Using vLANs
Gilbert Held
There's a new LAN in town, called a virtual LAN, or more commonly referred to as a vLAN. This virtual LAN provides an entirely different set of resources and capabilities that can provide significant advantages to network managers, LAN administrators, and users of a network. In this article, I'll explore the capabilities and limitations of virtual LANs. To do so, I will first examine the concept behind a virtual LAN. I will discuss how they can be created and why they provide an enhanced level of networking capability over conventional LANs. I will then focus on the different types of vLANs from which we can create this new logical networking structure and discuss the interoperability issues we should be aware of.
Overview The basic concept behind the virtual LAN is relatively simple. By definition a virtual LAN is defined as a broadcast domain. If we take this definition literally, every LAN user has always been on a virtual LAN because each network consists of a broadcast domain formed by the cabling of workstations to hubs and the interconnection of two or more hubs to expand the scope of a network. Of course, the literal definition of a vLAN does not provide any advantages over an existing network. However, when we have the ability to create two or more broadcast domains, then we can take advantage of the capability of vLANs and logically partition one broadcast domain into two or more domains.
To obtain a general appreciation of the capabilities of vLANs, let's compare them to a traditional IP network. On that network, each station has the same network address. This means that a broadcast generated by one station flows to all other stations. If that network is formed through the use of a switch, you can easily restructure the single broadcast domain into two or more, tailoring traffic flow to better suite your operational environment. Although you could consider using subnets to achieve the same result, you would need to manually reconfigure both hardware and software, which could become a daunting task.
Illustrating some of the benefits associated with the use of vLANs is best accomplished by using a switching hub to create a few vLANs. Figure 1 illustrates an 8-port, vLAN-capable switching hub that allows virtual LANs to be created by grouping selected ports into a broadcast domain.
Port-based vLANs are one of several types of vLANs marketed by switch manufacturers. Other popular types of vLANs include MAC address-based vLANs, network-based vLANs, and policy or rules-based vLANs, each of which will be examined later in this article. In examining Figure 1, note that ports 0, 2, 5, and 7 are configured to be in one broadcast domain, which is associated with vLAN1. The remaining ports on the switching hub, ports 1, 3, 4, and 6, are configured to be in a second broadcast domain, which is noted as vLAN2.
To illustrate some of the advantages associated with vLANs, let's assume your organization's switched network has two employee departments, engineering and accounting, each with their own server. Let's further assume that engineering employees and their server are connected to ports that comprise vLAN1, while accounting employees and their server are connected to switch ports associated with vLAN2.
Without a vLAN capability, a switching hub can be considered as a multiport bridge. As such, broadcast traffic generated by each server to alert other stations of its presence is transmitted to every port regardless of whether network users connected to those ports ever require access to those servers. Similarly, when a workstation used by an employee in one department transmits data to an employee in the same department whose station's address has not been learned, the switch will flood the frame onto all ports other than the originating port regardless of the affiliation of switch users connected to each port.
Thus, the vLAN's ability to logically subdivide switch ports into two or more broadcast domains prevents broadcast traffic occurring in one domain from adversely affecting transmission on other broadcast domains. When you consider the fact that many vLAN-capable switches permit domain subdivision to occur as a point-and-drag operation while IP subnetting involves hardware and software reconfiguration, you begin to appreciate the capabilities of vLANs. If you're managing a thousand-station network you might even send a thank-you note to your switch vendor!
Returning to the example shown in Figure 1, the ability to place servers used by different departments on different vLANs would prevent the broadcast traffic on the accounting vLAN from adversely affecting engineering users and vice versa. Similarly, as frames are transmitted to users whose MAC addresses have yet to be learned by the switch, the effect of frame flooding is localized to logical partitions based on how vLANs are created.
A second advantage associated with the use of vLANs is the fact that they can facilitate network modifications. For example, assume a network user connected to a segment that is connected to port 0 was moved either as a direct connection to port 5 or onto a segment connected to port 5 on the switch. Since ports 0, 2, 5, and 7 are shown configured as vLAN1, the user's association with the vLAN is maintained. Thus, another advantage associated with the use of vLANs is that their use can facilitate adds, moves, and changes.
A third benefit usually associated with vLANs is security. vLANs are not designed to provide any enhancements to facilitate network security, nor should they be considered a security device. However, the the fact that they isolate transmission to a broadcast domain makes it harder for users in other domains to eavesdrop on other network users. For example, a curious or unscrupulous engineer, who places a network sniffer on a port assigned to the engineering vLAN, will not be able to read accounting traffic because it is restricted to the accounting broadcast domain. Thus, there is a degree of transmission privacy built into vLANs based upon the manner by which traffic is restricted to the broadcast domain.
Disadvantages Although there are several advantages associated with the use of vLANs, they are not the solution to all network management problems. First, vLANs take time to plan and configure. This time can vary from a few minutes for a port-based vLAN switch to hours or days if you are using a MAC-based vLAN and have a network with hundreds or thousands of users. A second disadvantage concerns interoperability. Although the IEEE 802.1Q standard was due to be finalized in May 1998, that standard only covers port-based vLANs, perhaps the simplest of all vLAN creation methods. In addition, balloting for draft number 10 was in progress during June, so the standard will obviously be delayed. The IEEE 802.1Q standard also involves the insertion of explicit tags into frames, which extends the maximum length of frames beyond that supported by some types of "legacy" LAN equipment. Thus, the ability to take advantage of some of the built-in capabilities associated with vLANs through the use of equipment compliant with the IEEE 802.1Q standard may restrict your ability to use existing LAN equipment as well as to interoperate with different types of vLANs.
Another disadvantage associated with vLANs is inter-vLAN communications. Since a vLAN represents a broadcast domain, normally the use of a router or switching hub would be required to provide inter-vLAN communications. Since router ports are relatively expensive in comparison to switch ports, the ability to provide inter-vLAN communications capability can significantly affect your financial plan. Fortunately, if you only have a limited requirement for inter-vLAN communications, you could connect your network stations that require multiple vLAN membership to switch ports associated with each vLAN.
An example of this configuration is shown in Figure 2. In this example, a server that must provide access to users associated with both vLAN 1 and vLAN 2 is shown connected to two ports, one for each vLAN. Thus, instead of having to use a router, you could install an additional network card and its cabling to a second switch port in order to support client-server requests from each vLAN. However, since there are a limited number of expansion slots in most PCs, this configuration is only applicable where stations associated with a limited number of vLANs need access to a few common servers. Otherwise, more expensive routers will be required to provide inter-vLAN communications capability.
MAC Address vLANs In Figures 1 and 2, we briefly examined the use of a port-based vLAN creation method. Other common types of vLANs include MAC address vLANs, network-based vLANs, rules-based vLANs, and emulated LANs. The latter is a technique whereby vLANs are created by assigning stations connected to an Ethernet switch (which in turn is connected by an ATM backbone) to a database that allows the stations to be grouped into a broadcast domain. The most common method of grouping is based on the port by which the stations are connected to the switch. When this occurs, the emulated LAN's virtual LAN creation method is in effect a port-based vLAN creation method that includes ports on other Ethernet switches connected by the ATM backbone.
Returning to our examination of vLAN construction methods, we can consider port-based vLANs similar to layer 1 of the ISO Reference Model, because the configuration of the vLAN is by physical port. Moving up the ISO Reference Model, we can consider a MAC-based vLAN creation method to be equivalent to layer 2 of the ISO Reference Model, since MAC addresses used for vLAN creation are those addresses used for the data link. To illustrate the use of a layer 2 vLAN creation method, consider Figure 3. In this example, the eight-port switching hub is shown supporting both port and segment connections. The 48-bit MAC address that is normally displayed and operated upon as 12 hex characters is shown as a letter in Figure 3.
In Figure 3, note that stations with addresses A, B, C, D, H, I, and J are assigned to vLAN 1, while stations with addresses E, F, G, K, L, M, and N are assigned to vLAN 2. At this point, you might be tempted to say "so what", since a port-based vLAN where ports 0, 1, 4, and 5 assigned to vLAN 1 and ports 2, 3, 6, and 7 assigned to vLAN 2 would, in effect, provide the same results.
To understand the advantages of a layer 2 vLAN creation capability over a port-based vLAN creation capability, let's assume that the station whose address is B is moved to the segment connected to port 2 on the switching hub. Since each vLAN is constructed based upon the MAC address of network stations, the switching hub will automatically track the movement of the station. This would not be possible using a port-based vLAN creation method, because all stations on a segment connected to a switch port must be members of the same vLAN. Of course, this additional capability is not without a price. Just think about all the fun you will have determining and entering the MAC address of every station to be connected to the switch.
Other disadvantages of the use of MAC-based vLANs include broadcast and privacy issues and the use of docking stations to facilitate the connection of employee laptops when they return from trips. Concerning docking stations, if the LAN adapter is in the station, the station would always be a member of the same vLAN. This is true even when employees of different departments use the station, unless the administrator manually reconfigures the switch each time an employee returns from a trip.
Concerning broadcast and privacy, if station B is moved to the segment connected to port 2, that segment and each station on the segment will receive traffic destined to both vLANs. Thus, it becomes possible for broadcast domains to overlap, a situation you may wish to consider when you configure your vLANs. Some switch vendors permit the overlapping of broadcast domains on a segment, while other switch vendors do not.
Network-Based vLANs A network-based vLAN creation capability requires a switch to look further into each packet to determine the network protocol being used. Once this is accomplished, the switch may look a bit further depending upon the method it uses for establishing network-based vLANs.
A simple example of the use of network-based vLANs would be to assign stations to vLANs based upon the network protocol they use. For example, all stations using NetWare's IPX/SPX protocol suite could be assigned to one vLAN broadcast domain, and all stations using the Internet Protocol (IP) could be assigned to a second vLAN broadcast domain. A second method for creating network-based vLANs is to use the network address in each packet as a decision criterion. For example, stations connected to different ports on a switch, but which are assigned to the same IP subnet, could be associated to one vLAN. Stations connected to other ports, which are assigned to a different IP subnet, would be associated with a different vLAN.
One of the advantages associated with a network-based vLAN creation capability is the ability to control broadcasts and traffic flow. For example, if you have a network that uses NetWare for internal corporate use and TCP/IP for Internet access, you would connect a router to a port configured as a member of the vLAN associated with the IP protocol. That router would be connected via a WAN to an ISP. Since NetWare servers are well known for broadcasting their presence on a network, by isolating NetWare traffic to one vLAN, you would minimize the effect of server advertisements upon stations using the IP protocol.
Rules-Based vLANs A relatively new method of vLAN creation is accomplished by the ability of some switching hubs to examine literally every bit in every packet that flows through the switch. Through the use of a comprehensive software program, administrators can create vLANs based upon the values of different fields within a frame (layer 2) or packet (layer 3) data flow. In fact, some rules-based vLAN creation techniques permit the switch administrator to use a variety of boolean logic operators on the contents of fields, and even individual bit positions within a field, to configure the rules by which the contents of a frame or packet will be associated with a vLAN. For example, you could assign all stations within a block of IP addresses, all destination MAC addresses within a certain range generated by source MAC addresses within a certain range, and all frames transporting email.
To alleviate a potential bit of confusion, let's review the difference between layer 3 vLAN creation and layer 3 switching. Layer 3 vLAN creation results in the creation of one or more broadcast domains based upon the type of network layer. In comparison, layer 3 switching uses the layer 3 address as a metric for routing packets. Thus, a layer 3-based vLAN creation method results in all layer 3 devices receiving a layer 3 transmission if their protocols match, while layer 3 switching results in only one device receiving a packet, assuming it was a unicast packet.
Although a switch with a comprehensive rules-based vLAN creation capability provides almost an unlimited possibility for the creation of vLANs based upon almost any criteria you may require, there is a downside. That downside is when the administrator gets too greedy and configures vLANs based upon the inclusion and exclusion of numerous criteria. As more elaborate vLAN construction rules are created, the processes associated with examining each frame or packet flowing through the switch increases. At a certain level, the processing required to examine each frame or packet can be expected to adversely affect switch throughput. Thus, although rules-based vLAN creation capability can provide a significant ability to customize the creation of vLANs, too much customization could degrade switch performance.
Switch Interoperability Issues As you interconnect two or more switching hubs, you more than likely want the ability to create vLANs that span multiple switches. Currently the ability to configure vLANs across multiple switches depends upon the ability of switches to communicate with one another. This inter-switch communications capability is proprietary, with each switch manufacturer using a different method to transmit switch configuration data from one switch to another. However, as discussed earlier in this article, the pending IEEE 802.1Q vLAN standard uses a tag-based mechanism to provide the ability to identify frames assigned to different vLANs. As tagged frames flow from one switch to another, they maintain their vLAN relationship regardless of the signaling method used to communicate configuration information between switches. Once vendors construct switching hubs that are compliant with this standard, you should be able to use switches from different vendors to create vLANs that span multiple switches. However, since the IEEE 802.1Q standard is currently applicable to the creation of port-based vLANs, you will have to continue to consider proprietary equipment if you want other vLAN creation methods.
About the Author
Gilbert Held is an award-winning author and lecturer and is the author of more than 25 books and 200 articles. Some of his recent titles include Virtual LANs, Ethernet Networks 2ed., High Speed LAN Switching, LAN Performance: Issues and Answers, The Complete Modem Reference 3ed., and Data and Image Compression 4th ed., all published by John Wiley & Sons. Gil can be reached at: 235-8068@mcimail.com.
|