Webinar - VLAN and its Applications

G'day everyone and welcome to i-LAN Technology's  presentation on VLAN and its applications. This is Part 1 in our series of webinars where we will look at how VLANs (or Virtual Local Area Networks) can be used in small and medium sized networks. In this webinar we will look at how VLANs can  be configured and used using DrayTek routers, and in the following webinars we will expand our  discussion to include DrayTek VigorSwitches.

My name is Jawa and I'm a Technical Sales Specialist at DrayTek Aust & NZ. If you have any questions during the video please comment in the chat box on the right side of the screen, and stick around at the end for a 5 minute Q&A session. If you're watching this after the live Premiere, please comment below or send us an email to sales@draytek.com.au. It's time to begin today's session. We'll start out with a look at what a VLAN is and what sort of advantages they offer.

Then we will compare and outline  Port based and Tag based VLANs. We will also show a video that  demonstrates VLAN configuration on a DrayTek access point & Router. Other topics include VigorSwitch VLAN configuration and VLAN applications. As mentioned, DrayTek Layer 2+ VigorSwitches will be covered in greater detail in our next webinar that's coming soon. Let's start off by looking at what a  VLAN is and why we need to use it.

If you were to look up the definition of a VLAN, it would read: "A Virtual Local Area Network (VLAN) is a logical group of workstations, servers, and network devices that appear to be on the same LAN despite their geographical dispersion". The VLAN information is in the Layer 2 header of an Ethernet Data packet as shown in this diagram. It is 12 bits of data between the Type and Source MAC Address sections of the Ethernet packet. So in other words, a VLAN is a group of devices physically on the same LAN as other devices but separated from them using information in the Ethernet packet, and they don't necessarily have to be all together in one place.

Using VLANs allows you to segregate your network and prevent devices in one part of the network from getting access to other  parts in the network, and vice versa. VLANs allow you to segment your network by function or application. Unicast, broadcast, and multicast packets are forwarded and flooded out ports in the same VLAN.

This also enhances the network performance  since broadcasts and multicasts are not sent to other parts of the network. VLANs also ease network configuration by logically connecting devices without physically relocating those devices. Here we have a typical application of VLANs. We can see 4 local area networks: Administration, Sales, Support Department and the Warehouse.

The devices in each of these LANs could be in different locations within the company but are logically part of the same network. Some of you may be looking after large networks  which may have IP cameras, IP phones and so on in addition to your PC data network. You'll find that if all these devices are installed in a flat network, you will soon see network congestion resulting in slow network response times as well as poor phone call quality. The solution is to separate each  of these services by using VLANs. One of the benefits of using VLANs is that it  increases the number of broadcast domains. Hence reducing congestion and  improving performance of the network as described in our previous slide.

VLANs can also be used to create logical groups and allow communication  between required subnets. Firewall rules can also be used to  control data flow between networks where routing has been enabled,  thereby helping to secure the network. External threats are of course minimised. If an outside attacker is able to  gain access to one VLAN, they'll be contained to that network by the boundaries and controls in place to segment it from others.  Also VLANs are not restricted  to just one switch. They can span across multiple switches, hence  increasing flexibility to your network.

And grouping is logical here, not physical. To illustrate this, let's say within a building we have the Sales department on 1st floor but one of the sales persons is located on the second floor. So no matter where the PC is placed in the network, it can still be a part of the Sales VLAN. VLANs also help to make network administration much easier. By logically grouping users into the same virtual networks, you make it easy to set up and control your policies at a group level.

When users physically move workstations, you can keep them on the same network with different equipment. Or if someone changes teams  but not their workstation, they can easily be given access to whatever new VLANs they need. Troubleshooting problems on the network  can be simpler and faster when different user groups are  segmented and isolated from one another. If you know that complaints are only  coming from a certain subset of users, you'll be able to quickly narrow down  where to look to find the issue. VLANs also provide improved quality of service  by managing traffic more efficiently, so that end-users experience better performance.

There are also fewer latency problems on the network and improved reliability for critical applications. VLANs can also be used to prioritise traffic, to ensure critical application  data keeps flowing even when lower priority traffic  such as web browsing spikes. We will now look at the different types of VLANs.

The 2 main types are port  based and tag based VLANs. Starting with port based VLANs. As shown here, the VLANs are assigned  to the LAN ports on the router. So, any devices plugged into one of these  ports will be a part of that VLAN. We have 3 VLANs shown here. VLAN 0 for sales and VLAN 1 for admin, and a guest Wi-Fi VLAN.

Each of these workgroups  will be isolated from each other but can still access the same internet connection. The next type of VLAN is 802.1q tag-based VLANs. In the example shown here we have 3  different work groups connected to a switch shown by the different colours. The VLAN ID is limited by 12 bits, or 2 to the power of 12, which  gives a maximum limit of 4096. The actual number of VLANs that  can be configured will be limited by the router or the switch model and would usually be between 2 and 50. To achieve this, we have a single port on the router configured with multiple VLANs which also have a VLAN tag.

This is the VLAN trunk connection which is connected to a managed switch. In the example shown, we also have the 3 different VLANs in the VLAN trunk connection to the switch. Each VLAN shown by the orange, green and blue  colours can be for different work groups. The VLAN tag is inserted  into the data packet header and this is used to identify  which VLAN it belongs to. Another parameter in the VLAN  tag is the 802.1p setting.

This is used to specify the  priority level of the data packets, and ranges from 0 for best effort  to 7 being the highest level. If you want to allow  communication between each VLAN, then inter-LAN routing has  to be enabled between them. In this diagram we only want to  allow communication between the Administration workgroup and the Sales dept, so we enable routing between these two LANs. I'll briefly show you the configuration  steps to set up VLANs in DrayTek routers. We will start with port based VLANs. This applies to DrayOS routers such as the   Vigor2862 and Vigor2927 as well as others.

The steps involved are also covered in knowledge base articles that are available on our web site. Step 1 is to go to LAN>>VLAN config menu. Then select Enable. The next step is to assign all ports and SSIDs to a VLAN. Select LAN subnet for the VLAN in the circle there. Ensure all LAN ports and SSIDs are assigned to a VLAN. The number of ports and LANs will vary by the router model.

Also do note that we do not enable  VLAN tags for port-based VLANs. The next step is to enter the LAN subnet details  for each LAN including the DHCP details. Enable routing if required, by selecting the intersection of the  two LANs you wish to route between. Here we've enabled routing  between LAN 2 and LAN 3.

For Linux based routers such as the Vigor3900  and Vigor2960 the setup is different. First step is to create the VLANs and  then assign the LAN port as Untagged. The next step is to configure  the LAN subnets for each VLAN. In the example here we have assigned  the subnet to VLAN 100.

For Inter-LAN routing in Linux routers we only have the global option  to enable Inter-LAN routing. We need to select "Enable Inter-LAN Route". With the route group feature as shown here, you can use groups to allow or  block routing between VLANs. You can also use firewall rules to  control traffic flow between VLANs.

Setting up 802.1q tag-based VLANs in DrayOS  routers is similar to the port based VLAN setup but includes a couple of extra steps. Step 1, like I mentioned, is to go to  LAN>>VLAN config menu. Then select Enable. The next step is to assign all  ports and SSIDs to a VLAN and select a LAN subnet for each VLAN. The extra step is enabling the VLAN Tag and assigning a VLAN ID.

The priority setting is optional. A value of 0 is the lowest  priority and 7 is the highest. It is recommended to also select "Permit untagged device in P1 to access the router" as I have highlighted here. The reason for doing this is that usually we will have a switch between the router and a computer, and the switch handles the tagged data packet.

But if for some reason you want to connect a computer directly to the router, it will not be accessible. The next step is to enter the LAN subnet details for each LAN including the DHCP details. Enable routing if required, by selecting the intersection of the two LANs you wish to route between. Here we've enabled routing  between LAN 2 and LAN 3. For Linux based routers select the VLAN  for the member to be a tagged VLAN. In the example shown here we've selected  LAN port 2 to be a member of VLAN 30 which will make it a tagged VLAN.

We now need to set up the 802.1q trunk port. This is needed when connecting the router to a smart switch and we require all the VLANs to be available on the switch ports. In DrayOS routers select all the VLANs to belong to the same LAN port. In the example here we've assigned all the VLANs to port P1. For Linux routers, to set up an 802.1q trunk port we just select all the tagged VLANs to belong to the same LAN port. In the example shown here we have LAN port 2 configured as the 802.1q Trunk Port. A typical application of VLANs utilising the 802.1q Trunk is shown in this diagram.

The switch is connected to the router and we connect the PCs to the switch LAN ports, with each department assigned to a VLAN. Now here's a short video created a few years ago which shows how to configure VLANs on an access point and connect to a DrayTek router via an 802.1q VLAN trunk. The video is available on YouTube at the link shown. I'll also include a link in the description below if you'd like to check it out again later.

Hey everyone, this video demonstrates how to set up your access point with multi SSID. We can setup multi SSID to separate wireless LANs to different subnets.

Here in this example, AP connecting to a router has multiple subnets and it is passing traffic via trunk port. We will configure AP900 and Vigor2860 one by one. So let's configure Vigor2860 first.

Connect Vigor2860 to a computer. Open your web browser and log in to Vigor2860. Here we'll configure 4 LAN subnets with network  address, 2.0, 3.0 and 4.0, all with subnet mask To configure LAN1 go to LAN >> General Setup. Click on Details Page.

Enter IP address, subnet mask  and DHCP configuration. Similarly we need to configure  LAN2, LAN3 and LAN4. At this stage router does not allow to configure  remaining LAN subnets as they are inactive. To make them active we'll go  to LAN >> VLAN configuration.

Enable VLAN. We'll use port six as a trunk port, hence it will be part of all the VLANs. Now select LAN subnet, and a VLAN ID under "VLAN tag". Now let's allocate remaining ports. Here we will keep remaining  ports under VLAN 4 as untagged. Click ok to save the settings.

After router restarts, log into the  router again and go to LAN >> General Setup and configure remaining LAN subnets. For that, first enable LAN2, LAN3 and LAN4. Now check IP, subnet mask and DHCP  settings for LAN2 and change if required. Similarly check LAN3 and LAN4. Now we'll configure access point. Connect AP900 to a computer.

You will need to use static IP to a computer to access AP900, as DHCP server is inactive by default. Now go to LAN >> General Setup and disable DHCP client. Ensure that DHCP server is turned off so that all IP addresses will be assigned by Vigor2860 only. Then go to wireless LAN >> General Setup. Enable wireless LAN. Uncheck "Enable 2 subnet" option, and configure 4 VLANs with different VLAN ID as set on the router. Enter SSID name for them. Now go to wireless LAN >> Security. For each SSID, select an authentication mode, WPA algorithm and enter passphrase.

Click okay to save. Also set key renewal interval  to 3600 if not set. Both devices, Vigor2860 and  AP900, are now configured. We will connect LAN port No 6 of 2860  to AP900 through a network cable.

Now we will test the setup. From laptop, go to wireless and try to connect SSIDs  one by one and check IP addresses. Wireless client getting IP address  according to the SSID it connects to. Hence only one LAN physical connection between router and AP can pass the traffic for all VLANs. You can also enable inter-LAN routing under LAN >> General Setup, to allow communication among all VLANs.

Now we'll briefly take a look at VLAN  options in DrayTek VigorSwitches. We'll go over VLANs in VigorSwitches  in more detail in our next webinar. In a large network as shown in this diagram, much of the data traffic is between devices or servers on the local network, so not much traffic needs to go to the Internet. For example, IP cameras store videos to a  local NVR, the IP phones register to a PBX, and documents and files on PCs are  stored on the local file server. Utilising VLANs as well as layer 2+  features in DrayTek VigorSwitches will improve network performance and also reduce the need to have a higher  end router to handle local traffic.

The configuration steps we use when  setting up VLANs in VigorSwitches are: Add the VLANs by selecting tagged or Port-based. Assign VLAN Membership for Ports. Assign a port as Trunk port.

And finally, configuring the ports. In VigorSwitches we have 3  different types of VLANs. These are Voice and Surveillance VLAN,  MAC based and protocol-based VLAN.

Again, these will be covered in  more detail in our next webinar. Central switch management in DrayTek routers  provides a convenient and easy way to manage and configure VLANs in VigorSwitches. Instead of logging into each switch and  working through the configuration pages, you can just log into the router and centrally configure, and deploy the switches in your network.

You can also monitor the switch and LAN clients' status as well as perform maintenance tasks. It also allows easy deployment. Here we have a screenshot of one  of the configuration pages. The VLAN configuration is quick and easy  by using the graphical user interface.

With a few mouse clicks, VLANs  can be assigned to switch ports, and it'll also update the  router VLAN configuration. It will auto detect uplink and downlink, and  also auto configure PVID for the access port. Furthermore, it will auto configure a trunk  port when multiple VLANs are selected. The PVID value can be selected  from a drop-down menu. We will deep dive into Central Switch  Management in a future webinar where we'll talk about DrayTek  switching technologies. Let's look at some typical scenarios  where VLANs can be advantageous.

Let's assume that a company wants to separate the employees' Wi-Fi network and Guest Wi-Fi so it can restrict network access for guest users. We want guest users to be able to access the internet but we don't want them accessing other LAN resources such as the servers, printers & internal portals. So, two VLANs can be defined here to accomplish this - VLAN1 and VLAN2. The LAN subnet for VLAN1 can be set as, and the subnet for VLAN2 can be set as, and of course in this case we want to keep inter-LAN routing disabled. Another scenario is where four companies are located in the same building.

They share the broadband network and use a Vigor router for load  balancing, security, and VoIP features. So, four VLANs can be defined  - VLAN5, 6, 7 and VLAN8. There can be many other instances  where VLAN can be very helpful. Another example where VLANs are used is in  adding a VLAN tag for the WAN connection. This is set up in the WAN >> General Setup  configuration menu in DrayOS routers. Some NBN service providers use  VLAN tagging for WAN connections.

When connecting a DrayTek router to the  NBN via one of these service providers, you'll need to enable the VLAN tag. Otherwise data connection will not be available. Most ISPs in Australia use a VLAN tag of  100 or 2 but there are a few exceptions. The table you see at the bottom shows service providers in New Zealand who use a VLAN tag of 10. The example shown here is for New Zealand where we need to place a Vodafone router with a built in ATA for VoIP services behind the DrayTek router.

Here the WAN connection uses tagged VLAN and the attached VoIP router also  requires a Tagged VLAN connection coming from the DrayTek router's LAN port. This screen shot shows the settings we've used. We've basically configured VLAN 1 on LAN port  4 as a tagged VLAN port with a VLAN ID of 10. All other ports and SSIDs are  allocated to VLAN0 with no VLAN tags.

Alright. So, that brings us to the  conclusion of today's session. Let's summarise the key  takeaway messages, which are: VLANs help in improving network performance by reducing congestion, enhancing security, adding flexibility, allowing a logical grouping of users by function (not location) and they make it easier to administer networks. DrayTek routers and switches support  port based and Tag based VLAN. DrayTek routers support VLAN  tagging on WAN interfaces as well, which is something that's  often required by NBN ISPs in both Australia and NZ. Something that we didn't have time to go into today which DrayTek routers also support, is virtual WANs. This allows simulating several WAN connections  through one physical WAN connection, which is often used for Triple  Play services in some countries.

Well, that's about it from me  but please do stay tuned. We'll be answering any questions in the live chat on the right of your screen for the next five minutes. For more information about DrayTek products please check out our website  at www.draytek.com.au or send us an email to sales@draytek.com.au, or just give us a call on 02 98 3888 99. Please like and subscribe below, and if you'd like a notification of new premiere videos we're about to launch, or anytime we put up a new video, just give the bell a click too.

Thank you for your attention, I hope to see you again soon. Goodbye. :)
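Added example, not part of the webinar or of DrayTek's software: a Python sketch of how the 802.1Q tag described in the talk (a 12-bit VLAN ID plus the 3-bit 802.1p priority) is read from an Ethernet frame, and how a trunk port restricted to a set of VLAN IDs would treat tagged and untagged frames. The function names, verdict strings, allowed VLAN set and sample frames are assumptions constructed for illustration.

```python
import struct
from typing import NamedTuple, Optional

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q tag


class Dot1QInfo(NamedTuple):
    tagged: bool
    vid: Optional[int]   # 12-bit VLAN ID, None when no tag is present
    pcp: Optional[int]   # 3-bit 802.1p priority, None when no tag is present
    ethertype: int       # EtherType of the payload that follows any tag


def parse_dot1q(frame: bytes) -> Dot1QInfo:
    """Read the 802.1Q tag, if present, that follows the source MAC address."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    (first_type,) = struct.unpack_from("!H", frame, 12)
    if first_type != TPID_8021Q:
        return Dot1QInfo(False, None, None, first_type)
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, inner_type = struct.unpack_from("!HH", frame, 14)
    return Dot1QInfo(True, tci & 0x0FFF, tci >> 13, inner_type)


def trunk_verdict(frame: bytes, allowed_vids: set, permit_untagged: bool) -> str:
    """Hypothetical policy check for a trunk port carrying `allowed_vids`."""
    info = parse_dot1q(frame)
    # VID 0 is a priority-only tag in IEEE 802.1Q: handle it like untagged.
    if not info.tagged or info.vid == 0:
        return "accept-untagged" if permit_untagged else "drop-untagged"
    if info.vid == 4095:
        return "drop-reserved-vid"  # 0xFFF is reserved, never a usable VLAN
    if info.vid in allowed_vids:
        return f"accept-vlan-{info.vid}"
    return "drop-unknown-vlan"


def build_frame(vid=None, pcp=0, ethertype=0x0800) -> bytes:
    """Constructed sample frame: dummy MACs, optional tag, zero-filled payload."""
    dst, src = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
    tag = b"" if vid is None else struct.pack("!HH", TPID_8021Q, (pcp << 13) | vid)
    return dst + src + tag + struct.pack("!H", ethertype) + bytes(46)


if __name__ == "__main__":
    trunk = {10, 20, 30}  # constructed VLAN IDs for the trunk port
    for vid in (30, 40, None, 4095):
        print(vid, trunk_verdict(build_frame(vid), trunk, permit_untagged=False))
```
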

2021-02-13 00:59
