Difference between revisions of "Training: vLAN"

From IPitomy Wiki
 
(One intermediate revision by one other user not shown)
Line 1: Line 1:
== vLANs ==
+
== Virtual LANs (vLANs) ==
vLANs, or Virtual LANs, are a way to logically, rather than physically, segregate your network traffic.  This can be done for multiple reasons, but primarily is done for security.  Traffic from one vLAN cannot cross over to another without a static route existing on the router.  Each individual port on a switch that supports vLANs can be configured as a member of one or more vLAN.  The port itself can be configured as either an access port, which allows ONLY membership on a single vlan, and does not require setting up your device to support vLAN (tagging your traffic), or a trunk port, which can be a member of multiple vLANs simultaneously.  vLAN traffic can either be untagged or tagged.  These concepts will all be explained below.
 
  
== Switch port types ==
+
=== Overview ===
 +
Virtual LANs (vLANs) are a pivotal concept in modern networking, providing a logical method to segregate network traffic for reasons primarily related to security and efficiency. Unlike traditional LANs, vLANs do this without the need for separate physical networks.
  
=== Access ===
+
=== Switch Port Types in vLANs ===
Access ports are intended for individual network devices, such as user PCs, phones, etc.  These ports are members of a single vLAN, and ALL traffic received from the plugged in device is automatically considered to be part of that vLAN.  This has the advantage of allowing devices to participate in a vLAN that do not natively support tagging.  The disadvantage is that you cannot make use of multiple devices coming off of that single port that need to be on different vLANs, such as a phone on a voice vLAN, with a PC plugged into the phone's PC passthrough port, on the data vLAN.
 
  
 +
==== Access Ports ====
  
=== Trunk ===
+
* Function: Designed for single vLAN membership.
Trunk ports can carry multiple vLANs simultaneously. By default, they are generally configured to carry ALL vLANs, but can be restricted to specific ones in the switch vLAN port configuration section, depending on switch make and model.  All trunk ports have a default vLAN membership, which is what vLAN untagged traffic is communicated on, and all other vLAN memberships must be tagged, so that the switch can know which vLAN to pass tagged packets to and from.  If a device with a vLAN ID is connected to the port that does not match any of the port's membership IDs, it will not pass any packets tagged with that ID at all.
+
* Usage: Ideal for devices like PCs or phones that don't support vLAN tagging.
 +
* Limitation: Each port can only belong to one vLAN, limiting the use of multiple devices requiring different vLANs on the same port.
  
 +
==== Trunk Ports ====
  
== vLAN traffic ==
+
* Function: Capable of carrying multiple vLANs simultaneously.
 +
* Configuration: Can be set to carry specific vLANs, distinguishing them using tags.
 +
* Default Behavior: Untagged traffic is assigned to a default vLAN.
  
=== Untagged ===
+
=== vLAN Traffic Types ===
All network traffic, unless otherwise specified, is untagged by default.  This simply means it has no vLAN header at all, and lets the switch transmit this traffic on whatever the default vLAN that particular port is set to (see above in access and trunk sections).
 
  
=== Tagged ===
+
==== Untagged Traffic ====
Packets with an optional vLAN header contain a VID (vLAN ID), which tells the switch what vLAN this packet belongs on.  If the port is not a member of that particular vLAN, it will not pass the packet (in or out).  This prevents someone from simply configuring a computer with the correct IP address information from accessing that network, if they are not plugged into a member port of the target vLAN, even if they do have the correct VID configured on their computer.
 
  
== Setting Up your vLAN ==
+
* Definition: Standard network traffic without vLAN identification.
 +
* Assignment: Automatically assigned to the port's default vLAN.
  
The first thing you'll need to decide is what device you want to handle DHCP for the vLAN. If your router is capable of handling this, with separate DHCP services on it for each vLAN, or if you want the PBX itself to act as a DHCP server for the voice vLAN. If you use the PBX, it will also act as a gateway for the phones.
+
==== Tagged Traffic ====
  
=== Router as DHCP server ===
+
* Definition: Contains a vLAN ID (VID) to direct it to the appropriate vLAN.
 +
* Security: Ports not configured for a specific VID will reject its traffic, enhancing network segmentation.
  
*System=>VLAN
+
=== Setting Up vLANs ===
**Enable VLAN: DISABLED. What this does is enable/disable the pbx dhcp server and a virtual interface for the vlan. The switch port that the PBX is plugged into should be set up as a member of the intended voice vLAN, UNTAGGED, since the PBX will be sending untagged packets for voice traffic.
 
  
*PBX Setup=>Phone Global
+
==== Deciding on DHCP Server ====
**Apply VLAN Config to Phones: ENABLED
 
**Phone VLAN Enable: Enabled - this makes the phone's voice traffic tagged instead of untagged
 
**Phone VID: set this to the ID of the voice vLAN you have designated for the phone traffic
 
**Phone Priority: This is currently not used
 
**PC VLAN Enable: generally disabled, this is for the phone's PC passthrough port, if you want to tag PC traffic or leave it untagged
 
**PC VID: generally not used unless you're using a data vLAN, if so, set this according to what vLAN ID the computer's traffic should be tagged with. PC VLAN must be enabled for this to have any effect
 
**PC Priority: currently not used
 
  
Switch setup: The port the PBX is going to be plugged into needs to be a member of the voice vLAN UNTAGGED (the pbx will be sending and receiving untagged traffic in this configuration). The ports that will have phones plugged into them will need to be members of the data vALN untagged, and the voice vLAN TAGGED, as the phone will be sending/receiving tagged packets, while the computer (if any), plugged into each phone, will be sending its data network traffic as UNtagged.
+
* Options: Choose between the router or the PBX system to manage DHCP for the vLAN.
 +
* Considerations: This decision influences subsequent network configurations.
  
The ports that are members of vLAN 10, whether tagged or untagged, can communicate with each other.  Ports NOT members of vLAN 10 at all can NOT communicate with vLAN 10 ports, unless those ports are a member of both 1 AND 10.
+
==== Configurations ====
 +
 
 +
===== Router as DHCP Server =====
 +
 
 +
* PBX Settings: Disable VLAN on the PBX system. Configure it to send untagged voice traffic.
 +
* Switch Port Configuration: Set the PBX-connected port as an untagged member of the voice vLAN.
 +
 
 +
===== PBX as DHCP Server =====
 +
 
 +
* PBX Settings: Enable VLAN with a unique IP address and subnet mask. Set the maximum DHCP leases.
 +
* Switch Port Configuration: Configure the PBX-connected port as a tagged member of the voice vLAN and untagged in the data vLAN.
 +
 
 +
=== Switch Configuration for Phones ===
 +
 
 +
* Requirement: Ports for phones should be members of both data (untagged) and voice (tagged) vLANs.
 +
* Purpose: Ensures proper segregation of phone traffic and PC access to the data network.
 +
 
 +
=== Inter-vLAN Communication Rules ===
 +
 
 +
* Rule: Ports in a specific vLAN (e.g., vLAN 10) can only interact with ports in the same vLAN.
 +
* Exception: Ports in different vLANs can communicate only if configured as members of the relevant vLANs.
  
 
[[File:VLAN router as DHCP.png|File:VLAN router as DHCP.png]]
 
[[File:VLAN router as DHCP.png|File:VLAN router as DHCP.png]]
  
=== PBX as DHCP server ===
+
== PBX Configuration for Voice vLAN ==
 +
 
 +
=== System Settings for vLAN ===
 +
 
 +
* Enable vLAN: Set to 'Enabled' to activate vLAN functionality on the PBX system.
 +
* vLAN IP Address: Assign an IP address that the phones will use to reach the PBX. Defaulting to 10.71.66.1 is usually adequate. Ensure this is distinct from the PBX's primary network interface to avoid conflicts.
 +
* vLAN Subnet Mask: Use 255.255.255.0 for up to 254 usable addresses, sufficient for most phone networks.
 +
* vLAN ID (VID): Default is 10. Adjust to match the voice vLAN ID configured on your switches.
 +
* Max DHCP Leases: Set to cover the anticipated number of phones but within the limits of your subnet (total addresses in the subnet minus one for the PBX).
 +
 
 +
=== PBX Global Phone Settings ===
 +
 
 +
* Apply vLAN Config to Phones: Set to 'Enabled' to apply vLAN settings to connected phones.
 +
* Phone vLAN Enable: Enable this to tag voice traffic from phones.
 +
* Phone VID: Match this with your voice vLAN ID.
 +
* Phone Priority: Not used in current configurations.
 +
* PC vLAN Enable: Typically disabled unless tagging PC traffic through the phone's passthrough port.
 +
* PC VID: Set if using a data vLAN for PCs connected through phones. Requires PC vLAN to be enabled.
 +
* PC Priority: Currently not utilized.
  
*System=>VLAN
+
=== Switch Configuration for PBX and Phones ===
**Enable VLAN: Enabled
 
**VLAN IP Address: This will be the IP address that the phones reach the PBX at. Leaving it default at 10.71.66.1 is generally fine, as you need it to be on a completely unique network range from the PBX's system=>networking IP range. Having this interface on the same network will cause the pbx to become unreachable.
 
**VLAN Subnet Mask: 255.255.255.0 will provide 254 useable addresses for your phone network. This is generally adequate.
 
**VID: 10 by default, but set this to whatever vlan ID is set in the switches for the voice vlan to use.
 
**Max DHCP Leases: This should be enough to cover the number of phones you anticipate having, but not be more than the number of addresses useable in the subnet mask, minus 1 address used by the pbx.
 
**DHCP Start Address and End Address: The range of your DHCP scope.
 
  
*PBX Setup=>Phone Global
+
* PBX Port Setup: Configure the switch port connected to the PBX as:
**Apply VLAN Config to Phones: ENABLED
+
** Untagged in the data vLAN (for communication with SIP trunks and other network services).
**Phone VLAN Enable: Enabled - this makes the phone's voice traffic tagged instead of untagged
+
** Tagged in the voice vLAN (for communication with phones).
**Phone VID: set this to the ID of the voice vLAN you have designated for the phone traffic
+
* Phone Ports Setup: Ports connecting to phones should be:
**Phone Priority: This is currently not used
+
** Untagged in the data vLAN.
**PC VLAN Enable: generally disabled, this is for the phone's PC passthrough port, if you want to tag PC traffic or leave it untagged
+
** Tagged in the voice vLAN, as phones will send/receive tagged voice traffic.
**PC VID: generally not used unless you're using a data vLAN, if so, set this according to what vLAN ID the computer's traffic should be tagged with. PC VLAN must be enabled for this to have any effect
+
** PCs connected to phone passthrough ports will send their data traffic untagged.
**PC Priority: currently not used
 
  
Switch setup: The port the PBX is going to be plugged into needs to be a member of the data vLAN UNTAGGED and voice vLAN TAGGED (the pbx will be sending and receiving untagged traffic on the data vLAN to communicate with SIP trunks, for example, and all communication between the pbx and local phones will be in tagged packets on the voice vLAN, in this configuration). The ports that will have phones plugged into them will need to be members of the data vALN untagged, and the voice vLAN TAGGED, as the phone will be sending/receiving tagged packets, while the computer (if any), plugged into each phone, will be sending its data network traffic as UNtagged.
+
[[Category:Training]]
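Review bot: the revised "System Settings for vLAN" list (Enable vLAN through Max DHCP Leases) drops the "DHCP Start Address and End Address: The range of your DHCP scope." setting that the previous revision listed under System=>VLAN, so the PBX-as-DHCP-server procedure no longer tells the reader where the lease range is set; suggest restoring that bullet directly after "Max DHCP Leases". The shortened "Router as DHCP Server" bullet ("Disable VLAN on the PBX system") also loses the previous explanation that this setting turns the PBX DHCP server and its virtual vLAN interface on or off, and the "vLAN IP Address" bullet reduces "Having this interface on the same network will cause the pbx to become unreachable" to "avoid conflicts"; both consequences are worth keeping in the new wording. Minor: the trunk-port statement that packets tagged with a VID the port is not a member of are not passed at all now survives only as the "Security" bullet under Tagged Traffic, and [[File:VLAN router as DHCP.png|File:VLAN router as DHCP.png]] appears twice in the new revision.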

Latest revision as of 17:45, 13 November 2023

Virtual LANs (vLANs)

Overview

Virtual LANs (vLANs) are a pivotal concept in modern networking, providing a logical method to segregate network traffic for reasons primarily related to security and efficiency. Unlike traditional LANs, vLANs do this without the need for separate physical networks.

Switch Port Types in vLANs

Access Ports

  • Function: Designed for single vLAN membership.
  • Usage: Ideal for devices like PCs or phones that don't support vLAN tagging.
  • Limitation: Each port can only belong to one vLAN, limiting the use of multiple devices requiring different vLANs on the same port.

Trunk Ports

  • Function: Capable of carrying multiple vLANs simultaneously.
  • Configuration: Can be set to carry specific vLANs, distinguishing them using tags.
  • Default Behavior: Untagged traffic is assigned to a default vLAN.

vLAN Traffic Types

Untagged Traffic

  • Definition: Standard network traffic without vLAN identification.
  • Assignment: Automatically assigned to the port's default vLAN.

Tagged Traffic

  • Definition: Contains a vLAN ID (VID) to direct it to the appropriate vLAN.
  • Security: Ports not configured for a specific VID will reject its traffic, enhancing network segmentation.

Setting Up vLANs

Deciding on DHCP Server

  • Options: Choose between the router or the PBX system to manage DHCP for the vLAN.
  • Considerations: This decision influences subsequent network configurations.

Configurations

Router as DHCP Server

  • PBX Settings: Disable VLAN on the PBX system. Configure it to send untagged voice traffic.
  • Switch Port Configuration: Set the PBX-connected port as an untagged member of the voice vLAN.

PBX as DHCP Server

  • PBX Settings: Enable VLAN with a unique IP address and subnet mask. Set the maximum DHCP leases.
  • Switch Port Configuration: Configure the PBX-connected port as a tagged member of the voice vLAN and untagged in the data vLAN.

Switch Configuration for Phones

  • Requirement: Ports for phones should be members of both data (untagged) and voice (tagged) vLANs.
  • Purpose: Ensures proper segregation of phone traffic and PC access to the data network.

Inter-vLAN Communication Rules

  • Rule: Ports in a specific vLAN (e.g., vLAN 10) can only interact with ports in the same vLAN.
  • Exception: Ports in different vLANs can communicate only if a port is configured as a member of both vLANs (for example, a port that is a member of vLAN 1 and vLAN 10 can reach ports in either).

File:VLAN router as DHCP.png

PBX Configuration for Voice vLAN

System Settings for vLAN

  • Enable vLAN: Set to 'Enabled' to activate vLAN functionality on the PBX system.
  • vLAN IP Address: Assign an IP address that the phones will use to reach the PBX. Defaulting to 10.71.66.1 is usually adequate. Ensure this is on a different network range from the PBX's primary (System=>Networking) interface; if both interfaces share the same range, the PBX becomes unreachable.
  • vLAN Subnet Mask: Use 255.255.255.0 for up to 254 usable addresses, sufficient for most phone networks.
  • vLAN ID (VID): Default is 10. Adjust to match the voice vLAN ID configured on your switches.
  • Max DHCP Leases: Set to cover the anticipated number of phones but within the limits of your subnet (total addresses in the subnet minus one for the PBX).
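The System Settings list above gives rules that can be checked mechanically before the settings are applied: the vLAN interface must sit on a different network range from the PBX's primary interface, the VID must be a legal 802.1Q value, and Max DHCP Leases may not exceed the usable addresses in the subnet minus one for the PBX. The following is an added example, written for this page rather than taken from the IPitomy PBX or the wiki, that encodes those rules; the field names follow the page's settings (including the DHCP start and end addresses of the scope), while the primary-interface values and the two sample configurations are constructed.

```python
"""Consistency checks for the PBX voice-vLAN settings described on the page.

Added example, not the PBX's own code or wiki content. Field names mirror
the page's System=>VLAN settings; the primary-interface values and the two
sample configurations below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import List


@dataclass
class PbxVlanSettings:
    enable_vlan: bool
    vlan_ip: str          # address the phones use to reach the PBX
    vlan_mask: str
    vid: int
    max_dhcp_leases: int
    dhcp_start: str       # DHCP scope on the vLAN interface
    dhcp_end: str
    primary_ip: str       # System=>Networking address of the PBX (constructed here)
    primary_mask: str


def lease_limit(vlan_ip: str, vlan_mask: str) -> int:
    """Usable addresses in the vLAN subnet minus one for the PBX itself."""
    net = ipaddress.IPv4Network(f"{vlan_ip}/{vlan_mask}", strict=False)
    usable = net.num_addresses - 2 if net.prefixlen < 31 else net.num_addresses
    return usable - 1


def validate(s: PbxVlanSettings) -> List[str]:
    """Return the list of problems found; an empty list means the settings are consistent."""
    problems: List[str] = []
    if not s.enable_vlan:
        return problems  # vLAN interface and PBX DHCP server are off; nothing to check

    vlan_net = ipaddress.IPv4Network(f"{s.vlan_ip}/{s.vlan_mask}", strict=False)
    primary_net = ipaddress.IPv4Network(f"{s.primary_ip}/{s.primary_mask}", strict=False)
    vlan_ip = ipaddress.IPv4Address(s.vlan_ip)

    # Rule from the page: the vLAN range must be distinct from the primary range.
    if vlan_net.overlaps(primary_net):
        problems.append(f"vLAN network {vlan_net} overlaps primary network {primary_net}; "
                        "the PBX will become unreachable")
    # 802.1Q VIDs 0 and 4095 are reserved; the page's default is 10.
    if not 1 <= s.vid <= 4094:
        problems.append(f"VID {s.vid} is outside the valid range 1..4094")
    # Rule from the page: leases <= usable addresses minus the PBX's own address.
    limit = lease_limit(s.vlan_ip, s.vlan_mask)
    if s.max_dhcp_leases > limit:
        problems.append(f"Max DHCP Leases {s.max_dhcp_leases} exceeds {limit} available in {vlan_net}")

    start = ipaddress.IPv4Address(s.dhcp_start)
    end = ipaddress.IPv4Address(s.dhcp_end)
    if start > end:
        problems.append("DHCP start address is after the end address")
    elif (start not in vlan_net or end not in vlan_net
          or start == vlan_net.network_address or end == vlan_net.broadcast_address):
        problems.append(f"DHCP range {start}-{end} is not inside the usable part of {vlan_net}")
    elif start <= vlan_ip <= end:
        problems.append(f"DHCP range {start}-{end} includes the PBX's own address {vlan_ip}")
    elif int(end) - int(start) + 1 < s.max_dhcp_leases:
        problems.append("DHCP range holds fewer addresses than Max DHCP Leases")
    return problems


# Constructed sample: the page's defaults with a primary interface on another range.
GOOD_SETTINGS = PbxVlanSettings(True, "10.71.66.1", "255.255.255.0", 10, 200,
                                "10.71.66.10", "10.71.66.250", "192.168.1.50", "255.255.255.0")
# Constructed sample: primary interface on the vLAN range and too many leases.
BAD_SETTINGS = PbxVlanSettings(True, "10.71.66.1", "255.255.255.0", 10, 300,
                               "10.71.66.10", "10.71.66.250", "10.71.66.20", "255.255.255.0")

if __name__ == "__main__":
    for name, cfg in (("good", GOOD_SETTINGS), ("bad", BAD_SETTINGS)):
        print(name, validate(cfg) or "OK")
```

Running the block prints `OK` for the first configuration and three findings for the second (the overlapping range, the lease count above the subnet's limit, and a scope too small for that count).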

PBX Global Phone Settings

  • Apply vLAN Config to Phones: Set to 'Enabled' to apply vLAN settings to connected phones.
  • Phone vLAN Enable: Enable this to tag voice traffic from phones.
  • Phone VID: Match this with your voice vLAN ID.
  • Phone Priority: Not used in current configurations.
  • PC vLAN Enable: Typically disabled unless tagging PC traffic through the phone's passthrough port.
  • PC VID: Set if using a data vLAN for PCs connected through phones. Requires PC vLAN to be enabled.
  • PC Priority: Currently not utilized.

Switch Configuration for PBX and Phones

  • PBX Port Setup: Configure the switch port connected to the PBX as:
    • Untagged in the data vLAN (for communication with SIP trunks and other network services).
    • Tagged in the voice vLAN (for communication with phones).
  • Phone Ports Setup: Ports connecting to phones should be:
    • Untagged in the data vLAN.
    • Tagged in the voice vLAN, as phones will send/receive tagged voice traffic.
    • PCs connected to phone passthrough ports will send their data traffic untagged.
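The Tagged Traffic, Inter-vLAN Communication Rules and Switch Configuration sections above all rest on one forwarding rule: an untagged frame is placed on the port's default vLAN, and a tagged frame is accepted only if the receiving port is a member of its VID, after which it can only leave through ports that are members of that VID. The following is an added example, written for this page and not taken from the IPitomy PBX or any switch vendor, that parses the 802.1Q tag from a raw Ethernet frame and applies that membership rule to the port layout the page describes (PBX and phone ports untagged in the data vLAN and tagged in voice vLAN 10, plus a plain access port). The port names, MAC addresses and frames are constructed; the treatment of a tagged frame whose VID equals the port's default vLAN as accepted is an assumption, since the page does not say.

```python
"""802.1Q tag parsing and a minimal model of switch-port vLAN membership.

Added example (not from the wiki page or the PBX). Port names, MAC
addresses and the sample frames are constructed. The membership rule is
the one the page states: untagged frames go to the port's default vLAN,
and a tagged frame is passed only by ports that are members of its VID.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

TPID_8021Q = 0x8100  # EtherType value that introduces an 802.1Q tag


def build_frame(dst: bytes, src: bytes, payload: bytes,
                vid: Optional[int] = None, pcp: int = 0) -> bytes:
    """Build a constructed Ethernet frame, optionally carrying an 802.1Q tag.

    The tag sits between the source MAC and the real EtherType:
    TPID (0x8100) then the 16-bit TCI = PCP(3 bits) | DEI(1 bit) | VID(12 bits).
    """
    if vid is not None and not (1 <= vid <= 4094 and 0 <= pcp <= 7):
        raise ValueError("VID must be 1..4094 and PCP 0..7")
    header = dst + src
    if vid is not None:
        tci = (pcp << 13) | vid  # DEI bit left at 0
        header += TPID_8021Q.to_bytes(2, "big") + tci.to_bytes(2, "big")
    return header + b"\x08\x00" + payload  # 0x0800 = IPv4 EtherType


def parse_vlan_tag(frame: bytes) -> Optional[Tuple[int, int]]:
    """Return (vid, pcp) if the frame carries an 802.1Q tag, else None."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    if int.from_bytes(frame[12:14], "big") != TPID_8021Q or len(frame) < 16:
        return None
    tci = int.from_bytes(frame[14:16], "big")
    return tci & 0x0FFF, tci >> 13


@dataclass
class SwitchPort:
    name: str
    untagged_vid: int                        # default vLAN of the port
    tagged_vids: Set[int] = field(default_factory=set)

    def is_member(self, vid: int) -> bool:
        # Assumption: a tagged frame carrying the default VID is also accepted.
        return vid == self.untagged_vid or vid in self.tagged_vids


def classify_ingress(port: SwitchPort, frame: bytes) -> Optional[int]:
    """vLAN the switch assigns to a frame received on `port`; None means dropped."""
    tag = parse_vlan_tag(frame)
    if tag is None:
        return port.untagged_vid                 # untagged -> port's default vLAN
    vid, _pcp = tag
    return vid if port.is_member(vid) else None  # non-member VID is rejected


def can_forward(ingress: SwitchPort, frame: bytes, egress: SwitchPort) -> bool:
    """True if a frame entering `ingress` may be sent out of `egress`."""
    vid = classify_ingress(ingress, frame)
    return vid is not None and egress.is_member(vid)


# Constructed topology: data vLAN 1, voice vLAN 10 (the page's example VID).
PBX_PORT = SwitchPort("port1", untagged_vid=1, tagged_vids={10})    # PBX-as-DHCP-server layout
PHONE_PORT = SwitchPort("port2", untagged_vid=1, tagged_vids={10})  # phone with PC passthrough
SERVER_PORT = SwitchPort("port3", untagged_vid=1)                   # plain access port

MAC_PBX = bytes.fromhex("020000000001")      # constructed, locally administered
MAC_SERVER = bytes.fromhex("020000000002")
MAC_PHONE = bytes.fromhex("020000000010")
MAC_PC = bytes.fromhex("020000000020")

VOICE_FRAME = build_frame(MAC_PBX, MAC_PHONE, b"SIP", vid=10, pcp=5)   # phone -> PBX, tagged
PC_FRAME = build_frame(MAC_SERVER, MAC_PC, b"HTTP")                   # PC via passthrough, untagged
ROGUE_FRAME = build_frame(MAC_PBX, MAC_SERVER, b"SIP", vid=10)        # VID 10 on a non-member port


def scenario() -> Dict[str, bool]:
    """Outcomes for the constructed frames under the page's membership rule."""
    return {
        "phone_voice_reaches_pbx": can_forward(PHONE_PORT, VOICE_FRAME, PBX_PORT),
        "phone_voice_reaches_server": can_forward(PHONE_PORT, VOICE_FRAME, SERVER_PORT),
        "pc_data_reaches_server": can_forward(PHONE_PORT, PC_FRAME, SERVER_PORT),
        "rogue_tag_on_access_port_dropped": classify_ingress(SERVER_PORT, ROGUE_FRAME) is None,
    }


if __name__ == "__main__":
    for check, result in scenario().items():
        print(f"{check}: {result}")
```

The last check is the page's "Security" point in code: a host on the access port can put VID 10 in its frames, but because that port is not a member of vLAN 10 the switch drops them on ingress, so the correct VID alone does not reach the voice network.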