A Local Area Network (LAN) was originally defined as a network of computers located within the same area. Today, Local Area Networks are defined as a single broadcast domain. This means that if a user broadcasts information on his/her LAN, the broadcast will be received by every other user on the LAN. Broadcasts are prevented from leaving a LAN by using a router. The disadvantage of this method is routers usually take more time to process incoming data compared to a bridge or a switch. More importantly, the formation of broadcast domains depends on the physical connection of the devices in the network. Virtual Local Area Networks (VLAN's) were developed as an alternative solution to using routers to contain broadcast traffic.
Virtual LAN (VLAN) refers to a group of logically networked devices on one or more LANs that are configured so that they can communicate as if they were attached to the same wire, when in fact they are located on a number of different LAN segments. Because VLANs are based on logical instead of physical connections, they are very flexible for user/host management, bandwidth allocation and resource optimization.
There are the following types of Virtual LANs:
Port-Based VLAN: each physical switch port is configured with an access list specifying membership in a set of VLANs.
MAC-based VLAN: a switch is configured with an access list mapping individual MAC addresses to VLAN membership.
Protocol-based VLAN: a switch is configured with a list mapping Layer 3 protocol types to VLAN membership, thereby filtering IP traffic from nearby end-stations using a particular protocol such as IPX.
ATM VLAN - using LAN Emulation (LANE) protocol to map Ethernet packets into ATM cells and deliver them to their destination by converting an Ethernet MAC address into an ATM address.
2.0 What are VLAN's?
In a traditional LAN, workstations are connected to each other by means of a hub or a repeater. These devices propagate any incoming data throughout the network. However, if two people attempt to send information at the same time, a collision will occur and all the transmitted data will be lost. Once the collision has occurred, it will continue to be propagated throughout the network by hubs and repeaters. The original information will therefore need to be resent after waiting for the collision to be resolved, thereby incurring a significant wastage of time and resources. To prevent collisions from traveling through all the workstations in the network, a bridge or a switch can be used. These devices will not forward collisions, but will allow broadcasts (to every user in the network) and multicasts (to a pre-specified group of users) to pass through. A router may be used to prevent broadcasts and multicasts from traveling through the network.
The workstations, hubs, and repeaters together form a LAN segment. A LAN segment is also known as a collision domain since collisions remain within the segment. The area within which broadcasts and multicasts are confined is called a broadcast domain or LAN. Thus a LAN can consist of one or more LAN segments. Defining broadcast and collision domains in a LAN depends on how the workstations, hubs, switches, and routers are physically connected together. This means that everyone on a LAN must be located in the same area (see Figure 1).
VLAN's allow a network manager to logically segment a LAN into different broadcast domains (see Figure 2). Since this is a logical segmentation and not a physical one, workstations do not have to be physically located together. Users on different floors of the same building, or even in different buildings can now belong to the same LAN.
VLANs are created to provide the segmentation services traditionally provided by routers in LAN configurations. VLANs address issues such as scalability, security, and network management. Routers in VLAN topologies provide broadcast filtering, security, address summarization, and traffic flow management. By definition, switches may not bridge IP traffic between VLANs as it would violate the integrity of the VLAN broadcast domain.
This is also useful if someone wants to create multiple Layer 3 networks on the same Layer 2 switch. For example, if a DHCP server (which will broadcast its presence) was plugged into a switch it will serve any host on that switch that was configured to use the server. By using VLANs you can easily split the network up so some hosts won't use that server and will obtain Link-local addresses.
Virtual LANs are essentially Layer 2 constructs, compared with IP subnets which are Layer 3 constructs. In an environment employing VLANs, a one-to-one relationship often exists between VLANs and IP subnets, although it is possible to have multiple subnets on one VLAN or have one subnet spread across multiple VLANs. Virtual LANs and IP subnets provide independent Layer 2 and Layer 3 constructs that map to one another and this correspondence is useful during the network design process.
By using VLANs, one can control traffic patterns and react quickly to relocations. VLANs provide the flexibility to adapt to changes in network requirements and allow for simplified administration.
In a legacy network, users were assigned to networks based on geography and were limited by physical topologies and distances. VLANs can logically group networks so that the network location of users is no longer so tightly coupled to their physical location. Technologies able to implement VLANs are:
Asynchronous Transfer Mode (ATM)
Fiber Distributed Data Interface (FDDI)
10 Gigabit Ethernet
It provides flexibility in the administration of the network.
It reduces broadcast traffic.
It increases security because the information is encapsulated.
It increases the performance of the network.
It provides physical topology independence.
VLANs offer increased bandwidth to network users.
VLANs make it easy to manage a specific project or a specialized application.
Creating VLANs with network switches is cheaper than creating a routed network using routers.
Plug and play configurations without requiring additional hardware.
Dynamic reporting across the network.
VLANs also have some limitations, described below.
VLANs by themselves provide little security, so an intruder with a little knowledge of routing and encryption can gain access.
VLANs are subject to broadcast limitations, device limitations and port constraints.
MAC-based VLANs require managerial overhead to manage the network.
3.0 Why use VLAN's?
VLAN's offer a number of advantages over traditional LAN's. They are:
1) Performance
In networks where traffic consists of a high percentage of broadcasts and multicasts, VLAN's can reduce the need to send such traffic to unnecessary destinations. For example, in a broadcast domain consisting of 10 users, if the broadcast traffic is intended only for 5 of the users, then placing those 5 users on a separate VLAN can reduce traffic.
Compared to switches, routers require more processing of incoming traffic. As the volume of traffic passing through the routers increases, so does the latency in the routers, which results in reduced performance. The use of VLAN's reduces the number of routers needed, since VLAN's create broadcast domains using switches instead of routers.
2) Formation of Virtual Workgroups
Nowadays, it is common to find cross-functional product development teams with members from different departments such as marketing, sales, accounting, and research. These workgroups are usually formed for a short period of time. During this period, communication between members of the workgroup will be high. To contain broadcasts and multicasts within the workgroup, a VLAN can be set up for them. With VLAN's it is easier to place members of a workgroup together. Without VLAN's, the only way this would be possible is to physically move all the members of the workgroup closer together.
However, virtual workgroups do not come without problems. Consider the situation where one user of the workgroup is on the fourth floor of a building, and the other workgroup members are on the second floor. Resources such as a printer would be located on the second floor, which would be inconvenient for the lone fourth floor user.
Another problem with setting up virtual workgroups is the implementation of centralized server farms, which are essentially collections of servers and major resources for operating a network at a central location. The advantages here are numerous, since it is more efficient and cost-effective to provide better security, uninterrupted power supply, consolidated backup, and a proper operating environment in a single area than if the major resources were scattered in a building. Centralized server farms can cause problems when setting up virtual workgroups if servers cannot be placed on more than one VLAN. In such a case, the server would be placed on a single VLAN and all other VLAN's trying to access the server would have to go through a router; this can reduce performance.
3) Simplified Administration
Seventy percent of network costs are a result of adds, moves, and changes of users in the network. Every time a user is moved in a LAN, recabling, new station addressing, and reconfiguration of hubs and routers becomes necessary. Some of these tasks can be simplified with the use of VLAN's. If a user is moved within a VLAN, reconfiguration of routers is unnecessary. In addition, depending on the type of VLAN, other administrative work can be reduced or eliminated. However, the full power of VLAN's will only really be felt when good management tools are created which can allow network managers to drag and drop users into different VLAN's or to set up aliases.
4) Reduced Cost
VLAN's can be used to create broadcast domains which eliminate the need for expensive routers.
5) Security
Periodically, sensitive data may be broadcast on a network. In such cases, placing only those users who can have access to that data on a VLAN can reduce the chances of an outsider gaining access to the data. VLAN's can also be used to control broadcast domains, set up firewalls, restrict access, and inform the network manager of an intrusion.
Why is a VLAN required?
A VLAN is required for the following reasons.
You have a lot of broadcast traffic in your network.
You have more than 200 network devices in your network and you want to avoid collisions and data loss.
You want to put users on the same broadcast domain because they are using the same network application.
You need to make a single switch.
You want to provide more security to a group of users.
Virtual networking provides unmatched flexibility. Today there are many VLAN solutions available for LANs. Cisco Systems offers a comprehensive VLAN solution that allows remote and geographically dispersed users to come together and become part of the same network by forming VLAN workgroup topologies.
Cisco offers virtualization solutions for all types of networks including Ethernet, FDDI, Token Ring and ATM.
The network devices in a VLAN are connected in the following three ways.
Although VLANs offer many advantages, they have the following limitations.
VLAN stands for Virtual Local Area Network and is defined in the IEEE 802.1Q standard. In a VLAN the computers behave as if they are connected to the same LAN even though they may actually be physically located on other segments of the network. It is a broadcast domain that is created by the switches in the network. In a VLAN, if a computer is physically moved to another location, it can stay on the same VLAN without changing the computer hardware.
VLANs remove the limitations of the physical architecture by creating logical segmentation and grouping computers together by their MAC addresses, protocols, and port numbers. VLANs are created in software, which provides the flexibility to create them.
In a VLAN, only VLAN-enabled devices can send/receive data packets. They are created to provide segmentation services and services like scalability, security and management of the computer network. VLANs control the traffic in the network. There are the following three types of VLAN.
Level 1: It is also known as a port-based VLAN, which defines the virtual network by switch port.
Level 2: It is also known as a MAC-address-based VLAN, which defines the VLAN according to the MAC address of the machine.
Level 3: A Level 3 VLAN consists of the network-address-based VLAN and the protocol-based VLAN.
A VLAN is required if you have:
More than 200 devices on your local area network.
Groups of users that require more security.
Groups of users that are being slowed down by broadcasts.
A lot of broadcast traffic on your LAN.
4.0 How VLAN's work
When a LAN bridge receives data from a workstation, it tags the data with a VLAN identifier indicating the VLAN from which the data came. This is called explicit tagging. It is also possible to determine to which VLAN the data received belongs using implicit tagging. In implicit tagging the data is not tagged, but the VLAN from which the data came is determined based on other information like the port on which the data arrived. Tagging can be based on the port from which it came, the source Media Access Control (MAC) field, the source network address, or some other field or combination of fields. VLAN's are classified based on the method used. To be able to do the tagging of data using any of the methods, the bridge would have to keep an updated database containing a mapping between VLAN's and whichever field is used for tagging. For example, if tagging is by port, the database should indicate which ports belong to which VLAN. This database is called a filtering database. Bridges would have to be able to maintain this database and also to make sure that all the bridges on the LAN have the same information in each of their databases. The bridge determines where the data is to go next based on normal LAN operations. Once the bridge determines where the data is to go, it now needs to determine whether the VLAN identifier should be added to the data and sent. If the data is to go to a device that knows about VLAN implementation (VLAN-aware), the VLAN identifier is added to the data. If it is to go to a device that has no knowledge of VLAN implementation (VLAN-unaware), the bridge sends the data without the VLAN identifier.
In order to understand how VLAN's work, we need to look at the types of VLAN's, the types of connections between devices on VLAN's, the filtering database which is used to send traffic to the correct VLAN, and tagging, a process used to identify the VLAN originating the data.
5.0 Types of VLAN's
VLAN membership can be classified by port, MAC address, and protocol type.
1) Layer 1 VLAN: Membership by Port
Membership in a VLAN can be defined based on the ports that belong to the VLAN. For example, in a bridge with four ports, ports 1, 2, and 4 belong to VLAN 1 and port 3 belongs to VLAN 2 (see Figure 3).
Figure 3: Assignment of ports to different VLAN's.
The main disadvantage of this method is that it does not allow for user mobility. If a user moves to a different location away from the assigned bridge, the network manager must reconfigure the VLAN.
2) Layer 2 VLAN: Membership by MAC Address
Here, membership in a VLAN is based on the MAC address of the workstation. The switch tracks the MAC addresses which belong to each VLAN (see Figure 4). Since MAC addresses form a part of the workstation's network interface card, when a workstation is moved, no reconfiguration is needed to allow the workstation to remain in the same VLAN. This is unlike Layer 1 VLAN's where membership tables must be reconfigured.
Figure 4: Assignment of MAC addresses to different VLAN's.
The main problem with this method is that VLAN membership must be assigned initially. In networks with thousands of users, this is no easy task. Also, in environments where notebook PC's are used, the MAC address is associated with the docking station and not with the notebook PC. Consequently, when a notebook PC is moved to a different docking station, its VLAN membership must be reconfigured.
3) Layer 2 VLAN: Membership by Protocol Type
VLAN membership for Layer 2 VLAN's can also be based on the protocol type field found in the Layer 2 header (see Figure 5).
Figure 5: Assignment of protocols to different VLAN's.
4) Layer 3 VLAN: Membership by IP Subnet Address
Membership is based on the Layer 3 header. The network IP subnet address can be used to classify VLAN membership (see Figure 6).
Figure 6: Assignment of IP subnet addresses to different VLAN's.
Although VLAN membership is based on Layer 3 information, this has nothing to do with network routing and should not be confused with router functions. In this method, IP addresses are used only as a mapping to determine membership in VLAN's. No other processing of IP addresses is done.
In Layer 3 VLAN's, users can move their workstations without reconfiguring their network addresses. The only problem is that it generally takes longer to forward packets using Layer 3 information than using MAC addresses.
5) Higher Layer VLAN's
It is also possible to define VLAN membership based on applications or service, or any combination thereof. For example, file transfer protocol (FTP) applications can be executed on one VLAN and telnet applications on another VLAN.
The 802.1Q draft standard defines Layer 1 and Layer 2 VLAN's only. Protocol type based VLAN's and higher layer VLAN's have been allowed for, but are not defined in this standard. As a result, these VLAN's will remain proprietary.
5.1 Types of Connections
Devices on a VLAN can be connected in three ways based on whether the connected devices are VLAN-aware or VLAN-unaware. Recall that a VLAN-aware device is one which understands VLAN memberships (i.e. which users belong to a VLAN) and VLAN formats.
1) Trunk Link
All the devices connected to a trunk link, including workstations, must be VLAN-aware. All frames on a trunk link must have a special header attached. These special frames are called tagged frames (see Figure 7).
Figure 7: Trunk link between two VLAN-aware bridges.
2) Access Link
An access link connects a VLAN-unaware device to the port of a VLAN-aware bridge. All frames on access links must be implicitly tagged (untagged) (see Figure 8). The VLAN-unaware device can be a LAN segment with VLAN-unaware workstations or it can be a number of LAN segments containing VLAN-unaware devices (legacy LAN).
Figure 8: Access link between a VLAN-aware bridge and a VLAN-unaware device.
3) Hybrid Link
This is a combination of the previous two links. This is a link where both VLAN-aware and VLAN-unaware devices are attached (see Figure 9). A hybrid link can have both tagged and untagged frames, but all the frames for a specific VLAN must be either tagged or untagged.
Figure 9: Hybrid link containing both VLAN-aware and VLAN-unaware devices.
It must also be noted that the network can have a combination of all three types of links.
5.2 Frame Processing
A bridge on receiving data determines to which VLAN the data belongs either by implicit or explicit tagging. In explicit tagging a tag header is added to the data. The bridge also keeps track of VLAN members in a filtering database which it uses to determine where the data is to be sent. Following is an explanation of the contents of the filtering database and the format and purpose of the tag header [802.1Q].
1) Filtering Database
Membership information for a VLAN is stored in a filtering database. The filtering database consists of the following types of entries:
i) Static Entries
Static information is added, modified, and deleted by management only. Entries are not automatically removed after some time (ageing), but must be explicitly removed by management. There are two types of static entries:
a) Static Filtering Entries: which specify for every port whether frames to be sent to a specific MAC address or group address and on a specific VLAN should be forwarded or discarded, or should follow the dynamic entry, and
b) Static Registration Entries: which specify whether frames to be sent to a specific VLAN are to be tagged or untagged and which ports are registered for that VLAN.
ii) Dynamic Entries
Dynamic entries are learned by the bridge and cannot be created or updated by management. The learning process observes the port from which a frame, with a given source address and VLAN ID (VID), is received, and updates the filtering database. The entry is updated only if all the following three conditions are satisfied:
a) This port allows learning,
b) The source address is a workstation address and not a group address, and
c) There is space available in the database.
Entries are removed from the database by the ageing out process where, after a certain amount of time specified by management (10 sec --- 1000000 sec), entries allow automatic reconfiguration of the filtering database if the topology of the network changes. There are three types of dynamic entries:
a) Dynamic Filtering Entries: which specify whether frames to be sent to a specific MAC address and on a certain VLAN should be forwarded or discarded.
b) Group Registration Entries: which indicate for each port whether frames to be sent to a group MAC address and on a certain VLAN should be filtered or discarded. These entries are added and deleted using Group Multicast Registration Protocol (GMRP). This allows multicasts to be sent on a single VLAN without affecting other VLAN's.
c) Dynamic Registration Entries: which specify which ports are registered for a specific VLAN. Entries are added and deleted using GARP VLAN Registration Protocol (GVRP), where GARP is the Generic Attribute Registration Protocol.
GVRP is used not only to update dynamic registration entries, but also to communicate the information to other VLAN-aware bridges.
In order for VLAN's to forward information to the correct destination, all the bridges in the VLAN should contain the same information in their respective filtering databases. GVRP allows both VLAN-aware workstations and bridges to issue and revoke VLAN memberships. VLAN-aware bridges register and propagate VLAN membership to all ports that are a part of the active topology of the VLAN. The active topology of a network is determined when the bridges are turned on or when a change in the state of the current topology is perceived.
The active topology is determined using a spanning tree algorithm which prevents the formation of loops in the network by disabling ports. Once an active topology for the network (which may contain several VLAN's) is obtained, the bridges determine an active topology for each VLAN. This may result in a different topology for each VLAN or a common one for several VLAN's. In either case, the VLAN topology will be a subset of the active topology of the network (see Figure 10).
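The ingress classification, learning conditions and VLAN-confined forwarding described above, as an added simulation (not code from the page or from any vendor); the port numbers, PVIDs and MAC addresses are constructed, and ingress filtering is assumed to be enabled:

```python
"""Simulation of a VLAN-aware bridge: frames are classified by explicit tag or
implicitly by ingress port, source addresses are learned into the filtering
database under the three conditions from the text, and forwarding is confined
to ports holding a registration entry for that VLAN (tagged or untagged as
registered).  Constructed example; not code from the page."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

MAX_VID = 4094


@dataclass(frozen=True)
class Frame:
    dst: str                    # MAC addresses written as "aa:bb:cc:dd:ee:ff"
    src: str
    vid: Optional[int] = None   # None = untagged (implicitly tagged by the ingress port)


def is_group_address(mac: str) -> bool:
    """I/G bit: low-order bit of the first octet marks group (multicast/broadcast) addresses."""
    return int(mac.split(":")[0], 16) & 1 == 1


class VlanBridge:
    def __init__(self, max_dynamic_entries: int = 1024):
        self.pvid: Dict[int, int] = {}                       # port -> VLAN for untagged ingress
        self.learning: Dict[int, bool] = {}                  # port -> learning allowed (condition a)
        self.registration: Dict[int, Dict[int, bool]] = {}   # static registration: vid -> {port: tagged?}
        self.dynamic: Dict[Tuple[int, str], int] = {}        # dynamic filtering entries: (vid, mac) -> port
        self.max_dynamic_entries = max_dynamic_entries       # condition c: space left in the database

    def add_port(self, port: int, pvid: int, learning: bool = True) -> None:
        self.pvid[port] = pvid
        self.learning[port] = learning

    def register(self, vid: int, port: int, tagged: bool) -> None:
        """Static registration entry: port is a member of vid; frames leave tagged or untagged."""
        if not 1 <= vid <= MAX_VID:
            raise ValueError("VID must be 1..4094")
        self.registration.setdefault(vid, {})[port] = tagged

    def classify(self, in_port: int, frame: Frame) -> Optional[int]:
        """Explicit tag wins; otherwise the ingress port's PVID (implicit tagging).
        Returns None when the port is not registered for that VLAN (ingress filtering,
        assumed enabled in this simulation)."""
        vid = frame.vid if frame.vid else self.pvid[in_port]   # VID 0 also means "no VLAN ID"
        return vid if in_port in self.registration.get(vid, {}) else None

    def learn(self, in_port: int, vid: int, src: str) -> None:
        """Update the dynamic entry only if all three learning conditions hold."""
        if not self.learning[in_port]:                          # a) port allows learning
            return
        if is_group_address(src):                                # b) source is not a group address
            return
        key = (vid, src)
        if key not in self.dynamic and len(self.dynamic) >= self.max_dynamic_entries:
            return                                               # c) no space available
        self.dynamic[key] = in_port

    def forward(self, in_port: int, frame: Frame) -> List[Tuple[int, Frame]]:
        """Return (egress port, frame as transmitted) pairs for one received frame."""
        vid = self.classify(in_port, frame)
        if vid is None:
            return []                                            # discarded at ingress
        self.learn(in_port, vid, frame.src)
        members = {p: tagged for p, tagged in self.registration[vid].items() if p != in_port}
        known = self.dynamic.get((vid, frame.dst))
        if is_group_address(frame.dst) or known is None:
            egress = members                                     # flood, but only within this VLAN
        else:
            egress = {known: members[known]} if known in members else {}
        return [(p, Frame(frame.dst, frame.src, vid if tagged else None))
                for p, tagged in sorted(egress.items())]


def build_demo_bridge() -> VlanBridge:
    """Constructed topology: ports 1-2 access VLAN 10, port 3 access VLAN 20, port 4 trunk."""
    bridge = VlanBridge()
    for port, pvid in ((1, 10), (2, 10), (3, 20), (4, 1)):
        bridge.add_port(port, pvid)
    bridge.register(10, 1, tagged=False)
    bridge.register(10, 2, tagged=False)
    bridge.register(10, 4, tagged=True)     # trunk carries VLAN 10 tagged
    bridge.register(20, 3, tagged=False)
    bridge.register(20, 4, tagged=True)     # trunk carries VLAN 20 tagged
    return bridge
```

A broadcast entering access port 1 leaves port 2 untagged and port 4 tagged with VID 10, never port 3; a frame tagged VID 10 arriving on port 3 is dropped because port 3 holds no registration for that VLAN.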
When frames are sent across the network, there needs to be a way of indicating to which VLAN the frame belongs, so that the bridge will forward the frames only to those ports that belong to that VLAN, instead of to all output ports as would normally have been done. This information is added to the frame in the form of a tag header. In addition, the tag header:
i) allows user priority information to be specified,
ii) allows source routing control information to be specified, and
iii) indicates the format of MAC addresses.
Frames in which a tag header has been added are called tagged frames. Tagged frames convey the VLAN information across the network.
The tagged frames that are sent across hybrid and trunk links contain a tag header. There are two formats of the tag header:
i) Ethernet Frame Tag Header: The ethernet frame tag header (see Figure 11) consists of a tag protocol identifier (TPID) and tag control information (TCI).
Figure 11: Ethernet frame tag header.
ii) Token Ring and Fiber Distributed Data Interface (FDDI) tag header: The tag headers for both token ring and FDDI networks consist of a SNAP-encoded TPID and TCI.
Figure 12: Token ring and FDDI tag header.
TPID is the tag protocol identifier which indicates that a tag header is following and TCI (see Figure 13) contains the user priority, canonical format indicator (CFI), and the VLAN ID.
Figure 13: Tag control information (TCI).
User priority is a 3 bit field which allows priority information to be encoded in the frame. Eight levels of priority are allowed, where zero is the lowest priority and seven is the highest priority. How this field is used is described in the supplement 802.1p.
The CFI bit is used to indicate that all MAC addresses present in the MAC data field are in canonical format. This field is interpreted differently depending on whether it is an ethernet-encoded tag header or a SNAP-encoded tag header. In SNAP-encoded TPID the field indicates the presence or absence of the canonical format of addresses. In ethernet-encoded TPID, it indicates the presence of the Source-Routing Information (RIF) field after the length field. The RIF field indicates routing on ethernet frames.
The VID field is used to uniquely identify the VLAN to which the frame belongs. There can be a maximum of (2^12 - 1) VLAN's. Zero is used to indicate no VLAN ID, but that user priority information is present. This allows priority to be encoded in non-priority LAN's.
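The Ethernet-encoded tag header just described (TPID 0x8100 followed by a 16-bit TCI of 3-bit user priority, 1-bit CFI and 12-bit VID), as an added parser and builder that is not code from the page; the sample frame bytes are constructed, and the VID 0 (priority only) and reserved VID 4095 cases are handled explicitly:

```python
"""Parse and build the 802.1Q Ethernet tag header: TPID + TCI, where
TCI = 3-bit user priority | 1-bit CFI | 12-bit VID.  Constructed example."""
import struct
from typing import NamedTuple, Optional, Tuple

TPID_8021Q = 0x8100        # tag protocol identifier for Ethernet-encoded tags
VID_NONE = 0               # "no VLAN ID, but user priority information is present"
VID_RESERVED = (1 << 12) - 1   # 4095 is reserved, so usable VIDs are 1..4094


class Tag(NamedTuple):
    priority: int          # 0 (lowest) .. 7 (highest), usage defined in 802.1p
    cfi: int               # canonical format indicator bit
    vid: Optional[int]     # None when the tag carries only priority (VID 0)


def build_tci(priority: int, cfi: int, vid: int) -> int:
    """Pack user priority, CFI and VID into the 16-bit tag control information."""
    if not 0 <= priority <= 7:
        raise ValueError("user priority is a 3-bit field")
    if cfi not in (0, 1):
        raise ValueError("CFI is a single bit")
    if not 0 <= vid < VID_RESERVED:    # 0 allowed (priority-tagged), 4095 rejected
        raise ValueError("VID must be 0..4094")
    return (priority << 13) | (cfi << 12) | vid


def parse_tci(tci: int) -> Tag:
    """Split a 16-bit TCI into its three fields, refusing the reserved VID."""
    vid = tci & 0x0FFF
    if vid == VID_RESERVED:
        raise ValueError("VID 4095 is reserved")
    return Tag(priority=tci >> 13, cfi=(tci >> 12) & 1,
               vid=None if vid == VID_NONE else vid)


def tag_frame(frame: bytes, priority: int, cfi: int, vid: int) -> bytes:
    """Insert TPID + TCI after the source address of an untagged Ethernet frame."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    tag = struct.pack("!HH", TPID_8021Q, build_tci(priority, cfi, vid))
    return frame[:12] + tag + frame[12:]


def parse_frame(frame: bytes) -> Tuple[Optional[Tag], int, bytes]:
    """Return (tag or None, ethertype of the encapsulated data, payload)."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != TPID_8021Q:
        return None, ethertype, frame[14:]          # untagged frame
    if len(frame) < 18:
        raise ValueError("tagged frame too short for TPID/TCI and ethertype")
    tci, inner_type = struct.unpack("!HH", frame[14:18])
    return parse_tci(tci), inner_type, frame[18:]


# Constructed sample: untagged frame, broadcast dst, locally administered src,
# ethertype 0x0800 (IPv4) and a 4-byte placeholder payload.
UNTAGGED = bytes.fromhex("ffffffffffff" "0200c0a80a01" "0800") + b"\xde\xad\xbe\xef"
```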
Communicating between VLANs
Cisco IOS provides full-feature routing at Layer 3 and translation at Layer 2 between VLANs. There are three different protocols available for routing between VLANs:
Inter-Switch Link (ISL)
IEEE 802.10
ATM LAN Emulation
All three of these technologies are based on OSI Layer 2 bridge multiplexing mechanisms.
Inter-Switch Link Protocol
Inter-Switch Link (ISL) protocol is used to inter-connect two VLAN-capable Fast Ethernet devices, such as the Catalyst 5000 or 3000 switches and Cisco 7500 routers. The ISL protocol is a packet-tagging protocol that contains a standard Ethernet frame and the VLAN information associated with that frame. The packets on the ISL link contain a standard Ethernet, FDDI, or token-ring frame and the VLAN information associated with that frame. ISL is currently supported only over Fast Ethernet links, but a single ISL link, or trunk, can carry different protocols from multiple VLANs.
IEEE 802.10 Protocol
The IEEE 802.10 protocol provides connectivity between VLANs. Originally developed to address the growing need for security within shared LAN/MAN environments, it incorporates authentication and encryption techniques to ensure data confidentiality and integrity throughout the network. Additionally, by functioning at Layer 2, it is well suited to high-throughput, low-latency switching environments. IEEE 802.10 protocol can run over any LAN or HDLC serial interface.
ATM LANE Protocol
The ATM LAN Emulation (LANE) protocol provides a way for legacy LAN users to take advantage of ATM benefits without requiring modifications to end-station hardware or software. LANE emulates a broadcast environment like IEEE 802.3 Ethernet on top of an ATM network that is a point-to-point environment.
LAN Emulation makes ATM function like a LAN. LAN Emulation allows standard LAN drivers like NDIS and ODI to be used. The virtual LAN is transparent to applications. Applications can use normal LAN functions without dealing with the underlying complexities of the ATM implementation. For example, a station can send broadcasts and multicasts, even though ATM is defined as a point-to-point technology and doesn't support any-to-any services.
To accomplish this, special low-level software is implemented on an ATM client workstation, called the LAN Emulation Client or LEC. The client software communicates with a central control point called a LAN Emulation Server, or LES. A Broadcast and Unknown Server (BUS) acts as a central point to distribute broadcasts and multicasts. The LAN Emulation Configuration Server (LECS) holds a database of LECs and the ELANs they belong to. The database is maintained by a network administrator.
Designing Switched VLANs
By the time you are ready to configure routing between VLANs, you will have already defined them through the switches in your network. Issues related to network design and VLAN definition should be addressed during your network design. Refer to the Cisco Internetworking Design Guide and appropriate switch documentation for information on these topics:
Sharing resources between VLANs
Segmenting Networks with VLANs
Segmenting the network into broadcast groups improves network security. Use router access lists based on station addresses, application types, and protocol types.
Routers and their Role in Switched Networks
In switched networks, routers perform broadcast management, route processing and distribution, and provide communications between VLANs. Routers provide VLAN access to shared resources and connect to other parts of the network that are either logically segmented with the more traditional subnet approach or require access to remote sites across wide-area links.
CFI - Canonical Format Indicator
FDDI - Fiber Distributed Data Interface
FTP - File Transfer Protocol
GARP - Generic Attribute Registration Protocol
GMRP - Group Multicast Registration Protocol
GVRP - GARP VLAN Registration Protocol
IEEE - Institute of Electrical and Electronics Engineers
LAN - Local Area Network
MAC - Media Access Control
RIF - Source-Routing Information
TCI - Tag Control Information
TPID - Tag Protocol Identifier
VID - VLAN ID
VLAN - Virtual Local Area Network
The deployment of flat, Layer 2 switched networks has dramatically impacted the corporate LAN. By eliminating the latency caused by Layer 3 routing, Layer 2 switching has allowed time-sensitive applications to flourish. Unfortunately, as switched networks grow, you start to realize why we had routed networks in the first place. In an enterprise network, some Layer 3 routing is inevitable. However, at the access layer, Virtual LANs (VLANs) can provide some of the benefits of Layer 3 routing without the latency.
Knowing when to move to VLANs can be difficult. By looking at some of the advantages of VLANs, the network administrator can decide if VLANs are a viable solution for his/her network problems.
Many of the protocols used in the modern LAN make excessive use of broadcasts. By default, Layer 3 devices (i.e., routers) block these broadcasts from traveling between network segments. However, in a flat, switched network, broadcasts travel throughout the entire network and are seen by every PC connected to the wire. In a large LAN, broadcasts can overwhelm the network and eventually lead to network failure.
Now the problem has gone full circle and we are back to needing Layer 3 routing again, right? Well, not exactly. By dividing switch ports into VLANs, separate broadcast domains are created. For example, if we have groups of users connected to Ethernet ports 1 through 24 on a Cisco Catalyst 2900 series switch, each group would be a member of the same broadcast domain. By configuring each switch port as a separate VLAN, we could divide the broadcast domains into 24 separate VLANs. A more likely scenario may be that users on ports 1 through 12 would be on one VLAN and users on ports 13 through 24 would be on another VLAN. Using this scenario, if all groups were generating the same amount of broadcast traffic, you would cut the broadcasts seen by each switch port in half.
When a group of users belongs to the same broadcast domain, all of the network traffic generated within that broadcast domain is accessible by each user. Thus, if a user is running a packet sniffer, they can see every frame that crosses the network. Security issues result when programs send data that is highly sensitive, such as human resource or payroll data. In this situation, a sniffer could access the data being transferred. By implementing VLANs, areas such as human resources can be split into their own broadcast domains, thereby prohibiting other areas from access to sensitive data transmitted over the LAN. In addition, because an administrator assigns each switch port to a particular VLAN, they can control which devices have access to a particular VLAN. For example, if all human resource PCs are a member of VLAN 10, the network administrator can collect the MAC addresses from the human resource PCs and allow only those MAC addresses to connect to VLAN 10.
Keeping track of which MAC address is assigned to a particular VLAN and switch port can be a difficult task. To help manage this process, Cisco offers a program called VLAN Membership Policy Server (VMPS). VMPS can dynamically assign switch ports to a particular VLAN based on the end station's MAC address. Additionally, VMPS can deny access to any MAC address that is not a member of a particular VLAN. This can significantly reduce network administration and increase network security.
If you've been in the industry for a while, you're probably thinking, "VLANs are great, but we were able to provide the same functionality with routers, so why did we implement Layer 2 switching in the first place?" The answer is: to reduce network latency.
Every packet that crosses a router's interface must be read at Layer 3 and a new MAC header must be created. Reading a packet's Layer 3 addressing information and creating a new MAC header causes latency. However, when a packet is switched through a network, the Layer 2 address is read and the packet is forwarded, filtered, or flooded. The MAC header is not recreated and this dramatically reduces latency.
Keeping your users happy
The last and most important reason for deploying VLANs is to keep your users happy. VLANs use network bandwidth more efficiently, reduce broadcasts, and increase security. What could make your users happier than that?
Warren Heaton Jr., MCSE+I, CCNP, CCDP is the Cisco Program Manager for A Technological Advantage in Louisville, KY.