When you think about a UTM (Unified Threat Management appliance), you probably picture a security device installed at the network perimeter that controls outgoing traffic; most UTMs enforce policy based on user identity, IP address or MAC address. Have you ever thought about using a UTM to protect your VLAN network? NetCop can provide authentication-based VLAN security for your network.

Using NetCop UTM you can save time and money by taking advantage of VLANs with a single unmanaged switch or multiport hub. Many struggle with the concept of VLANs and never succeed in taking advantage of this technology. Once configured, NetCop dynamic VLANs can be deployed quickly without adding expensive hardware to your network. Let us show you how.

VLANs Explained

As you probably know, a VLAN is a Virtual LAN, or put another way: a partitioned switch. Imagine slicing a switch into four virtual pieces, or even gluing together four (or more) small switches. Each grouping is in a distinct broadcast domain, so devices in one VLAN cannot see broadcast traffic from others. The glued-together analogy works well, because it’s clear that you’re really talking about different layer 2 networks on each switch.

VLANs are extremely handy, and you’re probably using a separate VLAN for your server management network. Often, a VLAN is created with the idea that no router will live on that network. This keeps others from gaining access to the network unless they are physically located on it. Common practice is to connect a server to both the management network and a regular subnet, so that after logging into that server you will have access to the management network. While this works well, it also means your server’s management interface will occupy a switch port (configured to live in the management network), in addition to the server’s normal network interface.

The traditional way: hardware-based VLAN configuration

[FIG 1: six switch ports, each assigned to VLAN 1 or VLAN 2]

In FIG 1, each of the 6 ports used have been configured for a specific VLAN. Ports 1, 2 and 6 have been assigned to VLAN 1 while ports 3, 4 and 5 to VLAN 2.

[Diagram: VLAN 1 traffic confined to ports 1, 2 and 6; VLAN 2 traffic confined to ports 3, 4 and 5]

In the above diagram, this translates to allowing only VLAN 1 traffic in and out of ports 1, 2 and 6, while ports 3, 4 and 5 will carry VLAN 2 traffic. As you will recall, these two VLANs do not exchange any traffic with each other unless we are using a layer 3 switch (or router), as shown in FIG 2, and we have explicitly configured the switch to route traffic between the two VLANs.

[FIG 2: a layer 3 switch (or router) routing traffic between the two VLANs]

It is equally important to note at this point that any device connected to an Access Link (port) is totally unaware of the VLAN assigned to the port. The device simply assumes it is part of a single broadcast domain, just as with any normal switch. During data transfers, any VLAN information, and any data from other VLANs, is removed before the frame reaches the device, so the recipient has no information about other VLANs.

As shown, all packets arriving, entering or exiting the port are standard Ethernet II type packets which are understood by the network device connected to the port. There is nothing special about these packets, other than the fact that they belong only to the VLAN the port is configured for.

If, for example, we configured the port shown above for VLAN 1, then any packets entering/exiting this port would be for that VLAN only. In addition, if we decided to use a logical network such as 192.168.0.0 with a default subnet mask of 255.255.255.0 (/24), then all network devices connecting to ports assigned to VLAN 1 must be configured with the appropriate network address so they may communicate with all other hosts in the same VLAN.

Trunk Links

A Trunk Link, or ‘Trunk’, is a port configured to carry packets for any VLAN. These types of ports are usually found in connections between switches. These links require the ability to carry packets from all available VLANs because VLANs span multiple switches.

Switches connect to the network backbone via Trunk Links. This allows all VLANs created in our network to propagate throughout the whole network.

Again, as described previously, these VLANs do not exchange any traffic with each other unless we are using a layer 3 switch (or router) and we have explicitly configured the switch to route traffic between the VLANs.
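As an added example (not NetCop's code and not part of the original article), here is the frame handling that the Access Link and Trunk Link sections describe, modelled on IEEE 802.1Q tagging, the standard way a trunk carries several VLANs: the switch tags a frame with the access port's VLAN before it crosses a trunk, and on the way out to a host it strips the tag again or drops the frame, so the host only ever sees plain Ethernet II frames of its own VLAN. The sample frame and MAC addresses are constructed, not captured.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q VLAN tag

def parse_frame(frame: bytes) -> dict:
    """Split an Ethernet II frame into its fields; vlan is None when untagged."""
    if len(frame) < 14:
        raise ValueError("shorter than an Ethernet II header")
    dst, src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    vlan, offset = None, 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan, offset = tci & 0x0FFF, 18  # low 12 bits of the TCI hold the VLAN ID
    return {"dst": dst, "src": src, "vlan": vlan,
            "ethertype": ethertype, "payload": frame[offset:]}

def add_tag(frame: bytes, vlan: int) -> bytes:
    """Ingress from an access port: tag the frame with the port's VLAN before
    it is forwarded across a trunk link (PCP and DEI left at zero)."""
    if not 1 <= vlan <= 4094:  # 0 and 4095 are reserved by 802.1Q
        raise ValueError("VLAN ID must be in 1..4094")
    return frame[:12] + struct.pack("!HH", TPID_8021Q, vlan) + frame[12:]

def strip_tag(frame: bytes) -> bytes:
    """Remove the 4-byte tag so the host receives a plain Ethernet II frame."""
    if parse_frame(frame)["vlan"] is None:
        return frame
    return frame[:12] + frame[16:]

def access_egress(frame: bytes, port_vlan: int):
    """Egress toward a host on an access port: only the port's own VLAN passes,
    untagged; any other VLAN is dropped (None), so the host never sees it."""
    if parse_frame(frame)["vlan"] != port_vlan:
        return None
    return strip_tag(frame)

# Constructed sample: a broadcast IPv4 frame from a made-up locally
# administered MAC, as a host on an access port would send it (untagged).
SAMPLE_UNTAGGED = (bytes.fromhex("ffffffffffff") + bytes.fromhex("020000000001")
                   + struct.pack("!H", 0x0800) + b"\x00" * 46)

if __name__ == "__main__":
    on_trunk = add_tag(SAMPLE_UNTAGGED, 2)                # tagged for VLAN 2 on the trunk
    print(parse_frame(on_trunk)["vlan"])                   # 2
    print(access_egress(on_trunk, 2) == SAMPLE_UNTAGGED)   # True: VLAN 2 host gets it untagged
    print(access_egress(on_trunk, 1))                      # None: VLAN 1 host never sees it
```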

Keeping your network simple with NetCop’s dynamic VLAN capabilities

Let’s say you have decided to use VLANs to achieve better control over your network and create logical network groups for easier management and control.

[Diagram: logical network groups built with VLANs]

Given the options available, you have two choices:

First, you use the traditional way of configuring VLANs described earlier, in which you need to deploy managed switches and configure L3 routing so that the VLANs can communicate with each other.

Second, you implement NetCop-based dynamic VLANs. This lets you achieve better control over broadcast domains without spending a fortune on network hardware such as managed switches, L3 switches and routers.

In this configuration NetCop acts as the VLAN manager, enabling complex VLAN configurations. Following is a connectivity diagram of NetCop being used as the VLAN management server. Unlike the previous multi-VLAN configuration, this setup does not require any L3 switch or router to enable communication between VLANs.

All you need to do is use unmanaged switches with uplinks to build the large network shown in the diagram.

Features of NetCop:

  • No L3 Switches or Router required
  • Easy to configure and maintain
  • Unlimited number of VLANs supported
  • Users must be authenticated to use outside VLANs

Benefits of NetCop:

  1. Cost effective
  2. Easy to manage
  3. Easy to design and configure


For more information on NetCop please E-mail on sanjay143u@gmail.com
