Vlan

Pages: 8 (1839 words) Published: January 15, 2013
Asymmetric VLAN and Traffic Segmentation For Shared Server Application using L2 switch

Shared Server/Shared Internet Access Application
[Diagram: Servers; user groups V2, V3, V4]

• Shared servers (mail server, data server, Internet access servers) can be accessed by all user groups, but access between groups is not allowed (for performance or security reasons)
• L2 solution: Asymmetric VLAN or Traffic Segmentation
• L3 solution: L3 switch + ACL to limit the access between groups.

Asymmetric VLAN vs. Traffic Segmentation

Asymmetric VLAN
• Needs strong 802.1q VLAN knowledge
• VLAN membership can span devices, and the server can be anywhere.
• Special 802.1q support (overlapping untagged VLANs) is needed
• May not support IGMP snooping
• Maximum number of VLANs is limited to 4096.

Traffic Segmentation
• Simple, no VLAN knowledge is needed.
• VLAN membership cannot span devices
• IGMP snooping still works.
• Traffic Segmentation can be hierarchical. No limit on the number of VLANs.
• Shared servers must be at the “TOP” switch (when using the hierarchical approach)

Scenario 1: Asymmetric VLAN

[Diagram: ISP; V1, Servers 192.168.1.x; V1, Internet Gateway 192.168.1.1; V2 192.168.1.x, Gw 192.168.1.1; V3 192.168.1.x, Gw 192.168.1.1]

• V1: port 1-8, untagged. Shared Server(s) or Internet Gateway
• V2: port 9-16, untagged. VLAN2 users (PC or hub/switch)
• V3: port 17-24, untagged. VLAN3 users (PC or hub/switch)

Objective and Requirement:
1. V2 and V3 can access V1 for shared Server (with IPX, same network IP, AppleTalk, NetBEUI etc)
2. V2 and V3 can access Internet Gateway for Internet Access using same network IP.
3. No access between V2 and V3.

Scenario 1: Asymmetric VLAN
PVID and VLAN settings:

ports      1-8    9-16   17-24
===============================
pvid       1..1   2..2   3..3
-------------------------------
VLANs
default    E..E   E..E   E..E
(V1)       U..U   U..U   U..U
V2         E..E   E..E   -..-
           U..U   U..U   -..-
V3         E..E   -..-   E..E
           U..U   -..-   U..U

enable asymmetric_vlan
create vlan v2 tag 2
create vlan v3 tag 3
config vlan v2 add untagged 1-16
config vlan v3 add untagged 1-8,17-24
config gvrp 1-8 pvid 1
config gvrp 9-16 pvid 2
config gvrp 17-24 pvid 3
save

Test:
1. V2 PC can access (ping) V1 servers and Internet Access is OK.
2. V3 PC can access (ping) V1 servers and Internet Access is OK.
3. V2 PC cannot see V3 PC, and V3 PC cannot see V2 PC.
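The three tests can also be checked offline against the configuration itself. The following is an added example, not part of the original slides: it parses the Scenario 1 commands and applies the 802.1Q rule that an untagged frame is classified by the ingress port's PVID and may only leave through ports that are members of that VLAN. It assumes a single 24-port switch whose ports all start as untagged members of the default VLAN with PVID 1; the function names are hypothetical.

```python
import re

# Scenario 1 commands as listed on this page. Assumption: before them, every
# port is an untagged member of VLAN "default" (VID 1) with PVID 1.
SCENARIO1 = """\
enable asymmetric_vlan
create vlan v2 tag 2
create vlan v3 tag 3
config vlan v2 add untagged 1-16
config vlan v3 add untagged 1-8,17-24
config gvrp 1-8 pvid 1
config gvrp 9-16 pvid 2
config gvrp 17-24 pvid 3
"""

def ports(spec):
    """Expand a port list such as '1-8,17-24' into a set of ints."""
    pairs = (part.partition("-") for part in spec.split(","))
    return {p for lo, _, hi in pairs for p in range(int(lo), int(hi or lo) + 1)}

def load(config, nports=24):
    """Return (PVID per port, egress member ports per VID) after the commands."""
    vid = {"default": 1}
    members = {1: set(range(1, nports + 1))}
    pvid = {p: 1 for p in members[1]}
    for line in map(str.strip, config.splitlines()):
        if m := re.fullmatch(r"create vlan (\S+) tag (\d+)", line):
            vid[m[1]] = int(m[2])
            members[vid[m[1]]] = set()
        elif m := re.fullmatch(r"config vlan (\S+) add (?:un)?tagged (\S+)", line):
            members[vid[m[1]]] |= ports(m[2])
        elif m := re.fullmatch(r"config gvrp (\S+) pvid (\d+)", line):
            pvid.update((p, int(m[2])) for p in ports(m[1]))
    return pvid, members

def leaks(config, group_a, group_b):
    """Directed (src, dst) pairs where a frame crosses between the two groups."""
    pvid, members = load(config)
    a, b = ports(group_a), ports(group_b)
    return sorted((s, d) for x, y in ((a, b), (b, a))
                  for s in x for d in y if d in members[pvid[s]])

def reachable(config, group_a, group_b):
    """True when every port pair can exchange frames in both directions."""
    pvid, members = load(config)
    return all(d in members[pvid[s]] and s in members[pvid[d]]
               for s in ports(group_a) for d in ports(group_b))
```

Because `leaks` is directional, it also reports one-way exposure, for example when a user VLAN's untagged member list is widened to cover another group's ports.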

Scenario 2: Asymmetric VLAN across two DES3526

[Diagram: ISP; switches S1 and S2; T; V1, Servers1 192.168.1.x; V1, Internet Gateway 192.168.1.1; V1, Servers2 192.168.1.x; V2 192.168.1.x, Gw 192.168.1.1; V3 192.168.1.x, Gw 192.168.1.1]

• V1: S1 port 1-4, S2 port 1-4, untagged. Shared Server(s) or Internet Gateway. S1 port 5-8, S2 port 5-8, tagged for uplink/downlink to other switches
• V2: S1 port 9-16, S2 port 9-16, untagged. VLAN2 users (PC or hub/switch)
• V3: S1 port 17-24, S2 port 17-24, untagged. VLAN3 users (PC or hub/switch)

Objective and Requirement:
1. V2 and V3 can access V1 for shared Server (with IPX, IP, AppleTalk, etc) or Internet Gateway
2. V2 and V3 cannot see each other

Scenario 2: Asymmetric VLAN across two DES3526
S1 settings

ports      1-4    5-8    9-16   17-24
=========================================
pvid       1..1   1..1   2..2   3..3
-----------------------------------------
VLANs
default    E..E   E..E   E..E   E..E
(V1)       U..U   T..T   U..U   U..U
V2         E..E   E..E   E..E   -..-
           U..U   T..T   U..U   -..-
V3         E..E   E..E   -..-   E..E
           U..U   T..T   -..-   U..U

enable asymmetric_vlan
create vlan v2 tag 2
create vlan v3 tag 3
config vlan default delete 5-8
config vlan default add tagged 5-8
config vlan v2 add untagged 1-4,9-16
config vlan v2 add tagged 5-8
config vlan v3 add untagged 1-4,17-24
config vlan v3 add tagged 5-8
config gvrp 1-8 pvid 1
config gvrp 9-16 pvid 2
config gvrp 17-24 pvid 3
save

Scenario 2: Asymmetric VLAN across two DES3526
S2 settings

enable asymmetric_vlan
create vlan v2 tag 2
create vlan v3 tag 3
config vlan default delete 5-8
config vlan default add tagged 5-8
config vlan v2 add untagged 1-4,9-16
config vlan v2 add tagged 5-8...