2. Virtual LANs (VLANs)

One of the common, though somewhat advanced technologies that make designing and maintaining a LAN easier today than in previous years is the advent of Virtual LANs. Before we look at VLANs, let’s first have a brief look at the motivation for them, and cover some technological background.

This material is also available from the course website and in the class resource server as the “Back of the Envelope Guide to Virtual LANs” video.

2.1. Broadcast Domains

Before I begin, I want to make clear that we are not talking about a collision domain. I say this because I’ve previously gotten the terms confused myself, and want to make a clear distinction for you. A collision domain is what you have in a mixed ethernet segment, such as on a repeating hub. On a switching hub, the collision domain is simply the basic link between the host and the switch, typically a single cable; because the basic link is not shared between hosts, there are no other stations to contend for access to the physical medium.

A broadcast domain is everywhere a data-link level (e.g. ethernet) broadcast frame would propagate to[79]. This area is demarcated by routers, which signal the end of a layer-2 (data-link layer) network; to go further requires support at a higher layer, such as layer-3 (e.g. IP), to route the packets through the inter-network.

So, looking at the network below, we can see that there are two broadcast domains, which I have labelled A and B. As an extra exercise, I suggest you also identify the various collision domains.

Figure 16. Broadcast Domains

A network showing two broadcast domains, and how they are connected using routers, switches and hubs. Try to identify the collision domains as well, to appreciate the difference between collision domains and broadcast domains.

2.2. A Virtual LAN

A Virtual LAN (VLAN) is, quite simply, the ability to segregate a switch into separate broadcast domains. This means that in order to get between the different VLANs, a router must be used. In the early days, when VLANs were still new, a one-armed router was used, which had an interface on both VLANs; today such a configuration would be more likely to be called a “router on a stick”. Today, however, a high-speed router is embedded as part of the switch; this switch is then referred to as a layer-3 switch.

VLANs are identified by a 12-bit number (4096 different VLAN IDs are possible). A switch-port may be a member of a number of VLANs; in the case of multiple VLAN assignments to a port, trunking must be used, which tags each frame with its VLAN identifier, so the next device (typically a switch or a router) knows which (virtual) LAN it belongs to. Figure 17, “VLAN Assignment and Trunking” should make this clear.

Figure 17. VLAN Assignment and Trunking

How VLANs are specified, including static assignment by switch-port, assignment by 802.1X authentication (“port” based authentication) and trunking. Not shown is the routing support and access control to allow traffic to flow between VLANs. VLAN 1 is generally reserved for management traffic and all ports generally default to being in VLAN 1. In particular, if the switch has an IP address for management purposes, it starts off in VLAN 1.

Also not shown is the Policy Determination Point, which is generally some server that tells the access-point (acting as a Policy Enforcement Point) what VLAN to assign a client to, as well as access-control data. These terms are particular to the field of Network Access Control, and are not talked about any further in this lab.

There are three layers to a standard Enterprise network design. The Access layer of a network is where clients connect to the switches. Traffic that needs to go to somewhere else on the network goes through the uplink to a Distribution layer switch (commonly there would be at least two, for redundancy). The Distribution switches aggregate a number of Access switches, and on their uplinks connect to the Core switches. As we move into the core, the switches get more and more powerful.

Clients, which are at the access layer of the network, will not have any idea that VLANs are in use, which is what we want, because it means the client doesn’t have any extra configuration to deal with. Thus we say the switch-port is an “access” port, rather than a “trunk” port. In this case, the access layer device (typically a switch or wireless access point) will determine the VLAN based on the switch-port (typical for ethernet) or authentication data (typical for enterprise wireless access using 802.1X and RADIUS).
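To make the tagging rule from the trunking paragraph and the access/trunk port distinction above concrete, here is an added example (not part of the original lab material) that models a small switch in Python: parse_frame and build_frame handle the 802.1Q tag, whose 12-bit VLAN ID and 3-bit priority field live in the tag control word after the 0x8100 ethertype, and forward_broadcast floods a broadcast frame only to the other ports in the same VLAN, untagged towards access ports and tagged towards the trunk. The port names, the per-trunk allowed-VLAN set, and the rule that an access port drops a frame that arrives already tagged are assumptions made for this example.

```python
import struct

ETHERTYPE_8021Q = 0x8100   # TPID that marks an 802.1Q-tagged frame
BROADCAST = b"\xff" * 6

def parse_frame(frame):
    """Split a frame into (dst, src, vid, pcp, ethertype, payload); vid is None if untagged."""
    dst, src = frame[0:6], frame[6:12]
    (etype,) = struct.unpack("!H", frame[12:14])
    if etype != ETHERTYPE_8021Q:
        return dst, src, None, 0, etype, frame[14:]
    tci, etype = struct.unpack("!HH", frame[14:18])   # tag control info, then the real ethertype
    return dst, src, tci & 0x0FFF, tci >> 13, etype, frame[18:]   # 12-bit VID, 3-bit PCP

def build_frame(dst, src, etype, payload, vid=None, pcp=0):
    """Build a frame; when vid is given, insert an 802.1Q tag after the source MAC."""
    hdr = dst + src
    if vid is not None:
        assert 0 <= vid < 4096, "VLAN ID is a 12-bit field"
        hdr += struct.pack("!HH", ETHERTYPE_8021Q, (pcp << 13) | vid)
    return hdr + struct.pack("!H", etype) + payload

class Port:
    """A switch-port in 'access' mode (one VLAN, default 1) or 'trunk' mode (a set of VIDs)."""
    def __init__(self, name, mode, vlan=1, allowed=None):
        self.name, self.mode, self.vlan = name, mode, vlan
        self.allowed = allowed or set()

def ingress_vlan(port, frame):
    """Which VLAN does an arriving frame belong to? None means the switch drops it."""
    vid = parse_frame(frame)[2]
    if port.mode == "access":
        return port.vlan if vid is None else None   # assumption: access ports take untagged frames only
    return vid if vid in port.allowed else None      # trunk: use the tag if that VLAN is allowed here

def forward_broadcast(ports, in_port, frame):
    """Flood a broadcast to every other port in the same VLAN, i.e. the broadcast domain.
    Returns {port name: frame bytes as they leave that port}."""
    vid = ingress_vlan(in_port, frame)
    dst, src, _, pcp, etype, payload = parse_frame(frame)
    out = {}
    if vid is None or dst != BROADCAST:
        return out
    for p in ports:
        if p is in_port: continue
        if p.mode == "access" and p.vlan == vid:
            out[p.name] = build_frame(dst, src, etype, payload)            # untagged to the client
        elif p.mode == "trunk" and vid in p.allowed:
            out[p.name] = build_frame(dst, src, etype, payload, vid, pcp)  # tagged on the uplink
    return out
```

A frame arriving untagged on an access port in VLAN 10 thus reaches only the other VLAN 10 access ports and the trunk, while a tagged frame for a VLAN the trunk does not allow is dropped.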

Take a moment to refer again to the picture above. Can you see the benefits we get from using VLANs when we have different classes of device (business, staff wireless, etc.)? Hint: think about the maintenance activities in a network (Moves, Adds and Changes).

Can you imagine how much more complex the network would have to be if we didn’t have VLANs? We would lose a lot of flexibility, and cost would be very much higher. We would at least need many more switches and access-points, routers and cable. Running extra cable would be the most expensive part. We investigate this further in the next section.

2.3. The Motivation for Virtual LANs

Briefly, a VLAN gives us three major benefits: traffic control by prioritising traffic in particular VLANs or reducing broadcast traffic by making the broadcast domains smaller; security, by controlling traffic between different VLANs (subnets); and flexibility in network design without extra equipment.

We like to have flexibility in a network to move clients and servers into different subnets depending on their role and security level; firewalls are one such tool that can help us here, which we cover in the following lab. Consider the network shown below, which is representative of a university campus where students can have their own laptops on the network. In this network, there are different security classes of device: student wireless, student wired, staff wireless, staff wired, and business (corporate) devices as distinct from academic staff. We want each of these to have their own subnet so we can control traffic going between them.

Figure 18. Using Virtual LANs to divide a network.

Using Virtual LAN technology gives us much greater flexibility and simplicity in how we design and implement switched networks.

With the use of VLANs in this network, we can have machines in different subnets that are physically dispersed within the network. That is something that would otherwise be quite impractical.

There is more to be said about VLAN management, most notably about how a VLAN database mapping between VLAN identifiers and names can be shared amongst the various switches, using the VLAN Trunking Protocol (VTP). More difficult is how you can automatically assign a VLAN based on protocols such as 802.1X, but that is outside the scope of this lab.

[79] This is assuming that the data-link layer being used supports broadcast. There are a number of Non-Broadcast Multiple Access (NBMA) network technologies; one example would be Frame Relay, which is used in a Wide Area Network (WAN) environment.