Document summary: The document summarizes techniques for network segmentation and virtualization. It discusses subnetting and virtual local area networks (VLANs) as methods to segment networks for security, performance and troubleshooting. It also describes virtualization using virtual machines and hypervisors. Network segmentation is achieved through subnetting using subnet masks, classless inter-domain routing (CIDR) notation, and supernetting. VLANs are used to combine virtual components, and virtual machines can be incorporated into VLAN segments.

Network+ Guide to Networks

8th Edition

Chapter 10
Network Segmentation and Virtualization

© 2016 Cengage Learning®. May not be scanned, copied or duplicated, or


posted to a publicly accessible website, in whole or in part.
Objectives

• Describe methods of network design unique to TCP/IP networks, including subnetting, CIDR, and supernetting
• Explain virtualization and identify characteristics of
virtual network components
• Describe techniques for incorporating virtual
components in VLANs

Network+ Guide to Networks, 8th Edition 2


© Cengage Learning 2016
Objectives

• Explain the advanced features of a switch and understand popular switching techniques, including VLAN management
• Identify methods of combining VM and VLAN
technologies

Segmentation and Subnetting

• Segmentation
– Dividing a network into multiple smaller networks
– Traffic on one network is separated from another
network’s traffic
– Each network is its own broadcast domain
• Accomplish the following:
– Enhance security
– Improve performance
– Simplify troubleshooting

How a Computer Uses a Subnet Mask

• IPv4 address is divided into two parts:
– Network ID and host ID
• Subnet mask is used so devices can determine which part of an IP address is the network ID and which part is the host ID
– The number of 1s in the subnet mask equals the number of bits in the IP address that belong to the network ID; the remaining bits (the 0s in the mask) are the host ID

CIDR (Classless Interdomain Routing)

• CIDR
– Provides additional ways of arranging network and
host information in an IP address
– Takes the network ID or a host’s IP address and
follows it with a forward slash (/), followed by the
number of bits used for the network ID
• 192.168.89.127/24
– 24 represents the number of 1s in the subnet mask (255.255.255.0) and therefore the number of bits in the network ID
– The network this host belongs to, written as 192.168.89.0/24, is known as a CIDR block

Why Subnets?

• Example: A business has grown from 20-30 computers to having a few hundred computers on three floors
– There is only a single LAN or broadcast domain
– One router serves as the default gateway for the
entire network
• To better manage network traffic, segment the
network so that each floor contains one LAN, or
broadcast domain
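The mask arithmetic a host performs, the CIDR notation from the previous slide, and the per-floor split described above, worked as an added Python example. This is not code from the textbook; the 192.168.10.0/24 block and the three-floor count are assumptions chosen for illustration.

```python
# Added example (not from the textbook): IPv4 subnet mask arithmetic, CIDR notation,
# and borrowing host bits to split one block into per-floor subnets.
# All addresses below are assumptions chosen for illustration.

def ip_to_int(ip: str) -> int:
    """Pack dotted-decimal IPv4 into a 32-bit integer, rejecting malformed input."""
    octets = [int(o) for o in ip.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {ip}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]

def int_to_ip(n: int) -> str:
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def prefix_to_mask(prefix: int) -> int:
    """/24 -> 0xFFFFFF00: 'prefix' leading 1 bits, the rest 0."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix length must be 0..32")
    return ((1 << prefix) - 1) << (32 - prefix)

def mask_to_prefix(mask: str) -> int:
    """Count the 1s in a dotted mask, rejecting non-contiguous masks such as 255.0.255.0."""
    m = ip_to_int(mask)
    prefix = bin(m).count("1")
    if prefix_to_mask(prefix) != m:
        raise ValueError(f"non-contiguous subnet mask: {mask}")
    return prefix

def describe(cidr: str) -> dict:
    """Apply the mask the way a host does: AND gives the network ID, the rest is the host ID."""
    addr_str, prefix_str = cidr.split("/")
    addr, prefix = ip_to_int(addr_str), int(prefix_str)
    mask = prefix_to_mask(prefix)
    host_mask = ~mask & 0xFFFFFFFF
    network = addr & mask
    broadcast = network | host_mask
    host_bits = 32 - prefix
    # /31 and /32 have no separate network/broadcast addresses (RFC 3021 point-to-point links)
    usable = (1 << host_bits) - 2 if host_bits >= 2 else (1 << host_bits)
    return {
        "mask": int_to_ip(mask),
        "network_id": int_to_ip(network),
        "host_id": addr & host_mask,
        "broadcast": int_to_ip(broadcast),
        "first_host": int_to_ip(network + 1 if host_bits >= 2 else network),
        "last_host": int_to_ip(broadcast - 1 if host_bits >= 2 else broadcast),
        "usable_hosts": usable,
    }

def same_subnet(a: str, b: str, prefix: int) -> bool:
    """The decision a sending host makes: same network ID -> deliver directly, else -> default gateway."""
    mask = prefix_to_mask(prefix)
    return (ip_to_int(a) & mask) == (ip_to_int(b) & mask)

def split(block: str, subnets_needed: int) -> list:
    """Borrow the fewest host bits that give at least `subnets_needed` subnets
    (for example one per floor); each subnet becomes its own broadcast domain."""
    net_str, prefix_str = block.split("/")
    base, prefix = ip_to_int(net_str), int(prefix_str)
    if base & prefix_to_mask(prefix) != base:
        raise ValueError(f"{block} is not a network ID (host bits are set)")
    bits = 0
    while (1 << bits) < subnets_needed:
        bits += 1
    new_prefix = prefix + bits
    if new_prefix > 30:  # keep at least two host bits so every subnet has usable hosts
        raise ValueError("not enough host bits to borrow")
    size = 1 << (32 - new_prefix)
    return [
        {
            "subnet": f"{int_to_ip(base + i * size)}/{new_prefix}",
            "gateway": int_to_ip(base + i * size + 1),  # convention: first usable address
            "broadcast": int_to_ip(base + (i + 1) * size - 1),
            "usable_hosts": size - 2,
        }
        for i in range(1 << bits)
    ]

if __name__ == "__main__":
    print(describe("192.168.89.127/24"))
    for floor in split("192.168.10.0/24", 3):  # three floors -> borrow 2 bits -> four /26 subnets
        print(floor)
```

Three floors need three subnets, but borrowing two bits yields four, so one /26 is left spare; `split` also refuses a block written with host bits set (such as 192.168.10.1/24), which is the most common typo when subnets are planned by hand.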

Subnet Mask Tables
• Class A, Class B, and Class C networks can all be subnetted
– Each class leaves a different number of host-information bits available to borrow for subnet information
– The usable combinations vary with the network class and with how many bits are borrowed
• Subnetting is visible only inside the LAN
– The LAN’s own devices (and its router) interpret the subnet portion of each address
– External routers see only the network portion of a device’s IP address and need no knowledge of how the network is subnetted internally

Supernetting

• Supernetting
– Combine contiguous networks that all use the same CIDR prefix length into one supernet
– Also called route aggregation or route summarization (a form of classless routing)
• Supernetting is helpful for two reasons:
– Reduce the number of routing table entries by combining several entries into one
– Allow a company to create a single network made up of more than one Class C address allocation

Supernetting

• Supernet is defined by a supernet mask
– Moves the network/host boundary to the left: the prefix is shorter than the classful default (for example /22 instead of /24), so bits that were network bits become host bits

Figure 10-6 Subnet mask and supernet mask for a Class C network
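Aggregating contiguous networks into one supernet and deriving the supernet mask, as an added Python example that is not part of the textbook. The address blocks are assumptions; the function also checks the conditions under which an exact summary route does not exist (mixed prefix lengths, gaps, or a first network that is not aligned to the new boundary).

```python
# Added example (not from the textbook): supernetting contiguous networks.
# The address blocks used are assumptions chosen for illustration.

def ip_to_int(ip: str) -> int:
    o = [int(x) for x in ip.split(".")]
    if len(o) != 4 or any(not 0 <= x <= 255 for x in o):
        raise ValueError(f"bad IPv4 address: {ip}")
    return (o[0] << 24) | (o[1] << 16) | (o[2] << 8) | o[3]

def int_to_ip(n: int) -> str:
    return ".".join(str((n >> s) & 0xFF) for s in (24, 16, 8, 0))

def prefix_to_mask(prefix: int) -> int:
    return ((1 << prefix) - 1) << (32 - prefix)

def supernet(networks: list) -> dict:
    """Summarise networks that share a prefix length into one CIDR block.

    Exact aggregation needs three things, each checked here:
      1. the same prefix length on every member,
      2. contiguity (no gaps, no overlaps) and a power-of-two member count,
      3. alignment: the lowest network must start on the new, larger boundary.
    """
    parsed = []
    for n in networks:
        a, p = n.split("/")
        parsed.append((ip_to_int(a), int(p)))
    lengths = {p for _, p in parsed}
    if len(lengths) != 1:
        raise ValueError("members must share one prefix length")
    prefix = lengths.pop()
    addrs = sorted(a for a, _ in parsed)
    block = 1 << (32 - prefix)
    for prev, cur in zip(addrs, addrs[1:]):
        if cur - prev != block:
            raise ValueError(f"gap or overlap between {int_to_ip(prev)} and {int_to_ip(cur)}")
    count = len(addrs)
    if count & (count - 1):
        raise ValueError("member count must be a power of two")
    borrowed = count.bit_length() - 1  # 4 members -> boundary moves 2 bits to the left
    new_prefix = prefix - borrowed
    mask = prefix_to_mask(new_prefix)
    if addrs[0] & mask != addrs[0]:
        raise ValueError(f"{int_to_ip(addrs[0])} is not aligned to a /{new_prefix} boundary")
    return {
        "supernet": f"{int_to_ip(addrs[0])}/{new_prefix}",
        "supernet_mask": int_to_ip(mask),
        "routing_entries_saved": count - 1,
    }

def covers(cidr: str, ip: str) -> bool:
    """Membership test a router applies to a summary route: does it match this destination?"""
    net, p = cidr.split("/")
    mask = prefix_to_mask(int(p))
    return ip_to_int(ip) & mask == ip_to_int(net) & mask

if __name__ == "__main__":
    print(supernet(["192.168.0.0/24", "192.168.1.0/24", "192.168.2.0/24", "192.168.3.0/24"]))
```

The alignment check is the one most often missed by hand: 192.168.1.0/24 and 192.168.2.0/24 are contiguous, yet no /23 covers exactly those two, because 192.168.1.0 is not on a /23 boundary. A summary route that is wider than the networks it is meant to cover silently attracts traffic for addresses the organisation does not own.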

Subnetting in IPv6

• Each ISP can offer customers an entire IPv6 subnet
• Subnetting in IPv6
– Simpler than IPv4
– Classes are not used
– Dotted-decimal subnet masks are not used; only the prefix length in slash notation
• First four blocks (64 bits) normally identify the network
– Serve as the network prefix or routing prefix; the remaining 64 bits are the interface ID
• Interfaces that share a network prefix belong to the same subnet
Subnetting in IPv6

• Sometimes the slash notation is called the prefix mask
• Route prefixes vary in length
– The slash notation is necessary when defining them
– Example: 2608:FE10::/32
• Includes all subnets whose prefixes begin with
2608:FE10
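IPv6 prefix handling with Python’s standard `ipaddress` module, as an added example that is not from the textbook. The ISP block 2608:FE10::/32 is the slide’s; the customer addresses and the /48 per-site carve-out are assumptions.

```python
# Added example (not from the textbook): IPv6 routing prefixes, interface IDs, and
# prefix membership. The 2608:FE10::/32 block is from the slide; other addresses are assumptions.
import ipaddress

def routing_prefix(addr: str, prefix_len: int = 64) -> str:
    """Keep the first `prefix_len` bits (default: the four leading 16-bit blocks) and zero the rest."""
    n = int(ipaddress.IPv6Address(addr))
    mask = ((1 << prefix_len) - 1) << (128 - prefix_len)
    return f"{ipaddress.IPv6Address(n & mask)}/{prefix_len}"

def interface_id(addr: str) -> str:
    """The low 64 bits, which identify the interface within its /64 subnet."""
    n = int(ipaddress.IPv6Address(addr))
    return f"{n & ((1 << 64) - 1):016x}"

def same_subnet(a: str, b: str, prefix_len: int = 64) -> bool:
    """Interfaces that share a routing prefix are on the same subnet."""
    return routing_prefix(a, prefix_len) == routing_prefix(b, prefix_len)

def in_block(addr: str, block: str) -> bool:
    """Does `addr` fall inside the route prefix `block` (e.g. the ISP's 2608:FE10::/32)?
    strict=True refuses a block written with host bits set, such as 2608:FE10::1/32."""
    return ipaddress.IPv6Address(addr) in ipaddress.IPv6Network(block, strict=True)

def carve(block: str, new_prefix: int, count: int) -> list:
    """First `count` sub-prefixes of length `new_prefix` inside `block`, e.g. /48 sites out of a /32."""
    subnets = ipaddress.IPv6Network(block).subnets(new_prefix=new_prefix)
    return [str(next(subnets)) for _ in range(count)]

if __name__ == "__main__":
    print(routing_prefix("2608:fe10:1:2:3:4:5:6"), interface_id("2608:fe10:1:2:3:4:5:6"))
    print(carve("2608:FE10::/32", 48, 3))
```

Because there are no classes, everything reduces to "how many leading bits match": the same `routing_prefix` function answers whether two hosts are on-link and whether an address belongs to the ISP’s /32.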

Virtualization

• Emulation of a computer, operating system environment, or application:
– On a physical system
• Virtual machines (VMs)
– Virtual workstations
– Virtual servers
– Can be configured to use different types of:
• CPU
• Storage drive
• NIC

Virtualization

• To users, a VM appears no different from a physical computer:
– Running the same software
• Host
– Physical computer
• Guest
– Each virtual machine
• Hypervisor
– Software that allows you to define and manage virtual
machines (also known as a virtual machine manager)
Virtualization

Figure 10-11 Elements of virtualization

Virtualization

• Advantages of virtualization
– Efficient use of resources
– Cost and energy savings
– Fault and threat isolation
– Simple backups, recovery, and replication
• Disadvantages
– Compromised performance
– Increased complexity
– Increased licensing costs
– Single point of failure
Virtualization
• VMware
– Makes the most widely implemented virtualization software
– Provides several products, including ones designed for managing virtual workstations on a single host
• Other examples that provide similar functionality but differ in features, interfaces, and ease of use:
– Microsoft’s Hyper-V
– KVM (Kernel-based Virtual Machine)
– Oracle’s VirtualBox
– Citrix’s XenServer (built on the Xen hypervisor); Citrix’s XenApp is an application-virtualization product rather than a hypervisor
Virtual Network Components

• Virtual network
– Can be created to consist solely of virtual machines
on a physical server
• Most networks combine physical and virtual
elements

Virtual Machines and Network Adapters

• Virtualization program
– Assigns VM’s software and hardware characteristics
– Often an easy to use, step-by-step wizard
• Network connection
– Requires virtual adapter (vNIC)
– Each VM can have several vNICs
– Upon creation, each vNIC is automatically assigned a
MAC address
• Also, by default, every VM’s vNIC is connected to a port on a virtual switch

Virtual Switches and Bridges
• When first VM’s vNIC is selected
– Hypervisor creates a connection between that VM
and the host
– This connection might be called a bridge or switch
• Virtual switch
– Logically defined device
– Operates at Data Link layer
– Passes frames between nodes
• The hypervisor controls the virtual switches
• VMs can go through a virtual switch to reach
network
Network Connection Types
• Must identify networking mode the vNIC will use
• Frequently-used network connection types
– Bridged
– NAT
– Host-only
• Bridged Mode
– vNIC accesses physical network using host
machine’s NIC
– Obtains own IP address, default gateway, and
netmask from DHCP server on physical LAN

Network Connection Types
• NAT Mode
– vNIC relies on host to act as NAT device
– Obtains IP addressing information from host
– Virtualization software acts as a DHCP server
– Appropriate for VMs that do not need to be accessed
at a known address by other network nodes
• Host-only Mode
– VMs on one host can exchange data with each other
and the host
– Cannot communicate with nodes beyond the host
– Never receive or transmit data with host’s physical
NIC
Virtual Appliances and Virtual Network
Services
• Provides an alternative to building a physical test server when evaluating new software
• Virtual appliance includes:
– Image of operating system, software, hardware
specifications, and application configuration
• Most commonly virtual servers
• Popular functions
– Firewall
– Network management
– E-mail solutions
– Remote access
VRRP (Virtual Router Redundancy
Protocol) and HSRP (Hot Standby
Router Protocol)
• VRRP
– An open standard; HSRP is Cisco’s proprietary protocol with the same purpose
– Used to assign a virtual IP address to a group of routers
• Virtual IP address
– Shared by the entire group and used by hosts as their default gateway
– Messages sent to the virtual IP address are handled by the master router; if the master fails, a backup router takes over the address so the gateway stays reachable
– Routers involved are all physical routers acting together as a single virtual router or a group of virtual routers
SDN (Software Defined Networking)

• SDN
– The virtualization of network services
• A central network controller manages these services instead of each hardware device being configured and managed individually
– Network controller integrates all of the network’s virtual and physical devices into one cohesive system
– Decisions about where traffic should go (called the control plane) are made centrally by the controller and pushed to the devices
– Physical devices still make actual contact with data transmissions as they traverse the network (called the data plane)
VLANs and Trunking

• VLAN (virtual local area network)
– Groups ports on a switch so that some of the local traffic on the switch is forced to go through a router
• To create a VLAN
– You need a programmable physical switch whose
ports can be partitioned into groups

VLANs and Trunking

• 802.1Q
– The IEEE standard that specifies how VLAN
information appears in frames and how switches
interpret that information
• Each VLAN is assigned its own subnet of IP
addresses
– Each VLAN and subnet normally is a broadcast
domain
• A VLAN can include ports from more than one
switch

VLANs and Trunking

• Reasons for using VLANs:
– Separating groups of users who need special security or network functions
– Isolating connections with heavy or unpredictable
traffic patterns
– Identifying groups of devices whose data should be
given priority handling
– Containing groups of devices that rely on legacy
protocols incompatible with the majority of the
network’s traffic
– Separating a large network into smaller subnets
VLANs and Trunking

• Trunk
– A single physical connection between switches
through which many logical VLANs can transmit and
receive data
• A port on a switch is configured as either an access
port or a trunk port
– Access port - used for connecting a single node
– Trunk port - capable of managing traffic among
multiple VLANs

VLANs and Trunking

• To keep data belonging to each VLAN separate
– Each frame crossing a trunk is identified with a VLAN identifier or tag (the 802.1Q tag)
– The trunking protocol assigns and interprets these tags
• Cisco’s VTP (VLAN Trunking Protocol)
– The most popular protocol for propagating VLAN configuration between switches over trunks
– VTP allows changes to the VLAN database on one switch, configured as a VTP server, to be communicated to all other switches in the VTP domain

VLANs and Trunking

• Potential problem in creating VLANs
– By grouping certain nodes, you are excluding another group
• To allow different VLANs to exchange data
– You need to connect VLANs with a router or Layer 3 switch
• VLAN hopping attack
– Occurs when an attacker generates transmissions that appear to belong to a protected VLAN, either by negotiating a trunk with the switch (switch spoofing) or by sending double-tagged frames whose outer tag matches the trunk’s native VLAN (double tagging)
– Prevented by disabling auto trunking so that an end-station port cannot become a trunk, keeping user-facing ports in access mode, and moving the native VLAN to an unused VLAN
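What the tags in a VLAN-hopping frame actually look like, as an added Python example (not from the textbook): a parser for the 802.1Q tag stack of a raw Ethernet frame, plus a check that flags a tagged frame arriving on an access port and a double-tagged frame whose outer tag is the native VLAN. The frames are constructed in the code, not captured; the port names, VLAN numbers and MAC addresses are assumptions.

```python
# Added example (not from the textbook): parsing 802.1Q tag stacks and flagging the
# frame shapes used in VLAN hopping. Frames below are constructed for the demo, not captures.
import struct

TPIDS = {0x8100, 0x88A8}  # 802.1Q and 802.1ad (QinQ) tag protocol identifiers

def parse_tags(frame: bytes):
    """Return (vids, inner_ethertype): every VLAN ID in the tag stack, outermost first."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    offset, vids = 12, []          # skip destination and source MAC
    while True:
        if offset + 2 > len(frame):
            raise ValueError("truncated tag stack")
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        if ethertype not in TPIDS:
            return vids, ethertype
        if offset + 4 > len(frame):
            raise ValueError("truncated tag stack")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        vids.append(tci & 0x0FFF)  # TCI = 3-bit priority | 1-bit DEI | 12-bit VLAN ID
        offset += 4

def build_frame(dst: str, src: str, vids, ethertype: int, payload: bytes) -> bytes:
    """Constructed test frame: one 802.1Q tag per VID, outermost first."""
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    for vid in vids:
        hdr += struct.pack("!HH", 0x8100, vid & 0x0FFF)
    return hdr + struct.pack("!H", ethertype) + payload

def classify(frame: bytes, port_mode: str, native_vlan: int = 1) -> list:
    """Compare a received frame with the configuration of the port it arrived on.

    access port : should only carry untagged frames; a tag means the station is trying to
                  choose its own VLAN.
    any port    : a frame whose OUTER tag equals the native VLAN and that carries a second
                  tag is the double-tagging pattern: the first switch strips the native tag
                  and the next switch forwards the frame on the inner VLAN.
    Returns the list of findings (empty when the frame is consistent with the port).
    """
    if port_mode not in ("access", "trunk"):
        raise ValueError(f"unknown port mode {port_mode!r}")
    vids, _ = parse_tags(frame)
    findings = []
    if port_mode == "access" and vids:
        findings.append("tagged-frame-on-access-port")
    if len(vids) >= 2 and vids[0] == native_vlan:
        findings.append("double-tag-outer-is-native")
    return findings

if __name__ == "__main__":
    attack = build_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55", [1, 20], 0x0800, b"\x00" * 46)
    print(parse_tags(attack), classify(attack, "trunk", native_vlan=1))
```

The second rule shows why moving the native VLAN to an unused ID works: once no access port sits in the native VLAN, an attacker cannot produce a frame whose outer tag the first switch will strip, so the inner tag never gets a chance to be interpreted.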
STP (Spanning Tree Protocol) and
SPB (Shortest Path Bridging)
• IEEE standard 802.1D
• Operates at the Data Link layer
• Prevents traffic loops
– Calculates paths that avoid potential loops
– Artificially blocks links that would complete a loop
• STP information is transmitted between switches
– Via BPDUs (Bridge Protocol Data Units)
• BPDU guard
– Shuts down (err-disables) an end-station port if a BPDU arrives on it, so an unauthorized switch plugged into that port cannot join, or take over, the spanning tree
• BPDU filter
– Stops a port from sending or processing BPDUs, effectively disabling STP on that port; a loop introduced through such a port will not be detected
STP (Spanning Tree Protocol) and
SPB (Shortest Path Bridging)
• Three steps
– Select root bridge based on Bridge ID (BID)
– Examine possible paths between network bridge and
root bridge
– Disables links not part of shortest path
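The root-bridge election from the first step above, with the BPDU guard and BPDU filter behaviour from the previous slide applied per port, as an added Python example that is not from the textbook. Bridge priorities, MAC addresses and port names are assumptions; the scenario shows why a guard on end-station ports matters, since without it a rogue switch announcing priority 0 becomes root.

```python
# Added example (not from the textbook): STP root-bridge election from received BPDUs,
# with BPDU guard and BPDU filter applied per port. Bridge IDs and port names are assumptions.
from dataclasses import dataclass

@dataclass(frozen=True)
class Bridge:
    priority: int  # 0..61440 in steps of 4096, default 32768; lower wins
    mac: str       # tie-breaker when priorities are equal: lower MAC wins

    @property
    def bid(self):
        """Bridge ID compares as (priority, MAC); the lowest value becomes root."""
        return (self.priority, self.mac.lower())

def process_bpdus(local: Bridge, ports: dict, bpdus: list):
    """ports: port name -> {"edge": bool, "bpdu_guard": bool, "bpdu_filter": bool}
    bpdus: list of (port name, root bridge claimed by the neighbour on that port)
    Returns (elected root, set of err-disabled ports, set of ports whose BPDUs were dropped)."""
    candidates = [local]          # a bridge always considers itself a root candidate
    errdisabled, dropped = set(), set()
    for port, claimed_root in bpdus:
        cfg = ports[port]
        if cfg.get("bpdu_filter"):
            dropped.add(port)     # STP is effectively off here: the BPDU is ignored
            continue
        if cfg.get("edge") and cfg.get("bpdu_guard"):
            errdisabled.add(port) # a switch is speaking on an end-station port: shut it
            continue
        candidates.append(claimed_root)
    root = min(candidates, key=lambda b: b.bid)
    return root, errdisabled, dropped

if __name__ == "__main__":
    me = Bridge(32768, "00:00:0c:00:00:02")
    core = Bridge(4096, "00:00:0c:00:00:01")
    rogue = Bridge(0, "de:ad:be:ef:00:01")   # attacker-controlled switch on a user port
    ports = {"Gi1/0/1": {"edge": False},
             "Gi1/0/10": {"edge": True, "bpdu_guard": True},
             "Gi1/0/11": {"edge": True, "bpdu_guard": False}}
    print(process_bpdus(me, ports, [("Gi1/0/1", core), ("Gi1/0/10", rogue)]))
    print(process_bpdus(me, ports, [("Gi1/0/1", core), ("Gi1/0/11", rogue)]))
```

With the guard in place the rogue port is err-disabled and the legitimate core switch stays root; on the unguarded port the rogue wins the election outright, which is the starting point for STP-based traffic interception.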

STP (Spanning Tree Protocol) and
SPB (Shortest Path Bridging)
• Newer versions of STP can detect and correct for link failures in seconds
– RSTP (Rapid Spanning Tree Protocol)
– MSTP (Multiple Spanning Tree Protocol)
• TRILL (Transparent Interconnection of Lots of Links)
– Designed to replace STP
– A multipath, link-state protocol
• SPB (Shortest Path Bridging, IEEE 802.1aq)
– A link-state successor to STP; it still operates at the Data Link layer but uses the IS-IS routing protocol to compute paths
– Keeps all potential paths active while managing the flow of data
Switch Configurations

• Unmanaged switch
– Provides plug-and-play simplicity with minimal
configuration
• Has no IP address assigned to it
• Managed switch
– Can be configured via a command-line interface and
are usually assigned an IP address
– VLANs can only be implemented through managed switches

Switch Configurations

• Configuration options on a managed switch:
– Password security
– Console
• Management console
• Remote configuration is managed through a virtual
terminal or virtual console
– AAA method
– Switch port security
– Speed and duplex

Wireless VLANs

• Wireless controller (Wi-Fi controller or WLAN controller)
– Provides a central management console for all of the
APs in the network
• APs can also provide several options
– Thick AP is self-contained without relying on a higher-
level management device
– Thin APs are simple devices that must be configured
from the wireless controller’s console

Wireless VLANs

• LWAPP (Lightweight Access Point Protocol)
– Tunnels all wireless frames to the controller by adding extra headers to the frames
– CAPWAP (Control and Provisioning of Wireless Access Points), the standardized successor, is another example
• Wireless controller can provide centralized authentication for wireless clients, load balancing, and channel management
• VLAN pooling groups several VLANs into one pool and distributes wireless clients across them, so a large WLAN is not one huge broadcast domain

Troubleshooting VMs and VLANs

• Virtual networks resemble physical networks in many ways
– Backups, troubleshooting, and software updates raise similar concerns
• To add VMs to a VLAN defined on a physical network
– Use the hypervisor to modify the virtual switch’s configuration, assigning the VLAN ID to the virtual switch port (or port group) the VM’s vNIC connects to
– The VM is not added on the physical switch that manages that VLAN; the physical switch port facing the host is configured as a trunk that carries the VLANs the virtual switch uses

Summary
• Separating traffic by subnets or VLANs helps
enhance security, improve network performance,
and simplify troubleshooting
• CIDR notation takes the network ID or a host’s IP
address and follows it with a forward slash (/)
followed by the number of bits used for network ID
• To create a subnet, borrow bits that would represent
host information in classful addressing
• Supernetting allows you to combine contiguous
networks that all use the same CIDR block into one
supernet
Summary
• Subnetting in IPv6 is simpler than subnetting in IPv4
• For a single computer, virtualization can emulate the
hardware, OS, and/or applications
• When you create a VM, use the virtualization
program to assign the VM’s software and hardware
characteristics
• VMs can communicate with a virtual switch on the
host computer to reach the physical network
• A vNIC using bridged mode accesses a physical
network using the host machine’s NIC

Summary
• A vNIC using NAT mode relies on the host machine
to act as a NAT device
• In host-only mode, VMs on one host can exchange
data with each other and with their host, but cannot
communicate with any nodes beyond the host
• In software defined networking (SDN), services are
delivered by applications that are managed by a
network controller
• Programmable switches create VLANs by
partitioning their ports into groups

Summary
• Switches and bridges use STP to help eliminate the
possibility of broadcast storms and other loops
• An unmanaged switch has minimal configuration
and no IP address assigned to it
• A large wireless network is often managed by a
central wireless controller
