Editor's Note
 IT Purchases
 Linux, But Which One?
 Virtual LANs
 Free Software - II
 Database Components
 Windows Security - I
 CISN Archive
 Questionnaire
 Send Feedback


Computing & Information Services Newsletter
Virtual Local Area Networks (VLANs)
     
 

Virtual Local Area Network (VLAN) is implemented by grouping the network users and resources logically (instead of physically) on a local area network (LAN) and assigning each port of a switch to VLAN. VLAN implementation frees up bandwidth by limiting broadcast traffic throughout the network, because every VLAN receives its own broadcast. VLANs can be defined according to the location, to the department, to the people or according to the implementation/protocol.

Most of the problems that are caused by Layer 2 switching can be fixed by implementing VLANs on the network. We can group them under the following main titles.

1. Broadcast Control

Broadcast is generated by any protocol. However, the amount of the broadcast is dependent on the protocol used, the implementation and how the service is being used. The Layer 2 switching devices that are without VLAN implementation, send the broadcast packets they receive to every port without taking it into account whether the other node will take it or not. Let's assume the number of devices on the network is abundont; then the broadcast will be multiplied accordingly since the packets are being sent to every device available on the network.

A well designed network should be divided into segments according to some criteria. Switching and routing are the best methods to accomplish this task. This will prevent braodcast traffic between VLANs.

2. Security

Another disadvantage of a network without VLAN is security. On a network where switch is not implemented and where the data transfer is provided over coax cable or through a hub, the data transfer between two computers is also disseminated to all of the devices that are connected to the network (collision). As well as creating traffic problems on the network, the software that may sniff all the packets sent and received on the network, and other software and hardware that may decrypt some of the data transmitted may pose serious security problems. On a network where switch is implemented as the tool of transmission, the security problem between the ports is defeated since every port is set apart forming their own collision segment. However, the boradcast is disseminated to all the ports on a plain network with switch topology, and this means that every device receive all the broadcast traffic of each other.

Another important fact is that the user groups that do not have a network relationship with others on this network will be provided access by the other devices which will send them broadcast packets. Such security vulnerabilities are eliminated if the network devices on the switch are segmented into VLANs. Segmenting the devices into VLANs will prevent a user to connect himself/herself to a port to sniff the entire network and steal private information. That user can only operate on the VLAN he/she is connected to.

3. Flexibility

A network designed by creating VLANs actually means that broadcast groups are created on it. It is easily and flexibly possible to assign one user to any of the VLANs regardless of his/her location. Likewise, a VLAN that has expanded in time may be easily be transferred to other VLANs that are created anew. This can be done by defining a new port on the switch.

If the same process is to be carried out on a network without VLAN support, one has to establish a physical connection to the central router, a requirement for the sub-network that will be created.

On a network with VLAN implementation, a router to perform routing between VLANs or another layer 3 device is required. For every VLAN used on a switch, an end should connect the switch to the router.

The Inter-Vlan Communication

There are two types of VLANs:

1. Static VLANs: They are defined and assigned to each port of a switch by network administrators. Unless changed by the administrator, that port of the switch remains assgined to that VLAN. This method makes it easier for the administrators to monitor and manage the network.

2. Dynamic VLANs: In dynamic VLAN, the switch locates the VLAN of the device that is connected to its port and automatically assigns that port to the VLAN it locates. With network management programs it is possible to define VLAN at the level of hardware address (MAC- Media Access Control), protocol, or even at the level of implementation. To set an example, let us assume that MAC addresses are entered to a central VLAN management implementation. When a device is connected to a port of a switch which is not assigned with a VLAN, the MAC address is requested from the VLAN database; then the VLAN value obtained is assigned to that port of the switch. If the user changes or the device that is connected to the port changes, a new VLAN value is requested, and then it is assigned to the port. If then, the database is created carefully, this reduces the burden of administration and configuration tasks for the administrator. VMPS (VLAN Management Policy Server) is made available on the Cisco devices for dynamic VLANs in order to provide VLAN mapping database service instead of using MAC addresses.

VLAN Definitions

VLANs are distributed between the switches that are linked. Using a method named as "frame tagging", the packet obtained by the switch fabric is sent to the port(s) assigned to that VLAN the switch fabric belongs to. Switch fabric is the switch group that carries the same VLAN information. There are two types of connections about switches:

Access links: On this type of link passes only traffic for a single VLAN. The device that is connected on access link, operates independent of the inter-VLAN connections and physical network assuming that it is connected to a broadcast domain. Switches remove the VLAN header on the packet before sending it to the device connected with access link. Unless routed by a router or a Layer 3 device, the packets sent by the devices on the access link, do not communicate with the devices out of their own VLANs.

Trunk links: Trunk link allows the crossing of traffic from multiple VLANs. Trunk link can be used to connect a switch to another switch, to a router or a server. Trunk link is supported only on Fast or Gigabit Ethernet. Cisco switches use two different methods to identify the VLANs on the trunk link: ISL and IEEE802.1q. Trunk links are used to transfer VLANs between the devices and they can beconfigured to carry all or some of the VLANs.

With the method Frame tagging, the switch that receives the packet looks for inspects the VLAN ID (VLAN number) of the packet and finds out what to do the with the packet by checking the filter table. The VLAN header on the packet leaves the packet before quitting the trunk link. If another trunk link is available on the switch where the packet has come from, the packet is directly sent from this port. The last device that the packet is sent to cannot access the VLAN information on the packet.

VLAN Definition Methods

Inter-Switch Link (ISL): This is used by Cisco switches and can only operate on Fast or Gigabit Ethernet. This method is called "external tagging". In this method, the original size of the packet is not changed, however, an 26-byte ISL header is added to the packet and the identification of VLAN between the devices is made possible. Moreover, it adds a 4-byte FCS (frame check sequence) at the end of the packet which controls the the packet. After these additions, the packet can only be identified by the devices that identify ISL.The size of the packet may reach up to 1522 bytes whereas the maximum size on ethernet network is 1518 bytes. The packet which is enveloped with ISL information, will set itself apart from all the additions and return to its original state, if it is going to travel over access link type of connection.

IEEE 802.1q: This standard method, which is developed by IEEE, is used to carry multi VLANs on a single connection, between switches or routers of different brands. A tag that conforms to the defined standard specified is placed on the packet recevied and this method enables the identification of the VLAN of the packet belongs to between the devices.

LAN Emulation (LANE): It is used to carry multi VLANs over a single connection on ATM network.

IEEE 802.10 (FDDI): It is used to carry multi VLANs over a single connection on FDDI network. It adds the VLAN identification header, named as SAID, on the packet.

Inter-VLAN Routing

The devices that are connected to a VLAN can intercommunicate with each other and send their broadcasts without a restriction. VLANs segment the network and separate the traffic. A Layer 3 device is required for the communication of devices between VLAN s.

Two alternatives are available at this stage:

1. One connection is added for each VLAN on a router and the required configurations are done on the router to inter-VLAN communication.

2. A connection to the switch fabric on a ISL router (or a router which can define a VLAN on a trunk link) is established. After the required configurations are done on the router, communication can be established between the VLANs.

If the VLAN number to be defined on the network is small (2 or 3), the first alternative should be selected and a router with the same amount of gateways as of the number of VLANs should be provided.

However, if the VLAN number is abundant and the if the network has a tendency to expand, the second alternative should be selected. Cisco routers provide ISL support for the 2600 models and above. In this case, ISL service should be run on one of the connections of the router (preferably on the one with the highest bandwidth), or a "route switch module (RSM)" should be provided on the router to perform routing. RSM provides 1005 VLAN support and packet processing takes less time since it runs at the backplane of the router. The VLAN routing of the router by running ISL on the Fast or Gigabit ethernet connection is called "router-on-a-stick".

VLAN Trunk Protocol (VTP)

Cisco developed VLAN Trunk Protocol (VTP) to provide VLAN management of the switches connected on anetwork. VTP helps the network administrator to perform tasks such as changing, adding or deleting names on VLANs, and VTP reports the new information to all of the switches on the network. VTP;

  • removes the errors such as the configuration deficiency or mis configuration with regard to the central management on multi switch networks It eliminates problems on multi switch networks such as configuration deficiency or misconfiguration with regard to central administration.
  • helps to establish VLAN trunk links between different types of networks. For example, it shares VLAN definitions tanımlamalarını between Ethernet, ATM (LANE), FDDI.
  • provides error-free VLAN tracking and monitoring.
  • reports the dynamically added VLANs to all of the switches.

For a VTP to manage the VLANs on a network, a VTP server should provide service for that network. All the servers and switches that are required to share the VLAN information, should be configured to the same VTP domain group. Switches announce the VTP domain information, configuration renewal number, and and all the known VLANs with their parameters. Switch can be configured as to send VTP information over trunk port, however not to receive it over trunk port and not to update VTP database (transparent mode).

Switches detect the new VLAN definition by listening to the VTP information that is to arrive and then return to the previous position to wait for that VLAN's new information that will come from the trunk ports. The VTP information that may arrive can be VLAN ID, IEEE 801.10, SAID or LANE. The updates are done by the enhancement of the configuration renewal number. If the switch receives a higher configuration renewal number than its renewal number, it identifies the fact that a new configuration is received and it saves this new information that has just arrived on the old database.

There are 3 types of VTP operation modes: Server, Client, Transparent.

Server: Cisco Catalyst series are preinstalled on the switches Minimum one VTP server is required for tasks such as adding, removing, configuring VLAN for VTP domain. Any changes made on the switch that runs on the server mode, is announced to that VTP domain. Its configuration is kept on NVRAM (Non-Volatile RAM).

Client: These are switches that obtain the information from the VTP servers, that receive and send the updating information, however they cannot make any changes on them. Its configuration cannot be kept on NVRAM (Non-Volatile RAM), it is temporary.

Transparent: These are switches that send the VTP information received directly 'as is' over the trunk ports without joining to the VTP domain group.They do not send the changes that may be made on their own VTP database over the trunk ports. Their configuration is kept on NVRAM (Non-Volatile RAM).

VLAN Prunning

To save bandwidth and to reduce, multicast and other unicast packets, VTP configuration has to be changed. This is called VLAN prunning. VTP prunning service sends the broadcast received only to its trunk ports that are to receive that information, it does not send it to others. For example, the VLAN 5 broadcast which is received by a switch which does not have any VLAN 5 port, is certainly not sent over any of the ports of the switch. VTP prunning is delivered as switched-off on switches. To activate VTP prunning, it is essential that it should be activated on all the VTP domain. The numbers between VLAN 2 to 1005 are the VLAN numbers available for prunning. Since VLAN 1 is a VLAN for administration purposes, it can never be pruned.

Gökhan Eryol

 
     
  - TOP -  
© 2002 METU CC
Design: CC - INFO