VLANs - PowerPoint PPT Presentation

Provided by: royh

1
VLANs
  • Roy H. John
  • Cisco Networking Academy
  • Youngstown State University

2
Overview
  • This chapter provides an introduction to VLANs
    and switched internetworking.
  • It compares traditional shared LAN configurations
    with switched LAN configurations.
  • It discusses the benefits of using a switched
    VLAN architecture.

3
Existing Shared LAN configurations
  • In switched LANs, the physical topology is
    closely related to the logical topology, i.e.,
    workstations must generally be grouped by their
    physical proximity to a switch.
  • VLANs allow almost complete independence of the
    physical and logical topologies: you can define
    groupings of workstations, even if they are
    separated by switches and on different LAN
    segments, as one VLAN, one collision domain, and
    one broadcast domain.

4
Traditional Switched LAN
  • In this traditional LAN architecture, each hub
    and its hosts constitute a large collision and
    broadcast domain, limited by the physical
    proximity of the hosts to the hub.

5
VLAN Segmentation
  • VLAN capable switches (more expensive than the
    hubs, but far more powerful as well) allow
    smaller collision and broadcast domains.
  • They also liberate the logical topology (logical
    groupings of hosts and the information flow
    between them) from the physical topology (how and
    where devices are actually wired).

6
VLAN Differences
  • VLANs work at Layer 2 and Layer 3 of the OSI
    reference model.
  • Communication between VLANs is provided by Layer
    3 routing. 
  • VLANs provide a method of controlling network
    broadcasts.
  • The network administrator assigns users to a
    VLAN.
  • VLANs can increase network security by defining
    which network nodes can communicate with each
    other.

7
The Transport of VLANs across backbones
  • Important to any VLAN architecture is the ability
    to transport VLAN information between
    interconnected switches and routers that reside
    on the corporate backbone. These transport
    capabilities:
    • remove the physical boundaries between users
    • increase the configuration flexibility of a VLAN
      solution when users move
    • provide mechanisms for interoperability between
      backbone system components.

Amazingly, VLANs can even group hosts on
different segments off the backbone of a LAN. In
other words, VLAN traffic is allowed and
encouraged beyond the local switches. This allows
the benefits of VLANs to be experienced by the
entire Enterprise or School network.

8
The role of routers in VLANs
  • The traditional role of a router is to provide
    firewalls, broadcast management and route
    processing and distribution.
  • VLANs, while powerful, do not replace but rather
    complement routers on a LAN.
  • While VLAN switches take on some of these tasks,
    routers still remain vital in VLAN architectures
    because they provide connected routes between
    different VLANs. 
  • Routers are used to reduce or eliminate broadcast
    related problems.

9
Types of VLANs
  • The most common approaches for logically grouping
    users into distinct VLANs are:
    • Frame filtering
    • Frame identification (frame tagging)

10
Frame Filtering
  • Operates at Layer 2
  • Examines information about each frame
  • Filtering table is created for each switch
  • Users can be grouped by MAC, network protocol or
    application types
  • Table entries are compared with the frames
  • Uses frame tagging

11
Frame Tagging
  • Frame tagging uniquely assigns a user-defined ID
    to each frame
  • Places unique ID in header of the frame as it
    travels across the backbone
  • Identifier is understood and examined by each
    switch prior to broadcasts or transmissions to
    other switches, routers, or end-station devices
  • ID is removed before frame leaves the backbone
    and reaches the destination
  • IEEE 802.1Q specifies frame tagging as the way
    to implement VLANs.

12
The relationship between ports, VLANs, and broadcasts
  • Members of the same VLAN are members of the same
    broadcast (but not collision) domain.
  • VLANs, unlike regularly configured switches,
    break up broadcast domains (regularly configured
    bridges and switches, while segmenting collision
    domains, extend broadcast domains).
  • Each switch port can be assigned to a VLAN.
  • Ports assigned to the same VLAN share broadcasts.
  • Ports that do not belong to that VLAN do not
    share these broadcasts.
  • This improves the overall performance of the
    network.

13
VLAN Implementation Methods
  • Three VLAN implementation methods can be used to
    assign a switch port to a VLAN. They are:
    • port-centric
    • static
    • dynamic

14
Port-centric VLANs
  • In port-centric VLANs, all the nodes connected to
    ports in the same VLAN are assigned to the same
    VLAN ID.
  • This makes the administrator's job easier and the
    network more efficient because:
    • Users are assigned by port.
    • VLANs are easily administered.
    • It provides increased security between VLANs.
    • Packets do not "leak" into other domains.

15
Static VLANs
  • Static VLANs are ports on a switch that you
    statically assign to a VLAN.
  • They are secure.
  • They are easy to configure.
  • They are straightforward to monitor.
  • But they must be set up by an administrator.

16
Dynamic VLANs
  • In dynamic VLANs, the switch, pre-programmed with
    MAC addresses and VLAN numbers, can recognize
    when a host has switched ports and automatically
    reconfigure the port. But there is no sharing of
    switching tables.
  • The major benefits of this approach are less
    administration within the wiring closet when a
    user is added or moved and centralized
    notification when an unrecognized user is added
    to the network.
  • More administration is required up front to set
    up the database within the VLAN management
    software and to maintain an accurate database of
    all network users.

17
How VLANs make additions, moves, and changes easier
  • Without VLANs, moving a user from one office to
    another might require a router to be
    reconfigured, changes in the patch cables in the
    wiring closet, and IP address reconfiguration on
    the host.
  • A host connected to a VLAN-capable switch,
    however, simply stays in the same VLAN -
    broadcast domain - subnetwork, with no router
    changes, patch cable changes or IP address
    changes.
  • This may not sound like a big deal when 1 host is
    moved, but when many hosts are moving over the
    course of a year the savings in time and trouble
    are tremendous.

18
How VLANs help control broadcast activity
  • Broadcasts are fundamentally necessary for
    running a network.
  • But uncontrolled broadcasts can bring network
    traffic to a halt.
  • Unfortunately, typical bridges and switches -
    while creating smaller collision domains - do
    not create smaller broadcast domains (they
    propagate broadcasts).
  • So one response is to segment the network with
    routers, which do not propagate broadcasts.
  • VLANs give you another option - they too can
    contain broadcasts within a specific VLAN.
  • VLANs allow the network's logical topology to be
    separated from its physical topology. So in
    controlling broadcasts, you can group hosts
    across a large network into one VLAN, and the
    broadcast traffic will only go to those hosts on
    the VLAN in question.

19
VLANs can improve network security
  • VLANs allow sensitive network traffic to be
    isolated to a restricted VLAN. This allows Layer
    2 Security to be implemented.
  • VLANs can:
    • Restrict the number of users in a VLAN group
    • Prevent another user from joining without first
      receiving approval from the VLAN network
      management application
    • Configure all unused ports to a default
      low-service VLAN
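
The port-to-VLAN rules from slides 12, 16 and 19 can be seen working together in a small model of one switch: broadcasts stay inside the ingress port's VLAN, a MAC database reassigns a port when a known host moves, and an unrecognized host raises a notification. This is an added example, not part of the original presentation; the VLAN ID 999, the MAC addresses, and the choice to leave an unrecognized host's port in the low-service VLAN are assumptions made for illustration.

```python
QUARANTINE_VLAN = 999   # assumed ID for the "default low-service" VLAN

class VlanSwitch:
    """Toy model of one VLAN-capable switch (constructed for illustration)."""

    def __init__(self, ports, mac_db):
        self.mac_db = {m.lower(): v for m, v in mac_db.items()}  # MAC -> VLAN ID
        self.port_vlan = {p: QUARANTINE_VLAN for p in ports}     # unused ports start parked
        self.alerts = []                                         # notifications for the admin

    def host_seen(self, port, mac):
        """Dynamic VLAN: reconfigure the port from the MAC database."""
        vlan = self.mac_db.get(mac.lower())
        if vlan is None:
            # Unrecognized host: notify centrally, keep the port parked (assumption).
            self.alerts.append((port, mac.lower()))
            vlan = QUARANTINE_VLAN
        self.port_vlan[port] = vlan
        return vlan

    def host_left(self, port):
        """Return a vacated port to the low-service VLAN."""
        self.port_vlan[port] = QUARANTINE_VLAN

    def broadcast_ports(self, ingress_port):
        """Ports that receive a broadcast entering on ingress_port."""
        vlan = self.port_vlan[ingress_port]
        return sorted(p for p, v in self.port_vlan.items()
                      if v == vlan and p != ingress_port)

def build_demo():
    # Constructed sample data: two hosts in VLAN 10, one in VLAN 20, one unknown.
    db = {"02:00:00:00:00:0a": 10, "02:00:00:00:00:0b": 10, "02:00:00:00:00:14": 20}
    sw = VlanSwitch(ports=range(1, 7), mac_db=db)
    sw.host_seen(1, "02:00:00:00:00:0A")
    sw.host_seen(2, "02:00:00:00:00:0b")
    sw.host_seen(3, "02:00:00:00:00:14")
    sw.host_seen(4, "02:00:00:00:00:99")   # not in the database
    return sw

if __name__ == "__main__":
    sw = build_demo()
    print(sw.broadcast_ports(1), sw.broadcast_ports(3), sw.alerts)
```

A MAC address is an identifier the host supplies itself, so the database lookup groups hosts but does not authenticate them.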

20
Using Existing Hubs
  • Each hub segment connected to a switch port can
    be assigned to only one VLAN.
  • Stations that share a hub segment are all
    assigned to the same VLAN group.
  • If an individual station needs to be reassigned
    to another VLAN, the station must be relocated to
    the corresponding hub.

21
Review
  • Frame tagging functions at what OSI layer?
  • Frame filtering functions at what OSI layer?
  • VLANs make filtering and forwarding decisions
    based on?
  • In a port-centric VLAN, users are assigned by?
  • The individual ports of a non-intelligent hub can
    be assigned to ______ VLAN(s).