How To Setup VLANs Pt1

Captions
VLANs are a great way to bring security to your network, but what are VLANs and how do you configure a switch to actually use them? Well, if that's something you're interested in learning, stick around and watch this video, because that's what we'll be going over.

Now rather than just log into a switch and start making changes here, there and everywhere, I think it'd be better if I gave you a bit of a background on VLANs and switches to begin with. But if you prefer, you can skip ahead, because I've got actual timelines in this video.

What we've got here is a diagram of a switch, and we've got some computers that are actually plugged into it. This is just a stock image, but we've got a PC, for example, which plugs into port number one, we've then got a laptop plugged into port number two, and I've got a symbol here representing a firewall, which we've plugged into port number three.

Now if this is an unmanaged switch, what it means is, well, you can't manage it. You can't make any changes to the switch; you can't change its behavior in any shape or form. It's intended to be a plug-and-play device: effectively you can take any computer, plug it into any port, and that device will then have direct access to any other device that's plugged into the switch. For a simple network where you may only have just a few devices, or you're not too concerned about security, that's not really a problem. But if you are concerned about actual security, it is a big problem, because there's nothing you can do. You can't change the behavior of the switch in any shape or form; you're just allowing all of these computers to talk directly to each other.

So if you've seen my previous video where I was going over home IT security and how you might want to start thinking about improving the actual network security, especially if you've got things like a NAS that's got data on it, or if you've got, for example, smart home devices, you want to start separating those sorts of devices out. You want to put them into their own network segments, and the trouble is you just can't do that if it's an unmanaged switch. Again, this is a stock image, so don't read into that; I'm just using it as an example.

So what we do actually need is what's called a managed switch, and like it says, it then allows you to actually manage the configuration of the switch, and it means you can actually change the behavior. More specifically, what we're interested in is being able to change the behavior of the ports, where the idea is to create what are called virtual local area networks, or VLANs. In other words, we can actually place different ports into different VLANs, which means we can separate our devices out. If we put them into different VLANs we're basically putting them into different network segments, and then we're stopping them from actually communicating directly between one another.

Now out of the box, an actual managed switch behaves just like an unmanaged switch does, and that's because what the vendor does is assign all of the ports on the switch to the same VLAN, and that's VLAN number one, hence why I've got a one next to the little cables here. So straight out of the box this is a plug-and-play switch: you can just plug a computer into a port and it'll be able to talk to any other device on that switch.

So from a high-level view, you look at it logically and it looks something like this. All of these devices are plugged into VLAN number one. As you can see here, we've got a firewall that's providing internet access, for example, but what it doesn't do is have any say in these two computers if they want to talk to each other. It doesn't get in the way; it can't, and that's just because, from the switch's perspective, all three of these computers belong to VLAN number one. If you've got a device in VLAN number one, it can talk to any other device in VLAN number one. If it's plugged into a port and that port belongs to VLAN number two, then it means that that device can talk to any other device in VLAN number two.

So if we go back to the physical diagram here, basically what's happening is the laptop will be sending information to the switch. It comes into the port here, and the actual switch is saying, "ah, you belong to VLAN number one". The laptop wants to send that information over to the PC here, and the PC, as far as the switch is concerned, belongs to VLAN number one too, because that's what the ports are saying. So it allows these two computers to talk directly to each other: the traffic literally just comes into this port, goes through the switch backplane and pops back out of this interface here to the PC. All that's happening is you've just got traffic going backwards and forwards between these two ports. Normally, and I'm not going to go into the gist of how switches really work, this firewall would never see any of that traffic. It'll see some of it to begin with, and every now and again, but most of the time these two switch ports are just carrying out a conversation between these two computers, totally independently of what goes on for the rest of the switch ports.

So out of the box we've got this flat network, effectively, where these two computers can talk directly to each other, and that's not what we want. We want to change that behavior. For example, maybe we don't want these two computers to talk to each other. We might still want them to access the internet; we just don't want them to have direct access to each other, or maybe we want limited connectivity. That's where we start making changes by implementing VLANs on the switch. So straight out of the box we've got the situation where everything belongs to VLAN number one, and it's not what we want. We want various devices to be in different network segments, which means we need to put them into different VLANs.

So instead of having this sort of network design, what we actually want to be aiming for is something like this. We still want the two devices to be able to access the internet through the firewall, but we don't want them to talk directly to each other, or we want limited access, and so basically what we need to do is put them into different VLANs. As an example, we've got a laptop here, and that's in VLAN 100, and we've got a PC which is in VLAN 200. Now the actual number of these VLANs doesn't really matter; I've just plucked them out there. Basically, use whatever number is best for you, but the thing is, you've got a range from about 1 to 4094, so you've got a big choice of numbers. The thing to bear in mind is we're not using names, we're using numbers. You might be able to configure an actual name or description when we create these VLANs, but ultimately it boils down to the actual number of the VLAN; that's the important thing.

So what we've got here is a PC in VLAN 200 and a laptop in VLAN 100, and the switch will not allow these two computers to talk directly to each other, because, well, they're in different VLANs. The laptop can talk to something that's in VLAN 100, but it can't talk to something in VLAN 200, unless you place a device that's got connectivity to both of the VLANs, and that's where something like a firewall would come into play. What we've got here is a firewall that's got an interface in VLAN 200 as well as in VLAN 100, so this firewall would still be the default gateway for these two computers, because they'll want access to the internet, for example. Let's say, for example, that the PC is doing some music streaming and the laptop wants to be able to play that. Well, we could introduce rules on the firewall to allow that. Or maybe it's a case of, well, we don't want anything in this network talking to anything in this network, in which case the rules on the firewall should be that nothing can talk between these two networks. But the key thing is, now we've got this choice. If you go back to the original setup where all of the ports are in VLAN 1, we can't control anything; the switch allows these two devices to talk directly to each other. As soon as we introduce VLANs and start putting these devices into different VLANs, all of a sudden we've now got this control, and that's what we're aiming for when it comes to security. We've got the final say, effectively: as long as the switch is keeping our traffic separated into different VLANs, we've got the say on this firewall as to whether these computers can talk to one another or not.

So how do you actually achieve that? How do we get from, say, this, where everything's in VLAN 1, to this, where the PC's in VLAN 200 and our laptop's in VLAN 100? Well, that means we've actually got to make changes to the switch. If we go back to the way it's set up, these devices have all got one cable plugged into the actual switch. It doesn't necessarily have to be that way; the firewall, for instance, could have an extra interface plugged into a different port, but in this particular example it only has the one interface plugged into port number three. In which case, what we've got to do is modify the switch so that it now looks like this. In other words, we want the laptop to be in VLAN 100, we want the PC to be in VLAN 200, and we want the firewall to be in VLAN 100 and VLAN 200. So the firewall has one interface plugged into the switch, but it can talk to both of the VLANs. Now I have actually done another video on how to set up a firewall like pfSense, for example, to be able to do that: how you set up what is a VLAN-aware firewall to support multiple VLANs on a single physical interface. Although, as I said, you've got the choice where you could have, for example, one cable plugged into port number three and, if the firewall's got another interface, you could plug that into this port down here; that one could belong to 100 and that one could belong to 200. It really comes down to how you want to do it, but for the sake of this example we're going along with one interface plugged into one port, and the firewall is what's called VLAN aware. In other words, we can break that physical interface up into logical interfaces, each belonging to a different actual VLAN.

Now the one thing I should actually point out before I start explaining how we configure the switch to achieve all this is to do with the IP addressing on the actual network. So when you start off, you'll probably start off out of the box, unless you've made some sort of changes to your own network, where all of the devices are in VLAN 1 and they all belong to this 192.168.1.0/24 network. That's just the way they tend to be by default; that seems to be the common IP address range that vendors use these days. But the thing is, the firewall will want to see devices in different networks, so it's not just different VLANs that we're talking about here, we're talking about different IP address subnets as well. So that's something to bear in mind. For example, we might decide to keep this 192.168.1.0 network for VLAN 100, but we're then going to have to introduce a new IP address range of, say, 192.168.2.0 for VLAN 200, so we've got different IP addressing on this side of the network and different IP addressing on that side of the network. So that's just something to bear in mind: it's not just a case of making some quick change to the ports on the actual switch and, hey presto, everything's still on the same network and everything's all working tickety-boo. It doesn't work like that, unfortunately, at least not this way. When you configure the firewall, it'll have an interface in this network and then it'll have an interface in that network, and we've also got to then start supplying new IP addressing to the computers in this network. And you don't necessarily have to keep this particular IP range; to be honest, I wouldn't recommend you do anyway, because it's a bluntly obvious IP address range for a hacker to target if they actually get access to your network. I would probably change that to something completely different. But either way, it's just something you're going to have to bear in mind: there's more to it than just changing these VLANs.

So now that we know that, to separate our devices out from each other, we have to put them into different VLANs, what sort of configuration changes do we need to make to the switch to get, say, the laptop into VLAN 100, the PC into VLAN 200, and so on? Well, one thing to point out is that when it comes to retail switches, all they know about are VLANs. They don't know anything about the IP addressing, so we can't make any changes on the switches to actually influence IP addressing. You can on higher-end professional switches, but on retail switches it's just VLANs: all you do is basically assign the VLANs to ports, and then whatever port that PC or laptop's plugged into, well, that's the VLAN they belong to. When it comes to changing the IP addressing, that's a different video altogether. I mean, we're into the realms of making changes within DHCP servers, for example, or manually assigning IP addressing on the actual computers. Now I did do a video on how to do this sort of thing within a lab, for example if you want to create your own Linux server that runs DHCP. You could also configure a DHCP server on a firewall like pfSense, for example, so it's the DHCP server for VLAN 100 and 200. But as far as this particular video goes, we're just interested in the VLANs, because that's all the actual retail switches that are out there can typically support.

So what actual changes do we need to make, then, to change these VLANs? How do we go from a switch that's configured like this, where the computers are connected to VLAN 1, for instance, to this, where the laptop's in 100, the PC's in 200, and the firewall's in 100 and 200? Well, it does vary slightly when it comes to the vendors; they do things slightly differently, but the process and the principles that we're using are pretty much the same no matter which vendor you actually go with.

So the first thing you have to do is actually log into the switch, because you want to be able to manage it, and then what you have to do is find a section that's typically called VLANs, for example, because that's where we create VLANs. Now a switch will support anything from VLAN 1 to 4094, so it's a big long range, but typically it'll only know about VLAN 1, or that's the only VLAN that's been created on the switch. So it's capable of supporting more; it's just that out of the box it only supports VLAN 1. Now it is slightly different for, like, Netgear switches: they tend to support VLANs 1, 2 and 3 out of the box. But in any case, we just don't want to touch these default VLANs anyway. That's the reason why I've got these numbers here of 100 and 200. It's just kind of an industry practice to keep away from these default VLANs. I won't get into the security details, but it is a recommendation. What I would suggest is come up with a plan for all the different network segments that you need, and then come up with a particular number in that range and put aside a VLAN for every individual network segment. So in our case I've got two network segments: one is VLAN 100 and one is VLAN 200.

So the first thing, then, is literally to just connect to the switch, look for a VLAN tab, some section within the configuration to do with VLANs, and typically there you'll be able to create your VLANs. So what we would do is create a VLAN 100 and a VLAN 200; that would be step number one. Now chances are you might be able to give these a name, you might be able to give them a description, but from the switch's perspective that's just for your own benefit, really. It has no meaning to the switch; it's just interested in the numbers, that's it.

So once we've actually created the VLANs, we've then got to start assigning VLANs to these ports, and it's always going to vary depending on what the actual device is that's plugged into it. So these two devices are what we call end devices: they're not VLAN aware. They could be, but from a security perspective we don't even want them to be. The actual firewall, on the other hand, we trust, and that is VLAN aware. It's going to have logical interfaces, for example; it's got one physical interface, but it's going to have logical interfaces in each of these two VLANs, and we've got to be able to basically trust the firewall to tell the actual switch which VLAN the traffic belongs to. Likewise, when the switch needs to send traffic to the firewall, it needs to tell the firewall which VLAN the actual traffic belongs to. So we do trust the firewall; we don't really have much choice, really, because we're splitting up this physical interface into multiple logical interfaces. But when it comes to end devices, that's a whole different ball game. Even if they are actually capable, and most operating systems are, we do not want them to be VLAN aware. We don't want them to be like the actual firewall, where they can influence which VLAN they belong to, because then that's a security risk. So for example, if we allowed this PC to talk to VLAN 100, well, there's not much point, really. We actually want this one in VLAN 200 and we want the actual laptop in VLAN 100, and we don't want the user actually changing that decision. We want to keep them separated, and we want the actual switch deciding which VLANs they belong to.

So the configuration change at this point will be slightly different again, depending on the actual endpoint device that we've got here, but also depending on the actual manufacturer of your switch. But typically what it involves is a step two, where we actually tell the switch which ports a VLAN can actually be used on. So the ports themselves can support multiple VLANs at the same time, and this step two is to actually tell the switch which VLANs can be used on a port. In this case, all of the ports initially are able to use VLAN number one, but what we would do is look for a slightly different section within the configuration. It might be called VLAN membership, for example. There, what you do is select the VLAN where you want to then assign it out to different ports. So for example, we would pick VLAN 100, and then we might get a long list of all the individual ports, and then we'll select exactly which ports that VLAN can be used on. In this case, we would say, well, we want it to be used on port number two and port number three, because the laptop needs to be able to get access to VLAN 100, and so does the firewall. And then when we come to the actual VLAN 200 for the PC, we'll select VLAN 200, again we'll get our big list of ports, and for that one we'll say, well, we want that to be used on port 1 and port 3.

The only thing is, it's going to then vary depending on the manufacturer as to what happens next, because it might be a case of they actually want you to tell them, well, how do I actually treat the traffic on this actual port? That seems to be a common theme, where you've actually got to tell the switch: are you expecting any traffic coming into this port to be tagged or untagged? And then what you typically have is like a little checkbox where you click the box, and initially it might be untagged; then you click it again and then it's a tagged port; click it again and then the VLAN isn't supported on that port. So it varies depending on the vendor. It'll become a whole lot simpler and a lot easier to understand once you go through an example, but literally what we're talking about here is that this device here is an end device where it's not VLAN aware, so it's not going to be telling the switch, and we don't want it to tell the switch, which VLAN it belongs to. In which case that's referred to as untagged traffic. Now the firewall, on the other hand, is VLAN aware, and the only way for the switch and the firewall to be able to distinguish between what interface belongs to which VLAN is through this tagging process. So when the firewall, for instance, needs to send traffic into VLAN 100, it tags that actual traffic with 100; when it wants to send traffic for VLAN 200, it'll tag it with 200. That way, when it gets to the switch, the switch knows straight away: all right, okay, you've got a tag of 100, then it belongs to VLAN 100. And vice versa, the switch does its own tagging when it sends traffic to the firewall. So we've got these two ports here: if the vendor is asking about tagged or untagged traffic, these two ports would be untagged, because (a) we don't expect any traffic to be tagged, but (b) we don't want traffic to be tagged. We don't want to give these devices the opportunity to change to a different VLAN, because that would just break the security that we've got in place anyway. Whereas this particular port for the firewall, we are expecting it to actually tag that traffic, and it's a case of we have to tag the traffic going to the firewall, so we'd assign that particular port as a tagged port.

So once we've done that, the next step is, well, we've got to do something slightly different when it comes to these two devices here, because these two devices are kind of like pinned to one and only one actual VLAN. So what we've got to actually then do is go to another section, and it's going to vary depending on the vendor again, but they might call it primary VLAN IDs, or it might be the actual native VLAN or the default VLAN, or something. It's all about what happens when you've got traffic coming into these switch ports that isn't tagged: what VLAN should it belong to? And that's mostly going to influence devices like these, where (a) we don't want tagged traffic and (b) we don't expect tagged traffic. So these are our untagged ports that it's more useful for, but in this particular case, when it comes to port one, we get to this section and we select that specific port, port number one, and say that the primary VLAN ID, or the native VLAN, or the default VLAN, is VLAN 200. So when this PC sends traffic to the port, then the switch itself tags it as belonging to VLAN 200. When the laptop is sending its information, we have to tell that port that its default VLAN, primary VLAN or native VLAN is VLAN 100, so the switch is then forcing the traffic to belong to a specific VLAN.

Now this particular port is slightly different. I mean, we're going to trust this firewall to do the right thing, because, well, we'd expect to be the ones configuring it in the first place, but technically we don't expect any traffic to be untagged. There is the potential, though. Now, to be honest, if this actual firewall got hacked, there's much bigger problems that we've got, quite frankly, anyway, but when it comes to security best practices, the idea is any traffic that comes into that port which is untagged, we want to really drop it. We don't want to start having any problems, because there is a security risk when it comes to untagged traffic. Again, I don't want to really get into the details about it, but when it comes to that specific port, what we want to do is pick a VLAN that's not used and set that as the primary VLAN ID or the native VLAN. The idea is, if for some reason this firewall were to send traffic to the port and it's not tagged, it ends up in a VLAN that's not getting used anywhere else on the switch, and it helps get around a potential security risk. Again, for a home user that's probably not that big of a deal, but because it's like a best practice for security when it comes to switches, it's something we'll just go along and do.

But once we've made all these changes, once we've created the VLANs, once we've told the switch which ports can support which VLANs, and then, when it comes to these devices in particular, these two ports, we've told it which specific VLAN is the primary VLAN ID, for example, that's it. The switch, all of a sudden, is now functioning differently. All of a sudden this laptop will be in VLAN 100, this PC will be in VLAN 200, and the firewall, well, it's up to the firewall; as long as it's configured properly, it'll be able to communicate in VLANs 100 and 200. And that's it, hey presto, everything's changed.

But the one thing to bear in mind is they still support VLAN number one, and that's something we don't want. So what we would do, as sort of a final step, if you will, as a bit of best security practice, is actually go back to the little section about the VLAN membership, for example, and remove VLAN 1 from the ports, so that these devices can't access VLAN 1. That way, if somebody were to get access to VLAN 1, it doesn't matter; these devices won't be able to talk to VLAN 1, in which case we're fine. These are all nicely separated out into their own specific VLANs, and it doesn't really matter if somebody connects a device into VLAN 1; they can't talk to these, because they don't know anything about it, at least the ports don't anyway.

So hopefully I've covered it in enough detail, but it's probably quite long-winded, I must admit. It'll be a lot easier to explain if we go through an example. One thing to bear in mind, though, is once you start moving to different VLANs, you've got to bear in mind that the switch by default will have a management IP address assigned to it, and that's listening and communicating on VLAN number one, and that is something we're going to have to change. We're going to have to go into the system configuration of the switch and move that interface into whatever is our most trusted or secure VLAN, because we don't want that in VLAN 1 either. It's a bit of a risk when you do it, because you could end up locking yourself out if you don't do it properly, but we'll go over all that in an example, and I'll go through a couple of vendors to show you how things vary.

Well, thanks for making it to the end of this video. I really do hope you found it useful. If so, then do click the like button and share, because that encourages YouTube's algorithm to suggest it to other people who might find it useful as well. If you're new to the channel and you'd like to see more content like this, then do subscribe. Just remember to click the little bell icon, though; that way you'll get notifications when I send new content out. If you've got any comments, any suggestions, if you want to leave any feedback at all, please post that in the comments section below, and if you'd like to support the channel I've left links to both Patreon and PayPal in the description below. But above all, thanks very much for watching; I'll see you in the next video.
Info
Channel: Tech Tutorials - David McKone
Views: 21,736
Keywords: how to setup vlans, how to setup vlans at home, how to configure vlans, how to configure vlans on a switch, how to configure vlans on a home network, how to setup vlan, how to setup vlan on switch, how to configure vlan, how to configure vlan in switch, how to configure vlan trunk, vlan explained, vlan trunking, vlan configuration step by step, vlan configuration
Id: WIC7qExLYS0
Length: 29min 17sec (1757 seconds)
Published: Fri May 07 2021