Wednesday, April 1, 2009

Lesson 9: Understanding Virtual LANs

This lesson covers virtual LANs or VLANs. We’ll start by defining what a VLAN is and then explaining how it works. We’ll conclude the lesson by talking about some key VLAN technologies such as ISL and VTP.

The Agenda

- What Is a VLAN?

- VLAN Technologies

What Is a VLAN?

Well, the reality of the work environment today is that personnel is always changing. Employees move departments; they switch projects. Keeping up with these changes can consume significant network administration time. VLANs address the end-to-end mobility needs that businesses require.
Traditionally, routers have been used to limit the broadcast domains of workgroups. While routers provide well-defined boundaries between LAN segments, they introduce the following problems:

- Lack of scalability (e.g., restrictive addressing on subnets)
- Lack of security (e.g., within shared segments)
- Insufficient bandwidth use (e.g., extra traffic results when segmentation of the network is based upon physical location and not necessarily by workgroups or interest group)
- Lack of flexibility (e.g., costly reconfigurations are required when users are moved)

Virtual LAN, or VLAN, technology solves these problems because it enables switches and routers to configure logical topologies on top of the physical network infrastructure. Logical topologies allow any arbitrary collection of LAN segments within a network to be combined into an autonomous user group, appearing as a single LAN.

Virtual LANs

A VLAN can be defined as a logical LAN segment that spans different physical LANs. VLANs provide traffic separation and logical network partitioning.
VLANs logically segment the physical LAN infrastructure into different subnets (broadcast domains for Ethernet) so that broadcast frames are switched only between ports within the same VLAN.
A VLAN is a logical grouping of network devices (users) connected to the port(s) on a LAN switch. A VLAN creates a single broadcast domain and is treated like a subnet.
Unlike a traditional segment or workgroup, you can create a VLAN to group users by their work functions, departments, the applications used, or the protocols shared irrespective of the users’ work location (for example, an AppleTalk network that you want to separate from the rest of the switched network).
VLAN implementation is most often done in the switch software.

Remove the Physical Boundaries

Conceptually, VLANs provide greater segmentation and organizational flexibility. VLAN technology allows you to group switch ports and the users connected to them into logically defined communities of interest. These groupings can be coworkers within the same department, a cross-functional product team, or diverse users sharing the same network application or software (such as Lotus Notes users).
Grouping these ports and users into communities of interest—referred to as VLAN organizations—can be accomplished within a single switch, or more powerfully, between connected switches within the enterprise. By grouping ports and users together across multiple switches, VLANs can span single building infrastructures or interconnected buildings. As shown here, VLANs completely remove the physical constraints of workgroup communications across the enterprise.
Additionally, the role of the router evolves beyond the more traditional role of firewalls and broadcast suppression to policy-based control, broadcast management, and route processing and distribution. Equally as important, routers remain vital for switched architectures configured as VLANs because they provide the communication between logically defined workgroups (VLANs). Routers also provide VLAN access to shared resources such as servers and hosts, and connect to other parts of the network that are either logically segmented with the more traditional subnet approach or require access to remote sites across wide-area links. Layer 3 communication, either embedded in the switch or provided externally, is an integral part of any high-performance switching architecture.

VLAN Benefits

VLANs provide many internetworking benefits that are compelling.
Reduced administrative costs—Members of a VLAN group can be geographically dispersed. Members might be related because of their job functions or type of data that they use rather than the physical location of their workspace.

- The power of VLANs comes from the fact that adds, moves, and changes can be achieved simply by configuring a port into the appropriate VLAN. Expensive, time-consuming recabling to extend connectivity in a switched LAN environment, or host reconfiguration and re-addressing is no longer necessary, because network management can be used to logically “drag and drop” a user from one VLAN group to another.

Better management and control of broadcast activity—A VLAN solves the scalability problems often found in a large flat network by breaking a single broadcast domain into several smaller broadcast domains or VLAN groups. All broadcast and multicast traffic is contained within each smaller domain.

Tighter network security with establishment of secure user groups:

- High-security users can be placed in a separate VLAN group so that non-group members do not receive their broadcasts and cannot communicate with them.
- If inter-VLAN communication is necessary, a router can be added, and the traditional security and filtering functions of a router can be used.
- Workgroup servers can be relocated into secured, centralized locations.

Scalability and performance—VLAN groups can be defined based on any criteria; therefore, you can determine a network’s traffic patterns and associate users and resources logically. For example, an engineer making intensive use of a networked CAD/CAM server can be put into a separate VLAN group containing just the engineer and the server. The engineer does not affect the rest of the workgroup. The engineer’s dedicated LAN increases throughput to the CAD/CAM server and helps performance for the rest of the group by not affecting its work.

VLAN Components

There are five key components within VLANs:

Switches — For determining VLAN membership. This is where users/systems attach to the network.

Trunking — For exchanging VLAN information throughout the network. This is essential for larger environments that comprise several switches, routers, and servers.

Multiprotocol routing — For supporting inter-VLAN communications. Remember that while all members within the same VLAN can communicate directly with one another, routers are required for exchanging information between different VLANs.

Servers — Servers are not required within VLAN environments specifically; however, they are a staple within any network. Within a VLAN environment, users can utilize servers in several different ways, and we’ll discuss them momentarily. Because VLANs are used throughout the network, users from multiple VLANs will most likely need their services.

Management — For security, control, and administration within the network. Effective management and administration is essential within any network environment, and it becomes even more imperative for networks using VLANs. The network management system must be able to recognize and administer the logical segments within the switched network.
Let’s look at some of these components in more detail.

Establishing VLAN Membership

Switches provide the means for users to access a network and join a VLAN. Various approaches exist for establishing VLAN membership, and each of these methods has its positive and negative points.

Membership by Port

Let’s look at the first method for determining or assigning VLAN membership:

Port-based — In this case, the port is assigned to a specific VLAN independent of the user or system attached to the port. This VLAN assignment is typically done by the network administrator and is not dynamic. In other words, the port cannot be moved to another VLAN without the network administrator intervening and making the change.
This approach is quite simple and fast, in that no complex lookup tables are required to achieve this VLAN segregation. If this port-to-VLAN association is done via ASICs, the performance is very good.
This approach is also very easy to manage, and a graphical user interface, or GUI, illustrating the VLAN-to-port association is normally intuitive for most users.
As in other VLAN approaches, the packets within this port-based method do not leak into other VLAN domains on the network. The port is assigned to one and only one VLAN at any time, and no other packets from other VLANs will “bleed” into or out of this port.

Membership by MAC Addresses

The other methods for determining VLAN membership provide more flexibility and are more “user-centric” than the port-based model. However, these methods are conducted with software in the switch and require more processing power and resources within the switches and the network. These solutions require a packet-by-packet lookup method that decreases the overall performance of the switch. (Software solutions do not run as fast as hardware/ASIC-based solutions.)
In the MAC-based model, the VLAN assignment is linked to the physical media address, or MAC address, of the system accessing the network. This approach provides enhanced security over the more “open” port-based approach, because all MAC addresses are unique.
From an administrative aspect, the MAC-based approach requires slightly more work, because a VLAN membership table must be created for all of the users within each VLAN on the network. As a user attaches to a switch, the switch must verify and confirm the MAC address with a central/main table and place it into the proper VLAN.
The network address and user ID approaches are also more flexible than the port-based approach, but they also require even more overhead than the MAC-based method, because tables must exist throughout the network for all the relevant network protocols, subnets, and user addresses. With the user ID method, another large configuration/policy table must exist containing all authorized user login IDs. Within both of these methods, the switches typically do not have enough resources (CPU, memory) to accommodate such large tables. Therefore, these tables must exist within servers located elsewhere in the network. Additionally, the latencies resulting from the lookup process would be more significant in these approaches.
From an administrative aspect, the network and user ID-based approaches require more resources (memory and bandwidth) to use distributed tables on several switches or servers throughout the network. These two approaches also require slightly more bandwidth to share this information between switches and servers.

Multiple VLANs per Port

When addressing these various methods for implementing VLANs, customers always question the use of multiple VLANs per switch port. Can this be done? Does this make sense?
The means for implementing this type of design is based on using shared hubs off of switch ports. Members using the hub belong to different VLANs, and thus, the switch port must also support multiple VLANs.
While this method does offer the flexibility of having VLANs completely port independent, it also violates one of the general principles of implementing VLANs: broadcast containment. An incoming broadcast on any VLAN would be sent to all hub ports, even though they may belong to a different VLAN. The switch, hub, and all end stations will have to process this broadcast even if it belongs to a different VLAN. This “bleeding” of VLAN information does not provide true segmentation, nor does it effectively use resources.
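The three situations just described (port-based membership, MAC-based membership, and a shared hub behind one port) can be reproduced in a few dozen lines. The following is an added example, not code from the lesson or from any switch vendor: a toy switch model that assigns an incoming frame to a VLAN either from the port's static setting or from a MAC membership table, learns addresses per VLAN, floods broadcasts only within the frame's VLAN, and then shows the "bleeding" that happens when a hub puts stations from two VLANs behind a single port. The class, port names, MAC addresses and frames are all constructed for the example.

```python
"""Toy model of a VLAN-aware switch (constructed example; not any vendor's code).

Two of the membership methods from the lesson are modelled:
  * port-based: every port is statically bound to one VLAN
  * MAC-based: the VLAN is looked up from the frame's source MAC in a membership table
A hub hanging off a port is modelled as several stations sharing that port, which is the
"multiple VLANs per port" situation and shows why it breaks broadcast containment.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Frame:
    src: str
    dst: str
    payload: str = ""


@dataclass
class Port:
    name: str
    vlan: Optional[int] = None                          # static VLAN (port-based mode only)
    stations: List[str] = field(default_factory=list)   # MACs on the port; more than one = hub


class VlanSwitch:
    def __init__(self, mode: str = "port", mac_table: Optional[Dict[str, int]] = None):
        if mode not in ("port", "mac"):
            raise ValueError("mode must be 'port' or 'mac'")
        self.mode = mode
        self.mac_vlan = dict(mac_table or {})           # MAC -> VLAN membership table (MAC-based mode)
        self.ports: Dict[str, Port] = {}
        self.cam: Dict[Tuple[int, str], str] = {}       # (VLAN, MAC) -> port; learned per VLAN

    def add_port(self, name: str, vlan: Optional[int] = None, stations: Tuple[str, ...] = ()) -> None:
        self.ports[name] = Port(name, vlan, list(stations))

    def ingress_vlan(self, port: str, frame: Frame) -> Optional[int]:
        """Decide which VLAN an incoming frame belongs to."""
        if self.mode == "port":
            return self.ports[port].vlan                # fixed by the administrator, no lookup
        return self.mac_vlan.get(frame.src)             # None: MAC not in the table, frame dropped

    def port_in_vlan(self, port: str, vlan: int) -> bool:
        if self.mode == "port":
            return self.ports[port].vlan == vlan
        return any(self.mac_vlan.get(m) == vlan for m in self.ports[port].stations)

    def forward(self, in_port: str, frame: Frame) -> Dict[str, List[str]]:
        """Return {egress port: [stations that end up receiving the frame]}."""
        vlan = self.ingress_vlan(in_port, frame)
        if vlan is None:
            return {}
        self.cam[(vlan, frame.src)] = in_port           # learn the source, scoped to its VLAN
        known = self.cam.get((vlan, frame.dst))
        if frame.dst != BROADCAST and known is not None:
            out_ports = [known]
        else:                                           # broadcast / unknown unicast: flood within the VLAN only
            out_ports = [p for p in self.ports if p != in_port and self.port_in_vlan(p, vlan)]
        # a hub repeats whatever the switch sends it to every attached station, VLAN or not
        return {p: list(self.ports[p].stations) for p in out_ports}


# Constructed MAC addresses used by the demos below.
A, B, C = "00:00:5e:00:53:01", "00:00:5e:00:53:02", "00:00:5e:00:53:03"


def port_based_demo() -> Dict[str, List[str]]:
    """VLAN 10 on Fa0/1 and Fa0/2, VLAN 20 on Fa0/3: a broadcast from A stays inside VLAN 10."""
    sw = VlanSwitch("port")
    sw.add_port("Fa0/1", vlan=10, stations=(A,))
    sw.add_port("Fa0/2", vlan=10, stations=(B,))
    sw.add_port("Fa0/3", vlan=20, stations=(C,))
    return sw.forward("Fa0/1", Frame(A, BROADCAST, "ARP who-has"))


def hub_bleed_demo() -> Dict[str, List[str]]:
    """MAC-based membership with a hub on Fa0/2 carrying a VLAN 10 station and a VLAN 20 station."""
    sw = VlanSwitch("mac", {A: 10, B: 10, C: 20})
    sw.add_port("Fa0/1", stations=(A,))
    sw.add_port("Fa0/2", stations=(B, C))               # shared hub: two VLANs behind one switch port
    return sw.forward("Fa0/1", Frame(A, BROADCAST, "ARP who-has"))
```

`port_based_demo()` delivers the VLAN 10 broadcast only to Fa0/2, so the VLAN 20 station on Fa0/3 never sees it; `hub_bleed_demo()` delivers the same broadcast to every station on the hub, including the VLAN 20 station, which is exactly the bleeding the paragraph above warns about. Note also that in MAC-based mode `ingress_vlan` trusts whatever source address the frame carries: the membership table decides the VLAN from the MAC it is presented with, nothing more.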

Communicating Between VLANs

Another key component of VLANs is the router. Routers provide inter-VLAN communications and are essential for sharing VLAN information in large environments. The Layer 3 routing capabilities provide additional security between networks (access lists, protocol filtering, and so on).

In general, there are two approaches to using routers as communication points for VLANs:

- Logical connection method— Using ISL within the router, a trunk can be established between the switch and the router. One high-speed port is used, and traffic for multiple VLANs runs across this trunk link. (We’ll explain ISL in just a minute.)

- Physical connection method— Multiple independent links are used between the router and the switch. Each link contains its own VLAN. This scenario does not require ISL to be implemented on the router and also allows lower-speed links to be used.

The proper method to implement depends on the customer’s needs and requirements. (Does the customer need to conserve router and switch ports? Does the customer need a high-speed ISL port?) In both instances, the router still supports inter-VLAN communication.

Server Connectivity

The network server is another key component of VLANs. Servers provide file, print, and storage services to users throughout the network regardless of VLANs.
To optimize their network environments, many customers deploy centralized server farms in their networks. This eases administration of the servers and the Network Operating System, or NOS, significantly. These server farms contain servers that support the entire network, but each server supports a specific VLAN or number of VLANs.

As in the use of routers within VLANs, there are two approaches to using servers as common access within a VLAN environment:

Logical connection method
Using a server adapter (NIC) running ISL, a trunk can be established between the switch and the server. One high-speed port is used, and traffic for multiple VLANs runs across this trunk link. This method offers greater flexibility as well as a high-performance solution that is easy to administer (that is, one NIC to set up and monitor). Note: ISL is now supported in several vendors’ server NIC cards: Intel, CrossPoint. These adapters support up to 64 VLANs per port and cost approximately US$500.

Physical connection method
Multiple independent links are used between the server and the switch. Each link carries its own VLAN. This method does not require ISL to be implemented on the server and also allows lower-speed links to be used.

The proper method to implement depends on the customer’s needs and requirements. (Does the customer need to conserve switch ports? Does the customer need a high-speed ISL port? Does the customer want to use ISL server adapters?) In both methods, the server still supports multiple VLANs.

VLAN Technologies

Let’s take a look at some technologies that are essential for VLAN implementations.

Inter-Switch Link

Cisco developed the Inter-Switch Link, or ISL, mechanism to support high-speed trunking between switches and switches, routers, or servers in Fast Ethernet environments.

Cisco’s Inter-Switch Link protocol (ISL) enables VLAN traffic to cross LAN segments. ISL is used for interconnecting multiple switches and maintaining VLAN information as traffic goes between switches. ISL uses “packet tagging” to send VLAN packets between devices on the network without impacting switching performance or requiring the use and exchange of complex filtering tables. Each packet is tagged depending on the VLAN to which it belongs.

The benefits of packet tagging include manageable broadcast domains that span the campus; bandwidth management functions such as load distribution across redundant backbone links and control over spanning tree domains; and a substantial cost reduction in the number of physical switch and router ports required to configure multiple VLANs.

The ISL protocol enables in excess of 1000 VLANs concurrently without requiring any fragmentation or reassembly of the packets.
Additionally, ISL wraps a 48-byte “envelope” around the packet that handles processing, priority, and quality-of-service, or QoS, features. ISL is not limited to Fast Ethernet/Ethernet packet sizes (1518 bytes) and can even accommodate large packet sizes up to 16000 bytes, which is appropriate for Token Ring. It is important to understand that ISL and 802.1Q (a format used by some other vendors) are both just packet-tagging formats. Neither sets up a standard for administration.
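Packet tagging is easiest to understand by building a tagged frame and reading it back. The following is an added example, not code from the lesson and not Cisco's ISL implementation: it builds and parses the 802.1Q tag mentioned above (the 4-byte tag inserted after the source MAC, carrying a 12-bit VLAN ID plus priority bits), together with the VLAN ID range check a receiving device should apply. ISL's proprietary envelope is not modelled. The MAC addresses and the payload bytes are constructed for the example.

```python
"""Tagging and parsing 802.1Q frames (constructed example; not code from the lesson or from Cisco).

Tagged frame layout:  dst MAC (6) | src MAC (6) | TPID 0x8100 (2) | TCI (2) | EtherType (2) | payload
TCI bit layout:       PCP (3 bits) | DEI (1 bit) | VID (12 bits)
VID 0 means "priority-tagged, no VLAN" and VID 4095 is reserved, so 1..4094 are usable.
"""
import struct
from typing import Dict

TPID_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800


def mac_bytes(mac: str) -> bytes:
    return bytes(int(octet, 16) for octet in mac.split(":"))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def tag_frame(dst: str, src: str, vid: int, ethertype: int, payload: bytes,
              pcp: int = 0, dei: int = 0) -> bytes:
    """Insert an 802.1Q tag: what a trunk port does on egress for a frame that belongs to `vid`."""
    if not 1 <= vid <= 4094:
        raise ValueError(f"VID {vid} is not a usable VLAN ID (0 and 4095 are reserved)")
    if not 0 <= pcp <= 7 or dei not in (0, 1):
        raise ValueError("PCP must be 0..7 and DEI must be 0 or 1")
    tci = (pcp << 13) | (dei << 12) | vid
    return mac_bytes(dst) + mac_bytes(src) + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload


def parse_frame(frame: bytes) -> Dict[str, object]:
    """Read the tag, if any: what the receiving trunk port does to learn the frame's VLAN."""
    if len(frame) < 14:
        raise ValueError("runt frame: shorter than an Ethernet header")
    dst, src = mac_str(frame[0:6]), mac_str(frame[6:12])
    (tpid_or_type,) = struct.unpack("!H", frame[12:14])
    if tpid_or_type != TPID_8021Q:
        # Untagged: the field is the EtherType and the frame belongs to the port's configured VLAN.
        return {"dst": dst, "src": src, "vid": None, "ethertype": tpid_or_type, "payload": frame[14:]}
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q header")
    tci, ethertype = struct.unpack("!HH", frame[14:18])
    return {"dst": dst, "src": src, "pcp": tci >> 13, "dei": (tci >> 12) & 1,
            "vid": tci & 0x0FFF, "ethertype": ethertype, "payload": frame[18:]}


def untag_frame(frame: bytes) -> bytes:
    """Remove the tag: what an access port does on egress so the host sees a plain Ethernet frame."""
    if parse_frame(frame)["vid"] is None:
        return frame
    return frame[:12] + frame[16:]   # drop the 4 tag bytes (TPID + TCI) after the source MAC


# Constructed sample: a broadcast IPv4 frame from VLAN 10 crossing a trunk with priority 5.
SAMPLE_PAYLOAD = b"\x45\x00" + b"\x00" * 18       # constructed, truncated IPv4 header bytes


def trunk_demo() -> Dict[str, object]:
    tagged = tag_frame("ff:ff:ff:ff:ff:ff", "00:00:5e:00:53:0a", 10, ETHERTYPE_IPV4,
                       SAMPLE_PAYLOAD, pcp=5)
    return parse_frame(tagged)
```

`trunk_demo()` returns a parsed frame with `vid` 10, `pcp` 5 and EtherType 0x0800; the 4 tag bytes in the frame are `81 00 a0 0a` (TPID 0x8100, then TCI 0xA00A = priority 5 in the top three bits and VLAN 10 in the low twelve). Untagging that frame yields the original 14-byte header followed by the payload, and parsing the untagged frame reports `vid` as `None`, which is the cue for a port to fall back to its own configured VLAN rather than to any value carried in the frame.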

VLAN Standardization

While Cisco was first to market with its revolutionary packet tagging schemes for Fast Ethernet and FDDI, they are proprietary solutions. Other vendors implemented their own unique methods for sharing VLAN information across the network. As a result, a standards body was created within the IEEE to provide one common VLAN communication standard. This ultimately benefits customers using switches from various vendors in the marketplace.

Within the 802.1Q standard, packet tagging is the exchange vehicle for VLAN information.

Because ISL is so widely deployed in our installed customer base, Cisco will continue to support both ISL and 802.1Q. It is important to note that Cisco’s dual mode support of both methods will be implemented via hardware ASICs, which will provide tremendous performance.

VLAN Standard Implementation

This diagram illustrates a typical customer implementation of the 802.1Q VLAN standard. This scenario is based upon a customer network composed of two separate campuses based on different vendors’ technology (Cisco and vendor X).
If the customer already has Cisco switches deployed, it can maintain its use of ISL. Also, it can maintain its use of the VLAN trunking scheme used by vendor X. However, the new joined network must use the 802.1Q standard to share VLAN information between switches within the campus.

Virtual Trunk Protocol (VTP)

In addition to the ISL packet tagging method, Cisco also created the Virtual Trunking Protocol, or VTP, for dynamically configuring VLAN information across the network regardless of media type (for example, Fast Ethernet, ATM, FDDI, and so on).
This VTP protocol is the software that makes ISL usable.

VTP enables VLAN communication from a centralized network management platform, thus minimizing the amount of administration that is required when adding or changing VLANs anywhere within the network. VTP completely eliminates the need to administer VLANs on a per-switch basis, an essential characteristic as the number of a network’s switches and VLANs grows and reaches a point where changes can no longer be reliably administered on individual components. VTP allows for greater scalability because it eliminates complex VLAN administration tasks across every switch.

Conceptually, VTP works like this: When you add a new VLAN to the network, let's say VLAN 1, VTP automatically goes out and configures the trunk interfaces across the backbone for that VLAN. This includes the mapping of ISL to LANE or to 802.1Q.
Adding a second VLAN is just as easy. VTP sends out new advertisements and maps the VLAN across the appropriate interfaces. The important thing to remember about this second VLAN is that VTP keeps track of the VLANs that already exist and eliminates any cross configuration between the two, something that can easily happen when the configuration is done by hand on each switch.
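The advertisement flow just described can be made concrete with a small simulation. The following is an added example, not the lesson's code and not Cisco's VTP implementation: a simplified VTP-style exchange in which one server per management domain creates VLANs, each change raises a configuration revision number, and switches adopt an advertisement only if it names their own domain and carries a higher revision than the database they already hold, relaying it onward over their trunks. The switch names, domain names and VLAN numbers are constructed; the revision-number rule is an assumption of this model.

```python
"""Simplified model of how VTP advertisements propagate a VLAN database
(constructed example; not Cisco's implementation and not code from the lesson).

Assumptions of this model: one server per management domain creates VLANs; every change
bumps a configuration revision number; advertisements travel over trunk links; a switch
adopts an advertisement only for its own domain and only when its revision is higher.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Advertisement:
    domain: str
    revision: int
    vlans: Dict[int, str]                    # VLAN ID -> name


class VtpSwitch:
    def __init__(self, name: str, domain: str, role: str = "client"):
        if role not in ("server", "client"):
            raise ValueError("role must be 'server' or 'client'")
        self.name, self.domain, self.role = name, domain, role
        self.revision = 0
        self.vlans: Dict[int, str] = {1: "default"}     # VLAN 1 always exists
        self.trunks: List["VtpSwitch"] = []

    def trunk_to(self, other: "VtpSwitch") -> None:
        self.trunks.append(other)
        other.trunks.append(self)

    def add_vlan(self, vid: int, name: str) -> None:
        """Create a VLAN once, centrally; the advertisement then carries it to the whole domain."""
        if self.role != "server":
            raise PermissionError(f"{self.name} is a VTP client; VLANs are created on the server")
        if vid in self.vlans:
            raise ValueError(f"VLAN {vid} already exists as '{self.vlans[vid]}'; refusing to redefine it")
        self.vlans[vid] = name
        self.revision += 1
        self.advertise()

    def advertise(self) -> None:
        adv = Advertisement(self.domain, self.revision, dict(self.vlans))
        for neighbour in self.trunks:
            neighbour.receive(adv, sender=self)

    def receive(self, adv: Advertisement, sender: "VtpSwitch") -> None:
        if adv.domain != self.domain:
            return                               # another management domain: ignore it
        if adv.revision <= self.revision:
            return                               # stale or already-applied database: ignore it
        self.vlans = dict(adv.vlans)
        self.revision = adv.revision
        for neighbour in self.trunks:            # relay across the rest of the backbone
            if neighbour is not sender:
                neighbour.receive(adv, sender=self)


def build_campus() -> Tuple[VtpSwitch, VtpSwitch, VtpSwitch, VtpSwitch]:
    """Constructed topology: server -- client -- client, plus a switch in a different domain."""
    server = VtpSwitch("core", "CAMPUS", role="server")
    client1 = VtpSwitch("bldg-a", "CAMPUS")
    client2 = VtpSwitch("bldg-b", "CAMPUS")
    other = VtpSwitch("partner", "PARTNER")
    server.trunk_to(client1)
    client1.trunk_to(client2)
    client2.trunk_to(other)
    return server, client1, client2, other


def propagation_demo() -> Dict[str, Tuple[int, List[int]]]:
    """Add two VLANs on the server and report (revision, VLAN IDs) held by every switch."""
    server, client1, client2, other = build_campus()
    server.add_vlan(10, "engineering")
    server.add_vlan(20, "finance")
    return {sw.name: (sw.revision, sorted(sw.vlans)) for sw in (server, client1, client2, other)}
```

`propagation_demo()` creates VLANs 10 and 20 on the server only; afterwards both CAMPUS clients hold `[1, 10, 20]` at revision 2 without anyone touching them, while the PARTNER switch on the far end of the chain keeps only VLAN 1 at revision 0. Because the comparison in `receive` is what decides which database wins, the practical check that accompanies this mechanism is to look at a switch's domain and revision before trunking it into an existing domain.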

Summary

- VLANs enable logical (instead of physical) groups of users on a switch

- VLANs address the needs for mobility and flexibility

- VLANs reduce administrative overhead, improve security, and provide more efficient bandwidth utilization