the size of broadcast domains and improves network efficiency.
Valid Name Rules
A further advantage of VLANs is that they can be given common or user-chosen names. Earlier releases identified a VLAN by its physical point of attachment (PPA), which combined the hardware name of the datalink with the VLAN ID when the VLAN was created.
On more modern systems such as Oracle Solaris 11, you can choose a more meaningful name. The name must follow the datalink naming conventions given in the rules for valid names in the Oracle Solaris 11 network documentation, for example sales0 or marketing1.
Names work together with VLAN IDs. On the LAN, a VLAN is identified by its ID, also known as the VLAN tag, which is set during configuration. To support VLANs on the switches, you must assign to each port the ID that matches the interface.
LAN Topology
Switched LAN technology lets you organize a LAN into VLANs. To do so, the switches must support VLANs. Each port on the switch can be configured to carry traffic for one or more VLANs, depending on its configuration. Each switch manufacturer has its own procedure for configuring ports.
For example, if the network has the subnet address 192.168.84.0, the LAN can be divided into three VLANs corresponding to three workgroups:
- Acctg0 with VLAN ID 789: the Accounting group, with hosts D and E.
- Humres0 with VLAN ID 456: the Human Resources group, with hosts B and F.
- Infotech0 with VLAN ID 123: the Information Technology group, with hosts A and C.
You can configure multiple VLANs on a single network device, such as a switch, by combining VLANs with Oracle Solaris Zones over the three physical network cards net0, net1 and net2.
Without VLANs you would have to set up separate systems for particular functions and connect them to separate networks. With VLANs and zones, you can collapse eight such systems into zones on a single one.
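The naming rules from the previous section and the three-VLAN topology above can be checked together with a small planning script. This is an added example, not code from the article or from Oracle. The name rules it enforces (a letter first, then letters, digits or underscore, ending in a digit that is the PPA, at most 31 characters) are a model of the Solaris datalink conventions rather than a quotation of them; the names are lowercased like the article's own sales0 and marketing1; the legacy PPA formula (VLAN ID times 1000 plus the device instance) is the one used by older Solaris releases; the physical link net0 is an assumption; the dladm create-vlan command is the real Solaris 11 command for creating a VLAN link.

```python
# Added example, not from the article or from Oracle: validates the VLAN plan
# in the text (acctg0/789, humres0/456, infotech0/123 on one switch), derives
# the legacy PPA-style name older releases used, and emits the dladm commands.
# Name rules are modelled here, not quoted from Oracle; net0 is an assumption.
import re
from dataclasses import dataclass

LINK_NAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_]*[0-9]$")  # letter first, PPA digit last
MAX_LINK_NAME_LEN = 31
VLAN_ID_MIN, VLAN_ID_MAX = 1, 4094                            # usable 802.1Q range


def valid_link_name(name):
    return len(name) <= MAX_LINK_NAME_LEN and LINK_NAME_RE.match(name) is not None


def valid_vlan_id(vid):
    return VLAN_ID_MIN <= vid <= VLAN_ID_MAX


def legacy_ppa_name(device, vid):
    """Legacy PPA naming: prefix + (VID * 1000 + instance), e.g. net0 / 123 -> net123000."""
    m = re.fullmatch(r"([A-Za-z_][A-Za-z0-9_]*?)(\d+)", device)
    if not m or not valid_vlan_id(vid):
        raise ValueError(f"bad device or VLAN ID: {device!r}, {vid}")
    prefix, instance = m.group(1), int(m.group(2))
    return f"{prefix}{vid * 1000 + instance}"


@dataclass(frozen=True)
class Vlan:
    name: str
    vid: int
    hosts: tuple


# The article's three workgroups (names lowercased like sales0/marketing1).
ARTICLE_VLANS = (
    Vlan("acctg0", 789, ("D", "E")),
    Vlan("humres0", 456, ("B", "F")),
    Vlan("infotech0", 123, ("A", "C")),
)


def plan_vlans(vlans, link="net0"):
    """Validate names, IDs and uniqueness; return the dladm commands for the plan."""
    seen_ids, seen_names, cmds = set(), set(), []
    for v in vlans:
        if not valid_link_name(v.name):
            raise ValueError(f"invalid link name: {v.name}")
        if not valid_vlan_id(v.vid):
            raise ValueError(f"VLAN ID out of range: {v.vid}")
        if v.vid in seen_ids or v.name in seen_names:
            raise ValueError(f"duplicate VLAN: {v.name}/{v.vid}")
        seen_ids.add(v.vid)
        seen_names.add(v.name)
        cmds.append(f"dladm create-vlan -l {link} -v {v.vid} {v.name}")
    return cmds


def vlan_for_host(host, vlans=ARTICLE_VLANS):
    """VLAN ID a host belongs to, or None if it is in no VLAN of the plan."""
    for v in vlans:
        if host in v.hosts:
            return v.vid
    return None


if __name__ == "__main__":
    for cmd in plan_vlans(ARTICLE_VLANS):
        print(cmd)
    for v in ARTICLE_VLANS:
        print(f"{v.name:10s} legacy name {legacy_ppa_name('net0', v.vid)}  hosts {v.hosts}")
```

The duplicate check matters operationally: two VLANs with the same ID on one link would silently merge two workgroups into one broadcast domain, defeating the separation the section recommends.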
VoIP Security Risks
Keeping data and VoIP traffic in separate VLANs is certainly good security practice, but it is sometimes easier said than done. If each workstation needed an extra network adapter and switch port to separate VoIP from data traffic, the idea would be hard to implement in a business environment.
Some IP phones have programmable primary and secondary Ethernet ports, one for the phone and one that passes through to the desktop PC, so a single cable serves both.
The switch that supports this model must be VLAN-capable. To reach unified communications, or to let desktop computers or servers talk to the telephone network, routing between the VLANs and a firewall are required.
If the network lacks any of these elements, there is no point in using IP phones. Without the extra network card and switch port, it makes no sense even to try to deploy them.
As a basic example, placing data in VLAN-1 and voice in VLAN-2 improves overall network performance, because broadcast traffic on the data side is confined to the data VLAN and voice broadcasts to the voice VLAN. To obtain a secure and economically viable VoIP solution, you therefore need the following basic elements:
- firewall
- router
- managed switches.
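The router-plus-firewall requirement between VLAN-1 (data) and VLAN-2 (voice) can be made concrete with a first-match policy evaluator. This is an added example, not code from the article; the subnets, the unified-communications server address, the rule set and the sample flows are all constructed assumptions.

```python
# Added example, not from the article: a first-match policy evaluator for the
# router/firewall between the data VLAN (VLAN-1) and the voice VLAN (VLAN-2).
# Subnets, UC server address, rules and flows are constructed assumptions.
from dataclasses import dataclass
from typing import Optional, Tuple
import ipaddress

DATA_VLAN, VOICE_VLAN = 1, 2
VLAN_SUBNETS = {
    DATA_VLAN: ipaddress.ip_network("10.1.0.0/24"),    # assumed data VLAN
    VOICE_VLAN: ipaddress.ip_network("10.2.0.0/24"),   # assumed voice VLAN
}
UC_SERVER = "10.2.0.10"  # assumed unified-communications server in the voice VLAN


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    src_vlan: int
    dst_vlan: int
    action: str                        # "allow" or "deny"
    proto: Optional[str] = None        # None matches any protocol
    dst_host: Optional[str] = None     # None matches any destination host
    dports: Tuple[int, ...] = ()       # empty matches any port

    def matches(self, flow, src_vlan, dst_vlan):
        return (self.src_vlan == src_vlan and self.dst_vlan == dst_vlan
                and (self.proto is None or self.proto == flow.proto)
                and (self.dst_host is None or self.dst_host == flow.dst)
                and (not self.dports or flow.dport in self.dports))


# First-match policy on the inter-VLAN router/firewall.
POLICY = [
    # PCs may only signal with the UC server (SIP over TCP 5060); nothing else in the voice VLAN.
    Rule(DATA_VLAN, VOICE_VLAN, "allow", proto="tcp", dst_host=UC_SERVER, dports=(5060,)),
    # Phones never initiate connections into the data VLAN.
    Rule(VOICE_VLAN, DATA_VLAN, "deny"),
]


def vlan_of(address):
    ip = ipaddress.ip_address(address)
    for vid, net in VLAN_SUBNETS.items():
        if ip in net:
            return vid
    raise ValueError(f"{address} is not in a known VLAN")


def evaluate(flow, policy=POLICY, log=None):
    """Return 'allow' or 'deny' for a flow.

    Traffic inside one VLAN is switched locally and never reaches the firewall.
    Anything crossing VLANs needs an explicit allow; the default is deny, logged.
    """
    src_vlan, dst_vlan = vlan_of(flow.src), vlan_of(flow.dst)
    if src_vlan == dst_vlan:
        return "allow"
    for rule in policy:
        if rule.matches(flow, src_vlan, dst_vlan):
            if rule.action == "deny" and log is not None:
                log.append(f"DENY rule    {flow.proto} {flow.src} -> {flow.dst}:{flow.dport}")
            return rule.action
    if log is not None:
        log.append(f"DENY default {flow.proto} {flow.src} -> {flow.dst}:{flow.dport}")
    return "deny"


def demo():
    """Run constructed flows through the policy; return verdicts and the deny log."""
    log = []
    flows = {
        "pc_to_uc_sip":   Flow("10.1.0.5", UC_SERVER, "tcp", 5060),
        "pc_to_phone":    Flow("10.1.0.5", "10.2.0.33", "tcp", 5060),
        "pc_to_uc_ssh":   Flow("10.1.0.5", UC_SERVER, "tcp", 22),
        "phone_to_share": Flow("10.2.0.33", "10.1.0.5", "tcp", 445),
        "pc_to_pc_dns":   Flow("10.1.0.5", "10.1.0.9", "udp", 53),
    }
    verdicts = {name: evaluate(f, log=log) for name, f in flows.items()}
    return verdicts, log


if __name__ == "__main__":
    verdicts, log = demo()
    for name, verdict in verdicts.items():
        print(f"{name:15s} {verdict}")
    print("\n".join(log))
```

Only the PC-to-UC-server SIP flow is allowed; a PC talking directly to a phone, a PC reaching the UC server on another port, or a phone opening a connection into the data VLAN are all dropped and logged, which is exactly the separation a voice VLAN is supposed to buy.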
Integration Benefits
Once the guest OS is integrated into the local network, you can use the virtualized operating system as if it were a physical machine on the network. This offers several practical advantages:
- If hardware is short, the virtual machine can act as a server, configured for example as a DNS, web, NFS, mail, SSH or VPN server.
- You can simulate a small local network with a few commands to carry out all kinds of tests.
- Information can easily be exchanged between the virtualized OS and the host operating system without using the shared folder feature offered by VirtualBox.
- The virtual machine can be used to set up an SSH tunnel and thus encrypt all traffic generated by the computer.
Integrating a VM into the local network is very simple. Before creating the virtual LAN, install an operating system in the VirtualBox virtual machine; it can be any well-known OS. Xubuntu 12.10 works well for this purpose.
Integration Sequence:
- Select Xubuntu 12.10 and click the configuration icon.
- In the settings window, select the Network option.
- Make sure the option to enable the network adapter is checked.
- Change the attachment type from NAT to Bridged Adapter.
- Before connecting the virtual machine to the local network, set the Name option.
- The Name field offers wlan0 and eth0. If the host is connected via Wi-Fi, select wlan0 and click the button to accept the changes.
- For a wired connection, select eth0 and accept the changes.
After completing these steps, the virtual machine is integrated into the local network.
To verify that the VM is working, open a terminal and type sudo apt-get install nmap to install the nmap package.
Then check the IP address the system has received with the ifconfig command in the terminal.
This is how to be sure the virtual machine has really joined the local network: under NAT, VirtualBox assigns an address of the form 10.0.2.x/24 by default.
Next, list the devices on the network from the virtual machine. Open a terminal and use nmap: sudo nmap 192.1.1.1/24.
The exact command depends on the subnet mask. After nmap, give the router's gateway address (192.1.1.1) followed by the subnet mask in its canonical CIDR form. As regards security, keep in mind that devices in one VLAN cannot reach elements of other networks, and vice versa.
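The two checks in the procedure above, reading the address from ifconfig to see whether the adapter is still behind VirtualBox NAT and turning the router address and mask into the canonical network for the scan, can be scripted. This is an added example, not code from the article; the two ifconfig outputs are constructed in the net-tools format that Xubuntu 12.10 prints, the addresses in them are made up, and 10.0.2.0/24 is VirtualBox's default NAT range as the article states.

```python
# Added example, not from the article: helpers for the VirtualBox bridging
# check. parse_ifconfig() reads net-tools style ifconfig output (samples below
# are constructed), attachment_report() flags adapters still in VirtualBox's
# default NAT range 10.0.2.0/24, and scan_target() turns the router address and
# subnet mask into the CIDR network the article hands to nmap.
import ipaddress
import re

VBOX_NAT_NET = ipaddress.ip_network("10.0.2.0/24")   # VirtualBox default NAT range

_IFACE_RE = re.compile(r"^(\S+)\s+Link encap", re.M)
_INET_RE = re.compile(r"inet addr:(\d+\.\d+\.\d+\.\d+).*?Mask:(\d+\.\d+\.\d+\.\d+)")

# Constructed sample: adapter bridged onto a LAN (addresses made up).
BRIDGED_SAMPLE = """\
eth0      Link encap:Ethernet  HWaddr 08:00:27:12:34:56
          inet addr:192.1.1.23  Bcast:192.1.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
"""

# Constructed sample: adapter still attached to NAT.
NAT_SAMPLE = """\
eth0      Link encap:Ethernet  HWaddr 08:00:27:12:34:56
          inet addr:10.0.2.15  Bcast:10.0.2.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
"""


def parse_ifconfig(text):
    """Return [(iface, address, netmask), ...] for every interface with an IPv4 address."""
    results = []
    for block in re.split(r"\n\s*\n", text.strip()):
        name = _IFACE_RE.search(block)
        inet = _INET_RE.search(block)
        if name and inet:
            results.append((name.group(1), inet.group(1), inet.group(2)))
    return results


def on_virtualbox_nat(address):
    return ipaddress.ip_address(address) in VBOX_NAT_NET


def attachment_report(ifconfig_text):
    """Map each interface to 'nat' (still behind VirtualBox NAT), 'lan' or 'loopback'."""
    report = {}
    for iface, addr, _mask in parse_ifconfig(ifconfig_text):
        ip = ipaddress.ip_address(addr)
        if ip.is_loopback:
            report[iface] = "loopback"
        elif on_virtualbox_nat(addr):
            report[iface] = "nat"
        else:
            report[iface] = "lan"
    return report


def scan_target(router_ip, netmask):
    """Canonical CIDR network containing the router, e.g. 192.1.1.1 + 255.255.255.0 -> 192.1.1.0/24."""
    return str(ipaddress.ip_network(f"{router_ip}/{netmask}", strict=False))


if __name__ == "__main__":
    print("bridged VM:", attachment_report(BRIDGED_SAMPLE))
    print("NAT VM    :", attachment_report(NAT_SAMPLE))
    print("nmap target:", scan_target("192.1.1.1", "255.255.255.0"))
```

On a real guest, pipe the output of ifconfig into parse_ifconfig() instead of the constructed samples; an eth0 reported as "nat" means the Bridged Adapter step was not applied and the VM is not yet on the LAN.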
From the above, a simple conclusion follows about why VLANs are created: management becomes much simpler, since devices are divided into classes even though they belong to the same physical network. VLANs split a network into as many broadcast domains as there are logical subnets and group end stations that are physically dispersed across the network.