From the last post in this series, you may wonder why more configuration is needed. While it may seem simpler to configure at first, having one subnet and one VLAN for all of your devices actually makes the network harder to manage, and it weakens security: every device can talk directly to every other device with nothing in between to control the traffic.
In this post, I will be covering what VLANs are as well as some of the reasons as to why we need separate VLANs on our internal network.
If you have not read the previous article in this series, below is an index containing each post in sequential order.
Index
Open Packet Tracer and view the configuration from the previous post. For reference, here is the network we are aiming to build:
Here is what we currently have. If the labels under each device do not match up with the topology, double-click the label and change the name. Note that this does not actually change the configured hostname of the device:
Right now, only our physical connections are set up; there is no logical separation on the network. Even so, parts of the network already work as far as basic connectivity goes. Let me show you what I mean.
Now do a similar configuration on ITPC01:
Now ping FINPC01 from ITPC01:
C:\>ping 192.168.5.100
You should get successful replies from FINPC01 as shown below. The first reply may time out while ITPC01 resolves FINPC01's MAC address (more on that below); this is normal behavior.
Pinging 192.168.5.100 with 32 bytes of data:

Reply from 192.168.5.100: bytes=32 time<1ms TTL=128
Reply from 192.168.5.100: bytes=32 time<1ms TTL=128
Reply from 192.168.5.100: bytes=32 time<1ms TTL=128
Reply from 192.168.5.100: bytes=32 time<1ms TTL=128

Ping statistics for 192.168.5.100:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms
Now assign an IP address in the same network on DCSRV01:
Now try to ping DCSRV01 from ITPC01:
C:\>ping 192.168.5.102
The command fails with the following output:
Pinging 192.168.5.102 with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 192.168.5.102:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
Why did this fail? Take a look at our topology. A router separates the server from the two PCs, while only a switch separates FINPC01 from ITPC01. If we ping the device in simulation mode within Packet Tracer, we will see that ARP failed to resolve the IP address, so the ping packet timed out. In simple terms, ITPC01 did not know where to send the packet, so it held onto it until it had to be discarded.
This shows that we can't just put any IP address from the same subnet on any node and expect it to work. If that were the case, modern networks would be a huge mess. There are rules, or protocols, that each device needs to follow in order to ensure delivery.
To fully understand why this failed, we need to first understand how a packet travels the network.
The OSI Model
Earlier in this series, I mentioned bits and pieces of the OSI model, however I never fully explained what the OSI model is.
The Open Systems Interconnection (OSI) model is a model developed by the International Organization for Standardization (ISO) and used by information technology and cybersecurity professionals to understand and visualize how the different parts of a network interact with each other. The model is broken into seven layers:
7. Application
6. Presentation
5. Session
4. Transport
3. Network
2. Data Link
1. Physical
Different protocols and technologies reside in each of these layers, and each layer is often referred to by its position in the model. While I have them numbered from the application layer down, the first layer is actually the physical layer. So, when someone is talking about the physical layer, you may hear them say "layer 1," and when someone is talking about the data link layer you may hear them say "layer 2." This continues all the way up to the application layer, referred to as "layer 7."
The physical layer contains the standards for how network traffic is physically passed between devices. The data link layer, which is where ARP resides, contains the protocols that define how devices on the same network interact with each other, most commonly Ethernet. The network layer defines logical addressing and routing between networks using the Internet Protocol (IP), and the transport layer defines how data is transmitted end to end with either the Transmission Control Protocol (TCP) or the User Datagram Protocol (UDP).
For this post, the other layers are mostly irrelevant except for the application layer. This layer contains protocols such as HTTP, DHCP, DNS, SNMP, SMTP, SMB, and so on. Layer 7 should not be confused with common user applications such as Microsoft Word or Google Chrome. DHCP in particular will be utilized later in the series.
The model itself isn't tangible; it just helps to conceptualize the different parts of the network. There is a second model, the TCP/IP model, that is often used alongside or instead of the OSI model. It consolidates the application, presentation, and session layers into one, and does the same with the physical and data link layers, for a total of four layers.
Address Resolution Protocol
Each network card has a unique address called the Media Access Control (MAC) address, assigned by the manufacturer. It is written as six groups of two hexadecimal (base 16) digits, AA:BB:CC:XX:YY:ZZ, where the first three groups identify the manufacturer and the last three identify the individual card, for 48 bits in total. Although the address is "burned in" by the manufacturer, most operating systems let you override it in software, so a MAC address on its own should never be treated as proof of which device is sending traffic.
An important MAC address to be aware of is the broadcast address, as indicated by FF:FF:FF:FF:FF:FF. When this address is used, the ethernet frame goes to everyone on the local network. Every device that is able to receive this frame is part of the same broadcast domain. Routers will not forward these broadcast frames, while a switch will.
The destination MAC address of the node must be known by the device sending the network traffic. However, IP addresses are logically configured by the network administrator. This means that the device has no idea what IP is going to be paired with what MAC address, so it has to find that information before it's able to send any traffic.
This is where the Address Resolution Protocol (ARP), residing on the data link layer, comes in. Before a packet is sent to an IP address, the sending device sends an ARP request to the FF:FF:FF:FF:FF:FF address, so that every node in the broadcast domain receives it, asking who has the given IP. The node with that IP address responds directly to the sender, stating "I have IP X.X.X.X, here is my MAC address." The sending device then sends the packet using the MAC address provided. With this process, ARP resolves IP addresses to MAC addresses. Note that ARP has no authentication: any node in the broadcast domain can answer a request, whether or not it really owns the IP address. This is one more reason to keep broadcast domains small and limited to devices that belong together.
The process is basically the same for sending traffic to another network. However, instead of resolving the MAC address of the destination IP, the sender resolves the MAC address of its default gateway, the network's router. From there, it is up to the router to determine where the packet goes next.
Note that when a device receives an ARP reply, that IP-to-MAC resolution is cached on the local device. We can see this on ITPC01. On the command line, type the following command:
C:\>arp -a
  Internet Address      Physical Address      Type
  192.168.5.100         000a.4192.9787        dynamic
Earlier we pinged 192.168.5.100, which we set on FINPC01, and then 192.168.5.102, which we set on DCSRV01. Notice there is no ARP entry for DCSRV01. ARP requests are broadcasts, and the router between ITPC01 and DCSRV01 does not forward broadcasts, so the request never reached the server and ITPC01 never learned its MAC address. Without a destination MAC address the ping could not be sent, which is why it timed out.
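To make the ARP behaviour above concrete, here is a small simulation I have added for this post (it is not part of the original walkthrough and not Packet Tracer code). It models one broadcast domain: a host that needs to reach an IP first broadcasts an ARP request, only the owner of that IP answers, the answer is cached, and a destination on the far side of a router never hears the request, so the ping times out exactly as it did for DCSRV01. It also shows the default-gateway case from the previous paragraph. FINPC01's MAC address is the one from the arp -a output; ITPC01's address, the other MAC addresses, the router interface at 192.168.5.1 and the off-subnet destination are all constructed for the example.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"


@dataclass
class Host:
    name: str
    mac: str
    ip: str                              # CIDR form, e.g. "192.168.5.101/24"
    gateway: Optional[str] = None        # default gateway IP, if one is configured
    arp_cache: Dict[str, str] = field(default_factory=dict)  # ip -> mac

    @property
    def iface(self) -> ipaddress.IPv4Interface:
        return ipaddress.ip_interface(self.ip)


class BroadcastDomain:
    """One layer 2 segment. Every host receives every broadcast frame;
    a router sits at the edge and never forwards broadcasts onward."""

    def __init__(self, *hosts: Host) -> None:
        self.hosts: List[Host] = list(hosts)
        self.frames: List[Tuple[str, str, str]] = []   # (src mac, dst mac, note)

    def arp_resolve(self, requester: Host, target_ip: str) -> Optional[str]:
        if target_ip in requester.arp_cache:           # cached: nothing goes on the wire
            return requester.arp_cache[target_ip]
        self.frames.append((requester.mac, BROADCAST_MAC, f"who-has {target_ip}"))
        for h in self.hosts:
            if h is not requester and str(h.iface.ip) == target_ip:
                # Only the owner of the IP answers, unicast back to the requester.
                self.frames.append((h.mac, requester.mac, f"{target_ip} is-at {h.mac}"))
                requester.arp_cache[target_ip] = h.mac
                return h.mac
        return None                                    # unanswered: the ping times out

    def send_ip(self, sender: Host, dst_ip: str) -> str:
        # On-subnet: resolve the destination itself. Off-subnet: resolve the gateway.
        if ipaddress.ip_address(dst_ip) in sender.iface.network:
            next_hop = dst_ip
        elif sender.gateway:
            next_hop = sender.gateway
        else:
            return "no route"
        mac = self.arp_resolve(sender, next_hop)
        if mac is None:
            return "timeout"
        self.frames.append((sender.mac, mac, f"IP {sender.iface.ip} -> {dst_ip}"))
        return "delivered" if next_hop == dst_ip else f"forwarded via {next_hop}"


def run_demo() -> Dict[str, object]:
    # FINPC01's MAC is the one from the post's arp -a output. Every other
    # address below (00:00:5e:00:53:xx is the IANA documentation range) and
    # the router interface are constructed for this example.
    finpc01 = Host("FINPC01", "00:0a:41:92:97:87", "192.168.5.100/24")
    itpc01 = Host("ITPC01", "00:00:5e:00:53:02", "192.168.5.101/24", gateway="192.168.5.1")
    router = Host("R01 Gig0/0", "00:00:5e:00:53:01", "192.168.5.1/24")
    dcsrv01 = Host("DCSRV01", "00:00:5e:00:53:03", "192.168.5.102/24")

    lan = BroadcastDomain(finpc01, itpc01, router)     # the PCs' segment
    server_lan = BroadcastDomain(dcsrv01)              # behind the router: separate domain

    results: Dict[str, object] = {
        "ping_finpc01": lan.send_ip(itpc01, "192.168.5.100"),
        "ping_dcsrv01": lan.send_ip(itpc01, "192.168.5.102"),   # same subnet, wrong segment
        "ping_offsubnet": lan.send_ip(itpc01, "192.168.20.10"), # goes to the gateway
    }
    before = len(lan.frames)
    lan.send_ip(itpc01, "192.168.5.100")               # second ping: answered from the cache
    results["frames_for_cached_ping"] = len(lan.frames) - before
    results["arp_cache"] = dict(itpc01.arp_cache)
    results["broadcasts_sent"] = sum(1 for _, dst, _ in lan.frames if dst == BROADCAST_MAC)
    results["frames_seen_by_server_segment"] = len(server_lan.frames)
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Run it and compare with what Packet Tracer showed: the ping to FINPC01 costs one broadcast, one unicast reply and the IP packet; the ping to DCSRV01 produces a broadcast that nobody on the segment can answer, so no cache entry and a timeout; the repeat ping to FINPC01 sends no ARP at all because the entry is cached. Nothing at all arrives on the server's segment, which is the router doing its job of not forwarding broadcasts.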
By now you can probably see how having one broadcast domain can affect network performance. Every broadcast a device sends is delivered to, and has to be processed by, every other device in the domain. For a network with only a few nodes this is not a problem, but consider a network with hundreds or thousands of nodes: every ARP request now interrupts every host, and the bandwidth and CPU spent on broadcasts grows with the size of the domain. In the worst case a forwarding loop, for example from an incorrect spanning-tree protocol (STP) configuration, causes the switches to re-flood the same broadcasts endlessly. This is a broadcast storm, and it can take the whole network down. Keeping broadcast domains small is one of the main reasons why we have VLANs.
Switches
Switches are fairly straightforward to understand on a basic level. By default, they operate only at layer 2 and work out of the box. Regardless, it isn't recommended to install a switch without proper configuration. Here we're configuring our switches from scratch, so it is worth mentioning that there are a couple of different types of switches.
There are two types of switches you should be aware of when shopping for one: managed and unmanaged. Unmanaged switches cannot be configured and lack many of the features a managed switch offers. The advantage is that they work out of the box with little setup overhead. The disadvantage is that you cannot configure quality of service or port security, which is both a performance limitation and a security concern. Unmanaged switches are usually used in home networks, where manageability doesn't really matter and users just need a quick way to get connected.
Managed switches offer advanced management and security features. They still work out of the box, but if you plug one into a production network unconfigured there is a significant chance something will break. Advantages include quality of service, port security, fine-tuning of protocols, and, on some models, layer 3 services. The disadvantage is the setup overhead, and they often cost hundreds to a few thousand dollars. Businesses often hire professional network engineers to configure managed switches and routers, since configuring them properly takes quite a bit of skill. For now, we are only concerned with a basic understanding of how a switch works.
When a switch receives a frame, it looks at the source MAC address and checks its MAC address table, which maps MAC addresses to the interface they were seen on. If the source address is not already in the table, the switch adds it together with the interface the frame arrived on. We can view the MAC address table on SW02 with the command below in privileged EXEC mode:
Switch#show mac address-table
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----

   1    00e0.b046.3b8a    DYNAMIC     Gig1/0/23
   1    00e0.f788.4c02    DYNAMIC     Gig1/0/1
Then, the switch looks at the destination MAC address and checks the table again. If there is a match, the frame is sent out of the corresponding port only. If the table doesn't contain the destination MAC address, or the address is the broadcast address FF:FF:FF:FF:FF:FF, the switch floods the frame out of every other port in the same VLAN. Once the destination device responds, its source address is learned and tied to an interface, and from then on traffic to that MAC address is sent out of that one port only.
It is important to note that one MAC address does not have to correspond to one interface in this context: a port connected to another switch will see many source addresses. The switch does not care unless security is configured. The table is also finite and is filled by whatever source addresses arrive, which is why features such as port security exist to limit which, and how many, addresses a port may learn.
Switches may handle frames differently based on STP and port security, but this is how frames are generally processed on a switch.
Now that we have a general understanding of how a switch operates, let's see how VLANs can break up one broadcast domain into multiple.
Virtual Local Area Network
Virtual local area networks (VLANs) logically separate a network by dividing the network into different broadcast domains. While they are technically virtual, I learned about system virtualization before VLANs, so this was a rather difficult topic for me to conceptualize at first. However, it is actually a very simple concept. Let's use an analogy to make it simple.
Picture a house with no walls on the inside (the LAN). Put three people in the house for them to have a conversation (nodes). This represents our LAN with no logical separation. These three people can communicate with no restrictions, and when one talks the other two can hear them regardless of who it's intended for.
However, Alice, Bob, and Eve all want to separate their belongings from one another. They're also getting tired of hearing other conversations that do not pertain to them. So, they build three rooms (VLANs) for separation and a hallway (trunk) to connect their rooms. Bob now knows his room, but doesn't know who resides in the other two, so the three of them hire a room keeper (router for inter-VLAN routing) and place him in the hallway to keep track of which room belongs to which person.
Now, Bob can lock his door to prevent Alice and Eve from accessing his equipment. Bob can also limit his communication to anyone in his room without disturbing the others. All three still reside in the same house, or LAN, but have segmented away from one another by creating their own space, or VLAN. If Bob needs to talk to Alice or Eve, he consults the room keeper to find which room to go to.
This is a very high-level explanation of a VLAN, but it describes the concept so you can visualize how it works. On a switch, you configure each VLAN by assigning it a number, which on a Cisco switch can be from 1 to 4094 (1002 through 1005 are reserved, as we will see below). VLAN 1 is the default VLAN that every interface belongs to if left unconfigured. Client machines are completely unaware of VLANs; a VLAN is purely a layer 2 concept.
VLANs are added to the switch and interfaces are assigned to them. When a frame enters an access interface, the switch associates it with that interface's VLAN and only sends it to interfaces in the same VLAN or to trunk interfaces that allow that VLAN. When the frame leaves on a trunk, the switch inserts an 802.1Q (or dot1Q) tag carrying the VLAN number, so the switch or router on the other end knows which VLAN the frame belongs to; when it leaves on an access interface, the tag is removed and the client never sees it.
A trunk is simply an interface that allows traffic from multiple VLANs to traverse it, told apart by their tags. For this reason, trunks should only be used when connecting two switches or a switch to a router for inter-VLAN routing. A host plugged into a trunk port could send frames tagged for any VLAN allowed on it and so bypass the separation the VLANs were meant to provide.
While not required, it doesn't make sense to configure different VLANs, assign interfaces to them, and then give the nodes addresses from the same IP network. Hosts in different VLANs but the same subnet would believe they are directly connected, so they would ARP for each other and never get a reply, and a router cannot route between two VLANs that share one subnet. With that in mind, it is best practice to pair one VLAN with one IP subnet, so nodes are separated at both layer 2 and layer 3 and traffic between them has to pass through a router, where it can be controlled.
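Here is an added example, written for this post rather than taken from it or from any switch vendor, that ties together the switch section above (learning source addresses, forwarding known unicasts, flooding unknowns and broadcasts) with the VLAN and trunk behaviour just described. It simulates a switch with two access VLANs and one 802.1Q trunk, and shows that a broadcast in one VLAN only reaches ports in that VLAN plus the trunk (tagged), that a learned address is forwarded out of one port only, and that frames with tags a port does not allow are dropped. The port names follow the Gig1/0/x scheme from the show commands above; the VLAN numbers 10 and 20, the hosts' MAC addresses and the allowed-VLAN list on the trunk are all constructed for the example, not the lab's configuration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class Frame:
    src: str
    dst: str
    vlan: Optional[int] = None   # None = untagged; an int = carries an 802.1Q tag
    payload: str = ""


@dataclass
class Port:
    name: str
    mode: str                    # "access" or "trunk"
    access_vlan: int = 1         # VLAN of an access port (VLAN 1 by default)
    allowed: Set[int] = field(default_factory=set)   # VLANs permitted on a trunk


class Switch:
    def __init__(self, ports: List[Port]) -> None:
        self.ports = {p.name: p for p in ports}
        # The MAC address table is kept per VLAN: (vlan, mac) -> port name.
        self.mac_table: Dict[Tuple[int, str], str] = {}

    def _ingress_vlan(self, port: Port, frame: Frame) -> Optional[int]:
        """Which VLAN does an incoming frame belong to? None means drop it."""
        if port.mode == "access":
            # Access ports carry one VLAN: the frame arrives untagged and the
            # switch associates it with the port's VLAN internally.
            return port.access_vlan if frame.vlan is None else None
        # Trunk: the 802.1Q tag says which VLAN; disallowed VLANs are dropped.
        return frame.vlan if frame.vlan in port.allowed else None

    def _egress(self, port: Port, vlan: int, frame: Frame) -> Optional[Frame]:
        """Frame as it leaves a port, or None if this port is not in the VLAN."""
        if port.mode == "access":
            if port.access_vlan != vlan:
                return None
            return Frame(frame.src, frame.dst, None, frame.payload)   # tag stripped
        if vlan not in port.allowed:
            return None
        return Frame(frame.src, frame.dst, vlan, frame.payload)       # tag carried

    def receive(self, in_port: str, frame: Frame) -> Dict[str, Frame]:
        """Process one frame and return {port name: frame as transmitted}."""
        port = self.ports[in_port]
        vlan = self._ingress_vlan(port, frame)
        if vlan is None:
            return {}
        # Learning: remember where this source address lives, within its VLAN.
        self.mac_table[(vlan, frame.src)] = in_port
        known = self.mac_table.get((vlan, frame.dst))
        if frame.dst != BROADCAST and known is not None:
            targets = [known]                                   # known unicast
        else:
            targets = [n for n in self.ports if n != in_port]   # flood within the VLAN
        out: Dict[str, Frame] = {}
        for name in targets:
            if name == in_port:
                continue
            sent = self._egress(self.ports[name], vlan, frame)
            if sent is not None:
                out[name] = sent
        return out


def run_demo() -> Dict[str, object]:
    # Constructed topology: two access ports in VLAN 10, one in VLAN 20, one trunk.
    sw = Switch([
        Port("Gig1/0/1", "access", access_vlan=10),
        Port("Gig1/0/2", "access", access_vlan=20),
        Port("Gig1/0/3", "access", access_vlan=10),
        Port("Gig1/0/24", "trunk", allowed={10, 20}),
    ])
    a, b, c = "00:00:5e:00:53:0a", "00:00:5e:00:53:0b", "00:00:5e:00:53:0c"  # constructed
    r: Dict[str, object] = {}
    out = sw.receive("Gig1/0/1", Frame(a, BROADCAST, payload="ARP who-has"))
    r["broadcast_from_vlan10"] = {p: f.vlan for p, f in out.items()}   # tag only on trunk
    out = sw.receive("Gig1/0/1", Frame(a, b, payload="unknown unicast"))
    r["unknown_unicast_ports"] = set(out)                               # flooded, VLAN 10 only
    out = sw.receive("Gig1/0/3", Frame(b, a, payload="reply"))
    r["learned_unicast_ports"] = set(out)                               # a was learned: one port
    out = sw.receive("Gig1/0/24", Frame(c, BROADCAST, vlan=20, payload="from other switch"))
    r["trunk_vlan20_broadcast"] = {p: f.vlan for p, f in out.items()}  # only the VLAN 20 port
    r["trunk_vlan30_dropped"] = sw.receive("Gig1/0/24", Frame(c, BROADCAST, vlan=30)) == {}
    r["tagged_on_access_dropped"] = sw.receive("Gig1/0/2", Frame(c, BROADCAST, vlan=10)) == {}
    r["mac_table"] = dict(sw.mac_table)
    return r


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Two points worth noticing in the output. The host on Gig1/0/2 never sees the VLAN 10 broadcast even though it is plugged into the same switch, which is the broadcast-domain split we want. And the trunk happily accepts a frame tagged 20 from whatever is connected to it, which is why the previous paragraph says trunks belong only between switches and routers. The model is a simplification (it drops any tagged frame on an access port and does not model table size limits or STP), but the learn, forward and flood logic is the same as on a real switch.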
Let's see which VLANs are currently configured on SW02. Type the following command below:
Switch#show vlan brief
Here is our output:
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gig1/0/1, Gig1/0/2, Gig1/0/3, Gig1/0/4
                                                Gig1/0/5, Gig1/0/6, Gig1/0/7, Gig1/0/8
                                                Gig1/0/9, Gig1/0/10, Gig1/0/11, Gig1/0/12
                                                Gig1/0/13, Gig1/0/14, Gig1/0/15, Gig1/0/16
                                                Gig1/0/17, Gig1/0/18, Gig1/0/19, Gig1/0/20
                                                Gig1/0/21, Gig1/0/22, Gig1/0/23, Gig1/0/24
                                                Gig1/1/1, Gig1/1/2, Gig1/1/3, Gig1/1/4
1002 fddi-default                     active
1003 token-ring-default               active
1004 fddinet-default                  active
1005 trnet-default                    active
Notice all interfaces are in VLAN 1, the default VLAN. VLANs 1002, 1003, 1004, and 1005 are reserved for legacy network types such as FDDI and Token Ring. Token Ring was once common, but it is extremely rare to see it in a modern network, and these reserved VLANs can be ignored.
Today, we covered concepts around switching and VLANs. In the next post we will be configuring our VLANs and reviewing the router-on-a-stick configuration for inter-vlan routing.