Lead Image © Maxim Kazmin, 123RF.com

Segmenting networks with VLANs

Logically Tunneled

Article from ADMIN 37/2017
Network virtualization takes very different approaches at the software and hardware levels to divide or group network resources into logical units that are independent of the physical layer. Typically, the goal is to implement security strategies. We show the technical underpinnings of VLANs.

The most obvious network separation is routinely carried out between the Internet and the internal network. The connection of the IT infrastructure of a company to the outside world is typically implemented in a demilitarized zone (DMZ), which is a subnet that provides controlled access to public servers and services that exist in it. A firewall separates the Internet from the DMZ, and another firewall separates the DMZ from the internal network (Figure 1). Thanks to this separation, access to publicly accessible services, such as email, Internet, DNS, or voice over IP (VoIP), can be granted while still protecting the internal corporate network from unauthorized access from the outside. Also, the distribution of the data streams into virtual LANs (VLANs) takes place in the DMZ.

Figure 1: The first and most important barrier occurs between Internet and intranet in a DMZ.

If you use VoIP, the Enterprise Session Border Controllers (E-SBCs) are also installed in the DMZ. An E-SBC is a kind of Session Initiation Protocol (SIP) firewall. The data firewalls pass the VoIP/video streams to the E-SBC via an open port. Because the E-SBC is an application-specific inspection component, it performs "deep packet inspection" and ensures that only legitimate SIP messages reach the VoIP/video components in the corresponding voice VLAN.

The E-SBC acts as a proxy and can perform VoIP/video interception or check encrypted connections. After the check, the data is encrypted again and redirected to the recipient. Additionally, an E-SBC can prevent denial-of-service (DoS) attacks on the telephone system. Positive and negative lists of IP addresses belonging to trusted communication partners and known attackers also can be created. Failed logon attempts are registered and the potential attackers then blocked. This prevents flooding of the call server with registration messages.

Advantages of VLANs

Network virtualization ensures that systems can be structured from a logical point of view – that is, independently of the physical topology. In traditional LANs, the devices of a physical wiring area, such as a floor or a building, usually make up a contiguous network group. Subdividing networks with VLANs typically offers various advantages, including flexibility in assigning devices to network segments.

A VLAN is a logical grouping of network devices or users that is not limited to a physical segment. VLANs segment switched networks logically by function, project team, or application within an organization. For example, all VoIP phones and VoIP servers can be connected to the same VLAN regardless of their location on the network.

Performance can be improved thanks to VLANs. For example, the delivery of specific traffic types (e.g., voice) in a VLAN can be prioritized in the transmission. Usually, admins simply use VLANs to reduce the size of broadcast domains and thus prevent broadcasts from propagating over the entire network. A VLAN is a broadcast domain that spans one or more switches. Packet forwarding between the different VLANs takes place at layer 3. To do this, each VLAN must have a connection to a router.

VLANs do not protect networks against spying or sniffing, since they can be monitored just like switched networks using data analyzers (e.g., Wireshark). Despite this shortcoming, VLANs are considered safer than normal networks. Strictly speaking, a normal network is itself a VLAN in which all nodes on the network use a VLAN ID of 0.

Multivendor VLANs

Multivendor VLANs can be created on the basis of IEEE 802.1p/Q. The type field in the corresponding packet format is shifted back by four bytes. The 802.1p/Q packet format also begins with the usual destination address (2 bytes), followed by the source address (2 bytes). Instead of the type field, another 4 bytes are added in the extended packet format, and the Ethernet header information that follows is moved back by these 4 bytes. These additional 802.1p/Q bytes contain the VLAN ID and the prioritization: a 2-byte VLAN type ID and 2 bytes of tag control information (TCI). The familiar type field ID, the data, and the CRC checksum then follow in the Ethernet packet.

The IEEE unambiguously defined the (hexadecimal) value "8100" as the VLAN type ID. The 16-bit TCI that follows carries the data prioritization (3 bits), a token-ring encapsulation flag (1 bit), and the VLAN identifier (12 bits). A maximum of 4,096 VLANs can be set up with the 12 bits of the VID (VLAN identifier) field. Tagged VLANs differ from the older, tagless, port-based VLANs; the term "tagged" refers to network packets that carry this extra VLAN tag.

Ensuring Quality of Service

To ensure quality of service within the MAC layer, the IEEE defined an extension of IEEE 802.1D (MAC bridges). The 802.1p standard (traffic class expediting and dynamic multicast filtering) describes methods for providing quality of service at the MAC level. IEEE 802.1p defines the following QoS parameters:

  • Service availability: Decides whether a service is provided in bridged LANs.
  • Frame loss: Equivalent to packet loss
  • Frame misorder: Re-requests of packets/frames are not possible at the MAC level; the packet order is thus a QoS parameter.
  • Frame duplication: Packet duplication is not supported by MAC services.
  • Transit delay experienced by frames: The time that elapses between the request and the confirmation of a successful transfer.
  • Frame lifetime: Limiting the lifetime of a packet within a network prevents the possible formation of loops (equivalent to the Time-to-Live [TTL] value in the header).
  • Undetected frame error rate: Very low error rate if the procedures for determining checksums (FCS, frame checksum) are used.
  • Maximum service data unit size supported: The maximum size of a packet within a network. Defined by the network element that has the smallest packet size.
  • User priority: Handled as a QoS parameter at the MAC level.
  • Throughput: Data throughput

Packets are distinguished, and mapped to the corresponding queues, by the priority carried in each packet or frame. IEEE 802.1p recommends a user priority and its mapping to traffic classes and the existing queues. Table 1 shows this relationship.

Table 1: Traffic Class Mapping

User Priority   Number of Available Traffic Classes
                  1   2   3   4   5   6   7   8
0                 0   0   0   1   1   1   1   2
1                 0   0   0   0   0   0   0   0
2                 0   0   0   0   0   0   0   1
3                 0   0   0   1   1   2   2   3
4                 0   1   1   2   2   3   3   4
5                 0   1   1   2   3   4   4   5
6                 0   1   2   3   4   5   5   6
7                 0   1   2   3   4   5   6   7

The specified user priority is defined by the application or by the user's authorizations. Within a network, the transported information (traffic types) is broken down into traffic classes (see Table 2).

Table 2: Traffic Classes

User Priority Value   Traffic Class      Comment
0                     Best effort        Normal data traffic
1                     Background         Large-volume data transmissions that are time critical and do not have special priority
2                     Spare              Not precisely specified
3                     Excellent effort   Important data
4                     Controlled load    Time-critical data with high priority
5                     Video              Image transfer (delay <100ms)
6                     Voice              Voice transmission (delay <10ms)
7                     Network control    Network management data, to keep the network running; server to determine the shortest route

Packet prioritization and the corresponding mapping to queues in the switch is achieved by the priority field in the VLAN tag (bits 1 to 3). The IEEE 802.1p standard defines the mapping of priorities to the respective traffic classes and existing queues. Within a network/VLAN, the transported information is assigned to different types of traffic. Usually, the respective packet priority is defined by the application or by the user's authorizations.

Distinguishing seven types of traffic as opposed to eight defined traffic classes reduces the number of queues required in the layer 2 switch. In practice, the number of available queues in the switches is less than the number of existing traffic classes. Currently, only two or four queues are used by most network components. For this reason, the administrator needs to adjust the traffic classes to reflect the queues that exist in the switch.
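As an added example (not code from the article), the following Python decodes the 802.1p/Q tag described above from a constructed Ethernet frame and then applies Table 1 to map the frame's user priority to a queue on a switch with a given number of queues. It assumes the standard 6-byte MAC addresses at the start of the frame; the sample frame, its MAC addresses, and the helper names are constructed for this illustration.

```python
import struct

VLAN_TPID = 0x8100  # the VLAN type ID defined by the IEEE ("8100")

# Constructed sample frame (not from the article):
# dst MAC | src MAC | TPID 0x8100 | TCI | original type field (IPv4) | payload
SAMPLE_FRAME = bytes.fromhex(
    "ffffffffffff"      # destination MAC (6 bytes, broadcast)
    "001122334455"      # source MAC (6 bytes, constructed)
    "8100"              # VLAN type ID (TPID)
    "c064"              # TCI: priority=6 (voice), token-ring flag=0, VID=100
    "0800"              # original type field, shifted back by 4 bytes (IPv4)
    "4500001400010000"  # a few constructed payload bytes
)

# Table 1 from the article: user priority -> traffic class (queue)
# for switches with 1..8 available queues.
TRAFFIC_CLASS_TABLE = {
    0: [0, 0, 0, 1, 1, 1, 1, 2],
    1: [0, 0, 0, 0, 0, 0, 0, 0],
    2: [0, 0, 0, 0, 0, 0, 0, 1],
    3: [0, 0, 0, 1, 1, 2, 2, 3],
    4: [0, 1, 1, 2, 2, 3, 3, 4],
    5: [0, 1, 1, 2, 3, 4, 4, 5],
    6: [0, 1, 2, 3, 4, 5, 5, 6],
    7: [0, 1, 2, 3, 4, 5, 6, 7],
}


def parse_vlan_tag(frame: bytes) -> dict:
    """Decode the 4-byte 802.1p/Q tag that sits where the type field used to be."""
    if len(frame) < 18:
        raise ValueError("frame too short to carry an 802.1Q tag")
    tpid, tci, ethertype = struct.unpack("!HHH", frame[12:18])
    if tpid != VLAN_TPID:
        raise ValueError(f"not a VLAN-tagged frame (type field 0x{tpid:04x})")
    return {
        "priority": tci >> 13,      # 3-bit user priority
        "cfi": (tci >> 12) & 0x1,   # 1-bit token-ring encapsulation flag
        "vid": tci & 0x0FFF,        # 12-bit VLAN identifier
        "ethertype": ethertype,     # the original type field that follows the tag
    }


def traffic_class(priority: int, queues: int) -> int:
    """Map a user priority to a queue for a switch that has `queues` queues (Table 1)."""
    if not 0 <= priority <= 7 or not 1 <= queues <= 8:
        raise ValueError("priority must be 0..7 and queues 1..8")
    return TRAFFIC_CLASS_TABLE[priority][queues - 1]


if __name__ == "__main__":
    tag = parse_vlan_tag(SAMPLE_FRAME)
    print(tag, "-> queue", traffic_class(tag["priority"], 4))
```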
