Virtual LAN
A virtual local area network, virtual LAN or VLAN, is a group of hosts with a common set of requirements that communicate as if they were attached to the same broadcast domain, regardless of their physical location. A VLAN has the same attributes as a physical local area network (LAN), but it allows for end stations to be grouped together even if they are not located on the same network switch. VLAN membership can be configured through software instead of physically relocating devices or connections.
To physically replicate the functions of a VLAN, it would be necessary to install a separate, parallel collection of network cables and equipment which are kept separate from the primary network. However, unlike a physically separate network, VLANs must share bandwidth; two separate one-gigabit VLANs using a single one-gigabit interconnection can suffer both reduced throughput and congestion. A VLAN-aware switch virtualizes this behaviour: it configures ports as VLAN members, tags frames as they enter a VLAN, looks up its MAC table to switch or flood frames onto trunk links, and removes the tag as frames leave the VLAN.
Uses
VLANs are created to provide the segmentation services traditionally provided by routers in LAN configurations. VLANs address issues such as scalability, security, and network management. Routers in VLAN topologies provide broadcast filtering, security, address summarization, and traffic flow management. By definition, switches may not bridge IP traffic between VLANs, as doing so would violate the integrity of the VLAN broadcast domain.
VLANs are also useful if someone wants to create multiple layer 3 networks on the same layer 2 switch. For example, if a DHCP server is plugged into a switch, it will serve any host on that switch that is configured to get its IP address from a DHCP server. By using VLANs you can easily split the network up so that some hosts will not use that DHCP server and will instead obtain link-local addresses, or obtain an address from a different DHCP server.
VLANs are layer 2 constructs, compared with IP subnets which are layer 3 constructs. In an environment employing VLANs, a one-to-one relationship often exists between VLANs and IP subnets, although it is possible to have multiple subnets on one VLAN. VLANs and IP subnets provide independent Layer 2 and Layer 3 constructs that map to one another, and this correspondence is useful during the network design process.
By using VLANs, one can control traffic patterns and react quickly to relocations. VLANs provide the flexibility to adapt to changes in network requirements and allow for simplified administration.
History
After successful experiments with voice over Ethernet from 1981 to 1984, Dr. W. David Sincoskie joined Bellcore and turned to the problem of scaling up Ethernet networks. At 10 Mbit/s, Ethernet was faster than most alternatives of the time; however, Ethernet was a broadcast network and there was not a good way of connecting multiple Ethernets together. This limited the total bandwidth of an Ethernet network to 10 Mbit/s and the maximum distance between any two nodes to a few hundred feet.
By contrast, the existing telephone network's peak speed for individual connections was limited to 56 kbit/s, less than one hundredth the speed of Ethernet, but the total bandwidth of the network was estimated to be a terabit, capable of moving over a hundred thousand times more information.
IP routing could be used to connect multiple Ethernet networks together; however, the VAX-11/780 computers commonly used as routers cost $400,000 each and their total throughput was significantly less than Ethernet speeds. Sincoskie started looking for alternatives that required less processing per packet. In the process he independently reinvented the self-learning Ethernet switch.
However, using switches to connect multiple Ethernet networks requires a spanning tree configuration. This means that there is exactly one path from any source address to any destination. This causes centrally located switches to become bottlenecks, which limits scalability as more networks are interconnected.
To help alleviate this problem, Sincoskie invented VLANs by adding a tag to each Ethernet packet. These tags could be thought of as colors, say red, green, or blue. Then each switch could be assigned to handle packets of a single color, and ignore the rest. The networks could be interconnected with three different spanning trees: a red spanning tree, a green spanning tree, and a blue spanning tree. By sending a mix of different packet colors, the aggregate bandwidth could be improved. Sincoskie referred to this as a multitree bridge. With the help of Chase Cotton, the two created and refined the algorithms (called the Extended Bridge Algorithms for Large Networks) necessary to make the system feasible.
This "color" is what is now known in the Ethernet frame as the 802.1Q header, or the VLAN tag. While VLANs are commonly used in modern Ethernet networks, using them for the original purpose would be rather unusual.
Implementation
A basic switch not configured for VLANs will either have VLAN functionality disabled, or will have it permanently enabled with what is known as a default VLAN, which simply contains all ports on the device as members. Configuration of the first custom VLAN port group usually involves subtracting ports from the default VLAN, such that the first custom group of VLAN ports is actually the second VLAN on the device, apart from the default VLAN. The default VLAN typically has an ID of 1.
If a VLAN port group exists on only one device, all ports that are members of the VLAN group need only be "untagged". It is only when the port group is to extend to another device that tagging is used. For communications to occur from switch to switch, an uplink port needs to be a tagged member of every VLAN on the switch that uses that uplink port, including the default VLAN.
Some switches either allow or require a name to be created for the VLAN, but it is only the VLAN group number that is significant from one switch to the next.
Where a VLAN group is simply to pass through an intermediate switch via two pass-through ports, only those two ports need to be members of the VLAN, and they are tagged to pass both the required VLAN and the default VLAN on the intermediate switch.
Management of the switch requires that the management functions be associated with one of the configured VLANs. If the default VLAN were deleted or renumbered without moving the management to a different VLAN first, it is possible to be locked out of the switch configuration, requiring a forced clearing of the device configuration to regain control.
Switches typically have no built-in method to indicate VLAN port members to someone working in a wiring closet. It is necessary for a technician either to have management access to the device to view its configuration, or for VLAN port assignment charts or diagrams to be kept next to the switches in each wiring closet. These charts must be manually updated by the technical staff whenever port membership changes are made to the VLANs.
Remote configuration of VLANs presents several opportunities for a technician to accidentally cut off communications and lock themselves out of the devices they are attempting to configure. Actions such as subdividing the default VLAN by splitting off the switch uplink ports into a separate new VLAN can suddenly cut off all remote communication, requiring the technician to physically visit the device in the distant location to continue the configuration process.
Motivation
In a legacy network, users were assigned to networks based on geography and were limited by physical topologies and distances. VLANs can logically group networks so that the network location of users is no longer so tightly coupled to their physical location. Technologies able to implement VLANs are:
- Asynchronous Transfer Mode (ATM)
- Fiber Distributed Data Interface (FDDI)
- Ethernet
- Fast Ethernet
- Gigabit Ethernet
- 10 Gigabit Ethernet
- HiperSockets
Protocols and design
The protocol most commonly used today in configuring VLANs is IEEE 802.1Q. The IEEE committee defined this method of multiplexing VLANs in an effort to provide multivendor VLAN support. Prior to the introduction of the 802.1Q standard, several proprietary protocols existed, such as Cisco's ISL (Inter-Switch Link) and 3Com's VLT (Virtual LAN Trunk). Cisco also implemented VLANs over FDDI by carrying VLAN information in an IEEE 802.10 frame header, contrary to the purpose of the IEEE 802.10 standard.
Both ISL and IEEE 802.1Q tagging perform "explicit tagging": the frame itself is tagged with VLAN information. ISL uses an external tagging process that does not modify the existing Ethernet frame, while 802.1Q uses a frame-internal field for tagging, and so does modify the Ethernet frame. This internal tagging is what allows IEEE 802.1Q to work on both access and trunk links: frames are standard Ethernet, and so can be handled by commodity hardware.
The IEEE 802.1Q header contains a 4-byte tag header containing a 2-byte tag protocol identifier (TPID) and a 2-byte tag control information (TCI). The TPID has a fixed value of 0x8100 that indicates that the frame carries the 802.1Q/802.1p tag information. The TCI contains the following elements:
- Three-bit user priority
- One-bit canonical format indicator (CFI)
- Twelve-bit VLAN identifier (VID), which uniquely identifies the VLAN to which the frame belongs
The 802.1Q standard can create an interesting scenario on the network. Recalling that the maximum size for an Ethernet frame as specified by IEEE 802.3 is 1518 bytes, this means that if a maximum-sized Ethernet frame gets tagged, the frame size will be 1522 bytes, a number that violates the IEEE 802.3 standard. To resolve this issue, the 802.3 committee created a subgroup called 802.3ac to extend the maximum Ethernet frame size to 1522 bytes. Some network devices that do not support a larger frame size will process the frame successfully but may report these anomalies as a "baby giant."
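As an added example (not code from the original article), the following Python parses and inserts the 4-byte 802.1Q tag described above, splits the TCI into its three fields, and applies two checks a defender would derive from this section: the 1518/1522 "baby giant" size rule, and a tagged frame arriving on a port that the administrator configured as an untagged access port. The sample frame bytes, the 4-byte FCS placeholder and the "access"/"trunk" port-role labels are constructed assumptions, not any vendor's configuration format.

```python
"""802.1Q tag handling for the header layout and frame sizes described above.

Added example, not part of the original article. The sample frame bytes, the
4-byte FCS placeholder and the "access"/"trunk" port-role labels are
constructed for illustration only.
"""
import struct

TPID_8021Q = 0x8100       # fixed TPID value that marks an 802.1Q/802.1p tag
MAX_8023_FRAME = 1518     # IEEE 802.3 maximum frame size (header through FCS)
MAX_8023AC_FRAME = 1522   # 802.3ac extension to make room for one 4-byte tag


def parse_tag(frame):
    """Return (priority, cfi, vid, inner_ethertype) for a tagged frame, else None.

    The tag follows the two 6-byte MAC addresses: a 2-byte TPID, then the
    2-byte TCI laid out as 3-bit user priority | 1-bit CFI | 12-bit VID.
    """
    if len(frame) < 18:
        return None
    tpid, tci, ethertype = struct.unpack("!HHH", frame[12:18])
    if tpid != TPID_8021Q:
        return None
    priority = tci >> 13
    cfi = (tci >> 12) & 0x1
    vid = tci & 0x0FFF
    return priority, cfi, vid, ethertype


def insert_tag(frame, vid, priority=0, cfi=0):
    """Insert a tag into an untagged frame, as a trunk port does on egress."""
    if not (0 <= vid <= 0xFFF and 0 <= priority <= 7 and cfi in (0, 1)):
        raise ValueError("802.1Q field out of range")
    tci = (priority << 13) | (cfi << 12) | vid
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def strip_tag(frame):
    """Remove the tag, as an access port does on egress; untagged frames pass unchanged."""
    return frame[:12] + frame[16:] if parse_tag(frame) else frame


def check_ingress(frame, port_role):
    """Findings for a frame received on a port whose role is "access" or "trunk".

    An access port is expected to carry untagged frames only (see the text on
    tagged and untagged membership), so a tagged frame there is worth logging.
    The size findings follow the 1518/1522 rule from the 802.3ac discussion.
    """
    findings = []
    if parse_tag(frame) and port_role == "access":
        findings.append("tagged frame on access port")
    if len(frame) > MAX_8023AC_FRAME:
        findings.append("oversize frame")
    elif len(frame) > MAX_8023_FRAME:
        findings.append("baby giant")
    return findings


def make_untagged_frame(payload_len, ethertype=0x0800):
    """Constructed sample frame: dst MAC, src MAC, EtherType, payload, FCS placeholder."""
    dst = bytes.fromhex("ffffffffffff")
    src = bytes.fromhex("020000000001")
    return dst + src + struct.pack("!H", ethertype) + bytes(payload_len) + b"\x00" * 4


if __name__ == "__main__":
    frame = make_untagged_frame(1500)            # 14 + 1500 + 4 = 1518 bytes
    tagged = insert_tag(frame, vid=100, priority=5)
    print(len(frame), len(tagged), parse_tag(tagged))
    print(check_ingress(tagged, "trunk"), check_ingress(tagged, "access"))
```

Tagging a maximum-sized 1518-byte frame yields exactly 1522 bytes, which `check_ingress` reports as a baby giant on a trunk; the same frame seen on an access port additionally triggers the tagged-on-access finding, since access ports are defined above as untagged members.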
Inter-Switch Link (ISL) is a Cisco proprietary protocol used to interconnect multiple switches and maintain VLAN information as traffic travels between switches on trunk links. This technology provides one method for multiplexing bridge groups (VLANs) over a high-speed backbone. It is defined for Fast Ethernet and Gigabit Ethernet, as is IEEE 802.1Q. ISL has been available on Cisco routers since Cisco IOS Software Release 11.1.
With ISL, an Ethernet frame is encapsulated with a header that transports VLAN IDs between switches and routers. ISL does add overhead to the packet as a 26-byte header containing a 10-bit VLAN ID. In addition, a 4-byte CRC is appended to the end of each frame. This CRC is in addition to any frame checking that the Ethernet frame requires. The fields in an ISL header identify the frame as belonging to a particular VLAN.
A VLAN ID is added only if the frame is forwarded out a port configured as a trunk link. If the frame is to be forwarded out a port configured as an access link, the ISL encapsulation is removed.
Early network designers often configured VLANs with the aim of reducing the size of the collision domain in a large single Ethernet segment and thus improving performance. When Ethernet switches made this a non-issue (because each switch port is a collision domain), attention turned to reducing the size of the broadcast domain at the MAC layer. VLANs can also serve to restrict access to network resources without regard to the physical topology of the network, although the strength of this method remains debatable, as VLAN hopping is a common means of bypassing such security measures.
VLANs operate at Layer 2 (the data link layer) of the OSI model. Administrators often configure a VLAN to map directly to an IP network, or subnet, which gives the appearance of involving Layer 3 (the network layer). In the context of VLANs, the term "trunk" denotes a network link carrying multiple VLANs, which are identified by labels (or "tags") inserted into their packets. Such trunks must run between "tagged ports" of VLAN-aware devices, so they are often switch-to-switch or switch-to-router links rather than links to hosts. (Note that the term "trunk" is also used for what Cisco calls "channels": Link Aggregation or Port Trunking.) A router (Layer 3 device) serves as the backbone for network traffic going across different VLANs.
VTP minimizes the possible configuration inconsistencies that arise when changes are made. These inconsistencies can result in security violations, because VLANs can cross connect when duplicate names are used. They also could become internally disconnected when they are mapped from one LAN type to another, for example, Ethernet to ATM LANE ELANs or FDDI 802.10 VLANs. VTP provides a mapping scheme that enables seamless trunking within a network employing mixed-media technologies.
VTP provides the following benefits:
As beneficial as VTP can be, it does have disadvantages, which are normally related to the spanning tree protocol (STP), as a bridging loop propagating throughout the network can occur. Cisco switches run an instance of STP for each VLAN, and since VTP propagates VLANs across the campus LAN, VTP effectively creates more opportunities for a bridging loop to occur.
Before creating VLANs on the switch that will be propagated via VTP, a VTP domain must first be set up. A VTP domain for a network is a set of all contiguously trunked switches with the same VTP domain name. All switches in the same management domain share their VLAN information with each other, and a switch can participate in only one VTP management domain. Switches in different domains do not share VTP information.
Using VTP, each Catalyst Family Switch advertises the following on its trunk ports:
Static VLANs are also referred to as port-based VLANs. Static VLAN assignments are created by assigning ports to a VLAN. As a device enters the network, the device automatically assumes the VLAN of the port. If the user changes ports and needs access to the same VLAN, the network administrator must manually make a port-to-VLAN assignment for the new connection.
Dynamic VLANs are created through the use of software. With a VLAN Management Policy Server (VMPS), an administrator can assign switch ports to VLANs dynamically based on information such as the source MAC address of the device connected to the port or the username used to log onto that device. As a device enters the network, the device queries a database for VLAN membership.
Essentially, the user segregates or forwards the traffic of a particular protocol from a port by using protocol-based VLANs; traffic from any other protocol is not forwarded on the port.
For example, suppose a host generating ARP traffic is connected to port 10 of the switch, a LAN generating IPX traffic to port 20, and a router generating IP traffic to port 30. If you define a protocol-based VLAN supporting IP that includes all three ports 10, 20 and 30, then IP packets can be forwarded to ports 10 and 20 as well, but ARP traffic will not be forwarded to ports 20 and 30, and similarly IPX traffic will not be forwarded to ports 10 and 30.
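The forwarding rule in the three-port example above, worked through in Python as an added example that is not part of the original article. It goes one step beyond the text by adding a second, IPX protocol VLAN on ports 20 and 40 to show that the same rule applies to every protocol VLAN at once, and it looks past an 802.1Q tag to classify on the carried protocol. The switch model, the port numbers beyond those in the text and the sample frames are constructed; the EtherType numbers are the standard registered values for IP, ARP and IPX.

```python
"""Forwarding decision of protocol-based VLANs, modelled on the three-port example.

Added example, not part of the original article. The switch model, the IPX
VLAN on ports 20 and 40, and the sample frames are constructed for illustration.
"""
import struct

ETHERTYPE_IP = 0x0800
ETHERTYPE_ARP = 0x0806
ETHERTYPE_IPX = 0x8137
TPID_8021Q = 0x8100


class ProtocolVlanSwitch:
    """A port belongs to a protocol-based VLAN only for the protocols that VLAN lists."""

    def __init__(self):
        self.vlans = {}      # vid -> (frozenset of EtherTypes, frozenset of ports)
        self.dropped = []    # (ingress_port, ethertype) of frames no VLAN admitted

    def add_protocol_vlan(self, vid, ethertypes, ports):
        self.vlans[vid] = (frozenset(ethertypes), frozenset(ports))

    @staticmethod
    def payload_ethertype(frame):
        """EtherType of the carried protocol, looking past an 802.1Q tag if present."""
        (ethertype,) = struct.unpack("!H", frame[12:14])
        if ethertype == TPID_8021Q:
            (ethertype,) = struct.unpack("!H", frame[16:18])
        return ethertype

    def classify(self, ingress_port, ethertype):
        """VID of the VLAN whose protocol list and port list both match, else None."""
        for vid, (protos, ports) in self.vlans.items():
            if ethertype in protos and ingress_port in ports:
                return vid
        return None

    def flood_ports(self, ingress_port, frame):
        """Ports a broadcast or unknown-destination frame is flooded to.

        A frame whose protocol is not admitted on its ingress port is dropped
        and recorded for logging; an admitted frame goes to every other member
        port of the matching VLAN, never back out the port it arrived on.
        """
        ethertype = self.payload_ethertype(frame)
        vid = self.classify(ingress_port, ethertype)
        if vid is None:
            self.dropped.append((ingress_port, ethertype))
            return set()
        return set(self.vlans[vid][1]) - {ingress_port}


def make_frame(ethertype, payload=b"\x00" * 46):
    """Constructed broadcast frame: dst MAC, src MAC, EtherType, payload."""
    header = bytes.fromhex("ffffffffffff") + bytes.fromhex("020000000001")
    return header + struct.pack("!H", ethertype) + payload


def make_tagged_frame(vid, ethertype, payload=b"\x00" * 46):
    """Constructed 802.1Q-tagged broadcast frame carrying the given protocol."""
    return make_frame(TPID_8021Q, struct.pack("!HH", vid & 0x0FFF, ethertype) + payload)


def build_example_switch():
    """The article's scenario (IP VLAN on ports 10, 20, 30) plus a constructed IPX VLAN."""
    sw = ProtocolVlanSwitch()
    sw.add_protocol_vlan(100, [ETHERTYPE_IP], [10, 20, 30])
    sw.add_protocol_vlan(200, [ETHERTYPE_IPX], [20, 40])
    return sw


if __name__ == "__main__":
    sw = build_example_switch()
    print("IP from port 30 ->", sorted(sw.flood_ports(30, make_frame(ETHERTYPE_IP))))
    print("ARP from port 10 ->", sorted(sw.flood_ports(10, make_frame(ETHERTYPE_ARP))))
    print("IPX from port 20 ->", sorted(sw.flood_ports(20, make_frame(ETHERTYPE_IPX))))
    print("dropped:", sw.dropped)
```

The drop list is the part a defender cares about: every frame whose protocol is not admitted on its ingress port is recorded with the port and EtherType, which is exactly the evidence needed to spot a host speaking a protocol its port was never meant to carry.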
IEEE approves the use of such a mechanism in par 6.11 of IEEE 802.1ad-2005.
Broadcast domain
A broadcast domain is a logical division of a computer network, in which all nodes can reach each other by broadcast at the data link layer. A broadcast domain can be within the same LAN segment or it can be bridged to other LAN segments....
, regardless of their physical location. A VLAN has the same attributes as a physical local area network
Local area network
A local area network is a computer network that interconnects computers in a limited area such as a home, school, computer laboratory, or office building...
(LAN), but it allows for end stations to be grouped together even if they are not located on the same network switch
Network switch
A network switch or switching hub is a computer networking device that connects network segments.The term commonly refers to a multi-port network bridge that processes and routes data at the data link layer of the OSI model...
. VLAN membership can be configured through software instead of physically relocating devices or connections.
To physically replicate the functions of a VLAN, it would be necessary to install a separate, parallel collection of network cables and equipment which are kept separate from the primary network. However, unlike a physically separate network, VLANs must share bandwidth; two separate one-gigabit VLANs using a single one-gigabit interconnection can suffer both reduced throughput and congestion. It virtualizes VLAN behaviors (configuring switch ports, tagging frames when entering VLAN, lookup MAC table to switch/flood frames to trunk links, and untagging when exit from VLAN.)
Uses
VLANs are created to provide the segmentation services traditionally provided by routers in LAN configurations. VLANs address issues such as scalability, security, and network management. Routers in VLAN topologies provide broadcast filtering, security, address summarization, and traffic flow management. By definition, switches may not bridge IP traffic between VLANs as it would violate the integrity of the VLAN broadcast domain.This is also useful if someone wants to create multiple layer 3 networks on the same layer 2 switch. For example, if a DHCP
Dynamic Host Configuration Protocol
The Dynamic Host Configuration Protocol is a network configuration protocol for hosts on Internet Protocol networks. Computers that are connected to IP networks must be configured before they can communicate with other hosts. The most essential information needed is an IP address, and a default...
server is plugged into a switch it will serve any host on that switch that is configured to get its IP from a DHCP server. By using VLANs you can easily split the network up so some hosts won't use that DHCP server and will obtain link-local address
Link-local address
A link-local address is an Internet Protocol address that is intended only for communications within the segment of a local network or a point-to-point connection that a host is connected to. Routers do not forward packets with link-local addresses....
es, or obtain an address from a different DHCP server.
VLANs are layer 2 constructs, compared with IP subnets which are layer 3 constructs. In an environment employing VLANs, a one-to-one relationship often exists between VLANs and IP subnets, although it is possible to have multiple subnets on one VLAN. VLANs and IP subnets provide independent Layer 2 and Layer 3 constructs that map to one another and this correspondence is useful during the network design process.
By using VLANs, one can control traffic patterns and react quickly to relocations. VLANs provide the flexibility to adapt to changes in network requirements and allow for simplified administration.
History
After successful experiments with voice over Ethernet from 1981 to 1984, Dr. W. David SincoskieW. David Sincoskie
Walter David "Dave" Sincoskie was an American computer engineer. Sincoskie installed the first ethernet local area network at Bellcore, and helped invent voice over IP technology. Sincoskie authored the first local ATM specification...
joined Bellcore
Telcordia Technologies
Telcordia Technologies, formerly Bell Communications Research, Inc. or Bellcore, is a telecommunications research and development company based in the United States created as part of the 1982 Modification of Final Judgment that broke up American Telephone & Telegraph...
and turned to the problem of scaling up Ethernet networks. At 10 Mbit/s, Ethernet was faster than most alternatives of the time; however, Ethernet was a broadcast network and there was not a good way of connecting multiple Ethernets together. This limited the total bandwidth of an Ethernet network to 10 Mbit/s and the maximum distance between any two nodes to a few hundred feet.
By contrast, the existing telephone network's peak speed for individual connections was limited to 56 kbit/s, less than one hundredth the speed of Ethernet, but the total bandwidth of the network was estimated to be a terabit, capable of moving over a hundred thousand times more information.
IP
Internet Protocol
The Internet Protocol is the principal communications protocol used for relaying datagrams across an internetwork using the Internet Protocol Suite...
routing
Routing
Routing is the process of selecting paths in a network along which to send network traffic. Routing is performed for many kinds of networks, including the telephone network , electronic data networks , and transportation networks...
could be used to connect multiple Ethernet networks together; however, the VAX-11/780 computers commonly used as routers cost $400,000 each and their total throughput was significantly less than Ethernet speeds. Sincoskie started looking for alternatives that required less processing per packet. In the process he independently reinvented the self-learning ethernet switch
Network switch
A network switch or switching hub is a computer networking device that connects network segments.The term commonly refers to a multi-port network bridge that processes and routes data at the data link layer of the OSI model...
.
However, using switches to connect multiple Ethernet networks requires a spanning tree
Spanning tree
Spanning tree can refer to:* Spanning tree , a tree which contains every vertex of a more general graph* Spanning tree protocol, a protocol for finding spanning trees in bridged networks...
configuration. This means that there is exactly one path from any source address to any destination. This causes centrally-located switches to become bottlenecks, which limits scalability as more networks are interconnected.
To help alleviate this problem, Sincoskie invented VLANs by adding a tag to each Ethernet packet. These tags could be thought of as colors, say red, green, or blue. Then each switch could be assigned to handle packets of a single color, and ignore the rest. The networks could be interconnected with three different spanning trees: a red spanning tree, a green spanning tree, and a blue spanning tree. By sending a mix of different packet colors, the aggregate bandwidth could be improved. Sincoskie referred to this as a multitree bridge. With the help of Chase Cotton, the two created and refined the algorithms (called the Extended Bridge Algorithms for Large Networks) necessary to make the system feasible.
This "color" is what is now known in the Ethernet frame as the 802.1Q header, or the VLAN tag. While VLANs are commonly used in modern Ethernet networks, using them for the original purpose would be rather unusual.
Implementation
A basic switch not configured for VLANs will either have VLAN functionality disabled, or will have it permanently enabled with what is known as a default VLAN which simply contains all ports on the device as members.Configuration of the first custom VLAN port group usually involves subtracting ports from the default VLAN, such that the first custom group of VLAN ports is actually the second VLAN on the device, apart from the default VLAN. The default VLAN typically has an ID of 1.
If a VLAN port group were to only exist on the one device, all ports that are members of the VLAN group only need to be "untagged". It is only when the port group is to extend to another device that tagging is used. For communications to occur from switch to switch, an uplink port needs to be a tagged member of every VLAN on the switch that uses that uplink port, including the default VLAN.
Some switches either allow or require a name be created for the VLAN, but it is only the VLAN group number that is important from one switch to the next.
Where a VLAN group is to simply pass through an intermediate switch via two pass-through ports, only the two ports need to be a member of the VLAN, and are tagged to pass both the required VLAN and the default VLAN on the intermediate switch.
Management of the switch requires that the management functions be associated with one of the configured VLANs. If the default VLAN were deleted or renumbered without moving the management to a different VLAN first, it is possible to be locked out of the switch configuration, requiring a forced clearing of the device configuration to regain control.
Switches typically have no built-in method to indicate VLAN port members to someone working in a wiring closet. It is necessary for a technician to either have management access to the device to view its configuration, or for VLAN port assignment charts or diagrams to be kept next to the switches in each wiring closet. These charts must be manually updated by the technical staff whenever port membership changes are made to the VLANs.
Remote configuration of VLANs presents several opportunities for a technician to accidentally cut off communications and lock themselves out of the devices they are attempting to configure. Actions such as subdividing the default VLAN by splitting off the switch uplink ports into a separate new VLAN can suddenly cut off all remote communication, requiring the technician to physically visit the device in the distant location to continue the configuration process.
Motivation
In a legacy network, users were assigned to networks based on geography and were limited by physical topologies and distances. VLANs can logically group networks so that the network location of users is no longer so tightly coupled to their physical location. Technologies able to implement VLANs are:- Asynchronous Transfer Mode (ATM)Asynchronous Transfer ModeAsynchronous Transfer Mode is a standard switching technique designed to unify telecommunication and computer networks. It uses asynchronous time-division multiplexing, and it encodes data into small, fixed-sized cells. This differs from approaches such as the Internet Protocol or Ethernet that...
- Fiber Distributed Data Interface (FDDI)Fiber Distributed Data InterfaceFiber Distributed Data Interface provides a 100 Mbit/s optical standard for data transmission in a local area network that can extend in range up to . Although FDDI logical topology is a ring-based token network, it does not use the IEEE 802.5 token ring protocol as its basis; instead, its...
- EthernetEthernetEthernet is a family of computer networking technologies for local area networks commercially introduced in 1980. Standardized in IEEE 802.3, Ethernet has largely replaced competing wired LAN technologies....
- Fast EthernetFast EthernetIn computer networking, Fast Ethernet is a collective term for a number of Ethernet standards that carry traffic at the nominal rate of 100 Mbit/s, against the original Ethernet speed of 10 Mbit/s. Of the fast Ethernet standards 100BASE-TX is by far the most common and is supported by the...
- Gigabit EthernetGigabit EthernetGigabit Ethernet is a term describing various technologies for transmitting Ethernet frames at a rate of a gigabit per second , as defined by the IEEE 802.3-2008 standard. It came into use beginning in 1999, gradually supplanting Fast Ethernet in wired local networks where it performed...
- 10 Gigabit Ethernet10 Gigabit EthernetThe 10 gigabit Ethernet computer networking standard was first published in 2002. It defines a version of Ethernet with a nominal data rate of 10 Gbit/s , ten times faster than gigabit Ethernet.10 gigabit Ethernet defines only full duplex point to point links which are generally connected by...
- HiperSockets
Protocols and design
The protocol most commonly used today in configuring VLANs is IEEE 802.1QIEEE 802.1Q
IEEE 802.1Q is the networking standard that supports Virtual LANs on an Ethernet network. The standard defines a system of VLAN tagging for Ethernet frames and the accompanying procedures to be used by bridges and switches in handling such frames...
. The IEEE committee defined this method of multiplexing VLANs in an effort to provide multivendor VLAN support. Prior to the introduction of the 802.1Q standard, several proprietary protocols existed, such as Cisco
Cisco Systems
Cisco Systems, Inc. is an American multinational corporation headquartered in San Jose, California, United States, that designs and sells consumer electronics, networking, voice, and communications technology and services. Cisco has more than 70,000 employees and annual revenue of US$...
's ISL
Cisco Inter-Switch Link
Cisco Inter-Switch Link is a Cisco Systems proprietary protocol that maintains VLAN information in Ethernet frames as traffic flows between switches and routers, or switches and switches....
(Inter-Switch Link) and 3Com
3Com
3Com was a pioneering digital electronics manufacturer best known for its computer network infrastructure products. The company was co-founded in 1979 by Robert Metcalfe, Howard Charney, Bruce Borden, and Greg Shaw...
's VLT (Virtual LAN Trunk). Cisco also implemented VLANs over FDDI by carrying VLAN information in an IEEE 802.10
IEEE 802.10
IEEE 802.10 is a former standard for security functions that could be used in both local area networks and metropolitan area networks based on IEEE 802 protocols....
frame header, contrary to the purpose of the IEEE 802.10
IEEE 802.10
IEEE 802.10 is a former standard for security functions that could be used in both local area networks and metropolitan area networks based on IEEE 802 protocols....
standard.
Both ISL and IEEE 802.1Q tagging perform "explicit tagging" - the frame itself is tagged with VLAN information. ISL uses an external tagging process that does not modify the existing Ethernet frame, while 802.1Q uses a frame-internal field for tagging, and so does modify the Ethernet frame. This internal tagging is what allows IEEE 802.1Q to work on both access and trunk links: frames are standard Ethernet, and so can be handled by commodity hardware.
The IEEE 802.1Q header contains a 4-byte tag header containing a 2-byte tag protocol identifier (TPID) and a 2-byte tag control information (TCI). The TPID has a fixed value of 0x8100 that indicates that the frame carries the 802.1Q/802.1p tag information. The TCI contains the following elements:
- Three-bit user priority
- One-bit canonical format indicator (CFI)
- Twelve-bit VLAN identifier (VID)-Uniquely identifies the VLAN to which the frame belongs
The 802.1Q standard can create an interesting scenario on the network. Recalling that the maximum size for an Ethernet frame as specified by IEEE 802.3 is 1518 bytes, this means that if a maximum-sized Ethernet frame gets tagged, the frame size will be 1522 bytes, a number that violates the IEEE 802.3 standard. To resolve this issue, the 802.3 committee created a subgroup called 802.3ac to extend the maximum Ethernet size to 1522 bytes. Some network devices that do not support a larger frame size will process the frame successfully but may report these anomalies as a "baby giant."
Inter-Switch Link (ISL) is a Cisco proprietary protocol used to interconnect multiple switches and maintain VLAN information as traffic travels between switches on trunk links. This technology provides one method for multiplexing bridge groups (VLANs) over a high-speed backbone. It is defined for Fast Ethernet and Gigabit Ethernet, as is IEEE 802.1Q. ISL has been available on Cisco routers since Cisco IOS Software Release 11.1.
With ISL, an Ethernet frame is encapsulated with a header that transports VLAN IDs between switches and routers. ISL does add overhead to the packet as a 26-byte header containing a 10-bit VLAN ID. In addition, a 4-byte CRC is appended to the end of each frame. This CRC is in addition to any frame checking that the Ethernet frame requires. The fields in an ISL header identify the frame as belonging to a particular VLAN.
A VLAN ID is added only if the frame is forwarded out a port configured as a trunk link. If the frame is to be forwarded out a port configured as an access link, the ISL encapsulation is removed.
Early network designers often configured VLANs with the aim of reducing the size of the collision domain in a large single Ethernet segment and thus improving performance. When Ethernet switches made this a non-issue (because each switch port is a collision domain), attention turned to reducing the size of the broadcast domain at the MAC layer. VLANs can also serve to restrict access to network resources without regard to the physical topology of the network, although the strength of this method remains debatable, as VLAN hopping is a common means of bypassing such security measures.
VLANs operate at Layer 2 (the data link layer) of the OSI model. Administrators often configure a VLAN to map directly to an IP network, or subnet, which gives the appearance of involving Layer 3 (the network layer). In the context of VLANs, the term "trunk" denotes a network link carrying multiple VLANs, which are identified by labels (or "tags") inserted into their packets. Such trunks must run between "tagged ports" of VLAN-aware devices, so they are often switch-to-switch or switch-to-router links rather than links to hosts. (Note that the term "trunk" is also used for what Cisco calls "channels": link aggregation or port trunking.) A router (Layer 3 device) serves as the backbone for network traffic going across different VLANs.
Cisco VLAN Trunking Protocol (VTP)
On Cisco devices, VTP (VLAN Trunking Protocol) maintains VLAN configuration consistency across the entire network. VTP uses Layer 2 trunk frames to manage the addition, deletion, and renaming of VLANs on a network-wide basis from a centralized switch in VTP server mode. VTP is responsible for synchronizing VLAN information within a VTP domain and reduces the need to configure the same VLAN information on each switch. VTP minimizes the possible configuration inconsistencies that arise when changes are made. These inconsistencies can result in security violations, because VLANs can cross connect when duplicate names are used. They also could become internally disconnected when they are mapped from one LAN type to another, for example, Ethernet to ATM LANE ELANs or FDDI 802.10 VLANs. VTP provides a mapping scheme that enables seamless trunking within a network employing mixed-media technologies.
VTP provides the following benefits:
- VLAN configuration consistency across the network
- Mapping scheme that allows a VLAN to be trunked over mixed media
- Accurate tracking and monitoring of VLANs
- Dynamic reporting of added VLANs across the network
- Plug-and-play configuration when adding new VLANs
As beneficial as VTP can be, it does have disadvantages that are normally related to the Spanning Tree Protocol (STP), as a bridging loop propagating throughout the network can occur. Cisco switches run an instance of STP for each VLAN, and since VTP propagates VLANs across the campus LAN, VTP effectively creates more opportunities for a bridging loop to occur.
Before creating VLANs on the switch that will be propagated via VTP, a VTP domain must first be set up. A VTP domain for a network is a set of all contiguously trunked switches with the same VTP domain name. All switches in the same management domain share their VLAN information with each other, and a switch can participate in only one VTP management domain. Switches in different domains do not share VTP information.
Using VTP, each Catalyst Family Switch advertises the following on its trunk ports:
- Management domain
- Configuration revision number
- Known VLANs and their specific parameters
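The advertisement exchange described above, as an added example that is not Cisco's code: a switch accepts a VTP advertisement only from its own domain and only when the configuration revision number is higher than its own, which is the standard VTP rule. Switch names, domain names and VLAN tables are constructed for illustration.

```python
# Added example (not from the article or Cisco): minimal model of a switch
# processing a VTP advertisement (domain, revision number, known VLANs).
from dataclasses import dataclass, field


@dataclass
class VtpAdvertisement:
    domain: str
    revision: int
    vlans: dict  # VLAN ID -> VLAN name


@dataclass
class Switch:
    name: str
    domain: str
    revision: int = 0
    vlans: dict = field(default_factory=dict)

    def receive(self, adv):
        """Apply an advertisement; return True if the VLAN table changed."""
        if adv.domain != self.domain:
            return False  # switches in different domains share nothing
        if adv.revision <= self.revision:
            return False  # stale or duplicate advertisement
        # Highest revision wins, so a switch joining a domain should carry a
        # lower revision than the server or it will overwrite the domain.
        self.revision, self.vlans = adv.revision, dict(adv.vlans)
        return True

    def advertise(self):
        return VtpAdvertisement(self.domain, self.revision, dict(self.vlans))


def propagate(server, neighbours):
    """Send the server's advertisement out every trunk; report who changed."""
    adv = server.advertise()
    return {n.name: n.receive(adv) for n in neighbours}


def demo():
    """Constructed scenario: a server at revision 3 updates a same-domain
    client at revision 1 and is ignored by a switch in another domain."""
    server = Switch("s1", "campus", 3, {10: "eng", 20: "sales"})
    client = Switch("c1", "campus", 1, {10: "eng"})
    other = Switch("o1", "other", 0)
    changed = propagate(server, [client, other])
    return changed, client.vlans, client.revision, other.vlans
```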
Establishing VLAN memberships
The two common approaches to assigning VLAN membership are as follows:
- Static VLANs
- Dynamic VLANs
Static VLANs are also referred to as port-based VLANs. Static VLAN assignments are created by assigning ports to a VLAN. As a device enters the network, the device automatically assumes the VLAN of the port. If the user changes ports and needs access to the same VLAN, the network administrator must manually make a port-to-VLAN assignment for the new connection.
Dynamic VLANs are created through the use of software. With a VLAN Management Policy Server (VMPS), an administrator can assign switch ports to VLANs dynamically based on information such as the source MAC address of the device connected to the port or the username used to log onto that device. As a device enters the network, the device queries a database for VLAN membership.
Protocol Based VLANs
In a switch with protocol-based VLANs enabled, traffic is forwarded through ports based on protocol. Essentially, the user segregates or forwards the traffic of a particular protocol from a port using a protocol-based VLAN; traffic from any other protocol is not forwarded on the port.
For example, suppose a host sending ARP traffic is connected to port 10 of the switch, a LAN carrying IPX traffic is connected to port 20, and a router sending IP traffic is connected to port 30. If you define a protocol-based VLAN supporting IP that includes all three ports 10, 20 and 30, then IP packets can be forwarded to ports 10 and 20 as well, but ARP traffic will not be forwarded to ports 20 and 30, and similarly IPX traffic will not be forwarded to ports 10 and 30.
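The forwarding decision from the example above, as an added illustration that is not part of the original article: a flooded frame is only delivered within a protocol VLAN that carries its EtherType and contains the ingress port. The port numbers and the single IP VLAN mirror the scenario in the text; the EtherType values are the standard IEEE assignments.

```python
# Added example (not from the article): forwarding decision of a switch with
# protocol-based VLANs, using the text's ports 10, 20 and 30 and a single
# protocol VLAN that carries IP only.

ETHERTYPES = {"IP": 0x0800, "ARP": 0x0806, "IPX": 0x8137}

# Protocol-based VLAN table: each VLAN lists the EtherTypes it carries and its
# member ports. Only an IP VLAN is defined, as in the article's example.
PROTOCOL_VLANS = {
    "ip-vlan": {"ethertypes": {ETHERTYPES["IP"]}, "ports": {10, 20, 30}},
}


def egress_ports(ingress_port, ethertype, vlans=PROTOCOL_VLANS):
    """Return the ports a flooded frame is forwarded to.

    A frame is forwarded only within a protocol VLAN that both carries its
    EtherType and has the ingress port as a member; it never goes back out
    the ingress port, and a protocol with no matching VLAN is dropped."""
    out = set()
    for vlan in vlans.values():
        if ethertype in vlan["ethertypes"] and ingress_port in vlan["ports"]:
            out |= vlan["ports"] - {ingress_port}
    return out


def forwarding_matrix(ports, vlans=PROTOCOL_VLANS):
    """Map every (ingress port, protocol name) to its sorted egress ports."""
    rows = {}
    for port in ports:
        for name, ethertype in ETHERTYPES.items():
            rows[(port, name)] = sorted(egress_ports(port, ethertype, vlans))
    return rows


if __name__ == "__main__":
    for (port, proto), dests in forwarding_matrix([10, 20, 30]).items():
        print(f"port {port:2d} {proto:3s} -> {dests or 'dropped'}")
```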
VLAN Cross Connect
VLAN Cross Connect (CC) is a mechanism used to create switched VLANs. VLAN CC uses IEEE 802.1ad frames where the S-Tag is used as a label, as in MPLS (Multiprotocol Label Switching). IEEE approves the use of such a mechanism in paragraph 6.11 of IEEE 802.1ad-2005.
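The tag handling described in the trunk paragraph (tags inserted on trunk links, removed on access links) and the 802.1ad S-Tag used as a label by VLAN Cross Connect, as one added example that is not code from the article or from any vendor. It builds and decodes a tag stack with an inner 802.1Q C-Tag (TPID 0x8100) and an outer 802.1ad S-Tag (TPID 0x88A8); the MAC addresses, VLAN numbers and frame body are constructed sample values.

```python
# Added example (not from the article): 802.1Q/802.1ad tag push and pop, and
# the access/trunk egress rule. Sample MACs, VLAN IDs and payload are made up.
import struct

TPID_C = 0x8100  # IEEE 802.1Q customer tag
TPID_S = 0x88A8  # IEEE 802.1ad service tag, the "label" in VLAN cross connect


def push_tag(frame, vid, tpid=TPID_C, pcp=0):
    """Insert a 4-byte tag right after the destination and source MACs.
    Pushing a C-tag and then an S-tag yields the 802.1ad order: S outer."""
    tci = ((pcp & 0x7) << 13) | (vid & 0xFFF)
    return frame[:12] + struct.pack("!HH", tpid, tci) + frame[12:]


def pop_tags(frame):
    """Strip the whole tag stack; return ([(tpid, vid), ...] outermost first,
    untagged frame). Stops at the first EtherType that is not a tag."""
    tags = []
    while len(frame) >= 16:
        tpid, tci = struct.unpack("!HH", frame[12:16])
        if tpid not in (TPID_S, TPID_C):
            break
        tags.append((tpid, tci & 0xFFF))
        frame = frame[:12] + frame[16:]
    return tags, frame


def egress(frame, port_mode, port_vlan):
    """Apply the egress rule: a trunk sends the frame tagged (tagging an
    untagged frame with the port's VLAN), an access port sends it untagged.
    Returns None when the frame's VLAN is not the access port's VLAN."""
    tags, bare = pop_tags(frame)
    vid = tags[0][1] if tags else port_vlan
    if port_mode == "trunk":
        return frame if tags else push_tag(bare, vid)
    return bare if vid == port_vlan else None


# Constructed sample: untagged frame with IPv4 EtherType and a 4-byte body.
UNTAGGED = bytes.fromhex("0a0000000001" "0a0000000002" "0800" "deadbeef")
```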
See also
- IEEE 802.1Q
- MVRP Multiple VLAN Registration Protocol (formerly GVRP GARP VLAN Registration Protocol)
- Private VLAN
- Virtual network
- VoIP recording
- VPLS Virtual Private LAN Service
- VPN Virtual private network
- SVI Switch virtual interface
External links
- IEEE's 802.1Q standard, 1998 version (2003 version) (2005 version)
- Cisco Systems
- Cisco home page for Virtual LANs/VLAN Trunking Protocol (VLANs/VTP) (discusses DSL, DTP, GVRP, ISL, VTP, 802.1Q)
- Cisco's Overview of Routing between VLANs
- Cisco's Bridging Between IEEE 802.1Q VLANs white paper
- University of California's VLAN Information
- OpenWRT guide to VLANs: Provides a beginners' guide to VLANs
- Study of VLAN usage in Purdue University's Campus Network
- Towards Systematic Design of Enterprise Networks: Demonstrates how to systematically produce a VLAN design
- Some FAQ about VLANs
- Interactive VLAN Basics Simulation