My name is Naveed Babar, an independent IT expert and researcher. I received my Master's degree in IT. I live in Peshawar, Khyber Pakhtunkhwa, Pakistan. Buzzwords in my world include: info tech, systems, networks, public/private, identity, context, youth culture, social network sites, social media. I use this blog to express random thoughts about whatever I am thinking.

Wednesday, November 10, 2010

Getting up to Speed on VLANs



IT managers are always looking for ways to do their jobs more efficiently, while still providing the quality of service that their clients expect. Virtual LAN (VLAN) technology can help them on both fronts, by easing administrative chores and improving enterprise network performance. VLANs allow IT managers to group users and resources in any way they like, regardless of the physical LAN segment to which those resources are attached. An organization may want to group all users in the marketing department on the same VLAN with the servers that host the applications and data they use most often, for example. The users who belong to that marketing group may be spread throughout a building, or even the country, but they can still belong to the same VLAN.
This type of flexibility in grouping users and resources stands in stark contrast to the days when IT managers were restricted to grouping resources solely by the port to which they were connected. Any changes to the network configuration required a visit to one or more wiring closets to physically move the user or resource from one port to another. With VLANs, such changes can be performed in software, from a central administrative console, thus greatly improving efficiency.
At the same time, VLANs can be used to improve network performance in a number of ways – by grouping users that communicate often with one another on the same VLAN, for example, or by creating a VLAN for use by “power users” that tend to consume a lot of network bandwidth. VLANs are most suitable for mid- to large-size companies, but even smaller companies with highly demanding users may benefit. Essentially, any organization with a network large enough that it needs to be segmented in some fashion can benefit.

Types of VLANs
When they first came on the scene in the mid-1990s, there were three basic ways to build a VLAN on any given switch or router. The port-based model called for assigning each router or switch port to a specific VLAN. Ports 1-5, for example, might be the engineering VLAN, while ports 6-10 belong to the marketing VLAN. Some ports may be assigned to more than one VLAN, such as a port that connects a server used by multiple groups. Administrators could make changes to port and VLAN assignments from a central console, rather than physically pulling and rearranging wires. If a repeater was attached to any port, however, all the devices connected to that repeater must belong to the same VLAN.
Another approach was to assign resources to VLANs based on their unique media access control (MAC) address. The switch or router supporting the VLAN maintained a list detailing which MAC addresses belong to which VLAN, and routed traffic accordingly based on the source or destination MAC address. The drawbacks to this method included the time required to assign each MAC address to a given VLAN. Assigning the same MAC address to multiple VLANs could also wreak havoc with bridges and routers, making it difficult to share server resources among separate VLANs.
Layer 3-based VLANs group resources according to the protocol and Layer 3 address they employ. In this fashion, all IP or IPX traffic can be assigned to its own VLAN, or perhaps all wireless LAN and Voice over IP (VoIP) traffic. The Layer 3 approach also enables all non-routable protocols to share a VLAN, thus limiting the effect of broadcasts on the rest of the network, improving performance for all users.

To promote interoperability between devices from different vendors that may be used to support a VLAN, such as switches and network interface cards, the IEEE developed a couple of key VLAN standards. Most VLANs today employ these standards, perhaps in conjunction with one of the above approaches.
The first standard, 802.1Q, defines the format of a tag that is added to each Ethernet frame to detail the VLAN it belongs to. This is especially important in creating large VLANs that span multiple network switches. Enterprises identify their VLANs by giving each one a VLAN identifier (VID), which is a number between 1 and 4,094. That VID is carried within the 802.1Q tag, thus defining what VLAN the frame belongs to.
The other key standard, 802.1p, provides a way to preserve quality of service levels for different VLANs, even as they traverse multiple switches. The standard defines three bits that indicate the level of priority for each packet, enabling each switch to reorder packets, if necessary, to ensure that higher-priority packets get through first. That is especially important for VLANs that support delay-sensitive traffic such as video or VoIP.
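
The tag layout described above, as an added example that is not part of the original post: a short Python sketch that builds and parses a single 802.1Q tag, pulling out the 12-bit VID and the three 802.1p priority bits. The function names and the sample frame are constructed for illustration; the tag sits right after the source MAC address and is marked by the EtherType value 0x8100.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q tag


def build_tagged_frame(dst, src, vid, pcp, ethertype, payload):
    """Build an Ethernet frame carrying one 802.1Q tag (illustrative helper)."""
    if not 1 <= vid <= 4094:
        raise ValueError("VID must be between 1 and 4094")
    if not 0 <= pcp <= 7:
        raise ValueError("802.1p priority is a 3-bit value (0-7)")
    # Tag Control Information: 3 priority bits, 1 DEI bit (left 0), 12 VID bits
    tci = (pcp << 13) | vid
    return dst + src + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload


def parse_frame(frame):
    """Return the VLAN fields of a frame, or mark it as untagged."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != TPID_8021Q:
        return {"tagged": False, "ethertype": ethertype}
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, inner_type = struct.unpack_from("!HH", frame, 14)
    vid = tci & 0x0FFF
    return {
        "tagged": True,
        "priority": tci >> 13,           # 802.1p bits
        "dei": (tci >> 12) & 1,          # drop-eligible indicator
        "vid": vid,
        "vid_usable": 1 <= vid <= 4094,  # 0 and 4095 are reserved values
        "ethertype": inner_type,
    }


# Constructed sample: a broadcast IPv4 frame on VLAN 20 with priority 5
DST = bytes.fromhex("ffffffffffff")
SRC = bytes.fromhex("020000000001")
SAMPLE = build_tagged_frame(DST, SRC, vid=20, pcp=5,
                            ethertype=0x0800, payload=b"\x00" * 46)

if __name__ == "__main__":
    print(parse_frame(SAMPLE))
```

A switch reading this frame would place it in VLAN 20 and queue it according to priority 5; a frame without the 0x8100 marker is untagged and falls to whatever VLAN the receiving port is assigned.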

Putting it all together
The ability to segment different traffic types is one of the key benefits behind VLANs. Even as organizations strive to create all-IP networks, they will want to give different levels of priority to different types of traffic. Additionally, many organizations still have other protocols at work, including some “chatty” protocols such as DECnet that generate broadcast packets. The ability to segment those broadcast packets, keeping them from flooding the larger network, will benefit the enterprise as a whole. Similarly, some organizations are now assigning all wireless LAN users to their own VLAN, in an effort to help ensure they stay connected to the network even as they roam about.
Security is another concern. VLANs are one way to ensure that users have access only to the resources they need to do their jobs. If there is no reason that users in the sales group should have access to potentially sensitive engineering documents, a VLAN can be created that ensures the sales team has no visibility into engineering servers. Put another way, VLANs can be used to keep all but authorized users from getting at any given set of enterprise resources. If a client that is not an authorized member tries to connect to any resource on a given VLAN, it will be denied.
At the same time, VLANs promote maximum mobility. Since a client machine can be identified irrespective of the port to which it is attached, users are free to connect from anywhere in the enterprise that their VLAN is supported, and still maintain access to all their usual resources. It should be noted that these benefits are not limited to a single building or campus location, but can also accommodate an enterprise that spans the country or even the globe. Because VLANs are “virtual”, there are no real boundaries. Administrators can configure any given VLAN to support users who may work anywhere the enterprise network reaches, thus improving performance for those users. Add to all these benefits the fact that VLANs dramatically improve the productivity of IT administrators, enabling configuration changes to be made from a central console instead of from the wiring closet where the device is physically located.

For more detailed information about VLANs, visit Cisco.com.



6 comments:

Anonymous said...

I love your site, but honestly tell you that you need more for him to monitor those who commented with your records

Anonymous said...

Merry Christmas and Happy New Year, may all your wishes come true!

Anonymous said...

Merry Christmas! Let the new year will bring a lot of money

Anonymous said...

Interesting post for me.

Anonymous said...

Really Gr8 ! Thanks For sharing..

Anonymous said...

Dear friends, when I keep not asked in regard to have anyone to alleviate, but life is such a fiendish thing, that
suffer with to ask in the course of help. I'm in a very key state of affairs, ask Your friends, help
they can, how much can. I will-power be pure appreciative to You.
Perfect Money U 1557851 E 1512655 send: alexxx767@gmail.com
PayPal : alexxx767@gmail.com
