Small Business Networking Goes Virtual

While a LAN may make sense for small networks, it makes expansion or reorganization difficult. Under a LAN setup, all the devices and equipment are located physically near each other and directly connected to a router. In this case, a physically dispersed organization can't use a single network address space. To put users on the same broadcast domain, regardless of physical proximity, the organization needs a VLAN.

For LANs with a lot of broadcast traffic or more than 200 devices, there is an increased chance of packet collisions happening. Packet collisions can cause latency issues within the network. VLANs confine broadcast traffic so that only the VLAN's members will see it, not every device connected to the router. This makes sense for groups using an application that is not available to the entire organization, such as VoIP. VoIP users can be assigned to their own VLAN, and the voice traffic will not interfere with other traffic for regular users.

For this TechBuilder recipe, the Channel Test Center redefined an existing LAN to take advantage of VLANs for bandwidth and security purposes. The network, designed to approximate the kind of environment found in small businesses, consisted of several servers, desktops and laptops, all running either Microsoft Windows XP, Windows Vista, or Debian Linux. The LAN included both wired and wireless networks. For this VLAN setup, Test Center engineers used the Netgear Prosafe 48-Port Gigabit Stackable Smart Switch GS748TS.

Netgear is not the only company to make VLAN-capable switches. Cisco's line of Catalyst switches and HP's ProCurve Networking product line also support VLANs. The GS748TS is a stackable smart switch with 48 Gigabit Ethernet ports and four SFP combo fiber ports. Two dedicated ports provide a 20-Gbps, dual-ring, stacking bus to allow up to six switches to be stacked, for a grand total of 288 available ports. The Netgear Prosafe switch includes a suite of robust security features, high quality of service and high availability. It also supports Access Control Lists, 802.1x port authentication, rate limiting and IGMP Snooping. All the devices connected to this switch (and all the stacked switches) can be managed from a single IP address through a comprehensive Web-based management interface.


While creating subnets solves the broadcast traffic problem, all devices on that subnet must be connected to the same switch and that switch must be connected to a port on the router. Under a VLAN configuration, each VLAN is already on its own subnet. Devices in different physical locations, irrespective of which switch (same or different) they are connected to, can be assigned to the same network.

Step 1: Design it on paper and assign the ports

For this step, engineers conceptually laid out exactly what the network would consist of. Depending on usage, number of users and type of devices, the network design can vary in its level of complexity. For this setup, engineers identified four different groups: the broadband connection, the wired network, wireless connectivity and an isolated testing network.

The switch is configured to consider VLAN1 as the default. In the plan, engineers decided to make the internal wired network part of VLAN1. The wireless had the label VLAN3 and the isolated testing network was VLAN4. The port that the broadband, or high-speed, connection would be plugged into was assigned as VLAN2.

With the various groups identified, engineers divided up the ports and assigned them to each group. To allow traffic to pass from one group to another, or to reach the Internet, the broadband router had to be connected to a port that was a member of all of the VLANs. Port 1 was set aside to be part of VLAN1, VLAN2, VLAN3 and VLAN4 since that is where the router would go. Ports 2 to 7 would also be part of VLAN2, for other sources of broadband. The bulk of the ports, from ports 8 to 36, were allocated for the internal wired network, VLAN1. The wireless VLAN3 had ports 37 to 42. And finally, the design assigned VLAN4, the testing network, to ports 43 to 48.

That ends the planning stage. Now, time to actually deploy the switch.

Step 2: Set up the switch

Engineers plugged a laptop directly into the switch and powered up both the switch and the laptop. Both the SmartWizard Discovery program and the Web browser interface can be used to configure the switch. The SmartWizard Discovery program can find all the switches on the network without knowing their IP addresses. The Web browser interface can be accessed from any location via the switch's IP address, supports password protection, and allows more extensive configuration and backup of the settings. The switch comes pre-configured from the manufacturer with a default IP address of 192.168.0.239 and subnet mask of 255.255.255.0.

A static and valid IP address can be manually assigned to the switch using Netgear's SmartWizard Discovery program. For networks with DHCP, the program can "discover" the switch and have the DHCP assign a dynamic address. After the switch has received a new address, clicking on Web Access from the program opens up the browser-based interface.

Engineers manually configured the laptop to be on the switch's default subnet and opened up the Web configuration tool. Changing the machine's subnet is necessary to access the Web configuration tool without using the SmartWizard Discovery program.

The default password is "password."

At this point, a better IP address that fits the rest of the network can be assigned. If a static address has already been assigned, then there's no need to put in a new IP address. For security purposes, engineers changed the password to the Web-based configuration.

Step 3: Create VLANs

It is very easy to create VLANs. From the Web tool, there's a section in the left pane for VLAN. Click on Properties to open the VLAN Properties Page. All existing VLANs, with their ID, name and type, are listed in a table. There's also the option for deleting VLANs. Clicking on the button marked Add opens the Add VLAN Page, where a number (for the ID) and a name (any text) are entered to create a new VLAN. This is done three times to create VLAN2, VLAN3, and VLAN4. VLAN1 exists by default.

Step 4: Assign the ports

It's not enough to just create the VLANs. The switch also needs the port assignments that were made in Step 1. The information is entered via the VLAN Membership Page, accessible under the VLAN | Membership link. The page shows a table with VLAN information and a schematic of all the ports on the switch. The boxes representing the ports are either blank or marked with a T or U. A T indicates the port is a tagged member of the VLAN: all packets for that VLAN forwarded out of the interface carry an 802.1Q tag. A U indicates the port is an untagged member: packets for that VLAN are forwarded out of the interface without a tag. A blank box indicates the port is not a member of the VLAN.

A tagged egress port means packets for any VLAN it belongs to are sent out on this port. A special tag in the frame header accompanies each packet, indicating which VLAN it is meant for. An untagged egress port means packets for a VLAN are sent out without this tag data.

First, VLAN1 is configured. Under the schematic drawing on VLAN1's membership page, ports 8 to 36 were toggled to be untagged egress ports. Port 1 is toggled as a tagged egress port. Hitting the Apply button saves the port configuration settings.

To configure VLAN2, ports 2 to 7 are selected as untagged egress ports. Port 1 is a tagged egress port. VLAN3 is configured similarly, with ports 37 to 42 as untagged egress ports and port 1 as a tagged one. Finally, the VLAN4 has ports 43 to 48 as untagged and port 1 as tagged. As decided in the design, port 1 is toggled to a tagged egress port for all four VLANs.

Step 5: Configure the ports

Engineers configured the PVID settings for each port. Each port is assigned a default VLAN (its PVID) to which an incoming untagged packet is forwarded. All ports must have a defined PVID; otherwise the default PVID, VLAN1, is used. Basically, any untagged packet arriving on a port goes to the other ports in that VLAN. Since port 1 is included in all VLANs, the router port receives packets from every VLAN.

The Interface PVID Settings Page is accessible from the VLAN menu, under Interface PVID Settings. In the resulting table, the PVID needs to be assigned for each port. As in the previous step, ports for VLAN2, VLAN1, VLAN3, and VLAN4 need to be assigned with the correct integer value associated with that VLAN.
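To check the plan from Step 1 against the membership (Step 4) and PVID (Step 5) settings before trusting the switch with real traffic, here is an added Python model of the 802.1Q forwarding rule those two pages implement. It is example code written for this article, not Netgear's software or the switch's configuration format; the port numbers and VLAN IDs are the article's, the `Switch` class and the `build_article_switch` and `leaks_between_vlans` functions are names chosen here, and ingress filtering of tagged frames is an assumption about the switch rather than something the page documents.

```python
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class Switch:
    """Port-based 802.1Q switch model: VLAN membership (the T/U boxes) plus per-port PVID.

    Constructed for this article; not Netgear code.
    """
    # vlan_id -> {port: "T" (tagged egress) | "U" (untagged egress)}
    membership: dict[int, dict[int, str]] = field(default_factory=dict)
    # port -> PVID, the VLAN given to untagged frames arriving on that port
    pvid: dict[int, int] = field(default_factory=dict)
    DEFAULT_VLAN = 1  # the switch treats VLAN1 as the default PVID

    def set_members(self, vlan: int, untagged=(), tagged=()) -> None:
        """Equivalent of toggling ports to U or T on one VLAN's membership page."""
        members = self.membership.setdefault(vlan, {})
        for p in untagged:
            members[p] = "U"
        for p in tagged:
            members[p] = "T"

    def set_pvid(self, ports, vlan: int) -> None:
        """Equivalent of the Interface PVID Settings page."""
        for p in ports:
            self.pvid[p] = vlan

    def classify_ingress(self, port: int, tag: int | None) -> int | None:
        """VLAN an arriving frame belongs to, or None if the frame is dropped.

        Untagged frames take the port's PVID (VLAN1 if none was set). Ingress
        filtering is ASSUMED here: a tagged frame is dropped unless the port is
        a member of the VLAN it claims, so a host cannot join another VLAN just
        by tagging its own frames.
        """
        vlan = tag if tag is not None else self.pvid.get(port, self.DEFAULT_VLAN)
        if port not in self.membership.get(vlan, {}):
            return None
        return vlan

    def forward(self, port: int, tag: int | None = None) -> dict[int, int | None]:
        """Flood a frame arriving on `port` within its VLAN.

        Returns {egress_port: vlan_tag_or_None}: tagged members get the VLAN id
        in the 802.1Q header, untagged members get the frame with no tag. No MAC
        learning is modelled, so every frame is treated as a broadcast, which is
        exactly the traffic VLANs exist to contain.
        """
        vlan = self.classify_ingress(port, tag)
        if vlan is None:
            return {}
        return {p: (vlan if mode == "T" else None)
                for p, mode in self.membership[vlan].items() if p != port}


ROUTER_PORT = 1  # the article's choice; any port could have been used


def build_article_switch() -> Switch:
    """The port plan from Step 1, entered as in Steps 4 and 5."""
    sw = Switch()
    sw.set_members(1, untagged=range(8, 37), tagged=[ROUTER_PORT])   # internal wired
    sw.set_members(2, untagged=range(2, 8), tagged=[ROUTER_PORT])    # broadband
    sw.set_members(3, untagged=range(37, 43), tagged=[ROUTER_PORT])  # wireless
    sw.set_members(4, untagged=range(43, 49), tagged=[ROUTER_PORT])  # isolated testing
    sw.set_pvid(range(2, 8), 2)
    sw.set_pvid(range(8, 37), 1)
    sw.set_pvid(range(37, 43), 3)
    sw.set_pvid(range(43, 49), 4)
    return sw


def leaks_between_vlans(sw: Switch) -> list[tuple[int, int]]:
    """(source_port, leaked_to_port) pairs where an untagged frame from one access
    port reaches an access port with a different PVID. An empty list means the
    layer-2 isolation holds; traffic between VLANs then only crosses via the router."""
    leaks = []
    for src, src_vlan in sw.pvid.items():
        for dst in sw.forward(src):
            if dst != ROUTER_PORT and sw.pvid.get(dst) != src_vlan:
                leaks.append((src, dst))
    return leaks


if __name__ == "__main__":
    sw = build_article_switch()
    print("test-network frame from port 43 reaches:", sw.forward(43))
    print("router frame tagged VLAN3 reaches:", sorted(sw.forward(ROUTER_PORT, tag=3)))
    print("port 43 claiming VLAN1 reaches:", sw.forward(43, tag=1))
    print("layer-2 leaks:", leaks_between_vlans(sw))
```

Running it shows the property the design relies on: a broadcast from the testing network on port 43 reaches only ports 44 to 48 (untagged) and port 1 (tagged VLAN4), never the wired ports, and a frame on a VLAN4 port that carries a VLAN1 tag is discarded under the assumed ingress filtering. The model stops at the switch; whether VLAN4 can talk to VLAN1 at all is then decided by the router's inter-VLAN routing and the firewall rules from Step 7, which is where the isolation of the testing network must actually be enforced.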

Step 6: Install the router

The router that connects the LAN to the Internet is plugged into port 1. As a side note, there was no requirement to make port 1 the router's port. Any port could have been used.

The router needed IEEE 802.1Q support enabled so that it would be aware of the four VLANs and could read the tags on port 1. The router is configured to route packets between VLANs.

Step 7: Secure the network

A firewall in place would protect the internal VLANs from the outside. The wireless should have WPA security turned on. At this point, the network is up and running, passing information between and across the VLANs. If the machines have Gigabit cards inside, then the port will be working at Gigabit speed.

Step 8: Back up the configuration

Finally, the configuration should be backed up in case of a future problem, or if another switch needs to be deployed with identical configuration. Unlike many other Web-configured networking products, Netgear doesn't allow the configuration to be downloaded from the browser. The only way to get the configuration file is through a TFTP server.

Under the File Management link on the left pane, there is an option to transfer files. The File Management pane gives the option either to download new firmware to the switch or to upload the configuration file off the switch. For the backup, select the configuration upload option and enter the IP address of the TFTP server. The switch uploads the configuration data and a copy of the firmware.

If there's any reason to think new firmware is available, this page can be used to download it onto the switch. The firmware can be downloaded manually and installed using the SmartWizard Discovery program. It can also be copied to the TFTP server, from where the Web tool can download and install it via the File Management pane.

And that's it -- the switch has been configured to treat the logical VLANs separately. There are monitoring options for anyone worried about how the VLANs are working. Up to eight ports can be used for port mirroring, to forward copies of incoming and outgoing packets from one port to a monitoring port. Port mirroring can be used as a diagnostic tool as well as a debugging feature. Port mirroring also enables switch performance monitoring. The switch is capable of mirroring all transmitted packets, all received packets, or all packets, both transmitted and received.